Destroy shoot access for DWD if Shoot is workerless (gardener#10003)

* Destroy shoot access secret for DWD if Shoot is workerless * Address PR review feedback * Fix shoot deletion * Address PR review feedback * Address PR review feedback
nickytd · Jun 24, 2024 · cba5514 · cba5514
1 parent 5aa3472
commit cba5514
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 9 deletions.
diff --git a/cmd/gardenlet/app/app.go b/cmd/gardenlet/app/app.go
@@ -359,7 +359,7 @@ func (g *garden) Start(ctx context.Context) error {
 		return err
 	}
 
-	if err := g.runMigrations(ctx, log, gardenCluster); err != nil {
+	if err := g.runMigrations(ctx, log, gardenCluster, g.config.SeedConfig.Name); err != nil {
 		return err
 	}
 

diff --git a/cmd/gardenlet/app/migration.go b/cmd/gardenlet/app/migration.go
@@ -11,19 +11,26 @@ import (
 	"github.com/Masterminds/semver/v3"
 	"github.com/go-logr/logr"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/cluster"
 
+	"github.com/gardener/gardener/pkg/apis/core"
+	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
+	v1beta1helper "github.com/gardener/gardener/pkg/apis/core/v1beta1/helper"
 	"github.com/gardener/gardener/pkg/component/extensions/operatingsystemconfig"
+	"github.com/gardener/gardener/pkg/component/nodemanagement/dependencywatchdog"
 	"github.com/gardener/gardener/pkg/utils/flow"
+	kubernetesutils "github.com/gardener/gardener/pkg/utils/kubernetes"
+	"github.com/gardener/gardener/pkg/utils/managedresources"
 	versionutils "github.com/gardener/gardener/pkg/utils/version"
 )
 
-func (g *garden) runMigrations(ctx context.Context, log logr.Logger, _ cluster.Cluster) error {
+func (g *garden) runMigrations(ctx context.Context, log logr.Logger, gardenCluster cluster.Cluster, seedName string) error {
 	log.Info("Migrating deprecated failure-domain.beta.kubernetes.io labels to topology.kubernetes.io")
 	if err := migrateDeprecatedTopologyLabels(ctx, log, g.mgr.GetClient(), g.mgr.GetConfig()); err != nil {
 		return err
@@ -33,6 +40,12 @@ func (g *garden) runMigrations(ctx context.Context, log logr.Logger, _ cluster.C
 	if err := createOSCHashMigrationSecret(ctx, g.mgr.GetClient()); err != nil {
 		return err
 	}
+
+	log.Info("Cleaning up DWD access for workerless shoots")
+	if err := cleanupDWDAccess(ctx, gardenCluster.GetClient(), g.mgr.GetClient(), seedName); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -149,3 +162,36 @@ func createOSCHashMigrationSecret(ctx context.Context, seedClient client.Client)
 	}
 	return flow.Parallel(tasks...)(ctx)
 }
+
+// TODO (shafeeqes): Remove this function in gardener v1.100
+func cleanupDWDAccess(ctx context.Context, gardenClient client.Client, seedClient client.Client, seedName string) error {
+	shootList := &gardencorev1beta1.ShootList{}
+	if err := gardenClient.List(ctx, shootList, client.MatchingFields{core.ShootSeedName: seedName}); err != nil {
+		return err
+	}
+
+	var taskFns []flow.TaskFn
+
+	for _, shoot := range shootList.Items {
+		if !v1beta1helper.IsWorkerless(&shoot) || shoot.DeletionTimestamp != nil {
+			continue
+		}
+
+		namespace := shoot.Status.TechnicalID
+		taskFns = append(taskFns, func(ctx context.Context) error {
+			if err := kubernetesutils.DeleteObjects(ctx, seedClient,
+				&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: dependencywatchdog.KubeConfigSecretName, Namespace: namespace}},
+			); err != nil {
+				return fmt.Errorf("failed to delete DWD access secret for namespace %q: %w", namespace, err)
+			}
+
+			if err := managedresources.DeleteForShoot(ctx, seedClient, namespace, dependencywatchdog.ManagedResourceName); err != nil {
+				return fmt.Errorf("failed to delete DWD managed resource for namespace %q: %w", namespace, err)
+			}
+
+			return nil
+		})
+	}
+
+	return flow.Parallel(taskFns...)(ctx)
+}
diff --git a/pkg/component/nodemanagement/dependencywatchdog/access.go b/pkg/component/nodemanagement/dependencywatchdog/access.go
@@ -33,8 +33,8 @@ const (
 	DefaultWatchDuration = 5 * time.Minute
 	// KubeConfigSecretName is the name of the kubecfg secret with internal DNS for external access.
 	KubeConfigSecretName = gardenerutils.SecretNamePrefixShootAccess + "dependency-watchdog-probe"
-	// managedResourceName is the name of the managed resource created for DWD.
-	managedResourceName = "shoot-core-dependency-watchdog"
+	// ManagedResourceName is the name of the managed resource created for DWD.
+	ManagedResourceName = "shoot-core-dependency-watchdog"
 )
 
