From 856c7723dbe22f74e72c48205875a1cc7c3bd2bd Mon Sep 17 00:00:00 2001 
From: Johannes Aubart Date: Tue, 6 Dec 2022 10:44:12 +0100 Subject: [PATCH] Upgrade Gardener and extensions (#956) * Upgrade github_com_gardener_external-dns-management (#941) from v0.13.3 to v0.14.1 * Upgrade github_com_gardener_terminal-controller-manager (#931) from v0.21.0 to v0.22.0 Co-authored-by: gardener-robot-ci-3 * Upgrade github_com_gardener_gardener-extension-networking-calico (#928) from v1.26.0 to v1.27.0 Co-authored-by: gardener-robot-ci-1 * Upgrade github_com_gardener_dashboard (#927) from 1.61.2 to 1.62.0 Co-authored-by: gardener-robot-ci-2 * [ci:component:github.com/gardener/gardener-extension-os-suse-chost:v1.18.0->v1.19.0] (#921) * Upgrade github_com_gardener_gardener-extension-os-suse-chost from v1.18.0 to v1.19.0 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: gardener-robot-ci-3 Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> * [ci:component:github.com/gardener/gardener-extension-os-gardenlinux:v0.14.0->v0.15.0] (#920) * Upgrade github_com_gardener_gardener-extension-os-gardenlinux from v0.14.0 to v0.15.0 Co-authored-by: Gardener CI Robot 1 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> * [ci:component:github.com/gardener/gardener-extension-os-ubuntu:v1.18.0->v1.19.0] (#919) * Upgrade github_com_gardener_gardener-extension-os-ubuntu from v1.18.0 to v1.19.0 Co-authored-by: Gardener CI Robot 1 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> * Upgrade github_com_gardener_gardener (#905) from v1.54.1 to v1.57.1 Co-authored-by: gardener-robot-ci-3 Co-authored-by: Johannes Aubart * adapt dashboard component to chart changes * always checkout complete charts 
for extensions
* make 'sow convertkubeconfig' work on clusters >= 1.24
* upgrade virtual cluster to v1.22.15
* upgrade virtual cluster to v1.23.13
* adapt Gardener helm chart
Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com>
Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com>
Co-authored-by: gardener-robot-ci-3
Co-authored-by: gardener-robot-ci-1
Co-authored-by: gardener-robot-ci-2
---
 acre.yaml | 2 +-
 components/dashboard/deployment.yaml | 83 ++++++++++---------
 components/gardener/extensions/component.yaml | 3 +-
 components/gardener/virtual/deployment.yaml | 2 +-
 .../templates/deployment-kube-apiserver.yaml | 6 +-
 dependency-versions.yaml | 16 ++--
 lib/sow.sh | 28 ++++---
 7 files changed, 73 insertions(+), 67 deletions(-)

diff --git a/acre.yaml b/acre.yaml
index 6bdae981..f9064bac 100644
--- a/acre.yaml
+++ b/acre.yaml
@@ -27,7 +27,7 @@ landscape:
 versions:
 kube-apiserver:
 image_repo: k8s.gcr.io/kube-apiserver
- image_tag: v1.21.14
+ image_tag: v1.23.13
 kube-controller-manager:
 image_repo: k8s.gcr.io/kube-controller-manager
 image_tag: (( kube-apiserver.image_tag ))
diff --git a/components/dashboard/deployment.yaml b/components/dashboard/deployment.yaml
index d6a2050f..aa12d7c0 100644
--- a/components/dashboard/deployment.yaml
+++ b/components/dashboard/deployment.yaml
@@ -42,47 +42,48 @@ dashboard:
 name: "dashboard"
 namespace: (( .landscape.namespace ))
 values:
- apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
- apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
- sessionSecret: (( rand("[:alnum:]", 30) ))
- ingress:
- tls:
- secretName: (( imports.cert.export.certificate.secret_name ))
- hosts:
- - (( imports.identity.export.dashboard_dns ))
- - (( .landscape.dashboard.cname.domain || ~~ ))
- annotations:
- <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
- image:
- repository: (( .dashboard_version.image_repo || ~~ ))
- tag: (( .dashboard_version.image_tag || ~~ ))
- pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
- oidc:
- issuerUrl: (( imports.identity.export.issuer_url ))
- ca: (( imports.cert-controller.export.ca.crt || ~~ ))
- clientSecret: (( imports.identity.export.dashboardClientSecret ))
- public:
- clientId: kube-kubectl
- clientSecret: (( imports.identity.export.kubectlClientSecret ))
- kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
- podLabels:
- <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
- networking.gardener.cloud/to-dns: allowed
- networking.gardener.cloud/to-garden-kube-apiserver: allowed
- networking.gardener.cloud/to-identity: allowed
- networking.gardener.cloud/to-ingress: allowed
- networking.gardener.cloud/to-world: allowed
- networking.gardener.cloud/to-inside: allowed
- gitHub: (( .landscape.dashboard.gitHub || ~~ ))
- frontendConfig:
- <<: (( .landscape.dashboard.frontendConfig || ~ ))
- seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
- features:
- <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
- terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
- terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ ))
- resources:
- <<: (( .landscape.dashboard.resources || ~~ ))
+ global:
+ apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
+ apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
+ sessionSecret: (( rand("[:alnum:]", 30) ))
+ ingress:
+ tls:
+ secretName: (( imports.cert.export.certificate.secret_name ))
+ hosts:
+ - (( imports.identity.export.dashboard_dns ))
+ - (( .landscape.dashboard.cname.domain || ~~ ))
+ annotations:
+ <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
+ image:
+ repository: (( .dashboard_version.image_repo || ~~ ))
+ tag: (( .dashboard_version.image_tag || ~~ ))
+ pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
+ oidc:
+ issuerUrl: (( imports.identity.export.issuer_url ))
+ ca: (( imports.cert-controller.export.ca.crt || ~~ ))
+ clientSecret: (( imports.identity.export.dashboardClientSecret ))
+ public:
+ clientId: kube-kubectl
+ clientSecret: (( imports.identity.export.kubectlClientSecret ))
+ kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
+ podLabels:
+ <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
+ networking.gardener.cloud/to-dns: allowed
+ networking.gardener.cloud/to-garden-kube-apiserver: allowed
+ networking.gardener.cloud/to-identity: allowed
+ networking.gardener.cloud/to-ingress: allowed
+ networking.gardener.cloud/to-world: allowed
+ networking.gardener.cloud/to-inside: allowed
+ gitHub: (( .landscape.dashboard.gitHub || ~~ ))
+ frontendConfig:
+ <<: (( .landscape.dashboard.frontendConfig || ~ ))
+ seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
+ features:
+ <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
+ terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
+ terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ ))
+ resources:
+ <<: (( .landscape.dashboard.resources || ~~ ))
 
 terminal_config:
 <<: (( &temporary &template ))
diff --git a/components/gardener/extensions/component.yaml b/components/gardener/extensions/component.yaml
index 28516b41..22ff345e 100644
--- a/components/gardener/extensions/component.yaml
+++ b/components/gardener/extensions/component.yaml
@@ -26,8 +26,7 @@ spec_template:
 branch: (( version.branch || ~~ ))
 commit: (( version.commit || ~~ ))
 files:
- - (( version.chart_path ))
- - (( contains( deployment.admissionControllers, n ) ? ( "charts/" version.admission_controller_name ) :~~ ))
+ - charts
 
 deployment:
 # which extensions should be deployed
diff --git a/components/gardener/virtual/deployment.yaml b/components/gardener/virtual/deployment.yaml
index 0230f7d9..42f97577 100644
--- a/components/gardener/virtual/deployment.yaml
+++ b/components/gardener/virtual/deployment.yaml
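Review bot: The moved block is byte-identical apart from the new `global:` parent, but whether the 1.62.0 chart actually reads `podLabels`, `resources` and `terminal` from `global` rather than from a sub-chart scope cannot be seen from this hunk. A key the chart silently ignores would drop the `networking.gardener.cloud/*` labels, and with them the pod's network-policy allowances, without any render error, so this is worth confirming against the chart's values.yaml before merge. A short comment above the new line would record the contract, e.g. `# dashboard chart >= 1.62.0 reads all values from .global; keys outside it are ignored`. Unrelated to the move, `sessionSecret` is produced by `rand(...)` on every evaluation; if the value is not persisted between runs each deploy rotates it and invalidates active dashboard sessions, which deserves a comment if intended. The enclosing `dashboard:` document starts before this hunk.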
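Review bot: Replacing the two file entries with `- charts` removes the `contains( deployment.admissionControllers, n )` condition that previously decided whether an extension's admission-controller chart was fetched at all, so that gating now has to happen in the deployment step, which is outside this hunk. If that step iterates over every directory under `charts`, an admission controller would be installed for extensions where it is not enabled in `admissionControllers`; if it still selects by name, the dropped condition is only a larger checkout. Either way the new line should say where the selection lives, e.g. `- charts  # whole charts dir; which charts are deployed is decided via deployment.admissionControllers`. The `spec_template:` mapping this belongs to starts before the hunk.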
@@ -174,7 +174,7 @@ gardener:
 qps: 100
 burst: 130
 server:
- https:
+ webhooks:
 bindAddress: 0.0.0.0
 port: 2719
 tls:
diff --git a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
index b794bdb2..2000c582 100644
--- a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
+++ b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
@@ -122,7 +122,7 @@ spec:
 - --service-account-signing-key-file=/srv/kubernetes/service-account-key/service_account.key
 - --tls-cert-file=/srv/kubernetes/apiserver/tls.crt
 - --tls-private-key-file=/srv/kubernetes/apiserver/tls.key
- - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+ - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 - --v=2
 livenessProbe:
 httpGet:
@@ -203,8 +203,8 @@ spec:
 failureThreshold: 2
 httpGet:
 path: /healthz
- port: 10252
- scheme: HTTP
+ port: 10257
+ scheme: HTTPS
 initialDelaySeconds: 15
 periodSeconds: 10
 successThreshold: 1
diff --git a/dependency-versions.yaml b/dependency-versions.yaml
index 9efc8495..70970e84 100644
--- a/dependency-versions.yaml
+++ b/dependency-versions.yaml
@@ -3,12 +3,12 @@
 "gardener": {
 "core": {
 "repo": "https://github.com/gardener/gardener.git",
- "version": "v1.56.1"
+ "version": "v1.57.1"
 },
 "extensions": {
 "networking-calico": {
 "repo": "https://github.com/gardener/gardener-extension-networking-calico.git",
- "version": "v1.26.0"
+ "version": "v1.27.0"
 },
 "os-coreos": {
 "repo": "https://github.com/gardener/gardener-extension-os-coreos.git",
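Review bot: The new `--tls-cipher-suites` value mixes TLS 1.2 suites with the TLS 1.3 names `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`; Go does not allow TLS 1.3 suites to be configured, so those two entries are accepted but have no effect, and the restriction only governs connections that negotiate TLS 1.2. Dropping the CBC and RSA-key-exchange suites is the right direction, but whether a `--tls-min-version` flag pins the floor is not visible in this hunk, and without it the remaining ECDHE suites can still be offered on older protocol versions, so it is worth checking the flag list outside the hunk. The `TLS_ECDHE_ECDSA_*` entries only matter if the certificate at `/srv/kubernetes/apiserver/tls.crt` is an ECDSA key; with an RSA certificate they are never selected. A comment on the flag line would save the next reader this analysis, e.g. `# AEAD-only TLS 1.2 suites with (EC)DHE; TLS 1.3 suites are fixed by Go and listed for documentation`. The container spec this flag belongs to starts before the hunk.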
@@ -16,15 +16,15 @@
 },
 "os-suse-chost": {
 "repo": "https://github.com/gardener/gardener-extension-os-suse-chost.git",
- "version": "v1.18.0"
+ "version": "v1.19.0"
 },
 "os-ubuntu": {
 "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git",
- "version": "v1.18.0"
+ "version": "v1.19.0"
 },
 "os-gardenlinux": {
 "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git",
- "version": "v0.14.0"
+ "version": "v0.15.0"
 },
 "provider-aws": {
 "repo": "https://github.com/gardener/gardener-extension-provider-aws.git",
@@ -67,7 +67,7 @@
 "dashboard": {
 "core": {
 "repo": "https://github.com/gardener/dashboard.git",
- "version": "1.61.2"
+ "version": "1.62.0"
 },
 "identity": {
 "repo": "(( dashboard.core.repo ))",
@@ -76,13 +76,13 @@
 "terminals": {
 "terminal-controller-manager": {
 "repo": "https://github.com/gardener/terminal-controller-manager.git",
- "version": "v0.21.0"
+ "version": "v0.22.0"
 }
 }
 },
 "dns-controller-manager": {
 "repo": "https://github.com/gardener/external-dns-management.git",
- "version": "v0.13.3"
+ "version": "v0.14.1"
 }
 }
 }
\ No newline at end of file
diff --git a/lib/sow.sh b/lib/sow.sh
index 0e5d03a2..878e29c3 100644
--- a/lib/sow.sh
+++ b/lib/sow.sh
@@ -126,6 +126,18 @@ CMD_convertkubeconfig() { verbose "Creating serviceaccount '$sa', if it doesn't exist ..." exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get serviceaccount $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns create serviceaccount $sa + # create serviceaccount secret manually (required for clusters >=1.24) + verbose "Creating serviceaccount secret '$sa', if it doesn't exist ..." + exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns apply -f - </dev/null); then - # secret name found, fetch token - debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $secret -o jsonpath='{.data.token}'" - if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $secret -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then - debug "found token" - break - else - echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..." - fi + debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $sa -o jsonpath='{.data.token}'" + if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then + debug "found token" + break else - echo "secret name cannot be retrieved from serviceaccount, retrying in $sleep_time seconds ..." + echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..." fi local now=$(date +%s) if [[ $(($now - $start_time)) -gt $timeout ]]; then