diff --git a/README.md b/README.md index 0910e40f..cf914b14 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ This file will be evaluated using `spiff`, a dynamic templating language for yam
landscape: name: <Identifier> # general Gardener landscape identifier, for example, `my-gardener` - domain: <prefix>.<cluster domain> # Unique basis domain for DNS entries + domain: <prefix>.<cluster domain> # Unique basis domain for DNS entries cluster: # Information about your base cluster kubeconfig: <relative path + filename> # Path to your `kubeconfig` file, rel. to directory `landscape` (defaults to `./kubeconfig`) @@ -111,9 +111,9 @@ landscape: services: <CIDR IP range> iaas: - type: <gcp|aws|azure> # iaas provider (coming soon: openstack|alicloud) + type: <gcp|aws|azure|openstack> # iaas provider (coming soon: alicloud) region: <major region>-<minor region> # region for initial seed cluster - zones: # Remove zones block for providers other than GCP or AWS + zones: # Remove zones block for Azure - <major region>-<minor region>-<zone> # Example: europe-west1-b - <major region>-<minor region>-<zone> # Example: europe-west1-c - <major region>-<minor region>-<zone> # Example: europe-west1-d @@ -121,14 +121,14 @@ landscape: etcd: # optional, default values based on `landscape.iaas` backup: - type: <gcs|s3> # type of blob storage + type: <gcs|s3|abs|swift> # type of blob storage resourceGroup: # Azure resource group you would like to use for your backup region: (( iaas.region )) # region of blob storage (default: same as above) credentials: (( iaas.credentials )) # credentials for the blob storage's IaaS provider (default: same as above) - dns: # optional, default values based on `landscape.iaas` - type: <google-clouddns|aws-route53|azure-dns> # dns provider - credentials: (( iaas.credentials )) # credentials for the dns provider + dns: # optional, default values based on `landscape.iaas` + type: <google-clouddns|aws-route53|azure-dns|openstack-designate> # dns provider + credentials: (( iaas.credentials )) # credentials for the dns provider identity: users: 
@@ -144,21 +144,21 @@ landscape: ### landscape.name ```yaml landscape: - name:# general Gardener landscape identifier, for example, `my-gardener` + name: ``` Arbitrary name for your landscape. The name will be part of the names for resources, for example, the etcd buckets. ### landscape.domain ```yaml - domain: . # Unique basis domain for DNS entries + domain: . ``` Basis domain for DNS entries. As a best practice, use an individual prefix together with the cluster domain of your base cluster. ### landscape.cluster ```yaml -cluster: # Information about your base cluster - kubeconfig: # Path to your `kubeconfig` file, relative to directory `landscape` - networks: # CIDR IP ranges of base cluster +cluster: + kubeconfig: + networks: nodes: pods: services: @@ -174,13 +174,13 @@ Finding out CIDR ranges of your cluster is not trivial. For example, GKE only te ### landscape.iaas ```yaml iaas: - type: # IaaS provider (coming soon: openstack|alicloud) - region: - # region for initial seed cluster - zones: # Remove zones block for providers other than GCP or AWS - - - - # Example: europe-west1-b - - - - # Example: europe-west1-c - - - - # Example: europe-west1-d - credentials: # Provide access to IaaS layer used for creating resources for shoot clusters + type: + region: - + zones: + - - - + - - - + - - - + credentials: ``` Contains the information where Gardener will create intial seed cluster and a default profile to create shoot cluster. By default, the *initial* seed component will create a seed resource using your base cluster as seed cluster. Other seed clusters and profiles can be added after the installation. @@ -197,27 +197,30 @@ The credentials will be used to give Gardener access to the IaaS layer: Use the following yaml keys depending on your provider (excerpts): -| AWS | GCP | Azure | -|:--------------|:--------------|:--------------| -| credentials:|
accessKeyID: ...
secretAccessKey: ...credentials:|
serviceaccount.json: |
{ "type": "...", "project_id": "...", ... }credentials:| +| AWS | GCP | +|:--------------|:--------------| +|
clientID: ...
clientSecret: ...
subscriptionID: ...
tenantID: ...credentials:|
accessKeyID: ...
secretAccessKey: ...credentials:+| Azure | Openstack | +|
serviceaccount.json: |
{ "type": "...", "project_id": "...", ... }credentials:|
clientID: ...
clientSecret: ...
subscriptionID: ...
tenantID: ...credentials:| +The openstack credentials additionally have an optional `region` field. It is only evaluated within the `dns` block (as `iaas` and `etcd.backup` have their own region fields, which will be used instead) and, if not specified, defaults to the value of `iaas.region`. ### landscape.etcd ```yaml -etcd: # optional, default values based on `landscape.iaas` +etcd: backup: - type:
username: ...
password: ...
tenantName: ...
domainName: ...
authURL: ...# type of blob storage - resourceGroup: ... # Azure resource group you would like to use for your backup - region: (( iaas.region )) # region of blob storage (default: same as above) - credentials: (( iaas.credentials )) # credentials for the blob storage's IaaS provider (default: same as above) + type: + resourceGroup: ... + region: (( iaas.region )) + credentials: (( iaas.credentials )) ``` Configuration of what blob storage to use for the etcd key-value store. If your IaaS provider offers a blob storage you can use the same values for `etc.backup.region` and `etc.backup.credentials` as above for `iaas.region` and `iaas.credentials` correspondingly by using the [(( foo ))](https://github.com/mandelsoft/spiff/blob/master/README.md#-foo-) expression of spiff. If you remove single values or the whole block, the missing values will be set to defaults derived from `landscape.iaas`. The `resourceGroup` cannot be defaulted and must be specified. | Field | Type | Description | Example | Iaas Provider Documentation | |:------|:--------|:--------|:--------|:---------| -|`backup.type`|Fixed value| Type of your blob store. Supported blob stores: `gcs` ([Google Cloud Storage](https://cloud.google.com/storage/)), `s3` ([Amazon S3](https://aws.amazon.com/s3/)), and `abs` ([Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)).|`gcs`|n.a.| +|`backup.type`|Fixed value| Type of your blob store. Supported blob stores: `gcs` ([Google Cloud Storage](https://cloud.google.com/storage/)), `s3` ([Amazon S3](https://aws.amazon.com/s3/)), `abs` ([Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)), and `swift` ([Openstack Swift](https://docs.openstack.org/swift/latest/)).|`gcs`|n.a.| |`backup.resourceGroup`|IaaS provider specific |Azure specific. Create an Azure blob store first which uses a resource group. Provide the resource group here. 
| `my-Azure-RG` | [Azure](https://docs.microsoft.com/en-us/azure/storage/common/storage-quickstart-create-account?tabs=azure-portal) (HowTo) | |`backup.region`|IaaS provider specific|Region of blob storage. |`(( iaas.region ))` |[GCP (overview)](https://cloud.google.com/docs/geography-and-regions), [AWS (overview)](https://docs.aws.amazon.com/general/latest/gr/rande.html)| |`backup.credentials`|IaaS provider specific|Service account credentials in a provider-specific format. |`(( iaas.creds ))` |[GCP](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys), [AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html#id_users_service_accounts), [Azure](https://docs.microsoft.com/en-us/rest/api/storageservices/authorization-for-the-azure-storage-services)| 
@@ -225,16 +228,16 @@ If you remove single values or the whole block, the missing values will be set t ### landscape.dns ```yaml -dns: # optional, default values based on `landscape.iaas` - type: # dns provider - credentials: # credentials for the dns provider +dns: + type: + credentials: ``` Configuration for the Domain Name Service (DNS) provider. If your IaaS provider also offers a DNS service you can use the same values for `dns.credentials` as for `iaas.creds` above by using the [(( foo ))](https://github.com/mandelsoft/spiff/blob/master/README.md#-foo-) expression of spiff. If they belong to another account (or to another IaaS provider) the appropriate credentials (and their type) have to be configured. Similar to `landscape.etcd`, missing values will be set to defaults based on the values given in `landscape.iaas`. | Field | Type | Description | Example |IaaS Provider Documentation |:------|:--------|:--------|:--------|:------------| -|`type`|Fixed value|Your DNS provider. Supported providers: `google-clouddns` ([Google Cloud DNS](https://cloud.google.com/dns/docs/)), `aws-route53` ([Amazon Route 53](https://aws.amazon.com/route53/)), and `azure-dns` ([Azure DNS](https://azure.microsoft.com/de-de/services/dns/)).|`google-clouddns`|n.a.| +|`type`|Fixed value|Your DNS provider. 
Supported providers: `google-clouddns` ([Google Cloud DNS](https://cloud.google.com/dns/docs/)), `aws-route53` ([Amazon Route 53](https://aws.amazon.com/route53/)), `azure-dns` ([Azure DNS](https://azure.microsoft.com/de-de/services/dns/)), and `openstack-designate` ([Openstack Designate](https://docs.openstack.org/designate/latest/)).|`google-clouddns`|n.a.| |`credentials`|IaaS provider specific|Service account credentials in a provider-specific format.|`(( iaas.credentials ))`|[GCP](https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys), [AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html#id_users_service_accounts), [Azure](https://docs.microsoft.com/en-us/azure/azure-stack/user/azure-stack-create-service-principals)| @@ -242,12 +245,12 @@ Similar to `landscape.etcd`, missing values will be set to defaults based on the ```yaml identity: users: - - email: # email (used for Gardener dashboard login) - username: # username (displayed in Gardener dashboard) - password: # clear-text password (used for Gardener dashboard login) - - email: # see above - username: # see above - hash: # bcrypted hash of password, see above + - email: + username: + password: + - email: + username: + hash: ``` Configures the identity provider that allows access to the Gardener dashboard. The easiest method is to provide a list of `users`, each containing `email`, `username`, and either a clear-text `password` or a bcrypted `hash` of the password. diff --git a/acre.yaml b/acre.yaml index 7a0a3125..77990e5b 100644 --- a/acre.yaml +++ b/acre.yaml @@ -69,12 +69,14 @@ dns_type_mapping: gcp: google-clouddns aws: aws-route53 azure: azure-dns + openstack: openstack-designate backup_type_mapping: <<: (( &temporary )) gcp: gcs aws: s3 azure: abs + openstack: swift validation: <<: (( &temporary )) 
@@ -100,18 +102,33 @@ validation: - subscriptionID - - mapfield - tenantID + openstack: + - and + - - mapfield + - domainName + - - mapfield + - tenantName + - - mapfield + - username + - - mapfield + - password + - - mapfield + - authURL etcd_backup: gcs: (( iaas.gcp )) s3: (( iaas.aws )) abs: (( iaas.azure )) + swift: (( iaas.openstack )) dns: google-clouddns: (( iaas.gcp )) aws-route53: (( iaas.aws )) azure-dns: (( iaas.azure )) + openstack-designate: (( iaas.openstack )) landscape_name: (( validate( landscape.name, "dnslabel" ) )) domain: (( validate( landscape.domain, "dnsdomain" ) )) cidrs: (( validate( landscape.clusters[0].networks, ["mapfield", "nodes", "cidr"], ["mapfield", "pods", "cidr"], ["mapfield", "services", "cidr"] ) )) iaas_type: (( validate( landscape.iaas.type, [is_in, keys( types.iaas )] ) )) + iaas_region: (( validate( landscape.iaas, ["mapfield", "region"] ) )) iaas_creds: (( validate( landscape.iaas.credentials, types.iaas[landscape.iaas.type] ) )) etcd_backup_type: (( validate( landscape.etcd.backup.type, [is_in, keys( types.etcd_backup )] ) )) etcd_backup_creds: (( validate( landscape.etcd.backup.credentials, types.etcd_backup[landscape.etcd.backup.type] ) )) diff --git a/components/dns-controller/deployment.yaml b/components/dns-controller/deployment.yaml index 05fd2cb4..c00af3d7 100644 --- a/components/dns-controller/deployment.yaml +++ b/components/dns-controller/deployment.yaml 
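Review bot: The new `openstack` entry under `validation` only checks that `authURL` is present (`mapfield`), while the same hunk validates `landscape.name` and `landscape.domain` with typed validators (`dnslabel`, `dnsdomain`); a malformed auth URL is therefore only discovered when terraform or the dns-controller tries to use it. If spiff's `validate` offers a URL or string-format validator, use it for `authURL`; otherwise a comment on the entry such as `# presence only - authURL is not checked for URL syntax` would at least make the gap explicit. The optional `region` field the README describes is deliberately absent from this list, which is consistent with it being optional. The `validation` mapping this belongs to starts before the hunk.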
@@ -52,6 +52,16 @@ providers: AZURE_CLIENT_SECRET: (( landscape.dns.credentials.clientSecret )) AZURE_SUBSCRIPTION_ID: (( landscape.dns.credentials.subscriptionID )) AZURE_TENANT_ID: (( landscape.dns.credentials.tenantID )) + openstack-designate: + <<: (( &template )) + name: openstack + credentials: + OS_AUTH_URL: (( landscape.dns.credentials.authURL )) + OS_REGION_NAME: (( landscape.dns.credentials.region || landscape.iaas.region )) + OS_USERNAME: (( landscape.dns.credentials.username )) + OS_PASSWORD: (( landscape.dns.credentials.password )) + OS_DOMAIN_NAME: (( landscape.dns.credentials.domainName )) + OS_PROJECT_NAME: (( landscape.dns.credentials.tenantName )) spec: <<: (( &temporary )) diff --git a/components/etcd/backupinfra/provider/swift/export.yaml b/components/etcd/backupinfra/provider/swift/export.yaml new file mode 100644 index 00000000..61fa6f8e --- /dev/null +++ b/components/etcd/backupinfra/provider/swift/export.yaml @@ -0,0 +1 @@ +bucketname: (( data.terraform.modules.[0].outputs.bucketName.value )) \ No newline at end of file diff --git a/components/etcd/backupinfra/provider/swift/main.tf b/components/etcd/backupinfra/provider/swift/main.tf new file mode 100644 index 00000000..f9b49c7a --- /dev/null +++ b/components/etcd/backupinfra/provider/swift/main.tf 
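Review bot: `tenantName` is exported as `OS_PROJECT_NAME` in the new `openstack-designate` block, but the etcd swift provider added later in this commit (`components/etcd/cluster/provider/swift/provider.yaml`) exports the same credential field as `OS_TENANT_NAME`. As far as I know common OpenStack clients accept both names, but mixing them makes the two consumers look as if they take different inputs; pick one or add a comment such as `# tenantName maps to OS_PROJECT_NAME here (Keystone v3 naming); the etcd swift provider uses OS_TENANT_NAME for the same value`. The `providers:` mapping this block belongs to starts before the hunk.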
@@ -0,0 +1,41 @@
+// Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+provider "openstack" {
+ user_name = "${var.USERNAME}"
+ password = "${var.PASSWORD}"
+ tenant_name = "${var.TENANT_NAME}"
+ region = "${var.REGION}"
+ auth_url = "${var.AUTH_URL}"
+ domain_name = "${var.DOMAIN_NAME}"
+}
+
+
+//=====================================================================
+//= GCS bucket
+//=====================================================================
+
+resource "openstack_objectstorage_container_v1" "bucket" {
+ name = "${var.BUCKETNAME}"
+ region = "${var.REGION}"
+ force_destroy = true
+}
+
+//=====================================================================
+//= Output variables
+//=====================================================================
+
+output "bucketName" {
+ value = "${openstack_objectstorage_container_v1.bucket.name}"
+}
diff --git a/components/etcd/backupinfra/provider/swift/tfvars.yaml b/components/etcd/backupinfra/provider/swift/tfvars.yaml
new file mode 100644
index 00000000..d2f5e48d
--- /dev/null
+++ b/components/etcd/backupinfra/provider/swift/tfvars.yaml
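Review bot: The banner comment above the container resource still reads `//= GCS bucket`, a leftover from the provider this file was copied from; the resource is `openstack_objectstorage_container_v1`, so `//= Swift container` is the accurate heading. `force_destroy = true` on the etcd backup container means a `terraform destroy` of the backup infrastructure also deletes every etcd snapshot stored in it; if this mirrors the other providers it is fine, but a one-line comment such as `// force_destroy: destroying the backup infra deletes all stored etcd snapshots` would spare the next reader a surprise.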
@@ -0,0 +1,19 @@
+# Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+USERNAME: (( config.credentials.username ))
+PASSWORD: (( config.credentials.password ))
+TENANT_NAME: (( config.credentials.tenantName ))
+AUTH_URL: (( config.credentials.authURL ))
+DOMAIN_NAME: (( config.credentials.domainName ))
\ No newline at end of file
diff --git a/components/etcd/backupinfra/provider/swift/variables.tf b/components/etcd/backupinfra/provider/swift/variables.tf
new file mode 100644
index 00000000..10469bf4
--- /dev/null
+++ b/components/etcd/backupinfra/provider/swift/variables.tf
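Review bot: `variables.tf` in this commit declares `REGION` and `BUCKETNAME` as variables without defaults, but this tfvars file only sets `USERNAME`, `PASSWORD`, `TENANT_NAME`, `AUTH_URL` and `DOMAIN_NAME`. Presumably both are injected by a shared backupinfra layer, as for the other providers; a short comment above the value list naming where `REGION` and `BUCKETNAME` come from would make the file self-explanatory. The optional `region` on the OpenStack credentials is not consulted here, which matches the README's statement that it is only evaluated in the `dns` block.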
@@ -0,0 +1,48 @@
+// Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+variable "USERNAME" {
+ description = "Username"
+ type = "string"
+}
+
+variable "PASSWORD" {
+ description = "Password"
+ type = "string"
+}
+
+variable "REGION" {
+ description = "Region of the swift bucket"
+ type = "string"
+}
+
+variable "BUCKETNAME" {
+ description = "Name of the bucket"
+ type = "string"
+}
+
+variable "TENANT_NAME" {
+ description = "OpenStack Tenant"
+ type = "string"
+}
+
+variable "AUTH_URL" {
+ description = "OpenStack Auth URL"
+ type = "string"
+}
+
+variable "DOMAIN_NAME" {
+ description = "OpenStack Domain Name"
+ type = "string"
+}
\ No newline at end of file
diff --git a/components/etcd/cluster/provider/swift/provider.yaml b/components/etcd/cluster/provider/swift/provider.yaml
new file mode 100644
index 00000000..880f3125
--- /dev/null
+++ b/components/etcd/cluster/provider/swift/provider.yaml
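Review bot: The descriptions for `REGION` and `BUCKETNAME` speak of a "swift bucket", while the resource created in `main.tf` is an `openstack_objectstorage_container_v1`; Swift calls this object a container. `description = "Region of the Swift container"` and `description = "Name of the Swift container"` keep the wording in line with the provider's own terminology, and `PASSWORD` could carry a slightly more specific description than `"Password"` (for example `"OpenStack user password"`) as the other OpenStack variables do.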
@@ -0,0 +1,27 @@ +# Copyright 2019 Copyright (c) 2019 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +env: + - name: "OS_AUTH_URL" + value: (( config.credentials.authURL )) + - name: "OS_DOMAIN_NAME" + value: (( config.credentials.domainName )) + - name: "OS_USERNAME" + value: (( config.credentials.username )) + - name: "OS_PASSWORD" + value: (( config.credentials.password )) + - name: "OS_TENANT_NAME" + value: (( config.credentials.tenantName )) + +volumeMounts: [] \ No newline at end of file diff --git a/components/gardencontent/initialseed/provider/openstack/iaas.yaml b/components/gardencontent/initialseed/provider/openstack/iaas.yaml index 61360a4c..6052dae9 100644 --- a/components/gardencontent/initialseed/provider/openstack/iaas.yaml +++ b/components/gardencontent/initialseed/provider/openstack/iaas.yaml @@ -13,7 +13,7 @@ # limitations under the License. floatingPools: (( landscape.iaas.floatingPools )) -keystoneURL: (( landscape.iaas.keystoneURL )) +keystoneURL: (( landscape.iaas.credentials.authURL )) zones: - region: (( providerconfig.seed.region )) names: (( providerconfig.seed.zones )) \ No newline at end of file diff --git a/components/gardencontent/profiles/provider/openstack/iaas.yaml b/components/gardencontent/profiles/provider/openstack/iaas.yaml index fccdeedd..c1cad340 100644 
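Review bot: All five OpenStack credentials, including `OS_PASSWORD`, are rendered into the pod as literal `value:` entries, so the password ends up in clear text in the rendered pod spec instead of in a Secret referenced via `valueFrom.secretKeyRef`. If the other etcd providers' `provider.yaml` files inject their credentials the same way this is at least consistent, but the file format evidently allows `volumeMounts`, so a mounted or referenced secret looks possible; at minimum add a comment such as `# credentials are inlined as env values and are visible to anyone who can read the pod spec` so the trade-off is recorded.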
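Review bot: `keystoneURL` now comes from `landscape.iaas.credentials.authURL` instead of `landscape.iaas.keystoneURL`, so a landscape file that still sets `iaas.keystoneURL` has that value silently ignored, and the README changes in this commit do not mention the move. Either document the new location (it is covered by the `authURL` presence check in acre.yaml) or keep a transitional fallback, `keystoneURL: (( landscape.iaas.credentials.authURL || landscape.iaas.keystoneURL ))`, until the old key is retired.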
--- a/components/gardencontent/profiles/provider/openstack/iaas.yaml +++ b/components/gardencontent/profiles/provider/openstack/iaas.yaml @@ -25,7 +25,7 @@ openstack: - name: haproxy machineImages: - name: coreos - image: coreos-1911.5.0 + image: coreos-2023.5.0 machineTypes: - name: medium_2_4 cpu: "2" diff --git a/components/gardener/virtual/deployment.yaml b/components/gardener/virtual/deployment.yaml index 7988f67c..8eb70fe3 100644 --- a/components/gardener/virtual/deployment.yaml +++ b/components/gardener/virtual/deployment.yaml @@ -54,6 +54,14 @@ dns_credentials: AZURE_CLIENT_SECRET: (( base64( landscape.dns.credentials.clientSecret ) )) AZURE_SUBSCRIPTION_ID: (( base64( landscape.dns.credentials.subscriptionID ) )) AZURE_TENANT_ID: (( base64( landscape.dns.credentials.tenantID ) )) + openstack-designate: + <<: (( &template )) + OS_AUTH_URL: (( base64( landscape.dns.credentials.authURL ) )) + OS_REGION_NAME: (( base64( landscape.dns.credentials.region || landscape.iaas.region ) )) + OS_USERNAME: (( base64( landscape.dns.credentials.username ) )) + OS_PASSWORD: (( base64( landscape.dns.credentials.password ) )) + OS_DOMAIN_NAME: (( base64( landscape.dns.credentials.domainName ) )) + OS_PROJECT_NAME: (( base64( landscape.dns.credentials.tenantName ) )) state: