Cherry-pick patches to ske-v1.38

VERSION

@@ -1 +1 @@
-v1.38.2
+v1.38.2-ske-1

charts/internal/cloud-provider-config/templates/cloud-provider-config-global.tpl

@@ -2,6 +2,7 @@
 auth-url="{{ .Values.authUrl }}"
 domain-name="{{ .Values.domainName }}"
 tenant-name="{{ .Values.tenantName }}"
+project-name="{{ .Values.tenantName }}"
 username="{{ .Values.username }}"
 {{- if .Values.password }}
 password="{{ .Values.password }}"

charts/internal/machine-controller-manager/seed/templates/configmap-monitoring.yaml

@@ -26,7 +26,7 @@ data:
         target_label: pod
       metric_relabel_configs:
       - source_labels: [ __name__ ]
-        regex: ^(mcm_cloud_api_requests_failed_total|mcm_cloud_api_requests_total|mcm_machine_controller_frozen|mcm_machine_current_status_phase|mcm_machine_deployment_failed_machines|mcm_machine_items_total|mcm_machine_set_failed_machines|mcm_machine_deployment_items_total|mcm_machine_set_items_total|mcm_machine_set_stale_machines_total|mcm_scrape_failure_total|process_max_fds|process_open_fds|mcm_workqueue_adds_total|mcm_workqueue_depth|mcm_workqueue_queue_duration_seconds_bucket|mcm_workqueue_queue_duration_seconds_sum|mcm_workqueue_queue_duration_seconds_count|mcm_workqueue_work_duration_seconds_bucket|mcm_workqueue_work_duration_seconds_sum|mcm_workqueue_work_duration_seconds_count|mcm_workqueue_unfinished_work_seconds|mcm_workqueue_longest_running_processor_seconds|mcm_workqueue_retries_total)$
+        regex: ^(mcm_cloud_api_requests_failed_total|mcm_cloud_api_requests_total|mcm_machine_controller_frozen|mcm_machine_current_status_phase|mcm_machine_deployment_failed_machines|mcm_machine_items_total|mcm_machine_set_failed_machines|mcm_machine_deployment_items_total|mcm_machine_set_items_total|mcm_machine_set_stale_machines_total|mcm_scrape_failure_total|process_max_fds|process_open_fds|mcm_workqueue_adds_total|mcm_workqueue_depth|mcm_workqueue_queue_duration_seconds_bucket|mcm_workqueue_queue_duration_seconds_sum|mcm_workqueue_queue_duration_seconds_count|mcm_workqueue_work_duration_seconds_bucket|mcm_workqueue_work_duration_seconds_sum|mcm_workqueue_work_duration_seconds_count|mcm_workqueue_unfinished_work_seconds|mcm_workqueue_longest_running_processor_seconds|mcm_workqueue_retries_total|mcm_machine_status_condition|mcm_machine_info)$
         action: keep
 
   alerting_rules: |

charts/internal/seed-controlplane/charts/cloud-controller-manager/templates/cloud-controller-manager.yaml

@@ -40,6 +40,9 @@ spec:
         imagePullPolicy: IfNotPresent
         command:
         - /bin/openstack-cloud-controller-manager
+        {{- if .Values.controllers }}
+        - --controllers={{ .Values.controllers }}
+        {{- end }}
         - --allocate-node-cidrs=true
         - --cloud-provider=openstack
         - --cloud-config=/etc/kubernetes/cloudprovider/cloudprovider.conf
@@ -69,8 +72,8 @@ spec:
           successThreshold: 1
           failureThreshold: 2
           initialDelaySeconds: 15
-          periodSeconds: 10
-          timeoutSeconds: 15
+          periodSeconds: 30
+          timeoutSeconds: 180
         ports:
         - containerPort: {{ include "cloud-controller-manager.port" . }}
           name: metrics

charts/internal/seed-controlplane/charts/cloud-controller-manager/values.yaml

@@ -4,6 +4,7 @@ kubernetesVersion: 1.27.4
 podNetwork: 192.168.0.0/16
 podAnnotations: {}
 podLabels: {}
+#controllers: "*"
 featureGates: {}
   # CustomResourceValidation: true
   # RotateKubeletServerCertificate: false

charts/internal/seed-controlplane/charts/csi-driver-controller/templates/configmap-observability.yaml

@@ -10,3 +10,26 @@ data:
     observedPods:
     - podPrefix: csi-driver-controller
       isExposedToUser: true
+
+  scrape_config: |
+    - job_name: csi-driver-controller
+      scheme: http
+      kubernetes_sd_configs:
+      - role: endpoints
+        namespaces:
+          names: [{{ .Release.Namespace }}]
+      relabel_configs:
+      - source_labels:
+        - __meta_kubernetes_service_name
+        - __meta_kubernetes_endpoint_port_name
+        action: keep
+        regex: csi-driver-controller;(openstack-csi-provisioner-metrics|openstack-csi-attacher-metrics)
+      # common metrics
+      - action: labelmap
+        regex: __meta_kubernetes_service_label_(.+)
+      - source_labels: [ __meta_kubernetes_pod_name ]
+        target_label: pod
+      metric_relabel_configs:
+      - source_labels: [ __name__ ]
+        regex: ^(csi_sidecar_operations_seconds_bucket|csi_sidecar_operations_seconds_count|csi_sidecar_operations_seconds_sum)$
+        action: keep

charts/internal/seed-controlplane/charts/csi-driver-controller/templates/deployment-csi-driver-controller.yaml

@@ -31,6 +31,7 @@ spec:
         role: controller
         gardener.cloud/role: controlplane
         networking.gardener.cloud/to-dns: allowed
+        networking.gardener.cloud/from-prometheus: allowed
         networking.gardener.cloud/to-public-networks: allowed
         networking.gardener.cloud/to-private-networks: allowed
         networking.resources.gardener.cloud/to-kube-apiserver-tcp-443: allowed
@@ -67,8 +68,8 @@ spec:
             path: /healthz
             port: healthz
           initialDelaySeconds: 10
-          timeoutSeconds: 3
-          periodSeconds: 10
+          timeoutSeconds: 180
+          periodSeconds: 30
           failureThreshold: 5
         volumeMounts:
         - name: socket-dir
@@ -92,11 +93,15 @@ spec:
         - --kubeconfig=/var/run/secrets/gardener.cloud/shoot/generic-kubeconfig/kubeconfig
         - --feature-gates=Topology=true
         - --volume-name-prefix=pv-{{ .Release.Namespace }}
+        - --metrics-address=0.0.0.0:8080
         - --default-fstype=ext4
         - --leader-election
         - --leader-election-namespace=kube-system
         - --timeout={{ .Values.timeout }}
         - --v=5
+        ports:
+          - containerPort: 8080
+            name: metrics
         env:
         - name: ADDRESS
           value: {{ .Values.socketPath }}/csi.sock
@@ -120,7 +125,14 @@ spec:
         - --leader-election
         - --leader-election-namespace=kube-system
         - --timeout={{ .Values.timeout }}
-        - --v=5
+        - --v=3
+        - --http-endpoint=0.0.0.0:8081
+        - --retry-interval-start=1m
+        - --retry-interval-max=15m
+        - --reconcile-sync=5m
+        ports:
+        - containerPort: 8081
+          name: metrics
         env:
         - name: ADDRESS
           value: {{ .Values.socketPath }}/csi.sock
@@ -188,6 +200,7 @@ spec:
         image: {{ index .Values.images "csi-liveness-probe" }}
         args:
         - --csi-address=/csi/csi.sock
+        - --probe-timeout=3m
 {{- if .Values.resources.livenessProbe }}
         resources:
 {{ toYaml .Values.resources.livenessProbe | indent 10 }}

charts/internal/seed-controlplane/charts/csi-driver-controller/templates/metrics-service.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: csi
+    role: controller
+  name: csi-driver-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  ports:
+    - name: openstack-csi-provisioner-metrics
+      port: 8080
+      protocol: TCP
+      targetPort: 8080
+    - name: openstack-csi-attacher-metrics
+      port: 8081
+      protocol: TCP
+      targetPort: 8081
+  selector:
+    app: csi
+    role: controller
+  type: ClusterIP
+---

charts/internal/seed-controlplane/charts/csi-driver-controller/values.yaml

@@ -12,7 +12,7 @@ images:
   csi-snapshot-validation-webhook: image-repository:image-tag
 
 socketPath: /var/lib/csi/sockets/pluginproxy
-timeout: 3m
+timeout: 6m
 userAgentHeaders: []
 
 global:
@@ -21,8 +21,11 @@ global:
 resources:
   driver:
     requests:
-      cpu: 20m
+      cpu: 250m
       memory: 50Mi
+    limits:
+      cpu: 600m
+      memory: 360Mi
   provisioner:
     requests:
       cpu: 11m

charts/internal/shoot-system-components/charts/csi-driver-node/templates/daemonset.yaml

@@ -74,8 +74,8 @@ spec:
             path: /healthz
             port: healthz
           initialDelaySeconds: 10
-          timeoutSeconds: 3
-          periodSeconds: 10
+          timeoutSeconds: 180
+          periodSeconds: 30
           failureThreshold: 5
         volumeMounts:
         - name: kubelet-dir
@@ -122,6 +122,7 @@ spec:
         image: {{ index .Values.images "csi-liveness-probe" }}
         args:
         - --csi-address={{ .Values.socketPath }}
+        - --probe-timeout=3m
 {{- if .Values.resources.livenessProbe }}
         resources:
 {{ toYaml .Values.resources.livenessProbe | indent 10 }}

hack/api-reference/api.md

@@ -1363,6 +1363,18 @@ string
 </tr>
 <tr>
 <td>
+<code>subnetId</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>SubnetID is the ID of an existing subnet.</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>shareNetwork</code></br>
 <em>
 <a href="#openstack.provider.extensions.gardener.cloud/v1alpha1.ShareNetwork">
@@ -1375,6 +1387,18 @@ ShareNetwork
 <p>ShareNetwork holds information about the share network (used for shared file systems like NFS)</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>dnsServers</code></br>
+<em>
+[]string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DNSServers overrides the default dns configuration from cloud profile</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="openstack.provider.extensions.gardener.cloud/v1alpha1.NodeStatus">NodeStatus

pkg/apis/openstack/types_infrastructure.go

@@ -43,8 +43,12 @@ type Networks struct {
 	Workers string
 	// ID is the ID of an existing private network.
 	ID *string
+	// SubnetID is the ID of an existing subnet.
+	SubnetID *string
 	// ShareNetwork holds information about the share network (used for shared file systems like NFS)
 	ShareNetwork *ShareNetwork
+	// DNSServers overrides the default dns configuration from cloud profile
+	DNSServers *[]string
 }
 
 // Router indicates whether to use an existing router or create a new one.

pkg/apis/openstack/v1alpha1/types_infrastructure.go

@@ -47,9 +47,15 @@ type Networks struct {
 	// ID is the ID of an existing private network.
 	// +optional
 	ID *string `json:"id,omitempty"`
+	// SubnetID is the ID of an existing subnet.
+	// +optional
+	SubnetID *string `json:"subnetId,omitempty"`
 	// ShareNetwork holds information about the share network (used for shared file systems like NFS)
 	// +optional
 	ShareNetwork *ShareNetwork `json:"shareNetwork,omitempty"`
+	// DNSServers overrides the default dns configuration from cloud profile
+	// +optional
+	DNSServers *[]string `json:"dnsServers,omitempty"`
 }
 
 // Router indicates whether to use an existing router or create a new one.

pkg/apis/openstack/validation/infrastructure.go

@@ -69,6 +69,15 @@ func ValidateInfrastructureConfig(infra *api.InfrastructureConfig, nodesCIDR *st
 		}
 	}
 
+	if infra.Networks.SubnetID != nil {
+		if infra.Networks.ID == nil {
+			allErrs = append(allErrs, field.Invalid(networksPath.Child("subnetId"), infra.Networks.SubnetID, "if subnet ID is provided a networkID must be provided"))
+		}
+		if _, err := uuid.Parse(*infra.Networks.SubnetID); err != nil {
+			allErrs = append(allErrs, field.Invalid(networksPath.Child("subnetId"), infra.Networks.SubnetID, "if subnet ID is provided it must be a valid OpenStack UUID"))
+		}
+	}
+
 	if infra.Networks.Router != nil && len(infra.Networks.Router.ID) == 0 {
 		allErrs = append(allErrs, field.Invalid(networksPath.Child("router", "id"), infra.Networks.Router.ID, "router id must not be empty when router key is provided"))
 	}

pkg/apis/openstack/validation/infrastructure_test.go

@@ -87,6 +87,40 @@ var _ = Describe("InfrastructureConfig validation", func() {
 				"Field": Equal("floatingPoolSubnetName"),
 			}))
 		})
+
+		It("should forbid subnet id when network id is unspecified", func() {
+			infrastructureConfig.Networks.SubnetID = pointer.String(uuid.NewString())
+
+			errorList := ValidateInfrastructureConfig(infrastructureConfig, &nodes, nilPath)
+
+			Expect(errorList).To(ConsistOfFields(Fields{
+				"Type":   Equal(field.ErrorTypeInvalid),
+				"Field":  Equal("networks.subnetId"),
+				"Detail": Equal("if subnet ID is provided a networkID must be provided"),
+			}))
+		})
+
+		It("should forbid an invalid subnet id", func() {
+			infrastructureConfig.Networks.ID = pointer.String(uuid.NewString())
+			infrastructureConfig.Networks.SubnetID = pointer.String("thisiswrong")
+
+			errorList := ValidateInfrastructureConfig(infrastructureConfig, &nodes, nilPath)
+
+			Expect(errorList).To(ConsistOfFields(Fields{
+				"Type":   Equal(field.ErrorTypeInvalid),
+				"Field":  Equal("networks.subnetId"),
+				"Detail": Equal("if subnet ID is provided it must be a valid OpenStack UUID"),
+			}))
+		})
+
+		It("should allow an valid OpenStack UUID as subnet ID", func() {
+			infrastructureConfig.Networks.ID = pointer.String(uuid.NewString())
+			infrastructureConfig.Networks.SubnetID = pointer.String(uuid.NewString())
+
+			errorList := ValidateInfrastructureConfig(infrastructureConfig, &nodes, nilPath)
+
+			Expect(errorList).To(BeEmpty())
+		})
 	})
 
 	Context("CIDR", func() {