
🛡 Enable ServiceAccount token projection and token requestor for provider-local #5193

Merged
merged 1 commit into from
Jan 14, 2022

Conversation

rfranzke
Member

@rfranzke rfranzke commented Dec 21, 2021

How to categorize this PR?

/area security
/kind enhancement
/merge squash

What this PR does / why we need it:

  • When the provider-local extension is running on a seed with a gardenlet of at least v1.37 then
    • ServiceAccount token projection is enabled.
    • the machine-controller-manager deployed into shoot namespaces
      • uses ServiceAccount token projection.
      • uses a token managed by GRM's token requestor instead of a client certificate.

Which issue(s) this PR fixes:
Part of #4659
Part of #4878

Special notes for your reviewer:
Depends on #5162, hence, PR is in draft state.
Depends on #5163, hence PR is in draft state.

Release note:

NONE
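As an added defender-side check, not code from this PR or from Gardener itself: a small Go audit that reports whether a pod spec still mounts a static secret (such as a kubeconfig carrying a client certificate) or instead obtains its kube-apiserver credentials from a projected, expiring ServiceAccount token. The trimmed struct model, the two sample specs and the secret name `mcm-kubeconfig` are constructed for this example.

```go
package main

import "encoding/json"

// Trimmed pod-spec model (an assumption of this example); encoding/json matches field names case-insensitively.
type Volume struct {
	Secret    *struct{ SecretName string }
	Projected *struct{ Sources []struct{ ServiceAccountToken *struct{ ExpirationSeconds int64 } } }
}

// Findings summarises how the pod obtains its kube-apiserver credentials.
type Findings struct {
	SecretVolumes   []string // secret volumes; a kubeconfig carrying a client certificate lands here
	ProjectedTokens int      // serviceAccountToken projections found
	MaxExpiration   int64    // longest requested token lifetime, in seconds
}

// Audit parses a pod spec and reports static-secret mounts versus projected tokens.
func Audit(podSpecJSON []byte) (f Findings, err error) {
	var spec struct{ Volumes []Volume }
	if err = json.Unmarshal(podSpecJSON, &spec); err != nil {
		return f, err
	}
	for _, v := range spec.Volumes {
		if v.Secret != nil {
			f.SecretVolumes = append(f.SecretVolumes, v.Secret.SecretName)
		}
		if v.Projected != nil {
			for _, s := range v.Projected.Sources {
				if t := s.ServiceAccountToken; t != nil {
					f.ProjectedTokens++
					if t.ExpirationSeconds > f.MaxExpiration {
						f.MaxExpiration = t.ExpirationSeconds
					}
				}
			}
		}
	}
	return f, nil
}

// ProjectedOnly: at least one projected token within maxSeconds and no secret volume at all (every secret
// volume counts as a potential static credential; narrow this for workloads that must mount other secrets).
func ProjectedOnly(f Findings, maxSeconds int64) bool {
	return f.ProjectedTokens > 0 && f.MaxExpiration <= maxSeconds && len(f.SecretVolumes) == 0
}

// Constructed samples: pre-change (kubeconfig secret holding a client certificate) and post-change (projected token).
var BeforeSpec = []byte(`{"volumes":[{"name":"kubeconfig","secret":{"secretName":"mcm-kubeconfig"}}]}`)
var AfterSpec = []byte(`{"volumes":[{"name":"kube-api-access","projected":{"sources":[{"serviceAccountToken":{"audience":"kube-apiserver","expirationSeconds":43200,"path":"token"}}]}}]}`)
```

Run `Audit` over the rendered machine-controller-manager pod spec of a shoot namespace to confirm the client-certificate kubeconfig mount is gone and the projected token's lifetime stays within your bound.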

@gardener-prow
Contributor

gardener-prow bot commented Dec 21, 2021

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@gardener-robot gardener-robot added area/security Security related kind/enhancement Enhancement, improvement, extension merge/squash size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 21, 2021
@gardener-robot gardener-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 21, 2021
rfranzke added a commit to rfranzke/gardener that referenced this pull request Dec 21, 2021
The extension itself will be adapted separately with gardener#5193
@gardener-robot gardener-robot marked this pull request as ready for review January 10, 2022 07:35
@gardener-robot gardener-robot requested a review from a team as a code owner January 10, 2022 07:35
@rfranzke rfranzke marked this pull request as draft January 10, 2022 07:43
rfranzke added a commit to rfranzke/gardener that referenced this pull request Jan 10, 2022
The extension itself will be adapted separately with gardener#5193
rfranzke added a commit that referenced this pull request Jan 11, 2022
… library for elimination of static credentials (#5163)

* Adapt generic `Worker` actuator for TokenRequestor

* Adapt generic `Worker` actuator for projected token mount

* Adapt generic `ControlPlane` actuator for TokenRequestor

* Adapt `terraformer` library for projected token mount

* Please compiler in provider-local package

The extension itself will be adapted separately with #5193

* Address PR review feedback
@gardener-robot

@rfranzke You need to rebase this pull request with the latest master branch. Please check.

@rfranzke
Member Author

/ready

@gardener-robot gardener-robot marked this pull request as ready for review January 11, 2022 10:26
@timuthy
Member

timuthy commented Jan 12, 2022

/assign

Member

@timuthy timuthy left a comment


/lgtm
Also tested it, works like a charm 🙂

Member

@timebertt timebertt left a comment


Nice, I like it!
/lgtm

@rfranzke rfranzke merged commit d744a34 into gardener:master Jan 14, 2022
@rfranzke rfranzke deleted the enh/tr-local branch January 14, 2022 15:31
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022