Upstream merge

Dockerfile

@@ -14,7 +14,7 @@
 
 ARG ARCH=amd64
 
-FROM k8s.gcr.io/build-image/debian-base-${ARCH}:v2.1.3
+FROM k8s.gcr.io/build-image/debian-base:buster-v1.6.0
 
 # Copy nfsplugin from build _output directory
 COPY bin/nfsplugin /nfsplugin

Makefile

@@ -42,6 +42,9 @@ REGISTRY_NAME ?= $(shell echo $(REGISTRY) | sed "s/.azurecr.io//g")
 IMAGE_TAG = $(REGISTRY)/$(IMAGENAME):$(IMAGE_VERSION)
 IMAGE_TAG_LATEST = $(REGISTRY)/$(IMAGENAME):latest
 
+E2E_HELM_OPTIONS ?= --set image.nfs.repository=$(REGISTRY)/$(IMAGENAME) --set image.nfs.tag=$(IMAGE_VERSION) --set image.nfs.pullPolicy=Always
+E2E_HELM_OPTIONS += ${EXTRA_HELM_OPTIONS}
+
 all: nfs
 
 .PHONY: verify
@@ -112,16 +115,18 @@ install-helm:
 e2e-bootstrap: install-helm
 	docker pull $(IMAGE_TAG) || make container push
 	helm install csi-driver-nfs ./charts/latest/csi-driver-nfs --namespace kube-system --wait --timeout=15m -v=5 --debug \
-	--set image.nfs.repository=$(REGISTRY)/$(IMAGENAME) \
-	--set image.nfs.tag=$(IMAGE_VERSION) \
-	--set image.nfs.pullPolicy=Always
-	--set controller.logLevel=8
-	--set node.logLevel=8
+		${E2E_HELM_OPTIONS} \
+		--set controller.logLevel=8 \
+		--set node.logLevel=8
 
 .PHONY: e2e-teardown
 e2e-teardown:
 	helm delete csi-driver-nfs --namespace kube-system
 
 .PHONY: e2e-test
 e2e-test:
-	go test -v -timeout=0 ./test/e2e ${GINKGO_FLAGS}
+	if [ ! -z "$(EXTERNAL_E2E_TEST)" ]; then \
+		bash ./test/external-e2e/run.sh;\
+	else \
+		go test -v -timeout=0 ./test/e2e ${GINKGO_FLAGS};\
+	fi

README.md

@@ -31,6 +31,7 @@ Please refer to [`nfs.csi.k8s.io` driver parameters](./docs/driver-parameters.md
 ### Examples
  - [Set up a NFS Server on a Kubernetes cluster](./deploy/example/nfs-provisioner/README.md)
  - [Basic usage](./deploy/example/README.md)
+ - [fsGroupPolicy](./deploy/example/fsgroup)
 
 ### Troubleshooting
  - [CSI driver troubleshooting guide](./docs/csi-debug.md) 

charts/README.md

@@ -3,6 +3,11 @@
 ## Prerequisites
  - [install Helm](https://helm.sh/docs/intro/quickstart/#install-helm)
 
