join: synchronize control plane joining (#776)

* join: synchronize control plane joining

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/deployment.yaml

@@ -0,0 +1,143 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: constellation-operator-controller-manager
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: constellation-operator-controller-manager
+  namespace: testNamespace
+  labels:
+    control-plane: controller-manager
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      app.kubernetes.io/name: constellation-operator
+      app.kubernetes.io/instance: testRelease
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        app.kubernetes.io/name: constellation-operator
+        app.kubernetes.io/instance: testRelease
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      containers:
+      - args:
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:8080/
+        - --logtostderr=true
+        - --v=0
+        env:
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.1
+        name: kube-rbac-proxy
+        ports:
+        - containerPort: 8443
+          name: https
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=127.0.0.1:8080
+        - --leader-elect
+        command:
+        - /manager
+        env:
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        - name: CONSTEL_CSP
+          value: QEMU
+        - name: constellation-uid
+          value: "42424242424242"
+        image: constellationOperatorImage
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+        volumeMounts:
+        - mountPath: /etc/kubernetes/pki/etcd
+          name: etcd-certs
+        - mountPath: /host/usr/lib/os-release
+          name: usr-lib-os-release
+        - mountPath: /etc/os-release
+          name: etc-os-release
+        - mountPath: /etc/azure
+          name: azureconfig
+          readOnly: true
+        - mountPath: /etc/gce
+          name: gceconf
+          readOnly: true
+      nodeSelector:
+        node-role.kubernetes.io/control-plane: ""
+      securityContext:
+        runAsUser: 0
+      serviceAccountName: constellation-operator-controller-manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      volumes:
+      - hostPath:
+          path: /etc/kubernetes/pki/etcd
+          type: Directory
+        name: etcd-certs
+      - hostPath:
+          path: /usr/lib/os-release
+          type: File
+        name: usr-lib-os-release
+      - hostPath:
+          path: /etc/os-release
+          type: File
+        name: etc-os-release
+      - name: azureconfig
+        secret:
+          optional: true
+          secretName: azureconfig
+      - configMap:
+          name: gceconf
+          optional: true
+        name: gceconf

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/leader-election-rbac.yaml

@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: constellation-operator-leader-election-role
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: constellation-operator-leader-election-rolebinding
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: 'constellation-operator-leader-election-role'
+subjects:
+- kind: ServiceAccount
+  name: 'constellation-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-config.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: constellation-operator-manager-config
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+data:
+  controller_manager_config.yaml: |
+    apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
+    health:
+      healthProbeBindAddress: ":8081"
+    kind: ControllerManagerConfig
+    leaderElection:
+      leaderElect: true
+      resourceName: "38cc1645.edgeless.systems"
+    metrics:
+      bindAddress: "127.0.0.1:8080"
+    webhook:
+      port: 9443

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/manager-rbac.yaml

@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: constellation-operator-manager-role
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - nodemaintenance.medik8s.io
+  resources:
+  - nodemaintenances
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - autoscalingstrategies
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - autoscalingstrategies/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - autoscalingstrategies/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - joiningnodes/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - nodeimage
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - nodeimages
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - nodeimages/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - nodeimages/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - pendingnodes
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - pendingnodes/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - pendingnodes/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - scalinggroups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - scalinggroups/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - update.edgeless.systems
+  resources:
+  - scalinggroups/status
+  verbs:
+  - get
+  - patch
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: constellation-operator-manager-rolebinding
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'constellation-operator-manager-role'
+subjects:
+- kind: ServiceAccount
+  name: 'constellation-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/metrics-reader-rbac.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: constellation-operator-metrics-reader
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/metrics-service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: constellation-operator-controller-manager-metrics-service
+  namespace: testNamespace
+  labels:
+    control-plane: controller-manager
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  selector:
+    control-plane: controller-manager
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https

cli/internal/helm/testdata/QEMU/constellation-operators/charts/constellation-operator/templates/proxy-rbac.yaml

