cli: use Bazel container images

cli/internal/helm/BUILD.bazel

@@ -319,6 +319,7 @@ go_library(
     visibility = ["//cli:__subpackages__"],
     deps = [
         "//cli/internal/clusterid",
+        "//cli/internal/helm/imageversion",
         "//internal/attestation/idkeydigest",
         "//internal/cloud/cloudprovider",
         "//internal/compatibility",

cli/internal/helm/charts/edgeless/operators/charts/constellation-operator/templates/deployment.yaml

@@ -51,7 +51,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        -  /ko-app/v2
+        -  /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: {{ .Values.kubernetesClusterDomain }}

cli/internal/helm/imageversion/BUILD.bazel

@@ -0,0 +1,41 @@
+# gazelle:ignore
+
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("//bazel/oci:containers.bzl", "helm_containers")
+load("//bazel/oci:pin.bzl", "oci_go_source")
+
+GENERATED_SRCS = [
+    ":" + container["name"]
+    for container in helm_containers()
+]
+
+go_library(
+    name = "imageversion",
+    srcs = ["imageversion.go"] + GENERATED_SRCS,  # keep
+    importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm/imageversion",
+    visibility = ["//cli:__subpackages__"],
+    deps = ["//internal/containerimage"],
+)
+
+[
+    oci_go_source(
+        name = container["name"],
+        identifier = container["identifier"],
+        image_name = container["image_name"],
+        oci = container["oci"],
+        package = "imageversion",
+        prefix = container["prefix"],
+        registry = container["registry"],
+        tag_file = container["tag_file"],
+        visibility = ["//cli:__subpackages__"],
+    )
+    for container in helm_containers()
+]
+
+# TODO(malt3): add missing third-party images
+# - logstash
+# - filebeat
+# - konnectivity-agent
+# - konnectivity-server
+# - node-maintenance-operator
+# - gcp-guest-agent

cli/internal/helm/imageversion/imageversion.go

@@ -0,0 +1,67 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+// Package imageversion contains the pinned container images for the helm charts.
+package imageversion
+
+import "github.com/edgelesssys/constellation/v2/internal/containerimage"
+
+// TODO(malt3): Migrate third-party images from versions.go.
+
+// JoinService is the image of the join service.
+// registry and prefix can be optionally set to use a different source.
+func JoinService(registry, prefix string) string {
+	return containerimage.NewBuilder(defaultJoinService, registry, prefix).Build().String()
+}
+
+// KeyService is the image of the key service.
+// registry and prefix can be optionally set to use a different source.
+func KeyService(registry, prefix string) string {
+	return containerimage.NewBuilder(defaultKeyService, registry, prefix).Build().String()
+}
+
+// VerificationService is the image of the verification service.
+// registry and prefix can be optionally set to use a different source.
+func VerificationService(registry, prefix string) string {
+	return containerimage.NewBuilder(defaultVerificationService, registry, prefix).Build().String()
+}
+
+// ConstellationNodeOperator is the image of the constellation node operator.
+// registry and prefix can be optionally set to use a different source.
+func ConstellationNodeOperator(registry, prefix string) string {
+	return containerimage.NewBuilder(defaultNodeOperator, registry, prefix).Build().String()
+}
+
+var (
+	defaultJoinService = containerimage.Image{
+		Registry: joinServiceRegistry,
+		Prefix:   joinServicePrefix,
+		Name:     joinServiceName,
+		Tag:      joinServiceTag,
+		Digest:   joinServiceDigest,
+	}
+	defaultKeyService = containerimage.Image{
+		Registry: keyServiceRegistry,
+		Prefix:   keyServicePrefix,
+		Name:     keyServiceName,
+		Tag:      keyServiceTag,
+		Digest:   keyServiceDigest,
+	}
+	defaultVerificationService = containerimage.Image{
+		Registry: verificationServiceRegistry,
+		Prefix:   verificationServicePrefix,
+		Name:     verificationServiceName,
+		Tag:      verificationServiceTag,
+		Digest:   verificationServiceDigest,
+	}
+	defaultNodeOperator = containerimage.Image{
+		Registry: constellationNodeOperatorRegistry,
+		Prefix:   constellationNodeOperatorPrefix,
+		Name:     constellationNodeOperatorName,
+		Tag:      constellationNodeOperatorTag,
+		Digest:   constellationNodeOperatorDigest,
+	}
+)

cli/internal/helm/imageversion/placeholder.go

@@ -0,0 +1,36 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package imageversion
+
+// This file is only used if `go build` is used instead of Bazel.
+// It contains placeholder values for the container images so that everything
+// still compiles.
+
+const (
+	joinServiceRegistry = "placeholder"
+	joinServicePrefix   = "placeholder"
+	joinServiceName     = "placeholder"
+	joinServiceDigest   = "placeholder"
+	joinServiceTag      = "placeholder"
+
+	keyServiceRegistry = "placeholder"
+	keyServicePrefix   = "placeholder"
+	keyServiceName     = "placeholder"
+	keyServiceDigest   = "placeholder"
+	keyServiceTag      = "placeholder"
+
+	verificationServiceRegistry = "placeholder"
+	verificationServicePrefix   = "placeholder"
+	verificationServiceName     = "placeholder"
+	verificationServiceDigest   = "placeholder"
+	verificationServiceTag      = "placeholder"
+
+	constellationNodeOperatorRegistry = "placeholder"
+	constellationNodeOperatorPrefix   = "placeholder"
+	constellationNodeOperatorName     = "placeholder"
+	constellationNodeOperatorDigest   = "placeholder"
+	constellationNodeOperatorTag      = "placeholder"
+)

cli/internal/helm/loader.go

@@ -17,6 +17,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/edgelesssys/constellation/v2/cli/internal/helm/imageversion"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/compatibility"
 	"github.com/edgelesssys/constellation/v2/internal/config"
@@ -81,17 +82,19 @@ func NewLoader(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion)
 		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageOpenStack
 	}
 
+	// TODO(malt3): Allow overriding container image registry + prefix for all images
+	// (e.g. for air-gapped environments).
 	return &ChartLoader{
 		csp:                          csp,
-		joinServiceImage:             versions.JoinImage,
-		keyServiceImage:              versions.KeyServiceImage,
+		joinServiceImage:             imageversion.JoinService("", ""),
+		keyServiceImage:              imageversion.KeyService("", ""),
 		ccmImage:                     ccmImage,
 		cnmImage:                     cnmImage,
 		autoscalerImage:              versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
-		verificationServiceImage:     versions.VerificationImage,
+		verificationServiceImage:     imageversion.VerificationService("", ""),
 		gcpGuestAgentImage:           versions.GcpGuestImage,
 		konnectivityImage:            versions.KonnectivityAgentImage,
-		constellationOperatorImage:   versions.ConstellationOperatorImage,
+		constellationOperatorImage:   imageversion.ConstellationNodeOperator("", ""),
 		nodeMaintenanceOperatorImage: versions.NodeMaintenanceOperatorImage,
 	}
 }

cli/internal/helm/testdata/AWS/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /ko-app/v2
+        - /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: cluster.local

cli/internal/helm/testdata/Azure/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /ko-app/v2
+        - /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: cluster.local

cli/internal/helm/testdata/GCP/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /ko-app/v2
+        - /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: cluster.local

cli/internal/helm/testdata/OpenStack/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /ko-app/v2
+        - /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: cluster.local

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -63,7 +63,7 @@ spec:
         - --metrics-bind-address=127.0.0.1:8080
         - --leader-elect
         command:
-        - /ko-app/v2
+        - /node-operator
         env:
         - name: KUBERNETES_CLUSTER_DOMAIN
           value: cluster.local