Modernize etcd storageclass to out-of-tree provisioner

[voelzmo]

How to categorize this PR?

/area storage
/kind enhancement
/platform aws

What this PR does / why we need it:

Modernizes the etcd StorageClass for AWS:

1. Replaces the deprecated in-tree provisioner kubernetes.io/aws-ebs with the EBS CSI driver ebs.csi.aws.com
2. Extracts the hardcoded type: gp3 disk parameter from the StorageClass template into values.yaml under config.etcd.storage.parameters, making it configurable by operators.

The existing config.etcd.storage.encrypted boolean is preserved for backwards compatibility.

Which issue(s) this PR fixes:
Fixes #1716

Special notes for your reviewer:

The StorageClass template now renders arbitrary key/value pairs from config.etcd.storage.parameters, so operators can pass any EBS
CSI driver parameter (e.g. kmsKeyId, throughput) without chart changes.

The encrypted boolean in values is kept for backwards compatibility: if set, encrypted: "true" is still emitted unless the operator has already included encrypted in the parameters map, avoiding duplicate keys.

Release note:

The etcd StorageClass provisioner has been switched from in-tree `kubernetes.io/aws-ebs` to the EBS CSI driver `ebs.csi.aws.com`. The disk type is now configurable via `config.etcd.storage.parameters` in the Helm values (default: `type: gp3`).
The old way of configuring it via `.Values.config.etcd.storage.encrypted` is now deprecated and will be removed with a future release.

[github-actions]

This update modernizes the AWS EBS storage configuration by transitioning from the legacy Kubernetes EBS provisioner to the AWS EBS CSI driver, while adding flexibility for custom storage parameters in Gardener extension deployments.

Walkthrough

• Refactor: Migrated from legacy kubernetes.io/aws-ebs provisioner to modern ebs.csi.aws.com CSI driver for improved performance and feature support
• New Feature: Added configurable storage parameters section allowing users to specify custom EBS settings beyond the default gp3 volume type
• Bug Fix: Enhanced parameter validation logic to prevent conflicts when users provide custom encrypted settings in their parameters
• Chore: Updated Helm chart rawChart with compressed configuration changes to reflect the new storage architecture

_{Model: claude-sonnet-4-20250514 | Prompt Tokens: 14995 | Completion Tokens: 177}

[voelzmo]

Especially not sure about the need for backwards compatibility regarding the encrypted configuration of the volumes. WDYT?

[hebelsan]

Especially not sure about the need for backwards compatibility regarding the encrypted configuration of the volumes. WDYT?

Hm, I’d prefer having the encryption under the parameter field only...
Could we introduce this with a breaking change announcement?

[AndreasBurger]

lgtm

nvm, did not see the latest comments.

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AndreasBurger

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [AndreasBurger]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: c4685f9b961ed256bb4769014fc9adebf5595fb5

[AndreasBurger]

And it was merged by prow. Splendid.

I'll follow up on the latest comment from Alex and do the work

[AndreasBurger]

We talked about it, and this is good for now. We'll move towards the new scheme (i.e. using .Values.config.etcd.storage.parameters for all config) at a future point. I've put a deprecation notice for the old way into the release notes.