Ensure MCM label in webhook to fix NetworkPolicies for local metal-ap…

…i shoots

pkg/controller/controlplane/valuesprovider_test.go

@@ -166,7 +166,13 @@ var _ = Describe("Valueprovider Reconcile", func() {
 						},
 					},
 				},
-				Seed: &gardencorev1beta1.Seed{},
+				Seed: &gardencorev1beta1.Seed{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							metal.LocalMetalAPIAnnotation: "true",
+						},
+					},
+				},
 			}
 
 			checksums := map[string]string{
@@ -187,6 +193,7 @@ var _ = Describe("Valueprovider Reconcile", func() {
 					},
 					"podLabels": map[string]any{
 						"maintenance.gardener.cloud/restart": "true",
+						metal.AllowEgressToIstioIngressLabel: "allowed",
 					},
 					"tlsCipherSuites": []string{
 						"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",

pkg/webhook/controlplane/ensurer.go

@@ -5,6 +5,7 @@ package controlplane
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/coreos/go-systemd/v22/unit"
@@ -40,15 +41,24 @@ type ensurer struct {
 var ImageVector = imagevector.ImageVector()
 
 // EnsureMachineControllerManagerDeployment ensures that the machine-controller-manager deployment conforms to the provider requirements.
-func (e *ensurer) EnsureMachineControllerManagerDeployment(_ context.Context, _ extensionscontextwebhook.GardenContext, newObj, _ *appsv1.Deployment) error {
+func (e *ensurer) EnsureMachineControllerManagerDeployment(ctx context.Context, gctx extensionscontextwebhook.GardenContext, newObj, _ *appsv1.Deployment) error {
 	image, err := ImageVector.FindImage(metal.MachineControllerManagerProviderIroncoreImageName)
 	if err != nil {
 		return err
 	}
+	cluster, err := gctx.GetCluster(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get cluster: %w", err)
+	}
 
 	template := &newObj.Spec.Template
 	ps := &template.Spec
 
+	localAPI, ok := cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation]
+	if ok && localAPI == "true" {
+		template.Labels = extensionswebhook.EnsureAnnotationOrLabel(template.Labels, metal.AllowEgressToIstioIngressLabel, "allowed")
+	}
+
 	ps.Containers = extensionswebhook.EnsureContainerWithName(
 		newObj.Spec.Template.Spec.Containers,
 		machinecontrollermanager.ProviderSidecarContainer(newObj.Namespace, metal.ProviderName, image.String()),

pkg/webhook/controlplane/ensurer_test.go

@@ -19,6 +19,7 @@ import (
 	gardenerutils "github.com/gardener/gardener/pkg/utils/gardener"
 	imagevectorutils "github.com/gardener/gardener/pkg/utils/imagevector"
 	testutils "github.com/gardener/gardener/pkg/utils/test"
+	"github.com/ironcore-dev/gardener-extension-provider-metal/pkg/metal"
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	"go.uber.org/mock/gomock"
@@ -61,6 +62,13 @@ var _ = Describe("Ensurer", func() {
 						},
 					},
 				},
+				Seed: &gardencorev1beta1.Seed{
+					ObjectMeta: metav1.ObjectMeta{
+						Annotations: map[string]string{
+							metal.LocalMetalAPIAnnotation: "true",
+						},
+					},
+				},
 			},
 		)
 	)
@@ -250,7 +258,8 @@ var _ = Describe("Ensurer", func() {
 
 			It("should inject the sidecar container", func() {
 				Expect(deployment.Spec.Template.Spec.Containers).To(BeEmpty())
-				Expect(ensurer.EnsureMachineControllerManagerDeployment(ctx, nil, deployment, nil)).To(Succeed())
+				Expect(ensurer.EnsureMachineControllerManagerDeployment(ctx, eContextK8s, deployment, nil)).To(Succeed())
+				Expect(deployment.Spec.Template.Labels).To(HaveKeyWithValue(metal.AllowEgressToIstioIngressLabel, "allowed"))
 				Expect(deployment.Spec.Template.Spec.Containers).To(ConsistOf(corev1.Container{
 					Name:            "machine-controller-manager-provider-metal",
 					Image:           "foo:bar",