AB#2593: Deploy verification service via Helm (#594)

2025-11-19 19:42:21 -05:00 · 2022-11-21 17:06:41 +01:00 · 2022-11-21 17:06:41 +01:00 · adc09a1ad1
commit adc09a1ad1
parent 1f9b6ba90f
29 changed files with 514 additions and 276 deletions
--- a/bootstrapper/internal/kubernetes/kubernetes.go
+++ b/bootstrapper/internal/kubernetes/kubernetes.go
@ -192,7 +192,15 @@ func (k *KubeWrapper) InitCluster(
 		return nil, fmt.Errorf("setting up konnectivity: %w", err)
 	}

-	extraVals, err := k.setupExtraVals(ctx, k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI)
+	loadBalancerIP := controlPlaneEndpoint
+	if strings.Contains(controlPlaneEndpoint, ":") {
+		loadBalancerIP, _, err = net.SplitHostPort(controlPlaneEndpoint)
+		if err != nil {
+			return nil, fmt.Errorf("splitting host port: %w", err)
+		}
+	}
+	serviceConfig := constellationServicesConfig{k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI, loadBalancerIP}
+	extraVals, err := k.setupExtraVals(ctx, serviceConfig)
 	if err != nil {
 		return nil, fmt.Errorf("setting up extraVals: %w", err)
 	}
@ -205,12 +213,6 @@ func (k *KubeWrapper) InitCluster(
 		return nil, fmt.Errorf("failed to setup internal ConfigMap: %w", err)
 	}

-	if err := k.clusterUtil.SetupVerificationService(
-		k.client, resources.NewVerificationDaemonSet(k.cloudProvider, controlPlaneEndpoint),
-	); err != nil {
-		return nil, fmt.Errorf("failed to setup verification service: %w", err)
-	}
-
 	// cert-manager is necessary for our operator deployments.
 	// They are currently only deployed on GCP & Azure. This is why we deploy cert-manager only on GCP & Azure.
 	if k.cloudProvider == "gcp" || k.cloudProvider == "azure" {
@ -393,13 +395,16 @@ func getIPAddr() (string, error) {

 // setupExtraVals create a helm values map for consumption by helm-install.
 // Will move to a more dedicated place once that place becomes apparent.
-func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSON []byte, idkeydigest []byte, measurementSalt []byte, subnetworkPodCIDR string, cloudServiceAccountURI string) (map[string]any, error) {
+func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constellationServicesConfig) (map[string]any, error) {
 	extraVals := map[string]any{
 		"join-service": map[string]any{
-			"measurements":    string(initialMeasurementsJSON),
-			"measurementSalt": base64.StdEncoding.EncodeToString(measurementSalt),
+			"measurements":    string(serviceConfig.initialMeasurementsJSON),
+			"measurementSalt": base64.StdEncoding.EncodeToString(serviceConfig.measurementSalt),
 		},
 		"ccm": map[string]any{},
+		"verification-service": map[string]any{
+			"loadBalancerIP": serviceConfig.loadBalancerIP,
+		},
 	}

 	instance, err := k.providerMetadata.Self(ctx)
@ -419,7 +424,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
 			return nil, fmt.Errorf("splitting providerID: %w", err)
 		}

-		serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(cloudServiceAccountURI)
+		serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(serviceConfig.cloudServiceAccountURI)
 		if err != nil {
 			return nil, fmt.Errorf("getting service account key: %w", err)
 		}
@ -436,7 +441,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
 			"projectID":         projectID,
 			"uid":               uid,
 			"secretData":        string(rawKey),
-			"subnetworkPodCIDR": subnetworkPodCIDR,
+			"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
 		}

 	case cloudprovider.Azure:
@ -445,7 +450,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
 			return nil, errors.New("invalid cloud provider metadata for Azure")
 		}

-		ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, cloudServiceAccountURI)
+		ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, serviceConfig.cloudServiceAccountURI)
 		if err != nil {
 			return nil, fmt.Errorf("creating ccm secret: %w", err)
 		}
@ -456,20 +461,20 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
 		}
 		ccmVals["Azure"] = map[string]any{
 			"azureConfig":       string(ccmConfig),
-			"subnetworkPodCIDR": subnetworkPodCIDR,
+			"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
 		}

 		joinVals, ok := extraVals["join-service"].(map[string]any)
 		if !ok {
 			return nil, errors.New("invalid join-service values")
 		}
-		joinVals["idkeydigest"] = hex.EncodeToString(idkeydigest)
+		joinVals["idkeydigest"] = hex.EncodeToString(serviceConfig.idkeydigest)

 		subscriptionID, resourceGroup, err := azureshared.BasicsFromProviderID(instance.ProviderID)
 		if err != nil {
 			return nil, err
 		}
-		creds, err := azureshared.ApplicationCredentialsFromURI(cloudServiceAccountURI)
+		creds, err := azureshared.ApplicationCredentialsFromURI(serviceConfig.cloudServiceAccountURI)
 		if err != nil {
 			return nil, err
 		}
@ -504,3 +509,12 @@ func (k *KubeWrapper) setupOperatorVals(ctx context.Context) (map[string]any, er
 type ccmConfigGetter interface {
 	GetCCMConfig(ctx context.Context, providerID, cloudServiceAccountURI string) ([]byte, error)
 }
+
+type constellationServicesConfig struct {
+	initialMeasurementsJSON []byte
+	idkeydigest             []byte
+	measurementSalt         []byte
+	subnetworkPodCIDR       string
+	cloudServiceAccountURI  string
+	loadBalancerIP          string
+}