# Hack The Garden 05/2023 - Topics
## Votings
See all proposals [here](#all-proposals).
### Most Voted w/ Initial Assignments
- 😬 Shoot node bootstrapping: replace `cloud-config-downloader` (9 votes)
  - Tim Ebert
  - Gerrit Schwerthelm
  - Maximilian Geberl
  - Robin Schneider
  - Stefan Majer
  - Demo in Review: Gerrit/Stefan (10m)
  - Next steps: Gerrit, Stefan
    - open motivation issue: Gerrit, Stefan
    - make first PR ready: Stefan sends invite
- 🚧 IPv6 single-stack on cloud provider (9 votes)
  - Andreas Fritzler
  - Alexander Predeschly
  - Johannes Scheerer
  - Axel Siebenborn
  - Demo in Review: Alex (10m)
  - Next steps: Alex
    - make IPv6 seed setup reproducible: Alex
    - finish implementing GEP-21: STACKIT
    - start adapting provider extensions
    - fix cloud provider implementations
    - make stuff work by following the guide, open tracking issue for this: Alex
    - make stuff work without manual actions
    - later: propose GEP
- 🚧 Initial cluster in "Gardener style" (7 votes)
  - Martin Weindel
  - Lothar Bach
  - Valentin Knabel
  - (Johannes Scheerer)
  - Demo in Review: Jens (10m)
  - Next steps: Jens/Martin
    - write down open questions/next experimentation step in some GitHub repo (gardener-community org)
    - topic will only prove useful once the shoot can become its own seed
    - collect feedback whether the topic is interesting for people to continue -> Review Meeting
- 😬 Move `machine-controller-manager` reconciliation responsibility from extensions to `gardenlet` (4 votes)
  - Rafael Franzke
  - Michael Reiger
  - Jens Schneider
  - (Stefan Majer)
  - (Tim Usner)
  - (Martin Weindel)
  - Demo in Review: TBD
  - Next steps: TBD
- 🙅🏼‍♂️ (Support bridge between Cluster-API and Gardener API) (5 votes)
  - (Tim Usner)
  - (Jens Schneider)
  - (Stefan Majer)
### Least Voted w/ Interested People
- 😬 Enable extensions to access garden cluster (3 votes)
  - Maximilian Geberl
  - Tim Ebert
  - Rafael Franzke
  - Demo in Review: Tim (5m)
  - Next steps: Tim
    - open motivational issue
    - make PR ready
- 🚧 Replace `ShootState` with S3 Buckets
  - Tim Ebert
  - Rafael Franzke
  - Maximilian Geberl
  - Demo in Review: Rafael (5m)
  - Next Steps: Rafael
    - open motivation issue/GEP: Rafael
    - manage encryption key in `InternalSecret` in garden using secretsmanager
    - perform regular reconciliation (~1h?)
    - make PRs ready
    - [ ] adapt logic for deploying `ControllerInstallation` for a) source `BackupEntry` to destination seed, b) Backup{Down,Up}load extension
    - [ ] migration path: 2 FeatureGates, first for starting to upload backups during CPM, second for restoring from them
    - [ ] drop `ShootState` once both FeatureGates have been graduated and other dependants have been switched to `InternalSecrets`
    - [ ] fix `BackupEntry` convention that name equals path prefix in `BackupBucket`: introduce `BackupEntry.spec.pathPrefix`, adapt extensions, drop workarounds in provider-local (`strings.TrimPrefix`)
- 🙅🏼‍♂️ Add support for single/multiple providers to automatically manage NAT IPs for ACL extension (3 votes)
  - Gerrit Schwerthelm
  - Michael Reiger
  - Johannes Scheerer
- 🙅🏼‍♂️ Control Plane Migration w/o downtime (3 votes)
  - Tim Usner
  - Johannes Scheerer
- 🙅🏼‍♂️ Continuation of `gardener-operator` stories (3 votes)
  - Rafael Franzke
  - Tim Usner
- 🙅🏼‍♂️ Rework gardener-extension-shoot-flux (2 votes)
  - Tim Ebert
  - Jens Schneider
## Open Topics From Previous Hackathon Events
- 🙅🏼‍♂️ E2E Tests for Provider Extensions
  - part of https://github.com/gardener/gardener/issues/6016
- 🙅🏼‍♂️ Gardener Development Productivity (https://github.com/gardener/gardener/issues/6016):
  - provider-local: enhance DNS handling
- 🙅🏼‍♂️ work on [gardener-extension-registry-cache](https://github.com/gardener/gardener-extension-registry-cache/issues/3)
  - most important steps are covered in the linked issue
## Fast Track
- ✅ move apiserver-proxy-mutator webhook to gardener-resource-manager -> https://github.com/gardener/gardener/pull/7980
- ✅ improve accuracy of CPM e2e tests with provider-local -> https://github.com/gardener/gardener/pull/7981
- 😬 update shoot-state from extension while extension is in operation state "migrate" ([ref](https://github.com/gardener/gardener/blob/0c3a83e464e01991bfbd73514a8aa3a4b3585714/pkg/gardenlet/controller/shootstate/extensions/add.go#L98-L110))
- 😬 Introduce `core.gardener.cloud/InternalSecrets` resource
  - Rafael Franzke
  - Tim Ebert
  - Demo in Review: Tim (5m)
  - Next steps: Tim
    - motivational issue: Tim
    - make PRs ready: Tim
- 🚧 [ETCD Encryption for Custom Resources](https://github.com/gardener/gardener/issues/4606)
