diff --git a/deploy/kubernetes/releases/csi-digitalocean-v1.3.0-luks.yaml b/deploy/kubernetes/releases/csi-digitalocean-v1.3.0-luks.yaml deleted file mode 100644 index 33eb21c7..00000000 --- a/deploy/kubernetes/releases/csi-digitalocean-v1.3.0-luks.yaml +++ /dev/null 
@@ -1,532 +0,0 @@ -# Copyright 2020 DigitalOcean -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Configuration to deploy release version of the CSI DigitalOcean -# plugin (https://github.com/digitalocean/csi-digitalocean) compatible with -# Kubernetes >=v1.14+ -# -# example usage: kubectl create -f -# - - -# Install the CSI Driver. This simplifies driver discovery and enables us to -# customize Kubernetes behavior -# https://kubernetes-csi.github.io/docs/csi-driver-object.html -apiVersion: storage.k8s.io/v1beta1 -kind: CSIDriver -metadata: - name: dobs.csi.digitalocean.com -spec: - attachRequired: true - podInfoOnMount: true - ---- - -############################################## -########### ############ -########### Snapshot CRDs ############ -########### ############ -############################################## -# -# The following CRD's are created by the csi-snapshotter, however it -# complicates installing a driver, because we're not able to install a custom -# VolumeSnapshotClass until the csi-snapshotter sidecar is up and running. We -# pulled out the CRD's and put them here to simplify the installation for the -# users. 
Make sure these are up to date with the original ones whenever we -# release a new version: https://github.com/kubernetes-csi/external-snapshotter/blob/master/cmd/csi-snapshotter/create_crd.go - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: volumesnapshotclasses.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotClass - plural: volumesnapshotclasses - scope: Cluster - version: v1alpha1 - subresources: - status: {} - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: volumesnapshotcontents.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshotContent - plural: volumesnapshotcontents - scope: Cluster - version: v1alpha1 - ---- - -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: volumesnapshots.snapshot.storage.k8s.io -spec: - group: snapshot.storage.k8s.io - names: - kind: VolumeSnapshot - plural: volumesnapshots - scope: Namespaced - version: v1alpha1 - subresources: - status: {} - ---- - -kind: VolumeSnapshotClass -apiVersion: snapshot.storage.k8s.io/v1alpha1 -metadata: - name: do-block-storage - namespace: kube-system - annotations: - snapshot.storage.kubernetes.io/is-default-class: "true" -snapshotter: dobs.csi.digitalocean.com - ---- - -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: do-block-storage - namespace: kube-system - annotations: - storageclass.kubernetes.io/is-default-class: "true" -provisioner: dobs.csi.digitalocean.com -allowVolumeExpansion: true -parameters: - dobs.csi.digitalocean.com/luks-encrypted: "true" - dobs.csi.digitalocean.com/luks-cipher: "aes-xts-plain64" - dobs.csi.digitalocean.com/luks-key-size: "512" - csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} - csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key ---- - -############################################## 
-########### ############ -########### Controller plugin ############ -########### ############ -############################################## - -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: csi-do-controller - namespace: kube-system -spec: - serviceName: "csi-do" - selector: - matchLabels: - app: csi-do-controller - replicas: 1 - template: - metadata: - labels: - app: csi-do-controller - role: csi-do - spec: - priorityClassName: system-cluster-critical - serviceAccount: csi-do-controller-sa - containers: - - name: csi-provisioner - image: quay.io/k8scsi/csi-provisioner:v1.4.0 - args: - - "--csi-address=$(ADDRESS)" - - "--v=5" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-attacher - image: quay.io/k8scsi/csi-attacher:v2.0.0 - args: - - "--v=5" - - "--csi-address=$(ADDRESS)" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-snapshotter - image: quay.io/k8scsi/csi-snapshotter:v1.2.2 - args: - - "--csi-address=$(ADDRESS)" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: IfNotPresent - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-resizer - image: quay.io/k8scsi/csi-resizer:v0.3.0 - args: - - "--v=5" - - "--csi-address=$(ADDRESS)" - - "--csiTimeout=30s" - env: - - name: ADDRESS - value: /var/lib/csi/sockets/pluginproxy/csi.sock - imagePullPolicy: "IfNotPresent" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - - name: csi-do-plugin - image: digitalocean/do-csi-plugin:v1.3.0-luks - args : - - "--endpoint=$(CSI_ENDPOINT)" - - "--token=$(DIGITALOCEAN_ACCESS_TOKEN)" - - "--url=$(DIGITALOCEAN_API_URL)" - env: - - 
name: CSI_ENDPOINT - value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: DIGITALOCEAN_API_URL - value: https://api.digitalocean.com/ - - name: DIGITALOCEAN_ACCESS_TOKEN - valueFrom: - secretKeyRef: - name: digitalocean - key: access-token - imagePullPolicy: "Always" - volumeMounts: - - name: socket-dir - mountPath: /var/lib/csi/sockets/pluginproxy/ - volumes: - - name: socket-dir - emptyDir: {} ---- - -kind: ServiceAccount -apiVersion: v1 -metadata: - name: csi-do-controller-sa - namespace: kube-system - ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-provisioner-role -rules: - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["get", "list"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-provisioner-binding -subjects: - - kind: ServiceAccount - name: csi-do-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-do-provisioner-role - apiGroup: rbac.authorization.k8s.io - ---- -# Attacher must be able to work with PVs, nodes and VolumeAttachments -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-attacher-role 
-rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["nodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["csinodes"] - verbs: ["get", "list", "watch"] - - apiGroups: ["storage.k8s.io"] - resources: ["volumeattachments"] - verbs: ["get", "list", "watch", "update", "patch"] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-attacher-binding -subjects: - - kind: ServiceAccount - name: csi-do-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-do-attacher-role - apiGroup: rbac.authorization.k8s.io - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-snapshotter-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "list", "watch", "delete", "get", "update"] - ---- -kind: ClusterRoleBinding -apiVersion: 
rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-snapshotter-binding -subjects: - - kind: ServiceAccount - name: csi-do-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-do-snapshotter-role - apiGroup: rbac.authorization.k8s.io - ---- - -# Resizer must be able to work with PVCs, PVs, SCs. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-resizer-role -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch", "update", "patch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims/status"] - verbs: ["update", "patch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-resizer-binding -subjects: - - kind: ServiceAccount - name: csi-do-controller-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-do-resizer-role - apiGroup: rbac.authorization.k8s.io - ---- - -######################################## -########### ############ -########### Node plugin ############ -########### ############ -######################################## - -kind: DaemonSet -apiVersion: apps/v1 -metadata: - name: csi-do-node - namespace: kube-system -spec: - selector: - matchLabels: - app: csi-do-node - template: - metadata: - labels: - app: csi-do-node - role: csi-do - spec: - priorityClassName: system-node-critical - serviceAccount: csi-do-node-sa - hostNetwork: true - containers: - - name: csi-node-driver-registrar - image: quay.io/k8scsi/csi-node-driver-registrar:v1.1.0 - args: - - "--v=5" - - "--csi-address=$(ADDRESS)" - - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - lifecycle: - preStop: - exec: - command: ["/bin/sh", "-c", "rm -rf /registration/dobs.csi.digitalocean.com 
/registration/dobs.csi.digitalocean.com-reg.sock"] - env: - - name: ADDRESS - value: /csi/csi.sock - - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/dobs.csi.digitalocean.com/csi.sock - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - volumeMounts: - - name: plugin-dir - mountPath: /csi/ - - name: registration-dir - mountPath: /registration/ - - name: csi-do-plugin - image: digitalocean/do-csi-plugin:v1.3.0-luks - args : - - "--endpoint=$(CSI_ENDPOINT)" - - "--url=$(DIGITALOCEAN_API_URL)" - env: - - name: CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: DIGITALOCEAN_API_URL - value: https://api.digitalocean.com/ - imagePullPolicy: "Always" - securityContext: - privileged: true - capabilities: - add: ["SYS_ADMIN"] - allowPrivilegeEscalation: true - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: pods-mount-dir - mountPath: /var/lib/kubelet - # needed so that any mounts setup inside this container are - # propagated back to the host machine. 
- mountPropagation: "Bidirectional" - - name: device-dir - mountPath: /dev - - name: tmpfs - mountPath: /tmp - volumes: - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: DirectoryOrCreate - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/dobs.csi.digitalocean.com - type: DirectoryOrCreate - - name: pods-mount-dir - hostPath: - path: /var/lib/kubelet - type: Directory - - name: device-dir - hostPath: - path: /dev - # to make sure temporary stored luks keys never touch a disk - - name: tmpfs - emptyDir: - medium: Memory - ---- - -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-do-node-sa - namespace: kube-system - ---- - -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-node-driver-registrar-role - namespace: kube-system -rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "create", "update", "patch"] - ---- - -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-do-node-driver-registrar-binding -subjects: - - kind: ServiceAccount - name: csi-do-node-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-do-node-driver-registrar-role - apiGroup: rbac.authorization.k8s.io diff --git a/deploy/kubernetes/releases/csi-digitalocean-v4.0.0/driver.yaml b/deploy/kubernetes/releases/csi-digitalocean-v4.0.0/driver.yaml index c047ddad..c6163b4e 100644 --- a/deploy/kubernetes/releases/csi-digitalocean-v4.0.0/driver.yaml +++ b/deploy/kubernetes/releases/csi-digitalocean-v4.0.0/driver.yaml 
@@ -40,11 +40,17 @@ deletionPolicy: Delete kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: - name: do-block-storage + name: do-block-storage-luks annotations: storageclass.kubernetes.io/is-default-class: "true" provisioner: dobs.csi.digitalocean.com allowVolumeExpansion: true +parameters: + dobs.csi.digitalocean.com/luks-encrypted: "true" + dobs.csi.digitalocean.com/luks-cipher: "aes-xts-plain64" + dobs.csi.digitalocean.com/luks-key-size: "512" + csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace} + csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}-luks-key --- @@ -57,24 +63,24 @@ allowVolumeExpansion: true kind: StatefulSet apiVersion: apps/v1 metadata: - name: csi-do-controller + name: csi-do-controller-luks namespace: kube-system spec: serviceName: "csi-do" selector: matchLabels: - app: csi-do-controller + app: csi-do-controller-luks replicas: 1 template: metadata: annotations: kubectl.kubernetes.io/default-container: csi-do-plugin labels: - app: csi-do-controller + app: csi-do-controller-luks role: csi-do spec: priorityClassName: system-cluster-critical - serviceAccount: csi-do-controller-sa + serviceAccount: csi-do-controller-sa-luks containers: - name: csi-provisioner image: k8s.gcr.io/sig-storage/csi-provisioner:v3.0.0 @@ -129,7 +135,7 @@ spec: - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ - name: csi-do-plugin - image: digitalocean/do-csi-plugin:v4.0.0 + image: edeckers/do-csi-plugin:v4.0.0-luks args : - "--endpoint=$(CSI_ENDPOINT)" - "--token=$(DIGITALOCEAN_ACCESS_TOKEN)" @@ -157,7 +163,7 @@ spec: kind: ServiceAccount apiVersion: v1 metadata: - name: csi-do-controller-sa + name: csi-do-controller-sa-luks namespace: kube-system --- @@ -202,7 +208,7 @@ metadata: name: csi-do-provisioner-binding subjects: - kind: ServiceAccount - name: csi-do-controller-sa + name: csi-do-controller-sa-luks namespace: kube-system roleRef: kind: ClusterRole 
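Review bot: The renamed `do-block-storage-luks` StorageClass keeps `storageclass.kubernetes.io/is-default-class: "true"`, so on a cluster that also carries the stock `do-block-storage` default (a managed DOKS cluster typically ships one) there are two default classes, and every PVC that omits `storageClassName` now silently depends on a `${pvc.name}-luks-key` Secret existing in its namespace — a missing key presumably surfaces only as a NodeStageVolume failure, not at provisioning time. Since the class is meant to be opted into, set `storageclass.kubernetes.io/is-default-class: "false"` or document that the user must create `<pvc-name>-luks-key` before the PVC. The node-stage secret is fetched by kubelet, so no extra RBAC is needed for the driver, but it is worth a comment that the LUKS passphrase lives in a plain Secret in the workload namespace, readable by anyone with `get secrets` there.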
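Review bot: The controller image switches from the vendor's `digitalocean/do-csi-plugin:v4.0.0` to a personal Docker Hub repository, `edeckers/do-csi-plugin:v4.0.0-luks`, referenced by a mutable tag; this is the container handed `DIGITALOCEAN_ACCESS_TOKEN` (the `--token=$(DIGITALOCEAN_ACCESS_TOKEN)` arg is in the hunk context), so whoever can push to that tag can obtain the account token. Pin the reference by digest, `image: edeckers/do-csi-plugin:v4.0.0-luks@sha256:<digest of the published build>`, and record how the image is built from this repository so the tag can be audited. The same tag is used for the node DaemonSet further down, which mounts the host's `/dev` and `/var/lib/kubelet` with `mountPropagation: "Bidirectional"`.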
@@ -239,7 +245,7 @@ metadata: name: csi-do-attacher-binding subjects: - kind: ServiceAccount - name: csi-do-controller-sa + name: csi-do-controller-sa-luks namespace: kube-system roleRef: kind: ClusterRole @@ -275,7 +281,7 @@ metadata: name: csi-do-snapshotter-binding subjects: - kind: ServiceAccount - name: csi-do-controller-sa + name: csi-do-controller-sa-luks namespace: kube-system roleRef: kind: ClusterRole @@ -311,7 +317,7 @@ metadata: name: csi-do-resizer-binding subjects: - kind: ServiceAccount - name: csi-do-controller-sa + name: csi-do-controller-sa-luks namespace: kube-system roleRef: kind: ClusterRole @@ -329,22 +335,22 @@ roleRef: kind: DaemonSet apiVersion: apps/v1 metadata: - name: csi-do-node + name: csi-do-node-luks namespace: kube-system spec: selector: matchLabels: - app: csi-do-node + app: csi-do-node-luks template: metadata: annotations: kubectl.kubernetes.io/default-container: csi-do-plugin labels: - app: csi-do-node + app: csi-do-node-luks role: csi-do spec: priorityClassName: system-node-critical - serviceAccount: csi-do-node-sa + serviceAccount: csi-do-node-luks hostNetwork: true initContainers: # Delete automount udev rule running on all DO droplets. The rule mounts @@ -385,7 +391,7 @@ spec: - name: registration-dir mountPath: /registration/ - name: csi-do-plugin - image: digitalocean/do-csi-plugin:v4.0.0 + image: edeckers/do-csi-plugin:v4.0.0-luks args : - "--endpoint=$(CSI_ENDPOINT)" - "--url=$(DIGITALOCEAN_API_URL)" @@ -410,6 +416,8 @@ spec: mountPropagation: "Bidirectional" - name: device-dir mountPath: /dev + - name: tmpfs + mountPath: /tmp volumes: - name: registration-dir hostPath: @@ -429,12 +437,16 @@ spec: - name: udev-rules-dir hostPath: path: /etc/udev/rules.d/ + # to make sure temporary stored luks keys never touch a disk + - name: tmpfs + emptyDir: + medium: Memory --- apiVersion: v1 kind: ServiceAccount metadata: - name: csi-do-node-sa + name: csi-do-node-sa-luks namespace: kube-system --- 
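Review bot: The DaemonSet's `serviceAccount: csi-do-node-luks` does not match the ServiceAccount this same file creates, `csi-do-node-sa-luks` (see the `@@ -429` hunk and the ClusterRoleBinding subject), so the node pods will be rejected by the ServiceAccount admission controller with `serviceaccount "csi-do-node-luks" not found` and the LUKS node plugin never starts — or, if someone creates that account by hand, the plugin runs under an account with no bindings while the registrar role is bound to the other one. Change the line to `serviceAccountName: csi-do-node-sa-luks` (`serviceAccount` is the deprecated alias). The StatefulSet hunk above does this consistently with `csi-do-controller-sa-luks`.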
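Review bot: The memory-backed `emptyDir` added for `/tmp` has no `sizeLimit`, and the comment's promise that LUKS keys "never touch a disk" holds only on a node without swap — tmpfs pages are swappable — so that should be stated as a requirement rather than implied. Suggest `emptyDir:` with `medium: Memory` and `sizeLimit: 16Mi` (key files are tiny, and an unbounded tmpfs counts against the pod's memory), and rewording the comment to `# memory-backed so key material staged here is not written to disk (nodes must run without swap)`. Anyone with root on the node can still read this tmpfs through the container's mount namespace, which is expected given the hostPath mounts the plugin already needs.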
@@ -442,7 +454,7 @@ metadata: kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-do-node-driver-registrar-role + name: csi-do-node-luks-driver-registrar-role namespace: kube-system rules: - apiGroups: [""]
@@ -454,12 +466,12 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-do-node-driver-registrar-binding + name: csi-do-node-luks-driver-registrar-binding subjects: - kind: ServiceAccount - name: csi-do-node-sa + name: csi-do-node-sa-luks namespace: kube-system roleRef: kind: ClusterRole - name: csi-do-node-driver-registrar-role + name: csi-do-node-luks-driver-registrar-role apiGroup: rbac.authorization.k8s.io
diff --git a/driver/node.go b/driver/node.go
index 0139dcbf..b13da5e7 100644
--- a/driver/node.go
+++ b/driver/node.go
@@ -287,21 +287,11 @@ func (d *Driver) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpublish }) log.Info("node unpublish volume called") - err := d.mounter.Unmount(req.TargetPath) + err := d.mounter.Unmount(req.TargetPath, luksContext) if err != nil { return nil, err } - if mounted { - log.Info("unmounting the target path") - err := d.mounter.Unmount(req.TargetPath, luksContext) - if err != nil { - return nil, err - } - } else { - log.Info("target path is already unmounted") - } - log.Info("unmounting volume is finished") return &csi.NodeUnpublishVolumeResponse{}, nil }
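Review bot: With the `if mounted` guard removed, NodeUnpublishVolume now calls `d.mounter.Unmount(req.TargetPath, luksContext)` unconditionally, so the CSI idempotency requirement (a repeated call for an already-unpublished target must succeed) rests entirely on Unmount treating an unmounted or absent TargetPath as a no-op — that implementation is not in this hunk, and if it returns an error kubelet would keep retrying the unpublish and the pod would sit in Terminating. Either keep a mount check ahead of the call or pin the contract where the call is made: `// Unmount must be idempotent: an already-unmounted TargetPath is not an error (CSI spec).` `luksContext` is built above the hunk and the function starts outside it, so whether it carries key material or only the volume's LUKS flags could not be checked here; NodeUnpublishVolumeRequest carries no secrets, so it should need only the latter.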