Allow egress ips on managedseeds

charts/gardener-extension-acl/templates/rbac.yaml

@@ -144,6 +144,23 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+{{ include "labels" . | indent 4 }}
+  name: {{ include "name" . }}
+  namespace: kube-system
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - shoot-info
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ include "name" . }}
@@ -157,3 +174,19 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "name" . }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "name" . }}
+  namespace: kube-system
+  labels:
+{{ include "labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "name" . }}
+  namespace: {{ .Release.Namespace }}

deploy/extension/base/controller-registration.yaml

@@ -4,7 +4,7 @@ kind: ControllerDeployment
 metadata:
   name: acl
 helm:
-  rawChart: H4sIAAAAAAAAA+0ba3PbNjKf+StwynWadErqYUluNZOZKrYv9YxfY6e+uel0PBAJUahJggVIOcrjfvstAIqESMqUH3EujfaDRC4WiwX2gcWDPuYeiQi3ybuERIKyyMZu0H72mNAB2B0M1D9A+V89d3f63d6gNxxKfLff7XafocGjSrEGUpFgjtAzzlhyG11T+VcKfr3+nRkJQupHjJOHtyEVPOz31+of1F7S/7DXHz5DnYc33QzfuP6fozOcJIRHAiUMaY2jmxmJ0CSlgUcjH8XYvcY+EY71HL2dUYFEGseMJ/AAVhIgP2ATFOLEnQH1j4iTACd0TqBeMjPwOPKAQUR8KGURehFzMqXviIduKND946WDTqNggVikakqRUEw4CmhEHMvZv7i6SEA2YLHHwhAYXO5dII9yYTk+TdrqV4tvOZP3vK1+l4iZ35Y/y1cxj9oFown0L43RlAZEWD844iaG3wm+ht8khOf/Aukl5pSlAh3uH0CDMWd/EjexHOoR3NZ0gLKcuXCZR9rWl9bq5rDG//dmmCfOAofBI7TR5P+9zm7Z/zs7g63/PwXgmF4SLvU+QvOuheM4f211nU7L8ohwOY0ThRqjX2FeQK60DjRlHCUzgt5kJoTGe0coNyPHinBIRqjewKz5spWOA818RQ7zN4M1/p+QMIYwTsRjZIJ3z/+GXQgJ2/zvCaBR/1cwx8M8LJwkvu9c0BD/u71eKf73Ov2dnW38fwr48MFGHiRikHW1ZMBuIfvTJ2tN0JbEJPIUiWXWDPCEBMKB2cO5JgvNQ72kE8jjCNiRQ1lb8l/hsYbFHAdpJsiHD4hGbpB6uXgOyireIki1bllAyWWE1lBk7auWqr2gEVhM5BJV3TknAcGCOCcg3K2S0RByaC0YQrKATtE1jbxDgVoi4ZAiQ4uXsmVoRdKinHINGsQlkssMizOVSwOjGe4NhqMSJyfBflEthraSKWp9J375TpQpOYmZoJBoL25joVquYTi6N0MYMWPwPn360m7xzUBj/HdZNKV+iGNb6W0O6x7GbQb52w2nCdlkjdCU//eHpfU/POxu4/+TQBaJVnzzUun4dKli6Zm2bVulpYIMXiNYQ0vzOMaxFZIEezjBI/BpnfrXB+96O8oqiRjXRVaF1uFCx+lRTXSX7D8CEuw5QX1JvRRHtSiuVo12hD5KJrf2fJXd3zE8Nfq/R+KALUIYhHtvBzT4/2CwU87/ut3hdv3/JFB2bMh3RDv37v1c+Ru7950dGQHMqD+z8RxTQNKAJgtbTzuQPgiWchf8c2mojhuw1GsnixjYA1XCWRAQvlE8EDFxZYOczKns7q9UyMzkiIY0GaGOKokD6mKhJc9CQ4bcYykwUrIL6JKMFFp6tcd5tFlcGmoGS//KGBhjKwFHEUvUNqlYojaM0ygDd0bca5GGxvRdOHhtAF7R5wuV06F/Om8zOZ3XoMEzuaHb2igjaL1Undb5KMhRyGakexph2oEESLRvGAf78ys6Z7YHI4JwELAb4m1Wg4PSaEhsMHJBOAhZ1G9Q1U9LGZdmIwEGhkEvF3sBFuJkdYdLLATo1f6508mIZYPUJWPXlaZzcrvXKLWBPWNYLvB8POwmZ9OgNLFKlS04qmRnaRCcMbDoxYqVl8rMapj7hoJsZNshfidd1E05h6GyOZEvcgP9lcGx8E71nBFfLCJXmNwlvxnBQTJTVnt33kblpnY8KvAkILZR3eSaFe8VpWAOfzIaodaPrTIvfZpgs5hw5at24bbrJNVVTpc1xnmFMm+ImJ6clGWYUS7rvVqTTZUoV7iofVpbnsO8aqtnkReX4gn2PCqr42CsnWOPerwyegWVnfmQ7Uo6s7trONUPYyUYVATLHTrbMC6LlDtfVm6KclvdmpZJNDeNXPvd0cF4/+D86uDoYO/t4enJ1cn4+ODibLx3kFMipPYL/sVZODKQCE0pCbxzMl3FZngZS0d54HfyKXPdODQF/KW8h8fjNweXIOzp+dXp5cH5v88P31ZkHaHMHIqUuF2bI99BUflMbdLkSDUvJuw/wLOmxkeUcBoWkbfbaVCVIODkMgqDb8G8Zo6wMswzTucQMXxyIFwcYH14McWBIAali2OdbVAiVnXkcRaP0O/jo6M/DDzMJGNxwqJzyARHIHFKyoW/CTm9DCGh7ZWL3nCWxtUy6IjLwviMM3n8uCqFTnHO9fy1T6Y4DZL7msecBWlIjuU0JKpG3pAaGFKFkoO23aoJmX2GqCSPc0vjVFHlnbqhO1GZGjeV3l0uVc1hvtdKNbcTrZRj5gGPfq9jdCrr5ZdO7xuhcf0XMwjogqfqBHCSej6580Kw8f5Hv7z/s9PZ3d7/eBLIHNBP0AuZ8dcteV6ibt0WUKzSxGKteMa8/dxQXitD+XyLxrus9iCf/C3KFpeBZi/SSWN/H7zK+yrCQKP/8wl2H3gRpMH/+zuD8v2P3d3udv/3SaDs1UrdOE1msMp9rxIn5/onde5VbPkGMGaEn7OA3MXB7+K6PA3kPG8jEE1lTmrSt82VPhUgHMgFeJiZJxmBDDryP4Bi9XAjvVY9xflTGoPIRD26kKhkjx54u3o0klaJh2UBW0B2Bl0WVYlytynvUFUZuXrchG4tEnJhyz39SqMpxwJyJTdJodpGnXqILAVp6bUN7pCkmwlQO6oVqdZt4VWFCnEE+ZaXYxuEMHR3U6fbQrRMtRXRWq2qEPk8dE8lwKuhB+07NbYApsDCJVKdEatV85pGja5WOlgd8HUuvNYkOQuIKCMm4JDgaBpfUJSK7ijsXbXRggUSJ4lo6TdIxiP98pkNQ26D14lTnIY0SlE0fd8BcRnEBxrdrkKVJpU0kTX4QIZLvErBdNnGe1CGMEaXl2O0znW8kArpN5z4MIr8djnDVG6dRf4NmcwYu9aru1RX2jx+3Vc39TNRSUQf+N3gxYaR5EEz8Wvtkp9tQoYmsq2s5UDcIiFQVVOFBnkgJZd3qtWsrytfrOyeN/dnkxXEl063/u+gMf/PzjCw1sK9VgJN6/+dbre0/u8Bcpv/PwWsvdhR8r4vupKHGMPUzuOqUG/ZNcn3db/0QH6l0Oj/8xg/9DuQpvu/O+X7X93dwXB36/9PAaUNeKltEsl9Mq9uz086ojxRkWlPORkBooRC2RnzxhkZ4Y8dN/SeXo3Qy8zLPLxexeldvPyEXSGpeZqQF+mD+u9/+N7Kjz1olJ1mmmcHbpwqUTn5K6UcRqy1XiKnYOFAPURFXq11S0fK1YwjHXltJGR8cS8RdNX7SJHVXN3fRAicCPLa/LSz7kqRxFeuFTWdwQCBzstNJWqMPnYxznul4CaxU9B9NfuxTw1r4v9cj+jjfADYGP8HO5Xvf7fnP08D+uKQCpbLi/oj5M9cLmM7DI17TRN9l2rNNyHS9f0RUslCYlUuGB1OT1hyBuFEOrtlHrOMUE8ijAWzDEXAJAvJKrq2Bp2wZZnBrjXsH9OWZYGzS7psssrPmetifjV6K97A2loNpJJ1Y8BpnRO9aQBCGHd7JGHp8hE0Aci1d36KGwnGBaZ8liozsqp3k0bo9z8sq/7CjS57jupO1OXN5+doeS16pJ6Lw3QMmR9ROIT0WJ4bpjFLkliM2m3hzm4wf0+TXzwyd/D7lBPHZWGBL54ccU3aV/Ij7Yy5cfsqa8c0Pk58R22Hy3oOSTtdJ7PD7FKfZLcqprLAVsfpOT+DUpaGOtLbLtnHrK1t0N/CFrawhS1sYQtb2MIWtvBtw/8AAsQ90gBQAAA=
+  rawChart: H4sIAAAAAAAAA+0ba2/jNnI/61fwvFd0t6jkR2KnNbBA3SS3DZAXkm0Oh6IIaIm22UiiSlLOeh/3229IyrKsR2Q7Wee29XywJXI4HHIeHA6pMeYeCQm3yXtJQkFZaGPXb754SmgBHHS7+h8g/6+f23v77U630+up8vZ+u91+gbpPykUFxEJijtALzph8CK+u/iuFcbn8nQnxAzoOGSeP70MJuLe/Xyl/EHtO/r3Ofu8Faj2+63r4m8v/JbrEUhIeCiQZMhJH9xMSomFMfY+GYxRh9w6PiXCsl+jdhAok4ihiXMIDaImPxj4bogBLdwLY3yNOfCzplEA7OcmU49ADAiEZQy0L0auIkxF9Tzx0TwHvH68ddBH6M8RC3VKxhCLCkU9D4ljO0fXttQTegMQhCwIgcHN4jTzKheWMqWzqX8O+5Qw/8Kb+nRdMxk31M38V07C5IDSE8cURGlGfCOs7R9xH8DvEd/ArA3j+L6DeYE5ZLNDJ0TF0GHH2B3Gl5VCP4KbBgyLLmQqXeaRpPbdUV4cK+z+cYC6dGQ78J+ijzv47rYO8/bf2ujv73wbgiN4QruTeR9O2haMofW20nVbD8ohwOY2kLhqgX2BdQK7SDjRiHMkJQW8TFUKDw1OUqpFjhTggfVSuYNZ03kvLgW6+IoP5i0GF/UsSRODGiXiKSHD9+K/XBpewi/+2ALXyv4U1HtZh4cho07Wgxv+3O52c/++09vf2dv5/G/Dxo408CMQg6mooh91A9ufPVoXTVsgk9DSKlW3p4yHxhQOrh3NHZoaGfomHEMcR0COHsqaiv0SjgsQU+3HCyMePiIauH3spew5KGj7ASLFtnkFFpY8qMJL+dU/FUdAQNCZ0iW7uXBGfYEGcc2DuQc5oADG0YQwhVUFH6I6G3olADSE5hMjQ443qGXpRuCjFrCgGdomiMsHiUsfSQGiCO91eP0fJkXi8aBZBX3KEGt+In74ReUxOIiYoBNqzh0jonksI9jcmCDOWmbzPn5/bLP42UOv/XRaO6DjAka3lNoV9D+M2g/jtnlNJVtkj1MX/+73c/h8eDnb+fyuQeKIl27zRMr6Yi1hZpm3bVm6roJxXH/bQSj3OcGQFRGIPS9wHmzahf7nzLtejpJGIcJln1cXGXRg/3S/x7or8JygEfZZoX2HP2dE9ittlpe2jT4rIgyNfJvdXdE+19u+RyGezACZh43RAjf13u3v5+K/d7u32/1uBvGFDvCOaqXUfpcJf2bzXNmQEMKHjiY2nmEIh9amc2WbZgfBBsJi7YJ9zRXVcn8VeU84iIA9YkjPfJ3wlfyAi4qoOOZlSNdxfqFCRySkNqOyjlq6JfOpiYThPXENSeMhiIKR5FzAk5SkM9zrHebqaX+oZAnP7Sghk5lYBDkMmdZpUzItW9NMoAXdC3DsRB5nle2HgpQ54SZ6vdEyH/um8S/h0fgYJXqqEbmOliKDxWg/axKPAx4K3TLhnCrJ6oAAC7XvGQf/GBZkz24MZQdj32T3xVmvBQWg0IDYouSAcmFy0rxHVD3Me52qjACaGwShnhz4W4nw5wyVmAuRq/9hqJciqQ+qSgesq1Tl/2Gq02ECfMWwXeDofdp2xGdCSWMZKNhxFtMvY9y8ZaPRsSctzddlmmI8zArKRbQf4vTJRN+YcpsrmRL2oBPqbDMWFdernBPl6FroiS13RmxDsy4nW2vVpZxrX9eNRgYc+sTPNs1ST6sNFLajDH4yGqPF9I0/LnCbYLCJc26q9MNsqTk2Ti3mLQdogTxs8pqcWZeVmtMl6byqiqRzmEhWdp7XVOcybpn4WaXXOn2DPo6o59gfGOA6pxwuzt8CyExuyXYWXHW4FpfJpLDiDAmOpQScJ4zxLqfEl9VlWHmpb0jMJp1klN3Z3ejw4Or66PT49Pnx3cnF+ez44O76+HBwep5gI6XzBvzgL+plChEaU+N4VGS2XJuXKl/ZTx++kS2bVPNQ5/Dm/J2eDt8c3wOzF1e3FzfHVv69O3hV47aNEHRYhcbM0Rl5DUOlKncVJC/W6KNl/gGZJi09IchosPG+7VSMqQcDIlRcG24J1LTvDWjEvOZ2CxxiTY+FiH5vDixH2Bclgujgy0QYlYllGHmdRH/02OD39PVMOK8lAnLPwCiLBPnAck3zlr0ItLz0IaDv5qrecxVGxDgbisiC65EwdPy5zYUKcK7N+HZERjn25qXpMmR8H5EwtQ6Ko5DWhQYarQFEwultUoeyYwSup49zcPBVEudYwzCAKS+Oq3LvzrWp2mjfaqaZ6YoRyxjygsd9pZQaVjPK5w/taqN3/RQwcuuCxPgEcxt6YrL0RrL3/sZ/P/+y1Dnb3P7YCiQGOJXqlIv6yLc9r1C5LAUU6TFzsFS+Zd5Qqys9aUb7cpnGd3R7Ek7+GyebSN+RFPKwd76N3eV+FG6i1fz7E7iMvgtTmf7r5+18HB+1d/mcrkLdqLW4cywnscj/owMm5+0Gfey1Svj7MGeFXzCfrGPg6pstjX63zNgLWdOSkF307u9OnApgDvqAcVuZhgqCcjvr3oVo/3Cur1U9R+hRHwDLRjy4EKsmjB9auHzNBqyqHbQGbQXQGQxZFjlKzyWeoioRcM2/C9BYKtbHlnnml4YhjAbGSK2NottKgHsPLAjX32gRzkPFqDJTOaoGrqhRekakAhxBveWlpDRMZ2d2XyXbBWiLaAmuNRpGJdB3aUAjwmpGDsZ0SXQBVYMG8UJ8R611zRaeZoRYGWJzwKhOuVEnOfCLyBUMwSDA0U77AyFWtyey60mjABokTKRrmDYLx0Lx8YcVQafAydhanIbVcLLredEJcBv6Bhg+LUIdJOUkkHT6S4Lxch2CmbuUcVIaZzJDnc1RlOl5AhbIbTsYwi/xhPoNYpc7C8T0ZThi7M7u72DRa3X9tKpvylSjH4hjo3ePZip5k/ZW4sASvs8auE5GrGzBJertybS4z3/SooEKfBEhO2rD4lSzjj4tMfjYu6osFKNBFktqbT8MDHAJWMXSq4Qe2KOqOuZ5p0/h66TRhLflV7qg2VLoNZrdCm7Yy7f838/3c0X4Ravd/yRkWNrOw0U6wLv+z127n8j8dKNzt/7YBlRd7ctr/rJkcMG6mM8/LTL1jdyTN6z/3RH6lUGv/0wg/9juguvvfe/n7f+2Dbu9gZ//bgNwBjJI2CVWe1CsLD5QhqhM1Ffbm4wJAkhTqLpk3SNAIf2q/YXK6JUzPg8vs5YXlMpPFTW9Y6EKaPU1Kq8xFjW+/+9ZKj71omJxmZ8+O3CjWrHLyZ0w5zFijmiNnQcKBdoiKtFnjgYHkm2WO9NS1oYDx2UYsmKabcJG0XM5vIwRGBEF7etpddqVMlReuldWdwQGC2ZdlhWhKzLFb5rxfMZ5FdhZ4X00+fttQ4f+nZkaf5gPQWv/f3St8/707/9sOmItj2lnOP9Too/HE5cq3w9S4d1Sau3QV3wQp0x/3kQ4WpFW4YHYyOmfyEtyJMnYre8zWRx1VkMkXKFcERBKXrL1ro9sKGlbW2TV6+2e0YVlg7AovWazSewZlPr/ovTVtIG0tO1JFutbhNK6ISRoBE5m7XQoxd/kMuoDCyjtfixspmQts6SqVJ2QV76b10W+/W1b5hStT9xKV3ahQN99fovm1+L5+XlymwBD5EV2GkJnLq4xqTKSMRL/ZFO7kHvMPVP7kkamDP8ScOC4LFuWLJ0fckeat+kg/IZ65fZf0k1U+TsaOPg5R7RwSt9pOoofJpU5FbplNrYGNltNxfgShzBW1b3JKycfMjZ3T38EOdrCDHexgBzvYwQ7+B6z5p1QAUAAA
   values:
     image:
       tag: latest

pkg/controller/actuator.go

@@ -36,6 +36,7 @@ import (
 	"github.com/pkg/errors"
 	istionetworkv1beta1 "istio.io/client-go/pkg/apis/networking/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/serializer"
 	"k8s.io/client-go/rest"
@@ -48,6 +49,8 @@ import (
 	"github.com/stackitcloud/gardener-extension-acl/pkg/extensionspec"
 	"github.com/stackitcloud/gardener-extension-acl/pkg/helper"
 	"github.com/stackitcloud/gardener-extension-acl/pkg/imagevector"
+
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 )
 
 const (
@@ -147,6 +150,16 @@ func (a *actuator) Reconcile(ctx context.Context, log logr.Logger, ex *extension
 
 	alwaysAllowedCIDRs = append(alwaysAllowedCIDRs, helper.GetSeedSpecificAllowedCIDRs(cluster.Seed)...)
 
+	// On Seeds using cilium as the kube-proxy replacement we need the egress IP
+	// of the cluster to be allowed in order for the alertmanager
+	// ApiServerNoteReachable check to work. In that case the traffic to the
+	// kubernetes API will be externally routed and not dnatted.
+	egressCIDRs, err := a.getSeedEgressIPOnManagedSeeds(ctx)
+	if err != nil {
+		return err
+	}
+	alwaysAllowedCIDRs = append(alwaysAllowedCIDRs, egressCIDRs...)
+
 	if len(a.extensionConfig.AdditionalAllowedCIDRs) >= 1 {
 		alwaysAllowedCIDRs = append(alwaysAllowedCIDRs, a.extensionConfig.AdditionalAllowedCIDRs...)
 	}
@@ -260,14 +273,14 @@ func (a *actuator) createSeedResources(
 	spec *extensionspec.ExtensionSpec,
 	cluster *controller.Cluster,
 	hosts []string,
-	shootSpecificCIRDs []string,
+	shootSpecificCIDRs []string,
 	alwaysAllowedCIDRs []string,
 	istioNamespace string,
 	istioLabels map[string]string,
 ) error {
 	var err error
 
-	alwaysAllowedCIDRs = append(alwaysAllowedCIDRs, shootSpecificCIRDs...)
+	alwaysAllowedCIDRs = append(alwaysAllowedCIDRs, shootSpecificCIDRs...)
 
 	apiEnvoyFilterSpec, err := envoyfilters.BuildAPIEnvoyFilterSpecForHelmChart(
 		spec.Rule, hosts, alwaysAllowedCIDRs, istioLabels,
@@ -446,3 +459,36 @@ func (a *actuator) findDefaultIstioLabels(
 
 	return gw.Spec.Selector, nil
 }
+
+// getSeedEgressIPOnManagedSeeds returns the egressIP CIDRs of the ManagedSeed, if the
+// Seed is not a shoot, it will return an empty list
+func (a *actuator) getSeedEgressIPOnManagedSeeds(ctx context.Context) ([]string, error) {
+	cm := corev1.ConfigMap{}
+	if err := a.client.Get(ctx,
+		client.ObjectKey{
+			Name:      v1beta1constants.ConfigMapNameShootInfo,
+			Namespace: "kube-system",
+		},
+		&cm); err != nil {
+		if apierrors.IsNotFound(err) {
+			return []string{}, nil
+		}
+		return nil, err
+	}
+
+	cidrsStr, ok := cm.Data["egressCIDRs"]
+	if !ok {
+		return nil, errors.New("unable to get egress CIDRs from shoot-info ConfigMap")
+	}
+
+	var cidrs []string
+	for _, i := range strings.Split(cidrsStr, ",") {
+		_, _, err := net.ParseCIDR(i)
+		if err != nil {
+			return nil, err
+		}
+		cidrs = append(cidrs, i)
+	}
+
+	return cidrs, nil
+}

pkg/controller/actuator_test.go

@@ -222,6 +222,60 @@ var _ = Describe("actuator test", func() {
 		})
 	})
 
+	Describe("reconciliation of an extension object running on a managedSeed", func() {
+		AfterEach(func() {
+			deleteShootInfo()
+		})
+
+		It("should return an empty slice of egressIPs if no shoot-info ConfigMap exists", func() {
+			cidrs, err := a.getSeedEgressIPOnManagedSeeds(ctx)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(cidrs).To(BeEmpty())
+		})
+
+		It("should fail to return egressIPs if the shoot-info ConfigMap contains invalid CIDRs", func() {
+			createShootInfo([]string{"1.1.1.1", "1.1.1.2/32"})
+
+			_, err := a.getSeedEgressIPOnManagedSeeds(ctx)
+			Expect(err).To(HaveOccurred())
+		})
+
+		It("should return the egressIP CIDRs of the shoot-info ConfigMap", func() {
+			c := []string{"1.1.1.1/32", "1.1.1.2/32"}
+			createShootInfo(c)
+
+			cidrs, err := a.getSeedEgressIPOnManagedSeeds(ctx)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(cidrs).To(BeEquivalentTo(c))
+		})
+
+		It("should create ACLs including egressIPs of managedSeed", func() {
+			createShootInfo([]string{"1.1.1.1/32", "1.1.1.2/32"})
+
+			extSpec := extensionspec.ExtensionSpec{
+				Rule: &envoyfilters.ACLRule{
+					Cidrs:  []string{"1.2.3.4/24"},
+					Action: "ALLOW",
+					Type:   "remote_ip",
+				},
+			}
+			extSpecJSON, err := json.Marshal(extSpec)
+			Expect(err).NotTo(HaveOccurred())
+			ext := createNewExtension(shootNamespace1, extSpecJSON)
+			Expect(ext).To(Not(BeNil()))
+
+			Expect(a.Reconcile(ctx, logger, ext)).To(Succeed())
+
+			mr := &v1alpha1.ManagedResource{}
+			Expect(k8sClient.Get(ctx, types.NamespacedName{Name: ResourceNameSeed, Namespace: shootNamespace1}, mr)).To(Succeed())
+			secret := &corev1.Secret{}
+			Expect(k8sClient.Get(ctx, types.NamespacedName{Name: mr.Spec.SecretRefs[0].Name, Namespace: shootNamespace1}, secret)).To(Succeed())
+			Expect(secret.Data["seed"]).To(ContainSubstring("1.2.3.4"))
+			Expect(secret.Data["seed"]).To(ContainSubstring("1.1.1.1"))
+			Expect(secret.Data["seed"]).To(ContainSubstring("1.1.1.2"))
+		})
+	})
+
 	Describe("a shoot switching the istio namespace (e.g. when being migrated to HA)", func() {
 		It("should modify the EnvoyFilter objects accordingly", func() {
 			By("1) creating the EnvoyFilter object correctly in the ORIGINAL namespace")

pkg/controller/suite_test.go

@@ -4,9 +4,11 @@ import (
 	"context"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"testing"
 
 	gardencorev1beta1 "github.com/gardener/gardener/pkg/apis/core/v1beta1"
+	gardenercorev1beta1constants "github.com/gardener/gardener/pkg/apis/core/v1beta1/constants"
 	extensionsv1alpha1 "github.com/gardener/gardener/pkg/apis/extensions/v1alpha1"
 	resourcesv1alpha1 "github.com/gardener/gardener/pkg/apis/resources/v1alpha1"
 	"github.com/go-logr/logr"
@@ -19,6 +21,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -247,6 +250,35 @@ func createNewCluster(shootNamespace string) {
 	Expect(k8sClient.Create(ctx, cluster)).ShouldNot(HaveOccurred())
 }
 
+func createShootInfo(cidrs []string) {
+	cm := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      gardenercorev1beta1constants.ConfigMapNameShootInfo,
+			Namespace: "kube-system",
+		},
+		Data: map[string]string{
+			"egressCIDRs": strings.Join(cidrs, ","),
+		},
+	}
+	Expect(k8sClient.Create(ctx, cm)).ShouldNot(HaveOccurred())
+}
+
+func deleteShootInfo() {
+	cm := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      gardenercorev1beta1constants.ConfigMapNameShootInfo,
+			Namespace: "kube-system",
+		},
+	}
+	Expect(func() error {
+		err := k8sClient.Delete(ctx, cm)
+		if err != nil && !apierrors.IsNotFound(err) {
+			return err
+		}
+		return nil
+	}()).ShouldNot(HaveOccurred())
+}
+
 func deleteNamespace(name string) {
 	namespace := &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{