
rfranzke
Member

How to categorize this PR?

/area ipcei
/kind enhancement

What this PR does / why we need it:
This PR is the next increment for gardenadm init. It deploys gardener-resource-manager, the seed/shoot system components (which are mostly PriorityClasses), and the extension controllers in bootstrap mode.

Result:

root@machine-0:/# k get po,pc -A
NAMESPACE                     NAME                                                        READY   STATUS    RESTARTS   AGE
extension-networking-calico   pod/gardener-extension-networking-calico-6bb84d9879-zg4hm   1/1     Running   0          16m
extension-provider-local      pod/gardener-extension-provider-local-794c9976b7-tn8hx      1/1     Running   0          16m
kube-system                   pod/etcd-events-0-machine-0                                 1/1     Running   0          15m
kube-system                   pod/etcd-main-0-machine-0                                   1/1     Running   0          15m
kube-system                   pod/gardener-resource-manager-6f9cf4c994-2f8px              1/1     Running   0          17m
kube-system                   pod/kube-apiserver-machine-0                                1/1     Running   0          15m
kube-system                   pod/kube-controller-manager-machine-0                       1/1     Running   0          15m
kube-system                   pod/kube-scheduler-machine-0                                1/1     Running   0          15m

NAMESPACE   NAME                                                               VALUE        GLOBAL-DEFAULT   AGE   PREEMPTIONPOLICY
            priorityclass.scheduling.k8s.io/gardener-reserve-excess-capacity   -5           false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-shoot-system-600          999999600    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-shoot-system-700          999999700    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-shoot-system-800          999999800    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-shoot-system-900          999999900    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-100                999998100    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-200                999998200    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-300                999998300    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-400                999998400    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-500                999998500    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-600                999998600    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-700                999998700    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-800                999998800    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/gardener-system-900                999998900    false            16m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/system-cluster-critical            2000000000   false            17m   PreemptLowerPriority
            priorityclass.scheduling.k8s.io/system-node-critical               2000001000   false            17m   PreemptLowerPriority

Which issue(s) this PR fixes:
Part of #2906

Special notes for your reviewer:
/cc @ScheererJ

Release note:

NONE

@gardener-prow gardener-prow bot requested a review from ScheererJ April 10, 2025 07:49
@gardener-prow gardener-prow bot added area/ipcei IPCEI (Important Project of Common European Interest) kind/enhancement Enhancement, improvement, extension cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Apr 10, 2025
@ScheererJ
Member

/assign

@rfranzke rfranzke force-pushed the gep28/grm branch 2 times, most recently from 3da5071 to 252920f Compare April 10, 2025 10:47
Member

@ScheererJ ScheererJ left a comment


Great progress. Thanks a lot.

The changes look very good already. I have only a few comments/questions.

Member

@ScheererJ ScheererJ left a comment


/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 11, 2025
Contributor

gardener-prow bot commented Apr 11, 2025

LGTM label has been added.

Git tree hash: 556ce0f82bde3d23822340b7c5a38fa3a24d7619

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 11, 2025
@ScheererJ
Member

/test pull-gardener-e2e-kind-gardenadm

@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ April 15, 2025 10:24
Member

@ScheererJ ScheererJ left a comment


/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 15, 2025
Contributor

gardener-prow bot commented Apr 15, 2025

LGTM label has been added.

Git tree hash: 8de0ae3f0a83fd817c52e44f2f237d33a7f1bfc1

Contributor

gardener-prow bot commented Apr 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ScheererJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ April 16, 2025 07:04
@ScheererJ
Member

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2025
@gardener-prow gardener-prow bot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 16, 2025
rfranzke added 14 commits April 16, 2025 12:15
This way, we can easily execute `kubectl` commands in the machine pods
without explicitly pointing to the admin kubeconfig file.

This results in a more convenient use (the only use-case for this static
token kubeconfig are the autonomous shoot clusters, and here we usually
operate in the `kube-system` namespace, i.e., with this change, we can
simply do `kubectl get pods` and see all pods in `kube-system`).

This includes
- priority classes
- read-only clusterrole + clusterrolebindings (for viewers)
- some network policies
- KCM service accounts
- shoot-info config map

- only consider injecting garden kubeconfig when "bootstrap" flag
  is disabled
- prevent nil pointer exceptions by checking explicitly if ingress
  domain is set
- change rolling update strategy for extension deployments to `Recreate`
  (to avoid host port conflicts)
- set `KUBERNETES_SERVICE_HOST` env var to `localhost` (extensions get
  deployed before kube-proxy, so the default kubernetes cluster IP does
  not work yet)
- disable coredns deployment (we don't need it in `gardenadm` scenarios)
- do not depend on garden `cluster.Cluster` object (this is only needed
  for shoot control plane migration at the moment)
- inject correct image ref built via skaffold into
  `ControllerDeployment`
- the list of ControllerRegistrations/ControllerDeployments can be quite
  long (later, this can be downloaded from an existing Gardener system
  via `gardenadm discover`, i.e., there can be a lot of extensions)
- we should only deploy those we really need

Otherwise, the `kubelet` might fail for a while to create the mirror
pods for the static pods because a webhook might not be available yet.
Since the webhooks are anyway not needed for the mirror pods, we don't
want them to be called in the first place.
@gardener-prow gardener-prow bot removed lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 16, 2025
@ScheererJ
Member

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Apr 16, 2025
Contributor

gardener-prow bot commented Apr 16, 2025

LGTM label has been added.

Git tree hash: 46c5f8973a199f1d2f786667d3b99e964502f509

@gardener-prow gardener-prow bot merged commit 2a8498c into gardener:master Apr 16, 2025
19 checks passed
@rfranzke rfranzke deleted the gep28/grm branch April 16, 2025 14:38
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 9, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 9, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 9, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 9, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 12, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
rfranzke added a commit to rfranzke/gardener that referenced this pull request May 13, 2025
- With gardener@f9f6a46
  (part of gardener#11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.
gardener-prow bot pushed a commit that referenced this pull request May 13, 2025
…d` (#12038)

* Deploy `etcd-druid` CRDs

* Deploy `etcd-druid`

* Static pod translator: Remove service account names

This is not allowed for mirror pods

* Static pod translator: Translate STS volume claim templates

We just mount a path from the host instead.

* Prepare bootstrap etcd

- change names from `etcd-<role>-0` to `etcd-bootstrap-<role>` to make
  it more clear when `kubectl get pod`
- use the same data directory that etcd managed by etcd-druid would use
  later (it shall just take over the existing data dir)

* GRM pod-creation webhooks always skip static pods

- With f9f6a46
  (part of #11853) we only
  skipped static pods during the bootstrap phase. However, we actually
  never want GRM webhooks to react on static pod creations, even if we
  are beyond the bootstrap phase. Otherwise, the kubelet might fail to
  create mirror pods for control plane components if the GRM webhook is
  unavailable. This can lead to undesired behaviour.

* Bootstrap etcd must use same version as etcd-druid

- Otherwise, we might get issues when etcd-druid takes over etcd
  management later
- Review this commit with `git diff -w` (ignoring whitespaces)
- `yq` seems to enforce indentation, so let's live with it

Output:

$ go generate ./imagevector/imagevector.go
containers.go
Cloning etcd-druid...
Found etcd-wrapper tag: v0.4.4
Cloning etcd-wrapper at tag v0.4.4...
Found etcd version string: v0.0.0-20240911181550-c123b3ea3db3
Extracted commit hash: c123b3ea3db3
Cloning etcd repo to resolve tag...
Resolved etcd tag: v3.4.34
Updating containers.yaml with etcd v3.4.34 tag
charts.go
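The commit messages above (the "mirror pods for the static pods" note in the 14-commit push and the "GRM pod-creation webhooks always skip static pods" commit) describe the failure mode: if a mutating pod webhook is unavailable while the kubelet creates the mirror pod of a static control-plane pod, the API server rejects the creation and the control plane cannot come up. The following is an added example, not gardener-resource-manager's own code. It is a stdlib-only stand-in for a pod-creation webhook handler: the admission types are minimal projections of `admission.k8s.io/v1` and `core/v1`, the annotation keys `kubernetes.io/config.mirror` and `kubernetes.io/config.source` are the real kubelet annotations that mark a mirror pod, and the sample AdmissionReview payloads and the patch it applies to ordinary pods are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Kubelet annotations on mirror pods (the API-server representation of static pods).
const (
	mirrorAnnotation = "kubernetes.io/config.mirror"
	sourceAnnotation = "kubernetes.io/config.source"
)

// pod is a minimal projection of a core/v1 Pod (assumed shape for this example).
type pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Namespace   string            `json:"namespace"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// admissionRequest is a minimal projection of admission.k8s.io/v1 AdmissionRequest.
type admissionRequest struct {
	UID       string          `json:"uid"`
	Operation string          `json:"operation"`
	Object    json.RawMessage `json:"object"`
}

type admissionReview struct {
	Request *admissionRequest `json:"request"`
}

// Decision is the handler result; Patch is empty when the pod was skipped.
type Decision struct {
	UID     string
	Allowed bool
	Skipped bool
	Patch   []map[string]any // JSON Patch operations
}

// IsStaticPod reports whether the object is the mirror of a kubelet static pod.
func IsStaticPod(p *pod) bool {
	if _, ok := p.Metadata.Annotations[mirrorAnnotation]; ok {
		return true
	}
	return p.Metadata.Annotations[sourceAnnotation] == "file"
}

// HandlePodCreate mutates ordinary pods but always admits static pods untouched,
// so mirror-pod creation by the kubelet never depends on this webhook's logic.
func HandlePodCreate(reviewJSON []byte) (Decision, error) {
	var review admissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil {
		return Decision{}, fmt.Errorf("decoding AdmissionReview: %w", err)
	}
	if review.Request == nil {
		return Decision{}, errors.New("AdmissionReview without request")
	}
	var p pod
	if err := json.Unmarshal(review.Request.Object, &p); err != nil {
		return Decision{}, fmt.Errorf("decoding pod: %w", err)
	}
	d := Decision{UID: review.Request.UID, Allowed: true}
	if IsStaticPod(&p) {
		d.Skipped = true // static pod: admit as-is, no patch
		return d, nil
	}
	// Constructed mutation for ordinary pods: add a marker annotation. JSON Patch
	// cannot add a key into a missing map, so create the map when there is none.
	if p.Metadata.Annotations == nil {
		d.Patch = []map[string]any{{"op": "add", "path": "/metadata/annotations",
			"value": map[string]string{"example.invalid/handled-by": "pod-webhook"}}}
	} else {
		d.Patch = []map[string]any{{"op": "add",
			"path": "/metadata/annotations/example.invalid~1handled-by", "value": "pod-webhook"}}
	}
	return d, nil
}

// Constructed sample requests: a kube-apiserver mirror pod and a regular deployment pod.
var (
	staticPodReview  = []byte(`{"request":{"uid":"1","operation":"CREATE","object":{"metadata":{"name":"kube-apiserver-machine-0","namespace":"kube-system","annotations":{"kubernetes.io/config.mirror":"abc","kubernetes.io/config.source":"file"}}}}}`)
	regularPodReview = []byte(`{"request":{"uid":"2","operation":"CREATE","object":{"metadata":{"name":"gardener-resource-manager-0","namespace":"kube-system"}}}}`)
)

func main() {
	for _, r := range [][]byte{staticPodReview, regularPodReview} {
		d, err := HandlePodCreate(r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("uid=%s allowed=%t skipped=%t patchOps=%d\n", d.UID, d.Allowed, d.Skipped, len(d.Patch))
	}
}
```

The handler-level skip is what keeps the mirror pod independent of the webhook's mutation logic; whether the API server even reaches the handler still depends on the webhook configuration (its `failurePolicy` and selectors), which is why the commit message also wants static pods not to be called "in the first place".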