AB#2593: Deploy verification service via Helm (#594)

cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml

@@ -2,39 +2,46 @@ apiVersion: v2
 name: constellation-services
 description: A chart to deploy all microservices that are part of a valid constellation cluster
 type: application
-version: 2.2.2
+version: 2.3.0-pre
 
 dependencies:
   - name: kms
-    version: 2.2.2
+    version: 2.3.0-pre
     tags:
       - Azure
       - GCP
       - AWS
       - QEMU
   - name: join-service
-    version: 2.2.2
+    version: 2.3.0-pre
     tags:
       - Azure
       - GCP
       - AWS
       - QEMU
   - name: ccm
-    version: 2.2.2
+    version: 2.3.0-pre
     tags:
       - Azure
       - GCP
       - AWS
   - name: cnm
-    version: 2.2.2
+    version: 2.3.0-pre
     tags:
       - Azure
   - name: autoscaler
-    version: 2.2.2
+    version: 2.3.0-pre
     tags:
       - Azure
       - GCP
       - AWS
+  - name: verification-service
+    version: 2.3.0-pre
+    tags:
+      - Azure
+      - GCP
+      - AWS
+      - QEMU
   - name: gcp-compute-persistent-disk-csi-driver
     version: 1.0.1
     condition: gcp.deployCSIDriver

cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: autoscaler
 description: A Helm chart to deploy the cluster autoscaler.
 type: application
-version: 2.2.2
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: ccm
 description: A Helm chart to deploy the cloud controller manager.
 type: application
-version: 2.2.2
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: cnm
 description: A chart to deploy cloud node manager for constellation
 type: application
-version: 2.2.2
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: join-service
 description: A chart to deploy the Constellation join-service
 type: application
-version: 2.2.2
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v2
 name: kms
 description: A Helm chart to deploy the Constellation Key Management Service
 type: application
-version: 2.2.2
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: verification-service
+description: A Helm chart for Kubernetes
+type: application
+version: 2.3.0-pre

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/daemonset.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    component: verification-service
+    k8s-app: verification-service
+  name: verification-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      k8s-app: verification-service
+  template:
+    metadata:
+      labels:
+        k8s-app: verification-service
+    spec:
+      containers:
+      - args:
+        - --cloud-provider={{ .Values.csp }}
+        image: {{ .Values.image }}
+        name: verification-service
+        ports:
+        - containerPort: {{ .Values.httpContainerPort }}
+          name: http
+        - containerPort: {{ .Values.grpcContainerPort }}
+          name: grpc
+        resources: {}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - mountPath: /sys/kernel/security/
+          name: event-log
+          readOnly: true
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Equal
+        value: "true"
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        operator: Exists
+      - effect: NoSchedule
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /sys/kernel/security/
+        name: event-log
+  updateStrategy: {}

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verify
+  namespace: {{ .Release.Namespace }}
+spec:
+  allocateLoadBalancerNodePorts: false
+  externalIPs:
+  - {{ .Values.loadBalancerIP }}
+  loadBalancerClass: constellation
+  ports:
+  - name: grpc
+    port: {{ .Values.grpcNodePort }}
+    protocol: TCP
+    targetPort: {{ .Values.grpcContainerPort }}
+  selector:
+    k8s-app: verification-service
+  type: LoadBalancer

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/nodeport-service.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: verification-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+  - name: http
+    nodePort: {{ .Values.httpNodePort }}
+    port: {{ .Values.httpContainerPort }}
+    protocol: TCP
+    targetPort: {{ .Values.httpContainerPort }}
+  - name: grpc
+    nodePort: {{ .Values.grpcNodePort }}
+    port: {{ .Values.grpcContainerPort }}
+    protocol: TCP
+    targetPort: {{ .Values.grpcContainerPort }}
+  selector:
+    k8s-app: verification-service
+  type: NodePort

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.schema.json

@@ -0,0 +1,25 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+        "csp": {
+            "description": "CSP to which the chart is deployed.",
+            "enum": ["Azure", "GCP", "AWS", "QEMU"]
+        },
+        "image": {
+            "description": "Container image to use for the spawned pods.",
+            "type": "string",
+            "examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
+        },
+        "loadBalancerIP": {
+            "description": "IP of the k8s LB service",
+            "type": "string"
+        }
+    },
+    "required": [
+        "csp",
+        "image",
+        "loadBalancerIP"
+    ],
+    "title": "Values",
+    "type": "object"
+}

cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.yaml

@@ -0,0 +1,4 @@
+httpContainerPort: 8080
+grpcContainerPort: 9090
+httpNodePort: 30080
+grpcNodePort: 30081