Move CSI charts to separate chart and cleanup loader code

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

bootstrapper/internal/helm/helm.go

@@ -34,7 +34,7 @@ import (
 
 const (
 	// timeout is the maximum time given to the helm client.
-	timeout = 5 * time.Minute
+	timeout = 10 * time.Minute
 	// maximumRetryAttempts is the maximum number of attempts to retry a helm install.
 	maximumRetryAttempts = 3
 )
@@ -66,31 +66,8 @@ func New(log *logger.Logger) (*Client, error) {
 	}, nil
 }
 
-// InstallConstellationServices installs the constellation-services chart. In the future this chart should bundle all microservices.
+// InstallChart installs a helm chart, optionally merging extraVals into the values of the chart.
-func (h *Client) InstallConstellationServices(ctx context.Context, release helm.Release, extraVals map[string]any) error {
+func (h *Client) InstallChart(ctx context.Context, release helm.Release, extraVals map[string]any) error {
-	h.ReleaseName = release.ReleaseName
-	if err := h.setWaitMode(release.WaitMode); err != nil {
-		return err
-	}
-
-	mergedVals := helm.MergeMaps(release.Values, extraVals)
-
-	return h.install(ctx, release.Chart, mergedVals)
-}
-
-// InstallChart installs a helm chart without extra setup.
-func (h *Client) InstallChart(ctx context.Context, release helm.Release) error {
-	h.ReleaseName = release.ReleaseName
-	h.Timeout = 10 * time.Minute
-	if err := h.setWaitMode(release.WaitMode); err != nil {
-		return err
-	}
-
-	return h.install(ctx, release.Chart, release.Values)
-}
-
-// InstallOperators installs the Constellation Operators.
-func (h *Client) InstallOperators(ctx context.Context, release helm.Release, extraVals map[string]any) error {
 	h.ReleaseName = release.ReleaseName
 	if err := h.setWaitMode(release.WaitMode); err != nil {
 		return err

bootstrapper/internal/kubernetes/k8sutil.go

@@ -26,12 +26,9 @@ type clusterUtil interface {
 	StartKubelet() error
 }
 
-// helmClient bundles functions related to microservice deployment. Only microservices that can be deployed purely via Helm are deployed with this interface.
+// helmClient bundles functions related to microservice deployment.
-// Currently only a subset of microservices is deployed via Helm.
+// Only microservices that can be deployed purely via Helm are deployed with this interface.
-// Naming is inspired by Helm.
 type helmClient interface {
 	InstallCilium(context.Context, k8sapi.Client, helm.Release, k8sapi.SetupPodNetworkInput) error
-	InstallChart(ctx context.Context, release helm.Release) error
+	InstallChart(ctx context.Context, release helm.Release, extraVals map[string]any) error
-	InstallOperators(ctx context.Context, release helm.Release, extraVals map[string]any) error
-	InstallConstellationServices(ctx context.Context, release helm.Release, extraVals map[string]any) error
 }

bootstrapper/internal/kubernetes/kubernetes.go

@@ -232,29 +232,36 @@ func (k *KubeWrapper) InitCluster(
 	}
 
 	log.Infof("Installing Constellation microservices")
-	if err = k.helmClient.InstallConstellationServices(ctx, helmReleases.ConstellationServices, extraVals); err != nil {
+	if err = k.helmClient.InstallChart(ctx, helmReleases.ConstellationServices, extraVals); err != nil {
 		return nil, fmt.Errorf("installing constellation-services: %w", err)
 	}
 
 	// cert-manager provides CRDs used by other deployments,
-	// so it should be installed as early as possible, but after our microservices.
+	// so it should be installed as early as possible, but after the services cert-manager depends on.
 	log.Infof("Installing cert-manager")
-	if err = k.helmClient.InstallChart(ctx, helmReleases.CertManager); err != nil {
+	if err = k.helmClient.InstallChart(ctx, helmReleases.CertManager, nil); err != nil {
 		return nil, fmt.Errorf("installing cert-manager: %w", err)
 	}
 
