Commit Graph

110 Commits

Author SHA1 Message Date
Ruslan Khizhnyak
d56c9abbce helm: CSIDriver add labels and seLinuxMount disabling method
Signed-off-by: Ruslan Khizhnyak <rkhizhnyak@ptsecurity.com>
2024-03-21 10:07:23 +00:00
Praveen M
b9543d3fd3 helm: update template for rbd volumegroupsnapshot
This commit updates template for rbd VolumeGroupSnapshot.
The value is set to false by default.

Signed-off-by: Praveen M <m.praveen@ibm.com>
2024-03-18 17:00:45 +00:00
Dmytro Alieksieiev
fcaac58a1e helm: Include seLinuxMount only if KubeVersion greater or equal of 1.25
Signed-off-by: Dmytro Alieksieiev <1865999+dragoangel@users.noreply.github.com>
2024-03-13 07:40:19 +00:00
Niels de Vos
c9e64f9478 deploy: make the csi-*plugin containers the default for kubectl commands
When issues or bugs are reported, users often share the logs of the
default container in a Pod. These logs do not contain the required
information, as that mostly only can be found in the logs of the
Ceph-CSI container (named csi-cephfsplugin or csi-rbdplugin).

By moving the Ceph-CSI containers in the Pods to the 1st in the list,
they become the default container for commands like `kubectl logs`.

Signed-off-by: Niels de Vos <ndevos@ibm.com>
2024-02-14 16:23:52 +00:00
Sebastian Hoß
017dddcbfc helm: align seLinuxMount option w/ deploy folder
Signed-off-by: Sebastian Hoß <seb@xn--ho-hia.de>
2024-01-03 18:48:13 +00:00
Jan Nemcik
1fb6d8f891 helm: update node plugin cluster role
added permission to get nodes for rbd and cephfs nodeplugin daemonset

Signed-off-by: Jan Nemcik <jan.nemcik@solargis.com>
2023-12-11 10:59:50 +00:00
Praveen M
2309168943 helm: add default false value for --enable-read-affinity
Signed-off-by: Praveen M <m.praveen@ibm.com>
2023-12-06 18:18:21 +00:00
Ruslan Khizhnyak
ec29ec1ac2 helm: add extraDeploy option
To deploy additional manifests with the release.

Signed-off-by: Ruslan Khizhnyak <mustdiechik@gmail.com>
2023-11-23 13:50:44 +00:00
Ruslan Khizhnyak
802f22f0ae helm: add annotations secret manifest
To use mutating webhook to modify secrets.
For example banzaicloud vault webhook:
https://bank-vaults.dev/docs/mutating-webhook/annotations/

Signed-off-by: Ruslan Khizhnyak <mustdiechik@gmail.com>
2023-11-09 17:18:33 +00:00
Domonkos Cinke
d0fea3baed deploy: allow mkfsOptions
Signed-off-by: Domonkos Cinke <seayou@gmail.com>
2023-11-09 15:16:28 +00:00
KJ
0a53b0d9ba helm: Allow templating of RBD striping parameters
Allow templating of stripeUnit, stripeCount and objectSize
storageClass parameters in ceph-csi-rbd chart

Signed-off-by: Kingsley Jarrett <kj@kingj.net>
2023-11-09 09:58:39 +00:00
Praveen M
6719d6497f e2e: added test to verify read affinity functionality
e2e test case is added to test if read affinity is enabled by
verifying read_from_replica=localize option is passed

Signed-off-by: Praveen M <m.praveen@ibm.com>
2023-09-26 07:02:21 +00:00
Praveen M
1b20fec20d helm: add option to enable read affinity for rbd
This commit adds --enable-read-affinity flag to
enable read affinity for rbd

Signed-off-by: Praveen M <m.praveen@ibm.com>
2023-09-26 07:02:21 +00:00
Garen Fang
37018a2eef helm: add imagePullSecrets option
Currently the Helm chart does not contain a
imagePullSecrets option when you are using
private container registry, this is very inconvenient.
This PR add this option for both CephFS and RBD.

