Cleanup TA and AM

Signed-off-by: Subash Lakkimsetti <subash.lakkimsetti@intel.com>

Author: lsubash

helm/attestation-verifier/charts/cleanup-host/templates/job.yaml

@@ -32,16 +32,10 @@ spec:
           volumeMounts:
           - name: host-volume-verifier
             mountPath: /tmp/verifier
-          - name: host-volume-trustagent
-            mountPath: /tmp/trustagent
           securityContext:
             {{- toYaml .Values.securityContext.cleanupHost | nindent 12 }}
       volumes:
       - name: host-volume-verifier
         hostPath:
           path: /opt/verifier
           type: ""
-      - name: host-volume-trustagent
-        hostPath:
-          path: /opt/trustagent
-          type: ""

helm/attestation-verifier/charts/cleanup-ta/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: 0.1.0
+dependencies:
+- name: factory
+  repository: file://../../charts/factory/
+  version: 0.1.0
+description: A Helm chart for cleaning up folders create post helm uninstall of a release
+name: cleanup-host
+type: application
+version: 0.1.0

helm/attestation-verifier/charts/cleanup-ta/templates/_helpers.tpl

@@ -0,0 +1,29 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cleanup-ta.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cleanup-ta.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cleanup-ta.labels" -}}
+helm.sh/chart: {{ include "cleanup-ta.chart" . }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/name: {{ include "cleanup-ta.name" . }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cleanup-ta.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cleanup-ta.name" . }}
+{{- end }}

helm/attestation-verifier/charts/cleanup-ta/templates/job.yaml

@@ -0,0 +1,48 @@
+{{- include "factory.headers" . }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "cleanup-ta.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cleanup-ta.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      labels:
+        {{- include "cleanup-ta.labels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml .Values.securityContext.cleanupHostInit | nindent 8 }}
+      serviceAccountName: {{ include "factory.name" . }}
+      restartPolicy: Never
+      containers:
+        - name: cleanup-ta
+          image: debian:bullseye-slim
+          imagePullPolicy: Always
+          command: ["/bin/sh", "-c"]
+          args:
+            - >
+              echo deleting &&
+              rm -rf /tmp/trustagent && /tmp/attestation-manager
+          volumeMounts:
+          - name: host-volume-trustagent
+            mountPath: /tmp/trustagent
+          volumeMounts:
+          - name: host-volume-am
+            mountPath: /tmp/attestation-manager
+          securityContext:
+            {{- toYaml .Values.securityContext.cleanupHost | nindent 12 }}
+      volumes:
+      - name: host-volume-trustagent
+        hostPath:
+          path: /opt/trustagent
+          type: ""
+      - name: host-volume-am
+        hostPath:
+          path: /tmp/attestation-manager
+          type: ""

helm/attestation-verifier/charts/cleanup-ta/templates/rbac.yaml

@@ -0,0 +1,40 @@
+{{- include "factory.headers" . }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "factory.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-5"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "factory.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-5"
+rules:
+  - apiGroups: ["batch"]
+    resources: ["host"]
+    verbs: ["delete","list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "factory.name" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-weight": "-5"
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "factory.name" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "factory.name" . }}
+  apiGroup: rbac.authorization.k8s.io

helm/attestation-verifier/charts/cleanup-ta/values.yaml

@@ -0,0 +1,14 @@
+# Default values for cleanup-host.
+
+nameOverride: "" # The name for CLEANUP-HOST chart (Default: .Chart.Name)
+
+securityContext:
+  cleanupHostInit: # The fsGroup id for init containers for Cleanup host
+    fsGroup: 0
+  cleanupHost: # The security content for Cleanup host
+    runAsUser: 0
+    runAsGroup: 0
+    capabilities:
+      drop:
+        - all
+    allowPrivilegeEscalation: false