@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: constellation-operator-proxy-role
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: constellation-operator-proxy-rolebinding
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: constellation-operator-2.3.0-pre
+    app.kubernetes.io/name: constellation-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'constellation-operator-proxy-role'
+subjects:
+- kind: ServiceAccount
+  name: 'constellation-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/deployment.yaml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-maintenance-operator-controller-manager
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: node-maintenance-operator-controller-manager
+  namespace: testNamespace
+  labels:
+    control-plane: controller-manager
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: controller-manager
+      node-maintenance-operator: ""
+      app.kubernetes.io/name: node-maintenance-operator
+      app.kubernetes.io/instance: testRelease
+  template:
+    metadata:
+      labels:
+        control-plane: controller-manager
+        node-maintenance-operator: ""
+        app.kubernetes.io/name: node-maintenance-operator
+        app.kubernetes.io/instance: testRelease
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/master
+                operator: Exists
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      containers:
+      - args:
+        - --health-probe-bind-address=:8081
+        - --metrics-bind-address=:8080
+        - --leader-elect
+        command:
+        - /manager
+        env:
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: nodeMaintenanceOperatorImage
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        ports:
+        - containerPort: 9443
+          name: webhook-server
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 200m
+            memory: 100Mi
+          requests:
+            cpu: 100m
+            memory: 20Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+        volumeMounts:
+        - mountPath: /tmp/k8s-webhook-server/serving-certs
+          name: cert
+          readOnly: true
+      priorityClassName: system-cluster-critical
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: node-maintenance-operator-controller-manager
+      terminationGracePeriodSeconds: 10
+      tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+      volumes:
+      - name: cert
+        secret:
+          defaultMode: 420
+          secretName: webhook-server-cert

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/leader-election-rbac.yaml

@@ -0,0 +1,63 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: node-maintenance-operator-leader-election-role
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: node-maintenance-operator-leader-election-rolebinding
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: 'node-maintenance-operator-leader-election-role'
+subjects:
+- kind: ServiceAccount
+  name: 'node-maintenance-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/manager-rbac.yaml

@@ -0,0 +1,131 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-maintenance-operator-manager-role
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/eviction
+  verbs:
+  - create
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - replicasets
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - create
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - create
+  - get
+- apiGroups:
+  - nodemaintenance.medik8s.io
+  resources:
+  - nodemaintenances
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - nodemaintenance.medik8s.io
+  resources:
+  - nodemaintenances/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - nodemaintenance.medik8s.io
+  resources:
+  - nodemaintenances/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - oauth.openshift.io
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-maintenance-operator-manager-rolebinding
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'node-maintenance-operator-manager-role'
+subjects:
+- kind: ServiceAccount
+  name: 'node-maintenance-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/metrics-reader-rbac.yaml

@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-maintenance-operator-metrics-reader
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/metrics-service.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: node-maintenance-operator-controller-manager-metrics-service
+  namespace: testNamespace
+  labels:
+    control-plane: controller-manager
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  selector:
+    control-plane: controller-manager
+    node-maintenance-operator: ""
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/proxy-rbac.yaml

@@ -0,0 +1,44 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-maintenance-operator-proxy-role
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-maintenance-operator-proxy-rolebinding
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: 'node-maintenance-operator-proxy-role'
+subjects:
+- kind: ServiceAccount
+  name: 'node-maintenance-operator-controller-manager'
+  namespace: 'testNamespace'

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/selfsigned-issuer.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: node-maintenance-operator-selfsigned-issuer
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selfSigned: {}

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/serving-cert.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: node-maintenance-operator-serving-cert
+  namespace: testNamespace
+  labels:
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  dnsNames:
+  - 'node-maintenance-operator-webhook-service.testNamespace.svc'
+  - 'node-maintenance-operator-webhook-service.testNamespace.svc.cluster.local'
+  issuerRef:
+    kind: Issuer
+    name: node-maintenance-operator-selfsigned-issuer
+  secretName: webhook-server-cert

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/validating-webhook-configuration.yaml

@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: node-maintenance-operator-validating-webhook-configuration
+  namespace: testNamespace
+  annotations:
+    cert-manager.io/inject-ca-from: testNamespace/node-maintenance-operator-serving-cert
+  labels:
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+webhooks:
+- admissionReviewVersions:
+  - v1
+  clientConfig:
+    service:
+      name: node-maintenance-operator-webhook-service
+      namespace: testNamespace
+      path: /validate-nodemaintenance-medik8s-io-v1beta1-nodemaintenance
+  failurePolicy: Fail
+  name: vnodemaintenance.kb.io
+  rules:
+  - apiGroups:
+    - nodemaintenance.medik8s.io
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - nodemaintenances
+  sideEffects: None
+  timeoutSeconds: 15

cli/internal/helm/testdata/QEMU/constellation-operators/charts/node-maintenance-operator/templates/webhook-service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: node-maintenance-operator-webhook-service
+  namespace: testNamespace
+  labels:
+    node-maintenance-operator: ""
+    helm.sh/chart: node-maintenance-operator-2.3.0-pre
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  selector:
+    control-plane: controller-manager
+    node-maintenance-operator: ""
+    app.kubernetes.io/name: node-maintenance-operator
+    app.kubernetes.io/instance: testRelease
+  ports:
+  - port: 443
+    protocol: TCP
+    targetPort: 9443