gardener · MrBatschner · May 20, 2022 · May 30, 2022 · May 30, 2022 · Jun 1, 2022
@@ -60,6 +60,8 @@ docker-images:
 
 .PHONY: install-requirements
 install-requirements:
+	@go install -mod=vendor $(REPO_ROOT)/vendor/github.com/ahmetb/gen-crd-api-reference-docs
+	@go install -mod=vendor $(REPO_ROOT)/vendor/github.com/golang/mock/mockgen
 	@go install -mod=vendor $(REPO_ROOT)/vendor/golang.org/x/tools/cmd/goimports
 	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/install-requirements.sh
 

@@ -1,4 +1,4 @@
-// Copyright (c) 2020 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 
+	"github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux"
 	"github.com/gardener/gardener-extension-os-gardenlinux/pkg/generator"
 
 	extcontroller "github.com/gardener/gardener/extensions/pkg/controller"
@@ -36,14 +37,13 @@ import (
 )
 
 var (
-	ctrlName = "gardenlinux"
-	osTypes  = []string{"gardenlinux"}
+	osTypes = []string{"gardenlinux"}
 )
 
 // NewControllerCommand returns a new Command with a new Generator
 func NewControllerCommand(ctx context.Context) *cobra.Command {
-	g := generator.CloudInitGenerator()
-	if g == nil {
+	gardenLinuxGenerator := generator.CloudInitGenerator(ctx)
+	if gardenLinuxGenerator == nil {
 		runtimelog.Log.Error(fmt.Errorf("generator is nil"), "Error executing the main controller command")
 		os.Exit(1)
 	}
@@ -54,7 +54,7 @@ func NewControllerCommand(ctx context.Context) *cobra.Command {
 		mgrOpts     = &controllercmd.ManagerOptions{
 			LeaderElection:             true,
 			LeaderElectionResourceLock: resourcelock.LeasesResourceLock,
-			LeaderElectionID:           controllercmd.LeaderElectionNameID(ctrlName),
+			LeaderElectionID:           controllercmd.LeaderElectionNameID(gardenlinux.Name),
 			LeaderElectionNamespace:    os.Getenv("LEADER_ELECTION_NAMESPACE"),
 		}
 		ctrlOpts = &controllercmd.ControllerOptions{
@@ -63,7 +63,7 @@ func NewControllerCommand(ctx context.Context) *cobra.Command {
 
 		reconcileOpts = &controllercmd.ReconcilerOptions{}
 
-		controllerSwitches = oscommoncmd.SwitchOptions(ctrlName, osTypes, g)
+		controllerSwitches = oscommoncmd.SwitchOptions(gardenlinux.Name, osTypes, gardenLinuxGenerator)
 
 		aggOption = controllercmd.NewOptionAggregator(
 			generalOpts,
@@ -76,7 +76,7 @@ func NewControllerCommand(ctx context.Context) *cobra.Command {
 	)
 
 	cmd := &cobra.Command{
-		Use: "os-" + ctrlName + "-controller-manager",
+		Use: "os-" + gardenlinux.Name + "-controller-manager",
 
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if err := aggOption.Complete(); err != nil {
@@ -107,6 +107,8 @@ func NewControllerCommand(ctx context.Context) *cobra.Command {
 
 			reconcileOpts.Completed().Apply(&oscommon.DefaultAddOptions.IgnoreOperationAnnotation)
 
+			generator.InjectClient(mgr.GetClient())
+
 			if err := controllerSwitches.Completed().AddToManager(mgr); err != nil {
 				return fmt.Errorf("could not add controller to manager: %w", err)
 			}

