helm: add tests for AWS and OpenStack

cli/internal/helm/testdata/OpenStack/constellation-services/charts/ccm/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:cloud-controller-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: cloud-controller-manager
+    namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/ccm/templates/openstack-daemonset.yaml

@@ -0,0 +1,68 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace
+  labels:
+    k8s-app: cloud-controller-manager
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cloud-controller-manager
+  template:
+    metadata:
+      labels:
+        k8s-app: cloud-controller-manager
+    spec:
+      containers:
+        - name: cloud-controller-manager
+          image: ccmImageForOpenStack
+          args:
+          - /bin/openstack-cloud-controller-manager
+          - --cloud-provider=openstack
+          - --cloud-config=/etc/config/cloud.conf
+          - --leader-elect=true
+          - --allocate-node-cidrs=false
+          - -v=2
+          volumeMounts:
+          - name: etckubernetes
+            mountPath: /etc/kubernetes
+            readOnly: true
+          - name: etcssl
+            mountPath: /etc/ssl
+            readOnly: true
+          - name: etcpki
+            mountPath: /etc/pki
+            readOnly: true
+          - name: etcconfig
+            mountPath: /etc/config
+            readOnly: true
+          resources: {}
+      serviceAccountName: cloud-controller-manager
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      tolerations:
+        - effect: NoSchedule
+          key: node.cloudprovider.kubernetes.io/uninitialized
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoSchedule
+          key: node.kubernetes.io/not-ready
+      volumes:
+      - name: etckubernetes
+        hostPath:
+          path: /etc/kubernetes
+      - name: etcssl
+        hostPath:
+          path: /etc/ssl
+      - name: etcpki
+        hostPath:
+          path: /etc/pki
+      - name: etcconfig
+        secret:
+          secretName: openstackkey
+  updateStrategy: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/ccm/templates/openstack-secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: openstackkey
+  namespace: testNamespace
+data:
+  cloud.conf: YmFhYWFhYWQ=

cli/internal/helm/testdata/OpenStack/constellation-services/charts/ccm/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-controller-manager
+  namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/clusterrole.yaml

@@ -0,0 +1,45 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: join-service
+  name: join-service
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - create
+  - update
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - roles
+  - rolebindings
+  verbs:
+  - create
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - "update.edgeless.systems"
+  resources:
+  - joiningnodes
+  verbs:
+  - get
+  - create
+  - update
+  - patch
+- apiGroups:
+  - "update.edgeless.systems"
+  resources:
+  - nodeversions
+  verbs:
+  - get

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: join-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: join-service
+subjects:
+- kind: ServiceAccount
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: join-config
+  namespace: testNamespace
+data:
+  measurements: "{\"1\":{\"expected\":\"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\"warnOnly\":false}}"
+binaryData:
+  measurementSalt: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/daemonset.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: join-service
+  namespace: testNamespace
+  labels:
+    component: join-service
+    k8s-app: join-service
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: join-service
+  template:
+    metadata:
+      labels:
+        k8s-app: join-service
+    spec:
+      priorityClassName: system-cluster-critical
+      serviceAccountName: join-service
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      containers:
+        - name: join-service
+          image: joinServiceImage
+          args:
+            - --cloud-provider=OpenStack
+            - --key-service-endpoint=key-service.testNamespace:9000
+            - --attestation-variant=dummy
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+            - mountPath: /etc/kubernetes
+              name: kubeadm
+              readOnly: true
+          ports:
+            - containerPort: 9090
+              name: tcp
+          resources: {}
+          securityContext:
+            privileged: true
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  name: join-config
+              - configMap:
+                  name: internal-config
+        - name: kubeadm
+          hostPath:
+            path: /etc/kubernetes
+  updateStrategy: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: join-service
+  namespace: testNamespace
+spec:
+  type: NodePort
+  selector:
+    k8s-app: join-service
+  ports:
+  - name: grpc
+    protocol: TCP
+    port: 9090
+    targetPort: 9090
+    nodePort: 30090
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/join-service/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: join-service
+  namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/clusterrole.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    k8s-app: key-service
+  name: key-service
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - get

