mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-17 20:04:36 -05:00
AB#2554 GCP CSI driver deployment (#532)
* Allow enabling/disabling of CSI driver through config * Fix inconsistent namespace parsing * Deploy GCP CSI driver on init * Update invalid pod tolerations * Add generate script for CSI charts * Update generateCilium script Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
parent
6b7e470983
commit
b966f57a2f
@ -23,6 +23,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
### Added
|
||||
- Environment variable `CONSTELL_AZURE_CLIENT_SECRET_VALUE` as an alternative way to provide the configuration value `provider.azure.clientSecretValue`.
|
||||
|
||||
- GCP CSI driver deployment during Constellation init
|
||||
|
||||
### Changed
|
||||
<!-- For changes in existing functionality. -->
|
||||
|
||||
|
@ -117,7 +117,7 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
||||
return fmt.Errorf("parsing or generating master secret from file %s: %w", flags.masterSecretPath, err)
|
||||
}
|
||||
helmLoader := helm.New(provider, k8sVersion)
|
||||
helmDeployments, err := helmLoader.Load(provider, flags.conformance, masterSecret.Key, masterSecret.Salt, getEnforcedPCRs(provider, conf), getEnforceIDKeyDigest(provider, conf))
|
||||
helmDeployments, err := helmLoader.Load(conf, flags.conformance, masterSecret.Key, masterSecret.Salt)
|
||||
if err != nil {
|
||||
return fmt.Errorf("loading Helm charts: %w", err)
|
||||
}
|
||||
@ -133,8 +133,8 @@ func initialize(cmd *cobra.Command, newDialer func(validator *cloudcmd.Validator
|
||||
CloudServiceAccountUri: serviceAccURI,
|
||||
KubernetesVersion: conf.KubernetesVersion,
|
||||
HelmDeployments: helmDeployments,
|
||||
EnforcedPcrs: getEnforcedPCRs(provider, conf),
|
||||
EnforceIdkeydigest: getEnforceIDKeyDigest(provider, conf),
|
||||
EnforcedPcrs: conf.GetEnforcedPCRs(),
|
||||
EnforceIdkeydigest: conf.EnforcesIDKeyDigest(),
|
||||
ConformanceMode: flags.conformance,
|
||||
}
|
||||
resp, err := initCall(cmd.Context(), newDialer(validator), idFile.IP, req)
|
||||
@ -219,30 +219,6 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
|
||||
fmt.Fprint(wr, col1, "\t", col2, "\n")
|
||||
}
|
||||
|
||||
func getEnforcedPCRs(provider cloudprovider.Provider, config *config.Config) []uint32 {
|
||||
switch provider {
|
||||
case cloudprovider.AWS:
|
||||
return config.Provider.AWS.EnforcedMeasurements
|
||||
case cloudprovider.Azure:
|
||||
return config.Provider.Azure.EnforcedMeasurements
|
||||
case cloudprovider.GCP:
|
||||
return config.Provider.GCP.EnforcedMeasurements
|
||||
case cloudprovider.QEMU:
|
||||
return config.Provider.QEMU.EnforcedMeasurements
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
func getEnforceIDKeyDigest(provider cloudprovider.Provider, config *config.Config) bool {
|
||||
switch provider {
|
||||
case cloudprovider.Azure:
|
||||
return *config.Provider.Azure.EnforceIDKeyDigest
|
||||
default:
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
// evalFlagArgs gets the flag values and does preprocessing of these values like
|
||||
// reading the content from file path flags and deriving other values from flag combinations.
|
||||
func evalFlagArgs(cmd *cobra.Command) (initFlags, error) {
|
||||
|
@ -35,3 +35,13 @@ dependencies:
|
||||
- Azure
|
||||
- GCP
|
||||
- AWS
|
||||
- name: gcp-compute-persistent-disk-csi-driver
|
||||
version: 1.0.1
|
||||
condition: gcp.deployCSIDriver
|
||||
tags:
|
||||
- GCP
|
||||
- name: csi-azuredisk
|
||||
version: 1.0.1
|
||||
condition: azure.deployCSIDriver
|
||||
tags:
|
||||
- Azure
|
||||
|
@ -14,4 +14,4 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: constellation-cluster-autoscaler
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
@ -45,8 +45,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
@ -0,0 +1,5 @@
|
||||
apiVersion: v2
|
||||
appVersion: "v1.0.1"
|
||||
description: Azure disk Container Storage Interface (CSI) Storage Plugin with on-node encryption support
|
||||
name: csi-azuredisk
|
||||
version: v1.0.1
|
@ -0,0 +1,5 @@
|
||||
apiVersion: v2
|
||||
version: 1.0.1
|
||||
appVersion: "v1.0.1"
|
||||
description: GCP Compute Persistent Disk Container Storage Interface (CSI) Storage Plugin with on-node encryption support
|
||||
name: gcp-compute-persistent-disk-csi-driver
|
@ -0,0 +1,308 @@
|
||||
##### Node Service Account, Roles, RoleBindings
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: csi-gce-pd-node-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
##### Controller Service Account, Roles, Rolebindings
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
# xref: https://github.com/kubernetes-csi/external-provisioner/blob/master/deploy/kubernetes/rbac.yaml
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-provisioner-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["csinodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshots"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["get", "list"]
|
||||
# Access to volumeattachments is only needed when the CSI driver
|
||||
# has the PUBLISH_UNPUBLISH_VOLUME controller capability.
|
||||
# In that case, external-provisioner will watch volumeattachments
|
||||
# to determine when it is safe to delete a volume.
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-provisioner-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-provisioner-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
# xref: https://github.com/kubernetes-csi/external-attacher/blob/master/deploy/kubernetes/rbac.yaml
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-attacher-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["csinodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments/status"]
|
||||
verbs: ["patch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-attacher-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-attacher-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
value: 900000000
|
||||
globalDefault: false
|
||||
description: "This priority class should be used for the GCE PD CSI driver controller deployment only."
|
||||
|
||||
---
|
||||
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
value: 900001000
|
||||
globalDefault: false
|
||||
description: "This priority class should be used for the GCE PD CSI driver node deployment only."
|
||||
|
||||
---
|
||||
|
||||
# Resizer must be able to work with PVCs, PVs, SCs.
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-resizer-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
# If handle-volume-inuse-error=true, the pod specific rbac is needed
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-resizer-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-resizer-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-deploy
|
||||
rules:
|
||||
- apiGroups: ["policy"]
|
||||
resources: ["podsecuritypolicies"]
|
||||
verbs: ["use"]
|
||||
resourceNames:
|
||||
- csi-gce-pd-controller-psp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-deploy
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-controller-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-node-deploy
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- csi-gce-pd-node-psp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-node-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-node-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-node-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: csi-gce-pd-snapshotter-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
# Secrets resource omitted since GCE PD snapshots does not require them
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents/status"]
|
||||
verbs: ["update", "patch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-snapshotter-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-snapshotter-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-leaderelection-role
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
k8s-app: gcp-compute-persistent-disk-csi-driver
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
|
||||
---
|
||||
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-leaderelection-binding
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
k8s-app: gcp-compute-persistent-disk-csi-driver
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: csi-gce-pd-leaderelection-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -0,0 +1,175 @@
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
replicas: {{ .Values.csiController.replicas }}
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
spec:
|
||||
{{- if .Values.csiController.runOnControlPlane }}
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node.cloudprovider.kubernetes.io/uninitialized
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node.kubernetes.io/not-ready
|
||||
operator: Exists
|
||||
{{- end }}
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
{{- if .Values.csiController.runOnControlPlane }}
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
{{- end }}
|
||||
serviceAccountName: csi-gce-pd-controller-sa
|
||||
priorityClassName: csi-gce-pd-controller
|
||||
containers:
|
||||
- name: csi-provisioner
|
||||
image: {{ .Values.image.csiProvisioner.repo }}:{{ .Values.image.csiProvisioner.tag }}
|
||||
imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--feature-gates=Topology=true"
|
||||
- "--http-endpoint=:22011"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
- "--extra-create-metadata"
|
||||
# - "--run-controller-service=false" # disable the controller service of the CSI driver
|
||||
# - "--run-node-service=false" # disable the node service of the CSI driver
|
||||
- "--leader-election"
|
||||
- "--default-fstype=ext4"
|
||||
- "--controller-publish-readonly=true"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22011
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-attacher
|
||||
image: {{ .Values.image.csiAttacher.repo }}:{{ .Values.image.csiAttacher.tag }}
|
||||
imagePullPolicy: {{ .Values.image.csiAttacher.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--http-endpoint=:22012"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22012
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-resizer
|
||||
image: {{ .Values.image.csiResizer.repo }}:{{ .Values.image.csiResizer.tag }}
|
||||
imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--http-endpoint=:22013"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--handle-volume-inuse-error=false"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22013
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-snapshotter
|
||||
image: {{ .Values.image.csiSnapshotter.repo }}:{{ .Values.image.csiSnapshotter.tag }}
|
||||
imagePullPolicy: {{ .Values.image.csiSnapshotter.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--metrics-address=:22014"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: gce-pd-driver
|
||||
# Don't change base image without changing pdImagePlaceholder in
|
||||
# test/k8s-integration/main.go
|
||||
image: {{ .Values.image.gcepdDriver.repo }}:{{ .Values.image.gcepdDriver.tag }}
|
||||
imagePullPolicy: {{ .Values.image.gcepdDriver.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
env:
|
||||
- name: GOOGLE_APPLICATION_CREDENTIALS
|
||||
value: "/etc/cloud-sa/key.json"
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: cloud-sa-volume
|
||||
readOnly: true
|
||||
mountPath: "/etc/cloud-sa"
|
||||
volumes:
|
||||
- name: socket-dir
|
||||
emptyDir: {}
|
||||
- name: cloud-sa-volume
|
||||
secret:
|
||||
secretName: gcekey
|
@ -0,0 +1,117 @@
|
||||
kind: DaemonSet
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
spec:
|
||||
priorityClassName: csi-gce-pd-node
|
||||
serviceAccountName: csi-gce-pd-node-sa
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
containers:
|
||||
- name: csi-driver-registrar
|
||||
image: {{ .Values.image.csiNodeRegistrar.repo }}:{{ .Values.image.csiNodeRegistrar.tag }}
|
||||
imagePullPolicy: {{ .Values.image.csiNodeRegistrar.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--kubelet-registration-path=/var/lib/kubelet/plugins/gcp.csi.confidential.cloud/csi.sock"
|
||||
env:
|
||||
- name: KUBE_NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
volumeMounts:
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: registration-dir
|
||||
mountPath: /registration
|
||||
livenessProbe:
|
||||
initialDelaySeconds: 3
|
||||
exec:
|
||||
command:
|
||||
- /csi-node-driver-registrar
|
||||
- --kubelet-registration-path=/var/lib/kubelet/plugins/gcp.csi.confidential.cloud/csi.sock
|
||||
- --mode=kubelet-registration-probe
|
||||
- name: gce-pd-driver
|
||||
image: {{ .Values.image.gcepdDriver.repo }}:{{ .Values.image.gcepdDriver.tag }}
|
||||
imagePullPolicy: {{ .Values.image.gcepdDriver.pullPolicy }}
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.{{ .Values.csiNode.kmsNamespace | default .Release.Namespace }}:{{ .Values.csiNode.kmsPort }}"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: kubelet-dir
|
||||
mountPath: /var/lib/kubelet
|
||||
mountPropagation: "Bidirectional"
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: device-dir
|
||||
mountPath: /dev
|
||||
# The following mounts are required to trigger host udevadm from
|
||||
# container
|
||||
- name: udev-rules-etc
|
||||
mountPath: /etc/udev
|
||||
- name: udev-rules-lib
|
||||
mountPath: /lib/udev
|
||||
- name: udev-socket
|
||||
mountPath: /run/udev
|
||||
- name: sys
|
||||
mountPath: /sys
|
||||
- name: cryptsetup
|
||||
mountPath: /run/cryptsetup
|
||||
volumes:
|
||||
- name: registration-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins_registry/
|
||||
type: Directory
|
||||
- name: kubelet-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet
|
||||
type: Directory
|
||||
- name: plugin-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins/gcp.csi.confidential.cloud/
|
||||
type: DirectoryOrCreate
|
||||
- name: device-dir
|
||||
hostPath:
|
||||
path: /dev
|
||||
type: Directory
|
||||
# The following mounts are required to trigger host udevadm from
|
||||
# container
|
||||
- name: udev-rules-etc
|
||||
hostPath:
|
||||
path: /etc/udev
|
||||
type: Directory
|
||||
- name: udev-rules-lib
|
||||
hostPath:
|
||||
path: /lib/udev
|
||||
type: Directory
|
||||
- name: udev-socket
|
||||
hostPath:
|
||||
path: /run/udev
|
||||
type: Directory
|
||||
- name: sys
|
||||
hostPath:
|
||||
path: /sys
|
||||
type: Directory
|
||||
- name: cryptsetup
|
||||
hostPath:
|
||||
path: /run/cryptsetup
|
||||
type: Directory
|
||||
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||||
# See "special case". This will tolerate everything. Node component should
|
||||
# be scheduled on all nodes.
|
||||
tolerations:
|
||||
- operator: Exists
|
@ -0,0 +1,14 @@
|
||||
{{- if .Values.createStorageClass }}
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
name: encrypted-rwo
|
||||
parameters:
|
||||
type: pd-standard
|
||||
provisioner: gcp.csi.confidential.cloud
|
||||
allowVolumeExpansion: true
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
||||
{{- end }}
|
@ -0,0 +1,14 @@
|
||||
{{- if .Values.createStorageClass }}
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
annotations:
|
||||
name: integrity-encrypted-rwo
|
||||
parameters:
|
||||
type: pd-ssd
|
||||
csi.storage.k8s.io/fstype: ext4-integrity
|
||||
provisioner: gcp.csi.confidential.cloud
|
||||
allowVolumeExpansion: false
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
||||
{{- end }}
|
@ -0,0 +1,7 @@
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: CSIDriver
|
||||
metadata:
|
||||
name: gcp.csi.confidential.cloud
|
||||
spec:
|
||||
attachRequired: true
|
||||
podInfoOnMount: false
|
@ -0,0 +1,36 @@
|
||||
image:
|
||||
csiProvisioner:
|
||||
repo: k8s.gcr.io/sig-storage/csi-provisioner
|
||||
tag: "v3.1.0"
|
||||
pullPolicy: IfNotPresent
|
||||
csiAttacher:
|
||||
repo: k8s.gcr.io/sig-storage/csi-attacher
|
||||
tag: "v3.4.0"
|
||||
pullPolicy: IfNotPresent
|
||||
csiResizer:
|
||||
repo: k8s.gcr.io/sig-storage/csi-resizer
|
||||
tag: "v1.4.0"
|
||||
pullPolicy: IfNotPresent
|
||||
csiSnapshotter:
|
||||
repo: k8s.gcr.io/sig-storage/csi-snapshotter
|
||||
tag: "v4.0.1"
|
||||
pullPolicy: IfNotPresent
|
||||
csiNodeRegistrar:
|
||||
repo: k8s.gcr.io/sig-storage/csi-node-driver-registrar
|
||||
tag: "v2.5.0"
|
||||
pullPolicy: IfNotPresent
|
||||
gcepdDriver:
|
||||
repo: ghcr.io/edgelesssys/constellation/gcp-csi-driver
|
||||
# CSI driver version is independent of Constellation releases
|
||||
tag: "v1.0.0"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
csiController:
|
||||
replicas: 1
|
||||
runOnControlPlane: true
|
||||
|
||||
csiNode:
|
||||
kmsPort: "9000"
|
||||
kmsNamespace: "kube-system"
|
||||
|
||||
createStorageClass: true
|
@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: join-config
|
||||
namespace: kube-system
|
||||
namespace: {{ .Release.Namespace }}
|
||||
data:
|
||||
# mustToJson is required so the json-strings passed from go are of type string in the rendered yaml.
|
||||
enforcedPCRs: {{ .Values.enforcedPCRs | mustToJson }}
|
||||
|
@ -23,8 +23,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
@ -39,7 +38,7 @@ spec:
|
||||
image: {{ .Values.image }}
|
||||
args:
|
||||
- --cloud-provider={{ .Values.csp }}
|
||||
- --kms-endpoint=kms.kube-system:{{ .Values.global.kmsPort }}
|
||||
- --kms-endpoint=kms.{{ .Release.Namespace }}:{{ .Values.global.kmsPort }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ .Values.global.serviceBasePath }}
|
||||
name: config
|
||||
|
@ -1,5 +1,3 @@
|
||||
# Namespace to which to deploy
|
||||
namespace: "kube-system"
|
||||
csp: "gcp"
|
||||
joinServicePort: 9090
|
||||
joinServiceNodePort: 30090
|
||||
|
@ -35,8 +35,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
@ -1,5 +1,3 @@
|
||||
# Namespace to which KMS will be deployed.
|
||||
namespace: "kube-system"
|
||||
# Name of the key within the respective secret that holds the salt.
|
||||
saltKeyName: salt
|
||||
# Name of the secret that contains the master secret.
|
||||
|
@ -10,6 +10,14 @@ global:
|
||||
# Name of the ConfigMap that holds configs that should not be modified by the user.
|
||||
internalCMName: internal-config
|
||||
|
||||
# GCP specific configuration
|
||||
gcp:
|
||||
deployCSIDriver: false
|
||||
|
||||
# Azure specific configuration
|
||||
azure:
|
||||
deployCSIDriver: false
|
||||
|
||||
# Set one of the tags to true to indicate which CSP you are deploying to.
|
||||
tags:
|
||||
Azure: false
|
||||
|
@ -5,9 +5,16 @@ shopt -s inherit_errexit
|
||||
|
||||
calldir=$(pwd)
|
||||
ciliumTmpDir=$(mktemp -d)
|
||||
cd "${ciliumTmpDir}" || exit 1
|
||||
git clone --depth 1 -b 1.12.1 https://github.com/cilium/cilium.git
|
||||
cd cilium || exit 1
|
||||
pushd "${ciliumTmpDir}"
|
||||
git clone --filter=blob:none --no-checkout --sparse --depth 1 -b 1.12.1 https://github.com/cilium/cilium.git
|
||||
pushd cilium
|
||||
|
||||
git sparse-checkout add install/kubernetes/cilium
|
||||
git checkout
|
||||
|
||||
git apply "${calldir}"/cilium.patch
|
||||
cp -r install/kubernetes/cilium "${calldir}"/charts
|
||||
|
||||
popd
|
||||
popd
|
||||
rm -r "${ciliumTmpDir}"
|
||||
|
@ -18,6 +18,7 @@ import (
|
||||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
@ -30,6 +31,8 @@ import (
|
||||
|
||||
// Run `go generate` to deterministically create the patched Helm deployment for cilium
|
||||
//go:generate ./generateCilium.sh
|
||||
// Run `go generate` to load CSI driver charts from the CSI repositories
|
||||
//go:generate ./update-csi-charts.sh
|
||||
|
||||
//go:embed all:charts/*
|
||||
var helmFS embed.FS
|
||||
@ -66,13 +69,15 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
|
||||
}
|
||||
|
||||
// Load the embedded helm charts.
|
||||
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
|
||||
func (i *ChartLoader) Load(config *config.Config, conformanceMode bool, masterSecret, salt []byte) ([]byte, error) {
|
||||
csp := config.GetProvider()
|
||||
|
||||
ciliumRelease, err := i.loadCilium(csp, conformanceMode)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("loading cilium: %w", err)
|
||||
}
|
||||
|
||||
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest)
|
||||
conServicesRelease, err := i.loadConstellationServices(config, masterSecret, salt)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("loading constellation-services: %w", err)
|
||||
}
|
||||
@ -122,11 +127,9 @@ func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode boo
|
||||
return helm.Release{Chart: chartRaw, Values: ciliumVals, ReleaseName: "cilium", Wait: true}, nil
|
||||
}
|
||||
|
||||
// loadConstellationServices loads the constellation-services chart from the embed.FS, marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
|
||||
func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
masterSecret []byte, salt []byte, enforcedPCRs []uint32,
|
||||
enforceIDKeyDigest bool,
|
||||
) (helm.Release, error) {
|
||||
// loadConstellationServices loads the constellation-services chart from the embed.FS,
|
||||
// marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
|
||||
func (i *ChartLoader) loadConstellationServices(config *config.Config, masterSecret, salt []byte) (helm.Release, error) {
|
||||
chart, err := loadChartsDir(helmFS, "charts/edgeless/constellation-services")
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("loading constellation-services chart: %w", err)
|
||||
@ -137,11 +140,12 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
return helm.Release{}, fmt.Errorf("packaging chart: %w", err)
|
||||
}
|
||||
|
||||
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
|
||||
enforcedPCRsJSON, err := json.Marshal(config.GetEnforcedPCRs())
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("marshaling enforcedPCRs: %w", err)
|
||||
}
|
||||
|
||||
csp := config.GetProvider()
|
||||
vals := map[string]any{
|
||||
"global": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
@ -154,7 +158,6 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
"image": i.kmsImage,
|
||||
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
|
||||
"salt": base64.StdEncoding.EncodeToString(salt),
|
||||
"namespace": constants.ConstellationNamespace,
|
||||
"saltKeyName": constants.ConstellationSaltKey,
|
||||
"masterSecretKeyName": constants.ConstellationMasterSecretKey,
|
||||
"masterSecretName": constants.ConstellationMasterSecretStoreName,
|
||||
@ -164,7 +167,6 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
"csp": csp,
|
||||
"enforcedPCRs": string(enforcedPCRsJSON),
|
||||
"image": i.joinServiceImage,
|
||||
"namespace": constants.ConstellationNamespace,
|
||||
},
|
||||
"ccm": map[string]any{
|
||||
"csp": csp,
|
||||
@ -177,49 +179,61 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
|
||||
switch csp {
|
||||
case cloudprovider.Azure:
|
||||
{
|
||||
joinServiceVals, ok := vals["join-service"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid join-service values")
|
||||
}
|
||||
joinServiceVals["enforceIdKeyDigest"] = enforceIDKeyDigest
|
||||
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["Azure"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["cnm"] = map[string]any{
|
||||
"image": i.cnmImage,
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
joinServiceVals, ok := vals["join-service"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid join-service values")
|
||||
}
|
||||
joinServiceVals["enforceIdKeyDigest"] = config.EnforcesIDKeyDigest()
|
||||
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["Azure"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["cnm"] = map[string]any{
|
||||
"image": i.cnmImage,
|
||||
}
|
||||
|
||||
vals["azure"] = map[string]any{
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
|
||||
case cloudprovider.GCP:
|
||||
{
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["GCP"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["GCP"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
vals["gcp"] = map[string]any{
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
vals["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"csiNode": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
|
||||
case cloudprovider.QEMU:
|
||||
{
|
||||
vals["tags"] = map[string]interface{}{
|
||||
"QEMU": true,
|
||||
}
|
||||
vals["tags"] = map[string]interface{}{
|
||||
"QEMU": true,
|
||||
}
|
||||
|
||||
case cloudprovider.AWS:
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
|
@ -15,7 +15,7 @@ import (
|
||||
"path"
|
||||
"testing"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/stretchr/testify/assert"
|
||||
@ -31,7 +31,8 @@ func TestLoad(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
chartLoader := ChartLoader{}
|
||||
release, err := chartLoader.Load(cloudprovider.GCP, true, []byte("secret"), []byte("salt"), nil, false)
|
||||
config := &config.Config{Provider: config.ProviderConfig{GCP: &config.GCPConfig{}}}
|
||||
release, err := chartLoader.Load(config, true, []byte("secret"), []byte("salt"))
|
||||
require.NoError(err)
|
||||
|
||||
var helmReleases helm.Releases
|
||||
@ -46,27 +47,35 @@ func TestLoad(t *testing.T) {
|
||||
// TestTemplate checks if the rendered constellation-services chart produces the expected yaml files.
|
||||
func TestTemplate(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
csp cloudprovider.Provider
|
||||
config *config.Config
|
||||
enforceIDKeyDigest bool
|
||||
valuesModifier func(map[string]any) error
|
||||
ccmImage string
|
||||
cnmImage string
|
||||
}{
|
||||
"GCP": {
|
||||
csp: cloudprovider.GCP,
|
||||
config: &config.Config{Provider: config.ProviderConfig{GCP: &config.GCPConfig{
|
||||
DeployCSIDriver: func() *bool { b := true; return &b }(),
|
||||
EnforcedMeasurements: []uint32{1, 11},
|
||||
}}},
|
||||
enforceIDKeyDigest: false,
|
||||
valuesModifier: prepareGCPValues,
|
||||
ccmImage: "ccmImageForGCP",
|
||||
},
|
||||
"Azure": {
|
||||
csp: cloudprovider.Azure,
|
||||
config: &config.Config{Provider: config.ProviderConfig{Azure: &config.AzureConfig{
|
||||
EnforcedMeasurements: []uint32{1, 11},
|
||||
EnforceIDKeyDigest: func() *bool { b := true; return &b }(),
|
||||
}}},
|
||||
enforceIDKeyDigest: true,
|
||||
valuesModifier: prepareAzureValues,
|
||||
ccmImage: "ccmImageForAzure",
|
||||
cnmImage: "cnmImageForAzure",
|
||||
},
|
||||
"QEMU": {
|
||||
csp: cloudprovider.QEMU,
|
||||
config: &config.Config{Provider: config.ProviderConfig{QEMU: &config.QEMUConfig{
|
||||
EnforcedMeasurements: []uint32{1, 11},
|
||||
}}},
|
||||
enforceIDKeyDigest: false,
|
||||
valuesModifier: prepareQEMUValues,
|
||||
},
|
||||
@ -78,7 +87,7 @@ func TestTemplate(t *testing.T) {
|
||||
require := require.New(t)
|
||||
|
||||
chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage, autoscalerImage: "autoscalerImage"}
|
||||
release, err := chartLoader.Load(tc.csp, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []uint32{1, 11}, tc.enforceIDKeyDigest)
|
||||
release, err := chartLoader.Load(tc.config, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"))
|
||||
require.NoError(err)
|
||||
|
||||
var helmReleases helm.Releases
|
||||
@ -110,7 +119,7 @@ func TestTemplate(t *testing.T) {
|
||||
result, err := engine.Render(chart, valuesToRender)
|
||||
require.NoError(err)
|
||||
for k, v := range result {
|
||||
currentFile := path.Join("testdata", tc.csp.String(), k)
|
||||
currentFile := path.Join("testdata", tc.config.GetProvider().String(), k)
|
||||
content, err := os.ReadFile(currentFile)
|
||||
|
||||
// If a file does not exist, we expect the render for that path to be empty.
|
||||
@ -142,6 +151,45 @@ func prepareGCPValues(values map[string]any) error {
|
||||
ccmVals["GCP"].(map[string]any)["uid"] = "242424242424"
|
||||
ccmVals["GCP"].(map[string]any)["secretData"] = "baaaaaad"
|
||||
|
||||
testTag := "v0.0.0"
|
||||
pullPolicy := "IfNotPresent"
|
||||
csiVals, ok := values["gcp-compute-persistent-disk-csi-driver"].(map[string]any)
|
||||
if !ok {
|
||||
return errors.New("missing 'gcp-compute-persistent-disk-csi-driver' key")
|
||||
}
|
||||
csiVals["image"] = map[string]any{
|
||||
"csiProvisioner": map[string]any{
|
||||
"repo": "csi-provisioner",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiAttacher": map[string]any{
|
||||
"repo": "csi-attacher",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiResizer": map[string]any{
|
||||
"repo": "csi-resizer",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiSnapshotter": map[string]any{
|
||||
"repo": "csi-snapshotter",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"csiNodeRegistrar": map[string]any{
|
||||
"repo": "csi-registrar",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
"gcepdDriver": map[string]any{
|
||||
"repo": "csi-driver",
|
||||
"tag": testTag,
|
||||
"pullPolicy": pullPolicy,
|
||||
},
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
@ -14,4 +14,4 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: constellation-cluster-autoscaler
|
||||
namespace: kube-system
|
||||
namespace: testNamespace
|
||||
|
@ -45,8 +45,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: join-config
|
||||
namespace: kube-system
|
||||
namespace: testNamespace
|
||||
data:
|
||||
enforcedPCRs: "[1,11]"
|
||||
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
|
||||
|
@ -23,8 +23,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
@ -39,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=Azure
|
||||
- --kms-endpoint=kms.kube-system:9000
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -35,8 +35,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
@ -14,4 +14,4 @@ roleRef:
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: constellation-cluster-autoscaler
|
||||
namespace: kube-system
|
||||
namespace: testNamespace
|
||||
|
@ -0,0 +1,297 @@
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: csi-gce-pd-node-sa
|
||||
namespace: testNamespace
|
||||
|
||||
---
|
||||
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-provisioner-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "create", "delete"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch", "update"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["storageclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["csinodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshots"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-provisioner-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-provisioner-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-attacher-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["nodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["csinodes"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources: ["volumeattachments/status"]
|
||||
verbs: ["patch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-attacher-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-attacher-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
value: 900000000
|
||||
globalDefault: false
|
||||
description: "This priority class should be used for the GCE PD CSI driver controller deployment only."
|
||||
|
||||
---
|
||||
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
value: 900001000
|
||||
globalDefault: false
|
||||
description: "This priority class should be used for the GCE PD CSI driver node deployment only."
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-resizer-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumes"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["persistentvolumeclaims/status"]
|
||||
verbs: ["update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-resizer-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-resizer-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-deploy
|
||||
rules:
|
||||
- apiGroups: ["policy"]
|
||||
resources: ["podsecuritypolicies"]
|
||||
verbs: ["use"]
|
||||
resourceNames:
|
||||
- csi-gce-pd-controller-psp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-deploy
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-controller-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-node-deploy
|
||||
rules:
|
||||
- apiGroups: ['policy']
|
||||
resources: ['podsecuritypolicies']
|
||||
verbs: ['use']
|
||||
resourceNames:
|
||||
- csi-gce-pd-node-psp
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-node-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-node-sa
|
||||
namespace: testNamespace
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-node-deploy
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
|
||||
---
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: csi-gce-pd-snapshotter-role
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["events"]
|
||||
verbs: ["list", "watch", "create", "update", "patch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotclasses"]
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents"]
|
||||
verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
|
||||
- apiGroups: ["snapshot.storage.k8s.io"]
|
||||
resources: ["volumesnapshotcontents/status"]
|
||||
verbs: ["update", "patch"]
|
||||
|
||||
---
|
||||
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-snapshotter-binding
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: csi-gce-pd-snapshotter-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
|
||||
---
|
||||
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-leaderelection-role
|
||||
namespace: testNamespace
|
||||
labels:
|
||||
k8s-app: gcp-compute-persistent-disk-csi-driver
|
||||
rules:
|
||||
- apiGroups: ["coordination.k8s.io"]
|
||||
resources: ["leases"]
|
||||
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
||||
|
||||
---
|
||||
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller-leaderelection-binding
|
||||
namespace: testNamespace
|
||||
labels:
|
||||
k8s-app: gcp-compute-persistent-disk-csi-driver
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: csi-gce-pd-controller-sa
|
||||
namespace: testNamespace
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: csi-gce-pd-leaderelection-role
|
||||
apiGroup: rbac.authorization.k8s.io
|
@ -0,0 +1,167 @@
|
||||
kind: Deployment
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-controller
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
spec:
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node.cloudprovider.kubernetes.io/uninitialized
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node.kubernetes.io/not-ready
|
||||
operator: Exists
|
||||
nodeSelector:
|
||||
node-role.kubernetes.io/control-plane: ""
|
||||
kubernetes.io/os: linux
|
||||
serviceAccountName: csi-gce-pd-controller-sa
|
||||
priorityClassName: csi-gce-pd-controller
|
||||
containers:
|
||||
- name: csi-provisioner
|
||||
image: csi-provisioner:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--feature-gates=Topology=true"
|
||||
- "--http-endpoint=:22011"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
- "--extra-create-metadata"
|
||||
- "--leader-election"
|
||||
- "--default-fstype=ext4"
|
||||
- "--controller-publish-readonly=true"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22011
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-attacher
|
||||
image: csi-attacher:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--http-endpoint=:22012"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22012
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-resizer
|
||||
image: csi-resizer:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--http-endpoint=:22013"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--handle-volume-inuse-error=false"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
ports:
|
||||
- containerPort: 22013
|
||||
name: http-endpoint
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
failureThreshold: 1
|
||||
httpGet:
|
||||
path: /healthz/leader-election
|
||||
port: http-endpoint
|
||||
initialDelaySeconds: 10
|
||||
timeoutSeconds: 10
|
||||
periodSeconds: 20
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: csi-snapshotter
|
||||
image: csi-snapshotter:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--metrics-address=:22014"
|
||||
- "--leader-election"
|
||||
- "--leader-election-namespace=$(PDCSI_NAMESPACE)"
|
||||
- "--timeout=450s"
|
||||
env:
|
||||
- name: PDCSI_NAMESPACE
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: gce-pd-driver
|
||||
image: csi-driver:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
env:
|
||||
- name: GOOGLE_APPLICATION_CREDENTIALS
|
||||
value: "/etc/cloud-sa/key.json"
|
||||
volumeMounts:
|
||||
- name: socket-dir
|
||||
mountPath: /csi
|
||||
- name: cloud-sa-volume
|
||||
readOnly: true
|
||||
mountPath: "/etc/cloud-sa"
|
||||
volumes:
|
||||
- name: socket-dir
|
||||
emptyDir: {}
|
||||
- name: cloud-sa-volume
|
||||
secret:
|
||||
secretName: gcekey
|
@ -0,0 +1,110 @@
|
||||
kind: DaemonSet
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: csi-gce-pd-node
|
||||
namespace: testNamespace
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gcp-compute-persistent-disk-csi-driver
|
||||
spec:
|
||||
priorityClassName: csi-gce-pd-node
|
||||
serviceAccountName: csi-gce-pd-node-sa
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
containers:
|
||||
- name: csi-driver-registrar
|
||||
image: csi-registrar:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--csi-address=/csi/csi.sock"
|
||||
- "--kubelet-registration-path=/var/lib/kubelet/plugins/gcp.csi.confidential.cloud/csi.sock"
|
||||
env:
|
||||
- name: KUBE_NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
volumeMounts:
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: registration-dir
|
||||
mountPath: /registration
|
||||
livenessProbe:
|
||||
initialDelaySeconds: 3
|
||||
exec:
|
||||
command:
|
||||
- /csi-node-driver-registrar
|
||||
- --kubelet-registration-path=/var/lib/kubelet/plugins/gcp.csi.confidential.cloud/csi.sock
|
||||
- --mode=kubelet-registration-probe
|
||||
- name: gce-pd-driver
|
||||
image: csi-driver:v0.0.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
args:
|
||||
- "--v=5"
|
||||
- "--endpoint=unix:/csi/csi.sock"
|
||||
- "--run-controller-service=false"
|
||||
- "--kms-addr=kms.testNamespace:9000"
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: kubelet-dir
|
||||
mountPath: /var/lib/kubelet
|
||||
mountPropagation: "Bidirectional"
|
||||
- name: plugin-dir
|
||||
mountPath: /csi
|
||||
- name: device-dir
|
||||
mountPath: /dev
|
||||
- name: udev-rules-etc
|
||||
mountPath: /etc/udev
|
||||
- name: udev-rules-lib
|
||||
mountPath: /lib/udev
|
||||
- name: udev-socket
|
||||
mountPath: /run/udev
|
||||
- name: sys
|
||||
mountPath: /sys
|
||||
- name: cryptsetup
|
||||
mountPath: /run/cryptsetup
|
||||
volumes:
|
||||
- name: registration-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins_registry/
|
||||
type: Directory
|
||||
- name: kubelet-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet
|
||||
type: Directory
|
||||
- name: plugin-dir
|
||||
hostPath:
|
||||
path: /var/lib/kubelet/plugins/gcp.csi.confidential.cloud/
|
||||
type: DirectoryOrCreate
|
||||
- name: device-dir
|
||||
hostPath:
|
||||
path: /dev
|
||||
type: Directory
|
||||
- name: udev-rules-etc
|
||||
hostPath:
|
||||
path: /etc/udev
|
||||
type: Directory
|
||||
- name: udev-rules-lib
|
||||
hostPath:
|
||||
path: /lib/udev
|
||||
type: Directory
|
||||
- name: udev-socket
|
||||
hostPath:
|
||||
path: /run/udev
|
||||
type: Directory
|
||||
- name: sys
|
||||
hostPath:
|
||||
path: /sys
|
||||
type: Directory
|
||||
- name: cryptsetup
|
||||
hostPath:
|
||||
path: /run/cryptsetup
|
||||
type: Directory
|
||||
tolerations:
|
||||
- operator: Exists
|
@ -0,0 +1,12 @@
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
annotations:
|
||||
storageclass.kubernetes.io/is-default-class: "true"
|
||||
name: encrypted-rwo
|
||||
parameters:
|
||||
type: pd-standard
|
||||
provisioner: gcp.csi.confidential.cloud
|
||||
allowVolumeExpansion: true
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
@ -0,0 +1,12 @@
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: StorageClass
|
||||
metadata:
|
||||
annotations:
|
||||
name: integrity-encrypted-rwo
|
||||
parameters:
|
||||
type: pd-ssd
|
||||
csi.storage.k8s.io/fstype: ext4-integrity
|
||||
provisioner: gcp.csi.confidential.cloud
|
||||
allowVolumeExpansion: false
|
||||
reclaimPolicy: Delete
|
||||
volumeBindingMode: Immediate
|
@ -0,0 +1,7 @@
|
||||
apiVersion: storage.k8s.io/v1
|
||||
kind: CSIDriver
|
||||
metadata:
|
||||
name: gcp.csi.confidential.cloud
|
||||
spec:
|
||||
attachRequired: true
|
||||
podInfoOnMount: false
|
@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: join-config
|
||||
namespace: kube-system
|
||||
namespace: testNamespace
|
||||
data:
|
||||
enforcedPCRs: "[1,11]"
|
||||
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
|
||||
|
@ -23,8 +23,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
@ -39,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=GCP
|
||||
- --kms-endpoint=kms.kube-system:9000
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -35,8 +35,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
@ -2,7 +2,7 @@ apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: join-config
|
||||
namespace: kube-system
|
||||
namespace: testNamespace
|
||||
data:
|
||||
enforcedPCRs: "[1,11]"
|
||||
measurements: "{'1':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA','15':'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='}"
|
||||
|
@ -23,8 +23,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
@ -39,7 +38,7 @@ spec:
|
||||
image: joinServiceImage
|
||||
args:
|
||||
- --cloud-provider=QEMU
|
||||
- --kms-endpoint=kms.kube-system:9000
|
||||
- --kms-endpoint=kms.testNamespace:9000
|
||||
volumeMounts:
|
||||
- mountPath: /var/config
|
||||
name: config
|
||||
|
@ -35,8 +35,7 @@ spec:
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/master
|
||||
operator: Equal
|
||||
value: "true"
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: node-role.kubernetes.io/control-plane
|
||||
operator: Exists
|
||||
|
54
cli/internal/helm/update-csi-charts.sh
Executable file
54
cli/internal/helm/update-csi-charts.sh
Executable file
@ -0,0 +1,54 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# update-csi-charts updates the Helm charts for the CSI drivers in the CLI.
|
||||
|
||||
set -euo pipefail
|
||||
shopt -s inherit_errexit
|
||||
|
||||
# Required tools
|
||||
if ! command -v git &> /dev/null; then
|
||||
echo "git could not be found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# download_chart downloads the Helm chart for the given CSI driver and version.
|
||||
#
|
||||
# Arguments:
|
||||
# $1: URL of the git repo containing the Helm chart
|
||||
# $2: branch or tag of the git repo
|
||||
# $3: path to the Helm chart in the git repo
|
||||
# $4: name of the Helm chart
|
||||
download_chart() {
|
||||
chart_url=$1
|
||||
branch=$2
|
||||
chart_dir=$3
|
||||
chart_name=$4
|
||||
|
||||
repo_tmp_dir=$(mktemp -d)
|
||||
|
||||
chart_base_path="charts/edgeless/constellation-services/charts/"
|
||||
|
||||
pushd "${repo_tmp_dir}"
|
||||
git clone --filter=blob:none --no-checkout --sparse --depth 1 --branch="${branch}" "${chart_url}" "${repo_tmp_dir}"
|
||||
|
||||
git sparse-checkout add "${chart_dir}"
|
||||
git checkout
|
||||
popd
|
||||
|
||||
# remove old chart
|
||||
rm -r "${chart_base_path}${chart_name}"
|
||||
|
||||
# move new chart
|
||||
mkdir -p "${chart_base_path}/${chart_name}"
|
||||
cp -r "${repo_tmp_dir}/${chart_dir}"/* "${chart_base_path}${chart_name}"
|
||||
rm -r "${repo_tmp_dir}"
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
## GCP CSI Driver
|
||||
# TODO: clone from main branch once we rebase on upstream
|
||||
download_chart "https://github.com/edgelesssys/constellation-gcp-compute-persistent-disk-csi-driver" "develop" "charts" "gcp-compute-persistent-disk-csi-driver"
|
||||
|
||||
## Azure CSI Driver
|
||||
# TODO: https://github.com/edgelesssys/constellation/pull/548
|
@ -182,11 +182,14 @@ type AzureConfig struct {
|
||||
// Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison
|
||||
StateDiskType string `yaml:"stateDiskType" validate:"oneof=Premium_LRS Premium_ZRS Standard_LRS StandardSSD_LRS StandardSSD_ZRS"`
|
||||
// description: |
|
||||
// Expected confidential VM measurements.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// Deploy Azure Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
|
||||
DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
|
||||
// description: |
|
||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
// Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
|
||||
ConfidentialVM *bool `yaml:"confidentialVM" validate:"required"`
|
||||
// description: |
|
||||
// Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob.
|
||||
SecureBoot *bool `yaml:"secureBoot" validate:"required"`
|
||||
// description: |
|
||||
// Expected value for the field 'idkeydigest' in the AMD SEV-SNP attestation report. Only usable with ConfidentialVMs. See 4.6 and 7.3 in: https://www.amd.com/system/files/TechDocs/56860.pdf
|
||||
IDKeyDigest string `yaml:"idKeyDigest" validate:"required_if=EnforceIdKeyDigest true,omitempty,hexadecimal,len=96"`
|
||||
@ -194,11 +197,11 @@ type AzureConfig struct {
|
||||
// Enforce the specified idKeyDigest value during remote attestation.
|
||||
EnforceIDKeyDigest *bool `yaml:"enforceIdKeyDigest" validate:"required"`
|
||||
// description: |
|
||||
// Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
|
||||
ConfidentialVM *bool `yaml:"confidentialVM" validate:"required"`
|
||||
// Expected confidential VM measurements.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// description: |
|
||||
// Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob.
|
||||
SecureBoot *bool `yaml:"secureBoot" validate:"required"`
|
||||
// List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning.
|
||||
EnforcedMeasurements []uint32 `yaml:"enforcedMeasurements"`
|
||||
}
|
||||
|
||||
// GCPConfig are GCP specific configuration values used by the CLI.
|
||||
@ -225,6 +228,9 @@ type GCPConfig struct {
|
||||
// Type of a node's state disk. The type influences boot time and I/O performance. See: https://cloud.google.com/compute/docs/disks#disk-types
|
||||
StateDiskType string `yaml:"stateDiskType" validate:"oneof=pd-standard pd-balanced pd-ssd"`
|
||||
// description: |
|
||||
// Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage
|
||||
DeployCSIDriver *bool `yaml:"deployCSIDriver" validate:"required"`
|
||||
// description: |
|
||||
// Expected confidential VM measurements.
|
||||
Measurements Measurements `yaml:"measurements"`
|
||||
// description: |
|
||||
@ -295,21 +301,23 @@ func Default() *Config {
|
||||
Image: DefaultImageAzure,
|
||||
InstanceType: "Standard_DC4as_v5",
|
||||
StateDiskType: "Premium_LRS",
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure),
|
||||
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
|
||||
DeployCSIDriver: func() *bool { b := true; return &b }(),
|
||||
IDKeyDigest: "57486a447ec0f1958002a22a06b7673b9fd27d11e1c6527498056054c5fa92d23c50f9de44072760fe2b6fb89740b696",
|
||||
EnforceIDKeyDigest: func() *bool { b := true; return &b }(),
|
||||
ConfidentialVM: func() *bool { b := true; return &b }(),
|
||||
SecureBoot: func() *bool { b := false; return &b }(),
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.Azure),
|
||||
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
|
||||
},
|
||||
GCP: &GCPConfig{
|
||||
Project: "",
|
||||
Region: "",
|
||||
Zone: "",
|
||||
ServiceAccountKeyPath: "",
|
||||
Image: DefaultImageGCP,
|
||||
InstanceType: "n2d-standard-4",
|
||||
StateDiskType: "pd-ssd",
|
||||
ServiceAccountKeyPath: "",
|
||||
DeployCSIDriver: func() *bool { b := true; return &b }(),
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.GCP),
|
||||
EnforcedMeasurements: []uint32{0, 4, 8, 9, 11, 12, 13, 15},
|
||||
},
|
||||
@ -320,9 +328,9 @@ func Default() *Config {
|
||||
MetadataAPIImage: versions.QEMUMetadataImage,
|
||||
LibvirtURI: "",
|
||||
LibvirtContainerImage: versions.LibvirtImage,
|
||||
NVRAM: "production",
|
||||
Measurements: measurements.DefaultsFor(cloudprovider.QEMU),
|
||||
EnforcedMeasurements: []uint32{4, 8, 9, 11, 12, 13, 15},
|
||||
NVRAM: "production",
|
||||
},
|
||||
},
|
||||
KubernetesVersion: string(versions.Default),
|
||||
@ -482,6 +490,29 @@ func (c *Config) EnforcesIDKeyDigest() bool {
|
||||
return c.Provider.Azure != nil && c.Provider.Azure.EnforceIDKeyDigest != nil && *c.Provider.Azure.EnforceIDKeyDigest
|
||||
}
|
||||
|
||||
// GetEnforcedPCRs returns the list of enforced PCRs for the configured cloud provider.
|
||||
func (c *Config) GetEnforcedPCRs() []uint32 {
|
||||
provider := c.GetProvider()
|
||||
switch provider {
|
||||
case cloudprovider.AWS:
|
||||
return c.Provider.AWS.EnforcedMeasurements
|
||||
case cloudprovider.Azure:
|
||||
return c.Provider.Azure.EnforcedMeasurements
|
||||
case cloudprovider.GCP:
|
||||
return c.Provider.GCP.EnforcedMeasurements
|
||||
case cloudprovider.QEMU:
|
||||
return c.Provider.QEMU.EnforcedMeasurements
|
||||
default:
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
// DeployCSIDriver returns whether the CSI driver should be deployed for a given cloud provider.
|
||||
func (c *Config) DeployCSIDriver() bool {
|
||||
return c.Provider.Azure != nil && c.Provider.Azure.DeployCSIDriver != nil && *c.Provider.Azure.DeployCSIDriver ||
|
||||
c.Provider.GCP != nil && c.Provider.GCP.DeployCSIDriver != nil && *c.Provider.GCP.DeployCSIDriver
|
||||
}
|
||||
|
||||
// Validate checks the config values and returns validation errors.
|
||||
func (c *Config) Validate() error {
|
||||
trans := ut.New(en.New()).GetFallback()
|
||||
|
@ -208,7 +208,7 @@ func init() {
|
||||
FieldName: "azure",
|
||||
},
|
||||
}
|
||||
AzureConfigDoc.Fields = make([]encoder.Doc, 16)
|
||||
AzureConfigDoc.Fields = make([]encoder.Doc, 17)
|
||||
AzureConfigDoc.Fields[0].Name = "subscription"
|
||||
AzureConfigDoc.Fields[0].Type = "string"
|
||||
AzureConfigDoc.Fields[0].Note = ""
|
||||
@ -259,36 +259,41 @@ func init() {
|
||||
AzureConfigDoc.Fields[9].Note = ""
|
||||
AzureConfigDoc.Fields[9].Description = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
||||
AzureConfigDoc.Fields[9].Comments[encoder.LineComment] = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison"
|
||||
AzureConfigDoc.Fields[10].Name = "measurements"
|
||||
AzureConfigDoc.Fields[10].Type = "Measurements"
|
||||
AzureConfigDoc.Fields[10].Name = "deployCSIDriver"
|
||||
AzureConfigDoc.Fields[10].Type = "bool"
|
||||
AzureConfigDoc.Fields[10].Note = ""
|
||||
AzureConfigDoc.Fields[10].Description = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[10].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[11].Name = "enforcedMeasurements"
|
||||
AzureConfigDoc.Fields[11].Type = "[]uint32"
|
||||
AzureConfigDoc.Fields[10].Description = "Deploy Azure Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
|
||||
AzureConfigDoc.Fields[10].Comments[encoder.LineComment] = "Deploy Azure Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
|
||||
AzureConfigDoc.Fields[11].Name = "confidentialVM"
|
||||
AzureConfigDoc.Fields[11].Type = "bool"
|
||||
AzureConfigDoc.Fields[11].Note = ""
|
||||
AzureConfigDoc.Fields[11].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
AzureConfigDoc.Fields[11].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
AzureConfigDoc.Fields[12].Name = "idKeyDigest"
|
||||
AzureConfigDoc.Fields[12].Type = "string"
|
||||
AzureConfigDoc.Fields[11].Description = "Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||
AzureConfigDoc.Fields[11].Comments[encoder.LineComment] = "Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||
AzureConfigDoc.Fields[12].Name = "secureBoot"
|
||||
AzureConfigDoc.Fields[12].Type = "bool"
|
||||
AzureConfigDoc.Fields[12].Note = ""
|
||||
AzureConfigDoc.Fields[12].Description = "Expected value for the field 'idkeydigest' in the AMD SEV-SNP attestation report. Only usable with ConfidentialVMs. See 4.6 and 7.3 in: https://www.amd.com/system/files/TechDocs/56860.pdf"
|
||||
AzureConfigDoc.Fields[12].Comments[encoder.LineComment] = "Expected value for the field 'idkeydigest' in the AMD SEV-SNP attestation report. Only usable with ConfidentialVMs. See 4.6 and 7.3 in: https://www.amd.com/system/files/TechDocs/56860.pdf"
|
||||
AzureConfigDoc.Fields[13].Name = "enforceIdKeyDigest"
|
||||
AzureConfigDoc.Fields[13].Type = "bool"
|
||||
AzureConfigDoc.Fields[12].Description = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
|
||||
AzureConfigDoc.Fields[12].Comments[encoder.LineComment] = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
|
||||
AzureConfigDoc.Fields[13].Name = "idKeyDigest"
|
||||
AzureConfigDoc.Fields[13].Type = "string"
|
||||
AzureConfigDoc.Fields[13].Note = ""
|
||||
AzureConfigDoc.Fields[13].Description = "Enforce the specified idKeyDigest value during remote attestation."
