AB#2582: deploy CNM via Helm (#423)

2025-07-24 07:50:40 -04:00 · 2022-11-02 17:47:10 +01:00 · 2022-11-02 17:47:10 +01:00 · e363f03240
commit e363f03240
parent 4b257616e4
24 changed files with 297 additions and 335 deletions
--- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml
@ -25,3 +25,7 @@ dependencies:
      - Azure
      - GCP
      - AWS
+  - name: cnm
+    version: 2.2.0-pre
+    tags:
+      - Azure
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/.helmignore
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/.helmignore
@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/Chart.yaml
@ -0,0 +1,5 @@
+apiVersion: v2
+name: cnm
+description: A chart to deploy cloud node manager for constellation
+type: application
+version: 2.2.0-pre
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/azure-daemonset.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/azure-daemonset.yaml
@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-node-manager
+  namespace: {{ .Release.Namespace}}
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    component: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cloud-node-manager
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/daemonset-pod: "true"
+      labels:
+        k8s-app: cloud-node-manager
+    spec:
+      containers:
+      - name: cloud-node-manager
+        image: {{ .Values.image }}
+        imagePullPolicy: IfNotPresent
+        command:
+          - cloud-node-manager
+          - --node-name=$(NODE_NAME)
+          - --wait-routes=true
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        resources:
+          requests:
+            cpu: 50m
+            memory: 50Mi
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-node-critical
+      serviceAccountName: cloud-node-manager
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+  updateStrategy: {}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/clusterrole.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/clusterrole.yaml
@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cloud-node-manager
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - watch
+  - list
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/clusterrolebinding.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/clusterrolebinding.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cloud-node-manager
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cloud-node-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-node-manager
+  namespace: {{ .Release.Namespace}}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/serviceaccount.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/templates/serviceaccount.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-node-manager
+  namespace: {{ .Release.Namespace}}
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/values.schema.json
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/values.schema.json
@ -0,0 +1,15 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+        "image": {
+            "description": "Container image to use for the spawned pods.",
+            "type": "string",
+            "examples": ["mcr.microsoft.com/oss/kubernetes/azure-cloud-node-manager:v1.23.21"]
+        }
+    },
+    "required": [
+        "image"
+    ],
+    "title": "Values",
+    "type": "object"
+}
--- a/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cnm/values.yaml
--- a/cli/internal/helm/loader.go
+++ b/cli/internal/helm/loader.go
@ -38,15 +38,17 @@ type ChartLoader struct {
 	joinServiceImage string
 	kmsImage         string
 	ccmImage         string
+	cnmImage         string
 }

 func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *ChartLoader {
-	var ccmImage string
+	var ccmImage, cnmImage string
 	switch csp {
 	case cloudprovider.AWS:
 		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAWS
 	case cloudprovider.Azure:
 		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageAzure
+		cnmImage = versions.VersionConfigs[k8sVersion].CloudNodeManagerImageAzure
 	case cloudprovider.GCP:
 		ccmImage = versions.VersionConfigs[k8sVersion].CloudControllerManagerImageGCP
 	}
@ -55,6 +57,7 @@ func New(csp cloudprovider.Provider, k8sVersion versions.ValidK8sVersion) *Chart
 		joinServiceImage: versions.JoinImage,
 		kmsImage:         versions.KmsImage,
 		ccmImage:         ccmImage,
+		cnmImage:         cnmImage,
 	}
 }

@ -156,7 +159,7 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 			"image":        i.joinServiceImage,
 			"namespace":    constants.ConstellationNamespace,
 		},
-		"ccm": map[string]interface{}{
+		"ccm": map[string]any{
 			"csp": csp,
 		},
 	}
@ -178,6 +181,10 @@ func (i *ChartLoader) loadConstellationServices(csp cloudprovider.Provider,
 				"image": i.ccmImage,
 			}

+			vals["cnm"] = map[string]any{
+				"image": i.cnmImage,
+			}
+
 			vals["tags"] = map[string]any{
 				"Azure": true,
 			}
--- a/cli/internal/helm/loader_test.go
+++ b/cli/internal/helm/loader_test.go
@ -50,6 +50,7 @@ func TestTemplate(t *testing.T) {
 		enforceIDKeyDigest bool
 		valuesModifier     func(map[string]any) error
 		ccmImage           string
+		cnmImage           string
 	}{
 		"GCP": {
 			csp:                cloudprovider.GCP,
@ -62,6 +63,7 @@ func TestTemplate(t *testing.T) {
 			enforceIDKeyDigest: true,
 			valuesModifier:     prepareAzureValues,
 			ccmImage:           "ccmImageForAzure",
+			cnmImage:           "cnmImageForAzure",
 		},
 		"QEMU": {
 			csp:                cloudprovider.QEMU,
@ -75,7 +77,7 @@ func TestTemplate(t *testing.T) {
 			assert := assert.New(t)
 			require := require.New(t)

-			chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage}
+			chartLoader := ChartLoader{joinServiceImage: "joinServiceImage", kmsImage: "kmsImage", ccmImage: tc.ccmImage, cnmImage: tc.cnmImage}
 			release, err := chartLoader.Load(tc.csp, true, []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []byte("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), []uint32{1, 11}, tc.enforceIDKeyDigest)
 			require.NoError(err)

@ -98,8 +100,13 @@ func TestTemplate(t *testing.T) {
 			err = tc.valuesModifier(helmReleases.ConstellationServices.Values)
 			require.NoError(err)

+			// This step is needed to enabled/disable subcharts according to their tags/conditions.
+			err = chartutil.ProcessDependencies(chart, helmReleases.ConstellationServices.Values)
+			require.NoError(err)
+
 			valuesToRender, err := chartutil.ToRenderValues(chart, helmReleases.ConstellationServices.Values, options, caps)
 			require.NoError(err)
+
 			result, err := engine.Render(chart, valuesToRender)
 			require.NoError(err)
 			for k, v := range result {
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/azure-daemonset.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/azure-daemonset.yaml
@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cloud-node-manager
+  namespace: testNamespace
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    component: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+spec:
+  selector:
+    matchLabels:
+      k8s-app: cloud-node-manager
+  template:
+    metadata:
+      annotations:
+        cluster-autoscaler.kubernetes.io/daemonset-pod: "true"
+      labels:
+        k8s-app: cloud-node-manager
+    spec:
+      containers:
+      - name: cloud-node-manager
+        image: cnmImageForAzure
+        imagePullPolicy: IfNotPresent
+        command:
+          - cloud-node-manager
+          - --node-name=$(NODE_NAME)
+          - --wait-routes=true
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+        resources:
+          requests:
+            cpu: 50m
+            memory: 50Mi
+      hostNetwork: true
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: system-node-critical
+      serviceAccountName: cloud-node-manager
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+          value: "true"
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Exists
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+  updateStrategy: {}
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/clusterrole.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/clusterrole.yaml
@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cloud-node-manager
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - watch
+  - list
+  - get
+  - update
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - nodes/status
+  verbs:
+  - patch
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/clusterrolebinding.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/clusterrolebinding.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cloud-node-manager
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cloud-node-manager
+subjects:
+- kind: ServiceAccount
+  name: cloud-node-manager
+  namespace: testNamespace
--- a/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/serviceaccount.yaml
+++ b/cli/internal/helm/testdata/Azure/constellation-services/charts/cnm/templates/serviceaccount.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cloud-node-manager
+  namespace: testNamespace
+  labels:
+    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: cloud-node-manager
+    kubernetes.io/cluster-service: "true"