diff --git a/CHANGELOG.md b/CHANGELOG.md index 508399f4..0a5848c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,7 @@ ## unreleased +## v1.0.0 - 2019.02.05 + * Add support for luks-encrypted volumes * Add support for `bulk` volumes diff --git a/Makefile b/Makefile index 68a5214b..c779d240 100644 --- a/Makefile +++ b/Makefile @@ -11,7 +11,7 @@ LDFLAGS ?= -X github.com/cloudscale-ch/csi-cloudscale/driver.version=${VERSION} PKG ?= github.com/cloudscale-ch/csi-cloudscale/cmd/cloudscale-csi-plugin ## Bump the version in the version file. Set BUMP to [ patch | major | minor ] -BUMP := patch +BUMP ?= patch VERSION ?= $(shell cat VERSION) all: test @@ -30,7 +30,6 @@ bump-version: $(eval NEW_DATE = $(shell date +%Y.%m.%d)) @sed -i'' -e 's/## unreleased/## ${NEW_VERSION} - ${NEW_DATE}/g' CHANGELOG.md @ echo '## unreleased\n' | cat - CHANGELOG.md > temp && mv temp CHANGELOG.md - @rm README.md-e CHANGELOG.md-e deploy/kubernetes/releases/csi-cloudscale-${NEW_VERSION}.yaml-e .PHONY: compile compile: diff --git a/README.md b/README.md index d0296e14..4c8c7733 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ secret `my-pvc-luks-key`. ## Releases The cloudscale.ch CSI plugin follows [semantic versioning](https://semver.org/). -The current version is: **`v0.2.0`**. The project is still under active development and may not be +The current version is: **`v1.0.0`**. The project is still under active development and may not be production ready. * Bug fixes will be released as a `PATCH` update. 
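Review bot: Removing the `@rm … -e` line at the end of bump-version drops the cleanup for backup files that the `sed -i'' -e '…' CHANGELOG.md` line just above still produces on BSD/macOS sed, where the shell collapses `-i''` to `-i` and sed then takes the following `-e` as the backup suffix. On GNU sed the same command edits in place with no backup, so the removal is harmless there; which platform releases are cut on is not visible here. A form that behaves the same on both is `sed -i.bak -e 's/## unreleased/## ${NEW_VERSION} - ${NEW_DATE}/g' CHANGELOG.md && rm CHANGELOG.md.bak`, applied likewise to the other seds the removed rm named (README.md and the release manifest), which sit outside this hunk. The bump-version recipe starts above the hunk.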
@@ -120,10 +120,10 @@ cloudscale Opaque 1 18h Before you continue, be sure to checkout to a [tagged release](https://github.com/cloudscale-ch/csi-cloudscale/releases). Always use the [latest stable version](https://github.com/cloudscale-ch/csi-cloudscale/releases/latest) -For example, to use the latest stable version (`v0.2.0`) you can execute the following command: +For example, to use the latest stable version (`v1.0.0`) you can execute the following command: ``` -$ kubectl apply -f https://raw.githubusercontent.com/cloudscale-ch/csi-cloudscale/master/deploy/kubernetes/releases/csi-cloudscale-v0.2.0.yaml +$ kubectl apply -f https://raw.githubusercontent.com/cloudscale-ch/csi-cloudscale/master/deploy/kubernetes/releases/csi-cloudscale-v1.0.0.yaml ``` This file will be always updated to point to the latest stable release. @@ -264,15 +264,15 @@ $ git push origin After it's merged to master, [create a new Github release](https://github.com/cloudscale-ch/csi-cloudscale/releases/new) from -master with the version `v0.2.0` and then publish a new docker build: +master with the version `v1.0.0` and then publish a new docker build: ``` $ git checkout master $ make publish ``` -This will create a binary with version `v0.2.0` and docker image pushed to -`cloudscalech/cloudscale-csi-plugin:v0.2.0` +This will create a binary with version `v1.0.0` and docker image pushed to +`cloudscalech/cloudscale-csi-plugin:v1.0.0` ## Contributing diff --git a/VERSION b/VERSION index 1474d00f..0ec25f75 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -v0.2.0 +v1.0.0 diff --git a/deploy/kubernetes/releases/csi-cloudscale-v0.2.0.yaml b/deploy/kubernetes/releases/csi-cloudscale-v1.0.0.yaml similarity index 50% rename from deploy/kubernetes/releases/csi-cloudscale-v0.2.0.yaml rename to deploy/kubernetes/releases/csi-cloudscale-v1.0.0.yaml index 108fcd1f..667725ac 100644 --- a/deploy/kubernetes/releases/csi-cloudscale-v0.2.0.yaml +++ b/deploy/kubernetes/releases/csi-cloudscale-v1.0.0.yaml 
@@ -12,15 +12,66 @@ # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. - + # Configuration to deploy release version of the CSI cloudscale.ch # plugin (https://github.com/cloudscale-ch/csi-cloudscale) compatible with -# Kubernetes >=v1.10.5 +# Kubernetes >=v1.13.0 # # example usage: kubectl create -f +#################################################### +########### ############ +########### CSI Node and Driver CRDs ############ +########### ############ +#################################################### +--- + +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: csinodeinfos.csi.storage.k8s.io +spec: + group: csi.storage.k8s.io + names: + kind: CSINodeInfo + plural: csinodeinfos + scope: Cluster + validation: + openAPIV3Schema: + properties: + csiDrivers: + description: List of CSI drivers running on the node and their properties. + items: + properties: + driver: + description: The CSI driver that this object refers to. + type: string + nodeID: + description: The node from the driver point of view. + type: string + topologyKeys: + description: List of keys supported by the driver. + items: + type: string + type: array + type: array + version: v1alpha1 +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + --- +########################################## +########### ############ +########### Storage Class ############ +########### ############ +########################################## + kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: 
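Review bot: The new CSINodeInfo CRD carries server-managed fields that do not belong in an applied manifest: `creationTimestamp: null` and the whole `status:` block (`acceptedNames`, `conditions: []`, `storedVersions: []`), which the API server overwrites on create. They read like a `kubectl get -o yaml` export pasted in; dropping those lines leaves the object as `apiVersion`/`kind`/`metadata.name`/`spec` and keeps future diffs of this file quieter. A one-line comment above the CRD saying why it is bundled — the attacher role later in the file reads `csinodeinfos`, and the header now requires `Kubernetes >=v1.13.0` — would help readers decide whether they still need it on their cluster. The `kind: StorageClass` object at the end of the hunk continues outside it.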
@@ -29,6 +80,51 @@ metadata: annotations: storageclass.kubernetes.io/is-default-class: "true" provisioner: ch.cloudscale.csi +parameters: + csi.cloudscale.ch/volume-type: ssd + +--- + +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: cloudscale-volume-bulk + namespace: kube-system +provisioner: ch.cloudscale.csi +parameters: + csi.cloudscale.ch/volume-type: bulk + +--- + +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: cloudscale-volume-ssd-luks + namespace: kube-system +provisioner: ch.cloudscale.csi +parameters: + csi.cloudscale.ch/volume-type: ssd + csi.cloudscale.ch/luks-encrypted: "true" + csi.cloudscale.ch/luks-cipher: "aes-xts-plain64" + csi.cloudscale.ch/luks-key-size: "512" + csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} + csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key + +--- + +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: cloudscale-volume-bulk-luks + namespace: kube-system +provisioner: ch.cloudscale.csi +parameters: + csi.cloudscale.ch/volume-type: bulk + csi.cloudscale.ch/luks-encrypted: "true" + csi.cloudscale.ch/luks-cipher: "aes-xts-plain64" + csi.cloudscale.ch/luks-key-size: "512" + csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} + csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key --- @@ -52,10 +148,13 @@ spec: app: csi-cloudscale-controller role: csi-cloudscale spec: + hostNetwork: true + priorityClassName: system-cluster-critical serviceAccount: csi-cloudscale-controller-sa containers: - name: csi-provisioner - image: quay.io/k8scsi/csi-provisioner:v0.3.0 + image: quay.io/k8scsi/csi-provisioner:v1.0.1 + imagePullPolicy: "Always" args: - "--provisioner=ch.cloudscale.csi" - "--csi-address=$(ADDRESS)" 
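Review bot: The LUKS StorageClasses are the security-relevant part of this release and the hunk documents none of their parameters: `csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}` together with `csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key` means each claim's passphrase is looked up in a Secret in the claim's own namespace named `<pvc-name>-luks-key`, presumably when the volume is staged on the node, and `csi.cloudscale.ch/luks-key-size: "512"` with `aes-xts-plain64` is the XTS key length, i.e. AES-256, not a 512-bit cipher key. A comment above the first `-luks` class along the lines of `# LUKS classes: the passphrase comes from Secret <pvc-name>-luks-key in the PVC's namespace (create it before the PVC); key-size 512 with aes-xts-plain64 means AES-256` would spare the next reader a trip to the README. The two LUKS classes repeat the same five parameters verbatim, so any future change to cipher or key size has to be made in both places; worth saying so. The `cloudscale-volume-ssd` class whose `parameters:` block is added at the top of the hunk starts outside it.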
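Review bot: `hostNetwork: true` on the controller Deployment is new and unexplained: the sidecars in this pod talk to the API server and to the plugin over the `socket-dir` emptyDir, so host networking buys nothing visible here while placing the pod in the node's network namespace, where NetworkPolicy commonly no longer applies to it. The node DaemonSet already runs with hostNetwork (its context appears further down), but the controller, as far as the visible volumes show, mounts no host sockets or devices and is the less justified case. If there is a reason — say the cloudscale API or the API server must be reachable before the pod network is up — a comment such as `# hostNetwork: controller must reach <reason> without the pod network` would record it; otherwise drop the line. `priorityClassName: system-cluster-critical` and the `imagePullPolicy` reorder need no change; the Deployment spec starts and ends outside the hunk.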
@@ -63,27 +162,37 @@ spec: env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "Always" volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-attacher - image: quay.io/k8scsi/csi-attacher:v0.3.0 + image: quay.io/k8scsi/csi-attacher:v1.0.1 + imagePullPolicy: "Always" args: - "--v=5" - "--csi-address=$(ADDRESS)" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-cluster-driver-registrar + image: quay.io/k8scsi/csi-cluster-driver-registrar:v1.0.1 + args: + - "--v=5" + - "--pod-info-mount-version=\"v1\"" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock volumeMounts: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-cloudscale-plugin - image: cloudscalech/cloudscale-csi-plugin:v0.2.0 + image: cloudscalech/cloudscale-csi-plugin:v1.0.0 args : - "--endpoint=$(CSI_ENDPOINT)" - - "--token=$(CLOUDSCALE_ACCESS_TOKEN)" - "--url=$(CLOUDSCALE_API_URL)" env: - name: CSI_ENDPOINT @@ -102,6 +211,7 @@ spec: volumes: - name: socket-dir emptyDir: {} + --- apiVersion: v1 
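Review bot: The new `csi-cluster-driver-registrar` container passes `- "--pod-info-mount-version=\"v1\""`, which after YAML unescaping hands the process the literal characters `"v1"` with the quotes included; unless the registrar strips quotes itself, the value it stores in the CSIDriver object will not equal `v1` and pod-info mounting would silently stay off. The plain `- "--pod-info-mount-version=v1"` avoids the question either way; worth confirming against the registrar's flag handling before tagging. Style: that container is also the only sidecar in the Deployment without an `imagePullPolicy`, while its two neighbours just gained `imagePullPolicy: "Always"` next to their `image:` line; add it or explain the difference. All four `image:` references are mutable tags pulled with `Always`; for a release manifest, pinning by digest (`image: <name>@sha256:<digest>`) makes the artifact that was tested the one that gets deployed. The plugin container's `env:` list continues outside the hunk.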
@@ -112,34 +222,111 @@ metadata: --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cloudscale-provisioner-role +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + # cluster-driver-registrar currently needs permissions to create the CSIDriver CRD + # see https://github.com/kubernetes-csi/cluster-driver-registrar/issues/3 + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "create"] + + +--- + kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-cloudscale-controller-provisioner-binding - namespace: kube-system + name: csi-cloudscale-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-cloudscale-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-cloudscale-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- +# Attacher must be able to work with PVs, nodes and VolumeAttachments +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cloudscale-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", 
"list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cloudscale-attacher-binding subjects: - kind: ServiceAccount name: csi-cloudscale-controller-sa namespace: kube-system roleRef: kind: ClusterRole - name: system:csi-external-provisioner + name: csi-cloudscale-attacher-role apiGroup: rbac.authorization.k8s.io --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cloudscale-cluster-driver-registrar-role +rules: + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csidrivers"] + verbs: ["create", "delete"] + +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-cloudscale-controller-attacher-binding - namespace: kube-system + name: csi-cloudscale-cluster-driver-registrar-binding subjects: - kind: ServiceAccount name: csi-cloudscale-controller-sa namespace: kube-system roleRef: kind: ClusterRole - name: system:csi-external-attacher + name: csi-cloudscale-cluster-driver-registrar-role apiGroup: rbac.authorization.k8s.io --- @@ -166,17 +353,25 @@ spec: app: csi-cloudscale-node role: csi-cloudscale spec: + priorityClassName: system-node-critical serviceAccount: csi-cloudscale-node-sa hostNetwork: true containers: - name: driver-registrar - image: quay.io/k8scsi/driver-registrar:v0.3.0 + image: quay.io/k8scsi/csi-node-driver-registrar:v1.0.2 args: - "--v=5" - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/csi.cloudscale.ch /registration/csi.cloudscale.ch-reg.sock"] env: - name: ADDRESS value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/csi.cloudscale.ch/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: 
@@ -184,14 +379,13 @@ spec: volumeMounts: - name: plugin-dir mountPath: /csi/ - # TODO(arslan): the registrar is not implemented yet - # - name: registrar-socket-dir - # mountPath: /var/lib/csi/sockets/ + - name: registration-dir + mountPath: /registration/ - name: csi-cloudscale-plugin - image: cloudscalech/cloudscale-csi-plugin:v0.2.0 + image: cloudscalech/cloudscale-csi-plugin:v1.0.0 + imagePullPolicy: "Always" args : - "--endpoint=$(CSI_ENDPOINT)" - - "--token=$(CLOUDSCALE_ACCESS_TOKEN)" - "--url=$(CLOUDSCALE_API_URL)" env: - name: CSI_ENDPOINT @@ -203,7 +397,6 @@ spec: secretKeyRef: name: cloudscale key: access-token - imagePullPolicy: "Always" securityContext: privileged: true capabilities: @@ -219,15 +412,16 @@ spec: mountPropagation: "Bidirectional" - name: device-dir mountPath: /dev + - name: tmpfs + mountPath: /tmp volumes: - # TODO(arslan): the registar is not implemented yet - #- name: registrar-socket-dir - # hostPath: - # path: /var/lib/kubelet/device-plugins/ - # type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: DirectoryOrCreate - name: plugin-dir hostPath: - path: /var/lib/kubelet/plugins/ch.cloudscale.csi + path: /var/lib/kubelet/plugins/csi.cloudscale.ch type: DirectoryOrCreate - name: pods-mount-dir hostPath: @@ -236,6 +430,11 @@ spec: - name: device-dir hostPath: path: /dev + # to make sure temporary stored luks keys never touch a disk + - name: tmpfs + emptyDir: + medium: Memory + --- apiVersion: v1 
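Review bot: The memory-backed `tmpfs` emptyDir added for LUKS keys has no `sizeLimit`: writes to a `medium: Memory` emptyDir are charged to the container's memory, and with no bound on the volume the only cap is the plugin container's memory limit, which is not visible in these hunks, so a runaway write to `/tmp` in this `privileged: true`, `system-node-critical` pod can eat node memory. Adding `sizeLimit:` under `emptyDir:` sized for a key file (a few MiB is plenty) bounds it. The comment `# to make sure temporary stored luks keys never touch a disk` holds only while the node runs without swap, since memory-backed emptyDirs can otherwise be swapped; stating that assumption in the comment keeps it honest. Moving the token out of argv (the removed `--token=$(CLOUDSCALE_ACCESS_TOKEN)` line in the first hunk) while it stays in the `secretKeyRef` env visible in the second hunk takes it out of process listings; no change needed there.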
@@ -246,11 +445,22 @@ metadata: --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-cloudscale-driver-registrar-role + namespace: kube-system +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + +--- + kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-cloudscale-driver-registrar-binding - namespace: kube-system subjects: - kind: ServiceAccount name: csi-cloudscale-node-sa @@ -258,21 +468,4 @@ subjects: roleRef: kind: ClusterRole name: csi-cloudscale-driver-registrar-role - apiGroup: rbac.authorization.k8s.io - - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-cloudscale-driver-registrar-role - namespace: kube-system -rules: - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - + apiGroup: rbac.authorization.k8s.io
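Review bot: The relocated `csi-cloudscale-driver-registrar-role` ClusterRole still carries `namespace: kube-system` in its metadata; ClusterRole is cluster-scoped, so the API server ignores the field, and the same commit removes it from the ClusterRoleBinding just below, which suggests an oversight here. Drop the `namespace: kube-system` line to match the other ClusterRoles this file now defines. The trimmed rules (events only; the `nodes` get/list/update rule goes with the deleted block at the end) point in the least-privilege direction and need no further change.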