@@ -26,6 +26,7 @@ To create a cluster in your OpenShift context, you need the following:
* A supported Kubernetes platform; for more information, see [Supported Versions](/developerportal/deploy/private-cloud-supported-environments/#supported-versions)
* An administration account for your OpenShift or Kubernetes platform
* **OpenShift CLI** installed (see [Getting started with the CLI](https://docs.openshift.com/container-platform/4.1/cli_reference/getting-started-cli.html) on the Red Hat OpenShift website for more information) if you are creating clusters on OpenShift
* **Stackit CLI** installed (see [Getting started with the CLI](https://github.com/stackitcloud/stackit-cli/blob/main/INSTALLATION.md) on the Stackit website for more information) if you are creating clusters on Stackit.
* **Kubectl** installed if you are deploying to another Kubernetes platform (see [Install and Set Up kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) on the Kubernetes webside for more information)
* A command line terminal that supports the console API and mouse interactions. In Windows, this could be PowerShell or the Windows Command Prompt. See [Terminal limitations](#terminal-limitations), below, for a more detailed explanation.

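Review bot: the new Stackit CLI bullet labels its link "Getting started with the CLI" on the Stackit website, but the URL points at INSTALLATION.md in the stackit-cli GitHub repository; make the link text match the target, e.g. `(see [Installation](https://github.com/stackitcloud/stackit-cli/blob/main/INSTALLATION.md) in the stackit-cli repository)`. The bullet also ends with a period while its siblings do not, and the product is spelled "Stackit" here but "STACKIT" in other hunks of this PR; pick one spelling. The pre-existing "webside" typo on the kubectl bullet could be fixed while this list is being touched.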
@@ -25,6 +25,7 @@ Some examples of such container registries are:
* Docker Hub
* Azure ACR [admin account](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli#admin-account)
* Self-hosted registries such as [Sonartype Nexus](https://www.sonatype.com/products/nexus-repository)
* Stackit container registry

However, static credentials are often considered insecure, and cloud providers offer alternative authentication methods based on short-lived tokens. For example, pushing an image to ECR requires getting a short-lived token from the AWS API. For more details about specific container registries, see the [Configuring the Registry](#configure-registry) section.

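Review bot: the new "Stackit container registry" bullet is the only entry in this list without a link; the Stackit docs URL used elsewhere in this PR (https://docs.stackit.cloud/products/developer-platform/container-registry/) would fit. Because this list introduces registries that authenticate with static credentials and the following paragraph calls those "often considered insecure", a short pointer that the Stackit entry under Configuring the Registry uses a robot-account token, with the usual advice to scope and rotate it, would help the reader. Pre-existing in the context: "Sonartype" should be "Sonatype".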
@@ -199,12 +200,12 @@ To use Google Artifact registry with the Mendix Operator, perform the following
2. Assign the *Artifact Registry Writer* (`roles/artifactregistry.writer`) role to the GCR Service Account.
3. Allow the Mendix Operator to use the GCR Service Account by running the following command, where `PROJECT_ID` is the Google Cloud project ID, `K8S_NAMESPACE` is the Kubernetes namespace name where the Operator is installed, `KSA_NAME` is the Kubernetes Service Account name, and `GSA_NAME` is the GCP Service Account name from step 1:

```shell
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
```shell
gcloud iam service-accounts add-iam-policy-binding \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```

On the Kubernetes side, the Mendix Operator will use a Kubernetes Service Account to authenticate. On the GCP side, there should be a matching GCP Service Account. For simplicity, Mendix recommends using the `mendix-builder` for the service account name, on both GCP and Kubernetes sides. For more details, see the Google documentation on [using workload identities](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to).

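Review bot: the removed and re-added gcloud block in step 3 renders identically here, so this looks like a whitespace-only or indentation change; confirm it is intentional (for example, fixing the fence indentation under list item 3) and that the numbered list still continues correctly after the block. If the change is unrelated to Stackit support, a separate commit would keep this PR easier to review.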
@@ -279,6 +280,27 @@ To access quay.io, you will need to create a robot account, and give this accoun
Check your image registry documentation to see if repositories can be created automatically (on push) or need to be pre-created.
Some registries impose limitations on repository names, for example the repository path cannot have more than three parts.

**Stackit container registry**

| Field | Value |
| ------------------- | -----------------------------------------------------------------------------------------------|
| Push URL | registry.onstackit.cloud |
| Pull URL | registry.onstackit.cloud |
| Registry name | `<stackitregistry>/<repository>`, where `<stackitregistry>` is the registry created in stackit |
| With authentication | enabled |
| User | Username for the registry robot account |
| Password | Token (password) for the robot account |

Before pushing images to container registry, you will need to create the repository first.

In order to fetch the container images from container registry, make sure to patch the default service accounts with the registry credentials.

Example:

```shell
kubectl patch serviceaccount default -n <namespace> -p '{"imagePullSecrets": [{"name": "<secret-name>"}]}'
```

### Existing Docker Registry Secret

If you already have a existing `~/.docker/config.json` file, you can use it directly by choosing the `docker-secret` option.
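Review bot: the kubectl patch under "Example" references `<secret-name>` but nothing in the new Stackit section says how that secret is created; add the step, e.g. `kubectl create secret docker-registry <secret-name> --docker-server=registry.onstackit.cloud --docker-username=<robot-user> --docker-password=<robot-token> -n <namespace>`, and recommend a robot account that is limited to pull for this purpose if the registry supports separate push and pull robots. Two further points: the prose says "patch the default service accounts" (plural) while the command patches the single `default` service account in one namespace, and patching `imagePullSecrets` with a JSON list replaces whatever entries that service account already has rather than appending, which is worth calling out so existing pull secrets are not silently dropped. Minor: "Before pushing images to container registry" needs "the", and "registry created in stackit" in the table should use the product spelling.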
@@ -215,6 +215,12 @@ If you would like to have more control over database configuration, consider usi
If your provider is AWS, [Postgres IAM authentication](#database-postgres-iam) can be used instead to increase security.
If your provider is Azure, [Postgres managed identity authentication](#database-postgres-azwi) can be used instead to increase security.

{{% alert color="info" %}}
The Mendix on-demand PostgreSQL provisioner cannot be used directly. STACKIT PostgreSQL Flex does not expose the CREATEROLE privilege, which is necessary for Mendix to automatically create database users via SQL commands. In order to facilitate the use of Postgres, switch to [JDBC plan](#database-jdbc) and create a dedicated database user for the new Mendix environment using the STACKIT CLI or API.
{{% /alert %}}



##### Prerequisites

* A Postgres server - for example, an RDS instance, or a Postgres server installed from a Helm chart
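Review bot: the first sentence of the new alert ("The Mendix on-demand PostgreSQL provisioner cannot be used directly") reads as a general statement until the second sentence names STACKIT; lead with the provider, e.g. "On STACKIT PostgreSQL Flex the on-demand provisioner cannot be used: the service does not expose the CREATEROLE privilege that Mendix needs to create database users automatically". The three blank lines added after `{{% /alert %}}` should collapse to one, and "In order to facilitate the use of Postgres" can simply read "To use Postgres on STACKIT". The same limitation is stated in two other alerts in this PR; one canonical location with cross-links would avoid the three drifting apart.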
@@ -764,6 +770,10 @@ Azure workload identities allow a Kubernetes Service Account to authenticate its

JDBC databases are dedicated, basic databases. The **Dedicated JDBC** plan enables you to enter the [database configuration parameters](/refguide/custom-settings/) for an existing database directly, as supported by the Mendix Runtime. This plan allows to configure and use any database supported by the Mendix Runtime, including Oracle.

{{% alert color="info" %}}
In order to use **STACKIT PostgreSQL Flex** db, use the JDBC plan and provide the connection details as per the STACKIT documentation. Use the STACKIT CLI or API to create a dedicated database user for the new Mendix environment.
{{% /alert %}}

#### Prerequisites

* A database server, for example Postgres or Oracle.
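Review bot: "db" in the new alert should be spelled out, and "as per the STACKIT documentation" should link to that documentation. Because the user is created by hand, it is worth stating the minimum it needs: ownership of (or full privileges on) its own database only, not a superuser or administrative role, so that one environment's credentials cannot reach another environment's database. This alert largely repeats the one added in the on-demand Postgres section; link to it rather than duplicate the text.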
@@ -1884,6 +1894,58 @@ In the Ceph plan configuration, enter the following details:
* **Access Key** and **Secret Key** - Credentials to access the bucket.
* **Type** - Specifies if the container can be shared between environments (create an on-demand storage plan); or that the container can only be used by one environment (create a dedicated storage plan). To increase security and prevent environments from being able to access each other's data, select **Dedicated**.

### STACKIT Object Storage {#stackit-object-storage}

This basic, dedicated option allows to attach an existing S3-compatible bucket and credentials (access and secret keys) to one or more environments.
All apps (environments) will use the same bucket and credentials (access and secret keys). However, with this approach, environments share a common storage namespace, which can lead to potential data isolation issues and increased security risks if not managed carefully.
Another option is to use a dedicated object storage bucket for each environment.

#### Prerequisites

* A Ceph or S3-compatible bucket.
* An Access and Secret key with permissions to access the bucket.

#### Limitations

* Access/Secret keys used by existing environments can only be rotated manually.
* No isolation between environments using the storage plan if using same bucket for all environments
* Configuration parameters will not be validated and will be provided to the Mendix app as-is. If the arguments are not valid or there is an issue with permissions, the Mendix Runtime will fail to start the and deployment will appear to hang with **Replicas running** and **Runtime** showing a spinner.

#### Environment Isolation

* The Ceph or S3-compatible bucket and credentials (access and secret keys) are shared between all environments using this plan.
* An environment can access data from other environments using this Storage Plan.
* By creating dedicated bucket for all the environment, isolation between the environment can be achieved.

#### Create Workflow

When a new environment is created, the Mendix Operator performs the following actions:

* Generate a unique prefix based on the environment's name, so that each environment stores files in a separate prefix (directory).
* Create a Kubernetes secret to provide connection details to the new app environment - to automatically configure the new environment.

#### Delete Workflow

When an existing environment is deleted, the Mendix Operator performs the following actions:

* Delete that environment's Kubernetes blob file storage credentials secret.

#### Configuring the Plan

In the Ceph plan configuration, enter the following details:

* **Endpoint** - The Ceph bucket's endpoint address, for example `https://ceph-instance.local:9000/<bucket-name>`.
* **Access Key** and **Secret Key** - Credentials to access the bucket.
* **Type** - Specifies if the container can be shared between environments (create an on-demand storage plan); or that the container can only be used by one environment (create a dedicated storage plan). To increase security and prevent environments from being able to access each other's data, select **Dedicated**.

* **IRSA Authentication** - Set to **no**.
* **Create bucket per environment** - Set to **No**.
* **Create account (IAM user) per environment** - Set to **No**.
* **Endpoint** - The S3 bucket's endpoint address.
* **Access Key** and **Secret Key** - The credentials for the environment user account.
* **Autogenerate prefix** - Leave it empty
* **Share bucket between environments** - Specifies if the bucket can be shared between environments (create an on-demand storage plan); Enable this option and the bucket will be shared between multiple environments.

## Walkthroughs

This section provides instructions how to set up storage for the most typical use cases.
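Review bot: "Configuring the Plan" in the new STACKIT Object Storage section is a copy of the Ceph section: its intro says "In the Ceph plan configuration", the first list (Endpoint with a `ceph-instance.local` example, Access Key and Secret Key, Type) is Ceph's, and it is followed by a second, different list (IRSA Authentication, Create bucket per environment, Create account per environment, Autogenerate prefix, Share bucket between environments), so the reader gets two conflicting sets of fields; keep only the STACKIT list with an intro that names the STACKIT plan. The second list also contradicts the surrounding text: "Create bucket per environment - Set to No" together with "Share bucket between environments" enabled rules out the per-environment bucket that the Environment Isolation bullets recommend, and "Autogenerate prefix - Leave it empty" conflicts with the Create Workflow bullet that says the Operator generates a unique prefix per environment; state which applies. Since Limitations says there is no isolation when one bucket is shared, document the dedicated-bucket configuration as the recommended one and the shared bucket as the explicit trade-off. Smaller items: Prerequisites says "A Ceph or S3-compatible bucket" in a STACKIT section; "allows to attach" should be "lets you attach"; "will fail to start the and deployment" should be "will fail to start and the deployment"; "By creating dedicated bucket for all the environment" should be "By creating a dedicated bucket for each environment"; and because the Delete Workflow only removes the credentials secret, say explicitly that objects under the environment's prefix remain in the bucket and must be cleaned up separately.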
@@ -27,6 +27,7 @@ If you want to deploy your app to Amazon EKS, consider using the Mendix for Amaz
* [minikube](https://minikube.sigs.k8s.io/docs/)
* [Google Cloud Platform](https://cloud.google.com/)
* [Google Kubernetes Engine- Autopilot](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview). For more information, see [Mendix on Kubernetes Cluster: GKE Autopilot Workarounds](/developerportal/deploy/private-cloud-cluster/#gke-autopilot-workarounds)
* [Stackit Kubernetes Engine](https://stackit.com/en/products/runtime/stackit-kubernetes-engine)

{{% alert color="warning" %}}
If deploying to Red Hat OpenShift, you need to specify that specifically when creating your deployment. All other cluster types use generic Kubernetes operations.
@@ -160,6 +161,10 @@ Mendix Operator supports registry authentication with [workload identity](https:

When used together with an [Azure Kubernetes Service](https://azure.microsoft.com/en-us/products/kubernetes-service), Mendix Operator can use [managed identity authentication](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity) assigned to the Mendix Operator's Kubernetes service account.

### Stackit Container Registry

[Stackit Container Registry](https://docs.stackit.cloud/products/developer-platform/container-registry/) is a cloud-native registry that enables you to store, manage and deploy container images securely and efficiently within the STACKIT Cloud. With this tool, you can easily manage the entire lifecycle of your container images (if static credential authentication is used).

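Review bot: the new Stackit Container Registry subsection sits after the workload-identity and managed-identity paragraphs but only hints at its authentication model in a trailing parenthesis, "(if static credential authentication is used)". Say it directly: the Mendix Operator authenticates to Stackit Container Registry with a robot account's username and token (static credentials, so they must be stored as a Kubernetes secret and rotated manually), and link to the Stackit entry under Configuring the Registry. The rest of the sentence ("store, manage and deploy container images securely and efficiently") is product-marketing wording that adds nothing for the reader; the link to the Stackit docs is enough.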
## Databases{#databases}

The following databases are supported, and provide the features listed.
@@ -208,6 +213,7 @@ The following managed PostgreSQL databases are supported:
* [Azure Database for PostgreSQL](https://azure.microsoft.com/en-us/services/postgresql/).
* [Google Cloud SQL for PostgreSQL](https://cloud.google.com/sql/docs/postgres).
* [Amazon RDS Aurora for PostgreSQL](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.AuroraPostgreSQL.html)
* [Stackit Postgres Flex](https://stackit.com/en/products/database/stackit-postgresql-flex)

Amazon PostgreSQL instances require additional firewall configuration to allow connections from the Kubernetes cluster.

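Review bot: the new Stackit Postgres Flex bullet should carry a pointer to the CREATEROLE limitation (the alert added further down in this file), so a reader scanning the supported list learns that only the JDBC plan with a pre-created user works on this provider; the list also mixes trailing periods (two entries end with one, two do not).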
@@ -243,6 +249,10 @@ The Mendix Operator allows you to specify custom Certificate Authorities to trus
Strict TLS mode should only be used with apps created in Mendix 8.15.2 (or later versions), earlier Mendix versions will fail to start when validating the TLS certificate.
{{% /alert %}}

{{% alert color="info" %}}
The Mendix on-demand PostgreSQL provisioner cannot be used directly. STACKIT PostgreSQL Flex does not expose the CREATEROLE privilege, which is necessary for Mendix to automatically create database users via SQL commands. Hence, a databaser user needs to be created per environment before deployment.
{{% /alert %}}

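Review bot: "databaser user" in the new alert should be "database user". The alert tells the reader what fails but not what to do; the other two alerts in this PR point to the JDBC plan and the STACKIT CLI/API for creating the user, so a link to #jdbc and the same instruction belongs here as well. It is also placed directly after the strict TLS mode note, which makes it read as a TLS caveat; moving it next to the Stackit Postgres Flex entry in the supported list above would put it where the reader looks.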
### Microsoft SQL Server

This refers to a SQL Server database which is automatically provisioned by the Operator. If you are connecting to an existing database, you should use the [Dedicated JDBC database](#jdbc) option described below.
@@ -346,6 +356,9 @@ Mendix Operator will need the endpoint, access key, and secret key to access the

[Ceph](https://ceph.io/en/) is supported with the S3-compatible interface [Ceph Object Gateway](https://docs.ceph.com/en/mimic/radosgw/). The Mendix Operator will need the endpoint, access key, and secret key to access the storage. Please check the Ceph documentation for information on how to get the credentials.

### STACKIT Object Storage (S3 compatible)
STACKIT's S3-compatible object storage does not implement APIs such as CreateUser, CreatePolicy, CreateBucket. Hence, a bucket needs to be created beforehand which will be shared with multiple environments or seperate buckets can be created per environment.

## Networking

{{% alert color="info" %}}
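Review bot: "seperate" in the new STACKIT Object Storage paragraph should be "separate", and a blank line is missing between the heading and the paragraph (the other headings in this file have one). The sentence also presents a shared bucket and a bucket per environment as equivalent choices; since the storage section added in this PR lists "no isolation between environments" as a limitation of the shared bucket, say here that a bucket and credential pair per environment is the recommended option and that with a shared bucket every environment can read the other environments' objects. The product spelling (STACKIT here, Stackit in the registry heading above) should be made consistent.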