Support EFS on ROSA for ReadWriteMany PVCs (#387)
Closes #386
Showing
14 changed files
with
374 additions
and
12 deletions.
@@ -0,0 +1,2 @@ | ||
manifests | ||
ccoctl |
@@ -0,0 +1,19 @@ | ||
apiVersion: operators.coreos.com/v1 | ||
kind: OperatorGroup | ||
metadata: | ||
generateName: openshift-cluster-csi-drivers- | ||
namespace: openshift-cluster-csi-drivers | ||
--- | ||
apiVersion: operators.coreos.com/v1alpha1 | ||
kind: Subscription | ||
metadata: | ||
labels: | ||
operators.coreos.com/aws-efs-csi-driver-operator.openshift-cluster-csi-drivers: "" | ||
name: aws-efs-csi-driver-operator | ||
namespace: openshift-cluster-csi-drivers | ||
spec: | ||
channel: stable | ||
installPlanApproval: Automatic | ||
name: aws-efs-csi-driver-operator | ||
source: redhat-operators | ||
sourceNamespace: openshift-marketplace |
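Review bot: `installPlanApproval: Automatic` lets OLM roll out any new release published on the `stable` channel without anyone reviewing it, and this operator runs with the cloud credentials minted by the accompanying CredentialsRequest; for a storage driver that is a change-control decision rather than a default, and `installPlanApproval: Manual` would gate upgrades on an explicit approval. The OperatorGroup uses `generateName: openshift-cluster-csi-drivers-`, so it has no stable name that a teardown can target by name; a fixed `name:` would let the cleanup delete exactly this object instead of everything of that kind in the namespace. The OperatorGroup also carries no `spec`, which (as far as I can tell) selects the all-namespaces install mode — fine if intended, but worth a one-line comment so the scope is deliberate.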
20 changes: 20 additions & 0 deletions
20
provision/aws/efs/credentialRequests/openshift-aws-efs-csi-driver-credential-request.yaml
@@ -0,0 +1,20 @@ | ||
apiVersion: cloudcredential.openshift.io/v1 | ||
kind: CredentialsRequest | ||
metadata: | ||
name: openshift-aws-efs-csi-driver | ||
namespace: openshift-cloud-credential-operator | ||
spec: | ||
providerSpec: | ||
apiVersion: cloudcredential.openshift.io/v1 | ||
kind: AWSProviderSpec | ||
statementEntries: | ||
- action: | ||
- elasticfilesystem:* | ||
effect: Allow | ||
resource: '*' | ||
secretRef: | ||
name: aws-efs-cloud-credentials | ||
namespace: openshift-cluster-csi-drivers | ||
serviceAccountNames: | ||
- aws-efs-csi-driver-operator | ||
- aws-efs-csi-driver-controller-sa |
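Review bot: The single statement `elasticfilesystem:*` on `resource: '*'` grants the two service accounts every EFS action on every file system in the account, including deleting file systems the cluster did not create; the role is assumable through the cluster's OIDC provider, so any pod able to use those service-account tokens inherits that reach. The upstream EFS CSI driver's example policy is considerably narrower (the `Describe*` calls, `CreateAccessPoint`, `DeleteAccessPoint` and `TagResource`, with a tag condition on the delete), so it is worth confirming whether the operator really needs more than that before shipping the wildcard. If the wildcard stays because the referenced Red Hat article uses it, a comment saying so above `statementEntries:` would stop the next reader from tightening it blindly and breaking the driver.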
@@ -0,0 +1,6 @@ | ||
apiVersion: operator.openshift.io/v1 | ||
kind: ClusterCSIDriver | ||
metadata: | ||
name: efs.csi.aws.com | ||
spec: | ||
managementState: Managed |
@@ -0,0 +1,119 @@ | ||
#!/bin/bash | ||
# This automated the setup of EFS as a RWX storage in ROSA. It is based on the following information: | ||
# * https://access.redhat.com/articles/6966373 | ||
# * https://mobb.ninja/docs/rosa/aws-efs/ | ||
# * https://docs.openshift.com/rosa/storage/container_storage_interface/osd-persistent-storage-aws-efs-csi.html | ||
|
||
set -xeo pipefail | ||
|
||
if [ -f ./.env ]; then | ||
source ./.env | ||
fi | ||
|
||
AWS_REGION=${REGION} | ||
OIDC_PROVIDER=$(oc get authentication.config.openshift.io cluster -o json \ | ||
| jq -r .spec.serviceAccountIssuer| sed -e "s/^https:\/\///") | ||
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text) | ||
|
||
cd efs | ||
|
||
oc create -f aws-efs-csi-driver-operator.yaml | ||
|
||
CCO_POD_NAME=$(oc get po -n openshift-cloud-credential-operator -l app=cloud-credential-operator -o jsonpath='{.items[*].metadata.name}') | ||
|
||
oc cp -c cloud-credential-operator openshift-cloud-credential-operator/${CCO_POD_NAME}:/usr/bin/ccoctl ./ccoctl --retries=999 | ||
|
||
chmod 775 ./ccoctl | ||
|
||
./ccoctl aws create-iam-roles --name=${CLUSTER_NAME} --region=${AWS_REGION} --credentials-requests-dir=credentialRequests/ --identity-provider-arn=arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER} | ||
|
||
oc create -f manifests/openshift-cluster-csi-drivers-aws-efs-cloud-credentials-credentials.yaml | ||
|
||
oc create -f efs-csi-aws-com-cluster-csi-driver.yaml | ||
|
||
kubectl wait --for=condition=AWSEFSDriverNodeServiceControllerAvailable --timeout=300s clustercsidriver.operator.openshift.io/efs.csi.aws.com | ||
kubectl wait --for=condition=AWSEFSDriverControllerServiceControllerAvailable --timeout=300s clustercsidriver.operator.openshift.io/efs.csi.aws.com | ||
|
||
NODE=$(oc get nodes --selector=node-role.kubernetes.io/worker \ | ||
-o jsonpath='{.items[0].metadata.name}') | ||
VPC=$(aws ec2 describe-instances \ | ||
--filters "Name=private-dns-name,Values=$NODE" \ | ||
--output json \ | ||
--query 'Reservations[*].Instances[*].{VpcId:VpcId}' \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0][0].VpcId') | ||
CIDR=$(aws ec2 describe-vpcs \ | ||
--filters "Name=vpc-id,Values=$VPC" \ | ||
--query 'Vpcs[*].CidrBlock' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0]') | ||
SG=$(aws ec2 describe-instances --filters \ | ||
"Name=private-dns-name,Values=$NODE" \ | ||
--query 'Reservations[*].Instances[*].{SecurityGroups:SecurityGroups}' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0][0].SecurityGroups[0].GroupId') | ||
echo "CIDR - $CIDR, SG - $SG" | ||
|
||
aws ec2 authorize-security-group-ingress \ | ||
--group-id $SG \ | ||
--protocol tcp \ | ||
--port 2049 \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
--cidr $CIDR | jq . | ||
|
||
SUBNET=$(aws ec2 describe-subnets \ | ||
--filters Name=vpc-id,Values=$VPC Name=tag:Name,Values='*-private*' \ | ||
--query 'Subnets[*].{SubnetId:SubnetId}' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0].SubnetId') | ||
AWS_ZONE=$(aws ec2 describe-subnets --filters Name=subnet-id,Values=$SUBNET \ | ||
--output json \ | ||
--region $AWS_REGION | jq -r '.Subnets[0].AvailabilityZone') | ||
|
||
EFS=$(aws efs create-file-system --creation-token efs-token-${CLUSTER_NAME} \ | ||
--availability-zone-name $AWS_ZONE \ | ||
--output json \ | ||
--tags Key=Name,Value=${CLUSTER_NAME} \ | ||
--region $AWS_REGION \ | ||
--encrypted | jq -r '.FileSystemId') | ||
echo $EFS | ||
|
||
cat <<EOF | oc apply -f - | ||
kind: StorageClass | ||
apiVersion: storage.k8s.io/v1 | ||
metadata: | ||
name: efs-sc | ||
provisioner: efs.csi.aws.com | ||
parameters: | ||
provisioningMode: efs-ap | ||
fileSystemId: $EFS | ||
directoryPerms: "700" | ||
gidRangeStart: "1000" | ||
gidRangeEnd: "2000" | ||
basePath: "/dynamic_provisioning" | ||
EOF | ||
|
||
while true; do | ||
LIFECYCLE_STATE="$(aws efs describe-file-systems --file-system-id $EFS --region $AWS_REGION --output json | jq -r '.FileSystems[0].LifeCycleState')" | ||
if [[ "${LIFECYCLE_STATE}" == "available" ]]; then break; fi | ||
sleep 1 | ||
echo -n '.' | ||
done | ||
|
||
for SUBNET in $(aws ec2 describe-subnets \ | ||
--filters Name=vpc-id,Values=$VPC Name=tag:Name,Values='*-private*' \ | ||
--query 'Subnets[*].{SubnetId:SubnetId}' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[].SubnetId'); do \ | ||
MOUNT_TARGET=$(aws efs create-mount-target --file-system-id $EFS \ | ||
--subnet-id $SUBNET --security-groups $SG \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.MountTargetId'); \ | ||
echo $MOUNT_TARGET; \ | ||
done |
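Review bot: The NFS rule added with `aws ec2 authorize-security-group-ingress ... --cidr $CIDR` opens port 2049 on the worker security group to the entire VPC CIDR, although the only intended clients are the workers that carry that same group; replacing `--cidr $CIDR` with `--source-group "$SG"` keeps the rule to the nodes (the revoke in the cleanup script would need the matching change). That same call is also not re-runnable: a second invocation fails with a duplicate-permission error and, under `set -e`, aborts the script before the file system is created. Separately, `set -xeo pipefail` runs before `source ./.env`, so every assignment in `.env` is echoed to the trace; if that file ever carries AWS keys or tokens they end up in CI logs, which `set -eo pipefail` before the source and `set -x` after it would avoid. Finally, `--availability-zone-name $AWS_ZONE` creates a One Zone file system, yet the last loop creates a mount target in every `*-private*` subnet; as far as I recall a One Zone file system only accepts a mount target in its own AZ, so this is worth checking on a multi-AZ cluster.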
@@ -0,0 +1,82 @@ | ||
#!/bin/bash | ||
# don't use 'set -e' here, as we want to cleanup also half-installed EFS setups | ||
|
||
if [ -f ./.env ]; then | ||
source ./.env | ||
fi | ||
|
||
export AWS_REGION=${REGION} | ||
|
||
EFS=$(oc get sc/efs-sc -o jsonpath='{.parameters.fileSystemId}') | ||
|
||
for MOUNT_TARGET in $(aws efs describe-mount-targets \ | ||
--region=$AWS_REGION \ | ||
--file-system-id=$EFS \ | ||
--output json \ | ||
| jq -r '.MountTargets[].MountTargetId'); do | ||
aws efs delete-mount-target --mount-target-id $MOUNT_TARGET --region $AWS_REGION | ||
done | ||
|
||
while true; do | ||
LIFECYCLE_STATE="$(aws efs describe-mount-targets \ | ||
--region=$AWS_REGION \ | ||
--file-system-id=$EFS \ | ||
--output json \ | ||
| jq -r '.MountTargets[].MountTargetId')" | ||
if [[ "${LIFECYCLE_STATE}" == "" ]]; then break; fi | ||
sleep 1 | ||
echo -n '.' | ||
done | ||
|
||
aws efs delete-file-system --file-system-id $EFS --region $AWS_REGION | ||
|
||
NODE=$(oc get nodes --selector=node-role.kubernetes.io/worker \ | ||
-o jsonpath='{.items[0].metadata.name}') | ||
VPC=$(aws ec2 describe-instances \ | ||
--filters "Name=private-dns-name,Values=$NODE" \ | ||
--output json \ | ||
--query 'Reservations[*].Instances[*].{VpcId:VpcId}' \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0][0].VpcId') | ||
CIDR=$(aws ec2 describe-vpcs \ | ||
--filters "Name=vpc-id,Values=$VPC" \ | ||
--query 'Vpcs[*].CidrBlock' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0]') | ||
SG=$(aws ec2 describe-instances --filters \ | ||
"Name=private-dns-name,Values=$NODE" \ | ||
--query 'Reservations[*].Instances[*].{SecurityGroups:SecurityGroups}' \ | ||
--output json \ | ||
--region $AWS_REGION \ | ||
| jq -r '.[0][0].SecurityGroups[0].GroupId') | ||
echo "CIDR - $CIDR, SG - $SG" | ||
|
||
aws ec2 revoke-security-group-ingress \ | ||
--group-id $SG \ | ||
--protocol tcp \ | ||
--region $AWS_REGION \ | ||
--port 2049 \ | ||
--cidr $CIDR | ||
|
||
cd efs | ||
|
||
CCO_POD_NAME=$(oc get po -n openshift-cloud-credential-operator -l app=cloud-credential-operator -o jsonpath='{.items[*].metadata.name}') | ||
|
||
oc cp -c cloud-credential-operator openshift-cloud-credential-operator/${CCO_POD_NAME}:/usr/bin/ccoctl ./ccoctl --retries=999 | ||
|
||
chmod 775 ./ccoctl | ||
|
||
./ccoctl aws delete --name=${CLUSTER_NAME} --region=${AWS_REGION} | ||
|
||
oc delete storageclass efs-sc | ||
|
||
oc delete -n openshift-cluster-csi-drivers Subscription aws-efs-csi-driver-operator | ||
|
||
oc delete -n openshift-cluster-csi-drivers Secret aws-efs-cloud-credentials | ||
|
||
oc delete ClusterCSIDriver efs.csi.aws.com | ||
|
||
for OPERATOR_GROUP in $(oc get -n openshift-cluster-csi-drivers OperatorGroup -o name); do | ||
oc delete -n openshift-cluster-csi-drivers $OPERATOR_GROUP | ||
done |
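Review bot: Deleting the Subscription at `oc delete -n openshift-cluster-csi-drivers Subscription aws-efs-csi-driver-operator` does not remove the operator itself; OLM keeps the ClusterServiceVersion and its deployment running, so the driver pods outlive this cleanup and keep a credential secret mounted until the following delete. Deleting the CSV as well, e.g. `oc delete -n openshift-cluster-csi-drivers csv -l operators.coreos.com/aws-efs-csi-driver-operator.openshift-cluster-csi-drivers=` (OLM should stamp the CSV with the same label the Subscription carries — confirm on a live cluster), would make the teardown complete. The final loop removes every OperatorGroup in the namespace, not only the one this setup created via `generateName`; giving the OperatorGroup a fixed name in the install manifest and deleting it by name avoids breaking any other operator that shares the namespace. Because the file intentionally runs without `set -e`, `aws efs delete-file-system --file-system-id $EFS` still executes when the StorageClass lookup returned nothing; a guard such as `[[ -n "$EFS" ]] || echo "no efs-sc file system id, skipping EFS teardown" >&2` before the EFS steps makes that path explicit.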