mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-01-29 16:19:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #153 from ceph/devel

Browse Source 
update downstream devel with upstream devel
This commit is contained in:
OpenShift Merge Robot 2022-12-21 09:25:05 -05:00 committed by GitHub
commit ac6e6cae5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
276 changed files with 9526 additions and 9861 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/dependency-review.yaml vendored
View File

@ -17,4 +17,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: 'Dependency Review'
uses: actions/dependency-review-action@v2
uses: actions/dependency-review-action@v3

24
README.md
View File

@ -8,18 +8,18 @@ Card](https://goreportcard.com/badge/github.com/ceph/ceph-csi)](https://goreport
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5940/badge)](https://bestpractices.coreinfrastructure.org/projects/5940)
- [Ceph CSI](#ceph-csi)
- [Overview](#overview)
- [Project status](#project-status)
- [Known to work CO platforms](#known-to-work-co-platforms)
- [Support Matrix](#support-matrix)
- [Ceph-CSI features and available versions](#ceph-csi-features-and-available-versions)
- [CSI spec and Kubernetes version compatibility](#csi-spec-and-kubernetes-version-compatibility)
- [Ceph CSI Container images and release compatibility](#ceph-csi-container-images-and-release-compatibility)
- [Contributing to this repo](#contributing-to-this-repo)
- [Troubleshooting](#troubleshooting)
- [Weekly Bug Triage call](#weekly-bug-triage-call)
- [Dev standup](#dev-standup)
- [Contact](#contact)
- [Overview](#overview)
- [Project status](#project-status)
- [Known to work CO platforms](#known-to-work-co-platforms)
- [Support Matrix](#support-matrix)
- [Ceph-CSI features and available versions](#ceph-csi-features-and-available-versions)
- [CSI spec and Kubernetes version compatibility](#csi-spec-and-kubernetes-version-compatibility)
- [Ceph CSI Container images and release compatibility](#ceph-csi-container-images-and-release-compatibility)
- [Contributing to this repo](#contributing-to-this-repo)
- [Troubleshooting](#troubleshooting)
- [Weekly Bug Triage call](#weekly-bug-triage-call)
- [Dev standup](#dev-standup)
- [Contact](#contact)
This repo contains the Ceph
[Container Storage Interface (CSI)](https://github.com/container-storage-interface/)

4
actions/retest/go.mod
View File

@ -4,13 +4,13 @@ go 1.18
require (
github.com/google/go-github v17.0.0+incompatible
golang.org/x/oauth2 v0.2.0
golang.org/x/oauth2 v0.3.0
)
require (
github.com/golang/protobuf v1.5.2 // indirect
github.com/google/go-querystring v1.1.0 // indirect
golang.org/x/net v0.2.0 // indirect
golang.org/x/net v0.3.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.1 // indirect
)

8
actions/retest/go.sum
View File

@ -11,10 +11,10 @@ github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU=
golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs=
golang.org/x/net v0.3.0 h1:VWL6FNY2bEEmsGVKabSlHu5Irp34xmMRoqb/9lF9lxk=
golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.3.0 h1:6l90koy8/LaBLmLu8jpHeHexzMwEita0zFfYlggy2F8=
golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=

4
actions/retest/vendor/modules.txt vendored
View File

@ -7,11 +7,11 @@ github.com/google/go-github/github
# github.com/google/go-querystring v1.1.0
## explicit; go 1.10
github.com/google/go-querystring/query
# golang.org/x/net v0.2.0
# golang.org/x/net v0.3.0
## explicit; go 1.17
golang.org/x/net/context
golang.org/x/net/context/ctxhttp
# golang.org/x/oauth2 v0.2.0
# golang.org/x/oauth2 v0.3.0
## explicit; go 1.17
golang.org/x/oauth2
golang.org/x/oauth2/internal

28
api/go.mod
View File

@ -1,10 +1,32 @@
module github.com/ceph/ceph-csi/api
go 1.16
go 1.18
require (
github.com/ghodss/yaml v1.0.0
github.com/openshift/api v0.0.0-20210927171657-636513e97fda
github.com/stretchr/testify v1.7.0
k8s.io/api v0.22.1
github.com/stretchr/testify v1.8.0
k8s.io/api v0.25.4
)
require (
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/go-logr/logr v1.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
golang.org/x/net v0.2.0 // indirect
golang.org/x/text v0.4.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apimachinery v0.25.4 // indirect
k8s.io/klog/v2 v2.80.1 // indirect
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
)

47
api/go.sum
View File

@ -28,8 +28,10 @@ github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v0.4.0 h1:K7/B1jt6fIBQVd4Owv2MqGQClcgf0R266+7C/QjRcLc=
github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.2.3 h1:2DntVwHkVopvECVRSlL5PSo9eG+cAkDCuckLubN+rq0=
github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8=
@ -55,11 +57,13 @@ github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5a
github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20181127221834-b4f47329b966/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@ -70,8 +74,9 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
github.com/json-iterator/go v1.1.11 h1:uVUAXhF2To8cbw/3xN3pxj6kk7TYKs98NIrTqPlMWAQ=
github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -89,8 +94,9 @@ github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJ
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
@ -116,11 +122,14 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
@ -148,8 +157,9 @@ golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/
golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE=
golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -177,8 +187,9 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6 h1:aRYxNxv6iGQlyVaZmk6ZgYEDa+Jg18DxebPSrd6bg1M=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -193,7 +204,6 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@ -234,24 +244,33 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
k8s.io/api v0.22.1 h1:ISu3tD/jRhYfSW8jI/Q1e+lRxkR7w9UwQEZ7FgslrwY=
k8s.io/api v0.22.1/go.mod h1:bh13rkTp3F1XEaLGykbyRD2QaTTzPm0e/BMd8ptFONY=
k8s.io/apimachinery v0.22.1 h1:DTARnyzmdHMz7bFWFDDm22AM4pLWTQECMpRTFu2d2OM=
k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs=
k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ=
k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ0=
k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc=
k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo=
k8s.io/code-generator v0.22.1/go.mod h1:eV77Y09IopzeXOJzndrDyCI88UBok2h6WxAlBwpxa+o=
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=
k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec=
k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw=
sigs.k8s.io/structured-merge-diff/v4 v4.1.2 h1:Hr/htKFmJEbtMgS/UD0N+gtgctAqz81t3nu+sPzynno=
sigs.k8s.io/structured-merge-diff/v4 v4.1.2/go.mod h1:j/nl6xW8vLS49O8YvXW1ocPhZawJtm+Yrr7PPRQ0Vg4=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=

4
build.env
View File

@ -16,7 +16,7 @@ BASE_IMAGE=quay.io/ceph/ceph:v17
CEPH_VERSION=quincy
# standard Golang options
GOLANG_VERSION=1.18.5
GOLANG_VERSION=1.18.8
GO111MODULE=on
# commitlint version
@ -52,7 +52,7 @@ CSI_ATTACHER_VERSION=v4.0.0
CSI_SNAPSHOTTER_VERSION=v6.1.0
CSI_RESIZER_VERSION=v1.6.0
CSI_PROVISIONER_VERSION=v3.3.0
CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.6.0
CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.6.2
# e2e settings
# - enable CEPH_CSI_RUN_ALL_TESTS when running tests with if it has root

2
charts/ceph-csi-cephfs/README.md
View File

@ -93,7 +93,7 @@ charts and their default values.
| `nodeplugin.priorityClassName` | Set user created priorityclassName for csi plugin pods. default is system-node-critical which is highest priority | `system-node-critical` |
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
| `nodeplugin.registrar.image.repository` | Node-Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
| `nodeplugin.registrar.image.tag` | Image tag | `v2.6.0` |
| `nodeplugin.registrar.image.tag` | Image tag | `v2.6.2` |
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |

2
charts/ceph-csi-cephfs/values.yaml
View File

@ -87,7 +87,7 @@ nodeplugin:
registrar:
image:
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.6.0
tag: v2.6.2
pullPolicy: IfNotPresent
resources: {}

2
charts/ceph-csi-rbd/README.md
View File

@ -95,7 +95,7 @@ charts and their default values.
| `nodeplugin.priorityClassName` | Set user created priorityclassName for csi plugin pods. default is system-node-critical which is highest priority | `system-node-critical` |
| `nodeplugin.profiling.enabled` | Specifies whether profiling should be enabled | `false` |
| `nodeplugin.registrar.image.repository` | Node Registrar image repository URL | `registry.k8s.io/sig-storage/csi-node-driver-registrar` |
| `nodeplugin.registrar.image.tag` | Image tag | `v2.6.0` |
| `nodeplugin.registrar.image.tag` | Image tag | `v2.6.2` |
| `nodeplugin.registrar.image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `nodeplugin.plugin.image.repository` | Nodeplugin image repository URL | `quay.io/cephcsi/cephcsi` |
| `nodeplugin.plugin.image.tag` | Image tag | `canary` |

2
charts/ceph-csi-rbd/values.yaml
View File

@ -110,7 +110,7 @@ nodeplugin:
registrar:
image:
repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
tag: v2.6.0
tag: v2.6.2
pullPolicy: IfNotPresent
resources: {}

3
deploy/cephcsi/image/Dockerfile
View File

@ -28,7 +28,8 @@ RUN ${GOROOT}/bin/go version && ${GOROOT}/bin/go env
RUN dnf config-manager --disable \
tcmu-runner,tcmu-runner-source,tcmu-runner-noarch || true
RUN dnf -y install \
RUN dnf -y update \
&& dnf -y install --nodocs \
librados-devel librbd-devel \
/usr/bin/cc \
make \

11
deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml
View File

@ -117,6 +117,12 @@ spec:
fieldPath: spec.nodeName
- name: CSI_ENDPOINT
value: unix:///csi/csi-provisioner.sock
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# - name: KMS_CONFIGMAP_NAME
# value: encryptionConfig
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: socket-dir
@ -134,6 +140,8 @@ spec:
mountPath: /etc/ceph-csi-config/
- name: keys-tmp-dir
mountPath: /tmp/csi/keys
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: liveness-prometheus
image: quay.io/cephcsi/cephcsi:canary
args:
@ -178,3 +186,6 @@ spec:
emptyDir: {
medium: "Memory"
}
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config

13
deploy/cephfs/kubernetes/csi-cephfsplugin.yaml
View File

@ -27,7 +27,7 @@ spec:
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.2
args:
- "--v=1"
- "--csi-address=/csi/csi.sock"
@ -74,6 +74,12 @@ spec:
fieldPath: spec.nodeName
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# - name: KMS_CONFIGMAP_NAME
# value: encryptionConfig
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: socket-dir
@ -104,6 +110,8 @@ spec:
mountPath: /tmp/csi/keys
- name: ceph-csi-mountinfo
mountPath: /csi/mountinfo
- name: ceph-csi-encryption-kms-config
mountPath: /etc/ceph-csi-encryption-kms-config/
- name: liveness-prometheus
securityContext:
privileged: true
@ -173,6 +181,9 @@ spec:
hostPath:
path: /var/lib/kubelet/plugins/cephfs.csi.ceph.com/mountinfo
type: DirectoryOrCreate
- name: ceph-csi-encryption-kms-config
configMap:
name: ceph-csi-encryption-kms-config
---
# This is a service to expose the liveness metrics
apiVersion: v1

33
deploy/cephfs/kubernetes/csi-nodeplugin-rbac.yaml
View File

@ -3,3 +3,36 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: cephfs-csi-nodeplugin
namespace: default
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-csi-nodeplugin
subjects:
- kind: ServiceAccount
name: cephfs-csi-nodeplugin
# replace with non-default namespace name
namespace: default
roleRef:
kind: ClusterRole
name: cephfs-csi-nodeplugin
apiGroup: rbac.authorization.k8s.io

24
deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml
View File

@ -3,6 +3,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: cephfs-csi-provisioner
namespace: default
---
kind: ClusterRole
@ -10,9 +11,12 @@ apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cephfs-external-provisioner-runner
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
@ -22,6 +26,9 @@ rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
@ -37,15 +44,21 @@ rules:
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
@ -68,6 +81,9 @@ metadata:
namespace: default
name: cephfs-external-provisioner-cfg
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]

2
deploy/nfs/kubernetes/csi-nfsplugin.yaml
View File

@ -27,7 +27,7 @@ spec:
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.2
args:
- "--v=1"
- "--csi-address=/csi/csi.sock"

2
deploy/rbd/kubernetes/csi-rbdplugin.yaml
View File

@ -29,7 +29,7 @@ spec:
securityContext:
privileged: true
allowPrivilegeEscalation: true
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.0
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.2
args:
- "--v=1"
- "--csi-address=/csi/csi.sock"

70
docs/ceph-csi-upgrade.md
View File

@ -1,39 +1,39 @@
# Ceph-csi Upgrade
- [Ceph-csi Upgrade](#ceph-csi-upgrade)
- [Pre-upgrade considerations](#pre-upgrade-considerations)
- [Snapshot-controller and snapshot crd](#snapshot-controller-and-snapshot-crd)
- [Snapshot API version support matrix](#snapshot-api-version-support-matrix)
- [Upgrading from v3.2 to v3.3](#upgrading-from-v32-to-v33)
- [Upgrading from v3.3 to v3.4](#upgrading-from-v33-to-v34)
- [Upgrading from v3.4 to v3.5](#upgrading-from-v34-to-v35)
- [Upgrading from v3.5 to v3.6](#upgrading-from-v35-to-v36)
- [Upgrading from v3.6 to v3.7](#upgrading-from-v36-to-v37)
- [Upgrading CephFS](#upgrading-cephfs)
- [1. Upgrade CephFS Provisioner resources](#1-upgrade-cephfs-provisioner-resources)
- [1.1 Update the CephFS Provisioner RBAC](#11-update-the-cephfs-provisioner-rbac)
- [1.2 Update the CephFS Provisioner deployment](#12-update-the-cephfs-provisioner-deployment)
- [2. Upgrade CephFS Nodeplugin resources](#2-upgrade-cephfs-nodeplugin-resources)
- [2.1 Update the CephFS Nodeplugin RBAC](#21-update-the-cephfs-nodeplugin-rbac)
- [2.2 Update the CephFS Nodeplugin daemonset](#22-update-the-cephfs-nodeplugin-daemonset)
- [2.3 Manual deletion of CephFS Nodeplugin daemonset pods](#23-manual-deletion-of-cephfs-nodeplugin-daemonset-pods)
- [Delete removed CephFS PSP, Role and RoleBinding](#delete-removed-cephfs-psp-role-and-rolebinding)
- [Upgrading RBD](#upgrading-rbd)
- [3. Upgrade RBD Provisioner resources](#3-upgrade-rbd-provisioner-resources)
- [3.1 Update the RBD Provisioner RBAC](#31-update-the-rbd-provisioner-rbac)
- [3.2 Update the RBD Provisioner deployment](#32-update-the-rbd-provisioner-deployment)
- [4. Upgrade RBD Nodeplugin resources](#4-upgrade-rbd-nodeplugin-resources)
- [4.1 Update the RBD Nodeplugin RBAC](#41-update-the-rbd-nodeplugin-rbac)
- [4.2 Update the RBD Nodeplugin daemonset](#42-update-the-rbd-nodeplugin-daemonset)
- [Delete removed RBD PSP, Role and RoleBinding](#delete-removed-rbd-psp-role-and-rolebinding)
- [Upgrading NFS](#upgrading-nfs)
- [5. Upgrade NFS Provisioner resources](#5-upgrade-nfs-provisioner-resources)
- [5.1 Update the NFS Provisioner RBAC](#51-update-the-nfs-provisioner-rbac)
- [5.2 Update the NFS Provisioner deployment](#52-update-the-nfs-provisioner-deployment)
- [6. Upgrade NFS Nodeplugin resources](#6-upgrade-nfs-nodeplugin-resources)
- [6.1 Update the NFS Nodeplugin RBAC](#61-update-the-nfs-nodeplugin-rbac)
- [6.2 Update the NFS Nodeplugin daemonset](#62-update-the-nfs-nodeplugin-daemonset)
- [CSI Sidecar containers consideration](#csi-sidecar-containers-consideration)
- [Pre-upgrade considerations](#pre-upgrade-considerations)
- [Snapshot-controller and snapshot crd](#snapshot-controller-and-snapshot-crd)
- [Snapshot API version support matrix](#snapshot-api-version-support-matrix)
- [Upgrading from v3.2 to v3.3](#upgrading-from-v32-to-v33)
- [Upgrading from v3.3 to v3.4](#upgrading-from-v33-to-v34)
- [Upgrading from v3.4 to v3.5](#upgrading-from-v34-to-v35)
- [Upgrading from v3.5 to v3.6](#upgrading-from-v35-to-v36)
- [Upgrading from v3.6 to v3.7](#upgrading-from-v36-to-v37)
- [Upgrading CephFS](#upgrading-cephfs)
- [1. Upgrade CephFS Provisioner resources](#1-upgrade-cephfs-provisioner-resources)
- [1.1 Update the CephFS Provisioner RBAC](#11-update-the-cephfs-provisioner-rbac)
- [1.2 Update the CephFS Provisioner deployment](#12-update-the-cephfs-provisioner-deployment)
- [2. Upgrade CephFS Nodeplugin resources](#2-upgrade-cephfs-nodeplugin-resources)
- [2.1 Update the CephFS Nodeplugin RBAC](#21-update-the-cephfs-nodeplugin-rbac)
- [2.2 Update the CephFS Nodeplugin daemonset](#22-update-the-cephfs-nodeplugin-daemonset)
- [2.3 Manual deletion of CephFS Nodeplugin daemonset pods](#23-manual-deletion-of-cephfs-nodeplugin-daemonset-pods)
- [Delete removed CephFS PSP, Role and RoleBinding](#delete-removed-cephfs-psp-role-and-rolebinding)
- [Upgrading RBD](#upgrading-rbd)
- [3. Upgrade RBD Provisioner resources](#3-upgrade-rbd-provisioner-resources)
- [3.1 Update the RBD Provisioner RBAC](#31-update-the-rbd-provisioner-rbac)
- [3.2 Update the RBD Provisioner deployment](#32-update-the-rbd-provisioner-deployment)
- [4. Upgrade RBD Nodeplugin resources](#4-upgrade-rbd-nodeplugin-resources)
- [4.1 Update the RBD Nodeplugin RBAC](#41-update-the-rbd-nodeplugin-rbac)
- [4.2 Update the RBD Nodeplugin daemonset](#42-update-the-rbd-nodeplugin-daemonset)
- [Delete removed RBD PSP, Role and RoleBinding](#delete-removed-rbd-psp-role-and-rolebinding)
- [Upgrading NFS](#upgrading-nfs)
- [5. Upgrade NFS Provisioner resources](#5-upgrade-nfs-provisioner-resources)
- [5.1 Update the NFS Provisioner RBAC](#51-update-the-nfs-provisioner-rbac)
- [5.2 Update the NFS Provisioner deployment](#52-update-the-nfs-provisioner-deployment)
- [6. Upgrade NFS Nodeplugin resources](#6-upgrade-nfs-nodeplugin-resources)
- [6.1 Update the NFS Nodeplugin RBAC](#61-update-the-nfs-nodeplugin-rbac)
- [6.2 Update the NFS Nodeplugin daemonset](#62-update-the-nfs-nodeplugin-daemonset)
- [CSI Sidecar containers consideration](#csi-sidecar-containers-consideration)
## Pre-upgrade considerations
@ -226,10 +226,10 @@ For each node:
- Drain your application pods from the node
- Delete the CSI driver pods on the node
- The pods to delete will be named with a csi-cephfsplugin prefix and have a
- The pods to delete will be named with a csi-cephfsplugin prefix and have a
random suffix on each node. However, no need to delete the provisioner
pods: csi-cephfsplugin-provisioner-* .
- The pod deletion causes the pods to be restarted and updated automatically
- The pod deletion causes the pods to be restarted and updated automatically
on the node.
#### Delete removed CephFS PSP, Role and RoleBinding

11
docs/ceph-mount-corruption.md
View File

@ -77,13 +77,16 @@ following errors:
More details about the error codes can be found [here](https://www.gnu.org/software/libc/manual/html_node/Error-Codes.html)
For such mounts, The CephCSI nodeplugin returns volume_condition as abnormal for `NodeGetVolumeStats` RPC call.
For such mounts, The CephCSI nodeplugin returns volume_condition as
abnormal for `NodeGetVolumeStats` RPC call.
### kernel client recovery
Once a mountpoint corruption is detected, Below are the two methods to recover from it.
Once a mountpoint corruption is detected,
Below are the two methods to recover from it.
* Reboot the node where the abnormal volume behavior is observed.
* Scale down all the applications using the CephFS PVC on the node where abnormal mounts
are present. Once all the applications are deleted, scale up the application
* Scale down all the applications using the CephFS PVC
on the node where abnormal mounts are present.
Once all the applications are deleted, scale up the application
to remount the CephFS PVC to application pods.

8
docs/cephfs-snapshot-backed-volumes.md
View File

@ -21,12 +21,12 @@ For provisioning new snapshot-backed volumes, following configuration must be
set for storage class(es) and their PVCs respectively:
* StorageClass:
* Specify `backingSnapshot: "true"` parameter.
* Specify `backingSnapshot: "true"` parameter.
* PersistentVolumeClaim:
* Set `storageClassName` to point to your storage class with backing
* Set `storageClassName` to point to your storage class with backing
snapshots enabled.
* Define `spec.dataSource` for your desired source volume snapshot.
* Set `spec.accessModes` to `ReadOnlyMany`. This is the only access mode that
* Define `spec.dataSource` for your desired source volume snapshot.
* Set `spec.accessModes` to `ReadOnlyMany`. This is the only access mode that
is supported by this feature.
### Mounting snapshots from pre-provisioned volumes

21
docs/deploy-cephfs.md
View File

@ -63,7 +63,7 @@ you're running it inside a k8s cluster and find the config itself).
**Available volume parameters:**
| Parameter | Required | Description |
| --------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|-----------------------------------------------------------------------------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `clusterID` | yes | String representing a Ceph cluster, must be unique across all Ceph clusters in use for provisioning, cannot be greater than 36 bytes in length, and should remain immutable for the lifetime of the Ceph cluster in use |
| `fsName` | yes | CephFS filesystem name into which the volume shall be created |
| `mounter` | no | Mount method to be used for this volume. Available options are `kernel` for Ceph kernel client and `fuse` for Ceph FUSE driver. Defaults to "default mounter". |
@ -75,6 +75,8 @@ you're running it inside a k8s cluster and find the config itself).
| `fuseMountOptions` | no | Comma separated string of mount options accepted by ceph-fuse mounter, by default no options are passed. |
| `csi.storage.k8s.io/provisioner-secret-name`, `csi.storage.k8s.io/node-stage-secret-name` | for Kubernetes | Name of the Kubernetes Secret object containing Ceph client credentials. Both parameters should have the same value |
| `csi.storage.k8s.io/provisioner-secret-namespace`, `csi.storage.k8s.io/node-stage-secret-namespace` | for Kubernetes | Namespaces of the above Secret objects |
| `encrypted` | no | disabled by default, use `"true"` to enable fscrypt encryption on PVC and `"false"` to disable it. **Do not change for existing storageclasses** |
| `encryptionKMSID` | no | required if encryption is enabled and a kms is used to store passphrases |
**NOTE:** An accompanying CSI configuration file, needs to be provided to the
running pods. Refer to [Creating CSI configuration](../examples/README.md#creating-csi-configuration)
@ -217,3 +219,20 @@ The Helm chart is located in `charts/ceph-csi-cephfs`.
**Deploy Helm Chart:**
[See the Helm chart readme for installation instructions.](../charts/ceph-csi-cephfs/README.md)
## CephFS Volume Encryption
Requires fscrypt support in the Linux kernel and Ceph.
Key management is compatible with the
[fscrypt](https://github.com/google/fscrypt) userspace tool. See the
design doc [Ceph Filesystem fscrypt
Support](design/proposals/cephfs-fscrypt.md) for details.
In general the KMS configuration is the same as for RBD encryption and
can even be shared.
However, not all KMS are supported in order to be compatible with
[fscrypt](https://github.com/google/fscrypt). In general KMS that
either store secrets to use directly (Vault), or allow access to the
plain password (Kubernets Secrets) work.

45
docs/deploy-rbd.md
View File

@ -51,25 +51,26 @@ make image-cephcsi
**Available volume parameters:**
| Parameter | Required | Description |
| --------------------------------------------------------------------------------------------------- | -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `clusterID` | yes | String representing a Ceph cluster, must be unique across all Ceph clusters in use for provisioning, cannot be greater than 36 bytes in length, and should remain immutable for the lifetime of the Ceph cluster in use |
| `pool` | yes | Ceph pool into which the RBD image shall be created |
| `dataPool` | no | Ceph pool used for the data of the RBD images. |
| `volumeNamePrefix` | no | Prefix to use for naming RBD images (defaults to `csi-vol-`). |
| `snapshotNamePrefix` | no | Prefix to use for naming RBD snapshot images (defaults to `csi-snap-`). |
| `imageFeatures` | no | RBD image features. CSI RBD currently supports `layering`, `journaling`, `exclusive-lock`, `object-map`, `fast-diff`, `deep-flatten` features. deep-flatten is added for cloned images. Refer <https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features> for image feature dependencies. |
| `tryOtherMounters` | no | Specifies whether to try other mounters in case if the current mounter fails to mount the rbd image for any reason |
| `mapOptions` | no | Map options to use when mapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. |
| `unmapOptions` | no | Unmap options to use when unmapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. |
| `csi.storage.k8s.io/provisioner-secret-name`, `csi.storage.k8s.io/node-stage-secret-name` | yes (for Kubernetes) | name of the Kubernetes Secret object containing Ceph client credentials. Both parameters should have the same value |
| `csi.storage.k8s.io/provisioner-secret-namespace`, `csi.storage.k8s.io/node-stage-secret-namespace` | yes (for Kubernetes) | namespaces of the above Secret objects |
| `mounter` | no | if set to `rbd-nbd`, use `rbd-nbd` on nodes that have `rbd-nbd` and `nbd` kernel modules to map rbd images |
| `encrypted` | no | disabled by default, use `"true"` to enable LUKS encryption on PVC and `"false"` to disable it. **Do not change for existing storageclasses** |
| `encryptionKMSID` | no | required if encryption is enabled and a kms is used to store passphrases |
| `stripeUnit` | no | stripe unit in bytes |
| `stripeCount` | no | objects to stripe over before looping |
| `objectSize` | no | object size in bytes |
| Parameter | Required | Description |
|-----------------------------------------------------------------------------------------------------|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `clusterID` | yes | String representing a Ceph cluster, must be unique across all Ceph clusters in use for provisioning, cannot be greater than 36 bytes in length, and should remain immutable for the lifetime of the Ceph cluster in use |
| `pool` | yes | Ceph pool into which the RBD image shall be created |
| `dataPool` | no | Ceph pool used for the data of the RBD images. |
| `volumeNamePrefix` | no | Prefix to use for naming RBD images (defaults to `csi-vol-`). |
| `snapshotNamePrefix` | no | Prefix to use for naming RBD snapshot images (defaults to `csi-snap-`). |
| `imageFeatures` | no | RBD image features. CSI RBD currently supports `layering`, `journaling`, `exclusive-lock`, `object-map`, `fast-diff`, `deep-flatten` features. deep-flatten is added for cloned images. Refer <https://docs.ceph.com/en/latest/rbd/rbd-config-ref/#image-features> for image feature dependencies. |
| `tryOtherMounters` | no | Specifies whether to try other mounters in case if the current mounter fails to mount the rbd image for any reason |
| `mapOptions` | no | Map options to use when mapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. |
| `unmapOptions` | no | Unmap options to use when unmapping rbd image. See [krbd](https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options) and [nbd](https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options) options. |
| `csi.storage.k8s.io/provisioner-secret-name`, `csi.storage.k8s.io/node-stage-secret-name` | yes (for Kubernetes) | name of the Kubernetes Secret object containing Ceph client credentials. Both parameters should have the same value |
| `csi.storage.k8s.io/provisioner-secret-namespace`, `csi.storage.k8s.io/node-stage-secret-namespace` | yes (for Kubernetes) | namespaces of the above Secret objects |
| `mounter` | no | if set to `rbd-nbd`, use `rbd-nbd` on nodes that have `rbd-nbd` and `nbd` kernel modules to map rbd images |
| `encrypted` | no | disabled by default, use `"true"` to enable either LUKS or fscrypt encryption on PVC and `"false"` to disable it. **Do not change for existing storageclasses** |
| `encryptionKMSID` | no | required if encryption is enabled and a kms is used to store passphrases |
| `encryptionType` | no | Either `block` or `file`. If unset or `block` use LUKS block device encryption. If `file` use ext4 fscrypt to encrypt on the file system level (requires kernel support). |
| `stripeUnit` | no | stripe unit in bytes |
| `stripeCount` | no | objects to stripe over before looping |
| `objectSize` | no | object size in bytes |
**NOTE:** An accompanying CSI configuration file, needs to be provided to the
running pods. Refer to [Creating CSI configuration](../examples/README.md#creating-csi-configuration)
@ -220,9 +221,9 @@ possible to encrypt them with ceph-csi by using LUKS encryption.
* volume is attached to provisioner container
* on first time attachment
(no file system on the attached device, checked with blkid)
* passphrase is retrieved from selected KMS if KMS is in use
* device is encrypted with LUKS using a passphrase from K8s Secret or KMS
* image-meta updated to "encrypted" in Ceph
* passphrase is retrieved from selected KMS if KMS is in use
* device is encrypted with LUKS using a passphrase from K8s Secret or KMS
* image-meta updated to "encrypted" in Ceph
* passphrase is retrieved from selected KMS if KMS is in use
* device is open and device path is changed to use a mapper device
* mapper device is used instead of original one with usual workflow

4
docs/design/proposals/cephfs-fscrypt.md
View File

@ -19,8 +19,8 @@ Work is in progress to add fscrypt support to CephFS for filesystem-level encryp
- [FSCrypt Kernel Documentation](https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html)
- Management Tools
- [`fscrypt`](https://github.com/google/fscrypt)
- [`fscryptctl`](https://github.com/google/fscryptctl)
- [`fscrypt`](https://github.com/google/fscrypt)
- [`fscryptctl`](https://github.com/google/fscryptctl)
- [Ceph Feature Tracker: "Add fscrypt support to the kernel CephFS client"](https://tracker.ceph.com/issues/46690)
- [`fscrypt` design document](https://goo.gl/55cCrI)

6
docs/design/proposals/clusterid-mapping.md
View File

@ -79,13 +79,13 @@ volume is present in the pool.
## Problems with volumeID Replication
* The clusterID can be different
* as the clusterID is the namespace where rook is deployed, the Rook might
* as the clusterID is the namespace where rook is deployed, the Rook might
be deployed in the different namespace on a secondary cluster
* In standalone Ceph-CSI the clusterID is fsID and fsID is unique per
* In standalone Ceph-CSI the clusterID is fsID and fsID is unique per
cluster
* The poolID can be different
* PoolID which is encoded in the volumeID won't remain the same across
* PoolID which is encoded in the volumeID won't remain the same across
clusters
To solve this problem we need to have a new mapping between clusterID's and the

8
docs/design/proposals/encrypted-pvc.md
View File

@ -33,10 +33,10 @@ requirement by using dm-crypt module through cryptsetup cli interface.
[here](https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypting_devices_with_cryptsetup)
Functions to implement necessary interaction are implemented in a separate
`cryptsetup.go` file.
* LuksFormat
* LuksOpen
* LuksClose
* LuksStatus
* LuksFormat
* LuksOpen
* LuksClose
* LuksStatus
* `CreateVolume`: refactored to prepare for encryption (tag image that it
requires encryption later), before returning, if encrypted volume option is

6
docs/design/proposals/encryption-with-vault-tokens.md
View File

@ -54,7 +54,7 @@ Encryption Key (DEK) for PVC encryption:
- when creating the PVC the Ceph-CSI provisioner needs to store the Kubernetes
Namespace of the PVC in its metadata
- stores the `csi.volume.owner` (name of Tenant) in the metadata of the
- stores the `csi.volume.owner` (name of Tenant) in the metadata of the
volume and sets it as `rbdVolume.Owner`
- the Ceph-CSI node-plugin needs to request the Vault Token in the NodeStage
CSI operation and create/get the key for the PVC
@ -87,8 +87,8 @@ Kubernetes and other Container Orchestration frameworks is tracked in
- configuration of the VaultTokenKMS can be very similar to VaultKMS for common
settings
- the configuration can override the defaults for each Tenant separately
- Vault Service connection details (address, TLS options, ...)
- name of the Kubernetes Secret that can be looked up per tenant
- Vault Service connection details (address, TLS options, ...)
- name of the Kubernetes Secret that can be looked up per tenant
- the configuration points to a Kubernetes Secret per Tenant that contains the
Vault Token
- the configuration points to an optional Kubernetes ConfigMap per Tenant that

2
docs/design/proposals/intree-migrate.md
View File

@ -126,4 +126,4 @@ at [CephFS in-tree migration KEP](https://github.com/kubernetes/enhancements/iss
[Tracker Issue in Ceph CSI](https://github.com/ceph/ceph-csi/issues/2509)
[In-tree storage plugin to CSI Driver Migration KEP](https://github.com/kubernetes/enhancements/issues/625)
[In-tree storage plugin to CSI Driver Migration KEP](https://github.com/kubernetes/enhancements/issues/625)

30
docs/design/proposals/rbd-snap-clone.md
View File

@ -1,21 +1,21 @@
# Steps and RBD CLI commands for RBD snapshot and clone operations
- [Steps and RBD CLI commands for RBD snapshot and clone operations](#steps-and-rbd-cli-commands-for-rbd-snapshot-and-clone-operations)
- [Create a snapshot from PVC](#create-a-snapshot-from-pvc)
- [steps to create a snapshot](#steps-to-create-a-snapshot)
- [RBD CLI commands to create snapshot](#rbd-cli-commands-to-create-snapshot)
- [Create PVC from a snapshot (datasource snapshot)](#create-pvc-from-a-snapshot-datasource-snapshot)
- [steps to create a pvc from snapshot](#steps-to-create-a-pvc-from-snapshot)
- [RBD CLI commands to create clone from snapshot](#rbd-cli-commands-to-create-clone-from-snapshot)
- [Delete a snapshot](#delete-a-snapshot)
- [steps to delete a snapshot](#steps-to-delete-a-snapshot)
- [RBD CLI commands to delete a snapshot](#rbd-cli-commands-to-delete-a-snapshot)
- [Delete a Volume (PVC)](#delete-a-volume-pvc)
- [steps to delete a volume](#steps-to-delete-a-volume)
- [RBD CLI commands to delete a volume](#rbd-cli-commands-to-delete-a-volume)
- [Volume cloning (datasource pvc)](#volume-cloning-datasource-pvc)
- [steps to create a Volume from Volume](#steps-to-create-a-volume-from-volume)
- [RBD CLI commands to create a Volume from Volume](#rbd-cli-commands-to-create-a-volume-from-volume)
- [Create a snapshot from PVC](#create-a-snapshot-from-pvc)
- [steps to create a snapshot](#steps-to-create-a-snapshot)
- [RBD CLI commands to create snapshot](#rbd-cli-commands-to-create-snapshot)
- [Create PVC from a snapshot (datasource snapshot)](#create-pvc-from-a-snapshot-datasource-snapshot)
- [steps to create a pvc from snapshot](#steps-to-create-a-pvc-from-snapshot)
- [RBD CLI commands to create clone from snapshot](#rbd-cli-commands-to-create-clone-from-snapshot)
- [Delete a snapshot](#delete-a-snapshot)
- [steps to delete a snapshot](#steps-to-delete-a-snapshot)
- [RBD CLI commands to delete a snapshot](#rbd-cli-commands-to-delete-a-snapshot)
- [Delete a Volume (PVC)](#delete-a-volume-pvc)
- [steps to delete a volume](#steps-to-delete-a-volume)
- [RBD CLI commands to delete a volume](#rbd-cli-commands-to-delete-a-volume)
- [Volume cloning (datasource pvc)](#volume-cloning-datasource-pvc)
- [steps to create a Volume from Volume](#steps-to-create-a-volume-from-volume)
- [RBD CLI commands to create a Volume from Volume](#rbd-cli-commands-to-create-a-volume-from-volume)
This document outlines the command used to create RBD snapshot, delete RBD
snapshot, Restore RBD snapshot and Create new RBD image from existing RBD image.

14
docs/design/proposals/rbd-volume-healer.md
View File

@ -85,16 +85,16 @@ Volume healer does the below,
NodeStage, NodeUnstage, NodePublish, NodeUnPublish operations. Hence none of
the operations happen in parallel.
- Any issues if the NodeUnstage is issued by kubelet?
- This can not be a problem as we take a lock at the Ceph-CSI level
- If the NodeUnstage success, Ceph-CSI will return StagingPath not found
- This can not be a problem as we take a lock at the Ceph-CSI level
- If the NodeUnstage success, Ceph-CSI will return StagingPath not found
error, we can then skip
- If the NodeUnstage fails with an operation already going on, in the next
- If the NodeUnstage fails with an operation already going on, in the next
NodeUnstage the volume gets unmounted
- What if the PVC is deleted?
- If the PVC is deleted, the volume attachment list might already get
- If the PVC is deleted, the volume attachment list might already get
refreshed and entry will be skipped/deleted at the healer.
- For any reason, If the request bails out with Error NotFound, skip the
- For any reason, If the request bails out with Error NotFound, skip the
PVC, assuming it might have deleted or the NodeUnstage might have already
happened.
- The Volume healer currently works with rbd-nbd, but the design can
accommodate other userspace mounters (may be ceph-fuse).
- The Volume healer currently works with rbd-nbd, but the design can
accommodate other userspace mounters (may be ceph-fuse).

12
docs/disaster-recovery.md
View File

@ -226,13 +226,13 @@ status:
* Take a backup of PVC and PV object on primary cluster(cluster-1)
* Take backup of the PVC `rbd-pvc`
* Take backup of the PVC `rbd-pvc`
```bash
kubectl get pvc rbd-pvc -oyaml >pvc-backup.yaml
```
* Take a backup of the PV, corresponding to the PVC
* Take a backup of the PV, corresponding to the PVC
```bash
kubectl get pv/pvc-65dc0aac-5e15-4474-90f4-7a3532c621ec -oyaml >pv_backup.yaml
@ -243,7 +243,7 @@ status:
* Restoring on the secondary cluster(cluster-2)
* Create storageclass on the secondary cluster
* Create storageclass on the secondary cluster
```bash
kubectl create -f examples/rbd/storageclass.yaml --context=cluster-2
@ -251,7 +251,7 @@ status:
storageclass.storage.k8s.io/csi-rbd-sc created
```
* Create VolumeReplicationClass on the secondary cluster
* Create VolumeReplicationClass on the secondary cluster
```bash
cat <<EOF | kubectl --context=cluster-2 apply -f -
@ -270,7 +270,7 @@ status:
volumereplicationclass.replication.storage.openshift.io/rbd-volumereplicationclass created
```
* If Persistent Volumes and Claims are created manually
* If Persistent Volumes and Claims are created manually
on the secondary cluster, remove the `claimRef` on the
backed up PV objects in yaml files; so that the PV can
get bound to the new claim on the secondary cluster.
@ -350,7 +350,7 @@ Follow the below steps for planned migration of workload from primary
* Create the VolumeReplicationClass on the secondary site.
* Create the VolumeReplications for all the PVCs for which mirroring
is enabled
* `replicationState` should be `primary` for all the PVCs on
* `replicationState` should be `primary` for all the PVCs on
the secondary site.
* Check whether the image is marked `primary` on the secondary site
by verifying it in VolumeReplication CR status.

12
docs/expand-pvc.md
View File

@ -1,12 +1,12 @@
# Dynamically Expand Volume
- [Dynamically Expand Volume](#dynamically-expand-volume)
- [Prerequisite](#prerequisite)
- [Expand RBD PVCs](#expand-rbd-pvcs)
- [Expand RBD Filesystem PVC](#expand-rbd-filesystem-pvc)
- [Expand RBD Block PVC](#expand-rbd-block-pvc)
- [Expand CephFS PVC](#expand-cephfs-pvc)
- [Expand CephFS Filesystem PVC](#expand-cephfs-filesystem-pvc)
- [Prerequisite](#prerequisite)
- [Expand RBD PVCs](#expand-rbd-pvcs)
- [Expand RBD Filesystem PVC](#expand-rbd-filesystem-pvc)
- [Expand RBD Block PVC](#expand-rbd-block-pvc)
- [Expand CephFS PVC](#expand-cephfs-pvc)
- [Expand CephFS Filesystem PVC](#expand-cephfs-filesystem-pvc)
## Prerequisite

11
docs/intree-migrate.md
View File

@ -10,11 +10,11 @@ corresponding CSI (`rbd.csi.ceph.com`) driver.
- [Prerequisite](#prerequisite)
- [Volume operations after enabling CSI migration](#volume-operations-after-enabling-csi-migration)
- [Create volume](#create-volume)
- [Mount volume to a POD](#mount-volume-to-a-pod)
- [Resize volume](#resize-volume)
- [Unmount volume](#unmount-volume)
- [Delete volume](#delete-volume)
- [Create volume](#create-volume)
- [Mount volume to a POD](#mount-volume-to-a-pod)
- [Resize volume](#resize-volume)
- [Unmount volume](#unmount-volume)
- [Delete volume](#delete-volume)
- [References](#additional-references)
### Prerequisite
@ -140,4 +140,3 @@ To know more about in-tree to CSI migration:
- [design doc](./design/proposals/intree-migrate.md)
- [Kubernetes 1.17 Feature: Kubernetes In-Tree to CSI Volume Migration Moves to Beta](https://Kubernetes.io/blog/2019/12/09/Kubernetes-1-17-feature-csi-migration-beta/)

2
docs/metrics.md
View File

@ -1,7 +1,7 @@
# Metrics
- [Metrics](#metrics)
- [Liveness](#liveness)
- [Liveness](#liveness)
## Liveness

28
docs/rbd-nbd.md
View File

@ -1,12 +1,12 @@
# RBD NBD Mounter
- [RBD NBD Mounter](#rbd-nbd-mounter)
- [Overview](#overview)
- [Configuration](#configuration)
- [Configuring logging path](#configuring-logging-path)
- [Status](#status)
- [Support Matrix](#support-matrix)
- [CSI spec and Kubernetes version compatibility](#csi-spec-and-kubernetes-version-compatibility)
- [Overview](#overview)
- [Configuration](#configuration)
- [Configuring logging path](#configuring-logging-path)
- [Status](#status)
- [Support Matrix](#support-matrix)
- [CSI spec and Kubernetes version compatibility](#csi-spec-and-kubernetes-version-compatibility)
## Overview
@ -42,29 +42,29 @@ under the `cephLogDir` path on NodeStage(map) and removed the same on
the respective NodeUnstage(unmap).
- There are different strategies to maintain the logs
- `remove`: delete log file on unmap/detach (default behaviour)
- `compress`: compress the log file to gzip on unmap/detach, in case there
- `remove`: delete log file on unmap/detach (default behaviour)
- `compress`: compress the log file to gzip on unmap/detach, in case there
exists a `.gz` file from previous map/unmap of the same volume, then
override the previous log with new log.
- `preserve`: preserve the log file in text format
- `preserve`: preserve the log file in text format
You can tweak the log strategies through `cephLogStrategy` option from the
storageclass yaml
- In case if you need a customized log path, you should do below:
- Edit the DaemonSet templates to change the ceph log directory host-path
- If you are using helm charts, then you can use key `cephLogDirHostPath`
- Edit the DaemonSet templates to change the ceph log directory host-path
- If you are using helm charts, then you can use key `cephLogDirHostPath`
```
helm install --set cephLogDirHostPath=/var/log/ceph-csi/my-dir
```
- For standard templates edit [csi-rbdplugin.yaml](../deploy/rbd/kubernetes/csi-rbdplugin.yaml)
- For standard templates edit [csi-rbdplugin.yaml](../deploy/rbd/kubernetes/csi-rbdplugin.yaml)
to update `hostPath` for `ceph-logdir`.
to update `pathPrefix` spec entries.
- Update the StorageClass with the customized log directory path
- Now update rbd StorageClass for `cephLogDir`, for example
- Update the StorageClass with the customized log directory path
- Now update rbd StorageClass for `cephLogDir`, for example
```
cephLogDir: "/var/log/prod-A-logs"

8
docs/releases.md
View File

@ -1,10 +1,10 @@
# Ceph CSI driver Release Process
- [Ceph CSI driver Release Process](#ceph-csi-driver-release-process)
- [Introduction](#introduction)
- [Versioning](#versioning)
- [Tagging repositories](#tagging-repositories)
- [Release process [TBD]](#release-process-tbd)
- [Introduction](#introduction)
- [Versioning](#versioning)
- [Tagging repositories](#tagging-repositories)
- [Release process [TBD]](#release-process-tbd)
## Introduction

20
docs/snap-clone.md
View File

@ -2,15 +2,15 @@
- [Prerequisite](#prerequisite)
- [Create CephFS Snapshot and Clone Volume](#create-cephfs-snapshot-and-clone-volume)
- [Create CephFS SnapshotClass](#create-cephfs-snapshotclass)
- [Create CephFS Snapshot](#create-cephfs-snapshot)
- [Restore CephFS Snapshot to a new PVC](#restore-cephfs-snapshot)
- [Clone CephFS PVC](#clone-cephfs-pvc)
- [Create CephFS SnapshotClass](#create-cephfs-snapshotclass)
- [Create CephFS Snapshot](#create-cephfs-snapshot)
- [Restore CephFS Snapshot to a new PVC](#restore-cephfs-snapshot)
- [Clone CephFS PVC](#clone-cephfs-pvc)
- [Create RBD Snapshot and Clone Volume](#create-rbd-snapshot-and-clone-volume)
- [Create RBD SnapshotClass](#create-rbd-snapshotclass)
- [Create RBD Snapshot](#create-rbd-snapshot)
- [Restore RBD Snapshot to a new PVC](#restore-rbd-snapshot)
- [Clone RBD PVC](#clone-rbd-pvc)
- [Create RBD SnapshotClass](#create-rbd-snapshotclass)
- [Create RBD Snapshot](#create-rbd-snapshot)
- [Restore RBD Snapshot to a new PVC](#restore-rbd-snapshot)
- [Clone RBD PVC](#clone-rbd-pvc)
## Prerequisite
@ -23,7 +23,7 @@
be a `volumesnapshotclass` object present in the cluster
for snapshot request to be satisfied.
- To install snapshot controller and CRD
- To install snapshot controller and CRD
```console
./scripts/install-snapshot.sh install
@ -36,7 +36,7 @@
SNAPSHOT_VERSION="v5.0.1" ./scripts/install-snapshot.sh install
```
- In the future, you can choose to cleanup by running
- In the future, you can choose to cleanup by running
```console
./scripts/install-snapshot.sh cleanup

24
docs/static-pvc.md
View File

@ -1,18 +1,18 @@
# Static PVC with ceph-csi
- [Static PVC with ceph-csi](#static-pvc-with-ceph-csi)
- [RBD static PVC](#rbd-static-pvc)
- [Create RBD image](#create-rbd-image)
- [Create RBD static PV](#create-rbd-static-pv)
- [RBD Volume Attributes in PV](#rbd-volume-attributes-in-pv)
- [Create RBD static PVC](#create-rbd-static-pvc)
- [Resize RBD image](#resize-rbd-image)
- [CephFS static PVC](#cephfs-static-pvc)
- [Create CephFS subvolume](#create-cephfs-subvolume)
- [Create CephFS static PV](#create-cephfs-static-pv)
- [Node stage secret ref in CephFS PV](#node-stage-secret-ref-in-cephfs-pv)
- [CephFS volume attributes in PV](#cephfs-volume-attributes-in-pv)
- [Create CephFS static PVC](#create-cephfs-static-pvc)
- [RBD static PVC](#rbd-static-pvc)
- [Create RBD image](#create-rbd-image)
- [Create RBD static PV](#create-rbd-static-pv)
- [RBD Volume Attributes in PV](#rbd-volume-attributes-in-pv)
- [Create RBD static PVC](#create-rbd-static-pvc)
- [Resize RBD image](#resize-rbd-image)
- [CephFS static PVC](#cephfs-static-pvc)
- [Create CephFS subvolume](#create-cephfs-subvolume)
- [Create CephFS static PV](#create-cephfs-static-pv)
- [Node stage secret ref in CephFS PV](#node-stage-secret-ref-in-cephfs-pv)
- [CephFS volume attributes in PV](#cephfs-volume-attributes-in-pv)
- [Create CephFS static PVC](#create-cephfs-static-pvc)
This document outlines how to create static PV and static PVC from
existing rbd image/cephFS volume.

12
e2e/README.md
View File

@ -1,12 +1,12 @@
# End-to-End Testing
- [End-to-End Testing](#end-to-end-testing)
- [Introduction](#introduction)
- [Install Kubernetes](#install-kubernetes)
- [Deploy Rook](#deploy-rook)
- [Test parameters](#test-parameters)
- [E2E for snapshot](#e2e-for-snapshot)
- [Running E2E](#running-e2e)
- [Introduction](#introduction)
- [Install Kubernetes](#install-kubernetes)
- [Deploy Rook](#deploy-rook)
- [Test parameters](#test-parameters)
- [E2E for snapshot](#e2e-for-snapshot)
- [Running E2E](#running-e2e)
## Introduction

313
e2e/cephfs.go
View File

@ -114,7 +114,24 @@ func validateSubvolumeCount(f *framework.Framework, count int, fileSystemName, s
e2elog.Failf("failed to list CephFS subvolumes: %v", err)
}
if len(subVol) != count {
e2elog.Failf("subvolumes [%v]. subvolume count %d not matching expected count %v", subVol, len(subVol), count)
e2elog.Failf("subvolumes [%v]. subvolume count %d not matching expected count %d", subVol, len(subVol), count)
}
}
func validateCephFSSnapshotCount(
f *framework.Framework,
count int,
subvolumegroup string,
pv *v1.PersistentVolume,
) {
subVolumeName := pv.Spec.CSI.VolumeAttributes["subvolumeName"]
fsName := pv.Spec.CSI.VolumeAttributes["fsName"]
snaps, err := listCephFSSnapshots(f, fsName, subVolumeName, subvolumegroup)
if err != nil {
e2elog.Failf("failed to list subvolume snapshots: %v", err)
}
if len(snaps) != count {
e2elog.Failf("snapshots [%v]. snapshots count %d not matching expected count %d", snaps, len(snaps), count)
}
}
@ -186,6 +203,7 @@ var _ = Describe(cephfsType, func() {
if err != nil {
e2elog.Failf("failed to create node secret: %v", err)
}
deployVault(f.ClientSet, deployTimeout)
// wait for cluster name update in deployment
containers := []string{cephFSContainerName}
@ -231,6 +249,8 @@ var _ = Describe(cephfsType, func() {
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
deleteVault()
if deployCephFS {
deleteCephfsPlugin()
if cephCSINamespace != defaultNs {
@ -397,6 +417,67 @@ var _ = Describe(cephfsType, func() {
}
})
if testCephFSFscrypt {
kmsToTest := map[string]kmsConfig{
"secrets-metadata-test": secretsMetadataKMS,
"vault-test": vaultKMS,
"vault-tokens-test": vaultTokensKMS,
"vault-tenant-sa-test": vaultTenantSAKMS,
}
for kmsID, kmsConf := range kmsToTest {
kmsID := kmsID
kmsConf := kmsConf
By("create a storageclass with pool and an encrypted PVC then bind it to an app with "+kmsID, func() {
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": kmsID,
}
err := createCephfsStorageClass(f.ClientSet, f, true, scOpts)
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
if kmsID == "vault-tokens-test" {
var token v1.Secret
tenant := f.UniqueName
token, err = getSecret(vaultExamplePath + "tenant-token.yaml")
if err != nil {
e2elog.Failf("failed to load tenant token from secret: %v", err)
}
_, err = c.CoreV1().Secrets(tenant).Create(context.TODO(), &token, metav1.CreateOptions{})
if err != nil {
e2elog.Failf("failed to create Secret with tenant token: %v", err)
}
defer func() {
err = c.CoreV1().Secrets(tenant).Delete(context.TODO(), token.Name, metav1.DeleteOptions{})
if err != nil {
e2elog.Failf("failed to delete Secret with tenant token: %v", err)
}
}()
}
if kmsID == "vault-tenant-sa-test" {
err = createTenantServiceAccount(f.ClientSet, f.UniqueName)
if err != nil {
e2elog.Failf("failed to create ServiceAccount: %v", err)
}
defer deleteTenantServiceAccount(f.UniqueName)
}
err = validateFscryptAndAppBinding(pvcPath, appPath, kmsConf, f)
if err != nil {
e2elog.Failf("failed to validate CephFS pvc and application binding: %v", err)
}
err = deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete CephFS storageclass: %v", err)
}
})
}
}
By("create a PVC and check PVC/PV metadata on CephFS subvolume", func() {
err := createCephfsStorageClass(f.ClientSet, f, true, nil)
if err != nil {
@ -936,13 +1017,11 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
subVolumeName := pv.Spec.CSI.VolumeAttributes["subvolumeName"]
validateCephFSSnapshotCount(f, 1, subvolumegroup, pv)
snaps, err := listCephFSSnapshots(f, fileSystemName, subVolumeName, subvolumegroup)
if err != nil {
e2elog.Failf("failed to list subvolume snapshots: %v", err)
}
if len(snaps) == 0 {
e2elog.Failf("cephFS snapshots list is empty %s/%s", fileSystemName, subVolumeName)
}
content, err := getVolumeSnapshotContent(snap.Namespace, snap.Name)
if err != nil {
e2elog.Failf("failed to get snapshotcontent for %s in namespace %s: %v",
@ -1016,6 +1095,7 @@ var _ = Describe(cephfsType, func() {
}
validateSubvolumeCount(f, 0, fileSystemName, subvolumegroup)
validateOmapCount(f, 0, cephfsType, metadataPool, volumesType)
err = deleteResource(cephFSExamplePath + "snapshotclass.yaml")
if err != nil {
e2elog.Failf("failed to delete CephFS snapshotclass: %v", err)
@ -1092,6 +1172,11 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to create PVC: %v", err)
}
_, pv, err := getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
snap := getSnapshot(snapshotPath)
snap.Namespace = f.UniqueName
snap.Spec.Source.PersistentVolumeClaimName = &pvc.Name
@ -1101,7 +1186,7 @@ var _ = Describe(cephfsType, func() {
if err != nil {
e2elog.Failf("failed to create snapshot (%s): %v", snap.Name, err)
}
validateCephFSSnapshotCount(f, 1, subvolumegroup, pv)
err = deleteBackingCephFSSubvolumeSnapshot(f, pvc, &snap)
if err != nil {
e2elog.Failf("failed to delete backing snapshot for snapname:=%s", err)
@ -1151,6 +1236,11 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to create PVC: %v", err)
}
_, pv, err := getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
snap := getSnapshot(snapshotPath)
snap.Namespace = f.UniqueName
snap.Spec.Source.PersistentVolumeClaimName = &pvc.Name
@ -1161,6 +1251,7 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to create snapshot (%s): %v", snap.Name, err)
}
validateCephFSSnapshotCount(f, 1, subvolumegroup, pv)
// Delete the parent pvc before restoring
// another one from snapshot.
err = deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
@ -1230,6 +1321,11 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to create PVC: %v", err)
}
_, pv, err := getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
app, err := loadApp(appPath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
@ -1272,6 +1368,7 @@ var _ = Describe(cephfsType, func() {
if failed != 0 {
e2elog.Failf("creating snapshots failed, %d errors were logged", failed)
}
validateCephFSSnapshotCount(f, totalCount, subvolumegroup, pv)
pvcClone, err := loadPVC(pvcClonePath)
if err != nil {
@ -1400,6 +1497,8 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("deleting snapshots failed, %d errors were logged", failed)
}
validateCephFSSnapshotCount(f, 0, subvolumegroup, pv)
wg.Add(totalCount)
// delete clone and app
for i := 0; i < totalCount; i++ {
@ -1442,6 +1541,164 @@ var _ = Describe(cephfsType, func() {
}
})
if testCephFSFscrypt {
for _, kmsID := range []string{"secrets-metadata-test", "vault-test"} {
kmsID := kmsID
By("checking encrypted snapshot-backed volume with KMS "+kmsID, func() {
err := deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": kmsID,
}
err = createCephfsStorageClass(f.ClientSet, f, true, scOpts)
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
err = createCephFSSnapshotClass(f)
if err != nil {
e2elog.Failf("failed to delete CephFS storageclass: %v", err)
}
pvc, err := loadPVC(pvcPath)
if err != nil {
e2elog.Failf("failed to load PVC: %v", err)
}
pvc.Namespace = f.UniqueName
err = createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
if err != nil {
e2elog.Failf("failed to create PVC: %v", err)
}
app, err := loadApp(appPath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
}
app.Namespace = f.UniqueName
app.Spec.Volumes[0].PersistentVolumeClaim.ClaimName = pvc.Name
appLabels := map[string]string{
appKey: appLabel,
}
app.Labels = appLabels
optApp := metav1.ListOptions{
LabelSelector: fmt.Sprintf("%s=%s", appKey, appLabels[appKey]),
}
err = writeDataInPod(app, &optApp, f)
if err != nil {
e2elog.Failf("failed to write data: %v", err)
}
appTestFilePath := app.Spec.Containers[0].VolumeMounts[0].MountPath + "/test"
snap := getSnapshot(snapshotPath)
snap.Namespace = f.UniqueName
snap.Spec.Source.PersistentVolumeClaimName = &pvc.Name
err = createSnapshot(&snap, deployTimeout)
if err != nil {
e2elog.Failf("failed to create snapshot: %v", err)
}
err = appendToFileInContainer(f, app, appTestFilePath, "hello", &optApp)
if err != nil {
e2elog.Failf("failed to append data: %v", err)
}
parentFileSum, err := calculateSHA512sum(f, app, appTestFilePath, &optApp)
if err != nil {
e2elog.Failf("failed to get SHA512 sum for file: %v", err)
}
err = deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete CephFS storageclass: %v", err)
}
err = createCephfsStorageClass(f.ClientSet, f, false, map[string]string{
"backingSnapshot": "true",
"encrypted": "true",
"encryptionKMSID": kmsID,
})
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
pvcClone, err := loadPVC(pvcClonePath)
if err != nil {
e2elog.Failf("failed to load PVC: %v", err)
}
// Snapshot-backed volumes support read-only access modes only.
pvcClone.Spec.AccessModes = []v1.PersistentVolumeAccessMode{v1.ReadOnlyMany}
appClone, err := loadApp(appClonePath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
}
appCloneLabels := map[string]string{
appKey: appCloneLabel,
}
appClone.Labels = appCloneLabels
optAppClone := metav1.ListOptions{
LabelSelector: fmt.Sprintf("%s=%s", appKey, appCloneLabels[appKey]),
}
pvcClone.Namespace = f.UniqueName
appClone.Namespace = f.UniqueName
err = createPVCAndApp("", f, pvcClone, appClone, deployTimeout)
if err != nil {
e2elog.Failf("failed to create PVC and app: %v", err)
}
// Snapshot-backed volume shouldn't contribute to total subvolume count.
validateSubvolumeCount(f, 1, fileSystemName, subvolumegroup)
// Deleting snapshot before deleting pvcClone should succeed. It will be
// deleted once all volumes that are backed by this snapshot are gone.
err = deleteSnapshot(&snap, deployTimeout)
if err != nil {
e2elog.Failf("failed to delete snapshot: %v", err)
}
appCloneTestFilePath := appClone.Spec.Containers[0].VolumeMounts[0].MountPath + "/test"
snapFileSum, err := calculateSHA512sum(f, appClone, appCloneTestFilePath, &optAppClone)
if err != nil {
e2elog.Failf("failed to get SHA512 sum for file: %v", err)
}
if parentFileSum == snapFileSum {
e2elog.Failf("SHA512 sums of files in parent subvol and snapshot should differ")
}
err = deletePVCAndApp("", f, pvcClone, appClone)
if err != nil {
e2elog.Failf("failed to delete PVC or application: %v", err)
}
err = deletePVCAndApp("", f, pvc, app)
if err != nil {
e2elog.Failf("failed to delete PVC or application: %v", err)
}
err = deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete CephFS storageclass: %v", err)
}
err = deleteResource(cephFSExamplePath + "snapshotclass.yaml")
if err != nil {
e2elog.Failf("failed to delete CephFS snapshotclass: %v", err)
}
err = createCephfsStorageClass(f.ClientSet, f, false, nil)
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
})
}
}
By("checking snapshot-backed volume", func() {
err := createCephFSSnapshotClass(f)
if err != nil {
@ -1458,6 +1715,11 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to create PVC: %v", err)
}
_, pv, err := getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
app, err := loadApp(appPath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
@ -1485,6 +1747,7 @@ var _ = Describe(cephfsType, func() {
if err != nil {
e2elog.Failf("failed to create snapshot: %v", err)
}
validateCephFSSnapshotCount(f, 1, subvolumegroup, pv)
err = appendToFileInContainer(f, app, appTestFilePath, "hello", &optApp)
if err != nil {
@ -1557,6 +1820,8 @@ var _ = Describe(cephfsType, func() {
e2elog.Failf("failed to delete PVC or application: %v", err)
}
validateCephFSSnapshotCount(f, 0, subvolumegroup, pv)
err = deletePVCAndApp("", f, pvc, app)
if err != nil {
e2elog.Failf("failed to delete PVC or application: %v", err)
@ -1573,6 +1838,44 @@ var _ = Describe(cephfsType, func() {
}
})
if testCephFSFscrypt {
kmsToTest := map[string]kmsConfig{
"secrets-metadata-test": secretsMetadataKMS,
"vault-test": vaultKMS,
}
for kmsID, kmsConf := range kmsToTest {
kmsID := kmsID
kmsConf := kmsConf
By("create an encrypted PVC-PVC clone and bind it to an app with "+kmsID, func() {
err := deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
scOpts := map[string]string{
"encrypted": "true",
"encryptionKMSID": kmsID,
}
err = createCephfsStorageClass(f.ClientSet, f, true, scOpts)
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
validateFscryptClone(pvcPath, appPath, pvcSmartClonePath, appSmartClonePath, kmsConf, f)
err = deleteResource(cephFSExamplePath + "storageclass.yaml")
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
err = createCephfsStorageClass(f.ClientSet, f, false, nil)
if err != nil {
e2elog.Failf("failed to create CephFS storageclass: %v", err)
}
})
}
}
By("create a PVC-PVC clone and bind it to an app", func() {
var wg sync.WaitGroup
totalCount := 3

195
e2e/cephfs_helper.go
View File

@ -373,3 +373,198 @@ func deleteBackingCephFSSubvolumeSnapshot(
return nil
}
func validateEncryptedCephfs(f *framework.Framework, pvName, appName string) error {
pod, err := f.ClientSet.CoreV1().Pods(f.UniqueName).Get(context.TODO(), appName, metav1.GetOptions{})
if err != nil {
return fmt.Errorf("failed to get pod %q in namespace %q: %w", appName, f.UniqueName, err)
}
volumeMountPath := fmt.Sprintf(
"/var/lib/kubelet/pods/%s/volumes/kubernetes.io~csi/%s/mount",
pod.UID,
pvName)
selector, err := getDaemonSetLabelSelector(f, cephCSINamespace, cephFSDeamonSetName)
if err != nil {
return fmt.Errorf("failed to get labels: %w", err)
}
opt := metav1.ListOptions{
LabelSelector: selector,
}
cmd := fmt.Sprintf("getfattr --name=ceph.fscrypt.auth --only-values %s", volumeMountPath)
_, _, err = execCommandInContainer(f, cmd, cephCSINamespace, "csi-cephfsplugin", &opt)
if err != nil {
cmd = fmt.Sprintf("getfattr --recursive --dump %s", volumeMountPath)
stdOut, stdErr, listErr := execCommandInContainer(f, cmd, cephCSINamespace, "csi-cephfsplugin", &opt)
if listErr == nil {
return fmt.Errorf("error checking for cephfs fscrypt xattr on %q. listing: %s %s",
volumeMountPath, stdOut, stdErr)
}
return fmt.Errorf("error checking file xattr: %w", err)
}
return nil
}
func getInfoFromPVC(pvcNamespace, pvcName string, f *framework.Framework) (string, string, error) {
c := f.ClientSet.CoreV1()
pvc, err := c.PersistentVolumeClaims(pvcNamespace).Get(context.TODO(), pvcName, metav1.GetOptions{})
if err != nil {
return "", "", fmt.Errorf("failed to get pvc: %w", err)
}
pv, err := c.PersistentVolumes().Get(context.TODO(), pvc.Spec.VolumeName, metav1.GetOptions{})
if err != nil {
return "", "", fmt.Errorf("failed to get pv: %w", err)
}
return pv.Name, pv.Spec.CSI.VolumeHandle, nil
}
func validateFscryptAndAppBinding(pvcPath, appPath string, kms kmsConfig, f *framework.Framework) error {
pvc, app, err := createPVCAndAppBinding(pvcPath, appPath, f, deployTimeout)
if err != nil {
return err
}
pvName, csiVolumeHandle, err := getInfoFromPVC(pvc.Namespace, pvc.Name, f)
if err != nil {
return err
}
err = validateEncryptedCephfs(f, pvName, app.Name)
if err != nil {
return err
}
if kms != noKMS && kms.canGetPassphrase() {
// check new passphrase created
_, stdErr := kms.getPassphrase(f, csiVolumeHandle)
if stdErr != "" {
return fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
}
}
err = deletePVCAndApp("", f, pvc, app)
if err != nil {
return err
}
if kms != noKMS && kms.canGetPassphrase() {
// check new passphrase created
stdOut, _ := kms.getPassphrase(f, csiVolumeHandle)
if stdOut != "" {
return fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
}
}
if kms != noKMS && kms.canVerifyKeyDestroyed() {
destroyed, msg := kms.verifyKeyDestroyed(f, csiVolumeHandle)
if !destroyed {
return fmt.Errorf("passphrased was not destroyed: %s", msg)
} else if msg != "" {
e2elog.Logf("passphrase destroyed, but message returned: %s", msg)
}
}
return nil
}
//nolint:gocyclo,cyclop // test function
func validateFscryptClone(
pvcPath, appPath, pvcSmartClonePath, appSmartClonePath string,
kms kmsConfig,
f *framework.Framework,
) {
pvc, err := loadPVC(pvcPath)
if err != nil {
e2elog.Failf("failed to load PVC: %v", err)
}
pvc.Namespace = f.UniqueName
err = createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
if err != nil {
e2elog.Failf("failed to create PVC: %v", err)
}
app, err := loadApp(appPath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
}
label := make(map[string]string)
label[appKey] = appLabel
app.Namespace = f.UniqueName
app.Spec.Volumes[0].PersistentVolumeClaim.ClaimName = pvc.Name
app.Labels = label
opt := metav1.ListOptions{
LabelSelector: fmt.Sprintf("%s=%s", appKey, label[appKey]),
}
wErr := writeDataInPod(app, &opt, f)
if wErr != nil {
e2elog.Failf("failed to write data from application %v", wErr)
}
pvcClone, err := loadPVC(pvcSmartClonePath)
if err != nil {
e2elog.Failf("failed to load PVC: %v", err)
}
pvcClone.Spec.DataSource.Name = pvc.Name
pvcClone.Namespace = f.UniqueName
appClone, err := loadApp(appSmartClonePath)
if err != nil {
e2elog.Failf("failed to load application: %v", err)
}
appClone.Namespace = f.UniqueName
appClone.Labels = map[string]string{
appKey: f.UniqueName,
}
err = createPVCAndApp(f.UniqueName, f, pvcClone, appClone, deployTimeout)
if err != nil {
e2elog.Failf("failed to create PVC or application (%s): %v", f.UniqueName, err)
}
_, csiVolumeHandle, err := getInfoFromPVC(pvcClone.Namespace, pvcClone.Name, f)
if err != nil {
e2elog.Failf("failed to get pvc info: %s", err)
}
if kms != noKMS && kms.canGetPassphrase() {
// check new passphrase created
stdOut, stdErr := kms.getPassphrase(f, csiVolumeHandle)
if stdOut != "" {
e2elog.Logf("successfully read the passphrase from vault: %s", stdOut)
}
if stdErr != "" {
e2elog.Failf("failed to read passphrase from vault: %s", stdErr)
}
}
// delete parent pvc
err = deletePVCAndApp("", f, pvc, app)
if err != nil {
e2elog.Failf("failed to delete PVC or application: %v", err)
}
err = deletePVCAndApp(f.UniqueName, f, pvcClone, appClone)
if err != nil {
e2elog.Failf("failed to delete PVC or application (%s): %v", f.UniqueName, err)
}
if kms != noKMS && kms.canGetPassphrase() {
// check passphrase deleted
stdOut, _ := kms.getPassphrase(f, csiVolumeHandle)
if stdOut != "" {
e2elog.Failf("passphrase found in vault while should be deleted: %s", stdOut)
}
}
if kms != noKMS && kms.canVerifyKeyDestroyed() {
destroyed, msg := kms.verifyKeyDestroyed(f, csiVolumeHandle)
if !destroyed {
e2elog.Failf("passphrased was not destroyed: %s", msg)
} else if msg != "" {
e2elog.Logf("passphrase destroyed, but message returned: %s", msg)
}
}
}

1
e2e/e2e_test.go
View File

@ -38,6 +38,7 @@ func init() {
flag.BoolVar(&deployRBD, "deploy-rbd", true, "deploy rbd csi driver")
flag.BoolVar(&deployNFS, "deploy-nfs", false, "deploy nfs csi driver")
flag.BoolVar(&testCephFS, "test-cephfs", true, "test cephFS csi driver")
flag.BoolVar(&testCephFSFscrypt, "test-cephfs-fscrypt", false, "test CephFS csi driver fscrypt support")
flag.BoolVar(&testRBD, "test-rbd", true, "test rbd csi driver")
flag.BoolVar(&testRBDFSCrypt, "test-rbd-fscrypt", false, "test rbd csi driver fscrypt support")
flag.BoolVar(&testNBD, "test-nbd", false, "test rbd csi driver with rbd-nbd mounter")

8
e2e/nfs.go
View File

@ -616,6 +616,11 @@ var _ = Describe("nfs", func() {
e2elog.Failf("failed to calculate checksum: %v", err)
}
_, pv, err := getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
snap := getSnapshot(snapshotPath)
snap.Namespace = f.UniqueName
snap.Spec.Source.PersistentVolumeClaimName = &pvc.Name
@ -640,6 +645,7 @@ var _ = Describe("nfs", func() {
if failed != 0 {
e2elog.Failf("creating snapshots failed, %d errors were logged", failed)
}
validateCephFSSnapshotCount(f, totalCount, defaultSubvolumegroup, pv)
pvcClone, err := loadPVC(pvcClonePath)
if err != nil {
@ -812,6 +818,8 @@ var _ = Describe("nfs", func() {
e2elog.Failf("deleting snapshots failed, %d errors were logged", failed)
}
validateCephFSSnapshotCount(f, 0, defaultSubvolumegroup, pv)
wg.Add(totalCount)
// delete clone and app
for i := 0; i < totalCount; i++ {

17
e2e/upgrade-cephfs.go
View File

@ -74,6 +74,7 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to getwd: %v", err)
}
deployVault(f.ClientSet, deployTimeout)
err = upgradeAndDeployCSI(upgradeVersion, "cephfs")
if err != nil {
e2elog.Failf("failed to upgrade csi: %v", err)
@ -150,6 +151,7 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to delete storageclass: %v", err)
}
deleteVault()
if deployCephFS {
deleteCephfsPlugin()
if cephCSINamespace != defaultNs {
@ -208,6 +210,12 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to create pvc and application: %v", err)
}
var pv *v1.PersistentVolume
_, pv, err = getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
opt := metav1.ListOptions{
LabelSelector: fmt.Sprintf("%s=%s", appKey, label[appKey]),
}
@ -246,6 +254,8 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to create snapshot %v", err)
}
validateCephFSSnapshotCount(f, 1, defaultSubvolumegroup, pv)
err = deletePod(app.Name, app.Namespace, f.ClientSet, deployTimeout)
if err != nil {
e2elog.Failf("failed to delete application: %v", err)
@ -300,6 +310,12 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to create pvc and application: %v", err)
}
var pv *v1.PersistentVolume
_, pv, err = getPVCAndPV(f.ClientSet, pvc.Name, pvc.Namespace)
if err != nil {
e2elog.Failf("failed to get PV object for %s: %v", pvc.Name, err)
}
opt := metav1.ListOptions{
LabelSelector: fmt.Sprintf("%s=%s", appKey, label[appKey]),
}
@ -333,6 +349,7 @@ var _ = Describe("CephFS Upgrade Testing", func() {
if err != nil {
e2elog.Failf("failed to delete snapshot %v", err)
}
validateCephFSSnapshotCount(f, 0, defaultSubvolumegroup, pv)
})
By("Create clone from existing PVC", func() {

39
e2e/utils.go
View File

@ -79,25 +79,26 @@ const (
var (
// cli flags.
deployTimeout int
deployCephFS bool
deployRBD bool
deployNFS bool
testCephFS bool
testRBD bool
testRBDFSCrypt bool
testNBD bool
testNFS bool
helmTest bool
upgradeTesting bool
upgradeVersion string
cephCSINamespace string
rookNamespace string
radosNamespace string
poll = 2 * time.Second
isOpenShift bool
clusterID string
nfsDriverName string
deployTimeout int
deployCephFS bool
deployRBD bool
deployNFS bool
testCephFS bool
testCephFSFscrypt bool
testRBD bool
testRBDFSCrypt bool
testNBD bool
testNFS bool
helmTest bool
upgradeTesting bool
upgradeVersion string
cephCSINamespace string
rookNamespace string
radosNamespace string
poll = 2 * time.Second
isOpenShift bool
clusterID string
nfsDriverName string
)
type cephfsFilesystem struct {

10
examples/README.md
View File

@ -30,12 +30,12 @@ the required monitor details for the same, as in the provided [sample config
Gather the following information from the Ceph cluster(s) of choice,
* Ceph monitor list
* Typically in the output of `ceph mon dump`
* Used to prepare a list of `monitors` in the CSI configuration file
* Typically in the output of `ceph mon dump`
* Used to prepare a list of `monitors` in the CSI configuration file
* Ceph Cluster fsid
* If choosing to use the Ceph cluster fsid as the unique value of clusterID,
* Output of `ceph fsid`
* Alternatively, choose a `<cluster-id>` value that is distinct per Ceph
* If choosing to use the Ceph cluster fsid as the unique value of clusterID,
* Output of `ceph fsid`
* Alternatively, choose a `<cluster-id>` value that is distinct per Ceph
cluster in use by this kubernetes cluster
Update the [sample configmap](./csi-config-map-sample.yaml) with values

2
examples/cephfs/plugin-deploy.sh
View File

@ -8,7 +8,7 @@ fi
cd "$deployment_base" || exit 1
objects=(csi-provisioner-rbac csi-nodeplugin-rbac csi-config-map csi-cephfsplugin-provisioner csi-cephfsplugin)
objects=(csi-provisioner-rbac csi-nodeplugin-rbac csi-config-map csi-cephfsplugin-provisioner csi-cephfsplugin csidriver)
for obj in "${objects[@]}"; do
kubectl create -f "./$obj.yaml"

2
examples/cephfs/plugin-teardown.sh
View File

@ -8,7 +8,7 @@ fi
cd "$deployment_base" || exit 1
objects=(csi-cephfsplugin-provisioner csi-cephfsplugin csi-config-map csi-provisioner-rbac csi-nodeplugin-rbac)
objects=(csi-cephfsplugin-provisioner csi-cephfsplugin csi-config-map csi-provisioner-rbac csi-nodeplugin-rbac csidriver)
for obj in "${objects[@]}"; do
kubectl delete -f "./$obj.yaml"

3
examples/cephfs/secret.yaml
View File

@ -12,3 +12,6 @@ stringData:
# Required for dynamically provisioned volumes
adminID: <plaintext ID>
adminKey: <Ceph auth key corresponding to ID above>
# Encryption passphrase
encryptionPassphrase: test_passphrase

8
examples/cephfs/snapshot.yaml
View File

@ -1,12 +1,4 @@
---
# Snapshot API version compatibility matrix:
# v1beta1:
# v1.17 =< k8s < v1.20
# 2.x =< snapshot-controller < v4.x
# v1:
# k8s >= v1.20
# snapshot-controller >= v4.x
# We recommend to use {sidecar, controller, crds} of same version
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:

10
examples/cephfs/snapshotclass.yaml
View File

@ -1,19 +1,11 @@
---
# Snapshot API version compatibility matrix:
# v1beta1:
# v1.17 =< k8s < v1.20
# 2.x =< snapshot-controller < v4.x
# v1:
# k8s >= v1.20
# snapshot-controller >= v4.x
# We recommend to use {sidecar, controller, crds} of same version
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: csi-cephfsplugin-snapclass
driver: cephfs.csi.ceph.com
parameters:
# String representing a Ceph cluster to provision storage from.
# String representing a Ceph cluster to provision storage snapshot from.
# Should be unique across all Ceph clusters in use for provisioning,
# cannot be greater than 36 bytes in length, and should remain immutable for
# the lifetime of the StorageClass in use.

11
examples/cephfs/storageclass.yaml
View File

@ -52,6 +52,17 @@ parameters:
# (defaults to `false`)
# backingSnapshot: "true"
# (optional) Instruct the plugin it has to encrypt the volume
# By default it is disabled. Valid values are "true" or "false".
# A string is expected here, i.e. "true", not true.
# encrypted: "true"
# (optional) Use external key management system for encryption passphrases by
# specifying a unique ID matching KMS ConfigMap. The ID is only used for
# correlation to configmap entry.
# encryptionKMSID: <kms-config-id>
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:

2
examples/kms/vault/vault.yaml
View File

@ -169,7 +169,7 @@ spec:
- name: PLUGIN_ROLE
value: csi-kubernetes
- name: SERVICE_ACCOUNTS
value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner
value: rbd-csi-nodeplugin,rbd-csi-provisioner,csi-rbdplugin,csi-rbdplugin-provisioner,cephfs-csi-nodeplugin,cephfs-csi-provisioner,csi-cephfsplugin,csi-cephfsplugin-provisioner
- name: SERVICE_ACCOUNTS_NAMESPACE
value: default
- name: VAULT_ADDR

2
examples/nfs/snapshotclass.yaml
View File

@ -5,7 +5,7 @@ metadata:
name: csi-nfsplugin-snapclass
driver: nfs.csi.ceph.com
parameters:
# String representing a Ceph cluster to provision storage from.
# String representing a Ceph cluster to provision storage snapshot from.
# Should be unique across all Ceph clusters in use for provisioning,
# cannot be greater than 36 bytes in length, and should remain immutable for
# the lifetime of the StorageClass in use.

2
examples/rbd/plugin-deploy.sh
View File

@ -10,7 +10,7 @@ fi
pushd "${deployment_base}" >/dev/null || exit 1
objects=(csi-provisioner-rbac csi-nodeplugin-rbac csi-config-map csi-rbdplugin-provisioner csi-rbdplugin)
objects=(csi-provisioner-rbac csi-nodeplugin-rbac csi-config-map csi-rbdplugin-provisioner csi-rbdplugin csidriver)
for obj in "${objects[@]}"; do
kubectl create -f "./${obj}.yaml"

2
examples/rbd/plugin-teardown.sh
View File

@ -10,7 +10,7 @@ fi
pushd "${deployment_base}" >/dev/null || exit 1
objects=(csi-rbdplugin-provisioner csi-rbdplugin csi-config-map csi-provisioner-rbac csi-nodeplugin-rbac)
objects=(csi-rbdplugin-provisioner csi-rbdplugin csi-config-map csi-provisioner-rbac csi-nodeplugin-rbac csidriver)
for obj in "${objects[@]}"; do
kubectl delete -f "./${obj}.yaml"

8
examples/rbd/snapshot.yaml
View File

@ -1,12 +1,4 @@
---
# Snapshot API version compatibility matrix:
# v1beta1:
# v1.17 =< k8s < v1.20
# 2.x =< snapshot-controller < v4.x
# v1:
# k8s >= v1.20
# snapshot-controller >= v4.x
# We recommend to use {sidecar, controller, crds} of same version
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:

10
examples/rbd/snapshotclass.yaml
View File

@ -1,19 +1,11 @@
---
# Snapshot API version compatibility matrix:
# v1beta1:
# v1.17 =< k8s < v1.20
# 2.x =< snapshot-controller < v4.x
# v1:
# k8s >= v1.20
# snapshot-controller >= v4.x
# We recommend to use {sidecar, controller, crds} of same version
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: csi-rbdplugin-snapclass
driver: rbd.csi.ceph.com
parameters:
# String representing a Ceph cluster to provision storage from.
# String representing a Ceph cluster to provision storage snapshot from.
# Should be unique across all Ceph clusters in use for provisioning,
# cannot be greater than 36 bytes in length, and should remain immutable for
# the lifetime of the StorageClass in use.

116
go.mod
View File

@ -3,9 +3,9 @@ module github.com/ceph/ceph-csi
go 1.18
require (
github.com/IBM/keyprotect-go-client v0.9.0
github.com/aws/aws-sdk-go v1.44.132
github.com/aws/aws-sdk-go-v2/service/sts v1.17.1
github.com/IBM/keyprotect-go-client v0.9.1
github.com/aws/aws-sdk-go v1.44.146
github.com/aws/aws-sdk-go-v2/service/sts v1.17.6
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
github.com/ceph/go-ceph v0.18.0
@ -24,26 +24,26 @@ require (
github.com/libopenstorage/secrets v0.0.0-20210908194121-a1d19aa9713a
github.com/onsi/ginkgo/v2 v2.4.0
github.com/onsi/gomega v1.23.0
github.com/pkg/xattr v0.4.7
github.com/prometheus/client_golang v1.12.2
github.com/pkg/xattr v0.4.9
github.com/prometheus/client_golang v1.14.0
github.com/stretchr/testify v1.8.1
golang.org/x/crypto v0.1.0
golang.org/x/net v0.1.0
golang.org/x/sys v0.2.0
google.golang.org/grpc v1.50.1
golang.org/x/crypto v0.4.0
golang.org/x/net v0.4.0
golang.org/x/sys v0.3.0
google.golang.org/grpc v1.51.0
google.golang.org/protobuf v1.28.1
k8s.io/api v0.25.3
k8s.io/apimachinery v0.25.3
k8s.io/api v0.25.4
k8s.io/apimachinery v0.25.4
k8s.io/client-go v12.0.0+incompatible
k8s.io/cloud-provider v0.25.3
k8s.io/cloud-provider v0.25.4
k8s.io/klog/v2 v2.80.1
//
// when updating k8s.io/kubernetes, make sure to update the replace section too
//
k8s.io/kubernetes v1.25.3
k8s.io/mount-utils v0.25.3
k8s.io/kubernetes v1.25.4
k8s.io/mount-utils v0.25.4
k8s.io/pod-security-admission v0.0.0
k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
sigs.k8s.io/controller-runtime v0.11.0-beta.0.0.20211208212546-f236f0345ad2
)
@ -52,11 +52,11 @@ require (
github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/armon/go-metrics v0.3.9 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/aws/aws-sdk-go-v2 v1.17.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect
github.com/aws/smithy-go v1.13.4 // indirect
github.com/aws/aws-sdk-go-v2 v1.17.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 // indirect
github.com/aws/smithy-go v1.13.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.0.0 // indirect
@ -80,7 +80,7 @@ require (
github.com/golang/snappy v0.0.4 // indirect
github.com/google/gnostic v0.6.9 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/gofuzz v1.1.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@ -129,9 +129,9 @@ require (
github.com/pierrec/lz4 v2.5.2+incompatible // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/procfs v0.7.3 // indirect
github.com/prometheus/client_model v0.3.0 // indirect
github.com/prometheus/common v0.37.0 // indirect
github.com/prometheus/procfs v0.8.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/spf13/cobra v1.4.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
@ -148,21 +148,21 @@ require (
go.uber.org/atomic v1.10.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.23.0 // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
golang.org/x/term v0.1.0 // indirect
golang.org/x/text v0.4.0 // indirect
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
golang.org/x/oauth2 v0.2.0 // indirect
golang.org/x/term v0.3.0 // indirect
golang.org/x/text v0.5.0 // indirect
golang.org/x/time v0.2.0 // indirect
gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 // indirect
google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.25.3 // indirect
k8s.io/apiserver v0.25.3 // indirect
k8s.io/component-base v0.25.3 // indirect
k8s.io/component-helpers v0.25.3 // indirect
k8s.io/apiextensions-apiserver v0.25.4 // indirect
k8s.io/apiserver v0.25.4 // indirect
k8s.io/component-base v0.25.4 // indirect
k8s.io/component-helpers v0.25.4 // indirect
k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect
k8s.io/kubectl v0.0.0 // indirect
k8s.io/kubelet v0.0.0 // indirect
@ -180,31 +180,31 @@ replace (
//
// k8s.io/kubernetes depends on these k8s.io packages, but unversioned
//
k8s.io/api => k8s.io/api v0.25.3
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.3
k8s.io/apimachinery => k8s.io/apimachinery v0.25.3
k8s.io/apiserver => k8s.io/apiserver v0.25.3
k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.3
k8s.io/client-go => k8s.io/client-go v0.25.3
k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.3
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.3
k8s.io/code-generator => k8s.io/code-generator v0.25.3
k8s.io/component-base => k8s.io/component-base v0.25.3
k8s.io/component-helpers => k8s.io/component-helpers v0.25.3
k8s.io/controller-manager => k8s.io/controller-manager v0.25.3
k8s.io/cri-api => k8s.io/cri-api v0.25.3
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.3
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.3
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.3
k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.3
k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.3
k8s.io/kubectl => k8s.io/kubectl v0.25.3
k8s.io/kubelet => k8s.io/kubelet v0.25.3
k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.3
k8s.io/metrics => k8s.io/metrics v0.25.3
k8s.io/mount-utils => k8s.io/mount-utils v0.25.3
k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.25.3
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.3
k8s.io/api => k8s.io/api v0.25.4
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.4
k8s.io/apimachinery => k8s.io/apimachinery v0.25.4
k8s.io/apiserver => k8s.io/apiserver v0.25.4
k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.4
k8s.io/client-go => k8s.io/client-go v0.25.4
k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.4
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.4
k8s.io/code-generator => k8s.io/code-generator v0.25.4
k8s.io/component-base => k8s.io/component-base v0.25.4
k8s.io/component-helpers => k8s.io/component-helpers v0.25.4
k8s.io/controller-manager => k8s.io/controller-manager v0.25.4
k8s.io/cri-api => k8s.io/cri-api v0.25.4
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.4
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.4
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.4
k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.4
k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.4
k8s.io/kubectl => k8s.io/kubectl v0.25.4
k8s.io/kubelet => k8s.io/kubelet v0.25.4
k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.4
k8s.io/metrics => k8s.io/metrics v0.25.4
k8s.io/mount-utils => k8s.io/mount-utils v0.25.4
k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.25.4
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.4
// layeh.com seems to be misbehaving
layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917
)

144
go.sum
View File

@ -81,8 +81,8 @@ github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
github.com/DataDog/zstd v1.4.4/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
github.com/IBM/keyprotect-go-client v0.9.0 h1:UwbyEHcaGlmLNK7PW0qo9VlxneN+0/2zoGBubHzbtro=
github.com/IBM/keyprotect-go-client v0.9.0/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
github.com/IBM/keyprotect-go-client v0.9.1 h1:uoPmFX3voN/tH0o9+MdmGAI5/Bf1o25qv82QutQzvVU=
github.com/IBM/keyprotect-go-client v0.9.1/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
github.com/Jeffail/gabs v1.1.1 h1:V0uzR08Hj22EX8+8QMhyI9sX2hwRu+/RJhJUmnwda/E=
github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
@ -140,20 +140,20 @@ github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:l
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.44.132 h1:+IjL9VoR0OXScQ5gyme9xjcolwUkd3uaH144f4Ao+4s=
github.com/aws/aws-sdk-go v1.44.132/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk=
github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU=
github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 h1:KRAix/KHvjGODaHAMXnxRk9t0D+4IJVUuS/uwXxngXk=
github.com/aws/aws-sdk-go-v2/service/sts v1.17.1/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4=
github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk=
github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/aws/aws-sdk-go v1.44.146 h1:7YdGgPxDPRJu/yYffzZp/H7yHzQ6AqmuNFZPYraaN8I=
github.com/aws/aws-sdk-go v1.44.146/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go-v2 v1.17.2 h1:r0yRZInwiPBNpQ4aDy/Ssh3ROWsGtKDwar2JS8Lm+N8=
github.com/aws/aws-sdk-go-v2 v1.17.2/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26 h1:5WU31cY7m0tG+AiaXuXGoMzo2GBQ1IixtWa8Yywsgco=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.26/go.mod h1:2E0LdbJW6lbeU4uxjum99GZzI0ZjDpAb0CoSCM0oeEY=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20 h1:WW0qSzDWoiWU2FS5DbKpxGilFVlCEJPwx4YtjdfI0Jw=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.20/go.mod h1:/+6lSiby8TBFpTVXZgKiN/rCfkYXEGvhlM4zCgPpt7w=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20 h1:jlgyHbkZQAgAc7VIxJDmtouH8eNjOk2REVAQfVhdaiQ=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.20/go.mod h1:Xs52xaLBqDEKRcAfX/hgjmD3YQ7c/W+BEyfamlO/W2E=
github.com/aws/aws-sdk-go-v2/service/sts v1.17.6 h1:VQFOLQVL3BrKM/NLO/7FiS4vcp5bqK0mGMyk09xLoAY=
github.com/aws/aws-sdk-go-v2/service/sts v1.17.6/go.mod h1:Az3OXXYGyfNwQNsK/31L4R75qFYnO641RZGAoV3uH1c=
github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
@ -328,11 +328,13 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
github.com/go-ldap/ldap/v3 v3.1.3/go.mod h1:3rbOH3jRS2u6jg2rJnKAMLE/xQyCKIveG2Sa/Cohzb8=
github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
github.com/go-logr/logr v0.4.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU=
@ -453,8 +455,9 @@ github.com/google/go-metrics-stackdriver v0.2.0/go.mod h1:KLcPyp3dWJAFD+yHisGlJS
github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g=
github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
@ -897,8 +900,8 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
github.com/pkg/xattr v0.4.7 h1:XoA3KzmFvyPlH4RwX5eMcgtzcaGBaSvgt3IoFQfbrmQ=
github.com/pkg/xattr v0.4.7/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
github.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=
github.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/portworx/dcos-secrets v0.0.0-20180616013705-8e8ec3f66611/go.mod h1:4hklRW/4DQpLqkcXcjtNprbH2tz/sJaNtqinfPWl/LA=
@ -925,14 +928,15 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP
github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
github.com/prometheus/client_golang v1.11.1/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
github.com/prometheus/client_golang v1.12.2 h1:51L9cDoUHVrXx4zWYlcLQIZ+d+VXHgqnYKkIuq4g/34=
github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.2.0 h1:uq5h0d+GuxiXLJLNABMgp2qUWDPiLvgCzz2dUR+/W/M=
github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
@ -942,8 +946,9 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
github.com/prometheus/common v0.9.1/go.mod h1:yhUN8i9wzaXS3w1O07YhxHEBxD+W35wd8bs7vj7HSQ4=
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4=
github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@ -953,8 +958,9 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
@ -993,7 +999,6 @@ github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY=
github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
@ -1135,8 +1140,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
golang.org/x/crypto v0.4.0 h1:UVQgzMY87xqpKNgb+kDsll2Igd33HszWHFLmpaRMq/8=
golang.org/x/crypto v0.4.0/go.mod h1:3quD/ATkf6oY+rnes5c3ExXTbLc8mueNue5/DoinL80=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -1231,11 +1236,13 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@ -1255,8 +1262,10 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU=
golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -1358,14 +1367,15 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210422114643-f5beecf764ed/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.3.0 h1:qoo4akIqOcDME5bhc/NgxUdovd6BSS2uMsVjB56q1xI=
golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1376,8 +1386,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -1385,8 +1396,9 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20201208040808-7e3f01d25324/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 h1:vVKdlvoWBphwdxWKrFZEuM0kGgGLxUOYcY4U/2Vjg44=
golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE=
golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@ -1569,8 +1581,9 @@ google.golang.org/genproto v0.0.0-20210903162649-d08c68adba83/go.mod h1:eFjDcFEc
google.golang.org/genproto v0.0.0-20210924002016-3dee208752a0/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
google.golang.org/genproto v0.0.0-20220208230804-65c12eb4c068/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21 h1:hrbNEivu7Zn1pxvHk6MBrq9iE22woVILTHqexqBxe6I=
google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e h1:S9GbmC1iCgvbLyAokVCwiO6tVIrU9Y7c5oMx1V/ki/Y=
google.golang.org/genproto v0.0.0-20221024183307-1bc688fe9f3e/go.mod h1:9qHF0xnpdSfF6knlcsnpzUu5y+rpwgbvsyGAZPBMg4s=
google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
google.golang.org/grpc v1.16.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
@ -1605,8 +1618,8 @@ google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9K
google.golang.org/grpc v1.44.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@ -1683,23 +1696,23 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
k8s.io/api v0.25.3 h1:Q1v5UFfYe87vi5H7NU0p4RXC26PPMT8KOpr1TLQbCMQ=
k8s.io/api v0.25.3/go.mod h1:o42gKscFrEVjHdQnyRenACrMtbuJsVdP+WVjqejfzmI=
k8s.io/apiextensions-apiserver v0.25.3 h1:bfI4KS31w2f9WM1KLGwnwuVlW3RSRPuIsfNF/3HzR0k=
k8s.io/apiextensions-apiserver v0.25.3/go.mod h1:ZJqwpCkxIx9itilmZek7JgfUAM0dnTsA48I4krPqRmo=
k8s.io/apimachinery v0.25.3 h1:7o9ium4uyUOM76t6aunP0nZuex7gDf8VGwkR5RcJnQc=
k8s.io/apimachinery v0.25.3/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo=
k8s.io/apiserver v0.25.3 h1:m7+xGuG5+KYAnEsqaFtDyWMkmMMEOFYlu+NlWv5qSBI=
k8s.io/apiserver v0.25.3/go.mod h1:9bT47iM2fzRuhICJpM/RcQR9sqDDfZ7Yw60h0p3JW08=
k8s.io/client-go v0.25.3 h1:oB4Dyl8d6UbfDHD8Bv8evKylzs3BXzzufLiO27xuPs0=
k8s.io/client-go v0.25.3/go.mod h1:t39LPczAIMwycjcXkVc+CB+PZV69jQuNx4um5ORDjQA=
k8s.io/cloud-provider v0.25.3 h1:1X1BKXm0fp8/ZkaQKNDyWqgh6t7m9O5MDSbO9OA4muk=
k8s.io/cloud-provider v0.25.3/go.mod h1:P7TjzjbkqW3C0NAT1bNEZrZRifNNBVhrTb+iHRjfFz0=
k8s.io/code-generator v0.25.3/go.mod h1:9F5fuVZOMWRme7MYj2YT3L9ropPWPokd9VRhVyD3+0w=
k8s.io/component-base v0.25.3 h1:UrsxciGdrCY03ULT1h/S/gXFCOPnLhUVwSyx+hM/zq4=
k8s.io/component-base v0.25.3/go.mod h1:WYoS8L+IlTZgU7rhAl5Ctpw0WdMxDfCC5dkxcEFa/TI=
k8s.io/component-helpers v0.25.3 h1:Ldwi2U50KohMVDKBcVT3zDpIOKFP4bPEy/4Dj4NsoYU=
k8s.io/component-helpers v0.25.3/go.mod h1:yu9zgPm9pf5jpmUzOZA9PMHY16Eu8ymt8AnSL0Xwbgw=
k8s.io/api v0.25.4 h1:3YO8J4RtmG7elEgaWMb4HgmpS2CfY1QlaOz9nwB+ZSs=
k8s.io/api v0.25.4/go.mod h1:IG2+RzyPQLllQxnhzD8KQNEu4c4YvyDTpSMztf4A0OQ=
k8s.io/apiextensions-apiserver v0.25.4 h1:7hu9pF+xikxQuQZ7/30z/qxIPZc2J1lFElPtr7f+B6U=
k8s.io/apiextensions-apiserver v0.25.4/go.mod h1:bkSGki5YBoZWdn5pWtNIdGvDrrsRWlmnvl9a+tAw5vQ=
k8s.io/apimachinery v0.25.4 h1:CtXsuaitMESSu339tfhVXhQrPET+EiWnIY1rcurKnAc=
k8s.io/apimachinery v0.25.4/go.mod h1:jaF9C/iPNM1FuLl7Zuy5b9v+n35HGSh6AQ4HYRkCqwo=
k8s.io/apiserver v0.25.4 h1:/3TwZcgLqX7wUxq7TtXOUqXeBTwXIblVMQdhR5XZ7yo=
k8s.io/apiserver v0.25.4/go.mod h1:rPcm567XxjOnnd7jedDUnGJGmDGAo+cT6H7QHAN+xV0=
k8s.io/client-go v0.25.4 h1:3RNRDffAkNU56M/a7gUfXaEzdhZlYhoW8dgViGy5fn8=
k8s.io/client-go v0.25.4/go.mod h1:8trHCAC83XKY0wsBIpbirZU4NTUpbuhc2JnI7OruGZw=
k8s.io/cloud-provider v0.25.4 h1:juIfru1jVX6BlDWcJ18sv6aWxMSMmcjWf2HNXUtnkiI=
k8s.io/cloud-provider v0.25.4/go.mod h1:L018fvnYxHrJP93UNSu8ODZYd/HCukliBzzNsV4TqC0=
k8s.io/code-generator v0.25.4/go.mod h1:9F5fuVZOMWRme7MYj2YT3L9ropPWPokd9VRhVyD3+0w=
k8s.io/component-base v0.25.4 h1:n1bjg9Yt+G1C0WnIDJmg2fo6wbEU1UGMRiQSjmj7hNQ=
k8s.io/component-base v0.25.4/go.mod h1:nnZJU8OP13PJEm6/p5V2ztgX2oyteIaAGKGMYb2L2cY=
k8s.io/component-helpers v0.25.4 h1:FIwp5ZzjaA7p0lekHQM28E7qTd9Aetx5O9e7r4n2Kqo=
k8s.io/component-helpers v0.25.4/go.mod h1:X4KJ8SsJ/onWcDQkRhcE2WRG/iNMufCl7RsNSYtguJg=
k8s.io/gengo v0.0.0-20201214224949-b6c5ce23f027/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/gengo v0.0.0-20211129171323-c02415ce4185/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
@ -1715,20 +1728,21 @@ k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH
k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea h1:3QOH5+2fGsY8e1qf+GIFpg+zw/JGNrgyZRQR7/m6uWg=
k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
k8s.io/kubectl v0.25.3 h1:HnWJziEtmsm4JaJiKT33kG0kadx68MXxUE8UEbXnN4U=
k8s.io/kubectl v0.25.3/go.mod h1:glU7PiVj/R6Ud4A9FJdTcJjyzOtCJyc0eO7Mrbh3jlI=
k8s.io/kubelet v0.25.3 h1:PjT3Xo0VL1BpRilBpZrRN8pSy6w5pGQ0YDQQeQWSHvQ=
k8s.io/kubelet v0.25.3/go.mod h1:YopVc6vLhveZb22I7AzcoWPap+t3/KJKqRZDa2MZmyE=
k8s.io/kubernetes v1.25.3 h1:Ljx/Ew9+dt7rN9ob3V+N/aoDy7nDSbmr35IbYGRTyqE=
k8s.io/kubernetes v1.25.3/go.mod h1:lvEY+3iJhh+sGIK1LorGkI56rW0eLGsfalnp68wQwYU=
k8s.io/mount-utils v0.25.3 h1:Eb4MDClmozX3Vrz4ZtoG0bQ/pGhT5gyo28p3f+0r9EE=
k8s.io/mount-utils v0.25.3/go.mod h1:odpFnGwJfFjN3SRnjfGS0902ubcj/W6hDOrNDmSSINo=
k8s.io/pod-security-admission v0.25.3 h1:2HnXWKUIDSez2sWtvxeGgGVUFvYnJJHutL4AI1MIuwk=
k8s.io/pod-security-admission v0.25.3/go.mod h1:xSaLkcMPD6cGKrZ//ZUrCNs0BewZzQdOEcC9LuXBGR4=
k8s.io/kubectl v0.25.4 h1:O3OA1z4V1ZyvxCvScjq0pxAP7ABgznr8UvnVObgI6Dc=
k8s.io/kubectl v0.25.4/go.mod h1:CKMrQ67Bn2YCP26tZStPQGq62zr9pvzEf65A0navm8k=
k8s.io/kubelet v0.25.4 h1:24MmTTQGBHr08UkMYFC/RaLjuiMREM53HfRgJKWRquI=
k8s.io/kubelet v0.25.4/go.mod h1:dWAxzvWR7B6LrSgE+6H6Dc7bOzNOzm+O+W6zLic9daA=
k8s.io/kubernetes v1.25.4 h1:M1+MR8IxE64zHhSSDn30twChLaOI+p0Kt77pvyQMKwU=
k8s.io/kubernetes v1.25.4/go.mod h1:lvEY+3iJhh+sGIK1LorGkI56rW0eLGsfalnp68wQwYU=
k8s.io/mount-utils v0.25.4 h1:+j1GBo6rH6sM1GvOI4jcu1IpjA5WssuwW7UEkQevaTU=
k8s.io/mount-utils v0.25.4/go.mod h1:odpFnGwJfFjN3SRnjfGS0902ubcj/W6hDOrNDmSSINo=
k8s.io/pod-security-admission v0.25.4 h1:jUjWkuYPnuZo7HNj0FkiPjcoj0ERULXGSTCMiDM91A8=
k8s.io/pod-security-admission v0.25.4/go.mod h1:0xthTisMu4TTzHrzM5SCeaRoFwqBjM54DqdHVcwk62k=
k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed h1:jAne/RjBTyawwAy0utX5eqigAwz/lQhTmy+Hr/Cpue4=
k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

54
internal/cephfs/controllerserver.go
View File

@ -26,6 +26,7 @@ import (
"github.com/ceph/ceph-csi/internal/cephfs/store"
fsutil "github.com/ceph/ceph-csi/internal/cephfs/util"
csicommon "github.com/ceph/ceph-csi/internal/csi-common"
"github.com/ceph/ceph-csi/internal/kms"
"github.com/ceph/ceph-csi/internal/util"
"github.com/ceph/ceph-csi/internal/util/k8s"
"github.com/ceph/ceph-csi/internal/util/log"
@ -66,18 +67,29 @@ func (cs *ControllerServer) createBackingVolume(
ctx context.Context,
volOptions,
parentVolOpt *store.VolumeOptions,
pvID *store.VolumeIdentifier,
vID, pvID *store.VolumeIdentifier,
sID *store.SnapshotIdentifier,
secrets map[string]string,
) error {
var err error
volClient := core.NewSubVolume(volOptions.GetConnection(),
&volOptions.SubVolume, volOptions.ClusterID, cs.ClusterName, cs.SetMetadata)
if sID != nil {
return cs.createBackingVolumeFromSnapshotSource(ctx, volOptions, parentVolOpt, volClient, sID)
err = parentVolOpt.CopyEncryptionConfig(volOptions, sID.SnapshotID, vID.VolumeID)
if err != nil {
return status.Error(codes.Internal, err.Error())
}
return cs.createBackingVolumeFromSnapshotSource(ctx, volOptions, parentVolOpt, volClient, sID, secrets)
}
if parentVolOpt != nil {
err = parentVolOpt.CopyEncryptionConfig(volOptions, pvID.VolumeID, vID.VolumeID)
if err != nil {
return status.Error(codes.Internal, err.Error())
}
return cs.createBackingVolumeFromVolumeSource(ctx, parentVolOpt, volClient, pvID)
}
@ -96,6 +108,7 @@ func (cs *ControllerServer) createBackingVolumeFromSnapshotSource(
parentVolOpt *store.VolumeOptions,
volClient core.SubVolumeClient,
sID *store.SnapshotIdentifier,
secrets map[string]string,
) error {
if err := cs.OperationLocks.GetRestoreLock(sID.SnapshotID); err != nil {
log.ErrorLog(ctx, err.Error())
@ -105,7 +118,7 @@ func (cs *ControllerServer) createBackingVolumeFromSnapshotSource(
defer cs.OperationLocks.ReleaseRestoreLock(sID.SnapshotID)
if volOptions.BackingSnapshot {
if err := store.AddSnapshotBackedVolumeRef(ctx, volOptions, cs.ClusterName, cs.SetMetadata); err != nil {
if err := store.AddSnapshotBackedVolumeRef(ctx, volOptions, cs.ClusterName, cs.SetMetadata, secrets); err != nil {
log.ErrorLog(ctx, "failed to create snapshot-backed volume from snapshot %s: %v",
sID.FsSnapshotName, err)
@ -162,7 +175,8 @@ func (cs *ControllerServer) checkContentSource(
switch volumeSource.Type.(type) {
case *csi.VolumeContentSource_Snapshot:
snapshotID := req.VolumeContentSource.GetSnapshot().GetSnapshotId()
volOpt, _, sid, err := store.NewSnapshotOptionsFromID(ctx, snapshotID, cr, cs.ClusterName, cs.SetMetadata)
volOpt, _, sid, err := store.NewSnapshotOptionsFromID(ctx, snapshotID, cr,
req.GetSecrets(), cs.ClusterName, cs.SetMetadata)
if err != nil {
if errors.Is(err, cerrors.ErrSnapNotFound) {
return nil, nil, nil, status.Error(codes.NotFound, err.Error())
@ -294,13 +308,14 @@ func (cs *ControllerServer) CreateVolume(
return nil, status.Error(codes.Internal, err.Error())
}
// TODO return error message if requested vol size greater than found volume return error
metadata := k8s.GetVolumeMetadata(req.GetParameters())
if vID != nil {
volClient := core.NewSubVolume(volOptions.GetConnection(), &volOptions.SubVolume,
volOptions.ClusterID, cs.ClusterName, cs.SetMetadata)
if sID != nil || pvID != nil && !volOptions.BackingSnapshot {
if (sID != nil || pvID != nil) && !volOptions.BackingSnapshot {
err = volClient.ExpandVolume(ctx, volOptions.Size)
if err != nil {
purgeErr := volClient.PurgeVolume(ctx, false)
@ -370,7 +385,7 @@ func (cs *ControllerServer) CreateVolume(
}()
// Create a volume
err = cs.createBackingVolume(ctx, volOptions, parentVol, pvID, sID)
err = cs.createBackingVolume(ctx, volOptions, parentVol, vID, pvID, sID, req.GetSecrets())
if err != nil {
if cerrors.IsCloneRetryError(err) {
return nil, status.Error(codes.Aborted, err.Error())
@ -529,7 +544,7 @@ func (cs *ControllerServer) DeleteVolume(
}
defer cr.DeleteCredentials()
if err := cs.cleanUpBackingVolume(ctx, volOptions, vID, cr); err != nil {
if err := cs.cleanUpBackingVolume(ctx, volOptions, vID, cr, secrets); err != nil {
return nil, err
}
@ -547,7 +562,19 @@ func (cs *ControllerServer) cleanUpBackingVolume(
volOptions *store.VolumeOptions,
volID *store.VolumeIdentifier,
cr *util.Credentials,
secrets map[string]string,
) error {
if volOptions.IsEncrypted() && volOptions.Encryption.KMS.RequiresDEKStore() == kms.DEKStoreIntegrated {
// Only remove DEK when the KMS stores it itself. On
// GetSecret enabled KMS the DEKs are stored by
// fscrypt on the volume that is going to be deleted anyway.
log.DebugLog(ctx, "going to remove DEK for integrated store %q (fscrypt)", volOptions.Encryption.GetID())
if err := volOptions.Encryption.RemoveDEK(volID.VolumeID); err != nil {
log.WarningLog(ctx, "failed to clean the passphrase for volume %q (file encryption): %s",
volOptions.VolID, err)
}
}
if !volOptions.BackingSnapshot {
// Regular volumes need to be purged.
@ -585,7 +612,7 @@ func (cs *ControllerServer) cleanUpBackingVolume(
}
snapParentVolOptions, _, snapID, err := store.NewSnapshotOptionsFromID(ctx,
volOptions.BackingSnapshotID, cr, cs.ClusterName, cs.SetMetadata)
volOptions.BackingSnapshotID, cr, secrets, cs.ClusterName, cs.SetMetadata)
if err != nil {
absorbErrs := []error{
util.ErrPoolNotFound,
@ -874,6 +901,14 @@ func (cs *ControllerServer) CreateSnapshot(
return nil, status.Error(codes.Internal, err.Error())
}
// Use same encryption KMS than source volume and copy the passphrase. The passphrase becomes
// available under the snapshot id for CreateVolume to use this snap as a backing volume
snapVolOptions := store.VolumeOptions{}
err = parentVolOptions.CopyEncryptionConfig(&snapVolOptions, sourceVolID, sID.SnapshotID)
if err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
return &csi.CreateSnapshotResponse{
Snapshot: &csi.Snapshot{
SizeBytes: info.BytesQuota,
@ -991,7 +1026,8 @@ func (cs *ControllerServer) DeleteSnapshot(
}
defer cs.OperationLocks.ReleaseDeleteLock(snapshotID)
volOpt, snapInfo, sid, err := store.NewSnapshotOptionsFromID(ctx, snapshotID, cr, cs.ClusterName, cs.SetMetadata)
volOpt, snapInfo, sid, err := store.NewSnapshotOptionsFromID(ctx, snapshotID, cr,
req.GetSecrets(), cs.ClusterName, cs.SetMetadata)
if err != nil {
switch {
case errors.Is(err, util.ErrPoolNotFound):

58
internal/cephfs/nodeserver.go
View File

@ -30,6 +30,7 @@ import (
fsutil "github.com/ceph/ceph-csi/internal/cephfs/util"
csicommon "github.com/ceph/ceph-csi/internal/csi-common"
"github.com/ceph/ceph-csi/internal/util"
"github.com/ceph/ceph-csi/internal/util/fscrypt"
"github.com/ceph/ceph-csi/internal/util/log"
"github.com/container-storage-interface/spec/lib/go/csi"
@ -88,7 +89,7 @@ func (ns *NodeServer) getVolumeOptions(
return nil, status.Error(codes.Internal, err.Error())
}
volOptions, _, err = store.NewVolumeOptionsFromStaticVolume(string(volID), volContext)
volOptions, _, err = store.NewVolumeOptionsFromStaticVolume(string(volID), volContext, volSecrets)
if err != nil {
if !errors.Is(err, cerrors.ErrNonStaticVolume) {
return nil, status.Error(codes.Internal, err.Error())
@ -118,6 +119,39 @@ func validateSnapshotBackedVolCapability(volCap *csi.VolumeCapability) error {
return nil
}
// maybeUnlockFileEncryption unlocks fscrypt on stagingTargetPath, if volOptions enable encryption.
func maybeUnlockFileEncryption(
ctx context.Context,
volOptions *store.VolumeOptions,
stagingTargetPath string,
volID fsutil.VolumeID,
) error {
if volOptions.IsEncrypted() {
log.DebugLog(ctx, "cephfs: unlocking fscrypt on volume %q path %s", volID, stagingTargetPath)
return fscrypt.Unlock(ctx, volOptions.Encryption, stagingTargetPath, string(volID))
}
return nil
}
// maybeInitializeFileEncryption initializes KMS and node specifics, if volContext enables encryption.
func maybeInitializeFileEncryption(
ctx context.Context,
mnt mounter.VolumeMounter,
volOptions *store.VolumeOptions,
) error {
if volOptions.IsEncrypted() {
if _, isFuse := mnt.(*mounter.FuseMounter); isFuse {
return errors.New("FUSE mounter does not support encryption")
}
return fscrypt.InitializeNode(ctx)
}
return nil
}
// NodeStageVolume mounts the volume to a staging path on the node.
func (ns *NodeServer) NodeStageVolume(
ctx context.Context,
@ -170,6 +204,11 @@ func (ns *NodeServer) NodeStageVolume(
return nil, status.Error(codes.Internal, err.Error())
}
err = maybeInitializeFileEncryption(ctx, mnt, volOptions)
if err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
// Check if the volume is already mounted
if err = ns.tryRestoreFuseMountInNodeStage(ctx, mnt, stagingTargetPath); err != nil {
@ -185,6 +224,9 @@ func (ns *NodeServer) NodeStageVolume(
if isMnt {
log.DebugLog(ctx, "cephfs: volume %s is already mounted to %s, skipping", volID, stagingTargetPath)
if err = maybeUnlockFileEncryption(ctx, volOptions, stagingTargetPath, volID); err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
return &csi.NodeStageVolumeResponse{}, nil
}
@ -205,6 +247,10 @@ func (ns *NodeServer) NodeStageVolume(
log.DebugLog(ctx, "cephfs: successfully mounted volume %s to %s", volID, stagingTargetPath)
if err = maybeUnlockFileEncryption(ctx, volOptions, stagingTargetPath, volID); err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
if _, isFuse := mnt.(*mounter.FuseMounter); isFuse {
// FUSE mount recovery needs NodeStageMountinfo records.
@ -452,6 +498,16 @@ func (ns *NodeServer) NodePublishVolume(
}
// It's not, mount now
encrypted, err := store.IsEncrypted(ctx, req.GetVolumeContext())
if err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
if encrypted {
stagingTargetPath = fscrypt.AppendEncyptedSubdirectory(stagingTargetPath)
if err = fscrypt.IsDirectoryUnlocked(stagingTargetPath, "ceph"); err != nil {
return nil, status.Error(codes.Internal, err.Error())
}
}
if err = mounter.BindMount(
ctx,

3
internal/cephfs/store/backingsnapshot.go
View File

@ -36,6 +36,7 @@ func AddSnapshotBackedVolumeRef(
volOptions *VolumeOptions,
clusterName string,
setMetadata bool,
secrets map[string]string,
) error {
ioctx, err := volOptions.conn.GetIoctx(volOptions.MetadataPool)
if err != nil {
@ -98,7 +99,7 @@ func AddSnapshotBackedVolumeRef(
// deleting the backing snapshot. Make sure the snapshot still exists by
// trying to retrieve it again.
_, _, _, err = NewSnapshotOptionsFromID(ctx,
volOptions.BackingSnapshotID, volOptions.conn.Creds, clusterName, setMetadata)
volOptions.BackingSnapshotID, volOptions.conn.Creds, secrets, clusterName, setMetadata)
if err != nil {
log.ErrorLog(ctx, "failed to get backing snapshot %s: %v", volOptions.BackingSnapshotID, err)
}

26
internal/cephfs/store/fsjournal.go
View File

@ -90,8 +90,10 @@ func CheckVolExists(ctx context.Context,
}
defer j.Destroy()
kmsID, encryptionType := getEncryptionConfig(volOptions)
imageData, err := j.CheckReservation(
ctx, volOptions.MetadataPool, volOptions.RequestName, volOptions.NamePrefix, "", "", util.EncryptionTypeNone)
ctx, volOptions.MetadataPool, volOptions.RequestName, volOptions.NamePrefix, "", kmsID, encryptionType)
if err != nil {
return nil, err
}
@ -249,6 +251,14 @@ func updateTopologyConstraints(volOpts *VolumeOptions) error {
return nil
}
func getEncryptionConfig(volOptions *VolumeOptions) (string, util.EncryptionType) {
if volOptions.IsEncrypted() {
return volOptions.Encryption.GetID(), util.EncryptionTypeFile
}
return "", util.EncryptionTypeNone
}
// ReserveVol is a helper routine to request a UUID reservation for the CSI VolumeName and,
// to generate the volume identifier for the reserved UUID.
func ReserveVol(ctx context.Context, volOptions *VolumeOptions, secret map[string]string) (*VolumeIdentifier, error) {
@ -276,10 +286,13 @@ func ReserveVol(ctx context.Context, volOptions *VolumeOptions, secret map[strin
}
defer j.Destroy()
kmsID, encryptionType := getEncryptionConfig(volOptions)
imageUUID, vid.FsSubvolName, err = j.ReserveName(
ctx, volOptions.MetadataPool, util.InvalidPoolID,
volOptions.MetadataPool, util.InvalidPoolID, volOptions.RequestName,
volOptions.NamePrefix, "", "", volOptions.ReservedID, "", volOptions.BackingSnapshotID, util.EncryptionTypeNone)
volOptions.NamePrefix, "", kmsID, volOptions.ReservedID, volOptions.Owner,
volOptions.BackingSnapshotID, encryptionType)
if err != nil {
return nil, err
}
@ -319,10 +332,13 @@ func ReserveSnap(
}
defer j.Destroy()
kmsID, encryptionType := getEncryptionConfig(volOptions)
imageUUID, vid.FsSnapshotName, err = j.ReserveName(
ctx, volOptions.MetadataPool, util.InvalidPoolID,
volOptions.MetadataPool, util.InvalidPoolID, snap.RequestName,
snap.NamePrefix, parentSubVolName, "", snap.ReservedID, "", "", util.EncryptionTypeNone)
snap.NamePrefix, parentSubVolName, kmsID, snap.ReservedID, "",
volOptions.Owner, encryptionType)
if err != nil {
return nil, err
}
@ -390,8 +406,10 @@ func CheckSnapExists(
}
defer j.Destroy()
kmsID, encryptionType := getEncryptionConfig(volOptions)
snapData, err := j.CheckReservation(
ctx, volOptions.MetadataPool, snap.RequestName, snap.NamePrefix, volOptions.VolID, "", util.EncryptionTypeNone)
ctx, volOptions.MetadataPool, snap.RequestName, snap.NamePrefix, volOptions.VolID, kmsID, encryptionType)
if err != nil {
return nil, nil, err
}

197
internal/cephfs/store/volumeoptions.go
View File

@ -29,10 +29,16 @@ import (
"github.com/ceph/ceph-csi/internal/cephfs/core"
cerrors "github.com/ceph/ceph-csi/internal/cephfs/errors"
fsutil "github.com/ceph/ceph-csi/internal/cephfs/util"
kmsapi "github.com/ceph/ceph-csi/internal/kms"
"github.com/ceph/ceph-csi/internal/util"
"github.com/ceph/ceph-csi/internal/util/k8s"
"github.com/ceph/ceph-csi/internal/util/log"
)
const (
cephfsDefaultEncryptionType = util.EncryptionTypeFile
)
type VolumeOptions struct {
core.SubVolume
@ -55,6 +61,11 @@ type VolumeOptions struct {
Topology map[string]string
FscID int64
// Encryption provides access to optional VolumeEncryption functions
Encryption *util.VolumeEncryption
// Owner is the creator (tenant, Kubernetes Namespace) of the volume
Owner string
// conn is a connection to the Ceph cluster obtained from a ConnPool
conn *util.ClusterConnection
@ -84,6 +95,9 @@ func (vo *VolumeOptions) Destroy() {
if vo.conn != nil {
vo.conn.Destroy()
}
if vo.IsEncrypted() {
vo.Encryption.Destroy()
}
}
func validateNonEmptyField(field, fieldName string) error {
@ -196,6 +210,7 @@ func fmtBackingSnapshotOptionMismatch(optName, expected, actual string) error {
// NewVolumeOptions generates a new instance of volumeOptions from the provided
// CSI request parameters.
// nolint:gocyclo,cyclop // TODO: reduce complexity
func NewVolumeOptions(
ctx context.Context,
requestName,
@ -219,6 +234,7 @@ func NewVolumeOptions(
opts.ClusterID = clusterData.ClusterID
opts.Monitors = strings.Join(clusterData.Monitors, ",")
opts.SubvolumeGroup = clusterData.CephFS.SubvolumeGroup
opts.Owner = k8s.GetOwner(volOptions)
if err = extractOptionalOption(&opts.Pool, "pool", volOptions); err != nil {
return nil, err
@ -248,6 +264,10 @@ func NewVolumeOptions(
return nil, err
}
if err = opts.InitKMS(ctx, volOptions, req.GetSecrets()); err != nil {
return nil, fmt.Errorf("failed to init KMS: %w", err)
}
if backingSnapshotBool != "" {
if opts.BackingSnapshot, err = strconv.ParseBool(backingSnapshotBool); err != nil {
return nil, fmt.Errorf("failed to parse backingSnapshot: %w", err)
@ -294,7 +314,7 @@ func NewVolumeOptions(
opts.BackingSnapshotID = req.GetVolumeContentSource().GetSnapshot().GetSnapshotId()
err = opts.populateVolumeOptionsFromBackingSnapshot(ctx, cr, clusterName, setMetadata)
err = opts.populateVolumeOptionsFromBackingSnapshot(ctx, cr, req.GetSecrets(), clusterName, setMetadata)
if err != nil {
return nil, err
}
@ -305,6 +325,7 @@ func NewVolumeOptions(
// newVolumeOptionsFromVolID generates a new instance of volumeOptions and VolumeIdentifier
// from the provided CSI VolumeID.
// nolint:gocyclo,cyclop // TODO: reduce complexity
func NewVolumeOptionsFromVolID(
ctx context.Context,
volID string,
@ -382,6 +403,7 @@ func NewVolumeOptionsFromVolID(
}
volOptions.RequestName = imageAttributes.RequestName
vid.FsSubvolName = imageAttributes.ImageName
volOptions.Owner = imageAttributes.Owner
if volOpt != nil {
if err = extractOptionalOption(&volOptions.Pool, "pool", volOpt); err != nil {
@ -403,6 +425,10 @@ func NewVolumeOptionsFromVolID(
if err = extractMounter(&volOptions.Mounter, volOpt); err != nil {
return nil, nil, err
}
if err = volOptions.InitKMS(ctx, volOpt, secrets); err != nil {
return nil, nil, err
}
}
if imageAttributes.BackingSnapshotID != "" || volOptions.BackingSnapshotID != "" {
@ -414,11 +440,18 @@ func NewVolumeOptionsFromVolID(
volOptions.SubVolume.VolID = vid.FsSubvolName
if volOptions.BackingSnapshot {
err = volOptions.populateVolumeOptionsFromBackingSnapshot(ctx, cr, clusterName, setMetadata)
err = volOptions.populateVolumeOptionsFromBackingSnapshot(ctx, cr, secrets, clusterName, setMetadata)
} else {
err = volOptions.populateVolumeOptionsFromSubvolume(ctx, clusterName, setMetadata)
}
if volOpt == nil && imageAttributes.KmsID != "" && volOptions.Encryption == nil {
err = volOptions.ConfigureEncryption(ctx, imageAttributes.KmsID, secrets)
if err != nil {
return &volOptions, &vid, err
}
}
return &volOptions, &vid, err
}
@ -447,6 +480,7 @@ func (vo *VolumeOptions) populateVolumeOptionsFromSubvolume(
func (vo *VolumeOptions) populateVolumeOptionsFromBackingSnapshot(
ctx context.Context,
cr *util.Credentials,
secrets map[string]string,
clusterName string,
setMetadata bool,
) error {
@ -471,7 +505,7 @@ func (vo *VolumeOptions) populateVolumeOptionsFromBackingSnapshot(
}
parentBackingSnapVolOpts, _, snapID, err := NewSnapshotOptionsFromID(ctx,
vo.BackingSnapshotID, cr, clusterName, setMetadata)
vo.BackingSnapshotID, cr, secrets, clusterName, setMetadata)
if err != nil {
return fmt.Errorf("failed to retrieve backing snapshot %s: %w", vo.BackingSnapshotID, err)
}
@ -576,6 +610,11 @@ func NewVolumeOptionsFromMonitorList(
return nil, nil, err
}
opts.Owner = k8s.GetOwner(options)
if err = opts.InitKMS(context.TODO(), options, secrets); err != nil {
return nil, nil, err
}
vid.FsSubvolName = volID
vid.VolumeID = volID
@ -591,7 +630,7 @@ func NewVolumeOptionsFromMonitorList(
// detected to be a statically provisioned volume.
func NewVolumeOptionsFromStaticVolume(
volID string,
options map[string]string,
options, secrets map[string]string,
) (*VolumeOptions, *VolumeIdentifier, error) {
var (
opts VolumeOptions
@ -625,6 +664,7 @@ func NewVolumeOptionsFromStaticVolume(
opts.ClusterID = clusterData.ClusterID
opts.Monitors = strings.Join(clusterData.Monitors, ",")
opts.SubvolumeGroup = clusterData.CephFS.SubvolumeGroup
opts.Owner = k8s.GetOwner(options)
if err = extractOption(&opts.RootPath, "rootPath", options); err != nil {
return nil, nil, err
@ -650,6 +690,10 @@ func NewVolumeOptionsFromStaticVolume(
return nil, nil, err
}
if err = opts.InitKMS(context.TODO(), options, secrets); err != nil {
return nil, nil, err
}
vid.FsSubvolName = opts.RootPath
vid.VolumeID = volID
@ -666,6 +710,7 @@ func NewSnapshotOptionsFromID(
ctx context.Context,
snapID string,
cr *util.Credentials,
secrets map[string]string,
clusterName string,
setMetadata bool,
) (*VolumeOptions, *core.SnapshotInfo, *SnapshotIdentifier, error) {
@ -739,8 +784,16 @@ func NewSnapshotOptionsFromID(
sid.FsSubvolName = imageAttributes.SourceName
volOptions.SubVolume.VolID = sid.FsSubvolName
volOptions.Owner = imageAttributes.Owner
vol := core.NewSubVolume(volOptions.conn, &volOptions.SubVolume, volOptions.ClusterID, clusterName, setMetadata)
if imageAttributes.KmsID != "" && volOptions.Encryption == nil {
err = volOptions.ConfigureEncryption(ctx, imageAttributes.KmsID, secrets)
if err != nil {
return &volOptions, nil, &sid, err
}
}
subvolInfo, err := vol.GetSubVolumeInfo(ctx)
if err != nil {
return &volOptions, nil, &sid, err
@ -788,3 +841,139 @@ func GenSnapFromOptions(ctx context.Context, req *csi.CreateSnapshotRequest) (*S
return cephfsSnap, nil
}
func parseEncryptionOpts(volOptions map[string]string) (string, util.EncryptionType, error) {
var (
err error
ok bool
encrypted, kmsID string
)
encrypted, ok = volOptions["encrypted"]
if !ok {
return "", util.EncryptionTypeNone, nil
}
kmsID, err = util.FetchEncryptionKMSID(encrypted, volOptions["encryptionKMSID"])
if err != nil {
return "", util.EncryptionTypeInvalid, err
}
encType := util.FetchEncryptionType(volOptions, cephfsDefaultEncryptionType)
return kmsID, encType, nil
}
// IsEncrypted returns true if volOptions enables file encryption.
func IsEncrypted(ctx context.Context, volOptions map[string]string) (bool, error) {
_, encType, err := parseEncryptionOpts(volOptions)
if err != nil {
return false, err
}
return encType == util.EncryptionTypeFile, nil
}
// CopyEncryptionConfig copies passphrases and initializes a fresh
// Encryption struct if necessary from (vo, vID) to (cp, cpVID).
func (vo *VolumeOptions) CopyEncryptionConfig(cp *VolumeOptions, vID, cpVID string) error {
var err error
if !vo.IsEncrypted() {
return nil
}
if vID == cpVID {
return fmt.Errorf("BUG: %v and %v have the same VolID %q "+
"set!? Call stack: %s", vo, cp, vID, util.CallStack())
}
if cp.Encryption == nil {
cp.Encryption, err = util.NewVolumeEncryption(vo.Encryption.GetID(), vo.Encryption.KMS)
if errors.Is(err, util.ErrDEKStoreNeeded) {
_, err := vo.Encryption.KMS.GetSecret("")
if errors.Is(err, kmsapi.ErrGetSecretUnsupported) {
return err
}
}
}
if vo.Encryption.KMS.RequiresDEKStore() == kmsapi.DEKStoreIntegrated {
passphrase, err := vo.Encryption.GetCryptoPassphrase(vID)
if err != nil {
return fmt.Errorf("failed to fetch passphrase for %q (%+v): %w",
vID, vo, err)
}
err = cp.Encryption.StoreCryptoPassphrase(cpVID, passphrase)
if err != nil {
return fmt.Errorf("failed to store passphrase for %q (%+v): %w",
cpVID, cp, err)
}
}
return nil
}
// ConfigureEncryption initializes the Ceph CSI key management from
// kmsID and credentials. Sets vo.Encryption on success.
func (vo *VolumeOptions) ConfigureEncryption(
ctx context.Context,
kmsID string,
credentials map[string]string,
) error {
kms, err := kmsapi.GetKMS(vo.Owner, kmsID, credentials)
if err != nil {
log.ErrorLog(ctx, "get KMS failed %+v: %v", vo, err)
return err
}
vo.Encryption, err = util.NewVolumeEncryption(kmsID, kms)
if errors.Is(err, util.ErrDEKStoreNeeded) {
// fscrypt uses secrets directly from the KMS.
// Therefore we do not support an additional DEK
// store. Since not all "metadata" KMS support
// GetSecret, test for support here. Postpone any
// other error handling
_, err := vo.Encryption.KMS.GetSecret("")
if errors.Is(err, kmsapi.ErrGetSecretUnsupported) {
return err
}
}
return nil
}
// InitKMS initialized the Ceph CSI key management by parsing the
// configuration from volume options + credentials. Sets vo.Encryption
// on success.
func (vo *VolumeOptions) InitKMS(
ctx context.Context,
volOptions, credentials map[string]string,
) error {
var err error
kmsID, encType, err := parseEncryptionOpts(volOptions)
if err != nil {
return err
}
if encType == util.EncryptionTypeNone {
return nil
}
if encType != util.EncryptionTypeFile {
return fmt.Errorf("unsupported encryption type %v. only supported type is 'file'", encType)
}
err = vo.ConfigureEncryption(ctx, kmsID, credentials)
if err != nil {
return fmt.Errorf("invalid encryption kms configuration: %w", err)
}
return nil
}
func (vo *VolumeOptions) IsEncrypted() bool {
return vo.Encryption != nil
}

1
scripts/Dockerfile.test
View File

@ -33,6 +33,7 @@ RUN source /build.env \
findutils \
librados-devel \
librbd-devel \
openssl \
rubygems \
ShellCheck \
codespell \

7
scripts/mdl-style.rb
View File

@ -3,13 +3,8 @@ all
#Refer below url for more information about the markdown rules.
#https://github.com/markdownlint/markdownlint/blob/master/docs/RULES.md
rule 'MD013', :ignore_code_blocks => false, :tables => false, :line_length => 80
rule 'MD013', :ignore_code_blocks => true, :tables => false, :line_length => 80
exclude_rule 'MD033' # In-line HTML: GitHub style markdown adds HTML tags
exclude_rule 'MD040' # Fenced code blocks should have a language specified
exclude_rule 'MD041' # First line in file should be a top level header
# TODO: Enable the rules after making required changes.
exclude_rule 'MD007' # Unordered list indentation
exclude_rule 'MD012' # Multiple consecutive blank lines
exclude_rule 'MD013' # Line length
exclude_rule 'MD047' # File should end with a single newline character

2
scripts/test-go.sh
View File

@ -21,7 +21,7 @@ failed=0
for gopackage in ${GOPACKAGES}; do
echo "--- testing: ${gopackage} ---"
# shellcheck disable=SC2086
go test "${GO_TAGS}" "${MOD_VENDOR}" -v ${GOTESTOPTS[*]} "${gopackage}" || ((failed += 1))
go test "${GO_TAGS}" "${MOD_VENDOR}" -v "${GOTESTOPTS[@]}" "${gopackage}" || ((failed += 1))
if [[ -f cover.out ]]; then
# Append to coverfile
grep -v "^mode: count" cover.out >>"${COVERFILE}"

1
tools/README.md
View File

@ -5,4 +5,3 @@
`yamlgen` reads deployment configurations from the `api/` package and generates
YAML files that can be used for deploying without advanced automation like
Rook. The generated files are located under `deploy/`.

8
vendor/github.com/IBM/keyprotect-go-client/.bumpversion.cfg generated vendored Normal file
View File

@ -0,0 +1,8 @@
[bumpversion]
current_version = 0.9.1
commit = True
message = Update version {current_version} -> {new_version} [skip ci]
[bumpversion:file:README.md]
search = {current_version}
replace = {new_version}

1
vendor/github.com/IBM/keyprotect-go-client/.gitattributes generated vendored Normal file
View File

@ -0,0 +1 @@
*.enc binary

15
vendor/github.com/IBM/keyprotect-go-client/.gitignore generated vendored
View File

@ -42,3 +42,18 @@ cover.*
**/coverage.out
**/coverage.tmp
*.coverprofile
.env
# SDK generator
.openapi-generator-ignore
.openapi-generator/VERSION
# IDE files
*.idea
*.log
# files produced by "npm install" commands during build
package.json
package-lock.json
node_modules/

1
vendor/github.com/IBM/keyprotect-go-client/.npmrc generated vendored Normal file
View File

@ -0,0 +1 @@
package-lock=false

23
vendor/github.com/IBM/keyprotect-go-client/.releaserc generated vendored Normal file
View File

@ -0,0 +1,23 @@
{
"debug": true,
"branches": [ "master" ],
"plugins": [
"@semantic-release/commit-analyzer",
"@semantic-release/release-notes-generator",
"@semantic-release/changelog",
[
"@semantic-release/exec",
{
"prepareCmd": "bump2version --allow-dirty --current-version ${lastRelease.version} --new-version ${nextRelease.version} patch"
}
],
[
"@semantic-release/git",
{
"assets" : [ "CHANGELOG.md" ],
"message": "chore(release): ${nextRelease.version} release notes [skip ci]\n\n${nextRelease.notes}"
}
],
"@semantic-release/github"
]
}

39
vendor/github.com/IBM/keyprotect-go-client/.travis.yml generated vendored
View File

@ -1,26 +1,47 @@
language: go
dist: xenial
dist: bionic
go:
- 1.17.x
- 1.18.x
- 1.19.x
- 1.17.x
- 1.18.x
- 1.19.x
env:
- GO111MODULE=on
global:
- GO111MODULE=on
before_install:
- sudo apt-get update
- pyenv global 3.8
before_script:
- GO111MODULE=off go get -u github.com/haya14busa/goverage
install:
- go build ./...
- curl -sfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh| sh -s -- -b $(go env GOPATH)/bin v1.49.0
- curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh | sh -s -- -b $(go env GOPATH)/bin
script:
- $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts')
- go tool cover -func=cover.out
- go tool cover -html=cover.out -o=cover.html
# FIXME: these scripts don't exist in this repo
# after_success:
# - ./scripts/calculateCoverage.sh
# - ./scripts/publishCoverage.sh
# To enable semantic-release, uncomment these sections.
before_deploy:
- nvm install 14
- npm install -g npm@6.x
- npm install @semantic-release/changelog
- npm install @semantic-release/exec
- npm install @semantic-release/git
- npm install @semantic-release/github
- pip install --user bump2version
#
deploy:
- provider: script
script: npx semantic-release
skip_cleanup: true
on:
go: '1.18.x'
branch: master

7
vendor/github.com/IBM/keyprotect-go-client/CHANGELOG.md generated vendored Normal file
View File

@ -0,0 +1,7 @@
## [0.9.1](https://github.com/IBM/keyprotect-go-client/compare/v0.9.0...v0.9.1) (2022-12-06)
### Bug Fixes
* **build:** adding SDK version to README ([#104](https://github.com/IBM/keyprotect-go-client/issues/104)) ([858b1ec](https://github.com/IBM/keyprotect-go-client/commit/858b1ecbb328d4c463b0473a1758141b92e44fe1))
* **build:** integrate semantic-release based CI/CD ([#99](https://github.com/IBM/keyprotect-go-client/issues/99)) ([7776874](https://github.com/IBM/keyprotect-go-client/commit/77768745c974db99468e98a39f3981e264702609))

2
vendor/github.com/IBM/keyprotect-go-client/README.md generated vendored
View File

@ -1,3 +1,5 @@
# IBM Cloud Go SDK Version 0.9.1
# keyprotect-go-client
[![Build Status](https://travis-ci.com/IBM/keyprotect-go-client.svg?branch=master)](https://travis-ci.com/IBM/keyprotect-go-client)

2
vendor/github.com/aws/aws-sdk-go-v2/aws/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package aws
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.17.1"
const goModuleVersion = "1.17.2"

4
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/CHANGELOG.md generated vendored
View File

@ -1,3 +1,7 @@
# v1.1.26 (2022-12-02)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.1.25 (2022-10-24)
* **Dependency Update**: Updated to the latest SDK module versions

2
vendor/github.com/aws/aws-sdk-go-v2/internal/configsources/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package configsources
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.1.25"
const goModuleVersion = "1.1.26"

4
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/CHANGELOG.md generated vendored
View File

@ -1,3 +1,7 @@
# v2.4.20 (2022-12-02)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.4.19 (2022-10-24)
* **Dependency Update**: Updated to the latest SDK module versions

2
vendor/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package endpoints
// goModuleVersion is the tagged release for this module
const goModuleVersion = "2.4.19"
const goModuleVersion = "2.4.20"

4
vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/CHANGELOG.md generated vendored
View File

@ -1,3 +1,7 @@
# v1.9.20 (2022-12-02)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.9.19 (2022-10-24)
* **Dependency Update**: Updated to the latest SDK module versions

2
vendor/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package presignedurl
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.9.19"
const goModuleVersion = "1.9.20"

20
vendor/github.com/aws/aws-sdk-go-v2/service/sts/CHANGELOG.md generated vendored
View File

@ -1,3 +1,23 @@
# v1.17.6 (2022-12-02)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.17.5 (2022-11-22)
* No change notes available for this release.
# v1.17.4 (2022-11-17)
* **Documentation**: Documentation updates for AWS Security Token Service.
# v1.17.3 (2022-11-16)
* No change notes available for this release.
# v1.17.2 (2022-11-10)
* No change notes available for this release.
# v1.17.1 (2022-10-24)
* **Dependency Update**: Updated to the latest SDK module versions

87
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRole.go generated vendored
View File

@ -28,16 +28,16 @@ import (
// inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. When you create a role, you create two policies: A role
// trust policy that specifies who can assume the role and a permissions policy
@ -189,11 +189,11 @@ type AssumeRoleInput struct {
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed session policies and session tags into
// a packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@ -204,18 +204,18 @@ type AssumeRoleInput struct {
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed session policies and session tags into a packed binary
// format that has a separate limit. Your request can fail for this limit even if
// your plaintext meets the other requirements. The PackedPolicySize response
// element indicates by percentage how close the policies and tags for your request
// are to the upper size limit. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType
@ -257,22 +257,23 @@ type AssumeRoleInput struct {
// Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// already attached to the role. When you do, session tags override a role tag with
// the same key. Tag keyvalue pairs are not case sensitive, but case is preserved.
// This means that you cannot have separate Department and department tag keys.
// Assume that the role has the Department=Marketing tag and you pass the
// department=engineering session tag. Department and department are not saved as
// separate tags, and the session tag passed in the request takes precedence over
// the role tag. Additionally, if you used temporary credentials to perform this
// operation, the new session inherits any transitive session tags from the calling
// session. If you pass a session tag with the same key as an inherited tag, the
// operation fails. To view the inherited tags for a session, see the CloudTrail
// logs. For more information, see Viewing Session Tags in CloudTrail
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is already attached to the role. When you do, session
// tags override a role tag with the same key. Tag keyvalue pairs are not case
// sensitive, but case is preserved. This means that you cannot have separate
// Department and department tag keys. Assume that the role has the
// Department=Marketing tag and you pass the department=engineering session tag.
// Department and department are not saved as separate tags, and the session tag
// passed in the request takes precedence over the role tag. Additionally, if you
// used temporary credentials to perform this operation, the new session inherits
// any transitive session tags from the calling session. If you pass a session tag
// with the same key as an inherited tag, the operation fails. To view the
// inherited tags for a session, see the CloudTrail logs. For more information, see
// Viewing Session Tags in CloudTrail
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
// in the IAM User Guide.
Tags []types.Tag

74
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithSAML.go generated vendored
View File

@ -53,16 +53,16 @@ import (
// pass inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
// Amazon Web Services security credentials. The identity of the caller is
@ -82,16 +82,16 @@ import (
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// attached to the role. When you do, session tags override the role's tags with
// the same key. An administrator must grant you the permissions necessary to pass
// session tags. The administrator can also create granular permissions to allow
// you to pass only specific session tags. For more information, see Tutorial:
// Using Tags for Attribute-Based Access Control
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is attached to the role. When you do, session tags
// override the role's tags with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with
@ -194,11 +194,11 @@ type AssumeRoleWithSAMLInput struct {
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed session policies and session tags into
// a packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@ -209,18 +209,18 @@ type AssumeRoleWithSAMLInput struct {
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed session policies and session tags into a packed binary
// format that has a separate limit. Your request can fail for this limit even if
// your plaintext meets the other requirements. The PackedPolicySize response
// element indicates by percentage how close the policies and tags for your request
// are to the upper size limit. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType

74
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_AssumeRoleWithWebIdentity.go generated vendored
View File

@ -63,16 +63,16 @@ import (
// inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
// attributes into your web identity token as session tags. Each session tag
@ -84,16 +84,16 @@ import (
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// attached to the role. When you do, the session tag overrides the role tag with
// the same key. An administrator must grant you the permissions necessary to pass
// session tags. The administrator can also create granular permissions to allow
// you to pass only specific session tags. For more information, see Tutorial:
// Using Tags for Attribute-Based Access Control
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is attached to the role. When you do, the session tag
// overrides the role tag with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with
@ -215,11 +215,11 @@ type AssumeRoleWithWebIdentityInput struct {
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed session policies and session tags into
// a packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@ -230,18 +230,18 @@ type AssumeRoleWithWebIdentityInput struct {
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed session policies and session tags into a packed binary
// format that has a separate limit. Your request can fail for this limit even if
// your plaintext meets the other requirements. The PackedPolicySize response
// element indicates by percentage how close the policies and tags for your request
// are to the upper size limit. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType

87
vendor/github.com/aws/aws-sdk-go-v2/service/sts/api_op_GetFederationToken.go generated vendored
View File

@ -55,16 +55,16 @@ import (
// session policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Though the session policy
// parameters are optional, if you do not pass a policy, then the resulting
// federated user session has no permissions. When you pass session policies, the
// session permissions are the intersection of the IAM user policies and the
// session policies that you pass. This gives you a way to further restrict the
// permissions for a federated user. You cannot use session policies to grant more
// permissions than those that are defined in the permissions policy of the IAM
// user. For more information, see Session Policies
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. When you pass
// session policies, the session permissions are the intersection of the IAM user
// policies and the session policies that you pass. This gives you a way to further
// restrict the permissions for a federated user. You cannot use session policies
// to grant more permissions than those that are defined in the permissions policy
// of the IAM user. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. For information about using GetFederationToken to create
// temporary security credentials, see GetFederationToken—Federation Through a
@ -135,15 +135,15 @@ type GetFederationTokenInput struct {
// You must pass an inline or managed session policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. This parameter is optional. However, if you do not
// pass any session policies, then the resulting federated user session has no
// permissions. When you pass session policies, the session permissions are the
// intersection of the IAM user policies and the session policies that you pass.
// This gives you a way to further restrict the permissions for a federated user.
// You cannot use session policies to grant more permissions than those that are
// defined in the permissions policy of the IAM user. For more information, see
// Session Policies
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. This parameter is
// optional. However, if you do not pass any session policies, then the resulting
// federated user session has no permissions. When you pass session policies, the
// session permissions are the intersection of the IAM user policies and the
// session policies that you pass. This gives you a way to further restrict the
// permissions for a federated user. You cannot use session policies to grant more
// permissions than those that are defined in the permissions policy of the IAM
// user. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically
@ -155,11 +155,11 @@ type GetFederationTokenInput struct {
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters. An Amazon Web Services conversion compresses the
// passed session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit.
// passed inline session policy, managed policy ARNs, and session tags into a
// packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
@ -168,11 +168,11 @@ type GetFederationTokenInput struct {
// managed session policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. You can provide up to 10 managed
// policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs)
// and Amazon Web Services Service Namespaces
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// You can provide up to 10 managed policy ARNs. For more information about ARNs,
// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
// the Amazon Web Services General Reference. This parameter is optional. However,
// if you do not pass any session policies, then the resulting federated user
@ -188,11 +188,12 @@ type GetFederationTokenInput struct {
// references the federated user session in the Principal element of the policy,
// the session has the permissions allowed by the policy. These permissions are
// granted in addition to the permissions that are granted by the session policies.
// An Amazon Web Services conversion compresses the passed session policies and
// session tags into a packed binary format that has a separate limit. Your request
// can fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit.
PolicyArns []types.PolicyDescriptorType
// A list of session tags. Each session tag consists of a key name and an
@ -205,15 +206,15 @@ type GetFederationTokenInput struct {
// Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// already attached to the user you are federating. When you do, session tags
// override a user tag with the same key. Tag keyvalue pairs are not case
// sensitive, but case is preserved. This means that you cannot have separate
// Department and department tag keys. Assume that the role has the
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is already attached to the user you are federating. When
// you do, session tags override a user tag with the same key. Tag keyvalue pairs
// are not case sensitive, but case is preserved. This means that you cannot have
// separate Department and department tag keys. Assume that the role has the
// Department=Marketing tag and you pass the department=engineering session tag.
// Department and department are not saved as separate tags, and the session tag
// passed in the request takes precedence over the role tag.

2
vendor/github.com/aws/aws-sdk-go-v2/service/sts/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package sts
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.17.1"
const goModuleVersion = "1.17.6"

9
vendor/github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints/endpoints.go generated vendored
View File

@ -153,6 +153,9 @@ var defaultPartitions = endpoints.Partitions{
endpoints.EndpointKey{
Region: "ap-south-1",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "ap-south-2",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "ap-southeast-1",
}: endpoints.Endpoint{},
@ -176,12 +179,18 @@ var defaultPartitions = endpoints.Partitions{
endpoints.EndpointKey{
Region: "eu-central-1",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "eu-central-2",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "eu-north-1",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "eu-south-1",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "eu-south-2",
}: endpoints.Endpoint{},
endpoints.EndpointKey{
Region: "eu-west-1",
}: endpoints.Endpoint{},

1108
vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go generated vendored
View File

File diff suppressed because it is too large Load Diff

2
vendor/github.com/aws/aws-sdk-go/aws/version.go generated vendored
View File

@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK
const SDKVersion = "1.44.132"
const SDKVersion = "1.44.146"

149
vendor/github.com/aws/aws-sdk-go/service/ec2/api.go generated vendored
View File

@ -3400,9 +3400,9 @@ func (c *EC2) CancelImageLaunchPermissionRequest(input *CancelImageLaunchPermiss
// CancelImageLaunchPermission API operation for Amazon Elastic Compute Cloud.
//
// Removes your Amazon Web Services account from the launch permissions for
// the specified AMI. For more information, see Cancel sharing an AMI with your
// Amazon Web Services account (https://docs.aws.amazon.com/) in the Amazon
// Elastic Compute Cloud User Guide.
// the specified AMI. For more information, see Cancel having an AMI shared
// with your Amazon Web Services account (https://docs.aws.amazon.com/) in the
// Amazon Elastic Compute Cloud User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
@ -3951,7 +3951,7 @@ func (c *EC2) CopyImageRequest(input *CopyImageInput) (req *request.Request, out
// in the Amazon Elastic Compute Cloud User Guide.
//
// For more information about the prerequisites and limits when copying an AMI,
// see Copying an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
// see Copy an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html)
// in the Amazon Elastic Compute Cloud User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -5375,7 +5375,7 @@ func (c *EC2) CreateImageRequest(input *CreateImageInput) (req *request.Request,
// from this new AMI, the instance automatically launches with those additional
// volumes.
//
// For more information, see Creating Amazon EBS-Backed Linux AMIs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)
// For more information, see Create an Amazon EBS-backed Linux AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html)
// in the Amazon Elastic Compute Cloud User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -45667,7 +45667,7 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ
//
// Registers an AMI. When you're creating an AMI, this is the final step you
// must complete before you can launch an instance from the AMI. For more information
// about creating AMIs, see Creating your own AMIs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami.html)
// about creating AMIs, see Create your own AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami.html)
// in the Amazon Elastic Compute Cloud User Guide.
//
// For Amazon EBS-backed instances, CreateImage creates and registers the AMI
@ -45716,7 +45716,7 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ
// a Reserved Instance without the matching billing product code, the Reserved
// Instance will not be applied to the On-Demand Instance. For information about
// how to obtain the platform details and billing information of an AMI, see
// Understanding AMI billing (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
// Understand AMI billing information (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
// in the Amazon Elastic Compute Cloud User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
@ -61643,6 +61643,19 @@ type CopyImageInput struct {
// in the Amazon EC2 API Reference.
ClientToken *string `type:"string"`
// Indicates whether to include your user-defined AMI tags when copying the
// AMI.
//
// The following tags will not be copied:
//
// * System tags (prefixed with aws:)
//
// * For public and shared AMIs, user-defined tags that are attached by other
// Amazon Web Services accounts
//
// Default: Your user-defined AMI tags are not copied.
CopyImageTags *bool `type:"boolean"`
// A description for the new AMI in the destination Region.
Description *string `type:"string"`
@ -61652,8 +61665,8 @@ type CopyImageInput struct {
// You cannot copy an AMI from an Outpost to a Region, from one Outpost to another,
// or within the same Outpost.
//
// For more information, see Copying AMIs from an Amazon Web Services Region
// to an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-amis)
// For more information, see Copy AMIs from an Amazon Web Services Region to
// an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-amis)
// in the Amazon Elastic Compute Cloud User Guide.
DestinationOutpostArn *string `type:"string"`
@ -61667,7 +61680,7 @@ type CopyImageInput struct {
// encrypted. You can encrypt a copy of an unencrypted snapshot, but you cannot
// create an unencrypted copy of an encrypted snapshot. The default KMS key
// for Amazon EBS is used unless you specify a non-default Key Management Service
// (KMS) KMS key using KmsKeyId. For more information, see Amazon EBS Encryption
// (KMS) KMS key using KmsKeyId. For more information, see Amazon EBS encryption
// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)
// in the Amazon Elastic Compute Cloud User Guide.
Encrypted *bool `locationName:"encrypted" type:"boolean"`
@ -61755,6 +61768,12 @@ func (s *CopyImageInput) SetClientToken(v string) *CopyImageInput {
return s
}
// SetCopyImageTags sets the CopyImageTags field's value.
func (s *CopyImageInput) SetCopyImageTags(v bool) *CopyImageInput {
s.CopyImageTags = &v
return s
}
// SetDescription sets the Description field's value.
func (s *CopyImageInput) SetDescription(v string) *CopyImageInput {
s.Description = &v
