Commit Graph

99 Commits

Author SHA1 Message Date
Antoine C
3e9b438e7c helm: add least privileges logic for secrets on ceph-csi-cephfs chart
this allows the encryption KMS config to be granted secret access with
a least privileges policy.

Signed-off-by: Antoine C <hi@acolombier.dev>
2024-11-18 15:28:23 +00:00
Antoine C
cc407d157e helm: support encryption config in ceph-csi-cephfs chart
this chart currently lacks the ability to properly configure encryption,
as well as granting sufficient permission to allow controllers to access
secret when needed.

Signed-off-by: Antoine C <hi@acolombier.dev>
2024-11-18 15:28:23 +00:00
Mike Vollman
d1c28fa57a helm: Support setting annotations for nodePlugin and provisioner
Adding annotation support to both the CephFS and RBD charts.  Support
setting the DaemonSet and Pod level annotations for the nodeplugin.
Support setting the Deployment and Pod level annotations for the
provisioner.

Signed-off-by: Mike Vollman <mike@reportallusa.com>
2024-10-15 11:35:56 +00:00
Nikhil-Ladha
dfd8550667 cephfs: expose csi metrics of sidecars
Expose csi metrics of sidecars deployed by cephfs driver

Signed-off-by: Nikhil-Ladha <nikhilladha1999@gmail.com>
2024-10-10 15:11:20 +00:00
Robert Vasek
d250be4c39 helm: added logSlowOperationInterval value to cephfs and rbd charts
Signed-off-by: Robert Vasek <robert.vasek@clyso.com>
2024-09-20 08:55:17 +00:00
Madhu Rajanna
88ce2c625b helm: remove kube version check
kubernetes 1.25 is EOL and we don't
support it in cephcsi anymore, Removing
the checks for the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2024-09-02 13:57:11 +00:00
james-choncholas
3fbe7a8c77 helm: optionally set userID and userKey in cephfs chart
According to https://github.com/ceph/ceph-csi/issues/4467 the cephfs
static provisioner expects userID and userKey in the credential secret.
Add these values to the helm chart so that they are only included in the
templated yaml if the values are non-empty.

Signed-off-by: james-choncholas <jim@choncholas.com>
2024-08-28 15:29:15 +00:00
Andreas
7afddb41d6 deploy: support omap data store in radosnamespace via cli argument
Signed-off-by: Andreas <zerotens@users.noreply.github.com>
2024-07-30 07:13:48 +00:00
Andreas
1f192ac3da helm: add cli argument instanceid
Signed-off-by: Andreas <zerotens@users.noreply.github.com>
2024-07-01 13:32:33 +00:00
1602077
ea42a0e873 deploy: configurable podSecurityContexts in ceph-csi-cephfs
pod-level security contexts for nodeplugin daemonset and provisioner
deployment can be set via helm values.yaml

Signed-off-by: 1602077 <62025739+1602077@users.noreply.github.com>
2024-06-10 14:29:48 +00:00
Praveen M
33a888f9ec helm: fix seLinuxMount option for csi driver
This commit fixes the typo from `.Values.seLinuxMount` to
`.Values.CSIDriver.seLinuxMount` used in helm charts.

Signed-off-by: Praveen M <m.praveen@ibm.com>
2024-03-29 10:46:18 +00:00
NymanRobin
5224d58c13 cephfs: add support for encryption in ceph-csi-cephfs chart
the chart currently lacks access to configmap and secrets
this causes the mounting of encrypted file systems to fail

Signed-off-by: NymanRobin <nyman.robin@gmail.com>
2024-03-21 14:58:33 +00:00
Ruslan Khizhnyak
d56c9abbce helm: CSIDriver add labels and seLinuxMount disabling method
Signed-off-by: Ruslan Khizhnyak <rkhizhnyak@ptsecurity.com>
2024-03-21 10:07:23 +00:00
Dmytro Alieksieiev
fcaac58a1e helm: Include seLinuxMount only if KubeVersion greater or equal of 1.25
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
2024-03-13 07:40:19 +00:00
Madhu Rajanna
e6d913970b helm: template changes for cephfs volumegroupsnapshot
template changes for cephfs volumegroupsnapshot
the default is set to false and user can set
the value to true to get the support for VGS.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2024-02-22 15:21:07 +00:00
Niels de Vos
c9e64f9478 deploy: make the csi-*plugin containers the default for kubectl commands
When issues or bugs are reported, users often share the logs of the
default container in a Pod. These logs do not contain the required
information, as that mostly only can be found in the logs of the
Ceph-CSI container (named csi-cephfsplugin or csi-rbdplugin).

By moving the Ceph-CSI containers in the Pods to the 1st in the list,
they become the default container for commands like `kubectl logs`.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-02-14 16:23:52 +00:00
maximus13th
51decb097c cephfs: allow modify fsGroupPolicy for csidriver
allow to change value of fsGroupPolicy parameter for CSI Driver spec

Signed-off-by: maximus13th <maxym.pariy@gmail.com>
2024-01-08 11:11:39 +00:00
Sebastian Hoß
017dddcbfc helm: align seLinuxMount option w/ deploy folder
Signed-off-by: Sebastian Hoß <seb@xn--ho-hia.de>
2024-01-03 18:48:13 +00:00
Jan Nemcik
1fb6d8f891 helm: update node plugin cluster role
added permission to get nodes for rbd and cephfs nodeplugin daemonset

Signed-off-by: Jan Nemcik <jan.nemcik@solargis.com>
2023-12-11 10:59:50 +00:00
Praveen M
2309168943 helm: add default false value for --enable-read-affinity
Signed-off-by: Praveen M <m.praveen@ibm.com>
2023-12-06 18:18:21 +00:00
Ruslan Khizhnyak
ec29ec1ac2 helm: add extraDeploy option
To deploy additional manifests with the release.

Signed-off-by: Ruslan Khizhnyak <mustdiechik@gmail.com>
2023-11-23 13:50:44 +00:00
Praveen M
7e26beb51e helm: add option to enable read affinity for CephFS
This commit adds --enable-read-affinity flag to
enable read affinity for CephFS.

Signed-off-by: Praveen M <m.praveen@ibm.com>
2023-11-22 13:13:01 +00:00
Ruslan Khizhnyak
802f22f0ae helm: add annotations secret manifest
To use mutating webhook to modify secrets.
For example banzaicloud vault webhook:
https://bank-vaults.dev/docs/mutating-webhook/annotations/

Signed-off-by: Ruslan Khizhnyak <mustdiechik@gmail.com>
2023-11-09 17:18:33 +00:00
Garen Fang
37018a2eef helm: add imagePullSecrets option
Currently the Helm chart does not contain a
imagePullSecrets option when you are using
private container registry, this is very inconvenient.
This PR adds this option for both CephFS and RBD.

Signed-off-by: Garen Fang <fungaren@qq.com>
2023-06-16 04:37:03 +00:00
DashJay
9df4634fd0 deploy: fix bug of ceph-csi-rbd helm chart
fix bug that makes provisioner get dup affinities
when deploy helm chart ceph-csi-rbd and ceph-csi-cephfs.

Signed-off-by: DashJay <45532257+dashjay@users.noreply.github.com>
2023-05-22 06:34:19 +00:00
Domonkos Cinke
b7b491c097 deploy: add extraArgs for sidecars
Add the ability to control more arguments for CSI sidecar components.

