Merge remote-tracking branch 'origin/master' into partition-prometheu…

…s-role # Conflicts: # control-plane/roles/monitoring/README.md
metal-stack · Jul 7, 2023 · 74c0275 · 74c0275
2 parents b86041e + 95c1436
commit 74c0275
Show file tree

Hide file tree

Showing 128 changed files with 5,450 additions and 45 deletions.
diff --git a/Makefile b/Makefile
@@ -1,5 +1,6 @@
 .PHONY: test
 test:
+	python -m pip install mock
 	for file in $(shell find . -name test -type d); do python -m unittest discover -v -p '*_test.py' -s $$(dirname $$file); done
 
 .PHONY: test-local

diff --git a/control-plane/roles/auditing-meili/defaults/main/main.yaml b/control-plane/roles/auditing-meili/defaults/main/main.yaml
@@ -25,3 +25,11 @@ auditing_meili_persistence:
   # volume:
   #   name: data
   #   mountPath: /meili_data
+
+auditing_meili_registry_enabled: "{{ metal_registry_auth_enabled }}"
+auditing_meili_registry_auth:
+  auths:
+    https://index.docker.io/v1/:
+      username: "{{ metal_registry_auth_user }}"
+      password: "{{ metal_registry_auth_password }}"
+      auth: "{{ (metal_registry_auth_user + ':' + metal_registry_auth_password) | b64encode }}"
diff --git a/control-plane/roles/auditing-meili/tasks/main.yaml b/control-plane/roles/auditing-meili/tasks/main.yaml
@@ -24,6 +24,19 @@
         MEILI_MASTER_KEY: "{{ auditing_meili_secret }}"
   when: auditing_meili_secret
 
+- name: Create registry pull secret
+  k8s:
+    definition:
+      apiVersion: v1
+      kind: Secret
+      metadata:
+        name: metal-auditing-registry-pull-secret
+        namespace: "{{ auditing_meili_namespace }}"
+      type: kubernetes.io/dockerconfigjson
+      data:
+        .dockerconfigjson: "{{ auditing_meili_registry_auth | to_json | b64encode }}"
+  when: auditing_meili_registry_enabled
+
 - name: Deploy meilisearch
   include_role:
     name: ansible-common/roles/helm-chart

diff --git a/control-plane/roles/auditing-meili/templates/values.yaml b/control-plane/roles/auditing-meili/templates/values.yaml
@@ -2,6 +2,9 @@
 image:
   repository: "{{ metal_auditing_meili_image_name }}"
   tag: "{{ metal_auditing_meili_image_tag }}"
+{% if auditing_meili_registry_enabled %}
+  pullSecret: "metal-auditing-registry-pull-secret"
+{% endif %}
 
 readinessProbe:
   periodSeconds: 5
@@ -17,5 +20,5 @@ environment:
 auth:
   existingMasterKeySecret: metal-auditing-master-key
 
-persistence: {{ auditing_meili_persistence }}
-ingress: {{ auditing_meili_ingress }}
+persistence: {{ auditing_meili_persistence | to_json }}
+ingress: {{ auditing_meili_ingress | to_json }}
diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
diff --git a/control-plane/roles/gardener/defaults/main/certs.yaml b/control-plane/roles/gardener/defaults/main/certs.yaml
@@ -0,0 +1,37 @@
+---
+gardener_kube_api_server_ca:
+gardener_kube_api_server_ca_key:
+gardener_kube_api_server_cert:
+gardener_kube_api_server_key:
+gardener_kube_api_server_client_cert:
+gardener_kube_api_server_client_key:
+
+gardener_kube_aggregator_client_cert:
+gardener_kube_aggregator_client_key:
+gardener_kube_controller_manager_client_cert:
+gardener_kube_controller_manager_client_key:
+gardener_admin_client_cert:
+gardener_admin_client_key:
+gardener_service_account_client_key:
+
+gardener_api_server_ca:
+gardener_api_server_cert:
+gardener_api_server_key:
+
+gardener_admission_controller_ca:
+gardener_admission_controller_cert:
+gardener_admission_controller_key:
+
+gardener_controller_manager_ca:
+gardener_controller_manager_cert:
+gardener_controller_manager_key:
+
+gardener_metal_admission_controller_ca:
+gardener_metal_admission_controller_cert:
+gardener_metal_admission_controller_key:
+
+gardener_etcd_ca_cert:
+gardener_etcd_cert:
+gardener_etcd_cert_key:
+gardener_etcd_client_cert:
+gardener_etcd_client_key:
diff --git a/control-plane/roles/gardener/defaults/main/cloud_profile.yaml b/control-plane/roles/gardener/defaults/main/cloud_profile.yaml
@@ -0,0 +1,32 @@
+---
+gardener_cloud_profile_stage_name: "{{ metal_control_plane_stage_name }}"
+gardener_cloud_profile_metal_api_url: https://api.{{ metal_control_plane_ingress_dns }}
+gardener_cloud_profile_metal_api_hmac:
+gardener_cloud_profile_machine_images: "{{ metal_api_images | default([]) }}"
+gardener_cloud_profile_firewall_images: []
+gardener_cloud_profile_firewall_images_from_machine_images: true
+gardener_cloud_profile_firewall_controller_versions: []
+gardener_cloud_profile_kubernetes:
+gardener_cloud_profile_machine_types: []
+gardener_cloud_profile_regions:
+gardener_cloud_profile_partitions: {}
+  # <partition>:
+  #   default-machine-types:
+  #     firewall:
+  #       - c1-xlarge-x86
+
+gardener_os_cri_mapping:
+  ubuntu:
+    when:
+    cris:
+    - name: containerd
+      containerRuntimes: []
+    - name: docker
+      containerRuntimes: []
+  debian:
+    when:
+    cris:
+    - name: containerd
+      containerRuntimes: []
+    - name: docker
+      containerRuntimes: []
diff --git a/control-plane/roles/gardener/defaults/main/control-plane-defaults b/control-plane/roles/gardener/defaults/main/control-plane-defaults
@@ -0,0 +1 @@
+../../../../control-plane-defaults/
diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml
@@ -0,0 +1,60 @@
+---
+gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}"
+# TODO: the ref to the official controller can be used as soon as we are compatible with g/g 1.59
+gardener_networking_cilium_repo_ref: "metal-stack/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}"
+
+gardener_metal_admission_replicas: 1
+gardener_metal_admission_vpa: true
+
+gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}"
+
+gardener_extension_provider_metal_cluster_audit_enabled: false
+gardener_extension_provider_metal_audit_to_splunk_enabled: false
+gardener_extension_provider_metal_audit_to_splunk:
+  # ...
+  # hecToken: ""
+  # index: ""
+  # hecHost: ""
+  # hecPort: 443
+  # tlsEnabled: true
+  # hecCAFile: ""
+
+gardener_extension_provider_metal_etcd_backup_schedule: "0,5,10,15,20,25,30,35,40,45,50,55 * * * *"
+gardener_extension_provider_metal_etcd_delta_snapshot_period: "0s"
+
+gardener_extension_provider_metal_internal_networks:
+  - 10.0.0.0/8
+  - 100.64.0.0/10
+
+gardener_extension_provider_metal_egress_destinations: []
+
+gardener_extension_provider_metal_duros_storage_enabled: false
+gardener_extension_provider_metal_duros_storage_config:
+  # <partition>:
+  #   apiEndpoint:
+  #   apiCA:
+  #   apiKey:
+  #   apiCert:
+  #   endpoints: []
+  #   adminKey:
+  #   adminToken:
+  #   storageClasses:
+  #   - replicaCount: 2
+  #     name: duros-silver
+  #     compression: true
+  #   - replicaCount: 3
+  #     name: duros-gold
+  #     compression: false
+  #     encryption: true
+  # ...
+
+gardener_extension_provider_metal_image_pull_policy: "{{ metal_control_plane_image_pull_policy | default('IfNotPresent') }}"
+gardener_extension_provider_metal_image_pull_secret:
+  # auths:
+  #   <registry>:
+  #     username: ""
+  #     password: ""
+  #     auth: ""
+  # ...
+
+gardener_cert_management_issuer_private_key: ""
diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml
@@ -0,0 +1,86 @@
+---
+gardener_image_vector_overwrite:
+gardener_component_image_vector_overwrite:
+
+gardener_apiserver_replicas: 1
+gardener_apiserver_vpa: true
+
+gardener_apiserver_resources:
+  requests:
+    cpu: 100m
+    memory: 100Mi
+  limits:
+    cpu: 400m
+    memory: 1Gi
+
+gardener_controller_manager_resources:
+  requests:
+    cpu: 100m
+    memory: 100Mi
+  limits:
+    cpu: 750m
+    memory: 512Mi
+
+gardener_scheduler_resources:
+  requests:
+    cpu: 50m
+    memory: 50Mi
+  limits:
+    cpu: 300m
+    memory: 256Mi
+
+gardener_dns_domain:
+gardener_dns_provider:
+
+gardener_backup_infrastructure:
+gardener_backup_infrastructure_secret:
+
+gardener_soil_name: "{{ metal_control_plane_stage_name }}"
+gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}"
+gardener_soil_vertical_pod_autoscaler_enabled: false
+gardener_soil_project_owner_name: admin
+
+gardener_gardenlet_shoot_concurrent_syncs: 5
+gardener_gardenlet_shoot_reconcile_in_maintenance_only: false
+gardener_gardenlet_shoot_respect_sync_period_overwrite: true
+
+gardener_shooted_seeds: []
+# - name: shoot-1
+#   project_id: 00000000-0000-0000-0000-000000000001
+#   feature_gates:
+#     clusterAudit: false
+#     auditToSplunk: false
+#   region: region
+#   partition: partition
+#   networks:
+#     - internet
+#     - e77400fe-e993-47b1-a0dd-64c9b7457b76
+#   k8s_version: 1.23.4
+#   worker_groups:
+#   - worker_count: 1
+#     worker_size: size
+#     worker_cri: containerd
+#     worker_max_surge: 3
+#     worker_max_unavailable: 0
+#     worker_image:
+#       name: debian
+#       version: "10.0"
+#   firewall_size: size
+#   firewall_image: firewall-ubuntu
+#   firewall_controller_version: auto
+#   api_server:
+#     autoscaler:
+#       min_replicas: 1
+#       max_replicas: 5
+#   verticalPodAutoscaler: false
+#   pod_cidr:
+#   service_cidr:
+
+gardener_shooted_seed_max_pods: 250
+gardener_shooted_seed_node_cidr_mask_size: 23
+# can be useful for rollouts where the shooted seed or managed seed resource changes:
+gardener_shooted_seed_rollout_delay_minutes:
+
+gardener_kube_api_server_kubeconfig: "{{ 'garden-kube-apiserver' | kubeconfig_from_cert(gardener_kube_api_server_ca, gardener_kube_api_server_client_cert, gardener_kube_api_server_client_key, prepend_https=true) }}"
+gardener_kube_apiserver_kubeconfig_path: "{{ gardener_local_tmp_dir }}/garden-kube-apiserver-kubeconfig"
+gardener_local_tmp_dir: "{{ playbook_dir }}/.ansible/tmp"
diff --git a/control-plane/roles/gardener/defaults/main/global-defaults b/control-plane/roles/gardener/defaults/main/global-defaults
@@ -0,0 +1 @@
+../../../../../defaults
diff --git a/control-plane/roles/gardener/defaults/main/virtual_garden.yaml b/control-plane/roles/gardener/defaults/main/virtual_garden.yaml
@@ -0,0 +1,16 @@
+---
+gardener_virtual_api_server_svc_cluster_ip_add: 20
+gardener_virtual_api_server_public_dns: gardener-kube-apiserver.{{ metal_control_plane_ingress_dns }}
+gardener_virtual_api_server_healthcheck_static_token:
+
+gardener_etcd_backup_schedule: "0,5,10,15,20,25,30,35,40,45,50,55 * * * *"
+gardener_etcd_snapshot_period: "0"
+gardener_etcd_garbage_collection_period: "12h"
+
+gardener_etcd_resources:
+  requests:
+    cpu: 200m
+    memory: 256Mi
+  limits:
+    cpu: 800m
+    memory: 8Gi
diff --git a/control-plane/roles/gardener/files/kube-apiserver/Chart.yaml b/control-plane/roles/gardener/files/kube-apiserver/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Helm chart for garden
+name: garden
+version: 0.1.0
diff --git a/control-plane/roles/gardener/files/kube-apiserver/templates/_helpers.tpl b/control-plane/roles/gardener/files/kube-apiserver/templates/_helpers.tpl
@@ -0,0 +1,76 @@
+# Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- define "garden.kubeconfig-controller-manager" -}}
+apiVersion: v1
+kind: Config
+current-context: garden
+contexts:
+- context:
+    cluster: garden
+    user: kube-controller-manager
+  name: garden
+clusters:
+- cluster:
+    certificate-authority-data: {{ .Values.tls.kubeAPIServer.ca.crt | b64enc }}
+    server: https://localhost:443
+  name: garden
+users:
+- name: kube-controller-manager
+  user:
+    client-certificate-data: {{ .Values.tls.kubeControllerManager.crt | b64enc }}
+    client-key-data: {{ .Values.tls.kubeControllerManager.key | b64enc }}
+{{- end -}}
+
+{{- define "garden.kubeconfig-gardener" -}}
+apiVersion: v1
+kind: Config
+current-context: garden
+contexts:
+- context:
+    cluster: garden
+    user: gardener
+  name: garden
+clusters:
+- cluster:
+    certificate-authority-data: {{ .Values.tls.kubeAPIServer.ca.crt | b64enc }}
+    server: https://{{ .Values.apiServer.serviceName }}:443
+  name: garden
+users:
+- name: gardener
+  user:
+    client-certificate-data: {{ .Values.tls.gardener.crt | b64enc }}
+    client-key-data: {{ .Values.tls.gardener.key | b64enc }}
+{{- end -}}
+
+{{- define "garden.kubeconfig-admin" -}}
+apiVersion: v1
+kind: Config
+current-context: garden
+contexts:
+- context:
+    cluster: garden
+    user: admin
+  name: garden
+clusters:
+- cluster:
+    certificate-authority-data: {{ .Values.tls.kubeAPIServer.ca.crt | b64enc }}
+    server: https://{{ .Values.apiServer.hostname }}:443
+  name: garden
+users:
+- name: admin
+  user:
+    client-certificate-data: {{ .Values.tls.admin.crt | b64enc }}
+    client-key-data: {{ .Values.tls.admin.key | b64enc }}
+{{- end -}}