[GEP-28] gardenadm join: Support joining worker nodes
#11942
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/assign |
|
/assign |
ScheererJ
reviewed
Apr 30, 2025
|
/lgtm |
timebertt
reviewed
May 6, 2025
|
/assign |
timebertt
reviewed
May 7, 2025
|
I tested the |
timebertt
approved these changes
May 8, 2025
|
LGTM label has been added. Git tree hash: 1596408e7c16ba88a6a7695f59f8627a8520f5d7
|
After gardener@4970ff1, we have a static DNS name for the control plane, so let's use it when computing the kubeconfig. This will be helpful later when we generate a `gardenadm join` command.
This will make `gardenadm init` automatically create and prepare an `Secret` containing an `OperatingSystemConfig` for the worker pool. This `Secret` is later downloaded by `gardener-node-agent` when running `gardenadm join` on the to-be-joined machine.
Similar to gardener@a1bac58 This allows use to drop the `nodeagentosc` webhook in `provider-local` (as anticipated in above mentioned commit).
We don't have `Shoot`, `CloudProfile`, etc. resources when running `gardenadm join`. Yet, we would like to use functionality of the `AutonomousBotanist`.
In the next commit, we will use this to check if the GNA unit has been created already (with the ultimate goal to make `gardenadm join` idempotent).
See e.g. https://prow.gardener.cloud/view/gs/gardener-prow/pr-logs/pull/gardener_gardener/11942/pull-gardener-e2e-kind-gardenadm/1920423004655849472: - it might take > 1m for the images to be pulled, the containers to be started, and the controller to remove the taint
timebertt
approved these changes
May 8, 2025
|
LGTM label has been added. Git tree hash: 77a7675d56842958186e1e1c213e13aa0fdd52f5
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timebertt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to categorize this PR?
/area ipcei
/kind enhancement
What this PR does / why we need it:
This PR implements
gardenadm joinfor worker nodes. This works by adding a worker pool to theShootmanifest, creating or generating a new bootstrap token on the control plane node, and then runningon the worker node that should be joined.
In the future, we could generate a separate discovery token to use it for reading the CA bundle from the
kube-public/cluster-infoConfigMap(similar approach as withkubeadm).Also, we could think about how to simplify finding the correct name of the
gardener-node-agentSecretin case there are multiple worker pools defined in theShoot(currently, you have to look it up usingkubectl -n kube-system get secret -l gardener.cloud/role=operating-system-config,worker.gardener.cloud/pool=<worker-pool-name>if you are not using the--print-join-commandflag when runninggardenadm token {create,generate}, see #11934). Perhaps we could also implement a dedicated command for it if needed.Which issue(s) this PR fixes:
Part of #2906
Special notes for your reviewer:
Note
The e2e test fails because #11934 must be merged first (pending).
Release note: