[GEP-30] Rework API Server Proxy to Drop Proxy Protocol

[knht]

How to categorize this PR?

/area networking
/kind enhancement

What this PR does / why we need it:

This GEP proposes to rework the API server proxy to use HTTP CONNECT instead of the proxy protocol, so that we can support more scenarios like using the ACL extension with opaque (non-transparent) LoadBalancers.

Which issue(s) this PR fixes:
Part of #11214

Special notes for your reviewer:

Release note:

NONE

[CLAassistant]

All committers have signed the CLA.

[gardener-prow]

Welcome @knht!

It looks like this is your first PR to gardener/gardener 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if gardener/gardener has its own contribution guidelines.

Thank you, and welcome to Gardener. 😃

[gardener-prow]

Hi @knht. Thanks for your PR.

I'm waiting for a gardener member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[timebertt]

/assign

[ScheererJ]

/assign

[ScheererJ]

Thanks for providing this enhancement proposal.

Please find below the first round of feedback.

[ScheererJ]

Thanks a lot for bearing with my feedback and applying it. I had a second read through the GEP and the major remaining issues from my point of view are the following:

• Reuse of the VPN infrastructure including the existing port
• Rollout

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale

[timebertt]

/remove-lifecycle stale

I will take over this PR and the GEP implementation (in the new year though)

[gardener-ci-robot]

The Gardener project currently lacks enough active contributors to adequately respond to all PRs.
This bot triages PRs according to the following rules:

• After 15d of inactivity, lifecycle/stale is applied
• After 15d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 7d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Mark this PR as rotten with /lifecycle rotten
• Close this PR with /close

/lifecycle stale

[timebertt]

/remove-lifecycle stale

[timebertt]

I incorporated all feedback into the GEP. The diagrams still need to be updated though.

[ScheererJ]

Thanks a lot for taking the time to rework the proposal. It looks very good now.
I only have a few minor remarks.

[timebertt]

@ScheererJ thanks for your feedback and patience :)
I addressed the latest round of feedback in a new commit.

[DockToFuture]

/lgtm

Looks like a great unification and I like that we get rid of the separate ext-authz-server.

[gardener-prow]

LGTM label has been added.

Git tree hash: 7662bc2c3358898d623a51098ac04e7aaf35160a

[ScheererJ]

Thanks a lot for all the changes.

/lgtm
/approve

[gardener-prow]

LGTM label has been added.

Git tree hash: 4c0d8e832710e0511c2439b6eab636cabc03586e

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: DockToFuture, ScheererJ

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ScheererJ]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment