Fix hook-me.sh script

[vpnachev]

How to categorize this PR?

/area dev-productivity
/kind bug

What this PR does / why we need it:
Fix hook-me.sh script to

• configure the network policies in the extension namespace
• properly clean-up deployed resources
• revert the extension service spec
• unify the indentation
• properly backup the original service
• log the file where the service spec is backed up

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

`hack/hook-me.sh` now ensures the required network connectivity so that the quic tunnel can be successfully established. 

[oliver-goetz]

I never used this script, so I don't know exactly for which use cases it is build.
However, the quic images referenced in the script are 3 years old and probably contain lots of security issues. The script creates a public LB, so we should update the images or find an alternative solution for the tunnel.

[vpnachev]

The script is used mainly in the provider extensions in development scenarios where the extension controller is also an admission webhook and runs locally while the seed cluster is a real k8s cluster running on some infrastructure. For example, take a look at https://github.com/gardener/gardener-extension-provider-gcp/blob/master/hack/hook-me.sh.

I do agree the images are not maintained recently, though this should be handled separately.

[plkokanov]

/assign

[oliver-goetz]

Ok, I see the use case.

I had some problems pulling the image from ghcr.io the last days. Now it works again.
According to docker scout there are 6 critical and 60 high CVE entries for the quic-server image. That's not surprising, but still quite a lot.
When we fix the script now and leave the image as it is, it may stay untouched for the next three years. Thus, I prefer to solve this issue right now.

❯ docker scout quickview ghcr.io/mvladev/quic-reverse-http-tunnel/quic-server:v0.1.2
    i New version 1.2.2 available (installed version is 1.2.0) at https://github.com/docker/scout-cli
    ✓ SBOM of image already cached, 29 packages indexed

  Target               │  ghcr.io/mvladev/quic-reverse-http-tunnel/quic-server:v0.1.2  │    6C    60H    23M     2L     3?
    digest             │  4641d237ff3d                                                 │
  Base image           │  alpine:3                                                     │    3C    17H     5M     1L     1?
  Refreshed base image │  alpine:3                                                     │    0C     0H     0M     0L
                       │                                                               │    -3    -17     -5     -1     -1
  Updated base image   │  alpine:3.18                                                  │    0C     0H     0M     0L
                       │                                                               │    -3    -17     -5     -1     -1

I see these options:

• forking the repo and maintain it by ourselves
• replace the quic tunnel by an SSH tunnel similar to how it is done in the provider-extensions setup (ref)
• create a VPN based solution

[vpnachev]

it may stay untouched for the next three years. Thus, I prefer to solve this issue right now.

A github issue can be used as a reminder to not forget about this task, what do you think?

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale

[plkokanov]

/remove-lifecycle stale

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle rotten
• Close this PR with /close

/lifecycle rotten

[vpnachev]

/remove-lifecycle rotten

[vpnachev]

/retest-required

[vpnachev]

/retest-required

[plkokanov]

I still plan to finish my review on this. Should be done today or tomorrow.

Already looks good and I've found a few minor nits.
One suggestion I have wrt @oliver-goetz's comments is to possibly add a warning that this will open a tunnel to your local machine with a link to the quic tunnel repository. The extensions will (hopefully soonish) move to a setup that uses skaffold to push the necessary images to the seed cluster and we will probably no-longer need this hack script. This should remove the need to maintain/update https://github.com/mvladev/quic-reverse-http-tunnel

[vpnachev]

c87bdd3 now requires user's consent the tunnel to be opened.

[vpnachev]

/retest-required

[plkokanov]

Extremely sorry for taking so long to review it.

I tested it on both aws and gcp and it seems to work fine.

[vpnachev]

The feedback has been addressed, the PR is ready for another look.

[plkokanov]

Thanks for addressing my comments!
Just one final suggestion as the quic tunnel images are now updated and available from our gardener ghcr.io registry.

After that I think we can merge it.

[oliver-goetz]

Thank 🚀
It's looking good now with the new version of quic tunnel 👍

I have some small suggestions.

[vpnachev]

/retest-required

[vpnachev]

@oliver-goetz @plkokanov I hope this PR can be merged now?

[plkokanov]

🚀
/lgtm

[gardener-prow]

LGTM label has been added.

Git tree hash: a17e318242fb8bd796e7f87c9151f3ace399ca23

[oliver-goetz]

thanks @vpnachev 🚀
/approve

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: oliver-goetz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [oliver-goetz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment