Merge tag 'v0.14.7' into multiple-remote-write-targets

control-plane/roles/gardener/defaults/main/extensions.yaml

@@ -6,11 +6,17 @@ gardener_extension_provider_gcp_enabled: true
 gardener_extension_provider_metal_enabled: true
 gardener_extension_shoot_cert_service_enabled: true
 gardener_extension_shoot_dns_service_enabled: true
+gardener_extension_dns_powerdns_enabled: false
+gardener_extension_backup_s3_enabled: false
+gardener_extension_csi_driver_lvm_enabled: false
 
 gardener_extension_provider_metal_repo_ref: "{{ gardener_extension_provider_metal_image_tag }}"
 gardener_networking_cilium_repo_ref: "gardener/gardener-extension-networking-cilium/{{ gardener_networking_cilium_image_tag }}"
 gardener_os_controller_repo_ref: "{{ gardener_os_controller_image_tag }}"
 gardener_shoot_dns_service_repo_ref: "gardener/gardener-extension-shoot-dns-service/{{ gardener_shoot_dns_service_image_tag }}"
+gardener_extension_backup_s3_repo_ref: "metal-stack/gardener-extension-backup-s3/{{ gardener_extension_backup_s3_image_tag }}"
+gardener_extension_dns_powerdns_repo_ref: "metal-stack/gardener-extension-dns-powerdns/{{ gardener_extension_dns_powerdns_image_tag }}"
+gardener_extension_csi_driver_lvm_repo_ref: "metal-stack/gardener-extension-csi-driver-lvm/{{ gardener_extension_csi_driver_lvm_image_tag }}"
 
 gardener_metal_admission_replicas: 1
 gardener_metal_admission_vpa: true
@@ -86,3 +92,5 @@ gardener_shoot_dns_service_image_vector_overwrite: []
   #   tag: "0.7.1"
 gardener_shoot_dns_service_dns_controller_manager_image_name:
 gardener_shoot_dns_service_dns_controller_manager_image_tag:
+
+gardener_shoot_dns_service_dns_provider_replication: false

control-plane/roles/gardener/defaults/main/virtual_garden.yaml

@@ -1,6 +1,7 @@
 ---
 gardener_virtual_api_server_svc_cluster_ip_add: 20
 gardener_virtual_api_server_public_dns: gardener-kube-apiserver.{{ metal_control_plane_ingress_dns }}
+gardener_virtual_api_server_public_port: 443
 gardener_virtual_api_server_healthcheck_static_token:
 
 gardener_etcd_backup_schedule: "0,5,10,15,20,25,30,35,40,45,50,55 * * * *"
@@ -15,6 +16,8 @@ gardener_etcd_resources:
     cpu: 800m
     memory: 8Gi
 
+gardener_virtual_api_replicas: 3
+
 gardener_virtual_api_oidc_issuer_url:
 gardener_virtual_api_oidc_client_id:
 gardener_virtual_api_oidc_username_claim:

control-plane/roles/gardener/files/kube-apiserver/templates/_helpers.tpl

@@ -66,7 +66,7 @@ contexts:
 clusters:
 - cluster:
     certificate-authority-data: {{ .Values.tls.kubeAPIServer.ca.crt | b64enc }}
-    server: https://{{ .Values.apiServer.hostname }}:443
+    server: https://{{ .Values.apiServer.hostname }}:{{ .Values.apiServer.adminKubeconfigPort }}
   name: garden
 users:
 - name: admin

control-plane/roles/gardener/files/kube-apiserver/values.yaml

@@ -22,6 +22,7 @@ replicas: 3
 apiServer:
   hostname: 127.0.0.1
   serviceName: garden-kube-apiserver
+  adminKubeconfigPort: 443
 
 oidc:
   issuerURL:

control-plane/roles/gardener/tasks/extensions.yaml

@@ -100,3 +100,47 @@
     - controller-deployment.yaml
     - controller-registration.yaml
   when: gardener_extension_shoot_dns_service_enabled
+
+- name: "Register controller: dns powerdns"
+  k8s:
+    definition: "{{ lookup('template', 'powerdns/{{ item }}', split_lines=False) }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: yes
+  register: result
+  until: result is success
+  retries: 10
+  delay: 6
+  loop:
+    - controller-deployment.yaml
+    - controller-registration.yaml
+  when: gardener_extension_dns_powerdns_enabled
+
+- name: "Register controller: backup s3"
+  k8s:
+    definition: "{{ lookup('template', 'backup-s3/{{ item }}', split_lines=False) }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: yes
+  tags: shoot-dns-service
+  register: result
+  until: result is success
+  retries: 10
+  delay: 6
+  loop:
+    - controller-deployment.yaml
+    - controller-registration.yaml
+  when: gardener_extension_backup_s3_enabled
+
+- name: "Register controller: csi-driver-lvm"
+  k8s:
+    definition: "{{ lookup('template', 'csi-driver-lvm/{{ item }}', split_lines=False) }}"
+    kubeconfig: "{{ gardener_kube_apiserver_kubeconfig_path }}"
+    apply: yes
+  tags: csi-driver-lvm
+  register: result
+  until: result is success
+  retries: 10
+  delay: 6
+  loop:
+    - controller-deployment.yaml
+    - controller-registration.yaml
+  when: gardener_extension_csi_driver_lvm_enabled

control-plane/roles/gardener/tasks/gardener.yaml

@@ -68,5 +68,5 @@
   delay: 6
   until:
     - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='gardener-apiserver').get('status', {}).get('readyReplicas', 0) >= 1
-    - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='garden-kube-apiserver').get('status', {}).get('readyReplicas', 0) >= 3
+    - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='garden-kube-apiserver').get('status', {}).get('readyReplicas', 0) >= gardener_virtual_api_replicas
     - lookup('k8s', api_version='apps/v1', kind='Deployment', namespace='garden', resource_name='gardener-controller-manager').get('status', {}).get('readyReplicas', 0) >= 1

control-plane/roles/gardener/tasks/virtual_garden.yaml

@@ -46,5 +46,5 @@
 - name: Wait for garden-kube-apiserver
   wait_for:
     host: "{{ gardener_virtual_api_server_public_dns }}"
-    port: "443"
+    port: "{{ gardener_virtual_api_server_public_port }}"
     timeout: 60

control-plane/roles/gardener/templates/backup-s3/controller-deployment.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: core.gardener.cloud/v1
+kind: ControllerDeployment
+metadata:
+  name: backup-s3
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_backup_s3_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
+  values:
+    image:
+      repository: "{{ gardener_extension_backup_s3_image_name }}"
+      tag: "{{ gardener_extension_backup_s3_image_tag }}"

control-plane/roles/gardener/templates/backup-s3/controller-registration.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: backup-s3
+  annotations:
+    security.gardener.cloud/pod-security-enforce: baseline
+spec:
+  deployment:
+    deploymentRefs:
+    - name: backup-s3
+  resources:
+  - kind: BackupBucket
+    type: S3
+  - kind: BackupEntry
+    type: S3

control-plane/roles/gardener/templates/csi-driver-lvm/controller-deployment.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: core.gardener.cloud/v1
+kind: ControllerDeployment
+metadata:
+  name: csi-driver-lvm
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_csi_driver_lvm_image_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
+  values:
+    image:
+      repository: {{ gardener_extension_csi_driver_lvm_image_name }}
+      tag: {{ gardener_extension_csi_driver_lvm_image_tag }}
+      pullPolicy: Always

control-plane/roles/gardener/templates/csi-driver-lvm/controller-registration.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: csi-driver-lvm
+spec:
+  deployment:
+    policy: Always
+    deploymentRefs:
+    - name: csi-driver-lvm
+  resources:
+  - kind: Extension
+    type: csi-driver-lvm

control-plane/roles/gardener/templates/etcd-values.j2

@@ -14,7 +14,7 @@ backup:
   ecs:
     endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
     accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
-    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
+    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode }}"
 {% endif %}
 {% endif %}
 

control-plane/roles/gardener/templates/gardener-soil-project.yaml.j2

@@ -29,7 +29,7 @@ spec:
         - owner
 {% for member in gardener_soil_project_members %}
     - apiGroup: rbac.authorization.k8s.io
-      kind: User
+      kind: "{{ member.kind | default('User') }}"
       name: "{{ member.name }}"
       role: "{{ member.role }}"
 {% if member.roles is defined %}

control-plane/roles/gardener/templates/kube-apiserver-values.j2

@@ -3,9 +3,12 @@ images:
   apiserver: {{ gardener_virtual_api_server_image_name }}:{{ gardener_virtual_api_server_image_tag }}
   controllermanager: {{ gardener_virtual_controller_manager_image_name }}:{{ gardener_virtual_controller_manager_image_tag }}
 
+replicas: {{ gardener_virtual_api_replicas }}
+
 apiServer:
   hostname: {{ gardener_virtual_api_server_public_dns }}
   serviceName: garden-kube-apiserver
+  adminKubeconfigPort: {{ gardener_virtual_api_server_public_port }}
 
 oidc:
   issuerURL: {% if gardener_virtual_api_oidc_issuer_url %}{{ gardener_virtual_api_oidc_issuer_url }}{% endif %}

control-plane/roles/gardener/templates/powerdns/controller-deployment.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: core.gardener.cloud/v1
+kind: ControllerDeployment
+metadata:
+  name: powerdns
+helm:
+  rawChart: "{{ (lookup('url', 'https://raw.githubusercontent.com/' + gardener_extension_dns_powerdns_repo_ref + '/example/controller-registration.yaml', split_lines=False) | from_yaml_all | list)[0].helm.rawChart }}"
+  values:
+    image:
+      repository: "{{ gardener_extension_dns_powerdns_image_name }}"
+      tag: "{{ gardener_extension_dns_powerdns_image_tag }}"

control-plane/roles/gardener/templates/powerdns/controller-registration.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: core.gardener.cloud/v1beta1
+kind: ControllerRegistration
+metadata:
+  name: powerdns
+  annotations:
+    security.gardener.cloud/pod-security-enforce: baseline
+spec:
+  deployment:
+    deploymentRefs:
+    - name: powerdns
+  resources:
+  - kind: DNSRecord
+    type: powerdns

control-plane/roles/gardener/templates/shoot-dns-service/controller-deployment.yaml

@@ -16,6 +16,9 @@ helm:
 {% endif %}
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: {{ gardener_shoot_dns_service_dns_provider_replication | lower }}
+
     dnsControllerManager:
       deploy: true
 {% if gardener_shoot_dns_service_dns_controller_manager_image_name or gardener_shoot_dns_service_dns_controller_manager_image_tag %}

control-plane/roles/gardener/test/dns_extension_template_test.py

@@ -40,6 +40,7 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
                     "tag": "0.7.1",
                 },
             ],
+            "gardener_shoot_dns_service_dns_provider_replication": True,
             "gardener_shoot_dns_service_dns_controller_manager_image_name": "dns-controller-image",
             "gardener_shoot_dns_service_dns_controller_manager_image_tag": "dns-controller-tag",
         })
@@ -65,8 +66,12 @@ def test_shoot_dns_extension_controller_deployment_template(self, mock_urlopen):
           repository: europe-docker.pkg.dev/gardener-project/public/dns-controller-manager
           sourceRepository: github.com/gardener/external-dns-management
           tag: 0.7.1
+
     dnsProviderManagement:
       enabled: true
+    dnsProviderReplication:
+      enabled: true
+
     dnsControllerManager:
       deploy: true
       image:

control-plane/roles/isolated-clusters/README.md

@@ -1,6 +1,6 @@
 # isolated clusters
 
-Contains roles for deploying addtional services for the isolated cluster feature as described [here](https://docs.metal-stack.io/stable/overview/isolated-kubernetes/).
+Contains roles for deploying additional services for the isolated cluster feature as described [here](https://docs.metal-stack.io/stable/overview/isolated-kubernetes/).
 
 It contains the services:
 
@@ -17,7 +17,7 @@ The `control-plane-defaults` folder contains defaults that are used by multiple
 
 | Name                                                             | Mandatory | Description                                                                                      |
 | ---------------------------------------------------------------- | --------- | ------------------------------------------------------------------------------------------------ |
-| isolated_clusters_virtual_garden_kubeconfig                      |           | The kubeconfig to access the virutal garden as a string value.                                              |
+| isolated_clusters_virtual_garden_kubeconfig                      |           | The kubeconfig to access the virtual garden as a string value.                                              |
 | isolated_clusters_ntp_image_name                                 |           | The image name of the ntp service for the partition.                                             |
 | isolated_clusters_ntp_image_tag                                  | yes       | The tag or version of the ntp service container image.                                           |
 | isolated_clusters_ntp_namespace                                  |           | The namespace to deploy the ntp server to.                                                       |

control-plane/roles/monitoring/templates/grafana-dashboards/gardener/gardener-usage-overview.yaml

@@ -441,7 +441,7 @@ data:
             }
           ],
           "thresholds": "",
-          "title": "Maximum Node Cound ($iaas)",
+          "title": "Maximum Node Count ($iaas)",
           "type": "singlestat",
           "valueFontSize": "80%",
           "valueMaps": [

control-plane/roles/monitoring/templates/grafana-dashboards/gardener/shoot-customization.yaml

@@ -2323,7 +2323,7 @@ data:
             "uid": "prometheus"
           },
           "decimals": null,
-          "description": "Count of Shoots which have nginx ingress conroller addon enabled.",
+          "description": "Count of Shoots which have nginx ingress controller addon enabled.",
           "format": "none",
           "gauge": {
             "maxValue": 100,

control-plane/roles/monitoring/templates/grafana-dashboards/sonic-exporter.yaml

@@ -2086,7 +2086,7 @@ data:
                   "refId": "A"
                 }
               ],
-              "title": "Tranceiver Info",
+              "title": "Transceiver Info",
               "transformations": [
                 {
                   "id": "seriesToRows",

control-plane/roles/monitoring/templates/prometheus-stack-values.yaml

@@ -403,7 +403,7 @@ additionalPrometheusRulesMap:
         labels:
           severity: "warning"
         annotations:
-          description: "{{ $value }}% of {{ $labels.networkId }} Internet IP adresses in {{ $labels.partition }} are in use."
+          description: "{{ $value }}% of {{ $labels.networkId }} Internet IP addresses in {{ $labels.partition }} are in use."
       - alert: NetworkPrefixCapacityLow
         expr: avg(metal_network_prefix_used{isPrivateSuper="true"}) by (partition, networkId) / avg(metal_network_prefix_available{isPrivateSuper="true"}) by (partition, networkId)  * 100 > 80
         for: 10m

defaults/main.yaml

@@ -58,6 +58,12 @@ metal_stack_release:
     gardener_mcm_provider_metal_image_tag: "docker-images.metal-stack.gardener.machine-controller-manager-provider-metal.tag"
     gardener_extension_audit_image_name: "docker-images.metal-stack.gardener.gardener-extension-audit.name"
     gardener_extension_audit_image_tag: "docker-images.metal-stack.gardener.gardener-extension-audit.tag"
+    gardener_extension_backup_s3_image_tag: "docker-images.metal-stack.gardener.gardener-extension-backup-s3.tag"
+    gardener_extension_backup_s3_image_name: "docker-images.metal-stack.gardener.gardener-extension-backup-s3.name"
+    gardener_extension_dns_powerdns_image_tag: "docker-images.metal-stack.gardener.gardener-extension-dns-powerdns.tag"
+    gardener_extension_dns_powerdns_image_name: "docker-images.metal-stack.gardener.gardener-extension-dns-powerdns.name"
+    gardener_extension_csi_driver_lvm_image_tag: "docker-images.metal-stack.gardener.gardener-extension-csi-driver-lvm.tag"
+    gardener_extension_csi_driver_lvm_image_name: "docker-images.metal-stack.gardener.gardener-extension-csi-driver-lvm.name"
     # kubernetes
     csi_lvm_controller_image_tag: "docker-images.metal-stack.kubernetes.csi-lvm-controller.tag"
     csi_lvm_controller_image_name: "docker-images.metal-stack.kubernetes.csi-lvm-controller.name"

partition/roles/dhcp/defaults/main.yaml

@@ -19,7 +19,7 @@ dhcp_global_options: []
 # examples:
 # - default-url = "http://{{ ansible_host }}/onie-installer"
 # - ztp_provisioning_script_url code 239 = text
-# - ztp_provisioning_script_url "http://{{ ansible_host }}/ztp.sh"
+# - ztp_provisioning_script_url "http://{{ ansible_host }}/user.sh"
 
 dhcp_global_deny_list: []
 # examples:

partition/roles/dhcp/tasks/main.yaml

@@ -17,11 +17,14 @@
   loop_control:
     label: "{{ item.network }}"
 
-- name: install isc-dhcp-server
-  apt:
-    name:
-    - isc-dhcp-server
-    update_cache : yes
+- name: ensure config directories are present
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0755
+  loop:
+    - /etc/dhcp
+    - /etc/default
 
 - name: render dhcpd conf
   template:
@@ -42,11 +45,20 @@
   when: dhcp_static_hosts is defined
   register: _hosts_conf
 
+- name: install isc-dhcp-server
+  apt:
+    name:
+    - isc-dhcp-server
+    update_cache : yes
+
+# we want this task to be run at this point and not at the end of the playbook
+# this is why we don't use a handler here
 - name: restart isc-dhcp-server on config change
   service:
     name: "{{ dhcp_service_name }}"
     enabled: true
     state: restarted
+    daemon-reload: true
   when: _dhcpd_conf is changed or _isc_dhcp_server is changed or _hosts_conf is changed
 
 - name: ensure isc-dhcp-server is running

partition/roles/monitoring/blackbox-exporter/README.md

@@ -0,0 +1,14 @@
+# blackbox-exporter
+
+Deploys the blackbox-exporter in a systemd-managed Docker container.
+
+## Variables
+
+This role uses variables from [partition-defaults](/partition). So, make sure you define them adequately as well.
+
+| Name                                      | Mandatory | Description                                  |
+| ----------------------------------------- | --------- | -------------------------------------------- |
+| monitoring_blackbox_exporter_etc_host_dir |           | The host directory for the blackbox exporter |
+| monitoring_blackbox_exporter_image_name   |           | Image name of the blackblox exporter         |
+| monitoring_blackbox_exporter_image_tag    |           | Image tag of the blackbox exporter           |
+| monitoring_blackbox_exporter_port         |           | Port for the blackblox exporter              |