mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-17 05:32:22 -04:00
AB#2554 GCP CSI driver deployment (#532)
* Allow enabling/disabling of CSI driver through config * Fix inconsistent namespace parsing * Deploy GCP CSI driver on init * Update invalid pod tolerations * Add generate script for CSI charts * Update generateCilium script Signed-off-by: Daniel Weiße <dw@edgeless.systems>
This commit is contained in:
Daniel Weiße
GitHub
parent
6b7e470983
commit
b966f57a2f
45 changed files with 1597 additions and 165 deletions
|
|
@ -18,6 +18,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
||||
"github.com/edgelesssys/constellation/v2/internal/config"
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/deploy/helm"
|
||||
"github.com/edgelesssys/constellation/v2/internal/versions"
|
||||
|
|
@ -30,6 +31,8 @@ import (
|
|||
|
||||
// Run `go generate` to deterministically create the patched Helm deployment for cilium
|
||||
//go:generate ./generateCilium.sh
|
||||
// Run `go generate` to load CSI driver charts from the CSI repositories
|
||||
//go:generate ./update-csi-charts.sh
|
||||
|
||||
//go:embed all:charts/*
|
||||
var helmFS embed.FS
|
||||
|
|
@ -66,13 +69,15 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
|
|||
}
|
||||
|
||||
// Load the embedded helm charts.
|
||||
func (i *ChartLoader) Load(csp cloudprovider.Provider, conformanceMode bool, masterSecret []byte, salt []byte, enforcedPCRs []uint32, enforceIDKeyDigest bool) ([]byte, error) {
|
||||
func (i *ChartLoader) Load(config *config.Config, conformanceMode bool, masterSecret, salt []byte) ([]byte, error) {
|
||||
csp := config.GetProvider()
|
||||
|
||||
ciliumRelease, err := i.loadCilium(csp, conformanceMode)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("loading cilium: %w", err)
|
||||
}
|
||||
|
||||
conServicesRelease, err := i.loadConstellationServices(csp, masterSecret, salt, enforcedPCRs, enforceIDKeyDigest)
|
||||
conServicesRelease, err := i.loadConstellationServices(config, masterSecret, salt)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("loading constellation-services: %w", err)
|
||||
}
|
||||
|
|
@ -122,11 +127,9 @@ func (i *ChartLoader) loadCilium(csp cloudprovider.Provider, conformanceMode boo
|
|||
return helm.Release{Chart: chartRaw, Values: ciliumVals, ReleaseName: "cilium", Wait: true}, nil
|
||||
}
|
||||
|
||||
// loadConstellationServices loads the constellation-services chart from the embed.FS, marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
|
||||
func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
||||
masterSecret []byte, salt []byte, enforcedPCRs []uint32,
|
||||
enforceIDKeyDigest bool,
|
||||
) (helm.Release, error) {
|
||||
// loadConstellationServices loads the constellation-services chart from the embed.FS,
|
||||
// marshals it into a helm-package .tgz and sets the values that can be set in the CLI.
|
||||
func (i *ChartLoader) loadConstellationServices(config *config.Config, masterSecret, salt []byte) (helm.Release, error) {
|
||||
chart, err := loadChartsDir(helmFS, "charts/edgeless/constellation-services")
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("loading constellation-services chart: %w", err)
|
||||
|
|
@ -137,11 +140,12 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
|||
return helm.Release{}, fmt.Errorf("packaging chart: %w", err)
|
||||
}
|
||||
|
||||
enforcedPCRsJSON, err := json.Marshal(enforcedPCRs)
|
||||
enforcedPCRsJSON, err := json.Marshal(config.GetEnforcedPCRs())
|
||||
if err != nil {
|
||||
return helm.Release{}, fmt.Errorf("marshaling enforcedPCRs: %w", err)
|
||||
}
|
||||
|
||||
csp := config.GetProvider()
|
||||
vals := map[string]any{
|
||||
"global": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
|
|
@ -154,7 +158,6 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
|||
"image": i.kmsImage,
|
||||
"masterSecret": base64.StdEncoding.EncodeToString(masterSecret),
|
||||
"salt": base64.StdEncoding.EncodeToString(salt),
|
||||
"namespace": constants.ConstellationNamespace,
|
||||
"saltKeyName": constants.ConstellationSaltKey,
|
||||
"masterSecretKeyName": constants.ConstellationMasterSecretKey,
|
||||
"masterSecretName": constants.ConstellationMasterSecretStoreName,
|
||||
|
|
@ -164,7 +167,6 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
|||
"csp": csp,
|
||||
"enforcedPCRs": string(enforcedPCRsJSON),
|
||||
"image": i.joinServiceImage,
|
||||
"namespace": constants.ConstellationNamespace,
|
||||
},
|
||||
"ccm": map[string]any{
|
||||
"csp": csp,
|
||||
|
|
@ -177,49 +179,61 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
|
|||
|
||||
switch csp {
|
||||
case cloudprovider.Azure:
|
||||
{
|
||||
joinServiceVals, ok := vals["join-service"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid join-service values")
|
||||
}
|
||||
joinServiceVals["enforceIdKeyDigest"] = enforceIDKeyDigest
|
||||
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["Azure"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["cnm"] = map[string]any{
|
||||
"image": i.cnmImage,
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
joinServiceVals, ok := vals["join-service"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid join-service values")
|
||||
}
|
||||
joinServiceVals["enforceIdKeyDigest"] = config.EnforcesIDKeyDigest()
|
||||
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["Azure"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["cnm"] = map[string]any{
|
||||
"image": i.cnmImage,
|
||||
}
|
||||
|
||||
vals["azure"] = map[string]any{
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"Azure": true,
|
||||
}
|
||||
|
||||
case cloudprovider.GCP:
|
||||
{
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["GCP"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
return helm.Release{}, errors.New("invalid ccm values")
|
||||
}
|
||||
ccmVals["GCP"] = map[string]any{
|
||||
"image": i.ccmImage,
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
vals["gcp"] = map[string]any{
|
||||
"deployCSIDriver": config.DeployCSIDriver(),
|
||||
}
|
||||
|
||||
vals["gcp-compute-persistent-disk-csi-driver"] = map[string]any{
|
||||
"csiNode": map[string]any{
|
||||
"kmsPort": constants.KMSPort,
|
||||
"kmsNamespace": "", // empty namespace means we use the release namespace
|
||||
},
|
||||
}
|
||||
|
||||
vals["tags"] = map[string]any{
|
||||
"GCP": true,
|
||||
}
|
||||
|
||||
case cloudprovider.QEMU:
|
||||
{
|
||||
vals["tags"] = map[string]interface{}{
|
||||
"QEMU": true,
|
||||
}
|
||||
vals["tags"] = map[string]interface{}{
|
||||
"QEMU": true,
|
||||
}
|
||||
|
||||
case cloudprovider.AWS:
|
||||
ccmVals, ok := vals["ccm"].(map[string]any)
|
||||
if !ok {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue