SovereignCloudStack
diff --git a/‎providers/openstack/scs/1-27/cluster-addon/Chart.yaml
+2-2 b/‎providers/openstack/scs/1-27/cluster-addon/Chart.yaml
+2-2
diff --git a/‎providers/openstack/scs/1-27/cluster-class/Chart.yaml
+3-3 b/‎providers/openstack/scs/1-27/cluster-class/Chart.yaml
+3-3
diff --git a/‎providers/openstack/scs/1-27/cluster-class/templates/cluster-class.yaml
+112-38 b/‎providers/openstack/scs/1-27/cluster-class/templates/cluster-class.yaml
+112-38
diff --git a/‎providers/openstack/scs/1-27/cluster-class/templates/openstack-cluster-template.yaml
+18-7 b/‎providers/openstack/scs/1-27/cluster-class/templates/openstack-cluster-template.yaml
+18-7
@@ -21,6 +21,6 @@ dependencies:
     repository: https://stackitcloud.github.io/yawol
     version: 0.21.3
     condition: yawol-controller.enabled
-name: openstack-wooctavia-1-27-cluster-addon
+name: openstack-scs-1-27-cluster-addon
 type: application
-version: v3
+version: v1
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: |
   This chart installs and configures:
-  * Openstack Wooctavia Cluster Class
-name: openstack-wooctavia-1-27-cluster-class
+  * Openstack scs Cluster Class
+name: openstack-scs-1-27-cluster-class
 type: application
-version: v3
+version: v1
@@ -11,11 +11,11 @@ spec:
     machineInfrastructure:
       ref:
         kind: OpenStackMachineTemplate
-        apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+        apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
         name: {{ .Release.Name }}-{{ .Chart.Version }}-control-plane
   infrastructure:
     ref:
-      apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
       kind: OpenStackClusterTemplate
       name: {{ .Release.Name }}-{{ .Chart.Version }}-cluster
   workers:
@@ -29,7 +29,7 @@ spec:
             name: {{ .Release.Name }}-{{ .Chart.Version }}
         infrastructure:
           ref:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             name: {{ .Release.Name }}-{{ .Chart.Version }}
   variables:
@@ -257,12 +257,61 @@ spec:
          description: "CertSANs sets extra Subject Alternative Names for the API Server signing cert."
          items:
            type: string
+   - name: oidc_config
+     required: false
+     schema:
+       openAPIV3Schema:
+         type: object
+         properties:
+           client_id:
+             type: string
+             example: "kubectl"
+             description: "A client id that all tokens must be issued for."
+           issuer_url:
+             type: string
+             example: "https://dex.k8s.scs.community"
+             description: "URL of the provider that allows the API server to
+discover public signing keys. Only URLs that use the https:// scheme are
+accepted. This is typically the provider's discovery URL, changed to have an
+empty path"
+           username_claim:
+             type: string
+             example: "preferred_username"
+             default: "sub"
+             description: "JWT claim to use as the user name. By default sub,
+which is expected to be a unique identifier of the end user. Admins can choose
+other claims, such as email or name, depending on their provider. However,
+claims other than email will be prefixed with the issuer URL to prevent naming
+clashes with other plugins."
+           groups_claim:
+             type: string
+             example: "groups"
+             default: "groups"
+             description: "JWT claim to use as the user's group. If the claim
+is present it must be an array of strings."
+           username_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to username claims to prevent
+clashes with existing names (such as system: users). For example, the value
+oidc: will create usernames like oidc:jane.doe. If this flag isn't provided and
+--oidc-username-claim is a value other than email the prefix defaults to (
+Issuer URL )# where ( Issuer URL ) is the value of --oidc-issuer-url. The value
+- can be used to disable all prefixing."
+           groups_prefix:
+             type: string
+             example: "oidc:"
+             default: "oidc:"
+             description: "Prefix prepended to group claims to prevent clashes
+with existing names (such as system: groups). For example, the value oidc: will
+create group names like oidc:engineering and oidc:infra."
   patches:
     - name: k8s_version
       description: "Sets the openstack node image for workers and the controlplane to the cluster-api image with the version mentioned in spec.topology.version."
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -271,15 +320,15 @@ spec:
                   - {{ .Release.Name }}-{{ .Chart.Version }}
           jsonPatches:
           - op: add
-            path: "/spec/template/spec/image"
+            path: "/spec/template/spec/image/filter/name"
             valueFrom:
               template: ubuntu-capi-image-{{ `{{ .builtin.cluster.topology.version }}` }}
     - name: apiserver_loadbalancer_octavia-amphora
       description: "Takes care of the patches that should be applied when variable apiserver_loadbalancer is set to octavia-amphora."
       enabledIf: {{ `'{{ eq .apiserver_loadbalancer "octavia-amphora" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
@@ -295,7 +344,7 @@ spec:
       enabledIf: {{ `'{{ eq .apiserver_loadbalancer "octavia-ovn" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
@@ -311,7 +360,7 @@ spec:
       enabledIf: {{ `'{{ eq .apiserver_loadbalancer "kube-vip" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
@@ -329,7 +378,7 @@ spec:
             valueFrom:
               template: {{ `"{{ if .kube_vip_apiserver_public_ip }}{{.kube_vip_apiserver_public_ip}}{{else}}{{.kube_vip_apiserver_virtual_ip}}{{end}}"` }}
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -443,7 +492,7 @@ spec:
       enabledIf: {{ `'{{ ne .controller_flavor "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -457,7 +506,7 @@ spec:
       enabledIf: {{ `'{{ ne .worker_flavor "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: false
@@ -474,7 +523,7 @@ spec:
       enabledIf: {{ `"{{ if .controller_root_disk }}true{{end}}"` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -489,7 +538,7 @@ spec:
       enabledIf: {{ `"{{ if .worker_root_disk }}true{{end}}"` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: false
@@ -507,21 +556,21 @@ spec:
       enabledIf: {{ `'{{ ne .external_id "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
           jsonPatches:
           - op: replace
-            path: "/spec/template/spec/externalNetworkId"
+            path: "/spec/template/spec/externalNetwork/id"
             valueFrom:
               variable: external_id
     - name: openstack_security_groups
       description: "Sets the list of the openstack security groups for the worker and the controlplane instances."
       enabledIf: {{ `"{{ if .openstack_security_groups }}true{{end}}"` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -534,7 +583,7 @@ spec:
             valueFrom:
               template: {{ `"[ {{ range .openstack_security_groups }} { name: {{ . }}}, {{ end }} ]"` }}
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
@@ -547,17 +596,17 @@ spec:
       enabledIf: {{ `'{{ ne .cloud_name "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
           jsonPatches:
           - op: replace
-            path: "/spec/template/spec/cloudName"
+            path: "/spec/template/spec/identityRef/cloudName"
             valueFrom:
               variable: cloud_name
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -566,15 +615,15 @@ spec:
                   - {{ .Release.Name }}-{{ .Chart.Version }}
           jsonPatches:
           - op: replace
-            path: "/spec/template/spec/cloudName"
+            path: "/spec/template/spec/identityRef/cloudName"
             valueFrom:
               variable: cloud_name
     - name: secret_name
       description: "Sets the name of the clouds secret."
       enabledIf: {{ `'{{ ne .secret_name "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
@@ -584,7 +633,7 @@ spec:
             valueFrom:
               variable: secret_name
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -601,7 +650,7 @@ spec:
       enabledIf: {{ `'{{ ne .controller_server_group_id "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -615,7 +664,7 @@ spec:
       enabledIf: {{ `'{{ ne .worker_server_group_id "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: false
@@ -632,7 +681,7 @@ spec:
       enabledIf: {{ `'{{ ne .ssh_key "" }}'` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackMachineTemplate
             matchResources:
               controlPlane: true
@@ -658,31 +707,56 @@ spec:
             path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs"
             valueFrom:
               variable: certSANs
-    - name: dns_nameservers
-      description: "Sets the list of nameservers for the OpenStack Subnet being created."
-      enabledIf: {{ `"{{ if and .dns_nameservers (ne .apiserver_loadbalancer \"kube-vip\")}}true{{end}}"` }}
+    - name: oidc_config
+      description: "Configure API Server to use external authentication service."
+      enabledIf: {{ `"{{ if and .oidc_config .oidc_config.client_id .oidc_config.issuer_url }}true{{end}}"` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
-            kind: OpenStackClusterTemplate
+            apiVersion: controlplane.cluster.x-k8s.io/v1beta1
+            kind: KubeadmControlPlaneTemplate
             matchResources:
-              infrastructureCluster: true
+              controlPlane: true
           jsonPatches:
           - op: add
-            path: "/spec/template/spec/dnsNameservers"
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-client-id"
+            valueFrom:
+              variable: oidc_config.client_id
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-issuer-url"
             valueFrom:
-              variable: dns_nameservers
-    - name: node_cidr
+              variable: oidc_config.issuer_url
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-claim"
+            valueFrom:
+              variable: oidc_config.username_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-claim"
+            valueFrom:
+              variable: oidc_config.groups_claim
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-username-prefix"
+            valueFrom:
+              variable: oidc_config.username_prefix
+          - op: add
+            path: "/spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/extraArgs/oidc-groups-prefix"
+            valueFrom:
+              variable: oidc_config.groups_prefix
+    - name: subnet
       description: "Sets the NodeCIDR for the OpenStack Subnet to be created. Cluster actuator will create a network, a subnet with NodeCIDR, and a router connected to this subnet."
       enabledIf: {{ `"{{ if and .node_cidr (ne .apiserver_loadbalancer \"kube-vip\")}}true{{end}}"` }}
       definitions:
         - selector:
-            apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+            apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
             kind: OpenStackClusterTemplate
             matchResources:
               infrastructureCluster: true
           jsonPatches:
           - op: add
-            path: "/spec/template/spec/nodeCidr"
+            path: "/spec/template/spec/managedSubnets"
             valueFrom:
-              variable: node_cidr
+              template: |
+                - cidr: '{{"{{"}} .node_cidr {{"}}"}}'
+                  dnsNameservers:
+                  {{`{{- range .dns_nameservers }}`}}
+                                  - {{`{{ . }}`}}
+                  {{`{{- end }}`}}
@@ -1,14 +1,25 @@
-apiVersion: infrastructure.cluster.x-k8s.io/v1alpha7
+apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
 kind: OpenStackClusterTemplate
 metadata:
   name: {{ .Release.Name }}-{{ .Chart.Version }}-cluster
 spec:
   template:
     spec:
-      allowAllInClusterTraffic: true
-      cloudName: {{ default "openstack" .Values.cloud.name }}
       identityRef:
-        name: {{ default "openstack" .Values.secrets.clouds_yaml }}
-        kind: Secret
-      managedSecurityGroups: true
-      externalNetworkId: {{ .Values.external_id }}
+        cloudName: {{ default "openstack" .Values.identityRef.cloudName }}
+        name: {{ default "openstack" .Values.identityRef.name }}
+      apiServerLoadBalancer:
+        enabled: {{ .Values.openstack_loadbalancer_apiserver }}
+{{- if .Values.restrict_kubeapi }}
+        allowedCIDRs: {{ .Values.restrict_kubeapi }}
+{{- end }}
+      managedSecurityGroups:
+        allowAllInClusterTraffic: true
+      managedSubnets:
+        - cidr: {{ .Values.node_cidr }}
+          dnsNameservers:
+          {{- range .Values.dns_nameservers }}
+            - {{ . }}
+          {{- end }}
+      externalNetwork:
+        id: {{ .Values.external_id }}