Skip to main content

metal-stack v0.22.0 ๐ŸŽƒ

ยท 7 min read
Gerrit Schwerthelm
Gerrit Schwerthelm
Maintainer @ x-cellent technologies GmbH

This release has come a long way, and it's finally here. In this version of metal-stack, we expect all users with an existing Gardener integration to migrate to the Gardener Operator. This blog article briefly describes how this can be done and what other changes are included in this release.

Check out the direct link to the release here.

Gardener Operatorโ€‹

With the introduction of the Gardener Operator, the Gardener Project has started to provide a standardized way to deploy and manage Gardener installations for the community. It comes with a lot of beneficial traits allowing high-availability of the Virtual Garden (no downtime during updates anymore), provisioning extensions through OCI artifacts and enforced kubeconfig secret rotation such that there is no static admin kubeconfig anymore, etc.

Historically, metal-stack shipped with an own approach for deploying the Gardener through the metal-roles based on Ansible. It utilized the upstream helm charts for the Gardener Control Plane and a self-managed Virtual Garden Helm chart (which was based on the garden-setup repository). Luckily, some of these charts are now obsolete, minimizing the maintenance burden, and it's sufficient to rely on a single Helm chart during the deployment: The one that sets up the Gardener Operator. So, we still ship the Ansible roles but with a new set of Ansible roles that are using Gardener Operator resources to install the Gardener.

In general, the migration path that we use is described here. The idea is to restore the data of the Virtual Garden from the backup, re-registering the existing Gardenlets and migrating the shooted seeds to a new Gardenlet. As the migration of existing production setups can be pretty complex, please reach out to us at our Slack Community. We're here to help if necessary.

After this release, we will try to catch up with the most recent Gardener releases again in order to be able to provide K8s 1.33 support soon.

Cluster API Integrationโ€‹

Another big aspect of this release are extended integration tests for the cluster-api-provider-metal-stack. The tests are running in the big integration suite hosted at the FI-TS, ensuring compatibility with our metal-stack components for every release from now on. This makes Cluster API an integral part for providing Kubernetes on metal-stack for users that do not rely on the Gardener integration.

The release adds new OS images on images.metal-stack.io that include expected components for Cluster API bootstrapping like kubeadm.

The tests for the provider are based on the official e2e framework. For now, they only include cluster creation tests. In the following releases we will work on extending the test cases and we are also planning to run CNCF conformance tests against CAPI clusters, too.

SBOMs for Release Artifactsโ€‹

In order to provide a common basis for identifying software vulnerabilities, all our release artifacts consistently contain an SPDX-formatted software bill of material now. Usually, we embed the SBOM directly into the container artifacts using Buildx. Please note that these SBOMs are also available for the OS images of metal-stack.

Using these artifacts for CVE scanning can be done pretty easily. Please find examples for this in our documentation on metal-stack.io/docs.

This task was mainly driven by @mac641. Kudos to him!

MEP-4 in Alpha Stageโ€‹

MEP-4 is definitely the longest running enhancement proposal that we have ever worked on. It finally makes it to the alpha stage and is soon to be expected to become GA. It contains an entire update of the metal-stack API, deprecating the Swagger-based REST API and replacing it with protobuf and ConnectRPC.

The project that implements our V2 API definition is called the metal-apiserver. The implementation is capable of creating API tokens with fine-grained access permissions, such that technical components can access the metal-stack API with minimum access privileges and without the possibility to reach into unintended project and tenant scopes.

In addition to that, the network business layer was completely modernized, such that it will be possible to set up namespaced networks for allocating IP addresses, creating super networks (scoped and unscoped) instead of just having a single super network for a partition, and more.

Also, the metal-apiserver drops the dependency on NSQ and will instead use valkey to introduce asynchronous task queueing for the implementation of more complex endpoints.

The metal-apiserver is already deployed in mini-lab by default. You can access it using the metalctlv2 CLI. There are also first Ansible modules available using the fairly new and awesome connect-python project for implementation.

We will keep you informed on the development progress. If you want to contribute thoughts to the new API you may want to visit our public planning meetings and discuss ideas together with us.

Improvements on SONiC Integrationโ€‹

A lot of work from our contributor @iljarotar was put into improving and stabilizing SONiC switches over the course of this year. The deployment now follows a completely new approach using a generator to provide a config_db.json.

In case you still use the sonic role we advise operators to migrate to the sonic-config, which utilizes the generator for the switch configuration.

Another important step was made in the mini-lab, which now allows spinning up the lab with different versions of SONiC. In our integration tests we can also ensure support for Enterprise SONiC now. We're aiming for more sophisticated testing of different flavors of SONiC to suit more real-world scenarios.

Gardener Ontap Extensionโ€‹

As another storage solutation in Gardener setups, we included beta integration for NetApp ONTAP storage. This integration is provided by a dedicated Gardener extension, which is called gardener-extension-ontap.

The person who made this possible is @honigeintopf and we'd like to thank him for the huge amount of efforts that went into this extension.

More Informationโ€‹

Please check out the release notes to find a full overview over every change that went part of this release.

As always, feel free to visit our Slack channel and ask if there are any questions. ๐Ÿ˜„