Merge branch 'master' into enh/fix-1621

* master:
  Update vitest monorepo to v1.5.2 (#1844)
  Promote `experimentalUseWatchCacheForListShoots` to stable (#1822)
  Update dependency supertest to v7 (#1843)
  Update vitest monorepo to v1.5.1 (#1840)
  Add hack/cherry-pick-pull.sh (#1831)
  Make OIDC clientSecret optional (#1835)
  Create `Lease` during runtime, if not found (#1823)
  Update actions/checkout action to v4.1.4 (#1841)
  Update dependency vuetify to v3.5.17 (#1839)
  Update actions/checkout action to v4.1.3 (#1834)
  Update dependency vue to v3.4.25 (#1837)
  Update renovate.json5
  migrate to new @xterm scoped packages (#1832)

.github/renovate.json5

@@ -6,7 +6,10 @@
     "regexManagers:githubActionsVersions",
     "group:monorepos"
   ],
-  labels: ["kind/enhancement"],
+  labels: [
+    "kind/enhancement",
+    "renovate"
+  ],
   ignorePaths: [
     "**/node_modules/**",
     "**/.yarn/**",

.github/workflows/reuse-tool-lint.yaml

@@ -6,6 +6,6 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: REUSE Compliance Check
         uses: fsfe/reuse-action@a46482ca367aef4454a87620aa37c2be4b2f8106 # v3.0.0

backend/__fixtures__/config.js

@@ -22,7 +22,6 @@ const defaultConfig = {
   apiServerUrl: 'https://kubernetes.external.foo.bar',
   apiServerCaData: toBase64(ca),
   tokenRequestAudiences: ['aud1', 'aud2'],
-  experimentalUseWatchCacheForListShoots: 'no',
   gitHub: {
     apiUrl: 'https://api.github.com',
     org: 'gardener',
@@ -38,7 +37,6 @@ const defaultConfig = {
     rejectUnauthorized: true,
     ca,
     client_id: 'dashboard',
-    client_secret: toHex('dashboard-secret'),
     redirect_uris: [
       'http://localhost:8080/auth/callback'
     ],

backend/lib/config/gardener.js

@@ -111,7 +111,6 @@ module.exports = {
       requiredConfigurationProperties.push(
         'oidc.issuer',
         'oidc.client_id',
-        'oidc.client_secret',
         'oidc.redirect_uris'
       )
     }

backend/lib/github/webhook/handler.js

@@ -8,6 +8,7 @@
 
 const createError = require('http-errors')
 const { dashboardClient } = require('@gardener-dashboard/kube-client')
+const { isHttpError } = require('@gardener-dashboard/request')
 
 function currentMicroDateStr () {
   const date = new Date().toISOString()
@@ -26,7 +27,19 @@ async function updateLease () {
   try {
     await dashboardClient['coordination.k8s.io'].leases.mergePatch(namespace, name, body)
   } catch (err) {
-    throw createError(500, `Failed to update lease: ${err.message}`)
+    if (isHttpError(err, 404)) {
+      // Lease not found, create it
+      try {
+        body.metadata = {
+          name
+        }
+        await dashboardClient['coordination.k8s.io'].leases.create(namespace, body)
+      } catch (createErr) {
+        throw createError(500, `Failed to create lease: ${createErr.message}`)
+      }
+    } else {
+      throw createError(500, `Failed to update lease: ${err.message}`)
+    }
   }
 }
 

backend/lib/routes/shoots.js

@@ -9,7 +9,7 @@
 const express = require('express')
 const { shoots } = require('../services')
 const { metricsRoute } = require('../middleware')
-const { trimObjectMetadata, useWatchCacheForListShoots } = require('../utils')
+const { trimObjectMetadata } = require('../utils')
 
 const router = module.exports = express.Router({
   mergeParams: true
@@ -24,8 +24,7 @@ router.route('/')
       const user = req.user
       const namespace = req.params.namespace
       const labelSelector = req.query.labelSelector
-      const useCache = useWatchCacheForListShoots(req.query.useCache)
-      const shootList = await shoots.list({ user, namespace, labelSelector, useCache })
+      const shootList = await shoots.list({ user, namespace, labelSelector })
       for (const object of shootList.items) {
         trimObjectMetadata(object)
       }

backend/lib/services/shoots.js

@@ -28,62 +28,45 @@ const {
 } = utils
 const { getSeed } = cache
 
-exports.list = async function ({ user, namespace, labelSelector, useCache = false }) {
-  const client = user.client
+exports.list = async function ({ user, namespace, labelSelector }) {
   const query = {}
   if (labelSelector) {
     query.labelSelector = labelSelector
   }
   if (namespace === '_all') {
     if (await authorization.canListShoots(user)) {
       // user is permitted to list shoots in all namespaces
-      if (useCache) {
-        return {
-          apiVersion: 'v1',
-          kind: 'List',
-          items: cache.getShoots(namespace, query)
-        }
+      return {
+        apiVersion: 'v1',
+        kind: 'List',
+        items: cache.getShoots(namespace, query)
       }
-      return client['core.gardener.cloud'].shoots.listAllNamespaces(query)
     } else {
       // user is permitted to list shoots only in namespaces associated with their projects
       const namespaces = _
         .chain(cache.getProjects())
         .filter(projectFilter(user, false))
         .map('spec.namespace')
         .value()
-      if (useCache) {
-        const statuses = await Promise.allSettled(namespaces.map(namespace => authorization.canListShoots(user, namespace)))
-        return {
-          apiVersion: 'v1',
-          kind: 'List',
-          items: namespaces
-            .filter((_, i) => statuses[i].status === 'fulfilled' && statuses[i].value)
-            .flatMap(namespace => cache.getShoots(namespace, query))
-        }
-      }
-      const statuses = await Promise.allSettled(namespaces.map(namespace => client['core.gardener.cloud'].shoots.list(namespace, query)))
+      const statuses = await Promise.allSettled(namespaces.map(namespace => authorization.canListShoots(user, namespace)))
       return {
         apiVersion: 'v1',
         kind: 'List',
-        items: statuses
-          .filter(({ status }) => status === 'fulfilled')
-          .flatMap(({ value }) => value.items)
+        items: namespaces
+          .filter((_, i) => statuses[i].status === 'fulfilled' && statuses[i].value)
+          .flatMap(namespace => cache.getShoots(namespace, query))
       }
     }
   }
-  if (useCache) {
-    const isAllowed = await authorization.canListShoots(user, namespace)
-    if (!isAllowed) {
-      throw createError(403, `No authorization to list shoots in namespace ${namespace}`)
-    }
-    return {
-      apiVersion: 'v1',
-      kind: 'List',
-      items: cache.getShoots(namespace, query)
-    }
+  const isAllowed = await authorization.canListShoots(user, namespace)
+  if (!isAllowed) {
+    throw createError(403, `No authorization to list shoots in namespace ${namespace}`)
+  }
+  return {
+    apiVersion: 'v1',
+    kind: 'List',
+    items: cache.getShoots(namespace, query)
   }
-  return client['core.gardener.cloud'].shoots.list(namespace, query)
 }
 
 exports.create = async function ({ user, namespace, body }) {

backend/lib/utils/index.js

@@ -162,23 +162,6 @@ function filterBySelectors (selectors) {
   }
 }
 
-function useWatchCacheForListShoots (useCache) {
-  switch ('' + config.experimentalUseWatchCacheForListShoots) {
-    case 'never':
-      return false
-    case 'always':
-      return true
-    case 'no':
-    case 'false':
-      return ['true', 'yes', 'on'].includes(useCache)
-    case 'yes':
-    case 'true':
-      return !['false', 'no', 'off'].includes(useCache)
-    default:
-      return false
-  }
-}
-
 function getConfigValue (path, defaultValue) {
   const value = _.get(config, path, defaultValue)
   if (arguments.length === 1 && typeof value === 'undefined') {
@@ -217,7 +200,6 @@ module.exports = {
   trimObjectMetadata,
   parseSelectors,
   filterBySelectors,
-  useWatchCacheForListShoots,
   getConfigValue,
   getSeedNameFromShoot,
   shootHasIssue,

backend/package.json

@@ -87,7 +87,7 @@
     "path-to-regexp": "^6.2.1",
     "set-cookie-parser": "^2.6.0",
     "socket.io-client": "^4.7.5",
-    "supertest": "^6.3.4"
+    "supertest": "^7.0.0"
   },
   "eslintConfig": {
     "env": {

backend/test/acceptance/__snapshots__/api.cloudProviderSecrets.spec.js.snap

@@ -189,11 +189,24 @@ Array [
   Array [
     Object {
       ":authority": "kubernetes:6443",
-      ":method": "get",
-      ":path": "/apis/core.gardener.cloud/v1beta1/namespaces/garden-foo/shoots",
+      ":method": "post",
+      ":path": "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
       ":scheme": "https",
       "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJhckBleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImV4cCI6MzE1NTcxNjgwMCwianRpIjoianRpIn0.7WKy0sNVkJzIqh3QJIF1zk3QjzwFe_zMTv8PmnOCsxg",
     },
+    Object {
+      "apiVersion": "authorization.k8s.io/v1",
+      "kind": "SelfSubjectAccessReview",
+      "spec": Object {
+        "nonResourceAttributes": undefined,
+        "resourceAttributes": Object {
+          "group": "core.gardener.cloud",
+          "namespace": "garden-foo",
+          "resource": "shoots",
+          "verb": "list",
+        },
+      },
+    },
   ],
   Array [
     Object {
@@ -267,11 +280,24 @@ Array [
   Array [
     Object {
       ":authority": "kubernetes:6443",
-      ":method": "get",
-      ":path": "/apis/core.gardener.cloud/v1beta1/namespaces/garden-foo/shoots",
+      ":method": "post",
+      ":path": "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
       ":scheme": "https",
       "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJhckBleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImV4cCI6MzE1NTcxNjgwMCwianRpIjoianRpIn0.7WKy0sNVkJzIqh3QJIF1zk3QjzwFe_zMTv8PmnOCsxg",
     },
+    Object {
+      "apiVersion": "authorization.k8s.io/v1",
+      "kind": "SelfSubjectAccessReview",
+      "spec": Object {
+        "nonResourceAttributes": undefined,
+        "resourceAttributes": Object {
+          "group": "core.gardener.cloud",
+          "namespace": "garden-foo",
+          "resource": "shoots",
+          "verb": "list",
+        },
+      },
+    },
   ],
 ]
 `;

backend/test/acceptance/__snapshots__/api.projects.spec.js.snap

@@ -71,11 +71,24 @@ Array [
   Array [
     Object {
       ":authority": "kubernetes:6443",
-      ":method": "get",
-      ":path": "/apis/core.gardener.cloud/v1beta1/namespaces/garden-bar/shoots",
+      ":method": "post",
+      ":path": "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews",
       ":scheme": "https",
       "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZvb0BleGFtcGxlLm9yZyIsImlhdCI6MTU3NzgzNjgwMCwiYXVkIjpbImdhcmRlbmVyIl0sImdyb3VwcyI6WyJncm91cDEiXSwiZXhwIjozMTU1NzE2ODAwLCJqdGkiOiJqdGkifQ.iLqu05bZNRweB_7pr3cM6ZGO5gl2wYNf4d-hCazuo7o",
     },
+    Object {
+      "apiVersion": "authorization.k8s.io/v1",
+      "kind": "SelfSubjectAccessReview",
+      "spec": Object {
+        "nonResourceAttributes": undefined,
+        "resourceAttributes": Object {
+          "group": "core.gardener.cloud",
+          "namespace": "garden-bar",
+          "resource": "shoots",
+          "verb": "list",
+        },
+      },
+    },
   ],
   Array [
     Object {