Allow s3 for virtual garden etcd (#314)

metal-stack · Sep 11, 2024 · f2c3897 · f2c3897
1 parent 1018381
commit f2c3897
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 12 deletions.
diff --git a/control-plane/roles/gardener/README.md b/control-plane/roles/gardener/README.md
@@ -21,7 +21,7 @@ Check out the Gardener project for further documentation on [gardener.cloud](htt
 | gardener_scheduler_resources                           |           | Set custom resource definitions for the gardener-scheduler                                                                                                                                                  |
 | gardener_dns_domain                                    |           | Specifies the DNS domain on which the Gardener will manage DNS entries                                                                                                                                      |
 | gardener_dns_provider                                  | yes       | Specifies the DNS provider                                                                                                                                                                                  |
-| gardener_backup_infrastructure                         |           | Specifies the Gardener backup infrastructure                                                                                                                                                                |
+| gardener_backup_infrastructure                         |           | Specifies the Gardener backup infrastructure, required when `gardener_backup_infrastructure_secret` is set                                                                                                  |
 | gardener_backup_infrastructure_secret                  |           | Specifies the secret for the backup infrastructure                                                                                                                                                          |
 | gardener_soil_name                                     |           | The name of the initial `Seed` (used for spinning up shooted seeds)                                                                                                                                         |
 | gardener_soil_kubeconfig_file_path                     |           | The kubeconfig path to the initial seed cluster                                                                                                                                                             |

diff --git a/control-plane/roles/gardener/defaults/main/gardener.yaml b/control-plane/roles/gardener/defaults/main/gardener.yaml
@@ -35,7 +35,26 @@ gardener_dns_domain:
 gardener_dns_provider:
 
 gardener_backup_infrastructure:
+  # provider: gcp
+  # region:
+  # secretRef:
+  #  name: backup-secret
+  #  namespace: garden
+  # bucket:
+  #
+  # provider: S3
+  # endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
+  # accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
+  # secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
+
 gardener_backup_infrastructure_secret:
+  # for gcp:
+  # serviceaccount.json: "{{ gardener_backup_infrastructure_service_account_json | b64encode }}"
+  #
+  # for S3:
+  # endpoint:
+  # accessKeyID:
+  # secretAccessKey:
 
 gardener_soil_name: "{{ metal_control_plane_stage_name }}"
 gardener_soil_kubeconfig_file_path: "{{ lookup('env', 'KUBECONFIG') }}"

diff --git a/control-plane/roles/gardener/tasks/main.yaml b/control-plane/roles/gardener/tasks/main.yaml
@@ -55,6 +55,7 @@
       - gardener_dns_provider is not none
       - gardener_cloud_profile_metal_api_url is not none
       - gardener_cloud_profile_metal_api_hmac is not none
+      - gardener_backup_infrastructure_secret is none or (gardener_backup_infrastructure is not none and gardener_backup_infrastructure.provider in ["gcp", "S3"])
       - gardener_cert_management_issuer_email is not none
 
 - name: Deploy required Seed CRDs

diff --git a/control-plane/roles/gardener/tasks/shooted_seed.yaml b/control-plane/roles/gardener/tasks/shooted_seed.yaml
@@ -13,16 +13,6 @@
     apply: yes
   when: gardener_backup_infrastructure_secret
 
-- name: Create backup infrastructure config for shooted seed
-  set_fact:
-    gardener_shooted_seed_backup_infratructure:
-      provider: "{{ gardener_backup_infrastructure.provider }}"
-      region: "{{ gardener_backup_infrastructure.region }}"
-      secretRef:
-        name: "{{ gardener_shooted_seed.name }}-backup-secret"
-        namespace: garden
-  when: gardener_backup_infrastructure_secret
-
 - name: Add seed provider secret
   k8s:
     definition:

diff --git a/control-plane/roles/gardener/templates/etcd-values.j2 b/control-plane/roles/gardener/templates/etcd-values.j2
@@ -5,10 +5,16 @@ images:
 {% if gardener_backup_infrastructure_secret %}
 backup:
   storageContainer: {{ gardener_backup_infrastructure.bucket }}
-{% if metal_control_plane_host_provider == "gcp" %}
+{% if gardener_backup_infrastructure.provider == "gcp" %}
   storageProvider: "GCS"
   gcs:
     serviceAccountJson: {{ gardener_backup_infrastructure_service_account_json | to_json }}
+{% elif gardener_backup_infrastructure.provider == "S3" %}
+  storageProvider: "ECS"
+  ecs:
+    endpoint: "{{ gardener_backup_infrastructure_secret.endpoint | b64decode }}"
+    accessKeyID: "{{ gardener_backup_infrastructure_secret.accessKeyID | b64decode }}"
+    secretAccessKey: "{{ gardener_backup_infrastructure_secret.secretAccessKey | b64decode}}"
 {% endif %}
 {% endif %}