Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2024-10-01 01:36:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

AB#2593: Deploy verification service via Helm (#594)

Browse Source
This commit is contained in:
Otto Bittner 2022-11-21 17:06:41 +01:00 committed by GitHub
parent 1f9b6ba90f
commit adc09a1ad1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
29 changed files with 514 additions and 276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

196
bootstrapper/internal/kubernetes/k8sapi/resources/verification.go
View File

@ -1,196 +0,0 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package resources
import (
"fmt"
"net"
"strings"
"github.com/edgelesssys/constellation/v2/internal/constants"
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
"github.com/edgelesssys/constellation/v2/internal/versions"
"google.golang.org/protobuf/proto"
apps "k8s.io/api/apps/v1"
k8s "k8s.io/api/core/v1"
meta "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
)
// VerificationDaemonset groups all k8s resources for the verification service deployment.
type VerificationDaemonset struct {
DaemonSet apps.DaemonSet
Service k8s.Service
LoadBalancer k8s.Service
}
// NewVerificationDaemonSet creates a new VerificationDaemonset.
func NewVerificationDaemonSet(csp, loadBalancerIP string) *VerificationDaemonset {
var err error
if strings.Contains(loadBalancerIP, ":") {
loadBalancerIP, _, err = net.SplitHostPort(loadBalancerIP)
if err != nil {
panic(err)
}
}
return &VerificationDaemonset{
DaemonSet: apps.DaemonSet{
TypeMeta: meta.TypeMeta{
APIVersion: "apps/v1",
Kind: "DaemonSet",
},
ObjectMeta: meta.ObjectMeta{
Name: "verification-service",
Namespace: "kube-system",
Labels: map[string]string{
"k8s-app": "verification-service",
"component": "verification-service",
},
},
Spec: apps.DaemonSetSpec{
Selector: &meta.LabelSelector{
MatchLabels: map[string]string{
"k8s-app": "verification-service",
},
},
Template: k8s.PodTemplateSpec{
ObjectMeta: meta.ObjectMeta{
Labels: map[string]string{
"k8s-app": "verification-service",
},
},
Spec: k8s.PodSpec{
Tolerations: []k8s.Toleration{
{
Key: "node-role.kubernetes.io/master",
Operator: k8s.TolerationOpEqual,
Value: "true",
Effect: k8s.TaintEffectNoSchedule,
},
{
Key: "node-role.kubernetes.io/control-plane",
Operator: k8s.TolerationOpExists,
Effect: k8s.TaintEffectNoSchedule,
},
{
Operator: k8s.TolerationOpExists,
Effect: k8s.TaintEffectNoExecute,
},
{
Operator: k8s.TolerationOpExists,
Effect: k8s.TaintEffectNoSchedule,
},
},
Containers: []k8s.Container{
{
Name: "verification-service",
Image: versions.VerificationImage,
Ports: []k8s.ContainerPort{
{
Name: "http",
ContainerPort: constants.VerifyServicePortHTTP,
},
{
Name: "grpc",
ContainerPort: constants.VerifyServicePortGRPC,
},
},
SecurityContext: &k8s.SecurityContext{
Privileged: func(b bool) *bool { return &b }(true),
},
Args: []string{
fmt.Sprintf("--cloud-provider=%s", csp),
},
VolumeMounts: []k8s.VolumeMount{
{
Name: "event-log",
ReadOnly: true,
MountPath: "/sys/kernel/security/",
},
},
},
},
Volumes: []k8s.Volume{
{
Name: "event-log",
VolumeSource: k8s.VolumeSource{
HostPath: &k8s.HostPathVolumeSource{
Path: "/sys/kernel/security/",
},
},
},
},
},
},
},
},
Service: k8s.Service{
TypeMeta: meta.TypeMeta{
APIVersion: "v1",
Kind: "Service",
},
ObjectMeta: meta.ObjectMeta{
Name: "verification-service",
Namespace: "kube-system",
},
Spec: k8s.ServiceSpec{
Type: k8s.ServiceTypeNodePort,
Ports: []k8s.ServicePort{
{
Name: "http",
Protocol: k8s.ProtocolTCP,
Port: constants.VerifyServicePortHTTP,
TargetPort: intstr.FromInt(constants.VerifyServicePortHTTP),
NodePort: constants.VerifyServiceNodePortHTTP,
},
{
Name: "grpc",
Protocol: k8s.ProtocolTCP,
Port: constants.VerifyServicePortGRPC,
TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
NodePort: constants.VerifyServiceNodePortGRPC,
},
},
Selector: map[string]string{
"k8s-app": "verification-service",
},
},
},
LoadBalancer: k8s.Service{
TypeMeta: meta.TypeMeta{
APIVersion: "v1",
Kind: "Service",
},
ObjectMeta: meta.ObjectMeta{
Name: "verify",
Namespace: "kube-system",
},
Spec: k8s.ServiceSpec{
AllocateLoadBalancerNodePorts: proto.Bool(false),
Type: k8s.ServiceTypeLoadBalancer,
LoadBalancerClass: proto.String("constellation"),
ExternalIPs: []string{loadBalancerIP},
Ports: []k8s.ServicePort{
{
Name: "grpc",
Protocol: k8s.ProtocolTCP,
Port: constants.VerifyServiceNodePortGRPC,
TargetPort: intstr.FromInt(constants.VerifyServicePortGRPC),
},
},
Selector: map[string]string{
"k8s-app": "verification-service",
},
},
},
}
}
// Marshal to Kubernetes YAML.
func (v *VerificationDaemonset) Marshal() ([]byte, error) {
return kubernetes.MarshalK8SResources(v)
}

25
bootstrapper/internal/kubernetes/k8sapi/resources/verification_test.go
View File

@ -1,25 +0,0 @@
/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package resources
import (
"testing"
"github.com/edgelesssys/constellation/v2/internal/kubernetes"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestNewVerificationDaemonset(t *testing.T) {
deployment := NewVerificationDaemonSet("csp", "192.168.2.1")
deploymentYAML, err := deployment.Marshal()
require.NoError(t, err)
var recreated VerificationDaemonset
require.NoError(t, kubernetes.UnmarshalK8SResources(deploymentYAML, &recreated))
assert.Equal(t, deployment, &recreated)
}

1
bootstrapper/internal/kubernetes/k8sutil.go
View File

@ -23,7 +23,6 @@ type clusterUtil interface {
InitCluster(ctx context.Context, initConfig []byte, nodeName string, ips []net.IP, controlPlaneEndpoint string, conformanceMode bool, log *logger.Logger) error
JoinCluster(ctx context.Context, joinConfig []byte, peerRole role.Role, controlPlaneEndpoint string, log *logger.Logger) error
SetupKonnectivity(kubectl k8sapi.Client, konnectivityAgentsDaemonSet kubernetes.Marshaler) error
SetupVerificationService(kubectl k8sapi.Client, verificationServiceConfiguration kubernetes.Marshaler) error
SetupGCPGuestAgent(kubectl k8sapi.Client, gcpGuestAgentConfiguration kubernetes.Marshaler) error
FixCilium(log *logger.Logger)
StartKubelet() error

46
bootstrapper/internal/kubernetes/kubernetes.go
View File

@ -192,7 +192,15 @@ func (k *KubeWrapper) InitCluster(
return nil, fmt.Errorf("setting up konnectivity: %w", err)
}
extraVals, err := k.setupExtraVals(ctx, k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI)
loadBalancerIP := controlPlaneEndpoint
if strings.Contains(controlPlaneEndpoint, ":") {
loadBalancerIP, _, err = net.SplitHostPort(controlPlaneEndpoint)
if err != nil {
return nil, fmt.Errorf("splitting host port: %w", err)
}
}
serviceConfig := constellationServicesConfig{k.initialMeasurementsJSON, idKeyDigest, measurementSalt, subnetworkPodCIDR, cloudServiceAccountURI, loadBalancerIP}
extraVals, err := k.setupExtraVals(ctx, serviceConfig)
if err != nil {
return nil, fmt.Errorf("setting up extraVals: %w", err)
}
@ -205,12 +213,6 @@ func (k *KubeWrapper) InitCluster(
return nil, fmt.Errorf("failed to setup internal ConfigMap: %w", err)
}
if err := k.clusterUtil.SetupVerificationService(
k.client, resources.NewVerificationDaemonSet(k.cloudProvider, controlPlaneEndpoint),
); err != nil {
return nil, fmt.Errorf("failed to setup verification service: %w", err)
}
// cert-manager is necessary for our operator deployments.
// They are currently only deployed on GCP & Azure. This is why we deploy cert-manager only on GCP & Azure.
if k.cloudProvider == "gcp" || k.cloudProvider == "azure" {
@ -393,13 +395,16 @@ func getIPAddr() (string, error) {
// setupExtraVals create a helm values map for consumption by helm-install.
// Will move to a more dedicated place once that place becomes apparent.
func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSON []byte, idkeydigest []byte, measurementSalt []byte, subnetworkPodCIDR string, cloudServiceAccountURI string) (map[string]any, error) {
func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constellationServicesConfig) (map[string]any, error) {
extraVals := map[string]any{
"join-service": map[string]any{
"measurements": string(initialMeasurementsJSON),
"measurementSalt": base64.StdEncoding.EncodeToString(measurementSalt),
"measurements": string(serviceConfig.initialMeasurementsJSON),
"measurementSalt": base64.StdEncoding.EncodeToString(serviceConfig.measurementSalt),
},
"ccm": map[string]any{},
"verification-service": map[string]any{
"loadBalancerIP": serviceConfig.loadBalancerIP,
},
}
instance, err := k.providerMetadata.Self(ctx)
@ -419,7 +424,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
return nil, fmt.Errorf("splitting providerID: %w", err)
}
serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(cloudServiceAccountURI)
serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(serviceConfig.cloudServiceAccountURI)
if err != nil {
return nil, fmt.Errorf("getting service account key: %w", err)
}
@ -436,7 +441,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
"projectID": projectID,
"uid": uid,
"secretData": string(rawKey),
"subnetworkPodCIDR": subnetworkPodCIDR,
"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
}
case cloudprovider.Azure:
@ -445,7 +450,7 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
return nil, errors.New("invalid cloud provider metadata for Azure")
}
ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, cloudServiceAccountURI)
ccmConfig, err := ccmAzure.GetCCMConfig(ctx, instance.ProviderID, serviceConfig.cloudServiceAccountURI)
if err != nil {
return nil, fmt.Errorf("creating ccm secret: %w", err)
}
@ -456,20 +461,20 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, initialMeasurementsJSO
}
ccmVals["Azure"] = map[string]any{
"azureConfig": string(ccmConfig),
"subnetworkPodCIDR": subnetworkPodCIDR,
"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
}
joinVals, ok := extraVals["join-service"].(map[string]any)
if !ok {
return nil, errors.New("invalid join-service values")
}
joinVals["idkeydigest"] = hex.EncodeToString(idkeydigest)
joinVals["idkeydigest"] = hex.EncodeToString(serviceConfig.idkeydigest)
subscriptionID, resourceGroup, err := azureshared.BasicsFromProviderID(instance.ProviderID)
if err != nil {
return nil, err
}
creds, err := azureshared.ApplicationCredentialsFromURI(cloudServiceAccountURI)
creds, err := azureshared.ApplicationCredentialsFromURI(serviceConfig.cloudServiceAccountURI)
if err != nil {
return nil, err
}
@ -504,3 +509,12 @@ func (k *KubeWrapper) setupOperatorVals(ctx context.Context) (map[string]any, er
type ccmConfigGetter interface {
GetCCMConfig(ctx context.Context, providerID, cloudServiceAccountURI string) ([]byte, error)
}
type constellationServicesConfig struct {
initialMeasurementsJSON []byte
idkeydigest []byte
measurementSalt []byte
subnetworkPodCIDR string
cloudServiceAccountURI string
loadBalancerIP string
}

8
bootstrapper/internal/kubernetes/kubernetes_test.go
View File

@ -187,7 +187,8 @@ func TestInitCluster(t *testing.T) {
k8sVersion: versions.Default,
},
"kubeadm init fails when setting up verification service": {
clusterUtil: stubClusterUtil{setupVerificationServiceErr: someErr},
clusterUtil: stubClusterUtil{},
helmClient: stubHelmClient{servicesError: someErr},
kubeconfigReader: &stubKubeconfigReader{
kubeconfig: []byte("someKubeconfig"),
},
@ -418,7 +419,6 @@ type stubClusterUtil struct {
initClusterErr error
setupAutoscalingError error
setupKonnectivityError error
setupVerificationServiceErr error
setupGCPGuestAgentErr error
setupOLMErr error
setupNMOErr error
@ -451,10 +451,6 @@ func (s *stubClusterUtil) SetupGCPGuestAgent(kubectl k8sapi.Client, gcpGuestAgen
return s.setupGCPGuestAgentErr
}
func (s *stubClusterUtil) SetupVerificationService(kubectl k8sapi.Client, verificationServiceConfiguration kubernetes.Marshaler) error {
return s.setupVerificationServiceErr
}
func (s *stubClusterUtil) SetupOperatorLifecycleManager(ctx context.Context, kubectl k8sapi.Client, olmCRDs, olmConfiguration kubernetes.Marshaler, crdNames []string) error {
return s.setupOLMErr
}

19
cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
View File

@ -2,39 +2,46 @@ apiVersion: v2
name: constellation-services
description: A chart to deploy all microservices that are part of a valid constellation cluster
type: application
version: 2.2.2
version: 2.3.0-pre
dependencies:
- name: kms
version: 2.2.2
version: 2.3.0-pre
tags:
- Azure
- GCP
- AWS
- QEMU
- name: join-service
version: 2.2.2
version: 2.3.0-pre
tags:
- Azure
- GCP
- AWS
- QEMU
- name: ccm
version: 2.2.2
version: 2.3.0-pre
tags:
- Azure
- GCP
- AWS
- name: cnm
version: 2.2.2
version: 2.3.0-pre
tags:
- Azure
- name: autoscaler
version: 2.2.2
version: 2.3.0-pre
tags:
- Azure
- GCP
- AWS
- name: verification-service
version: 2.3.0-pre
tags:
- Azure
- GCP
- AWS
- QEMU
- name: gcp-compute-persistent-disk-csi-driver
version: 1.0.1
condition: gcp.deployCSIDriver

2
cli/internal/helm/charts/edgeless/constellation-services/charts/autoscaler/Chart.yaml
View File

@ -2,4 +2,4 @@ apiVersion: v2
name: autoscaler
description: A Helm chart to deploy the cluster autoscaler.
type: application
version: 2.2.2
version: 2.3.0-pre

2
cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/Chart.yaml
View File

@ -2,4 +2,4 @@ apiVersion: v2
name: ccm
description: A Helm chart to deploy the cloud controller manager.
type: application
version: 2.2.2
version: 2.3.0-pre

2
cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
View File

@ -2,4 +2,4 @@ apiVersion: v2
name: cnm
description: A chart to deploy cloud node manager for constellation
type: application
version: 2.2.2
version: 2.3.0-pre

2
cli/internal/helm/charts/edgeless/constellation-services/charts/join-service/Chart.yaml
View File

@ -2,4 +2,4 @@ apiVersion: v2
name: join-service
description: A chart to deploy the Constellation join-service
type: application
version: 2.2.2
version: 2.3.0-pre

2
cli/internal/helm/charts/edgeless/constellation-services/charts/kms/Chart.yaml
View File

@ -2,4 +2,4 @@ apiVersion: v2
name: kms
description: A Helm chart to deploy the Constellation Key Management Service
type: application
version: 2.2.2
version: 2.3.0-pre

23
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

5
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/Chart.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v2
name: verification-service
description: A Helm chart for Kubernetes
type: application
version: 2.3.0-pre

51
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/daemonset.yaml Normal file
View File

@ -0,0 +1,51 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: verification-service
k8s-app: verification-service
name: verification-service
namespace: {{ .Release.Namespace }}
spec:
selector:
matchLabels:
k8s-app: verification-service
template:
metadata:
labels:
k8s-app: verification-service
spec:
containers:
- args:
- --cloud-provider={{ .Values.csp }}
image: {{ .Values.image }}
name: verification-service
ports:
- containerPort: {{ .Values.httpContainerPort }}
name: http
- containerPort: {{ .Values.grpcContainerPort }}
name: grpc
resources: {}
securityContext:
privileged: true
volumeMounts:
- mountPath: /sys/kernel/security/
name: event-log
readOnly: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- hostPath:
path: /sys/kernel/security/
name: event-log
updateStrategy: {}

18
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: verify
namespace: {{ .Release.Namespace }}
spec:
allocateLoadBalancerNodePorts: false
externalIPs:
- {{ .Values.loadBalancerIP }}
loadBalancerClass: constellation
ports:
- name: grpc
port: {{ .Values.grpcNodePort }}
protocol: TCP
targetPort: {{ .Values.grpcContainerPort }}
selector:
k8s-app: verification-service
type: LoadBalancer

20
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/templates/nodeport-service.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: verification-service
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: http
nodePort: {{ .Values.httpNodePort }}
port: {{ .Values.httpContainerPort }}
protocol: TCP
targetPort: {{ .Values.httpContainerPort }}
- name: grpc
nodePort: {{ .Values.grpcNodePort }}
port: {{ .Values.grpcContainerPort }}
protocol: TCP
targetPort: {{ .Values.grpcContainerPort }}
selector:
k8s-app: verification-service
type: NodePort

25
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.schema.json Normal file
View File

@ -0,0 +1,25 @@
{
"$schema": "https://json-schema.org/draft-07/schema#",
"properties": {
"csp": {
"description": "CSP to which the chart is deployed.",
"enum": ["Azure", "GCP", "AWS", "QEMU"]
},
"image": {
"description": "Container image to use for the spawned pods.",
"type": "string",
"examples": ["ghcr.io/edgelesssys/constellation/join-service:latest"]
},
"loadBalancerIP": {
"description": "IP of the k8s LB service",
"type": "string"
}
},
"required": [
"csp",
"image",
"loadBalancerIP"
],
"title": "Values",
"type": "object"
}

4
cli/internal/helm/charts/edgeless/constellation-services/charts/verification-service/values.yaml Normal file
View File

@ -0,0 +1,4 @@
httpContainerPort: 8080
grpcContainerPort: 9090
httpNodePort: 30080
grpcNodePort: 30081

13
cli/internal/helm/loader.go
View File

@ -44,6 +44,14 @@ type ChartLoader struct {
ccmImage string
cnmImage string
autoscalerImage string
verificationServiceImage string
}
type LoadConfig struct {
Csp cloudprovider.Provider
ConformanceMode bool
MasterSecret []byte
Salt []byte
}
// New creates a new ChartLoader.
@ -65,6 +73,7 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
ccmImage: ccmImage,
cnmImage: cnmImage,
autoscalerImage: versions.VersionConfigs[k8sVersion].ClusterAutoscalerImage,
verificationServiceImage: versions.VerificationImage,
}
}
@ -376,6 +385,10 @@ func (i *ChartLoader) loadConstellationServicesHelper(config *config.Config, mas
"csp": csp.String(),
"image": i.autoscalerImage,
},
"verification-service": map[string]any{
"csp": csp.String(),
"image": i.verificationServiceImage,
},
}
switch csp {

19
cli/internal/helm/loader_test.go
View File

@ -88,7 +88,7 @@ func TestConstellationServices(t *testing.T) {
assert := assert.New(t)
require := require.New(t)
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage"}
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage", verificationServiceImage: "verificationImage"}
chart, values, err := chartLoader.loadConstellationServicesHelper(tc.config, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
require.NoError(err)
@ -248,6 +248,11 @@ func prepareGCPValues(values map[string]any) error {
},
}
verificationVals, ok := values["verification-service"].(map[string]any)
if !ok {
return errors.New("missing 'verification-service' key")
}
verificationVals["loadBalancerIP"] = "127.0.0.1"
return nil
}
@ -278,6 +283,12 @@ func prepareAzureValues(values map[string]any) error {
"subscriptionID": "subscriptionID",
"tenantID": "TenantID",
}
verificationVals, ok := values["verification-service"].(map[string]any)
if !ok {
return errors.New("missing 'verification-service' key")
}
verificationVals["loadBalancerIP"] = "127.0.0.1"
return nil
}
@ -289,5 +300,11 @@ func prepareQEMUValues(values map[string]any) error {
joinVals["measurements"] = "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
joinVals["measurementSalt"] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
verificationVals, ok := values["verification-service"].(map[string]any)
if !ok {
return errors.New("missing 'verification-service' key")
}
verificationVals["loadBalancerIP"] = "127.0.0.1"
return nil
}

51
cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,51 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: verification-service
k8s-app: verification-service
name: verification-service
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: verification-service
template:
metadata:
labels:
k8s-app: verification-service
spec:
containers:
- args:
- --cloud-provider=Azure
image: verificationImage
name: verification-service
ports:
- containerPort: 8080
name: http
- containerPort: 9090
name: grpc
resources: {}
securityContext:
privileged: true
volumeMounts:
- mountPath: /sys/kernel/security/
name: event-log
readOnly: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- hostPath:
path: /sys/kernel/security/
name: event-log
updateStrategy: {}

18
cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml vendored Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: verify
namespace: testNamespace
spec:
allocateLoadBalancerNodePorts: false
externalIPs:
- 127.0.0.1
loadBalancerClass: constellation
ports:
- name: grpc
port: 30081
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: LoadBalancer

20
cli/internal/helm/testdata/Azure/constellation-services/charts/verification-service/templates/nodeport-service.yaml vendored Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: verification-service
namespace: testNamespace
spec:
ports:
- name: http
nodePort: 30080
port: 8080
protocol: TCP
targetPort: 8080
- name: grpc
nodePort: 30081
port: 9090
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: NodePort

51
cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,51 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: verification-service
k8s-app: verification-service
name: verification-service
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: verification-service
template:
metadata:
labels:
k8s-app: verification-service
spec:
containers:
- args:
- --cloud-provider=GCP
image: verificationImage
name: verification-service
ports:
- containerPort: 8080
name: http
- containerPort: 9090
name: grpc
resources: {}
securityContext:
privileged: true
volumeMounts:
- mountPath: /sys/kernel/security/
name: event-log
readOnly: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- hostPath:
path: /sys/kernel/security/
name: event-log
updateStrategy: {}

18
cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml vendored Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: verify
namespace: testNamespace
spec:
allocateLoadBalancerNodePorts: false
externalIPs:
- 127.0.0.1
loadBalancerClass: constellation
ports:
- name: grpc
port: 30081
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: LoadBalancer

20
cli/internal/helm/testdata/GCP/constellation-services/charts/verification-service/templates/nodeport-service.yaml vendored Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: verification-service
namespace: testNamespace
spec:
ports:
- name: http
nodePort: 30080
port: 8080
protocol: TCP
targetPort: 8080
- name: grpc
nodePort: 30081
port: 9090
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: NodePort

51
cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/daemonset.yaml vendored Normal file
View File

@ -0,0 +1,51 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
component: verification-service
k8s-app: verification-service
name: verification-service
namespace: testNamespace
spec:
selector:
matchLabels:
k8s-app: verification-service
template:
metadata:
labels:
k8s-app: verification-service
spec:
containers:
- args:
- --cloud-provider=QEMU
image: verificationImage
name: verification-service
ports:
- containerPort: 8080
name: http
- containerPort: 9090
name: grpc
resources: {}
securityContext:
privileged: true
volumeMounts:
- mountPath: /sys/kernel/security/
name: event-log
readOnly: true
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Equal
value: "true"
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- hostPath:
path: /sys/kernel/security/
name: event-log
updateStrategy: {}

18
cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/loadbalancer-service.yaml vendored Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: verify
namespace: testNamespace
spec:
allocateLoadBalancerNodePorts: false
externalIPs:
- 127.0.0.1
loadBalancerClass: constellation
ports:
- name: grpc
port: 30081
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: LoadBalancer

20
cli/internal/helm/testdata/QEMU/constellation-services/charts/verification-service/templates/nodeport-service.yaml vendored Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Service
metadata:
name: verification-service
namespace: testNamespace
spec:
ports:
- name: http
nodePort: 30080
port: 8080
protocol: TCP
targetPort: 8080
- name: grpc
nodePort: 30081
port: 9090
protocol: TCP
targetPort: 9090
selector:
k8s-app: verification-service
type: NodePort