Helm
Constellation uses helm to install and upgrade deployments to the Kubernetes cluster. Helm wraps deployments into charts. One chart should contain all the configuration needed to run a deployment.
Charts used by Constellation
To make installation and lifecycle management easier, Constellation groups multiple related charts into sub-charts. The following "parent" charts are used by Constellation:
- Cluster services (mostly) written by us, providing basic functionality of the cluster
- Our modified Kubernetes CSI drivers and Snapshot controller/CRDs
- Kubernetes operators we use to control and manage the lifecycle of a Constellation cluster
Chart upgrades
All services that are installed via helm-install are upgraded via helm-upgrade.
Two aspects are not fully covered by running helm-upgrade: CRDs and values.
While helm-install can install CRDs if they are contained in a chart's crds folder, upgrade won't change any installed CRDs.
Furthermore, new values introduced with a new version of a chart will not be installed into the cluster if the --reuse-values flag is set.
Nevertheless, we have to rely on the values already present in the cluster because some of the values are set by the bootstrapper during installation.
Because upgrades should be a CLI-only operation and we want to avoid the behaviour of --reuse-values, we fetch the cluster values and merge them with any new values.
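The merge described above, sketched in Go as an added example (not Constellation's own code): values read back from the installed release are deep-merged with the values for the new chart version, so install-time settings survive and new keys still reach the cluster. The key names, the sample data, and the rule that new values win on conflict are assumptions.

```go
package main

import "fmt"

// mergeValues deep-merges overlay onto base and returns a new map.
// Nested maps merge key by key; on any other conflict overlay wins
// (this precedence is an assumption of the example).
func mergeValues(base, overlay map[string]any) map[string]any {
	out := make(map[string]any, len(base)+len(overlay))
	for k, v := range base {
		if m, ok := v.(map[string]any); ok {
			v = mergeValues(m, nil) // copy so the inputs are never mutated
		}
		out[k] = v
	}
	for k, v := range overlay {
		if om, ok := v.(map[string]any); ok {
			bm, _ := out[k].(map[string]any) // nil if absent or not a map
			v = mergeValues(bm, om)
		}
		out[k] = v
	}
	return out
}

// upgradeValues builds the values for an upgrade from constructed sample data.
// All key names are hypothetical.
func upgradeValues() map[string]any {
	// Values read back from the installed release, some set at install time.
	cluster := map[string]any{
		"image":   "registry.example/svc:v1",
		"network": map[string]any{"clusterName": "demo", "subnet": "10.0.0.0/16"},
	}
	// Values for the new chart version, including a key that did not exist before.
	newer := map[string]any{
		"image":   "registry.example/svc:v2",
		"network": map[string]any{"loadBalancer": true},
	}
	return mergeValues(cluster, newer)
}

func main() {
	fmt.Println(upgradeValues())
}
```

With --reuse-values alone, the hypothetical network.loadBalancer key would never reach the release; with only the new values, clusterName and subnet would be lost.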
Here is how we manage CRD upgrades for each chart.
Cilium
- CRDs are updated by cilium-operator.
cert-manager
- installCRDs flag is set during upgrade. This flag is managed by cert-manager. cert-manager is in charge of correctly upgrading the CRDs.
- WARNING: upgrading cert-manager might break other installations of cert-manager in the cluster, if those other installations are not on the same version as the Constellation-manager installation. This is due to the cluster-wide CRDs.
Operators
- Manually update CRDs before upgrading the chart. Update by applying the CRDs found in the operators/crds/ folder.
Constellation-services
- There currently are no CRDs in this chart.
CSI
- CRDs are required for enabling snapshot support
- CRDs are provided as their own helm chart and may be updated using helm