diff --git a/assets/overlays/samba/base/csi-driver-cluster-role-binding.yaml b/assets/overlays/samba/base/csi-driver-cluster-role-binding.yaml new file mode 100644 index 000000000..bbdb649d9 --- /dev/null +++ b/assets/overlays/samba/base/csi-driver-cluster-role-binding.yaml @@ -0,0 +1,12 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: smb-csi-driver-binding +subjects: + - kind: ServiceAccount + name: smb-csi-driver-node-sa + namespace: ${NODE_NAMESPACE} +roleRef: + kind: ClusterRole + name: smb-csi-driver-role + apiGroup: rbac.authorization.k8s.io diff --git a/assets/overlays/samba/base/csi-driver-cluster-role.yaml b/assets/overlays/samba/base/csi-driver-cluster-role.yaml new file mode 100644 index 000000000..da43266b1 --- /dev/null +++ b/assets/overlays/samba/base/csi-driver-cluster-role.yaml @@ -0,0 +1,9 @@ +# SMB CSI inline volume needs the get permission for secrets +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: smb-csi-driver-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get"] diff --git a/assets/overlays/samba/base/csidriver.yaml b/assets/overlays/samba/base/csidriver.yaml index 258b17118..a1835b7f7 100644 --- a/assets/overlays/samba/base/csidriver.yaml +++ b/assets/overlays/samba/base/csidriver.yaml @@ -2,6 +2,11 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: name: smb.csi.k8s.io + labels: + security.openshift.io/csi-ephemeral-volume-profile: "privileged" spec: attachRequired: false podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/assets/overlays/samba/generated/standalone/controller.yaml b/assets/overlays/samba/generated/standalone/controller.yaml index 36a691ca9..4171cf9e9 100644 --- a/assets/overlays/samba/generated/standalone/controller.yaml +++ b/assets/overlays/samba/generated/standalone/controller.yaml 
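Review bot: The new ClusterRoleBinding in csi-driver-cluster-role-binding.yaml gives `smb-csi-driver-node-sa` the `get` verb on `secrets` in every namespace, because `smb-csi-driver-role` (the next file) is a ClusterRole with no `resourceNames` and is bound cluster-wide rather than through a namespaced RoleBinding. The node service account is used on every node, so a compromised node plugin pod or a leaked node token could read any Secret whose name and namespace it can guess. If inline volumes only need the credentials secret from the pod's own namespace, please confirm the driver enforces that, and extend the one-line comment in the role to say so, e.g. `# Cluster-wide get on secrets: the node plugin reads the SMB credentials secret named by an inline volume; lookups must stay in the requesting pod's namespace.` The generated copies under generated/standalone carry the same grant.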
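Review bot: The `security.openshift.io/csi-ephemeral-volume-profile: "privileged"` label added in csidriver.yaml is what limits which namespaces may request an inline SMB volume once `Ephemeral` is added to `volumeLifecycleModes`, and it has no comment explaining that. As far as I can tell, this label tells OpenShift's inline-volume admission which pod security level a namespace must have. Relaxing it later would therefore widen the set of pods that can make the node plugin fetch a secret. I would add `# Keep "privileged": inline SMB volumes make the node plugin read a credentials secret; review smb-csi-driver-role before relaxing.` above the label.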
@@ -6,6 +6,9 @@ # provisioner.yaml: Loaded from common/sidecars/provisioner.yaml # provisioner.yaml: Added arguments [--extra-create-metadata=true] # Applied strategic merge patch provisioner.yaml +# resizer.yaml: Loaded from common/sidecars/resizer.yaml +# resizer.yaml: Added arguments [--timeout=120s -handle-volume-inuse-error=false] +# Applied strategic merge patch resizer.yaml # livenessprobe.yaml: Loaded from common/sidecars/livenessprobe.yaml # livenessprobe.yaml: Added arguments [--probe-timeout=3s] # Applied strategic merge patch livenessprobe.yaml 
@@ -148,6 +151,52 @@ spec: volumeMounts: - mountPath: /etc/tls/private name: metrics-serving-cert + - args: + - --csi-address=/var/lib/csi/sockets/pluginproxy/csi.sock + - --http-endpoint=localhost:8223 + - --leader-election + - --leader-election-lease-duration=${LEADER_ELECTION_LEASE_DURATION} + - --leader-election-renew-deadline=${LEADER_ELECTION_RENEW_DEADLINE} + - --leader-election-retry-period=${LEADER_ELECTION_RETRY_PERIOD} + - --leader-election-namespace=${NODE_NAMESPACE} + - --v=${LOG_LEVEL} + - --timeout=120s + - -handle-volume-inuse-error=false + env: [] + image: ${RESIZER_IMAGE} + imagePullPolicy: IfNotPresent + name: csi-resizer + resources: + requests: + cpu: 10m + memory: 50Mi + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - --secure-listen-address=0.0.0.0:9223 + - --upstream=http://127.0.0.1:8223/ + - --tls-cert-file=/etc/tls/private/tls.crt + - --tls-private-key-file=/etc/tls/private/tls.key + - --tls-cipher-suites=${TLS_CIPHER_SUITES} + - --tls-min-version=${TLS_MIN_VERSION} + - --logtostderr=true + image: ${KUBE_RBAC_PROXY_IMAGE} + imagePullPolicy: IfNotPresent + name: resizer-kube-rbac-proxy + ports: + - containerPort: 9223 + name: resizer-m + protocol: TCP + resources: + requests: + cpu: 10m + memory: 20Mi + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /etc/tls/private + name: metrics-serving-cert - args: - --csi-address=/csi/csi.sock - --health-port=10307 diff --git a/assets/overlays/samba/generated/standalone/csi-driver-cluster-role-binding.yaml b/assets/overlays/samba/generated/standalone/csi-driver-cluster-role-binding.yaml new file mode 100644 index 000000000..ce00e693f --- /dev/null +++ b/assets/overlays/samba/generated/standalone/csi-driver-cluster-role-binding.yaml 
@@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/samba/base/csi-driver-cluster-role-binding.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: smb-csi-driver-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: smb-csi-driver-role +subjects: +- kind: ServiceAccount + name: smb-csi-driver-node-sa + namespace: ${NODE_NAMESPACE} diff --git a/assets/overlays/samba/generated/standalone/csi-driver-cluster-role.yaml b/assets/overlays/samba/generated/standalone/csi-driver-cluster-role.yaml new file mode 100644 index 000000000..4c2ca255e --- /dev/null +++ b/assets/overlays/samba/generated/standalone/csi-driver-cluster-role.yaml @@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/samba/base/csi-driver-cluster-role.yaml +# +# +# SMB CSI inline volume needs the get permission for secrets + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: smb-csi-driver-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get diff --git a/assets/overlays/samba/generated/standalone/csidriver.yaml b/assets/overlays/samba/generated/standalone/csidriver.yaml index 71174b81e..932becdd2 100644 --- a/assets/overlays/samba/generated/standalone/csidriver.yaml +++ b/assets/overlays/samba/generated/standalone/csidriver.yaml @@ -7,7 +7,12 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: + labels: + security.openshift.io/csi-ephemeral-volume-profile: privileged name: smb.csi.k8s.io spec: attachRequired: false podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/assets/overlays/samba/generated/standalone/main_resizer_binding.yaml b/assets/overlays/samba/generated/standalone/main_resizer_binding.yaml new file mode 100644 index 000000000..72efdd553 --- /dev/null 
+++ b/assets/overlays/samba/generated/standalone/main_resizer_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/main_resizer_binding.yaml +# because it's needed by controller sidecar common/sidecars/resizer.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: smb-csi-main-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openshift-csi-main-resizer-role +subjects: +- kind: ServiceAccount + name: smb-csi-driver-controller-sa + namespace: ${NODE_NAMESPACE} diff --git a/assets/overlays/samba/generated/standalone/manifests.yaml b/assets/overlays/samba/generated/standalone/manifests.yaml index d12a3066a..5ab392a0a 100644 --- a/assets/overlays/samba/generated/standalone/manifests.yaml +++ b/assets/overlays/samba/generated/standalone/manifests.yaml @@ -11,11 +11,15 @@ controllerStaticAssetNames: guestStaticAssetNames: - configmap_and_secret_reader_provisioner_binding.yaml - controller_privileged_binding.yaml +- csi-driver-cluster-role-binding.yaml +- csi-driver-cluster-role.yaml - csidriver.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_provisioner_binding.yaml +- main_resizer_binding.yaml - node.yaml - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- storageclass_reader_resizer_binding.yaml diff --git a/assets/overlays/samba/generated/standalone/service.yaml b/assets/overlays/samba/generated/standalone/service.yaml index cb991e28b..cd91760c5 100644 --- a/assets/overlays/samba/generated/standalone/service.yaml +++ b/assets/overlays/samba/generated/standalone/service.yaml @@ -3,6 +3,7 @@ # Loaded from base/controller_metrics_service.yaml # Applied strategic merge patch common/metrics/service_add_port.yaml # Applied strategic merge patch common/metrics/service_add_port.yaml +# Applied strategic merge patch common/metrics/service_add_port.yaml # # 
@@ -21,6 +22,10 @@ spec: port: 9222 protocol: TCP targetPort: provisioner-m + - name: resizer-m + port: 9223 + protocol: TCP + targetPort: resizer-m - name: driver-m port: 9221 protocol: TCP diff --git a/assets/overlays/samba/generated/standalone/servicemonitor.yaml b/assets/overlays/samba/generated/standalone/servicemonitor.yaml index 8fadd06ed..6204b77a9 100644 --- a/assets/overlays/samba/generated/standalone/servicemonitor.yaml +++ b/assets/overlays/samba/generated/standalone/servicemonitor.yaml @@ -3,6 +3,7 @@ # Loaded from base/controller_metrics_servicemonitor.yaml # Applied JSON patch common/metrics/service_monitor_add_port.yaml.patch # Applied JSON patch common/metrics/service_monitor_add_port.yaml.patch +# Applied JSON patch common/metrics/service_monitor_add_port.yaml.patch # # @@ -21,6 +22,14 @@ spec: tlsConfig: caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt serverName: smb-csi-driver-controller-metrics.${NAMESPACE}.svc + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + path: /metrics + port: resizer-m + scheme: https + tlsConfig: + caFile: /etc/prometheus/configmaps/serving-certs-ca-bundle/service-ca.crt + serverName: smb-csi-driver-controller-metrics.${NAMESPACE}.svc - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token interval: 30s path: /metrics diff --git a/assets/overlays/samba/generated/standalone/storageclass_reader_resizer_binding.yaml b/assets/overlays/samba/generated/standalone/storageclass_reader_resizer_binding.yaml new file mode 100644 index 000000000..d32f61a5d --- /dev/null +++ b/assets/overlays/samba/generated/standalone/storageclass_reader_resizer_binding.yaml 
@@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/storageclass_reader_resizer_binding.yaml +# because it's needed by controller sidecar common/sidecars/resizer.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: smb-csi-storageclass-reader-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openshift-csi-resizer-storageclass-reader-role +subjects: +- kind: ServiceAccount + name: smb-csi-driver-controller-sa + namespace: ${NODE_NAMESPACE} diff --git a/config/samba/manifests/stable/smb-csi-driver-operator.clusterserviceversion.yaml b/config/samba/manifests/stable/smb-csi-driver-operator.clusterserviceversion.yaml index 4b0adb831..e43eb6b14 100644 --- a/config/samba/manifests/stable/smb-csi-driver-operator.clusterserviceversion.yaml +++ b/config/samba/manifests/stable/smb-csi-driver-operator.clusterserviceversion.yaml @@ -200,6 +200,13 @@ spec: - list - watch - update + - apiGroups: + - '' + resources: + - persistentvolumeclaims/status + verbs: + - update + - patch - apiGroups: - storage.k8s.io resources: @@ -291,6 +298,8 @@ spec: value: quay.io/openshift/origin-csi-driver-smb:latest - name: PROVISIONER_IMAGE value: quay.io/openshift/origin-csi-external-provisioner:latest + - name: RESIZER_IMAGE + value: quay.io/openshift/origin-csi-external-resizer:latest - name: NODE_DRIVER_REGISTRAR_IMAGE value: quay.io/openshift/origin-csi-node-driver-registrar:latest - name: LIVENESS_PROBE_IMAGE diff --git a/pkg/driver/samba/samba.go b/pkg/driver/samba/samba.go index 927bc4462..18e5544fb 100644 --- a/pkg/driver/samba/samba.go +++ b/pkg/driver/samba/samba.go 
@@ -44,6 +44,10 @@ func GetSambaGeneratorConfig() *generator.CSIDriverGeneratorConfig { commongenerator.DefaultProvisioner.WithExtraArguments( "--extra-create-metadata=true", ), + commongenerator.DefaultResizer.WithExtraArguments( + "--timeout=120s", + "-handle-volume-inuse-error=false", + ), commongenerator.DefaultLivenessProbe.WithExtraArguments( "--probe-timeout=3s", ), @@ -76,6 +80,8 @@ func GetSambaGeneratorConfig() *generator.CSIDriverGeneratorConfig { "overlays/samba/base/configmap_and_secret_reader_provisioner_binding.yaml", "overlays/samba/base/controller_privileged_binding.yaml", "overlays/samba/base/csidriver.yaml", + "overlays/samba/base/csi-driver-cluster-role.yaml", + "overlays/samba/base/csi-driver-cluster-role-binding.yaml", ), AssetPatches: generator.NewAssetPatches(generator.StandaloneOnly, // Any role or cluster role bindings should not hardcode service account namespace because this operator is OLM based and can be installed into a custom namespace. diff --git a/test/e2e/samba/manifest.yaml b/test/e2e/samba/manifest.yaml index 180519c47..715b57099 100644 --- a/test/e2e/samba/manifest.yaml +++ b/test/e2e/samba/manifest.yaml @@ -13,8 +13,8 @@ DriverInfo: block: false exec: true volumeLimits: false - controllerExpansion: false - nodeExpansion: false + controllerExpansion: true + nodeExpansion: true snapshotDataSource: false RWX: true pvcDataSource: true diff --git a/test/e2e/samba/samba-server.yaml b/test/e2e/samba/samba-server.yaml index ac187414d..61f02ac75 100644 --- a/test/e2e/samba/samba-server.yaml +++ b/test/e2e/samba/samba-server.yaml @@ -203,6 +203,7 @@ parameters: csi.storage.k8s.io/node-stage-secret-namespace: samba-server reclaimPolicy: Delete volumeBindingMode: Immediate +allowVolumeExpansion: true mountOptions: - dir_mode=0777 - file_mode=0777
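Review bot: `"-handle-volume-inuse-error=false"` in the new `commongenerator.DefaultResizer.WithExtraArguments(...)` call is spelled with a single dash, while the other arguments visible in this hunk, including `"--timeout=120s"` on the line before it, use two. The sidecar's flag parsing presumably accepts both forms, but the mixed spelling is copied verbatim into the generated controller.yaml and makes the argument list harder to grep and compare across drivers. I would write `"--handle-volume-inuse-error=false",` instead. GetSambaGeneratorConfig starts and ends outside this hunk.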