[csi] Add volumeCleanup (#73)

Signed-off-by: Aleksandr Zimin <[email protected]>
Signed-off-by: Anton Sergunov <[email protected]>
Signed-off-by: Vasily Oleynikov <[email protected]>
Signed-off-by: Denis.Rebenok <[email protected]>
Co-authored-by: Anton Sergunov <[email protected]>
Co-authored-by: Vasily Oleynikov <[email protected]>
Co-authored-by: Denis Rebenok <[email protected]>
Co-authored-by: Denis.Rebenok <[email protected]>

Author: 4 people

.github/workflows/build_dev.yml

@@ -52,11 +52,11 @@ jobs:
       - name: Set vars
         id: set-vars
         run: |
-          # Slect edition for build, default EE
+          # Slect edition for build, default ee
           if echo "${{ steps.get-labels.outputs.result }}" | grep -q "edition/ce"; then
-            echo "MODULE_EDITION=CE" >> "$GITHUB_OUTPUT"
+            echo "MODULE_EDITION=ce" >> "$GITHUB_OUTPUT"
           else
-            echo "MODULE_EDITION=EE" >> "$GITHUB_OUTPUT"
+            echo "MODULE_EDITION=ee" >> "$GITHUB_OUTPUT"
           fi
 
   dev_setup_build:

.github/workflows/build_prod.yml

@@ -60,7 +60,7 @@ jobs:
       - name: SET VAR
         run: |
           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/ee/modules" >> "$GITHUB_ENV"
-          echo "MODULE_EDITION=EE" >> "$GITHUB_ENV"
+          echo "MODULE_EDITION=ee" >> "$GITHUB_ENV"
       - run: |
           echo $MODULES_REGISTRY
           echo $MODULES_MODULE_NAME
@@ -95,7 +95,7 @@ jobs:
       - name: SET VAR
         run: |
           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/fe/modules" >> "$GITHUB_ENV"
-          echo "MODULE_EDITION=EE" >> "$GITHUB_ENV"
+          echo "MODULE_EDITION=ee" >> "$GITHUB_ENV"
       - run: |
           echo $MODULES_REGISTRY
           echo $MODULES_MODULE_NAME
@@ -130,7 +130,7 @@ jobs:
       - name: SET VAR
         run: |
           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/se/modules" >> "$GITHUB_ENV"
-          echo "MODULE_EDITION=EE" >> "$GITHUB_ENV"
+          echo "MODULE_EDITION=se" >> "$GITHUB_ENV"
       - run: |
           echo $MODULES_REGISTRY
           echo $MODULES_MODULE_NAME
@@ -165,7 +165,7 @@ jobs:
       - name: SET VAR
         run: |
           echo "MODULES_MODULE_SOURCE=$MODULES_REGISTRY/$MODULE_SOURCE_NAME/se-plus/modules" >> "$GITHUB_ENV"
-          echo "MODULE_EDITION=EE" >> "$GITHUB_ENV"
+          echo "MODULE_EDITION=seplus" >> "$GITHUB_ENV"
       - run: |
           echo $MODULES_REGISTRY
           echo $MODULES_MODULE_NAME

.github/workflows/go_lint.yaml

@@ -1,7 +1,7 @@
 name: Go linter for images
 
 env:
-  GO_BUILD_TAGS: "EE CE"
+  GO_BUILD_TAGS: "ee ce se seplus csepro"
 
 on:
   pull_request:

.github/workflows/go_tests.yaml

@@ -1,7 +1,7 @@
 name: Go tests for images
 
 env:
-  GO_BUILD_TAGS: "EE CE"
+  GO_BUILD_TAGS: "ee ce se seplus csepro"
 
 on:
   pull_request:

.werf/choise-edition.yaml

@@ -2,7 +2,7 @@
 ---
 image: choise-edition
 from: {{ $.BASE_ALT_P11 }}
-fromCacheVersion: 2025-01-31.1
+fromCacheVersion: 2025-02-10.1
 git:
   - add: /
     to: /
@@ -11,5 +11,6 @@ git:
 shell:
   setup:
     - cd /openapi
-    - cp -v values_{{ .MODULE_EDITION }}.yaml values.yaml
+    # - cp -v values_{{ .MODULE_EDITION }}.yaml values.yaml
+    - if [[ {{ .MODULE_EDITION }} == "ce" ]]; then cp -v values_ce.yaml values.yaml; else cp -v values_ee.yaml values.yaml; fi
     - rm -rf values_*.yaml

.werf/consts.yaml

@@ -1,12 +1,12 @@
 # base images
-{{- $_ := set . "BASE_GOLANG_1_23" "registry.deckhouse.io/base_images/golang:1.23.4-bookworm@sha256:a9147a48ac5e925a66764afae7cf4b1cfd37a6e94ad7519eca74c1fd8993ae45" }}
+{{- $_ := set . "BASE_GOLANG_1_23" "registry.deckhouse.io/base_images/golang:1.23.6-alpine3.20@sha256:3058c63e0e2532881949c4186414baa24a0f9a8f9349b1853daa49be816f42e9" }}
 {{- $_ := set . "BASE_SCRATCH" "registry.deckhouse.io/base_images/scratch@sha256:653ae76965c98c8cd1c8c9ff7725316d2983986f896655b30e0f44d2f8b2dd7e" }}
-{{- $_ := set . "BASE_ALT_P11" "registry.deckhouse.io/base_images/alt:p11@sha256:e47d84424485d3674240cb2f67d3a1801b37d327e6d1eb8cc8d01be8ed3b34f3" }}
+{{- $_ := set . "BASE_ALT_P11" "registry.deckhouse.io/base_images/alt:p11@sha256:b630220d83798057e1c67fe6f712a49e9c3abb377f0bd7183bba0ba541fc4081" }}
 {{- $_ := set . "BASE_ALPINE_3_16" "registry.deckhouse.io/base_images/alpine:3.16.3" }}
 {{- $_ := set . "BASE_ALPINE_3_20" "registry.deckhouse.io/base_images/alpine:3.20.3@sha256:41628df7c9b935d248f64542634e7a843f9bc7f2252d7f878e77f7b79a947466" }}
 
-# Edition module settings, default EE
-{{- $_ := set . "MODULE_EDITION" (env "MODULE_EDITION" "EE") }}
+# Edition module settings, default ee
+{{- $_ := set . "MODULE_EDITION" (env "MODULE_EDITION" "ee") }}
 
 # component versions
 {{- $versions := dict }}
@@ -19,4 +19,5 @@
 # custom constants
 {{- $_ := set $ "DEV_PACKAGES" "make automake pkg-config gcc libtool git curl" }}
 {{- $_ := set $ "DECKHOUSE_UID_GID" "64535" }}
+{{- $_ := set $ "ALT_BASE_PACKAGES" "openssl libtirpc tzdata" }}
 {{- $_ := set $ "ALT_CLEANUP_CMD" "rm -rf /var/lib/apt/lists/* /var/cache/apt/* && mkdir -p /var/lib/apt/lists/partial /var/cache/apt/archives/partial" }}

api/v1alpha1/nfs_storage_class.go

@@ -45,6 +45,7 @@ type NFSStorageClassSpec struct {
 	ReclaimPolicy     string                        `json:"reclaimPolicy"`
 	VolumeBindingMode string                        `json:"volumeBindingMode"`
 	WorkloadNodes     *NFSStorageClassWorkloadNodes `json:"workloadNodes,omitempty"`
+	VolumeCleanup     string                        `json:"volumeCleanup,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true

crds/doc-ru-nfsstorageclass.yaml

@@ -75,6 +75,18 @@ spec:
                         matchExpressions:
                           description: |
                             Список сложных условий выбора узлов. Каждое условие задаёт ключ, оператор и, при необходимости, значения для фильтрации узлов на основе их меток или других полей.
+                volumeCleanup:
+                  description: |
+                    **Функция доступна в Enterprise Edition.**
+
+                    Метод очистки тома после удаления PV.
+                    По умолчанию драйвер NFS CSI удаляет каталог, созданный для PV на сервере NFS, не выполняя никакой очистки данных
+                    Если параметр `volumeCleanup` задан, драйвер удалит каждый файл в каталоге PV.
+
+                    Допустимые значения параметра:
+                    - **Discard** — используется функция `Discard`(trim) файловой системы для освобождения блоков данных (Эта опция доступна только в том случае, если она поддерживается, например, в NFSv4.2.).
+                    - **RandomFillSinglePass** — перед удалением содержимое каждого файла перезаписывается случайными данными один раз. Реализуется путем вызова утилиты `shred`.
+                    - **RandomFillThreePass** — перед удалением содержимое каждого файла перезаписывается случайными данными три раза. Реализуется путем вызова утилиты `shred`.
             status:
               properties:
                 phase:

crds/nfsstorageclass.yaml

@@ -39,6 +39,11 @@ spec:
                 - connection
                 - reclaimPolicy
                 - volumeBindingMode
+              x-kubernetes-validations:
+                - rule: "self.reclaimPolicy != 'Retain' || !has(self.volumeCleanup)"
+                  message: "If reclaimPolicy is 'Retain', volumeCleanup must be omitted."
+                - rule: "self.connection.nfsVersion == '4.2' || !has(self.volumeCleanup)|| self.volumeCleanup != 'Discard'"
+                  message: "Discard mode is only available when connection.nfsVersion is '4.2'."
               properties:
                 connection:
                   type: object
@@ -191,6 +196,24 @@ spec:
                                 type: array
                                 items:
                                   type: string
+                volumeCleanup:
+                  type: string
+                  x-doc-d8editions: [ee,fe]
+                  description: |
+                    **This feature is available in Enterprise Edition.**
+
+                    Specifies the cleanup method to be applied to the PV’s subdirectory content before deletion.
+                    By default, the NFS CSI driver simply deletes the directory created for the Persistent Volume (PV) on the NFS server without performing any data cleanup.
+                    When volumeCleanup is enabled, the driver will erase each file in the PV directory.
+
+                    Valid options are:
+                    - **Discard**: Uses the filesystem’s discard (trim) functionality to free data blocks. (This option is available only when supported, for example with NFSv4.2.)
+                    - **RandomFillSinglePass**: Overwrites the content of each file once with random data before deletion. This is implemented by invoking the utility `shred`.
+                    - **RandomFillThreePass**: Overwrites the content of each file three times with random data before deletion. This is implemented by invoking the utility `shred`.
+                  enum:
+                    - Discard
+                    - RandomFillSinglePass
+                    - RandomFillThreePass
             status:
               type: object
               description: |

docs/README.md

@@ -81,3 +81,49 @@ A directory `<directory from share>/<PV name>` will be created for each PV.
 ### Checking module health
 
 You can verify the functionality of the module using the instructions [in FAQ](./faq.html#how-to-check-module-health).
+
+### Selects the method to clean the volume before deleting the PV
+
+Files with user data may remain on the volume to be deleted. These files will be deleted and will not be accessible to other users via NFS.
+
+However, the deleted files' data may be available to other clients if the server grants block-level access to its storage.
+
+The `volumeCleanup` parameter will help you choose how to clean the volume before deleting it.
+
+> **Caution.** This option does not affect files already deleted by the client application.
+
+> **Caution.** This option affects only commands sent via the NFS protocol. The server-side execution of these commands is defined by:
+>
+> - NFS server service;
+> - the file system;
+> - the level of block devices and their virtualization (e.g. LVM);
+> - the physical devices themselves.
+>
+> Make sure the server is trusted. Do not send sensitive data to servers that you are not sure of.
+
+#### `SinglePass` method
+
+Used if `volumeCleanup` is set to `RandomFillSinglePass`.
+
+The contents of the files are overwritten with a random sequence before deletion. The random sequence is transmitted over the network.
+
+#### `ThreePass` method
+
+Used if `volumeCleanup` is set to `RandomFillThreePass`.
+
+The contents of the files are overwritten three times with a random sequence before deletion. The three random sequences are transmitted over the network.
+
+#### `Discard` method
+
+Used if `volumeCleanup` is set to `Discard`.
+
+Many file systems implement support for solid-state drives, allowing the space occupied by a file to be freed at the block level without writing new data to extend the life of the solid-state drive. However, not all solid-state drives guarantee that the freed block data is inaccessible.
+
+If `volumeCleanup` is set to `Discard`, file contents are marked as free via the `falloc` system call with the `FALLOC_FL_PUNCH_HOLE` flag. The file system will free the blocks fully used by the file, via the `blkdiscard` call, and the remaining space will be overwritten with zeros.
+
+Advantages of this method:
+
+- the amount of traffic does not depend on the size of the files, only on the number of files;
+- the method can make old data unavailable in some server configurations;
+- works for both hard disks and SSDs;
+- can maximize SSD lifetime.