Remove OpenVPN support by enforcing Konnectivity (#13316)

* Ensure that enableKonnectivity has to be set to true

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Update CRDs

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Update fixtures

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Check for Konnectivity in installer

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Use internal diff package for mutator tests

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Reduce cyclomatic complexity of `ValidateClusterNetworkConfig`

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Add konnectivity defaulting to all tests that create new cluster objects

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

* Update fixtures

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

---------

Signed-off-by: Marvin Beckers <marvin@kubermatic.com>

pkg/apis/kubermatic/v1/cluster.go

@@ -895,9 +895,11 @@ type ClusterNetworkingConfig struct {
 	// CoreDNSReplicas is the number of desired pods of user cluster coredns deployment.
 	CoreDNSReplicas *int32 `json:"coreDNSReplicas,omitempty"`
 
+	// +kubebuilder:default=true
+
 	// Deprecated: KonnectivityEnabled enables konnectivity for controlplane to node network communication.
-	// As OpenVPN will be removed in the future KKP versions, clusters with konnectivity disabled will not be supported.
-	// All existing clusters with OpenVPN should migrate to the Konnectivity.
+	// Konnectivity is the only supported choice for controlplane to node network communication. This field is
+	// defaulted to true and setting it to false is rejected. It will be removed in a future release.
 	KonnectivityEnabled *bool `json:"konnectivityEnabled,omitempty"`
 
 	// TunnelingAgentIP is the address used by the tunneling agents

pkg/crd/k8c.io/kubermatic.k8c.io_clusters.yaml

@@ -1502,10 +1502,11 @@ spec:
                           type: boolean
                       type: object
                     konnectivityEnabled:
+                      default: true
                       description: |-
                         Deprecated: KonnectivityEnabled enables konnectivity for controlplane to node network communication.
-                        As OpenVPN will be removed in the future KKP versions, clusters with konnectivity disabled will not be supported.
-                        All existing clusters with OpenVPN should migrate to the Konnectivity.
+                        Konnectivity is the only supported choice for controlplane to node network communication. This field is
+                        defaulted to true and setting it to false is rejected. It will be removed in a future release.
                       type: boolean
                     nodeCidrMaskSizeIPv4:
                       description: |-

pkg/crd/k8c.io/kubermatic.k8c.io_clustertemplates.yaml

@@ -1493,10 +1493,11 @@ spec:
                           type: boolean
                       type: object
                     konnectivityEnabled:
+                      default: true
                       description: |-
                         Deprecated: KonnectivityEnabled enables konnectivity for controlplane to node network communication.
-                        As OpenVPN will be removed in the future KKP versions, clusters with konnectivity disabled will not be supported.
-                        All existing clusters with OpenVPN should migrate to the Konnectivity.
+                        Konnectivity is the only supported choice for controlplane to node network communication. This field is
+                        defaulted to true and setting it to false is rejected. It will be removed in a future release.
                       type: boolean
                     nodeCidrMaskSizeIPv4:
                       description: |-

pkg/install/stack/common/validation.go

@@ -106,6 +106,11 @@ func ValidateAllUserClustersAreCompatible(ctx context.Context, seed *kubermaticv
 		if !validVersion {
 			errs = append(errs, fmt.Errorf("cluster %s (version %s) on Seed %s would not be supported anymore", cluster.Name, clusterVersion, seed.Name))
 		}
+
+		// TODO(embik): Remove in KKP 2.27.
+		if cluster.Spec.ClusterNetwork.KonnectivityEnabled == nil || !*cluster.Spec.ClusterNetwork.KonnectivityEnabled { //nolint:staticcheck
+			errs = append(errs, fmt.Errorf("cluster %s on Seed %s has not been migrated to Konnectivity yet, which is mandatory for this KKP version", cluster.Name, seed.Name))
+		}
 	}
 
 	return errs

pkg/mutation/cluster/mutation.go

@@ -68,6 +68,10 @@ func MutateCreate(newCluster *kubermaticv1.Cluster, config *kubermaticv1.Kuberma
 		}
 	}
 
+	if newCluster.Spec.ClusterNetwork.KonnectivityEnabled == nil { //nolint:staticcheck
+		newCluster.Spec.ClusterNetwork.KonnectivityEnabled = ptr.To(true) //nolint:staticcheck
+	}
+
 	return nil
 }
 

pkg/resources/test/fixtures/configmap-aws-1.27.0-kube-apiserver-egress-externalCloudProvider.yaml

