support switching of network overlay mode for cilium shoot cluster

charts/gardener-extension-admission-azure/charts/application/templates/mutatingwebhook-mutator.yaml

@@ -0,0 +1,38 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "name" . }}
+webhooks:
+- name: mutation.azure.provider.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  objectSelector:
+    {{- if .Values.global.webhookConfig.useObjectSelector }}
+    matchLabels:
+      provider.extensions.gardener.cloud/azure: "true"
+    {{- end }}
+  namespaceSelector: {}
+  sideEffects: None
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    {{- if .Values.global.virtualGarden.enabled }}
+    url: {{ printf "https://%s.%s/webhooks/mutate" (include "name" .) (.Release.Namespace) }}
+    {{- else }}
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: {{ include "name" . }}
+      path: /webhooks/mutate
+    {{- end }}
+    caBundle: {{ required ".Values.global.webhookConfig.caBundle is required" .Values.global.webhookConfig.caBundle | b64enc }}

docs/usage-as-end-user.md

@@ -103,6 +103,8 @@ The `networks.vnet` section describes whether you want to create the shoot clust
 You can freely choose a private CIDR range.
 * Either `networks.vnet.name` and `neworks.vnet.resourceGroup` or `networks.vnet.cidr` must be present, but not both at the same time.
 * The `networks.vnet.ddosProtectionPlanID` field can be used to specify the id of a ddos protection plan which should be assigned to the VNet. This will only work for a VNet managed by Gardener. For externally managed VNets the ddos protection plan must be assigned by other means.
+* If a vnet name is given and cilium shoot clusters are created without a network overlay within one vnet make sure that the pod CIDR specified in `shoot.spec.networking.pods` is not overlapping with any other pod CIDR used in that vnet.
+Overlapping pod CIDRs will lead to disfunctional shoot clusters.
 
 The `networks.workers` section describes the CIDR for a subnet that is used for all shoot worker nodes, i.e., VMs which later run your applications.
 The specified CIDR range must be contained in the VNet CIDR specified above, or the VNet CIDR of your already existing VNet.

example/50-mutatingwebhookconfiguration.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gardener-extension-admission-azure
+webhooks:
+- name: mutation.azure.provider.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  matchPolicy: Equivalent
+  # Please make sure you are running `gardener@v1.42` or later before enabling this object selector.
+  objectSelector:
+    matchLabels:
+      provider.extensions.gardener.cloud/azure: "true"
+  namespaceSelector: {}
+  sideEffects: None
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    url: "https://localhost:9443/webhooks/mutate"
+    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrekNDQWVPZ0F3SUJBZ0lSQU85Z2JoQ3dxZTVJTUplRERkVVVmaTB3RFFZSktvWklodmNOQVFFTEJRQXcKRnpFVk1CTUdBMVVFQXhNTVoyRnlaR1Z1WlhJdFpHVjJNQjRYRFRJeE1ERXlNVEV3TXpFMU5Wb1hEVE14TURFeQpNVEV3TXpFMU5Wb3dGekVWTUJNR0ExVUVBeE1NWjJGeVpHVnVaWEl0WkdWMk1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXdLdGFKb0lVbHFHMWQ4MmZXQ0RrWXRCZVRCSnZHcExrdFo5WkZLTEsKWUo4VWE0ODZ2SjhlOUsyaGlCd0FSMEF5OC9pTVR4YVU3RlpCUE4zNHZIOWY5MHM1UitnM0ZMQXoxcUpkd1pKdgpOVlhUS3B6TFZsRml1N0p2bkgxYXV2TkN0RGhTUXhEZ0t1QWhKWEZzYms4cDl2bXJ0L2RvK1ZjdS9iYXZXSXoyCjJFZEVIbnJDZ2VCdGNUNkZTNnhaTjJFaW0zL3B0SUZlbFhvZldqcXBoM1drZ0tvTTErUWFOdWs3Q3lDZkFXeFUKN2VucFBaYWVHa2tReGtObVFkY1cyZHdxSms5TmhGRVFObW83ZHRibkE1SUNSeFpmeUd1c0IxL1lSbG5VMmlRYwp4WE50Y1JxMzJOMWFUVUtCemMySDM3Qk1GNHVxbWlHSkJjNTNBdmRXWjBrek13SURBUUFCbzBJd1FEQU9CZ05WCkhROEJBZjhFQkFNQ0FhWXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVZcjZkQWhydTNGcXEKVG9Yb3E5ejk1bUUzWmVNd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFETzg3K2NXNk9PdHYxOTBIWlhrenhTMgpnZThtMW9LR3F3c3I5YnVOWnZFZktxWGZCMjk4UUU3ajRBR3R5YmFjV0RXTUVYelN6QXQzVkU5RnovLzNaNHU2CkpzS3Q2SHA4L2g1UnYrWENIbUY3K2JNU0pnSXdqOFhhSzdQcXZMbFRiUGVQOHRzOXRlSm5YV05FTHdqdnVwNVgKQ2R5RFZGQnUzWUF5NHNoT21TUWpLRWN5MHExM3pSZUdkSjdBTmY1V2xZVnZqYUVJc1NML1dTTnMxTGRKNXBLMgpubCtNNnNUcWY0TnhlTUVqQW9mcHdkUnZtaU1sdzhFMFM1UnNnM0ZsL1poMnNYUCtIU3hVbUk1MUU5N2RDU2cvCk1RYlhpcUxvbW1mZGY3elZpaFhsQldSczB5bVNJcHlTUW5MOXZuTVA4ZEpGV1FZSkhRQ3dpV3NqWkgyQmxtTT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

go.mod

@@ -16,6 +16,7 @@ require (
 	github.com/gardener/etcd-druid v0.12.3
 	github.com/gardener/gardener v1.59.0
 	github.com/gardener/gardener-extension-networking-calico v1.27.1
+	github.com/gardener/gardener-extension-networking-cilium v1.18.0
 	github.com/gardener/machine-controller-manager v0.45.0
 	github.com/gardener/remedy-controller v0.6.0
 	github.com/go-logr/logr v1.2.3
@@ -91,7 +92,6 @@ require (
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kubernetes-csi/external-snapshotter/v2 v2.1.4 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
@@ -118,6 +118,7 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/rogpeppe/go-internal v1.6.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/afero v1.8.2 // indirect
 	github.com/spf13/cast v1.4.1 // indirect

go.sum

@@ -260,6 +260,8 @@ github.com/gardener/gardener v1.59.0 h1:9T8C2lPwaFTKxUi3afpVjmbao/uDcn5lfYRmFqMF
 github.com/gardener/gardener v1.59.0/go.mod h1:4vopE/Pg4LJud1CRg80rAcp94v83MJIgktlHNcSKO84=
 github.com/gardener/gardener-extension-networking-calico v1.27.1 h1:q/lsdqbwV+qlwNPxlqFxGeqKMDwPk+dPhUGXjxObzGE=
 github.com/gardener/gardener-extension-networking-calico v1.27.1/go.mod h1:MURFRmYPHiXSfmJ82S3nXH3qGcszeYQwhMVKn/J5XoU=
+github.com/gardener/gardener-extension-networking-cilium v1.18.0 h1:LNBMqVAkltHBDkP+C5Vq/dFgve/YOG8MIvTJJuWWCtU=
+github.com/gardener/gardener-extension-networking-cilium v1.18.0/go.mod h1:bXE/CwHLju+AMsqYXdFIQTt1r+GRHOTW8hJ9EIR84Z0=
 github.com/gardener/gardener-resource-manager v0.10.0/go.mod h1:0pKTHOhvU91eQB0EYr/6Ymd7lXc/5Hi8P8tF/gpV0VQ=
 github.com/gardener/hvpa-controller v0.0.0-20191014062307-fad3bdf06a25/go.mod h1:yj7YJ6ijo4adcpXQKutPFZfQuKLdM5UMZZUlpbM3vig=
 github.com/gardener/hvpa-controller/api v0.5.0 h1:f4F3O7YUrenwh4S3TgPREPiB287JjjUiUL18OqPLyAA=
@@ -563,7 +565,6 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=

pkg/admission/cmd/options.go

@@ -15,6 +15,7 @@
 package cmd
 
 import (
+	"github.com/gardener/gardener-extension-provider-azure/pkg/admission/mutator"
 	"github.com/gardener/gardener-extension-provider-azure/pkg/admission/validator"
 
 	webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
@@ -25,5 +26,6 @@ func GardenWebhookSwitchOptions() *webhookcmd.SwitchOptions {
 	return webhookcmd.NewSwitchOptions(
 		webhookcmd.Switch(validator.Name, validator.New),
 		webhookcmd.Switch(validator.SecretsValidatorName, validator.NewSecretsWebhook),
+		webhookcmd.Switch(mutator.Name, mutator.New),
 	)
 }

pkg/admission/mutator/mutator_suite_test.go

@@ -0,0 +1,27 @@
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mutator_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestMutator(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Shoot Mutator Suite")
+}

pkg/admission/mutator/shoot.go

@@ -0,0 +1,136 @@
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package mutator
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	ciliumv1alpha1 "github.com/gardener/gardener-extension-networking-cilium/pkg/apis/cilium/v1alpha1"
+	"github.com/gardener/gardener-extension-networking-cilium/pkg/cilium"
+	extensionswebhook "github.com/gardener/gardener/extensions/pkg/webhook"
+	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/serializer"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// NewShootMutator returns a new instance of a shoot mutator.
+func NewShootMutator() extensionswebhook.Mutator {
+	return &shoot{}
+}
+
+type shoot struct {
+	decoder runtime.Decoder
+}
+
+// InjectScheme injects the given scheme into the validator.
+func (s *shoot) InjectScheme(scheme *runtime.Scheme) error {
+	s.decoder = serializer.NewCodecFactory(scheme, serializer.EnableStrict).UniversalDecoder()
+	return nil
+}
+
+// Mutate mutates the given shoot object.
+func (s *shoot) Mutate(ctx context.Context, new, old client.Object) error {
+	overlay := &ciliumv1alpha1.Overlay{Enabled: false}
+
+	shoot, ok := new.(*gardencorev1beta1.Shoot)
+	if !ok {
+		return fmt.Errorf("wrong object type %T", new)
+	}
+
+	if shoot.Spec.Networking.Type != cilium.ReleaseName {
+		return nil
+	}
+
+	// Skip if shoot is in restore or migration phase
+	if wasShootRescheduledToNewSeed(shoot) {
+		return nil
+	}
+
+	var oldShoot *gardencorev1beta1.Shoot
+	if old != nil {
+		oldShoot, ok = old.(*gardencorev1beta1.Shoot)
+		if !ok {
+			return fmt.Errorf("wrong object type %T", old)
+		}
+	}
+
+	if oldShoot != nil && isShootInMigrationOrRestorePhase(shoot) {
+		return nil
+	}
+
+	// Skip if specs are matching
+	if oldShoot != nil && reflect.DeepEqual(shoot.Spec, oldShoot.Spec) {
+		return nil
+	}
+
+	// Skip if shoot is in deletion phase
+	if shoot.DeletionTimestamp != nil || oldShoot != nil && oldShoot.DeletionTimestamp != nil {
+		return nil
+	}
+
+	networkConfig, err := s.decodeNetworkingConfig(shoot.Spec.Networking.ProviderConfig)
+	if err != nil {
+		return err
+	}
+
+	if oldShoot == nil && networkConfig.Overlay == nil {
+		networkConfig.Overlay = overlay
+	}
+
+	if oldShoot != nil && networkConfig.Overlay == nil {
+		oldNetworkConfig, err := s.decodeNetworkingConfig(oldShoot.Spec.Networking.ProviderConfig)
+		if err != nil {
+			return err
+		}
+		if oldNetworkConfig.Overlay != nil {
+			networkConfig.Overlay = oldNetworkConfig.Overlay
+		}
+	}
+	shoot.Spec.Networking.ProviderConfig = &runtime.RawExtension{
+		Object: networkConfig,
+	}
+
+	return nil
+}
+
+func (s *shoot) decodeNetworkingConfig(network *runtime.RawExtension) (*ciliumv1alpha1.NetworkConfig, error) {
+	networkConfig := &ciliumv1alpha1.NetworkConfig{}
+	if network != nil && network.Raw != nil {
+		if _, _, err := s.decoder.Decode(network.Raw, nil, networkConfig); err != nil {
+			return nil, err
+		}
+	}
+	return networkConfig, nil
+}
+
+// wasShootRescheduledToNewSeed returns true if the shoot.Spec.SeedName has been changed, but the migration operation has not started yet.
+func wasShootRescheduledToNewSeed(shoot *gardencorev1beta1.Shoot) bool {
+	return shoot.Status.LastOperation != nil &&
+		shoot.Status.LastOperation.Type != gardencorev1beta1.LastOperationTypeMigrate &&
+		shoot.Spec.SeedName != nil &&
+		shoot.Status.SeedName != nil &&
+		*shoot.Spec.SeedName != *shoot.Status.SeedName
+}
+
+// isShootInMigrationOrRestorePhase returns true if the shoot is currently being migrated or restored.
+func isShootInMigrationOrRestorePhase(shoot *gardencorev1beta1.Shoot) bool {
+	return shoot.Status.LastOperation != nil &&
+		(shoot.Status.LastOperation.Type == gardencorev1beta1.LastOperationTypeRestore &&
+			shoot.Status.LastOperation.State != gardencorev1beta1.LastOperationStateSucceeded ||
+			shoot.Status.LastOperation.Type == gardencorev1beta1.LastOperationTypeMigrate)
+}