
Deploy shoot-cert-service on garden runtime cluster #314

Open
wants to merge 10 commits into base: master

Conversation

@MartinWeindel (Member) commented Nov 14, 2024

How to categorize this PR?

/area control-plane
/kind enhancement

What this PR does / why we need it:
With the introduction of operation extensions, it is possible to deploy an extension on the Garden runtime cluster.
Adjustments both to the deployment of the shoot-cert-service itself and the deployment of the cert-management are needed to deal with the different environment on the Garden runtime cluster. In contrast to the deployment in the shoot namespace on the seed, deploy host and target are the same here. Moreover, some features like shootIssuers, dnsChallengeOnShoot, alerting are not relevant in this context. Prometheus scraping and Plutono dashboards are also not supported.

Additionally, the default issuer can now be a CA issuer instead of an ACME issuer to support test and private cloud scenarios.

The management of "controlplane-cert" TLS secrets for the runtime cluster and the seeds can be enabled optionally.
On the runtime cluster, this includes fetching the domain names from the Garden resources, creating the Certificate resource, requesting the certificate via its own cert-controller-manager and patching the virtual-garden-kube-apiserver deployment.
On the seed clusters, there is also a separate cert-controller-manager. A Certificate is created for the wildcard subdomain *. of the seed ingress domain.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
Part of gardener/gardener#9635

Release note:

Support for deploying the shoot-cert-service extension on the Garden runtime cluster.
Support for using a `CA` issuer as default issuer.
Management of `controlplane-cert` TLS secrets on runtime cluster and seeds.
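The CA-issuer default and the wildcard `controlplane-cert` Certificate described above, written out as an added illustration (not resources from this PR) using cert-management's `cert.gardener.cloud/v1alpha1` API; the namespace, secret names and the seed ingress domain are placeholders:

```yaml
# Added example, not part of the PR: a CA issuer used as default issuer
# (test / private-cloud scenario) and a wildcard Certificate for the seed
# ingress domain whose TLS secret is consumed as "controlplane-cert".
---
apiVersion: v1
kind: Secret
metadata:
  name: private-ca            # placeholder name
  namespace: garden           # placeholder namespace
type: kubernetes.io/tls
data:
  tls.crt: <base64 CA certificate>   # placeholder, must be a CA cert
  tls.key: <base64 CA private key>   # placeholder, keep RBAC tight on it
---
apiVersion: cert.gardener.cloud/v1alpha1
kind: Issuer
metadata:
  name: default-issuer        # placeholder name
  namespace: garden
spec:
  # CA issuer: signs with the key above instead of talking to an ACME server,
  # so no DNS challenge (dnsChallengeOnShoot) is involved.
  ca:
    privateKeySecretRef:
      name: private-ca
      namespace: garden
---
apiVersion: cert.gardener.cloud/v1alpha1
kind: Certificate
metadata:
  name: controlplane-cert     # placeholder name
  namespace: garden
spec:
  # Wildcard for the seed ingress domain; "ingress.seed.example.com" is a placeholder.
  commonName: "*.ingress.seed.example.com"
  dnsNames:
    - "*.ingress.seed.example.com"
  issuerRef:
    name: default-issuer
  secretRef:
    name: controlplane-cert   # TLS secret the kube-apiserver SNI patch points at
    namespace: garden
```

Clients of the virtual-garden-kube-apiserver must trust the CA in `private-ca`; a CA issuer only removes the ACME dependency, not the need to distribute the trust anchor.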

@timuthy (Member) commented Dec 9, 2024

/assign

@MartinWeindel MartinWeindel changed the title [WIP] Deploy shoot-cert-service on garden runtime cluster Deploy shoot-cert-service on garden runtime cluster Dec 11, 2024
@MartinWeindel MartinWeindel marked this pull request as ready for review December 11, 2024 10:23
@MartinWeindel MartinWeindel requested review from a team as code owners December 11, 2024 10:23
@marc1404 (Member) commented

/assign

…cluster; add webhook to patch sniconfig of virtual kube-apiserver deployment; create controlplane-cert on seed

fix
Labels
area/control-plane Control plane related kind/api-change API change with impact on API users kind/enhancement Enhancement, improvement, extension needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) needs/second-opinion Needs second review by someone else size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py)
7 participants