The omap is stored with the requested
snapshot name, not with the subvolume
snapshot name. This fix uses the correct
snapshot request name to clean up the omap
once the subvolume snapshot is deleted.
fixes: #2832
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 294355590422f280953991d6a55553ce1a3db15c)
The field name was wrong in the example yaml and this corrects the same.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 13f16113961d0e2dcd1b86ed0bb5e0bb600eeefc)
When a tenant configures `vaultNamespace` in their own ConfigMap, it is
not applied to the Vault configuration, unless `vaultAuthNamespace` is
set as well. This is unexpected, as the `vaultAuthNamespace` usually is
something configured globally, and not per tenant.
The `vaultAuthNamespace` is an advanced option, that is often not needed
to be configured. Only when tenants have to configure their own
`vaultNamespace`, it is possible that they need to use a different
`vaultAuthNamespace`. The default for the `vaultAuthNamespace` is now
the `vaultNamespace` value from the global configuration. Tenants can
still set it to something else in their own ConfigMap if needed.
Note that HashiCorp Vault Namespaces are only functional in the
Enterprise version of the product. Therefore this cannot be tested in
the Ceph-CSI e2e with the Open Source version of Vault.
Fixes: https://bugzilla.redhat.com/2050056
Reported-by: Rachael George <rgeorge@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit f6894909d77ae03648094baa4c0410ceb3a7369b)
As we are using optional additional auth data while wrapping
the DEK, we have to send the same additionally while unwrapping.
Error:
```
failed to unwrap the DEK: kp.Error: ..(INVALID_FIELD_ERR)',
reasons='[INVALID_FIELD_ERR: The field `ciphertext` must be: the
original base64 encoded ciphertext from the wrap operation
```
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 1c3baa07222f6435f54d1af95b4d469cc6dd3f58)
In case building a new container-image fails, the old image has already
been removed by the same make target. The container-id file that is used
to prevent unneeded rebuilds, causes build problems in case the
container-image in the container-id file does not exist (anymore).
By removing the container-id file before rebuilding the image, there
should not be any issues on subsequent (attempted fixed) builds of the
container-images.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 07e408408077f7fa0f63ac7f4125919715eca9c1)
The CentOS 8 repository for Apache Arrow has been removed. This causes
container-image builds to fail with the following error:
```
Errors during downloading metadata for repository 'apache-arrow-centos':
- Status code: 404 for https://apache.jfrog.io/artifactory/arrow/centos/8/x86_64/repodata/repomd.xml (IP: 54.190.66.70)
Error: Failed to download metadata for repo 'apache-arrow-centos': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
```
The Ceph base image has `arrow/centos/8` configured, maybe Apache Arrow
offers a CentOS Stream 8 repository now? Once the Ceph container-image
has been updated, the repository can be enabled again.
Ceph-CSI does not depend on Apache Arrow, so there is no functional
change by disabling the repository.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit cbec296543a459f0d38d395319f7cb14b60525a1)
The CentOS Stream 8 base container image does not have `ps` installed.
This causes CI jobs to fail, when checking for a restarted rbd-nbd
process.
Instead of using `ps`, the `pstree` command can be used. This will add
some ASCII-tree symbols in front of the command that is logged by the
e2e tests, but that is only used for manual reviewing and does not harm
the running test.
Fixes: #2850
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 693aabbe1e5905c237d489e9a56596eac190d154)
To be consistent with other components and also to explicitly
state that it belongs to the `ibm keyprotect` service, introducing this
change.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit f82260068940aa4d5c5fe45c8f566ec22ca38028)
Considering the pod has run as a normal user, the fsgroup has also
been set to the same.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 7ff048bf1e8ee1be58db2d00a60085f8b4a119e8)
Currently we are overriding the permission to `0o777` at the time of node
stage, which is not the correct action. That said, this permission
change causes an extra permission correction at the time of nodestaging
by the CO while the FSGROUP change policy has been set to
`OnRootMismatch`.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit bf4ba0ec84cd7bb8c5cf2f93b7a8dfea227dd1ae)
Pull the ceph image from quay.io instead
of dockerhub.
From ceph doc, the images are available
in both quay and dockerhub
https://docs.ceph.com/en/latest/install/containers/#official-releases
but latest images are not updated in dockerhub.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 6bdeffda59197cf2c344b56c733ec575a7081c92)
During CreateVolume from snapshot/volume,
it's difficult to identify if the clone has
failed and a new clone is created. In case
of clone failure, log the error message
for better debugging.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 2daf2f9f0c6ba1bb28d0ae2977dcd062724afa7f)
This commit reverts the template changes brought in for release-3.5
and makes it refer to canary.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit updates the node driver registrar container to latest
version.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 0078e5c8e77c4d75dd8b2b6f475b6a1a3330c0af)
This commit adds the latest versions of the sidecars to the build.env
to pass the latest versions on the deployment.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit c0c2d72933e5f08c5ee3a71e851173fe3a22306a)
This commit updates the csi-attacher sidecar version to v3.4.0.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 0ab717f06fce595011f423666704da265e35bdfd)
This commit updates sidecars to the latest available version
which is compatible with kubernetes 1.23 and csi spec 1.5.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit ea8e360888f3d91cf0bbd73cb2c1636c84b1a23f)
Without commit [1], the kernel doesn't handle io-timeout=0 correctly.
Hence we recommend kernel version 5.4 or higher that has commit [1].
[1] https://bit.ly/34CFh06
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
(cherry picked from commit 1c153b120cb4aaf6a5792434eb39eefbef2a5d35)
This commit adds the upgrade documentation from v3.4 to v3.5
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit b15132587164c408f1717e1c8b3938692059df50)
Currently, as a workaround, we are calling
the resize volume on the cloned, restored volumes
to adjust the cloned, restored volumes.
With this fix, we are calling the resize volume
only if there is a size mismatch with requested
and the volume from which the new volume needs
to be created.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit adds example yamls for RBD and CephFS Pod and PVCs.
RBD:
Raw Block Volume and File Mode PVCs with RWOP accessmode
Raw Block Volume POD and FileMode POD yamls referring RWOP PVC
CephFS:
RWOP PVC and POD yaml referring RWOP PVC
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
The ReadWriteOncePod feature gate needs to be enabled only when we
are operating on a kube 1.22 or above cluster. This commit adds the
logic to parse the kubernetes cluster at time of minikube deployment
and, if it is above v1.22, enable the RWOP feature gate.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
SINGLE_NODE_WRITER capability ambiguity has been fixed in csi spec v1.5
which allows the SP drivers to declare more granular WRITE capability in form
of SINGLE_NODE_SINGLE_WRITER or SINGLE_NODE_MULTI_WRITER.
These are not really new capabilities, rather capabilities introduced to
get the desired functionality from CO side based on the capabilities SP
drivers support for various CSI operations. These new capabilities also help
to address the new access mode RWOP (readwriteoncepod).
This commit adds a helper function which identifies whether the request is of
multiwriter mode and also validates whether it is filesystem mode or
block mode. Based on the inspection it fails to allow multi write
requests for filesystem mode and only allows multi write requests against
block mode.
This commit also adds unit tests for isMultiWriterBlock function which
validates various accesstypes and accessmodes.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
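The multi-writer check described in the commit message above, as an added example that is not the Ceph-CSI code. The `AccessMode` and `Capability` types are local stand-ins for the CSI spec v1.5 types, and `ValidateCapabilities` is a hypothetical name; the check is applied per capability so that a block-mode entry in the same request cannot cover for a multi-writer filesystem entry.

```go
package main

import (
	"errors"
	"fmt"
)

// AccessMode is a local stand-in for the CSI spec v1.5 access modes
// (assumption: a real driver uses the generated CSI types instead).
type AccessMode int

const (
	SingleNodeWriter AccessMode = iota
	MultiNodeSingleWriter
	MultiNodeMultiWriter
	SingleNodeSingleWriter
	SingleNodeMultiWriter
)

// Capability is a hypothetical, flattened volume capability.
type Capability struct {
	Mode  AccessMode
	Block bool // true: raw block access type, false: filesystem (mount)
}

func isMultiWriter(m AccessMode) bool {
	return m == MultiNodeMultiWriter || m == SingleNodeMultiWriter
}

// ValidateCapabilities rejects any multi-writer capability that is not block
// mode. Each capability is checked on its own, so a block capability elsewhere
// in the request cannot vouch for a multi-writer filesystem capability.
func ValidateCapabilities(caps []Capability) error {
	if len(caps) == 0 {
		return errors.New("request carries no volume capabilities")
	}
	for i, c := range caps {
		if isMultiWriter(c.Mode) && !c.Block {
			return fmt.Errorf("capability %d: multi-writer access requires block mode", i)
		}
	}
	return nil
}

func main() {
	// Constructed sample request: multi-writer filesystem plus single-writer block.
	mixed := []Capability{{SingleNodeMultiWriter, false}, {SingleNodeWriter, true}}
	fmt.Println(ValidateCapabilities(mixed))
}
```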
SINGLE_NODE_WRITER capability ambiguity has been fixed in csi spec v1.5
which allows the SP drivers to declare more granular WRITE capability.
These are not really new capabilities, rather capabilities introduced to
get the desired functionality from CO side based on the capabilities SP
drivers support for various CSI operations.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
This commit adds optional BaseURL and TokenURL configuration to
key protect/hpcs configuration and client connections, if not
provided default values are used.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
By the addition of the queue rules in the Mergify configuration, all PRs
that require changes, or have been updated and review should be dropped,
are now added to the queue for merging. This is obviously not what we
want.
Fixes: 43fc945 ("ci: move from merge action to queue action")
Signed-off-by: Niels de Vos <ndevos@redhat.com>
As mentioned in the below blog, the support for strict mode
and merge action will be done soon in mergify. This brings
the change requested for the same.
Ref# https://blog.mergify.com/strict-mode-deprecation/
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Implement the UnfenceClusterNetwork grpc call
which allows unblocking access to a
CIDR block by removing it from the network fence.
Signed-off-by: Yug Gupta <yuggupta27@gmail.com>
Implement the FenceClusterNetwork grpc call which
allows blocking access to a CIDR block by
creating a network fence.
Signed-off-by: Yug Gupta <yuggupta27@gmail.com>
Convert the CIDR block into a range of IPs,
and then add network fencing via "ceph osd blocklist"
for each IP in that range.
Signed-off-by: Yug Gupta <yuggupta27@gmail.com>
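The CIDR expansion behind the fence and unfence commits above, as an added example that is not the Ceph-CSI implementation. `ExpandCIDR`, `BlocklistCommands` and the `maxHostBits` safety cap are hypothetical names and choices; the argument vectors assume the `ceph osd blocklist add` / `rm` subcommands and are only built, never executed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// maxHostBits caps the expansion at 65536 addresses (assumed limit) so that a
// mistyped /8 or an IPv6 /64 cannot turn into millions of blocklist entries.
const maxHostBits = 16

// ExpandCIDR returns every address in the block, including the network and
// broadcast addresses, since a fence should cover the whole range.
func ExpandCIDR(cidr string) ([]string, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		return nil, fmt.Errorf("invalid CIDR %q: %w", cidr, err)
	}
	p = p.Masked() // 192.0.2.9/30 is normalised to 192.0.2.8/30
	hostBits := p.Addr().BitLen() - p.Bits()
	if hostBits > maxHostBits {
		return nil, fmt.Errorf("CIDR %q has %d host bits, limit is %d", cidr, hostBits, maxHostBits)
	}
	ips := make([]string, 0, 1<<hostBits)
	for a := p.Addr(); a.IsValid() && p.Contains(a); a = a.Next() {
		ips = append(ips, a.String())
	}
	return ips, nil
}

// BlocklistCommands builds one argument vector per address; op is "add" to
// fence and "rm" to unfence.
func BlocklistCommands(op, cidr string) ([][]string, error) {
	if op != "add" && op != "rm" {
		return nil, fmt.Errorf("unsupported blocklist operation %q", op)
	}
	ips, err := ExpandCIDR(cidr)
	if err != nil {
		return nil, err
	}
	cmds := make([][]string, 0, len(ips))
	for _, ip := range ips {
		cmds = append(cmds, []string{"ceph", "osd", "blocklist", op, ip})
	}
	return cmds, nil
}

func main() {
	cmds, err := BlocklistCommands("add", "192.0.2.9/30") // constructed sample CIDR
	fmt.Println(cmds, err)
}
```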