Remove hyperkube dependency from cloud-config-downloader script

```noteworthy operator
The cloud-config-downloader script does no longer depend on `hyperkube`/`kubectl`.
```

charts/seed-operatingsystemconfig/downloader/templates/osc.yaml

@@ -22,12 +22,36 @@ spec:
       EnvironmentFile=/etc/environment
       ExecStart=/var/lib/cloud-config-downloader/download-cloud-config.sh
   files:
-  - path: /var/lib/cloud-config-downloader/kubeconfig
+  - path: /var/lib/cloud-config-downloader/credentials/kubeconfig
     permissions: 0644
     content:
       secretRef:
         name: cloud-config-downloader
         dataKey: kubeconfig
+  - path: /var/lib/cloud-config-downloader/credentials/server
+    permissions: 0644
+    content:
+      inline:
+        encoding: b64
+        data: {{ .Values.server | b64enc }}
+  - path: /var/lib/cloud-config-downloader/credentials/ca.crt
+    permissions: 0644
+    content:
+      secretRef:
+        name: cloud-config-downloader
+        dataKey: ca.crt
+  - path: /var/lib/cloud-config-downloader/credentials/client.crt
+    permissions: 0644
+    content:
+      secretRef:
+        name: cloud-config-downloader
+        dataKey: cloud-config-downloader.crt
+  - path: /var/lib/cloud-config-downloader/credentials/client.key
+    permissions: 0644
+    content:
+      secretRef:
+        name: cloud-config-downloader
+        dataKey: cloud-config-downloader.key
   - path: /var/lib/cloud-config-downloader/download-cloud-config.sh
     permissions: 0744
     content:

charts/seed-operatingsystemconfig/downloader/templates/scripts/_download-cloud-config.sh

@@ -2,19 +2,22 @@
 #!/bin/bash -eu
 
 SECRET_NAME="{{ required "secretName is required" .Values.secretName }}"
-PATH_KUBECONFIG="/var/lib/cloud-config-downloader/kubeconfig"
 
-function kubectl() {
-  /bin/docker run \
-    --rm \
-    --net host \
-    -v "$PATH_KUBECONFIG":"$PATH_KUBECONFIG" \
-    -e "KUBECONFIG=$PATH_KUBECONFIG" \
-    {{ index .Values.images "hyperkube" }} \
-    kubectl "$@"
-}
+DIR_CLOUDCONFIG_DOWNLOADER_CREDENTIALS="/var/lib/cloud-config-downloader/credentials"
+PATH_CLOUDCONFIG_DOWNLOADER_SERVER="$DIR_CLOUDCONFIG_DOWNLOADER_CREDENTIALS/server"
+PATH_CLOUDCONFIG_DOWNLOADER_CA_CERT="$DIR_CLOUDCONFIG_DOWNLOADER_CREDENTIALS/ca.crt"
+PATH_CLOUDCONFIG_DOWNLOADER_CLIENT_CERT="$DIR_CLOUDCONFIG_DOWNLOADER_CREDENTIALS/client.crt"
+PATH_CLOUDCONFIG_DOWNLOADER_CLIENT_KEY="$DIR_CLOUDCONFIG_DOWNLOADER_CREDENTIALS/client.key"
+
+if ! SCRIPT="$(wget \
+  -qO- \
+  --header         "Accept: application/yaml" \
+  --ca-certificate "$PATH_CLOUDCONFIG_DOWNLOADER_CA_CERT" \
+  --certificate    "$PATH_CLOUDCONFIG_DOWNLOADER_CLIENT_CERT" \
+  --private-key    "$PATH_CLOUDCONFIG_DOWNLOADER_CLIENT_KEY" \
+  "$(cat "$PATH_CLOUDCONFIG_DOWNLOADER_SERVER")/api/v1/namespaces/kube-system/secrets/$SECRET_NAME" \
+  | sed -rn 's/  script: (.*)/\1/p')"; then
 
-if ! SCRIPT="$(kubectl --namespace=kube-system get secret "$SECRET_NAME" -o jsonpath='{.data.script}')"; then
   echo "Could not retrieve the cloud config script in secret with name $SECRET_NAME"
   exit 1
 fi

charts/seed-operatingsystemconfig/downloader/values.yaml

@@ -1,5 +1,4 @@
 type: coreos
 purpose: bootstrap
 secretName: cpu-worker-0
-images:
-  hyperkube: image-repository
+server: api.shoot-cluster.example.com

charts/shoot-cloud-config/templates/scripts/_cloud-config-script.sh

@@ -5,7 +5,7 @@ DIR_KUBELET="/var/lib/kubelet"
 DIR_CLOUDCONFIG_DOWNLOADER="/var/lib/cloud-config-downloader"
 DIR_CLOUDCONFIG="$DIR_CLOUDCONFIG_DOWNLOADER/downloads"
 
-PATH_KUBECONFIG="$DIR_CLOUDCONFIG_DOWNLOADER/kubeconfig"
+PATH_KUBECONFIG="$DIR_CLOUDCONFIG_DOWNLOADER/credentials/kubeconfig"
 PATH_CLOUDCONFIG="{{ .configFilePath }}"
 PATH_CLOUDCONFIG_OLD="${PATH_CLOUDCONFIG}.old"
 

docs/extensions/operatingsystemconfig.md

@@ -7,9 +7,12 @@ MCM does not have any restrictions regarding supported operating systems as it d
 Consequently, Gardener needs to provide this information when interacting with the machine-controller-manager.
 This means that basically every operating system is possible to be used as long as there is some implementation that generates the OS-specific configuration in order to provision/bootstrap the machines.
 
-:warning: Currently, there are two requirements:
+:warning: Currently, there are a few requirements:
+
 1) The operating system must have built-in [Docker](https://www.docker.com/) support.
 2) The operating system must have [systemd](https://www.freedesktop.org/wiki/Software/systemd/) support.
+3) The operating system must have [`wget`](https://www.gnu.org/software/wget/) pre-installed.
+
 The reasons for that will become evident later.
 
 ## What does the user-data bootstrapping the machines contain?

docs/proposals/01-extensibility.md

@@ -401,7 +401,7 @@ spec:
       EnvironmentFile=/etc/environment
       ExecStart=/bin/sh /var/lib/cloud-config-downloader/download-cloud-config.sh
   files:
-  - path: /var/lib/cloud-config-downloader/kubeconfig
+  - path: /var/lib/cloud-config-downloader/credentials/kubeconfig
     permissions: 0644
     content:
       secretRef:

pkg/operation/botanist/secrets.go

@@ -174,7 +174,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 			},
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -209,7 +209,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -244,7 +244,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -264,7 +264,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -299,7 +299,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -319,7 +319,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -339,7 +339,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -359,7 +359,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(false, true),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(false, true),
 			},
 		},
 
@@ -379,7 +379,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -399,7 +399,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(true, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(true, false),
 			},
 		},
 
@@ -436,7 +436,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(false, false),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(false, false),
 			},
 		},
 
@@ -456,7 +456,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(false, true),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(false, true),
 			},
 		},
 
@@ -476,7 +476,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 			KubeConfigRequest: &secrets.KubeConfigRequest{
 				ClusterName:  b.Shoot.SeedNamespace,
-				APIServerURL: b.computeAPIServerURL(false, true),
+				APIServerURL: b.Shoot.ComputeAPIServerURL(false, true),
 			},
 		},
 
@@ -652,7 +652,7 @@ func (b *Botanist) generateWantedSecrets(basicAuthAPIServer *secrets.BasicAuth,
 
 				KubeConfigRequest: &secrets.KubeConfigRequest{
 					ClusterName:  b.Shoot.SeedNamespace,
-					APIServerURL: b.computeAPIServerURL(true, true),
+					APIServerURL: b.Shoot.ComputeAPIServerURL(true, true),
 				},
 			})
 	}
@@ -899,20 +899,6 @@ func (b *Botanist) appendLoadBalancerIngresses(ipAddresses []net.IP, dnsNames []
 	return ipAddresses, dnsNames
 }
 
-// computeAPIServerURL takes a boolean value identifying whether the component connecting to the API server
-// runs in the Seed cluster <runsInSeed>, and a boolean value <useInternalClusterDomain> which determines whether the
-// internal or the external cluster domain should be used.
-func (b *Botanist) computeAPIServerURL(runsInSeed, useInternalClusterDomain bool) string {
-	if runsInSeed {
-		return "kube-apiserver"
-	}
-	dnsProvider := b.Shoot.Info.Spec.DNS.Provider
-	if dnsProvider == gardenv1beta1.DNSUnmanaged || (dnsProvider != gardenv1beta1.DNSUnmanaged && useInternalClusterDomain) {
-		return b.Shoot.InternalClusterDomain
-	}
-	return *(b.Shoot.ExternalClusterDomain)
-}
-
 func generateOpenVPNTLSAuth() ([]byte, error) {
 	var (
 		out bytes.Buffer

pkg/operation/common/types.go

@@ -508,10 +508,6 @@ const (
 	// CertBrokerResourceName is the name of the Cert-Broker resources.
 	CertBrokerResourceName = "cert-broker"
 
-	// KubectlVersion specifies the version of kubectl that is used by the scripts bootstrapping shoot worker nodes,
-	// e.g. the cloud-config-downloader script.
-	KubectlVersion = "1.12.3"
-
 	// SeedSpecHash is a constant for a label on `ControllerInstallation`s (similar to `pod-template-hash` on `Pod`s).
 	SeedSpecHash = "seed-spec-hash"
 

pkg/operation/hybridbotanist/cloud_config.go

@@ -63,10 +63,7 @@ func (b *HybridBotanist) ComputeShootOperatingSystemConfig() error {
 		machineImageName = b.Shoot.GetMachineImageName()
 	)
 
-	downloaderConfig, err := b.generateDownloaderConfig(machineImageName)
-	if err != nil {
-		return err
-	}
+	downloaderConfig := b.generateDownloaderConfig(machineImageName)
 	originalConfig, err := b.generateOriginalConfig()
 	if err != nil {
 		return err
@@ -113,13 +110,12 @@ func (b *HybridBotanist) ComputeShootOperatingSystemConfig() error {
 	return nil
 }
 
-func (b *HybridBotanist) generateDownloaderConfig(machineImageName gardenv1beta1.MachineImageName) (map[string]interface{}, error) {
-	downloaderConfig := map[string]interface{}{
+func (b *HybridBotanist) generateDownloaderConfig(machineImageName gardenv1beta1.MachineImageName) map[string]interface{} {
+	return map[string]interface{}{
 		"type":    machineImageName,
 		"purpose": extensionsv1alpha1.OperatingSystemConfigPurposeProvision,
+		"server":  fmt.Sprintf("https://%s", b.Shoot.ComputeAPIServerURL(false, true)),
 	}
-
-	return b.InjectImages(downloaderConfig, b.ShootVersion(), common.KubectlVersion, common.HyperkubeImageName)
 }
 
 func (b *HybridBotanist) generateOriginalConfig() (map[string]interface{}, error) {

pkg/operation/shoot/shoot.go

@@ -223,6 +223,21 @@ func (s *Shoot) UsesCSI() bool {
 	return s.CloudProvider == gardenv1beta1.CloudProviderAlicloud
 }
 
+// ComputeAPIServerURL takes a boolean value identifying whether the component connecting to the API server
+// runs in the Seed cluster <runsInSeed>, and a boolean value <useInternalClusterDomain> which determines whether the
+// internal or the external cluster domain should be used.
+func (s *Shoot) ComputeAPIServerURL(runsInSeed, useInternalClusterDomain bool) string {
+	if runsInSeed {
+		return common.KubeAPIServerDeploymentName
+	}
+
+	if dnsProvider := s.Info.Spec.DNS.Provider; dnsProvider == gardenv1beta1.DNSUnmanaged || (dnsProvider != gardenv1beta1.DNSUnmanaged && useInternalClusterDomain) {
+		return s.InternalClusterDomain
+	}
+
+	return *(s.ExternalClusterDomain)
+}
+
 // ComputeTechnicalID determines the technical id of that Shoot which is later used for the name of the
 // namespace and for tagging all the resources created in the infrastructure.
 func ComputeTechnicalID(projectName string, shoot *gardenv1beta1.Shoot) string {

pkg/utils/secrets/certificates.go

@@ -297,7 +297,7 @@ func GenerateCertificateAuthorities(k8sClusterClient kubernetes.Interface, exist
 }
 
 // GenerateClusterSecrets try to deploy in the k8s cluster each secret in the wantedSecretsList. If the secret already exist it jumps to the next one.
-// The function returns a map with all of the successfuly deployed wanted secrets plus those alredy deployed(only from the wantedSecretsList)
+// The function returns a map with all of the successfully deployed wanted secrets plus those already deployed (only from the wantedSecretsList).
 func GenerateClusterSecrets(k8sClusterClient kubernetes.Interface, existingSecretsMap map[string]*corev1.Secret, wantedSecretsList []ConfigInterface, namespace string) (map[string]*corev1.Secret, error) {
 	type secretOutput struct {
 		secret *corev1.Secret