Drop KonnectivityTunnel feature gate (gardener#4247)

* Drop KonnectivityTunnel feature gate

* Update GEP11 metadata

charts/images.yaml

@@ -90,10 +90,6 @@ images:
   sourceRepository: github.com/gardener/vpn2
   repository: eu.gcr.io/gardener-project/gardener/vpn-seed-server
   tag: "0.4.0"
-- name: konnectivity-server
-  sourceRepository: github.com/gardener/replica-reloader
-  repository: eu.gcr.io/gardener-project/gardener/replica-reloader
-  tag: "v0.2.0-konnectivity-server-v0.0.15"
 
 # Monitoring
 - name: alertmanager
@@ -138,10 +134,6 @@ images:
   sourceRepository: github.com/gardener/vpn2
   repository: eu.gcr.io/gardener-project/gardener/vpn-shoot-client
   tag: "0.4.0"
-- name: konnectivity-agent
-  sourceRepository: github.com/kubernetes-sigs/apiserver-network-proxy
-  repository: k8s.gcr.io/kas-network-proxy/proxy-agent
-  tag: "v0.0.15"
 - name: coredns
   sourceRepository: github.com/coredns/coredns
   repository: coredns/coredns

charts/seed-controlplane/charts/kube-apiserver/templates/configmap-egress-selection.yaml

@@ -1,37 +1,3 @@
-{{- if .Values.konnectivityTunnel.enabled }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kube-apiserver-egress-selector-configuration
-  namespace: {{.Release.Namespace}}
-data:
-  egress-selector-configuration.yaml: |-
-    apiVersion: apiserver.k8s.io/v1alpha1
-    kind: EgressSelectorConfiguration
-    egressSelections:
-    - name: cluster
-      connection:
-        proxyProtocol: HTTPConnect
-        transport:
-          {{- if .Values.sni.enabled }}
-          tcp:
-            url: https://konnectivity-server:9443
-            tlsConfig:
-              caBundle: /srv/kubernetes/ca/ca.crt
-              clientCert: /etc/srv/kubernetes/konnectivity-server-client-tls/tls.crt
-              clientKey: /etc/srv/kubernetes/konnectivity-server-client-tls/tls.key
-          {{- else }}
-          uds:
-            udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
-          {{- end }}
-    - name: {{ if semverCompare "< 1.20" .Values.kubernetesVersion }}master{{ else }}controlplane{{ end }}
-      connection:
-        proxyProtocol: Direct
-    - name: etcd
-      connection:
-        proxyProtocol: Direct
-{{- end }}
 {{- if .Values.reversedVPN.enabled }}
 ---
 apiVersion: v1

charts/seed-controlplane/charts/kube-apiserver/templates/deployment.yaml

@@ -34,7 +34,7 @@ spec:
         checksum/configmap-audit-policy: {{ include (print $.Template.BasePath "/configmap-audit-policy.yaml") . | sha256sum }}
         checksum/secret-oidc-cabundle: {{ include (print $.Template.BasePath "/secret-oidc-ca.yaml") . | sha256sum }}
         checksum/configmap-admission-config: {{ include (print $.Template.BasePath "/configmap-admission-config.yaml") . | sha256sum }}
-        {{- if or .Values.konnectivityTunnel.enabled .Values.reversedVPN.enabled }}
+        {{- if .Values.reversedVPN.enabled }}
         checksum/egress-selection-config: {{ include (print $.Template.BasePath "/configmap-egress-selection.yaml") . | sha256sum }}
         {{- end}}
 {{- if .Values.podAnnotations }}
@@ -51,9 +51,6 @@ spec:
         networking.gardener.cloud/to-shoot-networks: allowed
         networking.gardener.cloud/from-prometheus: allowed
     spec:
-      {{- if and .Values.konnectivityTunnel.enabled (not .Values.sni.enabled) }}
-      serviceAccountName: kube-apiserver
-      {{- end }}
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -71,7 +68,7 @@ spec:
                     values:
                     - apiserver
       priorityClassName: {{ .Values.priorityClassName }}
-      {{- if and (not .Values.konnectivityTunnel.enabled) (not .Values.reversedVPN.enabled)}}
+      {{- if (not .Values.reversedVPN.enabled) }}
       initContainers:
       - name: set-iptable-rules
         image: {{ index .Values.images "alpine-iptables" }}
@@ -96,7 +93,7 @@ spec:
         {{- else }}
         - /usr/local/bin/kube-apiserver
         {{- end }}
-        {{- if or .Values.konnectivityTunnel.enabled .Values.reversedVPN.enabled }}
+        {{- if .Values.reversedVPN.enabled }}
         - --egress-selector-config-file=/etc/kubernetes/egress/egress-selector-configuration.yaml
         {{- end}}
         - --enable-admission-plugins={{ include "kube-apiserver.admissionPlugins" . | trimSuffix "," }}
@@ -226,18 +223,6 @@ spec:
         - name: egress-selection-config
           mountPath: /etc/kubernetes/egress
         {{- end }}
-        {{- if .Values.konnectivityTunnel.enabled }}
-        - name: egress-selection-config
-          mountPath: /etc/kubernetes/egress
-        {{- if .Values.sni.enabled }}
-        - name: konnectivity-server-client-tls
-          mountPath: /etc/srv/kubernetes/konnectivity-server-client-tls
-        {{- else }}
-        - name: konnectivity-uds
-          mountPath: /etc/srv/kubernetes/konnectivity-server
-          readOnly: false
-        {{- end }}
-        {{- end }}
         - name: audit-policy-config
           mountPath: /etc/kubernetes/audit
         - name: ca
@@ -333,65 +318,7 @@ spec:
         - name: kube-apiserver
           mountPath: /srv/kubernetes/apiserver
       {{- end }}
-      {{- if and .Values.konnectivityTunnel.enabled (not .Values.sni.enabled ) }}
-      - name: konnectivity-server
-        image: {{ index .Values.images "konnectivity-server" }}
-        command:
-        - /replica-reloader
-        args:
-        - --namespace={{ .Release.Namespace }}
-        - --deployment-name=kube-apiserver
-        - --jitter=10s
-        - --jitter-factor=5
-        - --v=2
-        - --
-        - /proxy-server
-        - --uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket
-        - --logtostderr=true
-        - --cluster-cert=/certs/konnectivity-server/konnectivity-server.crt
-        - --cluster-key=/certs/konnectivity-server/konnectivity-server.key
-        - --agent-namespace={{ .Values.konnectivityTunnel.agentNamespace }}
-        - --agent-service-account=konnectivity-agent
-        - --kubeconfig=/etc/srv/kubernetes/konnectivity-server-kubeconfig/kubeconfig
-        - --authentication-audience=system:konnectivity-server
-        - --keepalive-time=1h
-        - --log-file-max-size=0
-        - --delete-existing-uds-file=true
-        - --mode=http-connect
-        # the server port should always be 0 when using UDS
-        - --server-port=0
-        - --agent-port={{ .Values.konnectivityTunnel.agentPort }}
-        - --admin-port={{ .Values.konnectivityTunnel.adminPort }}
-        - --health-port={{ .Values.konnectivityTunnel.healthPort }}
-        - --v=2
-        # the last argument should be server-count - the reloader injects the actual count after it
-        - --server-count
-        resources:
-{{ toYaml .Values.konnectivityTunnelResources | indent 10 }}
-        livenessProbe:
-          httpGet:
-            scheme: HTTP
-            port: {{ .Values.konnectivityTunnel.healthPort }}
-            path: /healthz
-          initialDelaySeconds: 30
-          timeoutSeconds: 60
-        ports:
-        - name: agentport
-          containerPort: {{ .Values.konnectivityTunnel.agentPort }}
-        - name: adminport
-          containerPort: {{ .Values.konnectivityTunnel.adminPort }}
-        - name: healthport
-          containerPort: {{ .Values.konnectivityTunnel.healthPort }}
-        volumeMounts:
-        - name: konnectivity-server-certs
-          mountPath: /certs/konnectivity-server
-          readOnly: true
-        - name: konnectivity-server-kubeconfig
-          mountPath: /etc/srv/kubernetes/konnectivity-server-kubeconfig
-        - name: konnectivity-uds
-          mountPath: /etc/srv/kubernetes/konnectivity-server
-          readOnly: false
-      {{- else if and (not .Values.konnectivityTunnel.enabled) (not .Values.reversedVPN.enabled) }}
+      {{- if (not .Values.reversedVPN.enabled) }}
       - name: vpn-seed
         image: {{ index .Values.images "vpn-seed" }}
         imagePullPolicy: IfNotPresent
@@ -496,25 +423,7 @@ spec:
       - name: kube-apiserver-admission-config
         configMap:
           name: kube-apiserver-admission-config
-      {{- if .Values.konnectivityTunnel.enabled }}
-      - name: egress-selection-config
-        configMap:
-          name: kube-apiserver-egress-selector-configuration
-      {{- if .Values.sni.enabled }}
-      - name: konnectivity-server-client-tls
-        secret:
-          secretName: konnectivity-server-client-tls
-      {{- else }}
-      - name: konnectivity-server-certs
-        secret:
-          secretName: konnectivity-server
-      - name: konnectivity-server-kubeconfig
-        secret:
-          secretName: konnectivity-server-kubeconfig
-      - name: konnectivity-uds
-        emptyDir: {}
-      {{- end }}
-      {{- else if .Values.reversedVPN.enabled }}
+      {{- if .Values.reversedVPN.enabled }}
       - name: egress-selection-config
         configMap:
           name: kube-apiserver-egress-selector-configuration

charts/seed-controlplane/charts/kube-apiserver/templates/networkpolicy-allow-kube-apiserver-policy.yaml

@@ -23,25 +23,6 @@ spec:
     ports:
     - protocol: TCP
       port: {{ .Values.etcdServicePort }}
-  {{- if .Values.konnectivityTunnel.enabled }}
-  - to:
-    - podSelector:
-        matchLabels:
-  {{- if .Values.sni.enabled }}
-          # Allow connections from the apiserver pod to the konnectivity-server.
-          app: konnectivity-server
-    ports:
-    - protocol: TCP
-      port: {{ required ".konnectivityTunnel.serverPort is required" .Values.konnectivityTunnel.serverPort }}
-  {{- else }}
-          # Allow connections from the apiserver pod to itself (i.e., konnectivity-server to apiserver)
-          role: apiserver
-          garden.sapcloud.io/role: controlplane
-    ports:
-    - protocol: TCP
-      port: {{ required ".securePort is required" .Values.securePort }}
-  {{- end }}
-  {{- end }}
   {{- if .Values.reversedVPN.enabled }}
   - to:
     - podSelector:
@@ -63,23 +44,12 @@ spec:
     ports:
     - protocol: TCP
       port: {{ required ".securePort is required" .Values.securePort }}
-    {{- if and .Values.konnectivityTunnel.enabled (not .Values.sni.enabled) }}
-    - protocol: TCP
-      port: {{ required ".konnectivityTunnel.agentPort is required" .Values.konnectivityTunnel.agentPort }}
-    {{- end }}
   - from:
     - podSelector:
         matchLabels:
           app: prometheus
           garden.sapcloud.io/role: monitoring
           role: monitoring
-    {{- if and .Values.konnectivityTunnel.enabled (not .Values.sni.enabled) }}
-    # Allow connections from the apiserver pod to itself (i.e., konnectivity-server to apiserver)
-    - podSelector:
-        matchLabels:
-          role: apiserver
-          garden.sapcloud.io/role: controlplane
-    {{- end}}
     ports:
     - protocol: TCP
       port: {{ required ".blackboxExporterPort is required" .Values.blackboxExporterPort }}

charts/seed-controlplane/charts/kube-apiserver/values.yaml

@@ -2,13 +2,6 @@ replicas: 1
 kubernetesVersion: 1.15.2
 priorityClassName: foo
 securePort: 443
-konnectivityTunnel:
-  enabled: false
-  serverPort: 0
-  agentPort: 8132
-  adminPort: 8133
-  healthPort: 8134
-  agentNamespace: kube-system
 probeCredentials: base64(user:pass)
 shootNetworks:
   services: 10.0.1.0/24
@@ -62,7 +55,6 @@ admissionPlugins:
 images:
   kube-apiserver: image-repository
   vpn-seed: image-repository:image-tag
-  konnectivity-server: image-repository:image-tag
   apiserver-proxy-pod-webhook: image-repository:image-tag
 
 blackboxExporterPort: 9115
@@ -84,14 +76,6 @@ apiServerResources:
     cpu: 800m
     memory: 900M
 
-konnectivityTunnelResources:
-    requests:
-      cpu: 50m
-      memory: 128Mi
-    limits:
-      cpu: 200m
-      memory: 500M
-
 podMutatorResources:
   requests:
     cpu: 50m

charts/seed-monitoring/charts/core/charts/prometheus/rules/networking.rules.yaml

@@ -12,9 +12,3 @@ groups:
 
   - record: shoot:container_network_receive_bytes_total_vpn:sum
     expr: sum(rate(container_network_receive_bytes_total{pod=~"vpn-shoot(.+)"}[10m]))
-
-  - record: shoot:container_network_transmit_bytes_total_konnectivity:sum
-    expr: sum(rate(container_network_transmit_bytes_total{pod=~"konnectivity-agent(.+)"}[10m]))
-
-  - record: shoot:container_network_receive_bytes_total_konnectivity:sum
-    expr: sum(rate(container_network_receive_bytes_total{pod=~"konnectivity-agent(.+)"}[10m]))

charts/seed-monitoring/charts/core/charts/prometheus/templates/config.yaml

@@ -481,7 +481,7 @@ data:
         action: drop
 {{- end }}
 
-    # Fetch logs of the tunnel pod (vpn-shoot or konnectivity-agent) via the kube-apiserver, which requires a functional tunnel connection.
+    # Fetch logs of the tunnel pod (vpn-shoot) via the kube-apiserver, which requires a functional tunnel connection.
     - job_name: tunnel-probe-apiserver-proxy
       honor_labels: false
       metrics_path: /probe
@@ -498,15 +498,9 @@ data:
       relabel_configs:
       - target_label: type
         replacement: seed
-    {{- if .Values.konnectivityTunnel.enabled }}
-      - source_labels: [ __meta_kubernetes_pod_name ]
-        action: keep
-        regex: konnectivity-agent-(.+)
-    {{- else }}
       - source_labels: [ __meta_kubernetes_pod_name ]
         action: keep
         regex: vpn-shoot-(.+)
-    {{- end }}
       - source_labels: [ __meta_kubernetes_pod_name ]
         target_label: __param_target
         regex: (.+)