Merge pull request #8 from IBM/storage-secret

storage-secret-store creation added
IBM · Dec 3, 2021 · d07f5fe · d07f5fe
2 parents 116867b + 8e284fc
commit d07f5fe
Show file tree

Hide file tree

Showing 434 changed files with 65,174 additions and 1,907 deletions.
diff --git a/README.md b/README.md
@@ -9,44 +9,41 @@ This operator is installed by the [cluster-storage-operator](https://github.com/
 Before running the operator manually, you must remove the operator installed by CVO
 
 ```shell
-# Scale down CVO
-oc scale -n openshift-cluster-version  deployment/cluster-version-operator --replicas=0
+# Scale down CVO and CSO
+oc scale --replicas=0 deploy/cluster-version-operator -n openshift-cluster-version
+oc scale --replicas=0 deploy/cluster-storage-operator -n openshift-cluster-storage-operator
 
 # Delete operator resources (daemonset, deployments)
 oc -n openshift-cluster-csi-drivers delete deployment.apps/ibm-vpc-block-csi-driver-operator deployment.apps/ibm-vpc-block-csi-controller daemonset.apps/ibm-vpc-block-csi-node
 ```
 
+Follow below steps to add node labels
+```shell
+# Get worker id 
+curl -X GET "https://<region>.iaas.cloud.ibm.com/v1/instances?version=2021-11-23&generation=2&name=<node-name>" -H "Authorization: $iam_token"
+# Add node labels 
+kubectl label nodes <node-name>  "ibm-cloud.kubernetes.io/worker-id"=<worker-id>
+
+```
+
 To build and run the operator locally:
 
 ```shell
 # Create only the resources the operator needs to run via CLI
-oc apply -f manifests/00_crd.yaml
-oc apply -f manifests/01_namespace.yaml
 oc apply -f manifests/09_cr.yaml
 
 # Build the operator
-make all
+make 
 
 # Set the environment variables
-export DRIVER_IMAGE=icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
-export PROVISIONER_IMAGE=quay.io/k8scsi/csi-provisioner:v1.6.0
-export ATTACHER_IMAGE=quay.io/k8scsi/csi-attacher:v2.2.0
-export NODE_DRIVER_REGISTRAR_IMAGE=quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
-export LIVENESS_PROBE_IMAGE=quay.io/k8scsi/livenessprobe:v2.0.0
+export DRIVER_IMAGE=gcr.io/k8s-staging-cloud-provider-ibm/ibm-vpc-block-csi-driver:master
+export PROVISIONER_IMAGE=k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2
+export ATTACHER_IMAGE=k8s.gcr.io/sig-storage/csi-attacher:v3.2.1
+export NODE_DRIVER_REGISTRAR_IMAGE=k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.2.0
+export LIVENESS_PROBE_IMAGE=k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
+export RESIZER_IMAGE=k8s.gcr.io/sig-storage/csi-resizer:v1.2.0
+export NODE_LABEL_IMAGE=icr.io/obs/storage/vpc-node-label-updater:v1.0.1
 
 # Run the operator via CLI
 ./ibm-vpc-block-csi-driver-operator start --kubeconfig $MY_KUBECONFIG --namespace openshift-cluster-csi-drivers
 ```
-
-To run the latest build of the operator:
-```shell
-# Set the environment variables
-export DRIVER_IMAGE=icr.io/ibm/ibm-vpc-block-csi-driver:v3.0.0
-export PROVISIONER_IMAGE=quay.io/k8scsi/csi-provisioner:v1.6.0
-export ATTACHER_IMAGE=quay.io/k8scsi/csi-attacher:v2.2.0
-export NODE_DRIVER_REGISTRAR_IMAGE=quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
-export LIVENESS_PROBE_IMAGE=quay.io/k8scsi/livenessprobe:v2.0.0
-
-# Deploy the operator and everything it needs
-oc apply -f manifests/
-```
diff --git a/assets/controller.yaml b/assets/controller.yaml
@@ -16,10 +16,27 @@ spec:
       labels:
         app: ibm-vpc-block-csi-driver
     spec:
-      securityContext:
-        runAsNonRoot: true
-        runAsUser: 1000160009
       containers:
+        - args:
+            - --v=5
+            - --csi-address=/csi/csi.sock
+            - --timeout=900s
+          name: csi-resizer
+          image: ${RESIZER_IMAGE}
+          imagePullPolicy: Always
+          securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+          resources:
+            limits:
+              cpu: 80m
+              memory: 160Mi
+            requests:
+              cpu: 20m
+              memory: 40Mi
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
         - args:
             - --v=5
             - --csi-address=$(ADDRESS)
@@ -128,16 +145,10 @@ spec:
             - mountPath: /etc/storage_ibmc
               name: customer-auth
               readOnly: true
-            - mountPath: /etc/storage_ibmc/cluster_info
-              name: cluster-info
-              readOnly: true
       serviceAccountName: ibm-vpc-block-controller-sa
       volumes:
         - emptyDir: {}
           name: socket-dir
         - name: customer-auth
           secret:
             secretName: storage-secret-store
-        - configMap:
-            name: cluster-info
-          name: cluster-info
diff --git a/assets/controller_sa.yaml b/assets/controller_sa.yaml
@@ -1,6 +1,5 @@
 apiVersion: v1
 imagePullSecrets:
-  - name: kube-system-icr-io
   - name: bluemix-default-secret
   - name: bluemix-default-secret-regional
   - name: bluemix-default-secret-international