@@ -0,0 +1,18 @@
+# This file has been generated, DO NOT EDIT.
+
+data:
+  egress-selector-configuration.yaml: |
+    EgressSelections:
+    - Connection:
+        ProxyProtocol: GRPC
+        Transport:
+          TCP: null
+          UDS:
+            UDSName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
+      Name: cluster
+    apiVersion: apiserver.k8s.io/v1beta1
+    kind: EgressSelectorConfiguration
+metadata:
+  creationTimestamp: null
+  name: kube-apiserver-egress
+  namespace: cluster-de-test-01

pkg/resources/test/fixtures/configmap-aws-1.27.0-kube-apiserver-egress.yaml

@@ -0,0 +1,18 @@
+# This file has been generated, DO NOT EDIT.
+
+data:
+  egress-selector-configuration.yaml: |
+    EgressSelections:
+    - Connection:
+        ProxyProtocol: GRPC
+        Transport:
+          TCP: null
+          UDS:
+            UDSName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
+      Name: cluster
+    apiVersion: apiserver.k8s.io/v1beta1
+    kind: EgressSelectorConfiguration
+metadata:
+  creationTimestamp: null
+  name: kube-apiserver-egress
+  namespace: cluster-de-test-01

pkg/resources/test/fixtures/configmap-aws-1.27.0-prometheus-externalCloudProvider.yaml

@@ -643,14 +643,6 @@ data:
         for: 15m
         labels:
           severity: warning
-
-      - alert: DNSResolverDown
-        annotations:
-          message: DNS resolver has disappeared from Prometheus target discovery.
-        expr: absent(up{job="dns-resolver"} == 1)
-        for: 15m
-        labels:
-          severity: warning
 metadata:
   creationTimestamp: null
   labels:

pkg/resources/test/fixtures/configmap-aws-1.27.0-prometheus.yaml

@@ -643,14 +643,6 @@ data:
         for: 15m
         labels:
           severity: warning
-
-      - alert: DNSResolverDown
-        annotations:
-          message: DNS resolver has disappeared from Prometheus target discovery.
-        expr: absent(up{job="dns-resolver"} == 1)
-        for: 15m
-        labels:
-          severity: warning
 metadata:
   creationTimestamp: null
   labels:

pkg/resources/test/fixtures/configmap-aws-1.28.0-kube-apiserver-egress-externalCloudProvider.yaml

@@ -0,0 +1,18 @@
+# This file has been generated, DO NOT EDIT.
+
+data:
+  egress-selector-configuration.yaml: |
+    EgressSelections:
+    - Connection:
+        ProxyProtocol: GRPC
+        Transport:
+          TCP: null
+          UDS:
+            UDSName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
+      Name: cluster
+    apiVersion: apiserver.k8s.io/v1beta1
+    kind: EgressSelectorConfiguration
+metadata:
+  creationTimestamp: null
+  name: kube-apiserver-egress
+  namespace: cluster-de-test-01

pkg/resources/test/fixtures/configmap-aws-1.28.0-kube-apiserver-egress.yaml

@@ -0,0 +1,18 @@
+# This file has been generated, DO NOT EDIT.
+
+data:
+  egress-selector-configuration.yaml: |
+    EgressSelections:
+    - Connection:
+        ProxyProtocol: GRPC
+        Transport:
+          TCP: null
+          UDS:
+            UDSName: /etc/kubernetes/konnectivity-server/konnectivity-server.socket
+      Name: cluster
+    apiVersion: apiserver.k8s.io/v1beta1
+    kind: EgressSelectorConfiguration
+metadata:
+  creationTimestamp: null
+  name: kube-apiserver-egress
+  namespace: cluster-de-test-01

pkg/resources/test/fixtures/configmap-aws-1.28.0-prometheus-externalCloudProvider.yaml

@@ -643,14 +643,6 @@ data:
         for: 15m
         labels:
           severity: warning
-
-      - alert: DNSResolverDown
-        annotations:
-          message: DNS resolver has disappeared from Prometheus target discovery.
-        expr: absent(up{job="dns-resolver"} == 1)
-        for: 15m
-        labels:
-          severity: warning
 metadata:
   creationTimestamp: null
   labels:

pkg/resources/test/fixtures/configmap-aws-1.28.0-prometheus.yaml

@@ -643,14 +643,6 @@ data:
         for: 15m
         labels:
           severity: warning
-
-      - alert: DNSResolverDown
-        annotations:
-          message: DNS resolver has disappeared from Prometheus target discovery.
-        expr: absent(up{job="dns-resolver"} == 1)
-        for: 15m
-        labels:
-          severity: warning
 metadata:
   creationTimestamp: null
   labels: