Merge remote-tracking branch 'origin/master' into shoot-migration-for…

…-firewalls

.github/workflows/docker.yaml

@@ -22,7 +22,7 @@ jobs:
 
     steps:
     - name: Log in to the container registry
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         registry: ${{ env.REGISTRY }}
         username: ${{ secrets.DOCKER_REGISTRY_USER }}

.github/workflows/test.yaml

@@ -20,10 +20,10 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v3
 
-    - name: Set up Go 1.19
+    - name: Set up Go 1.21
       uses: actions/setup-go@v4
       with:
-        go-version: '1.19.x'
+        go-version: '1.21.x'
 
     - name: Check (lint) and Test
       run: |

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19 AS builder
+FROM golang:1.21 AS builder
 
 WORKDIR /go/src/github.com/metal-stack/gardener-extension-provider-metal
 COPY . .

Makefile

@@ -9,8 +9,8 @@ VERIFY                      := true
 LEADER_ELECTION             := false
 IGNORE_OPERATION_ANNOTATION := false
 WEBHOOK_CONFIG_URL          := localhost
-
-GOLANGCI_LINT_VERSION := v1.48.0
+GO_VERSION                  := 1.21
+GOLANGCI_LINT_VERSION       := v1.54.2
 
 ifeq ($(CI),true)
   DOCKER_TTY_ARG=""
@@ -23,33 +23,6 @@ export GO111MODULE := on
 TOOLS_DIR := hack/tools
 -include vendor/github.com/gardener/gardener/hack/tools.mk
 
-#########################################
-# Rules for local development scenarios #
-#########################################
-
-.PHONY: start-provider-metal
-start-provider-metal:
-	@LEADER_ELECTION_NAMESPACE=garden go run \
-		-ldflags $(LD_FLAGS) \
-		-tags netgo \
-		./cmd/gardener-extension-provider-metal \
-		--config-file=./example/00-componentconfig.yaml \
-		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
-		--leader-election=$(LEADER_ELECTION) \
-		--webhook-config-server-host=$(HOSTNAME) \
-		--webhook-config-server-port=8443 \
-		--webhook-config-mode=url \
-		--webhook-config-url=$(WEBHOOK_CONFIG_URL)
-
-.PHONY: start-admission-metal
-start-admission-metal:
-	@LEADER_ELECTION_NAMESPACE=garden go run \
-		-ldflags $(LD_FLAGS) \
-		-tags netgo \
-		./cmd/gardener-extension-admission-metal \
-		--webhook-config-server-host=0.0.0.0 \
-		--webhook-config-server-port=9443 \
-		--webhook-config-cert-dir=./example/admission-metal-certs
 
 #################################################################
 # Rules related to binary build, Docker image build and release #
@@ -108,10 +81,11 @@ generate: $(HELM)
 .PHONY: generate-in-docker
 generate-in-docker: revendor $(HELM)
 	echo $(shell git describe --abbrev=0 --tags) > VERSION
-	docker run --rm -i$(DOCKER_TTY_ARG) -v $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:1.19.4 \
-		sh -c "cd /go/src/github.com/metal-stack/gardener-extension-provider-metal \
-				&& make generate \
-				&& chown -R $(shell id -u):$(shell id -g) ."
+	docker run --rm -i$(DOCKER_TTY_ARG) \
+		--volume $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:$(GO_VERSION) \
+			sh -c "cd /go/src/github.com/metal-stack/gardener-extension-provider-metal \
+					&& make generate \
+					&& chown -R $(shell id -u):$(shell id -g) ."
 
