mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-10-01 01:36:09 -04:00
AB#2593: Deploy verification service via Helm (#594)
This commit is contained in:
parent
1f9b6ba90f
commit
adc09a1ad1
@ -1,196 +0,0 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package resources
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
"google.golang.org/protobuf/proto"
|
||||
apps "k8s.io/api/apps/v1"
|
||||
k8s "k8s.io/api/core/v1"
|
||||
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// VerificationDaemonset groups all k8s resources for the verification service deployment.
|
||||
type VerificationDaemonset struct {
|
||||
DaemonSet apps.DaemonSet
|
||||
Service k8s.Service
|
||||
LoadBalancer k8s.Service
|
||||
}
|
||||
|
||||
// NewVerificationDaemonSet creates a new VerificationDaemonset.
|
||||
func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset {
|
||||
var err error
|
||||
if strings.Contains(loadBalancerIP, ":") {
|
||||
loadBalancerIP, _, err = net.SplitHostPort(loadBalancerIP)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
return &VerificationDaemonset{
|
||||
DaemonSet: apps.DaemonSet{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "apps/v1",
|
||||
Kind: "DaemonSet",
|
||||
},
|
||||
ObjectMeta: meta.ObjectMeta{
|
||||
Name: "verification-service",
|
||||
Namespace: "kube-system",
|
||||
Labels: map[string]string{
|
||||
"k8s-app": "verification-service",
|
||||
"component": "verification-service",
|
||||
},
|
||||
},
|
||||
Spec: apps.DaemonSetSpec{
|
||||
Selector: &meta.LabelSelector{
|
||||
MatchLabels: map[string]string{
|
||||
"k8s-app": "verification-service",
|
||||
},
|
||||
},
|
||||
Template: k8s.PodTemplateSpec{
|
||||
ObjectMeta: meta.ObjectMeta{
|
||||
Labels: map[string]string{
|
||||
"k8s-app": "verification-service",
|
||||
},
|
||||
},
|
||||
Spec: k8s.PodSpec{
|
||||
Tolerations: []k8s.Toleration{
|
||||
{
|
||||
Key: "node-role.kubernetes.io/master",
|
||||
Operator: k8s.TolerationOpEqual,
|
||||
Value: "true",
|
||||
Effect: k8s.TaintEffectNoSchedule,
|
||||
},
|
||||
{
|
||||
Key: "node-role.kubernetes.io/control-plane",
|
||||
Operator: k8s.TolerationOpExists,
|
||||
Effect: k8s.TaintEffectNoSchedule,
|
||||
},
|
||||
{
|
||||
Operator: k8s.TolerationOpExists,
|
||||
Effect: k8s.TaintEffectNoExecute,
|
||||
},
|
||||
{
|
||||
Operator: k8s.TolerationOpExists,
|
||||
Effect: k8s.TaintEffectNoSchedule,
|
||||
},
|
||||
},
|
||||
Containers: []k8s.Container{
|
||||
{
|
||||
Name: "verification-service",
|
||||
Image: versions.VerificationImage,
|
||||
Ports: []k8s.ContainerPort{
|
||||
{
|
||||
Name: "http",
|
||||
ContainerPort: constants.VerifyServicePortHTTP,
|
||||
},
|
||||
{
|
||||
Name: "grpc",
|
||||
ContainerPort: constants.VerifyServicePortGRPC,
|
||||
},
|
||||
},
|
||||
SecurityContext: &k8s.SecurityContext{
|
||||
Privileged: func(b bool) *bool { return &b }(true),
|
||||
},
|
||||
Args: []string{
|
||||
fmt.Sprintf("--cloud-provider=%s", csp),
|
||||
},
|
||||
VolumeMounts: []k8s.VolumeMount{
|
||||
{
|
||||
Name: "event-log",
|
||||
ReadOnly: true,
|
||||
MountPath: "/sys/kernel/security/",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Volumes: []k8s.Volume{
|
||||
{
|
||||
Name: "event-log",
|
||||
VolumeSource: k8s.VolumeSource{
|
||||
HostPath: &k8s.HostPathVolumeSource{
|
||||
Path: "/sys/kernel/security/",
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
Service: k8s.Service{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "v1",
|
||||
Kind: "Service",
|
||||
},
|
||||
ObjectMeta: meta.ObjectMeta{
|
||||
Name: "verification-service",
|
||||
Namespace: "kube-system",
|
||||
},
|
||||
Spec: k8s.ServiceSpec{
|
||||
Type: k8s.ServiceTypeNodePort,
|
||||
Ports: []k8s.ServicePort{
|
||||
{
|
||||
Name: "http",
|
||||
Protocol: k8s.ProtocolTCP,
|
||||
Port: constants.VerifyServicePortHTTP,
|
||||
TargetPort: intstr.FromInt(constants.VerifyServicePortHTTP),
|
||||
