[operator] Extend operatorv1alpha1.VirtualCluster with API for future kube-apiserver deployment
#7693
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gardener-prow
bot
added
area/usability
65 tasks
gardener-prow
bot
added
size/XXL
rfranzke
changed the title
operatorv1alpha1.VirtualCluster with API for kube-apiserver configurationoperatorv1alpha1.VirtualCluster with API for Kubernetes version and kube-apiserver configuration
|
/assign |
ScheererJ
reviewed
Mar 23, 2023
rfranzke
force-pushed
the
enh/operator-kapi-api
branch
from
de66f0a to
779f76b
Compare
rfranzke
changed the title
operatorv1alpha1.VirtualCluster with API for Kubernetes version and kube-apiserver configurationoperatorv1alpha1.VirtualCluster with API for future kube-apiserver deployment
|
@ScheererJ Thanks for your review, I've answered comments and addressed the feedback with 6cb480a. I've also added two more commits which expose the DNS and networking section with configuration fields required for the future deployment of the API server, cc @timuthy (I forgot about them initially). |
rfranzke
force-pushed
the
enh/operator-kapi-api
branch
from
779f76b to
98c17f5
Compare
ScheererJ
reviewed
Mar 24, 2023
rfranzke
force-pushed
the
enh/operator-kapi-api
branch
from
98c17f5 to
1186d37
Compare
|
OK, next round @ScheererJ :) I've addressed your feedback in the last commit. There are two more new commits:
|
ScheererJ
reviewed
Mar 27, 2023
|
/lgtm |
|
LGTM label has been added. Git tree hash: 31f17d15b625b1ef4a543ec257d1af8f2052e973
|
This will be called from the operator in the future
`.import-restrictions` file copied from https://github.com/gardener/gardener/blob/master/pkg/apis/core/validation/.import-restrictions
This commit also enhances the webhook controllers to reconcile multiple webhook configs in the source cluster (now that `gardener-operator` no longer only serves a validating webhook but also a defaulting webhook).
Without this commit, the certificate management reconciler can race with the code that updates the webhook configurations. Since both is started at the same time, it might happen that the reconciler is faster with updating the CA bundle in all webhooks (ref https://github.com/gardener/gardener/blob/5abed1bfedd6f2188e5dcec9af161d1b5c286236/extensions/pkg/webhook/certificates/reconciler.go#L169-L174), and afterwards the code removes the CA bundle again.
rfranzke
force-pushed
the
enh/operator-kapi-api
branch
from
1186d37 to
17020e2
Compare
|
@rfranzke: The following test failed, say
Full PR test history. Your PR dashboard. Command help for this repository. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
LGTM label has been added. Git tree hash: aaa4e80c79cd2f23a2659e7e43cdf3d954530864
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timuthy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
gardener-prow
bot
added
the
approved
andrerun
pushed a commit
to andrerun/gardener
that referenced
this pull request
Jul 6, 2023
…re `kube-apiserver` deployment (gardener#7693) * Copy example API from `Shoot` example YAML file * Add kubeconfig secret reference for admission plugins * Add configuration for TLS SNI * Add configuration for resources to be stored in `etcd-events` * Add configuration options for {audit,auth{n,z}} webhooks * Export common validation and defaulting code This will be called from the operator in the future * Validation for new fields `.import-restrictions` file copied from https://github.com/gardener/gardener/blob/master/pkg/apis/core/validation/.import-restrictions * Defaulting for new fields This commit also enhances the webhook controllers to reconcile multiple webhook configs in the source cluster (now that `gardener-operator` no longer only serves a validating webhook but also a defaulting webhook). * Run `make generate` * Fix race causing CA bundles to be removed from webhook configs Without this commit, the certificate management reconciler can race with the code that updates the webhook configurations. Since both is started at the same time, it might happen that the reconciler is faster with updating the CA bundle in all webhooks (ref https://github.com/gardener/gardener/blob/5abed1bfedd6f2188e5dcec9af161d1b5c286236/extensions/pkg/webhook/certificates/reconciler.go#L169-L174), and afterwards the code removes the CA bundle again. * Address PR review feedback * Add DNS and networking fields to `Garden` * [make generate] * Do not overwrite inlined config in defaulting webhook * Validate Kubernetes version against supported versions * Address PR review feedback * Address PR review feedback
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to categorize this PR?
/area usability
/kind enhancement
What this PR does / why we need it:
This PR extends the
GardenAPI with configuration options for the virtual cluster for thekube-apiserver.gardener-operatorstill does not deploykube-apiserver, though this will be supported by the upcoming releases.The API reuses the vast majority of the existing types as well as validation/defaulting code already present for
Shoots. For the fields ofgardencorev1beta1.KubeAPIServerConfigthat are now exposed via theGarden, validation and defaulting happens via the webhook instead of via CRD validation/defaulting to prevent duplicating the logic. As a result, a new mutating webhook has been introduced which performs the defaulting.For the fields that are not part of
gardencorev1beta1.KubeAPIServerConfigbut only ofoperatorv1alpha1.KubeAPIServerConfig, the validation/defaulting is done as part of the CRD validation/defaulting (just like it was done before for other fields).Which issue(s) this PR fixes:
Part of #7016
Special notes for your reviewer:
/cc @ScheererJ @timuthy @oliver-goetz
Release note:
The `Garden` API was extended with the new `.spec.virtualCluster.{dns,kubernetes,networking}` sections. For now, they only allow configuring the necessary information for the deployment of `kube-apiserver`. Since the API server is not deployed yet, any configuration does not have any effect. Still, you must make sure to already specify at least `.spec.virtualCluster.kubernetes.version`, `.spec.virtualCluster.dns.domain`, and `.spec.virtualCluster.networking.services`. In the upcoming releases, `gardener-operator` will also take over the management of the `kube-apiserver` deployment whilst taking the configuration into account.