Changing way extensions are handled in KIM and matchers

config/rbac/role.yaml

@@ -20,6 +20,7 @@ rules:
   - infrastructuremanager.kyma-project.io
   resources:
   - gardenerclusters
+  - runtimes
   verbs:
   - create
   - delete

hack/runtime-migrator/cmd/migration.go

@@ -16,7 +16,6 @@ import (
 	"github.com/kyma-project/infrastructure-manager/pkg/config"
 	"github.com/kyma-project/infrastructure-manager/pkg/gardener/kubeconfig"
 	"github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/auditlogs"
-	"github.com/pkg/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -139,7 +138,7 @@ func (m Migration) Do(ctx context.Context, runtimeIDs []string) error {
 				return
 			}
 
-			reportSuccess(runtimeID, shoot.Name, "Runtime have been applied")
+			reportSuccess(runtimeID, shoot.Name, "Runtime has been applied")
 		}
 	}
 

hack/runtime-migrator/internal/runtime/verifier.go

@@ -66,13 +66,36 @@ func (v Verifier) newConverter(shootToMatch v1beta1.Shoot) (gardener_shoot.Conve
 		return gardener_shoot.Converter{}, err
 	}
 
+	imgName, imgVersion := getImageNameAndVersion(shootToMatch.Spec.Provider.Workers)
+
 	return gardener_shoot.NewConverterPatch(gardener_shoot.PatchOpts{
-		ConverterConfig: v.converterConfig,
-		AuditLogData:    auditLogData,
-		Zones:           getZones(shootToMatch.Spec.Provider.Workers),
+		ConverterConfig:   v.converterConfig,
+		AuditLogData:      auditLogData,
+		Zones:             getZones(shootToMatch.Spec.Provider.Workers),
+		ShootK8SVersion:   shootToMatch.Spec.Kubernetes.Version,
+		ShootImageName:    imgName,
+		ShootImageVersion: imgVersion,
+		Extensions:        shootToMatch.Spec.Extensions,
+		Resources:         shootToMatch.Spec.Resources,
 	}), nil
 }
 
+func getImageNameAndVersion(workers []v1beta1.Worker) (string, string) {
+	var imageName, imageVersion string
+
+	for _, worker := range workers {
+		if worker.Machine.Image != nil {
+			imageName = worker.Machine.Image.Name
+			if worker.Machine.Image.Version != nil {
+				imageVersion = *worker.Machine.Image.Version
+			}
+			break
+		}
+	}
+
+	return imageName, imageVersion
+}
+
 func getZones(workers []v1beta1.Worker) []string {
 	var zones []string
 

hack/shoot-comparator/pkg/shoot/matcher.go

@@ -5,6 +5,8 @@ import (
 	"reflect"
 	"strings"
 
+	"github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/runtime"
+
 	"github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	"github.com/kyma-project/infrastructure-manager/hack/shoot-comparator/pkg/errors"
 	"github.com/onsi/gomega"
@@ -164,6 +166,15 @@ func (m *Matcher) Match(actual interface{}) (success bool, err error) {
 			actual:        shootToMatch.Labels,
 			path:          "metadata/labels",
 		},
+		{
+			GomegaMatcher: gstruct.MatchElements(
+				idResource,
+				gstruct.IgnoreMissing,
+				resources(shootToMatch.Spec.Resources),
+			),
+			actual: shootActual.Spec.Resources,
+			path:   "spec/resources",
+		},
 	}
 
 	for _, matcher := range matchers {
@@ -230,6 +241,14 @@ func idToleration(v interface{}) string {
 	return fmt.Sprintf("%s:%s", toleration.Key, val(toleration.Value))
 }
 
+func idResource(v interface{}) string {
+	res, ok := v.(v1beta1.NamedResourceReference)
+	if !ok {
+		panic("invalid type")
+	}
+	return fmt.Sprintf("%s", res.Name)
+}
+
 func tolerations(ts []v1beta1.Toleration) gstruct.Elements {
 	out := map[string]types.GomegaMatcher{}
 	for _, t := range ts {
@@ -242,6 +261,18 @@ func tolerations(ts []v1beta1.Toleration) gstruct.Elements {
 	return out
 }
 
+func resources(ts []v1beta1.NamedResourceReference) gstruct.Elements {
+	out := map[string]types.GomegaMatcher{}
+	for _, t := range ts {
+		ID := idResource(t)
+		out[ID] = gstruct.MatchAllFields(gstruct.Fields{
+			"Name":        gomega.BeComparableTo(t.Name),
+			"ResourceRef": gomega.BeComparableTo(t.ResourceRef),
+		})
+	}
+	return out
+}
+
 func idProvider(v interface{}) string {
 	provider, ok := v.(v1beta1.DNSProvider)
 	if !ok {
@@ -339,7 +370,7 @@ func newKubeAPIServerMatcher(k v1beta1.Kubernetes) types.GomegaMatcher {
 			"KubernetesConfig":                    gstruct.Ignore(),
 			"AdmissionPlugins":                    gstruct.Ignore(),
 			"APIAudiences":                        gstruct.Ignore(),
-			"AuditConfig":                         gstruct.Ignore(),
+			"AuditConfig":                         gomega.BeComparableTo(k.KubeAPIServer.AuditConfig),
 			"RuntimeConfig":                       gstruct.Ignore(),
 			"ServiceAccountConfig":                gstruct.Ignore(),
 			"WatchCacheSizes":                     gstruct.Ignore(),
@@ -393,7 +424,7 @@ func extensions(es []v1beta1.Extension) gstruct.Elements {
 		ID := idExtension(e)
 		out[ID] = gstruct.MatchAllFields(gstruct.Fields{
 			"Type":           gomega.BeComparableTo(e.Type),
-			"ProviderConfig": newProviderCfgMatcher(e.Type, e.ProviderConfig),
+			"ProviderConfig": runtime.NewRawExtensionMatcher(e.ProviderConfig),
 			"Disabled":       gomega.BeComparableTo(e.Disabled),
 		})
 	}

hack/shoot-comparator/pkg/shoot/matcher_test.go

@@ -934,32 +934,6 @@ var _ = Describe(":: shoot matcher :: ", func() {
 			})),
 			true,
 		),
-		Entry(
-			"should find no differences in spec/extensions #2",
-			deepCp(empty, withShootSpec(v1beta1.ShootSpec{
-				Extensions: []v1beta1.Extension{
-					{
-						Type:     "shoot-dns-service",
-						Disabled: ptr.To[bool](true),
-						ProviderConfig: &runtime.RawExtension{
-							Raw: []byte("{\"apiVersion\":\"service.dns.extensions.gardener.cloud/v1alpha1\",\"kind\":\"DNSConfig\",\"dnsProviderReplication\":{\"enabled\":true},\"providers\":[{\"domains\":{\"include\":[\"a50de45.dev.kyma.ondemand.com\"]},\"secretName\":\"route53-secret-dev\",\"type\":\"aws-route53\"}],\"syncProvidersFromShootSpecDNS\":true}"),
-						},
-					},
-				},
-			})),
-			deepCp(empty, withShootSpec(v1beta1.ShootSpec{
-				Extensions: []v1beta1.Extension{
-					{
-						Type:     "shoot-dns-service",
-						Disabled: ptr.To[bool](true),
-						ProviderConfig: &runtime.RawExtension{
-							Raw: []byte("{\"apiVersion\":\"service.dns.extensions.gardener.cloud/v1alpha1\",\"kind\":\"DNSConfig\",\"dnsProviderReplication\":{\"enabled\":true},\"providers\":[{\"domains\":{\"include\":[\"a50de45.dev.kyma.ondemand.com\"]},\"secretName\":\"xxx-route53-secret-dev\",\"type\":\"aws-route53\"}],\"syncProvidersFromShootSpecDNS\":true}"),
-						},
-					},
-				},
-			})),
-			true,
-		),
 		Entry(
 			"should find no differences in spec/extensions #3",
 			deepCp(empty, withShootSpec(v1beta1.ShootSpec{

internal/controller/runtime/fsm/runtime_fsm_configure_oidc.go

@@ -25,6 +25,19 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct
 			"True",
 			"OIDC extension disabled",
 		)
+
+		return switchState(sFnApplyClusterRoleBindings)
+	}
+
+	if !multiOidcSupported(s.instance) {
+		// New OIDC functionality is supported only for new clusters
+		m.log.Info("Multi OIDC is not supported for migrated runtimes")
+		s.instance.UpdateStatePending(
+			imv1.ConditionTypeOidcConfigured,
+			imv1.ConditionReasonOidcConfigured,
+			"True",
+			"Multi OIDC not supported for migrated runtimes",
+		)
 		return switchState(sFnApplyClusterRoleBindings)
 	}
 
@@ -37,15 +50,14 @@ func sFnConfigureOidc(ctx context.Context, m *fsm, s *systemState) (stateFn, *ct
 		return updateStatusAndStopWithError(err)
 	}
 
+	m.log.Info("OIDC has been configured", "Name", s.shoot.Name)
 	s.instance.UpdateStatePending(
 		imv1.ConditionTypeOidcConfigured,
 		imv1.ConditionReasonOidcConfigured,
 		"True",
 		"OIDC configuration completed",
 	)
 
-	m.log.Info("OIDC has been configured", "Name", s.shoot.Name)
-
 	return switchState(sFnApplyClusterRoleBindings)
 }
 
@@ -108,6 +120,10 @@ func isOidcExtensionEnabled(shoot gardener.Shoot) bool {
 	return false
 }
 
+func multiOidcSupported(runtime imv1.Runtime) bool {
+	return runtime.Labels["operator.kyma-project.io/created-by-migrator"] != "true" //nolint:all
+}
+
 func createOpenIDConnectResource(additionalOidcConfig gardener.OIDCConfig, oidcID int) *authenticationv1alpha1.OpenIDConnect {
 	toSupportedSigningAlgs := func(signingAlgs []string) []authenticationv1alpha1.SigningAlgorithm {
 		var supportedSigningAlgs []authenticationv1alpha1.SigningAlgorithm

internal/controller/runtime/fsm/runtime_fsm_configure_oidc_test.go

@@ -53,6 +53,45 @@ func TestOidcState(t *testing.T) {
 		assertEqualConditions(t, expectedRuntimeConditions, systemState.instance.Status.Conditions)
 	})
 
+	t.Run("Should switch state to ApplyClusterRoleBindings when  multi OIDC support is disabled", func(t *testing.T) {
+		// given
+		ctx := context.Background()
+		fsm := &fsm{}
+
+		runtimeStub := runtimeForTest()
+		runtimeStub.ObjectMeta.Labels = map[string]string{
+			"operator.kyma-project.io/created-by-migrator": "true",
+		}
+
+		shootStub := shootForTest()
+		oidcService := gardener.Extension{
+			Type:     "shoot-oidc-service",
+			Disabled: ptr.To(false),
+		}
+		shootStub.Spec.Extensions = append(shootStub.Spec.Extensions, oidcService)
+
+		systemState := &systemState{
+			instance: runtimeStub,
+			shoot:    shootStub,
+		}
+
+		expectedRuntimeConditions := []metav1.Condition{
+			{
+				Type:    string(imv1.ConditionTypeOidcConfigured),
+				Reason:  string(imv1.ConditionReasonOidcConfigured),
+				Status:  "True",
+				Message: "Multi OIDC not supported for migrated runtimes",
+			},
+		}
+
+		// when
+		stateFn, _, _ := sFnConfigureOidc(ctx, fsm, systemState)
+
+		// then
+		require.Contains(t, stateFn.name(), "sFnApplyClusterRoleBindings")
+		assertEqualConditions(t, expectedRuntimeConditions, systemState.instance.Status.Conditions)
+	})
+
 	t.Run("Should configure OIDC using defaults", func(t *testing.T) {
 		// given
 		ctx := context.Background()

internal/controller/runtime/fsm/runtime_fsm_patch_shoot.go

@@ -45,6 +45,8 @@ func sFnPatchExistingShoot(ctx context.Context, m *fsm, s *systemState) (stateFn
 		ShootK8SVersion:   s.shoot.Spec.Kubernetes.Version,
 		ShootImageName:    imgName,
 		ShootImageVersion: imgVersion,
+		Extensions:        s.shoot.Spec.Extensions,
+		Resources:         s.shoot.Spec.Resources,
 	})
 
 	if err != nil {

internal/controller/runtime/suite_test.go

@@ -19,6 +19,8 @@ package runtime
 import (
 	"context"
 	"encoding/json"
+	"github.com/kyma-project/infrastructure-manager/pkg/gardener/shoot/extender/extensions"
+	v12 "k8s.io/api/core/v1"
 	"path/filepath"
 	"testing"
 	"time"
@@ -36,7 +38,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/mock"
 	v1 "k8s.io/api/autoscaling/v1"
-	v12 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	//nolint:revive
@@ -346,9 +347,13 @@ func fixConverterConfigForTests() config.Config {
 }
 
 func addAuditLogConfigToShoot(shoot *gardener_api.Shoot) {
-	shoot.Spec.Kubernetes.KubeAPIServer.AuditConfig = &gardener_api.AuditConfig{
-		AuditPolicy: &gardener_api.AuditPolicy{
-			ConfigMapRef: &v12.ObjectReference{Name: "policy-config-map"},
+	shoot.Spec.Kubernetes = gardener_api.Kubernetes{
+		KubeAPIServer: &gardener_api.KubeAPIServerConfig{
+			AuditConfig: &gardener_api.AuditConfig{
+				AuditPolicy: &gardener_api.AuditPolicy{
+					ConfigMapRef: &v12.ObjectReference{Name: "policy-config-map"},
+				},
+			},
 		},
 	}
 
@@ -373,7 +378,7 @@ func addAuditLogConfigToShoot(shoot *gardener_api.Shoot) {
 
 	ext := &shoot.Spec.Extensions[len(shoot.Spec.Extensions)-1]
 
-	cfg := auditlogs.AuditlogExtensionConfig{
+	cfg := extensions.AuditlogExtensionConfig{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       extensionKind,
 			APIVersion: extensionVersion,