[vsphere_csi] Update to 3.1.0 (#10451)

2023-09-20 13:56:00 +02:00 · 2023-09-20 13:56:00 +02:00 · bc5e33791f
parent d669b93c4f
commit bc5e33791f
5 changed files with 58 additions and 34 deletions
--- a/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
+++ b/roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml
@ -4,15 +4,15 @@ external_vsphere_insecure: "true"
 external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
 external_vsphere_version: "7.0u1"

-vsphere_syncer_image_tag: "v2.5.1"
-vsphere_csi_attacher_image_tag: "v3.4.0"
-vsphere_csi_controller: "v2.5.1"
-vsphere_csi_liveness_probe_image_tag: "v2.6.0"
-vsphere_csi_provisioner_image_tag: "v3.1.0"
-vsphere_csi_snapshotter_image_tag: "v5.0.1"
-vsphere_csi_node_driver_registrar_image_tag: "v2.5.0"
-vsphere_csi_driver_image_tag: "v2.5.1"
-vsphere_csi_resizer_tag: "v1.4.0"
+vsphere_syncer_image_tag: "v3.1.0"
+vsphere_csi_attacher_image_tag: "v4.3.0"
+vsphere_csi_controller: "v3.1.0"
+vsphere_csi_liveness_probe_image_tag: "v2.10.0"
+vsphere_csi_provisioner_image_tag: "v3.5.0"
+vsphere_csi_snapshotter_image_tag: "v6.2.2"
+vsphere_csi_node_driver_registrar_image_tag: "v2.8.0"
+vsphere_csi_driver_image_tag: "v3.1.0"
+vsphere_csi_resizer_tag: "v1.8.0"

 # Set to kube-system for backward compatibility, should be change to vmware-system-csi on the long run
 vsphere_csi_namespace: "kube-system"
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2
@ -1,22 +1,29 @@
 apiVersion: v1
 data:
-  "csi-migration": "false"
 {% if external_vsphere_version >= "7.0" %}
  "csi-auth-check": "true"
 {% else %}
  "csi-auth-check": "false"
 {% endif %}
+  "csi-auth-check": "true"
  "online-volume-extend": "true"
  "trigger-csi-fullsync": "false"
  "async-query-volume": "true"
+  "block-volume-snapshot": "true"
+  "csi-windows-support": "false"
+  "list-volumes": "true"
+  "pv-to-backingdiskobjectid-mapping": "false"
+  "cnsmgr-suspend-create-volume": "true"
+  "topology-preferential-datastores": "true"
+  "max-pvscsi-targets-per-vm": "true"
+  "multi-vcenter-csi-topology": "true"
+  "csi-internal-generated-cluster-id": "true"
+  "listview-tasks": "true" 
+{% if vsphere_csi_controller is version('v2.7.0', '>=') %}
  "improved-csi-idempotency": "true"
  "improved-volume-topology": "true"
-  "block-volume-snapshot": "{{ vsphere_csi_block_volume_snapshot }}"
-  "csi-windows-support": "false"
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
  "use-csinode-id": "true"
-  "pv-to-backingdiskobjectid-mapping": "false"
-  "cnsmgr-suspend-create-volume": "false"
+  "list-volumes": "false"
 {% endif %}
 kind: ConfigMap
 metadata:
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2
@ -19,6 +19,7 @@ spec:
        app: vsphere-csi-controller
        role: vsphere-csi
    spec:
+      priorityClassName: system-cluster-critical # Guarantees scheduling for critical system pods
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
@ -60,6 +61,9 @@ spec:
            - "--timeout=300s"
            - "--csi-address=$(ADDRESS)"
            - "--leader-election"
+            - "--leader-election-lease-duration=120s"
+            - "--leader-election-renew-deadline=60s"
+            - "--leader-election-retry-period=30s"
            - "--kube-api-qps=100"
            - "--kube-api-burst=100"
 {% if vsphere_csi_attacher_resources | length > 0 %}
@ -83,6 +87,9 @@ spec:
            - "--kube-api-qps=100"
            - "--kube-api-burst=100"
            - "--leader-election"
+            - "--leader-election-lease-duration=120s"
+            - "--leader-election-renew-deadline=60s"
+            - "--leader-election-retry-period=30s"
 {% if vsphere_csi_resizer_resources | length > 0 %}
          resources:
            {{ vsphere_csi_resizer_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@ -99,8 +106,6 @@ spec:
          args:
            - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
            - "--fss-namespace={{ vsphere_csi_namespace }}"
-            - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
-            - "--use-gocsi=false"
 {% if vsphere_csi_resources | length > 0 %}
          resources:
            {{ vsphere_csi_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
@ -131,6 +136,10 @@ spec:
              readOnly: true
            - mountPath: {{ csi_endpoint }}
              name: socket-dir
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65532
+            runAsGroup: 65532
          ports:
            - name: healthz
              containerPort: 9808
@ -142,9 +151,9 @@ spec:
            httpGet:
              path: /healthz
              port: healthz
-            initialDelaySeconds: 10
-            timeoutSeconds: 3
-            periodSeconds: 5
+            initialDelaySeconds: 30
+            timeoutSeconds: 10
+            periodSeconds: 180
            failureThreshold: 3
        - name: liveness-probe
          image: {{ kube_image_repo }}/sig-storage/livenessprobe:{{ vsphere_csi_liveness_probe_image_tag }}
@ -165,10 +174,16 @@ spec:
          image: {{ gcr_image_repo }}/cloud-provider-vsphere/csi/release/syncer:{{ vsphere_syncer_image_tag }}
          args:
            - "--leader-election"
+            - "--leader-election-lease-duration=30s"
+            - "--leader-election-renew-deadline=20s"
+            - "--leader-election-retry-period=10s"
            - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
            - "--fss-namespace={{ vsphere_csi_namespace }}"
-            - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
          imagePullPolicy: {{ k8s_image_pull_policy }}
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65532
+            runAsGroup: 65532
          ports:
            - containerPort: 2113
              name: prometheus
@ -200,10 +215,13 @@ spec:
            - "--v=4"
            - "--timeout=300s"
            - "--csi-address=$(ADDRESS)"
-{% if vsphere_csi_controller is version('v2.2.0', '>=') %}
            - "--kube-api-qps=100"
            - "--kube-api-burst=100"
-{% endif %}
+            - "--leader-election"
+            - "--leader-election-lease-duration=120s"
+            - "--leader-election-renew-deadline=60s"
+            - "--leader-election-retry-period=30s"
+            - "--default-fstype=ext4"
            - "--leader-election"
            - "--default-fstype=ext4"
            # needed only for topology aware setup
@ -213,13 +231,6 @@ spec:
          resources:
            {{ vsphere_csi_provisioner_resources | default({}) | to_nice_yaml | trim | indent(width=12) }}
 {% endif %}
-          env:
-            - name: ADDRESS
-              value: /csi/csi.sock
-          volumeMounts:
-            - mountPath: /csi
-              name: socket-dir
-{% if vsphere_csi_controller is version('v2.5.0', '>=') %}
        - name: csi-snapshotter
          image: {{ kube_image_repo }}/sig-storage/csi-snapshotter:{{ vsphere_csi_snapshotter_image_tag }}
          args:
@ -229,13 +240,15 @@ spec:
            - "--timeout=300s"
            - "--csi-address=$(ADDRESS)"
            - "--leader-election"
+            - "--leader-election-lease-duration=120s"
+            - "--leader-election-renew-deadline=60s"
+            - "--leader-election-retry-period=30s"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
-{% endif %}
      volumes:
      - name: vsphere-config-volume
        secret:
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2
@ -10,8 +10,11 @@ metadata:
  name: vsphere-csi-controller-role
 rules:
  - apiGroups: [""]
-    resources: ["nodes", "pods", "configmaps"]
+    resources: ["nodes", "pods"]
    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch", "create"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
--- a/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
+++ b/roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-node.yml.j2
@ -17,6 +17,7 @@ spec:
        app: vsphere-csi-node
        role: vsphere-csi
    spec:
+      priorityClassName: system-node-critical
      nodeSelector:
        kubernetes.io/os: linux
 {% if vsphere_csi_node_affinity %}
@ -66,8 +67,6 @@ spec:
        args:
          - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
          - "--fss-namespace={{ vsphere_csi_namespace }}"
-          - "--supervisor-fss-namespace={{ vsphere_csi_namespace }}"
-          - "--use-gocsi=false"
        imagePullPolicy: "Always"
 {% if vsphere_csi_driver_resources | length > 0 %}
        resources:
@ -92,6 +91,8 @@ spec:
          value: "true"
        - name: LOGGER_LEVEL
          value: "PRODUCTION" # Options: DEVELOPMENT, PRODUCTION
+        - name: GODEBUG
+          value: x509sha1=1
        - name: NODEGETINFO_WATCH_TIMEOUT_MINUTES
          value: "1"
        securityContext: