[provider-local] Harmonize local VPN setup with real-world scenario #9752
Skipping CI for Draft Pull Request.
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
928e29f to a483ac7
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
a483ac7 to d8873a1
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
305949a to 6259b95
EDIT: we added workarounds to make the upgrade tests pass even we perform the
90822ed to 1caa265
/assign
Thanks for bringing the local setup closer to Gardener in the real world.
It looks like there are still some end-to-end tests failing, though.
1caa265 to 993a8bd
…ovider-local#42" This reverts commit 7ec12fe.
no longer needed now that MCM-provider-local no longer deploys a `Service`
This network policy is not needed since packets to the shoot networks are always encapsulated in the VPN tunnel and never handled by the seed network policies. Co-authored-by: Tim Ebert <timebertt@gmail.com>
The shoot networks are always "contacted" via the VPN tunnel (which is established FROM the machine pods TO the `vpn-seed-server`). Co-authored-by: Tim Ebert <timebertt@gmail.com>
Co-authored-by: Tim Ebert <timebertt@gmail.com>
Co-Authored-By: Rafael Franzke <rafael.franzke@sap.com> Co-Authored-By: Marcel Boehm <marcel.boehm@inovex.de>
Co-Authored-By: Johannes Scheerer <johannes.scheerer@sap.com>
7218483 to e4f54b4
/lgtm
LGTM label has been added. Git tree hash: 3126d936a08bf1c4238dcf512c1b1fd428a9d7e4
As soon as you do it right, it works 😉
…N fix (from gardener#9752, released with `v1.96.0`)
* Bump github.com/gardener/gardener from 1.95.1 to 1.96.0

  Bumps [github.com/gardener/gardener](https://github.com/gardener/gardener) from 1.95.1 to 1.96.0.
  - [Release notes](https://github.com/gardener/gardener/releases)
  - [Commits](gardener/gardener@v1.95.1...v1.96.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/gardener/gardener
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* [dependabot skip] make tidy
* Adapt to change in the monitoring API
* Run make generate
* Fix script to work with already cloned repo and v1.ControllerDeployment
* Nodes CIDR becomes mandatory since gardener/gardener#9752

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: gardener-robot-ci-1 <gardener.ci.user@gmail.com>
Co-authored-by: vpnachev <vladimir.nachev@sap.com>
* Remove deprecated fields from `OperatingSystemConfig` (from #9477, released with `v1.92.0`)
* Remove cleanup of old `kube-apiserver` `Ingress` resource (from #9300, released with `v1.91.0`)
* Remove Istio zone migration code (from #9304 and #9457, released with `v1.91.0` and `v1.92.0`)
* Increase removal period of `<name>.ca-cluster` `Secret`

  To give users more time to adapt
* Remove PVC migration for `garden` Prometheus (from #9543, released with `v1.93.0`)
* Remove PVC migration for `longterm` Prometheus (from #9606, released with `v1.94.0`)
* Drop migration code in `skaffold.yaml` for `core.gardener.cloud/v1` API (from #9771, released with `v1.96.0`)
* Remove migration code for e2e upgrade tests after `provider-local` VPN fix (from #9752, released with `v1.96.0`)
* Remove cleanup of old `vali` `VerticalPodAutoscaler`s (from #9681, released with `v1.94.0`)
* Remove cleanup code after making `Secret`s of `ManagedResource`s immutable (from #8116, released with `v1.77.0`)
* Remove cleanup code of resources of legacy `cloud-config-downloader` (from #8847, released with `v1.85.0`)
* Revert "Remove Istio zone migration code"

  This reverts commit 8850346.
* Increase removal period of Istio zone migration code
* Bump github.com/gardener/gardener from 1.95.2 to 1.96.1

  Bumps [github.com/gardener/gardener](https://github.com/gardener/gardener) from 1.95.2 to 1.96.1.
  - [Release notes](https://github.com/gardener/gardener/releases)
  - [Commits](gardener/gardener@v1.95.2...v1.96.1)

  ---
  updated-dependencies:
  - dependency-name: github.com/gardener/gardener
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
* [GEP-19] Adapt monitoring configuration
* Use `core.gardener.cloud/v1.ControllerDeployment` - ref: gardener/gardener#9771.
  Exclude local-setup from the REUSE compliance check.
  Fix the skaffold dependencies check - ref: gardener/gardener#9778 & gardener/gardener#8766.
* Fix e2e tests

  Ref: gardener/gardener#9752

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dimitar Kostadinov <dimitar.kostadinov@sap.com>
How to categorize this PR?
/area dev-productivity
/kind enhancement
What this PR does / why we need it:
Currently, in the local scenario, some pods talk to the machine pods directly (instead of using the VPN tunnel). See the referenced issue for a more detailed description.
This PR harmonizes the local VPN setup by specifying the node network for `Shoot`s and creating a dedicated IP pool. With this, the VPN components correctly configure IP routes for talking to the shoot node network.
As a consequence, all traffic correctly traverses the VPN tunnel and gardenlet's tunnel health check reliably detects a broken tunnel.
Which issue(s) this PR fixes:
Part of #9604
Fixes #9020
See also: https://github.com/gardener-community/hackathon/blob/main/2024-05_Schelklingen/README.md#-harmonize-local-vpn-setup-with-real-world-scenario
Special notes for your reviewer:
/cc @timebertt
We need to do some workarounds for making the e2e upgrade tests pass for this specific version. The workarounds are only active until the next minor release.
Release note:
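
The routing effect described in this PR, as an added example that is not part of the PR or of Gardener's code: a simplified longest-prefix-match lookup showing that a destination in the shoot node network leaves via the tunnel device only once the nodes CIDR is specified and a route for it exists. The CIDRs, the machine pod address and the device names `eth0` and `tun0` are constructed assumptions, and `vpnRoutes` is a hypothetical helper.

```go
package main

import (
	"fmt"
	"net/netip"
)

// route is one entry of a simplified routing table: destination prefix -> device.
type route struct {
	dst netip.Prefix
	dev string
}

// lookup returns the device chosen by longest-prefix match.
func lookup(table []route, ip netip.Addr) string {
	best, dev := -1, "unreachable"
	for _, r := range table {
		if r.dst.Contains(ip) && r.dst.Bits() > best {
			best, dev = r.dst.Bits(), r.dev
		}
	}
	return dev
}

// vpnRoutes (hypothetical) adds one tunnel route per known shoot network; unset prefixes are skipped.
func vpnRoutes(base []route, tunnel string, shootNets ...netip.Prefix) []route {
	out := append([]route{}, base...)
	for _, p := range shootNets {
		if p.IsValid() {
			out = append(out, route{p, tunnel})
		}
	}
	return out
}

// Constructed sample values (assumptions, not taken from the PR).
var (
	seedBase   = []route{{netip.MustParsePrefix("0.0.0.0/0"), "eth0"}}
	shootPods  = netip.MustParsePrefix("10.3.0.0/16")
	shootNodes = netip.MustParsePrefix("10.10.0.0/16")
	machinePod = netip.MustParseAddr("10.10.0.7")
)

func main() {
	before := vpnRoutes(seedBase, "tun0", shootPods, netip.Prefix{})
	after := vpnRoutes(seedBase, "tun0", shootPods, shootNodes)
	fmt.Println("nodes CIDR unset:", lookup(before, machinePod))
	fmt.Println("nodes CIDR set:  ", lookup(after, machinePod))
}
```

In this model, traffic to the machine pod bypasses the tunnel when the nodes CIDR is unset, which is why a tunnel health check alone would not notice a broken tunnel for that traffic.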