|
||||
AzureConfigDoc.Fields[13].Comments[encoder.LineComment] = "Enforce the specified idKeyDigest value during remote attestation."
|
||||
AzureConfigDoc.Fields[14].Name = "confidentialVM"
|
||||
AzureConfigDoc.Fields[13].Description = "Expected value for the field 'idkeydigest' in the AMD SEV-SNP attestation report. Only usable with ConfidentialVMs. See 4.6 and 7.3 in: https://www.amd.com/system/files/TechDocs/56860.pdf"
|
||||
AzureConfigDoc.Fields[13].Comments[encoder.LineComment] = "Expected value for the field 'idkeydigest' in the AMD SEV-SNP attestation report. Only usable with ConfidentialVMs. See 4.6 and 7.3 in: https://www.amd.com/system/files/TechDocs/56860.pdf"
|
||||
AzureConfigDoc.Fields[14].Name = "enforceIdKeyDigest"
|
||||
AzureConfigDoc.Fields[14].Type = "bool"
|
||||
AzureConfigDoc.Fields[14].Note = ""
|
||||
AzureConfigDoc.Fields[14].Description = "Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||
AzureConfigDoc.Fields[14].Comments[encoder.LineComment] = "Use Confidential VMs. If set to false, Trusted Launch VMs are used instead. See: https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview"
|
||||
AzureConfigDoc.Fields[15].Name = "secureBoot"
|
||||
AzureConfigDoc.Fields[15].Type = "bool"
|
||||
AzureConfigDoc.Fields[14].Description = "Enforce the specified idKeyDigest value during remote attestation."
|
||||
AzureConfigDoc.Fields[14].Comments[encoder.LineComment] = "Enforce the specified idKeyDigest value during remote attestation."
|
||||
AzureConfigDoc.Fields[15].Name = "measurements"
|
||||
AzureConfigDoc.Fields[15].Type = "Measurements"
|
||||
AzureConfigDoc.Fields[15].Note = ""
|
||||
AzureConfigDoc.Fields[15].Description = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
|
||||
AzureConfigDoc.Fields[15].Comments[encoder.LineComment] = "Enable secure boot for VMs. If enabled, the OS image has to include a virtual machine guest state (VMGS) blob."
|
||||
AzureConfigDoc.Fields[15].Description = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[15].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
AzureConfigDoc.Fields[16].Name = "enforcedMeasurements"
|
||||
AzureConfigDoc.Fields[16].Type = "[]uint32"
|
||||
AzureConfigDoc.Fields[16].Note = ""
|
||||
AzureConfigDoc.Fields[16].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
AzureConfigDoc.Fields[16].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
|
||||
GCPConfigDoc.Type = "GCPConfig"
|
||||
GCPConfigDoc.Comments[encoder.LineComment] = "GCPConfig are GCP specific configuration values used by the CLI."
|
||||
@ -299,7 +304,7 @@ func init() {
|
||||
FieldName: "gcp",
|
||||
},
|
||||
}
|
||||
GCPConfigDoc.Fields = make([]encoder.Doc, 9)
|
||||
GCPConfigDoc.Fields = make([]encoder.Doc, 10)
|
||||
GCPConfigDoc.Fields[0].Name = "project"
|
||||
GCPConfigDoc.Fields[0].Type = "string"
|
||||
GCPConfigDoc.Fields[0].Note = ""
|
||||
@ -335,16 +340,21 @@ func init() {
|
||||
GCPConfigDoc.Fields[6].Note = ""
|
||||
GCPConfigDoc.Fields[6].Description = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://cloud.google.com/compute/docs/disks#disk-types"
|
||||
GCPConfigDoc.Fields[6].Comments[encoder.LineComment] = "Type of a node's state disk. The type influences boot time and I/O performance. See: https://cloud.google.com/compute/docs/disks#disk-types"
|
||||
GCPConfigDoc.Fields[7].Name = "measurements"
|
||||
GCPConfigDoc.Fields[7].Type = "Measurements"
|
||||
GCPConfigDoc.Fields[7].Name = "deployCSIDriver"
|
||||
GCPConfigDoc.Fields[7].Type = "bool"
|
||||
GCPConfigDoc.Fields[7].Note = ""
|
||||
GCPConfigDoc.Fields[7].Description = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[8].Name = "enforcedMeasurements"
|
||||
GCPConfigDoc.Fields[8].Type = "[]uint32"
|
||||
GCPConfigDoc.Fields[7].Description = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
|
||||
GCPConfigDoc.Fields[7].Comments[encoder.LineComment] = "Deploy Persistent Disk CSI driver with on-node encryption. For details see: https://docs.edgeless.systems/constellation/architecture/encrypted-storage"
|
||||
GCPConfigDoc.Fields[8].Name = "measurements"
|
||||
GCPConfigDoc.Fields[8].Type = "Measurements"
|
||||
GCPConfigDoc.Fields[8].Note = ""
|
||||
GCPConfigDoc.Fields[8].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
GCPConfigDoc.Fields[8].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
GCPConfigDoc.Fields[8].Description = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[8].Comments[encoder.LineComment] = "Expected confidential VM measurements."
|
||||
GCPConfigDoc.Fields[9].Name = "enforcedMeasurements"
|
||||
GCPConfigDoc.Fields[9].Type = "[]uint32"
|
||||
GCPConfigDoc.Fields[9].Note = ""
|
||||
GCPConfigDoc.Fields[9].Description = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
GCPConfigDoc.Fields[9].Comments[encoder.LineComment] = "List of values that should be enforced to be equal to the ones from the measurement list. Any non-equal values not in this list will only result in a warning."
|
||||
|
||||
QEMUConfigDoc.Type = "QEMUConfig"
|
||||
QEMUConfigDoc.Comments[encoder.LineComment] = "QEMUConfig holds config information for QEMU based Constellation deployments."
|
||||
|
Loading…
Reference in New Issue
Block a user