Merge pull request #198 from shiftstack/merge-bot-release-4.12

OCPBUGS-15971: Merge https://github.com/kubernetes/cloud-provider-openstack:release-1.25 into release-4.12

charts/cinder-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.25.5
+appVersion: v1.25.6
 description: Cinder CSI Chart for OpenStack
 name: openstack-cinder-csi
-version: 2.25.0
+version: 2.25.1
 home: https://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/manila-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.25.5
+appVersion: v1.25.6
 description: Manila CSI Chart for OpenStack
 name: openstack-manila-csi
-version: 2.25.0
+version: 2.25.1
 home: http://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/openstack-cloud-controller-manager/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
-appVersion: v1.25.5
+appVersion: v1.25.6
 description: Openstack Cloud Controller Manager Helm Chart
 icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
 home: https://github.com/kubernetes/cloud-provider-openstack
 name: openstack-cloud-controller-manager
-version: 2.25.0
+version: 2.25.1
 maintainers:
   - name: eumel8
     email: f.kloeker@telekom.de

docs/barbican-kms-plugin/using-barbican-kms-plugin.md

@@ -83,7 +83,7 @@ $ docker run -d --volume=/var/lib/kms:/var/lib/kms \
 --volume=/etc/kubernetes:/etc/kubernetes \
 -e socketpath=/var/lib/kms/kms.sock \
 -e cloudconfig=/etc/kubernetes/cloud-config \
-registry.k8s.io/provider-os/barbican-kms-plugin:v1.25.5
+registry.k8s.io/provider-os/barbican-kms-plugin:v1.25.6
 ```
 6. Create /etc/kubernetes/encryption-config.yaml
 ```

docs/keystone-auth/using-keystone-webhook-authenticator-and-authorizer.md

@@ -18,7 +18,7 @@
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
-# k8s-keystone-auth
+# k8s-keystone-auth12
 
 [Kubernetes webhook authentication and authorization](https://kubernetes.io/docs/reference/access-authn-authz/webhook/)
 for OpenStack Keystone. With k8s-keystone-auth, the Kubernetes cluster
@@ -252,7 +252,7 @@ it as a service. There are several things we need to notice in the
 deployment manifest:
 
 - We are using image
-  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.25.5`
+  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.25.6`
 - We use `k8s-auth-policy` configmap created above.
 - The pod uses service account `keystone-auth` created above.
 - We use `keystone-auth-certs` secret created above to inject the

docs/magnum-auto-healer/using-magnum-auto-healer.md

@@ -73,7 +73,7 @@ user_id=ceb61464a3d341ebabdf97d1d4b97099
 user_project_id=b23a5e41d1af4c20974bf58b4dff8e5a
 password=password
 region=RegionOne
-image=registry.k8s.io/provider-os/magnum-auto-healer:v1.25.5
+image=registry.k8s.io/provider-os/magnum-auto-healer:v1.25.6
 
 cat <<EOF | kubectl apply -f -
 ---

docs/manila-csi-plugin/using-manila-csi-plugin.md

@@ -50,6 +50,7 @@ Parameter | Required | Description
 `type` | _yes_ | Manila [share type](https://wiki.openstack.org/wiki/Manila/Concepts#share_type)
 `shareNetworkID` | _no_ | Manila [share network ID](https://wiki.openstack.org/wiki/Manila/Concepts#share_network)
 `availability` | _no_ | Manila availability zone of the provisioned share. If none is provided, the default Manila zone will be used. Note that this parameter is opaque to the CO and does not influence placement of workloads that will consume this share, meaning they may be scheduled onto any node of the cluster. If the specified Manila AZ is not equally accessible from all compute nodes of the cluster, use [Topology-aware dynamic provisioning](#topology-aware-dynamic-provisioning).
+`autoTopology` | _no_ | When set to "true" and the `availability` parameter is empty, the Manila CSI controller will map the Manila availability zone to the target compute node availability zone.
 `appendShareMetadata` | _no_ | Append user-defined metadata to the provisioned share. If not empty, this field must be a string with a valid JSON object. The object must consist of key-value pairs of type string. Example: `"{..., \"key\": \"value\"}"`.
 `cephfs-mounter` | _no_ | Relevant for CephFS Manila shares. Specifies which mounting method to use with the CSI CephFS driver. Available options are `kernel` and `fuse`, defaults to `fuse`. See [CSI CephFS docs](https://github.com/ceph/ceph-csi/blob/csi-v1.0/docs/deploy-cephfs.md#configuration) for further information.
 `cephfs-kernelMountOptions` | _no_ | Relevant for CephFS Manila shares. Specifies mount options for CephFS kernel client. See [CSI CephFS docs](https://github.com/ceph/ceph-csi/blob/csi-v1.0/docs/deploy-cephfs.md#configuration) for further information.
@@ -130,6 +131,35 @@ Storage AZ does not influence
           Shares in zone-a are accessible only from nodes in nova-1 and nova-2.
 ```
 
+In cases when the Manila availability zone must correspond to the Nova
+availability zone, you can set the `autoTopology: "true"` along with the
+`volumeBindingMode: WaitForFirstConsumer` and omit the `availability`
+parameter. By doing so, the share will be provisioned in the target compute
+node availability zone.
+
+```
+                          Auto topology-aware storage class example:
+
+
+           Both Compute and Storage AZs influence the placement of workloads.
+
+        +-----------+                                         +---------------+
+        | Manila AZ |                                         |  Compute AZs  |
+        |   zone-1  |    apiVersion: storage.k8s.io/v1        |     zone-1    |
+        |   zone-2  |    kind: StorageClass                   |     zone-2    |
+        +-----------+    metadata:                            +---------------+
+              |            name: nfs-gold                             |
+              |          provisioner: nfs.manila.csi.openstack.org    |
+              |          parameters:                                  |
+              +---------+  autoTopology: "true"  +--------------------+
+                           ...
+                         volumeBindingMode: WaitForFirstConsumer
+                           ...
+
+Shares for workloads in zone-1 will be created in zone-1 and accessible only from nodes in zone-1.
+Shares for workloads in zone-2 will be created in zone-2 and accessible only from nodes in zone-2.
+```
+
 [Enabling topology awareness in Kubernetes](#enabling-topology-awareness)
 
 ### Runtime configuration file

docs/octavia-ingress-controller/using-octavia-ingress-controller.md

@@ -148,7 +148,7 @@ Here are several other config options are not included in the example configurat
 ### Deploy octavia-ingress-controller
 
 ```shell
-image="registry.k8s.io/provider-os/octavia-ingress-controller:v1.25.5"
+image="registry.k8s.io/provider-os/octavia-ingress-controller:v1.25.6"
 
 cat <<EOF > /etc/kubernetes/octavia-ingress-controller/deployment.yaml
 ---

examples/manila-csi-plugin/nfs/auto-topology-aware/pod.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: new-nfs-share-pod
+spec:
+  containers:
+    - name: web-server
+      image: nginx
+      imagePullPolicy: IfNotPresent
+      volumeMounts:
+        - name: mypvc
+          mountPath: /var/lib/www
+  nodeSelector:
+    topology.kubernetes.io/zone: zone-1
+  volumes:
+    - name: mypvc
+      persistentVolumeClaim:
+        claimName: new-nfs-share-pvc
+        readOnly: false

examples/manila-csi-plugin/nfs/auto-topology-aware/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: new-nfs-share-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: csi-manila-nfs

examples/manila-csi-plugin/nfs/auto-topology-aware/storageclass.yaml

@@ -0,0 +1,29 @@
+# Topology constraints example:
+#
+# Let's have two Manila AZs: zone-{1..2}
+# Let's have six Nova AZs: zone-{1..6}
+#
+# Manila zone-1 is accessible from nodes in zone-1 only
+# Manila zone-2 is accessible from nodes in zone-2 only
+#
+# We're provisioning into zone-1
+# availability parameter and allowedTopologies are empty, therefore the dynamic
+# share provisioning with automatic availability zone selection takes place.
+# The "volumeBindingMode" must be set to "WaitForFirstConsumer".
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: csi-manila-nfs
+provisioner: nfs.manila.csi.openstack.org
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  type: default
+  autoTopology: "true"
+  csi.storage.k8s.io/provisioner-secret-name: csi-manila-secrets
+  csi.storage.k8s.io/provisioner-secret-namespace: default
+  csi.storage.k8s.io/node-stage-secret-name: csi-manila-secrets
+  csi.storage.k8s.io/node-stage-secret-namespace: default
+  csi.storage.k8s.io/node-publish-secret-name: csi-manila-secrets
+  csi.storage.k8s.io/node-publish-secret-namespace: default

examples/manila-csi-plugin/nfs/dynamic-provisioning/pvc.yaml

@@ -9,4 +9,3 @@ spec:
     requests:
       storage: 1Gi
   storageClassName: csi-manila-nfs
-

examples/manila-csi-plugin/nfs/topology-aware/storageclass.yaml

@@ -24,6 +24,7 @@ parameters:
   csi.storage.k8s.io/node-stage-secret-namespace: default
   csi.storage.k8s.io/node-publish-secret-name: csi-manila-secrets
   csi.storage.k8s.io/node-publish-secret-namespace: default
+allowVolumeExpansion: true
 allowedTopologies:
   - matchLabelExpressions:
     - key: topology.manila.csi.openstack.org/zone

examples/webhook/keystone-deployment.yaml

@@ -18,7 +18,7 @@ spec:
       serviceAccountName: k8s-keystone
       containers:
         - name: k8s-keystone-auth
-          image: registry.k8s.io/provider-os/k8s-keystone-auth:v1.25.5
+          image: registry.k8s.io/provider-os/k8s-keystone-auth:v1.25.6
           args:
             - ./bin/k8s-keystone-auth
             - --tls-cert-file

go.mod

@@ -20,23 +20,23 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.8.0
-	golang.org/x/net v0.4.0
-	golang.org/x/sys v0.3.0
-	golang.org/x/term v0.3.0
+	golang.org/x/net v0.8.0
+	golang.org/x/sys v0.6.0
+	golang.org/x/term v0.6.0
 	google.golang.org/grpc v1.48.0
 	google.golang.org/protobuf v1.28.0
 	gopkg.in/gcfg.v1 v1.2.3
 	gopkg.in/godo.v2 v2.0.9
 	gopkg.in/yaml.v2 v2.4.0
-	k8s.io/api v0.25.3
-	k8s.io/apimachinery v0.25.3
-	k8s.io/apiserver v0.25.3
-	k8s.io/client-go v0.25.3
-	k8s.io/cloud-provider v0.25.3
-	k8s.io/component-base v0.25.3
+	k8s.io/api v0.25.10
+	k8s.io/apimachinery v0.25.10
+	k8s.io/apiserver v0.25.10
+	k8s.io/client-go v0.25.10
+	k8s.io/cloud-provider v0.25.10
+	k8s.io/component-base v0.25.10
 	k8s.io/klog/v2 v2.70.1
-	k8s.io/kubernetes v1.25.3
-	k8s.io/mount-utils v0.25.3
+	k8s.io/kubernetes v1.25.10
+	k8s.io/mount-utils v0.25.10
 	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20190209200317-47dd539968c4
 )
@@ -122,8 +122,8 @@ require (
 	go.uber.org/zap v1.19.0 // indirect
 	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 // indirect
 	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/sync v0.1.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20220519153652-3a47de7e79bd // indirect
@@ -133,46 +133,47 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.0.0 // indirect
-	k8s.io/component-helpers v0.25.3 // indirect
-	k8s.io/controller-manager v0.25.3 // indirect
-	k8s.io/csi-translation-lib v0.25.3 // indirect
+	k8s.io/component-helpers v0.25.10 // indirect
+	k8s.io/controller-manager v0.25.10 // indirect
+	k8s.io/csi-translation-lib v0.25.10 // indirect
 	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 	k8s.io/kubectl v0.0.0 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
 	k8s.io/pod-security-admission v0.0.0 // indirect
-	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.33 // indirect
+	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.37 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
 )
 
 replace (
+	github.com/docker/distribution => github.com/docker/distribution v2.8.2+incompatible
 	google.golang.org/grpc v1.34.0 => google.golang.org/grpc v1.29.0
-	k8s.io/api => k8s.io/api v0.25.3
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.3
-	k8s.io/apimachinery => k8s.io/apimachinery v0.25.3
-	k8s.io/apiserver => k8s.io/apiserver v0.25.3
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.3
-	k8s.io/client-go => k8s.io/client-go v0.25.3
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.3
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.3
-	k8s.io/code-generator => k8s.io/code-generator v0.25.3
-	k8s.io/component-base => k8s.io/component-base v0.25.3
-	k8s.io/component-helpers => k8s.io/component-helpers v0.25.3
-	k8s.io/controller-manager => k8s.io/controller-manager v0.25.3
-	k8s.io/cri-api => k8s.io/cri-api v0.25.3
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.3
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.3
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.3
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.3
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.3
-	k8s.io/kubectl => k8s.io/kubectl v0.25.3
-	k8s.io/kubelet => k8s.io/kubelet v0.25.3
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.3
-	k8s.io/metrics => k8s.io/metrics v0.25.3
-	k8s.io/mount-utils => k8s.io/mount-utils v0.25.3
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.25.3
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.3
-	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.25.3
-	k8s.io/sample-controller => k8s.io/sample-controller v0.25.3
+	k8s.io/api => k8s.io/api v0.25.10
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.10
+	k8s.io/apimachinery => k8s.io/apimachinery v0.25.10
+	k8s.io/apiserver => k8s.io/apiserver v0.25.10
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.10
+	k8s.io/client-go => k8s.io/client-go v0.25.10
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.10
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.10
+	k8s.io/code-generator => k8s.io/code-generator v0.25.10
+	k8s.io/component-base => k8s.io/component-base v0.25.10
+	k8s.io/component-helpers => k8s.io/component-helpers v0.25.10
+	k8s.io/controller-manager => k8s.io/controller-manager v0.25.10
+	k8s.io/cri-api => k8s.io/cri-api v0.25.10
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.10
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.10
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.10
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.10
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.10
+	k8s.io/kubectl => k8s.io/kubectl v0.25.10
+	k8s.io/kubelet => k8s.io/kubelet v0.25.10
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.10
+	k8s.io/metrics => k8s.io/metrics v0.25.10
+	k8s.io/mount-utils => k8s.io/mount-utils v0.25.10
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.25.10
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.10
+	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.25.10
+	k8s.io/sample-controller => k8s.io/sample-controller v0.25.10
 )