 // NewAccess creates a new instance of the deployer for shoot cluster access for the dependency-watchdog.
@@ -163,11 +163,11 @@ func (d *dependencyWatchdogAccess) createManagedResource(ctx context.Context) er
 		return err
 	}
 
-	return managedresources.CreateForShoot(ctx, d.client, d.namespace, managedResourceName, managedresources.LabelValueGardener, false, resources)
+	return managedresources.CreateForShoot(ctx, d.client, d.namespace, ManagedResourceName, managedresources.LabelValueGardener, false, resources)
 }
 
 func (d *dependencyWatchdogAccess) Destroy(ctx context.Context) error {
-	if err := managedresources.DeleteForShoot(ctx, d.client, d.namespace, managedResourceName); err != nil {
+	if err := managedresources.DeleteForShoot(ctx, d.client, d.namespace, ManagedResourceName); err != nil {
 		return err
 	}
 	return kubernetesutils.DeleteObjects(ctx, d.client,

diff --git a/pkg/gardenlet/controller/shoot/shoot/reconciler_delete.go b/pkg/gardenlet/controller/shoot/shoot/reconciler_delete.go
@@ -464,8 +464,10 @@ func (r *Reconciler) runDeleteShootFlow(ctx context.Context, o *operation.Operat
 			Dependencies: flow.NewTaskIDs(syncPointCleanedKubernetesResources, waitUntilWorkerDeleted),
 		})
 		deleteDWDResources = g.Add(flow.Task{
-			Name:         "Deleting DWD managed resource and secrets",
-			Fn:           flow.TaskFn(botanist.Shoot.Components.DependencyWatchdogAccess.Destroy).RetryUntilTimeout(defaultInterval, defaultTimeout),
+			Name: "Deleting DWD managed resource and secrets",
+			Fn: flow.TaskFn(func(ctx context.Context) error {
+				return botanist.Shoot.Components.DependencyWatchdogAccess.Destroy(ctx)
+			}).RetryUntilTimeout(defaultInterval, defaultTimeout),
 			SkipIf:       botanist.Shoot.IsWorkerless,
 			Dependencies: flow.NewTaskIDs(deleteManagedResources),
 		})

diff --git a/pkg/gardenlet/controller/shoot/shoot/reconciler_reconcile.go b/pkg/gardenlet/controller/shoot/shoot/reconciler_reconcile.go
@@ -498,6 +498,7 @@ func (r *Reconciler) runReconcileShootFlow(ctx context.Context, o *operation.Ope
 		_ = g.Add(flow.Task{
 			Name:         "Deploying dependency-watchdog shoot access resources",
 			Fn:           flow.TaskFn(botanist.DeployDependencyWatchdogAccess).RetryUntilTimeout(defaultInterval, defaultTimeout),
+			SkipIf:       o.Shoot.IsWorkerless,
 			Dependencies: flow.NewTaskIDs(initializeSecretsManagement, waitUntilGardenerResourceManagerReady),
 		})
 		deployKubeControllerManager = g.Add(flow.Task{

diff --git a/pkg/gardenlet/operation/botanist/botanist.go b/pkg/gardenlet/operation/botanist/botanist.go
@@ -217,8 +217,10 @@ func New(ctx context.Context, o *operation.Operation) (*Botanist, error) {
 	// other components
 	o.Shoot.Components.SourceBackupEntry = b.SourceBackupEntry()
 	o.Shoot.Components.BackupEntry = b.DefaultCoreBackupEntry()
-	o.Shoot.Components.DependencyWatchdogAccess = b.DefaultDependencyWatchdogAccess()
 	o.Shoot.Components.GardenerAccess = b.DefaultGardenerAccess()
+	if !o.Shoot.IsWorkerless {
+		o.Shoot.Components.DependencyWatchdogAccess = b.DefaultDependencyWatchdogAccess()
+	}
 
 	// Addons
 	if !o.Shoot.IsWorkerless {