For RWX block volumes, for VMFS datastores, policy must be EZT (#3471)

Author: skogta

pkg/csi/service/wcp/controller.go

@@ -505,6 +505,17 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 		return nil, csifault.CSIInternalFault, logger.LogNewErrorCodef(log, codes.Internal,
 			"failed to get vCenter from Manager. Error: %v", err)
 	}
+
+	if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx,
+		common.SharedDiskFss) && isSharedRawBlockRequest(ctx, req.VolumeCapabilities) {
+		log.Infof("Volume request is for shared RWX volume. Validatig if policy is compatible for VMFS datastores.")
+		err := validateStoragePolicyForVmfs(ctx, vc, storagePolicyID)
+		if err != nil {
+			log.Errorf("failed validation for policy %s", storagePolicyID)
+			return nil, csifault.CSIInternalFault, err
+		}
+	}
+
 	// Fetch the accessibility requirements from the request.
 	topologyRequirement = req.GetAccessibilityRequirements()
 	filterSuspendedDatastores := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.CnsMgrSuspendCreateVolume)

pkg/csi/service/wcp/controller_helper.go

@@ -50,6 +50,11 @@ import (
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/syncer/k8scloudoperator"
 )
 
+var (
+	vmfsNamespace         = "com.vmware.storage.volumeallocation"
+	vmfsNamespaceEztValue = "Fully initialized"
+)
+
 // validateCreateBlockReqParam is a helper function used to validate the parameter
 // name received in the CreateVolume request for block volumes on WCP CSI driver.
 // Returns true if the parameter name is valid, false otherwise.
@@ -86,6 +91,51 @@ func validateCreateFileReqParam(paramName, value string) bool {
 		paramName == common.AttributeIsLinkedCloneKey
 }
 
+// verifyStoragePolicyForVmfsWithEageredZeroThick goes through each rule in the policy to
+// find out if it is fully intialized for VMFS datastores.
+// This check is required for RWX shared block volumes as for VMFS, the policy must be EZT.
+func verifyStoragePolicyForVmfsWithEageredZeroThick(ctx context.Context,
+	spbmPolicyContentList []vsphere.SpbmPolicyContent,
+	storagePolicyId string) error {
+	log := logger.GetLogger(ctx)
+
+	for _, polictContent := range spbmPolicyContentList {
+		for _, profile := range polictContent.Profiles {
+			for _, rule := range profile.Rules {
+				if rule.Ns == vmfsNamespace {
+					if rule.Value != vmfsNamespaceEztValue {
+						msg := fmt.Sprintf("Policy %s is for VMFS datastores. It must be fully initialized for "+
+							"RWX block volumes", storagePolicyId)
+						err := errors.New(msg)
+						log.Errorf(msg)
+						return err
+					}
+					log.Infof("Policy %s is for VMFS and is fully initialized", storagePolicyId)
+					return nil
+				}
+			}
+		}
+	}
+
+	log.Debugf("Policy %s validated correctly", storagePolicyId)
+	return nil
+}
+
+// validateStoragePolicyForVmfs checks whether the policy is compatible for VMFS datastores.
+// This function is only called for RWX shared block volumes.
+func validateStoragePolicyForVmfs(ctx context.Context,
+	vc *vsphere.VirtualCenter, storagePolicyId string) error {
+	log := logger.GetLogger(ctx)
+
+	spbmPolicyContentList, err := vc.PbmRetrieveContent(ctx, []string{storagePolicyId})
+	if err != nil {
+		log.Errorf("failed to retrieve policy %s", storagePolicyId)
+		return err
+	}
+
+	return verifyStoragePolicyForVmfsWithEageredZeroThick(ctx, spbmPolicyContentList, storagePolicyId)
+}
+
 // validateWCPCreateVolumeRequest is the helper function to validate
 // CreateVolumeRequest for WCP CSI driver.
 // Function returns error if validation fails otherwise returns nil.

pkg/csi/service/wcp/controller_helper_test.go

@@ -11,6 +11,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/fake"
 	k8stesting "k8s.io/client-go/testing"
+	cnsvsphere "sigs.k8s.io/vsphere-csi-driver/v3/pkg/common/cns-lib/vsphere"
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/common/unittestcommon"
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/common/commonco"
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/logger"
@@ -132,6 +133,68 @@ func TestGetPodVMUUID(t *testing.T) {
 	})
 }
 
+func TestVerifyStoragePolicyForVmfsWithEageredZeroThick(t *testing.T) {
+	ctx := context.TODO()
+
+	t.Run("Valid VMFS EZT policy", func(t *testing.T) {
+		policyList := []cnsvsphere.SpbmPolicyContent{
+			{
+				Profiles: []cnsvsphere.SpbmPolicySubProfile{
+					{
+						Rules: []cnsvsphere.SpbmPolicyRule{
+							{Ns: vmfsNamespace, Value: vmfsNamespaceEztValue},
+						},
+					},
+				},
+			},
+		}
+
+		err := verifyStoragePolicyForVmfsWithEageredZeroThick(ctx, policyList, "valid-policy-id")
+		assert.NoError(t, err)
+	})
+
+	t.Run("Invalid VMFS policy - not EZT", func(t *testing.T) {
+		policyList := []cnsvsphere.SpbmPolicyContent{
+			{
+				Profiles: []cnsvsphere.SpbmPolicySubProfile{
+					{
+						Rules: []cnsvsphere.SpbmPolicyRule{
+							{Ns: vmfsNamespace, Value: "Thin"},
+						},
+					},
+				},
+			},
+		}
+
+		err := verifyStoragePolicyForVmfsWithEageredZeroThick(ctx, policyList, "invalid-policy-id")
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "must be fully initialized")
+	})
+
+	t.Run("Policy with no VMFS rule", func(t *testing.T) {
+		policyList := []cnsvsphere.SpbmPolicyContent{
+			{
+				Profiles: []cnsvsphere.SpbmPolicySubProfile{
+					{
+						Rules: []cnsvsphere.SpbmPolicyRule{
+							{Ns: "VSAN", Value: "Whatever"},
+						},
+					},
+				},
+			},
+		}
+
+		err := verifyStoragePolicyForVmfsWithEageredZeroThick(ctx, policyList, "no-vmfs-rule-policy")
+		assert.NoError(t, err)
+	})
+
+	t.Run("Empty policy list", func(t *testing.T) {
+		var policyList []cnsvsphere.SpbmPolicyContent
+		err := verifyStoragePolicyForVmfsWithEageredZeroThick(ctx, policyList, "empty-policy")
+		assert.NoError(t, err)
+	})
+}
+
 func newMockPod(name, namespace, nodeName string, volumes []string,
 	annotations map[string]string, phase v1.PodPhase) *v1.Pod {
 	vols := make([]v1.Volume, len(volumes))