Merge branch 'master' into s3-backup-restore-sidecar

metal-stack · Jan 7, 2025 · 0113fa4 · 0113fa4
2 parents fb26bef + 05ea004
commit 0113fa4
Show file tree

Hide file tree

Showing 31 changed files with 272 additions and 179 deletions.
diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
diff --git a/control-plane/roles/gardener/defaults/main/extensions.yaml b/control-plane/roles/gardener/defaults/main/extensions.yaml
@@ -90,3 +90,5 @@ gardener_shoot_dns_service_image_vector_overwrite: []
   #   tag: "0.7.1"
 gardener_shoot_dns_service_dns_controller_manager_image_name:
 gardener_shoot_dns_service_dns_controller_manager_image_tag:
+
+gardener_shoot_dns_service_dns_provider_replication: false
diff --git a/control-plane/roles/gardener/defaults/main/virtual_garden.yaml b/control-plane/roles/gardener/defaults/main/virtual_garden.yaml
@@ -1,6 +1,7 @@
 ---
 gardener_virtual_api_server_svc_cluster_ip_add: 20
 gardener_virtual_api_server_public_dns: gardener-kube-apiserver.{{ metal_control_plane_ingress_dns }}
+gardener_virtual_api_server_public_port: 443
 gardener_virtual_api_server_healthcheck_static_token:
 
 gardener_etcd_backup_schedule: "0,5,10,15,20,25,30,35,40,45,50,55 * * * *"
@@ -15,6 +16,8 @@ gardener_etcd_resources:
     cpu: 800m
     memory: 8Gi
 
+gardener_virtual_api_replicas: 3
+
 gardener_virtual_api_oidc_issuer_url:
 gardener_virtual_api_oidc_client_id:
 gardener_virtual_api_oidc_username_claim:

diff --git a/control-plane/roles/gardener/files/kube-apiserver/templates/_helpers.tpl b/control-plane/roles/gardener/files/kube-apiserver/templates/_helpers.tpl
@@ -66,7 +66,7 @@ contexts:
 clusters:
 - cluster:
     certificate-authority-data: {{ .Values.tls.kubeAPIServer.ca.crt | b64enc }}
-    server: https://{{ .Values.apiServer.hostname }}:443
+    server: https://{{ .Values.apiServer.hostname }}:{{ .Values.apiServer.adminKubeconfigPort }}
   name: garden
 users:
 - name: admin

diff --git a/control-plane/roles/gardener/files/kube-apiserver/values.yaml b/control-plane/roles/gardener/files/kube-apiserver/values.yaml
@@ -22,6 +22,7 @@ replicas: 3
 apiServer:
   hostname: 127.0.0.1
   serviceName: garden-kube-apiserver
+  adminKubeconfigPort: 443
 
 oidc:
   issuerURL:

diff --git a/control-plane/roles/gardener/tasks/gardener.yaml b/control-plane/roles/gardener/tasks/gardener.yaml
@@ -68,5 +68,5 @@
   delay: 6
   until:
     - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='gardener-apiserver').get('status', {}).get('readyReplicas', 0) >= 1
-    - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='garden-kube-apiserver').get('status', {}).get('readyReplicas', 0) >= 3
+    - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='garden-kube-apiserver').get('status', {}).get('readyReplicas', 0) >= gardener_virtual_api_replicas
     - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='gardener-controller-manager').get('status', {}).get('readyReplicas', 0) >= 1
diff --git a/control-plane/roles/gardener/tasks/virtual_garden.yaml b/control-plane/roles/gardener/tasks/virtual_garden.yaml
@@ -46,5 +46,5 @@
 - name: Wait for garden-kube-apiserver
   wait_for:
     host: "{{ gardener_virtual_api_server_public_dns }}"
-    port: "443"
+    port: "{{ gardener_virtual_api_server_public_port }}"
     timeout: 60
diff --git a/control-plane/roles/gardener/templates/etcd-values.j2 b/control-plane/roles/gardener/templates/etcd-values.j2
@@ -14,7 +14,7 @@ backup:
   ecs:
     endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
     accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
-    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
+    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode }}"
 {% endif %}
 {% endif %}
 

diff --git a/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2 b/control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2
@@ -29,7 +29,7 @@ spec:
         - owner
 {% for member in gardener_soil_project_members %}
     - apiGroup: rbac.authorization.k8s.io
-      kind: User
+      kind: "{{ member.kind | default('User') }}"
       name: "{{ member.name }}"
       role: "{{ member.role }}"
 {% if member.roles is defined %}

diff --git a/control-plane/roles/gardener/templates/kube-apiserver-values.j2 b/control-plane/roles/gardener/templates/kube-apiserver-values.j2
@@ -3,9 +3,12 @@ images:
   apiserver: {{ gardener_virtual_api_server_image_name }}:{{ gardener_virtual_api_server_image_tag }}
   controllermanager: {{ gardener_virtual_controller_manager_image_name }}:{{ gardener_virtual_controller_manager_image_tag }}
 
+replicas: {{ gardener_virtual_api_replicas }}
+
 apiServer:
   hostname: {{ gardener_virtual_api_server_public_dns }}
   serviceName: garden-kube-apiserver
+  adminKubeconfigPort: {{ gardener_virtual_api_server_public_port }}
 
 oidc:
   issuerURL: {% if gardener_virtual_api_oidc_issuer_url %}{{ gardener_virtual_api_oidc_issuer_url }}{% endif %}

diff --git a/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml b/control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml
@@ -16,6 +16,9 @@ helm:
 {% endif %}
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: {{ gardener_shoot_dns_service_dns_provider_replication | lower }}
+
     dnsControllerManager:
       deploy: true
 {% if gardener_shoot_dns_service_dns_controller_manager_image_name or gardener_shoot_dns_service_dns_controller_manager_image_tag %}

diff --git a/control-plane/roles/gardener/test/dns_extension_template_test.py b/control-plane/roles/gardener/test/dns_extension_template_test.py
@@ -40,6 +40,7 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
                     "tag": "0.7.1",
                 },
             ],
+            "gardener_shoot_dns_service_dns_provider_replication": True,
             "gardener_shoot_dns_service_dns_controller_manager_image_name": "dns-controller-image",
             "gardener_shoot_dns_service_dns_controller_manager_image_tag": "dns-controller-tag",
         })
@@ -65,8 +66,12 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
           repository: europe-docker.pkg.dev/gardener-project/public/dns-controller-manager
           sourceRepository: github.com/gardener/external-dns-management
           tag: 0.7.1
+
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: true
+
     dnsControllerManager:
       deploy: true
       image:

diff --git a/partition/roles/dhcp/defaults/main.yaml b/partition/roles/dhcp/defaults/main.yaml
@@ -19,7 +19,7 @@ dhcp_global_options: []
 # examples:
 # - default-url = "http://{{ ansible_host }}/onie-installer"
 # - ztp_provisioning_script_url code 239 = text
-# - ztp_provisioning_script_url "http://{{ ansible_host }}/ztp.sh"
+# - ztp_provisioning_script_url "http://{{ ansible_host }}/user.sh"
 
 dhcp_global_deny_list: []
 # examples:

diff --git a/partition/roles/dhcp/tasks/main.yaml b/partition/roles/dhcp/tasks/main.yaml
@@ -17,11 +17,14 @@
   loop_control:
     label: "{{ item.network }}"
 
-- name: install isc-dhcp-server
-  apt:
-    name:
-    - isc-dhcp-server
-    update_cache : yes
+- name: ensure config directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+  loop:
+    - /etc/dhcp
+    - /etc/default
 
 - name: render dhcpd conf
   template:
@@ -42,11 +45,20 @@
   when: dhcp_static_hosts is defined
   register: _hosts_conf
 
+- name: install isc-dhcp-server
+  apt:
+    name:
+    - isc-dhcp-server
+    update_cache : yes
+
+# we want this task to be run at this point and not at the end of the playbook
+# this is why we don't use a handler here
 - name: restart isc-dhcp-server on config change
   service:
     name: "{{ dhcp_service_name }}"
     enabled: true
     state: restarted
+    daemon-reload: true
   when: _dhcpd_conf is changed or _isc_dhcp_server is changed or _hosts_conf is changed
 
 - name: ensure isc-dhcp-server is running

diff --git a/partition/roles/sonic/README.md b/partition/roles/sonic/README.md
@@ -18,6 +18,7 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu
 | sonic_ip_masquerade                                        |           | Enable ip masquerading on eth0.                                                                                      |
 | sonic_breakouts                                            |           | The breakout configuration for ports, e.g. `dict('Ethernet0'='4x25G')`                                               |
 | sonic_config_action                                        |           | Either `load` or `reload`. In the latter case all services will be restarted. If not given, defaults to `load`       |
+| sonic_render_config_db_template                            |           | When `true` the `metal.yaml.j2` template will be rendered into `/etc/sonic/config_db.json`                           |
 | sonic_ports                                                |           | Configuration for ports (mtu, fec, have highest precedence). These ports will be up by default.                      |
 | sonic_ports.name                                           |           | The port name.                                                                                                       |
 | sonic_ports.speed                                          |           | Speed of the port.                                                                                                   |

diff --git a/partition/roles/sonic/defaults/main.yaml b/partition/roles/sonic/defaults/main.yaml
@@ -5,6 +5,7 @@ sonic_nameservers: []
 sonic_ip_masquerade: false
 sonic_timezone: Europe/Berlin
 sonic_config_action: load
+sonic_render_config_db_template: true
 
 ## Physical settings
 sonic_ports: []

diff --git a/partition/roles/sonic/tasks/config_db.yaml b/partition/roles/sonic/tasks/config_db.yaml
@@ -0,0 +1,79 @@
+---
+- name: Check mandatory variables on non-empty sonic_ports are set
+  assert:
+    fail_msg: "default port configuration is necessary on non-empty sonic_ports"
+    quiet: yes
+    that:
+      - sonic_ports_default_speed
+      - sonic_ports_default_mtu
+  when: sonic_ports
+
+- name: Check mandatory variables on non-empty sonic_portchannels are set
+  assert:
+    fail_msg: "default configuration is necessary on non-empty sonic_portchannels"
+    quiet: yes
+    that:
+      - sonic_portchannels_default_mtu
+  when: sonic_portchannels
+
+- name: Populate sonic_ports_dict
+  set_fact:
+    sonic_ports_dict: "{{ sonic_ports_dict|default({}) | combine( {item.name: item} ) }}"
+  loop: "{{ sonic_ports }}"
+
+# Dependencies are returned by config.
+- name: Configure breakouts
+  command: "config interface breakout --yes {{ item.key }} '{{ item.value }}'"
+  register: breakout_result
+  changed_when: "'Breakout process got successfully completed.' in breakout_result.stdout"
+  failed_when: "breakout_result.rc != 0 or 'Dependecies Exist. No further action will be taken' in breakout_result.stdout"
+  with_dict: "{{ sonic_breakouts }}"
+  when: sonic_breakouts is defined
+
+- name: Delete deprecated metal.yaml
+  ansible.builtin.file:
+    path: "/etc/sonic/metal.yaml"
+    state: absent
+
+- name: Get running configuration
+  ansible.builtin.command: show runningconfiguration all
+  register: sonic_running_cfg_result
+  changed_when: false
+
+- name: Parse running configuration
+  ansible.builtin.set_fact:
+    sonic_running_cfg: "{{ sonic_running_cfg_result.stdout | from_json }}"
+
+- name: Extract running configuration for breakouts and ports
+  ansible.builtin.set_fact:
+    sonic_running_cfg_breakouts: "{{ sonic_running_cfg | community.general.json_query('BREAKOUT_CFG') }}"
+    sonic_running_cfg_hwsku: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.hwsku') }}"
+    sonic_running_cfg_mac: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.mac') }}"
+    sonic_running_cfg_platform: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.platform') }}"
+    sonic_running_cfg_ports: "{{ sonic_running_cfg | community.general.json_query('PORT')  }}"
+
+- name: Fail if running configuration doesn't contain required information
+  ansible.builtin.assert:
+    that:
+      - sonic_running_cfg_hwsku
+      - sonic_running_cfg_mac
+      - sonic_running_cfg_platform
+      - sonic_running_cfg_ports
+    fail_msg: The running configuration is incomplete because it does not contain 'PORT' or complete 'DEVICE_METADATA'.
+
+- name: Fail if running configuration doesn't contain breakout configuration
+  ansible.builtin.assert:
+    that:
+      - sonic_running_cfg_breakouts
+    fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'.
+  when: sonic_breakouts is defined
+
+- name: Render config_db
+  set_fact:
+    config_db: "{{ lookup('template', 'metal.yaml.j2') }}"
+
+- name: Save config_db as JSON file
+  copy:
+    content: "{{ config_db | from_yaml | to_nice_json }}"
+    dest: /etc/sonic/config_db.json
+  notify: "config {{ sonic_config_action }}"
diff --git a/partition/roles/sonic/tasks/main.yaml b/partition/roles/sonic/tasks/main.yaml
@@ -15,28 +15,6 @@
       - sonic_nameservers is defined
       - metal_stack_switch_os_is_sonic
 
-- name: Check mandatory variables on non-empty sonic_ports are set
-  assert:
-    fail_msg: "default port configuration is necessary on non-empty sonic_ports"
-    quiet: yes
-    that:
-      - sonic_ports_default_speed
-      - sonic_ports_default_mtu
-  when: sonic_ports
-
-- name: Check mandatory variables on non-empty sonic_portchannels are set
-  assert:
-    fail_msg: "default configuration is necessary on non-empty sonic_portchannels"
-    quiet: yes
-    that:
-      - sonic_portchannels_default_mtu
-  when: sonic_portchannels
-
-- name: Populate sonic_ports_dict
-  set_fact:
-    sonic_ports_dict: "{{ sonic_ports_dict|default({}) | combine( {item.name: item} ) }}"
-  loop: "{{ sonic_ports }}"
-
 - name: render resolv.conf
   template:
     src: resolv.conf.j2
@@ -58,62 +36,9 @@
     value: "1"
   when: sonic_ip_masquerade
 
-# Dependencies are returned by config.
-- name: Configure breakouts
-  command: "config interface breakout --yes {{ item.key }} '{{ item.value }}'"
-  register: breakout_result
-  changed_when: "'Breakout process got successfully completed.' in breakout_result.stdout"
-  failed_when: "breakout_result.rc != 0 or 'Dependecies Exist. No further action will be taken' in breakout_result.stdout"
-  with_dict: "{{ sonic_breakouts }}"
-  when: sonic_breakouts is defined
-
-- name: Delete deprecated metal.yaml
-  ansible.builtin.file:
-    path: "/etc/sonic/metal.yaml"
-    state: absent
-
-- name: Get running configuration
-  ansible.builtin.command: show runningconfiguration all
-  register: sonic_running_cfg_result
-  changed_when: false
-
-- name: Parse running configuration
-  ansible.builtin.set_fact:
-    sonic_running_cfg: "{{ sonic_running_cfg_result.stdout | from_json }}"
-
-- name: Extract running configuration for breakouts and ports
-  ansible.builtin.set_fact:
-    sonic_running_cfg_breakouts: "{{ sonic_running_cfg | community.general.json_query('BREAKOUT_CFG') }}"
-    sonic_running_cfg_hwsku: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.hwsku') }}"
-    sonic_running_cfg_mac: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.mac') }}"
-    sonic_running_cfg_platform: "{{ sonic_running_cfg | community.general.json_query('DEVICE_METADATA.localhost.platform') }}"
-    sonic_running_cfg_ports: "{{ sonic_running_cfg | community.general.json_query('PORT')  }}"
-
-- name: Fail if running configuration doesn't contain required information
-  ansible.builtin.assert:
-    that:
-      - sonic_running_cfg_hwsku
-      - sonic_running_cfg_mac
-      - sonic_running_cfg_platform
-      - sonic_running_cfg_ports
-    fail_msg: The running configuration is incomplete because it does not contain 'PORT' or complete 'DEVICE_METADATA'.
-
-- name: Fail if running configuration doesn't contain breakout configuration
-  ansible.builtin.assert:
-    that:
-      - sonic_running_cfg_breakouts
-    fail_msg: The running configuration is incomplete because it does not contain 'BREAKOUT_CFG'.
-  when: sonic_breakouts is defined
-
-- name: Render config_db
-  set_fact:
-    config_db: "{{ lookup('template', 'metal.yaml.j2') }}"
-
-- name: Save config_db as JSON file
-  copy:
-    content: "{{ config_db | from_yaml | to_nice_json }}"
-    dest: /etc/sonic/config_db.json
-  notify: "config {{ sonic_config_action }}"
+- name: Render and save config_db
+  import_tasks: config_db.yaml
+  when: sonic_render_config_db_template
 
 - name: Set NTP timezone
   timezone:

diff --git a/partition/roles/sonic/templates/frr.conf.j2 b/partition/roles/sonic/templates/frr.conf.j2
@@ -4,6 +4,7 @@ hostname {{ inventory_hostname }}
 !
 service integrated-vtysh-config
 !
+agentx
 log syslog {{ sonic_frr_syslog_level }}
 {% if sonic_frr_debug_options is defined %}
 {% for option in sonic_frr_debug_options %}

diff --git a/partition/roles/sonic/test/data/exit/frr.conf b/partition/roles/sonic/test/data/exit/frr.conf
@@ -3,6 +3,7 @@ hostname exit01
 !
 service integrated-vtysh-config
 !
+agentx
 log syslog informational
 !
 vrf VrfMpls
@@ -105,4 +106,4 @@ route-map LOOPBACKS permit 10
 ip route 0.0.0.0/0 10.1.2.1
 !
 line vty
-!
+!
diff --git a/partition/roles/sonic/test/data/l2_leaf/frr.conf b/partition/roles/sonic/test/data/l2_leaf/frr.conf
@@ -3,6 +3,7 @@ hostname l2leaf01
 !
 service integrated-vtysh-config
 !
+agentx
 log syslog informational
 !
 vrf Vrf46
@@ -62,4 +63,4 @@ route-map LOOPBACKS permit 10
   match interface Loopback0
 !
 line vty
-!
+!