feat!: replace nfs-subdir-external-provisioner with csi-driver-nfs

CONTRIBUTING.md

@@ -6,14 +6,49 @@ We just ask that you follow our contribution guidelines when you do.
 Contributions to this project must be accompanied by a signed [Contributor Agreement](ContributorAgreement.txt).
 You (or your employer) retain the copyright to your contribution; this simply grants us permission to use and redistribute your contributions as part of the project.
 
-## Code reviews
-All submissions to this project—including submissions from project members—require review.
-Our review process typically involves performing unit tests, development tests, integration tests, and security scans using internal SAS infrastructure.
-For this reason, we don’t often merge pull requests directly from GitHub.
+## Code Reviews
+All submissions to this project—including submissions from project members—require
+review. Our review process typically involves performing unit tests, development
+tests, integration tests, and security scans.
 
-Instead, we work with submissions internally first, vetting them to ensure they meet our security and quality standards.
-We’ll do our best to work with contributors in public issues and pull requests; however, to ensure our code meets our internal compliance standards, we may need to incorporate your submission into a solution we push ourselves.
+## Pull Request Requirement
 
-This does not mean we don’t value or appreciate your contribution.
-We simply need to review your code internally before merging it.
-We work to ensure all contributors receive appropriate recognition for their contributions, at least by acknowledging them in our release notes.
+### Conventional Commits
+All pull requests must follow the [Conventional Commit](https://www.conventionalcommits.org/en/v1.0.0/)
+standard for commit messages. This helps maintain a consistent and meaningful
+commit history. Pull requests with commits that do not follow the Conventional
+Commit format will not be merged.
+
+### Developer Certificate of Origin Sign-Off
+This project requires all commits to be signed off in accordance with the [Developer Certificate of Origin (DCO)](https://developercertificate.org/).
+By signing off your commits, you certify that you have the right to submit the
+contribution under the open source license used by this project.
+
+To sign off your commits, use the --signoff flag with git commit:
+
+```bash
+git commit --signoff -m "Your commit message"
+```
+
+This will add a Signed-off-by line to your commit message, e.g.:
+
+```bash
+Signed-off-by: You Name <your.email@example.com>
+```
+
+For more information, please refer to https://probot.github.io/apps/dco/
+
+### Linter Analysis Checks
+All pull requests must pass our automated analysis checks before they can be
+merged. These checks include:
+
+- **Hadolint** – for Dockerfile best practices
+- **ShellCheck** – for shell script issues
+- **Ansible-lint** – for Ansible playbook and role validation
+
+## Security Scans
+To ensure that all submissions meet our security and quality standards, we perform
+security scans using internal SAS infrastructure. Contributions might be subjected
+to security scans before they can be accepted. Reporting of any Common Vulnerabilities
+and Exposures (CVEs) that are detected is not available in this project at this
+time.

README.md

@@ -38,7 +38,7 @@ This project contains Ansible code that creates a baseline cluster in an existin
 
 - Prepare Kubernetes cluster
   - Deploy [ingress-nginx](https://kubernetes.github.io/ingress-nginx)
-  - Deploy [nfs-subdir-external-provisioner](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner) for PVs
+  - Deploy [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs) for PVs
   - Deploy [cert-manager](https://github.com/jetstack/cert-manager) for TLS
   - Deploy [metrics-server](https://github.com/bitnami/charts/tree/master/bitnami/metrics-server/) (AWS only)
   - Deploy [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) (AWS only)

docs/CONFIG-VARS.md

@@ -90,22 +90,22 @@ Viya4-deployment uses the jump server to interact with the RWX filestore, which
 
 ### Storage for AWS
 
-When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment uses the [EBS CSI driver](#ebs-csi-driver) to create two elastic block storage based storage classes with the default names of `io2-vol-mq` and `io2-vol-pg`. The volume type for both storage classes defaults to `io2`. For EKS clusters, RabbitMQ makes PVC requests to create block storage persistent volumes using the `io2-vol-mq` storage class while Crunchy Postgres makes PVC requests to create block storage persistent volumes using the `io2-vol-pg` storage class. Viya4-deployment also creates the `sas` storage class using the nfs-subdir-external-provisioner Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
+When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment uses the [EBS CSI driver](#ebs-csi-driver) to create two elastic block storage based storage classes with the default names of `io2-vol-mq` and `io2-vol-pg`. The volume type for both storage classes defaults to `io2`. For EKS clusters, RabbitMQ makes PVC requests to create block storage persistent volumes using the `io2-vol-mq` storage class while Crunchy Postgres makes PVC requests to create block storage persistent volumes using the `io2-vol-pg` storage class. Viya4-deployment also creates the `sas` storage class using the csi-driver-nfs Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
 
 ### Storage for Azure
 
 By default, viya4-deployment uses the [Azure managed disks CSI driver](#azure-managed-disk-csi-driver) to create two elastic block storage based storage classes with the default names of `managed-csi-premium-v2-mq` and `managed-csi-premium-v2-pg`. The disk SKU for both storage classes defaults to `PremiumV2_LRS`. For AKS clusters, RabbitMQ makes PVC requests to create block storage persistent volumes using the `managed-csi-premium-v2-mq` storage class while Crunchy Postgres makes PVC requests to create block storage persistent volumes using the `managed-csi-premium-v2-pg` storage class. To use a different StorageClass for RabbitMQ, set the `V4_CFG_RABBITMQ_STORAGECLASS` property to the name of the StorageClass to use. To use a different StorageClass for Crunchy Postgres, set the `V4_CFG_CRUNCHY_STORAGECLASS` property to the name of the StorageClass to use.
 
 **NOTE**: The Azure managed disk CSI Driver can only be included at AKS cluster creation time. It is included in all AKS clusters by default, and any AKS clusters created with viya4-iac-azure will have the driver installed. If you did not use the viya4-iac-azure project to create your AKS cluster, ensure that you have enabled the Azure disk CSI driver prior to using this project or disable the creation of the StorageClasses.
 
-viya4-deployment also creates the `sas` storage class using the nfs-subdir-external-provisioner Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
+viya4-deployment also creates the `sas` storage class using the csi-driver-nfs Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
 
 ### Storage for Google Cloud
-When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment creates the `sas` and `pg-storage` storage classes using the nfs-subdir-external-provisioner Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
+When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment creates the `sas` and `pg-storage` storage classes using the csi-driver-nfs Helm chart. If a jump server is used, viya4-deployment uses that server to create the folders for the `astores`, `bin`, `data` and `homes` RWX Filestore NFS paths that are outlined below in the [RWX Filestore](#rwx-filestore) section.
 
 ### NFS Storage
 
-When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment creates NFS-based storage classes using the nfs-subdir-external-provisioner Helm chart.
+When `V4_CFG_MANAGE_STORAGE` is set to `true`, viya4-deployment creates NFS-based storage classes using the csi-driver-nfs Helm chart.
 
 When `V4_CFG_MANAGE_STORAGE` is set to `false`, viya4-deployment does not create the `sas` or `pg-storage` storage classes for you. In addition, viya4-deployment does not create or manage the RWX Filestore NFS paths. Before you run the SAS Viya deployment, you must set the values for `V4_CFG_RWX_FILESTORE_DATA_PATH` and `V4_CFG_RWX_FILESTORE_HOMES_PATH` to specify existing NFS folder locations. The viya4-deployment user can create the required NFS folders from the jump server before starting the deployment. Recommended attribute settings for each folder are as follows:
 - **filemode**: `0777`
@@ -431,24 +431,24 @@ Kubernetes Metrics Server installation is currently only applicable for AWS EKS
 
 ### NFS Client
 
-The NFS client is currently supported by the newer nfs-subdir-external-provisioner.
+The NFS client is currently supported by the csi-driver-nfs.
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| NFS_CLIENT_NAMESPACE | nfs-subdir-external-provisioner Helm installation namespace | string | nfs-client | false | | baseline |
-| NFS_CLIENT_CHART_URL | nfs-subdir-external-provisioner Helm chart URL | string | Go [here](https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/) for more information. | false | | baseline |
-| NFS_CLIENT_CHART_NAME | nfs-subdir-external-provisioner Helm chart name | string | nfs-subdir-external-provisioner | false | | baseline |
-| NFS_CLIENT_CHART_VERSION | nfs-subdir-external-provisioner Helm chart version | string | 4.0.18| false | | baseline |
-| NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |
+| CSI_DRIVER_NFS_NAMESPACE | csi-driver-nfs Helm installation namespace | string | kube-system | false | | baseline |
+| CSI_DRIVER_NFS_CHART_URL | csi-driver-nfs Helm chart URL | string | Go [here](https://github.com/kubernetes-csi/csi-driver-nfs/) for more information. | false | | baseline |
+| CSI_DRIVER_NFS_CHART_NAME | csi-driver-nfs Helm chart name | string | csi-driver-nfs | false | | baseline |
+| CSI_DRIVER_NFS_CHART_VERSION | csi-driver-nfs Helm chart version | string | 4.11.0 | false | | baseline |
+| CSI_DRIVER_NFS_CONFIG | csi-driver-nfs Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |
 
 ### Postgres NFS Client
 
-The Postgres NFS client is currently supported by the nfs-subdir-external-provisioner. It creates the storage class used by 2022.10 and later internal postgres instances.
+The Postgres NFS client is currently supported by the csi-driver-nfs. It creates the storage class used by 2022.10 and later internal postgres instances.
 
 | Name | Description | Type | Default | Required | Notes | Tasks |
 | :--- | ---: | ---: | ---: | ---: | ---: | ---: |
-| PG_NFS_CLIENT_NAMESPACE | nfs-subdir-external-provisioner Helm installation namespace | string | nfs-client | false | | baseline |
-| PG_NFS_CLIENT_CHART_URL | nfs-subdir-external-provisioner Helm chart URL | string | Go [here](https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/) for more information. | false | | baseline |
-| PG_NFS_CLIENT_CHART_NAME | nfs-subdir-external-provisioner Helm chart name | string | nfs-subdir-external-provisioner | false | | baseline |
-| PG_NFS_CLIENT_CHART_VERSION | nfs-subdir-external-provisioner Helm chart version | string | 4.0.18| false | | baseline |
-| PG_NFS_CLIENT_CONFIG | nfs-subdir-external-provisioner Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |
+| CSI_DRIVER_NFS_PG_NAMESPACE | csi-driver-nfs Helm installation namespace | string | nfs-client | false | | baseline |
+| CSI_DRIVER_NFS_PG_CHART_URL | csi-driver-nfs Helm chart URL | string | Go [here](https://github.com/kubernetes-csi/csi-driver-nfs/) for more information. | false | | baseline |
+| CSI_DRIVER_NFS_PG_CHART_NAME | csi-driver-nfs Helm chart name | string | csi-driver-nfs | false | | baseline |
+| CSI_DRIVER_NFS_PG_CHART_VERSION | csi-driver-nfs Helm chart version | string | 4.11.0 | false | | baseline |
+| CSI_DRIVER_NFS_PG_CONFIG | csi-driver-nfs Helm values | string | See [this file](../roles/baseline/defaults/main.yml) for more information. | false | | baseline |

examples/ansible-vars-iac.yaml

@@ -12,6 +12,8 @@ V4_CFG_MANAGE_STORAGE: true
 V4_CFG_SAS_API_KEY: <api_client_id>
 V4_CFG_SAS_API_SECRET: <api_client_secret>
 V4_CFG_ORDER_NUMBER: <order_number>
+V4_CFG_CADENCE_NAME: <cadence_name> # [lts|stable]
+V4_CFG_CADENCE_VERSION: <cadence_version>
 
 ## CR Access
 V4_CFG_CR_USER: <container_registry_user>

examples/ansible-vars.yaml

@@ -23,6 +23,8 @@ V4_CFG_MANAGE_STORAGE: true
 V4_CFG_SAS_API_KEY: <api_client_id>
 V4_CFG_SAS_API_SECRET: <api_client_secret>
 V4_CFG_ORDER_NUMBER: <order_number>
+V4_CFG_CADENCE_NAME: <cadence_name> # [lts|stable]
+V4_CFG_CADENCE_VERSION: <cadence_version>
 
 ## CR Access
 V4_CFG_CR_USER: <container_registry_user>

examples/multi-tenancy/ansible-vars-multi-tenancy.yaml

@@ -15,6 +15,8 @@ V4_CFG_MANAGE_STORAGE: true
 V4_CFG_SAS_API_KEY: <api_client_id>
 V4_CFG_SAS_API_SECRET: <api_client_secret>
 V4_CFG_ORDER_NUMBER: <order_number>
+V4_CFG_CADENCE_NAME: <cadence_name> # [lts|stable]
+V4_CFG_CADENCE_VERSION: <cadence_version>
 
 ## CR Access
 V4_CFG_CR_USER: <container_registry_user>

roles/baseline/defaults/main.yml

@@ -1,4 +1,4 @@
-# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# Copyright © 2020-2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 ---
@@ -8,6 +8,7 @@ V4_CFG_INGRESS_TYPE: ingress
 V4_CFG_INGRESS_MODE: public
 V4_CFG_MANAGE_STORAGE: true
 V4_CFG_AWS_LB_SUBNETS: ""
+STORAGE_TYPE_BACKEND: ""
 
 ## Cert-manager
 CERT_MANAGER_NAME: cert-manager
@@ -111,27 +112,35 @@ INGRESS_NGINX_ANNOTATIONS_RISK_LEVEL:
     config:
       annotations-risk-level: "Critical"
 
-## Nfs-subdir-external-provisioner
-NFS_CLIENT_NAME: nfs-subdir-external-provisioner-sas
-NFS_CLIENT_NAMESPACE: nfs-client
-NFS_CLIENT_CHART_NAME: nfs-subdir-external-provisioner
-NFS_CLIENT_CHART_URL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
-NFS_CLIENT_CHART_VERSION: 4.0.18
-NFS_CLIENT_CONFIG:
-  nfs:
-    server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
-    path: "{{ V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') }}/pvs"
+## Csi-driver-provisioner
+CSI_DRIVER_NFS_NAME: csi-driver-nfs-sas
+CSI_DRIVER_NFS_NAMESPACE: kube-system
+CSI_DRIVER_NFS_CHART_NAME: csi-driver-nfs
+CSI_DRIVER_NFS_CHART_URL: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
+CSI_DRIVER_NFS_CHART_VERSION: 4.11.0
+CSI_DRIVER_NFS_CONFIG:
+  driver:
+    mountPermissions: "0777"
+  storageClass:
+    create: true
+    name: sas
+    annotations:
+    reclaimPolicy: Delete
+    volumeBindingMode: Immediate
+    parameters:
+      server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
+      share: "{{ '/ontap' if STORAGE_TYPE_BACKEND == 'ontap' else ('/pvs' if PROVIDER != 'azure' else (V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') ~ '/pvs')) }}"
+      subDir: ${pvc.metadata.namespace}/${pvc.metadata.name}/${pv.metadata.name}
+      mountPermissions: "0777"
     mountOptions:
+      - vers=4.1
       - noatime
       - nodiratime
       - rsize=262144
       - wsize=262144
-  storageClass:
-    archiveOnDelete: "false"
-    name: sas
 # EFS best practice NFS mount options for the aws provider
-NFS_EFS_CLIENT_CONFIG:
-  nfs:
+CSI_DRIVER_NFS_EFS_CONFIG:
+  storageClass:
     mountOptions:
       - noresvport
       - rsize=1048576
@@ -142,24 +151,41 @@ NFS_EFS_CLIENT_CONFIG:
       - _netdev
 
 ## pg-storage storage class config
-PG_NFS_CLIENT_NAME: nfs-subdir-external-provisioner-pg-storage
-PG_NFS_CLIENT_NAMESPACE: nfs-client
-PG_NFS_CLIENT_CHART_NAME: nfs-subdir-external-provisioner
-PG_NFS_CLIENT_CHART_URL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
-PG_NFS_CLIENT_CHART_VERSION: 4.0.18
-PG_NFS_CLIENT_CONFIG:
-  nfs:
-    server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
-    path: "{{ V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') }}/pvs"
+CSI_DRIVER_NFS_PG_NAME: csi-driver-nfs-pg-storage
+CSI_DRIVER_NFS_PG_NAMESPACE: nfs-client
+CSI_DRIVER_NFS_PG_CHART_NAME: csi-driver-nfs
+CSI_DRIVER_NFS_PG_CHART_URL: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
+CSI_DRIVER_NFS_PG_CHART_VERSION: 4.11.0
+CSI_DRIVER_NFS_PG_CONFIG:
+  driver:
+    mountPermissions: "0777"
+  storageClass:
+    reclaimPolicy: Retain
+    volumeBindingMode: Immediate
+    create: true
+    name: pg-storage
+    annotations:
+    parameters:
+      server: "{{ V4_CFG_RWX_FILESTORE_ENDPOINT }}"
+      share: "{{ '/ontap' if STORAGE_TYPE_BACKEND == 'ontap' else ('/pvs' if PROVIDER != 'azure' else (V4_CFG_RWX_FILESTORE_PATH | replace('/$', '') ~ '/pvs')) }}"
+      subDir: ${pvc.metadata.namespace}/${pvc.metadata.name}/${pv.metadata.name}
+      mountPermissions: "0777"
     mountOptions:
       - noatime
       - nodiratime
       - rsize=262144
       - wsize=262144
+# EFS best practice NFS mount options for the aws provider
+CSI_DRIVER_NFS_PG_EFS_CONFIG:
   storageClass:
-    archiveOnDelete: "false"
-    reclaimPolicy: Retain
-    name: pg-storage
+    mountOptions:
+      - noresvport
+      - rsize=1048576
+      - wsize=1048576
+      - soft
+      - timeo=600
+      - retrans=2
+      - _netdev
 
 ## Contour - Ingress
 CONTOUR_NAME: contour

roles/baseline/tasks/main.yaml

@@ -1,11 +1,11 @@
-# Copyright © 2020-2024, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
+# Copyright © 2020-2025, SAS Institute Inc., Cary, NC, USA. All Rights Reserved.
 # SPDX-License-Identifier: Apache-2.0
 
 
 ---
-- name: Include nfs-subdir-external-provisioner
+- name: Include nfs.csi.k8s.io
   include_tasks:
-    file: nfs-subdir-external-provisioner.yaml
+    file: nfs-csi-provisioner.yaml
   when:
     - V4_CFG_RWX_FILESTORE_ENDPOINT is defined
     - V4_CFG_RWX_FILESTORE_PATH is defined