  - Rafael Franzke
  - Tim Ebert
  - Demo in Review: n/a
  - Next steps: Rafael
    - implement dynamic re-encryption of resources and rotation of the encryption key
- 🙅🏼‍♂️ metrics for shoot operations
  - add metrics for flows and flow tasks
    - e.g., collect metrics for how long shoot creation and its individual steps take
    - such metrics could be collected in e2e tests to detect changes/regressions
- 🙅🏼‍♂️ persist local image registry cache in prow cluster for faster e2e tests
- 🙅🏼‍♂️ replace nginx-ingress with istio
- 🙅🏼‍♂️ move containerd into desired cgroup
- 🙅🏼‍♂️ g/g: `hack/check-skaffold-deps.sh`: embedded files not recognized
<hr />
## All Proposals
- shoot node bootstrapping: replace `cloud-config-downloader`
  - introduce Go binary: `gardener-node-agent`
  - improve maintainability, testability, code reuse
  - improve scalability: watch individual `Node` objects instead of polling regularly in `kubelet-monitor`, `cloud-config-executor`
- IPv6 single-stack on cloud provider
  - next step beyond IPv6 single-stack support in local setup ([GEP-21](https://github.com/gardener/gardener/issues/7051))
  - maybe use GCP as first infrastructure? IPv6 GKE cluster as seed cluster?
- Control Plane Migration w/o downtime
  - span istio multi-cluster service mesh across seed clusters
  - move etcd cluster members to new seed cluster one-by-one
- initial cluster in "Gardener style"
  - a.k.a. "autonomous shoot clusters"
- gardener-installer
  - next steps with 23T gardener-installer (in the process of being open-sourced, used by several companies including 23T and STACKIT)
- gardener-extension-kyverno
  - deploy and configure kyverno for shoot clusters
  - can be used in seed clusters for operations purposes (e.g., snow-flake clusters)
  - make small permanent changes to gardener landscape/behaviour without forking
  - replacement for kupid: https://github.com/gardener/kupid/issues/33
- rework [gardener-extension-shoot-flux](https://github.com/23technologies/gardener-extension-shoot-flux)
  - use `providerConfig` in `Shoot.spec.extensions` instead of a single `ConfigMap` per `Project`
  - allow configuring a set of flux resources, e.g. a `GitRepository` that contains more flux resources
    - or reference a single `GitRepository`/`OCIRepository` from which flux should be bootstrapped
  - improve SSH key usage
    - put SSH key into a secret in the garden cluster
    - reference the secret in `Shoot.spec.resources` and the extension's `providerConfig`
    - extension controller transports the SSH key into the shoot's `flux-system` namespace
  - drop hacky access to garden cluster (currently reusing the gardenlet kubeconfig secret)
- enable extensions to access garden cluster
  - gardener-controller-manager: create `ServiceAccount` per `ControllerInstallation` in `seed-*` namespace
  - gardener-admission-controller: handle extension access in `SeedAuthorizer` similar to gardenlet
  - gardenlet: sync token of `ServiceAccount` to extension namespace
  - drop `Cluster` resource (workaround for missing garden cluster access)
- replace `ShootState` with S3 buckets
  - `ShootStates` limit scalability of the gardener control plane (large resources, high update frequency)
  - reuse etcd backup buckets instead of `ShootState` in central garden etcd
  - move `ShootState` to seed (CRD in `extensions.gardener.cloud`)
    - gardenlet populates `ShootState` like before
    - `ShootState` references a `BackupEntry`
    - `BackupEntry` extension is also responsible for syncing `ShootState` to S3
- add support for single/multiple providers to automatically manage NAT IPs for ACL extension
  - make https://github.com/stackitcloud/gardener-extension-acl more usable on different providers by automatically adding NAT IPs, so that the data plane is not prevented from accessing the API server
- "Multicloud" shoots: control plane + nodes in IaaS1 + nodes in IaaS2
  - Wireguard mesh as CNI?
  - Storage?
- make ACL extension aware of ExposureClasses
  - currently, ACL extension can only be used in combination with the default istio-ingressgateway
- Continuation of `gardener-operator` stories (https://github.com/gardener/gardener/issues/7016)
  - e.g., Manage Gardener Control Plane Components
  - etc.
- Move `machine-controller-manager` reconciliation responsibility from extensions to `gardenlet` (https://github.com/gardener/gardener/issues/7594)
- Harmonise development setup options (drop local setups as part of https://github.com/gardener/gardener/issues/6016)
- Support bridge between [Cluster-API](https://github.com/kubernetes-sigs/cluster-api) and Gardener API
- Multi-cluster mesh with cilium