From 3a3f152454df9d9ec5e08234b70bbad25908595d Mon Sep 17 00:00:00 2001 
From: Gerrit Date: Thu, 11 Jul 2024 12:52:28 +0200 Subject: [PATCH 1/3] Revendor to g/g 1.82. (#407) --- Makefile | 11 +- charts/charts.go | 3 + charts/images.yaml | 6 +- .../charts/utils-tls-cipher-suites | 1 - .../templates/cloud-controller-manager.yaml | 7 +- .../templates/{_helpers.tpl => helpers.tpl} | 0 ...l-stack.io_clusterwidenetworkpolicies.yaml | 218 +-- .../seed/Chart.yaml | 4 - .../seed/mcm-monitoring-dashboard.json | 1174 ----------------- .../seed/templates/clusterrole.yaml | 45 - .../seed/templates/clusterrolebinding.yaml | 20 - .../seed/templates/configmap-monitoring.yaml | 28 - .../seed/templates/deployment.yaml | 126 -- .../seed/templates/poddisruptionbudget.yaml | 14 - .../seed/templates/service.yaml | 19 - .../seed/templates/serviceaccount.yaml | 7 - .../seed/templates/vpa.yaml | 30 - .../seed/values.yaml | 47 - .../shoot/Chart.yaml | 4 - ...lusterrole-machine-controller-manager.yaml | 77 -- ...olebinding-machine-controller-manager.yaml | 13 - .../role-machine-controller-manager.yaml | 16 - ...olebinding-machine-controller-manager.yaml | 14 - .../shoot/values.yaml | 1 - .../templates/firewall-controller-crds | 1 - ...l-stack.io_clusterwidenetworkpolicies.yaml | 278 ++++ ...ewall.metal-stack.io_firewallmonitors.yaml | 318 ++++- .../templates/{_helpers.tpl => helpers.tpl} | 0 .../utils-tls-cipher-suites/Chart.yaml | 4 - .../templates/_tls_cipher_suites.tpl | 10 - .../app/app.go | 39 +- example/controller-registration.yaml | 2 +- go.mod | 15 +- go.sum | 32 +- pkg/controller/controlplane/add.go | 10 +- pkg/controller/controlplane/valuesprovider.go | 32 +- pkg/controller/healthcheck/add.go | 13 +- .../infrastructure/actuator_delete.go | 16 +- pkg/controller/worker/actuator.go | 20 +- pkg/controller/worker/add.go | 10 +- .../worker/machine_controller_manager.go | 58 - pkg/controller/worker/machines.go | 2 +- pkg/metal/types.go | 13 - pkg/webhook/controlplane/ensurer.go | 52 +- pkg/webhook/controlplaneexposure/ensurer.go | 31 - 45 files changed, 894 
insertions(+), 1947 deletions(-) delete mode 120000 charts/internal/control-plane/charts/utils-tls-cipher-suites rename charts/internal/control-plane/templates/{_helpers.tpl => helpers.tpl} (100%) delete mode 100644 charts/internal/machine-controller-manager/seed/Chart.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json delete mode 100644 charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/deployment.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/service.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/templates/vpa.yaml delete mode 100644 charts/internal/machine-controller-manager/seed/values.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/Chart.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml delete mode 100644 charts/internal/machine-controller-manager/shoot/values.yaml delete mode 120000 charts/internal/shoot-control-plane/templates/firewall-controller-crds create mode 100644 
charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml mode change 120000 => 100644 charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml rename charts/internal/shoot-storageclasses/templates/{_helpers.tpl => helpers.tpl} (100%) delete mode 100644 charts/internal/utils-tls-cipher-suites/Chart.yaml delete mode 100644 charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl delete mode 100644 pkg/controller/worker/machine_controller_manager.go diff --git a/Makefile b/Makefile index ffaad513e..73fcfba61 100644 --- a/Makefile +++ b/Makefile @@ -48,6 +48,15 @@ docker-image: docker-push: @docker push $(IMAGE_PREFIX)/gardener-extension-provider-metal:$(IMAGE_TAG) +.PHONY: update-crds +update-crds: + go mod tidy + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/duros-controller)/config/crd/bases/* charts/internal/crds-storage/templates + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/firewall-controller-manager)/config/crds/* charts/internal/crds-firewall/templates/firewall-controller-manager/ + cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' all | grep metal-stack/firewall-controller/v2)/config/crd/bases/* charts/internal/crds-firewall/templates/firewall-controller/ + cp -f charts/internal/crds-firewall/templates/firewall-controller-manager/*monitors.yaml charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/ + cp -f charts/internal/crds-firewall/templates/firewall-controller/* charts/internal/shoot-control-plane/templates/firewall-controller-crds/ + ##################################################################### # Rules for verification, formatting, linting, testing and cleaning # ##################################################################### 
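Review bot: Each `go list -mod=mod -m -f '{{.Dir}}' all | grep <pattern>` in the new `update-crds` target selects a module by substring match, so it expands to several directories when another module path happens to contain the pattern and to nothing when the module is absent, and the following `cp -f` then copies from the wrong tree or fails with an unrelated shell error. Asking `go list` for the one module directly avoids the grep entirely, e.g. `cp -f $(shell go list -mod=mod -m -f '{{.Dir}}' github.com/metal-stack/duros-controller)/config/crd/bases/* charts/internal/crds-storage/templates` (assuming that is the full module path), and likewise for the firewall-controller-manager and firewall-controller/v2 lines. Since this commit replaces the `firewall-controller-crds` symlink under shoot-control-plane with copied files, this target appears to be the only thing keeping those copies aligned with the vendored CRDs, which is worth a one-line comment above the target.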
@@ -79,7 +88,7 @@ generate: $(HELM) $(YQ) @$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate-sequential.sh ./charts/... ./cmd/... ./pkg/... .PHONY: generate-in-docker -generate-in-docker: revendor $(HELM) +generate-in-docker: revendor update-crds $(HELM) echo $(shell git describe --abbrev=0 --tags) > VERSION docker run --rm -i$(DOCKER_TTY_ARG) \ --volume $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:$(GO_VERSION) \ diff --git a/charts/charts.go b/charts/charts.go index 4acd8c756..4c9b07eeb 100644 --- a/charts/charts.go +++ b/charts/charts.go @@ -8,3 +8,6 @@ import ( // //go:embed internal var InternalChart embed.FS + +// InternalChartsPath is the path to the internal charts +const InternalChartsPath = "internal" diff --git a/charts/images.yaml b/charts/images.yaml index 11a665ab1..662b63273 100644 --- a/charts/images.yaml +++ b/charts/images.yaml @@ -3,14 +3,10 @@ images: sourceRepository: github.com/metal-stack/metal-ccm repository: ghcr.io/metal-stack/metal-ccm tag: "v0.7.13" -- name: machine-controller-manager - sourceRepository: github.com/gardener/machine-controller-manager - repository: eu.gcr.io/gardener-project/gardener/machine-controller-manager - tag: "0.49.3" - name: machine-controller-manager-provider-metal sourceRepository: https://github.com/metal-stack/machine-controller-manager-provider-metal repository: ghcr.io/metal-stack/machine-controller-manager-provider-metal - tag: "v0.1.17" + tag: "v0.1.19" - name: droptailer sourceRepository: github.com/metal-stack/droptailer repository: ghcr.io/metal-stack/droptailer diff --git a/charts/internal/control-plane/charts/utils-tls-cipher-suites b/charts/internal/control-plane/charts/utils-tls-cipher-suites deleted file mode 120000 index bb8c882cb..000000000 --- a/charts/internal/control-plane/charts/utils-tls-cipher-suites +++ /dev/null @@ -1 +0,0 @@ -../../utils-tls-cipher-suites \ No newline at end of file 
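Review bot: The new `InternalChartsPath` constant repeats the path literal from the `//go:embed internal` directive in the same hunk without noting the coupling, so the two can drift apart in a later edit and the mismatch would presumably only surface when a chart is looked up at runtime. A comment that ties them together, `// InternalChartsPath is the root directory inside InternalChart; it must match the //go:embed directive above.`, documents the invariant where it is defined.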
diff --git a/charts/internal/control-plane/templates/cloud-controller-manager.yaml b/charts/internal/control-plane/templates/cloud-controller-manager.yaml index 27f091bd0..b4723300f 100644 --- a/charts/internal/control-plane/templates/cloud-controller-manager.yaml +++ b/charts/internal/control-plane/templates/cloud-controller-manager.yaml @@ -6,6 +6,11 @@ metadata: labels: app: kubernetes role: cloud-controller-manager + annotations: + networking.resources.gardener.cloud/from-all-scrape-targets-allowed-ports: '[{"port":{{ include "cloud-controller-manager.port" . }},"protocol":"TCP"}]' + # TODO: This label approach is deprecated and no longer needed in the future. Remove them as soon as gardener/gardener@v1.75 has been released. + networking.resources.gardener.cloud/from-policy-pod-label-selector: all-scrape-targets + networking.resources.gardener.cloud/from-policy-allowed-ports: '[{"port":{{ include "cloud-controller-manager.port" . }},"protocol":"TCP"}]' spec: type: ClusterIP clusterIP: None @@ -72,7 +77,7 @@ spec: - --authorization-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig - --tls-cert-file=/var/lib/cloud-controller-manager-server/tls.crt - --tls-private-key-file=/var/lib/cloud-controller-manager-server/tls.key - - --tls-cipher-suites={{ include "kubernetes.tlsCipherSuites" . | replace "\n" "," | trimPrefix "," }} + - --tls-cipher-suites={{ .Values.cloudControllerManager.tlsCipherSuites | join "," }} - --use-service-account-credentials - --v=2 {{- range $index, $param := $.Values.cloudControllerManager.additionalParameters }} diff --git a/charts/internal/control-plane/templates/_helpers.tpl b/charts/internal/control-plane/templates/helpers.tpl similarity index 100% rename from charts/internal/control-plane/templates/_helpers.tpl rename to charts/internal/control-plane/templates/helpers.tpl 
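Review bot: The two `from-policy-*` annotations are introduced under a TODO that says to remove them once gardener/gardener v1.75 has been released, yet this commit's subject states it revendors to g/g 1.82, so the stated removal condition is already met on the lines that add them. If the deprecated label path is still required for seeds that run an older Gardener, the TODO should say so, e.g. `# TODO: Drop the two from-policy-* annotations once every seed runs gardener/gardener >= v1.75.`; otherwise keep only `networking.resources.gardener.cloud/from-all-scrape-targets-allowed-ports`.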
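Review bot: `--tls-cipher-suites` now comes only from `.Values.cloudControllerManager.tlsCipherSuites`, and the removed `kubernetes.tlsCipherSuites` include was the chart's built-in list, so an unset or empty value renders `--tls-cipher-suites=` and, as far as I can tell, the controller-manager then silently uses its compiled-in default suites instead of failing. Presumably the values provider changed in this commit (`pkg/controller/controlplane/valuesprovider.go`, not visible here) always populates it, but the template itself should refuse to render a weaker TLS configuration: `- --tls-cipher-suites={{ required "cloudControllerManager.tlsCipherSuites must be set" .Values.cloudControllerManager.tlsCipherSuites | join "," }}`. The container's argument list continues outside the hunk.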
diff --git a/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml b/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml index 8098ae91b..c8ea3b611 100644 --- a/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml +++ b/charts/internal/crds-firewall/templates/firewall-controller/metal-stack.io_clusterwidenetworkpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterwidenetworkpolicies.metal-stack.io spec: group: metal-stack.io 
@@ -30,14 +30,19 @@ spec: wide network policy to be applied. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -45,81 +50,82 @@ spec: description: PolicySpec defines the rules to create for ingress and egress properties: description: - description: Description is a free form string, it can be used by - the creator of the rule to store human-readable explanation of the - purpose of this rule. Rules cannot be identified by comment. + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human-readable explanation of the purpose of this + rule. Rules cannot be identified by comment. type: string egress: - description: List of egress rules to be applied. Outgoing traffic - is allowed if there is a ClusterwideNetworkPolicy that allows it. + description: |- + List of egress rules to be applied. Outgoing traffic is + allowed if there is a ClusterwideNetworkPolicy that allows it. Clusters are isolated by default. items: - description: EgressRule describes a particular set of traffic that - is allowed out of the cluster The traffic must match both ports - and to. + description: |- + EgressRule describes a particular set of traffic that is allowed out of the cluster + The traffic must match both ports and to. properties: ports: - description: List of destination ports for outgoing traffic. - Each item in this list is combined using a logical OR. If - this field is empty or missing, this rule matches all ports - (traffic not restricted by port). If this field is present - and contains at least one item, then this rule allows traffic - only if the traffic matches at least one port in the list. + description: |- + List of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. 
items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: If set, indicates that the range of ports - from port to endPort, inclusive, should be allowed by - the policy. This field cannot be defined if the port - field is not defined or if the port field is defined - as a named (string) port. The endPort must be equal - or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can - either be a numerical or named port on a pod. If this - field is not provided, this matches all port names and - numbers. If present, only traffic on the specified protocol - AND port will be matched. + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic - must match. If not specified, this field defaults to - TCP. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array to: - description: List of destinations for outgoing traffic of a - cluster for this rule. Items in this list are combined using - a logical OR operation. If this field is empty or missing, - this rule matches all destinations (traffic not restricted - by destination). 
If this field is present and contains at - least one item, this rule allows traffic only if the traffic - matches at least one item in the to list. To rules can't contain - ToFQDNs rules. + description: |- + List of destinations for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. + To rules can't contain ToFQDNs rules. items: - description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") - that is allowed to the pods matched by a NetworkPolicySpec's - podSelector. The except entry describes CIDRs that should - not be included within this rule. + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. properties: cidr: - description: CIDR is a string representing the IP Block + description: |- + cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: Except is a slice of CIDRs that should not - be included within an IP Block Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will be rejected if - they are outside the CIDR range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array 
@@ -128,11 +134,11 @@ spec: type: object type: array toFQDNs: - description: List of FQDNs (fully qualified domain names) for - outgoing traffic of a cluster for this rule. Items in this - list are combined using a logical OR operation. This field - is used as whitelist for DNS names. If none specified, no - rule will be applied. ToFQDNs rules can't contain To rules. + description: |- + List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. This field is used as + whitelist for DNS names. If none specified, no rule will be applied. + ToFQDNs rules can't contain To rules. items: description: FQDNSelector describes rules for matching DNS names. @@ -142,8 +148,9 @@ spec: pattern: ^([-a-zA-Z0-9_]+[.]?)+$ type: string matchPattern: - description: MatchPattern allows using "*" to match DNS - names. "*" matches 0 or more valid characters. + description: |- + MatchPattern allows using "*" to match DNS names. + "*" matches 0 or more valid characters. pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string type: object 
@@ -151,38 +158,38 @@ spec: type: object type: array ingress: - description: List of ingress rules to be applied. Traffic is allowed - to a cluster if there is a ClusterwideNetworkPolicy that allows - it, OR there is a service exposed with type Loadbalancer. Clusters - are isolated by default. + description: |- + List of ingress rules to be applied. Traffic is allowed to + a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service + exposed with type Loadbalancer. Clusters are isolated by default. items: - description: IngressRule describes a particular set of traffic that - is allowed to the cluster. The traffic must match both ports and - from. + description: |- + IngressRule describes a particular set of traffic that is allowed to the cluster. + The traffic must match both ports and from. properties: from: - description: List of sources which should be able to access - the cluster for this rule. Items in this list are combined - using a logical OR operation. If this field is empty or missing, - this rule matches all sources (traffic not restricted by source). - If this field is present and contains at least one item, this - rule allows traffic only if the traffic matches at least one - item in the from list. + description: |- + List of sources which should be able to access the cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. items: - description: IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") - that is allowed to the pods matched by a NetworkPolicySpec's - podSelector. The except entry describes CIDRs that should - not be included within this rule. + description: |- + IPBlock describes a particular CIDR (Ex. 
"192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. properties: cidr: - description: CIDR is a string representing the IP Block + description: |- + cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" type: string except: - description: Except is a slice of CIDRs that should not - be included within an IP Block Valid examples are "192.168.1.0/24" - or "2001:db8::/64" Except values will be rejected if - they are outside the CIDR range + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range items: type: string type: array 
@@ -191,41 +198,39 @@ spec: type: object type: array ports: - description: List of ports which should be made accessible on - the cluster for this rule. Each item in this list is combined - using a logical OR. If this field is empty or missing, this - rule matches all ports (traffic not restricted by port). If - this field is present and contains at least one item, then - this rule allows traffic only if the traffic matches at least - one port in the list. + description: |- + List of ports which should be made accessible on the cluster for this + rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. items: description: NetworkPolicyPort describes a port to allow traffic on properties: endPort: - description: If set, indicates that the range of ports - from port to endPort, inclusive, should be allowed by - the policy. This field cannot be defined if the port - field is not defined or if the port field is defined - as a named (string) port. The endPort must be equal - or greater than port. + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can - either be a numerical or named port on a pod. If this - field is not provided, this matches all port names and - numbers. If present, only traffic on the specified protocol - AND port will be matched. + description: |- + port represents the port on the given protocol. 
This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic - must match. If not specified, this field defaults to - TCP. + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. type: string type: object type: array @@ -255,12 +260,15 @@ spec: type: string type: object type: array - description: FQDNState stores mapping from FQDN rules to nftables - sets used for a firewall rule. Key is either MatchName or MatchPattern + description: |- + FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule. + Key is either MatchName or MatchPattern type: object message: + description: Message describes why the state changed type: string state: + description: State of the CWNP, can be either deployed or ignored type: string type: object type: object diff --git a/charts/internal/machine-controller-manager/seed/Chart.yaml b/charts/internal/machine-controller-manager/seed/Chart.yaml deleted file mode 100644 index 20a7f72d2..000000000 --- a/charts/internal/machine-controller-manager/seed/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Helm chart for needed resource for machine-controller-manager in control cluster -name: machine-controller-manager -version: 0.1.0 diff --git a/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json b/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json deleted file mode 100644 index f69abde24..000000000 --- a/charts/internal/machine-controller-manager/seed/mcm-monitoring-dashboard.json +++ /dev/null 
@@ -1,1174 +0,0 @@ -{ - "description": "Information about the operations of the Machine Controller Manager", - "editable": false, - "gnetId": null, - "graphTooltip": 0, - "id": 16, - "iteration": 1564731005347, - "links": [ - { - "icon": "external link", - "tags": [], - "targetBlank": true, - "title": "Machine Controller Manager", - "tooltip": "", - "type": "link", - "url": "https://github.com/gardener/machine-controller-manager" - } - ], - "panels": [ - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": null, - "description": "State of the managed machines.\n\n| Code | Machine State |\n|---|---|\n| 0 | Running |\n| 1 | Terminating |\n| 2 | Unknown |\n| 3 | Failed |\n| -1 | Available |\n| -2 | Pending |", - "fill": 0, - "gridPos": { - "h": 7, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 5, - "legend": { - "alignAsTable": true, - "avg": false, - "current": false, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_current_status_phase", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{name}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Managed Machines States", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": "3.2", - "min": "-2.2", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - 
"show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Shows the CPU usage of the Machine Controller Manager and shows the requests and limits.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 7 - }, - "id": 13, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(rate(container_cpu_usage_seconds_total{pod=~\"machine-controller-manager-(.+)\"}[5m])) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Current ({{pod}})", - "refId": "A" - }, - { - "expr": "sum(kube_pod_container_resource_limits{resource=\"cpu\", unit=\"core\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Limits ({{pod}})", - "refId": "C" - }, - { - "expr": "sum(kube_pod_container_resource_requests{resource=\"cpu\", unit=\"core\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Requests ({{pod}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM CPU usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 
1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Shows the memory usage of the Machine Controller Manager.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 7 - }, - "id": 11, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "sum(container_memory_working_set_bytes{pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Current ({{pod}})", - "refId": "A" - }, - { - "expr": "sum(kube_pod_container_resource_limits{resource=\"memory\", unit=\"byte\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Limits ({{pod}})", - "refId": "B" - }, - { - "expr": "sum(kube_pod_container_resource_requests{resource=\"memory\", unit=\"byte\", pod=~\"machine-controller-manager-(.+)\"}) by (pod)", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Requests ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM Memory Usage", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "bytes", - "label": null, - "logBase": 2, - "max": null, - "min": null, - "show": true - }, - { - "format": "none", - "label": null, - "logBase": 1, - "max": 
null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Indicates if the Machine Controller Manager is frozen due to unreachable API server.\n\n0 = ok; 1= frozen", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 13 - }, - "id": 2, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 2, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_controller_frozen", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{pod}}", - "refId": "A" - } - ], - "thresholds": [ - { - "colorMode": "critical", - "fill": true, - "line": true, - "op": "gt", - "value": 0.5, - "yaxis": "left" - }, - { - "colorMode": "ok", - "fill": true, - "line": true, - "op": "lt", - "value": 0.5, - "yaxis": "left" - } - ], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "MCM Frozen Status (API Server reachable)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": "", - "logBase": 1, - "max": "1.2", - "min": "-0.2", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": null, - "description": "Average per Second rate over 1m of IaaS provider 
api calls split by services. \n\nShows also the rate of failed iaas calls if at least one failed.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 13 - }, - "id": 4, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(mcm_cloud_api_requests_total[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "{{provider}} / {{service}} ({{pod}})", - "refId": "A" - }, - { - "expr": "rate(mcm_cloud_api_requests_failed_total[1m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "Error: {{provider}} / {{service}} ({{pod}})", - "refId": "B" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "IaaS API Calls", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": null, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "decimals": 0, - "description": "The count of kubernetes resources managed by the Machine Controller Manager.", - "fill": 0, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 19 - }, - "id": 3, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - 
"values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "mcm_machine_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine(s)", - "refId": "A" - }, - { - "expr": "mcm_machine_set_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine set(s)", - "refId": "B" - }, - { - "expr": "mcm_machine_deployment_items_total", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "machine deployment(s)", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Count of Managed Resouces", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": "0", - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 25 - }, - "id": 9, - "panels": [], - "title": "Control Loops", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average processing time of items in the workqueue.", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 19, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - 
"percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "${controlloop}_work_duration{quantile=\"0.5\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p50 ({{pod}})", - "refId": "A" - }, - { - "expr": "${controlloop}_work_duration{quantile=\"0.9\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p90 ({{pod}})", - "refId": "B" - }, - { - "expr": "${controlloop}_work_duration{quantile=\"0.99\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99 ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item processing time: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "How long items stay in the workqueue before they get processed.", - "fill": 1, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 18, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": true, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - 
"expr": "${controlloop}_queue_latency{quantile=\"0.5\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p50 ({{pod}})", - "refId": "A" - }, - { - "expr": "${controlloop}_queue_latency{quantile=\"0.9\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p90 ({{pod}})", - "refId": "B" - }, - { - "expr": "${controlloop}_queue_latency{quantile=\"0.99\"}", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "p99 ({{pod}})", - "refId": "C" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item latency: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "ms", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Current amount of items in the workqueue.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 33 - }, - "id": 16, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "${controlloop}_depth", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": 
null, - "title": "Items in Workqueue: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average per second rate over 5m of workqueue item adds.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 33 - }, - "id": 7, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(${controlloop}_adds[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Adds to Workqueue: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - 
"aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "description": "Average per second rate over 5m of workqueue item retries.", - "fill": 1, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 33 - }, - "id": 17, - "legend": { - "avg": false, - "current": false, - "max": false, - "min": false, - "show": false, - "total": false, - "values": false - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "null", - "percentage": false, - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "expr": "rate(${controlloop}_retries[5m])", - "format": "time_series", - "intervalFactor": 1, - "legendFormat": "${controlloop} ({{pod}})", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Workqueue item retries: ${controlloop}", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - } - ], - "schemaVersion": 18, - "style": "dark", - "tags": [ - "controlplane", - "seed" - ], - "templating": { - "list": [ - { - "allValue": null, - "current": { - "tags": [], - "text": "machine", - "value": "machine" - }, - "hide": 0, - "includeAll": false, - "label": "Control Loop", - "multi": false, - "name": "controlloop", - "options": [ - { - "selected": true, - "text": "machine", - "value": "machine" - }, - { - "selected": false, - "text": "machineset", - "value": "machineset" - }, - { - "selected": false, - "text": "machinedeployment", - 
"value": "machinedeployment"
- },
- {
- "selected": false,
- "text": "node",
- "value": "node"
- },
- {
- "selected": false,
- "text": "secret",
- "value": "secret"
- },
- {
- "selected": false,
- "text": "machinesafetyapiserver",
- "value": "machinesafetyapiserver"
- },
- {
- "selected": false,
- "text": "machinesafetyorphanvms",
- "value": "machinesafetyorphanvms"
- },
- {
- "selected": false,
- "text": "machinesafetyovershooting",
- "value": "machinesafetyovershooting"
- }
- ],
- "query": "machine, machineset, machinedeployment, node, secret, machinesafetyapiserver, machinesafetyorphanvms, machinesafetyovershooting",
- "skipUrlSync": false,
- "type": "custom"
- }
- ]
- },
- "time": {
- "from": "now-3h",
- "to": "now"
- },
- "timepicker": {
- "refresh_intervals": [
- "5s",
- "10s",
- "30s",
- "1m",
- "5m",
- "15m",
- "30m",
- "1h",
- "2h",
- "1d"
- ],
- "time_options": [
- "5m",
- "15m",
- "1h",
- "6h",
- "12h",
- "24h",
- "2d",
- "7d",
- "14d"
- ]
- },
- "timezone": "utc",
- "title": "Machine Controller Manager",
- "uid": "machine-controller-manager",
- "version": 1
-}
diff --git a/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml b/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml
deleted file mode 100644
index 05f91bcb8..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/clusterrole.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
- ownerReferences:
- - apiVersion: v1
- kind: Namespace
- name: {{ .Release.Namespace }}
- uid: {{ .Values.namespace.uid }}
- controller: true
- blockOwnerDeletion: true
-rules:
-- apiGroups:
- - machine.sapcloud.io
- resources:
- - "*"
- verbs:
- - "*"
-- apiGroups:
- - ""
- resources:
- - configmaps
- - secrets
- - endpoints
- - events
- verbs:
- - "*"
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- verbs:
- - create
-- apiGroups:
- - coordination.k8s.io
- resources:
- - leases
- resourceNames:
- - machine-controller
- - machine-controller-manager
- verbs:
- - get
- - watch
- - update
diff --git a/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml b/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml
deleted file mode 100644
index bc3368ebf..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
- ownerReferences:
- - apiVersion: v1
- kind: Namespace
- name: {{ .Release.Namespace }}
- uid: {{ .Values.namespace.uid }}
- controller: true
- blockOwnerDeletion: true
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: extensions.gardener.cloud:{{ .Values.providerName }}:{{ .Release.Namespace }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
diff --git a/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml b/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml
deleted file mode 100644
index e46804f47..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: machine-controller-manager-monitoring-config
- namespace: {{ .Release.Namespace }}
- labels:
- extensions.gardener.cloud/configuration: monitoring
-data:
- alerting_rules: |
- machine-controller-manager.rules.yaml: |
- groups:
- - name: machine-controller-manager.rules
- rules:
- - alert: MachineControllerManagerDown
- expr: absent(up{job="machine-controller-manager"} == 1)
- for: 15m
- labels:
- service: machine-controller-manager
- severity: critical
- type: seed
- visibility: operator
- annotations:
- description: There are no running machine controller manager instances. No shoot nodes can be created/maintained.
- summary: Machine controller manager is down.
-
- dashboard_operators: |
- machine-controller-manager-dashboard.json: |-
-{{ .Files.Get "mcm-monitoring-dashboard.json" | indent 6 }}
diff --git a/charts/internal/machine-controller-manager/seed/templates/deployment.yaml b/charts/internal/machine-controller-manager/seed/templates/deployment.yaml
deleted file mode 100644
index 2d9388f78..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/deployment.yaml
+++ /dev/null
@@ -1,126 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
- high-availability-config.resources.gardener.cloud/type: controller
-spec:
- revisionHistoryLimit: 1
- replicas: {{ .Values.replicas }}
- selector:
- matchLabels:
- app: kubernetes
- role: machine-controller-manager
- template:
- metadata:
-{{- if .Values.podAnnotations }}
- annotations:
-{{ toYaml .Values.podAnnotations | indent 8 }}
-{{- end }}
- labels:
- gardener.cloud/role: controlplane
- app: kubernetes
- role: machine-controller-manager
- networking.gardener.cloud/to-dns: allowed
- networking.gardener.cloud/to-public-networks: allowed
- networking.gardener.cloud/to-private-networks: allowed
- networking.gardener.cloud/to-runtime-apiserver: allowed
- networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
-{{- if .Values.podLabels }}
-{{ toYaml .Values.podLabels | indent 8 }}
-{{- end }}
- spec:
- priorityClassName: gardener-system-300
- serviceAccountName: machine-controller-manager
- terminationGracePeriodSeconds: 5
- containers:
- - name: machine-controller-manager-provider-metal
- image: {{ index .Values.images "machine-controller-manager-provider-metal" }}
- imagePullPolicy: IfNotPresent
- command:
- - ./machine-controller
- - --control-kubeconfig=inClusterConfig
- - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
- - --machine-creation-timeout=20m
- - --machine-drain-timeout=2h
- - --machine-health-timeout=10080m
- - --machine-safety-apiserver-statuscheck-timeout=30s
- - --machine-safety-apiserver-statuscheck-period=1m
- - --machine-safety-orphan-vms-period=30m
- - --namespace={{ .Release.Namespace }}
- - --port={{ .Values.metricsPort2 }}
- - --v=3
- resources:
-{{ toYaml .Values.resources.mcmProviderMetal | indent 10 }}
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: {{ .Values.metricsPort2 }}
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
- name: kubeconfig
- readOnly: true
- - name: metal-machine-controller-manager
- image: {{ index .Values.images "machine-controller-manager" }}
- imagePullPolicy: IfNotPresent
- command:
- - ./machine-controller-manager
- - --control-kubeconfig=inClusterConfig
- # this flag does not work for metal-stack because we never were officially in-tree
- # - --delete-migrated-machine-class=true
- - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
- - --namespace={{ .Release.Namespace }}
- - --port={{ .Values.metricsPort }}
- - --machine-safety-overshooting-period=1m
- - --safety-up=2
- - --safety-down=1
- - --v=3
- livenessProbe:
- failureThreshold: 3
- httpGet:
- path: /healthz
- port: {{ .Values.metricsPort }}
- scheme: HTTP
- initialDelaySeconds: 30
- periodSeconds: 10
- successThreshold: 1
- timeoutSeconds: 5
- ports:
- - name: metrics
- containerPort: {{ .Values.metricsPort }}
- protocol: TCP
- resources:
-{{ toYaml .Values.resources.mcm | indent 10 }}
- volumeMounts:
- - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
- name: kubeconfig
- readOnly: true
- volumes:
- - name: kubeconfig
- projected:
- defaultMode: 420
- sources:
- - secret:
- items:
- - key: kubeconfig
- path: kubeconfig
- name: {{ .Values.genericTokenKubeconfigSecretName }}
- optional: false
- - secret:
- items:
- - key: token
- path: token
- name: shoot-access-machine-controller-manager
- optional: false
diff --git a/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml b/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml
deleted file mode 100644
index 5c5ad6ae9..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/poddisruptionbudget.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: policy/v1
-kind: PodDisruptionBudget
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
-spec:
- maxUnavailable: 1
- selector:
- matchLabels:
- app: kubernetes
- role: machine-controller-manager
diff --git a/charts/internal/machine-controller-manager/seed/templates/service.yaml b/charts/internal/machine-controller-manager/seed/templates/service.yaml
deleted file mode 100644
index 69d436784..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/service.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: kubernetes
- role: machine-controller-manager
-spec:
- type: ClusterIP
- clusterIP: None
- ports:
- - name: metrics
- port: {{ .Values.metricsPort }}
- protocol: TCP
- selector:
- app: kubernetes
- role: machine-controller-manager
diff --git a/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml b/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml
deleted file mode 100644
index dc56ec2c3..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: machine-controller-manager
- namespace: {{ .Release.Namespace }}
-automountServiceAccountToken: false
diff --git a/charts/internal/machine-controller-manager/seed/templates/vpa.yaml b/charts/internal/machine-controller-manager/seed/templates/vpa.yaml
deleted file mode 100644
index c964fb688..000000000
--- a/charts/internal/machine-controller-manager/seed/templates/vpa.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-{{- if .Values.vpa.enabled }}
-apiVersion: autoscaling.k8s.io/v1
-kind: VerticalPodAutoscaler
-metadata:
- name: machine-controller-manager-vpa
- namespace: {{ .Release.Namespace }}
-spec:
- targetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: machine-controller-manager
- updatePolicy:
- updateMode: {{ .Values.vpa.updatePolicy.updateMode | quote }}
- resourcePolicy:
- containerPolicies:
- - containerName: machine-controller-manager-provider-metal
- minAllowed:
- memory: {{ .Values.resources.mcmProviderMetal.requests.memory }}
- maxAllowed:
- cpu: {{ .Values.vpa.resourcePolicy.mcmProviderMetal.maxAllowed.cpu }}
- memory: {{ .Values.vpa.resourcePolicy.mcmProviderMetal.maxAllowed.memory }}
- controlledValues: RequestsOnly
- - containerName: metal-machine-controller-manager
- minAllowed:
- memory: {{ .Values.resources.mcm.requests.memory }}
- maxAllowed:
- cpu: {{ .Values.vpa.resourcePolicy.mcm.maxAllowed.cpu }}
- memory: {{ .Values.vpa.resourcePolicy.mcm.maxAllowed.memory }}
- controlledValues: RequestsOnly
-{{- end }}
diff --git a/charts/internal/machine-controller-manager/seed/values.yaml b/charts/internal/machine-controller-manager/seed/values.yaml
deleted file mode 100644
index 756453853..000000000
--- a/charts/internal/machine-controller-manager/seed/values.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-images:
- machine-controller-manager: image-repository:image-tag
- machine-controller-manager-provider-metal: image-repository:image-tag
-
-replicas: 1
-
-podAnnotations: {}
-
-podLabels: {}
-
-providerName: provider-foo
-
-# injected by generic worker actuator
-genericTokenKubeconfigSecretName: generic-token-kubeconfig
-
-namespace:
- uid: uuid-of-namespace
-
-metricsPort: 10258
-metricsPort2: 10259
-
-vpa:
- enabled: true
- updatePolicy:
- updateMode: "Auto"
- resourcePolicy:
- mcm:
- maxAllowed:
- cpu: 2
- memory: 5G
- mcmProviderMetal:
- maxAllowed:
- cpu: 2
- memory: 5G
-
-resources:
- mcm:
- requests:
- cpu: 31m
- memory: 70Mi
- mcmProviderMetal:
- requests:
- cpu: 50m
- memory: 64Mi
- limits:
- cpu: "2"
- memory: 5G
diff --git a/charts/internal/machine-controller-manager/shoot/Chart.yaml b/charts/internal/machine-controller-manager/shoot/Chart.yaml
deleted file mode 100644
index 8a921ab3f..000000000
--- a/charts/internal/machine-controller-manager/shoot/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-description: Helm chart for needed resource for machine-controller-manager in target cluster
-name: machine-controller-manager
-version: 0.1.0
diff --git a/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml
deleted file mode 100644
index 0e99cdc77..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/clusterrole-machine-controller-manager.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- - nodes/status
- - endpoints
- - replicationcontrollers
- - pods
- - persistentvolumes
- - persistentvolumeclaims
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - ""
- resources:
- - pods/eviction
- verbs:
- - create
-- apiGroups:
- - extensions
- - apps
- resources:
- - replicasets
- - statefulsets
- - daemonsets
- - deployments
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - batch
- resources:
- - jobs
- - cronjobs
- verbs:
- - create
- - delete
- - deletecollection
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - policy
- resources:
- - poddisruptionbudgets
- verbs:
- - list
- - watch
-- apiGroups:
- - storage.k8s.io
- resources:
- - volumeattachments
- verbs:
- - get
- - list
- - watch
diff --git a/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml
deleted file mode 100644
index 712604780..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/clusterrolebinding-machine-controller-manager.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: kube-system
diff --git a/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml
deleted file mode 100644
index 20fba7fdb..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/role-machine-controller-manager.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- namespace: kube-system
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
diff --git a/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml b/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml
deleted file mode 100644
index c1245f38c..000000000
--- a/charts/internal/machine-controller-manager/shoot/templates/rolebinding-machine-controller-manager.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
- namespace: kube-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: extensions.gardener.cloud:{{ .Values.providerName }}:machine-controller-manager
-subjects:
-- kind: ServiceAccount
- name: machine-controller-manager
- namespace: kube-system
diff --git a/charts/internal/machine-controller-manager/shoot/values.yaml b/charts/internal/machine-controller-manager/shoot/values.yaml
deleted file mode 100644
index 7bc5d27da..000000000
--- a/charts/internal/machine-controller-manager/shoot/values.yaml
+++ /dev/null
@@ -1 +0,0 @@
-providerName: provider-foo
diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-crds b/charts/internal/shoot-control-plane/templates/firewall-controller-crds
deleted file mode 120000
index a23e449be..000000000
--- a/charts/internal/shoot-control-plane/templates/firewall-controller-crds
+++ /dev/null
@@ -1 +0,0 @@
-../../crds-firewall/templates/firewall-controller
\ No newline at end of file
diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml
new file mode 100644
index 000000000..c8ea3b611
--- /dev/null
+++ b/charts/internal/shoot-control-plane/templates/firewall-controller-crds/metal-stack.io_clusterwidenetworkpolicies.yaml
@@ -0,0 +1,278 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: clusterwidenetworkpolicies.metal-stack.io +spec: + group: metal-stack.io + names: + kind: ClusterwideNetworkPolicy + listKind: ClusterwideNetworkPolicyList + plural: clusterwidenetworkpolicies + shortNames: + - cwnp + singular: clusterwidenetworkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: Status + type: string + - jsonPath: .status.message + name: Message + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterwideNetworkPolicy contains the desired state for a cluster + wide network policy to be applied. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: PolicySpec defines the rules to create for ingress and egress + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human-readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + List of egress rules to be applied. Outgoing traffic is + allowed if there is a ClusterwideNetworkPolicy that allows it. 
+ Clusters are isolated by default. + items: + description: |- + EgressRule describes a particular set of traffic that is allowed out of the cluster + The traffic must match both ports and to. + properties: + ports: + description: |- + List of destination ports for outgoing traffic. + Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. + items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. + type: string + type: object + type: array + to: + description: |- + List of destinations for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all destinations (traffic not restricted by + destination). 
If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the to list. + To rules can't contain ToFQDNs rules. + items: + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. + properties: + cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + type: array + toFQDNs: + description: |- + List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule. + Items in this list are combined using a logical OR operation. This field is used as + whitelist for DNS names. If none specified, no rule will be applied. + ToFQDNs rules can't contain To rules. + items: + description: FQDNSelector describes rules for matching DNS + names. + properties: + matchName: + description: MatchName matches FQDN. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using "*" to match DNS names. + "*" matches 0 or more valid characters. + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + type: object + type: array + ingress: + description: |- + List of ingress rules to be applied. Traffic is allowed to + a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service + exposed with type Loadbalancer. Clusters are isolated by default. 
+ items: + description: |- + IngressRule describes a particular set of traffic that is allowed to the cluster. + The traffic must match both ports and from. + properties: + from: + description: |- + List of sources which should be able to access the cluster for this rule. + Items in this list are combined using a logical OR operation. If this field is + empty or missing, this rule matches all sources (traffic not restricted by + source). If this field is present and contains at least one item, this rule + allows traffic only if the traffic matches at least one item in the from list. + items: + description: |- + IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed + to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs + that should not be included within this rule. + properties: + cidr: + description: |- + cidr is a string representing the IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + type: string + except: + description: |- + except is a slice of CIDRs that should not be included within an IPBlock + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + Except values will be rejected if they are outside the cidr range + items: + type: string + type: array + required: + - cidr + type: object + type: array + ports: + description: |- + List of ports which should be made accessible on the cluster for this + rule. Each item in this list is combined using a logical OR. If this field is + empty or missing, this rule matches all ports (traffic not restricted by port). + If this field is present and contains at least one item, then this rule allows + traffic only if the traffic matches at least one port in the list. + items: + description: NetworkPolicyPort describes a port to allow traffic + on + properties: + endPort: + description: |- + endPort indicates that the range of ports from port to endPort if set, inclusive, + should be allowed by the policy. 
This field cannot be defined if the port field + is not defined or if the port field is defined as a named (string) port. + The endPort must be equal or greater than port. + format: int32 + type: integer + port: + anyOf: + - type: integer + - type: string + description: |- + port represents the port on the given protocol. This can either be a numerical or named + port on a pod. If this field is not provided, this matches all port names and + numbers. + If present, only traffic on the specified protocol AND port will be matched. + x-kubernetes-int-or-string: true + protocol: + default: TCP + description: |- + protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. + If not specified, this field defaults to TCP. + type: string + type: object + type: array + type: object + type: array + type: object + status: + description: PolicyStatus defines the observed state for CWNP resource + properties: + fqdn_state: + additionalProperties: + items: + description: IPSet stores set name association to IP addresses + properties: + expirationTime: + format: date-time + type: string + fqdn: + type: string + ips: + items: + type: string + type: array + setName: + type: string + version: + type: string + type: object + type: array + description: |- + FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule. + Key is either MatchName or MatchPattern + type: object + message: + description: Message describes why the state changed + type: string + state: + description: State of the CWNP, can be either deployed or ignored + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml deleted file mode 120000 index 32160e5bc..000000000 
--- a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml
+++ /dev/null
@@ -1 +0,0 @@
-../../../crds-firewall/templates/firewall-controller-manager/firewall.metal-stack.io_firewallmonitors.yaml
\ No newline at end of file
diff --git a/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml
new file mode 100644
index 000000000..dc859c3f8
--- /dev/null
+++ b/charts/internal/shoot-control-plane/templates/firewall-controller-manager-crds/firewall.metal-stack.io_firewallmonitors.yaml
@@ -0,0 +1,317 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: firewallmonitors.firewall.metal-stack.io +spec: + group: firewall.metal-stack.io + names: + kind: FirewallMonitor + listKind: FirewallMonitorList + plural: firewallmonitors + shortNames: + - fwmon + singular: firewallmonitor + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .machineStatus.machineID + name: Machine ID + type: string + - jsonPath: .image + name: Image + type: string + - jsonPath: .size + name: Size + type: string + - jsonPath: .machineStatus.lastEvent.event + name: Last Event + type: string + - jsonPath: .machineStatus.allocationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: |- + FirewallMonitor is typically deployed into the shoot cluster in comparison to the other resources of this controller + which are deployed into the seed cluster's shoot namespace. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + conditions: + description: Conditions contain the latest available observations of a + firewall's current state. + items: + description: Condition holds the information about the state of a resource. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: Last time the condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about the + transition. 
+ type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of the condition. + type: string + required: + - lastTransitionTime + - lastUpdateTime + - message + - reason + - status + - type + type: object + type: array + controllerStatus: + description: ControllerStatus holds the status of the firewall-controller + reconciling this firewall + properties: + controllerVersion: + type: string + distance: + description: |- + FirewallDistance defines the as-path length of firewalls, influencing how strong they attract + network traffic for routing traffic in and out of the cluster. + This is of particular interest during rolling firewall updates, i.e. when there is + more than a single firewall running in front of the cluster. + During a rolling update, new firewalls start with a longer distance such that + traffic is only attracted by the existing firewalls ("firewall staging"). + When the new firewall has connected successfully to the firewall monitor, the deployment + controller throws away the old firewalls and the new firewall takes over the routing. + The deployment controller will then shorten the distance of the new firewall. + This approach reduces service interruption of the external user traffic of the cluster + (for firewall-controller versions that support this feature). 
+ type: integer + distanceSupported: + type: boolean + lastRun: + format: date-time + type: string + lastRunAgainstSeed: + format: date-time + type: string + message: + type: string + nftablesExporterVersion: + type: string + stats: + description: FirewallStats contains firewall statistics + properties: + devices: + additionalProperties: + description: DeviceStat contains statistics of a device + properties: + in: + format: int64 + type: integer + out: + format: int64 + type: integer + required: + - in + - out + type: object + description: DeviceStatsByDevice contains DeviceStatistics grouped + by device name + type: object + idsStats: + additionalProperties: + properties: + drop: + type: integer + invalidChecksums: + type: integer + packets: + type: integer + required: + - drop + - invalidChecksums + - packets + type: object + type: object + rules: + additionalProperties: + additionalProperties: + description: RuleStat contains the statistics for a single + nftables rule + properties: + counter: + description: Counter holds values of a nftables counter + object + properties: + bytes: + format: int64 + type: integer + packets: + format: int64 + type: integer + required: + - bytes + - packets + type: object + required: + - counter + type: object + description: RuleStats contains firewall rule statistics of + all rules of an action + type: object + description: 'RuleStatsByAction contains firewall rule statistics + groups by action: e.g. accept, drop, policy, masquerade' + type: object + required: + - devices + - idsStats + - rules + type: object + type: object + egressRules: + description: EgressRules contains egress rules configured for this firewall. + items: + description: EgressRuleSNAT holds a Source-NAT rule + properties: + ips: + description: IPs contains the ips used as source addresses for packets + leaving the specified network. 
+ items: + type: string + type: array + networkID: + description: NetworkID is the network for which the egress rule + will be configured. + type: string + required: + - ips + - networkID + type: object + type: array + image: + description: Image is the os image of the firewall. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + logAcceptedConnections: + description: LogAcceptedConnections if set to true, also log accepted + connections in the droptailer log. + type: boolean + machineStatus: + description: MachineStatus holds the status of the firewall machine + properties: + allocationTimestamp: + description: AllocationTimestamp is the timestamp when the machine + was allocated. + format: date-time + type: string + crashLoop: + description: CrashLoop can occur during provisioning of the firewall + causing the firewall not to get ready. + type: boolean + imageID: + description: ImageID contains the used os image id of the firewall + (the fully qualified version, no shorthand version). + type: string + lastEvent: + description: LastEvent contains the last provisioning event of the + machine. + properties: + event: + description: Event is the provisioning event. + type: string + message: + description: Message contains a message further describing the + event. + type: string + timestamp: + description: Timestamp is the point in time when the provisioning + event was received. + format: date-time + type: string + required: + - event + - message + - timestamp + type: object + liveliness: + description: Liveliness expresses the liveliness of the firewall and + can be used to determine the general health state of the machine. 
+ type: string + machineID: + description: MachineID is the id of the firewall in the metal-stack + api. + type: string + required: + - allocationTimestamp + - liveliness + - machineID + type: object + metadata: + type: object + networks: + description: Networks are the networks to which this firewall is connected. + items: + type: string + type: array + partition: + description: Partition is the partition in which the firewall resides. + type: string + project: + description: Project is the project in which the firewall resides. + type: string + rateLimits: + description: RateLimits allows configuration of rate limit rules for interfaces. + items: + description: RateLimit contains the rate limit rule for a network. + properties: + networkID: + description: NetworkID specifies the network which should be rate + limited. + type: string + rate: + description: Rate is the input rate in MiB/s. + format: int32 + type: integer + required: + - networkID + - rate + type: object + type: array + size: + description: Size is the machine size of the firewall. + type: string + required: + - conditions + - image + - networks + - partition + - project + - size + type: object + served: true + storage: true + subresources: {} diff --git a/charts/internal/shoot-storageclasses/templates/_helpers.tpl b/charts/internal/shoot-storageclasses/templates/helpers.tpl similarity index 100% rename from charts/internal/shoot-storageclasses/templates/_helpers.tpl rename to charts/internal/shoot-storageclasses/templates/helpers.tpl diff --git a/charts/internal/utils-tls-cipher-suites/Chart.yaml b/charts/internal/utils-tls-cipher-suites/Chart.yaml deleted file mode 100644 index 11d39bd14..000000000 --- a/charts/internal/utils-tls-cipher-suites/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Util chart for cipher-suites -name: utils-tls-cipher-suites -version: 0.1.0 
diff --git a/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl b/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl
deleted file mode 100644
index 364d206a6..000000000
--- a/charts/internal/utils-tls-cipher-suites/templates/_tls_cipher_suites.tpl
+++ /dev/null
@@ -1,10 +0,0 @@
-{{- define "kubernetes.tlsCipherSuites" }}
-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-TLS_RSA_WITH_AES_128_CBC_SHA
-TLS_RSA_WITH_AES_256_CBC_SHA
-TLS_RSA_WITH_AES_128_GCM_SHA256
-TLS_RSA_WITH_AES_256_GCM_SHA384
-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
-{{- end -}}
diff --git a/cmd/gardener-extension-provider-metal/app/app.go b/cmd/gardener-extension-provider-metal/app/app.go
index 83471a96d..0ace37a92 100644
--- a/cmd/gardener-extension-provider-metal/app/app.go
+++ b/cmd/gardener-extension-provider-metal/app/app.go
@@ -11,6 +11,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
+ "github.com/go-logr/logr"
 "github.com/metal-stack/gardener-extension-provider-metal/charts"
 metalinstall "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/install"
 metalcmd "github.com/metal-stack/gardener-extension-provider-metal/pkg/cmd"
@@ -21,6 +22,7 @@ import (
 "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal"
 shootcontrolplanewebhook "github.com/metal-stack/gardener-extension-provider-metal/pkg/webhook/controlplane"
 metalcontrolplaneexposure "github.com/metal-stack/gardener-extension-provider-metal/pkg/webhook/controlplaneexposure"
+ autoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
 "github.com/gardener/gardener/extensions/pkg/controller/heartbeat"
 heartbeatcmd "github.com/gardener/gardener/extensions/pkg/controller/heartbeat/cmd"
@@ -35,6 +37,7 @@ import (
 "github.com/spf13/cobra"
 "k8s.io/component-base/version/verflag"
 "sigs.k8s.io/controller-runtime/pkg/client"
+ "sigs.k8s.io/controller-runtime/pkg/cluster"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 "sigs.k8s.io/controller-runtime/pkg/healthz"
 "sigs.k8s.io/controller-runtime/pkg/manager"
@@ -171,14 +174,27 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 if err := controller.AddToScheme(scheme); err != nil {
 return fmt.Errorf("could not update manager scheme: %w", err)
 }
-
 if err := metalinstall.AddToScheme(scheme); err != nil {
 return fmt.Errorf("could not update manager scheme: %w", err)
 }
-
 if err := druidv1alpha1.AddToScheme(scheme); err != nil {
 return fmt.Errorf("could not update manager scheme: %w", err)
 }
+ if err := autoscalingv1.AddToScheme(scheme); err != nil {
+ return fmt.Errorf("could not update manager scheme: %w", err)
+ }
+
+ log := mgr.GetLogger()
+ gardenCluster, err := getGardenCluster(log)
+ if err != nil {
+ return err
+ }
+ log.Info("Adding garden cluster to manager")
+ if err := mgr.Add(gardenCluster); err != nil {
+ return fmt.Errorf("failed adding garden cluster to manager: %w", err)
+ }
+
+ log.Info("Adding controllers to manager")
 configFileOpts.Completed().ApplyETCD(&metalcontrolplaneexposure.DefaultAddOptions.ETCD)
 configFileOpts.Completed().ApplyMachineImages(&metalworker.DefaultAddOptions.MachineImages)
@@ -195,6 +211,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 reconcileOpts.Completed().Apply(&metalcontrolplane.DefaultAddOptions.IgnoreOperationAnnotation)
 reconcileOpts.Completed().Apply(&metalworker.DefaultAddOptions.IgnoreOperationAnnotation)
 workerCtrlOpts.Completed().Apply(&metalworker.DefaultAddOptions.Controller)
+ metalworker.DefaultAddOptions.GardenCluster = gardenCluster
 atomicShootWebhookConfig, err := webhookOptions.Completed().AddToManager(ctx, mgr)
 if err != nil {
@@ -232,3 +249,21 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 return cmd
 }
+
+func getGardenCluster(log logr.Logger) (cluster.Cluster, error) {
+ log.Info("Getting rest config for garden")
+ gardenRESTConfig, err := kubernetes.RESTConfigFromKubeconfigFile(os.Getenv("GARDEN_KUBECONFIG"), kubernetes.AuthTokenFile)
+ if err != nil {
+ return nil, err
+ }
+
+ log.Info("Setting up cluster object for garden")
+ gardenCluster, err := cluster.New(gardenRESTConfig, func(opts *cluster.Options) {
+ opts.Scheme = kubernetes.GardenScheme
+ opts.Logger = log
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed creating garden cluster object: %w", err)
+ }
+ return gardenCluster, nil
+}
diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
index ed6d9a55f..9dccca3c9 100644
--- a/example/controller-registration.yaml
+++ b/example/controller-registration.yaml
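Review bot: The error from `kubernetes.RESTConfigFromKubeconfigFile(os.Getenv("GARDEN_KUBECONFIG"), kubernetes.AuthTokenFile)` is returned bare, so when `GARDEN_KUBECONFIG` is unset or points at an unreadable file the process exits with only the underlying file error and no hint which setting is wrong; the second error in the same function is wrapped, so this one should be too: `return nil, fmt.Errorf("loading garden kubeconfig from GARDEN_KUBECONFIG: %w", err)`. Since the preceding hunk makes the garden cluster mandatory for the manager to start, an explicit check before the call, `if os.Getenv("GARDEN_KUBECONFIG") == "" { return nil, fmt.Errorf("GARDEN_KUBECONFIG must be set") }`, turns that startup failure into an actionable message. The function also has no doc comment; `// getGardenCluster builds a controller-runtime cluster.Cluster for the garden cluster from the kubeconfig referenced by GARDEN_KUBECONFIG, using the garden scheme.` would cover it.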
@@ -8,7 +8,7 @@ providerConfig: chart: H4sIAAAAAAAAA+0ca2/cNjKf9SsIuUXbQ6R9eO0EAnKoG7up7xJ7YfvSOxRFoJXoXcVaURUlO26a/37Dl0S9Vis7ddJGAwNeUZzhkJwZDodDLd3ExxFOLPwuxRENSGTFCbkOfCha49QNR4/uDWOAJ3t7/D9A9T//PdmdTaZ70/19Vj7Z3x3PHqG9+zfdDRlN3QShRwkh6aZ6Xe//orDsnP/nKzdJ7Vt3Hd61DTbB+7NZ6/xPd2fl+Z9C0fgRGn/MjrbBFz7/bhy8xgmbdwddTww3jvNHc2KPTcPH1EuCOOVFB+gnHK6Rx0QCXZIEpSuMXkgRQq+YvKC5FB+US5QRuWvsoE5RM65V02Mb2jY+9dh8CdCt/z7x7CW5Txtd+r+3+6Ri/5/MxnuD/j8EjEZL4iyZBLgpRnSFLA+Ztj2Cv2sc+SQZLYN0lS1sj6xHSliKHyvXuxopdMsjUZqQMATZSfAyoCmUgkTZQLYsVMhGX33ruSkSLb0+Ojs/Pj35Tj7id+46DvGojRxbi9Bz8XIeuhF2BNHj6DJxoVbmpVmiCn8myRVOxINpGKMRmgPP7hJLK4YjdxFiikrDkMUxkRZOFgbRkhs7jyQJ9lJU8IZKvBmxTv3zN2Hd+p9imAwYFXpnT7C3/zcd746ng//3ENBn/t+scBjDEm2ncS9fsMP+T6bT/cr8T/eng/1/EHj/3kI+vgwijEzmppnI+vDB6HbVGB6sD7y2oRMJ3QUOqQ2OpH2FbwU5/pAtcBJhkCM7ICPWVIlGC4lrN8wkT+/foyDywszPObWRRNzASB23yiCj4qCWGrJ93lK9F0EEwhN5mKPbZzjELsX2CTDXyFnOWrCGFUJwhhB7E1yilUvnCbx/h0y6cqd7+w40+5o1D02x+nbqLlGOESdBlF4i82v6/de0WjPBMaFBSpLbTSSgj7iJoHNngtBZrd/VCfFxHJLbNY5S6efnwkFHsPXQh+tTa8WXA33sP/g8l8Fy7cYWn/xr8INIYhGYzZskSHFrjKDL/5/t71bs/xNWNNj/BwBpfUpa/ZpP7KmaV2H7SmGCqyDyHeaCgzy8cmODSYrvpq4DlkBs9putdbPgSCQKrnODKeXFwsgIw+w0mHNG/g8oBFlO0YzVVuzwFumbspQ66A9GZGOvy+Q0o/app+yjwp30v2c0sEP/Z5NJ1f/bnewO+v8g8LEUO5eNP1WZRSu5CiMAy7L4f70jXHBtJcd2LtrUlgSU1NteSDIfvA83jFfuhBPKh0Du78VgZGJ/b1TspaTnhQHwCjUjMCJQTfQQ+K2UO7wUmPU8HLNyYCy9uI0x5UOV4N+yIME+Mjvo23UCKKA5vtnFXxO+ZJkPsirtyZWG2Y8dHTHn47e476gARr92GULe3iJLaNqzRY7Tr02BUl5SmqVq7Xor8JyP+Qqm+CwVcu1Jyf9YQGwjcuti1tzyJXTlxg3DY5iWJHJDsTMpmGh7v4GfVpKtrLGGdtCPx/99dQTDu4YVvIVbvEwwpYeYpkHEtTTns/5mA4cNZDbyhlPPVwpNwXWAgVaPTPNdSk+Uxay2BJi2RLHzmoUkAroLhjJIb7uxZUVNjF3vKosLTqi3wn4WtjMiEGxVT2fDx2HqnkduTFckneMkIH4XmQYURbEySH6WEFrwKQKxjfRVZzmGLSu2S29rddVU7CZpwGZY2PYNMlEmVcErxGMybZAP7lXOszCckzDwGqeyUqW9S3nFc+wlOIVOecTH/iHxrtQK9a/z05Na06K6GuQWrI2cdTf4d3WNvwjo4/8XAZx+G4DN/v9kMtmrnv/v7u4N5/8PArrbrCJxwgM+zGd7613An+L70xh7rOEEXweMz58CZpRvXwbrALy1MX8Tg/V0acmOycLnJItS0SgFXtgW35F+VOqtXm7Hx74goDRBEtAGhfv0UURS5WSolWbL8Eq+7K+wd0WztRZq40rYHDcpTcO3PICLv
rIvJJf2DzDwczddIXOryJ35He+yCD4DDzpflZWthdWNW8M7MLsVWzC6LnCmRhiGKwk8teqfewkIeLQsLf4JgUornOUHEQ4yG+L3ZgsGZTQZTppkuKi0w+LcbhamSLLABiwmrJtBpB0XWwkIZLDGLdTZubPkp9yjOTuQ1rmqzYlSKlUhwukNSUCZa/vdlCguLBgeihMQBFD/MCQ32N8O3wcp74cRZwtQSEvW6Y2dBNcsxWArdPDjSZZ4MHh1QoBmgWtKUmqxw5xiAKzUi63ZbLeg3GEVnuZ+rbRQXC1gol3YdyX5RFhdJlMAV8zyzNfOXj58cGqvxQmMWabT4nUKjLjkb+b6TNZrUKRCfCw0anAOhDlawUY90WqWXQY9DwRoQpt6XUsaBOsyCPGzEewdRs1DIw3BSAv6VMmwVmKWAQLtvGMFXpYkMDdWgtkDNECflX1byVf+m2PbBeb5beRRfVxYSysMjv8Cu6mVL2/PNqxuTYhAG99YAdv8XsMIUcaf38pcjmdzvGOJdi6wqq0EpbyX/kNRxu8ajGAZEWiFxFiExKxi4WttgKOcKoyDHKFK+4Yn6/TvgcDr4vwGL0Dxr5T89ZzLCrY0Gsxe61zJWs/l9pFXkqa7RM0PKFugNFUpdU6+LqKQLBbxFlYTZD4222jJtpsI/SxftVCpuCnlJafUlnxlLcAIWq7vs5DJM6d1udrkQUgFCdNVOzXxvomR3DbJw2S907nVl+90XBxd6zZO2OaXRweHR2dvjl4ePb84Pj15c3Lw6uh8fvD8KK+JEE8F+BEWa0crZKEwHPpn+LJcKsuZR+PknqKdS9xd/UPF7/GrgxdHr4HZ07M3p6+Pzn4+O76o8eqgEU9C0w6/Ro2nYZsmKQyuYSQpnSdkgfU+rtI0flGEFgTEvL8jMWu/l19xx6ZzahmwSBTr5U8XF3PtRRAFaeCGhzh0b6UldNBknNdIsOsHvXllWLcPwuqeoTdA61KoLIywGhq53KmYVznbxtxwFzMlHgkddPF8Xo0w5c6SjpMXNsXGCow/UKQiYOOGCBiDaxJma/yKbcMauiyMqcbqmlUUatPtGtxXjdpOo5uYqamSVo/J0GkUgrPF9gTt6sTmJ/DwgecxwifdbuEOci8vmTDdOnkJEx//ALz3g4ZXKD+IOMxgi7U8F0Fd+HXM12BZfPQOe5l+ILUjx4W7ueeljbJ6yQeEbZqP3sXMTusb3aKGha7wbWs6VZ5wVcNDSDgU0Co6jhpec5PW0CBrcovkrTJaSmISkuXtvxmvZjmpa0VoyidC4ggBrrnzFQn01JGpbmS2PjFVILeQr4gPeLOpsm29xHs74e7Pb5eybOB9iA5/ttAn/gt2B9zJJOOXgRaZv8TbBYI773/MKvc/4MeT6RD/fQiQpmWZom9ZqKopevodmlRTwGIePhhdTxYgIipgPCf+YS4eP3Dx+Dwix7Cd/E/kXrtByLZCnDzNFp0dvnfE+K9g+vrof7JwvbtcBO3Qf9D6qv5PJ+Mng/4/BLD0KV2z+Ry7WboiSfC7uNJ09ZT7RUV2WAhjhpMzEuI++t1Hc5MsZB6XxbK6XiQki7n7ZSEtk6sc2TVKWxZWVaQjLDLvCqe0XjKCaU8z/QU0ngS4oaRclfITntKDXsETgyMftBhjQ4mO50eUhbkSv/qoVyoH6hrL9OoiKlb6XbwGD24hh4oZau78B1T8uGGWjv+K819ZDPOM61PSFmuvz4gIBft5aZkJ8x9mnbhHYAhkNo6Uwzpdvk5UqHmwJePeaa1X92xDlfNlSbyrBL+hKnvgSwfLGOQjXLeyeYi3eS7ahts0+T92VCtlUE1Qq+YKBH8d8D1b6baiXiEONO3SXmjnKm2jky/dtPI4gh2qGwa/KymE/UMktZHyvJJcK8RWSNaSB2dSFfJz6NrziHpuiCU5vrWm+oMr9tklxQTlw7UCFn6E/onyokbt1VuyED/AEy5+jGAnKQQ8S/lFURmU8fTEUVEddqSB31HHA
7bIWo0wvzwTFG/lbHAHLNhKh2QioE3dmCtm4wwyzBqpHZFIazE/KrgMPNRmlmW1FKxmI3WV+1ca+JuAqUTf3ihSdr828yclcqqgLF1drat0sK7GebrYFvT8LRYyqKMvTcVjH1t+n5V0i6XpDgyApSJMfTfZFSCbglMegpap6sKSdI2r2J/UCTbsYNsXjj7LojBMIWYm+14e1Q/C3vxpjhU0IQ8r1JBt4NDIs+E1l6+DH9hZvYWVj5sJgXxeinp292ebjeCndpv/NtBn/yeX1d5bwI7933RvVs3/m+4P938eBhrv/0iN/fjRm1qO3DZJO5cJWbPMgNC3WCIQPztD3/zy3lTHWqZjXjyfm49N9s50tjse+/DrN/044IlDGPuWSACzQGzY8mHJbKESY1U+yofij6uc34kXdVq4iY+HGqB89i0VMpMcaDEzaLdy0lI6FwceBVETBqiGWGmPLWOAwPO4zF6cggdg8cUx57TIA4EhDFgWaeEbGeLQ6OL08NRBF6uAisWWbb8SAn41u/kDHiT4Q2AgfZ6IGBEUkmiJE2AHvHefZf+xD8dcZjy5Bp3xmyysaI1ciighEftf+7TO99cT+8ke+ywAWmAcgSfDNcq3+0mK8ISserd5mluTQN+J/kdTgrvEd1N+U036KMfsHL4I3G6X2ZsfyFvy8H822+XjUD4550eHfJR6HcR/ahu/Ce6w/stt9fZuQNf5z3Q2qaz/s+l4yP9/ENi0/iuP/ZMe4nzqAfqbQ7f+i8SL+3wAtEP/d8f7Vf0fz/aH858HAZF2ziMlKs3cQcuVlygHTYa5mnLBK5+EYmvj0kF8rWDb/FhLQj8Ib9xbahj6MauDJkYRn0HvPxiG5iI46On46dgoUu94wcQwtIxZ+UmA/ERF7CkqWcAi8a58TLKhYh6XF3Wa8q8dtMuyW8SRyqY229KeHXTphhQbRj3N10G//GpUknZ5mbGDmvJ+2GcQWFZTIO+D72gZQLGbUZFhzJMHDZH9JAb8TJ/u4guPhYOu/1yEZDFau8y9Gi2yIAQ3mpEeidugLI/fUMlnGlUhQ0tCliF+U9yLELiWu/b3ZxKNy425yz43KwryD8FO7MnEfvfX7tWk1ivzn89Yz6bihW3bhlHyHx1D5AqqhE/mjRo7O1CWsrMDyj9MKXXlMcL20kZU3XRa3CLu1BfXigBTKRYjDHTE5aj8opLC5S8NdRNb3Z2SSY2Gl7PW/FWLpm9awD6JqTurNHpLSaR0pfi+RGMN/uWHyVikkMnPMky4zpW/fsD0ovKFgMY7/6zeho8WiNfFdf7KPfXiKr8qUJfzBX+l+/b5bXtDZcXVb9AblSZKF+Hza/DCRIjC6oV1ZiwbrvocX55AI9B9zOOsjbfA2+6AG/lH/4T0YTkYysjLr6oM/tgAAwwwwAADDDDAAAMMMMAAAwwwwAADDDDAAAMMMMDnDf8HJasSEQB4AAA= values: image: - tag: v0.22.12 + tag: v0.23.1 --- apiVersion: core.gardener.cloud/v1beta1 kind: ControllerRegistration diff --git a/go.mod b/go.mod index 822ee9ccc..435040d8a 100644 --- a/go.mod +++ b/go.mod 
@@ -3,15 +3,14 @@ module github.com/metal-stack/gardener-extension-provider-metal
 go 1.22
 require (
- github.com/Masterminds/semver v1.5.0
 github.com/Masterminds/semver/v3 v3.2.1
 github.com/ahmetb/gen-crd-api-reference-docs v0.3.0
 github.com/coreos/go-systemd/v22 v22.5.0
- github.com/gardener/etcd-druid v0.19.2
- github.com/gardener/gardener v1.80.7
+ github.com/gardener/etcd-druid v0.20.1
+ github.com/gardener/gardener v1.82.3
 github.com/gardener/gardener-extension-networking-calico v1.36.1
 github.com/gardener/gardener-extension-networking-cilium v1.26.0
- github.com/gardener/machine-controller-manager v0.49.3
+ github.com/gardener/machine-controller-manager v0.50.1
 github.com/go-logr/logr v1.4.1
 github.com/go-openapi/strfmt v0.23.0
 github.com/golang/mock v1.6.0
@@ -29,6 +28,7 @@ require (
 k8s.io/api v0.29.3
 k8s.io/apiextensions-apiserver v0.29.3
 k8s.io/apimachinery v0.29.3
+ k8s.io/autoscaler/vertical-pod-autoscaler v0.14.0
 k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
 k8s.io/code-generator v0.29.3
 k8s.io/component-base v0.29.3
@@ -40,7 +40,9 @@ require (
 github.com/BurntSushi/toml v1.3.2 // indirect
 github.com/Masterminds/goutils v1.1.1 // indirect
+ github.com/Masterminds/semver v1.5.0 // indirect
 github.com/Masterminds/sprig v2.22.0+incompatible // indirect
+ github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/blang/semver/v4 v4.0.0 // indirect
@@ -122,7 +124,9 @@ require (
 github.com/prometheus/procfs v0.13.0 // indirect
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/segmentio/asm v1.2.0 // indirect
+ github.com/shopspring/decimal v1.2.0 // indirect
 github.com/spf13/afero v1.11.0 // indirect
+ github.com/spf13/cast v1.6.0 // indirect
 github.com/stretchr/objx v0.5.2 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
 go.opentelemetry.io/otel v1.24.0 // indirect
@@ -152,10 +156,9 @@ require ( istio.io/api v0.0.0-20230217221049-9d422bf48675 // indirect istio.io/client-go v1.17.1 // indirect k8s.io/apiserver v0.28.3 // indirect - k8s.io/autoscaler/vertical-pod-autoscaler v0.14.0 // indirect k8s.io/cluster-bootstrap v0.28.3 // indirect k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect - k8s.io/helm v2.16.1+incompatible // indirect + k8s.io/helm v2.17.0+incompatible // indirect k8s.io/klog v1.0.0 // indirect k8s.io/klog/v2 v2.110.1 // indirect k8s.io/kube-aggregator v0.28.3 // indirect diff --git a/go.sum b/go.sum index 6661519c6..d2bcea464 100644 --- a/go.sum +++ b/go.sum @@ -604,10 +604,13 @@ github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJ github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU= github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww= github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y= +github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs= github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0= github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ= github.com/Masterminds/sprig v2.22.0+incompatible h1:z4yfnGrZ7netVz+0EDJ0Wi+5VZCSYp4Z0m2dk6cEM60= github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o= +github.com/Masterminds/sprig/v3 v3.2.2 h1:17jRggJu518dr3QaafizSXOjKYp94wKfABxUmyxvxX8= +github.com/Masterminds/sprig/v3 v3.2.2/go.mod h1:UoaO7Yp8KlPnJIYWTFkMaqPUYKTfGFPhxNuwnnxkKlk= github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 h1:+XfOU14S4bGuwyvCijJwhhBIjYN+YXS18jrCY2EzJaY= 
@@ -718,23 +721,25 @@ github.com/fluent/fluent-operator/v2 v2.2.0 h1:97CiP6WKOHRM7zY/zCynX187Rg+T8hgx2 github.com/fluent/fluent-operator/v2 v2.2.0/go.mod h1:v/q0zLEOWP6MKHP7xvrhtASZTwlrk4LcCne/kgPQ7J0= github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k= +github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/gardener/etcd-druid v0.19.2 h1:Z8TTbmVUxZ7UWU5iJAwUHUI6A9E5Mfd5JcvokVfYH1A= -github.com/gardener/etcd-druid v0.19.2/go.mod h1:0Q9nKPiONDac/Gr0SZYFkVXHGt/Yt//rcRfDIUfftZo= -github.com/gardener/gardener v1.80.7 h1:Ex0raWkTu3JjPVYOMyHpK3ZetohrMfwAXAU+btM18Kc= -github.com/gardener/gardener v1.80.7/go.mod h1:lE2AGgezR4QZbYJhs0nTPw2dDFY0puYreIYPbDS8HWc= +github.com/gardener/etcd-druid v0.20.1 h1:o6F4higujfg7dvBXvk+yPb86+3t2+XLE0Hmw5W1kXtM= +github.com/gardener/etcd-druid v0.20.1/go.mod h1:1tAeHycB0Vb2GfCX6sUCc6V6frGrCQI//quVg4K3GNA= +github.com/gardener/gardener v1.82.3 h1:GVx7wmmodv9++ZnZrJHyI8fhCJSG35s0o3pvLWD7u0k= +github.com/gardener/gardener v1.82.3/go.mod h1:ZdLfUC8Ia/Qo+e13FspxHsMJZ9c3DTek6Iy0ff0QQzc= github.com/gardener/gardener-extension-networking-calico v1.36.1 h1:WyAdADamhxQgcCBrQOZAeSM/wm/urmmwBaqd2YLc7MY= github.com/gardener/gardener-extension-networking-calico v1.36.1/go.mod h1:GFmktIEzLxrOV6uNrCREeKjIkwYK6TlVOEPP7dffjAM= 
github.com/gardener/gardener-extension-networking-cilium v1.26.0 h1:hghmB83FfCzUqFX/q9lxh/u5CsqjEKf6ANQdDGYFcXk= github.com/gardener/gardener-extension-networking-cilium v1.26.0/go.mod h1:ixbT/aEudk7+5IJpsZJB34ZjR+oLvn0WZd+xMdIVu9M= github.com/gardener/hvpa-controller/api v0.5.0 h1:f4F3O7YUrenwh4S3TgPREPiB287JjjUiUL18OqPLyAA= github.com/gardener/hvpa-controller/api v0.5.0/go.mod h1:QQl3ELkCaki+8RhXl0FZMfvnm0WCGwGJlGmrxJj6lvM= -github.com/gardener/machine-controller-manager v0.49.3 h1:/ghxZVMij00SpeaORMZJlodosePWWByrIOr8fcp45sU= -github.com/gardener/machine-controller-manager v0.49.3/go.mod h1:ypFf18+Y6mJpohfZrOJI+vq7NQ3Yn7Ke4ujW23u/6nM= +github.com/gardener/machine-controller-manager v0.50.1 h1:lL2q0O+K6jkgYzHPz85wIc9MzASZaiDvLYnTxW7P5ws= +github.com/gardener/machine-controller-manager v0.50.1/go.mod h1:RySZ40AgbNV/wMq60G/w49kb+okbj5Xs1A6usz5Pm/I= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g= @@ -910,6 +915,7 @@ github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg= github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= +github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= 
@@ -947,12 +953,14 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= +github.com/huandu/xstrings v1.3.1/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= +github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= 
@@ -1035,12 +1043,14 @@ github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4= github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY= github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY= github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4= github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= 
@@ -1170,6 +1180,8 @@ github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfF github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= +github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ= +github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= @@ -1181,6 +1193,9 @@ github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= +github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= +github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= 
@@ -1268,6 +1283,7 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200221231518-2aa609cf4a9d/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.0.0-20200414173820-0848c9571904/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= @@ -2009,8 +2025,8 @@ k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/helm v2.16.1+incompatible h1:L+k810plJlaGWEw1EszeT4deK8XVaKxac1oGcuB+WDc= -k8s.io/helm v2.16.1+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= +k8s.io/helm v2.17.0+incompatible h1:Bpn6o1wKLYqKM3+Osh8e+1/K2g/GsQJ4F4yNF2+deao= +k8s.io/helm v2.17.0+incompatible/go.mod h1:LZzlS4LQBHfciFOurYBFkCMTaZ0D1l+p0teMg7TSULI= k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= diff --git a/pkg/controller/controlplane/add.go b/pkg/controller/controlplane/add.go index 24bf3b06a..9a92f7547 100644 --- a/pkg/controller/controlplane/add.go 
+++ b/pkg/controller/controlplane/add.go @@ -2,7 +2,6 @@ package controlplane import ( "context" - "fmt" "sync/atomic" extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" @@ -15,7 +14,6 @@ import ( "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" - "sigs.k8s.io/controller-runtime/pkg/webhook" ) var ( @@ -41,17 +39,11 @@ type AddOptions struct { // AddToManagerWithOptions adds a controller with the given Options to the given manager. // The opts.Reconciler is being set with a newly instantiated actuator. func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddOptions) error { - webhookServer := mgr.GetWebhookServer() - defaultServer, ok := webhookServer.(*webhook.DefaultServer) - if !ok { - return fmt.Errorf("expected *webhook.DefaultServer, got %T", webhookServer) - } - actuator, err := genericactuator.NewActuator(mgr, metal.Name, secretConfigsFunc, shootAccessSecretsFunc, nil, nil, nil, controlPlaneChart, cpShootChart, nil, storageClassChart, nil, NewValuesProvider(mgr, opts.ControllerConfig), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot), - imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, defaultServer.Options.Port, + imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, ) if err != nil { return err diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index 645b459fe..c0e3b919c 100644 --- a/pkg/controller/controlplane/valuesprovider.go +++ b/pkg/controller/controlplane/valuesprovider.go 
@@ -25,6 +25,7 @@ import ( "github.com/gardener/gardener/extensions/pkg/controller/controlplane/genericactuator" + "github.com/metal-stack/gardener-extension-provider-metal/charts" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" @@ -145,14 +146,14 @@ func shootAccessSecretsFunc(namespace string) []*gutil.AccessSecret { gutil.NewShootAccessSecret(metal.FirewallControllerManagerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.CloudControllerManagerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.DurosControllerDeploymentName, namespace), - gutil.NewShootAccessSecret(metal.MachineControllerManagerName, namespace), } } var controlPlaneChart = &chart.Chart{ - Name: "control-plane", - Path: filepath.Join(metal.InternalChartsPath, "control-plane"), - Images: []string{metal.CCMImageName, metal.FirewallControllerManagerDeploymentName}, + Name: "control-plane", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "control-plane"), + Images: []string{metal.CCMImageName, metal.FirewallControllerManagerDeploymentName}, Objects: []*chart.Object{ // cloud controller manager {Type: &corev1.Service{}, Name: "cloud-controller-manager"}, 
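Review bot: `Path: filepath.Join(charts.InternalChartsPath, "control-plane")` is now a path into an `embed.FS` (`EmbeddedFS: charts.InternalChart`), and `io/fs` paths are always slash-separated, so `path.Join` is the right call here rather than `filepath.Join`, which would emit backslashes on Windows. The same pairing is used for `cpShootChart` and `storageClassChart` in the two hunks below. Whether `path` is already imported is not visible in this diff, so the import block would need the swap as well.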
@@ -161,9 +162,10 @@ var controlPlaneChart = &chart.Chart{ } var cpShootChart = &chart.Chart{ - Name: "shoot-control-plane", - Path: filepath.Join(metal.InternalChartsPath, "shoot-control-plane"), - Images: []string{metal.DroptailerImageName, metal.MetallbSpeakerImageName, metal.MetallbControllerImageName, metal.NodeInitImageName, metal.MetallbHealthSidecarImageName}, + Name: "shoot-control-plane", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "shoot-control-plane"), + Images: []string{metal.DroptailerImageName, metal.MetallbSpeakerImageName, metal.MetallbControllerImageName, metal.NodeInitImageName, metal.MetallbHealthSidecarImageName}, Objects: []*chart.Object{ // metallb {Type: &corev1.Namespace{}, Name: "metallb-system"}, @@ -229,9 +231,10 @@ var cpShootChart = &chart.Chart{ } var storageClassChart = &chart.Chart{ - Name: "shoot-storageclasses", - Path: filepath.Join(metal.InternalChartsPath, "shoot-storageclasses"), - Images: []string{metal.CSIControllerImageName, metal.CSIProvisionerImageName}, + Name: "shoot-storageclasses", + EmbeddedFS: charts.InternalChart, + Path: filepath.Join(charts.InternalChartsPath, "shoot-storageclasses"), + Images: []string{metal.CSIControllerImageName, metal.CSIProvisionerImageName}, Objects: []*chart.Object{ {Type: &corev1.Namespace{}, Name: "csi-lvm"}, {Type: &storagev1.StorageClass{}, Name: "csi-lvm"}, @@ -600,11 +603,11 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c var networkAccessMirrors []map[string]any if restrictedOrForbidden && partition.NetworkIsolation != nil { for _, r := range partition.NetworkIsolation.RegistryMirrors { - nam, err := registryMirrorToValueMap(r) + mirror, err := registryMirrorToValueMap(r) if err != nil { return nil, err } - networkAccessMirrors = append(networkAccessMirrors, nam) + networkAccessMirrors = append(networkAccessMirrors, mirror) } } 
@@ -761,6 +764,7 @@ func getCCMChartValues( "checksum/secret-cloudprovider": checksums[v1beta1constants.SecretNameCloudProvider], "checksum/configmap-cloud-provider-config": checksums[metal.CloudProviderConfigName], }, + "tlsCipherSuites": kutil.TLSCipherSuites, "secrets": map[string]any{ "server": serverSecret.Name, }, @@ -1090,12 +1094,12 @@ func getDefaultExternalNetwork(nws networkMap, cpConfig *apismetal.ControlPlaneC continue } - pn, ok := nws[nw.Parentnetworkid] + parent, ok := nws[nw.Parentnetworkid] if !ok { return "", fmt.Errorf("network defined in firewall networks specified a parent network that does not exist in metal-api") } - if *pn.Privatesuper { + if *parent.Privatesuper { dmzNetworks = append(dmzNetworks, nw) continue } diff --git a/pkg/controller/healthcheck/add.go b/pkg/controller/healthcheck/add.go index 48264b460..920501a8d 100644 --- a/pkg/controller/healthcheck/add.go +++ b/pkg/controller/healthcheck/add.go @@ -13,7 +13,6 @@ import ( "github.com/gardener/gardener/extensions/pkg/controller/healthcheck" "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/general" "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/worker" - genericworkeractuator "github.com/gardener/gardener/extensions/pkg/controller/worker/genericactuator" extensionspredicate "github.com/gardener/gardener/extensions/pkg/predicate" gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -86,7 +85,7 @@ func RegisterHealthChecks(ctx context.Context, mgr manager.Manager, opts AddOpti }, }, // TODO(acumino): Remove this condition in a future release. - sets.New[gardencorev1beta1.ConditionType](gardencorev1beta1.ShootSystemComponentsHealthy), + sets.New(gardencorev1beta1.ShootSystemComponentsHealthy), ); err != nil { return err } 
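Review bot: `"tlsCipherSuites": kutil.TLSCipherSuites` hands the CCM chart a cipher list owned by gardener's kubernetes utils, but nothing in this hunk shows the control-plane template consuming it; the diffstat suggests the in-tree `utils-tls-cipher-suites` helper chart was removed in this same commit, so the `cloud-controller-manager.yaml` template must now read `.Values.tlsCipherSuites` (for example `--tls-cipher-suites={{ .Values.tlsCipherSuites | join "," }}`) or the CCM silently falls back to Go's default cipher set. A one-line comment at the value, `// cipher list is owned by gardener (kutil.TLSCipherSuites); the chart's --tls-cipher-suites flag must stay wired to it`, records the dependency for the next chart edit. getCCMChartValues starts and ends outside the hunk.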
@@ -101,21 +100,13 @@ func RegisterHealthChecks(ctx context.Context, mgr manager.Manager, opts AddOpti opts.HealthCheckDefaults, nil, []healthcheck.ConditionTypeToHealthCheck{ - { - ConditionType: string(gardencorev1beta1.ShootSystemComponentsHealthy), - HealthCheck: general.CheckManagedResource(genericworkeractuator.McmShootResourceName), - }, - { - ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy), - HealthCheck: general.NewSeedDeploymentHealthChecker("machine-controller-manager"), - }, { ConditionType: string(gardencorev1beta1.ShootEveryNodeReady), HealthCheck: worker.NewNodesChecker(), }, }, // TODO(acumino): Remove this condition in a future release. - sets.New[gardencorev1beta1.ConditionType](gardencorev1beta1.ShootSystemComponentsHealthy), + sets.New(gardencorev1beta1.ShootSystemComponentsHealthy), ) } diff --git a/pkg/controller/infrastructure/actuator_delete.go b/pkg/controller/infrastructure/actuator_delete.go index d55bf17ff..84b644d3d 100644 --- a/pkg/controller/infrastructure/actuator_delete.go +++ b/pkg/controller/infrastructure/actuator_delete.go @@ -15,7 +15,7 @@ import ( "github.com/metal-stack/metal-go/api/client/network" "github.com/metal-stack/metal-go/api/models" - extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" + "github.com/gardener/gardener/extensions/pkg/controller" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" "github.com/gardener/gardener/pkg/controllerutils/reconciler" 
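Review bot: Removing the `ShootSystemComponentsHealthy` and `ShootControlPlaneHealthy` entries leaves the worker health-check list with only the `ShootEveryNodeReady` node check, so this extension no longer reports machine-controller-manager deployment or managed-resource health at all; that is consistent with MCM moving to a gardener-managed deployment in this revendor, but it deserves a comment at the list, `// machine-controller-manager is deployed and health-checked by gardener since g/g 1.82; only node readiness is checked here`, so nobody re-adds the checks later. The `TODO(acumino)` condition argument still remains on both `RegisterHealthChecks` call sites (this hunk and the one above), now with `sets.New` relying on type inference. The enclosing function continues outside the hunk.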
@@ -27,14 +27,14 @@ import ( type networkDeleter struct { ctx context.Context logger logr.Logger - cluster *extensionscontroller.Cluster + cluster *controller.Cluster infrastructure *extensionsv1alpha1.Infrastructure infrastructureConfig *metalapi.InfrastructureConfig mclient metalgo.Client clusterID string } -func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructure *extensionsv1alpha1.Infrastructure, cluster *extensionscontroller.Cluster) error { +func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructure *extensionsv1alpha1.Infrastructure, cluster *controller.Cluster) error { internalInfrastructureConfig, _, err := decodeInfrastructure(infrastructure, a.decoder) if err != nil { return err @@ -103,6 +103,10 @@ func (a *actuator) Delete(ctx context.Context, logger logr.Logger, infrastructur return nil } +func (a *actuator) ForceDelete(_ context.Context, _ logr.Logger, _ *extensionsv1alpha1.Infrastructure, _ *controller.Cluster) error { + return nil +} + func (a *actuator) releaseNetworkResources(d *networkDeleter) error { ipsToFree, ipsToUpdate, err := metalclient.GetEphemeralIPsFromCluster(d.ctx, d.mclient, d.infrastructureConfig.ProjectID, d.clusterID) if err != nil { @@ -152,10 +156,10 @@ func (a *actuator) releaseNetworkResources(d *networkDeleter) error { return err } - for _, pn := range privateNetworks { - _, err := d.mclient.Network().FreeNetwork(network.NewFreeNetworkParams().WithID(*pn.ID).WithContext(d.ctx), nil) + for _, privateNetwork := range privateNetworks { + _, err := d.mclient.Network().FreeNetwork(network.NewFreeNetworkParams().WithID(*privateNetwork.ID).WithContext(d.ctx), nil) if err != nil { - d.logger.Error(err, "failed to release private network", "infrastructure", d.infrastructure.Name, "networkID", *pn.ID) + d.logger.Error(err, "failed to release private network", "infrastructure", d.infrastructure.Name, "networkID", *privateNetwork.ID) return err } } 
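Review bot: The new `ForceDelete` returns nil without touching metal-api, while `Delete` in the hunk above goes through `releaseNetworkResources` to free ephemeral IPs and private networks, so a forced deletion leaves those resources allocated in the project with nothing recording it. If skipping the cleanup is intended for force-delete, state it in a doc comment, `// ForceDelete is a no-op: metal-api IPs and networks of the cluster are intentionally left behind and must be cleaned up out of band.`, and consider logging the infrastructure name so operators can locate the orphaned resources. The same no-op pattern is added to the worker actuator in pkg/controller/worker/actuator.go.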
diff --git a/pkg/controller/worker/actuator.go b/pkg/controller/worker/actuator.go index 8f00ff735..646729363 100644 --- a/pkg/controller/worker/actuator.go +++ b/pkg/controller/worker/actuator.go @@ -13,8 +13,6 @@ import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" metalclient "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal/client" metalgo "github.com/metal-stack/metal-go" "github.com/metal-stack/metal-go/api/models" @@ -31,6 +29,7 @@ import ( "k8s.io/client-go/rest" "sigs.k8s.io/controller-runtime/pkg/client" + "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/log" "sigs.k8s.io/controller-runtime/pkg/manager" ) @@ -91,7 +90,7 @@ type ( } ) -func NewActuator(mgr manager.Manager, machineImages []config.MachineImage, controllerConfig config.ControllerConfiguration) (worker.Actuator, error) { +func NewActuator(mgr manager.Manager, gardenCluster cluster.Cluster, machineImages []config.MachineImage, controllerConfig config.ControllerConfiguration) worker.Actuator { a := &actuator{ controllerConfig: controllerConfig, networkCache: cache.New(15*time.Minute, func(ctx context.Context, accessor *cacheKey) (*models.V1NetworkResponse, error) { 
@@ -120,21 +119,16 @@ func NewActuator(mgr manager.Manager, machineImages []config.MachineImage, contr machineImageMapping: machineImages, } - var err error - a.workerActuator, err = genericactuator.NewActuator( + a.workerActuator = genericactuator.NewActuator( mgr, + gardenCluster, delegateFactory, - metal.MachineControllerManagerName, - mcmChart, - mcmShootChart, - imagevector.ImageVector(), - extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot), func(err error) []gardencorev1beta1.ErrorCode { return util.DetermineErrorCodes(err, map[gardencorev1beta1.ErrorCode]func(string) bool{}) // TODO: implement our error codes? }, ) - return a, err + return a } func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { @@ -146,6 +140,10 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, worker *exten return a.workerActuator.Reconcile(ctx, log, worker, cluster) } +func (a *actuator) ForceDelete(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { + return nil +} + func (a *actuator) Delete(ctx context.Context, log logr.Logger, worker *extensionsv1alpha1.Worker, cluster *extensionscontroller.Cluster) error { err := a.workerActuator.Delete(ctx, log, worker, cluster) if err != nil { diff --git a/pkg/controller/worker/add.go b/pkg/controller/worker/add.go index 203097bfe..d1fd8f590 100644 --- a/pkg/controller/worker/add.go +++ b/pkg/controller/worker/add.go @@ -10,6 +10,7 @@ import ( machinescheme "github.com/gardener/machine-controller-manager/pkg/client/clientset/versioned/scheme" apiextensionsscheme "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/scheme" "k8s.io/apimachinery/pkg/runtime" + "sigs.k8s.io/controller-runtime/pkg/cluster" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/manager" ) 
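Review bot: `ForceDelete` on the worker actuator returns nil without delegating to `a.workerActuator`, unlike `Reconcile` and `Delete`, which forward to the generic actuator; if the generic actuator of this gardener version implements `ForceDelete`, the forwarding `return a.workerActuator.ForceDelete(ctx, log, worker, cluster)` is what callers would expect, otherwise the unused parameters should be blanked with `_` as in the infrastructure actuator and the no-op documented. `NewActuator` now returns a bare `worker.Actuator` and takes a `gardenCluster`; its doc comment, if any, is outside the hunk and should mention the new parameter and that construction can no longer fail.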
@@ -28,6 +29,8 @@ type AddOptions struct { MachineImages []config.MachineImage // IgnoreOperationAnnotation specifies whether to ignore the operation annotation or not. IgnoreOperationAnnotation bool + // GardenCluster is the garden cluster object. + GardenCluster cluster.Cluster } // AddToManagerWithOptions adds a controller with the given Options to the given manager. @@ -41,13 +44,8 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO return err } - actuator, err := NewActuator(mgr, opts.MachineImages, opts.ControllerConfig) - if err != nil { - return err - } - return worker.Add(ctx, mgr, worker.AddArgs{ - Actuator: actuator, + Actuator: NewActuator(mgr, opts.GardenCluster, opts.MachineImages, opts.ControllerConfig), ControllerOptions: opts.Controller, Predicates: worker.DefaultPredicates(ctx, mgr, opts.IgnoreOperationAnnotation), Type: metal.Type, diff --git a/pkg/controller/worker/machine_controller_manager.go b/pkg/controller/worker/machine_controller_manager.go deleted file mode 100644 index f6a9815f2..000000000 --- a/pkg/controller/worker/machine_controller_manager.go +++ /dev/null 
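Review bot: `opts.GardenCluster` is forwarded to `NewActuator` with no check that the caller populated it; the field is new in `AddOptions` and presumably only the command wiring sets it, so a missing assignment surfaces later as a nil `cluster.Cluster` inside the generic actuator instead of at registration. A guard before the `worker.Add` call, `if opts.GardenCluster == nil { return fmt.Errorf("worker controller: AddOptions.GardenCluster must be set") }`, fails fast; whether `fmt` is imported in this file is not visible here.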
@@ -1,58 +0,0 @@ -package worker - -import ( - "context" - "fmt" - "path/filepath" - - "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" - - "github.com/gardener/gardener/pkg/utils/chart" - kutil "github.com/gardener/gardener/pkg/utils/kubernetes" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - rbacv1 "k8s.io/api/rbac/v1" -) - -var ( - mcmChart = &chart.Chart{ - Name: metal.MachineControllerManagerName, - Path: filepath.Join(metal.InternalChartsPath, metal.MachineControllerManagerName, "seed"), - Images: []string{metal.MachineControllerManagerImageName, metal.MCMProviderMetalImageName}, - Objects: []*chart.Object{ - {Type: &appsv1.Deployment{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.Service{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.ServiceAccount{}, Name: metal.MachineControllerManagerName}, - {Type: &corev1.Secret{}, Name: metal.MachineControllerManagerName}, - }, - } - - mcmShootChart = &chart.Chart{ - Name: metal.MachineControllerManagerName, - Path: filepath.Join(metal.InternalChartsPath, metal.MachineControllerManagerName, "shoot"), - Objects: []*chart.Object{ - {Type: &rbacv1.ClusterRole{}, Name: fmt.Sprintf("extensions.gardener.cloud:%s:%s", metal.Name, metal.MachineControllerManagerName)}, - {Type: &rbacv1.ClusterRoleBinding{}, Name: fmt.Sprintf("extensions.gardener.cloud:%s:%s", metal.Name, metal.MachineControllerManagerName)}, - }, - } -) - -func (w *workerDelegate) GetMachineControllerManagerChartValues(ctx context.Context) (map[string]interface{}, error) { - namespace := &corev1.Namespace{} - if err := w.client.Get(ctx, kutil.Key(w.worker.Namespace), namespace); err != nil { - return nil, err - } - - return map[string]interface{}{ - "providerName": metal.Name, - "namespace": map[string]interface{}{ - "uid": namespace.UID, - }, - }, nil -} - -func (w *workerDelegate) GetMachineControllerManagerShootChartValues(ctx context.Context) (map[string]interface{}, error) { - return 
map[string]interface{}{ - "providerName": metal.Name, - }, nil -} diff --git a/pkg/controller/worker/machines.go b/pkg/controller/worker/machines.go index 2b06d0f47..7101c8bd4 100644 --- a/pkg/controller/worker/machines.go +++ b/pkg/controller/worker/machines.go @@ -204,7 +204,7 @@ func (w *workerDelegate) generateMachineConfig(ctx context.Context) error { machineClassSpec["name"] = className machineClassSpec["labels"] = map[string]string{ - v1beta1constants.GardenerPurpose: genericworkeractuator.GardenPurposeMachineClass, + v1beta1constants.GardenerPurpose: v1beta1constants.GardenPurposeMachineClass, } // if we'd move the endpoint out of this secret into the deployment spec (which would be the way to go) diff --git a/pkg/metal/types.go b/pkg/metal/types.go index 3e8d25e25..8c10536bf 100644 --- a/pkg/metal/types.go +++ b/pkg/metal/types.go @@ -1,13 +1,9 @@ package metal -import "path/filepath" - const ( // Name is the name of the Metal provider. Name = "provider-metal" - // MachineControllerManagerImageName is the name of the MachineControllerManager image. - MachineControllerManagerImageName = "machine-controller-manager" // MCMProviderMetalImageName is the name of the metal provider plugin image. MCMProviderMetalImageName = "machine-controller-manager-provider-metal" // CCMImageName is the name of the cloud controller manager image. @@ -38,8 +34,6 @@ const ( // CloudProviderConfigName is the name of the configmap containing the cloud provider config. CloudProviderConfigName = "cloud-provider-config" - // MachineControllerManagerName is a constant for the name of the machine-controller-manager. - MachineControllerManagerName = "machine-controller-manager" // ShootExtensionTypeTokenIssuer appears unused? CHECKME ShootExtensionTypeTokenIssuer = "tokenissuer" 
@@ -63,13 +57,6 @@ const ( ManagerIdentity = "provider-" + Type + "-controlplane" ) -var ( - // ChartsPath is the path to the charts - ChartsPath = filepath.Join("charts") - // InternalChartsPath is the path to the internal charts - InternalChartsPath = filepath.Join(ChartsPath, "internal") -) - // Credentials stores Metal credentials. type Credentials struct { MetalAPIKey string diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go index b4660a5c6..b19738f18 100644 --- a/pkg/webhook/controlplane/ensurer.go +++ b/pkg/webhook/controlplane/ensurer.go @@ -6,13 +6,13 @@ import ( "fmt" "strings" - "github.com/Masterminds/semver" + "github.com/Masterminds/semver/v3" "github.com/coreos/go-systemd/v22/unit" extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context" - "github.com/gardener/gardener/extensions/pkg/webhook/controlplane" "github.com/gardener/gardener/extensions/pkg/webhook/controlplane/genericmutator" + "github.com/gardener/gardener/pkg/component/machinecontrollermanager" v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" 
@@ -21,11 +21,15 @@ import ( "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" + "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector" + "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" metalapi "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" + vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" @@ -138,6 +142,7 @@ func ensureKubeletCommandLineArgs(command []string) []string { // EnsureKubeletConfiguration ensures that the kubelet configuration conforms to the provider requirements. func (e *ensurer) EnsureKubeletConfiguration(ctx context.Context, gctx gcontext.GardenContext, kubeletVersion *semver.Version, new, _ *kubeletconfigv1beta1.KubeletConfiguration) error { + // Make sure CSI-related feature gates are not enabled // TODO Leaving these enabled shouldn't do any harm, perhaps remove this code when properly tested? // FIXME Why ? 
@@ -335,3 +340,46 @@ version = 2
 },
 }
 }
+
+// ImageVector is exposed for testing.
+var ImageVector = imagevector.ImageVector()
+
+// EnsureMachineControllerManagerDeployment ensures that the machine-controller-manager deployment conforms to the provider requirements.
+func (e *ensurer) EnsureMachineControllerManagerDeployment(_ context.Context, _ gcontext.GardenContext, newObj, _ *appsv1.Deployment) error {
+ image, err := ImageVector.FindImage(metal.MCMProviderMetalImageName)
+ if err != nil {
+ return err
+ }
+
+ c := machinecontrollermanager.ProviderSidecarContainer(newObj.Namespace, metal.Name, image.String())
+ c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--machine-health-timeout=", "10080m")
+
+ newObj.Spec.Template.Spec.Containers = extensionswebhook.EnsureContainerWithName(
+ newObj.Spec.Template.Spec.Containers,
+ c,
+ )
+ return nil
+}
+
+// EnsureMachineControllerManagerVPA ensures that the machine-controller-manager VPA conforms to the provider requirements.
+func (e *ensurer) EnsureMachineControllerManagerVPA(_ context.Context, _ gcontext.GardenContext, newObj, _ *vpaautoscalingv1.VerticalPodAutoscaler) error {
+ var (
+ minAllowed = corev1.ResourceList{
+ corev1.ResourceMemory: resource.MustParse("64Mi"),
+ }
+ maxAllowed = corev1.ResourceList{
+ corev1.ResourceCPU: resource.MustParse("2"),
+ corev1.ResourceMemory: resource.MustParse("5G"),
+ }
+ )
+
+ if newObj.Spec.ResourcePolicy == nil {
+ newObj.Spec.ResourcePolicy = &vpaautoscalingv1.PodResourcePolicy{}
+ }
+
+ newObj.Spec.ResourcePolicy.ContainerPolicies = extensionswebhook.EnsureVPAContainerResourcePolicyWithName(
+ newObj.Spec.ResourcePolicy.ContainerPolicies,
+ machinecontrollermanager.ProviderSidecarVPAContainerPolicy(metal.Name, minAllowed, maxAllowed),
+ )
+ return nil
+}
diff --git a/pkg/webhook/controlplaneexposure/ensurer.go b/pkg/webhook/controlplaneexposure/ensurer.go
index bac65123a..29ff491ec 100644
--- a/pkg/webhook/controlplaneexposure/ensurer.go
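Review bot: `c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--machine-health-timeout=", "10080m")` edits the sidecar's `Command`, but as far as I recall the gardener `ProviderSidecarContainer` helper passes its flags via `Args` and leaves `Command` empty; if that holds for the vendored v1.82 version, this line turns the bare flag into the container entrypoint and the provider sidecar will not start, and it should read `c.Args = extensionswebhook.EnsureStringWithPrefix(c.Args, "--machine-health-timeout=", "10080m")` — please confirm against the vendored source. Independently, 10080m is seven days before MCM gives up on an unhealthy machine, which is far above the usual default; a one-line comment stating the bare-metal reason for that value would spare the next reader a search. `var ImageVector` is exported, mutable package state that exists only for tests; an unexported variable or a field on `ensurer` would keep it out of the package API.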
+++ b/pkg/webhook/controlplaneexposure/ensurer.go @@ -10,20 +10,14 @@ import ( "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" "github.com/metal-stack/metal-lib/pkg/pointer" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" - extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context" v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" - v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" - - kutil "github.com/gardener/gardener/pkg/utils/kubernetes" ) // NewEnsurer creates a new controlplaneexposure ensurer. 
@@ -42,31 +36,6 @@ type ensurer struct {
 logger logr.Logger
 }
 
-// EnsureKubeAPIServerService ensures that the kube-apiserver service conforms to the provider requirements.
-func (e *ensurer) EnsureKubeAPIServerService(ctx context.Context, gctx gcontext.GardenContext, new, old *corev1.Service) error {
- return nil
-}
-
-// EnsureKubeAPIServerDeployment ensures that the kube-apiserver deployment conforms to the provider requirements.
-func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gcontext.GardenContext, new, old *appsv1.Deployment) error {
- // ignore gardener managed (APIServerSNI-enabled) apiservers.
- if v1beta1helper.IsAPIServerExposureManaged(new) {
- return nil
- }
-
- // Get load balancer address of the kube-apiserver service
- address, err := kutil.GetLoadBalancerIngress(ctx, e.client, &corev1.Service{ObjectMeta: v1.ObjectMeta{Namespace: new.Namespace, Name: v1beta1constants.DeploymentNameKubeAPIServer}})
- if err != nil {
- return fmt.Errorf("could not get kube-apiserver service load balancer address %w", err)
- }
-
- if c := extensionswebhook.ContainerWithName(new.Spec.Template.Spec.Containers, "kube-apiserver"); c != nil {
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--advertise-address=", address)
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--external-hostname=", address)
- }
- return nil
-}
-
 // EnsureETCD ensures that the etcd conform to the provider requirements.
 func (e *ensurer) EnsureETCD(ctx context.Context, gctx gcontext.GardenContext, new, old *druidv1alpha1.Etcd) error {
 new.Spec.StorageCapacity = pointer.Pointer(resource.MustParse("16Gi"))
From 0c6266ca38e7e9d3880431aebd391c1ce7466e48 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Fri, 12 Jul 2024 15:31:57 +0200
Subject: [PATCH 2/3] Revendor to g/g 1.83. (#408)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 435040d8a..206a96d3b 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
  github.com/ahmetb/gen-crd-api-reference-docs v0.3.0
  github.com/coreos/go-systemd/v22 v22.5.0
  github.com/gardener/etcd-druid v0.20.1
- github.com/gardener/gardener v1.82.3
+ github.com/gardener/gardener v1.83.3
  github.com/gardener/gardener-extension-networking-calico v1.36.1
  github.com/gardener/gardener-extension-networking-cilium v1.26.0
  github.com/gardener/machine-controller-manager v0.50.1
diff --git a/go.sum b/go.sum
index d2bcea464..56ffd8710 100644
--- a/go.sum
+++ b/go.sum
@@ -730,8 +730,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/gardener/etcd-druid v0.20.1 h1:o6F4higujfg7dvBXvk+yPb86+3t2+XLE0Hmw5W1kXtM=
 github.com/gardener/etcd-druid v0.20.1/go.mod h1:1tAeHycB0Vb2GfCX6sUCc6V6frGrCQI//quVg4K3GNA=
-github.com/gardener/gardener v1.82.3 h1:GVx7wmmodv9++ZnZrJHyI8fhCJSG35s0o3pvLWD7u0k=
-github.com/gardener/gardener v1.82.3/go.mod h1:ZdLfUC8Ia/Qo+e13FspxHsMJZ9c3DTek6Iy0ff0QQzc=
+github.com/gardener/gardener v1.83.3 h1:ZnN5W0JWeUrheHHVpLfZc2xnl/vxLTQNRKCEB2VqrEM=
+github.com/gardener/gardener v1.83.3/go.mod h1:WbCEy0CuG3fk1QFDeQeagwvWRtA7FaiuP9ska9EA7Xc=
 github.com/gardener/gardener-extension-networking-calico v1.36.1 h1:WyAdADamhxQgcCBrQOZAeSM/wm/urmmwBaqd2YLc7MY=
 github.com/gardener/gardener-extension-networking-calico v1.36.1/go.mod h1:GFmktIEzLxrOV6uNrCREeKjIkwYK6TlVOEPP7dffjAM=
 github.com/gardener/gardener-extension-networking-cilium v1.26.0 h1:hghmB83FfCzUqFX/q9lxh/u5CsqjEKf6ANQdDGYFcXk=
From 26dd3be9ea38fce0bfde5e592fced45b7c335a12 Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Fri, 26 Jul 2024 10:49:53 +0200
Subject: [PATCH 3/3] Fix firewall auto update gets reverted. (#409)
---
 go.mod | 2 +-
 go.sum | 4 +-
 .../infrastructure/actuator_reconcile.go | 2 +-
 pkg/controller/worker/firewall_reconcile.go | 31 ++++++-
 .../worker/firewall_reconcile_test.go | 80 +++++++++++++++++++
 5 files changed, 114 insertions(+), 5 deletions(-)
 create mode 100644 pkg/controller/worker/firewall_reconcile_test.go
diff --git a/go.mod b/go.mod
index 206a96d3b..76e91984a 100644
--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
  github.com/metal-stack/firewall-controller-manager v0.4.0
  github.com/metal-stack/firewall-controller/v2 v2.3.3
  github.com/metal-stack/metal-go v0.31.1
- github.com/metal-stack/metal-lib v0.16.2
+ github.com/metal-stack/metal-lib v0.17.2
  github.com/onsi/ginkgo v1.16.5
  github.com/onsi/gomega v1.33.1
  github.com/spf13/cobra v1.8.0
diff --git a/go.sum b/go.sum
index 56ffd8710..d6c62740b 100644
--- a/go.sum
+++ b/go.sum
@@ -1035,8 +1035,8 @@ github.com/metal-stack/firewall-controller/v2 v2.3.3 h1:4NrSFGl9NdUHQpKZK867ti6z
 github.com/metal-stack/firewall-controller/v2 v2.3.3/go.mod h1:Zo3HIlqqzWyvPGIpfWzsxkQjrIkmZHYtKgld71q24FE=
 github.com/metal-stack/metal-go v0.31.1 h1:1U31FuqhUveKxlIYrlrzjIhQLEqrlsm7ohZnZGMZz/E=
 github.com/metal-stack/metal-go v0.31.1/go.mod h1:3MJTYCS4YJz8D8oteTKhjpaAKNMMjMKYDrIy9awHGtQ=
-github.com/metal-stack/metal-lib v0.16.2 h1:RJls/Spai4h5xr3BEmQt9UdWNN4RB9+SOINoZcjYaA8=
-github.com/metal-stack/metal-lib v0.16.2/go.mod h1:nyNGI4DZFOcWbSoq2Y6V3SHpFxuXBIqYBZHTb6cy//s=
+github.com/metal-stack/metal-lib v0.17.2 h1:T1rxCPgagHW/M0wWSrOj4hWsPZMSt1pYw90Z3vBm88Q=
+github.com/metal-stack/metal-lib v0.17.2/go.mod h1:nyNGI4DZFOcWbSoq2Y6V3SHpFxuXBIqYBZHTb6cy//s=
 github.com/metal-stack/security v0.8.0 h1:tVaSDB9m5clwYrnLyaXfPy7mQlJTnmeoHscG+RUy/xo=
 github.com/metal-stack/security v0.8.0/go.mod h1:7GAcQb+pOgflW30ohJygxpqc3i0dQ2ahGJK1CU5tqa0=
 github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
diff --git a/pkg/controller/infrastructure/actuator_reconcile.go b/pkg/controller/infrastructure/actuator_reconcile.go index a10d67027..2d01e4af9 100644 --- a/pkg/controller/infrastructure/actuator_reconcile.go +++ b/pkg/controller/infrastructure/actuator_reconcile.go @@ -121,7 +121,7 @@ func (a *actuator) maintainFirewallDeployment(ctx context.Context, logger logr.L // so it cannot be put to the worker controller. if !gardener.EffectiveShootMaintenanceTimeWindow(cluster.Shoot).Contains(time.Now()) { - // note that this prevents updating the firewall image even when annotating the shoot explicitly with the maintainenance annotation + // note that this prevents updating the firewall image even when annotating the shoot explicitly with the maintenance annotation // if a user wants to update the firewall immediately he needs to specify the new firewall image in the spec logger.Info("not maintaining firewall deployment as shoot not in effective maintenance time window") return nil diff --git a/pkg/controller/worker/firewall_reconcile.go b/pkg/controller/worker/firewall_reconcile.go index 4d05412a6..ed6eaebad 100644 --- a/pkg/controller/worker/firewall_reconcile.go +++ b/pkg/controller/worker/firewall_reconcile.go @@ -14,6 +14,7 @@ import ( "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/validation" "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" + metalcommon "github.com/metal-stack/metal-lib/pkg/metal" "github.com/metal-stack/metal-lib/pkg/tag" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" 
@@ -132,7 +133,17 @@ func (a *actuator) ensureFirewallDeployment(ctx context.Context, log logr.Logger deploy.Spec.Template.Labels[tag.ClusterID] = clusterID deploy.Spec.Template.Spec.Size = d.infrastructureConfig.Firewall.Size - deploy.Spec.Template.Spec.Image = d.infrastructureConfig.Firewall.Image + if deploy.Spec.AutoUpdate.MachineImage && d.infrastructureConfig.Firewall.Image != "" { + isPatch, err := patchUpdate(deploy.Spec.Template.Spec.Image, d.infrastructureConfig.Firewall.Image) + if err != nil { + return err + } + if !isPatch { + deploy.Spec.Template.Spec.Image = d.infrastructureConfig.Firewall.Image + } + } else { + deploy.Spec.Template.Spec.Image = d.infrastructureConfig.Firewall.Image + } deploy.Spec.Template.Spec.Networks = append(d.infrastructureConfig.Firewall.Networks, d.privateNetworkID) deploy.Spec.Template.Spec.RateLimits = mapRateLimits(d.infrastructureConfig.Firewall.RateLimits) deploy.Spec.Template.Spec.InternalPrefixes = a.controllerConfig.FirewallInternalPrefixes @@ -206,3 +217,21 @@ func mapEgressRules(egress []apismetal.EgressRule) []fcmv2.EgressRuleSNAT { } return result } + +func patchUpdate(old, new string) (bool, error) { + oldKind, o, err := metalcommon.GetOsAndSemverFromImage(old) + if err != nil { + return false, fmt.Errorf("unable to parse firewall image: %w", err) + } + + newKind, n, err := metalcommon.GetOsAndSemverFromImage(new) + if err != nil { + return false, fmt.Errorf("unable to parse firewall image: %w", err) + } + + if oldKind == newKind && o.Major() == n.Major() && o.Minor() == n.Minor() && o.Patch() != n.Patch() { + return true, nil + } + + return false, nil +} diff --git a/pkg/controller/worker/firewall_reconcile_test.go b/pkg/controller/worker/firewall_reconcile_test.go new file mode 100644 index 000000000..ec66dc2ac --- /dev/null +++ b/pkg/controller/worker/firewall_reconcile_test.go 
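Review bot: When `deploy.Spec.AutoUpdate.MachineImage` is set, `patchUpdate(deploy.Spec.Template.Spec.Image, …)` is also reached while the deployment's current image is still empty (a FirewallDeployment that is being created rather than updated, if the mutate function runs in that case too), and an empty string will presumably not parse, so the very first reconcile would fail with a parse error; guarding on the current image makes the intent explicit: `if deploy.Spec.AutoUpdate.MachineImage && deploy.Spec.Template.Spec.Image != "" && d.infrastructureConfig.Firewall.Image != "" {`. With that guard the `else` branch and the `!isPatch` branch assign the same value, so the assignment can be written once after the condition instead of twice. A why-comment would record the design decision that the spec's image is deliberately ignored here, e.g. `// with auto-update enabled the firewall-controller-manager owns the patch level; only an OS, major or minor change in the spec is applied`. ensureFirewallDeployment starts and ends outside the hunk.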
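Review bot: Both parse failures in `patchUpdate` return the identical message `unable to parse firewall image`, so a reconcile error cannot tell whether the deployed image or the one from the infrastructure config is malformed; include the value, e.g. `return false, fmt.Errorf("unable to parse current firewall image %q: %w", old, err)` for the first and the same with the desired image for the second. The parameter `new` shadows the builtin; naming the pair `current, desired` also documents the direction of the comparison, which the caller relies on. A doc comment is missing, e.g. `// patchUpdate reports whether desired differs from current only in the patch version (same OS, major and minor).`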
@@ -0,0 +1,80 @@
+package worker
+
+import (
+ "github.com/google/go-cmp/cmp"
+ "github.com/metal-stack/metal-lib/pkg/testcommon"
+
+ "testing"
+)
+
+func Test_patchUpdate(t *testing.T) {
+ tests := []struct {
+ name string
+ old string
+ new string
+ want bool
+ wantErr error
+ }{
+ {
+ name: "no update",
+ old: "firewall-ubuntu-3.0",
+ new: "firewall-ubuntu-3.0",
+ want: false,
+ wantErr: nil,
+ },
+ {
+ name: "no update fully qualified",
+ old: "firewall-ubuntu-3.0.20240101",
+ new: "firewall-ubuntu-3.0.20240101",
+ want: false,
+ wantErr: nil,
+ },
+ {
+ name: "patch update",
+ old: "firewall-ubuntu-3.0.20240101",
+ new: "firewall-ubuntu-3.0.20240201",
+ want: true,
+ wantErr: nil,
+ },
+ {
+ name: "minor update",
+ old: "firewall-ubuntu-3.0.20240101",
+ new: "firewall-ubuntu-3.1.20240101",
+ want: false,
+ wantErr: nil,
+ },
+ {
+ name: "major update",
+ old: "firewall-ubuntu-3.0.20240101",
+ new: "firewall-ubuntu-4.0.20240101",
+ want: false,
+ wantErr: nil,
+ },
+ {
+ name: "os update",
+ old: "firewall-ubuntu-3.0.20240101",
+ new: "firewall-debian-3.0.20240101",
+ want: false,
+ wantErr: nil,
+ },
+ {
+ name: "update to fully qualified",
+ old: "firewall-ubuntu-3.0",
+ new: "firewall-ubuntu-3.0.20240101",
+ want: true,
+ wantErr: nil,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := patchUpdate(tt.old, tt.new)
+ if diff := cmp.Diff(tt.wantErr, err, testcommon.ErrorStringComparer()); diff != "" {
+ t.Errorf("error diff (+got -want):\n %s", diff)
+ }
+
+ if diff := cmp.Diff(got, tt.want, testcommon.StrFmtDateComparer()); diff != "" {
+ t.Errorf("diff (+got -want):\n %s", diff)
+ }
+ })
+ }
+}
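Review bot: `cmp.Diff(got, tt.want, …)` passes got first, so the rendered diff reads `-got +want`, contradicting the `(+got -want)` label in the same `t.Errorf`; the error check just above uses `cmp.Diff(tt.wantErr, err, …)` and is consistent with its label, so this one should be `cmp.Diff(tt.want, got)`. `testcommon.StrFmtDateComparer()` has no effect when comparing two bools and can be dropped. The table exercises no failure path at all, although `patchUpdate` returns an error for unparseable input and that is precisely the case that decides whether the reconcile fails; one case with an image such as `"firewall"` or `""` and a non-nil `wantErr` would pin that behaviour. `"testing"` belongs in the stdlib import group ahead of the third-party imports.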