Enable ServiceAccount token projection and token requestor for prov…

…ider-local

charts/gardener/provider-local/extension/templates/deployment.yaml

@@ -60,6 +60,9 @@ spec:
         - --webhook-config-server-port={{ .Values.webhookConfig.serverPort }}
         - --disable-controllers={{ .Values.disableControllers | join "," }}
         - --disable-webhooks={{ .Values.disableWebhooks | join "," }}
+        {{- if .Values.gardener.version }}
+        - --gardener-version={{ .Values.gardener.version }}
+        {{- end }}
         env:
         - name: LEADER_ELECTION_NAMESPACE
           valueFrom:

charts/gardener/provider-local/extension/values.yaml

@@ -78,5 +78,6 @@ coredns:
   enabled: true
 
 gardener:
+  version: ""
   seed:
     provider: local

charts/gardener/provider-local/internal/machine-controller-manager/seed/templates/deployment.yaml

@@ -21,6 +21,10 @@ spec:
 {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
 {{- end }}
+        {{- if .Values.useProjectedTokenMount }}
+        # TODO(rfranzke): Remove in a future release.
+        security.gardener.cloud/trigger: rollout
+        {{- end }}
       labels:
         gardener.cloud/role: controlplane
         app: kubernetes
@@ -49,7 +53,11 @@ spec:
         - --machine-health-timeout=10m
         - --namespace={{ .Release.Namespace }}
         - --port={{ .Values.metricsPortLocal }}
+        {{- if .Values.useTokenRequestor }}
+        - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
+        {{- else }}
         - --target-kubeconfig=/var/lib/machine-controller-manager/kubeconfig
+        {{- end }}
         - --v=3
         livenessProbe:
           failureThreshold: 3
@@ -64,9 +72,15 @@ spec:
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
+        {{- if .Values.useTokenRequestor }}
+        - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
+          name: kubeconfig
+          readOnly: true
+        {{- else }}
         - mountPath: /var/lib/machine-controller-manager
           name: machine-controller-manager
           readOnly: true
+        {{- end }}
       - name: local-machine-controller-manager
         image: {{ index .Values.images "machine-controller-manager" }}
         imagePullPolicy: IfNotPresent
@@ -82,7 +96,11 @@ spec:
         - --port={{ .Values.metricsPort }}
         - --safety-up=2
         - --safety-down=1
+        {{- if .Values.useTokenRequestor }}
+        - --target-kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
+        {{- else }}
         - --target-kubeconfig=/var/lib/machine-controller-manager/kubeconfig
+        {{- end }}
         - --v=3
         livenessProbe:
           failureThreshold: 3
@@ -106,10 +124,35 @@ spec:
             cpu: 350m
             memory: 256Mi
         volumeMounts:
+        {{- if .Values.useTokenRequestor }}
+        - mountPath: /var/run/secrets/gardener.cloud/shoot/generic-kubeconfig
+          name: kubeconfig
+          readOnly: true
+        {{- else }}
         - mountPath: /var/lib/machine-controller-manager
           name: machine-controller-manager
           readOnly: true
+        {{- end }}
       volumes:
+      {{- if .Values.useTokenRequestor }}
+      - name: kubeconfig
+        projected:
+          defaultMode: 420
+          sources:
+          - secret:
+              items:
+              - key: kubeconfig
+                path: kubeconfig
+              name: generic-token-kubeconfig
+              optional: false
+          - secret:
+              items:
+              - key: token
+                path: token
+              name: shoot-access-machine-controller-manager
+              optional: false
+      {{- else }}
       - name: machine-controller-manager
         secret:
           secretName: machine-controller-manager
+      {{- end }}

charts/gardener/provider-local/internal/machine-controller-manager/seed/templates/serviceaccount.yaml

@@ -3,3 +3,6 @@ kind: ServiceAccount
 metadata:
   name: machine-controller-manager
   namespace: {{ .Release.Namespace }}
+{{- if .Values.useProjectedTokenMount }}
+automountServiceAccountToken: false
+{{- end }}

charts/gardener/provider-local/internal/machine-controller-manager/seed/values.yaml

@@ -5,11 +5,13 @@ images:
 replicas: 1
 
 podAnnotations: {}
-
 podLabels: {}
 
 providerName: provider-foo
 
+useTokenRequestor: false
+useProjectedTokenMount: false
+
 namespace:
   uid: uuid-of-namespace
 

charts/gardener/provider-local/registration/templates/controller-registration.yaml

@@ -5,7 +5,7 @@ metadata:
   name: provider-local
 type: helm
 providerConfig:
-  chart: H4sIAAAAAAAAA+09a3PbtrL5rF+BUW6nSU5IiXrYqc703qvabuupY2ssJ5nOybkeioQk1hTBy4ccndT//SxeJPiQKCmufJpy+7CEx2IB7C4WiwU0MwMbezjQ8KcIe6FDPM0PyNKxIckllum2nn0xtAGO+332FyD/l302uj2j0+8cHdF046hz3HuG+l/edDXEYWQGCD0LCIk2lavK/5PCrHL+T+ZmEOkrc+Hu2wad4KNeb+38d/q5+e+0O8bRM9R+zI6ug7/4/Ju+8x4HdN4HaGk0TN9Xvurd7/S2ZuNlw8ahFTh+xDKG6GfsLpBFGQNNSYCiOUY/CUZCF5Rr0EgwEUr4quGZCzxAlQzXWJYR8NTj9LVCtfzbxNJn5EvaqJD/bqfdzen/4+5RLf8HgVYLnRB/FTizeYReWC8R1b1oPByh8RkC0TY99sWcTh3XMSOMLLLwTW+lo6HrIlYtRAEOcbDEto5u5k6IoChG8Nd1LGApbKPYo5qAaomhb1rwZ0ym0b0ZYHTBi7xGSx11QFdY2I+QGSKPRFCPQJXg3gkBm8eqX5yfnF0CYbSFRqsF/0oMJY0kuIVGQx29jV7QAk2R1Xz5d4piRWK0MFe0URRDY1HSCUEQtE67DQPgWRjdO9GcU8Ox6BTHrwIHmUQmFDehgg/fpmpBZEaCaAbzKPIHrdb9/b1uMop1EsxaYtDCluirBlSLWu88F4d0tP8/dgLo8WSFQF9DBXMCtLrmPZuwWYAhLyKU6vvAiRxv9hqFYsApGtsJo8CZxFFm0CSN0HW1AAwbsEBzOEbn4yb6YTg+H7+mSD6c3/x89e4GfRheXw8vb87PxujqGp1cXZ6e35xfXcK3H9Hw8lf0y/nl6WuEHTqTMJx+QHsAZDp0OIFjKK4xxhkS5JIS+thypo4FXfNmsTnDaEZgcfCgR8jHwcIJ6bSGQKBN0bjOwonMiCUV+qU3oMiMDGZU2VE+1vVW8u/ctO5aMkeziBcFxHVBAwZ4RseCIdXDOcqqRqRnsLw/ux5D1zNp+JMJHcWtnE6dmCFurWuHmlro9HIsl9ABbwxSrrFFAlt8P+HVRzA4WCSde9PABDyxFcWBTLzE0T0J7sS3K592EkZwvAojvAAkU2cm8j5AMdlcbrQs/3G6pSJh9kPYkitQHplauQWk+i4QEm5EnyMaJkyzUJMqB81B34ZM7pwFMNKg9fkziMivjKT3phvjUF+yP+h3kBugJ0I99PDQmn37B5Pc3IZmhCJzNkD6q9YhCKKyNAKJoALHbTzsUQ0Togyhse8TYf+JRCqXVOSASQNsRShtBmWaafgq9tq0e0qotv9Sttm3jZ33/2CDHHfq/f8hYJf5v51jF5aPUI/8nXwBFfa/YXSPcvPfOTL6tf1/CPj8WUM2njoeWMV0g95E2sNDo3qTTuthz2alGyoS15xgNwSL1tfv8IqjY1/iCZhuGPhId0iLNpXBsQYFW5SbogSszJYb2wmlOhIVNxBSrJsnkGIZoDUlRPuspWIvHA+YB7YErLp+jV0MBpB+CcSVUpaQxmwQThlCNMeZorkZjgLI/wSL/9zs9I8GzcQ0YeV1sAFQUsMPHC+aouY34f9+E+ZLBtgnoRORYLUJBfQRlyEc7I0QOqv0Gz4+NXfXUAW76H+LbRYWpq+xyV+CjUcCjW7J6D4Tr/URV/l/e0c5/0/nuNfv1vr/ECC0T0aq37OJvZLzynVfxk18B3ukAeKbx7em31jgyLTNyByAJuBu3nJtXc44olII24ISVcqSuZLhinlQos4p+szOrSHJYS2Gt1kuHaDfKZKNvc6i+1qV2n7y75LZDHZ7W54KVch/x2gf5+S/1+/V9t9B4LEEW3CExnkkK9GcxxT5pR6NhN9CXfKgbrkktgWbxdxZMEACcyLQU8eNgDkVS4xWoBJN0f7jx/OLm7PrfzaQAGaN5cA3gxAHSZG3ZmTNc0UU9K8WpjUHu011DC5MD1RG8IqJiLahQNLIL3h1m6cFupbkjxhNRSJggphzPRhlib7mPvfbUxgWmXYTxLjxFMOwPiunTf6jx2NBbGe62no8koIgLrZDmVUpSLvHNg+3C4oGh9SFh/4vrf8R9hbBRx26/JEyMD01ADn8qG8YSv1v/3NL/3tRxXW/bz0fL5NODG07Px7o9laK5u0idiNYFT3Ti24d+/YWEeZIJsHfYzoLT63GatgTdlv/A2x7u/sBd/f/Gced49r/dwjYZ/4TO/Bx7D+jV/D/9fpHndr+OwTk9n9iinV+4mML792OJqJAUmYEbmA0TVaTyE4I9Ye5WJp2+uC7dr+LPidLFg4CEoTJ1zk23Wiu5CNqcS6wHVt3qJ+We0g+Bdi0+XpfGAa5boY6NSscC+swDGNmeIwvz8/E8DyouPi2kXaZHnfhTwhqfNRf6K9eZv/PevsxsXo/crMXOSGYEBpYuvSIfAYCd2+u9EyiHi4tKAwcC7Yyd8NK2lNf3iNRQw0VLbG19HAO7K9pnzsP8D/jYRMlXmZYYI6BQeY4DtHgO6PfTTKmJLiHNmH30MKR1YL+EXfJTPnsDC7MT7eQasVBQDfjBiiMkpm0WMRHN81yCfGVLzNlZFxi2kqWaU9Ml3pxGxyl6rZ9aun842Ef/W9j3yWrBUzHdgtAhf7vdY76Of3fb7dr/X8Q2FH/m74ftpJF4DRhhMwqoG7zoUJ+QfjiBYLGBVHsAWbBT+EAGezb0qG1fgadSYLVBY0GGqAO5ITYZb49ThHbj10oJBaIZIEKeLbi2XQdAAX8zofuYVkDtNI4DmZAdqf/TZr2zjOXpuPSseNEIRStfPh8rSKBdClUgiRl8Bg9nkdEJNMgVXFzbN2F8SI1vzLOmBfsAAf9l34jUOs/mCEembAiNtdYbs2XzGvKj5sAc6q33czwFAYIITkFLDOOyILEXjTmK+XQsui3G3KHgWOmJixNomS6z5V1NWQGM6UhDTEPkvKdrQ6SfmkSJPk8mgfdvQn1mRXQM7m0q+zvYGnob/R2tsIodt0RAd5ZDdD59JJEIxrBCFycrArOElgxDEcBmeCUOli1YHbjAN/MocKcuCADfSWXRvT9hCO1AvWyRPMBanHrJJtDAuDQN+037UxyCDNNpeTnm5uRkuF4TuSY7il2zdUYwyjZwPhHalXYkTvETvIMNS+MLQs6pBBuKLmRs8AkjpKqaafyAptSnpm1ZGZHrE/UUFPQcyQqAmYYRMQi7gC9Ox3tjkmLLL8U283JJmxGCTaQvsCxymlTsVFr0dmSK7pbckVqgapDC0xhvDG2YYrHm3JD6WdI4gCqqhSz4Mow24cFXoCiharH7beOkkMDVHGYL235MSWwvSjFkUERYjD3nGhFQxxhNVDxmK5L7keBswQtMMNnIawLwk+sKhrWnumbE8cFocE5SuyA+NkUjeLN9MC0rzx3dQ2L/o/QUsiCJQcoog5FWWhJ3HiB31Jdl5EFpgtHfH4V5VXgO66MNY6mpPFMcx6x8TizjlHIhiMQmEZYZeJPDYmI2jaR1HRDF3YUkgzeqqKHLbmhU0fGxlMzdqO30PgA9Toqd8HuYpEZVw3d4dUAFVQ0Bc7tJVnl6qVsfP5aZvnBYB/7PzHaHsf/0+4YneL5X23/HwT29f8kJ/Ml/p/tLflaqJ8a9pF/6RHb9k5olfz3jwvy3+kf1/J/CNhX/sVe70n2/XxLfcLdj+ejwg4/13ayWdEEGXLrwE1tsSMo2vzAFzMcZbYhEkNsb8QgdzQFDP95+m4X+d/V7ydhs/wb7d5R/vyv2+3W8n8Q2Nm5tykKqLFdIB+LhVaDDmceCOu13HZyRAUfWLItzccL8eoD1KTbpWYjcwixS8Rg6lYscyT2Mw5HJXhQJJ7QXR9vdIO/sYKOI4FgKwdkxtmoEJTNSp16qc8yW5gl8mJ7uCW3DCCVxYtezPKY0F18m9VRyes9naWHVqJPJqQm48SdRGJhHFsBCI43Kz/ponvxkJZImVIWei631NLrRJv2Ce0du2Sc3ssDbnIUt0AWO193mtR12FzfkS2Z/42soTp1YcQJc8G4ZhhebpZ5Vjfj+92iQpkvuEK3cBAuX7WUuE9RLKY6evPxvrqfZGYYlCwWMPGqQ6dVfR0mLaxpoPFoBlMCtKhUXLTo3fcKGbzgmSiny3IXUEyliOIUnOHTy74ayKyWHokCfvqFeqlU5OoRtlpbT2uOV54V5lsCmynp284NKZW3aCdg15n3aoVXrWqD+9yZytm9FaVyVTtO5t717k1l61e2xtY7jQfgUQZL9fLaBliVK1ljmFTI475nV8B37wGvV0U5kZfPuT9VOPh2bqwUTVXbHr8Gv3tromIlfmLvMfO0VhVmoVp3Ry736Vvin5Mw0hy/Chstdj5ahyQJGdFCz9HENrIKZUVoDWNMPJkTcifiy7XEzPx+w3WRtbUlsXQZVWkTxXhsk6SObt+2wEdDayvR8XOogip0QtpnJVo3M6Ui+yTNhbX7N7AZUPN1cx0u0XYZog8iaw0W7C3VxY+vyRdnw9Oz69uzi7MT+rzH7eXw7dl4NDw5U3z5LNz5R7BTsmcrUwe79jWeZlNFOj8mkYamnkzrvualpPf87fCns/dA7NX17dX7s+sP1+c3BVoHSLyfkN4OapVeF9pkKxaOQjkBkkP4rKvHUtkTyR3ZJe+nyA1PkN1DcVDO84qvXqQ1fkeeMAiNdu7G056Tse6AjI/QuqtgEtRjtMI0VR2XlUwVfcLIA4t2oEydPQQre1jIQMkbO6dxQN9KASvAjukm7JwtpCL57BO2Ynb4mDkGYyZ28axO9IruBs/4OzjZjZSszk7Rqi4s52qhJBwfWN8rZPKnTfJN0ca2uPasVoiIT1wyW/1CaWxmTx/pusDM9UY6AVszS+E4chseKT2y3Ov6oYQ1551f6+W/Z7v5/0BeYAkJYvYM4CS2Z3g7R2Cl/7+Xv/8HH+rzv4OAkNJZhF5QJ0SZU+slMvJXgH22bW4tjQms3NJhOCL2acIePzD2eGzP4X4OvRJfWRhPKjv8xY68P4Pa2En+hU/Ioj6hHY4AKs//j3v587/2cbuW/0OAKtVhYuboNKAS1vTkMGCkugO3l2phZhtyptuNmUsmNIiRrbMyaCvzuqxsCjE2Y++LrcH+1GP3NcAu8h9MTGufh6Cr4v/bvfz7H512/f7rYUDTtMzKzubYjKM5yOC/+HN9eV0gDt6viVsW/LN2fd9l5Q5il24GNHpp6aeAxL44v1/7aEAjF7aqIXE7KWzIMGDpAC9JaQEPRDHPSJzL+a9qoazDtjRNLS5ciNkvaoFSj+amLLUy971mPqfZsMmZiBGh9hjbnzoh/3BPDRr2yU8+xfyGQmHk7S2GXPH+h4WExydp3YFwkTB+991OUrNENF81i8gtAnPueKoEFPEyCzWHzQpwKbW7IZTpzPrlebmgmNwpU/m43lcOYrPJ/tCjf/ZhktRYqwl4BVs8v5t52VMt4DuKtCoZgv9TK6M4DMlWIMx9bU1hBF3nX5LBYC/vRfxjiGHko0S4+ZGwKCWOWAVTJnENsiJz82a/ZKSX2Fj5pGaJ4iY/9QxVxQPKBRcSJqDkqCjzAU5KFLJ+IxP+Abbc6YcWv8cI/BxHTCUIj2HmwRTRJjRJFnJY2btzTporpoDt4pytxEE8KKGHps9krHTaaM1qVPS6EA3b38QAgCOC3ZgLvZbF+ZTnkX/R6vUDH/I/bBGDJoTfWw7BBgqhVHF5raAHdrG/gfizlTITlieO4R9n0/3UJkoNfyDsYv/vGvcroWr/f2zk/X+do079/t9BYOvg3q8/7m9TWPF2cXtKpLFffbqXO1veHIC85TnhzvO/h/wLa2d7NVDp/+sZef+fUfv/DgOb5F9aEU/qxH/qAfrKYRf5X/rmXr8DVyH/Rve4+P5X/f7nYSB3Sk+nWARt5Y78msV9mzj/6zSF2ngvdm0jYg+TXdv2T4hC21tqELlilxAvrQU1sDebxq0KJQyHb4J5svJiAI9h/vbVtw0RueF4Q3r5HCuxwexOO5CZ/CRTcz0teopAh3r0h5ZkteaGLuSrKREZ8u78HgTwqvvQIGrmH32X1koS6FV2sYSmFy6XVAVtQAHuvFKnj6fwOA3FNKKkq4X1tNyf5UD2wFCt/3nw0Jf8AGiF/u8a3cLvv/T6vVr/HwL4bQqmJOVPPAwQjuVrOgl7AFNQV1P6S1Opc7dVuAvBfq2K2QxUvP11r+001KAL+gJJ8QWl9M5Sv/0NrSDdhOjzQwOknVIu1qsk/q9M3ReVN1Pd/eQ1EqlLj3rsHZLNGqdJl7dmo6EE7NJC6plSssqokdf8FplyKrKmlMFL8YOnDZiyR04bCvJjoQ0FSk+ZNpQXHuRNJehIre+e2EtuQIAQjzSH4TY6x3ob/jGacmnJh4snk6/c2tg0cOvuQ8iIhEYx6HqA/vHPRi6EmqXl3BgJiueoLOaRvmb5HMnfJRiwzzLc0TfjkIeBMwuE5cFQMbzXinzOnGgeT3SLLFppDKb6ceKSSWthUkdGaxI7rt1iqFunxAI+YG+wcNyq1EuRJ2Tm4tv0fhavq5kL+6gnqjEBb3b1dlMkJL/Za+iGoX/6c/fKKPSq+d/f0551eIau641GxgszSDmau2t6va5IkoHeBn3VsNHI3vkaKOqKXvsayBPAxvPnUDtiEslCYMR1wdcI6zMdhfL+4WQFxbCtpdcDoWZDFKbYAQ/Xj8mFQ1mXZSbqU95oFILUkM+nFfRr8ttQvM9SoSYaDfFF4KnXtRpqqKGGGmqooYYaaqihhhpqqKGGGmqooYYaaqihhhpqqKGGGmqooYa/Cvwba0rrOwCgAAA=
+  chart: H4sIAAAAAAAAA+09+3PbNtL9WX8FRvk6TXIhJcqSnfKmd59qu62nia2xnGQ6l/s8FAlJrCmCHx9ydGn+91u8SPAhUVIc+Zrj9mEJj8UC2F0sFgtoZoUO9nGo4Q8x9iOX+FoQkqXrQJJHbMvrfPPZ0AU4GQzYX4DiX/bZOOobvUHv+JimG8e9k/43aPD5TddDEsVWiNA3ISHxpnJ1+X9SmNXO/+ncCmN9ZS28fdugE3zc76+d/96gMP+9bs84/gZ1H7Kj6+C/fP6twH2LQzrvJloaLSsIlK/60fd6V3PwsuXgyA7dIGYZQ/QL9hbIpoyBpiRE8RyjnwUjoVeUa9BIMBFK+arlWwtsolqGay2rCHjscfpaoV7+HWLrM/I5bdTI/1Gve1TQ/ydHx438HwQ6HXRKglXozuYxemo/Q1T3ovFwhMbnCETb8tkXazp1PdeKMbLJIrD8lY6GnodYtQiFOMLhEjs6upm7EYKiGMFfz7WBpbCDEp9qAqolhoFlw58xmcb3VojRK17kBVrqqAe6wsZBjKwI+SSGegSqhPduBNh8Vv3Vxen5JRBGW2h1OvCvxFDRSIpbaDTU07voKS3QFlntZ3+lKFYkQQtrRRtFCTQWp50QBEHrtNswAL6N0b0bzzk1HItOcfwmcJBJbEFxCyoE8G2qFkRWLIhmMI/jwOx07u/vdYtRrJNw1hGDFnVEXzWgWtR643s4oqP9/4kbQo8nKwT6GipYE6DVs+7ZhM1CDHkxoVTfh27s+rMXKBIDTtE4bhSH7iSJc4MmaYSuqwVg2IAF2sMxuhi30Y/D8cX4BUXy7uLml6s3N+jd8Pp6eHlzcT5GV9fo9Ory7OLm4uoSvv2Ehpe/oV8vLs9eIOzSmYThDELaAyDTpcMJHENxjTHOkSCXlCjAtjt1beiaP0usGUYzAouDDz1CAQ4XbkSnNQICHYrGcxdubMUsqdQvvQVFZsScUWVH+VjXO+m/c8u+68gczSZ+HBLPAw0Y4hkdC4ZUj+YorxqRnsPy9vx6DF3PpeEPFnQUdwo6dWJFuLOuHWpqobPLsVxCTd4YpFxjm4SO+H7Kq49gcLBIuvCnoQV4EjtOQpl4ieN7Et6Jb1cB7SSM4HgVxXgBSKbuTOS9g2KyucJo2cHDdEtFwuyHqCNXoCIytXIHSA08ICTaiL5ANEyYZqM2VQ6ai76LmNy5C2Aks/PxI4jIb4ykt5aX4Ehfsj/oD5AboCdGffTpU2f23Rcmub0NzQjF1sxE+vPOIQiisjQCiaACx2087FMNE6EcoUkQEGH/iUQql1TkgElDbMcoawblmmkFKvbGtHtMqLf/MrbZt42d9/9gg5z0mv3/IWCX+b+dYw+Wj0iPg518ATX2v2EcHRfmv3dsDBr7/xDw8aOGHDx1fbCK6Qa9jbRPn1r1m3RaD/sOK91SkXjWBHsRWLSBfodXHB37kkzAdMPAR7pLOrSpHI41KNii3BYlYGW2vcRJKdWRqLiBkHLdIoEUi4nWlBDts5bKvXB9YB7YErDq+jX2MBhA+iUQV0lZShqzQThlCNEcd4rmVjQKIf8DLP5zqzc4NtupacLK62ADoLRGELp+PEXtb6P//TYqlgxxQCI3JuFqEwroI65CaO6NEDqr9Bs+PjZ3N1AHu+h/m20WFlagsclfgo1HQo1uyeg+E6/1Edf5f/vHBf9P76Q/OGr0/yFAaJ+cVL9lE3sl55Xrvpyb+A72SCbim8fXVtBa4NhyrNgyQRNwN2+1tq5mHFEpgm1BhSplyVzJcMVsVqhzij63c2tJcliL0W2eS030B0Wysdd5dF+rUttP/j0ym8Fub8tToRr57xndk4L89wf9xv47CDyUYAuO0DiP5CWa85giv9SjkfJbpEse1G2PJI5gs4Q7C0wkMKcCPXW9GJhTscRoBSrRFO0/frp4dXN+/c8WEsCssQIEVhjhMC3y2orteaGIgv75wrLnYLepjsGF5YPKCJ8zEdE2FEgb+RWvbou0QNfS/BGjqUwETBBzroejPNHX3Od+ewbDItNuwgS3HmMY1mcVtMl/9HgsiONOV1uPR1oQxMVxKbMqBWn32ObhdkHR4Ii68ND/ZfXfw94ifK9Dl99TBqanBiCH7/UNQ6n/5e+39L+ndVz3x9bz8SztxNBxiuOBbm+laN4uEi+GVdG3/PjWdW5vEWGOZBL+NaGz8NhqrIE9Ybf1P8SOv7sfcHf/n3HSO2n8f4eAfeY/tQMfxv4z+iX/X39w3Gvsv0NAYf8npljnJz6O8N7taCIKJFVG4AZG02Q1ieyUUH+Yh6Vpp5vfdwdH6GO6ZOEwJGGUfp1jy4vnSj6iFucCO4l9hwZZuU/ppxBbDl/vS8Mg181Ip2aFa2MdhmHMDI/x5cW5GJ5PKi6+baRdpsdd+AOCGu/1p/rzZ/n/s96+T63e99zsRW4EJoQGli49Ip+BwN1bKz2XqEdLGwoDx4KtzN2wkvbMl/dA1FBDRUttLT2aA/tr2sfeJ/if8WkTJX5uWGCOgUHmOImQ+b0xOEozpiS8hzZh99DBsd2B/hFvyUz5/AwurA+3kGonYUg34wYojIqZtFnEx1GW5RESKF9mysh4xHKULMuZWB714rY4StVt+9jS+eVhH/3v4MAjqwVMx3YLQI3+7/eOBwX9P+h2G/1/ENhR/1tBEHXSReAsZYTcKqBu86FCcUH47AWCxgVR7CFmwU+RiQz2benSWr+AziTh6hWNBjJRD3Ii7DHfHqeI7cdeKSSWiGSBCni24tl0HQAF/CaA7mFZA7TSOAlnQHZv8G2W9sa3lpbr0bHjRCEUrwL4fK0igXQpVIIkZfAYPb5PRCSTmam4ObbvomSRmV85Z8xTdoCD/ke/Eaj1H60IjyxYEdtrLLf2M+Y15cdNgDnT215ueEoDhJCcApaZxGRBEj8e85VyaNv02w25w8AxUwuWJlEy2+fKuhqywpnSkIaYB0n5zlYHSb80CdJ8Hs2D7l5G+swO6Zlc1lX211wa+ku9m68wSjxvRIB3Via6mF6SeEQjGIGL01XBXQIrRtEoJBOcUQerFsxuEuKbOVSYEw9kYKDk0oi+n3GsVqBelnhuog63TvI5JAQOfdl92c0lRzDTVEp+ubkZKRmu78au5Z1hz1qNMYySA4x/rFaFHblLnDTPUPOixLahQwrhhpIbuwtMkjitmnWqKLAZ5blZS2d2xPpEDTUFPUeiImCGQUxs4pnozdlod0xabAeV2G5ON2EzKrCB9IWuXU2bio1ai+6WXHG0JVdkFqg6tMAUxktjG6Z4uCk3lH5GJAmhqkoxC66M8n1Y4AUoWqh60n3tKjk0QBVHxdJ2kFACu4tKHDkUEQZzz41XNMQRVgMVj+V55H4UukvQAjN8HsG6IPzEqqJh7VmBNXE9EBpcoMQJSZBP0SjeXA8s58r3Vtew6P8ELUUsWNJEMXUoykJL4iUL/JrqupwsMF044vOrKK8S33FlrHE0FY3nmvOJg8e5dYxCPhyBwDTCKpN8aElE1LaJpaYberCjkGTwVhU9bMsNnToyDp5aiRe/hsZN1O+p3AW7i0VuXDV0h1cmKqloCpzbK7Kq1UvV+Px3meUHg33s/9Roexj/T7dn9Mrnf439fxDY1/+TnsxX+H+2t+QboX5s2Ef+pUds2zuhdfI/OCnJf29w0sj/IWBf+Rd7vUfZ9/Mt9Sl3P16MSjv8QtvpZkUTZMitAze1xY6gbPMDX8xwnNuGSAyJsxGD3NGUMPzn6btd5H9Xv5+EzfJvdI8HRfk/OmrW/8PAzs69TVFAre0C+VgstBp0OPNBWK/ltpMjKvnA0m1pMV6IVzdRm26X2q3cIcQuEYOZW7HKkTjIORyV4EGReEp3fbzRDf7GGjqOBYKtHJA5Z6NCUD4rc+plPst8YZbIi+3hltwygFQWL3sxq2NCd/Ft1kclr/d0Vh5aiT5ZkJqOE3cSiYVxbIcgOP6s+qSL7sUjWiJjSlnoidxSS68TbTogtHfsknF2Lw+4yVXcAnnsfN1pU9dhe31HtmT+l7KG6tSFESfMBeNZUXS5WeZZ3Zzvd4sKVb7gGt3CQbh81VLiPkW5mOroLcb76kGamWNQsljAxKsOnU79dZissKaBxqMZTAnQolJx0aJ3Pyhk8ILnopwuy72CYipFFKfgjIBe9tVAZrXsSBTw0y/US6UiV4+w1dp6VnO88u2o2BLYTGnfdm5IqbxFOyG7zrxXK7xqXRvc585Uzu6tKJXr2nFz9653bypfv7Y1tt5pPACPMliml9c2wKpcyRrDtEIR9z27Ar57D3i9OsqJvHzO/anCwbdzY5Vo6tr2+TX43VsTFWvxE2ePmae16jAL1bo7crlP3xL/nESx5gZ12Gixi9E6JGnIiBb5ria2kXUoa0JrGGPiyZyQOxFfrqVm5g8brousrS2JpcuoSpsoxmObJHV0+7YFPhpaW4uOn0OVVKEb0T4r0bq5KRXZp1kurN2/g82A2i/a63CJtqsQvRNZa7AUDLrU2BbPMhUbTNdGka82uKluhdmF/aW67HJr4NX58Oz8+vb81fkpfVjk9nL4+nw8Gp6eK6cILND6J7CQ8qc6Uxd7zjWe5lNFOj+gkSaunjLUvoatpPfi9fDn87dA7NX17dXb8+t31xc3JVpNJF5uyO4ldSovKm0artIhLCdA8ibnN/VALH8WuiOjFj0kheEJ87s3DspJYvm9jazGH8gXpqjRLdy12nMy1h3N8RFadwlNgnqAV5qmuoO6iqmijyf5YEubytQ5Q7Dvh6UMlL7uc5aE9JUWsD+chG7/LtgSLpLPP2A7YceeuQM4ZtyXTwlFr+g+9Jy/wJPfwsnq7Pyu7qp0oRZKLwIA6/ulTP6oSrEp2tgWF67VCjEJiEdmq18pje38uSddkdhGoZVNwNbMUjoI3YZHKg9L97r4KGHNSesXv3a4i/8PuBaWkDBhzwBOEmeGt3ME1vr/+8X7f/Ch8f8dBISszGL0lDohqpxaz5BRvAIcsG1zZ2lMYP2UDsMRcc5S9viRscdDew73c+hV+MqiZFLb4c925P0Z7gzvJP/CJ2RTn9AORwC15/8n/eL5X/ek28j/IUCV6ig1NnQaUAkra3oYMFLdgdtLtTB2DTnT3dbMIxMaxMhWOxm0lXtdVjaFGJux98XWYH/ssfsaYBf5DyeWvc9D0HXx/91+8f2PXrd5//UwoGlabmVnc2wl8Rxk8F/8ub6iLhAH79fEqwr+Wbu+77Jyh4lHTXKNXlr6OSRJIM7v1z4a0CqErWpI3E6KWjIMWDrAK1I6wANxwjNS53Lxq1oo77CtTFOLCxdi/otaoNKjuSlLrcx9r7nPWTZsNSZiRKg9xnaJbsQ/3FODhn0K0k8Jv6FQGnlniyFXvP9RKeHhSVp3IFwmjN99d9LUPBHt5+0ycpvAnLu+KgFlvMxCLWCzQ1xJ7W4IZTqzfnleISimcMpUPa73tYPYbrM/9OiffZikNdZqAl7BEc/v5l72VAsEriKtSobg/8zKKA9DuhWICl87UxhBz/2XZDDYUfsx/xhhGPk4FW5+JCxKiSNWwZRpXIOsyNy8+S856YU9ufJJzRLFLX7qGamKB5QLLiVMQMlRUeYDnJYoZf1OJvwDbLmzDx1+jxH4OYmZShB+u9yDKaJNaJIs5LCyd+fcLFdMAdvFuVuJg3hQQo+sgMlY5bTRmvWo6HUhGra/iQEARwy7MQ96LYvzKS8i/6zV60c+5F9sEYMmhPdZDsEGCqFUeXmtoQd2sb+D+LOVMheWJ47hH2bT/dgmSgNfEHax/3eN+5VQt/8/MYr+v95xr3n/7yCwdXDv1x/3tymseLu4PSXSOKg/YyucLW8OQN7ytG7n+d9D/oW1s70aqPX/9Y2i/89o/H+HgU3yL62IR3XiP/YAfeWwi/wvA2uv34GrkX/j6KT8/lfz/udhoHBWTqdYBG0Vjvza5X2bOP/rtYXaeCt2bSPiDNNd2/ZPiELbW2oQuWJXEC+tBTWwN5/GrQolGIZvgnmy8mIAj2H+7vl3LRE/4fpDevkcK7HB7E47kJn+JFN7PS16hkCHevSHlmS19oYuFKspcRHy7vweBPCq+9AgahYffZfWShpuVXWxhKaXLpfUhU5AAe68UqePp/BoCcU0oqSrhfWs3J/lQPbAUK//eQjP5/wAaI3+PzL6xff/2JPwjf4/APDbFExJyp94MBFO5Gs6KXsAU1BXU/ZLU5lzt1O6C8F+rYrZDFS8g3Wv7bTUoAv6Akn5BaXsztKg+y2tIN2E6OOnFkg7pVysV2kUXpW6LytvproH6WskUpce99k7JJs1Tpsub+1WSwnYpYXUM6V0lVEjr/ktMuVUZE0pg5fiB08bMOWPnDYU5MdCGwpUnjJtKC88yJtK0JFa3z2xl9yAACEeaQ7DbfRO9C78Y7Tl0lIMF08nX7m1sWng1t2HkBEJrXLQtYn+8c9WIYSapRXcGCmKJ6gq8pC+ZvkEyd8lMNlnGXQYWEnEw8CZBcLyYKgY3mtFPmduPE8muk0WnSwSUv048ciks7CoI6MzSVzP6TDUnTNiAx+wN1g4blXqpcgTMvPwbXY/i9fVrIVz3BfVmIC3j/RuWySkv9lr6Iahf/hz98oo9ar9tx9oz3o8Q9f1VivnhTEzjubumn7/SCTJcGuDvmrYauXvfJmKuqLXvkx5Ath68gRqx0wiWQiMuC74AmF9pqNI3j+crKAYdrTseiDUbInCFDvg4foxvXAo67LMVH3KG41CkFry+bSSfk1/G8psqQPUZt2V6jXVb4gvCY+9yjXQQAMNNNBAAw000EADDTTQQAMNNNBAAw000EADDTTQQAMNNNBAAw18vfBvu4QpbgCgAAA=
   values:
 {{ toYaml .Values.values | indent 4 }}
 

cmd/gardener-extension-provider-local/app/app.go

@@ -77,6 +77,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 			WebhookServerPort:          443,
 			WebhookCertDir:             "/tmp/gardener-extensions-cert",
 		}
+		generalOpts = &controllercmd.GeneralOptions{}
 
 		// options for the health care controller
 		healthCheckCtrlOpts = &controllercmd.ControllerOptions{
@@ -147,6 +148,7 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 		aggOption = controllercmd.NewOptionAggregator(
 			restOpts,
 			mgrOpts,
+			generalOpts,
 			controllercmd.PrefixOption("controlplane-", controlPlaneCtrlOpts),
 			controllercmd.PrefixOption("dnsprovider-", dnsProviderCtrlOpts),
 			controllercmd.PrefixOption("dnsrecord-", dnsRecordCtrlOpts),
@@ -201,6 +203,18 @@ func NewControllerManagerCommand(ctx context.Context) *cobra.Command {
 			// add common meta types to schema for controller-runtime to use v1.ListOptions
 			metav1.AddToGroupVersion(scheme, machinev1alpha1.SchemeGroupVersion)
 
+			useTokenRequestor, err := controller.UseTokenRequestor(generalOpts.Completed().GardenerVersion)
+			if err != nil {
+				controllercmd.LogErrAndExit(err, "Could not determine whether token requestor should be used")
+			}
+			localworker.DefaultAddOptions.UseTokenRequestor = useTokenRequestor
+
+			useProjectedTokenMount, err := controller.UseServiceAccountTokenVolumeProjection(generalOpts.Completed().GardenerVersion)
+			if err != nil {
+				controllercmd.LogErrAndExit(err, "Could not determine whether service account token volume projection should be used")
+			}
+			localworker.DefaultAddOptions.UseProjectedTokenMount = useProjectedTokenMount
+
 			controlPlaneCtrlOpts.Completed().Apply(&localcontrolplane.DefaultAddOptions.Controller)
 			dnsProviderCtrlOpts.Completed().Apply(&localdnsprovider.DefaultAddOptions.Controller)
 			dnsRecordCtrlOpts.Completed().Apply(&localdnsrecord.DefaultAddOptions.Controller)