From a62e4bb6f59789a0574c6a9003c1ac85623b9138 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Fri, 31 May 2024 15:11:11 +0200 Subject: [PATCH] Remove audit functionality, was moved to separate extension controller. (#353) --- .../templates/configmap.yaml | 13 - .../values.yaml | 10 - charts/images.yaml | 8 - .../internal/cloud-provider-config/Chart.yaml | 4 - .../templates/audit-policy-config.yaml | 186 --------- .../templates/audit-to-splunk.yaml | 46 --- .../cloud-provider-config/values.yaml | 12 - .../templates/audittailer.yaml | 177 --------- .../internal/shoot-control-plane/values.yaml | 16 - example/controller-registration.yaml | 4 +- pkg/apis/config/types.go | 27 +- pkg/apis/config/v1alpha1/types.go | 27 +- .../v1alpha1/zz_generated.conversion.go | 84 ---- .../config/v1alpha1/zz_generated.deepcopy.go | 34 -- pkg/apis/config/zz_generated.deepcopy.go | 34 -- pkg/apis/metal/types_controlplane.go | 22 +- pkg/apis/metal/v1alpha1/types_controlplane.go | 20 +- .../metal/v1alpha1/zz_generated.conversion.go | 8 +- .../metal/v1alpha1/zz_generated.deepcopy.go | 16 +- pkg/apis/metal/validation/control_plane.go | 36 -- .../metal/validation/control_plane_test.go | 19 - pkg/apis/metal/zz_generated.deepcopy.go | 16 +- pkg/controller/controlplane/add.go | 2 +- pkg/controller/controlplane/valuesprovider.go | 220 +---------- pkg/metal/types.go | 14 - pkg/webhook/controlplane/ensurer.go | 361 +----------------- 26 files changed, 63 insertions(+), 1353 deletions(-) delete mode 100644 charts/internal/cloud-provider-config/Chart.yaml delete mode 100644 charts/internal/cloud-provider-config/templates/audit-policy-config.yaml delete mode 100644 charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml delete mode 100644 charts/internal/cloud-provider-config/values.yaml delete mode 100644 charts/internal/shoot-control-plane/templates/audittailer.yaml 
diff --git a/charts/gardener-extension-provider-metal/templates/configmap.yaml b/charts/gardener-extension-provider-metal/templates/configmap.yaml index a30ae7972..d4d491909 100644 --- a/charts/gardener-extension-provider-metal/templates/configmap.yaml +++ b/charts/gardener-extension-provider-metal/templates/configmap.yaml @@ -37,19 +37,6 @@ data: backup: schedule: {{ .Values.config.etcd.backup.schedule }} deltaSnapshotPeriod: {{ .Values.config.etcd.backup.deltaSnapshotPeriod }} - clusterAudit: - enabled: {{ .Values.config.clusterAudit.enabled }} - auditToSplunk: - enabled: {{ .Values.config.auditToSplunk.enabled }} -{{- if .Values.config.auditToSplunk.enabled }} - hecToken: {{ .Values.config.auditToSplunk.hecToken }} - index: {{ .Values.config.auditToSplunk.index }} - hecHost: {{ .Values.config.auditToSplunk.hecHost }} - hecPort: {{ .Values.config.auditToSplunk.hecPort }} - tlsEnabled: {{ .Values.config.auditToSplunk.tlsEnabled }} - hecCAFile: | -{{ .Values.config.auditToSplunk.hecCAFile | indent 8}} -{{- end }} storage: duros: enabled: {{ .Values.config.storage.duros.enabled }} diff --git a/charts/gardener-extension-provider-metal/values.yaml b/charts/gardener-extension-provider-metal/values.yaml index eca54b708..0d07b4e1a 100644 --- a/charts/gardener-extension-provider-metal/values.yaml +++ b/charts/gardener-extension-provider-metal/values.yaml @@ -64,16 +64,6 @@ config: backup: schedule: deltaSnapshotPeriod: - clusterAudit: - enabled: false - auditToSplunk: - enabled: false - hecToken: - index: - hecHost: - hecPort: - tlsEnabled: - hecCAFile: storage: duros: enabled: false diff --git a/charts/images.yaml b/charts/images.yaml index f13bf4608..11a665ab1 100644 --- a/charts/images.yaml +++ b/charts/images.yaml 
@@ -11,14 +11,6 @@ images: sourceRepository: https://github.com/metal-stack/machine-controller-manager-provider-metal repository: ghcr.io/metal-stack/machine-controller-manager-provider-metal tag: "v0.1.17" -- name: auditforwarder - sourceRepository: https://github.com/metal-stack/audit-forwarder - repository: ghcr.io/metal-stack/audit-forwarder - tag: "v0.2.5" -- name: audittailer - sourceRepository: https://github.com/fluent/fluentd - repository: fluent/fluentd - tag: "v1.12" - name: droptailer sourceRepository: github.com/metal-stack/droptailer repository: ghcr.io/metal-stack/droptailer diff --git a/charts/internal/cloud-provider-config/Chart.yaml b/charts/internal/cloud-provider-config/Chart.yaml deleted file mode 100644 index 72db75452..000000000 --- a/charts/internal/cloud-provider-config/Chart.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -description: Helm chart for kubernetes cloud-provider-config -name: cloud-provider-config -version: 0.1.0 diff --git a/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml b/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml deleted file mode 100644 index 2a31449ee..000000000 --- a/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml +++ /dev/null 
@@ -1,186 +0,0 @@ -{{- if .Values.clusterAudit.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: audit-policy-override - namespace: {{ .Release.Namespace }} -data: - audit-policy.yaml: | - --- - apiVersion: audit.k8s.io/v1 - kind: Policy - rules: - # The following requests were manually identified as high-volume and low-risk, - # so drop them. - - level: None - resources: - - group: "" - resources: - - endpoints - - services - - services/status - users: - - 'system:kube-proxy' - verbs: - - watch - - level: None - resources: - - group: "" - resources: - - nodes - - nodes/status - userGroups: - - 'system:nodes' - verbs: - - get - - level: None - namespaces: - - kube-system - resources: - - group: "" - resources: - - endpoints - users: - - 'system:kube-controller-manager' - - 'system:kube-scheduler' - - 'system:serviceaccount:kube-system:endpoint-controller' - verbs: - - get - - update - - level: None - resources: - - group: "" - resources: - - namespaces - - namespaces/status - - namespaces/finalize - users: - - 'system:apiserver' - verbs: - - get - # Don't log HPA fetching metrics. - - level: None - resources: - - group: metrics.k8s.io - users: - - 'system:kube-controller-manager' - verbs: - - get - - list - # Don't log these read-only URLs. - - level: None - nonResourceURLs: - - '/healthz*' - - /version - - '/swagger*' - # Don't log events requests. 
- - level: None - resources: - - group: "" - resources: - - events - # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes - - level: Request - omitStages: - - RequestReceived - resources: - - group: "" - resources: - - nodes/status - - pods/status - users: - - kubelet - - 'system:node-problem-detector' - - 'system:serviceaccount:kube-system:node-problem-detector' - verbs: - - update - - patch - - level: Request - omitStages: - - RequestReceived - resources: - - group: "" - resources: - - nodes/status - - pods/status - userGroups: - - 'system:nodes' - verbs: - - update - - patch - # deletecollection calls can be large, don't log responses for expected namespace deletions - - level: Request - omitStages: - - RequestReceived - users: - - 'system:serviceaccount:kube-system:namespace-controller' - verbs: - - deletecollection - # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data, - # so only log at the Metadata level. - - level: Metadata - omitStages: - - RequestReceived - resources: - - group: "" - resources: - - secrets - - configmaps - - group: authentication.k8s.io - resources: - - tokenreviews - # Get repsonses can be large; skip them. 
- - level: Request - omitStages: - - RequestReceived - resources: - - group: "" - - group: admissionregistration.k8s.io - - group: apiextensions.k8s.io - - group: apiregistration.k8s.io - - group: apps - - group: authentication.k8s.io - - group: authorization.k8s.io - - group: autoscaling - - group: batch - - group: certificates.k8s.io - - group: extensions - - group: metrics.k8s.io - - group: networking.k8s.io - - group: policy - - group: rbac.authorization.k8s.io - - group: scheduling.k8s.io - - group: settings.k8s.io - - group: storage.k8s.io - verbs: - - get - - list - - watch - # Default level for known APIs - - level: RequestResponse - omitStages: - - RequestReceived - resources: - - group: "" - - group: admissionregistration.k8s.io - - group: apiextensions.k8s.io - - group: apiregistration.k8s.io - - group: apps - - group: authentication.k8s.io - - group: authorization.k8s.io - - group: autoscaling - - group: batch - - group: certificates.k8s.io - - group: extensions - - group: metrics.k8s.io - - group: networking.k8s.io - - group: policy - - group: rbac.authorization.k8s.io - - group: scheduling.k8s.io - - group: settings.k8s.io - - group: storage.k8s.io - # Default level for all other requests. - - level: Metadata - omitStages: - - RequestReceived -{{- end }} diff --git a/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml b/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml deleted file mode 100644 index 3c9d1c4a7..000000000 --- a/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{- if .Values.auditToSplunk.enabled }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: audit-to-splunk-secret - namespace: {{ .Release.Namespace }} -type: Opaque -data: - splunk_hec_token: {{ .Values.auditToSplunk.hecToken | b64enc }} -{{- if .Values.auditToSplunk.hecCAFile }} - splunk-ca.pem: {{ .Values.auditToSplunk.hecCAFile | b64enc }} -{{- end }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: audit-to-splunk-config - namespace: {{ .Release.Namespace }} -data: - splunk.conf: | - [FILTER] - Name rewrite_tag - Match audit - Rule $kind Event tosplunk true - - [OUTPUT] - Name splunk - Match tosplunk - Host {{ .Values.auditToSplunk.hecHost }} - Port {{ .Values.auditToSplunk.hecPort }} - Splunk_Token ${SPLUNK_HEC_TOKEN} -{{- if .Values.auditToSplunk.tlsEnabled }} - TLS On - TLS.Verify On -{{- end }} -{{- if .Values.auditToSplunk.hecCAFile }} - TLS.CA_File /fluent-bit/etc/splunkca/splunk-ca.pem -{{- end }} - Retry_Limit False - Splunk_Send_Raw Off - Event_Source ${MY_POD_NAME} - Event_Sourcetype kube:apiserver:auditlog - Event_Index {{ .Values.auditToSplunk.index }} - Event_Host {{ .Values.auditToSplunk.clusterName }} -{{- end }} diff --git a/charts/internal/cloud-provider-config/values.yaml b/charts/internal/cloud-provider-config/values.yaml deleted file mode 100644 index 006d31970..000000000 --- a/charts/internal/cloud-provider-config/values.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -clusterAudit: - enabled: false -auditToSplunk: - enabled: false - hecToken: dummy-token - index: splunk-logging-index - hecHost: splunk.example.org - hecPort: 8123 - tlsEnabled: false - hecCAFile: base64-encoded ca cert for the splunk hec endpoint - clusterName: cluster-name diff --git a/charts/internal/shoot-control-plane/templates/audittailer.yaml b/charts/internal/shoot-control-plane/templates/audittailer.yaml deleted file mode 100644 index 54d3469a9..000000000 --- a/charts/internal/shoot-control-plane/templates/audittailer.yaml +++ /dev/null 
@@ -1,177 +0,0 @@ -{{- if .Values.clusterAudit.enabled }} ---- -apiVersion: v1 -kind: Namespace -metadata: - labels: - k8s-app: audittailer - name: audit ---- -apiVersion: v1 -kind: Secret -metadata: - name: audittailer-server - namespace: audit -type: Opaque -data: - ca.crt: {{ .Values.audittailer.server.ca }} - tls.crt: {{ .Values.audittailer.server.cert }} - tls.key: {{ .Values.audittailer.server.key }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: audittailer-client - namespace: audit - labels: - name: audittailer-client -type: Opaque -data: - ca.crt: {{ .Values.audittailer.client.ca }} - tls.crt: {{ .Values.audittailer.client.cert }} - tls.key: {{ .Values.audittailer.client.key }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: audittailer - namespace: audit - labels: - k8s-app: audittailer -spec: - selector: - matchLabels: - k8s-app: audittailer - template: - metadata: - labels: - k8s-app: audittailer - app: audittailer -{{- if .Values.audittailer.podAnnotations }} - annotations: -{{ toYaml .Values.audittailer.podAnnotations | indent 8 }} -{{- end }} - spec: - automountServiceAccountToken: false - containers: - - image: {{ index .Values.images "audittailer" }} - imagePullPolicy: {{ .Values.imagePullPolicy }} - name: audittailer - env: - # This is supposed to limit fluentd memory usage. See https://docs.fluentd.org/deployment/performance-tuning-single-process#reduce-memory-usage. 
- - name: RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR - value: "1.2" - ports: - - containerPort: 24224 - protocol: TCP - volumeMounts: - - name: fluentd-config - mountPath: /fluentd/etc - - name: fluentd-certs - mountPath: /fluentd/etc/ssl - - name: fluentbuffer - mountPath: /fluentbuffer - resources: - requests: - cpu: 100m - memory: 200Mi - limits: - cpu: 150m - memory: 512Mi - securityContext: - runAsUser: 65534 - allowPrivilegeEscalation: false - runAsNonRoot: true -{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }} - seccompProfile: - type: RuntimeDefault -{{- end }} - capabilities: - drop: - - ALL - restartPolicy: Always - volumes: - - name: fluentd-config - configMap: - name: audittailer-config - - name: fluentd-certs - secret: - secretName: audittailer-server - - name: fluentbuffer - emptyDir: {} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: audittailer-config - namespace: audit - labels: - app.kubernetes.io/name: audittailer -data: - fluent.conf: | - - @type forward - port 24224 - bind 0.0.0.0 - - ca_path /fluentd/etc/ssl/ca.crt - cert_path /fluentd/etc/ssl/tls.crt - private_key_path /fluentd/etc/ssl/tls.key - client_cert_auth true - - - - @type stdout - - @type file - path /fluentbuffer/auditlog-* - chunk_limit_size 256Mb - - - @type json - - ---- -apiVersion: v1 -kind: Service -metadata: - name: audittailer - namespace: audit - labels: - app: audittailer -spec: - selector: - app: audittailer - ports: - - port: 24224 - targetPort: 24224 ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: audittailer - namespace: audit -rules: -- apiGroups: - - "" - resources: - - services - - secrets - verbs: - - get - - list ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: audittailer - namespace: audit -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: audittailer -subjects: -- kind: ServiceAccount - name: audittailer-client - namespace: kube-system -{{- end }} 
diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml index e006201d3..50b003537 100644 --- a/charts/internal/shoot-control-plane/values.yaml +++ b/charts/internal/shoot-control-plane/values.yaml @@ -5,11 +5,9 @@ nodeCIDR: pspDisabled: false images: - audittailer: image-repository:image-tag droptailer: image-repository:image-tag metallb-speaker: image-repository:image-tag metallb-controller: image-repository:image-tag - fluentd-splunk-audit: image-repository:image-tag node-init: image-repository:image-tag metallb-health-sidecar: image-repository:image-tag @@ -19,9 +17,6 @@ duros: enabled: false endpoints: [] -clusterAudit: - enabled: false - nodeInit: enabled: true @@ -54,14 +49,3 @@ droptailer: ca: "" cert: "" key: "" - -audittailer: - podAnnotations: {} - server: - ca: "" - cert: "" - key: "" - client: - ca: "" - cert: "" - key: "" diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml index 4e6334ff5..ed6d9a55f 100644 --- a/example/controller-registration.yaml +++ b/example/controller-registration.yaml @@ -5,10 +5,10 @@ metadata: name: provider-metal type: helm providerConfig: - chart: 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 + chart: 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 values: image: - tag: v0.22.11 + tag: v0.22.12 --- apiVersion: core.gardener.cloud/v1beta1 kind: ControllerRegistration diff --git a/pkg/apis/config/types.go b/pkg/apis/config/types.go index df7ec5265..8ab5fbeb2 100644 --- a/pkg/apis/config/types.go +++ b/pkg/apis/config/types.go 
@@ -30,12 +30,6 @@ type ControllerConfiguration struct { // ETCD is the etcd configuration. ETCD ETCD - // ClusterAudit is the configuration for cluster auditing. - ClusterAudit ClusterAudit - - // AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk. - AuditToSplunk AuditToSplunk - // HealthCheckConfig is the config for the health check controller HealthCheckConfig *healthcheckconfig.HealthCheckConfig @@ -91,26 +85,7 @@ type ETCDBackup struct { DeltaSnapshotPeriod *string } -// ClusterAudit is the configuration for cluster auditing. -type ClusterAudit struct { - // Enabled enables collecting of the kube-apiserver auditlog. - Enabled bool -} - -// AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk. -type AuditToSplunk struct { - // Enabled enables forwarding of the kube-apiserver auditlog to splunk. - Enabled bool - // This defines the default splunk endpoint unless otherwise specified by the cluster user - HECToken string - Index string - HECHost string - HECPort int - TLSEnabled bool - HECCAFile string -} - -// StorageConfiguration contains the configuration for provider specific storage solutions. +// StorageConfiguration contains the configuration for provider specfic storage solutions. type StorageConfiguration struct { // Duros contains the configuration for duros cloud storage Duros DurosConfiguration diff --git a/pkg/apis/config/v1alpha1/types.go b/pkg/apis/config/v1alpha1/types.go index 116e5d271..324e410b8 100644 --- a/pkg/apis/config/v1alpha1/types.go +++ b/pkg/apis/config/v1alpha1/types.go 
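Review bot: The rewritten doc comment on StorageConfiguration in the second hunk of this file introduces a typo: the `+` line replaces the previously correct wording with `provider specfic storage solutions`. Keep the original text, `// StorageConfiguration contains the configuration for provider specific storage solutions.`, since this comment is the only documentation of the type and the removed line was already right. The same regression is repeated in the hunk for pkg/apis/config/v1alpha1/types.go directly below, where the comment should be restored identically. Nothing else in these two hunks changes the surviving struct definitions, so the fix is documentation only.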
@@ -31,12 +31,6 @@ type ControllerConfiguration struct { // ETCD is the etcd configuration. ETCD ETCD `json:"etcd"` - // ClusterAudit is the configuration for cluster auditing. - ClusterAudit ClusterAudit `json:"clusterAudit"` - - // AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk. - AuditToSplunk AuditToSplunk `json:"auditToSplunk"` - // HealthCheckConfig is the config for the health check controller // +optional HealthCheckConfig *healthcheckconfigv1alpha1.HealthCheckConfig `json:"healthCheckConfig,omitempty"` @@ -97,26 +91,7 @@ type ETCDBackup struct { DeltaSnapshotPeriod *string `json:"deltaSnapshotPeriod,omitempty"` } -// ClusterAudit is the configuration for cluster auditing. -type ClusterAudit struct { - // Enabled enables collecting of the kube-apiserver audit log. - Enabled bool `json:"enabled"` -} - -// AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk. -type AuditToSplunk struct { - // Enabled enables forwarding of the kube-apiserver auditlogto splunk. - Enabled bool `json:"enabled"` - // This defines the default splunk endpoint unless otherwise specified by the cluster user - HECToken string `json:"hecToken"` - Index string `json:"index"` - HECHost string `json:"hecHost"` - HECPort int `json:"hecPort"` - TLSEnabled bool `json:"tlsEnabled"` - HECCAFile string `json:"hecCAFile"` -} - -// StorageConfiguration contains the configuration for provider specific storage solutions. +// StorageConfiguration contains the configuration for provider specfic storage solutions. type StorageConfiguration struct { // Duros contains the configuration for duros cloud storage Duros DurosConfiguration `json:"duros"` diff --git a/pkg/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/apis/config/v1alpha1/zz_generated.conversion.go index c9e2c6fbd..3785c1d57 100644 --- a/pkg/apis/config/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/config/v1alpha1/zz_generated.conversion.go 
@@ -29,26 +29,6 @@ func init() { // RegisterConversions adds conversion functions to the given scheme. // Public to allow building arbitrary schemes. func RegisterConversions(s *runtime.Scheme) error { - if err := s.AddGeneratedConversionFunc((*AuditToSplunk)(nil), (*config.AuditToSplunk)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(a.(*AuditToSplunk), b.(*config.AuditToSplunk), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*config.AuditToSplunk)(nil), (*AuditToSplunk)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(a.(*config.AuditToSplunk), b.(*AuditToSplunk), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*ClusterAudit)(nil), (*config.ClusterAudit)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(a.(*ClusterAudit), b.(*config.ClusterAudit), scope) - }); err != nil { - return err - } - if err := s.AddGeneratedConversionFunc((*config.ClusterAudit)(nil), (*ClusterAudit)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(a.(*config.ClusterAudit), b.(*ClusterAudit), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*ControllerConfiguration)(nil), (*config.ControllerConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_v1alpha1_ControllerConfiguration_To_config_ControllerConfiguration(a.(*ControllerConfiguration), b.(*config.ControllerConfiguration), scope) }); err != nil { 
@@ -162,58 +142,6 @@ func RegisterConversions(s *runtime.Scheme) error { return nil } -func autoConvert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in *AuditToSplunk, out *config.AuditToSplunk, s conversion.Scope) error { - out.Enabled = in.Enabled - out.HECToken = in.HECToken - out.Index = in.Index - out.HECHost = in.HECHost - out.HECPort = in.HECPort - out.TLSEnabled = in.TLSEnabled - out.HECCAFile = in.HECCAFile - return nil -} - -// Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk is an autogenerated conversion function. -func Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in *AuditToSplunk, out *config.AuditToSplunk, s conversion.Scope) error { - return autoConvert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in, out, s) -} - -func autoConvert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in *config.AuditToSplunk, out *AuditToSplunk, s conversion.Scope) error { - out.Enabled = in.Enabled - out.HECToken = in.HECToken - out.Index = in.Index - out.HECHost = in.HECHost - out.HECPort = in.HECPort - out.TLSEnabled = in.TLSEnabled - out.HECCAFile = in.HECCAFile - return nil -} - -// Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk is an autogenerated conversion function. -func Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in *config.AuditToSplunk, out *AuditToSplunk, s conversion.Scope) error { - return autoConvert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in, out, s) -} - -func autoConvert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in *ClusterAudit, out *config.ClusterAudit, s conversion.Scope) error { - out.Enabled = in.Enabled - return nil -} - -// Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit is an autogenerated conversion function. 
-func Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in *ClusterAudit, out *config.ClusterAudit, s conversion.Scope) error { - return autoConvert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in, out, s) -} - -func autoConvert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in *config.ClusterAudit, out *ClusterAudit, s conversion.Scope) error { - out.Enabled = in.Enabled - return nil -} - -// Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit is an autogenerated conversion function. -func Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in *config.ClusterAudit, out *ClusterAudit, s conversion.Scope) error { - return autoConvert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in, out, s) -} - func autoConvert_v1alpha1_ControllerConfiguration_To_config_ControllerConfiguration(in *ControllerConfiguration, out *config.ControllerConfiguration, s conversion.Scope) error { out.ClientConnection = (*componentbaseconfig.ClientConnectionConfiguration)(unsafe.Pointer(in.ClientConnection)) out.MachineImages = *(*[]config.MachineImage)(unsafe.Pointer(&in.MachineImages)) @@ -221,12 +149,6 @@ func autoConvert_v1alpha1_ControllerConfiguration_To_config_ControllerConfigurat if err := Convert_v1alpha1_ETCD_To_config_ETCD(&in.ETCD, &out.ETCD, s); err != nil { return err } - if err := Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(&in.ClusterAudit, &out.ClusterAudit, s); err != nil { - return err - } - if err := Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(&in.AuditToSplunk, &out.AuditToSplunk, s); err != nil { - return err - } out.HealthCheckConfig = (*apisconfig.HealthCheckConfig)(unsafe.Pointer(in.HealthCheckConfig)) if err := Convert_v1alpha1_StorageConfiguration_To_config_StorageConfiguration(&in.Storage, &out.Storage, s); err != nil { return err 
@@ -249,12 +171,6 @@ func autoConvert_config_ControllerConfiguration_To_v1alpha1_ControllerConfigurat if err := Convert_config_ETCD_To_v1alpha1_ETCD(&in.ETCD, &out.ETCD, s); err != nil { return err } - if err := Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(&in.ClusterAudit, &out.ClusterAudit, s); err != nil { - return err - } - if err := Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(&in.AuditToSplunk, &out.AuditToSplunk, s); err != nil { - return err - } out.HealthCheckConfig = (*apisconfigv1alpha1.HealthCheckConfig)(unsafe.Pointer(in.HealthCheckConfig)) if err := Convert_config_StorageConfiguration_To_v1alpha1_StorageConfiguration(&in.Storage, &out.Storage, s); err != nil { return err diff --git a/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go index 0299746cb..9ff9c4f32 100644 --- a/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go 
@@ -15,38 +15,6 @@ import ( configv1alpha1 "k8s.io/component-base/config/v1alpha1" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuditToSplunk) DeepCopyInto(out *AuditToSplunk) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditToSplunk. -func (in *AuditToSplunk) DeepCopy() *AuditToSplunk { - if in == nil { - return nil - } - out := new(AuditToSplunk) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterAudit) DeepCopyInto(out *ClusterAudit) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAudit. -func (in *ClusterAudit) DeepCopy() *ClusterAudit { - if in == nil { - return nil - } - out := new(ClusterAudit) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) { *out = *in @@ -67,8 +35,6 @@ func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) { copy(*out, *in) } in.ETCD.DeepCopyInto(&out.ETCD) - out.ClusterAudit = in.ClusterAudit - out.AuditToSplunk = in.AuditToSplunk if in.HealthCheckConfig != nil { in, out := &in.HealthCheckConfig, &out.HealthCheckConfig *out = new(apisconfigv1alpha1.HealthCheckConfig) diff --git a/pkg/apis/config/zz_generated.deepcopy.go b/pkg/apis/config/zz_generated.deepcopy.go index 318204967..455d6366f 100644 --- a/pkg/apis/config/zz_generated.deepcopy.go +++ b/pkg/apis/config/zz_generated.deepcopy.go 
@@ -15,38 +15,6 @@ import ( componentbaseconfig "k8s.io/component-base/config" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AuditToSplunk) DeepCopyInto(out *AuditToSplunk) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditToSplunk. -func (in *AuditToSplunk) DeepCopy() *AuditToSplunk { - if in == nil { - return nil - } - out := new(AuditToSplunk) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterAudit) DeepCopyInto(out *ClusterAudit) { - *out = *in - return -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAudit. -func (in *ClusterAudit) DeepCopy() *ClusterAudit { - if in == nil { - return nil - } - out := new(ClusterAudit) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) { *out = *in @@ -67,8 +35,6 @@ func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) { copy(*out, *in) } in.ETCD.DeepCopyInto(&out.ETCD) - out.ClusterAudit = in.ClusterAudit - out.AuditToSplunk = in.AuditToSplunk if in.HealthCheckConfig != nil { in, out := &in.HealthCheckConfig, &out.HealthCheckConfig *out = new(apisconfig.HealthCheckConfig) diff --git a/pkg/apis/metal/types_controlplane.go b/pkg/apis/metal/types_controlplane.go index 9589f9bc4..365c40886 100644 --- a/pkg/apis/metal/types_controlplane.go +++ b/pkg/apis/metal/types_controlplane.go 
@@ -41,24 +41,28 @@ type ControlPlaneFeatures struct { // Deprecated: This is now default and always on. Toggle does not have an effect anymore. // +optional MachineControllerManagerOOT *bool + + // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller. + // +optional + DurosStorageEncryption *bool + // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries) + // by using DNS egress policies. + // Requires firewall-controller >= 1.2.0. + // Deprecated: Will be replaced by NetworkAccessRestricted. + // +optional + RestrictEgress *bool + // ClusterAudit enables the deployment of a non-null audit policy to the apiserver and the forwarding // of the audit events into the cluster where they appear as container log of an audittailer pod, where they // can be picked up by any of the available Kubernetes logging solutions. + // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing. // +optional ClusterAudit *bool // AuditToSplunk enables the forwarding of the apiserver auditlog to a defined splunk instance in addition to // forwarding it into the cluster. Needs the clusterAudit featureGate to be active. + // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing. // +optional AuditToSplunk *bool - // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller. - // +optional - DurosStorageEncryption *bool - // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries) - // by using DNS egress policies. - // Requires firewall-controller >= 1.2.0. - // Deprecated: Will be replaced by NetworkAccessRestricted. 
- // +optional - RestrictEgress *bool `json:"restrictEgress,omitempty"` } // CloudControllerManagerConfig contains configuration settings for the cloud-controller-manager. diff --git a/pkg/apis/metal/v1alpha1/types_controlplane.go b/pkg/apis/metal/v1alpha1/types_controlplane.go index e67fcc8ec..4f3a9b564 100644 --- a/pkg/apis/metal/v1alpha1/types_controlplane.go +++ b/pkg/apis/metal/v1alpha1/types_controlplane.go 
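Review bot: The ClusterAudit and AuditToSplunk feature toggles stay in ControlPlaneFeatures (the struct begins before this hunk) but, with the audit charts and valuesprovider code removed elsewhere in this commit, a shoot that still sets `clusterAudit: true` now has its audit logging silently dropped rather than rejected; the diffstat shows only deletions in pkg/apis/metal/validation/control_plane.go, so presumably no warning was added there. Consider surfacing a validation warning when either deprecated flag is set to true so operators notice the change in effective audit coverage, and adding a sentence to the Deprecated note such as `// Setting this flag has no effect; configure auditing via the gardener-extension-audit extension instead.`. The retained sentence `Needs the clusterAudit featureGate to be active.` on AuditToSplunk is now misleading next to the Deprecated line and could be dropped. The same applies to the v1alpha1 copy of this struct in pkg/apis/metal/v1alpha1/types_controlplane.go below, whose json tags keep both fields accepted on input.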
@@ -41,23 +41,27 @@ type ControlPlaneFeatures struct { // Deprecated: This is now default and always on. Toggle does not have an effect anymore. // +optional MachineControllerManagerOOT *bool `json:"machineControllerManagerOOT,omitempty"` + + // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller. + // +optional + DurosStorageEncryption *bool `json:"durosStorageEncryption,omitempty"` + // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries) + // by using DNS egress policies. + // Requires firewall-controller >= 1.2.0. + // +optional + RestrictEgress *bool `json:"restrictEgress,omitempty"` + // ClusterAudit enables the deployment of a non-null audit policy to the apiserver and the forwarding // of the audit events into the cluster where they appear as container log of an audittailer pod, where they // can be picked up by any of the available Kubernetes logging solutions. + // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing. // +optional ClusterAudit *bool `json:"clusterAudit,omitempty"` // AuditToSplunk enables the forwarding of the apiserver auditlog to a defined splunk instance in addition to // forwarding it into the cluster. Needs the clusterAudit featureGate to be active. + // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing. // +optional AuditToSplunk *bool `json:"auditToSplunk,omitempty"` - // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller. - // +optional - DurosStorageEncryption *bool `json:"durosStorageEncryption,omitempty"` - // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries) - // by using DNS egress policies. - // Requires firewall-controller >= 1.2.0. 
- // +optional - RestrictEgress *bool `json:"restrictEgress,omitempty"` } // CloudControllerManagerConfig contains configuration settings for the cloud-controller-manager. diff --git a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go index 627ac9607..a13f891bb 100644 --- a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go +++ b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go @@ -333,10 +333,10 @@ func Convert_metal_ControlPlaneConfig_To_v1alpha1_ControlPlaneConfig(in *metal.C func autoConvert_v1alpha1_ControlPlaneFeatures_To_metal_ControlPlaneFeatures(in *ControlPlaneFeatures, out *metal.ControlPlaneFeatures, s conversion.Scope) error { out.MachineControllerManagerOOT = (*bool)(unsafe.Pointer(in.MachineControllerManagerOOT)) - out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit)) - out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk)) out.DurosStorageEncryption = (*bool)(unsafe.Pointer(in.DurosStorageEncryption)) out.RestrictEgress = (*bool)(unsafe.Pointer(in.RestrictEgress)) + out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit)) + out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk)) return nil } @@ -347,10 +347,10 @@ func Convert_v1alpha1_ControlPlaneFeatures_To_metal_ControlPlaneFeatures(in *Con func autoConvert_metal_ControlPlaneFeatures_To_v1alpha1_ControlPlaneFeatures(in *metal.ControlPlaneFeatures, out *ControlPlaneFeatures, s conversion.Scope) error { out.MachineControllerManagerOOT = (*bool)(unsafe.Pointer(in.MachineControllerManagerOOT)) - out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit)) - out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk)) out.DurosStorageEncryption = (*bool)(unsafe.Pointer(in.DurosStorageEncryption)) out.RestrictEgress = (*bool)(unsafe.Pointer(in.RestrictEgress)) + out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit)) + out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk)) return nil } 
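Review bot: The RestrictEgress comment rewritten in this hunk omits the `// Deprecated: Will be replaced by NetworkAccessRestricted.` line that the internal type's copy in pkg/apis/metal/types_controlplane.go carries, and v1alpha1 is the version users actually read. Since the lines are being moved anyway, add that Deprecated line between the firewall-controller requirement and `// +optional` so both API versions agree. The enclosing struct begins above this hunk.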
diff --git a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go index 9956a7d45..f3a544fb4 100644 --- a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go @@ -148,23 +148,23 @@ func (in *ControlPlaneFeatures) DeepCopyInto(out *ControlPlaneFeatures) { *out = new(bool) **out = **in } - if in.ClusterAudit != nil { - in, out := &in.ClusterAudit, &out.ClusterAudit + if in.DurosStorageEncryption != nil { + in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption *out = new(bool) **out = **in } - if in.AuditToSplunk != nil { - in, out := &in.AuditToSplunk, &out.AuditToSplunk + if in.RestrictEgress != nil { + in, out := &in.RestrictEgress, &out.RestrictEgress *out = new(bool) **out = **in } - if in.DurosStorageEncryption != nil { - in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption + if in.ClusterAudit != nil { + in, out := &in.ClusterAudit, &out.ClusterAudit *out = new(bool) **out = **in } - if in.RestrictEgress != nil { - in, out := &in.RestrictEgress, &out.RestrictEgress + if in.AuditToSplunk != nil { + in, out := &in.AuditToSplunk, &out.AuditToSplunk *out = new(bool) **out = **in } diff --git a/pkg/apis/metal/validation/control_plane.go b/pkg/apis/metal/validation/control_plane.go index 96d0389e6..ae5496b98 100644 --- a/pkg/apis/metal/validation/control_plane.go +++ b/pkg/apis/metal/validation/control_plane.go @@ -2,7 +2,6 @@ package validation import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" "k8s.io/apimachinery/pkg/util/validation/field" 
@@ -20,40 +19,5 @@ func ValidateControlPlaneConfig(controlPlaneConfig *apismetal.ControlPlaneConfig func validateFeatureGates(controlPlaneConfig *apismetal.ControlPlaneConfig, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} - fgPath := fldPath.Child("featureGates") - auditToSplunkPath := fgPath.Child("auditToSplunk") - - if auditToSplunkEnabled(controlPlaneConfig) && !clusterAuditEnabled(controlPlaneConfig) { - allErrs = append(allErrs, field.Invalid(auditToSplunkPath, true, "cluster audit feature gate has to be enabled when using audit to splunk feature gate")) - } - return allErrs } - -func ClusterAuditEnabled(controllerConfig *config.ControllerConfiguration, cpConfig *apismetal.ControlPlaneConfig) bool { - if !controllerConfig.ClusterAudit.Enabled { - return false - } - return clusterAuditEnabled(cpConfig) -} - -func clusterAuditEnabled(cpConfig *apismetal.ControlPlaneConfig) bool { - if cpConfig.FeatureGates.ClusterAudit != nil && *cpConfig.FeatureGates.ClusterAudit { - return true - } - return false -} - -func AuditToSplunkEnabled(controllerConfig *config.ControllerConfiguration, cpConfig *apismetal.ControlPlaneConfig) bool { - if !controllerConfig.AuditToSplunk.Enabled { - return false - } - return auditToSplunkEnabled(cpConfig) -} - -func auditToSplunkEnabled(cpConfig *apismetal.ControlPlaneConfig) bool { - if cpConfig.FeatureGates.AuditToSplunk != nil && *cpConfig.FeatureGates.AuditToSplunk { - return true - } - return false -} diff --git a/pkg/apis/metal/validation/control_plane_test.go b/pkg/apis/metal/validation/control_plane_test.go index 9e7ad6a18..3b888fc34 100644 --- a/pkg/apis/metal/validation/control_plane_test.go +++ b/pkg/apis/metal/validation/control_plane_test.go @@ -9,7 +9,6 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - . "github.com/onsi/gomega/gstruct" ) var _ = Describe("ControlPlaneconfig validation", func() { 
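Review bot: validateFeatureGates now unconditionally returns an empty list, so a shoot that still sets clusterAudit or auditToSplunk to true passes validation while the flags do nothing, and an operator may keep believing apiserver audit events are being forwarded. Consider rejecting the deprecated gates instead of silently accepting them: `if controlPlaneConfig.FeatureGates.ClusterAudit != nil && *controlPlaneConfig.FeatureGates.ClusterAudit {` / `allErrs = append(allErrs, field.Forbidden(fldPath.Child("featureGates", "clusterAudit"), "cluster audit is handled by gardener-extension-audit, this feature gate has no effect anymore"))` / `}`, and the same for auditToSplunk; if rejecting existing shoots is too disruptive, at least add a comment stating that the function is intentionally empty and that fldPath is currently unused. The test dropped from control_plane_test.go in the following hunks could then be replaced by one covering whichever behaviour is chosen.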
@@ -20,13 +19,9 @@ var _ = Describe("ControlPlaneconfig validation", func() { BeforeEach(func() { oot := true - ca := true - as := false controlPlaneConfig = &apismetal.ControlPlaneConfig{ FeatureGates: apismetal.ControlPlaneFeatures{ MachineControllerManagerOOT: &oot, - ClusterAudit: &ca, - AuditToSplunk: &as, }, } }) @@ -35,19 +30,5 @@ var _ = Describe("ControlPlaneconfig validation", func() { It("should return no errors for an unchanged config", func() { Expect(ValidateControlPlaneConfig(controlPlaneConfig, cloudProfile, field.NewPath("spec"))).To(BeEmpty()) }) - - It("should not allow auditToSplunk without clusterAudit", func() { - *controlPlaneConfig.FeatureGates.ClusterAudit = false - *controlPlaneConfig.FeatureGates.AuditToSplunk = true - - errorList := ValidateControlPlaneConfig(controlPlaneConfig, cloudProfile, field.NewPath("spec")) - - Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{ - "Type": Equal(field.ErrorTypeInvalid), - "Field": Equal("spec.featureGates.auditToSplunk"), - "BadValue": Equal(true), - "Detail": Equal("cluster audit feature gate has to be enabled when using audit to splunk feature gate"), - })))) - }) }) }) diff --git a/pkg/apis/metal/zz_generated.deepcopy.go b/pkg/apis/metal/zz_generated.deepcopy.go index 2c8e382ab..d855557c4 100644 --- a/pkg/apis/metal/zz_generated.deepcopy.go +++ b/pkg/apis/metal/zz_generated.deepcopy.go 
@@ -148,23 +148,23 @@ func (in *ControlPlaneFeatures) DeepCopyInto(out *ControlPlaneFeatures) { *out = new(bool) **out = **in } - if in.ClusterAudit != nil { - in, out := &in.ClusterAudit, &out.ClusterAudit + if in.DurosStorageEncryption != nil { + in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption *out = new(bool) **out = **in } - if in.AuditToSplunk != nil { - in, out := &in.AuditToSplunk, &out.AuditToSplunk + if in.RestrictEgress != nil { + in, out := &in.RestrictEgress, &out.RestrictEgress *out = new(bool) **out = **in } - if in.DurosStorageEncryption != nil { - in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption + if in.ClusterAudit != nil { + in, out := &in.ClusterAudit, &out.ClusterAudit *out = new(bool) **out = **in } - if in.RestrictEgress != nil { - in, out := &in.RestrictEgress, &out.RestrictEgress + if in.AuditToSplunk != nil { + in, out := &in.AuditToSplunk, &out.AuditToSplunk *out = new(bool) **out = **in } diff --git a/pkg/controller/controlplane/add.go b/pkg/controller/controlplane/add.go index e1ec37158..24bf3b06a 100644 --- a/pkg/controller/controlplane/add.go +++ b/pkg/controller/controlplane/add.go @@ -49,7 +49,7 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO actuator, err := genericactuator.NewActuator(mgr, metal.Name, secretConfigsFunc, shootAccessSecretsFunc, nil, nil, - configChart, controlPlaneChart, cpShootChart, nil, storageClassChart, nil, + nil, controlPlaneChart, cpShootChart, nil, storageClassChart, nil, NewValuesProvider(mgr, opts.ControllerConfig), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot), imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, defaultServer.Options.Port, ) diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index fd3ad82c5..94f0ebd0c 100644 --- a/pkg/controller/controlplane/valuesprovider.go 
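Review bot: The genericactuator.NewActuator call in add.go now has a bare `nil` in the slot configChart used to occupy, next to several other positional nils, and the hunk gives no hint which dependency was vacated. A trailing comment on that line, `nil, controlPlaneChart, cpShootChart, nil, storageClassChart, nil, // no config chart anymore, audit moved to gardener-extension-audit`, keeps the argument list readable for the next person touching it. AddToManagerWithOptions starts above this hunk.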
+++ b/pkg/controller/controlplane/valuesprovider.go @@ -2,7 +2,6 @@ package controlplane import ( "context" - "errors" "fmt" "net/netip" "net/url" @@ -12,7 +11,6 @@ import ( "strings" "time" - "github.com/gardener/gardener/extensions/pkg/util" "github.com/metal-stack/metal-go/api/client/network" "github.com/metal-stack/metal-go/api/models" "github.com/metal-stack/metal-lib/pkg/pointer" @@ -22,7 +20,6 @@ import ( durosv1 "github.com/metal-stack/duros-controller/api/v1" firewallv1 "github.com/metal-stack/firewall-controller/v2/api/v1" - extensionsconfig "github.com/gardener/gardener/extensions/pkg/apis/config" extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" gardencorev1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" 
@@ -32,20 +29,25 @@ import ( apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" - metalgo "github.com/metal-stack/metal-go" - metalclient "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal/client" + metalgo "github.com/metal-stack/metal-go" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/validation" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" + policyv1beta1 "k8s.io/api/policy/v1beta1" + rbacv1 "k8s.io/api/rbac/v1" + storagev1 "k8s.io/api/storage/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" gutil "github.com/gardener/gardener/pkg/utils/gardener" kutil "github.com/gardener/gardener/pkg/utils/kubernetes" - v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" - extensionssecretsmanager "github.com/gardener/gardener/extensions/pkg/util/secret/manager" + v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" "github.com/gardener/gardener/pkg/utils/chart" "github.com/gardener/gardener/pkg/utils/secrets" @@ -53,17 +55,6 @@ import ( "github.com/go-logr/logr" - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" - appsv1 "k8s.io/api/apps/v1" - corev1 "k8s.io/api/core/v1" - networkingv1 "k8s.io/api/networking/v1" - policyv1beta1 "k8s.io/api/policy/v1beta1" - rbacv1 "k8s.io/api/rbac/v1" - storagev1 "k8s.io/api/storage/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "k8s.io/client-go/kubernetes" - apierrors "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/serializer" 
@@ -77,7 +68,6 @@ import ( const ( caNameControlPlane = "ca-" + metal.Name + "-controlplane" droptailerCAName = "ca-" + metal.Name + "-droptailer" - auditTailerCAName = "ca-" + metal.Name + "-audittailer" ipv4HostMask = "/32" ipv6HostMask = "/128" @@ -147,37 +137,6 @@ func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfig }, Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)}, }, - // audit tailer - { - Config: &secrets.CertificateSecretConfig{ - Name: auditTailerCAName, - CommonName: auditTailerCAName, - CertType: secrets.CACert, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.Persist()}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.AudittailerClientSecretName, - CommonName: "audittailer", - DNSNames: []string{"audittailer"}, - Organization: []string{"audittailer-client"}, - CertType: secrets.ClientCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.AudittailerServerSecretName, - CommonName: "audittailer", - DNSNames: []string{"audittailer"}, - Organization: []string{"audittailer-server"}, - CertType: secrets.ServerCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, - }, } } 
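Review bot: Dropping the audittailer entries from secretConfigsFunc stops generating `auditTailerCAName` ("ca-"+metal.Name+"-audittailer") and the audittailer client/server certificates, but the CA was registered with `secretsmanager.Persist()`, so existing shoot namespaces already hold that CA key material. Whether the secrets manager garbage-collects secrets that are no longer listed is not visible here; if it does not, a one-off cleanup of those secrets, and of the shoot access secret `gutil.SecretNamePrefixShootAccess+"audittailer-client"` dropped from shootAccessSecretsFunc in the next hunk, is warranted so stale CA private keys do not linger in the seed. A short comment at the removal site recording which behaviour was confirmed would save the next reader the same question. The secretConfigsFunc body starts above this hunk.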
@@ -187,17 +146,9 @@ func shootAccessSecretsFunc(namespace string) []*gutil.AccessSecret { gutil.NewShootAccessSecret(metal.CloudControllerManagerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.DurosControllerDeploymentName, namespace), gutil.NewShootAccessSecret(metal.MachineControllerManagerName, namespace), - gutil.NewShootAccessSecret(metal.AudittailerClientSecretName, namespace), } } -var configChart = &chart.Chart{ - Name: "config", - Path: filepath.Join(metal.InternalChartsPath, "cloud-provider-config"), - Images: []string{}, - Objects: []*chart.Object{}, -} - var controlPlaneChart = &chart.Chart{ Name: "control-plane", Path: filepath.Join(metal.InternalChartsPath, "control-plane"), @@ -324,27 +275,6 @@ func NewValuesProvider(mgr manager.Manager, controllerConfig config.ControllerCo {Type: &rbacv1.ClusterRoleBinding{}, Name: "system:duros-controller"}, }...) } - if controllerConfig.ClusterAudit.Enabled { - configChart.Objects = append(configChart.Objects, []*chart.Object{ - {Type: &corev1.ConfigMap{}, Name: "audit-policy-override"}, - }...) - cpShootChart.Images = append(cpShootChart.Images, []string{metal.AudittailerImageName}...) - cpShootChart.Objects = append(cpShootChart.Objects, []*chart.Object{ - // audittailer - {Type: &corev1.Namespace{}, Name: "audit"}, - {Type: &appsv1.Deployment{}, Name: "audittailer"}, - {Type: &corev1.ConfigMap{}, Name: "audittailer-config"}, - {Type: &corev1.Service{}, Name: "audittailer"}, - {Type: &rbacv1.Role{}, Name: "audittailer"}, - {Type: &rbacv1.RoleBinding{}, Name: "audittailer"}, - }...) - if controllerConfig.AuditToSplunk.Enabled { - configChart.Objects = append(configChart.Objects, []*chart.Object{ - {Type: &corev1.Secret{}, Name: "audit-to-splunk-secret"}, - {Type: &corev1.ConfigMap{}, Name: "audit-to-splunk-config"}, - }...) - } - } return &valuesProvider{ controllerConfig: controllerConfig, 
@@ -368,106 +298,7 @@ func (vp *valuesProvider) GetConfigChartValues( cp *extensionsv1alpha1.ControlPlane, cluster *extensionscontroller.Cluster, ) (map[string]interface{}, error) { - clusterAuditValues, err := vp.getClusterAuditConfigValues(ctx, cp, cluster) - if err != nil { - return nil, err - } - - return clusterAuditValues, nil -} - -func (vp *valuesProvider) getClusterAuditConfigValues(ctx context.Context, cp *extensionsv1alpha1.ControlPlane, cluster *extensionscontroller.Cluster) (map[string]interface{}, error) { - cpConfig, err := helper.ControlPlaneConfigFromControlPlane(cp) - if err != nil { - return nil, err - } - - var ( - clusterAuditValues = map[string]interface{}{ - "enabled": false, - } - auditToSplunkValues = map[string]interface{}{ - "enabled": false, - } - values = map[string]interface{}{ - "clusterAudit": clusterAuditValues, - "auditToSplunk": auditToSplunkValues, - } - ) - - if !validation.ClusterAuditEnabled(&vp.controllerConfig, cpConfig) { - return values, nil - } - - clusterAuditValues["enabled"] = true - - if !validation.AuditToSplunkEnabled(&vp.controllerConfig, cpConfig) { - return values, nil - } - - auditToSplunkValues["enabled"] = true - auditToSplunkValues["hecToken"] = vp.controllerConfig.AuditToSplunk.HECToken - auditToSplunkValues["index"] = vp.controllerConfig.AuditToSplunk.Index - auditToSplunkValues["hecHost"] = vp.controllerConfig.AuditToSplunk.HECHost - auditToSplunkValues["hecPort"] = vp.controllerConfig.AuditToSplunk.HECPort - auditToSplunkValues["tlsEnabled"] = vp.controllerConfig.AuditToSplunk.TLSEnabled - auditToSplunkValues["hecCAFile"] = vp.controllerConfig.AuditToSplunk.HECCAFile - auditToSplunkValues["clusterName"] = cluster.ObjectMeta.Name - - if !extensionscontroller.IsHibernated(cluster) { - customValues, err := vp.getCustomSplunkValues(ctx, cluster.ObjectMeta.Name, auditToSplunkValues) - if err != nil { - vp.logger.Error(err, "could not read custom splunk values") - } else { - values["auditToSplunk"] = 
customValues - } - } - - return values, nil -} - -func (vp *valuesProvider) getCustomSplunkValues(ctx context.Context, clusterName string, auditToSplunkValues map[string]interface{}) (map[string]interface{}, error) { - shootConfig, _, err := util.NewClientForShoot(ctx, vp.client, clusterName, client.Options{}, extensionsconfig.RESTOptions{}) - if err != nil { - return auditToSplunkValues, err - } - - cs, err := kubernetes.NewForConfig(shootConfig) - if err != nil { - return auditToSplunkValues, err - } - - splunkConfigSecret, err := cs.CoreV1().Secrets("kube-system").Get(ctx, "splunk-config", metav1.GetOptions{}) - if err != nil { - if apierrors.IsNotFound(err) { - return auditToSplunkValues, nil - } - return nil, err - } - - if splunkConfigSecret.Data == nil { - vp.logger.Error(errors.New("secret is empty"), "custom splunk config secret contains no data") - return auditToSplunkValues, nil - } - - for key, value := range splunkConfigSecret.Data { - switch key { - case "hecToken": - auditToSplunkValues[key] = string(value) - case "index": - auditToSplunkValues[key] = string(value) - case "hecHost": - auditToSplunkValues[key] = string(value) - case "hecPort": - auditToSplunkValues[key] = string(value) - case "tlsEnabled": - auditToSplunkValues[key] = string(value) - case "hecCAFile": - auditToSplunkValues[key] = string(value) - } - } - - return auditToSplunkValues, nil + return nil, nil } // GetControlPlaneChartValues returns the values for the control plane chart applied by the generic actuator. @@ -662,13 +493,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c "enabled": vp.controllerConfig.Storage.Duros.Enabled, } - clusterAuditValues := map[string]interface{}{ - "enabled": false, - } - if validation.ClusterAuditEnabled(&vp.controllerConfig, cpConfig) { - clusterAuditValues["enabled"] = true - } - nodeInitValues := map[string]any{ "enabled": true, } 
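Review bot: GetConfigChartValues now returns `nil, nil` while its doc comment, which sits above the hunk together with the signature, presumably still describes values for a config chart that is no longer deployed (add.go now passes nil for it). Update it to something like `// GetConfigChartValues returns nil because this provider no longer deploys a config chart; the audit configuration moved to gardener-extension-audit.` so the empty implementation reads as intentional rather than unfinished. The function signature is outside this hunk.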
@@ -790,7 +614,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c "apiserverIPs": apiserverIPs, "nodeCIDR": nodeCIDR, "duros": durosValues, - "clusterAudit": clusterAuditValues, "nodeInit": nodeInitValues, "restrictEgress": map[string]any{ // FIXME remove "enabled": cpConfig.FeatureGates.RestrictEgress != nil && *cpConfig.FeatureGates.RestrictEgress, @@ -826,27 +649,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c } } - audittailerServer, serverOK := secretsReader.Get(metal.AudittailerServerSecretName) - audittailerClient, clientOK := secretsReader.Get(metal.AudittailerClientSecretName) - if serverOK && clientOK { - values["audittailer"] = map[string]any{ - "podAnnotations": map[string]interface{}{ - "checksum/secret-audittailer-server": checksums[metal.AudittailerServerSecretName], - "checksum/secret-audittailer-client": checksums[metal.AudittailerClientSecretName], - }, - "server": map[string]any{ - "ca": audittailerServer.Data["ca.crt"], - "cert": audittailerServer.Data["tls.crt"], - "key": audittailerServer.Data["tls.key"], - }, - "client": map[string]any{ - "ca": audittailerClient.Data["ca.crt"], - "cert": audittailerClient.Data["tls.crt"], - "key": audittailerClient.Data["tls.key"], - }, - } - } - if vp.controllerConfig.Storage.Duros.Enabled { partitionConfig, ok := vp.controllerConfig.Storage.Duros.PartitionConfig[infrastructureConfig.PartitionID] diff --git a/pkg/metal/types.go b/pkg/metal/types.go index b6ceeb9a5..3e8d25e25 100644 --- a/pkg/metal/types.go +++ b/pkg/metal/types.go 
@@ -12,8 +12,6 @@ const ( MCMProviderMetalImageName = "machine-controller-manager-provider-metal" // CCMImageName is the name of the cloud controller manager image. CCMImageName = "metalccm" - // AudittailerImageName is the name of the Audittailer to deploy to the shoot. - AudittailerImageName = "audittailer" // DroptailerImageName is the name of the Droptailer to deploy to the shoot. DroptailerImageName = "droptailer" // MetallbSpeakerImageName is the name of the metallb speaker to deploy to the shoot. @@ -45,18 +43,6 @@ const ( // ShootExtensionTypeTokenIssuer appears unused? CHECKME ShootExtensionTypeTokenIssuer = "tokenissuer" - // AuditPolicyName is the name of the configmap containing the audit policy. - AuditPolicyName = "audit-policy-override" - // AudittailerNamespace is the namespace where the audit tailer will get deployed. - AudittailerNamespace = "audit" - // AudittailerClientSecretName is the name of the secret containing the certificates for the audittailer client. - AudittailerClientSecretName = "audittailer-client" // nolint:gosec - // AudittailerServerSecretName is the name of the secret containing the certificates for the audittailer server. - AudittailerServerSecretName = "audittailer-server" // nolint:gosec - // AuditForwarderSplunkConfigName is the name of the configmap containing the splunk configuration for the auditforwarder. - AuditForwarderSplunkConfigName = "audit-to-splunk-config" - // AuditForwarderSplunkSecretName is the name of the secret containing the splunk hec token and, if required, the ca certificate. - AuditForwarderSplunkSecretName = "audit-to-splunk-secret" // nolint:gosec // DroptailerNamespace is the namespace where the firewall droptailer will get deployed. DroptailerNamespace = "firewall" // DroptailerClientSecretName is the name of the secret containing the certificates for the droptailer client. diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go index 73eed251f..b4660a5c6 100644 
--- a/pkg/webhook/controlplane/ensurer.go +++ b/pkg/webhook/controlplane/ensurer.go @@ -4,12 +4,10 @@ import ( "context" "encoding/base64" "fmt" - "path" "strings" "github.com/Masterminds/semver" "github.com/coreos/go-systemd/v22/unit" - extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller" extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook" gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context" @@ -18,22 +16,16 @@ import ( v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" - gutil "github.com/gardener/gardener/pkg/utils/gardener" kutil "github.com/gardener/gardener/pkg/utils/kubernetes" "github.com/go-logr/logr" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/validation" - "github.com/metal-stack/metal-lib/pkg/pointer" "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config" metalapi "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector" - "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/resource" kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1" "sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/manager" 
@@ -62,12 +54,6 @@ func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gconte return err } - cpConfig, err := helper.ControlPlaneConfigFromClusterShootSpec(cluster) - if err != nil { - logger.Error(err, "could not read ControlPlaneConfig from cluster shoot spec", "Cluster name", cluster.ObjectMeta.Name) - return err - } - infrastructure := &extensionsv1alpha1.Infrastructure{} if err := e.client.Get(ctx, kutil.Key(cluster.ObjectMeta.Name, cluster.Shoot.Name), infrastructure); err != nil { logger.Error(err, "could not read Infrastructure for cluster", "cluster name", cluster.ObjectMeta.Name) 
@@ -79,292 +65,20 @@ func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gconte return err } - makeAuditForwarder := false - if validation.ClusterAuditEnabled(&e.controllerConfig, cpConfig) { - makeAuditForwarder = true - } - if makeAuditForwarder { - audittailersecret := &corev1.Secret{} - if err := e.client.Get(ctx, kutil.Key(cluster.ObjectMeta.Name, gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName), audittailersecret); err != nil { - logger.Error(err, "could not get secret for cluster", "secret", gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName, "cluster name", cluster.ObjectMeta.Name) - makeAuditForwarder = false - } - if len(audittailersecret.Data) == 0 { - logger.Error(err, "token for secret not yet set in cluster", "secret", gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName, "cluster name", cluster.ObjectMeta.Name) - makeAuditForwarder = false - } - } - - genericTokenKubeconfigSecretName := extensionscontroller.GenericTokenKubeconfigSecretNameFromCluster(cluster) - - auditToSplunk := false - if validation.AuditToSplunkEnabled(&e.controllerConfig, cpConfig) { - auditToSplunk = true - } - template := &new.Spec.Template ps := &template.Spec if c := extensionswebhook.ContainerWithName(ps.Containers, "kube-apiserver"); c != nil { - ensureKubeAPIServerCommandLineArgs(c, makeAuditForwarder) - ensureVolumeMounts(c, makeAuditForwarder) - ensureVolumes(ps, genericTokenKubeconfigSecretName, makeAuditForwarder, auditToSplunk) + ensureKubeAPIServerCommandLineArgs(c) } if c := extensionswebhook.ContainerWithName(ps.Containers, "vpn-seed"); c != nil { ensureVPNSeedEnvVars(c, nodeCIDR) } - if makeAuditForwarder { - // required because auditforwarder uses kube-apiserver and not localhost - template.Labels["networking.resources.gardener.cloud/to-kube-apiserver-tcp-443"] = "allowed" - - err := ensureAuditForwarder(ps, auditToSplunk) - if err != nil { - logger.Error(err, "could not ensure the audit 
forwarder", "Cluster name", cluster.ObjectMeta.Name) - return err - } - if auditToSplunk { - err := controlplane.EnsureConfigMapChecksumAnnotation(ctx, &new.Spec.Template, e.client, new.Namespace, metal.AuditForwarderSplunkConfigName) - if err != nil { - logger.Error(err, "could not ensure the splunk config map checksum annotation", "cluster name", cluster.ObjectMeta.Name, "configmap", metal.AuditForwarderSplunkConfigName) - return err - } - err = controlplane.EnsureSecretChecksumAnnotation(ctx, &new.Spec.Template, e.client, new.Namespace, metal.AuditForwarderSplunkSecretName) - if err != nil { - logger.Error(err, "could not ensure the splunk secret checksum annotation", "cluster name", cluster.ObjectMeta.Name, "secret", metal.AuditForwarderSplunkSecretName) - return err - } - } - } return e.ensureChecksumAnnotations(ctx, &new.Spec.Template, new.Namespace) } -var ( - // config mount for the audit policy; it gets mounted where the kube-apiserver expects its audit policy. - auditPolicyVolumeMount = corev1.VolumeMount{ - Name: metal.AuditPolicyName, - MountPath: "/etc/kubernetes/audit-override", - ReadOnly: true, - } - auditPolicyVolume = corev1.Volume{ - Name: metal.AuditPolicyName, - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{Name: metal.AuditPolicyName}, - }, - }, - } - auditForwarderSplunkConfigVolumeMount = corev1.VolumeMount{ - Name: metal.AuditForwarderSplunkConfigName, - MountPath: "/fluent-bit/etc/add", - ReadOnly: true, - } - auditForwarderSplunkConfigVolume = corev1.Volume{ - Name: metal.AuditForwarderSplunkConfigName, - VolumeSource: corev1.VolumeSource{ - ConfigMap: &corev1.ConfigMapVolumeSource{ - LocalObjectReference: corev1.LocalObjectReference{Name: metal.AuditForwarderSplunkConfigName}, - }, - }, - } - auditForwarderSplunkSecretVolumeMount = corev1.VolumeMount{ - Name: metal.AuditForwarderSplunkSecretName, - MountPath: "/fluent-bit/etc/splunkca", - ReadOnly: true, 
- } - auditForwarderSplunkSecretVolume = corev1.Volume{ - Name: metal.AuditForwarderSplunkSecretName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: metal.AuditForwarderSplunkSecretName, - }, - }, - } - auditForwarderSplunkPodNameEnvVar = corev1.EnvVar{ - Name: "MY_POD_NAME", - ValueFrom: &corev1.EnvVarSource{ - FieldRef: &corev1.ObjectFieldSelector{FieldPath: "metadata.name"}, - }, - } - auditForwarderSplunkHECTokenEnvVar = corev1.EnvVar{ - Name: "SPLUNK_HEC_TOKEN", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: metal.AuditForwarderSplunkSecretName, - }, - Key: "splunk_hec_token", - }, - }, - } - auditLogVolumeMount = corev1.VolumeMount{ - Name: "auditlog", - MountPath: "/auditlog", - ReadOnly: false, - } - auditLogVolume = corev1.Volume{ - Name: "auditlog", - VolumeSource: corev1.VolumeSource{ - EmptyDir: &corev1.EmptyDirVolumeSource{}, - }, - } - auditKubeconfig = func(genericKubeconfigSecretName string) corev1.Volume { - return corev1.Volume{ - Name: "kubeconfig", - VolumeSource: corev1.VolumeSource{ - Projected: &corev1.ProjectedVolumeSource{ - DefaultMode: pointer.Pointer(int32(420)), - Sources: []corev1.VolumeProjection{ - { - Secret: &corev1.SecretProjection{ - Items: []corev1.KeyToPath{ - { - Key: "kubeconfig", - Path: "kubeconfig", - }, - }, - Optional: pointer.Pointer(false), - LocalObjectReference: corev1.LocalObjectReference{ - Name: genericKubeconfigSecretName, - }, - }, - }, - { - Secret: &corev1.SecretProjection{ - Items: []corev1.KeyToPath{ - { - Key: "token", - Path: "token", - }, - }, - Optional: pointer.Pointer(false), - LocalObjectReference: corev1.LocalObjectReference{ - Name: gutil.SecretNamePrefixShootAccess + metal.AudittailerClientSecretName, - }, - }, - }, - }, - }, - }, - } - } - reversedVpnVolumeMounts = []corev1.VolumeMount{ - { - Name: "ca-vpn", - MountPath: "/proxy/ca", - ReadOnly: true, - }, - { - 
Name: "http-proxy",
- MountPath: "/proxy/client",
- ReadOnly: true,
- },
- }
- kubeAggregatorClientTlsEnvVars = []corev1.EnvVar{
- {
- Name: "AUDIT_PROXY_CA_FILE",
- Value: "/proxy/ca/bundle.crt",
- },
- {
- Name: "AUDIT_PROXY_CLIENT_CRT_FILE",
- Value: "/proxy/client/tls.crt",
- },
- {
- Name: "AUDIT_PROXY_CLIENT_KEY_FILE",
- Value: "/proxy/client/tls.key",
- },
- }
- auditForwarderSidecarTemplate = corev1.Container{
- Name: "auditforwarder",
- // Image: // is added from the image vector in the ensure function
- ImagePullPolicy: "Always",
- Env: []corev1.EnvVar{
- {
- Name: "AUDIT_KUBECFG",
- Value: path.Join(gutil.VolumeMountPathGenericKubeconfig, "kubeconfig"),
- },
- {
- Name: "AUDIT_NAMESPACE",
- Value: metal.AudittailerNamespace,
- },
- {
- Name: "AUDIT_SERVICE_NAME",
- Value: "audittailer",
- },
- {
- Name: "AUDIT_SECRET_NAME",
- Value: metal.AudittailerClientSecretName,
- },
- {
- Name: "AUDIT_AUDIT_LOG_PATH",
- Value: "/auditlog/audit.log",
- },
- {
- Name: "AUDIT_TLS_CA_FILE",
- Value: "ca.crt",
- },
- {
- Name: "AUDIT_TLS_CRT_FILE",
- Value: "tls.crt",
- },
- {
- Name: "AUDIT_TLS_KEY_FILE",
- Value: "tls.key",
- },
- {
- Name: "AUDIT_TLS_VHOST",
- Value: "audittailer",
- },
- },
- Resources: corev1.ResourceRequirements{
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("50m"),
- corev1.ResourceMemory: resource.MustParse("100Mi"),
- },
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("100m"),
- corev1.ResourceMemory: resource.MustParse("500Mi"),
- },
- },
- VolumeMounts: []corev1.VolumeMount{
- {
- Name: "kubeconfig",
- MountPath: gutil.VolumeMountPathGenericKubeconfig,
- ReadOnly: true,
- },
- auditLogVolumeMount,
- },
- }
-)
-
-func ensureVolumeMounts(c *corev1.Container, makeAuditForwarder bool) {
- if makeAuditForwarder {
- c.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(c.VolumeMounts, auditPolicyVolumeMount)
- c.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(c.VolumeMounts, 
auditLogVolumeMount)
- }
-}
-
-func ensureVolumes(ps *corev1.PodSpec, genericKubeconfigSecretName string, makeAuditForwarder, auditToSplunk bool) {
- if makeAuditForwarder {
-
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditKubeconfig(genericKubeconfigSecretName))
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditPolicyVolume)
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditLogVolume)
- }
- if auditToSplunk {
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditForwarderSplunkConfigVolume)
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditForwarderSplunkSecretVolume)
- }
-}
-
-func ensureKubeAPIServerCommandLineArgs(c *corev1.Container, makeAuditForwarder bool) {
+func ensureKubeAPIServerCommandLineArgs(c *corev1.Container) {
 c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--cloud-provider=", "external")
-
- if makeAuditForwarder {
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-policy-file=", "/etc/kubernetes/audit-override/audit-policy.yaml")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-path=", "/auditlog/audit.log")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-maxsize=", "100")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-maxbackup=", "1")
- }
 }
 func ensureVPNSeedEnvVars(c *corev1.Container, nodeCIDR string) {
@@ -379,77 +93,6 @@ func ensureVPNSeedEnvVars(c *corev1.Container, nodeCIDR string) {
 })
 }
-func ensureAuditForwarder(ps *corev1.PodSpec, auditToSplunk bool) error {
- auditForwarderSidecar := auditForwarderSidecarTemplate.DeepCopy()
- auditForwarderImage, err := imagevector.ImageVector().FindImage("auditforwarder")
- if err != nil {
- logger.Error(err, "Could not find auditforwarder image in imagevector")
- return err
- }
- auditForwarderSidecar.Image = auditForwarderImage.String()
-
- var proxyHost string
-
- for _, volume := range ps.Volumes {
- switch volume.Name {
- case "egress-selection-config":
- proxyHost = "vpn-seed-server"
- }
- }
-
- if proxyHost != "" {
- err := ensureAuditForwarderProxy(auditForwarderSidecar, proxyHost)
- if err != nil {
- logger.Error(err, "could not ensure auditForwarder proxy")
- return err
- }
- }
-
- if auditToSplunk {
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, auditForwarderSplunkConfigVolumeMount)
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, auditForwarderSplunkSecretVolumeMount)
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, auditForwarderSplunkPodNameEnvVar)
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, auditForwarderSplunkHECTokenEnvVar)
- }
-
- logger.Info("ensuring audit forwarder sidecar", "container", auditForwarderSidecar.Name)
-
- ps.Containers = extensionswebhook.EnsureContainerWithName(ps.Containers, *auditForwarderSidecar)
- return nil
-}
-
-func ensureAuditForwarderProxy(auditForwarderSidecar *corev1.Container, proxyHost string) error {
- logger.Info("ensureAuditForwarderProxy called", "proxyHost=", proxyHost)
- proxyEnvVars := []corev1.EnvVar{
- {
- Name: "AUDIT_PROXY_HOST",
- Value: proxyHost,
- },
- {
- Name: "AUDIT_PROXY_PORT",
- Value: "9443",
- },
- }
-
- for _, 
envVar := range proxyEnvVars {
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, envVar)
- }
-
- switch proxyHost {
- case "vpn-seed-server":
- for _, envVar := range kubeAggregatorClientTlsEnvVars {
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, envVar)
- }
- for _, mount := range reversedVpnVolumeMounts {
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, mount)
- }
- default:
- return fmt.Errorf("%q is not a valid proxy name", proxyHost)
- }
-
- return nil
-}
-
 // EnsureKubeControllerManagerDeployment ensures that the kube-controller-manager deployment conforms to the provider requirements.
 func (e *ensurer) EnsureKubeControllerManagerDeployment(ctx context.Context, gctx gcontext.GardenContext, new, _ *appsv1.Deployment) error {
 template := &new.Spec.Template