support switching of network overlay mode (#504)

Author: DockToFuture

charts/gardener-extension-admission-openstack/charts/application/templates/mutatingwebhook-mutator.yaml

@@ -0,0 +1,38 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: {{ include "name" . }}
+webhooks:
+- name: mutation.openstack.provider.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1alpha1
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  objectSelector:
+    {{- if .Values.global.webhookConfig.useObjectSelector }}
+    matchLabels:
+      provider.extensions.gardener.cloud/openstack: "true"
+    {{- end }}
+  namespaceSelector: {}
+  sideEffects: None
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    {{- if .Values.global.virtualGarden.enabled }}
+    url: {{ printf "https://%s.%s/webhooks/mutate" (include "name" .) (.Release.Namespace) }}
+    {{- else }}
+    service:
+      namespace: {{ .Release.Namespace }}
+      name: {{ include "name" . }}
+      path: /webhooks/mutate
+    {{- end }}
+    caBundle: {{ required ".Values.global.webhookConfig.caBundle is required" .Values.global.webhookConfig.caBundle | b64enc }}

charts/gardener-extension-admission-openstack/charts/application/templates/rbac.yaml

@@ -11,6 +11,7 @@ rules:
   resources:
   - cloudprofiles
   - secretbindings
+  - shoots
   verbs:
   - get
   - list

charts/internal/cloud-provider-config/templates/_cloud-provider-config-route.tpl

@@ -0,0 +1,6 @@
+{{- define "cloud-provider-config-route" -}}
+[Route]
+{{- if .Values.routerID }}
+router-id="{{ .Values.routerID }}"
+{{- end }}
+{{- end -}}

charts/internal/cloud-provider-config/templates/cloud-provider-config.yaml

@@ -4,6 +4,7 @@
 {{ include "cloud-provider-config-meta" . }}
 {{ include "cloud-provider-config-loadbalancer" . }}
 {{ include "cloud-provider-config-networking" . }}
+{{ include "cloud-provider-config-route" . }}
 {{- end -}}
 ---
 apiVersion: v1

charts/internal/cloud-provider-config/values.yaml

@@ -32,6 +32,7 @@ useOctavia: false
 #   floatingNetworkID: "1234"
 #   floatingSubnetTags: tag1,tag2
 # [Networking]
+# routerID: 25611bee-3143-4e81-be81-2d867fcd909f
 # internalNetworkName: shoot--my-project--my-cluster
 # [BlockStorage]
 rescanBlockStorageOnResize: false

docs/usage-as-end-user.md

@@ -63,14 +63,17 @@ If you don't know which floating pools are available look it up in the respectiv
 
 With `floatingPoolSubnetName` you can explicitly define to which subnet in the floating pool network (defined via `floatingPoolName`) the router should be attached to.
 
-If `networks.id` is an optional field. If it is given, you can specify the uuid of an existing private Neutron network (created manually, by other tooling, ...) that should be reused. A new subnet for the Shoot will be created in it.
+`networks.id` is an optional field. If it is given, you can specify the uuid of an existing private Neutron network (created manually, by other tooling, ...) that should be reused. A new subnet for the Shoot will be created in it.
+
+If a `networks.id` is given and calico shoot clusters are created without a network overlay within one network make sure that the pod CIDR specified in `shoot.spec.networking.pods` is not overlapping with any other pod CIDR used in that network.
+Overlapping pod CIDRs will lead to disfunctional shoot clusters.
 
 The `networks.router` section describes whether you want to create the shoot cluster in an already existing router or whether to create a new one:
 
 * If `networks.router.id` is given then you have to specify the router id of the existing router that was created by other means (manually, other tooling, ...).
 If you want to get a fresh router for the shoot then just omit the `networks.router` field.
 
-* In any case, the shoot cluster will be created in a **new** subnet. 
+* In any case, the shoot cluster will be created in a **new** subnet.
 
 The `networks.workers` section describes the CIDR for a subnet that is used for all shoot worker nodes, i.e., VMs which later run your applications.
 

example/50-mutatingwebhookconfiguration.yaml

@@ -0,0 +1,30 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+  name: gardener-extension-admission-openstack
+webhooks:
+- name: mutation.openstack.provider.extensions.gardener.cloud
+  rules:
+  - apiGroups:
+    - "core.gardener.cloud"
+    apiVersions:
+    - v1alpha1
+    - v1beta1
+    operations:
+    - CREATE
+    - UPDATE
+    resources:
+    - shoots
+  failurePolicy: Fail
+  # Please make sure you are running `gardener@v1.42` or later before enabling this object selector.
+  objectSelector:
+    matchLabels:
+      provider.extensions.gardener.cloud/openstack: "true"
+  namespaceSelector: {}
+  sideEffects: None
+  admissionReviewVersions:
+  - v1
+  - v1beta1
+  clientConfig:
+    url: "https://localhost:9443/webhooks/mutate"
+    caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrekNDQWVPZ0F3SUJBZ0lSQUkxdHdSZGtOQnlLSnBzdkcwT0tOUGt3RFFZSktvWklodmNOQVFFTEJRQXcKRnpFVk1CTUdBMVVFQXhNTVoyRnlaR1Z1WlhJdFpHVjJNQjRYRFRJeE1ERXlNVEV3TXpJeE5sb1hEVE14TURFeQpNVEV3TXpJeE5sb3dGekVWTUJNR0ExVUVBeE1NWjJGeVpHVnVaWEl0WkdWMk1JSUJJakFOQmdrcWhraUc5dzBCCkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXNaZ2JqOXFXTE8zZnNHRUFWVkdKNi9iQ0dpdmZwa2FqUGhuWWdUODkKa3BPOTNkemFoOFdiYUUvYWFYRzY5MWJuMnpmb1pPUG9RdmNjL25QMWxrWUdYcGhUR21yN24yeTRQUHhDSVRqVgp5WC9BN2gvb1ZPVEFHWnhoUW14UTdrUDBwSStheTJpa2tVdW1WTjVnWVJkQ1hKMEI4TEhHYXBJTDBOcXI2M1paCm9LRUNWa3Z0ODNwdW9ybG5TL3Z2OU1adzZ6YmFDNjBWbC91NXM1anRRNDlUUXYvdUdGOUNxZmUrckVCZ3hrMzEKeTRXazNuMVVJUkxWLzFOY1hXTzh3T3JRWXp3TS9jbXFlV0w4a253SFh1ZzFVRDE3T2x1SS80TDF0b3M0dG5IYQo5V2tJcXlTRnYxS3lQWm40RGI5bTRuUU5aNTBQOWVNUUFpekZTWk9pZGVrOUl3SURBUUFCbzBJd1FEQU9CZ05WCkhROEJBZjhFQkFNQ0FhWXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QWRCZ05WSFE0RUZnUVVmRmFKQktzeWpkeUkKbjhkRWlwbGlSZEp3Zll3d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFId3RqcENLUDZ5T21TUXdKT01XUGVxcApveFB1Y0JWNi9MT3FQam1Ga1AvMUtXRlNTWGtWMUMvSVZ1OEtzci9OTnRlSTcxamJWdEx2cVdIUEp0SFdWMTF4CjE4bk9nUWVGbnl3aXF2UXQrZVBRQ3BPeGpaMEJONThINXp0b0w2NzlTczBrdEdNWTEyN2p5S3ZURXEvbE1KWVEKKzFLRStMbDUzRTVCejBTQ04rQVNoYWcvNlBvT2svUU5VNUI0VCsrVlg3VGxscXlScTVGS2k0RXY0RkJpYlFKLwpldlJ6NGg5OEpLandjOU9wRnRkNUtiR001UUp6d1pzN2hGMFNHMjhMa2szOFVhclR1cThTNFl1SnBQOTU1L1VQCnNXR1UrclFRZEx6ZG1vYnk4Qjd0bWU1a04xc08yVTF3U0w5MkdBajU5Tk50aTk1YmtGQjVhUUR2cTgvV3FKND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/gardener/etcd-druid v0.12.3
 	github.com/gardener/gardener v1.59.0
+	github.com/gardener/gardener-extension-networking-calico v1.27.0
 	github.com/gardener/machine-controller-manager v0.45.0
 	github.com/go-logr/logr v1.2.3
 	github.com/golang/mock v1.6.0

go.sum

@@ -163,6 +163,8 @@ github.com/gardener/etcd-druid v0.12.3 h1:FBpsEe+FrBwJ1a2VhaPlXjZsfIAcHGSsF5DvDO
 github.com/gardener/etcd-druid v0.12.3/go.mod h1:EJF6z4Ghv2FGUe1UzZWOEF1MxCA186fxvjBO44oSJX4=
 github.com/gardener/gardener v1.59.0 h1:9T8C2lPwaFTKxUi3afpVjmbao/uDcn5lfYRmFqMFoYw=
 github.com/gardener/gardener v1.59.0/go.mod h1:4vopE/Pg4LJud1CRg80rAcp94v83MJIgktlHNcSKO84=
+github.com/gardener/gardener-extension-networking-calico v1.27.0 h1:L51BcYbrcpQjmGl+E9HsW+xcJVZOfjbe403DRDwuUME=
+github.com/gardener/gardener-extension-networking-calico v1.27.0/go.mod h1:MURFRmYPHiXSfmJ82S3nXH3qGcszeYQwhMVKn/J5XoU=
 github.com/gardener/hvpa-controller/api v0.5.0 h1:f4F3O7YUrenwh4S3TgPREPiB287JjjUiUL18OqPLyAA=
 github.com/gardener/hvpa-controller/api v0.5.0/go.mod h1:QQl3ELkCaki+8RhXl0FZMfvnm0WCGwGJlGmrxJj6lvM=
 github.com/gardener/machine-controller-manager v0.45.0 h1:rpf0PHRXJMGY93oMruNP+tnMawKJXhhzCACyNJsT8Lo=

pkg/admission/cmd/options.go

@@ -15,6 +15,7 @@
 package cmd
 
 import (
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/admission/mutator"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/admission/validator"
 
 	webhookcmd "github.com/gardener/gardener/extensions/pkg/webhook/cmd"
@@ -25,5 +26,6 @@ func GardenWebhookSwitchOptions() *webhookcmd.SwitchOptions {
 	return webhookcmd.NewSwitchOptions(
 		webhookcmd.Switch(validator.Name, validator.New),
 		webhookcmd.Switch(validator.SecretsValidatorName, validator.NewSecretsWebhook),
+		webhookcmd.Switch(mutator.Name, mutator.New),
 	)
 }