Operator fixes (#110)

* operator: misc fixes
* Problem:
  * fix cluster roles in helm charts for 1.14 and above
  * fix scc to allow access to host ports for CSP pod
  * add script to delete all artifacts for operator/csi
  * update helm-operator image to use helm3
* Implementation:
  * fixed above issues
* Testing: tested on ocp 4.2 with installation/deletion/pvc/pod provisioning.
* Review: rkumar, gcostea
* Bug: https://nimblejira.nimblestorage.com/browse/NLT-
Signed-off-by: Shiva Krishna, Merla <shivakrishna.merla@hpe.com>

Author: shivamerla

.gitignore

@@ -17,4 +17,5 @@ build/
 *.out
 
 # helm-charts to build an operator
-operators/*/helm-charts
+operators/*/helm-charts
+operators/*/LICENSE

docs/hpe-csi-driver-1.1.0-beta.tgz

@@ -3,9 +3,9 @@ entries:
   hpe-csi-driver:
   - apiVersion: v1
     appVersion: 1.1.0-beta
-    created: "2020-02-03T11:47:56.434632-08:00"
+    created: "2020-02-08T15:26:10.759395-08:00"
     description: A Helm chart for installing the HPE CSI Driver for Kubernetes
-    digest: 426d98342fd2573982ab70f01e5c9e93e030543008ca3b0b397c6543c1a0c5f0
+    digest: a15d877cd347c3d7c3007f20995b08d0f656dc0fcf86201ce5a369b2f7e85e1b
     home: https://hpe.com/storage/containers
     icon: https://raw.githubusercontent.com/hpe-storage/co-deployments/master/docs/assets/hpedev.png
     keywords:
@@ -25,7 +25,7 @@ entries:
     version: 1.1.0-beta
   - apiVersion: v1
     appVersion: "1.0"
-    created: "2020-02-03T11:47:56.433954-08:00"
+    created: "2020-02-08T15:26:10.758796-08:00"
     description: A Helm chart for installing the HPE CSI Driver for Kubernetes
     digest: 0370a3eb966b1665c1d612ca78e9ad254960f9e10f34ff8a3a926870f241fc6e
     home: https://hpe.com/storage/containers
@@ -47,7 +47,7 @@ entries:
     version: 1.0.1
   - apiVersion: v1
     appVersion: "1.0"
-    created: "2020-02-03T11:47:56.426965-08:00"
+    created: "2020-02-08T15:26:10.757549-08:00"
     description: A Helm chart for installing the HPE CSI Driver for Kubernetes
     digest: 14fe529034fb3bc806639630424bdd11ba2c259dc363014d30a8a8d6b5830cae
     home: https://hpe.com/storage/containers
@@ -70,7 +70,7 @@ entries:
   hpe-flexvolume-driver:
   - apiVersion: v1
     appVersion: "3.1"
-    created: "2020-02-03T11:47:56.441454-08:00"
+    created: "2020-02-08T15:26:10.760574-08:00"
     description: A Helm chart for installing the HPE Volume Driver for Kubernetes
       FlexVolume plugin
     digest: 3b481fc1ad9bc923774563557dbc26fd94c581924b406180cccafb6b77744633
@@ -94,7 +94,7 @@ entries:
     version: 3.1.0
   - apiVersion: v1
     appVersion: "3.0"
-    created: "2020-02-03T11:47:56.439383-08:00"
+    created: "2020-02-08T15:26:10.759899-08:00"
     description: A Helm chart for installing the HPE Volume Driver for Kubernetes
       FlexVolume plugin
     digest: 523ad3c654d697e6350cde6cfee346f056373585c7bcce9b2125b9fb9cd92289
@@ -115,4 +115,4 @@ entries:
     urls:
     - hpe-flexvolume-driver-3.0.0.tgz
     version: 3.0.0
-generated: "2020-02-03T11:47:56.423326-08:00"
+generated: "2020-02-08T15:26:10.756651-08:00"

docs/index.yaml

@@ -71,70 +71,33 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: hpe-csi-attacher-role
 rules:
-  {{- if semverCompare "^1.12.0" .Capabilities.KubeVersion.GitVersion }}
   - apiGroups: [""]
     resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update"]
-  - apiGroups: [""]
-    resources: ["nodes"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["csi.storage.k8s.io"]
-    resources: ["csinodeinfos"]
-    verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update"]
-  {{- else if semverCompare "^1.13.0" .Capabilities.KubeVersion.GitVersion }}
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get", "list", "watch"]
-  - apiGroups: ["csi.storage.k8s.io"]
-    resources: ["csinodeinfos"]
-    verbs: ["get", "list", "watch"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update"]
+    verbs: ["get", "list", "watch", "update", "patch"]
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments/status"]
     verbs: ["get", "list", "watch", "update", "create", "delete"]
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "watch", "list"]
-  - apiGroups: ["storage.hpe.com"]
-    resources: ["hpenodeinfos"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  {{- else }}
-  - apiGroups: [""]
-    resources: ["nodes"]
+  {{- if semverCompare "~1.12.0" .Capabilities.KubeVersion.GitVersion }}
+    resources: ["csinodeinfos"]
+    verbs: ["get", "list", "watch"]
+  {{- else if semverCompare "~1.13.0" .Capabilities.KubeVersion.GitVersion }}
+  - apiGroups: ["csi.storage.k8s.io"]
+    resources: ["csinodeinfos"]
     verbs: ["get", "list", "watch"]
+  {{ else }}
   - apiGroups: ["storage.k8s.io"]
     resources: ["csinodes"]
     verbs: ["get", "list", "watch"]
-  - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments/status"]
-    verbs: ["get", "list", "watch", "update", "create", "delete"]
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "watch", "list"]
-{{- if semverCompare ">=1.17.0" .Capabilities.KubeVersion.GitVersion }}
-  - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update", "patch"]
-   - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update", "patch"]
- {{- else }}
-   - apiGroups: [""]
-    resources: ["persistentvolumes"]
-    verbs: ["get", "list", "watch", "update"]
-   - apiGroups: ["storage.k8s.io"]
-    resources: ["volumeattachments"]
-    verbs: ["get", "list", "watch", "update"]
   {{- end }}
-{{- end }}
 
 ---
 

helm/charts/hpe-csi-driver/templates/hpe-csi-rbac.yaml

@@ -1,4 +1,15 @@
-FROM quay.io/operator-framework/helm-operator:v0.10.1
-LABEL name="csi-driver-operator" vendor="HPE" version="1.0.0" release="1.0" summary="HPE CSI Operator" description="HPE CSI Driver Operator"
+FROM quay.io/operator-framework/helm-operator:v0.15.1
+LABEL name="csi-driver-operator" \
+      maintainer="HPE Storage" \
+      vendor="HPE" \
+      version="1.0.0" \
+      release="1.0" \
+      summary="HPE CSI Operator" \
+      description="HPE CSI Driver Operator" \
+      io.k8s.display-name="HPE CSI Driver Operator for Kubernetes" \
+      io.k8s.description="The HPE CSI Driver Operator for Kubernetes enables container orchestrators, such as Kubernetes and OpenShift, to manage the life-cycle of persistent storage." \
+      io.openshift.tags=hpe,csi,hpe-csi-driver
+
 COPY helm-charts/ ${HOME}/helm-charts/
 COPY watches.yaml ${HOME}/watches.yaml
+COPY LICENSE /licenses/

operators/hpe-csi-operator/Dockerfile

@@ -12,83 +12,82 @@ For platform dependencies for HPE CSI driver please refer to [prerequisites](htt
 
 ## Installation
 
-Clone this GitHub repository.
+For OCP create SecurityContextConstraints with privileges required for CSI driver
 ```
-git clone https://github.com/hpe-storage/co-deployments
-cd operators/hpe-csi-operator
+oc deploy -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/scc.yaml -n hpe-csi
 ```
 
-Create your own `values.yaml`. The easiest way is to copy the default [./values.yaml](../../helm/charts/hpe-csi-driver/values.yaml) with `wget` and change parameters like `backend` as necessary.
+*** NOTE *** If you are using OpenShift, replace `kubectl` with `oc` below.
 
-Run the install script to set up the HPE CSI Operator.
-```install.sh --image=<image> --namespace=<namespace> --flavor=<co flavor> --values=<values.yaml file path>```
-
-Parameter list:<br/>
-1. ``image`` is the HPE CSI Operator image. If unspecified ``image`` resolves to the released version at [hpestorage/hpe-csi-operator](https://hub.docker.com/repository/docker/hpestorage/csi-driver-operator).
-2. ``namespace`` is the namespace/project in which the HPE CSI Operator and its entities will be installed. If unspecified, the operator creates and installs in  the ``hpe-csi`` namespace.
-**HPE CSI Operator MUST be installed in a new project with no other pods. Otherwise an uninstall may delete pods that are not related to the HPE CSI Operator.**
-3. ``flavor`` defaults to ``k8s``. Options are ``k8s``, ``kubernetes``, ``ocp`` or ``openshift``.
-4. ``values.yaml`` is the customized helm-chart configuration parameters. This is a **required parameter** and must contain a valid backend HPE storage system. All parameters that need a non-default value must be specified in this file.
-Refer to [Configuration for values.yaml.](https://github.com/hpe-storage/co-deployments/tree/master/helm/charts/hpe-csi-driver#configuration--installation) for details about various parameters.
-
-**Note:** HPE CSI Driver for Kubernetes automatically configures Linux iSCSI/Multipath settings based on [config.json](https://raw.githubusercontent.com/hpe-storage/co-deployments/master/helm/charts/hpe-csi-driver/files/config.json). In order to tune these values, edit the config map with `kubectl edit configmap hpe-linux-config -n hpe-csi` and restart node plugin using `kubectl delete pod -l app=hpe-csi-node` to apply.
-
-### Install script steps:
-The install script will do the following:
-1. Create New Project.<br/>
-The script creates a new project (if it does not already exist) with the given namespace. If no namespace parameter is specified, the ``hpe-csi`` namespace is used.<br/>
-
-2. Create a Custom Resource Definition (CRD) for the HPE CSI Operator. <br/>
-The script waits for the CRD to be published in the cluster. If after 10 seconds the API server has not setup the CRD, the script times out.
+Deploy Operator/RBAC and CRD's required
+```
+kubectl deploy -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/rbac.yaml -n hpe-csi
+kubectl deploy -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/operator.yaml -n hpe-csi
+kubectl deploy -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/crds/storage.hpe.com_hpecsidrivers_crd.yaml -n hpe-csi
+```
 
-3. Create RBAC rules for the Operator.<br/>
-The HPE CSI Operator needs the following Cluster-level Roles and RoleBindings.
+Fetch and update CustomResource of type `HPECSIDriver` with required values
+```
+curl -sL https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/crds/storage.hpe.com_hpecsidrivers_cr.yaml
+```
 
+Deploy above updated CustomResource `csi-driver`
+```
+kubectl deploy -f storage.hpe.com_hpecsidrivers_cr.yaml -n hpe-csi
+```
 
-| Resource        | Permissions           | Notes  |
-| ------------- |:-------------:| -----:|
-| Namespace | Get | HPE CSI Operator needs the ability to get created namespaces |
-| Storageclass | Create/Delete | Create and cleanup storage classes to be used for Provisioning |
-| ClusterRoleBinding | Create/Delete/Get | HPE Operator needs to create and cleanup a ClusterRoleBinding used by the external-provisioner/external-attacher/external-snapshotter/external-resizer sidecars |
-<br/>
+where ``hpe-csi`` is the project/namespace in which the HPE CSI Operator is installed. It is **strongly recommended** to install the HPE CSI Operator in a new project and not add any other pods to this project/namespace. Any pods in this project will be cleaned up on an uninstall.
 
-In addition, the operator needs access to multiple resources in the project/namespace that it is deployed in to function correctly. Hence it is recommended to install the HPE CSI Operator in the non-default namespace.
-<br/>
+## Upgrading
 
-4. Creates a deployment for the Operator.<br/>
-Finally the script creates and deploys the operator using the customized parameters passed in the ``values.yaml`` file.
+Fetch and update CustomResource of type `HPECSIDriver` with required values
+```
+curl -sL https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/crds/storage.hpe.com_hpecsidrivers_cr.yaml
+```
 
-## Upgrading
+Deploy updated CustomResource `csi-driver`
+```
+kubectl deploy -f storage.hpe.com_hpecsidrivers_cr.yaml -n hpe-csi
+```
 
 ### How to upgrade from helm install to HPE CSI Operator
 This upgrade will not impact the in-use volumes/filesystems from data path perspective. However, it will affect the in-flight volume/filesystem management operations. So, it is recommended to stop all the volume/filesystem management operations before doing this upgrade. Otherwise, these operations may need to be retried after the upgrade.
 
 Remove the helm-chart using instructions in https://helm.sh/docs/using_helm/#uninstall-a-release.
 Once the helm chart has been uninstalled, follow the install instructions [above.](#installation)
 
-### Apply changes in ``values.yaml``
-The ``update.sh`` script is used to apply changes from ``values.yaml`` as follows.
+## Uninstall
+
+*** NOTE *** If you are using OpenShift, replace `kubectl` with `oc`.
+
+1. Delete the HPE CSI Driver custom resource, this will cause our CSI plugin resources to be cleaned up.
 ```
-./update.sh -f values.yaml
+kubectl delete -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/crds/storage.hpe.com_hpecsidrivers_cr.yaml -n hpe-csi
+
+kubectl delete -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/crds/storage.hpe.com_hpecsidrivers_crd.yaml -n hpe-csi
 ```
 
-## Uninstall
-To uninstall the HPE CSI Operator, run
+If the CRD fails to delete you may be experiencing a known issue. Resolve this by running:
 ```
-kubectl delete all --all -n <hpe-csi-operator-installed-namespace>
+kubectl patch crd/hpecsidrivers.storage.hpe.com -p '{"metadata":{"finalizers":[]}}' --type=merge
 ```
-where ``hpe-csi-operator-installed-namespace`` is the project/namespace in which the HPE CSI Operator is installed. It is **strongly recommended** to install the HPE CSI Operator in a new project and not add any other pods to this project/namespace. Any pods in this project will be cleaned up on an uninstall.
 
-If you are using OpenShift, replace `kubectl` with `oc`.
-To completely remove the CustomResourceDefinition used by the Operator run
+2. Delete all cluster level roles and bindings for operator
 ```
-kubectl delete crd hpecsidrivers.storage.hpe.com
+kubectl delete -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/rbac.yaml -n hpe-csi
 ```
-If the CRD fails to delete you may be experiencing a known issue. Resolve this by running:
+
+For OpenShift, delete SecurityContextConstraints created
 ```
-kubectl patch crd/hpecsidrivers.storage.hpe.com -p '{"metadata":{"finalizers":[]}}' --type=merge
+kubectl delete -f -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/scc.yaml -n hpe-csi
 ```
-If you are using OpenShift, replace `kubectl` with `oc` in the above commands.
+
+3. Delete operator deployment itself
+```
+kubectl delete -f https://raw.githubusercontent.com/hpe-storage/co-deployments/master/operators/hpe-csi-operator/deploy/operator.yaml -n hpe-csi
+```
+
+where ``hpe-csi`` is the project/namespace in which the HPE CSI Operator is installed. It is **strongly recommended** to install the HPE CSI Operator in a new project and not add any other pods to this project/namespace. Any pods in this project will be cleaned up on an uninstall.
 
 ## License
 This is open source software licensed using the Apache License 2.0. Please see [LICENSE](../../LICENSE) for details.

operators/hpe-csi-operator/README.md

@@ -13,6 +13,8 @@ IMG_DIR=$(dirname $0)
 HELM_DIR=${IMG_DIR}/../../helm
 mkdir -p ${IMG_DIR}/helm-charts
 
+cp ${IMG_DIR}/../../LICENSE ${IMG_DIR}/
+
 # Copy helm charts to staging directory
 cp -r ${HELM_DIR}/charts/hpe-csi-driver ${IMG_DIR}/helm-charts
 

operators/hpe-csi-operator/build.sh

@@ -1,4 +1,3 @@
----
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
@@ -11,9 +10,13 @@ spec:
     plural: hpecsidrivers
     singular: hpecsidriver
   scope: Namespaced
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      type: object
+      x-kubernetes-preserve-unknown-fields: true
   versions:
   - name: v1
     served: true
     storage: true
-  subresources:
-    status: {}

operators/hpe-csi-operator/deploy/cr.yaml

@@ -0,0 +1,54 @@
+apiVersion: storage.hpe.com/v1
+kind: HPECSIDriver
+metadata:
+  name: csi-driver
+spec:
+  # Default values copied from <project_dir>/helm-charts/hpe-csi-driver/values.yaml
+
+  CRD:
+    nodeInfo:
+      create: false
+  accessProtocol: iscsi
+  allowVolumeExpansion: true
+  backend: 192.168.1.1
+  csiAttacherImage: quay.io/k8scsi/csi-attacher
+  csiAttacherTagv0: v0.4.2
+  csiAttacherTagv1: v1.1.0
+  csiAttacherTagv2: v1.2.0
+  csiDriverImage: hpestorage/csi-driver
+  csiDriverTag: v1.1.0-beta
+  csiProvisionerImage: quay.io/k8scsi/csi-provisioner
+  csiProvisionerTagv0: v0.4.3
+  csiProvisionerTagv1: v1.4.0
+  csiResizerImage: quay.io/k8scsi/csi-resizer
+  csiResizerTag: v0.3.0
+  csiSnapshotterImage: quay.io/k8scsi/csi-snapshotter
+  csiSnapshotterTagv0: v0.4.2
+  csiSnapshotterTagv1: v1.2.2
+  csiSnapshotterTagv2: v1.2.2
+  cspImage: hpestorage/nimble-csp
+  cspName: nimble-csp
+  cspTag: v1.1.0-beta
+  flavor: kubernetes
+  fsType: xfs
+  imagePullPolicy: Always
+  logLevel: info
+  nodeRegistrarImage: quay.io/k8scsi/csi-node-driver-registrar
+  nodeRegistrarImagev0: quay.io/k8scsi/driver-registrar
+  nodeRegistrarTagv0: v0.4.1
+  nodeRegistrarTagv1: v1.1.0
+  nodeRegistrarTagv2: v1.1.0
+  password: admin
+  postInstallImage: alpine
+  postInstallTag: "3.3"
+  secretName: nimble-secret
+  serviceName: nimble-csp-svc
+  servicePort: "8080"
+  serviceWaitTime: "10"
+  storageClass:
+    create: true
+    defaultClass: false
+    name: hpe-standard
+  username: admin
+  volumeDescription: Volume created by the HPE CSI Driver for Kubernetes
+