diff --git a/SOW_VERSION b/SOW_VERSION
index e5b82034..084e244c 100644
--- a/SOW_VERSION
+++ b/SOW_VERSION
@@ -1 +1 @@
-3.5.0
\ No newline at end of file
+3.6.0
\ No newline at end of file
diff --git a/acre.yaml b/acre.yaml
index df64ec6d..69ed4787 100644
--- a/acre.yaml
+++ b/acre.yaml
@@ -27,7 +27,7 @@ landscape:
 versions:
 kube-apiserver:
 image_repo: k8s.gcr.io/kube-apiserver
- image_tag: v1.19.15
+ image_tag: v1.20.15
 kube-controller-manager:
 image_repo: k8s.gcr.io/kube-controller-manager
 image_tag: (( kube-apiserver.image_tag ))
@@ -179,7 +179,7 @@ landscape:
 repo: https://github.com/kubernetes/ingress-nginx.git
 image_tag: (( valid( tag ) ? substr(tag, length("controller-")) :~~ ))
 image_repo: eu.gcr.io/k8s-artifacts-prod/ingress-nginx/controller
- tag: (( valid( branch ) -or valid( commit ) ? ~~ :"controller-v1.1.3" ))
+ tag: (( valid( branch ) -or valid( commit ) ? ~~ :"controller-v1.3.0" ))
 nginx-ingress-k8s-backend:
 <<: (( merge ))
 image_tag: "0.9.0"
@@ -606,16 +606,29 @@ validation:
 - ["optionalfield", "HVPAForShootedSeed", ["type", "bool"]]
 - ["optionalfield", "ManagedIstio", ["type", "bool"]]
 - ["optionalfield", "APIServerSNI", ["type", "bool"]]
- - ["optionalfield", "CachedRuntimeClients", ["type", "bool"]]
 - ["optionalfield", "SeedChange", ["type", "bool"]]
 - ["optionalfield", "SeedKubeScheduler", ["type", "bool"]]
 - ["optionalfield", "ReversedVPN", ["type", "bool"]]
+ - ["optionalfield", "CopyEtcdBackupsDuringControlPlaneMigration", ["type", "bool"]]
+ - ["optionalfield", "ForceRestore", ["type", "bool"]]
+ - ["optionalfield", "ShootCARotation", ["type", "bool"]]
+ - ["optionalfield", "ShootSARotation", ["type", "bool"]]
+ - ["optionalfield", "HAControlPlanes", ["type", "bool"]]
+ - ["optionalfield", "NodeLocalDNS", ["type", "bool"]]
+ - ["optionalfield", "KonnectivityTunnel", ["type", "bool"]]
+ - ["optionalfield", "MountHostCADirectories", ["type", "bool"]]
+ - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
+ - ["optionalfield", "Logging", ["type", "bool"]]
 - ["optionalfield", "AdminKubeconfigRequest", ["type", "bool"]]
 - ["optionalfield", "UseDNSRecords", ["type", "bool"]]
- - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
- - ["optionalfield", "DisallowKubeconfigRotationForShootInDeletion", ["type", "bool"]]
- - ["optionalfield", "RotateSSHKeypairOnMaintenance", ["type", "bool"]]
+ - ["optionalfield", "CachedRuntimeClients", ["type", "bool"]]
 - ["optionalfield", "DenyInvalidExtensionResources", ["type", "bool"]]
+ - ["optionalfield", "RotateSSHKeypairOnMaintenance", ["type", "bool"]]
+ - ["optionalfield", "ShootMaxTokenExpirationOverwrite", ["type", "bool"]]
+ - ["optionalfield", "ShootMaxTokenExpirationValidation", ["type", "bool"]]
+ - ["optionalfield", "WorkerPoolKubernetesVersion", ["type", "bool"]]
+ - ["optionalfield", "DisableDNSProviderManagement", ["type", "bool"]]
+ - ["optionalfield", 
"SecretBindingProviderValidation", ["type", "bool"]] - - optionalfield - gardenClientConnection - - and diff --git a/components/etcd/backupinfra/provider/abs/main.tf b/components/etcd/backupinfra/provider/abs/main.tf index 2ac1fafe..64d49d4b 100644 --- a/components/etcd/backupinfra/provider/abs/main.tf +++ b/components/etcd/backupinfra/provider/abs/main.tf @@ -3,7 +3,7 @@ provider "azurerm" { client_secret = var.CLIENT_SECRET tenant_id = var.TENANT_ID subscription_id = var.SUBSCRIPTION_ID - version = "=2.8" + version = "=2.48" features {} } @@ -24,6 +24,7 @@ resource "azurerm_storage_account" "storageAccount" { access_tier = "Hot" account_tier = "Standard" account_replication_type = "LRS" + min_tls_version = "TLS1_2" } resource "azurerm_storage_container" "container" { diff --git a/components/etcd/backupinfra/provider/gcs/main.tf b/components/etcd/backupinfra/provider/gcs/main.tf index c9cf19a6..abd48781 100644 --- a/components/etcd/backupinfra/provider/gcs/main.tf +++ b/components/etcd/backupinfra/provider/gcs/main.tf @@ -16,7 +16,7 @@ provider "google" { credentials = var.SERVICEACCOUNT project = var.PROJECT region = var.REGION - version = "=3.20" + version = "=3.63" } //===================================================================== diff --git a/components/etcd/backupinfra/provider/s3/main.tf b/components/etcd/backupinfra/provider/s3/main.tf index 8c20def9..5f5ce6fd 100644 --- a/components/etcd/backupinfra/provider/s3/main.tf +++ b/components/etcd/backupinfra/provider/s3/main.tf @@ -16,7 +16,7 @@ provider "aws" { access_key = var.ACCESS_KEY secret_key = var.SECRET_KEY region = var.REGION - version = "=2.60" + version = "=3.30" } //===================================================================== @@ -25,7 +25,6 @@ provider "aws" { resource "aws_s3_bucket" "bucket" { bucket_prefix = var.BUCKETNAME - region = var.REGION force_destroy = true tags = { Name = var.LANDSCAPE 
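Review bot: Besides adding the new feature gates, the hunk also moves `CachedRuntimeClients` and `RotateSSHKeypairOnMaintenance` to new positions (removed near the top, re-added further down), which is unrelated churn that makes the real additions harder to review. Keeping the list in a fixed order (for example alphabetical) would make additions show up as pure insertions and would have made the duplicate `DisallowKubeconfigRotationForShootInDeletion` entries this hunk removes obvious earlier. The validation list continues outside the hunk.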
diff --git a/components/gardencontent/seeds/manifests/seed_manifests.yaml b/components/gardencontent/seeds/manifests/seed_manifests.yaml
index e4a885da..0391b19a 100644
--- a/components/gardencontent/seeds/manifests/seed_manifests.yaml
+++ b/components/gardencontent/seeds/manifests/seed_manifests.yaml
@@ -223,7 +223,7 @@ gardenletSpec:
 leaseDuration: 15s
 renewDeadline: 10s
 retryPeriod: 2s
- resourceLock: configmaps
+ resourceLock: configmapsleases
 logLevel: info
 logging:
 <<: (( configValues.config.logging || ~~ ))
diff --git a/components/gardener/virtual/deployment.yaml b/components/gardener/virtual/deployment.yaml
index 48a5eef8..0230f7d9 100644
--- a/components/gardener/virtual/deployment.yaml
+++ b/components/gardener/virtual/deployment.yaml
@@ -224,7 +224,7 @@ gardener:
 leaderElect: true
 leaseDuration: 15s
 renewDeadline: 10s
- resourceLock: configmaps
+ resourceLock: configmapsleases
 retryPeriod: 2s
 logLevel: info
 server:
diff --git a/components/ingress-controller/deployment.yaml b/components/ingress-controller/deployment.yaml
index bf4a4672..8d69a1f5 100644
--- a/components/ingress-controller/deployment.yaml
+++ b/components/ingress-controller/deployment.yaml
@@ -34,7 +34,7 @@ ingresscontroller:
 name: "nginx-ingress"
 namespace: "kube-system"
 flags:
- deploy: "--kube-version=1.19.0"
+ deploy: "--kube-version=1.20.0"
 values:
 fullnameOverride: (( .ingresscontroller.name ))
 controller:
diff --git a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
index fffb89a0..b794bdb2 100644
--- a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
+++ b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml
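Review bot: `resourceLock: configmapsleases` is the transitional dual lock (a ConfigMap and a Lease held together) that client-go provides for migrating off ConfigMap-based leader election; the same change is made in components/gardener/virtual/deployment.yaml in this commit. While it is in use, the identities running leader election need write access to both `configmaps` and `coordination.k8s.io/leases` in the lock namespace, so the RBAC for those components (outside these hunks) should be checked. Once every replica has run with `configmapsleases`, a follow-up should switch to `leases` so the ConfigMap write permission can be dropped; a comment at the key such as `# transitional dual lock - switch to "leases" once all replicas have rolled` would record that intent. The leader-election settings map continues outside the hunk.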
@@ -94,6 +94,7 @@ spec: - --etcd-certfile=/srv/kubernetes/etcd/client/tls.crt - --etcd-keyfile=/srv/kubernetes/etcd/client/tls.key - --etcd-servers={{ .Values.etcd.main.endpoints }} + - --external-hostname={{ .Values.apiServer.externalHostname }} {{ if .Values.etcd.events.endpoints }} {{ end }} - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP @@ -116,7 +117,9 @@ spec: - --requestheader-username-headers=X-Remote-User - --secure-port=443 - --service-cluster-ip-range=100.64.0.0/13 + - --service-account-issuer={{ .Values.apiServer.serviceAccountIssuer }} - --service-account-key-file=/srv/kubernetes/service-account-key/service_account.key + - --service-account-signing-key-file=/srv/kubernetes/service-account-key/service_account.key - --tls-cert-file=/srv/kubernetes/apiserver/tls.crt - --tls-private-key-file=/srv/kubernetes/apiserver/tls.key - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA diff --git a/components/kube-apiserver/chart/values.yaml b/components/kube-apiserver/chart/values.yaml index aff7a7f7..0ef1e55a 100644 --- a/components/kube-apiserver/chart/values.yaml +++ b/components/kube-apiserver/chart/values.yaml @@ -21,6 +21,7 @@ images: replicas: 3 apiServer: hostname: 127.0.0.1 + externalHostname: api.foo.com serviceName: garden-kube-apiserver oidcIssuerURL: https://identity.URL diff --git a/components/kube-apiserver/deployment.yaml b/components/kube-apiserver/deployment.yaml index 2687fdb3..2d4b57f7 100644 --- a/components/kube-apiserver/deployment.yaml +++ b/components/kube-apiserver/deployment.yaml 
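Review bot: In the hunk at @@ -116, `--service-account-signing-key-file` and `--service-account-key-file` both point at `/srv/kubernetes/service-account-key/service_account.key`, so the verification set is exactly the current signing key and a key rotation has no overlap window: as soon as that file is replaced, tokens minted with the previous key are rejected until every workload has re-fetched a token. If rotation is planned, the previous public key should stay listed via an additional `--service-account-key-file` flag for the transition period. The value of `--service-account-issuer` is also embedded in every bound token and published in the OIDC discovery document; if I recall correctly, when `--service-account-jwks-uri` is not set the `jwks_uri` there is derived from `--external-hostname`, which the hunk at @@ -94 sets from the same values file, so the two values need to stay consistent. The container args list continues outside both hunks.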
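Review bot: The template in this commit adds `--service-account-issuer={{ .Values.apiServer.serviceAccountIssuer }}`, but the values.yaml hunk only gains `externalHostname`; with chart defaults the flag renders as `--service-account-issuer=` and, as far as I recall, a 1.20 apiserver rejects an empty issuer at startup. A matching default next to the new key, e.g. `serviceAccountIssuer: https://api.example.com` (constructed placeholder), would keep the chart renderable on its own. `api.foo.com` is also a real-looking public domain; an RFC 2606 name such as `api.example.com` avoids pointing discovery at a host someone else controls if the default ever leaks into a rendered manifest. The `apiServer:` map continues outside the hunk.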
@@ -103,6 +103,8 @@ kubeapiserver:
 hostname: (( .settings.apiserver_dns ))
 serviceName: (( name ))
 oidcIssuerURL: (( .imports.identity.export.issuer_url ))
+ externalHostname: (( .settings.apiserver_dns ))
+ serviceAccountIssuer: (( "https://" externalHostname ))
 tls:
 kubeAPIServer:
 ca: (( spec.KeyCert(.state.kube_apiserver_ca) ))
diff --git a/components/terminals/deployment.yaml b/components/terminals/deployment.yaml
index 3f76fbc2..6a880549 100644
--- a/components/terminals/deployment.yaml
+++ b/components/terminals/deployment.yaml
@@ -37,7 +37,7 @@ kubectl_sa:
 - apiVersion: v1
 kind: ServiceAccount
 metadata:
- name: default
+ name: terminal-controller-manager
 namespace: terminal-system
 - apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -101,7 +101,7 @@ settings:
 namespace: terminal-system # terminal controller manager namespace
 kubeconfig_secret_name: garden-kubeconfig-for-admin # name of admin kubeconfig secret
 kubeconfig_path: (( env.GENDIR "/" kubeconfig_secret_name ".kubeconfig" )) # path to admin kubeconfig
- kubeconfig_secret_path_sa: (( env.GENDIR "/kubectl_sa/sa_default.kubeconfig" )) # path to secret manifest for sa kubeconfig
+ kubeconfig_secret_path_sa: (( env.GENDIR "/kubectl_sa/sa_terminal-controller-manager.kubeconfig" )) # path to secret manifest for sa kubeconfig
 kubeconfig_secret_path_admin: (( env.GENDIR "/kcfg_admin/secret_" kubeconfig_secret_name ".yaml" )) # path to secret manifest for admin kubeconfig
 repo_path: (( env.GENDIR "/git/repo" )) # path to checked-out git repo for easy access
 cert_path: (( repo_path "/config/secret/tls" )) # path to tls folder in checked-out git repo
diff --git a/dependency-versions.yaml b/dependency-versions.yaml
index be0ce887..dcb55318 100644
--- a/dependency-versions.yaml
+++ b/dependency-versions.yaml
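Review bot: `serviceAccountIssuer: (( "https://" externalHostname ))` ties the issuer to `.settings.apiserver_dns`; because the issuer claim is checked on every bound service-account token, a later change of the API server DNS name invalidates all tokens issued under the old value until workloads refresh them, and as far as I know a 1.20 apiserver accepts only a single issuer, so there is no overlap period. That coupling deserves a comment at the key, e.g. `# baked into every projected SA token - changing apiserver_dns invalidates them`. The `kubeapiserver:` map continues outside the hunk.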
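Review bot: In the hunk at @@ -37, renaming the ServiceAccount from `default` to `terminal-controller-manager` is the right move, since the `default` SA is auto-created in every namespace and mounted into any pod that sets no `serviceAccountName`, so a ClusterRole bound to it is granted to all such pods. The ClusterRoleBinding subject and the controller's `serviceAccountName` are outside this hunk and must reference the new name, otherwise the role stays bound to `default` (the hunk at @@ -101 already updates the generated kubeconfig path). It is also worth checking that no other binding in terminal-system still names `default`, since the rename does not remove what was previously granted to it. The `kubectl_sa:` manifest list continues outside the hunk.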
@@ -3,16 +3,16 @@
 "gardener": {
 "core": {
 "repo": "https://github.com/gardener/gardener.git",
- "version": "v1.49.4"
+ "version": "v1.50.2"
 },
 "extensions": {
 "dns-external": {
 "repo": "https://github.com/gardener/external-dns-management.git",
- "version": "v0.12.3"
+ "version": "v0.13.0"
 },
 "networking-calico": {
 "repo": "https://github.com/gardener/gardener-extension-networking-calico.git",
- "version": "v1.24.3"
+ "version": "v1.25.0"
 },
 "os-coreos": {
 "repo": "https://github.com/gardener/gardener-extension-os-coreos.git",
@@ -20,27 +20,27 @@
 },
 "os-suse-chost": {
 "repo": "https://github.com/gardener/gardener-extension-os-suse-chost.git",
- "version": "v1.16.0"
+ "version": "v1.18.0"
 },
 "os-ubuntu": {
 "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git",
- "version": "v1.16.0"
+ "version": "v1.18.0"
 },
 "os-gardenlinux": {
 "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git",
- "version": "v0.12.0"
+ "version": "v0.14.0"
 },
 "provider-aws": {
 "repo": "https://github.com/gardener/gardener-extension-provider-aws.git",
- "version": "v1.35.0"
+ "version": "v1.37.0"
 },
 "provider-azure": {
 "repo": "https://github.com/gardener/gardener-extension-provider-azure.git",
- "version": "v1.28.1"
+ "version": "v1.29.0"
 },
 "provider-gcp": {
 "repo": "https://github.com/gardener/gardener-extension-provider-gcp.git",
- "version": "v1.22.1"
+ "version": "v1.24.0"
 },
 "provider-alicloud": {
 "repo": "https://github.com/gardener/gardener-extension-provider-alicloud.git",
@@ -48,11 +48,11 @@
 },
 "provider-openstack": {
 "repo": "https://github.com/gardener/gardener-extension-provider-openstack.git",
- "version": "v1.26.3"
+ "version": "v1.28.0"
 },
 "shoot-cert-service": {
 "repo": "https://github.com/gardener/gardener-extension-shoot-cert-service.git",
- "version": "v1.21.0"
+ "version": "v1.23.0"
 },
 "shoot-dns-service": {
 "repo": "https://github.com/gardener/gardener-extension-shoot-dns-service.git",
@@ -60,7 +60,7 @@
 },
 "provider-vsphere": {
 "repo": "https://github.com/gardener/gardener-extension-provider-vsphere.git",
- "version": "v0.14.1"
+ "version": "v0.17.0"
 },
 "runtime-gvisor": {
 "repo": "https://github.com/gardener/gardener-extension-runtime-gvisor.git",
@@ -71,7 +71,7 @@
 "dashboard": {
 "core": {
 "repo": "https://github.com/gardener/dashboard.git",
- "version": "1.56.0"
+ "version": "1.60.0"
 },
 "identity": {
 "repo": "(( dashboard.core.repo ))",
@@ -80,7 +80,7 @@
 "terminals": {
 "terminal-controller-manager": {
 "repo": "https://github.com/gardener/terminal-controller-manager.git",
- "version": "v0.18.0"
+ "version": "v0.21.0"
 }
 }
 }