vSphere-CSI: update to 2.4.0 (kubernetes-sigs#8295)

inventory/sample/group_vars/all/vsphere.yml

@@ -14,18 +14,18 @@
 ## gcr.io/cloud-provider-vsphere/cpi/release/manager
 # external_vsphere_cloud_controller_image_tag: "latest"
 ## gcr.io/cloud-provider-vsphere/csi/release/syncer
-# vsphere_syncer_image_tag: "v2.2.1"
-## quay.io/k8scsi/csi-attacher
-# vsphere_csi_attacher_image_tag: "v3.1.0"
+# vsphere_syncer_image_tag: "v2.4.0"
+## k8s.gcr.io/sig-storage/csi-attacher
+# vsphere_csi_attacher_image_tag: "v3.3.0"
 ## gcr.io/cloud-provider-vsphere/csi/release/driver
-# vsphere_csi_controller: "v2.2.1"
-## quay.io/k8scsi/livenessprobe
-# vsphere_csi_liveness_probe_image_tag: "v2.2.0"
-## quay.io/k8scsi/csi-provisioner
-# vsphere_csi_provisioner_image_tag: "v2.1.0"
-## quay.io/k8scsi/csi-resizer
+# vsphere_csi_controller: "v2.4.0"
+## k8s.gcr.io/sig-storage/livenessprobe
+# vsphere_csi_liveness_probe_image_tag: "v2.4.0"
+## k8s.gcr.io/sig-storage/csi-provisioner
+# vsphere_csi_provisioner_image_tag: "v3.0.0"
+## k8s.gcr.io/sig-storage/csi-resizer
 ## makes sense only for vSphere version >=7.0
-# vsphere_csi_resizer_tag: "v1.1.0"
+# vsphere_csi_resizer_tag: "v1.3.0"
 
 ## To use vSphere CSI plugin to provision volumes set this value to true
 # vsphere_csi_enabled: true

roles/kubernetes-apps/csi_driver/vsphere/defaults/main.yml

@@ -4,14 +4,14 @@ external_vsphere_insecure: "true"
 external_vsphere_kubernetes_cluster_id: "kubernetes-cluster-id"
 external_vsphere_version: "6.7u3"
 
-vsphere_syncer_image_tag: "v1.0.2"
-vsphere_csi_attacher_image_tag: "v1.1.1"
-vsphere_csi_controller: "v1.0.2"
-vsphere_csi_liveness_probe_image_tag: "v1.1.0"
-vsphere_csi_provisioner_image_tag: "v1.2.2"
-vsphere_csi_node_driver_registrar_image_tag: "v1.1.0"
-vsphere_csi_driver_image_tag: "v1.0.2"
-vsphere_csi_resizer_tag: "v1.0.0"
+vsphere_syncer_image_tag: "v2.4.0"
+vsphere_csi_attacher_image_tag: "v3.3.0"
+vsphere_csi_controller: "v2.4.0"
+vsphere_csi_liveness_probe_image_tag: "v2.4.0"
+vsphere_csi_provisioner_image_tag: "v3.0.0"
+vsphere_csi_node_driver_registrar_image_tag: "v2.3.0"
+vsphere_csi_driver_image_tag: "v2.4.0"
+vsphere_csi_resizer_tag: "v1.3.0"
 
 vsphere_csi_controller_replicas: 1
 

roles/kubernetes-apps/csi_driver/vsphere/tasks/main.yml

@@ -2,11 +2,6 @@
 - include_tasks: vsphere-credentials-check.yml
   tags: vsphere-csi-driver
 
-- name: vSphere CSI Driver | Choose how to deploy CSI driver based on controller version
-  set_fact:
-    controller_spec: "{% if vsphere_csi_controller is version('v2.0.0', '<') %}vsphere-csi-controller-ss.yml{% else %}vsphere-csi-controller-deployment.yml{% endif %}"
-  tags: vsphere-csi-driver
-
 - name: vSphere CSI Driver | Generate CSI cloud-config
   template:
     src: "{{ item }}.j2"
@@ -22,9 +17,12 @@
     src: "{{ item }}.j2"
     dest: "{{ kube_config_dir }}/{{ item }}"
   with_items:
+    - vsphere-csi-driver.yml
     - vsphere-csi-controller-rbac.yml
-    - vsphere-csi-node-rbac.yaml
-    - "{{ controller_spec }}"
+    - vsphere-csi-node-rbac.yml
+    - vsphere-csi-controller-config.yml
+    - vsphere-csi-controller-deployment.yml
+    - vsphere-csi-controller-service.yml
     - vsphere-csi-node.yml
   register: vsphere_csi_manifests
   when: inventory_hostname == groups['kube_control_plane'][0]

roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-config.yml.j2

@@ -0,0 +1,15 @@
+apiVersion: v1
+data:
+  "csi-migration": "false"
+  "csi-auth-check": "true"
+  "online-volume-extend": "true"
+  "trigger-csi-fullsync": "false"
+  "async-query-volume": "true"
+  "improved-csi-idempotency": "true"
+  "improved-volume-topology": "true"
+  "block-volume-snapshot": "false"
+  "csi-windows-support": "false"
+kind: ConfigMap
+metadata:
+  name: internal-feature-states.csi.vsphere.vmware.com
+  namespace: kube-system

roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-deployment.yml.j2

@@ -5,6 +5,11 @@ metadata:
   namespace: kube-system
 spec:
   replicas: {{ vsphere_csi_controller_replicas }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+      maxSurge: 0
   selector:
     matchLabels:
       app: vsphere-csi-controller
@@ -14,6 +19,16 @@ spec:
         app: vsphere-csi-controller
         role: vsphere-csi
     spec:
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: "app"
+                    operator: In
+                    values:
+                      - vsphere-csi-controller
+              topologyKey: "kubernetes.io/hostname"
       serviceAccountName: vsphere-csi-controller
       nodeSelector:
         node-role.kubernetes.io/control-plane: ""
@@ -39,12 +54,14 @@ spec:
       dnsPolicy: "Default"
       containers:
         - name: csi-attacher
-          image: {{ quay_image_repo }}/k8scsi/csi-attacher:{{ vsphere_csi_attacher_image_tag }}
+          image: {{ kube_image_repo }}/sig-storage/csi-attacher:{{ vsphere_csi_attacher_image_tag }}
           args:
             - "--v=4"
             - "--timeout=300s"
             - "--csi-address=$(ADDRESS)"
             - "--leader-election"
+            - "--kube-api-qps=100"
+            - "--kube-api-burst=100"
           env:
             - name: ADDRESS
               value: /csi/csi.sock
@@ -53,17 +70,15 @@ spec:
               name: socket-dir
 {% if external_vsphere_version >= "7.0" %}
         - name: csi-resizer
-          image: {{ quay_image_repo }}/k8scsi/csi-resizer:{{ vsphere_csi_resizer_tag }}
+          image: {{ kube_image_repo }}/sig-storage/csi-resizer:{{ vsphere_csi_resizer_tag }}
           args:
             - "--v=4"
             - "--timeout=300s"
             - "--csi-address=$(ADDRESS)"
             - "--leader-election"
-{% if vsphere_csi_controller is version('v2.2.0', '>=') %}
             - "--handle-volume-inuse-error=false"
             - "--kube-api-qps=100"
             - "--kube-api-burst=100"
-{% endif %}
           env:
             - name: ADDRESS
               value: /csi/csi.sock
@@ -77,13 +92,18 @@ spec:
           args:
             - "--fss-name=internal-feature-states.csi.vsphere.vmware.com"
             - "--fss-namespace=$(CSI_NAMESPACE)"
+            - "--use-gocsi=false"
 {% endif %}
           imagePullPolicy: {{ k8s_image_pull_policy }}
           env:
             - name: CSI_ENDPOINT
               value: unix://{{ csi_endpoint }}/csi.sock
             - name: X_CSI_MODE
               value: "controller"
+            - name: X_CSI_SPEC_DISABLE_LEN_CHECK
+              value: "true"
+            - name: X_CSI_SERIAL_VOL_ACCESS_TIMEOUT
+              value: 3m
             - name: VSPHERE_CSI_CONFIG
               value: "/etc/cloud/csi-vsphere.conf"
             - name: LOGGER_LEVEL
@@ -98,8 +118,6 @@ spec:
                 fieldRef:
                   fieldPath: metadata.namespace
 {% endif %}
-            - name: X_CSI_SERIAL_VOL_ACCESS_TIMEOUT
-              value: 3m
           volumeMounts:
             - mountPath: /etc/cloud
               name: vsphere-config-volume
@@ -122,7 +140,7 @@ spec:
             periodSeconds: 5
             failureThreshold: 3
         - name: liveness-probe
-          image: {{ quay_image_repo }}/k8scsi/livenessprobe:{{ vsphere_csi_liveness_probe_image_tag }}
+          image: {{ kube_image_repo }}/sig-storage/livenessprobe:{{ vsphere_csi_liveness_probe_image_tag }}
           args:
             - "--v=4"
             - "--csi-address=$(ADDRESS)"
@@ -167,7 +185,7 @@ spec:
               name: vsphere-config-volume
               readOnly: true
         - name: csi-provisioner
-          image: {{ quay_image_repo }}/k8scsi/csi-provisioner:{{ vsphere_csi_provisioner_image_tag }}
+          image: {{ kube_image_repo }}/sig-storage/csi-provisioner:{{ vsphere_csi_provisioner_image_tag }}
           args:
             - "--v=4"
             - "--timeout=300s"
@@ -193,42 +211,3 @@ spec:
           secretName: vsphere-config-secret
       - name: socket-dir
         emptyDir: {}
----
-apiVersion: v1
-data:
-  "csi-migration": "false" # csi-migration feature is only available for vSphere 7.0U1
-  "csi-auth-check": "true"
-  "online-volume-extend": "true"
-kind: ConfigMap
-metadata:
-  name: internal-feature-states.csi.vsphere.vmware.com
-  namespace: kube-system
----
-apiVersion: storage.k8s.io/v1 # For k8s 1.17 or lower use storage.k8s.io/v1beta1
-kind: CSIDriver
-metadata:
-  name: csi.vsphere.vmware.com
-spec:
-  attachRequired: true
-  podInfoOnMount: false
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: vsphere-csi-controller
-  namespace: kube-system
-  labels:
-    app: vsphere-csi-controller
-spec:
-  ports:
-    - name: ctlr
-      port: 2112
-      targetPort: 2112
-      protocol: TCP
-    - name: syncer
-      port: 2113
-      targetPort: 2113
-      protocol: TCP
-  selector:
-    app: vsphere-csi-controller
-

roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-rbac.yml.j2

@@ -39,18 +39,37 @@ rules:
     resources: ["volumeattachments"]
     verbs: ["get", "list", "watch", "patch"]
 {% if external_vsphere_version >= "7.0u1" %}
+  - apiGroups: ["cns.vmware.com"]
+    resources: ["triggercsifullsyncs"]
+    verbs: ["create", "get", "update", "watch", "list"]
   - apiGroups: ["cns.vmware.com"]
     resources: ["cnsvspherevolumemigrations"]
     verbs: ["create", "get", "list", "watch", "update", "delete"]
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
-    verbs: ["get", "create"]
+    verbs: ["get", "create", "update"]
+  - apiGroups: ["cns.vmware.com"]
+    resources: ["cnsvolumeoperationrequests"]
+    verbs: ["create", "get", "list", "update", "delete"]
+  - apiGroups: [ "cns.vmware.com" ]
+    resources: [ "csinodetopologies" ]
+    verbs: ["get", "update", "watch", "list"]
 {% endif %}
-{% if vsphere_csi_controller is version('v2.0.0', '>=') %}
   - apiGroups: ["storage.k8s.io"]
     resources: ["volumeattachments/status"]
     verbs: ["patch"]
-{% endif %}
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshots" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotclasses" ]
+    verbs: [ "watch", "get", "list" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotcontents" ]
+    verbs: [ "create", "get", "list", "watch", "update", "delete" ]
+  - apiGroups: [ "snapshot.storage.k8s.io" ]
+    resources: [ "volumesnapshotcontents/status" ]
+    verbs: [ "update", "patch" ]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

roles/kubernetes-apps/csi_driver/vsphere/templates/vsphere-csi-controller-service.yml.j2

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vsphere-csi-controller
+  namespace: kube-system
+  labels:
+    app: vsphere-csi-controller
+spec:
+  ports:
+    - name: ctlr
+      port: 2112
+      targetPort: 2112
+      protocol: TCP
+    - name: syncer
+      port: 2113
+      targetPort: 2113
+      protocol: TCP
+  selector:
+    app: vsphere-csi-controller