 .PHONY: format
 format: $(GOIMPORTS)
@@ -123,9 +97,12 @@ test:
 
 .PHONY: test-in-docker
 test-in-docker: revendor
-	docker run --rm -i$(DOCKER_TTY_ARG) -v $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:1.19.4 \
-		sh -c "cd /go/src/github.com/metal-stack/gardener-extension-provider-metal \
-				&& make install check test"
+	docker run --rm -i$(DOCKER_TTY_ARG) \
+		--user $$(id -u):$$(id -g) \
+		--mount type=tmpfs,destination=/.cache \
+		--volume $(PWD):/go/src/github.com/metal-stack/gardener-extension-provider-metal golang:$(GO_VERSION) \
+			sh -c "cd /go/src/github.com/metal-stack/gardener-extension-provider-metal \
+					&& make install check test"
 
 .PHONY: test-cov
 test-cov:

charts/gardener-extension-admission-metal/charts/runtime/templates/deployment.yaml

@@ -61,8 +61,8 @@ spec:
           initialDelaySeconds: 5
           periodSeconds: 10
         env:
-{{- range $key, $value := .Values.defaulter }}
-{{- if $value }}
+{{- range $key, $value := .Values.global.defaulter }}
+{{- if ne nil $value }}
           - name: DEFAULTER_{{ upper $key }}
             value: {{ $value | quote }}
 {{- end }}

charts/gardener-extension-admission-metal/values.yaml

@@ -35,22 +35,22 @@ global:
   # Kubeconfig to the target cluster. In-cluster configuration will be used if not specified.
   kubeconfig:
 
-defaulter:
-  allowedPrivilegedContainers:
-  maxPods:
-  nodeCIDRMaskSize:
-  podsCIDR:
-  servicesCIDR:
-  networkType:
-  calicoBackend:
-  calicoKubeProxyEnabled:
-  calicoPoolMode:
-  calicoTyphaEnabled:
-  ciliumDevices:
-  ciliumHubbleEnabled:
-  ciliumKubeProxyEnabled:
-  ciliumPSPEnabled:
-  ciliumTunnel:
-  ciliumIPv4NativeRoutingCIDREnabled:
-  ciliumLoadBalancingMode:
-  ciliumMTU:
+  defaulter:
+    allowedPrivilegedContainers:
+    maxPods:
+    nodeCIDRMaskSize:
+    podsCIDR:
+    servicesCIDR:
+    networkType:
+    calicoBackend:
+    calicoKubeProxyEnabled:
+    calicoPoolMode:
+    calicoTyphaEnabled:
+    ciliumDevices:
+    ciliumHubbleEnabled:
+    ciliumKubeProxyEnabled:
+    ciliumPSPEnabled:
+    ciliumTunnel:
+    ciliumIPv4NativeRoutingCIDREnabled:
+    ciliumLoadBalancingMode:
+    ciliumMTU:

charts/gardener-extension-provider-metal/templates/deployment.yaml

@@ -35,6 +35,8 @@ spec:
         - provider-metal-controller-manager
         - --config-file=/etc/{{ include "name" . }}/config/config.yaml
         - --controlplane-max-concurrent-reconciles={{ .Values.controllers.controlplane.concurrentSyncs }}
+        - --heartbeat-namespace={{ .Release.Namespace }}
+        - --heartbeat-renew-interval-seconds={{ .Values.controllers.heartbeat.renewIntervalSeconds }}
         - --infrastructure-max-concurrent-reconciles={{ .Values.controllers.infrastructure.concurrentSyncs }}
         - --ignore-operation-annotation={{ .Values.controllers.ignoreOperationAnnotation }}
         - --worker-max-concurrent-reconciles={{ .Values.controllers.worker.concurrentSyncs }}

charts/gardener-extension-provider-metal/templates/rbac.yaml

@@ -34,15 +34,17 @@ rules:
   - leases
   verbs:
   - create
+  - list
+  - watch
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   resourceNames:
   - provider-metal-leader-election
+  - gardener-extension-heartbeat
   verbs:
   - get
-  - watch
   - update
 - apiGroups:
   - ""

charts/gardener-extension-provider-metal/values.yaml

@@ -13,6 +13,8 @@ controllers:
     concurrentSyncs: 5
   infrastructure:
     concurrentSyncs: 5
+  heartbeat:
+    renewIntervalSeconds: 30
   worker:
     concurrentSyncs: 5
   ignoreOperationAnnotation: false

charts/internal/control-plane/templates/duros-controller.yaml

@@ -100,6 +100,7 @@ spec:
           - -admin-token=/duros/admin-token
           - -admin-key=/duros/admin-key
           - -shoot-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
+          - -psp-disabled={{ .Values.pspDisabled }}
 {{- if .Values.duros.controller.apiEndpoint }}
           - -api-endpoint={{ .Values.duros.controller.apiEndpoint }}
           - -api-ca=/duros/api-ca

charts/internal/shoot-control-plane/templates/audittailer.yaml

@@ -7,6 +7,30 @@ metadata:
     k8s-app: audittailer
   name: audit
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: audittailer-server
+  namespace: audit
+type: Opaque
+data:
+  ca.crt: {{ .Values.audittailer.server.ca }}
+  tls.crt: {{ .Values.audittailer.server.cert }}
+  tls.key: {{ .Values.audittailer.server.key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: audittailer-client
+  namespace: audit
+  labels:
+    name: audittailer-client
+type: Opaque
+data:
+  ca.crt: {{ .Values.audittailer.client.ca }}
+  tls.crt: {{ .Values.audittailer.client.cert }}
+  tls.key: {{ .Values.audittailer.client.key }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -23,13 +47,11 @@ spec:
       labels:
         k8s-app: audittailer
         app: audittailer
+{{- if .Values.audittailer.podAnnotations }}
+      annotations:
+{{ toYaml .Values.audittailer.podAnnotations | indent 8 }}
+{{- end }}
     spec:
-      securityContext:
-        runAsUser: 65534
-        allowPrivilegeEscalation: false
-        capabilities:
-          drop:
-          - ALL
       automountServiceAccountToken: false
       containers:
       - image: {{ index .Values.images "audittailer" }}
@@ -56,14 +78,25 @@ spec:
           limits:
             cpu: 150m
             memory: 512Mi
+        securityContext:
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
+          seccompProfile:
+            type: RuntimeDefault
+{{- end }}
+          capabilities:
+            drop:
+            - ALL
       restartPolicy: Always
       volumes:
       - name: fluentd-config
         configMap:
           name: audittailer-config
       - name: fluentd-certs
         secret:
-          secretName: {{ .Values.audittailer.secretName }}
+          secretName: audittailer-server
       - name: fluentbuffer
         emptyDir: {}
 ---

charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml

@@ -11,6 +11,28 @@ spec:
   policyTypes:
   - Egress
 ---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: droptailer-server
+  namespace: firewall
+type: Opaque
+data:
+  ca.crt: {{ .Values.droptailer.server.ca }}
+  tls.crt: {{ .Values.droptailer.server.cert }}
+  tls.key: {{ .Values.droptailer.server.key }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: droptailer-client
+  namespace: firewall
+type: Opaque
+data:
+  ca.crt: {{ .Values.droptailer.client.ca }}
+  tls.crt: {{ .Values.droptailer.client.cert }}
+  tls.key: {{ .Values.droptailer.client.key }}
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -28,6 +50,10 @@ spec:
         k8s-app: droptailer
         app: droptailer
         networking.gardener.cloud/from-prometheus: allowed
+{{- if .Values.droptailer.podAnnotations }}
+      annotations:
+{{ toYaml .Values.droptailer.podAnnotations | indent 8 }}
+{{- end }}
     spec:
       containers:
       - image: {{ index .Values.images "droptailer" }}
@@ -36,12 +62,6 @@ spec:
         ports:
         - protocol: TCP
           containerPort: 50051
-        securityContext:
-          runAsUser: 65534
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
         env:
         - name: SERVER_CERTIFICATE
           value: /certificates/tls.crt
@@ -57,9 +77,20 @@ spec:
           limits:
             cpu: 50m
             memory: 200Mi
+        securityContext:
+          runAsUser: 65534
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
+          seccompProfile:
+            type: RuntimeDefault
+{{- end }}
+          capabilities:
+            drop:
+            - ALL
       restartPolicy: Always
       automountServiceAccountToken: false
       volumes:
       - name: droptailer-server
         secret:
-          secretName: {{ .Values.droptailer.secretName }}
+          secretName: droptailer-server