diff --git a/assets/node.yaml b/assets/node.yaml
@@ -15,6 +15,30 @@ spec:
       labels:
         app: ibm-vpc-block-csi-driver
     spec:
+      initContainers:
+        - name: vpc-node-label-updater
+          imagePullPolicy: Always
+          securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+          resources:
+            limits:
+              cpu: 12m
+              memory: 24Mi
+            requests:
+              cpu: 3m
+              memory: 6Mi
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: SECRET_CONFIG_PATH
+              value: /etc/storage_ibmc
+          image: ${NODE_LABEL_IMAGE}
+          volumeMounts:
+            - mountPath: /etc/storage_ibmc
+              name: customer-auth
       containers:
         - args:
             - --v=5
@@ -111,9 +135,6 @@ spec:
             - mountPath: /etc/storage_ibmc
               name: customer-auth
               readOnly: true
-            - mountPath: /etc/storage_ibmc/cluster_info
-              name: cluster-info
-              readOnly: true
         - args:
             - --csi-address=/csi/csi.sock
           image: ${LIVENESS_PROBE_IMAGE}
@@ -171,6 +192,3 @@ spec:
         - name: customer-auth
           secret:
             secretName: storage-secret-store
-        - configMap:
-            name: cluster-info
-          name: cluster-info
diff --git a/assets/node_sa.yaml b/assets/node_sa.yaml
@@ -1,6 +1,5 @@
 apiVersion: v1
 imagePullSecrets:
-  - name: kube-system-icr-io
   - name: bluemix-default-secret
   - name: bluemix-default-secret-regional
   - name: bluemix-default-secret-international

diff --git a/assets/rbac/attacher_role.yaml b/assets/rbac/attacher_role.yaml
@@ -44,3 +44,6 @@ rules:
       - watch
       - update
       - patch
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
diff --git a/assets/rbac/initcontainer_role.yaml b/assets/rbac/initcontainer_role.yaml
@@ -0,0 +1,12 @@
+---
+ kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+   name: vpc-block-initcontainer-role
+   labels:
+     app: ibm-vpc-block-csi-driver
+     addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+   - apiGroups: [""]
+     resources: ["nodes"]
+     verbs: ["get", "list", "update"]
diff --git a/assets/rbac/initcontainer_rolebinding.yaml b/assets/rbac/initcontainer_rolebinding.yaml
@@ -0,0 +1,16 @@
+---
+ kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+   name: vpc-block-initcontainer-binding
+   labels:
+     app: ibm-vpc-block-csi-driver
+     addonmanager.kubernetes.io/mode: Reconcile
+ subjects:
+   - kind: ServiceAccount
+     name: ibm-vpc-block-node-sa
+     namespace: openshift-cluster-csi-drivers
+ roleRef:
+   kind: ClusterRole
+   name: vpc-block-initcontainer-role
+   apiGroup: rbac.authorization.k8s.io
diff --git a/assets/rbac/resizer_role.yaml b/assets/rbac/resizer_role.yaml
@@ -0,0 +1,24 @@
+---
+ kind: ClusterRole
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+   name: vpc-block-external-resizer-role
+   labels:
+     app: ibm-vpc-block-csi-driver
+     addonmanager.kubernetes.io/mode: Reconcile
+ rules:
+   - apiGroups: [""]
+     resources: ["persistentvolumes"]
+     verbs: ["get", "list", "watch", "update", "patch"]
+   - apiGroups: [""]
+     resources: ["persistentvolumeclaims"]
+     verbs: ["get", "list", "watch"]
+   - apiGroups: [""]
+     resources: ["pods"]
+     verbs: ["get", "list", "watch"]
+   - apiGroups: [""]
+     resources: ["persistentvolumeclaims/status"]
+     verbs: ["patch", "update"]
+   - apiGroups: [""]
+     resources: ["events"]
+     verbs: ["list", "watch", "create", "update", "patch"]
diff --git a/assets/rbac/resizer_rolebinding.yaml b/assets/rbac/resizer_rolebinding.yaml
@@ -0,0 +1,16 @@
+---
+ kind: ClusterRoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ metadata:
+   name: vpc-block-external-resizer-binding
+   labels:
+     app: ibm-vpc-block-csi-driver
+     addonmanager.kubernetes.io/mode: Reconcile
+ subjects:
+   - kind: ServiceAccount
+     name: ibm-vpc-block-controller-sa
+     namespace: openshift-cluster-csi-drivers
+ roleRef:
+   kind: ClusterRole
+   name: vpc-block-external-resizer-role
+   apiGroup: rbac.authorization.k8s.io
diff --git a/go.mod b/go.mod
@@ -3,6 +3,9 @@ module github.com/IBM/ibm-vpc-block-csi-driver-operator
 go 1.16
 
 require (
+	bou.ke/monkey v1.0.2
+	github.com/IBM/go-sdk-core/v5 v5.7.2
+	github.com/IBM/platform-services-go-sdk v0.22.2
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
 	github.com/openshift/api v0.0.0-20210521075222-e273a339932a
 	github.com/openshift/build-machinery-go v0.0.0-20210423112049-9415d7ebd33e
@@ -12,6 +15,7 @@ require (
 	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.7.0
+	k8s.io/api v0.21.1
 	k8s.io/apimachinery v0.21.1
 	k8s.io/client-go v0.21.1
 	k8s.io/component-base v0.21.1