Bumping the k8s.io dependencies to v0.26.7. The main intention
is to update the client-go library dependency for kube 1.27+,
where aggregated discovery is enabled. With client-go lower than
v0.26.4 in some cases it is possible that the discovery response
comes with the malformed response with nil GVK leading to Crash
Loop Back Off state.
Upstream kubernetes issue:
https://github.com/kubernetes/kubernetes/pull/116603
Signed-off-by: karthik-us <ksubrahm@redhat.com>
Currently, upgrade version for upgrade tests
need to be set in ci/centos branch.
This commit adds a variable in build.env,
so that we have the flexibility to use
this value instead.
Signed-off-by: Rakshith R <rar@redhat.com>
This commit makes sure sparsify() is not run when rbd
image is in use.
Running rbd sparsify with workload doing io and too
frequently is not desirable.
When a image is in use fstrim is run and sparsify will
be run only when image is not mapped.
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 98fdadfde7)
# Conflicts:
# internal/rbd/errors.go
The ceph-iscsi repository seems to provide broken metadata or packages.
Ceph-CSI does not need to install them, so disable the repository for
now.
It seems that other repositories gave issues before too, but these
repositories were disabled after installing all available updates. For
ceph-iscsi updating fails already, so disable the repositories before
updating.
Updates: #2034
Signed-off-by: Niels de Vos <ndevos@ibm.com>
(cherry picked from commit ebfd915ad6)
The ceph-iscsi repository seems to provide broken metadata or packages.
Ceph-CSI does not need to install them, so disable the repository for
now.
It seems that other repositories gave issues before too, but these
repositories were disabled after installing all available updates. For
ceph-iscsi updating fails already, so disable the repositories before
updating.
Updates: #2034
Signed-off-by: Niels de Vos <ndevos@ibm.com>
(cherry picked from commit 0efe8e4711)
this commit adds the validation for encryption
value as false, and sets the type as none
Signed-off-by: riya-singhal31 <rsinghal@redhat.com>
(cherry picked from commit 38f5e860e2)
even 1.9.9 i havign security vulnerabilities
https://github.com/ceph/ceph-csi/actions/
\runs/5088482029/jobs/9144940410?pr=3859
updating the vault to latest release and all other
updates are due to the dependency update by `go mod tidy`
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Installing Helm fails often in the CI. The Helm documentation does not
point to `https://git.io/get_helm.sh` anymore, but to a location on
GitHub. To make it easier to update the location in the future, it has
now been added to `build.env`, just like the `HELM_VERSION`.
See-also: https://helm.sh/docs/intro/install/
Signed-off-by: Niels de Vos <ndevos@ibm.com>
(cherry picked from commit bc167cc6f4)
By default, `cryptsetup luksFormat` uses Argon2i as Password-Based Key
Derivation Function (PBKDF), which not only has a CPU cost, but also a memory
cost (to make brute-force attacks harder).
The memory cost is based on the available system memory by default, which in
the context of Ceph CSI can be a problem for two reasons:
1. Pods can have a memory limit (much lower that the memory available on the
node, usually) which isn't taken into account by `cryptsetup`, so it can get
OOM-killed when formating a new volume;
2. The amount of memory that was used during `cryptsetup luksFormat` will then
be needed for `cryptsetup luksOpen`, so if the volume was formated on a node
with a lot of memory, but then needs to be opened on a different node with
less memory, `cryptsetup` will get OOM-killed.
This commit sets the PBKDF memory limit to a fixed value to ensure consistent
memory usage regardless of the specifications of the nodes where the volume
happens to be formatted in the first place.
The limit is set to a relatively low value (32 MiB) so that the `csi-rbdplugin`
container in the `nodeplugin` pod doesn't require an extravagantly high memory
limit in order to format/open volumes (particularly with operations happening
in parallel), while at the same time not being so low as to render it
completely pointless.
Signed-off-by: Benoît Knecht <bknecht@protonmail.ch>
(cherry picked from commit 1852e977f8)
Currently the Ceph-CSI community is on the 'free' Slack instance at
https://cephcsi.slack.com. The Ceph project uses a Slack instance that
we can use for Ceph-CSI as well. In order to integrate more with other
Ceph projects, we should ideally be active on the same Slack instance.
For now, we have `#ceph-csi` as only channel on the
https://ceph-storage-slack.com, we can add more channels if needed.
See-also: https://ceph.io/en/community/connect/
Signed-off-by: Niels de Vos <ndevos@ibm.com>
(cherry picked from commit ea3cd2b5e4)
After the `ok-to-test` label was added, the commenter will remove the
label again. There is no need for Mergify to re-add the label while CI
jobs are still running.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
There is no need to run the `test-retest-action` GitHub Workflow if
there are no changes under the `actions/retest` directory.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Currently commitlint is only skipped for PR at the time dependabot
creates them. Once Mergify rebases them, commitlint is started anyway.
This causes failed CI runs, which then need to be ignored. It is cleaner
to not run commitlint on any PR that dependabot owns.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Sometimes Mergify removed the `ok-to-test` label before the Pull Request
Commentor action have been run. With the updated commentor action, the
`ok-to-test` label is removed after leaving comments. There is no need
for Mergify to remove the label anymore.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Once the comments have been added, the `ok-to-test` label can be
removed. This makes it possible to simplify the Mergify configuration.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
