Syncing latest changes from upstream main for ceph-csi-operator

.github/workflows/build-push.yaml

@@ -16,7 +16,7 @@ jobs:
     if: github.repository == 'ceph/ceph-csi-operator'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3

Makefile

@@ -4,6 +4,10 @@ REGISTRY_NAMESPACE ?= cephcsi
 IMAGE_TAG ?= latest
 IMAGE_NAME ?= ceph-csi-operator
 
+# Use different name prefix and namespace prefix for csi rbac kustomize
+CSI_RBAC_NAME_PREFIX ?= ceph-csi-operator-
+CSI_RBAC_NAMESPACE ?= $(CSI_RBAC_NAME_PREFIX)system
+
 IMG ?= $(IMAGE_REGISTRY)/$(REGISTRY_NAMESPACE)/$(IMAGE_NAME):$(IMAGE_TAG)
 
 # ENVTEST_K8S_VERSION refers to the version of kubebuilder assets to be downloaded by envtest binary.
@@ -126,6 +130,11 @@ build-installer: manifests generate kustomize ## Generate a consolidated YAML wi
 	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	$(KUSTOMIZE) build config/default > dist/install.yaml
 
+.PHONY: build-csi-rbac
+build-csi-rbac:
+	cd config/csi-rbac && $(KUSTOMIZE) edit set nameprefix $(CSI_RBAC_NAME_PREFIX)
+	cd config/csi-rbac && $(KUSTOMIZE) edit set namespace $(CSI_RBAC_NAMESPACE)
+	$(KUSTOMIZE) build config/csi-rbac > dist/csi-rbac.yaml
 ##@ Deployment
 
 ifndef ignore-not-found

config/rbac/csi_cephfs_ctrlplugin_cluster_role.yaml → config/csi-rbac/cephfs_ctrlplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-cr
+  name: cephfs-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/rbac/csi_rbd_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/cephfs_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-crb
+  name: cephfs-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-nodeplugin-sa
+    name: cephfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-rbd-nodeplugin-cr
+  name: cephfs-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_ctrlplugin_role.yaml → config/csi-rbac/cephfs_ctrlplugin_role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-r
+  name: cephfs-ctrlplugin-r
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]

config/rbac/csi_rbd_ctrlplugin_role_binding.yaml → config/csi-rbac/cephfs_ctrlplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-rb
+  name: cephfs-ctrlplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-ctrlplugin-sa
+    name: cephfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-rbd-ctrlplugin-r
+  name: cephfs-ctrlplugin-r
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_ctrlplugin_service_account.yaml → config/csi-rbac/cephfs_ctrlplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-rbd-ctrlplugin-sa
+  name: cephfs-ctrlplugin-sa
   namespace: system

config/rbac/csi_cephfs_nodeplugin_cluster_role.yaml → config/csi-rbac/cephfs_nodeplugin_cluster_role.yaml

@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-nodeplugin-cr
+  name: cephfs-nodeplugin-cr
 rules:
 - apiGroups: [""]
   resources: ["nodes"]

config/rbac/csi_rbd_ctrlplugin_cluster_role_binding.yaml → config/csi-rbac/cephfs_nodeplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-crb
+  name: cephfs-nodeplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-ctrlplugin-sa
+    name: cephfs-nodeplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-rbd-ctrlplugin-cr
+  name: cephfs-nodeplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_nodeplugin_service_account.yaml → config/csi-rbac/cephfs_nodeplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-rbd-nodeplugin-sa
+  name: cephfs-nodeplugin-sa
   namespace: system

config/csi-rbac/kustomization.yaml

@@ -0,0 +1,21 @@
+resources:
+# CSI operands have their own set of RBAC that need to be installed
+# on the cluster.
+- cephfs_ctrlplugin_service_account.yaml
+- cephfs_ctrlplugin_cluster_role.yaml
+- cephfs_ctrlplugin_cluster_role_binding.yaml
+- cephfs_ctrlplugin_role.yaml
+- cephfs_ctrlplugin_role_binding.yaml
+- cephfs_nodeplugin_service_account.yaml
+- cephfs_nodeplugin_cluster_role.yaml
+- cephfs_nodeplugin_cluster_role_binding.yaml
+- rbd_ctrlplugin_service_account.yaml
+- rbd_ctrlplugin_cluster_role.yaml
+- rbd_ctrlplugin_cluster_role_binding.yaml
+- rbd_ctrlplugin_role.yaml
+- rbd_ctrlplugin_role_binding.yaml
+- rbd_nodeplugin_service_account.yaml
+- rbd_nodeplugin_cluster_role.yaml
+- rbd_nodeplugin_cluster_role_binding.yaml
+- rbd_nodeplugin_role.yaml
+- rbd_nodeplugin_role_binding.yaml

config/rbac/csi_nfs_ctrlplugin_cluster_role.yaml → config/csi-rbac/nfs_ctrlplugin_cluster_role.yaml

@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-ctrlplugin-cr 
+  name: nfs-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["persistentvolumes"]

config/rbac/csi_cephfs_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/nfs_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,13 @@
+
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-nodeplugin-crb
+  name: nfs-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-nodeplugin-sa
+    name: nfs-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-cephfs-nodeplugin-cr
+  name: nfs-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_nfs_ctrlplugin_service_account.yaml → config/csi-rbac/nfs_ctrlplugin_service_account.yaml

@@ -1,5 +1,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-nfs-ctrlplugin-sa
+  name: nfs-ctrlplugin-sa
   namespace: system

config/rbac/csi_nfs_nodeplugin_cluster_role.yaml → config/csi-rbac/nfs_nodeplugin_cluster_role.yaml

@@ -4,7 +4,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-nodeplugin-cr
+  name: nfs-nodeplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["nodes"]

config/rbac/csi_nfs_nodeplugin_cluster_role_binding.yaml → config/csi-rbac/nfs_nodeplugin_cluster_role_binding.yaml

@@ -1,12 +1,11 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-nfs-nodeplugin-crb
+  name: nfs-nodeplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-nfs-nodeplugin-sa
+    name: nfs-nodeplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-nfs-nodeplugin-cr
-
+  name: nfs-nodeplugin-cr

config/rbac/csi_nfs_nodeplugin_service_account.yaml → config/csi-rbac/nfs_nodeplugin_service_account.yaml

@@ -2,5 +2,5 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-nfs-nodeplugin-sa
+  name: nfs-nodeplugin-sa
   namespace: system

config/rbac/csi_rbd_ctrlplugin_cluster_role.yaml → config/csi-rbac/rbd_ctrlplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-ctrlplugin-cr
+  name: rbd-ctrlplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/rbac/csi_cephfs_ctrlplugin_cluster_role_binding.yaml → config/csi-rbac/rbd_ctrlplugin_cluster_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-crb
+  name: rbd-ctrlplugin-crb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-ctrlplugin-sa
+    name: rbd-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: ClusterRole
-  name: csi-cephfs-ctrlplugin-cr
+  name: rbd-ctrlplugin-cr
   apiGroup: rbac.authorization.k8s.io

config/rbac/csi_cephfs_ctrlplugin_role.yaml → config/csi-rbac/rbd_ctrlplugin_role.yaml

@@ -1,8 +1,11 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-r
+  name: rbd-ctrlplugin-r
 rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch", "list", "delete", "update", "create"]
+  - apiGroups: ["csiaddons.openshift.io"]
+    resources: ["csiaddonsnodes"]
+    verbs: ["create"]

config/rbac/csi_rbd_nodeplugin_role_binding.yaml → config/csi-rbac/rbd_ctrlplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-rb
+  name: rbd-ctrlplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-rbd-nodeplugin-sa
+    name: rbd-ctrlplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-rbd-nodeplugin-r
+  name: rbd-ctrlplugin-r
   apiGroup: rbac.authorization.k8s.io

config/csi-rbac/rbd_ctrlplugin_service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbd-ctrlplugin-sa
+  namespace: system

config/rbac/csi_rbd_nodeplugin_cluster_role.yaml → config/csi-rbac/rbd_nodeplugin_cluster_role.yaml

@@ -1,7 +1,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-cr
+  name: rbd-nodeplugin-cr
 rules:
   - apiGroups: [""]
     resources: ["secrets"]

config/csi-rbac/rbd_nodeplugin_cluster_role_binding.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: rbd-nodeplugin-crb
+subjects:
+  - kind: ServiceAccount
+    name: rbd-nodeplugin-sa
+    namespace: system
+roleRef:
+  kind: ClusterRole
+  name: rbd-nodeplugin-cr
+  apiGroup: rbac.authorization.k8s.io

config/rbac/csi_rbd_nodeplugin_role.yaml → config/csi-rbac/rbd_nodeplugin_role.yaml

@@ -1,7 +1,7 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-rbd-nodeplugin-r
+  name: rbd-nodeplugin-r
 rules:
   - apiGroups: ["csiaddons.openshift.io"]
     resources: ["csiaddonsnodes"]

config/rbac/csi_cephfs_ctrlplugin_role_binding.yaml → config/csi-rbac/rbd_nodeplugin_role_binding.yaml

@@ -1,12 +1,12 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-cephfs-ctrlplugin-rb
+  name: rbd-nodeplugin-rb
 subjects:
   - kind: ServiceAccount
-    name: csi-cephfs-ctrlplugin-sa
+    name: rbd-nodeplugin-sa
     namespace: system
 roleRef:
   kind: Role
-  name: csi-cephfs-ctrlplugin-r
+  name: rbd-nodeplugin-r
   apiGroup: rbac.authorization.k8s.io

config/csi-rbac/rbd_nodeplugin_service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: rbd-nodeplugin-sa
+  namespace: system

config/default/kustomization.yaml

@@ -17,6 +17,7 @@ namePrefix: ceph-csi-operator-
 resources:
 - ../crd
 - ../rbac
+- ../csi-rbac
 - ../manager
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
 # crd/kustomization.yaml

config/rbac/kustomization.yaml

@@ -30,23 +30,3 @@ resources:
 - operatorconfig_viewer_role.yaml
 - driver_editor_role.yaml
 - driver_viewer_role.yaml
-# CSI operands have their own set of RBAC that need to be installed
-# on the cluster.
-- csi_cephfs_ctrlplugin_service_account.yaml
-- csi_cephfs_ctrlplugin_cluster_role.yaml
-- csi_cephfs_ctrlplugin_cluster_role_binding.yaml
-- csi_cephfs_ctrlplugin_role.yaml
-- csi_cephfs_ctrlplugin_role_binding.yaml
-- csi_cephfs_nodeplugin_service_account.yaml
-- csi_cephfs_nodeplugin_cluster_role.yaml
-- csi_cephfs_nodeplugin_cluster_role_binding.yaml
-- csi_rbd_ctrlplugin_service_account.yaml
-- csi_rbd_ctrlplugin_cluster_role.yaml
-- csi_rbd_ctrlplugin_cluster_role_binding.yaml
-- csi_rbd_ctrlplugin_role.yaml
-- csi_rbd_ctrlplugin_role_binding.yaml
-- csi_rbd_nodeplugin_service_account.yaml
-- csi_rbd_nodeplugin_cluster_role.yaml
-- csi_rbd_nodeplugin_cluster_role_binding.yaml
-- csi_rbd_nodeplugin_role.yaml
-- csi_rbd_nodeplugin_role_binding.yaml

config/rbac/role.yaml

@@ -57,6 +57,7 @@ rules:
   resources:
   - cephconnections
   verbs:
+  - delete
   - get
   - list
   - update