@@ -0,0 +1,61 @@
+# Using the Garden Linux extension with Gardener as end-user
+
+The [`core.gardener.cloud/v1beta1.Shoot` resource](https://github.com/gardener/gardener/blob/master/example/90-shoot.yaml) declares a few fields that should be considered when this OS extension is used. It essentially allows you to configure [Garden Linux](https://github.com/gardenlinux/gardenlinux) specific settings from the `Shoot` manifest.
+
+In this document we describe how this configuration looks like and under which circumstances your attention may be required.
+
+## Declaring Garden Linux specific configuration
+
+To configure Garden Linux specific settings, you can declare a `OperatingSystemConfiguration` in the `Shoot` manifest for each worker pool at `.spec.provider.workers[].machine.image.providerConfig`. 
+
+An example `OperatingSystemConfiguration` would look like this:
+
+```yaml
+providerConfig:
+  apiVersion: gardenlinux.os.extensions.gardener.cloud/v1alpha1
+  kind: OperatingSystemConfiguration
+  cgroupVersion: v2
+  linuxSecurityModule: SELinux
+```
+
+Configuration of these settings is done by deploying configuration shell scripts and corresponding systemd units into Garden Linux and running them before the kubelet is started.
+
+## Setting cgroup version of Garden Linux
+
+Kubernetes version `>= v1.19` support the unified cgroup hierarchy (a.k.a. cgroup v2) on the worker nodes' operating system.
+
+To configure cgroup v2, the following line can be included into the `OperatingSystemConfiguration`:
+
+```yaml
+  cgroupVersion: v2
+```
+
+If not specified, this setting will default to cgroup `v1`. Also, for Shoot clusters with K8S `< v1.19`, cgroup `v1` will be enforced. Changing this setting will trigger a reboot of the node during bootstrap. A reboot will not be performed if the kubelet is found to be running.
+
+Setting the system to cgroup `v2` will reconfigure Garden Linux to have systemd use the unified cgroup hierarchy and will configure kubelet and containerd to use systemd as a cgroup driver.
+
+### Possible values for `cgroupVersion` (case matters):
+
+| value | result |
+|---|---|
+| `v1` | Garden Linux will be configured to use the classic cgroup hierarchy (cgroup v1) |
+| `v2` | Garden Linux will be configured to use the unified cgroup hierarchy (cgroup v2) |
+
+## Setting the Linux Security Module
+
+This setting allows you to configure the Linux Security Module (lsm) to be `SELinux` or `AppArmor`. Certain Kubernetes workloads might require either lsm to be loaded at boot of the worker node and will fail to run if it is not active.
+
+To configure SELinux, the following line can be included into the `OperatingSystemConfiguration`:
+
+```yaml
+  linuxSecurityModule: SELinux
+```
+
+If not specifief, this setting will default to `AppArmor`. Changing this setting will trigger a reboot of the node during bootstrap. A reboot will not be performed if the kubelet is found to be running.
+
+### Possible values for `linuxSecurityModule` (case matters):
+
+| value | result |
+|---|---|
+| `AppArmor` | Garden Linux will be configured with _AppArmor_ as lsm |
+| `SELinux` | Garden Linux will be configured with _SELinux_ as lsm |
@@ -5,6 +5,7 @@ go 1.16
 require (
 	github.com/ahmetb/gen-crd-api-reference-docs v0.2.0
 	github.com/gardener/gardener v1.45.0
+	github.com/golang/mock v1.6.0
 	github.com/onsi/ginkgo/v2 v2.1.3
 	github.com/onsi/gomega v1.18.0
 	github.com/spf13/cobra v1.2.1

