/
shoot.go
765 lines (657 loc) · 30.9 KB
/
shoot.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
// SPDX-FileCopyrightText: 2024 SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package gardener
import (
"cmp"
"context"
"encoding/json"
"fmt"
"slices"
"strconv"
"strings"
"time"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets"
clientcmdlatest "k8s.io/client-go/tools/clientcmd/api/latest"
clientcmdv1 "k8s.io/client-go/tools/clientcmd/api/v1"
"k8s.io/component-base/version"
"k8s.io/utils/clock"
"k8s.io/utils/ptr"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/gardener/gardener/pkg/apis/core"
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
"github.com/gardener/gardener/pkg/controllerutils"
"github.com/gardener/gardener/pkg/utils"
kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
"github.com/gardener/gardener/pkg/utils/secrets"
"github.com/gardener/gardener/pkg/utils/timewindow"
)
// RespectShootSyncPeriodOverwrite checks whether to respect the sync period overwrite of a Shoot or not.
func RespectShootSyncPeriodOverwrite(respectSyncPeriodOverwrite bool, shoot *gardencorev1beta1.Shoot) bool {
return respectSyncPeriodOverwrite || shoot.Namespace == v1beta1constants.GardenNamespace
}
// ShouldIgnoreShoot determines whether a Shoot should be ignored or not.
func ShouldIgnoreShoot(respectSyncPeriodOverwrite bool, shoot *gardencorev1beta1.Shoot) bool {
if !RespectShootSyncPeriodOverwrite(respectSyncPeriodOverwrite, shoot) {
return false
}
value, ok := shoot.Annotations[v1beta1constants.ShootIgnore]
if !ok {
return false
}
ignore, _ := strconv.ParseBool(value)
return ignore
}
// IsShootFailedAndUpToDate checks if a Shoot is failed and the observed generation and gardener version are up-to-date.
func IsShootFailedAndUpToDate(shoot *gardencorev1beta1.Shoot) bool {
lastOperation := shoot.Status.LastOperation
return lastOperation != nil && lastOperation.State == gardencorev1beta1.LastOperationStateFailed &&
shoot.Generation == shoot.Status.ObservedGeneration &&
shoot.Status.Gardener.Version == version.Get().GitVersion
}
// IsNowInEffectiveShootMaintenanceTimeWindow checks if the current time is in the effective
// maintenance time window of the Shoot.
func IsNowInEffectiveShootMaintenanceTimeWindow(shoot *gardencorev1beta1.Shoot, clock clock.Clock) bool {
return EffectiveShootMaintenanceTimeWindow(shoot).Contains(clock.Now())
}
// LastReconciliationDuringThisTimeWindow returns true if <now> is contained in the given effective maintenance time
// window of the shoot and if the <lastReconciliation> did not happen longer than the longest possible duration of a
// maintenance time window.
func LastReconciliationDuringThisTimeWindow(shoot *gardencorev1beta1.Shoot, clock clock.Clock) bool {
if shoot.Status.LastOperation == nil {
return false
}
var (
timeWindow = EffectiveShootMaintenanceTimeWindow(shoot)
now = clock.Now()
lastReconciliation = shoot.Status.LastOperation.LastUpdateTime.Time
)
return timeWindow.Contains(lastReconciliation) && now.UTC().Sub(lastReconciliation.UTC()) <= gardencorev1beta1.MaintenanceTimeWindowDurationMaximum
}
// IsObservedAtLatestGenerationAndSucceeded checks whether the Shoot's generation has changed or if the LastOperation status
// is Succeeded.
func IsObservedAtLatestGenerationAndSucceeded(shoot *gardencorev1beta1.Shoot) bool {
lastOperation := shoot.Status.LastOperation
return shoot.Generation == shoot.Status.ObservedGeneration &&
(lastOperation != nil && lastOperation.State == gardencorev1beta1.LastOperationStateSucceeded)
}
// SyncPeriodOfShoot determines the sync period of the given shoot.
//
// If no overwrite is allowed, the defaultMinSyncPeriod is returned.
// Otherwise, the overwrite is parsed. If an error occurs or it is smaller than the defaultMinSyncPeriod,
// the defaultMinSyncPeriod is returned. Otherwise, the overwrite is returned.
func SyncPeriodOfShoot(respectSyncPeriodOverwrite bool, defaultMinSyncPeriod time.Duration, shoot *gardencorev1beta1.Shoot) time.Duration {
if !RespectShootSyncPeriodOverwrite(respectSyncPeriodOverwrite, shoot) {
return defaultMinSyncPeriod
}
syncPeriodOverwrite, ok := shoot.Annotations[v1beta1constants.ShootSyncPeriod]
if !ok {
return defaultMinSyncPeriod
}
syncPeriod, err := time.ParseDuration(syncPeriodOverwrite)
if err != nil {
return defaultMinSyncPeriod
}
if syncPeriod < defaultMinSyncPeriod {
return defaultMinSyncPeriod
}
return syncPeriod
}
// EffectiveMaintenanceTimeWindow cuts a maintenance time window at the end with a guess of 15 minutes. It is subtracted from the end
// of a maintenance time window to use a best-effort kind of finishing the operation before the end.
// Generally, we can't make sure that the maintenance operation is done by the end of the time window anyway (considering large
// clusters with hundreds of nodes, a rolling update will take several hours).
func EffectiveMaintenanceTimeWindow(timeWindow *timewindow.MaintenanceTimeWindow) *timewindow.MaintenanceTimeWindow {
return timeWindow.WithEnd(timeWindow.End().Add(0, -15, 0))
}
// EffectiveShootMaintenanceTimeWindow returns the effective MaintenanceTimeWindow of the given Shoot.
func EffectiveShootMaintenanceTimeWindow(shoot *gardencorev1beta1.Shoot) *timewindow.MaintenanceTimeWindow {
maintenance := shoot.Spec.Maintenance
if maintenance == nil || maintenance.TimeWindow == nil {
return timewindow.AlwaysTimeWindow
}
timeWindow, err := timewindow.ParseMaintenanceTimeWindow(maintenance.TimeWindow.Begin, maintenance.TimeWindow.End)
if err != nil {
return timewindow.AlwaysTimeWindow
}
return EffectiveMaintenanceTimeWindow(timeWindow)
}
// GetShootNameFromOwnerReferences attempts to get the name of the Shoot object which owns the passed in object.
// If it is not owned by a Shoot, an empty string is returned.
func GetShootNameFromOwnerReferences(objectMeta metav1.Object) string {
for _, ownerRef := range objectMeta.GetOwnerReferences() {
if ownerRef.Kind == "Shoot" {
return ownerRef.Name
}
}
return ""
}
// NodeLabelsForWorkerPool returns a combined map of all user-specified and gardener-managed node labels.
func NodeLabelsForWorkerPool(workerPool gardencorev1beta1.Worker, nodeLocalDNSEnabled bool) map[string]string {
// copy worker pool labels map
labels := utils.MergeStringMaps(workerPool.Labels)
if labels == nil {
labels = map[string]string{}
}
labels["node.kubernetes.io/role"] = "node"
labels["kubernetes.io/arch"] = *workerPool.Machine.Architecture
labels[v1beta1constants.LabelNodeLocalDNS] = strconv.FormatBool(nodeLocalDNSEnabled)
if v1beta1helper.SystemComponentsAllowed(&workerPool) {
labels[v1beta1constants.LabelWorkerPoolSystemComponents] = "true"
}
// worker pool name labels
labels[v1beta1constants.LabelWorkerPool] = workerPool.Name
labels[v1beta1constants.LabelWorkerPoolDeprecated] = workerPool.Name
// add CRI labels selected by the RuntimeClass
if workerPool.CRI != nil {
labels[extensionsv1alpha1.CRINameWorkerLabel] = string(workerPool.CRI.Name)
if len(workerPool.CRI.ContainerRuntimes) > 0 {
for _, cr := range workerPool.CRI.ContainerRuntimes {
key := fmt.Sprintf(extensionsv1alpha1.ContainerRuntimeNameWorkerLabel, cr.Type)
labels[key] = "true"
}
}
}
return labels
}
const (
// ShootProjectSecretSuffixKubeconfig is a constant for a shoot project secret with suffix 'kubeconfig'.
