Add Pod Disruption Budget and configurable deployment name

omerap12 commented 4 months ago

Is this a bug fix or adding new feature? Re-raising this PR #901. set configurable deployment and pdb name. What is this PR about? / Why do we need it? Fixes #1397 What testing is done? Helm testing: the following values file:

nameOverride: ""
fullnameOverride: ""

replicaCount: 2

useFIPS: false

image:
  repository: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
  tag: "v2.0.5"
  pullPolicy: IfNotPresent

sidecars:
  livenessProbe:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
      tag: v2.13.0-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  nodeDriverRegistrar:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
      tag: v2.11.0-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
  csiProvisioner:
    image:
      repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
      tag: v5.0.1-eks-1-30-8
      pullPolicy: IfNotPresent
    resources: {}
    securityContext:
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false

imagePullSecrets: []

## Controller deployment variables

controller:
  # Specifies whether a deployment should be created
  create: true
  # name of the controller deployment
  name: efs-csi-controller
  # Number for the log level verbosity
  logLevel: 2
  # If set, add pv/pvc metadata to plugin create requests as parameters.
  extraCreateMetadata: true
  # Add additional tags to access points
  tags:
    {}
    # environment: prod
    # region: us-east-1
  # Enable if you want the controller to also delete the
  # path on efs when deleteing an access point
  deleteAccessPointRootDir: false
  podAnnotations: {}
  podLabel: {}
  hostNetwork: false
  priorityClassName: system-cluster-critical
  dnsPolicy: ClusterFirst
  dnsConfig: {}
  additionalLabels: {}
  resources:
    {}
    # We usually recommend not to specify default resources and to leave this as a conscious
    # choice for the user. This also increases chances charts run on environments with little
    # resources, such as Minikube. If you do want to specify resources, uncomment the following
    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  updateStrategy: {}
  tolerations:
    - key: CriticalAddonsOnly
      operator: Exists
    - key: efs.csi.aws.com/agent-not-ready
      operator: Exists
  affinity: {}
  env: []
  volumes: []
  volumeMounts: []
  # Specifies whether a service account should be created
  serviceAccount:
    create: true
    name: efs-csi-controller-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
  healthPort: 9909
  regionalStsEndpoints: false
  # Pod Disruption Budget
  pdb:
    minAvailable: 1
  # securityContext on the controller pod
  securityContext:
    runAsNonRoot: false
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
  # securityContext on the controller container
  # Setting privileged=false will cause the "delete-access-point-root-dir" controller option to fail
  containerSecurityContext:
    privileged: true
  leaderElectionRenewDeadline: 10s
  leaderElectionLeaseDuration: 15s

## Node daemonset variables

node:
  # Number for the log level verbosity
  logLevel: 2
  volMetricsOptIn: false
  volMetricsRefreshPeriod: 240
  volMetricsFsRateLimit: 5
  hostAliases:
    {}
    # For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per
    # https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3
    # implementing the suggested solution found here:
    # https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346
    # EFS Vol ID, IP, Region
    # "fs-01234567":
    #   ip: 10.10.2.2
    #   region: us-east-2
  priorityClassName: system-node-critical
  dnsPolicy: ClusterFirst
  dnsConfig:
    {}
    # Example config which uses the AWS nameservers
    # dnsPolicy: "None"
    # dnsConfig:
    #   nameservers:
    #     - 169.254.169.253
  podLabels: {}
  podAnnotations: {}
  additionalLabels: {}
  resources:
    {}
    # limits:
    #   cpu: 100m
    #   memory: 128Mi
    # requests:
    #   cpu: 100m
    #   memory: 128Mi
  nodeSelector: {}
  updateStrategy: {}
    # Override default strategy (RollingUpdate) to speed up deployment.
    # This can be useful if helm timeouts are observed.
    # type: OnDelete
  tolerations:
    - operator: Exists
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                  - fargate
  # Specifies whether a service account should be created
  serviceAccount:
    create: true
    name: efs-csi-node-sa
    annotations: {}
    ## Enable if EKS IAM for SA is used
    #  eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
  healthPort: 9809
  # securityContext on the node pod
  securityContext:
    # The node pod must be run as root to bind to the registration/driver sockets
    runAsNonRoot: false
    runAsUser: 0
    runAsGroup: 0
    fsGroup: 0
  env: []
  volumes: []
  volumeMounts: []

storageClasses: []
# Add StorageClass resources like:
# - name: efs-sc
#   annotations:
#     # Use that annotation if you want this to your default storageclass
#     storageclass.kubernetes.io/is-default-class: "true"
#   mountOptions:
#   - tls
#   parameters:
#     provisioningMode: efs-ap
#     fileSystemId: fs-1122aabb
#     directoryPerms: "700"
#     gidRangeStart: "1000"
#     gidRangeEnd: "2000"
#     basePath: "/dynamic_provisioning"
#     subPathPattern: "/subPath"
#     ensureUniqueDirectory: true
#   reclaimPolicy: Delete
#   volumeBindingMode: Immediate

provides this output:

---
# Source: aws-efs-csi-driver/templates/controller-pdb.yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: efs-csi-controller
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  selector:
    matchLabels:
      app: efs-csi-controller
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  minAvailable: 1
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-controller-sa
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: efs-csi-node-sa
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-external-provisioner-role
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "patch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-external-provisioner-role-describe-secrets
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    resourceNames: ["x-account"]
    verbs: [ "get", "watch", "list" ]
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-node-role
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch", "patch"]
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-provisioner-binding
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-external-provisioner-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/node-serviceaccount.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-node-binding
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-node-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-node-role
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml
# We use a RoleBinding to restrict Secret access to the namespace that the 
# RoleBinding is created in (typically kube-system)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-provisioner-binding-describe-secrets
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
subjects:
  - kind: ServiceAccount
    name: efs-csi-controller-sa
    namespace: default
roleRef:
  kind: ClusterRole
  name: efs-csi-external-provisioner-role-describe-secrets
  apiGroup: rbac.authorization.k8s.io
---
# Source: aws-efs-csi-driver/templates/node-daemonset.yaml
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: efs-csi-node
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  selector:
    matchLabels:
      app: efs-csi-node
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  template:
    metadata:
      labels:
        app: efs-csi-node
        app.kubernetes.io/name: aws-efs-csi-driver
        app.kubernetes.io/instance: release-name
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                - fargate
      hostNetwork: true
      dnsPolicy: ClusterFirst
      serviceAccountName: efs-csi-node-sa
      priorityClassName: system-node-critical
      tolerations:
        - operator: Exists
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
      containers:
        - name: efs-plugin
          securityContext:
            privileged: true
          image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.5
          imagePullPolicy: IfNotPresent
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
            - --vol-metrics-opt-in=false
            - --vol-metrics-refresh-period=240
            - --vol-metrics-fs-rate-limit=5
          env:
            - name: CSI_ENDPOINT
              value: unix:/csi/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            - name: efs-state-dir
              mountPath: /var/run/efs
            - name: efs-utils-config
              mountPath: /var/amazon/efs
            - name: efs-utils-config-legacy
              mountPath: /etc/amazon/efs-legacy
          ports:
            - name: healthz
              containerPort: 9809
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 2
            failureThreshold: 5
        - name: csi-driver-registrar
          image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar:v2.11.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
            - --v=2
          env:
            - name: ADDRESS
              value: /csi/csi.sock
            - name: DRIVER_REG_SOCK_PATH
              value: /var/lib/kubelet/plugins/efs.csi.aws.com/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9809
            - --v=2
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/efs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: efs-state-dir
          hostPath:
            path: /var/run/efs
            type: DirectoryOrCreate
        - name: efs-utils-config
          hostPath:
            path: /var/amazon/efs
            type: DirectoryOrCreate
        - name: efs-utils-config-legacy
          hostPath:
            path: /etc/amazon/efs
            type: DirectoryOrCreate
---
# Source: aws-efs-csi-driver/templates/controller-deployment.yaml
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
  name: efs-csi-controller
  labels:
    app.kubernetes.io/name: aws-efs-csi-driver
spec:
  replicas: 2
  selector:
    matchLabels:
      app: efs-csi-controller
      app.kubernetes.io/name: aws-efs-csi-driver
      app.kubernetes.io/instance: release-name
  template:
    metadata:
      labels:
        app: efs-csi-controller
        app.kubernetes.io/name: aws-efs-csi-driver
        app.kubernetes.io/instance: release-name
    spec:
      hostNetwork: false
      nodeSelector:
        kubernetes.io/os: linux
      serviceAccountName: efs-csi-controller-sa
      priorityClassName: system-cluster-critical
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: efs.csi.aws.com/agent-not-ready
          operator: Exists
      securityContext:
        fsGroup: 0
        runAsGroup: 0
        runAsNonRoot: false
        runAsUser: 0
      dnsPolicy: ClusterFirst
      containers:
        - name: efs-plugin
          securityContext:
            privileged: true
          image: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver:v2.0.5
          imagePullPolicy: IfNotPresent
          args:
            - --endpoint=$(CSI_ENDPOINT)
            - --logtostderr
            - --v=2
            - --delete-access-point-root-dir=false
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - name: healthz
              containerPort: 9909
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
        - name: csi-provisioner
          image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner:v5.0.1-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --feature-gates=Topology=true
            - --extra-create-metadata
            - --leader-election
            - --leader-election-renew-deadline=10s
            - --leader-election-lease-duration=15s
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
        - name: liveness-probe
          image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe:v2.13.0-eks-1-30-8
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --health-port=9909
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
      volumes:
        - name: socket-dir
          emptyDir: {}
---
# Source: aws-efs-csi-driver/templates/csidriver.yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: efs.csi.aws.com
  annotations:
    "helm.sh/hook": pre-install, pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation
    "helm.sh/resource-policy": keep
spec:
  attachRequired: false

dmytro-rusakov-picnic commented 4 months ago

Hi! I was also waiting for this feature and happy to see the PR! @d-nishi @mskanth972 , sorry to bother you, but would you be able to review it so that it will be merged and not forgotten as previous PR please?

sherifabdlnaby commented 1 day ago

Hey team! PDB is very important configuration to have exposed by the chart! Can we get this merged ? I think this PR just needs a rebase and should be good to be merged. Unfortunately I can't rebase it myself.

@omerap12 Can you rebase and lets work on getting this merged ? 🙏🏻

mskanth972 commented 1 day ago

I can help in merge, @omerap12 can you you rebase it?

sherifabdlnaby commented 1 day ago

@d-nishi @mskanth972 Sorry to bother guys! Will appreciate if we can get this merged 🙏🏻 It is backward compatible and should be OK to merge IMO 🙏🏻

omerap12 commented 19 hours ago

I can help in merge, @omerap12 can you you rebase it?

Sure. Ill merge it today

deepak-kosaraju commented 18 hours ago

I can help in merge, @omerap12 can you you rebase it?

Sure. Ill merge it today

I don't think you can merge it after rebase based on the @k8s-ci-robot comment above,

Once this PR has been reviewed and has the lgtm label, please assign mskanth972 for approval. For more information see the Kubernetes Code Review Process

omerap12 commented 18 hours ago

I can help in merge, @omerap12 can you you rebase it?

Sure. Ill merge it today

I don't think you can merge it after rebase based on the @k8s-ci-robot comment above,

Once this PR has been reviewed and has the lgtm label, please assign mskanth972 for approval. For more information see the Kubernetes Code Review Process

Yes, that what I meant :)

deepak-kosaraju commented 18 hours ago

@omerap12 - Based of previous release https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1433 can you also update update the CHANGELOG and chart version to 3.0.9

omerap12 commented 17 hours ago

@deepak-kosaraju PTAL

omerap12 commented 17 hours ago

3.0.9

Are you sure? The chart version is 3.1.1 at the moment..

mskanth972 commented 12 hours ago

3.0.9

Are you sure? The chart version is 3.1.1 at the moment..

Please remove that, we can add while making a release.

omerap12 commented 10 hours ago

3.0.9

Are you sure? The chart version is 3.1.1 at the moment..

Please remove that, we can add while making a release.

Done

mskanth972 commented 10 hours ago

3.0.9

Are you sure? The chart version is 3.1.1 at the moment..

Please remove that, we can add while making a release.

Done

Sorry, can you please squash all the commits to one.

omerap12 commented 10 hours ago

3.0.9

Are you sure? The chart version is 3.1.1 at the moment..

Please remove that, we can add while making a release.

Done

Sorry, can you please squash all the commits to one.

Done

mskanth972 commented 10 hours ago

/lgtm /approve

omerap12 commented 10 hours ago

/lgtm /approve

Thanks! by the way I have this PR ( from long time ago ): https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1351 Do we wish to merge it as well? or should I close it?

sherifabdlnaby commented 10 hours ago

Please check my comments before merging :)

mskanth972 commented 9 hours ago

/hold

omerap12 commented 9 hours ago

PTAL @sherifabdlnaby

k8s-ci-robot commented 9 hours ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mkilchhofer, mskanth972, omerap12, sherifabdlnaby

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/aws-efs-csi-driver/blob/master/OWNERS)~~ [mskanth972] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

omerap12 commented 9 hours ago

ping @mskanth972

mskanth972 commented 9 hours ago

/unhold

mskanth972 commented 8 hours ago

/lgtm

deepak-kosaraju commented 8 hours ago

@mskanth972 and @omerap12 Template need fix for copy/paste error, aws-ebs-csi-driver.labels should be aws-efs-csi-driver.labels ref: https://github.com/omerap12/aws-efs-csi-driver/blob/92fdf69a7d8a2717155cc65177395af378882241/charts/aws-efs-csi-driver/templates/_helpers.tpl#L37

I was about to submit review comment, and noticed its merged so added this comment.

omerap12 commented 8 hours ago

@mskanth972 and @omerap12 Template need fix for copy/paste error, aws-ebs-csi-driver.labels should be aws-efs-csi-driver.labels ref: https://github.com/omerap12/aws-efs-csi-driver/blob/92fdf69a7d8a2717155cc65177395af378882241/charts/aws-efs-csi-driver/templates/_helpers.tpl#L37

I was about to submit review comment, and noticed its merged so added this comment.

https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1510

kubernetes-sigs / aws-efs-csi-driver

Add Pod Disruption Budget and configurable deployment name #1404