Changes related to GRPC server (#64)

* nitContainer to install s3fs on worker noe

* Update init container image and host network permissions

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* update gomod

Signed-off-by: Ashima-Ashima1 <[email protected]>

* update crds

Signed-off-by: Ashima-Ashima1 <[email protected]>

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* remove host access to initContainer

* resolve merge conflicts and rebase branch

Signed-off-by: Ashima-Ashima1 <[email protected]>

* update go.mod

Signed-off-by: Ashima-Ashima1 <[email protected]>

* cos apis

Signed-off-by: Ashima-Ashima1 <[email protected]>

* remove initContainer on node_csi pod

* remove initContainer on node_csi pod

* FIx contants

* Update node server security contexts

---------

Signed-off-by: Ashima-Ashima1 <[email protected]>
Co-authored-by: bhagyak1 <[email protected]>
Co-authored-by: Mayank Sachan <[email protected]>

Author: 3 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2024-11-25T05:25:45Z",
+  "generated_at": "2025-05-22T09:04:02Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

Makefile

@@ -196,8 +196,8 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 
 ## Tool Versions
-KUSTOMIZE_VERSION ?= v5.5.0
-CONTROLLER_TOOLS_VERSION ?= v0.16.4
+KUSTOMIZE_VERSION ?= v5.6.0
+CONTROLLER_TOOLS_VERSION ?= v0.17.3
 
 KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
 .PHONY: kustomize

config/crd/bases/objectdriver.csi.ibm.com_ibmobjectcsis.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.4
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: ibmobjectcsis.objectdriver.csi.ibm.com
 spec:
   group: objectdriver.csi.ibm.com
@@ -329,7 +329,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                         Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -344,7 +343,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                         Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -511,7 +509,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                     Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -526,7 +523,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                     Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -691,7 +687,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                         Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -706,7 +701,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                         Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -873,7 +867,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                     Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -888,7 +881,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                     Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -1344,7 +1336,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                         Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -1359,7 +1350,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                         Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -1526,7 +1516,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                     Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -1541,7 +1530,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                     Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -1706,7 +1694,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                         Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -1721,7 +1708,6 @@ spec:
                                         pod labels will be ignored. The default value is empty.
                                         The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                         Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                        This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                       items:
                                         type: string
                                       type: array
@@ -1888,7 +1874,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both matchLabelKeys and labelSelector.
                                     Also, matchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array
@@ -1903,7 +1888,6 @@ spec:
                                     pod labels will be ignored. The default value is empty.
                                     The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
                                     Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
-                                    This is a beta field and requires enabling MatchLabelKeysInPodAffinity feature gate (enabled by default).
                                   items:
                                     type: string
                                   type: array

config/crd/bases/objectdriver.csi.ibm.com_recoverstalevolumes.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.16.4
+    controller-gen.kubebuilder.io/version: v0.17.3
   name: recoverstalevolumes.objectdriver.csi.ibm.com
 spec:
   group: objectdriver.csi.ibm.com

config/manager/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: controller
   newName: icr.io/ibm/ibm-object-csi-driver-operator
-  newTag: v0.1.17
+  newTag: v0.1.18
 commonLabels:
   app.kubernetes.io/managed-by: ibm-object-csi-driver-operator
   app.kubernetes.io/part-of: ibm-object-csi-driver

config/manager/manager.yaml

@@ -101,7 +101,7 @@ spec:
             cpu: 500m
             memory: 500Mi
           requests:
-            cpu: 10m
+            cpu: 50m
             memory: 128Mi
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10

config/samples/csi_v1alpha1_ibmobjectcsi.yaml

@@ -14,7 +14,7 @@ spec:
   # and csi-provisioner and livenessprobe sidecars.
   controller:
     repository: icr.io/ibm/ibm-object-csi-driver
-    tag: "v0.1.17"
+    tag: "v0.1.18"
     imagePullPolicy: IfNotPresent
     resources:
       limits:
@@ -35,15 +35,6 @@ spec:
                 - controller
             topologyKey: topology.kubernetes.io/zone
           weight: 100
-        - podAffinityTerm:
-            labelSelector:
-              matchExpressions:
-              - key: app.kubernetes.io/component
-                operator: In
-                values:
-                - controller
-            topologyKey: topology.kubernetes.io/zone
-          weight: 100
       nodeAffinity:
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
@@ -57,8 +48,15 @@ spec:
   # and csi-node-driver-registrar and livenessprobe sidecars.
   node:
     repository: icr.io/ibm/ibm-object-csi-driver
-    tag: "v0.1.17"
+    tag: "v0.1.18"
     imagePullPolicy: Always
+    resources:
+      limits:
+        cpu: 120m
+        memory: 300Mi
+      requests:
+        cpu: 30m
+        memory: 75Mi
 
   sidecars:
   - name: csi-node-driver-registrar

controllers/constants/constants.go

@@ -72,6 +72,7 @@ const (
 	CSINodeSCCClusterRole                 = "node-scc-clusterrole"
 	CSINodeSCCClusterRoleBinding          = "node-scc-clusterrolebinding"
 	CSINodePriorityClassName              = "system-node-critical"
+	CSIControllerPriorityClassName        = "system-cluster-critical"
 
 	ResourceReqLimitsConfigMap = "cos-csi-driver-configmap"
 	ObjectCSIDriver            = "ibm-object-csi"

controllers/syncer/csi_controller.go

@@ -91,6 +91,7 @@ func (s *csiControllerSyncer) ensurePodSpec() corev1.PodSpec {
 		Affinity:           s.driver.Spec.Controller.Affinity,
 		Tolerations:        s.driver.Spec.Controller.Tolerations,
 		ServiceAccountName: constants.GetResourceName(constants.CSIControllerServiceAccount),
+		PriorityClassName:  constants.CSIControllerPriorityClassName,
 	}
 }
 

controllers/syncer/csi_node.go

@@ -93,6 +93,7 @@ func (s *csiNodeSyncer) ensurePodSpec() corev1.PodSpec {
 		SecurityContext: &corev1.PodSecurityContext{
 			RunAsNonRoot: util.True(),
 			RunAsUser:    func(uid int64) *int64 { return &uid }(2121),
+			RunAsGroup:   func(uid int64) *int64 { return &uid }(2121),
 		},
 		Affinity:           s.driver.Spec.Node.Affinity,
 		Tolerations:        s.driver.Spec.Node.Tolerations,
@@ -138,7 +139,7 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 
 	nodePlugin.SecurityContext = &corev1.SecurityContext{
 		RunAsNonRoot: util.False(),
-		Privileged:   util.True(),
+		Privileged:   util.True(), // Revisit if node server needs privileged permission
 		RunAsUser:    func(uid int64) *int64 { return &uid }(0),
 	}
 	fillSecurityContextCapabilities(
@@ -154,9 +155,10 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 			"--v=5",
 		},
 	)
-	registrar.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
-		RunAsUser:  func(uid int64) *int64 { return &uid }(0),
-		Privileged: util.False(),
+	registrar.SecurityContext = &corev1.SecurityContext{
+		RunAsNonRoot: util.False(),
+		RunAsUser:    func(uid int64) *int64 { return &uid }(0),
+		Privileged:   util.False(),
 	}
 	fillSecurityContextCapabilities(registrar.SecurityContext)
 	registrar.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
@@ -171,10 +173,6 @@ func (s *csiNodeSyncer) ensureContainersSpec() []corev1.Container {
 			healthPortArg,
 		},
 	)
-	livenessProbe.SecurityContext = &corev1.SecurityContext{RunAsNonRoot: util.False(),
-		RunAsUser:  func(uid int64) *int64 { return &uid }(0),
-		Privileged: util.False(),
-	}
 	fillSecurityContextCapabilities(livenessProbe.SecurityContext)
 	livenessProbe.ImagePullPolicy = s.getCSINodeDriverRegistrarPullPolicy()
 	livenessProbe.Resources = getSidecarResourceRequests(s.driver, constants.LivenessProbe)
@@ -267,6 +265,15 @@ func (s *csiNodeSyncer) getVolumeMountsFor(name string) []corev1.VolumeMount {
 				Name:      "host-log",
 				MountPath: "/host/var/log",
 			},
+			{
+				Name:      "coscsi-socket",
+				MountPath: "/var/lib/coscsi.sock",
+				ReadOnly:  false,
+			},
+			{
+				Name:      "coscsi-mounter-config",
+				MountPath: "/var/lib/cos-csi",
+			},
 		}
 
 	case constants.CSINodeDriverRegistrar:
@@ -301,6 +308,8 @@ func (s *csiNodeSyncer) ensureVolumes() []corev1.Volume {
 		ensureVolume("fuse-device", ensureHostPathVolumeSource("/dev/fuse", "")),
 		ensureVolume("log-dev", ensureHostPathVolumeSource("/dev/log", "")),
 		ensureVolume("host-log", ensureHostPathVolumeSource("/var/log", "")),
+		ensureVolume("coscsi-socket", ensureHostPathVolumeSource("/var/lib/coscsi.sock", "Socket")),
+		ensureVolume("coscsi-mounter-config", ensureHostPathVolumeSource("/var/lib/cos-csi", "DirectoryOrCreate")),
 	}
 }