Introduce secret to track hash version used by OperatingSystemConfig

[MichaelEischer]

How to categorize this PR?

/area control-plane
/kind enhancement

What this PR does / why we need it:

This PR implements the pool-hashes secret, proposed in #9699, that is stored in the shoot namespaces on each seed cluster. The secret contains information on which hash version is used for the OperatingSystemConfig as well as the calculated hash values. If the calculated and stored hash values differ, then the hash is upgraded to the latest version.

Currently, only hash version 1 exists. Version 2 will be introduced in a follow-up PR.

The PR includes migration code, that creates a placeholder secret in each shoot namespace. As a small difference to the proposal in #9699, that secret only contains a "migrated" field. This field causes the normal reconcile for the secret to bootstrap the secret with version 1 instead of the latest version (which currently is still 1, but version 2 will be added in a follow-up PR). This minimizes the complexity of the migration code, but might require keeping a part of it around for some time.

Which issue(s) this PR fixes:
Part of #9699

Special notes for your reviewer:

I'm somewhat unsure what the best approach is to check that the pool-hashes secret properly survives a control plane migration. I've extended the corresponding e2e test to add a special label to the secret, which will be checked by the existing test code.

Release note:

gardenlet now creates a secret called `worker-pools-operatingsystemconfig-hashes` in the shoot namespace on seed clusters. This secret will be used to upgrade the operating system config key calculation in the future.

[gardener-prow]

Hi @MichaelEischer. Thanks for your PR.

I'm waiting for a gardener member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[rfranzke]

/assign
/ok-to-test

[rfranzke]

Thank you for the nice PR 🎉

[MichaelEischer]

@rfranzke I've addressed the review comment. However, some E2E tests still fail, and I don't have a clue why. pull-gardener-e2e-kind now yields an HTTP 401 error which seems to be unrelated. And in pull-gardener-e2e-kind-ha-single-zone-upgrade it looks like the old API server keeps getting contacted, which looks like a flake. At least during the previous attempts, that error caused pull-gardener-e2e-kind-upgrade to fail which passes now.

[rfranzke]

Minor nits left :)

[rfranzke]

Cool, looks good @MichaelEischer. Please fix the tests so that we can get this PR merged.

[MichaelEischer]

Please fix the tests so that we can get this PR merged.

I forgot to run make check once again 🙈 , sorry, for the PR update spam.

/retest

[rfranzke]

/lgtm
/approve

[gardener-prow]

LGTM label has been added.

Git tree hash: 0502dcf3985fa2ab99400799bf0747093bbd382d

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rfranzke]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment