feat: add S3 endpoint override for S3-compatible storage

[cwrau]

No description provided.

[gemini-code-assist]

Code Review

This pull request introduces support for S3-compatible storage by adding an Endpoint field to the ETCDBackup specification and enabling path-style S3 access. It also implements a deterministic @daily backup schedule that distributes backup tasks across an 8-hour window based on cluster identity to avoid concurrent resource spikes. Other changes include updating several dependencies, including the cluster namespace in S3 backup keys, and refining vulnerability scanning. Feedback includes a suggestion to simplify a conditional block in the new backup schedule logic and a recommendation to use a more granular endpoint resolver instead of the deprecated WithBaseEndpoint function.

[Copilot]

Pull request overview

Adds configurability for ETCD S3 backups to support S3-compatible storage by allowing an endpoint override, and introduces deterministic spreading for @daily backup schedules to avoid thundering-herd backup runs across clusters.

Changes:

• Add spec.etcd.backup.endpoint to the HostedControlPlane API and wire it into the AWS SDK S3 client configuration (base endpoint + path-style addressing).
• Introduce resolveBackupSchedule to expand @daily into a deterministic, cluster-identity-based cron time window and update reconciler logic/tests accordingly.
• Update S3 backup key prefixing and refresh several Go dependencies / minor refactors.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
taskfile.yaml	Adjusts Grype scan invocation (adds --only-fixed).
pkg/reconcilers/etcd_cluster/s3_client/s3_client.go	Adds endpoint override handling, path-style option, and changes S3 key prefixing.
pkg/reconcilers/etcd_cluster/reconciler.go	Uses resolveBackupSchedule for schedule parsing/next-run computations.
pkg/reconcilers/etcd_cluster/reconciler_test.go	Updates error assertion and adds coverage for @daily schedule spreading behavior.
pkg/reconcilers/etcd_cluster/backup_schedule.go	New helper to deterministically resolve schedules (notably @daily).
pkg/reconcilers/etcd_cluster/backup_schedule_test.go	New unit tests validating deterministic schedule resolution and window constraints.
pkg/reconcilers/apiserverresources/apiserverresources.go	Minor cleanup: inline secret items conversion.
go.mod	Bumps AWS SDK, Cilium, OTel, gRPC, k8s libs, controller-runtime, etc.
go.sum	Corresponding dependency checksum updates.
api/v1alpha1/zz_generated.deepcopy.go	DeepCopy updated for new ETCDBackup.Endpoint field.
api/v1alpha1/hostedcontrolplane_types.go	Adds optional ETCDBackup.Endpoint field to the API.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 5 comments.

Comments suppressed due to low confidence (1)

api/v1alpha1/hostedcontrolplane_types.go:79

• This PR is titled as adding an S3 endpoint override, but it also removes the customKubeconfigs API surface (types, webhook validation, cert generation, and tests). That’s a significant behavior/API change and looks unrelated to S3 endpoint overrides; consider splitting the custom-kubeconfig removal into a separate PR (or updating the PR description/title and documenting the breaking change/migration).

type HostedControlPlaneInlineSpec struct {
	//+kubebuilder:validation:Optional
	Deployment HostedControlPlaneDeployment `json:"deployment,omitempty"`
	//+kubebuilder:validation:Required
	Gateway GatewayReference `json:"gateway"`

	//+kubebuilder:validation:Optional
	KonnectivityClient ScalablePod `json:"konnectivityClient,omitempty"`
	//+kubebuilder:validation:Optional
	KubeProxy KubeProxyComponent `json:"kubeProxy,omitempty"`
	//+kubebuilder:validation:Optional
	CoreDNS ScalablePod `json:"coredns,omitempty"`
	//+kubebuilder:validation:Optional
	ETCD ETCDComponent `json:"etcd,omitempty"`
	// OIDCProviders configures structured JWT/OIDC authentication.
	// The key is the issuer URL. If non-empty, an AuthenticationConfiguration
	// is generated and passed to the API server via --authentication-config.
	//+kubebuilder:validation:Optional
	OIDCProviders map[string]OIDCProvider `json:"oidcProviders,omitempty"`
}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[marvinWolff]

Not necessarily for this PR, but i think it would be a good idea to export some metrics.

I think alerting on failing etcd-backups would be a good idea, for that we would need metrics.

[cwrau]

Not necessarily for this PR, but i think it would be a good idea to export some metrics.

I think alerting on failing etcd-backups would be a good idea, for that we would need metrics.

This would already be covered by kube-state-metrics

[Copilot]

Pull request overview

Copilot reviewed 15 out of 16 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[marvinWolff]

@cwrau can you check the pipeline?

[Copilot]

Pull request overview

Copilot reviewed 14 out of 16 changed files in this pull request and generated 18 comments.

Files not reviewed (1)

• api/v1alpha1/zz_generated.deepcopy.go: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 14 out of 16 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• api/v1alpha1/zz_generated.deepcopy.go: Language not supported