From 07e7e0e748696788f4fa34046d6c61262a53c000 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Wed, 27 Nov 2024 16:20:41 +0100 Subject: [PATCH 01/47] Added extender taking DNS config from the shoot --- hack/runtime-migrator/cmd/migration.go | 1 - .../internal/runtime/verifier.go | 1 + hack/shoot-comparator/pkg/shoot/matcher.go | 5 +++-- .../runtime/fsm/runtime_fsm_patch_shoot.go | 1 + pkg/gardener/shoot/converter.go | 5 +++++ pkg/gardener/shoot/extender/dns.go | 20 +++++++++++++++++++ 6 files changed, 30 insertions(+), 3 deletions(-) diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index b8266813..7c454857 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -16,7 +16,6 @@ import ( "github.com/kyma-project/infrastructure-manager/pkg/config" "github.com/kyma-project/infrastructure-manager/pkg/gardener/kubeconfig" "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" - "github.com/pkg/errors" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "sigs.k8s.io/controller-runtime/pkg/client" ) diff --git a/hack/runtime-migrator/internal/runtime/verifier.go b/hack/runtime-migrator/internal/runtime/verifier.go index af3e40b0..1d7e8f84 100644 --- a/hack/runtime-migrator/internal/runtime/verifier.go +++ b/hack/runtime-migrator/internal/runtime/verifier.go @@ -70,6 +70,7 @@ func (v Verifier) newConverter(shootToMatch v1beta1.Shoot) (gardener_shoot.Conve ConverterConfig: v.converterConfig, AuditLogData: auditLogData, Zones: getZones(shootToMatch.Spec.Provider.Workers), + Extensions: shootToMatch.Spec.Extensions, }), nil } diff --git a/hack/shoot-comparator/pkg/shoot/matcher.go b/hack/shoot-comparator/pkg/shoot/matcher.go index e90105df..908e93ed 100644 --- a/hack/shoot-comparator/pkg/shoot/matcher.go +++ b/hack/shoot-comparator/pkg/shoot/matcher.go 
@@ -2,6 +2,7 @@ package shoot import ( "fmt" + "github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/runtime" "reflect" "strings" @@ -80,7 +81,7 @@ func (m *Matcher) Match(actual interface{}) (success bool, err error) { path: "metadata/namespace", }, { - GomegaMatcher: gstruct.MatchElements(idExtension, gstruct.IgnoreMissing, extensions(shootToMatch.Spec.Extensions)), + GomegaMatcher: gstruct.MatchElements(idExtension, gstruct.AllowDuplicates, extensions(shootToMatch.Spec.Extensions)), actual: shootActual.Spec.Extensions, path: "spec/extensions", }, @@ -393,7 +394,7 @@ func extensions(es []v1beta1.Extension) gstruct.Elements { ID := idExtension(e) out[ID] = gstruct.MatchAllFields(gstruct.Fields{ "Type": gomega.BeComparableTo(e.Type), - "ProviderConfig": newProviderCfgMatcher(e.Type, e.ProviderConfig), + "ProviderConfig": runtime.NewRawExtensionMatcher(e.ProviderConfig), "Disabled": gomega.BeComparableTo(e.Disabled), }) } diff --git a/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go b/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go index 664109ab..ff5ade32 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go +++ b/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go @@ -45,6 +45,7 @@ func sFnPatchExistingShoot(ctx context.Context, m *fsm, s *systemState) (stateFn ShootK8SVersion: s.shoot.Spec.Kubernetes.Version, ShootImageName: imgName, ShootImageVersion: imgVersion, + Extensions: s.shoot.Spec.Extensions, }) if err != nil { diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index f0ce449d..0d0f553e 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -52,6 +52,7 @@ type PatchOpts struct { ShootK8SVersion string ShootImageName string ShootImageVersion string + Extensions []gardener.Extension } func NewConverterCreate(opts CreateOpts) Converter { 
@@ -94,6 +95,10 @@ func NewConverterPatch(opts PatchOpts) Converter { opts.ShootImageVersion, opts.Zones)) + baseExtenders = append(baseExtenders, + extender2.NewDNSExtenderFromShoot(opts.Extensions), + ) + baseExtenders = append(baseExtenders, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index 75b494a0..ff70488b 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -73,6 +73,26 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten } } +func NewDNSExtenderFromShoot(extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + + return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + dnsExtension := func() *gardener.Extension { + for _, extension := range extensions { + if extension.Type == "shoot-dns-service" { + return &extension + } + } + return nil + }() + + if dnsExtension != nil { + shoot.Spec.Extensions = append(shoot.Spec.Extensions, *dnsExtension) + } + + return nil + } +} + func NewDNSExtender(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { domain := fmt.Sprintf("%s.%s", runtime.Spec.Shoot.Name, domainPrefix) From 86436ce5af24d37cc34a7742a04a02ac1c62db8c Mon Sep 17 00:00:00 2001 From: m00g3n Date: Thu, 28 Nov 2024 12:48:01 +0100 Subject: [PATCH 02/47] fix shoot extensions matching --- hack/shoot-comparator/pkg/shoot/matcher.go | 5 ++-- .../pkg/shoot/matcher_test.go | 26 ------------------- 2 files changed, 3 insertions(+), 28 deletions(-) diff --git a/hack/shoot-comparator/pkg/shoot/matcher.go b/hack/shoot-comparator/pkg/shoot/matcher.go index 908e93ed..a3566fda 100644 --- a/hack/shoot-comparator/pkg/shoot/matcher.go +++ b/hack/shoot-comparator/pkg/shoot/matcher.go 
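Review bot: `NewDNSExtenderFromShoot` appends the `shoot-dns-service` entry it finds in `extensions` to `shoot.Spec.Extensions` without checking whether an earlier extender already placed one of that type there, so the patch path can end up with two DNS extensions on one shoot; a scan before the append, `for _, e := range shoot.Spec.Extensions { if e.Type == dnsExtension.Type { return nil } }`, keeps the spec single-valued. Unlike `NewDNSExtender` below, which appears to also set the domain and the `spec.resources` secret reference that the create test checks, this extender carries over only the extension and its raw `ProviderConfig`, so if the converted shoot were ever applied as a full spec the DNS secret binding would be lost — a doc comment such as `// NewDNSExtenderFromShoot copies the shoot-dns-service extension of the existing shoot onto the shoot being built; it deliberately leaves Spec.DNS and Spec.Resources to the patch merge.` would make that contract explicit. The literal `"shoot-dns-service"` is also spelled in the comparator; a package constant alongside `OidcExtensionType` would keep the two in step.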
@@ -2,10 +2,11 @@ package shoot import ( "fmt" - "github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/runtime" "reflect" "strings" + "github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/runtime" + "github.com/gardener/gardener/pkg/apis/core/v1beta1" "github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/errors" "github.com/onsi/gomega" @@ -81,7 +82,7 @@ func (m *Matcher) Match(actual interface{}) (success bool, err error) { path: "metadata/namespace", }, { - GomegaMatcher: gstruct.MatchElements(idExtension, gstruct.AllowDuplicates, extensions(shootToMatch.Spec.Extensions)), + GomegaMatcher: gstruct.MatchElements(idExtension, gstruct.IgnoreMissing, extensions(shootToMatch.Spec.Extensions)), actual: shootActual.Spec.Extensions, path: "spec/extensions", }, diff --git a/hack/shoot-comparator/pkg/shoot/matcher_test.go b/hack/shoot-comparator/pkg/shoot/matcher_test.go index 86220456..9a9f56ec 100644 --- a/hack/shoot-comparator/pkg/shoot/matcher_test.go +++ b/hack/shoot-comparator/pkg/shoot/matcher_test.go 
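Review bot: With `gstruct.IgnoreMissing` the `spec/extensions` comparison appears to pass when an extension listed in the shoot to match is absent from the actual shoot, so a migrated shoot that lost its `shoot-oidc-service` or `shoot-dns-service` entry would not be reported as a difference. If that tolerance is intended (this commit reverts the `AllowDuplicates` experiment rather than arguing for the option), record it on the matcher line, e.g. `// IgnoreMissing: extensions absent from the actual shoot are tolerated; extension drift is checked elsewhere`; if it is not, `gstruct.IgnoreExtras` is the option that tolerates additional extensions in the actual shoot while still flagging missing ones. `Match` begins and ends outside the hunk.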
@@ -934,32 +934,6 @@ var _ = Describe(":: shoot matcher :: ", func() { })), true, ), - Entry( - "should find no differences in spec/extensions #2", - deepCp(empty, withShootSpec(v1beta1.ShootSpec{ - Extensions: []v1beta1.Extension{ - { - Type: "shoot-dns-service", - Disabled: ptr.To[bool](true), - ProviderConfig: &runtime.RawExtension{ - Raw: []byte("{\"apiVersion\":\"service.dns.extensions.gardener.cloud/v1alpha1\",\"kind\":\"DNSConfig\",\"dnsProviderReplication\":{\"enabled\":true},\"providers\":[{\"domains\":{\"include\":[\"a50de45.dev.kyma.ondemand.com\"]},\"secretName\":\"route53-secret-dev\",\"type\":\"aws-route53\"}],\"syncProvidersFromShootSpecDNS\":true}"), - }, - }, - }, - })), - deepCp(empty, withShootSpec(v1beta1.ShootSpec{ - Extensions: []v1beta1.Extension{ - { - Type: "shoot-dns-service", - Disabled: ptr.To[bool](true), - ProviderConfig: &runtime.RawExtension{ - Raw: []byte("{\"apiVersion\":\"service.dns.extensions.gardener.cloud/v1alpha1\",\"kind\":\"DNSConfig\",\"dnsProviderReplication\":{\"enabled\":true},\"providers\":[{\"domains\":{\"include\":[\"a50de45.dev.kyma.ondemand.com\"]},\"secretName\":\"xxx-route53-secret-dev\",\"type\":\"aws-route53\"}],\"syncProvidersFromShootSpecDNS\":true}"), - }, - }, - }, - })), - true, - ), Entry( "should find no differences in spec/extensions #3", deepCp(empty, withShootSpec(v1beta1.ShootSpec{ From a03a67a16dbe7b69d72fe536a65aa114d8eb537a Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 13:03:04 +0100 Subject: [PATCH 03/47] Added OIDC extender for update scenario --- pkg/gardener/shoot/converter.go | 3 ++- pkg/gardener/shoot/extender/oidc.go | 32 +++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 0d0f553e..8feeb153 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go 
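Review bot: The deleted `#2` entry was the only case where two `shoot-dns-service` configs differ solely in `secretName` (`route53-secret-dev` versus `xxx-route53-secret-dev`), and its expectation of `true` is precisely what the switch to `runtime.NewRawExtensionMatcher` invalidates; rather than dropping it, keep the entry, rename it `"should find differences in spec/extensions when DNS secretName differs"` and flip the expected result to `false`, so the suite proves that a mismatched DNS secret reference is now reported. A matcher that silently equated two different secret references is exactly the regression this case would guard against. The enclosing `Describe` block starts and ends outside the hunk.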
@@ -18,7 +18,6 @@ func baseExtenders(cfg config.ConverterConfig) []Extend { extender2.ExtendWithAnnotations, extender2.ExtendWithLabels, extender2.ExtendWithSeedSelector, - extender2.NewOidcExtender(cfg.Kubernetes.DefaultOperatorOidc), extender2.ExtendWithCloudProfile, extender2.ExtendWithNetworkFilter, extender2.ExtendWithCertConfig, @@ -67,6 +66,7 @@ func NewConverterCreate(opts CreateOpts) Converter { baseExtenders = append(baseExtenders, extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), + extender2.NewOidcExtender(opts.Kubernetes.DefaultOperatorOidc), ) baseExtenders = append(baseExtenders, @@ -97,6 +97,7 @@ func NewConverterPatch(opts PatchOpts) Converter { baseExtenders = append(baseExtenders, extender2.NewDNSExtenderFromShoot(opts.Extensions), + extender2.NewOidcExtenderFromShoot(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), ) baseExtenders = append(baseExtenders, diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index 0b1e2759..c81890ba 100644 --- a/pkg/gardener/shoot/extender/oidc.go +++ b/pkg/gardener/shoot/extender/oidc.go 
@@ -15,6 +15,38 @@ func shouldDefaultOidcConfig(config gardener.OIDCConfig) bool { return config.ClientID == nil && config.IssuerURL == nil } +func NewOidcExtenderFromShoot(oidcProvider config.OidcProvider, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + oidcExtension := func() *gardener.Extension { + for _, extension := range extensions { + if extension.Type == "shoot-oidc-service" { + return &extension + } + } + return nil + }() + + if oidcExtension != nil { + shoot.Spec.Extensions = append(shoot.Spec.Extensions, *oidcExtension) + } + + oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig + if shouldDefaultOidcConfig(oidcConfig) { + oidcConfig = gardener.OIDCConfig{ + ClientID: &oidcProvider.ClientID, + GroupsClaim: &oidcProvider.GroupsClaim, + IssuerURL: &oidcProvider.IssuerURL, + SigningAlgs: oidcProvider.SigningAlgs, + UsernameClaim: &oidcProvider.UsernameClaim, + UsernamePrefix: &oidcProvider.UsernamePrefix, + } + } + setKubeAPIServerOIDCConfig(shoot, oidcConfig) + + return nil + } +} + func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { if CanEnableExtension(runtime) { From 9f6daa63772fc35e6d2a0e70f977deee3ecaae05 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 14:22:59 +0100 Subject: [PATCH 04/47] Fixes for oidc --- .../runtime/fsm/runtime_fsm_configure_oidc.go | 16 ++++++++ .../fsm/runtime_fsm_configure_oidc_test.go | 39 +++++++++++++++++++ pkg/gardener/shoot/extender/oidc.go | 8 +--- pkg/gardener/shoot/extender/oidc_test.go | 5 --- 4 files changed, 56 insertions(+), 12 deletions(-) diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go index fa7b140a..e6112e52 100644 
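Review bot: `NewOidcExtenderFromShoot` matches on the string literal `"shoot-oidc-service"` while `setOIDCExtension` further down the same file uses the `OidcExtensionType` constant for that value; comparing against `OidcExtensionType` removes a second spelling that must be kept in sync. The found extension is appended to `shoot.Spec.Extensions` with no check for an entry of that type already present, so a duplicate is possible if any earlier extender adds one; a short type-scan before the append avoids it. When no extension is found the closure still writes `oidcConfig` to the kube-apiserver section, falling back to the operator defaults — if that is deliberate for shoots without the OIDC extension, say so inline, e.g. `// kube-apiserver OIDC is configured whether or not the shoot-oidc-service extension is present`. The exported function also needs a doc comment.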
--- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go @@ -28,6 +28,18 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct return switchState(sFnApplyClusterRoleBindings) } + if !multiOidcSupported(s.instance) { + // New OIDC functionality is supported only for new clusters + m.log.Info("Multi OIDC is not supported for migrated runtimes") + s.instance.UpdateStatePending( + imv1.ConditionTypeOidcConfigured, + imv1.ConditionReasonOidcConfigured, + "True", + "Multi OIDC not supported for migrated runtimes", + ) + return switchState(sFnApplyClusterRoleBindings) + } + defaultAdditionalOidcIfNotPresent(&s.instance, m.RCCfg) err := recreateOpenIDConnectResources(ctx, m, s) @@ -108,6 +120,10 @@ func isOidcExtensionEnabled(shoot gardener.Shoot) bool { return false } +func multiOidcSupported(runtime imv1.Runtime) bool { + return runtime.Labels["operator.kyma-project.io/created-by-migrator"] != "true" +} + func createOpenIDConnectResource(additionalOidcConfig gardener.OIDCConfig, oidcID int) *authenticationv1alpha1.OpenIDConnect { toSupportedSigningAlgs := func(signingAlgs []string) []authenticationv1alpha1.SigningAlgorithm { var supportedSigningAlgs []authenticationv1alpha1.SigningAlgorithm diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc_test.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc_test.go index e74ba1ab..f3e1639c 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc_test.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc_test.go 
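Review bot: `multiOidcSupported` derives a behavioural switch from the `operator.kyma-project.io/created-by-migrator` label on the Runtime object, and labels are freely mutable metadata — any principal with update rights on Runtime objects can remove it and make the controller take the `recreateOpenIDConnectResources` path on a migrated cluster. If the label is the intended contract, state the trust assumption next to the helper, e.g. `// NOTE: set by the migrator and not protected; anyone who can edit Runtime labels can toggle multi-OIDC handling`. The same key is being removed from `extender.CanEnableExtension` in this series, so a single shared constant for the label would stop the string from being spelled in two packages. `sFnConfigureOidc` starts before the first hunk.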
@@ -53,6 +53,45 @@ func TestOidcState(t *testing.T) { assertEqualConditions(t, expectedRuntimeConditions, systemState.instance.Status.Conditions) }) + t.Run("Should switch state to ApplyClusterRoleBindings when multi OIDC support is disabled", func(t *testing.T) { + // given + ctx := context.Background() + fsm := &fsm{} + + runtimeStub := runtimeForTest() + runtimeStub.ObjectMeta.Labels = map[string]string{ + "operator.kyma-project.io/created-by-migrator": "true", + } + + shootStub := shootForTest() + oidcService := gardener.Extension{ + Type: "shoot-oidc-service", + Disabled: ptr.To(false), + } + shootStub.Spec.Extensions = append(shootStub.Spec.Extensions, oidcService) + + systemState := &systemState{ + instance: runtimeStub, + shoot: shootStub, + } + + expectedRuntimeConditions := []metav1.Condition{ + { + Type: string(imv1.ConditionTypeOidcConfigured), + Reason: string(imv1.ConditionReasonOidcConfigured), + Status: "True", + Message: "Multi OIDC not supported for migrated runtimes", + }, + } + + // when + stateFn, _, _ := sFnConfigureOidc(ctx, fsm, systemState) + + // then + require.Contains(t, stateFn.name(), "sFnApplyClusterRoleBindings") + assertEqualConditions(t, expectedRuntimeConditions, systemState.instance.Status.Conditions) + }) + t.Run("Should configure OIDC using defaults", func(t *testing.T) { // given ctx := context.Background() diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index c81890ba..b2deb8e2 100644 --- a/pkg/gardener/shoot/extender/oidc.go +++ b/pkg/gardener/shoot/extender/oidc.go 
@@ -49,9 +49,7 @@ func NewOidcExtenderFromShoot(oidcProvider config.OidcProvider, extensions []gar func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - if CanEnableExtension(runtime) { - setOIDCExtension(shoot) - } + setOIDCExtension(shoot) oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig if shouldDefaultOidcConfig(oidcConfig) { @@ -70,10 +68,6 @@ func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime } } -func CanEnableExtension(runtime imv1.Runtime) bool { - return runtime.Labels["operator.kyma-project.io/created-by-migrator"] != "true" -} - func setOIDCExtension(shoot *gardener.Shoot) { oidcService := gardener.Extension{ Type: OidcExtensionType, diff --git a/pkg/gardener/shoot/extender/oidc_test.go b/pkg/gardener/shoot/extender/oidc_test.go index 5a749484..c8250126 100644 --- a/pkg/gardener/shoot/extender/oidc_test.go +++ b/pkg/gardener/shoot/extender/oidc_test.go @@ -28,11 +28,6 @@ func TestOidcExtender(t *testing.T) { migratorLabel: map[string]string{migratorLabel: "false"}, expectedOidcExtensionEnabled: true, }, - { - name: "label created-by-migrator unset should configure OIDC", - migratorLabel: nil, - expectedOidcExtensionEnabled: true, - }, } { t.Run(testCase.name, func(t *testing.T) { // given From 0f2e2fad0a70a123c406000b557fdf85cc2b75a9 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 15:25:46 +0100 Subject: [PATCH 05/47] Added unit tests for new extenders --- pkg/gardener/shoot/converter.go | 32 +++--- pkg/gardener/shoot/extender/dns.go | 4 +- pkg/gardener/shoot/extender/dns_test.go | 38 ++++++- pkg/gardener/shoot/extender/oidc.go | 4 +- pkg/gardener/shoot/extender/oidc_test.go | 127 +++++++++++++++-------- 5 files changed, 137 insertions(+), 68 deletions(-) 
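Review bot: `NewOidcExtender` now calls `setOIDCExtension` unconditionally, but this commit only deletes the `label created-by-migrator unset` case from `TestOidcExtender` and leaves the `created-by-migrator=true should not configure OIDC` entry with `expectedOidcExtensionEnabled: false` in place (it is removed only later in the series), so the table contradicts the code at this commit and `go test` would fail here; the table update belongs in the same commit to keep the history bisectable. Dropping `CanEnableExtension` also means the create path adds the OIDC extension for migrated runtimes, which matches the FSM now gating multi-OIDC on its own, but a line such as `// always enabled on create; migrated runtimes are gated in sFnConfigureOidc` on the `setOIDCExtension(shoot)` call would record that decision.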
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 8feeb153..99020d8f 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -55,38 +55,38 @@ type PatchOpts struct { } func NewConverterCreate(opts CreateOpts) Converter { - baseExtenders := baseExtenders(opts.ConverterConfig) + extendersForCreate := baseExtenders(opts.ConverterConfig) - baseExtenders = append(baseExtenders, + extendersForCreate = append(extendersForCreate, extender2.NewProviderExtenderForCreateOperation( opts.Provider.AWS.EnableIMDSv2, opts.MachineImage.DefaultName, opts.MachineImage.DefaultVersion, )) - baseExtenders = append(baseExtenders, - extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), - extender2.NewOidcExtender(opts.Kubernetes.DefaultOperatorOidc), + extendersForCreate = append(extendersForCreate, + extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), + extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), ) - baseExtenders = append(baseExtenders, + extendersForCreate = append(extendersForCreate, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, "")) var zero auditlogs.AuditLogData if opts.AuditLogData != zero { - baseExtenders = append(baseExtenders, + extendersForCreate = append(extendersForCreate, auditlogs.NewAuditlogExtender( opts.AuditLog.PolicyConfigMapName, opts.AuditLogData)) } - return newConverter(opts.ConverterConfig, baseExtenders...) + return newConverter(opts.ConverterConfig, extendersForCreate...) } func NewConverterPatch(opts PatchOpts) Converter { - baseExtenders := baseExtenders(opts.ConverterConfig) + extendersForPatch := baseExtenders(opts.ConverterConfig) - baseExtenders = append(baseExtenders, + extendersForPatch = append(extendersForPatch, extender2.NewProviderExtenderPatchOperation( opts.Provider.AWS.EnableIMDSv2, opts.MachineImage.DefaultName, 
@@ -95,23 +95,23 @@ func NewConverterPatch(opts PatchOpts) Converter { opts.ShootImageVersion, opts.Zones)) - baseExtenders = append(baseExtenders, - extender2.NewDNSExtenderFromShoot(opts.Extensions), - extender2.NewOidcExtenderFromShoot(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), + extendersForPatch = append(extendersForPatch, + extender2.NewDNSExtenderForPatch(opts.Extensions), + extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), ) - baseExtenders = append(baseExtenders, + extendersForPatch = append(extendersForPatch, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) var zero auditlogs.AuditLogData if opts.AuditLogData != zero { - baseExtenders = append(baseExtenders, + extendersForPatch = append(extendersForPatch, auditlogs.NewAuditlogExtender( opts.AuditLog.PolicyConfigMapName, opts.AuditLogData)) } - return newConverter(opts.ConverterConfig, baseExtenders...) + return newConverter(opts.ConverterConfig, extendersForPatch...) } func (c Converter) ToShoot(runtime imv1.Runtime) (gardener.Shoot, error) { diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index ff70488b..6c87c331 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -73,7 +73,7 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten } } -func NewDNSExtenderFromShoot(extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewDNSExtenderForPatch(extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { dnsExtension := func() *gardener.Extension { 
@@ -93,7 +93,7 @@ func NewDNSExtenderFromShoot(extensions []gardener.Extension) func(runtime imv1. } } -func NewDNSExtender(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { domain := fmt.Sprintf("%s.%s", runtime.Spec.Shoot.Name, domainPrefix) isPrimary := true diff --git a/pkg/gardener/shoot/extender/dns_test.go b/pkg/gardener/shoot/extender/dns_test.go index 9bd42963..5215015c 100644 --- a/pkg/gardener/shoot/extender/dns_test.go +++ b/pkg/gardener/shoot/extender/dns_test.go @@ -2,6 +2,7 @@ package extender import ( "encoding/json" + "k8s.io/utils/ptr" "testing" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -13,7 +14,7 @@ import ( ) func TestDNSExtender(t *testing.T) { - t.Run("Create DNS config", func(t *testing.T) { + t.Run("Create DNS config for create scenario", func(t *testing.T) { // given secretName := "my-secret" domainPrefix := "dev.mydomain.com" @@ -25,7 +26,7 @@ func TestDNSExtender(t *testing.T) { }, }, } - extender := NewDNSExtender(secretName, domainPrefix, dnsProviderType) + extender := NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType) shoot := fixEmptyGardenerShoot("test", "dev") // when 
@@ -43,6 +44,39 @@ func TestDNSExtender(t *testing.T) { assert.Equal(t, secretName, shoot.Spec.Resources[0].Name) assert.Equal(t, secretName, shoot.Spec.Resources[0].ResourceRef.Name) }) + + t.Run("Create DNS config for patch scenario", func(t *testing.T) { + // given + runtimeShoot := imv1.Runtime{ + Spec: imv1.RuntimeSpec{ + Shoot: imv1.RuntimeShoot{ + Name: "myshoot", + }, + }, + } + + shoot := fixEmptyGardenerShoot("test", "dev") + emptyDnsExtension := gardener.Extension{ + Type: "shoot-dns-service", + ProviderConfig: &runtime.RawExtension{}, + Disabled: ptr.To(false), + } + + shoot.Spec.Extensions = []gardener.Extension{ + emptyDnsExtension, + } + + extender := NewDNSExtenderForPatch(shoot.Spec.Extensions) + + // when + err := extender(runtimeShoot, &shoot) + + // then + require.NoError(t, err) + assert.Empty(t, shoot.Spec.DNS) + assert.Empty(t, shoot.Spec.Extensions[0].ProviderConfig) + assert.Equal(t, emptyDnsExtension, shoot.Spec.Extensions[0]) + }) } func assertExtensionConfig(t *testing.T, rawExtension *runtime.RawExtension) { diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index b2deb8e2..e7662555 100644 --- a/pkg/gardener/shoot/extender/oidc.go +++ b/pkg/gardener/shoot/extender/oidc.go @@ -15,7 +15,7 @@ func shouldDefaultOidcConfig(config gardener.OIDCConfig) bool { return config.ClientID == nil && config.IssuerURL == nil } -func NewOidcExtenderFromShoot(oidcProvider config.OidcProvider, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewOidcExtenderForPatch(oidcProvider config.OidcProvider, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { oidcExtension := func() *gardener.Extension { for _, extension := range extensions { 
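Review bot: The patch-scenario test hands `shoot.Spec.Extensions` to `NewDNSExtenderForPatch` and then runs the extender against that same `shoot`, so the found extension is appended to the slice it was read from and `shoot.Spec.Extensions` holds two entries afterwards — the assertions on index `[0]` cannot tell "copied" from "duplicated". Build the source separately (`existing := []gardener.Extension{emptyDnsExtension}` passed to the extender, with `shoot` starting empty) and add `assert.Len(t, shoot.Spec.Extensions, 1)`, which is the property the extender should guarantee. A second case whose source has no `shoot-dns-service` entry should assert that nothing is appended.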
@@ -47,7 +47,7 @@ func NewOidcExtenderFromShoot(oidcProvider config.OidcProvider, extensions []gar } } -func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewOidcExtenderForCreate(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { setOIDCExtension(shoot) diff --git a/pkg/gardener/shoot/extender/oidc_test.go b/pkg/gardener/shoot/extender/oidc_test.go index c8250126..b0c068d8 100644 --- a/pkg/gardener/shoot/extender/oidc_test.go +++ b/pkg/gardener/shoot/extender/oidc_test.go @@ -1,6 +1,8 @@ package extender import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" "testing" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" 
@@ -12,72 +14,105 @@ import ( ) func TestOidcExtender(t *testing.T) { - const migratorLabel = "operator.kyma-project.io/created-by-migrator" + defaultOidc := config.OidcProvider{ + ClientID: "client-id", + GroupsClaim: "groups", + IssuerURL: "https://my.cool.tokens.com", + SigningAlgs: []string{"RS256"}, + UsernameClaim: "sub", + UsernamePrefix: "-", + } + + t.Run("OIDC should be added in create scenario", func(t *testing.T) { + // given + shoot := fixEmptyGardenerShoot("test", "kcp-system") + runtimeShoot := imv1.Runtime{ + ObjectMeta: metav1.ObjectMeta{}, + Spec: imv1.RuntimeSpec{ + Shoot: imv1.RuntimeShoot{ + Kubernetes: imv1.Kubernetes{ + KubeAPIServer: imv1.APIServer{ + OidcConfig: gardener.OIDCConfig{ + ClientID: &defaultOidc.ClientID, + GroupsClaim: &defaultOidc.GroupsClaim, + IssuerURL: &defaultOidc.IssuerURL, + SigningAlgs: defaultOidc.SigningAlgs, + UsernameClaim: &defaultOidc.UsernameClaim, + }, + }, + }, + }, + }, + } + + // when + extender := NewOidcExtenderForCreate(defaultOidc) + err := extender(runtimeShoot, &shoot) + + // then + require.NoError(t, err) + + assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig) + assert.Equal(t, false, *shoot.Spec.Extensions[0].Disabled) + assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type) + }) + + emptyOidcExtension := gardener.Extension{ + Type: "shoot-oidc-service", + ProviderConfig: &runtime.RawExtension{}, + Disabled: ptr.To(false), + } + for _, testCase := range []struct { - name string - migratorLabel map[string]string - expectedOidcExtensionEnabled bool + name string + expectedExtension *gardener.Extension }{ { - name: "label created-by-migrator=true should not configure OIDC", - migratorLabel: map[string]string{migratorLabel: "true"}, - expectedOidcExtensionEnabled: false, + name: "OIDC extension should be added", + expectedExtension: &emptyOidcExtension, }, { - name: "label created-by-migrator=false should configure 
OIDC", - migratorLabel: map[string]string{migratorLabel: "false"}, - expectedOidcExtensionEnabled: true, + name: "OIDC extension should not be added", }, } { - t.Run(testCase.name, func(t *testing.T) { - // given - defaultOidc := config.OidcProvider{ - ClientID: "client-id", - GroupsClaim: "groups", - IssuerURL: "https://my.cool.tokens.com", - SigningAlgs: []string{"RS256"}, - UsernameClaim: "sub", - UsernamePrefix: "-", - } - - shoot := fixEmptyGardenerShoot("test", "kcp-system") - runtimeShoot := imv1.Runtime{ - ObjectMeta: metav1.ObjectMeta{ - Labels: map[string]string{ - migratorLabel: testCase.migratorLabel[migratorLabel], - }, - }, - Spec: imv1.RuntimeSpec{ - Shoot: imv1.RuntimeShoot{ - Kubernetes: imv1.Kubernetes{ - KubeAPIServer: imv1.APIServer{ - OidcConfig: gardener.OIDCConfig{ - ClientID: &defaultOidc.ClientID, - GroupsClaim: &defaultOidc.GroupsClaim, - IssuerURL: &defaultOidc.IssuerURL, - SigningAlgs: defaultOidc.SigningAlgs, - UsernameClaim: &defaultOidc.UsernameClaim, - }, + runtimeShoot := imv1.Runtime{ + Spec: imv1.RuntimeSpec{ + Shoot: imv1.RuntimeShoot{ + Kubernetes: imv1.Kubernetes{ + KubeAPIServer: imv1.APIServer{ + OidcConfig: gardener.OIDCConfig{ + ClientID: &defaultOidc.ClientID, + GroupsClaim: &defaultOidc.GroupsClaim, + IssuerURL: &defaultOidc.IssuerURL, + SigningAlgs: defaultOidc.SigningAlgs, + UsernameClaim: &defaultOidc.UsernameClaim, }, }, }, }, + }, + } + + shoot := fixEmptyGardenerShoot("test", "kcp-system") + + if testCase.expectedExtension != nil { + shoot.Spec.Extensions = []gardener.Extension{ + *testCase.expectedExtension, } - // when - extender := NewOidcExtender(defaultOidc) + extender := NewOidcExtenderForPatch(defaultOidc, shoot.Spec.Extensions) err := extender(runtimeShoot, &shoot) - // then require.NoError(t, err) - assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig) - if testCase.expectedOidcExtensionEnabled { - assert.Equal(t, 
testCase.expectedOidcExtensionEnabled, !*shoot.Spec.Extensions[0].Disabled) + + if testCase.expectedExtension != nil { + assert.Equal(t, emptyOidcExtension, shoot.Spec.Extensions[0]) assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type) } else { assert.Equal(t, 0, len(shoot.Spec.Extensions)) } - }) + } } + } From d1dfc0969af7caf14572077c5369ceb9df7941e2 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 15:39:46 +0100 Subject: [PATCH 06/47] Minor refactor --- pkg/gardener/shoot/extender/dns.go | 11 +++++++---- pkg/gardener/shoot/extender/oidc.go | 14 ++++---------- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index 6c87c331..995eb6ea 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -74,19 +74,22 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten } func NewDNSExtenderForPatch(extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return rewriteExtensionExtender("shoot-dns-service", extensions) +} +func rewriteExtensionExtender(extensionType string, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - dnsExtension := func() *gardener.Extension { + extensionToSet := func() *gardener.Extension { for _, extension := range extensions { - if extension.Type == "shoot-dns-service" { + if extension.Type == extensionType { return &extension } } return nil }() - if dnsExtension != nil { - shoot.Spec.Extensions = append(shoot.Spec.Extensions, *dnsExtension) + if extensionToSet != nil { + shoot.Spec.Extensions = append(shoot.Spec.Extensions, *extensionToSet) } return nil diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index e7662555..06d97468 100644 --- a/pkg/gardener/shoot/extender/oidc.go 
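Review bot: The new patch-scenario table at the bottom of `TestOidcExtender` runs its cases inline instead of under `t.Run(testCase.name, …)` as the replaced code did, so a failure no longer reports which case broke and `testCase.name` is now unused; wrapping the loop body back in `t.Run(testCase.name, func(t *testing.T) { … })` restores that. As in the DNS test, the "extension should be added" case passes `shoot.Spec.Extensions` as the source and then extends the same `shoot`, so the extender appends a second entry and the `[0]` assertions cannot detect the duplicate — `assert.Len(t, shoot.Spec.Extensions, 1)` would. The file's import block starts before the hunk.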
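Review bot: `rewriteExtensionExtender` is named as if it replaced the extension on the target shoot, but its body only appends the first entry of `extensionType` found in `extensions` and never removes or de-duplicates an existing one; either rename it (`appendExtensionFromShoot`) or make it live up to the name by replacing an existing entry of that type before falling back to append. Its `error` result is always nil, which is fine for the extender signature but deserves a line in a doc comment, e.g. `// rewriteExtensionExtender returns an extender that copies the first extension of extensionType found in extensions onto shoot.Spec.Extensions; it never fails.` The inner closure returns `&extension` for the range variable, which is fine because the loop exits on that iteration, but copying into a local before returning is the conventional form for code that may be built with a pre-1.22 `go.mod`.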
+++ b/pkg/gardener/shoot/extender/oidc.go @@ -17,17 +17,11 @@ func shouldDefaultOidcConfig(config gardener.OIDCConfig) bool { func NewOidcExtenderForPatch(oidcProvider config.OidcProvider, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - oidcExtension := func() *gardener.Extension { - for _, extension := range extensions { - if extension.Type == "shoot-oidc-service" { - return &extension - } - } - return nil - }() + extensionExtender := rewriteExtensionExtender("shoot-oidc-service", extensions) - if oidcExtension != nil { - shoot.Spec.Extensions = append(shoot.Spec.Extensions, *oidcExtension) + err := extensionExtender(runtime, shoot) + if err != nil { + return err } oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig From a86f8c314c0c1ad23b65a358c533306019d9ff45 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 15:45:02 +0100 Subject: [PATCH 07/47] Linter --- pkg/gardener/shoot/extender/dns_test.go | 2 +- pkg/gardener/shoot/extender/oidc_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/gardener/shoot/extender/dns_test.go b/pkg/gardener/shoot/extender/dns_test.go index 5215015c..8bbc2545 100644 --- a/pkg/gardener/shoot/extender/dns_test.go +++ b/pkg/gardener/shoot/extender/dns_test.go @@ -2,7 +2,6 @@ package extender import ( "encoding/json" - "k8s.io/utils/ptr" "testing" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -11,6 +10,7 @@ import ( "github.com/stretchr/testify/require" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func TestDNSExtender(t *testing.T) { diff --git a/pkg/gardener/shoot/extender/oidc_test.go b/pkg/gardener/shoot/extender/oidc_test.go index b0c068d8..5e3676de 100644 --- a/pkg/gardener/shoot/extender/oidc_test.go +++ b/pkg/gardener/shoot/extender/oidc_test.go 
@@ -1,8 +1,6 @@ package extender import ( - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/utils/ptr" "testing" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -11,6 +9,8 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/utils/ptr" ) func TestOidcExtender(t *testing.T) { From b87ae3c2a5d29d99007f6335c7dda81d283cff04 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 16:04:48 +0100 Subject: [PATCH 08/47] Linter --- .../runtime/fsm/runtime_fsm_configure_oidc.go | 29 ++++++++----------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go index e6112e52..7ecb23bf 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go @@ -19,24 +19,15 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct if !isOidcExtensionEnabled(*s.shoot) { m.log.Info("OIDC extension is disabled") - s.instance.UpdateStatePending( - imv1.ConditionTypeOidcConfigured, - imv1.ConditionReasonOidcConfigured, - "True", - "OIDC extension disabled", - ) + setPendingState(&s.instance, "OIDC extension disabled") + return switchState(sFnApplyClusterRoleBindings) } if !multiOidcSupported(s.instance) { // New OIDC functionality is supported only for new clusters m.log.Info("Multi OIDC is not supported for migrated runtimes") - s.instance.UpdateStatePending( - imv1.ConditionTypeOidcConfigured, - imv1.ConditionReasonOidcConfigured, - "True", - "Multi OIDC not supported for migrated runtimes", - ) + setPendingState(&s.instance, "Multi OIDC not supported for migrated runtimes") return switchState(sFnApplyClusterRoleBindings) } 
@@ -49,16 +40,20 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct return updateStatusAndStopWithError(err) } - s.instance.UpdateStatePending( + m.log.Info("OIDC has been configured", "Name", s.shoot.Name) + setPendingState(&s.instance, "OIDC configuration completed") + + return switchState(sFnApplyClusterRoleBindings) +} + +func setPendingState(instance *imv1.Runtime, message string) { + instance.UpdateStatePending( imv1.ConditionTypeOidcConfigured, imv1.ConditionReasonOidcConfigured, "True", - "OIDC configuration completed", + message, ) - m.log.Info("OIDC has been configured", "Name", s.shoot.Name) - - return switchState(sFnApplyClusterRoleBindings) } func defaultAdditionalOidcIfNotPresent(runtime *imv1.Runtime, cfg RCCfg) { From 7d3e7ef67b445715c6ecaa8999ca0e85f8238171 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 16:40:24 +0100 Subject: [PATCH 09/47] Linter --- internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go | 3 +-- pkg/gardener/shoot/extender/dns.go | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go index 7ecb23bf..69e3df90 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go @@ -53,7 +53,6 @@ func setPendingState(instance *imv1.Runtime, message string) { "True", message, ) - } func defaultAdditionalOidcIfNotPresent(runtime *imv1.Runtime, cfg RCCfg) { 
@@ -116,7 +115,7 @@ func isOidcExtensionEnabled(shoot gardener.Shoot) bool { } func multiOidcSupported(runtime imv1.Runtime) bool { - return runtime.Labels["operator.kyma-project.io/created-by-migrator"] != "true" + return runtime.Labels["operator.kyma-project.io/created-by-migrator"] != "true" //nolint:all } func createOpenIDConnectResource(additionalOidcConfig gardener.OIDCConfig, oidcID int) *authenticationv1alpha1.OpenIDConnect { diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index 995eb6ea..98012c09 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -78,7 +78,7 @@ func NewDNSExtenderForPatch(extensions []gardener.Extension) func(runtime imv1.R } func rewriteExtensionExtender(extensionType string, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return func(_ imv1.Runtime, shoot *gardener.Shoot) error { extensionToSet := func() *gardener.Extension { for _, extension := range extensions { if extension.Type == extensionType { From 0762970b3790d457634ddb13a11be57f893e8ac0 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 16:44:25 +0100 Subject: [PATCH 10/47] Liiiinteeeeeer --- .../runtime/fsm/runtime_fsm_configure_oidc.go | 26 ++++++++++++------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go index 69e3df90..58a04fcb 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go 
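Review bot: `//nolint:all` on the `multiOidcSupported` return disables every linter for that line rather than the one that complained, which hides any future finding on the same line. Name the linter and the reason, in the form `//nolint:<linter> // <why the label key is inlined here>` (the linter name is not visible on the page and should come from the CI output). If the complaint is about the repeated string, hoisting `"operator.kyma-project.io/created-by-migrator"` into a named constant would likely remove the need for a suppression at all. The function is complete within the hunk.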
@@ -19,7 +19,12 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct if !isOidcExtensionEnabled(*s.shoot) { m.log.Info("OIDC extension is disabled") - setPendingState(&s.instance, "OIDC extension disabled") + (&s.instance).UpdateStatePending( + imv1.ConditionTypeOidcConfigured, + imv1.ConditionReasonOidcConfigured, + "True", + "OIDC extension disabled", + ) return switchState(sFnApplyClusterRoleBindings) } @@ -27,7 +32,12 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct if !multiOidcSupported(s.instance) { // New OIDC functionality is supported only for new clusters m.log.Info("Multi OIDC is not supported for migrated runtimes") - setPendingState(&s.instance, "Multi OIDC not supported for migrated runtimes") + (&s.instance).UpdateStatePending( + imv1.ConditionTypeOidcConfigured, + imv1.ConditionReasonOidcConfigured, + "True", + "Multi OIDC not supported for migrated runtimes", + ) return switchState(sFnApplyClusterRoleBindings) } @@ -41,18 +51,14 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct } m.log.Info("OIDC has been configured", "Name", s.shoot.Name) - setPendingState(&s.instance, "OIDC configuration completed") - - return switchState(sFnApplyClusterRoleBindings) -} - -func setPendingState(instance *imv1.Runtime, message string) { - instance.UpdateStatePending( + (&s.instance).UpdateStatePending( imv1.ConditionTypeOidcConfigured, imv1.ConditionReasonOidcConfigured, "True", - message, + "OIDC configuration completed", ) + + return switchState(sFnApplyClusterRoleBindings) } func defaultAdditionalOidcIfNotPresent(runtime *imv1.Runtime, cfg RCCfg) { From b5334f13117e1c979e8e79a7c3e1ed1713c4a171 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Thu, 28 Nov 2024 17:05:23 +0100 Subject: [PATCH 11/47] Added missing arguments to the patch converter --- .../internal/runtime/verifier.go | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) 
diff --git a/hack/runtime-migrator/internal/runtime/verifier.go b/hack/runtime-migrator/internal/runtime/verifier.go index 1d7e8f84..9982e528 100644 --- a/hack/runtime-migrator/internal/runtime/verifier.go +++ b/hack/runtime-migrator/internal/runtime/verifier.go @@ -66,14 +66,35 @@ func (v Verifier) newConverter(shootToMatch v1beta1.Shoot) (gardener_shoot.Conve return gardener_shoot.Converter{}, err } + imgName, imgVersion := getImageNameAndVersion(shootToMatch.Spec.Provider.Workers) + return gardener_shoot.NewConverterPatch(gardener_shoot.PatchOpts{ - ConverterConfig: v.converterConfig, - AuditLogData: auditLogData, - Zones: getZones(shootToMatch.Spec.Provider.Workers), - Extensions: shootToMatch.Spec.Extensions, + ConverterConfig: v.converterConfig, + AuditLogData: auditLogData, + Zones: getZones(shootToMatch.Spec.Provider.Workers), + ShootK8SVersion: shootToMatch.Spec.Kubernetes.Version, + ShootImageName: imgName, + ShootImageVersion: imgVersion, + Extensions: shootToMatch.Spec.Extensions, }), nil } +func getImageNameAndVersion(workers []v1beta1.Worker) (string, string) { + var imageName, imageVersion string + + for _, worker := range workers { + if worker.Machine.Image != nil { + imageName = worker.Machine.Image.Name + if worker.Machine.Image.Version != nil { + imageVersion = *worker.Machine.Image.Version + } + break + } + } + + return imageName, imageVersion +} + func getZones(workers []v1beta1.Worker) []string { var zones []string From b7b3aa282292d42c4100e31958525d0533592bb1 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 29 Nov 2024 08:42:46 +0100 Subject: [PATCH 12/47] Removed setting secret reference in DNS extender --- pkg/gardener/shoot/extender/dns.go | 11 ----------- pkg/gardener/shoot/extender/dns_test.go | 2 -- 2 files changed, 13 deletions(-) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index 98012c09..f9896da2 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go 
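Review bot: `getImageNameAndVersion` takes the image of the first worker pool that has a non-nil `Machine.Image` and breaks, so a shoot whose pools run different images is converted with only the first pool's name and version, and a nil `Version` silently leaves `imageVersion` empty; none of this is documented. Add `// getImageNameAndVersion returns the machine image name and version of the first worker pool that declares one; the version is "" when unset. Assumes all pools share one image.` above the function, and consider logging or returning an error when pools disagree — it seems likely that the mismatch would otherwise only surface later in the comparison step. `newConverter` starts outside the hunk; `getImageNameAndVersion` is complete within it.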
@@ -6,7 +6,6 @@ import ( gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" - autoscaling "k8s.io/api/autoscaling/v1" apimachineryruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/ptr" ) @@ -131,16 +130,6 @@ func NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType string) f shoot.Spec.Extensions = append(shoot.Spec.Extensions, dnsExtension) - secretReference := gardener.NamedResourceReference{ - Name: secretName, - ResourceRef: autoscaling.CrossVersionObjectReference{ - Kind: "Secret", - Name: secretName, - APIVersion: "v1", - }, - } - shoot.Spec.Resources = append(shoot.Spec.Resources, secretReference) - return nil } } diff --git a/pkg/gardener/shoot/extender/dns_test.go b/pkg/gardener/shoot/extender/dns_test.go index 8bbc2545..a06180ba 100644 --- a/pkg/gardener/shoot/extender/dns_test.go +++ b/pkg/gardener/shoot/extender/dns_test.go @@ -41,8 +41,6 @@ func TestDNSExtender(t *testing.T) { assert.Equal(t, true, *shoot.Spec.DNS.Providers[0].Primary) assert.NotEmpty(t, shoot.Spec.Extensions[0].ProviderConfig) assertExtensionConfig(t, shoot.Spec.Extensions[0].ProviderConfig) - assert.Equal(t, secretName, shoot.Spec.Resources[0].Name) - assert.Equal(t, secretName, shoot.Spec.Resources[0].ResourceRef.Name) }) t.Run("Create DNS config for patch scenario", func(t *testing.T) { From 9d5814663a23ef6da31bf2cbbe28459c1a14d847 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 29 Nov 2024 09:19:47 +0100 Subject: [PATCH 13/47] Added comparing resources in the matchers --- hack/shoot-comparator/pkg/shoot/matcher.go | 29 ++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/hack/shoot-comparator/pkg/shoot/matcher.go b/hack/shoot-comparator/pkg/shoot/matcher.go index a3566fda..4fc0c81d 100644 --- a/hack/shoot-comparator/pkg/shoot/matcher.go +++ b/hack/shoot-comparator/pkg/shoot/matcher.go 
@@ -166,6 +166,15 @@ func (m *Matcher) Match(actual interface{}) (success bool, err error) { actual: shootToMatch.Labels, path: "metadata/labels", }, + { + GomegaMatcher: gstruct.MatchElements( + idResource, + gstruct.IgnoreMissing, + resources(shootToMatch.Spec.Resources), + ), + actual: shootActual.Spec.Resources, + path: "spec/resources", + }, } for _, matcher := range matchers { @@ -232,6 +241,14 @@ func idToleration(v interface{}) string { return fmt.Sprintf("%s:%s", toleration.Key, val(toleration.Value)) } +func idResource(v interface{}) string { + res, ok := v.(v1beta1.NamedResourceReference) + if !ok { + panic("invalid type") + } + return fmt.Sprintf("%s", res.Name) +} + func tolerations(ts []v1beta1.Toleration) gstruct.Elements { out := map[string]types.GomegaMatcher{} for _, t := range ts { @@ -244,6 +261,18 @@ func tolerations(ts []v1beta1.Toleration) gstruct.Elements { return out } +func resources(ts []v1beta1.NamedResourceReference) gstruct.Elements { + out := map[string]types.GomegaMatcher{} + for _, t := range ts { + ID := idResource(t) + out[ID] = gstruct.MatchAllFields(gstruct.Fields{ + "Name": gomega.BeComparableTo(t.Name), + "ResourceRef": gomega.BeComparableTo(t.ResourceRef), + }) + } + return out +} + func idProvider(v interface{}) string { provider, ok := v.(v1beta1.DNSProvider) if !ok { From ff6905aae4b993e678d3a49819e145b6da2ef0ab Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 29 Nov 2024 09:22:43 +0100 Subject: [PATCH 14/47] Updated role.yaml and corrected a message in Migrator --- config/rbac/role.yaml | 23 +---------------------- hack/runtime-migrator/cmd/migration.go | 2 +- 2 files changed, 2 insertions(+), 23 deletions(-) diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 7681c444..e8c654a5 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -19,6 +19,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters + - runtimes verbs: - create - delete 
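Review bot: `fmt.Sprintf("%s", res.Name)` in `idResource` is a redundant formatting call on a value that is already a string (staticcheck reports it as S1025); return `res.Name` directly. Separately, the new `spec/resources` matcher uses `gstruct.IgnoreMissing`, so a `NamedResourceReference` present on the shoot to match but absent from the actual shoot does not fail the comparison — if referenced credential secrets are meant to be verified, that option makes the check weaker than it looks, so confirm which direction is intended. The same `idResource` helper is used by `resources` in the third hunk. `Match` starts and ends outside the first hunk.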
@@ -31,29 +32,7 @@ rules: - infrastructuremanager.kyma-project.io resources: - gardenerclusters/finalizers - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - gardenerclusters/status - verbs: - - update -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - - runtimes - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - infrastructuremanager.kyma-project.io - resources: - runtimes/finalizers verbs: - update diff --git a/hack/runtime-migrator/cmd/migration.go b/hack/runtime-migrator/cmd/migration.go index 7c454857..9de9e56a 100644 --- a/hack/runtime-migrator/cmd/migration.go +++ b/hack/runtime-migrator/cmd/migration.go @@ -138,7 +138,7 @@ func (m Migration) Do(ctx context.Context, runtimeIDs []string) error { return } - reportSuccess(runtimeID, shoot.Name, "Runtime have been applied") + reportSuccess(runtimeID, shoot.Name, "Runtime has been applied") } } From 90f1516776d1a69462ede58dfe47e348dc02f4c3 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Fri, 29 Nov 2024 09:43:05 +0100 Subject: [PATCH 15/47] Reverted useless change in oidc state --- .../controller/runtime/fsm/runtime_fsm_configure_oidc.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go index 58a04fcb..433cc3f0 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go +++ b/internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go @@ -19,7 +19,7 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct if !isOidcExtensionEnabled(*s.shoot) { m.log.Info("OIDC extension is disabled") - (&s.instance).UpdateStatePending( + s.instance.UpdateStatePending( imv1.ConditionTypeOidcConfigured, imv1.ConditionReasonOidcConfigured, "True", 
@@ -32,7 +32,7 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct if !multiOidcSupported(s.instance) { // New OIDC functionality is supported only for new clusters m.log.Info("Multi OIDC is not supported for migrated runtimes") - (&s.instance).UpdateStatePending( + s.instance.UpdateStatePending( imv1.ConditionTypeOidcConfigured, imv1.ConditionReasonOidcConfigured, "True", @@ -51,7 +51,7 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct } m.log.Info("OIDC has been configured", "Name", s.shoot.Name) - (&s.instance).UpdateStatePending( + s.instance.UpdateStatePending( imv1.ConditionTypeOidcConfigured, imv1.ConditionReasonOidcConfigured, "True", From f96e5022350da819af511e93c9bad0b13448a122 Mon Sep 17 00:00:00 2001 From: m00g3n Date: Thu, 28 Nov 2024 16:24:42 +0100 Subject: [PATCH 16/47] fix converter test --- pkg/gardener/shoot/converter_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/converter_test.go b/pkg/gardener/shoot/converter_test.go index afc00b40..1cacd116 100644 --- a/pkg/gardener/shoot/converter_test.go +++ b/pkg/gardener/shoot/converter_test.go @@ -83,7 +83,7 @@ func TestConverter(t *testing.T) { assert.Nil(t, shoot.Spec.DNS) extensionLen := len(shoot.Spec.Extensions) - require.Equalf(t, extensionLen, 3, "unexpected number of extensions: %d, expected: 3", extensionLen) + require.Equalf(t, extensionLen, 2, "unexpected number of extensions: %d, expected: 3", extensionLen) // consider switchin to NotElementsMatch, whem released https://github.com/Antonboom/testifylint/issues/99 for _, extension := range shoot.Spec.Extensions { assert.NotEqual(t, "shoot-dns-service", extension.Type, "unexpected immutable field extension: 'shoot-dns-service'") From 8278a4d336c22aa63d5934baa82f43d72f2ee993 Mon Sep 17 00:00:00 2001 
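Review bot: The assertion message still says `expected: 3` while the expected count was changed to 2, so a failure would print a contradictory message, and the testify argument order is `Equalf(t, expected, actual, ...)`, so the literal and `extensionLen` are swapped, which inverts the expected/actual labels in the failure output. Change the line to `require.Equalf(t, 2, extensionLen, "unexpected number of extensions: %d, expected: 2", extensionLen)`. `TestConverter` starts and ends outside the hunk.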
From: Arkadiusz Galwas Date: Fri, 29 Nov 2024 16:51:37 +0100 Subject: [PATCH 17/47] Started working on separate extender for extensions --- pkg/gardener/shoot/extender/extensions/dns.go | 89 +++++++++++++++++++ .../shoot/extender/extensions/extender.go | 55 ++++++++++++ .../shoot/extender/extensions/oidc.go | 17 ++++ 3 files changed, 161 insertions(+) create mode 100644 pkg/gardener/shoot/extender/extensions/dns.go create mode 100644 pkg/gardener/shoot/extender/extensions/extender.go create mode 100644 pkg/gardener/shoot/extender/extensions/oidc.go diff --git a/pkg/gardener/shoot/extender/extensions/dns.go b/pkg/gardener/shoot/extender/extensions/dns.go new file mode 100644 index 00000000..92b1ca5c --- /dev/null +++ b/pkg/gardener/shoot/extender/extensions/dns.go 
@@ -0,0 +1,89 @@
+package extensions
+
+import (
+ "encoding/json"
+ "fmt"
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ apimachineryruntime "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/ptr"
+)
+
+const DNSExtensionType = "shoot-dns-service"
+
+// The types were copied from the following file: https://github.com/gardener/gardener-extension-shoot-dns-service/blob/master/pkg/apis/service/types.go
+type DNSExtensionProviderConfig struct {
+ // APIVersion is gardener extension api version
+ APIVersion string `json:"apiVersion"`
+ // Kind is extension type
+ Kind string `json:"kind"`
+
+ // DnsProviderReplication indicates whether dnsProvider replication is on
+ DNSProviderReplication *DNSProviderReplication `json:"dnsProviderReplication,omitempty"`
+ // Providers is a list of additional DNS providers that shall be enabled for this shoot cluster.
+ // The primary ("external") provider at `spec.dns.provider` is added automatically
+ Providers []DNSProvider `json:"providers"`
+ // SyncProvidersFromShootSpecDNS is an optional flag for migrating and synchronising the providers given in the
+ // shoot manifest at section `spec.dns.providers`. If true, any direct changes on the `providers` section
+ // are overwritten with the content of section `spec.dns.providers`.
+ SyncProvidersFromShootSpecDNS *bool `json:"syncProvidersFromShootSpecDNS,omitempty"`
+}
+
+// DNSProvider contains information about a DNS provider.
+type DNSProvider struct {
+ // Domains contains information about which domains shall be included/excluded for this provider.
+ Domains *DNSIncludeExclude `json:"domains,omitempty"`
+ // SecretName is a name of a secret containing credentials for the stated domain and the
+ // provider.
+ SecretName *string `json:"secretName,omitempty"`
+ // Type is the DNS provider type.
+ Type *string `json:"type,omitempty"`
+ // Zones contains information about which hosted zones shall be included/excluded for this provider.
+ Zones *DNSIncludeExclude `json:"zones,omitempty"`
+}
+
+// DNSIncludeExclude contains information about which domains shall be included/excluded.
+type DNSIncludeExclude struct {
+ // Include is a list of domains that shall be included.
+ Include []string `json:"include,omitempty"`
+ // Exclude is a list of domains that shall be excluded.
+ Exclude []string `json:"exclude,omitempty"`
+}
+
+type DNSProviderReplication struct {
+ // Enabled indicates whether replication is on
+ Enabled bool `json:"enabled"`
+}
+
+func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExtensionProviderConfig {
+ return &DNSExtensionProviderConfig{
+ APIVersion: "service.dns.extensions.gardener.cloud/v1alpha1",
+ Kind: "DNSConfig",
+ DNSProviderReplication: &DNSProviderReplication{Enabled: true},
+ SyncProvidersFromShootSpecDNS: ptr.To(true),
+ Providers: []DNSProvider{
+ {
+ Domains: &DNSIncludeExclude{
+ Include: []string{domain},
+ },
+ SecretName: ptr.To(secretName),
+ Type: ptr.To(dnsProviderType),
+ },
+ },
+ }
+}
+
+func NewDNSExtension(shootName, secretName, domainPrefix, dnsProviderType string) (gardener.Extension, error) {
+ domain := fmt.Sprintf("%s.%s", shootName, domainPrefix)
+
+ extensionJSON, err := json.Marshal(newDNSExtensionConfig(domain, secretName, dnsProviderType))
+ if err != nil {
+ return gardener.Extension{}, err
+ }
+
+ return gardener.Extension{
+ Type: DNSExtensionType,
+ ProviderConfig: &apimachineryruntime.RawExtension{
+ Raw: extensionJSON,
+ },
+ }, nil
+}
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go new file mode 100644
index 00000000..d4fe85e4
--- /dev/null
+++ b/pkg/gardener/shoot/extender/extensions/extender.go
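Review bot: `NewDNSExtension`, `DNSExtensionType` and `DNSProviderReplication` are exported without doc comments, and nothing states that `domain` is derived as `<shootName>.<domainPrefix>` or what `secretName` is expected to name. Add `// NewDNSExtension builds the shoot-dns-service extension with one provider for the domain "<shootName>.<domainPrefix>", using the given credentials secret and provider type; SyncProvidersFromShootSpecDNS is enabled, so spec.dns.providers stays the source of truth for the providers list.` above the function, and a one-line comment on each exported identifier. Since `secretName` ends up in the serialized provider config, a note on which namespace that secret is expected to live in would also help the next reader — the page does not show it, so it needs confirming.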
@@ -0,0 +1,55 @@
+package extensions
+
+import (
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ imv1 "github.com/kyma-project/infrastructure-manager/api/v1"
+ "github.com/kyma-project/infrastructure-manager/pkg/config"
+ "slices"
+)
+
+type CreateExtension func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error)
+
+type Extension struct {
+ Type string
+ Factory CreateExtension
+}
+
+func NewExtensionsExtenderForCreate(config config.ConverterConfig) func(runtime imv1.Runtime, shoot *gardener.Shoot) error {
+ return newExtensionsExtender([]Extension{
+ {
+ Type: DNSExtensionType,
+ Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) {
+ return NewDNSExtension(runtime.Spec.Shoot.Name, config.DNS.SecretName, config.DNS.DomainPrefix, config.DNS.ProviderType)
+ },
+ },
+ {
+ Type: OidcExtensionType,
+ Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) {
+ return NewOIDCExtension()
+ },
+ },
+ }, nil)
+}
+
+func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error {
+ return func(runtime imv1.Runtime, shoot *gardener.Shoot) error {
+ for _, ext := range extensionsToApply {
+ gardenerExtension, err := ext.Factory(runtime, shoot)
+ if err != nil {
+ return err
+ }
+
+ index := slices.IndexFunc(currentGardenerExtensions, func(e gardener.Extension) bool {
+ return e.Type == ext.Type
+ })
+
+ if index == -1 {
+ shoot.Spec.Extensions = append(shoot.Spec.Extensions, gardenerExtension)
+ } else {
+ shoot.Spec.Extensions[index] = gardenerExtension
+ }
+ }
+
+ return nil
+ }
+}
diff --git a/pkg/gardener/shoot/extender/extensions/oidc.go b/pkg/gardener/shoot/extender/extensions/oidc.go new file mode 100644
index 00000000..3109f099
--- /dev/null
+++ b/pkg/gardener/shoot/extender/extensions/oidc.go
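Review bot: `newExtensionsExtender` looks up `ext.Type` in `currentGardenerExtensions` but uses the resulting `index` to write into `shoot.Spec.Extensions`, a different slice; unless an earlier extender has copied `currentGardenerExtensions` into `shoot.Spec.Extensions` in the same order, `shoot.Spec.Extensions[index] = gardenerExtension` either panics with an out-of-range index or overwrites an unrelated extension. Searching the slice that is actually mutated avoids both: `index := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool {`, after which `currentGardenerExtensions` is unused and can be dropped or documented as the list of extensions to preserve. The same loop body is carried unchanged through the later `extender.go` hunks of PATCH 19 and PATCH 20, where `NewExtensionsExtenderForPatch` passes the existing shoot's extensions into it. A smaller point: the `config config.ConverterConfig` parameter of `NewExtensionsExtenderForCreate` shadows the imported `config` package inside the function body.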
@@ -0,0 +1,17 @@
+package extensions
+
+import (
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ "k8s.io/utils/ptr"
+)
+
+const (
+ OidcExtensionType = "shoot-oidc-service"
+)
+
+func NewOIDCExtension() (gardener.Extension, error) {
+ return gardener.Extension{
+ Type: OidcExtensionType,
+ Disabled: ptr.To(false),
+ }, nil
+}
From fdf9ef3a4ec4b20945ec8ba5bb5f7ad46151c90e Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 07:32:41 +0100 Subject: [PATCH 18/47] Add audit log matching --- hack/shoot-comparator/pkg/shoot/matcher.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/shoot-comparator/pkg/shoot/matcher.go b/hack/shoot-comparator/pkg/shoot/matcher.go
index 4fc0c81d..911fb1d4 100644
--- a/hack/shoot-comparator/pkg/shoot/matcher.go
+++ b/hack/shoot-comparator/pkg/shoot/matcher.go
@@ -370,7 +370,7 @@ func newKubeAPIServerMatcher(k v1beta1.Kubernetes) types.GomegaMatcher {
 "KubernetesConfig": gstruct.Ignore(),
 "AdmissionPlugins": gstruct.Ignore(),
 "APIAudiences": gstruct.Ignore(),
- "AuditConfig": gstruct.Ignore(),
+ "AuditConfig": gomega.BeComparableTo(k.KubeAPIServer.AuditConfig),
 "RuntimeConfig": gstruct.Ignore(),
 "ServiceAccountConfig": gstruct.Ignore(),
 "WatchCacheSizes": gstruct.Ignore(),
From b77e32450aee077a442f2182cb21a218155fc7d1 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 14:29:02 +0100 Subject: [PATCH 19/47] Implementation of separate extension extender --- .../shoot/extender/extensions/auditlog.go | 58 +++++++++++++++++++ .../shoot/extender/extensions/cert.go | 49 ++++++++++++++++ pkg/gardener/shoot/extender/extensions/dns.go | 1 + .../shoot/extender/extensions/extender.go | 34 ++++++++++- 4 files changed, 140 insertions(+), 2 deletions(-) create mode 100644 pkg/gardener/shoot/extender/extensions/auditlog.go create mode 100644 pkg/gardener/shoot/extender/extensions/cert.go
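Review bot: `NewOIDCExtension` and `OidcExtensionType` have no doc comments, and the `error` result is always nil — it exists only to fit the `CreateExtension` factory type — which is worth saying so callers do not look for a failure mode. Add `// NewOIDCExtension returns the shoot-oidc-service extension with Disabled=false; the error result is always nil and exists to match the CreateExtension factory signature.` above the function and `// OidcExtensionType is the Gardener extension type of the OIDC shoot service.` on the constant.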
diff --git a/pkg/gardener/shoot/extender/extensions/auditlog.go b/pkg/gardener/shoot/extender/extensions/auditlog.go new file mode 100644
index 00000000..f933cc1c
--- /dev/null
+++ b/pkg/gardener/shoot/extender/extensions/auditlog.go
@@ -0,0 +1,58 @@
+package extensions
+
+import (
+ "bytes"
+ "encoding/json"
+
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+ auditlogExtensionType = "shoot-auditlog-service"
+ auditlogReferenceName = "auditlog-credentials"
+)
+
+type AuditLogData struct {
+ TenantID string `json:"tenantID" validate:"required"`
+ ServiceURL string `json:"serviceURL" validate:"required,url"`
+ SecretName string `json:"secretName" validate:"required"`
+}
+
+type AuditlogExtensionConfig struct {
+ metav1.TypeMeta `json:",inline"`
+ // Type is the type of auditlog service provider.
+ Type string `json:"type"`
+ // TenantID is the id of the tenant.
+ TenantID string `json:"tenantID"`
+ // ServiceURL is the URL of the auditlog service.
+ ServiceURL string `json:"serviceURL"`
+ // SecretReferenceName is the name of the reference for the secret containing the auditlog service credentials.
+ SecretReferenceName string `json:"secretReferenceName"`
+}
+
+func NewAuditLogExtension(d AuditLogData) (gardener.Extension, error) {
+ cfg := AuditlogExtensionConfig{
+ TypeMeta: metav1.TypeMeta{
+ Kind: "AuditlogConfig",
+ APIVersion: "service.auditlog.extensions.gardener.cloud/v1alpha1",
+ },
+ Type: "standard",
+ TenantID: d.TenantID,
+ ServiceURL: d.ServiceURL,
+ SecretReferenceName: auditlogReferenceName,
+ }
+ var buffer bytes.Buffer
+ if err := json.NewEncoder(&buffer).Encode(&cfg); err != nil {
+ return gardener.Extension{}, err
+ }
+
+ return gardener.Extension{
+ Type: auditlogExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: buffer.Bytes(),
+ },
+ }, nil
+
+}
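Review bot: `NewAuditLogExtension` serialises its config with `json.NewEncoder(&buffer).Encode(&cfg)`, which appends a trailing newline to `buffer.Bytes()`, whereas the DNS and cert factories in this package use `json.Marshal`; the resulting `RawExtension.Raw` therefore differs byte-for-byte from an equivalent `json.Marshal` payload, which is exactly the kind of difference a raw-extension comparison reports as a spurious change. Using `raw, err := json.Marshal(cfg)` and `Raw: raw` makes the three factories consistent and drops the `bytes` import. `AuditLogData` carries `validate:"required"` tags but nothing in this hunk validates the struct, so an empty `TenantID` or `ServiceURL` is encoded silently — presumably validation happens at the caller; a comment on the type saying where would help. `auditlogReferenceName` appears to name a `spec.resources` reference that this file does not add, so confirm another extender provides the matching `NamedResourceReference`.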
diff --git a/pkg/gardener/shoot/extender/extensions/cert.go b/pkg/gardener/shoot/extender/extensions/cert.go new file mode 100644
index 00000000..b6c962a6
--- /dev/null
+++ b/pkg/gardener/shoot/extender/extensions/cert.go
@@ -0,0 +1,49 @@
+package extensions
+
+import (
+ "encoding/json"
+
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ apimachineryRuntime "k8s.io/apimachinery/pkg/runtime"
+)
+
+const CertExtensionType = "shoot-cert-service"
+
+type ExtensionProviderConfig struct {
+ // APIVersion is gardener extension api version
+ APIVersion string `json:"apiVersion"`
+ // DnsProviderReplication indicates whether dnsProvider replication is on
+ DNSProviderReplication *DNSProviderReplication `json:"dnsProviderReplication,omitempty"`
+ // ShootIssuers indicates whether shoot Issuers are on
+ ShootIssuers *ShootIssuers `json:"shootIssuers,omitempty"`
+ // Kind is extension type
+ Kind string `json:"kind"`
+}
+
+type ShootIssuers struct {
+ // Enabled indicates whether shoot Issuers are on
+ Enabled bool `json:"enabled"`
+}
+
+func NewCertConfig() *ExtensionProviderConfig {
+ return &ExtensionProviderConfig{
+ APIVersion: "service.cert.extensions.gardener.cloud/v1alpha1",
+ ShootIssuers: &ShootIssuers{Enabled: true},
+ Kind: "CertConfig",
+ }
+}
+
+func NewCertExtension() (gardener.Extension, error) {
+ certConfig := NewCertConfig()
+ jsonCertConfig, encodingErr := json.Marshal(certConfig)
+ if encodingErr != nil {
+ return gardener.Extension{}, encodingErr
+ }
+
+ certServiceExtension := gardener.Extension{
+ Type: CertExtensionType,
+ ProviderConfig: &apimachineryRuntime.RawExtension{Raw: jsonCertConfig},
+ }
+
+ return certServiceExtension, nil
+}
diff --git a/pkg/gardener/shoot/extender/extensions/dns.go b/pkg/gardener/shoot/extender/extensions/dns.go
index 92b1ca5c..d06272fc 100644
--- a/pkg/gardener/shoot/extender/extensions/dns.go
+++ b/pkg/gardener/shoot/extender/extensions/dns.go
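Review bot: `ExtensionProviderConfig` is a cert-service-specific type with a generic exported name, and it carries a `DNSProviderReplication` field that `NewCertConfig` never sets and that reads as copied over from the DNS config type; either drop the field or confirm it is part of the `CertConfig` schema, and rename the type to something like `CertExtensionProviderConfig` so it is not taken for a shared type. Because the field is `omitempty`, the encoded payload is unchanged while it stays nil, so this is a clarity point rather than a behavioural defect. `NewCertConfig`, `NewCertExtension` and `CertExtensionType` also lack doc comments, e.g. `// NewCertExtension builds the shoot-cert-service extension with shoot issuers enabled.`.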
@@ -3,6 +3,7 @@ package extensions import ( "encoding/json" "fmt" + gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" apimachineryruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/ptr" diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index d4fe85e4..9c45bc01 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -1,10 +1,11 @@ package extensions import ( + "slices" + gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" - "slices" ) type CreateExtension func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) @@ -14,8 +15,14 @@ type Extension struct { Factory CreateExtension } -func NewExtensionsExtenderForCreate(config config.ConverterConfig) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData AuditLogData) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ + { + Type: CertExtensionType, + Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + return NewCertExtension() + }, + }, { Type: DNSExtensionType, Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { 
@@ -28,9 +35,32 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig) func(runtime return NewOIDCExtension() }, }, + { + Type: auditlogExtensionType, + Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + return NewAuditLogExtension(auditLogData) + }, + }, }, nil) } +func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheShoot []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return newExtensionsExtender([]Extension{ + { + Type: OidcExtensionType, + Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + return NewOIDCExtension() + }, + }, + { + Type: auditlogExtensionType, + Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + return NewAuditLogExtension(auditLogData) + }, + }, + }, extensionsOnTheShoot) +} + func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { for _, ext := range extensionsToApply { From faf18812794f3910bb82de0435e79a161c7bb700 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 14:50:47 +0100 Subject: [PATCH 20/47] Implementation of separate extension extender --- .../shoot/extender/extensions/extender.go | 23 +++++++++---------- 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 9c45bc01..6fa09d58 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go 
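Review bot: `NewExtensionsExtenderForPatch` applies only the OIDC and audit-log extensions while the create path also applies cert and DNS, and nothing records why. A doc comment such as `// NewExtensionsExtenderForPatch rewrites only the extensions that may change after creation (OIDC, audit log); cert and DNS are left as they are on the existing shoot.` captures the intent — assuming that is the reason, which the converter test elsewhere on this page (treating `shoot-dns-service` as an immutable extension) suggests but does not prove. `NewExtensionsExtenderForCreate` starts outside the hunk; `newExtensionsExtender`'s body also continues past it.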
@@ -1,14 +1,13 @@ package extensions import ( - "slices" - gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" + "slices" ) -type CreateExtension func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) +type CreateExtension func(shoot *gardener.Shoot) (gardener.Extension, error) type Extension struct { Type string @@ -19,25 +18,25 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData return newExtensionsExtender([]Extension{ { Type: CertExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(shoot *gardener.Shoot) (gardener.Extension, error) { return NewCertExtension() }, }, { Type: DNSExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { - return NewDNSExtension(runtime.Spec.Shoot.Name, config.DNS.SecretName, config.DNS.DomainPrefix, config.DNS.ProviderType) + Factory: func(shoot *gardener.Shoot) (gardener.Extension, error) { + return NewDNSExtension(shoot.Name, config.DNS.SecretName, config.DNS.DomainPrefix, config.DNS.ProviderType) }, }, { Type: OidcExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { return NewOIDCExtension() }, }, { Type: auditlogExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, 
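Review bot: The DNS entry now derives the domain from `shoot.Name` instead of `runtime.Spec.Shoot.Name`, which makes this extender order-dependent: it only yields a correct `<name>.<prefix>` domain if an extender that sets shoot.Name has already run, and an empty name would silently produce a domain starting with a dot. Presumably the converter runs the base extenders first, but a guard in the Create func that returns an error when `shoot.Name == ""` would make the dependency explicit, and a comment such as `// relies on shoot.Name being set by an earlier extender` would document it. The closing lines of NewExtensionsExtenderForCreate are outside the hunk.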
@@ -48,13 +47,13 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho return newExtensionsExtender([]Extension{ { Type: OidcExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { return NewOIDCExtension() }, }, { Type: auditlogExtensionType, - Factory: func(runtime imv1.Runtime, shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, @@ -62,9 +61,9 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho } func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return func(_ imv1.Runtime, shoot *gardener.Shoot) error { for _, ext := range extensionsToApply { - gardenerExtension, err := ext.Factory(runtime, shoot) + gardenerExtension, err := ext.Factory(shoot) if err != nil { return err } From a2379bdc5d02d3cda7929243c07d291ce8c62561 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 14:51:26 +0100 Subject: [PATCH 21/47] Linter --- pkg/gardener/shoot/extender/extensions/extender.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 6fa09d58..28e56e9d 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go 
@@ -1,10 +1,11 @@ package extensions import ( + "slices" + gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" - "slices" ) type CreateExtension func(shoot *gardener.Shoot) (gardener.Extension, error) From 86012028484cc07e06ac4d65a9e653e9a1f088da Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 14:56:03 +0100 Subject: [PATCH 22/47] Linter --- pkg/gardener/shoot/extender/extensions/extender.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 28e56e9d..bafc4617 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -19,7 +19,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData return newExtensionsExtender([]Extension{ { Type: CertExtensionType, - Factory: func(shoot *gardener.Shoot) (gardener.Extension, error) { + Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { return NewCertExtension() }, }, From c63e7e58d9aaf443564cac35b9bd260e011117f9 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 15:00:39 +0100 Subject: [PATCH 23/47] Linter --- pkg/gardener/shoot/extender/extensions/auditlog.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/gardener/shoot/extender/extensions/auditlog.go b/pkg/gardener/shoot/extender/extensions/auditlog.go index f933cc1c..909ff587 100644 --- a/pkg/gardener/shoot/extender/extensions/auditlog.go +++ b/pkg/gardener/shoot/extender/extensions/auditlog.go @@ -54,5 +54,4 @@ func NewAuditLogExtension(d AuditLogData) (gardener.Extension, error) { Raw: buffer.Bytes(), }, }, nil - } From 7ca488ca1b75c662860384530ea218d8a9603291 Mon Sep 17 00:00:00 2001 
From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 15:13:17 +0100 Subject: [PATCH 24/47] Implemented logic for OIDC --- .../shoot/extender/extensions/auditlog.go | 6 +-- .../shoot/extender/extensions/cert.go | 6 +-- pkg/gardener/shoot/extender/extensions/dns.go | 6 +-- .../shoot/extender/extensions/extender.go | 37 +++++++++++++------ .../shoot/extender/extensions/oidc.go | 4 +- 5 files changed, 36 insertions(+), 23 deletions(-) diff --git a/pkg/gardener/shoot/extender/extensions/auditlog.go b/pkg/gardener/shoot/extender/extensions/auditlog.go index 909ff587..05af3596 100644 --- a/pkg/gardener/shoot/extender/extensions/auditlog.go +++ b/pkg/gardener/shoot/extender/extensions/auditlog.go @@ -32,7 +32,7 @@ type AuditlogExtensionConfig struct { SecretReferenceName string `json:"secretReferenceName"` } -func NewAuditLogExtension(d AuditLogData) (gardener.Extension, error) { +func NewAuditLogExtension(d AuditLogData) (*gardener.Extension, error) { cfg := AuditlogExtensionConfig{ TypeMeta: metav1.TypeMeta{ Kind: "AuditlogConfig", @@ -45,10 +45,10 @@ func NewAuditLogExtension(d AuditLogData) (gardener.Extension, error) { } var buffer bytes.Buffer if err := json.NewEncoder(&buffer).Encode(&cfg); err != nil { - return gardener.Extension{}, err + return nil, err } - return gardener.Extension{ + return &gardener.Extension{ Type: auditlogExtensionType, ProviderConfig: &runtime.RawExtension{ Raw: buffer.Bytes(), diff --git a/pkg/gardener/shoot/extender/extensions/cert.go b/pkg/gardener/shoot/extender/extensions/cert.go index b6c962a6..d9cb1bd5 100644 --- a/pkg/gardener/shoot/extender/extensions/cert.go +++ b/pkg/gardener/shoot/extender/extensions/cert.go 
@@ -33,14 +33,14 @@ func NewCertConfig() *ExtensionProviderConfig { } } -func NewCertExtension() (gardener.Extension, error) { +func NewCertExtension() (*gardener.Extension, error) { certConfig := NewCertConfig() jsonCertConfig, encodingErr := json.Marshal(certConfig) if encodingErr != nil { - return gardener.Extension{}, encodingErr + return nil, encodingErr } - certServiceExtension := gardener.Extension{ + certServiceExtension := &gardener.Extension{ Type: CertExtensionType, ProviderConfig: &apimachineryRuntime.RawExtension{Raw: jsonCertConfig}, } diff --git a/pkg/gardener/shoot/extender/extensions/dns.go b/pkg/gardener/shoot/extender/extensions/dns.go index d06272fc..0b2be3af 100644 --- a/pkg/gardener/shoot/extender/extensions/dns.go +++ b/pkg/gardener/shoot/extender/extensions/dns.go @@ -73,15 +73,15 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten } } -func NewDNSExtension(shootName, secretName, domainPrefix, dnsProviderType string) (gardener.Extension, error) { +func NewDNSExtension(shootName, secretName, domainPrefix, dnsProviderType string) (*gardener.Extension, error) { domain := fmt.Sprintf("%s.%s", shootName, domainPrefix) extensionJSON, err := json.Marshal(newDNSExtensionConfig(domain, secretName, dnsProviderType)) if err != nil { - return gardener.Extension{}, err + return nil, err } - return gardener.Extension{ + return &gardener.Extension{ Type: DNSExtensionType, ProviderConfig: &apimachineryruntime.RawExtension{ Raw: extensionJSON, diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index bafc4617..e35f8df5 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go 
@@ -8,36 +8,36 @@ import ( "github.com/kyma-project/infrastructure-manager/pkg/config" ) -type CreateExtension func(shoot *gardener.Shoot) (gardener.Extension, error) +type CreateExtensionFunc func(shoot *gardener.Shoot) (*gardener.Extension, error) type Extension struct { - Type string - Factory CreateExtension + Type string + Create CreateExtensionFunc } func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData AuditLogData) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ { Type: CertExtensionType, - Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { + Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { return NewCertExtension() }, }, { Type: DNSExtensionType, - Factory: func(shoot *gardener.Shoot) (gardener.Extension, error) { + Create: func(shoot *gardener.Shoot) (*gardener.Extension, error) { return NewDNSExtension(shoot.Name, config.DNS.SecretName, config.DNS.DomainPrefix, config.DNS.ProviderType) }, }, { Type: OidcExtensionType, - Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { + Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { return NewOIDCExtension() }, }, { Type: auditlogExtensionType, - Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { + Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, 
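Review bot: CreateExtensionFunc, Extension and NewExtensionsExtenderForCreate are exported without doc comments, and the rename from Factory to Create is a good moment to add them. Suggest `// CreateExtensionFunc builds the Gardener extension of one Extension entry for the given shoot.`, `// Extension pairs a Gardener extension type with the function that builds it.` and `// NewExtensionsExtenderForCreate returns an extender that adds the cert, DNS, OIDC and auditlog extensions to a newly created shoot.` The function's closing lines are outside the hunk.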
@@ -48,13 +48,21 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho return newExtensionsExtender([]Extension{ { Type: OidcExtensionType, - Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { + Create: func(shoot *gardener.Shoot) (*gardener.Extension, error) { + // If oidc is not set on the shoot we skip it + oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { + return e.Type == OidcExtensionType + }) + + if oidcIndex == -1 { + return nil, nil + } return NewOIDCExtension() }, }, { Type: auditlogExtensionType, - Factory: func(_ *gardener.Shoot) (gardener.Extension, error) { + Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, @@ -64,19 +72,24 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(_ imv1.Runtime, shoot *gardener.Shoot) error { for _, ext := range extensionsToApply { - gardenerExtension, err := ext.Factory(shoot) + gardenerExtension, err := ext.Create(shoot) if err != nil { return err } + // If the extension should not be applied we skip it + if gardenerExtension == nil { + continue + } + index := slices.IndexFunc(currentGardenerExtensions, func(e gardener.Extension) bool { return e.Type == ext.Type }) if index == -1 { - shoot.Spec.Extensions = append(shoot.Spec.Extensions, gardenerExtension) + shoot.Spec.Extensions = append(shoot.Spec.Extensions, *gardenerExtension) } else { - shoot.Spec.Extensions[index] = gardenerExtension + shoot.Spec.Extensions[index] = *gardenerExtension } } diff --git a/pkg/gardener/shoot/extender/extensions/oidc.go b/pkg/gardener/shoot/extender/extensions/oidc.go index 3109f099..a448fa68 100644 --- a/pkg/gardener/shoot/extender/extensions/oidc.go 
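Review bot: The new OIDC skip check searches `shoot.Spec.Extensions` on the shoot being built rather than `extensionsOnTheShoot`, which the same constructor already receives and hands to newExtensionsExtender as the existing shoot's extensions. If the shoot handed to the extenders starts with an empty extension list, which the append/replace logic in newExtensionsExtender suggests, oidcIndex is always -1 and the OIDC extension is never patched; if an earlier extender does copy the existing extensions over, the two sources are at least redundant. Suggest searching the captured slice instead: `oidcIndex := slices.IndexFunc(extensionsOnTheShoot, func(e gardener.Extension) bool {`. NewExtensionsExtenderForPatch starts outside the hunk.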
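Review bot: In the replace branch the index computed over `currentGardenerExtensions` is used to write into `shoot.Spec.Extensions`, which is a different slice; unless every caller guarantees both hold the same elements in the same order, the write lands on the wrong entry or panics with an index out of range when shoot.Spec.Extensions is shorter. Either look the type up in the slice that is written (`index := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool {`) or, if currentGardenerExtensions is the intended source of truth, copy it onto the shoot before the loop and say so in a comment. The nil-means-skip contract introduced here belongs on the CreateExtensionFunc type, which is declared outside the hunk, e.g. `// A nil extension with a nil error means the entry is not applied to the shoot.` The closure's closing braces are outside the hunk.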
+++ b/pkg/gardener/shoot/extender/extensions/oidc.go @@ -9,8 +9,8 @@ const ( OidcExtensionType = "shoot-oidc-service" ) -func NewOIDCExtension() (gardener.Extension, error) { - return gardener.Extension{ +func NewOIDCExtension() (*gardener.Extension, error) { + return &gardener.Extension{ Type: OidcExtensionType, Disabled: ptr.To(false), }, nil From 363c6120a64eec8ade7832005638544e8627a8aa Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 15:50:49 +0100 Subject: [PATCH 25/47] Fixes in the new extender --- .../shoot/extender/extensions/extender.go | 24 ++++++++++++------- .../extender/extensions/networkfilter.go | 12 ++++++++++ 2 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 pkg/gardener/shoot/extender/extensions/networkfilter.go diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index e35f8df5..f1e16f3b 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -8,7 +8,7 @@ import ( "github.com/kyma-project/infrastructure-manager/pkg/config" ) -type CreateExtensionFunc func(shoot *gardener.Shoot) (*gardener.Extension, error) +type CreateExtensionFunc func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) type Extension struct { Type string 
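Review bot: CreateExtensionFunc now takes `shoot gardener.Shoot` by value, so every call in newExtensionsExtender (`ext.Create(runtime, *shoot)` in this commit's last hunk) copies the whole Shoot struct just to read Name or Spec.Extensions. If the intent is to keep the factories from mutating the shoot, a `*gardener.Shoot` parameter plus a one-line comment stating that factories must only read it avoids the copy and makes the contract explicit; passing only the fields the factories need would do the same. The same signature is repeated on every Create literal in the two following hunks.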
@@ -17,27 +17,33 @@ type Extension struct { func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData AuditLogData) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ + { + Type: NetworkFilterType, + Create: func(runtime imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { + return NewNetworkFilterExtension(!runtime.Spec.Security.Networking.Filter.Egress.Enabled) + }, + }, { Type: CertExtensionType, - Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewCertExtension() }, }, { Type: DNSExtensionType, - Create: func(shoot *gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { return NewDNSExtension(shoot.Name, config.DNS.SecretName, config.DNS.DomainPrefix, config.DNS.ProviderType) }, }, { Type: OidcExtensionType, - Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { + Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { return NewOIDCExtension() }, }, { Type: auditlogExtensionType, - Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { + Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, @@ -48,7 +54,7 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho return newExtensionsExtender([]Extension{ { Type: OidcExtensionType, - Create: func(shoot *gardener.Shoot) (*gardener.Extension, error) { + Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { // If oidc is not set on the shoot we skip it oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { return e.Type == OidcExtensionType 
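Review bot: The NetworkFilterType entry is added to the create list only, while NewExtensionsExtenderForPatch in the next hunk still lists just OIDC and auditlog, and commit 28 comments out and commit 31 removes ExtendWithNetworkFilter and ExtendWithCertConfig from baseExtenders, which previously ran for both create and patch. Unless the patch path preserves the existing extensions in some way not visible here, a later change to `Spec.Security.Networking.Filter.Egress.Enabled` on the Runtime will no longer reach an existing shoot, so the egress filter state becomes fixed at creation time. The `!...Enabled` inversion also deserves a comment, e.g. `// Gardener's Disabled flag is the inverse of the Runtime's egress filter switch`. The closing lines of NewExtensionsExtenderForCreate are outside the hunk.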
@@ -62,7 +68,7 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho }, { Type: auditlogExtensionType, - Create: func(_ *gardener.Shoot) (*gardener.Extension, error) { + Create: func(runtime imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, @@ -70,9 +76,9 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho } func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(_ imv1.Runtime, shoot *gardener.Shoot) error { + return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { for _, ext := range extensionsToApply { - gardenerExtension, err := ext.Create(shoot) + gardenerExtension, err := ext.Create(runtime, *shoot) if err != nil { return err } diff --git a/pkg/gardener/shoot/extender/extensions/networkfilter.go b/pkg/gardener/shoot/extender/extensions/networkfilter.go new file mode 100644 index 00000000..812f8059 --- /dev/null +++ b/pkg/gardener/shoot/extender/extensions/networkfilter.go @@ -0,0 +1,12 @@ +package extensions + +import gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" + +const NetworkFilterType = "shoot-networking-filter" + +func NewNetworkFilterExtension(disabled bool) (*gardener.Extension, error) { + return &gardener.Extension{ + Type: NetworkFilterType, + Disabled: &disabled, + }, nil +} From c77e1d4bdb1138625e8840877e29e8b2d40fb380 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 16:01:07 +0100 Subject: [PATCH 26/47] Linter --- pkg/gardener/shoot/extender/extensions/extender.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index f1e16f3b..60b274aa 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go 
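Review bot: networkfilter.go exports NetworkFilterType and NewNetworkFilterExtension without doc comments. Suggest `// NetworkFilterType is the Gardener extension type of the shoot networking filter.` and `// NewNetworkFilterExtension builds the shoot-networking-filter extension; disabled=true marks the extension as disabled on the shoot.` The function cannot fail, so the error result exists only to satisfy CreateExtensionFunc, which is worth a word in the comment.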
+++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -37,7 +37,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData }, { Type: OidcExtensionType, - Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { return NewOIDCExtension() }, }, @@ -54,7 +54,7 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho return newExtensionsExtender([]Extension{ { Type: OidcExtensionType, - Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { // If oidc is not set on the shoot we skip it oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { return e.Type == OidcExtensionType @@ -68,7 +68,7 @@ func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheSho }, { Type: auditlogExtensionType, - Create: func(runtime imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, From 89d109af545ebfbdeba463c7ca72698cfddbbd5a Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 16:11:11 +0100 Subject: [PATCH 27/47] Code integrated --- hack/runtime-migrator/internal/runtime/verifier.go | 1 + .../controller/runtime/fsm/runtime_fsm_patch_shoot.go | 1 + pkg/gardener/shoot/extender/extensions/auditlog.go | 9 ++------- pkg/gardener/shoot/extender/extensions/extender.go | 5 +++-- 4 files changed, 7 insertions(+), 9 deletions(-) diff --git a/hack/runtime-migrator/internal/runtime/verifier.go b/hack/runtime-migrator/internal/runtime/verifier.go index 9982e528..f9cbe20c 100644 --- a/hack/runtime-migrator/internal/runtime/verifier.go +++ b/hack/runtime-migrator/internal/runtime/verifier.go 
@@ -76,6 +76,7 @@ func (v Verifier) newConverter(shootToMatch v1beta1.Shoot) (gardener_shoot.Conve ShootImageName: imgName, ShootImageVersion: imgVersion, Extensions: shootToMatch.Spec.Extensions, + Resources: shootToMatch.Spec.Resources, }), nil } diff --git a/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go b/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go index 041060b2..4b2795d8 100644 --- a/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go +++ b/internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go @@ -46,6 +46,7 @@ func sFnPatchExistingShoot(ctx context.Context, m *fsm, s *systemState) (stateFn ShootImageName: imgName, ShootImageVersion: imgVersion, Extensions: s.shoot.Spec.Extensions, + Resources: s.shoot.Spec.Resources, }) if err != nil { diff --git a/pkg/gardener/shoot/extender/extensions/auditlog.go b/pkg/gardener/shoot/extender/extensions/auditlog.go index 05af3596..5109247b 100644 --- a/pkg/gardener/shoot/extender/extensions/auditlog.go +++ b/pkg/gardener/shoot/extender/extensions/auditlog.go @@ -5,6 +5,7 @@ import ( "encoding/json" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" + "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" ) @@ -14,12 +15,6 @@ const ( auditlogReferenceName = "auditlog-credentials" ) -type AuditLogData struct { - TenantID string `json:"tenantID" validate:"required"` - ServiceURL string `json:"serviceURL" validate:"required,url"` - SecretName string `json:"secretName" validate:"required"` -} - type AuditlogExtensionConfig struct { metav1.TypeMeta `json:",inline"` // Type is the type of auditlog service provider. 
@@ -32,7 +27,7 @@ type AuditlogExtensionConfig struct { SecretReferenceName string `json:"secretReferenceName"` } -func NewAuditLogExtension(d AuditLogData) (*gardener.Extension, error) { +func NewAuditLogExtension(d auditlogs.AuditLogData) (*gardener.Extension, error) { cfg := AuditlogExtensionConfig{ TypeMeta: metav1.TypeMeta{ Kind: "AuditlogConfig", diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 60b274aa..46a5599f 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -6,6 +6,7 @@ import ( gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" + "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" ) type CreateExtensionFunc func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) @@ -15,7 +16,7 @@ type Extension struct { Create CreateExtensionFunc } -func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData AuditLogData) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData auditlogs.AuditLogData) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ { Type: NetworkFilterType, @@ -50,7 +51,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData }, nil) } -func NewExtensionsExtenderForPatch(auditLogData AuditLogData, extensionsOnTheShoot []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensionsOnTheShoot []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ { Type: OidcExtensionType, 
From f6c638310a288a50fb2e8550d05a38cd2716ebea Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 16:11:25 +0100 Subject: [PATCH 28/47] Code integrated --- pkg/gardener/shoot/converter.go | 26 ++++++++++++------- .../shoot/extender/auditlogs/extender.go | 2 +- pkg/gardener/shoot/extender/resources.go | 14 ++++++++++ 3 files changed, 32 insertions(+), 10 deletions(-) create mode 100644 pkg/gardener/shoot/extender/resources.go diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 99020d8f..d912b388 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -2,6 +2,7 @@ package shoot import ( "fmt" + "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/extensions" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" @@ -19,8 +20,8 @@ func baseExtenders(cfg config.ConverterConfig) []Extend { extender2.ExtendWithLabels, extender2.ExtendWithSeedSelector, extender2.ExtendWithCloudProfile, - extender2.ExtendWithNetworkFilter, - extender2.ExtendWithCertConfig, + //extender2.ExtendWithNetworkFilter, + //extender2.ExtendWithCertConfig, extender2.ExtendWithExposureClassName, extender2.ExtendWithTolerations, extender2.NewMaintenanceExtender(cfg.Kubernetes.EnableKubernetesVersionAutoUpdate, cfg.Kubernetes.EnableMachineImageVersionAutoUpdate), @@ -52,6 +53,7 @@ type PatchOpts struct { ShootImageName string ShootImageVersion string Extensions []gardener.Extension + Resources []gardener.NamedResourceReference } func NewConverterCreate(opts CreateOpts) Converter { 
@@ -64,10 +66,12 @@ func NewConverterCreate(opts CreateOpts) Converter { opts.MachineImage.DefaultVersion, )) - extendersForCreate = append(extendersForCreate, - extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), - extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), - ) + extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)) + + //extendersForCreate = append(extendersForCreate, + // extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), + // extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), + //) extendersForCreate = append(extendersForCreate, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, "")) @@ -96,9 +100,13 @@ func NewConverterPatch(opts PatchOpts) Converter { opts.Zones)) extendersForPatch = append(extendersForPatch, - extender2.NewDNSExtenderForPatch(opts.Extensions), - extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), - ) + extensions.NewExtensionsExtenderForPatch(opts.AuditLogData, opts.Extensions), + extender2.NewResourcesExtenderForPatch(opts.Resources)) + + //extendersForPatch = append(extendersForPatch, + // extender2.NewDNSExtenderForPatch(opts.Extensions), + // extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), + //) extendersForPatch = append(extendersForPatch, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) diff --git a/pkg/gardener/shoot/extender/auditlogs/extender.go b/pkg/gardener/shoot/extender/auditlogs/extender.go index e35e44a3..02818c69 100644 --- a/pkg/gardener/shoot/extender/auditlogs/extender.go +++ b/pkg/gardener/shoot/extender/auditlogs/extender.go 
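Review bot: The replaced create path passed `opts.Kubernetes.DefaultOperatorOidc` to NewOidcExtenderForCreate, while `extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)` forwards no OIDC settings and NewOIDCExtension takes none, so the operator OIDC configuration appears to be dropped unless another extender applies it. The same question applies to the patch hunk below, where NewOidcExtenderForPatch also received opts.Kubernetes.DefaultOperatorOidc. Please confirm where that configuration is applied now, or add a comment at the call site naming the extender that does. NewConverterCreate starts and ends outside the hunk.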
@@ -13,7 +13,7 @@ func NewAuditlogExtender(policyConfigMapName string, data AuditLogData) Extend { return func(_ imv1.Runtime, shoot *gardener.Shoot) error { for _, f := range []operation{ oSetSecret(data.SecretName), - oSetExtension(data), + //oSetExtension(data), oSetPolicyConfigmap(policyConfigMapName), } { if err := f(shoot); err != nil { diff --git a/pkg/gardener/shoot/extender/resources.go b/pkg/gardener/shoot/extender/resources.go new file mode 100644 index 00000000..e0eb34d5 --- /dev/null +++ b/pkg/gardener/shoot/extender/resources.go @@ -0,0 +1,14 @@ +package extender + +import ( + gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" + imv1 "github.com/kyma-project/infrastructure-manager/api/v1" +) + +func NewResourcesExtenderForPatch(resources []gardener.NamedResourceReference) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + shoot.Spec.Resources = resources + + return nil + } +} From 08dbb11b8ada6786819d5e2636474b812ac15a0d Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 16:14:46 +0100 Subject: [PATCH 29/47] Linter --- pkg/gardener/shoot/converter.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index d912b388..b4ad14ed 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go 
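Review bot: NewResourcesExtenderForPatch is exported without a doc comment and stores the caller's slice header directly in `shoot.Spec.Resources`, so the patched shoot shares a backing array with the existing shoot's Spec.Resources it was taken from. If the two objects are ever mutated independently, `shoot.Spec.Resources = slices.Clone(resources)` (with the slices import) detaches them. Suggest `// NewResourcesExtenderForPatch carries the named resource references of the existing shoot over to the patched shoot.` as the doc comment.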
@@ -2,13 +2,13 @@ package shoot import ( "fmt" - "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/extensions" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" extender2 "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender" "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs" + "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/extensions" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) From ea30bb701c318a11b5483381e9548958c4f111aa Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 17:01:09 +0100 Subject: [PATCH 30/47] Linter --- pkg/gardener/shoot/converter.go | 10 ---------- pkg/gardener/shoot/extender/auditlogs/extender.go | 1 - pkg/gardener/shoot/extender/resources.go | 2 +- 3 files changed, 1 insertion(+), 12 deletions(-) diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index b4ad14ed..880a7452 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -68,11 +68,6 @@ func NewConverterCreate(opts CreateOpts) Converter { extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)) - //extendersForCreate = append(extendersForCreate, - // extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), - // extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), - //) - extendersForCreate = append(extendersForCreate, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, "")) 
@@ -103,11 +98,6 @@ func NewConverterPatch(opts PatchOpts) Converter { extensions.NewExtensionsExtenderForPatch(opts.AuditLogData, opts.Extensions), extender2.NewResourcesExtenderForPatch(opts.Resources)) - //extendersForPatch = append(extendersForPatch, - // extender2.NewDNSExtenderForPatch(opts.Extensions), - // extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), - //) - extendersForPatch = append(extendersForPatch, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) diff --git a/pkg/gardener/shoot/extender/auditlogs/extender.go b/pkg/gardener/shoot/extender/auditlogs/extender.go index 02818c69..e6030b41 100644 --- a/pkg/gardener/shoot/extender/auditlogs/extender.go +++ b/pkg/gardener/shoot/extender/auditlogs/extender.go @@ -13,7 +13,6 @@ func NewAuditlogExtender(policyConfigMapName string, data AuditLogData) Extend { return func(_ imv1.Runtime, shoot *gardener.Shoot) error { for _, f := range []operation{ oSetSecret(data.SecretName), - //oSetExtension(data), oSetPolicyConfigmap(policyConfigMapName), } { if err := f(shoot); err != nil { diff --git a/pkg/gardener/shoot/extender/resources.go b/pkg/gardener/shoot/extender/resources.go index e0eb34d5..a5af2268 100644 --- a/pkg/gardener/shoot/extender/resources.go +++ b/pkg/gardener/shoot/extender/resources.go @@ -6,7 +6,7 @@ import ( ) func NewResourcesExtenderForPatch(resources []gardener.NamedResourceReference) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + return func(_ imv1.Runtime, shoot *gardener.Shoot) error { shoot.Spec.Resources = resources return nil From ed1cb3af0a55c1c177430b237df34624f7f6b9b0 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 17:05:19 +0100 Subject: [PATCH 31/47] Linter --- pkg/gardener/shoot/converter.go | 2 -- pkg/gardener/shoot/extender/extensions/extender.go | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 880a7452..7ec9343c 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -20,8 +20,6 @@ func baseExtenders(cfg config.ConverterConfig) []Extend { extender2.ExtendWithLabels, extender2.ExtendWithSeedSelector, extender2.ExtendWithCloudProfile, - //extender2.ExtendWithNetworkFilter, - //extender2.ExtendWithCertConfig, extender2.ExtendWithExposureClassName, extender2.ExtendWithTolerations, extender2.NewMaintenanceExtender(cfg.Kubernetes.EnableKubernetesVersionAutoUpdate, cfg.Kubernetes.EnableMachineImageVersionAutoUpdate), diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 46a5599f..848d7df8 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -44,7 +44,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData }, { Type: auditlogExtensionType, - Create: func(runtime imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, }, From 546ae884c117ddc3691f2edc3aa89880e4837092 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 17:14:26 +0100 Subject: [PATCH 32/47] Linter --- pkg/gardener/shoot/extender/extensions/extender.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 848d7df8..1552dc47 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go 
@@ -38,7 +38,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData }, { Type: OidcExtensionType, - Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewOIDCExtension() }, }, From a3f99c1351b207119456857e1e10a11a2ff38ced Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 17:31:12 +0100 Subject: [PATCH 33/47] Unit tests --- pkg/gardener/shoot/converter_test.go | 2 +- pkg/gardener/shoot/extender/resources.go | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/gardener/shoot/converter_test.go b/pkg/gardener/shoot/converter_test.go index 1cacd116..de6a70aa 100644 --- a/pkg/gardener/shoot/converter_test.go +++ b/pkg/gardener/shoot/converter_test.go @@ -83,7 +83,7 @@ func TestConverter(t *testing.T) { assert.Nil(t, shoot.Spec.DNS) extensionLen := len(shoot.Spec.Extensions) - require.Equalf(t, extensionLen, 2, "unexpected number of extensions: %d, expected: 3", extensionLen) + require.Equalf(t, extensionLen, 1, "unexpected number of extensions: %d, expected: 3", extensionLen) // consider switchin to NotElementsMatch, whem released https://github.com/Antonboom/testifylint/issues/99 for _, extension := range shoot.Spec.Extensions { assert.NotEqual(t, "shoot-dns-service", extension.Type, "unexpected immutable field extension: 'shoot-dns-service'") diff --git a/pkg/gardener/shoot/extender/resources.go b/pkg/gardener/shoot/extender/resources.go index a5af2268..76f6f1e9 100644 --- a/pkg/gardener/shoot/extender/resources.go +++ b/pkg/gardener/shoot/extender/resources.go 
@@ -7,7 +7,9 @@ import ( func NewResourcesExtenderForPatch(resources []gardener.NamedResourceReference) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(_ imv1.Runtime, shoot *gardener.Shoot) error { - shoot.Spec.Resources = resources + if resources != nil { + shoot.Spec.Resources = resources + } return nil } From dbf4a29895e2aa5947d83b20a212b4c288a43c66 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 17:42:49 +0100 Subject: [PATCH 34/47] Unit tests --- internal/controller/runtime/suite_test.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/internal/controller/runtime/suite_test.go b/internal/controller/runtime/suite_test.go index 8eb94681..a8f22559 100644 --- a/internal/controller/runtime/suite_test.go +++ b/internal/controller/runtime/suite_test.go @@ -19,6 +19,7 @@ package runtime import ( "context" "encoding/json" + v12 "k8s.io/api/core/v1" "path/filepath" "testing" "time" @@ -36,7 +37,6 @@ import ( "github.com/pkg/errors" "github.com/stretchr/testify/mock" v1 "k8s.io/api/autoscaling/v1" - v12 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" //nolint:revive @@ -346,9 +346,13 @@ func fixConverterConfigForTests() config.Config { } func addAuditLogConfigToShoot(shoot *gardener_api.Shoot) { - shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig = &gardener_api.AuditConfig{ - AuditPolicy: &gardener_api.AuditPolicy{ - ConfigMapRef: &v12.ObjectReference{Name: "policy-config-map"}, + shoot.Spec.Kubernetes = gardener_api.Kubernetes{ + KubeAPIServer: &gardener_api.KubeAPIServerConfig{ + AuditConfig: &gardener_api.AuditConfig{ + AuditPolicy: &gardener_api.AuditPolicy{ + ConfigMapRef: &v12.ObjectReference{Name: "policy-config-map"}, + }, + }, }, } From 367e5c9461536e06fd7e15bc55ca8a2854a7f02e Mon Sep 17 00:00:00 2001 
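Review bot: The added `if resources != nil` guard in `NewResourcesExtenderForPatch` means a Runtime that supplies no resource references keeps whatever `spec.resources` the shoot already carries, so a reference that was removed from the Runtime (for instance a credential secret that should no longer be referenced by an extension) can never be dropped through the patch path; it also treats an empty non-nil slice differently from nil, which callers will not expect. If leaving the shoot's references untouched is the intent, state it on the guard: `// nil means the Runtime does not manage resources: keep the references already on the shoot`. Otherwise `if len(resources) > 0` with the same comment at least removes the nil-versus-empty distinction.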
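Review bot: `addAuditLogConfigToShoot` now replaces the whole `shoot.Spec.Kubernetes` value instead of only `KubeAPIServer.AuditConfig`, so a `Version` or any other Kubernetes setting the fixture shoot carried is silently dropped before the audit-log assertions run. If the purpose was only to avoid a nil `KubeAPIServer`, `shoot.Spec.Kubernetes.KubeAPIServer = &gardener_api.KubeAPIServerConfig{AuditConfig: ...}` keeps the rest of the fixture intact. The function continues past the end of the hunk.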
From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 18:37:45 +0100 Subject: [PATCH 35/47] Fix for create scenario --- pkg/gardener/shoot/converter.go | 4 +++- pkg/gardener/shoot/extender/dns.go | 16 ---------------- pkg/gardener/shoot/extender/dns_test.go | 2 -- 3 files changed, 3 insertions(+), 19 deletions(-) diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 7ec9343c..6efb2108 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -62,7 +62,9 @@ func NewConverterCreate(opts CreateOpts) Converter { opts.Provider.AWS.EnableIMDSv2, opts.MachineImage.DefaultName, opts.MachineImage.DefaultVersion, - )) + ), + extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), + ) extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index f9896da2..60dabc0b 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -1,12 +1,10 @@ package extender import ( - "encoding/json" "fmt" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" - apimachineryruntime "k8s.io/apimachinery/pkg/runtime" "k8s.io/utils/ptr" ) @@ -116,20 +114,6 @@ func NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType string) f }, } - extensionJSON, err := json.Marshal(newDNSExtensionConfig(domain, secretName, dnsProviderType)) - if err != nil { - return err - } - - dnsExtension := gardener.Extension{ - Type: "shoot-dns-service", - ProviderConfig: &apimachineryruntime.RawExtension{ - Raw: extensionJSON, - }, - } - - shoot.Spec.Extensions = append(shoot.Spec.Extensions, dnsExtension) - return nil } } diff --git a/pkg/gardener/shoot/extender/dns_test.go b/pkg/gardener/shoot/extender/dns_test.go index a06180ba..67a3c7bb 100644 
--- a/pkg/gardener/shoot/extender/dns_test.go +++ b/pkg/gardener/shoot/extender/dns_test.go @@ -39,8 +39,6 @@ func TestDNSExtender(t *testing.T) { assert.Equal(t, dnsProviderType, *shoot.Spec.DNS.Providers[0].Type) assert.Equal(t, secretName, *shoot.Spec.DNS.Providers[0].SecretName) assert.Equal(t, true, *shoot.Spec.DNS.Providers[0].Primary) - assert.NotEmpty(t, shoot.Spec.Extensions[0].ProviderConfig) - assertExtensionConfig(t, shoot.Spec.Extensions[0].ProviderConfig) }) t.Run("Create DNS config for patch scenario", func(t *testing.T) { From 237a8b88b3e759420a82bb42c5be55c3f994ee2f Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 19:31:03 +0100 Subject: [PATCH 36/47] Fix for index out of bound problem --- pkg/gardener/shoot/extender/extensions/extender.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 1552dc47..43348159 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -78,6 +78,8 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio func newExtensionsExtender(extensionsToApply []Extension, currentGardenerExtensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { + shoot.Spec.Extensions = currentGardenerExtensions + for _, ext := range extensionsToApply { gardenerExtension, err := ext.Create(runtime, *shoot) if err != nil { From cf4a5f7790e948661439cd746b6a73992a2e2046 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 20:44:33 +0100 Subject: [PATCH 37/47] Escaping the rabbit hole --- .../shoot/extender/extensions/extender.go | 32 +++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) 
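Review bot: `shoot.Spec.Extensions = currentGardenerExtensions` in `newExtensionsExtender` aliases the caller's slice, which on the patch path is `s.shoot.Spec.Extensions` of the live shoot object, so any in-place element replacement done by the loop below (its body runs past the hunk) writes through to the object the controller read from the API server, and whether a later `append` shares that backing array depends on its capacity. `slices` is already imported in this file; `shoot.Spec.Extensions = slices.Clone(currentGardenerExtensions)` gives the extender its own copy. Since starting from the extensions already present on the shoot is the behavioural change here, a one-line comment above the assignment saying so would also help the next reader.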
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index 43348159..e0d59940 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -1,6 +1,7 @@ package extensions import ( + "encoding/json" "slices" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -69,8 +70,35 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio }, { Type: auditlogExtensionType, - Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { - return NewAuditLogExtension(auditLogData) + Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + auditLogIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { + return e.Type == auditlogExtensionType + }) + + if auditLogIndex == -1 { + return nil, nil + } + + var existingAuditLogConfig auditlogs.AuditlogExtensionConfig + if err := json.Unmarshal(shoot.Spec.Extensions[auditLogIndex].ProviderConfig.Raw, &existingAuditLogConfig); err != nil { + return nil, err + } + + newAuditLogExtension, err := NewAuditLogExtension(auditLogData) + if err != nil { + return nil, err + } + + var newAuditLogConfig auditlogs.AuditlogExtensionConfig + if err := json.Unmarshal(newAuditLogExtension.ProviderConfig.Raw, &newAuditLogConfig); err != nil { + return nil, err + } + + if newAuditLogConfig != existingAuditLogConfig { + return newAuditLogExtension, nil + } + + return nil, nil }, }, }, extensionsOnTheShoot) From 672faa0580c1f610a2ef5da793ba6ab41c1c07cf Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Mon, 2 Dec 2024 20:59:58 +0100 Subject: [PATCH 38/47] Transferring to parallel universe --- pkg/gardener/shoot/converter.go | 5 +++- .../shoot/extender/extensions/extender.go | 28 +++++++++---------- 2 files changed, 18 insertions(+), 15 deletions(-) 
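Review bot: `shoot.Spec.Extensions[auditLogIndex].ProviderConfig.Raw` is read without a nil check, and `ProviderConfig` is a pointer (`&runtime.RawExtension{}` elsewhere in this series), so an auditlog extension entry with no `providerConfig` panics the reconciler, while one with an empty `Raw` makes `json.Unmarshal` fail and the patch abort instead of the config being corrected. Guard it and treat a missing config as "differs": `if pc := shoot.Spec.Extensions[auditLogIndex].ProviderConfig; pc == nil || len(pc.Raw) == 0 { return NewAuditLogExtension(auditLogData) }`. Separately, the `auditLogIndex == -1` branch returns nil, so a shoot whose auditlog extension was removed out of band is never brought back to the desired state by a patch; if that is intended, a comment such as `// the audit log extension is only reconciled when it already exists on the shoot; adding it is the create path's job` should say so.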
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index 6efb2108..ab47be0a 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -64,6 +64,7 @@ func NewConverterCreate(opts CreateOpts) Converter { opts.MachineImage.DefaultVersion, ), extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), + extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), ) extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)) @@ -99,7 +100,9 @@ func NewConverterPatch(opts PatchOpts) Converter { extender2.NewResourcesExtenderForPatch(opts.Resources)) extendersForPatch = append(extendersForPatch, - extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) + extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion), + extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), + ) var zero auditlogs.AuditLogData if opts.AuditLogData != zero { diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index e0d59940..fc125a70 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go 
@@ -54,20 +54,20 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensionsOnTheShoot []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ - { - Type: OidcExtensionType, - Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { - // If oidc is not set on the shoot we skip it - oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { - return e.Type == OidcExtensionType - }) - - if oidcIndex == -1 { - return nil, nil - } - return NewOIDCExtension() - }, - }, + //{ + // Type: OidcExtensionType, + // Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { + // // If oidc is not set on the shoot we skip it + // oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { + // return e.Type == OidcExtensionType + // }) + // + // if oidcIndex == -1 { + // return nil, nil + // } + // return NewOIDCExtension() + // }, + //}, { Type: auditlogExtensionType, Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { From 707739b753a67b46afc3f1a15b4be6fddc01ec23 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Tue, 3 Dec 2024 07:18:03 +0100 Subject: [PATCH 39/47] Coming back to the future --- pkg/gardener/shoot/converter.go | 15 ++--- pkg/gardener/shoot/converter_test.go | 2 +- .../shoot/extender/auditlogs/extender.go | 8 ++- .../shoot/extender/auditlogs/extender_test.go | 2 +- pkg/gardener/shoot/extender/dns.go | 25 +------ pkg/gardener/shoot/extender/dns_test.go | 53 +-------------- .../shoot/extender/extensions/auditlog.go | 4 +- .../shoot/extender/extensions/extender.go | 20 +----- pkg/gardener/shoot/extender/oidc.go | 39 +---------- pkg/gardener/shoot/extender/oidc_test.go | 65 +------------------ 10 files changed, 23 insertions(+), 210 deletions(-) 
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go index ab47be0a..753ed426 100644 --- a/pkg/gardener/shoot/converter.go +++ b/pkg/gardener/shoot/converter.go @@ -19,6 +19,7 @@ func baseExtenders(cfg config.ConverterConfig) []Extend { extender2.ExtendWithAnnotations, extender2.ExtendWithLabels, extender2.ExtendWithSeedSelector, + extender2.NewOidcExtender(cfg.Kubernetes.DefaultOperatorOidc), extender2.ExtendWithCloudProfile, extender2.ExtendWithExposureClassName, extender2.ExtendWithTolerations, @@ -63,8 +64,7 @@ func NewConverterCreate(opts CreateOpts) Converter { opts.MachineImage.DefaultName, opts.MachineImage.DefaultVersion, ), - extender2.NewDNSExtenderForCreate(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), - extender2.NewOidcExtenderForCreate(opts.Kubernetes.DefaultOperatorOidc), + extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType), ) extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData)) @@ -75,7 +75,7 @@ func NewConverterCreate(opts CreateOpts) Converter { var zero auditlogs.AuditLogData if opts.AuditLogData != zero { extendersForCreate = append(extendersForCreate, - auditlogs.NewAuditlogExtender( + auditlogs.NewAuditlogExtenderForCreate( opts.AuditLog.PolicyConfigMapName, opts.AuditLogData)) } 
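Review bot: Adding `extender2.NewOidcExtender` to `baseExtenders` makes it run on both create and patch, and its helper `setKubeAPIServerOIDCConfig` (visible in the oidc.go hunk of this commit) assigns a fresh `KubeAPIServerConfig` rather than setting the OIDC field, so anything an earlier extender put into `shoot.Spec.Kubernetes.KubeAPIServer` is discarded and every extender that touches API server settings (the audit-log policy ConfigMap, for one) must be appended after this entry. That ordering is now an invisible invariant of this list; please record it next to the entry, e.g. `// NewOidcExtender replaces spec.kubernetes.kubeAPIServer wholesale; keep it before any extender that sets other kubeAPIServer fields`. The list continues outside the hunk.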
@@ -99,17 +99,12 @@ func NewConverterPatch(opts PatchOpts) Converter { extensions.NewExtensionsExtenderForPatch(opts.AuditLogData, opts.Extensions), extender2.NewResourcesExtenderForPatch(opts.Resources)) - extendersForPatch = append(extendersForPatch, - extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion), - extender2.NewOidcExtenderForPatch(opts.Kubernetes.DefaultOperatorOidc, opts.Extensions), - ) + extendersForPatch = append(extendersForPatch, extender2.NewKubernetesExtender(opts.Kubernetes.DefaultVersion, opts.ShootK8SVersion)) var zero auditlogs.AuditLogData if opts.AuditLogData != zero { extendersForPatch = append(extendersForPatch, - auditlogs.NewAuditlogExtender( - opts.AuditLog.PolicyConfigMapName, - opts.AuditLogData)) + auditlogs.NewAuditlogExtenderForPatch(opts.AuditLog.PolicyConfigMapName)) } return newConverter(opts.ConverterConfig, extendersForPatch...) diff --git a/pkg/gardener/shoot/converter_test.go b/pkg/gardener/shoot/converter_test.go index de6a70aa..d0469fd1 100644 --- a/pkg/gardener/shoot/converter_test.go +++ b/pkg/gardener/shoot/converter_test.go @@ -83,7 +83,7 @@ func TestConverter(t *testing.T) { assert.Nil(t, shoot.Spec.DNS) extensionLen := len(shoot.Spec.Extensions) - require.Equalf(t, extensionLen, 1, "unexpected number of extensions: %d, expected: 3", extensionLen) + require.Equalf(t, extensionLen, 0, "unexpected number of extensions: %d, expected: 0", extensionLen) // consider switchin to NotElementsMatch, whem released https://github.com/Antonboom/testifylint/issues/99 for _, extension := range shoot.Spec.Extensions { assert.NotEqual(t, "shoot-dns-service", extension.Type, "unexpected immutable field extension: 'shoot-dns-service'") diff --git a/pkg/gardener/shoot/extender/auditlogs/extender.go b/pkg/gardener/shoot/extender/auditlogs/extender.go index e6030b41..93e2b369 100644 --- a/pkg/gardener/shoot/extender/auditlogs/extender.go +++ b/pkg/gardener/shoot/extender/auditlogs/extender.go 
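Review bot: `require.Equalf(t, extensionLen, 0, ...)` passes the actual value in the expected slot; testify's signature is `Equalf(t, expected, actual, msg, args...)`, so a failure prints the two reversed. `require.Emptyf(t, shoot.Spec.Extensions, "unexpected extensions: %v", shoot.Spec.Extensions)` expresses the new expectation directly. With the expected count now zero the `for _, extension := range shoot.Spec.Extensions` loop that follows can never assert anything, so either drop it or leave a comment saying it is kept as a guard for when extensions are added back.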
@@ -9,7 +9,7 @@ type Extend = func(runtime imv1.Runtime, shoot *gardener.Shoot) error type operation = func(*gardener.Shoot) error -func NewAuditlogExtender(policyConfigMapName string, data AuditLogData) Extend { +func NewAuditlogExtenderForCreate(policyConfigMapName string, data AuditLogData) Extend { return func(_ imv1.Runtime, shoot *gardener.Shoot) error { for _, f := range []operation{ oSetSecret(data.SecretName), @@ -22,3 +22,9 @@ func NewAuditlogExtender(policyConfigMapName string, data AuditLogData) Extend { return nil } } + +func NewAuditlogExtenderForPatch(policyConfigMapName string) Extend { + return func(_ imv1.Runtime, shoot *gardener.Shoot) error { + return oSetPolicyConfigmap(policyConfigMapName)(shoot) + } +} diff --git a/pkg/gardener/shoot/extender/auditlogs/extender_test.go b/pkg/gardener/shoot/extender/auditlogs/extender_test.go index 87a41ba0..0c36b634 100644 --- a/pkg/gardener/shoot/extender/auditlogs/extender_test.go +++ b/pkg/gardener/shoot/extender/auditlogs/extender_test.go @@ -24,7 +24,7 @@ func Test_AuditlogExtender(t *testing.T) { }, } { // given - extendWithAuditlogs := NewAuditlogExtender(tc.policyConfigmapName, tc.data) + extendWithAuditlogs := NewAuditlogExtenderForCreate(tc.policyConfigmapName, tc.data) // when err := extendWithAuditlogs(zero, &tc.shoot) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index 60dabc0b..d4126136 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go 
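Review bot: `NewAuditlogExtenderForPatch` applies only `oSetPolicyConfigmap`, so unlike the create path `data.SecretName` is never re-applied on patch: if the audit-log credential secret is renamed or rotated in configuration, already-provisioned shoots keep pointing at the old one, even though the caller in converter.go still has `opts.AuditLogData` in hand and simply does not pass it. If this is deliberate (for example because the secret reference is carried over from the existing shoot by the resources extender, which I cannot confirm from this hunk), both exported functions need doc comments saying so, e.g. `// NewAuditlogExtenderForPatch re-applies only the audit policy ConfigMap; the credential secret reference set at creation is left untouched.` Without that, the asymmetry between the two constructors reads as an oversight.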
@@ -70,30 +70,7 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten } } -func NewDNSExtenderForPatch(extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return rewriteExtensionExtender("shoot-dns-service", extensions) -} - -func rewriteExtensionExtender(extensionType string, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(_ imv1.Runtime, shoot *gardener.Shoot) error { - extensionToSet := func() *gardener.Extension { - for _, extension := range extensions { - if extension.Type == extensionType { - return &extension - } - } - return nil - }() - - if extensionToSet != nil { - shoot.Spec.Extensions = append(shoot.Spec.Extensions, *extensionToSet) - } - - return nil - } -} - -func NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewDNSExtender(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { domain := fmt.Sprintf("%s.%s", runtime.Spec.Shoot.Name, domainPrefix) isPrimary := true diff --git a/pkg/gardener/shoot/extender/dns_test.go b/pkg/gardener/shoot/extender/dns_test.go index 67a3c7bb..4bb3b161 100644 --- a/pkg/gardener/shoot/extender/dns_test.go +++ b/pkg/gardener/shoot/extender/dns_test.go @@ -1,7 +1,6 @@ package extender import ( - "encoding/json" "testing" gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" @@ -9,8 +8,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/utils/ptr" ) func TestDNSExtender(t *testing.T) { 
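Review bot: In `NewDNSExtender` the `domainPrefix` parameter is appended after the shoot name (`fmt.Sprintf("%s.%s", runtime.Spec.Shoot.Name, domainPrefix)`), so it is really a suffix, and a later commit in this series renames the same parameter of `NewDNSExtension` in extensions/dns.go to `domainSuffix`; renaming it here too keeps the two DNS helpers consistent. The hunk also collapses the create/patch pair into one exported function without a doc comment; something like `// NewDNSExtender sets spec.dns (domain and primary provider) for the shoot; the shoot-dns-service extension itself is no longer added here.` would record what moved, with the second clause being my reading of this commit and worth confirming. The function body continues past the end of the hunk.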
@@ -26,7 +23,7 @@ func TestDNSExtender(t *testing.T) { }, }, } - extender := NewDNSExtenderForCreate(secretName, domainPrefix, dnsProviderType) + extender := NewDNSExtender(secretName, domainPrefix, dnsProviderType) shoot := fixEmptyGardenerShoot("test", "dev") // when 
@@ -40,54 +37,6 @@ func TestDNSExtender(t *testing.T) { assert.Equal(t, secretName, *shoot.Spec.DNS.Providers[0].SecretName) assert.Equal(t, true, *shoot.Spec.DNS.Providers[0].Primary) }) - - t.Run("Create DNS config for patch scenario", func(t *testing.T) { - // given - runtimeShoot := imv1.Runtime{ - Spec: imv1.RuntimeSpec{ - Shoot: imv1.RuntimeShoot{ - Name: "myshoot", - }, - }, - } - - shoot := fixEmptyGardenerShoot("test", "dev") - emptyDnsExtension := gardener.Extension{ - Type: "shoot-dns-service", - ProviderConfig: &runtime.RawExtension{}, - Disabled: ptr.To(false), - } - - shoot.Spec.Extensions = []gardener.Extension{ - emptyDnsExtension, - } - - extender := NewDNSExtenderForPatch(shoot.Spec.Extensions) - - // when - err := extender(runtimeShoot, &shoot) - - // then - require.NoError(t, err) - assert.Empty(t, shoot.Spec.DNS) - assert.Empty(t, shoot.Spec.Extensions[0].ProviderConfig) - assert.Equal(t, emptyDnsExtension, shoot.Spec.Extensions[0]) - }) -} - -func assertExtensionConfig(t *testing.T, rawExtension *runtime.RawExtension) { - var extension DNSExtensionProviderConfig - err := json.Unmarshal(rawExtension.Raw, &extension) - - require.NoError(t, err) - assert.Equal(t, "DNSConfig", extension.Kind) - assert.Equal(t, "service.dns.extensions.gardener.cloud/v1alpha1", extension.APIVersion) - assert.Equal(t, true, extension.DNSProviderReplication.Enabled) - assert.Equal(t, true, *extension.SyncProvidersFromShootSpecDNS) - assert.Equal(t, 1, len(extension.Providers)) - assert.Equal(t, "myshoot.dev.mydomain.com", extension.Providers[0].Domains.Include[0]) - assert.Equal(t, "my-secret", *extension.Providers[0].SecretName) - assert.Equal(t, "aws-route53", *extension.Providers[0].Type) } func fixEmptyGardenerShoot(name, namespace string) gardener.Shoot { diff --git a/pkg/gardener/shoot/extender/extensions/auditlog.go b/pkg/gardener/shoot/extender/extensions/auditlog.go index 5109247b..1e7563be 100644 --- a/pkg/gardener/shoot/extender/extensions/auditlog.go 
+++ b/pkg/gardener/shoot/extender/extensions/auditlog.go @@ -11,7 +11,7 @@ import ( ) const ( - auditlogExtensionType = "shoot-auditlog-service" + AuditlogExtensionType = "shoot-auditlog-service" auditlogReferenceName = "auditlog-credentials" ) @@ -44,7 +44,7 @@ func NewAuditLogExtension(d auditlogs.AuditLogData) (*gardener.Extension, error) } return &gardener.Extension{ - Type: auditlogExtensionType, + Type: AuditlogExtensionType, ProviderConfig: &runtime.RawExtension{ Raw: buffer.Bytes(), }, diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go index fc125a70..8dc2d86c 100644 --- a/pkg/gardener/shoot/extender/extensions/extender.go +++ b/pkg/gardener/shoot/extender/extensions/extender.go @@ -44,7 +44,7 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData }, }, { - Type: auditlogExtensionType, + Type: AuditlogExtensionType, Create: func(_ imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) { return NewAuditLogExtension(auditLogData) }, 
@@ -54,25 +54,11 @@ func NewExtensionsExtenderForCreate(config config.ConverterConfig, auditLogData func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensionsOnTheShoot []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return newExtensionsExtender([]Extension{ - //{ - // Type: OidcExtensionType, - // Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { - // // If oidc is not set on the shoot we skip it - // oidcIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { - // return e.Type == OidcExtensionType - // }) - // - // if oidcIndex == -1 { - // return nil, nil - // } - // return NewOIDCExtension() - // }, - //}, { - Type: auditlogExtensionType, + Type: AuditlogExtensionType, Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) { auditLogIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool { - return e.Type == auditlogExtensionType + return e.Type == AuditlogExtensionType }) if auditLogIndex == -1 { diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index 06d97468..20bc562f 100644 --- a/pkg/gardener/shoot/extender/oidc.go +++ b/pkg/gardener/shoot/extender/oidc.go @@ -4,7 +4,6 @@ import ( gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" "github.com/kyma-project/infrastructure-manager/pkg/config" - "k8s.io/utils/ptr" ) const ( 
@@ -15,14 +14,8 @@ func shouldDefaultOidcConfig(config gardener.OIDCConfig) bool { return config.ClientID == nil && config.IssuerURL == nil } -func NewOidcExtenderForPatch(oidcProvider config.OidcProvider, extensions []gardener.Extension) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { +func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - extensionExtender := rewriteExtensionExtender("shoot-oidc-service", extensions) - - err := extensionExtender(runtime, shoot) - if err != nil { - return err - } oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig if shouldDefaultOidcConfig(oidcConfig) { @@ -41,36 +34,6 @@ func NewOidcExtenderForPatch(oidcProvider config.OidcProvider, extensions []gard } } -func NewOidcExtenderForCreate(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { - setOIDCExtension(shoot) - - oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig - if shouldDefaultOidcConfig(oidcConfig) { - oidcConfig = gardener.OIDCConfig{ - ClientID: &oidcProvider.ClientID, - GroupsClaim: &oidcProvider.GroupsClaim, - IssuerURL: &oidcProvider.IssuerURL, - SigningAlgs: oidcProvider.SigningAlgs, - UsernameClaim: &oidcProvider.UsernameClaim, - UsernamePrefix: &oidcProvider.UsernamePrefix, - } - } - setKubeAPIServerOIDCConfig(shoot, oidcConfig) - - return nil - } -} - -func setOIDCExtension(shoot *gardener.Shoot) { - oidcService := gardener.Extension{ - Type: OidcExtensionType, - Disabled: ptr.To(false), - } - - shoot.Spec.Extensions = append(shoot.Spec.Extensions, oidcService) -} - func setKubeAPIServerOIDCConfig(shoot *gardener.Shoot, oidcConfig gardener.OIDCConfig) { shoot.Spec.Kubernetes.KubeAPIServer = &gardener.KubeAPIServerConfig{ OIDCConfig: &gardener.OIDCConfig{ 
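Review bot: `NewOidcExtender` falls back to the operator's default OIDC provider only when `shouldDefaultOidcConfig` is true, which requires both `ClientID` and `IssuerURL` to be nil, so a Runtime that sets one of them but not the other is passed to the kube-apiserver as a partial OIDC configuration rather than being defaulted or rejected; it is not clear from this hunk whether that is validated elsewhere. If partial configs are meant to be allowed, say so where the predicate is defined: `// only a fully unset ClientID+IssuerURL pair is defaulted; a partially set config is applied as-is and is expected to be validated by Gardener`. Otherwise the predicate should be `config.ClientID == nil || config.IssuerURL == nil` or the partial case should return an error. The remainder of the extender body lies outside the hunk.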
diff --git a/pkg/gardener/shoot/extender/oidc_test.go b/pkg/gardener/shoot/extender/oidc_test.go index 5e3676de..f39b2541 100644 --- a/pkg/gardener/shoot/extender/oidc_test.go +++ b/pkg/gardener/shoot/extender/oidc_test.go @@ -9,8 +9,6 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/utils/ptr" ) func TestOidcExtender(t *testing.T) { 
@@ -46,73 +44,12 @@ func TestOidcExtender(t *testing.T) { } // when - extender := NewOidcExtenderForCreate(defaultOidc) + extender := NewOidcExtender(defaultOidc) err := extender(runtimeShoot, &shoot) // then require.NoError(t, err) assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig) - assert.Equal(t, false, *shoot.Spec.Extensions[0].Disabled) - assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type) }) - - emptyOidcExtension := gardener.Extension{ - Type: "shoot-oidc-service", - ProviderConfig: &runtime.RawExtension{}, - Disabled: ptr.To(false), - } - - for _, testCase := range []struct { - name string - expectedExtension *gardener.Extension - }{ - { - name: "OIDC extension should be added", - expectedExtension: &emptyOidcExtension, - }, - { - name: "OIDC extension should not be added", - }, - } { - runtimeShoot := imv1.Runtime{ - Spec: imv1.RuntimeSpec{ - Shoot: imv1.RuntimeShoot{ - Kubernetes: imv1.Kubernetes{ - KubeAPIServer: imv1.APIServer{ - OidcConfig: gardener.OIDCConfig{ - ClientID: &defaultOidc.ClientID, - GroupsClaim: &defaultOidc.GroupsClaim, - IssuerURL: &defaultOidc.IssuerURL, - SigningAlgs: defaultOidc.SigningAlgs, - UsernameClaim: &defaultOidc.UsernameClaim, - }, - }, - }, - }, - }, - } - - shoot := fixEmptyGardenerShoot("test", "kcp-system") - - if testCase.expectedExtension != nil { - shoot.Spec.Extensions = []gardener.Extension{ - *testCase.expectedExtension, - } - - extender := NewOidcExtenderForPatch(defaultOidc, shoot.Spec.Extensions) - err := extender(runtimeShoot, &shoot) - - require.NoError(t, err) - assert.Equal(t, runtimeShoot.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig, *shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig) - - if testCase.expectedExtension != nil { - assert.Equal(t, emptyOidcExtension, shoot.Spec.Extensions[0]) - assert.Equal(t, "shoot-oidc-service", shoot.Spec.Extensions[0].Type) - } else { - assert.Equal(t, 0, 
len(shoot.Spec.Extensions)) - } - } - } - } From 95ed3f17edfb4ad30c4b7b5e0223cb8addd21d64 Mon Sep 17 00:00:00 2001 From: Arkadiusz Galwas Date: Tue, 3 Dec 2024 07:21:53 +0100 Subject: [PATCH 40/47] Satisfying the linter --- pkg/gardener/shoot/extender/dns.go | 19 ------------------- pkg/gardener/shoot/extender/oidc.go | 1 - 2 files changed, 20 deletions(-) diff --git a/pkg/gardener/shoot/extender/dns.go b/pkg/gardener/shoot/extender/dns.go index d4126136..deee3dd8 100644 --- a/pkg/gardener/shoot/extender/dns.go +++ b/pkg/gardener/shoot/extender/dns.go @@ -5,7 +5,6 @@ import ( gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1" imv1 "github.com/kyma-project/infrastructure-manager/api/v1" - "k8s.io/utils/ptr" ) // The types were copied from the following file: https://github.com/gardener/gardener-extension-shoot-dns-service/blob/master/pkg/apis/service/types.go @@ -52,24 +51,6 @@ type DNSProviderReplication struct { Enabled bool `json:"enabled"` } -func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExtensionProviderConfig { - return &DNSExtensionProviderConfig{ - APIVersion: "service.dns.extensions.gardener.cloud/v1alpha1", - Kind: "DNSConfig", - DNSProviderReplication: &DNSProviderReplication{Enabled: true}, - SyncProvidersFromShootSpecDNS: ptr.To(true), - Providers: []DNSProvider{ - { - Domains: &DNSIncludeExclude{ - Include: []string{domain}, - }, - SecretName: ptr.To(secretName), - Type: ptr.To(dnsProviderType), - }, - }, - } -} - func NewDNSExtender(secretName, domainPrefix, dnsProviderType string) func(runtime imv1.Runtime, shoot *gardener.Shoot) error { return func(runtime imv1.Runtime, shoot *gardener.Shoot) error { domain := fmt.Sprintf("%s.%s", runtime.Spec.Shoot.Name, domainPrefix) diff --git a/pkg/gardener/shoot/extender/oidc.go b/pkg/gardener/shoot/extender/oidc.go index 20bc562f..6685bf6d 100644 --- a/pkg/gardener/shoot/extender/oidc.go +++ b/pkg/gardener/shoot/extender/oidc.go 
@@ -16,7 +16,6 @@ func shouldDefaultOidcConfig(config gardener.OIDCConfig) bool {
func NewOidcExtender(oidcProvider config.OidcProvider) func(runtime imv1.Runtime, shoot *gardener.Shoot) error {
return func(runtime imv1.Runtime, shoot *gardener.Shoot) error {
-
oidcConfig := runtime.Spec.Shoot.Kubernetes.KubeAPIServer.OidcConfig
if shouldDefaultOidcConfig(oidcConfig) {
oidcConfig = gardener.OIDCConfig{
From 2a345b84ec76742e3ab5af326cf05162108667b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?=
Date: Tue, 3 Dec 2024 09:39:09 +0100
Subject: [PATCH 41/47] Add network filter extension extender to include for patch operation
---
pkg/gardener/shoot/extender/extensions/extender.go | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go
index 8dc2d86c..3693cc57 100644
--- a/pkg/gardener/shoot/extender/extensions/extender.go
+++ b/pkg/gardener/shoot/extender/extensions/extender.go
@@ -87,6 +87,12 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio
return nil, nil
},
},
+ {
+ Type: NetworkFilterType,
+ Create: func(runtime imv1.Runtime, _ gardener.Shoot) (*gardener.Extension, error) {
+ return NewNetworkFilterExtension(!runtime.Spec.Security.Networking.Filter.Egress.Enabled)
+ },
+ },
}, extensionsOnTheShoot)
}
From a1b29a14a6eb6fe746340a780943392949919f16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?=
Date: Tue, 3 Dec 2024 18:12:39 +0100
Subject: [PATCH 42/47] Adding unit tests for new extension extender
---
pkg/gardener/shoot/extender/extensions/dns.go | 4 +-
.../shoot/extender/extensions/extender.go | 14 +-
.../extensions/extensions_extender_test.go | 402 ++++++++++++++++++
3 files changed, 411 insertions(+), 9 deletions(-)
create mode 100644 pkg/gardener/shoot/extender/extensions/extensions_extender_test.go
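Review bot: The new NetworkFilterType entry derives the extension's disabled flag by negating `runtime.Spec.Security.Networking.Filter.Egress.Enabled` inline in the Create closure, which reads as a double negative and leaves the zero-value behaviour implicit: a Runtime whose Security block is absent yields `Enabled == false` and therefore a disabled network filter. A named local makes that default visible, e.g. `egressFilterDisabled := !runtime.Spec.Security.Networking.Filter.Egress.Enabled` followed by `return NewNetworkFilterExtension(egressFilterDisabled)`, and a one-line comment on the entry stating that an unset or false Egress.Enabled turns the filter off would let reviewers confirm this is the intended default rather than an oversight. Unlike the AuditlogExtensionType entry above it, the closure ignores the existing shoot (`_ gardener.Shoot`), so the filter state is always recomputed from the Runtime; presumably intended, but worth saying in the same comment. NewExtensionsExtenderForPatch starts outside the hunk.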
diff --git a/pkg/gardener/shoot/extender/extensions/dns.go b/pkg/gardener/shoot/extender/extensions/dns.go
index 0b2be3af..e2ab0ceb 100644
--- a/pkg/gardener/shoot/extender/extensions/dns.go
+++ b/pkg/gardener/shoot/extender/extensions/dns.go
@@ -73,8 +73,8 @@ func newDNSExtensionConfig(domain, secretName, dnsProviderType string) *DNSExten
}
}
-func NewDNSExtension(shootName, secretName, domainPrefix, dnsProviderType string) (*gardener.Extension, error) {
- domain := fmt.Sprintf("%s.%s", shootName, domainPrefix)
+func NewDNSExtension(shootName, secretName, domainSuffix, dnsProviderType string) (*gardener.Extension, error) {
+ domain := fmt.Sprintf("%s.%s", shootName, domainSuffix)
extensionJSON, err := json.Marshal(newDNSExtensionConfig(domain, secretName, dnsProviderType))
if err != nil {
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go
index 3693cc57..a6411f6d 100644
--- a/pkg/gardener/shoot/extender/extensions/extender.go
+++ b/pkg/gardener/shoot/extender/extensions/extender.go
@@ -57,24 +57,24 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio
{
Type: AuditlogExtensionType,
Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) {
+
+ newAuditLogExtension, err := NewAuditLogExtension(auditLogData)
+ if err != nil {
+ return nil, err
+ }
+
auditLogIndex := slices.IndexFunc(shoot.Spec.Extensions, func(e gardener.Extension) bool {
return e.Type == AuditlogExtensionType
})
if auditLogIndex == -1 {
- return nil, nil
+ return newAuditLogExtension, nil
}
-
var existingAuditLogConfig auditlogs.AuditlogExtensionConfig
if err := json.Unmarshal(shoot.Spec.Extensions[auditLogIndex].ProviderConfig.Raw, &existingAuditLogConfig); err != nil {
return nil, err
}
- newAuditLogExtension, err := NewAuditLogExtension(auditLogData)
- if err != nil {
- return nil, err
- }
-
var newAuditLogConfig auditlogs.AuditlogExtensionConfig
if err := json.Unmarshal(newAuditLogExtension.ProviderConfig.Raw, &newAuditLogConfig); err != nil {
return nil, err
diff --git a/pkg/gardener/shoot/extender/extensions/extensions_extender_test.go b/pkg/gardener/shoot/extender/extensions/extensions_extender_test.go
new file mode 100644
index 00000000..39ac8d46
--- /dev/null
+++ b/pkg/gardener/shoot/extender/extensions/extensions_extender_test.go
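Review bot: The early `return newAuditLogExtension, nil` covers only the case where no auditlog extension exists on the shoot; when one exists but carries no provider config, the context line `json.Unmarshal(shoot.Spec.Extensions[auditLogIndex].ProviderConfig.Raw, ...)` dereferences a nil `ProviderConfig`. Since the replacement extension is now built before the lookup, the same fallthrough can absorb that case: `if auditLogIndex == -1 || shoot.Spec.Extensions[auditLogIndex].ProviderConfig == nil { return newAuditLogExtension, nil }`. Whether a shoot extension without ProviderConfig can actually reach this code depends on how the shoot's extension list is populated, which is not visible here. The Create closure and NewExtensionsExtenderForPatch both continue outside the hunk.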
@@ -0,0 +1,402 @@
+package extensions
+
+import (
+ "encoding/json"
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/utils/ptr"
+
+ "testing"
+
+ gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+ imv1 "github.com/kyma-project/infrastructure-manager/api/v1"
+ "github.com/kyma-project/infrastructure-manager/pkg/config"
+ "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
+ "github.com/stretchr/testify/assert"
+)
+
+func TestNewExtensionsExtenderForCreate(t *testing.T) {
+ config := config.ConverterConfig{
+ DNS: config.DNSConfig{
+ SecretName: "test-dns-secret",
+ DomainPrefix: "test-domain",
+ ProviderType: "test-provider",
+ },
+ }
+ auditLogData := auditlogs.AuditLogData{
+ TenantID: "test-auditlog-tenant",
+ ServiceURL: "test-auditlog-service-url",
+ SecretName: "doesnt matter",
+ }
+
+ runtime := fixRuntimeCRForExtensionExtenderTests(false)
+
+ shoot := &gardener.Shoot{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-shoot-name",
+ },
+ }
+
+ extender := NewExtensionsExtenderForCreate(config, auditLogData)
+
+ err := extender(runtime, shoot)
+ assert.NoError(t, err)
+ assert.NotNil(t, shoot.Spec.Extensions)
+ require.Len(t, shoot.Spec.Extensions, 5)
+
+ orderMap := getExpectedExtensionsOrderMapForCreate()
+
+ // checks if all Shoot extensions are correctly filled with data and are generated in the right order
+ for idx, ext := range shoot.Spec.Extensions {
+ assert.NotEmpty(t, ext.Type)
+ assert.Equal(t, orderMap[ext.Type], idx)
+ switch ext.Type {
+ case NetworkFilterType:
+ verifyNetworkFilterExtension(t, ext, true)
+
+ case CertExtensionType:
+ verifyCertExtension(t, ext)
+
+ case DNSExtensionType:
+ verifyDNSExtension(t, ext)
+
+ case OidcExtensionType:
+ verifyOIDCExtension(t, ext)
+
+ case AuditlogExtensionType:
+ verifyAuditLogExtension(t, ext, auditLogData)
+ }
+ }
+}
+
+func TestNewExtensionsExtenderForPatch(t *testing.T) 
{
+
+ oldAuditLogData := auditlogs.AuditLogData{
+ TenantID: "test-auditlog-tenant",
+ ServiceURL: "test-auditlog-service-url",
+ SecretName: "doesnt matter",
+ }
+
+ newAuditLogData := auditlogs.AuditLogData{
+ TenantID: "test-auditlog-new-tenant",
+ ServiceURL: "test-auditlog-new-service",
+ SecretName: "doesnt matter",
+ }
+
+ for _, testCase := range []struct {
+ name string
+ auditLogData auditlogs.AuditLogData
+ disableNetworkFilter bool
+ previousExtensions []gardener.Extension
+ }{
+ {
+ name: "Existing extensions should not change order during patching if nothing has changed",
+ previousExtensions: fixAllExtensionsOnTheShoot(),
+ auditLogData: oldAuditLogData,
+ disableNetworkFilter: true,
+ },
+ {
+ name: "Should update Audit Log extension without changing order and data of other extensions",
+ previousExtensions: fixAllExtensionsOnTheShoot(),
+ auditLogData: newAuditLogData,
+ disableNetworkFilter: true,
+ },
+ {
+ name: "Should update Network filter extension without changing order and data of other extensions",
+ previousExtensions: fixAllExtensionsOnTheShoot(),
+ auditLogData: oldAuditLogData,
+ disableNetworkFilter: false,
+ },
+ {
+ name: "Should add Network filter extension at the end without changing order and data of other extensions",
+ previousExtensions: fixExtensionsOnTheShootWithoutNetworkFilter(),
+ auditLogData: oldAuditLogData,
+ disableNetworkFilter: true,
+ },
+ {
+ name: "Should add Auditlog extension at the end without changing order and data of other extensions",
+ previousExtensions: fixExtensionsOnTheShootWithoutAuditLogs(),
+ auditLogData: oldAuditLogData,
+ disableNetworkFilter: true,
+ },
+ {
+ name: "Should add Auditlog and Network filter extensions at the end without changing order and data of other extensions",
+ previousExtensions: fixExtensionsOnTheShootWithoutAuditLogsAndNetworkFilter(),
+ auditLogData: oldAuditLogData,
+ disableNetworkFilter: true,
+ },
+ } {
+ t.Run(testCase.name, func(t *testing.T) {
+ runtime := 
fixRuntimeCRForExtensionExtenderTests(!testCase.disableNetworkFilter)
+
+ shoot := &gardener.Shoot{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-shoot-name",
+ },
+ }
+
+ extender := NewExtensionsExtenderForPatch(testCase.auditLogData, testCase.previousExtensions)
+ orderMap := getExpectedExtensionsOrderMap(testCase.previousExtensions)
+
+ err := extender(runtime, shoot)
+ assert.NoError(t, err)
+ assert.NotNil(t, shoot.Spec.Extensions)
+ require.Len(t, shoot.Spec.Extensions, 5)
+
+ for idx, ext := range shoot.Spec.Extensions {
+ assert.NotEmpty(t, ext.Type)
+ assert.Equal(t, orderMap[ext.Type], idx)
+
+ switch ext.Type {
+ case NetworkFilterType:
+ verifyNetworkFilterExtension(t, ext, testCase.disableNetworkFilter)
+
+ case CertExtensionType:
+ verifyCertExtension(t, ext)
+
+ case DNSExtensionType:
+ verifyDNSExtension(t, ext)
+
+ case OidcExtensionType:
+ verifyOIDCExtension(t, ext)
+
+ case AuditlogExtensionType:
+ verifyAuditLogExtension(t, ext, testCase.auditLogData)
+ }
+ }
+ })
+ }
+}
+
+func fixAllExtensionsOnTheShoot() []gardener.Extension {
+ return []gardener.Extension{
+ {
+ Type: AuditlogExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"type":"standard","tenantID":"test-auditlog-tenant","serviceURL":"test-auditlog-service-url","secretReferenceName":"test-auditlog-secret"}`),
+ },
+ },
+ {
+ Type: DNSExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.dns.extensions.gardener.cloud/v1alpha1","dnsProviderReplication":{"enabled":true},"syncProvidersFromShootSpecDNS":true,"providers":[{"domains":{"include":["test-shoot-name.test-domain"],"exclude":null},"secretName":"test-dns-secret","type":"test-provider"}],"kind":"DNSConfig"}`),
+ },
+ },
+ {
+ Type: CertExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.cert.extensions.gardener.cloud/v1alpha1","kind":"CertConfig","shootIssuers":{"enabled":true}}`),
+ },
+ },
+ {
+ Type: NetworkFilterType,
+ 
Disabled: ptr.To(true),
+ },
+ {
+ Type: OidcExtensionType,
+ Disabled: ptr.To(false),
+ },
+ }
+}
+
+func fixExtensionsOnTheShootWithoutAuditLogs() []gardener.Extension {
+ return []gardener.Extension{
+ {
+ Type: DNSExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.dns.extensions.gardener.cloud/v1alpha1","dnsProviderReplication":{"enabled":true},"syncProvidersFromShootSpecDNS":true,"providers":[{"domains":{"include":["test-shoot-name.test-domain"],"exclude":null},"secretName":"test-dns-secret","type":"test-provider"}],"kind":"DNSConfig"}`),
+ },
+ },
+ {
+ Type: CertExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.cert.extensions.gardener.cloud/v1alpha1","kind":"CertConfig","shootIssuers":{"enabled":true}}`),
+ },
+ },
+ {
+ Type: NetworkFilterType,
+ Disabled: ptr.To(true),
+ },
+ {
+ Type: OidcExtensionType,
+ Disabled: ptr.To(false),
+ },
+ }
+}
+
+func fixExtensionsOnTheShootWithoutNetworkFilter() []gardener.Extension {
+ return []gardener.Extension{
+ {
+ Type: AuditlogExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"type":"standard","tenantID":"test-auditlog-tenant","serviceURL":"test-auditlog-service-url","secretReferenceName":"test-auditlog-secret"}`),
+ },
+ },
+ {
+ Type: DNSExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.dns.extensions.gardener.cloud/v1alpha1","dnsProviderReplication":{"enabled":true},"syncProvidersFromShootSpecDNS":true,"providers":[{"domains":{"include":["test-shoot-name.test-domain"],"exclude":null},"secretName":"test-dns-secret","type":"test-provider"}],"kind":"DNSConfig"}`),
+ },
+ },
+ {
+ Type: CertExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.cert.extensions.gardener.cloud/v1alpha1","kind":"CertConfig","shootIssuers":{"enabled":true}}`),
+ },
+ },
+ {
+ Type: OidcExtensionType,
+ Disabled: ptr.To(false),
+ },
+ }
+}
+
+func 
fixExtensionsOnTheShootWithoutAuditLogsAndNetworkFilter() []gardener.Extension {
+ return []gardener.Extension{
+ {
+ Type: DNSExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.dns.extensions.gardener.cloud/v1alpha1","dnsProviderReplication":{"enabled":true},"syncProvidersFromShootSpecDNS":true,"providers":[{"domains":{"include":["test-shoot-name.test-domain"],"exclude":null},"secretName":"test-dns-secret","type":"test-provider"}],"kind":"DNSConfig"}`),
+ },
+ },
+ {
+ Type: CertExtensionType,
+ ProviderConfig: &runtime.RawExtension{
+ Raw: []byte(`{"apiVersion":"service.cert.extensions.gardener.cloud/v1alpha1","kind":"CertConfig","shootIssuers":{"enabled":true}}`),
+ },
+ },
+ {
+ Type: OidcExtensionType,
+ Disabled: ptr.To(false),
+ },
+ }
+}
+
+// returns a map with the expected index order of extensions for different ExtenderForPatch unit tests
+func getExpectedExtensionsOrderMap(extensions []gardener.Extension) map[string]int {
+ extensionOrderMap := make(map[string]int)
+
+ for idx, ext := range extensions {
+ extensionOrderMap[ext.Type] = idx
+ }
+
+ if len(extensions) == 4 {
+ if _, ok := extensionOrderMap[AuditlogExtensionType]; !ok {
+ extensionOrderMap[AuditlogExtensionType] = 4
+ }
+
+ if _, ok := extensionOrderMap[NetworkFilterType]; !ok {
+ extensionOrderMap[NetworkFilterType] = 4
+ }
+ }
+
+ if len(extensions) == 3 {
+ extensionOrderMap[AuditlogExtensionType] = 3
+ extensionOrderMap[NetworkFilterType] = 4
+ }
+
+ return extensionOrderMap
+}
+
+// returns a map with the expected index order of extensions for ExtenderForCreate create unit test
+func getExpectedExtensionsOrderMapForCreate() map[string]int {
+ extensionOrderMap := make(map[string]int)
+
+ extensionOrderMap[NetworkFilterType] = 0
+ extensionOrderMap[CertExtensionType] = 1
+ extensionOrderMap[DNSExtensionType] = 2
+ extensionOrderMap[OidcExtensionType] = 3
+ extensionOrderMap[AuditlogExtensionType] = 4
+
+ return extensionOrderMap
+}
+
+func 
verifyAuditLogExtension(t *testing.T, ext gardener.Extension, expected auditlogs.AuditLogData) {
+ var auditlogConfig AuditlogExtensionConfig
+
+ err := json.Unmarshal(ext.ProviderConfig.Raw, &auditlogConfig)
+ require.NoError(t, err)
+
+ assert.Equal(t, "standard", auditlogConfig.Type)
+ assert.Equal(t, expected.TenantID, auditlogConfig.TenantID)
+ assert.Equal(t, expected.ServiceURL, auditlogConfig.ServiceURL)
+ assert.Equal(t, auditlogReferenceName, auditlogConfig.SecretReferenceName)
+ assert.Equal(t, "service.auditlog.extensions.gardener.cloud/v1alpha1", auditlogConfig.APIVersion)
+ assert.Equal(t, "AuditlogConfig", auditlogConfig.Kind)
+}
+
+func verifyOIDCExtension(t *testing.T, ext gardener.Extension) {
+ require.NotNil(t, ext.Disabled)
+ assert.Equal(t, false, *ext.Disabled)
+}
+
+func verifyDNSExtension(t *testing.T, ext gardener.Extension) {
+ require.NotNil(t, ext.ProviderConfig)
+ require.NotNil(t, ext.ProviderConfig.Raw)
+
+ var dnsConfig DNSExtensionProviderConfig
+
+ err := json.Unmarshal(ext.ProviderConfig.Raw, &dnsConfig)
+ require.NoError(t, err)
+ require.NotNil(t, dnsConfig.DNSProviderReplication)
+ require.NotNil(t, dnsConfig.SyncProvidersFromShootSpecDNS)
+
+ assert.Equal(t, "service.dns.extensions.gardener.cloud/v1alpha1", dnsConfig.APIVersion)
+ assert.Equal(t, true, dnsConfig.DNSProviderReplication.Enabled)
+ assert.Equal(t, true, *dnsConfig.SyncProvidersFromShootSpecDNS)
+ assert.Equal(t, "DNSConfig", dnsConfig.Kind)
+
+ require.Len(t, dnsConfig.Providers, 1)
+ provider := dnsConfig.Providers[0]
+
+ require.NotNil(t, provider.Domains)
+ require.NotNil(t, provider.SecretName)
+ require.NotNil(t, provider.Type)
+
+ assert.Equal(t, "test-dns-secret", *provider.SecretName)
+ assert.Equal(t, "test-provider", *provider.Type)
+
+ require.Len(t, provider.Domains.Include, 1)
+ assert.Equal(t, "test-shoot-name.test-domain", provider.Domains.Include[0])
+}
+
+func verifyCertExtension(t *testing.T, ext gardener.Extension) {
+ require.NotNil(t, 
ext.ProviderConfig)
+ require.NotNil(t, ext.ProviderConfig.Raw)
+
+ var certConfig ExtensionProviderConfig
+
+ err := json.Unmarshal(ext.ProviderConfig.Raw, &certConfig)
+ require.NoError(t, err)
+ require.NotNil(t, certConfig.ShootIssuers)
+ assert.Equal(t, "service.cert.extensions.gardener.cloud/v1alpha1", certConfig.APIVersion)
+ assert.Equal(t, true, certConfig.ShootIssuers.Enabled)
+ assert.Equal(t, "CertConfig", certConfig.Kind)
+}
+
+func verifyNetworkFilterExtension(t *testing.T, ext gardener.Extension, isDisabled bool) {
+ require.NotNil(t, ext.Disabled)
+ assert.Equal(t, isDisabled, *ext.Disabled)
+}
+
+func fixRuntimeCRForExtensionExtenderTests(networkFilterEnabled bool) imv1.Runtime {
+ runtime := imv1.Runtime{
+ Spec: imv1.RuntimeSpec{
+ Shoot: imv1.RuntimeShoot{
+ Name: "myshoot",
+ },
+ Security: imv1.Security{
+ Networking: imv1.NetworkingSecurity{
+ Filter: imv1.Filter{
+ Egress: imv1.Egress{
+ Enabled: networkFilterEnabled,
+ },
+ },
+ },
+ },
+ },
+ }
+
+ return runtime
+}
From 90926fe8b3221f35ead716a3a65347172d2277d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Przemys=C5=82aw=20Golicz?=
Date: Tue, 3 Dec 2024 18:32:50 +0100
Subject: [PATCH 43/47] Removing unused code, and references to it
---
internal/controller/runtime/suite_test.go | 3 +-
pkg/gardener/shoot/converter_test.go | 2 +-
.../auditlogs/auditlogs_configuration.go | 6 ++
.../shoot/extender/auditlogs/set_extension.go | 72 -------------------
.../extender/auditlogs/set_extension_test.go | 55 --------------
.../shoot/extender/extensions/extender.go | 4 +-
6 files changed, 11 insertions(+), 131 deletions(-)
delete mode 100644 pkg/gardener/shoot/extender/auditlogs/set_extension.go
delete mode 100644 pkg/gardener/shoot/extender/auditlogs/set_extension_test.go
diff --git a/internal/controller/runtime/suite_test.go b/internal/controller/runtime/suite_test.go
index a8f22559..52fd1155 100644
--- a/internal/controller/runtime/suite_test.go
+++ b/internal/controller/runtime/suite_test.go
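Review bot: Several locals in the new test file shadow imported package names: `config := config.ConverterConfig{...}` in TestNewExtensionsExtenderForCreate, and `runtime := fixRuntimeCRForExtensionExtenderTests(...)` there and in the patch test, plus `runtime := imv1.Runtime{...}` in fixRuntimeCRForExtensionExtenderTests, all shadow the `config` and `k8s.io/apimachinery/pkg/runtime` imports that the same file relies on for `runtime.RawExtension` in the fixtures. It compiles because the packages are not referenced inside those scopes, but it is what gocritic's importShadow reports and it makes the fixtures brittle to extend; renaming to `converterConfig` and `runtimeCR` avoids it. Separately, the len==4 branch of getExpectedExtensionsOrderMap assigns index 4 to whichever of AuditlogExtensionType or NetworkFilterType is absent and silently assumes exactly one is; a one-line comment such as `// with four existing extensions exactly one of auditlog/network-filter is missing and is expected to be appended at index 4` would make that assumption explicit for the next fixture author.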
@@ -19,6 +19,7 @@ package runtime
import (
"context"
"encoding/json"
+ "github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/extensions"
v12 "k8s.io/api/core/v1"
"path/filepath"
"testing"
@@ -377,7 +378,7 @@ func addAuditLogConfigToShoot(shoot *gardener_api.Shoot) {
ext := &shoot.Spec.Extensions[len(shoot.Spec.Extensions)-1]
- cfg := auditlogs.AuditlogExtensionConfig{
+ cfg := extensions.AuditlogExtensionConfig{
TypeMeta: metav1.TypeMeta{
Kind: extensionKind,
APIVersion: extensionVersion,
diff --git a/pkg/gardener/shoot/converter_test.go b/pkg/gardener/shoot/converter_test.go
index d0469fd1..2cf236c3 100644
--- a/pkg/gardener/shoot/converter_test.go
+++ b/pkg/gardener/shoot/converter_test.go
@@ -83,7 +83,7 @@ func TestConverter(t *testing.T) {
assert.Nil(t, shoot.Spec.DNS)
extensionLen := len(shoot.Spec.Extensions)
- require.Equalf(t, extensionLen, 0, "unexpected number of extensions: %d, expected: 0", extensionLen)
+ require.Equalf(t, extensionLen, 2, "unexpected number of extensions: %d, expected: 2", extensionLen)
// consider switchin to NotElementsMatch, whem released https://github.com/Antonboom/testifylint/issues/99
for _, extension := range shoot.Spec.Extensions {
assert.NotEqual(t, "shoot-dns-service", extension.Type, "unexpected immutable field extension: 'shoot-dns-service'")
diff --git a/pkg/gardener/shoot/extender/auditlogs/auditlogs_configuration.go b/pkg/gardener/shoot/extender/auditlogs/auditlogs_configuration.go
index dd5fcff2..26ada3c1 100644
--- a/pkg/gardener/shoot/extender/auditlogs/auditlogs_configuration.go
+++ b/pkg/gardener/shoot/extender/auditlogs/auditlogs_configuration.go
@@ -10,6 +10,12 @@ type region = string
type providerType = string
+type AuditLogData struct {
+ TenantID string `json:"tenantID" validate:"required"`
+ ServiceURL string `json:"serviceURL" validate:"required,url"`
+ SecretName string `json:"secretName" validate:"required"`
+}
+
type Configuration map[providerType]map[region]AuditLogData
func (a Configuration) GetAuditLogData(providerType, region string) (AuditLogData, error) {
diff --git a/pkg/gardener/shoot/extender/auditlogs/set_extension.go b/pkg/gardener/shoot/extender/auditlogs/set_extension.go
deleted file mode 100644
index b3ac7be4..00000000
--- a/pkg/gardener/shoot/extender/auditlogs/set_extension.go
+++ /dev/null
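Review bot: AuditLogData is exported but arrives in this file without a doc comment, so its `validate` tags (`required`, `required,url`) are the only statement of the contract. A comment above the type along the lines of `// AuditLogData is the per-provider, per-region audit log service setting looked up by Configuration.GetAuditLogData: the tenant, the service endpoint (validated as a URL) and the name of the secret referenced for it.` would let readers of GetAuditLogData understand the value without opening the callers; what the secret holds is inferred from the field name and should be confirmed against the consumer before wording it. The type was moved here from the deleted set_extension.go rather than written fresh, so the missing comment is inherited, but this is the place to add it.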
@@ -1,72 +0,0 @@
-package auditlogs
-
-import (
- "bytes"
- "slices"
-
- gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/json"
-)
-
-const (
- auditlogExtensionType = "shoot-auditlog-service"
- auditlogReferenceName = "auditlog-credentials"
-)
-
-type AuditLogData struct {
- TenantID string `json:"tenantID" validate:"required"`
- ServiceURL string `json:"serviceURL" validate:"required,url"`
- SecretName string `json:"secretName" validate:"required"`
-}
-
-type AuditlogExtensionConfig struct {
- metav1.TypeMeta `json:",inline"`
- // Type is the type of auditlog service provider.
- Type string `json:"type"`
- // TenantID is the id of the tenant.
- TenantID string `json:"tenantID"`
- // ServiceURL is the URL of the auditlog service.
- ServiceURL string `json:"serviceURL"`
- // SecretReferenceName is the name of the reference for the secret containing the auditlog service credentials.
- SecretReferenceName string `json:"secretReferenceName"`
-}
-
-func oSetExtension(d AuditLogData) operation {
- return func(s *gardener.Shoot) error {
- cfg := AuditlogExtensionConfig{
- TypeMeta: metav1.TypeMeta{
- Kind: "AuditlogConfig",
- APIVersion: "service.auditlog.extensions.gardener.cloud/v1alpha1",
- },
- Type: "standard",
- TenantID: d.TenantID,
- ServiceURL: d.ServiceURL,
- SecretReferenceName: auditlogReferenceName,
- }
- var buffer bytes.Buffer
- if err := json.NewEncoder(&buffer).Encode(&cfg); err != nil {
- return err
- }
-
- extension := gardener.Extension{
- Type: auditlogExtensionType,
- ProviderConfig: &runtime.RawExtension{
- Raw: buffer.Bytes(),
- },
- }
-
- index := slices.IndexFunc(s.Spec.Extensions, func(e gardener.Extension) bool {
- return e.Type == auditlogExtensionType
- })
-
- if index == -1 { // add extension
- s.Spec.Extensions = append(s.Spec.Extensions, extension)
- return nil
- }
-
- s.Spec.Extensions[index] = extension // update extension
- return nil
- }
-}
diff --git a/pkg/gardener/shoot/extender/auditlogs/set_extension_test.go b/pkg/gardener/shoot/extender/auditlogs/set_extension_test.go
deleted file mode 100644
index 2df89228..00000000
--- a/pkg/gardener/shoot/extender/auditlogs/set_extension_test.go
+++ /dev/null
@@ -1,55 +0,0 @@
-package auditlogs
-
-import (
- "bytes"
- "encoding/json"
- "slices"
- "testing"
-
- gardener "github.com/gardener/gardener/pkg/apis/core/v1beta1"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-)
-
-func Test_oSetExtension(t *testing.T) {
- for _, testCase := range []struct {
- shoot gardener.Shoot
- data AuditLogData
- }{
- {
- shoot: gardener.Shoot{},
- data: AuditLogData{
- TenantID: "tenant-id",
- ServiceURL: "testme",
- },
- },
- } {
- // given
- operate := oSetExtension(testCase.data)
-
- // when
- err := operate(&testCase.shoot)
-
- // then
- require.NoError(t, err)
- requireNoErrorAssetContainsAuditlogExtension(t, testCase.data, testCase.shoot.Spec.Extensions)
- }
-}
-
-func requireNoErrorAssetContainsAuditlogExtension(t *testing.T, data AuditLogData, actual []gardener.Extension) {
- index := slices.IndexFunc(actual, func(e gardener.Extension) bool {
- return e.Type == auditlogExtensionType
- })
-
- assert.NotEqual(t, -1, index, "no %s extension found", auditlogExtensionType)
-
- reader := bytes.NewReader(actual[index].ProviderConfig.Raw)
- var cfg AuditlogExtensionConfig
-
- err := json.NewDecoder(reader).Decode(&cfg)
- require.NoError(t, err)
-
- assert.Equal(t, data.TenantID, cfg.TenantID)
- assert.Equal(t, data.ServiceURL, cfg.ServiceURL)
- assert.Equal(t, auditlogReferenceName, cfg.SecretReferenceName)
-}
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go
index a6411f6d..4abca4db 100644
--- a/pkg/gardener/shoot/extender/extensions/extender.go
+++ b/pkg/gardener/shoot/extender/extensions/extender.go
@@ -70,12 +70,12 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio
if auditLogIndex == -1 {
return newAuditLogExtension, nil
}
- var existingAuditLogConfig auditlogs.AuditlogExtensionConfig
+ var existingAuditLogConfig AuditlogExtensionConfig
if err := json.Unmarshal(shoot.Spec.Extensions[auditLogIndex].ProviderConfig.Raw, &existingAuditLogConfig); err != nil {
return nil, err
}
- var newAuditLogConfig auditlogs.AuditlogExtensionConfig
+ var newAuditLogConfig AuditlogExtensionConfig
if err := json.Unmarshal(newAuditLogExtension.ProviderConfig.Raw, &newAuditLogConfig); err != nil {
return nil, err
}
From 165eb392ea7e68c1b2c4bad2d7185db685f6c161 Mon Sep 17 00:00:00 2001
From: Arkadiusz Galwas
Date: Wed, 4 Dec 2024 10:39:31 +0100
Subject: [PATCH 44/47] Fix for the overwriting tolerations problem
---
pkg/gardener/shoot/converter.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go
index 753ed426..27c5c027 100644
--- a/pkg/gardener/shoot/converter.go
+++ b/pkg/gardener/shoot/converter.go
@@ -22,7 +22,6 @@ func baseExtenders(cfg config.ConverterConfig) []Extend {
extender2.NewOidcExtender(cfg.Kubernetes.DefaultOperatorOidc),
extender2.ExtendWithCloudProfile,
extender2.ExtendWithExposureClassName,
- extender2.ExtendWithTolerations,
extender2.NewMaintenanceExtender(cfg.Kubernetes.EnableKubernetesVersionAutoUpdate, cfg.Kubernetes.EnableMachineImageVersionAutoUpdate),
}
}
@@ -65,6 +64,7 @@ func NewConverterCreate(opts CreateOpts) Converter {
opts.MachineImage.DefaultVersion,
),
extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType),
+ extender2.ExtendWithTolerations,
)
extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData))
From 9ff933b7f6843578c5e64f82e1b7831305babb00 Mon Sep 17 00:00:00 2001
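Review bot: Moving `extender2.ExtendWithTolerations` out of baseExtenders and into the NewConverterCreate list means the patch path no longer touches tolerations at all, which the commit title says is the intent, but nothing at either call site records the decision, and the later "Fix the fix" commit and its revert in this same series show how easily it is re-read as an omission. A one-line comment at the new position, e.g. `// tolerations are applied on create only; on patch the shoot's existing tolerations are deliberately left untouched`, would settle it. If NewConverterPatch is also expected to reconcile tolerations on shoots created before this change, that case is not covered here and needs its own decision. Both hunks sit inside baseExtenders and NewConverterCreate, whose bodies extend past the hunks.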
From: Arkadiusz Galwas
Date: Wed, 4 Dec 2024 10:43:23 +0100
Subject: [PATCH 45/47] Linter, please go away.
---
pkg/gardener/shoot/extender/extensions/extender.go | 1 -
1 file changed, 1 deletion(-)
diff --git a/pkg/gardener/shoot/extender/extensions/extender.go b/pkg/gardener/shoot/extender/extensions/extender.go
index 4abca4db..7760e187 100644
--- a/pkg/gardener/shoot/extender/extensions/extender.go
+++ b/pkg/gardener/shoot/extender/extensions/extender.go
@@ -57,7 +57,6 @@ func NewExtensionsExtenderForPatch(auditLogData auditlogs.AuditLogData, extensio
{
Type: AuditlogExtensionType,
Create: func(_ imv1.Runtime, shoot gardener.Shoot) (*gardener.Extension, error) {
-
newAuditLogExtension, err := NewAuditLogExtension(auditLogData)
if err != nil {
return nil, err
From db657a46335782b7ede122598a70f03df8588403 Mon Sep 17 00:00:00 2001
From: Arkadiusz Galwas
Date: Wed, 4 Dec 2024 10:59:09 +0100
Subject: [PATCH 46/47] Fix the fix
---
pkg/gardener/shoot/converter.go | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go
index 27c5c027..2361c46d 100644
--- a/pkg/gardener/shoot/converter.go
+++ b/pkg/gardener/shoot/converter.go
@@ -63,9 +63,7 @@ func NewConverterCreate(opts CreateOpts) Converter {
opts.MachineImage.DefaultName,
opts.MachineImage.DefaultVersion,
),
- extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType),
- extender2.ExtendWithTolerations,
- )
+ extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType))
extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData))
@@ -93,7 +91,8 @@ func NewConverterPatch(opts PatchOpts) Converter {
opts.MachineImage.DefaultVersion,
opts.ShootImageName,
opts.ShootImageVersion,
- opts.Zones))
+ opts.Zones),
+ extender2.ExtendWithTolerations)
extendersForPatch = append(extendersForPatch, extensions.NewExtensionsExtenderForPatch(opts.AuditLogData, opts.Extensions),
From 1b72715a60736cd46cb5399def00bff165d5de7d Mon Sep 17 00:00:00 2001
From: Arkadiusz Galwas
Date: Wed, 4 Dec 2024 11:04:53 +0100
Subject: [PATCH 47/47] Revert "Fix the fix"
This reverts commit db657a46335782b7ede122598a70f03df8588403.
---
pkg/gardener/shoot/converter.go | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/gardener/shoot/converter.go b/pkg/gardener/shoot/converter.go
index 2361c46d..27c5c027 100644
--- a/pkg/gardener/shoot/converter.go
+++ b/pkg/gardener/shoot/converter.go
@@ -63,7 +63,9 @@ func NewConverterCreate(opts CreateOpts) Converter {
opts.MachineImage.DefaultName,
opts.MachineImage.DefaultVersion,
),
- extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType))
+ extender2.NewDNSExtender(opts.DNS.SecretName, opts.DNS.DomainPrefix, opts.DNS.ProviderType),
+ extender2.ExtendWithTolerations,
+ )
extendersForCreate = append(extendersForCreate, extensions.NewExtensionsExtenderForCreate(opts.ConverterConfig, opts.AuditLogData))
@@ -91,8 +93,7 @@ func NewConverterPatch(opts PatchOpts) Converter {
opts.MachineImage.DefaultVersion,
opts.ShootImageName,
opts.ShootImageVersion,
- opts.Zones),
- extender2.ExtendWithTolerations)
+ opts.Zones))
extendersForPatch = append(extendersForPatch, extensions.NewExtensionsExtenderForPatch(opts.AuditLogData, opts.Extensions),