Configurable FSGroupPolicy

Author: clintonk

cli/cmd/install.go

@@ -18,6 +18,7 @@ import (
 	"github.com/spf13/cobra"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	storagev1 "k8s.io/api/storage/v1"
 	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -125,6 +126,7 @@ var (
 	iscsiSelfHealingInterval time.Duration
 	iscsiSelfHealingWaitTime time.Duration
 	k8sAPIQPS                int
+	fsGroupPolicy            string
 
 	// CLI-based K8S client
 	client k8sclient.KubernetesClient
@@ -247,6 +249,8 @@ func init() {
 
 	installCmd.Flags().IntVar(&k8sAPIQPS, "k8s-api-qps", 0, "The QPS used by the controller while talking "+
 		"with the Kubernetes API server. The Burst value is automatically set as a function of the QPS value.")
+	installCmd.Flags().StringVar(&fsGroupPolicy, "fs-group-policy", "", "The FSGroupPolicy "+
+		"to set on Trident's CSIDriver resource.")
 
 	if err := installCmd.Flags().MarkHidden("skip-k8s-version-check"); err != nil {
 		_, _ = fmt.Fprintln(os.Stderr, err)
@@ -260,6 +264,9 @@ func init() {
 	if err := installCmd.Flags().MarkHidden("autosupport-hostname"); err != nil {
 		_, _ = fmt.Fprintln(os.Stderr, err)
 	}
+	if err := installCmd.Flags().MarkHidden("fs-group-policy"); err != nil {
+		_, _ = fmt.Fprintln(os.Stderr, err)
+	}
 }
 
 var installCmd = &cobra.Command{
@@ -483,6 +490,20 @@ func validateInstallationArguments() error {
 		return fmt.Errorf("'%s' is not a valid cloud identity for the cloud provider '%s'", cloudIdentity, k8sclient.CloudProviderGCP)
 	}
 
+	// Validate the fsGroupPolicy
+	switch strings.ToLower(fsGroupPolicy) {
+	case "":
+		break
+	case strings.ToLower(string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)):
+		break
+	case strings.ToLower(string(storagev1.NoneFSGroupPolicy)):
+		break
+	case strings.ToLower(string(storagev1.FileFSGroupPolicy)):
+		break
+	default:
+		return fmt.Errorf("'%s' is not a valid fsGroupPolicy", fsGroupPolicy)
+	}
+
 	return nil
 }
 
@@ -1415,12 +1436,12 @@ func protectCustomResourceDefinitions() error {
 
 func createK8SCSIDriver() error {
 	// Delete the object in case it already exists and we need to update it
-	err := client.DeleteObjectByYAML(k8sclient.GetCSIDriverYAML(getCSIDriverName(), nil, nil), true)
+	err := client.DeleteObjectByYAML(k8sclient.GetCSIDriverYAML(getCSIDriverName(), fsGroupPolicy, nil, nil), true)
 	if err != nil {
 		return fmt.Errorf("could not delete csidriver custom resource; %v", err)
 	}
 
-	err = client.CreateObjectByYAML(k8sclient.GetCSIDriverYAML(getCSIDriverName(), nil, nil))
+	err = client.CreateObjectByYAML(k8sclient.GetCSIDriverYAML(getCSIDriverName(), fsGroupPolicy, nil, nil))
 	if err != nil {
 		return fmt.Errorf("could not create csidriver custom resource; %v", err)
 	}

cli/cmd/install_test.go

@@ -4,11 +4,13 @@ package cmd
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 	"time"
 
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
+	storagev1 "k8s.io/api/storage/v1"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/types"
 
