Replace Ingress resources for kube apiserver with direct Istio exposure
#9300
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… a prerequisite for the seed kube-apiserver ingress switch
…sources using kubernetes.default.svc.cluster.local
…lowed to communicate with runtime API server
|
/assign |
|
/lgtm Thank you! |
|
LGTM label has been added. Git tree hash: 7ec5ae211a3aaab910fa62aa9f710ae834c5a074
|
kube apiserver with direct istio exposureIngress resources for kube apiserver with direct Istio exposure
…lity zones. Due to initialization order the istio ingress gateway responsible for a shoot cluster cannot be determined when the ingress component is created. This change resolves this problem by delaying the evaluation of the expression to a point in time when the information is available. In other words a function is passed instead of the a function return value.
|
/lgtm |
|
LGTM label has been added. Git tree hash: 3d3b250b6c0b6a00ffa233d22309773cb73ee8bf
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rfranzke The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
rfranzke
added a commit
to rfranzke/gardener
that referenced
this pull request
May 31, 2024
(from gardener#9300, released with `v1.91.0`)
Merged
rfranzke
added a commit
to rfranzke/gardener
that referenced
this pull request
May 31, 2024
(from gardener#9300, released with `v1.91.0`)
gardener-prow bot
pushed a commit
that referenced
this pull request
Jun 4, 2024
* Remove deprecated fields from `OperatingSystemConfig` (from #9477, released with `v1.92.0`) * Remove cleanup of old `kube-apiserver` `Ingress` resource (from #9300, released with `v1.91.0`) * Remove Istio zone migration code (from #9304 and #9457, released with `v1.91.0` and `v1.92.0`) * Increase removal period of `<name>.ca-cluster` `Secret` To give users more time to adapt * Remove PVC migration for `garden` Prometheus (from #9543, released with `v1.93.0`) * Remove PVC migration for `longterm` Prometheus (from #9606, released with `v1.94.0`) * Drop migration code in `skaffold.yaml` for `core.gardener.cloud/v1` API (from #9771, released with `v1.96.0`) * Remove migration code for e2e upgrade tests after `provider-local` VPN fix (from #9752, released with `v1.96.0`) * Remove cleanup of old `vali` `VerticalPodAutoscaler`s (from #9681, released with `v1.94.0`) * Remove cleanuop code after making `Secret`s of `ManagedResource`s immutable (from #8116, released with `v1.77.0`) * Remove cleanup code of resources of legacy `cloud-config-downloader` (from #8847, released with `v1.85.0`) * Revert "Remove Istio zone migration code" This reverts commit 8850346. * Increase removal period of Istio zone migration code
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to categorize this PR?
/area networking
/kind enhancement
What this PR does / why we need it:
Replace ingress resources for
kube-apiserverwith direct istio exposure.The terminal feature of the gardener dashboard requires kubernetes API servers to be reachable via an ingress domain due to cross-site restrictions in web browsers. In the past, this was handled via an ingress resource, exposed via nginx ingress controller. However, this led to
kube-apiserverbeing exposed via multiple different endpoints, i.e. istio and nginx.Now, that ingress resources are anyway (indirectly) exposed via istio, it makes a lot of sense to simply get rid of the additional hop for
kube-apiserveras its exposure is very similar to the existing one (for shoot clusters).The seed cluster API server was also exposed via ingress resource. However, this setup was more sophisticated as it used a service resource with
externalNamepointing tokubernetes.default.svc.cluster.local. Now, istio points directly tokubernetes.default.svc.cluster.localinstead of using an additional service.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: