Add validation of Kubernetes feature gates

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/ahmetb/gen-crd-api-reference-docs v0.2.0
 	github.com/coreos/go-systemd/v22 v22.1.0
+	github.com/dsnet/compress v0.0.1 // indirect
 	github.com/frankban/quicktest v1.9.0 // indirect
 	github.com/gardener/etcd-druid v0.5.0
 	github.com/gardener/gardener v1.23.1
@@ -26,33 +27,35 @@ require (
 	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/ulikunitz/xz v0.5.7 // indirect
+	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	google.golang.org/api v0.20.0
-	k8s.io/api v0.20.6
-	k8s.io/apiextensions-apiserver v0.20.6
-	k8s.io/apimachinery v0.20.6
-	k8s.io/apiserver v0.20.6
+	k8s.io/api v0.20.7
+	k8s.io/apiextensions-apiserver v0.20.7
+	k8s.io/apimachinery v0.20.7
+	k8s.io/apiserver v0.20.7
 	k8s.io/autoscaler v0.0.0-20190805135949-100e91ba756e
 	k8s.io/client-go v11.0.1-0.20190409021438-1a26190bd76a+incompatible
-	k8s.io/code-generator v0.20.6
-	k8s.io/component-base v0.20.6
+	k8s.io/code-generator v0.20.7
+	k8s.io/component-base v0.20.7
 	k8s.io/gengo v0.0.0-20201113003025-83324d819ded
 	k8s.io/klog v1.0.0
-	k8s.io/kubelet v0.20.6
+	k8s.io/kubelet v0.20.7
 	k8s.io/utils v0.0.0-20210111153108-fddb29f9d009
 	sigs.k8s.io/controller-runtime v0.8.3
 )
 
 replace (
+	github.com/gardener/gardener => github.com/stoyanr/gardener v1.25.0-dev-1
 	github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.7.1 // keep this value in sync with sigs.k8s.io/controller-runtime
-	k8s.io/api => k8s.io/api v0.20.6
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.6
-	k8s.io/apimachinery => k8s.io/apimachinery v0.20.6
-	k8s.io/apiserver => k8s.io/apiserver v0.20.6
-	k8s.io/client-go => k8s.io/client-go v0.20.6
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.6
-	k8s.io/code-generator => k8s.io/code-generator v0.20.6
-	k8s.io/component-base => k8s.io/component-base v0.20.6
+	k8s.io/api => k8s.io/api v0.20.7
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.7
+	k8s.io/apimachinery => k8s.io/apimachinery v0.20.7
+	k8s.io/apiserver => k8s.io/apiserver v0.20.7
+	k8s.io/client-go => k8s.io/client-go v0.20.7
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.7
+	k8s.io/code-generator => k8s.io/code-generator v0.20.7
+	k8s.io/component-base => k8s.io/component-base v0.20.7
 	k8s.io/helm => k8s.io/helm v2.13.1+incompatible
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.6
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.7
 )

pkg/admission/validator/shoot.go

@@ -135,7 +135,7 @@ func (s *shoot) validateContext(valContext *validationContext) field.ErrorList {
 	allErrors = append(allErrors, gcpvalidation.ValidateNetworking(valContext.shoot.Spec.Networking, networkPath)...)
 	allErrors = append(allErrors, gcpvalidation.ValidateInfrastructureConfig(valContext.infrastructureConfig, valContext.shoot.Spec.Networking.Nodes, valContext.shoot.Spec.Networking.Pods, valContext.shoot.Spec.Networking.Services, infrastructureConfigPath)...)
 	allErrors = append(allErrors, gcpvalidation.ValidateWorkers(valContext.shoot.Spec.Provider.Workers, workersPath)...)
-	allErrors = append(allErrors, gcpvalidation.ValidateControlPlaneConfig(valContext.controlPlaneConfig, allowedZones, workersZones(valContext.shoot.Spec.Provider.Workers), controlPlaneConfigPath)...)
+	allErrors = append(allErrors, gcpvalidation.ValidateControlPlaneConfig(valContext.controlPlaneConfig, allowedZones, workersZones(valContext.shoot.Spec.Provider.Workers), valContext.shoot.Spec.Kubernetes.Version, controlPlaneConfigPath)...)
 
 	// WorkerConfig
 	for i, worker := range valContext.shoot.Spec.Provider.Workers {

pkg/apis/gcp/validation/controlplane.go

@@ -16,14 +16,15 @@ package validation
 
 import (
 	apisgcp "github.com/gardener/gardener-extension-provider-gcp/pkg/apis/gcp"
-	"k8s.io/apimachinery/pkg/util/sets"
 
+	corevalidation "github.com/gardener/gardener/pkg/apis/core/validation"
 	apivalidation "k8s.io/apimachinery/pkg/api/validation"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 )
 
 // ValidateControlPlaneConfig validates a ControlPlaneConfig object.
-func ValidateControlPlaneConfig(controlPlaneConfig *apisgcp.ControlPlaneConfig, allowedZones, workerZones sets.String, fldPath *field.Path) field.ErrorList {
+func ValidateControlPlaneConfig(controlPlaneConfig *apisgcp.ControlPlaneConfig, allowedZones, workerZones sets.String, version string, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
 	if len(controlPlaneConfig.Zone) == 0 {
@@ -35,6 +36,11 @@ func ValidateControlPlaneConfig(controlPlaneConfig *apisgcp.ControlPlaneConfig,
 	if !workerZones.Has(controlPlaneConfig.Zone) {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("zone"), controlPlaneConfig.Zone, "must be part of at least one worker zone"))
 	}
+
+	if controlPlaneConfig.CloudControllerManager != nil {
+		allErrs = append(allErrs, corevalidation.ValidateFeatureGates(controlPlaneConfig.CloudControllerManager.FeatureGates, version, fldPath.Child("cloudControllerManager", "featureGates"))...)
+	}
+
 	return allErrs
 }
 

pkg/apis/gcp/validation/controlplane_test.go

@@ -42,13 +42,13 @@ var _ = Describe("ControlPlaneConfig validation", func() {
 
 	Describe("#ValidateControlPlaneConfig", func() {
 		It("should return no errors for a valid configuration", func() {
-			Expect(ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, fldPath)).To(BeEmpty())
+			Expect(ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, "", fldPath)).To(BeEmpty())
 		})
 
 		It("should require that the control-plane config zone be part of the worker pool zone configuration", func() {
 			controlPlane.Zone = ""
 			workerZonesNotSupported := sets.NewString("zone3", "zone4")
-			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZonesNotSupported, fldPath)
+			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZonesNotSupported, "", fldPath)
 
 			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":  Equal(field.ErrorTypeInvalid),
@@ -62,7 +62,7 @@ var _ = Describe("ControlPlaneConfig validation", func() {
 		It("should require the name of a zone", func() {
 			controlPlane.Zone = ""
 
-			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, fldPath)
+			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, "", fldPath)
 
 			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":  Equal(field.ErrorTypeRequired),
@@ -76,7 +76,7 @@ var _ = Describe("ControlPlaneConfig validation", func() {
 		It("should require a name of a zone that is part of the regions", func() {
 			controlPlane.Zone = "bar"
 
-			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, fldPath)
+			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, "", fldPath)
 
 			Expect(errorList).To(ConsistOf(PointTo(MatchFields(IgnoreExtras, Fields{
 				"Type":  Equal(field.ErrorTypeNotSupported),
@@ -86,6 +86,29 @@ var _ = Describe("ControlPlaneConfig validation", func() {
 				"Field": Equal("zone"),
 			}))))
 		})
+
+		It("should fail with invalid CCM feature gates", func() {
+			controlPlane.CloudControllerManager = &apisgcp.CloudControllerManagerConfig{
+				FeatureGates: map[string]bool{
+					"AnyVolumeDataSource":      true,
+					"CustomResourceValidation": true,
+					"Foo":                      true,
+				},
+			}
+
+			errorList := ValidateControlPlaneConfig(controlPlane, allowedZones, workerZones, "1.18.14", fldPath)
+
+			Expect(errorList).To(ConsistOf(
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":  Equal(field.ErrorTypeForbidden),
+					"Field": Equal("cloudControllerManager.featureGates.CustomResourceValidation"),
+				})),
+				PointTo(MatchFields(IgnoreExtras, Fields{
+					"Type":  Equal(field.ErrorTypeInvalid),
+					"Field": Equal("cloudControllerManager.featureGates.Foo"),
+				})),
+			))
+		})
 	})
 
 	Describe("#ValidateControlPlaneConfigUpdate", func() {

test/integration/infrastructure/infrastructure_test.go

@@ -238,14 +238,12 @@ func runTest(
 		Expect(client.IgnoreNotFound(c.Delete(ctx, infra))).To(Succeed())
 
 		By("wait until infrastructure is deleted")
-		err := extensions.WaitUntilExtensionCRDeleted(
+		err := extensions.WaitUntilExtensionObjectDeleted(
 			ctx,
 			c,
 			gardenerlog,
-			func() extensionsv1alpha1.Object { return &extensionsv1alpha1.Infrastructure{} },
+			infra,
 			"Infrastructure",
-			infra.Namespace,
-			infra.Name,
 			10*time.Second,
 			16*time.Minute,
 		)
@@ -305,14 +303,12 @@ func runTest(
 	}
 
 	By("wait until infrastructure is created")
-	if err := extensions.WaitUntilExtensionCRReady(
+	if err := extensions.WaitUntilExtensionObjectReady(
 		ctx,
 		c,
 		gardenerlog,
-		func() client.Object { return &extensionsv1alpha1.Infrastructure{} },
+		infra,
 		extensionsv1alpha1.InfrastructureResource,
-		infra.Namespace,
-		infra.Name,
 		10*time.Second,
 		30*time.Second,
 		16*time.Minute,