
Conversation

timebertt
Member

@timebertt timebertt commented Aug 4, 2025

How to categorize this PR?

/area ipcei
/kind enhancement

What this PR does / why we need it:

Typically, machines running in a cloud infrastructure environment can resolve the hostnames of other machines in the same cluster/network. To mimic this behavior in the local setup, the machine provider creates a Service for every Machine with the same name as the Pod. With this, local Nodes and Bastions can connect to other Nodes via their hostname.

When connecting to a Node via gardenctl ssh, gardenctl prefers the internal IP of a Node and falls back to the hostname. With this PR, both addresses also work in provider-local (follow-up to #12366).

In gardenadm bootstrap, we also need to connect to the control plane machines via the Bastion. But there is no Node object for the Machines (see gardener/machine-controller-manager#1007).
Note that this PR alone is not sufficient for successfully connecting from the Bastion to the control plane machine, as the hostname is different from the machine name (the pod has an additional machine- prefix).
#12489 will publish to the correct hostname in Machine.status.addresses.
Hence, this PR is rather a "cleanup" for harmonizing the provider-local machines' behavior with typical cloud infrastructure.

Which issue(s) this PR fixes:
Part of #2906

Special notes for your reviewer:

/cc @ScheererJ @rfranzke @maboehm

In draft until

obsolete with #12661 (comment)

Release note:

The hostname of provider-local `Machines`/`Nodes` can be resolved via DNS, similar to typical cloud infrastructure environments. This allows connecting from a `Bastion` to a `Node` via its hostname.

@gardener-prow gardener-prow bot requested a review from ScheererJ August 4, 2025 07:38
@gardener-prow gardener-prow bot added area/ipcei IPCEI (Important Project of Common European Interest) kind/enhancement Enhancement, improvement, extension labels Aug 4, 2025
@gardener-prow gardener-prow bot requested a review from rfranzke August 4, 2025 07:38
Contributor

gardener-prow bot commented Aug 4, 2025

@timebertt: GitHub didn't allow me to request PR reviews from the following users: maboehm.

Note that only gardener members and repo collaborators can review this PR, and authors cannot review their own PRs.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@gardener-prow gardener-prow bot added cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 4, 2025
@timebertt
Member Author

/hold
I just realized that we need to deploy the ControlPlane object in gardenadm bootstrap before this PR.
Without this, gardenadm e2e tests fail with (ref):

error during reconciliation: Error reconciling Worker: failed while waiting for all machine deployments to be ready: machine(s) failed: 1 error occurred: "shoot--garden--root-control-plane-695dc-gjcm8": Cloud provider message - machine codes error: code = [Internal] message = [error applying service: services "machine-shoot--garden--root-control-plane-695dc-gjcm8" is forbidden: User "system:serviceaccount:shoot--garden--root:machine-controller-manager" cannot patch resource "services" in API group "" in the namespace "shoot--garden--root"]

My original plan was to do this the other way round 🙈 Well, I will prepare the other PR now.
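Constructed illustration (not the project's own manifests) of the two objects the PR description and the forbidden error above imply: a per-Machine Service carrying the Pod's name, and a namespace-scoped Role that grants the machine-controller-manager ServiceAccount only the `services` verbs it needs. The selector label, the headless setting, the Role name and any verbs beyond `patch` are assumptions.

```yaml
# Service per Machine so the Pod's name resolves via cluster DNS (constructed example).
apiVersion: v1
kind: Service
metadata:
  name: machine-shoot--garden--root-control-plane-695dc-gjcm8   # same name as the Machine's Pod (from the error above)
  namespace: shoot--garden--root
spec:
  clusterIP: None        # headless (assumption): the hostname resolves straight to the Pod IP
  selector:
    machine: shoot--garden--root-control-plane-695dc-gjcm8     # assumed label set on the Machine's Pod
  ports:
  - name: ssh
    port: 22
    targetPort: 22
---
# Least-privilege RBAC: a Role (not a ClusterRole) limited to the shoot namespace and to services.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: machine-controller-manager-services   # assumed name
  namespace: shoot--garden--root
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "create", "patch", "delete"]   # patch is the verb the error reports; others assumed
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: machine-controller-manager-services   # assumed name
  namespace: shoot--garden--root
subjects:
- kind: ServiceAccount
  name: machine-controller-manager            # subject named in the error above
  namespace: shoot--garden--root
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: machine-controller-manager-services
```

`kubectl auth can-i patch services -n shoot--garden--root --as=system:serviceaccount:shoot--garden--root:machine-controller-manager` confirms the binding took effect before the Worker reconciliation is retried.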

@gardener-prow gardener-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 4, 2025
@timebertt timebertt force-pushed the provider-local-resolvable-machine-hostnames branch from a9fbbf5 to 8e0fdac Compare August 4, 2025 08:12
@timebertt timebertt marked this pull request as draft August 4, 2025 10:02
@gardener-prow gardener-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 4, 2025
@timebertt timebertt force-pushed the provider-local-resolvable-machine-hostnames branch from 8e0fdac to 0531d9d Compare August 4, 2025 10:36
@gardener-prow gardener-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 4, 2025
@timebertt
Member Author

I just realized that we need to deploy the ControlPlane object in gardenadm bootstrap before this PR.

I rebased this PR onto #12661.
So the e2e tests should work now.

/test pull-gardener-e2e-kind pull-gardener-e2e-kind-gardenadm

@timebertt timebertt force-pushed the provider-local-resolvable-machine-hostnames branch from 0531d9d to 0f6f57e Compare August 5, 2025 14:18
@gardener-prow gardener-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 5, 2025
@timebertt
Member Author

I adapted this PR to the decision in #12661 (comment).
With this, it is ready for review as it no longer depends on the ControlPlane object.

@timebertt
Member Author

/hold cancel

@timebertt timebertt marked this pull request as ready for review August 5, 2025 14:20
@gardener-prow gardener-prow bot removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Aug 5, 2025
Member

@rfranzke rfranzke left a comment

Very nice, love it!
Thank you.

/lgtm
/approve

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 6, 2025
Contributor

gardener-prow bot commented Aug 6, 2025

LGTM label has been added.

Git tree hash: 15d9f2403aa830903d315d3595c35a4a1210b620

Contributor

gardener-prow bot commented Aug 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 6, 2025
@gardener-prow gardener-prow bot merged commit bd98f29 into gardener:master Aug 6, 2025
19 checks passed
@timebertt timebertt deleted the provider-local-resolvable-machine-hostnames branch August 6, 2025 11:24
Duciwuci pushed a commit to stackitcloud/gardener that referenced this pull request Sep 1, 2025
…2657)

* Drop outdated docs

* Add docs for mcm-provider-local internals

* Create Service per Machine

* Add permissions for `services` to mcm `ServiceAccount`

* provider-local: allow Bastion to resolve node names

* Ensure functionality in e2e tests

* Drop obsolete TODO