* [wip] use state file in CLI Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use state file in CLI Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> take clusterConfig from IDFile for compat Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> various fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> wip Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add GCP-specific values in Helm loader test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove unnecessary pointer Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * write ClusterValues in one step Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * move stub to test file Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove mention of id-file Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * move output to `migrateTerraform` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * unconditional assignments converting from idFile Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * move require block in go modules file Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fall back to id file on upgrade Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * fix linter check Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add notice to remove Terraform state check on manual migration Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add `name` field Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> fix name tests Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * return 
early if no Terraform diff Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * tidy Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * return infrastructure state even if no diff exists Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add TODO to remove comment Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * use state-file in miniconstellation Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * cli: remove id-file (#2402) * remove id-file from `constellation create` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add file renaming to handler * rename id-file after upgrade * use idFile on `constellation init` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove id-file from `constellation verify` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * linter fixes Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove id-file from `constellation mini` * remove id-file from `constellation recover` * linter fixes * remove id-file from `constellation terminate` * fix initSecret type * fix recover argument precedence * fix terminate test * generate * add TODO to remove id-file removal * Update cli/internal/cmd/init.go Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * fix verify arg parse logic Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * add version test Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove id-file from docs * add file not found log * use state-file in miniconstellation Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove id-file from `constellation iam destroy` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * remove id-file from `cdbg deploy` Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> --------- Signed-off-by: 
Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> * use state-file in CI Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> * update orchestration docs --------- Signed-off-by: Moritz Sanft <58110325+msanft@users.noreply.github.com> Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com>
/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

/*
Overrides contains helm values that are dynamically injected into the helm charts.
*/
package helm
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
|
|
"github.com/edgelesssys/constellation/v2/cli/internal/state"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/azureshared"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared"
|
|
"github.com/edgelesssys/constellation/v2/internal/cloud/openstack"
|
|
"github.com/edgelesssys/constellation/v2/internal/config"
|
|
"github.com/edgelesssys/constellation/v2/internal/constants"
|
|
"github.com/edgelesssys/constellation/v2/internal/kms/uri"
|
|
)
|
|
|
|
// TODO(malt3): switch over to DNS name on AWS and Azure
// soon as every apiserver certificate of every control-plane node
// has the dns endpoint in its SAN list.

// extraCiliumValues returns the Cilium chart values that depend on user input and
// on the infrastructure state: the API server endpoint and port, the conformance-mode
// overrides, and, on GCP, the pod CIDR used for native routing and strict mode.
//
// Applying user input in this separate step is necessary because service upgrades
// must reuse the input from the init step, and reuse-values cannot be relied upon:
// during an upgrade every value has to be set locally since it might have changed,
// and the charts do not render correctly without all of them.
//
// For GCP, output.GCP is dereferenced without a nil check, so callers must pass a
// populated GCP state for that provider.
func extraCiliumValues(provider cloudprovider.Provider, conformanceMode bool, output state.Infrastructure) map[string]any {
	vals := map[string]any{
		"k8sServiceHost": output.ClusterEndpoint,
		"k8sServicePort": constants.KubernetesPort,
	}

	if conformanceMode {
		// Conformance mode overrides the kube-proxy replacement and CNI chaining settings.
		vals["kubeProxyReplacementHealthzBindAddr"] = ""
		vals["kubeProxyReplacement"] = "partial"
		vals["sessionAffinity"] = true
		vals["cni"] = map[string]any{"chainingMode": "portmap"}
	}

	if provider == cloudprovider.GCP {
		podCIDR := output.GCP.IPCidrPod
		vals["ipv4NativeRoutingCIDR"] = podCIDR
		vals["strictModeCIDR"] = podCIDR
	}

	return vals
}
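// extraConstellationServicesValues returns the constellation-services chart values
// that depend on user input and on the infrastructure state.
// Values set inside this function are only applied during init, not during upgrade.
//
// The returned map embeds secret material: the base64-encoded master secret and
// salt for the key-service and, on GCP, the raw service account key JSON for the
// CCM. Callers should treat the map accordingly and keep it out of logs.
//
// It returns an error if the provider-specific service account URI cannot be
// parsed, or if the infrastructure state lacks the output for the configured
// provider (GCP and Azure). Providers without extra values fall through the switch.
func extraConstellationServicesValues(
	cfg *config.Config, masterSecret uri.MasterSecret, serviceAccURI string, output state.Infrastructure,
) (map[string]any, error) {
	// Two services need the variant; resolve it once.
	attestationVariant := cfg.GetAttestationConfig().GetVariant().String()

	extraVals := map[string]any{
		"join-service": map[string]any{
			"attestationVariant": attestationVariant,
		},
		"verification-service": map[string]any{
			"attestationVariant": attestationVariant,
			"loadBalancerIP":     output.ClusterEndpoint,
		},
		"konnectivity": map[string]any{
			"loadBalancerIP": output.ClusterEndpoint,
		},
		"key-service": map[string]any{
			"masterSecret": base64.StdEncoding.EncodeToString(masterSecret.Key),
			"salt":         base64.StdEncoding.EncodeToString(masterSecret.Salt),
		},
	}

	switch cfg.GetProvider() {
	case cloudprovider.OpenStack:
		addOpenStackServicesValues(extraVals, cfg)
	case cloudprovider.GCP:
		if err := addGCPServicesValues(extraVals, serviceAccURI, output); err != nil {
			return nil, err
		}
	case cloudprovider.Azure:
		if err := addAzureServicesValues(extraVals, serviceAccURI, output); err != nil {
			return nil, err
		}
	}

	return extraVals, nil
}

// addOpenStackServicesValues sets the OpenStack-specific values in vals, including
// the yawol controller values when yawol load balancer deployment is enabled in cfg.
func addOpenStackServicesValues(vals map[string]any, cfg *config.Config) {
	deployYawol := cfg.DeployYawolLoadBalancer()
	vals["openstack"] = map[string]any{
		"deployYawolLoadBalancer": deployYawol,
	}
	if !deployYawol {
		return
	}
	vals["yawol-controller"] = map[string]any{
		"yawolOSSecretName": "yawolkey",
		// has to be larger than ~30s to account for slow OpenStack API calls.
		"openstackTimeout": "1m",
		"yawolFloatingID":  cfg.Provider.OpenStack.FloatingIPPoolID,
		"yawolFlavorID":    cfg.Provider.OpenStack.YawolFlavorID,
		"yawolImageID":     cfg.Provider.OpenStack.YawolImageID,
	}
}

// addGCPServicesValues sets the GCP CCM values in vals. The infrastructure state is
// validated before the service account key is parsed, so a missing state fails
// fast without touching the credential. It returns an error if the state has no
// GCP output, or if the service account key cannot be parsed or marshaled.
func addGCPServicesValues(vals map[string]any, serviceAccURI string, output state.Infrastructure) error {
	if output.GCP == nil {
		return fmt.Errorf("no GCP output from Terraform")
	}
	serviceAccountKey, err := gcpshared.ServiceAccountKeyFromURI(serviceAccURI)
	if err != nil {
		return fmt.Errorf("getting service account key: %w", err)
	}
	rawKey, err := json.Marshal(serviceAccountKey)
	if err != nil {
		return fmt.Errorf("marshaling service account key: %w", err)
	}
	vals["ccm"] = map[string]any{
		"GCP": map[string]any{
			"projectID": output.GCP.ProjectID,
			"uid":       output.UID,
			// The full service account key is handed to the CCM; this is secret material.
			"secretData":        string(rawKey),
			"subnetworkPodCIDR": output.GCP.IPCidrPod,
		},
	}
	return nil
}

// addAzureServicesValues sets the Azure CCM values in vals from the JSON cloud
// config built by getCCMConfig. It returns an error if the state has no Azure
// output or if the cloud config cannot be built.
func addAzureServicesValues(vals map[string]any, serviceAccURI string, output state.Infrastructure) error {
	if output.Azure == nil {
		return fmt.Errorf("no Azure output from Terraform")
	}
	ccmConfig, err := getCCMConfig(*output.Azure, serviceAccURI)
	if err != nil {
		return fmt.Errorf("getting Azure CCM config: %w", err)
	}
	vals["ccm"] = map[string]any{
		"Azure": map[string]any{
			"azureConfig": string(ccmConfig),
		},
	}
	return nil
}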
// cloudConfig is used to marshal the cloud config for the Kubernetes Cloud Controller Manager on Azure.
// Every field carries omitempty, so zero values are dropped from the JSON; encoding/json
// emits struct fields in declaration order, so reordering them changes the marshaled output.
// The config carries no client secret: authentication is expressed only through the
// managed identity fields below.
type cloudConfig struct {
	// Cloud is the Azure cloud environment; getCCMConfig sets "AzurePublicCloud".
	Cloud string `json:"cloud,omitempty"`
	// TenantID is taken from the application credentials parsed from the service account URI.
	TenantID string `json:"tenantId,omitempty"`
	// SubscriptionID and ResourceGroup come from the Azure Terraform state.
	SubscriptionID string `json:"subscriptionId,omitempty"`
	ResourceGroup  string `json:"resourceGroup,omitempty"`
	// Location is taken from the application credentials.
	Location string `json:"location,omitempty"`
	// SubnetName is not set by getCCMConfig.
	SubnetName string `json:"subnetName,omitempty"`
	// SecurityGroupName is the network security group name from the Terraform state.
	SecurityGroupName string `json:"securityGroupName,omitempty"`
	// SecurityGroupResourceGroup is not set by getCCMConfig.
	SecurityGroupResourceGroup string `json:"securityGroupResourceGroup,omitempty"`
	// LoadBalancerName comes from the Terraform state; LoadBalancerSku is fixed to "standard".
	LoadBalancerName string `json:"loadBalancerName,omitempty"`
	LoadBalancerSku  string `json:"loadBalancerSku,omitempty"`
	// VNetName and VNetResourceGroup are not set by getCCMConfig.
	VNetName          string `json:"vnetName,omitempty"`
	VNetResourceGroup string `json:"vnetResourceGroup,omitempty"`
	// CloudProviderBackoff is not set by getCCMConfig.
	CloudProviderBackoff bool `json:"cloudProviderBackoff,omitempty"`
	// UseInstanceMetadata is always true and VMType is fixed to "vmss" in getCCMConfig.
	UseInstanceMetadata bool   `json:"useInstanceMetadata,omitempty"`
	VMType              string `json:"vmType,omitempty"`
	// UseManagedIdentityExtension is true when the credentials' preferred auth method is
	// the user-assigned identity; UserAssignedIdentityID comes from the Terraform state.
	UseManagedIdentityExtension bool   `json:"useManagedIdentityExtension,omitempty"`
	UserAssignedIdentityID      string `json:"userAssignedIdentityID,omitempty"`
}
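// getCCMConfig returns the configuration needed for the Kubernetes Cloud Controller
// Manager on Azure, marshaled as JSON.
//
// The tenant ID and location are taken from the application credentials encoded in
// serviceAccURI; subscription, resource group, network security group, load balancer
// and user-assigned identity come from azureState. UseManagedIdentityExtension is
// enabled only when the credentials select the user-assigned-identity auth method.
// No client secret from the credentials is written into the config.
//
// It returns an error if serviceAccURI cannot be parsed as application credentials
// or if the config cannot be marshaled.
func getCCMConfig(azureState state.Azure, serviceAccURI string) ([]byte, error) {
	creds, err := azureshared.ApplicationCredentialsFromURI(serviceAccURI)
	if err != nil {
		return nil, fmt.Errorf("getting service account key: %w", err)
	}

	// Named ccmCfg rather than config so the imported config package is not shadowed.
	ccmCfg := cloudConfig{
		Cloud:                       "AzurePublicCloud",
		TenantID:                    creds.TenantID,
		SubscriptionID:              azureState.SubscriptionID,
		ResourceGroup:               azureState.ResourceGroup,
		LoadBalancerSku:             "standard",
		SecurityGroupName:           azureState.NetworkSecurityGroupName,
		LoadBalancerName:            azureState.LoadBalancerName,
		UseInstanceMetadata:         true,
		VMType:                      "vmss",
		Location:                    creds.Location,
		UseManagedIdentityExtension: creds.PreferredAuthMethod == azureshared.AuthMethodUserAssignedIdentity,
		UserAssignedIdentityID:      azureState.UserAssignedIdentity,
	}

	return json.Marshal(ccmCfg)
}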
// extraOperatorValues returns the values for the constellation-operator chart,
// which consist of the cluster UID nested under the "constellation-operator" key.
func extraOperatorValues(uid string) map[string]any {
	operatorVals := map[string]any{"constellationUID": uid}
	return map[string]any{"constellation-operator": operatorVals}
}
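// extraCSIValues returns the values for the csi chart.
//
// Only OpenStack needs extra values: the Cinder CSI driver is handed its cloud
// configuration, which is derived from the account key in serviceAccURI and placed
// under "secretData", so it must be treated as secret material. For every other
// provider the returned map is nil; it can be read but must not be written to.
//
// It returns an error if the OpenStack account key cannot be parsed from serviceAccURI.
func extraCSIValues(provider cloudprovider.Provider, serviceAccURI string) (map[string]any, error) {
	if provider != cloudprovider.OpenStack {
		return nil, nil
	}

	creds, err := openstack.AccountKeyFromURI(serviceAccURI)
	if err != nil {
		// Wrap with context, consistent with the other value builders in this file.
		return nil, fmt.Errorf("getting OpenStack account key: %w", err)
	}

	cinderIni := creds.CloudINI().CinderCSIConfiguration()
	return map[string]any{
		"cinder-config": map[string]any{
			"secretData": cinderIni,
		},
	}, nil
}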