+### Tips
+ - `--set controller.runOnMaster=true` could make csi-nfs-controller only run on master node
+ - `--set feature.enableFSGroupPolicy=true` could enable `fsGroupPolicy` on a k8s 1.20+ cluster (this feature is in beta, check details [here](../deploy/example/fsgroup))
+ - `--set controller.replicas=1` could set replica of csi-nfs-controller as `1`
+
 ## install latest version
 ```console
 helm repo add csi-driver-nfs https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
@@ -31,17 +36,18 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
 
 | Parameter                                         | Description                                                | Default                                                           |
 |---------------------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------|
+| `feature.enableFSGroupPolicy`                     | enable `fsGroupPolicy` on a k8s 1.20+ cluster           | `false`                      |
 | `image.nfs.repository`                            | csi-driver-nfs docker image                                | gcr.io/k8s-staging-sig-storage/nfsplugin                          |
 | `image.nfs.tag`                                   | csi-driver-nfs docker image tag                            | amd64-linux-canary                                                |
 | `image.nfs.pullPolicy`                            | csi-driver-nfs image pull policy                           | IfNotPresent                                                      |
 | `image.csiProvisioner.repository`                 | csi-provisioner docker image                               | k8s.gcr.io/sig-storage/csi-provisioner                            |
 | `image.csiProvisioner.tag`                        | csi-provisioner docker image tag                           | v2.0.4                                                            |
 | `image.csiProvisioner.pullPolicy`                 | csi-provisioner image pull policy                          | IfNotPresent                                                      |
 | `image.livenessProbe.repository`                  | liveness-probe docker image                                | k8s.gcr.io/sig-storage/livenessprobe                              |
-| `image.livenessProbe.tag`                         | liveness-probe docker image tag                            | v2.1.0                                                            |
+| `image.livenessProbe.tag`                         | liveness-probe docker image tag                            | v2.3.0                                                            |
 | `image.livenessProbe.pullPolicy`                  | liveness-probe image pull policy                           | IfNotPresent                                                      |
 | `image.nodeDriverRegistrar.repository`            | csi-node-driver-registrar docker image                     | k8s.gcr.io/sig-storage/csi-node-driver-registrar                  |
-| `image.nodeDriverRegistrar.tag`                   | csi-node-driver-registrar docker image tag                 | v2.0.1                                                            |
+| `image.nodeDriverRegistrar.tag`                   | csi-node-driver-registrar docker image tag                 | v2.2.0                                                            |
 | `image.nodeDriverRegistrar.pullPolicy`            | csi-node-driver-registrar image pull policy                | IfNotPresent                                                      |
 | `imagePullSecrets`                                | Specify docker-registry secret names as an array           | [] (does not add image pull secrets to deployed pods)                                                           |
 | `serviceAccount.create`                           | whether create service account of csi-nfs-controller       | true                                                              |
@@ -50,6 +56,7 @@ The following table lists the configurable parameters of the latest NFS CSI Driv
 | `controller.runOnMaster`                          | run controller on master node                              | false                                                             |
 | `controller.logLevel`                             | controller driver log level                                                          |`5`                                                           |
 | `node.logLevel`                                   | node driver log level                                                          |`5`                                                           |
+| `node.livenessProbe.healthPort `                  | the health check port for liveness probe                    |`29653`                                                           |
 
 ## troubleshooting
  - Add `--wait -v=5 --debug` in `helm install` command to get detailed error

charts/latest/csi-driver-nfs/templates/csi-nfs-driverinfo.yaml

@@ -6,4 +6,6 @@ spec:
   attachRequired: false
   volumeLifecycleModes:
     - Persistent
-  podInfoOnMount: true
+  {{- if .Values.feature.enableFSGroupPolicy}}
+  fsGroupPolicy: File
+  {{- end}}

charts/latest/csi-driver-nfs/templates/csi-nfs-node.yaml

@@ -29,7 +29,7 @@ spec:
           args:
             - --csi-address=/csi/csi.sock
             - --probe-timeout=3s
-            - --health-port=29653
+            - --health-port={{ .Values.node.livenessProbe.healthPort }}
             - --v=2
           imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
           volumeMounts:

charts/latest/csi-driver-nfs/values.yaml

@@ -9,11 +9,11 @@ image:
         pullPolicy: IfNotPresent
     livenessProbe:
         repository: k8s.gcr.io/sig-storage/livenessprobe
-        tag: v2.1.0
+        tag: v2.3.0
         pullPolicy: IfNotPresent
     nodeDriverRegistrar:
         repository: k8s.gcr.io/sig-storage/csi-node-driver-registrar
-        tag: v2.1.0
+        tag: v2.2.0
         pullPolicy: IfNotPresent
 serviceAccount:
   create: true
@@ -26,6 +26,11 @@ controller:
 
 node:
   logLevel: 5
+  livenessProbe:
+    healthPort: 29653
+
+feature:
+  enableFSGroupPolicy: false
 
 ## Reference to one or more secrets to be used when pulling images
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

deploy/csi-nfs-controller.yaml

@@ -50,7 +50,7 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: liveness-probe
-          image: k8s.gcr.io/sig-storage/livenessprobe:v2.1.0
+          image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
           args:
             - --csi-address=/csi/csi.sock
             - --probe-timeout=3s

deploy/csi-nfs-driverinfo.yaml

@@ -7,4 +7,3 @@ spec:
   attachRequired: false
   volumeLifecycleModes:
     - Persistent
-  podInfoOnMount: true

deploy/csi-nfs-node.yaml

@@ -21,7 +21,7 @@ spec:
         kubernetes.io/os: linux
       containers:
         - name: liveness-probe
-          image: k8s.gcr.io/sig-storage/livenessprobe:v2.1.0
+          image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
           args:
             - --csi-address=/csi/csi.sock
             - --probe-timeout=3s
@@ -38,7 +38,7 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: node-driver-registrar
-          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
+          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.2.0
           lifecycle:
             preStop:
               exec:

deploy/example/fsgroup/README.md

@@ -0,0 +1,24 @@
+# fsGroup Support
+
+[fsGroupPolicy](https://kubernetes-csi.github.io/docs/support-fsgroup.html) feature is Beta from Kubernetes 1.20, and disabled by default, follow below steps to enable this feature.
+
+### Option#1: Enable fsGroupPolicy support in [driver helm installation](../../../charts)
+
+add `--set feature.enableFSGroupPolicy=true` in helm installation command.
+
+### Option#2: Enable fsGroupPolicy support on a cluster with CSI driver already installed
+
+```console
+kubectl delete CSIDriver nfs.csi.k8s.io
+cat <<EOF | kubectl create -f -
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+  name: nfs.csi.k8s.io
+spec:
+  attachRequired: false
+  volumeLifecycleModes:
+    - Persistent
+  fsGroupPolicy: File
+EOF
+```

deploy/example/storageclass-nfs.yaml

@@ -7,7 +7,7 @@ provisioner: nfs.csi.k8s.io
 parameters:
   server: nfs-server.default.svc.cluster.local
   share: /
-reclaimPolicy: Retain
+reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
   - hard

pkg/nfs/controllerserver.go

@@ -104,9 +104,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 	if err = os.Mkdir(internalVolumePath, 0777); err != nil && !os.IsExist(err) {
 		return nil, status.Errorf(codes.Internal, "failed to make subdirectory: %v", err.Error())
 	}
-	// Remove capacity setting when provisioner 1.4.0 is available with fix for
-	// https://github.com/kubernetes-csi/external-provisioner/pull/271
-	return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol, reqCapacity)}, nil
+	return &csi.CreateVolumeResponse{Volume: cs.nfsVolToCSI(nfsVol)}, nil
 }
 
 // DeleteVolume delete a volume
@@ -338,9 +336,9 @@ func (cs *ControllerServer) getVolumeSharePath(vol *nfsVolume) string {
 }
 
 // Convert into nfsVolume into a csi.Volume
-func (cs *ControllerServer) nfsVolToCSI(vol *nfsVolume, reqCapacity int64) *csi.Volume {
+func (cs *ControllerServer) nfsVolToCSI(vol *nfsVolume) *csi.Volume {
 	return &csi.Volume{
-		CapacityBytes: reqCapacity,
+		CapacityBytes: 0, // by setting it to zero, Provisioner will use PVC requested size as PV size
 		VolumeId:      vol.id,
 		VolumeContext: map[string]string{
 			paramServer: vol.server,

pkg/nfs/nodeserver.go

@@ -72,11 +72,6 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		return &csi.NodePublishVolumeResponse{}, nil
 	}
 
-	if acquired := ns.Driver.volumeLocks.TryAcquire(volumeID); !acquired {
-		return nil, status.Errorf(codes.Aborted, volumeOperationAlreadyExistsFmt, volumeID)
-	}
-	defer ns.Driver.volumeLocks.Release(volumeID)
-
 	mountOptions := req.GetVolumeCapability().GetMount().GetMountFlags()
 	if req.GetReadonly() {
 		mountOptions = append(mountOptions, "ro")
@@ -141,11 +136,6 @@ func (ns *NodeServer) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpu
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
-	if acquired := ns.Driver.volumeLocks.TryAcquire(volumeID); !acquired {
-		return nil, status.Errorf(codes.Aborted, volumeOperationAlreadyExistsFmt, volumeID)
-	}
-	defer ns.Driver.volumeLocks.Release(volumeID)
-
 	klog.V(4).Infof("NodeUnpublishVolume: path %s is *not* a mount point: %t", targetPath, notMnt)
 	if !notMnt {
 

pkg/nfs/nodeserver_test.go

@@ -19,7 +19,6 @@ package nfs
 import (
 	"context"
 	"errors"
-	"fmt"
 	"os"
 	"reflect"
 	"testing"
@@ -69,19 +68,6 @@ func TestNodePublishVolume(t *testing.T) {
 				VolumeId: "vol_1"},
 			expectedErr: status.Error(codes.InvalidArgument, "Target path not provided"),
 		},
-		{
-			desc: "[Error] Volume operation in progress",
-			setup: func() {
-				ns.Driver.volumeLocks.TryAcquire("vol_1")
-			},
-			req: csi.NodePublishVolumeRequest{VolumeCapability: &csi.VolumeCapability{AccessMode: &volumeCap},
-				VolumeId:   "vol_1",
-				TargetPath: targetTest},
-			expectedErr: status.Error(codes.Aborted, fmt.Sprintf(volumeOperationAlreadyExistsFmt, "vol_1")),
-			cleanup: func() {
-				ns.Driver.volumeLocks.Release("vol_1")
-			},
-		},
 		{
 			desc: "[Success] Stage target path missing",
 			req: csi.NodePublishVolumeRequest{VolumeCapability: &csi.VolumeCapability{AccessMode: &volumeCap},
@@ -147,8 +133,7 @@ func TestNodeUnpublishVolume(t *testing.T) {
 
 	errorTarget := testutil.GetWorkDirPath("error_is_likely_target", t)
 	targetTest := testutil.GetWorkDirPath("target_test", t)
-	targetFile := testutil.GetWorkDirPath("abc.go", t)
-	alreadyMountedTarget := testutil.GetWorkDirPath("false_is_likely_exist_target", t)
+	//targetFile := testutil.GetWorkDirPath("abc.go", t)
 
 	tests := []struct {
 		desc        string
@@ -167,27 +152,20 @@ func TestNodeUnpublishVolume(t *testing.T) {
 			req:         csi.NodeUnpublishVolumeRequest{VolumeId: "vol_1"},
 			expectedErr: status.Error(codes.InvalidArgument, "Target path missing in request"),
 		},
+		/* Not relevant due to carry patch https://github.com/openshift/csi-driver-nfs/commit/59fe400d433137c48de81650026922a88e167177
+		// Downstream doesn't call IsLikelyNotMountPoint, and doesn't raise any error if the target is not mounted
 		{
 			desc:        "[Error] Unmount error mocked by IsLikelyNotMountPoint",
 			req:         csi.NodeUnpublishVolumeRequest{TargetPath: errorTarget, VolumeId: "vol_1"},
 			expectedErr: status.Error(codes.Internal, "fake IsLikelyNotMountPoint: fake error"),
 		},
+		// Downstream doesn't raise any error if the target is not mounted
 		{
 			desc:        "[Error] Volume not mounted",
 			req:         csi.NodeUnpublishVolumeRequest{TargetPath: targetFile, VolumeId: "vol_1"},
 			expectedErr: status.Error(codes.NotFound, "Volume not mounted"),
 		},
-		{
-			desc: "[Error] Volume operation in progress",
-			setup: func() {
-				ns.Driver.volumeLocks.TryAcquire("vol_1")
-			},
-			req:         csi.NodeUnpublishVolumeRequest{TargetPath: alreadyMountedTarget, VolumeId: "vol_1"},
-			expectedErr: status.Error(codes.Aborted, fmt.Sprintf(volumeOperationAlreadyExistsFmt, "vol_1")),
-			cleanup: func() {
-				ns.Driver.volumeLocks.Release("vol_1")
-			},
-		},
+		*/
 	}
 
 	// Setup

pkg/nfs/utils.go

@@ -95,10 +95,6 @@ func logGRPC(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, h
 	return resp, err
 }
 
-const (
-	volumeOperationAlreadyExistsFmt = "An operation with the given Volume ID %s already exists"
-)
-
 type VolumeLocks struct {
 	locks sets.String
 	mux   sync.Mutex

release-tools/KUBERNETES_CSI_OWNERS_ALIASES

@@ -0,0 +1,44 @@
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+aliases:
+
+  # SIG-Storage chairs and leads should always have approval rights in all repos.
+  # Others may be added as needed here or in each repo.
+  kubernetes-csi-approvers:
+  - jsafrane
+  - msau42
+  - saad-ali
+  - xing-yang
+
+  # Reviewers are automatically assigned to new PRs. The following
+  # reviewers will be active in all repos. Other reviewers can be
+  # added in each repo.
+  #
+  # Reviewers are encouraged to set the "Busy" flag in their GitHub status
+  # when they are temporarily unable to review PRs.
+  kubernetes-csi-reviewers:
+  - andyzhangx
+  - chrishenzie
+  - ggriffiths
+  - gnufied
+  - j-griffith
+  - Jiawei0227
+  - jingxu97
+  - jsafrane
+  - pohly
+  - xing-yang
+
+# This documents who previously contributed to Kubernetes-CSI
+# as approver.
+emeritus_approver:
+- lpabon
+- sbezverk
+- vladimirvivien
+
+# This documents who previously contributed to Kubernetes-CSI
+# as reviewer.
+emeritus_reviewer:
+- lpabon
+- saad-ali
+- sbezverk
+- vladimirvivien

release-tools/OWNERS

@@ -0,0 +1 @@
+../OWNERS

release-tools/OWNERS_ALIASES

@@ -0,0 +1 @@
+../OWNERS_ALIASES