validate storage pools in CreateVolume

Author: amacaskill

pkg/common/parameters_test.go

@@ -227,11 +227,41 @@ func TestExtractAndDefaultParameters(t *testing.T) {
 			},
 		},
 		{
-			name:       "invalid storage pool parameters",
+			name:       "invalid storage pool parameters, starts with /projects instead of projects",
+			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "/projects/my-project/zones/us-central1-a/storagePools/storagePool-1"},
+			labels:     map[string]string{},
+			expectErr:  true,
+		},
+		{
+			name:       "invalid storage pool parameters, missing projects",
 			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "zones/us-central1-a/storagePools/storagePool-1"},
 			labels:     map[string]string{},
 			expectErr:  true,
 		},
+		{
+			name:       "invalid storage pool parameters, missing zones",
+			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "projects/my-project/storagePools/storagePool-1"},
+			labels:     map[string]string{},
+			expectErr:  true,
+		},
+		{
+			name:       "invalid storage pool parameters, duplicate projects",
+			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "projects/my-project/projects/my-project/storagePools/storagePool-1"},
+			labels:     map[string]string{},
+			expectErr:  true,
+		},
+		{
+			name:       "invalid storage pool parameters, duplicate zones",
+			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "zones/us-central1-a/zones/us-central1-a/storagePools/storagePool-1"},
+			labels:     map[string]string{},
+			expectErr:  true,
+		},
+		{
+			name:       "invalid storage pool parameters, duplicate storagePools",
+			parameters: map[string]string{ParameterKeyType: "hyperdisk-balanced", ParameterKeyStoragePools: "projects/my-project/storagePools/us-central1-a/storagePools/storagePool-1"},
+			labels:     map[string]string{},
+			expectErr:  true,
+		},
 	}
 
 	for _, tc := range tests {

pkg/gce-pd-csi-driver/controller.go

@@ -254,6 +254,10 @@ func (gceCS *GCEControllerServer) CreateVolume(ctx context.Context, req *csi.Cre
 		gceAPIVersion = gce.GCEAPIVersionBeta
 	}
 
+	if err := validateStoragePools(req, params, gceCS.CloudProvider.GetDefaultProject()); err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "CreateVolume failed to validate storage pools: %v", err)
+	}
+
 	// Verify that the regional availability class is only used on regional disks.
 	if params.ForceAttach && params.ReplicationType != replicationTypeRegionalPD {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid availabilty class for zonal disk")
@@ -1623,13 +1627,13 @@ func getZonesFromTopology(topList []*csi.Topology) ([]string, error) {
 	zones := []string{}
 	for _, top := range topList {
 		if top.GetSegments() == nil {
-			return nil, fmt.Errorf("preferred topologies specified but no segments")
+			return nil, fmt.Errorf("topologies specified but no segments")
 		}
 
 		// GCE PD cloud provider Create has no restrictions so just create in top preferred zone
 		zone, err := getZoneFromSegment(top.GetSegments())
 		if err != nil {
-			return nil, fmt.Errorf("could not get zone from preferred topology: %w", err)
+			return nil, fmt.Errorf("could not get zone from topology: %w", err)
 		}
 		zones = append(zones, zone)
 	}

pkg/gce-pd-csi-driver/controller_test.go

@@ -877,6 +877,59 @@ func TestCreateVolumeArguments(t *testing.T) {
 			},
 			expErrCode: codes.InvalidArgument,
 		},
+		{
+			name: "success with storage pools parameter",
+			req: &csi.CreateVolumeRequest{
+				Name:               name,
+				CapacityRange:      stdCapRange,
+				VolumeCapabilities: stdVolCaps,
+				Parameters:         map[string]string{"storage-pools": "projects/test-project/zones/us-central1-a/storagePools/storagePool-1", "type": "hyperdisk-balanced"},
+				AccessibilityRequirements: &csi.TopologyRequirement{
+					Requisite: []*csi.Topology{
+						{
+							Segments: map[string]string{common.TopologyKeyZone: "us-central1-a"},
+						},
+					},
+					Preferred: []*csi.Topology{
+						{
+							Segments: map[string]string{common.TopologyKeyZone: "us-central1-a"},
+						},
+					},
+				},
+			},
+			expVol: &csi.Volume{
+				CapacityBytes: common.GbToBytes(20),
+				VolumeId:      "projects/test-project/zones/us-central1-a/disks/test-name",
+				VolumeContext: nil,
+				AccessibleTopology: []*csi.Topology{
+					{
+						Segments: map[string]string{common.TopologyKeyZone: "us-central1-a"},
+					},
+				},
+			},
+		},
+		{
+			name: "fail with invalid storage pools parameter",
+			req: &csi.CreateVolumeRequest{
+				Name:               name,
+				CapacityRange:      stdCapRange,
+				VolumeCapabilities: stdVolCaps,
+				Parameters:         map[string]string{"storage-pools": "zones/us-central1-a/storagePools/storagePool-1", "type": "hyperdisk-balanced"},
+				AccessibilityRequirements: &csi.TopologyRequirement{
+					Requisite: []*csi.Topology{
+						{
+							Segments: map[string]string{common.TopologyKeyZone: "us-central1-a"},
+						},
+					},
+					Preferred: []*csi.Topology{
+						{
+							Segments: map[string]string{common.TopologyKeyZone: "us-central1-a"},
+						},
+					},
+				},
+			},
+			expErrCode: codes.InvalidArgument,
+		},
 	}
 
 	// Run test cases
@@ -1312,6 +1365,7 @@ func TestCreateVolumeWithVolumeSourceFromVolume(t *testing.T) {
 		name                 string
 		volumeOnCloud        bool
 		expErrCode           codes.Code
+		expErrMsg            string
 		sourceVolumeID       string
 		reqParameters        map[string]string
 		sourceReqParameters  map[string]string
@@ -1400,6 +1454,30 @@ func TestCreateVolumeWithVolumeSourceFromVolume(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:                 "fail cloning with storage pools",
+			volumeOnCloud:        true,
+			sourceVolumeID:       testZonalVolumeSourceID,
+			requestCapacityRange: stdCapRange,
+			sourceCapacityRange:  stdCapRange,
+			reqParameters: map[string]string{
+				common.ParameterKeyType:                 "test-type",
+				common.ParameterKeyReplicationType:      replicationTypeNone,
+				common.ParameterKeyDiskEncryptionKmsKey: "encryption-key",
+				common.ParameterKeyStoragePools:         "projects/test-project/zones/country-region-zone/storagePools/storagePool-1",
+			},
+			sourceReqParameters: zonalParams,
+			sourceTopology: &csi.TopologyRequirement{
+				Requisite: requisiteTopology,
+				Preferred: prefTopology,
+			},
+			requestTopology: &csi.TopologyRequirement{
+				Requisite: requisiteTopology,
+				Preferred: prefTopology,
+			},
+			expErrCode: codes.InvalidArgument,
+			expErrMsg:  "storage pools do not support disk clones",
+		},
 		{
 			name:                 "success zonal -> zonal cloning, req = all zones in region, pref = req w/ src zone as first element: delayed binding without allowedTopologies",
 			volumeOnCloud:        true,
@@ -1851,6 +1929,9 @@ func TestCreateVolumeWithVolumeSourceFromVolume(t *testing.T) {
 		if tc.expErrCode != codes.OK {
 			t.Fatalf("Expected error: %v, got no error", tc.expErrCode)
 		}
+		if tc.expErrMsg != "" && tc.expErrMsg != err.Error() {
+			t.Fatalf("Got error: %v, expected error: %v", err.Error(), tc.expErrMsg)
+		}
 
 		// Make sure the response has the source volume.
 		respVolume := resp.GetVolume()

pkg/gce-pd-csi-driver/utils.go

@@ -23,7 +23,10 @@ import (
 
 	csi "github.com/container-storage-interface/spec/lib/go/csi"
 	"google.golang.org/grpc"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
+
+	"sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/pkg/common"
 )
 
 const (
@@ -139,6 +142,68 @@ func validateAccessMode(am *csi.VolumeCapability_AccessMode) error {
 	return nil
 }
 
+func validateStoragePools(req *csi.CreateVolumeRequest, params common.DiskParameters, project string) error {
+	storagePoolsEnabled := params.StoragePools != nil
+	if !storagePoolsEnabled || req == nil {
+		return nil
+	}
+
+	if params.EnableConfidentialCompute {
+		return fmt.Errorf("storage pools do not support confidential storage")
+	}
+
+	if !(params.DiskType == "hyperdisk-balanced" || params.DiskType == "hyperdisk-throughput") {
+		return fmt.Errorf("invalid disk-type: %q. storage pools only support hyperdisk-balanced or hyperdisk-throughput", params.DiskType)
+	}
+
+	if params.ReplicationType == replicationTypeRegionalPD {
+		return fmt.Errorf("storage pools do not support regional PD")
+	}
+
+	if useVolumeCloning(req) {
+		return fmt.Errorf("storage pools do not support disk clones")
+	}
+
+	// Check that requisite zones matches the storage pools zones.
+	// This means allowedTopologies was set properly by GCW.
+	if err := validateStoragePoolZones(req, params.StoragePools); err != nil {
+		return fmt.Errorf("failed to validate storage pools zones: %v", err)
+	}
+
+	// Check that Storage Pools are in same project as the GCEClient that creates the volume.
+	if err := validateStoragePoolProjects(project, params.StoragePools); err != nil {
+		return fmt.Errorf("failed to validate storage pools projects: %v", err)
+	}
+
+	return nil
+}
+
+func validateStoragePoolZones(req *csi.CreateVolumeRequest, storagePools []common.StoragePool) error {
+	storagePoolZones, err := common.StoragePoolZones(storagePools)
+	if err != nil {
+		return err
+	}
+	reqZones, err := getZonesFromTopology(req.GetAccessibilityRequirements().GetRequisite())
+	if err != nil {
+		return err
+	}
+	if !common.UnorderedSlicesEqual(storagePoolZones, reqZones) {
+		return fmt.Errorf("requisite topologies must match storage pools zones. requisite zones: %v, storage pools zones: %v", reqZones, storagePoolZones)
+	}
+	return nil
+}
+
+func validateStoragePoolProjects(project string, storagePools []common.StoragePool) error {
+	spProjects := sets.String{}
+	for _, sp := range storagePools {
+		if sp.Project != project {
+			spProjects.Insert(sp.Project)
+			return fmt.Errorf("cross-project storage pools usage is not supported. Trying to CreateVolume in project %q with storage pools in projects %v", project, spProjects.UnsortedList())
+		}
+	}
+	return nil
+}
+
 func getMultiWriterFromCapability(vc *csi.VolumeCapability) (bool, error) {
 	if vc.GetAccessMode() == nil {
 		return false, errors.New("access mode is nil")