-	// CSI snapshot-controller requires CRDs from cert-manager. It must be installed after it.
+	// Install CSI drivers if enabled by the user.
-	// CSI snapshot support should also only be deployed on clouds where we can deploy CSI drivers,
+	if helmReleases.CSI != nil {
-	// and the deployment was not disabled by the user.
+		var csiVals map[string]any
-	if helmReleases.SnapshotCRDs != nil && helmReleases.SnapshotController != nil {
+		if cloudprovider.FromString(k.cloudProvider) == cloudprovider.OpenStack {
-		log.Infof("Installing CSI snapshot CRDs")
+			creds, err := openstack.AccountKeyFromURI(serviceConfig.cloudServiceAccountURI)
-		if err = k.helmClient.InstallChart(ctx, *helmReleases.SnapshotCRDs); err != nil {
+			if err != nil {
-			return nil, fmt.Errorf("installing CSI snapshot CRDs: %w", err)
+				return nil, err
+			}
+			cinderIni := creds.CloudINI().CinderCSIConfiguration()
+			csiVals = map[string]any{
+				"cinder-config": map[string]any{
+					"secretData": cinderIni,
+				},
+			}
 		}
 
-		log.Infof("Installing CSI snapshot-controller")
+		log.Infof("Installing CSI deployments")
-		if err = k.helmClient.InstallChart(ctx, *helmReleases.SnapshotController); err != nil {
+		if err := k.helmClient.InstallChart(ctx, *helmReleases.CSI, csiVals); err != nil {
-			return nil, fmt.Errorf("installing CSI snapshot-controller: %w", err)
+			return nil, fmt.Errorf("installing CSI snapshot CRDs: %w", err)
 		}
 	}
 
@@ -266,7 +273,7 @@ func (k *KubeWrapper) InitCluster(
 	// Constellation operators require CRDs from cert-manager.
 	// They must be installed after it.
 	log.Infof("Installing operators")
-	if err = k.helmClient.InstallOperators(ctx, helmReleases.Operators, operatorVals); err != nil {
+	if err = k.helmClient.InstallChart(ctx, helmReleases.Operators, operatorVals); err != nil {
 		return nil, fmt.Errorf("installing operators: %w", err)
 	}
 
@@ -430,7 +437,6 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 		"join-service": map[string]any{
 			"measurementSalt": base64.StdEncoding.EncodeToString(serviceConfig.measurementSalt),
 		},
-		"ccm": map[string]any{},
 		"verification-service": map[string]any{
 			"loadBalancerIP": serviceConfig.loadBalancerIP,
 		},
@@ -465,15 +471,13 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 			return nil, fmt.Errorf("marshaling service account key: %w", err)
 		}
 
-		ccmVals, ok := extraVals["ccm"].(map[string]any)
+		extraVals["ccm"] = map[string]any{
-		if !ok {
+			"GCP": map[string]any{
-			return nil, errors.New("invalid ccm values")
-		}
-		ccmVals["GCP"] = map[string]any{
 				"projectID":         projectID,
 				"uid":               uid,
 				"secretData":        string(rawKey),
 				"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
+			},
 		}
 
 	case cloudprovider.Azure:
@@ -487,13 +491,10 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 			return nil, fmt.Errorf("creating ccm secret: %w", err)
 		}
 
-		ccmVals, ok := extraVals["ccm"].(map[string]any)
+		extraVals["ccm"] = map[string]any{
-		if !ok {
+			"Azure": map[string]any{
-			return nil, errors.New("invalid ccm values")
-		}
-		ccmVals["Azure"] = map[string]any{
 				"azureConfig": string(ccmConfig),
-			"subnetworkPodCIDR": serviceConfig.subnetworkPodCIDR,
+			},
 		}
 
 	case cloudprovider.OpenStack:
@@ -526,10 +527,6 @@ func (k *KubeWrapper) setupExtraVals(ctx context.Context, serviceConfig constell
 			"yawolNetworkID": networkIDs[0],
 			"yawolAPIHost":   fmt.Sprintf("https://%s:%d", serviceConfig.loadBalancerIP, constants.KubernetesPort),
 		}
-		cinderIni := creds.CloudINI().CinderCSIConfiguration()
-		extraVals["cinder-config"] = map[string]any{
-			"secretData": cinderIni,
-		}
 	}
 	return extraVals, nil
 }

bootstrapper/internal/kubernetes/kubernetes_test.go

@@ -138,23 +138,7 @@ func TestInitCluster(t *testing.T) {
 		},
 		"kubeadm init fails when setting up constellation-services chart": {
 			clusterUtil:      stubClusterUtil{kubeconfig: []byte("someKubeconfig")},
-			helmClient:       stubHelmClient{servicesError: assert.AnError},
+			helmClient:       stubHelmClient{installChartError: assert.AnError},
-			kubeAPIWaiter:    stubKubeAPIWaiter{},
-			providerMetadata: &stubProviderMetadata{},
-			wantErr:          true,
-			k8sVersion:       versions.Default,
-		},
-		"kubeadm init fails when setting the cloud node manager": {
-			clusterUtil:      stubClusterUtil{kubeconfig: []byte("someKubeconfig")},
-			helmClient:       stubHelmClient{servicesError: assert.AnError},
-			kubeAPIWaiter:    stubKubeAPIWaiter{},
-			providerMetadata: &stubProviderMetadata{},
-			wantErr:          true,
-			k8sVersion:       versions.Default,
-		},
-		"kubeadm init fails when setting the cluster autoscaler": {
-			clusterUtil:      stubClusterUtil{kubeconfig: []byte("someKubeconfig")},
-			helmClient:       stubHelmClient{servicesError: assert.AnError},
 			kubeAPIWaiter:    stubKubeAPIWaiter{},
 			providerMetadata: &stubProviderMetadata{},
 			wantErr:          true,
@@ -167,14 +151,6 @@ func TestInitCluster(t *testing.T) {
 			wantErr:          true,
 			k8sVersion:       versions.Default,
 		},
-		"kubeadm init fails when setting up konnectivity": {
-			clusterUtil:      stubClusterUtil{kubeconfig: []byte("someKubeconfig")},
-			helmClient:       stubHelmClient{servicesError: assert.AnError},
-			kubeAPIWaiter:    stubKubeAPIWaiter{},
-			providerMetadata: &stubProviderMetadata{},
-			wantErr:          true,
-			k8sVersion:       versions.Default,
-		},
 		"kubeadm init fails when setting up verification service": {
 			clusterUtil:      stubClusterUtil{kubeconfig: []byte("someKubeconfig")},
 			kubeAPIWaiter:    stubKubeAPIWaiter{},
@@ -582,26 +558,16 @@ func (s *stubKubectl) EnforceCoreDNSSpread(_ context.Context) error {
 type stubHelmClient struct {
 	ciliumError       error
 	installChartError error
-	operatorsError    error
-	servicesError     error
 }
 
 func (s *stubHelmClient) InstallCilium(_ context.Context, _ k8sapi.Client, _ helm.Release, _ k8sapi.SetupPodNetworkInput) error {
 	return s.ciliumError
 }
 
-func (s *stubHelmClient) InstallChart(_ context.Context, _ helm.Release) error {
+func (s *stubHelmClient) InstallChart(_ context.Context, _ helm.Release, _ map[string]any) error {
 	return s.installChartError
 }
 
