Gardener

Appearance

Referenced Resources

Shoots, Seeds and Gardens can include a list of resources (usually secrets) that can be referenced by name in the extension providerConfig and other Shoot sections, for example:

yaml
kind: Shoot
apiVersion: core.gardener.cloud/v1beta1
metadata:
  name: crazy-botany
  namespace: garden-dev
  ...
spec:
  ...
  extensions:
  - type: foobar
    providerConfig:
      apiVersion: foobar.extensions.gardener.cloud/v1alpha1
      kind: FooBarConfig
      foo: bar
      secretRef: foobar-secret
  resources:
  - name: foobar-secret
    resourceRef:
      apiVersion: v1
      kind: Secret
      name: my-foobar-secret

Gardener expects these referenced resources to be located in the project namespace (e.g., garden-dev) for Shoots and in the garden namespace for Seeds and Gardens. In the case of Secrets and ConfigMaps, the Seed resources are copied to the garden namespace in the seed cluster, while Shoot resources are copied to the control-plane namespace of the shoot cluster. When the referenced resource is of kind WorkloadIdentity, a Kubernetes secret with the workload identity config and token data is provisioned in the seed cluster, respectively in the garden namespace for Seed resources and in the control plane namespace for Shoot resources. Gardens are not allowed to refer to WorkloadIdentity because they are not available in the Runtime cluster. To avoid conflicts with other resources in the shoot, all resources in the seed are prefixed with a static value. And to avoid conflict between referenced Secret and WorkloadIdentity, the workload identity secret is using own prefix.

Extension controllers can resolve the references to these resources by accessing the Shoot via the Cluster resource. To properly read a referenced resources, extension controllers should use the utility function GetObjectByReference from the extensions/pkg/controller package, for example:

go
    ...
    ref = &autoscalingv1.CrossVersionObjectReference{
        APIVersion: "v1",
        Kind:       "Secret",
        Name:       "foo",
    }
    secret := &corev1.Secret{}
    if err := controller.GetObjectByReference(ctx, client, ref, "shoot--test--foo", secret); err != nil {
        return err
    }
    // Use secret
    ...
EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

Referenced Resources | Gardener is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.
Terms of Use|Privacy Statement|Legal Disclosure