diff --git a/Makefile b/Makefile index ffaad513e..73fcfba61 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,15 @@ docker-image: docker-push: @docker push $(IMAGE_PREFIX)/gardener-extension-provider-metal:$(IMAGE_TAG) +.PHONY: update-crds +update-crds: + go mod tidy + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/duros-controller)/config/crd/bases/* charts/internal/crds-storage/templates + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/firewall-controller-manager)/config/crds/* charts/internal/crds-firewall/templates/firewall-controller-manager/ + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/firewall-controller/v2)/config/crd/bases/* charts/internal/crds-firewall/templates/firewall-controller/ + cp -f charts/internal/crds-firewall/templates/firewall-controller-manager/*monitors.yaml charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/ + cp -f charts/internal/crds-firewall/templates/firewall-controller/* charts/internal/shoot-control-plane/templates/firewall-controller-crds/ + ##################################################################### # Rules for verification, formatting, linting, testing and cleaning # ##################################################################### @@ -79,7 +88,7 @@ generate: $(HELM) $(YQ) @$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate-sequential.sh ./charts/... ./cmd/... ./pkg/... .PHONY: generate-in-docker -generate-in-docker: revendor $(HELM) +generate-in-docker: revendor update-crds $(HELM) echo $(shell git describe --abbrev=0 --tags) > VERSION docker run --rm -i$(DOCKER_TTY_ARG) \ --volume $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:$(GO_VERSION) \ diff --git a/charts/charts.go b/charts/charts.go index 4acd8c756..4c9b07eeb 100644 --- a/charts/charts.go +++ b/charts/charts.go 
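Review bot: The source directory for every copy in `update-crds` is chosen by substring-`grep` over the directories of all modules, so a second module whose path or cache directory contains the same substring (or an empty result when `go list` fails, which `$(shell …)` does not surface) makes `cp -f` copy from the wrong place or from `/config/…`; ask `go list` for the exact module instead, e.g. `cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' github.com/metal-stack/duros-controller)/config/crd/bases/* charts/internal/crds-storage/templates`, and likewise for the two firewall modules (`/v2` is part of the module path there). `cp -f …/*` also never removes a CRD that upstream dropped or renamed, so a stale definition keeps being shipped in the chart; clearing `*.yaml` from each target directory before copying, or diffing afterwards, keeps the chart in step with the version pinned in `go.mod`/`go.sum`. Since the files land in Helm `templates/` directories, anything under `config/crd/bases/` that is not a CRD, or that contains `{{`, is rendered as a template, so restricting the globs to `*.yaml` is safer than `*`.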
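Review bot: `revendor` and `update-crds` are listed as independent prerequisites of `generate-in-docker`, so under `make -j` they can run at the same time, and `update-crds` itself runs `go mod tidy`; if `revendor` also rewrites `go.mod` or `vendor/` (its definition is outside this hunk) the two recipes race on the same files. Making the order explicit, `update-crds: revendor`, or dropping the `go mod tidy` line from `update-crds` removes the ambiguity. The rest of the `generate-in-docker` recipe continues outside the hunk.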
@@ -8,3 +8,6 @@ import ( // //go:embed internal var InternalChart embed.FS + +// InternalChartsPath is the path to the internal charts +const InternalChartsPath = "internal" diff --git a/charts/images.yaml b/charts/images.yaml index 11a665ab1..662b63273 100644 --- a/charts/images.yaml +++ b/charts/images.yaml @@ -3,14 +3,10 @@ images: sourceRepository: github.com/metal-stack/metal-ccm repository: ghcr.io/metal-stack/metal-ccm tag: "v0.7.13" -- name: machine-controller-manager - sourceRepository: github.com/gardener/machine-controller-manager - repository: eu.gcr.io/gardener-project/gardener/machine-controller-manager - tag: "0.49.3" - name: machine-controller-manager-provider-metal sourceRepository: https://github.com/metal-stack/machine-controller-manager-provider-metal repository: ghcr.io/metal-stack/machine-controller-manager-provider-metal - tag: "v0.1.17" + tag: "v0.1.19" - name: droptailer sourceRepository: github.com/metal-stack/droptailer repository: ghcr.io/metal-stack/droptailer diff --git a/charts/internal/control-plane/charts/utils-tls-cipher-suites b/charts/internal/control-plane/charts/utils-tls-cipher-suites deleted file mode 120000 index bb8c882cb..000000000 --- a/charts/internal/control-plane/charts/utils-tls-cipher-suites +++ /dev/null @@ -1 +0,0 @@ -../../utils-tls-cipher-suites \ No newline at end of file diff --git a/charts/internal/control-plane/templates/cloud-controller-manager.yaml b/charts/internal/control-plane/templates/cloud-controller-manager.yaml index 8f878675f..192c2ee07 100644 --- a/charts/internal/control-plane/templates/cloud-controller-manager.yaml +++ b/charts/internal/control-plane/templates/cloud-controller-manager.yaml 
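Review bot: The new constant repeats the directory name from the `//go:embed internal` directive two lines above, and nothing ties the two together; if either is renamed the other goes stale silently and callers using `fs.Sub`/`ReadDir` on `InternalChart` only find out at runtime with a not-found error. A comment that states the coupling is the minimum: `// InternalChartsPath is the root directory of InternalChart; it must match the //go:embed directive above.` Note that `go:embed` of a directory excludes files whose names begin with `_` or `.`, which is presumably why `_helpers.tpl` is renamed to `helpers.tpl` later in this diff — that is worth recording next to the directive so the next `_`-prefixed template is not lost the same way.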
@@ -6,6 +6,11 @@ metadata: labels: app: kubernetes role: cloud-controller-manager + annotations: + networking.resources.gardener.cloud/from-all-scrape-targets-allowed-ports: '[{"port":{{ include "cloud-controller-manager.port" . }},"protocol":"TCP"}]' + # TODO: This label approach is deprecated and no longer needed in the future. Remove them as soon as gardener/gardener@v1.75 has been released. + networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets + networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ include "cloud-controller-manager.port" . }},"protocol":"TCP"}]' spec: type: ClusterIP clusterIP: None @@ -72,7 +77,7 @@ spec: - --authorization-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig - --tls-cert-file=/var/lib/cloud-controller-manager-server/tls.crt - --tls-private-key-file=/var/lib/cloud-controller-manager-server/tls.key - - --tls-cipher-suites={{ include "kubernetes.tlsCipherSuites" . | replace "\n" "," | trimPrefix "," }} + - --tls-cipher-suites={{ .Values.cloudControllerManager.tlsCipherSuites | join "," }} - --use-service-account-credentials - --v=2 {{- range $index, $param := $.Values.cloudControllerManager.additionalParameters }} diff --git a/charts/internal/control-plane/templates/_helpers.tpl b/charts/internal/control-plane/templates/helpers.tpl similarity index 100% rename from charts/internal/control-plane/templates/_helpers.tpl rename to charts/internal/control-plane/templates/helpers.tpl diff --git a/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml b/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml index 8098ae91b..c8ea3b611 100644 --- a/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml 
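Review bot: `--tls-cipher-suites={{ .Values.cloudControllerManager.tlsCipherSuites | join "," }}` renders as an empty `--tls-cipher-suites=` when the value is unset or an empty list, which falls back to the Go default cipher list instead of the curated set the removed `utils-tls-cipher-suites` helper used to hard-code in the chart; the hardening now depends entirely on the Go code that populates these values, which is not in this diff. Failing the render is cheaper than finding out on a live control plane: `{{- if not .Values.cloudControllerManager.tlsCipherSuites }}{{ fail "cloudControllerManager.tlsCipherSuites must be set" }}{{- end }}` just above the flag (Helm's `required` rejects a nil value but not an empty list, so `fail` is the right primitive here). The container `args` list continues outside the hunk.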
+++ b/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterwidenetworkpolicies.metal-stack.io spec: group: metal-stack.io @@ -30,14 +30,19 @@ spec: wide network policy to be applied. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -45,81 +50,82 @@ spec: description: PolicySpec defines the rules to create for ingress and egress properties: description: - description: Description is a free form string, it can be used by - the creator of the rule to store human-readable explanation of the - purpose of this rule. Rules cannot be identified by comment. + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human-readable explanation of the purpose of this + rule. Rules cannot be identified by comment. type: string egress: - description: List of egress rules to be applied. Outgoing traffic - is allowed if there is a ClusterwideNetworkPolicy that allows it. + description: |- + List of egress rules to be applied. Outgoing traffic is + allowed if there is a ClusterwideNetworkPolicy that allows it. Clusters are isolated by default. items: - description: EgressRule describes a particular set of traffic that - is allowed out of the cluster The traffic must match both ports - and to. + description: |- + EgressRule describes a particular set of traffic that is allowed out of the cluster + The traffic must match both ports and to. properties: ports: - description: List of destination ports for outgoing traffic. - Each item in this list is combined using a logical OR. If - this field is empty or missing, this rule matches all ports - (traffic not restricted by port). If this field is present - and contains at least one item, then this rule allows traffic - only if the traffic matches at least one port in the list. + description: |- + List of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. 
items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: If set, indicates that the range of ports - from port to endPort, inclusive, should be allowed by - the policy. This field cannot be defined if the port - field is not defined or if the port field is defined - as a named (string) port. The endPort must be equal - or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can - either be a numerical or named port on a pod. If this - field is not provided, this matches all port names and - numbers. If present, only traffic on the specified protocol - AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic - must match. If not specified, this field defaults to - TCP. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array to: - description: List of destinations for outgoing traffic of a - cluster for this rule. Items in this list are combined using - a logical OR operation. If this field is empty or missing, - this rule matches all destinations (traffic not restricted - by destination). 
If this field is present and contains at - least one item, this rule allows traffic only if the traffic - matches at least one item in the to list. To rules can't contain - ToFQDNs rules. + description: |- + List of destinations for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. + To rules can't contain ToFQDNs rules. items: - description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") - that is allowed to the pods matched by a NetworkPolicySpec's - podSelector. The except entry describes CIDRs that should - not be included within this rule. + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. properties: cidr: - description: CIDR is a string representing the IP Block + description: |- + cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: Except is a slice of CIDRs that should not - be included within an IP Block Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will be rejected if - they are outside the CIDR range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array 
@@ -128,11 +134,11 @@ spec: type: object type: array toFQDNs: - description: List of FQDNs (fully qualified domain names) for - outgoing traffic of a cluster for this rule. Items in this - list are combined using a logical OR operation. This field - is used as whitelist for DNS names. If none specified, no - rule will be applied. ToFQDNs rules can't contain To rules. + description: |- + List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. This field is used as + whitelist for DNS names. If none specified, no rule will be applied. + ToFQDNs rules can't contain To rules. items: description: FQDNSelector describes rules for matching DNS names. @@ -142,8 +148,9 @@ spec: pattern: ^([-a-zA-Z0-9_]+[.]?)+$ type: string matchPattern: - description: MatchPattern allows using "*" to match DNS - names. "*" matches 0 or more valid characters. + description: |- + MatchPattern allows using "*" to match DNS names. + "*" matches 0 or more valid characters. pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string type: object 
@@ -151,38 +158,38 @@ spec: type: object type: array ingress: - description: List of ingress rules to be applied. Traffic is allowed - to a cluster if there is a ClusterwideNetworkPolicy that allows - it, OR there is a service exposed with type Loadbalancer. Clusters - are isolated by default. + description: |- + List of ingress rules to be applied. Traffic is allowed to + a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service + exposed with type Loadbalancer. Clusters are isolated by default. items: - description: IngressRule describes a particular set of traffic that - is allowed to the cluster. The traffic must match both ports and - from. + description: |- + IngressRule describes a particular set of traffic that is allowed to the cluster. + The traffic must match both ports and from. properties: from: - description: List of sources which should be able to access - the cluster for this rule. Items in this list are combined - using a logical OR operation. If this field is empty or missing, - this rule matches all sources (traffic not restricted by source). - If this field is present and contains at least one item, this - rule allows traffic only if the traffic matches at least one - item in the from list. + description: |- + List of sources which should be able to access the cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. items: - description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") - that is allowed to the pods matched by a NetworkPolicySpec's - podSelector. The except entry describes CIDRs that should - not be included within this rule. + description: |- + IPBlock describes a particular CIDR (Ex. 
"192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. properties: cidr: - description: CIDR is a string representing the IP Block + description: |- + cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: Except is a slice of CIDRs that should not - be included within an IP Block Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will be rejected if - they are outside the CIDR range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array 
@@ -191,41 +198,39 @@ spec: type: object type: array ports: - description: List of ports which should be made accessible on - the cluster for this rule. Each item in this list is combined - using a logical OR. If this field is empty or missing, this - rule matches all ports (traffic not restricted by port). If - this field is present and contains at least one item, then - this rule allows traffic only if the traffic matches at least - one port in the list. + description: |- + List of ports which should be made accessible on the cluster for this + rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: If set, indicates that the range of ports - from port to endPort, inclusive, should be allowed by - the policy. This field cannot be defined if the port - field is not defined or if the port field is defined - as a named (string) port. The endPort must be equal - or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can - either be a numerical or named port on a pod. If this - field is not provided, this matches all port names and - numbers. If present, only traffic on the specified protocol - AND port will be matched. + description: |- + port represents the port on the given protocol. 
This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic - must match. If not specified, this field defaults to - TCP. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array @@ -255,12 +260,15 @@ spec: type: string type: object type: array - description: FQDNState stores mapping from FQDN rules to nftables - sets used for a firewall rule. Key is either MatchName or MatchPattern + description: |- + FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule. + Key is either MatchName or MatchPattern type: object message: + description: Message describes why the state changed type: string state: + description: State of the CWNP, can be either deployed or ignored type: string type: object type: object diff --git a/charts/internal/machine-controller-manager/seed/Chart.yaml b/charts/internal/machine-controller-manager/seed/Chart.yaml deleted file mode 100644 index 20a7f72d2..000000000 --- a/charts/internal/machine-controller-manager/seed/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Helm chart for needed resource for machine-controller-manager in control cluster -name: machine-controller-manager -version: 0.1.0 diff --git a/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json b/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json deleted file mode 100644 index f69abde24..000000000 --- a/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json +++ /dev/null 
@@ -1,1174 +0,0 @@ -{ - "description": "Information about the operations of the Machine Controller Manager", - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": 16, - "iteration": 1564731005347, - "links": [ - { - "icon": "external link", - "tags": [], - "targetBlank": true, - "title": "Machine Controller Manager", - "tooltip": "", - "type": "link", - "url": "https://github.com/gardener/machine-controller-manager" - } - ], - "panels": [ - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": null, - "description": "State of the managed machines.\n\n| Code | Machine State |\n|---|---|\n| 0 | Running |\n| 1 | Terminating |\n| 2 | Unknown |\n| 3 | Failed |\n| -1 | Available |\n| -2 | Pending |", - "fill": 0, - "gridPos": { - "h": 7, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 5, - "legend": { - "alignAsTable": true, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_current_status_phase", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{name}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Managed Machines States", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": "3.2", - "min": "-2.2", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - 
"show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Shows the CPU usage of the Machine Controller Manager and shows the requests and limits.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 7 - }, - "id": 13, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{pod=~\"machine-controller-manager-(.+)\"}[5m])) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Current ({{pod}})", - "refId": "A" - }, - { - "expr": "sum(kube_pod_container_resource_limits{resource=\"cpu\", unit=\"core\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Limits ({{pod}})", - "refId": "C" - }, - { - "expr": "sum(kube_pod_container_resource_requests{resource=\"cpu\", unit=\"core\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Requests ({{pod}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM CPU usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 
1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Shows the memory usage of the Machine Controller Manager.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 7 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_memory_working_set_bytes{pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Current ({{pod}})", - "refId": "A" - }, - { - "expr": "sum(kube_pod_container_resource_limits{resource=\"memory\", unit=\"byte\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Limits ({{pod}})", - "refId": "B" - }, - { - "expr": "sum(kube_pod_container_resource_requests{resource=\"memory\", unit=\"byte\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Requests ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM Memory Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 2, - "max": null, - "min": null, - "show": true - }, - { - "format": "none", - "label": null, - "logBase": 1, - "max": 
null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Indicates if the Machine Controller Manager is frozen due to unreachable API server.\n\n0 = ok; 1= frozen", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 13 - }, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_controller_frozen", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{pod}}", - "refId": "A" - } - ], - "thresholds": [ - { - "colorMode": "critical", - "fill": true, - "line": true, - "op": "gt", - "value": 0.5, - "yaxis": "left" - }, - { - "colorMode": "ok", - "fill": true, - "line": true, - "op": "lt", - "value": 0.5, - "yaxis": "left" - } - ], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM Frozen Status (API Server reachable)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": "", - "logBase": 1, - "max": "1.2", - "min": "-0.2", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": null, - "description": "Average per Second rate over 1m of IaaS provider 
api calls split by services. \n\nShows also the rate of failed iaas calls if at least one failed.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 13 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(mcm_cloud_api_requests_total[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{provider}} / {{service}} ({{pod}})", - "refId": "A" - }, - { - "expr": "rate(mcm_cloud_api_requests_failed_total[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error: {{provider}} / {{service}} ({{pod}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "IaaS API Calls", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": 0, - "description": "The count of kubernetes resources managed by the Machine Controller Manager.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 19 - }, - "id": 3, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - 
"values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine(s)", - "refId": "A" - }, - { - "expr": "mcm_machine_set_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine set(s)", - "refId": "B" - }, - { - "expr": "mcm_machine_deployment_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine deployment(s)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Count of Managed Resouces", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 25 - }, - "id": 9, - "panels": [], - "title": "Control Loops", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average processing time of items in the workqueue.", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 19, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - 
"percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "${controlloop}_work_duration{quantile=\"0.5\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p50 ({{pod}})", - "refId": "A" - }, - { - "expr": "${controlloop}_work_duration{quantile=\"0.9\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p90 ({{pod}})", - "refId": "B" - }, - { - "expr": "${controlloop}_work_duration{quantile=\"0.99\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99 ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item processing time: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "How long items stay in the workqueue before they get processed.", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 18, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - 
"expr": "${controlloop}_queue_latency{quantile=\"0.5\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p50 ({{pod}})", - "refId": "A" - }, - { - "expr": "${controlloop}_queue_latency{quantile=\"0.9\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p90 ({{pod}})", - "refId": "B" - }, - { - "expr": "${controlloop}_queue_latency{quantile=\"0.99\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99 ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item latency: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Current amount of items in the workqueue.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 33 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "${controlloop}_depth", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": 
null, - "title": "Items in Workqueue: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average per second rate over 5m of workqueue item adds.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 33 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(${controlloop}_adds[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Adds to Workqueue: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - 
"aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average per second rate over 5m of workqueue item retries.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 33 - }, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(${controlloop}_retries[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item retries: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "schemaVersion": 18, - "style": "dark", - "tags": [ - "controlplane", - "seed" - ], - "templating": { - "list": [ - { - "allValue": null, - "current": { - "tags": [], - "text": "machine", - "value": "machine" - }, - "hide": 0, - "includeAll": false, - "label": "Control Loop", - "multi": false, - "name": "controlloop", - "options": [ - { - "selected": true, - "text": "machine", - "value": "machine" - }, - { - "selected": false, - "text": "machineset", - "value": "machineset" - }, - { - "selected": false, - "text": "machinedeployment", - 
"value": "machinedeployment" - }, - { - "selected": false, - "text": "node", - "value": "node" - }, - { - "selected": false, - "text": "secret", - "value": "secret" - }, - { - "selected": false, - "text": "machinesafetyapiserver", - "value": "machinesafetyapiserver" - }, - { - "selected": false, - "text": "machinesafetyorphanvms", - "value": "machinesafetyorphanvms" - }, - { - "selected": false, - "text": "machinesafetyovershooting", - "value": "machinesafetyovershooting" - } - ], - "query": "machine, machineset, machinedeployment, node, secret, machinesafetyapiserver, machinesafetyorphanvms, machinesafetyovershooting", - "skipUrlSync": false, - "type": "custom" - } - ] - }, - "time": { - "from": "now-3h", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "5s", - "10s", - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ], - "time_options": [ - "5m", - "15m", - "1h", - "6h", - "12h", - "24h", - "2d", - "7d", - "14d" - ] - }, - "timezone": "utc", - "title": "Machine Controller Manager", - "uid": "machine-controller-manager", - "version": 1 -} diff --git a/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml b/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml deleted file mode 100644 index 05f91bcb8..000000000 --- a/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml +++ /dev/null 
@@ -1,45 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
- ownerReferences:
- - apiVersion: v1
- kind: Namespace
- name: {{ .Release.Namespace }}
- uid: {{ .Values.namespace.uid }}
- controller: true
- blockOwnerDeletion: true
-rules:
-- apiGroups:
- - machine.sapcloud.io
- resources:
- - "*"
- verbs:
- - "*"
-- apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - endpoints
- - events
- verbs:
- - "*"
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - machine-controller
- - machine-controller-manager
- verbs:
- - get
- - watch
- - update
diff --git a/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml b/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml
deleted file mode 100644
index bc3368ebf..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
- ownerReferences:
- - apiVersion: v1
- kind: Namespace
- name: {{ .Release.Namespace }}
- uid: {{ .Values.namespace.uid }}
- controller: true
- blockOwnerDeletion: true
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
diff --git a/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml b/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml
deleted file mode 100644
index e46804f47..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: machine-controller-manager-monitoring-config
- namespace: {{ .Release.Namespace }}
- labels:
- extensions.gardener.cloud/configuration: monitoring
-data:
- alerting_rules: |
- machine-controller-manager.rules.yaml: |
- groups:
- - name: machine-controller-manager.rules
- rules:
- - alert: MachineControllerManagerDown
- expr: absent(up{job="machine-controller-manager"} == 1)
- for: 15m
- labels:
- service: machine-controller-manager
- severity: critical
- type: seed
- visibility: operator
- annotations:
- description: There are no running machine controller manager instances. No shoot nodes can be created/maintained.
- summary: Machine controller manager is down.
-
- dashboard_operators: |
- machine-controller-manager-dashboard.json: |-
-{{ .Files.Get "mcm-monitoring-dashboard.json" | indent 6 }}
diff --git a/charts/internal/machine-controller-manager/seed/templates/deployment.yaml b/charts/internal/machine-controller-manager/seed/templates/deployment.yaml
deleted file mode 100644
index 2d9388f78..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/deployment.yaml
+++ /dev/null
@@ -1,126 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
- high-availability-config.resources.gardener.cloud/type: controller
-spec:
- revisionHistoryLimit: 1
- replicas: {{ .Values.replicas }}
- selector:
- matchLabels:
- app: kubernetes
- role: machine-controller-manager
- template:
- metadata:
-{{- if .Values.podAnnotations }}
- annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
-{{- end }}
- labels:
- gardener.cloud/role: controlplane
- app: kubernetes
- role: machine-controller-manager
- networking.gardener.cloud/to-dns: allowed
- networking.gardener.cloud/to-public-networks: allowed
- networking.gardener.cloud/to-private-networks: allowed
- networking.gardener.cloud/to-runtime-apiserver: allowed
- networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
-{{- if .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
-{{- end }}
- spec:
- priorityClassName: gardener-system-300
- serviceAccountName: machine-controller-manager
- terminationGracePeriodSeconds: 5
- containers:
- - name: machine-controller-manager-provider-metal
- image: {{ index .Values.images "machine-controller-manager-provider-metal" }}
- imagePullPolicy: IfNotPresent
- command:
- - ./machine-controller
- - --control-kubeconfig=inClusterConfig
- - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
- - --machine-creation-timeout=20m
- - --machine-drain-timeout=2h
- - --machine-health-timeout=10080m
- - --machine-safety-apiserver-statuscheck-timeout=30s
- - --machine-safety-apiserver-statuscheck-period=1m
- - --machine-safety-orphan-vms-period=30m
- - --namespace={{ .Release.Namespace }}
- - --port={{ .Values.metricsPort2 }}
- - --v=3
- resources:
-{{ toYaml .Values.resources.mcmProviderMetal | indent 10 }}
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: {{ .Values.metricsPort2 }}
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
- name: kubeconfig
- readOnly: true
- - name: metal-machine-controller-manager
- image: {{ index .Values.images "machine-controller-manager" }}
- imagePullPolicy: IfNotPresent
- command:
- - ./machine-controller-manager
- - --control-kubeconfig=inClusterConfig
- # this flag does not work for metal-stack because we never were officially in-tree
- # - --delete-migrated-machine-class=true
- - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
- - --namespace={{ .Release.Namespace }}
- - --port={{ .Values.metricsPort }}
- - --machine-safety-overshooting-period=1m
- - --safety-up=2
- - --safety-down=1
- - --v=3
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: {{ .Values.metricsPort }}
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- ports:
- - name: metrics
- containerPort: {{ .Values.metricsPort }}
- protocol: TCP
- resources:
-{{ toYaml .Values.resources.mcm | indent 10 }}
- volumeMounts:
- - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
- name: kubeconfig
- readOnly: true
- volumes:
- - name: kubeconfig
- projected:
- defaultMode: 420
- sources:
- - secret:
- items:
- - key: kubeconfig
- path: kubeconfig
- name: {{ .Values.genericTokenKubeconfigSecretName }}
- optional: false
- - secret:
- items:
- - key: token
- path: token
- name: shoot-access-machine-controller-manager
- optional: false
diff --git a/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml b/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 5c5ad6ae9..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
-spec:
- maxUnavailable: 1
- selector:
- matchLabels:
- app: kubernetes
- role: machine-controller-manager
diff --git a/charts/internal/machine-controller-manager/seed/templates/service.yaml b/charts/internal/machine-controller-manager/seed/templates/service.yaml
deleted file mode 100644
index 69d436784..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
-spec:
- type: ClusterIP
- clusterIP: None
- ports:
- - name: metrics
- port: {{ .Values.metricsPort }}
- protocol: TCP
- selector:
- app: kubernetes
- role: machine-controller-manager
diff --git a/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml b/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml
deleted file mode 100644
index dc56ec2c3..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
-automountServiceAccountToken: false
diff --git a/charts/internal/machine-controller-manager/seed/templates/vpa.yaml b/charts/internal/machine-controller-manager/seed/templates/vpa.yaml
deleted file mode 100644
index c964fb688..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/vpa.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.vpa.enabled }}
-apiVersion: autoscaling.k8s.io/v1
-kind: VerticalPodAutoscaler
-metadata:
- name: machine-controller-manager-vpa
- namespace: {{ .Release.Namespace }}
-spec:
- targetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: machine-controller-manager
- updatePolicy:
- updateMode: {{ .Values.vpa.updatePolicy.updateMode | quote }}
- resourcePolicy:
- containerPolicies:
- - containerName: machine-controller-manager-provider-metal
- minAllowed:
- memory: {{ .Values.resources.mcmProviderMetal.requests.memory }}
- maxAllowed:
- cpu: {{ .Values.vpa.resourcePolicy.mcmProviderMetal.maxAllowed.cpu }}
- memory: {{ .Values.vpa.resourcePolicy.mcmProviderMetal.maxAllowed.memory }}
- controlledValues: RequestsOnly
- - containerName: metal-machine-controller-manager
- minAllowed:
- memory: {{ .Values.resources.mcm.requests.memory }}
- maxAllowed:
- cpu: {{ .Values.vpa.resourcePolicy.mcm.maxAllowed.cpu }}
- memory: {{ .Values.vpa.resourcePolicy.mcm.maxAllowed.memory }}
- controlledValues: RequestsOnly
-{{- end }}
diff --git a/charts/internal/machine-controller-manager/seed/values.yaml b/charts/internal/machine-controller-manager/seed/values.yaml
deleted file mode 100644
index 756453853..000000000
--- a/charts/internal/machine-controller-manager/seed/values.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-images:
- machine-controller-manager: image-repository:image-tag
- machine-controller-manager-provider-metal: image-repository:image-tag
-
-replicas: 1
-
-podAnnotations: {}
-
-podLabels: {}
-
-providerName: provider-foo
-
-# injected by generic worker actuator
-genericTokenKubeconfigSecretName: generic-token-kubeconfig
-
-namespace:
- uid: uuid-of-namespace
-
-metricsPort: 10258
-metricsPort2: 10259
-
-vpa:
- enabled: true
- updatePolicy:
- updateMode: "Auto"
- resourcePolicy:
- mcm:
- maxAllowed:
- cpu: 2
- memory: 5G
- mcmProviderMetal:
- maxAllowed:
- cpu: 2
- memory: 5G
-
-resources:
- mcm:
- requests:
- cpu: 31m
- memory: 70Mi
- mcmProviderMetal:
- requests:
- cpu: 50m
- memory: 64Mi
- limits:
- cpu: "2"
- memory: 5G
diff --git a/charts/internal/machine-controller-manager/shoot/Chart.yaml b/charts/internal/machine-controller-manager/shoot/Chart.yaml
deleted file mode 100644
index 8a921ab3f..000000000
--- a/charts/internal/machine-controller-manager/shoot/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-description: Helm chart for needed resource for machine-controller-manager in target cluster
-name: machine-controller-manager
-version: 0.1.0
diff --git a/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml
deleted file mode 100644
index 0e99cdc77..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- - nodes/status
- - endpoints
- - replicationcontrollers
- - pods
- - persistentvolumes
- - persistentvolumeclaims
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods/eviction
- verbs:
- - create
-- apiGroups:
- - extensions
- - apps
- resources:
- - replicasets
- - statefulsets
- - daemonsets
- - deployments
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - batch
- resources:
- - jobs
- - cronjobs
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - list
- - watch
-- apiGroups:
- - storage.k8s.io
- resources:
- - volumeattachments
- verbs:
- - get
- - list
- - watch
diff --git a/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml
deleted file mode 100644
index 712604780..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: kube-system
diff --git a/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml
deleted file mode 100644
index 20fba7fdb..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: kube-system
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
diff --git a/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml
deleted file mode 100644
index c1245f38c..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: kube-system
diff --git a/charts/internal/machine-controller-manager/shoot/values.yaml b/charts/internal/machine-controller-manager/shoot/values.yaml
deleted file mode 100644
index 7bc5d27da..000000000
--- a/charts/internal/machine-controller-manager/shoot/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-providerName: provider-foo
diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-crds b/charts/internal/shoot-control-plane/templates/firewall-controller-crds
deleted file mode 120000
index a23e449be..000000000
--- a/charts/internal/shoot-control-plane/templates/firewall-controller-crds
+++ /dev/null
@@ -1 +0,0 @@
-../../crds-firewall/templates/firewall-controller
\ No newline at end of file
diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml
new file mode 100644
index 000000000..c8ea3b611
--- /dev/null
+++ b/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml
@@ -0,0 +1,278 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterwidenetworkpolicies.metal-stack.io +spec: + group: metal-stack.io + names: + kind: ClusterwideNetworkPolicy + listKind: ClusterwideNetworkPolicyList + plural: clusterwidenetworkpolicies + shortNames: + - cwnp + singular: clusterwidenetworkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.message + name: Message + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterwideNetworkPolicy contains the desired state for a cluster + wide network policy to be applied. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicySpec defines the rules to create for ingress and egress + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human-readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + List of egress rules to be applied. Outgoing traffic is + allowed if there is a ClusterwideNetworkPolicy that allows it. 
+ Clusters are isolated by default. + items: + description: |- + EgressRule describes a particular set of traffic that is allowed out of the cluster + The traffic must match both ports and to. + properties: + ports: + description: |- + List of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. + items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: |- + List of destinations for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). 
If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. + To rules can't contain ToFQDNs rules. + items: + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. + properties: + cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + type: array + toFQDNs: + description: |- + List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. This field is used as + whitelist for DNS names. If none specified, no rule will be applied. + ToFQDNs rules can't contain To rules. + items: + description: FQDNSelector describes rules for matching DNS + names. + properties: + matchName: + description: MatchName matches FQDN. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using "*" to match DNS names. + "*" matches 0 or more valid characters. + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + type: object + type: array + ingress: + description: |- + List of ingress rules to be applied. Traffic is allowed to + a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service + exposed with type Loadbalancer. Clusters are isolated by default. 
+ items: + description: |- + IngressRule describes a particular set of traffic that is allowed to the cluster. + The traffic must match both ports and from. + properties: + from: + description: |- + List of sources which should be able to access the cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. + items: + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. + properties: + cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + type: array + ports: + description: |- + List of ports which should be made accessible on the cluster for this + rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. + items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. 
This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array + type: object + status: + description: PolicyStatus defines the observed state for CWNP resource + properties: + fqdn_state: + additionalProperties: + items: + description: IPSet stores set name association to IP addresses + properties: + expirationTime: + format: date-time + type: string + fqdn: + type: string + ips: + items: + type: string + type: array + setName: + type: string + version: + type: string + type: object + type: array + description: |- + FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule. + Key is either MatchName or MatchPattern + type: object + message: + description: Message describes why the state changed + type: string + state: + description: State of the CWNP, can be either deployed or ignored + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml deleted file mode 120000 index 32160e5bc..000000000 
--- a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../crds-firewall/templates/firewall-controller-manager/firewall.metal-stack.io_firewallmonitors.yaml \ No newline at end of file diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml new file mode 100644 index 000000000..dc859c3f8 --- /dev/null +++ b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml 
@@ -0,0 +1,317 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: firewallmonitors.firewall.metal-stack.io +spec: + group: firewall.metal-stack.io + names: + kind: FirewallMonitor + listKind: FirewallMonitorList + plural: firewallmonitors + shortNames: + - fwmon + singular: firewallmonitor + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .machineStatus.machineID + name: Machine ID + type: string + - jsonPath: .image + name: Image + type: string + - jsonPath: .size + name: Size + type: string + - jsonPath: .machineStatus.lastEvent.event + name: Last Event + type: string + - jsonPath: .machineStatus.allocationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: |- + FirewallMonitor is typically deployed into the shoot cluster in comparison to the other resources of this controller + which are deployed into the seed cluster's shoot namespace. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + conditions: + description: Conditions contain the latest available observations of a + firewall's current state. + items: + description: Condition holds the information about the state of a resource. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: Last time the condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about the + transition. 
+ type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of the condition. + type: string + required: + - lastTransitionTime + - lastUpdateTime + - message + - reason + - status + - type + type: object + type: array + controllerStatus: + description: ControllerStatus holds the status of the firewall-controller + reconciling this firewall + properties: + controllerVersion: + type: string + distance: + description: |- + FirewallDistance defines the as-path length of firewalls, influencing how strong they attract + network traffic for routing traffic in and out of the cluster. + This is of particular interest during rolling firewall updates, i.e. when there is + more than a single firewall running in front of the cluster. + During a rolling update, new firewalls start with a longer distance such that + traffic is only attracted by the existing firewalls ("firewall staging"). + When the new firewall has connected successfully to the firewall monitor, the deployment + controller throws away the old firewalls and the new firewall takes over the routing. + The deployment controller will then shorten the distance of the new firewall. + This approach reduces service interruption of the external user traffic of the cluster + (for firewall-controller versions that support this feature). 
+ type: integer + distanceSupported: + type: boolean + lastRun: + format: date-time + type: string + lastRunAgainstSeed: + format: date-time + type: string + message: + type: string + nftablesExporterVersion: + type: string + stats: + description: FirewallStats contains firewall statistics + properties: + devices: + additionalProperties: + description: DeviceStat contains statistics of a device + properties: + in: + format: int64 + type: integer + out: + format: int64 + type: integer + required: + - in + - out + type: object + description: DeviceStatsByDevice contains DeviceStatistics grouped + by device name + type: object + idsStats: + additionalProperties: + properties: + drop: + type: integer + invalidChecksums: + type: integer + packets: + type: integer + required: + - drop + - invalidChecksums + - packets + type: object + type: object + rules: + additionalProperties: + additionalProperties: + description: RuleStat contains the statistics for a single + nftables rule + properties: + counter: + description: Counter holds values of a nftables counter + object + properties: + bytes: + format: int64 + type: integer + packets: + format: int64 + type: integer + required: + - bytes + - packets + type: object + required: + - counter + type: object + description: RuleStats contains firewall rule statistics of + all rules of an action + type: object + description: 'RuleStatsByAction contains firewall rule statistics + groups by action: e.g. accept, drop, policy, masquerade' + type: object + required: + - devices + - idsStats + - rules + type: object + type: object + egressRules: + description: EgressRules contains egress rules configured for this firewall. + items: + description: EgressRuleSNAT holds a Source-NAT rule + properties: + ips: + description: IPs contains the ips used as source addresses for packets + leaving the specified network. 
+ items: + type: string + type: array + networkID: + description: NetworkID is the network for which the egress rule + will be configured. + type: string + required: + - ips + - networkID + type: object + type: array + image: + description: Image is the os image of the firewall. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + logAcceptedConnections: + description: LogAcceptedConnections if set to true, also log accepted + connections in the droptailer log. + type: boolean + machineStatus: + description: MachineStatus holds the status of the firewall machine + properties: + allocationTimestamp: + description: AllocationTimestamp is the timestamp when the machine + was allocated. + format: date-time + type: string + crashLoop: + description: CrashLoop can occur during provisioning of the firewall + causing the firewall not to get ready. + type: boolean + imageID: + description: ImageID contains the used os image id of the firewall + (the fully qualified version, no shorthand version). + type: string + lastEvent: + description: LastEvent contains the last provisioning event of the + machine. + properties: + event: + description: Event is the provisioning event. + type: string + message: + description: Message contains a message further describing the + event. + type: string + timestamp: + description: Timestamp is the point in time when the provisioning + event was received. + format: date-time + type: string + required: + - event + - message + - timestamp + type: object + liveliness: + description: Liveliness expresses the liveliness of the firewall and + can be used to determine the general health state of the machine. 
+ type: string + machineID: + description: MachineID is the id of the firewall in the metal-stack + api. + type: string + required: + - allocationTimestamp + - liveliness + - machineID + type: object + metadata: + type: object + networks: + description: Networks are the networks to which this firewall is connected. + items: + type: string + type: array + partition: + description: Partition is the partition in which the firewall resides. + type: string + project: + description: Project is the project in which the firewall resides. + type: string + rateLimits: + description: RateLimits allows configuration of rate limit rules for interfaces. + items: + description: RateLimit contains the rate limit rule for a network. + properties: + networkID: + description: NetworkID specifies the network which should be rate + limited. + type: string + rate: + description: Rate is the input rate in MiB/s. + format: int32 + type: integer + required: + - networkID + - rate + type: object + type: array + size: + description: Size is the machine size of the firewall. + type: string + required: + - conditions + - image + - networks + - partition + - project + - size + type: object + served: true + storage: true + subresources: {} diff --git a/charts/internal/shoot-storageclasses/templates/_helpers.tpl b/charts/internal/shoot-storageclasses/templates/helpers.tpl similarity index 100% rename from charts/internal/shoot-storageclasses/templates/_helpers.tpl rename to charts/internal/shoot-storageclasses/templates/helpers.tpl diff --git a/charts/internal/utils-tls-cipher-suites/Chart.yaml b/charts/internal/utils-tls-cipher-suites/Chart.yaml deleted file mode 100644 index 11d39bd14..000000000 --- a/charts/internal/utils-tls-cipher-suites/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Util chart for cipher-suites -name: utils-tls-cipher-suites -version: 0.1.0 
diff --git a/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl b/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl deleted file mode 100644 index 364d206a6..000000000 --- a/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl +++ /dev/null @@ -1,10 +0,0 @@ -{{- define "kubernetes.tlsCipherSuites" }} -TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 -TLS_RSA_WITH_AES_128_CBC_SHA -TLS_RSA_WITH_AES_256_CBC_SHA -TLS_RSA_WITH_AES_128_GCM_SHA256 -TLS_RSA_WITH_AES_256_GCM_SHA384 -TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA -{{- end -}} diff --git a/cmd/gardener-extension-provider-metal/app/app.go b/cmd/gardener-extension-provider-metal/app/app.go index 83471a96d..0ace37a92 100644 --- a/cmd/gardener-extension-provider-metal/app/app.go +++ b/cmd/gardener-extension-provider-metal/app/app.go @@ -11,6 +11,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" gardenerhealthz "github.com/gardener/gardener/pkg/healthz" + "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/charts" metalinstall "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/install" metalcmd "github.com/metal-stack/gardener-extension-provider-metal/pkg/cmd" @@ -21,6 +22,7 @@ import ( "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" shootcontrolplanewebhook "github.com/metal-stack/gardener-extension-provider-metal/pkg/webhook/controlplane" metalcontrolplaneexposure "github.com/metal-stack/gardener-extension-provider-metal/pkg/webhook/controlplaneexposure" + autoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" "github.com/gardener/gardener/extensions/pkg/controller/heartbeat" heartbeatcmd "github.com/gardener/gardener/extensions/pkg/controller/heartbeat/cmd" 
@@ -35,6 +37,7 @@ import ( "github.com/spf13/cobra" "k8s.io/component-base/version/verflag" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" "sigs.k8s.io/controller-runtime/pkg/healthz" "sigs.k8s.io/controller-runtime/pkg/manager" @@ -171,14 +174,27 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command { if err := controller.AddToScheme(scheme); err != nil { return fmt.Errorf("could not update manager scheme: %w", err) } - if err := metalinstall.AddToScheme(scheme); err != nil { return fmt.Errorf("could not update manager scheme: %w", err) } - if err := druidv1alpha1.AddToScheme(scheme); err != nil { return fmt.Errorf("could not update manager scheme: %w", err) } + if err := autoscalingv1.AddToScheme(scheme); err != nil { + return fmt.Errorf("could not update manager scheme: %w", err) + } + + log := mgr.GetLogger() + gardenCluster, err := getGardenCluster(log) + if err != nil { + return err + } + log.Info("Adding garden cluster to manager") + if err := mgr.Add(gardenCluster); err != nil { + return fmt.Errorf("failed adding garden cluster to manager: %w", err) + } + + log.Info("Adding controllers to manager") configFileOpts.Completed().ApplyETCD(&metalcontrolplaneexposure.DefaultAddOptions.ETCD) configFileOpts.Completed().ApplyMachineImages(&metalworker.DefaultAddOptions.MachineImages) @@ -195,6 +211,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command { reconcileOpts.Completed().Apply(&metalcontrolplane.DefaultAddOptions.IgnoreOperationAnnotation) reconcileOpts.Completed().Apply(&metalworker.DefaultAddOptions.IgnoreOperationAnnotation) workerCtrlOpts.Completed().Apply(&metalworker.DefaultAddOptions.Controller) + metalworker.DefaultAddOptions.GardenCluster = gardenCluster atomicShootWebhookConfig, err := webhookOptions.Completed().AddToManager(ctx, mgr) if err != nil { 
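Review bot: `gardenCluster, err := getGardenCluster(log)` followed by `return err` hands the caller an error that does not say which step failed, and the first return inside getGardenCluster (the next hunk) likewise does `return nil, err`, so a missing or unreadable `GARDEN_KUBECONFIG` surfaces as a bare client-go error with no hint which environment variable the operator has to set. Every other error path in this function wraps with `%w` and a message, so these two stand out. Suggest `return fmt.Errorf("failed to set up garden cluster: %w", err)` here and `return nil, fmt.Errorf("could not load garden kubeconfig from GARDEN_KUBECONFIG: %w", err)` in getGardenCluster. NewControllerManagerCommand starts outside this hunk.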
@@ -232,3 +249,21 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command { return cmd } + +func getGardenCluster(log logr.Logger) (cluster.Cluster, error) { + log.Info("Getting rest config for garden") + gardenRESTConfig, err := kubernetes.RESTConfigFromKubeconfigFile(os.Getenv("GARDEN_KUBECONFIG"), kubernetes.AuthTokenFile) + if err != nil { + return nil, err + } + + log.Info("Setting up cluster object for garden") + gardenCluster, err := cluster.New(gardenRESTConfig, func(opts *cluster.Options) { + opts.Scheme = kubernetes.GardenScheme + opts.Logger = log + }) + if err != nil { + return nil, fmt.Errorf("failed creating garden cluster object: %w", err) + } + return gardenCluster, nil +} diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml index ed6d9a55f..9dccca3c9 100644 --- a/example/controller-registration.yaml +++ b/example/controller-registration.yaml @@ -8,7 +8,7 @@ providerConfig: chart: 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 values: image: - tag: v0.22.12 + tag: v0.23.1 --- apiVersion: core.gardener.cloud/v1beta1 kind: ControllerRegistration diff --git a/go.mod b/go.mod index f59543b5c..76ffa01f7 100644 --- a/go.mod +++ b/go.mod @@ -8,11 +8,11 @@ require ( github.com/Masterminds/semver/v3 v3.2.1 github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 github.com/coreos/go-systemd/v22 v22.5.0 - github.com/gardener/etcd-druid v0.19.2 - github.com/gardener/gardener v1.81.0 + github.com/gardener/etcd-druid v0.20.1 + github.com/gardener/gardener v1.82.3 github.com/gardener/gardener-extension-networking-calico v1.36.1 github.com/gardener/gardener-extension-networking-cilium v1.26.0 - github.com/gardener/machine-controller-manager v0.49.3 + github.com/gardener/machine-controller-manager v0.50.1 github.com/go-logr/logr v1.4.1 github.com/go-openapi/strfmt v0.23.0 github.com/golang/mock v1.6.0 
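Review bot: getGardenCluster is a new exported-style helper without a doc comment, and its dependency on the process environment (`os.Getenv("GARDEN_KUBECONFIG")`, together with `kubernetes.AuthTokenFile`) is only discoverable by reading the body. Since that kubeconfig is what grants the extension access to the garden cluster, the declaration is the right place to state it, e.g. `// getGardenCluster builds a controller-runtime cluster.Cluster for the garden cluster from the kubeconfig named by the GARDEN_KUBECONFIG environment variable (auth token from kubernetes.AuthTokenFile), using kubernetes.GardenScheme.`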
@@ -21,7 +21,7 @@ require (
 github.com/metal-stack/firewall-controller-manager v0.4.0
 github.com/metal-stack/firewall-controller/v2 v2.3.3
 github.com/metal-stack/metal-go v0.31.1
- github.com/metal-stack/metal-lib v0.16.3
+ github.com/metal-stack/metal-lib v0.16.2
 github.com/onsi/ginkgo v1.16.5
 github.com/onsi/gomega v1.33.1
 github.com/spf13/cobra v1.8.0
@@ -30,6 +30,7 @@ require (
 k8s.io/api v0.29.3
 k8s.io/apiextensions-apiserver v0.29.3
 k8s.io/apimachinery v0.29.3
+ k8s.io/autoscaler/vertical-pod-autoscaler v0.14.0
 k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
 k8s.io/code-generator v0.29.3
 k8s.io/component-base v0.29.3
@@ -157,10 +158,9 @@ require (
 istio.io/api v0.0.0-20230217221049-9d422bf48675 // indirect
 istio.io/client-go v1.17.1 // indirect
 k8s.io/apiserver v0.28.3 // indirect
- k8s.io/autoscaler/vertical-pod-autoscaler v0.14.0 // indirect
 k8s.io/cluster-bootstrap v0.28.3 // indirect
 k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect
- k8s.io/helm v2.16.1+incompatible // indirect
+ k8s.io/helm v2.17.0+incompatible // indirect
 k8s.io/klog v1.0.0 // indirect
 k8s.io/klog/v2 v2.110.1 // indirect
 k8s.io/kube-aggregator v0.28.3 // indirect
diff --git a/go.sum b/go.sum
index 0d5c19bc2..9a8eba8f9 100644
--- a/go.sum
+++ b/go.sum
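Review bot: `github.com/metal-stack/metal-lib v0.16.2` moves this requirement backwards from v0.16.3 while every other module in the commit moves forward, and nothing visible in the diff explains it. Go's minimal version selection never lowers a requirement by itself, so this came from an explicit `go get` or a hand edit. If it is unintended, `go get github.com/metal-stack/metal-lib@v0.16.3` restores it; if it is deliberate, a sentence in the description saying why would spare the next reviewer the same question, since a silent dependency downgrade is exactly what a supply-chain review has to stop on.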
@@ -728,16 +728,16 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/gardener/etcd-druid v0.19.2 h1:Z8TTbmVUxZ7UWU5iJAwUHUI6A9E5Mfd5JcvokVfYH1A= -github.com/gardener/etcd-druid v0.19.2/go.mod h1:0Q9nKPiONDac/Gr0SZYFkVXHGt/Yt//rcRfDIUfftZo= -github.com/gardener/gardener v1.81.0 h1:pFmDRTCnImXD4H1B6guBZRtCUBBTonib8Ua5DmGlUSk= -github.com/gardener/gardener v1.81.0/go.mod h1:HPeLu4C0lD0B4m40pdMxIy9tiIOrAe1GLCTKnKqgmdg= +github.com/gardener/etcd-druid v0.20.1 h1:o6F4higujfg7dvBXvk+yPb86+3t2+XLE0Hmw5W1kXtM= +github.com/gardener/etcd-druid v0.20.1/go.mod h1:1tAeHycB0Vb2GfCX6sUCc6V6frGrCQI//quVg4K3GNA= +github.com/gardener/gardener v1.82.3 h1:GVx7wmmodv9++ZnZrJHyI8fhCJSG35s0o3pvLWD7u0k= +github.com/gardener/gardener v1.82.3/go.mod h1:ZdLfUC8Ia/Qo+e13FspxHsMJZ9c3DTek6Iy0ff0QQzc= github.com/gardener/gardener-extension-networking-calico v1.36.1 h1:WyAdADamhxQgcCBrQOZAeSM/wm/urmmwBaqd2YLc7MY= github.com/gardener/gardener-extension-networking-calico v1.36.1/go.mod h1:GFmktIEzLxrOV6uNrCREeKjIkwYK6TlVOEPP7dffjAM= github.com/gardener/hvpa-controller/api v0.5.0 h1:f4F3O7YUrenwh4S3TgPREPiB287JjjUiUL18OqPLyAA= github.com/gardener/hvpa-controller/api v0.5.0/go.mod h1:QQl3ELkCaki+8RhXl0FZMfvnm0WCGwGJlGmrxJj6lvM= -github.com/gardener/machine-controller-manager v0.49.3 h1:/ghxZVMij00SpeaORMZJlodosePWWByrIOr8fcp45sU= -github.com/gardener/machine-controller-manager v0.49.3/go.mod h1:ypFf18+Y6mJpohfZrOJI+vq7NQ3Yn7Ke4ujW23u/6nM= +github.com/gardener/machine-controller-manager v0.50.1 h1:lL2q0O+K6jkgYzHPz85wIc9MzASZaiDvLYnTxW7P5ws= +github.com/gardener/machine-controller-manager v0.50.1/go.mod h1:RySZ40AgbNV/wMq60G/w49kb+okbj5Xs1A6usz5Pm/I= github.com/ghodss/yaml v1.0.0 
h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= @@ -1035,8 +1035,8 @@ github.com/metal-stack/gardener-extension-networking-cilium v1.16.1-0.2024051013 github.com/metal-stack/gardener-extension-networking-cilium v1.16.1-0.20240510132804-f1f2b0fdce23/go.mod h1:m2c6m3UNI3fLiqna/2m40Tdveep4CLUByIRfci2yw64= github.com/metal-stack/metal-go v0.31.1 h1:1U31FuqhUveKxlIYrlrzjIhQLEqrlsm7ohZnZGMZz/E= github.com/metal-stack/metal-go v0.31.1/go.mod h1:3MJTYCS4YJz8D8oteTKhjpaAKNMMjMKYDrIy9awHGtQ= -github.com/metal-stack/metal-lib v0.16.3 h1:xJr6P9GauQK49aoFH0bFyye5kRGmt87PomokulUm4Go= -github.com/metal-stack/metal-lib v0.16.3/go.mod h1:nyNGI4DZFOcWbSoq2Y6V3SHpFxuXBIqYBZHTb6cy//s= +github.com/metal-stack/metal-lib v0.16.2 h1:RJls/Spai4h5xr3BEmQt9UdWNN4RB9+SOINoZcjYaA8= +github.com/metal-stack/metal-lib v0.16.2/go.mod h1:nyNGI4DZFOcWbSoq2Y6V3SHpFxuXBIqYBZHTb6cy//s= github.com/metal-stack/security v0.8.0 h1:tVaSDB9m5clwYrnLyaXfPy7mQlJTnmeoHscG+RUy/xo= github.com/metal-stack/security v0.8.0/go.mod h1:7GAcQb+pOgflW30ohJygxpqc3i0dQ2ahGJK1CU5tqa0= github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= 
@@ -2025,8 +2025,8 @@ k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/helm v2.16.1+incompatible h1:L+k810plJlaGWEw1EszeT4deK8XVaKxac1oGcuB+WDc= -k8s.io/helm v2.16.1+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= +k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= +k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= diff --git a/pkg/controller/controlplane/add.go b/pkg/controller/controlplane/add.go index b82fca079..9a92f7547 100644 --- a/pkg/controller/controlplane/add.go +++ b/pkg/controller/controlplane/add.go @@ -2,7 +2,6 @@ package controlplane import ( "context" - "fmt" "sync/atomic" extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" @@ -15,7 +14,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" - "sigs.k8s.io/controller-runtime/pkg/webhook" ) var ( 
@@ -41,17 +39,11 @@ type AddOptions struct { // AddToManagerWithOptions adds a controller with the given Options to the given manager. // The opts.Reconciler is being set with a newly instantiated actuator. func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddOptions) error { - webhookServer := mgr.GetWebhookServer() - defaultServer, ok := webhookServer.(*webhook.DefaultServer) - if !ok { - return fmt.Errorf("expected *webhook.DefaultServer, got %T", webhookServer) - } - actuator, err := genericactuator.NewActuator(mgr, metal.Name, secretConfigsFunc, shootAccessSecretsFunc, nil, nil, nil, controlPlaneChart, cpShootChart, nil, storageClassChart, nil, NewValuesProvider(mgr, opts.ControllerConfig), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot), - imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, int32(defaultServer.Options.Port), + imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, ) if err != nil { return err diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index fe1f5e0fa..1913d80f1 100644 --- a/pkg/controller/controlplane/valuesprovider.go +++ b/pkg/controller/controlplane/valuesprovider.go @@ -25,6 +25,7 @@ import ( "github.com/gardener/gardener/extensions/pkg/controller/controlplane/genericactuator" + "github.com/metal-stack/gardener-extension-provider-metal/charts" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" 
@@ -146,14 +147,14 @@ func shootAccessSecretsFunc(namespace string) []*gutil.AccessSecret { gutil.NewShootAccessSecret(metal.FirewallControllerManagerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.CloudControllerManagerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.DurosControllerDeploymentName, namespace), - gutil.NewShootAccessSecret(metal.MachineControllerManagerName, namespace), } } var controlPlaneChart = &chart.Chart{ - Name: "control-plane", - Path: filepath.Join(metal.InternalChartsPath, "control-plane"), - Images: []string{metal.CCMImageName, metal.FirewallControllerManagerDeploymentName}, + Name: "control-plane", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "control-plane"), + Images: []string{metal.CCMImageName, metal.FirewallControllerManagerDeploymentName}, Objects: []*chart.Object{ // cloud controller manager {Type: &corev1.Service{}, Name: "cloud-controller-manager"}, @@ -162,9 +163,10 @@ var controlPlaneChart = &chart.Chart{ } var cpShootChart = &chart.Chart{ - Name: "shoot-control-plane", - Path: filepath.Join(metal.InternalChartsPath, "shoot-control-plane"), - Images: []string{metal.DroptailerImageName, metal.MetallbSpeakerImageName, metal.MetallbControllerImageName, metal.NodeInitImageName, metal.MetallbHealthSidecarImageName}, + Name: "shoot-control-plane", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "shoot-control-plane"), + Images: []string{metal.DroptailerImageName, metal.MetallbSpeakerImageName, metal.MetallbControllerImageName, metal.NodeInitImageName, metal.MetallbHealthSidecarImageName}, Objects: []*chart.Object{ // metallb {Type: &corev1.Namespace{}, Name: "metallb-system"}, 
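Review bot: Removing `gutil.NewShootAccessSecret(metal.MachineControllerManagerName, namespace)` from shootAccessSecretsFunc stops this extension from requesting that shoot access secret, but nothing in the hunk removes the secret that earlier releases already created in the seed's shoot namespace, and whether the generic actuator prunes entries that disappear from this list is not visible here. A shoot access secret is a credential, so if it is not garbage-collected it outlives the component that needed it. Worth confirming the actuator's behaviour (or adding a one-time cleanup), and a comment on the list such as `// no access secret for machine-controller-manager: presumably it is no longer deployed by this extension` would record why the entry went.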
@@ -230,9 +232,10 @@ var cpShootChart = &chart.Chart{ } var storageClassChart = &chart.Chart{ - Name: "shoot-storageclasses", - Path: filepath.Join(metal.InternalChartsPath, "shoot-storageclasses"), - Images: []string{metal.CSIControllerImageName, metal.CSIProvisionerImageName}, + Name: "shoot-storageclasses", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "shoot-storageclasses"), + Images: []string{metal.CSIControllerImageName, metal.CSIProvisionerImageName}, Objects: []*chart.Object{ {Type: &corev1.Namespace{}, Name: "csi-lvm"}, {Type: &storagev1.StorageClass{}, Name: "csi-lvm"}, @@ -609,11 +612,11 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c var networkAccessMirrors []map[string]any if restrictedOrForbidden && partition.NetworkIsolation != nil { for _, r := range partition.NetworkIsolation.RegistryMirrors { - nam, err := registryMirrorToValueMap(r) + mirror, err := registryMirrorToValueMap(r) if err != nil { return nil, err } - networkAccessMirrors = append(networkAccessMirrors, nam) + networkAccessMirrors = append(networkAccessMirrors, mirror) } } @@ -778,6 +781,7 @@ func getCCMChartValues( "checksum/secret-cloudprovider": checksums[v1beta1constants.SecretNameCloudProvider], "checksum/configmap-cloud-provider-config": checksums[metal.CloudProviderConfigName], }, + "tlsCipherSuites": kutil.TLSCipherSuites, "secrets": map[string]any{ "server": serverSecret.Name, }, @@ -1107,12 +1111,12 @@ func getDefaultExternalNetwork(nws networkMap, cpConfig *apismetal.ControlPlaneC continue } - pn, ok := nws[nw.Parentnetworkid] + parent, ok := nws[nw.Parentnetworkid] if !ok { return "", fmt.Errorf("network defined in firewall networks specified a parent network that does not exist in metal-api") } - if *pn.Privatesuper { + if *parent.Privatesuper { dmzNetworks = append(dmzNetworks, nw) continue } 
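Review bot: In the getCCMChartValues hunk, `"tlsCipherSuites": kutil.TLSCipherSuites,` takes over from the chart-local `kubernetes.tlsCipherSuites` helper that this commit deletes along with the utils-tls-cipher-suites chart, so any template in control-plane that still renders `{{ include "kubernetes.tlsCipherSuites" . }}` would now fail, and only the CCM values receive the new list; the changed cloud-controller-manager.yaml template is not visible here, so that is worth a grep before merge. The deleted list carried RSA-key-exchange and CBC suites (`TLS_RSA_WITH_AES_128_CBC_SHA` and friends) without forward secrecy, so sourcing the list from gardener's maintained `kutil.TLSCipherSuites` is the right direction. A comment on the new line, `// cipher suites come from gardener's curated list rather than a chart-local template`, would make the switch deliberate for the next reader.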
diff --git a/pkg/controller/healthcheck/add.go b/pkg/controller/healthcheck/add.go index fc2239fb1..44e8521bd 100644 --- a/pkg/controller/healthcheck/add.go +++ b/pkg/controller/healthcheck/add.go @@ -14,7 +14,6 @@ import ( "github.com/gardener/gardener/extensions/pkg/controller/healthcheck" "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/general" "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/worker" - genericworkeractuator "github.com/gardener/gardener/extensions/pkg/controller/worker/genericactuator" extensionspredicate "github.com/gardener/gardener/extensions/pkg/predicate" gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -106,14 +105,6 @@ func RegisterHealthChecks(ctx context.Context, mgr manager.Manager, opts AddOpti opts.HealthCheckDefaults, nil, []healthcheck.ConditionTypeToHealthCheck{ - { - ConditionType: string(gardencorev1beta1.ShootSystemComponentsHealthy), - HealthCheck: general.CheckManagedResource(genericworkeractuator.McmShootResourceName), - }, - { - ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy), - HealthCheck: general.NewSeedDeploymentHealthChecker("machine-controller-manager"), - }, { ConditionType: string(gardencorev1beta1.ShootEveryNodeReady), HealthCheck: worker.NewNodesChecker(), diff --git a/pkg/controller/infrastructure/actuator_delete.go b/pkg/controller/infrastructure/actuator_delete.go index d55bf17ff..84b644d3d 100644 --- a/pkg/controller/infrastructure/actuator_delete.go +++ b/pkg/controller/infrastructure/actuator_delete.go @@ -15,7 +15,7 @@ import ( "github.com/metal-stack/metal-go/api/client/network" "github.com/metal-stack/metal-go/api/models" - extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" + "github.com/gardener/gardener/extensions/pkg/controller" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" "github.com/gardener/gardener/pkg/controllerutils/reconciler" 
@@ -27,14 +27,14 @@ import ( type networkDeleter struct { ctx context.Context logger logr.Logger - cluster *extensionscontroller.Cluster + cluster *controller.Cluster infrastructure *extensionsv1alpha1.Infrastructure infrastructureConfig *metalapi.InfrastructureConfig mclient metalgo.Client clusterID string } -func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructure *extensionsv1alpha1.Infrastructure, cluster *extensionscontroller.Cluster) error { +func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructure *extensionsv1alpha1.Infrastructure, cluster *controller.Cluster) error { internalInfrastructureConfig, _, err := decodeInfrastructure(infrastructure, a.decoder) if err != nil { return err @@ -103,6 +103,10 @@ func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructur return nil } +func (a *actuator) ForceDelete(_ context.Context, _ logr.Logger, _ *extensionsv1alpha1.Infrastructure, _ *controller.Cluster) error { + return nil +} + func (a *actuator) releaseNetworkResources(d *networkDeleter) error { ipsToFree, ipsToUpdate, err := metalclient.GetEphemeralIPsFromCluster(d.ctx, d.mclient, d.infrastructureConfig.ProjectID, d.clusterID) if err != nil { @@ -152,10 +156,10 @@ func (a *actuator) releaseNetworkResources(d *networkDeleter) error { return err } - for _, pn := range privateNetworks { - _, err := d.mclient.Network().FreeNetwork(network.NewFreeNetworkParams().WithID(*pn.ID).WithContext(d.ctx), nil) + for _, privateNetwork := range privateNetworks { + _, err := d.mclient.Network().FreeNetwork(network.NewFreeNetworkParams().WithID(*privateNetwork.ID).WithContext(d.ctx), nil) if err != nil { - d.logger.Error(err, "failed to release private network", "infrastructure", d.infrastructure.Name, "networkID", *pn.ID) + d.logger.Error(err, "failed to release private network", "infrastructure", d.infrastructure.Name, "networkID", *privateNetwork.ID) return err } } 
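Review bot: The new `ForceDelete` returns nil without calling into metal-api, so a force-deleted Infrastructure leaves allocated everything that `releaseNetworkResources` reclaims on the regular path — the ephemeral IPs from `GetEphemeralIPsFromCluster` and the private networks freed via `FreeNetwork` — and the `// TODO: implement` marker the deleted actuator_force_delete.go carried is gone with it. If skipping cleanup on force deletion is intended, say so where the method is defined; otherwise run the release path best-effort and only log failures, since a force delete presumably must not block on a failing API. At minimum add `// ForceDelete deliberately performs no metal-api cleanup; orphaned ephemeral IPs and private networks must be reclaimed out of band. TODO: best-effort release.` above the method.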
diff --git a/pkg/controller/infrastructure/actuator_force_delete.go b/pkg/controller/infrastructure/actuator_force_delete.go deleted file mode 100644 index b0a93f8f1..000000000 --- a/pkg/controller/infrastructure/actuator_force_delete.go +++ /dev/null @@ -1,14 +0,0 @@ -package infrastructure - -import ( - "context" - - extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" - extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" - "github.com/go-logr/logr" -) - -func (a *actuator) ForceDelete(context.Context, logr.Logger, *extensionsv1alpha1.Infrastructure, *extensionscontroller.Cluster) error { - // TODO: implement - return nil -} diff --git a/pkg/controller/worker/actuator.go b/pkg/controller/worker/actuator.go index 7942c1d97..c8001fb5b 100644 --- a/pkg/controller/worker/actuator.go +++ b/pkg/controller/worker/actuator.go 
@@ -11,15 +11,14 @@ import ( "github.com/gardener/gardener/extensions/pkg/controller/worker" "github.com/gardener/gardener/extensions/pkg/controller/worker/genericactuator" gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" - apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" - metalclient "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal/client" metalgo "github.com/metal-stack/metal-go" "github.com/metal-stack/metal-go/api/models" "github.com/metal-stack/metal-lib/pkg/cache" + "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" + apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" + metalclient "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal/client" + extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" gardener "github.com/gardener/gardener/pkg/client/kubernetes" @@ -31,6 +30,7 @@ import ( "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" ) @@ -91,7 +91,7 @@ type ( } ) -func NewActuator(mgr manager.Manager, machineImages []config.MachineImage, controllerConfig config.ControllerConfiguration) (worker.Actuator, error) { +func NewActuator(mgr manager.Manager, gardenCluster cluster.Cluster, machineImages []config.MachineImage, controllerConfig config.ControllerConfiguration) worker.Actuator { a := &actuator{ controllerConfig: controllerConfig, networkCache: cache.New(15*time.Minute, func(ctx context.Context, accessor *cacheKey) (*models.V1NetworkResponse, error) { 
@@ -120,21 +120,16 @@ func NewActuator(mgr manager.Manager, machineImages []config.MachineImage, contr machineImageMapping: machineImages, } - var err error - a.workerActuator, err = genericactuator.NewActuator( + a.workerActuator = genericactuator.NewActuator( mgr, + gardenCluster, delegateFactory, - metal.MachineControllerManagerName, - mcmChart, - mcmShootChart, - imagevector.ImageVector(), - extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot), func(err error) []gardencorev1beta1.ErrorCode { return util.DetermineErrorCodes(err, map[gardencorev1beta1.ErrorCode]func(string) bool{}) // TODO: implement our error codes? }, ) - return a, err + return a } func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { @@ -146,6 +141,10 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, worker *exten return a.workerActuator.Reconcile(ctx, log, worker, cluster) } +func (a *actuator) ForceDelete(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { + return nil +} + func (a *actuator) Delete(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { err := a.workerActuator.Delete(ctx, log, worker, cluster) if err != nil { @@ -155,11 +154,6 @@ func (a *actuator) Delete(ctx context.Context, log logr.Logger, worker *extensio return a.firewallDelete(ctx, log, cluster) } -func (a *actuator) ForceDelete(context.Context, logr.Logger, *extensionsv1alpha1.Worker, *extensionscontroller.Cluster) error { - // TODO: implement - return nil -} - func (a *actuator) Migrate(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { err := a.workerActuator.Migrate(ctx, log, worker, cluster) if err != nil { 
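Review bot: The worker `ForceDelete` is a no-op while `Delete` directly below it runs `a.workerActuator.Delete` and then `a.firewallDelete`, so a force-deleted shoot keeps its firewall machines and whatever the generic actuator would otherwise tear down. If the generic actuator offers a ForceDelete of its own, delegate to it — `return a.workerActuator.ForceDelete(ctx, log, worker, cluster)` — and add a comment stating why firewalls are intentionally left alone (or call `firewallDelete` best-effort). The four parameters are unused; naming them `_` as the infrastructure actuator in this change does keeps the two actuators consistent.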
diff --git a/pkg/controller/worker/add.go b/pkg/controller/worker/add.go index 203097bfe..d1fd8f590 100644 --- a/pkg/controller/worker/add.go +++ b/pkg/controller/worker/add.go @@ -10,6 +10,7 @@ import ( machinescheme "github.com/gardener/machine-controller-manager/pkg/client/clientset/versioned/scheme" apiextensionsscheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme" "k8s.io/apimachinery/pkg/runtime" + "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/manager" ) @@ -28,6 +29,8 @@ type AddOptions struct { MachineImages []config.MachineImage // IgnoreOperationAnnotation specifies whether to ignore the operation annotation or not. IgnoreOperationAnnotation bool + // GardenCluster is the garden cluster object. + GardenCluster cluster.Cluster } // AddToManagerWithOptions adds a controller with the given Options to the given manager. @@ -41,13 +44,8 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO return err } - actuator, err := NewActuator(mgr, opts.MachineImages, opts.ControllerConfig) - if err != nil { - return err - } - return worker.Add(ctx, mgr, worker.AddArgs{ - Actuator: actuator, + Actuator: NewActuator(mgr, opts.GardenCluster, opts.MachineImages, opts.ControllerConfig), ControllerOptions: opts.Controller, Predicates: worker.DefaultPredicates(ctx, mgr, opts.IgnoreOperationAnnotation), Type: metal.Type, diff --git a/pkg/controller/worker/machine_controller_manager.go b/pkg/controller/worker/machine_controller_manager.go deleted file mode 100644 index f6a9815f2..000000000 --- a/pkg/controller/worker/machine_controller_manager.go +++ /dev/null 
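Review bot: `opts.GardenCluster` is handed to `NewActuator` with no nil check, and the new `AddOptions` field comment says only that it is "the garden cluster object", so a caller that leaves it unset will, as far as I can tell from this hunk, fail somewhere inside the generic actuator rather than at registration. Fail fast before `worker.Add`: `if opts.GardenCluster == nil { return fmt.Errorf("worker controller requires a garden cluster") }` (add the `fmt` import if add.go does not already have it). Extend the field comment to `// GardenCluster is the garden cluster object; it is required and is passed through to the generic worker actuator.`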
@@ -1,58 +0,0 @@ -package worker - -import ( - "context" - "fmt" - "path/filepath" - - "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" - - "github.com/gardener/gardener/pkg/utils/chart" - kutil "github.com/gardener/gardener/pkg/utils/kubernetes" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" -) - -var ( - mcmChart = &chart.Chart{ - Name: metal.MachineControllerManagerName, - Path: filepath.Join(metal.InternalChartsPath, metal.MachineControllerManagerName, "seed"), - Images: []string{metal.MachineControllerManagerImageName, metal.MCMProviderMetalImageName}, - Objects: []*chart.Object{ - {Type: &appsv1.Deployment{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.Service{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.ServiceAccount{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.Secret{}, Name: metal.MachineControllerManagerName}, - }, - } - - mcmShootChart = &chart.Chart{ - Name: metal.MachineControllerManagerName, - Path: filepath.Join(metal.InternalChartsPath, metal.MachineControllerManagerName, "shoot"), - Objects: []*chart.Object{ - {Type: &rbacv1.ClusterRole{}, Name: fmt.Sprintf("extensions.gardener.cloud:%s:%s", metal.Name, metal.MachineControllerManagerName)}, - {Type: &rbacv1.ClusterRoleBinding{}, Name: fmt.Sprintf("extensions.gardener.cloud:%s:%s", metal.Name, metal.MachineControllerManagerName)}, - }, - } -) - -func (w *workerDelegate) GetMachineControllerManagerChartValues(ctx context.Context) (map[string]interface{}, error) { - namespace := &corev1.Namespace{} - if err := w.client.Get(ctx, kutil.Key(w.worker.Namespace), namespace); err != nil { - return nil, err - } - - return map[string]interface{}{ - "providerName": metal.Name, - "namespace": map[string]interface{}{ - "uid": namespace.UID, - }, - }, nil -} - -func (w *workerDelegate) GetMachineControllerManagerShootChartValues(ctx context.Context) (map[string]interface{}, error) { - return 
map[string]interface{}{ - "providerName": metal.Name, - }, nil -} diff --git a/pkg/controller/worker/machines.go b/pkg/controller/worker/machines.go index 2b06d0f47..7101c8bd4 100644 --- a/pkg/controller/worker/machines.go +++ b/pkg/controller/worker/machines.go @@ -204,7 +204,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error { machineClassSpec["name"] = className machineClassSpec["labels"] = map[string]string{ - v1beta1constants.GardenerPurpose: genericworkeractuator.GardenPurposeMachineClass, + v1beta1constants.GardenerPurpose: v1beta1constants.GardenPurposeMachineClass, } // if we'd move the endpoint out of this secret into the deployment spec (which would be the way to go) diff --git a/pkg/metal/types.go b/pkg/metal/types.go index 3e8d25e25..8c10536bf 100644 --- a/pkg/metal/types.go +++ b/pkg/metal/types.go @@ -1,13 +1,9 @@ package metal -import "path/filepath" - const ( // Name is the name of the Metal provider. Name = "provider-metal" - // MachineControllerManagerImageName is the name of the MachineControllerManager image. - MachineControllerManagerImageName = "machine-controller-manager" // MCMProviderMetalImageName is the name of the metal provider plugin image. MCMProviderMetalImageName = "machine-controller-manager-provider-metal" // CCMImageName is the name of the cloud controller manager image. @@ -38,8 +34,6 @@ const ( // CloudProviderConfigName is the name of the configmap containing the cloud provider config. CloudProviderConfigName = "cloud-provider-config" - // MachineControllerManagerName is a constant for the name of the machine-controller-manager. - MachineControllerManagerName = "machine-controller-manager" // ShootExtensionTypeTokenIssuer appears unused? CHECKME ShootExtensionTypeTokenIssuer = "tokenissuer" 
@@ -63,13 +57,6 @@ const ( ManagerIdentity = "provider-" + Type + "-controlplane" ) -var ( - // ChartsPath is the path to the charts - ChartsPath = filepath.Join("charts") - // InternalChartsPath is the path to the internal charts - InternalChartsPath = filepath.Join(ChartsPath, "internal") -) - // Credentials stores Metal credentials. type Credentials struct { MetalAPIKey string diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go index 8bc013134..b19738f18 100644 --- a/pkg/webhook/controlplane/ensurer.go +++ b/pkg/webhook/controlplane/ensurer.go @@ -9,11 +9,10 @@ import ( "github.com/Masterminds/semver/v3" "github.com/coreos/go-systemd/v22/unit" extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" - extensionscontextwebhook "github.com/gardener/gardener/extensions/pkg/webhook/context" gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context" - "github.com/gardener/gardener/extensions/pkg/webhook/controlplane" "github.com/gardener/gardener/extensions/pkg/webhook/controlplane/genericmutator" + "github.com/gardener/gardener/pkg/component/machinecontrollermanager" v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" 
@@ -22,11 +21,15 @@ import ( "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" + "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector" + "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" metalapi "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" + vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" @@ -138,7 +141,8 @@ func ensureKubeletCommandLineArgs(command []string) []string { } // EnsureKubeletConfiguration ensures that the kubelet configuration conforms to the provider requirements. -func (e *ensurer) EnsureKubeletConfiguration(ctx context.Context, gctx extensionscontextwebhook.GardenContext, kubeletVersion *semver.Version, new, _ *kubeletconfigv1beta1.KubeletConfiguration) error { +func (e *ensurer) EnsureKubeletConfiguration(ctx context.Context, gctx gcontext.GardenContext, kubeletVersion *semver.Version, new, _ *kubeletconfigv1beta1.KubeletConfiguration) error { + // Make sure CSI-related feature gates are not enabled // TODO Leaving these enabled shouldn't do any harm, perhaps remove this code when properly tested? // FIXME Why ? 
@@ -336,3 +340,46 @@ version = 2 }, } } + +// ImageVector is exposed for testing. +var ImageVector = imagevector.ImageVector() + +// EnsureMachineControllerManagerDeployment ensures that the machine-controller-manager deployment conforms to the provider requirements. +func (e *ensurer) EnsureMachineControllerManagerDeployment(_ context.Context, _ gcontext.GardenContext, newObj, _ *appsv1.Deployment) error { + image, err := ImageVector.FindImage(metal.MCMProviderMetalImageName) + if err != nil { + return err + } + + c := machinecontrollermanager.ProviderSidecarContainer(newObj.Namespace, metal.Name, image.String()) + c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--machine-health-timeout=", "10080m") + + newObj.Spec.Template.Spec.Containers = extensionswebhook.EnsureContainerWithName( + newObj.Spec.Template.Spec.Containers, + c, + ) + return nil +} + +// EnsureMachineControllerManagerVPA ensures that the machine-controller-manager VPA conforms to the provider requirements. +func (e *ensurer) EnsureMachineControllerManagerVPA(_ context.Context, _ gcontext.GardenContext, newObj, _ *vpaautoscalingv1.VerticalPodAutoscaler) error { + var ( + minAllowed = corev1.ResourceList{ + corev1.ResourceMemory: resource.MustParse("64Mi"), + } + maxAllowed = corev1.ResourceList{ + corev1.ResourceCPU: resource.MustParse("2"), + corev1.ResourceMemory: resource.MustParse("5G"), + } + ) + + if newObj.Spec.ResourcePolicy == nil { + newObj.Spec.ResourcePolicy = &vpaautoscalingv1.PodResourcePolicy{} + } + + newObj.Spec.ResourcePolicy.ContainerPolicies = extensionswebhook.EnsureVPAContainerResourcePolicyWithName( + newObj.Spec.ResourcePolicy.ContainerPolicies, + machinecontrollermanager.ProviderSidecarVPAContainerPolicy(metal.Name, minAllowed, maxAllowed), + ) + return nil +} diff --git a/pkg/webhook/controlplaneexposure/ensurer.go b/pkg/webhook/controlplaneexposure/ensurer.go index bac65123a..29ff491ec 100644 --- a/pkg/webhook/controlplaneexposure/ensurer.go 
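Review bot: `--machine-health-timeout=10080m` in EnsureMachineControllerManagerDeployment is a bare magic number — seven days during which an unhealthy or unreachable machine is not replaced by MCM — and nothing in the hunk records why that value was chosen. Give it a named constant with a why-comment, e.g. `// 10080m = 7 days; presumably chosen so MCM does not churn bare-metal machines on transient health failures — confirm and document the rationale`, and consider exposing it through ControllerConfiguration. The VPA bounds also mix units (`64Mi` against `5G`); use `5Gi` unless the decimal unit is deliberate. Finally, `ImageVector` is an exported mutable package variable that decides which image is injected into the seed's MCM pod; if only tests need to swap it, keep it unexported and note that it must not be reassigned at runtime.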
+++ b/pkg/webhook/controlplaneexposure/ensurer.go @@ -10,20 +10,14 @@ import ( "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" "github.com/metal-stack/metal-lib/pkg/pointer" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" - extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context" v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" - v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" - - kutil "github.com/gardener/gardener/pkg/utils/kubernetes" ) // NewEnsurer creates a new controlplaneexposure ensurer. 
@@ -42,31 +36,6 @@ type ensurer struct { logger logr.Logger } -// EnsureKubeAPIServerService ensures that the kube-apiserver service conforms to the provider requirements. -func (e *ensurer) EnsureKubeAPIServerService(ctx context.Context, gctx gcontext.GardenContext, new, old *corev1.Service) error { - return nil -} - -// EnsureKubeAPIServerDeployment ensures that the kube-apiserver deployment conforms to the provider requirements. -func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gcontext.GardenContext, new, old *appsv1.Deployment) error { - // ignore gardener managed (APIServerSNI-enabled) apiservers. - if v1beta1helper.IsAPIServerExposureManaged(new) { - return nil - } - - // Get load balancer address of the kube-apiserver service - address, err := kutil.GetLoadBalancerIngress(ctx, e.client, &corev1.Service{ObjectMeta: v1.ObjectMeta{Namespace: new.Namespace, Name: v1beta1constants.DeploymentNameKubeAPIServer}}) - if err != nil { - return fmt.Errorf("could not get kube-apiserver service load balancer address %w", err) - } - - if c := extensionswebhook.ContainerWithName(new.Spec.Template.Spec.Containers, "kube-apiserver"); c != nil { - c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--advertise-address=", address) - c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--external-hostname=", address) - } - return nil -} - // EnsureETCD ensures that the etcd conform to the provider requirements. func (e *ensurer) EnsureETCD(ctx context.Context, gctx gcontext.GardenContext, new, old *druidv1alpha1.Etcd) error { new.Spec.StorageCapacity = pointer.Pointer(resource.MustParse("16Gi"))