Merge pull request #805 from ttakahashi21/KEP-3294

Alpha support for provision volumes from cross-namespace data sources

Author: k8s-ci-robot

README.md

@@ -27,7 +27,8 @@ Following table reflects the head of this branch.
 | ReadWriteOncePod   | Alpha | Off | [Single pod access mode for PersistentVolumes](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes).                                        | No |
 | HonorPVReclaimPolicy| Alpha |Off | [Honor the PV reclaim policy](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/2644-honor-pv-reclaim-policy)                                  | No |
 | PreventVolumeModeConversion | Alpha |Off | [Prevent unauthorized conversion of source volume mode](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3141-prevent-volume-mode-conversion) | `--prevent-volume-mode-conversion` (No in-tree feature gate) |
-| CSINodeExpandSecret | Alpha |Off | [CSI Node expansion secret](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3107-csi-nodeexpandsecret)                                  | No
+| CSINodeExpandSecret | Alpha |Off | [CSI Node expansion secret](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3107-csi-nodeexpandsecret)                                  | No |
+| CrossNamespaceVolumeDataSource | Alpha |Off | [Cross-namespace volume data source](https://github.com/kubernetes/enhancements/tree/master/keps/sig-storage/3294-provision-volumes-from-cross-namespace-snapshots) | `--feature-gates=CrossNamespaceVolumeDataSource=true` |
 
 All other external-provisioner features and the external-provisioner itself is considered GA and fully supported.
 

cmd/csi-provisioner/csi-provisioner.go

@@ -64,6 +64,9 @@ import (
 	"github.com/kubernetes-csi/external-provisioner/pkg/features"
 	"github.com/kubernetes-csi/external-provisioner/pkg/owner"
 	snapclientset "github.com/kubernetes-csi/external-snapshotter/client/v6/clientset/versioned"
+	gatewayclientset "sigs.k8s.io/gateway-api/pkg/client/clientset/versioned"
+	gatewayInformers "sigs.k8s.io/gateway-api/pkg/client/informers/externalversions"
+	referenceGrantv1beta1 "sigs.k8s.io/gateway-api/pkg/client/listers/apis/v1beta1"
 )
 
 var (
@@ -192,6 +195,15 @@ func main() {
 		klog.Fatalf("Failed to create snapshot client: %v", err)
 	}
 
+	var gatewayClient gatewayclientset.Interface
+	if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) {
+		// gatewayclientset.NewForConfig creates a new Clientset for GatewayClient
+		gatewayClient, err = gatewayclientset.NewForConfig(config)
+		if err != nil {
+			klog.Fatalf("Failed to create gateway client: %v", err)
+		}
+	}
+
 	metricsManager := metrics.NewCSIMetricsManagerWithOptions("", /* driverName */
 		// Will be provided via default gatherer.
 		metrics.WithProcessStartTime(false),
@@ -354,6 +366,14 @@ func main() {
 		}
 	}
 
+	var referenceGrantLister referenceGrantv1beta1.ReferenceGrantLister
+	var gatewayFactory gatewayInformers.SharedInformerFactory
+	if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) {
+		gatewayFactory = gatewayInformers.NewSharedInformerFactory(gatewayClient, ctrl.ResyncPeriodOfReferenceGrantInformer)
+		referenceGrants := gatewayFactory.Gateway().V1beta1().ReferenceGrants()
+		referenceGrantLister = referenceGrants.Lister()
+	}
+
 	// -------------------------------
 	// PersistentVolumeClaims informer
 	rateLimiter := workqueue.NewItemExponentialFailureRateLimiter(*retryIntervalStart, *retryIntervalMax)
@@ -402,6 +422,7 @@ func main() {
 		nodeLister,
 		claimLister,
 		vaLister,
+		referenceGrantLister,
 		*extraCreateMetadata,
 		*defaultFSType,
 		nodeDeployment,
@@ -604,6 +625,18 @@ func main() {
 			}
 		}
 
+		if utilfeature.DefaultFeatureGate.Enabled(features.CrossNamespaceVolumeDataSource) {
+			if gatewayFactory != nil {
+				gatewayFactory.Start(ctx.Done())
+			}
+			gatewayCacheSyncResult := gatewayFactory.WaitForCacheSync(ctx.Done())
+			for _, v := range gatewayCacheSyncResult {
+				if !v {
+					klog.Fatalf("Failed to sync Informers for gateway!")
+				}
+			}
+		}
+
 		if capacityController != nil {
 			go capacityController.Run(ctx, int(*capacityThreads))
 		}

deploy/kubernetes/rbac.yaml

@@ -57,6 +57,13 @@ rules:
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments"]
     verbs: ["get", "list", "watch"]
+  # (Alpha) Access to referencegrants is only needed when the CSI driver
+  # has the CrossNamespaceVolumeDataSource controller capability.
+  # In that case, external-provisioner requires "get", "list", "watch" 
+  # permissions  for "referencegrants" on "gateway.networking.k8s.io".
+  #- apiGroups: ["gateway.networking.k8s.io"]
+  #  resources: ["referencegrants"]
+  #  verbs: ["get", "list", "watch"]
 
 ---
 kind: ClusterRoleBinding

go.mod

@@ -26,6 +26,7 @@ require (
 	k8s.io/csi-translation-lib v0.26.0-rc.0
 	k8s.io/klog/v2 v2.80.1
 	sigs.k8s.io/controller-runtime v0.13.1
+	sigs.k8s.io/gateway-api v0.6.0-rc1
 	sigs.k8s.io/sig-storage-lib-external-provisioner/v8 v8.0.0
 )
 

go.sum

@@ -958,6 +958,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/controller-runtime v0.13.1 h1:tUsRCSJVM1QQOOeViGeX3GMT3dQF1eePPw6sEE3xSlg=
 sigs.k8s.io/controller-runtime v0.13.1/go.mod h1:Zbz+el8Yg31jubvAEyglRZGdLAjplZl+PgtYNI6WNTI=
+sigs.k8s.io/gateway-api v0.6.0-rc1 h1:ierhK6SIK8pSibB+gkr+aG8cWLez/M7iD9dQIqLALxU=
+sigs.k8s.io/gateway-api v0.6.0-rc1/go.mod h1:+3QMzP775JFKArHqiwk/kzItMRXW9CKPXcO8QcuXvvk=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 h1:iXTIw73aPyC+oRdyqqvVJuloN1p0AC/kzH07hu3NE+k=
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/sig-storage-lib-external-provisioner/v8 v8.0.0 h1:vQUoaDxbberC3UwvE+zauyOMkpWlleaVgc75LoDOyy4=