Merge develop branch

.github/workflows/build-container.yml

@@ -20,41 +20,28 @@ jobs:
       packages: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
 
       - name: Install Go
-        uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
         with:
-          go-version: "1.18"
-
-      - name: Pseudo version
-        id: pseudo-version
-        run: |
-          git clone https://github.com/edgelesssys/constellation /constellation
-          cd /constellation/hack/pseudo-version
-          echo "pseudoVersion=$(go run .)" >> $GITHUB_ENV
-          echo ${{ env.pseudoVersion }}
+          go-version: "1.22.0"
 
       - name: Set up Docker Buildx
         id: docker-setup
-        uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
 
       - name: Build container image
-        run: make REGISTRY=ghcr.io/edgelesssys VERSION=${{ env.pseudoVersion }} image-csi-plugin
+        run: make REGISTRY=ghcr.io/edgelesssys/constellation VERSION=${{ inputs.versionTag }} build-local-image-cinder-csi-plugin
 
       - name: Log in to the Container registry
         id: docker-login
-        uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Push container image
         run: |
-          docker push ghcr.io/edgelesssys/cinder-csi-plugin:${{ env.pseudoVersion }}
-          if [ "${{ inputs.versionTag }}" != "" ]
-          then
-            docker tag ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ env.pseudoVersion }} ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ inputs.versionTag }}
-            docker push ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ inputs.versionTag }}
-          fi
+          docker push ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ inputs.versionTag }}

CONTRIBUTING.md

@@ -8,7 +8,7 @@ We'd love to accept your patches! Before we can accept them you need to sign Clo
 ## Reporting an issue
 If you find a bug or a feature request related to cloud-provider-openstack you can create a new github issue in this repo @[kubernetes/cloud-provider-openstack](https://github.com/kubernetes/cloud-provider-openstack/issues).
 
-## Submiting a Pull Request
+## Submitting a Pull Request
 * Fork the cloud-provider-openstack repo, develop and test your code changes.
 * Submit a pull request.
 * The bot will automatically assigns someone to review your PR.

Dockerfile

@@ -32,19 +32,19 @@
 ##                               BUILD ARGS                                   ##
 ################################################################################
 # This build arg allows the specification of a custom Golang image.
-ARG GOLANG_IMAGE=golang:1.20.3
+ARG GOLANG_IMAGE=golang:1.21.5-bullseye
 
 # The distroless image on which the CPI manager image is built.
 #
 # Please do not use "latest". Explicit tags should be used to provide
 # deterministic builds. Follow what kubernetes uses to build
 # kube-controller-manager, for example for 1.27.x:
 # https://github.com/kubernetes/kubernetes/blob/release-1.27/build/common.sh#L99
-ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.3.1-go1.20.3-bullseye.0
+ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.3.1-go1.21.5-bookworm.0
 
 # We use Alpine as the source for default CA certificates and some output
 # images
-ARG ALPINE_IMAGE=alpine:3.17.3
+ARG ALPINE_IMAGE=alpine:3.17.5
 
 # cinder-csi-plugin uses Debian as a base image
 ARG DEBIAN_IMAGE=registry.k8s.io/build-image/debian-base:bullseye-v1.4.3
@@ -125,11 +125,33 @@ CMD ["sh", "-c", "/bin/barbican-kms-plugin --socketpath ${socketpath} --cloud-co
 ##
 ## cinder-csi-plugin
 ##
-FROM --platform=${TARGETPLATFORM} ${DEBIAN_IMAGE} as cinder-csi-plugin
 
-# Install e4fsprogs for format
-RUN clean-install btrfs-progs e2fsprogs mount udev xfsprogs libcryptsetup12 libcryptsetup-dev
+# step 1: copy all necessary files from Debian distro to /dest folder
+# all magic happens in tools/csi-deps.sh
+FROM --platform=${TARGETPLATFORM} ${DEBIAN_IMAGE} as cinder-csi-plugin-utils
 
+RUN clean-install bash rsync mount udev btrfs-progs e2fsprogs xfsprogs util-linux libcryptsetup12 libcryptsetup-dev libgcc-s1
+COPY tools/csi-deps.sh /tools/csi-deps.sh
+RUN /tools/csi-deps.sh
+
+# step 2: check if all necessary files are copied and work properly
+# the build have to finish without errors, but the result image will not be used
+FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} as cinder-csi-plugin-utils-check
+
+COPY --from=cinder-csi-plugin-utils /dest /
+COPY --from=cinder-csi-plugin-utils /bin/sh /bin/sh
+COPY tools/csi-deps-check.sh /tools/csi-deps-check.sh
+
+SHELL ["/bin/sh"]
+RUN /tools/csi-deps-check.sh
+
+# step 3: build tiny cinder-csi-plugin image with only necessary files
+FROM --platform=${TARGETPLATFORM} ${DISTROLESS_IMAGE} as cinder-csi-plugin
+
+# Copying csi-deps-check.sh simply ensures that the resulting image has a dependency
+# on cinder-csi-plugin-utils-check and therefore that the check has passed
+COPY --from=cinder-csi-plugin-utils-check /tools/csi-deps-check.sh /bin/csi-deps-check.sh
+COPY --from=cinder-csi-plugin-utils /dest /
 COPY --from=builder /build/cinder-csi-plugin /bin/cinder-csi-plugin
 COPY --from=certs /etc/ssl/certs /etc/ssl/certs
 

Makefile

@@ -36,7 +36,7 @@ VERSION         ?= $(shell git describe --dirty --tags --match='v*')
 GOARCH		:=
 GOFLAGS		:=
 TAGS		:=
-LDFLAGS		:= "-w -s -X 'k8s.io/component-base/version.gitVersion=$(VERSION)'"
+LDFLAGS		:= "-w -s -X 'k8s.io/component-base/version.gitVersion=$(VERSION)' -X 'k8s.io/cloud-provider-openstack/pkg/version.Version=$(VERSION)'"
 GOX_LDFLAGS	:= $(shell echo "$(LDFLAGS) -extldflags \"-static\"")
 REGISTRY	?= registry.k8s.io/provider-os
 IMAGE_OS	?= linux
@@ -81,7 +81,7 @@ $(BUILD_CMDS): $(SOURCES)
 test: unit functional
 
 check: work
-	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.2 run ./...
+	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.54.2 run ./...
 
 unit: work
 	CGO_ENABLED=1 go test -tags=unit $(shell go list ./... | sed -e '/sanity/ { N; d; }' | sed -e '/tests/ {N; d;}') $(TESTARGS)

OWNERS

@@ -1,16 +1,15 @@
 emeritus_approvers:
-- lingxiankong
-approvers:
 - chrigl
+- lingxiankong
 - ramineni
-- zetaab
+approvers:
+- dulek
 - jichenjc
+- kayrus
+- zetaab
 reviewers:
-- chrigl
 - dulek
-- Fedosin
 - jichenjc
 - kayrus
 - mdbooth
-- ramineni
 - zetaab

charts/cinder-csi-plugin/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
-appVersion: v1.0.0
+appVersion: v1.0.1
 description: Cinder CSI Chart for OpenStack with on-node encryption support
 name: openstack-cinder-csi
-version: 1.0.0
+version: 1.0.1

charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml

@@ -5,6 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   replicas: {{ .Values.csi.plugin.controllerPlugin.replicas }}
   strategy:
@@ -21,10 +25,18 @@ spec:
     metadata:
       labels:
         {{- include "cinder-csi.controllerplugin.labels" . | nindent 8 }}
+      annotations:
+        {{- with .Values.commonAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       serviceAccount: csi-cinder-controller-sa
+      securityContext:
+        {{- toYaml .Values.csi.plugin.controllerPlugin.podSecurityContext | nindent 8 }}
       containers:
         - name: csi-attacher
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.attacher.image.repository }}:{{ .Values.csi.attacher.image.tag }}"
           imagePullPolicy: {{ .Values.csi.attacher.image.pullPolicy }}
           args:
@@ -46,6 +58,8 @@ spec:
               mountPath: /var/lib/csi/sockets/pluginproxy/
           resources: {{ toYaml .Values.csi.attacher.resources | nindent 12 }}
         - name: csi-provisioner
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.provisioner.image.repository }}:{{ .Values.csi.provisioner.image.tag }}"
           imagePullPolicy: {{ .Values.csi.provisioner.image.pullPolicy }}
           args:
@@ -69,6 +83,8 @@ spec:
               mountPath: /var/lib/csi/sockets/pluginproxy/
           resources: {{ toYaml .Values.csi.provisioner.resources | nindent 12 }}
         - name: csi-snapshotter
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.snapshotter.image.repository }}:{{ .Values.csi.snapshotter.image.tag }}"
           imagePullPolicy: {{ .Values.csi.snapshotter.image.pullPolicy }}
           args:
@@ -89,6 +105,8 @@ spec:
               name: socket-dir
           resources: {{ toYaml .Values.csi.snapshotter.resources | nindent 12 }}
         - name: csi-resizer
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.resizer.image.repository }}:{{ .Values.csi.resizer.image.tag }}"
           imagePullPolicy: {{ .Values.csi.resizer.image.pullPolicy }}
           args:
@@ -110,6 +128,8 @@ spec:
               mountPath: /var/lib/csi/sockets/pluginproxy/
           resources: {{ toYaml .Values.csi.resizer.resources | nindent 12 }}
         - name: liveness-probe
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.livenessprobe.image.repository }}:{{ .Values.csi.livenessprobe.image.tag }}"
           imagePullPolicy: {{ .Values.csi.livenessprobe.image.pullPolicy }}
           args:
@@ -128,6 +148,8 @@ spec:
               name: socket-dir
           resources: {{ toYaml .Values.csi.livenessprobe.resources | nindent 12 }}
         - name: cinder-csi-plugin
+          securityContext:
+            {{- toYaml .Values.csi.plugin.controllerPlugin.securityContext | nindent 12 }}
           image: "{{ .Values.csi.plugin.image.repository }}:{{ .Values.csi.plugin.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.csi.plugin.image.pullPolicy }}
           args:
@@ -137,6 +159,9 @@ spec:
             - "--cloud-config=$(CLOUD_CONFIG)"
             - "--cluster=$(CLUSTER_NAME)"
             - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}"
+            {{- if .Values.csi.plugin.httpEndpoint.enabled }}
+            - "--http-endpoint=:{{ .Values.csi.plugin.httpEndpoint.port }}"
+            {{- end }}
             {{- if .Values.csi.plugin.extraArgs }}
             {{- with .Values.csi.plugin.extraArgs }}
             {{- tpl . $ | trim | nindent 12 }}
@@ -153,6 +178,11 @@ spec:
             - containerPort: 9808
               name: healthz
               protocol: TCP
+            {{- if .Values.csi.plugin.httpEndpoint.enabled }}
+            - containerPort: {{ .Values.csi.plugin.httpEndpoint.port }}
+              name: http
+              protocol: TCP
+            {{- end }}
           # The probe
           livenessProbe:
             failureThreshold: {{ .Values.csi.livenessprobe.failureThreshold }}
@@ -169,22 +199,33 @@ spec:
               mountPath: /etc/kubernetes/{{ .Values.secret.filename }}
               readOnly: true
               subPath: {{ .Values.secret.filename }}
+          {{- with .Values.csi.plugin.volumeMounts }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }}
       volumes:
         - name: socket-dir
           emptyDir:
-        - name: cloud-config
         {{- if .Values.secret.enabled }}
+        - name: cloud-config
           secret:
             secretName: {{ .Values.secret.name }}
-        {{- else }}
+        {{- else if .Values.secret.hostMount }}
+        - name: cloud-config
           hostPath:
             path: /etc/kubernetes
         {{- end }}
+        {{- with .Values.csi.plugin.volumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
       affinity: {{ toYaml .Values.csi.plugin.controllerPlugin.affinity | nindent 8 }}
       nodeSelector: {{ toYaml .Values.csi.plugin.controllerPlugin.nodeSelector | nindent 8 }}
       tolerations: {{ toYaml .Values.csi.plugin.controllerPlugin.tolerations | nindent 8 }}
       imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
+      {{- with .Values.csi.plugin.controllerPlugin.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
     {{- end }}

charts/cinder-csi-plugin/templates/controllerplugin-podmonitor.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.csi.plugin.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  labels:
+    {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }}
+  name: {{ include "cinder-csi.name" . }}-controllerplugin
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  podMetricsEndpoints:
+  - interval: 30s
+    port: http
+    scheme: http
+  jobLabel: component
+  selector:
+    matchLabels:
+      {{- include "cinder-csi.controllerplugin.matchLabels" . | nindent 6 }}
+{{- end }}