From 11c0ce086a64278cd6dc863f8390dfb4f1da87ba Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:25:20 +0100 Subject: [PATCH 01/14] Upgrade github_com_gardener_external-dns-management (#941) from v0.13.3 to v0.14.1 --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index 9efc8495..e3777e35 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -82,7 +82,7 @@ }, "dns-controller-manager": { "repo": "https://github.com/gardener/external-dns-management.git", - "version": "v0.13.3" + "version": "v0.14.1" } } } \ No newline at end of file From 8837530593c3a1889a0dadd15f5264d990c74176 Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:25:42 +0100 Subject: [PATCH 02/14] Upgrade github_com_gardener_terminal-controller-manager (#931) from v0.21.0 to v0.22.0 Co-authored-by: gardener-robot-ci-3 --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index e3777e35..d7289581 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -76,7 +76,7 @@ "terminals": { "terminal-controller-manager": { "repo": "https://github.com/gardener/terminal-controller-manager.git", - "version": "v0.21.0" + "version": "v0.22.0" } } }, From 7ea90d31dd2d99514519d355155716124ed3526e Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:26:11 +0100 Subject: [PATCH 03/14] Upgrade github_com_gardener_gardener-extension-networking-calico (#928) from v1.26.0 to v1.27.0 Co-authored-by: gardener-robot-ci-1 --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/dependency-versions.yaml b/dependency-versions.yaml index d7289581..68da8ad4 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -8,7 +8,7 @@ "extensions": { "networking-calico": { "repo": "https://github.com/gardener/gardener-extension-networking-calico.git", - "version": "v1.26.0" + "version": "v1.27.0" }, "os-coreos": { "repo": "https://github.com/gardener/gardener-extension-os-coreos.git", From 1f82264a33742cbabecfd92ffedaaa4bc46fdede Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:26:25 +0100 Subject: [PATCH 04/14] Upgrade github_com_gardener_dashboard (#927) from 1.61.2 to 1.62.0 Co-authored-by: gardener-robot-ci-2 --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index 68da8ad4..d9521c71 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -67,7 +67,7 @@ "dashboard": { "core": { "repo": "https://github.com/gardener/dashboard.git", - "version": "1.61.2" + "version": "1.62.0" }, "identity": { "repo": "(( dashboard.core.repo ))", From ca0996c7e85deace6f7ba885d8a002c4e94edc17 Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 1 Date: Wed, 30 Nov 2022 10:27:59 +0100 Subject: [PATCH 05/14] [ci:component:github.com/gardener/gardener-extension-os-suse-chost:v1.18.0->v1.19.0] (#921) * Upgrade github_com_gardener_gardener-extension-os-suse-chost from v1.18.0 to v1.19.0 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: gardener-robot-ci-3 Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> Co-authored-by: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index d9521c71..93c9a4cc 100644 
--- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -16,7 +16,7 @@ }, "os-suse-chost": { "repo": "https://github.com/gardener/gardener-extension-os-suse-chost.git", - "version": "v1.18.0" + "version": "v1.19.0" }, "os-ubuntu": { "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git", From 6721ae0afc032ea3aef938c0348b1806f680ec85 Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:28:46 +0100 Subject: [PATCH 06/14] [ci:component:github.com/gardener/gardener-extension-os-gardenlinux:v0.14.0->v0.15.0] (#920) * Upgrade github_com_gardener_gardener-extension-os-gardenlinux from v0.14.0 to v0.15.0 Co-authored-by: Gardener CI Robot 1 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index 93c9a4cc..e5594200 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -24,7 +24,7 @@ }, "os-gardenlinux": { "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git", - "version": "v0.14.0" + "version": "v0.15.0" }, "provider-aws": { "repo": "https://github.com/gardener/gardener-extension-provider-aws.git", From dec13957c6b57ae257f219a8efeb359cddf276e3 Mon Sep 17 00:00:00 2001 
From: Gardener CI Robot 3 <55584046+gardener-robot-ci-3@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:29:31 +0100 Subject: [PATCH 07/14] [ci:component:github.com/gardener/gardener-extension-os-ubuntu:v1.18.0->v1.19.0] (#919) * Upgrade github_com_gardener_gardener-extension-os-ubuntu from v1.18.0 to v1.19.0 Co-authored-by: Gardener CI Robot 1 Co-authored-by: gardener-robot-ci-2 Co-authored-by: Johannes Aubart Co-authored-by: Gardener CI Robot 2 <52166830+gardener-robot-ci-2@users.noreply.github.com> --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index e5594200..5a248514 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -20,7 +20,7 @@ }, "os-ubuntu": { "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git", - "version": "v1.18.0" + "version": "v1.19.0" }, "os-gardenlinux": { "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git", From 12e805bde993b6f7bfba2be8f70dc1ac4b6dd8b6 Mon Sep 17 00:00:00 2001 From: Gardener CI Robot 1 Date: Wed, 30 Nov 2022 10:30:18 +0100 Subject: [PATCH 08/14] Upgrade github_com_gardener_gardener (#905) from v1.54.1 to v1.57.1 Co-authored-by: gardener-robot-ci-3 Co-authored-by: Johannes Aubart --- dependency-versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-versions.yaml b/dependency-versions.yaml index 5a248514..70970e84 100644 --- a/dependency-versions.yaml +++ b/dependency-versions.yaml @@ -3,7 +3,7 @@ "gardener": { "core": { "repo": "https://github.com/gardener/gardener.git", - "version": "v1.56.1" + "version": "v1.57.1" }, "extensions": { "networking-calico": { From 01ed9bc9b9d634f6df2d940713d2fb36a312f474 Mon Sep 17 00:00:00 2001 
From: Johannes Aubart Date: Wed, 30 Nov 2022 13:42:50 +0100 Subject: [PATCH 09/14] adapt dashboard component to chart changes --- components/dashboard/deployment.yaml | 83 ++++++++++++++-------------- 1 file changed, 42 insertions(+), 41 deletions(-) diff --git a/components/dashboard/deployment.yaml b/components/dashboard/deployment.yaml index d6a2050f..aa12d7c0 100644 --- a/components/dashboard/deployment.yaml +++ b/components/dashboard/deployment.yaml 
@@ -42,47 +42,48 @@ dashboard: name: "dashboard" namespace: (( .landscape.namespace )) values: - apiServerUrl: (( imports.kube_apiserver.export.apiserver_url )) - apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert )) - sessionSecret: (( rand("[:alnum:]", 30) )) - ingress: - tls: - secretName: (( imports.cert.export.certificate.secret_name )) - hosts: - - (( imports.identity.export.dashboard_dns )) - - (( .landscape.dashboard.cname.domain || ~~ )) - annotations: - <<: (( .landscape.dashboard.ingress.annotations || ~~ )) - image: - repository: (( .dashboard_version.image_repo || ~~ )) - tag: (( .dashboard_version.image_tag || ~~ )) - pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" )) - oidc: - issuerUrl: (( imports.identity.export.issuer_url )) - ca: (( imports.cert-controller.export.ca.crt || ~~ )) - clientSecret: (( imports.identity.export.dashboardClientSecret )) - public: - clientId: kube-kubectl - clientSecret: (( imports.identity.export.kubectlClientSecret )) - kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) )) - podLabels: - <<: (( ( .landscape.gardener.network-policies.active || false ) ? 
~ :~~ )) - networking.gardener.cloud/to-dns: allowed - networking.gardener.cloud/to-garden-kube-apiserver: allowed - networking.gardener.cloud/to-identity: allowed - networking.gardener.cloud/to-ingress: allowed - networking.gardener.cloud/to-world: allowed - networking.gardener.cloud/to-inside: allowed - gitHub: (( .landscape.dashboard.gitHub || ~~ )) - frontendConfig: - <<: (( .landscape.dashboard.frontendConfig || ~ )) - seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy )) - features: - <<: (( .landscape.dashboard.frontendConfig.features || ~ )) - terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) )) - terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ )) - resources: - <<: (( .landscape.dashboard.resources || ~~ )) + global: + apiServerUrl: (( imports.kube_apiserver.export.apiserver_url )) + apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert )) + sessionSecret: (( rand("[:alnum:]", 30) )) + ingress: + tls: + secretName: (( imports.cert.export.certificate.secret_name )) + hosts: + - (( imports.identity.export.dashboard_dns )) + - (( .landscape.dashboard.cname.domain || ~~ )) + annotations: + <<: (( .landscape.dashboard.ingress.annotations || ~~ )) + image: + repository: (( .dashboard_version.image_repo || ~~ )) + tag: (( .dashboard_version.image_tag || ~~ )) + pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" )) + oidc: + issuerUrl: (( imports.identity.export.issuer_url )) + ca: (( imports.cert-controller.export.ca.crt || ~~ )) + clientSecret: (( imports.identity.export.dashboardClientSecret )) + public: + clientId: kube-kubectl + clientSecret: (( imports.identity.export.kubectlClientSecret )) + kubeconfig: (( format( "((!!! 
asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) )) + podLabels: + <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ )) + networking.gardener.cloud/to-dns: allowed + networking.gardener.cloud/to-garden-kube-apiserver: allowed + networking.gardener.cloud/to-identity: allowed + networking.gardener.cloud/to-ingress: allowed + networking.gardener.cloud/to-world: allowed + networking.gardener.cloud/to-inside: allowed + gitHub: (( .landscape.dashboard.gitHub || ~~ )) + frontendConfig: + <<: (( .landscape.dashboard.frontendConfig || ~ )) + seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy )) + features: + <<: (( .landscape.dashboard.frontendConfig.features || ~ )) + terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) )) + terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ )) + resources: + <<: (( .landscape.dashboard.resources || ~~ )) terminal_config: <<: (( &temporary &template )) From e37f06840f79dc2e38107cc1d78a6df9509d6b00 Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Thu, 1 Dec 2022 09:00:36 +0100 Subject: [PATCH 10/14] always checkout complete charts for extensions --- components/gardener/extensions/component.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/components/gardener/extensions/component.yaml b/components/gardener/extensions/component.yaml index 28516b41..22ff345e 100644 --- a/components/gardener/extensions/component.yaml +++ b/components/gardener/extensions/component.yaml 
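Review bot: In components/dashboard/deployment.yaml the re-indented block now places `sessionSecret`, `oidc.clientSecret` and `kubeconfig` under `global:`. Helm passes `global` values to every subchart of a release, so these secrets become readable by any subchart template rather than only the one that consumes them. The upstream dashboard chart is not on this page; if it requires this layout, a comment above the key would record the reason, e.g. `# chart reads its values from .Values.global; Helm shares global with every subchart, secrets included`. Anything the chart does not require under `global` is better kept outside it.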
@@ -26,8 +26,7 @@ spec_template: branch: (( version.branch || ~~ )) commit: (( version.commit || ~~ )) files: - - (( version.chart_path )) - - (( contains( deployment.admissionControllers, n ) ? ( "charts/" version.admission_controller_name ) :~~ )) + - charts deployment: # which extensions should be deployed From 533a35d87aa65028e720a7bc920cb2df541dd125 Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Thu, 1 Dec 2022 13:38:59 +0100 Subject: [PATCH 11/14] make 'sow convertkubeconfig' work on clusters >= 1.24 --- lib/sow.sh | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/lib/sow.sh b/lib/sow.sh index 0e5d03a2..878e29c3 100644 --- a/lib/sow.sh +++ b/lib/sow.sh 
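Review bot: The new `files:` list in components/gardener/extensions/component.yaml hard-codes `- charts` and no longer references `version.chart_path`, so an extension whose chart path lies outside `charts/` would presumably no longer be checked out. If every supported extension keeps its controller and admission charts there, a comment such as `# all extension charts live under charts/; check out the whole directory` would make that assumption explicit. The spec_template block starts and ends outside the hunk, so whether `version.chart_path` is still used elsewhere cannot be told from here.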
@@ -126,6 +126,18 @@ CMD_convertkubeconfig() { verbose "Creating serviceaccount '$sa', if it doesn't exist ..." exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get serviceaccount $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns create serviceaccount $sa + # create serviceaccount secret manually (required for clusters >=1.24) + verbose "Creating serviceaccount secret '$sa', if it doesn't exist ..." + exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns apply -f - </dev/null); then - # secret name found, fetch token - debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $secret -o jsonpath='{.data.token}'" - if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $secret -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then - debug "found token" - break - else - echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..." - fi + debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $sa -o jsonpath='{.data.token}'" + if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then + debug "found token" + break else - echo "secret name cannot be retrieved from serviceaccount, retrying in $sleep_time seconds ..." + echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..." fi local now=$(date +%s) if [[ $(($now - $start_time)) -gt $timeout ]]; then From e45eaa7d71bfaa85b2490c48a397dcd59e3d82ab Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Thu, 1 Dec 2022 15:50:57 +0100 Subject: [PATCH 12/14] upgrade virtual cluster to v1.22.15 --- acre.yaml | 2 +- .../chart/templates/deployment-kube-apiserver.yaml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acre.yaml b/acre.yaml index 6bdae981..8357f0e9 100644 --- a/acre.yaml +++ b/acre.yaml 
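Review bot: In CMD_convertkubeconfig (lib/sow.sh) the guard `get secret $sa &>/dev/null ||` accepts any existing secret that shares the serviceaccount's name, without checking that it is a `kubernetes.io/service-account-token` secret bound to `$sa`, and the loop below then reads `.data.token` from it. Because `kubectl apply` is idempotent, dropping the guard and always applying the manifest should surface a mismatching pre-existing secret as an error rather than a timeout; alternatively, compare `-o jsonpath='{.type}'` before reusing it. A token held in such a secret presumably does not expire, so a comment like `# long-lived token: delete secret "$sa" to revoke the generated kubeconfig` would help operators. `$ns` and `$sa` are also unquoted in the new kubectl calls; `-n "$ns" get secret "$sa"` is safer. The heredoc manifest is not visible on this page and the function continues outside the hunk.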
@@ -27,7 +27,7 @@ landscape: versions: kube-apiserver: image_repo: k8s.gcr.io/kube-apiserver - image_tag: v1.21.14 + image_tag: v1.22.15 kube-controller-manager: image_repo: k8s.gcr.io/kube-controller-manager image_tag: (( kube-apiserver.image_tag )) diff --git a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml index b794bdb2..2000c582 100644 --- a/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml +++ b/components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml @@ -122,7 +122,7 @@ spec: - --service-account-signing-key-file=/srv/kubernetes/service-account-key/service_account.key - --tls-cert-file=/srv/kubernetes/apiserver/tls.crt - --tls-private-key-file=/srv/kubernetes/apiserver/tls.key - - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - --v=2 livenessProbe: httpGet: @@ -203,8 +203,8 @@ spec: failureThreshold: 2 httpGet: path: /healthz - port: 10252 - scheme: HTTP + port: 10257 + scheme: HTTPS initialDelaySeconds: 15 periodSeconds: 10 successThreshold: 1 From da958afaa795fa13a0e7f72c527908b71f39647b Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Thu, 1 Dec 2022 16:45:07 +0100 Subject: [PATCH 13/14] upgrade virtual cluster to v1.23.13 --- acre.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acre.yaml b/acre.yaml index 8357f0e9..f9064bac 100644 --- a/acre.yaml +++ b/acre.yaml 
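Review bot: On the `--tls-cipher-suites` line of deployment-kube-apiserver.yaml the new list adds `TLS_AES_128_GCM_SHA256` and `TLS_AES_256_GCM_SHA384`, which are TLS 1.3 suites. As far as I know Go's TLS stack does not let a server restrict TLS 1.3 suites, so these two entries do not constrain what is negotiated and the list effectively governs TLS 1.2 only. The change also drops `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305` along with the CBC and static-RSA suites. If that is intended, a comment above the flag such as `# AEAD (GCM) suites only; CBC, static-RSA and ChaCha20 removed deliberately` would save the next reader from guessing. The container args start and end outside the hunk.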
@@ -27,7 +27,7 @@ landscape: versions: kube-apiserver: image_repo: k8s.gcr.io/kube-apiserver - image_tag: v1.22.15 + image_tag: v1.23.13 kube-controller-manager: image_repo: k8s.gcr.io/kube-controller-manager image_tag: (( kube-apiserver.image_tag )) From 9f6a54c97318f39a889c9a6e2a02e3643cf384aa Mon Sep 17 00:00:00 2001 From: Johannes Aubart Date: Mon, 5 Dec 2022 11:02:41 +0100 Subject: [PATCH 14/14] adapt Gardener helm chart --- components/gardener/virtual/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/gardener/virtual/deployment.yaml b/components/gardener/virtual/deployment.yaml index 0230f7d9..42f97577 100644 --- a/components/gardener/virtual/deployment.yaml +++ b/components/gardener/virtual/deployment.yaml @@ -174,7 +174,7 @@ gardener: qps: 100 burst: 130 server: - https: + webhooks: bindAddress: 0.0.0.0 port: 2719 tls:
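Review bot: In components/gardener/virtual/deployment.yaml the rename of `server.https` to `server.webhooks` is only correct for chart versions that know the new key. Helm does not reject unknown values, so with an older Gardener chart the `bindAddress`, `port` and `tls` settings below would presumably be ignored without an error. A comment on the key, e.g. `# key renamed from "https" in the Gardener chart; older charts ignore this block`, would make the coupling to the version pinned in dependency-versions.yaml visible. The `tls:` block continues outside the hunk.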