Remove legacy VPN solution (gardener#7167)

* Remove ReversedVPNEnabled from shoot.

and adapt uses.

* Remove Enabled field from ReverseVPNValues.

* Remove ReversedVPNEnabled from kubeapiserver.VPNConfig

and adapt uses.

* Remove reversedVPN.enabled value from prometheus charts.

* fix kube-api unit tests.

* Deprecate feature flag.

* Remove reversedVPN.enabled from monitoring config

* Address review comments:

* Simplify networkpolicy construction.
* Inline variable.
* Add VPNSeedServer directly to monitoringComponents.

* Make feature gate GA and lock it.

* Update reversed vpn docs.

* Fix indentation.

* Fix GA version

* Address review comments.

* Remove reference to unneeded images and adapt dependent tests.
* Lock feature gates ManagedIstio and APIServerSNI and adapt dependent
  tests.
* Inline some variables and functions.
* Update docs and examples.

* Update docs.

* Unlock feature APIServerSNI again, as it's still

needed for virtual garden deployment and
add tests again.

Remove unused variables.

* Lock feature gate APIServerSNI and remove tests.

* Add load balancer section again.

* Handle review comments.

* Fixed issues accidentially introduced by rebase.

* Remove image alpine-iptables and references.

* Adapt note on enable-seed-authorizer script.

* Address review comments.

* Delete emptyVPNShootService.

charts/images.yaml

@@ -94,10 +94,6 @@ images:
   repository: eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler
   tag: "v1.20.3"
   targetVersion: "< 1.21"
-- name: vpn-seed
-  sourceRepository: github.com/gardener/vpn
-  repository: eu.gcr.io/gardener-project/gardener/vpn-seed
-  tag: "0.20.0"
 - name: vpn-seed-server
   sourceRepository: github.com/gardener/vpn2
   repository: eu.gcr.io/gardener-project/gardener/vpn-seed-server
@@ -138,10 +134,6 @@ images:
   tag: v0.6.2
 
 # Shoot core addons
-- name: vpn-shoot
-  sourceRepository: github.com/gardener/vpn
-  repository: eu.gcr.io/gardener-project/gardener/vpn-shoot
-  tag: "0.20.0"
 - name: vpn-shoot-client
   sourceRepository: github.com/gardener/vpn2
   repository: eu.gcr.io/gardener-project/gardener/vpn-shoot-client
@@ -206,10 +198,6 @@ images:
 - name: alpine
   repository: alpine
   tag: "3.15.4"
-- name: alpine-iptables
-  sourceRepository: github.com/gardener/alpine-iptables
-  repository: eu.gcr.io/gardener-project/gardener/alpine-iptables
-  tag: "3.16.3"
 
 # Logging
 - name: fluent-bit

charts/seed-monitoring/charts/core/charts/prometheus/templates/prometheus.yaml

@@ -59,9 +59,6 @@ spec:
         role: monitoring
         networking.gardener.cloud/to-dns: allowed
         networking.gardener.cloud/to-public-networks: allowed
-{{- if not .Values.reversedVPN.enabled }}
-        networking.gardener.cloud/to-shoot-networks: allowed
-{{- end }}
         networking.gardener.cloud/to-shoot-apiserver: allowed
         networking.gardener.cloud/to-seed-apiserver: allowed
     spec:

charts/seed-monitoring/charts/core/charts/prometheus/values.yaml

@@ -24,9 +24,6 @@ secretNameClusterCA: ca
 secretNameEtcdCA: ca-etcd
 secretNameEtcdClientCert: etcd-client-tls
 
-reversedVPN:
-  enabled: false
-
 namespace:
   uid: 100c3bb5-48b9-4f88-96ef-48ed557d4212
 

cmd/gardenlet/app/app.go

@@ -57,7 +57,6 @@ import (
 	clientmapbuilder "github.com/gardener/gardener/pkg/client/kubernetes/clientmap/builder"
 	"github.com/gardener/gardener/pkg/controllerutils"
 	"github.com/gardener/gardener/pkg/controllerutils/routes"
-	"github.com/gardener/gardener/pkg/features"
 	"github.com/gardener/gardener/pkg/gardenlet/apis/config"
 	confighelper "github.com/gardener/gardener/pkg/gardenlet/apis/config/helper"
 	"github.com/gardener/gardener/pkg/gardenlet/bootstrap"
@@ -131,11 +130,6 @@ func run(ctx context.Context, cancel context.CancelFunc, log logr.Logger, cfg *c
 	}
 	log.Info("Feature Gates", "featureGates", gardenletfeatures.FeatureGate.String())
 
-	if gardenletfeatures.FeatureGate.Enabled(features.ReversedVPN) && !gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI) {
-		return fmt.Errorf("inconsistent feature gate: APIServerSNI is required for ReversedVPN (APIServerSNI: %t, ReversedVPN: %t)",
-			gardenletfeatures.FeatureGate.Enabled(features.APIServerSNI), gardenletfeatures.FeatureGate.Enabled(features.ReversedVPN))
-	}
-
 	if kubeconfig := os.Getenv("GARDEN_KUBECONFIG"); kubeconfig != "" {
 		cfg.GardenClientConnection.Kubeconfig = kubeconfig
 	}

docs/deployment/feature_gates.md

@@ -30,8 +30,6 @@ The following tables are a summary of the feature gates that you can set on diff
 | APIServerSNI (deprecated)                    | `true`  | `Beta`  | `1.48` |        |
 | SeedChange                                   | `false` | `Alpha` | `1.12` | `1.52` |
 | SeedChange                                   | `true`  | `Beta`  | `1.53` |        |
-| ReversedVPN                                  | `false` | `Alpha` | `1.22` | `1.41` |
-| ReversedVPN                                  | `true`  | `Beta`  | `1.42` |        |
 | CopyEtcdBackupsDuringControlPlaneMigration   | `false` | `Alpha` | `1.37` | `1.52` |
 | CopyEtcdBackupsDuringControlPlaneMigration   | `true`  | `Beta`  | `1.53` |        |
 | ForceRestore                                 | `false` | `Alpha` | `1.39` |        |
@@ -108,6 +106,9 @@ The following tables are a summary of the feature gates that you can set on diff
 | ShootSARotation                              | `true`  | `Beta`       | `1.51` | `1.56` |
 | ShootSARotation                              | `true`  | `GA`         | `1.57` | `1.59` |
 | ShootSARotation                              |         | `Removed`    | `1.60` |        |
+| ReversedVPN                                  | `false` | `Alpha`      | `1.22` | `1.41` |
+| ReversedVPN                                  | `true`  | `Beta`       | `1.42` | `1.62` |
+| ReversedVPN                                  | `true`  | `GA`         | `1.63` |        |
 
 ## Using a feature
 

docs/development/local_setup.md

@@ -260,7 +260,7 @@ If your remote Garden cluster is a Gardener shoot, and you can access the seed o
 hack/local-development/remote-garden/enable-seed-authorizer <seed kubeconfig> <namespace>
 ```
 
-> Note: The configuration changes introduced by this script result in a working `SeedAuthorization` feature only on shoots for which the `ReversedVPN` feature is not enabled. If the corresponding feature gate is enabled in `gardenlet`, add the annotation `alpha.featuregates.shoot.gardener.cloud/reversed-vpn: 'false'` to the remote Garden shoot to disable it for that particular shoot.
+> Note: This script is not working anymore, as the `ReversedVPN` feature can't be disabled. The annotation `alpha.featuregates.shoot.gardener.cloud/reversed-vpn` on `Shoot`s is no longer respected.
 
 To prevent Gardener from reconciling the shoot and overwriting your changes, add the annotation `shoot.gardener.cloud/ignore: 'true'` to the remote Garden shoot. Note that this annotation takes effect only if it is enabled via the `constollers.shoot.respectSyncPeriodOverwrite: true` option in the `gardenlet` configuration.
 

docs/extensions/provider-local.md

@@ -28,12 +28,7 @@ Please note that all of them are no technical limitations/blockers but simply ad
 
 3. No load balancers for Shoot clusters.
 
-   _We have not yet developed a `cloud-controller-manager` which could reconcile load balancer `Service`s in the shoot cluster. Hence, when the gardenlet's `ReversedVPN` feature gate is disabled then the `kube-system/vpn-shoot` `Service` must be manually patched (with `{"status": {"loadBalancer": {"ingress": [{"hostname": "vpn-shoot"}]}}}`) to make the reconciliation work._
-
-4. Only one shoot cluster possible when gardenlet's `APIServerSNI` feature gate is disabled.
-
-   _When [`APIServerSNI`](../proposals/08-shoot-apiserver-via-sni.md) is disabled then gardenlet uses load balancer `Service`s in order to expose the shoot clusters' `kube-apiserver`s. Typically, local Kubernetes clusters don't support this. In this case, the local extension uses the host IP to expose the `kube-apiserver`, however, this can only be done once._\
-   _However, given that the `APIServerSNI` feature gate is deprecated and will be removed in the future (see [gardener/gardener#6007](https://github.com/gardener/gardener/pull/6007)), we will probably not invest into this._
+   _We have not yet developed a `cloud-controller-manager` which could reconcile load balancer `Service`s in the shoot cluster.
 
 5. In case a seed cluster with multiple availability zones, i.e. multiple entries in `.spec.provider.zones`, is used in conjunction with a single-zone shoot control plane, i.e. a shoot cluster without `.spec.controlPlane.highAvailability` or with `.spec.controlPlane.highAvailability.failureTolerance.type` set to `node`, the local address of the API server endpoint needs to be determined manually or via the in cluster `coredns`.
 
@@ -114,9 +109,6 @@ data:
 
 This controller generates a `NetworkPolicy` which allows the control plane pods (like `kube-apiserver`) to communicate with the worker machine pods (see [`Worker` section](#worker))).
 
-In addition, it creates a `Service` named `vpn-shoot` which is only used in case the gardenlet's `ReversedVPN` feature gate is disabled.
-This `Service` enables the `vpn-seed` containers in the `kube-apiserver` pods in the seed cluster to communicate with the `vpn-shoot` pod running in the shoot cluster.
-
 #### `Network`
 
 This controller is not implemented anymore. In the initial version of `provider-local`, there was a `Network` controller deploying [kindnetd](https://github.com/kubernetes-sigs/kind/blob/main/images/kindnetd/README.md) (see https://github.com/gardener/gardener/tree/v1.44.1/pkg/provider-local/controller/network).

docs/usage/reversed-vpn-tunnel.md

@@ -4,52 +4,23 @@ title: Reversed VPN Tunnel
 
 # Reversed VPN Tunnel Setup and Configuration 
 
-This is a short guide describing how to enable tunneling traffic from shoot cluster to seed cluster instead of the default "seed to shoot" direction. 
+The Reversed VPN Tunnel is enabled by default.
+A highly available VPN connection is automatically deployed in all shoots that configure an HA control-plane.
 
-## The OpenVPN Default
+## Reversed VPN Tunnel
 
-By default, Gardener makes use of OpenVPN to connect the shoot controlplane running on the seed cluster to the dataplane 
-running on the shoot worker nodes, usually in isolated networks. This is achieved by having a sidecar to certain control plane components such as the `kube-apiserver` and `prometheus`. 
+In the first VPN solution, connection establishment was initiated by a VPN client in the seed cluster.
+Due to several issues with this solution, the tunnel establishment direction has been reverted.
+The client is deployed in the shoot and initiates the connection from there. This way, there is no need to deploy a special purpose
+loadbalancer for the sake of addressing the data-plane, in addition to saving costs, this is considered the more secure alternative.
+For more information on how this is achieved, please have a look at the following [GEP](../proposals/14-reversed-cluster-vpn.md).
 
-With a sidecar, all traffic directed to the cluster is intercepted by iptables rules and redirected 
-to the tunnel endpoint in the shoot cluster deployed behind a cloud loadbalancer. This has the following disadvantages: 
-
-- Every shoot would require an additional loadbalancer, this accounts for additional overhead in terms of both costs and troubleshooting efforts.
-- Private access use-cases would not be possible without having a seed residing in the same private domain as a hard requirement. For example, have a look at [this issue](https://github.com/gardener/gardener-extension-provider-gcp/issues/56)
-- Providing a public endpoint to access components in the shoot poses a security risk.
-
-This is how it looks like today with the OpenVPN solution:
-
-`APIServer | VPN-seed ---> internet ---> LB --> VPN-Shoot (4314) --> Pods | Nodes | Services`
-
-
-## Reversing the Tunnel
-
-To address the above issues, the tunnel can establishment direction can be reverted, i.e. instead of having the client reside in the seed, 
-we deploy the client in the shoot and initiate the connection from there. This way, there is no need to deploy a special purpose 
-loadbalancer for the sake of addressing the dataplane, in addition to saving costs, this is considered the more secure alternative. 
-For more information on how this is achieved, please have a look at the following [GEP](../proposals/14-reversed-cluster-vpn.md). 
-
-How it should look like at the end:
+Connection establishment with a reversed tunnel:
 
 `APIServer --> Envoy-Proxy | VPN-Seed-Server <-- Istio/Envoy-Proxy <-- SNI API Server Endpoint <-- LB (one for all clusters of a seed) <--- internet <--- VPN-Shoot-Client --> Pods | Nodes | Services`
 
-### How to Configure
-
-To enable the usage of the reversed vpn tunnel feature, either the Gardenlet `ReversedVPN` feature-gate must be set to `true` as shown below or the shoot must be annotated with `"alpha.featuregates.shoot.gardener.cloud/reversed-vpn: true"`.
-
-```yaml
-featureGates:
-  ReversedVPN: true
-``` 
-Please refer to the examples [here](https://github.com/gardener/gardener/blob/master/example/20-componentconfig-gardenlet.yaml) for more information.
-
-To disable the feature-gate the shoot must be annotated with `"alpha.featuregates.shoot.gardener.cloud/reversed-vpn: false"`
-
-Once the feature-gate is enabled, a `vpn-seed-server` deployment will be added to the controlplane. The `kube-apiserver` will be configured to connect to resources in the dataplane such as pods, services and nodes though the `vpn-seed-service` via http proxy/connect protocol.
-In the dataplane of the cluster, the `vpn-shoot` will establish the connection to the `vpn-seed-server` indirectly using the SNI API Server endpoint as a http proxy. After the connection has been established requests from the `kube-apiserver` will be handled by the tunnel.
-
-> Please note this feature is still in Beta, so you might see instabilities every now and then.
+The reversed VPN tunnel is always deployed.
+The feature gate `ReversedVPN` is GA and will be removed in a future release.
 
 ## High Availability for Reversed VPN Tunnel
 

example/20-componentconfig-gardenlet.yaml

@@ -118,7 +118,6 @@ featureGates:
   HVPAForShootedSeed: true
   ManagedIstio: true
   APIServerSNI: true
-  ReversedVPN: true
   CopyEtcdBackupsDuringControlPlaneMigration: true
   ForceRestore: false
   DefaultSeccompProfile: true

example/gardener-local/gardenlet/values.yaml

@@ -33,7 +33,6 @@ config:
     HVPAForShootedSeed: true
     ManagedIstio: true
     APIServerSNI: true
-    ReversedVPN: true
     CopyEtcdBackupsDuringControlPlaneMigration: true
     DefaultSeccompProfile: true
     CoreDNSQueryRewriting: true

extensions/pkg/webhook/controlplane/genericmutator/mutator.go

@@ -63,8 +63,7 @@ type Ensurer interface {
 	// "old" might be "nil" and must always be checked.
 	EnsureETCD(ctx context.Context, gctx gcontext.GardenContext, new, old *druidv1alpha1.Etcd) error
 	// EnsureVPNSeedServerDeployment ensures that the vpn-seed-server deployment conforms to the provider requirements.
-	// "old" might be "nil" and must always be checked. Please note that the vpn-seed-server deployment will only exist
-	// if the gardenlet's ReversedVPN feature gate is enabeld.
+	// "old" might be "nil" and must always be checked.
 	EnsureVPNSeedServerDeployment(ctx context.Context, gctx gcontext.GardenContext, new, old *appsv1.Deployment) error
 	// EnsureKubeletServiceUnitOptions ensures that the kubelet.service unit options conform to the provider requirements.
 	EnsureKubeletServiceUnitOptions(ctx context.Context, gctx gcontext.GardenContext, kubeletVersion *semver.Version, new, old []*unit.UnitOption) ([]*unit.UnitOption, error)

hack/.ci/set_dependency_version

@@ -116,8 +116,6 @@ if name in injectedSpecialCases:
     names = injectedSpecialCases[name]
 elif name == 'autoscaler':
     names = ['cluster-autoscaler']
-elif name == 'vpn':
-    names = ['vpn-seed', 'vpn-shoot']
 elif name == 'vpn2':
     names = ['vpn-seed-server', 'vpn-shoot-client']
 elif name == 'external-dns-management':

pkg/apis/core/v1beta1/constants/types_constants.go

@@ -557,8 +557,6 @@ const (
 	AnnotationShootCloudConfigExecutionMaxDelaySeconds = "shoot.gardener.cloud/cloud-config-execution-max-delay-seconds"
 	// AnnotationShootForceRestore is a key for an annotation on a Shoot or BackupEntry resource to trigger a forceful restoration to a different seed.
 	AnnotationShootForceRestore = "shoot.gardener.cloud/force-restore"
-	// AnnotationReversedVPN moves the vpn-server to the seed.
-	AnnotationReversedVPN = "alpha.featuregates.shoot.gardener.cloud/reversed-vpn"
 	// AnnotationNodeLocalDNS enables a per node dns cache on the shoot cluster.
 	AnnotationNodeLocalDNS = "alpha.featuregates.shoot.gardener.cloud/node-local-dns"
 	// AnnotationNodeLocalDNSForceTcpToClusterDns enforces upgrade to tcp connections for communication between node local and cluster dns.

pkg/features/features.go

@@ -67,6 +67,7 @@ const (
 	// owner: @ScheererJ @DockToFuture
 	// alpha: v1.22.0
 	// beta: v1.42.0
+	// GA: v1.63.0
 	ReversedVPN featuregate.Feature = "ReversedVPN"
 
 	// CopyEtcdBackupsDuringControlPlaneMigration enables the copy of etcd backups from the object store of the source seed
@@ -103,10 +104,10 @@ const (
 var allFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
 	HVPA:               {Default: false, PreRelease: featuregate.Alpha},
 	HVPAForShootedSeed: {Default: false, PreRelease: featuregate.Alpha},
-	ManagedIstio:       {Default: true, PreRelease: featuregate.Deprecated},
-	APIServerSNI:       {Default: true, PreRelease: featuregate.Deprecated},
+	ManagedIstio:       {Default: true, PreRelease: featuregate.Deprecated, LockToDefault: true},
+	APIServerSNI:       {Default: true, PreRelease: featuregate.Deprecated, LockToDefault: true},
 	SeedChange:         {Default: true, PreRelease: featuregate.Beta},
-	ReversedVPN:        {Default: true, PreRelease: featuregate.Beta},
+	ReversedVPN:        {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
 	CopyEtcdBackupsDuringControlPlaneMigration: {Default: true, PreRelease: featuregate.Beta},
 	ForceRestore:          {Default: false, PreRelease: featuregate.Alpha},
 	HAControlPlanes:       {Default: false, PreRelease: featuregate.Alpha},

pkg/gardenlet/controller/managedseed/valueshelper_test.go

@@ -105,8 +105,8 @@ var _ = Describe("ValuesHelper", func() {
 				},
 			},
 			FeatureGates: map[string]bool{
-				string(features.ReversedVPN): true,
-				string(features.HVPA):        true,
+				string("FooFeature"): true,
+				string("BarFeature"): true,
 			},
 			Logging: &config.Logging{
 				Enabled: pointer.Bool(true),
@@ -146,7 +146,7 @@ var _ = Describe("ValuesHelper", func() {
 				Kind:       "GardenletConfiguration",
 			},
 			FeatureGates: map[string]bool{
-				string(features.ReversedVPN): false,
+				"FooFeature": false,
 			},
 		}
 		shoot = &gardencorev1beta1.Shoot{
@@ -224,8 +224,8 @@ var _ = Describe("ValuesHelper", func() {
 					},
 				},
 				FeatureGates: map[string]bool{
-					string(features.ReversedVPN): false,
-					string(features.HVPA):        true,
+					string("FooFeature"): false,
+					string("BarFeature"): true,
 				},
 				Logging: &configv1alpha1.Logging{
 					Enabled: pointer.Bool(true),
@@ -281,8 +281,8 @@ var _ = Describe("ValuesHelper", func() {
 						},
 					},
 					"featureGates": map[string]interface{}{
-						"ReversedVPN": false,
-						"HVPA":        true,
+						"FooFeature": false,
+						"BarFeature": true,
 					},
 					"logging": map[string]interface{}{
 						"enabled": true,

pkg/gardenlet/controller/shoot/shoot/reconciler_reconcile.go

@@ -511,7 +511,7 @@ func (r *Reconciler) runReconcileShootFlow(ctx context.Context, o *operation.Ope
 		})
 		deployVPNShoot = g.Add(flow.Task{
 			Name:         "Deploying vpn-shoot system component",
-			Fn:           flow.TaskFn(botanist.DeployVPNShoot).RetryUntilTimeout(defaultInterval, defaultTimeout).SkipIf(o.Shoot.HibernationEnabled),
+			Fn:           flow.TaskFn(botanist.Shoot.Components.SystemComponents.VPNShoot.Deploy).RetryUntilTimeout(defaultInterval, defaultTimeout).SkipIf(o.Shoot.HibernationEnabled),
 			Dependencies: flow.NewTaskIDs(deployGardenerResourceManager, deployKubeScheduler, deployVPNSeedServer, waitUntilShootNamespacesReady),
 		})
 		deployNodeProblemDetector = g.Add(flow.Task{
@@ -592,15 +592,10 @@ func (r *Reconciler) runReconcileShootFlow(ctx context.Context, o *operation.Ope
 			Fn:           flow.TaskFn(botanist.CleanupOrphanedDNSRecordSecrets).DoIf(!o.Shoot.HibernationEnabled),
 			Dependencies: flow.NewTaskIDs(deployInternalDomainDNSRecord, deployExternalDomainDNSRecord, deployOwnerDomainDNSRecord, deployIngressDomainDNSRecord),
 		})
-		vpnLBReady = g.Add(flow.Task{
-			Name:         "Waiting until vpn-shoot LoadBalancer is ready",
-			Fn:           flow.TaskFn(botanist.WaitUntilVpnShootServiceIsReady).SkipIf(o.Shoot.HibernationEnabled || o.Shoot.ReversedVPNEnabled),
-			Dependencies: flow.NewTaskIDs(syncPointAllSystemComponentsDeployed, waitUntilNetworkIsReady, waitUntilWorkerReady),
-		})
 		waitUntilTunnelConnectionExists = g.Add(flow.Task{
 			Name:         "Waiting until the Kubernetes API server can connect to the Shoot workers",
 			Fn:           flow.TaskFn(botanist.WaitUntilTunnelConnectionExists).SkipIf(o.Shoot.HibernationEnabled),
-			Dependencies: flow.NewTaskIDs(syncPointAllSystemComponentsDeployed, waitUntilNetworkIsReady, waitUntilWorkerReady, vpnLBReady),
+			Dependencies: flow.NewTaskIDs(syncPointAllSystemComponentsDeployed, waitUntilNetworkIsReady, waitUntilWorkerReady),
 		})
 		_ = g.Add(flow.Task{
 			Name:         "Waiting until all shoot worker nodes have updated the cloud config user data",

pkg/operation/botanist/component/kubeapiserver/configmaps.go

@@ -101,7 +101,7 @@ func (k *kubeAPIServer) reconcileConfigMapAuditPolicy(ctx context.Context, confi
 }
 
 func (k *kubeAPIServer) reconcileConfigMapEgressSelector(ctx context.Context, configMap *corev1.ConfigMap) error {
-	if !k.values.VPN.ReversedVPNEnabled || k.values.VPN.HighAvailabilityEnabled {
+	if k.values.VPN.HighAvailabilityEnabled {
 		// We don't delete the confimap here as we don't know its name (as it's unique). Instead, we rely on the usual
 		// garbage collection for unique secrets/configmaps.
 		return nil