Add annotation to mark seeds containing a metal-api shoot to fix Netw…

…orkPolicies (#83)
ironcore-dev · Nov 25, 2024 · 862aeda · 862aeda
1 parent 33e7842
commit 862aeda
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 6 deletions.
diff --git a/pkg/controller/controlplane/valuesprovider.go b/pkg/controller/controlplane/valuesprovider.go
@@ -276,6 +276,14 @@ func getCCMChartValues(
 		return nil, fmt.Errorf("secret %q not found", cloudControllerManagerServerName)
 	}
 
+	podLabels := map[string]any{
+		v1beta1constants.LabelPodMaintenanceRestart: "true",
+	}
+	localAPI, ok := cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation]
+	if ok && localAPI == "true" {
+		podLabels[metal.AllowEgressToIstioIngressLabel] = "allowed"
+	}
+
 	values := map[string]any{
 		"enabled":     true,
 		"replicas":    extensionscontroller.GetControlPlaneReplicas(cluster, scaledDown, 1),
@@ -284,9 +292,7 @@ func getCCMChartValues(
 		"podAnnotations": map[string]any{
 			"checksum/secret-" + internal.CloudProviderConfigMapName: checksums[internal.CloudProviderConfigMapName],
 		},
-		"podLabels": map[string]any{
-			v1beta1constants.LabelPodMaintenanceRestart: "true",
-		},
+		"podLabels":       podLabels,
 		"tlsCipherSuites": kutil.TLSCipherSuites,
 		"secrets": map[string]any{
 			"server": serverSecret.Name,

diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go
@@ -166,6 +166,7 @@ var _ = Describe("Valueprovider Reconcile", func() {
 						},
 					},
 				},
+				Seed: &gardencorev1beta1.Seed{},
 			}
 
 			checksums := map[string]string{

diff --git a/pkg/controller/worker/machine_controller_manager.go b/pkg/controller/worker/machine_controller_manager.go
@@ -19,14 +19,20 @@ func (w *workerDelegate) GetMachineControllerManagerChartValues(ctx context.Cont
 		return nil, err
 	}
 
+	podLabels := map[string]any{
+		v1beta1constants.LabelPodMaintenanceRestart: "true",
+	}
+	localAPI, ok := w.cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation]
+	if ok && localAPI == "true" {
+		podLabels[metal.AllowEgressToIstioIngressLabel] = "allowed"
+	}
+
 	return map[string]any{
 		"providerName": metal.ProviderName,
 		"namespace": map[string]any{
 			"uid": namespace.UID,
 		},
-		"podLabels": map[string]any{
-			v1beta1constants.LabelPodMaintenanceRestart: "true",
-		},
+		"podLabels": podLabels,
 	}, nil
 }
 

diff --git a/pkg/metal/types.go b/pkg/metal/types.go
@@ -47,6 +47,10 @@ const (
 	IgnitionOverrideFieldName = "ignitionOverride"
 	// ClusterNameLabel is the name is the label key of the cluster name
 	ClusterNameLabel = "extension.metal.dev/cluster-name"
+	// LocalMetalAPIAnnotation is the name of the annotation to mark a seed, which contains a local metal API shoot
+	LocalMetalAPIAnnotation = "metal.ironcore.dev/local-metal-api"
+	// AllowEgressToIstioIngressLabel is the label key to allow egress to the istio ingress gateway
+	AllowEgressToIstioIngressLabel = "networking.resources.gardener.cloud/to-all-istio-ingresses-istio-ingressgateway-tcp-9443"
 
 	// CloudProviderConfigName is the name of the secret containing the cloud provider config.
 	CloudProviderConfigName = "cloud-provider-config"
-Original file line number
+Diff line change
@@ Expand Up / @@ -166,6 +166,7 @@ var _ = Describe("Valueprovider Reconcile", func() { @@
     						},
     					},
     				},
+    				Seed: &gardencorev1beta1.Seed{},
     			}
     			checksums := map[string]string{
@@ Expand Down @@