address PR feedback

Author: Wieneo

Makefile

@@ -47,11 +47,7 @@ run:
 		./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 		--kubeconfig=${KUBECONFIG} \
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
-		--leader-election=$(LEADER_ELECTION) \
-		--webhook-config-mode=url \
-		--webhook-config-url="host.docker.internal:9443" \
-		--webhook-config-cert-dir=example/certs \
-		--webhook-config-server-port=9443
+		--leader-election=$(LEADER_ELECTION)
 
 .PHONY: debug
 debug:

README.md

@@ -48,6 +48,8 @@ Broadly speaking, there are two different external traffic flows:
 1. Kubernetes API Listener (via SNI name)
 2. Apiserver-Proxy / Reversed-VPN Listener
 
+*Please note that this changed with [GEP-30](https://github.com/gardener/gardener/blob/master/docs/proposals/30-apiserver-proxy.md) as the dedicated Kubernetes Service Listener for the apiserver-proxy was removed.*
+
 These ways are described in more detail in the aforementioned GEP. Essentially,
 these two ways are all represented by a specific Envoy listener with filters.
 The extension needs to hook into each of these filters (and their filter chains)
@@ -67,10 +69,6 @@ require a unique way of handling them, respectively.
    but also an "inverted" policy which matches all shoots that don't have ACL
    enabled. All these policies are then put in a single EnvoyFilter patch.
 
-![Listener Overview](./docs/listener-overview.svg)
-
-*Please note that the `Kubernetes Service Listener` doesn't exist anymore in current versions of Gardener.*
-
 Because of the last point, we currently see no way of allowing the user to
 define multiple rules of different action types (`ALLOW` or `DENY`). Instead, we
 only support a single `ALLOW` rule per shoot, which is in our opinion the best

charts/gardener-extension-acl/templates/deployment.yaml

@@ -5,6 +5,7 @@ metadata:
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
   labels:
+    high-availability-config.resources.gardener.cloud/type: controller
 {{ include "labels" . | indent 4 }}
 spec:
   revisionHistoryLimit: 0

cmd/gardener-extension-acl/app/app.go

@@ -24,7 +24,9 @@ import (
 	"github.com/spf13/cobra"
 	istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
 	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
+	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -103,6 +105,12 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not add controllers to manager: %s", err)
 	}
 
+	// TODO(Wieneo): Remove this once a couple extension versions included the migration code
+	// migration code: remove mutating webhook from cluster as it is not served by this controller anymore
+	if err := client.IgnoreNotFound(mgr.GetClient().Delete(ctx, &admissionregistrationv1.MutatingWebhookConfiguration{ObjectMeta: metav1.ObjectMeta{Name: ExtensionName}})); err != nil {
+		return fmt.Errorf("could not delete mutatingwebhook %s: %s", ExtensionName, err)
+	}
+
 	if err := mgr.Start(ctx); err != nil {
 		return fmt.Errorf("error running manager: %s", err)
 	}