-func (s *stubHelmClient) InstallOperators(_ context.Context, _ helm.Release, _ map[string]any) error {
-	return s.operatorsError
-}
-
-func (s *stubHelmClient) InstallConstellationServices(_ context.Context, _ helm.Release, _ map[string]any) error {
-	return s.servicesError
-}
-
 type stubKubeAPIWaiter struct {
 	waitErr error
 }

cli/internal/helm/BUILD.bazel

@@ -191,22 +191,6 @@ go_library(
         "charts/edgeless/constellation-services/charts/autoscaler/templates/serviceaccount.yaml",
         "charts/edgeless/constellation-services/charts/autoscaler/values.schema.json",
         "charts/edgeless/constellation-services/charts/autoscaler/values.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/_helpers.tpl",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/crd-csi-snapshot.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-driver.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/rbac-csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/rbac-csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/storageclass_default.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/templates/storageclass_integrity.yaml",
-        "charts/edgeless/constellation-services/charts/azuredisk-csi-driver/values.yaml",
         "charts/edgeless/constellation-services/charts/ccm/.helmignore",
         "charts/edgeless/constellation-services/charts/ccm/Chart.yaml",
         "charts/edgeless/constellation-services/charts/ccm/templates/aws-daemonset.yaml",
@@ -227,14 +211,6 @@ go_library(
         "charts/edgeless/constellation-services/charts/cnm/templates/serviceaccount.yaml",
         "charts/edgeless/constellation-services/charts/cnm/values.schema.json",
         "charts/edgeless/constellation-services/charts/cnm/values.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/cluster_setup.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/controller.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/storageclass_default.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/storageclass_integrity.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/templates/v1_csidriver.yaml",
-        "charts/edgeless/constellation-services/charts/gcp-compute-persistent-disk-csi-driver/values.yaml",
         "charts/edgeless/constellation-services/charts/gcp-guest-agent/.helmignore",
         "charts/edgeless/constellation-services/charts/gcp-guest-agent/Chart.yaml",
         "charts/edgeless/constellation-services/charts/gcp-guest-agent/templates/daemonset.yaml",
@@ -334,61 +310,91 @@ go_library(
         "charts/edgeless/constellation-services/charts/yawol-config/templates/secret.yaml",
         "charts/edgeless/constellation-services/charts/yawol-config/values.schema.json",
         "charts/edgeless/constellation-services/charts/yawol-config/values.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-config/.helmignore",
+        "charts/edgeless/csi/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/_helpers.tpl",
-        "charts/edgeless/constellation-services/charts/cinder-config/values.schema.json",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/crd-csi-snapshot.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-config/values.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/csi-azuredisk-driver.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/rbac-csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/rbac-csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-controller.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-node.yaml",
-        "charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/CHANGELOG.md",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/storageclass_default.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/Chart.yaml",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/templates/storageclass_integrity.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/NOTES.txt",
+        "charts/edgeless/csi/charts/azuredisk-csi-driver/values.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/_helpers.tpl",
+        "charts/edgeless/csi/charts/cinder-config/.helmignore",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrole-attacher.yaml",
+        "charts/edgeless/csi/charts/cinder-config/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrole-csi-node.yaml",
+        "charts/edgeless/csi/charts/cinder-config/templates/secret.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrole-provisioner.yaml",
+        "charts/edgeless/csi/charts/cinder-config/values.schema.json",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrole-resizer.yaml",
+        "charts/edgeless/csi/charts/cinder-config/values.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrole-snapshotter.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrolebinding-attacher.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/cluster_setup.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrolebinding-csi-node.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/controller.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrolebinding-provisioner.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/node.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrolebinding-resizer.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/storageclass_default.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/clusterrolebinding-snapshotter.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/storageclass_integrity.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/controller.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/templates/v1_csidriver.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/csidriver.yaml",
+        "charts/edgeless/csi/charts/gcp-compute-persistent-disk-csi-driver/values.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/metrics.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/Chart.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/node-windows.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/README.md",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/node.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/NOTES.txt",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/poddisruptionbudget-controller.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/_helpers.tpl",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/serviceaccount-csi-controller.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/cinder-csi-driver.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/serviceaccount-csi-node.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/controllerplugin-deployment.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/storageclass.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/controllerplugin-rbac.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/storageclass_default.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/custom_storageclass.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/storageclass_integrity.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/templates/volumesnapshotclass.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/nodeplugin-rbac.yaml",
-        "charts/edgeless/constellation-services/charts/aws-csi-driver/values.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/secret.yaml",
-        "charts/csi-snapshotter/crds/Chart.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/templates/storageclass.yaml",
-        "charts/csi-snapshotter/crds/templates/volumesnapshotclasses.yaml",
+        "charts/edgeless/csi/charts/openstack-cinder-csi/values.yaml",
-        "charts/csi-snapshotter/crds/templates/volumesnapshotcontents.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/Chart.yaml",
-        "charts/csi-snapshotter/crds/templates/volumesnapshots.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/admission-configuration.yaml",
-        "charts/csi-snapshotter/crds/values.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/rbac-snapshot-controller.yaml",
-        "charts/csi-snapshotter/snapshot-controller/Chart.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/rbac-snapshot-webhook.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/rbac-snapshot-controller.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/selfsigned-issuer.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/rbac-snapshot-webhook.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/serving-cert.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/selfsigned-issuer.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/snapshot-controller.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/serving-cert.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/templates/snapshot-webhook.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/snapshot-controller.yaml",
+        "charts/edgeless/csi/charts/snapshot-controller/values.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/snapshot-webhook.yaml",
+        "charts/edgeless/csi/charts/snapshot-crds/Chart.yaml",
-        "charts/csi-snapshotter/snapshot-controller/values.yaml",
+        "charts/edgeless/csi/charts/snapshot-crds/templates/volumesnapshotclasses.yaml",
-        "charts/csi-snapshotter/snapshot-controller/templates/admission-configuration.yaml",
+        "charts/edgeless/csi/charts/snapshot-crds/templates/volumesnapshotcontents.yaml",
+        "charts/edgeless/csi/charts/snapshot-crds/templates/volumesnapshots.yaml",
+        "charts/edgeless/csi/charts/snapshot-crds/values.yaml",
+        "charts/edgeless/csi/values.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/CHANGELOG.md",
+        "charts/edgeless/csi/charts/aws-csi-driver/Chart.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/NOTES.txt",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/_helpers.tpl",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrole-attacher.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrole-csi-node.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrole-provisioner.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrole-resizer.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrole-snapshotter.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrolebinding-attacher.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrolebinding-csi-node.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrolebinding-provisioner.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrolebinding-resizer.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/clusterrolebinding-snapshotter.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/controller.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/csidriver.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/metrics.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/node-windows.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/node.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/poddisruptionbudget-controller.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/serviceaccount-csi-controller.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/serviceaccount-csi-node.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/storageclass.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/storageclass_default.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/storageclass_integrity.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/templates/volumesnapshotclass.yaml",
+        "charts/edgeless/csi/charts/aws-csi-driver/values.yaml",
     ],
     importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm",
     visibility = ["//cli:__subpackages__"],

cli/internal/helm/README.md

@@ -10,14 +10,18 @@ Because upgrades should be a CLI-only operation and we want to avoid the behavio
 Here is how we manage CRD upgrades for each chart.
 
 ## Cilium
+
 - CRDs are updated by cilium-operator.
 
 ## cert-manager
+
 - installCRDs flag is set during upgrade. This flag is managed by cert-manager. cert-manager is in charge of correctly upgrading the CRDs.
 - WARNING: upgrading cert-manager might break other installations of cert-manager in the cluster, if those other installation are not on the same version as the Constellation-manager installation. This is due to the cluster-wide CRDs.
 
 ## Operators
+
 - Manually update CRDs before upgrading the chart. Update by running applying the CRDs found in the `operators/crds/` folder.
 
 ## Constellation-services
+
 - There currently are no CRDs in this chart.

cli/internal/helm/charts/csi-snapshotter/crds/Chart.yaml

@@ -1,6 +0,0 @@
-apiVersion: v2
-name: crds
-description: A chart to deploy csi snapshot CRDs
-type: application
-version: 6.2.2
-appVersion: "6.2.2"

cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml

@@ -57,21 +57,6 @@ dependencies:
     version: 0.0.0
     tags:
       - GCP
-  - name: gcp-compute-persistent-disk-csi-driver
-    version: 1.0.1
-    condition: gcp.deployCSIDriver
-    tags:
-      - GCP
-  - name: azuredisk-csi-driver
-    version: 1.0.1
-    condition: azure.deployCSIDriver
-    tags:
-      - Azure
-  - name: aws-csi-driver
-    version: 1.0.0
-    condition: aws.deployCSIDriver
-    tags:
-      - AWS
   - name: yawol-config
     version: 0.0.0
     condition: openstack.deployYawolLoadBalancer
@@ -82,13 +67,3 @@ dependencies:
     condition: openstack.deployYawolLoadBalancer
     tags:
       - OpenStack
-  - name: cinder-config
-    version: 1.0.0
-    condition: openstack.deployCSIDriver
-    tags:
-      - OpenStack
-  - name: cinder-csi-plugin
-    version: 1.0.0
-    condition: openstack.deployCSIDriver
-    tags:
-      - OpenStack

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/aws-daemonset.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: cloud-controller-manager
-          image: {{ .Values.AWS.image | quote }}
+          image: {{ .Values.image | quote }}
           args:
           - --cloud-provider=aws
           - --leader-elect=true

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/azure-daemonset.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: cloud-controller-manager
-          image: {{ .Values.Azure.image | quote }}
+          image: {{ .Values.image | quote }}
           command:
           - cloud-controller-manager
           - --cloud-provider=azure

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/gcp-daemonset.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: cloud-controller-manager
-          image: {{ .Values.GCP.image | quote }}
+          image: {{ .Values.image | quote }}
           command:
           - /cloud-controller-manager
           - --cloud-provider=gce

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/templates/openstack-daemonset.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: cloud-controller-manager
-          image: {{ .Values.OpenStack.image | quote }}
+          image: {{ .Values.image | quote }}
           args:
           - /bin/openstack-cloud-controller-manager
           - --cloud-provider=openstack

cli/internal/helm/charts/edgeless/constellation-services/charts/ccm/values.schema.json

@@ -3,37 +3,28 @@
     "properties": {
         "csp": {
             "description": "CSP to which the chart is deployed.",
-            "enum": ["AWS", "Azure", "GCP", "OpenStack", "QEMU"]
+            "enum": [
-        },
+                "AWS",
-        "AWS": {
+                "Azure",
-            "description": "Config values required for deployment on AWS",
+                "GCP",
-            "type": "object",
+                "OpenStack",
-            "properties": {
+                "QEMU"
-                "image": {
-                    "description": "Container image to use for the spawned pods.",
-                    "type": "string"
-                }
-            },
-            "required": [
-                "image"
             ]
         },
+        "image": {
+            "description": "Container image to use for the Cloud Controller Manager.",
+            "type": "string"
+        },
         "Azure": {
             "description": "Config values required for deployment on Azure",
             "type": "object",
             "properties": {
-                "image": {
-                    "description": "Container image to use for the spawned pods.",
-                    "type": "string",
-                    "examples": ["mcr.microsoft.com/oss/kubernetes/azure-cloud-controller-manager:latest"]
-                },
                 "azureConfig": {
                     "description": "Base64 encoded json string that hold required config parameters for Azure CCM.",
                     "type": "string"
                 }
             },
             "required": [
-                "image",
                 "azureConfig"
             ]
         },
@@ -41,14 +32,12 @@
             "description": "Config values required for deployment on GCP",
             "type": "object",
             "properties": {
-                "image": {
-                    "description": "Container image to use for the spawned pods.",
-                    "type": "string"
-                },
                 "projectID": {
                     "description": "ID of the GCP project into which the cluster is deployed",
                     "type": "string",
-                    "examples": ["demoproject-581925"]
+                    "examples": [
+                        "demoproject-581925"
+                    ]
                 },
                 "uid": {
                     "description": "Unique identifier for the cluster",
@@ -61,12 +50,13 @@
                 "subnetworkPodCIDR": {
                     "description": "CIDR Range for Pods in cluster",
                     "type": "string",
-                    "examples": ["192.0.2.0/24"],
+                    "examples": [
+                        "192.0.2.0/24"
+                    ],
                     "pattern": "[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/[0-9]{1,2}"
                 }
             },
             "required": [
-                "image",
                 "projectID",
                 "uid",
                 "secretData",
@@ -77,52 +67,71 @@
             "description": "Config values required for deployment on OpenStack",
             "type": "object",
             "properties": {
-                "image": {
-                    "description": "Container image to use for the spawned pods.",
-                    "type": "string"
-                },
                 "secretData": {
                     "description": "OpenStack service account key as a json-string",
                     "type": "string"
                 }
             },
             "required": [
-                "image",
                 "secretData"
             ]
         }
     },
     "required": [
-        "csp"
+        "csp",
+        "image"
     ],
     "allOf": [
         {
             "if": {
-                "properties": { "csp": { "const": "AWS" } },
+                "properties": {
-                "required": ["csp"]
+                    "csp": {
+                        "const": "Azure"
+                    }
                 },
-            "then": { "required": ["AWS"] }
+                "required": [
+                    "csp"
+                ]
+            },
+            "then": {
+                "required": [
+                    "Azure"
+                ]
+            }
         },
         {
             "if": {
-                "properties": { "csp": { "const": "Azure" } },
+                "properties": {
-                "required": ["csp"]
+                    "csp": {
+                        "const": "GCP"
+                    }
                 },
-            "then": { "required": ["Azure"] }
+                "required": [
+                    "csp"
+                ]
+            },
+            "then": {
+                "required": [
+                    "GCP"
+                ]
+            }
         },
         {
             "if": {
-                "properties": { "csp": { "const": "GCP" } },
+                "properties": {
-                "required": ["csp"]
+                    "csp": {
+                        "const": "OpenStack"
+                    }
                 },
-            "then": { "required": ["GCP"] }
+                "required": [
+                    "csp"
+                ]
             },
-        {
+            "then": {
-            "if": {
+                "required": [
-                "properties": { "csp": { "const": "OpenStack" } },
+                    "OpenStack"
-                "required": ["csp"]
+                ]
-            },
+            }
-            "then": { "required": ["OpenStack"] }
         }
     ],
     "title": "Values",

cli/internal/helm/charts/edgeless/constellation-services/values.yaml

@@ -8,22 +8,9 @@ global:
   # Name of the ConfigMap that holds configs that should not be modified by the user.
   internalCMName: internal-config
 
-# AWS specific configuration
-aws:
-  deployCSIDriver: false
-
-# Azure specific configuration
-azure:
-  deployCSIDriver: false
-
-# GCP specific configuration
-gcp:
-  deployCSIDriver: false
-
 # OpenStack specific configuration
 openstack:
   deployYawolLoadBalancer: false
-  deployCSIDriver: false
 
 # Set one of the tags to true to indicate which CSP you are deploying to.
 tags:

cli/internal/helm/charts/edgeless/csi/Chart.yaml

@@ -0,0 +1,30 @@
+apiVersion: v2
+name: constellation-csi
+description: A chart to deploy CSI services for Constellation
+type: application
+version: 0.0.0
+dependencies:
+  - name: snapshot-controller
+    version: 6.2.2
+  - name: snapshot-crds
+    version: 6.2.2
+  - name: aws-csi-driver
+    version: 1.1.0
+    tags:
+      - AWS
+  - name: azuredisk-csi-driver
+    version: v1.2.0
+    tags:
+      - Azure
+  - name: cinder-config
+    version: 1.0.0
+    tags:
+      - OpenStack
+  - name: gcp-compute-persistent-disk-csi-driver
+    version: 1.2.0
+    tags:
+      - GCP
+  - name: openstack-cinder-csi
+    version: 1.0.0
+    tags:
+      - OpenStack

cli/internal/helm/charts/edgeless/csi/charts/openstack-cinder-csi/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 appVersion: v1.0.0
 description: Cinder CSI Chart for OpenStack with on-node encryption support
-name: cinder-csi-plugin
+name: openstack-cinder-csi
 version: 1.0.0

cli/internal/helm/charts/edgeless/csi/charts/openstack-cinder-csi/README.md

@@ -0,0 +1,21 @@
+# Cinder CSI volume provisioner
+
+Deploys a Cinder csi provisioner to your cluster, with the appropriate storageClass.
+
+## How To install
+- Enable deployment of storageclasses using `storageClass.enabled`
+- Tag the retain or delete class as default class using `storageClass.delete.isDefault` in your value yaml
+- Set `storageClass.<reclaim-policy>.allowVolumeExpansion` to `true` or `false`
+
+First add the repo:
+
+    helm repo add cpo https://kubernetes.github.io/cloud-provider-openstack
+    helm repo update
+
+If you are using Helm v3:
+
+    helm install cinder-csi cpo/openstack-cinder-csi
+
+If you are using Helm v2:
+
+    helm install --name cinder-csi cpo/openstack-cinder-csi

cli/internal/helm/charts/edgeless/csi/charts/openstack-cinder-csi/templates/NOTES.txt

@@ -0,0 +1 @@
+Use the following storageClass encrypted-rwo and integrity-encrypted-rwo only for RWO volumes.

cli/internal/helm/charts/edgeless/csi/charts/openstack-cinder-csi/templates/custom_storageclass.yaml

@@ -0,0 +1,3 @@
+{{- if .Values.storageClass.custom -}}
+{{ .Values.storageClass.custom }}
+{{- end }}

cli/internal/helm/charts/edgeless/csi/charts/openstack-cinder-csi/templates/secret.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.secret.name }}
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  {{ .Values.secret.data | toYaml | trimSuffix "\n" | nindent 2 }}
+{{- end }}

cli/internal/helm/charts/edgeless/csi/charts/snapshot-crds/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: snapshot-crds
+description: A chart to deploy CSI snapshot CRDs
+type: application
+version: 6.2.2
+appVersion: "6.2.2"

cli/internal/helm/charts/edgeless/csi/values.yaml

@@ -0,0 +1,11 @@
+global:
+  # Port on which the KeyService will listen.
+  keyServicePort: 9000
+
+# Set one of the tags to true to indicate which CSP you are deploying to.
+tags:
+  AWS: false
+  Azure: false
+  GCP: false
+  OpenStack: false
+  QEMU: false

cli/internal/helm/client.go

@@ -267,29 +267,20 @@ func (c *Client) upgradeRelease(
 	switch chart.Metadata.Name {
 	case ciliumInfo.chartName:
 		releaseName = ciliumInfo.releaseName
-		values, err = loader.loadCiliumValues()
+		values = ciliumVals[conf.GetProvider().String()]
-		if err != nil {
-			return fmt.Errorf("loading values: %w", err)
-		}
 	case certManagerInfo.chartName:
 		releaseName = certManagerInfo.releaseName
 		values = loader.loadCertManagerValues()
 	case constellationOperatorsInfo.chartName:
 		releaseName = constellationOperatorsInfo.releaseName
-		values, err = loader.loadOperatorsValues()
+		values = loader.loadOperatorsValues()
-		if err != nil {
-			return fmt.Errorf("loading values: %w", err)
-		}
 
 		if err := c.updateCRDs(ctx, chart); err != nil {
 			return fmt.Errorf("updating CRDs: %w", err)
 		}
 	case constellationServicesInfo.chartName:
 		releaseName = constellationServicesInfo.releaseName
-		values, err = loader.loadConstellationServicesValues()
+		values = loader.loadConstellationServicesValues()
-		if err != nil {
-			return fmt.Errorf("loading values: %w", err)
-		}
 
 		if err := c.applyMigrations(ctx, releaseName, values, conf); err != nil {
 			return fmt.Errorf("applying migrations: %w", err)