Bump github.com/gardener/gardener to 1.86.0 (#774)

* Update `github.com/gardener/gardener` to `v1.86.0`

* Remove vendor dir

* Adjust paths after vendor removal

* [make tidy]

* [make generate]

* Adjust admission webhook

* Enable leader election for admission controller

Since admission controllers now run the certificate controller, leader election must be enabled to prevent any interference.

* Restrict admission controller permissions

This change is mostly relevant for deployments without a virtual Garden cluster:
In this case, the admission controller needed cluster-wide list/watch permissions
for secrets. Restricting the cache to the `--webhook-config-namespace` namespace
eliminates this requirement.

* Address review comments

Address review comments from similar PR gardener/gardener-extension-networking-calico#327.

.ci/component_descriptor

@@ -1,4 +1,3 @@
 #!/usr/bin/env bash
 
-COMPONENT_PREFIXES="eu.gcr.io/gardener-project/gardener,europe-docker.pkg.dev/gardener-project" \
-  "$(dirname $0)"/../vendor/github.com/gardener/gardener/hack/.ci/component_descriptor "$(dirname $0)"/..
+"$(dirname $0)"/hack/component_descriptor "$(dirname $0)"/..

vendor/github.com/gardener/gardener/hack/.ci/component_descriptor → .ci/hack/component_descriptor

@@ -4,10 +4,7 @@
 #
 # COMPONENT_PREFIXES: Set the image prefix that should be used to
 #                     determine if an image is defined by another component.
-#                     Defaults to "eu.gcr.io/gardener-project/gardener"
-#
-# GENERIC_DEPENDENCIES: Set images that are generic dependencies with no specific tag.
-#                       Defaults to "hyperkube,kube-apiserver,kube-controller-manager,kube-scheduler,kube-proxy"
+#                     Defaults to "eu.gcr.io/gardener-project/gardener,europe-docker.pkg.dev/gardener-project"
 #
 # COMPONENT_CLI_ARGS: Set all component-cli arguments.
 #                     This should be used with care as all defaults are overwritten.
@@ -58,18 +55,14 @@ fi
 if [[ ! -z "$image_vector_path" ]]; then
   # default environment variables
   if [[ -z "${COMPONENT_PREFIXES}" ]]; then
-    COMPONENT_PREFIXES="eu.gcr.io/gardener-project/gardener"
-  fi
-  if [[ -z "${GENERIC_DEPENDENCIES}" ]]; then
-    GENERIC_DEPENDENCIES="hyperkube,kube-apiserver,kube-controller-manager,kube-scheduler,kube-proxy"
+    COMPONENT_PREFIXES="eu.gcr.io/gardener-project/gardener,europe-docker.pkg.dev/gardener-project"
   fi
 
   if [[ -z "${COMPONENT_CLI_ARGS}" ]]; then
     COMPONENT_CLI_ARGS="
     --comp-desc ${BASE_DEFINITION_PATH} \
     --image-vector "$image_vector_path" \
     --component-prefixes "${COMPONENT_PREFIXES}" \
-    --generic-dependencies "${GENERIC_DEPENDENCIES}" \
     "
   fi
 
@@ -96,14 +89,7 @@ if [[ -d "$repo_root_dir/charts/" ]]; then
       REPOSITORY=${imageAndTag[0]}
       TAG=${imageAndTag[1]}
 
-      gardener="eu.gcr.io/gardener-project/gardener"
-      if [[ "$NAME" == "hyperkube" ]]; then
-        ${ADD_DEPENDENCIES_CMD} --generic-dependencies "{\"name\": \"$NAME\", \"version\": \"$TAG\"}"
-      elif [[ $REPOSITORY =~ "eu.gcr.io/gardener-project/gardener"* ]]; then
-        ${ADD_DEPENDENCIES_CMD} --generic-dependencies "{\"name\": \"$NAME\", \"version\": \"$TAG\"}"
-      else
-        ${ADD_DEPENDENCIES_CMD} --container-image-dependencies "{\"name\": \"${NAME}\", \"image_reference\": \"${REPOSITORY}:${TAG}\", \"version\": \"$TAG\"}"
-      fi
+      ${ADD_DEPENDENCIES_CMD} --container-image-dependencies "{\"name\": \"${NAME}\", \"image_reference\": \"${REPOSITORY}:${TAG}\", \"version\": \"$TAG\"}"
     done < <(echo "$outputFile")
   done
 fi

vendor/github.com/gardener/gardener/hack/.ci/set_dependency_version → .ci/hack/set_dependency_version

@@ -125,7 +125,7 @@ elif name == 'logging':
 elif name == 'etcd-custom-image':
     names = ['etcd']
 elif name == 'egress-filter-refresher':
-    names = ['egress-filter-blackholer', 'egress-filter-firewaller']
+    names = ['egress-filter']
 elif name == 'apiserver-proxy':
     names = ['apiserver-proxy-sidecar']
 else:

.ci/prepare_release

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-"$(dirname $0)"/../vendor/github.com/gardener/gardener/hack/.ci/prepare_release "$(dirname $0)"/.. github.com/gardener gardener-extension-provider-azure
+"$(dirname $0)"/hack/prepare_release "$(dirname $0)"/.. github.com/gardener gardener-extension-provider-azure

.ci/set_dependency_version

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 
-"$(dirname $0)"/../vendor/github.com/gardener/gardener/hack/.ci/set_dependency_version
+"$(dirname $0)"/hack/set_dependency_version

.ci/verify

@@ -9,9 +9,4 @@ cd "$(dirname $0)/.."
 git config --global user.email "gardener@sap.com"
 git config --global user.name "Gardener CI/CD"
 
-# Required due to https://github.com/kubernetes/kubernetes/issues/86753 - can be removed once the issue is fixed.
-mkdir -p /go/src/github.com/gardener/gardener-extension-provider-azure
-cp -r . /go/src/github.com/gardener/gardener-extension-provider-azure
-cd /go/src/github.com/gardener/gardener-extension-provider-azure
-
 make verify-extended

.test-defs/bastion-test.yaml

@@ -9,7 +9,7 @@ spec:
   command: [bash, -c]
   args:
     - >-
-      go test -timeout=25m -mod=vendor ./test/integration/bastion
+      go test -timeout=25m ./test/integration/bastion
       --v -ginkgo.v -ginkgo.progress -ginkgo.no-color
       --kubeconfig=$TM_KUBECONFIG_PATH/testmachinery.config
       --subscription-id=${SUBSCRIPTION_ID}

.test-defs/infrastructure-test.yaml

@@ -11,7 +11,7 @@ spec:
   command: [bash, -c]
   args:
     - >-
-      go test -timeout=0 -mod=vendor ./test/integration/infrastructure
+      go test -timeout=0 ./test/integration/infrastructure
       --v -ginkgo.v -ginkgo.progress -ginkgo.no-color
       --kubeconfig=$TM_KUBECONFIG_PATH/testmachinery.config
       --subscription-id=${SUBSCRIPTION_ID}

.test-defs/provider-azure.yaml

@@ -9,7 +9,7 @@ spec:
   command: [bash, -c]
   args:
   - >-
-    go run -mod=vendor ./test/tm/generator.go
+    go run ./test/tm/generator.go
     --infrastructure-provider-config-filepath=$INFRASTRUCTURE_PROVIDER_CONFIG_FILEPATH
     --controlplane-provider-config-filepath=$CONTROLPLANE_PROVIDER_CONFIG_FILEPATH
     --network-vnet-cidr=$NETWORK_VNET_CIDR

Dockerfile

@@ -2,6 +2,12 @@
 FROM golang:1.21.1 AS builder
 
 WORKDIR /go/src/github.com/gardener/gardener-extension-provider-azure
+
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
+COPY go.mod go.sum ./
+RUN go mod download
+
 COPY . .
 
 ARG EFFECTIVE_VERSION

Makefile

@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+ENSURE_GARDENER_MOD         := $(shell go get github.com/gardener/gardener@$$(go list -m -f "{{.Version}}" github.com/gardener/gardener))
+GARDENER_HACK_DIR    		:= $(shell go list -m -f "{{.Dir}}" github.com/gardener/gardener)/hack
 EXTENSION_PREFIX            := gardener-extension
 NAME                        := provider-azure
 ADMISSION_NAME              := admission-azure
@@ -21,7 +23,7 @@ REPO_ROOT                   := $(shell dirname $(realpath $(lastword $(MAKEFILE_
 HACK_DIR                    := $(REPO_ROOT)/hack
 VERSION                     := $(shell cat "$(REPO_ROOT)/VERSION")
 EFFECTIVE_VERSION           := $(VERSION)-$(shell git rev-parse HEAD)
-LD_FLAGS                    := "-w $(shell $(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/get-build-ld-flags.sh k8s.io/component-base $(REPO_ROOT)/VERSION $(EXTENSION_PREFIX))"
+LD_FLAGS                    := "-w $(shell bash $(GARDENER_HACK_DIR)/get-build-ld-flags.sh k8s.io/component-base $(REPO_ROOT)/VERSION $(EXTENSION_PREFIX))"
 LEADER_ELECTION             := false
 IGNORE_OPERATION_ANNOTATION := true
 PLATFORM 					:= linux/amd64
@@ -51,17 +53,16 @@ endif
 # Tools                                 #
 #########################################
 
-TOOLS_DIR := hack/tools
-include vendor/github.com/gardener/gardener/hack/tools.mk
+TOOLS_DIR := $(HACK_DIR)/tools
+include $(GARDENER_HACK_DIR)/tools.mk
 
 #########################################
 # Rules for local development scenarios #
 #########################################
 
 .PHONY: start
 start:
-	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
-		-mod=vendor \
+	@LEADER_ELECTION_NAMESPACE=garden go run \
 		-ldflags $(LD_FLAGS) \
 		./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 		--config-file=./example/00-componentconfig.yaml \
@@ -76,13 +77,13 @@ start:
 
 .PHONY: start-admission
 start-admission:
-	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
-		-mod=vendor \
+	@LEADER_ELECTION_NAMESPACE=garden go run \
 		-ldflags $(LD_FLAGS) \
 		./cmd/$(EXTENSION_PREFIX)-$(ADMISSION_NAME) \
 		--webhook-config-server-host=0.0.0.0 \
-		--webhook-config-server-port=9443 \
-		--webhook-config-cert-dir=./example/admission-azure-certs
+		--webhook-config-server-port=$(WEBHOOK_CONFIG_PORT) \
+        --webhook-config-mode=$(WEBHOOK_CONFIG_MODE) \
+        $(WEBHOOK_PARAM)
 
 #################################################################
 # Rules related to binary build, Docker image build and release #
@@ -91,7 +92,7 @@ start-admission:
 .PHONY: install
 install:
 	@LD_FLAGS=$(LD_FLAGS) EFFECTIVE_VERSION=$(EFFECTIVE_VERSION) \
-	$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/install.sh ./...
+	bash $(GARDENER_HACK_DIR)/install.sh ./...
 
 .PHONY: docker-login
 docker-login:
@@ -106,49 +107,47 @@ docker-images:
 # Rules for verification, formatting, linting, testing and cleaning #
 #####################################################################
 
-.PHONY: revendor
-revendor:
-	@GO111MODULE=on go mod tidy
-	@GO111MODULE=on go mod vendor
-	@chmod +x $(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/*
-	@chmod +x $(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/.ci/*
-	@$(REPO_ROOT)/hack/update-github-templates.sh
-	@ln -sf ../vendor/github.com/gardener/gardener/hack/cherry-pick-pull.sh $(HACK_DIR)/cherry-pick-pull.sh
+.PHONY: tidy
+tidy:
+	@go mod tidy
+	@mkdir -p $(REPO_ROOT)/.ci/hack && cp $(GARDENER_HACK_DIR)/.ci/* $(REPO_ROOT)/.ci/hack/ && chmod +xw $(REPO_ROOT)/.ci/hack/*
+	@GARDENER_HACK_DIR=$(GARDENER_HACK_DIR) bash $(REPO_ROOT)/hack/update-github-templates.sh
+	@cp $(GARDENER_HACK_DIR)/cherry-pick-pull.sh $(HACK_DIR)/cherry-pick-pull.sh && chmod +xw $(HACK_DIR)/cherry-pick-pull.sh
 
 .PHONY: clean
 clean:
 	@$(shell find ./example -type f -name "controller-registration.yaml" -exec rm '{}' \;)
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/clean.sh ./cmd/... ./pkg/... ./test/...
+	@bash $(GARDENER_HACK_DIR)/clean.sh ./cmd/... ./pkg/... ./test/...
 
 .PHONY: check-generate
 check-generate:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/check-generate.sh $(REPO_ROOT)
+	@bash $(GARDENER_HACK_DIR)/check-generate.sh $(REPO_ROOT)
 
 .PHONY: check
 check: $(GOIMPORTS) $(GOLANGCI_LINT) $(HELM)
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/check.sh --golangci-lint-config=./.golangci.yaml ./cmd/... ./pkg/... ./test/...
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/check-charts.sh ./charts
+	@REPO_ROOT=$(REPO_ROOT) bash $(GARDENER_HACK_DIR)/check.sh --golangci-lint-config=./.golangci.yaml ./cmd/... ./pkg/... ./test/...
+	@REPO_ROOT=$(REPO_ROOT) bash $(GARDENER_HACK_DIR)/check-charts.sh ./charts
 
 .PHONY: generate
-generate: $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(MOCKGEN) $(YQ)
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/generate-sequential.sh ./charts/... ./cmd/... ./example/... ./pkg/...
+generate: $(VGOPATH) $(CONTROLLER_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(HELM) $(MOCKGEN) $(YQ)
+	@REPO_ROOT=$(REPO_ROOT) VGOPATH=$(VGOPATH) GARDENER_HACK_DIR=$(GARDENER_HACK_DIR) bash $(GARDENER_HACK_DIR)/generate-sequential.sh ./charts/... ./cmd/... ./example/... ./pkg/...
 	$(MAKE) format
 
 .PHONY: format
 format: $(GOIMPORTS) $(GOIMPORTSREVISER)
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/format.sh ./cmd ./pkg ./test
+	@bash $(GARDENER_HACK_DIR)/format.sh ./cmd ./pkg ./test
 
 .PHONY: test
 test:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test.sh ./cmd/... ./pkg/...
+	@bash $(GARDENER_HACK_DIR)/test.sh ./cmd/... ./pkg/...
 
 .PHONY: test-cov
 test-cov:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test-cover.sh ./cmd/... ./pkg/...
+	@bash $(GARDENER_HACK_DIR)/test-cover.sh ./cmd/... ./pkg/...
 
 .PHONY: test-clean
 test-clean:
-	@$(REPO_ROOT)/vendor/github.com/gardener/gardener/hack/test-cover-clean.sh
+	@bash $(GARDENER_HACK_DIR)/test-cover-clean.sh
 
 .PHONY: verify
 verify: check format test
@@ -158,7 +157,7 @@ verify-extended: check-generate check format test-cov test-clean
 
 .PHONY: integration-test-infra
 integration-test-infra:
-	@go test -timeout=0 -mod=vendor ./test/integration/infrastructure \
+	@go test -timeout=0 ./test/integration/infrastructure \
 		--v -ginkgo.v -ginkgo.progress \
 		--kubeconfig=${KUBECONFIG} \
 		--subscription-id='$(shell cat $(SUBSCRIPTION_ID_FILE))' \
@@ -170,7 +169,7 @@ integration-test-infra:
 
 .PHONY: integration-test-bastion
 integration-test-bastion:
-	@go test -timeout=0 -mod=vendor ./test/integration/bastion \
+	@go test -timeout=0 ./test/integration/bastion \
 		--v -ginkgo.v -ginkgo.progress \
 		--kubeconfig=${KUBECONFIG} \
 		--subscription-id='$(shell cat $(SUBSCRIPTION_ID_FILE))' \

charts/gardener-extension-admission-azure/charts/application/templates/rbac.yaml

@@ -20,6 +20,26 @@ rules:
   - secrets
   verbs:
   - get
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  - validatingwebhookconfigurations
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - patch
+  - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding