
Merge branch 'master' into s3-backup-restore-sidecar
robertvolkmann authored Nov 26, 2024
2 parents 8adb0a8 + b2f3a1f commit fb26bef
Showing 59 changed files with 331 additions and 162 deletions.
1 change: 1 addition & 0 deletions control-plane/roles/auditing-meili/defaults/main/main.yaml
Expand Up @@ -17,6 +17,7 @@ auditing_meili_backup_restore_sidecar_backup_cron_schedule: "0 * * * *"
auditing_meili_backup_restore_sidecar_log_level: debug
auditing_meili_backup_restore_sidecar_object_prefix: "{{ auditing_meili_name }}-{{ metal_control_plane_stage_name }}"
auditing_meili_backup_restore_sidecar_object_max_keep:
auditing_meili_backup_restore_sidecar_encryption_key:

auditing_meili_backup_restore_sidecar_gcp_bucket_name:
auditing_meili_backup_restore_sidecar_gcp_backup_location:
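Review bot: The new default `auditing_meili_backup_restore_sidecar_encryption_key:` (presumably the added line of this hunk, given the branch name) is a bare empty value, so it loads as null and is handed through unchanged as `meilisearch_backup_restore_sidecar_encryption_key` in control-plane/roles/auditing-meili/tasks/main.yaml. Whether the sidecar then refuses to start or silently writes unencrypted backups cannot be seen from here, so a comment stating the expectation would help operators, e.g. `# Key used to encrypt backups; supply it from an encrypted vars file or vault. Leave empty only if unencrypted backups are intended.`. If the sidecar accepts an empty key, an `assert` task checking that the variable is set before the role include would make the failure mode explicit.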
1 change: 1 addition & 0 deletions control-plane/roles/auditing-meili/tasks/main.yaml
Expand Up @@ -46,3 +46,4 @@
meilisearch_backup_restore_sidecar_s3_secret_key: "{{ auditing_meili_backup_restore_sidecar_s3_secret_key }}"
meilisearch_resources: "{{ auditing_meili_resources }}"
meilisearch_backup_restore_sidecar_object_max_keep: "{{ auditing_meili_backup_restore_sidecar_object_max_keep }}"
meilisearch_backup_restore_sidecar_encryption_key: "{{ auditing_meili_backup_restore_sidecar_encryption_key }}"
@@ -1,8 +1,7 @@
---
- name: Get seed kubeconfig
copy:
dest: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}"
content: "{{ lookup('k8s', kubeconfig='/tmp/kubeconfig.garden', api_version='v1', namespace='garden', kind='Secret', resource_name=gardener_shooted_seed.name+'.kubeconfig').get('data', {}).get('kubeconfig') | b64decode }}"
set_fact:
_seed_kubeconfig: "{{ gardener_seeds_virtual_garden_kubeconfig | shoot_admin_kubeconfig('garden', gardener_shooted_seed.name) | from_yaml }}"

- name: Add seed ingress certificate
k8s:
Expand All @@ -19,15 +18,21 @@
secretRef:
name: seed-ingress-certificate
namespace: garden
kubeconfig: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}"
kubeconfig: "{{ _seed_kubeconfig }}"
apply: true

- name: Wait until ingress secret is ready
command: echo
k8s_info:
api_version: v1
kind: Secret
name: seed-ingress-certificate
namespace: garden
kubeconfig: "{{ _seed_kubeconfig }}"
changed_when: false
retries: 60
register: result
delay: 10
until:
- lookup('k8s', kubeconfig='/tmp/kubeconfig.'+gardener_shooted_seed.name, api_version='v1', namespace='garden', kind='Secret', resource_name='seed-ingress-certificate')
retries: 60
until: result.resources | length > 0

- name: Prepare seed ingress certificate secret
k8s:
Expand All @@ -40,4 +45,5 @@
name: seed-ingress-certificate
namespace: garden
type: kubernetes.io/tls
kubeconfig: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}"
kubeconfig: "{{ _seed_kubeconfig }}"
apply: true
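Review bot: The seed kubeconfig is now held as an Ansible fact instead of a file under /tmp, which is an improvement, but the `set_fact` task producing `_seed_kubeconfig` and the `k8s_info` task that registers the `seed-ingress-certificate` Secret both return credential material in their task results, which is shown under `-v` and can end up in callback or log output; add `no_log: true` to both tasks. Since this file is included per seed from a loop (see the gardener-monitoring-certs tasks/main.yaml hunk), `_seed_kubeconfig` also stays in host facts after the loop and would be persisted if fact caching is enabled; clearing it at the end of the file (`set_fact: {_seed_kubeconfig: null}`) bounds its lifetime. Passing a dict to the `kubeconfig` parameter presumably relies on a kubernetes.core version that accepts an inline kubeconfig, which is worth confirming against the collection version pinned in the repository.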
5 changes: 0 additions & 5 deletions control-plane/roles/gardener-monitoring-certs/tasks/main.yaml
Expand Up @@ -38,11 +38,6 @@
namespace: garden
type: kubernetes.io/tls

- name: Write virtual garden kubeconfig
copy:
dest: "/tmp/kubeconfig.garden"
content: "{{ gardener_seeds_virtual_garden_kubeconfig }}"

- name: Loop over Gardener seeds
include_tasks: deploy_cert.yaml
loop: "{{ gardener_seeds_shooted_seeds }}"
11 changes: 10 additions & 1 deletion control-plane/roles/gardener/README.md
Expand Up @@ -25,7 +25,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt
| gardener_backup_infrastructure_secret | | Specifies the secret for the backup infrastructure |
| gardener_soil_name | | The name of the initial `Seed` (used for spinning up shooted seeds) |
| gardener_soil_kubeconfig_file_path | | The kubeconfig path to the initial seed cluster |
| gardener_soil_vertical_pod_autoscaler_enabled | | Enables the VPA for the intial seed cluster |
| gardener_soil_vertical_pod_autoscaler_enabled | | Enables the VPA for the initial seed cluster |
| gardener_soil_project_owner_name | | Specifies the owner name for the project that the initial seed uses to set up shooted seeds |
| gardener_soil_project_members | | Specifies the members of the soil project. Each member requires a `name` and a `role`. Optionally, and array of `roles` can be specified. Example: `{"name": "admin", "role": "admin", "roles": ["owner"]}` |
| gardener_gardenlet_shoot_concurrent_syncs | | Specifies the amount of concurrent shoot syncs for the Gardenlet |
Expand All @@ -38,6 +38,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt
| gardener_kube_api_server_kubeconfig | | The kubeconfig for the Gardener Kubernetes API (virtual garden apiserver) |
| gardener_kube_apiserver_kubeconfig_path | | The acts on multiple Kubernetes APIs, this is where it puts the kubeconfig of the Gardener Kubernetes API |
| gardener_local_tmp_dir | | The acts on multiple Kubernetes APIs, this is a local folder in the deployment container to store the kubeconfigs (ephemeral) |
| gardener_logging_enabled | | Specifies whether the logging Gardener logging stack should be activated in the Gardenlet |

### Virtual Garden

Expand Down Expand Up @@ -95,10 +96,14 @@ This includes the metal-stack extension provider called [gardener-extension-prov
| gardener_extension_networking_cilium_enabled | | If enabled, deploys the gardener-networking-extension-cilium |
| gardener_extension_shoot_cert_service_enabled | | If enabled, deploys the gardener-extension-shoot-cert-service |
| gardener_extension_shoot_dns_service_enabled | | If enabled, deploys the gardener-extension-shoot-dns-service |
| gardener_extension_backup_s3_enabled | | If enabled, deploys the gardener-extension-backup-s3 |
| gardener_extension_dns_powerdns_enabled | | If enabled, deploys the gardener-extension-dns-powerdns |
| gardener_os_controller_repo_ref | | A repo reference for deploying the [os-metal-extension](https://github.com/metal-stack/os-metal-extension/) |
| gardener_networking_cilium_repo_ref | | A repo reference for deploying the [gardener-extension-networking-cilium](https://github.com/gardener/gardener-extension-networking-cilium) |
| gardener_extension_provider_metal_repo_ref | | A repo reference for deploying the [gardener-extension-provider-metal](https://github.com/metal-stack/gardener-extension-provider-metal) |
| gardener_shoot_dns_service_repo_ref | | A repo reference for deploying the [gardener-extension-shoot-dns-service](https://github.com/gardener/gardener-extension-shoot-dns-service) |
| gardener_extension_backup_s3_repo_ref | | A repo reference for deploying the [gardener-extension-backup-s3](https://github.com/metal-stack/gardener-extension-backup-s3) |
| gardener_extension_dns_powerdns_repo_ref | | A repo reference for deploying the [gardener-extension-dns-powerdns](https://github.com/metal-stack/gardener-extension-dns-powerdns) |
| gardener_metal_admission_replicas | | Specifies the amount of metal-admission webhook replicas |
| gardener_metal_admission_vpa | | Enables the VPA for the metal-admission webhook |
| gardener_extension_provider_metal_cluster_audit_enabled | | Enables the audit functionality of the GEPM |
Expand All @@ -121,6 +126,10 @@ This includes the metal-stack extension provider called [gardener-extension-prov
| gardener_shoot_dns_service_image_vector_overwrite | | Allows overriding the image vector for the shoot-dns-service extension |
| gardener_shoot_dns_service_dns_controller_manager_image_name | | Setting an explicit image name for the dns-controller-manager |
| gardener_shoot_dns_service_dns_controller_manager_image_tag | | Setting an explicit image tag for the dns-controller-manager |
| gardener_extension_backup_s3_image_name | | Setting an explicit image name for the gardener-extension-backup-s3 |
| gardener_extension_backup_s3_image_tag | | Setting an explicit image tag for the gardener-extension-backup-s3 |
| gardener_extension_dns_powerdns_image_name | | Setting an explicit image name for the gardener-extension-dns-powerdns |
| gardener_extension_dns_powerdns_image_tag | | Setting an explicit image tag for the gardener-extension-dns-powerdns |

### Certificates

4 changes: 4 additions & 0 deletions control-plane/roles/gardener/defaults/main/extensions.yaml
Expand Up @@ -6,11 +6,15 @@ gardener_extension_provider_gcp_enabled: true
gardener_extension_provider_metal_enabled: true
gardener_extension_shoot_cert_service_enabled: true
gardener_extension_shoot_dns_service_enabled: true
gardener_extension_dns_powerdns_enabled: false
gardener_extension_backup_s3_enabled: false

gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}"
gardener_networking_cilium_repo_ref: "gardener/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}"
gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}"
gardener_shoot_dns_service_repo_ref: "gardener/gardener-extension-shoot-dns-service/{{ gardener_shoot_dns_service_image_tag }}"
gardener_extension_backup_s3_repo_ref: "metal-stack/gardener-extension-backup-s3/{{ gardener_extension_backup_s3_image_tag }}"
gardener_extension_dns_powerdns_repo_ref: "metal-stack/gardener-extension-dns-powerdns/{{ gardener_extension_dns_powerdns_image_tag }}"

gardener_metal_admission_replicas: 1
gardener_metal_admission_vpa: true
2 changes: 2 additions & 0 deletions control-plane/roles/gardener/defaults/main/gardener.yaml
Expand Up @@ -110,3 +110,5 @@ gardener_shooted_seed_rollout_delay_minutes:
gardener_kube_api_server_kubeconfig: "{{ 'garden-kube-apiserver' | kubeconfig_from_cert(gardener_kube_api_server_ca, gardener_kube_api_server_client_cert, gardener_kube_api_server_client_key, prepend_https=true) }}"
gardener_kube_apiserver_kubeconfig_path: "{{ gardener_local_tmp_dir }}/garden-kube-apiserver-kubeconfig"
gardener_local_tmp_dir: "{{ playbook_dir }}/.ansible/tmp"

gardener_logging_enabled: false
29 changes: 29 additions & 0 deletions control-plane/roles/gardener/tasks/extensions.yaml
Expand Up @@ -100,3 +100,32 @@
- controller-deployment.yaml
- controller-registration.yaml
when: gardener_extension_shoot_dns_service_enabled

- name: "Register controller: dns powerdns"
k8s:
definition: "{{ lookup('template', 'powerdns/{{ item }}', split_lines=False) }}"
kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
apply: yes
register: result
until: result is success
retries: 10
delay: 6
loop:
- controller-deployment.yaml
- controller-registration.yaml
when: gardener_extension_dns_powerdns_enabled

- name: "Register controller: backup s3"
k8s:
definition: "{{ lookup('template', 'backup-s3/{{ item }}', split_lines=False) }}"
kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
apply: yes
tags: shoot-dns-service
register: result
until: result is success
retries: 10
delay: 6
loop:
- controller-deployment.yaml
- controller-registration.yaml
when: gardener_extension_backup_s3_enabled
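Review bot: `tags: shoot-dns-service` on the new "Register controller: backup s3" task looks like a copy-paste leftover from the shoot-dns-service task above it: a run with `--tags shoot-dns-service` would also register the backup-s3 controller when it is enabled, and the task has no tag of its own, while the sibling "Register controller: dns powerdns" task carries no tag at all. Either drop the line or change it to `tags: backup-s3`, and give the powerdns task a matching `tags: dns-powerdns` if the other registrations in this file are tagged.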
@@ -0,0 +1,11 @@
---
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: backup-s3
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_backup_s3_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_extension_backup_s3_image_name }}"
tag: "{{ gardener_extension_backup_s3_image_tag }}"
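Review bot: The Helm chart for the backup-s3 controller is fetched at deploy time from raw.githubusercontent.com at `gardener_extension_backup_s3_repo_ref`, which defaults to `metal-stack/gardener-extension-backup-s3/{{ gardener_extension_backup_s3_image_tag }}`, and the new powerdns controller-deployment template uses the same pattern (both file headers are not shown in this view). This follows the existing extension templates, but a new file is the place to record the trust assumption above `rawChart`, e.g. `# Chart is pulled unverified from the upstream repo at repo_ref; pin an immutable release tag, never a branch.`. If the ref were a branch, the chart installed into the garden cluster could change between runs without any change in this repository.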
@@ -0,0 +1,16 @@
---
apiVersion: core.gardener.cloud/v1beta1
kind: ControllerRegistration
metadata:
name: backup-s3
annotations:
security.gardener.cloud/pod-security-enforce: baseline
spec:
deployment:
deploymentRefs:
- name: backup-s3
resources:
- kind: BackupBucket
type: S3
- kind: BackupEntry
type: S3
@@ -1,11 +1,10 @@
---
apiVersion: core.gardener.cloud/v1beta1
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: provider-metal
type: helm
providerConfig:
chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/metal-stack/gardener-extension-provider-metal/' + gardener_extension_provider_metal_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/metal-stack/gardener-extension-provider-metal/' + gardener_extension_provider_metal_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_extension_provider_metal_image_name }}"
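Review bot: The switch from `providerConfig.chart` to `helm.rawChart` also changes the path read out of the upstream example file: `[0].helm.rawChart` only exists if the example at `gardener_extension_provider_metal_repo_ref` has itself moved to the `core.gardener.cloud/v1` ControllerDeployment schema, otherwise the template fails at render time with an undefined-attribute error instead of a clear message. The same coupling is introduced in the networking-calico, networking-cilium and os-metal templates. A comment above `rawChart` recording the minimum extension release whose example uses the v1 schema, e.g. `# requires an extension release whose example/controller-registration.yaml uses core.gardener.cloud/v1 (helm.rawChart)`, would spare the next person bumping `repo_ref` a confusing failure. The rest of the template, including `values`, continues below the hunk.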
7 changes: 6 additions & 1 deletion control-plane/roles/gardener/templates/gardenlet-values.j2
Expand Up @@ -22,6 +22,11 @@ config:
# allow setting shoot ignore annotation:
respectSyncPeriodOverwrite: {{ gardener_gardenlet_shoot_respect_sync_period_overwrite }}

{% if gardener_logging_enabled %}
logging:
enabled: true
{% endif %}

seedConfig:
apiVersion: core.gardener.cloud/v1beta1
kind: Seed
Expand Down Expand Up @@ -78,4 +83,4 @@ imageVectorOverwrite: |
{% if gardener_component_image_vector_overwrite %}
componentImageVectorOverwrites: |
{{ gardener_component_image_vector_overwrite | to_yaml | indent(width=4, first=false) }}
{% endif %}
{% endif %}
7 changes: 6 additions & 1 deletion control-plane/roles/gardener/templates/managed-seed.j2
Expand Up @@ -40,6 +40,11 @@ spec:
visible: {{ gardener_shooted_seed.visible | default(true) }}
shootDNS:
enabled: true
{% if gardener_logging_enabled %}
logging:
enabled: true
{% endif %}

deployment:
image:
pullPolicy: IfNotPresent
Expand All @@ -48,4 +53,4 @@ spec:
vpa: true
mergeWithParent: true
shoot:
name: "{{ gardener_shooted_seed.name }}"
name: "{{ gardener_shooted_seed.name }}"
@@ -1,11 +1,10 @@
---
apiVersion: core.gardener.cloud/v1beta1
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: networking-calico
type: helm
providerConfig:
chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener-extension-networking-calico/' + gardener_networking_calico_image_tag + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener-extension-networking-calico/' + gardener_networking_calico_image_tag + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_networking_calico_image_name }}"
@@ -1,11 +1,10 @@
---
apiVersion: core.gardener.cloud/v1beta1
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: networking-cilium
type: helm
providerConfig:
chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_networking_cilium_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_networking_cilium_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_networking_cilium_image_name }}"
Expand All @@ -15,4 +14,4 @@ providerConfig:
imageVectorOverwrite: |
images:
{{ gardener_extension_networking_cilium_image_vector_overwrite | to_nice_yaml(indent=2) | indent(width=8, first=false) }}
{% endif %}
{% endif %}
@@ -1,11 +1,10 @@
---
apiVersion: core.gardener.cloud/v1beta1
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: os-metal
type: helm
providerConfig:
chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/metal-stack/os-metal-extension/' + gardener_os_controller_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/metal-stack/os-metal-extension/' + gardener_os_controller_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_os_controller_image_name }}"
@@ -0,0 +1,11 @@
---
apiVersion: core.gardener.cloud/v1
kind: ControllerDeployment
metadata:
name: powerdns
helm:
rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_dns_powerdns_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
values:
image:
repository: "{{ gardener_extension_dns_powerdns_image_name }}"
tag: "{{ gardener_extension_dns_powerdns_image_tag }}"
@@ -0,0 +1,14 @@
---
apiVersion: core.gardener.cloud/v1beta1
kind: ControllerRegistration
metadata:
name: powerdns
annotations:
security.gardener.cloud/pod-security-enforce: baseline
spec:
deployment:
deploymentRefs:
- name: powerdns
resources:
- kind: DNSRecord
type: powerdns