Upgrade Gardener and extensions

acre.yaml

@@ -27,7 +27,7 @@ landscape:
   versions:
     kube-apiserver:
       image_repo: k8s.gcr.io/kube-apiserver
-      image_tag: v1.21.14
+      image_tag: v1.23.13
     kube-controller-manager:
       image_repo: k8s.gcr.io/kube-controller-manager
       image_tag: (( kube-apiserver.image_tag ))

components/dashboard/deployment.yaml

@@ -42,47 +42,48 @@ dashboard:
   name: "dashboard"
   namespace: (( .landscape.namespace ))
   values:
-    apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
-    apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
-    sessionSecret: (( rand("[:alnum:]", 30) ))
-    ingress:
-      tls:
-        secretName: (( imports.cert.export.certificate.secret_name ))
-      hosts:
-        - (( imports.identity.export.dashboard_dns ))
-        - (( .landscape.dashboard.cname.domain || ~~ ))
-      annotations:
-        <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
-    image:
-      repository: (( .dashboard_version.image_repo || ~~ ))
-      tag: (( .dashboard_version.image_tag || ~~ ))
-      pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
-    oidc:
-      issuerUrl: (( imports.identity.export.issuer_url ))
-      ca: (( imports.cert-controller.export.ca.crt || ~~ ))
-      clientSecret: (( imports.identity.export.dashboardClientSecret ))
-      public:
-        clientId: kube-kubectl
-        clientSecret: (( imports.identity.export.kubectlClientSecret ))
-    kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
-    podLabels:
-      <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
-      networking.gardener.cloud/to-dns: allowed
-      networking.gardener.cloud/to-garden-kube-apiserver: allowed
-      networking.gardener.cloud/to-identity: allowed
-      networking.gardener.cloud/to-ingress: allowed
-      networking.gardener.cloud/to-world: allowed
-      networking.gardener.cloud/to-inside: allowed
-    gitHub: (( .landscape.dashboard.gitHub || ~~ ))
-    frontendConfig:
-      <<: (( .landscape.dashboard.frontendConfig || ~ ))
-      seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
-      features:
-        <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
-        terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
-    terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ ))
-    resources:
-      <<: (( .landscape.dashboard.resources || ~~ ))
+    global:
+      apiServerUrl: (( imports.kube_apiserver.export.apiserver_url ))
+      apiServerCa: (( imports.kube_apiserver.export.kube_apiserver_ca.cert ))
+      sessionSecret: (( rand("[:alnum:]", 30) ))
+      ingress:
+        tls:
+          secretName: (( imports.cert.export.certificate.secret_name ))
+        hosts:
+          - (( imports.identity.export.dashboard_dns ))
+          - (( .landscape.dashboard.cname.domain || ~~ ))
+        annotations:
+          <<: (( .landscape.dashboard.ingress.annotations || ~~ ))
+      image:
+        repository: (( .dashboard_version.image_repo || ~~ ))
+        tag: (( .dashboard_version.image_tag || ~~ ))
+        pullPolicy: (( defined( tag ) -and tag != "latest" ? "IfNotPresent" :"Always" ))
+      oidc:
+        issuerUrl: (( imports.identity.export.issuer_url ))
+        ca: (( imports.cert-controller.export.ca.crt || ~~ ))
+        clientSecret: (( imports.identity.export.dashboardClientSecret ))
+        public:
+          clientId: kube-kubectl
+          clientSecret: (( imports.identity.export.kubectlClientSecret ))
+      kubeconfig: (( format( "((!!! asyaml( merge( read( \"%s/export/kube-apiserver/kubeconfig_internal_merge_snippet\", \"yaml\" ), read( \"%s/kubectl_sa/sa_%s.kubeconfig\" , \"yaml\") ) ) ))", env.ROOTDIR, env.GENDIR, .settings.serviceaccount_name ) ))
+      podLabels:
+        <<: (( ( .landscape.gardener.network-policies.active || false ) ? ~ :~~ ))
+        networking.gardener.cloud/to-dns: allowed
+        networking.gardener.cloud/to-garden-kube-apiserver: allowed
+        networking.gardener.cloud/to-identity: allowed
+        networking.gardener.cloud/to-ingress: allowed
+        networking.gardener.cloud/to-world: allowed
+        networking.gardener.cloud/to-inside: allowed
+      gitHub: (( .landscape.dashboard.gitHub || ~~ ))
+      frontendConfig:
+        <<: (( .landscape.dashboard.frontendConfig || ~ ))
+        seedCandidateDeterminationStrategy: (( .imports.gardener_virtual.export.gardener.seedCandidateDeterminationStrategy ))
+        features:
+          <<: (( .landscape.dashboard.frontendConfig.features || ~ ))
+          terminalEnabled: (( ( .landscape.dashboard.terminals.active || false ) ))
+      terminal: (( ( .landscape.dashboard.terminals.active || false ) ? *.terminal_config :~~ ))
+      resources:
+        <<: (( .landscape.dashboard.resources || ~~ ))
 
 terminal_config:
   <<: (( &temporary &template ))

components/gardener/extensions/component.yaml

@@ -26,8 +26,7 @@ spec_template:
   branch: (( version.branch || ~~ ))
   commit: (( version.commit || ~~ ))
   files:
-    - (( version.chart_path ))
-    - (( contains( deployment.admissionControllers, n ) ? ( "charts/" version.admission_controller_name ) :~~ ))
+    - charts
 
 deployment:
   # which extensions should be deployed

components/gardener/virtual/deployment.yaml

@@ -174,7 +174,7 @@ gardener:
             qps: 100
             burst: 130
           server:
-            https:
+            webhooks:
               bindAddress: 0.0.0.0
               port: 2719
               tls:

components/kube-apiserver/chart/templates/deployment-kube-apiserver.yaml

@@ -122,7 +122,7 @@ spec:
         - --service-account-signing-key-file=/srv/kubernetes/service-account-key/service_account.key
         - --tls-cert-file=/srv/kubernetes/apiserver/tls.crt
         - --tls-private-key-file=/srv/kubernetes/apiserver/tls.key
-        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+        - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         - --v=2
         livenessProbe:
           httpGet:
@@ -203,8 +203,8 @@ spec:
           failureThreshold: 2
           httpGet:
             path: /healthz
-            port: 10252
-            scheme: HTTP
+            port: 10257
+            scheme: HTTPS
           initialDelaySeconds: 15
           periodSeconds: 10
           successThreshold: 1

dependency-versions.yaml

@@ -3,28 +3,28 @@
     "gardener": {
       "core": {
         "repo": "https://github.com/gardener/gardener.git",
-        "version": "v1.56.1"
+        "version": "v1.57.1"
       },
       "extensions": {
         "networking-calico": {
           "repo": "https://github.com/gardener/gardener-extension-networking-calico.git",
-          "version": "v1.26.0"
+          "version": "v1.27.0"
         },
         "os-coreos": {
           "repo": "https://github.com/gardener/gardener-extension-os-coreos.git",
           "version": "v1.12.0"
         },
         "os-suse-chost": {
           "repo": "https://github.com/gardener/gardener-extension-os-suse-chost.git",
-          "version": "v1.18.0"
+          "version": "v1.19.0"
         },
         "os-ubuntu": {
           "repo": "https://github.com/gardener/gardener-extension-os-ubuntu.git",
-          "version": "v1.18.0"
+          "version": "v1.19.0"
         },
         "os-gardenlinux": {
           "repo": "https://github.com/gardener/gardener-extension-os-gardenlinux.git",
-          "version": "v0.14.0"
+          "version": "v0.15.0"
         },
         "provider-aws": {
           "repo": "https://github.com/gardener/gardener-extension-provider-aws.git",
@@ -67,7 +67,7 @@
     "dashboard": {
       "core": {
         "repo": "https://github.com/gardener/dashboard.git",
-        "version": "1.61.2"
+        "version": "1.62.0"
       },
       "identity": {
         "repo": "(( dashboard.core.repo ))",
@@ -76,13 +76,13 @@
       "terminals": {
         "terminal-controller-manager": {
           "repo": "https://github.com/gardener/terminal-controller-manager.git",
-          "version": "v0.21.0"
+          "version": "v0.22.0"
         }
       }
     },
     "dns-controller-manager": {
       "repo": "https://github.com/gardener/external-dns-management.git",
-      "version": "v0.13.3"
+      "version": "v0.14.1"
     }
   }
 }

lib/sow.sh

@@ -126,6 +126,18 @@ CMD_convertkubeconfig() {
   verbose "Creating serviceaccount '$sa', if it doesn't exist ..."
   exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get serviceaccount $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns create serviceaccount $sa
 
+  # create serviceaccount secret manually (required for clusters >=1.24)
+  verbose "Creating serviceaccount secret '$sa', if it doesn't exist ..."
+  exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa &>/dev/null || exec_cmd kubectl --kubeconfig "$kubeconfig" -n $ns apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $sa
+  annotations:
+    kubernetes.io/service-account.name: $sa
+type: kubernetes.io/service-account-token
+EOF
+
   # wait for serviceaccount to get token
   local timeout=180
   local sleep_time=5
@@ -134,18 +146,12 @@ CMD_convertkubeconfig() {
   local secret=
   verbose "Fetching serviceaccount token. This might take few seconds."
   while true; do
-    debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get serviceaccount $sa -o jsonpath='{.secrets[0].name}'"
-    if secret=$(kubectl --kubeconfig "$kubeconfig" -n $ns get serviceaccount $sa -o jsonpath='{.secrets[0].name}' 2>/dev/null); then
-      # secret name found, fetch token
-      debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $secret -o jsonpath='{.data.token}'"
-      if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $secret -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then
-        debug "found token"
-        break
-      else
-        echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..."
-      fi
+    debug "kubectl --kubeconfig \"$kubeconfig\" -n $ns get secret $sa -o jsonpath='{.data.token}'"
+    if token=$(kubectl --kubeconfig "$kubeconfig" -n $ns get secret $sa -o jsonpath='{.data.token}' 2>/dev/null | base64 -d) && [[ -n "$token" ]]; then
+      debug "found token"
+      break
     else
-      echo "secret name cannot be retrieved from serviceaccount, retrying in $sleep_time seconds ..."
+      echo "token cannot be retrieved from secret, retrying in $sleep_time seconds ..."
     fi
     local now=$(date +%s)
     if [[ $(($now - $start_time)) -gt $timeout ]]; then