From bc5e33791f9ef53d40fbcf1997727a624310517f Mon Sep 17 00:00:00 2001
From: Mohamed Omar Zaian
Date: Wed, 20 Sep 2023 13:56:00 +0200
Subject: [PATCH] [vsphere_csi] Update to 3.1.0 (#10451)

---
 .../csi_driver/vsphere/defaults/main.yml | 18 ++++----
 .../vsphere-csi-controller-config.yml.j2 | 19 +++++--
 .../vsphere-csi-controller-deployment.yml.j2 | 45 ++++++++++++-------
 .../vsphere-csi-controller-rbac.yml.j2 | 5 ++-
 .../vsphere/templates/vsphere-csi-node.yml.j2 | 5 ++-
 5 files changed, 58 insertions(+), 34 deletions(-)

diff --git a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
index e01b36b1dc5..0d4144141ba 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
+++ b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
@@ -4,15 +4,15 @@
 external_vsphere_insecure: "true"
 external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
 external_vsphere_version: "7.0u1"
-vsphere_syncer_image_tag: "v2.5.1"
-vsphere_csi_attacher_image_tag: "v3.4.0"
-vsphere_csi_controller: "v2.5.1"
-vsphere_csi_liveness_probe_image_tag: "v2.6.0"
-vsphere_csi_provisioner_image_tag: "v3.1.0"
-vsphere_csi_snapshotter_image_tag: "v5.0.1"
-vsphere_csi_node_driver_registrar_image_tag: "v2.5.0"
-vsphere_csi_driver_image_tag: "v2.5.1"
-vsphere_csi_resizer_tag: "v1.4.0"
+vsphere_syncer_image_tag: "v3.1.0"
+vsphere_csi_attacher_image_tag: "v4.3.0"
+vsphere_csi_controller: "v3.1.0"
+vsphere_csi_liveness_probe_image_tag: "v2.10.0"
+vsphere_csi_provisioner_image_tag: "v3.5.0"
+vsphere_csi_snapshotter_image_tag: "v6.2.2"
+vsphere_csi_node_driver_registrar_image_tag: "v2.8.0"
+vsphere_csi_driver_image_tag: "v3.1.0"
+vsphere_csi_resizer_tag: "v1.8.0"
 
 # Set to kube-system for backward compatibility, should be change to vmware-system-csi on the long run
 vsphere_csi_namespace: "kube-system"
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
index d7ee521ebed..fb52d107e47 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
@@ -1,22 +1,29 @@
 apiVersion: v1
 data:
- "csi-migration": "false"
 {% if external_vsphere_version >= "7.0" %}
 "csi-auth-check": "true"
 {% else %}
 "csi-auth-check": "false"
 {% endif %}
+ "csi-auth-check": "true"
 "online-volume-extend": "true"
 "trigger-csi-fullsync": "false"
 "async-query-volume": "true"
+ "block-volume-snapshot": "true"
+ "csi-windows-support": "false"
+ "list-volumes": "true"
+ "pv-to-backingdiskobjectid-mapping": "false"
+ "cnsmgr-suspend-create-volume": "true"
+ "topology-preferential-datastores": "true"
+ "max-pvscsi-targets-per-vm": "true"
+ "multi-vcenter-csi-topology": "true"
+ "csi-internal-generated-cluster-id": "true"
+ "listview-tasks": "true"
+{% if vsphere_csi_controller is version('v2.7.0', '>=') %}
 "improved-csi-idempotency": "true"
 "improved-volume-topology": "true"
- "block-volume-snapshot": "{{ vsphere_csi_block_volume_snapshot }}"
- "csi-windows-support": "false"
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
 "use-csinode-id": "true"
- "pv-to-backingdiskobjectid-mapping": "false"
- "cnsmgr-suspend-create-volume": "false"
+ "list-volumes": "false"
 {% endif %}
 kind: ConfigMap
 metadata:
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
index 8bda5145a5b..dd009d8f74a 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
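Review bot: `list-volumes` is emitted twice on the new side of this hunk: unconditionally as `"list-volumes": "true"` in the added block, and again as `"list-volumes": "false"` inside the new `{% if vsphere_csi_controller is version('v2.7.0', '>=') %}` block, which the default `vsphere_csi_controller: "v3.1.0"` from this same patch satisfies, so the rendered ConfigMap carries a duplicate key. YAML loaders treat that inconsistently (most keep the last value, strict ones reject the document), so which feature state actually reaches the driver depends on the apply path rather than on this template. Drop the conditional `"list-volumes": "false"` line or the unconditional one so the key appears exactly once; `cnsmgr-suspend-create-volume` also flips from `"false"` to `"true"` here without a note, which is worth a comment if intentional. `block-volume-snapshot` is now hard-coded `"true"` where it was previously fed by `vsphere_csi_block_volume_snapshot`; if that variable still exists in defaults (not visible in this patch) it is now silently ignored and should be removed or re-wired.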
@@ -19,6 +19,7 @@ spec:
 app: vsphere-csi-controller
 role: vsphere-csi
 spec:
+ priorityClassName: system-cluster-critical # Guarantees scheduling for critical system pods
 affinity:
 podAntiAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -60,6 +61,9 @@ spec:
 - "--timeout=300s"
 - "--csi-address=$(ADDRESS)"
 - "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
 - "--kube-api-qps=100"
 - "--kube-api-burst=100"
 {% if vsphere_csi_attacher_resources | length > 0 %}
@@ -83,6 +87,9 @@ spec:
 - "--kube-api-qps=100"
 - "--kube-api-burst=100"
 - "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
 {% if vsphere_csi_resizer_resources | length > 0 %}
 resources:
 {{ vsphere_csi_resizer_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@@ -99,8 +106,6 @@ spec:
 args:
 - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
 - "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
- - "--use-gocsi=false"
 {% if vsphere_csi_resources | length > 0 %}
 resources:
 {{ vsphere_csi_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@@ -131,6 +136,10 @@ spec:
 readOnly: true
 - mountPath: {{ csi_endpoint }}
 name: socket-dir
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
 ports:
 - name: healthz
 containerPort: 9808
@@ -142,9 +151,9 @@ spec:
 httpGet:
 path: /healthz
 port: healthz
- initialDelaySeconds: 10
- timeoutSeconds: 3
- periodSeconds: 5
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ periodSeconds: 180
 failureThreshold: 3
 - name: liveness-probe
 image: {{ kube_image_repo }}/sig-storage/livenessprobe:{{ vsphere_csi_liveness_probe_image_tag }}
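Review bot: The new container `securityContext` added under the `socket-dir` mount sets only `runAsNonRoot`, `runAsUser` and `runAsGroup`; it does not set `allowPrivilegeEscalation: false` or drop capabilities, so the controller container still starts with the runtime's default capability set and can regain privileges through any setuid binary in the image. Since the container is now pinned to UID 65532 anyway, adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` under the same key costs nothing and is what the restricted Pod Security profile checks for; `readOnlyRootFilesystem: true` is worth trying if the image tolerates it. The syncer container receives an identical `securityContext` in a later hunk of this file and would take the same two lines. Whether UID 65532 matches the user the image expects is not verifiable from the diff; if it does not, `runAsNonRoot: true` alone would already have blocked a root default.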
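Review bot: The controller liveness probe moves from `periodSeconds: 5` to `periodSeconds: 180` while `failureThreshold: 3` is kept, so a wedged controller is only restarted after about nine minutes of consecutive failures on top of the new 30 s initial delay, during which attach and provision requests for the whole cluster queue up. If the long period is deliberate, say because the 3.1.0 probe is expensive or slow, a short comment on the `periodSeconds` line recording that would keep the next reviewer from reverting it; otherwise a value such as `periodSeconds: 30` keeps detection under two minutes without the old 5 s churn. The probe is answered by the `liveness-probe` sidecar whose definition continues outside the hunk.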
@@ -165,10 +174,16 @@ spec:
 image: {{ gcr_image_repo }}/cloud-provider-vsphere/csi/release/syncer:{{ vsphere_syncer_image_tag }}
 args:
 - "--leader-election"
+ - "--leader-election-lease-duration=30s"
+ - "--leader-election-renew-deadline=20s"
+ - "--leader-election-retry-period=10s"
 - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
 - "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
 imagePullPolicy: {{ k8s_image_pull_policy }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65532
+ runAsGroup: 65532
 ports:
 - containerPort: 2113
 name: prometheus
@@ -200,10 +215,13 @@ spec:
 - "--v=4"
 - "--timeout=300s"
 - "--csi-address=$(ADDRESS)"
-{% if vsphere_csi_controller is version('v2.2.0', '>=') %}
 - "--kube-api-qps=100"
 - "--kube-api-burst=100"
-{% endif %}
+ - "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
+ - "--default-fstype=ext4"
 - "--leader-election"
 - "--default-fstype=ext4"
 # needed only for topology aware setup
@@ -213,13 +231,6 @@ spec:
 resources:
 {{ vsphere_csi_provisioner_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
 {% endif %}
- env:
- - name: ADDRESS
- value: /csi/csi.sock
- volumeMounts:
- - mountPath: /csi
- name: socket-dir
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
 - name: csi-snapshotter
 image: {{ kube_image_repo }}/sig-storage/csi-snapshotter:{{ vsphere_csi_snapshotter_image_tag }}
 args:
@@ -229,13 +240,15 @@ spec:
 - "--timeout=300s"
 - "--csi-address=$(ADDRESS)"
 - "--leader-election"
+ - "--leader-election-lease-duration=120s"
+ - "--leader-election-renew-deadline=60s"
+ - "--leader-election-retry-period=30s"
 env:
 - name: ADDRESS
 value: /csi/csi.sock
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
-{% endif %}
 volumes:
 - name: vsphere-config-volume
 secret:
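Review bot: The csi-provisioner args in the `@@ -200,10 +215,13 @@` hunk now list `--leader-election` and `--default-fstype=ext4` twice: the added block inserts both, and the two pre-existing context lines immediately below it, `- "--leader-election"` and `- "--default-fstype=ext4"`, were left in place. The sidecar's flag parser will most likely accept the repeats with last-wins semantics, so this is unlikely to break anything, but the duplicates make it ambiguous which line a later change should edit. Delete the two original lines (or the two added ones) so each flag appears exactly once; the container definition this belongs to starts before the hunk.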
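Review bot: The `@@ -213,13 +231,6 @@` hunk removes the csi-provisioner container's `env` entry (`ADDRESS=/csi/csi.sock`) and its `socket-dir` volumeMount together with the old `v2.5.0` guard, while the provisioner args in the preceding hunk still pass `--csi-address=$(ADDRESS)`. Unless an equivalent `env`/`volumeMounts` pair is declared elsewhere in that container, outside the lines shown, `$(ADDRESS)` is left unexpanded and the sidecar has no socket to reach the driver, so provisioning would fail on every install. If the intent was only to drop the version guard, the removal should stop at the `{% if vsphere_csi_controller is version('v2.5.0', '>=') %}` line and the six `env`/`volumeMounts` lines should be kept, mirroring what the csi-snapshotter container below retains.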
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
index fd614f9a41f..013d3dc3f6a 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
@@ -10,8 +10,11 @@ metadata:
 name: vsphere-csi-controller-role
 rules:
 - apiGroups: [""]
- resources: ["nodes", "pods", "configmaps"]
+ resources: ["nodes", "pods"]
 verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create"]
 - apiGroups: [""]
 resources: ["persistentvolumeclaims"]
 verbs: ["get", "list", "watch", "update"]
diff --git a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2 b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
index eedacf69536..e110ee300dd 100644
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
@@ -17,6 +17,7 @@ spec:
 app: vsphere-csi-node
 role: vsphere-csi
 spec:
+ priorityClassName: system-node-critical
 nodeSelector:
 kubernetes.io/os: linux
 {% if vsphere_csi_node_affinity %}
@@ -66,8 +67,6 @@ spec:
 args:
 - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
 - "--fss-namespace={{ vsphere_csi_namespace }}"
- - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
- - "--use-gocsi=false"
 imagePullPolicy: "Always"
 {% if vsphere_csi_driver_resources | length > 0 %}
 resources:
@@ -92,6 +91,8 @@ spec:
 value: "true"
 - name: LOGGER_LEVEL
 value: "PRODUCTION" # Options: DEVELOPMENT, PRODUCTION
+ - name: GODEBUG
+ value: x509sha1=1
 - name: NODEGETINFO_WATCH_TIMEOUT_MINUTES
 value: "1"
 securityContext:
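Review bot: The new rule in `vsphere-csi-controller-role` grants `create` on `configmaps` without a comment saying what the driver writes; the controller ConfigMap in this same patch enables `csi-internal-generated-cluster-id`, which presumably requires the driver to persist a generated cluster id in a ConfigMap, but that is inferred rather than stated. A one-line comment above the rule, e.g. `# "create" lets the driver persist its internally generated cluster id`, would record why the write verb exists and let a later reviewer remove it when the feature is switched off. Because the rule carries no `resourceNames`, the bound subject can create ConfigMaps in every namespace the binding covers; the role's `kind` is outside the hunk, so if it is a ClusterRole consider binding it namespaced to `{{ vsphere_csi_namespace }}` or moving the write verb into a separate Role there.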
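Review bot: `GODEBUG=x509sha1=1` in the node DaemonSet's env re-enables verification of certificate chains signed with SHA-1, which Go's x509 rejects by default, so it weakens TLS validation towards vCenter on every node and the diff gives no reason for it. If it exists for vCenter deployments that still present SHA-1-signed certificates, say so in a comment and make it opt-in, e.g. wrap the two lines in `{% if vsphere_csi_allow_sha1_certs | default(false) %}` (variable name constructed here), so default installs keep the stricter check. None of the controller deployment hunks in this patch add the same variable, so if the setting is genuinely required the controller and node plugins would currently validate vCenter differently. Minor: every other `value:` in this env list is quoted, so `value: "x509sha1=1"` would match the file's style.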