Signed-off-by: Garen Fang <fungaren@qq.com>
2023-06-16 04:37:03 +00:00
DashJay
9df4634fd0 deploy: fix bug of ceph-csi-rbd helm chart
fix bug that make provisioner get dup affinities
when deploy helm chart ceph-csi-rbd and ceph-csi-cephfs.

Signed-off-by: DashJay <45532257+dashjay@users.noreply.github.com>
2023-05-22 06:34:19 +00:00
Domonkos Cinke
b7b491c097 deploy: add extraArgs for sidecars
Add the ability to control more arguments for CSI sidecar components.

Signed-off-by: Domonkos Cinke <seayou@gmail.com>
2023-01-05 15:58:48 +00:00
Humble Chirammal
b258628b05 helm: get rid of storage group enablement based on the version
deploy: remove beta storage group mention from csidriver yaml

the kubernetes version based enablement of storage api group
enablement is no longer requried and its already on v1 for
supported kubernetes versions.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-11-11 16:41:24 +00:00
BOSSER, Bastien
dea07aa184 deploy: add commonLabels value
Signed-off-by: BOSSER, Bastien <bastien.bosser@atos.net>
2022-11-02 11:28:18 +00:00
Humble Chirammal
1e0bd66108 rbd: make default fstype explicit to ext4
With the attacher sidecar update to v4.0.0 this has to be set
explictly.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-09-21 22:00:24 +00:00
Humble Chirammal
586a9cc8ee rbd: change default FsGroupPolicy to "File" for RBD CSI driver
This commit change the default fsgroup policy for csi driver object
to "File" type which is the better/correct setting for the CSI volumes.
We have been using default value which is "ReadWriteOnceWithFSType".
with this change backward compatibility should be preserved.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-09-05 07:06:37 +00:00
Madhu Rajanna
96a3aabe5a deploy: remove psp from cephcsi
as PSP is deprecated in kubernetes 1.21
and will be removed in kubernetes 1.25
removing the existing PSP related templates
from the repo and updated the required documents.

fixes #1988

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-08-23 07:53:46 +00:00
Humble Chirammal
76ddf8e306 deploy: introduce new log level for sidecar controllers
At present we have single log level configuration for all the containers
running for our CSI pods, which has been defaulted to log Level 5.
However this cause many logs to be spitted in a cluster and cause log
spamming to an extent. This commit introduce one more log level control
for CSI pods called sidecarLogLevel which defaults to log Level 1.

The sidecar controllers like snapshotter, resizer, attacher..etc has
been configured with this new log level and driver pods are with old
configruation value.

This allow us to have different configuration options for sidecar
constrollers and driver pods.

With this, we will also have a choice of different configuation setting
instead of locking onto one variable for the containers deployed via CSI driver.

To summarize the CSI containers maintained by Ceph CSI driver has log
level 5 and controllers/sidecars not maintained by Ceph CSI driver has
log level 1 configuration.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-07-28 08:31:37 +00:00
Yati Padia
776821f17f deploy: update csi-provisioner to latest version
This commits updates csi-provisioner sidecar to
latest version i.e., v3.2.0.

fixes: #3184

Signed-off-by: Yati Padia <ypadia@redhat.com>
2022-07-19 14:42:21 +00:00
Carsten Buchberger
b262f06c33 helm: enable host networking for provisioner
Adds the possibility in the helm-chart to enable hostNetworking
for provider pods.

