constellation-lib: add Helm wrapper (#2680)

* Add Helm wrapper to constellation-lib
* Move helm package to constellation-lib

---------

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

.github/workflows/check-links.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Link Checker
         uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0
         with:
-          args: "--verbose --no-progress --max-concurrency 5 --exclude-path './internal/helm/charts/cilium' './**/*.md' './**/*.html'"
+          args: "--verbose --no-progress --max-concurrency 5 --exclude-path './internal/constellation/helm/charts/cilium' './**/*.md' './**/*.html'"
           fail: true
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/test-unittest.yml

@@ -14,7 +14,7 @@ on:
       - ".github/workflows/test-unittest.yml"
   pull_request:
     paths:
-      - "internal/helm/**"
+      - "internal/constellation/helm/**"
       - "**.go"
       - "**/go.mod"
       - "**/go.sum"

CODEOWNERS

@@ -40,7 +40,7 @@
 /internal/featureset @malt3
 /internal/file @daniel-weisse
 /internal/grpc @thomasten
-/internal/helm @derpsteb
+/internal/constellation/helm @derpsteb
 /internal/imagefetcher @malt3
 /internal/installer @3u13r
 /internal/kms @daniel-weisse

bazel/ci/shellcheck.sh.in

@@ -25,7 +25,7 @@ readarray -t <<< "${scriptsStr}"
 scripts=("${MAPFILE[@]}")
 
 excludeDirs=(
-  "internal/helm/charts/cilium"
+  "internal/constellation/helm/charts/cilium"
   "build"
   "docs/node_modules"
 )

bazel/ci/shfmt.sh.in

@@ -23,7 +23,7 @@ readarray -t <<< "${scriptsStr}"
 scripts=("${MAPFILE[@]}")
 
 excludeDirs=(
-  "internal/helm/charts/cilium"
+  "internal/constellation/helm/charts/cilium"
   "build"
   "docs/node_modules"
 )

cli/internal/cmd/BUILD.bazel

@@ -73,13 +73,13 @@ go_library(
         "//internal/config/migration",
         "//internal/constants",
         "//internal/constellation",
+        "//internal/constellation/helm",
         "//internal/constellation/kubecmd",
         "//internal/crypto",
         "//internal/featureset",
         "//internal/file",
         "//internal/grpc/dialer",
         "//internal/grpc/retry",
-        "//internal/helm",
         "//internal/imagefetcher",
         "//internal/kms/uri",
         # keep
@@ -165,6 +165,7 @@ go_test(
         "//internal/config",
         "//internal/constants",
         "//internal/constellation",
+        "//internal/constellation/helm",
         "//internal/constellation/kubecmd",
         "//internal/crypto",
         "//internal/crypto/testvector",
@@ -172,7 +173,6 @@ go_test(
         "//internal/grpc/atlscredentials",
         "//internal/grpc/dialer",
         "//internal/grpc/testdialer",
-        "//internal/helm",
         "//internal/kms/uri",
         "//internal/logger",
         "//internal/semver",

cli/internal/cmd/apply.go

@@ -30,10 +30,10 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/constellation"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/edgelesssys/constellation/v2/internal/imagefetcher"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/semver"
@@ -230,14 +230,6 @@ func runApply(cmd *cobra.Command, _ []string) error {
 		return dialer.New(nil, validator, &net.Dialer{})
 	}
 
-	newHelmClient := func(kubeConfigPath string, log debugLog) (helmApplier, error) {
-		kubeConfig, err := fileHandler.Read(kubeConfigPath)
-		if err != nil {
-			return nil, fmt.Errorf("reading kubeconfig: %w", err)
-		}
-		return helm.NewClient(kubeConfig, log)
-	}
-
 	upgradeID := generateUpgradeID(upgradeCmdKindApply)
 	upgradeDir := filepath.Join(constants.UpgradeDir, upgradeID)
 
