feat(controlplane): hide pod identity webhook through a new feature gate EnableSTACKITWorkloadIdentity

jastBytes · jastBytes · commit 261f36ab59a0 · 2026-04-07T15:30:33.000+02:00
diff --git a/charts/gardener-extension-provider-stackit/values.yaml b/charts/gardener-extension-provider-stackit/values.yaml
@@ -77,11 +77,11 @@ config:
     # Must be base64 encoded
     caBundle: ""
   registryCaches:
-  # - server: reg.example.com
-  #   cache: reg-cache.example.com
-  #   caBundle: LS0tLS1C... #b64 encoded CA bundle, optional
-  #   capabilities: ["pull", "resolve"]
-  # deployALBIngressController: true
+    # - server: reg.example.com
+    #   cache: reg-cache.example.com
+    #   caBundle: LS0tLS1C... #b64 encoded CA bundle, optional
+    #   capabilities: ["pull", "resolve"]
+    # deployALBIngressController: true
 gardener:
   version: ""
   gardenlet:
@@ -98,5 +98,5 @@ usablePorts:
 - 8081 # health
 - 10250 # webhook server
 
-featureGates: {}
-# NoopFeature: false
+featureGates:
+  EnableSTACKITWorkloadIdentity: false
diff --git a/charts/internal/seed-controlplane/requirements.yaml b/charts/internal/seed-controlplane/requirements.yaml
@@ -22,3 +22,4 @@ dependencies:
 - name: stackit-pod-identity-webhook
   repository: http://localhost:10191
   version: 0.1.0
+  condition: stackit-pod-identity-webhook.enabled
diff --git a/charts/internal/shoot-system-components/requirements.yaml b/charts/internal/shoot-system-components/requirements.yaml
@@ -18,3 +18,4 @@ dependencies:
 - name: stackit-pod-identity-webhook
   repository: http://localhost:10191
   version: 0.1.0
+  condition: stackit-pod-identity-webhook.enabled
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -1309,6 +1309,7 @@ func getPodIdentityWebhookChartValues(
 	}
 
 	return map[string]any{
+		"enabled":      feature.Gate.Enabled(feature.EnableSTACKITWorkloadIdentity),
 		"replicaCount": extensionscontroller.GetControlPlaneReplicas(cluster, scaledDown, 1),
 		"webhook": map[string]any{
 			"tlsSecretName": tlsSecret.Name,
@@ -1331,6 +1332,7 @@ func (vp *valuesProvider) getPodIdentityWebhookShootChartValues(
 	}
 
 	return map[string]any{
+		"enabled": feature.Gate.Enabled(feature.EnableSTACKITWorkloadIdentity),
 		"webhook": map[string]any{
 			"caBundle": caBundle,
 			"url":      fmt.Sprintf("https://%s.%s:443/mutate--v1-pod", stackit.PodIdentityWebhookName, controlPlaneNamespace),
diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
@@ -497,6 +497,7 @@ var _ = Describe("ValuesProvider", func() {
 		})
 
 		stackitPodIdentityWebhookChartSeedValues := map[string]any{
+			"enabled":      false,
 			"replicaCount": 1,
 			"webhook": map[string]any{
 				"tlsSecretName": stackitPodIdentityWebhookServerName,
@@ -893,6 +894,7 @@ var _ = Describe("ValuesProvider", func() {
 
 	Describe("#GetControlPlaneShootChartValues", func() {
 		stackitPodIdentityWebhookChartShootValues := map[string]any{
+			"enabled": false,
 			"webhook": map[string]any{
 				"caBundle": []byte("fake-ca-cert"),
 				"url":      fmt.Sprintf("https://stackit-pod-identity-webhook.%s:443/mutate--v1-pod", namespace),
diff --git a/pkg/feature/feature.go b/pkg/feature/feature.go
@@ -14,7 +14,7 @@ const (
 	// // MyFeature enables Foo.
 	// MyFeature featuregate.Feature = "MyFeature"
 
-	// MutateDisableNTP enables the mutation that disables NTP if any worker's flatcar image version is greater than or eqaul to `FlatcarImageVersion`
+	// MutateDisableNTP enables the mutation that disables NTP if any worker's flatcar image version is greater than or equal to `FlatcarImageVersion`
 	MutateDisableNTP featuregate.Feature = "MutateDisableNTP"
 	// EnsureSTACKITLBDeletion enables the STACKIT LB deletion cleanup. The function checks for dangling/zombied LB's and then tries to delete them.
 	EnsureSTACKITLBDeletion featuregate.Feature = "EnsureSTACKITLBDeletion"
@@ -26,6 +26,8 @@ const (
 	ShootUseSTACKITMachineControllerManager = "shoot.gardener.cloud/use-stackit-machine-controller-manager"
 	// ShootUseSTACKITAPIInfrastructureController Uses the STACKIT API to create the shoot resources instead of OpenStack for a specific Shoot.
 	ShootUseSTACKITAPIInfrastructureController = "shoot.gardener.cloud/use-stackit-api-infrastructure-controller"
+	// EnableSTACKITWorkloadIdentity activates the deployment of the stackit-pod-identity-webhook to enable workload identity injection into pods.
+	EnableSTACKITWorkloadIdentity featuregate.Feature = "EnableSTACKITWorkloadIdentity"
 )
 
 var (
@@ -46,6 +48,7 @@ var (
 		EnsureSTACKITLBDeletion:               {Default: true, PreRelease: featuregate.Alpha},
 		UseSTACKITAPIInfrastructureController: {Default: true, PreRelease: featuregate.Alpha},
 		UseSTACKITMachineControllerManager:    {Default: true, PreRelease: featuregate.Alpha},
+		EnableSTACKITWorkloadIdentity:         {Default: false, PreRelease: featuregate.Alpha},
 	}
 )
 

Original file line number	Diff line number	Diff line change
`@@ -1309,6 +1309,7 @@ func getPodIdentityWebhookChartValues(`
`1309`	`1309`	`}`
`1310`	`1310`
`1311`	`1311`	`return map[string]any{`
	`1312`	`+ "enabled": feature.Gate.Enabled(feature.EnableSTACKITWorkloadIdentity),`
`1312`	`1313`	`"replicaCount": extensionscontroller.GetControlPlaneReplicas(cluster, scaledDown, 1),`
`1313`	`1314`	`"webhook": map[string]any{`
`1314`	`1315`	`"tlsSecretName": tlsSecret.Name,`
`@@ -1331,6 +1332,7 @@ func (vp *valuesProvider) getPodIdentityWebhookShootChartValues(`
`1331`	`1332`	`}`
`1332`	`1333`
`1333`	`1334`	`return map[string]any{`
	`1335`	`+ "enabled": feature.Gate.Enabled(feature.EnableSTACKITWorkloadIdentity),`
`1334`	`1336`	`"webhook": map[string]any{`
`1335`	`1337`	`"caBundle": caBundle,`
`1336`	`1338`	`"url": fmt.Sprintf("https://%s.%s:443/mutate--v1-pod", stackit.PodIdentityWebhookName, controlPlaneNamespace),`