ShootProjectSecretSuffixKubeconfig = "kubeconfig"
// ShootProjectSecretSuffixCACluster is a constant for a shoot project secret with suffix 'ca-cluster'.
// Deprecated: This constant is deprecated in favor of ShootProjectConfigMapSuffixCACluster
ShootProjectSecretSuffixCACluster = "ca-cluster"
// ShootProjectSecretSuffixCAClient is a constant for a shoot project secret with suffix 'ca-client'.
ShootProjectSecretSuffixCAClient = "ca-client"
// ShootProjectSecretSuffixSSHKeypair is a constant for a shoot project secret with suffix 'ssh-keypair'.
ShootProjectSecretSuffixSSHKeypair = v1beta1constants.SecretNameSSHKeyPair
// ShootProjectSecretSuffixOldSSHKeypair is a constant for a shoot project secret with suffix 'ssh-keypair.old'.
ShootProjectSecretSuffixOldSSHKeypair = v1beta1constants.SecretNameSSHKeyPair + ".old"
// ShootProjectSecretSuffixMonitoring is a constant for a shoot project secret with suffix 'monitoring'.
ShootProjectSecretSuffixMonitoring = "monitoring"
// ShootProjectConfigMapSuffixCACluster is a constant for a shoot project secret with suffix 'ca-cluster'.
ShootProjectConfigMapSuffixCACluster = "ca-cluster"
)
// GetShootProjectSecretSuffixes returns the list of shoot-related project secret suffixes.
func GetShootProjectSecretSuffixes() []string {
return []string{
ShootProjectSecretSuffixKubeconfig,
ShootProjectSecretSuffixCACluster,
ShootProjectSecretSuffixSSHKeypair,
ShootProjectSecretSuffixOldSSHKeypair,
ShootProjectSecretSuffixMonitoring,
}
}
// GetShootProjectInternalSecretSuffixes returns the list of shoot-related project internal secret suffixes.
func GetShootProjectInternalSecretSuffixes() []string {
return []string{
ShootProjectSecretSuffixCAClient,
}
}
// GetShootProjectConfigMapSuffixes returns the list of shoot-related project config map suffixes.
func GetShootProjectConfigMapSuffixes() []string {
return []string{
ShootProjectConfigMapSuffixCACluster,
}
}
func shootProjectResourceSuffix(suffix string) string {
return "." + suffix
}
// ComputeShootProjectResourceName computes the name of a shoot-related project resource.
func ComputeShootProjectResourceName(shootName, suffix string) string {
return shootName + shootProjectResourceSuffix(suffix)
}
// IsShootProjectSecret checks if the given name matches the name of a shoot-related project secret. If no, it returns
// an empty string and <false>. Otherwise, it returns the shoot name and <true>.
func IsShootProjectSecret(secretName string) (string, bool) {
for _, v := range GetShootProjectSecretSuffixes() {
if suffix := shootProjectResourceSuffix(v); strings.HasSuffix(secretName, suffix) {
return strings.TrimSuffix(secretName, suffix), true
}
}
return "", false
}
// IsShootProjectInternalSecret checks if the given name matches the name of a shoot-related project internal secret.
// If no, it returns an empty string and <false>. Otherwise, it returns the shoot name and <true>.
func IsShootProjectInternalSecret(secretName string) (string, bool) {
for _, v := range GetShootProjectInternalSecretSuffixes() {
if suffix := shootProjectResourceSuffix(v); strings.HasSuffix(secretName, suffix) {
return strings.TrimSuffix(secretName, suffix), true
}
}
return "", false
}
// ComputeManagedShootIssuerSecretName returns the name that should be used for
// storing the service account public keys of a shoot's kube-apiserver
// in the gardener-system-shoot-issuer namespace in the Garden cluster.
func ComputeManagedShootIssuerSecretName(projectName string, shootUID types.UID) string {
return projectName + "--" + string(shootUID)
}
// IsShootProjectConfigMap checks if the given name matches the name of a shoot-related project config map. If no, it returns
// an empty string and <false>. Otherwise, it returns the shoot name and <true>.
func IsShootProjectConfigMap(configMapName string) (string, bool) {
for _, v := range GetShootProjectConfigMapSuffixes() {
if suffix := shootProjectResourceSuffix(v); strings.HasSuffix(configMapName, suffix) {
return strings.TrimSuffix(configMapName, suffix), true
}
}
return "", false
}
const (
// SecretNamePrefixShootAccess is the prefix of all secrets containing credentials for accessing shoot clusters.
SecretNamePrefixShootAccess = "shoot-access-"
// VolumeMountPathGenericKubeconfig is a constant for the path to which the generic shoot kubeconfig will be mounted.
VolumeMountPathGenericKubeconfig = "/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig"
// PathShootToken is a constant for the path at which the shoot token file is accessible.
PathShootToken = VolumeMountPathGenericKubeconfig + "/" + resourcesv1alpha1.DataKeyToken
// PathGenericKubeconfig is a constant for the path at which the kubeconfig file is accessible.
PathGenericKubeconfig = VolumeMountPathGenericKubeconfig + "/" + secrets.DataKeyKubeconfig
)
// AccessSecret contains settings for a shoot/garden access secret consumed by a component communicating with a shoot
// or the garden API server.
type AccessSecret struct {
Secret *corev1.Secret
ServiceAccountName string
Class string
tokenExpirationDuration string
kubeconfig *clientcmdv1.Config
targetSecretName string
targetSecretNamespace string
serviceAccountLabels map[string]string
}
// NewShootAccessSecret returns a new AccessSecret object and initializes it with an empty corev1.Secret object
// with the given name and namespace. If not already done, the name will be prefixed with the
// SecretNamePrefixShootAccess. The ServiceAccountName field will be defaulted with the name.
func NewShootAccessSecret(name, namespace string) *AccessSecret {
if !strings.HasPrefix(name, SecretNamePrefixShootAccess) {
name = SecretNamePrefixShootAccess + name
}
return &AccessSecret{
Secret: &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
},
},
ServiceAccountName: strings.TrimPrefix(name, SecretNamePrefixShootAccess),
Class: resourcesv1alpha1.ResourceManagerClassShoot,
}
}
// WithNameOverride sets the ObjectMeta.Name field of the *corev1.Secret inside the AccessSecret.
func (s *AccessSecret) WithNameOverride(name string) *AccessSecret {
s.Secret.Name = name
return s
}
// WithNamespaceOverride sets the ObjectMeta.Namespace field of the *corev1.Secret inside the AccessSecret.
func (s *AccessSecret) WithNamespaceOverride(namespace string) *AccessSecret {
s.Secret.Namespace = namespace
return s
}
// WithServiceAccountName sets the ServiceAccountName field of the AccessSecret.
func (s *AccessSecret) WithServiceAccountName(name string) *AccessSecret {
s.ServiceAccountName = name
return s
}
// WithServiceAccountLabels sets the serviceAccountLabels field of the AccessSecret.
func (s *AccessSecret) WithServiceAccountLabels(labels map[string]string) *AccessSecret {
s.serviceAccountLabels = labels
return s
}
// WithTokenExpirationDuration sets the tokenExpirationDuration field of the AccessSecret.
func (s *AccessSecret) WithTokenExpirationDuration(duration string) *AccessSecret {
s.tokenExpirationDuration = duration
return s
}
// WithKubeconfig sets the kubeconfig field of the AccessSecret.
func (s *AccessSecret) WithKubeconfig(kubeconfigRaw *clientcmdv1.Config) *AccessSecret {
s.kubeconfig = kubeconfigRaw
return s
}
// WithTargetSecret sets the kubeconfig field of the AccessSecret.
func (s *AccessSecret) WithTargetSecret(name, namespace string) *AccessSecret {
s.targetSecretName = name
s.targetSecretNamespace = namespace
return s
}
// Reconcile creates or patches the given shoot access secret. Based on the struct configuration, it adds the required
// annotations for the token requestor controller of gardener-resource-manager.
func (s *AccessSecret) Reconcile(ctx context.Context, c client.Client) error {
_, err := controllerutils.GetAndCreateOrMergePatch(ctx, c, s.Secret, func() error {
s.Secret.Type = corev1.SecretTypeOpaque
metav1.SetMetaDataLabel(&s.Secret.ObjectMeta, resourcesv1alpha1.ResourceManagerPurpose, resourcesv1alpha1.LabelPurposeTokenRequest)
metav1.SetMetaDataLabel(&s.Secret.ObjectMeta, resourcesv1alpha1.ResourceManagerClass, s.Class)
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.ServiceAccountName, s.ServiceAccountName)
if s.Class == resourcesv1alpha1.ResourceManagerClassShoot {
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.ServiceAccountNamespace, metav1.NamespaceSystem)
}
if s.serviceAccountLabels != nil {
labelsJSON, err := json.Marshal(s.serviceAccountLabels)
if err != nil {
return fmt.Errorf("failed marshaling the service account labels to JSON: %w", err)
}
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.ServiceAccountLabels, string(labelsJSON))
}
if s.tokenExpirationDuration != "" {
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.ServiceAccountTokenExpirationDuration, s.tokenExpirationDuration)
}
if s.targetSecretName != "" {
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.TokenRequestorTargetSecretName, s.targetSecretName)
}
if s.targetSecretNamespace != "" {
metav1.SetMetaDataAnnotation(&s.Secret.ObjectMeta, resourcesv1alpha1.TokenRequestorTargetSecretNamespace, s.targetSecretNamespace)
}
if s.kubeconfig == nil {
delete(s.Secret.Data, resourcesv1alpha1.DataKeyKubeconfig)
} else {
delete(s.Secret.Data, resourcesv1alpha1.DataKeyToken)
if kubeconfigRaw, ok := s.Secret.Data[resourcesv1alpha1.DataKeyKubeconfig]; ok {
existingKubeconfig := &clientcmdv1.Config{}
if _, _, err := clientcmdlatest.Codec.Decode(kubeconfigRaw, nil, existingKubeconfig); err != nil {
return err
}
s.kubeconfig.AuthInfos = existingKubeconfig.AuthInfos
}
kubeconfigRaw, err := runtime.Encode(clientcmdlatest.Codec, s.kubeconfig)
if err != nil {
return err
}
if s.Secret.Data == nil {
s.Secret.Data = make(map[string][]byte, 1)
}
s.Secret.Data[resourcesv1alpha1.DataKeyKubeconfig] = kubeconfigRaw
}
return nil
},
// The token-requestor might concurrently update the kubeconfig secret key to populate the token.
// Hence, we need to use optimistic locking here to ensure we don't accidentally overwrite the concurrent update.
// ref https://github.com/gardener/gardener/issues/6092#issuecomment-1156244514
controllerutils.MergeFromOption{MergeFromOption: client.MergeFromWithOptimisticLock{}})
return err
}
// InjectGenericKubeconfig injects the volumes and volume mounts for the generic shoot kubeconfig into the provided
// object. The access secret name must be the name of a secret containing a JWT token which should be used by the
// kubeconfig. If the object has multiple containers then the default is to inject it into all of them. If it should
// only be done for a selection of containers then their respective names must be provided.
func InjectGenericKubeconfig(obj runtime.Object, genericKubeconfigName, accessSecretName string, containerNames ...string) error {
return injectGenericKubeconfig(obj, genericKubeconfigName, accessSecretName, "kubeconfig", VolumeMountPathGenericKubeconfig, containerNames...)
}
func injectGenericKubeconfig(obj runtime.Object, genericKubeconfigName, accessSecretName, volumeName, mountPath string, containerNames ...string) error {
var (
volume = corev1.Volume{
Name: volumeName,
VolumeSource: corev1.VolumeSource{
Projected: &corev1.ProjectedVolumeSource{
DefaultMode: ptr.To[int32](420),
Sources: []corev1.VolumeProjection{
{
Secret: &corev1.SecretProjection{
LocalObjectReference: corev1.LocalObjectReference{
Name: genericKubeconfigName,
},
Items: []corev1.KeyToPath{{
Key: secrets.DataKeyKubeconfig,
Path: secrets.DataKeyKubeconfig,
}},
Optional: ptr.To(false),
},
},
{
Secret: &corev1.SecretProjection{
LocalObjectReference: corev1.LocalObjectReference{
Name: accessSecretName,
},
Items: []corev1.KeyToPath{{
Key: resourcesv1alpha1.DataKeyToken,
Path: resourcesv1alpha1.DataKeyToken,
}},
Optional: ptr.To(false),
},
},
},
},
},
}
volumeMount = corev1.VolumeMount{
Name: volume.Name,
MountPath: mountPath,
ReadOnly: true,
}
)
return kubernetesutils.VisitPodSpec(obj, func(podSpec *corev1.PodSpec) {
kubernetesutils.AddVolume(podSpec, volume, true)
kubernetesutils.VisitContainers(podSpec, func(container *corev1.Container) {
kubernetesutils.AddVolumeMount(container, volumeMount, true)
}, containerNames...)
})
}
// GetShootSeedNames returns the spec.seedName and the status.seedName field in case the provided object is a Shoot.
func GetShootSeedNames(obj client.Object) (*string, *string) {
shoot, ok := obj.(*gardencorev1beta1.Shoot)
if !ok {
return nil, nil
}
return shoot.Spec.SeedName, shoot.Status.SeedName
}
// ExtractSystemComponentsTolerations returns tolerations that are required to schedule shoot system components
// on the given workers. Tolerations are only considered for workers which have `SystemComponents.Allow: true`.
func ExtractSystemComponentsTolerations(workers []gardencorev1beta1.Worker) []corev1.Toleration {
var (
tolerations = sets.New[corev1.Toleration]()
// We need to use semantically equal tolerations, i.e. equality of underlying values of pointers,
// before they are added to the tolerations set.
comparableTolerations = &kubernetesutils.ComparableTolerations{}
)
for _, worker := range workers {
if v1beta1helper.SystemComponentsAllowed(&worker) {
for _, taint := range worker.Taints {
toleration := kubernetesutils.TolerationForTaint(taint)
tolerations.Insert(comparableTolerations.Transform(toleration))
}
}
}
sortedTolerations := tolerations.UnsortedList()
// sort system component tolerations for a stable output
slices.SortFunc(sortedTolerations, func(a, b corev1.Toleration) int {
return cmp.Compare(a.Key, b.Key)
})
return sortedTolerations
}
// IncompleteDNSConfigError is a custom error type.
type IncompleteDNSConfigError struct{}
// Error prints the error message of the IncompleteDNSConfigError error.
func (e *IncompleteDNSConfigError) Error() string {
return "unable to figure out which secret should be used for dns"
}
// IsIncompleteDNSConfigError returns true if the error indicates that not the DNS config is incomplete.
func IsIncompleteDNSConfigError(err error) bool {
_, ok := err.(*IncompleteDNSConfigError)
return ok
}
// ConstructInternalClusterDomain constructs the internal base domain for this shoot cluster.
// It is only used for internal purposes (all kubeconfigs except the one which is received by the
// user will only talk with the kube-apiserver via a DNS record of domain). In case the given <internalDomain>
// already contains "internal", the result is constructed as "<shootName>.<shootProject>.<internalDomain>."
// In case it does not, the word "internal" will be appended, resulting in
// "<shootName>.<shootProject>.internal.<internalDomain>".
func ConstructInternalClusterDomain(shootName, shootProject string, internalDomain *Domain) string {
if internalDomain == nil {
return ""
}
if strings.Contains(internalDomain.Domain, InternalDomainKey) {
return fmt.Sprintf("%s.%s.%s", shootName, shootProject, internalDomain.Domain)
}
return fmt.Sprintf("%s.%s.%s.%s", shootName, shootProject, InternalDomainKey, internalDomain.Domain)
}
// ConstructExternalClusterDomain constructs the external Shoot cluster domain, i.e. the domain which will be put
// into the Kubeconfig handed out to the user.
func ConstructExternalClusterDomain(shoot *gardencorev1beta1.Shoot) *string {
if shoot.Spec.DNS == nil || shoot.Spec.DNS.Domain == nil {
return nil
}
return shoot.Spec.DNS.Domain
}
// ConstructExternalDomain constructs an object containing all relevant information of the external domain that
// shall be used for a shoot cluster - based on the configuration of the Garden cluster and the shoot itself.
func ConstructExternalDomain(ctx context.Context, c client.Reader, shoot *gardencorev1beta1.Shoot, shootSecret *corev1.Secret, defaultDomains []*Domain) (*Domain, error) {
externalClusterDomain := ConstructExternalClusterDomain(shoot)
if externalClusterDomain == nil {
return nil, nil
}
var (
externalDomain = &Domain{Domain: *shoot.Spec.DNS.Domain}
defaultDomain = DomainIsDefaultDomain(*externalClusterDomain, defaultDomains)
primaryProvider = v1beta1helper.FindPrimaryDNSProvider(shoot.Spec.DNS.Providers)
)
switch {
case defaultDomain != nil:
externalDomain.SecretData = defaultDomain.SecretData
externalDomain.Provider = defaultDomain.Provider
externalDomain.Zone = defaultDomain.Zone
case primaryProvider != nil:
if primaryProvider.SecretName != nil {
secret := &corev1.Secret{}
if err := c.Get(ctx, kubernetesutils.Key(shoot.Namespace, *primaryProvider.SecretName), secret); err != nil {
return nil, fmt.Errorf("could not get dns provider secret %q: %+v", *shoot.Spec.DNS.Providers[0].SecretName, err)
}
externalDomain.SecretData = secret.Data
} else {
if shootSecret == nil {
return nil, fmt.Errorf("default domain is not present, secret for primary dns provider is required")
}
externalDomain.SecretData = shootSecret.Data
}
if primaryProvider.Type != nil {
externalDomain.Provider = *primaryProvider.Type
}
if zones := primaryProvider.Zones; zones != nil {
if len(zones.Include) == 1 {
externalDomain.Zone = zones.Include[0]
}
}
default:
return nil, &IncompleteDNSConfigError{}
}
return externalDomain, nil
}
// ComputeRequiredExtensionsForShoot computes the extension kind/type combinations that are required for the
// shoot reconciliation flow.
func ComputeRequiredExtensionsForShoot(shoot *gardencorev1beta1.Shoot, seed *gardencorev1beta1.Seed, controllerRegistrationList *gardencorev1beta1.ControllerRegistrationList, internalDomain, externalDomain *Domain) sets.Set[string] {
requiredExtensions := sets.New[string]()
if seed.Spec.Backup != nil {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.BackupBucketResource, seed.Spec.Backup.Provider))
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.BackupEntryResource, seed.Spec.Backup.Provider))
}
// Hint: This is actually a temporary work-around to request the control plane extension of the seed provider type as
// it might come with webhooks that are configuring the exposure of shoot control planes. The ControllerRegistration resource
// does not reflect this today.
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.ControlPlaneResource, seed.Spec.Provider.Type))
if !v1beta1helper.IsWorkerless(shoot) {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.ControlPlaneResource, shoot.Spec.Provider.Type))
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.InfrastructureResource, shoot.Spec.Provider.Type))
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.WorkerResource, shoot.Spec.Provider.Type))
if shoot.Spec.Networking != nil && shoot.Spec.Networking.Type != nil {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.NetworkResource, *shoot.Spec.Networking.Type))
}
}
disabledExtensions := sets.New[string]()
for _, extension := range shoot.Spec.Extensions {
id := ExtensionsID(extensionsv1alpha1.ExtensionResource, extension.Type)
if ptr.Deref(extension.Disabled, false) {
disabledExtensions.Insert(id)
} else {
requiredExtensions.Insert(id)
}
}
for _, pool := range shoot.Spec.Provider.Workers {
if pool.Machine.Image != nil {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.OperatingSystemConfigResource, pool.Machine.Image.Name))
}
if pool.CRI != nil {
for _, cr := range pool.CRI.ContainerRuntimes {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.ContainerRuntimeResource, cr.Type))
}
}
}
if shoot.Spec.DNS != nil {
for _, provider := range shoot.Spec.DNS.Providers {
if provider.Type != nil && *provider.Type != core.DNSUnmanaged {
if provider.Primary != nil && *provider.Primary {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.DNSRecordResource, *provider.Type))
}
}
}
}
if internalDomain != nil && internalDomain.Provider != core.DNSUnmanaged {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.DNSRecordResource, internalDomain.Provider))
}
if externalDomain != nil && externalDomain.Provider != core.DNSUnmanaged {
requiredExtensions.Insert(ExtensionsID(extensionsv1alpha1.DNSRecordResource, externalDomain.Provider))
}
for _, controllerRegistration := range controllerRegistrationList.Items {
for _, resource := range controllerRegistration.Spec.Resources {
id := ExtensionsID(extensionsv1alpha1.ExtensionResource, resource.Type)
if resource.Kind == extensionsv1alpha1.ExtensionResource && ptr.Deref(resource.GloballyEnabled, false) && !disabledExtensions.Has(id) {
if v1beta1helper.IsWorkerless(shoot) && !ptr.Deref(resource.WorkerlessSupported, false) {
continue
}
requiredExtensions.Insert(id)
}
}
}
return requiredExtensions
}
// ExtensionsID returns an identifier for the given extension kind/type.
func ExtensionsID(extensionKind, extensionType string) string {
return fmt.Sprintf("%s/%s", extensionKind, extensionType)
}
// ComputeTechnicalID determines the technical id of the given Shoot which is later used for the name of the
// namespace and for tagging all the resources created in the infrastructure.
func ComputeTechnicalID(projectName string, shoot *gardencorev1beta1.Shoot) string {
// Use the stored technical ID in the Shoot's status field if it's there.
// For backwards compatibility we keep the pattern as it was before we had to change it
// (double hyphens).
if len(shoot.Status.TechnicalID) > 0 {
return shoot.Status.TechnicalID
}
// New clusters shall be created with the new technical id (double hyphens).
return fmt.Sprintf("%s-%s--%s", v1beta1constants.TechnicalIDPrefix, projectName, shoot.Name)
}
// GetShootConditionTypes returns all known shoot condition types.
func GetShootConditionTypes(workerless bool) []gardencorev1beta1.ConditionType {
shootConditionTypes := []gardencorev1beta1.ConditionType{
gardencorev1beta1.ShootAPIServerAvailable,
gardencorev1beta1.ShootControlPlaneHealthy,
gardencorev1beta1.ShootObservabilityComponentsHealthy,
}
if !workerless {
shootConditionTypes = append(shootConditionTypes, gardencorev1beta1.ShootEveryNodeReady)
}
return append(shootConditionTypes, gardencorev1beta1.ShootSystemComponentsHealthy)
}
// DefaultGVKsForEncryption returns the list of GroupVersionKinds which are encrypted by default.
func DefaultGVKsForEncryption() []schema.GroupVersionKind {
return []schema.GroupVersionKind{
corev1.SchemeGroupVersion.WithKind("Secret"),
}
}
// DefaultResourcesForEncryption returns the list of resources which are encrypted by default.
func DefaultResourcesForEncryption() sets.Set[string] {
return sets.New(corev1.Resource("secrets").String())
}
// GetIPStackForShoot returns the value for the AnnotationKeyIPStack annotation based on the given shoot.
// It falls back to IPv4 if no IP families are available, e.g. in a workerless shoot cluster.
func GetIPStackForShoot(shoot *gardencorev1beta1.Shoot) string {
var ipFamilies []gardencorev1beta1.IPFamily
if networking := shoot.Spec.Networking; networking != nil {
ipFamilies = networking.IPFamilies
}
return getIPStackForFamilies(ipFamilies)
}