STOR-2263: Enable csi resize and inline volume support for smb csi driver (#358)

* STOR-2263: Enable csi resize and inline volume support for smb csi driver

* fix: correct the smb csi driver role permission

Author: Phaow

assets/overlays/samba/base/csi-driver-cluster-role-binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: smb-csi-driver-binding
+subjects:
+  - kind: ServiceAccount
+    name: smb-csi-driver-node-sa
+    namespace: ${NODE_NAMESPACE}
+roleRef:
+  kind: ClusterRole
+  name: smb-csi-driver-role
+  apiGroup: rbac.authorization.k8s.io

assets/overlays/samba/base/csi-driver-cluster-role.yaml

@@ -0,0 +1,9 @@
+# SMB CSI inline volume needs the get permission for secrets
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: smb-csi-driver-role
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]

assets/overlays/samba/base/csidriver.yaml

@@ -2,6 +2,11 @@ apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
   name: smb.csi.k8s.io
+  labels:
+    security.openshift.io/csi-ephemeral-volume-profile: "privileged"
 spec:
   attachRequired: false
   podInfoOnMount: true
+  volumeLifecycleModes:
+    - Persistent
+    - Ephemeral

assets/overlays/samba/generated/standalone/controller.yaml

@@ -6,6 +6,9 @@
 # provisioner.yaml: Loaded from common/sidecars/provisioner.yaml
 # provisioner.yaml: Added arguments [--extra-create-metadata=true]
 # Applied strategic merge patch provisioner.yaml
+# resizer.yaml: Loaded from common/sidecars/resizer.yaml
+# resizer.yaml: Added arguments [--timeout=120s -handle-volume-inuse-error=false]
+# Applied strategic merge patch resizer.yaml
 # livenessprobe.yaml: Loaded from common/sidecars/livenessprobe.yaml
 # livenessprobe.yaml: Added arguments [--probe-timeout=3s]
 # Applied strategic merge patch livenessprobe.yaml
@@ -148,6 +151,52 @@ spec:
         volumeMounts:
         - mountPath: /etc/tls/private
           name: metrics-serving-cert
+      - args:
+        - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock
+        - --http-endpoint=localhost:8223
+        - --leader-election
+        - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION}
+        - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE}
+        - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD}
+        - --leader-election-namespace=${NODE_NAMESPACE}
+        - --v=${LOG_LEVEL}
+        - --timeout=120s
+        - -handle-volume-inuse-error=false
+        env: []
+        image: ${RESIZER_IMAGE}
+        imagePullPolicy: IfNotPresent
+        name: csi-resizer
+        resources:
+          requests:
+            cpu: 10m
+            memory: 50Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /var/lib/csi/sockets/pluginproxy/
+          name: socket-dir
+      - args:
+        - --secure-listen-address=0.0.0.0:9223
+        - --upstream=http://127.0.0.1:8223/
+        - --tls-cert-file=/etc/tls/private/tls.crt
+        - --tls-private-key-file=/etc/tls/private/tls.key
+        - --tls-cipher-suites=${TLS_CIPHER_SUITES}
+        - --tls-min-version=${TLS_MIN_VERSION}
+        - --logtostderr=true
+        image: ${KUBE_RBAC_PROXY_IMAGE}
+        imagePullPolicy: IfNotPresent
+        name: resizer-kube-rbac-proxy
+        ports:
+        - containerPort: 9223
+          name: resizer-m
+          protocol: TCP
+        resources:
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        terminationMessagePolicy: FallbackToLogsOnError
+        volumeMounts:
+        - mountPath: /etc/tls/private
+          name: metrics-serving-cert
       - args:
         - --csi-address=/csi/csi.sock
         - --health-port=10307

assets/overlays/samba/generated/standalone/csi-driver-cluster-role-binding.yaml

@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/samba/base/csi-driver-cluster-role-binding.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: smb-csi-driver-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: smb-csi-driver-role
+subjects:
+- kind: ServiceAccount
+  name: smb-csi-driver-node-sa
+  namespace: ${NODE_NAMESPACE}

assets/overlays/samba/generated/standalone/csi-driver-cluster-role.yaml

@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/samba/base/csi-driver-cluster-role.yaml
+#
+#
+# SMB CSI inline volume needs the get permission for secrets
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: smb-csi-driver-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get

assets/overlays/samba/generated/standalone/csidriver.yaml

@@ -7,7 +7,12 @@
 apiVersion: storage.k8s.io/v1
 kind: CSIDriver
 metadata:
+  labels:
+    security.openshift.io/csi-ephemeral-volume-profile: privileged
   name: smb.csi.k8s.io
 spec:
   attachRequired: false
   podInfoOnMount: true
+  volumeLifecycleModes:
+  - Persistent
+  - Ephemeral

assets/overlays/samba/generated/standalone/main_resizer_binding.yaml

@@ -0,0 +1,19 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from base/rbac/main_resizer_binding.yaml
+#   because it's needed by controller sidecar common/sidecars/resizer.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: smb-csi-main-resizer-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: openshift-csi-main-resizer-role
+subjects:
+- kind: ServiceAccount
+  name: smb-csi-driver-controller-sa
+  namespace: ${NODE_NAMESPACE}

assets/overlays/samba/generated/standalone/manifests.yaml

@@ -11,11 +11,15 @@ controllerStaticAssetNames:
 guestStaticAssetNames:
 - configmap_and_secret_reader_provisioner_binding.yaml
 - controller_privileged_binding.yaml
+- csi-driver-cluster-role-binding.yaml
+- csi-driver-cluster-role.yaml
 - csidriver.yaml
 - lease_leader_election_binding.yaml
 - lease_leader_election_role.yaml
 - main_provisioner_binding.yaml
+- main_resizer_binding.yaml
 - node.yaml
 - node_privileged_binding.yaml
 - node_sa.yaml
 - privileged_role.yaml
+- storageclass_reader_resizer_binding.yaml

assets/overlays/samba/generated/standalone/service.yaml

@@ -3,6 +3,7 @@
 # Loaded from base/controller_metrics_service.yaml
 # Applied strategic merge patch common/metrics/service_add_port.yaml
 # Applied strategic merge patch common/metrics/service_add_port.yaml
+# Applied strategic merge patch common/metrics/service_add_port.yaml
 #
 #
 
@@ -21,6 +22,10 @@ spec:
     port: 9222
     protocol: TCP
     targetPort: provisioner-m
+  - name: resizer-m
+    port: 9223
+    protocol: TCP
+    targetPort: resizer-m
   - name: driver-m
     port: 9221
     protocol: TCP