Snapshot support if the infra cluster supports snapshots. (#98)

* Implement snapshot support Signed-off-by: Alexander Wels <[email protected]> * Address review comments Signed-off-by: Alexander Wels <[email protected]> * Addressed more review comments Added extra unit tests to the client. Now am checking if the storage class is in the allowed list. Signed-off-by: Alexander Wels <[email protected]> --------- Signed-off-by: Alexander Wels <[email protected]>
kubevirt · Feb 26, 2024 · a722f94 · a722f94
1 parent 7aa580f
commit a722f94
Show file tree

Hide file tree

Showing 86 changed files with 6,017 additions and 6,874 deletions.
diff --git a/cmd/kubevirt-csi-driver/kubevirt-csi-driver.go b/cmd/kubevirt-csi-driver/kubevirt-csi-driver.go
@@ -83,7 +83,10 @@ func handle() {
 		klog.Fatalf("Failed to build tenant client set: %v", err)
 	}
 
-	virtClient, err := kubevirt.NewClient(infraRestConfig)
+	infraClusterLabelsMap := parseLabels()
+	storageClassEnforcement := configureStorageClassEnforcement(infraStorageClassEnforcement)
+
+	virtClient, err := kubevirt.NewClient(infraRestConfig, infraClusterLabelsMap, storageClassEnforcement)
 	if err != nil {
 		klog.Fatal(err)
 	}
@@ -107,31 +110,34 @@ func handle() {
 		}
 	}
 
-	infraClusterLabelsMap := parseLabels()
+	driver := service.NewKubevirtCSIDriver(virtClient,
+		identityClientset,
+		*infraClusterNamespace,
+		infraClusterLabelsMap,
+		storageClassEnforcement,
+		nodeID,
+		*runNodeService,
+		*runControllerService)
+
+	driver.Run(*endpoint)
+}
+
+func configureStorageClassEnforcement(infraStorageClassEnforcement string) util.StorageClassEnforcement {
 	var storageClassEnforcement util.StorageClassEnforcement
-	//parse yaml
+
 	if infraStorageClassEnforcement == "" {
 		storageClassEnforcement = util.StorageClassEnforcement{
 			AllowAll:     true,
 			AllowDefault: true,
 		}
 	} else {
+		//parse yaml
 		err := yaml.Unmarshal([]byte(infraStorageClassEnforcement), &storageClassEnforcement)
 		if err != nil {
 			klog.Fatalf("Failed to parse infra-storage-class-enforcement %v", err)
 		}
 	}
-
-	driver := service.NewKubevirtCSIDriver(virtClient,
-		identityClientset,
-		*infraClusterNamespace,
-		infraClusterLabelsMap,
-		storageClassEnforcement,
-		nodeID,
-		*runNodeService,
-		*runControllerService)
-
-	driver.Run(*endpoint)
+	return storageClassEnforcement
 }
 
 func parseLabels() map[string]string {

diff --git a/deploy/controller-infra/base/deploy.yaml b/deploy/controller-infra/base/deploy.yaml
@@ -110,6 +110,9 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
         - name: csi-liveness-probe
           image: quay.io/openshift/origin-csi-livenessprobe:latest
           args:
@@ -125,6 +128,32 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
+        - name: csi-snapshotter
+          args:
+          - "--v=5"
+          - "--csi-address=/csi/csi.sock"
+          - "--kubeconfig=/var/run/secrets/tenantcluster/value"
+          image: k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            privileged: true
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+          - name: tenantcluster
+            mountPath: "/var/run/secrets/tenantcluster"
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
       volumes:
         - name: socket-dir
           emptyDir: {}

diff --git a/deploy/controller-tenant/base/deploy.yaml b/deploy/controller-tenant/base/deploy.yaml
@@ -73,6 +73,9 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
         - name: csi-provisioner
           image: quay.io/openshift/origin-csi-external-provisioner:latest
           args:
@@ -85,6 +88,13 @@ spec:
           volumeMounts:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
+          resources:
+            requests:
+              memory: 50Mi
+              cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
         - name: csi-attacher
           image: quay.io/openshift/origin-csi-external-attacher:latest
           args:
@@ -100,6 +110,9 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
         - name: csi-liveness-probe
           image: quay.io/openshift/origin-csi-livenessprobe:latest
           args:
@@ -113,9 +126,45 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
+        - name: csi-snapshotter
+          args:
+          - --v=3
+          - --csi-address=/csi/csi.sock
+          image: k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.1
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            privileged: true
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+          resources:
+            requests:
+              memory: 20Mi
+              cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
       volumes:
         - name: socket-dir
           emptyDir: {}
         - name: infracluster
           secret:
             secretName: infra-cluster-credentials
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-snapshotter-role
+subjects:
+  - kind: ServiceAccount
+    name: kubevirt-csi-controller-sa
+    namespace: kubevirt-csi-driver
+roleRef:
+  kind: ClusterRole
+  name: external-snapshotter-runner
+  apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/infra-cluster-service-account.yaml b/deploy/infra-cluster-service-account.yaml
@@ -17,6 +17,12 @@ rules:
 - apiGroups: ["subresources.kubevirt.io"]
   resources: ["virtualmachineinstances/addvolume", "virtualmachineinstances/removevolume"]
   verbs: ["update"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshots"]
+  verbs: ["get", "create", "delete"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims"]
+  verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -29,4 +35,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: kubevirt-csi
----
+
+
diff --git a/deploy/tenant/base/deploy.yaml b/deploy/tenant/base/deploy.yaml
@@ -87,6 +87,12 @@ metadata:
   name: kubevirt-csi-node-sa
   namespace: kubevirt-csi-driver
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubevirt-csi-snapshot-sa
+  namespace: kubevirt-csi-driver
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -124,6 +130,24 @@ rules:
     verbs: ["use"]
     resourceNames: ["privileged"]
 ---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: external-snapshotter-runner
+rules:
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "patch"]
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -137,6 +161,20 @@ roleRef:
   name: kubevirt-csi-node-cr
   apiGroup: rbac.authorization.k8s.io
 ---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-snapshotter-role
+subjects:
+  - kind: ServiceAccount
+    name: kubevirt-csi-snapshot-sa
+    namespace: kubevirt-csi-driver
+roleRef:
+  kind: ClusterRole
+  # change the name also here if the ClusterRole gets renamed
+  name: external-snapshotter-runner
+  apiGroup: rbac.authorization.k8s.io
+---
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
@@ -201,6 +239,9 @@ spec:
             requests:
               memory: 50Mi
               cpu: 10m
+            limits:
+              memory: 500Mi
+              cpu: 250m
         - name: csi-node-driver-registrar
           image: quay.io/openshift/origin-csi-node-driver-registrar:latest
           args:
@@ -225,6 +266,9 @@ spec:
             requests:
               memory: 20Mi
               cpu: 5m
+            limits:
+              memory: 500Mi
+              cpu: 100m
         - name: csi-liveness-probe
           image: quay.io/openshift/origin-csi-livenessprobe:latest
           args:
@@ -238,6 +282,9 @@ spec:
             requests:
               memory: 20Mi
               cpu: 5m
+            limits:
+              memory: 500Mi
+              cpu: 100m
       volumes:
         - name: kubelet-dir
           hostPath:
@@ -277,4 +324,11 @@ metadata:
 provisioner: csi.kubevirt.io
 parameters:
   infraStorageClassName: standard
-  bus: scsi
+  bus: scsi
+---
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: kubevirt-csi-snapclass
+driver: csi.kubevirt.io
+deletionPolicy: Delete
diff --git a/deploy/tenant/base/kustomization.yaml b/deploy/tenant/base/kustomization.yaml
@@ -1,4 +1,9 @@
 commonLabels:
   app: kubevirt-csi-driver
 resources:
+- rbac-snapshot-controller.yaml
+- setup-snapshot-controller.yaml
+- snapshot.storage.k8s.io_volumesnapshotclasses.yaml
+- snapshot.storage.k8s.io_volumesnapshotcontents.yaml
+- snapshot.storage.k8s.io_volumesnapshots.yaml
 - deploy.yaml