AB#2593: Deploy verification service via Helm (#594)

2025-09-19 20:44:52 -04:00 · 2022-11-21 17:06:41 +01:00 · 2022-11-21 17:06:41 +01:00 · adc09a1ad1
commit adc09a1ad1
parent 1f9b6ba90f
29 changed files with 514 additions and 276 deletions
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
@ -2,39 +2,46 @@ apiVersion: v2
 name: constellation-services
 description: A chart to deploy all microservices that are part of a valid constellation cluster
 type: application
-version: 2.2.2
+version: 2.3.0-pre

 dependencies:
  - name: kms
-    version: 2.2.2
+    version: 2.3.0-pre
    tags:
      - Azure
      - GCP
      - AWS
      - QEMU
  - name: join-service
-    version: 2.2.2
+    version: 2.3.0-pre
    tags:
      - Azure
      - GCP
      - AWS
      - QEMU
  - name: ccm
-    version: 2.2.2
+    version: 2.3.0-pre
    tags:
      - Azure
      - GCP
      - AWS
  - name: cnm
-    version: 2.2.2
+    version: 2.3.0-pre
    tags:
      - Azure
  - name: autoscaler
-    version: 2.2.2
+    version: 2.3.0-pre
    tags:
      - Azure
      - GCP
      - AWS
+  - name: verification-service
+    version: 2.3.0-pre
+    tags:
+      - Azure
+      - GCP
+      - AWS
+      - QEMU
  - name: gcp-compute-persistent-disk-csi-driver
    version: 1.0.1
    condition: gcp.deployCSIDriver
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: autoscaler
 description: A Helm chart to deploy the cluster autoscaler.
 type: application
-version: 2.2.2
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.2
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.2
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.2
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.2
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/.helmignore
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v2
+name: verification-service
+description: A Helm chart for Kubernetes
+type: application
+version: 2.3.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/daemonset.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/daemonset.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --cloud-provider={{ .Values.csp }}
+        image: {{ .Values.image }}
+        name: verification-service
+        ports:
+        - containerPort: {{ .Values.httpContainerPort }}
+          name: http
+        - containerPort: {{ .Values.grpcContainerPort }}
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: {{ .Release.Namespace }}
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - {{ .Values.loadBalancerIP }}
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: {{ .Values.grpcNodePort }}
+    protocol: TCP
+    targetPort: {{ .Values.grpcContainerPort }}
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/nodeport-service.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/nodeport-service.yaml
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: http
+    nodePort: {{ .Values.httpNodePort }}
+    port: {{ .Values.httpContainerPort }}
+    protocol: TCP
+    targetPort: {{ .Values.httpContainerPort }}
+  - name: grpc
+    nodePort: {{ .Values.grpcNodePort }}
+    port: {{ .Values.grpcContainerPort }}
+    protocol: TCP
+    targetPort: {{ .Values.grpcContainerPort }}
+  selector:
+    k8s-app: verification-service
+  type: NodePort
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.schema.json
@ -0,0 +1,25 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+        "csp": {
+            "description": "CSP to which the chart is deployed.",
+            "enum": ["Azure", "GCP", "AWS", "QEMU"]
+        },
+        "image": {
+            "description": "Container image to use for the spawned pods.",
+            "type": "string",
+            "examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
+        },
+        "loadBalancerIP": {
+            "description": "IP of the k8s LB service",
+            "type": "string"
+        }
+    },
+    "required": [
+        "csp",
+        "image",
+        "loadBalancerIP"
+    ],
+    "title": "Values",
+    "type": "object"
+}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.yaml
@ -0,0 +1,4 @@
+httpContainerPort: 8080
+grpcContainerPort: 9090
+httpNodePort: 30080
+grpcNodePort: 30081
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@ -39,11 +39,19 @@ var helmFS embed.FS

 // ChartLoader loads embedded helm charts.
 type ChartLoader struct {
-	joinServiceImage string
-	kmsImage         string
-	ccmImage         string
-	cnmImage         string
-	autoscalerImage  string
+	joinServiceImage         string
+	kmsImage                 string
+	ccmImage                 string
+	cnmImage                 string
+	autoscalerImage          string
+	verificationServiceImage string
+}
+
+type LoadConfig struct {
+	Csp             cloudprovider.Provider
+	ConformanceMode bool
+	MasterSecret    []byte
+	Salt            []byte
 }