NodePort: constants.VerifyServiceNodePortHTTP,
|
||||
},
|
||||
{
|
||||
Name: "grpc",
|
||||
Protocol: k8s.ProtocolTCP,
|
||||
Port: constants.VerifyServicePortGRPC,
|
||||
TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
|
||||
NodePort: constants.VerifyServiceNodePortGRPC,
|
||||
},
|
||||
},
|
||||
Selector: map[string]string{
|
||||
"k8s-app": "verification-service",
|
||||
},
|
||||
},
|
||||
},
|
||||
LoadBalancer: k8s.Service{
|
||||
TypeMeta: meta.TypeMeta{
|
||||
APIVersion: "v1",
|
||||
Kind: "Service",
|
||||
},
|
||||
ObjectMeta: meta.ObjectMeta{
|
||||
Name: "verify",
|
||||
Namespace: "kube-system",
|
||||
},
|
||||
Spec: k8s.ServiceSpec{
|
||||
AllocateLoadBalancerNodePorts: proto.Bool(false),
|
||||
Type: k8s.ServiceTypeLoadBalancer,
|
||||
LoadBalancerClass: proto.String("constellation"),
|
||||
ExternalIPs: []string{loadBalancerIP},
|
||||
Ports: []k8s.ServicePort{
|
||||
{
|
||||
Name: "grpc",
|
||||
Protocol: k8s.ProtocolTCP,
|
||||
Port: constants.VerifyServiceNodePortGRPC,
|
||||
TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
|
||||
},
|
||||
},
|
||||
Selector: map[string]string{
|
||||
"k8s-app": "verification-service",
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// Marshal to Kubernetes YAML.
|
||||
func (v *VerificationDaemonset) Marshal() ([]byte, error) {
|
||||
return kubernetes.MarshalK8SResources(v)
|
||||
}
|
@ -1,25 +0,0 @@
|
||||
/*
|
||||
Copyright (c) Edgeless Systems GmbH
|
||||
|
||||
SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
|
||||
package resources
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestNewVerificationDaemonset(t *testing.T) {
|
||||
deployment := NewVerificationDaemonSet("csp", "192.168.2.1")
|
||||
deploymentYAML, err := deployment.Marshal()
|
||||
require.NoError(t, err)
|
||||
|
||||
var recreated VerificationDaemonset
|
||||
require.NoError(t, kubernetes.UnmarshalK8SResources(deploymentYAML, &recreated))
|
||||
assert.Equal(t, deployment, &recreated)
|
||||
}
|
@ -23,7 +23,6 @@ type clusterUtil interface {
|
||||
InitCluster(ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger) error
|
||||
JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneEndpoint string, log *logger.Logger) error
|
||||
SetupKonnectivity(kubectl k8sapi.Client, konnectivityAgentsDaemonSet kubernetes.Marshaler) error
|
||||
SetupVerificationService(kubectl k8sapi.Client, verificationServiceConfiguration kubernetes.Marshaler) error
|
||||
SetupGCPGuestAgent(kubectl k8sapi.Client, gcpGuestAgentConfiguration kubernetes.Marshaler) error
|
||||
FixCilium(log *logger.Logger)
|
||||
StartKubelet() error
|
||||
|
@ -192,7 +192,15 @@ func (k *KubeWrapper) InitCluster(
|
||||
return nil, fmt.Errorf("setting up konnectivity: %w", err)
|
||||
}
|
||||
|
||||
extraVals, err := k.setupExtraVals(ctx, k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI)
|
||||
loadBalancerIP := controlPlaneEndpoint
|
||||
if strings.Contains(controlPlaneEndpoint, ":") {
|
||||
loadBalancerIP, _, err = net.SplitHostPort(controlPlaneEndpoint)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("splitting host port: %w", err)
|
||||
}
|
||||
}
|
||||
serviceConfig := constellationServicesConfig{k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI, loadBalancerIP}
|
||||
extraVals, err := k.setupExtraVals(ctx, serviceConfig)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("setting up extraVals: %w", err)
|
||||
}
|
||||
@ -205,12 +213,6 @@ func (k *KubeWrapper) InitCluster(
|
||||
return nil, fmt.Errorf("failed to setup internal ConfigMap: %w", err)
|
||||
}
|
||||
|
||||
if err := k.clusterUtil.SetupVerificationService(
|
||||
k.client, resources.NewVerificationDaemonSet(k.cloudProvider, controlPlaneEndpoint),
|
||||
); err != nil {
|
||||
return nil, fmt.Errorf("failed to setup verification service: %w", err)
|
||||
}
|
||||
|
||||
// cert-manager is necessary for our operator deployments.