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/clusterrolebinding.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: key-service
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: key-service
+subjects:
+  - kind: ServiceAccount
+    name: key-service
+    namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/daemonset.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: key-service
+    k8s-app: key-service
+    kubernetes.io/cluster-service: "true"
+  name: key-service
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: key-service
+  template:
+    metadata:
+      labels:
+        k8s-app: key-service
+    spec:
+      containers:
+        - name: key-service
+          image: keyServiceImage
+          args:
+            - --port=9000
+          volumeMounts:
+            - mountPath: /var/config
+              name: config
+              readOnly: true
+          resources: {}
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      priorityClassName: system-cluster-critical
+      serviceAccountName: key-service
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - name: config
+          projected:
+            sources:
+              - configMap:
+                  items:
+                    - key: measurements
+                      path: measurements
+                  name: join-config
+              - secret:
+                  items:
+                    - key: mastersecret
+                      path: mastersecret
+                    - key: salt
+                      path: salt
+                  name: constellation-mastersecret
+  updateStrategy: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/mastersecret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: constellation-mastersecret
+  namespace: testNamespace
+data:
+  mastersecret: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=
+  salt: YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWE=

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: key-service
+  namespace: testNamespace
+spec:
+  ports:
+    - name: grpc
+      port: 9000
+      protocol: TCP
+      targetPort: 9000
+  selector:
+    k8s-app: key-service
+  type: ClusterIP
+status:
+  loadBalancer: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/key-service/templates/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: key-service
+  namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/clusterrolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+  name: system:konnectivity-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:konnectivity-server

cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/daemonset.yaml

@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: konnectivity-agent
+  name: konnectivity-agent
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: konnectivity-agent
+  template:
+    metadata:
+      labels:
+        k8s-app: konnectivity-agent
+    spec:
+      containers:
+      - args:
+        - --logtostderr=true
+        - --proxy-server-host=127.0.0.1
+        - --ca-cert=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+        - --proxy-server-port=8132
+        - --admin-server-port=8133
+        - --health-server-port=8134
+        - --service-account-token-path=/var/run/secrets/tokens/konnectivity-agent-token
+        - --agent-identifiers=host=$(HOST_IP)
+        - --sync-forever=true
+        - --keepalive-time=60m
+        - --sync-interval=5s
+        - --sync-interval-cap=30s
+        - --probe-interval=5s
+        - --v=3
+        command:
+        - /proxy-agent
+        env:
+        - name: HOST_IP
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: status.hostIP
+        image: konnectivityImage
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8134
+          initialDelaySeconds: 15
+          timeoutSeconds: 15
+        name: konnectivity-agent
+        resources: {}
+        volumeMounts:
+        - mountPath: /var/run/secrets/tokens
+          name: konnectivity-agent-token
+          readOnly: true
+      priorityClassName: system-cluster-critical
+      serviceAccountName: konnectivity-agent
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+      volumes:
+      - name: konnectivity-agent-token
+        projected:
+          sources:
+          - serviceAccountToken:
+              audience: system:konnectivity-server
+              path: konnectivity-agent-token
+  updateStrategy: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/konnectivity/templates/serviceaccount.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    kubernetes.io/cluster-service: "true"
+  name: konnectivity-agent
+  namespace: testNamespace

cli/internal/helm/testdata/OpenStack/constellation-services/charts/verification-service/templates/daemonset.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --attestation-variant=dummy
+        image: verificationImage
+        name: verification-service
+        ports:
+        - containerPort: 8080
+          name: http
+        - containerPort: 9090
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}

cli/internal/helm/testdata/OpenStack/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: testNamespace
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - 127.0.0.1
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: 30081
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer

cli/internal/helm/testdata/OpenStack/constellation-services/charts/verification-service/templates/nodeport-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: testNamespace
+spec:
+  ports:
+  - name: http
+    nodePort: 30080
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: grpc
+    nodePort: 30081
+    port: 9090
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: NodePort