helm

README

Helm

Constellation uses helm to install and upgrade deployments to the Kubernetes cluster. Helm wraps deployments into charts. One chart should contain all the configuration needed to run a deployment.

Charts used by Constellation

To make installation and lifecycle management easier, Constellation groups multiple related charts into sub-charts. The following "parent" charts are used by Constellation:

• cert-manager

• Cilium

• constellation-services

  Cluster services (mostly) written by us, providing basic functionality of the cluster

• csi

  Our modified Kubernetes CSI drivers and Snapshot controller/CRDs

• operators

  Kubernetes operators we use to control and manage the lifecycle of a Constellation cluster

Chart upgrades

All services that are installed via helm-install are upgraded via helm-upgrade. Two aspects are not full covered by running helm-upgrade: CRDs and values. While helm-install can install CRDs if they are contained in a chart's crds folder, upgrade won't change any installed CRDs. Furthermore, new values introduced with a new version of a chart will not be installed into the cluster if the --reuse-values flag is set. Nevertheless, we have to rely on the values already present in the cluster because some of the values are set by the bootstrapper during installation. Because upgrades should be a CLI-only operation and we want to avoid the behaviour of --reuse-values, we fetch the cluster values and merge them with any new values.

Here is how we manage CRD upgrades for each chart.

Cilium

• CRDs are updated by cilium-operator.

cert-manager

• installCRDs flag is set during upgrade. This flag is managed by cert-manager. cert-manager is in charge of correctly upgrading the CRDs.
• WARNING: upgrading cert-manager might break other installations of cert-manager in the cluster, if those other installation are not on the same version as the Constellation-manager installation. This is due to the cluster-wide CRDs.

Operators

• Manually update CRDs before upgrading the chart. Update by applying the CRDs found in the operators/crds/ folder.

Constellation-services

• There currently are no CRDs in this chart.

CSI

• CRDs are required for enabling snapshot support
• CRDs are provided as their own helm chart and may be updated using helm

Documentation

Overview

Package helm provides a higher level interface to the Helm Go SDK.

It is used by the CLI to:

• load embedded charts
• install charts
• update helm releases
• get versions for installed helm releases
• create local backups before running service upgrades

The charts themselves are embedded in the CLI binary, and values are dynamically updated depending on configuration. The charts can be found in “./charts/“. Values should be added in the chart's "values.yaml“ file if they are static i.e. don't depend on user input, otherwise they need to be dynamically created depending on a user's configuration.

Helm logic should not be implemented outside this package. All values loading, parsing, installing, uninstalling, and updating of charts should be implemented here. As such, the helm package requires to implement some CSP specific logic. However, exported functions should be CSP agnostic and take a cloudprovider.Provider as argument. As such, the number of exported functions should be kept minimal.

Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only

Overrides contains helm values that are dynamically injected into the helm charts.

Package helm provides types and functions shared across services.

Index

• Constants
• Variables
• type Applier
• type ChartApplyExecutor
  • func (c ChartApplyExecutor) Apply(ctx context.Context) error
  • func (c ChartApplyExecutor) SaveCharts(chartsDir string, fileHandler file.Handler) error
• type Client
  • func NewClient(kubeConfigPath string, log debugLog) (*Client, error)
  • func (h Client) PrepareApply(conf *config.Config, stateFile *state.State, flags Options, ...) (Applier, bool, error)
• type Options
• type Release
• type ReleaseVersionClient
  • func NewReleaseVersionClient(kubeConfigPath string, log debugLog) (*ReleaseVersionClient, error)
  • func (c ReleaseVersionClient) Versions() (ServiceVersions, error)
• type ServiceVersions
  • func (s ServiceVersions) ConstellationServices() semver.Semver
  • func (s ServiceVersions) String() string
• type WaitMode

Constants

const (
	// AllowDestructive is a named bool to signal that destructive actions have been confirmed by the user.
	AllowDestructive = true
	// DenyDestructive is a named bool to signal that destructive actions have not been confirmed by the user yet.
	DenyDestructive = false
)

Variables

var ErrConfirmationMissing = errors.New("action requires user confirmation")

ErrConfirmationMissing signals that an action requires user confirmation.

Types

type Applier

type Applier interface {
	Apply(ctx context.Context) error
	SaveCharts(chartsDir string, fileHandler file.Handler) error
}

Applier runs the Helm actions.

type ChartApplyExecutor

type ChartApplyExecutor struct {
	// contains filtered or unexported fields
}

ChartApplyExecutor is a Helm action executor that applies all actions.

func (ChartApplyExecutor) Apply

func (c ChartApplyExecutor) Apply(ctx context.Context) error

Apply applies the charts in order.

func (ChartApplyExecutor) SaveCharts

func (c ChartApplyExecutor) SaveCharts(chartsDir string, fileHandler file.Handler) error

SaveCharts saves all Helm charts and their values to the given directory.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client is a Helm client to apply charts.

func NewClient

func NewClient(kubeConfigPath string, log debugLog) (*Client, error)

NewClient returns a new Helm client.

func (Client) PrepareApply

func (h Client) PrepareApply(
	conf *config.Config, stateFile *state.State,
	flags Options, serviceAccURI string, masterSecret uri.MasterSecret,
) (Applier, bool, error)

PrepareApply loads the charts and returns the executor to apply them. TODO(elchead): remove validK8sVersion by putting ValidK8sVersion into config.Config, see AB#3374.

type Options

type Options struct {
	Conformance      bool
	HelmWaitMode     WaitMode
	AllowDestructive bool
	Force            bool
}

Options are options for loading charts.

type Release

type Release struct {
	Chart       *chart.Chart
	Values      map[string]any
	ReleaseName string
	WaitMode    WaitMode
}

Release bundles all information necessary to create a helm release.

type ReleaseVersionClient

type ReleaseVersionClient struct {
	// contains filtered or unexported fields
}

ReleaseVersionClient is a client that can retrieve the version of a helm release.

func NewReleaseVersionClient

func NewReleaseVersionClient(kubeConfigPath string, log debugLog) (*ReleaseVersionClient, error)

NewReleaseVersionClient creates a new ReleaseVersionClient.

func (ReleaseVersionClient) Versions

func (c ReleaseVersionClient) Versions() (ServiceVersions, error)

Versions queries the cluster for running versions and returns a map of releaseName -> version.

type ServiceVersions

type ServiceVersions struct {
	// contains filtered or unexported fields
}

ServiceVersions bundles the versions of all services that are part of Constellation.

func (ServiceVersions) ConstellationServices

func (s ServiceVersions) ConstellationServices() semver.Semver

ConstellationServices returns the version of the constellation-services release.

func (ServiceVersions) String

func (s ServiceVersions) String() string

String returns a string representation of the ServiceVersions struct.

type WaitMode

type WaitMode string

WaitMode specifies the wait mode for a helm release.

const (
	// WaitModeNone specifies that the helm release should not wait for the resources to be ready.
	WaitModeNone WaitMode = ""
	// WaitModeWait specifies that the helm release should wait for the resources to be ready.
	WaitModeWait WaitMode = "wait"
	// WaitModeAtomic specifies that the helm release should
	// wait for the resources to be ready and roll back atomically on failure.
	WaitModeAtomic WaitMode = "atomic"
)