🧹 Cleanup a few TODOs (gardener#7868)

* Switch local machine pods to new `NetworkPolicy` labels

* Drop `allow-{to,from}-shoot-apiserver` `NetworkPolicy`s

* Drop `allow-{from-}prometheus` `NetworkPolicy`s

* Drop finalizer removal migration code

* Drop labeling of ETCD encryption config secrets

* Drop reseting worker state when it contained `null`-ed fields

* No longer label Terraformer with `to-seed-apiserver`

* Drop cleanup of `ManagedResource`s for `gardener-seed-admission-controller`

* Drop cleanup of `allow-{to-loki,loki,from-aggregate-prometheus}` `NetworkPolicy`s

* Drop cleanup of `ManagedResource` for shoot addons

* Drop cleanup of `allow-{to-loki,from-prometheus-to-loki-telegraf}` `NetworkPolicy`s

* Drop cleanup of `generic-token-kubeconfig` secret

* Drop cleanup of `allow-etcd` `NetworkPolicy`

* Drop cleanup of `allow-kube-apiserver-to-{gardener-resource-manager,vpa-admission-controller}` `NetworkPolicy`s

* Drop cleanup of `allow-to-vpn-seed-server` `NetworkPolicy`

* Drop legacy `apiserver-proxy` Helm chart

* Drop `NetworkPolicy` migration code on `gardenlet` start-up

* Enforce non-internal API versions for all provider configs

* Adapt TODO statement for zone pinning in HA config webhook

* Check for `status != True` in `Etcd` health check

* Drop fallback to `LastUpdateTime` of extension conditions

* Drop cleanup of legacy zone enforcement label

* Drop migration worker settings for `etcd-druid`

* Add missing `ignore` annotations for istio resources

Those were forgotten in gardener#7397

* Drop `nodes/stats` permission for `metrics-server`

* Drop `networkpolicies` component

* Drop cleanup of orphaned `DNSRecord` secrets

* Switch ETCD from `to-seed-apiserver` to `to-runtime-apiserver` label

* Drop custom `allow-etcd-peer` `NetworkPolicy`

* Drop `identity` value from Helm chart values

* Remove TODO for dropping zone pinning migration code

Since we allow `.spec.provider.zones=null` for `Seed`s, we might need this code if zones are added later to the spec while `Shoot`s have been created already.

* Bump extension versions for local deployment

and adapt related TODO statements

* Remove actionless TODOs

* Use `scale` subresource for scaling

* Revert "Drop `NetworkPolicy` migration code on `gardenlet` start-up"

This reverts commit 3e64510.

charts/gardener/gardenlet/templates/clusterrole-gardenlet.yaml

@@ -167,9 +167,11 @@ rules:
   - apps
   resources:
   - deployments
+  - deployments/scale
   # TODO(Kristian-ZH): remove this when the old fluent-bit deletion logic is removed
   - daemonsets
   - statefulsets
+  - statefulsets/scale
   - replicasets
   verbs:
   - create

charts/gardener/provider-local/extension/templates/rbac.yaml

@@ -91,6 +91,7 @@ rules:
   - configmaps
   - endpoints
   - deployments
+  - deployments/scale
   - services
   - services/status
   - nodes

charts/gardener/provider-local/internal/machine-controller-manager/seed/templates/clusterrole.yaml

@@ -25,6 +25,7 @@ rules:
   - endpoints
   - events
   - pods
+  - services
   verbs:
   - "*"
 - apiGroups:

charts/seed-bootstrap/charts/monitoring/templates/networkpolicy.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.prometheus.deployAllowAllAccessNetworkPolicy }}
-# TODO(rfranzke): Drop this network policy in a future release.
+# TODO(rfranzke): Drop this network policy when FullNetworkPoliciesInRuntimeCluster feature gate is locked to true.
 apiVersion: {{ include "networkpolicyversion" . }}
 kind: NetworkPolicy
 metadata:

charts/shoot-core/components/requirements.yaml

@@ -1,8 +1,4 @@
 dependencies:
-- name: apiserver-proxy
-  repository: http://localhost:10191
-  version: 0.1.0
-  condition: apiserver-proxy.enabled
 - name: monitoring
   repository: http://localhost:10191
   version: 0.1.0

charts/shoot-core/components/values.yaml

@@ -2,17 +2,6 @@ global:
   vpaEnabled: false
   pspDisabled: false
   hasWorkers: true
-apiserver-proxy:
-  enabled: false
-  images:
-    apiserver-proxy: image-repository
-    apiserver-proxy-sidecar: image-repository
-  advertiseIPAddress: 1.1.1.1
-  # webhook:
-    # caBundle: LS0tLS1C
-  proxySeedServer:
-    host: dummy.127.0.0.1.nip.io
-    port: 8443
 monitoring:
   enabled: true
   node-exporter:

cmd/gardener-extension-provider-local/app/app.go

@@ -32,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	vpaautoscalingv1 "k8s.io/autoscaler/vertical-pod-autoscaler/pkg/apis/autoscaling.k8s.io/v1"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
@@ -47,6 +48,7 @@ import (
 	"github.com/gardener/gardener/extensions/pkg/controller/operatingsystemconfig/oscommon"
 	"github.com/gardener/gardener/extensions/pkg/controller/worker"
 	extensionscmdwebhook "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
+	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	gardenerhealthz "github.com/gardener/gardener/pkg/healthz"
 	localinstall "github.com/gardener/gardener/pkg/provider-local/apis/local/install"
 	localbackupbucket "github.com/gardener/gardener/pkg/provider-local/controller/backupbucket"
@@ -271,6 +273,65 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 				return fmt.Errorf("error adding runnable for triggering DNS config webhook: %w", err)
 			}
 
+			// TODO(rfranzke): Remove this block after v1.71 got released.
+			// Migrate existing machine pods to new NetworkPolicy labels to make upgrade e2e tests work.
+			{
+				if err := mgr.Add(manager.RunnableFunc(func(ctx context.Context) error {
+					machinePods := &corev1.PodList{}
+					if err := mgr.GetClient().List(ctx, machinePods, client.MatchingLabels{
+						"app":              "machine",
+						"machine-provider": "local",
+					}); err != nil {
+						return err
+					}
+
+					for _, p := range machinePods.Items {
+						pod := p
+						patch := client.MergeFrom(pod.DeepCopy())
+						metav1.SetMetaDataLabel(&pod.ObjectMeta, "networking.gardener.cloud/to-runtime-apiserver", "allowed")
+						metav1.SetMetaDataLabel(&pod.ObjectMeta, "networking.resources.gardener.cloud/to-kube-apiserver-tcp-443", "allowed")
+						if err := mgr.GetClient().Patch(ctx, &pod, patch); err != nil {
+							return err
+						}
+					}
+
+					shootNamespaces := &corev1.NamespaceList{}
+					if err := mgr.GetClient().List(ctx, shootNamespaces, client.MatchingLabels{v1beta1constants.GardenRole: v1beta1constants.GardenRoleShoot}); err != nil {
+						return err
+					}
+
+					for _, namespace := range shootNamespaces.Items {
+						service := &corev1.Service{
+							ObjectMeta: metav1.ObjectMeta{
+								Name:      "machines",
+								Namespace: namespace.Name,
+							},
+							Spec: corev1.ServiceSpec{
+								Type:      corev1.ServiceTypeClusterIP,
+								ClusterIP: corev1.ClusterIPNone,
+								Selector: map[string]string{
+									"app":              "machine",
+									"machine-provider": "local",
+								},
+								Ports: []corev1.ServicePort{{
+									Port:       10250,
+									Protocol:   corev1.ProtocolTCP,
+									TargetPort: intstr.FromInt(10250),
+								}},
+							},
+						}
+
+						if err := mgr.GetClient().Create(ctx, service); client.IgnoreAlreadyExists(err) != nil {
+							return err
+						}
+					}
+
+					return nil
+				})); err != nil {
+					return fmt.Errorf("error adding runnable for machine pod network policy label migration: %w", err)
+				}
+			}
+
 			if err := controllerSwitches.Completed().AddToManager(mgr); err != nil {
 				return fmt.Errorf("could not add controllers to manager: %w", err)
 			}

cmd/gardener-resource-manager/app/app.go

@@ -42,7 +42,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/cluster"
 	controllerconfigv1alpha1 "sigs.k8s.io/controller-runtime/pkg/config/v1alpha1"
-	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
@@ -57,7 +56,6 @@ import (
 	resourcemanagerclient "github.com/gardener/gardener/pkg/resourcemanager/client"
 	"github.com/gardener/gardener/pkg/resourcemanager/controller"
 	"github.com/gardener/gardener/pkg/resourcemanager/webhook"
-	"github.com/gardener/gardener/pkg/utils/flow"
 )
 