@@ -0,0 +1,24 @@
+{
+    "hideMemberFields": [
+      "TypeMeta"
+    ],
+    "hideTypePatterns": [
+      "ParseError$",
+      "List$"
+    ],
+    "externalPackages": [
+      {
+        "typeMatchPrefix": "^k8s\\.io/(api|apimachinery/pkg/apis)/",
+        "docsURLTemplate": "https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#{{lower .TypeIdentifier}}-{{arrIndex .PackageSegments -1}}-{{arrIndex .PackageSegments -2}}"
+      },
+      {
+        "typeMatchPrefix": "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config",
+        "docsURLTemplate": "https://github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config"
+      }
+    ],
+    "typeDisplayNamePrefixOverrides": {
+      "k8s.io/api/": "Kubernetes ",
+      "k8s.io/apimachinery/pkg/apis/": "Kubernetes "
+    },
+    "markdownDisabled": false
+  }
@@ -0,0 +1,96 @@
+<p>Packages:</p>
+<ul>
+<li>
+<a href="#gardenlinux.os.extensions.gardener.cloud%2fv1alpha1">gardenlinux.os.extensions.gardener.cloud/v1alpha1</a>
+</li>
+</ul>
+<h2 id="gardenlinux.os.extensions.gardener.cloud/v1alpha1">gardenlinux.os.extensions.gardener.cloud/v1alpha1</h2>
+<p>
+<p>Package v1alpha1 contains the v1alpha1 version of the API.</p>
+</p>
+Resource Types:
+<ul><li>
+<a href="#gardenlinux.os.extensions.gardener.cloud/v1alpha1.OperatingSystemConfiguration">OperatingSystemConfiguration</a>
+</li></ul>
+<h3 id="gardenlinux.os.extensions.gardener.cloud/v1alpha1.OperatingSystemConfiguration">OperatingSystemConfiguration
+</h3>
+<p>
+<p>OperatingSystemConfiguration allows to specify configuration for the operating system.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>apiVersion</code></br>
+string</td>
+<td>
+<code>
+gardenlinux.os.extensions.gardener.cloud/v1alpha1
+</code>
+</td>
+</tr>
+<tr>
+<td>
+<code>kind</code></br>
+string
+</td>
+<td><code>OperatingSystemConfiguration</code></td>
+</tr>
+<tr>
+<td>
+<code>linuxSecurityModule</code></br>
+<em>
+<a href="#gardenlinux.os.extensions.gardener.cloud/v1alpha1.LinuxSecurityModule">
+LinuxSecurityModule
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>LinuxSecurityModule allows to configure default Linux Security Module for Garden Linux.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>cgroupVersion</code></br>
+<em>
+<a href="#gardenlinux.os.extensions.gardener.cloud/v1alpha1.CgroupVersion">
+CgroupVersion
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>CgroupVersion allows to configure which cgroup version will be used on Garden Linux</p>
+</td>
+</tr>
+</tbody>
+</table>
+<h3 id="gardenlinux.os.extensions.gardener.cloud/v1alpha1.CgroupVersion">CgroupVersion
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#gardenlinux.os.extensions.gardener.cloud/v1alpha1.OperatingSystemConfiguration">OperatingSystemConfiguration</a>)
+</p>
+<p>
+<p>CgroupVersion defines the cgroup version (v1 or v2) to be configured on Garden Linux</p>
+</p>
+<h3 id="gardenlinux.os.extensions.gardener.cloud/v1alpha1.LinuxSecurityModule">LinuxSecurityModule
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#gardenlinux.os.extensions.gardener.cloud/v1alpha1.OperatingSystemConfiguration">OperatingSystemConfiguration</a>)
+</p>
+<p>
+<p>LinuxSecurityModule defines the Linux Security Module (LSM) for Garden Linux</p>
+</p>
+<hr/>
+<p><em>
+Generated with <a href="https://github.com/ahmetb/gen-crd-api-reference-docs">gen-crd-api-reference-docs</a>
+</em></p>
@@ -0,0 +1,45 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# We need to explicitly pass GO111MODULE=off to k8s.io/code-generator as it is significantly slower otherwise,
+# see https://github.com/kubernetes/code-generator/issues/100.
+export GO111MODULE=off
+
+rm -f $GOPATH/bin/*-gen
+
+PROJECT_ROOT=$(dirname $0)/..
+
+bash "${PROJECT_ROOT}"/vendor/k8s.io/code-generator/generate-internal-groups.sh \
+  deepcopy,defaulter \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/client \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis \
+  "gardenlinux:v1alpha1" \
+  --go-header-file "${PROJECT_ROOT}/vendor/github.com/gardener/gardener/hack/LICENSE_BOILERPLATE.txt"
+
+bash "${PROJECT_ROOT}"/vendor/k8s.io/code-generator/generate-internal-groups.sh \
+  conversion \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/client \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis \
+  github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis \
+  "gardenlinux:v1alpha1" \
+  --extra-peer-dirs=github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux,github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux/v1alpha1,k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/conversion,k8s.io/apimachinery/pkg/runtime \
+  --go-header-file "${PROJECT_ROOT}/vendor/github.com/gardener/gardener/hack/LICENSE_BOILERPLATE.txt"
+
@@ -0,0 +1,20 @@
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +k8s:deepcopy-gen=package
+// +groupName="gardenlinux.os.extensions.gardener.cloud"
+
+//go:generate ../../../hack/update-codegen.sh
+
+package gardenlinux // import "github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux"
@@ -0,0 +1,43 @@
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package install
+
+import (
+	"github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux"
+	"github.com/gardener/gardener-extension-os-gardenlinux/pkg/apis/gardenlinux/v1alpha1"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+)
+
+var (
+	schemeBuilder = runtime.NewSchemeBuilder(
+		v1alpha1.AddToScheme,
+		gardenlinux.AddToScheme,
+		setVersionPriority,
+	)
+
+	// AddToScheme adds all APIs to the scheme.
+	AddToScheme = schemeBuilder.AddToScheme
+)
+
+func setVersionPriority(scheme *runtime.Scheme) error {
+	return scheme.SetVersionPriority(v1alpha1.SchemeGroupVersion)
+}
+
+// Install installs all APIs in the scheme.
+func Install(scheme *runtime.Scheme) {
+	utilruntime.Must(AddToScheme(scheme))
+}