From 375af561804331f88c6da9fa570a39a29bd48edb Mon Sep 17 00:00:00 2001 From: Felix Breuer Date: Wed, 12 Apr 2023 12:56:37 +0200 Subject: [PATCH] [GEP-21] Handle Seed IPFamilies (IPv6) (#7561) * Replace decentralized FeatureGates with one centralized FeatureGate Signed-off-by: Niclas Schad * Regenerate certificate for gardener-admission-controller webhook * Enable featureGate IPv6SingleStack and load featuresGates before validating SeedConfig * Only filter envoyfilter via port number Currently filtering by name restricts traffic to IPv4 only. By filtering via port number this restriction is resolved and all traffic is respected. * Filter config files via ipFamily * Deploy IPv6 ready gardenlet * Set IPv6 CIDRs via skaffold * Set IPv6 IPs for local development setup * Update Documentation for IPv6 local development Signed-off-by: Felix Breuer * Use net package to join host with port 
Signed-off-by: Felix Breuer * Make `IPv6SingleStack` explanation clearer * Document purpose of central feature gate map * Clean up gardenlet `bootstrapKubeconfig` values Use the same `bootstrapKubeconfig` for all clusters with the in-cluster kubernetes service except for the kind2 cluster. With this, kind2 won't work with IPv6 single-stack, but we can live with this for now. * Fix SC2235 * Switch back to kind node's hostname We tried to use `kubernetes.default.svc` instead of the kind node's hostname as the garden cluster address for the gardenlet values. This works from within the kind cluster itself, even if it is IPv6 single-stack. However, it doesn't work from within `ManagedSeeds`. Hence, the managed seed e2e fails because gardenlet cannot register itself in the garden cluster. * Document requirement for IPv6 `localhost` entry in `/etc/hosts` * Introduce `garden.local.gardener.cloud` hostname that works everywhere This replaces the use of kind container names to reach the garden cluster and to reach the registry mirrors. This works in - the first and the second kind cluster - in IPv4 and IPv6 kind clusters * Adapt `0.0.0.0/0` `NetworkPolicies` * Use `net.JoinHostPort` in all components * Drop `bindAddress=0.0.0.0` everywhere, drop unnecessary IPv6 switches `net.Listen` listens on all available IP addresses if the hostname (configured by `*bindAddress` fields) is omitted. I.e., this works for both IP families without explicit configuration. This simplifies a lot of config files and development scripts. * Make `bindAddress` chart values optional * Dump logs from containerd-configuration-local-setup service * Fix IP and cert handling in provider-local process-based setup * Add missing license header * Add missing comment for `gardener-admission-controller` `clusterIP` usage * Consistently set feature gates in `validate` * Manage kind network ourselves * Replace `jq` in `kind-up.sh` with `yq` * Move `DefaultFeatureGate.SetFromMap` to `options.complete` --------- 
Signed-off-by: Niclas Schad 
Signed-off-by: Felix Breuer Co-authored-by: Niclas Schad Co-authored-by: Tim Ebert --- Makefile | 15 +- .../configmap-componentconfig.yaml | 12 +- .../configmap-componentconfig.yaml | 8 +- .../scheduler/configmap-componentconfig.yaml | 8 +- charts/gardener/controlplane/values.yaml | 7 - .../gardener/gardenlet/templates/_helpers.tpl | 8 +- .../gardenlet/templates/networkpolicy.yaml | 2 + charts/gardener/gardenlet/values.yaml | 2 - charts/gardener/operator/values.yaml | 3 - charts/gardener/resource-manager/values.yaml | 3 - .../monitoring/templates/networkpolicy.yaml | 4 + cmd/gardener-admission-controller/app/app.go | 6 +- .../app/gardener_apiserver.go | 6 +- cmd/gardener-controller-manager/app/app.go | 14 +- .../app/options.go | 7 + cmd/gardener-operator/app/app.go | 14 +- cmd/gardener-operator/app/options.go | 7 + cmd/gardener-resource-manager/app/app.go | 6 +- cmd/gardener-scheduler/app/app.go | 14 +- cmd/gardener-scheduler/app/options.go | 7 + cmd/gardenlet/app/app.go | 14 +- cmd/gardenlet/app/options.go | 7 + docs/concepts/resource-manager.md | 2 + docs/deployment/feature_gates.md | 28 ++-- docs/deployment/getting_started_locally.md | 28 ++-- docs/development/getting_started_locally.md | 36 ++--- docs/usage/ipv6.md | 4 +- ...tconfig-gardener-admission-controller.yaml | 3 - ...entconfig-gardener-controller-manager.yaml | 2 - ...20-componentconfig-gardener-scheduler.yaml | 2 - example/20-componentconfig-gardenlet.yaml | 6 +- ...> auth-webhook-kubeconfig-local-ipv4.yaml} | 0 .../auth-webhook-kubeconfig-local-ipv6.yaml | 17 +++ ...uth-webhook-kubeconfig-skaffold-ipv4.yaml} | 0 ...auth-webhook-kubeconfig-skaffold-ipv6.yaml | 17 +++ .../controlplane/networkpolicy.yaml | 4 + .../gardener-local/controlplane/values.yaml | 132 +++++++++--------- .../gardener-local/gardenlet/values-ipv6.yaml | 16 +++ .../gardenlet/values-kind-ha-multi-zone.yaml | 25 ---- .../gardenlet/values-kind-ha-single-zone.yaml | 25 ---- .../gardenlet/values-kind2.yaml | 6 +- 
example/gardener-local/gardenlet/values.yaml | 10 +- .../templates/_kubeadm_config_patches.tpl | 6 +- .../gardener-local/kind/cluster/values.yaml | 2 +- .../kind/ha-multi-zone/values.yaml | 3 - .../kind/ha-single-zone/values.yaml | 3 - .../gardener-local/kind/local2/values.yaml | 1 - example/operator/10-componentconfig.yaml | 3 - .../seed-kind/local-ipv6/kustomization.yaml | 13 ++ .../seed-kind/local-ipv6/patch-seed.yaml | 11 ++ .../resource-manager/10-componentconfig.yaml | 3 - .../pkg/webhook/certificates/certificates.go | 8 +- hack/ci-common.sh | 2 +- hack/kind-up.sh | 75 ++++++++++ hack/local-development/common/helpers | 15 +- hack/local-development/dev-setup | 107 +++++++------- .../dev-setup-register-gardener | 38 +++-- .../generate-webhook-ca-bundle.sh | 68 +++++++++ .../start-extension-provider-local | 25 ++-- .../apis/config/v1alpha1/defaults.go | 3 - .../apis/config/v1alpha1/defaults_test.go | 2 +- pkg/apis/core/validation/seed_test.go | 5 +- pkg/apis/core/validation/shoot.go | 3 +- pkg/apis/core/validation/shoot_test.go | 7 +- pkg/apis/core/validation/utils.go | 3 +- pkg/apis/core/validation/utils_test.go | 3 +- pkg/apiserver/features/features.go | 5 +- pkg/controllermanager/features/features.go | 8 +- pkg/features/features.go | 24 ++++ .../controllerinstallation/reconciler.go | 4 +- .../managedseed/charttest/charttest.go | 6 +- .../charttest/gardenlet_chart_test.go | 44 +++--- .../managedseed/valueshelper_test.go | 2 +- .../controller/networkpolicy/add_test.go | 3 +- .../controller/networkpolicy/reconciler.go | 3 +- .../controller/seed/seed/components.go | 11 +- .../controller/seed/seed/reconciler_delete.go | 5 +- .../seed/seed/reconciler_reconcile.go | 23 ++- pkg/gardenlet/features/features.go | 9 +- .../istio-ingress/templates/envoy-filter.yaml | 1 - .../templates/proxy-protocol-envoyfilter.yaml | 1 - .../botanist/component/istio/istio_test.go | 2 - .../templates/envoyfilter.yaml | 1 - pkg/operation/botanist/coredns.go | 5 +- 
pkg/operation/botanist/coredns_test.go | 5 +- pkg/operation/botanist/dns_test.go | 6 +- pkg/operation/botanist/etcd.go | 5 +- pkg/operation/botanist/etcd_test.go | 9 +- pkg/operation/botanist/kubeapiserver.go | 5 +- pkg/operation/botanist/kubeapiserver_test.go | 5 +- .../botanist/kubeapiserverexposure.go | 5 +- .../botanist/kubeapiserverexposure_test.go | 4 +- .../botanist/kubecontrollermanager.go | 5 +- .../botanist/kubernetesdashboard_test.go | 3 +- pkg/operation/botanist/logging.go | 5 +- pkg/operation/botanist/metricsserver_test.go | 3 +- pkg/operation/botanist/nginxingress_test.go | 3 +- .../botanist/nodeproblemdetector_test.go | 3 +- pkg/operation/botanist/vpnseedserver_test.go | 5 +- pkg/operation/care/seed_health.go | 5 +- pkg/operation/care/seed_health_test.go | 5 +- pkg/operator/apis/config/v1alpha1/defaults.go | 3 - .../apis/config/v1alpha1/defaults_test.go | 2 +- pkg/operator/controller/garden/components.go | 3 +- pkg/operator/controller/garden/reconciler.go | 3 +- pkg/operator/features/features.go | 8 +- .../webhook/controlplane/ensurer.go | 15 +- .../scripts/configure-containerd.tpl.sh | 14 +- pkg/registry/core/shoot/strategy.go | 3 +- pkg/registry/core/shoot/strategy_test.go | 5 +- .../apis/config/v1alpha1/defaults.go | 3 - .../apis/config/v1alpha1/defaults_test.go | 2 +- .../controller/networkpolicy/reconciler.go | 1 + .../apis/config/v1alpha1/defaults.go | 8 -- .../apis/config/v1alpha1/defaults_test.go | 12 +- pkg/scheduler/features/features.go | 13 +- pkg/utils/test/test.go | 8 +- skaffold.yaml | 32 +++++ .../controllerinstallation_test.go | 5 +- .../networkpolicy/networkpolicy_suite_test.go | 2 +- .../gardenlet/seed/seed/seed_test.go | 3 +- .../operator/garden/garden_test.go | 3 +- .../networkpolicy/networkpolicy_test.go | 2 + 123 files changed, 773 insertions(+), 561 deletions(-) rename example/gardener-local/controlplane/{auth-webhook-kubeconfig-local.yaml => auth-webhook-kubeconfig-local-ipv4.yaml} (100%) create mode 100644 
example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv6.yaml rename example/gardener-local/controlplane/{auth-webhook-kubeconfig-skaffold.yaml => auth-webhook-kubeconfig-skaffold-ipv4.yaml} (100%) create mode 100644 example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv6.yaml create mode 100644 example/gardener-local/gardenlet/values-ipv6.yaml create mode 100644 example/provider-local/seed-kind/local-ipv6/kustomization.yaml create mode 100644 example/provider-local/seed-kind/local-ipv6/patch-seed.yaml create mode 100755 hack/local-development/generate-webhook-ca-bundle.sh diff --git a/Makefile b/Makefile index 4433b48a26d..db8d02482a0 100644 --- a/Makefile +++ b/Makefile @@ -72,6 +72,8 @@ GOMEGACHECK_DIR := $(TOOLS_DIR)/gomegacheck # Rules for local development scenarios # ######################################### +dev-setup register-local-env start-extension-provider-local: export IPFAMILY := $(IPFAMILY) + .PHONY: dev-setup dev-setup: @if [ "$(DEV_SETUP_WITH_WEBHOOKS)" = "true" ]; then ./hack/local-development/dev-setup --with-webhooks; else ./hack/local-development/dev-setup; fi 
@@ -310,12 +312,12 @@ kind-ha-single-zone-up kind-ha-single-zone-down gardener-ha-single-zone-up regis kind-ha-multi-zone-up kind-ha-multi-zone-down gardener-ha-multi-zone-up register-kind-ha-multi-zone-env tear-down-kind-ha-multi-zone-env ci-e2e-kind-ha-multi-zone ci-e2e-kind-ha-multi-zone-upgrade: export KUBECONFIG = $(GARDENER_LOCAL_HA_MULTI_ZONE_KUBECONFIG) kind-operator-up kind-operator-down operator-up operator-down test-e2e-local-operator ci-e2e-kind-operator: export KUBECONFIG = $(GARDENER_LOCAL_OPERATOR_KUBECONFIG) -kind-up: $(KIND) $(KUBECTL) $(HELM) +kind-up: $(KIND) $(KUBECTL) $(HELM) $(YQ) ./hack/kind-up.sh --cluster-name gardener-local --environment $(KIND_ENV) --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind/base/kubeconfig --path-cluster-values $(REPO_ROOT)/example/gardener-local/kind/local/values.yaml kind-down: $(KIND) ./hack/kind-down.sh --cluster-name gardener-local --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind/base/kubeconfig -kind2-up: $(KIND) $(KUBECTL) $(HELM) +kind2-up: $(KIND) $(KUBECTL) $(HELM) $(YQ) ./hack/kind-up.sh --cluster-name gardener-local2 --environment $(KIND_ENV) --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind2/base/kubeconfig --path-cluster-values $(REPO_ROOT)/example/gardener-local/kind/local2/values.yaml --skip-registry kind2-down: $(KIND) ./hack/kind-down.sh --cluster-name gardener-local2 --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind2/base/kubeconfig --keep-backupbuckets-dir 
@@ -327,17 +329,17 @@ kind-extensions-down: $(KIND) kind-extensions-clean: ./hack/kind-down.sh --cluster-name gardener-extensions --path-kubeconfig $(REPO_ROOT)/example/provider-extensions/garden/kubeconfig -kind-ha-single-zone-up: $(KIND) $(KUBECTL) $(HELM) +kind-ha-single-zone-up: $(KIND) $(KUBECTL) $(HELM) $(YQ) ./hack/kind-up.sh --cluster-name gardener-local-ha-single-zone --environment $(KIND_ENV) --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind-ha-single-zone/base/kubeconfig --path-cluster-values $(REPO_ROOT)/example/gardener-local/kind/ha-single-zone/values.yaml kind-ha-single-zone-down: $(KIND) ./hack/kind-down.sh --cluster-name gardener-local-ha-single-zone --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind-ha-single-zone/base/kubeconfig -kind-ha-multi-zone-up: $(KIND) $(KUBECTL) $(HELM) +kind-ha-multi-zone-up: $(KIND) $(KUBECTL) $(HELM) $(YQ) ./hack/kind-up.sh --cluster-name gardener-local-ha-multi-zone --environment $(KIND_ENV) --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind-ha-multi-zone/base/kubeconfig --path-cluster-values $(REPO_ROOT)/example/gardener-local/kind/ha-multi-zone/values.yaml --multi-zonal kind-ha-multi-zone-down: $(KIND) ./hack/kind-down.sh --cluster-name gardener-local-ha-multi-zone --path-kubeconfig $(REPO_ROOT)/example/provider-local/seed-kind-ha-multi-zone/base/kubeconfig -kind-operator-up: $(KIND) $(KUBECTL) $(HELM) +kind-operator-up: $(KIND) $(KUBECTL) $(HELM) $(YQ) ./hack/kind-up.sh --cluster-name gardener-operator-local --environment $(KIND_ENV) --path-kubeconfig $(REPO_ROOT)/example/gardener-local/kind/operator/kubeconfig --path-cluster-values $(REPO_ROOT)/example/gardener-local/kind/operator/values.yaml mkdir -p $(REPO_ROOT)/dev/local-backupbuckets/gardener-operator kind-operator-down: $(KIND) 
@@ -375,7 +377,8 @@ gardener-extensions-down: $(SKAFFOLD) $(HELM) $(KUBECTL) register-local-env: $(KUBECTL) $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/garden/local - $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/seed-kind/local + @if [[ -z "$(IPFAMILY)" ]]; then $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/seed-kind/local; else $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/seed-kind/local-ipv6; fi + tear-down-local-env: $(KUBECTL) $(KUBECTL) annotate project local confirmation.gardener.cloud/deletion=true $(KUBECTL) delete -k $(REPO_ROOT)/example/provider-local/seed-kind/local diff --git a/charts/gardener/controlplane/charts/runtime/templates/admission-controller/configmap-componentconfig.yaml b/charts/gardener/controlplane/charts/runtime/templates/admission-controller/configmap-componentconfig.yaml index ea11831c8bb..0a5acbeccfe 100644 --- a/charts/gardener/controlplane/charts/runtime/templates/admission-controller/configmap-componentconfig.yaml +++ b/charts/gardener/controlplane/charts/runtime/templates/admission-controller/configmap-componentconfig.yaml 
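Review bot: The new `register-local-env` recipe uses the bash-only `[[ ... ]]` test; unless this Makefile sets `SHELL` to bash somewhere outside the hunk, recipes run under `/bin/sh`, where `[[` is not a builtin and the target fails. The POSIX form works under either shell: `@if [ -z "$(IPFAMILY)" ]; then $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/seed-kind/local; else $(KUBECTL) apply -k $(REPO_ROOT)/example/provider-local/seed-kind/local-ipv6; fi`. Note also that `tear-down-local-env` a few lines below still deletes `seed-kind/local` unconditionally; if `local-ipv6` only patches the same Seed resources that is fine, but if it adds resources of its own they would be left behind in the IPv6 setup.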
@@ -34,15 +34,21 @@ data: logFormat: {{ .Values.global.admission.config.logFormat | default "json" }} server: webhooks: - bindAddress: {{ required ".Values.global.admission.config.server.webhooks.bindAddress is required" .Values.global.admission.config.server.webhooks.bindAddress }} + {{- if .Values.global.admission.config.server.webhooks.bindAddress }} + bindAddress: {{ .Values.global.admission.config.server.webhooks.bindAddress }} + {{- end }} port: {{ required ".Values.global.admission.config.server.webhooks.port is required" .Values.global.admission.config.server.webhooks.port }} tls: serverCertDir: /etc/gardener-admission-controller/srv healthProbes: - bindAddress: {{ required ".Values.global.admission.config.server.healthProbes.bindAddress is required" .Values.global.admission.config.server.healthProbes.bindAddress }} + {{- if .Values.global.admission.config.server.healthProbes.bindAddress }} + bindAddress: {{ .Values.global.admission.config.server.healthProbes.bindAddress }} + {{- end }} port: {{ required ".Values.global.admission.config.server.healthProbes.port is required" .Values.global.admission.config.server.healthProbes.port }} metrics: - bindAddress: {{ required ".Values.global.admission.config.server.metrics.bindAddress is required" .Values.global.admission.config.server.metrics.bindAddress }} + {{- if .Values.global.admission.config.server.metrics.bindAddress }} + bindAddress: {{ .Values.global.admission.config.server.metrics.bindAddress }} + {{- end }} port: {{ required ".Values.global.admission.config.server.metrics.port is required" .Values.global.admission.config.server.metrics.port }} {{- if .Values.global.admission.config.server.resourceAdmissionConfiguration }} resourceAdmissionConfiguration: 
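Review bot: Making `bindAddress` optional changes the fallback silently: when the value is unset the rendered config omits the key and the webhook, health-probe and metrics servers bind to all interfaces of both IP families, which is the intent per the commit message but is not stated anywhere an operator editing `values.yaml` would see it. Please add a comment next to the `{{- if ... bindAddress }}` guards, or at the corresponding keys in `charts/gardener/controlplane/values.yaml`, e.g. `# bindAddress is optional; when omitted the server listens on all interfaces (IPv4 and IPv6). Set it (e.g. to a loopback address) to restrict exposure of this listener.` The controller-manager, scheduler and gardenlet `_helpers.tpl` hunks that follow make the same change and need the same note.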
diff --git a/charts/gardener/controlplane/charts/runtime/templates/controller-manager/configmap-componentconfig.yaml b/charts/gardener/controlplane/charts/runtime/templates/controller-manager/configmap-componentconfig.yaml index 559f2df8123..2b5201680e1 100644 --- a/charts/gardener/controlplane/charts/runtime/templates/controller-manager/configmap-componentconfig.yaml +++ b/charts/gardener/controlplane/charts/runtime/templates/controller-manager/configmap-componentconfig.yaml @@ -167,11 +167,15 @@ data: logLevel: {{ required ".Values.global.controller.config.logLevel is required" .Values.global.controller.config.logLevel }} server: healthProbes: - bindAddress: {{ required ".Values.global.controller.config.server.healthProbes.bindAddress is required" .Values.global.controller.config.server.healthProbes.bindAddress }} + {{- if .Values.global.controller.config.server.healthProbes.bindAddress }} + bindAddress: {{ .Values.global.controller.config.server.healthProbes.bindAddress }} + {{- end }} port: {{ required ".Values.global.controller.config.server.healthProbes.port is required" .Values.global.controller.config.server.healthProbes.port }} {{- if .Values.global.controller.config.server.metrics }} metrics: - bindAddress: {{ required ".Values.global.controller.config.server.metrics.bindAddress is required" .Values.global.controller.config.server.metrics.bindAddress }} + {{- if .Values.global.controller.config.server.metrics.bindAddress }} + bindAddress: {{ .Values.global.controller.config.server.metrics.bindAddress }} + {{- end }} port: {{ required ".Values.global.controller.config.server.metrics.port is required" .Values.global.controller.config.server.metrics.port }} {{- end }} {{- if .Values.global.controller.config.debugging }} diff --git a/charts/gardener/controlplane/charts/runtime/templates/scheduler/configmap-componentconfig.yaml b/charts/gardener/controlplane/charts/runtime/templates/scheduler/configmap-componentconfig.yaml index 7d3175566bb..55136f0bfbb 100644 
--- a/charts/gardener/controlplane/charts/runtime/templates/scheduler/configmap-componentconfig.yaml +++ b/charts/gardener/controlplane/charts/runtime/templates/scheduler/configmap-componentconfig.yaml @@ -45,10 +45,14 @@ data: logLevel: {{ required ".Values.global.scheduler.config.logLevel is required" .Values.global.scheduler.config.logLevel }} server: healthProbes: - bindAddress: {{ required ".Values.global.scheduler.config.server.healthProbes.bindAddress is required" .Values.global.scheduler.config.server.healthProbes.bindAddress }} + {{- if .Values.global.scheduler.config.server.healthProbes.bindAddress }} + bindAddress: {{ .Values.global.scheduler.config.server.healthProbes.bindAddress }} + {{- end }} port: {{ required ".Values.global.scheduler.config.server.healthProbes.port is required" .Values.global.scheduler.config.server.healthProbes.port }} metrics: - bindAddress: {{ required ".Values.global.scheduler.config.server.metrics.bindAddress is required" .Values.global.scheduler.config.server.metrics.bindAddress }} + {{- if .Values.global.scheduler.config.server.metrics.bindAddress }} + bindAddress: {{ .Values.global.scheduler.config.server.metrics.bindAddress }} + {{- end }} port: {{ required ".Values.global.scheduler.config.server.metrics.port is required" .Values.global.scheduler.config.server.metrics.port }} {{- if .Values.global.scheduler.config.debugging }} debugging: diff --git a/charts/gardener/controlplane/values.yaml b/charts/gardener/controlplane/values.yaml index 6226d81c9bb..31aede93e3f 100644 --- a/charts/gardener/controlplane/values.yaml +++ b/charts/gardener/controlplane/values.yaml @@ -303,7 +303,6 @@ global: logFormat: json server: webhooks: - bindAddress: 0.0.0.0 port: 2719 tlsSecretName: tls: @@ -320,10 +319,8 @@ global: ... -----END RSA PRIVATE KEY----- healthProbes: - bindAddress: 0.0.0.0 port: 2722 metrics: - bindAddress: 0.0.0.0 port: 2723 # resourceAdmissionConfiguration: # limits: 
@@ -447,10 +444,8 @@ global: logLevel: info server: healthProbes: - bindAddress: 0.0.0.0 port: 2718 metrics: - bindAddress: 0.0.0.0 port: 2719 debugging: enableProfiling: false @@ -494,10 +489,8 @@ global: logLevel: info server: healthProbes: - bindAddress: 0.0.0.0 port: 10251 metrics: - bindAddress: 0.0.0.0 port: 19251 debugging: enableProfiling: false diff --git a/charts/gardener/gardenlet/templates/_helpers.tpl b/charts/gardener/gardenlet/templates/_helpers.tpl index 4dd77f74b37..94e76eb362c 100644 --- a/charts/gardener/gardenlet/templates/_helpers.tpl +++ b/charts/gardener/gardenlet/templates/_helpers.tpl @@ -249,11 +249,15 @@ config.yaml: | logFormat: {{ .Values.config.logFormat }} server: healthProbes: - bindAddress: {{ required ".Values.config.server.healthProbes.bindAddress is required" .Values.config.server.healthProbes.bindAddress }} + {{- if .Values.config.server.healthProbes.bindAddress }} + bindAddress: {{ .Values.config.server.healthProbes.bindAddress }} + {{- end }} port: {{ required ".Values.config.server.healthProbes.port is required" .Values.config.server.healthProbes.port }} {{- if .Values.config.server.metrics }} metrics: - bindAddress: {{ required ".Values.config.server.metrics.bindAddress is required" .Values.config.server.metrics.bindAddress }} + {{- if .Values.config.server.metrics.bindAddress }} + bindAddress: {{ .Values.config.server.metrics.bindAddress }} + {{- end }} port: {{ required ".Values.config.server.metrics.port is required" .Values.config.server.metrics.port }} {{- end }} {{- if .Values.config.debugging }} diff --git a/charts/gardener/gardenlet/templates/networkpolicy.yaml b/charts/gardener/gardenlet/templates/networkpolicy.yaml index e291b0ea703..5d8701cdcfe 100644 --- a/charts/gardener/gardenlet/templates/networkpolicy.yaml +++ b/charts/gardener/gardenlet/templates/networkpolicy.yaml @@ -21,5 +21,7 @@ spec: podSelector: {} - ipBlock: cidr: 0.0.0.0/0 + - ipBlock: + cidr: ::/0 policyTypes: - Egress 
diff --git a/charts/gardener/gardenlet/values.yaml b/charts/gardener/gardenlet/values.yaml index ae2f09d61e6..3b312c78ee1 100644 --- a/charts/gardener/gardenlet/values.yaml +++ b/charts/gardener/gardenlet/values.yaml @@ -138,10 +138,8 @@ config: logFormat: json server: healthProbes: - bindAddress: 0.0.0.0 port: 2728 metrics: - bindAddress: 0.0.0.0 port: 2729 debugging: enableProfiling: false diff --git a/charts/gardener/operator/values.yaml b/charts/gardener/operator/values.yaml index 17f466f5b16..185b636cc3d 100644 --- a/charts/gardener/operator/values.yaml +++ b/charts/gardener/operator/values.yaml @@ -39,13 +39,10 @@ config: logFormat: json server: webhooks: - bindAddress: 0.0.0.0 port: 2750 healthProbes: - bindAddress: 0.0.0.0 port: 2751 metrics: - bindAddress: 0.0.0.0 port: 2752 debugging: enableProfiling: false diff --git a/charts/gardener/resource-manager/values.yaml b/charts/gardener/resource-manager/values.yaml index 1772355a0aa..2264dbece4b 100644 --- a/charts/gardener/resource-manager/values.yaml +++ b/charts/gardener/resource-manager/values.yaml @@ -52,7 +52,6 @@ global: logFormat: text server: webhooks: - bindAddress: 0.0.0.0 port: 10250 # ca: | # some-tls-certificate @@ -61,10 +60,8 @@ global: # privateKey: | # some-private-key healthProbes: - bindAddress: 0.0.0.0 port: 8081 metrics: - bindAddress: 0.0.0.0 port: 8080 debugging: enableProfiling: false diff --git a/charts/seed-bootstrap/charts/monitoring/templates/networkpolicy.yaml b/charts/seed-bootstrap/charts/monitoring/templates/networkpolicy.yaml index c57c5f1b64b..3a1a3bafd9c 100644 --- a/charts/seed-bootstrap/charts/monitoring/templates/networkpolicy.yaml +++ b/charts/seed-bootstrap/charts/monitoring/templates/networkpolicy.yaml @@ -16,12 +16,16 @@ spec: namespaceSelector: {} - ipBlock: cidr: 0.0.0.0/0 + - ipBlock: + cidr: ::/0 ingress: - from: - podSelector: {} namespaceSelector: {} - ipBlock: cidr: 0.0.0.0/0 + - ipBlock: + cidr: ::/0 policyTypes: - Egress - Ingress 
diff --git a/cmd/gardener-admission-controller/app/app.go b/cmd/gardener-admission-controller/app/app.go
index 5f4a9f7625d..b003ff6c686 100644
--- a/cmd/gardener-admission-controller/app/app.go
+++ b/cmd/gardener-admission-controller/app/app.go
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "time"
 "github.com/go-logr/logr"
@@ -111,8 +113,8 @@ func run(ctx context.Context, log logr.Logger, cfg *config.AdmissionControllerCo
 Port: cfg.Server.Webhooks.Port,
 CertDir: cfg.Server.Webhooks.TLS.ServerCertDir,
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 LeaderElection: false,
 })
diff --git a/cmd/gardener-apiserver/app/gardener_apiserver.go b/cmd/gardener-apiserver/app/gardener_apiserver.go
index 4e57b840a4f..8a5472c09ed 100644
--- a/cmd/gardener-apiserver/app/gardener_apiserver.go
+++ b/cmd/gardener-apiserver/app/gardener_apiserver.go
@@ -34,7 +34,6 @@ import (
 genericoptions "k8s.io/apiserver/pkg/server/options"
 "k8s.io/apiserver/pkg/server/resourceconfig"
 serverstorage "k8s.io/apiserver/pkg/server/storage"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/client-go/dynamic"
 kubeinformers "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
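Review bot: `net.JoinHostPort` with an empty `cfg.Server.HealthProbes.BindAddress` (or `Metrics.BindAddress`) yields an address of the form `:<port>`, so the health and metrics listeners bind to every interface of both IP families; that matches the previous `0.0.0.0` default for IPv4 but now also exposes them on IPv6, and nothing in this hunk documents that. Consider a comment above the two fields, `// An empty BindAddress binds to all interfaces (IPv4 and IPv6); set it to restrict the listener.`, and the same wording on the `BindAddress` field of the server config type. The controller-manager, operator and resource-manager `run` hunks make the identical change and would benefit from the same note. `run` continues outside the hunk.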
@@ -68,6 +67,7 @@ import (
 seedmanagementinformers "github.com/gardener/gardener/pkg/client/seedmanagement/informers/externalversions"
 settingsclientset "github.com/gardener/gardener/pkg/client/settings/clientset/versioned"
 settingsinformers "github.com/gardener/gardener/pkg/client/settings/informers/externalversions"
+ "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/logger"
 "github.com/gardener/gardener/pkg/openapi"
 )
@@ -270,7 +270,7 @@ func (o *Options) Run(ctx context.Context) error {
 klog.SetLogger(log)
 log.Info("Starting gardener-apiserver", "version", version.Get())
- log.Info("Feature Gates", "featureGates", utilfeature.DefaultFeatureGate)
+ log.Info("Feature Gates", "featureGates", features.DefaultFeatureGate)
 // Create clientset for the native Kubernetes API group
 // Use remote kubeconfig file (if set) or in-cluster config to create a new Kubernetes client for the native Kubernetes API groups
@@ -398,7 +398,7 @@ func (o *Options) ApplyTo(config *apiserver.Config) error {
 }
 if initializers, err := o.Recommended.ExtraAdmissionInitializers(gardenerAPIServerConfig); err != nil {
 return err
- } else if err := o.Recommended.Admission.ApplyTo(&gardenerAPIServerConfig.Config, gardenerAPIServerConfig.SharedInformerFactory, gardenerAPIServerConfig.ClientConfig, utilfeature.DefaultFeatureGate, initializers...); err != nil {
+ } else if err := o.Recommended.Admission.ApplyTo(&gardenerAPIServerConfig.Config, gardenerAPIServerConfig.SharedInformerFactory, gardenerAPIServerConfig.ClientConfig, features.DefaultFeatureGate, initializers...); err != nil {
 return err
 }
 if err := o.ExtraOptions.ApplyTo(config); err != nil {
diff --git a/cmd/gardener-controller-manager/app/app.go b/cmd/gardener-controller-manager/app/app.go
index 11cb58017c4..2d951cc713c 100644
--- a/cmd/gardener-controller-manager/app/app.go
+++ b/cmd/gardener-controller-manager/app/app.go
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "time"
 "github.com/go-logr/logr"
@@ -40,8 +42,8 @@ import (
 "github.com/gardener/gardener/pkg/client/kubernetes"
 "github.com/gardener/gardener/pkg/controllermanager/apis/config"
 "github.com/gardener/gardener/pkg/controllermanager/controller"
- controllermanagerfeatures "github.com/gardener/gardener/pkg/controllermanager/features"
 "github.com/gardener/gardener/pkg/controllerutils/routes"
+ "github.com/gardener/gardener/pkg/features"
 gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 "github.com/gardener/gardener/pkg/logger"
 )
@@ -97,11 +99,7 @@ func NewCommand() *cobra.Command {
 }
 func run(ctx context.Context, log logr.Logger, cfg *config.ControllerManagerConfiguration) error {
- // Add feature flags
- if err := controllermanagerfeatures.FeatureGate.SetFromMap(cfg.FeatureGates); err != nil {
- return err
- }
- log.Info("Feature Gates", "featureGates", controllermanagerfeatures.FeatureGate.String())
+ log.Info("Feature Gates", "featureGates", features.DefaultFeatureGate)
 // This is like importing the automaxprocs package for its init func (it will in turn call maxprocs.Set).
 // Here we pass a custom logger, so that the result of the library gets logged to the same logger we use for the
@@ -128,8 +126,8 @@ func run(ctx context.Context, log logr.Logger, cfg *config.ControllerManagerConf
 Scheme: kubernetes.GardenScheme,
 GracefulShutdownTimeout: pointer.Duration(5 * time.Second),
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 LeaderElection: cfg.LeaderElection.LeaderElect,
 LeaderElectionResourceLock: cfg.LeaderElection.ResourceLock,
diff --git a/cmd/gardener-controller-manager/app/options.go b/cmd/gardener-controller-manager/app/options.go
index 8c9bceb7e10..51419088467 100644
--- a/cmd/gardener-controller-manager/app/options.go
+++ b/cmd/gardener-controller-manager/app/options.go
@@ -26,6 +26,7 @@ import (
 "github.com/gardener/gardener/pkg/controllermanager/apis/config"
 controllermanagerv1alpha1 "github.com/gardener/gardener/pkg/controllermanager/apis/config/v1alpha1"
 controllermanagervalidation "github.com/gardener/gardener/pkg/controllermanager/apis/config/validation"
+ "github.com/gardener/gardener/pkg/features"
 )
 var configDecoder runtime.Decoder
@@ -64,6 +65,12 @@ func (o *options) complete() error {
 return fmt.Errorf("error decoding config: %w", err)
 }
+ // Set feature gates immediately after decoding the config.
+ // Feature gates might influence the next steps, e.g., validating the config.
+ if err := features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates); err != nil {
+ return err
+ }
+
 return nil
 }
diff --git a/cmd/gardener-operator/app/app.go b/cmd/gardener-operator/app/app.go
index 02409bdbca8..eadb69c5839 100644
--- a/cmd/gardener-operator/app/app.go
+++ b/cmd/gardener-operator/app/app.go
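Review bot: The new `SetFromMap` error in `complete()` is returned bare, while the `fmt.Errorf("error decoding config: %w", err)` two lines above wraps its error with what the function was doing; a rejected feature-gate entry in the config will surface without that context. Prefer `return fmt.Errorf("error setting feature gates: %w", err)`. The `complete()` hunk in `cmd/gardener-operator/app/options.go` has the same bare return and should be adjusted alike.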
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "time"
 "github.com/go-logr/logr"
@@ -44,12 +46,12 @@ import (
 "github.com/gardener/gardener/pkg/client/kubernetes"
 "github.com/gardener/gardener/pkg/controllerutils"
 "github.com/gardener/gardener/pkg/controllerutils/routes"
+ "github.com/gardener/gardener/pkg/features"
 gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 "github.com/gardener/gardener/pkg/logger"
 "github.com/gardener/gardener/pkg/operator/apis/config"
 operatorclient "github.com/gardener/gardener/pkg/operator/client"
 "github.com/gardener/gardener/pkg/operator/controller"
- operatorfeatures "github.com/gardener/gardener/pkg/operator/features"
 "github.com/gardener/gardener/pkg/operator/webhook"
 )
@@ -104,11 +106,7 @@ func NewCommand() *cobra.Command {
 }
 func run(ctx context.Context, log logr.Logger, cfg *config.OperatorConfiguration) error {
- // Add feature flags
- if err := operatorfeatures.FeatureGate.SetFromMap(cfg.FeatureGates); err != nil {
- return err
- }
- log.Info("Feature Gates", "featureGates", operatorfeatures.FeatureGate.String())
+ log.Info("Feature Gates", "featureGates", features.DefaultFeatureGate)
 log.Info("Getting rest config")
 if kubeconfig := os.Getenv("KUBECONFIG"); kubeconfig != "" {
@@ -130,8 +128,8 @@ func run(ctx context.Context, log logr.Logger, cfg *config.OperatorConfiguration
 Host: cfg.Server.Webhooks.BindAddress,
 Port: cfg.Server.Webhooks.Port,
 CertDir: "/tmp/gardener-operator-cert",
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 
 LeaderElection: cfg.LeaderElection.LeaderElect,
 LeaderElectionResourceLock: cfg.LeaderElection.ResourceLock,
diff --git a/cmd/gardener-operator/app/options.go b/cmd/gardener-operator/app/options.go
index e68acdb363c..3ad400c4a02 100644
--- a/cmd/gardener-operator/app/options.go
+++ b/cmd/gardener-operator/app/options.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/serializer"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 
+ "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/operator/apis/config"
 operatorv1alpha1 "github.com/gardener/gardener/pkg/operator/apis/config/v1alpha1"
 operatorvalidation "github.com/gardener/gardener/pkg/operator/apis/config/validation"
@@ -64,6 +65,12 @@ func (o *options) complete() error {
 return fmt.Errorf("error decoding config: %w", err)
 }
 
+ // Set feature gates immediately after decoding the config.
+ // Feature gates might influence the next steps, e.g., validating the config.
+ if err := features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates); err != nil {
+ return err
+ }
+
 return nil
 }
 
diff --git a/cmd/gardener-resource-manager/app/app.go b/cmd/gardener-resource-manager/app/app.go
index 53469ac34bf..2788e7c5f73 100644
--- a/cmd/gardener-resource-manager/app/app.go
+++ b/cmd/gardener-resource-manager/app/app.go
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "time"
 
 "github.com/go-logr/logr"
@@ -149,8 +151,8 @@ func run(ctx context.Context, log logr.Logger, cfg *config.ResourceManagerConfig
 Host: cfg.Server.Webhooks.BindAddress,
 Port: cfg.Server.Webhooks.Port,
 CertDir: cfg.Server.Webhooks.TLS.ServerCertDir,
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 
 LeaderElection: cfg.LeaderElection.LeaderElect,
 LeaderElectionResourceLock: cfg.LeaderElection.ResourceLock,
diff --git a/cmd/gardener-scheduler/app/app.go b/cmd/gardener-scheduler/app/app.go
index aae9d9e1efa..4fc291317a8 100644
--- a/cmd/gardener-scheduler/app/app.go
+++ b/cmd/gardener-scheduler/app/app.go
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "time"
 
 "github.com/go-logr/logr"
@@ -35,11 +37,11 @@ import (
 
 "github.com/gardener/gardener/pkg/client/kubernetes"
 "github.com/gardener/gardener/pkg/controllerutils/routes"
+ "github.com/gardener/gardener/pkg/features"
 gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 "github.com/gardener/gardener/pkg/logger"
 "github.com/gardener/gardener/pkg/scheduler/apis/config"
 "github.com/gardener/gardener/pkg/scheduler/controller"
- schedulerfeatures "github.com/gardener/gardener/pkg/scheduler/features"
 )
 
 // Name is a const for the name of this component.
@@ -93,11 +95,7 @@ func NewCommand() *cobra.Command {
 }
 
 func run(ctx context.Context, log logr.Logger, cfg *config.SchedulerConfiguration) error {
- // Add feature flags
- if err := schedulerfeatures.FeatureGate.SetFromMap(cfg.FeatureGates); err != nil {
- return fmt.Errorf("failed to set feature gates: %w", err)
- }
- log.Info("Feature Gates", "featureGates", schedulerfeatures.FeatureGate.String())
+ log.Info("Feature Gates", "featureGates", features.DefaultFeatureGate)
 
 log.Info("Getting rest config")
 if kubeconfig := os.Getenv("KUBECONFIG"); kubeconfig != "" {
@@ -115,8 +113,8 @@ func run(ctx context.Context, log logr.Logger, cfg *config.SchedulerConfiguratio
 Scheme: kubernetes.GardenScheme,
 GracefulShutdownTimeout: pointer.Duration(5 * time.Second),
 
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 
 LeaderElection: cfg.LeaderElection.LeaderElect,
 LeaderElectionResourceLock: cfg.LeaderElection.ResourceLock,
diff --git a/cmd/gardener-scheduler/app/options.go b/cmd/gardener-scheduler/app/options.go
index 70003750283..98baea5016d 100644
--- a/cmd/gardener-scheduler/app/options.go
+++ b/cmd/gardener-scheduler/app/options.go
@@ -23,6 +23,7 @@ import (
 "k8s.io/apimachinery/pkg/runtime/serializer"
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 
+ "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/scheduler/apis/config"
 schedulerv1alpha1 "github.com/gardener/gardener/pkg/scheduler/apis/config/v1alpha1"
 schedulervalidation "github.com/gardener/gardener/pkg/scheduler/apis/config/validation"
@@ -64,6 +65,12 @@ func (o *options) complete() error {
 return fmt.Errorf("error decoding config: %w", err)
 }
 
+ // Set feature gates immediately after decoding the config.
+ // Feature gates might influence the next steps, e.g., validating the config.
+ if err := features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates); err != nil {
+ return err
+ }
+
 return nil
 }
 
diff --git a/cmd/gardenlet/app/app.go b/cmd/gardenlet/app/app.go
index 551e1364456..204ab22ecc5 100644
--- a/cmd/gardenlet/app/app.go
+++ b/cmd/gardenlet/app/app.go
@@ -17,8 +17,10 @@ package app
 import (
 "context"
 "fmt"
+ "net"
 "os"
 goruntime "runtime"
+ "strconv"
 "strings"
 "time"
 
@@ -62,12 +64,12 @@ import (
 clientmapbuilder "github.com/gardener/gardener/pkg/client/kubernetes/clientmap/builder"
 "github.com/gardener/gardener/pkg/controllerutils"
 "github.com/gardener/gardener/pkg/controllerutils/routes"
+ "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/gardenlet/apis/config"
 gardenlethelper "github.com/gardener/gardener/pkg/gardenlet/apis/config/helper"
 "github.com/gardener/gardener/pkg/gardenlet/bootstrap"
 "github.com/gardener/gardener/pkg/gardenlet/bootstrap/certificate"
 "github.com/gardener/gardener/pkg/gardenlet/controller"
- gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features"
 gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 "github.com/gardener/gardener/pkg/logger"
 kubeapiserverconstants "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver/constants"
@@ -131,11 +133,7 @@ func NewCommand() *cobra.Command {
 }
 
 func run(ctx context.Context, cancel context.CancelFunc, log logr.Logger, cfg *config.GardenletConfiguration) error {
- // Add feature flags
- if err := gardenletfeatures.FeatureGate.SetFromMap(cfg.FeatureGates); err != nil {
- return err
- }
- log.Info("Feature Gates", "featureGates", gardenletfeatures.FeatureGate.String())
+ log.Info("Feature Gates", "featureGates", features.DefaultFeatureGate)
 
 if kubeconfig := os.Getenv("GARDEN_KUBECONFIG"); kubeconfig != "" {
 cfg.GardenClientConnection.Kubeconfig = kubeconfig
@@ -156,8 +154,8 @@ func run(ctx context.Context, cancel context.CancelFunc, log logr.Logger, cfg *c
 Scheme: kubernetes.SeedScheme,
 GracefulShutdownTimeout: pointer.Duration(5 * time.Second),
 
- HealthProbeBindAddress: fmt.Sprintf("%s:%d", cfg.Server.HealthProbes.BindAddress, cfg.Server.HealthProbes.Port),
- MetricsBindAddress: fmt.Sprintf("%s:%d", cfg.Server.Metrics.BindAddress, cfg.Server.Metrics.Port),
+ HealthProbeBindAddress: net.JoinHostPort(cfg.Server.HealthProbes.BindAddress, strconv.Itoa(cfg.Server.HealthProbes.Port)),
+ MetricsBindAddress: net.JoinHostPort(cfg.Server.Metrics.BindAddress, strconv.Itoa(cfg.Server.Metrics.Port)),
 
 LeaderElection: cfg.LeaderElection.LeaderElect,
 LeaderElectionResourceLock: cfg.LeaderElection.ResourceLock,
diff --git a/cmd/gardenlet/app/options.go b/cmd/gardenlet/app/options.go
index df551f529dc..92a4dcd3445 100644
--- a/cmd/gardenlet/app/options.go
+++ b/cmd/gardenlet/app/options.go
@@ -25,6 +25,7 @@ import (
 
 gardencore "github.com/gardener/gardener/pkg/apis/core"
 gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/gardenlet/apis/config"
 gardenletv1alpha1 "github.com/gardener/gardener/pkg/gardenlet/apis/config/v1alpha1"
 gardenletvalidation "github.com/gardener/gardener/pkg/gardenlet/apis/config/validation"
@@ -68,6 +69,12 @@ func (o *options) complete() error {
 return fmt.Errorf("error decoding config: %w", err)
 }
 
+ // Set feature gates immediately after decoding the config.
+ // Feature gates might influence the next steps, e.g., validating the config.
+ if err := features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates); err != nil {
+ return err
+ }
+
 return nil
 }
 
diff --git a/docs/concepts/resource-manager.md b/docs/concepts/resource-manager.md
index 119e5c0f26c..416b14c58a2 100644
--- a/docs/concepts/resource-manager.md
+++ b/docs/concepts/resource-manager.md
@@ -721,6 +721,8 @@ spec:
 podSelector: {}
 - ipBlock:
 cidr: 0.0.0.0/0
+ - ipBlock:
+ cidr: ::/0
 ports:
 - port: 10250
 protocol: TCP
diff --git a/docs/deployment/feature_gates.md b/docs/deployment/feature_gates.md
index 0c89540442f..6914cfdb167 100644
--- a/docs/deployment/feature_gates.md
+++ b/docs/deployment/feature_gates.md
@@ -151,19 +151,19 @@ A *General Availability* (GA) feature is also referred to as a *stable* feature. ## List of Feature Gates -| Feature | Relevant Components | Description | -|--------------------------------------------|----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| HVPA | `gardenlet`, `gardener-operator` | Enables simultaneous horizontal and vertical scaling in garden or seed clusters. | -| HVPAForShootedSeed | `gardenlet` | Enables simultaneous horizontal and vertical scaling in managed seed (aka "shooted seed") clusters. | -| ManagedIstio (deprecated) | `gardenlet` | Enables a Gardener-tailored [Istio](https://istio.io) in each Seed cluster. Disable this feature if Istio is already installed in the cluster. Istio is not automatically removed if this feature is disabled. See the [detailed documentation](../usage/istio.md) for more information. | -| APIServerSNI (deprecated) | `gardenlet` | Enables only one LoadBalancer to be used for every Shoot cluster API server in a Seed. Enable this feature when `ManagedIstio` is enabled or Istio is manually deployed in the Seed cluster. See [GEP-8](../proposals/08-shoot-apiserver-via-sni.md) for more details. | -| SeedChange | `gardener-apiserver` | Enables updating the `spec.seedName` field during shoot validation from a non-empty value in order to trigger shoot control plane migration. | -| ReversedVPN | `gardenlet` | Reverses the connection setup of the VPN tunnel between the Seed and the Shoot cluster(s). 
It allows Seed and Shoot clusters to be in different networks with only direct access in one direction (Shoot -> Seed). In addition to that, it reduces the amount of load balancers required, i.e. no load balancers are required for the VPN tunnel anymore. It requires `APIServerSNI` and kubernetes version `1.18` or higher to work. Details can be found in [GEP-14](../proposals/14-reversed-cluster-vpn.md). | -| CopyEtcdBackupsDuringControlPlaneMigration | `gardenlet` | Enables the copy of etcd backups from the object store of the source seed to the object store of the destination seed during control plane migration. | -| SecretBindingProviderValidation | `gardener-apiserver` | Enables validations on Gardener API server that:
- requires the provider type of a SecretBinding to be set (on SecretBinding creation)
- requires the SecretBinding provider type to match the Shoot provider type (on Shoot creation)
- enforces immutability on the provider type of a SecretBinding | -| HAControlPlanes | `gardener-apiserver` | HAControlPlanes allows shoot control planes to be run in high availability mode. | -| DefaultSeccompProfile | `gardenlet`, `gardener-operator` | Enables the defaulting of the seccomp profile for Gardener managed workload in the garden or seed to `RuntimeDefault`. | -| CoreDNSQueryRewriting | `gardenlet` | Enables automatic DNS query rewriting in shoot cluster's CoreDNS to shortcut name resolution of fully qualified in-cluster and out-of-cluster names, which follow a user-defined pattern. Details can be found in [DNS Search Path Optimization](../usage/dns-search-path-optimization.md). | -| IPv6SingleStack | `gardener-apiserver` | Allows creating shoot clusters with [IPv6 single-stack networking](../usage/ipv6.md) ([GEP-21](../proposals/21-ipv6-singlestack-local.md)). | +| Feature | Relevant Components | Description | +|--------------------------------------------|---------------------------------- |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| HVPA | `gardenlet`, `gardener-operator` | Enables simultaneous horizontal and vertical scaling in garden or seed clusters. | +| HVPAForShootedSeed | `gardenlet` | Enables simultaneous horizontal and vertical scaling in managed seed (aka "shooted seed") clusters. | +| ManagedIstio (deprecated) | `gardenlet` | Enables a Gardener-tailored [Istio](https://istio.io) in each Seed cluster. Disable this feature if Istio is already installed in the cluster. 
Istio is not automatically removed if this feature is disabled. See the [detailed documentation](../usage/istio.md) for more information. | +| APIServerSNI (deprecated) | `gardenlet` | Enables only one LoadBalancer to be used for every Shoot cluster API server in a Seed. Enable this feature when `ManagedIstio` is enabled or Istio is manually deployed in the Seed cluster. See [GEP-8](../proposals/08-shoot-apiserver-via-sni.md) for more details. | +| SeedChange | `gardener-apiserver` | Enables updating the `spec.seedName` field during shoot validation from a non-empty value in order to trigger shoot control plane migration. | +| ReversedVPN | `gardenlet` | Reverses the connection setup of the VPN tunnel between the Seed and the Shoot cluster(s). It allows Seed and Shoot clusters to be in different networks with only direct access in one direction (Shoot -> Seed). In addition to that, it reduces the amount of load balancers required, i.e. no load balancers are required for the VPN tunnel anymore. It requires `APIServerSNI` and kubernetes version `1.18` or higher to work. Details can be found in [GEP-14](../proposals/14-reversed-cluster-vpn.md). | +| CopyEtcdBackupsDuringControlPlaneMigration | `gardenlet` | Enables the copy of etcd backups from the object store of the source seed to the object store of the destination seed during control plane migration. | +| SecretBindingProviderValidation | `gardener-apiserver` | Enables validations on Gardener API server that:
- requires the provider type of a SecretBinding to be set (on SecretBinding creation)
- requires the SecretBinding provider type to match the Shoot provider type (on Shoot creation)
- enforces immutability on the provider type of a SecretBinding | +| HAControlPlanes | `gardener-apiserver` | HAControlPlanes allows shoot control planes to be run in high availability mode. | +| DefaultSeccompProfile | `gardenlet`, `gardener-operator` | Enables the defaulting of the seccomp profile for Gardener managed workload in the garden or seed to `RuntimeDefault`. | +| CoreDNSQueryRewriting | `gardenlet` | Enables automatic DNS query rewriting in shoot cluster's CoreDNS to shortcut name resolution of fully qualified in-cluster and out-of-cluster names, which follow a user-defined pattern. Details can be found in [DNS Search Path Optimization](../usage/dns-search-path-optimization.md). | +| IPv6SingleStack | `gardener-apiserver`, `gardenlet` | Allows creating seed and shoot clusters with [IPv6 single-stack networking](../usage/ipv6.md) enabled in their spec ([GEP-21](../proposals/21-ipv6-singlestack-local.md)). If enabled in gardenlet, the default behavior is unchanged, but setting `ipFamilies=[IPv6]` in the `seedConfig` is allowed. Only if the `ipFamilies` setting is changed, gardenlet behaves differently. | | MutableShootSpecNetworkingNodes | `gardener-apiserver` | Allows updating the field `spec.networking.nodes`. The validity of the values has to be checked in the provider extensions. Only enable this feature gate when your system runs provider extensions which have implemented the validation. | | FullNetworkPoliciesInRuntimeCluster | `gardenlet` | Enables gardenlet's NetworkPolicy controller to place 'deny-all' network policies in all relevant namespaces in the runtime cluster. | diff --git a/docs/deployment/getting_started_locally.md b/docs/deployment/getting_started_locally.md index a24ea359dad..cc6ea7c5f3a 100644 --- a/docs/deployment/getting_started_locally.md +++ b/docs/deployment/getting_started_locally.md 
@@ -32,9 +32,6 @@ In these cases, you might want to check out one of the following options that ru > If you plan on following the optional steps to [create a second seed cluster](#optional-setting-up-a-second-seed-cluster), the required resources will be more - at least `10` CPUs and `18Gi` memory. Additionally, please configure at least `120Gi` of disk size for the Docker daemon. > Tip: You can clean up unused data with `docker system df` and `docker system prune -a`. -- Make sure the `kind` docker network is using the CIDR `172.18.0.0/16`. - - If the network does not exist, it can be created with `docker network create kind --subnet 172.18.0.0/16` - - If the network already exists, the CIDR can be checked with `docker network inspect kind | jq '.[].IPAM.Config[].Subnet'`. If it is not `172.18.0.0/16`, delete the network with `docker network rm kind` and create it with the command above. ## Setting Up the KinD Cluster (Garden and Seed) 
@@ -60,27 +57,22 @@ With this, mirrored images don't have to be pulled again after recreating the cl The command also deploys a default [calico](https://github.com/projectcalico/calico) installation as the cluster's CNI implementation with `NetworkPolicy` support (the default `kindnet` CNI doesn't provide `NetworkPolicy` support). Furthermore, it deploys the [metrics-server](https://github.com/kubernetes-sigs/metrics-server) in order to support HPA and VPA on the seed cluster. -## Outgoing IPv6 Single-Stack Networking (optional) +## Setting Up IPv6 Single-Stack Networking (optional) -If you want to test IPv6-related features, we need to configure NAT for outgoing traffic from the kind network to the internet. -After `make kind-up IPFAMILY=ipv6`, check the network created by kind: +First, ensure that your `/etc/hosts` file contains an entry resolving `localhost` to the IPv6 loopback address: -```bash -$ docker network inspect kind | jq '.[].IPAM.Config[].Subnet' -"172.18.0.0/16" -"fc00:f853:ccd:e793::/64" +```text +::1 localhost ``` -Determine which device is used for outgoing internet traffic by looking at the default route: +Typically, only `ip6-localhost` is mapped to `::1` on linux machines. +However, we need `localhost` to resolve to both `127.0.0.1` and `::1` so that we can talk to our registry via a single address (`localhost:5001`). -```bash -$ ip route show default -default via 192.168.195.1 dev enp3s0 proto dhcp src 192.168.195.34 metric 100 -``` +Next, we need to configure NAT for outgoing traffic from the kind network to the internet. 
+After executing `make kind-up IPFAMILY=ipv6`, execute the following command to set up the corresponding iptables rules: -Configure NAT for traffic from the kind cluster to the internet using the IPv6 range and the network device from the previous two steps: ```bash -ip6tables -t nat -A POSTROUTING -o enp3s0 -s fc00:f853:ccd:e793::/64 -j MASQUERADE +ip6tables -t nat -A POSTROUTING -o $(ip route show default | awk '{print $5}') -s fd00:10::/64 -j MASQUERADE ``` ## Setting Up Gardener @@ -89,6 +81,8 @@ ip6tables -t nat -A POSTROUTING -o enp3s0 -s fc00:f853:ccd:e793::/64 -j MASQUERA make gardener-up ``` +> If you want to setup an IPv6 ready Gardener, use `make gardener-up IPFAMILY=ipv6` instead. + This will first build the base images (which might take a bit if you do it for the first time). Afterwards, the Gardener resources will be deployed into the cluster. diff --git a/docs/development/getting_started_locally.md b/docs/development/getting_started_locally.md index 25f3e93a67d..dcd058518e5 100644 --- a/docs/development/getting_started_locally.md +++ b/docs/development/getting_started_locally.md 
@@ -31,9 +31,6 @@ In these cases, you might want to check out one of the following options that ru Additionally, please configure at least `120Gi` of disk size for the Docker daemon. > Tip: With `docker system df` and `docker system prune -a` you can cleanup unused data. -- Make sure the `kind` docker network is using the CIDR `172.18.0.0/16`. - - If the network does not exist, it can be created with `docker network create kind --subnet 172.18.0.0/16` - - If the network already exists, the CIDR can be checked with `docker network inspect kind | jq '.[].IPAM.Config[].Subnet'`. If it is not `172.18.0.0/16`, delete the network with `docker network rm kind` and create it with the command above. - Make sure that you increase the maximum number of open files on your host: - On Mac, run `sudo launchctl limit maxfiles 65536 200000` - On Linux, extend the `/etc/security/limits.conf` file with @@ -51,7 +48,7 @@ In these cases, you might want to check out one of the following options that ru make kind-up KIND_ENV=local ``` -> If you want to setup an IPv6 KinD cluster, use `make kind-up IPFAMILY=ipv6` instead. +> If you want to setup an IPv6 KinD cluster, use `make kind-up KIND_ENV=local IPFAMILY=ipv6` instead. This command sets up a new KinD cluster named `gardener-local` and stores the kubeconfig in the `./example/gardener-local/kind/local/kubeconfig` file. 
@@ -69,27 +66,22 @@ With this, mirrored images don't have to be pulled again after recreating the cl The command also deploys a default [calico](https://github.com/projectcalico/calico) installation as the cluster's CNI implementation with `NetworkPolicy` support (the default `kindnet` CNI doesn't provide `NetworkPolicy` support). Furthermore, it deploys the [metrics-server](https://github.com/kubernetes-sigs/metrics-server) in order to support HPA and VPA on the seed cluster. -## Outgoing IPv6 Single-Stack Networking (optional) +## Setting Up IPv6 Single-Stack Networking (optional) -If you want to test IPv6-related features, we need to configure NAT for outgoing traffic from the kind network to the internet. -After `make kind-up IPFAMILY=ipv6`, check the network created by kind: +First, ensure that your `/etc/hosts` file contains an entry resolving `localhost` to the IPv6 loopback address: -```bash -$ docker network inspect kind | jq '.[].IPAM.Config[].Subnet' -"172.18.0.0/16" -"fc00:f853:ccd:e793::/64" +```text +::1 localhost ``` -Determine which device is used for outgoing internet traffic by looking at the default route: +Typically, only `ip6-localhost` is mapped to `::1` on linux machines. +However, we need `localhost` to resolve to both `127.0.0.1` and `::1` so that we can talk to our registry via a single address (`localhost:5001`). -```bash -$ ip route show default -default via 192.168.195.1 dev enp3s0 proto dhcp src 192.168.195.34 metric 100 -``` +Next, we need to configure NAT for outgoing traffic from the kind network to the internet. 
+After executing `make kind-up IPFAMILY=ipv6`, execute the following command to set up the corresponding iptables rules: -Configure NAT for traffic from the kind cluster to the internet using the IPv6 range and the network device from the previous two steps: ```bash -ip6tables -t nat -A POSTROUTING -o enp3s0 -s fc00:f853:ccd:e793::/64 -j MASQUERADE +ip6tables -t nat -A POSTROUTING -o $(ip route show default | awk '{print $5}') -s fd00:10::/64 -j MASQUERADE ``` ## Setting Up Gardener @@ -102,6 +94,8 @@ kubectl wait --for=condition=ready pod -l run=etcd -n garden --timeout 2m # make start-apiserver # starting gardener-apiserver ``` +> For IPv6 use `make dev-setup IPFAMILY=ipv6` instead. + In a new terminal pane, run: ```bash @@ -116,6 +110,8 @@ make dev-setup DEV_SETUP_WITH_WEBHOOKS=true # make start-controller-manager # starting gardener-controller-manager ``` +> For IPv6 use `make dev-setup DEV_SETUP_WITH_WEBHOOKS=true IPFAMILY=ipv6` instead. + (Optional): In a new terminal pane, run: ```bash @@ -129,12 +125,16 @@ make register-local-env # make start-gardenlet SEED_NAME=local # starting gardenlet ``` +> For IPv6 use `make register-local-env IPFAMILY=ipv6` instead. + In a new terminal pane, run: ```bash make start-extension-provider-local # starting gardener-extension-provider-local ``` +> For IPv6 use `make start-extension-provider-local IPFAMILY=ipv6` instead. + ℹ️ The [`provider-local`](../extensions/provider-local.md) is started with elevated privileges since it needs to manipulate your `/etc/hosts` file to enable you accessing the created shoot clusters from your local machine, see [this](../extensions/provider-local.md#dnsrecord) for more details. ## Creating a `Shoot` Cluster diff --git a/docs/usage/ipv6.md b/docs/usage/ipv6.md index f290a93742b..20b4df2cc8a 100644 --- a/docs/usage/ipv6.md +++ b/docs/usage/ipv6.md 
@@ -7,13 +7,15 @@ [GEP-21](../proposals/21-ipv6-singlestack-local.md) proposes IPv6 Single-Stack Support in the local Gardener environment. This documentation will be enhanced while implementing GEP-21, see [gardener/gardener#7051](https://github.com/gardener/gardener/issues/7051). -To use IPv6 single-stack networking, the [feature gate](../deployment/feature_gates.md) `IPv6SingleStack` must be enabled on gardener-apiserver. +To use IPv6 single-stack networking, the [feature gate](../deployment/feature_gates.md) `IPv6SingleStack` must be enabled on gardener-apiserver and gardenlet. ## Development Setup Developing or testing IPv6-related features requires a Linux machine (docker only supports IPv6 on Linux) and native IPv6 connectivity to the internet. If you're on a different OS or don't have IPv6 connectivity in your office environment or via your home ISP, make sure to check out [gardener-community/dev-box-gcp](https://github.com/gardener-community/dev-box-gcp), which allows you to circumvent these limitations. +You can follow the guide on [Deploying Gardener Locally](../deployment/getting_started_locally.md) for setting up an IPv6 gardener for testing or development purposes. + ## Container Images If you plan on using custom images, make sure your registry supports IPv6 access. diff --git a/example/20-componentconfig-gardener-admission-controller.yaml b/example/20-componentconfig-gardener-admission-controller.yaml index ad721d44b39..174eb804f38 100644 --- a/example/20-componentconfig-gardener-admission-controller.yaml +++ b/example/20-componentconfig-gardener-admission-controller.yaml @@ -8,15 +8,12 @@ logLevel: info logFormat: json server: webhooks: - bindAddress: 0.0.0.0 port: 2721 tls: serverCertDir: dev/tls/gardener-admission-controller healthProbes: - bindAddress: 0.0.0.0 port: 2722 metrics: - bindAddress: 0.0.0.0 port: 2723 resourceAdmissionConfiguration: limits: 
diff --git a/example/20-componentconfig-gardener-controller-manager.yaml b/example/20-componentconfig-gardener-controller-manager.yaml index c63fdf3b70b..d537d7d550b 100644 --- a/example/20-componentconfig-gardener-controller-manager.yaml +++ b/example/20-componentconfig-gardener-controller-manager.yaml @@ -85,10 +85,8 @@ logLevel: info logFormat: text server: healthProbes: - bindAddress: 0.0.0.0 port: 2718 metrics: - bindAddress: 0.0.0.0 port: 2719 debugging: enableProfiling: false diff --git a/example/20-componentconfig-gardener-scheduler.yaml b/example/20-componentconfig-gardener-scheduler.yaml index cd988c3d159..59fa806368e 100644 --- a/example/20-componentconfig-gardener-scheduler.yaml +++ b/example/20-componentconfig-gardener-scheduler.yaml @@ -16,10 +16,8 @@ logLevel: info logFormat: text server: healthProbes: - bindAddress: 0.0.0.0 port: 10251 metrics: - bindAddress: 0.0.0.0 port: 19252 debugging: enableProfiling: false diff --git a/example/20-componentconfig-gardenlet.yaml b/example/20-componentconfig-gardenlet.yaml index 0f6947f8f3c..d7e621d54d5 100644 --- a/example/20-componentconfig-gardenlet.yaml +++ b/example/20-componentconfig-gardenlet.yaml @@ -98,10 +98,8 @@ logLevel: info logFormat: text server: healthProbes: - bindAddress: 0.0.0.0 port: 2728 metrics: - bindAddress: 0.0.0.0 port: 2729 debugging: enableProfiling: false @@ -113,6 +111,10 @@ featureGates: APIServerSNI: true DefaultSeccompProfile: true CoreDNSQueryRewriting: true + # Enable IPv6SingleStack to allow creating IPv6 seed clusters without changing the config. + # This feature gate doesn't change gardenlet's default behavior, it only allows setting `ipFamilies=[IPv6]` in the + # Seed config. Only when this is set, gardenlet's behavior changes. + IPv6SingleStack: true # seedConfig: # metadata: # name: my-seed 
diff --git a/example/gardener-local/controlplane/auth-webhook-kubeconfig-local.yaml b/example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv4.yaml similarity index 100% rename from example/gardener-local/controlplane/auth-webhook-kubeconfig-local.yaml rename to example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv4.yaml diff --git a/example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv6.yaml b/example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv6.yaml new file mode 100644 index 00000000000..88a82015f88 --- /dev/null +++ b/example/gardener-local/controlplane/auth-webhook-kubeconfig-local-ipv6.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Config +clusters: +- name: garden + cluster: + insecure-skip-tls-verify: true + # This is the IP of the `gardener-admission-controller` service in the `garden` namespace. + server: https://[fd00:10:2::1000]/webhooks/auth/seed +users: +- name: kube-apiserver + user: {} +contexts: +- name: auth-webhook + context: + cluster: garden + user: kube-apiserver +current-context: auth-webhook diff --git a/example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold.yaml b/example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv4.yaml similarity index 100% rename from example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold.yaml rename to example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv4.yaml diff --git a/example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv6.yaml b/example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv6.yaml new file mode 100644 index 00000000000..88a82015f88 --- /dev/null +++ b/example/gardener-local/controlplane/auth-webhook-kubeconfig-skaffold-ipv6.yaml 
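Review bot: The new kubeconfig sets `insecure-skip-tls-verify: true` and, with `user: {}`, presents no client credentials, so the kube-apiserver will trust whatever answers at `https://[fd00:10:2::1000]` as its seed authentication webhook; that is acceptable for the kind-based local setup, but nothing in the file says it must stay there. I'd extend the existing comment on the `server` line with `# Local development only: TLS verification is intentionally disabled for the kind cluster; do not reuse this kubeconfig against a non-local garden.` The skaffold variant added in the next file section (auth-webhook-kubeconfig-skaffold-ipv6.yaml) is byte-identical and would carry the same comment.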
@@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Config +clusters: +- name: garden + cluster: + insecure-skip-tls-verify: true + # This is the IP of the `gardener-admission-controller` service in the `garden` namespace. + server: https://[fd00:10:2::1000]/webhooks/auth/seed +users: +- name: kube-apiserver + user: {} +contexts: +- name: auth-webhook + context: + cluster: garden + user: kube-apiserver +current-context: auth-webhook diff --git a/example/gardener-local/controlplane/networkpolicy.yaml b/example/gardener-local/controlplane/networkpolicy.yaml index c2427111d6a..dfce8b60f7f 100644 --- a/example/gardener-local/controlplane/networkpolicy.yaml +++ b/example/gardener-local/controlplane/networkpolicy.yaml @@ -23,12 +23,16 @@ spec: podSelector: {} - ipBlock: cidr: 0.0.0.0/0 + - ipBlock: + cidr: ::/0 egress: - to: - namespaceSelector: {} podSelector: {} - ipBlock: cidr: 0.0.0.0/0 + - ipBlock: + cidr: ::/0 policyTypes: - Egress - Ingress diff --git a/example/gardener-local/controlplane/values.yaml b/example/gardener-local/controlplane/values.yaml index c2473e8a248..572e7cf7e01 100644 --- a/example/gardener-local/controlplane/values.yaml +++ b/example/gardener-local/controlplane/values.yaml 
@@ -173,80 +173,83 @@ global: config: server: webhooks: - bindAddress: 0.0.0.0 port: 2719 tls: caBundle: | -----BEGIN CERTIFICATE----- - MIIDJjCCAg6gAwIBAgIUUaSpEaJfy6lXiwagtBuGsRr0HtEwDQYJKoZIhvcNAQEL - BQAwKzEpMCcGA1UEAxMgZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXItY2Ew - HhcNMjIwNTAzMDY0MjAwWhcNMjcwNTAyMDY0MjAwWjArMSkwJwYDVQQDEyBnYXJk - ZW5lci1hZG1pc3Npb24tY29udHJvbGxlci1jYTCCASIwDQYJKoZIhvcNAQEBBQAD - ggEPADCCAQoCggEBAK/aKhVzDGDt5jnIDhHIqgdJpigoBIR0qhRDW0B2GKAURizO - p/nJzDA98Pjn6XEs6H93u7pGCSi/TE0hyDGwajDKm55xPE4/KSrnb1xubZ9FSBwP - SYL801yWhrBlCVBUAxDsQ3rbJBH17B6zsZ9UYzAEz+gncm4XYCv02V6Zt6N8HjtK - T0n0pRiBJBwjQVPXNHUyzZhvlzCDa/gCu5GvLQ1kORcgji9nE6KUbARySCm4clFD - l4r5Yij8Zp8D8fo0WhmA5+ZEmubJG8SnGxxGpAtwOddjRHZs2YMCJrK8IIasg5AH - uK/OR2o1uVbpXZLIaC1YyNPgGqj7ar7pUReDBQ0CAwEAAaNCMEAwDgYDVR0PAQH/ - BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEW+SbKZtbxUpiyOp90M - 9PlXJ2u0MA0GCSqGSIb3DQEBCwUAA4IBAQA8VldEkYcdkvake9SsaSh4DV2V0uJ/ - atElLeGva1YNVoG99YsKGjJbJw+LrIdsguKhKbir7fS/rRAXxKY6cMyc+F0uwbGZ - RtpaqXOEh/r7fCbuyt2KxAnCvIIbnx0L+TETPoagWsb56TGT7us0mjj9CH8zYlAv - eYK3m5QDZWQTDzSCunWwQToQPIUibyFkR+BnIF8H0NJ61oDsZP4VH+rOiUaj0v3H - KKWOXzAusn7RCzXAemXVD02Dx0urpt7z/O00415lvj7MUPfRQJscyySpnK9hkdOs - 1aTC6iwUjozjF1Fe2mANbKWERNaZIoVaTAVhtgMYL0jf2Zr6oZkX22dT + MIIDMTCCAhmgAwIBAgIUA+ORkSwJPvTa6OsXD7nAOMW4+z4wDQYJKoZIhvcNAQEL + BQAwKDEmMCQGA1UEAwwdZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXIwHhcN + MjMwMjEzMDk1NDIwWhcNNDcxMDA1MDk1NDIwWjAoMSYwJAYDVQQDDB1nYXJkZW5l + ci1hZG1pc3Npb24tY29udHJvbGxlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC + AQoCggEBANmCdziSoo72HJ2WZnDxL7909Q8FMXMlqyz4sedyYpdu5wcHNPrGhPs2 + s5w75yCxkOogUh9iyj2rNYsxUW433ae9aVITHwRFgd6EPOQfUcCjrVXDuAKqLsTg + jjYc8I0IWTxqyK8qY8+NsJVBX5i51BxxigZdhbY20cp3okjnf/dIq7+suWg+Zts4 + x7uCxG4hCniSH/Hi6i1hvJkjjRIrFkRWZjGNctaZ3Otahh7qiI8lCz/URDI/SgmT + K/4L6B0PPoqB+Gf19iRsxjZUqm6fzSQh396YBOWtzqSspBFz/TOz8866Fu1pzXrY + W7bGpTnMlMQD4vJtQ845/O4SMwKUQXcCAwEAAaNTMFEwHQYDVR0OBBYEFLTw5n6N + 
EXcpiathNX5B9hG9WM3zMB8GA1UdIwQYMBaAFLTw5n6NEXcpiathNX5B9hG9WM3z + MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJiABfnbo7VverQJ + kV3Pt0o6X8+2H4DcsBMoyhuf6ib0ZyLFnG6JbdCjFMvgyoDgT1drWkWXvdvwk1lM + kOksuZ4n/k6nJNAqncuqfzxJI+sD1cDIirzwHznrgwpEGw4QYcOYvdprq1fDjV2y + 3IlFRH6dpbhUyk8zMXQwvinfKKOBFJG4eaQJkRvTeRhJDkuuJ/g5SwnRYlQQFltG + rbI3N81CtuFpRUJLGyuhiYG5JXXh0mFwOEGAwfWBynhdr5atszLOVDCbw2cunPdD + yXD51VfQb1jYKxT9IzdPRls03KYwgnG/YhWbZe2MH1VvsM6vnToutGg7OpS/Qbk7 + 9PEumeY= -----END CERTIFICATE----- crt: | -----BEGIN CERTIFICATE----- - MIID6DCCAtCgAwIBAgIUJl4x4/SAELgFsXIGJcWlt9YF70kwDQYJKoZIhvcNAQEL - BQAwKzEpMCcGA1UEAxMgZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXItY2Ew - HhcNMjIwNTAzMDY0NDAwWhcNMzIwNDMwMDY0NDAwWjAoMSYwJAYDVQQDEx1nYXJk - ZW5lci1hZG1pc3Npb24tY29udHJvbGxlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP - ADCCAQoCggEBAKupPy1XWFSZjbdihItv7RSP7baCAtrDNo0SRXjIk9+tE0rsa1lm - f8N5IYMl9uKIhHLUbLeoetryrDqm75rUw9DbwB0W0w0Jk16WBFH7E5bQ5nbhJDbs - s4PfRWpu03p0uEI8dY5XkW3F1hIGlt4kOBOngGLorLe6lF96bbc/wtZCDiEN9JbK - X1k45fDqIkoO3SbzIohKSe+JMmgD5ZxeqSvzcGKzLtfavShUcQBmGKsnTF1hiN0F - 47+b7HqfAvWwNPiwXSstmlkYn47wHoSTElMHVq17OsCnPWl8ygYQxdsd4p0ETCij - ujwWemUeW1KMEjs2EM7Wj7NOjcdOQGNSQKkCAwEAAaOCAQUwggEBMA4GA1UdDwEB - /wQEAwIFIDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1Ud - DgQWBBTg6DoeCYVVNqetjpL57+7vjInTCTAfBgNVHSMEGDAWgBRFvkmymbW8VKYs - jqfdDPT5VydrtDCBiwYDVR0RBIGDMIGAgglsb2NhbGhvc3SCHWdhcmRlbmVyLWFk - bWlzc2lvbi1jb250cm9sbGVygiRnYXJkZW5lci1hZG1pc3Npb24tY29udHJvbGxl - ci5nYXJkZW6CKGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5z - dmOHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAFUkROHqmJmgas6Df3Bj9L0IiZsS - kZNqa+Qu0o0/5b7ePDAFHg9uiobwchGIfLUvUWovJTPa89jm1yBoVZ6aMIvqQqhg - jwmof/BtR/nh1MSQjSx+O0raJjVk7xj0Z8fhGs44OAbzsoMec/yldiMLiP0+ybVp - BGd+9Pcl5/pkngfcLtxPB0Vu/CWaLXCCOa/sOoWOz9kKGLuiizBKIK8ESL7Z0Jtm - rfqIQ9A0r/d+jjWe3l3+sl56lFQ7agri8O40rBMyDE66BQfvER4ndicjeX4SjaH8 - R/y7S53DvrJ3xsogoQ60ETmqez9OJF+dcdECxqw8J1lebkbD8yz9b03cK3o= + 
MIIEeTCCA2GgAwIBAgIUCX6GUtDIFah9BiYrQxj3oiRKGcYwDQYJKoZIhvcNAQEL + BQAwKDEmMCQGA1UEAwwdZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXIwHhcN + MjMwMjEzMDk1NDIwWhcNNDcxMDA1MDk1NDIwWjAiMSAwHgYDVQQKDBdTZWxmLXNp + Z25lZCBjZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB + AK94aw0IEpQn9WGDmyvlYoZ0BoAmhegZQcHqKEeYW479m0w1LrtbTtSyhcw7+uz8 + GUyrgPLHygkDDE/w9gQk9YaR31r/EiQFYTGOVMg494Fx5KvAhoqyOFEFTtk6U1/H + 1NSMIGoU0ru0LAFR2itM8q/9sKAHbpzztjbI8MHIaSsRl7c339ODxODG42WyhfiR + SZlf9PId3fUjCtWZ2K+1YcVgicihz/31Pu/35qKBwzSrDIGerDkvbx0dO358dwAs + MD2zVCcbuFtBvM2LgZDbUA6K5RHtH1WREsCat+ThqPybHF1pV759ebLBwbSlYoG1 + 9qK4xZEPtwyovsruHOblThcCAwEAAaOCAZ8wggGbMGMGA1UdIwRcMFqAFLTw5n6N + EXcpiathNX5B9hG9WM3zoSykKjAoMSYwJAYDVQQDDB1nYXJkZW5lci1hZG1pc3Np + b24tY29udHJvbGxlcoIUA+ORkSwJPvTa6OsXD7nAOMW4+z4wCQYDVR0TBAIwADAL + BgNVHQ8EBAMCBDAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIH8BgNV + HREEgfQwgfGHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCHWdhcmRlbmVyLWFkbWlz + c2lvbi1jb250cm9sbGVygiRnYXJkZW5lci1hZG1pc3Npb24tY29udHJvbGxlci5n + YXJkZW6CKGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5zdmOC + MGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5zdmMuY2x1c3Rl + coI2Z2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXIuZ2FyZGVuLnN2Yy5jbHVz + dGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQAgreIsj8va08G8sKWtCl4amzcL + Q9E4ITELb7LIXbLxACd95epyT/dZnPz7H1EpsYJLpFYWcMO955EN5inl7VLNK96m + YsFJaHSd2hT2Gn/NdwH4UkVjjlz9O9guH91NCJb2U36tzbryawxWnLpOQDIl4IP7 + AyBeC7TKzrotc6oKi5NenOzAkEGV+5FfHGqLfJsc998mBBRiVnqssrSiSm8LWSlP + l4tmEjC10MC31am45f6IJWUBXychYvspGCCA04pWNneRgU+91UvR3vrUXTW59OY8 + puUrA+9H1VHmOFgzwgvnmfhlGi6S23zA8BN82YujM9CtCXFJmb5I1s4Ha9jd -----END CERTIFICATE----- key: | -----BEGIN RSA PRIVATE KEY----- - MIIEowIBAAKCAQEAq6k/LVdYVJmNt2KEi2/tFI/ttoIC2sM2jRJFeMiT360TSuxr - WWZ/w3khgyX24oiEctRst6h62vKsOqbvmtTD0NvAHRbTDQmTXpYEUfsTltDmduEk - Nuyzg99Fam7TenS4Qjx1jleRbcXWEgaW3iQ4E6eAYuist7qUX3pttz/C1kIOIQ30 - lspfWTjl8OoiSg7dJvMiiEpJ74kyaAPlnF6pK/NwYrMu19q9KFRxAGYYqydMXWGI - 
3QXjv5vsep8C9bA0+LBdKy2aWRifjvAehJMSUwdWrXs6wKc9aXzKBhDF2x3inQRM - KKO6PBZ6ZR5bUowSOzYQztaPs06Nx05AY1JAqQIDAQABAoIBADsbbbuJBcsrjFaG - v6jbg0C/RlS/c4gsC46Lqgwq1HACQlBcE6KW3otKHDXyTo41/5Uie8TJaHQXdyJC - 9OHVPQ+fewkJIOauU2YQNbCcyWP2zkRExZl761wO9vHs8ziJFCEKfFfk4xhvNITE - bBJVWlG6LUThZQdmYUx29WxRsh7f01rRwwG8Ce3y7yel49HU0DHlttP/MsNkzQxv - oLMjD5ETyxnYQghJL3IYdHIODKFrCPCuzpDM3dP8ICFTmiM8yzTb5wISLShaBNv9 - Nx9jXXPG7GBjXV+rrbksstei+IMpmwfJPVLN1OX0v3VCd1qRAUt2gz8kLBphEM+Z - xoQslWECgYEA2C4Le5M7IDhCQUN/h63HFaj4z0oWxgs9Vyw2TPgNyPWjFJx2Czel - 2Y8BI94KWkzGPu+NBOgo8XM2I08ccJ9eT29O958I396dEIkT+Tx1XmjSUyoU9hwH - yDU2qUTzgPW782V+Mn7nvuzTSKdOZGySMQAwuau7KMVpPjOte54vAw0CgYEAy0fs - AzfkJxQcluYJS/8J1obfedFLMaMvDxv8Rv+HRqyThBL69Oz47NGeMQoZJMUqAT+M - JWSogUwr1jjsGrBFb3G/pfY5Sx1mJjMZ2Nu5on/cBpWH6ysoHtzk0IuAmZHivNqt - aF7kk1+rrw1/OuK0bitYTlZ1dpnjRyyXMUrJPQ0CgYAN4I7OJPpjrBjctaeHHymr - g0hNjjT+C5SpduYZdMb1wobweMa/G5hi6eIp2kQR3eHQAnKsAPc34Kx2AcsSk7hr - IvsPvD7GmDS+7f3BPxdNsy7lNctYrR32xSu4G/wBqESjcD10ol7gC7XYcR0AJ1QP - HzMBiDugd2O1IX4edF4SNQKBgHv4wNa1n0611Tmx0LmoMDfEyUVhfponCuwMBS7H - Z5iSZuSFLsdwPd8vd2ow3mSuWY+pUa78VEeGTLW4wUUFe1Mb6+Uq5IYKx+FECN9Y - IT4Y+/aH+vxQtYcc7+6/JQ6DCeRi+J5OQNgf4HRBpvYijCckCBa+Y6SQ9SrS5uII - 2fGBAoGBAKPqoceWtJNPlT/2F8XWde3B9+Yu4v9deTL9hqMcmd3DSQRlstua6pXn - 2gdfX1KfoWJn/MxI5UKf5RZ2ygmNCTqdLFK/5v7zr4aMw5fSxc9Hf0WuKA8EGzfw - 8dNU6RXARJRSWWKk7wAxSoiNZT/L9VdB0DxZNgZiPBNzdSN6ovgG + MIIEpAIBAAKCAQEAr3hrDQgSlCf1YYObK+VihnQGgCaF6BlBweooR5hbjv2bTDUu + u1tO1LKFzDv67PwZTKuA8sfKCQMMT/D2BCT1hpHfWv8SJAVhMY5UyDj3gXHkq8CG + irI4UQVO2TpTX8fU1IwgahTSu7QsAVHaK0zyr/2woAdunPO2NsjwwchpKxGXtzff + 04PE4MbjZbKF+JFJmV/08h3d9SMK1ZnYr7VhxWCJyKHP/fU+7/fmooHDNKsMgZ6s + OS9vHR07fnx3ACwwPbNUJxu4W0G8zYuBkNtQDorlEe0fVZESwJq35OGo/JscXWlX + vn15ssHBtKVigbX2orjFkQ+3DKi+yu4c5uVOFwIDAQABAoIBABuv74xV2sCf8Xsa + jhCGGF7IzgHIklaGLbcQYJyzcLcGU0vaFG6hwLWVGcGZMUXVnZRYd3dXiQyU+4td + pSQQROGgANNV7iHa63QrVjtlqcA2HXPwZApchsBaCxABwQga+v0ywyaZ9IqDqnHm + 3Xr5oE2exRDrO0vutLC+UibxnY6a6/OS6v7927degm3R8Wa8cYSomMQ8LlrTL2SH + 
p9WNzlznRuKJQCY+Nbh38EN8nA0GKvcvn2F+3E4qFxvOYe5rGXElGLjF4fXegO1O + 9wZ4nC4xe/RCIPlro7QnebM7OQpkTX1toDlMLt504uLllueN+2iDcNPptUnPWXxY + o9nZQUkCgYEA5SciL1VaJlDJ9rfHMNZCTJqH3PSkTsO7xErBWZjIUtIHNaza+til + eRsFKvHb4Etg/jSk4kOeVAnFcL45tZOxP0psEPkph1/4vnfNihH6E9sM7L6RYVvj + SE8NxnXrZxvbazawkwL5kVQeRcmE9XTd/bf5cSU7KRFd4A3n/zie9wUCgYEAxAc2 + hrtjKL5soLhoElnKSm3fA8slxWIiX+yUm2FZ1mpb7uL1bkw+Xs5YyIccYRN3wWAl + nhByF3XpLRvFWVrtdxJCY4nfzeo3hVucox3x7eDqOT3knH3ox+YYt9V6TFWc0GAA + /WaEuHOJ4MdxFdtJCHnjqbI/Uk6nf8H/J5iDA2sCgYBDoGnxSCIjvqHr4s6xNfo4 + +z3vUm+PIyqtwlYPaAxujLc9+vZhI0CqXfQHeXsnVXeZbdXfRI9cQ8n1/N2xHZYo + lIER/UZpQkR5iYeqIKYJ6BKHZ7Il5mVL+LCbCj/fnRQDLw+rQyx93DJW7CMGAWhm + MT43SwKLmyl2LwRxiLc5NQKBgQCO2Ka+RZz7mtAzyk1kWfQUir4B2K58iId+GTst + gyJhIf4+NTseFgc5NOrzralbgEE7NCIVbeyF9hFmIp+L/ruekjq4qEbjmbK9xkV9 + hBvA+a4U6mpGM2ZHDQCkLbdCGvz7x4nRHjzG4MLvfsaEY9hziccB6PdFtjVO3wJd + S0DlYwKBgQDYl/adJqYUJwSs4GL/gX/e1HAMVyrOrgvQsRuMLaAFSiUlD3BS7D4v + jIqVBfSaZOwHlGASrABFeL9HMP7R6WTJu/+FQqPALZP7zBmMoL1S7aq/ZXu3hxV9 + lWog4o4uxBXqPcv3j5Ujp6C/Vk3ki+U77D1s5GKZwwiiyu3qDQAX9Q== -----END RSA PRIVATE KEY----- replicaCount: 2 resources: {} @@ -256,7 +259,6 @@ global: config: server: http: - bindAddress: 0.0.0.0 port: 2718 resources: {} diff --git a/example/gardener-local/gardenlet/values-ipv6.yaml b/example/gardener-local/gardenlet/values-ipv6.yaml new file mode 100644 index 00000000000..9bd9b45ac11 --- /dev/null +++ b/example/gardener-local/gardenlet/values-ipv6.yaml @@ -0,0 +1,16 @@ +config: + seedConfig: + spec: + networks: + ipFamilies: + - IPv6 + nodes: fd00:10::/64 + # Those CIDRs must match those specified in the kind Cluster configuration. + pods: fd00:10:1::/56 + services: fd00:10:2::/112 + shootDefaults: + ipFamilies: + - IPv6 + pods: fd00:10:3::/56 + services: fd00:10:4::/112 + diff --git a/example/gardener-local/gardenlet/values-kind-ha-multi-zone.yaml b/example/gardener-local/gardenlet/values-kind-ha-multi-zone.yaml index 6f3583e1600..be80689956f 100644 
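Review bot: The regenerated key pair under `tls:` is committed in plaintext and, decoded from the certificate's validity field, is valid from 2023-02-13 to 2047-10-05, roughly 24 years, whereas the pair it replaces expired after 10 years (2022-05-03 to 2032-04-30); nothing in the file marks it as local-development-only. The same certificate and key are also embedded verbatim in `hack/local-development/dev-setup`, so both copies have to be rotated together. Add a short comment above `tls:` such as `# Self-signed credentials for the local kind setup only; never reuse outside hack/ (a second copy lives in hack/local-development/dev-setup).` and document the command used to generate them so a rotation is reproducible.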
--- a/example/gardener-local/gardenlet/values-kind-ha-multi-zone.yaml +++ b/example/gardener-local/gardenlet/values-kind-ha-multi-zone.yaml @@ -1,30 +1,5 @@ replicaCount: 2 config: - gardenClientConnection: - kubeconfigSecret: - name: gardenlet-kubeconfig - namespace: garden - bootstrapKubeconfig: - name: gardenlet-kubeconfig-bootstrap - namespace: garden - kubeconfig: | - apiVersion: v1 - kind: Config - current-context: gardenlet-bootstrap - clusters: - - cluster: - insecure-skip-tls-verify: true - server: https://gardener-local-ha-multi-zone-control-plane:6443 - name: default - contexts: - - context: - cluster: default - user: gardenlet-bootstrap - name: gardenlet-bootstrap - users: - - name: gardenlet-bootstrap - user: - token: 07401b.f395accd246ae52d seedConfig: metadata: name: local-ha-multi-zone diff --git a/example/gardener-local/gardenlet/values-kind-ha-single-zone.yaml b/example/gardener-local/gardenlet/values-kind-ha-single-zone.yaml index 81713075ea2..180178a1d1b 100644 --- a/example/gardener-local/gardenlet/values-kind-ha-single-zone.yaml +++ b/example/gardener-local/gardenlet/values-kind-ha-single-zone.yaml @@ -1,30 +1,5 @@ replicaCount: 2 config: - gardenClientConnection: - kubeconfigSecret: - name: gardenlet-kubeconfig - namespace: garden - bootstrapKubeconfig: - name: gardenlet-kubeconfig-bootstrap - namespace: garden - kubeconfig: | - apiVersion: v1 - kind: Config - current-context: gardenlet-bootstrap - clusters: - - cluster: - insecure-skip-tls-verify: true - server: https://gardener-local-ha-single-zone-control-plane:6443 - name: default - contexts: - - context: - cluster: default - user: gardenlet-bootstrap - name: gardenlet-bootstrap - users: - - name: gardenlet-bootstrap - user: - token: 07401b.f395accd246ae52d seedConfig: metadata: name: local-ha-single-zone diff --git a/example/gardener-local/gardenlet/values-kind2.yaml b/example/gardener-local/gardenlet/values-kind2.yaml index 602e3b929f6..c42ea1e52ee 100644 
--- a/example/gardener-local/gardenlet/values-kind2.yaml +++ b/example/gardener-local/gardenlet/values-kind2.yaml @@ -8,7 +8,11 @@ config: clusters: - cluster: insecure-skip-tls-verify: true - server: https://gardener-local-control-plane:6443 + # We use the kind node's hostname (docker container name) as the garden cluster address. + # This works from within the kind cluster itself, from within ManagedSeeds, and from within additional kind clusters. + # Note that this doesn't work in IPv6 single-stack kind clusters, + # ref https://github.com/kubernetes-sigs/kind/issues/3114 + server: https://garden.local.gardener.cloud:6443 name: default contexts: - context: diff --git a/example/gardener-local/gardenlet/values.yaml b/example/gardener-local/gardenlet/values.yaml index 99a2fef8246..ace86fdc033 100644 --- a/example/gardener-local/gardenlet/values.yaml +++ b/example/gardener-local/gardenlet/values.yaml @@ -14,7 +14,11 @@ config: clusters: - cluster: insecure-skip-tls-verify: true - server: https://gardener-local-control-plane:6443 + # We use the kind node's hostname (docker container name) as the garden cluster address. + # This works from within the kind cluster itself, from within ManagedSeeds, and from within additional kind clusters. + # Note that this doesn't work in IPv6 single-stack kind clusters, + # ref https://github.com/kubernetes-sigs/kind/issues/3114 + server: https://garden.local.gardener.cloud:6443 name: default contexts: - context: @@ -35,6 +39,10 @@ config: APIServerSNI: true DefaultSeccompProfile: true CoreDNSQueryRewriting: true + # Enable IPv6SingleStack to allow creating IPv6 seed clusters without changing the config. + # This feature gate doesn't change gardenlet's default behavior, it only allows setting `ipFamilies=[IPv6]` in the + # Seed config. Only when this is set, gardenlet's behavior changes. + IPv6SingleStack: true FullNetworkPoliciesInRuntimeCluster: true logging: enabled: true 
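Review bot: The new comment above `server:` appears stale: it says the kind node's hostname (docker container name) is used and that this does not work in IPv6 single-stack kind clusters, but the value it annotates is `garden.local.gardener.cloud`, which hack/kind-up.sh injects into every node's /etc/hosts and into CoreDNS precisely so that it resolves in IPv4 and IPv6 clusters, in ManagedSeeds and in the second kind cluster. A reader will conclude the IPv6 limitation still applies. Replace it with something like `# garden.local.gardener.cloud is injected into /etc/hosts and CoreDNS by hack/kind-up.sh and resolves to the garden kind node; works in IPv4/IPv6 clusters, ManagedSeeds and additional kind clusters.`; the identical comment in example/gardener-local/gardenlet/values.yaml needs the same correction. Since this bootstrap kubeconfig keeps `insecure-skip-tls-verify: true`, the comment should also say that the name is expected to resolve locally, never via upstream DNS.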
diff --git a/example/gardener-local/kind/cluster/templates/_kubeadm_config_patches.tpl b/example/gardener-local/kind/cluster/templates/_kubeadm_config_patches.tpl index b913294611d..88b4c4565ab 100644 --- a/example/gardener-local/kind/cluster/templates/_kubeadm_config_patches.tpl +++ b/example/gardener-local/kind/cluster/templates/_kubeadm_config_patches.tpl @@ -13,13 +13,13 @@ authorization-mode: RBAC,Node {{- else }} authorization-mode: RBAC,Node,Webhook - authorization-webhook-config-file: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}.yaml + authorization-webhook-config-file: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}-{{ .Values.networking.ipFamily }}.yaml authorization-webhook-cache-authorized-ttl: "0" authorization-webhook-cache-unauthorized-ttl: "0" extraVolumes: - name: gardener - hostPath: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}.yaml - mountPath: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}.yaml + hostPath: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}-{{ .Values.networking.ipFamily }}.yaml + mountPath: /etc/gardener/controlplane/auth-webhook-kubeconfig-{{ .Values.environment }}-{{ .Values.networking.ipFamily }}.yaml readOnly: true pathType: File {{- end }} diff --git a/example/gardener-local/kind/cluster/values.yaml b/example/gardener-local/kind/cluster/values.yaml index 1b91c90ab13..f19bf3c9804 100644 --- a/example/gardener-local/kind/cluster/values.yaml +++ b/example/gardener-local/kind/cluster/values.yaml @@ -20,7 +20,7 @@ backupBucket: registry: deployed: true - hostname: gardener-local-control-plane + hostname: garden.local.gardener.cloud networking: ipFamily: ipv4 diff --git a/example/gardener-local/kind/ha-multi-zone/values.yaml b/example/gardener-local/kind/ha-multi-zone/values.yaml index b96959fdb85..8eec3a44786 100644 --- a/example/gardener-local/kind/ha-multi-zone/values.yaml 
+++ b/example/gardener-local/kind/ha-multi-zone/values.yaml @@ -8,9 +8,6 @@ gardener: - 127.0.0.11 - 127.0.0.12 -registry: - hostname: gardener-local-ha-multi-zone-control-plane - workers: - zone: "1" - zone: "2" diff --git a/example/gardener-local/kind/ha-single-zone/values.yaml b/example/gardener-local/kind/ha-single-zone/values.yaml index 9207c3fba18..a4eb9414448 100644 --- a/example/gardener-local/kind/ha-single-zone/values.yaml +++ b/example/gardener-local/kind/ha-single-zone/values.yaml @@ -1,6 +1,3 @@ -registry: - hostname: gardener-local-ha-single-zone-control-plane - workers: - zone: "0" - zone: "0" diff --git a/example/gardener-local/kind/local2/values.yaml b/example/gardener-local/kind/local2/values.yaml index 6d862e9dd7c..f5cae5248d1 100644 --- a/example/gardener-local/kind/local2/values.yaml +++ b/example/gardener-local/kind/local2/values.yaml @@ -8,4 +8,3 @@ gardener: registry: deployed: false - hostname: gardener-local-control-plane diff --git a/example/operator/10-componentconfig.yaml b/example/operator/10-componentconfig.yaml index beed2e29118..7a22d0cece8 100644 --- a/example/operator/10-componentconfig.yaml +++ b/example/operator/10-componentconfig.yaml @@ -19,13 +19,10 @@ logLevel: info logFormat: text server: webhooks: - bindAddress: 0.0.0.0 port: 2750 healthProbes: - bindAddress: 0.0.0.0 port: 2751 metrics: - bindAddress: 0.0.0.0 port: 2752 debugging: enableProfiling: false diff --git a/example/provider-local/seed-kind/local-ipv6/kustomization.yaml b/example/provider-local/seed-kind/local-ipv6/kustomization.yaml new file mode 100644 index 00000000000..01f3fb2e855 --- /dev/null +++ b/example/provider-local/seed-kind/local-ipv6/kustomization.yaml @@ -0,0 +1,13 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: +- ../local + +patchesJson6902: +- target: + group: core.gardener.cloud + version: v1beta1 + kind: Seed + name: local + path: patch-seed.yaml 
diff --git a/example/provider-local/seed-kind/local-ipv6/patch-seed.yaml b/example/provider-local/seed-kind/local-ipv6/patch-seed.yaml new file mode 100644 index 00000000000..b7b7a04d08f --- /dev/null +++ b/example/provider-local/seed-kind/local-ipv6/patch-seed.yaml @@ -0,0 +1,11 @@ +- op: replace + path: /spec/networks + value: + ipFamilies: + - IPv6 + nodes: fd00:10::/64 + pods: fd00:10:1::/56 + services: fd00:10:2::/112 + shootDefaults: + pods: fd00:10:3::/56 + services: fd00:10:4::/112 diff --git a/example/resource-manager/10-componentconfig.yaml b/example/resource-manager/10-componentconfig.yaml index 56d93b59055..6023845dad5 100644 --- a/example/resource-manager/10-componentconfig.yaml +++ b/example/resource-manager/10-componentconfig.yaml @@ -24,15 +24,12 @@ logLevel: info logFormat: text server: webhooks: - bindAddress: 0.0.0.0 port: 9449 tls: serverCertDir: example/resource-manager healthProbes: - bindAddress: 0.0.0.0 port: 8081 metrics: - bindAddress: 0.0.0.0 port: 8080 debugging: enableProfiling: false diff --git a/extensions/pkg/webhook/certificates/certificates.go b/extensions/pkg/webhook/certificates/certificates.go index c2bd8895798..560fd35d95e 100644 --- a/extensions/pkg/webhook/certificates/certificates.go +++ b/extensions/pkg/webhook/certificates/certificates.go @@ -19,7 +19,6 @@ import ( "net" "os" "path/filepath" - "strings" "time" "k8s.io/utils/pointer" @@ -67,12 +66,11 @@ func getWebhookServerCertConfig(name, namespace, componentName, mode, url string dnsNames []string ipAddresses []net.IP - serverName = url - serverNameData = strings.SplitN(url, ":", 3) + serverName = url ) - if len(serverNameData) == 2 { - serverName = serverNameData[0] + if host, _, err := net.SplitHostPort(url); err == nil { + serverName = host } switch mode { diff --git a/hack/ci-common.sh b/hack/ci-common.sh index 358e430bc05..779b53962bf 100644 --- a/hack/ci-common.sh +++ b/hack/ci-common.sh 
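Review bot: `net.SplitHostPort` returns an error for every input that is not `host:port` — a bare hostname, but also a bare IPv6 literal such as `fd00::1` ("too many colons") or an unbalanced `[fd00::1` — and the error is discarded, so all of those leave `serverName` equal to the full `url`; whether a bare IPv6 literal is then handled depends on the `switch mode` below, which lies outside this hunk. The fallback is intended, but as written it reads like a swallowed error; make it explicit with a comment on the `if`, e.g. `// url may be a bare host without a port; net.SplitHostPort then errors and url is kept as-is.`. The change also fixes `[fd00::1]:443`, which the previous `strings.SplitN(url, ":", 3)` could not split; a table test covering bare host, `host:port`, bare IPv6 and bracketed IPv6 would pin that.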
@@ -39,7 +39,7 @@ export_artifacts() { kubectl -n "$namespace" get pod "$node" --show-managed-fields -oyaml >"$node_dir/pod.yaml" || true # systemd units - for unit in cloud-config-downloader kubelet containerd; do + for unit in cloud-config-downloader kubelet containerd containerd-configuration-local-setup; do kubectl -n "$namespace" exec "$node" -- journalctl --no-pager -u $unit.service >"$node_dir/$unit.log" || true done kubectl -n "$namespace" exec "$node" -- journalctl --no-pager >"$node_dir/journal.log" || true diff --git a/hack/kind-up.sh b/hack/kind-up.sh index c74da585657..7dd89c2ef53 100755 --- a/hack/kind-up.sh +++ b/hack/kind-up.sh 
@@ -57,6 +57,37 @@ parse_flags() { done } +# setup_kind_network is similar to kind's network creation logic, ref https://github.com/kubernetes-sigs/kind/blob/23d2ac0e9c41028fa252dd1340411d70d46e2fd4/pkg/cluster/internal/providers/docker/network.go#L50 +# In addition to kind's logic, we ensure stable CIDRs that we can rely on in our local setup manifests and code. +setup_kind_network() { + # check if network already exists + local existing_network_id + existing_network_id="$(docker network list --filter=name=^kind$ --format='{{.ID}}')" + + if [ -n "$existing_network_id" ] ; then + # ensure the network is configured correctly + local network network_options network_ipam expected_network_ipam + network="$(docker network inspect $existing_network_id | yq '.[]')" + network_options="$(echo "$network" | yq '.EnableIPv6 + "," + .Options["com.docker.network.bridge.enable_ip_masquerade"]')" + network_ipam="$(echo "$network" | yq '.IPAM.Config' -o=json -I=0)" + expected_network_ipam='[{"Subnet":"172.18.0.0/16","Gateway":"172.18.0.1"},{"Subnet":"fd00:10::/64","Gateway":"fd00:10::1"}]' + + if [ "$network_options" = 'true,true' ] && [ "$network_ipam" = "$expected_network_ipam" ] ; then + # kind network is already configured correctly, nothing to do + return 0 + else + echo "kind network is not configured correctly for local gardener setup, recreating network with correct configuration..." + docker network rm $existing_network_id + fi + fi + + # (re-)create kind network with expected settings + docker network create kind --driver=bridge \ + --subnet 172.18.0.0/16 --gateway 172.18.0.1 \ + --ipv6 --subnet fd00:10::/64 --gateway fd00:10::1 \ + --opt com.docker.network.bridge.enable_ip_masquerade=true +} + setup_loopback_device() { if ! command -v ip &>/dev/null; then if [[ "$OSTYPE" == "darwin"* ]]; then 
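Review bot: `docker network rm $existing_network_id` in the mismatch branch removes the host-wide `kind` network that every kind cluster on the machine shares; if a container is still attached the removal fails (and, if the script runs under errexit, aborts) without saying why, and if none is attached, other clusters' networking is silently destroyed. Check for attached containers in the inspect output before removing, e.g. `if [ "$(echo "$network" | yq '.Containers | length')" != "0" ]; then echo "kind network is in use; stop other kind clusters or remove the network manually" >&2; return 1; fi` placed before the `docker network rm` line. The IPAM comparison is also order-sensitive, so a network created by kind itself with the same two subnets listed in the other order is recreated needlessly; presumably acceptable, but worth a one-line comment above `expected_network_ipam`.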
@@ -93,6 +124,8 @@ if [[ "$MULTI_ZONAL" == "true" ]]; then setup_loopback_device fi +setup_kind_network + if [[ "$IPFAMILY" == "ipv6" ]]; then ADDITIONAL_ARGS="$ADDITIONAL_ARGS --values $CHART/values-ipv6.yaml" fi 
@@ -115,6 +148,48 @@ if [[ "$KUBECONFIG" != "$PATH_KUBECONFIG" ]]; then cp "$KUBECONFIG" "$PATH_KUBECONFIG" fi +# Prepare garden.local.gardener.cloud hostname that can be used everywhere to talk to the garden cluster. +# Historically, we used the docker container name for this, but this differs between clusters with different names +# and doesn't work in IPv6 kind clusters: https://github.com/kubernetes-sigs/kind/issues/3114 +# Hence, we "manually" inject a host configuration into the cluster that always resolves to the kind container's IP, +# that serves our garden cluster API. +# This works in +# - the first and the second kind cluster +# - in IPv4 and IPv6 kind clusters +# - in ManagedSeeds + +garden_cluster="$CLUSTER_NAME" +if [[ "$CLUSTER_NAME" == "gardener-local2" ]] ; then + # garden-local2 is used as a second seed cluster, the first kind cluster runs the gardener control plane + garden_cluster="gardener-local" +fi + +ip_address_field="IPAddress" +if [[ "$IPFAMILY" == "ipv6" ]]; then + ip_address_field="GlobalIPv6Address" +fi + +garden_cluster_ip="$(docker inspect "$garden_cluster"-control-plane | yq ".[].NetworkSettings.Networks.kind.$ip_address_field")" + +# Inject garden.local.gardener.cloud into all nodes +kubectl get nodes -o name |\ + cut -d/ -f2 |\ + xargs -I {} docker exec {} sh -c "echo $garden_cluster_ip garden.local.gardener.cloud >> /etc/hosts" + +# Inject garden.local.gardener.cloud into coredns config (after ready plugin, before kubernetes plugin) +kubectl -n kube-system get configmap coredns -ojson | \ + yq '.data.Corefile' | \ + sed '0,/ready.*$/s//&'" \n\ + hosts { \n\ + $garden_cluster_ip garden.local.gardener.cloud \n\ + fallthrough \n\ + } \ +"'/' | \ + kubectl -n kube-system create configmap coredns --from-file Corefile=/dev/stdin --dry-run=client -oyaml | \ + kubectl -n kube-system patch configmap coredns --patch-file /dev/stdin + +kubectl -n kube-system rollout restart deployment coredns + if [[ "$DEPLOY_REGISTRY" == "true" ]]; then 
kubectl apply -k "$(dirname "$0")/../example/gardener-local/registry" --server-side kubectl wait --for=condition=available deployment -l app=registry -n registry --timeout 5m diff --git a/hack/local-development/common/helpers b/hack/local-development/common/helpers index c0671721e7a..d97bd74f59d 100755 --- a/hack/local-development/common/helpers +++ b/hack/local-development/common/helpers @@ -142,10 +142,19 @@ get_host_address () { local ip_route="" local ip_address="" - if ! ( [[ "$(uname -s)" == *"Darwin"* ]] || [[ "$(uname -s)" == "Linux" && "$(uname -r)" =~ "microsoft-standard" ]] ); then - ip_route=$(ip route get 1) + if ! [[ "$(uname -s)" == *"Darwin"* ]] && ! [[ "$(uname -s)" == "Linux" && "$(uname -r)" =~ "microsoft-standard" ]]; then + if [[ "$IPFAMILY" == "ipv6" ]]; then + ip_route=$(ip route get 1::) + else + ip_route=$(ip route get 1) + fi + ip_address=$(echo ${ip_route#*src} | awk '{print $1}') - echo "$ip_address" + if [[ "$IPFAMILY" == "ipv6" ]]; then + echo "[$ip_address]" + else + echo "$ip_address" + fi else echo "host.docker.internal" fi diff --git a/hack/local-development/dev-setup b/hack/local-development/dev-setup index 49befdd1ad0..76edf7eb5da 100755 --- a/hack/local-development/dev-setup +++ b/hack/local-development/dev-setup 
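Review bot: `garden_cluster_ip` is used unchecked: if `docker inspect` fails or the `kind` network has no address of the selected family, `yq` yields an empty string or `null`, and the loop then writes `null garden.local.gardener.cloud` into every node's /etc/hosts and into the CoreDNS `hosts` block without any error. Because the gardenlet bootstrap kubeconfigs point at `https://garden.local.gardener.cloud:6443` with `insecure-skip-tls-verify: true`, a node that cannot resolve the name locally would presumably fall through to upstream DNS for the real `gardener.cloud` zone, which is not where a bootstrap token should be sent. Guard the value right after it is computed: `if [[ -z "$garden_cluster_ip" || "$garden_cluster_ip" == "null" ]]; then echo "could not determine the IP of ${garden_cluster}-control-plane on the kind network" >&2; exit 1; fi`. Re-running this block against existing nodes also appends a duplicate /etc/hosts entry each time; a `grep -q garden.local.gardener.cloud /etc/hosts ||` in front of the `echo ... >> /etc/hosts` avoids that.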
@@ -57,6 +57,14 @@ cp ${EXAMPLE_DIR}/20-componentconfig-*.yaml ${DEV_DIR}/ kubectl apply -f ${EXAMPLE_DIR}/00-namespace-garden.yaml kubectl apply -f ${EXAMPLE_DIR}/00-namespace-garden-dev.yaml +LISTEN_CLIENT_URL="0.0.0.0" + +if [[ "$IPFAMILY" == "ipv6" ]]; then + LOCAL_K8S_HOST_IP="[$LOCAL_K8S_HOST_IP]" + LISTEN_CLIENT_URL="[::]" +fi + + if [ "${kubernetes_env}" != $NODELESS ] && [ "${kubernetes_env}" != $REMOTE ] ; then cat < "${DEV_DIR}/tls/gardener-admission-controller/tls.crt" -----BEGIN CERTIFICATE----- -MIID6DCCAtCgAwIBAgIUJl4x4/SAELgFsXIGJcWlt9YF70kwDQYJKoZIhvcNAQEL -BQAwKzEpMCcGA1UEAxMgZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXItY2Ew -HhcNMjIwNTAzMDY0NDAwWhcNMzIwNDMwMDY0NDAwWjAoMSYwJAYDVQQDEx1nYXJk -ZW5lci1hZG1pc3Npb24tY29udHJvbGxlcjCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBAKupPy1XWFSZjbdihItv7RSP7baCAtrDNo0SRXjIk9+tE0rsa1lm -f8N5IYMl9uKIhHLUbLeoetryrDqm75rUw9DbwB0W0w0Jk16WBFH7E5bQ5nbhJDbs -s4PfRWpu03p0uEI8dY5XkW3F1hIGlt4kOBOngGLorLe6lF96bbc/wtZCDiEN9JbK -X1k45fDqIkoO3SbzIohKSe+JMmgD5ZxeqSvzcGKzLtfavShUcQBmGKsnTF1hiN0F -47+b7HqfAvWwNPiwXSstmlkYn47wHoSTElMHVq17OsCnPWl8ygYQxdsd4p0ETCij -ujwWemUeW1KMEjs2EM7Wj7NOjcdOQGNSQKkCAwEAAaOCAQUwggEBMA4GA1UdDwEB -/wQEAwIFIDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1Ud -DgQWBBTg6DoeCYVVNqetjpL57+7vjInTCTAfBgNVHSMEGDAWgBRFvkmymbW8VKYs -jqfdDPT5VydrtDCBiwYDVR0RBIGDMIGAgglsb2NhbGhvc3SCHWdhcmRlbmVyLWFk -bWlzc2lvbi1jb250cm9sbGVygiRnYXJkZW5lci1hZG1pc3Npb24tY29udHJvbGxl -ci5nYXJkZW6CKGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5z -dmOHBH8AAAEwDQYJKoZIhvcNAQELBQADggEBAFUkROHqmJmgas6Df3Bj9L0IiZsS -kZNqa+Qu0o0/5b7ePDAFHg9uiobwchGIfLUvUWovJTPa89jm1yBoVZ6aMIvqQqhg -jwmof/BtR/nh1MSQjSx+O0raJjVk7xj0Z8fhGs44OAbzsoMec/yldiMLiP0+ybVp -BGd+9Pcl5/pkngfcLtxPB0Vu/CWaLXCCOa/sOoWOz9kKGLuiizBKIK8ESL7Z0Jtm -rfqIQ9A0r/d+jjWe3l3+sl56lFQ7agri8O40rBMyDE66BQfvER4ndicjeX4SjaH8 -R/y7S53DvrJ3xsogoQ60ETmqez9OJF+dcdECxqw8J1lebkbD8yz9b03cK3o= +MIIEeTCCA2GgAwIBAgIUCX6GUtDIFah9BiYrQxj3oiRKGcYwDQYJKoZIhvcNAQEL 
+BQAwKDEmMCQGA1UEAwwdZ2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXIwHhcN +MjMwMjEzMDk1NDIwWhcNNDcxMDA1MDk1NDIwWjAiMSAwHgYDVQQKDBdTZWxmLXNp +Z25lZCBjZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AK94aw0IEpQn9WGDmyvlYoZ0BoAmhegZQcHqKEeYW479m0w1LrtbTtSyhcw7+uz8 +GUyrgPLHygkDDE/w9gQk9YaR31r/EiQFYTGOVMg494Fx5KvAhoqyOFEFTtk6U1/H +1NSMIGoU0ru0LAFR2itM8q/9sKAHbpzztjbI8MHIaSsRl7c339ODxODG42WyhfiR +SZlf9PId3fUjCtWZ2K+1YcVgicihz/31Pu/35qKBwzSrDIGerDkvbx0dO358dwAs +MD2zVCcbuFtBvM2LgZDbUA6K5RHtH1WREsCat+ThqPybHF1pV759ebLBwbSlYoG1 +9qK4xZEPtwyovsruHOblThcCAwEAAaOCAZ8wggGbMGMGA1UdIwRcMFqAFLTw5n6N +EXcpiathNX5B9hG9WM3zoSykKjAoMSYwJAYDVQQDDB1nYXJkZW5lci1hZG1pc3Np +b24tY29udHJvbGxlcoIUA+ORkSwJPvTa6OsXD7nAOMW4+z4wCQYDVR0TBAIwADAL +BgNVHQ8EBAMCBDAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMIH8BgNV +HREEgfQwgfGHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAGCHWdhcmRlbmVyLWFkbWlz +c2lvbi1jb250cm9sbGVygiRnYXJkZW5lci1hZG1pc3Npb24tY29udHJvbGxlci5n +YXJkZW6CKGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5zdmOC +MGdhcmRlbmVyLWFkbWlzc2lvbi1jb250cm9sbGVyLmdhcmRlbi5zdmMuY2x1c3Rl +coI2Z2FyZGVuZXItYWRtaXNzaW9uLWNvbnRyb2xsZXIuZ2FyZGVuLnN2Yy5jbHVz +dGVyLmxvY2FsMA0GCSqGSIb3DQEBCwUAA4IBAQAgreIsj8va08G8sKWtCl4amzcL +Q9E4ITELb7LIXbLxACd95epyT/dZnPz7H1EpsYJLpFYWcMO955EN5inl7VLNK96m +YsFJaHSd2hT2Gn/NdwH4UkVjjlz9O9guH91NCJb2U36tzbryawxWnLpOQDIl4IP7 +AyBeC7TKzrotc6oKi5NenOzAkEGV+5FfHGqLfJsc998mBBRiVnqssrSiSm8LWSlP +l4tmEjC10MC31am45f6IJWUBXychYvspGCCA04pWNneRgU+91UvR3vrUXTW59OY8 +puUrA+9H1VHmOFgzwgvnmfhlGi6S23zA8BN82YujM9CtCXFJmb5I1s4Ha9jd -----END CERTIFICATE----- EOF cat < "${DEV_DIR}/tls/gardener-admission-controller/tls.key" -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAq6k/LVdYVJmNt2KEi2/tFI/ttoIC2sM2jRJFeMiT360TSuxr -WWZ/w3khgyX24oiEctRst6h62vKsOqbvmtTD0NvAHRbTDQmTXpYEUfsTltDmduEk -Nuyzg99Fam7TenS4Qjx1jleRbcXWEgaW3iQ4E6eAYuist7qUX3pttz/C1kIOIQ30 -lspfWTjl8OoiSg7dJvMiiEpJ74kyaAPlnF6pK/NwYrMu19q9KFRxAGYYqydMXWGI -3QXjv5vsep8C9bA0+LBdKy2aWRifjvAehJMSUwdWrXs6wKc9aXzKBhDF2x3inQRM 
-KKO6PBZ6ZR5bUowSOzYQztaPs06Nx05AY1JAqQIDAQABAoIBADsbbbuJBcsrjFaG -v6jbg0C/RlS/c4gsC46Lqgwq1HACQlBcE6KW3otKHDXyTo41/5Uie8TJaHQXdyJC -9OHVPQ+fewkJIOauU2YQNbCcyWP2zkRExZl761wO9vHs8ziJFCEKfFfk4xhvNITE -bBJVWlG6LUThZQdmYUx29WxRsh7f01rRwwG8Ce3y7yel49HU0DHlttP/MsNkzQxv -oLMjD5ETyxnYQghJL3IYdHIODKFrCPCuzpDM3dP8ICFTmiM8yzTb5wISLShaBNv9 -Nx9jXXPG7GBjXV+rrbksstei+IMpmwfJPVLN1OX0v3VCd1qRAUt2gz8kLBphEM+Z -xoQslWECgYEA2C4Le5M7IDhCQUN/h63HFaj4z0oWxgs9Vyw2TPgNyPWjFJx2Czel -2Y8BI94KWkzGPu+NBOgo8XM2I08ccJ9eT29O958I396dEIkT+Tx1XmjSUyoU9hwH -yDU2qUTzgPW782V+Mn7nvuzTSKdOZGySMQAwuau7KMVpPjOte54vAw0CgYEAy0fs -AzfkJxQcluYJS/8J1obfedFLMaMvDxv8Rv+HRqyThBL69Oz47NGeMQoZJMUqAT+M -JWSogUwr1jjsGrBFb3G/pfY5Sx1mJjMZ2Nu5on/cBpWH6ysoHtzk0IuAmZHivNqt -aF7kk1+rrw1/OuK0bitYTlZ1dpnjRyyXMUrJPQ0CgYAN4I7OJPpjrBjctaeHHymr -g0hNjjT+C5SpduYZdMb1wobweMa/G5hi6eIp2kQR3eHQAnKsAPc34Kx2AcsSk7hr -IvsPvD7GmDS+7f3BPxdNsy7lNctYrR32xSu4G/wBqESjcD10ol7gC7XYcR0AJ1QP -HzMBiDugd2O1IX4edF4SNQKBgHv4wNa1n0611Tmx0LmoMDfEyUVhfponCuwMBS7H -Z5iSZuSFLsdwPd8vd2ow3mSuWY+pUa78VEeGTLW4wUUFe1Mb6+Uq5IYKx+FECN9Y -IT4Y+/aH+vxQtYcc7+6/JQ6DCeRi+J5OQNgf4HRBpvYijCckCBa+Y6SQ9SrS5uII -2fGBAoGBAKPqoceWtJNPlT/2F8XWde3B9+Yu4v9deTL9hqMcmd3DSQRlstua6pXn -2gdfX1KfoWJn/MxI5UKf5RZ2ygmNCTqdLFK/5v7zr4aMw5fSxc9Hf0WuKA8EGzfw -8dNU6RXARJRSWWKk7wAxSoiNZT/L9VdB0DxZNgZiPBNzdSN6ovgG +MIIEpAIBAAKCAQEAr3hrDQgSlCf1YYObK+VihnQGgCaF6BlBweooR5hbjv2bTDUu +u1tO1LKFzDv67PwZTKuA8sfKCQMMT/D2BCT1hpHfWv8SJAVhMY5UyDj3gXHkq8CG +irI4UQVO2TpTX8fU1IwgahTSu7QsAVHaK0zyr/2woAdunPO2NsjwwchpKxGXtzff +04PE4MbjZbKF+JFJmV/08h3d9SMK1ZnYr7VhxWCJyKHP/fU+7/fmooHDNKsMgZ6s +OS9vHR07fnx3ACwwPbNUJxu4W0G8zYuBkNtQDorlEe0fVZESwJq35OGo/JscXWlX +vn15ssHBtKVigbX2orjFkQ+3DKi+yu4c5uVOFwIDAQABAoIBABuv74xV2sCf8Xsa +jhCGGF7IzgHIklaGLbcQYJyzcLcGU0vaFG6hwLWVGcGZMUXVnZRYd3dXiQyU+4td +pSQQROGgANNV7iHa63QrVjtlqcA2HXPwZApchsBaCxABwQga+v0ywyaZ9IqDqnHm +3Xr5oE2exRDrO0vutLC+UibxnY6a6/OS6v7927degm3R8Wa8cYSomMQ8LlrTL2SH +p9WNzlznRuKJQCY+Nbh38EN8nA0GKvcvn2F+3E4qFxvOYe5rGXElGLjF4fXegO1O 
+9wZ4nC4xe/RCIPlro7QnebM7OQpkTX1toDlMLt504uLllueN+2iDcNPptUnPWXxY +o9nZQUkCgYEA5SciL1VaJlDJ9rfHMNZCTJqH3PSkTsO7xErBWZjIUtIHNaza+til +eRsFKvHb4Etg/jSk4kOeVAnFcL45tZOxP0psEPkph1/4vnfNihH6E9sM7L6RYVvj +SE8NxnXrZxvbazawkwL5kVQeRcmE9XTd/bf5cSU7KRFd4A3n/zie9wUCgYEAxAc2 +hrtjKL5soLhoElnKSm3fA8slxWIiX+yUm2FZ1mpb7uL1bkw+Xs5YyIccYRN3wWAl +nhByF3XpLRvFWVrtdxJCY4nfzeo3hVucox3x7eDqOT3knH3ox+YYt9V6TFWc0GAA +/WaEuHOJ4MdxFdtJCHnjqbI/Uk6nf8H/J5iDA2sCgYBDoGnxSCIjvqHr4s6xNfo4 ++z3vUm+PIyqtwlYPaAxujLc9+vZhI0CqXfQHeXsnVXeZbdXfRI9cQ8n1/N2xHZYo +lIER/UZpQkR5iYeqIKYJ6BKHZ7Il5mVL+LCbCj/fnRQDLw+rQyx93DJW7CMGAWhm +MT43SwKLmyl2LwRxiLc5NQKBgQCO2Ka+RZz7mtAzyk1kWfQUir4B2K58iId+GTst +gyJhIf4+NTseFgc5NOrzralbgEE7NCIVbeyF9hFmIp+L/ruekjq4qEbjmbK9xkV9 +hBvA+a4U6mpGM2ZHDQCkLbdCGvz7x4nRHjzG4MLvfsaEY9hziccB6PdFtjVO3wJd +S0DlYwKBgQDYl/adJqYUJwSs4GL/gX/e1HAMVyrOrgvQsRuMLaAFSiUlD3BS7D4v +jIqVBfSaZOwHlGASrABFeL9HMP7R6WTJu/+FQqPALZP7zBmMoL1S7aq/ZXu3hxV9 +lWog4o4uxBXqPcv3j5Ujp6C/Vk3ki+U77D1s5GKZwwiiyu3qDQAX9Q== -----END RSA PRIVATE KEY----- EOF @@ -294,7 +305,7 @@ $(dirname "${0}")/dev-setup-register-gardener "$@" if [[ "$kubernetes_env" == "$KIND" ]]; then echo "# Configuring RBAC resources for Gardener components" seedauthorizer_enabled=false - if [[ "$(kubectl -n kube-system get pod -l component=kube-apiserver -o json | jq -r '.items[0].spec.containers[0].command | map(select(. == "--authorization-webhook-config-file=/etc/gardener/controlplane/auth-webhook-kubeconfig-local.yaml")) | length')" == "1" ]]; then + if [[ "$(kubectl -n kube-system get pod -l component=kube-apiserver -o json | jq -r '.items[0].spec.containers[0].command | map(select(. == "--authorization-webhook-config-file=/etc/gardener/controlplane/auth-webhook-kubeconfig-local-'${IPFAMILY}'.yaml")) | length')" == "1" ]]; then seedauthorizer_enabled=true fi $(dirname $0)/dev-setup-configure-rbac "" "$seedauthorizer_enabled" "serviceaccounts" 
diff --git a/hack/local-development/dev-setup-register-gardener b/hack/local-development/dev-setup-register-gardener
index f31ba8820d4..576b22c2114 100755
--- a/hack/local-development/dev-setup-register-gardener
+++ b/hack/local-development/dev-setup-register-gardener
@@ -19,6 +19,15 @@ set -e
 source $(dirname "${0}")/common/helpers
 IP_ROUTE=$(ip route get 1)
+LOCALHOST="127.0.0.1"
+ADMISSION_CONTROLLER_SERVICE_CLUSTERIP=""
+
+if [[ "$IPFAMILY" == "ipv6" ]]; then
+ IP_ROUTE=$(ip -6 route get 1::)
+ LOCALHOST="[::1]"
+ ADMISSION_CONTROLLER_SERVICE_CLUSTERIP="fd00:10:2::1000"
+fi
+
 IP_ADDRESS=$(echo ${IP_ROUTE#*src} | awk '{print $1}')
 APISERVER_SERVICE_NAME="gardener-apiserver"
@@ -129,6 +138,7 @@ metadata:
 name: $ADMISSION_CONTROLLER_SERVICE_NAME
 namespace: garden
 spec:
+ clusterIP: $ADMISSION_CONTROLLER_SERVICE_CLUSTERIP
 ports:
 - name: https
 protocol: TCP
@@ -142,7 +152,7 @@ metadata:
 namespace: garden
 subsets:
 - addresses:
- - ip: ${IP_ADDRESS}
+ - ip: "${IP_ADDRESS}"
 ports:
 - port: $API_SERVER_SECURE_PORT
 ---
@@ -153,7 +163,7 @@ metadata:
 namespace: garden
 subsets:
 - addresses:
- - ip: ${IP_ADDRESS}
+ - ip: "${IP_ADDRESS}"
 ports:
 - name: http
 port: 2718
@@ -268,7 +278,7 @@ webhooks:
 name: gardener-admission-controller
 path: /webhooks/validate-namespace-deletion
 $ADMISSION_CONTROLLER_PORT_STRING
- caBundle: 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
+ caBundle: 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
 sideEffects: None
 - name: validate-kubeconfig-secrets.gardener.cloud
 rules:
@@ -293,7 +303,7 @@ $ADMISSION_CONTROLLER_PORT_STRING
 name: gardener-admission-controller
 path: /webhooks/validate-kubeconfig-secrets
 $ADMISSION_CONTROLLER_PORT_STRING
- caBundle: 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
+ caBundle: 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
 sideEffects: None
 - name: validate-resource-size-kubernetes.gardener.cloud
 rules:
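Review bot: The IPv6 branch pins the admission-controller Service to the literal clusterIP `fd00:10:2::1000` while the IPv4 path leaves the field empty for the allocator, and nothing in the script says why; the value is only accepted if it lies inside the cluster's IPv6 service CIDR, otherwise the Service apply is rejected. A short comment on the assignment, e.g. `# fixed clusterIP for IPv6; must lie inside the cluster's service CIDR or the Service is rejected`, would document that coupling for whoever changes the kind network next. The quoting of `ip: "${IP_ADDRESS}"` in the later hunks is required for IPv6 literals in YAML and looks right.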
@@ -329,7 +339,7 @@ $ADMISSION_CONTROLLER_PORT_STRING name: gardener-admission-controller path: /webhooks/validate-resource-size $ADMISSION_CONTROLLER_PORT_STRING - caBundle: 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 + caBundle: 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 sideEffects: None - name: validate-resource-size-gardener.gardener.cloud rules: @@ -360,8 +370,8 @@ $ADMISSION_CONTROLLER_PORT_STRING admissionReviewVersions: ["v1", "v1beta1"] timeoutSeconds: 10 clientConfig: - url: https://127.0.0.1:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/validate-resource-size - caBundle: 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 + url: https://$LOCALHOST:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/validate-resource-size + caBundle: 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 sideEffects: None - name: seed-restriction-kubernetes.gardener.cloud rules: @@ -406,7 +416,7 @@ $ADMISSION_CONTROLLER_PORT_STRING name: gardener-admission-controller path: /webhooks/admission/seedrestriction $ADMISSION_CONTROLLER_PORT_STRING - caBundle: 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 + caBundle: 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 admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None - name: seed-restriction-gardener.gardener.cloud 
@@ -450,8 +460,8 @@ $ADMISSION_CONTROLLER_PORT_STRING failurePolicy: Fail matchPolicy: Equivalent clientConfig: - url: https://127.0.0.1:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/admission/seedrestriction - caBundle: 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 + url: https://$LOCALHOST:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/admission/seedrestriction + caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNVENDQWhtZ0F3SUJBZ0lVQStPUmtTd0pQdlRhNk9zWEQ3bkFPTVc0K3o0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0tERW1NQ1FHQTFVRUF3d2RaMkZ5WkdWdVpYSXRZV1J0YVhOemFXOXVMV052Ym5SeWIyeHNaWEl3SGhjTgpNak13TWpFek1EazFOREl3V2hjTk5EY3hNREExTURrMU5ESXdXakFvTVNZd0pBWURWUVFEREIxbllYSmtaVzVsCmNpMWhaRzFwYzNOcGIyNHRZMjl1ZEhKdmJHeGxjakNDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dFUEFEQ0MKQVFvQ2dnRUJBTm1DZHppU29vNzJISjJXWm5EeEw3OTA5UThGTVhNbHF5ejRzZWR5WXBkdTV3Y0hOUHJHaFBzMgpzNXc3NXlDeGtPb2dVaDlpeWoyck5Zc3hVVzQzM2FlOWFWSVRId1JGZ2Q2RVBPUWZVY0NqclZYRHVBS3FMc1RnCmpqWWM4STBJV1R4cXlLOHFZOCtOc0pWQlg1aTUxQnh4aWdaZGhiWTIwY3Azb2tqbmYvZElxNytzdVdnK1p0czQKeDd1Q3hHNGhDbmlTSC9IaTZpMWh2SmtqalJJckZrUldaakdOY3RhWjNPdGFoaDdxaUk4bEN6L1VSREkvU2dtVApLLzRMNkIwUFBvcUIrR2YxOWlSc3hqWlVxbTZmelNRaDM5NllCT1d0enFTc3BCRnovVE96ODg2NkZ1MXB6WHJZClc3YkdwVG5NbE1RRDR2SnRRODQ1L080U013S1VRWGNDQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRkxUdzVuNk4KRVhjcGlhdGhOWDVCOWhHOVdNM3pNQjhHQTFVZEl3UVlNQmFBRkxUdzVuNk5FWGNwaWF0aE5YNUI5aEc5V00zegpNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSmlBQmZuYm83VnZlclFKCmtWM1B0MG82WDgrMkg0RGNzQk1veWh1ZjZpYjBaeUxGbkc2SmJkQ2pGTXZneW9EZ1QxZHJXa1dYdmR2d2sxbE0Ka09rc3VaNG4vazZuSk5BcW5jdXFmenhKSStzRDFjRElpcnp3SHpucmd3cEVHdzRRWWNPWXZkcHJxMWZEalYyeQozSWxGUkg2ZHBiaFV5azh6TVhRd3ZpbmZLS09CRkpHNGVhUUprUnZUZVJoSkRrdXVKL2c1U3duUllsUVFGbHRHCnJiSTNOODFDdHVGcFJVSkxHeXVoaVlHNUpYWGgwbUZ3T0VHQXdmV0J5bmhkcjVhdHN6TE9WRENidzJjdW5QZEQKeVhENTFWZlFiMWpZS3hUOUl6ZFBSbHMwM0tZd2duRy9ZaFdiWmUyTUgxVnZzTTZ2blRvdXRHZzdPcFMvUWJrNwo5UEV1bWVZPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== admissionReviewVersions: ["v1", "v1beta1"] sideEffects: 
None - name: internal-domain-secret.gardener.cloud @@ -476,7 +486,7 @@ $ADMISSION_CONTROLLER_PORT_STRING name: gardener-admission-controller path: /webhooks/admission/validate-internal-domain $ADMISSION_CONTROLLER_PORT_STRING - caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURKakNDQWc2Z0F3SUJBZ0lVVWFTcEVhSmZ5NmxYaXdhZ3RCdUdzUnIwSHRFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0t6RXBNQ2NHQTFVRUF4TWdaMkZ5WkdWdVpYSXRZV1J0YVhOemFXOXVMV052Ym5SeWIyeHNaWEl0WTJFdwpIaGNOTWpJd05UQXpNRFkwTWpBd1doY05NamN3TlRBeU1EWTBNakF3V2pBck1Ta3dKd1lEVlFRREV5Qm5ZWEprClpXNWxjaTFoWkcxcGMzTnBiMjR0WTI5dWRISnZiR3hsY2kxallUQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQUQKZ2dFUEFEQ0NBUW9DZ2dFQkFLL2FLaFZ6REdEdDVqbklEaEhJcWdkSnBpZ29CSVIwcWhSRFcwQjJHS0FVUml6TwpwL25KekRBOThQam42WEVzNkg5M3U3cEdDU2kvVEUwaHlER3dhakRLbTU1eFBFNC9LU3JuYjF4dWJaOUZTQndQClNZTDgwMXlXaHJCbENWQlVBeERzUTNyYkpCSDE3QjZ6c1o5VVl6QUV6K2duY200WFlDdjAyVjZadDZOOEhqdEsKVDBuMHBSaUJKQndqUVZQWE5IVXl6Wmh2bHpDRGEvZ0N1NUd2TFExa09SY2dqaTluRTZLVWJBUnlTQ200Y2xGRApsNHI1WWlqOFpwOEQ4Zm8wV2htQTUrWkVtdWJKRzhTbkd4eEdwQXR3T2RkalJIWnMyWU1DSnJLOElJYXNnNUFICnVLL09SMm8xdVZicFhaTElhQzFZeU5QZ0dxajdhcjdwVVJlREJRMENBd0VBQWFOQ01FQXdEZ1lEVlIwUEFRSC8KQkFRREFnRUdNQThHQTFVZEV3RUIvd1FGTUFNQkFmOHdIUVlEVlIwT0JCWUVGRVcrU2JLWnRieFVwaXlPcDkwTQo5UGxYSjJ1ME1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQThWbGRFa1ljZGt2YWtlOVNzYVNoNERWMlYwdUovCmF0RWxMZUd2YTFZTlZvRzk5WXNLR2pKYkp3K0xySWRzZ3VLaEtiaXI3ZlMvclJBWHhLWTZjTXljK0YwdXdiR1oKUnRwYXFYT0VoL3I3ZkNidXl0Mkt4QW5DdklJYm54MEwrVEVUUG9hZ1dzYjU2VEdUN3VzMG1qajlDSDh6WWxBdgplWUszbTVRRFpXUVREelNDdW5Xd1FUb1FQSVVpYnlGa1IrQm5JRjhIME5KNjFvRHNaUDRWSCtyT2lVYWowdjNICktLV09YekF1c243UkN6WEFlbVhWRDAyRHgwdXJwdDd6L08wMDQxNWx2ajdNVVBmUlFKc2N5eVNwbks5aGtkT3MKMWFUQzZpd1Vqb3pqRjFGZTJtQU5iS1dFUk5hWklvVmFUQVZodGdNWUwwamYyWnI2b1prWDIyZFQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== + caBundle: 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 admissionReviewVersions: ["v1", "v1beta1"] sideEffects: None - name: audit-policies-cm.gardener.cloud 
@@ -501,7 +511,7 @@ $ADMISSION_CONTROLLER_PORT_STRING name: gardener-admission-controller path: /webhooks/audit-policies $ADMISSION_CONTROLLER_PORT_STRING - caBundle: 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 + caBundle: 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 sideEffects: None - name: audit-policies-shoot.gardener.cloud rules: 
@@ -521,8 +531,8 @@ $ADMISSION_CONTROLLER_PORT_STRING admissionReviewVersions: ["v1", "v1beta1"] timeoutSeconds: 10 clientConfig: - url: https://127.0.0.1:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/audit-policies - caBundle: 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 + url: https://$LOCALHOST:$ADMISSION_CONTROLLER_SECURE_PORT/webhooks/audit-policies + caBundle: 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 sideEffects: None EOF cat <> "$tmpdir/csr.conf" +[req] +default_bits = 2048 +prompt = no +default_md = sha256 +req_extensions = req_ext +distinguished_name = req_distinguished_name + +[req_distinguished_name] +organizationName = Self-signed certificate + +[v3_ext] +authorityKeyIdentifier = keyid,issuer:always +basicConstraints = CA:FALSE +keyUsage = keyEncipherment,dataEncipherment +extendedKeyUsage = serverAuth,clientAuth +subjectAltName = @alt_names + +[req_ext] +subjectAltName = @alt_names + +[alt_names] +IP.1 = 127.0.0.1 +IP.2 = ::1 +DNS.1 = ${service} +DNS.2 = ${service}.${namespace} +DNS.3 = ${service}.${namespace}.svc +DNS.4 = ${service}.${namespace}.svc.cluster +DNS.5 = ${service}.${namespace}.svc.cluster.local +EOF + + +openssl genrsa -out "$tmpdir/ca.key" 2048 + +# CA +openssl req -x509 -new -nodes -key "$tmpdir/ca.key" -out "$tmpdir/ca.crt" -days 9000 -subj "/CN=gardener-admission-controller" +openssl genrsa -out "$tmpdir/server.key" 2048 + +# CSR +openssl req -new -key "$tmpdir/server.key" -out "$tmpdir/server.csr" -config "$tmpdir/csr.conf" + +# Signing +openssl x509 -req -in "$tmpdir/server.csr" -CA "$tmpdir/ca.crt" -CAkey "$tmpdir/ca.key" -CAcreateserial -out "$tmpdir/server.crt" -extfile "$tmpdir/csr.conf" \ + -days 9000 -sha256 -extensions v3_ext + +caBundle=$(openssl enc -a -A < "$tmpdir/ca.crt") +echo "$caBundle" > ../../dev/gardener-admission-controller-caBundle +cat "$tmpdir/server.key" > ../../dev/gardener-admission-controller-server.key +cat "$tmpdir/server.crt" > ../../dev/gardener-admission-controller-server.crt 
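Review bot: The generated server certificate's `keyUsage = keyEncipherment,dataEncipherment` omits `digitalSignature`, which is the usage an RSA server key actually exercises in TLS 1.3 and ECDHE handshakes; Go's crypto/x509 does not check KeyUsage bits during verification so it works in practice, but `keyUsage = digitalSignature,keyEncipherment` is the correct declaration. Both the CA and the leaf are issued with `-days 9000` (roughly 24 years) and the CA key remains in `$tmpdir` with no cleanup visible here, which is acceptable for a self-signed development CA but deserves a comment saying this material is development-only. The hunk header and file name of this generator script are not visible in this chunk, so the `tmpdir` setup could not be checked.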
diff --git a/hack/local-development/start-extension-provider-local b/hack/local-development/start-extension-provider-local
index 54bd4e33c2b..ee70535861d 100755
--- a/hack/local-development/start-extension-provider-local
+++ b/hack/local-development/start-extension-provider-local
@@ -23,10 +23,16 @@ CONTAINER_PATH=/etc/gardener/local-backupbuckets
 WEBHOOK_SERVER_PORT=${WEBHOOK_SERVER_PORT:-8444}
 WEBHOOK_CERT_DIR=${WEBHOOK_CERT_DIR:-/tmp/gardener-extensions-cert}
-SERVICE_HOST_IP=${SERVICE_HOST_IP:-127.0.0.1}
-SERVICE_ZONE_0_IP=${SERVICE_ZONE_0_IP:-127.0.0.10}
-SERVICE_ZONE_1_IP=${SERVICE_ZONE_1_IP:-127.0.0.11}
-SERVICE_ZONE_2_IP=${SERVICE_ZONE_2_IP:-127.0.0.12}
+service_host_ip=${SERVICE_HOST_IP:-127.0.0.1}
+service_zone_0_ip=${SERVICE_ZONE_0_IP:-127.0.0.10}
+service_zone_1_ip=${SERVICE_ZONE_1_IP:-127.0.0.11}
+service_zone_2_ip=${SERVICE_ZONE_2_IP:-127.0.0.12}
+if [[ "$IPFAMILY" == "ipv6" ]]; then
+ service_host_ip=${SERVICE_HOST_IP:-::1}
+ service_zone_0_ip=${SERVICE_ZONE_0_IP:-::10}
+ service_zone_1_ip=${SERVICE_ZONE_1_IP:-::11}
+ service_zone_2_ip=${SERVICE_ZONE_2_IP:-::12}
+fi
 METRICS_BIND_ADDRESS=${METRICS_BIND_ADDRESS:-:8080}
 HEALTH_BIND_ADDRESS=${HEALTH_BIND_ADDRESS:-:8081}
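Review bot: The IPv6 defaults `::10`, `::11` and `::12` for the zone IPs are not loopback addresses: unlike the whole `127.0.0.0/8` range, only `::1` is routed to `lo` on Linux, so a process binding or dialing `::10` fails unless that address was added to an interface beforehand (the commit mentions a fix in the provider-local setup, but that part is not in this chunk). A comment on the `if [[ "$IPFAMILY" == "ipv6" ]]` block, e.g. `# ::10-::12 are not loopback like 127.0.0.x; the local setup must assign them to an interface first`, would stop the next reader from assuming parity with the IPv4 defaults.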
@@ -59,15 +65,14 @@ $SUDO go run \
 --kubeconfig="${KUBECONFIG:-$kubeconfig}" \
 --leader-election=false \
 --webhook-config-mode=url \
- --webhook-config-server-host=0.0.0.0 \
 --webhook-config-server-port="${WEBHOOK_SERVER_PORT}" \
- --webhook-config-url=$(get_host_address):${WEBHOOK_SERVER_PORT} \
+ --webhook-config-url="$(get_host_address)":${WEBHOOK_SERVER_PORT} \
 --webhook-config-cert-dir="${WEBHOOK_CERT_DIR}" \
 --webhook-config-namespace="${EXTENSION_NAMESPACE}" \
- --service-host-ip="${SERVICE_HOST_IP}" \
- --service-zone-0-ip="${SERVICE_ZONE_0_IP}" \
- --service-zone-1-ip="${SERVICE_ZONE_1_IP}" \
- --service-zone-2-ip="${SERVICE_ZONE_2_IP}" \
+ --service-host-ip="${service_host_ip}" \
+ --service-zone-0-ip="${service_zone_0_ip}" \
+ --service-zone-1-ip="${service_zone_1_ip}" \
+ --service-zone-2-ip="${service_zone_2_ip}" \
 --metrics-bind-address="${METRICS_BIND_ADDRESS}" \
 --health-bind-address="${HEALTH_BIND_ADDRESS}" \
 --heartbeat-namespace="${EXTENSION_NAMESPACE}" \
diff --git a/pkg/admissioncontroller/apis/config/v1alpha1/defaults.go b/pkg/admissioncontroller/apis/config/v1alpha1/defaults.go
index ebbe56dde84..726524a4f5a 100644
--- a/pkg/admissioncontroller/apis/config/v1alpha1/defaults.go
+++ b/pkg/admissioncontroller/apis/config/v1alpha1/defaults.go
@@ -32,9 +32,6 @@ func SetDefaults_AdmissionControllerConfiguration(obj *AdmissionControllerConfig
 if len(obj.LogFormat) == 0 {
 obj.LogFormat = "json"
 }
- if len(obj.Server.Webhooks.BindAddress) == 0 {
- obj.Server.Webhooks.BindAddress = "0.0.0.0"
- }
 if obj.Server.Webhooks.Port == 0 {
 obj.Server.Webhooks.Port = 2721
 }
diff --git a/pkg/admissioncontroller/apis/config/v1alpha1/defaults_test.go b/pkg/admissioncontroller/apis/config/v1alpha1/defaults_test.go
index 293bd862268..8183c64c67d 100644
--- a/pkg/admissioncontroller/apis/config/v1alpha1/defaults_test.go
+++ b/pkg/admissioncontroller/apis/config/v1alpha1/defaults_test.go
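Review bot: `--webhook-config-url="$(get_host_address)":${WEBHOOK_SERVER_PORT}` joins host and port with a bare colon, so if `get_host_address` ever returns an unbracketed IPv6 literal the resulting URL is ambiguous, while the Go side of this commit moved to `net.JoinHostPort` for exactly that reason. If the helper returns a hostname (the commit introduces `garden.local.gardener.cloud`) this is fine, but that is not visible here; a comment such as `# get_host_address must return a hostname or a bracketed IPv6 literal` makes the assumption explicit. The `$SUDO go run` invocation starts before the hunk.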
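Review bot: Dropping the `0.0.0.0` default means an empty `Server.Webhooks.BindAddress` now makes the webhook server listen on every address of both IP families, a wider exposure than the old IPv4-only wildcard; that is the intent of the commit, but the meaning of the empty value is now only implied. The `BindAddress` field's doc comment on the configuration type (not in this hunk) should state it, e.g. `// BindAddress is the address the server listens on; empty means all interfaces of all IP families.`, and the same wording belongs on the other components whose default was removed. `SetDefaults_AdmissionControllerConfiguration` continues outside the hunk.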
@@ -37,7 +37,7 @@ var _ = Describe("Defaults", func() {
 Expect(obj.LogLevel).To(Equal("info"))
 Expect(obj.LogFormat).To(Equal("json"))
- Expect(obj.Server.Webhooks.BindAddress).To(Equal("0.0.0.0"))
+ Expect(obj.Server.Webhooks.BindAddress).To(BeEmpty())
 Expect(obj.Server.Webhooks.Port).To(Equal(2721))
 Expect(obj.Server.ResourceAdmissionConfiguration).To(Equal(&ResourceAdmissionConfiguration{}))
 Expect(obj.Server.HealthProbes.BindAddress).To(BeEmpty())
diff --git a/pkg/apis/core/validation/seed_test.go b/pkg/apis/core/validation/seed_test.go
index 8fb05ab2bfb..1a3357264b3 100644
--- a/pkg/apis/core/validation/seed_test.go
+++ b/pkg/apis/core/validation/seed_test.go
@@ -26,7 +26,6 @@ import (
 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/utils/pointer"
 "github.com/gardener/gardener/pkg/apis/core"
@@ -495,7 +494,7 @@ var _ = Describe("Seed Validation Tests", func() {
 Context("IPv6", func() {
 BeforeEach(func() {
- DeferCleanup(test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.IPv6SingleStack, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.IPv6SingleStack, true))
 seed.Spec.Networks.IPFamilies = []core.IPFamily{core.IPFamilyIPv6}
 })
@@ -584,7 +583,7 @@ var _ = Describe("Seed Validation Tests", func() {
 })
 It("should fail updating immutable fields with featureGate IPv6SingleStack enabled", func() {
- defer test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.IPv6SingleStack, true)()
+ defer test.WithFeatureGate(features.DefaultFeatureGate, features.IPv6SingleStack, true)()
 oldSeed.Spec.Networks.IPFamilies = []core.IPFamily{core.IPFamilyIPv4}
diff --git a/pkg/apis/core/validation/shoot.go b/pkg/apis/core/validation/shoot.go
index f1ed6e7a4f7..e8a34e18d2d 100644
--- a/pkg/apis/core/validation/shoot.go
+++ b/pkg/apis/core/validation/shoot.go
@@ -37,7 +37,6 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation"
 "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/utils/pointer"
 "k8s.io/utils/strings/slices"
@@ -602,7 +601,7 @@ func validateNetworkingUpdate(newNetworking, oldNetworking core.Networking, fldP
 if oldNetworking.Services != nil {
 allErrs = append(allErrs, apivalidation.ValidateImmutableField(newNetworking.Services, oldNetworking.Services, fldPath.Child("services"))...)
 }
- if !utilfeature.DefaultFeatureGate.Enabled(features.MutableShootSpecNetworkingNodes) && oldNetworking.Nodes != nil {
+ if !features.DefaultFeatureGate.Enabled(features.MutableShootSpecNetworkingNodes) && oldNetworking.Nodes != nil {
 allErrs = append(allErrs, apivalidation.ValidateImmutableField(newNetworking.Nodes, oldNetworking.Nodes, fldPath.Child("nodes"))...)
 }
diff --git a/pkg/apis/core/validation/shoot_test.go b/pkg/apis/core/validation/shoot_test.go
index 304424c8dbc..129625359f7 100644
--- a/pkg/apis/core/validation/shoot_test.go
+++ b/pkg/apis/core/validation/shoot_test.go
@@ -34,7 +34,6 @@ import (
 "k8s.io/apimachinery/pkg/util/intstr"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/utils/pointer"
 "github.com/gardener/gardener/pkg/apis/core"
@@ -1957,7 +1956,7 @@ var _ = Describe("Shoot Validation Tests", func() {
 Context("IPv6", func() {
 BeforeEach(func() {
- DeferCleanup(test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.IPv6SingleStack, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.IPv6SingleStack, true))
 shoot.Spec.Networking.IPFamilies = []core.IPFamily{core.IPFamilyIPv6}
 // /64 CIDR can host a lot of pod IPs (prefix is small enough for the largest maxPods setting)
@@ -2678,7 +2677,7 @@ var _ = Describe("Shoot Validation Tests", func() {
 })
 It("should allow increasing the networking nodes range if feature gate is enabled", func() {
- DeferCleanup(test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.MutableShootSpecNetworkingNodes, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.MutableShootSpecNetworkingNodes, true))
 shoot.Spec.Networking.Nodes = pointer.String("10.181.0.0/18")
 newShoot := prepareShootForUpdate(shoot)
 newShoot.Spec.Networking.Nodes = pointer.String("10.181.0.0/16")
@@ -2777,7 +2776,7 @@ var _ = Describe("Shoot Validation Tests", func() {
 Context("IPv6", func() {
 BeforeEach(func() {
- DeferCleanup(test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.IPv6SingleStack, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.IPv6SingleStack, true))
 shoot.Spec.Networking.IPFamilies = []core.IPFamily{core.IPFamilyIPv6}
 })
diff --git a/pkg/apis/core/validation/utils.go b/pkg/apis/core/validation/utils.go
index 6f8db424c69..df3ada342bc 100644
--- a/pkg/apis/core/validation/utils.go
+++ b/pkg/apis/core/validation/utils.go
@@ -26,7 +26,6 @@ import (
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation"
 "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "github.com/gardener/gardener/pkg/apis/core"
 "github.com/gardener/gardener/pkg/features"
@@ -189,7 +188,7 @@ func ValidateIPFamilies(ipFamilies []core.IPFamily, fldPath *field.Path) field.E
 if len(ipFamilies) > 1 {
 allErrs = append(allErrs, field.Invalid(fldPath, ipFamilies, "dual-stack networking is not supported"))
 }
- if len(ipFamilies) > 0 && ipFamilies[0] == core.IPFamilyIPv6 && !utilfeature.DefaultFeatureGate.Enabled(features.IPv6SingleStack) {
+ if len(ipFamilies) > 0 && ipFamilies[0] == core.IPFamilyIPv6 && !features.DefaultFeatureGate.Enabled(features.IPv6SingleStack) {
 allErrs = append(allErrs, field.Invalid(fldPath, ipFamilies, "IPv6 single-stack networking is not supported"))
 }
diff --git a/pkg/apis/core/validation/utils_test.go b/pkg/apis/core/validation/utils_test.go
index 78ed7590eb1..582a91a12ec 100644
--- a/pkg/apis/core/validation/utils_test.go
+++ b/pkg/apis/core/validation/utils_test.go
@@ -22,7 +22,6 @@ import (
 . "github.com/onsi/gomega/gstruct"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/validation/field"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "github.com/gardener/gardener/pkg/apis/core"
 . "github.com/gardener/gardener/pkg/apis/core/validation"
@@ -133,7 +132,7 @@ var _ = Describe("Utils tests", func() {
 })
 It("should allow IPv6 single-stack if feature gate is enabled", func() {
- defer test.WithFeatureGate(utilfeature.DefaultMutableFeatureGate, features.IPv6SingleStack, true)()
+ defer test.WithFeatureGate(features.DefaultFeatureGate, features.IPv6SingleStack, true)()
 errorList := ValidateIPFamilies([]core.IPFamily{core.IPFamilyIPv6}, fldPath)
 Expect(errorList).To(BeEmpty())
diff --git a/pkg/apiserver/features/features.go b/pkg/apiserver/features/features.go
index 0324dd20332..a25997f2d61 100644
--- a/pkg/apiserver/features/features.go
+++ b/pkg/apiserver/features/features.go
@@ -16,14 +16,13 @@ package features
 import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
 "github.com/gardener/gardener/pkg/features"
 )
-// RegisterFeatureGates registers the feature gates of the gardener-apiserver.
+// RegisterFeatureGates registers the feature gates of gardener-apiserver.
 func RegisterFeatureGates() {
- utilruntime.Must(utilfeature.DefaultMutableFeatureGate.Add(features.GetFeatures(
+ utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures(
 features.HAControlPlanes,
 features.SeedChange,
 features.IPv6SingleStack,
diff --git a/pkg/controllermanager/features/features.go b/pkg/controllermanager/features/features.go
index 977b90f9f82..2cf9cbd0b94 100644
--- a/pkg/controllermanager/features/features.go
+++ b/pkg/controllermanager/features/features.go
@@ -16,15 +16,11 @@ package features
 import (
 utilruntime "k8s.io/apimachinery/pkg/util/runtime"
- "k8s.io/component-base/featuregate"
 "github.com/gardener/gardener/pkg/features"
 )
-// FeatureGate is a shared global FeatureGate for Gardener Controller Manager flags.
-var FeatureGate = featuregate.NewFeatureGate()
-
-// RegisterFeatureGates registers the feature gates of the Gardener Controller Manager.
+// RegisterFeatureGates registers the feature gates of gardener-controller-manager.
 func RegisterFeatureGates() {
- utilruntime.Must(FeatureGate.Add(features.GetFeatures()))
+ utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures()))
 }
diff --git a/pkg/features/features.go b/pkg/features/features.go
index e37a2094f14..4968e8e321c 100644
--- a/pkg/features/features.go
+++ b/pkg/features/features.go
@@ -15,6 +15,7 @@ package features
 import (
+ utilfeature "k8s.io/apiserver/pkg/util/feature"
 "k8s.io/component-base/featuregate"
 )
@@ -112,6 +113,29 @@ const (
 FullNetworkPoliciesInRuntimeCluster featuregate.Feature = "FullNetworkPoliciesInRuntimeCluster"
 )
+// DefaultFeatureGate is the central feature gate map used by all gardener components.
+// On startup, the component needs to register all feature gates that are available for this component via `Add`, e.g.:
+//
+// utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures(
+// features.HAControlPlanes,
+// )))
+//
+// With this, every component has its individual set of available feature gates (different to Kubernetes, where all
+// components have all feature gates even if irrelevant).
+// Additionally, the component needs to set the feature gates' states based on the operator's configuration, e.g.:
+//
+// features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates)
+//
+// For checking whether a given feature gate is enabled (regardless of which component the code is executed in), use:
+//
+// features.DefaultFeatureGate.Enabled(features.IPv6SingleStack)
+//
+// With this, code that needs to check a given feature gate's state can be shared across components, e.g. in API
+// validation code for Seeds (executed in gardener-apiserver and gardenlet).
+// This variable is an alias to the feature gate map in the apiserver library. The library doesn't allow using a custom
+// feature gate map for gardener-apiserver. Hence, we reuse it for all our components.
+var DefaultFeatureGate = utilfeature.DefaultMutableFeatureGate
+
 var allFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 HVPA: {Default: false, PreRelease: featuregate.Alpha},
 HVPAForShootedSeed: {Default: false, PreRelease: featuregate.Alpha},
diff --git a/pkg/gardenlet/controller/controllerinstallation/controllerinstallation/reconciler.go b/pkg/gardenlet/controller/controllerinstallation/controllerinstallation/reconciler.go
index 404e4f778ab..e5d167a18bc 100644
--- a/pkg/gardenlet/controller/controllerinstallation/controllerinstallation/reconciler.go
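Review bot: The example `features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates)` in the new doc comment discards the error that `SetFromMap` returns, so a component copying it would silently ignore an unknown or malformed gate name at startup; since this comment is what component authors will paste, it should read `if err := features.DefaultFeatureGate.SetFromMap(o.config.FeatureGates); err != nil { return err }`. It would also help to state that the variable aliases a process-global, mutable gate, so `Add` and `SetFromMap` belong in component startup (or in test setup through the `WithFeatureGate` helper used elsewhere in this commit), never in request-path code.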
+++ b/pkg/gardenlet/controller/controllerinstallation/controllerinstallation/reconciler.go
@@ -42,7 +42,6 @@ import (
 "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/gardenlet/apis/config"
 ctrlinstutils "github.com/gardener/gardener/pkg/gardenlet/controller/controllerinstallation/utils"
- gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features"
 "github.com/gardener/gardener/pkg/utils"
 gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
 kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
@@ -354,6 +353,7 @@ func (r *Reconciler) reconcileNetworkPoliciesInSeed(ctx context.Context, namespa
 peers = []networkingv1.NetworkPolicyPeer{
 {PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}},
 {IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}},
+ {IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}},
 }
 allowAllTrafficNetworkPolicy = &networkingv1.NetworkPolicy{
@@ -369,7 +369,7 @@ func (r *Reconciler) reconcileNetworkPoliciesInSeed(ctx context.Context, namespa
 }
 )
- if !gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) {
+ if !features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) {
 return client.IgnoreAlreadyExists(r.SeedClientSet.Client().Create(ctx, allowAllTrafficNetworkPolicy))
 }
 return client.IgnoreNotFound(r.SeedClientSet.Client().Delete(ctx, allowAllTrafficNetworkPolicy))
diff --git a/pkg/gardenlet/controller/managedseed/charttest/charttest.go b/pkg/gardenlet/controller/managedseed/charttest/charttest.go
index ddb4f74839e..35b2946d850 100644
--- a/pkg/gardenlet/controller/managedseed/charttest/charttest.go
+++ b/pkg/gardenlet/controller/managedseed/charttest/charttest.go
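Review bot: The added `{IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}}` peer is appended unconditionally, so the fallback allow-all policy now lists an IPv6 wildcard on IPv4-only seeds as well; that is harmless, but the reason for carrying both CIDRs is not obvious and deserves a comment, e.g. `// an IPBlock matches a single IP family, so both wildcards are needed for the policy to allow all traffic regardless of the seed's IP family`. As the second hunk shows, this policy only exists while `FullNetworkPoliciesInRuntimeCluster` is disabled and is deleted otherwise, which is worth stating next to the peer list too. `reconcileNetworkPoliciesInSeed` starts outside the hunks.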
@@ -847,12 +847,10 @@ func ComputeExpectedGardenletConfiguration(
 },
 Server: gardenletv1alpha1.ServerConfiguration{
 HealthProbes: &gardenletv1alpha1.Server{
- BindAddress: "0.0.0.0",
- Port: 2728,
+ Port: 2728,
 },
 Metrics: &gardenletv1alpha1.Server{
- BindAddress: "0.0.0.0",
- Port: 2729,
+ Port: 2729,
 },
 },
 Debugging: &baseconfigv1alpha1.DebuggingConfiguration{
diff --git a/pkg/gardenlet/controller/managedseed/charttest/gardenlet_chart_test.go b/pkg/gardenlet/controller/managedseed/charttest/gardenlet_chart_test.go
index ab0129593f2..9b9f5857c90 100644
--- a/pkg/gardenlet/controller/managedseed/charttest/gardenlet_chart_test.go
+++ b/pkg/gardenlet/controller/managedseed/charttest/gardenlet_chart_test.go
@@ -350,13 +350,13 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 ValidateGardenletChartVPA(ctx, c)
 }
 },
- Entry("verify the default values for the Gardenlet chart & the Gardenlet component config", nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}),
+ Entry("verify the default values for the Gardenlet chart & the Gardenlet component config", nil, nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}),
 Entry("verify Gardenlet with component config having the Garden client connection kubeconfig set", pointer.String("dummy garden kubeconfig"), nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{
- "gardenlet-configmap": "gardenlet-configmap-8181475a",
+ "gardenlet-configmap": "gardenlet-configmap-7bc9435f",
 "gardenlet-kubeconfig-garden": "gardenlet-kubeconfig-garden-8c9ae097",
 }),
 Entry("verify Gardenlet with component config having the Seed client connection kubeconfig set", nil, pointer.String("dummy seed kubeconfig"), nil, nil, nil, nil, nil, nil, nil, nil, map[string]string{
- "gardenlet-configmap": "gardenlet-configmap-8ec89870",
+ "gardenlet-configmap": "gardenlet-configmap-22a1cd6d",
 "gardenlet-kubeconfig-seed": "gardenlet-kubeconfig-seed-662d92ae",
 }),
 Entry("verify Gardenlet with component config having a Bootstrap kubeconfig set", nil, nil, &corev1.SecretReference{
@@ -366,7 +366,7 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 Name: "gardenlet-kubeconfig",
 Namespace: v1beta1constants.GardenNamespace,
 }, pointer.String("dummy bootstrap kubeconfig"), nil, nil, nil, nil, nil, map[string]string{
- "gardenlet-configmap": "gardenlet-configmap-02b0072d",
+ "gardenlet-configmap": "gardenlet-configmap-29d65fea",
 }),
 Entry("verify that the SeedConfig is set in the component config Config Map", nil, nil, nil, nil, nil, &gardenletv1alpha1.SeedConfig{
@@ -378,7 +378,7 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 Provider: gardencorev1beta1.SeedProvider{},
 },
 },
- }, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-0b86ba50"}),
+ }, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-9295c8ef"}),
 Entry("verify deployment with two replica and three zones", nil, nil, nil, nil, nil, &gardenletv1alpha1.SeedConfig{
 SeedTemplate: gardencorev1beta1.SeedTemplate{
@@ -393,7 +393,7 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 },
 }, &seedmanagement.GardenletDeployment{
 ReplicaCount: pointer.Int32(2),
- }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-e4f5329f"}),
+ }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-1420c767"}),
 Entry("verify deployment with only one replica", nil, nil, nil, nil, nil, &gardenletv1alpha1.SeedConfig{
 SeedTemplate: gardencorev1beta1.SeedTemplate{
@@ -408,7 +408,7 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 },
 }, &seedmanagement.GardenletDeployment{
 ReplicaCount: pointer.Int32(1),
- }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-e4f5329f"}),
+ }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-1420c767"}),
 Entry("verify deployment with only one zone", nil, nil, nil, nil, nil, &gardenletv1alpha1.SeedConfig{
 SeedTemplate: gardencorev1beta1.SeedTemplate{
@@ -421,23 +421,23 @@ var _ = Describe("#Gardenlet Chart Test", func() {
 },
 },
 },
- }, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-2ae6f940"}),
+ }, nil, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-c4f591f5"}),
 Entry("verify deployment with image vector override", nil, nil, nil, nil, nil, nil, nil, pointer.String("dummy-override-content"), nil, nil, map[string]string{
- "gardenlet-configmap": "gardenlet-configmap-5cbb3efe",
+ "gardenlet-configmap": "gardenlet-configmap-ece40d96",
 "gardenlet-imagevector-overwrite": "gardenlet-imagevector-overwrite-32ecb769",
 }),
 Entry("verify deployment with component image vector override", nil, nil, nil, nil, nil, nil, nil, nil, pointer.String("dummy-override-content"), nil, map[string]string{
- "gardenlet-configmap": "gardenlet-configmap-5cbb3efe",
+ "gardenlet-configmap": "gardenlet-configmap-ece40d96",
 "gardenlet-imagevector-overwrite-components": "gardenlet-imagevector-overwrite-components-53f94952",
 }),
 Entry("verify deployment with custom replica count", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{
 ReplicaCount: pointer.Int32(3),
- }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}),
+ }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}),
 Entry("verify deployment with service account", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{
 ServiceAccountName: pointer.String("ax"),
- }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}),
+ }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}),
 Entry("verify deployment with resources", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{
 Resources: &corev1.ResourceRequirements{
@@ -449,19 +449,19 @@ var _ = Describe("#Gardenlet Chart Test", func() { corev1.ResourceMemory: resource.MustParse("25Mi"), }, }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with pod labels", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ PodLabels: map[string]string{ "x": "y", }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with pod annotations", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ PodAnnotations: map[string]string{ "x": "y", }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with additional volumes", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ AdditionalVolumes: []corev1.Volume{ @@ -470,7 +470,7 @@ var _ = Describe("#Gardenlet Chart Test", func() { VolumeSource: corev1.VolumeSource{}, }, }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with additional volume mounts", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ AdditionalVolumeMounts: []corev1.VolumeMount{ 
@@ -478,7 +478,7 @@ var _ = Describe("#Gardenlet Chart Test", func() { Name: "a", }, }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with env variables", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ Env: []corev1.EnvVar{ 
@@ -487,14 +487,14 @@ var _ = Describe("#Gardenlet Chart Test", func() { Value: "XY", }, }, - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), Entry("verify deployment with VPA enabled", nil, nil, nil, nil, nil, nil, &seedmanagement.GardenletDeployment{ VPA: pointer.Bool(true), - }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5cbb3efe"}), - Entry("verify Gardenlet RBACs when ManagedIstio is enabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.ManagedIstio): true}, map[string]string{"gardenlet-configmap": "gardenlet-configmap-e31125e2"}), - Entry("verify Gardenlet RBACs when APIServerSNI is enabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.APIServerSNI): true}, map[string]string{"gardenlet-configmap": "gardenlet-configmap-5f214020"}), - Entry("verify Gardenlet RBACs when APIServerSNI is disabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.APIServerSNI): false}, map[string]string{"gardenlet-configmap": "gardenlet-configmap-84af476b"}), + }, nil, nil, nil, map[string]string{"gardenlet-configmap": "gardenlet-configmap-ece40d96"}), + Entry("verify Gardenlet RBACs when ManagedIstio is enabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.ManagedIstio): true}, map[string]string{"gardenlet-configmap": "gardenlet-configmap-46206a6e"}), + Entry("verify Gardenlet RBACs when APIServerSNI is enabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.APIServerSNI): true}, map[string]string{"gardenlet-configmap": "gardenlet-configmap-d391dbc4"}), + Entry("verify Gardenlet RBACs when APIServerSNI is disabled", nil, nil, nil, nil, nil, nil, nil, nil, nil, map[string]bool{string(features.APIServerSNI): false}, map[string]string{"gardenlet-configmap": 
"gardenlet-configmap-2229d713"}), ) }) diff --git a/pkg/gardenlet/controller/managedseed/valueshelper_test.go b/pkg/gardenlet/controller/managedseed/valueshelper_test.go index f9c0749f31f..5cae524c64a 100644 --- a/pkg/gardenlet/controller/managedseed/valueshelper_test.go +++ b/pkg/gardenlet/controller/managedseed/valueshelper_test.go @@ -62,7 +62,7 @@ var _ = Describe("ValuesHelper", func() { gardenletfeatures.RegisterFeatureGates() cleanupFuncs = []func(){ - test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true), + test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true), test.WithTempFile("", "image-vector-overwrite", []byte("image vector overwrite"), &imageVectorOverwritePath), test.WithTempFile("", "component-image-vector-overwrites", []byte("component image vector overwrites"), &componentImageVectorOverwritesPath), test.WithTempFile("", "garden-kubeconfig", []byte("garden kubeconfig"), &gardenKubeconfigPath), diff --git a/pkg/gardenlet/controller/networkpolicy/add_test.go b/pkg/gardenlet/controller/networkpolicy/add_test.go index 5a1bf442045..1c228ba6ef6 100644 --- a/pkg/gardenlet/controller/networkpolicy/add_test.go +++ b/pkg/gardenlet/controller/networkpolicy/add_test.go @@ -34,7 +34,6 @@ import ( v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" "github.com/gardener/gardener/pkg/features" . "github.com/gardener/gardener/pkg/gardenlet/controller/networkpolicy" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/utils/test" ) 
@@ -97,7 +96,7 @@ var _ = Describe("Add", func() { ) BeforeEach(func() { - DeferCleanup(test.WithFeatureGate(gardenletfeatures.FeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true)) + DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true)) fakeClient = fakeclient.NewClientBuilder().WithScheme(scheme.Scheme).Build() reconciler.RuntimeClient = fakeClient diff --git a/pkg/gardenlet/controller/networkpolicy/reconciler.go b/pkg/gardenlet/controller/networkpolicy/reconciler.go index f9c10e90fb5..e8c56a9885f 100644 --- a/pkg/gardenlet/controller/networkpolicy/reconciler.go +++ b/pkg/gardenlet/controller/networkpolicy/reconciler.go @@ -42,7 +42,6 @@ import ( "github.com/gardener/gardener/pkg/gardenlet/apis/config" "github.com/gardener/gardener/pkg/gardenlet/controller/networkpolicy/helper" "github.com/gardener/gardener/pkg/gardenlet/controller/networkpolicy/hostnameresolver" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" corednsconstants "github.com/gardener/gardener/pkg/operation/botanist/component/coredns/constants" nodelocaldnsconstants "github.com/gardener/gardener/pkg/operation/botanist/component/nodelocaldns/constants" "github.com/gardener/gardener/pkg/operation/common" @@ -143,7 +142,7 @@ type networkPolicyConfig struct { func (r *Reconciler) networkPolicyConfigs() []networkPolicyConfig { extendLabelSelectorsIfFeatureGateEnabled := func(in []labels.Selector) []labels.Selector { - if !gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) { + if !features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) { return in } return append(in, labels.SelectorFromSet(labels.Set{v1beta1constants.GardenRole: v1beta1constants.GardenRoleExtension})) diff --git a/pkg/gardenlet/controller/seed/seed/components.go b/pkg/gardenlet/controller/seed/seed/components.go index de22b007273..b5986b09b13 100644 
--- a/pkg/gardenlet/controller/seed/seed/components.go +++ b/pkg/gardenlet/controller/seed/seed/components.go @@ -33,7 +33,6 @@ import ( "github.com/gardener/gardener/pkg/chartrenderer" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" "github.com/gardener/gardener/pkg/operation/botanist/component" "github.com/gardener/gardener/pkg/operation/botanist/component/dependencywatchdog" @@ -124,7 +123,7 @@ func defaultIstio( LoadBalancerIP: conf.SNI.Ingress.ServiceExternalIP, Labels: operation.GetIstioZoneLabels(conf.SNI.Ingress.Labels, nil), Namespace: *conf.SNI.Ingress.Namespace, - ProxyProtocolEnabled: gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI), + ProxyProtocolEnabled: features.DefaultFeatureGate.Enabled(features.APIServerSNI), VPNEnabled: true, } @@ -159,7 +158,7 @@ func defaultIstio( Labels: operation.GetIstioZoneLabels(defaultIngressGatewayConfig.Labels, &zone), Zones: []string{zone}, Namespace: namespace, - ProxyProtocolEnabled: gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI), + ProxyProtocolEnabled: features.DefaultFeatureGate.Enabled(features.APIServerSNI), VPNEnabled: true, }) } @@ -179,7 +178,7 @@ func defaultIstio( LoadBalancerIP: handler.SNI.Ingress.ServiceExternalIP, Labels: operation.GetIstioZoneLabels(gardenerutils.GetMandatoryExposureClassHandlerSNILabels(handler.SNI.Ingress.Labels, handler.Name), nil), Namespace: *handler.SNI.Ingress.Namespace, - ProxyProtocolEnabled: gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI), + ProxyProtocolEnabled: features.DefaultFeatureGate.Enabled(features.APIServerSNI), VPNEnabled: true, }) 
@@ -199,7 +198,7 @@ func defaultIstio( Labels: operation.GetIstioZoneLabels(gardenerutils.GetMandatoryExposureClassHandlerSNILabels(handler.SNI.Ingress.Labels, handler.Name), &zone), Zones: []string{zone}, Namespace: namespace, - ProxyProtocolEnabled: gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI), + ProxyProtocolEnabled: features.DefaultFeatureGate.Enabled(features.APIServerSNI), VPNEnabled: true, }) } @@ -336,7 +335,7 @@ func defaultVPNAuthzServer( seedVersion, ) - if gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio) { + if features.DefaultFeatureGate.Enabled(features.ManagedIstio) { return vpnAuthzServer, nil } diff --git a/pkg/gardenlet/controller/seed/seed/reconciler_delete.go b/pkg/gardenlet/controller/seed/seed/reconciler_delete.go index 395a7402cca..09956c2405f 100644 --- a/pkg/gardenlet/controller/seed/seed/reconciler_delete.go +++ b/pkg/gardenlet/controller/seed/seed/reconciler_delete.go @@ -37,7 +37,6 @@ import ( resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1" "github.com/gardener/gardener/pkg/controllerutils" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" "github.com/gardener/gardener/pkg/operation/botanist/component" "github.com/gardener/gardener/pkg/operation/botanist/component/clusterautoscaler" 
@@ -268,13 +267,13 @@ func (r *Reconciler) runDeleteSeedFlow( Name: "Destroy Istio", Fn: flow.TaskFn(func(ctx context.Context) error { return component.OpDestroyAndWait(istio).Destroy(ctx) - }).DoIf(gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio)), + }).DoIf(features.DefaultFeatureGate.Enabled(features.ManagedIstio)), }) destroyIstioCRDs = g.Add(flow.Task{ Name: "Destroy Istio CRDs", Fn: flow.TaskFn(func(ctx context.Context) error { return component.OpDestroyAndWait(istioCRDs).Destroy(ctx) - }).DoIf(gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio)), + }).DoIf(features.DefaultFeatureGate.Enabled(features.ManagedIstio)), Dependencies: flow.NewTaskIDs(destroyIstio), }) destroyFluentOperatorCRDs = g.Add(flow.Task{ diff --git a/pkg/gardenlet/controller/seed/seed/reconciler_reconcile.go b/pkg/gardenlet/controller/seed/seed/reconciler_reconcile.go index 9286225fe81..bedaa70c701 100644 --- a/pkg/gardenlet/controller/seed/seed/reconciler_reconcile.go +++ b/pkg/gardenlet/controller/seed/seed/reconciler_reconcile.go @@ -52,7 +52,6 @@ import ( "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" gardenlethelper "github.com/gardener/gardener/pkg/gardenlet/apis/config/helper" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" "github.com/gardener/gardener/pkg/operation/botanist/component" "github.com/gardener/gardener/pkg/operation/botanist/component/clusterautoscaler" 
@@ -276,7 +275,7 @@ func (r *Reconciler) runReconcileSeedFlow( vpaEnabled = seed.GetInfo().Spec.Settings == nil || seed.GetInfo().Spec.Settings.VerticalPodAutoscaler == nil || seed.GetInfo().Spec.Settings.VerticalPodAutoscaler.Enabled loggingEnabled = gardenlethelper.IsLoggingEnabled(&r.Config) - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPA) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPA) loggingConfig = r.Config.Logging gardenNamespace = &corev1.Namespace{ @@ -382,7 +381,7 @@ func (r *Reconciler) runReconcileSeedFlow( } } - if gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio) { + if features.DefaultFeatureGate.Enabled(features.ManagedIstio) { istioCRDs := istio.NewCRD(chartApplier, seedClient) if err := istioCRDs.Deploy(ctx); err != nil { return err @@ -416,9 +415,9 @@ func (r *Reconciler) runReconcileSeedFlow( r.Config.LogLevel, r.Config.LogFormat, v1beta1constants.SecretNameCASeed, v1beta1constants.PriorityClassNameSeedSystemCritical, - gardenletfeatures.FeatureGate.Enabled(features.DefaultSeccompProfile), + features.DefaultFeatureGate.Enabled(features.DefaultSeccompProfile), v1beta1helper.SeedSettingTopologyAwareRoutingEnabled(seed.GetInfo().Spec.Settings), - gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), + features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), true, &resourcemanagerv1alpha1.IngressControllerSelector{ Namespace: v1beta1constants.GardenNamespace, @@ -452,7 +451,7 @@ func (r *Reconciler) runReconcileSeedFlow( } ) - if gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio) { + if features.DefaultFeatureGate.Enabled(features.ManagedIstio) { aggregateMonitoringComponentFunctions = append(aggregateMonitoringComponentFunctions, istio.AggregateMonitoringConfiguration) } 
@@ -743,7 +742,7 @@ func (r *Reconciler) runReconcileSeedFlow( if err != nil { return err } - sniEnabledOrInUse := anySNIInUse || gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI) + sniEnabledOrInUse := anySNIInUse || features.DefaultFeatureGate.Enabled(features.APIServerSNI) seedIsOriginOfClusterIdentity, err := clusteridentity.IsClusterIdentityEmptyOrFromOrigin(ctx, seedClient, v1beta1constants.ClusterIdentityOriginSeed) if err != nil { @@ -765,7 +764,7 @@ func (r *Reconciler) runReconcileSeedFlow( "images": imagevector.ImageMapToValues(seedImages), }, "prometheus": map[string]interface{}{ - "deployAllowAllAccessNetworkPolicy": !gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), + "deployAllowAllAccessNetworkPolicy": !features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), "resources": monitoringResources["prometheus"], "storage": seed.GetValidVolumeSize("10Gi"), "additionalScrapeConfigs": centralScrapeConfigs.String(), @@ -799,7 +798,7 @@ func (r *Reconciler) runReconcileSeedFlow( "enabled": hvpaEnabled, }, "istio": map[string]interface{}{ - "enabled": gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio), + "enabled": features.DefaultFeatureGate.Enabled(features.ManagedIstio), }, "ingress": map[string]interface{}{ "authSecretName": globalMonitoringSecretSeed.Name, @@ -828,7 +827,7 @@ func (r *Reconciler) runReconcileSeedFlow( istio component.DeployWaiter ) - if gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio) { + if features.DefaultFeatureGate.Enabled(features.ManagedIstio) { istio, err = defaultIstio(seedClient, r.ImageVector, chartRenderer, seed, &r.Config, sniEnabledOrInUse) if err != nil { return err 
@@ -868,7 +867,7 @@ func (r *Reconciler) runReconcileSeedFlow( } - if gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) { + if features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster) { if err := kubernetesutils.DeleteObject(ctx, seedClient, &networkingv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: "allow-seed-prometheus", Namespace: r.GardenNamespace}}); err != nil { return err } @@ -878,7 +877,7 @@ func (r *Reconciler) runReconcileSeedFlow( g = flow.NewGraph("Seed cluster creation") _ = g.Add(flow.Task{ Name: "Deploying Istio", - Fn: flow.TaskFn(func(ctx context.Context) error { return istio.Deploy(ctx) }).DoIf(gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio)), + Fn: flow.TaskFn(func(ctx context.Context) error { return istio.Deploy(ctx) }).DoIf(features.DefaultFeatureGate.Enabled(features.ManagedIstio)), }) _ = g.Add(flow.Task{ Name: "Ensuring network policies", diff --git a/pkg/gardenlet/features/features.go b/pkg/gardenlet/features/features.go index 8b8c89c9da8..cb4b0848984 100644 --- a/pkg/gardenlet/features/features.go +++ b/pkg/gardenlet/features/features.go @@ -16,17 +16,13 @@ package features import ( utilruntime "k8s.io/apimachinery/pkg/util/runtime" - "k8s.io/component-base/featuregate" "github.com/gardener/gardener/pkg/features" ) -// FeatureGate is a shared global FeatureGate for Gardenlet flags. -var FeatureGate = featuregate.NewFeatureGate() - -// RegisterFeatureGates registers the feature gates of the Gardenlet. +// RegisterFeatureGates registers the feature gates of gardenlet. func RegisterFeatureGates() { - utilruntime.Must(FeatureGate.Add(features.GetFeatures( + utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures( features.HVPA, features.HVPAForShootedSeed, features.ManagedIstio, 
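Review bot: The doc comment on `RegisterFeatureGates` in pkg/gardenlet/features/features.go no longer says where the gates end up; since they are now added to the shared `features.DefaultFeatureGate` instead of a gardenlet-private gate, the comment should name that, e.g. `// RegisterFeatureGates adds gardenlet's feature gates to features.DefaultFeatureGate; it panics if one is already registered there with a different spec.` The panic part follows from the `utilruntime.Must` wrapped around `Add`, which in component-base (as far as I recall) rejects re-registration with a differing spec and registration after the gate has been bound to a flag set — worth stating because valueshelper_test.go calls `RegisterFeatureGates()` in a `BeforeEach` and other binaries may now register into the same global. Because the gate is process-global, the hardening-related reads in reconciler_reconcile.go (`features.DefaultSeccompProfile`, `features.FullNetworkPoliciesInRuntimeCluster`) depend on every `Set`/`SetFromMap` happening before the controllers start; the commit description says this was moved to `options.complete`, which is not visible in this chunk.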
@@ -35,6 +31,7 @@ func RegisterFeatureGates() { features.CopyEtcdBackupsDuringControlPlaneMigration, features.DefaultSeccompProfile, features.CoreDNSQueryRewriting, + features.IPv6SingleStack, features.FullNetworkPoliciesInRuntimeCluster, ))) } diff --git a/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/envoy-filter.yaml b/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/envoy-filter.yaml index d3711f7396e..3ab184a10de 100644 --- a/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/envoy-filter.yaml +++ b/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/envoy-filter.yaml @@ -36,7 +36,6 @@ spec: match: context: GATEWAY listener: - name: 0.0.0.0_{{ .targetPort }} portNumber: {{ .targetPort }} patch: operation: MERGE diff --git a/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/proxy-protocol-envoyfilter.yaml b/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/proxy-protocol-envoyfilter.yaml index 9264acc4110..29505712008 100644 --- a/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/proxy-protocol-envoyfilter.yaml +++ b/pkg/operation/botanist/component/istio/charts/istio/istio-ingress/templates/proxy-protocol-envoyfilter.yaml @@ -17,7 +17,6 @@ spec: context: GATEWAY listener: portNumber: 8443 - name: 0.0.0.0_8443 patch: operation: MERGE value: diff --git a/pkg/operation/botanist/component/istio/istio_test.go b/pkg/operation/botanist/component/istio/istio_test.go index 171bdd2d051..64b086c054f 100644 --- a/pkg/operation/botanist/component/istio/istio_test.go +++ b/pkg/operation/botanist/component/istio/istio_test.go @@ -1202,7 +1202,6 @@ spec: match: context: GATEWAY listener: - name: 0.0.0.0_999 portNumber: 999 patch: operation: MERGE @@ -2077,7 +2076,6 @@ spec: context: GATEWAY listener: portNumber: 8443 - name: 0.0.0.0_8443 patch: operation: MERGE value: 
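Review bot: The listener match in istio-ingress/templates/envoy-filter.yaml now keys on `portNumber` alone, but nothing in the template records why the `name` line was dropped, so a later reader could re-add the name for precision and silently break IPv6 again. Add a comment above the `listener:` key such as `# Match by port only: Istio names listeners after the bind address (0.0.0.0_<port> vs [::]_<port>), so a name match would skip IPv6 listeners.` The same applies to proxy-protocol-envoyfilter.yaml in this hunk group and to kubeapiserverexposure/templates/envoyfilter.yaml further down. Matching by port alone also attaches the patch to every GATEWAY listener on that port regardless of bind address, which is presumably the intent; note that if a non-wildcard listener is ever added on 8443, the proxy-protocol listener filter would be merged into it as well.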
diff --git a/pkg/operation/botanist/component/kubeapiserverexposure/templates/envoyfilter.yaml b/pkg/operation/botanist/component/kubeapiserverexposure/templates/envoyfilter.yaml index e746c4209c0..5d899c4ac77 100644 --- a/pkg/operation/botanist/component/kubeapiserverexposure/templates/envoyfilter.yaml +++ b/pkg/operation/botanist/component/kubeapiserverexposure/templates/envoyfilter.yaml @@ -23,7 +23,6 @@ spec: context: ANY listener: portNumber: 8443 - name: 0.0.0.0_8443 patch: operation: ADD value: diff --git a/pkg/operation/botanist/coredns.go b/pkg/operation/botanist/coredns.go index e2f19424bdb..be34065169a 100644 --- a/pkg/operation/botanist/coredns.go +++ b/pkg/operation/botanist/coredns.go @@ -28,7 +28,6 @@ import ( v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" "github.com/gardener/gardener/pkg/controllerutils" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/coredns" "github.com/gardener/gardener/pkg/utils/images" "github.com/gardener/gardener/pkg/utils/imagevector" @@ -51,7 +50,7 @@ func (b *Botanist) DefaultCoreDNS() (coredns.Interface, error) { NodeNetworkCIDR: b.Shoot.GetInfo().Spec.Networking.Nodes, AutoscalingMode: gardencorev1beta1.CoreDNSAutoscalingModeHorizontal, KubernetesVersion: b.Shoot.KubernetesVersion, - SearchPathRewritesEnabled: v1beta1helper.IsCoreDNSRewritingEnabled(gardenletfeatures.FeatureGate.Enabled(features.CoreDNSQueryRewriting), b.Shoot.GetInfo().GetAnnotations()), + SearchPathRewritesEnabled: v1beta1helper.IsCoreDNSRewritingEnabled(features.DefaultFeatureGate.Enabled(features.CoreDNSQueryRewriting), b.Shoot.GetInfo().GetAnnotations()), SearchPathRewriteCommonSuffixes: getCommonSuffixesForRewriting(b.Shoot.GetInfo().Spec.SystemComponents), } 
@@ -107,7 +106,7 @@ func (b *Botanist) getCoreDNSRestartedAtAnnotations(ctx context.Context) (map[st } func getCommonSuffixesForRewriting(systemComponents *gardencorev1beta1.SystemComponents) []string { - if gardenletfeatures.FeatureGate.Enabled(features.CoreDNSQueryRewriting) && systemComponents != nil && systemComponents.CoreDNS != nil && systemComponents.CoreDNS.Rewriting != nil { + if features.DefaultFeatureGate.Enabled(features.CoreDNSQueryRewriting) && systemComponents != nil && systemComponents.CoreDNS != nil && systemComponents.CoreDNS.Rewriting != nil { return systemComponents.CoreDNS.Rewriting.CommonSuffixes } return []string{} diff --git a/pkg/operation/botanist/coredns_test.go b/pkg/operation/botanist/coredns_test.go index af8728e784f..76aa7010473 100644 --- a/pkg/operation/botanist/coredns_test.go +++ b/pkg/operation/botanist/coredns_test.go @@ -33,7 +33,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes" kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" mockcoredns "github.com/gardener/gardener/pkg/operation/botanist/component/coredns/mock" @@ -81,7 +80,7 @@ var _ = Describe("CoreDNS", func() { }) It("should successfully create a coredns interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() botanist.ImageVector = imagevector.ImageVector{{Name: "coredns"}} 
@@ -118,7 +117,7 @@ var _ = Describe("CoreDNS", func() { }) It("should successfully create a coredns interface with cluster-proportional autoscaling enabled", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() botanist.ImageVector = imagevector.ImageVector{{Name: "coredns"}, {Name: "cluster-proportional-autoscaler"}} diff --git a/pkg/operation/botanist/dns_test.go b/pkg/operation/botanist/dns_test.go index 37ba8b06b57..8dad061efb5 100644 --- a/pkg/operation/botanist/dns_test.go +++ b/pkg/operation/botanist/dns_test.go @@ -35,6 +35,7 @@ import ( "github.com/gardener/gardener/pkg/chartrenderer" "github.com/gardener/gardener/pkg/client/kubernetes" kubernetesfake "github.com/gardener/gardener/pkg/client/kubernetes/fake" + "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" @@ -42,6 +43,7 @@ import ( "github.com/gardener/gardener/pkg/operation/garden" shootpkg "github.com/gardener/gardener/pkg/operation/shoot" gardenerutils "github.com/gardener/gardener/pkg/utils/gardener" + "github.com/gardener/gardener/pkg/utils/test" ) var _ = Describe("dns", func() { @@ -170,7 +172,7 @@ var _ = Describe("dns", func() { }) It("returns true when feature gate is enabled", func() { - Expect(gardenletfeatures.FeatureGate.Set("APIServerSNI=true")).ToNot(HaveOccurred()) + DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)) b.Garden.InternalDomain = &gardenerutils.Domain{Provider: "some-provider"} b.Shoot.GetInfo().Spec.DNS = &gardencorev1beta1.DNS{Domain: pointer.String("foo")} b.Shoot.ExternalClusterDomain = pointer.String("baz") 
@@ -187,7 +189,7 @@ var _ = Describe("dns", func() { Context("APIServerSNI feature gate is enabled", func() { BeforeEach(func() { - Expect(gardenletfeatures.FeatureGate.Set("APIServerSNI=true")).ToNot(HaveOccurred()) + DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)) b.Garden.InternalDomain = &gardenerutils.Domain{Provider: "some-provider"} b.Shoot.GetInfo().Spec.DNS = &gardencorev1beta1.DNS{Domain: pointer.String("foo")} b.Shoot.ExternalClusterDomain = pointer.String("baz") diff --git a/pkg/operation/botanist/etcd.go b/pkg/operation/botanist/etcd.go index 6b524ddb624..d1b03a14dae 100644 --- a/pkg/operation/botanist/etcd.go +++ b/pkg/operation/botanist/etcd.go @@ -28,7 +28,6 @@ import ( seedmanagementv1alpha1 "github.com/gardener/gardener/pkg/apis/seedmanagement/v1alpha1" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/etcd" "github.com/gardener/gardener/pkg/operation/botanist/component/shared" "github.com/gardener/gardener/pkg/operation/shoot" @@ -71,9 +70,9 @@ func (b *Botanist) DefaultEtcd(role string, class etcd.Class) (etcd.Interface, e }, ) - hvpaEnabled := gardenletfeatures.FeatureGate.Enabled(features.HVPA) + hvpaEnabled := features.DefaultFeatureGate.Enabled(features.HVPA) if b.ManagedSeed != nil { - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPAForShootedSeed) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPAForShootedSeed) } e.SetHVPAConfig(&etcd.HVPAConfig{ diff --git a/pkg/operation/botanist/etcd_test.go b/pkg/operation/botanist/etcd_test.go index 7df4bd5fd62..5ad97b4a80a 100644 --- a/pkg/operation/botanist/etcd_test.go +++ b/pkg/operation/botanist/etcd_test.go 
@@ -42,7 +42,6 @@ import ( kubernetesfake "github.com/gardener/gardener/pkg/client/kubernetes/fake" "github.com/gardener/gardener/pkg/features" gardenletconfig "github.com/gardener/gardener/pkg/gardenlet/apis/config" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" mockclient "github.com/gardener/gardener/pkg/mock/controller-runtime/client" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" @@ -136,7 +135,7 @@ var _ = Describe("Etcd", func() { purpose = shootPurpose ) It(fmt.Sprintf("should successfully create an etcd interface: class = %q, purpose = %q", class, purpose), func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPA, hvpaEnabled)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, hvpaEnabled)() botanist.Shoot.Purpose = purpose @@ -178,7 +177,7 @@ var _ = Describe("Etcd", func() { }) It("should successfully create an etcd interface (normal class)", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPAForShootedSeed, hvpaForShootedSeedEnabled)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPAForShootedSeed, hvpaForShootedSeedEnabled)() validator := &newEtcdValidator{ expectedClient: Equal(c), @@ -210,7 +209,7 @@ var _ = Describe("Etcd", func() { It("should successfully create an etcd interface (important class)", func() { class := etcd.ClassImportant - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPAForShootedSeed, hvpaForShootedSeedEnabled)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPAForShootedSeed, hvpaForShootedSeedEnabled)() validator := &newEtcdValidator{ expectedClient: Equal(c), 
@@ -241,7 +240,7 @@ var _ = Describe("Etcd", func() { }) It("should return an error because the maintenance time window cannot be parsed", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPA, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, true)() botanist.Shoot.GetInfo().Spec.Maintenance.TimeWindow = &gardencorev1beta1.MaintenanceTimeWindow{ Begin: "foobar", End: "barfoo", diff --git a/pkg/operation/botanist/kubeapiserver.go b/pkg/operation/botanist/kubeapiserver.go index 7a2dc03d16b..d738060763e 100644 --- a/pkg/operation/botanist/kubeapiserver.go +++ b/pkg/operation/botanist/kubeapiserver.go @@ -30,7 +30,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/client/kubernetes/clientmap/keys" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver" "github.com/gardener/gardener/pkg/operation/botanist/component/shared" gardenerutils "github.com/gardener/gardener/pkg/utils/gardener" @@ -74,7 +73,7 @@ func (b *Botanist) DefaultKubeAPIServer(ctx context.Context) (kubeapiserver.Inte func (b *Botanist) computeKubeAPIServerAutoscalingConfig() kubeapiserver.AutoscalingConfig { var ( - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPA) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPA) useMemoryMetricForHvpaHPA = false scaleDownDisabledForHvpa = false defaultReplicas *int32 
@@ -103,7 +102,7 @@ func (b *Botanist) computeKubeAPIServerAutoscalingConfig() kubeapiserver.Autosca apiServerResources = resourcesRequirementsForKubeAPIServer(nodeCount, b.Shoot.GetInfo().Annotations[v1beta1constants.ShootAlphaScalingAPIServerClass]) if b.ManagedSeed != nil { - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPAForShootedSeed) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPAForShootedSeed) useMemoryMetricForHvpaHPA = true if b.ManagedSeedAPIServer != nil { diff --git a/pkg/operation/botanist/kubeapiserver_test.go b/pkg/operation/botanist/kubeapiserver_test.go index fa44359658e..76dc36892bf 100644 --- a/pkg/operation/botanist/kubeapiserver_test.go +++ b/pkg/operation/botanist/kubeapiserver_test.go @@ -39,7 +39,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes/clientmap/keys" "github.com/gardener/gardener/pkg/client/kubernetes/fake" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver" mockkubeapiserver "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver/mock" @@ -184,7 +183,7 @@ var _ = Describe("KubeAPIServer", func() { } if featureGate != nil && value != nil { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, *featureGate, *value)() + defer test.WithFeatureGate(features.DefaultFeatureGate, *featureGate, *value)() } kubeAPIServer, err := botanist.DefaultKubeAPIServer(ctx) @@ -395,7 +394,7 @@ var _ = Describe("KubeAPIServer", func() { } if featureGate != nil && value != nil { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, *featureGate, *value)() + defer test.WithFeatureGate(features.DefaultFeatureGate, *featureGate, *value)() } kubeAPIServer.EXPECT().GetValues() 
diff --git a/pkg/operation/botanist/kubeapiserverexposure.go b/pkg/operation/botanist/kubeapiserverexposure.go index 2fba979921d..39b6703ddc0 100644 --- a/pkg/operation/botanist/kubeapiserverexposure.go +++ b/pkg/operation/botanist/kubeapiserverexposure.go @@ -22,7 +22,6 @@ import ( v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component" "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserverexposure" gardenerutils "github.com/gardener/gardener/pkg/utils/gardener" @@ -49,7 +48,7 @@ func (b *Botanist) newKubeAPIServiceServiceComponent(sniPhase component.Phase) c b.APIServerAddress = address b.newDNSComponentsTargetingAPIServerAddress() }, - gardenletfeatures.FeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), + features.DefaultFeatureGate.Enabled(features.FullNetworkPoliciesInRuntimeCluster), "", ) } @@ -67,7 +66,7 @@ func (b *Botanist) DeployKubeAPIService(ctx context.Context, sniPhase component. // APIServerSNIEnabled returns true if APIServerSNI feature gate is enabled and the shoot uses internal and external // DNS. func (b *Botanist) APIServerSNIEnabled() bool { - return gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI) && b.NeedsInternalDNS() && b.NeedsExternalDNS() + return features.DefaultFeatureGate.Enabled(features.APIServerSNI) && b.NeedsInternalDNS() && b.NeedsExternalDNS() } // DefaultKubeAPIServerSNI returns a deployer for the kube-apiserver SNI. diff --git a/pkg/operation/botanist/kubeapiserverexposure_test.go b/pkg/operation/botanist/kubeapiserverexposure_test.go index e95ac32030a..04bb50ccab3 100644 --- a/pkg/operation/botanist/kubeapiserverexposure_test.go +++ b/pkg/operation/botanist/kubeapiserverexposure_test.go 
@@ -31,6 +31,7 @@ import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" kubernetesfake "github.com/gardener/gardener/pkg/client/kubernetes/fake" + "github.com/gardener/gardener/pkg/features" gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" "github.com/gardener/gardener/pkg/operation/botanist/component" @@ -38,6 +39,7 @@ import ( "github.com/gardener/gardener/pkg/operation/seed" "github.com/gardener/gardener/pkg/operation/shoot" gardenerutils "github.com/gardener/gardener/pkg/utils/gardener" + "github.com/gardener/gardener/pkg/utils/test" . "github.com/gardener/gardener/pkg/utils/test/matchers" ) @@ -99,7 +101,7 @@ var _ = Describe("KubeAPIServerExposure", func() { Context("sni enabled", func() { BeforeEach(func() { - Expect(gardenletfeatures.FeatureGate.Set("APIServerSNI=true")).ToNot(HaveOccurred()) + DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)) botanist.Garden.InternalDomain = &gardenerutils.Domain{Provider: "some-provider"} botanist.Shoot.GetInfo().Spec.DNS = &gardencorev1beta1.DNS{Domain: pointer.String("foo")} botanist.Shoot.ExternalClusterDomain = pointer.String("baz") diff --git a/pkg/operation/botanist/kubecontrollermanager.go b/pkg/operation/botanist/kubecontrollermanager.go index ef9a8083105..ef012013a5e 100644 --- a/pkg/operation/botanist/kubecontrollermanager.go +++ b/pkg/operation/botanist/kubecontrollermanager.go @@ -23,7 +23,6 @@ import ( v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/kubecontrollermanager" "github.com/gardener/gardener/pkg/utils/images" "github.com/gardener/gardener/pkg/utils/imagevector" 
@@ -37,9 +36,9 @@ func (b *Botanist) DefaultKubeControllerManager() (kubecontrollermanager.Interfa return nil, err } - hvpaEnabled := gardenletfeatures.FeatureGate.Enabled(features.HVPA) + hvpaEnabled := features.DefaultFeatureGate.Enabled(features.HVPA) if b.ManagedSeed != nil { - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPAForShootedSeed) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPAForShootedSeed) } scaleDownUpdateMode := hvpav1alpha1.UpdateModeAuto diff --git a/pkg/operation/botanist/kubernetesdashboard_test.go b/pkg/operation/botanist/kubernetesdashboard_test.go index 48058a5074d..b1e1d9b3ad4 100644 --- a/pkg/operation/botanist/kubernetesdashboard_test.go +++ b/pkg/operation/botanist/kubernetesdashboard_test.go @@ -25,7 +25,6 @@ import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" mockkubernetesdashboard "github.com/gardener/gardener/pkg/operation/botanist/component/kubernetesdashboard/mock" @@ -78,7 +77,7 @@ var _ = Describe("Kubernetes Dashboard", func() { }) It("should successfully create a Kubernetes Dashboard interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() botanist.ImageVector = imagevector.ImageVector{ {Name: "kubernetes-dashboard"}, diff --git a/pkg/operation/botanist/logging.go b/pkg/operation/botanist/logging.go index 219bc9d25da..0ce04cb8ee0 100644 --- a/pkg/operation/botanist/logging.go +++ b/pkg/operation/botanist/logging.go 
@@ -28,7 +28,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/features" gardenlethelper "github.com/gardener/gardener/pkg/gardenlet/apis/config/helper" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component" "github.com/gardener/gardener/pkg/operation/botanist/component/logging/eventlogger" "github.com/gardener/gardener/pkg/operation/common" @@ -84,9 +83,9 @@ func (b *Botanist) DeploySeedLogging(ctx context.Context) error { } hvpaValues := make(map[string]interface{}) - hvpaEnabled := gardenletfeatures.FeatureGate.Enabled(features.HVPA) + hvpaEnabled := features.DefaultFeatureGate.Enabled(features.HVPA) if b.ManagedSeed != nil { - hvpaEnabled = gardenletfeatures.FeatureGate.Enabled(features.HVPAForShootedSeed) + hvpaEnabled = features.DefaultFeatureGate.Enabled(features.HVPAForShootedSeed) } if b.isShootNodeLoggingEnabled() { diff --git a/pkg/operation/botanist/metricsserver_test.go b/pkg/operation/botanist/metricsserver_test.go index dc0f1b4cb54..52ba672f695 100644 --- a/pkg/operation/botanist/metricsserver_test.go +++ b/pkg/operation/botanist/metricsserver_test.go @@ -22,7 +22,6 @@ import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" "github.com/gardener/gardener/pkg/operation/garden" 
@@ -66,7 +65,7 @@ var _ = Describe("MetricsServer", func() { }) It("should successfully create a metrics-server interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() botanist.ImageVector = imagevector.ImageVector{{Name: "metrics-server"}} diff --git a/pkg/operation/botanist/nginxingress_test.go b/pkg/operation/botanist/nginxingress_test.go index f727b59ef9e..4a0f8c56561 100644 --- a/pkg/operation/botanist/nginxingress_test.go +++ b/pkg/operation/botanist/nginxingress_test.go @@ -43,7 +43,6 @@ import ( kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" "github.com/gardener/gardener/pkg/operation/botanist/component/extensions/dnsrecord" @@ -99,7 +98,7 @@ var _ = Describe("NginxIngress", func() { }) It("should successfully create a nginxingress interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() botanist.ImageVector = imagevector.ImageVector{{Name: "nginx-ingress-controller"}, {Name: "ingress-default-backend"}} diff --git a/pkg/operation/botanist/nodeproblemdetector_test.go b/pkg/operation/botanist/nodeproblemdetector_test.go index c787ebf3946..7bb099bd1e7 100644 --- a/pkg/operation/botanist/nodeproblemdetector_test.go +++ b/pkg/operation/botanist/nodeproblemdetector_test.go 
@@ -22,7 +22,6 @@ import ( gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1" kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" "github.com/gardener/gardener/pkg/operation/garden" @@ -65,7 +64,7 @@ var _ = Describe("NodeProblemDetector", func() { }) It("should successfully create a nodeproblemdetector interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() botanist.ImageVector = imagevector.ImageVector{{Name: "node-problem-detector"}} diff --git a/pkg/operation/botanist/vpnseedserver_test.go b/pkg/operation/botanist/vpnseedserver_test.go index 0933bd110b7..24da70f3168 100644 --- a/pkg/operation/botanist/vpnseedserver_test.go +++ b/pkg/operation/botanist/vpnseedserver_test.go @@ -33,7 +33,6 @@ import ( kubernetesmock "github.com/gardener/gardener/pkg/client/kubernetes/mock" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/apis/config" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation" . "github.com/gardener/gardener/pkg/operation/botanist" "github.com/gardener/gardener/pkg/operation/botanist/component" 
@@ -101,7 +100,7 @@ var _ = Describe("VPNSeedServer", func() { }) It("should successfully create a vpn seed server interface", func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() kubernetesClient.EXPECT().Version() botanist.ImageVector = imagevector.ImageVector{{Name: images.ImageNameVpnSeedServer}, {Name: images.ImageNameApiserverProxy}} @@ -113,7 +112,7 @@ var _ = Describe("VPNSeedServer", func() { DescribeTable("should correctly set the deployment replicas", func(hibernated, highAvailable bool, expectedReplicas int) { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.APIServerSNI, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.APIServerSNI, true)() kubernetesClient.EXPECT().Client() kubernetesClient.EXPECT().Version() botanist.ImageVector = imagevector.ImageVector{{Name: images.ImageNameVpnSeedServer}, {Name: images.ImageNameApiserverProxy}} diff --git a/pkg/operation/care/seed_health.go b/pkg/operation/care/seed_health.go index 61c2c2889aa..f96c2650051 100644 --- a/pkg/operation/care/seed_health.go +++ b/pkg/operation/care/seed_health.go @@ -29,7 +29,6 @@ import ( v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/clusterautoscaler" "github.com/gardener/gardener/pkg/operation/botanist/component/clusteridentity" "github.com/gardener/gardener/pkg/operation/botanist/component/dependencywatchdog" 
@@ -107,11 +106,11 @@ func (h *SeedHealth) checkSeedSystemComponents( managedResources = append(managedResources, clusteridentity.ManagedResourceControlName) } - if gardenletfeatures.FeatureGate.Enabled(features.ManagedIstio) { + if features.DefaultFeatureGate.Enabled(features.ManagedIstio) { managedResources = append(managedResources, istio.ManagedResourceControlName) managedResources = append(managedResources, istio.ManagedResourceIstioSystemName) } - if gardenletfeatures.FeatureGate.Enabled(features.HVPA) { + if features.DefaultFeatureGate.Enabled(features.HVPA) { managedResources = append(managedResources, hvpa.ManagedResourceName) } if v1beta1helper.SeedSettingDependencyWatchdogWeederEnabled(h.seed.Spec.Settings) { diff --git a/pkg/operation/care/seed_health_test.go b/pkg/operation/care/seed_health_test.go index 39938c52be1..8f92cb936e3 100644 --- a/pkg/operation/care/seed_health_test.go +++ b/pkg/operation/care/seed_health_test.go @@ -31,7 +31,6 @@ import ( resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1" "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/features" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/operation/botanist/component/clusterautoscaler" "github.com/gardener/gardener/pkg/operation/botanist/component/clusteridentity" "github.com/gardener/gardener/pkg/operation/botanist/component/dependencywatchdog" @@ -79,7 +78,7 @@ var _ = Describe("Seed health", func() { ) BeforeEach(func() { - defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPA, true)() + defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, true)() ctx = context.TODO() c = fakeclient.NewClientBuilder().WithScheme(kubernetes.SeedScheme).Build() 
@@ -139,7 +138,7 @@ var _ = Describe("Seed health", func() {
Context("When optional managed resources are turned off, and required resources are deployed successfully", func() {
JustBeforeEach(func() {
- defer test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPA, false)()
+ defer test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, false)()
seed.Spec.Ingress.Controller.Kind = "foo"
seed.Spec.Settings.DependencyWatchdog.Endpoint.Enabled = false
seed.Spec.Settings.DependencyWatchdog.Probe.Enabled = false
diff --git a/pkg/operator/apis/config/v1alpha1/defaults.go b/pkg/operator/apis/config/v1alpha1/defaults.go
index bf289d02a88..be87551f266 100644
--- a/pkg/operator/apis/config/v1alpha1/defaults.go
+++ b/pkg/operator/apis/config/v1alpha1/defaults.go
@@ -75,9 +75,6 @@ func SetDefaults_LeaderElectionConfiguration(obj *componentbaseconfigv1alpha1.Le
// SetDefaults_ServerConfiguration sets defaults for the server configuration.
func SetDefaults_ServerConfiguration(obj *ServerConfiguration) {
- if len(obj.Webhooks.BindAddress) == 0 {
- obj.Webhooks.BindAddress = "0.0.0.0"
- }
if obj.Webhooks.Port == 0 {
obj.Webhooks.Port = 2750
}
diff --git a/pkg/operator/apis/config/v1alpha1/defaults_test.go b/pkg/operator/apis/config/v1alpha1/defaults_test.go
index 9fe533a93a9..4d70abff4d1 100644
--- a/pkg/operator/apis/config/v1alpha1/defaults_test.go
+++ b/pkg/operator/apis/config/v1alpha1/defaults_test.go
@@ -42,7 +42,7 @@ var _ = Describe("Defaults", func() {
Expect(obj.LogLevel).To(Equal(logger.InfoLevel))
Expect(obj.LogFormat).To(Equal(logger.FormatJSON))
- Expect(obj.Server.Webhooks.BindAddress).To(Equal("0.0.0.0"))
+ Expect(obj.Server.Webhooks.BindAddress).To(BeEmpty())
Expect(obj.Server.Webhooks.Port).To(Equal(2750))
Expect(obj.Server.HealthProbes.BindAddress).To(BeEmpty())
Expect(obj.Server.HealthProbes.Port).To(Equal(2751))
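Review bot: With the `"0.0.0.0"` default removed from `SetDefaults_ServerConfiguration`, nothing in the defaulting code tells a reader what an empty `Webhooks.BindAddress` means, and the test now only asserts `BeEmpty()`. Unless the `BindAddress` field's API doc already says so, it should state that an empty value makes the webhook server listen on all addresses of both IP families (the `net.Listen` behaviour the commit relies on), e.g. `// BindAddress is the IP address on which to listen. If empty, the server listens on all addresses of both IP families.` On hosts with IPv6 addresses this widens the listening scope from IPv4-only to dual-stack, which operators who relied on the old default should be able to read off the API. The same applies to the resourcemanager and scheduler `defaults.go` hunks further down. `SetDefaults_ServerConfiguration` continues outside the hunk.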
diff --git a/pkg/operator/controller/garden/components.go b/pkg/operator/controller/garden/components.go index 28262ad6df6..f750e47378b 100644 --- a/pkg/operator/controller/garden/components.go +++ b/pkg/operator/controller/garden/components.go @@ -42,7 +42,6 @@ import ( "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver" "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserverexposure" sharedcomponent "github.com/gardener/gardener/pkg/operation/botanist/component/shared" - operatorfeatures "github.com/gardener/gardener/pkg/operator/features" secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager" "github.com/gardener/gardener/pkg/utils/timewindow" ) @@ -59,7 +58,7 @@ func (r *Reconciler) newGardenerResourceManager(garden *operatorv1alpha1.Garden, r.Config.LogLevel, r.Config.LogFormat, operatorv1alpha1.SecretNameCARuntime, v1beta1constants.PriorityClassNameGardenSystemCritical, - operatorfeatures.FeatureGate.Enabled(features.DefaultSeccompProfile), + features.DefaultFeatureGate.Enabled(features.DefaultSeccompProfile), helper.TopologyAwareRoutingEnabled(garden.Spec.RuntimeCluster.Settings), false, false, diff --git a/pkg/operator/controller/garden/reconciler.go b/pkg/operator/controller/garden/reconciler.go index 243509fe50c..bfdbdc53e2b 100644 --- a/pkg/operator/controller/garden/reconciler.go +++ b/pkg/operator/controller/garden/reconciler.go @@ -39,7 +39,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/operator/apis/config" - operatorfeatures "github.com/gardener/gardener/pkg/operator/features" "github.com/gardener/gardener/pkg/utils/flow" "github.com/gardener/gardener/pkg/utils/imagevector" secretsutils "github.com/gardener/gardener/pkg/utils/secrets" 
@@ -386,5 +385,5 @@ func vpaEnabled(settings *operatorv1alpha1.Settings) bool {
}
func hvpaEnabled() bool {
- return operatorfeatures.FeatureGate.Enabled(features.HVPA)
+ return features.DefaultFeatureGate.Enabled(features.HVPA)
}
diff --git a/pkg/operator/features/features.go b/pkg/operator/features/features.go
index d396330ece8..9d922b5ae86 100644
--- a/pkg/operator/features/features.go
+++ b/pkg/operator/features/features.go
@@ -16,17 +16,13 @@ package features
import (
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
- "k8s.io/component-base/featuregate"
"github.com/gardener/gardener/pkg/features"
)
-// FeatureGate is a shared global FeatureGate for Gardener Operator flags.
-var FeatureGate = featuregate.NewFeatureGate()
-
-// RegisterFeatureGates registers the feature gates of the Gardener Operator.
+// RegisterFeatureGates registers the feature gates of gardener-operator.
func RegisterFeatureGates() {
- utilruntime.Must(FeatureGate.Add(features.GetFeatures(
+ utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures(
features.DefaultSeccompProfile,
features.HVPA,
)))
diff --git a/pkg/provider-local/webhook/controlplane/ensurer.go b/pkg/provider-local/webhook/controlplane/ensurer.go
index 3e2eb90d6ea..65ac1bed35e 100644
--- a/pkg/provider-local/webhook/controlplane/ensurer.go
+++ b/pkg/provider-local/webhook/controlplane/ensurer.go
@@ -29,7 +29,6 @@ import (
extensionscontextwebhook "github.com/gardener/gardener/extensions/pkg/webhook/context"
"github.com/gardener/gardener/extensions/pkg/webhook/controlplane/genericmutator"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
- v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
"github.com/gardener/gardener/pkg/utils"
)
@@ -73,20 +72,8 @@ func (e *ensurer) EnsureKubeletConfiguration(_ context.Context, _ extensionscont
// EnsureAdditionalFiles ensures that additional required system files are added.
func (e *ensurer) EnsureAdditionalFiles(ctx context.Context, gc extensionscontextwebhook.GardenContext, new, _ *[]extensionsv1alpha1.File) error {
- cluster, err := gc.GetCluster(ctx)
- if err != nil {
- return err
- }
-
- kindClusterName := "gardener-local-control-plane"
- if v1beta1helper.IsHAControlPlaneConfigured(cluster.Shoot) {
- kindClusterName = "gardener-local-ha-control-plane"
- }
-
var script bytes.Buffer
- if err := tplInitializer.Execute(&script, map[string]interface{}{
- "kindClusterName": kindClusterName,
- }); err != nil {
+ if err := tplInitializer.Execute(&script, nil); err != nil {
return err
}
diff --git a/pkg/provider-local/webhook/controlplane/templates/scripts/configure-containerd.tpl.sh b/pkg/provider-local/webhook/controlplane/templates/scripts/configure-containerd.tpl.sh
index ed38411e42e..4e05a8e0f03 100644
--- a/pkg/provider-local/webhook/controlplane/templates/scripts/configure-containerd.tpl.sh
+++ b/pkg/provider-local/webhook/controlplane/templates/scripts/configure-containerd.tpl.sh
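Review bot: After the cluster lookup is dropped, `ctx` and `gc` are no longer read anywhere in `EnsureAdditionalFiles`, yet they keep their names, while the sibling `EnsureKubeletConfiguration` (visible in the hunk header) blanks its unused parameters with `_`. For consistency within the file the signature should become `func (e *ensurer) EnsureAdditionalFiles(_ context.Context, _ extensionscontextwebhook.GardenContext, new, _ *[]extensionsv1alpha1.File) error {`. Since the template is now executed with `nil` data the emitted script no longer varies per shoot; if no other placeholder remains in the template, a short comment on the `Execute` call saying that the script is static would stop a reader from looking for the data that used to be passed. The function body continues past the hunk.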
@@ -14,23 +14,23 @@ # limitations under the License. -cluster_name={{ .kindClusterName }} +hostname=garden.local.gardener.cloud FILENAME=/etc/containerd/config.toml if ! grep -q plugins.\"io.containerd.grpc.v1.cri\".registry.mirrors.\"localhost:5001\" "$FILENAME"; then cat <> $FILENAME [plugins."io.containerd.grpc.v1.cri".registry.mirrors."localhost:5001"] - endpoint = ["http://$cluster_name:5001"] + endpoint = ["http://$hostname:5001"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"] - endpoint = ["http://$cluster_name:5003"] + endpoint = ["http://$hostname:5003"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."eu.gcr.io"] - endpoint = ["http://$cluster_name:5004"] + endpoint = ["http://$hostname:5004"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."ghcr.io"] - endpoint = ["http://$cluster_name:5005"] + endpoint = ["http://$hostname:5005"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."registry.k8s.io"] - endpoint = ["http://$cluster_name:5006"] + endpoint = ["http://$hostname:5006"] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."quay.io"] - endpoint = ["http://$cluster_name:5007"] + endpoint = ["http://$hostname:5007"] EOF echo "Configured containerd with registry mirrors for local-setup." else diff --git a/pkg/registry/core/shoot/strategy.go b/pkg/registry/core/shoot/strategy.go index ba509b5e94f..c86319565a5 100644 --- a/pkg/registry/core/shoot/strategy.go +++ b/pkg/registry/core/shoot/strategy.go @@ -29,7 +29,6 @@ import ( "k8s.io/apiserver/pkg/registry/rest" "k8s.io/apiserver/pkg/storage" "k8s.io/apiserver/pkg/storage/names" - utilfeature "k8s.io/apiserver/pkg/util/feature" "github.com/gardener/gardener/pkg/api" "github.com/gardener/gardener/pkg/api/core/shoot" 
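Review bot: The idempotency guard `grep -q plugins.\"io.containerd.grpc.v1.cri\".registry.mirrors.\"localhost:5001\" "$FILENAME"` only checks that the mirror section header exists, so a node whose `config.toml` was written by the previous template keeps its old `$cluster_name`-based endpoints and is never rewritten to `garden.local.gardener.cloud`. If nodes are always recreated by the local setup this is harmless, but if the script can run on an existing node the guard should key on the new endpoint instead, e.g. `if ! grep -q "http://$hostname:5001" "$FILENAME"; then`. A one-line comment next to `hostname=garden.local.gardener.cloud` saying that this name must resolve from inside the kind nodes (the commit message explains it replaces the kind container names) would also help, as the script itself gives no hint where the name is defined. The `if` body continues outside the hunk.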
@@ -87,7 +86,7 @@ func (shootStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Obje
func dropDisabledFields(newShoot, oldShoot *core.Shoot) {
// Removes disabled HighAvailability related fields from shoot spec if it is not already used by the old spec
oldShootIsHA := oldShoot != nil && helper.IsHAControlPlaneConfigured(oldShoot)
- if !utilfeature.DefaultFeatureGate.Enabled(features.HAControlPlanes) && !oldShootIsHA && newShoot.Spec.ControlPlane != nil {
+ if !features.DefaultFeatureGate.Enabled(features.HAControlPlanes) && !oldShootIsHA && newShoot.Spec.ControlPlane != nil {
newShoot.Spec.ControlPlane.HighAvailability = nil
}
}
diff --git a/pkg/registry/core/shoot/strategy_test.go b/pkg/registry/core/shoot/strategy_test.go
index dcfd676a084..f22d9b4069f 100644
--- a/pkg/registry/core/shoot/strategy_test.go
+++ b/pkg/registry/core/shoot/strategy_test.go
@@ -24,7 +24,6 @@ import (
"k8s.io/apimachinery/pkg/fields"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/runtime"
- utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/component-base/featuregate"
"k8s.io/utils/pointer"
@@ -55,7 +54,7 @@ var _ = Describe("Strategy", func() {
Expect(testFeatureGate.Set(fmt.Sprintf("%s=%v", features.HAControlPlanes, featureGateEnabled))).To(Succeed())
DeferCleanup(test.WithVars(
- &utilfeature.DefaultFeatureGate,
+ &features.DefaultFeatureGate,
testFeatureGate,
))
@@ -307,7 +306,7 @@ var _ = Describe("Strategy", func() {
Expect(testFeatureGate.Set(fmt.Sprintf("%s=%v", features.HAControlPlanes, featureGateEnabled))).To(Succeed())
DeferCleanup(test.WithVars(
- &utilfeature.DefaultFeatureGate,
+ &features.DefaultFeatureGate,
testFeatureGate,
))
diff --git a/pkg/resourcemanager/apis/config/v1alpha1/defaults.go b/pkg/resourcemanager/apis/config/v1alpha1/defaults.go
index d23a5f56ba1..840ba2d2cf0 100644
--- a/pkg/resourcemanager/apis/config/v1alpha1/defaults.go
+++ b/pkg/resourcemanager/apis/config/v1alpha1/defaults.go
@@ -94,9 +94,6 @@ func SetDefaults_LeaderElectionConfiguration(obj *componentbaseconfigv1alpha1.Le
// SetDefaults_ServerConfiguration sets defaults for the server configuration.
func SetDefaults_ServerConfiguration(obj *ServerConfiguration) {
- if len(obj.Webhooks.BindAddress) == 0 {
- obj.Webhooks.BindAddress = "0.0.0.0"
- }
if obj.Webhooks.Port == 0 {
obj.Webhooks.Port = 9449
}
diff --git a/pkg/resourcemanager/apis/config/v1alpha1/defaults_test.go b/pkg/resourcemanager/apis/config/v1alpha1/defaults_test.go
index 3127815c431..fa82381324f 100644
--- a/pkg/resourcemanager/apis/config/v1alpha1/defaults_test.go
+++ b/pkg/resourcemanager/apis/config/v1alpha1/defaults_test.go
@@ -160,7 +160,7 @@ var _ = Describe("Defaults", func() {
SetDefaults_ServerConfiguration(obj)
- Expect(obj.Webhooks.BindAddress).To(Equal("0.0.0.0"))
+ Expect(obj.Webhooks.BindAddress).To(BeEmpty())
Expect(obj.Webhooks.Port).To(Equal(9449))
Expect(obj.HealthProbes.Port).To(Equal(8081))
Expect(obj.Metrics.Port).To(Equal(8080))
diff --git a/pkg/resourcemanager/controller/networkpolicy/reconciler.go b/pkg/resourcemanager/controller/networkpolicy/reconciler.go
index a17b2a78b04..3746ff6d7dd 100644
--- a/pkg/resourcemanager/controller/networkpolicy/reconciler.go
+++ b/pkg/resourcemanager/controller/networkpolicy/reconciler.go
@@ -346,6 +346,7 @@ func (r *Reconciler) reconcileIngressFromWorldPolicy(ctx context.Context, servic
From: []networkingv1.NetworkPolicyPeer{
{PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}},
{IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}},
+ {IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}},
},
Ports: ports,
}}
diff --git a/pkg/scheduler/apis/config/v1alpha1/defaults.go b/pkg/scheduler/apis/config/v1alpha1/defaults.go
index fb12eac5ae4..d330fdb99d6 100644
--- a/pkg/scheduler/apis/config/v1alpha1/defaults.go
+++ b/pkg/scheduler/apis/config/v1alpha1/defaults.go
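Review bot: The new `::/0` peer in `reconcileIngressFromWorldPolicy` is listed unconditionally next to `0.0.0.0/0`, and nothing at that spot explains why both families appear or that a cluster with a single IP family simply never matches the other block. A short comment keeps a later cleanup from dropping one of them: `// Allow ingress from any source address of either IP family; the runtime cluster may be IPv4, IPv6 or dual-stack.` If other allow-all `IPBlock` peers in this controller (outside this hunk) still list only `0.0.0.0/0`, they need the same companion entry, otherwise IPv6 clients are silently blocked there. The policy construction continues outside the hunk.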
@@ -92,10 +92,6 @@ func SetDefaults_ServerConfiguration(obj *ServerConfiguration) {
obj.HealthProbes = &Server{}
}
- if len(obj.HealthProbes.BindAddress) == 0 {
- obj.HealthProbes.BindAddress = "0.0.0.0"
- }
-
if obj.HealthProbes.Port == 0 {
obj.HealthProbes.Port = 10251
}
@@ -104,10 +100,6 @@ func SetDefaults_ServerConfiguration(obj *ServerConfiguration) {
obj.Metrics = &Server{}
}
- if len(obj.Metrics.BindAddress) == 0 {
- obj.Metrics.BindAddress = "0.0.0.0"
- }
-
if obj.Metrics.Port == 0 {
obj.Metrics.Port = 19251
}
diff --git a/pkg/scheduler/apis/config/v1alpha1/defaults_test.go b/pkg/scheduler/apis/config/v1alpha1/defaults_test.go
index 4f1e573a7e1..0b5df7c2c63 100644
--- a/pkg/scheduler/apis/config/v1alpha1/defaults_test.go
+++ b/pkg/scheduler/apis/config/v1alpha1/defaults_test.go
@@ -58,12 +58,10 @@ var _ = Describe("Defaults", func() {
It("should not default any values for ServerConfiguration", func() {
serverConfiguration := &schedulerv1alpha1.ServerConfiguration{
HealthProbes: &schedulerv1alpha1.Server{
- BindAddress: "127.0.0.1",
- Port: 1234,
+ Port: 1234,
},
Metrics: &schedulerv1alpha1.Server{
- BindAddress: "10.0.0.1",
- Port: 1235,
+ Port: 1235,
},
}
@@ -78,12 +76,10 @@ var _ = Describe("Defaults", func() {
expectedServerConfiguration := &schedulerv1alpha1.ServerConfiguration{
HealthProbes: &schedulerv1alpha1.Server{
- BindAddress: "0.0.0.0",
- Port: 10251,
+ Port: 10251,
},
Metrics: &schedulerv1alpha1.Server{
- BindAddress: "0.0.0.0",
- Port: 19251,
+ Port: 19251,
},
}
diff --git a/pkg/scheduler/features/features.go b/pkg/scheduler/features/features.go
index 3051f70ea8f..c6cb22069a5 100644
--- a/pkg/scheduler/features/features.go
+++ b/pkg/scheduler/features/features.go
@@ -15,11 +15,12 @@ package features import ( - "k8s.io/component-base/featuregate" -) + utilruntime "k8s.io/apimachinery/pkg/util/runtime" -// FeatureGate is a shared global FeatureGate for Gardener Scheduler flags. -var FeatureGate = featuregate.NewFeatureGate() + "github.com/gardener/gardener/pkg/features" +) -// RegisterFeatureGates registers the feature gates of the Gardener Scheduler. -func RegisterFeatureGates() {} +// RegisterFeatureGates registers the feature gates of gardener-scheduler. +func RegisterFeatureGates() { + utilruntime.Must(features.DefaultFeatureGate.Add(features.GetFeatures())) +} diff --git a/pkg/utils/test/test.go b/pkg/utils/test/test.go index 2ae8d4630d7..379e80724e6 100644 --- a/pkg/utils/test/test.go +++ b/pkg/utils/test/test.go @@ -39,7 +39,7 @@ import ( // Example usage: // // v := "foo" -// defer WithVar(&v, "bar")() +// DeferCleanup(WithVar(&v, "bar")) func WithVar(dst, src interface{}) func() { dstValue := reflect.ValueOf(dst) if dstValue.Type().Kind() != reflect.Ptr { @@ -67,7 +67,7 @@ func WithVar(dst, src interface{}) func() { // // Example usage: // -// defer WithVars(&v, "foo", &x, "bar")() +// DeferCleanup(WithVars(&v, "foo", &x, "bar")) func WithVars(dstsAndSrcs ...interface{}) func() { if len(dstsAndSrcs)%2 != 0 { ginkgo.Fail(fmt.Sprintf("dsts and srcs are not of equal length: %v", dstsAndSrcs)) @@ -138,7 +138,7 @@ func WithWd(path string) func() { // Failures to set or restore cause the test to fail. // Example use: // -// defer WithFeatureGate(utilfeature.DefaultFeatureGate, features., true)() +// DeferCleanup(WithFeatureGate(features.DefaultFeatureGate, features., true)) func WithFeatureGate(gate featuregate.FeatureGate, f featuregate.Feature, value bool) func() { originalValue := gate.Enabled(f) 
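Review bot: `RegisterFeatureGates` in gardener-scheduler now calls `features.DefaultFeatureGate.Add(features.GetFeatures())` with no feature arguments, which presumably registers an empty set, and the doc comment does not say that the scheduler currently has no gates of its own — a reader may take the call for a forgotten argument list. A comment on the call would make the intent explicit: `// gardener-scheduler currently defines no feature gates of its own; the empty Add keeps the registration path identical to the other components sharing DefaultFeatureGate.` Because the gate is now process-wide, the order of this registration relative to any flag binding on the same gate matters, which is presumably handled in the options code outside this diff.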
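Review bot: The updated example in the `WithFeatureGate` doc comment reads `DeferCleanup(WithFeatureGate(features.DefaultFeatureGate, features., true))` — the feature name after `features.` is missing, so the example does not compile as shown (it may have been a placeholder lost in rendering, but the `WithVar` and `WithVars` examples in the same hunks use concrete values). Use a concrete gate from this repository, e.g. `DeferCleanup(WithFeatureGate(features.DefaultFeatureGate, features.HVPA, true))`. `DeferCleanup` in these examples is ginkgo's function; writing `ginkgo.DeferCleanup` would match the package's existing qualified use of `ginkgo.Fail` visible in `WithVars`.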
@@ -163,7 +163,7 @@ func WithFeatureGate(gate featuregate.FeatureGate, f featuregate.Feature, value // Example usage: // // var fileName string -// defer WithTempFile("", "test", []byte("test file content"), &fileName)() +// DeferCleanup(WithTempFile("", "test", []byte("test file content"), &fileName)) func WithTempFile(dir, pattern string, content []byte, fileName *string) func() { file, err := os.CreateTemp(dir, pattern) if err != nil { diff --git a/skaffold.yaml b/skaffold.yaml index 8d989325bad..18580f62d6a 100644 --- a/skaffold.yaml +++ b/skaffold.yaml @@ -345,6 +345,7 @@ build: - pkg/controllerutils - pkg/controllerutils/predicate - pkg/controllerutils/routes + - pkg/features - pkg/gardenlet/apis/config - pkg/gardenlet/apis/config/v1alpha1 - pkg/healthz @@ -506,6 +507,15 @@ profiles: - op: add path: /deploy/helm/releases/0/valuesFiles/- value: example/provider-extensions/garden/controlplane/values.yaml +- name: ipv6 + activation: + - env: IPFAMILY=ipv6 + patches: + - op: add + path: /deploy/helm/releases/0/setValues + value: + global.admission.service.clusterIP: fd00:10:2::1000 + global.apiserver.featureGates.IPv6SingleStack: true --- apiVersion: skaffold/v4beta3 kind: Config @@ -666,6 +676,20 @@ deploy: upgrade: - --disable-openapi-validation profiles: +- name: ipv6 + activation: + - env: IPFAMILY=ipv6 + patches: + - op: add + path: /deploy/helm/releases/0/setValues + value: + values: + controllers: + service: + hostIP: "::1" + zone0IP: "::10" + zone1IP: "::11" + zone2IP: "::12" - name: kind2 patches: # The deploy stage must be skipped because provider-local can only be registered in the garden cluster. 
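Review bot: `global.admission.service.clusterIP: fd00:10:2::1000` in the `@@ -506,6 +507,15 @@` hunk is a hard-coded address that only works if it lies inside the IPv6 service CIDR the kind cluster is created with, and nothing next to it says where that CIDR is configured; a comment such as `# must lie inside the service CIDR of the IPv6 kind cluster (see the kind-up script)` would keep the two values from drifting apart. The literal `hostIP`/`zone0IP`–`zone2IP` values in the `@@ -666,6 +676,20 @@` hunk deserve the same treatment: only `::1` is the IPv6 loopback address, so `::10`–`::12` are not loopback aliases and must be assigned on the host somewhere this profile does not reference. Both profiles activate on `IPFAMILY=ipv6` and otherwise duplicate each other's structure, so a short comment in the first one pointing at the second (and at the third instance added in `@@ -1123,3 +1147,11 @@`) would help readers find all the places that must change together.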
@@ -1123,3 +1147,11 @@ profiles: - bash - -ec - TIMEOUT=1200 hack/usage/wait-for.sh seed local-ha-multi-zone GardenletReady Bootstrapped SeedSystemComponentsHealthy ExtensionsReady BackupBucketsReady + +- name: ipv6 + activation: + - env: IPFAMILY=ipv6 + patches: + - op: add + path: /deploy/helm/releases/0/valuesFiles/- + value: example/gardener-local/gardenlet/values-ipv6.yaml diff --git a/test/integration/gardenlet/controllerinstallation/controllerinstallation/controllerinstallation_test.go b/test/integration/gardenlet/controllerinstallation/controllerinstallation/controllerinstallation_test.go index 917dd8b9408..583531a073f 100644 --- a/test/integration/gardenlet/controllerinstallation/controllerinstallation/controllerinstallation_test.go +++ b/test/integration/gardenlet/controllerinstallation/controllerinstallation/controllerinstallation_test.go @@ -32,7 +32,6 @@ import ( "github.com/gardener/gardener/pkg/client/kubernetes" "github.com/gardener/gardener/pkg/features" "github.com/gardener/gardener/pkg/gardenlet/controller/controllerinstallation/controllerinstallation" - gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features" "github.com/gardener/gardener/pkg/utils/test" . "github.com/gardener/gardener/pkg/utils/test/matchers" ) @@ -157,7 +156,7 @@ var _ = Describe("ControllerInstallation controller tests", func() { }) It("should create a namespace and deploy the chart", func() { - DeferCleanup(test.WithFeatureGate(gardenletfeatures.FeatureGate, features.FullNetworkPoliciesInRuntimeCluster, false)) + DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.FullNetworkPoliciesInRuntimeCluster, false)) By("Ensure namespace was created") namespace := &corev1.Namespace{} 
@@ -322,7 +321,7 @@ var _ = Describe("ControllerInstallation controller tests", func() {
 })
 It("should delete the 'gardenlet-allow-all-traffic' network policy", func() {
- DeferCleanup(test.WithFeatureGate(gardenletfeatures.FeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true))
 By("Ensure namespace was created")
 namespace := &corev1.Namespace{}
diff --git a/test/integration/gardenlet/networkpolicy/networkpolicy_suite_test.go b/test/integration/gardenlet/networkpolicy/networkpolicy_suite_test.go
index 09811a61b66..06ecee111a1 100644
--- a/test/integration/gardenlet/networkpolicy/networkpolicy_suite_test.go
+++ b/test/integration/gardenlet/networkpolicy/networkpolicy_suite_test.go
@@ -76,7 +76,7 @@ var _ = BeforeSuite(func() {
 logf.SetLogger(logger.MustNewZapLogger(logger.DebugLevel, logger.FormatJSON, zap.WriteTo(GinkgoWriter)))
 log = logf.Log.WithName(testID)
- DeferCleanup(test.WithFeatureGate(gardenletfeatures.FeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.FullNetworkPoliciesInRuntimeCluster, true))
 By("Start test environment")
 testEnv = &gardenerenvtest.GardenerTestEnvironment{
diff --git a/test/integration/gardenlet/seed/seed/seed_test.go b/test/integration/gardenlet/seed/seed/seed_test.go
index 787e891fe02..5e30374db8d 100644
--- a/test/integration/gardenlet/seed/seed/seed_test.go
+++ b/test/integration/gardenlet/seed/seed/seed_test.go
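Review bot: Unlike `controllerinstallation_test.go` and `seed_test.go`, whose diffs also drop the `gardenletfeatures` import, the diff for `networkpolicy_suite_test.go` consists of this single hunk in `BeforeSuite`, so the `gardenletfeatures` alias must still be referenced elsewhere in that file or it would no longer compile; presumably it now only serves to register the gardenlet's gates. If so, a short comment at that remaining call site, e.g. `// registers into the shared features.DefaultFeatureGate that the suite toggles below`, would make the coupling between the registration and the `WithFeatureGate` call in this hunk visible. `BeforeSuite`'s body starts and ends outside the hunk.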
@@ -47,7 +47,6 @@ import (
 "github.com/gardener/gardener/pkg/features"
 "github.com/gardener/gardener/pkg/gardenlet/apis/config"
 seedcontroller "github.com/gardener/gardener/pkg/gardenlet/controller/seed/seed"
- gardenletfeatures "github.com/gardener/gardener/pkg/gardenlet/features"
 "github.com/gardener/gardener/pkg/operation/botanist/component/extensions/dnsrecord"
 "github.com/gardener/gardener/pkg/operation/botanist/component/nginxingress"
 "github.com/gardener/gardener/pkg/operation/botanist/component/resourcemanager"
@@ -190,7 +189,7 @@ var _ = Describe("Seed controller tests", func() {
 &secretsutils.GenerateKey, secretsutils.FakeGenerateKey,
 &resourcemanager.SkipWebhookDeployment, true,
 ))
- DeferCleanup(test.WithFeatureGate(gardenletfeatures.FeatureGate, features.HVPA, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, true))
 By("Create DNS provider secret in garden namespace")
 dnsProviderSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{
diff --git a/test/integration/operator/garden/garden_test.go b/test/integration/operator/garden/garden_test.go
index 51773f6a9b6..95fac911537 100644
--- a/test/integration/operator/garden/garden_test.go
+++ b/test/integration/operator/garden/garden_test.go
@@ -50,7 +50,6 @@ import (
 "github.com/gardener/gardener/pkg/operator/apis/config"
 operatorclient "github.com/gardener/gardener/pkg/operator/client"
 gardencontroller "github.com/gardener/gardener/pkg/operator/controller/garden"
- operatorfeatures "github.com/gardener/gardener/pkg/operator/features"
 "github.com/gardener/gardener/pkg/utils"
 "github.com/gardener/gardener/pkg/utils/imagevector"
 secretsutils "github.com/gardener/gardener/pkg/utils/secrets"
@@ -69,7 +68,7 @@ var _ = Describe("Garden controller tests", func() {
 BeforeEach(func() {
 DeferCleanup(test.WithVar(&secretsutils.GenerateKey, secretsutils.FakeGenerateKey))
- DeferCleanup(test.WithFeatureGate(operatorfeatures.FeatureGate, features.HVPA, true))
+ DeferCleanup(test.WithFeatureGate(features.DefaultFeatureGate, features.HVPA, true))
 DeferCleanup(test.WithVars(
 &etcd.DefaultInterval, 100*time.Millisecond,
 &etcd.DefaultTimeout, 500*time.Millisecond,
diff --git a/test/integration/resourcemanager/networkpolicy/networkpolicy_test.go b/test/integration/resourcemanager/networkpolicy/networkpolicy_test.go
index 1c06bb58a2c..31092c508f7 100644
--- a/test/integration/resourcemanager/networkpolicy/networkpolicy_test.go
+++ b/test/integration/resourcemanager/networkpolicy/networkpolicy_test.go
@@ -852,6 +852,7 @@ var _ = Describe("NetworkPolicy Controller tests", func() {
 From: []networkingv1.NetworkPolicyPeer{
 {PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}},
 {IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}},
+ {IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}},
 },
 Ports: []networkingv1.NetworkPolicyPort{
 {Protocol: &port1Protocol, Port: &port1TargetPort},
@@ -882,6 +883,7 @@ var _ = Describe("NetworkPolicy Controller tests", func() {
 From: []networkingv1.NetworkPolicyPeer{
 {PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}},
 {IPBlock: &networkingv1.IPBlock{CIDR: "0.0.0.0/0"}},
+ {IPBlock: &networkingv1.IPBlock{CIDR: "::/0"}},
 },
 }},
 }))
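Review bot: The expected ingress peers in the `@@ -852,6 +852,7 @@` hunk, and again in `@@ -882,6 +883,7 @@`, now list `::/0` next to `0.0.0.0/0` unconditionally, so the generated NetworkPolicy is asserted to admit every IPv6 source as well as every IPv4 source regardless of which IP families the runtime cluster actually uses. That is consistent with the pre-existing `0.0.0.0/0` peer, but the intent should be stated in the expectation so the extra `IPBlock` is not later read as an accidental widening, e.g. `// both families are allowed on purpose: 0.0.0.0/0 alone would silently exclude IPv6 clients`. The controller change that emits `::/0` is not part of this chunk, so whether it is gated on the cluster's IP families cannot be checked here; if it is not, a test case for a single-stack IPv4 cluster would document that the `::/0` block is harmless there.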