Deprecate Shoot's .oidcConfig.clientAuthentication field (gardene…

…r#10253)

* Deprecate shoot `.oidcConfig.clientAuthentication` field

* Make generate

* Deprecate `.client` field from OpenIDConnectPreset

* Make generate

* Make generate

* Forbid field .oidcConfig.clientAuthentication from kubernetes version 1.31

* make generate

charts/gardener/operator/templates/crd-gardens.yaml

@@ -1267,8 +1267,11 @@ spec:
                                   be used.
                                 type: string
                               clientAuthentication:
-                                description: ClientAuthentication can optionally contain
-                                  client configuration used for kubeconfig generation.
+                                description: |-
+                                  ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
+                                  Deprecated: This field has no implemented use and will be forbidden starting from Kubernetes 1.31.
+                                  It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+                                  TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
                                 properties:
                                   extraConfig:
                                     additionalProperties:

docs/api-reference/core.md

@@ -8685,7 +8685,10 @@ OpenIDConnectClientAuthentication
 </td>
 <td>
 <em>(Optional)</em>
-<p>ClientAuthentication can optionally contain client configuration used for kubeconfig generation.</p>
+<p>ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
+Deprecated: This field has no implemented use and will be forbidden starting from Kubernetes 1.31.
+It&rsquo;s use was planned for genereting OIDC kubeconfig <a href="https://github.com/gardener/gardener/issues/1433">https://github.com/gardener/gardener/issues/1433</a>
+TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.</p>
 </td>
 </tr>
 <tr>

docs/api-reference/settings.md

@@ -201,7 +201,10 @@ OpenIDConnectClientAuthentication
 <p>Client contains the configuration used for client OIDC authentication
 of Shoot clusters.
 This configuration is not overwriting any existing OpenID Connect
-client authentication already set on the Shoot object.</p>
+client authentication already set on the Shoot object.
+Deprecated: The OpenID Connect configuration this field specifies is not used and will be forbidden starting from Kubernetes 1.31.
+It&rsquo;s use was planned for genereting OIDC kubeconfig <a href="https://github.com/gardener/gardener/issues/1433">https://github.com/gardener/gardener/issues/1433</a>
+TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.</p>
 </td>
 </tr>
 <tr>
@@ -515,7 +518,10 @@ OpenIDConnectClientAuthentication
 <p>Client contains the configuration used for client OIDC authentication
 of Shoot clusters.
 This configuration is not overwriting any existing OpenID Connect
-client authentication already set on the Shoot object.</p>
+client authentication already set on the Shoot object.
+Deprecated: The OpenID Connect configuration this field specifies is not used and will be forbidden starting from Kubernetes 1.31.
+It&rsquo;s use was planned for genereting OIDC kubeconfig <a href="https://github.com/gardener/gardener/issues/1433">https://github.com/gardener/gardener/issues/1433</a>
+TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.</p>
 </td>
 </tr>
 <tr>

docs/usage/openidconnect-presets.md

@@ -56,11 +56,6 @@ spec:
     - RS256
     requiredClaims:
       key: value
-  client:
-    secret: oidc-client-secret
-    extraConfig:
-      extra-scopes: "email,offline_access,profile"
-      foo: bar
   weight: 90
 ```
 
@@ -119,11 +114,6 @@ spec:
   kubernetes:
     kubeAPIServer:
       oidcConfig:
-        clientAuthentication:
-          extraConfig:
-            extra-scopes: email,offline_access,profile
-            foo: bar
-          secret: oidc-client-secret
         clientID: test-1
         groupsClaim: groups-claim
         groupsPrefix: groups-prefix
@@ -200,11 +190,6 @@ spec:
     - RS256
     requiredClaims:
       key: value
-  client:
-    secret: oidc-client-secret
-    extraConfig:
-      extra-scopes: "email,offline_access,profile"
-      foo: bar
   weight: 90
 ```
 
@@ -261,11 +246,6 @@ spec:
   kubernetes:
     kubeAPIServer:
       oidcConfig:
-        clientAuthentication:
-          extraConfig:
-            extra-scopes: email,offline_access,profile
-            foo: bar
-          secret: oidc-client-secret
         clientID: cluster-preset
         groupsClaim: groups-claim
         groupsPrefix: groups-prefix

example/10-clusteropenidconnectpreset.yaml

@@ -26,9 +26,4 @@ spec:
     # - RS256
     # requiredClaims:
     #   key: value
-  client:
-    secret: oidc-client-secret
-    extraConfig:
-      extra-scopes: email,offline_access,profile
-      foo: bar
   weight: 90 # value from 1 to 100

example/10-openidconnectpreset.yaml

@@ -24,9 +24,4 @@ spec:
     # - RS256
     # requiredClaims:
     #   key: value
-  client:
-    secret: oidc-client-secret
-    extraConfig:
-      extra-scopes: email,offline_access,profile
-      foo: bar
   weight: 90 # value from 1 to 100

example/operator/10-crd-operator.gardener.cloud_gardens.yaml

@@ -1267,8 +1267,11 @@ spec:
                                   be used.
                                 type: string
                               clientAuthentication:
-                                description: ClientAuthentication can optionally contain
-                                  client configuration used for kubeconfig generation.
+                                description: |-
+                                  ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
+                                  Deprecated: This field has no implemented use and will be forbidden starting from Kubernetes 1.31.
+                                  It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+                                  TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
                                 properties:
                                   extraConfig:
                                     additionalProperties:

pkg/apis/core/types_shoot.go

@@ -694,6 +694,9 @@ type OIDCConfig struct {
 	// If set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
 	CABundle *string
 	// ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
+	// Deprecated: This field has no implemented use and will be forbidden starting from Kubernetes 1.31.
+	// It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+	// TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
 	ClientAuthentication *OpenIDConnectClientAuthentication
 	// The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
 	ClientID *string

pkg/apis/core/v1beta1/types_shoot.go

@@ -910,6 +910,9 @@ type OIDCConfig struct {
 	// +optional
 	CABundle *string `json:"caBundle,omitempty" protobuf:"bytes,1,opt,name=caBundle"`
 	// ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
+	// Deprecated: This field has no implemented use and will be forbidden starting from Kubernetes 1.31.
+	// It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+	// TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
 	// +optional
 	ClientAuthentication *OpenIDConnectClientAuthentication `json:"clientAuthentication,omitempty" protobuf:"bytes,2,opt,name=clientAuthentication"`
 	// The client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.

pkg/apis/core/validation/shoot.go

@@ -1322,6 +1322,11 @@ func ValidateKubeAPIServer(kubeAPIServer *core.KubeAPIServerConfig, version stri
 				allErrs = append(allErrs, field.Invalid(oidcPath.Child("caBundle"), *oidc.CABundle, "caBundle is not a valid PEM-encoded certificate"))
 			}
 		}
+		// TODO(AleksandarSavchev): Remove this check as soon as v1.31 is the least supported Kubernetes version in Gardener.
+		k8sGreaterEqual131, _ := versionutils.CheckVersionMeetsConstraint(version, ">= 1.31")
+		if oidc.ClientAuthentication != nil && k8sGreaterEqual131 {
+			allErrs = append(allErrs, field.Invalid(oidcPath.Child("clientAuthentication"), *oidc.ClientAuthentication, "for Kubernetes versions >= 1.31, clientAuthentication field is no longer supported"))
+		}
 		if oidc.GroupsClaim != nil && len(*oidc.GroupsClaim) == 0 {
 			allErrs = append(allErrs, field.Invalid(oidcPath.Child("groupsClaim"), *oidc.GroupsClaim, "groupsClaim cannot be empty when key is provided"))
 		}

pkg/apis/core/validation/shoot_test.go

@@ -1851,6 +1851,19 @@ var _ = Describe("Shoot Validation Tests", func() {
 					Entry("should add error if issuerURL is set but clientID is nil", 1, nil),
 					Entry("should add error if issuerURL is set but clientID is empty string ", 2, ptr.To("")),
 				)
+
+				It("should forbid setting clinetAuthentication from kubernetes version 1.31", func() {
+					shoot.Spec.Kubernetes.KubeAPIServer.OIDCConfig.ClientAuthentication = &core.OpenIDConnectClientAuthentication{}
+					shoot.Spec.Kubernetes.Version = "1.31"
+
+					errorList := ValidateShoot(shoot)
+
+					Expect(errorList).To(HaveLen(1))
+					Expect(*errorList[0]).To(MatchFields(IgnoreExtras, Fields{
+						"Type":  Equal(field.ErrorTypeInvalid),
+						"Field": Equal("spec.kubernetes.kubeAPIServer.oidcConfig.clientAuthentication"),
+					}))
+				})
 			})
 
 			Context("admission plugin validation", func() {

pkg/apis/settings/types_shared.go

@@ -21,6 +21,9 @@ type OpenIDConnectPresetSpec struct {
 	// of Shoot clusters.
 	// This configuration is not overwriting any existing OpenID Connect
 	// client authentication already set on the Shoot object.
+	// Deprecated: The OpenID Connect configuration this field specifies is not used and will be forbidden starting from Kubernetes 1.31.
+	// It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+	// TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
 	Client *OpenIDConnectClientAuthentication
 
 	// ShootSelector decides whether to apply the configuration if the

pkg/apis/settings/v1alpha1/types_shared.go

@@ -28,6 +28,9 @@ type OpenIDConnectPresetSpec struct {
 	// of Shoot clusters.
 	// This configuration is not overwriting any existing OpenID Connect
 	// client authentication already set on the Shoot object.
+	// Deprecated: The OpenID Connect configuration this field specifies is not used and will be forbidden starting from Kubernetes 1.31.
+	// It's use was planned for genereting OIDC kubeconfig https://github.com/gardener/gardener/issues/1433
+	// TODO(AleksandarSavchev): Drop this field after support for Kubernetes 1.30 is dropped.
 	// +optional
 	Client *OpenIDConnectClientAuthentication `json:"client,omitempty" protobuf:"bytes,2,opt,name=client"`