From 71f761a60337988ad7688d872d3c5f8c53c5737d Mon Sep 17 00:00:00 2001 From: Tim Ebert Date: Mon, 6 May 2024 15:02:42 +0200 Subject: [PATCH] Support gardener versions < v1.89 --- pkg/controller/actuator.go | 26 ++++++++------ pkg/controller/actuator_test.go | 62 +++++++++++++++++++++++++++++++++ pkg/controller/suite_test.go | 12 +++---- 3 files changed, 82 insertions(+), 18 deletions(-) diff --git a/pkg/controller/actuator.go b/pkg/controller/actuator.go index dbff463d..5cb4059d 100644 --- a/pkg/controller/actuator.go +++ b/pkg/controller/actuator.go @@ -380,19 +380,23 @@ func (a *actuator) createSeedResources( return err } - defaultLabels, err := a.findDefaultIstioLabels(ctx) - if err != nil { - return err + cfg := map[string]interface{}{ + "shootName": cluster.Shoot.Status.TechnicalID, + "targetNamespace": istioNamespace, + "apiEnvoyFilterSpec": apiEnvoyFilterSpec, } - ingressEnvoyFilterSpec := envoyfilters.BuildIngressEnvoyFilterSpecForHelmChart( - cluster, spec.Rule, alwaysAllowedCIDRs, defaultLabels) - - cfg := map[string]interface{}{ - "shootName": cluster.Shoot.Status.TechnicalID, - "targetNamespace": istioNamespace, - "apiEnvoyFilterSpec": apiEnvoyFilterSpec, - "ingressEnvoyFilterSpec": ingressEnvoyFilterSpec, + defaultLabels, err := a.findDefaultIstioLabels(ctx) + if client.IgnoreNotFound(err) != nil { + return err + } else if err == nil { + // The `nginx-ingress-controller` Gateway object only exists in g/g@v1.89, (introduced with + // https://github.com/gardener/gardener/pull/9038). + // If it doesn't exist yet, we can't apply ACLs to shoot ingresses. + ingressEnvoyFilterSpec := envoyfilters.BuildIngressEnvoyFilterSpecForHelmChart( + cluster, spec.Rule, alwaysAllowedCIDRs, defaultLabels) + + cfg["ingressEnvoyFilterSpec"] = ingressEnvoyFilterSpec } cfg, err = chart.InjectImages(cfg, imagevector.ImageVector(), []string{ImageName}) diff --git a/pkg/controller/actuator_test.go b/pkg/controller/actuator_test.go index ee40aa95..c10fce87 100644 
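Review bot: When findDefaultIstioLabels returns NotFound, the new `} else if err == nil {` branch silently leaves `ingressEnvoyFilterSpec` out of cfg, so a seed where the `nginx-ingress-controller` Gateway is missing for a reason other than an old gardener version (for example because it was deleted) is reconciled with no ingress ACL at all and nothing in the logs says so. Record the fall-back explicitly in the NotFound case, e.g. `log.Info("Gateway nginx-ingress-controller not found, not applying ACL to shoot ingress")` using whatever logger Reconcile already receives (it is not visible in this hunk whether createSeedResources has one). Two smaller things: after the terminating `return err` the `} else if err == nil {` can simply be `if err == nil {`, and the comment's "only exists in g/g@v1.89" should read "only exists since g/g@v1.89", because the version is a lower bound. createSeedResources starts and ends outside the hunk.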
--- a/pkg/controller/actuator_test.go +++ b/pkg/controller/actuator_test.go @@ -5,6 +5,7 @@ import ( extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1" "github.com/gardener/gardener/pkg/apis/resources/v1alpha1" + . "github.com/gardener/gardener/pkg/utils/test/matchers" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" istionetworkingClientGo "istio.io/client-go/pkg/apis/networking/v1alpha3" 
@@ -121,6 +122,67 @@ var _ = Describe("actuator test", func() { Expect(extState.IstioNamespace).ToNot(BeNil()) Expect(*extState.IstioNamespace).To(Equal(istioNamespace1)) }) + + // gardener >= v1.89, including https://github.com/gardener/gardener/pull/9038 + Context("ingress-nginx is exposed via istio", func() { + BeforeEach(func() { + gateway := createNewGateway("nginx-ingress-controller", "garden", map[string]string{ + "app": "istio-ingressgateway", + "istio": "ingressgateway", + }) + + DeferCleanup(func() { + Expect(k8sClient.Delete(ctx, gateway)).To(Or(Succeed(), BeNotFoundError())) + }) + }) + + It("should create managed resource including acl-ingress-shoot EnvoyFilter object", func() { + extSpec := extensionspec.ExtensionSpec{ + Rule: &envoyfilters.ACLRule{ + Cidrs: []string{"1.2.3.4/24"}, + Action: "ALLOW", + Type: "remote_ip", + }, + } + extSpecJSON, err := json.Marshal(extSpec) + Expect(err).To(BeNil()) + ext := createNewExtension(shootNamespace1, extSpecJSON) + Expect(ext).To(Not(BeNil())) + + Expect(a.Reconcile(ctx, logger, ext)).To(Succeed()) + + mr := &v1alpha1.ManagedResource{} + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: ResourceNameSeed, Namespace: shootNamespace1}, mr)).To(Succeed()) + secret := &corev1.Secret{} + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: mr.Spec.SecretRefs[0].Name, Namespace: shootNamespace1}, secret)).To(Succeed()) + Expect(secret.Data["seed"]).To(ContainSubstring("acl-ingress-" + shootNamespace1)) + }) + }) + + // gardener < v1.89 + Context("ingress-nginx is not exposed via istio", func() { + It("should create managed resource not including acl-ingress-shoot EnvoyFilter object", func() { + extSpec := extensionspec.ExtensionSpec{ + Rule: &envoyfilters.ACLRule{ + Cidrs: []string{"1.2.3.4/24"}, + Action: "ALLOW", + Type: "remote_ip", + }, + } + extSpecJSON, err := json.Marshal(extSpec) + Expect(err).To(BeNil()) + ext := createNewExtension(shootNamespace1, extSpecJSON) + Expect(ext).To(Not(BeNil())) + + 
Expect(a.Reconcile(ctx, logger, ext)).To(Succeed()) + + mr := &v1alpha1.ManagedResource{} + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: ResourceNameSeed, Namespace: shootNamespace1}, mr)).To(Succeed()) + secret := &corev1.Secret{} + Expect(k8sClient.Get(ctx, types.NamespacedName{Name: mr.Spec.SecretRefs[0].Name, Namespace: shootNamespace1}, secret)).To(Succeed()) + Expect(secret.Data["seed"]).NotTo(ContainSubstring("acl-ingress-" + shootNamespace1)) + }) + }) }) Describe("reconciliation of an extension object with other ACL extensions being present", func() { diff --git a/pkg/controller/suite_test.go b/pkg/controller/suite_test.go index d01ae49d..22a6cfec 100644 --- a/pkg/controller/suite_test.go +++ b/pkg/controller/suite_test.go @@ -72,11 +72,6 @@ var _ = BeforeSuite(func() { Expect(err).ToNot(HaveOccurred()) Expect(k8sClient).NotTo(BeNil()) createGardenNamespace() - istioNamespaceSelector := map[string]string{ - "app": "istio-ingressgateway", - "istio": "ingressgateway", - } - createNewGateway("nginx-ingress-controller", "garden", istioNamespaceSelector) }) var _ = AfterSuite(func() { @@ -150,7 +145,7 @@ func createNewIstioDeployment(namespace string, labels map[string]string) { Expect(k8sClient.Create(ctx, deployment)).ShouldNot(HaveOccurred()) } -func createNewGateway(name, shootNamespace string, labels map[string]string) { +func createNewGateway(name, shootNamespace string, labels map[string]string) *istionetworkingv1beta1.Gateway { gw := &istionetworkingv1beta1.Gateway{ ObjectMeta: metav1.ObjectMeta{ Name: name, @@ -161,6 +156,7 @@ func createNewGateway(name, shootNamespace string, labels map[string]string) { }, } Expect(k8sClient.Create(ctx, gw)).ShouldNot(HaveOccurred()) + return gw } func createNewExtension(shootNamespace string, providerConfig []byte) *extensionsv1alpha1.Extension { 
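Review bot: The `gardener < v1.89` spec only asserts that the seed data does not contain `"acl-ingress-" + shootNamespace1`, which would also pass if the reconcile rendered an empty or unrelated seed chart; add a positive check that the API EnvoyFilter is still present (whatever substring the existing positive specs in this Describe use for it, if any) so the test proves the ingress filter was selectively omitted rather than everything. The two It bodies are otherwise identical up to the final matcher (extension creation, Reconcile, ManagedResource and Secret lookups); a small helper returning `secret.Data["seed"]` for a given extension would remove roughly fifteen duplicated lines and keep the two contexts from drifting apart. `Expect(err).To(BeNil())` is better written as `Expect(err).NotTo(HaveOccurred())`, the form suite_test.go already uses. The Describe these contexts are inserted into starts before the hunk.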
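Review bot: Dropping the suite-wide `nginx-ingress-controller` Gateway from BeforeSuite changes the default for every existing spec in this suite, not just the two new contexts: any spec in actuator_test.go that previously reconciled with the Gateway present now takes the NotFound path in createSeedResources and no longer renders the ingress EnvoyFilter. If any of those specs asserted on `acl-ingress-` content they would now fail, so presumably none do, but the intent should be stated where the Gateway used to be created, e.g. `// The istio Gateway for ingress-nginx is intentionally not created suite-wide; specs that need it (gardener >= v1.89) create it in their own BeforeEach and clean it up afterwards.` BeforeSuite starts outside the hunk.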
@@ -235,7 +231,9 @@ func createNewCluster(shootNamespace string) { Pods: nil, }, }, - Status: gardencorev1beta1.ShootStatus{ // needed to wait until k8s server is up and running + Status: gardencorev1beta1.ShootStatus{ + TechnicalID: shootNamespace, + // needed to wait until k8s server is up and running AdvertisedAddresses: []gardencorev1beta1.ShootAdvertisedAddress{{ Name: "test", URL: "https://test",