Merge branch 'master' into monitoring-documentation

control-plane/roles/gardener/defaults/main/extensions.yaml

@@ -6,11 +6,15 @@ gardener_extension_provider_gcp_enabled: true
 gardener_extension_provider_metal_enabled: true
 gardener_extension_shoot_cert_service_enabled: true
 gardener_extension_shoot_dns_service_enabled: true
+gardener_extension_dns_powerdns_enabled: false
+gardener_extension_backup_s3_enabled: false
 
 gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}"
 gardener_networking_cilium_repo_ref: "gardener/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}"
 gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}"
 gardener_shoot_dns_service_repo_ref: "gardener/gardener-extension-shoot-dns-service/{{ gardener_shoot_dns_service_image_tag }}"
+gardener_extension_backup_s3_repo_ref: "metal-stack/gardener-extension-backup-s3/{{ gardener_extension_backup_s3_image_tag }}"
+gardener_extension_dns_powerdns_repo_ref: "metal-stack/gardener-extension-dns-powerdns/{{ gardener_extension_dns_powerdns_image_tag }}"
 
 gardener_metal_admission_replicas: 1
 gardener_metal_admission_vpa: true
@@ -86,3 +90,5 @@ gardener_shoot_dns_service_image_vector_overwrite: []
   #   tag: "0.7.1"
 gardener_shoot_dns_service_dns_controller_manager_image_name:
 gardener_shoot_dns_service_dns_controller_manager_image_tag:
+
+gardener_shoot_dns_service_dns_provider_replication: false

control-plane/roles/gardener/tasks/extensions.yaml

@@ -100,3 +100,32 @@
     - controller-deployment.yaml
     - controller-registration.yaml
   when: gardener_extension_shoot_dns_service_enabled
+
+- name: "Register controller: dns powerdns"
+  k8s:
+    definition: "{{ lookup('template', 'powerdns/{{ item }}', split_lines=False) }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: yes
+  register: result
+  until: result is success
+  retries: 10
+  delay: 6
+  loop:
+    - controller-deployment.yaml
+    - controller-registration.yaml
+  when: gardener_extension_dns_powerdns_enabled
+
+- name: "Register controller: backup s3"
+  k8s:
+    definition: "{{ lookup('template', 'backup-s3/{{ item }}', split_lines=False) }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: yes
+  tags: shoot-dns-service
+  register: result
+  until: result is success
+  retries: 10
+  delay: 6
+  loop:
+    - controller-deployment.yaml
+    - controller-registration.yaml
+  when: gardener_extension_backup_s3_enabled

control-plane/roles/gardener/templates/backup-s3/controller-deployment.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: core.gardener.cloud/v1
+kind: ControllerDeployment
+metadata:
+  name: backup-s3
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_backup_s3_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
+  values:
+    image:
+      repository: "{{ gardener_extension_backup_s3_image_name }}"
+      tag: "{{ gardener_extension_backup_s3_image_tag }}"

control-plane/roles/gardener/templates/backup-s3/controller-registration.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: backup-s3
+  annotations:
+    security.gardener.cloud/pod-security-enforce: baseline
+spec:
+  deployment:
+    deploymentRefs:
+    - name: backup-s3
+  resources:
+  - kind: BackupBucket
+    type: S3
+  - kind: BackupEntry
+    type: S3

control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2

@@ -29,7 +29,7 @@ spec:
         - owner
 {% for member in gardener_soil_project_members %}
     - apiGroup: rbac.authorization.k8s.io
-      kind: User
+      kind: "{{ member.kind | default('User') }}"
       name: "{{ member.name }}"
       role: "{{ member.role }}"
 {% if member.roles is defined %}

control-plane/roles/gardener/templates/networking-calico/controller-deployment.yaml

@@ -1,11 +1,10 @@
 ---
-apiVersion: core.gardener.cloud/v1beta1
+apiVersion: core.gardener.cloud/v1
 kind: ControllerDeployment
 metadata:
   name: networking-calico
-type: helm
-providerConfig:
-  chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener-extension-networking-calico/' + gardener_networking_calico_image_tag + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/gardener/gardener-extension-networking-calico/' + gardener_networking_calico_image_tag + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
   values:
     image:
       repository: "{{ gardener_networking_calico_image_name }}"

control-plane/roles/gardener/templates/powerdns/controller-deployment.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: core.gardener.cloud/v1
+kind: ControllerDeployment
+metadata:
+  name: powerdns
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_dns_powerdns_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
+  values:
+    image:
+      repository: "{{ gardener_extension_dns_powerdns_image_name }}"
+      tag: "{{ gardener_extension_dns_powerdns_image_tag }}"

control-plane/roles/gardener/templates/powerdns/controller-registration.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: powerdns
+  annotations:
+    security.gardener.cloud/pod-security-enforce: baseline
+spec:
+  deployment:
+    deploymentRefs:
+    - name: powerdns
+  resources:
+  - kind: DNSRecord
+    type: powerdns

control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml

@@ -1,11 +1,10 @@
 ---
-apiVersion: core.gardener.cloud/v1beta1
+apiVersion: core.gardener.cloud/v1
 kind: ControllerDeployment
 metadata:
   name: extension-shoot-dns-service
-type: helm
-providerConfig:
-  chart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_shoot_dns_service_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].providerConfig.chart }}"
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_shoot_dns_service_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
   values:
     image:
       repository: "{{ gardener_shoot_dns_service_image_name }}"
@@ -17,6 +16,9 @@ providerConfig:
 {% endif %}
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: {{ gardener_shoot_dns_service_dns_provider_replication | lower }}
+
     dnsControllerManager:
       deploy: true
 {% if gardener_shoot_dns_service_dns_controller_manager_image_name or gardener_shoot_dns_service_dns_controller_manager_image_tag %}

control-plane/roles/gardener/test/dns_extension_template_test.py

@@ -13,13 +13,12 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
         cm.getcode.return_value = 200
         cm.read.return_value = '''
 ---
-apiVersion: core.gardener.cloud/v1beta1
+apiVersion: core.gardener.cloud/v1
 kind: ControllerDeployment
 metadata:
   name: extension-shoot-dns-service
-type: helm
-providerConfig:
-  chart: a-chart
+helm:
+  rawChart: a-chart
   values:
     image:
       tag: v1.48.0
@@ -41,6 +40,7 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
                     "tag": "0.7.1",
                 },
             ],
+            "gardener_shoot_dns_service_dns_provider_replication": True,
             "gardener_shoot_dns_service_dns_controller_manager_image_name": "dns-controller-image",
             "gardener_shoot_dns_service_dns_controller_manager_image_tag": "dns-controller-tag",
         })
@@ -50,13 +50,12 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
 
         expected = '''
 ---
-apiVersion: core.gardener.cloud/v1beta1
+apiVersion: core.gardener.cloud/v1
 kind: ControllerDeployment
 metadata:
   name: extension-shoot-dns-service
-type: helm
-providerConfig:
-  chart: "a-chart"
+helm:
+  rawChart: "a-chart"
   values:
     image:
       repository: "extension-image"
@@ -67,8 +66,12 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
           repository: europe-docker.pkg.dev/gardener-project/public/dns-controller-manager
           sourceRepository: github.com/gardener/external-dns-management
           tag: 0.7.1
+
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: true
+
     dnsControllerManager:
       deploy: true
       image:

control-plane/roles/isolated-clusters/README.md

@@ -1,6 +1,6 @@
 # isolated clusters
 
-Contains roles for deploying addtional services for the isolated cluster feature as described [here](https://docs.metal-stack.io/stable/overview/isolated-kubernetes/).
+Contains roles for deploying additional services for the isolated cluster feature as described [here](https://docs.metal-stack.io/stable/overview/isolated-kubernetes/).
 
 It contains the services:
 
@@ -17,7 +17,7 @@ The `control-plane-defaults` folder contains defaults that are used by multiple
 
 | Name                                                             | Mandatory | Description                                                                                      |
 | ---------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------ |
-| isolated_clusters_virtual_garden_kubeconfig                      |           | The kubeconfig to access the virutal garden as a string value.                                              |
+| isolated_clusters_virtual_garden_kubeconfig                      |           | The kubeconfig to access the virtual garden as a string value.                                              |
 | isolated_clusters_ntp_image_name                                 |           | The image name of the ntp service for the partition.                                             |
 | isolated_clusters_ntp_image_tag                                  | yes       | The tag or version of the ntp service container image.                                           |
 | isolated_clusters_ntp_namespace                                  |           | The namespace to deploy the ntp server to.                                                       |

control-plane/roles/monitoring/templates/grafana-dashboards/gardener/gardener-usage-overview.yaml

@@ -441,7 +441,7 @@ data:
             }
           ],
           "thresholds": "",
-          "title": "Maximum Node Cound ($iaas)",
+          "title": "Maximum Node Count ($iaas)",
           "type": "singlestat",
           "valueFontSize": "80%",
           "valueMaps": [

control-plane/roles/monitoring/templates/grafana-dashboards/gardener/shoot-customization.yaml

@@ -2323,7 +2323,7 @@ data:
             "uid": "prometheus"
           },
           "decimals": null,
-          "description": "Count of Shoots which have nginx ingress conroller addon enabled.",
+          "description": "Count of Shoots which have nginx ingress controller addon enabled.",
           "format": "none",
           "gauge": {
             "maxValue": 100,

control-plane/roles/monitoring/templates/grafana-dashboards/sonic-exporter.yaml

@@ -2086,7 +2086,7 @@ data:
                   "refId": "A"
                 }
               ],
-              "title": "Tranceiver Info",
+              "title": "Transceiver Info",
               "transformations": [
                 {
                   "id": "seriesToRows",

control-plane/roles/monitoring/templates/prometheus-stack-values.yaml

@@ -403,7 +403,7 @@ additionalPrometheusRulesMap:
         labels:
           severity: "warning"
         annotations:
-          description: "{{ $value }}% of {{ $labels.networkId }} Internet IP adresses in {{ $labels.partition }} are in use."
+          description: "{{ $value }}% of {{ $labels.networkId }} Internet IP addresses in {{ $labels.partition }} are in use."
       - alert: NetworkPrefixCapacityLow
         expr: avg(metal_network_prefix_used{isPrivateSuper="true"}) by (partition, networkId) / avg(metal_network_prefix_available{isPrivateSuper="true"}) by (partition, networkId)  * 100 > 80
         for: 10m

defaults/main.yaml

@@ -58,6 +58,10 @@ metal_stack_release:
     gardener_mcm_provider_metal_image_tag: "docker-images.metal-stack.gardener.machine-controller-manager-provider-metal.tag"
     gardener_extension_audit_image_name: "docker-images.metal-stack.gardener.gardener-extension-audit.name"
     gardener_extension_audit_image_tag: "docker-images.metal-stack.gardener.gardener-extension-audit.tag"
+    gardener_extension_backup_s3_image_tag: "docker-images.metal-stack.gardener.gardener-extension-backup-s3.tag"
+    gardener_extension_backup_s3_image_name: "docker-images.metal-stack.gardener.gardener-extension-backup-s3.name"
+    gardener_extension_dns_powerdns_image_tag: "docker-images.metal-stack.gardener.gardener-extension-dns-powerdns.tag"
+    gardener_extension_dns_powerdns_image_name: "docker-images.metal-stack.gardener.gardener-extension-dns-powerdns.name"
     # kubernetes
     csi_lvm_controller_image_tag: "docker-images.metal-stack.kubernetes.csi-lvm-controller.tag"
     csi_lvm_controller_image_name: "docker-images.metal-stack.kubernetes.csi-lvm-controller.name"

partition/roles/dhcp/tasks/main.yaml

@@ -17,11 +17,14 @@
   loop_control:
     label: "{{ item.network }}"
 
-- name: install isc-dhcp-server
-  apt:
-    name:
-    - isc-dhcp-server
-    update_cache : yes
+- name: ensure config directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+  loop:
+    - /etc/dhcp
+    - /etc/default
 
 - name: render dhcpd conf
   template:
@@ -42,11 +45,20 @@
   when: dhcp_static_hosts is defined
   register: _hosts_conf
 
+- name: install isc-dhcp-server
+  apt:
+    name:
+    - isc-dhcp-server
+    update_cache : yes
+
+# we want this task to be run at this point and not at the end of the playbook
+# this is why we don't use a handler here
 - name: restart isc-dhcp-server on config change
   service:
     name: "{{ dhcp_service_name }}"
     enabled: true
     state: restarted
+    daemon-reload: true
   when: _dhcpd_conf is changed or _isc_dhcp_server is changed or _hosts_conf is changed
 
 - name: ensure isc-dhcp-server is running

partition/roles/monitoring/prometheus/files/rules/haproxy.yaml

@@ -7,4 +7,4 @@ groups:
     labels:
       severity: critical
     annotations:
-      descritption: "HAProxy reports all servers are unhealthy for {{ $labels.proxy }}"
+      description: "HAProxy reports all servers are unhealthy for {{ $labels.proxy }}"

partition/roles/sonic-upgrade/README.md

@@ -8,7 +8,7 @@ It depends on the `switch_facts` module from `ansible-common`, so make sure modu
 
 | Name                     | Mandatory | Description                                                                                                         |
 | ------------------------ | --------- | ------------------------------------------------------------------------------------------------------------------- |
-| sonic_upgrade_host       | yes       | The host from which to dowload the image.                                                                           |
+| sonic_upgrade_host       | yes       | The host from which to download the image.                                                                           |
 | sonic_upgrade_image_path |           | The path to the image. If this is given and not `sonic_upgrade_host`, the image is pushed to the device by ansible. |
 | sonic_upgrade_vrf        |           | The vrf used for pulling the upgrade image.                                                                         |
 | sonic_upgrade_protocol   |           | The protocol (http or https) to use when downloading the sonic image.                                               |