@@ -236,29 +238,31 @@ func TestValidateInstallationArguments(t *testing.T) {
 		imagePullPolicy     string
 		cloudProvider       string
 		cloudIdentity       string
+		fsGroupPolicy       string
 		nodePrep            []string
 		assertValid         assert.ErrorAssertionFunc
 	}{
 		// Valid arguments
-		{"default namespace", "default", "text", "IfNotPresent", "", "", nil, assert.NoError},
-		{"test namespace", "test-namespace", "text", "IfNotPresent", "", "", []string{}, assert.NoError},
-		{"image pull never", "test-namespace", "json", "Never", "", "", []string{"iscsi"}, assert.NoError},
-		{"cloud provider azure", "test-namespace", "json", "Never", k8sclient.CloudProviderAzure, "", []string{"iscsi"}, assert.NoError},
-		{"azure cloud identity key", "test", "text", "Always", k8sclient.CloudProviderAzure, k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", []string{}, assert.NoError},
-		{"image pull always", "test", "text", "Always", k8sclient.CloudProviderAzure, "", []string{}, assert.NoError},
+		{"default namespace", "default", "text", "IfNotPresent", "", "", "", nil, assert.NoError},
+		{"test namespace", "test-namespace", "text", "IfNotPresent", "", "", string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy), []string{}, assert.NoError},
+		{"image pull never", "test-namespace", "json", "Never", "", "", strings.ToLower(string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)), []string{"iscsi"}, assert.NoError},
+		{"cloud provider azure", "test-namespace", "json", "Never", k8sclient.CloudProviderAzure, "", string(storagev1.FileFSGroupPolicy), []string{"iscsi"}, assert.NoError},
+		{"azure cloud identity key", "test", "text", "Always", k8sclient.CloudProviderAzure, k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", string(storagev1.NoneFSGroupPolicy), []string{}, assert.NoError},
+		{"image pull always", "test", "text", "Always", k8sclient.CloudProviderAzure, "", string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy), []string{}, assert.NoError},
 
 		// Invalid arguments
-		{"invalid namespace", "", "", "", "", "", []string{}, assert.Error},
-		{"invalid log format", "test", "html", "", "", "", []string{}, assert.Error},
-		{"invalid image pull policy", "test", "text", "Anyways", "", "", []string{}, assert.Error},
-		{"invalid cloud provider", "test", "json", "Never", "Docker", "", []string{}, assert.Error},
-		{"invalid cloud provider with azure key", "test", "json", "Never", "Docker", k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", []string{}, assert.Error},
-		{"invalid blank cloud identity", "test", "text", "IfNotPresent", k8sclient.CloudProviderAWS, "", []string{}, assert.Error},
-		{"invalid blank cloud provider", "test", "text", "IfNotPresent", "", k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", []string{}, assert.Error},
-		{"invalid cloud identity", "test", "text", "Always", k8sclient.CloudProviderAzure, "a8rry78r8-7733-49bd-6656582", []string{}, assert.Error},
-		{"invalid blank node prep", "default", "text", "IfNotPresent", "", "", []string{""}, assert.Error},
-		{"invalid only node prep", "default", "text", "IfNotPresent", "", "", []string{"NVME"}, assert.Error},
-		{"invalid node prep in list", "default", "text", "IfNotPresent", "", "", []string{"iscsi", "nvme"}, assert.Error},
+		{"invalid namespace", "", "", "", "", "", "", []string{}, assert.Error},
+		{"invalid log format", "test", "html", "", "", "", "", []string{}, assert.Error},
+		{"invalid image pull policy", "test", "text", "Anyways", "", "", "", []string{}, assert.Error},
+		{"invalid cloud provider", "test", "json", "Never", "Docker", "", "", []string{}, assert.Error},
+		{"invalid cloud provider with azure key", "test", "json", "Never", "Docker", k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", "", []string{}, assert.Error},
+		{"invalid blank cloud identity", "test", "text", "IfNotPresent", k8sclient.CloudProviderAWS, "", "", []string{}, assert.Error},
+		{"invalid blank cloud provider", "test", "text", "IfNotPresent", "", k8sclient.AzureCloudIdentityKey + " a8rry78r8-7733-49bd-6656582", "", []string{}, assert.Error},
+		{"invalid cloud identity", "test", "text", "Always", k8sclient.CloudProviderAzure, "a8rry78r8-7733-49bd-6656582", "", []string{}, assert.Error},
+		{"invalid fsGroupPolicy", "default", "text", "IfNotPresent", "", "", "invalid", nil, assert.Error},
+		{"invalid blank node prep", "default", "text", "IfNotPresent", "", "", "", []string{""}, assert.Error},
+		{"invalid only node prep", "default", "text", "IfNotPresent", "", "", "", []string{"NVME"}, assert.Error},
+		{"invalid node prep in list", "default", "text", "IfNotPresent", "", "", "", []string{"iscsi", "nvme"}, assert.Error},
 	}
 
 	for _, test := range tests {
@@ -269,6 +273,7 @@ func TestValidateInstallationArguments(t *testing.T) {
 			imagePullPolicy = test.imagePullPolicy
 			cloudProvider = test.cloudProvider
 			cloudIdentity = test.cloudIdentity
+			fsGroupPolicy = test.fsGroupPolicy
 			nodePrep = test.nodePrep
 			err := validateInstallationArguments()
 			test.assertValid(t, err)

cli/cmd/uninstall.go

@@ -286,7 +286,7 @@ func uninstallTrident() error {
 
 	anyErrors = removeRBACObjects(log.InfoLevel) || anyErrors
 
-	CSIDriverYAML := k8sclient.GetCSIDriverYAML(getCSIDriverName(), nil, nil)
+	CSIDriverYAML := k8sclient.GetCSIDriverYAML(getCSIDriverName(), fsGroupPolicy, nil, nil)
 
 	if err = client.DeleteObjectByYAML(CSIDriverYAML, true); err != nil {
 		Log().WithField("error", err).Warning("Could not delete csidriver custom resource.")

cli/k8s_client/yaml_factory.go

@@ -8,6 +8,8 @@ import (
 	"strconv"
 	"strings"
 
+	storagev1 "k8s.io/api/storage/v1"
+
 	commonconfig "github.com/netapp/trident/config"
 	. "github.com/netapp/trident/logging"
 	"github.com/netapp/trident/pkg/collection"
@@ -2593,15 +2595,25 @@ const customResourceDefinitionYAMLv1 = tridentVersionCRDYAMLv1 +
 	"\n---" + tridentActionSnapshotRestoreCRDYAMLv1 +
 	"\n---" + tridentConfiguratorCRDYAMLv1 + "\n"
 
-func GetCSIDriverYAML(name string, labels, controllingCRDetails map[string]string) string {
+func GetCSIDriverYAML(name, fsGroupPolicy string, labels, controllingCRDetails map[string]string) string {
 	Log().WithFields(LogFields{
 		"Name":                 name,
 		"Labels":               labels,
 		"ControllingCRDetails": controllingCRDetails,
 	}).Trace(">>>> GetCSIDriverYAML")
 	defer func() { Log().Trace("<<<< GetCSIDriverYAML") }()
 
+	switch strings.ToLower(fsGroupPolicy) {
+	case "", strings.ToLower(string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)):
+		fsGroupPolicy = string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)
+	case strings.ToLower(string(storagev1.NoneFSGroupPolicy)):
+		fsGroupPolicy = string(storagev1.NoneFSGroupPolicy)
+	case strings.ToLower(string(storagev1.FileFSGroupPolicy)):
+		fsGroupPolicy = string(storagev1.FileFSGroupPolicy)
+	}
+
 	csiDriver := strings.ReplaceAll(CSIDriverYAMLv1, "{NAME}", name)
+	csiDriver = strings.ReplaceAll(csiDriver, "{FS_GROUP_POLICY}", fsGroupPolicy)
 	csiDriver = yaml.ReplaceMultilineTag(csiDriver, "LABELS", constructLabels(labels))
 	csiDriver = yaml.ReplaceMultilineTag(csiDriver, "OWNER_REF", constructOwnerRef(controllingCRDetails))
 
@@ -2618,6 +2630,7 @@ metadata:
   {OWNER_REF}
 spec:
   attachRequired: true
+  fsGroupPolicy: {FS_GROUP_POLICY}
 `
 
 func constructNodeSelector(nodeLabels map[string]string) string {

cli/k8s_client/yaml_factory_test.go

@@ -3638,6 +3638,7 @@ func TestGetActionSnapshotRestoreCRDYAML(t *testing.T) {
 func TestGetCSIDriverYAML(t *testing.T) {
 	name := "csi.trident.netapp.io"
 	required := true
+	fsGroupPolicy := csiv1.ReadWriteOnceWithFSTypeFSGroupPolicy
 	expected := csiv1.CSIDriver{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "CSIDriver",
@@ -3648,15 +3649,17 @@ func TestGetCSIDriverYAML(t *testing.T) {
 		},
 		Spec: csiv1.CSIDriverSpec{
 			AttachRequired: &required,
+			FSGroupPolicy:  &fsGroupPolicy,
 		},
 	}
 
 	var actual csiv1.CSIDriver
-	actualYAML := GetCSIDriverYAML(name, nil, nil)
+	actualYAML := GetCSIDriverYAML(name, strings.ToLower(string(csiv1.ReadWriteOnceWithFSTypeFSGroupPolicy)), nil, nil)
 
 	assert.Nil(t, yaml.Unmarshal([]byte(actualYAML), &actual), "invalid YAML")
 	assert.True(t, reflect.DeepEqual(expected.TypeMeta, actual.TypeMeta))
 	assert.True(t, reflect.DeepEqual(expected.ObjectMeta, actual.ObjectMeta))
+	assert.True(t, reflect.DeepEqual(expected.Spec, actual.Spec))
 	assert.Equal(t, "csi.trident.netapp.io", actual.Name)
 }
 

helm/trident-operator/templates/tridentorchestrator.yaml

@@ -72,6 +72,9 @@ spec:
   {{- if .Values.k8sAPIQPS }}
   k8sAPIQPS: {{ .Values.k8sAPIQPS }}
   {{- end }}
+  {{- if .Values.fsGroupPolicy }}
+  fsGroupPolicy: {{ .Values.fsGroupPolicy }}
+  {{- end }}
   {{- if .Values.nodePrep }}
   nodePrep: {{- range .Values.nodePrep }}
     - {{.}} {{- end }}

operator/controllers/orchestrator/installer/installer.go

@@ -13,6 +13,7 @@ import (
 	"github.com/ghodss/yaml"
 	appsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
+	storagev1 "k8s.io/api/storage/v1"
 	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/client-go/rest"
 	"k8s.io/utils/env"
@@ -107,7 +108,8 @@ var (
 	nodePluginNodeSelector       map[string]string
 	nodePluginTolerations        []netappv1.Toleration
 
-	k8sAPIQPS int
+	k8sAPIQPS     int
+	fsGroupPolicy string
 
 	nodePrep []string
 
@@ -330,6 +332,23 @@ func (i *Installer) imagePrechecks(labels, controllingCRDetails map[string]strin
 	return identifiedImageVersion, nil
 }
 
+func (i *Installer) fsGroupPolicyPrechecks() error {
+	// Validate the fsGroupPolicy
+	switch strings.ToLower(fsGroupPolicy) {
+	case "":
+		break
+	case strings.ToLower(string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)):
+		break
+	case strings.ToLower(string(storagev1.NoneFSGroupPolicy)):
+		break
+	case strings.ToLower(string(storagev1.FileFSGroupPolicy)):
+		break
+	default:
+		return fmt.Errorf("'%s' is not a valid fsGroupPolicy", fsGroupPolicy)
+	}
+	return nil
+}
+
 // setInstallationParams identifies the correct parameters for the Trident installation
 func (i *Installer) setInstallationParams(
 	cr netappv1.TridentOrchestrator, currentInstallationVersion string,
@@ -532,6 +551,7 @@ func (i *Installer) setInstallationParams(
 	cloudIdentity = cr.Spec.CloudIdentity
 
 	k8sAPIQPS = cr.Spec.K8sAPIQPS
+	fsGroupPolicy = cr.Spec.FSGroupPolicy
 
 	// Owner Reference details set on each of the Trident object created by the operator
 	controllingCRDetails := make(map[string]string)
@@ -603,6 +623,11 @@ func (i *Installer) setInstallationParams(
 		return nil, nil, false, returnError
 	}
 
+	// Perform fsGroupPolicy prechecks
+	if returnError = i.fsGroupPolicyPrechecks(); returnError != nil {
+		return nil, nil, false, returnError
+	}
+
 	// Update the label with the correct version
 	labels[TridentVersionLabelKey] = identifiedImageVersion
 
@@ -767,6 +792,8 @@ func (i *Installer) InstallOrPatchTrident(
 		ACPImage:                 acpImage,
 		ISCSISelfHealingInterval: iscsiSelfHealingInterval,
 		ISCSISelfHealingWaitTime: iscsiSelfHealingWaitTime,
+		K8sAPIQPS:                k8sAPIQPS,
+		FSGroupPolicy:            fsGroupPolicy,
 		NodePrep:                 nodePrep,
 	}
 
@@ -882,7 +909,7 @@ func (i *Installer) createOrPatchK8sCSIDriver(controllingCRDetails, labels map[s
 		return fmt.Errorf("failed to remove unwanted K8s CSI drivers; %v", err)
 	}
 
-	newK8sCSIDriverYAML := k8sclient.GetCSIDriverYAML(CSIDriverName, labels, controllingCRDetails)
+	newK8sCSIDriverYAML := k8sclient.GetCSIDriverYAML(CSIDriverName, fsGroupPolicy, labels, controllingCRDetails)
 
 	err = i.client.PutCSIDriver(currentCSIDriver, createCSIDriver, newK8sCSIDriverYAML, appLabel)
 	if err != nil {

operator/controllers/orchestrator/installer/installer_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 	corev1 "k8s.io/api/core/v1"
+	storagev1 "k8s.io/api/storage/v1"
 	v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -266,6 +267,38 @@ func TestCloudIdentityPrechecks(t *testing.T) {
 	}
 }
 
+func TestFSGroupPolicyPrechecks(t *testing.T) {
+	mockK8sClient := newMockKubeClient(t)
+	installer := newTestInstaller(mockK8sClient)
+
+	tests := []struct {
+		fsGroupPolicy string
+		Valid         bool
+	}{
+		// Valid values
+		{"", true},
+		{string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy), true},
+		{strings.ToLower(string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy)), true},
+		{string(storagev1.FileFSGroupPolicy), true},
+		{strings.ToLower(string(storagev1.FileFSGroupPolicy)), true},
+		{string(storagev1.NoneFSGroupPolicy), true},
+		{strings.ToLower(string(storagev1.NoneFSGroupPolicy)), true},
+
+		// Invalid values
+		{"test", false},
+	}
+
+	for _, test := range tests {
+		fsGroupPolicy = test.fsGroupPolicy
+		err := installer.fsGroupPolicyPrechecks()
+		if test.Valid {
+			assert.NoError(t, err, "should be valid")
+		} else {
+			assert.Error(t, err, "should be invalid")
+		}
+	}
+}
+
 func TestSetInstallationParams_NodePrep(t *testing.T) {
 	tests := []struct {
 		name        string
@@ -406,3 +439,36 @@ func TestSetInstallationParams_Images(t *testing.T) {
 		})
 	}
 }
+
+func TestSetInstallationParams_FSGroupPolicy(t *testing.T) {
+	tests := []struct {
+		name          string
+		fsGroupPolicy string
+		assertValid   assert.ErrorAssertionFunc
+	}{
+		{name: "validFunc nil", fsGroupPolicy: "", assertValid: assert.NoError},
+		{name: "validFunc empty", fsGroupPolicy: string(storagev1.ReadWriteOnceWithFSTypeFSGroupPolicy), assertValid: assert.NoError},
+		{name: "validFunc empty", fsGroupPolicy: string(storagev1.FileFSGroupPolicy), assertValid: assert.NoError},
+		{name: "validFunc empty", fsGroupPolicy: string(storagev1.NoneFSGroupPolicy), assertValid: assert.NoError},
+		{name: "invalid one", fsGroupPolicy: "invalid", assertValid: assert.Error},
+	}
+
+	mockK8sClient := newMockKubeClient(t)
+	mockK8sClient.EXPECT().ServerVersion().Return(&version.Version{}).AnyTimes()
+	installer := newTestInstaller(mockK8sClient)
+
+	to := netappv1.TridentOrchestrator{
+		TypeMeta:   metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{},
+		Spec:       netappv1.TridentOrchestratorSpec{},
+		Status:     netappv1.TridentOrchestratorStatus{},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			to.Spec.FSGroupPolicy = test.fsGroupPolicy
+			_, _, _, err := installer.setInstallationParams(to, "")
+			test.assertValid(t, err)
+		})
+	}
+}