diff --git a/charts/internal/shoot-control-plane/templates/audittailer.yaml b/charts/internal/shoot-control-plane/templates/audittailer.yaml index 997919c20..54d3469a9 100644 --- a/charts/internal/shoot-control-plane/templates/audittailer.yaml +++ b/charts/internal/shoot-control-plane/templates/audittailer.yaml @@ -7,6 +7,30 @@ metadata: k8s-app: audittailer name: audit --- +apiVersion: v1 +kind: Secret +metadata: + name: audittailer-server + namespace: audit +type: Opaque +data: + ca.crt: {{ .Values.audittailer.server.ca }} + tls.crt: {{ .Values.audittailer.server.cert }} + tls.key: {{ .Values.audittailer.server.key }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: audittailer-client + namespace: audit + labels: + name: audittailer-client +type: Opaque +data: + ca.crt: {{ .Values.audittailer.client.ca }} + tls.crt: {{ .Values.audittailer.client.cert }} + tls.key: {{ .Values.audittailer.client.key }} +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -23,6 +47,10 @@ spec: labels: k8s-app: audittailer app: audittailer +{{- if .Values.audittailer.podAnnotations }} + annotations: +{{ toYaml .Values.audittailer.podAnnotations | indent 8 }} +{{- end }} spec: automountServiceAccountToken: false containers: @@ -68,7 +96,7 @@ spec: name: audittailer-config - name: fluentd-certs secret: - secretName: {{ .Values.audittailer.secretName }} + secretName: audittailer-server - name: fluentbuffer emptyDir: {} --- diff --git a/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml b/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml index 7c537dbb4..768b5aae4 100644 --- a/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml +++ b/charts/internal/shoot-control-plane/templates/firewall/droptailer.yaml 
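Review bot: The two new Secret manifests render `ca.crt`, `tls.crt` and `tls.key` unconditionally from values that default to `""` in values.yaml, while the Go side only sets `.Values.audittailer` when both secrets are present, so in the missing-secret case the chart still ships an `audittailer-server` Secret with empty entries that the `fluentd-certs` volume then mounts. Guard each Secret with `{{- if .Values.audittailer.server.cert }}` (the client one with `.Values.audittailer.client.cert`), or make the render fail loudly, e.g. `tls.key: {{ required "audittailer server key missing" .Values.audittailer.server.key }}`. The values arrive as `[]byte` from `corev1.Secret.Data`, so a correctly base64-encoded `data:` field depends on the renderer marshalling the values before templating; a one-line template comment stating that would stop the next reader from adding a `b64enc`. The same applies to the droptailer-server and droptailer-client Secrets in firewall/droptailer.yaml. Since each secret carries a certificate/key pair, `type: kubernetes.io/tls` would additionally have the API server reject a Secret missing `tls.crt` or `tls.key`.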
@@ -11,6 +11,28 @@ spec: policyTypes: - Egress --- +apiVersion: v1 +kind: Secret +metadata: + name: droptailer-server + namespace: firewall +type: Opaque +data: + ca.crt: {{ .Values.droptailer.server.ca }} + tls.crt: {{ .Values.droptailer.server.cert }} + tls.key: {{ .Values.droptailer.server.key }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: droptailer-client + namespace: firewall +type: Opaque +data: + ca.crt: {{ .Values.droptailer.client.ca }} + tls.crt: {{ .Values.droptailer.client.cert }} + tls.key: {{ .Values.droptailer.client.key }} +--- apiVersion: apps/v1 kind: Deployment metadata: @@ -28,6 +50,10 @@ spec: k8s-app: droptailer app: droptailer networking.gardener.cloud/from-prometheus: allowed +{{- if .Values.droptailer.podAnnotations }} + annotations: +{{ toYaml .Values.droptailer.podAnnotations | indent 8 }} +{{- end }} spec: containers: - image: {{ index .Values.images "droptailer" }} @@ -67,4 +93,4 @@ spec: volumes: - name: droptailer-server secret: - secretName: {{ .Values.droptailer.secretName }} + secretName: droptailer-server diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml index c0257fa80..c9b2f7ffa 100644 --- a/charts/internal/shoot-control-plane/values.yaml +++ b/charts/internal/shoot-control-plane/values.yaml @@ -44,7 +44,23 @@ restrictEgress: port: 443 droptailer: - secretName: 'droptailer-server' + podAnnotations: {} + server: + ca: "" + cert: "" + key: "" + client: + ca: "" + cert: "" + key: "" audittailer: - secretName: 'audittailer-server' + podAnnotations: {} + server: + ca: "" + cert: "" + key: "" + client: + ca: "" + cert: "" + key: "" diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml index 673375564..f8fa87513 100644 --- a/example/controller-registration.yaml +++ b/example/controller-registration.yaml 
@@ -5,10 +5,10 @@ metadata: name: provider-metal type: helm providerConfig: - chart: H4sIAAAAAAAAA+0ca2/cNjKf9SuITQu0h6724fUDC+RwruMmvktsw/alOBwOAVeid1VrRZWUbG/T/PcbviRKK61WduokrQYBsiI5wyE5MxwOh55j5pOIsD65T0jEAxr1Y0ZvAx+KliTB4eDZo2EIsL+7K/8HKP8vf492JqPx7nhvT5SP9naGk2do9/FdN0PKE8wQesYoTTa1a6r/SmHeuP5HC8wSd4WX4UP7EAu8N5nUrv94Ulr/8XA83n2Ghp9yoHXwF19/HAfvCBPrPkW3IwfHcf45dMdD98DxCfdYECey8BC9JuESeUIo0DVlKFkQ9EoLEXorJAadawFCmUw5EV6SKWoUNue23Pnnnp8/OzTrv089d04f00eT/u/u7Jfs//5k2On/k8BgMKfTuZAAnBDEF6jvoZ7rDuDfLYl8ygbzIFmkM9ejy4ERlvzHAns3A4Pe92iUMBqGIDuMzAOeQClIlAtki0KFXPTNdx5OkOrp3fHF5cnZ6ff6k9zjZRySQR05sRehI1V5HuKITBXRk+iaYWiVeknKTOHPlN0Qpj56jjMYoHPgGc+JtmEkwrOQcFSYhjSOqbZvujCI5tLUeZQx4iUo5w0VeHNim/qXb76a9T8hsBgwK/zBnmBr/2883BmOO//vKaDN+r9fkDCGDdpN4la+YIP9H43He6X1H+91/t/TwIcPfeST6yAiqCectB7qf/zoNDtqAg/2B9nasYmEeEZC7oIj6d6QlSInP9IZYREBOXIDOhBdFWjUkLjFYap5+vABBZEXpn7GqYs04gZG1nHLDAoqU1TTQvcve1ofRRCB8EQekejuBQkJ5sQ9BeYqOctYC5awQyjOEBI1wTVaYH7OoP4e9fgCj3f3ptDtO9E9dCXauwmeowwjZkGUXKPet/wf3/JyS0ZiyoOEstUmEjBGUkVw+mCCMFhr3OUF8Ukc0tWSRIn28jPh4AM4etjT9bm14q8Dbew/+DzXwXyJ475c/FvwgyjrU1jNOxYkpDZG0OT/T/Z2SvZ/XxR19v8JQFufgla/kwt7ZtZV2b5CmOAmiPypcMFBHt7i2BGS4uMET8ESqKN+tbWuFhyNxMF1rjClslgZGWWYpxXmXJD/HQpBlhM0Ea0NO7JH/r4opVP0uyCycdRFcpZR+9xL9knhQfrfMhrYoP+7o/3dkv7vjCajTv+fAj6VYmey8Ycqs+olU2EE0O/35f/2QKTgukaO3Uy0uasJGKl3vZCmPngfOIwXeCQJZVOgz/dqMlJ1vndK9lLT88IAeIWWERgRaKZGCPyWyqeyFJj1PBKLcmAsuVrFhMupYuTXNGDER70G+u46ARTwDL/XxF8VvmZZTrIpbcmVhdmOHRsx4+PXuO2sAEa7fgVC1t8sZTxp2aPEadenQiluKdVStcTeAjznE7mDGT4LhVJ7EvofERDbiFy7mVX3fA1DucNheALLwiIcqpNJzkRd/QZ+akm2ZI3MGeH8JeFJEEmVzJhar9nATgWZWkYk8cTzjfZy8BNgVs2nUHPM+akxj+WeANPVKG7WMhc7QMdgFYNk1YytG1oyi72bNM454d6C+GlYz4hCcE07mw2fhAm+jHDMFzQ5JyygfhOZCpTc9MHOSthh6geJ4U/FWiup2s1d3c6QwqLwil7GYRrdbEGr0N4mVi1Rtc1VRwviXdEbEjX3ZFrmuEKg7psRZbNCj6+pNkVNHYqGBcxzyrbDFA1zzCTkx9vOaN620PPR4U+BkLyCa13Xu2qc69zBusqV1MxPGeW5pG9Yf6MuEqN5/Wubm65izJJA2AjlCmywKkVSJbx8sKNxhYWRh5DzNAzPaRh4lcag1KR+SFnDS+IxIhTKoz7xX1Lvxjg0/7w8O13rWjXPVawSayNnzR3+WU9SXye0Of/lAbx2B8DN57/RcDTZL5//dna
789+TgH1sMpFYdQJ6ma321qfAP+Tsx2PiiY4ZuQ0En68DYWVXb4IlOBZoKGtiMIeYFwyTLjyiaaS3OQ68iBDPVPvRibd4sx0fe4qA0QRNwJoU6aVEEU2M32m2ji3Da5knCDvjDU+XVqhVKmF13KywDN/JAD76xr3SXLo/wsSf42SBeltFbnvfyyGrywfgweartFXVsLoxNPAAZrdiC2YXA2dmhmG6WOCZbfzSYyDg0bywmzMKjRYklVc4XLSAmewlLCW9rNFzcWuB0zBBmqAYfkwF00FkXf73GYhXsCQ11GPpjPUOhgfDXv1kbqkNB5ljpDVCLgOwguGcxzKh6zepqHZNhSAAb+UwqH3X8/HjdK1a3fj0inRq3BaFERcclkx+6HIJC5erSh8NKjYjJf6LVUyY1bK4Rdl5J0AT+rTb9rUA9q/B4XwxgOPLoHpqtOANrCBTmYzoJRYZJ9DPvSjwUsZgbfqMiA/ogL8oOkear+y3xHZzzMtV5HF7XkRPCwKe44zgpJ+Z0xcbrGkVItAmd/1AHLZvYYa44M+vZS7DcyXeiUa7VFjlXoJCnk37qSjiN01GMI8o9EJjokJw/dzQ1nYgUc4MxmGGUKZ9J5OD2o9A4TVxfkdmC0pvjPy1XMsSNocVAVaFRbG50q2O9PlDNiqe7BQ1P+DCIFqqUhicrs6jniIc8gvYO9T7oVdHS/ddRehnXbWBCshcmCz6M7Bufez7IhzzwjY3qr5qLJmZ0PfIdv9ZZFfX2bgkurXNjTKTb44PXx5fvD9+c3x0dXJ2+v708O3x5fnh0XHWEiGZBfATWPapVSiiYCT0L8h1sVSXi81smjkJbrb4D3UNDL8nbw9fHb8DZs8u3p+9O774+eLkao3XKRrI/DPr3mtQeRG2aYcPg1uYSc7PGZ0Re4yLJIlf5cdEBbEc70Ct2m/FqnJIonppBYi4lBjl66urc6siiOAcjcOXJMQrbZSmaDTMWjCC/aA1rwJr9SSs7jp2B3xdCo2yKwW2yGX7+1pcZxvNl/5IQj0aTtHV0Xk5WgA6R1PmkYLlygqr4hw5xu8oMtGMYUU0Q8AtDdMleSs88IohK7tmsboUDZXaNO/Sj1WjuovoKmbWVMlqJ2ToLArB7xEOZL06ifUJPHLoeYLwabOH9hzh62shTKtpViLExz8Eh/OwogpldxAvU/Cu55cqxAu/TuR2qIuP74mX2ndRz/W8SI/zsnBGMpVyQsR56fg+FnbaPuPkLfrohqxqM6myXKs1PITU3g69opOoolqatIoORZdb5G0V0RIa05DOV/8SvPaK+VwLyhO5EBpHCfCaZ12SQM/cltpGZuvLUgP6vPGW+oA3GRvb1kq8txPu9vw2KcsG3rtI35cNbeJ/YHzAvWOpfAo0S/052S4Q2Pj+Yy3+tzveH3fxv6cAbV/mCfpOBDeqomffo1E5BSyWx/nB7WgGImIChufUf5mJx49SPL6MyCEc7/4d4VschOJoIsnzdNY44EdHDL8G+9dG/9kMew95CNqg/5Pd/fL7j/Fo2OV/PgmI9Clbs+Ua4zRZUBb8pp403RxI5yjPDlNX9Rc0JG30u43msjQUbldfZHW9YjSNpQ/WR1YmVzGFyymcW0RTnVDA1YcVfKsoGYAMJKmqKAanKsvs5ioSVPidV4OrNNPsCGMoveyAqx93wprIX3H2K41hLsn6sLOhNY5ahT/9rLTIRO9vvXXiHqXM10kweq3X6UpbXKLmwdlHuoFro3pkH6Zcmn5VVwr4QlPxIc2zyMqTM7xuybKwZvVa1E13ryf/E9dh8scsW6Ba7VAI/jKQh6PCi0C7QRxYEmxVwAlECA8cz2pnJ9seeelzAEdBHAa/GSkERx3O2/Inl5fxmcCrM4dupa8z1Fd+s2sQ5Wm18IHV0ZXb2gUaRNYKREQPRqLK8xZrVb/QmfoBfmX+YwCHMyXKaSKfXeo4h2enYarmcMgL/IY2HrBFl2Yu5VOUIK/V8y7dmWArbdFpdS7
HsVTByrUSmM2kQI4o93C4adWBRgJuSQgzY5qrdS4Rf65yXvvC5QmuAw/VWVDdLMHeTWWHJk2vsKp3gdCstlNlSLnt+sy+jOSagqKQNvVuUnGaOpepOlvQ87fYc6ANcMcCLfH5Z5st4TGbHvQoLi+Yz0ufrRh4lEvwo1LxP8wzgC50yN1M0wYOnSyd2/JZGviBo8EvsK1I5VHIl4XY3ac5yXxuv89AG/9fbwStjwCN5//heP39b+f/PwlUvv/QAv9lnN4T+Q5BK/DJeeFYvl3eTnbn0tf3O5PJjjzRFy9HZHQYM7CKre5aPvcKPg4eoP/aEdzeDDTp/3gyKun/ZAz/dfr/BLBJ/82G91nNwOeeoD85NOu/un17zB+Aa9D/nfFuWf+Hk/1O/58EVBqgPEmYtL8pmi88Jvx76+xUlZtX+pMgYvecT5HcK4SXHFtJgYfhHV5xx7HD7FM0cvLzC/rw0XHybIspOhgejBzHylfSD0CzsJ2KypdysFSuRTFgt6FhFiFSbaqy36ZoR1xoquDepj7rks6m6BrDadZx1pOspui//3NKKVOyDA70VVe94nGNuMgO9Ou/59alb4xTrvK7ZL6Ioy681fRe2Iub/z2v/Pbb/jkL6WywxMLdGszSIPQHkvRAPeYQWZSOyTewqCqJmVM6D8n7PCtV4fbx0t+baDQpJb0dd9jTBdkf/Ru5o5F7/3WParQ2qt7fX4iRjVWF67qOU/Anp45KDzE5PsI7dZ4/h7JExLa4/DNkOg35B0TcuYu4yWueraAZ8ft52jFgOrqxIAx0VCp0lshscGWlYx5SmUxpncfieBlr1W+Yq14w41gqt2g0+IXTyOhK/pq4soV85zsaqqwB/Qh3JHWu+NZV6EXlK09VUfsmVeNlDzhL78ryx5umwDzHVAwVXlhm7ysdk/mw/mbSqXr8mD1XU7ag8lHjWhvr8aH8Us8JTYV8I2g+pOioI0z+ks9U6pd5TmnshRd1FZ2vv3wTRroi5fvk+hRGD+tCZHik8jlZ3WMyJ/tjU0oPDNtmc9Gv+Ts/sIMOOuiggw466KCDDjrooIMOOuiggw466KCDDjrooIMOOuiggw7q4f89CbhWAHgAAA== + chart: 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 values: image: - tag: v0.20.8 + tag: v0.20.15 --- apiVersion: core.gardener.cloud/v1beta1 kind: ControllerRegistration diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index 09fb01e15..527c262df 100644 --- a/pkg/controller/controlplane/valuesprovider.go +++ b/pkg/controller/controlplane/valuesprovider.go @@ -76,6 +76,8 @@ import ( const ( caNameControlPlane = "ca-" + metal.Name + "-controlplane" + droptailerCAName = "ca-" + metal.Name + "-droptailer" + auditTailerCAName = "ca-" + metal.Name + "-audittailer" ) func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfigWithOptions { 
@@ -110,6 +112,68 @@ func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfig // config in phase Completing Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(caNameControlPlane, secretsmanager.UseCurrentCA)}, }, + // droptailer + { + Config: &secrets.CertificateSecretConfig{ + Name: droptailerCAName, + CommonName: droptailerCAName, + CertType: secrets.CACert, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.Persist()}, + }, + { + Config: &secrets.CertificateSecretConfig{ + Name: metal.DroptailerClientSecretName, + CommonName: "droptailer", + DNSNames: []string{"droptailer"}, + Organization: []string{"droptailer-client"}, + CertType: secrets.ClientCert, + SkipPublishingCACertificate: false, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)}, + }, + { + Config: &secrets.CertificateSecretConfig{ + Name: metal.DroptailerServerSecretName, + CommonName: "droptailer", + DNSNames: []string{"droptailer"}, + Organization: []string{"droptailer-server"}, + CertType: secrets.ServerCert, + SkipPublishingCACertificate: false, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)}, + }, + // audit tailer + { + Config: &secrets.CertificateSecretConfig{ + Name: auditTailerCAName, + CommonName: auditTailerCAName, + CertType: secrets.CACert, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.Persist()}, + }, + { + Config: &secrets.CertificateSecretConfig{ + Name: metal.AudittailerClientSecretName, + CommonName: "audittailer", + DNSNames: []string{"audittailer"}, + Organization: []string{"audittailer-client"}, + CertType: secrets.ClientCert, + SkipPublishingCACertificate: false, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, + }, + { + Config: &secrets.CertificateSecretConfig{ + Name: 
metal.AudittailerServerSecretName, + CommonName: "audittailer", + DNSNames: []string{"audittailer"}, + Organization: []string{"audittailer-server"}, + CertType: secrets.ServerCert, + SkipPublishingCACertificate: false, + }, + Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, + }, } } @@ -579,17 +643,7 @@ func (vp *valuesProvider) GetControlPlaneShootChartValues(ctx context.Context, c return nil, err } - if !extensionscontroller.IsHibernated(cluster) { - if err := vp.deploySecretsToShoot(ctx, cluster, metal.AudittailerNamespace, vp.audittailerSecretConfigs); err != nil { - vp.logger.Error(err, "error deploying audittailer certs") - } - - if err := vp.deploySecretsToShoot(ctx, cluster, metal.DroptailerNamespace, vp.droptailerSecretConfigs); err != nil { - vp.logger.Error(err, "error deploying droptailer certs") - } - } - - values, err := vp.getControlPlaneShootChartValues(ctx, metalControlPlane, cpConfig, cluster, nws, infrastructure, infrastructureConfig, mclient) + values, err := vp.getControlPlaneShootChartValues(ctx, metalControlPlane, cpConfig, cluster, nws, infrastructure, infrastructureConfig, mclient, secretsReader, checksums) if err != nil { vp.logger.Error(err, "Error getting shoot control plane chart values") return nil, err 
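Review bot: The audit tailer CA and its server/client certificates are now generated unconditionally, whereas the `audittailerSecretConfigs` method this replaces (removed further down in this diff) returned nil when `vp.controllerConfig.ClusterAudit.Enabled` was false; `secretConfigsFunc` has no access to the controller config, so the gating was dropped rather than moved. If cluster audit stays opt-in, thread a flag through (e.g. `secretConfigsFunc(namespace string, clusterAuditEnabled bool)`) and append the three `// audit tailer` entries only when it is set, otherwise add a comment above them stating that generating the audit CA for every shoot is intended. `SkipPublishingCACertificate: false` on all four leaf certificates spells out the zero value and can be dropped. The enclosing function starts before this hunk.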
@@ -599,7 +653,7 @@ func (vp *valuesProvider) GetControlPlaneShootChartValues(ctx context.Context, c } // getControlPlaneShootChartValues returns the values for the shoot control plane chart. -func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, metalControlPlane *apismetal.MetalControlPlane, cpConfig *apismetal.ControlPlaneConfig, cluster *extensionscontroller.Cluster, nws networkMap, infrastructure *extensionsv1alpha1.Infrastructure, infrastructureConfig *apismetal.InfrastructureConfig, mclient metalgo.Client) (map[string]interface{}, error) { +func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, metalControlPlane *apismetal.MetalControlPlane, cpConfig *apismetal.ControlPlaneConfig, cluster *extensionscontroller.Cluster, nws networkMap, infrastructure *extensionsv1alpha1.Infrastructure, infrastructureConfig *apismetal.InfrastructureConfig, mclient metalgo.Client, secretsReader secretsmanager.Reader, checksums map[string]string) (map[string]interface{}, error) { namespace := cluster.ObjectMeta.Name nodeCIDR, err := helper.GetNodeCIDR(infrastructure, cluster) @@ -676,17 +730,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, m }) } - droptailerServerSecretName := metal.DroptailerClientSecretName - droptailerServerSecret, err := vp.getSecretFromShoot(ctx, cluster, metal.DroptailerNamespace, metal.DroptailerServerSecretName) - if err == nil { - droptailerServerSecretName = droptailerServerSecret.Name - } - audittailerServerSecretName := metal.AudittailerClientSecretName - audittailerServerSecret, err := vp.getSecretFromShoot(ctx, cluster, metal.AudittailerNamespace, metal.AudittailerServerSecretName) - if err == nil { - audittailerServerSecretName = audittailerServerSecret.Name - } - values := map[string]any{ "imagePullPolicy": helper.ImagePullPolicyFromString(vp.controllerConfig.ImagePullPolicy), "pspDisabled": gardencorev1beta1helper.IsPSPDisabled(cluster.Shoot), 
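Review bot: getControlPlaneShootChartValues now takes ten parameters, with `secretsReader` and `checksums` appended after `mclient`, and the doc comment above the signature does not say which secrets the reader must provide or how `checksums` is keyed (by secret name, judging from the lookups further down in this diff). Extend it with something like `// secretsReader must provide the droptailer/audittailer server and client secrets from secretConfigsFunc; checksums is keyed by secret name and feeds the pod checksum annotations.` A small struct for the per-reconcile inputs would keep the signature readable if more are added. The function body continues past this hunk.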
@@ -701,12 +744,48 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, m "apiServerIngressDomain": "api." + *cluster.Shoot.Spec.DNS.Domain, "destinations": egressDestinations, }, - "droptailer": map[string]any{ - "secretName": droptailerServerSecretName, - }, - "audittailer": map[string]any{ - "secretName": audittailerServerSecretName, - }, + } + + droptailerServer, serverOK := secretsReader.Get(metal.DroptailerServerSecretName) + droptailerClient, clientOK := secretsReader.Get(metal.DroptailerClientSecretName) + if serverOK && clientOK { + values["droptailer"] = map[string]any{ + "podAnnotations": map[string]interface{}{ + "checksum/secret-droptailer-server": checksums[metal.DroptailerServerSecretName], + "checksum/secret-droptailer-client": checksums[metal.DroptailerClientSecretName], + }, + "server": map[string]any{ + "ca": droptailerServer.Data["ca.crt"], + "cert": droptailerServer.Data["tls.crt"], + "key": droptailerServer.Data["tls.key"], + }, + "client": map[string]any{ + "ca": droptailerClient.Data["ca.crt"], + "cert": droptailerClient.Data["tls.crt"], + "key": droptailerClient.Data["tls.key"], + }, + } + } + + audittailerServer, serverOK := secretsReader.Get(metal.AudittailerServerSecretName) + audittailerClient, clientOK := secretsReader.Get(metal.AudittailerClientSecretName) + if serverOK && clientOK { + values["audittailer"] = map[string]any{ + "podAnnotations": map[string]interface{}{ + "checksum/secret-audittailer-server": checksums[metal.AudittailerServerSecretName], + "checksum/secret-audittailer-client": checksums[metal.AudittailerClientSecretName], + }, + "server": map[string]any{ + "ca": audittailerServer.Data["ca.crt"], + "cert": audittailerServer.Data["tls.crt"], + "key": audittailerServer.Data["tls.key"], + }, + "client": map[string]any{ + "ca": audittailerClient.Data["ca.crt"], + "cert": audittailerClient.Data["tls.crt"], + "key": audittailerClient.Data["tls.key"], + }, + } } if 
vp.controllerConfig.Storage.Duros.Enabled { 
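Review bot: When either secret is missing from `secretsReader` the block silently leaves `values["droptailer"]` or `values["audittailer"]` unset, yet the chart's Secret templates render those keys unconditionally with the `""` defaults from values.yaml, so the failure shows up as a pod that cannot load its certificates rather than as a reconcile error here; both secrets are produced by `secretConfigsFunc` in the same reconcile, so an absent one is worth a returned error. The two blocks differ only in names, and each `checksum/secret-*` annotation becomes `""` whenever `checksums` lacks the key, which would stop pods from rolling on rotation — worth confirming the caller populates checksums for these secret names. The `Data` fields are `[]byte` written straight into Secret `data:`, which relies on the renderer base64-encoding bytes when it marshals the values; a comment at the assignment would make that dependency explicit. The block also mixes `map[string]interface{}` and `map[string]any`. A helper as sketched below removes the duplication and makes the missing-secret case explicit.

```go
	// … unchanged: values map construction …

	droptailer, ok := tailerValues(secretsReader, checksums, "droptailer", metal.DroptailerServerSecretName, metal.DroptailerClientSecretName)
	if !ok {
		return nil, fmt.Errorf("droptailer certificate secrets %q/%q not found in secrets manager", metal.DroptailerServerSecretName, metal.DroptailerClientSecretName)
	}
	values["droptailer"] = droptailer

	audittailer, ok := tailerValues(secretsReader, checksums, "audittailer", metal.AudittailerServerSecretName, metal.AudittailerClientSecretName)
	if !ok {
		return nil, fmt.Errorf("audittailer certificate secrets %q/%q not found in secrets manager", metal.AudittailerServerSecretName, metal.AudittailerClientSecretName)
	}
	values["audittailer"] = audittailer

	// … unchanged: duros values and the rest of the function …

// file-scope helper, placed outside getControlPlaneShootChartValues:

// tailerValues assembles the chart values for one tailer component
// (droptailer, audittailer) from its server and client certificate secrets.
// The returned map carries the raw Secret.Data bytes; the chart renderer is
// expected to base64-encode them when marshalling values (TODO confirm).
// ok is false when either secret is not available from the secrets manager.
func tailerValues(secretsReader secretsmanager.Reader, checksums map[string]string, name, serverSecretName, clientSecretName string) (map[string]any, bool) {
	serverSecret, ok := secretsReader.Get(serverSecretName)
	if !ok {
		return nil, false
	}
	clientSecret, ok := secretsReader.Get(clientSecretName)
	if !ok {
		return nil, false
	}
	certValues := func(s *corev1.Secret) map[string]any {
		return map[string]any{
			"ca":   s.Data["ca.crt"],
			"cert": s.Data["tls.crt"],
			"key":  s.Data["tls.key"],
		}
	}
	return map[string]any{
		"podAnnotations": map[string]any{
			// keyed by secret name; an absent checksum yields "" and pods will not roll on rotation
			"checksum/secret-" + name + "-server": checksums[serverSecretName],
			"checksum/secret-" + name + "-client": checksums[clientSecretName],
		},
		"server": certValues(serverSecret),
		"client": certValues(clientSecret),
	}, true
}
```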
@@ -853,132 +932,6 @@ func (vp *valuesProvider) signFirewallValues(ctx context.Context, namespace stri return nil } -func (vp *valuesProvider) audittailerSecretConfigs() []extensionssecretsmanager.SecretConfigWithOptions { - if !vp.controllerConfig.ClusterAudit.Enabled { - return nil - } - - const auditTailerCAName = "ca-provider-metal-audittailer" - return []extensionssecretsmanager.SecretConfigWithOptions{ - { - Config: &secrets.CertificateSecretConfig{ - Name: auditTailerCAName, - CommonName: auditTailerCAName, - CertType: secrets.CACert, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.Persist()}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.AudittailerClientSecretName, - CommonName: "audittailer", - DNSNames: []string{"audittailer"}, - Organization: []string{"audittailer-client"}, - CertType: secrets.ClientCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.AudittailerServerSecretName, - CommonName: "audittailer", - DNSNames: []string{"audittailer"}, - Organization: []string{"audittailer-server"}, - CertType: secrets.ServerCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)}, - }, - } -} - -func (vp *valuesProvider) droptailerSecretConfigs() []extensionssecretsmanager.SecretConfigWithOptions { - - const droptailerCAName = "ca-provider-metal-droptailer" - return []extensionssecretsmanager.SecretConfigWithOptions{ - { - Config: &secrets.CertificateSecretConfig{ - Name: droptailerCAName, - CommonName: droptailerCAName, - CertType: secrets.CACert, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.Persist()}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.DroptailerClientSecretName, - CommonName: 
"droptailer", - DNSNames: []string{"droptailer"}, - Organization: []string{"droptailer-client"}, - CertType: secrets.ClientCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)}, - }, - { - Config: &secrets.CertificateSecretConfig{ - Name: metal.DroptailerServerSecretName, - CommonName: "droptailer", - DNSNames: []string{"droptailer"}, - Organization: []string{"droptailer-server"}, - CertType: secrets.ServerCert, - SkipPublishingCACertificate: false, - }, - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)}, - }, - } -} - -func (vp *valuesProvider) deploySecretsToShoot(ctx context.Context, cluster *extensionscontroller.Cluster, namespace string, secretConfigsFn func() []extensionssecretsmanager.SecretConfigWithOptions) error { - shootConfig, _, err := util.NewClientForShoot(ctx, vp.Client(), cluster.ObjectMeta.Name, client.Options{}, extensionsconfig.RESTOptions{}) - if err != nil { - return fmt.Errorf("could not create shoot client %w", err) - } - - c, err := client.New(shootConfig, client.Options{}) - if err != nil { - return fmt.Errorf("could not create shoot kubernetes client %w", err) - } - - ns := &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: namespace, - }, - } - _, err = controllerutil.CreateOrUpdate(ctx, c, ns, func() error { - return nil - }) - if err != nil { - return fmt.Errorf("could not ensure namespace: %w", err) - } - - manager, err := secretsmanager.New(ctx, vp.logger.WithName("shoot-secrets-manager"), secrets.Clock, c, namespace, metal.ManagerIdentity, secretsmanager.Config{ - CASecretAutoRotation: false, - }) - if err != nil { - return fmt.Errorf("unable to create secrets manager: %w", err) - } - - _, err = extensionssecretsmanager.GenerateAllSecrets(ctx, manager, secretConfigsFn()) - - return err -} - -func (vp *valuesProvider) getSecretFromShoot(ctx 
context.Context, cluster *extensionscontroller.Cluster, namespace string, name string) (*corev1.Secret, error) { - shootConfig, _, err := util.NewClientForShoot(ctx, vp.Client(), cluster.ObjectMeta.Name, client.Options{}, extensionsconfig.RESTOptions{}) - if err != nil { - return nil, fmt.Errorf("could not create shoot client %w", err) - } - - c, err := client.New(shootConfig, client.Options{}) - if err != nil { - return nil, fmt.Errorf("could not create shoot kubernetes client %w", err) - } - - return helper.GetLatestSecret(ctx, c, namespace, name) -} - // getSecret returns the secret with the given namespace/secretName func (vp *valuesProvider) getSecret(ctx context.Context, namespace string, secretName string) (*corev1.Secret, error) { key := kutil.Key(namespace, secretName)