From 9b016ac1f4f24193e208c25cbe82838b207e80e5 Mon Sep 17 00:00:00 2001 From: Pavel Timofeev Date: Tue, 24 Sep 2024 02:53:38 -0600 Subject: [PATCH 1/4] Set readOnlyRootFilesystem: true for all containers (#67) --- charts/csi-driver-lvm/Chart.yaml | 2 +- charts/csi-driver-lvm/templates/controller.yaml | 3 +++ charts/csi-driver-lvm/templates/plugin.yaml | 4 ++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/csi-driver-lvm/Chart.yaml b/charts/csi-driver-lvm/Chart.yaml index 585d914..d61a4c3 100644 --- a/charts/csi-driver-lvm/Chart.yaml +++ b/charts/csi-driver-lvm/Chart.yaml @@ -1,5 +1,5 @@ name: csi-driver-lvm -version: 0.6.2 +version: 0.6.3 description: local persistend storage for lvm appVersion: v0.5.3 apiVersion: v1 diff --git a/charts/csi-driver-lvm/templates/controller.yaml b/charts/csi-driver-lvm/templates/controller.yaml index e85da51..928f39d 100644 --- a/charts/csi-driver-lvm/templates/controller.yaml +++ b/charts/csi-driver-lvm/templates/controller.yaml @@ -168,6 +168,7 @@ spec: - --v=5 - --csi-address=/csi/csi.sock securityContext: + readOnlyRootFilesystem: true privileged: true volumeMounts: - mountPath: /csi @@ -180,6 +181,7 @@ spec: - --csi-address=/csi/csi.sock - --feature-gates=Topology=true securityContext: + readOnlyRootFilesystem: true privileged: true volumeMounts: - mountPath: /csi @@ -191,6 +193,7 @@ spec: - -v=5 - -csi-address=/csi/csi.sock securityContext: + readOnlyRootFilesystem: true privileged: true volumeMounts: - mountPath: /csi diff --git a/charts/csi-driver-lvm/templates/plugin.yaml b/charts/csi-driver-lvm/templates/plugin.yaml index b49ab05..e203bf3 100644 --- a/charts/csi-driver-lvm/templates/plugin.yaml +++ b/charts/csi-driver-lvm/templates/plugin.yaml @@ -161,6 +161,7 @@ spec: imagePullPolicy: IfNotPresent resources: {} securityContext: + readOnlyRootFilesystem: true privileged: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File 
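Review bot: `readOnlyRootFilesystem: true` is added directly above `privileged: true` in the first controller.yaml hunk (@@ -168), and a privileged container keeps all capabilities and host device access, so the read-only root is not an effective boundary there. The same pairing appears in the other two controller.yaml hunks (@@ -180, @@ -191) and in the plugin.yaml hunk at @@ -161. The controller hunks show only the `/csi` socket directory mounted into these containers, so they probably do not need privileged mode; unless access to the socket requires it (for example under SELinux), replace `privileged: true` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`. The container specs start and end outside these hunks, so this should be confirmed against the full manifest.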
@@ -206,6 +207,7 @@ spec: protocol: TCP resources: {} securityContext: + readOnlyRootFilesystem: true privileged: true terminationMessagePath: /termination.log terminationMessagePolicy: File @@ -239,6 +241,8 @@ spec: image: {{ template "externalImages.csiLivenessprobe" . }} imagePullPolicy: IfNotPresent resources: {} + securityContext: + readOnlyRootFilesystem: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: From 1af04d9fa9e5aaa04cb6fc9516a6a9a2ffacd9df Mon Sep 17 00:00:00 2001 From: Gerrit Date: Tue, 24 Sep 2024 14:44:37 +0200 Subject: [PATCH 2/4] Add missing mount of lvm archive directory. (#104) --- charts/csi-driver-lvm/Chart.yaml | 2 +- charts/csi-driver-lvm/templates/plugin.yaml | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/charts/csi-driver-lvm/Chart.yaml b/charts/csi-driver-lvm/Chart.yaml index d61a4c3..c509e15 100644 --- a/charts/csi-driver-lvm/Chart.yaml +++ b/charts/csi-driver-lvm/Chart.yaml @@ -1,5 +1,5 @@ name: csi-driver-lvm -version: 0.6.3 +version: 0.6.4 description: local persistend storage for lvm appVersion: v0.5.3 apiVersion: v1 diff --git a/charts/csi-driver-lvm/templates/plugin.yaml b/charts/csi-driver-lvm/templates/plugin.yaml index e203bf3..7f001ff 100644 --- a/charts/csi-driver-lvm/templates/plugin.yaml +++ b/charts/csi-driver-lvm/templates/plugin.yaml @@ -231,6 +231,9 @@ spec: - mountPath: /etc/lvm/cache name: lvmcache mountPropagation: Bidirectional + - mountPath: /etc/lvm/archive + name: lvmarchive + mountPropagation: Bidirectional - mountPath: /run/lock/lvm name: lvmlock mountPropagation: Bidirectional @@ -285,6 +288,10 @@ spec: path: {{ .Values.lvm.hostWritePath }}/cache type: DirectoryOrCreate name: lvmcache + - hostPath: + path: {{ .Values.lvm.hostWritePath }}/archive + type: DirectoryOrCreate + name: lvmarchive - hostPath: path: {{ .Values.lvm.hostWritePath }}/lock type: DirectoryOrCreate From 9de7b22d48acd1fbe37b94ad5cd91270663e3c0d Mon Sep 17 00:00:00 2001 
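Review bot: The securityContext newly added to the liveness probe container (plugin.yaml hunk @@ -239) sets only `readOnlyRootFilesystem: true`, which leaves privilege escalation and the runtime's default capability set in place. This container previously had no securityContext at all, so it is the one place in the commit where a tight profile costs nothing: add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` next to the new line. Whether `runAsNonRoot: true` is also possible depends on the ownership of the CSI socket, which the hunk does not show.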
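Review bot: The new `/etc/lvm/archive` mount (plugin.yaml hunk @@ -231) copies `mountPropagation: Bidirectional` from its neighbours, although Bidirectional propagation is only needed where the container itself creates mounts that the host must see. The archive directory presumably holds LVM metadata files only, so the default propagation should be enough, and dropping the line narrows what this privileged container can push back to the host. The matching `hostPath` in the @@ -285 hunk uses `DirectoryOrCreate`, so the kubelet will create `archive` under whatever `lvm.hostWritePath` points to; a comment in values.yaml saying that this path must not be writable by unprivileged host users would help.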
From: Gerrit Date: Tue, 24 Sep 2024 16:15:24 +0200 Subject: [PATCH 3/4] Sidecars definition in csi-driver-lvm chart. (#103) --- .github/workflows/csi-driver-lvm.yaml | 8 ++-- charts/csi-driver-lvm/Chart.yaml | 4 +- charts/csi-driver-lvm/templates/_helpers.tpl | 39 ------------------- .../csi-driver-lvm/templates/controller.yaml | 6 +-- charts/csi-driver-lvm/templates/plugin.yaml | 4 +- charts/csi-driver-lvm/values.yaml | 22 +++++------ tests/csi-driver-lvm/Dockerfile | 4 +- 7 files changed, 22 insertions(+), 65 deletions(-) delete mode 100644 charts/csi-driver-lvm/templates/_helpers.tpl diff --git a/.github/workflows/csi-driver-lvm.yaml b/.github/workflows/csi-driver-lvm.yaml index 2c6afb5..c37fd04 100644 --- a/.github/workflows/csi-driver-lvm.yaml +++ b/.github/workflows/csi-driver-lvm.yaml @@ -12,15 +12,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Create k8s Kind Cluster - uses: helm/kind-action@v1.3.0 + uses: helm/kind-action@v1.10.0 with: + version: v0.24.0 install_only: true - name: Test run: | - for i in 100 101; do fallocate -l 1G loop${i}.img ; sudo losetup /dev/loop${i} loop${i}.img; done - sudo losetup -a make test-csi-driver-lvm + make cleanup-csi-driver-lvm diff --git a/charts/csi-driver-lvm/Chart.yaml b/charts/csi-driver-lvm/Chart.yaml index c509e15..7aab3c4 100644 --- a/charts/csi-driver-lvm/Chart.yaml +++ b/charts/csi-driver-lvm/Chart.yaml @@ -1,7 +1,7 @@ name: csi-driver-lvm -version: 0.6.4 +version: 0.7.0 description: local persistend storage for lvm -appVersion: v0.5.3 +appVersion: v0.6.0 apiVersion: v1 keywords: - storage diff --git a/charts/csi-driver-lvm/templates/_helpers.tpl b/charts/csi-driver-lvm/templates/_helpers.tpl deleted file mode 100644 index da1a285..0000000 --- a/charts/csi-driver-lvm/templates/_helpers.tpl +++ /dev/null 
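Review bot: The bumped actions in the workflow hunk are still referenced by mutable tags (`actions/checkout@v4`, `helm/kind-action@v1.10.0`), so CI runs whatever those tags point to at run time. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: helm/kind-action@<FULL_COMMIT_SHA>  # v1.10.0`, makes the workflow input reviewable and reproducible. Separately, `make cleanup-csi-driver-lvm` is appended to the same `run:` script as the test, so it will presumably be skipped when `make test-csi-driver-lvm` fails; a separate step with `if: always()` would run it in both cases.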
@@ -1,39 +0,0 @@ -{{- define "externalImages.csiAttacher" -}} -{{- if .Values.customCSISidecars.enabled -}} -{{- print .Values.customCSISidecars.attacher -}} -{{- else -}} -{{- print "registry.k8s.io/sig-storage/csi-attacher:v4.7.0" -}} -{{- end -}} -{{- end -}} - -{{- define "externalImages.csiProvisioner" -}} -{{- if .Values.customCSISidecars.enabled -}} -{{- print .Values.customCSISidecars.provisioner -}} -{{- else -}} -{{- print "registry.k8s.io/sig-storage/csi-provisioner:v5.1.0" -}} -{{- end -}} -{{- end -}} - -{{- define "externalImages.csiLivenessprobe" -}} -{{- if .Values.customCSISidecars.enabled -}} -{{- print .Values.customCSISidecars.livenessprobe -}} -{{- else -}} -{{- print "registry.k8s.io/sig-storage/livenessprobe:v2.12.0" -}} -{{- end -}} -{{- end -}} - -{{- define "externalImages.csiResizer" -}} -{{- if .Values.customCSISidecars.enabled -}} -{{- print .Values.customCSISidecars.resizer -}} -{{- else -}} -{{- print "registry.k8s.io/sig-storage/csi-resizer:v1.12.0" -}} -{{- end -}} -{{- end -}} - -{{- define "externalImages.csiNodeDriverRegistrar" -}} -{{- if .Values.customCSISidecars.enabled -}} -{{- print .Values.customCSISidecars.registrar -}} -{{- else -}} -{{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0" -}} -{{- end -}} -{{- end -}} diff --git a/charts/csi-driver-lvm/templates/controller.yaml b/charts/csi-driver-lvm/templates/controller.yaml index 928f39d..3c1283b 100644 --- a/charts/csi-driver-lvm/templates/controller.yaml +++ b/charts/csi-driver-lvm/templates/controller.yaml @@ -162,7 +162,7 @@ spec: serviceAccountName: csi-driver-lvm-controller containers: - name: csi-attacher - image: {{ template "externalImages.csiAttacher" . }} + image: {{ .Values.sidecarImages.attacher }} imagePullPolicy: IfNotPresent args: - --v=5 
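Review bot: `image: {{ .Values.sidecarImages.attacher }}` (controller.yaml hunk @@ -162) renders the value unquoted and unchecked, so a values override that omits or nulls the key produces an empty `image:` field that is only caught when the manifest is applied. The same pattern is in the two following controller.yaml hunks (provisioner, resizer) and in both plugin.yaml hunks (registrar, livenessprobe). Using `image: {{ required "sidecarImages.attacher must be set" .Values.sidecarImages.attacher | quote }}` fails at render time with a clear message. Deployments that still set `customCSISidecars.*` will have those overrides ignored after this change without any warning, which deserves a line in the chart's upgrade notes.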
@@ -174,7 +174,7 @@ spec: - mountPath: /csi name: socket-dir - name: csi-provisioner - image: {{ template "externalImages.csiProvisioner" . }} + image: {{ .Values.sidecarImages.provisioner }} imagePullPolicy: IfNotPresent args: - -v=5 @@ -187,7 +187,7 @@ spec: - mountPath: /csi name: socket-dir - name: csi-resizer - image: {{ template "externalImages.csiResizer" . }} + image: {{ .Values.sidecarImages.resizer }} imagePullPolicy: IfNotPresent args: - -v=5 diff --git a/charts/csi-driver-lvm/templates/plugin.yaml b/charts/csi-driver-lvm/templates/plugin.yaml index 7f001ff..67cdd1f 100644 --- a/charts/csi-driver-lvm/templates/plugin.yaml +++ b/charts/csi-driver-lvm/templates/plugin.yaml @@ -157,7 +157,7 @@ spec: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - image: {{ template "externalImages.csiNodeDriverRegistrar" . }} + image: {{ .Values.sidecarImages.registrar }} imagePullPolicy: IfNotPresent resources: {} securityContext: @@ -241,7 +241,7 @@ spec: args: - --csi-address=/csi/csi.sock - --health-port=9898 - image: {{ template "externalImages.csiLivenessprobe" . }} + image: {{ .Values.sidecarImages.livenessprobe }} imagePullPolicy: IfNotPresent resources: {} securityContext: diff --git a/charts/csi-driver-lvm/values.yaml b/charts/csi-driver-lvm/values.yaml index 8fbaf3a..ff89e65 100644 --- a/charts/csi-driver-lvm/values.yaml +++ b/charts/csi-driver-lvm/values.yaml 
@@ -21,14 +21,21 @@ compat03x: false pluginImage: repository: ghcr.io/metal-stack/csi-driver-lvm - tag: v0.5.3 + tag: v0.6.0 pullPolicy: IfNotPresent provisionerImage: repository: ghcr.io/metal-stack/csi-driver-lvm-provisioner - tag: v0.5.3 + tag: v0.6.0 pullPolicy: IfNotPresent +sidecarImages: + attacher: k8s.gcr.io/sig-storage/csi-attacher:v3.5.0 + livenessprobe: k8s.gcr.io/sig-storage/livenessprobe:v2.7.0 + provisioner: k8s.gcr.io/sig-storage/csi-provisioner:v3.2.1 + registrar: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.1 + resizer: k8s.gcr.io/sig-storage/csi-resizer:v1.6.0 + kubernetes: kubeletPath: /var/lib/kubelet @@ -48,17 +55,6 @@ storageClasses: additionalAnnotations: [] reclaimPolicy: Delete -customCSISidecars: - enabled: false - - ## uncomment and set these if enabled=true - - # attacher: k8s.gcr.io/sig-storage/csi-attacher:v3.5.0 - # livenessprobe: k8s.gcr.io/sig-storage/livenessprobe:v2.7.0 - # provisioner: k8s.gcr.io/sig-storage/csi-provisioner:v3.2.1 - # registrar: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.1 - # resizer: k8s.gcr.io/sig-storage/csi-resizer:v1.6.0 - nodeSelector: # The plugin daemonset will run on all nodes if it has a toleration, # so it is not necessary to set a nodeSelector for it diff --git a/tests/csi-driver-lvm/Dockerfile b/tests/csi-driver-lvm/Dockerfile index c93cd1f..100236b 100644 --- a/tests/csi-driver-lvm/Dockerfile +++ b/tests/csi-driver-lvm/Dockerfile @@ -1,7 +1,7 @@ -FROM dtzar/helm-kubectl:3.9.4 as helm-kubectl +FROM dtzar/helm-kubectl:3.16 AS helm-kubectl FROM bats/bats COPY --from=helm-kubectl /usr/local/bin/helm /usr/local/bin/helm COPY --from=helm-kubectl /usr/local/bin/kubectl /usr/local/bin/kubectl -ENTRYPOINT [ "bats" ] +ENTRYPOINT ["bats"] From 18c66f665a5c8c82df2cec29410f0fd8613702bb Mon Sep 17 00:00:00 2001 
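Review bot: The new `sidecarImages` defaults in values.yaml (hunk @@ -21) are a downgrade from what the chart rendered before this commit. The deleted `_helpers.tpl` defaulted to `registry.k8s.io/sig-storage/` with csi-attacher v4.7.0, csi-provisioner v5.1.0, livenessprobe v2.12.0, csi-resizer v1.12.0 and csi-node-driver-registrar v2.12.0, while the new values point at `k8s.gcr.io` with v3.5.0, v3.2.1, v2.7.0, v1.6.0 and v2.5.1; they look like the old commented-out `customCSISidecars` examples promoted to defaults. `k8s.gcr.io` is the legacy, frozen registry, so images pulled from it no longer receive fixes. Keep the previous references, e.g. `attacher: registry.k8s.io/sig-storage/csi-attacher:v4.7.0`, and consider pinning each image by digest (`...:v4.7.0@sha256:<DIGEST>`).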
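Review bot: Both base images in the test Dockerfile are referenced by floating tags: `dtzar/helm-kubectl:3.16` can be re-pushed and `FROM bats/bats` has no tag at all, so it resolves to `latest`. The `helm` and `kubectl` binaries are copied out of that third-party image, so a changed upstream image silently changes what the tests execute. Pinning each `FROM` to a version tag plus digest, e.g. `FROM bats/bats:<VERSION>@sha256:<DIGEST>`, keeps the image reproducible and makes upstream changes visible in review.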
From: Gerrit Date: Mon, 30 Sep 2024 14:47:42 +0200 Subject: [PATCH 4/4] Adapt to latest size reservations API. (#105) --- charts/metal-control-plane/Chart.yaml | 2 +- charts/metal-control-plane/templates/metal-api.yaml | 5 +++++ charts/metal-control-plane/values.yaml | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/charts/metal-control-plane/Chart.yaml b/charts/metal-control-plane/Chart.yaml index 8a133b7..d0440b6 100644 --- a/charts/metal-control-plane/Chart.yaml +++ b/charts/metal-control-plane/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v1 appVersion: "1.0" description: A Helm chart for deploying the metal control plane in K8s name: metal-control-plane -version: 0.4.4 +version: 0.4.5 diff --git a/charts/metal-control-plane/templates/metal-api.yaml b/charts/metal-control-plane/templates/metal-api.yaml index 228234e..282d849 100644 --- a/charts/metal-control-plane/templates/metal-api.yaml +++ b/charts/metal-control-plane/templates/metal-api.yaml @@ -327,6 +327,8 @@ data: {{ .Values.metal_api.filesystemlayouts | nindent 4 }} sizeimageconstraints.yaml: | {{ .Values.metal_api.sizeimageconstraints | nindent 4 }} + size_reservations.yaml: | + {{ .Values.metal_api.size_reservations | nindent 4 }} --- apiVersion: batch/v1 kind: Job @@ -370,6 +372,7 @@ spec: /metalctl network ip apply -f /masterdata/ip.yaml /metalctl filesystemlayout apply -f /masterdata/filesystemlayouts.yaml /metalctl size imageconstraint apply -f /masterdata/sizeimageconstraints.yaml + /metalctl size reservation apply -f /masterdata/size_reservations.yaml volumeMounts: - name: masterdata mountPath: /masterdata @@ -410,6 +413,8 @@ spec: path: filesystemlayouts.yaml - key: sizeimageconstraints.yaml path: sizeimageconstraints.yaml + - key: size_reservations.yaml + path: size_reservations.yaml --- apiVersion: batch/v1 kind: Job diff --git a/charts/metal-control-plane/values.yaml b/charts/metal-control-plane/values.yaml index 2a138ed..6f936d2 100644 --- a/charts/metal-control-plane/values.yaml 
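Review bot: The added `/metalctl size reservation apply -f /masterdata/size_reservations.yaml` (metal-api.yaml hunk @@ -370) runs on every install, including with the default `size_reservations: "[]"`, so the chart now depends on a metalctl and metal-api that provide the size reservation command. Nothing in the visible hunks gates the new ConfigMap key, command or volume item on a version or on a non-empty value. The start of the script is outside the hunk, so it is not visible whether a failing command aborts the job or is silently passed over. If older control planes must remain deployable, make the three additions conditional on a value, or state the minimum metal-api version in the chart's release notes.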
+++ b/charts/metal-control-plane/values.yaml @@ -111,6 +111,7 @@ metal_api: projects: "[]" filesystemlayouts: "[]" sizeimageconstraints: "[]" + size_reservations: "[]" s3: enabled: false address: ""
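Review bot: `size_reservations` is added to values.yaml without a comment, and it is the only key in this group spelled with an underscore (`sizeimageconstraints` next to it is not). The value is a YAML document passed as a string into the masterdata ConfigMap, which is not obvious from the default alone. A comment above the key would help, e.g. `# YAML list of size reservations, applied by the masterdata job via "metalctl size reservation apply"`.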