gardener · Diaphteiros · Sep 18, 2023 · Apr 21, 2023 · Apr 21, 2023 · Apr 21, 2023
@@ -280,6 +280,18 @@ landscape:
     <<: (( merge ))
     type: (( .dns_type_mapping[iaas[0].type] ))
     credentials: (( iaas[0].credentials ))
+  domains:
+    <<: (( merge none ))
+    wildcard_ingress_dns: (( "*." ingress_dns ))
+    ingress_dns: (( "ing." landscape.domain ))
+    issuer_url: (( .landscape.identity.issuerUrl || "https://" identity_dns "/oidc" ))
+    callback_url: (( dashboard_url "/auth/callback" ))
+    connector_callback_url: (( dashboard_url "/oidc/callback" ))
+    dashboard_url: (( "https://" dashboard_dns ))
+    identity_url: (( "https://" identity_dns ))
+    identity_dns: (( ( .landscape.identity.useIdentityDomain || false ) ? "identity." ingress_dns :dashboard_dns ))
+    dashboard_dns: (( "gardener." ingress_dns ))
+
 dns_type_mapping:
   <<: (( &temporary ))
   gcp: google-clouddns

@@ -6,7 +6,7 @@ settings:
   certificate:
     name: dashboard-identity-ingress
     domains:
-      - (( "*." imports.ingress-controller.export.ingress_domain ))
+      - (( .landscape.domains.wildcard_ingress_dns ))
       - (( .landscape.dashboard.cname.domain || ~~ ))
     secret_name: identity-dashboard-tls
     namespace: (( landscape.namespace ))
@@ -26,8 +26,8 @@ cert:
         annotations:
           cert.gardener.cloud/class: (( imports.cert-controller.export.certClass ))
       spec:
-        commonName: (( .settings.certificate.domains[0] ))
-        dnsNames: (( .settings.certificate.domains[1..] ))
+        commonName: (( .landscape.domains.identity_dns ))
+        dnsNames: (( .settings.certificate.domains ))
         secretRef:
           name: (( .settings.certificate.secret_name ))
           namespace: (( .settings.certificate.namespace ))

@@ -45,48 +45,51 @@ dashboard:
     deploy: (( "--kube-version=" .imports.k8sversion.export.k8sVersions.base ))
   values:
     global:
-      apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
-      apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
-      sessionSecret: (( rand("[:alnum:]", 30) ))
-      ingress:
-        tls:
-          secretName: (( imports.cert.export.certificate.secret_name ))
-        hosts:
-          - (( imports.identity.export.dashboard_dns ))
-          - (( .landscape.dashboard.cname.domain || ~~ ))
-        annotations:
-          <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
-      image:
-        repository: (( .dashboard_version.image_repo || ~~ ))
-        tag: (( .dashboard_version.image_tag || ~~ ))
-        pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
-      oidc:
-        issuerUrl: (( imports.identity.export.issuer_url ))
-        ca: (( imports.cert-controller.export.ca.crt || ~~ ))
-        clientId: "dashboard"
-        clientSecret: (( imports.identity.export.dashboardClientSecret ))
-        public:
-          clientId: kube-kubectl
-          clientSecret: (( imports.identity.export.kubectlClientSecret ))
-      kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
-      podLabels:
-        <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
-        networking.gardener.cloud/to-dns: allowed
-        networking.gardener.cloud/to-garden-kube-apiserver: allowed
-        networking.gardener.cloud/to-identity: allowed
-        networking.gardener.cloud/to-ingress: allowed
-        networking.gardener.cloud/to-world: allowed
-        networking.gardener.cloud/to-inside: allowed
-      gitHub: (( .landscape.dashboard.gitHub || ~~ ))
-      frontendConfig:
-        <<: (( .landscape.dashboard.frontendConfig || ~ ))
-        seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
-        features:
-          <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
-          terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
+      dashboard:
+        apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
+        apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
+        sessionSecret: (( rand("[:alnum:]", 30) ))
+        ingress:
+          tls:
+            secretName: (( imports.cert.export.certificate.secret_name ))
+          hosts:
+            - (( .landscape.domains.dashboard_dns ))
+            - (( .landscape.dashboard.cname.domain || ~~ ))
+          annotations:
+            <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
+        image:
+          repository: (( .dashboard_version.image_repo || ~~ ))
+          tag: (( .dashboard_version.image_tag || ~~ ))
+          pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
+        oidc:
+          issuerUrl: (( .landscape.domains.issuer_url ))
+          ca: (( imports.cert-controller.export.ca.crt || ~~ ))
+          clientId: "dashboard"
+          clientSecret: (( imports.identity.export.dashboardClientSecret ))
+          public:
+            clientId: kube-kubectl
+            clientSecret: (( imports.identity.export.kubectlClientSecret ))
+        kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
+        podLabels:
+          <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
+          networking.gardener.cloud/to-dns: allowed
+          networking.gardener.cloud/to-garden-kube-apiserver: allowed
+          networking.gardener.cloud/to-identity: allowed
+          networking.gardener.cloud/to-ingress: allowed
+          networking.gardener.cloud/to-world: allowed
+          networking.gardener.cloud/to-inside: allowed
+        gitHub: (( .landscape.dashboard.gitHub || ~~ ))
+        frontendConfig:
+          <<: (( .landscape.dashboard.frontendConfig || ~ ))
+          seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
+          features:
+            <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
+            terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
+        resources:
+          <<: (( .landscape.dashboard.resources || ~~ ))
       terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ ))
-      resources:
-        <<: (( .landscape.dashboard.resources || ~~ ))
+      virtualGarden:
+        enabled: true
 
