
@timebertt (Member) commented Aug 1, 2025

How to categorize this PR?

/area ipcei
/kind enhancement

What this PR does / why we need it:

This PR extends the bootstrap OSC introduced in #12267 to also add the gardener user along with the public SSH key to the control plane machines.
With this, we can connect to the control plane machines (via the Bastion) using the ssh-keypair secret – similar to usual shoot nodes.

Which issue(s) this PR fixes:
Part of #2906

Special notes for your reviewer:

/cc @ScheererJ @maboehm @rfranzke

With this PR, you can manually connect to the control plane machine as follows:

make kind-up gardenadm-up SCENARIO=medium-touch
export IMAGEVECTOR_OVERWRITE=$PWD/dev-setup/gardenadm/resources/generated/.imagevector-overwrite.yaml
go run ./cmd/gardenadm bootstrap -d ./dev-setup/gardenadm/resources/generated/medium-touch

machine_ip="$(k -n shoot--garden--root get po -l app=machine -oyaml | yq '.items[0].status.podIP')"

# get the ssh keys for bastion and shoot
k -n shoot--garden--root get secret -l name=bastion-gardenadm-bootstrap-ssh-keypair -oyaml | yq '.items[0].data.id_rsa | @base64d' | tee /tmp/id_rsa_bastion
k -n shoot--garden--root get secret -l name=ssh-keypair -oyaml | yq '.items[0].data.id_rsa | @base64d' | tee /tmp/id_rsa_shoot
# make ssh happy
chmod 0600 /tmp/id_rsa_*
# add ssh keys to ssh agent for simplifying the jump command
ssh-add /tmp/id_rsa_*

# ssh to the machine via the bastion
ssh -t -o "ProxyJump gardener@172.18.255.22" gardener@$machine_ip bash

# should show something like this:
$ id
uid=1000(gardener) gid=1000(gardener) groups=1000(gardener)
$ hostname
machine-shoot--garden--root-control-plane-695dc-nm6xh

Release note:

NONE
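
As an added example (not code from this PR or from the gardener project), the following POSIX shell helpers cover two points a reviewer of the procedure above would want to check: writing the extracted private keys with a restrictive mode from the start instead of chmod-ing them after they already exist, and verifying on the machine's filesystem (or a mounted copy of it) that the `gardener` user exists with uid 1000 and that its `authorized_keys` holds exactly the expected public key with restrictive permissions. The function names, the `/home/gardener` home directory in the fixture and the sample key are assumptions constructed for this example, not the project's own paths, secrets or code.

```shell
#!/bin/sh
# Added example (not part of the PR): safe handling of extracted SSH key material
# and a post-bootstrap check of the provisioned `gardener` user.
# Assumes POSIX sh plus coreutils (base64, stat); no cluster access is needed.
set -eu

# Octal file mode, portable across GNU stat and BSD stat.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# write_private_key DEST
# Reads base64-encoded key material on stdin (what `yq '.data.id_rsa'` yields
# from the secret) and creates DEST with mode 0600 from the start, so the key
# is never briefly world-readable under a permissive umask.
write_private_key() {
  dest="$1"
  (umask 077 && base64 -d > "$dest")
  [ "$(file_mode "$dest")" = "600" ]
}

# check_gardener_user ROOT EXPECTED_PUBKEY
# ROOT is the machine's filesystem root (or a copy of it). Verifies that the
# gardener user exists with uid 1000, that ~/.ssh is 0700 and authorized_keys is
# 0600, and that authorized_keys contains exactly one key: the expected one.
check_gardener_user() {
  root="$1"; expected="$2"
  entry="$(grep '^gardener:' "$root/etc/passwd" || true)"
  [ -n "$entry" ] || { echo "gardener user missing" >&2; return 1; }
  uid="$(printf '%s\n' "$entry" | cut -d: -f3)"
  home="$(printf '%s\n' "$entry" | cut -d: -f6)"
  [ "$uid" = "1000" ] || { echo "unexpected uid $uid" >&2; return 1; }
  ak="$root$home/.ssh/authorized_keys"
  [ -f "$ak" ] || { echo "authorized_keys missing" >&2; return 1; }
  [ "$(file_mode "$root$home/.ssh")" = "700" ] || { echo ".ssh is not 0700" >&2; return 1; }
  [ "$(file_mode "$ak")" = "600" ] || { echo "authorized_keys is not 0600" >&2; return 1; }
  # Ignore comments and blank lines; anything else must be the single expected key.
  keys="$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$ak" || true)"
  [ "$(printf '%s\n' "$keys" | wc -l | tr -d ' ')" = "1" ] || { echo "expected exactly one key" >&2; return 1; }
  [ "$keys" = "$expected" ] || { echo "authorized_keys does not hold the expected key" >&2; return 1; }
}

# make_fixture DIR PUBKEY
# Constructed sample machine root (assumed layout, not gardener's) for exercising
# check_gardener_user offline.
make_fixture() {
  d="$1"; key="$2"
  mkdir -p "$d/etc" "$d/home/gardener/.ssh"
  printf 'root:x:0:0:root:/root:/bin/bash\ngardener:x:1000:1000::/home/gardener:/bin/bash\n' > "$d/etc/passwd"
  printf '# constructed sample authorized_keys\n%s\n' "$key" > "$d/home/gardener/.ssh/authorized_keys"
  chmod 700 "$d/home/gardener/.ssh"
  chmod 600 "$d/home/gardener/.ssh/authorized_keys"
}
```

Run `check_gardener_user / "$(cat ~/.ssh/id_rsa.pub)"` on the machine (or against a mounted image) after bootstrap; the check deliberately fails on any extra key, since a second trusted key on a control plane node is exactly what a post-provisioning review should surface.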

@gardener-prow gardener-prow bot requested a review from rfranzke August 1, 2025 10:09
@gardener-prow gardener-prow bot added area/ipcei IPCEI (Important Project of Common European Interest) kind/enhancement Enhancement, improvement, extension labels Aug 1, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ August 1, 2025 10:09
gardener-prow bot (Contributor) commented Aug 1, 2025

@timebertt: GitHub didn't allow me to request PR reviews from the following users: maboehm.

Note that only gardener members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

How to categorize this PR?

/area ipcei
/kind enhancement

What this PR does / why we need it:

This PR extends the bootstrap OSC introduced in #12267 to also add the gardener user along with the public SSH key to the control plane machines.
With this, we can connect to the control plane machines (via the Bastion) using the ssh-keypair secret – similar to usual shoot nodes.

Which issue(s) this PR fixes:
Part of #2906

Special notes for your reviewer:

/cc @ScheererJ @maboehm @rfranzke

With this PR, you can manually connect to the control plane machine as follows:

make kind-up gardenadm-up SCENARIO=medium-touch
export IMAGEVECTOR_OVERWRITE=$PWD/dev-setup/gardenadm/resources/generated/.imagevector-overwrite.yaml
go run ./cmd/gardenadm bootstrap -d ./dev-setup/gardenadm/resources/generated/medium-touch

machine_ip="$(k -n shoot--garden--root get po -l app=machine -oyaml | yq '.items[0].status.podIP')"

# get the ssh keys for bastion and shoot
k -n shoot--garden--root get secret -l name=bastion-gardenadm-bootstrap-ssh-keypair -oyaml | yq '.items[0].data.id_rsa | @base64d' | tee /tmp/id_rsa_bastion
k -n shoot--garden--root get secret -l name=ssh-keypair -oyaml | yq '.items[0].data.id_rsa | @base64d' | tee /tmp/id_rsa_shoot
# make ssh happy
chmod 0600 /tmp/id_rsa_*
# add ssh keys to ssh-agent
ssh-add /tmp/id_rsa_*

# ssh to the bastion (with agent forwarding enabled), then ssh to the machine
ssh -tA gardener@172.18.255.22 ssh -t gardener@$machine_ip bash

# should show something like this:
$ id
uid=1000(gardener) gid=1000(gardener) groups=1000(gardener)
$ hostname
machine-shoot--garden--root-control-plane-695dc-nm6xh

Release note:

NONE

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 1, 2025
gardener-prow bot (Contributor) commented Aug 1, 2025

@timebertt: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: pull-gardener-apidiff
Commit: 552507f
Details: link
Required: false
Rerun command: /test pull-gardener-apidiff

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@rfranzke (Member) left a comment

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 4, 2025
gardener-prow bot (Contributor) commented Aug 4, 2025

LGTM label has been added.

Git tree hash: f5bd0c3985486ba3ecdce801d264e8e53c435285

gardener-prow bot (Contributor) commented Aug 4, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 4, 2025
@gardener-prow gardener-prow bot merged commit a57dd89 into gardener:master Aug 4, 2025
18 of 19 checks passed
@timebertt timebertt deleted the gardenadm-bootstrap-gardener-user branch August 4, 2025 18:08
Duciwuci pushed a commit to stackitcloud/gardener that referenced this pull request Sep 1, 2025
…chines (gardener#12653)

* Fix docs

* Add `gardener` user to control plane machines