Merge remote-tracking branch 'origin' into monitoring-documentation

control-plane/roles/gardener/README.md

@@ -21,7 +21,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt
 | gardener_scheduler_resources                           |           | Set custom resource definitions for the gardener-scheduler                                                                                                                                                  |
 | gardener_dns_domain                                    |           | Specifies the DNS domain on which the Gardener will manage DNS entries                                                                                                                                      |
 | gardener_dns_provider                                  | yes       | Specifies the DNS provider                                                                                                                                                                                  |
-| gardener_backup_infrastructure                         |           | Specifies the Gardener backup infrastructure                                                                                                                                                                |
+| gardener_backup_infrastructure                         |           | Specifies the Gardener backup infrastructure, required when `gardener_backup_infrastructure_secret` is set                                                                                                  |
 | gardener_backup_infrastructure_secret                  |           | Specifies the secret for the backup infrastructure                                                                                                                                                          |
 | gardener_soil_name                                     |           | The name of the initial `Seed` (used for spinning up shooted seeds)                                                                                                                                         |
 | gardener_soil_kubeconfig_file_path                     |           | The kubeconfig path to the initial seed cluster                                                                                                                                                             |
@@ -112,6 +112,9 @@ This includes the metal-stack extension provider called [gardener-extension-prov
 | gardener_extension_provider_metal_image_pull_policy          |           | Sets the image pull policy for components deployed through this extension controller.                                                       |
 | gardener_extension_provider_metal_image_pull_secret          |           | Provide image pull secrets for deployed containers                                                                                          |
 | gardener_cert_management_issuer_private_key                  |           | The Let's Encrypt private key used by the cert-management extension controller to setup signed certificates                                 |
+| gardener_extension_networking_cilium_image_vector_overwrite  |           | Allows overriding the image vector for the networking cilium extension                                                                      |
+| gardener_cert_management_issuer_email                        |           | The issuer email used by the cert-management extension                                                                                      |
+| gardener_cert_management_issuer_server                       |           | The issuer server used by the cert-management extension                                                                                     |
 
 ### Certificates
 

control-plane/roles/gardener/defaults/main/extensions.yaml

@@ -65,5 +65,13 @@ gardener_extension_provider_metal_image_pull_secret:
   # ...
 
 gardener_cert_management_issuer_private_key: ""
+gardener_cert_management_issuer_server: https://acme-v02.api.letsencrypt.org/directory
+gardener_cert_management_issuer_email:
 
 gardener_extension_dns_external_controller_registration_url:
+
+gardener_extension_networking_cilium_image_vector_overwrite: []
+  # - name: <image-name>
+  #   sourceRepository: /source/repository
+  #   repository: /repository
+  #   tag: <tag>

control-plane/roles/gardener/defaults/main/gardener.yaml

@@ -35,7 +35,26 @@ gardener_dns_domain:
 gardener_dns_provider:
 
 gardener_backup_infrastructure:
+  # provider: gcp
+  # region:
+  # secretRef:
+  #  name: backup-secret
+  #  namespace: garden
+  # bucket:
+  #
+  # provider: S3
+  # endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
+  # accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
+  # secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
+
 gardener_backup_infrastructure_secret:
+  # for gcp:
+  # serviceaccount.json: "{{ gardener_backup_infrastructure_service_account_json | b64encode }}"
+  #
+  # for S3:
+  # endpoint:
+  # accessKeyID:
+  # secretAccessKey:
 
 gardener_soil_name: "{{ metal_control_plane_stage_name }}"
 gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}"

control-plane/roles/gardener/tasks/main.yaml

@@ -55,6 +55,8 @@
       - gardener_dns_provider is not none
       - gardener_cloud_profile_metal_api_url is not none
       - gardener_cloud_profile_metal_api_hmac is not none
+      - gardener_backup_infrastructure_secret is none or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"])
+      - gardener_cert_management_issuer_email is not none
 
 - name: Deploy required Seed CRDs
   k8s:

control-plane/roles/gardener/tasks/shooted_seed.yaml

@@ -13,16 +13,6 @@
     apply: yes
   when: gardener_backup_infrastructure_secret
 
-- name: Create backup infrastructure config for shooted seed
-  set_fact:
-    gardener_shooted_seed_backup_infratructure:
-      provider: "{{ gardener_backup_infrastructure.provider }}"
-      region: "{{ gardener_backup_infrastructure.region }}"
-      secretRef:
-        name: "{{ gardener_shooted_seed.name }}-backup-secret"
-        namespace: garden
-  when: gardener_backup_infrastructure_secret
-
 - name: Add seed provider secret
   k8s:
     definition:

control-plane/roles/gardener/templates/etcd-values.j2

@@ -5,10 +5,16 @@ images:
 {% if gardener_backup_infrastructure_secret %}
 backup:
   storageContainer: {{ gardener_backup_infrastructure.bucket }}
-{% if metal_control_plane_host_provider == "gcp" %}
+{% if gardener_backup_infrastructure.provider == "gcp" %}
   storageProvider: "GCS"
   gcs:
     serviceAccountJson: {{ gardener_backup_infrastructure_service_account_json | to_json }}
+{% elif gardener_backup_infrastructure.provider == "S3" %}
+  storageProvider: "ECS"
+  ecs:
+    endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
+    accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
+    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
 {% endif %}
 {% endif %}
 

control-plane/roles/gardener/templates/networking-cilium/controller-deployment.yaml

@@ -11,21 +11,8 @@ providerConfig:
       repository: "{{ gardener_networking_cilium_image_name }}"
       tag: "{{ gardener_networking_cilium_image_tag }}"
       pullPolicy: Always
+{% if gardener_extension_networking_cilium_image_vector_overwrite %}
     imageVectorOverwrite: |
       images:
-        - name: cilium-agent
-          sourceRepository: github.com/cilium/cilium
-          repository: quay.io/cilium/cilium
-          tag: v1.12.1
-        - name: cilium-preflight
-          sourceRepository: github.com/cilium/cilium
-          repository: quay.io/cilium/cilium
-          tag: v1.12.1
-        - name: cilium-operator
-          sourceRepository: github.com/cilium/cilium
-          repository: quay.io/cilium/operator
-          tag: v1.12.1
-        - name: hubble-relay
-          sourceRepository: github.com/cilium/hubble-ui
-          repository: quay.io/cilium/hubble-relay
-          tag: v1.12.1
+        {{ gardener_extension_networking_cilium_image_vector_overwrite | to_nice_yaml(indent=2) | indent(width=8, first=false) }}
+{% endif %}

control-plane/roles/gardener/templates/shoot-cert-service/controller-deployment.yaml

@@ -15,7 +15,7 @@ providerConfig:
       defaultIssuer:
         restricted: true # restrict default issuer to any sub-domain of shoot.spec.dns.domain
         acme:
-          email: [email protected]
-          server: https://acme-v02.api.letsencrypt.org/directory
+          email: "{{ gardener_cert_management_issuer_email }}"
+          server: "{{ gardener_cert_management_issuer_server }}"
           privateKey: |
             {{ gardener_cert_management_issuer_private_key | indent(width=12, first=false) }}

partition/roles/monitoring/prometheus/templates/prometheus.yaml.j2

@@ -34,9 +34,11 @@ alerting:
 {% if prometheus_remote_write_url %}
 remote_write:
 - url: {{ prometheus_remote_write_url }}
+  {% if prometheus_remote_write_basic_auth_username is defined and prometheus_remote_write_basic_auth_password is defined %}
   basic_auth:
     username: {{ prometheus_remote_write_basic_auth_username }}
     password: {{ prometheus_remote_write_basic_auth_password }}
+  {% endif %}
 {% endif %}
 
 # Load rules once and periodically evaluate them according to the global 'evaluation_interval'.

partition/roles/promtail/templates/promtail.yaml.j2

@@ -8,9 +8,11 @@ positions:
 clients:
   - url: {{ promtail_loki_push_endpoint }}
     timeout: 60s
+    {% if promtail_loki_basic_auth_username is defined and promtail_loki_basic_auth_password is defined %}
     basic_auth:
       username: {{ promtail_loki_basic_auth_username }}
       password: {{ promtail_loki_basic_auth_password }}
+    {% endif %}
 
 scrape_configs:
 {{ promtail_scrape_configs|to_yaml(indent=2) }}