 terminal_config:
   <<: (( &temporary &template ))
@@ -129,7 +132,7 @@ cname_dnsentry:
       spec:
         dnsName: (( .landscape.dashboard.cname.domain || ~~ ))
         targets:
-        - (( .imports.identity.export.dashboard_dns ))
+        - (( .landscape.domains.dashboard_dns ))
         ttl: 120
 
 util:
@@ -138,7 +141,7 @@ util:
 
 settings:
   serviceaccount_name: gardener-dashboard
-  dashboard_url: (( .imports.identity.export.dashboard_url ))
+  dashboard_url: (( .landscape.domains.dashboard_url ))
 
 kubectl_sa:
   kubeconfig: (( .imports.kube_apiserver.export.kubeconfig ))

@@ -44,6 +44,10 @@ spec:
       labels:
         app: {{ .Values.name }}
         component: etcd
+        networking.gardener.cloud/to-world: allowed
+        networking.gardener.cloud/to-inside: allowed
+        networking.gardener.cloud/to-gardener-apiserver: allowed
+        networking.gardener.cloud/to-dns: allowed
     spec:
       containers:
       - name: etcd

@@ -33,17 +33,17 @@ defaults:
       - <<: (( defaults.providerspec.machineImages || ~ ))
       - name: gardenlinux
         versions:
-        - version: 576.12.0
+        - version: 934.9.0
           classification: supported
-          kubeletVersionConstraint: < 1.26
           architectures:
-          - amd64
+            - amd64
+            - arm64
           cri:
-          - name: docker
-          - containerRuntimes:
-            - type: gvisor
-            name: containerd
-        - version: 576.11.0
+            - name: docker
+            - containerRuntimes:
+                - type: gvisor
+              name: containerd
+        - version: 576.12.0
           classification: deprecated
           kubeletVersionConstraint: < 1.26
           architectures:
@@ -53,29 +53,19 @@ defaults:
           - containerRuntimes:
             - type: gvisor
             name: containerd
-      - name: ubuntu
-        versions:
-        - version: 18.4.20210415
-          classification: deprecated
-          architectures:
-          - amd64
-          cri:
-          - name: docker
-          - containerRuntimes:
-            - type: gvisor
-            name: containerd
       - name: suse-chost
         versions:
-        - version: 15.4.20221215
+        - version: 15.4.20230410
           classification: supported
           architectures:
-          - amd64
+            - amd64
+            - arm64
           cri:
-          - name: docker
-          - containerRuntimes:
-            - type: gvisor
-            name: containerd
-        - version: 15.3.20220411
+            - name: docker
+            - containerRuntimes:
+                - type: gvisor
+              name: containerd
+        - version: 15.4.20221215
           classification: deprecated
           architectures:
           - amd64
@@ -94,17 +84,11 @@ defaults:
   kubernetes:
     versions:
       - classification: supported
-        version: 1.25.5
+        version: 1.26.6
       - classification: supported
-        version: 1.24.9
+        version: 1.25.11
       - classification: supported
-        version: 1.23.15
-      - classification: deprecated
-        version: 1.22.17
-      - classification: deprecated
-        version: 1.21.14
-      - classification: deprecated
-        version: 1.21.10
+        version: 1.24.15
       - classification: deprecated
-        version: 1.20.15
+        version: 1.23.17
   providerspec: (( *values.providerspec ))