Create virtual garden access kubeconfig.

control-plane/roles/gardener/filter_plugins/common.py

@@ -175,6 +175,43 @@ def kubeconfig_from_cert(server, ca, cert, key, prepend_https=False):
     })
 
 
+def kubeconfig_from_token(server, ca, token, prepend_https=False):
+    if prepend_https and not server.startswith("https"):
+        server = "https://" + server
+
+    return yaml.safe_dump({
+        "apiVersion": "v1",
+        "kind": "Config",
+        "clusters": [
+            {
+                "name": "default-cluster",
+                "cluster": {
+                    "certificate-authority-data": b64encode(ca),
+                    "server": server,
+                }
+            }
+        ],
+        "current-context": "default-context",
+        "contexts": [
+            {
+                "name": "default-context",
+                "context": {
+                    "cluster": "default-cluster",
+                    "user": "default-user",
+                }
+            }
+        ],
+        "users": [
+            {
+                "name": "default-user",
+                "user": {
+                    "token": token,
+                }
+            }
+        ],
+    })
+
+
 def machine_images_for_cloud_profile(image_list, cris=None):
     images = dict()
     for image in image_list:
@@ -241,6 +278,7 @@ def filters(self):
         return {
             'network_cidr_add': network_cidr_add,
             'kubeconfig_from_cert': kubeconfig_from_cert,
+            'kubeconfig_from_token': kubeconfig_from_token,
             'machine_images_for_cloud_profile': machine_images_for_cloud_profile,
             'kubeconfig_for_sa': kubeconfig_for_sa,
             'extract_gcp_node_network': extract_gcp_node_network,

control-plane/roles/gardener/tasks/gardener_operator.yaml

@@ -11,13 +11,11 @@
       data: "{{ gardener_backup_infrastructure_secret }}"
     apply: yes
 
-- name: Create backup directory for local deployment
-  import_tasks: local_backup.yaml
-  when:  gardener_backup_infrastructure.provider == "local"
-
 # TODO: prepare migration here
 # - label existing secrets like CA, ETCD encryption key, accordingly
 # - scale down existing components (gardener control plane + virtual garden with ETCD)
+#
+# https://github.com/gardener/gardener/blob/v1.100.2/docs/concepts/operator.md#migrating-an-existing-gardener-landscape-to-gardener-operator
 
 - name: Deploy Gardener Operator
   include_role:
@@ -120,7 +118,7 @@
             name: virtual-garden-user
             namespace: kube-system
 
-- name: Create virtual garden access managed resource secret
+- name: Create virtual garden access managed resource
   k8s:
     apply: yes
     definition:
@@ -132,3 +130,14 @@
       spec:
         secretRefs:
         - name: managedresource-virtual-garden-access
+
+- name: Create kubeconfig for accessing the virtual garden
+  copy:
+    dest: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    content: "{{ (gardener_virtual_api_server_public_dns + ':' + gardener_virtual_api_server_public_wait_port | string) | kubeconfig_from_token(gardener_kube_api_server_ca, lookup('k8s', api_version='v1', kind='Secret', namespace='garden', resource_name='shoot-access-virtual-garden').get('data', {}).get('token') | b64decode, prepend_https=true) }}"
+
+- name: Wait for garden-kube-apiserver
+  wait_for:
+    host: "{{ gardener_virtual_api_server_public_dns }}"
+    port: "{{ gardener_virtual_api_server_public_wait_port }}"
+    timeout: 60

control-plane/roles/gardener/tasks/main.yaml

@@ -93,6 +93,10 @@
   when:
     - metal_control_plane_host_provider == "metal"
 
+- name: Create backup directory for local deployment
+  import_tasks: local_backup.yaml
+  when:  gardener_backup_infrastructure.provider == "local"
+
 - name: Clone Gardener
   git:
     repo: "{{ gardener_repo_url }}"