From fe031469707b9979244c877276750ceed8ff8110 Mon Sep 17 00:00:00 2001 From: Andreas Burger Date: Thu, 30 Jan 2025 15:25:50 +0100 Subject: [PATCH] update image dependencies also contains removal of the csi-validator-webhook --- ...napshot-validation-webhook-deployment.yaml | 72 ------------------- ...alidation-webhook-poddisruptionbudget.yaml | 15 ---- ...i-snapshot-validation-webhook-service.yaml | 25 ------- .../csi-snapshot-validation-webhook-vpa.yaml | 16 ----- .../charts/csi-driver-controller/values.yaml | 11 --- ...lusterrolebinding-snapshot-validation.yaml | 13 ---- .../csi-snapshot-validation-webhook.yaml | 19 ----- imagevector/images.yaml | 29 +++----- pkg/controller/controlplane/valuesprovider.go | 51 +------------ .../controlplane/valuesprovider_test.go | 16 ----- pkg/controller/healthcheck/add.go | 4 -- pkg/openstack/types.go | 4 -- pkg/webhook/controlplane/ensurer.go | 5 -- pkg/webhook/controlplane/ensurer_test.go | 2 - 14 files changed, 10 insertions(+), 272 deletions(-) delete mode 100644 charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-deployment.yaml delete mode 100644 charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-poddisruptionbudget.yaml delete mode 100644 charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-service.yaml delete mode 100644 charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-vpa.yaml delete mode 100644 charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrolebinding-snapshot-validation.yaml delete mode 100644 charts/internal/shoot-system-components/charts/csi-driver-node/templates/csi-snapshot-validation-webhook.yaml 
diff --git a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-deployment.yaml b/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-deployment.yaml
deleted file mode 100644
index 155620f87..000000000
--- a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-deployment.yaml
+++ /dev/null
@@ -1,72 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: csi-snapshot-validation - namespace: {{ .Release.Namespace }} - labels: - app: snapshot-validation - high-availability-config.resources.gardener.cloud/type: server -spec: - replicas: {{ .Values.csiSnapshotValidationWebhook.replicas }} - selector: - matchLabels: - app: snapshot-validation - template: - metadata: - annotations: -{{- if .Values.csiSnapshotValidationWebhook.podAnnotations }} -{{ toYaml .Values.csiSnapshotValidationWebhook.podAnnotations | indent 8 }} -{{- end }} - labels: - app: snapshot-validation - networking.gardener.cloud/to-dns: allowed - networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed - spec: - automountServiceAccountToken: false - priorityClassName: gardener-system-200 - containers: - - name: openstack-csi-snapshot-validation - image: {{ index .Values.images "csi-snapshot-validation-webhook" }} - imagePullPolicy: IfNotPresent - args: - - --tls-cert-file=/etc/csi-snapshot-validation/tls.crt - - --tls-private-key-file=etc/csi-snapshot-validation/tls.key - - --kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig - ports: - - containerPort: 443 -{{- if .Values.csiSnapshotValidationWebhook.resources }} - resources: -{{ toYaml .Values.csiSnapshotValidationWebhook.resources | indent 10 }} -{{- end }} - readinessProbe: - tcpSocket: - port: 443 - initialDelaySeconds: 5 - volumeMounts: - - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig - name: kubeconfig - readOnly: true - - name: csi-snapshot-validation - mountPath: /etc/csi-snapshot-validation - readOnly: true - volumes: - - name: kubeconfig - projected: - defaultMode: 420 - sources: - - secret: - items: - - key: kubeconfig - path: kubeconfig - name: {{ .Values.global.genericTokenKubeconfigSecretName }} - optional: false - - secret: - items: - - key: token - path: token - name: shoot-access-csi-snapshot-validation - optional: false - - name: 
csi-snapshot-validation - secret: - secretName: {{ .Values.csiSnapshotValidationWebhook.secrets.server }} - diff --git a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-poddisruptionbudget.yaml b/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-poddisruptionbudget.yaml deleted file mode 100644 index 86a52db78..000000000 --- a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-poddisruptionbudget.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: policy/v1 -kind: PodDisruptionBudget -metadata: - name: csi-snapshot-validation - namespace: {{ .Release.Namespace }} - labels: - app: snapshot-validation -spec: - maxUnavailable: 1 - selector: - matchLabels: - app: snapshot-validation -{{- if semverCompare ">= 1.26-0" .Capabilities.KubeVersion.Version }} - unhealthyPodEvictionPolicy: AlwaysAllow -{{- end }} diff --git a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-service.yaml b/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-service.yaml deleted file mode 100644 index 6b5cb9a8a..000000000 --- a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-service.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: csi-snapshot-validation - namespace: {{ .Release.Namespace }} - annotations: - networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports: '[{"protocol":"TCP","port":443}]' - {{- if .Values.csiSnapshotValidationWebhook.topologyAwareRoutingEnabled }} - {{- if semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version }} - service.kubernetes.io/topology-mode: "auto" - {{- else }} - service.kubernetes.io/topology-aware-hints: "auto" - {{- end }} - {{- end }} - labels: - {{- if .Values.csiSnapshotValidationWebhook.topologyAwareRoutingEnabled }} - endpoint-slice-hints.resources.gardener.cloud/consider: "true" - {{- end }} -spec: - selector: - app: snapshot-validation - ports: - - protocol: TCP - port: 443 - targetPort: 443 diff --git a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-vpa.yaml b/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-vpa.yaml deleted file mode 100644 index b01454d4c..000000000 --- a/charts/internal/seed-controlplane/charts/csi-driver-controller/templates/csi-snapshot-validation-webhook-vpa.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: autoscaling.k8s.io/v1 -kind: VerticalPodAutoscaler -metadata: - name: csi-snapshot-webhook-vpa - namespace: {{ .Release.Namespace }} -spec: - resourcePolicy: - containerPolicies: - - containerName: openstack-csi-snapshot-validation - controlledValues: RequestsOnly - targetRef: - apiVersion: apps/v1 - kind: Deployment - name: csi-snapshot-validation - updatePolicy: - updateMode: Auto diff --git a/charts/internal/seed-controlplane/charts/csi-driver-controller/values.yaml b/charts/internal/seed-controlplane/charts/csi-driver-controller/values.yaml index 31298190f..ca285aed3 100644 --- a/charts/internal/seed-controlplane/charts/csi-driver-controller/values.yaml 
+++ b/charts/internal/seed-controlplane/charts/csi-driver-controller/values.yaml @@ -10,7 +10,6 @@ images: csi-resizer: image-repository:image-tag csi-liveness-probe: image-repository:image-tag csi-snapshot-controller: image-repository:image-tag - csi-snapshot-validation-webhook: image-repository:image-tag socketPath: /var/lib/csi/sockets/pluginproxy timeout: 3m @@ -60,13 +59,3 @@ csiSnapshotController: requests: cpu: 11m memory: 32Mi -csiSnapshotValidationWebhook: - replica: 1 - podAnnotations: {} - secrets: - server: csi-snapshot-validation-server - resources: - requests: - cpu: 10m - memory: 32Mi - topologyAwareRoutingEnabled: false diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrolebinding-snapshot-validation.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrolebinding-snapshot-validation.yaml deleted file mode 100644 index 0e4d37b50..000000000 --- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/clusterrolebinding-snapshot-validation.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-snapshot-validation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "csi-driver-node.extensionsGroup" . }}:{{ include "csi-driver-node.name" . }}:csi-snapshot-validation -subjects: - - kind: ServiceAccount - name: csi-snapshot-validation - namespace: kube-system \ No newline at end of file diff --git a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/csi-snapshot-validation-webhook.yaml b/charts/internal/shoot-system-components/charts/csi-driver-node/templates/csi-snapshot-validation-webhook.yaml deleted file mode 100644 index 01c668437..000000000 
--- a/charts/internal/shoot-system-components/charts/csi-driver-node/templates/csi-snapshot-validation-webhook.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: csi-snapshot-validation -webhooks: -- name: "validation-webhook.snapshot.storage.k8s.io" - rules: - - apiGroups: ["snapshot.storage.k8s.io"] - apiVersions: ["v1"] - operations: ["CREATE", "UPDATE"] - resources: ["volumesnapshotclasses"] - scope: "*" - clientConfig: - url: {{ required ".Values.webhookConfig.url is required" .Values.webhookConfig.url }} - caBundle: {{ required ".Values.webhookConfig.caBundle is required" .Values.webhookConfig.caBundle | b64enc }} - admissionReviewVersions: ["v1"] - sideEffects: None - failurePolicy: Fail - timeoutSeconds: 10 \ No newline at end of file diff --git a/imagevector/images.yaml b/imagevector/images.yaml index 3c00f41c2..e75de28e2 100644 --- a/imagevector/images.yaml +++ b/imagevector/images.yaml @@ -327,7 +327,7 @@ images: - name: csi-driver-nfs sourceRepository: github.com/kubernetes-csi/csi-driver-nfs repository: registry.k8s.io/sig-storage/nfsplugin - tag: "v4.9.0" + tag: "v4.10.0" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -341,7 +341,7 @@ images: - name: csi-provisioner sourceRepository: github.com/kubernetes-csi/external-provisioner repository: registry.k8s.io/sig-storage/csi-provisioner - tag: "v5.1.0" + tag: "v5.2.0" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -354,7 +354,7 @@ images: - name: csi-attacher sourceRepository: github.com/kubernetes-csi/external-attacher repository: registry.k8s.io/sig-storage/csi-attacher - tag: "v4.7.0" + tag: "v4.8.0" labels: - name: 'gardener.cloud/cve-categorisation' value: 
@@ -367,7 +367,7 @@ images: - name: csi-snapshotter sourceRepository: github.com/kubernetes-csi/external-snapshotter repository: registry.k8s.io/sig-storage/csi-snapshotter - tag: "v8.1.0" + tag: "v8.2.0" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -380,20 +380,7 @@ images: - name: csi-snapshot-controller sourceRepository: github.com/kubernetes-csi/external-snapshotter repository: registry.k8s.io/sig-storage/snapshot-controller - tag: "v8.1.0" - labels: - - name: 'gardener.cloud/cve-categorisation' - value: - network_exposure: 'private' - authentication_enforced: false - user_interaction: 'gardener-operator' - confidentiality_requirement: 'low' - integrity_requirement: 'high' - availability_requirement: 'low' -- name: csi-snapshot-validation-webhook - sourceRepository: github.com/kubernetes-csi/external-snapshotter - repository: registry.k8s.io/sig-storage/snapshot-validation-webhook - tag: "v8.1.0" + tag: "v8.2.0" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -406,7 +393,7 @@ images: - name: csi-resizer sourceRepository: github.com/kubernetes-csi/external-resizer repository: registry.k8s.io/sig-storage/csi-resizer - tag: "v1.12.0" + tag: "v1.13.1" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -419,7 +406,7 @@ images: - name: csi-node-driver-registrar sourceRepository: github.com/kubernetes-csi/node-driver-registrar repository: registry.k8s.io/sig-storage/csi-node-driver-registrar - tag: "v2.12.0" + tag: "v2.13.0" labels: - name: 'gardener.cloud/cve-categorisation' value: @@ -432,7 +419,7 @@ images: - name: csi-liveness-probe sourceRepository: github.com/kubernetes-csi/livenessprobe repository: registry.k8s.io/sig-storage/livenessprobe - tag: "v2.14.0" + tag: "v2.15.0" labels: - name: 'gardener.cloud/cve-categorisation' value: diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go index 5a35596bd..a78a9111b 100644 --- a/pkg/controller/controlplane/valuesprovider.go 
+++ b/pkg/controller/controlplane/valuesprovider.go @@ -17,7 +17,6 @@ import ( extensionssecretsmanager "github.com/gardener/gardener/extensions/pkg/util/secret/manager" "github.com/gardener/gardener/pkg/apis/core/v1beta1" v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" - gardencorev1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" gardenerutils "github.com/gardener/gardener/pkg/utils" "github.com/gardener/gardener/pkg/utils/chart" @@ -26,7 +25,6 @@ import ( secretutils "github.com/gardener/gardener/pkg/utils/secrets" secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager" monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" - admissionregistrationv1 "k8s.io/api/admissionregistration/v1" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" @@ -53,7 +51,6 @@ import ( const ( caNameControlPlane = "ca-" + openstack.Name + "-controlplane" cloudControllerManagerServerName = openstack.CloudControllerManagerName + "-server" - csiSnapshotValidationServerName = openstack.CSISnapshotValidationName + "-server" ) func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfigWithOptions { 
@@ -76,18 +73,6 @@ func secretConfigsFunc(namespace string) []extensionssecretsmanager.SecretConfig }, Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(caNameControlPlane)}, }, - { - Config: &secretutils.CertificateSecretConfig{ - Name: csiSnapshotValidationServerName, - CommonName: openstack.UsernamePrefix + openstack.CSISnapshotValidationName, - DNSNames: kutil.DNSNamesForService(openstack.CSISnapshotValidationName, namespace), - CertType: secretutils.ServerCert, - SkipPublishingCACertificate: true, - }, - // use current CA for signing server cert to prevent mismatches when dropping the old CA from the webhook - // config in phase Completing - Options: []secretsmanager.GenerateOption{secretsmanager.SignedByCA(caNameControlPlane, secretsmanager.UseCurrentCA)}, - }, } } @@ -99,7 +84,6 @@ func shootAccessSecretsFunc(namespace string) []*gutil.AccessSecret { gutil.NewShootAccessSecret(openstack.CSISnapshotterName, namespace), gutil.NewShootAccessSecret(openstack.CSIResizerName, namespace), gutil.NewShootAccessSecret(openstack.CSISnapshotControllerName, namespace), - gutil.NewShootAccessSecret(openstack.CSISnapshotValidationName, namespace), } } @@ -146,7 +130,6 @@ var ( openstack.CSIResizerImageName, openstack.CSILivenessProbeImageName, openstack.CSISnapshotControllerImageName, - openstack.CSISnapshotValidationWebhookImageName, }, Objects: []*chart.Object{ // csi-driver-controller @@ -156,9 +139,6 @@ var ( // csi-snapshot-controller {Type: &appsv1.Deployment{}, Name: openstack.CSISnapshotControllerName}, {Type: &autoscalingv1.VerticalPodAutoscaler{}, Name: openstack.CSISnapshotControllerName + "-vpa"}, - // csi-snapshot-validation-webhook - {Type: &appsv1.Deployment{}, Name: openstack.CSISnapshotValidationName}, - {Type: &corev1.Service{}, Name: openstack.CSISnapshotValidationName}, }, }, { 
@@ -232,10 +212,6 @@ var ( {Type: &rbacv1.ClusterRoleBinding{}, Name: openstack.UsernamePrefix + openstack.CSIResizerName}, {Type: &rbacv1.Role{}, Name: openstack.UsernamePrefix + openstack.CSIResizerName}, {Type: &rbacv1.RoleBinding{}, Name: openstack.UsernamePrefix + openstack.CSIResizerName}, - // csi-snapshot-validation-webhook - {Type: &admissionregistrationv1.ValidatingWebhookConfiguration{}, Name: openstack.CSISnapshotValidationName}, - {Type: &rbacv1.ClusterRole{}, Name: openstack.UsernamePrefix + openstack.CSISnapshotValidationName}, - {Type: &rbacv1.ClusterRoleBinding{}, Name: openstack.UsernamePrefix + openstack.CSISnapshotValidationName}, }, }, { @@ -761,16 +737,11 @@ func getCCMChartValues( // getCSIControllerChartValues collects and returns the CSIController chart values. func getCSIControllerChartValues( cluster *extensionscontroller.Cluster, - secretsReader secretsmanager.Reader, + _ secretsmanager.Reader, userAgentHeaders []string, checksums map[string]string, scaledDown bool, ) (map[string]interface{}, error) { - serverSecret, found := secretsReader.Get(csiSnapshotValidationServerName) - if !found { - return nil, fmt.Errorf("secret %q not found", csiSnapshotValidationServerName) - } - values := map[string]interface{}{ "kubernetesVersion": cluster.Shoot.Spec.Kubernetes.Version, "enabled": true, @@ -781,13 +752,6 @@ func getCSIControllerChartValues( "csiSnapshotController": map[string]interface{}{ "replicas": extensionscontroller.GetControlPlaneReplicas(cluster, scaledDown, 1), }, - "csiSnapshotValidationWebhook": map[string]interface{}{ - "replicas": extensionscontroller.GetControlPlaneReplicas(cluster, scaledDown, 1), - "secrets": map[string]interface{}{ - "server": serverSecret.Name, - }, - "topologyAwareRoutingEnabled": gardencorev1beta1helper.IsTopologyAwareRoutingForShootControlPlaneEnabled(cluster.Seed, cluster.Shoot), - }, } if userAgentHeaders != nil { values["userAgentHeaders"] = userAgentHeaders 
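Review bot: In `getCSIControllerChartValues` (hunk `@@ -761,16 +737,11 @@`) the reader parameter is blanked to `_ secretsmanager.Reader` instead of being removed, and the `@@ -833,7 +797,7 @@` hunk does the same in `getControlPlaneShootChartValues`; both are unexported, so an unused parameter only obscures which helpers still depend on secrets. Either drop it from both signatures and their call sites (which lie outside these hunks), or say why it stays with a comment such as `// secrets reader unused since the snapshot validation webhook was removed`. Separately, this file no longer references the `csi-snapshot-validation-server` certificate, and an earlier hunk drops the webhook's entry from `shootAccessSecretsFunc`, but nothing visible here deletes the copies already issued on existing control planes. Presumably the secrets manager and the generic actuator clean up entries that are no longer listed; that is worth confirming so that no stale key material or access token lingers. Both function bodies continue outside the hunks.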
@@ -833,7 +797,7 @@ func (vp *valuesProvider) getControlPlaneShootChartValues( cp *extensionsv1alpha1.ControlPlane, cloudProfileConfig *api.CloudProfileConfig, cluster *extensionscontroller.Cluster, - secretsReader secretsmanager.Reader, + _ secretsmanager.Reader, checksums map[string]string, ) ( map[string]interface{}, @@ -843,7 +807,6 @@ func (vp *valuesProvider) getControlPlaneShootChartValues( cloudProviderDiskConfig []byte userAgentHeader []string csiNodeDriverValues map[string]interface{} - caBundle string ) // TODO: remove this when v1.27 is removed. From v1.28 onwards, we do not need credentials on the csi-node. @@ -858,22 +821,12 @@ func (vp *valuesProvider) getControlPlaneShootChartValues( credentials, _ := vp.getCredentials(ctx, cp) // ignore missing credentials userAgentHeader = vp.getUserAgentHeaders(credentials, cluster) - caSecret, found := secretsReader.Get(caNameControlPlane) - if !found { - return nil, fmt.Errorf("secret %q not found", caNameControlPlane) - } - caBundle = string(caSecret.Data[secretutils.DataKeyCertificateBundle]) - csiNodeDriverValues = map[string]interface{}{ "enabled": true, "podAnnotations": map[string]interface{}{ "checksum/secret-" + openstack.CloudProviderCSIDiskConfigName: checksums[openstack.CloudProviderCSIDiskConfigName], }, "cloudProviderConfig": cloudProviderDiskConfig, - "webhookConfig": map[string]interface{}{ - "url": "https://" + openstack.CSISnapshotValidationName + "." + cp.Namespace + "/volumesnapshot", - "caBundle": caBundle, - }, "rescanBlockStorageOnResize": cloudProfileConfig.RescanBlockStorageOnResize != nil && *cloudProfileConfig.RescanBlockStorageOnResize, "nodeVolumeAttachLimit": cloudProfileConfig.NodeVolumeAttachLimit, diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go index 57cd1f137..b1e014a67 100644 --- a/pkg/controller/controlplane/valuesprovider_test.go +++ b/pkg/controller/controlplane/valuesprovider_test.go 
@@ -566,7 +566,6 @@ var _ = Describe("ValuesProvider", func() { By("creating secrets managed outside of this package for whose secretsmanager.Get() will be called") Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "ca-provider-openstack-controlplane", Namespace: namespace}})).To(Succeed()) - Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "csi-snapshot-validation-server", Namespace: namespace}})).To(Succeed()) Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "cloud-controller-manager-server", Namespace: namespace}})).To(Succeed()) }) @@ -595,13 +594,6 @@ var _ = Describe("ValuesProvider", func() { "csiSnapshotController": map[string]interface{}{ "replicas": 1, }, - "csiSnapshotValidationWebhook": map[string]interface{}{ - "replicas": 1, - "secrets": map[string]interface{}{ - "server": "csi-snapshot-validation-server", - }, - "topologyAwareRoutingEnabled": false, - }, }), openstack.CSIManilaControllerName: enabledFalse, })) @@ -633,13 +625,6 @@ var _ = Describe("ValuesProvider", func() { "csiSnapshotController": map[string]interface{}{ "replicas": 1, }, - "csiSnapshotValidationWebhook": map[string]interface{}{ - "replicas": 1, - "secrets": map[string]interface{}{ - "server": "csi-snapshot-validation-server", - }, - "topologyAwareRoutingEnabled": false, - }, }), openstack.CSIManilaControllerName: utils.MergeMaps(enabledTrue, map[string]interface{}{ "replicas": 1, 
@@ -725,7 +710,6 @@ var _ = Describe("ValuesProvider", func() { BeforeEach(func() { By("creating secrets managed outside of this package for whose secretsmanager.Get() will be called") Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "ca-provider-openstack-controlplane", Namespace: namespace}})).To(Succeed()) - Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "csi-snapshot-validation-server", Namespace: namespace}})).To(Succeed()) Expect(fakeClient.Create(context.TODO(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "cloud-controller-manager-server", Namespace: namespace}})).To(Succeed()) }) diff --git a/pkg/controller/healthcheck/add.go b/pkg/controller/healthcheck/add.go index aea959f36..dbca9c035 100644 --- a/pkg/controller/healthcheck/add.go +++ b/pkg/controller/healthcheck/add.go @@ -66,10 +66,6 @@ func RegisterHealthChecks(ctx context.Context, mgr manager.Manager, opts healthc ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy), HealthCheck: general.NewSeedDeploymentHealthChecker(openstack.CSISnapshotControllerName), }, - { - ConditionType: string(gardencorev1beta1.ShootControlPlaneHealthy), - HealthCheck: general.NewSeedDeploymentHealthChecker(openstack.CSISnapshotValidationName), - }, }, sets.New[gardencorev1beta1.ConditionType](), ); err != nil { diff --git a/pkg/openstack/types.go b/pkg/openstack/types.go index 905c08ff9..d40bd4a44 100644 --- a/pkg/openstack/types.go +++ b/pkg/openstack/types.go 
@@ -40,8 +40,6 @@ const ( CSILivenessProbeImageName = "csi-liveness-probe" // CSISnapshotControllerImageName is the name of the csi-snapshot-controller image. CSISnapshotControllerImageName = "csi-snapshot-controller" - // CSISnapshotValidationWebhookImageName is the name of the csi-snapshot-validation-webhook image. - CSISnapshotValidationWebhookImageName = "csi-snapshot-validation-webhook" // MachineControllerManagerProviderOpenStackImageName is the name of the MachineControllerManager OpenStack image. MachineControllerManagerProviderOpenStackImageName = "machine-controller-manager-provider-openstack" @@ -127,8 +125,6 @@ const ( CSIResizerName = "csi-resizer" // CSISnapshotControllerName is a constant for the name of the csi-snapshot-controller component. CSISnapshotControllerName = "csi-snapshot-controller" - // CSISnapshotValidationName is the constant for the name of the csi-snapshot-validation-webhook component. - CSISnapshotValidationName = "csi-snapshot-validation" // CSIStorageProvisioner is a constant with the storage provisioner name which is used in storageclasses. CSIStorageProvisioner = "cinder.csi.openstack.org" // CSIManilaStorageProvisionerNFS is a constant with the storage provisioner name which is used in storageclasses for Manila NFS. diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go index 7455ddcdd..7fa6381f5 100644 --- a/pkg/webhook/controlplane/ensurer.go +++ b/pkg/webhook/controlplane/ensurer.go 
@@ -17,12 +17,10 @@ import ( v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants" extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" "github.com/gardener/gardener/pkg/component/nodemanagement/machinecontrollermanager" - gutil "github.com/gardener/gardener/pkg/utils/gardener" versionutils "github.com/gardener/gardener/pkg/utils/version" "github.com/go-logr/logr" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1" kubeletconfigv1beta1 "k8s.io/kubelet/config/v1beta1" "k8s.io/utils/ptr" @@ -80,9 +78,6 @@ func (e *ensurer) EnsureKubeAPIServerDeployment(ctx context.Context, gctx gconte template := &newObj.Spec.Template ps := &template.Spec - // TODO: This label approach is deprecated and no longer needed in the future. Remove it as soon as gardener/gardener@v1.75 has been released. - metav1.SetMetaDataLabel(&newObj.Spec.Template.ObjectMeta, gutil.NetworkPolicyLabel(openstack.CSISnapshotValidationName, 443), v1beta1constants.LabelNetworkPolicyAllowed) - cluster, err := gctx.GetCluster(ctx) if err != nil { return err diff --git a/pkg/webhook/controlplane/ensurer_test.go b/pkg/webhook/controlplane/ensurer_test.go index e8ee548f6..c3705cc8f 100644 --- a/pkg/webhook/controlplane/ensurer_test.go +++ b/pkg/webhook/controlplane/ensurer_test.go 
@@ -654,8 +654,6 @@ func checkKubeAPIServerDeployment(dep *appsv1.Deployment, k8sVersion string) { k8sVersionAtLeast127, _ := version.CompareVersions(k8sVersion, ">=", "1.27") k8sVersionAtLeast131, _ := version.CompareVersions(k8sVersion, ">=", "1.31") - Expect(dep.Spec.Template.Labels).To(HaveKeyWithValue("networking.resources.gardener.cloud/to-csi-snapshot-validation-tcp-443", "allowed")) - // Check that the kube-apiserver container still exists and contains all needed command line args, // env vars, and volume mounts c := extensionswebhook.ContainerWithName(dep.Spec.Template.Spec.Containers, "kube-apiserver")