From 10183812871da7fb420b75bf2c073792b937b4e5 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Tue, 10 Sep 2024 16:05:58 +0200 Subject: [PATCH 1/4] Allow to configure email and server of cert management issuer (#315) --- control-plane/roles/gardener/README.md | 2 ++ control-plane/roles/gardener/defaults/main/extensions.yaml | 2 ++ control-plane/roles/gardener/tasks/main.yaml | 1 + .../templates/shoot-cert-service/controller-deployment.yaml | 4 ++-- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 5fc40550..12dc60a5 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -112,6 +112,8 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_image_pull_policy | | Sets the image pull policy for components deployed through this extension controller. | | gardener_extension_provider_metal_image_pull_secret | | Provide image pull secrets for deployed containers | | gardener_cert_management_issuer_private_key | | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates | +| gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | +| gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | ### Certificates diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 4ddf1919..02d915e9 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml 
@@ -65,5 +65,7 @@ gardener_extension_provider_metal_image_pull_secret: # ... gardener_cert_management_issuer_private_key: "" +gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory +gardener_cert_management_issuer_email: gardener_extension_dns_external_controller_registration_url: diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index dccd291a..690d7569 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml @@ -55,6 +55,7 @@ - gardener_dns_provider is not none - gardener_cloud_profile_metal_api_url is not none - gardener_cloud_profile_metal_api_hmac is not none + - gardener_cert_management_issuer_email is not none - name: Deploy required Seed CRDs k8s: diff --git a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml index 434bdd7c..9df45b84 100644 --- a/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml @@ -15,7 +15,7 @@ providerConfig: defaultIssuer: restricted: true # restrict default issuer to any sub-domain of shoot.spec.dns.domain acme: - email: cert-expiry@metal-pod.io - server: https://acme-v02.api.letsencrypt.org/directory + email: "{{ gardener_cert_management_issuer_email }}" + server: "{{ gardener_cert_management_issuer_server }}" privateKey: | {{ gardener_cert_management_issuer_private_key | indent(width=12, first=false) }} From f2c38970b872c2ab7c139c4c8448cd7243e65996 Mon Sep 17 00:00:00 2001 
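Review bot: The new `gardener_cert_management_issuer_email:` default is a bare value, which YAML loads as null, and nothing in the defaults file tells an operator that this is now a required input now that the hard-coded `cert-expiry@metal-pod.io` fallback is gone. A one-line comment above the key would spare them the assertion failure from tasks/main.yaml: `# required: contact email for the ACME account; the deployment asserts it is set`. For consistency with `gardener_cert_management_issuer_private_key: ""` on the line above, the server URL could also be quoted, `gardener_cert_management_issuer_server: "https://acme-v02.api.letsencrypt.org/directory"`, although the plain scalar parses correctly as written.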
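Review bot: Only the email is asserted here; `gardener_cert_management_issuer_server`, which the same patch templates into the default issuer's `server:` field, is not, so an inventory that overrides it with a null value renders an issuer without a usable ACME endpoint. Add `- gardener_cert_management_issuer_server is not none` next to the new email line. Note that `is not none` also accepts an empty string, so `gardener_cert_management_issuer_email: ""` passes the check and yields `email: ""`; if that should be rejected, `- gardener_cert_management_issuer_email | default('', true) | length > 0` is stricter, at the cost of departing from the `is not none` style of the surrounding lines. The enclosing task starts outside the hunk.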
From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:21:43 +0200 Subject: [PATCH 2/4] Allow s3 for virtual garden etcd (#314) --- control-plane/roles/gardener/README.md | 2 +- .../gardener/defaults/main/gardener.yaml | 19 +++++++++++++++++++ control-plane/roles/gardener/tasks/main.yaml | 1 + .../roles/gardener/tasks/shooted_seed.yaml | 10 ---------- .../roles/gardener/templates/etcd-values.j2 | 8 +++++++- 5 files changed, 28 insertions(+), 12 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 12dc60a5..a71bc779 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -21,7 +21,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt | gardener_scheduler_resources | | Set custom resource definitions for the gardener-scheduler | | gardener_dns_domain | | Specifies the DNS domain on which the Gardener will manage DNS entries | | gardener_dns_provider | yes | Specifies the DNS provider | -| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure | +| gardener_backup_infrastructure | | Specifies the Gardener backup infrastructure, required when `gardener_backup_infrastructure_secret` is set | | gardener_backup_infrastructure_secret | | Specifies the secret for the backup infrastructure | | gardener_soil_name | | The name of the initial `Seed` (used for spinning up shooted seeds) | | gardener_soil_kubeconfig_file_path | | The kubeconfig path to the initial seed cluster | diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml index dc94a021..b062f5f6 100644 --- a/control-plane/roles/gardener/defaults/main/gardener.yaml +++ b/control-plane/roles/gardener/defaults/main/gardener.yaml 
@@ -35,7 +35,26 @@ gardener_dns_domain: gardener_dns_provider: gardener_backup_infrastructure: + # provider: gcp + # region: + # secretRef: + # name: backup-secret + # namespace: garden + # bucket: + # + # provider: S3 + # endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}" + # accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}" + # secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}" + gardener_backup_infrastructure_secret: + # for gcp: + # serviceaccount.json: "{{ gardener_backup_infrastructure_service_account_json | b64encode }}" + # + # for S3: + # endpoint: + # accessKeyID: + # secretAccessKey: gardener_soil_name: "{{ metal_control_plane_stage_name }}" gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}" diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml index 690d7569..f81a54f9 100644 --- a/control-plane/roles/gardener/tasks/main.yaml +++ b/control-plane/roles/gardener/tasks/main.yaml @@ -55,6 +55,7 @@ - gardener_dns_provider is not none - gardener_cloud_profile_metal_api_url is not none - gardener_cloud_profile_metal_api_hmac is not none + - gardener_backup_infrastructure_secret is none or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"]) - gardener_cert_management_issuer_email is not none - name: Deploy required Seed CRDs diff --git a/control-plane/roles/gardener/tasks/shooted_seed.yaml b/control-plane/roles/gardener/tasks/shooted_seed.yaml index 4073d0d6..b494b059 100644 --- a/control-plane/roles/gardener/tasks/shooted_seed.yaml +++ b/control-plane/roles/gardener/tasks/shooted_seed.yaml 
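Review bot: The S3 example under `gardener_backup_infrastructure` lists `endpoint`, `accessKeyID` and `secretAccessKey` decoded from the secret, but `templates/etcd-values.j2` in this same patch reads those fields from `gardener_backup_infrastructure_secret` directly, and it also reads `gardener_backup_infrastructure.bucket`, which the S3 example omits; following the comment as written would copy decoded credentials into a non-secret variable and still leave the bucket unset. I would reduce the S3 block to `# provider: S3` and `# bucket:` (plus `region`/`secretRef` if the seed backup configuration still needs them, which I cannot see from here) and keep the credential fields only in the `gardener_backup_infrastructure_secret` example below. Style: `b64decode}}` on the `secretAccessKey` line lacks the space before `}}` that the neighbouring lines have.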
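Review bot: The new condition dereferences `gardener_backup_infrastructure.provider` unguarded, so a `gardener_backup_infrastructure` mapping without a `provider` key fails with an undefined-variable error instead of the assertion's own message. It also gates on `is none`, while the consumers of the secret (`when: gardener_backup_infrastructure_secret` in shooted_seed.yaml and `{% if gardener_backup_infrastructure_secret %}` in etcd-values.j2) test truthiness, so the assertion and the templates disagree on what "no backup configured" means. `- not gardener_backup_infrastructure_secret or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider | default('') in ["gcp", "S3"])` aligns the check with how the value is consumed and fails cleanly. The enclosing task starts outside the hunk.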
@@ -13,16 +13,6 @@ apply: yes when: gardener_backup_infrastructure_secret -- name: Create backup infrastructure config for shooted seed - set_fact: - gardener_shooted_seed_backup_infratructure: - provider: "{{ gardener_backup_infrastructure.provider }}" - region: "{{ gardener_backup_infrastructure.region }}" - secretRef: - name: "{{ gardener_shooted_seed.name }}-backup-secret" - namespace: garden - when: gardener_backup_infrastructure_secret - - name: Add seed provider secret k8s: definition: diff --git a/control-plane/roles/gardener/templates/etcd-values.j2 b/control-plane/roles/gardener/templates/etcd-values.j2 index e29e1fdd..59639fb8 100644 --- a/control-plane/roles/gardener/templates/etcd-values.j2 +++ b/control-plane/roles/gardener/templates/etcd-values.j2 @@ -5,10 +5,16 @@ images: {% if gardener_backup_infrastructure_secret %} backup: storageContainer: {{ gardener_backup_infrastructure.bucket }} -{% if metal_control_plane_host_provider == "gcp" %} +{% if gardener_backup_infrastructure.provider == "gcp" %} storageProvider: "GCS" gcs: serviceAccountJson: {{ gardener_backup_infrastructure_service_account_json | to_json }} +{% elif gardener_backup_infrastructure.provider == "S3" %} + storageProvider: "ECS" + ecs: + endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}" + accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}" + secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}" {% endif %} {% endif %} From 9d22b647958ed6fdd4fdf9dc559ea3773ba15d46 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:30:47 +0200 Subject: [PATCH 3/4] Make basic_auth for prometheus and promtail optional (#316) --- .../roles/monitoring/prometheus/templates/prometheus.yaml.j2 | 2 ++ partition/roles/promtail/templates/promtail.yaml.j2 | 2 ++ 2 files changed, 4 insertions(+) 
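Review bot: The new S3 branch writes the decoded `secretAccessKey` in clear text into the generated etcd values file, so the task that renders this template should run with `no_log: true` and the rendered file should not be left behind on the controller (that task is outside this patch, so I cannot confirm what it does). The three `gardener_backup_infrastructure_secret` keys are dereferenced without a guard, so a secret missing `endpoint` fails at render time with an undefined-variable error rather than a descriptive message; if that matters, the assertion in tasks/main.yaml is the place to check for the keys. Style: `b64decode}}` on the last added line is missing the space before `}}` that the two lines above it use.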
diff --git a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 index f9cf7df0..06006bd8 100644 --- a/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 +++ b/partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2 @@ -34,9 +34,11 @@ alerting: {% if prometheus_remote_write_url %} remote_write: - url: {{ prometheus_remote_write_url }} + {% if prometheus_remote_write_basic_auth_username is defined and prometheus_remote_write_basic_auth_password is defined %} basic_auth: username: {{ prometheus_remote_write_basic_auth_username }} password: {{ prometheus_remote_write_basic_auth_password }} + {% endif %} {% endif %} # Load rules once and periodically evaluate them according to the global 'evaluation_interval'. diff --git a/partition/roles/promtail/templates/promtail.yaml.j2 b/partition/roles/promtail/templates/promtail.yaml.j2 index 7df42b07..daca6ef0 100644 --- a/partition/roles/promtail/templates/promtail.yaml.j2 +++ b/partition/roles/promtail/templates/promtail.yaml.j2 @@ -8,9 +8,11 @@ positions: clients: - url: {{ promtail_loki_push_endpoint }} timeout: 60s + {% if promtail_loki_basic_auth_username is defined and promtail_loki_basic_auth_password is defined %} basic_auth: username: {{ promtail_loki_basic_auth_username }} password: {{ promtail_loki_basic_auth_password }} + {% endif %} scrape_configs: {{ promtail_scrape_configs|to_yaml(indent=2) }} From 5327bbda28bf35768f61de120e0462d11c2728ee Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Wed, 11 Sep 2024 13:45:50 +0200 Subject: [PATCH 4/4] Allow to provide the imageVectorOverwrite for the cilium extension (#318) --- control-plane/roles/gardener/README.md | 1 + .../gardener/defaults/main/extensions.yaml | 6 ++++++ .../controller-deployment.yaml | 19 +++---------------- 3 files changed, 10 insertions(+), 16 deletions(-) 
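Review bot: The added `{% if %}` and `{% endif %}` lines are indented, while the enclosing `{% if prometheus_remote_write_url %}` sits at column 0; with Ansible's default `trim_blocks` on and `lstrip_blocks` off, the whitespace before an indented block tag is emitted and, because the newline after the tag is dropped, it is prepended to the following line, so `basic_auth:` would gain extra indentation and no longer nest `username:`/`password:` under it (worth confirming against rendered output, since the exact indentation is not visible in this collapsed patch). Placing both tags at column 0, `{% if prometheus_remote_write_basic_auth_username is defined and prometheus_remote_write_basic_auth_password is defined %}` and `{% endif %}`, matches the existing outer tags and avoids the shift. The same applies to the promtail.yaml.j2 hunk of this patch. `is defined` also accepts empty values, so an inventory with `promtail_loki_basic_auth_password: ""` still renders a `basic_auth` stanza with an empty password; a truthiness test would avoid that if it is not intended.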
diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index a71bc779..cfe77146 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md @@ -112,6 +112,7 @@ This includes the metal-stack extension provider called [gardener-extension-prov | gardener_extension_provider_metal_image_pull_policy | | Sets the image pull policy for components deployed through this extension controller. | | gardener_extension_provider_metal_image_pull_secret | | Provide image pull secrets for deployed containers | | gardener_cert_management_issuer_private_key | | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates | +| gardener_extension_networking_cilium_image_vector_overwrite | | Allows overriding the image vector for the networking cilium extension | | gardener_cert_management_issuer_email | | The issuer email used by the cert-management extension | | gardener_cert_management_issuer_server | | The issuer server used by the cert-management extension | diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml index 02d915e9..8c87eeac 100644 --- a/control-plane/roles/gardener/defaults/main/extensions.yaml +++ b/control-plane/roles/gardener/defaults/main/extensions.yaml @@ -69,3 +69,9 @@ gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/dir gardener_cert_management_issuer_email: gardener_extension_dns_external_controller_registration_url: + +gardener_extension_networking_cilium_image_vector_overwrite: [] + # - name: + # sourceRepository: /source/repository + # repository: /repository + # tag: diff --git a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml index fdf02722..0e832f65 100644 
--- a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml +++ b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml @@ -11,21 +11,8 @@ providerConfig: repository: "{{ gardener_networking_cilium_image_name }}" tag: "{{ gardener_networking_cilium_image_tag }}" pullPolicy: Always +{% if gardener_extension_networking_cilium_image_vector_overwrite %} imageVectorOverwrite: | images: - - name: cilium-agent - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/cilium - tag: v1.12.1 - - name: cilium-preflight - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/cilium - tag: v1.12.1 - - name: cilium-operator - sourceRepository: github.com/cilium/cilium - repository: quay.io/cilium/operator - tag: v1.12.1 - - name: hubble-relay - sourceRepository: github.com/cilium/hubble-ui - repository: quay.io/cilium/hubble-relay - tag: v1.12.1 + {{ gardener_extension_networking_cilium_image_vector_overwrite | to_nice_yaml(indent=2) | indent(width=8, first=false) }} +{% endif %} \ No newline at end of file
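Review bot: With the default `[]` from defaults/main/extensions.yaml the whole `imageVectorOverwrite` stanza is now omitted, so deployments that relied on the previously hard-coded v1.12.1 image pins silently fall back to the extension's built-in image vector after this change; the README row added by this patch should say so and note that the old entries must be reproduced in the variable to keep them. The rendered list depends on the literal indentation before `{{ ... }}` matching the `width=8` passed to `indent(first=false)`, otherwise the first list item sits at a different column from the rest inside the block scalar — the collapsed patch does not show that indentation, so please verify the rendered output. The file now ends without a trailing newline (`\ No newline at end of file`); add one after `{% endif %}`.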