From f5517c6c19587fd2c8ed35315c2cb8bfb4f12e64 Mon Sep 17 00:00:00 2001
From: vpnachev
Date: Wed, 7 Jun 2023 14:57:09 +0300
Subject: [PATCH] Rename seed resources
---
pkg/constants/constants.go | 10 +++--
pkg/controller/seed/reconciler.go | 51 ++++++++++++-----------
pkg/controller/seed/reconciler_test.go | 56 +++++++++++++-------------
pkg/controller/seed/secrets.go | 8 ++--
4 files changed, 65 insertions(+), 60 deletions(-)
diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 3458f914..2648c599 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -7,8 +7,6 @@ package constants const ( // ApplicationName is the name for resource describing the components deployed by the extension controller. ApplicationName = "lakom" - // SeedApplicationName is the name for resource describing the components bootstrapping the seed by the extension controller. - SeedApplicationName = ApplicationName + "-seed" // ImageName is the name of the lakom admission controller image. ImageName = ApplicationName // ExtensionType is the name of the extension type. 
@@ -23,8 +21,14 @@ const ( ManagedResourceNamesShoot = ExtensionServiceName + "-shoot" // WebhookConfigurationName is the name of the webhook configuration(s) deployed in the shoot cluster. WebhookConfigurationName = GardenerExtensionName + "-shoot" - // WebhookTLSSecretName is the name of the TLS secret resource used by the Lakom webhook in the seed cluster. + // WebhookTLSSecretName is the name of the TLS secret resource used by the shoot lakom webhook. WebhookTLSSecretName = ExtensionServiceName + "-tls" + // SeedApplicationName is the name for resource describing the components bootstrapping the seed by the extension controller. + SeedApplicationName = ApplicationName + "-seed" + // SeedExtensionServiceName is the extension service name bootstrapping the seed. + SeedExtensionServiceName = ExtensionServiceName + "-seed" + // SeedWebhookTLSSecretName is the name of the TLS secret resource used by the lakom webhook in the seed cluster. + SeedWebhookTLSSecretName = SeedExtensionServiceName + "-tls" // LakomResourceReader is the name of the RBAC resources created in the shoot cluster that allow reading image pull secrets LakomResourceReader = GardenerExtensionName + "-resource-reader" // LakomResolveTagPath is the URL path to the hook resolving image tag to digest. diff --git a/pkg/controller/seed/reconciler.go b/pkg/controller/seed/reconciler.go index 8f5e0316..4388956e 100644 --- a/pkg/controller/seed/reconciler.go +++ b/pkg/controller/seed/reconciler.go @@ -108,7 +108,7 @@ func (kcr *kubeSystemReconciler) reconcile(ctx context.Context, logger logr.Logg } resources, err := getResources( - generatedSecrets[constants.WebhookTLSSecretName].Name, + generatedSecrets[constants.SeedWebhookTLSSecretName].Name, image.String(), kcr.serviceConfig.CosignPublicKeys, caBundleSecret.Data[secretutils.DataKeyCertificateBundle], 
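Review bot: The doc comment on the new constant, `// SeedExtensionServiceName is the extension service name bootstrapping the seed.`, does not say what the value is the name of, while the neighbouring comments (ManagedResourceNamesShoot, WebhookConfigurationName) do. The reconciler hunks in this patch use it as the name of the seed webhook's Deployment, Service, ServiceAccount, ClusterRole and ClusterRoleBinding in kube-system, so suggest `// SeedExtensionServiceName is the name of the seed webhook's Deployment, Service, ServiceAccount and RBAC objects deployed into the seed cluster.` Judging by the TODO removed in reconciler.go, the `-seed` suffix appears to be what stops these objects from colliding with the shoot extension's `ExtensionServiceName` objects on a managed seed; that rationale belongs in the commit description rather than only in a dropped TODO.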
@@ -124,9 +124,9 @@ func (kcr *kubeSystemReconciler) reconcile(ctx context.Context, logger logr.Logg } twoMinutes := 2 * time.Minute - timeoutSeedCtx, cancelSeedCtx := context.WithTimeout(ctx, twoMinutes) - defer cancelSeedCtx() - if err := managedresources.WaitUntilHealthy(timeoutSeedCtx, kcr.client, kcr.ownerNamespace, constants.ManagedResourceNamesSeed); err != nil { + timeoutHealthCtx, cancelHealthCtx := context.WithTimeout(ctx, twoMinutes) + defer cancelHealthCtx() + if err := managedresources.WaitUntilHealthy(timeoutHealthCtx, kcr.client, kcr.ownerNamespace, constants.ManagedResourceNamesSeed); err != nil { return err } @@ -159,7 +159,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, cacheTTL = time.Minute * 10 cacheRefreshInterval = time.Second * 30 cosignPublicKeysDir = "/etc/lakom/cosign" - cosignPublicKeysSecretName = constants.ExtensionServiceName + "-cosign-public-keys" + cosignPublicKeysSecretName = constants.SeedExtensionServiceName + "-cosign-public-keys" webhookTLSCertDir = "/etc/lakom/tls" registry = managedresources.NewRegistry(kubernetes.SeedScheme, kubernetes.SeedCodec, kubernetes.SeedSerializer) requestCPU, _ = resource.ParseQuantity("50m") @@ -207,7 +207,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, lakomDeployment := &appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: kubeSystemNamespace, Labels: utils.MergeStringMaps(getLabels(), map[string]string{ resourcesv1alpha1.HighAvailabilityConfigType: resourcesv1alpha1.HighAvailabilityConfigTypeServer, 
@@ -230,6 +230,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, v1beta1constants.LabelNetworkPolicyToDNS: v1beta1constants.LabelNetworkPolicyAllowed, v1beta1constants.LabelNetworkPolicyToPublicNetworks: v1beta1constants.LabelNetworkPolicyAllowed, v1beta1constants.LabelNetworkPolicyToRuntimeAPIServer: v1beta1constants.LabelNetworkPolicyAllowed, + v1beta1constants.LabelNetworkPolicyToBlockedCIDRs: v1beta1constants.LabelNetworkPolicyAllowed, }), }, Spec: corev1.PodSpec{ @@ -244,7 +245,8 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, }}, }, }, - ServiceAccountName: constants.ExtensionServiceName, + ServiceAccountName: constants.SeedExtensionServiceName, + AutomountServiceAccountToken: pointer.Bool(true), Containers: []corev1.Container{{ Name: constants.SeedApplicationName, Image: image, @@ -257,7 +259,6 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, "--health-bind-address=:" + healthPort.String(), "--metrics-bind-address=:" + metricsPort.String(), "--port=" + serverPort.String(), - // "--kubeconfig=/etc/lakom/client/kubeconfig", // Should discover automatically the in-cluster kubeconfig }, Ports: []corev1.ContainerPort{ { 
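Review bot: The `v1beta1constants.LabelNetworkPolicyToBlockedCIDRs: v1beta1constants.LabelNetworkPolicyAllowed` pod label in the @@ -230 hunk and the explicit `AutomountServiceAccountToken: pointer.Bool(true)` in the @@ -244 hunk widen the seed webhook's egress and credential posture, which a commit titled "Rename seed resources" does not signal. Neither line says why it is needed; the `--kubeconfig` comment removed in the @@ -257 hunk suggests the token is for in-cluster API client discovery, but the blocked-CIDRs allowance names no destination. Suggest a why-comment on each, e.g. `// The in-cluster client config is read from the mounted service account token.` and `// TODO(review): document which destination inside the blocked CIDR ranges the seed webhook must reach.`, and a sentence in the commit description. getResources starts and ends outside these hunks.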
@@ -346,13 +347,13 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, lakomService := &corev1.Service{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: kubeSystemNamespace, Labels: getLabels(), Annotations: map[string]string{ "networking.resources.gardener.cloud/from-all-scrape-targets-allowed-ports": `[{"protocol":"TCP","port":` + metricsPort.String() + `}]`, "networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports": `[{"protocol":"TCP","port":` + serverPort.String() + `}]`, - "networking.resources.gardener.cloud/pod-label-selector-namespace-alias": "extensions", + "networking.resources.gardener.cloud/pod-label-selector-namespace-alias": "extensions", // TODO(vpnachev): does this work from the kube-system namespace? }, }, Spec: corev1.ServiceSpec{ @@ -375,15 +376,13 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, }, } - var () - resources, err := registry.AddAllAndSerialize( lakomDeployment, lakomPDB, &cosignPublicKeysSecret, &corev1.ServiceAccount{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: kubeSystemNamespace, Labels: getLabels(), }, @@ -392,7 +391,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, lakomService, &vpaautoscalingv1.VerticalPodAutoscaler{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: kubeSystemNamespace, Labels: getLabels(), }, 
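Review bot: The `// TODO(vpnachev): does this work from the kube-system namespace?` appended to the `pod-label-selector-namespace-alias` annotation in the @@ -346 hunk leaves an open question in the code about whether the `extensions` alias still resolves now that the Service is deployed into kube-system. As far as the test hunks in this patch show, only the rendered YAML is compared, so the annotation's effect is not verified by the accompanying test. Either resolve the question before merging or make the TODO actionable, e.g. `// TODO(vpnachev): verify the "extensions" alias applies to a Service in kube-system; tracked in <ISSUE_PLACEHOLDER>`. getResources starts and ends outside this hunk.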
@@ -400,7 +399,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, ResourcePolicy: &vpaautoscalingv1.PodResourcePolicy{ ContainerPolicies: []vpaautoscalingv1.ContainerResourcePolicy{ { - ContainerName: constants.ApplicationName, + ContainerName: constants.SeedApplicationName, MinAllowed: corev1.ResourceList{ corev1.ResourceMemory: resource.MustParse("32Mi"), }, @@ -419,12 +418,12 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, }, &corev1.ConfigMap{ // TODO(vpnachev): Is this working outside of shoot namespaces? ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName + "-monitoring", + Name: constants.SeedExtensionServiceName + "-monitoring", Namespace: kubeSystemNamespace, Labels: utils.MergeStringMaps(getLabels(), map[string]string{v1beta1constants.LabelExtensionConfiguration: v1beta1constants.LabelMonitoring}), }, Data: map[string]string{ - v1beta1constants.PrometheusConfigMapScrapeConfig: `- job_name: ` + constants.ExtensionServiceName + ` + v1beta1constants.PrometheusConfigMapScrapeConfig: `- job_name: ` + constants.SeedExtensionServiceName + ` honor_labels: false kubernetes_sd_configs: - role: endpoints @@ -435,7 +434,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, - __meta_kubernetes_service_name - __meta_kubernetes_endpoint_port_name action: keep - regex: ` + constants.ExtensionServiceName + `;metrics + regex: ` + constants.SeedExtensionServiceName + `;metrics # common metrics - action: drop regex: __meta_kubernetes_service_label_(.+) @@ -467,7 +466,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, ClientConfig: admissionregistration.WebhookClientConfig{ Service: &admissionregistration.ServiceReference{ Namespace: kubeSystemNamespace, - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Path: pointer.String(constants.LakomResolveTagPath), }, CABundle: webhookCaBundle, 
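Review bot: The `ContainerName` change in the @@ -400 hunk is a behavioural fix rather than a rename: the Deployment's container is named `constants.SeedApplicationName` (`lakom-seed`, per the constants hunk), while the VPA policy referred to `constants.ApplicationName` (`lakom`), so the 32Mi `MinAllowed` matched no container before this commit. That is worth a sentence in the commit message so it is not lost in a rename-only diffstat. A short `// Must match the container name in lakomDeployment.` next to the field would prevent the same drift from recurring. getResources starts and ends outside this hunk.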
@@ -491,7 +490,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, ClientConfig: admissionregistration.WebhookClientConfig{ Service: &admissionregistration.ServiceReference{ Namespace: kubeSystemNamespace, - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Path: pointer.String(constants.LakomVerifyCosignSignaturePath), }, CABundle: webhookCaBundle, @@ -501,7 +500,7 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, }, &rbacv1.ClusterRole{ ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, + Name: constants.SeedExtensionServiceName, Labels: getLabels(), }, Rules: []rbacv1.PolicyRule{ @@ -514,18 +513,18 @@ func getResources(serverTLSSecretName, image string, cosignPublicKeys []string, }, &rbacv1.ClusterRoleBinding{ ObjectMeta: metav1.ObjectMeta{ - Name: webhookName, + Name: constants.SeedExtensionServiceName, Labels: getLabels(), }, RoleRef: rbacv1.RoleRef{ APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", - Name: webhookName, + Name: constants.SeedExtensionServiceName, }, Subjects: []rbacv1.Subject{ { Kind: rbacv1.ServiceAccountKind, - Name: constants.ExtensionServiceName, // TODO(vpnachev): For managed seeds, there is already such service account! + Name: constants.SeedExtensionServiceName, Namespace: kubeSystemNamespace, }, }, @@ -553,7 +552,7 @@ func getPDB(namespaceName string, k8sVersion *semver.Version) (client.Object, er if constraintK8sLess121.Check(k8sVersion) { return &policyv1beta1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: namespaceName, Labels: getLabels(), }, 
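Review bot: The ClusterRole and ClusterRoleBinding in the @@ -501 and @@ -514 hunks move from `webhookName` to `constants.SeedExtensionServiceName`, so the cluster-scoped objects applied under the old name (`gardener-extension-shoot-lakom-service-seed`, per the old test expectations) drop out of the registry. If the ManagedResource's garbage collection deletes objects removed from the serialized set this is fine; if it does not, a stale ClusterRoleBinding keeps granting this role to the old subject name, which on a managed seed is the shoot extension's own ServiceAccount according to the TODO this hunk removes, so this is worth confirming and stating in the commit description. The dropped TODO's rationale should survive as a comment at the Subjects entry, e.g. `// Distinct from the shoot extension's ServiceAccount of the same base name on managed seeds.`. getResources starts and ends outside these hunks.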
@@ -566,7 +565,7 @@ func getPDB(namespaceName string, k8sVersion *semver.Version) (client.Object, er return &policyv1.PodDisruptionBudget{ ObjectMeta: metav1.ObjectMeta{ - Name: constants.ExtensionServiceName, + Name: constants.SeedExtensionServiceName, Namespace: namespaceName, Labels: getLabels(), }, diff --git a/pkg/controller/seed/reconciler_test.go b/pkg/controller/seed/reconciler_test.go index 3d9473b9..0182c618 100644 --- a/pkg/controller/seed/reconciler_test.go +++ b/pkg/controller/seed/reconciler_test.go 
@@ -101,21 +101,21 @@ var _ = Describe("Reconciler", func() { namespace = "kube-system" ownerNamespace = "garden" failurePolicy = admissionregistrationv1.Ignore - cosignSecretName = "extension-shoot-lakom-service-cosign-public-keys-e3b0c442" - serverTLSSecretName = "shoot-lakom-service-tls" //#nosec G101 -- this is false positive + cosignSecretName = "extension-shoot-lakom-service-seed-cosign-public-keys-e3b0c442" + serverTLSSecretName = "shoot-lakom-service-seed-tls" //#nosec G101 -- this is false positive image = "eu.gcr.io/gardener-project/gardener/extensions/lakom:v0.0.0" validatingWebhookKey = "validatingwebhookconfiguration____gardener-extension-shoot-lakom-service-seed.yaml" mutatingWebhookKey = "mutatingwebhookconfiguration____gardener-extension-shoot-lakom-service-seed.yaml" - clusterRoleKey = "clusterrole____gardener-extension-shoot-lakom-service-seed.yaml" - clusterRoleBindingKey = "clusterrolebinding____gardener-extension-shoot-lakom-service-seed.yaml" + clusterRoleKey = "clusterrole____extension-shoot-lakom-service-seed.yaml" + clusterRoleBindingKey = "clusterrolebinding____extension-shoot-lakom-service-seed.yaml" cosignSecretNameKey = "secret__" + namespace + "__" + cosignSecretName + ".yaml" - configMapKey = "configmap__" + namespace + "__extension-shoot-lakom-service-monitoring.yaml" - deploymentKey = "deployment__" + namespace + "__extension-shoot-lakom-service.yaml" - pdbKey = "poddisruptionbudget__" + namespace + "__extension-shoot-lakom-service.yaml" - serviceKey = "service__" + namespace + "__extension-shoot-lakom-service.yaml" - serviceAccountKey = "serviceaccount__" + namespace + "__extension-shoot-lakom-service.yaml" - vpaKey = "verticalpodautoscaler__" + namespace + "__extension-shoot-lakom-service.yaml" + configMapKey = "configmap__" + namespace + "__extension-shoot-lakom-service-seed-monitoring.yaml" + deploymentKey = "deployment__" + namespace + "__extension-shoot-lakom-service-seed.yaml" + pdbKey = "poddisruptionbudget__" + namespace + 
"__extension-shoot-lakom-service-seed.yaml" + serviceKey = "service__" + namespace + "__extension-shoot-lakom-service-seed.yaml" + serviceAccountKey = "serviceaccount__" + namespace + "__extension-shoot-lakom-service-seed.yaml" + vpaKey = "verticalpodautoscaler__" + namespace + "__extension-shoot-lakom-service-seed.yaml" ) var ( @@ -258,7 +258,7 @@ webhooks: clientConfig: caBundle: ` + caBundleEncoded + ` service: - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: kube-system path: /lakom/resolve-tag-to-digest failurePolicy: ` + strFailurePolicy + ` @@ -306,7 +306,7 @@ webhooks: clientConfig: caBundle: ` + caBundleEncoded + ` service: - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: kube-system path: /lakom/verify-cosign-signature failurePolicy: ` + strFailurePolicy + ` @@ -342,7 +342,7 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: gardener-extension-shoot-lakom-service-seed + name: extension-shoot-lakom-service-seed rules: - apiGroups: - "" @@ -361,14 +361,14 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: gardener-extension-shoot-lakom-service-seed + name: extension-shoot-lakom-service-seed roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: gardener-extension-shoot-lakom-service-seed + name: extension-shoot-lakom-service-seed subjects: - kind: ServiceAccount - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: kube-system ` } @@ -377,7 +377,7 @@ func expectedConfigMap(namespace string) string { return `apiVersion: v1 data: scrape_config: | - - job_name: extension-shoot-lakom-service + - job_name: extension-shoot-lakom-service-seed honor_labels: false kubernetes_sd_configs: - role: endpoints 
@@ -388,7 +388,7 @@ data: - __meta_kubernetes_service_name - __meta_kubernetes_endpoint_port_name action: keep - regex: extension-shoot-lakom-service;metrics + regex: extension-shoot-lakom-service-seed;metrics # common metrics - action: drop regex: __meta_kubernetes_service_label_(.+) @@ -407,7 +407,7 @@ metadata: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service extensions.gardener.cloud/configuration: monitoring - name: extension-shoot-lakom-service-monitoring + name: extension-shoot-lakom-service-seed-monitoring namespace: ` + namespace + ` ` } @@ -433,7 +433,7 @@ metadata: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service high-availability-config.resources.gardener.cloud/type: server - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: ` + namespace + ` spec: replicas: 3 @@ -455,6 +455,7 @@ spec: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service + networking.gardener.cloud/to-blocked-cidrs: allowed networking.gardener.cloud/to-dns: allowed networking.gardener.cloud/to-public-networks: allowed networking.gardener.cloud/to-runtime-apiserver: allowed @@ -469,6 +470,7 @@ spec: app.kubernetes.io/part-of: shoot-lakom-service topologyKey: kubernetes.io/hostname weight: 100 + automountServiceAccountToken: true containers: - args: - --cache-ttl=10m0s @@ -512,7 +514,7 @@ spec: name: lakom-server-tls readOnly: true priorityClassName: gardener-system-900 - serviceAccountName: extension-shoot-lakom-service + serviceAccountName: extension-shoot-lakom-service-seed volumes: - name: lakom-public-keys secret: @@ -533,7 +535,7 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: ` + namespace + ` spec: maxUnavailable: 1 
@@ -585,7 +587,7 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: ` + namespace + ` spec: ports: @@ -615,7 +617,7 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: ` + namespace + ` ` } @@ -628,18 +630,18 @@ metadata: labels: app.kubernetes.io/name: lakom-seed app.kubernetes.io/part-of: shoot-lakom-service - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed namespace: ` + namespace + ` spec: resourcePolicy: containerPolicies: - - containerName: lakom + - containerName: lakom-seed minAllowed: memory: 32Mi targetRef: apiVersion: apps/v1 kind: Deployment - name: extension-shoot-lakom-service + name: extension-shoot-lakom-service-seed updatePolicy: updateMode: Auto status: {} diff --git a/pkg/controller/seed/secrets.go b/pkg/controller/seed/secrets.go index 6eaf7ee4..859d76ef 100644 --- a/pkg/controller/seed/secrets.go +++ b/pkg/controller/seed/secrets.go @@ -15,7 +15,7 @@ import ( const ( // ManagerIdentity is the identity used for the secrets manager. - ManagerIdentity = "extension-" + constants.ExtensionType + "-seed" + ManagerIdentity = constants.SeedExtensionServiceName // CAName is the name of the CA secret. CAName = "ca-" + ManagerIdentity ) 
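Review bot: `ManagerIdentity = constants.SeedExtensionServiceName` in the secrets.go @@ -15 hunk ties the secrets manager identity to a constant that also names the Deployment, Service and RBAC objects, whereas it was previously derived from `constants.ExtensionType`. The two expressions yield the same string only if `ExtensionServiceName` equals `"extension-" + ExtensionType`; the test expectations (`extension-shoot-lakom-service-seed`) suggest they do today, but nothing in the file now records that the identity must stay stable, and `CAName` derives from it, so a later rename of the service constant would orphan every secret (CA included) already generated under the old identity. Suggest `// Must not change: secrets already generated in seeds are keyed by this identity, and CAName derives from it.` above the assignment.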
@@ -33,9 +33,9 @@ func ConfigsFor(namespace string) []extensionssecretsmanager.SecretConfigWithOpt }, { Config: &secretutils.CertificateSecretConfig{ - Name: constants.WebhookTLSSecretName, - CommonName: constants.ExtensionServiceName, - DNSNames: kutil.DNSNamesForService(constants.ExtensionServiceName, namespace), + Name: constants.SeedWebhookTLSSecretName, + CommonName: constants.SeedExtensionServiceName, + DNSNames: kutil.DNSNamesForService(constants.SeedExtensionServiceName, namespace), CertType: secretutils.ServerCert, SkipPublishingCACertificate: true, },
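Review bot: The renamed certificate config in the @@ -33 hunk changes the server certificate's CommonName and SANs to the new seed Service name, which is consistent with the Service rename in reconciler.go, but whatever secret was generated under the old `constants.WebhookTLSSecretName` config is only removed if the secrets manager's cleanup of unused secrets runs after generation, which this diff does not show; worth confirming so stale key material does not linger in the seed namespace. A comment tying the two sides together, `// DNSNames must cover the seed webhook Service name the webhook ClientConfig points at.`, would keep them from drifting apart in a later rename. ConfigsFor starts outside this hunk.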