timebertt
Member

How to categorize this PR?

/area ipcei
/kind enhancement

What this PR does / why we need it:

In gardenadm bootstrap, we need to create a DNSRecord for pointing to the first control plane machine's internal address. This is needed during the bootstrap phase, where we don't need/have an externally accessible control plane address, but running gardenadm init on the control plane machine requires a resolvable control plane address.

This PR prepares for creating DNSRecords in gardenadm bootstrap.
To resolve local DNSRecords, the machine pods need to use the provider-local coredns for resolution instead of the cluster's default coredns.
This PR enables the provider-local coredns in gardenadm bootstrap as well as the dnsconfig webhook, which injects the coredns IP into machine pods.

Which issue(s) this PR fixes:
Part of #2906

Special notes for your reviewer:

/cc @rfranzke @ScheererJ
@maboehm

Release note:

NONE

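To illustrate the mutation described in the PR description and in the commit messages (point machine pods at the provider-local coredns, label them for the generated `NetworkPolicies`, and skip high-touch machine pods), here is an added example that is not Gardener's own webhook code. The label keys, the coredns ClusterIP and the minimal `Pod` shape are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Pod is a minimal stand-in for corev1.Pod, constructed for this example.
type Pod struct {
	Namespace string
	Labels    map[string]string
}

// PatchOp is one RFC 6902 JSON patch operation, the form a mutating webhook returns.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value any    `json:"value,omitempty"`
}

const (
	machinePodLabel   = "example.invalid/machine-pod"                         // hypothetical machine pod selector
	scenarioLabel     = "example.invalid/scenario"                            // hypothetical: "high-touch" or "medium-touch"
	allowCoreDNSLabel = "networking.example.invalid/to-provider-local-coredns" // hypothetical NetworkPolicy label
)

// DNSConfigPatch returns the JSON patch for a medium-touch machine pod, or nil when the pod
// must be left untouched: non-machine pods and high-touch machine pods (both scenarios may
// run on the same cluster, e.g. in CI, so the webhook must not mutate the wrong ones).
func DNSConfigPatch(pod Pod, corednsIP string) []PatchOp {
	if pod.Labels[machinePodLabel] != "true" || pod.Labels[scenarioLabel] == "high-touch" {
		return nil
	}
	return []PatchOp{
		// Replace the cluster's default resolver with the provider-local coredns.
		{Op: "add", Path: "/spec/dnsPolicy", Value: "None"},
		{Op: "add", Path: "/spec/dnsConfig", Value: map[string]any{
			"nameservers": []string{corednsIP},
			"searches":    []string{pod.Namespace + ".svc.cluster.local", "svc.cluster.local", "cluster.local"},
		}},
		// Label the pod so the NetworkPolicy generated in its namespace allows egress to coredns.
		// RFC 6901 JSON pointers escape "~" as "~0" and "/" as "~1" inside the label key.
		{Op: "add", Path: "/metadata/labels/" + escapePointer(allowCoreDNSLabel), Value: "allowed"},
	}
}

func escapePointer(s string) string {
	return strings.NewReplacer("~", "~0", "/", "~1").Replace(s)
}

func main() {
	pod := Pod{Namespace: "garden", Labels: map[string]string{machinePodLabel: "true", scenarioLabel: "medium-touch"}}
	b, _ := json.MarshalIndent(DNSConfigPatch(pod, "10.0.0.10"), "", "  ") // 10.0.0.10: constructed ClusterIP
	fmt.Println(string(b))
}
```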
@gardener-prow gardener-prow bot requested review from rfranzke and ScheererJ August 28, 2025 16:31
@gardener-prow gardener-prow bot added area/ipcei IPCEI (Important Project of Common European Interest) kind/enhancement Enhancement, improvement, extension size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2025
@gardener-prow gardener-prow bot added cla: no Indicates the PR's author has not signed the cla-assistant.io CLA. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. and removed cla: no Indicates the PR's author has not signed the cla-assistant.io CLA. labels Aug 28, 2025
Don't enable it within the autonomous shoot cluster itself (both scenarios)
Also, don't mutate high-touch machine pods when deploying both scenarios on the same cluster simultaneously (e.g., in CI).
Instead of explicitly creating `NetworkPolicies` in the `garden` and shoot namespaces, we enable the `NetworkPolicy` controllers
on the `gardener-extension-provider-local-coredns` namespace, and generate `NetworkPolicies` in the `garden` and shoot namespaces.
The `dnsconfig` webhook injects the corresponding labels along with the DNS configuration itself.
For enabling the `NetworkPolicy` controllers, we also need to explicitly allow the provider-local coredns to talk to the cluster's
coredns in `kube-system`.

We're doing this now, because the explicit `NetworkPolicy` `allow-to-provider-local-coredns` cannot be deployed to the `garden` namespace,
because it doesn't exist in `gardenadm bootstrap`.
@timebertt timebertt force-pushed the gardenadm-bootstrap-dnsconfig branch from b75d5ce to 7904470 Compare August 29, 2025 09:13
@rfranzke rfranzke changed the title [GEP-28] gardenadm bootstrap: enable provider-local DNS config [GEP-28] gardenadm bootstrap: enable provider-local DNS config Aug 29, 2025
@rfranzke
Member

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 29, 2025
Contributor

gardener-prow bot commented Aug 29, 2025

LGTM label has been added.

Git tree hash: 7ffdb04daf1d99f44b6d327d35cfad3a9655e280

@ScheererJ
Member

/assign

Member

@ScheererJ ScheererJ left a comment

Thanks for the next step in the medium-touch GEP-28 story.

Please check the tests. Apart from that, the change looks good.

/lgtm
/approve

Contributor

gardener-prow bot commented Sep 1, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ScheererJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 1, 2025
@gardener-prow gardener-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 1, 2025
@gardener-prow gardener-prow bot requested a review from ScheererJ September 1, 2025 13:56
@timebertt
Member Author

After a long debugging session on Friday, @hown3d and I discovered the reason for the broken e2e tests.
In short, machine pods don't have IPs within the kind pod network (see #9752), so kube-proxy SNATs it. After calico IPIP encapsulation, such traffic reaches the destination (local coredns) with the source node's IP on the tunl0 interface. With this, the usual NetworkPolicies don't work anymore. Hence, machine pods running on a different node than the local coredns can't resolve DNS names anymore.
I will try to come up with a proper fix for this (WIP branch). But for now, I added a workaround to this PR. Let's see if the tests succeed...

@ScheererJ
Member

@timebertt I did not completely get the problem, but do you want to fix it properly in this PR or a separate one? The mitigation seems to have worked as the tests passed.

@timebertt
Member Author

I want to fix it properly in a dedicated PR with a proper explanation 😄
The commit in this PR is just a temporary workaround to unblock this change.
Is that fine for you?

@ScheererJ
Member

/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Sep 2, 2025
Contributor

gardener-prow bot commented Sep 2, 2025

LGTM label has been added.

Git tree hash: 7f788705e12693614db0ae91a15350ea493a9dce

@gardener-prow gardener-prow bot merged commit 92b908a into gardener:master Sep 2, 2025
19 checks passed
@timebertt timebertt deleted the gardenadm-bootstrap-dnsconfig branch September 2, 2025 18:28