Use host.docker.internal in local-garden #2641

Merged (1 commit, Aug 3, 2020)

Conversation

timebertt
Member

@timebertt timebertt commented Jul 31, 2020

How to categorize this PR?

/area dev-productivity
/kind enhancement
/priority normal

What this PR does / why we need it:
This PR replaces docker.for.mac.localhost by host.docker.internal in our scripts for spinning up the local nodeless garden.
This way, connection from the docker VM to the host is unified for Mac and Windows users.
It also adds host.docker.internal to the local garden API server cert, so you can talk to it from within a docker container without TLS verification errors.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

The `local-garden`'s kube-apiserver cert has been updated to include `host.docker.internal` as an alternative DNS name, so clients running in docker containers can successfully validate the TLS cert when talking to the local garden. If you have copied the `local-garden` kubeconfig to somewhere else, please update your copy with the newly generated one.

@timebertt timebertt requested a review from a team as a code owner July 31, 2020 11:16
@gardener-robot gardener-robot added area/dev-productivity Developer productivity related (how to improve development) kind/enhancement Enhancement, improvement, extension priority/normal labels Jul 31, 2020
@gardener-robot

@timebertt Thank you for your contribution.

@gardener-robot-ci-2
Contributor

Thank you @timebertt for your contribution. I will start a build for your PR. Once started, the build URL will be posted here.

@gardener-robot-ci-2
Contributor

A build of this pull request has started. You can check on its progress here: https://concourse.ci.gardener.cloud/teams/gardener/pipelines/gardener-master/jobs/master-pull-request-job/builds/166

@gardener-robot-ci-1
Contributor

A build of this pull request has started. You can check on its progress here: https://concourse.ci.gardener.cloud/teams/gardener/pipelines/gardener-master/jobs/master-pull-request-job/builds/167

@timuthy
Contributor

timuthy commented Jul 31, 2020

What about host.docker.internal? 👀

@timebertt
Member Author

> What about host.docker.internal? 👀

Well, good idea. host.docker.internal is available both on Windows and Mac, right?

@timuthy
Contributor

timuthy commented Jul 31, 2020

> What about host.docker.internal? 👀
>
> Well, good idea. host.docker.internal is available both on Windows and Mac, right?

It was already advertised by 17.12.0 as the release notes say. So we can probably completely drop docker.for.mac.localhost.
/cc @rfranzke

@timebertt
Member Author

Nice suggestion.
I've updated the PR to basically replace docker.for.mac.localhost with host.docker.internal.
/title Use host.docker.internal in local-garden

/invite @guydaichs @vpnachev
Can you check that the local-garden still works as expected on Windows and Linux?

@gardener-robot gardener-robot changed the title Add docker.for.mac.localhost to local garden certs use host.docker.internal in local-garden Jul 31, 2020
@timebertt timebertt changed the title use host.docker.internal in local-garden Use host.docker.internal in local-garden Jul 31, 2020
@timebertt timebertt requested a review from timuthy July 31, 2020 13:49
@vpnachev
Member

I can confirm that local-garden is working fine for me (on ubuntu 18.04) with and without this change.
But I would like to mention that I cannot resolve host.docker.internal from within containers because this feature is simply available only on Docker for Windows/Mac - ref: docker/for-linux#264.

/lgtm

Member

@rfranzke rfranzke left a comment


When I run make start-apiserver after I ran make local-garden-up, then I get the following error:

$ make start-apiserver
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes-ca")
Found Nodeless Kubernetes ...
I0803 07:23:46.788772   92804 plugins.go:84] Registered admission plugin "ResourceReferenceManager"
I0803 07:23:46.788858   92804 plugins.go:84] Registered admission plugin "DeletionConfirmation"
I0803 07:23:46.788862   92804 plugins.go:84] Registered admission plugin "ExtensionValidator"
I0803 07:23:46.788865   92804 plugins.go:84] Registered admission plugin "ShootTolerationRestriction"
I0803 07:23:46.788870   92804 plugins.go:84] Registered admission plugin "ShootQuotaValidator"
I0803 07:23:46.788875   92804 plugins.go:84] Registered admission plugin "ShootDNS"
I0803 07:23:46.788879   92804 plugins.go:84] Registered admission plugin "ShootValidator"
I0803 07:23:46.788882   92804 plugins.go:84] Registered admission plugin "ControllerRegistrationResources"
I0803 07:23:46.788885   92804 plugins.go:84] Registered admission plugin "PlantValidator"
I0803 07:23:46.788889   92804 plugins.go:84] Registered admission plugin "OpenIDConnectPreset"
I0803 07:23:46.788893   92804 plugins.go:84] Registered admission plugin "ClusterOpenIDConnectPreset"
I0803 07:23:46.788915   92804 plugins.go:84] Registered admission plugin "ShootStateDeletionValidator"
I0803 07:23:46.788922   92804 plugins.go:84] Registered admission plugin "CustomVerbAuthorizer"
W0803 07:23:47.093386   92804 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::client-ca-file" due to: configmap "extension-apiserver-authentication" not found
W0803 07:23:47.093422   92804 configmap_cafile_content.go:102] unable to load initial CA bundle for: "client-ca::kube-system::extension-apiserver-authentication::requestheader-client-ca-file" due to: configmap "extension-apiserver-authentication" not found
Error: unable to load configmap based request-header-client-ca-file: Get "https://localhost:2443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes-ca")
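The two failure modes in this thread are a cert whose SANs do not include `host.docker.internal` (hostname mismatch) and a kubeconfig that still carries the old CA (the "certificate signed by unknown authority" error above). The Go example below is added here and is not code from the PR or from Gardener: it issues constructed certificates with crypto/x509 and verifies them the way a Kubernetes client verifies the apiserver. The function names (Issue, Verify), the constructed CA name and the SAN lists are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Issue creates a constructed cert for cn carrying the given DNS SANs (test material only;
// the real local-garden ships its own CA and apiserver key pair). With a nil issuer it is a
// self-signed CA standing in for "kubernetes-ca"; otherwise it is a server cert signed by issuer.
func Issue(cn string, sans []string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	parent, parentKey := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parent, parentKey = issuer, issuerKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Verify does what a kube client does with the CA from its kubeconfig: chain the apiserver
// cert to that root, then match the dialled host against the cert's SANs (CN is not used).
func Verify(server, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

A stale CA fails before the hostname is even checked, which is why refreshing the copied kubeconfig (as the release note says) is the fix for the error above, while a missing SAN shows up as a hostname error only for clients dialling `host.docker.internal`.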

Member

@rfranzke rfranzke left a comment


Turns out that I had to update my local ~/.kube.config file to the new default admin kubeconfig. Thanks for the pointers! With it, it works as expected!

/lgtm

@rfranzke rfranzke merged commit 2eec97f into gardener:master Aug 3, 2020
Contributor

@guydc guydc left a comment


Works in my WSL2 env as well.

@rfranzke
Member

rfranzke commented Aug 3, 2020

Thanks @guydaichs for your feedback!

@timebertt timebertt deleted the enh/local-garden branch August 3, 2020 08:50
@timebertt
Member Author

Added a release note for action developer to make developers aware that they need to refresh copies of the local-garden kubeconfig.

@gardener-robot gardener-robot added priority/3 Priority (lower number equals higher priority) and removed priority/3 Priority (lower number equals higher priority) labels Mar 8, 2021