Commit Graph

4354 Commits

Author SHA1 Message Date
Niels de Vos
b036537e1c doc: add Open Source Security Foundation (OpenSSF) best practices badge
The project is currently at 54% of the best practices. Hopefully this
badge creates some interest in increasing the grade.

See-also: https://bestpractices.coreinfrastructure.org/projects/5940
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-25 06:17:56 +00:00
Silvan Loser
f2e0fa28fb deploy: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true:

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
2022-04-22 23:36:02 +00:00
Silvan Loser
06c4477ff9 helm: allowPrivilegeEscalation: true in containerSecurityContext
When running the kubernetes cluster with one single privileged
PodSecurityPolicy which is allowing everything the nodeplugin
daemonset can fail to start. To be precise the problem is the
defaultAllowPrivilegeEscalation: false configuration in the PSP.
 Containers of the nodeplugin daemonset won't start when they
have privileged: true but no allowPrivilegeEscalation in their
container securityContext.

Kubernetes will not schedule if this mismatch exists cannot set
allowPrivilegeEscalation to false and privileged to true

Signed-off-by: Silvan Loser <silvan.loser@hotmail.ch>
Signed-off-by: Silvan Loser <33911078+losil@users.noreply.github.com>
2022-04-22 23:36:02 +00:00
Madhu Rajanna
432787fee2 doc: add new hackmd link for meeting minutes
replaced google doc link with new hackmd
link for upstream meetings.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 12:52:23 +00:00
Madhu Rajanna
5e1a074ea3 doc: update doc for 3.6.1 release
updated doc for 3.6.1 release, this will
be backported to release-v3.6 branch and
we will make deployment changes and do release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-22 09:05:09 +00:00
Niels de Vos
5e66372e31 e2e: allow RWOP tests to fail
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 16:22:49 +00:00
Niels de Vos
b82af7559b e2e: add -clusterid=... for selecting a Ceph cluster
The Ceph cluster-id is usually detected with `ceph fsid`. This is not
always correct, as the the Ceph cluster can also be configured by name.
If the -clusterid=... is passed, it will be used instead of trying to
detect it with `ceph fsid`.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 16:22:49 +00:00
Niels de Vos
e30364cb4d e2e: introduce getClusterID() helper
There are many locations where the cluster-id (`ceph fsid`) is obtained
from the Rook Toolbox. Instead of duplicating the code everywhere, use a
new helper function getClusterID().

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 16:22:49 +00:00
Niels de Vos
b20e3fa784 e2e: allow passing CephFS filesystem name on CLI
A new -filesystem=... option has been added so that the e2e tests can
run against environments that do not have a "myfs" CephFS filesystem.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 16:22:49 +00:00
Niels de Vos
fcb4701a06 e2e: cleanup StorageClass create retry
StorageClasses are cluster resources, not namespaced; there is no need
to log the namespace of a StorageClass.

When creating a StorageClass, NotFound is not an error that will be
returned, not need to check for it.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 10:48:04 +00:00
Niels de Vos
b235c171ba e2e: retry creation of the RBD StorageClass
On occasion the creation of the StorageClass can fail due to an
etcdserver timeout. If that happens, the creation can be attempted after
a delay.

This has already been done for CephFS StorageClasses, but was missed for
RBD.

See-also: ceph/ceph-csi@8a0377ef02
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 10:48:04 +00:00
Humble Chirammal
e8652ee366 helm: update helm version to v3.8.2
This commit update the helm version to latest available
v3.8.2.

Refer# https://github.com/helm/helm/releases/tag/v3.8.2

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-21 06:16:55 +00:00
Niels de Vos
e3d061075c e2e: use ResourceDeployer for RBD
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 00:22:53 +00:00
Niels de Vos
60442fa916 e2e: use ResourceDeployer for CephFS
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 00:22:53 +00:00
Niels de Vos
2b4bb63eb8 e2e: introduce ResourceDeployer interface
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-21 00:22:53 +00:00
Niels de Vos
701b5d7ecb e2e: Add early return in Context() for disabled tests
Some parts of the Context() seem to get executed, even when BeforeEach()
did a Skip() for the test. By adding a return inside the Context(), the
tests should not get executed at all.

