Commit Graph

170 Commits

Author SHA1 Message Date
Madhu Rajanna
2032a84c68 deploy: change image versions to v3.6.1
This commit change the required image tag to
v3.6.1 instead of v3.6-canary for v3.6.1 release

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 13:41:39 +00:00
Humble Chirammal
2790daac39 deploy: update deployment templates to point to 3.6-canary images
This commit revert the deployment templates in release 3.6 branch
to canary.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-06 04:55:57 +00:00
Humble Chirammal
eff3e9a237 helm: update image tag for release 3.6 instead of canary
This commit change the image tag for release v3.6 instead of
canary.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-05 14:25:09 +00:00
Humble Chirammal
85670bad1f deploy: change image versions to v3.6.0 instead of canary
This commit change the required image tag to release 3.6 instead
of canary for v3.6 release

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-05 14:25:09 +00:00
Rakshith R
40de75e0db rbd: modify oidc token file path according to FHS 3.0
OIDC token file path has been modified from
`/var/run/secrets/token` to `/run/secrets/tokens`.
This has been done to ensure compliance with
FHS 3.0.

refer:
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-23 13:29:35 +00:00
Rakshith R
4f0bb2315b rbd: add aws-sts-metdata encryption type
With Amazon STS and kubernetes cluster is configured with
OIDC identity provider, credentials to access Amazon KMS
can be fetched using oidc-token(serviceaccount token).
Each tenant/namespace needs to create a secret with aws region,
role and CMK ARN.
Ceph-CSI will assume the given role with oidc token and access
aws KMS, with given CMK to encrypt/decrypt DEK which will stored
in the image metdata.

Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
Resolves: #2879

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-16 07:29:56 +00:00
Humble Chirammal
de2489ed7d deploy: update csi-snapshotter sidecar to v5.0.1
This release of snapshotter has a breaking change as mentioned
in the release note:

Refer#
[1]: https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v5.0.0

RBAC rules are also updated with this commit.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-02-03 19:01:57 +00:00
Madhu Rajanna
3a445cfc36 deploy: update resizer to 1.4.0
updating external resizer image version
from 1.3.0 to latest available release i.e
1.4.0

1.4.0 changelog link
https://github.com/kubernetes-csi/
external-resizer/blob/master/CHANGELOG/CHANGELOG-1.4.md

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-01-26 15:22:24 +00:00
Humble Chirammal
0078e5c8e7 deploy: update node driver registrar container to v2.4.0
This commit updates the node driver registrar container to latest
version.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-01-14 17:24:49 +05:30
Humble Chirammal
0ab717f06f deploy: update csi-attacher to v3.4.0
This commit update the csi-attacher sidecar version to v3.4.0

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-01-14 17:24:49 +05:30
Humble Chirammal
ea8e360888 deploy: update sidecars to latest versions.
This commit updates sidecars to the latest available version
which is compatible with kubernetes 1.23 and csi spec 1.5

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-01-14 17:24:49 +05:30
Niels de Vos
ee2e97b62d deploy: add CSI-Addons endpoint
Deployments place all sockets for communicating with CSI components in
the shared `/csi` directory. The CSI-Addons socket was introduced
recently, but not configured to be in the same location (by default
placed in `/tmp`).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-12-22 13:21:59 +00:00
Niels de Vos
cff0e04e3c build: remove unneeded empty YAML document from deployment artifacts
The generated files under the deploy/ directory contain an empty YAML
document that may cause confusion for some versions of kubectl. Dropping
the unneeded `---` start of the file for the header should make parsing
of the deployment artifacts a little less error prone.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-10-15 16:08:59 +00:00
Niels de Vos
c443320126 deploy: move rbd/ceph-csi-config ConfigMap to API
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-10-15 16:08:59 +00:00
Niels de Vos
584d43a132 deploy: move rbd/CSIDriver to API
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-10-15 16:08:59 +00:00
Madhu Rajanna
7fc1bf1321 deploy: remove extra volumes from rbd plugin PSP
removed extra volume permissions from the rbd
nodeplugin PSP.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Madhu Rajanna
9e88fd1eb7 deploy: reduce the PSP permission for rbd deployment
rbd deployment doesnot need extra permission like
privileged,Capabilities and remove unwanted volumes.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Madhu Rajanna
e5569f0547 deploy: remove securityContext from rbd provisioner
we dont need securityContext for the rbd provisioner
pod as its not doing any special operations like map
,unmap selinux etc.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Madhu Rajanna
cc6c51395e deploy: update templates for ceph.conf
updated cephfs and rbd templates to mount
the ceph.conf configmap.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-03 14:14:43 +00:00
Prasanna Kumar Kalever
0be7024726 rbd: provide host-path for rbd-nbd logging
Problem:
--------
1. rbd-nbd by default logs to /var/log/ceph/ceph-client.admin.log,
Unfortunately, container doesn't have /var/log/ceph directory hence
rbd-nbd is not logging now.
2. Rbd-nbd logs are not persistent across nodeplugin restarts.

Solution:
--------
Provide a host path so that log directory is made available, and the
logs persist on the hostnode across container restarts.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-08-24 07:15:30 +00:00
Humble Chirammal
763387c8e2 rebase: update external-resizer to v1.3.0 release
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-08-18 17:05:22 +00:00
Humble Chirammal
68bbd58045 rebase: update sidecars to latest versions
external-provisioner: v2.3.0
external-attacher: v3.3.0
external-snapshotter: v4.2.0
node-driver-registrar: v2.3.0

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-08-17 10:58:52 +00:00
Alexandre Lossent
5cba04c470 cephfs: support selinux mount options
- mount host's /etc/selinux in node plugins
- process mount options in all code paths for cephfs volume options

Signed-off-by: Alexandre Lossent <alexandre.lossent@cern.ch>
2021-08-04 12:59:34 +00:00
rtsp
af1f50ba04 deploy: rbd kubernetes manifests
add ability to deploy ceph-csi-rbd on non-default namespace

Signed-off-by: rtsp <git@rtsp.us>
2021-07-31 03:09:14 +00:00
Thomas Kooi
75b9b9fe6d cleanup: fix beta apiVersion for csidriver
This change resolves a typo for installing the CSIDriver
resource in Kubernetes clusters before 1.18,
where the apiVersion is incorrect.

See also:
https://kubernetes-csi.github.io/docs/csi-driver-object.html

[ndevos: replace v1betav1 in examples with v1beta1]
Signed-off-by: Thomas Kooi <t.j.kooi@avisi.nl>
2021-07-22 09:12:44 +00:00
Prasanna Kumar Kalever
b6a88dd728 rbd: add volume healer
Problem:
-------
For rbd nbd userspace mounter backends, after a restart of the nodeplugin
all the mounts will start seeing IO errors. This is because, for rbd-nbd
backends there will be a userspace mount daemon running per volume, post
restart of the nodeplugin pod, there is no way to restore the daemons
back to life.

Solution:
--------
The volume healer is a one-time activity that is triggered at the startup
time of the rbd nodeplugin. It navigates through the list of volume
attachments on the node and acts accordingly.

For now, it is limited to nbd type storage only, but it is flexible and
can be extended in the future for other backend types as needed.

From a few feets above:
This solves a severe problem for nbd backed csi volumes. The healer while
going through the list of volume attachments on the node, if finds the
volume is in attached state and is of type nbd, then it will attempt to
fix the rbd-nbd volumes by sending a NodeStageVolume request with the
required volume attributes like secrets, device name, image attributes,
and etc.. which will finally help start the required rbd-nbd daemons in
the nodeplugin csi-rbdplugin container. This will allow reattaching the
backend images with the right nbd device, thus allowing the applications
to perform IO without any interruptions even after a nodeplugin restart.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Prasanna Kumar Kalever
10e4eee481 deploy: add few more cluster-roles for rbd nodeplugin
Nodeplugin needs below cluster roles:
persistentvolumes: get
volumeattachments: list, get

These additional permissions are needed by the volume healer. Volume healer
aims at fixing the volume health issues at the very startup time of the
nodeplugin. As part of its operations, volume healer has to run through
the list of volume attachments and understand details about each
persistentvolume.

The later commits will use these additional cluster roles.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Prasanna Kumar Kalever
874f6629fb rbd: get default plugin path
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Niels de Vos
8662e01d2c deploy: allow RBD components to get ServiceAccounts
The provisioner and node-plugin have the capability to connect to
Hashicorp Vault with a ServiceAccount from the Namespace where the PVC
is created. This requires permissions to read the contents of the
ServiceAccount from an other Namespace than where Ceph-CSI is deployed.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-13 17:16:35 +00:00
Yug
a852e66133 deploy: update node-driver-registrar
update node-driver-registrar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
b19717ef99 deploy: update csi-snapshotter sidecar
update csi-snapshotter sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
77f2db8875 deploy: update csi-resizer sidecar
update csi-resizer sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
fac20a9446 deploy: update csi-attacher sidecar
update csi-attacher sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
cf63be41c8 deploy: update csi-provisioner sidecar
update csi-provisioner sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yati Padia
774e8e4042 util: enable golang profiling
Add support for golang profiling.
Standard tools like go tool pprof and curl
work. example:
$ go tool pprof http://localhost:8080/debug/pprof/profile
$ go tool pprof http://localhost:8080/debug/pprof/heap
$ curl http://localhost:8080/debug/pprof/heap?debug=1

https://golang.org/pkg/net/http/pprof/ contains
more details about the pprof interface.

Fixes: #1699

Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-05-25 10:41:22 +00:00
Humble Chirammal
1b0ebc43d4 deploy: use serviceAccountName instead of serviceAccount in yamls
serviceAccount is the depricated alias for serviceAccountName, so it
is recommended/suggested to use serviceAccountName instead.

For ex. reference:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-04-06 09:00:35 +00:00
Madhu Rajanna
fba6a2d0c3 deploy: add csidriver object for cephfs and rbd
csidriver object can be created on the kubernetes
for below reason.

If a CSI driver creates a CSIDriver object,
Kubernetes users can easily discover the CSI
Drivers installed on their cluster
(simply by issuing kubectl get CSIDriver)

Ref: https://kubernetes-csi.github.io/docs/csi-driver-object.html#what-is-the-csidriver-object

attachRequired is always required to be set to
true to avoid issue on RWO PVC.

more details about it at https://github.com/rook/rook/pull/4332

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-03-31 13:41:35 +00:00
Prasanna Kumar Kalever
ea4489da68 deploy: bump the snapshotter sidecar image version to v4.0.0
use the latest version of csi-snapshotter sidecar image at the
provisioner templates

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-03-15 15:11:01 +00:00
Madhu Rajanna
7835609b06 set priorityclass on provisioner pods
set system-cluster-critical priorityclass on
provisioner pods. the system-cluster-critical is
having lowest priority compared to node-critical.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-19 13:29:09 +00:00
Madhu Rajanna
2190ca922e set priorityclass on plugin pods
set system-node-critical priority on the plugin
pods, as its the highest priority and this need to
be applied on plugin pods as its critical for
storage in cluster.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-19 13:29:09 +00:00
Madhu Rajanna
e6098520d1 rbd: add configmap get clusterrole for provisioner
as provisioner need to get the configmap from
different namespace to check tenant configuration.
added the clusterrole get access for the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Matt Brown
123a26abb3 deploy, helm: enable secret watch in rbac
enables secret ''watch'' rbac permission for ceph-csi-rbd-provisioner role. Fixes 1841.

Signed-off-by: Matt Brown <matthewbrown18@gmail.com>
2021-01-26 15:41:11 +00:00
Niels de Vos
dd29c6c06b deploy: allow rbd nodeplugin to read ConfigMaps from Tenants
Tenants can have their own ConfigMap that contains connection parameters
to the Vault Service where the PV encyption keys are located. It is
possible for a Tenant to use a different Vault Service than the one
configured by the Storage Admin who deployed Ceph-CSI.

For this, the node-plugin needs to be able to read the ConfigMap from
the Tenants namespace.

See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-16 16:45:29 +00:00
Madhu Rajanna
b3fbcb9c95 rbd: read configuration from the configmap
if the kms encryption configmap is not mounted
as a volume to the CSI pods, add the code to
read the configuration from the kubernetes. Later
the code to fetch the configmap will be moved to
the new sidecar which is will talk to respective
CO to fetch the encryption configurations.

The k8s configmap uses the standard vault spefic
names to add the configurations. this will be converted
back to the CSI configurations.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-16 15:05:05 +00:00
Niels de Vos
cb1899b8c0 deploy: allow rbd nodeplugin to read Secrets from Tenants
In order to fetch the Kubernetes Secret with the Vault Token for a
Tenant, the ClusterRole needs to allow reading Secrets from all
Kubernetes Namespaces (each Tenant has their own Namespace).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
0e6443e4c1 deploy: add --extra-create-metadata arg to csi-provisioner sidecar
This argument in csi-provisioner sidecar allows us to receive pv/pvc
name/namespace metadata in the createVolume() request.

For ex:

    csi.storage.k8s.io/pvc/name
    csi.storage.k8s.io/pvc/namespace
    csi.storage.k8s.io/pv/name

This is a useful information which can be used depend on the use case we
have at our driver. The features like vault token enablement for multi
tenancy, RBD mirroring ..etc can consume this based on the need.

Refer: #1305
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Madhu Rajanna
518ccf42b3 deploy: add option to set default-fstype in provisioner
external-provisioner is exposing a new argument
to set the default fstype while starting the provisioner
sidecar, if the fstype is not specified in the storageclass
the default fstype will be applied for the pvc created from
the storageclass.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Madhu Rajanna
e3d1ba7703 deploy: set topology=false in provisioner sidecar
with csi-provisioner v2.x the topology based
provisioning will not have any backward compatibility
with older version of kubernetes, if the nodes are
not labeled with topology keys, the pvc creation
is going to get fail with error `accessibility
requirements: no available topology found`, disabling
the topology based provisioning by default, if user want
to use it he can always enable it.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Mudit Agarwal
a92d8d7f2e deploy: update csi sidecar images
This PR makes the changes in csi templates and
upgrade documentation required for updating
csi sidecar images.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2020-12-08 10:23:34 +00:00
Madhu Rajanna
39b1f2b4d3 cleanup: fix mispell words
fixed mispell words in the repo.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-11-29 12:47:46 +05:30