From 1c07e77432776918ab061a7a11449416852e7080 Mon Sep 17 00:00:00 2001
From: Stefan Majer
Date: Mon, 28 Oct 2024 09:22:00 +0100
Subject: [PATCH 1/8] No NSQ used in metal-core (#341)

---
 partition/roles/metal-core/templates/metal-core-env.j2 | 1 -
 1 file changed, 1 deletion(-)

diff --git a/partition/roles/metal-core/templates/metal-core-env.j2 b/partition/roles/metal-core/templates/metal-core-env.j2
index 68409280..f71f9740 100644
--- a/partition/roles/metal-core/templates/metal-core-env.j2
+++ b/partition/roles/metal-core/templates/metal-core-env.j2
@@ -5,7 +5,6 @@ METAL_CORE_CIDR: "{{ metal_core_cidr }}"
 METAL_CORE_PARTITION_ID: "{{ metal_partition_id }}"
 METAL_CORE_RACK_ID: "{{ metal_core_rack_id }}"
 METAL_CORE_BIND_ADDRESS: 0.0.0.0
-METAL_CORE_SWITCH_TOPIC: "{{ metal_partition_id }}-switch"
 METAL_CORE_METAL_API_IP: "{{ metal_partition_metal_api_addr }}"
 METAL_CORE_METAL_API_PORT: "{{ metal_partition_metal_api_port }}"
 METAL_CORE_METAL_API_PROTOCOL: "{{ metal_partition_metal_api_protocol }}"

From 7b0d452a5411410829b75bffe61a1465cad56645 Mon Sep 17 00:00:00 2001
From: Markus Fensterer
Date: Thu, 31 Oct 2024 13:17:41 +0100
Subject: [PATCH 2/8] define vrfs mentioned in sonic_ports_dict, sonic_vlans (in addition to those occuring in sonic_interconnects)

---
 partition/roles/sonic/templates/metal.yaml.j2 | 9 +++++++++
 partition/roles/sonic/test/data/exit/input.yaml | 7 ++++++-
 partition/roles/sonic/test/data/exit/metal.yaml | 12 +++++++++++-
 partition/roles/sonic/test/template_test.py | 0
 4 files changed, 26 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 partition/roles/sonic/test/template_test.py

diff --git a/partition/roles/sonic/templates/metal.yaml.j2 b/partition/roles/sonic/templates/metal.yaml.j2
index 55d4c078..4038c00d 100644
--- a/partition/roles/sonic/templates/metal.yaml.j2
+++ b/partition/roles/sonic/templates/metal.yaml.j2
@@ -1,5 +1,6 @@ #jinja2: lstrip_blocks: "False", trim_blocks: "False" --- +{% set vrfs = [] %} DEVICE_METADATA: localhost: docker_routing_config_mode: "{{ sonic_docker_routing_config_mode }}" @@ -78,6 +79,7 @@ INTERFACE: ipv6_use_link_local_only: enable {% endif %} {% if port.vrf is defined %} + {% set vrfs = vrfs.append(port.vrf) %} vrf_name: "{{ port.vrf }}" {% endif %} {% elif port.ips is defined %} @@ -169,6 +171,7 @@ VLAN: VLAN_INTERFACE: {% for vlan in sonic_vlans %} {% if vlan.vrf is defined %} + {% set vrfs = vrfs.append(vlan.vrf) %} Vlan{{ vlan.id }}: {% if vlan.sag is defined and vlan.sag %} static_anycast_gateway: "true" @@ -220,9 +223,11 @@ VXLAN_TUNNEL_MAP: VRF: {% endif %} +{% set defined_vrfs = [] %} {% if sonic_interconnects is defined and sonic_interconnects|length > 0 %} {% for k, i in sonic_interconnects.items() %} {% if i.vrf is defined %} + {% set defined_vrfs = defined_vrfs.append(i.vrf) %} {% if i.vni is defined %} {{ i.vrf }}: vni: "{{ i.vni }}" @@ -232,6 +237,10 @@ VRF: {% endif %} {% endfor %} {% endif %} +{% set vrfs_to_add = vrfs | difference(defined_vrfs) | unique %} +{% for vrf in vrfs_to_add %} + {{ vrf }}: {} +{% endfor %} {% if sonic_lldp_hello_timer is defined %} LLDP: diff --git a/partition/roles/sonic/test/data/exit/input.yaml b/partition/roles/sonic/test/data/exit/input.yaml index f6dbdd15..80fc882b 100644 --- a/partition/roles/sonic/test/data/exit/input.yaml +++ b/partition/roles/sonic/test/data/exit/input.yaml @@ -15,6 +15,9 @@ sonic_ports_dict: vrf: VrfMpls ips: - 10.0.0.2/32 + Ethernet1: + speed: 10000 + vrf: VrfStorage # spine uplinks Ethernet112: Ethernet116: @@ -75,7 +78,9 @@ sonic_bgp_ports: sonic_vlans: - id: 4000 - vrf: vrfMpls + vrf: VrfMpls +- id: 4001 + vrf: VrfTest sonic_vteps: - comment: MPLS diff --git a/partition/roles/sonic/test/data/exit/metal.yaml b/partition/roles/sonic/test/data/exit/metal.yaml index 4c2a5bc8..1be9cdb3 100644 --- a/partition/roles/sonic/test/data/exit/metal.yaml 
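Review bot: `{% set vrfs = vrfs.append(port.vrf) %}` in the INTERFACE loop rebinds `vrfs` to the `None` that `list.append` returns; it only works because Jinja scopes a `set` inside a loop to that loop body and the outer list is mutated as a side effect, which reads like a bug to the next maintainer. Use a throwaway target so the side effect is the visible intent: `{% set _ = vrfs.append(port.vrf) %}`. The same pattern appears in the VLAN_INTERFACE hunk (`vlan.vrf`) and in the VRF hunk (`defined_vrfs.append(i.vrf)`). A one-line comment next to the top-level `{% set vrfs = [] %}` saying it is a collector filled by the INTERFACE and VLAN_INTERFACE loops and consumed in the VRF block would also help, since the two ends of that data flow are more than 200 lines apart.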
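Review bot: The order of the `{{ vrf }}: {}` entries emitted after the interconnect loop comes from `vrfs | difference(defined_vrfs) | unique`; if the installed `difference` filter is set-based rather than order-preserving, the rendered VRF block can change order between runs and the template task reports a change every time. Appending `| sort` makes the output stable regardless of the filter implementation, and `unique` is likely redundant because current `difference` implementations already deduplicate: `{% set vrfs_to_add = vrfs | difference(defined_vrfs) | sort %}`. The VRF block this is appended to starts outside the hunk, so it is worth checking that the new entries always land under the `VRF:` key and not after a conditional that can suppress it.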
+++ b/partition/roles/sonic/test/data/exit/metal.yaml @@ -38,6 +38,8 @@ INTERFACE: Ethernet0: vrf_name: "VrfMpls" Ethernet0|10.0.0.2/32: {} + Ethernet1: + vrf_name: "VrfStorage" Ethernet112: ipv6_use_link_local_only: enable Ethernet116: @@ -70,6 +72,8 @@ PORT: parent_port: Ethernet0 admin_status: up speed: "10000" + mtu: "9216" + fec: none Ethernet2: alias: Eth1/3(Port1) autoneg: "off" @@ -110,10 +114,14 @@ PORT: VLAN: Vlan4000: vlanid: 4000 + Vlan4001: + vlanid: 4001 VLAN_INTERFACE: Vlan4000: - vrf_name: "vrfMpls" + vrf_name: "VrfMpls" + Vlan4001: + vrf_name: "VrfTest" VLAN_MEMBER: @@ -134,6 +142,8 @@ VXLAN_TUNNEL_MAP: VRF: VrfMpls: vni: "104000" + VrfStorage: {} + VrfTest: {} LLDP: Global: diff --git a/partition/roles/sonic/test/template_test.py b/partition/roles/sonic/test/template_test.py old mode 100644 new mode 100755 From 867c016536fab319f7babb81dedef91d52e7670b Mon Sep 17 00:00:00 2001 From: Robert Volkmann <20912167+robertvolkmann@users.noreply.github.com> Date: Mon, 4 Nov 2024 09:57:19 +0100 Subject: [PATCH 3/8] Migrate to shoot_admin_kubeconfig (#342) --- .../tasks/deploy_cert.yaml | 24 ++++++++++++------- .../gardener-monitoring-certs/tasks/main.yaml | 5 ---- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/control-plane/roles/gardener-monitoring-certs/tasks/deploy_cert.yaml b/control-plane/roles/gardener-monitoring-certs/tasks/deploy_cert.yaml index 6eb113df..6a2dbe34 100644 --- a/control-plane/roles/gardener-monitoring-certs/tasks/deploy_cert.yaml +++ b/control-plane/roles/gardener-monitoring-certs/tasks/deploy_cert.yaml 
@@ -1,8 +1,7 @@ --- - name: Get seed kubeconfig - copy: - dest: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}" - content: "{{ lookup('k8s', kubeconfig='/tmp/kubeconfig.garden', api_version='v1', namespace='garden', kind='Secret', resource_name=gardener_shooted_seed.name+'.kubeconfig').get('data', {}).get('kubeconfig') | b64decode }}" + set_fact: + _seed_kubeconfig: "{{ gardener_seeds_virtual_garden_kubeconfig | shoot_admin_kubeconfig('garden', gardener_shooted_seed.name) | from_yaml }}" - name: Add seed ingress certificate k8s: @@ -19,15 +18,21 @@ secretRef: name: seed-ingress-certificate namespace: garden - kubeconfig: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}" + kubeconfig: "{{ _seed_kubeconfig }}" + apply: true - name: Wait until ingress secret is ready - command: echo + k8s_info: + api_version: v1 + kind: Secret + name: seed-ingress-certificate + namespace: garden + kubeconfig: "{{ _seed_kubeconfig }}" changed_when: false - retries: 60 + register: result delay: 10 - until: - - lookup('k8s', kubeconfig='/tmp/kubeconfig.'+gardener_shooted_seed.name, api_version='v1', namespace='garden', kind='Secret', resource_name='seed-ingress-certificate') + retries: 60 + until: result.resources | length > 0 - name: Prepare seed ingress certificate secret k8s: @@ -40,4 +45,5 @@ name: seed-ingress-certificate namespace: garden type: kubernetes.io/tls - kubeconfig: "/tmp/kubeconfig.{{ gardener_shooted_seed.name }}" + kubeconfig: "{{ _seed_kubeconfig }}" + apply: true diff --git a/control-plane/roles/gardener-monitoring-certs/tasks/main.yaml b/control-plane/roles/gardener-monitoring-certs/tasks/main.yaml index efb57ffc..f4185ff0 100644 --- a/control-plane/roles/gardener-monitoring-certs/tasks/main.yaml +++ b/control-plane/roles/gardener-monitoring-certs/tasks/main.yaml 
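Review bot: The new `k8s_info` wait task registers the whole `seed-ingress-certificate` Secret, TLS private key included, into `result`, and the `k8s` tasks now receive the admin kubeconfig inline as a module argument; both end up in task output on failure or at `-v`, where the previous on-disk kubeconfig only exposed a path. Add `no_log: true` to the wait task (the `until` expression still evaluates) and consider it on the `set_fact` and the two `k8s` tasks as well. Keeping the seed kubeconfig as a play-scoped fact instead of `/tmp/kubeconfig.<seed>` is the right direction; this note is only about keeping the material out of logs. Whether `kubeconfig` accepts a dict depends on the installed `kubernetes.core` version, so the role should state its minimum collection version.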
@@ -38,11 +38,6 @@ namespace: garden type: kubernetes.io/tls -- name: Write virtual garden kubeconfig - copy: - dest: "/tmp/kubeconfig.garden" - content: "{{ gardener_seeds_virtual_garden_kubeconfig }}" - - name: Loop over Gardener seeds include_tasks: deploy_cert.yaml loop: "{{ gardener_seeds_shooted_seeds }}" From 537d8cd5f6006994f0f1f096f86221d6dafa9dbb Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Wed, 6 Nov 2024 13:59:16 +0100 Subject: [PATCH 4/8] Add ssh options to mgmt_server role (#347) --- partition/roles/mgmt-server/README.md | 2 ++ partition/roles/mgmt-server/defaults/main.yaml | 1 + partition/roles/mgmt-server/templates/ssh_config.j2 | 3 +++ 3 files changed, 6 insertions(+) diff --git a/partition/roles/mgmt-server/README.md b/partition/roles/mgmt-server/README.md index 47fbda80..12628d8f 100644 --- a/partition/roles/mgmt-server/README.md +++ b/partition/roles/mgmt-server/README.md @@ -16,7 +16,9 @@ Configures a server to act as management server for a metal-stack partition. | mgmt_server_nameservers | | the nameservers to use (default is dns0.eu). | | mgmt_server_router_id | yes | the router-id to use for routing. | | mgmt_server_spine_facing_interface | yes | the interface where the management spine is connected at the management server. | +| mgmt_server_metal_ssh_key_filename | | the filename of the private ssh key | | mgmt_server_metal_ssh_groups | | the ansible group to include into the ssh config | +| mgmt_server_metal_ssh_options | | the options to add globally to the ssh config | | mgmt_server_metal_ssh_privkey | yes | the private SSH key of the `metal` admin user for connecting to the other components | | mgmt_server_metal_ssh_pubkey | yes | the public SSH key of the `metal` admin user for connecting to the other components | | mgmt_server_preserve_dhcp_route | no | preserve the dhcp (default) route the mgmt server got from the mgmt firewall | 
diff --git a/partition/roles/mgmt-server/defaults/main.yaml b/partition/roles/mgmt-server/defaults/main.yaml index cb467ef5..50eada60 100644 --- a/partition/roles/mgmt-server/defaults/main.yaml +++ b/partition/roles/mgmt-server/defaults/main.yaml @@ -22,4 +22,5 @@ mgmt_server_frr_repo: frr-8 mgmt_server_provide_default_route: false mgmt_server_metal_ssh_groups: "{{ groups.all }}" +mgmt_server_metal_ssh_options: [] mgmt_server_metal_ssh_key_filename: id_rsa diff --git a/partition/roles/mgmt-server/templates/ssh_config.j2 b/partition/roles/mgmt-server/templates/ssh_config.j2 index eaea27ff..fd49aac5 100644 --- a/partition/roles/mgmt-server/templates/ssh_config.j2 +++ b/partition/roles/mgmt-server/templates/ssh_config.j2 @@ -1,3 +1,6 @@ +{% for option in mgmt_server_metal_ssh_options %} +{{ option}} +{% endfor %} {% for host in mgmt_server_metal_ssh_groups %} {% if hostvars[host].ansible_host is defined %} {% if hostvars[host].ansible_user is defined %} From e0a6247f23cf0863993df610507eb827b6ffe691 Mon Sep 17 00:00:00 2001 From: Ilja Rotar <77339620+iljarotar@users.noreply.github.com> Date: Wed, 6 Nov 2024 14:16:58 +0100 Subject: [PATCH 5/8] reboot mgmtserver if interfaces were not renamed successfully (#346) --- partition/roles/systemd-networkd/tasks/main.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/partition/roles/systemd-networkd/tasks/main.yaml b/partition/roles/systemd-networkd/tasks/main.yaml index 84ff34f3..a14d9a86 100644 --- a/partition/roles/systemd-networkd/tasks/main.yaml +++ b/partition/roles/systemd-networkd/tasks/main.yaml @@ -52,6 +52,13 @@ loop_control: index_var: i +- name: Update ansible facts + setup: + +- name: Reboot if interfaces were not renamed successfully + reboot: + when: "(systemd_networkd_nics | map(attribute='name')) is not subset(ansible_facts.interfaces)" + - name: Render systemd-networkd vlan netdev config template: src: vlan.netdev.j2 From cc59b25e51c9b1265c0193d523f8ca2382a782af Mon Sep 17 00:00:00 2001 
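Review bot: The options loop is rendered before the `Host` stanzas, and ssh_config(5) uses the first obtained value for each parameter, so anything in `mgmt_server_metal_ssh_options` overrides the per-host settings that the following `mgmt_server_metal_ssh_groups` loop emits (presumably at least `User` from `ansible_user`) instead of acting as a default. If global defaults are intended, emit the loop after the host blocks under a `Host *` stanza; if overrides are intended, the README row should say so, because "the options to add globally to the ssh config" does not convey the precedence. Also `{{ option}}` is missing the space before the closing braces: `{{ option }}`.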
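Review bot: The new `reboot` task fires whenever a configured NIC name is missing from `ansible_facts.interfaces`, but nothing checks afterwards that the reboot actually produced the renamed interfaces, so a wrong MAC or name in `systemd_networkd_nics` means a reboot on every play run while the vlan netdev templates below are rendered against interfaces that do not exist. Re-gather facts after the reboot and fail loudly if the rename still did not take effect, so the misconfiguration surfaces once instead of as a reboot loop. A short comment on why a reboot (rather than a networkd/udev reload) is required would also help the next reader.
```yaml
- name: Reboot if interfaces were not renamed successfully
  reboot:
  when: "(systemd_networkd_nics | map(attribute='name')) is not subset(ansible_facts.interfaces)"

- name: Update ansible facts after reboot
  setup:

- name: Verify interfaces were renamed
  assert:
    that: "(systemd_networkd_nics | map(attribute='name')) is subset(ansible_facts.interfaces)"
    fail_msg: "systemd-networkd did not rename all interfaces listed in systemd_networkd_nics"

# … unchanged: Render systemd-networkd vlan netdev config …
```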
From: Gerrit
Date: Fri, 8 Nov 2024 08:49:45 +0100
Subject: [PATCH 6/8] Fix deployment of updated networking-cilium extension. (#349)

---
 .../templates/networking-cilium/controller-deployment.yaml | 7 +++----
 .../os-metal-extension/controller-deployment.yaml | 1 -
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml
index e620be21..12133747 100644
--- a/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml
+++ b/control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml
@@ -1,11 +1,10 @@
 ---
-apiVersion: core.gardener.cloud/v1beta1
+apiVersion: core.gardener.cloud/v1
 kind: ControllerDeployment
 metadata:
   name: networking-cilium
-type: helm
-providerConfig:
-  chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_networking_cilium_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_networking_cilium_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
   values:
     image:
       repository: "{{ gardener_networking_cilium_image_name }}"
diff --git a/control-plane/roles/gardener/templates/os-metal-extension/controller-deployment.yaml b/control-plane/roles/gardener/templates/os-metal-extension/controller-deployment.yaml
index 03f37294..50bb8f7e 100644
--- a/control-plane/roles/gardener/templates/os-metal-extension/controller-deployment.yaml
+++ b/control-plane/roles/gardener/templates/os-metal-extension/controller-deployment.yaml
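Review bot: `rawChart` is still fetched at deploy time from raw.githubusercontent.com at `gardener_networking_cilium_repo_ref`, and the `[0]` index assumes the ControllerDeployment is the first document in upstream's `example/controller-registration.yaml`; if that variable holds a branch name rather than a tag or commit SHA, the chart embedded into the garden cluster is whatever the branch points to when the play runs, which is neither reproducible nor auditable. Document in the role that the ref must be a tag or commit (and ideally assert that before the lookup), and consider a `default` on the `.helm.rawChart` access so a changed upstream layout fails with a readable message rather than an attribute error deep inside the template. The `values:` block below the change continues outside the hunk.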
@@ -3,7 +3,6 @@ apiVersion: core.gardener.cloud/v1 kind: ControllerDeployment metadata: name: os-metal -type: helm helm: rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/metal-stack/os-metal-extension/' + gardener_os_controller_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}" values: From 7148cac71ffbf4dcdbddc1f44b1bdd4fc9c9fc0f Mon Sep 17 00:00:00 2001 From: Markus Fensterer Date: Fri, 8 Nov 2024 11:22:22 +0100 Subject: [PATCH 7/8] conditional address --- partition/roles/systemd-networkd/templates/vlan.network.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/partition/roles/systemd-networkd/templates/vlan.network.j2 b/partition/roles/systemd-networkd/templates/vlan.network.j2 index 4eb64f43..389236c5 100644 --- a/partition/roles/systemd-networkd/templates/vlan.network.j2 +++ b/partition/roles/systemd-networkd/templates/vlan.network.j2 @@ -5,5 +5,7 @@ Type=vlan [Link] MTUBytes={{ item.mtu | default(systemd_networkd_mtu) }} +{% if item.address is defined %} [Network] Address={{ item.address }} +{% endif %} From 0d5b93c3e8fbed17b70cf2965715cddb76d48c65 Mon Sep 17 00:00:00 2001 From: Simon Mayer <49491825+simcod@users.noreply.github.com> Date: Mon, 11 Nov 2024 14:12:11 +0100 Subject: [PATCH 8/8] Gardener logging stack (#344) --- control-plane/roles/gardener/README.md | 1 + control-plane/roles/gardener/defaults/main/gardener.yaml | 2 ++ control-plane/roles/gardener/templates/gardenlet-values.j2 | 7 ++++++- control-plane/roles/gardener/templates/managed-seed.j2 | 7 ++++++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md index 9030a3c0..f843fb47 100644 --- a/control-plane/roles/gardener/README.md +++ b/control-plane/roles/gardener/README.md 
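Review bot: With the new guard a VLAN item without `address` now renders a `.network` file with no `[Network]` section at all, and whether that is meant to produce an L2-only VLAN link is not obvious from the template. If that is the intent, a comment above the guard such as `{# address is optional: without it only [Match]/[Link] are rendered #}` records it, and the role README should state that `address` is optional for these items.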
@@ -38,6 +38,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt | gardener_kube_api_server_kubeconfig | | The kubeconfig for the Gardener Kubernetes API (virtual garden apiserver) | | gardener_kube_apiserver_kubeconfig_path | | The acts on multiple Kubernetes APIs, this is where it puts the kubeconfig of the Gardener Kubernetes API | | gardener_local_tmp_dir | | The acts on multiple Kubernetes APIs, this is a local folder in the deployment container to store the kubeconfigs (ephemeral) | +| gardener_logging_enabled | | Specifies whether the logging Gardener logging stack should be activated in the Gardenlet | ### Virtual Garden diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml index b062f5f6..eac992ff 100644 --- a/control-plane/roles/gardener/defaults/main/gardener.yaml +++ b/control-plane/roles/gardener/defaults/main/gardener.yaml @@ -110,3 +110,5 @@ gardener_shooted_seed_rollout_delay_minutes: gardener_kube_api_server_kubeconfig: "{{ 'garden-kube-apiserver' | kubeconfig_from_cert(gardener_kube_api_server_ca, gardener_kube_api_server_client_cert, gardener_kube_api_server_client_key, prepend_https=true) }}" gardener_kube_apiserver_kubeconfig_path: "{{ gardener_local_tmp_dir }}/garden-kube-apiserver-kubeconfig" gardener_local_tmp_dir: "{{ playbook_dir }}/.ansible/tmp" + +gardener_logging_enabled: false diff --git a/control-plane/roles/gardener/templates/gardenlet-values.j2 b/control-plane/roles/gardener/templates/gardenlet-values.j2 index d041d83c..b8e0f9f0 100644 --- a/control-plane/roles/gardener/templates/gardenlet-values.j2 +++ b/control-plane/roles/gardener/templates/gardenlet-values.j2 
@@ -22,6 +22,11 @@ config: # allow setting shoot ignore annotation: respectSyncPeriodOverwrite: {{ gardener_gardenlet_shoot_respect_sync_period_overwrite }} +{% if gardener_logging_enabled %} + logging: + enabled: true +{% endif %} + seedConfig: apiVersion: core.gardener.cloud/v1beta1 kind: Seed @@ -78,4 +83,4 @@ imageVectorOverwrite: | {% if gardener_component_image_vector_overwrite %} componentImageVectorOverwrites: | {{ gardener_component_image_vector_overwrite | to_yaml | indent(width=4, first=false) }} -{% endif %} +{% endif %} \ No newline at end of file diff --git a/control-plane/roles/gardener/templates/managed-seed.j2 b/control-plane/roles/gardener/templates/managed-seed.j2 index 336a5297..a79b5f7c 100644 --- a/control-plane/roles/gardener/templates/managed-seed.j2 +++ b/control-plane/roles/gardener/templates/managed-seed.j2 @@ -40,6 +40,11 @@ spec: visible: {{ gardener_shooted_seed.visible | default(true) }} shootDNS: enabled: true +{% if gardener_logging_enabled %} + logging: + enabled: true +{% endif %} + deployment: image: pullPolicy: IfNotPresent @@ -48,4 +53,4 @@ spec: vpa: true mergeWithParent: true shoot: - name: "{{ gardener_shooted_seed.name }}" + name: "{{ gardener_shooted_seed.name }}" \ No newline at end of file
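Review bot: The second hunk in gardenlet-values.j2 changes only the final `{% endif %}` line to drop its trailing newline (`\ No newline at end of file`), and the last hunk in managed-seed.j2 does the same to its closing `name:` line; this looks like an editor artifact rather than an intended change and will show up as noise in every later diff. Restore the trailing newline in both templates. The `logging:` block itself reads fine, but since this patch format does not preserve indentation it is worth a quick check that the rendered key lands under `config:` in gardenlet-values.j2 and under the intended parent in managed-seed.j2 rather than at the `seedConfig`/`deployment` level.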