support extension on Garden resource

Makefile

@@ -15,6 +15,7 @@ VERSION                     := $(shell git describe --tag --always --dirty)
 export TAG                  := $(VERSION)
 LEADER_ELECTION             := false
 IGNORE_OPERATION_ANNOTATION := false
+REGISTRY := registry.local.gardener.cloud:5001
 
 SHELL=/usr/bin/env bash -o pipefail
 
@@ -109,9 +110,10 @@ generate: $(HELM) $(YQ)
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
 	@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg
 
-.PHONY: test
+.PHONY: test 
+test: DIRS ?= "./cmd/... ./pkg/..."
 test: $(REPORT_COLLECTOR) $(SETUP_ENVTEST)
-	@./hack/test.sh ./cmd/... ./pkg/...
+	@./hack/test.sh $(DIRS)
 
 .PHONY: test-cov
 test-cov:
@@ -145,7 +147,7 @@ verify-extended: verify-tidy verify-generate check format test artifacts
 
 # speed-up skaffold deployments by building all images concurrently
 extension-%: export SKAFFOLD_BUILD_CONCURRENCY = 0
-extension-%: export SKAFFOLD_DEFAULT_REPO ?= registry.local.gardener.cloud:5001
+extension-%: export SKAFFOLD_DEFAULT_REPO ?= $(REGISTRY)
 extension-%: export SKAFFOLD_PUSH = true
 # use static label for skaffold to prevent rolling all gardener components on every `skaffold` invocation
 extension-%: export SKAFFOLD_LABEL = skaffold.dev/run-id=acl

charts/gardener-extension-acl/templates/deployment.yaml

@@ -22,9 +22,10 @@ spec:
       labels:
         networking.gardener.cloud/to-dns: allowed
         networking.gardener.cloud/to-runtime-apiserver: allowed
+        networking.resources.gardener.cloud/to-garden-virtual-garden-kube-apiserver-tcp-443: allowed
 {{ include "labels" . | indent 8 }}
     spec:
-      priorityClassName: gardener-system-900
+      priorityClassName: {{ default "gardener-system-900" .Values.gardener.runtimeCluster.priorityClassName }}
       serviceAccountName: {{ include "name" . }}
       containers:
       - name: {{ include "name" . }}
@@ -43,7 +44,16 @@ spec:
         {{- if .Values.gardener.version }}
         - --gardener-version={{ .Values.gardener.version }}
         {{- end }}
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - --extension-classes=garden
+        {{- else }}
+        - --extension-classes=shoot
+        {{- end }}
         env:
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - name: GARDEN_KUBECONFIG
+          value: /var/run/secrets/gardener.cloud/garden/generic-kubeconfig/kubeconfig
+        {{- end }}
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:
             fieldRef:
@@ -65,16 +75,33 @@ spec:
           runAsGroup: 65532
           seccompProfile:
             type: RuntimeDefault
-        {{- if .Values.imageVectorOverwrite }}
         volumeMounts:
+        {{- if .Values.gardener.runtimeCluster.enabled }}
+        - name: kubeconfig
+          mountPath: /var/run/secrets/gardener.cloud/garden/generic-kubeconfig
+          readOnly: true
+        {{- end }}
+        {{- if .Values.imageVectorOverwrite }}
         - name: extension-imagevector-overwrite
           mountPath: /charts_overwrite/
           readOnly: true
         {{- end }}
-      {{- if .Values.imageVectorOverwrite }}
       volumes:
+      {{- if .Values.imageVectorOverwrite }}
       - name: extension-imagevector-overwrite
         configMap:
           name: {{ include "name" . }}-imagevector-overwrite
           defaultMode: 420
       {{- end }}
+      {{- if .Values.gardener.runtimeCluster.enabled }}
+      - name: kubeconfig
+        projected:
+          defaultMode: 420
+          sources:
+          - secret:
+              items:
+              - key: kubeconfig
+                path: kubeconfig
+              name: garden-kubeconfig
+              optional: false
+      {{- end }}

charts/gardener-extension-acl/templates/rbac-garden.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.gardener.runtimeCluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}:garden
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - operator.gardener.cloud
+  resources:
+  - gardens
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}:garden
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}:garden
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/gardener-extension-acl/templates/rbac-shoot.yaml

@@ -0,0 +1,42 @@
+{{- if not .Values.gardener.runtimeCluster.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "name" . }}:shoot
+  labels:
+{{ include "labels" . | indent 4 }}
+rules:
+- apiGroups:
+  - extensions.gardener.cloud
+  resources:
+  - clusters
+  - dnsrecords
+  - infrastructures
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "name" . }}:shoot
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "name" . }}:shoot
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/gardener-extension-acl/templates/rbac.yaml

@@ -18,24 +18,6 @@ rules:
   - delete
   resources:
   - envoyfilters
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - extensions.gardener.cloud
-  resources:
-  - clusters
-  - dnsrecords
-  - infrastructures
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - extensions.gardener.cloud
   resources:
@@ -67,28 +49,6 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
-  - create
-  - update
-  - patch
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterroles
-  - clusterrolebindings
-  - roles
-  - rolebindings
-  verbs:
-  - get
-  - create
-  - update
-  - patch
-  - delete
 - apiGroups:
   - ""
   resources:
@@ -197,4 +157,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "name" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Release.Namespace }}

charts/gardener-extension-acl/templates/secret.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  annotations:
+    serviceaccount.resources.gardener.cloud/name: extension-acl
+    serviceaccount.resources.gardener.cloud/inject-ca-bundle: "true"
+    serviceaccount.resources.gardener.cloud/labels: '{"extension": "acl"}'
+  labels:
+    resources.gardener.cloud/class: garden
+    resources.gardener.cloud/purpose: token-requestor
+  name: garden-kubeconfig
+  namespace: {{ .Release.Namespace }}
+stringData:
+  kubeconfig: |
+    apiVersion: v1
+    clusters:
+    - cluster:
+        server: https://virtual-garden-kube-apiserver.garden.svc.cluster.local
+      name: default
+    contexts:
+    - context:
+        cluster: default
+        user: token
+      name: default
+    current-context: default
+    kind: Config
+    users:
+    - name: token
+      user: {}

charts/gardener-extension-acl/values.yaml

@@ -38,3 +38,6 @@ additionalAllowedCidrs: []
 
 gardener:
   version: ""
+  runtimeCluster:
+    enabled: false
+    priorityClassName: ""

charts/seed/templates/envoyfilter/envoyfilter-api.yaml

@@ -1,7 +1,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-api-{{ .Values.shootName }}
+  name: acl-api-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}

charts/seed/templates/envoyfilter/envoyfilter-http-proxy.yaml

@@ -1,8 +1,10 @@
+{{- if .Values.httpProxyEnvoyFilterSpec }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-http-proxy-{{ .Values.shootName }}
+  name: acl-http-proxy-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}
 spec: {{- .Values.httpProxyEnvoyFilterSpec | toYaml | nindent 2 }}
+{{- end }}

charts/seed/templates/envoyfilter/envoyfilter-ingress.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-ingress-{{ .Values.shootName }}
+  name: acl-ingress-{{ .Values.suffix }}
   namespace: istio-ingress
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}

charts/seed/templates/envoyfilter/envoyfilter-vpn.yaml

@@ -1,8 +1,10 @@
+{{- if .Values.vpnEnvoyFilterSpec }}
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
 metadata:
-  name: acl-vpn-{{ .Values.shootName }}
+  name: acl-vpn-{{ .Values.suffix }}
   namespace: {{ .Values.targetNamespace }}
   labels:
     {{- include "gardener-extension.labels" . | nindent 4 }}
 spec: {{- .Values.vpnEnvoyFilterSpec | toYaml | nindent 2 }}
+{{- end }}

charts/seed/values.yaml

@@ -1 +1,3 @@
-# TODO
+suffix: ""
+targetNamespace: ""
+