[Workerless Shoots] Introduce API changes in the Shoot (gardener#7828)

* Introduce `WorkerlessShoots` feature gate in `gardener-apiserver` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Introduce `IsWorkerless` method for Shoot Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `spec.provider` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `.spec.kubernetes` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `spec.systemcomponents` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] Prevent going back and forth between workerless Shoot and Shoot with workers Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] Add/adapt unit tests Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [API] Make `spec.secretBindingName` optional Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `spec.secretBindingName` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt usages of `spec.secretBindingName` to use pointer Handle nil secretbinding in controllers Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [API] Make `.spec.provider.workers` optional Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `spec.provider.workersSettings` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [API] Make `MaintenanceAutoUpdate` fields optional Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] `spec.maintenance.autoUpdate.machineImageVersion` Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt usages for maintenance.autoUpdate.machineImageVersion Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [API] Make Networking optional in shoot spec Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt Networking usages to use pointer Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Handle optional networking field in tests Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [validation] spec.networking Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt Shoot validator plugin for workerless Shoot networking Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Handle optional networking field in controllers Adapt gardener-scheduler to not check network cidr disjointedness if networking is nil Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt defaulting of fields in Shoot spec [defaulting] `spec.maintenance` [defaulting] `spec.kubernetes` and `spec.networking` [defaulting] `spec.provider` and `spec.systemComponents` [defaulting] `spec.addons` [defaulting] Add/adapt unit tests Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Forbid managedseed and managedseedset creation with workerless shoot Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt size limit in admissioncontroller webhook test Now that many fields are optional, the resourceSize is lesser Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Adapt Shoot VPA and Shoot nodelocalDNS admission plugin Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Introduce field in botanist shoot for workless shoot Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * [botanist] Handle optional fields in botanist Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Address PR review feedback from rfranzke * Revert making `.spec.maintenance.autoUpdate.kubernetesVersion` optional * Run `make generate` * Use helper function for checking if shoot is workerless Co-Authored-By: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-Authored-By: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> * Address PR review feedback from acumino * Rework `ToNetworks` function * Adapt networkpolicy reconciler * Address Review * Return validation error if neither shoot have service cidr nor seed has shoot defaults for service cidr * Improve Shoot predicate for `controllerregistration` controller * Use static defaulting to default networking for workerless Shoots * Address PR review feedback --------- Co-authored-by: Ashish Ranjan Yadav <ashish.ranjan.yadav@sap.com> Co-authored-by: Sonu Kumar Singh <sonu.kumar.singh02@sap.com> Co-authored-by: acumino <sksgkpvks@gmail.com>
nickytd · May 2, 2023 · 4507f53 · 4507f53
1 parent 89b1839
commit 4507f53
Show file tree

Hide file tree

Showing 119 changed files with 4,006 additions and 2,374 deletions.
diff --git a/docs/api-reference/core.md b/docs/api-reference/core.md
@@ -1547,6 +1547,7 @@ Networking
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Networking contains information about cluster networking such as CNI Plugin type, CIDRs, &hellip;etc.</p>
 </td>
 </tr>
@@ -1625,6 +1626,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretBindingName is the name of the a SecretBinding that has a reference to the provider secret.
 The credentials inside the provider secret will be used to create the shoot in the respective account.
 This field is immutable.</p>
@@ -7080,6 +7082,7 @@ bool
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>MachineImageVersion indicates whether the machine image version may be automatically updated (default: true).</p>
 </td>
 </tr>
@@ -7230,6 +7233,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Type identifies the type of the networking plugin. This field is immutable.</p>
 </td>
 </tr>
@@ -8026,6 +8030,7 @@ definition in the documentation of your provider extension.</p>
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Workers is a list of worker groups.</p>
 </td>
 </tr>
@@ -10605,6 +10610,7 @@ Networking
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Networking contains information about cluster networking such as CNI Plugin type, CIDRs, &hellip;etc.</p>
 </td>
 </tr>
@@ -10683,6 +10689,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretBindingName is the name of the a SecretBinding that has a reference to the provider secret.
 The credentials inside the provider secret will be used to create the shoot in the respective account.
 This field is immutable.</p>
@@ -11230,6 +11237,7 @@ Networking
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>Networking contains information about cluster networking such as CNI Plugin type, CIDRs, &hellip;etc.</p>
 </td>
 </tr>
@@ -11308,6 +11316,7 @@ string
 </em>
 </td>
 <td>
+<em>(Optional)</em>
 <p>SecretBindingName is the name of the a SecretBinding that has a reference to the provider secret.
 The credentials inside the provider secret will be used to create the shoot in the respective account.
 This field is immutable.</p>

diff --git a/docs/deployment/feature_gates.md b/docs/deployment/feature_gates.md
@@ -31,6 +31,7 @@ The following tables are a summary of the feature gates that you can set on diff
 | IPv6SingleStack                            | `false` | `Alpha` | `1.63` |        |
 | MutableShootSpecNetworkingNodes            | `false` | `Alpha` | `1.64` |        |
 | FullNetworkPoliciesInRuntimeCluster        | `false` | `Alpha` | `1.66` |        |
+| WorkerlessShoots                           | `false` | `Alpha` | `1.70` |        |
 
 ## Feature Gates for Graduated or Deprecated Features
 
@@ -167,3 +168,4 @@ A *General Availability* (GA) feature is also referred to as a *stable* feature.
 | IPv6SingleStack                            | `gardener-apiserver`, `gardenlet` | Allows creating seed and shoot clusters with [IPv6 single-stack networking](../usage/ipv6.md) enabled in their spec ([GEP-21](../proposals/21-ipv6-singlestack-local.md)). If enabled in gardenlet, the default behavior is unchanged, but setting `ipFamilies=[IPv6]` in the `seedConfig` is allowed. Only if the `ipFamilies` setting is changed, gardenlet behaves differently.                                                                                                                               |
 | MutableShootSpecNetworkingNodes            | `gardener-apiserver`             | Allows updating the field `spec.networking.nodes`. The validity of the values has to be checked in the provider extensions. Only enable this feature gate when your system runs provider extensions which have implemented the validation.                                                                                                                                                                                                                                                                       |
 | FullNetworkPoliciesInRuntimeCluster        | `gardenlet`                      | Enables gardenlet's NetworkPolicy controller to place 'deny-all' network policies in all relevant namespaces in the runtime cluster.                                                                                                                                                                                                                                                                                                                                                                             |
+| WorkerlessShoots                           | `gardener-apiserver`             | WorkerlessShoots allows creation of Shoot clusters with no worker pools.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
diff --git a/docs/development/logging.md b/docs/development/logging.md
@@ -194,9 +194,9 @@ See [Dave Cheney's post](https://dave.cheney.net/2015/11/05/lets-talk-about-logg
   )
   
   // option a: full object key, manually constructed
-  log.Info("Shoot uses SecretBinding", "secretBinding", client.ObjectKey{Namespace: shoot.Namespace, Name: shoot.Spec.SecretBindingName})
+  log.Info("Shoot uses SecretBinding", "secretBinding", client.ObjectKey{Namespace: shoot.Namespace, Name: *shoot.Spec.SecretBindingName})
   // option b: only name under respective *Name log key
-  log.Info("Shoot uses SecretBinding", "secretBindingName", shoot.Spec.SecretBindingName)
+  log.Info("Shoot uses SecretBinding", "secretBindingName", *shoot.Spec.SecretBindingName)
   ```
 
   Both options result in well-structured logs, that are easy to interpret and process:

diff --git a/extensions/pkg/controller/shoot.go b/extensions/pkg/controller/shoot.go
@@ -35,15 +35,15 @@ func (f ChartRendererFactoryFunc) NewChartRendererForShoot(version string) (char
 
 // GetPodNetwork returns the pod network CIDR of the given Shoot.
 func GetPodNetwork(cluster *Cluster) string {
-	if cluster.Shoot.Spec.Networking.Pods != nil {
+	if cluster.Shoot.Spec.Networking != nil && cluster.Shoot.Spec.Networking.Pods != nil {
 		return *cluster.Shoot.Spec.Networking.Pods
 	}
 	return ""
 }
 
 // GetServiceNetwork returns the service network CIDR of the given Shoot.
 func GetServiceNetwork(cluster *Cluster) string {
-	if cluster.Shoot.Spec.Networking.Services != nil {
+	if cluster.Shoot.Spec.Networking != nil && cluster.Shoot.Spec.Networking.Services != nil {
 		return *cluster.Shoot.Spec.Networking.Services
 	}
 	return ""

diff --git a/extensions/pkg/controller/shoot_test.go b/extensions/pkg/controller/shoot_test.go
@@ -37,7 +37,7 @@ var _ = Describe("Shoot", func() {
 		Entry("pod cidr is given", &Cluster{
 			Shoot: &gardencorev1beta1.Shoot{
 				Spec: gardencorev1beta1.ShootSpec{
-					Networking: gardencorev1beta1.Networking{
+					Networking: &gardencorev1beta1.Networking{
 						Pods: &cidr,
 					},
 				},

diff --git a/extensions/pkg/util/index/index.go b/extensions/pkg/util/index/index.go
@@ -41,5 +41,8 @@ func SecretBindingNameIndexerFunc(rawObj client.Object) []string {
 	if !ok {
 		return []string{}
 	}
-	return []string{shoot.Spec.SecretBindingName}
+	if shoot.Spec.SecretBindingName == nil {
+		return []string{}
+	}
+	return []string{*shoot.Spec.SecretBindingName}
 }
diff --git a/extensions/pkg/util/index/index_test.go b/extensions/pkg/util/index/index_test.go
@@ -20,6 +20,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/gardener/gardener/extensions/pkg/util/index"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
@@ -31,7 +32,6 @@ func TestIndex(t *testing.T) {
 }
 
 var _ = Describe("Index", func() {
-
 	Context("#SecretRefNamespaceIndexerFunc", func() {
 		It("should return empty slice for non SecretBinding", func() {
 			actual := index.SecretRefNamespaceIndexerFunc(&corev1.Secret{})
@@ -53,13 +53,22 @@ var _ = Describe("Index", func() {
 	Context("#SecretBindingNameIndexerFunc", func() {
 		It("should return empty slice for non Shoot", func() {
 			actual := index.SecretBindingNameIndexerFunc(&corev1.Pod{})
-			Expect(actual).To(Equal([]string{}))
+			Expect(actual).To(BeEmpty())
+		})
+
+		It("should return empty slice for nil secretBindingName", func() {
+			shoot := &gardencorev1beta1.Shoot{
+				Spec: gardencorev1beta1.ShootSpec{},
+			}
+
+			actual := index.SecretBindingNameIndexerFunc(shoot)
+			Expect(actual).To(BeEmpty())
 		})
 
 		It("should return spec.secretBindingName for Shoot", func() {
 			shoot := &gardencorev1beta1.Shoot{
 				Spec: gardencorev1beta1.ShootSpec{
-					SecretBindingName: "foo",
+					SecretBindingName: pointer.String("foo"),
 				},
 			}
 

diff --git a/extensions/pkg/util/secret/secret_test.go b/extensions/pkg/util/secret/secret_test.go
@@ -23,6 +23,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/utils/pointer"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -76,7 +77,7 @@ var _ = Describe("Secret", func() {
 					Provider: gardencorev1beta1.Provider{
 						Type: "gcp",
 					},
-					SecretBindingName: secretBinding.Name,
+					SecretBindingName: pointer.String(secretBinding.Name),
 				},
 			}
 

diff --git a/pkg/admissioncontroller/webhook/admission/resourcesize/handler_test.go b/pkg/admissioncontroller/webhook/admission/resourcesize/handler_test.go
@@ -59,9 +59,9 @@ var _ = Describe("handler", func() {
 		projectsSizeLimit, _ = resource.ParseQuantity("0M")
 		secretSizeLimit, _   = resource.ParseQuantity("1Mi")
 		// size of shoot w/ namespace, name, w/o spec
-		shootsv1beta1SizeLimit, _ = resource.ParseQuantity("405")
+		shootsv1beta1SizeLimit, _ = resource.ParseQuantity("342")
 		// size of shoot w/ namespace, name, w/o spec -1 byte
-		shootsv1alpha1SizeLimit, _ = resource.ParseQuantity("405")
+		shootsv1alpha1SizeLimit, _ = resource.ParseQuantity("342")
 
 		restrictedUserName                  = "restrictedUser"
 		unrestrictedUserName                = "unrestrictedUser"

diff --git a/pkg/admissioncontroller/webhook/auth/seed/graph/eventhandler_shoot.go b/pkg/admissioncontroller/webhook/auth/seed/graph/eventhandler_shoot.go
@@ -91,14 +91,16 @@ func (g *graph) handleShootCreateOrUpdate(shoot *gardencorev1beta1.Shoot) {
 	g.deleteAllOutgoingEdges(VertexTypeShoot, shoot.Namespace, shoot.Name, VertexTypeSeed)
 
 	var (
-		shootVertex         = g.getOrCreateVertex(VertexTypeShoot, shoot.Namespace, shoot.Name)
-		namespaceVertex     = g.getOrCreateVertex(VertexTypeNamespace, "", shoot.Namespace)
-		secretBindingVertex = g.getOrCreateVertex(VertexTypeSecretBinding, shoot.Namespace, shoot.Spec.SecretBindingName)
-		cloudProfileVertex  = g.getOrCreateVertex(VertexTypeCloudProfile, "", shoot.Spec.CloudProfileName)
+		shootVertex        = g.getOrCreateVertex(VertexTypeShoot, shoot.Namespace, shoot.Name)
+		namespaceVertex    = g.getOrCreateVertex(VertexTypeNamespace, "", shoot.Namespace)
+		cloudProfileVertex = g.getOrCreateVertex(VertexTypeCloudProfile, "", shoot.Spec.CloudProfileName)
 	)
 
+	if shoot.Spec.SecretBindingName != nil {
+		secretBindingVertex := g.getOrCreateVertex(VertexTypeSecretBinding, shoot.Namespace, *shoot.Spec.SecretBindingName)
+		g.addEdge(secretBindingVertex, shootVertex)
+	}
 	g.addEdge(namespaceVertex, shootVertex)
-	g.addEdge(secretBindingVertex, shootVertex)
 	g.addEdge(cloudProfileVertex, shootVertex)
 
 	if shoot.Spec.SeedName != nil {