Signed-off-by: Domonkos Cinke <seayou@gmail.com>
2023-01-05 15:58:48 +00:00
Humble Chirammal
b258628b05 helm: get rid of storage group enablement based on the version
deploy: remove beta storage group mention from csidriver yaml

the kubernetes version based enablement of storage api group
enablement is no longer required and it's already on v1 for
supported kubernetes versions.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-11-11 16:41:24 +00:00
BOSSER, Bastien
dea07aa184 deploy: add commonLabels value
Signed-off-by: BOSSER, Bastien <bastien.bosser@atos.net>
2022-11-02 11:28:18 +00:00
Madhu Rajanna
96a3aabe5a deploy: remove psp from cephcsi
as PSP is deprecated in kubernetes 1.21
and will be removed in kubernetes 1.25
removing the existing PSP related templates
from the repo and updated the required documents.

fixes #1988

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-08-23 07:53:46 +00:00
Prasanna Kumar Kalever
c0a566b5ed deploy: add setmetadata=true in the templates
setmetadata on the volume by default, otherwise e2e will fail

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-08-01 07:15:29 +00:00
Prasanna Kumar Kalever
f84265fdf5 deploy: add --extra-create-metadata arg to csi-snapshotter sidecar
This argument in csi-snapshotter sidecar allows us to receive
snapshot-name/snapshot-namespace/snapshotcontent-name metadata in the
CreateSnapshot() request.

For ex:

csi.storage.k8s.io/volumesnapshot/name
csi.storage.k8s.io/volumesnapshot/namespace
csi.storage.k8s.io/volumesnapshotcontent/name

This is useful information which can be used depending on the use case we
have at our driver. The features like adding metadata to snapshot image
can consume this based on the need.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-07-28 19:37:23 +00:00
Humble Chirammal
76ddf8e306 deploy: introduce new log level for sidecar controllers
At present we have single log level configuration for all the containers
running for our CSI pods, which has been defaulted to log Level 5.
However this causes many logs to be spitted in a cluster and causes log
spamming to an extent. This commit introduces one more log level control
for CSI pods called sidecarLogLevel which defaults to log Level 1.

The sidecar controllers like snapshotter, resizer, attacher, etc. have
been configured with this new log level and driver pods are with old
configuration value.

This allows us to have different configuration options for sidecar
controllers and driver pods.

With this, we will also have a choice of different configuration setting
instead of locking onto one variable for the containers deployed via CSI driver.

To summarize the CSI containers maintained by Ceph CSI driver has log
level 5 and controllers/sidecars not maintained by Ceph CSI driver has
log level 1 configuration.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-07-28 08:31:37 +00:00
Prasanna Kumar Kalever
cc9e8aa7b6 deploy: add cluster name in the templates
added in helm charts which should help users.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-07-28 04:07:52 +00:00
Yati Padia
b0b0e083ad cephfs: add update rbac rule to pv resource
This commit adds the update rbac rule to persistent
volume resource as the ci was failing with below error:
cannot update resource "persistentvolumes" in API group
"" at the cluster scope

Signed-off-by: Yati Padia <ypadia@redhat.com>
2022-07-19 14:42:21 +00:00
Yati Padia
776821f17f deploy: update csi-provisioner to latest version
This commit updates csi-provisioner sidecar to
latest version i.e., v3.2.0.

fixes: #3184

Signed-off-by: Yati Padia <ypadia@redhat.com>
2022-07-19 14:42:21 +00:00
takeaki-matsumoto
1025871021 cephfs: Support mount option on nodeplugin
add mount options on nodeplugin side

Signed-off-by: takeaki-matsumoto <takeaki.matsumoto@linecorp.com>
2022-07-18 22:04:12 +00:00
Humble Chirammal
1856647506 cephfs: go with default permissions while creating subvolumes
While creating subvolumes, CephFS driver sets the mode to `777`
and passes it along to go ceph apis which causes the subvolume
permission to be on 777, however if we create a subvolume
directly in the ceph cluster, the default permission bits are
set which is 755 for the subvolume. This commit tries to stick
to the default behaviour even while creating the subvolume.

This also means that we can work with fsgrouppolicy set to
`File` in csiDriver object which is also addressed in this commit.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-07-13 06:49:58 +00:00
Carsten Buchberger
b262f06c33 helm: enable host networking for provisioner
Adds the possibility in the helm-chart to enable hostNetworking
for provider pods.

Signed-off-by: Carsten Buchberger <c.buchberger@witcom.de>
2022-07-04 15:14:59 +00:00
Humble Chirammal
8d3bb82949 deploy: remove attachrequired param from csidriver object
As the attacher is no longer required we have to mention the same
for csidriver object parameter.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-06-06 12:25:11 +00:00
Humble Chirammal
c0fa88435f deploy: remove external-attacher sidecar from cephfs deployment
CephFS CSI driver doesn't need attacher sidecar for its operations.
This commit removes the same. The RBAC has also got adjusted.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-06-06 12:25:11 +00:00
Humble Chirammal
9b64e0a170 helm: enable RecoverVolumeExpansionFailure feature gate
This commit enables the mentioned feature gate which helps to
recover from volume expansion failures.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-05-25 18:03:16 +00:00
Humble Chirammal
29870cdbcc helm: remove topology RBAC section for cephfs deployment
At present CephFS does not support topology aware provisioning and this
commit removes the same.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-05-23 10:57:56 +00:00
Humble Chirammal
6558de9e08 helm: remove cephfs node plugin cluster role RBAC
This commit removes the node plugin RBAC of CephFS.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-27 10:51:33 +00:00
Silvan Loser
06c4477ff9 helm: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists: cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
2022-04-22 23:36:02 +00:00
Madhu Rajanna
7b2aef0d81 util: add support for the nsenter
add support to run rbd map and mount -t
commands with the nsenter.

complete design of pod/multus network
is added here https://github.com/rook/rook/blob/master/design/ceph/multus-network.md#csi-pods

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-08 10:23:21 +00:00
Robert Vasek
80dda7cc30 cephfs: detect corrupt ceph-fuse mounts and try to remount
Mounts managed by ceph-fuse may get corrupted by e.g. the ceph-fuse process
exiting abruptly, or its parent container being terminated, taking down its
child processes with it.

This commit adds checks to NodeStageVolume and NodePublishVolume procedures
to detect whether a mountpoint in staging_target_path and/or target_path is
corrupted, and remount is performed if corruption is detected.

Signed-off-by: Robert Vasek <robert.vasek@cern.ch>
2022-03-10 06:05:52 +00:00
Benjamin Guillon
d236968bf9 helm: remove kube version semver check for CSI cephfs resizer component
It was decided that latest ceph CSI versions would drop support for
older Kubernetes versions, making this check useless. So it was removed.

Removing this version check allows for the deployment of the CephFS
resizer component when using the helm chart on non vanilla kubernetes
clusters whose API server versions are in the form of `1.x.y-abc+def-ghi`.

Signed-off-by: Benjamin Guillon <benjamin.guillon@cc.in2p3.fr>
2022-03-09 06:07:49 +00:00
Silvio Gissi
9c50e255fb helm: make ceph.conf ConfigMap name configurable
ConfigMap name was hardcoded and led to conflicts. Fixes #2858.

Signed-off-by: Silvio Gissi <silvio@gissilabs.com>
2022-02-21 07:25:22 +00:00
Francesco Astegiano
4235178f7c helm: Add selinuxMount flag to enable/disable /etc/selinux host mount
Add selinuxMount flag to enable/disable /etc/selinux host mount inside pods
to support selinux-enabled filesystems

Signed-off-by: Francesco Astegiano <francesco.astegiano@gmail.com>
2022-02-16 12:48:00 +00:00
Deividas Burškaitis
91c22f521b helm: add port sections to helm templates
to show what ports containers are exposing add port sections to nodeplugin
and provisioner helm templates

Signed-off-by: Deividas Burškaitis <deividas.burskaitis@oxylabs.io>
2022-02-15 10:06:26 +00:00