 // New creates a new ChartLoader.
@ -60,11 +68,12 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
 	}

 	return &ChartLoader{
-		joinServiceImage: versions.JoinImage,
-		kmsImage:         versions.KmsImage,
-		ccmImage:         ccmImage,
-		cnmImage:         cnmImage,
-		autoscalerImage:  versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
+		joinServiceImage:         versions.JoinImage,
+		kmsImage:                 versions.KmsImage,
+		ccmImage:                 ccmImage,
+		cnmImage:                 cnmImage,
+		autoscalerImage:          versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
+		verificationServiceImage: versions.VerificationImage,
 	}
 }

@ -376,6 +385,10 @@ func (i *ChartLoader) loadConstellationServicesHelper(config *config.Config, mas
 			"csp":   csp.String(),
 			"image": i.autoscalerImage,
 		},
+		"verification-service": map[string]any{
+			"csp":   csp.String(),
+			"image": i.verificationServiceImage,
+		},
 	}

 	switch csp {
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@ -88,7 +88,7 @@ func TestConstellationServices(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage"}
+			chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage", verificationServiceImage: "verificationImage"}
 			chart, values, err := chartLoader.loadConstellationServicesHelper(tc.config, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
 			require.NoError(err)

@ -248,6 +248,11 @@ func prepareGCPValues(values map[string]any) error {
 		},
 	}

+	verificationVals, ok := values["verification-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'verification-service' key")
+	}
+	verificationVals["loadBalancerIP"] = "127.0.0.1"
 	return nil
 }

@ -278,6 +283,12 @@ func prepareAzureValues(values map[string]any) error {
 		"subscriptionID": "subscriptionID",
 		"tenantID":       "TenantID",
 	}
+
+	verificationVals, ok := values["verification-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'verification-service' key")
+	}
+	verificationVals["loadBalancerIP"] = "127.0.0.1"
 	return nil
 }

@ -289,5 +300,11 @@ func prepareQEMUValues(values map[string]any) error {
 	joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
 	joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

+	verificationVals, ok := values["verification-service"].(map[string]any)
+	if !ok {
+		return errors.New("missing 'verification-service' key")
+	}
+	verificationVals["loadBalancerIP"] = "127.0.0.1"
+
 	return nil
 }
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/daemonset.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/daemonset.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --cloud-provider=Azure
+        image: verificationImage
+        name: verification-service
+        ports:
+        - containerPort: 8080
+          name: http
+        - containerPort: 9090
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: testNamespace
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - 127.0.0.1
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: 30081
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/nodeport-service.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/nodeport-service.yaml
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: testNamespace
+spec:
+  ports:
+  - name: http
+    nodePort: 30080
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: grpc
+    nodePort: 30081
+    port: 9090
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: NodePort
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/daemonset.yaml
+++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/daemonset.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --cloud-provider=GCP
+        image: verificationImage
+        name: verification-service
+        ports:
+        - containerPort: 8080
+          name: http
+        - containerPort: 9090
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
+++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: testNamespace
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - 127.0.0.1
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: 30081
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer
--- a/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/nodeport-service.yaml
+++ b/cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/nodeport-service.yaml
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: testNamespace
+spec:
+  ports:
+  - name: http
+    nodePort: 30080
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: grpc
+    nodePort: 30081
+    port: 9090
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: NodePort
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/daemonset.yaml
+++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/daemonset.yaml
@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: testNamespace
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --cloud-provider=QEMU
+        image: verificationImage
+        name: verification-service
+        ports:
+        - containerPort: 8080
+          name: http
+        - containerPort: 9090
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
+++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml
@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: testNamespace
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - 127.0.0.1
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: 30081
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer
--- a/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/nodeport-service.yaml
+++ b/cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/nodeport-service.yaml
@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: testNamespace
+spec:
+  ports:
+  - name: http
+    nodePort: 30080
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: grpc
+    nodePort: 30081
+    port: 9090
+    protocol: TCP
+    targetPort: 9090
+  selector:
+    k8s-app: verification-service
+  type: NodePort