deploy/extension/base/controller-registration.yaml

@@ -4,7 +4,7 @@ kind: ControllerDeployment
 metadata:
   name: acl
 helm:
-  rawChart: H4sIAAAAAAAAA+1b62/juBHfz/orWG+B2z2c5Ecc587AAs1l070FNg8k2xRFUQS0RNu8SKJKUvZ6H/3bOyT1siRHdpJNLq3mQyJR5HDImd9whqRnmHskJNwmnyQJBWWhjV2/++IhqQd0sL+v/wOV/+vn/t6wP9gfjEaqvD/s9/sv0P6DSrGBYiExR+gFZ0zeVq/p+zOlWb3+nTnxAzoLGSf370MpeDQcbtQ/qL2k/9FgOHqBevfvupn+z/X/Ep1jKQkPBZIMGY2j5ZyEaBJT36PhDEXYvcEzIhzrJfo4pwKJOIoYl/AAVuKjmc8mKMDSnUPtnxAnPpZ0QaCdnBfKcegBg5DM4CsL0auIkyn9RDy0pFDvT68ddBb6K8RC3VKJhCLCkU9D4ljO28vrSwmyAYsjFgTA4OroEnmUC8uZUdnVf434ljP5zLv6b1own3XVn/RVLMJuzmgC44sjNKU+EdaPjlhG8HeCb+CvDOD5P1D1CnPKYoHevz2GDiPOfieutBzqEdw19aDIchbCZR7pWk+t1e1pA/6P5phLZ4UD/wH6aML/oHdQxn9vb7/F/2MQjugV4UrvY7ToWziKstdO3+l1LI8Il9NI6qJD9BusC8hV1oGmjCM5J+hdYkLo8OgDyszIsUIckDGqNzBrkfbSc6CbZwSY/zHagH9JggjcOBEPEQnuHv+N+uAS2vjvEahR/9ewxsM6LBwZ3XUtaIz/9vbW9T/oDfcGrf9/DPryxUYeBGIQdXWUw+4g+9s3a4PTVpVJ6OkqVrGljyfEFw6sHs4NWRke+iWeQBxHwI4cyrqK/xqPDSwW2I8TQb58QTR0/djLxHNQ0vAWQaptywIqLmO0oUbSv+6pOgoagsWELtHNnQviEyyIcwrClSR7atVuRY34d1k4pbMARzYNIAtYQNzLuM1g/V5yKsk2MWIT/oejUvwHDwfDFv+PQcpe6RQ5V8rmwb6Vjq+0js9SFSuztm3bKoWKNzT0xpBDKfM4wZEVEIk9LPHYQsiEfvXgrbejpJGAZLMGWbpYyYGQwem4Bt2K/VcoBHuWaAi1v1mpPLpLcb1utWP0VXG5dehr/DJwPxNsb0ON+PdI5LNVAHNw53SwAf/7APwS/vv9/Xb/51GoDGxY70Q3Q/fbTPlbw/t7ANkSEXFVx5wsqJLzNyoApqsPNKASUkj9JfKpi4XpMoF0UnjEYmCkOxUgi0K4YobM5tSH7eQYGQYpMBIGhUlRhMOQSb2/JdKiLR0sSsidE/dGxEFh3c2RWes51xTxKuIUhP2z8zGR0/kVpv5c7cR1tlrKO6/1oMUcD/ZHIEcuW+78koJUganoECEtGQfDmTmpV3Fcn8VeVzLbgxlB2PfZknjbteCgNBoQG6xTEA5C5u0bVPVzKmNqNopgYhiMcnXkYyFO17cmxEqAXu1fer2ksuqQuuTQdZXpnN5u7lptLJQYIlCezYfdhBJDWhNrRqtLKlXOY98/Z2DNq2rl/FuxGeazgnJsZNsB/mSDoG7MOUyTzYl6Ubuebwoc1Ug4832V8uWVL1ehK4rcFb85wb6ca4vdnXehcVM/HhV44hO70LzINfl8lH8FU/id0RB1fuqUeZktYJtBSqtxaueQ3SSpaXKWtjjMGpR5g5vz1EqqXIyGq/dmQwhUqrnGRW+u2Wrz/E1XP4vsc8mXYM+jqjn2Dw0wjqjHK7OX17IT/Niuqlcc7gZO9dNYcQQVwTIwJ7t8ZZEy4CXfi6Lc1ramZxIuikZuMPfh+PDt8cX18Yfjo4/vz06vTw9Pji/PD4+Os5oI6STvr5wF40IhQlNKfO+CTNdLk3LlR8eZ03eydW7TPDQ5+1Te9yeH746vQNizi+uzq+OLv1+8/1iRdYwSc8jD2G5tXLuDojgRLOYuWTOarFCviZL9A3jWtPiKJKdB7nX7vd2MpGlyBAGfoBw2QBGWwKJCtB2fc7oABzMjx8LFPjYb1FPsi1wdC+bHATlRPlxUraRhXS30FygORvlVHRTqcYC1OsQaw9TEZPNc7DQTZhCVdWVb6d00QStO4J3ys5Q8MsWxL0+YBzyGg15hUMkonzqobWlrasz/IgZrg+CxPgGaxN6M7JwINu7/Dkvn/4O93kGb/z0KJa5oJtErlTjUZU6vUb9uCyjSEWeeK54z721mKL9qQ/ljJI0Qmv4txAtMfRUmavYinjSO997J4rNwiI345xPs3vMiQAP+h3vwbf387+BAnf+1+P/+VEa1VjeO5RyS5c86qHJuftbnHvmWrw9zRvgF88kuAN8Fujz2VcRjIxDtHWdxpMMfu7hhQAUIB3JBOcQok6SCcjrqvw+f9cNSoVY/RdlTHIHIRD+6ELIljx6gXT8W4l9VDhkGW02pD0MWVYky2IjSFkaVkWvmTZjeQqFyZO6ZVxpOORYQNboyhmZbDeo+suRVS69dgIOMtxOgdlYrUmU9NwoV4BAiTy8rbRCioLtlnW5z0RLVVkTrdKpCZOvQHZUArwU9GOzU2AKYAgvSQn16qRPwDZ0WhloZYHXCN0F4o0ly5hNRLpgAIAFopjyvUfq0o7C7aqMDWSAnUnTMG6QloXn5zoahtsHrxMlPQxqlyLu+64S4DPwDDW9XoQ6TSppIOrwnw7Rch2Dm29bbWQVhCkNO52gTdLyACoUbTmYwi/x2OYNY7cKFsyWZzBm7MXlubBpt7792Qlb98lOSawZMlni1pfu41/L7q8Hhd1uFoYtkKyydiFskhFrV+KBBHojD1UVavdSbxpdrO+/N49kmbXjqGOuPTI3xf3IUgo1C7pQJNOX/e/1+Kf8fQGEb/z8GbbzYUQLik2by4G6Y3oNdF+ojuyHZnu9TT+QzpUb8LyJ8398BNOC/vzcq//7nYH/U5v+PQqWjCKVtEqp9Mq9uz08BUZ22qAioHJdAJUnh2znzDpNqhD+03zB7ejVCp0FY8Rx8vczs4mUH9bqQFs9Vsk/mvP+HH3+wsgMgGiYHo8VTFDeKtaic/DumHGass1kiJ2fhQDtERdasc8tAys0K52Pq9knA+OpOIpimd5Eiabm+v4kQgAhC3OzgtO5KkSqvXCtqOo2CCiYuLyrRlJgDqMLRsRK8WNnJ6z2b/djHpg3+f2Fm9GF+ANbo/weDyu8/D9r7/49Cyf2j2dzlypvDZLg3VJpLWPW2MdZxgbQq15LeT0+ZPAfPoXBtFU9UxmigCgppsvI6wCTxvtqRdvZ7Qccq+rXOaHhCO5YFuFb1knUpO1yvc+9VR615A2tr3Wcq1o2+paMWMhCgcBtIVSpdVwL2ULjxllB+KaFw5SlbjMqMrOptpjH6578sq/6Kjvn2EtVdIVD3m1+i9PLzWD/ntwcwBHhElyFk5vGCRExQqadnLmUkxt2ucOdLzD9T+RePLBz8OebEcVmQl+dPjrgh3Wv1W9yEeeG+VtIPL/TAyczRu96qnUPiXt9JjC+5AqjYrYsp8Qx00nMGzi+glNQ6x2ajJfnNYqf17S211FJLLbXUUksttdRSSy21VKH/AhO14U4AUAAA
+  rawChart: H4sIAAAAAAAAA+1bbW/juBHez/oVrLfA7R5O8ksc587AAs1l070FNi9ItimKoghoiZZ5kUSVpOz1vvS3d0jKkizJkZ1kk6an+ZBIFDkccuYZzpC0j7lHIsJt8kmSSFAW2dgNui8eknpAB/v7+j9Q+b9+7u8N+4P9wWikyvvDfr//Au0/qBQbKBESc4RecMbkbfWavj9T8uv178xIEFI/Ypzcvw+l4NFwuFH/oPaS/keD4egF6t2/62b6g+v/JTrHUhIeCSQZMhpHixmJ0CShgUcjH8XYvcE+EY71En2cUYFEEseMS3gAKwmQH7AJCrF0Z1D7J8RJgCWdE2gnZ4VyHHnAICI+fGURehVzMqWfiIcWFOr96bWDzqJgiVikWyqRUEw4CmhEHMt5e3l9KUE2YHHEwhAYXB1dIo9yYTk+lV3914hvOZPPvKv/rgpmflf9Wb2KedTNGU1gfEmMpjQgwvrREYsY/k7wDfyVITz/B6peYU5ZItD7t8fQYczZ78SVlkM9grumHhRZzly4zCNd66m1uj1twP/RDHPpLHEYPEAfTfgf9A7K+O/t7bf4fwzCMb0iXOl9jOZ9C8dx9trpO72O5RHhchpLXXSIfoN1AbnKOtCUcSRnBL1LTQgdHn1AmRk5VoRDMkb1BmbNV730HOjmGQHm/4w24F+SMAY3TsRDRIK7x3+jPriENv57BGrU/zWs8bAOC0fGd10LGuO/vb11/Q96w71B6/8fg758sZEHgRhEXR3lsDvI/vbN2uC0VWUSebqKVWwZ4AkJhAOrh3NDloaHfkkmEMcRsCOHsq7iv8ZjA4s5DpJUkC9fEI3cIPEy8RyUNrxFkGrbsoCKyxhtqJH2r3uqjoJGYDGRS3Rz54IEBAvinIJwJcmeWrVbUSP+XRZNqR/i2KYhZAFziHsZtxms3wtOJdkmRmzC/3BUiv/g4WDY4v8xSNkrnSLnStk82LfS8ZXW8dlKxcqsbdu2SqHiDY28MeRQyjxOcGyFRGIPSzy2EDKhXz146+0obSQg2axBli5WciBkcDquQbdi/xUKwZ4lGkLtb9ZKHt2luF632jH6qrjcOvQ1fhm4nwm2t6FG/HskDtgyhDm4czrYgP/9wd6whP9+f/+gxf9jUBnYsN6Jbobut5nyt4b3zkBGQDPqz2w8xxQKaUDl0jbLjsOJYAl3AZ4rQ3XcgCVeVy5jYA+1JGdBQPg2/sASMXFVh5zMqRrub1QA2pcfaEglZKL6SxxQFwsjeeoZ0sIjlgAjLbuAISlHYaTXe1wftvNLI8Ngha+UQWFuFeEoYlJvk4lV0ZZ+GqXkzoh7I5KwsHznAK91wGv6fBVzCsL+2fmYyun8Cho8Vxt6na0igs5rPWgxw4P9EciRy5b70LSgaAeKINBaMA7251d0zmwPZgThIGAL4m3XgoPSaEhsMHJBOAiZt29Q1c8rGVdmowgmhsEol0cBFuJ0fYdDLAXo1f6l10srqw6pSw5dV5nO6e2o0WoDe8YQyPJsPuwmsBnSmlgzWl1SqXKeBME5A2teVivn34rNMPcLyrGRbYf4k4Knm3AO02Rzol7U5umbAsccmfo5rXy5jFxR5K74zQgO5Exb7O68C42b+vGowJOA2IXmRa7p56P8K5jC74xGqPNTp8zL7CTbDDJjjVM7h+wmSU2Ts1WLw6xBmTd4S08tyMrFaLh6bzZEUqWaa1z0Hp2t9uDfdPWzyD6XfAn2PKqa4+DQAOOIerwye3ktO8WP7ap6xeFu4FQ/jRVHUBEsA3O6WVgWKQNe+r0oym1ta3om0bxo5AZzH44P3x5fXB9/OD76+P7s9Pr08OT48vzw6DiriZDOFf/KWTguFCI0pSTwLsh0vTQtV350nDl9J1suN81Dk7Nfyfv+5PDd8RUIe3ZxfXZ1fPH3i/cfK7KOUWoOeTTcrQ2Pd1BUtkoX62SFek2U7B/As6bFVyQ5DXOv2+/tZiRNkyMI+ATlsAGKsAQWFaLt+JzTOTgYnxwLFwfY7HNPcSBydcxZkITkRPlwUbWShnW10F+oOBjlV3VQqMcB1uosbAxTk5DNc7HTTJhBVNaVbaV3V3lecQLvlOatyCNTnATyhHnAYzjoFQaVjvKpY+M/AjXmfzEDpy54ok+AJonnk50Twcb932Hp/H+w1ztoz/8fhVIf4kv0SkX8dSnPa9Sv2wKKdaiY54rnzHubGcqv2lC+X9K4S7YHMeXfojS5DAx7kUwax3vvLO9ZeLJG/PMJdu95EaAB/8O9YWn/p39w0Gv3fx6FyqjW6saJnEGW+1lHQ87Nz/rcI9/yDWDOCL9gAdkF4LtAlyeBClVsBKK94yyJddxiFzN9KkA4kAvKIbiYpBWU01H/A/isHxYKtfopzp6SGEQm+tGFWCt99ADt+rEQuKpySA3YckoDGLKoSpTBprxDVWXkmnkTprdIqOSWe+aVRlOOBYR7rkyg2VaDuo8sedXSaxfgIJPtBKid1YpUm7bwqkKFOIKQ0ctKG4Qo6G5Rp9tctFS1FdE6naoQ2Tp0RyXAa0EPBjs1tgCmwMJVoT691Jnzhk4LQ60MsDrhmyC80SQ5C4goF0wAkAA0U57XKH3aUdhdtdGB9I0TKTrmDfKJyLx8Z8NQ2+B14uSnIY1S5F3fdUJcBv6BRrerUIdJJU2kHd6T4apch2Dm29b7UAVhCkNezdEm6HghFQo3nPgwi/x2OcNEbZ9F/oJMZozdmAQ1MY229187Iat++SnJ5QOTBV5u6T7utfz+anD43VZh6CLdw1pNxC0SQq1qfNAgD8Th6iKtXupN48u1LfPm8WyTNjx1jPW/TI3xf3qGgY1C7pQJNOX/e/1+Kf8fQGEb/z8GbbzYUQLik2by4G6Y3jxdF+ojuyHZZu1TT+QzpUb8z2N8398BNOC/vzcq//7nYH/U5v+PQqUzBKVtEql9Mq9uz08BUR2TqAioHJdAJUnh2znzDtNqhD+03zB7ejVCr4Kw4gH2epnZxctO2HUhLR6IZJ/MQf0PP/5gZSc3NEpPNIvHH26caFE5+XdCOcxYZ7NETs7CgXaIiqxZ55aBlJsVDrbUtZGQ8eWdRDBN7yJF2nJ9fxMhABGEuNmJZ92VIlVeuVbUdIwEFUxcXlSiKTEnR4UzXyV4sbKT13s2+7GPTRv8/9zM6MP8AKzR/w8Gld9/HrT3/x+F0otD/szlypvDZLg3VJrbU/W2MdZxgbQq94neT0+ZPAfPoXBtFU9UxmigCgppsvI6wCT1vtqRdvZ7Yccq+rXOaHhCO5YFuFb10nUpOxWvc+9VR615A2tr3Wcq1o2+paMWMhCgcI1HVSrdMwL2ULjxek9+m6BwVylbjMqMrOo1pDH6578sq/5ujfn2EtWd/av7zS/R6vLzWD/nx/4YAjyiyxAy83hBYiao1NMzkzIW425XuLMF5p+p/ItH5g7+nHDiuCzMy/MnR9yQ7rX6LW7KvHDRKu2HF3rgxHf0rrdq55Ck13dS40vv7il262JK7INOes7A+QWUsrLOsdloSX+z2Gl9e0sttdRSSy211FJLLbXUUkstVei/OmhDrwBQAAA=
   values:
     image: ghcr.io/stackitcloud/gardener-extension-acl:latest
 ---