constellation/cli/internal/helm
Leonard Cohnen 7318f605e1 cilium: also encryption control-planes
When enabling node-to-node encryption, Cilium does not
encrypt control-plane to control-plane traffic by
default since they say that they cannot guarantee that
the generated private key for a node is persisted across
reboots.

In Constellation we use stateful VMs which when rebooted
still have the cilium_wg0 interface containing the
private key.

Therefore, we can enable this type of encryption.
2023-11-15 19:27:33 +01:00
charts deps: update cilium 2023-11-15 19:27:33 +01:00
imageversion bazel: allow custom container_prefix (#1693) 2023-04-27 11:52:02 +02:00
testdata helm: add gcp ccm permissions for internal LBs (#2474) 2023-10-19 10:57:59 +02:00
action.go Retry helm apply on any error (#2322) 2023-09-08 22:54:01 +02:00
actionfactory_test.go cli: check chart versions against target version in users config before upgrading (#2319) 2023-09-08 23:09:02 +02:00
actionfactory.go cli: check chart versions against target version in users config before upgrading (#2319) 2023-09-08 23:09:02 +02:00
BUILD.bazel deps: update cilium 2023-11-15 19:27:33 +01:00
chartutil.go cli: save Helm charts to disk before running upgrades (#2305) 2023-09-08 12:02:16 +02:00
cilium.patch deps: update cilium 2023-11-15 19:27:33 +01:00
ciliumhelper.go cli: install cilium in cli instead of bootstrapper (#2146) 2023-08-02 15:49:40 +02:00
generateCertManager.sh bazel: add go generate to //:generate target 2023-03-29 12:51:40 -04:00
generateCilium.sh deps: update cilium 2023-11-15 19:27:33 +01:00
helm_test.go cli: use state file on init and upgrade (#2395) 2023-10-09 13:04:29 +02:00
helm.go cli: use state file on init and upgrade (#2395) 2023-10-09 13:04:29 +02:00
loader_test.go terraform: always output node cidr (#2481) 2023-10-23 15:06:48 +02:00
loader.go cli: use state file on init and upgrade (#2395) 2023-10-09 13:04:29 +02:00
overrides.go Support internal load balancers (#2388) 2023-10-17 15:46:15 +02:00
README.md Fix README 2023-07-20 15:47:12 +02:00
release.go cli: helm install and upgrade unification (#2244) 2023-08-24 16:40:47 +02:00
retryaction_test.go Retry helm apply on any error (#2322) 2023-09-08 22:54:01 +02:00
retryaction.go Retry helm apply on any error (#2322) 2023-09-08 22:54:01 +02:00
serviceversion.go cli: output CSI driver versions on status (#2128) 2023-07-27 16:14:36 +02:00
update-aws-load-balancer-chart.sh aws: use new LB controller to fix SecurityGroup cleanup on K8s service deletion (#2090) 2023-07-24 10:30:53 +02:00
update-csi-charts.sh cli: update Azure/GCP CSI charts (#2416) 2023-10-06 14:56:49 +02:00
values.go cilium: also encryption control-planes 2023-11-15 19:27:33 +01:00
versionlister.go cli: helm install and upgrade unification (#2244) 2023-08-24 16:40:47 +02:00

Helm

Constellation uses helm to install and upgrade deployments to the Kubernetes cluster. Helm wraps deployments into charts. One chart should contain all the configuration needed to run a deployment.

Charts used by Constellation

To make installation and lifecycle management easier, Constellation groups multiple related charts into sub-charts. The following "parent" charts are used by Constellation:

  • cert-manager

  • Cilium

  • constellation-services

    Cluster services (mostly) written by us, providing basic functionality of the cluster

  • csi

    Our modified Kubernetes CSI drivers and Snapshot controller/CRDs

  • operators

    Kubernetes operators we use to control and manage the lifecycle of a Constellation cluster

Chart upgrades

All services that are installed via helm-install are upgraded via helm-upgrade. Two aspects are not fully covered by running helm-upgrade: CRDs and values. While helm-install can install CRDs if they are contained in a chart's crds folder, helm-upgrade won't change any installed CRDs. Furthermore, new values introduced with a new version of a chart will not be installed into the cluster if the --reuse-values flag is set. Nevertheless, we have to rely on the values already present in the cluster because some of the values are set by the bootstrapper during installation. Because upgrades should be a CLI-only operation and we want to avoid the behaviour of --reuse-values, we fetch the cluster values and merge them with any new values.
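The merge step described above, as an added illustration that is not the project's own code: it assumes that values already stored in the release (including those written by the bootstrapper) take precedence, and that keys only present in the newer chart's defaults are added, which is the part --reuse-values would drop. The sample values are constructed and do not correspond to real Constellation chart keys.

```go
package main

import "fmt"

// mergeReleaseValues deep-merges two Helm values trees (the shape
// yaml.Unmarshal and `helm get values` produce). Keys the cluster
// already has keep their value, so settings written by the
// bootstrapper at install time survive the upgrade; keys that exist
// only in the new chart's defaults are added. Neither input is modified.
func mergeReleaseValues(cluster, fresh map[string]any) map[string]any {
	out := make(map[string]any, len(fresh)+len(cluster))
	for k, v := range fresh {
		out[k] = v
	}
	for k, cv := range cluster {
		fv, inFresh := out[k]
		cm, cIsMap := cv.(map[string]any)
		fm, fIsMap := fv.(map[string]any)
		if inFresh && cIsMap && fIsMap {
			// both sides are sub-trees: recurse so new nested keys are picked up
			out[k] = mergeReleaseValues(cm, fm)
			continue
		}
		// scalar, list, or key unknown to the new chart: the cluster value wins
		out[k] = cv
	}
	return out
}

func main() {
	// Constructed sample data, not real Constellation chart values.
	cluster := map[string]any{ // what `helm get values` returned
		"global":   map[string]any{"servicePort": 9000},
		"replicas": 2,
	}
	fresh := map[string]any{ // defaults shipped with the newer chart
		"global":  map[string]any{"servicePort": 8080, "newFeatureEnabled": true},
		"metrics": map[string]any{"enabled": false},
	}
	fmt.Println(mergeReleaseValues(cluster, fresh))
	// First install: no release exists yet, so the chart defaults are used as-is.
	fmt.Println(mergeReleaseValues(nil, fresh))
}
```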

Here is how we manage CRD upgrades for each chart.

Cilium

  • CRDs are updated by cilium-operator.

cert-manager

  • installCRDs flag is set during upgrade. This flag is managed by cert-manager. cert-manager is in charge of correctly upgrading the CRDs.
  • WARNING: upgrading cert-manager might break other installations of cert-manager in the cluster, if those other installations are not on the same version as the Constellation-managed installation. This is due to the cluster-wide CRDs.

Operators

  • Manually update CRDs before upgrading the chart. Update by applying the CRDs found in the operators/crds/ folder.

Constellation-services

  • There are currently no CRDs in this chart.

CSI

  • CRDs are required for enabling snapshot support
  • CRDs are provided as their own helm chart and may be updated using helm