cli: add cinder csi helm charts

cli/internal/helm/BUILD.bazel

@@ -334,6 +334,20 @@ go_library(
         "charts/edgeless/constellation-services/charts/yawol-config/templates/secret.yaml",
         "charts/edgeless/constellation-services/charts/yawol-config/values.schema.json",
         "charts/edgeless/constellation-services/charts/yawol-config/values.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-config/.helmignore",
+        "charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-config/values.schema.json",
+        "charts/edgeless/constellation-services/charts/cinder-config/values.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml",
+        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
     visibility = ["//cli:__subpackages__"],

cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml

@@ -77,3 +77,13 @@ dependencies:
     condition: openstack.deployYawolLoadBalancer
     tags:
       - OpenStack
+  - name: cinder-config
+    version: 1.0.0
+    condition: openstack.deployCSIDriver
+    tags:
+      - OpenStack
+  - name: cinder-csi-plugin
+    version: 1.0.0
+    condition: openstack.deployCSIDriver
+    tags:
+      - OpenStack

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: cinder-config
+description: A Helm chart for Kubernetes
+type: application
+version: 1.0.0

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cinder-csi-cloud-config
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  cloudprovider.conf: {{ .Values.secretData | b64enc }}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.schema.json

@@ -0,0 +1,17 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+        "secretData": {
+            "description": "Cloud INI secret used for cinder.",
+            "type": "string",
+            "examples": [
+                "[Global]\nauth-url = ..."
+            ]
+        }
+    },
+    "required": [
+        "secretData"
+    ],
+    "title": "Values",
+    "type": "object"
+}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: Cinder CSI Chart for OpenStack with on-node encryption support
+name: cinder-csi-plugin
+version: 1.0.0

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl

@@ -0,0 +1,103 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cinder-csi.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cinder-csi.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cinder-csi.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "cinder-csi.labels" -}}
+app.kubernetes.io/name: {{ include "cinder-csi.name" . }}
+helm.sh/chart: {{ include "cinder-csi.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cinder-csi.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "cinder-csi.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create unified labels for cinder-csi components
+*/}}
+{{- define "cinder-csi.common.matchLabels" -}}
+app: {{ template "cinder-csi.name" . }}
+release: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "cinder-csi.common.metaLabels" -}}
+chart: {{ template "cinder-csi.chart" . }}
+heritage: {{ .Release.Service }}
+{{- if .Values.extraLabels }}
+{{ toYaml .Values.extraLabels -}}
+{{- end }}
+{{- end -}}
+
+{{- define "cinder-csi.controllerplugin.matchLabels" -}}
+component: controllerplugin
+{{ include "cinder-csi.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "cinder-csi.controllerplugin.labels" -}}
+{{ include "cinder-csi.controllerplugin.matchLabels" . }}
+{{ include "cinder-csi.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "cinder-csi.nodeplugin.matchLabels" -}}
+component: nodeplugin
+{{ include "cinder-csi.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "cinder-csi.nodeplugin.labels" -}}
+{{ include "cinder-csi.nodeplugin.matchLabels" . }}
+{{ include "cinder-csi.common.metaLabels" . }}
+{{- end -}}
+
+{{- define "cinder-csi.snapshot-controller.matchLabels" -}}
+component: snapshot-controller
+{{ include "cinder-csi.common.matchLabels" . }}
+{{- end -}}
+
+{{- define "cinder-csi.snapshot-controller.labels" -}}
+{{ include "cinder-csi.snapshot-controller.matchLabels" . }}
+{{ include "cinder-csi.common.metaLabels" . }}
+{{- end -}}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml

@@ -0,0 +1,10 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: cinder.csi.confidential.cloud
+spec:
+  attachRequired: true
+  podInfoOnMount: true
+  volumeLifecycleModes:
+  - Persistent
+  - Ephemeral

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml

@@ -0,0 +1,194 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ include "cinder-csi.name" . }}-controllerplugin
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.csi.plugin.controllerPlugin.replicas }}
+  strategy:
+    type: {{ .Values.csi.plugin.controllerPlugin.strategy.type }}
+{{- if eq .Values.csi.plugin.controllerPlugin.strategy.type "RollingUpdate" }}
+    rollingUpdate:
+      maxUnavailable: {{ .Values.csi.plugin.controllerPlugin.strategy.rollingUpdate.maxUnavailable }}
+      maxSurge: {{ .Values.csi.plugin.controllerPlugin.strategy.rollingUpdate.maxSurge }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "cinder-csi.controllerplugin.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "cinder-csi.controllerplugin.labels" . | nindent 8 }}
+    spec:
+      serviceAccount: csi-cinder-controller-sa
+      containers:
+        - name: csi-attacher
+          image: "{{ .Values.csi.attacher.image.repository }}:{{ .Values.csi.attacher.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.attacher.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            - "--timeout={{ .Values.timeout }}"
+            - "--leader-election=true"
+            - "--default-fstype=ext4"
+            {{- if .Values.csi.attacher.extraArgs }}
+            {{- with .Values.csi.attacher.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /var/lib/csi/sockets/pluginproxy/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/lib/csi/sockets/pluginproxy/
+          resources: {{ toYaml .Values.csi.attacher.resources | nindent 12 }}
+        - name: csi-provisioner
+          image: "{{ .Values.csi.provisioner.image.repository }}:{{ .Values.csi.provisioner.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.provisioner.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            - "--timeout={{ .Values.timeout }}"
+            - "--leader-election=true"
+            - "--default-fstype=ext4"
+            - "--feature-gates=Topology={{ .Values.csi.provisioner.topology }}"
+            - "--extra-create-metadata"
+            {{- if .Values.csi.provisioner.extraArgs }}
+            {{- with .Values.csi.provisioner.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /var/lib/csi/sockets/pluginproxy/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/lib/csi/sockets/pluginproxy/
+          resources: {{ toYaml .Values.csi.provisioner.resources | nindent 12 }}
+        - name: csi-snapshotter
+          image: "{{ .Values.csi.snapshotter.image.repository }}:{{ .Values.csi.snapshotter.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.snapshotter.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            - "--timeout={{ .Values.timeout }}"
+            - "--leader-election=true"
+            {{- if .Values.csi.snapshotter.extraArgs }}
+            {{- with .Values.csi.snapshotter.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /var/lib/csi/sockets/pluginproxy/csi.sock
+          volumeMounts:
+            - mountPath: /var/lib/csi/sockets/pluginproxy/
+              name: socket-dir
+          resources: {{ toYaml .Values.csi.snapshotter.resources | nindent 12 }}
+        - name: csi-resizer
+          image: "{{ .Values.csi.resizer.image.repository }}:{{ .Values.csi.resizer.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.resizer.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            - "--timeout={{ .Values.timeout }}"
+            - "--handle-volume-inuse-error=false"
+            - "--leader-election=true"
+            {{- if .Values.csi.resizer.extraArgs }}
+            {{- with .Values.csi.resizer.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /var/lib/csi/sockets/pluginproxy/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/lib/csi/sockets/pluginproxy/
+          resources: {{ toYaml .Values.csi.resizer.resources | nindent 12 }}
+        - name: liveness-probe
+          image: "{{ .Values.csi.livenessprobe.image.repository }}:{{ .Values.csi.livenessprobe.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.livenessprobe.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            {{- if .Values.csi.livenessprobe.extraArgs }}
+            {{- with .Values.csi.livenessprobe.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /var/lib/csi/sockets/pluginproxy/csi.sock
+          volumeMounts:
+            - mountPath: /var/lib/csi/sockets/pluginproxy/
+              name: socket-dir
+          resources: {{ toYaml .Values.csi.livenessprobe.resources | nindent 12 }}
+        - name: cinder-csi-plugin
+          image: "{{ .Values.csi.plugin.image.repository }}:{{ .Values.csi.plugin.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.csi.plugin.image.pullPolicy }}
+          args:
+            - /bin/cinder-csi-plugin
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--cloud-config=$(CLOUD_CONFIG)"
+            - "--cluster=$(CLUSTER_NAME)"
+            - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}"
+            {{- if .Values.csi.plugin.extraArgs }}
+            {{- with .Values.csi.plugin.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: CSI_ENDPOINT
+              value: unix://csi/csi.sock
+            - name: CLOUD_CONFIG
+              value: /etc/kubernetes/{{ .Values.secret.filename }}
+            - name: CLUSTER_NAME
+              value: "{{ .Values.clusterID }}"
+          ports:
+            - containerPort: 9808
+              name: healthz
+              protocol: TCP
+          # The probe
+          livenessProbe:
+            failureThreshold: {{ .Values.csi.livenessprobe.failureThreshold }}
+            httpGet:
+              path: /healthz
+              port: healthz
+            initialDelaySeconds: {{ .Values.csi.livenessprobe.initialDelaySeconds }}
+            timeoutSeconds: {{ .Values.csi.livenessprobe.timeoutSeconds }}
+            periodSeconds: {{ .Values.csi.livenessprobe.periodSeconds }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: cloud-config
+              mountPath: /etc/kubernetes/{{ .Values.secret.filename }}
+              readOnly: true
+              subPath: {{ .Values.secret.filename }}
+          resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }}
+      volumes:
+        - name: socket-dir
+          emptyDir:
+        - name: cloud-config
+        {{- if .Values.secret.enabled }}
+          secret:
+            secretName: {{ .Values.secret.name }}
+        {{- else }}
+          hostPath:
+            path: /etc/kubernetes
+        {{- end }}
+      affinity: {{ toYaml .Values.csi.plugin.controllerPlugin.affinity | nindent 8 }}
+      nodeSelector: {{ toYaml .Values.csi.plugin.controllerPlugin.nodeSelector | nindent 8 }}
+      tolerations: {{ toYaml .Values.csi.plugin.controllerPlugin.tolerations | nindent 8 }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+    {{- end }}
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml

@@ -0,0 +1,174 @@
+# This YAML file contains RBAC API objects,
+# which are necessary to run csi controller plugin
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-cinder-controller-sa
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-attacher-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-attacher-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-cinder-controller-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-attacher-role
+  apiGroup: rbac.authorization.k8s.io
+---
+# external Provisioner
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["get", "list"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-provisioner-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-cinder-controller-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-provisioner-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-snapshotter-role
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  # Secret permission is optional.
+  # Enable it if your driver needs secret.
+  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+  #  - apiGroups: [""]
+  #    resources: ["secrets"]
+  #    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-snapshotter-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-cinder-controller-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-snapshotter-role
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-resizer-role
+rules:
+  # The following rule should be uncommented for plugins that require secrets
+  # for provisioning.
+  # - apiGroups: [""]
+  #   resources: ["secrets"]
+  #   verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-resizer-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-cinder-controller-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-resizer-role
+  apiGroup: rbac.authorization.k8s.io
+---

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml

@@ -0,0 +1,153 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: {{ include "cinder-csi.name" . }}-nodeplugin
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cinder-csi.nodeplugin.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "cinder-csi.nodeplugin.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "cinder-csi.nodeplugin.labels" . | nindent 8 }}
+    spec:
+      serviceAccount: csi-cinder-node-sa
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+        - name: node-driver-registrar
+          image: "{{ .Values.csi.nodeDriverRegistrar.image.repository }}:{{ .Values.csi.nodeDriverRegistrar.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.nodeDriverRegistrar.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--csi-address=$(ADDRESS)"
+            - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)"
+            {{- if .Values.csi.nodeDriverRegistrar.extraArgs }}
+            {{- with .Values.csi.nodeDriverRegistrar.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: ADDRESS
+              value: /csi/csi.sock
+            - name: DRIVER_REG_SOCK_PATH
+              value: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins/cinder.csi.openstack.org/csi.sock
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: registration-dir
+              mountPath: /registration
+          resources: {{ toYaml .Values.csi.nodeDriverRegistrar.resources | nindent 12 }}
+        - name: liveness-probe
+          image: "{{ .Values.csi.livenessprobe.image.repository }}:{{ .Values.csi.livenessprobe.image.tag }}"
+          imagePullPolicy: {{ .Values.csi.livenessprobe.image.pullPolicy }}
+          args:
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - --csi-address=/csi/csi.sock
+            {{- if .Values.csi.livenessprobe.extraArgs }}
+            {{- with .Values.csi.livenessprobe.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+          resources: {{ toYaml .Values.csi.livenessprobe.resources | nindent 12 }}
+        - name: cinder-csi-plugin
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: "{{ .Values.csi.plugin.image.repository }}:{{ .Values.csi.plugin.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.csi.plugin.image.pullPolicy }}
+          args:
+            - /bin/cinder-csi-plugin
+            - "-v={{ .Values.logVerbosityLevel }}"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--cloud-config=$(CLOUD_CONFIG)"
+            - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}"
+            {{- if .Values.csi.plugin.extraArgs }}
+            {{- with .Values.csi.plugin.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
+          env:
+            - name: CSI_ENDPOINT
+              value: unix://csi/csi.sock
+            - name: CLOUD_CONFIG
+              value: /etc/kubernetes/{{ .Values.secret.filename }}
+          ports:
+            - containerPort: 9808
+              name: healthz
+              protocol: TCP
+          # The probe
+          livenessProbe:
+            failureThreshold: {{ .Values.csi.livenessprobe.failureThreshold }}
+            httpGet:
+              path: /healthz
+              port: healthz
+            initialDelaySeconds: {{ .Values.csi.livenessprobe.initialDelaySeconds }}
+            timeoutSeconds: {{ .Values.csi.livenessprobe.timeoutSeconds }}
+            periodSeconds: {{ .Values.csi.livenessprobe.periodSeconds }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: kubelet-dir
+              mountPath: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}
+              mountPropagation: "Bidirectional"
+            - name: pods-probe-dir
+              mountPath: /dev
+              mountPropagation: "HostToContainer"
+            - name: cloud-config
+              mountPath: /etc/kubernetes/{{ .Values.secret.filename }}
+              readOnly: true
+              subPath: {{ .Values.secret.filename }}
+          resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }}
+      volumes:
+        - name: socket-dir
+          hostPath:
+            path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins/cinder.csi.openstack.org
+            type: DirectoryOrCreate
+        - name: registration-dir
+          hostPath:
+            path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins_registry/
+            type: Directory
+        - name: kubelet-dir
+          hostPath:
+            path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}
+            type: Directory
+        # - name: pods-cloud-data
+        #   hostPath:
+        #     path: /var/lib/cloud/data
+        #     type: Directory
+        - name: pods-probe-dir
+          hostPath:
+            path: /dev
+            type: Directory
+        - name: cloud-config
+        {{- if .Values.secret.enabled }}
+          secret:
+            secretName: {{ .Values.secret.name }}
+        {{- else }}
+          hostPath:
+            path: /etc/kubernetes
+        {{- end }}
+      affinity: {{ toYaml .Values.csi.plugin.nodePlugin.affinity | nindent 8 }}
+      nodeSelector: {{ toYaml .Values.csi.plugin.nodePlugin.nodeSelector | nindent 8 }}
+      tolerations: {{ toYaml .Values.csi.plugin.nodePlugin.tolerations | nindent 8 }}
+      imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+    {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+    {{- end }}
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-cinder-node-sa
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-nodeplugin-role
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-nodeplugin-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-cinder-node-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-nodeplugin-role
+  apiGroup: rbac.authorization.k8s.io

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.storageClass.enabled }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: encrypted-rwo
+  {{- if .Values.storageClass.default.isDefault }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+  {{- end }}
+provisioner: cinder.csi.confidential.cloud
+reclaimPolicy: Delete
+allowVolumeExpansion: {{ .Values.storageClass.default.allowVolumeExpansion }}
+volumeBindingMode: Immediate
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: integrity-encrypted-rwo
+  {{- if .Values.storageClass.integrity.isDefault }}
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+  {{- end }}
+parameters:
+  csi.storage.k8s.io/fstype: ext4-integrity
+provisioner: cinder.csi.confidential.cloud
+reclaimPolicy: Delete
+allowVolumeExpansion: {{ .Values.storageClass.integrity.allowVolumeExpansion }}
+volumeBindingMode: Immediate
+{{- end }}

cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml

@@ -0,0 +1,120 @@
+extraLabels: {}
+
+nameOverride: ""
+fullnameOverride: ""
+timeout: 3m
+
+csi:
+  attacher:
+    image:
+      repository: registry.k8s.io/sig-storage/csi-attacher
+      tag: v4.2.0
+      pullPolicy: IfNotPresent
+    resources: {}
+    extraArgs: {}
+  provisioner:
+    topology: "true"
+    image:
+      repository: registry.k8s.io/sig-storage/csi-provisioner
+      tag: v3.4.1
+      pullPolicy: IfNotPresent
+    resources: {}
+    extraArgs: {}
+  snapshotter:
+    image:
+      repository: registry.k8s.io/sig-storage/csi-snapshotter
+      tag: v6.2.1
+      pullPolicy: IfNotPresent
+    resources: {}
+    extraArgs: {}
+  resizer:
+    image:
+      repository: registry.k8s.io/sig-storage/csi-resizer
+      tag: v1.7.0
+      pullPolicy: IfNotPresent
+    resources: {}
+    extraArgs: {}
+  livenessprobe:
+    image:
+      repository: registry.k8s.io/sig-storage/livenessprobe
+      tag: v2.9.0
+      pullPolicy: IfNotPresent
+    failureThreshold: 5
+    initialDelaySeconds: 10
+    timeoutSeconds: 10
+    periodSeconds: 60
+    resources: {}
+    extraArgs: {}
+  nodeDriverRegistrar:
+    image:
+      repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
+      tag: v2.6.2
+      pullPolicy: IfNotPresent
+    resources: {}
+    extraArgs: {}
+  plugin:
+    image:
+      repository: ghcr.io/edgelesssys/constellation/cinder-csi-plugin
+      pullPolicy: IfNotPresent
+      tag: # defaults to .Chart.AppVersion
+    volumeMounts:
+      - name: cloud-config
+        mountPath: /etc/kubernetes
+        readOnly: true
+    nodePlugin:
+      affinity: {}
+      nodeSelector: {}
+      tolerations:
+        - operator: Exists
+      kubeletDir: /var/lib/kubelet
+    controllerPlugin:
+      replicas: 1
+      strategy:
+        # RollingUpdate strategy replaces old pods with new ones gradually,
+        # without incurring downtime.
+        type: RollingUpdate
+        rollingUpdate:
+          # maxUnavailable is the maximum number of pods that can be
+          # unavailable during the update process.
+          maxUnavailable: 0
+          # maxSurge is the maximum number of pods that can be
+          # created over the desired number of pods.
+          maxSurge: 1
+      affinity: {}
+      nodeSelector: {}
+      tolerations: []
+    resources: {}
+    extraArgs: {}
+  kms:
+    keyServiceName: "key-service"
+    keyServicePort: 9000
+    keyServiceNamespace: "kube-system"
+
+# Log verbosity level.
+# See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
+# for description of individual verbosity levels.
+logVerbosityLevel: 2
+
+secret:
+  enabled: true
+  create: false
+  filename: cloudprovider.conf
+  name: cinder-csi-cloud-config
+
+storageClass:
+  enabled: true
+  default:
+    isDefault: true
+    allowVolumeExpansion: true
+  integrity:
+    isDefault: false
+    allowVolumeExpansion: false
+
+# You may set ID of the cluster where openstack-cinder-csi is deployed. This value will be appended
+# to volume metadata in newly provisioned volumes as `cinder.csi.openstack.org/cluster=<cluster ID>`.
+clusterID: "kubernetes"
+
+priorityClassName: ""
+
+imagePullSecrets: []
+# - name: my-imagepull-secret

cli/internal/helm/charts/edgeless/constellation-services/values.yaml

@@ -19,6 +19,7 @@ azure:
 # OpenStack specific configuration
 openstack:
   deployYawolLoadBalancer: false
+  deployCSIDriver: false
 
 # Set one of the tags to true to indicate which CSP you are deploying to.
 tags: