[manila-csi-plugin] support muilple share rules #2915
Conversation
k8s-ci-robot
added
release-note
|
Welcome @silvacarloss! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @silvacarloss. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/L
|
/ok-to-test I'll make a review a bit later |
k8s-ci-robot
added
ok-to-test
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
e100d6b to
e7984fb
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
e7984fb to
e1c1dfc
Compare
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
e1c1dfc to
a4a50ea
Compare
examples/manila-csi-plugin/nfs/static-provisioning/preprovisioned-pvc.yaml
Outdated
Show resolved
Hide resolved
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
a4a50ea to
978dd3d
Compare
|
|
k8s-ci-robot
added
cncf-cla: no
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
cc098b5 to
7e80d0a
Compare
|
/retest |
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
7e80d0a to
bcfd545
Compare
There was a problem hiding this comment.
Hi, a comment inline regarding backwards compatibility; I think you've demonstrated that it works well with NFS, and it'd be nice to test with CephFS as well to be sure. Thanks @silvacarloss
There was a problem hiding this comment.
I believe we need to polish the options for cleanliness and more importantly to avoid breaking backward compatibility. I'm also surprised that it's working at all since we seems to be using a deprecated API call to list accesses which is supposed to return 404.
| @@ -46,7 +46,7 @@ type ShareAdapter interface { | |||
| // GetOrGrantAccess first tries to retrieve an access right for args.Share. | |||
There was a problem hiding this comment.
Please update the godoc as well.
pkg/csi/manila/nodeserver.go
Outdated
| @@ -131,6 +119,7 @@ func (ns *nodeServer) buildVolumeContext(ctx context.Context, volID volumeID, sh | |||
| // Build volume context for fwd plugin | |||
|
|
|||
| sa := getShareAdapter(ns.d.shareProto) | |||
| accessRight = getAccessRightBasedOnShareAdapter(sa, accessRights, shareOpts.ShareAccessIDs) | |||
There was a problem hiding this comment.
If we're not using the returned value, perhaps replace the variable with _ ?
There was a problem hiding this comment.
good question... accessRight was defined in the function signature, so it's empty. When we get to this getAccessRightBasedOnShareAdapter function, it might (or might not) return an access right, which should populate the accessRight value that will be returned, so it's part of assigning a value so it will work with the naked return behavior. I'm kinda new to go and not sure if the naked return is a good practice, so please let me know if this is okay :)
pkg/csi/manila/shareadapters/nfs.go
Outdated
| }) | ||
| // Search again because access rights have changed | ||
| if created { | ||
| rights, err = args.ManilaClient.GetAccessRights(ctx, args.Share.ID) |
There was a problem hiding this comment.
Perhaps we can save the extra API call if we append the returned accesses from the calls args.ManilaClient.GrantAccess() to rights.
Also, as a side note, it looks like args.ManilaClient.GetAccessRights() is using gophercloud's shares.ListAccessRights() function, which in turns make a call to a deprecated API. The doc says that it will return 404 starting from microversion 2.45, which is OpenStack Rocky. I suspect we're always getting a 404 error for all calls to args.ManilaClient.GetAccessRights(). This would be problematic on line 39.
It should be using shareaccessrules.List() instead.
There was a problem hiding this comment.
OK, this deprecated API call is actually tracked in #2277.
There was a problem hiding this comment.
And we're setting the client micro-version to 2.37, which explains why it's working.
There was a problem hiding this comment.
Makes sense, this call has to change indeed. Can we make this a part of a follow-up change though? :)
There was a problem hiding this comment.
Agree on bumping the microversion with a different change; it's desirable to not depend on an old API version - it'll certainly simplify things, and we'll get to use newer features including the ability to paginate and such.
| klog.V(4).Infof("cephx access right for share %s already exists", args.Share.Name) | ||
| accessToList := []string{args.Share.Name} | ||
| if args.Options.CephfsClientID != "" { | ||
| accessToList = strings.Split(args.Options.CephfsClientID, ",") |
There was a problem hiding this comment.
Same comment as for NFS, we should document that cephfs-clientID takes a list of comma-separated IDs.
That being said, we probably need a new option in plural form, deprecating cephfs-clientID. Same goes for nfs-shareClient.
There was a problem hiding this comment.
Changed the doc. Can we keep the current options for now and follow-up on this later? We should also introduce one of the things I mentioned in the todos: get the node's context and simplify the nodeserver code by only looking up for the access rule that will be used for that given node.
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
bcfd545 to
d308dc2
Compare
pkg/csi/manila/nodeserver.go
Outdated
| @@ -131,6 +119,7 @@ func (ns *nodeServer) buildVolumeContext(ctx context.Context, volID volumeID, sh | |||
| // Build volume context for fwd plugin | |||
|
|
|||
| sa := getShareAdapter(ns.d.shareProto) | |||
| accessRight = getAccessRightBasedOnShareAdapter(sa, accessRights, shareOpts.ShareAccessIDs) | |||
There was a problem hiding this comment.
good question... accessRight was defined in the function signature, so it's empty. When we get to this getAccessRightBasedOnShareAdapter function, it might (or might not) return an access right, which should populate the accessRight value that will be returned, so it's part of assigning a value so it will work with the naked return behavior. I'm kinda new to go and not sure if the naked return is a good practice, so please let me know if this is okay :)
| klog.V(4).Infof("cephx access right for share %s already exists", args.Share.Name) | ||
| accessToList := []string{args.Share.Name} | ||
| if args.Options.CephfsClientID != "" { | ||
| accessToList = strings.Split(args.Options.CephfsClientID, ",") |
There was a problem hiding this comment.
Changed the doc. Can we keep the current options for now and follow-up on this later? We should also introduce one of the things I mentioned in the todos: get the node's context and simplify the nodeserver code by only looking up for the access rule that will be used for that given node.
| @@ -46,7 +46,7 @@ type ShareAdapter interface { | |||
| // GetOrGrantAccess first tries to retrieve an access right for args.Share. | |||
pkg/csi/manila/shareadapters/nfs.go
Outdated
| }) | ||
| // Search again because access rights have changed | ||
| if created { | ||
| rights, err = args.ManilaClient.GetAccessRights(ctx, args.Share.ID) |
There was a problem hiding this comment.
Makes sense, this call has to change indeed. Can we make this a part of a follow-up change though? :)
There was a problem hiding this comment.
Thank you @silvacarloss ; this looks good to me hoping CI passes.
| @@ -43,10 +43,11 @@ type SecretArgs struct { | |||
| } | |||
|
|
|||
| type ShareAdapter interface { | |||
| // GetOrGrantAccess first tries to retrieve an access right for args.Share. | |||
| // An access right is created for the share in case it doesn't exist yet. | |||
| // GetOrGrantAccess first tries to retrieve the list of access rights for args.Share. | |||
There was a problem hiding this comment.
The function name is now GetOrGrantAccesses.
Signed-off-by: moonek <[email protected]> Signed-off-by: Carlos da Silva <[email protected]>
silvacarloss
force-pushed
the
support-multiple-share-rules-manila-csi
branch
from
d308dc2 to
bf72548
Compare
What this PR does / why we need it:
Manila currently supports only setting a single access rule, making it difficult to have multiple access rules to a shared file system, which is a common scenario in a cloud where we need to have multiple clients being able to mount the shares simultaneously. This PR introduces support for multiple share access rules by accepting a list of IPs/Cephx users instead of a single string.
Which issue this PR fixes(if applicable):
fixes #2725
Special notes for reviewers:
Author of the change stated that they didn't have a CephFS environment, so could not test it with CephFS.
Another pull request was proposed for this issue [1], but due to maintainers not being able to update and rebase the original author's PR, we opened a new PR.
[1] #2727
Release note: