diff --git a/charts/gardener-extension-provider-metal/templates/configmap.yaml b/charts/gardener-extension-provider-metal/templates/configmap.yaml
index a30ae7972..d4d491909 100644
--- a/charts/gardener-extension-provider-metal/templates/configmap.yaml
+++ b/charts/gardener-extension-provider-metal/templates/configmap.yaml
@@ -37,19 +37,6 @@ data:
backup:
schedule: {{ .Values.config.etcd.backup.schedule }}
deltaSnapshotPeriod: {{ .Values.config.etcd.backup.deltaSnapshotPeriod }}
- clusterAudit:
- enabled: {{ .Values.config.clusterAudit.enabled }}
- auditToSplunk:
- enabled: {{ .Values.config.auditToSplunk.enabled }}
-{{- if .Values.config.auditToSplunk.enabled }}
- hecToken: {{ .Values.config.auditToSplunk.hecToken }}
- index: {{ .Values.config.auditToSplunk.index }}
- hecHost: {{ .Values.config.auditToSplunk.hecHost }}
- hecPort: {{ .Values.config.auditToSplunk.hecPort }}
- tlsEnabled: {{ .Values.config.auditToSplunk.tlsEnabled }}
- hecCAFile: |
-{{ .Values.config.auditToSplunk.hecCAFile | indent 8}}
-{{- end }}
storage:
duros:
enabled: {{ .Values.config.storage.duros.enabled }}
diff --git a/charts/gardener-extension-provider-metal/values.yaml b/charts/gardener-extension-provider-metal/values.yaml
index eca54b708..0d07b4e1a 100644
--- a/charts/gardener-extension-provider-metal/values.yaml
+++ b/charts/gardener-extension-provider-metal/values.yaml
@@ -64,16 +64,6 @@ config:
backup:
schedule:
deltaSnapshotPeriod:
- clusterAudit:
- enabled: false
- auditToSplunk:
- enabled: false
- hecToken:
- index:
- hecHost:
- hecPort:
- tlsEnabled:
- hecCAFile:
storage:
duros:
enabled: false
diff --git a/charts/images.yaml b/charts/images.yaml
index f13bf4608..11a665ab1 100644
--- a/charts/images.yaml
+++ b/charts/images.yaml
@@ -11,14 +11,6 @@ images:
sourceRepository: https://github.com/metal-stack/machine-controller-manager-provider-metal
repository: ghcr.io/metal-stack/machine-controller-manager-provider-metal
tag: "v0.1.17"
-- name: auditforwarder
- sourceRepository: https://github.com/metal-stack/audit-forwarder
- repository: ghcr.io/metal-stack/audit-forwarder
- tag: "v0.2.5"
-- name: audittailer
- sourceRepository: https://github.com/fluent/fluentd
- repository: fluent/fluentd
- tag: "v1.12"
- name: droptailer
sourceRepository: github.com/metal-stack/droptailer
repository: ghcr.io/metal-stack/droptailer
diff --git a/charts/internal/cloud-provider-config/Chart.yaml b/charts/internal/cloud-provider-config/Chart.yaml
deleted file mode 100644
index 72db75452..000000000
--- a/charts/internal/cloud-provider-config/Chart.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-description: Helm chart for kubernetes cloud-provider-config
-name: cloud-provider-config
-version: 0.1.0
diff --git a/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml b/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml
deleted file mode 100644
index 2a31449ee..000000000
--- a/charts/internal/cloud-provider-config/templates/audit-policy-config.yaml
+++ /dev/null
@@ -1,186 +0,0 @@
-{{- if .Values.clusterAudit.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: audit-policy-override
- namespace: {{ .Release.Namespace }}
-data:
- audit-policy.yaml: |
- ---
- apiVersion: audit.k8s.io/v1
- kind: Policy
- rules:
- # The following requests were manually identified as high-volume and low-risk,
- # so drop them.
- - level: None
- resources:
- - group: ""
- resources:
- - endpoints
- - services
- - services/status
- users:
- - 'system:kube-proxy'
- verbs:
- - watch
- - level: None
- resources:
- - group: ""
- resources:
- - nodes
- - nodes/status
- userGroups:
- - 'system:nodes'
- verbs:
- - get
- - level: None
- namespaces:
- - kube-system
- resources:
- - group: ""
- resources:
- - endpoints
- users:
- - 'system:kube-controller-manager'
- - 'system:kube-scheduler'
- - 'system:serviceaccount:kube-system:endpoint-controller'
- verbs:
- - get
- - update
- - level: None
- resources:
- - group: ""
- resources:
- - namespaces
- - namespaces/status
- - namespaces/finalize
- users:
- - 'system:apiserver'
- verbs:
- - get
- # Don't log HPA fetching metrics.
- - level: None
- resources:
- - group: metrics.k8s.io
- users:
- - 'system:kube-controller-manager'
- verbs:
- - get
- - list
- # Don't log these read-only URLs.
- - level: None
- nonResourceURLs:
- - '/healthz*'
- - /version
- - '/swagger*'
- # Don't log events requests.
- - level: None
- resources:
- - group: ""
- resources:
- - events
- # node and pod status calls from nodes are high-volume and can be large, don't log responses for expected updates from nodes
- - level: Request
- omitStages:
- - RequestReceived
- resources:
- - group: ""
- resources:
- - nodes/status
- - pods/status
- users:
- - kubelet
- - 'system:node-problem-detector'
- - 'system:serviceaccount:kube-system:node-problem-detector'
- verbs:
- - update
- - patch
- - level: Request
- omitStages:
- - RequestReceived
- resources:
- - group: ""
- resources:
- - nodes/status
- - pods/status
- userGroups:
- - 'system:nodes'
- verbs:
- - update
- - patch
- # deletecollection calls can be large, don't log responses for expected namespace deletions
- - level: Request
- omitStages:
- - RequestReceived
- users:
- - 'system:serviceaccount:kube-system:namespace-controller'
- verbs:
- - deletecollection
- # Secrets, ConfigMaps, and TokenReviews can contain sensitive & binary data,
- # so only log at the Metadata level.
- - level: Metadata
- omitStages:
- - RequestReceived
- resources:
- - group: ""
- resources:
- - secrets
- - configmaps
- - group: authentication.k8s.io
- resources:
- - tokenreviews
- # Get repsonses can be large; skip them.
- - level: Request
- omitStages:
- - RequestReceived
- resources:
- - group: ""
- - group: admissionregistration.k8s.io
- - group: apiextensions.k8s.io
- - group: apiregistration.k8s.io
- - group: apps
- - group: authentication.k8s.io
- - group: authorization.k8s.io
- - group: autoscaling
- - group: batch
- - group: certificates.k8s.io
- - group: extensions
- - group: metrics.k8s.io
- - group: networking.k8s.io
- - group: policy
- - group: rbac.authorization.k8s.io
- - group: scheduling.k8s.io
- - group: settings.k8s.io
- - group: storage.k8s.io
- verbs:
- - get
- - list
- - watch
- # Default level for known APIs
- - level: RequestResponse
- omitStages:
- - RequestReceived
- resources:
- - group: ""
- - group: admissionregistration.k8s.io
- - group: apiextensions.k8s.io
- - group: apiregistration.k8s.io
- - group: apps
- - group: authentication.k8s.io
- - group: authorization.k8s.io
- - group: autoscaling
- - group: batch
- - group: certificates.k8s.io
- - group: extensions
- - group: metrics.k8s.io
- - group: networking.k8s.io
- - group: policy
- - group: rbac.authorization.k8s.io
- - group: scheduling.k8s.io
- - group: settings.k8s.io
- - group: storage.k8s.io
- # Default level for all other requests.
- - level: Metadata
- omitStages:
- - RequestReceived
-{{- end }}
diff --git a/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml b/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml
deleted file mode 100644
index 3c9d1c4a7..000000000
--- a/charts/internal/cloud-provider-config/templates/audit-to-splunk.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if .Values.auditToSplunk.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: audit-to-splunk-secret
- namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
- splunk_hec_token: {{ .Values.auditToSplunk.hecToken | b64enc }}
-{{- if .Values.auditToSplunk.hecCAFile }}
- splunk-ca.pem: {{ .Values.auditToSplunk.hecCAFile | b64enc }}
-{{- end }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: audit-to-splunk-config
- namespace: {{ .Release.Namespace }}
-data:
- splunk.conf: |
- [FILTER]
- Name rewrite_tag
- Match audit
- Rule $kind Event tosplunk true
-
- [OUTPUT]
- Name splunk
- Match tosplunk
- Host {{ .Values.auditToSplunk.hecHost }}
- Port {{ .Values.auditToSplunk.hecPort }}
- Splunk_Token ${SPLUNK_HEC_TOKEN}
-{{- if .Values.auditToSplunk.tlsEnabled }}
- TLS On
- TLS.Verify On
-{{- end }}
-{{- if .Values.auditToSplunk.hecCAFile }}
- TLS.CA_File /fluent-bit/etc/splunkca/splunk-ca.pem
-{{- end }}
- Retry_Limit False
- Splunk_Send_Raw Off
- Event_Source ${MY_POD_NAME}
- Event_Sourcetype kube:apiserver:auditlog
- Event_Index {{ .Values.auditToSplunk.index }}
- Event_Host {{ .Values.auditToSplunk.clusterName }}
-{{- end }}
diff --git a/charts/internal/cloud-provider-config/values.yaml b/charts/internal/cloud-provider-config/values.yaml
deleted file mode 100644
index 006d31970..000000000
--- a/charts/internal/cloud-provider-config/values.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-clusterAudit:
- enabled: false
-auditToSplunk:
- enabled: false
- hecToken: dummy-token
- index: splunk-logging-index
- hecHost: splunk.example.org
- hecPort: 8123
- tlsEnabled: false
- hecCAFile: base64-encoded ca cert for the splunk hec endpoint
- clusterName: cluster-name
diff --git a/charts/internal/shoot-control-plane/templates/audittailer.yaml b/charts/internal/shoot-control-plane/templates/audittailer.yaml
deleted file mode 100644
index 54d3469a9..000000000
--- a/charts/internal/shoot-control-plane/templates/audittailer.yaml
+++ /dev/null
@@ -1,177 +0,0 @@
-{{- if .Values.clusterAudit.enabled }}
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- k8s-app: audittailer
- name: audit
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: audittailer-server
- namespace: audit
-type: Opaque
-data:
- ca.crt: {{ .Values.audittailer.server.ca }}
- tls.crt: {{ .Values.audittailer.server.cert }}
- tls.key: {{ .Values.audittailer.server.key }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: audittailer-client
- namespace: audit
- labels:
- name: audittailer-client
-type: Opaque
-data:
- ca.crt: {{ .Values.audittailer.client.ca }}
- tls.crt: {{ .Values.audittailer.client.cert }}
- tls.key: {{ .Values.audittailer.client.key }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: audittailer
- namespace: audit
- labels:
- k8s-app: audittailer
-spec:
- selector:
- matchLabels:
- k8s-app: audittailer
- template:
- metadata:
- labels:
- k8s-app: audittailer
- app: audittailer
-{{- if .Values.audittailer.podAnnotations }}
- annotations:
-{{ toYaml .Values.audittailer.podAnnotations | indent 8 }}
-{{- end }}
- spec:
- automountServiceAccountToken: false
- containers:
- - image: {{ index .Values.images "audittailer" }}
- imagePullPolicy: {{ .Values.imagePullPolicy }}
- name: audittailer
- env:
- # This is supposed to limit fluentd memory usage. See https://docs.fluentd.org/deployment/performance-tuning-single-process#reduce-memory-usage.
- - name: RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR
- value: "1.2"
- ports:
- - containerPort: 24224
- protocol: TCP
- volumeMounts:
- - name: fluentd-config
- mountPath: /fluentd/etc
- - name: fluentd-certs
- mountPath: /fluentd/etc/ssl
- - name: fluentbuffer
- mountPath: /fluentbuffer
- resources:
- requests:
- cpu: 100m
- memory: 200Mi
- limits:
- cpu: 150m
- memory: 512Mi
- securityContext:
- runAsUser: 65534
- allowPrivilegeEscalation: false
- runAsNonRoot: true
-{{- if semverCompare ">= 1.19" .Capabilities.KubeVersion.GitVersion }}
- seccompProfile:
- type: RuntimeDefault
-{{- end }}
- capabilities:
- drop:
- - ALL
- restartPolicy: Always
- volumes:
- - name: fluentd-config
- configMap:
- name: audittailer-config
- - name: fluentd-certs
- secret:
- secretName: audittailer-server
- - name: fluentbuffer
- emptyDir: {}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: audittailer-config
- namespace: audit
- labels:
- app.kubernetes.io/name: audittailer
-data:
- fluent.conf: |
-
-
- @type stdout
-
- @type file
- path /fluentbuffer/auditlog-*
- chunk_limit_size 256Mb
-
-
- @type json
-
-
----
-apiVersion: v1
-kind: Service
-metadata:
- name: audittailer
- namespace: audit
- labels:
- app: audittailer
-spec:
- selector:
- app: audittailer
- ports:
- - port: 24224
- targetPort: 24224
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: audittailer
- namespace: audit
-rules:
-- apiGroups:
- - ""
- resources:
- - services
- - secrets
- verbs:
- - get
- - list
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: audittailer
- namespace: audit
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: audittailer
-subjects:
-- kind: ServiceAccount
- name: audittailer-client
- namespace: kube-system
-{{- end }}
diff --git a/charts/internal/shoot-control-plane/values.yaml b/charts/internal/shoot-control-plane/values.yaml
index e006201d3..50b003537 100644
--- a/charts/internal/shoot-control-plane/values.yaml
+++ b/charts/internal/shoot-control-plane/values.yaml
@@ -5,11 +5,9 @@ nodeCIDR:
pspDisabled: false
images:
- audittailer: image-repository:image-tag
droptailer: image-repository:image-tag
metallb-speaker: image-repository:image-tag
metallb-controller: image-repository:image-tag
- fluentd-splunk-audit: image-repository:image-tag
node-init: image-repository:image-tag
metallb-health-sidecar: image-repository:image-tag
@@ -19,9 +17,6 @@ duros:
enabled: false
endpoints: []
-clusterAudit:
- enabled: false
-
nodeInit:
enabled: true
@@ -54,14 +49,3 @@ droptailer:
ca: ""
cert: ""
key: ""
-
-audittailer:
- podAnnotations: {}
- server:
- ca: ""
- cert: ""
- key: ""
- client:
- ca: ""
- cert: ""
- key: ""
diff --git a/example/controller-registration.yaml b/example/controller-registration.yaml
index 4e6334ff5..ed6d9a55f 100644
--- a/example/controller-registration.yaml
+++ b/example/controller-registration.yaml
@@ -5,10 +5,10 @@ metadata:
name: provider-metal
type: helm
providerConfig:
- chart: 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
+ chart: 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
values:
image:
- tag: v0.22.11
+ tag: v0.22.12
---
apiVersion: core.gardener.cloud/v1beta1
kind: ControllerRegistration
diff --git a/pkg/apis/config/types.go b/pkg/apis/config/types.go
index df7ec5265..8ab5fbeb2 100644
--- a/pkg/apis/config/types.go
+++ b/pkg/apis/config/types.go
@@ -30,12 +30,6 @@ type ControllerConfiguration struct {
// ETCD is the etcd configuration.
ETCD ETCD
- // ClusterAudit is the configuration for cluster auditing.
- ClusterAudit ClusterAudit
-
- // AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk.
- AuditToSplunk AuditToSplunk
-
// HealthCheckConfig is the config for the health check controller
HealthCheckConfig *healthcheckconfig.HealthCheckConfig
@@ -91,26 +85,7 @@ type ETCDBackup struct {
DeltaSnapshotPeriod *string
}
-// ClusterAudit is the configuration for cluster auditing.
-type ClusterAudit struct {
- // Enabled enables collecting of the kube-apiserver auditlog.
- Enabled bool
-}
-
-// AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk.
-type AuditToSplunk struct {
- // Enabled enables forwarding of the kube-apiserver auditlog to splunk.
- Enabled bool
- // This defines the default splunk endpoint unless otherwise specified by the cluster user
- HECToken string
- Index string
- HECHost string
- HECPort int
- TLSEnabled bool
- HECCAFile string
-}
-
-// StorageConfiguration contains the configuration for provider specific storage solutions.
+// StorageConfiguration contains the configuration for provider specfic storage solutions.
type StorageConfiguration struct {
// Duros contains the configuration for duros cloud storage
Duros DurosConfiguration
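Review bot: The rewritten doc comment on StorageConfiguration introduces a typo, turning `provider specific` into `provider specfic`, while the removed line had it spelled correctly. The same regression appears in the matching hunk of pkg/apis/config/v1alpha1/types.go. Restore `// StorageConfiguration contains the configuration for provider specific storage solutions.` in both files so the generated API reference does not carry the misspelling.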
diff --git a/pkg/apis/config/v1alpha1/types.go b/pkg/apis/config/v1alpha1/types.go
index 116e5d271..324e410b8 100644
--- a/pkg/apis/config/v1alpha1/types.go
+++ b/pkg/apis/config/v1alpha1/types.go
@@ -31,12 +31,6 @@ type ControllerConfiguration struct {
// ETCD is the etcd configuration.
ETCD ETCD `json:"etcd"`
- // ClusterAudit is the configuration for cluster auditing.
- ClusterAudit ClusterAudit `json:"clusterAudit"`
-
- // AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk.
- AuditToSplunk AuditToSplunk `json:"auditToSplunk"`
-
// HealthCheckConfig is the config for the health check controller
// +optional
HealthCheckConfig *healthcheckconfigv1alpha1.HealthCheckConfig `json:"healthCheckConfig,omitempty"`
@@ -97,26 +91,7 @@ type ETCDBackup struct {
DeltaSnapshotPeriod *string `json:"deltaSnapshotPeriod,omitempty"`
}
-// ClusterAudit is the configuration for cluster auditing.
-type ClusterAudit struct {
- // Enabled enables collecting of the kube-apiserver audit log.
- Enabled bool `json:"enabled"`
-}
-
-// AuditToSplunk is the configuration for forwarding audit (and firewall) logs to Splunk.
-type AuditToSplunk struct {
- // Enabled enables forwarding of the kube-apiserver auditlogto splunk.
- Enabled bool `json:"enabled"`
- // This defines the default splunk endpoint unless otherwise specified by the cluster user
- HECToken string `json:"hecToken"`
- Index string `json:"index"`
- HECHost string `json:"hecHost"`
- HECPort int `json:"hecPort"`
- TLSEnabled bool `json:"tlsEnabled"`
- HECCAFile string `json:"hecCAFile"`
-}
-
-// StorageConfiguration contains the configuration for provider specific storage solutions.
+// StorageConfiguration contains the configuration for provider specfic storage solutions.
type StorageConfiguration struct {
// Duros contains the configuration for duros cloud storage
Duros DurosConfiguration `json:"duros"`
diff --git a/pkg/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/apis/config/v1alpha1/zz_generated.conversion.go
index c9e2c6fbd..3785c1d57 100644
--- a/pkg/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/config/v1alpha1/zz_generated.conversion.go
@@ -29,26 +29,6 @@ func init() {
// RegisterConversions adds conversion functions to the given scheme.
// Public to allow building arbitrary schemes.
func RegisterConversions(s *runtime.Scheme) error {
- if err := s.AddGeneratedConversionFunc((*AuditToSplunk)(nil), (*config.AuditToSplunk)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(a.(*AuditToSplunk), b.(*config.AuditToSplunk), scope)
- }); err != nil {
- return err
- }
- if err := s.AddGeneratedConversionFunc((*config.AuditToSplunk)(nil), (*AuditToSplunk)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(a.(*config.AuditToSplunk), b.(*AuditToSplunk), scope)
- }); err != nil {
- return err
- }
- if err := s.AddGeneratedConversionFunc((*ClusterAudit)(nil), (*config.ClusterAudit)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(a.(*ClusterAudit), b.(*config.ClusterAudit), scope)
- }); err != nil {
- return err
- }
- if err := s.AddGeneratedConversionFunc((*config.ClusterAudit)(nil), (*ClusterAudit)(nil), func(a, b interface{}, scope conversion.Scope) error {
- return Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(a.(*config.ClusterAudit), b.(*ClusterAudit), scope)
- }); err != nil {
- return err
- }
if err := s.AddGeneratedConversionFunc((*ControllerConfiguration)(nil), (*config.ControllerConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_ControllerConfiguration_To_config_ControllerConfiguration(a.(*ControllerConfiguration), b.(*config.ControllerConfiguration), scope)
}); err != nil {
@@ -162,58 +142,6 @@ func RegisterConversions(s *runtime.Scheme) error {
return nil
}
-func autoConvert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in *AuditToSplunk, out *config.AuditToSplunk, s conversion.Scope) error {
- out.Enabled = in.Enabled
- out.HECToken = in.HECToken
- out.Index = in.Index
- out.HECHost = in.HECHost
- out.HECPort = in.HECPort
- out.TLSEnabled = in.TLSEnabled
- out.HECCAFile = in.HECCAFile
- return nil
-}
-
-// Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk is an autogenerated conversion function.
-func Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in *AuditToSplunk, out *config.AuditToSplunk, s conversion.Scope) error {
- return autoConvert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(in, out, s)
-}
-
-func autoConvert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in *config.AuditToSplunk, out *AuditToSplunk, s conversion.Scope) error {
- out.Enabled = in.Enabled
- out.HECToken = in.HECToken
- out.Index = in.Index
- out.HECHost = in.HECHost
- out.HECPort = in.HECPort
- out.TLSEnabled = in.TLSEnabled
- out.HECCAFile = in.HECCAFile
- return nil
-}
-
-// Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk is an autogenerated conversion function.
-func Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in *config.AuditToSplunk, out *AuditToSplunk, s conversion.Scope) error {
- return autoConvert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(in, out, s)
-}
-
-func autoConvert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in *ClusterAudit, out *config.ClusterAudit, s conversion.Scope) error {
- out.Enabled = in.Enabled
- return nil
-}
-
-// Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit is an autogenerated conversion function.
-func Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in *ClusterAudit, out *config.ClusterAudit, s conversion.Scope) error {
- return autoConvert_v1alpha1_ClusterAudit_To_config_ClusterAudit(in, out, s)
-}
-
-func autoConvert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in *config.ClusterAudit, out *ClusterAudit, s conversion.Scope) error {
- out.Enabled = in.Enabled
- return nil
-}
-
-// Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit is an autogenerated conversion function.
-func Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in *config.ClusterAudit, out *ClusterAudit, s conversion.Scope) error {
- return autoConvert_config_ClusterAudit_To_v1alpha1_ClusterAudit(in, out, s)
-}
-
func autoConvert_v1alpha1_ControllerConfiguration_To_config_ControllerConfiguration(in *ControllerConfiguration, out *config.ControllerConfiguration, s conversion.Scope) error {
out.ClientConnection = (*componentbaseconfig.ClientConnectionConfiguration)(unsafe.Pointer(in.ClientConnection))
out.MachineImages = *(*[]config.MachineImage)(unsafe.Pointer(&in.MachineImages))
@@ -221,12 +149,6 @@ func autoConvert_v1alpha1_ControllerConfiguration_To_config_ControllerConfigurat
if err := Convert_v1alpha1_ETCD_To_config_ETCD(&in.ETCD, &out.ETCD, s); err != nil {
return err
}
- if err := Convert_v1alpha1_ClusterAudit_To_config_ClusterAudit(&in.ClusterAudit, &out.ClusterAudit, s); err != nil {
- return err
- }
- if err := Convert_v1alpha1_AuditToSplunk_To_config_AuditToSplunk(&in.AuditToSplunk, &out.AuditToSplunk, s); err != nil {
- return err
- }
out.HealthCheckConfig = (*apisconfig.HealthCheckConfig)(unsafe.Pointer(in.HealthCheckConfig))
if err := Convert_v1alpha1_StorageConfiguration_To_config_StorageConfiguration(&in.Storage, &out.Storage, s); err != nil {
return err
@@ -249,12 +171,6 @@ func autoConvert_config_ControllerConfiguration_To_v1alpha1_ControllerConfigurat
if err := Convert_config_ETCD_To_v1alpha1_ETCD(&in.ETCD, &out.ETCD, s); err != nil {
return err
}
- if err := Convert_config_ClusterAudit_To_v1alpha1_ClusterAudit(&in.ClusterAudit, &out.ClusterAudit, s); err != nil {
- return err
- }
- if err := Convert_config_AuditToSplunk_To_v1alpha1_AuditToSplunk(&in.AuditToSplunk, &out.AuditToSplunk, s); err != nil {
- return err
- }
out.HealthCheckConfig = (*apisconfigv1alpha1.HealthCheckConfig)(unsafe.Pointer(in.HealthCheckConfig))
if err := Convert_config_StorageConfiguration_To_v1alpha1_StorageConfiguration(&in.Storage, &out.Storage, s); err != nil {
return err
diff --git a/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go
index 0299746cb..9ff9c4f32 100644
--- a/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/config/v1alpha1/zz_generated.deepcopy.go
@@ -15,38 +15,6 @@ import (
configv1alpha1 "k8s.io/component-base/config/v1alpha1"
)
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditToSplunk) DeepCopyInto(out *AuditToSplunk) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditToSplunk.
-func (in *AuditToSplunk) DeepCopy() *AuditToSplunk {
- if in == nil {
- return nil
- }
- out := new(AuditToSplunk)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterAudit) DeepCopyInto(out *ClusterAudit) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAudit.
-func (in *ClusterAudit) DeepCopy() *ClusterAudit {
- if in == nil {
- return nil
- }
- out := new(ClusterAudit)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) {
*out = *in
@@ -67,8 +35,6 @@ func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) {
copy(*out, *in)
}
in.ETCD.DeepCopyInto(&out.ETCD)
- out.ClusterAudit = in.ClusterAudit
- out.AuditToSplunk = in.AuditToSplunk
if in.HealthCheckConfig != nil {
in, out := &in.HealthCheckConfig, &out.HealthCheckConfig
*out = new(apisconfigv1alpha1.HealthCheckConfig)
diff --git a/pkg/apis/config/zz_generated.deepcopy.go b/pkg/apis/config/zz_generated.deepcopy.go
index 318204967..455d6366f 100644
--- a/pkg/apis/config/zz_generated.deepcopy.go
+++ b/pkg/apis/config/zz_generated.deepcopy.go
@@ -15,38 +15,6 @@ import (
componentbaseconfig "k8s.io/component-base/config"
)
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AuditToSplunk) DeepCopyInto(out *AuditToSplunk) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditToSplunk.
-func (in *AuditToSplunk) DeepCopy() *AuditToSplunk {
- if in == nil {
- return nil
- }
- out := new(AuditToSplunk)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ClusterAudit) DeepCopyInto(out *ClusterAudit) {
- *out = *in
- return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAudit.
-func (in *ClusterAudit) DeepCopy() *ClusterAudit {
- if in == nil {
- return nil
- }
- out := new(ClusterAudit)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) {
*out = *in
@@ -67,8 +35,6 @@ func (in *ControllerConfiguration) DeepCopyInto(out *ControllerConfiguration) {
copy(*out, *in)
}
in.ETCD.DeepCopyInto(&out.ETCD)
- out.ClusterAudit = in.ClusterAudit
- out.AuditToSplunk = in.AuditToSplunk
if in.HealthCheckConfig != nil {
in, out := &in.HealthCheckConfig, &out.HealthCheckConfig
*out = new(apisconfig.HealthCheckConfig)
diff --git a/pkg/apis/metal/types_controlplane.go b/pkg/apis/metal/types_controlplane.go
index 9589f9bc4..365c40886 100644
--- a/pkg/apis/metal/types_controlplane.go
+++ b/pkg/apis/metal/types_controlplane.go
@@ -41,24 +41,28 @@ type ControlPlaneFeatures struct {
// Deprecated: This is now default and always on. Toggle does not have an effect anymore.
// +optional
MachineControllerManagerOOT *bool
+
+ // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller.
+ // +optional
+ DurosStorageEncryption *bool
+ // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
+ // by using DNS egress policies.
+ // Requires firewall-controller >= 1.2.0.
+ // Deprecated: Will be replaced by NetworkAccessRestricted.
+ // +optional
+ RestrictEgress *bool
+
// ClusterAudit enables the deployment of a non-null audit policy to the apiserver and the forwarding
// of the audit events into the cluster where they appear as container log of an audittailer pod, where they
// can be picked up by any of the available Kubernetes logging solutions.
+ // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing.
// +optional
ClusterAudit *bool
// AuditToSplunk enables the forwarding of the apiserver auditlog to a defined splunk instance in addition to
// forwarding it into the cluster. Needs the clusterAudit featureGate to be active.
+ // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing.
// +optional
AuditToSplunk *bool
- // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller.
- // +optional
- DurosStorageEncryption *bool
- // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
- // by using DNS egress policies.
- // Requires firewall-controller >= 1.2.0.
- // Deprecated: Will be replaced by NetworkAccessRestricted.
- // +optional
- RestrictEgress *bool `json:"restrictEgress,omitempty"`
}
// CloudControllerManagerConfig contains configuration settings for the cloud-controller-manager.
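Review bot: The field docs for ClusterAudit and AuditToSplunk still describe the flags as enabling audit-policy deployment and Splunk forwarding, while the added Deprecated lines say they are not used anymore; a reader skimming the field text can still believe that setting `clusterAudit: true` turns on apiserver auditing, although this commit removes the audit chart templates and config types from the extension. Suggest rewording the body to past tense and stating the consequence, e.g. `// ClusterAudit formerly enabled a non-null audit policy on the apiserver. Setting it has no effect; configure auditing through the gardener-extension-audit instead.` and the equivalent for AuditToSplunk; the same text is repeated in pkg/apis/metal/v1alpha1/types_controlplane.go. Because a silently ignored audit toggle leaves a cluster without the audit trail the operator believes they configured, it is also worth checking whether the shoot validation (not part of this diff) can emit a warning when either flag is set.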
diff --git a/pkg/apis/metal/v1alpha1/types_controlplane.go b/pkg/apis/metal/v1alpha1/types_controlplane.go
index e67fcc8ec..4f3a9b564 100644
--- a/pkg/apis/metal/v1alpha1/types_controlplane.go
+++ b/pkg/apis/metal/v1alpha1/types_controlplane.go
@@ -41,23 +41,27 @@ type ControlPlaneFeatures struct {
// Deprecated: This is now default and always on. Toggle does not have an effect anymore.
// +optional
MachineControllerManagerOOT *bool `json:"machineControllerManagerOOT,omitempty"`
+
+ // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller.
+ // +optional
+ DurosStorageEncryption *bool `json:"durosStorageEncryption,omitempty"`
+ // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
+ // by using DNS egress policies.
+ // Requires firewall-controller >= 1.2.0.
+ // +optional
+ RestrictEgress *bool `json:"restrictEgress,omitempty"`
+
// ClusterAudit enables the deployment of a non-null audit policy to the apiserver and the forwarding
// of the audit events into the cluster where they appear as container log of an audittailer pod, where they
// can be picked up by any of the available Kubernetes logging solutions.
+ // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing.
// +optional
ClusterAudit *bool `json:"clusterAudit,omitempty"`
// AuditToSplunk enables the forwarding of the apiserver auditlog to a defined splunk instance in addition to
// forwarding it into the cluster. Needs the clusterAudit featureGate to be active.
+ // Deprecated: This is not used anymore. The gardener-extension-audit handles cluster auditing.
// +optional
AuditToSplunk *bool `json:"auditToSplunk,omitempty"`
- // DurosStorageEncryption enables the deployment of configured encrypted storage classes for the duros-controller.
- // +optional
- DurosStorageEncryption *bool `json:"durosStorageEncryption,omitempty"`
- // RestrictEgress limits the cluster egress to the API server and necessary external dependencies (like container registries)
- // by using DNS egress policies.
- // Requires firewall-controller >= 1.2.0.
- // +optional
- RestrictEgress *bool `json:"restrictEgress,omitempty"`
}
// CloudControllerManagerConfig contains configuration settings for the cloud-controller-manager.
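Review bot: RestrictEgress in the v1alpha1 type is moved without the `// Deprecated: Will be replaced by NetworkAccessRestricted.` line that the internal type carries on the same field in pkg/apis/metal/types_controlplane.go, so the published API docs will not show the deprecation. Add that line above `// +optional` here to keep the two types in step. Go tooling only recognises a deprecation notice when it starts its own paragraph, so a blank `//` line before each `// Deprecated:` in this block would let staticcheck and pkgsite surface it.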
diff --git a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
index 627ac9607..a13f891bb 100644
--- a/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/metal/v1alpha1/zz_generated.conversion.go
@@ -333,10 +333,10 @@ func Convert_metal_ControlPlaneConfig_To_v1alpha1_ControlPlaneConfig(in *metal.C
func autoConvert_v1alpha1_ControlPlaneFeatures_To_metal_ControlPlaneFeatures(in *ControlPlaneFeatures, out *metal.ControlPlaneFeatures, s conversion.Scope) error {
out.MachineControllerManagerOOT = (*bool)(unsafe.Pointer(in.MachineControllerManagerOOT))
- out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit))
- out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk))
out.DurosStorageEncryption = (*bool)(unsafe.Pointer(in.DurosStorageEncryption))
out.RestrictEgress = (*bool)(unsafe.Pointer(in.RestrictEgress))
+ out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit))
+ out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk))
return nil
}
@@ -347,10 +347,10 @@ func Convert_v1alpha1_ControlPlaneFeatures_To_metal_ControlPlaneFeatures(in *Con
func autoConvert_metal_ControlPlaneFeatures_To_v1alpha1_ControlPlaneFeatures(in *metal.ControlPlaneFeatures, out *ControlPlaneFeatures, s conversion.Scope) error {
out.MachineControllerManagerOOT = (*bool)(unsafe.Pointer(in.MachineControllerManagerOOT))
- out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit))
- out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk))
out.DurosStorageEncryption = (*bool)(unsafe.Pointer(in.DurosStorageEncryption))
out.RestrictEgress = (*bool)(unsafe.Pointer(in.RestrictEgress))
+ out.ClusterAudit = (*bool)(unsafe.Pointer(in.ClusterAudit))
+ out.AuditToSplunk = (*bool)(unsafe.Pointer(in.AuditToSplunk))
return nil
}
diff --git a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go
index 9956a7d45..f3a544fb4 100644
--- a/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/apis/metal/v1alpha1/zz_generated.deepcopy.go
@@ -148,23 +148,23 @@ func (in *ControlPlaneFeatures) DeepCopyInto(out *ControlPlaneFeatures) {
*out = new(bool)
**out = **in
}
- if in.ClusterAudit != nil {
- in, out := &in.ClusterAudit, &out.ClusterAudit
+ if in.DurosStorageEncryption != nil {
+ in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption
*out = new(bool)
**out = **in
}
- if in.AuditToSplunk != nil {
- in, out := &in.AuditToSplunk, &out.AuditToSplunk
+ if in.RestrictEgress != nil {
+ in, out := &in.RestrictEgress, &out.RestrictEgress
*out = new(bool)
**out = **in
}
- if in.DurosStorageEncryption != nil {
- in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption
+ if in.ClusterAudit != nil {
+ in, out := &in.ClusterAudit, &out.ClusterAudit
*out = new(bool)
**out = **in
}
- if in.RestrictEgress != nil {
- in, out := &in.RestrictEgress, &out.RestrictEgress
+ if in.AuditToSplunk != nil {
+ in, out := &in.AuditToSplunk, &out.AuditToSplunk
*out = new(bool)
**out = **in
}
diff --git a/pkg/apis/metal/validation/control_plane.go b/pkg/apis/metal/validation/control_plane.go
index 96d0389e6..ae5496b98 100644
--- a/pkg/apis/metal/validation/control_plane.go
+++ b/pkg/apis/metal/validation/control_plane.go
@@ -2,7 +2,6 @@ package validation
import (
gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config"
apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal"
"k8s.io/apimachinery/pkg/util/validation/field"
@@ -20,40 +19,5 @@ func ValidateControlPlaneConfig(controlPlaneConfig *apismetal.ControlPlaneConfig
func validateFeatureGates(controlPlaneConfig *apismetal.ControlPlaneConfig, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
- fgPath := fldPath.Child("featureGates")
- auditToSplunkPath := fgPath.Child("auditToSplunk")
-
- if auditToSplunkEnabled(controlPlaneConfig) && !clusterAuditEnabled(controlPlaneConfig) {
- allErrs = append(allErrs, field.Invalid(auditToSplunkPath, true, "cluster audit feature gate has to be enabled when using audit to splunk feature gate"))
- }
-
return allErrs
}
-
-func ClusterAuditEnabled(controllerConfig *config.ControllerConfiguration, cpConfig *apismetal.ControlPlaneConfig) bool {
- if !controllerConfig.ClusterAudit.Enabled {
- return false
- }
- return clusterAuditEnabled(cpConfig)
-}
-
-func clusterAuditEnabled(cpConfig *apismetal.ControlPlaneConfig) bool {
- if cpConfig.FeatureGates.ClusterAudit != nil && *cpConfig.FeatureGates.ClusterAudit {
- return true
- }
- return false
-}
-
-func AuditToSplunkEnabled(controllerConfig *config.ControllerConfiguration, cpConfig *apismetal.ControlPlaneConfig) bool {
- if !controllerConfig.AuditToSplunk.Enabled {
- return false
- }
- return auditToSplunkEnabled(cpConfig)
-}
-
-func auditToSplunkEnabled(cpConfig *apismetal.ControlPlaneConfig) bool {
- if cpConfig.FeatureGates.AuditToSplunk != nil && *cpConfig.FeatureGates.AuditToSplunk {
- return true
- }
- return false
-}
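Review bot: validateFeatureGates now unconditionally returns an empty list, so a shoot that still sets the deprecated `clusterAudit` or `auditToSplunk` gates to true is accepted and silently ignored; an operator reading such a shoot spec may believe audit forwarding is active when nothing is deployed any more. Rejecting the values would break existing shoots on their next update, so keeping the function as a no-op is defensible, but the decision should be written down where the next maintainer will look, e.g. `// validateFeatureGates currently has nothing to check: clusterAudit and auditToSplunk are deprecated and intentionally accepted but ignored; auditing is handled by gardener-extension-audit.` If a hard stop is wanted later, a `field.Forbidden` on those two paths is the place for it. ValidateControlPlaneConfig, which calls this helper, starts above the hunk.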
diff --git a/pkg/apis/metal/validation/control_plane_test.go b/pkg/apis/metal/validation/control_plane_test.go
index 9e7ad6a18..3b888fc34 100644
--- a/pkg/apis/metal/validation/control_plane_test.go
+++ b/pkg/apis/metal/validation/control_plane_test.go
@@ -9,7 +9,6 @@ import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
- . "github.com/onsi/gomega/gstruct"
)
var _ = Describe("ControlPlaneconfig validation", func() {
@@ -20,13 +19,9 @@ var _ = Describe("ControlPlaneconfig validation", func() {
BeforeEach(func() {
oot := true
- ca := true
- as := false
controlPlaneConfig = &apismetal.ControlPlaneConfig{
FeatureGates: apismetal.ControlPlaneFeatures{
MachineControllerManagerOOT: &oot,
- ClusterAudit: &ca,
- AuditToSplunk: &as,
},
}
})
@@ -35,19 +30,5 @@ var _ = Describe("ControlPlaneconfig validation", func() {
It("should return no errors for an unchanged config", func() {
Expect(ValidateControlPlaneConfig(controlPlaneConfig, cloudProfile, field.NewPath("spec"))).To(BeEmpty())
})
-
- It("should not allow auditToSplunk without clusterAudit", func() {
- *controlPlaneConfig.FeatureGates.ClusterAudit = false
- *controlPlaneConfig.FeatureGates.AuditToSplunk = true
-
- errorList := ValidateControlPlaneConfig(controlPlaneConfig, cloudProfile, field.NewPath("spec"))
-
- Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
- "Type": Equal(field.ErrorTypeInvalid),
- "Field": Equal("spec.featureGates.auditToSplunk"),
- "BadValue": Equal(true),
- "Detail": Equal("cluster audit feature gate has to be enabled when using audit to splunk feature gate"),
- }))))
- })
})
})
diff --git a/pkg/apis/metal/zz_generated.deepcopy.go b/pkg/apis/metal/zz_generated.deepcopy.go
index 2c8e382ab..d855557c4 100644
--- a/pkg/apis/metal/zz_generated.deepcopy.go
+++ b/pkg/apis/metal/zz_generated.deepcopy.go
@@ -148,23 +148,23 @@ func (in *ControlPlaneFeatures) DeepCopyInto(out *ControlPlaneFeatures) {
*out = new(bool)
**out = **in
}
- if in.ClusterAudit != nil {
- in, out := &in.ClusterAudit, &out.ClusterAudit
+ if in.DurosStorageEncryption != nil {
+ in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption
*out = new(bool)
**out = **in
}
- if in.AuditToSplunk != nil {
- in, out := &in.AuditToSplunk, &out.AuditToSplunk
+ if in.RestrictEgress != nil {
+ in, out := &in.RestrictEgress, &out.RestrictEgress
*out = new(bool)
**out = **in
}
- if in.DurosStorageEncryption != nil {
- in, out := &in.DurosStorageEncryption, &out.DurosStorageEncryption
+ if in.ClusterAudit != nil {
+ in, out := &in.ClusterAudit, &out.ClusterAudit
*out = new(bool)
**out = **in
}
- if in.RestrictEgress != nil {
- in, out := &in.RestrictEgress, &out.RestrictEgress
+ if in.AuditToSplunk != nil {
+ in, out := &in.AuditToSplunk, &out.AuditToSplunk
*out = new(bool)
**out = **in
}
diff --git a/pkg/controller/controlplane/add.go b/pkg/controller/controlplane/add.go
index e1ec37158..24bf3b06a 100644
--- a/pkg/controller/controlplane/add.go
+++ b/pkg/controller/controlplane/add.go
@@ -49,7 +49,7 @@ func AddToManagerWithOptions(ctx context.Context, mgr manager.Manager, opts AddO
actuator, err := genericactuator.NewActuator(mgr, metal.Name,
secretConfigsFunc, shootAccessSecretsFunc, nil, nil,
- configChart, controlPlaneChart, cpShootChart, nil, storageClassChart, nil,
+ nil, controlPlaneChart, cpShootChart, nil, storageClassChart, nil,
NewValuesProvider(mgr, opts.ControllerConfig), extensionscontroller.ChartRendererFactoryFunc(util.NewChartRendererForShoot),
imagevector.ImageVector(), "", opts.ShootWebhookConfig, opts.WebhookServerNamespace, defaultServer.Options.Port,
)
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
index fd3ad82c5..94f0ebd0c 100644
--- a/pkg/controller/controlplane/valuesprovider.go
+++ b/pkg/controller/controlplane/valuesprovider.go
@@ -2,7 +2,6 @@ package controlplane
import (
"context"
- "errors"
"fmt"
"net/netip"
"net/url"
@@ -12,7 +11,6 @@ import (
"strings"
"time"
- "github.com/gardener/gardener/extensions/pkg/util"
"github.com/metal-stack/metal-go/api/client/network"
"github.com/metal-stack/metal-go/api/models"
"github.com/metal-stack/metal-lib/pkg/pointer"
@@ -22,7 +20,6 @@ import (
durosv1 "github.com/metal-stack/duros-controller/api/v1"
firewallv1 "github.com/metal-stack/firewall-controller/v2/api/v1"
- extensionsconfig "github.com/gardener/gardener/extensions/pkg/apis/config"
extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
gardencorev1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
@@ -32,20 +29,25 @@ import (
apismetal "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal"
"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper"
- metalgo "github.com/metal-stack/metal-go"
-
metalclient "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal/client"
+ metalgo "github.com/metal-stack/metal-go"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/validation"
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
+ appsv1 "k8s.io/api/apps/v1"
+ corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
+ policyv1beta1 "k8s.io/api/policy/v1beta1"
+ rbacv1 "k8s.io/api/rbac/v1"
+ storagev1 "k8s.io/api/storage/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"github.com/metal-stack/gardener-extension-provider-metal/pkg/metal"
gutil "github.com/gardener/gardener/pkg/utils/gardener"
kutil "github.com/gardener/gardener/pkg/utils/kubernetes"
- v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
-
extensionssecretsmanager "github.com/gardener/gardener/extensions/pkg/util/secret/manager"
+ v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
"github.com/gardener/gardener/pkg/utils/chart"
"github.com/gardener/gardener/pkg/utils/secrets"
@@ -53,17 +55,6 @@ import (
"github.com/go-logr/logr"
- admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
- appsv1 "k8s.io/api/apps/v1"
- corev1 "k8s.io/api/core/v1"
- networkingv1 "k8s.io/api/networking/v1"
- policyv1beta1 "k8s.io/api/policy/v1beta1"
- rbacv1 "k8s.io/api/rbac/v1"
- storagev1 "k8s.io/api/storage/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "k8s.io/client-go/kubernetes"
-
apierrors "k8s.io/apimachinery/pkg/api/errors"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/serializer"
@@ -77,7 +68,6 @@ import (
const (
caNameControlPlane = "ca-" + metal.Name + "-controlplane"
droptailerCAName = "ca-" + metal.Name + "-droptailer"
- auditTailerCAName = "ca-" + metal.Name + "-audittailer"
ipv4HostMask = "/32"
ipv6HostMask = "/128"
@@ -147,37 +137,6 @@ func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfig
},
Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(droptailerCAName, secretsmanager.UseCurrentCA)},
},
- // audit tailer
- {
- Config: &secrets.CertificateSecretConfig{
- Name: auditTailerCAName,
- CommonName: auditTailerCAName,
- CertType: secrets.CACert,
- },
- Options: []secretsmanager.GenerateOption{secretsmanager.Persist()},
- },
- {
- Config: &secrets.CertificateSecretConfig{
- Name: metal.AudittailerClientSecretName,
- CommonName: "audittailer",
- DNSNames: []string{"audittailer"},
- Organization: []string{"audittailer-client"},
- CertType: secrets.ClientCert,
- SkipPublishingCACertificate: false,
- },
- Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)},
- },
- {
- Config: &secrets.CertificateSecretConfig{
- Name: metal.AudittailerServerSecretName,
- CommonName: "audittailer",
- DNSNames: []string{"audittailer"},
- Organization: []string{"audittailer-server"},
- CertType: secrets.ServerCert,
- SkipPublishingCACertificate: false,
- },
- Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(auditTailerCAName, secretsmanager.UseCurrentCA)},
- },
}
}
@@ -187,17 +146,9 @@ func shootAccessSecretsFunc(namespace string) []*gutil.AccessSecret {
gutil.NewShootAccessSecret(metal.CloudControllerManagerDeploymentName, namespace),
gutil.NewShootAccessSecret(metal.DurosControllerDeploymentName, namespace),
gutil.NewShootAccessSecret(metal.MachineControllerManagerName, namespace),
- gutil.NewShootAccessSecret(metal.AudittailerClientSecretName, namespace),
}
}
-var configChart = &chart.Chart{
- Name: "config",
- Path: filepath.Join(metal.InternalChartsPath, "cloud-provider-config"),
- Images: []string{},
- Objects: []*chart.Object{},
-}
-
var controlPlaneChart = &chart.Chart{
Name: "control-plane",
Path: filepath.Join(metal.InternalChartsPath, "control-plane"),
@@ -324,27 +275,6 @@ func NewValuesProvider(mgr manager.Manager, controllerConfig config.ControllerCo
{Type: &rbacv1.ClusterRoleBinding{}, Name: "system:duros-controller"},
}...)
}
- if controllerConfig.ClusterAudit.Enabled {
- configChart.Objects = append(configChart.Objects, []*chart.Object{
- {Type: &corev1.ConfigMap{}, Name: "audit-policy-override"},
- }...)
- cpShootChart.Images = append(cpShootChart.Images, []string{metal.AudittailerImageName}...)
- cpShootChart.Objects = append(cpShootChart.Objects, []*chart.Object{
- // audittailer
- {Type: &corev1.Namespace{}, Name: "audit"},
- {Type: &appsv1.Deployment{}, Name: "audittailer"},
- {Type: &corev1.ConfigMap{}, Name: "audittailer-config"},
- {Type: &corev1.Service{}, Name: "audittailer"},
- {Type: &rbacv1.Role{}, Name: "audittailer"},
- {Type: &rbacv1.RoleBinding{}, Name: "audittailer"},
- }...)
- if controllerConfig.AuditToSplunk.Enabled {
- configChart.Objects = append(configChart.Objects, []*chart.Object{
- {Type: &corev1.Secret{}, Name: "audit-to-splunk-secret"},
- {Type: &corev1.ConfigMap{}, Name: "audit-to-splunk-config"},
- }...)
- }
- }
return &valuesProvider{
controllerConfig: controllerConfig,
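Review bot: Removing the `audit-policy-override` ConfigMap and the `audit-to-splunk-secret`/`audit-to-splunk-config` objects from the chart object lists stops them from being rendered, but nothing in this change deletes instances already present in the seed namespaces of existing shoots; unless the generic actuator or a migration step elsewhere garbage-collects them, the Secret holding the Splunk HEC token outlives the feature that used it. A one-off cleanup in the reconcile path (a `client.Delete` of those objects, ignoring not-found) or an explicit release-note instruction for operators to remove them would close that gap. The same question applies to the seed-side `audittailer-client` shoot access secret dropped in the `shootAccessSecretsFunc` hunk above, though the generic actuator may already reconcile that list. The enclosing NewValuesProvider function starts outside the hunk.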
@@ -368,106 +298,7 @@ func (vp *valuesProvider) GetConfigChartValues(
cp *extensionsv1alpha1.ControlPlane,
cluster *extensionscontroller.Cluster,
) (map[string]interface{}, error) {
- clusterAuditValues, err := vp.getClusterAuditConfigValues(ctx, cp, cluster)
- if err != nil {
- return nil, err
- }
-
- return clusterAuditValues, nil
-}
-
-func (vp *valuesProvider) getClusterAuditConfigValues(ctx context.Context, cp *extensionsv1alpha1.ControlPlane, cluster *extensionscontroller.Cluster) (map[string]interface{}, error) {
- cpConfig, err := helper.ControlPlaneConfigFromControlPlane(cp)
- if err != nil {
- return nil, err
- }
-
- var (
- clusterAuditValues = map[string]interface{}{
- "enabled": false,
- }
- auditToSplunkValues = map[string]interface{}{
- "enabled": false,
- }
- values = map[string]interface{}{
- "clusterAudit": clusterAuditValues,
- "auditToSplunk": auditToSplunkValues,
- }
- )
-
- if !validation.ClusterAuditEnabled(&vp.controllerConfig, cpConfig) {
- return values, nil
- }
-
- clusterAuditValues["enabled"] = true
-
- if !validation.AuditToSplunkEnabled(&vp.controllerConfig, cpConfig) {
- return values, nil
- }
-
- auditToSplunkValues["enabled"] = true
- auditToSplunkValues["hecToken"] = vp.controllerConfig.AuditToSplunk.HECToken
- auditToSplunkValues["index"] = vp.controllerConfig.AuditToSplunk.Index
- auditToSplunkValues["hecHost"] = vp.controllerConfig.AuditToSplunk.HECHost
- auditToSplunkValues["hecPort"] = vp.controllerConfig.AuditToSplunk.HECPort
- auditToSplunkValues["tlsEnabled"] = vp.controllerConfig.AuditToSplunk.TLSEnabled
- auditToSplunkValues["hecCAFile"] = vp.controllerConfig.AuditToSplunk.HECCAFile
- auditToSplunkValues["clusterName"] = cluster.ObjectMeta.Name
-
- if !extensionscontroller.IsHibernated(cluster) {
- customValues, err := vp.getCustomSplunkValues(ctx, cluster.ObjectMeta.Name, auditToSplunkValues)
- if err != nil {
- vp.logger.Error(err, "could not read custom splunk values")
- } else {
- values["auditToSplunk"] = customValues
- }
- }
-
- return values, nil
-}
-
-func (vp *valuesProvider) getCustomSplunkValues(ctx context.Context, clusterName string, auditToSplunkValues map[string]interface{}) (map[string]interface{}, error) {
- shootConfig, _, err := util.NewClientForShoot(ctx, vp.client, clusterName, client.Options{}, extensionsconfig.RESTOptions{})
- if err != nil {
- return auditToSplunkValues, err
- }
-
- cs, err := kubernetes.NewForConfig(shootConfig)
- if err != nil {
- return auditToSplunkValues, err
- }
-
- splunkConfigSecret, err := cs.CoreV1().Secrets("kube-system").Get(ctx, "splunk-config", metav1.GetOptions{})
- if err != nil {
- if apierrors.IsNotFound(err) {
- return auditToSplunkValues, nil
- }
- return nil, err
- }
-
- if splunkConfigSecret.Data == nil {
- vp.logger.Error(errors.New("secret is empty"), "custom splunk config secret contains no data")
- return auditToSplunkValues, nil
- }
-
- for key, value := range splunkConfigSecret.Data {
- switch key {
- case "hecToken":
- auditToSplunkValues[key] = string(value)
- case "index":
- auditToSplunkValues[key] = string(value)
- case "hecHost":
- auditToSplunkValues[key] = string(value)
- case "hecPort":
- auditToSplunkValues[key] = string(value)
- case "tlsEnabled":
- auditToSplunkValues[key] = string(value)
- case "hecCAFile":
- auditToSplunkValues[key] = string(value)
- }
- }
-
- return auditToSplunkValues, nil
+ return nil, nil
}
// GetControlPlaneChartValues returns the values for the control plane chart applied by the generic actuator.
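Review bot: GetConfigChartValues is reduced to `return nil, nil`, yet it keeps the `ctx`, `cp` and `cluster` parameters and carries no comment saying why it is a no-op; together with the `nil` chart argument now passed in add.go (`AddToManagerWithOptions`), a reader has to cross-reference two files to learn that no config chart is deployed at all. Add a doc comment such as `// GetConfigChartValues returns nil: the provider no longer deploys a config chart (see the nil chart passed in AddToManagerWithOptions); the method exists only to satisfy the ValuesProvider interface.` and, if the project lints unused parameters, rename them to `_`. The method's signature line is above the hunk.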
@@ -662,13 +493,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
"enabled": vp.controllerConfig.Storage.Duros.Enabled,
}
- clusterAuditValues := map[string]interface{}{
- "enabled": false,
- }
- if validation.ClusterAuditEnabled(&vp.controllerConfig, cpConfig) {
- clusterAuditValues["enabled"] = true
- }
-
nodeInitValues := map[string]any{
"enabled": true,
}
@@ -790,7 +614,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
"apiserverIPs": apiserverIPs,
"nodeCIDR": nodeCIDR,
"duros": durosValues,
- "clusterAudit": clusterAuditValues,
"nodeInit": nodeInitValues,
"restrictEgress": map[string]any{ // FIXME remove
"enabled": cpConfig.FeatureGates.RestrictEgress != nil && *cpConfig.FeatureGates.RestrictEgress,
@@ -826,27 +649,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
}
}
- audittailerServer, serverOK := secretsReader.Get(metal.AudittailerServerSecretName)
- audittailerClient, clientOK := secretsReader.Get(metal.AudittailerClientSecretName)
- if serverOK && clientOK {
- values["audittailer"] = map[string]any{
- "podAnnotations": map[string]interface{}{
- "checksum/secret-audittailer-server": checksums[metal.AudittailerServerSecretName],
- "checksum/secret-audittailer-client": checksums[metal.AudittailerClientSecretName],
- },
- "server": map[string]any{
- "ca": audittailerServer.Data["ca.crt"],
- "cert": audittailerServer.Data["tls.crt"],
- "key": audittailerServer.Data["tls.key"],
- },
- "client": map[string]any{
- "ca": audittailerClient.Data["ca.crt"],
- "cert": audittailerClient.Data["tls.crt"],
- "key": audittailerClient.Data["tls.key"],
- },
- }
- }
-
if vp.controllerConfig.Storage.Duros.Enabled {
partitionConfig, ok := vp.controllerConfig.Storage.Duros.PartitionConfig[infrastructureConfig.PartitionID]
diff --git a/pkg/metal/types.go b/pkg/metal/types.go
index b6ceeb9a5..3e8d25e25 100644
--- a/pkg/metal/types.go
+++ b/pkg/metal/types.go
@@ -12,8 +12,6 @@ const (
MCMProviderMetalImageName = "machine-controller-manager-provider-metal"
// CCMImageName is the name of the cloud controller manager image.
CCMImageName = "metalccm"
- // AudittailerImageName is the name of the Audittailer to deploy to the shoot.
- AudittailerImageName = "audittailer"
// DroptailerImageName is the name of the Droptailer to deploy to the shoot.
DroptailerImageName = "droptailer"
// MetallbSpeakerImageName is the name of the metallb speaker to deploy to the shoot.
@@ -45,18 +43,6 @@ const (
// ShootExtensionTypeTokenIssuer appears unused? CHECKME
ShootExtensionTypeTokenIssuer = "tokenissuer"
- // AuditPolicyName is the name of the configmap containing the audit policy.
- AuditPolicyName = "audit-policy-override"
- // AudittailerNamespace is the namespace where the audit tailer will get deployed.
- AudittailerNamespace = "audit"
- // AudittailerClientSecretName is the name of the secret containing the certificates for the audittailer client.
- AudittailerClientSecretName = "audittailer-client" // nolint:gosec
- // AudittailerServerSecretName is the name of the secret containing the certificates for the audittailer server.
- AudittailerServerSecretName = "audittailer-server" // nolint:gosec
- // AuditForwarderSplunkConfigName is the name of the configmap containing the splunk configuration for the auditforwarder.
- AuditForwarderSplunkConfigName = "audit-to-splunk-config"
- // AuditForwarderSplunkSecretName is the name of the secret containing the splunk hec token and, if required, the ca certificate.
- AuditForwarderSplunkSecretName = "audit-to-splunk-secret" // nolint:gosec
// DroptailerNamespace is the namespace where the firewall droptailer will get deployed.
DroptailerNamespace = "firewall"
// DroptailerClientSecretName is the name of the secret containing the certificates for the droptailer client.
diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go
index 73eed251f..b4660a5c6 100644
--- a/pkg/webhook/controlplane/ensurer.go
+++ b/pkg/webhook/controlplane/ensurer.go
@@ -4,12 +4,10 @@ import (
"context"
"encoding/base64"
"fmt"
- "path"
"strings"
"github.com/Masterminds/semver"
"github.com/coreos/go-systemd/v22/unit"
- extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
gcontext "github.com/gardener/gardener/extensions/pkg/webhook/context"
@@ -18,22 +16,16 @@ import (
v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
- gutil "github.com/gardener/gardener/pkg/utils/gardener"
kutil "github.com/gardener/gardener/pkg/utils/kubernetes"
"github.com/go-logr/logr"
"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/helper"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal/validation"
- "github.com/metal-stack/metal-lib/pkg/pointer"
"github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/config"
metalapi "github.com/metal-stack/gardener-extension-provider-metal/pkg/apis/metal"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/imagevector"
- "github.com/metal-stack/gardener-extension-provider-metal/pkg/metal"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/resource"
kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -62,12 +54,6 @@ func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gconte
return err
}
- cpConfig, err := helper.ControlPlaneConfigFromClusterShootSpec(cluster)
- if err != nil {
- logger.Error(err, "could not read ControlPlaneConfig from cluster shoot spec", "Cluster name", cluster.ObjectMeta.Name)
- return err
- }
-
infrastructure := &extensionsv1alpha1.Infrastructure{}
if err := e.client.Get(ctx, kutil.Key(cluster.ObjectMeta.Name, cluster.Shoot.Name), infrastructure); err != nil {
logger.Error(err, "could not read Infrastructure for cluster", "cluster name", cluster.ObjectMeta.Name)
@@ -79,292 +65,20 @@ func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gconte
return err
}
- makeAuditForwarder := false
- if validation.ClusterAuditEnabled(&e.controllerConfig, cpConfig) {
- makeAuditForwarder = true
- }
- if makeAuditForwarder {
- audittailersecret := &corev1.Secret{}
- if err := e.client.Get(ctx, kutil.Key(cluster.ObjectMeta.Name, gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName), audittailersecret); err != nil {
- logger.Error(err, "could not get secret for cluster", "secret", gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName, "cluster name", cluster.ObjectMeta.Name)
- makeAuditForwarder = false
- }
- if len(audittailersecret.Data) == 0 {
- logger.Error(err, "token for secret not yet set in cluster", "secret", gutil.SecretNamePrefixShootAccess+metal.AudittailerClientSecretName, "cluster name", cluster.ObjectMeta.Name)
- makeAuditForwarder = false
- }
- }
-
- genericTokenKubeconfigSecretName := extensionscontroller.GenericTokenKubeconfigSecretNameFromCluster(cluster)
-
- auditToSplunk := false
- if validation.AuditToSplunkEnabled(&e.controllerConfig, cpConfig) {
- auditToSplunk = true
- }
-
template := &new.Spec.Template
ps := &template.Spec
if c := extensionswebhook.ContainerWithName(ps.Containers, "kube-apiserver"); c != nil {
- ensureKubeAPIServerCommandLineArgs(c, makeAuditForwarder)
- ensureVolumeMounts(c, makeAuditForwarder)
- ensureVolumes(ps, genericTokenKubeconfigSecretName, makeAuditForwarder, auditToSplunk)
+ ensureKubeAPIServerCommandLineArgs(c)
}
if c := extensionswebhook.ContainerWithName(ps.Containers, "vpn-seed"); c != nil {
ensureVPNSeedEnvVars(c, nodeCIDR)
}
- if makeAuditForwarder {
- // required because auditforwarder uses kube-apiserver and not localhost
- template.Labels["networking.resources.gardener.cloud/to-kube-apiserver-tcp-443"] = "allowed"
-
- err := ensureAuditForwarder(ps, auditToSplunk)
- if err != nil {
- logger.Error(err, "could not ensure the audit forwarder", "Cluster name", cluster.ObjectMeta.Name)
- return err
- }
- if auditToSplunk {
- err := controlplane.EnsureConfigMapChecksumAnnotation(ctx, &new.Spec.Template, e.client, new.Namespace, metal.AuditForwarderSplunkConfigName)
- if err != nil {
- logger.Error(err, "could not ensure the splunk config map checksum annotation", "cluster name", cluster.ObjectMeta.Name, "configmap", metal.AuditForwarderSplunkConfigName)
- return err
- }
- err = controlplane.EnsureSecretChecksumAnnotation(ctx, &new.Spec.Template, e.client, new.Namespace, metal.AuditForwarderSplunkSecretName)
- if err != nil {
- logger.Error(err, "could not ensure the splunk secret checksum annotation", "cluster name", cluster.ObjectMeta.Name, "secret", metal.AuditForwarderSplunkSecretName)
- return err
- }
- }
- }
return e.ensureChecksumAnnotations(ctx, &new.Spec.Template, new.Namespace)
}
-var (
- // config mount for the audit policy; it gets mounted where the kube-apiserver expects its audit policy.
- auditPolicyVolumeMount = corev1.VolumeMount{
- Name: metal.AuditPolicyName,
- MountPath: "/etc/kubernetes/audit-override",
- ReadOnly: true,
- }
- auditPolicyVolume = corev1.Volume{
- Name: metal.AuditPolicyName,
- VolumeSource: corev1.VolumeSource{
- ConfigMap: &corev1.ConfigMapVolumeSource{
- LocalObjectReference: corev1.LocalObjectReference{Name: metal.AuditPolicyName},
- },
- },
- }
- auditForwarderSplunkConfigVolumeMount = corev1.VolumeMount{
- Name: metal.AuditForwarderSplunkConfigName,
- MountPath: "/fluent-bit/etc/add",
- ReadOnly: true,
- }
- auditForwarderSplunkConfigVolume = corev1.Volume{
- Name: metal.AuditForwarderSplunkConfigName,
- VolumeSource: corev1.VolumeSource{
- ConfigMap: &corev1.ConfigMapVolumeSource{
- LocalObjectReference: corev1.LocalObjectReference{Name: metal.AuditForwarderSplunkConfigName},
- },
- },
- }
- auditForwarderSplunkSecretVolumeMount = corev1.VolumeMount{
- Name: metal.AuditForwarderSplunkSecretName,
- MountPath: "/fluent-bit/etc/splunkca",
- ReadOnly: true,
- }
- auditForwarderSplunkSecretVolume = corev1.Volume{
- Name: metal.AuditForwarderSplunkSecretName,
- VolumeSource: corev1.VolumeSource{
- Secret: &corev1.SecretVolumeSource{
- SecretName: metal.AuditForwarderSplunkSecretName,
- },
- },
- }
- auditForwarderSplunkPodNameEnvVar = corev1.EnvVar{
- Name: "MY_POD_NAME",
- ValueFrom: &corev1.EnvVarSource{
- FieldRef: &corev1.ObjectFieldSelector{FieldPath: "metadata.name"},
- },
- }
- auditForwarderSplunkHECTokenEnvVar = corev1.EnvVar{
- Name: "SPLUNK_HEC_TOKEN",
- ValueFrom: &corev1.EnvVarSource{
- SecretKeyRef: &corev1.SecretKeySelector{
- LocalObjectReference: corev1.LocalObjectReference{
- Name: metal.AuditForwarderSplunkSecretName,
- },
- Key: "splunk_hec_token",
- },
- },
- }
- auditLogVolumeMount = corev1.VolumeMount{
- Name: "auditlog",
- MountPath: "/auditlog",
- ReadOnly: false,
- }
- auditLogVolume = corev1.Volume{
- Name: "auditlog",
- VolumeSource: corev1.VolumeSource{
- EmptyDir: &corev1.EmptyDirVolumeSource{},
- },
- }
- auditKubeconfig = func(genericKubeconfigSecretName string) corev1.Volume {
- return corev1.Volume{
- Name: "kubeconfig",
- VolumeSource: corev1.VolumeSource{
- Projected: &corev1.ProjectedVolumeSource{
- DefaultMode: pointer.Pointer(int32(420)),
- Sources: []corev1.VolumeProjection{
- {
- Secret: &corev1.SecretProjection{
- Items: []corev1.KeyToPath{
- {
- Key: "kubeconfig",
- Path: "kubeconfig",
- },
- },
- Optional: pointer.Pointer(false),
- LocalObjectReference: corev1.LocalObjectReference{
- Name: genericKubeconfigSecretName,
- },
- },
- },
- {
- Secret: &corev1.SecretProjection{
- Items: []corev1.KeyToPath{
- {
- Key: "token",
- Path: "token",
- },
- },
- Optional: pointer.Pointer(false),
- LocalObjectReference: corev1.LocalObjectReference{
- Name: gutil.SecretNamePrefixShootAccess + metal.AudittailerClientSecretName,
- },
- },
- },
- },
- },
- },
- }
- }
- reversedVpnVolumeMounts = []corev1.VolumeMount{
- {
- Name: "ca-vpn",
- MountPath: "/proxy/ca",
- ReadOnly: true,
- },
- {
- Name: "http-proxy",
- MountPath: "/proxy/client",
- ReadOnly: true,
- },
- }
- kubeAggregatorClientTlsEnvVars = []corev1.EnvVar{
- {
- Name: "AUDIT_PROXY_CA_FILE",
- Value: "/proxy/ca/bundle.crt",
- },
- {
- Name: "AUDIT_PROXY_CLIENT_CRT_FILE",
- Value: "/proxy/client/tls.crt",
- },
- {
- Name: "AUDIT_PROXY_CLIENT_KEY_FILE",
- Value: "/proxy/client/tls.key",
- },
- }
- auditForwarderSidecarTemplate = corev1.Container{
- Name: "auditforwarder",
- // Image: // is added from the image vector in the ensure function
- ImagePullPolicy: "Always",
- Env: []corev1.EnvVar{
- {
- Name: "AUDIT_KUBECFG",
- Value: path.Join(gutil.VolumeMountPathGenericKubeconfig, "kubeconfig"),
- },
- {
- Name: "AUDIT_NAMESPACE",
- Value: metal.AudittailerNamespace,
- },
- {
- Name: "AUDIT_SERVICE_NAME",
- Value: "audittailer",
- },
- {
- Name: "AUDIT_SECRET_NAME",
- Value: metal.AudittailerClientSecretName,
- },
- {
- Name: "AUDIT_AUDIT_LOG_PATH",
- Value: "/auditlog/audit.log",
- },
- {
- Name: "AUDIT_TLS_CA_FILE",
- Value: "ca.crt",
- },
- {
- Name: "AUDIT_TLS_CRT_FILE",
- Value: "tls.crt",
- },
- {
- Name: "AUDIT_TLS_KEY_FILE",
- Value: "tls.key",
- },
- {
- Name: "AUDIT_TLS_VHOST",
- Value: "audittailer",
- },
- },
- Resources: corev1.ResourceRequirements{
- Requests: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("50m"),
- corev1.ResourceMemory: resource.MustParse("100Mi"),
- },
- Limits: corev1.ResourceList{
- corev1.ResourceCPU: resource.MustParse("100m"),
- corev1.ResourceMemory: resource.MustParse("500Mi"),
- },
- },
- VolumeMounts: []corev1.VolumeMount{
- {
- Name: "kubeconfig",
- MountPath: gutil.VolumeMountPathGenericKubeconfig,
- ReadOnly: true,
- },
- auditLogVolumeMount,
- },
- }
-)
-
-func ensureVolumeMounts(c *corev1.Container, makeAuditForwarder bool) {
- if makeAuditForwarder {
- c.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(c.VolumeMounts, auditPolicyVolumeMount)
- c.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(c.VolumeMounts, auditLogVolumeMount)
- }
-}
-
-func ensureVolumes(ps *corev1.PodSpec, genericKubeconfigSecretName string, makeAuditForwarder, auditToSplunk bool) {
- if makeAuditForwarder {
-
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditKubeconfig(genericKubeconfigSecretName))
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditPolicyVolume)
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditLogVolume)
- }
- if auditToSplunk {
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditForwarderSplunkConfigVolume)
- ps.Volumes = extensionswebhook.EnsureVolumeWithName(ps.Volumes, auditForwarderSplunkSecretVolume)
- }
-}
-
-func ensureKubeAPIServerCommandLineArgs(c *corev1.Container, makeAuditForwarder bool) {
+func ensureKubeAPIServerCommandLineArgs(c *corev1.Container) {
c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--cloud-provider=", "external")
-
- if makeAuditForwarder {
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-policy-file=", "/etc/kubernetes/audit-override/audit-policy.yaml")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-path=", "/auditlog/audit.log")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-maxsize=", "100")
- c.Command = extensionswebhook.EnsureStringWithPrefix(c.Command, "--audit-log-maxbackup=", "1")
- }
}
func ensureVPNSeedEnvVars(c *corev1.Container, nodeCIDR string) {
@@ -379,77 +93,6 @@ func ensureVPNSeedEnvVars(c *corev1.Container, nodeCIDR string) {
})
}
-func ensureAuditForwarder(ps *corev1.PodSpec, auditToSplunk bool) error {
- auditForwarderSidecar := auditForwarderSidecarTemplate.DeepCopy()
- auditForwarderImage, err := imagevector.ImageVector().FindImage("auditforwarder")
- if err != nil {
- logger.Error(err, "Could not find auditforwarder image in imagevector")
- return err
- }
- auditForwarderSidecar.Image = auditForwarderImage.String()
-
- var proxyHost string
-
- for _, volume := range ps.Volumes {
- switch volume.Name {
- case "egress-selection-config":
- proxyHost = "vpn-seed-server"
- }
- }
-
- if proxyHost != "" {
- err := ensureAuditForwarderProxy(auditForwarderSidecar, proxyHost)
- if err != nil {
- logger.Error(err, "could not ensure auditForwarder proxy")
- return err
- }
- }
-
- if auditToSplunk {
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, auditForwarderSplunkConfigVolumeMount)
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, auditForwarderSplunkSecretVolumeMount)
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, auditForwarderSplunkPodNameEnvVar)
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, auditForwarderSplunkHECTokenEnvVar)
- }
-
- logger.Info("ensuring audit forwarder sidecar", "container", auditForwarderSidecar.Name)
-
- ps.Containers = extensionswebhook.EnsureContainerWithName(ps.Containers, *auditForwarderSidecar)
- return nil
-}
-
-func ensureAuditForwarderProxy(auditForwarderSidecar *corev1.Container, proxyHost string) error {
- logger.Info("ensureAuditForwarderProxy called", "proxyHost=", proxyHost)
- proxyEnvVars := []corev1.EnvVar{
- {
- Name: "AUDIT_PROXY_HOST",
- Value: proxyHost,
- },
- {
- Name: "AUDIT_PROXY_PORT",
- Value: "9443",
- },
- }
-
- for _, envVar := range proxyEnvVars {
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, envVar)
- }
-
- switch proxyHost {
- case "vpn-seed-server":
- for _, envVar := range kubeAggregatorClientTlsEnvVars {
- auditForwarderSidecar.Env = extensionswebhook.EnsureEnvVarWithName(auditForwarderSidecar.Env, envVar)
- }
- for _, mount := range reversedVpnVolumeMounts {
- auditForwarderSidecar.VolumeMounts = extensionswebhook.EnsureVolumeMountWithName(auditForwarderSidecar.VolumeMounts, mount)
- }
- default:
- return fmt.Errorf("%q is not a valid proxy name", proxyHost)
- }
-
- return nil
-}
-
// EnsureKubeControllerManagerDeployment ensures that the kube-controller-manager deployment conforms to the provider requirements.
func (e *ensurer) EnsureKubeControllerManagerDeployment(ctx context.Context, gctx gcontext.GardenContext, new, _ *appsv1.Deployment) error {
template := &new.Spec.Template