Handle removal of legacy access restriction

frontend/__fixtures__/cloudprofiles.js

@@ -399,9 +399,9 @@ export default [
               ],
             },
           ],
-          labels: {
-            'seed.gardener.cloud/eu-access': 'true',
-          },
+          accessRestrictions: [{
+            name: 'eu-access-only',
+          }],
         },
         {
           name: 'eu-west-1',
@@ -424,9 +424,9 @@ export default [
               ],
             },
           ],
-          labels: {
-            'seed.gardener.cloud/eu-access': 'true',
-          },
+          accessRestrictions: [{
+            name: 'eu-access-only',
+          }],
         },
         {
           name: 'us-east-1',
@@ -535,9 +535,9 @@ export default [
               ],
             },
           ],
-          labels: {
-            'seed.gardener.cloud/eu-access': 'true',
-          },
+          accessRestrictions: [{
+            name: 'eu-access-only',
+          }],
         },
         {
           name: 'eastus',
@@ -713,9 +713,9 @@ export default [
               ],
             },
           ],
-          labels: {
-            'seed.gardener.cloud/eu-access': 'true',
-          },
+          accessRestrictions: [{
+            name: 'eu-access-only',
+          }],
         },
         {
           name: 'na-us-1',
@@ -895,9 +895,9 @@ export default [
               ],
             },
           ],
-          labels: {
-            'seed.gardener.cloud/eu-access': 'true',
-          },
+          accessRestrictions: [{
+            name: 'eu-access-only',
+          }],
         },
         {
           name: 'na-us-2',

frontend/__fixtures__/config.js

@@ -57,7 +57,7 @@ export default {
     noItemsText: 'Limited Access services for certain cloud providers and regions',
     items: [
       {
-        key: 'seed.gardener.cloud/eu-access',
+        key: 'eu-access-only',
         display: {
           title: 'Limited Access',
           description: 'Clusters will not be migrated ...',

frontend/src/composables/useShootAccessRestrictions/index.js

@@ -4,13 +4,17 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
-import { computed } from 'vue'
+import {
+  computed,
+  ref,
+} from 'vue'
 
 import { useCloudProfileStore } from '@/store/cloudProfile'
 
 import { NAND } from './helper'
 
 import get from 'lodash/get'
+import isEmpty from 'lodash/isEmpty'
 import set from 'lodash/set'
 import unset from 'lodash/unset'
 import keyBy from 'lodash/keyBy'
@@ -33,6 +37,8 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
     return computed(() => get(shootItem.value, path))
   })
 
+  const unsetLegacyAccessRestriction = ref(false)
+
   const accessRestrictionDefinitionList = computed(() => {
     return cloudProfileStore.accessRestrictionDefinitionsByCloudProfileNameAndRegion({
       cloudProfileName: cloudProfileName.value,
@@ -100,10 +106,21 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
       if (index === -1) {
         accessRestrictions.push({ name: key })
       }
+
+      // TODO(petersutter): remove this block after gardener has dropped the access restriction sync logic for spec.seedSelector.matchLabels
+      if (key === 'eu-access-only') {
+        unsetLegacyAccessRestriction.value = false
+      }
     } else {
       if (index !== -1) {
         accessRestrictions.splice(index, 1)
       }
+
+      // TODO(petersutter): remove this block after gardener has dropped the access restriction sync logic for spec.seedSelector.matchLabels
+      if (key === 'eu-access-only') {
+        // Due to the migration/sync logic in g/g, to deactivate the `eu-access-only` access restriction, both `spec.AccessRestriction[@name="eu-access-only"]` and `spec.seedSelector.matchLabels["seed.gardener.cloud/eu-access"]` must be removed at the same time.
+        unsetLegacyAccessRestriction.value = true
+      }
     }
     setAccessRestrictions(accessRestrictions)
   }
@@ -141,11 +158,35 @@ export const useShootAccessRestrictions = (shootItem, options = {}) => {
 
   function getAccessRestrictionPatchData () {
     const accessRestrictions = get(shootItem.value, ['spec', 'accessRestrictions'], [])
-    return {
+    const data = {
       spec: {
         accessRestrictions,
       },
     }
+
+    // TODO(petersutter): remove this block after gardener has dropped the access restriction sync logic for spec.seedSelector.matchLabels
+    if (unsetLegacyAccessRestriction.value) {
+      let seedSelector = get(shootItem.value, ['spec', 'seedSelector'])
+
+      unset(seedSelector, ['matchLabels', 'seed.gardener.cloud/eu-access'])
+
+      if (isEmpty(get(seedSelector, ['matchLabels']))) {
+        unset(seedSelector, ['matchLabels'])
+      }
+
+      if (isEmpty(seedSelector)) {
+        seedSelector = null
+      }
+
+      data.spec.seedSelector = seedSelector
+      data.metadata = {
+        annotations: {
+          'support.gardener.cloud/eu-access-for-cluster-addons': null,
+          'support.gardener.cloud/eu-access-for-cluster-nodes': null,
+        },
+      }
+    }
+    return data
   }
 
   const accessRestrictionList = computed(() => {

frontend/src/store/config.js

@@ -149,7 +149,26 @@ export const useConfigStore = defineStore('config', () => {
   })
 
   const accessRestriction = computed(() => {
-    return state.value?.accessRestriction
+    // TODO(petersutter): remove mapping from seed.gardener.cloud/eu-access to eu-access-only in dashboard version >=1.80.0. Add breaking change release note.
+    const accessRestriction = state.value?.accessRestriction
+    if (!accessRestriction) {
+      return
+    }
+
+    const items = map(accessRestriction.items, item => {
+      if (item.key === 'seed.gardener.cloud/eu-access') {
+        return {
+          ...item,
+          key: 'eu-access-only',
+        }
+      }
+      return item
+    })
+
+    return {
+      ...accessRestriction,
+      items,
+    }
   })
 
   const sla = computed(() => {