Signed-off-by: Carsten Buchberger <c.buchberger@witcom.de>
2022-07-04 15:14:59 +00:00
Prasanna Kumar Kalever
dc738b96b4 deploy: add setmetadata=true in the templates
setmetadata on the volume by default, otherwise e2e will fail

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-06-28 19:12:53 +00:00
Prasanna Kumar Kalever
d3650ae863 deploy: fix the staging path accordingly in the templates
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-06-24 12:23:29 +00:00
Madhu Rajanna
7a2dd4c3cf rbd: create token and use it for vault SA
create the token if kubernetes version in
1.24+ and use it for vault sa.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
Signed-off-by: Rakshith R <rar@redhat.com>
2022-06-17 11:37:59 +00:00
Prasanna Kumar Kalever
fb58d73b1b deploy: add cluster name in the templates
added in helm charts which should help users.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-06-08 16:23:59 +00:00
Humble Chirammal
9b64e0a170 helm: enable RecoverVolumeExpansionFailure feature gate
This commit enable the mentioned feature gate which helps to
recover from volume expansion failures.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-05-25 18:03:16 +00:00
Silvan Loser
06c4477ff9 helm: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
2022-04-22 23:36:02 +00:00
Prasanna Kumar Kalever
d870cb152a deploy: add --extra-create-metadata arg to csi-snapshotter sidecar
This argument in csi-snapshotter sidecar allows us to receive
snapshot-name/snapshot-namespace/snapshotcontent-name metadata in the
CreateSnapshot() request.

For ex:

csi.storage.k8s.io/volumesnapshot/name
csi.storage.k8s.io/volumesnapshot/namespace
csi.storage.k8s.io/volumesnapshotcontent/name

This is a useful information which can be used depend on the use case we
have at our driver. The features like adding metadata to snapshot image
can consume this based on the need.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2022-04-08 15:43:14 +00:00
Rakshith R
40de75e0db rbd: modify oidc token file path according to FHS 3.0
OIDC token file path has been modified from
`/var/run/secrets/token` to `/run/secrets/tokens`.
This has been done to ensure compliance with
FHS 3.0.

refer:
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-23 13:29:35 +00:00
Rakshith R
4f0bb2315b rbd: add aws-sts-metdata encryption type
With Amazon STS and kubernetes cluster is configured with
OIDC identity provider, credentials to access Amazon KMS
can be fetched using oidc-token(serviceaccount token).
Each tenant/namespace needs to create a secret with aws region,
role and CMK ARN.
Ceph-CSI will assume the given role with oidc token and access
aws KMS, with given CMK to encrypt/decrypt DEK which will stored
in the image metdata.

Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
Resolves: #2879

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-16 07:29:56 +00:00
Silvio Gissi
9c50e255fb helm: make ceph.conf ConfigMap name configurable
ConfigMap name was hardcoded and led to conflicts. Fixes #2858.

Signed-off-by: Silvio Gissi <silvio@gissilabs.com>
2022-02-21 07:25:22 +00:00
Francesco Astegiano
4235178f7c helm: Add selinuxMount flag to enable/disable /etc/selinux host mount
Add selinuxMount flag to enable/disable /etc/selinux host mount inside pods
to support selinux-enabled filesystems

Signed-off-by: Francesco Astegiano <francesco.astegiano@gmail.com>
2022-02-16 12:48:00 +00:00
Deividas Burškaitis
91c22f521b helm: add port sections to helm templates
to show what ports containers are exposing add port sections to nodeplugin
and provisioner helm templates

Signed-off-by: Deividas Burškaitis <deividas.burskaitis@oxylabs.io>
2022-02-15 10:06:26 +00:00
Madhu Rajanna
0311eb5f44 helm: remove namespace from storageclass yaml
removes namespace from non-namespaced storageclass
object.

fixes: #2714

Replacement for #2715 as we didnt receive any update
and PR is already closed.

Co-authored-by: jhrcz-ls
Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-02-11 12:32:58 +00:00
Humble Chirammal
de2489ed7d deploy: update csi-snapshotter sidecar to v5.0.1
This release of snapshotter has a breaking change as mentioned
in the release note:

Refer#
[1]: https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v5.0.0

RBAC rules are also updated with this commit.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-02-03 19:01:57 +00:00
Madhu Rajanna
28fef9b379 cleanup: remove thick provisioning code
This commit removes the thick provisioning
code as thick provisioning is deprecated in
cephcsi 3.5.0.

fixes: #2795

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-01-28 11:17:15 +00:00
Niels de Vos
ee2e97b62d deploy: add CSI-Addons endpoint
Deployments place all sockets for communicating with CSI components in
the shared `/csi` directory. The CSI-Addons socket was introduced
recently, but not configured to be in the same location (by default
placed in `/tmp`).

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2021-12-22 13:21:59 +00:00
Steven Reitsma
6be0e8cb51 helm: Fix missing ClusterRoleBinding for nodeplugin ServiceAccount
When topology is disabled, the ClusterRoleBinding is not created in the Helm
chart. However, the nodeplugin needs access to volumeattachments for the volume
healer.

Signed-off-by: Steven Reitsma <steven@properchaos.nl>
2021-12-22 11:06:11 +00:00
Toby Jackson
989905aa9f helm: csiplugin-configmap generates invalid configuation
When generating csiconfiguration from values the config.json key gets merged with cluster-mapping.json
as the config.json toYaml element supresses a newline.

This fixes the situation where configuration is generated as shown;

```
 data:
   config.json: |-
    [{"clusterID":"....","monitors":["..."]}]cluster-mapping.json: |-
    []
```

Signed-off-by: Toby Jackson <toby@warmfusion.co.uk>
2021-11-25 06:31:38 +00:00
Prasanna Kumar Kalever
9a3170bf77 rbd: provide a way to disable the auto fallback to nbd mounter
This change allows the user to choose not to fallback to NBD mounter
when some ImageFeatures are absent with krbd driver, rather just fail
the NodeStage call.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-11-01 08:17:36 +00:00
Shaohui Liu
af752dd38f helm: support adding annotations to StorageClasses
Signed-off-by: Shaohui Liu <liushaohui@xiaomi.com>
2021-10-28 16:56:12 +00:00
Madhu Rajanna
e45bf03bd8 helm: remove securityContext from cephfs deployment
we dont need securityContext for the cephfs provisioner
pod as its not doing any special operations like mount,
selinux operations etc .

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Madhu Rajanna
f267d77801 helm: remove extra volumes from rbd plugin PSP
removed extra volume permissions from the rbd
nodeplugin PSP

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Madhu Rajanna
6f1066fd36 helm: reduce the PSP permission for rbd deployment
rbd deployment doesnot need extra permission like
privileged and extra volumes etc.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-22 07:12:34 +00:00
Prasanna Kumar Kalever
c9cc36d8db rbd: provide alternatives to preserve the ceph log files
Currently, we delete the ceph client log file on unmap/detach.

This patch provides additional alternatives for users who would like to
persist the log files.

Strategies:
-----------
`remove`: delete log file on unmap/detach
`compress`: compress the log file to gzip on unmap/detach
`preserve`: preserve the log file in text format

Note that the default strategy will be remove on unmap, and these options
can be tweaked from the storage class

Compression size details example:

On Map: (with debug-rbd=20)
---------
$ ls -lh
-rw-r--r-- 1 root root 526K Sep  1 18:15
rbd-nbd-0001-0024-fed5480a-f00f-417a-a51d-31d8a8144c03-0000000000000003-d2e89c87-0b4d-11ec-8ea6-160f128e682d.log

On unmap:
---------
$ ls -lh
-rw-r--r-- 1 root root  33K Sep  1 18:15
rbd-nbd-0001-0024-fed5480a-f00f-417a-a51d-31d8a8144c03-0000000000000003-d2e89c87-0b4d-11ec-8ea6-160f128e682d.gz

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-09-16 13:55:15 +00:00
Prasanna Kumar Kalever
314516cedd deploy: fix cephLogDir passing to storageclass via helm
cephLogDir: is a storage class option that is passed to rbd-nbd daemon.
cephLogDirHostPath: is a nodeplugin daemonset level option that helps in
                   using the right host-path while bind-mounting

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
2021-09-16 13:55:15 +00:00
Madhu Rajanna
d22e7a1bdb helm: update templates for ceph.conf
updated cephfs and rbd templates to
configure the ceph.conf content.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2021-09-03 14:14:43 +00:00