[controller] Add NFSStorageClass controller and validation webhook fo…

…r StorageClasses with provisioner nfs.csi.k8s.io (#4) Signed-off-by: Aleksandr Zimin <[email protected]>
deckhouse · May 13, 2024 · a81dead · a81dead
1 parent 7ceb69d
commit a81dead
Show file tree

Hide file tree

Showing 63 changed files with 4,861 additions and 27 deletions.
diff --git a/.github/workflows/build_dev.yml b/.github/workflows/build_dev.yml
@@ -10,7 +10,6 @@ env:
   GOLANG_VERSION: ${{ vars.GOLANG_VERSION }}
   GOPROXY: ${{ secrets.GOPROXY }}
   SOURCE_REPO: ${{ secrets.SOURCE_REPO }}
-  SOURCE_REPO_TAG: ${{ vars.SOURCE_REPO_TAG }}
 
 on:
   pull_request:

diff --git a/.github/workflows/build_prod.yml b/.github/workflows/build_prod.yml
@@ -11,7 +11,6 @@ env:
   GOLANG_VERSION: ${{ vars.GOLANG_VERSION }}
   GOPROXY: ${{ secrets.GOPROXY }}
   SOURCE_REPO: ${{ secrets.SOURCE_REPO }}
-  SOURCE_REPO_TAG: ${{ vars.SOURCE_REPO_TAG }}
 
 on:
   push:

diff --git a/.gitignore b/.gitignore
@@ -32,3 +32,6 @@ __pycache__/
 *.py[cod]
 *$py.class
 .pytest_cache/
+
+# dev
+images/controller/Makefile
diff --git a/.werf/bundle.yaml b/.werf/bundle.yaml
@@ -2,6 +2,7 @@
 ---
 image: bundle
 from: registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc
+fromCacheVersion: "2024-05-12.1"
 import:
 # Rendering .werf/images-digests.yaml is required!
 - image: images-digests

diff --git a/charts/deckhouse_lib_helm-1.21.0.tgz b/charts/deckhouse_lib_helm-1.21.0.tgz
diff --git a/charts/deckhouse_lib_helm-1.22.0.tgz b/charts/deckhouse_lib_helm-1.22.0.tgz
diff --git a/crds/doc-ru-nfsstorageclass.yaml b/crds/doc-ru-nfsstorageclass.yaml
@@ -4,11 +4,11 @@ spec:
       schema:
         openAPIV3Schema:
           description: |
-            Интерфейс управления StorageСlass для CSI-драйвера nfs.csi.storage.deckhouse.io. Ручное создание StorageClass для данного драйвера запрещено.
+            Интерфейс управления StorageСlass для CSI-драйвера nfs.csi.k8s.io. Ручное создание StorageClass для данного драйвера запрещено.
           properties:
             spec:
               properties:
-                server:
+                connection:
                   description: |
                     Настройки сервера NFS
                   properties:
@@ -18,10 +18,16 @@ spec:
                     share:
                       description: |
                         Путь к точке монтирования на NFS сервере
+                    subDir:
+                      description: |
+                        Поддиректория в NFS разделе. Если поддиректория не существует, она будет создана. Если значение subDir содержит следующие строки, они будут преобразованы в соответствующее имя pv/pvc или пространство имен:
+                        - ${pvc.metadata.name}
+                        - ${pvc.metadata.namespace}
+                        - ${pv.metadata.name}
                     nfsVersion:
                       description: |
                         Версия NFS сервера
-                options:
+                mountOptions:
                   description: |
                     Опции монтирования
                   properties:
@@ -39,7 +45,7 @@ spec:
                         Монтирование в режиме "только чтение"
                 chmodPermissions:
                   description: |
-                    Права монтирования субдиректории в NFS разделе
+                    Права для chmod, которые будут применены к субдиректории тома в NFS разделе
                 reclaimPolicy:
                   description: |
                     Режим поведения при удалении PVC. Может быть:

diff --git a/crds/nfsstorageclass.yaml b/crds/nfsstorageclass.yaml
@@ -32,10 +32,13 @@ spec:
               description: |
                 Defines a Kubernetes Storage class configuration.
               required:
-                - server
+                - connection
               properties:
-                server:
+                connection:
                   type: object
+                  x-kubernetes-validations:
+                    - rule: self == oldSelf
+                      message: Value is immutable.
                   description: |
                     Defines a Kubernetes Storage class configuration.
                   required:
@@ -50,13 +53,26 @@ spec:
                           message: Value is immutable.
                       description: |
                         NFS server host
+                      minLength: 1
                     share:
                       type: string
                       x-kubernetes-validations:
                         - rule: self == oldSelf
                           message: Value is immutable.
                       description: |
                         NFS server share path
+                      minLength: 1
+                    subDir:
+                      type: string
+                      x-kubernetes-validations:
+                        - rule: self == oldSelf
+                          message: Value is immutable.
+                      description: |
+                        Sub directory under nfs share. If sub directory does not exist, it will be created. If subDir value contains following strings, it would be converted into corresponding pv/pvc name or namespace:
+                        - ${pvc.metadata.name}
+                        - ${pvc.metadata.namespace}
+                        - ${pv.metadata.name}
+                      minLength: 1
                     nfsVersion:
                       type: string
                       x-kubernetes-validations:
@@ -68,7 +84,7 @@ spec:
                         - "3"
                         - "4.1"
                         - "4.2"
-                options:
+                mountOptions:
                   type: object
                   description: |
                     Storage class mount options
@@ -84,10 +100,12 @@ spec:
                       type: integer
                       description: |
                         NFS server timeout
+                      minimum: 1
                     retransmissions:
                       type: integer
                       description: |
                         NFS retries before fail
+                      minimum: 1
                     readOnly:
                       type: boolean
                       description: |
@@ -96,6 +114,7 @@ spec:
                   type: string
                   description: |
                     chmod rights for PVs subdirectory
+                  pattern: '^[0-7]{3,4}$'
                 reclaimPolicy:
                   type: string
                   x-kubernetes-validations:
@@ -138,3 +157,15 @@ spec:
                     Additional information about the current state of the Storage Class.
       subresources:
         status: {}
+      additionalPrinterColumns:
+        - jsonPath: .status.phase
+          name: Phase
+          type: string
+        - jsonPath: .status.reason
+          name: Reason
+          type: string
+          priority: 1
+        - jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+          description: The age of this resource
diff --git a/hooks/common.py b/hooks/common.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from deckhouse import hook
+from lib.module import module
+from typing import Callable
+import json
+import os
+import unittest
+
+
+NAMESPACE   = "d8-csi-nfs"
+MODULE_NAME = "csiNfs"
+
+def json_load(path: str):
+    with open(path, "r", encoding="utf-8") as f:
+        data = json.load(f)
+    return data
+
+def get_dir_path() -> str:
+    return os.path.dirname(os.path.abspath(__file__))
diff --git a/hooks/generate_webhook_certs.py b/hooks/generate_webhook_certs.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from lib.hooks.internal_tls import GenerateCertificateHook, TlsSecret, default_sans
+from lib.module import values as module_values
+from deckhouse import hook
+from typing import Callable
+import common
+
+def main():
+    hook = GenerateCertificateHook(
+        TlsSecret(
+            cn="webhooks",
+            name="webhooks-https-certs",
+            sansGenerator=default_sans([
+                "webhooks",
+                f"webhooks.{common.NAMESPACE}",
+                f"webhooks.{common.NAMESPACE}.svc"]),
+            values_path_prefix=f"{common.MODULE_NAME}.internal.customWebhookCert"
+            ),
+        cn="csi-nfs-webhooks",
+        common_ca=True,
+        namespace=common.NAMESPACE)
+
+    hook.run()
+
+if __name__ == "__main__":
+    main()
diff --git a/hooks/lib/__init__.py b/hooks/lib/__init__.py
diff --git a/hooks/lib/certificate/__init__.py b/hooks/lib/certificate/__init__.py