 // Name is a const for the name of this component.
@@ -254,38 +252,7 @@ func run(ctx context.Context, log logr.Logger, cfg *config.ResourceManagerConfig
 	if err := mgr.Add(&controllerutils.ControlledRunner{
 		Manager:            mgr,
 		BootstrapRunnables: []manager.Runnable{&bootstrappers.IdentityDeterminer{Logger: log, SourceClient: mgr.GetClient(), Config: cfg}},
-		ActualRunnables: []manager.Runnable{
-			manager.RunnableFunc(func(context.Context) error { return controller.AddToManager(mgr, mgr, targetCluster, cfg) }),
-			// Remove all old network policy controller related finalizers from existing Service objects.
-			// TODO(rfranzke): Remove this code in a future version.
-			manager.RunnableFunc(func(context.Context) error {
-				if !cfg.Controllers.NetworkPolicy.Enabled {
-					return nil
-				}
-
-				var (
-					finalizer = "resources.gardener.cloud/networkpolicy-controller"
-					fns       []flow.TaskFn
-				)
-
-				serviceList := &corev1.ServiceList{}
-				if err := mgr.GetClient().List(ctx, serviceList); err != nil {
-					return err
-				}
-
-				for _, svc := range serviceList.Items {
-					service := svc
-
-					if controllerutil.ContainsFinalizer(&service, finalizer) {
-						fns = append(fns, func(ctx context.Context) error {
-							return controllerutils.RemoveFinalizers(ctx, mgr.GetClient(), &service, finalizer)
-						})
-					}
-				}
-
-				return flow.Parallel(fns...)(ctx)
-			}),
-		},
+		ActualRunnables:    []manager.Runnable{manager.RunnableFunc(func(context.Context) error { return controller.AddToManager(mgr, mgr, targetCluster, cfg) })},
 	}); err != nil {
 		return fmt.Errorf("failed adding controllers to manager: %w", err)
 	}

cmd/gardenlet/app/app.go

@@ -74,7 +74,6 @@ import (
 	"github.com/gardener/gardener/pkg/logger"
 	kubeapiserverconstants "github.com/gardener/gardener/pkg/operation/botanist/component/kubeapiserver/constants"
 	"github.com/gardener/gardener/pkg/operation/botanist/component/vpnseedserver"
-	"github.com/gardener/gardener/pkg/resourcemanager/controller/garbagecollector/references"
 	"github.com/gardener/gardener/pkg/utils"
 	"github.com/gardener/gardener/pkg/utils/flow"
 	gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
@@ -219,30 +218,6 @@ func run(ctx context.Context, cancel context.CancelFunc, log logr.Logger, cfg *c
 				Config:     cfg,
 				Result:     kubeconfigBootstrapResult,
 			},
-
-			// TODO(rfranzke): Remove this in a future version.
-			// Ensure all existing ETCD encryption secrets get the 'garbage-collectable' label. There was a bug which
-			// prevented this from happening, see https://github.com/gardener/gardener/pull/7244.
-			manager.RunnableFunc(func(ctx context.Context) error {
-				secretList := &corev1.SecretList{}
-				if err := mgr.GetClient().List(ctx, secretList, client.MatchingLabels{v1beta1constants.LabelRole: v1beta1constants.SecretNamePrefixETCDEncryptionConfiguration}); err != nil {
-					return err
-				}
-
-				var tasks []flow.TaskFn
-
-				for _, obj := range secretList.Items {
-					secret := obj
-
-					tasks = append(tasks, func(ctx context.Context) error {
-						patch := client.MergeFrom(secret.DeepCopy())
-						metav1.SetMetaDataLabel(&secret.ObjectMeta, references.LabelKeyGarbageCollectable, references.LabelValueGarbageCollectable)
-						return mgr.GetClient().Patch(ctx, &secret, patch)
-					})
-				}
-
-				return flow.Parallel(tasks...)(ctx)
-			}),
 		},
 		ActualRunnables: []manager.Runnable{
 			&garden{