Commit Graph

198 Commits

Author SHA1 Message Date
Alexandre Lossent
5cba04c470 cephfs: support selinux mount options
- mount host's /etc/selinux in node plugins
- process mount options in all code paths for cephfs volume options

Signed-off-by: Alexandre Lossent <alexandre.lossent@cern.ch>
2021-08-04 12:59:34 +00:00
rtsp
af1f50ba04 deploy: rbd kubernetes manifests
add ability to deploy ceph-csi-rbd on non-default namespace

Signed-off-by: rtsp <git@rtsp.us>
2021-07-31 03:09:14 +00:00
Thomas Kooi
75b9b9fe6d cleanup: fix beta apiVersion for csidriver
This change resolves a typo for installing the CSIDriver
resource in Kubernetes clusters before 1.18,
where the apiVersion is incorrect.

See also:
https://kubernetes-csi.github.io/docs/csi-driver-object.html

[ndevos: replace v1betav1 in examples with v1beta1]
Signed-off-by: Thomas Kooi <t.j.kooi@avisi.nl>
2021-07-22 09:12:44 +00:00
Prasanna Kumar Kalever
b6a88dd728 rbd: add volume healer
Problem:
-------
For rbd nbd userspace mounter backends, after a restart of the nodeplugin
all the mounts will start seeing IO errors. This is because, for rbd-nbd
backends there will be a userspace mount daemon running per volume, post
restart of the nodeplugin pod, there is no way to restore the daemons
back to life.

Solution:
--------
The volume healer is a one-time activity that is triggered at the startup
time of the rbd nodeplugin. It navigates through the list of volume
attachments on the node and acts accordingly.

For now, it is limited to nbd type storage only, but it is flexible and
can be extended in the future for other backend types as needed.

From a few feets above:
This solves a severe problem for nbd backed csi volumes. The healer while
going through the list of volume attachments on the node, if finds the
volume is in attached state and is of type nbd, then it will attempt to
fix the rbd-nbd volumes by sending a NodeStageVolume request with the
required volume attributes like secrets, device name, image attributes,
and etc.. which will finally help start the required rbd-nbd daemons in
the nodeplugin csi-rbdplugin container. This will allow reattaching the
backend images with the right nbd device, thus allowing the applications
to perform IO without any interruptions even after a nodeplugin restart.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Prasanna Kumar Kalever
10e4eee481 deploy: add few more cluster-roles for rbd nodeplugin
Nodeplugin needs below cluster roles:
persistentvolumes: get
volumeattachments: list, get

These additional permissions are needed by the volume healer. Volume healer
aims at fixing the volume health issues at the very startup time of the
nodeplugin. As part of its operations, volume healer has to run through
the list of volume attachments and understand details about each
persistentvolume.

The later commits will use these additional cluster roles.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Prasanna Kumar Kalever
874f6629fb rbd: get default plugin path
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-07-16 16:30:58 +00:00
Niels de Vos
8662e01d2c deploy: allow RBD components to get ServiceAccounts
The provisioner and node-plugin have the capability to connect to
Hashicorp Vault with a ServiceAccount from the Namespace where the PVC
is created. This requires permissions to read the contents of the
ServiceAccount from an other Namespace than where Ceph-CSI is deployed.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-07-13 17:16:35 +00:00
Yug
a852e66133 deploy: update node-driver-registrar
update node-driver-registrar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
b19717ef99 deploy: update csi-snapshotter sidecar
update csi-snapshotter sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
77f2db8875 deploy: update csi-resizer sidecar
update csi-resizer sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
fac20a9446 deploy: update csi-attacher sidecar
update csi-attacher sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yug
cf63be41c8 deploy: update csi-provisioner sidecar
update csi-provisioner sidecar to
the latest available release version.

Signed-off-by: Yug <yuggupta27@gmail.com>
2021-06-25 15:45:14 +00:00
Yati Padia
774e8e4042 util: enable golang profiling
Add support for golang profiling.
Standard tools like go tool pprof and curl
work. example:
$ go tool pprof http://localhost:8080/debug/pprof/profile
$ go tool pprof http://localhost:8080/debug/pprof/heap
$ curl http://localhost:8080/debug/pprof/heap?debug=1

https://golang.org/pkg/net/http/pprof/ contains
more details about the pprof interface.

Fixes: #1699

Signed-off-by: Yati Padia <ypadia@redhat.com>
2021-05-25 10:41:22 +00:00
Humble Chirammal
1b0ebc43d4 deploy: use serviceAccountName instead of serviceAccount in yamls
serviceAccount is the depricated alias for serviceAccountName, so it
is recommended/suggested to use serviceAccountName instead.

For ex. reference:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2021-04-06 09:00:35 +00:00
Madhu Rajanna
fba6a2d0c3 deploy: add csidriver object for cephfs and rbd
csidriver object can be created on the kubernetes
for below reason.

If a CSI driver creates a CSIDriver object,
Kubernetes users can easily discover the CSI
Drivers installed on their cluster
(simply by issuing kubectl get CSIDriver)

Ref: https://kubernetes-csi.github.io/docs/csi-driver-object.html#what-is-the-csidriver-object

attachRequired is always required to be set to
true to avoid issue on RWO PVC.

more details about it at https://github.com/rook/rook/pull/4332

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-03-31 13:41:35 +00:00
Prasanna Kumar Kalever
ea4489da68 deploy: bump the snapshotter sidecar image version to v4.0.0
use the latest version of csi-snapshotter sidecar image at the
provisioner templates

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-03-15 15:11:01 +00:00
Madhu Rajanna
7835609b06 set priorityclass on provisioner pods
set system-cluster-critical priorityclass on
provisioner pods. the system-cluster-critical is
having lowest priority compared to node-critical.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-19 13:29:09 +00:00
Madhu Rajanna
2190ca922e set priorityclass on plugin pods
set system-node-critical priority on the plugin
pods, as its the highest priority and this need to
be applied on plugin pods as its critical for
storage in cluster.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-19 13:29:09 +00:00
Madhu Rajanna
e6098520d1 rbd: add configmap get clusterrole for provisioner
as provisioner need to get the configmap from
different namespace to check tenant configuration.
added the clusterrole get access for the same.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-02-04 14:58:40 +00:00
Matt Brown
123a26abb3 deploy, helm: enable secret watch in rbac
enables secret ''watch'' rbac permission for ceph-csi-rbd-provisioner role. Fixes 1841.

Signed-off-by: Matt Brown <matthewbrown18@gmail.com>
2021-01-26 15:41:11 +00:00
Niels de Vos
dd29c6c06b deploy: allow rbd nodeplugin to read ConfigMaps from Tenants
Tenants can have their own ConfigMap that contains connection parameters
to the Vault Service where the PV encyption keys are located. It is
possible for a Tenant to use a different Vault Service than the one
configured by the Storage Admin who deployed Ceph-CSI.

For this, the node-plugin needs to be able to read the ConfigMap from
the Tenants namespace.

See-also: docs/design/proposals/encryption-with-vault-tokens.md
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-16 16:45:29 +00:00
Madhu Rajanna
b3fbcb9c95 rbd: read configuration from the configmap
if the kms encryption configmap is not mounted
as a volume to the CSI pods, add the code to
read the configuration from the kubernetes. Later
the code to fetch the configmap will be moved to
the new sidecar which is will talk to respective
CO to fetch the encryption configurations.

The k8s configmap uses the standard vault spefic
names to add the configurations. this will be converted
back to the CSI configurations.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-16 15:05:05 +00:00
Niels de Vos
cb1899b8c0 deploy: allow rbd nodeplugin to read Secrets from Tenants
In order to fetch the Kubernetes Secret with the Vault Token for a
Tenant, the ClusterRole needs to allow reading Secrets from all
Kubernetes Namespaces (each Tenant has their own Namespace).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-14 14:45:09 +00:00
Niels de Vos
0e6443e4c1 deploy: add --extra-create-metadata arg to csi-provisioner sidecar
This argument in csi-provisioner sidecar allows us to receive pv/pvc
name/namespace metadata in the createVolume() request.

For ex:

    csi.storage.k8s.io/pvc/name
    csi.storage.k8s.io/pvc/namespace
    csi.storage.k8s.io/pv/name

This is a useful information which can be used depend on the use case we
have at our driver. The features like vault token enablement for multi
tenancy, RBD mirroring ..etc can consume this based on the need.

Refer: #1305
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2020-12-09 13:58:48 +00:00
Madhu Rajanna
518ccf42b3 deploy: add option to set default-fstype in provisioner
external-provisioner is exposing a new argument
to set the default fstype while starting the provisioner
sidecar, if the fstype is not specified in the storageclass
the default fstype will be applied for the pvc created from
the storageclass.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Madhu Rajanna
e3d1ba7703 deploy: set topology=false in provisioner sidecar
with csi-provisioner v2.x the topology based
provisioning will not have any backward compatibility
with older version of kubernetes, if the nodes are
not labeled with topology keys, the pvc creation
is going to get fail with error `accessibility
requirements: no available topology found`, disabling
the topology based provisioning by default, if user want
to use it he can always enable it.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-12-08 16:09:25 +00:00
Mudit Agarwal
a92d8d7f2e deploy: update csi sidecar images
This PR makes the changes in csi templates and
upgrade documentation required for updating
csi sidecar images.

Signed-off-by: Mudit Agarwal <muagarwa@redhat.com>
2020-12-08 10:23:34 +00:00
Madhu Rajanna
39b1f2b4d3 cleanup: fix mispell words
fixed mispell words in the repo.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-11-29 12:47:46 +05:30
Madhu Rajanna
fc9b2e5ac5 deploy: update deployment template for new controller
updated deployment template for the new controller and
also added `update` configmap RBAC for the controller
as the controller uses the configmap for the leader
election.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-11-28 18:50:00 +00:00
Humble Chirammal
e154029e6d deploy: update csi-attacher to v2.2.0 from v2.1.0
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2020-10-13 12:34:42 +00:00
Humble Chirammal
bae289ea0a deploy: update sidecar repo paths to new image repository
The image repository has been migrated to k8s.gcr.io/sig-storage from
quay.io/k8scsi.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2020-10-13 12:34:42 +00:00
Nico Berlee
6a5f1380b0 deploy: add pod anti-affinity for provisioner deployments
The added anti-affinity rules prevent provisioner operators from scheduling on
the same nodes. The kubernetes scheduler will spread the pods across nodes to
improve availability during node failures.

Signed-off-by: Nico Berlee <nico.berlee@on2it.net>
2020-09-29 09:29:58 +00:00
Madhu Rajanna
f2edc926cf deploy: remove preStop hook from daemonset templates
The lifecycle preStop hook fails on container stop / exit
because /bin/sh is not present in the driver registrar container
image.

the driver-registrar will remove the socket file
before stopping. we dont need to have any preStop hook
to remove the socket as it was not working as expected

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-08-31 17:24:54 +00:00
Madhu Rajanna
cc0f0b8a6a deploy: remove unnecessary aggregate clusterroles
The aggregate clusterrole were designed for the scenario where
the rules are not completely owned by one component.
the aggregate rules can be removed and simplify
certain issues around upgrades.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-08-19 09:30:17 +00:00
Madhu Rajanna
d15ded88f5 cleanup: Remove support for Delete and Unmounting v1.1.0 PVC
as v1.0.0 is deprecated we need to remove the support
for it in the Next coming (v3.0.0) release. This PR
removes the support for the same.

closes #882

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-07-10 16:07:13 +00:00
Madhu Rajanna
9b518726ab rbd: add hardlimt and softlimit flag
added Hardlimit and Softlimit flags for cephcsi
arguments. When the Softlimit is reached cephcsi
will start a background task to flatten the rbd
image and return success and if the hardlimit
is reached it will start a background task
to flatten the rbd image and return ready
to use as false to make sure that the image
will not be used until it is flatten.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-07-01 08:21:47 +00:00
Humble Chirammal
65982a0489 deploy: add --retry-interval-start arg for attacher & resizer
Considering this parameter is available for other sidecars we should
have a parity between the sidecars. Adding it for the same reason

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2020-05-27 15:52:08 +00:00
Madhu Rajanna
a116764f4d Snapshot: Template changes for snapshot beta
Updated the deployment templates and the sidecar
images version to support snapshot beta version.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-05-15 08:19:32 +00:00
Yug Gupta
9394ac887e rbd: change image pull policy
unlike other containers, image pull policy of
csi-snapshotter was set to "Always", which can
be changed to pull only if not present.

Signed-off-by: Yug Gupta <ygupta@redhat.com>
2020-05-12 13:44:52 +00:00
ShyamsundarR
5c4abf8347 Add topology support to ceph-csi
Signed-off-by: ShyamsundarR <srangana@redhat.com>
2020-04-14 14:14:29 +00:00
Madhu Rajanna
58765e27a0 Resizer: Update resizer image version
Recently resizer 0.5.0 has been released.
This PR updated the resizer container from
v0.4.0 to v0.5.0

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-06 12:06:54 +00:00
Madhu Rajanna
bcd646ee55 Deprecate grpc metrics in ceph-csi
As kubernetes CSI sidecar is exposing the
GRPC mertics we can make use of the same in
ceph-csi we dont need to expose our own.

update: #881

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-04-01 11:59:37 +00:00
Wong Hoi Sing Edison
ebe5aa00cf Upgrade: csi-node-driver-registrar from v1.2.0 to v1.3.0
See https://github.com/kubernetes-csi/node-driver-registrar/releases/tag/v1.3.0
See https://github.com/kubernetes-csi/node-driver-registrar/blob/v1.3.0/CHANGELOG-1.3.md
2020-04-01 08:39:37 +00:00
Humble Chirammal
8265c431a7 Bring attacher controllers to latest version
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2020-03-20 11:09:05 +00:00
Madhu Rajanna
d02dfe2dfe Remove unwanted RBAC rules from ceph-csi
There are currently unwanted RBAC permission
is given for ceph-csi, This PR reduces removes
such unwanted RBAC resources.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-02-13 21:36:27 +00:00
Vasyl Purchel
419ad0dd8e Adds per volume encryption with Vault integration
- adds proposal document for PVC encryption from PR448
- adds per-volume encription by generating encryption passphrase
  for each volume and storing it in a KMS
- adds HashiCorp Vault integration as a KMS for encryption passphrases
- avoids encrypting volume second time if it was already encrypted but
  no file system created
- avoids unnecessary checks if volume is a mapped device when encryption
  was not requested
- prevents resizing encrypted volumes (it is not currently supported)
- prevents creating snapshots from encrypted volumes to prevent attack
  on encryption key (security guard until re-encryption of volumes
  implemented)

Signed-off-by: Vasyl Purchel vasyl.purchel@workday.com
Signed-off-by: Andrea Baglioni andrea.baglioni@workday.com

Fixes #420
Fixes #744
2020-02-05 05:18:56 +00:00
Madhu Rajanna
eb2fb9233b Add run hostpath to daemonset pods
`/run/mount` need to be share between host and
csi-plugin containers for `/run/mount/utab`

this is required to ensures that the network
is not stopped prior to unmounting the network devices.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-28 16:50:18 +00:00
Oguz Kilcan
aadce54b2f Added PodSecurityPolicy support 2020-01-22 08:19:42 +00:00
wilmardo
f04af5742d refact: Remove Kubernetes 1.13.x support
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2020-01-20 10:32:30 +00:00
Madhu Rajanna
e0cc7740f6 CSI: run all containers as privileged in daemonset pods
On systems with SELinux enabled, non-privileged containers
can't access data of privileged containers. Since the socket
is exposed by privileged containers, all sidecars must be
privileged too. This is needed only for containers running
in daemonset as we are using bidirectional mounts in daemonset

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-13 13:21:29 +00:00
Madhu Rajanna
fbda8cc4ca Use EmptyDir to store provisioner socket
currently, we are making use of host path directory
to store the provisioner socket, as this
the socket is not needed by anyone else other than
containers inside the provisioner pod using the
empty directory to store this socket is the best option.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-13 13:21:29 +00:00
Wong Hoi Sing Edison
543360ee00 Upgrade: csi-attacher from v1.2.0 to v2.1.0
See https://github.com/kubernetes-csi/external-attacher/releases/tag/v2.1.0
See https://github.com/kubernetes-csi/external-attacher/blob/v2.1.0/CHANGELOG-2.1.md
2020-01-07 14:27:29 +00:00
Wong Hoi Sing Edison
202a2a7200 Upgrade: csi-snapshotter from v1.2.1 to v1.2.2
See https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v1.2.2
See https://github.com/kubernetes-csi/external-snapshotter/blob/v1.2.2/CHANGELOG-1.2.md
2020-01-06 12:36:44 +00:00
Wong Hoi Sing Edison
f37bdfdd44 Upgrade: csi-node-driver-registrar from v1.1.0 to v1.2.0
See https://github.com/kubernetes-csi/node-driver-registrar/releases/tag/v1.2.0
See https://github.com/kubernetes-csi/node-driver-registrar/blob/v1.2.0/CHANGELOG-1.2.md
2020-01-06 07:48:41 +00:00
Madhu Rajanna
4d28a981fc Remove hard-coded UpdateStrategy from templates
Provided an option to specify the UpdateStrategy
in helm  charts.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2020-01-05 08:05:06 +00:00
Wong Hoi Sing Edison
74cb18bd28 Upgrade: csi-resizer from v0.3.0 to v0.4.0
See https://github.com/kubernetes-csi/external-resizer/releases/tag/v0.4.0
See https://github.com/kubernetes-csi/external-resizer/blob/v0.4.0/CHANGELOG-0.4.md
2020-01-05 07:21:12 +00:00
Wong Hoi Sing Edison
3e656769b7 Update csi-provisioner from v1.3.0 to v1.4.0
See https://github.com/kubernetes-csi/external-provisioner/releases/tag/v1.4.0
See https://github.com/kubernetes-csi/external-provisioner/blob/v1.4.0/CHANGELOG-1.4.md
2020-01-02 15:53:07 +00:00
Sébastien Bernard
40b04d2f3a Add missing env for namespace. 2019-12-20 13:59:15 +00:00
Madhu Rajanna
b849b7daaa Fix leader election flag in deployment files
Fixes: https://github.com/ceph/ceph-csi/issues/748

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-12-17 12:19:01 +00:00
Humble Chirammal
7e59c0ed78 Change deployment artifacts for RBD resizer
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-12-13 12:40:12 +00:00
Humble Chirammal
1efdf14ac5 At present, the request timeout of sidecars are at the 60s and this is a request to increase
this time out value to 150s or higher. The higher timeout value can help to reduce the
load of our backend ceph cluster and also can avoid throttling issues at sidecars to an extent.

Fix# #602

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-10-09 05:28:40 +00:00
Daniel-Pivonka
cd52798a51 Change default csi liveness ports to ones less common
Signed-off-by: Daniel-Pivonka <dpivonka@redhat.com>
2019-10-01 15:08:58 +00:00
wilmardo
abdadef8bc fix: add POD_NAMESPACE to RBD provisioner deployments
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-09-30 11:15:35 +00:00
Madhu Rajanna
3d0cba1931 Remove rootfs from rbd provisioner pod
rootfs dependency was removed from rbd
by removing support for `nsenter`, This
PR removed the `/` mount from provisioner

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-27 06:29:56 +00:00
wilmardo
6ee381db3a refactor: Merge 1.13 and 1.14 Helm charts and improve charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-09-27 05:49:18 +00:00
Madhu Rajanna
70d49b4e47 tempate changes for containerized flag removal
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-23 13:22:29 +00:00
Madhu Rajanna
e2890a27ff connect to provisioner socket
Fixes: #619

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-09-20 08:13:19 +00:00
Madhu Rajanna
a81a3bf96b implement grpc metrics for ceph-csi
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-30 06:50:32 +00:00
wilmardo
3111e7712a feat: Adds Ceph logo as icon for Helm charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-08-20 05:34:28 +00:00
Madhu Rajanna
0da4bd5151 start controller or node server based on config
if both controller and nodeserver flags are set/unset
cephcsi will start both server,

if only one flag is set, it will start relavent
service.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-19 06:11:43 +00:00
Humble Chirammal
0fc7f4513b Snashotter update
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-08-19 05:06:42 +00:00
wilmardo
0a90762970 fix: Adds liveness sidecar to v1.14+ helm charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-08-16 08:38:49 +00:00
wilmardo
30fb7de118 feat: Implement helm lint
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-08-16 07:38:33 +00:00
Daniel-Pivonka
d621a58207 prometheus liveness probe sidecar
Signed-off-by: Daniel-Pivonka dpivonka@redhat.com
2019-08-13 17:51:41 +00:00
wilmardo
cba6115e30 Fix 1.13 charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-08-13 16:42:15 +00:00
wilmardo
ca5fbc180c Rework of helm charts
Signed-off-by: wilmardo <info@wilmardenouden.nl>
2019-08-13 16:42:15 +00:00
Niels de Vos
31648c8feb provisioners: add reconfiguring of PID limit
The container runtime CRI-O limits the number of PIDs to 1024 by
default. When many PVCs are requested at the same time, it is possible
for the provisioner to start too many threads (or go routines) and
executing 'rbd' commands can start to fail. In case a go routine can not
get started, the process panics.

The PID limit can be changed by passing an argument to kubelet, but this
will affect all pids running on a host. Changing the parameters to
kubelet is also not a very elegant solution.

Instead, the provisioner pod can change the configuration itself. The
pod is running in privileged mode and can write to /sys/fs/cgroup where
the limit is configured.

With this change, the limit is configured to 'max', just as if there is
no limit at all. The logs of the csi-rbdplugin in the provisioner pod
will reflect the change it makes when starting the service:

    $ oc -n rook-ceph logs -c csi-rbdplugin csi-rbdplugin-provisioner-0
    ..
    I0726 13:59:19.737678       1 cephcsi.go:127] Initial PID limit is set to 1024
    I0726 13:59:19.737746       1 cephcsi.go:136] Reconfigured PID limit to -1 (max)
    ..

It is possible to pass a different limit on the commandline of the
cephcsi executable. The following flag has been added:

    --pidlimit=<int>       the PID limit to configure through cgroups

This accepts special values -1 (max) and 0 (default, do not
reconfigure). Other integers will be the limit that gets configured in
cgroups.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2019-08-13 14:43:29 +00:00
ShyamsundarR
44f7b1fe4b Use "rbd device list" to list and find rbd images and their device paths
This change also starts mapping nbd based access using ther rbd CLI
as, it is a prerequisite to get device listing for nbd as well.

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-08-13 14:07:52 +00:00
Madhu Rajanna
02bcb5f16a Enable leader election in v1.14+
Use Deployment with leader election instead of StatefulSet

Deployment behaves better when a node gets disconnected
from the rest of the cluster - new provisioner leader
is elected in ~15 seconds, while it may take up to
5 minutes for StatefulSet to start a new replica.

Refer: kubernetes-csi/external-provisioner@52d1fbc

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-08-05 07:11:44 +00:00
ShyamsundarR
bd204d7d45 Use --keyfile option to pass keys to all Ceph CLIs
Every Ceph CLI that is invoked at present passes the key via the
--key option, and hence is exposed to key being displayed on
the host using a ps command or such means.

This commit addresses this issue by stashing the key in a tmp
file, which is again created on a tmpfs (or empty dir backed by
memory). Further using such tmp files as arguments to the --keyfile
option for every CLI that is invoked.

This prevents the key from being visible as part of the argument list
of the invoked program on the system.

Fixes: #318

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-07-25 12:46:15 +00:00
Madhu Rajanna
f4c80dec9a Implement NodeStage and NodeUnstage for rbd
in NodeStage RPC call  we  have to map the
device to the node plugin and make  sure  the
the device will be mounted to  the global path

in  nodeUnstage request unmount the device from
global path and unmap the device

if the volume mode is block  we will be creating
a file inside a stageTargetPath  and it will be
considered  as the global path

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-07-24 12:49:21 +00:00
ShyamsundarR
c4a3675cec Move locks to more granular locking than CPU count based
As detailed in issue #279, current lock scheme has hash
buckets that are count of CPUs. This causes a lot of contention
when parallel requests are made to the CSI plugin. To reduce
lock contention, this commit introduces granular locks per
identifier.

The commit also changes the timeout for gRPC requests to Create
and Delete volumes, as the current timeout is 10s (kubernetes
documentation says 15s but code defaults are 10s). A virtual
setup takes about 12-15s to complete a request at times, that leads
to unwanted retries of the same request, hence the increased
timeout to enable operation completion with minimal retries.

Tests to create PVCs before and after these changes look like so,

Before:
Default master code + sidecar provisioner --timeout option set
to 30 seconds

20 PVCs
Creation: 3 runs, 396/391/400 seconds
Deletion: 3 runs, 218/271/118 seconds
  - Once was stalled for more than 8 minutes and cancelled the run

After:
Current commit + sidecar provisioner --timeout option set to 30 sec
20 PVCs
Creation: 3 runs, 42/59/65 seconds
Deletion: 3 runs, 32/32/31 seconds

Fixes: #279
Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-07-01 14:10:14 +00:00
Humble Chirammal
027331c186 Use sidecar which support cloning
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-06-28 01:11:06 +00:00
Madhu Rajanna
59d3365d3b update statefulset and daemonset api-version
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-06-25 14:00:46 +00:00
Madhu Rajanna
983f28ad2f Revert "Use Deployment with leader election instead of StatefulSet"
This reverts commit a151bec94b.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-06-14 13:39:03 +00:00
Madhu Rajanna
bccfafdfb2 update helm chart version
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-06-10 16:54:05 +05:30
Madhu Rajanna
a151bec94b Use Deployment with leader election instead of StatefulSet
Deployment behaves better when a node gets disconnected from the rest of
the cluster - new provisioner leader is elected in ~15 seconds, while
it may take up to 5 minutes for StatefulSet to start a new replica.

Refer: 52d1fbcf9d

Fixes: #335

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-06-10 09:51:22 +05:30
Humble Chirammal
45ae1c56e4 Promote sidecars to latest available version tags.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-06-02 15:01:34 +05:30
Madhu Rajanna
2d560ba087 update ceph-csi to build and use a single docker image
currently, we have 3 docker files(cephcsi,rbd,cephfs) in the ceph-csi repo.
[commit ](85e121ebfe)
added by John to build a single image which can act as rbd or
cephfs based on the input configuration.

This PR updates the makefile and kubernetes templates to use
the unified image and also its deletes the other two dockerfiles.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-05-28 18:10:22 +00:00
ShyamsundarR
d02e50aa9b Removed config maps and replaced with rados omaps
Existing config maps are now replaced with rados omaps that help
store information regarding the requested volume names and the rbd
image names backing the same.

Further to detect cluster, pool and which image a volume ID refers
to, changes to volume ID encoding has been done as per provided
design specification in the stateless ceph-csi proposal.

Additional changes and updates,
- Updated documentation
- Updated manifests
- Updated Helm chart
- Addressed a few csi-test failures

Signed-off-by: ShyamsundarR <srangana@redhat.com>
2019-05-19 12:29:33 +00:00
Humble Chirammal
68ff602391 Resolve merge conflict
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-05-07 15:27:34 +05:30
Humble Chirammal
1eff2e1490 Merge branch 'master' of http://github.com/ceph/ceph-csi into csi-v1.0
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2019-05-07 15:14:14 +05:30
Miao Zhou
00e7e29996 bump up the chart version 2019-05-06 15:52:45 +08:00
Zhou Miao
a01c01b01b fix helm value pullPolicy mismatch bug 2019-04-25 12:03:44 +08:00
Kaushal M
63d00afb28
deploy: Use aggregated ClusterRoles
The kubernetes manifests and Helm templates have been updated to use
aggregated ClusterRoles. The same change has been done in Rook as well.

Refer rook/rook#2634 and rook/rook#2975

Signed-off-by: Kaushal M <kshlmster@gmail.com>
2019-04-17 11:15:08 +05:30
Yuxiang Zhu
35c55aeb68 add missing PV update permission for rbd attacher
PR #290 missed the update permission to persistentvolumes.

Without that permission, you will get the following error when attaching a RBD volume to a pod:

```
Warning  FailedAttachVolume  100s (x11 over 7m52s)  attachdetach-controller  AttachVolume.Attach failed for volume "pvc-d23f8745-60bb-11e9-bd35-5254001c78d6" : could not add PersistentVolume finalizer: persistentvolumes "pvc-d23f8745-60bb-11e9-bd35-5254001c78d6" is forbidden: User "system:serviceaccount:kube-system:rbd-csi-provisioner" cannot update resource "persistentvolumes" in API group "" at the cluster scope
```
2019-04-17 11:16:43 +08:00
Madhu Rajanna
849de000f4 updated helm chat version
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-04-04 11:13:16 +05:30
Madhu Rajanna
3767375b6a Add csidriver CRD
if attacher is not enabled, we need to
create the csidriver CRD with spec
to make attachRequired as false to
skip volume attach check in kube.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-04-04 11:11:29 +05:30
Madhu Rajanna
e4d830a2c2 remove extra node rules in provisioner
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-04-04 11:11:29 +05:30
Madhu Rajanna
c6b4e47723 add if condition for attacher
adding the condition will help us
to easily remove the attacher later.
or even we can add else condition
if we have an alternate to attacher.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2019-04-04 11:11:29 +05:30