add documentation about cloudprovider

Signed-off-by: Felix Breuer <f.breuer94@gmail.com>

Author: breuerfelix

docs/cloudprovider.md

@@ -0,0 +1,70 @@
+# CloudProvider Configuration
+
+This document describes the CloudProvider configuration for the STACKIT Gardener Extension, including the cloudprovider secret and the `CloudProfileConfig`.
+
+## CloudProvider Secret
+
+The cloudprovider secret requires the following fields:
+
+| Field                | Key                   | Description                                            | Required |
+| -------------------- | --------------------- | ------------------------------------------------------ | -------- |
+| Project ID           | `project-id`          | The STACKIT project identifier                         | Yes      |
+| Service Account JSON | `serviceaccount.json` | The STACKIT service account credentials in JSON format | Yes      |
+
+**Example Secret:**
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudprovider
+  namespace: shoot--<project>--<cluster>
+type: Opaque
+stringData:
+  project-id: <project-id>
+  serviceaccount.json: <sa-json>
+```
+
+The service account needs the following permissions:
+
+| Permission                     | Purpose                               |
+| ------------------------------ | ------------------------------------- |
+| `nlb.admin`                    | create network load balancer          |
+| `blockstorage.admin`           | CSI driver                            |
+| `compute.admin`                | CCM node-controller                   |
+| `iaas.network.admin`           | bastion and infrastructure controller |
+| `iaas.isoplated-network.admin` | infrastructure controller             |
+
+## CloudProfileConfig Fields
+
+Example with comments:
+
+```yaml
+providerConfig:
+  # image mappings used for bastion and workers
+  machineImages:
+    - name: ubuntu
+      versions:
+        - version: "22.04"
+          regions:
+            - name: eu01
+              # provider-specific image ID
+              id: <image-id>
+              architecture: amd64
+  # rescan block devices after resize
+  rescanBlockStorageOnResize: true
+  # max volumes attached per node
+  nodeVolumeAttachLimit: 30
+  # list of IPs of DNS servers used while creating subnets
+  dnsServers:
+    - 1.1.1.1
+  # /etc/resolv.conf options for workers
+  resolvConfOptions: []
+  # shoot storage classes
+  storageClasses:
+    - name: default
+      default: true
+      parameters:
+        type: "storage_premium_perf4"
+      provisioner: block-storage.csi.stackit.cloud
+```

pkg/apis/stackit/v1alpha1/types_cloudprofile.go

@@ -16,53 +16,61 @@ import (
 type CloudProfileConfig struct {
 	metav1.TypeMeta `json:",inline"`
 	// Constraints is an object containing constraints for certain values in the control plane config.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	Constraints Constraints `json:"constraints"`
 	// DNSServers is a list of IPs of DNS servers used while creating subnets.
 	// +optional
 	DNSServers []string `json:"dnsServers,omitempty"`
 	// DHCPDomain is the dhcp domain of the OpenStack system configured in nova.conf. Only meaningful for
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// Kubernetes 1.10.1+. See https://github.com/kubernetes/kubernetes/pull/61890 for details.
 	// +optional
 	DHCPDomain *string `json:"dhcpDomain,omitempty"`
 	// KeyStoneURL is the URL for auth{n,z} in OpenStack (pointing to KeyStone).
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	KeyStoneURL string `json:"keystoneURL,omitempty"`
 	// KeystoneCACert is the CA Bundle for the KeyStoneURL.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	KeyStoneCACert *string `json:"keystoneCACert,omitempty"`
 	// KeyStoneForceInsecure is a flag to control whether the OpenStack client should perform no certificate validation.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	KeyStoneForceInsecure bool `json:"keystoneForceInsecure,omitempty"`
 	// KeyStoneURLs is a region-URL mapping for auth{n,z} in OpenStack (pointing to KeyStone).
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	KeyStoneURLs []KeyStoneURL `json:"keystoneURLs,omitempty"`
 	// MachineImages is the list of machine images that are understood by the controller. It maps
 	// logical names and versions to provider-specific identifiers.
 	MachineImages []MachineImages `json:"machineImages"`
 	// RequestTimeout specifies the HTTP timeout against the OpenStack API.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	RequestTimeout *metav1.Duration `json:"requestTimeout,omitempty"`
 	// RescanBlockStorageOnResize specifies whether the storage plugin scans and checks new block device size before it resizes
 	// the filesystem.
 	// +optional
 	RescanBlockStorageOnResize *bool `json:"rescanBlockStorageOnResize,omitempty"`
 	// IgnoreVolumeAZ specifies whether the volumes AZ should be ignored when scheduling to nodes,
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// to allow for differences between volume and compute zone naming.
 	// +optional
 	IgnoreVolumeAZ *bool `json:"ignoreVolumeAZ,omitempty"`
 	// NodeVolumeAttachLimit specifies how many volumes can be attached to a node.
 	// +optional
 	NodeVolumeAttachLimit *int32 `json:"nodeVolumeAttachLimit,omitempty"`
 	// UseOctavia specifies whether the OpenStack Octavia network load balancing is used.
-	//
-	// Deprecated: This field will be removed in future release.
-	//
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	UseOctavia *bool `json:"useOctavia,omitempty"`
 	// UseSNAT specifies whether S-NAT is supposed to be used for the Gardener managed OpenStack router.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	UseSNAT *bool `json:"useSNAT,omitempty"`
 	// ServerGroupPolicies specify the allowed server group policies for worker groups.
+	// Deprecated: OpenStack-only; not used for STACKIT.
 	// +optional
 	ServerGroupPolicies []string `json:"serverGroupPolicies,omitempty"`
 	// ResolvConfOptions specifies options to be added to /etc/resolv.conf on workers
@@ -75,7 +83,6 @@ type CloudProfileConfig struct {
 	// +optional
 	APIEndpoints *APIEndpoints `json:"apiEndpoints,omitempty"`
 	// CABundle is the CA certificate bundle for API endpoints.
-	// This field is currently ignored and reserved for future use.
 	// +optional
 	CABundle *string `json:"caBundle,omitempty"`
 }