Hello operator.

metal-stack · Nov 25, 2024 · c8da7cc · c8da7cc
1 parent 78fe958
commit c8da7cc
Show file tree

Hide file tree

Showing 9 changed files with 583 additions and 46 deletions.
diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml
@@ -2,6 +2,8 @@
 gardener_image_vector_overwrite:
 gardener_component_image_vector_overwrite:
 
+gardener_operator_enabled: false
+
 gardener_apiserver_replicas: 1
 gardener_apiserver_vpa: true
 gardener_apiserver_feature_gates: {}
@@ -35,6 +37,9 @@ gardener_dns_domain:
 gardener_dns_provider:
 
 gardener_backup_infrastructure:
+  provider: local
+  bucket: gardener-operator
+
   # provider: gcp
   # region:
   # secretRef:
@@ -48,6 +53,8 @@ gardener_backup_infrastructure:
   # secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
 
 gardener_backup_infrastructure_secret:
+  hostPath: "{{ '/etc/gardener/local-backupbuckets' | b64encode }}"
+
   # for gcp:
   # serviceaccount.json: "{{ gardener_backup_infrastructure_service_account_json | b64encode }}"
   #

diff --git a/control-plane/roles/gardener/defaults/main/operator.yaml b/control-plane/roles/gardener/defaults/main/operator.yaml
@@ -0,0 +1,4 @@
+---
+# TODO: move to image vector:
+gardener_operator_image_name: europe-docker.pkg.dev/gardener-project/releases/gardener/operator
+gardener_operator_image_tag: "{{ gardener_gardenlet_image_tag }}"
diff --git a/...-plane/roles/gardener/tasks/gardener.yaml → ...asks/gardener_control_plane_obsolete.yaml b/...-plane/roles/gardener/tasks/gardener.yaml → ...asks/gardener_control_plane_obsolete.yaml
@@ -1,45 +1,4 @@
 ---
-- name: Clone Gardener
-  git:
-    repo: "{{ gardener_repo_url }}"
-    dest: "{{ gardener_local_tmp_dir }}/gardener"
-    depth: 1
-    version: "{{ gardener_repo_ref }}"
-
-- name: Create garden namespace (in virtual apiserver)
-  k8s:
-    definition:
-      apiVersion: v1
-      kind: Namespace
-      metadata:
-        name: garden
-        labels:
-          app: gardener
-    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
-
-- name: Deploy domain secrets (in virtual apiserver)
-  k8s:
-    definition:
-      apiVersion: v1
-      kind: Secret
-      metadata:
-        namespace: garden
-        annotations:
-          helm.sh/resource-policy: keep
-          dns.gardener.cloud/domain: "{{ gardener_dns_domain }}"
-          dns.gardener.cloud/provider: "{{ gardener_dns_provider }}"
-        labels:
-          app: gardener
-          gardener.cloud/role: "{{ item }}"
-        name: "{{ item }}-{{ gardener_dns_domain | regex_replace('\\.', '-') }}"
-      type: Opaque
-      data: "{{ gardener_dns_credentials }}"
-    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
-    apply: true
-  loop:
-    - internal-domain
-    - default-domain
-
 - name: Deploy Gardener Control Plane (in virtual apiserver)
   include_role:
     name: ansible-common/roles/helm-chart