This was noticed in a failed test, where upgrade was running, eventhough
the job was executed as a nornal non-upgrade one.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-20 17:34:00 +00:00
Niels de Vos
ef1d589caa ci: use requeue instead of refresh for re-adding PRs to the queue
The current version of Mergify provides a `requeue` command in addition
to `refresh`. After a CI job failed, the PR needs to be re-added to the
queue, so the `requeue` command is more appropriate.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-20 12:38:46 +00:00
Humble Chirammal
0dfc15121c deploy: change the image registry for sidecars
This commit change the image registry URL for sidecars in the
deployment from `k8s.gcr.io` to `registry.k8s.io` as
the migration is happening from former to the latter. This commit
also correct the e2e readme for the change.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-20 10:05:13 +00:00
Humble Chirammal
7d3fd4f683 nfs: change the image registry for sidecars
This commit change the image registry URL for sidecars in the
NFS deployment from `k8s.gcr.io` to `registry.k8s.io` as
the migration is happening from former to the latter.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-20 10:05:13 +00:00
Humble Chirammal
6d06698672 rbd: change the image registry for sidecars
This commit change the image registry URL for sidecars in the
RBD deployment from `k8s.gcr.io` to `registry.k8s.io` as
the migration is happening from former to the latter.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-20 10:05:13 +00:00
Humble Chirammal
1ced736447 cephfs: change the image registry for sidecars
This commit change the image registry URL for sidecars in the
CephFS deployment from `k8s.gcr.io` to `registry.k8s.io` as
the migration is happening from former to the latter.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-20 10:05:13 +00:00
Madhu Rajanna
d2bc9743f7 cephfs: add netNamespaceFilePath for CephFS
as same host directory is not shared between
the cephfs and the rbd plugin pod. we need
to keep the netNamespaceFilePath separately
for both cephfs and rbd. CephFS plugin will
use this path to execute mount -t commands.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-19 12:28:46 +00:00
Madhu Rajanna
eb4bfb7326 cleanup: use block comment for ClusterInfo example
Adjusted the mix of tabs and the spaces and also
used block comment for better readability.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-19 12:28:46 +00:00
Madhu Rajanna
b4acbd08a5 rbd: move radosNamespace to RBD section
As radosNamespace is more specific to
RBD not the general ceph configuration. Now
we introduced a new RBD section for RBD specific
options, Moving the radosNamespace to RBD section
and keeping the radosNamespace still under the
global ceph level configration for backward
compatibility.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-19 12:28:46 +00:00
Madhu Rajanna
766346868e util: Add RBD specific options in clusterInfo
As the netNamespaceFilePath can be separate for
both cephfs and rbd adding the netNamespaceFilePath
path for RBD, This will help us to keep RBD and
CephFS specific options separately.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-19 12:28:46 +00:00
Niels de Vos
2b71aac752 nfs: return gRPC status from CephFS CreateVolume failure
The NFS Controller returns a non-gRPC error in case the CreateVolume
call for the CephFS volume fails. It is better to return the gRPC-error
that the CephFS Controller passed along.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-19 08:23:16 +00:00
dependabot[bot]
8655a55b2e rebase: bump github.com/aws/aws-sdk-go from 1.43.32 to 1.43.41
Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.43.32 to 1.43.41.
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Changelog](https://github.com/aws/aws-sdk-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.43.32...v1.43.41)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-19 06:19:30 +00:00
Humble Chirammal
fcd0f4713a cleanup: correct typos in test description and source code
this commit correct typos in various places.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-18 10:29:08 +00:00
Humble Chirammal
4c4879ba8b cleanup: remove import alias for fence library
this commit remove unneeded import alias of fence library
from the network_fence test.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-18 10:29:08 +00:00
dependabot[bot]
8c34554e17 rebase: bump github.com/container-storage-interface/spec
Bumps [github.com/container-storage-interface/spec](https://github.com/container-storage-interface/spec) from 1.5.0 to 1.6.0.
- [Release notes](https://github.com/container-storage-interface/spec/releases)
- [Commits](https://github.com/container-storage-interface/spec/compare/v1.5.0...v1.6.0)

---
updated-dependencies:
- dependency-name: github.com/container-storage-interface/spec
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-18 03:25:47 +00:00
Madhu Rajanna
c245436ec4 util: fix logging in ExecuteCommandWithNSEnter
log the nsenter and its argument after executing
the command with the nsenter CLI.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-14 12:17:21 +00:00
Niels de Vos
6b34e6c899 deploy: use k8s.gcr.io registry for the NFS-nodeplugin
Kubernetes CSI now hosts the container-image for the NFS-nodeplugin in
the the k8s.gcr.io instead of the Microsoft registry.

See-also: kubernetes-csi/csi-driver-nfs@7b5b6f344
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-14 09:06:49 +00:00
Niels de Vos
282c33cb58 rebase: use go-ceph version with NFS-Admin API
The NFS-Admin API has been added to go-ceph v0.15.0. As the API can not
be tested in the go-ceph CI, it requires build-tag `ceph_ci_untested`.
This additional build-tag has been added to the `Makefile` and should be
removed when the API does not require the build-tag anymore.

See-also: ceph/go-ceph#655
Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-14 08:01:45 +00:00
Niels de Vos
28369702d2 nfs: use go-ceph API for creating/deleting exports
Recent versions of Ceph allow calling the NFS-export management
functions over the go-ceph API.

This seems incompatible with older versions that have been tested with
the `ceph nfs` commands that this commit replaces.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-14 08:01:45 +00:00
Madhu Rajanna
d886ab0d66 rbd: use leases for leader election
use leases for leader election instead
of the deprecated configmap based leader
election.

This PR is making leases as default leader election
refer https://github.com/kubernetes-sigs/
controller-runtime/pull/1773, default from configmap
to configmap leases was done with
https://github.com/kubernetes-sigs/
controller-runtime/pull/1144.

Release notes https://github.com/kubernetes-sigs/
controller-runtime/releases/tag/v0.7.0

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-14 06:46:50 +00:00
Madhu Rajanna
2205145654 e2e: remove claimRef after deleting the PVC
Instead of patching the PV to update
the persistentVolumeReclaimPolicy and
the claimRef before deleting the PVC.
Patch PV persistentVolumeReclaimPolicy to Retain
to retain the PV after deleting the PVC.
Remove the claimRef on the PV after deleting
the PVC so that claim can be attached to a new PVC.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-13 17:35:42 +00:00
Rakshith R
784b086ea5 nfs: add provisioner & plugin sa to scc.yaml
This commit adds nfs provisioner & plugin sa to
scc.yaml to be used with openshift.

Signed-off-by: Rakshith R <rar@redhat.com>
2022-04-13 09:14:15 +00:00
Madhu Rajanna
64a9b1fa59 rbd: consider remote image health for primary
To consider the image is healthy during the Promote
operation currently we are checking only the image
state on the primary site. If the network is flaky
or the remote site is down the image health is
not as expected. To make sure the image is healthy
across the clusters check the state on both local
and the remote clusters.

some details:
https://bugzilla.redhat.com/show_bug.cgi?id=2014495

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-13 08:37:23 +00:00
Humble Chirammal
b64c7583a9 e2e: remove the release check in clone test validation
we no longer require the kubernetes validation for clone tests in
the e2e tests. This commit remove it for CephFS.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-13 04:55:50 +00:00
Humble Chirammal
5e23010e2b e2e: remove the release check in clone test validation
we no longer require the kubernetes validation for clone tests in
the e2e tests. This commit remove it for RBD.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-13 04:55:50 +00:00
Niels de Vos
5bc8584b02 e2e: add -is-openshift option to disable certain checks
On OpenShift it is not possible for the Rook toolbox to get the metrics
from Kubelet (without additional configuration). By passing
-is-openshift, the metrics are not checked, and the e2e suite does not
fail on that particular piece.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-12 22:43:15 +00:00
Niels de Vos
92866f46fd e2e: allow passing CephFS filesystem name on CLI
A new -filesystem=... option has been added so that the e2e tests can
run against environments that do not have a "myfs" CephFS filesystem.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-12 22:43:15 +00:00
Niels de Vos
ab5ca13586 e2e: return useful error message when ConfigMap creation fails
In case the toolbox pod is not available, the error message lists that
no Pods are found, but there is no hint about the toolbox. By mentioning
the toolbox in the error message, it suggests a good place to start
troubleshooting the environment.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
2022-04-12 22:43:15 +00:00
Humble Chirammal
6043a30877 e2e: change the default release version of upgrade tests
This commit correct the release version of upgrade tests from
unsupported 3.3.1 to supported version.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-12 08:54:55 +00:00
Humble Chirammal
a6a1a7775e doc: mention csi string in flag arguments correctly
This commit correct the csi string mention in the documentation.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-12 08:54:55 +00:00
Madhu Rajanna
dffb6e72c2 rbd: check nbd tool features only for rbd driver
calling setRbdNbdToolFeatures inside an init
gets called in main.go for both cephfs and rbd
driver. instead of calling it in init function
calling this in rbd driver.go as this is specific
to rbd.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2022-04-11 21:18:27 +00:00
dependabot[bot]
539050a857 rebase: bump github.com/aws/aws-sdk-go-v2/service/sts
Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.16.0 to 1.16.3.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.16.0...service/efs/v1.16.3)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-11 17:17:05 +00:00
Humble Chirammal
a44a97f3c5 deploy: snapshot deployment is no longer beta
Considering snapshot controllers have been moved to GA since
kube version 1.20, we no longer need to have a mention of beta
version of the same in our deployment.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-11 12:15:48 +00:00
Humble Chirammal
9b8bcbd874 e2e: correct the cephfs fuse verification podnames
The podnames were wrongly mention in the e2e tests and this correct
the same.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-11 12:15:48 +00:00
Humble Chirammal
959df4dbac doc: correct typos in struct field comments and release.md
corrected strings in the release guide and util server.

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
2022-04-11 06:23:25 +00:00