[provider-local] Harmonize local VPN setup with real-world scenario #9752
Skipping CI for Draft Pull Request.
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
force-pushed from 928e29f to a483ac7
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
force-pushed from a483ac7 to d8873a1
/test pull-gardener-e2e-kind pull-gardener-e2e-kind-ipv6
force-pushed from 305949a to 6259b95
EDIT: we added workarounds to make the upgrade tests pass even though we perform the
force-pushed from 90822ed to 1caa265
/assign
Thanks for bringing the local setup closer to Gardener in the real world.
It looks like there are still some end-to-end tests failing, though.
force-pushed from 1caa265 to 993a8bd
force-pushed from 63bca2e to dca9c39
force-pushed from dca9c39 to 220cc9e
/lgtm
LGTM label has been added. Git tree hash: bfc26186529edb2e4164aba58322fc8b01aaf476
force-pushed from 220cc9e to 7218483
…ovider-local#42" This reverts commit 7ec12fe.
no longer needed now that MCM-provider-local no longer deploys a `Service`
This network policy is not needed since packets to the shoot networks are always encapsulated in the VPN tunnel and never handled by the seed network policies. Co-authored-by: Tim Ebert <[email protected]>
The shoot networks are always "contacted" via the VPN tunnel (which is established FROM the machine pods TO the `vpn-seed-server`). Co-authored-by: Tim Ebert <[email protected]>
Co-authored-by: Tim Ebert <[email protected]>
Co-Authored-By: Rafael Franzke <[email protected]> Co-Authored-By: Marcel Boehm <[email protected]>
Co-Authored-By: Johannes Scheerer <[email protected]>
force-pushed from 7218483 to e4f54b4
/lgtm
LGTM label has been added. Git tree hash: 3126d936a08bf1c4238dcf512c1b1fd428a9d7e4
As soon as you do it right, it works 😉
…N fix (from gardener#9752, released with `v1.96.0`)
How to categorize this PR?
/area dev-productivity
/kind enhancement
What this PR does / why we need it:
Currently, in the local scenario, some pods talk to the machine pods directly (instead of using the VPN tunnel). See the referenced issue for a more detailed description.
This PR harmonizes the local VPN setup by specifying the node network for `Shoot`s and creating a dedicated IP pool. With this, the VPN components correctly configure IP routes for talking to the shoot node network.
As a consequence, all traffic correctly traverses the VPN tunnel and gardenlet's tunnel health check reliably detects a broken tunnel.
Which issue(s) this PR fixes:
Part of #9604
Fixes #9020
See also: https://github.com/gardener-community/hackathon/blob/main/2024-05_Schelklingen/README.md#-harmonize-local-vpn-setup-with-real-world-scenario
Special notes for your reviewer:
/cc @timebertt
We need to do some workarounds for making the e2e upgrade tests pass for this specific version. The workarounds are only active until the next minor release.
Release note:
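Added example, not code from this PR or from gardener: a Go check of the invariant the description states, namely that every shoot network (pod, service and, after this change, node network) is reached only through the VPN tunnel and never via a more specific route on another interface. It parses routing-table lines in the form printed by `ip route show`. The device name `tun0`, the CIDRs and both routing tables are constructed assumptions; the real routes are programmed by the VPN components and would be read from the actual pod.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// route is the part of an `ip route show` entry used here: destination prefix and device.
type route struct{ dst netip.Prefix; dev string }

// parseRoutes reads `ip route show` output. "default" is taken as 0.0.0.0/0 (for an IPv6
// table pass "::/0" explicitly); host routes printed without a mask are not handled.
func parseRoutes(out string) ([]route, error) {
	var routes []route
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		dstText := fields[0]
		if dstText == "default" {
			dstText = "0.0.0.0/0"
		}
		dst, err := netip.ParsePrefix(dstText)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", sc.Text(), err)
		}
		r := route{dst: dst.Masked()}
		for i := 1; i+1 < len(fields); i++ {
			if fields[i] == "dev" {
				r.dev = fields[i+1]
			}
		}
		routes = append(routes, r)
	}
	return routes, sc.Err()
}

// checkShootNetwork requires a route via tunnelDev that covers n, and no route via another
// device overlapping n that is at least as specific as that covering route (equal
// specificity is flagged too, because then a metric rather than the prefix decides).
func checkShootNetwork(routes []route, tunnelDev string, n netip.Prefix) error {
	cover := -1
	for _, r := range routes {
		if r.dev == tunnelDev && r.dst.Bits() <= n.Bits() && r.dst.Contains(n.Addr()) && r.dst.Bits() > cover {
			cover = r.dst.Bits()
		}
	}
	if cover < 0 {
		return fmt.Errorf("%s: no route via %s covers it, traffic bypasses the tunnel", n, tunnelDev)
	}
	for _, r := range routes {
		overlaps := r.dst.Contains(n.Addr()) || n.Contains(r.dst.Addr()) // false across IP families
		if r.dev != tunnelDev && r.dst.Bits() >= cover && overlaps {
			return fmt.Errorf("%s: route %s dev %s is at least as specific as the /%d tunnel route and bypasses it", n, r.dst, r.dev, cover)
		}
	}
	return nil
}

// checkRoutes returns one finding per shoot network that is not reached through tunnelDev.
func checkRoutes(out, tunnelDev string, shootNets []netip.Prefix) ([]string, error) {
	routes, err := parseRoutes(out)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, n := range shootNets {
		if err := checkShootNetwork(routes, tunnelDev, n.Masked()); err != nil {
			findings = append(findings, err.Error())
		}
	}
	return findings, nil
}

// Constructed sample data (assumptions, not taken from a real Gardener setup).
const sampleTunnelDev = "tun0"
var shootNets = []netip.Prefix{ // node, pod and service network
	netip.MustParsePrefix("10.250.0.0/16"), netip.MustParsePrefix("10.1.0.0/16"), netip.MustParsePrefix("100.64.0.0/13"),
}

// beforeTable: pod and service networks use the tunnel, but the node network falls
// through to the default route and is reached directly, which is what the PR fixes.
const beforeTable = `default via 172.18.0.1 dev eth0
172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.5
192.168.123.0/24 dev tun0 proto kernel scope link src 192.168.123.6
10.1.0.0/16 via 192.168.123.1 dev tun0
100.64.0.0/13 via 192.168.123.1 dev tun0
`
// afterTable: the node network has a tunnel route as well.
const afterTable = beforeTable + "10.250.0.0/16 via 192.168.123.1 dev tun0\n"

func main() {
	for _, table := range []string{beforeTable, afterTable} {
		fmt.Println(checkRoutes(table, sampleTunnelDev, shootNets))
	}
}
```

Run against a live pod by replacing the constants with the output of `ip route show` (and `ip -6 route show` for the IPv6 case) and the shoot's actual CIDRs; a non-empty result means some destination inside a shoot network would leave the pod without entering the tunnel, which is exactly the situation in which gardenlet's tunnel health check would not notice a broken tunnel.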