
[GEP-30] Drop webhook code unneeded with RemoveAPIServerProxyLegacyPort #120


Draft: wants to merge 4 commits into base branch main

Conversation

@Wieneo (Contributor) commented Mar 27, 2025

What this PR does / why we need it:
This PR drops all code related to handling pre-existing EnvoyFilters.

Before the GEP-30 work and the RemoveAPIServerProxyLegacyPort feature gate, this was needed to modify gardener-supplied EnvoyFilters and ensure the ACLs get applied correctly.

If / When the mentioned feature gate goes GA / is enabled, this code does nothing and is unneeded.

Which issue(s) this PR fixes:
Part of gardener/gardener#11214

Special notes for your reviewer:
I would suggest we only merge this once the mentioned feature gate is GA, in order to not introduce more complexity for extension operators.
Otherwise we would need to specify that this extension can only be used when the feature gate is enabled.
/hold

@Wieneo (Contributor, Author) commented Mar 31, 2025

Tested changes on ondemand: https://github.com/stackitcloud/ske-stages/issues/4391

controllerdeployment:

```yaml
apiVersion: core.gardener.cloud/v1
helm:
  rawChart: [...]
  values:
    additionalAllowedCidrs:
    - 192.0.2.1/32
    - 193.148.171.216/32
    image: ghcr.io/stackitcloud/gardener-extension-acl:v1.5.0-9-gb9e6a4f2
    vpa:
      enabled: true
      resourcePolicy:
        minAllowed:
          cpu: 50m
          memory: 128Mi
kind: ControllerDeployment
metadata:
  creationTimestamp: "2025-03-28T10:05:28Z"
  finalizers:
  - core.gardener.cloud/controllerdeployment
  generation: 3
  labels:
    kustomize.toolkit.fluxcd.io/name: extensions-deployments
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: acl
  resourceVersion: "1309806"
  uid: 5d66dbd9-4765-41dd-9b55-aa147a98b5e9
```

ACL extension seems to still be working:

```console
❯ gardenctl target --garden ond-a85597 --shoot no-acl
Successfully targeted shoot "no-acl"
❯ k get ns
NAME              STATUS   AGE
default           Active   11m
kube-node-lease   Active   11m
kube-public       Active   11m
kube-system       Active   11m


❯ gardenctl target --garden ond-a85597 --shoot acl
Successfully targeted shoot "acl"
❯ k get ns
E0331 14:44:55.290602   37441 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: Get \"https://api.acl.ondemand.s.ond-a85597.ci.ske.eu01.stackit.cloud/api?timeout=32s\": EOF"
```

Ingress:

```console
❯ curl -kv https://gu-ondemand--acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud/
* Host gu-ondemand--acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud:443 was resolved.
* IPv6: (none)
* IPv4: 100.64.1.79
*   Trying 100.64.1.79:443...
* Connected to gu-ondemand--acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud (100.64.1.79) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to gu-ondemand--acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud:443
* Closing connection
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to gu-ondemand--acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud:443



❯ curl -kv https://gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud/
* Host gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud:443 was resolved.
* IPv6: (none)
* IPv4: 100.64.1.80
*   Trying 100.64.1.80:443...
* Connected to gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud (100.64.1.80) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  start date: Mar 28 13:43:17 2025 GMT
*  expire date: Mar 28 13:43:17 2026 GMT
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: gu-ondemand--no-acl.ingress.s-eu01-000.garden.s.ond-a85597.ci.ske.eu01.stackit.cloud
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 404
< date: Mon, 31 Mar 2025 12:45:31 GMT
< content-type: text/html; charset=utf-8
< content-length: 1329
< strict-transport-security: max-age=31536000; includeSubDomains
<


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Ingress Default Backend - 404 Not Found</title>
[...]
```

@Wieneo Wieneo added hold and removed hold labels Mar 31, 2025
@Wieneo (Contributor, Author) commented Mar 31, 2025

This can only be released once the feature gate "RemoveAPIServerProxyLegacyPort" reaches GA in Gardener.

@Wieneo Wieneo force-pushed the drop-unused-webhook branch from d9764b9 to 6c3752b Compare April 16, 2025 11:45
@timebertt timebertt changed the title Drop unneeded webhook code [GEP-30] Drop webhook code unneeded with RemoveAPIServerProxyLegacyPort Apr 17, 2025
@timebertt (Member) left a comment

Very nice, thank you!

@timebertt timebertt self-assigned this Apr 17, 2025
@Wieneo Wieneo force-pushed the drop-unused-webhook branch from 6c3752b to f8bce24 Compare April 17, 2025 09:44
@timebertt (Member) commented

You need to rebase this PR :)

@Wieneo Wieneo force-pushed the drop-unused-webhook branch from 8d15d2d to 120d4e4 Compare April 17, 2025 12:54
@Wieneo Wieneo force-pushed the drop-unused-webhook branch from 120d4e4 to 8438f81 Compare April 17, 2025 13:06
@timebertt (Member) left a comment

Thanks, this PR looks good apart from the two nits.
As you suggested, let's keep it open until the feature gate RemoveAPIServerProxyLegacyPort has been promoted to GA.

@timebertt (Member) left a comment

I'll put this back into draft so that nobody merges this accidentally 😄

@timebertt timebertt marked this pull request as draft April 29, 2025 07:48