|
||||
// They are currently only deployed on GCP & Azure. This is why we deploy cert-manager only on GCP & Azure.
|
||||
if k.cloudProvider == "gcp" || k.cloudProvider == "azure" {
|
||||
@ -393,13 +395,16 @@ func getIPAddr() (string, error) {
|
||||
|
||||
// setupExtraVals create a helm values map for consumption by helm-install.
|
||||
// Will move to a more dedicated place once that place becomes apparent.
|
||||
func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSON []byte, idkeydigest []byte, measurementSalt []byte, subnetworkPodCIDR string, cloudServiceAccountURI string) (map[string]any, error) {
|
||||
func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constellationServicesConfig) (map[string]any, error) {
|
||||
extraVals := map[string]any{
|
||||
"join-service": map[string]any{
|
||||
"measurements": string(initialMeasurementsJSON),
|
||||
"measurementSalt": base64.StdEncoding.EncodeToString(measurementSalt),
|
||||
"measurements": string(serviceConfig.initialMeasurementsJSON),
|
||||
"measurementSalt": base64.StdEncoding.EncodeToString(serviceConfig.measurementSalt),
|
||||
},
|
||||
"ccm": map[string]any{},
|
||||
"verification-service": map[string]any{
|
||||
"loadBalancerIP": serviceConfig.loadBalancerIP,
|
||||
},
|
||||
}
|
||||
|
||||
instance, err := k.providerMetadata.Self(ctx)
|
||||
@ -419,7 +424,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
|
||||
return nil, fmt.Errorf("splitting providerID: %w", err)
|
||||
}
|
||||
|
||||
serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(cloudServiceAccountURI)
|
||||
serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(serviceConfig.cloudServiceAccountURI)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("getting service account key: %w", err)
|
||||
}
|
||||
@ -436,7 +441,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
|
||||
"projectID": projectID,
|
||||
"uid": uid,
|
||||
"secretData": string(rawKey),
|
||||
"subnetworkPodCIDR": subnetworkPodCIDR,
|
||||
"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
|
||||
}
|
||||
|
||||
case cloudprovider.Azure:
|
||||
@ -445,7 +450,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
|
||||
return nil, errors.New("invalid cloud provider metadata for Azure")
|
||||
}
|
||||
|
||||
ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, cloudServiceAccountURI)
|
||||
ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, serviceConfig.cloudServiceAccountURI)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("creating ccm secret: %w", err)
|
||||
}
|
||||
@ -456,20 +461,20 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
|
||||
}
|
||||
ccmVals["Azure"] = map[string]any{
|
||||
"azureConfig": string(ccmConfig),
|
||||
"subnetworkPodCIDR": subnetworkPodCIDR,
|
||||
"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
|
||||
}
|
||||
|
||||
joinVals, ok := extraVals["join-service"].(map[string]any)
|
||||
if !ok {
|
||||
return nil, errors.New("invalid join-service values")
|
||||
}
|
||||
joinVals["idkeydigest"] = hex.EncodeToString(idkeydigest)
|
||||
joinVals["idkeydigest"] = hex.EncodeToString(serviceConfig.idkeydigest)
|
||||
|
||||
subscriptionID, resourceGroup, err := azureshared.BasicsFromProviderID(instance.ProviderID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
creds, err := azureshared.ApplicationCredentialsFromURI(cloudServiceAccountURI)
|
||||
creds, err := azureshared.ApplicationCredentialsFromURI(serviceConfig.cloudServiceAccountURI)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -504,3 +509,12 @@ func (k *KubeWrapper) setupOperatorVals(ctx context.Context) (map[string]any, er
|
||||
type ccmConfigGetter interface {
|
||||
GetCCMConfig(ctx context.Context, providerID, cloudServiceAccountURI string) ([]byte, error)
|
||||
}
|
||||
|
||||
type constellationServicesConfig struct {
|
||||
initialMeasurementsJSON []byte
|
||||
idkeydigest []byte
|
||||
measurementSalt []byte
|
||||
subnetworkPodCIDR string
|
||||
cloudServiceAccountURI string
|
||||
loadBalancerIP string
|
||||
}
|
||||
|
@ -187,7 +187,8 @@ func TestInitCluster(t *testing.T) {
|
||||
k8sVersion: versions.Default,
|
||||
},
|
||||
"kubeadm init fails when setting up verification service": {
|
||||
clusterUtil: stubClusterUtil{setupVerificationServiceErr: someErr},
|
||||
clusterUtil: stubClusterUtil{},
|
||||
helmClient: stubHelmClient{servicesError: someErr},
|
||||
kubeconfigReader: &stubKubeconfigReader{
|
||||
kubeconfig: []byte("someKubeconfig"),
|
||||
},
|
||||
@ -414,17 +415,16 @@ func TestK8sCompliantHostname(t *testing.T) {
|
||||
}
|
||||
|
||||
type stubClusterUtil struct {
|
||||
installComponentsErr error
|
||||
initClusterErr error
|
||||
setupAutoscalingError error
|
||||
setupKonnectivityError error
|
||||
setupVerificationServiceErr error
|
||||
setupGCPGuestAgentErr error
|
||||
setupOLMErr error
|
||||
setupNMOErr error
|
||||
setupNodeOperatorErr error
|
||||
joinClusterErr error
|
||||
startKubeletErr error
|
||||
installComponentsErr error
|
||||
initClusterErr error
|
||||
setupAutoscalingError error
|
||||
setupKonnectivityError error
|
||||
setupGCPGuestAgentErr error
|
||||
setupOLMErr error
|
||||
setupNMOErr error
|
||||
setupNodeOperatorErr error
|
||||
joinClusterErr error
|
||||
startKubeletErr error
|
||||
|
||||
initConfigs [][]byte
|
||||
joinConfigs [][]byte
|
||||
@ -451,10 +451,6 @@ func (s *stubClusterUtil) SetupGCPGuestAgent(kubectl k8sapi.Client, gcpGuestAgen
|
||||
return s.setupGCPGuestAgentErr
|
||||
}
|
||||
|
||||
func (s *stubClusterUtil) SetupVerificationService(kubectl k8sapi.Client, verificationServiceConfiguration kubernetes.Marshaler) error {
|
||||
return s.setupVerificationServiceErr
|
||||
}
|
||||
|
||||
func (s *stubClusterUtil) SetupOperatorLifecycleManager(ctx context.Context, kubectl k8sapi.Client, olmCRDs, olmConfiguration kubernetes.Marshaler, crdNames []string) error {
|
||||
return s.setupOLMErr
|
||||
}
|
||||
|
@ -2,39 +2,46 @@ apiVersion: v2
|
||||
name: constellation-services
|
||||
description: A chart to deploy all microservices that are part of a valid constellation cluster
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
||||
dependencies:
|
||||
- name: kms
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- QEMU
|
||||
- name: join-service
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- QEMU
|
||||
- name: ccm
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- name: cnm
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- name: autoscaler
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- name: verification-service
|
||||
version: 2.3.0-pre
|
||||
tags:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- QEMU
|
||||
- name: gcp-compute-persistent-disk-csi-driver
|
||||
version: 1.0.1
|
||||
condition: gcp.deployCSIDriver
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
name: autoscaler
|
||||
description: A Helm chart to deploy the cluster autoscaler.
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
name: ccm
|
||||
description: A Helm chart to deploy the cloud controller manager.
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
name: cnm
|
||||
description: A chart to deploy cloud node manager for constellation
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
name: join-service
|
||||
description: A chart to deploy the Constellation join-service
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
@ -2,4 +2,4 @@ apiVersion: v2
|
||||
name: kms
|
||||
description: A Helm chart to deploy the Constellation Key Management Service
|
||||
type: application
|
||||
version: 2.2.2
|
||||
version: 2.3.0-pre
|
||||
|
@ -0,0 +1,23 @@
|
||||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
@ -0,0 +1,5 @@
|
||||
apiVersion: v2
|
||||
name: verification-service
|
||||
description: A Helm chart for Kubernetes
|
||||
type: application
|
||||
version: 2.3.0-pre
|
@ -0,0 +1,51 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: verification-service
|
||||
k8s-app: verification-service
|
||||
name: verification-service
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: verification-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: verification-service
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --cloud-provider={{ .Values.csp }}
|
||||
image: {{ .Values.image }}
|
||||
name: verification-service
|
||||
ports:
|
||||
- containerPort: {{ .Values.httpContainerPort }}
|
||||
name: http
|
||||
- containerPort: {{ .Values.grpcContainerPort }}
|
||||
name: grpc
|
||||
resources: {}
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /sys/kernel/security/
|
||||
name: event-log
|
||||
readOnly: true
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /sys/kernel/security/
|
||||
name: event-log
|
||||
updateStrategy: {}
|
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verify
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
allocateLoadBalancerNodePorts: false
|
||||
externalIPs:
|
||||
- {{ .Values.loadBalancerIP }}
|
||||
loadBalancerClass: constellation
|
||||
ports:
|
||||
- name: grpc
|
||||
port: {{ .Values.grpcNodePort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.grpcContainerPort }}
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: LoadBalancer
|
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verification-service
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
nodePort: {{ .Values.httpNodePort }}
|
||||
port: {{ .Values.httpContainerPort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.httpContainerPort }}
|
||||
- name: grpc
|
||||
nodePort: {{ .Values.grpcNodePort }}
|
||||
port: {{ .Values.grpcContainerPort }}
|
||||
protocol: TCP
|
||||
targetPort: {{ .Values.grpcContainerPort }}
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: NodePort
|
@ -0,0 +1,25 @@
|
||||
{
|
||||
"$schema": "https://json-schema.org/draft-07/schema#",
|
||||
"properties": {
|
||||
"csp": {
|
||||
"description": "CSP to which the chart is deployed.",
|
||||
"enum": ["Azure", "GCP", "AWS", "QEMU"]
|
||||
},
|
||||
"image": {
|
||||
"description": "Container image to use for the spawned pods.",
|
||||
"type": "string",
|
||||
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
|
||||
},
|
||||
"loadBalancerIP": {
|
||||
"description": "IP of the k8s LB service",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
"csp",
|
||||
"image",
|
||||
"loadBalancerIP"
|
||||
],
|
||||
"title": "Values",
|
||||
"type": "object"
|
||||
}
|
@ -0,0 +1,4 @@
|
||||
httpContainerPort: 8080
|
||||
grpcContainerPort: 9090
|
||||
httpNodePort: 30080
|
||||
grpcNodePort: 30081
|
@ -39,11 +39,19 @@ var helmFS embed.FS
|
||||
|
||||
// ChartLoader loads embedded helm charts.
|
||||
type ChartLoader struct {
|
||||
joinServiceImage string
|
||||
kmsImage string
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
autoscalerImage string
|
||||
joinServiceImage string
|
||||
kmsImage string
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
autoscalerImage string
|
||||
verificationServiceImage string
|
||||
}
|
||||
|
||||
type LoadConfig struct {
|
||||
Csp cloudprovider.Provider
|
||||
ConformanceMode bool
|
||||
MasterSecret []byte
|
||||
Salt []byte
|
||||
}
|
||||
|
||||
// New creates a new ChartLoader.
|
||||
@ -60,11 +68,12 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
|
||||
}
|
||||
|
||||
return &ChartLoader{
|
||||
joinServiceImage: versions.JoinImage,
|
||||
kmsImage: versions.KmsImage,
|
||||
ccmImage: ccmImage,
|
||||
cnmImage: cnmImage,
|
||||
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
|
||||
joinServiceImage: versions.JoinImage,
|
||||
kmsImage: versions.KmsImage,
|
||||
ccmImage: ccmImage,
|
||||
cnmImage: cnmImage,
|
||||
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
|
||||
verificationServiceImage: versions.VerificationImage,
|
||||
}
|
||||
}
|
||||
|
||||
@ -376,6 +385,10 @@ func (i *ChartLoader) loadConstellationServicesHelper(config *config.Config, mas
|
||||
"csp": csp.String(),
|
||||
"image": i.autoscalerImage,
|
||||
},
|
||||
"verification-service": map[string]any{
|
||||
"csp": csp.String(),
|
||||
"image": i.verificationServiceImage,
|
||||
},
|
||||
}
|
||||
|
||||
switch csp {
|
||||
|
@ -88,7 +88,7 @@ func TestConstellationServices(t *testing.T) {
|
||||
assert := assert.New(t)
|
||||
require := require.New(t)
|
||||
|
||||
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage"}
|
||||
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage", verificationServiceImage: "verificationImage"}
|
||||
chart, values, err := chartLoader.loadConstellationServicesHelper(tc.config, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
|
||||
require.NoError(err)
|
||||
|
||||
@ -248,6 +248,11 @@ func prepareGCPValues(values map[string]any) error {
|
||||
},
|
||||
}
|
||||
|
||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'verification-service' key")
|
||||
}
|
||||
verificationVals["loadBalancerIP"] = "127.0.0.1"
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -278,6 +283,12 @@ func prepareAzureValues(values map[string]any) error {
|
||||
"subscriptionID": "subscriptionID",
|
||||
"tenantID": "TenantID",
|
||||
}
|
||||
|
||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'verification-service' key")
|
||||
}
|
||||
verificationVals["loadBalancerIP"] = "127.0.0.1"
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -289,5 +300,11 @@ func prepareQEMUValues(values map[string]any) error {
|
||||
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
|
||||
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
|
||||
verificationVals, ok := values["verification-service"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'verification-service' key")
|
||||
}
|
||||
verificationVals["loadBalancerIP"] = "127.0.0.1"
|
||||
|
||||
return nil
|
||||
}
|
||||
|
@ -0,0 +1,51 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: verification-service
|
||||
k8s-app: verification-service
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: verification-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: verification-service
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --cloud-provider=Azure
|
||||
image: verificationImage
|
||||
name: verification-service
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
- containerPort: 9090
|
||||
name: grpc
|
||||
resources: {}
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /sys/kernel/security/
|
||||
name: event-log
|
||||
readOnly: true
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /sys/kernel/security/
|
||||
name: event-log
|
||||
updateStrategy: {}
|
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verify
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
allocateLoadBalancerNodePorts: false
|
||||
externalIPs:
|
||||
- 127.0.0.1
|
||||
loadBalancerClass: constellation
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 30081
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: LoadBalancer
|
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
nodePort: 30080
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
- name: grpc
|
||||
nodePort: 30081
|
||||
port: 9090
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: NodePort
|
@ -0,0 +1,51 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: verification-service
|
||||
k8s-app: verification-service
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: verification-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: verification-service
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --cloud-provider=GCP
|
||||
image: verificationImage
|
||||
name: verification-service
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
- containerPort: 9090
|
||||
name: grpc
|
||||
resources: {}
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /sys/kernel/security/
|
||||
name: event-log
|
||||
readOnly: true
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /sys/kernel/security/
|
||||
name: event-log
|
||||
updateStrategy: {}
|
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verify
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
allocateLoadBalancerNodePorts: false
|
||||
externalIPs:
|
||||
- 127.0.0.1
|
||||
loadBalancerClass: constellation
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 30081
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: LoadBalancer
|
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
nodePort: 30080
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
- name: grpc
|
||||
nodePort: 30081
|
||||
port: 9090
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: NodePort
|
@ -0,0 +1,51 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
component: verification-service
|
||||
k8s-app: verification-service
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
k8s-app: verification-service
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
k8s-app: verification-service
|
||||
spec:
|
||||
containers:
|
||||
- args:
|
||||
- --cloud-provider=QEMU
|
||||
image: verificationImage
|
||||
name: verification-service
|
||||
ports:
|
||||
- containerPort: 8080
|
||||
name: http
|
||||
- containerPort: 9090
|
||||
name: grpc
|
||||
resources: {}
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- mountPath: /sys/kernel/security/
|
||||
name: event-log
|
||||
readOnly: true
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /sys/kernel/security/
|
||||
name: event-log
|
||||
updateStrategy: {}
|
@ -0,0 +1,18 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verify
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
allocateLoadBalancerNodePorts: false
|
||||
externalIPs:
|
||||
- 127.0.0.1
|
||||
loadBalancerClass: constellation
|
||||
ports:
|
||||
- name: grpc
|
||||
port: 30081
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: LoadBalancer
|
@ -0,0 +1,20 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: verification-service
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
nodePort: 30080
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
targetPort: 8080
|
||||
- name: grpc
|
||||
nodePort: 30081
|
||||
port: 9090
|
||||
protocol: TCP
|
||||
targetPort: 9090
|
||||
selector:
|
||||
k8s-app: verification-service
|
||||
type: NodePort
|
Loading…
Reference in New Issue
Block a user