[GEP-26] Move CredentialsBinding to security.gardener.cloud group

charts/gardener/controlplane/charts/application/templates/apiservice-v1alpha1-authentication-gardener-cloud.yaml → charts/gardener/controlplane/charts/application/templates/apiservice-v1alpha1-security-gardener-cloud.yaml

@@ -2,7 +2,7 @@
 apiVersion: apiregistration.k8s.io/v1
 kind: APIService
 metadata:
-  name: v1alpha1.authentication.gardener.cloud
+  name: v1alpha1.security.gardener.cloud
   labels:
     app: gardener
     role: apiserver
@@ -14,7 +14,7 @@ spec:
   {{- if not .Values.global.apiserver.insecureSkipTLSVerify }}
   caBundle: {{ required ".Values.global.apiserver.caBundle is required" (b64enc .Values.global.apiserver.caBundle) }}
   {{- end }}
-  group: authentication.gardener.cloud
+  group: security.gardener.cloud
   version: v1alpha1
   groupPriorityMinimum: 10
   versionPriority: 10

cmd/gardener-apiserver/app/gardener_apiserver.go

@@ -39,22 +39,22 @@ import (
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 
 	"github.com/gardener/gardener/pkg/api"
-	authenticationv1alpha1 "github.com/gardener/gardener/pkg/apis/authentication/v1alpha1"
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
 	v1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	"github.com/gardener/gardener/pkg/apis/operations"
 	operationsv1alpha1 "github.com/gardener/gardener/pkg/apis/operations/v1alpha1"
+	securityv1alpha1 "github.com/gardener/gardener/pkg/apis/security/v1alpha1"
 	seedmanagementv1alpha1 "github.com/gardener/gardener/pkg/apis/seedmanagement/v1alpha1"
 	settingsv1alpha1 "github.com/gardener/gardener/pkg/apis/settings/v1alpha1"
 	"github.com/gardener/gardener/pkg/apiserver"
 	admissioninitializer "github.com/gardener/gardener/pkg/apiserver/admission/initializer"
 	"github.com/gardener/gardener/pkg/apiserver/openapi"
 	"github.com/gardener/gardener/pkg/apiserver/storage"
-	authenticationclientset "github.com/gardener/gardener/pkg/client/authentication/clientset/versioned"
-	authenticationinformers "github.com/gardener/gardener/pkg/client/authentication/informers/externalversions"
 	gardencoreclientset "github.com/gardener/gardener/pkg/client/core/clientset/versioned"
 	gardencoreinformers "github.com/gardener/gardener/pkg/client/core/informers/externalversions"
 	kubernetesclient "github.com/gardener/gardener/pkg/client/kubernetes"
+	securityclientset "github.com/gardener/gardener/pkg/client/security/clientset/versioned"
+	securityinformers "github.com/gardener/gardener/pkg/client/security/informers/externalversions"
 	seedmanagementclientset "github.com/gardener/gardener/pkg/client/seedmanagement/clientset/versioned"
 	seedmanagementinformers "github.com/gardener/gardener/pkg/client/seedmanagement/informers/externalversions"
 	settingsclientset "github.com/gardener/gardener/pkg/client/settings/clientset/versioned"
@@ -109,7 +109,7 @@ type Options struct {
 	KubeInformerFactory           kubeinformers.SharedInformerFactory
 	SeedManagementInformerFactory seedmanagementinformers.SharedInformerFactory
 	SettingsInformerFactory       settingsinformers.SharedInformerFactory
-	AuthenticationInformerFactory authenticationinformers.SharedInformerFactory
+	SecurityInformerFactory       securityinformers.SharedInformerFactory
 
 	Logs *logsv1.LoggingConfiguration
 }
@@ -123,7 +123,7 @@ func NewOptions() *Options {
 				seedmanagementv1alpha1.SchemeGroupVersion,
 				settingsv1alpha1.SchemeGroupVersion,
 				operationsv1alpha1.SchemeGroupVersion,
-				authenticationv1alpha1.SchemeGroupVersion,
+				securityv1alpha1.SchemeGroupVersion,
 			),
 		),
 		ServerRunOptions: genericoptions.NewServerRunOptions(),
@@ -212,12 +212,12 @@ func (o *Options) config(kubeAPIServerConfig *rest.Config, kubeClient *kubernete
 	}
 	o.SettingsInformerFactory = settingsinformers.NewSharedInformerFactory(settingsClient, protobufLoopbackConfig.Timeout)
 
-	// authentication client
-	authenticationClient, err := authenticationclientset.NewForConfig(&protobufLoopbackConfig)
+	// security client
+	securityClient, err := securityclientset.NewForConfig(&protobufLoopbackConfig)
 	if err != nil {
 		return nil, err
 	}
-	o.AuthenticationInformerFactory = authenticationinformers.NewSharedInformerFactory(authenticationClient, protobufLoopbackConfig.Timeout)
+	o.SecurityInformerFactory = securityinformers.NewSharedInformerFactory(securityClient, protobufLoopbackConfig.Timeout)
 
 	// dynamic client
 	dynamicClient, err := dynamic.NewForConfig(kubeAPIServerConfig)
@@ -234,8 +234,8 @@ func (o *Options) config(kubeAPIServerConfig *rest.Config, kubeClient *kubernete
 				o.SeedManagementInformerFactory,
 				seedManagementClient,
 				o.SettingsInformerFactory,
-				o.AuthenticationInformerFactory,
-				authenticationClient,
+				o.SecurityInformerFactory,
+				securityClient,
 				o.KubeInformerFactory,
 				kubeClient,
 				dynamicClient,
@@ -310,7 +310,7 @@ func (o *Options) Run(ctx context.Context) error {
 		o.CoreInformerFactory.Start(context.StopCh)
 		o.KubeInformerFactory.Start(context.StopCh)
 		o.SeedManagementInformerFactory.Start(context.StopCh)
-		o.AuthenticationInformerFactory.Start(context.StopCh)
+		o.SecurityInformerFactory.Start(context.StopCh)
 		o.SettingsInformerFactory.Start(context.StopCh)
 		return nil
 	}); err != nil {
@@ -422,7 +422,8 @@ func (o *Options) ApplyTo(config *apiserver.Config, kubeClient kubernetes.Interf
 		seedmanagementv1alpha1.SchemeGroupVersion,
 		settingsv1alpha1.SchemeGroupVersion,
 		operationsv1alpha1.SchemeGroupVersion,
-		authenticationv1alpha1.SchemeGroupVersion,
+		securityv1alpha1.SchemeGroupVersion,
+		// Note: "authentication.gardener.cloud/v1alpha1" API is already used for CRD registration and must not be served by the API server.
 	)
 
 	mergedResourceConfig, err := resourceconfig.MergeAPIResourceConfigs(resourceConfig, nil, api.Scheme)

docs/README.md

@@ -79,6 +79,7 @@
 * [`extensions.gardener.cloud` API Group](api-reference/extensions.md)
 * [`operations.gardener.cloud` API Group](api-reference/operations.md)
 * [`resources.gardener.cloud` API Group](api-reference/resources.md)
+* [`security.gardener.cloid` API Group](api-reference/security.md)
 * [`seedmanagement.gardener.cloud` API Group](api-reference/seedmanagement.md)
 * [`settings.gardener.cloud` API Group](api-reference/settings.md)
 

docs/api-reference/README.md

@@ -5,5 +5,6 @@
 * [`extensions.gardener.cloud` API Group](extensions.md)
 * [`operations.gardener.cloud` API Group](operations.md)
 * [`resources.gardener.cloud` API Group](resources.md)
+* [`security.gardener.cloid` API Group](security.md)
 * [`seedmanagement.gardener.cloud` API Group](seedmanagement.md)
 * [`settings.gardener.cloud` API Group](settings.md)

