Merge branch 'main' of github.com:metal-stack/docs-new

Author: BotondGalxc

README.md

@@ -132,8 +132,8 @@ bun run fetch-readmes
 ```
 
 ## Component references
-
-Ensure first, that all files in the docs folder are updated and ready to freeze. Also execute `bun run fetch-readmes` to update files from components and apis.
+Ensure first, that all files in the docs folder are updated and ready to freeze. Also execute `bun run fetch-readmes` to update files from components and apis with the release-vector file from the main branch.
+It is also possible to use `bun run fetch-readmes v0.20.8` to use the release-vector file with a specific tag (i.E. v0.20.8).
 All components are referenced in the `/scripts/components.json` file. Use this minimal template to add a new component:
 
 ```json
@@ -160,26 +160,11 @@ bun run docusaurus docs:version v0.21.6
 
 Now, the new version will be create and the latest files will be copied to the "`versioned`" folders.
 
-## Comparison
-
-### Benefits
-
-**Core** features:
-
-- md, mdx based documentation
-- simple and flexible file structure
-- versioning
-- blog integration
-
-**Nice** to have:
+## Release Notes
+The release notes can be synced from GitHub with the GitHub API. Therefore, ensure that a valid access token is created and set on the GitHub Runner or local machine with the name `GH_RELEASE_TOKEN`.
 
-- completely in typescript
-- highly customizable
-- custom page routing
-- custom styling and theming
-- possibility for translations
-
-### Disadvantages
-
-- new framework
-- copies of versions can explode the size of the repository
+To run the synchronization, run the following commmand:
+```
+bun run create-release-notes
+```
+If you run this before the build step, also the release notes get indexed.

docs/contributing/03-contribution-guideline.md

@@ -110,7 +110,7 @@ Development follows the official guide to:
 
 #### Libraries
 
-metal-stack maintains several libraries that you should utilize in your project in order unify common behavior. Some of these projects are:
+metal-stack maintains several libraries that you should utilize in your project in order to unify common behavior. Some of these projects are:
 
 - [metal-go](https://github.com/metal-stack/metal-go)
 - [metal-lib](https://github.com/metal-stack/metal-lib)
@@ -121,7 +121,7 @@ From the server-side you should ensure that you are returning the common error j
 
 ### Documentation
 
-We want to share knowledge and keep things simple. If things cannot kept simple we want enable everybody to understand them by:
+We want to share knowledge and keep things simple. If things cannot kept simple we want to enable everybody to understand them by:
 
 - Document in short sentences[^4].
 - Do not explain the HOW (this is already documented by your code and documenting the obvious is considered a defect).

docs/docs/04-For Operators/01-hardware.md

@@ -37,7 +37,7 @@ The following GPU types are officially supported and verified by the metal-stack
 | NVIDIA | RTX 6000 | stable |
 | NVIDIA | H100     | stable |
 
-Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this [documentation](../05-Concepts/04-Kubernetes/06-gpu-workers.md)
+Other GPU models might work but were not reported to us. For a detailed description howto use GPU support in a kubernetes cluster please check this [documentation](../05-Concepts/04-Kubernetes/06-gpu-workers.md).
 
 ## Network Cards
 
@@ -69,7 +69,7 @@ Other switch series and models might work but were not reported to us.
 
 On our switches we run [SONiC](https://sonicfoundation.dev). The metal-core writes network configuration specifically implemented for this operating system. Please also consider running SONiC on your switches if you do not want to run into any issues with networking.
 
-Our previous support for [Cumulus Linux](hhttps://www.nvidia.com/en-us/networking/ethernet-switching/cumulus-linux/) will come to an end.
+Our previous support for [Cumulus Linux](https://www.nvidia.com/en-us/networking/ethernet-switching/cumulus-linux/) will come to an end.
 
 Of course, contributions for supporting other switch vendors and operating systems are highly appreciated.
 :::

docs/docs/04-For Operators/02-operating-systems.md

@@ -34,11 +34,11 @@ It is fully possible to build your own operating system images and provide them
 
 There are some conventions though that you need to follow in order to make your image installable through the metal-hammer. You should understand the [machine provisioning sequence](../05-Concepts/01-architecture.md#machine-provisioning-sequence) before starting to write your own images.
 
-1. Images need to be compressed to a tarball using the [lz4](https://de.wikipedia.org/wiki/LZ4) compression algorithm
-1. An `md5` checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image
-1. A `packages.txt` containing the packages contained in the OS image should be provided in the download path (not strictly required)
+1. Images need to be compressed to a tarball using the [lz4](https://de.wikipedia.org/wiki/LZ4) compression algorithm.
+1. An `md5` checksum file with the same name as the image archive needs to be provided in the download path along with the actual os image.
+1. A `packages.txt` containing the packages contained in the OS image should be provided in the download path (not strictly required).
 1. Consider semantic image versioning, which we use in our algorithms to select latest images (e.g. `os-major.minor.patch` ➡️ `ubuntu-19.10.20191018`)
-1. Consider installing packages used by the metal-stack infrastructure
+1. Consider installing packages used by the metal-stack infrastructure:
    - [FRR](https://frrouting.org/) to enable routing-to-the-host in our network topology
    - [go-lldpd](https://github.com/metal-stack/go-lldpd) to enable checking if the machine is still alive after user allocation
    - [ignition](https://github.com/coreos/ignition) for enabling users to run user-specific initialization instructions before bootup. It's pretty small in size, which is why we use it. However, you are free to use other cloud instance initialization tools if you want to.

docs/docs/04-For Operators/03-deployment-guide.md

@@ -124,7 +124,7 @@ This playbook will always be run before the actual metal-stack deployment and pr
 
 ### Inventory
 
-Then, there will be an inventory for the control plane deployment in `inventories/control-plane.yaml` that adds the localhost to the `control-plane` host group:
+Then, there will be an inventory for the control plane deployment in `inventories/control-plane.yaml` that adds `localhost` to the `control-plane` host group:
 
 ```yaml
 ---
@@ -538,7 +538,7 @@ The basic principles of how the metal control plane can be deployed should now b
 
 ### Setting Up the backup-restore-sidecar
 
-The backup-restore-sidecar can come up very handy when you want to add another layer of security to the metal-stack databases in your Kubernetes cluster. The sidecar takes backups of the metal databases in small time intervals and stores them in a blobstore of a cloud provider. For each database that will be backed up, a lifecycle rule is established. The backup mechanism is deactivated by default and must be activated by the operator. This way your metal-stack setup can even survive the deletion of your Kubernetes control plane cluster (including all volumes getting lost). After re-deploying metal-stack to another Kubernetes clusters, the databases come up with the latest backup data in a matter of seconds.
+The backup-restore-sidecar can come in very handy when you want to add another layer of security to the metal-stack databases in your Kubernetes cluster. The sidecar takes backups of the metal databases in small time intervals and stores them in a blobstore of a cloud provider. For each database that will be backed up, a lifecycle rule is established. The backup mechanism is deactivated by default and must be activated by the operator. This way your metal-stack setup can even survive the deletion of your Kubernetes control plane cluster (including all volumes getting lost). After re-deploying metal-stack to another Kubernetes clusters, the databases come up with the latest backup data in a matter of seconds.
 
 Encryption can be enabled for the backups by providing an AES-256 encryption key.
 

docs/docs/05-Concepts/03-Network/02-firewalls.md

@@ -2,6 +2,7 @@
 slug: /firewalls
 title: Firewalls
 sidebar_position: 1
+draft: true
 ---
 
 # Firewalls

docs/docs/05-Concepts/03-Network/03-tailscale.md

@@ -0,0 +1,126 @@
+---
+slug: /tailscale-service-exposal
+title: Tailscale
+sidebar_position: 3
+---
+# Expose Services with Tailscale
+This guide is a recommendation on how to access services from anywhere if you are evaluating the metalstack on-prem starter without a public IP-address.
+
+These steps will guide you through the process quickly. For a deeper dive, or if you want to use alternative setups, the Tailscale articles are also linked.
+
+## What are Tailscale and Tailnets?
+Tailscale is a Canadian company that offers a virtual private network solution based on WireGuard.
+
+Instead of relying on centralised VPN servers to route all traffic, Tailscale creates a mesh VPN called Tailnet. It creates encrypted peer-to-peer connections between network subscribers. This approach is claimed to improve throughput and stability while reducing latency.
+
+Tailscale's solution is composed of components that are mostly open source. Find more information on their [open source sstatement](https://tailscale.com/opensource) and their [GitHub repository](https://github.com/tailscale).
+
+## Setup an Account and Clients
+Please begin by [following these steps](https://login.tailscale.com/start)  to use an authentication provider to create the first user account for your network.
+
+The first step is to install Tailscale clients on the devices from which you wish to access the Kubernetes services.
+
+Should you require to extend an invitation to additional users, this can be facilitated by navigating to the "Users" tab on the Admin Console.
+
+## Setup the Operator
+### Labels
+First, we will establish tags to categorise our services. Please open the 'Access controls' tab, where you will find a text editor containing all the Access Control settings in JSON format.
+
+Uncomment the `tagOwners` section and add the following tags:
+```json
+"tagOwners": {
+   "tag:k8s-operator": [],
+   "tag:k8s": ["tag:k8s-operator"],
+}
+```
+The operator will use the `k8s-operator`-tag. Devices with this tag are now configured as owner for devices with the `k8s`-tag, which will be used for our services.
+### Create OAuth-Client Credentials
+In the "Settings" tab at "OAuth clients", generate a new OAuth client. Set write permissions for "Devices - Core" and "Keys - Auth Keys". Select the `k8s-operator` tag for both.
+
+![Tailscale Devices Configuration](tailscale-devices.png)
+![Tailscale AuthKey Configuration](tailscale-authkeys.png)
+
+Therefore, a device that has been assigned the label `k8s-operator` will have the capability to register additional devices with the `k8s` tag.
+
+When you click "create", you get a client-id and client-secret, that you will need to setup the operator.
+### Setup Operator with helm
+The most common and practical way is to use a Helm chart to setup the operator. Therefore, we first have to add and update the helm-repository of tailscale:
+```
+helm repo add tailscale https://pkgs.tailscale.com/helmcharts
+helm repo update
+```
+
+Now, we can install the helm-chart in a dedicated namespace using the credentials of the OAuth client
+
+```bash
+helm upgrade \
+  --install \
+  tailscale-operator \
+  tailscale/tailscale-operator \
+  --namespace=tailscale \
+  --create-namespace \
+  --set-string oauth.clientId="<OAauth client ID>" \
+  --set-string oauth.clientSecret="<OAuth client secret>" \
+  --wait
+```
+Check on the administration console, if your operator appears on the Machines list.
+
+Alternative ways & troubleshooting:
+- Take the [operator.yaml manifest](https://github.com/tailscale/tailscale/blob/main/cmd/k8s-operator/deploy/manifests/operator.yaml) from the GitHub repository and make your adjustments to use [Static manifests with kubectl](https://tailscale.com/kb/1236/kubernetes-operator#static-manifests-with-kubectl)
+- If the operator does not show op in the Machines list, use the guide for [Troubleshooting the Kubernetes operator](https://tailscale.com/kb/1446/kubernetes-operator-troubleshooting)
+## Expose Services on the Tailnet
+There are three ways to allow traffic to your pods from the tailnet. We can setup a dedicated Service or annotate an existing one. For more routing options, use an Ingress object. For detailed configuration options, review the article about [Expose a Kubernetes cluster workload to your tailnet (cluster ingress)](https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress)
+### Add a Load Balancer Service
+The installed operator is looking for Service objects with the `spec.type`of `LoadBalancer`and the `spec.loadBalancerClass` of `tailscale`.
+```yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx
+spec:
+  ports:
+    - name: https
+      port: 443
+      targetPort: 443
+  type: LoadBalancer
+  loadBalancerClass: tailscale
+```
+### Annotate an existing Service
+Edit the Service and add the annotation `tailscale.com/expose` with the value "true":
+```yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    tailscale.com/expose: "true"
+  name: nginx
+spec:
+  ...
+```
+Note that "true" is quoted because annotation values are strings, and an unquoted true will be incorrectly interpreted as a boolean.
+### Use an Ingress
+To enable path-based routing, use an Ingress resource.
+Ingress routes only use TLS over HTTPS. To make this work, you have to enable the `MagicDNS` and `HTTPS` options in the [DNS-Tab on your Administration Console](https://login.tailscale.com/admin/dns). This enables helpful features:
+- Magic DNS automatically register your services with subdomains in your tailnet
+- HTTPS enables the provisioning of certificates for devices
+
+To set the Ingress up, just refer to `tailscale` as the `ingressClassName`:
+```yaml
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nginx
+spec:
+  ingressClassName: tailscale
+  rules:
+    - http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+  ...
+```
+Please consider, that currently only paths with `pathType: prefix` are supported currently

docs/docs/05-Concepts/03-Network/tailscale-authkeys.png

@@ -43,9 +43,9 @@ To ensure that internal components interact securely with the metal-api, metal-s
 
 Users can interact with the metal-api using [metalctl](https://github.com/metal-stack/metalctl), the command-line interface provided by metal-stack. Depending on the required operations, users should authenticate with the appropriate role to match their level of access.
 
-## Defence in Depth
+## Defense in Depth
 
-Defence in depth is a security strategy that employs multiple layers of defense to protect systems and data. By implementing various security measures at different levels, metal-stack aims to mitigate risks and enhance overall security posture.
+Defense in depth is a security strategy that employs multiple layers of defense to protect systems and data. By implementing various security measures at different levels, metal-stack aims to mitigate risks and enhance overall security posture.
 
 ## Redundancy