Trickybrain
diff --git a/‎Dockerfile
Lines changed: 12 additions & 5 deletions b/‎Dockerfile
Lines changed: 12 additions & 5 deletions
diff --git a/‎Makefile
Lines changed: 3 additions & 1 deletion b/‎Makefile
Lines changed: 3 additions & 1 deletion
diff --git a/‎charts/aws-fsx-csi-driver/templates/controller-deployment.yaml
Lines changed: 14 additions & 6 deletions b/‎charts/aws-fsx-csi-driver/templates/controller-deployment.yaml
Lines changed: 14 additions & 6 deletions
diff --git a/‎charts/aws-fsx-csi-driver/templates/node-daemonset.yaml
Lines changed: 7 additions & 7 deletions b/‎charts/aws-fsx-csi-driver/templates/node-daemonset.yaml
Lines changed: 7 additions & 7 deletions
diff --git a/‎charts/aws-fsx-csi-driver/templates/pdb.yaml
Lines changed: 22 additions & 0 deletions b/‎charts/aws-fsx-csi-driver/templates/pdb.yaml
Lines changed: 22 additions & 0 deletions
diff --git a/‎charts/aws-fsx-csi-driver/values.yaml
Lines changed: 109 additions & 18 deletions b/‎charts/aws-fsx-csi-driver/values.yaml
Lines changed: 109 additions & 18 deletions
@@ -12,27 +12,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+ARG AL_VERSION=al23
 FROM --platform=$BUILDPLATFORM golang:1.24 as builder
 WORKDIR /go/src/github.com/kubernetes-sigs/aws-fsx-csi-driver
+COPY go.* .
+RUN go mod download
 COPY . .
 ARG TARGETOS
 ARG TARGETARCH
 RUN OS=$TARGETOS ARCH=$TARGETARCH make $TARGETOS/$TARGETARCH
 
 # https://github.com/aws/eks-distro-build-tooling/blob/main/eks-distro-base/Dockerfile.minimal-base-csi-ebs#L36
-FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs-builder:latest-al2 as rpm-installer
-
+FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs-builder:latest-${AL_VERSION} as rpm-installer
+ARG AL_VERSION
 # shallow install systemd and the kernel which are not needed in the final container image
 # since lustre is not run as a systemd service and the kernel module is node loaded via the container
 # to avoid pulling in a large tree of unnecessary dependencies
 RUN set -x && \
     enable_extra lustre && \
-    clean_install "kernel systemd" true true && \
-    clean_install lustre-client && \
+    clean_install "kernel systemd" true true; \
+    if [[ "${AL_VERSION}" == "al23" ]]; then \
+    clean_install lustre-client; \
+    else \
+    clean_install lustre; \
+    fi; \
     remove_package "kernel systemd" true && \
     cleanup "fsx-csi"
 
-FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest-al2 AS linux-amazon
+FROM public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-csi-ebs:latest-${AL_VERSION} AS linux-amazon
 
 COPY --from=rpm-installer /newroot /
 
 
@@ -35,6 +35,7 @@ OUTPUT_TYPE?=docker
 OS?=linux
 ARCH?=amd64
 OSVERSION?=amazon
+AL_VERSION?=al23
 
 ALL_OS?=linux
 ALL_ARCH_linux?=amd64 arm64
@@ -53,7 +54,7 @@ word-hyphen = $(word $2,$(subst -, ,$1))
 .PHONY: linux/$(ARCH) bin/aws-fsx-csi-driver
 linux/$(ARCH): bin/aws-fsx-csi-driver
 bin/aws-fsx-csi-driver: | bin
-	CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -ldflags ${LDFLAGS} -o bin/aws-fsx-csi-driver ./cmd/
+	CGO_ENABLED=0 GOOS=linux GOARCH=$(ARCH) go build -mod=mod -ldflags ${LDFLAGS} -o bin/aws-fsx-csi-driver ./cmd/
 
 .PHONY: all
 all: all-image-docker
@@ -89,6 +90,7 @@ image: .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION)
 		-t=$(IMAGE):$(TAG)-$(OS)-$(ARCH)-$(OSVERSION) \
 		--build-arg=GOPROXY=$(GOPROXY) \
 		--build-arg=VERSION=$(VERSION) \
+		--build-arg=AL_VERSION=$(AL_VERSION) \
 		`./hack/provenance` \
 		.
 	touch $@
 
@@ -39,7 +39,7 @@ spec:
         {{- end }}
       containers:
         - name: fsx-plugin
-          image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - --mode={{ .Values.controller.mode }}
@@ -65,10 +65,10 @@ spec:
                   name: aws-secret
                   key: access_key
                   optional: true
-            {{- with .Values.controller.region }}
+              {{- with .Values.controller.region }}
             - name: AWS_REGION
               value: {{ . }}
-            {{- end }}
+              {{- end }}
           volumeMounts:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
@@ -89,7 +89,7 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
         - name: csi-provisioner
-          image: {{ printf "%s:%s" .Values.sidecars.provisioner.image.repository .Values.sidecars.provisioner.image.tag }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.provisioner.image.repository .Values.sidecars.provisioner.image.tag }}
           args:
             - --csi-address=$(ADDRESS)
             - --v={{ .Values.sidecars.provisioner.logLevel }}
@@ -107,7 +107,7 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
         - name: csi-resizer
-          image: {{ printf "%s:%s" .Values.sidecars.resizer.image.repository .Values.sidecars.resizer.image.tag }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.resizer.image.repository .Values.sidecars.resizer.image.tag }}
           args:
             - --csi-address=$(ADDRESS)
             - --v={{ .Values.sidecars.resizer.logLevel }}
@@ -124,7 +124,7 @@ spec:
             {{- toYaml . | nindent 12 }}
           {{- end }}
         - name: liveness-probe
-          image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
+          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
           args:
             - --csi-address=/csi/csi.sock
             - --health-port=9910
@@ -138,3 +138,11 @@ spec:
       volumes:
         - name: socket-dir
           emptyDir: {}
+      {{- with .Values.controller.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
@@ -44,13 +44,13 @@ spec:
       tolerations:
         {{- if .Values.node.tolerateAllTaints }}
         - operator: Exists
-        {{- else }}
-        {{- with .Values.node.tolerations }}
-        {{- toYaml . | nindent 8 }}
-        {{- end }}
+          {{- else }}
+          {{- with .Values.node.tolerations }}
+          {{- toYaml . | nindent 8 }}
+          {{- end }}
         - key: "fsx.csi.aws.com/agent-not-ready"
           operator: "Exists"
-        {{- end }}
+          {{- end }}
       {{- with .Values.node.affinity }}
       affinity: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -72,10 +72,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            {{- with .Values.node.region }}
+              {{- with .Values.node.region }}
             - name: AWS_REGION
               value: {{ . }}
-            {{- end }}
+              {{- end }}
           volumeMounts:
             - name: kubelet-dir
               mountPath: /var/lib/kubelet
 
@@ -0,0 +1,22 @@
+{{- if and .Values.controller.podDisruptionBudget.enabled (not .Values.nodeComponentOnly) -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: fsx-csi-controller
+  namespace: kube-system
+  labels:
+    {{- include "aws-fsx-csi-driver.labels" . | nindent 4 }} 
+spec:
+  selector:
+    matchLabels:
+      app: fsx-csi-controller
+      {{- include "aws-fsx-csi-driver.selectorLabels" . | nindent 6 }} 
+  {{- if .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
+  unhealthyPodEvictionPolicy: {{ .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
+  {{- end }}
+  {{- if le (.Values.controller.replicaCount | int) 2 }}
+  maxUnavailable: 1
+  {{- else }}
+  minAvailable: 2
+  {{- end }}
+{{- end -}}
@@ -4,7 +4,7 @@
 
 image:
   repository: public.ecr.aws/fsx-csi-driver/aws-fsx-csi-driver
-  tag: v1.4.0
+  tag: "v1.4.0"
   pullPolicy: IfNotPresent
 
 csidriver:
@@ -14,37 +14,75 @@ sidecars:
   livenessProbe:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
-      tag: v2.15.0-eks-1-33-3
+      tag: v2.15.0-eks-1-33-9
       pullPolicy: IfNotPresent
-    resources: {}
+    resources:
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        memory: 128Mi
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
   nodeDriverRegistrar:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
-      tag: v2.13.0-eks-1-33-3
+      tag: v2.13.0-eks-1-33-9
       pullPolicy: IfNotPresent
     logLevel: 2
-    resources: {}
+    resources: 
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        memory: 128Mi
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
   provisioner:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
-      tag: v5.2.0-eks-1-33-3
+      tag: v5.2.0-eks-1-33-9
       pullPolicy: IfNotPresent
     logLevel: 2
-    resources: {}
+    resources: 
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        memory: 128Mi
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
   resizer:
     image:
       repository: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
-      tag: v1.13.2-eks-1-33-3
+      tag: v1.13.2-eks-1-33-9
       pullPolicy: IfNotPresent
     logLevel: 2
-    resources: {}
+    resources: 
+      requests:
+        cpu: 10m
+        memory: 32Mi
+      limits:
+        memory: 128Mi
+    securityContext:
+      readOnlyRootFilesystem: true
+      allowPrivilegeEscalation: false
 
 controller:
   mode: controller
   loggingFormat: text
   nodeSelector: {}
   replicaCount: 2
-  resources: {}
+  #If you do want to specify resources, uncomment the following lines, adjust them as necessary
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+    limits:
+      memory: 256Mi
   serviceAccount:
     # Specifies whether a service account should be created
     create: true
@@ -65,14 +103,55 @@ controller:
     - effect: NoExecute
       operator: Exists
       tolerationSeconds: 300
+  # securityContext on the controller pod
+  securityContext:
+    runAsNonRoot: false
+    runAsUser: 0
+    runAsGroup: 0
+    fsGroup: 0
+  # securityContext on the controller container
+  # Setting privileged=false will cause the "delete-access-point-root-dir" controller option to fail
+  containerSecurityContext:
+    privileged: true
+  leaderElectionRenewDeadline: 10s
+  leaderElectionLeaseDuration: 15s
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 1
+          preference:
+            matchExpressions:
+              - key: eks.amazonaws.com/compute-type
+                operator: NotIn
+                values:
+                  - fargate
+                  - hybrid
+  # topologySpreadConstraints:
+  #  - maxSkew: 1
+  #    topologyKey: topology.kubernetes.io/zone
+  #    whenUnsatisfiable: ScheduleAnyway
+  #  - maxSkew: 1
+  #    topologyKey: kubernetes.io/hostname
+  #    whenUnsatisfiable: ScheduleAnyway
+  topologySpreadConstraints: []  
+  podDisruptionBudget:
+    # Warning: Disabling PodDisruptionBudget may lead to delays in stateful workloads starting due to controller
+    # pod restarts or evictions.
+    enabled: true
 
 node:
   mode: node
   loggingFormat: text
   logLevel: 2
   nodeSelector: {}
   updateStrategy: {}
-  resources: {}
+  #If you do want to specify resources, uncomment the following lines, adjust them as necessary,
+  resources:
+    requests:
+      cpu: 10m
+      memory: 40Mi
+    limits:
+      memory: 256Mi
   dnsPolicy: ClusterFirst
   dnsConfig:
     {}
@@ -88,13 +167,18 @@ node:
     #  eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/fsx-csi-role
     name: fsx-csi-node-sa
     annotations: {}
+  healthPort: 9809
+  # securityContext on the node pod
+  securityContext:
+    # The node pod must be run as root to bind to the registration/driver sockets
+    runAsNonRoot: false
+    runAsUser: 0
+    runAsGroup: 0
+    fsGroup: 0
+  env: []
+  volumes: []
+  volumeMounts: []
   podAnnotations: {}
-  # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata
-  # service.
-  # ---
-  # region: us-east-1
-  region:
-  terminationGracePeriodSeconds: 30
   tolerateAllTaints: true
   tolerations:
     - operator: Exists
@@ -109,8 +193,15 @@ node:
             operator: NotIn
             values:
             - fargate
-
+            - hybrid 
+            
 nameOverride: ""
 fullnameOverride: ""
 
 imagePullSecrets: []
+
+nodeComponentOnly: false
+# nodeComponentOnly: true
+  # Only deploys the node DaemonSet, Skips controller deployment
+# nodeComponentOnly: false (default)
+  # Deploys both controller and node components, normal full deployment