diff --git a/control-plane/roles/gardener/tasks/gardener_operator.yaml b/control-plane/roles/gardener/tasks/gardener_operator.yaml
@@ -0,0 +1,134 @@
+---
+- name: Create backup infrastructure secret
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: virtual-garden-etcd-main-backup-secret
+        namespace: garden
+      type: Opaque
+      data: "{{ gardener_backup_infrastructure_secret }}"
+    apply: yes
+
+- name: Create backup directory for local deployment
+  import_tasks: local_backup.yaml
+  when:  gardener_backup_infrastructure.provider == "local"
+
+# TODO: prepare migration here
+# - label existing secrets like CA, ETCD encryption key, accordingly
+# - scale down existing components (gardener control plane + virtual garden with ETCD)
+
+- name: Deploy Gardener Operator
+  include_role:
+    name: ansible-common/roles/helm-chart
+  vars:
+    helm_timeout: "600s"
+    helm_chart: "{{ gardener_local_tmp_dir }}/gardener/charts/gardener/operator"
+    helm_release_name: operator
+    helm_target_namespace: garden
+    helm_value_file_template: gardener-operator-values.j2
+
+- name: Create Garden
+  k8s:
+    definition: "{{ lookup('template', 'garden.yaml') }}"
+    apply: yes
+
+- name: Wait until Garden is ready
+  kubernetes.core.k8s_info:
+    api_version: "operator.gardener.cloud/v1alpha1"
+    kind: Garden
+    name: "local"
+    wait: yes
+    wait_condition:
+      status: "True"
+      type: "{{ item }}"
+    wait_timeout: 900
+  loop:
+    - VirtualComponentsHealthy
+    - RuntimeComponentsHealthy
+
+# TODO: we should expose through istio and Gardener Operator in the future?
+- name: Create ingress for virtual kube-apiserver
+  k8s:
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        annotations:
+          nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+        name: apiserver-ingress
+        namespace: garden
+      spec:
+        ingressClassName: nginx
+        rules:
+        - host: "{{ gardener_virtual_api_server_public_dns }}"
+          http:
+            paths:
+            - path: /
+              pathType: Prefix
+              backend:
+                service:
+                  name: virtual-garden-kube-apiserver
+                  port:
+                    number: 443
+        tls:
+        - hosts:
+          - "{{ gardener_virtual_api_server_public_dns }}"
+      apply: yes
+
+- name: Create virtual garden access secret
+  k8s:
+    apply: yes
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: Opaque
+      metadata:
+        name: shoot-access-virtual-garden
+        namespace: garden
+        labels:
+          resources.gardener.cloud/purpose: token-requestor
+          resources.gardener.cloud/class: shoot
+        annotations:
+          serviceaccount.resources.gardener.cloud/name: virtual-garden-user
+          serviceaccount.resources.gardener.cloud/namespace: kube-system
+          serviceaccount.resources.gardener.cloud/token-expiration-duration: 3h
+
+- name: Create virtual garden access managed resource secret
+  k8s:
+    apply: yes
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: managedresource-virtual-garden-access
+        namespace: garden
+      type: Opaque
+      stringData:
+        clusterrolebinding____gardener.cloud.virtual-garden-access.yaml: |
+          apiVersion: rbac.authorization.k8s.io/v1
+          kind: ClusterRoleBinding
+          metadata:
+            name: gardener.cloud.sap:virtual-garden
+          roleRef:
+            apiGroup: rbac.authorization.k8s.io
+            kind: ClusterRole
+            name: cluster-admin
+          subjects:
+          - kind: ServiceAccount
+            name: virtual-garden-user
+            namespace: kube-system
+
+- name: Create virtual garden access managed resource secret
+  k8s:
+    apply: yes
+    definition:
+      apiVersion: resources.gardener.cloud/v1alpha1
+      kind: ManagedResource
+      metadata:
+        name: virtual-garden-access
+        namespace: garden
+      spec:
+        secretRefs:
+        - name: managedresource-virtual-garden-access
diff --git a/control-plane/roles/gardener/tasks/local_backup.yaml b/control-plane/roles/gardener/tasks/local_backup.yaml
@@ -0,0 +1,33 @@
+---
+# this is only intended to used when running this on local kind setups
+- name: Create local backup directory
+  k8s:
+    definition:
+      apiVersion: batch/v1
+      kind: Job
+      metadata:
+        name: create-local-backup-dir
+      spec:
+        completions: 1
+        parallelism: 1
+        backoffLimit: 0
+        template:
+          spec:
+            containers:
+            - image: alpine
+              imagePullPolicy: IfNotPresent
+              name: create
+              command:
+                - mkdir
+                - -p
+                - "{{ gardener_backup_infrastructure_secret.hostPath | b64decode }}"
+            restartPolicy: Never
+    namespace: "garden"
+    wait: yes
+    apply: yes
+    wait_timeout: 30
+    wait_condition:
+      type: Complete
+      status: "True"
+  when:
+    - not lookup('k8s', api_version='batch/v1', namespace='garden', kind='Job', resource_name='create-local-backup-dir')
diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml
@@ -54,7 +54,7 @@
       - gardener_dns_provider is not none
       - gardener_cloud_profile_metal_api_url is not none
       - gardener_cloud_profile_metal_api_hmac is not none
-      - gardener_backup_infrastructure_secret is none or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"])
+      - gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["local", "gcp", "S3"]
       - gardener_cert_management_issuer_email is not none
 
 - name: Deploy required Seed CRDs
@@ -93,11 +93,58 @@
   when:
     - metal_control_plane_host_provider == "metal"
 
-- name: Deploy virtual garden
+- name: Clone Gardener
+  git:
+    repo: "{{ gardener_repo_url }}"
+    dest: "{{ gardener_local_tmp_dir }}/gardener"
+    depth: 1
+    version: "{{ gardener_repo_ref }}"
+
+- name: Deploy Gardener Operator
+  import_tasks: gardener_operator.yaml
+  when: gardener_operator_enabled
+
+- name: Deploy virtual garden (old way without operator)
   import_tasks: virtual_garden.yaml
+  when: not gardener_operator_enabled
+
+- name: Create garden namespace (in virtual apiserver)
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: garden
+        labels:
+          app: gardener
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+
+- name: Deploy domain secrets (in virtual apiserver)
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        namespace: garden
+        annotations:
+          helm.sh/resource-policy: keep
+          dns.gardener.cloud/domain: "{{ gardener_dns_domain }}"
+          dns.gardener.cloud/provider: "{{ gardener_dns_provider }}"
+        labels:
+          app: gardener
+          gardener.cloud/role: "{{ item }}"
+        name: "{{ item }}-{{ gardener_dns_domain | regex_replace('\\.', '-') }}"
+      type: Opaque
+      data: "{{ gardener_dns_credentials }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: true
+  loop:
+    - internal-domain
+    - default-domain
 
-- name: Deploy Gardener
-  import_tasks: gardener.yaml
+- name: Deploy Gardener Control Plane (old way without operator)
+  import_tasks: gardener_control_plane_obsolete.yaml
+  when: not gardener_operator_enabled
 
 - name: Register admission controllers
   import_tasks: admission_controllers.yaml

diff --git a/control-plane/roles/gardener/tasks/shooted_seed.yaml b/control-plane/roles/gardener/tasks/shooted_seed.yaml
@@ -11,7 +11,6 @@
       data: "{{ gardener_backup_infrastructure_secret }}"
     kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
     apply: yes
-  when: gardener_backup_infrastructure_secret
 
 - name: Add seed provider secret
   k8s: