Commit Graph

2912 Commits

Author SHA1 Message Date
Silvan Loser
059969b10b helm: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
(cherry picked from commit 06c4477ff9)
2022-04-26 10:02:04 +00:00
Madhu Rajanna
41728c2465 revert: "deploy: change image versions to v3.6.1"
This reverts commit 2032a84c68.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 16:05:51 +00:00
Madhu Rajanna
0932a4b6be revert: "helm: update image tag for release 3.6.1"
This reverts commit 1bd6297ecb.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 16:05:51 +00:00
Madhu Rajanna
1bd6297ecb helm: update image tag for release 3.6.1
This commit change the required image tag to
v3.6.1 instead of v3.6-canary for v3.6.1 release

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 13:41:39 +00:00
Madhu Rajanna
2032a84c68 deploy: change image versions to v3.6.1
This commit change the required image tag to
v3.6.1 instead of v3.6-canary for v3.6.1 release

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 13:41:39 +00:00
Madhu Rajanna
eae4ff7fd3 doc: update doc for 3.6.1 release
updated doc for 3.6.1 release, this will
be backported to release-v3.6 branch and
we will make deployment changes and do release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 5e1a074ea3)
2022-04-22 09:35:29 +00:00
Madhu Rajanna
c83a281857 cephfs: add netNamespaceFilePath for CephFS
as same host directory is not shared between
the cephfs and the rbd plugin pod. we need
to keep the netNamespaceFilePath separately
for both cephfs and rbd. CephFS plugin will
use this path to execute mount -t commands.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit d2bc9743f7)
2022-04-19 16:33:59 +00:00
Madhu Rajanna
a901997542 cleanup: use block comment for ClusterInfo example
Adjusted the mix of tabs and the spaces and also
used block comment for better readability.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit eb4bfb7326)
2022-04-19 16:33:59 +00:00
Madhu Rajanna
f8a19c8cbb rbd: move radosNamespace to RBD section
As radosNamespace is more specific to
RBD not the general ceph configuration. Now
we introduced a new RBD section for RBD specific
options, Moving the radosNamespace to RBD section
and keeping the radosNamespace still under the
global ceph level configration for backward
compatibility.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit b4acbd08a5)
2022-04-19 16:33:59 +00:00
Madhu Rajanna
76398d6887 util: Add RBD specific options in clusterInfo
As the netNamespaceFilePath can be separate for
both cephfs and rbd adding the netNamespaceFilePath
path for RBD, This will help us to keep RBD and
CephFS specific options separately.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 766346868e)
2022-04-19 16:33:59 +00:00
Niels de Vos
61ca06148e nfs: return gRPC status from CephFS CreateVolume failure
The NFS Controller returns a non-gRPC error in case the CreateVolume
call for the CephFS volume fails. It is better to return the gRPC-error
that the CephFS Controller passed along.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 2b71aac752)
2022-04-19 10:41:27 +00:00
Niels de Vos
6e0e6df2db rebase: use go-ceph version with NFS-Admin API
The NFS-Admin API has been added to go-ceph v0.15.0. As the API can not
be tested in the go-ceph CI, it requires build-tag `ceph_ci_untested`.
This additional build-tag has been added to the `Makefile` and should be
removed when the API does not require the build-tag anymore.

See-also: ceph/go-ceph#655
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 282c33cb58)
2022-04-15 13:13:31 +00:00
Niels de Vos
3ce0e1fa50 nfs: use go-ceph API for creating/deleting exports
Recent versions of Ceph allow calling the NFS-export management
functions over the go-ceph API.

This seems incompatible with older versions that have been tested with
the `ceph nfs` commands that this commit replaces.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 28369702d2)
2022-04-15 13:13:31 +00:00
Madhu Rajanna
e61012da14 rbd: use leases for leader election
use leases for leader election instead
of the deprecated configmap based leader
election.

This PR is making leases as default leader election
refer https://github.com/kubernetes-sigs/
controller-runtime/pull/1773, default from configmap
to configmap leases was done with
https://github.com/kubernetes-sigs/
controller-runtime/pull/1144.

Release notes https://github.com/kubernetes-sigs/
controller-runtime/releases/tag/v0.7.0

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit d886ab0d66)
2022-04-15 10:24:19 +00:00
Madhu Rajanna
ebf2677b30 util: fix logging in ExecuteCommandWithNSEnter
log the nsenter and its argument after executing
the command with the nsenter CLI.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit c245436ec4)
2022-04-14 16:33:49 +00:00
Madhu Rajanna
3521465e60 rbd: check nbd tool features only for rbd driver
calling setRbdNbdToolFeatures inside an init
gets called in main.go for both cephfs and rbd
driver. instead of calling it in init function
calling this in rbd driver.go as this is specific
to rbd.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit dffb6e72c2)
2022-04-14 09:17:45 +00:00
Rakshith R
9245b58a9f nfs: add provisioner & plugin sa to scc.yaml
This commit adds nfs provisioner & plugin sa to
scc.yaml to be used with openshift.

Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 784b086ea5)
2022-04-13 13:23:48 +00:00
Madhu Rajanna
db1b1dd6ec rbd: consider remote image health for primary
To consider the image is healthy during the Promote
operation currently we are checking only the image
state on the primary site. If the network is flaky
or the remote site is down the image health is
not as expected. To make sure the image is healthy
across the clusters check the state on both local
and the remote clusters.

some details:
https://bugzilla.redhat.com/show_bug.cgi?id=2014495

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 64a9b1fa59)
2022-04-13 10:57:40 +00:00
Madhu Rajanna
3161a6b060 util: add support for the nsenter
add support to run rbd map and mount -t
commands with the nsenter.

complete design of pod/multus network
is added here https://github.com/rook/rook/
blob/master/design/ceph/multus-network.md#csi-pods

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 7b2aef0d81)
2022-04-08 14:44:20 +00:00
Humble Chirammal
2790daac39 deploy: update deployment templates to point to 3.6-canary images
This commit revert the deployment templates in release 3.6 branch
to canary.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-06 04:55:57 +00:00
Humble Chirammal
eff3e9a237 helm: update image tag for release 3.6 instead of canary
This commit change the image tag for release v3.6 instead of
canary.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-05 14:25:09 +00:00
Humble Chirammal
85670bad1f deploy: change image versions to v3.6.0 instead of canary
This commit change the required image tag to release 3.6 instead
of canary for v3.6 release

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-05 14:25:09 +00:00
Humble Chirammal
bd3db134b9 build: consume quincy release of Ceph
This promotes the ceph release to Quincy

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-05 02:37:28 +00:00
Humble Chirammal
32ecbdeb71 doc: update documentation for release 3.6.0
This commit add upgrade documentation for release 3.6.0
and also update support matrix for v3.6.0.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-04 13:29:08 +00:00
Niels de Vos
682840476f build: ignore generated go-tags file
The `scripts/golangci.yml.buildtags.in` file is generated from the
`Makefile`, there is no need to include it in the repository. By adding
the file to the `.gitignore` list, the output of `git status` will not
show the file anymore.

Fixes: 8fb5739f2
    "build: more flexible handling of go build tags; added ceph_preview"
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-04 12:59:12 +00:00
Prasanna Kumar Kalever
d760d0ab6d rbd: check for cookie support from kernel
Currently we only check if the rbd-nbd tool supports cookie feature.
This change will also defend cookie addition based on kernel version

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-04-04 09:51:13 +00:00
Niels de Vos
804e2715d8 deploy: add deployment artifacts for NFS support
These deployment files are heavily based on the CephFS deployment.

Deploying an environment with these files work for me in minikube. This
should make it possible to add e2e testing as well.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-01 10:37:41 +00:00
Niels de Vos
591cd694ab doc: mark NFS support Alpha state
There is currently no e2e testing, unit-tests or Helm Chart for NFS
support. Until the functionality is confirmed to be working on a regular
basis, support for NFS provisioner volume will be Alpha.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-31 14:16:44 +00:00
Madhu Rajanna
f8bbd2f60f cephfs: fix omap deletion in DeleteSnapshot
The omap is stored with the requested
snapshot name not with the subvolume
snapshotname. This fix uses the correct
snapshot request name to cleanup the omap
once the subvolume snapshot is deleted.

fixes: #2974

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-03-31 13:46:03 +00:00
Niels de Vos
1da19680b4 nfs: support new and old NFS-management commands
The `ceph nfs export ...` commands have changed in recent Ceph releases.
Use the most recent command as a default, fall back to the older command
when an error is reported.

This shoud make the NFS-provisioner work on any current Ceph version.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-31 11:28:40 +00:00
Madhu Rajanna
f90408be4d rbd: increase force promote timeout to 2 minutes
Increase the timeout to 2 minutes to give enough time
for rollback to complete.
As rollback is performed by the force-promote command it,
at times, may take more than a minute
(based on dirty blocks that need to be rolled
back approximately) to rollback.

The added extra 1 minute is useful though to avoid
multiple calls to complete the rollback and in
extremely corner cases to avoid failures in the
first instance of the call when the mirror watcher
is not yet removed (post scaling down the
RBD mirror instance)

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-03-30 13:46:27 +00:00
dependabot[bot]
e45c70b84f rebase: bump google.golang.org/protobuf from 1.27.1 to 1.28.0
Bumps [google.golang.org/protobuf](https://github.com/protocolbuffers/protobuf-go) from 1.27.1 to 1.28.0.
- [Release notes](https://github.com/protocolbuffers/protobuf-go/releases)
- [Changelog](https://github.com/protocolbuffers/protobuf-go/blob/master/release.bash)
- [Commits](https://github.com/protocolbuffers/protobuf-go/compare/v1.27.1...v1.28.0)

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-30 11:17:14 +00:00
Thibaut Blanchard
e874c9c11b rbd: fix topology snapshot pool
Restoring a snapshot with a new PVC results with a wrong
dataPoolName in case of initial volume linked
to a storageClass with topology constraints and erasure coding.

Signed-off-by: Thibaut Blanchard <thibaut.blanchard@gmail.com>
2022-03-30 04:40:30 +00:00
dependabot[bot]
134603540b rebase: bump github.com/onsi/gomega from 1.18.1 to 1.19.0
Bumps [github.com/onsi/gomega](https://github.com/onsi/gomega) from 1.18.1 to 1.19.0.
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.18.1...v1.19.0)

---
updated-dependencies:
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-29 12:07:17 +00:00
dependabot[bot]
4652b8facf rebase: bump github.com/hashicorp/vault/api from 1.4.1 to 1.5.0
Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-29 04:06:00 +00:00
Niels de Vos
190504713a doc: initial/partial instructions for using NFS examples
The README explains some of the requirements and basic configuration for
using the NFS-provisioner. When more deployment artifacts are added, the
README will get extended.

The Rook CephNFS example is included, as it is the easiest to get
started with dynamic provisioning of NFS-volumes.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:58:42 +00:00
Niels de Vos
b72774f9e9 doc: example for PVC and Pod using a NFS-volume
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:58:42 +00:00
Niels de Vos
2743510009 doc: example of StorageClass for NFS-provisioning
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:58:42 +00:00
Niels de Vos
885295fcc9 nfs: store the NFS-cluster name in the journal
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
3b4d193ca8 journal: add StoreAttribute/FetchAttribute
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
010fd816dd nfs: store the calling Context in NFSVolume
NFSVolume instances are short lived, they only extist for a certain gRPC
procedure. It is easier to store the calling Context in the NFSVolume
struct, than to pass it to some of the functions that require it.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
3d0c4e0659 nfs: enable NFS-provisioner with --type=nfs
Deployments can use --type=nfs to deploy the NFS Controller Server
(provisioner).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
6d83df9cc9 nfs: add basic provisioner with create/delete procedures
These NFS Controller and Identity servers are the base for the new
provisioner. The functionality is currently extremely limited, follow-up
PRs will implement various CSI procedures.

CreateVolume is implemented with the bare minimum. This makes it
possible to create a volume, and mount it with the
kubernetes-csi/csi-driver-nfs NodePlugin.

DeleteVolume unexports the volume from the Ceph managed NFS-Ganesha
service. In case the Ceph cluster provides multiple NFS-Ganesha
deployments, things might not work as expected. This is going to be
addressed in follow-up improvements.

Lots of TODO comments need to be resolved before this can be declared
"production ready". Unit- and e2e-tests are missing as well.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
87f87141be deploy: add CSIDriver for NFS
The API is extended for generation of the NFS CSIDriver object. The
YAML file under deploy/ was created by `yamlgen`.

The contents of the csidriver.yaml file is heavily based on the upstream
CSIDriver from the Kubernetes csi-driver-nfs project.

Because ./tools/yamlgen uses the API, it gets copied under vendor/ .
This causes two copies of the API to be included in the repository, but
that can not be prevented, it seems.

See-also: https://github.com/kubernetes-csi/csi-driver-nfs/blob/master/deploy/csi-nfs-driverinfo.yaml
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
984119b30d ci: add "nfs" as allowed commit prefix
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Niels de Vos
4dc1d36218 cleanup: reduce complexity of main()
Move the printing of the version and other information to its own
function. This reduces the complexity enough so that golang-ci does not
complain about it anymore.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-03-28 11:23:17 +00:00
Humble Chirammal
16abbbc846 build: remove cache while building container image
Reduce size of the container image by removing the cache in deploy
and devel container.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-03-28 06:09:27 +00:00
Robert Vasek
f6ae612003 util: added reference tracker
RT, reference tracker, is key-based implementation of a reference counter.
Unlike an integer-based counter, RT counts references by tracking unique
keys. This allows accounting in situations where idempotency must be
preserved. It guarantees there will be no duplicit increments or decrements
of the counter.

Signed-off-by: Robert Vasek <robert.vasek@cern.ch>
2022-03-27 19:24:26 +00:00
Robert Vasek
8fb5739f21 build: more flexible handling of go build tags; added ceph_preview
ceph_preview tag is needed to make new go-ceph's RADOS read/write ops available

Signed-off-by: Robert Vasek <robert.vasek@cern.ch>
2022-03-27 19:24:26 +00:00
Humble Chirammal
afeae03069 ci: fetch sidecar versions from build.env and use it
The sidecar images in minikube deployment will be fetched from
build.env and used/validated accordingly.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-03-24 14:09:13 +00:00