Put managed application credential behind a feature gate

cmd/gardener-extension-provider-openstack/app/app.go

@@ -31,6 +31,7 @@ import (
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/controller/healthcheck"
 	openstackinfrastructure "github.com/gardener/gardener-extension-provider-openstack/pkg/controller/infrastructure"
 	openstackworker "github.com/gardener/gardener-extension-provider-openstack/pkg/controller/worker"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/features"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 	openstackcontrolplaneexposure "github.com/gardener/gardener-extension-provider-openstack/pkg/webhook/controlplaneexposure"
 
@@ -168,6 +169,10 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 				return fmt.Errorf("invalid controller config: %w", err)
 			}
 
+			if err := features.ExtensionFeatureGate.SetFromMap(configFileOpts.Completed().Config.FeatureGates); err != nil {
+				return err
+			}
+
 			util.ApplyClientConnectionConfigurationToRESTConfig(configFileOpts.Completed().Config.ClientConnection, restOpts.Completed().Config)
 
 			if workerReconcileOpts.Completed().DeployCRDs {

cmd/gardener-extension-provider-openstack/main.go

@@ -18,13 +18,15 @@ import (
 	"os"
 
 	"github.com/gardener/gardener-extension-provider-openstack/cmd/gardener-extension-provider-openstack/app"
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/features"
 
 	"github.com/gardener/gardener/pkg/logger"
 	runtimelog "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 )
 
 func main() {
+	features.RegisterExtensionFeatureGate()
 	runtimelog.SetLogger(logger.ZapLogger(false))
 	cmd := app.NewControllerManagerCommand(signals.SetupSignalHandler())
 

hack/api-reference/config.md

@@ -112,6 +112,20 @@ ApplicationCredentialConfig
 <p>ApplicationCrednentialConfig defines the configuration for managed application credentials.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>featureGates</code></br>
+<em>
+map[string]bool
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>FeatureGates is a map of feature names to bools that enable
+or disable alpha/experimental features.
+Default: nil</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="openstack.provider.extensions.config.gardener.cloud/v1alpha1.ApplicationCredentialConfig">ApplicationCredentialConfig
@@ -133,18 +147,6 @@ ApplicationCredentialConfig
 <tbody>
 <tr>
 <td>
-<code>enabled</code></br>
-<em>
-bool
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Enabled indicate if managed application credentials should be used.</p>
-</td>
-</tr>
-<tr>
-<td>
 <code>lifetime</code></br>
 <em>
 <a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.15/#duration-v1-meta">

pkg/apis/config/types.go

@@ -39,6 +39,10 @@ type ControllerConfiguration struct {
 	BastionConfig *BastionConfig
 	// ApplicationCrednentialConfig defines the configuration for managed application credentials.
 	ApplicationCredentialConfig *ApplicationCredentialConfig
+	// FeatureGates is a map of feature names to bools that enable
+	// or disable alpha/experimental features.
+	// Default: nil
+	FeatureGates map[string]bool
 }
 
 // ETCD is an etcd configuration.
@@ -73,8 +77,6 @@ type BastionConfig struct {
 
 // ApplicationCredentialConfig defines the configuration for managed application credentials.
 type ApplicationCredentialConfig struct {
-	// Enabled indicate if managed application credentials should be used.
-	Enabled bool
 	// Lifetime define how long a managed application credentials are valid.
 	// Once the creation time + lifetime of an application credential is expired
 	// it will be renewed once it is next reconciled.

pkg/apis/config/v1alpha1/types.go

@@ -44,6 +44,11 @@ type ControllerConfiguration struct {
 	// ApplicationCrednentialConfig defines the configuration for managed application credentials.
 	// +optional
 	ApplicationCredentialConfig *ApplicationCredentialConfig `json:"managedApplicationCredential,omitempty"`
+	// FeatureGates is a map of feature names to bools that enable
+	// or disable alpha/experimental features.
+	// Default: nil
+	// +optional
+	FeatureGates map[string]bool `json:"featureGates,omitempty"`
 }
 
 // ETCD is an etcd configuration.
@@ -81,9 +86,6 @@ type BastionConfig struct {
 
 // ApplicationCredentialConfig defines the configuration for managed application credentials.
 type ApplicationCredentialConfig struct {
-	// Enabled indicate if managed application credentials should be used.
-	// +optional
-	Enabled bool `json:"enabled,omitempty"`
 	// Lifetime define how long a managed application credentials are valid.
 	// Once the creation time + lifetime of an application credential is expired
 	// it will be renewed once it is next reconciled.

pkg/apis/config/validation/config.go

@@ -37,10 +37,6 @@ func ValidateControllerConfig(cfg *config.ControllerConfiguration) error {
 func validateApplicationCredentialConfig(cfg *config.ApplicationCredentialConfig, fldPath *field.Path) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	if !cfg.Enabled {
-		return allErrs
-	}
-
 	if cfg.Lifetime.Duration > cfg.OpenstackExpirationPeriod.Duration {
 		allErrs = append(allErrs, field.Invalid(fldPath.Child("lifetime"), cfg.Lifetime.Duration, "application credential lifetime cannot be lower than the openstack layer expiration time"))
 	}

pkg/apis/config/validation/config_test.go

@@ -35,25 +35,15 @@ var _ = Describe("ControllerConfig validation", func() {
 		Entry("should pass with valid application credential config",
 			&config.ControllerConfiguration{
 				ApplicationCredentialConfig: &config.ApplicationCredentialConfig{
-					Enabled:                   true,
 					Lifetime:                  &metav1.Duration{Duration: 24 * time.Hour},
 					OpenstackExpirationPeriod: &metav1.Duration{Duration: 72 * time.Hour},
 				},
 			},
 			BeNil(),
 		),
-		Entry("should pass when application credential usage is disabled",
-			&config.ControllerConfiguration{
-				ApplicationCredentialConfig: &config.ApplicationCredentialConfig{
-					Enabled: false,
-				},
-			},
-			BeNil(),
-		),
 		Entry("should forbid application credential lifetime larger than openstack expiration time",
 			&config.ControllerConfiguration{
 				ApplicationCredentialConfig: &config.ApplicationCredentialConfig{
-					Enabled:                   true,
 					Lifetime:                  &metav1.Duration{Duration: 73 * time.Hour},
 					OpenstackExpirationPeriod: &metav1.Duration{Duration: 72 * time.Hour},
 				},

pkg/features/features.go

@@ -0,0 +1,38 @@
+// Copyright (c) 2022 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package features
+
+import (
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/component-base/featuregate"
+)
+
+const (
+	// ManagedApplicationCredential allows to manage application credentials for Shoots
+	// to interact with the Openstack layer on behalf of an Openstack user.
+	// owner @dkistner
+	// alpha: v1.27.0
+	ManagedApplicationCredential featuregate.Feature = "ManagedApplicationCredential"
+)
+
+// ExtensionFeatureGate is the feature gate for the extension controllers.
+var ExtensionFeatureGate = featuregate.NewFeatureGate()
+
+// RegisterExtensionFeatureGate registers features to the extension feature gate.
+func RegisterExtensionFeatureGate() {
+	runtime.Must(ExtensionFeatureGate.Add(map[featuregate.Feature]featuregate.FeatureSpec{
+		ManagedApplicationCredential: {Default: false, PreRelease: featuregate.Alpha},
+	}))
+}

pkg/internal/managedappcredential/manager_ensure.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"time"
 
+	"github.com/gardener/gardener-extension-provider-openstack/pkg/features"
 	"github.com/gardener/gardener-extension-provider-openstack/pkg/openstack"
 	openstackclient "github.com/gardener/gardener-extension-provider-openstack/pkg/openstack/client"
 	"github.com/gardener/gardener/pkg/utils"
@@ -76,7 +77,7 @@ func (m *Manager) Ensure(ctx context.Context, credentials *openstack.Credentials
 
 	// In case the application credential usage is disabled or the new parent user
 	// itself is an appplication, it is tried to clean up old application credentials before aborting.
-	if !m.config.Enabled || newParentUser.isApplicationCredential() {
+	if newParentUser.isApplicationCredential() || !features.ExtensionFeatureGate.Enabled(features.ManagedApplicationCredential) {
 		if oldParentUserUsable {
 			if err := m.runGarbageCollection(ctx, oldParentUser, nil); err != nil {
 				return err