docs/api-reference/authentication.md

@@ -6,103 +6,11 @@
 </ul>
 <h2 id="authentication.gardener.cloud/v1alpha1">authentication.gardener.cloud/v1alpha1</h2>
 <p>
-<p>Package v1alpha1 is a version of the API.</p>
+<p>Package v1alpha1 is a version of the API.
+&ldquo;authentication.gardener.cloud/v1alpha1&rdquo; API is already used for CRD registration and must not be served by the API server.</p>
 </p>
 Resource Types:
-<ul><li>
-<a href="#authentication.gardener.cloud/v1alpha1.CredentialsBinding">CredentialsBinding</a>
-</li></ul>
-<h3 id="authentication.gardener.cloud/v1alpha1.CredentialsBinding">CredentialsBinding
-</h3>
-<p>
-<p>CredentialsBinding represents a binding to credentials in the same or another namespace.</p>
-</p>
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>apiVersion</code></br>
-string</td>
-<td>
-<code>
-authentication.gardener.cloud/v1alpha1
-</code>
-</td>
-</tr>
-<tr>
-<td>
-<code>kind</code></br>
-string
-</td>
-<td><code>CredentialsBinding</code></td>
-</tr>
-<tr>
-<td>
-<code>metadata</code></br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta">
-Kubernetes meta/v1.ObjectMeta
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Standard object metadata.</p>
-Refer to the Kubernetes API documentation for the fields of the
-<code>metadata</code> field.
-</td>
-</tr>
-<tr>
-<td>
-<code>provider</code></br>
-<em>
-<a href="#authentication.gardener.cloud/v1alpha1.CredentialsBindingProvider">
-CredentialsBindingProvider
-</a>
-</em>
-</td>
-<td>
-<p>Provider defines the provider type of the CredentialsBinding.
-This field is immutable.</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>credentialsRef</code></br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectreference-v1-core">
-Kubernetes core/v1.ObjectReference
-</a>
-</em>
-</td>
-<td>
-<p>CredentialsRef is a reference to a resource holding the credentials.
-Accepted resources are core/v1.Secret and authentication.gardener.cloud/v1alpha1.WorkloadIdentity</p>
-</td>
-</tr>
-<tr>
-<td>
-<code>quotas</code></br>
-<em>
-<a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectreference-v1-core">
-[]Kubernetes core/v1.ObjectReference
-</a>
-</em>
-</td>
-<td>
-<em>(Optional)</em>
-<p>Quotas is a list of references to Quota objects in the same or another namespace.
-This field is immutable.</p>
-</td>
-</tr>
-</tbody>
-</table>
+<ul></ul>
 <h3 id="authentication.gardener.cloud/v1alpha1.AdminKubeconfigRequest">AdminKubeconfigRequest
 </h3>
 <p>
@@ -257,36 +165,6 @@ Kubernetes meta/v1.Time
 </tr>
 </tbody>
 </table>
-<h3 id="authentication.gardener.cloud/v1alpha1.CredentialsBindingProvider">CredentialsBindingProvider
-</h3>
-<p>
-(<em>Appears on:</em>
-<a href="#authentication.gardener.cloud/v1alpha1.CredentialsBinding">CredentialsBinding</a>)
-</p>
-<p>
-<p>CredentialsBindingProvider defines the provider type of the CredentialsBinding.</p>
-</p>
-<table>
-<thead>
-<tr>
-<th>Field</th>
-<th>Description</th>
-</tr>
-</thead>
-<tbody>
-<tr>
-<td>
-<code>type</code></br>
-<em>
-string
-</em>
-</td>
-<td>
-<p>Type is the type of the provider.</p>
-</td>
-</tr>
-</tbody>
-</table>
 <h3 id="authentication.gardener.cloud/v1alpha1.ViewerKubeconfigRequest">ViewerKubeconfigRequest
 </h3>
 <p>