e2e manifests

[pohly]

/kind cleanup

What this PR does / why we need it:

For CSI testing we want to get away from having to replicate .yaml files in code. Now the CSI drivers and their RBAC rules get created from .yaml files.

Special notes for your reviewer:

My proposal is to review and potentially merge this PR first, then create the rbac.yaml in the individual repos at the URLs linked to here in the readmes.

Release note:

- The builtin system:csi-external-provisioner and system:csi-external-attacher cluster roles
  are deprecated and will not be updated for deployments of CSI sidecar container versions >= 0.4.
  Deployments with the current CSI sidecar containers have to provide their own RBAC
  definitions. The reason is that the rules depend on how the sidecar containers are used,
  which is defined by the deployment.

/sig storage
/sig testing
/cc @msau42

[pohly]

@msau42 I went ahead and also rewrote the GCE CSI test, which allowed me to remove a lot of code from csi_objects.go. Can you perhaps check that I didn't break that test? Or is it running in the Kubernetes CI?

[pohly]

Note that the csiTestDriver implementation for hostpath and GCE now use almost the same code. The real difference is in the set of .yaml files and in the names of the containers. It seems very feasible now to just have one struct which defines these settings and then fill in that struct from .yaml files, either shipped with the test suite or provided by a user.

Only createGCESecrets() may still need some special handling.

[pohly]

/retest

[davidz627]

/cc

[pohly]

I found that the gcePD CSI driver test case does run in the CI... and that it currently hangs. I've added more debug output, so perhaps soon I'll know why. I got stuck trying to run it locally because it wasn't obvious how to set up the required service account secret.

[pohly]

Some help would be welcome. The gcePD test failed in https://prow.k8s.io/log?job=pull-kubernetes-e2e-gce&id=56220 again because of permission issues. I don't understand what the error messages are trying to tell me, the service account setup looks sane to me:

I1017 18:50:42.646] Oct 17 18:45:34.524: INFO: creating ServiceAccount:
I1017 18:50:42.646] {
I1017 18:50:42.646]   "kind": "ServiceAccount",
I1017 18:50:42.646]   "apiVersion": "v1",
I1017 18:50:42.646]   "metadata": {
I1017 18:50:42.646]     "name": "csi-driver-registrar",
I1017 18:50:42.646]     "namespace": "e2e-tests-csi-volumes-nh7pq",
I1017 18:50:42.646]     "creationTimestamp": null
I1017 18:50:42.646]   }
I1017 18:50:42.646] }
...
I1017 18:50:42.651] Oct 17 18:45:34.531: INFO: creating ClusterRole
I1017 18:50:42.651] :{
I1017 18:50:42.651]   "kind": "ClusterRole",
I1017 18:50:42.651]   "apiVersion": "rbac.authorization.k8s.io/v1",
I1017 18:50:42.651]   "metadata": {
I1017 18:50:42.651]     "name": "driver-registrar-runner-e2e-tests-csi-volumes-nh7pq",
I1017 18:50:42.651]     "creationTimestamp": null
I1017 18:50:42.652]   },
I1017 18:50:42.652]   "rules": [
I1017 18:50:42.652]     {
I1017 18:50:42.652]       "verbs": [
I1017 18:50:42.652]         "get",
I1017 18:50:42.652]         "list",
I1017 18:50:42.652]         "watch",
I1017 18:50:42.652]         "create",
I1017 18:50:42.652]         "update",
I1017 18:50:42.652]         "patch"
I1017 18:50:42.652]       ],
I1017 18:50:42.653]       "apiGroups": [
I1017 18:50:42.653]         ""
I1017 18:50:42.653]       ],
I1017 18:50:42.653]       "resources": [
I1017 18:50:42.653]         "events"
I1017 18:50:42.653]       ]
I1017 18:50:42.653]     },
I1017 18:50:42.653]     {
I1017 18:50:42.653]       "verbs": [
I1017 18:50:42.653]         "get",
I1017 18:50:42.654]         "update",
I1017 18:50:42.654]         "patch"
I1017 18:50:42.654]       ],
I1017 18:50:42.654]       "apiGroups": [
I1017 18:50:42.654]         ""
I1017 18:50:42.654]       ],
I1017 18:50:42.654]       "resources": [
I1017 18:50:42.654]         "nodes"
I1017 18:50:42.654]       ]
I1017 18:50:42.654]     }
I1017 18:50:42.654]   ]
I1017 18:50:42.655] }
...
I1017 18:50:42.657] Oct 17 18:45:34.539: INFO: creating ClusterRoleBinding:
I1017 18:50:42.657] {
I1017 18:50:42.657]   "kind": "ClusterRoleBinding",
I1017 18:50:42.657]   "apiVersion": "rbac.authorization.k8s.io/v1",
I1017 18:50:42.657]   "metadata": {
I1017 18:50:42.657]     "name": "csi-driver-registrar-role-e2e-tests-csi-volumes-nh7pq",
I1017 18:50:42.658]     "creationTimestamp": null
I1017 18:50:42.658]   },
I1017 18:50:42.658]   "subjects": [
I1017 18:50:42.658]     {
I1017 18:50:42.658]       "kind": "ServiceAccount",
I1017 18:50:42.658]       "name": "csi-driver-registrar",
I1017 18:50:42.658]       "namespace": "e2e-tests-csi-volumes-nh7pq"
I1017 18:50:42.658]     }
I1017 18:50:42.658]   ],
I1017 18:50:42.658]   "roleRef": {
I1017 18:50:42.659]     "apiGroup": "rbac.authorization.k8s.io",
I1017 18:50:42.659]     "kind": "ClusterRole",
I1017 18:50:42.659]     "name": "driver-registrar-runner-e2e-tests-csi-volumes-nh7pq"
I1017 18:50:42.659]   }
I1017 18:50:42.659] }
...
I1017 18:45:34.534] Oct 17 18:45:27.723: INFO: At 2018-10-17 18:40:25 +0000 UTC - event for csi-gce-node: {daemonset-controller } FailedCreate: Error creating: pods "csi-gce-node-" is forbidden: unable to validate against any pod security policy: []
I1017 18:45:34.535] Oct 17 18:45:27.723: INFO: At 2018-10-17 18:40:26 +0000 UTC - event for csi-gce-controller: {statefulset-controller } FailedCreate: create Pod csi-gce-controller-0 in StatefulSet csi-gce-controller failed error: pods "csi-gce-controller-0" is forbidden: unable to validate against any pod security policy: []

