From e299a5a4a5c7032259ce8d1fc08d9521f66dea55 Mon Sep 17 00:00:00 2001 From: Nuckal777 Date: Tue, 26 Nov 2024 11:43:49 +0100 Subject: [PATCH] Ensure MCM label in webhook to fix NetworkPolicies for local metal-api shoots --- pkg/controller/controlplane/valuesprovider_test.go | 9 ++++++++- pkg/webhook/controlplane/ensurer.go | 12 +++++++++++- pkg/webhook/controlplane/ensurer_test.go | 11 ++++++++++- 3 files changed, 29 insertions(+), 3 deletions(-) diff --git a/pkg/controller/controlplane/valuesprovider_test.go b/pkg/controller/controlplane/valuesprovider_test.go index a660950..acabb74 100644 --- a/pkg/controller/controlplane/valuesprovider_test.go +++ b/pkg/controller/controlplane/valuesprovider_test.go @@ -166,7 +166,13 @@ var _ = Describe("Valueprovider Reconcile", func() { }, }, }, - Seed: &gardencorev1beta1.Seed{}, + Seed: &gardencorev1beta1.Seed{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + metal.LocalMetalAPIAnnotation: "true", + }, + }, + }, } checksums := map[string]string{ @@ -187,6 +193,7 @@ var _ = Describe("Valueprovider Reconcile", func() { }, "podLabels": map[string]any{ "maintenance.gardener.cloud/restart": "true", + metal.AllowEgressToIstioIngressLabel: "allowed", }, "tlsCipherSuites": []string{ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", diff --git a/pkg/webhook/controlplane/ensurer.go b/pkg/webhook/controlplane/ensurer.go index 8da777c..4483c80 100644 --- a/pkg/webhook/controlplane/ensurer.go +++ b/pkg/webhook/controlplane/ensurer.go @@ -5,6 +5,7 @@ package controlplane import ( "context" + "fmt" "github.com/Masterminds/semver/v3" "github.com/coreos/go-systemd/v22/unit" 
@@ -40,15 +41,24 @@ type ensurer struct { var ImageVector = imagevector.ImageVector() // EnsureMachineControllerManagerDeployment ensures that the machine-controller-manager deployment conforms to the provider requirements. -func (e *ensurer) EnsureMachineControllerManagerDeployment(_ context.Context, _ extensionscontextwebhook.GardenContext, newObj, _ *appsv1.Deployment) error { +func (e *ensurer) EnsureMachineControllerManagerDeployment(ctx context.Context, gctx extensionscontextwebhook.GardenContext, newObj, _ *appsv1.Deployment) error { image, err := ImageVector.FindImage(metal.MachineControllerManagerProviderIroncoreImageName) if err != nil { return err } + cluster, err := gctx.GetCluster(ctx) + if err != nil { + return fmt.Errorf("failed to get cluster: %w", err) + } template := &newObj.Spec.Template ps := &template.Spec + localAPI, ok := cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation] + if ok && localAPI == "true" { + template.Labels = extensionswebhook.EnsureAnnotationOrLabel(template.Labels, metal.AllowEgressToIstioIngressLabel, "allowed") + } + ps.Containers = extensionswebhook.EnsureContainerWithName( newObj.Spec.Template.Spec.Containers, machinecontrollermanager.ProviderSidecarContainer(newObj.Namespace, metal.ProviderName, image.String()), diff --git a/pkg/webhook/controlplane/ensurer_test.go b/pkg/webhook/controlplane/ensurer_test.go index aacd6d9..f123f4a 100644 --- a/pkg/webhook/controlplane/ensurer_test.go +++ b/pkg/webhook/controlplane/ensurer_test.go @@ -19,6 +19,7 @@ import ( gardenerutils "github.com/gardener/gardener/pkg/utils/gardener" imagevectorutils "github.com/gardener/gardener/pkg/utils/imagevector" testutils "github.com/gardener/gardener/pkg/utils/test" + "github.com/ironcore-dev/gardener-extension-provider-metal/pkg/metal" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" "go.uber.org/mock/gomock" 
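Review bot: The new line `localAPI, ok := cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation]` after `ps := &template.Spec` dereferences `cluster.Seed` without a nil check; the fixtures in this patch build it as a pointer (`Seed: &gardencorev1beta1.Seed{...}`), so a Cluster resource whose seed is not populated would make the webhook panic while admitting the machine-controller-manager deployment instead of returning an error. Fold the guard into the condition: `if cluster.Seed != nil && cluster.Seed.Annotations[metal.LocalMetalAPIAnnotation] == "true" {` (a lookup on a nil map is safe, so only the pointer needs the check). The label is also only ever added: when the annotation is later removed or set to something other than `"true"`, an existing `AllowEgressToIstioIngressLabel` stays on the template and keeps the egress allowance towards the istio ingress in force, so if the webhook is meant to converge both ways a `delete(template.Labels, metal.AllowEgressToIstioIngressLabel)` in an `else` branch is needed. The wrapped error `"failed to get cluster: %w"` reads better as `"getting cluster: %w"` per Go error-string convention. The function body continues past the end of the hunk.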
@@ -61,6 +62,13 @@ var _ = Describe("Ensurer", func() { }, }, }, + Seed: &gardencorev1beta1.Seed{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + metal.LocalMetalAPIAnnotation: "true", + }, + }, + }, }, ) ) @@ -250,7 +258,8 @@ var _ = Describe("Ensurer", func() { It("should inject the sidecar container", func() { Expect(deployment.Spec.Template.Spec.Containers).To(BeEmpty()) - Expect(ensurer.EnsureMachineControllerManagerDeployment(ctx, nil, deployment, nil)).To(Succeed()) + Expect(ensurer.EnsureMachineControllerManagerDeployment(ctx, eContextK8s, deployment, nil)).To(Succeed()) + Expect(deployment.Spec.Template.Labels).To(HaveKeyWithValue(metal.AllowEgressToIstioIngressLabel, "allowed")) Expect(deployment.Spec.Template.Spec.Containers).To(ConsistOf(corev1.Container{ Name: "machine-controller-manager-provider-metal", Image: "foo:bar",
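Review bot: The updated assertion in `should inject the sidecar container` only exercises a seed annotated `metal.LocalMetalAPIAnnotation: "true"` (the fixture added in the first hunk of this file); there is no case for a seed without the annotation, so a regression that sets `AllowEgressToIstioIngressLabel` unconditionally, widening the machine-controller-manager pod's egress to the istio ingress on every shoot, would pass this suite. Add a sibling `It` that builds the garden context with a plain `Seed: &gardencorev1beta1.Seed{}` and asserts `Expect(deployment.Spec.Template.Labels).NotTo(HaveKey(metal.AllowEgressToIstioIngressLabel))`. A case with `cluster.Seed` left nil would additionally pin the webhook's behaviour for a Cluster that carries no seed, since the ensurer now dereferences it.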