setting privileged as pod security enforcement level
to run test on kubernetes 1.25
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 607c654263)
remove the podsecurity feature-gate
from minikube.sh, because of it
kubernetes 1.25.0 deployment is failing
fixes: #3358
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 0e294d66e2)
as PSP is deprecated in kubernetes 1.21
and will be removed in kubernetes 1.25
removing the existing PSP related templates
from the repo and updated the required documents.
fixes#1988
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 96a3aabe5a)
based on the discussion on the slack
channel. we are adding a github action
to trigger the CI jobs when a ok-to-test
label is added on the PR.
This action is based on below github action
https://github.com/peter-evans/create-or-update-comment
Sample Demo avaiable at
https://github.com/Madhu-1/
\label-commentor-action-testing/pull/4
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 659567cfdc)
To avoid subvolume leaks if the SetAllMetadata
operations fails delete the subvolume.
If any operation fails after creating the subvolume
we will remove the omap as the omap gets
removed we will need to remove the subvolume to
avoid stale resources.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 302fead713)
A vulnerability was found in golang.org/x/text/language package which
could cause a denial of service. An attacker can craft an
Accept-Language header which ParseAcceptLanguage will take significant
time to parse.
Version v0.3.8 of golang.org/x/text fixes a vulnerability.
See-also: https://go.dev/issue/56152
See-also: https://bugzilla.redhat.com/CVE-2022-32149
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit e08005f402)
This commit makes the following changes:
`Please replace \":code_blocks => false\" \`
`by \":ignore_code_blocks => true\" in your configuration.`
Some rules are ignore for the time being,
these will be fixed later on.
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit b3837d44ce)
The error message return from the GRPC
should be of GRPC error messages only
not the normal go errors. This commits
returns GRPC error if setAllMetadata
fails.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 69eb6e40dc)
If any operations fails after the volume creation
we will cleanup the omap objects, but it is missing
if setAllMetadata fails. This commits adds the code
to cleanup the rbd image if metadata operation fails.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 01d4a614c3)
As we need to compare the error type instead
of the error value we need to use errors.As
to check the API is implemented or not.
fixes: #3347
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit b40e8894f8)
Because the rbd-nbd tests fail with minikube and the Podman driver,
disable the tests for the time being.
Updates: #3431
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 386d3ddd6e)
There are occasions where deleting a PVC (or PV) never succeeds. The
reported status of the deleted object is sometimes empty, which suggests
that the PVC or PV was, in fact, deleted.
To diagnose the incorrect error checking, include the errors for
retrying in the logs.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 8eaf1d790d)
In case `wget` is not installed, downloading the Helm release will fail.
The `install-helm.sh` script won't return a fatal error in that case,
and CI jobs continue running in an environment that is not ready.
By adding a check that exist the script with a failure, the CI will now
correctly report a problem when Helm can not be downloaded.
See-also: #3430
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit fa97875dc9)
The scale down/up functions fail often with "deployment not found"
errors. Possibly deploying with Podman is slower than deploying in a
minikube VM, and there is a delay for the deployment to become
available.
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 8f915576c4)
When running on AWE EC2 virtual-machines, we'll use Podman instead of
installing a VM. The "none" driver might work as well, but it requires
additional dependencies to be installed, which may change over time with
new minikube or Kubernetes releases. Hopefully the Podman driver is less
affected with changes in dependencies.
Depends-on: #3419Closes: #3415
Signed-off-by: Niels de Vos <ndevos@redhat.com>
(cherry picked from commit 0cba72485c)
updated doc for 3.7.1 release is available with this commit.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit a799075cfc)
This commit adds blocklist range cmd feature,
while fallbacks to old blocklist one ip at a
time if the cmd is invalid(not available).
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit a57859dfa4)
use TokenRequest API by default for vault SA even with K8s versions < 1.24
Signed-off-by: Prashanth Dintyala <vdintyala@nvidia.com>
(cherry picked from commit 2a6487cbf5)
Incase the subvolumegroup is deleted
and recreated we need to restart the
cephcsi provisioner pod to clear cache
that cephcsi maintains. With this PR
if cephcsi sees NotFound error duing
subvolume creation it will reset the cache
for that filesystem so that in next RPC
call cephcsi will try to create the
subvolumegroup again
Ref: https://github.com/rook/rook/issues/10623
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 76064d8e34)
In a cluster we can have multiple filesystem
for that we need to have a map of
subvolumegroups to check filesystem is created
nor not.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit e56621cd66)
When a file on source is deleted same
need to be deleted on the destination,
with rsync we can achieve it.
fixes: #3329
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 9d46478794)
If the image is mirroring enabled
and primary consider it for mapping,
if the image is mirroring enabled but
not primary yet. return error message
until the image is marked as primary.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 71dbc7dbb4)
This commit change the default fsgroup policy for csi driver object
to "File" type which is the better/correct setting for the CSI volumes.
We have been using default value which is "ReadWriteOnceWithFSType".
with this change backward compatibility should be preserved.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 586a9cc8ee)
If the ceph cluster is of older version and doesnot
support metadata operation, Instead of failing
the request return the success if metadata
operation is not supported.
fixes#3347
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 038462ff43)
This commit updates csi-addons spec version
and modifies logging to strip replication
request secret using csi.StripSecret, then
with replication.protosanitizer if the former
fails. This is done in order to make sure
we strip csi and replication format of secrets.
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 40134772a7)
This commit uses %q instead %v in error messages
and adds result reason and message in kmip
verifyresponse().
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit f47839d73d)
This commit fixes a bug in kmip kms Decrypt
function, where emd.DEK was fed in a Nonce
instead of emd.Nonce by mistake.
Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit eaa0e14cb2)
This commit rebase the kubernetes version to 1.24.4 tree to make
sure we are using latest available bug fix release.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 2505c2ad14)
This commit add upgrade documentation for release 3.7.0
and also update support matrix for v3.7.0.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
(cherry picked from commit 1e2a777d67)
This commit add ceph_pre_quincy tag to the build. The main
reason being the changes or new APIs exposed in go-ceph version
v0.17.0 is part of this Ceph build tag. Enabling the same for
the reason.
Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
csi-addons server will advertise replication capability and
replication service will run with csi-addons server too.
Signed-off-by: Rakshith R <rar@redhat.com>
The Key Management Interoperability Protocol (KMIP)
is an extensible communication protocol
that defines message formats for the manipulation
of cryptographic keys on a key management server.
Ceph-CSI can now be configured to connect to
various KMS using KMIP for encrypting RBD volumes.
https://en.wikipedia.org/wiki/Key_Management_Interoperability_Protocol
Signed-off-by: Rakshith R <rar@redhat.com>
Currently, we use the Ubuntu 18.04 actions runner
for stale job. This runner will be deprecated
and removed in the beginning of Dec.
So should change the runner to use latest ubuntu.
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
getting is unused for linter "staticcheck"
(nolintlint) error message due to wrong
comment format. this the format now with
`//directive // comment`
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>