@liggitt @davidz627

[pohly]

@msau let me come back to the offer of not renaming the gcePD driver. I had that working before the driver update to gcp-compute-persistent-disk-csi-driver:v0.1.0.alpha, but now I can't get it to work again and my possibilities to debug that are rather limited and slow.

Therefore the latest incarnation of this PR deploys the gcePD driver without renaming, as in current Kubernetes master. If that works, please merge. I'm not going to wait for clean test results myself anymore today, though.

I left in the version update - killing two birds with one stone, basically. Otherwise we would have two conflicting PRs.

/hold cancel

[msau42]

Hm I wonder if the alpha pd driver is going to have issues with the latest sidecars.

Also, unfortunately we haven't published public images of the beta gce pd driver yet. So I think it's best to just leave PD driver image versions the way it was before, and we will update the versions when we're ready.

Also I think we need to add the [Serial] tag to pd so that tests won't be run it parallel.

[davidz627]

+1

[pohly]

The test has passed, so it looks like the alpha driver is compatible with the latest sidecar drivers. Do you want to revert that part nonetheless?

Please lets add the [Serial] tag as part of PR #68025 /cc @mkimuram

It has been working so far and this PR doesn't make it worse. From a practical perspective,
I don't see a good way to add it to the current test because of the way how it loops over the different drivers, and that part will be changed anyway:

	for driverName, initCSIDriver := range csiTestDrivers {
		curDriverName := driverName
		curInitCSIDriver := initCSIDriver

		Context(fmt.Sprintf("CSI plugin test using CSI driver: %s", curDriverName), func() {

[msau42]

If its passing then it's fine to leave it. It's not a configuration that's officially been tested/supported by us, but I will update it later once we get the latest driver image published.

[pohly]

@msau42 so is this PR ready for merging now?

[pohly]

/test pull-kubernetes-integration

[pohly]

/test pull-kubernetes-integration

[msau42]

do you want to simplify the hostpath specs too?

[pohly]

Yes, but let's do that in a separate PR and then also coordinate the update with the original .yaml file in kubernetes-csi/docs.

I've filed kubernetes-csi/docs#68 for this.

[msau42]

If its passing then it's fine to leave it. It's not a configuration that's officially been tested/supported by us, but I will update it later once we get the latest driver image published.

[AishSundar]

@pohly is this planned to be merged in 1.13 timeframe? if so please give this a priority and milestone label accordingly. @nikopen in case you need him to apply the milestone label

[pohly]

Yes, this is for 1.13.

/milestone v1.13
/priority important-soon

[k8s-ci-robot]

@pohly: You must be a member of the kubernetes/kubernetes-milestone-maintainers github team to set the milestone.

In response to this:

Yes, this is for 1.13.

/milestone v1.13
/priority important-soon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[pohly]

@nikopen can you please add the v1.13 milestone label to this PR?

[nikopen]

/milestone v1.13

[msau42]

/lgtm

[jsafrane]

/assign @saad-ali
for approval

[saad-ali]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pohly, saad-ali

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/OWNERS [saad-ali]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gnufied]

Printing all of the YAMLs is far too noisy - #70448