Production deployment documentation

.gitignore

@@ -49,3 +49,6 @@ dex/
 *.pem
 
 index.html
+contrib/production/cert-manager/cloudflare-secret.yaml
+contrib/production/cert-manager/cluster-issuer.yaml
+contrib/production/oidc-dex/values.yaml

contrib/production/README.md

@@ -0,0 +1,19 @@
+# Production Deployment Assets
+
+This directory contains assets and configuration files for production deployment of kcp.
+
+!!! Note: We understand that maintaining static assets in the repository can be challenging. If you have noticed any discrepancies between these assets and the latest version of the kcp - please open an issue or submit a pull request to help us keep them up to date.
+
+## Usage
+
+These assets are referenced by the production deployment documentation in `docs/content/setup/production/`.
+
+Each deployment type (dekker, vespucci, comer) has its own subdirectory with complete configuration files and deployment manifests.
+
+## Deployment Types
+
+- **kcp-dekker**: Self-signed certificates, simple single-cluster deployment
+- **kcp-vespucci**: External certificates with Let's Encrypt, public shard access  
+- **kcp-comer**: CDN integration with dual front-proxy configuration
+
+See the corresponding documentation in `docs/content/setup/production/` for detailed deployment instructions.

contrib/production/cert-manager/certificate-example.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dex-tls-cert
+  namespace: oidc
+spec:
+  # Secret where the certificate will be stored
+  secretName: dex-tls
+
+  # Reference to the ClusterIssuer
+  issuerRef:
+    name: kcp-comerletsencrypt-prod
+    kind: ClusterIssuer
+
+  # Domains for the certificate
+  dnsNames:
+  - auth.example.com

contrib/production/cert-manager/cloudflare-secret.yaml.template

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-key-secret
+  namespace: cert-manager
+type: Opaque
+data:
+  # Replace with your base64 encoded Cloudflare Global API Key
+  # Get your API key from: https://dash.cloudflare.com/profile/api-tokens
+  # Then encode it: echo -n "xxxxxxxxxxxxx" | base64
+  api-key: xxxxxxxxxxxx

contrib/production/cert-manager/cluster-issuer.yaml.template

@@ -0,0 +1,20 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # You must replace this email address with your own.
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: le-issuer-account-key
+    solvers:
+    - dns01:
+        cloudflare:
+          email: [email protected]
+          apiKeySecretRef:
+            name: cloudflare-api-key-secret
+            key: api-key

contrib/production/etcd-druid/certificate-etcd-issuer.yaml

@@ -0,0 +1,30 @@
+# CA authority for etcd components.
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned
+  namespace: cert-manager
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: etcd-ca
+  namespace: cert-manager
+spec:
+  secretName: etcd-ca-tls
+  isCA: true
+  commonName: etcd-ca
+  issuerRef:
+    name: selfsigned
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: etcd-ca
+spec:
+  ca:
+    secretName: etcd-ca-tls

contrib/production/etcd-druid/etcdcopybackupstasks.druid.gardener.cloud.yaml

@@ -0,0 +1,205 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.16.5
+  name: etcdcopybackupstasks.druid.gardener.cloud
+spec:
+  group: druid.gardener.cloud
+  names:
+    kind: EtcdCopyBackupsTask
+    listKind: EtcdCopyBackupsTaskList
+    plural: etcdcopybackupstasks
+    singular: etcdcopybackupstask
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: EtcdCopyBackupsTask is a task for copying etcd backups from a
+          source to a target store.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: EtcdCopyBackupsTaskSpec defines the parameters for the copy
+              backups task.
+            properties:
+              maxBackupAge:
+                description: |-
+                  MaxBackupAge is the maximum age in days that a backup must have in order to be copied.
+                  By default, all backups will be copied.
+                format: int32
+                minimum: 0
+                type: integer
+              maxBackups:
+                description: MaxBackups is the maximum number of backups that will
+                  be copied starting with the most recent ones.
+                format: int32
+                minimum: 0
+                type: integer
+              podLabels:
+                additionalProperties:
+                  type: string
+                description: PodLabels is a set of labels that will be added to pod(s)
+                  created by the copy backups task.
+                type: object
+              sourceStore:
+                description: SourceStore defines the specification of the source object
+                  store provider for storing backups.
+                properties:
+                  container:
+                    description: Container is the name of the container the backup
+                      is stored at.
+                    type: string
+                  prefix:
+                    description: Prefix is the prefix used for the store.
+                    type: string
+                  provider:
+                    description: Provider is the name of the backup provider.
+                    type: string
+                  secretRef:
+                    description: SecretRef is the reference to the secret which used
+                      to connect to the backup store.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                required:
+                - prefix
+                type: object
+              targetStore:
+                description: TargetStore defines the specification of the target object
+                  store provider for storing backups.
+                properties:
+                  container:
+                    description: Container is the name of the container the backup
+                      is stored at.
+                    type: string
+                  prefix:
+                    description: Prefix is the prefix used for the store.
+                    type: string
+                  provider:
+                    description: Provider is the name of the backup provider.
+                    type: string
+                  secretRef:
+                    description: SecretRef is the reference to the secret which used
+                      to connect to the backup store.
+                    properties:
+                      name:
+                        description: name is unique within a namespace to reference
+                          a secret resource.
+                        type: string
+                      namespace:
+                        description: namespace defines the space within which the
+                          secret name must be unique.
+                        type: string
+                    type: object
+                    x-kubernetes-map-type: atomic
+                required:
+                - prefix
+                type: object
+              waitForFinalSnapshot:
+                description: WaitForFinalSnapshot defines the parameters for waiting
+                  for a final full snapshot before copying backups.
+                properties:
+                  enabled:
+                    description: Enabled specifies whether to wait for a final full
+                      snapshot before copying backups.
+                    type: boolean
+                  timeout:
+                    description: |-
+                      Timeout is the timeout for waiting for a final full snapshot. When this timeout expires, the copying of backups
+                      will be performed anyway. No timeout or 0 means wait forever.
+                    pattern: ^(0|([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+)$
+                    type: string
+                required:
+                - enabled
+                type: object
+            required:
+            - sourceStore
+            - targetStore
+            type: object
+          status:
+            description: EtcdCopyBackupsTaskStatus defines the observed state of the
+              copy backups task.
+            properties:
+              conditions:
+                description: Conditions represents the latest available observations
+                  of an object's current state.
+                items:
+                  description: Condition holds the information about the state of
+                    a resource.
+                  properties:
+                    lastTransitionTime:
+                      description: Last time the condition transitioned from one status
+                        to another.
+                      format: date-time
+                      type: string
+                    lastUpdateTime:
+                      description: Last time the condition was updated.
+                      format: date-time
+                      type: string
+                    message:
+                      description: A human-readable message indicating details about
+                        the transition.
+                      type: string
+                    reason:
+                      description: The reason for the condition's last transition.
+                      type: string
+                    status:
+                      description: Status of the condition, one of True, False, Unknown.
+                      type: string
+                    type:
+                      description: Type of the Etcd condition.
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - lastUpdateTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+              lastError:
+                description: LastError represents the last occurred error.
+                type: string
+              observedGeneration:
+                description: ObservedGeneration is the most recent generation observed
+                  for this resource.
+                format: int64
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}