@@ -261,7 +253,6 @@ func runApply(cmd *cobra.Command, _ []string) error {
 		wLog:            &warnLogger{cmd: cmd, log: log},
 		spinner:         spinner,
 		merger:          &kubeconfigMerger{log: log},
-		newHelmClient:   newHelmClient,
 		newInfraApplier: newInfraApplier,
 		imageFetcher:    imagefetcher.New(),
 		applier:         applier,
@@ -287,39 +278,9 @@ type applyCmd struct {
 	imageFetcher imageFetcher
 	applier      applier
 
-	newHelmClient   func(kubeConfigPath string, log debugLog) (helmApplier, error)
 	newInfraApplier func(context.Context) (cloudApplier, func(), error)
 }
 
-type applier interface {
-	SetKubeConfig(kubeConfig []byte) error
-	CheckLicense(ctx context.Context, csp cloudprovider.Provider, licenseID string) (int, error)
-	GenerateMasterSecret() (uri.MasterSecret, error)
-	GenerateMeasurementSalt() ([]byte, error)
-	Init(
-		ctx context.Context,
-		validator atls.Validator,
-		state *state.State,
-		clusterLogWriter io.Writer,
-		payload constellation.InitPayload,
-	) (
-		*initproto.InitSuccessResponse,
-		error,
-	)
-	ExtendClusterConfigCertSANs(ctx context.Context, clusterEndpoint, customEndpoint string, additionalAPIServerCertSANs []string) error
-	GetClusterAttestationConfig(ctx context.Context, variant variant.Variant) (config.AttestationCfg, error)
-	ApplyJoinConfig(ctx context.Context, newAttestConfig config.AttestationCfg, measurementSalt []byte) error
-	UpgradeNodeImage(ctx context.Context, imageVersion semver.Semver, imageReference string, force bool) error
-	UpgradeKubernetesVersion(ctx context.Context, kubernetesVersion versions.ValidK8sVersion, force bool) error
-	BackupCRDs(ctx context.Context, fileHandler file.Handler, upgradeDir string) ([]apiextensionsv1.CustomResourceDefinition, error)
-	BackupCRs(ctx context.Context, fileHandler file.Handler, crds []apiextensionsv1.CustomResourceDefinition, upgradeDir string) error
-}
-
-type warnLog interface {
-	Warnf(format string, args ...any)
-	Infof(format string, args ...any)
-}
-
 /*
 apply updates a Constellation cluster by applying a user's config.
 The control flow is as follows:
@@ -845,6 +806,42 @@ func (wl warnLogger) Warnf(fmtStr string, args ...any) {
 	wl.cmd.PrintErrf("Warning: %s\n", fmt.Sprintf(fmtStr, args...))
 }
 
+type warnLog interface {
+	Warnf(format string, args ...any)
+	Infof(format string, args ...any)
+}
+
+// applier is used to run the different phases of the apply command.
+type applier interface {
+	SetKubeConfig(kubeConfig []byte) error
+	CheckLicense(ctx context.Context, csp cloudprovider.Provider, licenseID string) (int, error)
+
+	// methods required by "init"
+
+	GenerateMasterSecret() (uri.MasterSecret, error)
+	GenerateMeasurementSalt() ([]byte, error)
+	Init(
+		ctx context.Context, validator atls.Validator, state *state.State,
+		clusterLogWriter io.Writer, payload constellation.InitPayload,
+	) (*initproto.InitSuccessResponse, error)
+
+	// methods required to install/upgrade Helm charts
+
+	PrepareHelmCharts(
+		flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+	) (helm.Applier, bool, error)
+
+	// methods to interact with Kubernetes
+
+	ExtendClusterConfigCertSANs(ctx context.Context, clusterEndpoint, customEndpoint string, additionalAPIServerCertSANs []string) error
+	GetClusterAttestationConfig(ctx context.Context, variant variant.Variant) (config.AttestationCfg, error)
+	ApplyJoinConfig(ctx context.Context, newAttestConfig config.AttestationCfg, measurementSalt []byte) error
+	UpgradeNodeImage(ctx context.Context, imageVersion semver.Semver, imageReference string, force bool) error
+	UpgradeKubernetesVersion(ctx context.Context, kubernetesVersion versions.ValidK8sVersion, force bool) error
+	BackupCRDs(ctx context.Context, fileHandler file.Handler, upgradeDir string) ([]apiextensionsv1.CustomResourceDefinition, error)
+	BackupCRs(ctx context.Context, fileHandler file.Handler, crds []apiextensionsv1.CustomResourceDefinition, upgradeDir string) error
+}
+
 // imageFetcher gets an image reference from the versionsapi.
 type imageFetcher interface {
 	FetchReference(ctx context.Context,

cli/internal/cmd/apply_test.go

@@ -24,8 +24,8 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/constellation"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/state"
@@ -193,7 +193,9 @@ func TestBackupHelmCharts(t *testing.T) {
 
 			a := applyCmd{
 				fileHandler: file.NewHandler(afero.NewMemMapFs()),
-				applier:     &stubConstellApplier{stubKubernetesUpgrader: tc.backupClient},
+				applier: &stubConstellApplier{
+					stubKubernetesUpgrader: tc.backupClient,
+				},
 				log: logger.NewTest(t),
 			}
 
@@ -502,6 +504,7 @@ type stubConstellApplier struct {
 	initErr                    error
 	initResponse               *initproto.InitSuccessResponse
 	*stubKubernetesUpgrader
+	helmApplier
 }
 
 func (s *stubConstellApplier) SetKubeConfig([]byte) error { return nil }
@@ -521,3 +524,10 @@ func (s *stubConstellApplier) GenerateMeasurementSalt() ([]byte, error) {
 func (s *stubConstellApplier) Init(context.Context, atls.Validator, *state.State, io.Writer, constellation.InitPayload) (*initproto.InitSuccessResponse, error) {
 	return s.initResponse, s.initErr
 }
+
+type helmApplier interface {
+	PrepareHelmCharts(
+		flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+	) (
+		helm.Applier, bool, error)
+}

cli/internal/cmd/applyhelm.go

@@ -16,7 +16,7 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/compatibility"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/state"
 	"github.com/spf13/cobra"
@@ -32,6 +32,10 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 	}
 
 	options := helm.Options{
+		CSP:                 conf.GetProvider(),
+		AttestationVariant:  conf.GetAttestationConfig().GetVariant(),
+		K8sVersion:          conf.KubernetesVersion,
+		MicroserviceVersion: conf.MicroserviceVersion,
 		DeployCSIDriver:     conf.DeployCSIDriver(),
 		Force:               a.flags.force,
 		Conformance:         a.flags.conformance,
@@ -39,10 +43,6 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 		ApplyTimeout:        a.flags.helmTimeout,
 		AllowDestructive:    helm.DenyDestructive,
 	}
-	helmApplier, err := a.newHelmClient(constants.AdminConfFilename, a.log)
-	if err != nil {
-		return fmt.Errorf("creating Helm client: %w", err)
-	}
 
 	a.log.Debugf("Getting service account URI")
 	serviceAccURI, err := cloudcmd.GetMarshaledServiceAccountURI(conf, a.fileHandler)
@@ -51,8 +51,7 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 	}
 
 	a.log.Debugf("Preparing Helm charts")
-	executor, includesUpgrades, err := helmApplier.PrepareApply(conf.GetProvider(), conf.GetAttestationConfig().GetVariant(),
+	executor, includesUpgrades, err := a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret, conf.Provider.OpenStack)
-		conf.KubernetesVersion, conf.MicroserviceVersion, stateFile, options, serviceAccURI, masterSecret, conf.Provider.OpenStack)
 	if errors.Is(err, helm.ErrConfirmationMissing) {
 		if !a.flags.yes {
 			cmd.PrintErrln("WARNING: Upgrading cert-manager will destroy all custom resources you have manually created that are based on the current version of cert-manager.")
@@ -66,8 +65,7 @@ func (a *applyCmd) runHelmApply(cmd *cobra.Command, conf *config.Config, stateFi
 			}
 		}
 		options.AllowDestructive = helm.AllowDestructive
-		executor, includesUpgrades, err = helmApplier.PrepareApply(conf.GetProvider(), conf.GetAttestationConfig().GetVariant(),
+		executor, includesUpgrades, err = a.applier.PrepareHelmCharts(options, stateFile, serviceAccURI, masterSecret, conf.Provider.OpenStack)
-			conf.KubernetesVersion, conf.MicroserviceVersion, stateFile, options, serviceAccURI, masterSecret, conf.Provider.OpenStack)
 	}
 	var upgradeErr *compatibility.InvalidUpgradeError
 	if err != nil {

cli/internal/cmd/init.go

@@ -20,15 +20,7 @@ import (
 	clientcodec "k8s.io/client-go/tools/clientcmd/api/latest"
 	"sigs.k8s.io/yaml"
 
-	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
-	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
-	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
-	"github.com/edgelesssys/constellation/v2/internal/semver"
-	"github.com/edgelesssys/constellation/v2/internal/state"
-	"github.com/edgelesssys/constellation/v2/internal/versions"
 )
 
 // NewInitCmd returns a new cobra.Command for the init command.
@@ -116,10 +108,3 @@ func (c *kubeconfigMerger) kubeconfigEnvVar() string {
 type grpcDialer interface {
 	Dial(ctx context.Context, target string) (*grpc.ClientConn, error)
 }
-type helmApplier interface {
-	PrepareApply(
-		csp cloudprovider.Provider, attestationVariant variant.Variant, k8sVersion versions.ValidK8sVersion, microserviceVersion semver.Semver, stateFile *state.State,
-		flags helm.Options, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
-	) (
-		helm.Applier, bool, error)
-}

cli/internal/cmd/init_test.go

@@ -18,14 +18,13 @@ import (
 	"github.com/edgelesssys/constellation/v2/bootstrapper/initproto"
 	"github.com/edgelesssys/constellation/v2/cli/internal/cmd/pathprefix"
 	"github.com/edgelesssys/constellation/v2/internal/attestation/measurements"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
 	"github.com/edgelesssys/constellation/v2/internal/constellation"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/semver"
@@ -233,9 +232,6 @@ func TestInitialize(t *testing.T) {
 				log:     logger.NewTest(t),
 				spinner: &nopSpinner{},
 				merger:  &stubMerger{},
-				newHelmClient: func(string, debugLog) (helmApplier, error) {
-					return &stubHelmApplier{}, nil
-				},
 				applier: &stubConstellApplier{
 					masterSecret: uri.MasterSecret{
 						Key:  bytes.Repeat([]byte{0x01}, 32),
@@ -248,6 +244,7 @@ func TestInitialize(t *testing.T) {
 						// On init, no attestation config exists yet
 						getClusterAttestationConfigErr: k8serrors.NewNotFound(schema.GroupResource{}, ""),
 					},
+					helmApplier: &stubHelmApplier{},
 				},
 			}
 
@@ -282,9 +279,8 @@ type stubHelmApplier struct {
 	err error
 }
 
-func (s stubHelmApplier) PrepareApply(
+func (s stubHelmApplier) PrepareHelmCharts(
-	_ cloudprovider.Provider, _ variant.Variant, _ versions.ValidK8sVersion, _ semver.Semver,
+	_ helm.Options, _ *state.State, _ string, _ uri.MasterSecret, _ *config.OpenStackConfig,
-	_ *state.State, _ helm.Options, _ string, _ uri.MasterSecret, _ *config.OpenStackConfig,
 ) (helm.Applier, bool, error) {
 	return stubRunner{}, false, s.err
 }

cli/internal/cmd/status.go

@@ -16,9 +16,9 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/spf13/afero"
 	"github.com/spf13/cobra"
 	"gopkg.in/yaml.v3"

cli/internal/cmd/upgradeapply_test.go

@@ -16,9 +16,9 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/logger"
 	"github.com/edgelesssys/constellation/v2/internal/semver"
@@ -53,7 +53,7 @@ func TestUpgradeApply(t *testing.T) {
 	}{
 		"success": {
 			kubeUpgrader:      &stubKubernetesUpgrader{currentConfig: config.DefaultForAzureSEVSNP()},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
 			fh:                fsWithStateFileAndTfState,
@@ -66,7 +66,7 @@ func TestUpgradeApply(t *testing.T) {
 		},
 		"id file and state file do not exist": {
 			kubeUpgrader:      &stubKubernetesUpgrader{currentConfig: config.DefaultForAzureSEVSNP()},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
 			fh: func() file.Handler {
@@ -79,7 +79,7 @@ func TestUpgradeApply(t *testing.T) {
 				currentConfig:  config.DefaultForAzureSEVSNP(),
 				nodeVersionErr: assert.AnError,
 			},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			wantErr:           true,
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
@@ -90,7 +90,7 @@ func TestUpgradeApply(t *testing.T) {
 				currentConfig:  config.DefaultForAzureSEVSNP(),
 				nodeVersionErr: kubecmd.ErrInProgress,
 			},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
 			fh:                fsWithStateFileAndTfState,
@@ -99,7 +99,7 @@ func TestUpgradeApply(t *testing.T) {
 			kubeUpgrader: &stubKubernetesUpgrader{
 				currentConfig: config.DefaultForAzureSEVSNP(),
 			},
-			helmUpgrader:      stubHelmApplier{err: assert.AnError},
+			helmUpgrader:      &stubHelmApplier{err: assert.AnError},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			wantErr:           true,
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
@@ -109,7 +109,7 @@ func TestUpgradeApply(t *testing.T) {
 			kubeUpgrader: &stubKubernetesUpgrader{
 				currentConfig: config.DefaultForAzureSEVSNP(),
 			},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{terraformDiff: true},
 			wantErr:           true,
 			stdin:             "no\n",
@@ -215,7 +215,7 @@ func TestUpgradeApply(t *testing.T) {
 		},
 		"attempt to change attestation variant": {
 			kubeUpgrader:      &stubKubernetesUpgrader{currentConfig: &config.AzureTrustedLaunch{}},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
 			fh:                fsWithStateFileAndTfState,
@@ -223,7 +223,7 @@ func TestUpgradeApply(t *testing.T) {
 		},
 		"image fetching fails": {
 			kubeUpgrader:      &stubKubernetesUpgrader{currentConfig: config.DefaultForAzureSEVSNP()},
-			helmUpgrader:      stubHelmApplier{},
+			helmUpgrader:      &stubHelmApplier{},
 			terraformUpgrader: &stubTerraformUpgrader{},
 			fetchImageErr:     assert.AnError,
 			flags:             applyFlags{yes: true, skipPhases: skipPhases{skipInitPhase: struct{}{}}},
@@ -254,13 +254,13 @@ func TestUpgradeApply(t *testing.T) {
 				log:         logger.NewTest(t),
 				spinner:     &nopSpinner{},
 				merger:      &stubMerger{},
-				newHelmClient: func(string, debugLog) (helmApplier, error) {
-					return tc.helmUpgrader, nil
-				},
 				newInfraApplier: func(ctx context.Context) (cloudApplier, func(), error) {
 					return tc.terraformUpgrader, func() {}, nil
 				},
-				applier:      &stubConstellApplier{stubKubernetesUpgrader: tc.kubeUpgrader},
+				applier: &stubConstellApplier{
+					stubKubernetesUpgrader: tc.kubeUpgrader,
+					helmApplier:            tc.helmUpgrader,
+				},
 				imageFetcher: &stubImageFetcher{fetchReferenceErr: tc.fetchImageErr},
 			}
 			err := upgrader.apply(cmd, stubAttestationFetcher{}, "test")
@@ -375,10 +375,10 @@ type mockApplier struct {
 	mock.Mock
 }
 
-func (m *mockApplier) PrepareApply(csp cloudprovider.Provider, variant variant.Variant, k8sVersion versions.ValidK8sVersion, microserviceVersion semver.Semver, stateFile *state.State,
+func (m *mockApplier) PrepareHelmCharts(
-	helmOpts helm.Options, str string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+	helmOpts helm.Options, stateFile *state.State, str string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
 ) (helm.Applier, bool, error) {
-	args := m.Called(csp, variant, k8sVersion, microserviceVersion, stateFile, helmOpts, str, masterSecret, openStackCfg)
+	args := m.Called(helmOpts, stateFile, helmOpts, str, masterSecret, openStackCfg)
 	return args.Get(0).(helm.Applier), args.Bool(1), args.Error(2)
 }
 

cli/internal/cmd/upgradecheck.go

@@ -26,10 +26,10 @@ import (
 	"github.com/edgelesssys/constellation/v2/internal/compatibility"
 	"github.com/edgelesssys/constellation/v2/internal/config"
 	"github.com/edgelesssys/constellation/v2/internal/constants"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 	"github.com/edgelesssys/constellation/v2/internal/featureset"
 	"github.com/edgelesssys/constellation/v2/internal/file"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	consemver "github.com/edgelesssys/constellation/v2/internal/semver"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore"
 	"github.com/edgelesssys/constellation/v2/internal/sigstore/keyselect"

hack/gocoverage/main_test.go

@@ -39,10 +39,10 @@ ok  	github.com/edgelesssys/constellation/v2/cli/internal/clusterid	(cached)	cov
 ?   	github.com/edgelesssys/constellation/v2/cli/internal/cmd/pathprefix	[no test files]
 ok  	github.com/edgelesssys/constellation/v2/cli/internal/cmd	(cached)	coverage: 54.3% of statements
 ?   	github.com/edgelesssys/constellation/v2/internal/featureset	[no test files]
-?   	github.com/edgelesssys/constellation/v2/internal/helm/imageversion	[no test files]
+?   	github.com/edgelesssys/constellation/v2/internal/constellation/helm/imageversion	[no test files]
 ?   	github.com/edgelesssys/constellation/v2/cli/internal/libvirt	[no test files]
 ?   	github.com/edgelesssys/constellation/v2/debugd/cmd/cdbg	[no test files]
-ok  	github.com/edgelesssys/constellation/v2/internal/helm	(cached)	coverage: 36.0% of statements
+ok  	github.com/edgelesssys/constellation/v2/internal/constellation/helm	(cached)	coverage: 36.0% of statements
 ok  	github.com/edgelesssys/constellation/v2/cli/internal/kubernetes	(cached)	coverage: 40.4% of statements
 ok  	github.com/edgelesssys/constellation/v2/cli/internal/terraform	(cached)	coverage: 70.8% of statements
 ok  	github.com/edgelesssys/constellation/v2/cli/internal/upgrade	(cached)	coverage: 66.7% of statements
@@ -226,8 +226,8 @@ ok  	github.com/edgelesssys/constellation/v2/operators/constellation-node-operat
 `
 
 const (
-	exampleReportCLI    = `{"Metadate":{"Created":"2023-08-24T16:09:02Z"},"Coverage":{"github.com/edgelesssys/constellation/v2/cli":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/cmd":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd":{"Coverage":65.5,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/clusterid":{"Coverage":56.2,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd":{"Coverage":53.5,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd/pathprefix":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/featureset":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/helm":{"Coverage":47.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/helm/imageversion":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd":{"Coverage":54.1,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/libvirt":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/terraform":{"Coverage":71.3,"Notest":false,"Nostmt":false}}}`
+	exampleReportCLI    = `{"Metadate":{"Created":"2023-08-24T16:09:02Z"},"Coverage":{"github.com/edgelesssys/constellation/v2/cli":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/cmd":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd":{"Coverage":65.5,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/clusterid":{"Coverage":56.2,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd":{"Coverage":53.5,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd/pathprefix":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/featureset":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/helm":{"Coverage":47.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/helm/imageversion":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd":{"Coverage":54.1,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/libvirt":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/terraform":{"Coverage":71.3,"Notest":false,"Nostmt":false}}}`
-	exampleReportCLIOld = `{"Metadate":{"Created":"2023-08-24T16:48:39Z"},"Coverage":{"github.com/edgelesssys/constellation/v2/cli":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/cmd":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd":{"Coverage":73.1,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/clusterid":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd":{"Coverage":61.6,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/featureset":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/helm":{"Coverage":51.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/helm/imageversion":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/iamid":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/kubernetes":{"Coverage":49.8,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/libvirt":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/terraform":{"Coverage":66.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/upgrade":{"Coverage":83,"Notest":false,"Nostmt":false}}}`
+	exampleReportCLIOld = `{"Metadate":{"Created":"2023-08-24T16:48:39Z"},"Coverage":{"github.com/edgelesssys/constellation/v2/cli":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/cmd":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cloudcmd":{"Coverage":73.1,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/clusterid":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/cmd":{"Coverage":61.6,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/featureset":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/helm":{"Coverage":51.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/internal/constellation/helm/imageversion":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/iamid":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/kubernetes":{"Coverage":49.8,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/libvirt":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/terraform":{"Coverage":66.7,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/cli/internal/upgrade":{"Coverage":83,"Notest":false,"Nostmt":false}}}`
 	exampleReportDisk   = `{"Metadate":{"Created":"2023-08-24T16:40:25Z"},"Coverage":{"github.com/edgelesssys/constellation/v2/disk-mapper/cmd":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/internal/diskencryption":{"Coverage":0,"Notest":true,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/internal/recoveryserver":{"Coverage":89.1,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/internal/rejoinclient":{"Coverage":91.8,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/internal/setup":{"Coverage":68.9,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/internal/systemd":{"Coverage":25.8,"Notest":false,"Nostmt":false},"github.com/edgelesssys/constellation/v2/disk-mapper/recoverproto":{"Coverage":0,"Notest":true,"Nostmt":false}}}`
 )
 

internal/constellation/BUILD.bazel

@@ -7,6 +7,7 @@ go_library(
         "apply.go",
         "applyinit.go",
         "constellation.go",
+        "helm.go",
         "kubernetes.go",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/internal/constellation",
@@ -18,13 +19,13 @@ go_library(
         "//internal/cloud/cloudprovider",
         "//internal/config",
         "//internal/constants",
+        "//internal/constellation/helm",
         "//internal/constellation/kubecmd",
         "//internal/crypto",
         "//internal/file",
         "//internal/grpc/dialer",
         "//internal/grpc/grpclog",
         "//internal/grpc/retry",
-        "//internal/helm",
         "//internal/kms/uri",
         "//internal/license",
         "//internal/retry",

internal/constellation/apply.go

@@ -11,20 +11,13 @@ import (
 	"fmt"
 
 	"github.com/edgelesssys/constellation/v2/internal/atls"
-	"github.com/edgelesssys/constellation/v2/internal/attestation/variant"
 	"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
-	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
 	"github.com/edgelesssys/constellation/v2/internal/constellation/kubecmd"
 	"github.com/edgelesssys/constellation/v2/internal/crypto"
-	"github.com/edgelesssys/constellation/v2/internal/file"
 	"github.com/edgelesssys/constellation/v2/internal/grpc/dialer"
-	"github.com/edgelesssys/constellation/v2/internal/helm"
 	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
 	"github.com/edgelesssys/constellation/v2/internal/license"
-	"github.com/edgelesssys/constellation/v2/internal/semver"
-	"github.com/edgelesssys/constellation/v2/internal/state"
-	"github.com/edgelesssys/constellation/v2/internal/versions"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 )
 
 // An Applier handles applying a specific configuration to a Constellation cluster
@@ -120,21 +113,3 @@ func (a *Applier) GenerateMeasurementSalt() ([]byte, error) {
 	a.log.Debugf("Generated measurement salt")
 	return measurementSalt, nil
 }
-
-type helmApplier interface {
-	PrepareApply(
-		csp cloudprovider.Provider, attestationVariant variant.Variant, k8sVersion versions.ValidK8sVersion, microserviceVersion semver.Semver, stateFile *state.State,
-		flags helm.Options, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
-	) (
-		helm.Applier, bool, error)
-}
-
-type kubecmdClient interface {
-	UpgradeNodeImage(ctx context.Context, imageVersion semver.Semver, imageReference string, force bool) error
-	UpgradeKubernetesVersion(ctx context.Context, kubernetesVersion versions.ValidK8sVersion, force bool) error
-	ExtendClusterConfigCertSANs(ctx context.Context, alternativeNames []string) error
-	GetClusterAttestationConfig(ctx context.Context, variant variant.Variant) (config.AttestationCfg, error)
-	ApplyJoinConfig(ctx context.Context, newAttestConfig config.AttestationCfg, measurementSalt []byte) error
-	BackupCRs(ctx context.Context, fileHandler file.Handler, crds []apiextensionsv1.CustomResourceDefinition, upgradeDir string) error
-	BackupCRDs(ctx context.Context, fileHandler file.Handler, upgradeDir string) ([]apiextensionsv1.CustomResourceDefinition, error)
-}

internal/constellation/helm.go

@@ -0,0 +1,34 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package constellation
+
+import (
+	"errors"
+
+	"github.com/edgelesssys/constellation/v2/internal/config"
+	"github.com/edgelesssys/constellation/v2/internal/constellation/helm"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+	"github.com/edgelesssys/constellation/v2/internal/state"
+)
+
+// PrepareHelmCharts loads Helm charts for Constellation and returns an executor to apply them.
+func (a *Applier) PrepareHelmCharts(
+	flags helm.Options, state *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+) (helm.Applier, bool, error) {
+	if a.helmClient == nil {
+		return nil, false, errors.New("helm client not initialized")
+	}
+
+	return a.helmClient.PrepareApply(flags, state, serviceAccURI, masterSecret, openStackCfg)
+}
+
+type helmApplier interface {
+	PrepareApply(
+		flags helm.Options, stateFile *state.State, serviceAccURI string, masterSecret uri.MasterSecret, openStackCfg *config.OpenStackConfig,
+	) (
+		helm.Applier, bool, error)
+}

internal/constellation/helm/BUILD.bazel

@@ -454,7 +454,7 @@ go_library(
         "charts/cilium/templates/spire/server/serviceaccount.yaml",
         "charts/cilium/templates/spire/server/statefulset.yaml",
     ],
-    importpath = "github.com/edgelesssys/constellation/v2/internal/helm",
+    importpath = "github.com/edgelesssys/constellation/v2/internal/constellation/helm",
     visibility = ["//:__subpackages__"],
     deps = [
         "//internal/attestation/variant",
@@ -465,8 +465,8 @@ go_library(
         "//internal/compatibility",
         "//internal/config",
         "//internal/constants",
+        "//internal/constellation/helm/imageversion",
         "//internal/file",
-        "//internal/helm/imageversion",
         "//internal/kms/uri",
         "//internal/kubernetes/kubectl",
         "//internal/retry",