From bb363d78e77fc5732dc3aa7248c6b27bc628c3d2 Mon Sep 17 00:00:00 2001
From: Hemant Kumar
Date: Wed, 28 Feb 2024 08:43:07 -0500
Subject: [PATCH 1/4] Add a dummy pr for changes
---
 pkg/driver/azure-file/azure_file.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/driver/azure-file/azure_file.go b/pkg/driver/azure-file/azure_file.go
index 7234e012e..00760a062 100644
--- a/pkg/driver/azure-file/azure_file.go
+++ b/pkg/driver/azure-file/azure_file.go
@@ -127,6 +127,7 @@ func GetAzureFileOperatorConfig() *config.OperatorConfig {
 // after a client connection + cluster flavour are established.
 func GetAzureFileOperatorControllerConfig(ctx context.Context, flavour generator.ClusterFlavour, c *clients.Clients) (*config.OperatorControllerConfig, error) {
 cfg := operator.NewDefaultOperatorControllerConfig(flavour, c, "AzureFile")
+ klog.Infof("Running using new csi-operator")
 // We need featuregate accessor made available to the operator pods
 desiredVersion := os.Getenv(operatorImageVersionEnvVarName)
From 2f06e1acf031d97b5447d3194885d3ce6f66aad2 Mon Sep 17 00:00:00 2001
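Review bot: The added `klog.Infof("Running using new csi-operator")` carries no format verbs and no arguments, so the plain form `klog.Info("Running using new csi-operator")` is the right call. The commit title describes this as a dummy change; if the line is meant to survive the series it should state something an operator admin can act on, such as which flavour is being configured (`flavour` is in scope here), otherwise it should be dropped before merge. GetAzureFileOperatorControllerConfig continues past the end of the hunk.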
From: Hemant Kumar
Date: Wed, 28 Feb 2024 16:08:51 -0500
Subject: [PATCH 2/4] Give driver on node permission to read secret
---
 .../csi-driver-cluster-role-binding-node.yaml | 12 +++++
 .../base/csi-driver-cluster-role-node.yaml | 9 ++++
 .../csi-driver-cluster-role-binding-node.yaml | 18 +++++++
 .../csi-driver-cluster-role-node.yaml | 19 +++++++
 .../generated/hypershift/manifests.yaml | 2 +
 .../azure-file/generated/hypershift/node.yaml | 50 ------------------
 .../csi-driver-cluster-role-binding-node.yaml | 18 +++++++
 .../csi-driver-cluster-role-node.yaml | 19 +++++++
 .../generated/standalone/manifests.yaml | 2 +
 .../azure-file/generated/standalone/node.yaml | 50 ------------------
 .../azure-file/patches/node_add_driver.yaml | 52 -------------------
 pkg/driver/azure-file/azure_file.go | 2 +
 12 files changed, 101 insertions(+), 152 deletions(-)
 create mode 100644 assets/overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-file/base/csi-driver-cluster-role-node.yaml
 create mode 100644 assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-node.yaml
 create mode 100644 assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-node.yaml
diff --git a/assets/overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml
new file mode 100644
index 000000000..58d35895a
--- /dev/null
+++ b/assets/overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-file-csi-driver-binding-node
+subjects:
+ - kind: ServiceAccount
+ name: azure-file-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers
+roleRef:
+ kind: ClusterRole
+ name: azure-file-csi-driver-node-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/assets/overlays/azure-file/base/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-file/base/csi-driver-cluster-role-node.yaml
new file mode 100644
index 000000000..cc7358145
--- /dev/null
+++ b/assets/overlays/azure-file/base/csi-driver-cluster-role-node.yaml
@@ -0,0 +1,9 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-file-csi-driver-node-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+
diff --git a/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
new file mode 100644
index 000000000..b46a4dd56
--- /dev/null
+++ b/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-file-csi-driver-binding-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-file-csi-driver-node-role +subjects: +- kind: ServiceAccount + name: azure-file-csi-driver-node-sa + namespace: openshift-cluster-csi-drivers
diff --git a/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-node.yaml
new file mode 100644
index 000000000..7e82469de
--- /dev/null
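Review bot: `csi-driver-cluster-role-node.yaml` grants the node DaemonSet's service account `get`, `list` and `watch` on every Secret in the cluster with no `resourceNames` scoping, and the node.yaml hunks in this same patch show that pod runs on every node with `hostNetwork: true`, so compromise of any one node's driver container would expose all cluster Secrets. If the node plugin only needs to fetch the storage-account secret referenced by a volume, `get` alone suffices and the rule should read `verbs: ["get"]`; `list`/`watch` turn a per-volume lookup into the ability to enumerate everything. The previous design handed the node pod a single credential secret through the injector rather than API read access to all Secrets, so the commit message should record why cluster-wide read is required now. I also cannot see from the series whether the node plugin tolerates starting with the cloud config removed and `--cloud-config-secret-name=""`; worth confirming in CI rather than assuming.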
+++ b/assets/overlays/azure-file/generated/hypershift/csi-driver-cluster-role-node.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-file/base/csi-driver-cluster-role-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-file-csi-driver-node-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/assets/overlays/azure-file/generated/hypershift/manifests.yaml b/assets/overlays/azure-file/generated/hypershift/manifests.yaml index b64bdae16..9bda0f3a0 100644 --- a/assets/overlays/azure-file/generated/hypershift/manifests.yaml +++ b/assets/overlays/azure-file/generated/hypershift/manifests.yaml @@ -5,7 +5,9 @@ controllerStaticAssetNames: - controller_sa.yaml - service.yaml guestStaticAssetNames: +- csi-driver-cluster-role-binding-node.yaml - csi-driver-cluster-role-binding.yaml +- csi-driver-cluster-role-node.yaml - csi-driver-cluster-role.yaml - csidriver.yaml - lease_leader_election_binding.yaml diff --git a/assets/overlays/azure-file/generated/hypershift/node.yaml b/assets/overlays/azure-file/generated/hypershift/node.yaml index ec408c4a5..3e11d8b94 100644 --- a/assets/overlays/azure-file/generated/hypershift/node.yaml +++ b/assets/overlays/azure-file/generated/hypershift/node.yaml @@ -40,8 +40,6 @@ spec: - --cloud-config-secret-name="" - --cloud-config-secret-namespace="" env: - - name: AZURE_CREDENTIAL_FILE - value: /etc/kubernetes/cloud.conf - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: KUBE_NODE_NAME @@ -76,9 +74,6 @@ spec: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: kubelet-dir - - mountPath: /etc/kubernetes/ - name: cloud-config - readOnly: true - mountPath: /dev name: device-dir - mountPath: /sys/bus/scsi/devices 
@@ -148,46 +143,6 @@ spec: - mountPath: /csi name: socket-dir hostNetwork: true - initContainers: - - args: - - --cloud-config-file-path=/etc/cloud-config/config - - --output-file-path=/etc/merged-cloud-config/cloud.conf - - --disable-identity-extension-auth - - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY} - command: - - /azure-config-credentials-injector - env: - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - key: azure_client_id - name: azure-file-credentials - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: azure_client_secret - name: azure-file-credentials - optional: true - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - key: azure_tenant_id - name: azure-file-credentials - optional: true - - name: AZURE_FEDERATED_TOKEN_FILE - valueFrom: - secretKeyRef: - key: azure_federated_token_file - name: azure-file-credentials - optional: true - image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE} - name: azure-inject-credentials - volumeMounts: - - mountPath: /etc/cloud-config - name: src-cloud-config - readOnly: true - - mountPath: /etc/merged-cloud-config - name: cloud-config nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical @@ -219,9 +174,6 @@ spec: path: /sys/fs type: Directory name: sys-fs - - configMap: - name: azure-cloud-config - name: src-cloud-config - hostPath: path: /sys/bus/scsi/devices type: Directory @@ -230,8 +182,6 @@ spec: path: /sys/class/scsi_host/ type: Directory name: scsi-host-dir - - emptydir: {} - name: cloud-config - name: bound-sa-token projected: sources: diff --git a/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-binding-node.yaml new file mode 100644 index 000000000..b46a4dd56 --- /dev/null +++ b/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-binding-node.yaml 
@@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-file-csi-driver-binding-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-file-csi-driver-node-role +subjects: +- kind: ServiceAccount + name: azure-file-csi-driver-node-sa + namespace: openshift-cluster-csi-drivers diff --git a/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-node.yaml new file mode 100644 index 000000000..7e82469de --- /dev/null +++ b/assets/overlays/azure-file/generated/standalone/csi-driver-cluster-role-node.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-file/base/csi-driver-cluster-role-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-file-csi-driver-node-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch diff --git a/assets/overlays/azure-file/generated/standalone/manifests.yaml b/assets/overlays/azure-file/generated/standalone/manifests.yaml index 028c90073..664a33251 100644 --- a/assets/overlays/azure-file/generated/standalone/manifests.yaml +++ b/assets/overlays/azure-file/generated/standalone/manifests.yaml @@ -10,7 +10,9 @@ controllerStaticAssetNames: - service.yaml - servicemonitor.yaml guestStaticAssetNames: +- csi-driver-cluster-role-binding-node.yaml - csi-driver-cluster-role-binding.yaml +- csi-driver-cluster-role-node.yaml - csi-driver-cluster-role.yaml - csidriver.yaml - lease_leader_election_binding.yaml diff --git a/assets/overlays/azure-file/generated/standalone/node.yaml b/assets/overlays/azure-file/generated/standalone/node.yaml index ec408c4a5..3e11d8b94 100644 
--- a/assets/overlays/azure-file/generated/standalone/node.yaml +++ b/assets/overlays/azure-file/generated/standalone/node.yaml @@ -40,8 +40,6 @@ spec: - --cloud-config-secret-name="" - --cloud-config-secret-namespace="" env: - - name: AZURE_CREDENTIAL_FILE - value: /etc/kubernetes/cloud.conf - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: KUBE_NODE_NAME @@ -76,9 +74,6 @@ spec: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: kubelet-dir - - mountPath: /etc/kubernetes/ - name: cloud-config - readOnly: true - mountPath: /dev name: device-dir - mountPath: /sys/bus/scsi/devices @@ -148,46 +143,6 @@ spec: - mountPath: /csi name: socket-dir hostNetwork: true - initContainers: - - args: - - --cloud-config-file-path=/etc/cloud-config/config - - --output-file-path=/etc/merged-cloud-config/cloud.conf - - --disable-identity-extension-auth - - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY} - command: - - /azure-config-credentials-injector - env: - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - key: azure_client_id - name: azure-file-credentials - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: azure_client_secret - name: azure-file-credentials - optional: true - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - key: azure_tenant_id - name: azure-file-credentials - optional: true - - name: AZURE_FEDERATED_TOKEN_FILE - valueFrom: - secretKeyRef: - key: azure_federated_token_file - name: azure-file-credentials - optional: true - image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE} - name: azure-inject-credentials - volumeMounts: - - mountPath: /etc/cloud-config - name: src-cloud-config - readOnly: true - - mountPath: /etc/merged-cloud-config - name: cloud-config nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical 
@@ -219,9 +174,6 @@ spec: path: /sys/fs type: Directory name: sys-fs - - configMap: - name: azure-cloud-config - name: src-cloud-config - hostPath: path: /sys/bus/scsi/devices type: Directory
@@ -230,8 +182,6 @@ spec: path: /sys/class/scsi_host/ type: Directory name: scsi-host-dir - - emptydir: {} - name: cloud-config - name: bound-sa-token projected: sources:
diff --git a/assets/overlays/azure-file/patches/node_add_driver.yaml b/assets/overlays/azure-file/patches/node_add_driver.yaml
index f5575e507..68f5603a5 100644
--- a/assets/overlays/azure-file/patches/node_add_driver.yaml
+++ b/assets/overlays/azure-file/patches/node_add_driver.yaml
@@ -24,8 +24,6 @@ spec:
 - --cloud-config-secret-name=""
 - --cloud-config-secret-namespace=""
 env:
- - name: AZURE_CREDENTIAL_FILE
- value: "/etc/kubernetes/cloud.conf"
 - name: CSI_ENDPOINT
 value: unix:///csi/csi.sock
 - name: KUBE_NODE_NAME
@@ -56,9 +54,6 @@ spec:
 - mountPath: /var/lib/kubelet
 mountPropagation: Bidirectional
 name: kubelet-dir
- - mountPath: /etc/kubernetes/
- readOnly: true
- name: cloud-config
 - mountPath: /dev
 name: device-dir
 - mountPath: /sys/bus/scsi/devices
@@ -72,52 +67,7 @@ spec:
 - name: bound-sa-token
 mountPath: /var/run/secrets/openshift/serviceaccount
 readOnly: true
- initContainers:
- # Merge /etc/kubernetes/cloud.conf (on the host) with secret "azure-file-credentials" into "merged-cloud-config" emptydir.
- - name: azure-inject-credentials
- image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}
- command:
- - /azure-config-credentials-injector
- args:
- - --cloud-config-file-path=/etc/cloud-config/config
- - --output-file-path=/etc/merged-cloud-config/cloud.conf
- # Force disable node's managed identity, azure-file-credentials Secret should be used.
- - --disable-identity-extension-auth
- - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: azure-file-credentials
- key: azure_client_id
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-file-credentials
- key: azure_client_secret
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- name: azure-file-credentials
- key: azure_tenant_id
- optional: true
- - name: AZURE_FEDERATED_TOKEN_FILE
- valueFrom:
- secretKeyRef:
- name: azure-file-credentials
- key: azure_federated_token_file
- optional: true
- volumeMounts:
- - name: src-cloud-config
- mountPath: /etc/cloud-config
- readOnly: true
- - name: cloud-config
- mountPath: /etc/merged-cloud-config
 volumes:
- - name: src-cloud-config
- configMap:
- name: azure-cloud-config
 - hostPath:
 path: /sys/bus/scsi/devices
 type: Directory
@@ -126,8 +76,6 @@ spec:
 path: /sys/class/scsi_host/
 type: Directory
 name: scsi-host-dir
- - emptydir: {}
- name: cloud-config
 - name: bound-sa-token
 projected:
 sources:
diff --git a/pkg/driver/azure-file/azure_file.go b/pkg/driver/azure-file/azure_file.go
index 00760a062..5e2d1b866 100644
--- a/pkg/driver/azure-file/azure_file.go
+++ b/pkg/driver/azure-file/azure_file.go
@@ -106,6 +106,8 @@ func GetAzureFileGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/azure-file/base/storageclass.yaml",
 "overlays/azure-file/base/csi-driver-cluster-role.yaml",
 "overlays/azure-file/base/csi-driver-cluster-role-binding.yaml",
+ "overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml",
+ "overlays/azure-file/base/csi-driver-cluster-role-node.yaml",
 ),
 },
 }
From 4956269e508d51e975c4fb3b871192c6543a0ab9 Mon Sep 17 00:00:00 2001
From: Hemant Kumar
Date: Wed, 28 Feb 2024 16:51:29 -0500
Subject: [PATCH 3/4] Remove cloud-config from node for azure-disk
---
 .../generated/hypershift/manifests.yaml | 2 +
 .../azure-disk/generated/hypershift/node.yaml | 51 +-----------------
 .../generated/standalone/manifests.yaml | 2 +
 .../azure-disk/generated/standalone/node.yaml | 51 +-----------------
 .../azure-disk/patches/node_add_driver.yaml | 54 +------------------
 pkg/driver/azure-disk/azure_disk.go | 2 +
 6 files changed, 10 insertions(+), 152 deletions(-)
diff --git a/assets/overlays/azure-disk/generated/hypershift/manifests.yaml b/assets/overlays/azure-disk/generated/hypershift/manifests.yaml
index 186996d9e..cd031613b 100644
--- a/assets/overlays/azure-disk/generated/hypershift/manifests.yaml
+++ b/assets/overlays/azure-disk/generated/hypershift/manifests.yaml
@@ -5,6 +5,8 @@ controllerStaticAssetNames: - controller_sa.yaml - service.yaml guestStaticAssetNames: +- csi-driver-cluster-role-binding-node.yaml +- csi-driver-cluster-role-node.yaml - csidriver.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml
diff --git a/assets/overlays/azure-disk/generated/hypershift/node.yaml b/assets/overlays/azure-disk/generated/hypershift/node.yaml
index 081f1b57e..fcd87fd61 100644
--- a/assets/overlays/azure-disk/generated/hypershift/node.yaml
+++ b/assets/overlays/azure-disk/generated/hypershift/node.yaml
@@ -37,11 +37,10 @@ spec: - --v=${LOG_LEVEL} - --nodeid=$(KUBE_NODE_NAME) - --metrics-address=localhost:8206 + - --get-node-info-from-labels=true - --cloud-config-secret-name="" - --cloud-config-secret-namespace="" env: - - name: AZURE_CREDENTIAL_FILE - value: /etc/kubernetes/cloud.conf - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: KUBE_NODE_NAME @@ -76,9 +75,6 @@ spec: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: kubelet-dir - - mountPath: /etc/kubernetes/ - name: cloud-config - readOnly: true - mountPath: /dev name: device-dir - mountPath: /sys/bus/scsi/devices @@ -145,46 +141,6 @@ spec: - mountPath: /csi name: socket-dir hostNetwork: true - initContainers: - - args: - - --cloud-config-file-path=/etc/cloud-config/config - - --output-file-path=/etc/merged-cloud-config/cloud.conf - - --disable-identity-extension-auth - - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY} - command: - - /azure-config-credentials-injector - env: - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - key: azure_client_id - name: azure-disk-credentials - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: azure_client_secret - name: azure-disk-credentials - optional: true - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - key: azure_tenant_id - name: azure-disk-credentials - optional: true - - name: AZURE_FEDERATED_TOKEN_FILE - valueFrom: - secretKeyRef: - key: azure_federated_token_file - name: azure-disk-credentials - optional: true - image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE} - name: azure-inject-credentials - volumeMounts: - - mountPath: /etc/cloud-config - name: src-cloud-config - readOnly: true - - mountPath: /etc/merged-cloud-config - name: cloud-config nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical 
@@ -216,9 +172,6 @@ spec: path: /sys/fs type: Directory name: sys-fs - - configMap: - name: azure-cloud-config - name: src-cloud-config - hostPath: path: /sys/bus/scsi/devices type: Directory @@ -227,8 +180,6 @@ spec: path: /sys/class/scsi_host/ type: Directory name: scsi-host-dir - - emptydir: {} - name: cloud-config updateStrategy: rollingUpdate: maxUnavailable: 10% diff --git a/assets/overlays/azure-disk/generated/standalone/manifests.yaml b/assets/overlays/azure-disk/generated/standalone/manifests.yaml index bdd1e8cea..f152c489d 100644 --- a/assets/overlays/azure-disk/generated/standalone/manifests.yaml +++ b/assets/overlays/azure-disk/generated/standalone/manifests.yaml @@ -10,6 +10,8 @@ controllerStaticAssetNames: - service.yaml - servicemonitor.yaml guestStaticAssetNames: +- csi-driver-cluster-role-binding-node.yaml +- csi-driver-cluster-role-node.yaml - csidriver.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml diff --git a/assets/overlays/azure-disk/generated/standalone/node.yaml b/assets/overlays/azure-disk/generated/standalone/node.yaml index 081f1b57e..fcd87fd61 100644 --- a/assets/overlays/azure-disk/generated/standalone/node.yaml +++ b/assets/overlays/azure-disk/generated/standalone/node.yaml @@ -37,11 +37,10 @@ spec: - --v=${LOG_LEVEL} - --nodeid=$(KUBE_NODE_NAME) - --metrics-address=localhost:8206 + - --get-node-info-from-labels=true - --cloud-config-secret-name="" - --cloud-config-secret-namespace="" env: - - name: AZURE_CREDENTIAL_FILE - value: /etc/kubernetes/cloud.conf - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: KUBE_NODE_NAME @@ -76,9 +75,6 @@ spec: - mountPath: /var/lib/kubelet mountPropagation: Bidirectional name: kubelet-dir - - mountPath: /etc/kubernetes/ - name: cloud-config - readOnly: true - mountPath: /dev name: device-dir - mountPath: /sys/bus/scsi/devices 
@@ -145,46 +141,6 @@ spec: - mountPath: /csi name: socket-dir hostNetwork: true - initContainers: - - args: - - --cloud-config-file-path=/etc/cloud-config/config - - --output-file-path=/etc/merged-cloud-config/cloud.conf - - --disable-identity-extension-auth - - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY} - command: - - /azure-config-credentials-injector - env: - - name: AZURE_CLIENT_ID - valueFrom: - secretKeyRef: - key: azure_client_id - name: azure-disk-credentials - - name: AZURE_CLIENT_SECRET - valueFrom: - secretKeyRef: - key: azure_client_secret - name: azure-disk-credentials - optional: true - - name: AZURE_TENANT_ID - valueFrom: - secretKeyRef: - key: azure_tenant_id - name: azure-disk-credentials - optional: true - - name: AZURE_FEDERATED_TOKEN_FILE - valueFrom: - secretKeyRef: - key: azure_federated_token_file - name: azure-disk-credentials - optional: true - image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE} - name: azure-inject-credentials - volumeMounts: - - mountPath: /etc/cloud-config - name: src-cloud-config - readOnly: true - - mountPath: /etc/merged-cloud-config - name: cloud-config nodeSelector: kubernetes.io/os: linux priorityClassName: system-node-critical @@ -216,9 +172,6 @@ spec: path: /sys/fs type: Directory name: sys-fs - - configMap: - name: azure-cloud-config - name: src-cloud-config - hostPath: path: /sys/bus/scsi/devices type: Directory @@ -227,8 +180,6 @@ spec: path: /sys/class/scsi_host/ type: Directory name: scsi-host-dir - - emptydir: {} - name: cloud-config updateStrategy: rollingUpdate: maxUnavailable: 10% diff --git a/assets/overlays/azure-disk/patches/node_add_driver.yaml b/assets/overlays/azure-disk/patches/node_add_driver.yaml index 4a4959f90..db707544c 100644 --- a/assets/overlays/azure-disk/patches/node_add_driver.yaml +++ b/assets/overlays/azure-disk/patches/node_add_driver.yaml 
@@ -23,11 +23,10 @@ spec:
 # network. We don't scrape metrics on node
 - --metrics-address=localhost:8206
 # Use credentials provided by the azure-inject-credentials container
+ - --get-node-info-from-labels=true
 - --cloud-config-secret-name=""
 - --cloud-config-secret-namespace=""
 env:
- - name: AZURE_CREDENTIAL_FILE
- value: "/etc/kubernetes/cloud.conf"
 - name: CSI_ENDPOINT
 value: unix:///csi/csi.sock
 - name: KUBE_NODE_NAME
@@ -58,9 +57,6 @@ spec:
 - mountPath: /var/lib/kubelet
 mountPropagation: Bidirectional
 name: kubelet-dir
- - mountPath: /etc/kubernetes/
- readOnly: true
- name: cloud-config
 - mountPath: /dev
 name: device-dir
 - mountPath: /sys/bus/scsi/devices
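Review bot: The context comment `# Use credentials provided by the azure-inject-credentials container` sits directly above the new `--get-node-info-from-labels=true` argument, yet the `azure-inject-credentials` init container is deleted from this same file in the next hunk, so the comment is now stale. A comment about credentials in a security-relevant manifest misleads the next person auditing what this pod can reach; rewrite it along the lines of `# Node plugin runs without cloud credentials; node info is read from the Node's labels` (adjust if the plugin still obtains credentials some other way). The container spec this hunk edits starts before the hunk.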
@@ -71,52 +67,7 @@ spec:
 name: etc-selinux
 - mountPath: /sys/fs
 name: sys-fs
- initContainers:
- # Merge /etc/kubernetes/cloud.conf (on the host) with secret "azure-disk-credentials" into "merged-cloud-config" emptydir.
- - name: azure-inject-credentials
- image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}
- command:
- - /azure-config-credentials-injector
- args:
- - --cloud-config-file-path=/etc/cloud-config/config
- - --output-file-path=/etc/merged-cloud-config/cloud.conf
- # Force disable node's managed identity, azure-disk-credentials Secret should be used.
- - --disable-identity-extension-auth
- - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_client_id
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_client_secret
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_tenant_id
- optional: true
- - name: AZURE_FEDERATED_TOKEN_FILE
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_federated_token_file
- optional: true
- volumeMounts:
- - name: src-cloud-config
- mountPath: /etc/cloud-config
- readOnly: true
- - name: cloud-config
- mountPath: /etc/merged-cloud-config
 volumes:
- - name: src-cloud-config
- configMap:
- name: azure-cloud-config
 - hostPath:
 path: /sys/bus/scsi/devices
 type: Directory
@@ -125,6 +76,5 @@ spec:
 path: /sys/class/scsi_host/
 type: Directory
 name: scsi-host-dir
- - emptydir: {}
- name: cloud-config
+
diff --git a/pkg/driver/azure-disk/azure_disk.go b/pkg/driver/azure-disk/azure_disk.go
index 694a0ca66..9ed846cda 100644
--- a/pkg/driver/azure-disk/azure_disk.go
+++ b/pkg/driver/azure-disk/azure_disk.go
@@ -133,6 +133,8 @@ func GetAzureDiskGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 "overlays/azure-disk/base/csidriver.yaml",
 "overlays/azure-disk/base/storageclass.yaml",
 "overlays/azure-disk/base/volumesnapshotclass.yaml",
+ "overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml",
+ "overlays/azure-disk/base/csi-driver-cluster-role-node.yaml",
 ),
 },
 }
From 5d56922b0873799bb4949a46e02d61dec6e7ff9b Mon Sep 17 00:00:00 2001
From: Hemant Kumar
Date: Wed, 28 Feb 2024 16:51:47 -0500
Subject: [PATCH 4/4] add azure disk
---
 .../csi-driver-cluster-role-binding-node.yaml | 12 ++++++++++++
 .../base/csi-driver-cluster-role-node.yaml | 9 +++++++++
 .../csi-driver-cluster-role-binding-node.yaml | 18 ++++++++++++++++++
 .../csi-driver-cluster-role-node.yaml | 19 +++++++++++++++++++
 .../csi-driver-cluster-role-binding-node.yaml | 18 ++++++++++++++++++
 .../csi-driver-cluster-role-node.yaml | 19 +++++++++++++++++++
 6 files changed, 95 insertions(+)
 create mode 100644 assets/overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-disk/base/csi-driver-cluster-role-node.yaml
 create mode 100644 assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-node.yaml
 create mode 100644 assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-binding-node.yaml
 create mode 100644 assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-node.yaml
diff --git a/assets/overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml
new file mode 100644
index 000000000..6b9036216
--- /dev/null
+++ b/assets/overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml
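Review bot: The two asset paths added here, `overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml` and `overlays/azure-disk/base/csi-driver-cluster-role-node.yaml`, do not exist at this commit — the diffstat shows they are only created by PATCH 4/4 — so GetAzureDiskGeneratorConfig references missing embedded assets, and the regenerated manifests.yaml in this same patch lists files the tree does not yet contain. Either fold PATCH 4/4 into this commit or reorder it ahead, so every commit in the series builds and `make update` is reproducible at each point; that also keeps a later bisect from landing on a broken generator. The asset list this hunk extends begins before the hunk.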
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-disk-csi-driver-binding-node
+subjects:
+ - kind: ServiceAccount
+ name: azure-disk-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers
+roleRef:
+ kind: ClusterRole
+ name: azure-disk-csi-driver-node-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/assets/overlays/azure-disk/base/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-disk/base/csi-driver-cluster-role-node.yaml
new file mode 100644
index 000000000..58f69f4b5
--- /dev/null
+++ b/assets/overlays/azure-disk/base/csi-driver-cluster-role-node.yaml
@@ -0,0 +1,9 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-disk-csi-driver-node-role
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+
diff --git a/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
new file mode 100644
index 000000000..8d95301df
--- /dev/null
+++ b/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-binding-node.yaml
@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-disk-csi-driver-binding-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-disk-csi-driver-node-role +subjects: +- kind: ServiceAccount + name: azure-disk-csi-driver-node-sa + namespace: openshift-cluster-csi-drivers
diff --git a/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-node.yaml
new file mode 100644
index 000000000..ce8329dba
--- /dev/null
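Review bot: `csi-driver-cluster-role-node.yaml` gives the azure-disk node service account `list` and `watch` on all Node objects in addition to `get`; if `--get-node-info-from-labels=true` (added in PATCH 3/4) only reads the driver's own Node via `KUBE_NODE_NAME`, `get` is enough and the rule should be `verbs: ["get"]`. Node objects are far less sensitive than the Secrets granted to the azure-file node role, but this is still a cluster-wide, hostNetwork DaemonSet, so each verb should have a consumer. A one-line comment in the base file tying the permission to that consumer, `# Required by --get-node-info-from-labels on the node plugin`, would make the next RBAC audit straightforward.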
+++ b/assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-node.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-disk-csi-driver-node-role +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch diff --git a/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-binding-node.yaml b/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-binding-node.yaml new file mode 100644 index 000000000..8d95301df --- /dev/null +++ b/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-binding-node.yaml @@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-disk-csi-driver-binding-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-disk-csi-driver-node-role +subjects: +- kind: ServiceAccount + name: azure-disk-csi-driver-node-sa + namespace: openshift-cluster-csi-drivers diff --git a/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-node.yaml b/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-node.yaml new file mode 100644 index 000000000..ce8329dba --- /dev/null +++ b/assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-node.yaml 
@@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-node.yaml +# +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-disk-csi-driver-node-role +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch