🎆 Add Support for HA and ExposureClasses (#35)

* Add fake deploment to test locally
* Add support for multiple istio namespaces
* add ExposureClass support
* Implement support for workerless shoots
* Trigger webhook with empty patch instead of hash annotation

Co-authored-by: Simon Kienzler <[email protected]>

Makefile

@@ -11,7 +11,6 @@ REPO_ROOT                   := $(shell dirname $(realpath $(lastword $(MAKEFILE_
 HACK_DIR                    := $(REPO_ROOT)/hack
 VERSION                     := $(shell git describe --tag --always --dirty)
 TAG							:= $(VERSION)
-LD_FLAGS                    := -w $(shell EFFECTIVE_VERSION=$(VERSION) bash $(HACK_DIRECTORY)/get-build-ld-flags.sh k8s.io/component-base $(REPO_ROOT)/go.mod $(EXTENSION_PREFIX)-$(NAME) 2>&1 | grep -v .dockerignore)
 LEADER_ELECTION             := false
 IGNORE_OPERATION_ANNOTATION := false
 
@@ -25,14 +24,19 @@ TOOLS_DIR := hack/tools
 -include $(HACK_DIRECTORY)/tools.mk
 include hack/tools.mk
 
-.PHONY: start
-start:
+GOIMPORTSREVISER_VERSION := v3.5.6
+
+.PHONY: run
+run:
 	@LEADER_ELECTION_NAMESPACE=garden GO111MODULE=on go run \
-		-ldflags $(LD_FLAGS) \
 		./cmd/$(EXTENSION_PREFIX)-$(NAME) \
 		--kubeconfig=${KUBECONFIG} \
 		--ignore-operation-annotation=$(IGNORE_OPERATION_ANNOTATION) \
-		--leader-election=$(LEADER_ELECTION)
+		--leader-election=$(LEADER_ELECTION) \
+		--webhook-config-mode=url \
+		--webhook-config-url="host.docker.internal:9443" \
+		--webhook-config-cert-dir=example/certs \
+		--webhook-config-server-port=9443
 
 .PHONY: debug
 debug:
@@ -48,7 +52,6 @@ debug:
 
 PUSH ?= false
 images: export KO_DOCKER_REPO = $(REPO)
-images: export LD_FLAGS := $(LD_FLAGS)
 
 .PHONY: images
 images: $(KO)

README.md

@@ -18,6 +18,10 @@ spec:
           - ...
 ```
 
+The extension also supports multiple ingress namespaces, e.g. when using
+Gardener `ExposureClasses` or deploying Highly Available Control Planes (see
+[ADR03](./docs/adr/03_multiple_istio_namespaces.md) for more information).
+
 Please read on for more information.
 
 ## Installation
@@ -162,6 +166,7 @@ kubectl scale deployment -n extension-acl-XXXXXXX --replicas=0 gardener-extensio
 ```
 
 Now you can run the acl-extension locally to debug it.
+
 ```bash
-go run cmd/gardener-extension-acl/main.go --webhook-config-mode=url --webhook-config-url="host.docker.internal:9443" --webhook-config-cert-dir=example/certs --leader-election=false --webhook-config-server-port=9443
+make run
 ```

charts/gardener-extension-acl/templates/rbac.yaml

@@ -15,6 +15,7 @@ rules:
   - patch
   - update
   - create
+  - delete
   resources:
   - envoyfilters
 - apiGroups:
@@ -99,6 +100,8 @@ rules:
   - "deployments"
   verbs:
   - get
+  - list
+  - watch
   - create
   - update
   - patch
@@ -130,6 +133,14 @@ rules:
   - create
   - update
   - patch
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - gateways
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

cmd/gardener-extension-acl/app/app.go

@@ -22,7 +22,8 @@ import (
 	extensionscontroller "github.com/gardener/gardener/extensions/pkg/controller"
 	"github.com/gardener/gardener/extensions/pkg/util"
 	"github.com/spf13/cobra"
-	istionetworkingClientGo "istio.io/client-go/pkg/apis/networking/v1alpha3"
+	istionetworkv1alpha3 "istio.io/client-go/pkg/apis/networking/v1alpha3"
+	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
 	corev1 "k8s.io/api/core/v1"
 	componentbaseconfig "k8s.io/component-base/config"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -80,15 +81,17 @@ func (o *Options) run(ctx context.Context) error {
 		return fmt.Errorf("could not update manager scheme: %s", err)
 	}
 
-	if err := istionetworkingClientGo.AddToScheme(mgr.GetScheme()); err != nil {
+	if err := istionetworkv1alpha3.AddToScheme(mgr.GetScheme()); err != nil {
+		return fmt.Errorf("could not update manager scheme: %s", err)
+	}
+	if err := istionetworkv1beta1.AddToScheme(mgr.GetScheme()); err != nil {
 		return fmt.Errorf("could not update manager scheme: %s", err)
 	}
 
 	ctrlConfig := o.extensionOptions.Completed()
 	ctrlConfig.ApplyHealthCheckConfig(&healthcheck.DefaultAddOptions.HealthCheckConfig)
 	ctrlConfig.Apply(&controller.DefaultAddOptions.ExtensionConfig)
 	webhook.DefaultAddOptions.AllowedCIDRs = ctrlConfig.AdditionalAllowedCIDRs
-	ctrlConfig.Apply(&controller.DefaultAddOptions.ExtensionConfig)
 
 	o.controllerOptions.Completed().Apply(&controller.DefaultAddOptions.ControllerOptions)
 	o.healthOptions.Completed().Apply(&healthcheck.DefaultAddOptions.Controller)

deploy/extension/base/controller-registration.yaml

@@ -5,7 +5,7 @@ metadata:
   name: acl
 type: helm
 providerConfig:
-  chart: H4sIAAAAAAAAA+0ba2/jNnI/61cQ6gHbHirFdmxnK2CBy2Zz2wB5Ibu3xaEoAkaibTaSqCMlp97Hf78hRT2sh2Un2eR61XyxRA2HQ86bpOeYeyQk3CJ/xCQUlIUWdv29F48JA4CDyUT9AlR/1fNwfzwcTUbTqWwfjofD4Qs0eVQuWiARMeYIveCMxZvwur7/SWHeLP+jBeaxvcKB/whjSAFPx+NW+Y8GBxX5Twf7kxdo8Ahjd8JfXP44oh8Jl3J30HJo4CjKX82hPTANjwiX0yhWTYfoZ+IHyJXagWaMo3hB0DutQujw6BTlamQbIQ6Ig5oVzFhmowxsGMZ47mX4y0KL/cckiHwcE/EYkWB3/z8dgkvo/f8TQKf8rxfEj8BY7Ti6byzo8v+T/f11+Y8G4/1R7/+fAj5/tpBHZjQkyJQO20TW169Gi9OWyCT0FIpR7unjG+ILG6KHfUtWKQ31ktwQHhLQI5uyPUl/jUYLiSX2E83I58+Ihq6feDl7NtIdNzBS71tlUFJxUAuGHl+NVJ8FDUFjQpeo7vYV8QkWxD4H5iqcPbdot4JO+3dZOKPzAEcWDfCcLIkbM24xiN93nMZkmxyxy/7H00r+Bw8H497+nwKkvtIZsj9KnQf9ljL+qGR8kYlYqrVlWUYlVbyloeegI6UeZzgyAhJjD8fYMRBKU79m423WI91JRLjJslSz5AOh1E6dBuuW5L9AI+hzjMaA/dXI+FFDiut1rXXQF0ll49TX6OXG/Sex7W2g0/49EvlsFcAa3Lsc7LD/ycFwXLH/4XDax/8ngaphQ7wTe7l1v82Fv7V572zICGBB5wsLLzGFRurTeGWlYcfmRLCEu2CemaLars8Sby9eRUD+jtwsGLvdxhkYIiKuHI2TJZVz/ZkKMPXVKQ1oDGWo+hL51MUiZVu7Bd14xBIgpBgXMB/pJVLWAxy7i9PtnNI0JZAZlyZQWlgJOAxZjGW9LbKmLZ000uAuiHsrkqAUuwvrbvS+a8L8PuIUmP2b/UHzab8B8V3ieIHMrdIB8wc1abHAo8kU+Ch4KxyobigrgQTIsu4YB+Wb1wTOLA9WBGHfZ3fE264HB6HRgFig4YJwYLLo3yGqVxmPmdpIgIVhMMvVkY+FOF/f3hArAXK1fhoMNLIckLrk0HWl6pxvNhklNhbGGLJYnq+H1WVpKShJrCmtaqmhXCa+f8lAm1d15OJbuRvm85JwLGRZAf5D2qabcA7LZHEiX6hPxOsSRTkTznxflo0F8vtV6IoydUlvQbAfL5TG7k671LlrHI8KfOMTq9S9TFV/Piq+gir8zmiIzB/NKi06DxknFoOyWNmpVZhsG6dpl4usx2HeoUobXKUno7F0McpcvdctaVQFcyOVzI1aPnNvyzymiMcaL3e3p4BW5Uxt+lkRuIHXe+pZ5J8r/gl7HpXksH+YGtsR9XhNIgWWpW3SciVemb0WSs2iqTmXGmO5g9C7j1WWcmPW38usbOrbMLIkp6OTjmVWHhZfb4iKrb21O7EixuMyXxotzcNtjXUJSFvQg5l2kyO8iVpmTxq/yZh+0Z9axEXCZdm1pJ7u9Pjw7fHV9fHp8dGHk4vz6/PDs+P3l4dHxzkmQqo8/ydngVNqRGhGie9dkdl6q26X0cvJQ62di6JNU7pCbMbvydnhu+OPwOzF1fXFx+OrX65OPtR4dZA2mKIA2WusSHZQ5TwxKuPkjSoTidm/gWZDjy8o5jQoYt1wsJsZdS3OkvlJQM5k2BN1EXekIqXFCySFVHL1BSzhcXBiF6EPUS3mCWmfyE7TSCdRC8Xbcu9mdXFZHe9VFmfgkRlO/PiMeUBjPBqUJqVneZ/8v7P+ixj4YMETdQJ0k3hzsnMh2Ln/O55W6r/9wcG0r/+eArRNzGP0vUz6m6qeH9CwaQsoUtliUSteMu9trihvlKJ8u6Jxl4IP0sp/hbq49FPyIrnpnO+DC70HWubTQKf98xvsPvAiQIf9j4fjyvnP8OBg0O//PglUrVqJGyfxAgrdT6pCsW9fqXOPYsvXhzUj/Ir5ZBcD38V0eeLL0GshYO0dZ0mk4rBVLvapAOaAL2iHYHmjEaTTkb8+fFYPd9Jq1VOUPyURsEzUowu5g3ospU6yHZJTtppRH+Yp6mzktlLdlqoTctPFEurFC4UsarmXvtJwxrGAnMWNE+i21UwewkuBWnndAxuIk+0YaFzKGldt+3Z1pgIcQt7j5a0dTOQCK/NTEmjBmgfeu4k106wzkQefewoBXktySA2mQRdAFViQNaojS1XdtgxammptgvUFb7PbVpXkYL+i2nADVgjWlbYXGJVPOzK7qzRMQYBcLMz0DZLiMH35xooh976b2CmOQNq4uO/sXQbOgIab5aUSocqy6wEfSDBrV0lW+m3rzaYSM6UpZwvSZideQIU0Ek7mIDi+mc8gkXtk4VzvMaQlVZJ22t5ZbTSjB0W/N6lFfLMgCEPo/YxsGTdwCFj18NzBD6TBv4NAVaRNO79f27R+nKz9uVOcHjZAZ/6vdxQfUgJ05P+Q+lfvfwzG40Gf/z8FtF7s0J7g8Uv42vlmKalvPe6dcRZYgOV7VszUprVw0MtfP5sRZzFzmW865oejS/NHU34zne12tL/+9nI3DrDv5/vooDYQdUR+ePEcTEXMs1T4sLK9iuKUARij8ix7Leu/z/5JetSuw8rJpVHeGNmGDkLp0qRxFx7XTh87zy+yxXQQrKVqSVf+sptScXTx3Gb2Pwvb+n+cZgT3CgNd+7/7w2HF/4+gsff/TwFd/j/LBJ91JxfyXaYOg9aZ+sBuCbA8w74gvYXfDzrtfxnhh/4PrDP/OxhX938n0/7850mgciYqpU1CeU7iNZ35mNIShQuZBWQleWV8A75hZGq/AbgxBYxL5h1qZMIf232kqUkD71mmVL7KtN6W5pz5XSvVSMvnvPmn9MrWy7+/NPIDaRrqeyjlU103ShSrnPwnoRwWzmznyC5I2NAPUZF3MzdMpNqtdNguLxAGjK/uxULa9T5c6J7rx1xZapbfwmi6WSrba7dLu07HASHdvCkLMW1JD8RLeaBkvIxsF3j/p5e4HwAt/n+ZLuXj/AG4y/9PplX/P90f9Pe/nwT03dH5wuXSmcNiuLc0TqvLZt1wVF4QG7UrpSezcxZfgsuQBm2UT9QdNDKM9auGTskxy9uGTrYrbaxtAku3BINp96w8rTkZBKZRdnzmdHxGZZMv73Kv4Q4HNeTh6JXENsBNSEwd7fK7Q03Rou73FXVgxFh3wZKRTldlyrgIDJTuh0qkygVWIA+NrfdGs7QXodIl2Dy2VQkZ9futDvr1N8NYq5kdI7+1nBbX4/G+bkoraQcNB6PJICeX3fBLaTVf1ky/fYeablvJf+B8h7K/5zjqubhohSEFJaoNeFAyuSIREzRWS72I40g4e3vCXdxh/onG//DI0safEk5slwVFe/Fki1uydz2HJk28dBtYj8NLI3Ayt9URrexnk2QwtLV56N0XSW6dzRjPQb4De2T/BALO7MdJzyp0CmX2pUoPPfTQQw899NBDDz308CzwXwBHOl4AUAAA
+  chart: H4sIAAAAAAAAA+0ba2/btraf9SsI7QLdhkmxHdvpBBS4aZp1BfJC2nW4GIaAkWibiyTqklIy9/Hf7+FDD+sR2UmabHc+XyxRh4eHPG+SnmMekJhwh/yZklhQFjvYD3eePSQMAPYmE/ULUP9Vz8Pd8XA0GU2nsn04Hg6Hz9DkQbnogEykmCP0jDOW3obX9/1vCvN2+R8sME/dJY7CBxhDCng6HnfKfzTYq8l/OtidPEODBxi7F/7h8scJ/UC4lLuHrocWTpLi1R66A9sKiPA5TVLVtI9+JmGEfKkdaMY4ShcEvTEqhPYPjlChRq4V44h4qF3BrOt8lIELw1hPvQz/WOiw/5RESYhTIh4iEmzu/6dDcAlb//8I0Cv/iwUJEzBWN03uGgv6/P9kd3dV/qPBeHe09f+PAZ8+OSggMxoTZEuHbSPnyxerw2lLZBIHCsWq9gzxJQmFC9HDvSJLTUO9ZJeExwT0yKVsR9JfodFB4hqHmWHk0ydEYz/MgoI9F5mOtzDS7FtnUFLxUAeGGV+N1JwFjUFjYp+o7u45CQkWxD0B5mqcPbVo14Je+/dZPKPzCCcOjfCcXBM/ZdxhEL9vOE3JOjlin/2Pp7X8Dx72xlv7fwyQ+kpnyP0gdR70W8r4g5LxaS5iqdaO41i1VPGKxoGHDpR6HOPEikiKA5xiz0JIp37txtuuR6aTSHCbZalmyQdC2k69FuuW5D9DI+hzisaA/cXK+VFDiotVrfXQZ0nl1qmv0CuM+29i2+tAr/0HJAnZMoI1uHM52GP/k73huGb/w+F0G/8fBeqGDfFO7BTW/boQ/trmvbEhI4AFnS8cfI0pNNKQpktHhx2XE8Ey7oN55orq+iHLgp10mQD5G3K5YOxqHWdgiYT4cjROrqmc689UgKkvj2hEUyhD1ZckpD4Wmm3jFkzjAcuAkGJcwHykl9CsRzj1F0frOaWpJpAblyFQWVgJOI5ZimW9LfKmNZ00MuAviH8lsqgSu0vrbvW+K8L8NuEUmP2X+97w6b4C8Z3hdIHstdIB+zs1abHAo8kU+Ch5Kx2oaagqgQTIsm4YB+WbNwTOnABWBOEwZDckWK8HB6HRiDig4YJwYLLs3yOqFzmPudpIgIVhMMvlQYiFOFnd3hBLAXJ1fhwMDLIckPpk3/el6pzcbjJKbCxOMWSxvFgPp8/SNChJrCitammgnGVheMZAm5dN5PJbtRvm84pwHOQ4Ef5T2qafcQ7L5HAiX2hIxMsKRTkTzsJQlo0l8rtl7IsqdUlvQXCYLpTGbk670rlvnIAKfBkSp9K9StV8Pii/gir8wWiM7B/sOi06jxknDoOyWNmpU5psF6e6y2neY7/oUKcNrjKQ0Vi6GGWuwcuONKqGeSuV3I06IfOvqjxqxEODV7jbI0Crc6Y2/ZwE3MDLHfUsis81/4SDgEpyONzXxnZAA96QSInlGJt0fIlXZa+DUrtoGs6lwVjhIMzuY52lwpjN9yort/VtGVmSM9HJxDKnCIsvb4mKnb2NO3ESxtMqXwZN5+GuwToDpDXowUz7yRHeRi23J4PfZky/mk8d4iLxddW1aE93dLj/+vD84vDo8OD929OTi5P948N3Z/sHhwUmQqo8/4mzyKs0IjSjJAzOyWy11bTL6OUVodYtRNGlKX0hNuf37fH+m8MPwOzp+cXph8PzX8/fvm/w6iFjMGUBstNakWygykViVMUpGlUmkrL/AM2WHp9RymlUxrrhYDMz6lucaxZmETmWYU80RdyTilQWL5IUtOSaC1jB4+DETuMQolrKM9I9kY2moSfRCMXrcu/ndXFVHe9UFucQkBnOwvSYBUBjPBpUJmVmeZf8v7f+Sxj4YMEzdQJ0mQVzsnEh2Lv/O57W6r/dwd50W/89BhibmKfoW5n0t1U936Fh2xZQorLFslY8Y8HrQlFeKUX5ekXjJgUfpJW/xKa4DDV5kV32zvfehd49LfNxoNf++SX273kRoMf+x7vj2v7PcG9Pnv9t7f/rQ92qlbhxli6g0P2oKhT36oU69yi3fENYM8LPWUg2MfBNTJdnoQy9DgLW3nCWJSoOO9VinwpgDviCdgiWlwZBOh35G8Jn9XAjrVY9JcVTlgDLRD36kDuYxwCsXT1WsijZDnkqW85oCFMWTY4Ks6nvUDUJ+XrdhB4tFrK+5YF+pfGMYwHpi59m0G2tSd2HlxK19roD5pBm6zHQuqoNrrq28JpMRTiGFCgoWnuYqMjupk22JWtGtA3WbLvJRBGH7igEeK3IQdtOiy6AKrAob1Snl6rQ7Ri0MtXGBJsL3mXCnSrJwZRFveESDBIMTbeXGLVPGzK7qTRsQYBcKmz9BvlxrF++smLIbfA2dsrTkF4uyqHvuiA+A/9A49tFqNKkmiTMgPckmLerFEx/W3srqsJMZcr5GnWZThBRIe2GkzmsIr+dzyiTO2jx3OxA6IIr053W918bWVZ7+KnxNQciN3i5pvu4V/h9pe3wq0VhGMJsqOQLcQuHgNXMD3r4gTz8D9AZFep153cru+b981mnbHjqHOuvDL35v9lRvE8J0JP/Q+pfv/8xGI8H2/z/MaDzYocxxIcv4RvnmxWv2nncO+MscgArDJyUqU1r4aHnv32yE85S5rPQ9uz3B2f2D7b8Znvr7Wh/+f35ZhzgMCz20UFtwKmL4vDiKZhKWOAo7+3kexXlKQMwRuVZ9kqqf5f9E33Ubrz62zOrujGyDh2E9NLoyAqPK6ePvecX+WJ6CNZSteiVP+unVB5dPLWZ/WVhXf+PdUC+Uxjo2//dHQ5r/n8EjVv//xjQ5//zROxJd3Ih3WTqMGiVqffsigDLMxwKsrXwu0Gv/V8n+L7/A+vN//Ya+7+T6fb851GgdiYqpU1ieU4StJ352NIShQ+ZBWQlRWF6Cb5hZBu/AbgpBYwzFuwbZMIf2n3o1KSF9zxTql5lWm3TOWdx10o10uo5b/FJX9l6/v1zqziQprG5h1I91fWTTLHKyX8zymHh7G6O3JKEC/0QFUU3+5aJ1LtVDtvlBcKI8eWdWNBd78KF6bl6zJWnZsUtjLabpbK9cbu073QcEPT2TFWIukUfiFfyQMl4Fdkt8f5PL3HfAzr8/7Veyof5A3Cf/59M6/5/ujvY3v9+FDB3R+cLn0tnDovhX9FUV5ftuuGpvCC1GldK385OWHoGLkMatFU9UffQyLJWrxp6Fccsbxt6+b6ztbKdKt0SDGbcs/K09mQQ2VbV8dnT8TGVTaG8y72COxw0kIejFxLbAjchMU20K+4OtUWLpt9X1IERa9UFS0Z6XZUt4yIwULkfKpFqF1iBPDR23hvN016EKpdgi9hWJ2Q177d66LffLWulZvas4tayLq7H413TpCtpDw0Ho8mgIJff8NO02i9r6m/foLbbVvIfON+g/O85nnouL1phSEGJagMelEzOScIETdVSL9I0Ed7OjvAXN5h/pOm/A3Lt4o8ZJ67PorK9fHLFFdm5mEOTIV65DWzG4ZUROJm76lxW9nNJNhi6xjzM7oskt8pmiucg34E7cn8EAef24+mjAJNC2dtSZQtb2MIWtrCFLWxhC1vYwpPA/wAcVGBmAFAAAA==
   values:
     image: ghcr.io/stackitcloud/gardener-extension-acl:latest
 ---

docs/adr/02_envoyfilter_patching.md

@@ -79,6 +79,9 @@ containing the internal networking configuration. We then check if there is an
 it contains rules, we patch the incoming `EnvoyFilter` with those rules and send
 the result back to the API server.
 
+> The following description of the hashing procedure to trigger the webhook has
+> been superseded by [ADR04](04_trigger_webhook.md).
+
 A challenge with this approach is that the webhook (in contrast to the extension
 controller) is only triggered when `EnvoyFilters` are created or updated.
 However, the webhook also needs to act when a change is made to the `Extension`

docs/adr/03_multiple_istio_namespaces.md

@@ -0,0 +1,33 @@
+# Supporting Multiple Istio Namespaces
+
+Before this change, the `Namespace` used by the extension was hardcoded to
+`istio-ingress`. This is the default name for the Istio namespace, where the
+Ingress is deployed. In case of High Availability Shoots (see
+[Gardener HA Control Plane Best Practices](https://gardener.cloud/docs/gardener/shoot_high_availability_best_practices/)),
+or when using
+[ExposureClasses](https://gardener.cloud/docs/gardener/exposureclasses/), the
+name of this Ingress namespace can change dynamically.
+
+Therefore, the extension is rewritten to dynamically determine the correct
+namespace in which to create/mutate `EnvoyFilter` objects. This is achieved
+using the following logic:
+
+1. The extension gets the `Gateway` object called `kube-apiserver` in the
+   current shoot namespace. This object is created by Gardener for every Shoot.
+   The
+   [Gateway](https://istio.io/latest/docs/reference/config/networking/gateway/)
+   resource contains a `spec.selector` field, which contains label selectors for
+   the `Deployment` of the gateway controller that is  responsible for the
+   defined `Gateway`.
+2. From these label selectors, we can obtain the `Namespace` where the Istio
+   Ingress Gateway is deployed. This is achieved by a `LIST` operation
+   on `Deployments`, filtered by the selector labels.
+
+The namespace where this Deployment runs is the target namespace for all
+`EnvoyFilters` deployed/mutated by the extension. It is also recorded in the
+`Status` of the ACL `Extension` object. This enables the extension to support
+changing the istio namespace for a  running shoot. This will happen for example
+if a shoot is updated to High Availability or when using an `ExposureClass`.
+Also, when the ingress namespaces changes, the old `acl-vpn` `EnvoyFilter` will
+be cleaned up or get deleted (to "free" the previous ingress namespace from
+restrictive filter policies.)

docs/adr/04_trigger_webhook.md

@@ -0,0 +1,23 @@
+# Changing How the Webhook is Triggered
+
+In [ADR02](02_envoyfilter_patching.md), we defined how we create/mutate
+`EnvoyFilters` in order to provide ACL functionality.
+
+In the "Complicated Case 1: Mutating Webhook for Specific `EnvoyFilters`"
+section, ADR02 described how a hashing mechanism is used to update an annotation
+every time the contents of the `Extension.spec` changes, causing the
+`MutatingWebhook` to execute.
+
+This however neglected that there can be changes to the ACL configuration of a
+`Shoot` even when the `Extension.spec` hasn't changed, namely in the form of the
+`additionalAllowedCIDRs` configuration. This setting can be changed for the
+entire extension using the Helm chart it is deployed with. Adding additional
+CIDRs to this field would update all associated `EnvoyFilters`, except the ones
+the Webhook is responsible for.
+
+The new implementation of the trigger mechanism is both simpler and more
+thorough: Every time an `Extension` is reconciled, the actuator sends an empty
+patch for the associated `EnvoyFilter` that the Webhook is responsible for.
+This removes the need for the hashing logic, and makes sure that the Webhook is
+run every time the extension is reconciled. The problem with the neglected
+`additionalAllowedCIDRs` setting is solved by this approach.

example/fake-deployment.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerDeployment
+metadata:
+  name: acl
+type: helm
+providerConfig:
+  chart: H4sIAAAAAAAAA+2WTY+bMBCGc+ZXjPYeAjQQidtqK3UPqz1UVe9TM01QbYNsE21U5b93IB8iUVerPZBW2nk4GH/gd+yxZ4gXs8lJmFWeDyVzXQ7v6adlmuVZUQztRcoF5NObNpt1PqADuIXU/0i8eNigC/EOjZ5Ko3dwsVy+6v8sWV36n72fLWeQTGXQmA/uf2zr7+R83dgStmmEbXuu3qVxchdV5JWr2zA03cMjaQOqPzLws3EQNgRf0FVkycH9wxPQSyDbfx9HFg2VsD72zs89c1Q62p5Ukphlon+9DR+WeBHItBoD+ckywbvjP9//VSHx/xaM/V91xuwmyARvxf8iv/Z/lqaFxP9bMI7/HPz9gpPAr9pWJXymVjc7QzZEhgJWGLCMAJQj7JPBt9oQb51pS7Cd1tyj8Qdp34+BfqoShvPE1UMiGNd8i4qbfvMTfyVN6Cl+PrXDHvaRb0n1Uzm2olboS0i55nmsCo07iBgMavM0Ur3S9cHxuV7vWGjP1dNBP348WlPP6+vq0RcqVzqsdLR2mKixAWvOeOfhc6gNrnm9dl3bl/Mch225bHPkm84p8oPNbEfoDq9T+T9ebFF35Kf8AXzr/v8l/md5KvdfEARBEARBEARBEARBEARBEARBEN7LH7tBDWIAKAAA
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: acl
+spec:
+  deployment:
+    deploymentRefs:
+      - name: acl
+  resources:
+    - kind: Extension
+      type: acl
+

example/fake-deployment/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for the Gardener ACL extension.
+name: gardener-extension-acl
+version: 0.1.0

example/fake-deployment/templates/dummy.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: dummy
+  name: dummy
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dummy
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: dummy
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        resources: {}

go.mod

@@ -10,15 +10,16 @@ require (
 	github.com/gardener/gardener-extension-provider-openstack v1.30.1-0.20221215131400-b390fb780945
 	github.com/go-logr/logr v1.2.4
 	github.com/golang/mock v1.6.0
-	github.com/onsi/ginkgo v1.16.5
+	github.com/onsi/ginkgo/v2 v2.9.2
 	github.com/onsi/gomega v1.27.6
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
 	github.com/tidwall/gjson v1.14.3
-	golang.org/x/tools v0.7.0
+	golang.org/x/tools v0.15.0
 	gomodules.xyz/jsonpatch/v2 v2.2.0
 	gopkg.in/yaml.v3 v3.0.1
+	istio.io/api v0.0.0-20230217221049-9d422bf48675
 	istio.io/client-go v1.17.1
 	k8s.io/api v0.26.10
 	k8s.io/apiextensions-apiserver v0.26.10
@@ -86,8 +87,6 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.2 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
@@ -100,21 +99,19 @@ require (
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.14.0 // indirect
-	golang.org/x/mod v0.9.0 // indirect
-	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/crypto v0.15.0 // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.13.0 // indirect
-	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/term v0.14.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	istio.io/api v0.0.0-20230217221049-9d422bf48675 // indirect
 	k8s.io/autoscaler v0.0.0-20190805135949-100e91ba756e // indirect
 	k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect
 	k8s.io/helm v2.16.1+incompatible // indirect