Merge branch 'main' into oidc-extender

Dockerfile

@@ -28,7 +28,6 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /project_workspace/manager .
-COPY  converter_config.json .
 USER 65532:65532
 
 ENTRYPOINT ["/manager"]

api/v1/runtime_types.go

@@ -65,6 +65,7 @@ const (
 	ConditionTypeRuntimeProvisionedDryRun RuntimeConditionType = "ProvisionedDryRun"
 	ConditionTypeRuntimeKubeconfigReady   RuntimeConditionType = "KubeconfigReady"
 	ConditionTypeRuntimeConfigured        RuntimeConditionType = "Configured"
+	ConditionTypeAuditLogConfigured       RuntimeConditionType = "AuditlogConfigured"
 	ConditionTypeRuntimeDeprovisioned     RuntimeConditionType = "Deprovisioned"
 )
 
@@ -94,6 +95,10 @@ const (
 	ConditionReasonKubernetesAPIErr     = RuntimeConditionReason("KubernetesErr")
 	ConditionReasonSerializationError   = RuntimeConditionReason("SerializationErr")
 	ConditionReasonDeleted              = RuntimeConditionReason("Deleted")
+
+	ConditionReasonAdministratorsConfigured = RuntimeConditionReason("AdministratorsConfigured")
+	ConditionReasonAuditLogConfigured       = RuntimeConditionReason("AuditLogConfigured")
+	ConditionReasonAuditLogError            = RuntimeConditionReason("AuditLogErr")
 )
 
 //+kubebuilder:object:root=true
@@ -139,17 +144,17 @@ type RuntimeStatus struct {
 }
 
 type RuntimeShoot struct {
-	Name                string                `json:"name"`
-	Purpose             gardener.ShootPurpose `json:"purpose"`
-	PlatformRegion      string                `json:"platformRegion"`
-	Region              string                `json:"region"`
-	LicenceType         *string               `json:"licenceType,omitempty"`
-	SecretBindingName   string                `json:"secretBindingName"`
-	EnforceSeedLocation *bool                 `json:"enforceSeedLocation,omitempty"`
-	Kubernetes          Kubernetes            `json:"kubernetes,omitempty"`
-	Provider            Provider              `json:"provider"`
-	Networking          Networking            `json:"networking"`
-	ControlPlane        gardener.ControlPlane `json:"controlPlane"`
+	Name                string                 `json:"name"`
+	Purpose             gardener.ShootPurpose  `json:"purpose"`
+	PlatformRegion      string                 `json:"platformRegion"`
+	Region              string                 `json:"region"`
+	LicenceType         *string                `json:"licenceType,omitempty"`
+	SecretBindingName   string                 `json:"secretBindingName"`
+	EnforceSeedLocation *bool                  `json:"enforceSeedLocation,omitempty"`
+	Kubernetes          Kubernetes             `json:"kubernetes,omitempty"`
+	Provider            Provider               `json:"provider"`
+	Networking          Networking             `json:"networking"`
+	ControlPlane        *gardener.ControlPlane `json:"controlPlane,omitempty"`
 }
 
 type Kubernetes struct {

cmd/main.go

@@ -236,6 +236,5 @@ func initGardenerClients(kubeconfigPath string, namespace string) (client.Client
 	if err != nil {
 		return nil, nil, nil, errors.Wrap(err, "failed to register Gardener schema")
 	}
-
 	return gardenerClient, shootClient, dynamicKubeconfigAPI, nil
 }

config/crd/bases/infrastructuremanager.kyma-project.io_runtimes.yaml

@@ -997,7 +997,6 @@ spec:
                   secretBindingName:
                     type: string
                 required:
-                - controlPlane
                 - name
                 - networking
                 - platformRegion

config/manager/manager.yaml

@@ -79,6 +79,7 @@ spec:
           capabilities:
             drop:
               - "ALL"
+          readOnlyRootFilesystem: true
         ports:
           - containerPort: 8080
             name: metrics

config/prometheus/monitor.yaml

@@ -18,9 +18,6 @@ spec:
     - path: /metrics
       port: metrics
       scheme: http
-      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
-      tlsConfig:
-        insecureSkipVerify: true
   selector:
     matchLabels:
       app.kubernetes.io/name: metrics

docs/adr/assets/runtime-examples/aws-freemium.yaml

@@ -1,22 +1,23 @@
-apiVersion: infrastructuremanager.kyma-project.io/v1alpha1
+apiVersion: infrastructuremanager.kyma-project.io/v1
 kind: Runtime
 metadata:
   labels:
+    kyma-project.io/controlled-by-provisioner: "false"
     kyma-project.io/instance-id: instance-id
     kyma-project.io/runtime-id: runtime-id
     kyma-project.io/broker-plan-id: plan-id
     kyma-project.io/broker-plan-name: plan-name
     kyma-project.io/global-account-id: global-account-id
     kyma-project.io/subaccount-id: subAccount-id
-    kyma-project.io/shoot-name: shoot-name
+    kyma-project.io/shoot-name: aws-fremium
     kyma-project.io/region: region
     operator.kyma-project.io/kyma-name: kymaName
-  name: runtime-id
+  name: aws-fremium
   namespace: kcp-system
 spec:
   shoot:
     # spec.shoot.name is required
-    name: shoot-name
+    name: aws-fremium
     # spec.shoot.purpose is required
     purpose: evaluation
     # spec.shoot.region is required
@@ -42,17 +43,12 @@ spec:
       workers:
         - machine:
             # spec.shoot.workers.machine.type is required
-            type: m5.xlarge
+            type: m6i.xlarge
             # spec.shoot.workers.machine.image is optional, when not provider default will be used
             # Will be modified by the SRE
             image:
               name: gardenlinux
-              version: 1312.3.0
-          # spec.shoot.workers.volume is required for the first release
-          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
-          volume:
-            type: gp2
-            size: 50Gi
+              version: 1443.9.0
           # spec.shoot.worker.zones is required
           zones:
             - eu-central-1b
@@ -68,8 +64,14 @@ spec:
           # spec.shoot.workers.maxUnavailable is required in the first release.
           # It can be optional in the future, as it is always set to 0
           maxUnavailable: 0
+          # spec.shoot.workers.volume is required for the first release
+          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
+          volume:
+            type: gp2
+            size: 50Gi
     # spec.shoot.Networking is required
     networking:
+      type: calico
       pods: 100.64.0.0/12
       nodes: 10.250.0.0/16
       services: 100.104.0.0/13

docs/adr/assets/runtime-examples/aws-minimal.yaml

@@ -1,22 +1,23 @@
-apiVersion: infrastructuremanager.kyma-project.io/v1alpha1
+apiVersion: infrastructuremanager.kyma-project.io/v1
 kind: Runtime
 metadata:
   labels:
+    kyma-project.io/controlled-by-provisioner: "false"
     kyma-project.io/instance-id: instance-id
     kyma-project.io/runtime-id: runtime-id
     kyma-project.io/broker-plan-id: plan-id
     kyma-project.io/broker-plan-name: plan-name
     kyma-project.io/global-account-id: global-account-id
     kyma-project.io/subaccount-id: subAccount-id
-    kyma-project.io/shoot-name: shoot-name
+    kyma-project.io/shoot-name: aws-minimal
     kyma-project.io/region: region
     operator.kyma-project.io/kyma-name: kymaName
-  name: runtime-id
+  name: aws-minimal
   namespace: kcp-system
 spec:
   shoot:
     # spec.shoot.name is required
-    name: shoot-name
+    name: aws-minimal
     # spec.shoot.purpose is required
     purpose: production
     # spec.shoot.region is required
@@ -41,8 +42,12 @@ spec:
       # spec.shoot.provider.workers is required
       workers:
         - machine:
-          # spec.shoot.workers.machine.type is required
-          type: m6i.large
+            # spec.shoot.workers.machine.type is required
+            type: m6i.large
+            image:
+              name: gardenlinux
+              version: 1443.9.0
+          name: "worker-0"
           # spec.shoot.workers.zones is required
           zones:
             - eu-central-1a
@@ -58,8 +63,14 @@ spec:
           # spec.shoot.workers.maxUnavailable is required in the first release.
           # It can be optional in the future, as it is always set to 0
           maxUnavailable: 0
+          # spec.shoot.workers.volume is required for the first release
+          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
+          volume:
+            type: gp2
+            size: 50Gi
     # spec.shoot.Networking is required
     networking:
+      type: calico
       pods: 100.64.0.0/12
       nodes: 10.250.0.0/16
       services: 100.104.0.0/13
@@ -71,7 +82,7 @@ spec:
   security:
     networking:
       filter:
-        # spec.security.networking is required
+        # spec.security.networking.filter.egress.enabled is required
         egress:
           enabled: false
     # spec.security.administrators is required

docs/adr/assets/runtime-examples/aws-trial.yaml

@@ -1,22 +1,23 @@
-apiVersion: infrastructuremanager.kyma-project.io/v1alpha1
+apiVersion: infrastructuremanager.kyma-project.io/v1
 kind: Runtime
 metadata:
   labels:
+    kyma-project.io/controlled-by-provisioner: "false"
     kyma-project.io/instance-id: instance-id
     kyma-project.io/runtime-id: runtime-id
     kyma-project.io/broker-plan-id: plan-id
     kyma-project.io/broker-plan-name: plan-name
     kyma-project.io/global-account-id: global-account-id
     kyma-project.io/subaccount-id: subAccount-id
-    kyma-project.io/shoot-name: shoot-name
+    kyma-project.io/shoot-name: aws-trial
     kyma-project.io/region: region
     operator.kyma-project.io/kyma-name: kymaName
-  name: runtime-id
+  name: aws-trial
   namespace: kcp-system
 spec:
   shoot:
     # spec.shoot.name is required
-    name: shoot-name
+    name: aws-trial
     # spec.shoot.purpose is required
     purpose: evaluation
     # spec.shoot.licenceType is optional, default=nil
@@ -44,7 +45,11 @@ spec:
       workers:
         - machine:
             # spec.shoot.workers.machine.type is required
-            type: mx5.large
+            type: m6i.large
+            image:
+              name: gardenlinux
+              version: 1443.9.0
+          name: "worker-0"
           # spec.shoot.workers.zones is required
           zones:
             - eu-central-1b
@@ -58,8 +63,14 @@ spec:
           # spec.shoot.workers.maxUnavailable is required in the first release.
           # It can be optional in the future, as it is always set to 0
           maxUnavailable: 0
+          # spec.shoot.workers.volume is required for the first release
+          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
+          volume:
+            type: gp2
+            size: 50Gi
     # spec.shoot.Networking is required
     networking:
+      type: calico
       pods: 10.96.0.0/13
       nodes: 10.250.0.0/22
       services: 10.104.0.0/13

docs/adr/assets/runtime-examples/aws.yaml

@@ -1,32 +1,33 @@
-apiVersion: infrastructuremanager.kyma-project.io/v1alpha1
+apiVersion: infrastructuremanager.kyma-project.io/v1
 kind: Runtime
 metadata:
   labels:
+    kyma-project.io/controlled-by-provisioner: "false"
     kyma-project.io/instance-id: instance-id
     kyma-project.io/runtime-id: runtime-id
     kyma-project.io/broker-plan-id: plan-id
     kyma-project.io/broker-plan-name: plan-name
     kyma-project.io/global-account-id: global-account-id
     kyma-project.io/subaccount-id: subAccount-id
-    kyma-project.io/shoot-name: shoot-name
+    kyma-project.io/shoot-name: aws-full
     kyma-project.io/region: region
     operator.kyma-project.io/kyma-name: kymaName
-  name: runtime-id
+  name: aws-full
   namespace: kcp-system
 spec:
   shoot:
     # spec.shoot.name is required
-    name: shoot-name
+    name: aws-full
     # spec.shoot.purpose is required
     purpose: production
     # spec.shoot.region is required
     region: eu-central-1
     # spec.shoot.platformRegion is required
-    platformRegion: "cd-eu11"
+    platformRegion: "cf-eu11"
     # spec.shoot.secretBindingName is required
     secretBindingName: "hyperscaler secret"
     # spec.shoot.enforceSeedLocation is optional ; it allows to make sure the seed cluster will be located in the same region as the runtime
-    enforceSeedLocation: "true"
+    enforceSeedLocation: true
     kubernetes:
       # spec.shoot.kubernetes.version is optional, when not provided default will be used
       # Will be modified by the SRE
@@ -61,19 +62,13 @@ spec:
             # Will be modified by the SRE
             image:
               name: gardenlinux
-              version: 1312.3.0
-          # spec.shoot.workers.volume is required for the first release
-          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
-          volume:
-            type: gp2
-            size: 50Gi
+              version: 1443.9.0
+          name: "worker-0"
           # spec.shoot.workers.zones is required
           zones:
             - eu-central-1a
             - eu-central-1b
             - eu-central-1c
-          # spec.shoot.workers.name is optional, if not provided default will be used
-          name: cpu-worker-0
           # spec.shoot.workers.minimum is required
           minimum: 3
           # spec.shoot.workers.maximum is required
@@ -84,8 +79,14 @@ spec:
           # spec.shoot.workers.maxUnavailable is required in the first release.
           # It can be optional in the future, as it is always set to 0
           maxUnavailable: 0
+          # spec.shoot.workers.volume is required for the first release
+          # Probably can be moved into KIM, as it is hardcoded in KEB, and not dependent on plan
+          volume:
+            type: gp2
+            size: 50Gi
     # spec.shoot.Networking is required
     networking:
+      type: calico
       pods: 100.64.0.0/12
       nodes: 10.250.0.0/16
       services: 100.104.0.0/13