Merge branch 'master' into enh/gardenctl-v2-link

gardener · Apr 4, 2022 · 1312f90 · 1312f90
2 parents 8fc6b54 + de87c10
commit 1312f90
Show file tree

Hide file tree

Showing 34 changed files with 366 additions and 107 deletions.
diff --git a/.pnp.js b/.pnp.js
diff --git a/.yarn/cache/@braintree-sanitize-url-npm-5.0.2-ef365f598a-16a022d29d.zip b/.yarn/cache/@braintree-sanitize-url-npm-5.0.2-ef365f598a-16a022d29d.zip
diff --git a/.yarn/cache/@braintree-sanitize-url-npm-6.0.0-c4f0ae4c7f-fc4b9572f5.zip b/.yarn/cache/@braintree-sanitize-url-npm-6.0.0-c4f0ae4c7f-fc4b9572f5.zip
diff --git a/.yarn/versions/0ccfed92.yml b/.yarn/versions/0ccfed92.yml
diff --git a/Dockerfile b/Dockerfile
@@ -55,7 +55,6 @@ RUN apk add --no-cache tini libstdc++
 WORKDIR /usr/src/app
 
 ENV NODE_ENV "production"
-ENV NODE_OPTIONS "--require /usr/src/app/.pnp.js"
 
 ARG PORT=8080
 ENV PORT $PORT
@@ -72,4 +71,5 @@ EXPOSE $PORT
 
 VOLUME ["/home/node"]
 
-ENTRYPOINT [ "/sbin/tini", "--", "node", "server" ]
+ENTRYPOINT [ "/sbin/tini", "--", "node", "--require=/usr/src/app/.pnp.js"]
+CMD ["server.js"]
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.55.0-dev
+1.56.0-dev
diff --git a/backend/__fixtures__/helper.js b/backend/__fixtures__/helper.js
@@ -102,6 +102,11 @@ function parseSelector (name) {
         selector = obj.get(name)
       }
     }
+
+    if (!selector) {
+      return {}
+    }
+
     return _
       .chain(selector)
       .split(',')

diff --git a/backend/__fixtures__/secrets.js b/backend/__fixtures__/secrets.js
@@ -10,21 +10,26 @@ const yaml = require('js-yaml')
 const { cloneDeep, merge, find, filter, has, get, set, mapValues, split, startsWith, endsWith, isEmpty } = require('lodash')
 const createError = require('http-errors')
 const pathToRegexp = require('path-to-regexp')
-const { toBase64 } = require('./helper')
+const { toBase64, createUrl, parseLabelSelector } = require('./helper')
 const seeds = require('./seeds')
 
 const certificateAuthorityData = toBase64('certificate-authority-data')
 const clientCertificateData = toBase64('client-certificate-data')
 const clientKeyData = toBase64('client-key-data')
 
-function getSecret ({ namespace, name, labels, data = {} }) {
+function getSecret ({ namespace, name, labels, creationTimestamp, data = {} }) {
   const metadata = {
     namespace,
     name
   }
   if (!isEmpty(labels)) {
     metadata.labels = labels
   }
+
+  if (creationTimestamp) {
+    metadata.creationTimestamp = creationTimestamp
+  }
+
   if (!isEmpty(data)) {
     data = mapValues(data, toBase64)
   }
@@ -106,6 +111,12 @@ const secrets = {
       ? filter(items, ['metadata.namespace', namespace])
       : items
   },
+  listMonitoringSecrets (namespace) {
+    return [
+      secrets.getMonitoringSecret(namespace, 'foo.monitoring', '2019-03-13T13:11:36Z'),
+      secrets.getMonitoringSecret(namespace, 'bar.monitoring', '2022-03-13T13:11:36Z')
+    ]
+  },
   getTerminalShortcutsSecret (namespace, options = {}) {
     const {
       valid = false,
@@ -171,14 +182,14 @@ const secrets = {
       }
     })
   },
-  getMonitoringSecret (namespace, name = 'monitoring-ingress-credentials') {
-    const [, projectName, shootName] = split(namespace, '--')
+  getMonitoringSecret (namespace, name, creationTimestamp) {
     return getSecret({
       name,
       namespace,
+      creationTimestamp,
       data: {
-        username: `user-${projectName}-${shootName}`,
-        password: `pass-${projectName}-${shootName}`
+        username: `user-${namespace}-${name}`,
+        password: `pass-${namespace}-${name}`
       }
     })
   },
@@ -187,7 +198,6 @@ const secrets = {
       name,
       namespace,
       data: {
-        'ca.crt': 'ca.crt',
         namespace,
         token: name
       }
@@ -200,15 +210,24 @@ const matchList = pathToRegexp.match('/api/v1/namespaces/:namespace/secrets', ma
 const matchItem = pathToRegexp.match('/api/v1/namespaces/:namespace/secrets/:name', matchOptions)
 
 const mocks = {
-  list () {
+  list ({ forceEmpty = false } = {}) {
     return headers => {
-      const matchResult = matchList(headers[':path'])
-      if (matchResult === false) {
-        return Promise.reject(createError(503))
+      if (forceEmpty) {
+        return Promise.resolve({ items: [] })
       }
-      const { params: { namespace } = {} } = matchResult
-      const items = secrets.list(namespace)
-      return Promise.resolve({ items })
+
+      const url = createUrl(headers)
+      const labelSelector = parseLabelSelector(url)
+      const matchResult = matchList(url.pathname)
+      if (matchResult) {
+        const { params: { namespace } = {} } = matchResult
+        const items = labelSelector.name === 'observability-ingress' && labelSelector['managed-by'] === 'secrets-manager'
+          ? secrets.listMonitoringSecrets(namespace)
+          : secrets.list(namespace)
+        return Promise.resolve({ items })
+      }
+
+      return Promise.reject(createError(503))
     }
   },
   create ({ resourceVersion = '42' } = {}) {
@@ -255,6 +274,11 @@ const mocks = {
         if (item) {
           return Promise.resolve(item)
         }
+
+        if (endsWith(name, '.monitoring')) {
+          const item = secrets.getMonitoringSecret(namespace, name)
+          return Promise.resolve(item)
+        }
       } else if (endsWith(hostname, 'seed.cluster')) {
         if (name === 'monitoring-ingress-credentials') {
           const item = secrets.getMonitoringSecret(namespace, name)

diff --git a/backend/lib/services/members/MemberManager.js b/backend/lib/services/members/MemberManager.js
@@ -218,15 +218,15 @@ class MemberManager {
     const secret = await this.client.core.secrets.get(namespace, secretName)
     const token = decodeBase64(secret.data.token)
     const server = config.apiServerUrl
-    const caData = secret.data['ca.crt']
+    const caData = config.apiServerCaData
     const projectName = this.projectName
     const clusterName = 'garden'
     const contextName = `${clusterName}-${projectName}-${name}`
 
     return dumpKubeconfig({
-      user: name,
-      context: contextName,
-      cluster: clusterName,
+      userName: name,
+      contextName,
+      clusterName,
       namespace,
       token,
       server,

diff --git a/backend/lib/services/shoots.js b/backend/lib/services/shoots.js
@@ -331,9 +331,37 @@ async function getSecret (client, { namespace, name }) {
   }
 }
 
+async function getMonitoringSecret (client, namespace, shootName) {
+  let name
+  if (!shootName) {
+    try {
+      // read operator secret from seed
+      const labelSelector = 'name=observability-ingress,managed-by=secrets-manager,manager-identity=gardenlet'
+      const secretList = await client.core.secrets.list(namespace, { labelSelector })
+      const secret = _
+        .chain(secretList.items)
+        .orderBy(['metadata.creationTimestamp'], ['desc'])
+        .head()
+        .value()
+      if (secret) {
+        return secret
+      }
+      // fallback to old secret name
+      name = 'monitoring-ingress-credentials'
+    } catch (err) {
+      logger.error('failed to fetch %s secret: %s', name, err)
+      throw err
+    }
+  } else {
+    // read user secret from garden cluster
+    name = `${shootName}.monitoring`
+  }
+  return getSecret(client, { namespace, name })
+}
+
 async function assignMonitoringSecret (client, data, namespace, shootName) {
-  const name = shootName ? `${shootName}.monitoring` : 'monitoring-ingress-credentials'
-  const secret = await getSecret(client, { namespace, name })
+  const secret = await getMonitoringSecret(client, namespace, shootName)
+
   if (secret) {
     _
       .chain(secret)

diff --git a/backend/lib/services/terminals/terminalBootstrap.js b/backend/lib/services/terminals/terminalBootstrap.js
@@ -217,10 +217,15 @@ function replaceIngressApiServer (client, { name = TERMINAL_KUBE_APISERVER, name
           paths: [
             {
               backend: {
-                serviceName,
-                servicePort: 443
+                service: {
+                  name: serviceName,
+                  port: {
+                    number: 443
+                  }
+                }
               },
-              path: '/'
+              path: '/',
+              pathType: 'Prefix'
             }
           ]
         }
@@ -238,7 +243,7 @@ function replaceIngressApiServer (client, { name = TERMINAL_KUBE_APISERVER, name
 
   const body = toIngressResource({ name, annotations, spec, ownerReferences })
 
-  return replaceResource(client.extensions.ingresses, { namespace, name, body })
+  return replaceResource(client['networking.k8s.io'].ingresses, { namespace, name, body })
 }
 
 function replaceEndpointKubeApiServer (client, { name = TERMINAL_KUBE_APISERVER, namespace, ip, port, ownerReferences }) {
@@ -718,6 +723,7 @@ class Bootstrapper extends Queue {
       id: taskId, // with the id we make sure that the task for one shoot is not added multiple times (e.g. on another ADDED event when the shoot watch is re-established)
       description
     })
+
     this.push(handler)
   }
 

diff --git a/backend/package.json b/backend/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@gardener-dashboard/backend",
-  "version": "1.54.0",
+  "version": "1.55.0",
   "description": "Gardener Dashboard Server",
   "license": "Apache-2.0",
   "author": "Koser, Holger <[email protected]>",

diff --git a/backend/test/acceptance/__snapshots__/api.members.spec.js.snap b/backend/test/acceptance/__snapshots__/api.members.spec.js.snap
@@ -1216,8 +1216,9 @@ contexts:
 clusters:
   - name: garden
     cluster:
-      certificate-authority-data: Y2EuY3J0
       server: 'https://kubernetes.external.foo.bar'
+      certificate-authority-data: >-
+        LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkxpNHUKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
 users:
   - name: robot
     user: