feat(valuesprovider.go): add isShoot method to determine cluster type

Author: jastBytes

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/templates/mutatingwebhookconfiguration.yaml

@@ -27,7 +27,7 @@ webhooks:
           operator: NotIn
           values: ["kube-system", "garden"]
         - key: gardener.cloud/role
-          operator: Exists
+          operator: DoesNotExist
         - key: workload-identity.stackit.cloud/skip-pod-identity-webhook
           operator: DoesNotExist
     objectSelector:

charts/internal/shoot-system-components/charts/stackit-pod-identity-webhook/values.yaml

@@ -1,3 +1,4 @@
+enabled: true
 webhook:
   caBundle: "" # will be set by valuesprovider
   # failurePolicy for the webhook (Ignore or Fail).

pkg/controller/controlplane/valuesprovider.go

@@ -29,6 +29,7 @@ import (
 	secretsmanager "github.com/gardener/gardener/pkg/utils/secrets/manager"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 	appsv1 "k8s.io/api/apps/v1"
+	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	policyv1 "k8s.io/api/policy/v1"
@@ -56,8 +57,8 @@ import (
 )
 
 const (
-	caNameControlPlane               = "ca-" + openstack.Name + "-controlplane"
-	cloudControllerManagerServerName = openstack.CloudControllerManagerName + "-server"
+	caNameControlPlane                  = "ca-" + openstack.Name + "-controlplane"
+	cloudControllerManagerServerName    = openstack.CloudControllerManagerName + "-server"
 	stackitPodIdentityWebhookServerName = stackit.STACKITPodIdentityWebhookName + "-server"
 
 	CSIStackitPrefix = "stackit-blockstorage"
@@ -367,6 +368,12 @@ type valuesProvider struct {
 	customLabelDomain          string
 }
 
+// isShoot returns if the cluster is a shoot or a seed by checking if the gardenlet is present in cluster
+func (vp *valuesProvider) isShoot(ctx context.Context, cluster *extensionscontroller.Cluster) bool {
+	err := vp.client.Get(ctx, k8sclient.ObjectKey{Name: "gardenlet", Namespace: "garden"}, &v1.Deployment{})
+	return errors.IsNotFound(err)
+}
+
 // GetConfigChartValues returns the values for the config chart applied by the generic actuator.
 func (vp *valuesProvider) GetConfigChartValues(
 	ctx context.Context,
@@ -751,7 +758,7 @@ func (vp *valuesProvider) getControlPlaneChartValues(ctx context.Context, cpConf
 		},
 		openstack.CloudControllerManagerName:        ccm,
 		openstack.STACKITCloudControllerManagerName: stackitccm,
-		stackit.STACKITPodIdentityWebhookName:     podIdentityWebhook,
+		stackit.STACKITPodIdentityWebhookName:       podIdentityWebhook,
 	})
 
 	if vp.deployALBIngressController {
@@ -1076,13 +1083,14 @@ func (vp *valuesProvider) getControlPlaneShootChartValues(ctx context.Context, c
 		return nil, err
 	}
 
-	podIdentityWebhook, err := getSTACKITPodIdentityWebhookShootChartValues(cp.Namespace, secretsReader)
+	isShoot := vp.isShoot(ctx, cluster)
+	podIdentityWebhook, err := vp.getSTACKITPodIdentityWebhookShootChartValues(isShoot, secretsReader)
 	if err != nil {
 		return nil, err
 	}
 
 	maps.Copy(values, map[string]any{
-		openstack.CloudControllerManagerName:    map[string]any{"enabled": true},
+		openstack.CloudControllerManagerName:  map[string]any{"enabled": true},
 		stackit.STACKITPodIdentityWebhookName: podIdentityWebhook,
 	})
 
@@ -1310,8 +1318,8 @@ func getSTACKITPodIdentityWebhookChartValues(
 	}, nil
 }
 
-func getSTACKITPodIdentityWebhookShootChartValues(
-	namespace string,
+func (vp *valuesProvider) getSTACKITPodIdentityWebhookShootChartValues(
+	isShoot bool,
 	secretsReader secretsmanager.Reader,
 ) (map[string]any, error) {
 	caSecret, found := secretsReader.Get(caNameControlPlane)
@@ -1320,8 +1328,9 @@ func getSTACKITPodIdentityWebhookShootChartValues(
 	}
 
 	return map[string]any{
+		"enabled": isShoot,
 		"webhook": map[string]any{
-			"caBundle":  gardenerutils.EncodeBase64(caSecret.Data[secretutils.DataKeyCertificateBundle]),
+			"caBundle": gardenerutils.EncodeBase64(caSecret.Data[secretutils.DataKeyCertificateBundle]),
 		},
 	}, nil
 }

pkg/controller/controlplane/valuesprovider_test.go

@@ -503,7 +503,6 @@ var _ = Describe("ValuesProvider", func() {
 			},
 		}
 
-
 		BeforeEach(func() {
 			c.EXPECT().Get(ctx, cpConfigKey, &corev1.Secret{}).DoAndReturn(clientGet(cpConfig))
 			c.EXPECT().Delete(context.TODO(), &networkingv1.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: "allow-kube-apiserver-to-csi-snapshot-validation", Namespace: cp.Namespace}})
@@ -567,7 +566,7 @@ var _ = Describe("ValuesProvider", func() {
 						"replicas": 1,
 					},
 				}),
-				stackit.STACKITPodIdentityWebhookName:    stackitPodIdentityWebhookChartSeedValues,
+				stackit.STACKITPodIdentityWebhookName:     stackitPodIdentityWebhookChartSeedValues,
 				openstack.STACKITALBControllerManagerName: empty(),
 			}))
 		})
@@ -611,7 +610,7 @@ var _ = Describe("ValuesProvider", func() {
 						"replicas": 1,
 					},
 				}),
-				stackit.STACKITPodIdentityWebhookName:    stackitPodIdentityWebhookChartSeedValues,
+				stackit.STACKITPodIdentityWebhookName:     stackitPodIdentityWebhookChartSeedValues,
 				openstack.STACKITALBControllerManagerName: empty(),
 			}))
 		})
@@ -894,8 +893,9 @@ var _ = Describe("ValuesProvider", func() {
 
 	Describe("#GetControlPlaneShootChartValues", func() {
 		stackitPodIdentityWebhookChartShootValues := map[string]any{
+			"enabled": true,
 			"webhook": map[string]any{
-				"caBundle":   "",
+				"caBundle": "",
 			},
 		}
 
@@ -910,6 +910,7 @@ var _ = Describe("ValuesProvider", func() {
 				// Refactoring led to retrieving it three times at a lower level
 				// This is the vp.getCredentials() call
 				c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(cpSecret)).Times(2)
+				c.EXPECT().Get(ctx, client.ObjectKey{Name: "gardenlet", Namespace: "garden"}, &appsv1.Deployment{}).Return(errors.NewNotFound(schema.GroupResource{Group: "apps", Resource: "deployments"}, "gardenlet"))
 
 				expectCSICleanupinControlPlane(ctx, c, openstack.CSIControllerName)
 
@@ -921,13 +922,14 @@ var _ = Describe("ValuesProvider", func() {
 						"rescanBlockStorageOnResize": rescanBlockStorageOnResize,
 						"userAgentHeaders":           []string{domainName, tenantName, technicalID},
 					}),
-					openstack.CSINodeName: enabledFalse,
+					openstack.CSINodeName:                 enabledFalse,
 					stackit.STACKITPodIdentityWebhookName: stackitPodIdentityWebhookChartShootValues,
 				}))
 			})
 
 			It("should return correct shoot control plane chart if CSI STACKIT is enabled", func() {
 				c.EXPECT().Get(ctx, cpSecretKey, &corev1.Secret{}).DoAndReturn(clientGet(cpSecret)).Times(2)
+				c.EXPECT().Get(ctx, client.ObjectKey{Name: "gardenlet", Namespace: "garden"}, &appsv1.Deployment{}).Return(errors.NewNotFound(schema.GroupResource{Group: "apps", Resource: "deployments"}, "gardenlet"))
 
 				expectCSICleanupinControlPlane(ctx, c, openstack.CSIControllerName)
 
@@ -940,7 +942,7 @@ var _ = Describe("ValuesProvider", func() {
 						"rescanBlockStorageOnResize": rescanBlockStorageOnResize,
 						"userAgentHeaders":           []string{domainName, tenantName, technicalID},
 					}),
-					openstack.CSINodeName: enabledFalse,
+					openstack.CSINodeName:                 enabledFalse,
 					stackit.STACKITPodIdentityWebhookName: stackitPodIdentityWebhookChartShootValues,
 				}))
 			})