diff --git a/.github/workflows/build-container.yml b/.github/workflows/build-container.yml new file mode 100644 index 00000000..ed9a6371 --- /dev/null +++ b/.github/workflows/build-container.yml @@ -0,0 +1,60 @@ +name: Build and upload CSI driver container image + +on: + workflow_dispatch: + inputs: + versionTag: + description: "Version tag of the image" + default: "" + type: string + required: false + push: + branches: + - main + +jobs: + build-csi-driver: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - name: Check out repository + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b + + - name: Install Go + uses: actions/setup-go@84cbf8094393cdc5fe1fe1671ff2647332956b1a + with: + go-version: "1.18" + + - name: Pseudo version + id: pseudo-version + run: | + git clone https://github.com/edgelesssys/constellation /constellation + cd /constellation/hack/pseudo-version + echo "pseudoVersion=$(go run .)" >> $GITHUB_ENV + echo ${{ env.pseudoVersion }} + + - name: Set up Docker Buildx + id: docker-setup + uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 + + - name: Build container image + run: make REGISTRY=ghcr.io/edgelesssys VERSION=${{ env.pseudoVersion }} image-csi-plugin + + - name: Log in to the Container registry + id: docker-login + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Push container image + run: | + docker push ghcr.io/edgelesssys/cinder-csi-plugin:${{ env.pseudoVersion }} + if [ "${{ inputs.versionTag }}" != "" ] + then + docker tag ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ env.pseudoVersion }} ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ inputs.versionTag }} + docker push ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${{ inputs.versionTag }} + fi 
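Review bot: The push step is internally inconsistent: the build runs with `REGISTRY=ghcr.io/edgelesssys` and the first `docker push` targets `ghcr.io/edgelesssys/cinder-csi-plugin`, but the retag and second push reference `ghcr.io/edgelesssys/constellation/cinder-csi-plugin`, an image name that was never built, so the step fails whenever `versionTag` is set (the README in this change uses the `.../constellation/...` path, so that is presumably the intended one). Separately, `${{ inputs.versionTag }}` and `${{ env.pseudoVersion }}` are expanded into the shell script before it runs, the GitHub Actions expression-injection pattern; triggering `workflow_dispatch` needs write access so exposure is limited, but the values still belong in `env:` and should be read as shell variables. The pseudo-version step clones the constellation repository unpinned and executes it with `go run .`, so the version string and the code that computes it depend on whatever is on that default branch at run time — pin a commit. Note also that `echo ${{ env.pseudoVersion }}` in the same step prints an empty string, since `$GITHUB_ENV` only takes effect in later steps.
```yaml
      - name: Build container image
        run: make REGISTRY=ghcr.io/edgelesssys/constellation VERSION="${pseudoVersion}" image-csi-plugin

      # … unchanged: docker login …

      - name: Push container image
        env:
          IMAGE: ghcr.io/edgelesssys/constellation/cinder-csi-plugin
          VERSION_TAG: ${{ inputs.versionTag }}
        run: |
          docker push "${IMAGE}:${pseudoVersion}"
          if [ -n "${VERSION_TAG}" ]; then
            docker tag "${IMAGE}:${pseudoVersion}" "${IMAGE}:${VERSION_TAG}"
            docker push "${IMAGE}:${VERSION_TAG}"
          fi
```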
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml deleted file mode 100644 index 462450a9..00000000 --- a/.github/workflows/pr.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: Lint Charts - -on: - pull_request: - paths: - - 'charts/**' - -jobs: - lint: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Set up Helm - uses: azure/setup-helm@v3 - with: - version: v3.10.0 - - - uses: actions/setup-python@v4 - with: - python-version: '3.9' - check-latest: true - - # see example https://github.com/helm/chart-testing-action - - name: Set up chart-testing - uses: helm/chart-testing-action@v2.3.1 - - - name: Run chart-testing (lint) - run: ct lint --target-branch ${GITHUB_BASE_REF} diff --git a/.github/workflows/release-cpo.yaml b/.github/workflows/release-cpo.yaml deleted file mode 100644 index 68d38d41..00000000 --- a/.github/workflows/release-cpo.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Release CPO - -on: - push: - tags: - - v1.* - -jobs: - release: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Create Release - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref }} - body: | - todo - draft: true - prerelease: false diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml deleted file mode 100644 index 354d6932..00000000 --- a/.github/workflows/release.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: Release Charts - -on: - push: - branches: - - "master" - - "release-*" - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: Configure Git - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.1.0 - env: - CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/Dockerfile b/Dockerfile index decbdd59..df6f913a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -47,8 +47,9 @@ RUN apk add --no-cache ca-certificates # We use go's native cross compilation for multi-arch in this stage, so the # builder itself is always amd64 FROM --platform=linux/amd64 ${GOLANG_IMAGE} as builder +RUN apt-get update && apt-get install -y build-essential git wget pkg-config libcryptsetup12 libcryptsetup-dev -ARG GOPROXY=https://goproxy.io,direct +ARG GOPROXY=direct ARG TARGETOS ARG TARGETARCH ARG VERSION @@ -109,7 +110,7 @@ CMD ["sh", "-c", "/bin/barbican-kms-plugin --socketpath ${socketpath} --cloud-co FROM --platform=${TARGETPLATFORM} ${DEBIAN_IMAGE} as cinder-csi-plugin # Install e4fsprogs for format -RUN clean-install btrfs-progs e2fsprogs mount udev xfsprogs +RUN clean-install btrfs-progs e2fsprogs mount udev xfsprogs libcryptsetup12 libcryptsetup-dev COPY --from=builder /build/cinder-csi-plugin /bin/cinder-csi-plugin COPY --from=certs /etc/ssl/certs /etc/ssl/certs diff --git a/Makefile b/Makefile index 4d1f536e..4455c090 100644 --- a/Makefile +++ b/Makefile @@ -72,7 +72,7 @@ build-all-archs: build: $(BUILD_CMDS) $(BUILD_CMDS): $(SOURCES) - CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) GOPROXY=${GOPROXY} go build \ + CGO_ENABLED=1 GOOS=$(GOOS) GOARCH=$(GOARCH) GOPROXY=${GOPROXY} go build \ -trimpath \ -ldflags $(LDFLAGS) \ -o $@ \ 
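Review bot: The runtime stage `cinder-csi-plugin` now installs `libcryptsetup-dev` next to `libcryptsetup12`; the `-dev` package only carries headers and a linker symlink that the builder stage needs, so in the shipped image it is extra install surface for no runtime benefit — use `RUN clean-install btrfs-progs e2fsprogs mount udev xfsprogs libcryptsetup12` there. In the builder stage the new `apt-get install` line sits directly under a comment that still says Go's native cross-compilation is used for multi-arch, but once the Makefile in this change builds with `CGO_ENABLED=1` the amd64 gcc and amd64 `libcryptsetup-dev` only serve `TARGETARCH=amd64`; other architectures will fail at link time unless a cross toolchain and target-arch libcryptsetup are added, so either update that comment or constrain the build. The builder `apt-get` also leaves the package lists in the layer and pulls recommends; `apt-get install -y --no-install-recommends … && rm -rf /var/lib/apt/lists/*` is the usual form.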
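Review bot: Flipping `CGO_ENABLED=0` to `1` in the `$(BUILD_CMDS)` rule means the binary now dynamically links libcryptsetup and glibc, so `GOARCH` values other than the host no longer build without a matching C cross-compiler (`CC=aarch64-linux-gnu-gcc` and the target-arch libcryptsetup), and the result only runs on an image that provides the same shared libraries. The Dockerfile in this change installs `libcryptsetup12` in the runtime stage, which covers the container, but anyone consuming `make build` output directly is not told. A comment on the rule would make the requirement explicit, e.g. `# CGO is required: the cryptmapper links against libcryptsetup; cross builds need CC pointed at a target toolchain.`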
@@ -84,7 +84,7 @@ check: work go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.2 run ./... unit: work - go test -tags=unit $(shell go list ./... | sed -e '/sanity/ { N; d; }' | sed -e '/tests/ {N; d;}') $(TESTARGS) + CGO_ENABLED=1 go test -tags=unit $(shell go list ./... | sed -e '/sanity/ { N; d; }' | sed -e '/tests/ {N; d;}') $(TESTARGS) functional: @echo "$@ not yet implemented" diff --git a/README.md b/README.md index af2ed8e3..e98a42ba 100644 --- a/README.md +++ b/README.md 
@@ -1,37 +1,107 @@ -# Cloud Provider OpenStack +# OpenStack Cinder CSI driver for Constellation Kubernetes -Thank you for visiting the `Cloud Provider OpenStack` repository! +This is a fork of the OpenStack Cinder CSI driver with added encryption features for Constellation. -This Repository hosts various plugins relevant to OpenStack and Kubernetes Integration +- [Upstream source](https://github.com/kubernetes/cloud-provider-openstack) +- [Constellation repo](https://github.com/edgelesssys/constellation) -* [OpenStack Cloud Controller Manager](/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md/) -* [Octavia Ingress Controller](/docs/octavia-ingress-controller/using-octavia-ingress-controller.md/) -* [Cinder CSI Plugin](/docs/cinder-csi-plugin/using-cinder-csi-plugin.md/) -* [Keystone Webhook Authentication Authorization](/docs/keystone-auth/using-keystone-webhook-authenticator-and-authorizer.md/) -* [Client Keystone](/docs/keystone-auth/using-client-keystone-auth.md/) -* [Manila CSI Plugin](/docs/manila-csi-plugin/using-manila-csi-plugin.md/) -* [Barbican KMS Plugin](/docs/barbican-kms-plugin/using-barbican-kms-plugin.md/) -* [Magnum Auto Healer](/docs/magnum-auto-healer/using-magnum-auto-healer.md/) +## About -**NOTE:** +This driver allows a Constellation cluster to use [Cinder CSI](https://wiki.openstack.org/wiki/Cinder) volumes, csi plugin name: `cinder.csi.confidential.cloud` -* Cinder Standalone Provisioner, Manila Provisioner and Cinder FlexVolume Driver were removed since release v1.18.0. -* Version 1.17 was the last release of Manila Provisioner, which is unmaintained from now on. Due to dependency issues, we removed the code from master but it is still accessible in the [release-1.17](https://github.com/kubernetes/cloud-provider-openstack/tree/release-1.17) branch. Please consider migrating to Manila CSI Plugin. -* Start from release v1.26.0, neutron lbaasv1 support is removed and only Octavia is supported. 
+### Install the driver on a Constellation Kubernetes cluster -## Developing +Create a cloud configuration: -Refer to [Getting Started Guide](/docs/developers-guide.md/) for setting up development environment and contributing. +```shell +cat < cloud-config.yaml +apiVersion: v1 +kind: Secret +metadata: + name: cinder-csi-cloud-config + namespace: kube-system +type: Opaque +stringData: + cloud.conf: |- + [Global] + auth-url= + username= + password= + project-id= + project-name= + user-domain-name= + project-domain-name= + region= +EOF +kubectl apply -f cloud-config.yaml +``` -## Contact +Use `helm` to deploy the driver to your cluster: -Please join us on [Kubernetes provider-openstack slack channel](https://kubernetes.slack.com/messages/provider-openstack) +```shell +helm install cinder-csi cloud-provider-openstack/charts/cinder-csi-plugin --namespace kube-system +``` -Project Co-Leads: -* @ramineni - Anusha Ramineni -* @chrigl - Christoph Glaubitz -* @jichenjc - Chen Ji -* @zetaab - Jesse Haka +See [helm configuration](./charts/cinder-csi-plugin/README.md) for a detailed list on configuration options. + +Remove the driver using helm: + +```shell +helm uninstall cinder-csi -n kube-system +``` + +## Features + +- Please refer to [Cinder CSI Features](./docs/cinder-csi-plugin/features.md) + +### Enabling integrity protection + +By default the CSI driver will transparently encrypt all disks staged on the node. +Optionally, you can configure the driver to also apply integrity protection. + +Please note that enabling integrity protection requires wiping the disk before use. +Disk wipe speeds are largely dependent on IOPS and the performance tier of the disk. +If you intend to provision large amounts of storage and Pod creation speed is important, +we recommend requesting high-performance disks. + +To enable integrity protection, create a storage class with an explicit file system type request and add the suffix `-integrity`. 
+The following is a storage class for integrity protected `ext4` formatted disks: + +```yaml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: integrity-protected +provisioner: azuredisk.csi.confidential.cloud +parameters: + skuName: StandardSSD_LRS + csi.storage.k8s.io/fstype: ext4-integrity +reclaimPolicy: Delete +volumeBindingMode: Immediate +``` + +Please note that [volume expansion](https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/) is not supported for integrity-protected disks. + +## Troubleshooting + +- [CSI driver troubleshooting guide](./docs/cinder-csi-plugin/troubleshooting.md) + +## Kubernetes Development + +- Please refer to [development guide](./docs/csi-dev.md) + +To build the driver container image: + +```shell +driver_version=v0.0.0-test +make REGISTRY=ghcr.io/edgelesssys/constellation VERSION=${driver_version} build-local-image-cinder-csi-plugin +docker push ghcr.io/edgelesssys/constellation/cinder-csi-plugin:${driver_version} +``` + +## Links + +- [Kubernetes CSI Documentation](https://kubernetes-csi.github.io/docs/) +- [Container Storage Interface (CSI) Specification](https://github.com/container-storage-interface/spec) ## License diff --git a/charts/cinder-csi-plugin/Chart.yaml b/charts/cinder-csi-plugin/Chart.yaml index 2803d79d..d263e85d 100644 --- a/charts/cinder-csi-plugin/Chart.yaml +++ b/charts/cinder-csi-plugin/Chart.yaml @@ -1,10 +1,5 @@ apiVersion: v1 -appVersion: v1.27.0 -description: Cinder CSI Chart for OpenStack +appVersion: v1.0.0 +description: Cinder CSI Chart for OpenStack with on-node encryption support name: openstack-cinder-csi -version: 2.28.0-alpha.1 -home: https://github.com/kubernetes/cloud-provider-openstack -icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png -maintainers: - - name: brtknr - email: brtknr@bath.edu +version: 1.0.0 
diff --git a/charts/cinder-csi-plugin/templates/NOTES.txt b/charts/cinder-csi-plugin/templates/NOTES.txt index 2ed02ae6..02559af4 100644 --- a/charts/cinder-csi-plugin/templates/NOTES.txt +++ b/charts/cinder-csi-plugin/templates/NOTES.txt @@ -1 +1 @@ -Use the following storageClass csi-cinder-sc-retain and csi-cinder-sc-delete only for RWO volumes. \ No newline at end of file +Use the following storageClass encrypted-rwo and integrity-encrypted-rwo only for RWO volumes. diff --git a/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml b/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml index 5b681e4c..3e7b600f 100644 --- a/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml +++ b/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml @@ -1,7 +1,7 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: - name: cinder.csi.openstack.org + name: cinder.csi.confidential.cloud spec: attachRequired: true podInfoOnMount: true diff --git a/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml b/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml index 4934320d..9e13f851 100644 --- a/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml +++ b/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml @@ -136,6 +136,7 @@ spec: - "--endpoint=$(CSI_ENDPOINT)" - "--cloud-config=$(CLOUD_CONFIG)" - "--cluster=$(CLUSTER_NAME)" + - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}" {{- if .Values.csi.plugin.extraArgs }} {{- with .Values.csi.plugin.extraArgs }} {{- tpl . $ | trim | nindent 12 }} 
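Review bot: `{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}` in the new `--kms-addr` argument never falls back to the release namespace, because values.yaml in this same change sets `keyServiceNamespace: "kube-system"`; if the intent is "release namespace unless overridden", ship the value empty (`keyServiceNamespace: ""`) and keep the `default`, otherwise drop the `default` so the template does not imply a fallback that cannot happen. The address is also passed as a bare `host:port` with no scheme, so a reader of the template cannot tell whether the connection to the key service is TLS-protected or authenticated; a one-line comment above the argument naming the transport the driver uses would answer that without a code dive. The enclosing container spec starts and ends outside this hunk.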
@@ -164,7 +165,10 @@ spec: volumeMounts: - name: socket-dir mountPath: /csi - {{- .Values.csi.plugin.volumeMounts | toYaml | trimSuffix "\n" | nindent 12 }} + - name: cloud-config + mountPath: /etc/kubernetes/{{ .Values.secret.filename }} + readOnly: true + subPath: {{ .Values.secret.filename }} resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }} volumes: - name: socket-dir @@ -177,10 +181,10 @@ spec: hostPath: path: /etc/kubernetes {{- end }} - {{ .Values.csi.plugin.volumes | toYaml | trimSuffix "\n" | nindent 8 }} affinity: {{ toYaml .Values.csi.plugin.controllerPlugin.affinity | nindent 8 }} nodeSelector: {{ toYaml .Values.csi.plugin.controllerPlugin.nodeSelector | nindent 8 }} tolerations: {{ toYaml .Values.csi.plugin.controllerPlugin.tolerations | nindent 8 }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml b/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml index f2f42a79..dd9f513a 100644 --- a/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml +++ b/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml @@ -16,6 +16,7 @@ spec: spec: serviceAccount: csi-cinder-node-sa hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet containers: - name: node-driver-registrar image: "{{ .Values.csi.nodeDriverRegistrar.image.repository }}:{{ .Values.csi.nodeDriverRegistrar.image.tag }}" @@ -72,6 +73,7 @@ spec: - "-v={{ .Values.logVerbosityLevel }}" - "--endpoint=$(CSI_ENDPOINT)" - "--cloud-config=$(CLOUD_CONFIG)" + - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}" {{- if .Values.csi.plugin.extraArgs }} {{- with .Values.csi.plugin.extraArgs }} {{- tpl . $ | trim | nindent 12 }} 
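Review bot: The cloud-config mount now uses `subPath: {{ .Values.secret.filename }}` on a Secret-backed volume, and the kubelet does not propagate Secret updates into subPath mounts, so rotating the OpenStack credentials in `cinder-csi-cloud-config` no longer reaches the running controller until the pod is restarted, whereas the previous whole-directory mount picked up changes automatically. If the subPath is needed to keep the hostPath fallback layout, add a comment on the mount stating this and tell users in the chart README that a rollout restart is required after rotating the secret; otherwise mount the whole secret at `/etc/kubernetes` as before. The `.Values.csi.plugin.volumeMounts` and `.Values.csi.plugin.volumes` hooks are removed here while values.yaml in this change still ships a `csi.plugin.volumeMounts` list, so a user who customises it gets neither an error nor a mount — delete the key or wire it back in. `imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}` renders `imagePullSecrets: null` when the value is unset, which the API accepts but is cleaner wrapped in `{{- with .Values.imagePullSecrets }}`.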
@@ -104,7 +106,10 @@ spec: - name: pods-probe-dir mountPath: /dev mountPropagation: "HostToContainer" - {{- .Values.csi.plugin.volumeMounts | toYaml | trimSuffix "\n" | nindent 12 }} + - name: cloud-config + mountPath: /etc/kubernetes/{{ .Values.secret.filename }} + readOnly: true + subPath: {{ .Values.secret.filename }} resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }} volumes: - name: socket-dir @@ -135,10 +140,10 @@ spec: hostPath: path: /etc/kubernetes {{- end }} - {{ .Values.csi.plugin.volumes | toYaml | trimSuffix "\n" | nindent 8 }} affinity: {{ toYaml .Values.csi.plugin.nodePlugin.affinity | nindent 8 }} nodeSelector: {{ toYaml .Values.csi.plugin.nodePlugin.nodeSelector | nindent 8 }} tolerations: {{ toYaml .Values.csi.plugin.nodePlugin.tolerations | nindent 8 }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/charts/cinder-csi-plugin/templates/storageclass.yaml b/charts/cinder-csi-plugin/templates/storageclass.yaml index 704c3003..5c987b7b 100644 --- a/charts/cinder-csi-plugin/templates/storageclass.yaml +++ b/charts/cinder-csi-plugin/templates/storageclass.yaml 
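Review bot: The node DaemonSet gets the same `subPath` Secret mount as the controller, with the same consequence: a rotated `cinder-csi-cloud-config` Secret is not reflected in a subPath mount, so every node plugin pod must be restarted after credential rotation — worth a comment on the mount and a line in the chart README. Removing the `volumes`/`volumeMounts` hooks here also removes the only way to add a CA bundle to the node plugin (the old values shipped a `cacert` hostPath for exactly that), so an OpenStack endpoint signed by a private CA can no longer be trusted through chart values; if that is intentional, state it in values.yaml, otherwise keep the hooks. The `dnsPolicy: ClusterFirstWithHostNet` line added at the top of this file is what lets the host-networked pod resolve the `--kms-addr` service name through cluster DNS; a short comment such as `# hostNetwork pods need this to resolve the in-cluster key service` would keep the next maintainer from dropping it.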
@@ -2,24 +2,28 @@ apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: - name: csi-cinder-sc-delete - {{- if .Values.storageClass.delete.isDefault }} + name: encrypted-rwo + {{- if .Values.storageClass.default.isDefault }} annotations: storageclass.kubernetes.io/is-default-class: "true" {{- end }} -provisioner: cinder.csi.openstack.org +provisioner: cinder.csi.confidential.cloud reclaimPolicy: Delete -allowVolumeExpansion: {{ .Values.storageClass.delete.allowVolumeExpansion }} +allowVolumeExpansion: {{ .Values.storageClass.default.allowVolumeExpansion }} +volumeBindingMode: Immediate --- apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: - name: csi-cinder-sc-retain - {{- if .Values.storageClass.retain.isDefault }} + name: integrity-encrypted-rwo + {{- if .Values.storageClass.integrity.isDefault }} annotations: storageclass.kubernetes.io/is-default-class: "true" {{- end }} -provisioner: cinder.csi.openstack.org -reclaimPolicy: Retain -allowVolumeExpansion: {{ .Values.storageClass.retain.allowVolumeExpansion }} -{{- end }} \ No newline at end of file +parameters: + csi.storage.k8s.io/fstype: ext4-integrity +provisioner: cinder.csi.confidential.cloud +reclaimPolicy: Delete +allowVolumeExpansion: {{ .Values.storageClass.integrity.allowVolumeExpansion }} +volumeBindingMode: Immediate +{{- end }} diff --git a/charts/cinder-csi-plugin/values.yaml b/charts/cinder-csi-plugin/values.yaml index 0f995429..40d98610 100644 --- a/charts/cinder-csi-plugin/values.yaml +++ b/charts/cinder-csi-plugin/values.yaml 
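Review bot: The `integrity-encrypted-rwo` class still renders `allowVolumeExpansion: {{ .Values.storageClass.integrity.allowVolumeExpansion }}` even though the README in this change states that volume expansion is not supported for integrity-protected disks; the values default is `false`, but a user who flips it gets a class that advertises an operation the driver cannot honour. Either hard-code `allowVolumeExpansion: false` for this class or keep the value and comment in values.yaml that it must stay false. Both classes are now `reclaimPolicy: Delete` and the Retain variant is gone together with the old `csi-cinder-sc-*` names, so an upgrade silently removes the retain option; if that is intended, NOTES.txt and the chart README should say so.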
@@ -54,17 +54,10 @@ csi: extraArgs: {} plugin: image: - repository: registry.k8s.io/provider-os/cinder-csi-plugin + repository: ghcr.io/edgelesssys/constellation/cinder-csi-plugin pullPolicy: IfNotPresent - tag: # defaults to .Chart.AppVersion - volumes: - - name: cacert - hostPath: - path: /etc/cacert + tag: # defaults to .Chart.AppVersion volumeMounts: - - name: cacert - mountPath: /etc/cacert - readOnly: true - name: cloud-config mountPath: /etc/kubernetes readOnly: true @@ -92,6 +85,10 @@ csi: tolerations: [] resources: {} extraArgs: {} + kms: + keyServiceName: "key-service" + keyServicePort: 9000 + keyServiceNamespace: "kube-system" # Log verbosity level. # See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md 
@@ -99,47 +96,19 @@ csi: logVerbosityLevel: 2 secret: - enabled: false + enabled: true create: false - filename: cloud.conf -# name: cinder-csi-cloud-config -# data: -# cloud.conf: |- -# [Global] -# auth-url=http://openstack-control-plane -# user-id=user-id -# password=password -# trust-id=trust-id -# region=RegionOne -# ca-file=/etc/cacert/ca-bundle.crt + filename: cloudprovider.conf + name: cinder-csi-cloud-config storageClass: enabled: true - delete: - isDefault: false + default: + isDefault: true allowVolumeExpansion: true - retain: + integrity: isDefault: false - allowVolumeExpansion: true -# any kind of custom StorageClasses -# custom: |- -# --- -# apiVersion: storage.k8s.io/v1 -# kind: StorageClass -# metadata: -# name: sas -# provisioner: cinder.csi.openstack.org -# volumeBindingMode: WaitForFirstConsumer -# allowVolumeExpansion: true -# parameters: -# type: SAS -# --- -# apiVersion: snapshot.storage.k8s.io/v1 -# kind: VolumeSnapshotClass -# metadata: -# name: csi-cinder-snapclass -# driver: cinder.csi.openstack.org -# deletionPolicy: Delete + allowVolumeExpansion: false # You may set ID of the cluster where openstack-cinder-csi is deployed. This value will be appended # to volume metadata in newly provisioned volumes as `cinder.csi.openstack.org/cluster=`. diff --git a/cmd/cinder-csi-plugin/main.go b/cmd/cinder-csi-plugin/main.go index 10730570..73caaa7c 100644 --- a/cmd/cinder-csi-plugin/main.go +++ b/cmd/cinder-csi-plugin/main.go @@ -21,6 +21,8 @@ import ( "fmt" "os" + "github.com/edgelesssys/constellation/v2/csi/cryptmapper" + cryptKms "github.com/edgelesssys/constellation/v2/csi/kms" "github.com/spf13/cobra" "github.com/spf13/pflag" "k8s.io/cloud-provider-openstack/pkg/csi/cinder" @@ -37,6 +39,7 @@ var ( cloudconfig []string cluster string httpEndpoint string + kmsAddr string ) func main() { 
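Review bot: `secret.filename` becomes `cloudprovider.conf`, and both plugin templates in this change mount it with `subPath: {{ .Values.secret.filename }}` from Secret `cinder-csi-cloud-config`, but the README's secret example in this same change writes the key as `cloud.conf`; a subPath that does not exist in the Secret fails the mount and leaves the pods in ContainerCreating. Either rename the key in the README to `cloudprovider.conf` or set `filename: cloud.conf` here. `secret.enabled: true` with `create: false` means the chart now hard-depends on a pre-existing Secret, which deserves a comment on these lines, e.g. `# The chart does not create this Secret; it must exist in the release namespace before install.` The commented `ca-file=/etc/cacert/ca-bundle.crt` example disappears together with the `cacert` mount, so there is no longer a documented way to trust a private OpenStack CA — if that is out of scope, say so in the values comments rather than leaving it silent.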
@@ -90,6 +93,12 @@ func main() { cmd.PersistentFlags().StringVar(&cluster, "cluster", "", "The identifier of the cluster that the plugin is running in.") cmd.PersistentFlags().StringVar(&httpEndpoint, "http-endpoint", "", "The TCP network address where the HTTP server for diagnostics, including metrics and leader election health check, will listen (example: `:8080`). The default is empty string, which means the server is disabled.") + + cmd.PersistentFlags().StringVar(&kmsAddr, "kms-addr", "kms.kube-system:9000", "Address of Constellation's KMS. Used to request keys (default: kms.kube-system:9000)") + if err := cmd.MarkPersistentFlagRequired("kms-addr"); err != nil { + klog.Fatalf("Unable to mark flag kms-addr to be required: %v", err) + } + openstack.AddExtraFlags(pflag.CommandLine) code := cli.Run(cmd) @@ -112,6 +121,12 @@ func handle() { //Initialize Metadata metadata := metadata.GetMetadataProvider(cloud.GetMetadataOpts().SearchOrder) - d.SetupDriver(cloud, mount, metadata) + //Initialize CryptMapper + cm := cryptmapper.New( + cryptKms.NewConstellationKMS(kmsAddr), + &cryptmapper.CryptDevice{}, + ) + + d.SetupDriver(cloud, mount, metadata, cm) d.Run() } diff --git a/docs/cinder-csi-plugin/using-cinder-csi-plugin.md b/docs/cinder-csi-plugin/using-cinder-csi-plugin.md index ae61009a..8152ea89 100644 --- a/docs/cinder-csi-plugin/using-cinder-csi-plugin.md +++ b/docs/cinder-csi-plugin/using-cinder-csi-plugin.md @@ -46,7 +46,7 @@ For sidecar version compatibility with kubernetes, please refer [Compatibility M ## Driver Deployment -You can either use the manifests under `manifests/cinder-csi-plugin` or the Helm chart `charts/cinder-csi-plugin`. +Use the the Helm chart `charts/cinder-csi-plugin` to deploy the driver. ### Command-line arguments @@ -88,6 +88,13 @@ In addition to the standard set of klog flags, `cinder-csi-plugin` accepts the f This will be added as metadata to every Cinder volume created by this plugin. + +
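Review bot: `--kms-addr` is registered with a default of `kms.kube-system:9000` and then marked required via `MarkPersistentFlagRequired`; cobra rejects an invocation that omits a required flag regardless of its default, so the default is dead code, and the hand-written `(default: kms.kube-system:9000)` in the help text duplicates what pflag already prints. Either drop the required block and keep a real default, or keep the requirement and register it as `cmd.PersistentFlags().StringVar(&kmsAddr, "kms-addr", "", "Address (host:port) of Constellation's key service used to request volume keys.")`; note the chart in this change passes `key-service.<namespace>:9000`, so the in-code default is wrong for that deployment either way. Nothing visible in `handle()` authenticates or encrypts the connection — `cryptKms.NewConstellationKMS(kmsAddr)` takes only an address — so if transport security lives inside that constructor, a one-line comment above the `cryptmapper.New` call saying so would save the next reviewer the trip. The body of `handle()` starts outside this hunk.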
--kms-addr <KMS address>
+
+ This argument is required. + + Address of Constellation's KMS. Used to request keys. +
## Driver Config @@ -104,7 +111,7 @@ Implementation of `cinder-csi-plugin` relies on following OpenStack services. For Driver configuration, parameters must be passed via configuration file specified in `$CLOUD_CONFIG` environment variable. The following sections are supported in configuration file. -### Global +### Global For Cinder CSI Plugin to authenticate with OpenStack Keystone, required parameters needs to be passed in `[Global]` section of the file. For all supported parameters, please refer [Global](../openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#global) section. ### Block Storage 
@@ -132,67 +139,6 @@ These configuration options pertain to metadata and should appear in the `[Metad Influencing this behavior may be desirable as the metadata on the configuration drive may grow stale over time, whereas the metadata service always provides the most up to date view. Not all OpenStack clouds provide both configuration drive and metadata service though and only one or the other may be available which is why the default is to check both. -### Using the manifests - -All the manifests required for the deployment of the plugin are found at ```manifests/cinder-csi-plugin``` - -Configuration file specified in `$CLOUD_CONFIG` is passed to cinder CSI driver via kubernetes `secret`. If the secret `cloud-config` is already created in the cluster, you can remove the file, `manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml` and directly proceed to the step of creating controller and node plugins. - -To create a secret: - -* Encode your `$CLOUD_CONFIG` file content using base64. - -`$ base64 -w 0 $CLOUD_CONFIG` - -* Update ```cloud.conf``` configuration in ```manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml``` file -by using the result of the above command. - -* Create the secret. - -``` $ kubectl create -f manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml``` - -This should create a secret name `cloud-config` in `kube-system` namespace. - -Once the secret is created, Controller Plugin and Node Plugins can be deployed using respective manifests - -```$ kubectl -f manifests/cinder-csi-plugin/ apply``` - -This creates a set of cluster roles, cluster role bindings, and statefulsets etc to communicate with openstack(cinder). -For detailed list of created objects, explore the yaml files in the directory. 
-You should make sure following similar pods are ready before proceed: - -``` -$ kubectl get pods -n kube-system -NAME READY STATUS RESTARTS AGE -csi-cinder-controllerplugin 6/6 Running 0 29h -csi-cinder-nodeplugin 3/3 Running 0 46h -``` - -To get information about CSI Drivers running in a cluster - - -``` -$ kubectl get csidrivers.storage.k8s.io -NAME ATTACHREQUIRED PODINFOONMOUNT STORAGECAPACITY TOKENREQUESTS REQUIRESREPUBLISH MODES AGE -cinder.csi.openstack.org true true false false Persistent,Ephemeral 19h - -``` - -> NOTE: If using certs(`ca-file`), make sure to add the additional mount to the manifests (controller and node plugin) to mount the location of certs as volume onto container. For example, add `ca-cert` in `/etc/cacert` folder. Uncomment the related sections in `manifests/cinder-csi-plugin/cinder-csi-controllerplugin.yaml` and `manifests/cinder-csi-plugin/cinder-csi-nodeplugin.yaml` and replace the path with your own. - -``` - volumeMounts: - .... - - name: cacert - mountPath: /etc/cacert - readOnly: true - - volumes: - .... - - name: cacert - hostPath: - path: /etc/cacert -``` - ### Using the Helm chart > NOTE: With default values, this chart assumes that the `cloud.conf` is found on the host under `/etc/kubernetes/` and that your OpenStack cloud has cert under `/etc/cacert`. 
@@ -244,7 +190,7 @@ helm install --namespace kube-system --name cinder-csi ./charts/cinder-csi-plugi | StorageClass `parameters` | `availability` | `nova` | String. Volume Availability Zone | | StorageClass `parameters` | `type` | Empty String | String. Name/ID of Volume type. Corresponding volume type should exist in cinder | | VolumeSnapshotClass `parameters` | `force-create` | `false` | Enable to support creating snapshot for a volume in in-use status | -| Inline Volume `volumeAttributes` | `capacity` | `1Gi` | volume size for creating inline volumes| +| Inline Volume `volumeAttributes` | `capacity` | `1Gi` | volume size for creating inline volumes| | Inline Volume `VolumeAttributes` | `type` | Empty String | Name/ID of Volume type. Corresponding volume type should exist in cinder | ## Local Development @@ -256,14 +202,14 @@ To build the plugin, run ``` $ export ARCH=amd64 # Defaults to amd64 $ make build-cmd-cinder-csi-plugin -``` +``` To build cinder-csi-plugin image ``` $ export ARCH=amd64 # Defaults to amd64 $ make image-cinder-csi-plugin -``` +``` ### Testing @@ -274,7 +220,7 @@ To run all unit tests: $ make test ``` #### Sanity Tests -Sanity tests ensures the CSI spec conformance of the driver. For more info, refer [Sanity check](https://github.com/kubernetes-csi/csi-test/tree/master/pkg/sanity) +Sanity tests ensures the CSI spec conformance of the driver. For more info, refer [Sanity check](https://github.com/kubernetes-csi/csi-test/tree/master/pkg/sanity) Run sanity tests for cinder CSI driver using: 
@@ -288,5 +234,5 @@ Optionally, to test the driver csc tool could be used. please refer, [usage guid Starting from Kubernetes 1.21, OpenStack Cinder CSI migration is supported as beta feature and is `ON` by default. Cinder CSI driver must be installed on clusters on OpenStack for Cinder volumes to work. If you have persistence volumes that are created with in-tree `kubernetes.io/cinder` plugin, you could migrate to use `cinder.csi.openstack.org` Container Storage Interface (CSI) Driver. -* The CSI Migration feature for Cinder, when enabled, shims all plugin operations from the existing in-tree plugin to the `cinder.csi.openstack.org` CSI Driver. +* The CSI Migration feature for Cinder, when enabled, shims all plugin operations from the existing in-tree plugin to the `cinder.csi.openstack.org` CSI Driver. * For more info, please refer [Migrate to CCM with CSI Migration](../openstack-cloud-controller-manager/migrate-to-ccm-with-csimigration.md#migrate-from-in-tree-cloud-provider-to-openstack-cloud-controller-manager-and-enable-csimigration) guide diff --git a/edgeless/tests/README.md b/edgeless/tests/README.md new file mode 100644 index 00000000..9838168d --- /dev/null +++ b/edgeless/tests/README.md @@ -0,0 +1,38 @@ +# CSI driver e2e tests + +Run CSI e2e tests using [`sonobuoy`](https://github.com/vmware-tanzu/sonobuoy/releases/latest). + +## Generate test framework + +Generate CSI e2e test sonobuoy config: + +```shell +KUBECONFIG= sonobuoy.yaml +``` + +Apply driver patch: + +```shell +patch sonobuoy.yaml < patch.diff +``` + +## Running the test suite + +Start the test: + +```shell +kubectl apply -f sonobuoy.yaml +``` + +Wait for tests to complete: + +```shell +sonobuoy wait +``` + +Analyze results: + +```shell +sonobuoy results $(sonobuoy retrieve) +``` diff --git a/edgeless/tests/patch.diff b/edgeless/tests/patch.diff new file mode 100644 index 00000000..41c8bd61 --- /dev/null +++ b/edgeless/tests/patch.diff 
@@ -0,0 +1,61 @@ +--- sonobuoy.yaml.old 2023-05-09 08:24:09.470582428 +0000 ++++ sonobuoy.yaml 2023-05-15 16:11:05.459165941 +0000 +@@ -64,6 +64,10 @@ + data: + plugin-0.yaml: |- + podSpec: ++ volumes: ++ - name: csi-driver-config-volume ++ configMap: ++ name: csi-driver-test-config + containers: [] + nodeSelector: + kubernetes.io/os: linux +@@ -86,7 +90,7 @@ + - /run_e2e.sh + env: + - name: E2E_EXTRA_ARGS +- value: --progress-report-url=http://localhost:8099/progress ++ value: --progress-report-url=http://localhost:8099/progress --storage.testdriver=/tmp/csi-cfg/driver.yaml + - name: E2E_FOCUS + value: External.Storage + - name: E2E_PARALLEL +@@ -113,6 +117,8 @@ + volumeMounts: + - mountPath: /tmp/sonobuoy/results + name: results ++ - mountPath: /tmp/csi-cfg ++ name: csi-driver-config-volume + plugin-1.yaml: |- + podSpec: + containers: [] +@@ -245,4 +251,28 @@ + sonobuoy-component: aggregator + type: ClusterIP + --- +- ++apiVersion: v1 ++kind: ConfigMap ++metadata: ++ name: csi-driver-test-config ++ namespace: sonobuoy ++data: ++ driver.yaml: | ++ StorageClass: ++ FromName: true ++ DriverInfo: ++ Name: cinder.csi.confidential.cloud ++ SupportedFsType: ++ ext2: {} ++ ext3: {} ++ ext4: {} ++ xfs: {} ++ Capabilities: ++ persistence: true ++ block: true ++ exec: true ++ controllerExpansion: true ++ offlineExpansion: true ++ onlineExpansion: false ++ topology: true ++--- diff --git a/edgeless/tests/use.md b/edgeless/tests/use.md new file mode 100644 index 00000000..f2f0e7d6 --- /dev/null +++ b/edgeless/tests/use.md 
@@ -0,0 +1,125 @@ +# Use + +## Create a new storage class + +The following will create a storage class for the CSI driver. + +```shell +cat < -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}' + ``` + +3. Mark new class as the default + + ```shell + kubectl patch storageclass encrypted-storage -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}' + ``` + +4. Verify that your chosen storage class is default: + + ```shell + kubectl get storageclass + ``` + + The output is similar to this: + + ```shell + NAME PROVISIONER AGE + encrypted-storage (default) cinder.csi.confidential.cloud 1d + ``` diff --git a/examples/cinder-csi-plugin/nginx.yaml b/examples/cinder-csi-plugin/nginx.yaml index c0308896..d5bacd80 100644 --- a/examples/cinder-csi-plugin/nginx.yaml +++ b/examples/cinder-csi-plugin/nginx.yaml @@ -1,13 +1,5 @@ # This YAML file contains nginx & csi cinder driver objects, # which are necessary to run nginx with csi cinder driver. - -apiVersion: storage.k8s.io/v1 -kind: StorageClass -metadata: - name: csi-sc-cinderplugin -provisioner: cinder.csi.openstack.org - ---- apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -18,7 +10,7 @@ spec: resources: requests: storage: 1Gi - storageClassName: csi-sc-cinderplugin + storageClassName: encrypted-rwo --- apiVersion: v1 diff --git a/go.mod b/go.mod index 3a476705..61c42220 100644 --- a/go.mod +++ b/go.mod 
@@ -4,15 +4,16 @@ go 1.20 require ( github.com/container-storage-interface/spec v1.8.0 + github.com/edgelesssys/constellation/v2 v2.7.1 github.com/go-chi/chi/v5 v5.0.8 github.com/gophercloud/gophercloud v1.3.0 - github.com/gophercloud/utils v0.0.0-20230330070308-5bd5e1d608f8 + github.com/gophercloud/utils v0.0.0-20230418172808-6eab72e966e1 github.com/hashicorp/go-version v1.6.0 github.com/kubernetes-csi/csi-lib-utils v0.13.0 github.com/kubernetes-csi/csi-test/v5 v5.0.0 github.com/mitchellh/go-homedir v1.1.0 github.com/mitchellh/mapstructure v1.5.0 - github.com/onsi/ginkgo/v2 v2.9.2 + github.com/onsi/ginkgo/v2 v2.9.4 github.com/onsi/gomega v1.27.6 github.com/pborman/uuid v1.2.1 github.com/sirupsen/logrus v1.9.0 @@ -21,9 +22,9 @@ require ( github.com/spf13/viper v1.15.0 github.com/stretchr/testify v1.8.2 golang.org/x/net v0.9.0 - golang.org/x/sys v0.7.0 - golang.org/x/term v0.7.0 - google.golang.org/grpc v1.54.0 + golang.org/x/sys v0.8.0 + golang.org/x/term v0.8.0 + google.golang.org/grpc v1.55.0 google.golang.org/protobuf v1.30.0 gopkg.in/gcfg.v1 v1.2.3 gopkg.in/godo.v2 v2.0.9 @@ -31,12 +32,12 @@ require ( k8s.io/api v0.27.1 k8s.io/apimachinery v0.27.1 k8s.io/apiserver v0.27.1 - k8s.io/client-go v0.27.1 + k8s.io/client-go v1.5.2 k8s.io/cloud-provider v0.27.1 k8s.io/component-base v0.27.1 - k8s.io/klog/v2 v2.90.1 + k8s.io/klog/v2 v2.100.1 k8s.io/kms v0.27.1 - k8s.io/kubernetes v1.27.1 + k8s.io/kubernetes v1.26.3 k8s.io/mount-utils v0.27.1 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 software.sslmate.com/src/go-pkcs12 v0.2.0 
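Review bot: In the third hunk `k8s.io/client-go` moves from v0.27.1 to v1.5.2, which is not in the v0.27 line that the sibling `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/apiserver` entries stay on, and in the same hunk `k8s.io/kubernetes` drops from v1.27.1 to v1.26.3 while every other k8s.io module remains at v0.27.1. This looks like minimum-version selection pulling mismatched requirements through the new `github.com/edgelesssys/constellation/v2 v2.7.1` dependency rather than a deliberate pin; as far as I can tell the v1.x client-go tags are old pre-module tags, so a build that really resolves to one would be a supply-chain regression, not just a version skew. Unless a `replace` block outside this hunk pins these modules, I would expect `k8s.io/client-go v0.27.1` and `k8s.io/kubernetes v1.27.1` here, plus a comment next to the constellation requirement explaining how the k8s.io set is kept on one release line.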
@@ -48,9 +49,10 @@ require ( github.com/NYTimes/gziphandler v1.1.1 // indirect github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230321174746-8dcc6526cfb1 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect + github.com/aws/aws-sdk-go v1.44.257 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect - github.com/cenkalti/backoff/v4 v4.2.0 // indirect + github.com/cenkalti/backoff/v4 v4.2.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/coreos/go-semver v0.3.1 // indirect github.com/coreos/go-systemd/v22 v22.5.0 // indirect 
@@ -69,26 +71,29 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.3 // indirect - github.com/google/cel-go v0.14.0 // indirect + github.com/google/cel-go v0.15.0 // indirect github.com/google/gnostic v0.6.9 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect + github.com/google/pprof v0.0.0-20230502171905-255e3b9b56de // indirect github.com/google/uuid v1.3.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 // indirect + github.com/hashicorp/go-uuid v1.0.3 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/imdario/mergo v0.3.15 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect + github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect + github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect github.com/mgutz/str v1.2.0 // indirect github.com/moby/spdystream v0.2.0 // indirect github.com/moby/sys/mountinfo v0.6.2 // indirect - github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect + github.com/moby/term v0.5.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 
@@ -97,9 +102,9 @@ require ( github.com/pelletier/go-toml/v2 v2.0.7 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/prometheus/client_golang v1.15.0 // indirect - github.com/prometheus/client_model v0.3.0 // indirect - github.com/prometheus/common v0.42.0 // indirect + github.com/prometheus/client_golang v1.15.1 // indirect + github.com/prometheus/client_model v0.4.0 // indirect + github.com/prometheus/common v0.43.0 // indirect github.com/prometheus/procfs v0.9.0 // indirect github.com/spf13/afero v1.9.5 // indirect github.com/spf13/cast v1.5.0 // indirect 
@@ -110,26 +115,26 @@ require ( go.etcd.io/etcd/api/v3 v3.5.8 // indirect go.etcd.io/etcd/client/pkg/v3 v3.5.8 // indirect go.etcd.io/etcd/client/v3 v3.5.8 // indirect - go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.40.0 // indirect - go.opentelemetry.io/otel v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 // indirect - go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 // indirect - go.opentelemetry.io/otel/metric v0.37.0 // indirect - go.opentelemetry.io/otel/sdk v1.14.0 // indirect - go.opentelemetry.io/otel/trace v1.14.0 // indirect + go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.41.1 // indirect + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1 // indirect + go.opentelemetry.io/otel v1.15.1 // indirect + go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1 // indirect + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1 // indirect + go.opentelemetry.io/otel/metric v0.38.1 // indirect + go.opentelemetry.io/otel/sdk v1.15.1 // indirect + go.opentelemetry.io/otel/trace v1.15.1 // indirect go.opentelemetry.io/proto/otlp v0.19.0 // indirect - go.uber.org/atomic v1.10.0 // indirect + go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.24.0 // indirect golang.org/x/crypto v0.8.0 // indirect - golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect + golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 // indirect golang.org/x/oauth2 v0.7.0 // indirect - golang.org/x/sync v0.1.0 // indirect + golang.org/x/sync v0.2.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/time v0.3.0 // indirect - 
golang.org/x/tools v0.7.0 // indirect + golang.org/x/tools v0.8.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect @@ -141,9 +146,8 @@ require ( k8s.io/component-helpers v0.27.1 // indirect k8s.io/controller-manager v0.27.1 // indirect k8s.io/csi-translation-lib v0.27.1 // indirect - k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c // indirect + k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect k8s.io/kubectl v0.27.1 // indirect - k8s.io/kubelet v0.0.0 // indirect k8s.io/pod-security-admission v0.27.1 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect diff --git a/go.sum b/go.sum index aee34095..adf9119b 100644 --- a/go.sum +++ b/go.sum 
@@ -54,14 +54,16 @@ github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230321174746-8dcc6526cfb1/g
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
+github.com/aws/aws-sdk-go v1.44.257 h1:HwelXYZZ8c34uFFhgVw3ybu2gB5fkk8KLj2idTvzZb8=
+github.com/aws/aws-sdk-go v1.44.257/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/benbjohnson/clock v1.3.0 h1:ip6w0uFQkncKQ979AypyG0ER7mqUSBdKLOgAle/AT8A=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/buger/jsonparser v1.1.1/go.mod h1:6RYKKt7H4d4+iWqouImQ9R2FZql3VbhNgx27UK13J/0=
-github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
-github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
+github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -97,6 +99,8 @@ github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6
 github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
+github.com/edgelesssys/constellation/v2 v2.7.1 h1:1v7CxFm1Ynm4/o3L3EAx+lcRgqnOvJXLCFrMnmMkTA8=
+github.com/edgelesssys/constellation/v2 v2.7.1/go.mod h1:BkAahvBkSZivWW+uhGzLB/yh0ZohTyWE3a0d03106mE=
 github.com/emicklei/go-restful/v3 v3.10.2 h1:hIovbnmBTLjHXkqEBUz3HGpXZdM7ZrE9fJIZIqlJLqE=
 github.com/emicklei/go-restful/v3 v3.10.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -142,10 +146,10 @@ github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
+github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -179,9 +183,9 @@ github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
-github.com/google/cel-go v0.14.0 h1:LFobwuUDslWUHdQ48SXVXvQgPH2X1XVhsgOGNioAEZ4=
-github.com/google/cel-go v0.14.0/go.mod h1:YzWEoI07MC/a/wj9in8GeVatqfypkldgBlwXh9bCwqY=
+github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
+github.com/google/cel-go v0.15.0 h1:OLNhWn8gPWnQz78aSp8RWjCV4sMVHciQqHj53adYUGU=
+github.com/google/cel-go v0.15.0/go.mod h1:YzWEoI07MC/a/wj9in8GeVatqfypkldgBlwXh9bCwqY=
 github.com/google/gnostic v0.6.9 h1:ZK/5VhkoX835RikCHpSUJV9a+S3e1zLh59YnyWeBW+0=
 github.com/google/gnostic v0.6.9/go.mod h1:Nm8234We1lq6iB9OmlgNv3nH91XLLVZHCDayfA3xq+E=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -215,8 +219,8 @@ github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20230502171905-255e3b9b56de h1:6bMcLOeKoNo0+mTOb1ee3McF6CCKGixjLR3EDQY1Jik=
+github.com/google/pprof v0.0.0-20230502171905-255e3b9b56de/go.mod h1:79YE0hCXdHag9sBkw2o+N/YnZtTkXi0UT9Nnixa5eYk=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -227,8 +231,8 @@ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5m
 github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g=
 github.com/gophercloud/gophercloud v1.3.0 h1:RUKyCMiZoQR3VlVR5E3K7PK1AC3/qppsWYo6dtBiqs8=
 github.com/gophercloud/gophercloud v1.3.0/go.mod h1:aAVqcocTSXh2vYFZ1JTvx4EQmfgzxRcNupUfxZbBNDM=
-github.com/gophercloud/utils v0.0.0-20230330070308-5bd5e1d608f8 h1:K9r5WEeAiaEgFZsuOP0OYjE4TtyFcCLG1nI08t9AP6A=
-github.com/gophercloud/utils v0.0.0-20230330070308-5bd5e1d608f8/go.mod h1:VSalo4adEk+3sNkmVJLnhHoOyOYYS8sTWLG4mv5BKto=
+github.com/gophercloud/utils v0.0.0-20230418172808-6eab72e966e1 h1:vJyXd9+MB5vAKxpOo4z/PDSiPgKmEyJwHIDOdV4Y0KY=
+github.com/gophercloud/utils v0.0.0-20230418172808-6eab72e966e1/go.mod h1:VSalo4adEk+3sNkmVJLnhHoOyOYYS8sTWLG4mv5BKto=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
@@ -239,6 +243,7 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.0/go.mod h1:hgWBS7lorOAVIJEQMi4ZsPv9hVvWI6+ch50m39Pf2Ks=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2 h1:gDLXvp5S9izjldquuoAhDzccbskOL6tDC5jMSyx3zxE=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2/go.mod h1:7pdNwVWBBHGiCxa9lAszqCJMbfTISJ7oMftp8+UGV08=
+github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
@@ -252,6 +257,10 @@ github.com/imdario/mergo v0.3.15 h1:M8XP7IuFNsqUx6VPK2P9OSmsYsI/YFaGil0uD21V3dM=
 github.com/imdario/mergo v0.3.15/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jonboulle/clockwork v0.2.2 h1:UOGuzwb1PwsrDAObMuhUnj0p5ULPj8V/xJ7Kx9qUBdQ=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
@@ -278,6 +287,8 @@ github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0V
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6 h1:YDjLk3wsL5ZLhLC4TIwIvT2NkSCAdAV6pzzZaRfj4jk=
+github.com/martinjungblut/go-cryptsetup v0.0.0-20220520180014-fd0874fd07a6/go.mod h1:gZoZ0+POlM1ge/VUxWpMmZVNPzzMJ7l436CgkQ5+qzU=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mgutz/str v1.2.0 h1:4IzWSdIz9qPQWLfKZ0rJcV0jcUDpxvP4JVZ4GXQyvSw=
@@ -290,8 +301,8 @@ github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
 github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=
-github.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
+github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -318,13 +329,13 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM=
-github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
+github.com/prometheus/client_golang v1.15.1 h1:8tXpTmJbyH5lydzFPoxSIJ0J46jdh3tylbvM1xCv0LI=
+github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
-github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
-github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
-github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
+github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY=
+github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU=
+github.com/prometheus/common v0.43.0 h1:iq+BVjvYLei5f27wiuNiB1DN6DYQkp1c8Bx0Vykh5us=
+github.com/prometheus/common v0.43.0/go.mod h1:NCvr5cQIh3Y/gy73/RdVtC9r8xxrxwJnB+2lB3BxrFc=
 github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
 github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
@@ -395,29 +406,29 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 h1:5jD3teb4Qh7mx/nfzq4jO2WFFpvXD0vYWFDrdvNWmXk=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0/go.mod h1:UMklln0+MRhZC4e3PwmN3pCtq4DyIadWw4yikh6bNrw=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.40.0 h1:lE9EJyw3/JhrjWH/hEy9FptnalDQgj7vpbgC2KCCCxE=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.40.0/go.mod h1:pcQ3MM3SWvrA71U4GDqv9UFDJ3HQsW7y5ZO3tDTlUdI=
-go.opentelemetry.io/otel v1.14.0 h1:/79Huy8wbf5DnIPhemGB+zEPVwnN6fuQybr/SRXa6hM=
-go.opentelemetry.io/otel v1.14.0/go.mod h1:o4buv+dJzx8rohcUeRmWUZhqupFvzWis188WlggnNeU=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0 h1:/fXHZHGvro6MVqV34fJzDhi7sHGpX3Ej/Qjmfn003ho=
-go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.14.0/go.mod h1:UFG7EBMRdXyFstOwH028U0sVf+AvukSGhF0g8+dmNG8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0 h1:TKf2uAs2ueguzLaxOCBXNpHxfO/aC7PAdDsSH0IbeRQ=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.14.0/go.mod h1:HrbCVv40OOLTABmOn1ZWty6CHXkU8DK/Urc43tHug70=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0 h1:ap+y8RXX3Mu9apKVtOkM6WSFESLM8K3wNQyOU8sWHcc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h1:5w41DY6S9gZrbjuq6Y+753e96WfPha5IcsOSZTtullM=
-go.opentelemetry.io/otel/metric v0.37.0 h1:pHDQuLQOZwYD+Km0eb657A25NaRzy0a+eLyKfDXedEs=
-go.opentelemetry.io/otel/metric v0.37.0/go.mod h1:DmdaHfGt54iV6UKxsV9slj2bBRJcKC1B1uvDLIioc1s=
-go.opentelemetry.io/otel/sdk v1.14.0 h1:PDCppFRDq8A1jL9v6KMI6dYesaq+DFcDZvjsoGvxGzY=
-go.opentelemetry.io/otel/sdk v1.14.0/go.mod h1:bwIC5TjrNG6QDCHNWvW4HLHtUQ4I+VQDsnjhvyZCALM=
-go.opentelemetry.io/otel/trace v1.14.0 h1:wp2Mmvj41tDsyAJXiWDWpfNsOiIyd38fy85pyKcFq/M=
-go.opentelemetry.io/otel/trace v1.14.0/go.mod h1:8avnQLK+CG77yNLUae4ea2JDQ6iT+gozhnZjy/rw9G8=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.41.1 h1:Ei1FUQ5CbSNkl2o/XAiksXSyQNAeJBX3ivqJpJ254Ak=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.41.1/go.mod h1:f7TOPTlEcliCBlOYPuNnZTuND71MVTAoINWIt1SmP/c=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1 h1:pX+lppB8PArapyhS6nBStyQmkaDUPWdQf0UmEGRCQ54=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.41.1/go.mod h1:2FmkXne0k9nkp27LD/m+uoh8dNlstsiCJ7PLc/S72aI=
+go.opentelemetry.io/otel v1.15.1 h1:3Iwq3lfRByPaws0f6bU3naAqOR1n5IeDWd9390kWHa8=
+go.opentelemetry.io/otel v1.15.1/go.mod h1:mHHGEHVDLal6YrKMmk9LqC4a3sF5g+fHfrttQIB1NTc=
+go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1 h1:XYDQtNzdb2T4uM1pku2m76eSMDJgqhJ+6KzkqgQBALc=
+go.opentelemetry.io/otel/exporters/otlp/internal/retry v1.15.1/go.mod h1:uOTV75+LOzV+ODmL8ahRLWkFA3eQcSC2aAsbxIu4duk=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1 h1:tyoeaUh8REKay72DVYsSEBYV18+fGONe+YYPaOxgLoE=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.15.1/go.mod h1:HUSnrjQQ19KX9ECjpQxufsF+3ioD3zISPMlauTPZu2g=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1 h1:pIfoG5IAZFzp9EUlJzdSkpUwpaUAAnD+Ru1nBLTACIQ=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.15.1/go.mod h1:poNKBqF5+nR/6ke2oGTDjHfksrsHDOHXAl2g4+9ONsY=
+go.opentelemetry.io/otel/metric v0.38.1 h1:2MM7m6wPw9B8Qv8iHygoAgkbejed59uUR6ezR5T3X2s=
+go.opentelemetry.io/otel/metric v0.38.1/go.mod h1:FwqNHD3I/5iX9pfrRGZIlYICrJv0rHEUl2Ln5vdIVnQ=
+go.opentelemetry.io/otel/sdk v1.15.1 h1:5FKR+skgpzvhPQHIEfcwMYjCBr14LWzs3uSqKiQzETI=
+go.opentelemetry.io/otel/sdk v1.15.1/go.mod h1:8rVtxQfrbmbHKfqzpQkT5EzZMcbMBwTzNAggbEAM0KA=
+go.opentelemetry.io/otel/trace v1.15.1 h1:uXLo6iHJEzDfrNC0L0mNjItIp06SyaBQxu5t3xMlngY=
+go.opentelemetry.io/otel/trace v1.15.1/go.mod h1:IWdQG/5N1x7f6YUlmdLeJvH9yxtuJAfc4VW5Agv9r/8=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.opentelemetry.io/proto/otlp v0.19.0 h1:IVN6GR+mhC4s5yfcTbmzHYODqvWAp3ZedA2SJPI1Nnw=
 go.opentelemetry.io/proto/otlp v0.19.0/go.mod h1:H7XAot3MsfNsj7EXtrA2q5xSNQ10UqI405h3+duxN4U=
-go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
-go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
@@ -445,8 +456,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29 h1:ooxPy7fPvB4kwsA2h+iBNHkAbp/4JxTSwCmvdjEYmug=
-golang.org/x/exp v0.0.0-20230321023759-10a507213a29/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53 h1:5llv2sWeaMSnA3w2kS57ouQQ4pudlXrR0dCgw51QK9o=
+golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -511,6 +522,7 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
@@ -540,8 +552,9 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.2.0 h1:PUR+T4wwASmuSTYdKjYHI5TD22Wy5ogLU5qZCOLxBrI=
+golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -588,17 +601,19 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -670,8 +685,9 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.7.0 h1:W4OVu8VVOaIO0yzWMNdepAulS7YfoS3Zabrm8DOXXU4=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
+golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
+golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -766,8 +782,8 @@ google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU=
 google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.54.0 h1:EhTqbhiYeixwWQtAEZAxmV9MGqcjEU2mFx52xCzNyag=
-google.golang.org/grpc v1.54.0/go.mod h1:PUSEXI6iWghWaB6lXM4knEgpJNu2qUcKfDtNci3EC2g=
+google.golang.org/grpc v1.55.0 h1:3Oj82/tFSCeUrRTg/5E/7d/W5A1tj6Ky1ABAuZuv5ag=
+google.golang.org/grpc v1.55.0/go.mod h1:iYEXKGkEBhg1PjZQvoYEVPTDkHo1/bjTnfwTeGONTY8=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -839,18 +855,16 @@ k8s.io/controller-manager v0.27.1/go.mod h1:oe9vKl0RPiedlCXmeVbhkDV2yX8r7C4K/B8O
 k8s.io/csi-translation-lib v0.27.1 h1:D9Hw2iBZzFPriFH0FDyUFdfflYAW6S032P6Yps9sKq8=
 k8s.io/csi-translation-lib v0.27.1/go.mod h1:MyBDHVDz24OOSc4FdmSZA2nkfNu+Ysu8BqjdOAcKoT8=
 k8s.io/klog/v2 v2.70.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
-k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw=
-k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kms v0.27.1 h1:JTSQbJb+mcobScQwF0bOmZhIwP17k8GvBsiLlA6SQqw=
 k8s.io/kms v0.27.1/go.mod h1:VuTsw0uHlSycKLCkypCGxfFCjLfzf/5YMeATECd/zJA=
-k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c h1:EFfsozyzZ/pggw5qNx7ftTVZdp7WZl+3ih89GEjYEK8=
-k8s.io/kube-openapi v0.0.0-20230327201221-f5883ff37f0c/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
+k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
+k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg=
 k8s.io/kubectl v0.27.1 h1:9T5c5KdpburYiW8XKQSH0Uly1kMNE90aGSnbYUZNdcA=
 k8s.io/kubectl v0.27.1/go.mod h1:QsAkSmrRsKTPlAFzF8kODGDl4p35BIwQnc9XFhkcsy8=
-k8s.io/kubelet v0.27.1 h1:IkfZ0N9CX/g6EDis7nJw8ZsOuHcpFA6cm0pXQx0g5TY=
-k8s.io/kubelet v0.27.1/go.mod h1:g3cIhpZPawo/MvsdnmcLmqDJvDPdbUFkzfyLNz03nQg=
-k8s.io/kubernetes v1.27.1 h1:DFeW4Lv+kh5DyYcezOzwmQAbC3VqXAxnMyZabALiRSc=
-k8s.io/kubernetes v1.27.1/go.mod h1:TTwPjSCKQ+a/NTiFKRGjvOnEaQL8wIG40nsYH8Er4bA=
+k8s.io/kubernetes v1.26.3 h1:LtjNGNNpCTRyrWhDJMwTWDX+4h+GLwfULS8pu0xzSdk=
+k8s.io/kubernetes v1.26.3/go.mod h1:NxzR7U7mS+OGa3J/qweI86Pek//mlfHqDgt6NNGdz8g=
 k8s.io/mount-utils v0.27.1 h1:RSd0wslbIuwLRaGGNAGMZ3m9FLcvukxJ3FWlOm76W2A=
 k8s.io/mount-utils v0.27.1/go.mod h1:vmcjYdi2Vg1VTWY7KkhvwJVY6WDHxb/QQhiQKkR8iNs=
k8s.io/pod-security-admission v0.27.1 h1:if4d1zzcpNOZNvljvJ0nTCshFPUmnkIsy7KYJg7FP08=
diff --git a/manifests/cinder-csi-plugin/cinder-csi-controllerplugin-rbac.yaml b/manifests/cinder-csi-plugin/cinder-csi-controllerplugin-rbac.yaml
deleted file mode 100644
index 067e0f8e..00000000
--- a/manifests/cinder-csi-plugin/cinder-csi-controllerplugin-rbac.yaml
+++ /dev/null
@@ -1,184 +0,0 @@ -# This YAML file contains RBAC API objects, -# which are necessary to run csi controller plugin - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-cinder-controller-sa - namespace: kube-system - ---- -# external attacher -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-attacher-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments/status"] - verbs: ["patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-attacher-binding -subjects: - - kind: ServiceAccount - name: csi-cinder-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-attacher-role - apiGroup: rbac.authorization.k8s.io - ---- -# external Provisioner -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-provisioner-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: 
["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-provisioner-binding -subjects: - - kind: ServiceAccount - name: csi-cinder-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-provisioner-role - apiGroup: rbac.authorization.k8s.io - ---- -# external snapshotter -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-snapshotter-role -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - # Secret permission is optional. - # Enable it if your driver needs secret. - # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. - # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. 
- # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents/status"] - verbs: ["update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-snapshotter-binding -subjects: - - kind: ServiceAccount - name: csi-cinder-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-snapshotter-role - apiGroup: rbac.authorization.k8s.io ---- - -# External Resizer -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-resizer-role -rules: - # The following rule should be uncommented for plugins that require secrets - # for provisioning. 
- # - apiGroups: [""] - # resources: ["secrets"] - # verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-resizer-binding -subjects: - - kind: ServiceAccount - name: csi-cinder-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-resizer-role - apiGroup: rbac.authorization.k8s.io - diff --git a/manifests/cinder-csi-plugin/cinder-csi-controllerplugin.yaml b/manifests/cinder-csi-plugin/cinder-csi-controllerplugin.yaml deleted file mode 100644 index 39afbef7..00000000 --- a/manifests/cinder-csi-plugin/cinder-csi-controllerplugin.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -# This YAML file contains CSI Controller Plugin Sidecars -# external-attacher, external-provisioner, external-snapshotter -# external-resize, liveness-probe - -kind: Deployment -apiVersion: apps/v1 -metadata: - name: csi-cinder-controllerplugin - namespace: kube-system -spec: - replicas: 1 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 0 - maxSurge: 1 - selector: - matchLabels: - app: csi-cinder-controllerplugin - template: - metadata: - labels: - app: csi-cinder-controllerplugin - spec: - serviceAccount: csi-cinder-controller-sa - containers: - - name: csi-attacher - image: registry.k8s.io/sig-storage/csi-attacher:v4.2.0 - args: - - "--csi-address=$(ADDRESS)" - - "--timeout=3m" - - "--leader-election=true" - - "--default-fstype=ext4" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-provisioner - image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.1 - args: - - "--csi-address=$(ADDRESS)" - - "--timeout=3m" - - "--default-fstype=ext4" - - "--feature-gates=Topology=true" - - "--extra-create-metadata" - - "--leader-election=true" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-snapshotter - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1 - args: - - "--csi-address=$(ADDRESS)" - - "--timeout=3m" - - "--extra-create-metadata" - - "--leader-election=true" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: Always - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - name: csi-resizer - image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0 - args: - - "--csi-address=$(ADDRESS)" - - "--timeout=3m" - - 
"--handle-volume-inuse-error=false" - - "--leader-election=true" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: liveness-probe - image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0 - args: - - "--csi-address=$(ADDRESS)" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - volumeMounts: - - mountPath: /var/lib/csi/sockets/pluginproxy/ - name: socket-dir - - name: cinder-csi-plugin - image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.27.0 - args: - - /bin/cinder-csi-plugin - - "--endpoint=$(CSI_ENDPOINT)" - - "--cloud-config=$(CLOUD_CONFIG)" - - "--cluster=$(CLUSTER_NAME)" - - "--v=1" - env: - - name: CSI_ENDPOINT - value: unix://csi/csi.sock - - name: CLOUD_CONFIG - value: /etc/config/cloud.conf - - name: CLUSTER_NAME - value: kubernetes - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - # The probe - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 10 - periodSeconds: 60 - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: secret-cinderplugin - mountPath: /etc/config - readOnly: true - # - name: cacert - # mountPath: /etc/cacert - # readOnly: true - volumes: - - name: socket-dir - emptyDir: - - name: secret-cinderplugin - secret: - secretName: cloud-config - # - name: cacert - # hostPath: - # path: /etc/cacert diff --git a/manifests/cinder-csi-plugin/cinder-csi-nodeplugin-rbac.yaml b/manifests/cinder-csi-plugin/cinder-csi-nodeplugin-rbac.yaml deleted file mode 100644 index 912923fc..00000000 --- a/manifests/cinder-csi-plugin/cinder-csi-nodeplugin-rbac.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -# This YAML defines all API objects to create RBAC roles for csi node plugin. - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-cinder-node-sa - namespace: kube-system ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-nodeplugin-role -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-nodeplugin-binding -subjects: - - kind: ServiceAccount - name: csi-cinder-node-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-nodeplugin-role - apiGroup: rbac.authorization.k8s.io diff --git a/manifests/cinder-csi-plugin/cinder-csi-nodeplugin.yaml b/manifests/cinder-csi-plugin/cinder-csi-nodeplugin.yaml deleted file mode 100644 index 11bea573..00000000 --- a/manifests/cinder-csi-plugin/cinder-csi-nodeplugin.yaml +++ /dev/null 
@@ -1,118 +0,0 @@ -# This YAML file contains driver-registrar & csi driver nodeplugin API objects, -# which are necessary to run csi nodeplugin for cinder. - -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: csi-cinder-nodeplugin - namespace: kube-system -spec: - selector: - matchLabels: - app: csi-cinder-nodeplugin - template: - metadata: - labels: - app: csi-cinder-nodeplugin - spec: - tolerations: - - operator: Exists - serviceAccount: csi-cinder-node-sa - hostNetwork: true - containers: - - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.3 - args: - - "--csi-address=$(ADDRESS)" - - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - - name: liveness-probe - image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0 - args: - - --csi-address=/csi/csi.sock - volumeMounts: - - name: socket-dir - mountPath: /csi - - name: cinder-csi-plugin - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.27.0 - args: - - /bin/cinder-csi-plugin - - "--endpoint=$(CSI_ENDPOINT)" - - "--cloud-config=$(CLOUD_CONFIG)" - - "--v=1" - env: - - name: CSI_ENDPOINT - value: unix://csi/csi.sock - - name: CLOUD_CONFIG - value: /etc/config/cloud.conf - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - # The probe - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 10 - timeoutSeconds: 3 - periodSeconds: 10 - volumeMounts: - - name: socket-dir - mountPath: /csi - - 
name: kubelet-dir - mountPath: /var/lib/kubelet - mountPropagation: "Bidirectional" - - name: pods-probe-dir - mountPath: /dev - mountPropagation: "HostToContainer" - - name: secret-cinderplugin - mountPath: /etc/config - readOnly: true - # - name: cacert - # mountPath: /etc/cacert - # readOnly: true - volumes: - - name: socket-dir - hostPath: - path: /var/lib/kubelet/plugins/cinder.csi.openstack.org - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: kubelet-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: pods-probe-dir - hostPath: - path: /dev - type: Directory - - name: secret-cinderplugin - secret: - secretName: cloud-config - # - name: cacert - # hostPath: - # path: /etc/cacert diff --git a/manifests/cinder-csi-plugin/csi-cinder-driver.yaml b/manifests/cinder-csi-plugin/csi-cinder-driver.yaml deleted file mode 100644 index 5b681e4c..00000000 --- a/manifests/cinder-csi-plugin/csi-cinder-driver.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: storage.k8s.io/v1 -kind: CSIDriver -metadata: - name: cinder.csi.openstack.org -spec: - attachRequired: true - podInfoOnMount: true - volumeLifecycleModes: - - Persistent - - Ephemeral diff --git a/manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml b/manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml deleted file mode 100644 index 5813c5c0..00000000 --- a/manifests/cinder-csi-plugin/csi-secret-cinderplugin.yaml +++ /dev/null @@ -1,10 +0,0 @@ -# This YAML file contains secret objects, -# which are necessary to run csi cinder plugin. - -kind: Secret -apiVersion: v1 -metadata: - name: cloud-config - namespace: kube-system -data: - cloud.conf: W0dsb2JhbF0KdXNlcm5hbWUgPSBhZG1pbgpwYXNzd29yZCA9IG5vbW9yZXNlY3JldApkb21haW4tbmFtZSA9IGRlZmF1bHQKYXV0aC11cmwgPSBodHRwOi8vMTkyLjE2OC4yMDAuOS9pZGVudGl0eQp0ZW5hbnQtaWQgPSBjYzM0YjExZmY5NWQ0MjMwOTA4MWQwYmQ0NmMwZmY4OQpyZWdpb24gPSBSZWdpb25PbmUK 
diff --git a/pkg/csi/cinder/driver.go b/pkg/csi/cinder/driver.go
index 8db7fc1f..2d1d10e3 100644
--- a/pkg/csi/cinder/driver.go
+++ b/pkg/csi/cinder/driver.go
@@ -1,5 +1,9 @@
 /*
 Copyright 2017 The Kubernetes Authors.
+Copyright Edgeless Systems GmbH
+NOTE: This file is a modified version from the one of the cloud-provider-openstack project.
+Changes are needed to enable the use of dm-crypt.
+The original copyright notice is kept below.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -19,6 +23,8 @@ package cinder
 import (
 "fmt"
+ "golang.org/x/net/context"
+
 "github.com/container-storage-interface/spec/lib/go/csi"
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
@@ -30,7 +36,7 @@ import (
 )
 const (
- driverName = "cinder.csi.openstack.org"
+ driverName = "cinder.csi.confidential.cloud"
 topologyKey = "topology." + driverName + "/zone"
 )
@@ -53,6 +59,13 @@ var (
 //revive:disable:exported
 type CinderDriver = Driver
+type cryptMapper interface {
+ CloseCryptDevice(volumeID string) error
+ OpenCryptDevice(ctx context.Context, source, volumeID string, integrity bool) (string, error)
+ ResizeCryptDevice(ctx context.Context, volumeID string) (string, error)
+ GetDevicePath(volumeID string) (string, error)
+}
+
 //revive:enable:exported
 type Driver struct {
@@ -60,10 +73,12 @@ type Driver struct {
 fqVersion string //Fully qualified version in format {Version}@{CPO version}
 endpoint string
 cluster string
+ kmsAddr string
 ids *identityServer
 cs *controllerServer
 ns *nodeServer
+ cm cryptMapper
 vcap []*csi.VolumeCapability_AccessMode
 cscap []*csi.ControllerServiceCapability
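Review bot: The new `cryptMapper` interface carries no doc comment, and its `GetDevicePath` contract (which path comes back, and whether an unmapped volume is an error) is exactly what the node server leans on later in this commit, so it should be stated above the type, e.g. `// cryptMapper maps a block device to a dm-crypt device and back; GetDevicePath returns the mapper path of an already-opened volume.`. The `kmsAddr` field added to `Driver` is neither assigned nor read in any hunk of this commit, so it looks like dead state unless a follow-up fills it. The new import of `golang.org/x/net/context` matches what nodeserver.go already uses, but for a fresh import the standard-library `context` package is the conventional choice, since x/net/context is an alias for it on current Go versions.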
@@ -156,11 +171,12 @@ func (d *Driver) GetVolumeCapabilityAccessModes() []*csi.VolumeCapability_Access
 return d.vcap
 }
-func (d *Driver) SetupDriver(cloud openstack.IOpenStack, mount mount.IMount, metadata metadata.IMetadata) {
+func (d *Driver) SetupDriver(cloud openstack.IOpenStack, mount mount.IMount, metadata metadata.IMetadata, cm cryptMapper) {
 d.ids = NewIdentityServer(d)
 d.cs = NewControllerServer(d, cloud)
 d.ns = NewNodeServer(d, mount, metadata, cloud)
+ d.cm = cm
 }
diff --git a/pkg/csi/cinder/fake.go b/pkg/csi/cinder/fake.go
index dfed9220..d70fbd86 100644
--- a/pkg/csi/cinder/fake.go
+++ b/pkg/csi/cinder/fake.go
@@ -27,6 +27,7 @@ var FakeCluster = "cluster"
 var FakeNodeID = "CSINodeID"
 var FakeEndpoint = "tcp://127.0.0.1:10000"
 var FakeConfig = "/etc/cloud.conf"
+var FakeKMS = "fake.kms:9000"
 var FakeCtx = context.Background()
 var FakeVolName = "CSIVolumeName"
 var FakeVolID = "CSIVolumeID"
diff --git a/pkg/csi/cinder/nodeserver.go b/pkg/csi/cinder/nodeserver.go
index 98fc09f4..0427f831 100644
--- a/pkg/csi/cinder/nodeserver.go
+++ b/pkg/csi/cinder/nodeserver.go
@@ -24,6 +24,7 @@ import (
 "strings"
 "github.com/container-storage-interface/spec/lib/go/csi"
+ "github.com/edgelesssys/constellation/v2/csi/cryptmapper"
 "github.com/gophercloud/gophercloud/openstack/blockstorage/v3/volumes"
 "github.com/kubernetes-csi/csi-lib-utils/protosanitizer"
 "golang.org/x/net/context"
@@ -68,7 +69,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 ephemeralVolume := req.GetVolumeContext()["csi.storage.k8s.io/ephemeral"] == "true"
 if ephemeralVolume {
 klog.Warningf("CSI inline ephemeral volumes support is deprecated in 1.24 release.")
- return nodePublishEphemeral(req, ns)
+ return nodePublishEphemeral(ctx, req, ns)
 }
 // In case of ephemeral volume staging path not provided
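Review bot: `SetupDriver` now accepts a `cm cryptMapper` that the node server calls from NodeStageVolume, NodeUnstageVolume, NodeExpandVolume and the ephemeral publish/unpublish paths, yet a nil value is stored silently and only surfaces as a nil-interface panic on the first of those calls. Either reject it up front (`if cm == nil { panic("SetupDriver: cryptMapper must not be nil") }` is acceptable here since this is wiring, not request handling) or at least state the requirement in a doc comment such as `// SetupDriver wires the identity, controller and node servers; cm must be non-nil, every node-side volume operation calls it.`. The exported method also lacks a doc comment altogether, which `revive` would flag given the `//revive:disable:exported` markers elsewhere in this file.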
@@ -119,12 +120,13 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 return &csi.NodePublishVolumeResponse{}, nil
 }
-func nodePublishEphemeral(req *csi.NodePublishVolumeRequest, ns *nodeServer) (*csi.NodePublishVolumeResponse, error) {
+func nodePublishEphemeral(ctx context.Context, req *csi.NodePublishVolumeRequest, ns *nodeServer) (*csi.NodePublishVolumeResponse, error) {
 var size int
 var err error
 volID := req.GetVolumeId()
+ volumeCapability := req.GetVolumeCapability()
 volName := fmt.Sprintf("ephemeral-%s", volID)
 properties := map[string]string{"cinder.csi.openstack.org/cluster": ns.Driver.cluster}
 capacity, ok := req.GetVolumeContext()["capacity"]
@@ -207,6 +209,21 @@ func nodePublishEphemeral(req *csi.NodePublishVolumeRequest, ns *nodeServer) (*c
 if notMnt {
 // set default fstype is ext4
 fsType := "ext4"
+
+ if mnt := volumeCapability.GetMount(); mnt != nil {
+ if mnt.FsType != "" {
+ fsType = mnt.FsType
+ }
+ }
+
+ // [Edgeless] Map the device as a crypt device, creating a new LUKS partition if needed
+ fsType, integrity := cryptmapper.IsIntegrityFS(fsType)
+ newDevicePath, err := ns.Driver.cm.OpenCryptDevice(ctx, devicePath, evol.ID, integrity)
+ if err != nil {
+ return nil, status.Error(codes.Internal, fmt.Sprintf("NodeStageVolume failed on volume %v to %s, open crypt device failed: %v", devicePath, targetPath, err))
+ }
+ devicePath = newDevicePath
+
 // Mount
 err = m.Mounter().FormatAndMount(devicePath, targetPath, fsType, nil)
 if err != nil {
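Review bot: The error returned after `OpenCryptDevice` in `nodePublishEphemeral` is labelled `NodeStageVolume failed on volume ...`, copied from the staging path, so a failure on an inline ephemeral volume is logged against the wrong operation; it should read `fmt.Sprintf("nodePublishEphemeral failed on volume %v to %s, open crypt device failed: %v", devicePath, targetPath, err)`. `newDevicePath, err :=` inside the `if notMnt` block declares a second `err` that shadows the function-level `var err error`; it happens to work because the later `FormatAndMount` check lives in the same block, but `var newDevicePath string` followed by `newDevicePath, err = ...` avoids the shadow and keeps one error variable. When the mapping fails, the ephemeral volume that was created and attached earlier in this function is not cleaned up here; whether the existing error paths outside the hunk do that, I cannot tell from the diff. The enclosing function starts and ends outside the hunk.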
@@ -227,11 +244,8 @@ func nodePublishVolumeForBlock(req *csi.NodePublishVolumeRequest, ns *nodeServer
 m := ns.Mount
- // Do not trust the path provided by cinder, get the real path on node
- source, err := getDevicePath(volumeID, m)
- if err != nil {
- return nil, status.Error(codes.Internal, fmt.Sprintf("Unable to find Device path for volume: %v", err))
- }
+ // Get device mapper path
+ source := filepath.Join("/dev/mapper", volumeID)
 exists, err := utilpath.Exists(utilpath.CheckFollowSymlink, podVolumePath)
 if err != nil {
@@ -319,6 +333,11 @@ func nodeUnpublishEphemeral(req *csi.NodeUnpublishVolumeRequest, ns *nodeServer,
 return nil, status.Error(codes.FailedPrecondition, "Volume attachement not found in request")
 }
+ // [Edgeless] Unmap the crypt device so we can properly remove the device from the node
+ if err := ns.Driver.cm.CloseCryptDevice(volumeID); err != nil {
+ return nil, status.Errorf(codes.Internal, "nodeUnpublishEphemeral failed to close mapped crypt device for disk %s: %v", volumeID, err)
+ }
+
 err := ns.Cloud.DetachVolume(instanceID, volumeID)
 if err != nil {
 klog.V(3).Infof("Failed to DetachVolume: %v", err)
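Review bot: `nodePublishVolumeForBlock` now builds the device path as `filepath.Join("/dev/mapper", volumeID)`, which hard-codes the mapper naming scheme a second time (the first being whatever `OpenCryptDevice` does) and drops the removed comment's point about not trusting the supplied path: `volumeID` comes straight from the request, so a value containing a path separator resolves outside `/dev/mapper`, and nothing in this hunk validates it. The interface introduced in this same commit already answers this question, so `source, err := ns.Driver.cm.GetDevicePath(volumeID)` followed by the error check that was just deleted keeps a single source of truth and leaves name validation to the crypt mapper. Whether `filepath` is already imported in nodeserver.go is not visible in the diff. The second hunk on this line, the `CloseCryptDevice` call in `nodeUnpublishEphemeral`, is correctly ordered before `DetachVolume`.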
@@ -373,29 +392,41 @@ func (ns *nodeServer) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol
 return nil, status.Error(codes.Internal, fmt.Sprintf("Unable to find Device path for volume: %v", err))
 }
- if blk := volumeCapability.GetBlock(); blk != nil {
- // If block volume, do nothing
- return &csi.NodeStageVolumeResponse{}, nil
- }
-
 // Verify whether mounted
 notMnt, err := m.IsLikelyNotMountPointAttach(stagingTarget)
 if err != nil {
 return nil, status.Error(codes.Internal, err.Error())
 }
- // Volume Mount
+ // set default fstype is ext4
+ fsType := "ext4"
+ var options []string
+ if mnt := volumeCapability.GetMount(); mnt != nil {
+ if mnt.FsType != "" {
+ fsType = mnt.FsType
+ }
+ mountFlags := mnt.GetMountFlags()
+ options = append(options, collectMountOptions(fsType, mountFlags)...)
+ }
+ // [Edgeless] Check if the volume should be integrity protected
+ fsType, integrity := cryptmapper.IsIntegrityFS(fsType)
+
 if notMnt {
- // set default fstype is ext4
- fsType := "ext4"
- var options []string
- if mnt := volumeCapability.GetMount(); mnt != nil {
- if mnt.FsType != "" {
- fsType = mnt.FsType
- }
- mountFlags := mnt.GetMountFlags()
- options = append(options, collectMountOptions(fsType, mountFlags)...)
+ // [Edgeless] Map the device as a crypt device, creating a new LUKS partition if needed
+ newDevicePath, err := ns.Driver.cm.OpenCryptDevice(ctx, devicePath, volumeID, integrity)
+ if err != nil {
+ return nil, status.Error(codes.Internal, fmt.Sprintf("NodeStageVolume failed on volume %v to %s, open crypt device failed: %v", devicePath, stagingTarget, err))
 }
+ devicePath = newDevicePath
+ }
+
+ if blk := volumeCapability.GetBlock(); blk != nil {
+ // If block volume, do nothing
+ return &csi.NodeStageVolumeResponse{}, nil
+ }
+
+ // Volume Mount
+ if notMnt {
 // Mount
 err = m.Mounter().FormatAndMount(devicePath, stagingTarget, fsType, options)
 if err != nil {
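Review bot: In `NodeStageVolume` the `OpenCryptDevice` call is gated only on `notMnt`, and for a block volume the staging target is never a mount point, so every NodeStageVolume retry for a block volume reaches `OpenCryptDevice` again; the code therefore relies on that call being idempotent for an already-mapped volume, which the `cryptMapper` interface does not promise. Moving the `GetBlock()` early return below the mapping is needed so block volumes are encrypted too, but the assumption deserves to be written down next to the call, e.g. `// OpenCryptDevice is expected to be idempotent: block volumes never mount the staging target, so this runs on every stage call`, or guarded by querying the mapping state first. The `NodeStageVolume failed on volume ...` message here is reused verbatim in nodePublishEphemeral, where it names the wrong operation. The function starts and ends outside the hunk.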
@@ -452,6 +483,11 @@ func (ns *nodeServer) NodeUnstageVolume(ctx context.Context, req *csi.NodeUnstag
 return nil, status.Errorf(codes.Internal, "Unmount of targetPath %s failed with error %v", stagingTargetPath, err)
 }
+ // [Edgeless] Unmap the crypt device so we can properly remove the device from the node
+ if err := ns.Driver.cm.CloseCryptDevice(volumeID); err != nil {
+ return nil, status.Errorf(codes.Internal, "NodeUnstageVolume failed to close mapped crypt device for disk %s: %v", stagingTargetPath, err)
+ }
+
 return &csi.NodeUnstageVolumeResponse{}, nil
 }
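Review bot: The new `CloseCryptDevice` check in `NodeUnstageVolume` says `for disk %s` but formats `stagingTargetPath`, so a failure reports a directory where a volume ID is expected; it should be `return nil, status.Errorf(codes.Internal, "NodeUnstageVolume failed to close mapped crypt device for disk %s: %v", volumeID, err)`, which also matches the wording of the equivalent check in nodeUnpublishEphemeral. Because the unmount above has already succeeded when this runs, a CloseCryptDevice error returns with the target unmounted but the mapping still open, and the kubelet will retry the whole NodeUnstageVolume; the unmount earlier in the function (outside the hunk) then needs to tolerate an already-unmounted target, which I cannot confirm from the diff.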
@@ -549,23 +585,21 @@ func (ns *nodeServer) NodeExpandVolume(ctx context.Context, req *csi.NodeExpandV
 return nil, status.Error(codes.Internal, fmt.Sprintf("NodeExpandVolume failed with error %v", err))
 }
- output, err := ns.Mount.GetMountFs(volumePath)
+ // [Edgeless] Resize LUKS partition
+ devicePath, err := ns.Driver.cm.GetDevicePath(volumeID)
+ devicePath, err = ns.Driver.cm.ResizeCryptDevice(ctx, volumeID)
 if err != nil {
- return nil, status.Error(codes.Internal, fmt.Sprintf("Failed to find mount file system %s: %v", volumePath, err))
- }
-
- devicePath := strings.TrimSpace(string(output))
- if devicePath == "" {
- return nil, status.Error(codes.Internal, "Unable to find Device path for volume")
+ return nil, status.Errorf(codes.Internal, "resizing crypt device: %v", err)
 }
 if ns.Cloud.GetBlockStorageOpts().RescanOnResize {
 // comparing current volume size with the expected one
- newSize := req.GetCapacityRange().GetRequiredBytes()
+ newSize := req.GetCapacityRange().GetRequiredBytes() - cryptmapper.LUKSHeaderSize // LUKS2 header is 16MiB, subtract from request size to get expected value)
 if err := blockdevice.RescanBlockDeviceGeometry(devicePath, volumePath, newSize); err != nil {
 return nil, status.Errorf(codes.Internal, "Could not verify %q volume size: %v", volumeID, err)
 }
 }
+
 r := mountutil.NewResizeFs(ns.Mount.Mounter().Exec)
 if _, err := r.Resize(devicePath, volumePath); err != nil {
 return nil, status.Errorf(codes.Internal, "Could not resize volume %q: %v", volumeID, err)
diff --git a/tests/sanity/cinder/fakecryptmapper.go b/tests/sanity/cinder/fakecryptmapper.go
new file mode 100644
index 00000000..731d4eb7
--- /dev/null
+++ b/tests/sanity/cinder/fakecryptmapper.go
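Review bot: `devicePath, err := ns.Driver.cm.GetDevicePath(volumeID)` in `NodeExpandVolume` is overwritten on the very next line by the `ResizeCryptDevice` assignment before either result is looked at, so the first call is dead code and a failure from it is silently lost. Drop it, leaving `devicePath, err := ns.Driver.cm.ResizeCryptDevice(ctx, volumeID)`, or if the lookup is meant as a precondition check, test its error before resizing: `if _, err := ns.Driver.cm.GetDevicePath(volumeID); err != nil { return nil, status.Errorf(codes.Internal, "locating crypt device: %v", err) }`. The trailing comment on `newSize` has an unbalanced `)`; `// LUKS2 header is 16MiB, subtract from request size to get expected value` reads cleanly. The deleted `strings.TrimSpace` call may have been the only use of `strings` in this file, which I cannot verify from the diff. If integrity-protected volumes have a different usable size than plain LUKS ones (the hunk does not show this), the `RescanOnResize` comparison would reject a correctly sized device, so a comment on how `LUKSHeaderSize` relates to the integrity case would help.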
@@ -0,0 +1,27 @@
+package sanity
+
+import "context"
+
+type fakeCryptMapper struct {
+ deviceName string
+}
+
+func (s *fakeCryptMapper) CloseCryptDevice(volumeID string) error {
+ return nil
+}
+
+func (s *fakeCryptMapper) OpenCryptDevice(ctx context.Context, source, volumeID string, integrity bool) (string, error) {
+ return "/dev/mapper/" + volumeID, nil
+}
+
+func (s *fakeCryptMapper) ResizeCryptDevice(ctx context.Context, volumeID string) (string, error) {
+ return s.deviceName, nil
+}
+
+func (s *fakeCryptMapper) GetDevicePath(volumeID string) (string, error) {
+ return s.deviceName, nil
+}
+
+func fakeEvalSymlinks(path string) (string, error) {
+ return path, nil
+}
diff --git a/tests/sanity/cinder/sanity_test.go b/tests/sanity/cinder/sanity_test.go
index a3d13d33..575a3318 100644
--- a/tests/sanity/cinder/sanity_test.go
+++ b/tests/sanity/cinder/sanity_test.go
@@ -26,7 +26,9 @@ func TestDriver(t *testing.T) {
 fakemnt := GetFakeMountProvider()
 fakemet := &fakemetadata{}
- d.SetupDriver(fakecloudprovider, fakemnt, fakemet)
+ fakecm := &fakeCryptMapper{}
+
+ d.SetupDriver(fakecloudprovider, fakemnt, fakemet, fakecm)
 // TODO: Stop call
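Review bot: `fakeCryptMapper.OpenCryptDevice` answers `"/dev/mapper/" + volumeID` while `GetDevicePath` and `ResizeCryptDevice` answer `s.deviceName`, and the sanity test constructs it as `&fakeCryptMapper{}` with no `deviceName`, so NodeExpandVolume is exercised with an empty device path while staging sees a mapper path; the fake cannot catch a driver that confuses the two. Recording the opened path makes all three consistent: `s.deviceName = "/dev/mapper/" + volumeID` in `OpenCryptDevice` before returning it, and `return s.deviceName, nil` elsewhere as now. `fakeEvalSymlinks` is added but not referenced in any hunk of this commit, so it is dead unless sanity_test.go uses it outside the visible lines. A one-line doc comment on the type, `// fakeCryptMapper satisfies the driver's cryptMapper interface without touching dm-crypt; it records the last opened mapper path.`, would orient readers. The sanity_test.go hunk at the end of this line is cut off and is not reviewed here.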