🛡 Adapt generic {Worker,ControlPlane} actuators and terraformer library for elimination of static credentials #5163
Merged
21b1737 to 724dcf5
/assign
BeckerMax previously approved these changes Jan 10, 2022
/lgtm looks fine - one small question.
Will test it out once the iaas-provider extensions revendor this.
extensions/pkg/controller/worker/genericactuator/machine_controller_manager.go
The extension itself will be adapted separately with gardener#5193
7254d3e to 7df3538
BeckerMax approved these changes Jan 11, 2022
/lgtm
This was referenced Jan 24, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
… library for elimination of static credentials (gardener#5163)
* Adapt generic `Worker` actuator for TokenRequestor
* Adapt generic `Worker` actuator for projected token mount
* Adapt generic `ControlPlane` actuator for TokenRequestor
* Adapt `terraformer` library for projected token mount
* Please compiler in provider-local package
  The extension itself will be adapted separately with gardener#5193
* Address PR review feedback
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022
… library for elimination of static credentials (gardener#5163)
* Adapt generic `Worker` actuator for TokenRequestor
* Adapt generic `Worker` actuator for projected token mount
* Adapt generic `ControlPlane` actuator for TokenRequestor
* Adapt `terraformer` library for projected token mount
* Please compiler in provider-local package
  The extension itself will be adapted separately with gardener#5193
* Address PR review feedback
Labels
area/security: Security related
kind/enhancement: Enhancement, improvement, extension
size/L: Denotes a PR that changes 100-499 lines, ignoring generated files.
How to categorize this PR?
/area security
/kind enhancement
/merge squash
What this PR does / why we need it:
This PR adapts the generic {`Worker`,`ControlPlane`} actuators as well as the `terraformer` library for the elimination of static credentials (optionally).
While the `terraformer` doesn't use a kubeconfig to talk to the shoot cluster (hence, just static `ServiceAccount` token invalidation is required here), the generic actuators allow generating client certificate-based kubeconfigs for shoot control plane components (like `cloud-controller-manager`, `machine-controller-manager`, etc.). Those can now be optionally switched to the token requestor.
Which issue(s) this PR fixes:
Part of #4661
Part of #4878
Release note:
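
Added example, not part of the pull request or of Gardener's code: a small Go check that reports which users in a kubeconfig carry embedded credentials (client key, bearer token, password) rather than a `tokenFile` reference, which is the distinction the description above draws between static credentials and requested tokens. It assumes a JSON-encoded kubeconfig (valid, since JSON is a subset of YAML); the sample input, user names and token path are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// kubeconfig models only the user credential fields relevant to this check.
type kubeconfig struct {
	Users []struct {
		Name string `json:"name"`
		User struct {
			ClientKeyData string `json:"client-key-data"`
			Token         string `json:"token"`
			TokenFile     string `json:"tokenFile"`
			Password      string `json:"password"`
		} `json:"user"`
	} `json:"users"`
}

// StaticCredentialUsers returns the sorted names of users whose secret material
// is embedded in the kubeconfig itself. Users that only reference a tokenFile
// are not reported: the token lives outside the kubeconfig and can be replaced
// without rewriting it.
func StaticCredentialUsers(raw []byte) ([]string, error) {
	var kc kubeconfig
	if err := json.Unmarshal(raw, &kc); err != nil {
		return nil, fmt.Errorf("parsing kubeconfig: %w", err)
	}
	var flagged []string
	for _, u := range kc.Users {
		c := u.User
		if c.ClientKeyData != "" || c.Token != "" || c.Password != "" {
			flagged = append(flagged, u.Name)
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

// sampleKubeconfig is constructed for this example; all values are placeholders.
const sampleKubeconfig = `{"users":[
 {"name":"cert-user","user":{"client-certificate-data":"PLACEHOLDER","client-key-data":"PLACEHOLDER"}},
 {"name":"static-token-user","user":{"token":"PLACEHOLDER"}},
 {"name":"projected-token-user","user":{"tokenFile":"/var/run/secrets/example/token"}}]}`

func main() {
	users, err := StaticCredentialUsers([]byte(sampleKubeconfig))
	fmt.Println(users, err)
}
```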