@ -64469,10 +64488,12 @@ type CreateFlowLogsInput struct {
LogDestinationType *string `type:"string" enum:"LogDestinationType"`
// The fields to include in the flow log record. List the fields in the order
// in which they should appear. For more information about the available fields,
// see Flow log records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records).
// If you omit this parameter, the flow log is created using the default format.
// If you specify this parameter, you must include at least one field.
// in which they should appear. If you omit this parameter, the flow log is
// created using the default format. If you specify this parameter, you must
// include at least one field. For more information about the available fields,
// see Flow log records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records)
// in the Amazon VPC User Guide or Transit Gateway Flow Log records (https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html#flow-log-records)
// in the Amazon Web Services Transit Gateway Guide.
//
// Specify the fields using the ${field-id} format, separated by spaces. For
// the CLI, surround this parameter value with single quotes on Linux or double
@ -64486,8 +64507,9 @@ type CreateFlowLogsInput struct {
LogGroupName *string `type:"string"`
// The maximum interval of time during which a flow of packets is captured and
// aggregated into a flow log record. You can specify 60 seconds (1 minute)
// or 600 seconds (10 minutes).
// aggregated into a flow log record. The possible values are 60 seconds (1
// minute) or 600 seconds (10 minutes). This parameter must be 60 seconds for
// transit gateway resource types.
//
// When a network interface is attached to a Nitro-based instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances),
// the aggregation interval is always 60 seconds or less, regardless of the
@ -64499,7 +64521,8 @@ type CreateFlowLogsInput struct {
// The IDs of the resources to monitor. For example, if the resource type is
// VPC, specify the IDs of the VPCs.
//
// Constraints: Maximum of 1000 resources
// Constraints: Maximum of 25 for transit gateway resource types. Maximum of
// 1000 for the other resource types.
//
// ResourceIds is a required field
ResourceIds []*string `locationName:"ResourceId" locationNameList:"item" type:"list" required:"true"`
@ -64513,7 +64536,8 @@ type CreateFlowLogsInput struct {
TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"`
// The type of traffic to monitor (accepted traffic, rejected traffic, or all
// traffic).
// traffic). This parameter is not supported for transit gateway resource types.
// It is required for the other resource types.
TrafficType *string `type:"string" enum:"TrafficType"`
}
@ -66941,6 +66965,10 @@ type CreateNatGatewayInput struct {
// it is UnauthorizedOperation.
DryRun *bool `type:"boolean"`
// The private IPv4 address to assign to the NAT gateway. If you don't provide
// an address, a private IPv4 address will be automatically assigned.
PrivateIpAddress *string `type:"string"`
// The subnet in which to create the NAT gateway.
//
// SubnetId is a required field
@ -67005,6 +67033,12 @@ func (s *CreateNatGatewayInput) SetDryRun(v bool) *CreateNatGatewayInput {
return s
}
// SetPrivateIpAddress sets the PrivateIpAddress field's value.
func (s *CreateNatGatewayInput) SetPrivateIpAddress(v string) *CreateNatGatewayInput {
s.PrivateIpAddress = &v
return s
}
// SetSubnetId sets the SubnetId field's value.
func (s *CreateNatGatewayInput) SetSubnetId(v string) *CreateNatGatewayInput {
s.SubnetId = &v
@ -86448,7 +86482,7 @@ type DescribeImagesInput struct {
// * owner-id - The Amazon Web Services account ID of the owner. We recommend
// that you use the Owner request parameter instead of this filter.
//
// * platform - The platform. To only list Windows-based AMIs, use windows.
// * platform - The platform. The only supported value is windows.
//
// * product-code - The product code.
//
@ -116104,7 +116138,7 @@ type Image struct {
Platform *string `locationName:"platform" type:"string" enum:"PlatformValues"`
// The platform details associated with the billing code of the AMI. For more
// information, see Understanding AMI billing (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
// information, see Understand AMI billing information (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-billing-info.html)
// in the Amazon Elastic Compute Cloud User Guide.
PlatformDetails *string `locationName:"platformDetails" type:"string"`
@ -126900,6 +126934,10 @@ type LaunchTemplatePlacement struct {
// The Availability Zone of the instance.
AvailabilityZone *string `locationName:"availabilityZone" type:"string"`
// The Group ID of the placement group. You must specify the Placement Group
// Group ID to launch an instance in a shared placement group.
GroupId *string `locationName:"groupId" type:"string"`
// The name of the placement group for the instance.
GroupName *string `locationName:"groupName" type:"string"`
@ -126951,6 +126989,12 @@ func (s *LaunchTemplatePlacement) SetAvailabilityZone(v string) *LaunchTemplateP
return s
}
// SetGroupId sets the GroupId field's value.
func (s *LaunchTemplatePlacement) SetGroupId(v string) *LaunchTemplatePlacement {
s.GroupId = &v
return s
}
// SetGroupName sets the GroupName field's value.
func (s *LaunchTemplatePlacement) SetGroupName(v string) *LaunchTemplatePlacement {
s.GroupName = &v
@ -126997,6 +127041,10 @@ type LaunchTemplatePlacementRequest struct {
// The Availability Zone for the instance.
AvailabilityZone *string `type:"string"`
// The Group Id of a placement group. You must specify the Placement Group Group
// Id to launch an instance in a shared placement group.
GroupId *string `type:"string"`
// The name of the placement group for the instance.
GroupName *string `type:"string"`
@ -127050,6 +127098,12 @@ func (s *LaunchTemplatePlacementRequest) SetAvailabilityZone(v string) *LaunchTe
return s
}
// SetGroupId sets the GroupId field's value.
func (s *LaunchTemplatePlacementRequest) SetGroupId(v string) *LaunchTemplatePlacementRequest {
s.GroupId = &v
return s
}
// SetGroupName sets the GroupName field's value.
func (s *LaunchTemplatePlacementRequest) SetGroupName(v string) *LaunchTemplatePlacementRequest {
s.GroupName = &v
@ -131904,6 +131958,10 @@ type ModifyInstancePlacementInput struct {
// The affinity setting for the instance.
Affinity *string `locationName:"affinity" type:"string" enum:"Affinity"`
// The Group Id of a placement group. You must specify the Placement Group Group
// Id to launch an instance in a shared placement group.
GroupId *string `type:"string"`
// The name of the placement group in which to place the instance. For spread
// placement groups, the instance must have a tenancy of default. For cluster
// and partition placement groups, the instance must have a tenancy of default
@ -131972,6 +132030,12 @@ func (s *ModifyInstancePlacementInput) SetAffinity(v string) *ModifyInstancePlac
return s
}
// SetGroupId sets the GroupId field's value.
func (s *ModifyInstancePlacementInput) SetGroupId(v string) *ModifyInstancePlacementInput {
s.GroupId = &v
return s
}
// SetGroupName sets the GroupName field's value.
func (s *ModifyInstancePlacementInput) SetGroupName(v string) *ModifyInstancePlacementInput {
s.GroupName = &v
@ -140792,6 +140856,9 @@ type Placement struct {
// This parameter is not supported by CreateFleet (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateFleet).
AvailabilityZone *string `locationName:"availabilityZone" type:"string"`
// The Group Id of the placement group.
GroupId *string `locationName:"groupId" type:"string"`
// The name of the placement group the instance is in.
GroupName *string `locationName:"groupName" type:"string"`
@ -140862,6 +140929,12 @@ func (s *Placement) SetAvailabilityZone(v string) *Placement {
return s
}
// SetGroupId sets the GroupId field's value.
func (s *Placement) SetGroupId(v string) *Placement {
s.GroupId = &v
return s
}
// SetGroupName sets the GroupName field's value.
func (s *Placement) SetGroupName(v string) *Placement {
s.GroupName = &v
@ -151365,8 +151438,8 @@ type S3Storage struct {
_ struct{} `type:"structure"`
// The access key ID of the owner of the bucket. Before you specify a value
// for your access key ID, review and follow the guidance in Best Practices
// for Managing Amazon Web Services Access Keys (https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html).
// for your access key ID, review and follow the guidance in Best practices
// for managing Amazon Web Services access keys (https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html).
AWSAccessKeyId *string `type:"string"`
// The bucket in which to store the AMI. You can specify a bucket that you already
@ -167219,6 +167292,9 @@ const (
// AllocationStrategyCapacityOptimizedPrioritized is a AllocationStrategy enum value
AllocationStrategyCapacityOptimizedPrioritized = "capacityOptimizedPrioritized"
// AllocationStrategyPriceCapacityOptimized is a AllocationStrategy enum value
AllocationStrategyPriceCapacityOptimized = "priceCapacityOptimized"
)
// AllocationStrategy_Values returns all elements of the AllocationStrategy enum
@ -167228,6 +167304,7 @@ func AllocationStrategy_Values() []string {
AllocationStrategyDiversified,
AllocationStrategyCapacityOptimized,
AllocationStrategyCapacityOptimizedPrioritized,
AllocationStrategyPriceCapacityOptimized,
}
}
@ -167307,6 +167384,9 @@ const (
// ArchitectureTypeX8664Mac is a ArchitectureType enum value
ArchitectureTypeX8664Mac = "x86_64_mac"
// ArchitectureTypeArm64Mac is a ArchitectureType enum value
ArchitectureTypeArm64Mac = "arm64_mac"
)
// ArchitectureType_Values returns all elements of the ArchitectureType enum
@ -167316,6 +167396,7 @@ func ArchitectureType_Values() []string {
ArchitectureTypeX8664,
ArchitectureTypeArm64,
ArchitectureTypeX8664Mac,
ArchitectureTypeArm64Mac,
}
}
@ -167331,6 +167412,9 @@ const (
// ArchitectureValuesX8664Mac is a ArchitectureValues enum value
ArchitectureValuesX8664Mac = "x86_64_mac"
// ArchitectureValuesArm64Mac is a ArchitectureValues enum value
ArchitectureValuesArm64Mac = "arm64_mac"
)
// ArchitectureValues_Values returns all elements of the ArchitectureValues enum
@ -167340,6 +167424,7 @@ func ArchitectureValues_Values() []string {
ArchitectureValuesX8664,
ArchitectureValuesArm64,
ArchitectureValuesX8664Mac,
ArchitectureValuesArm64Mac,
}
}
@ -171410,6 +171495,18 @@ const (
// InstanceTypeU3tb156xlarge is a InstanceType enum value
InstanceTypeU3tb156xlarge = "u-3tb1.56xlarge"
// InstanceTypeU18tb1112xlarge is a InstanceType enum value
InstanceTypeU18tb1112xlarge = "u-18tb1.112xlarge"
// InstanceTypeU24tb1112xlarge is a InstanceType enum value
InstanceTypeU24tb1112xlarge = "u-24tb1.112xlarge"
// InstanceTypeTrn12xlarge is a InstanceType enum value
InstanceTypeTrn12xlarge = "trn1.2xlarge"
// InstanceTypeTrn132xlarge is a InstanceType enum value
InstanceTypeTrn132xlarge = "trn1.32xlarge"
)
// InstanceType_Values returns all elements of the InstanceType enum
@ -171984,6 +172081,10 @@ func InstanceType_Values() []string {
InstanceTypeR6aMetal,
InstanceTypeP4de24xlarge,
InstanceTypeU3tb156xlarge,
InstanceTypeU18tb1112xlarge,
InstanceTypeU24tb1112xlarge,
InstanceTypeTrn12xlarge,
InstanceTypeTrn132xlarge,
}
}
@ -174267,6 +174368,9 @@ const (
// SpotAllocationStrategyCapacityOptimizedPrioritized is a SpotAllocationStrategy enum value
SpotAllocationStrategyCapacityOptimizedPrioritized = "capacity-optimized-prioritized"
// SpotAllocationStrategyPriceCapacityOptimized is a SpotAllocationStrategy enum value
SpotAllocationStrategyPriceCapacityOptimized = "price-capacity-optimized"
)
// SpotAllocationStrategy_Values returns all elements of the SpotAllocationStrategy enum
@ -174276,6 +174380,7 @@ func SpotAllocationStrategy_Values() []string {
SpotAllocationStrategyDiversified,
SpotAllocationStrategyCapacityOptimized,
SpotAllocationStrategyCapacityOptimizedPrioritized,
SpotAllocationStrategyPriceCapacityOptimized,
}
}

213
vendor/github.com/aws/aws-sdk-go/service/sts/api.go generated vendored
View File

@ -74,16 +74,16 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plaintext that you use for both inline
// and managed session policies can't exceed 2,048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// Amazon Web Services API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that
// you use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent Amazon Web Services API calls to access resources in the account
// that owns the role. You cannot use session policies to grant more permissions
// than those allowed by the identity-based policy of the role that is being
// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// When you create a role, you create two policies: A role trust policy that
@ -307,16 +307,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plaintext that you use for both inline
// and managed session policies can't exceed 2,048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// Amazon Web Services API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that
// you use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent Amazon Web Services API calls to access resources in the account
// that owns the role. You cannot use session policies to grant more permissions
// than those allowed by the identity-based policy of the role that is being
// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
@ -343,11 +343,12 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// You can pass a session tag with the same key as a tag that is attached to
// the role. When you do, session tags override the role's tags with the same
@ -563,16 +564,16 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plaintext that you use for both inline
// and managed session policies can't exceed 2,048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// Amazon Web Services API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that
// you use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent Amazon Web Services API calls to access resources in the account
// that owns the role. You cannot use session policies to grant more permissions
// than those allowed by the identity-based policy of the role that is being
// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// # Tags
@ -588,11 +589,12 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// You can pass a session tag with the same key as a tag that is attached to
// the role. When you do, the session tag overrides the role tag with the same
@ -1110,9 +1112,9 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
//
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plaintext that you use for both inline
// and managed session policies can't exceed 2,048 characters.
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that
// you use for both inline and managed session policies can't exceed 2,048 characters.
//
// Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. When you pass
@ -1424,11 +1426,12 @@ type AssumeRoleInput struct {
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
Policy *string `min:"1" type:"string"`
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@ -1441,11 +1444,12 @@ type AssumeRoleInput struct {
// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
@ -1520,11 +1524,12 @@ type AssumeRoleInput struct {
// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// You can pass a session tag with the same key as a tag that is already attached
// to the role. When you do, session tags override a role tag with the same
@ -1843,11 +1848,12 @@ type AssumeRoleWithSAMLInput struct {
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
Policy *string `min:"1" type:"string"`
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@ -1860,11 +1866,12 @@ type AssumeRoleWithSAMLInput struct {
// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
@ -2190,11 +2197,12 @@ type AssumeRoleWithWebIdentityInput struct {
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
Policy *string `min:"1" type:"string"`
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@ -2207,11 +2215,12 @@ type AssumeRoleWithWebIdentityInput struct {
// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
@ -2934,8 +2943,8 @@ type GetFederationTokenInput struct {
//
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies.
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies.
//
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions.
@ -2960,11 +2969,12 @@ type GetFederationTokenInput struct {
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
Policy *string `min:"1" type:"string"`
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
@ -2973,11 +2983,12 @@ type GetFederationTokenInput struct {
//
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plaintext that you use for both inline
// and managed session policies can't exceed 2,048 characters. You can provide
// up to 10 managed policy ARNs. For more information about ARNs, see Amazon
// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that
// you use for both inline and managed session policies can't exceed 2,048 characters.
// You can provide up to 10 managed policy ARNs. For more information about
// ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference.
//
// This parameter is optional. However, if you do not pass any session policies,
@ -2997,11 +3008,12 @@ type GetFederationTokenInput struct {
// by the policy. These permissions are granted in addition to the permissions
// that are granted by the session policies.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
PolicyArns []*PolicyDescriptorType `type:"list"`
// A list of session tags. Each session tag consists of a key name and an associated
@ -3015,11 +3027,12 @@ type GetFederationTokenInput struct {
// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed session policies
// and session tags into a packed binary format that has a separate limit. Your
// request can fail for this limit even if your plaintext meets the other requirements.
// The PackedPolicySize response element indicates by percentage how close the
// policies and tags for your request are to the upper size limit.
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has
// a separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the
// upper size limit.
//
// You can pass a session tag with the same key as a tag that is already attached
// to the user you are federating. When you do, session tags override a user

4
vendor/github.com/aws/smithy-go/CHANGELOG.md generated vendored
View File

@ -1,3 +1,7 @@
# Release (2022-12-02)
* No change notes available for this release.
# Release (2022-10-24)
## Module Highlights

2
vendor/github.com/aws/smithy-go/README.md generated vendored
View File

@ -2,7 +2,7 @@
[![Go Build Status](https://github.com/aws/smithy-go/actions/workflows/go.yml/badge.svg?branch=main)](https://github.com/aws/smithy-go/actions/workflows/go.yml)[![Codegen Build Status](https://github.com/aws/smithy-go/actions/workflows/codegen.yml/badge.svg?branch=main)](https://github.com/aws/smithy-go/actions/workflows/codegen.yml)
Smithy code generators for Go.
[Smithy](https://smithy.io/) code generators for Go.
**WARNING: All interfaces are subject to change.**

2
vendor/github.com/aws/smithy-go/encoding/xml/doc.go generated vendored
View File

@ -2,7 +2,7 @@
Package xml holds the XMl encoder utility. This utility is written in accordance to our design to delegate to
shape serializer function in which a xml.Value will be passed around.
Resources followed: https://awslabs.github.io/smithy/1.0/spec/core/xml-traits.html#
Resources followed: https://smithy.io/2.0/spec/protocol-traits.html#xml-bindings
Member Element

2
vendor/github.com/aws/smithy-go/go_module_metadata.go generated vendored
View File

@ -3,4 +3,4 @@
package smithy
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.13.4"
const goModuleVersion = "1.13.5"

Some files were not shown because too many files have changed in this diff Show More