GCSFuse Profiles: Move Profiles to stable

Makefile

@@ -274,11 +274,8 @@ generate-spec-yaml:
 	cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit set image gke.gcr.io/gcs-fuse-csi-driver-webhook=${WEBHOOK_IMAGE}:${STAGINGVERSION};
 	cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit add configmap gcsfusecsi-image-config --behavior=merge --disableNameSuffixHash --from-literal=sidecar-image=${SIDECAR_IMAGE}:${STAGINGVERSION};
 	cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit add configmap gcsfusecsi-image-config --behavior=merge --disableNameSuffixHash --from-literal=metadata-sidecar-image=${PREFETCH_IMAGE}:${STAGINGVERSION};
-	if [ "$(OVERLAY)" = "profiles" ]; then \
-		echo "Applying profiles configmap..."; \
-		cd ./deploy/overlays/profiles; ${BINDIR}/kustomize edit add configmap gcsfusecsi-profiles-config --behavior=create --disableNameSuffixHash --from-literal=cluster-location=${CLUSTER_LOCATION}; \
-		cd ./deploy/overlays/profiles; ${BINDIR}/kustomize edit add configmap gcsfusecsi-profiles-config --behavior=create --disableNameSuffixHash --from-literal=project-number=${PROJECT_NUMBER}; \
-	fi
+	cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit add configmap gcsfusecsi-profiles-config --behavior=merge --disableNameSuffixHash --from-literal=cluster-location=${CLUSTER_LOCATION};
+	cd ./deploy/overlays/${OVERLAY}; ${BINDIR}/kustomize edit add configmap gcsfusecsi-profiles-config --behavior=merge --disableNameSuffixHash --from-literal=project-number=${PROJECT_NUMBER};
 # Must be unindented. When Make sees indented text, it attempts to pass it to the shell (/bin/sh) to execute. The shell doesn't know what ifeq is, so it crashes.
 ifeq ($(SELF_MANAGED_K8S), true)
 	echo "[{\"op\": \"replace\",\"path\": \"/spec/tokenRequests/0/audience\",\"value\": \"${IDENTITY_PROVIDER}\"}]" > ./deploy/overlays/${OVERLAY}/project_patch_csi_driver.json

deploy/base/controller/controller.yaml

@@ -32,95 +32,52 @@ spec:
       serviceAccount: gcs-fuse-csi-controller-sa
       priorityClassName: csi-gcp-gcs-controller
       containers:
-        - name: liveness-probe
-          volumeMounts:
-            - mountPath: /csi
-              name: socket-dir
-          image: registry.k8s.io/sig-storage/livenessprobe
-          imagePullPolicy: IfNotPresent
-          args:
-            - --csi-address=/csi/csi.sock
-            - --probe-timeout=3s
-            - --health-port=29633
-            - --v=2
-          resources:
-            limits:
-              cpu: 50m
-              memory: 100Mi
-            requests:
-              cpu: 10m
-              memory: 20Mi
-        - name: csi-external-provisioner
-          image: registry.k8s.io/sig-storage/csi-provisioner
-          imagePullPolicy: IfNotPresent
-          args:
-            - "--v=5"
-            - "--csi-address=/csi/csi.sock"
-            - "--timeout=250s"
-            - "--extra-create-metadata"
-            - "--http-endpoint=:22021"
-            - "--leader-election-namespace=$(CLOUDSTORAGECSI_NAMESPACE)"
-            - "--leader-election"
-            - "--retry-interval-max=60s"
-          resources:
-            limits:
-              cpu: 100m
-              memory: 200Mi
-            requests:
-              cpu: 10m
-              memory: 20Mi
-          env:
-            - name: CLOUDSTORAGECSI_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          ports:
-            - containerPort: 22021
-              name: http-endpoint
-              protocol: TCP
-          livenessProbe:
-            failureThreshold: 1
-            httpGet:
-              path: /healthz/leader-election
-              port: http-endpoint
-            initialDelaySeconds: 10
-            timeoutSeconds: 10
-            periodSeconds: 20
-          volumeMounts:
-            - name: socket-dir
-              mountPath: /csi
         - name: gcs-fuse-csi-driver
           image: gke.gcr.io/gcs-fuse-csi-driver
           imagePullPolicy: IfNotPresent
           args:
             - "--v=5"
             - "--endpoint=unix:/csi/csi.sock"
-            - "--nodeid=$(KUBE_NODE_NAME)"
             - "--controller=true"
+            - "--enable-gcsfuse-profiles=true"
+            - "--leader-election=true"
+            - "--leader-election-namespace=$(CLOUDSTORAGECSI_NAMESPACE)"
+            - "--cluster-location=$(CLUSTER_LOCATION)"
+            - "--project-number=$(PROJECT_NUMBER)"
+            - "--http-endpoint=:29633"
           ports:
             - containerPort: 29633
-              name: healthz
+              name: http-endpoint
               protocol: TCP
           livenessProbe:
             failureThreshold: 5
             httpGet:
-              path: /healthz
-              port: healthz
+              path: /healthz/leader-election
+              port: http-endpoint
             initialDelaySeconds: 30
             timeoutSeconds: 10
             periodSeconds: 30
           resources:
             limits:
-              cpu: 200m
               memory: 200Mi
             requests:
               cpu: 10m
               memory: 80Mi
           env:
-            - name: KUBE_NODE_NAME
+            - name: CLOUDSTORAGECSI_NAMESPACE
               valueFrom:
                 fieldRef:
-                  fieldPath: spec.nodeName
+                  fieldPath: metadata.namespace
+            - name: CLUSTER_LOCATION
+              valueFrom:
+                configMapKeyRef:
+                  name: gcsfusecsi-profiles-config
+                  key: cluster-location
+            - name: PROJECT_NUMBER
+              valueFrom:
+                configMapKeyRef:
+                  name: gcsfusecsi-profiles-config
+                  key: project-number
           volumeMounts:
             - name: socket-dir
               mountPath: /csi

deploy/base/controller/controller_setup.yaml

@@ -100,4 +100,42 @@ subjects:
 roleRef:
   kind: Role
   name: gcs-fuse-csi-leaderelection-role
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gcs-fuse-csi-bucket-scanner-role
+rules:
+# Required to remove Pod scheduling gates.
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "patch"]
+# Required to patch PV annotations.
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "patch"]
+# Required to map PVC to PV from Pod.
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+# Required to get gcsfuse profile configs.
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+# Required to get node zone to enable AnyC.
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gcs-fuse-csi-bucket-scanner-rolebinding
+subjects:
+  - kind: ServiceAccount
+    name: gcs-fuse-csi-controller-sa
+roleRef:
+  kind: ClusterRole
+  name: gcs-fuse-csi-bucket-scanner-role
+  apiGroup: rbac.authorization.k8s.io

deploy/base/node/node.yaml

@@ -58,6 +58,8 @@ spec:
             - --max-metric-collectors=-1
             - --enable-sidecar-bucket-access-check=true
             - --enable-gcsfuse-kernel-params=true
+            - --enable-gcsfuse-profiles=true
+            - --enable-gcsfuse-profiles-internal=true
           ports:
           - containerPort: 9920
             name: metrics

deploy/base/node/node_setup.yaml

@@ -42,13 +42,14 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["get"]
-# Required to list PV annotations.
+# PV is required to read PV annotations.
+# PVC required to map PVC to PV from Pod.
   - apiGroups: [""]
-    resources: ["persistentvolumes"]
+    resources: ["persistentvolumes", "persistentvolumeclaims"]
     verbs: ["get", "list", "watch"]
-# Required to map PVC to PV from Pod.
-  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
+# Required to get gcsfuse profile configs.
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
     verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1

deploy/base/setup/kustomization.yaml

@@ -18,4 +18,5 @@ kind: Kustomization
 namespace: gcs-fuse-csi-driver
 resources:
 - cluster_setup.yaml
-- csi_driver.yaml
+- csi_driver.yaml
+- storageclass.yaml

deploy/overlays/profiles/storageclass.yaml → deploy/base/setup/storageclass.yaml

@@ -74,3 +74,8 @@ parameters:
   fuseEphemeralStorageAllocatableFactor: "0.85"
   bucketScanResyncPeriod: "168h"
   bucketScanTimeout: "2m"
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gcsfusecsi-profiles-config

deploy/base/webhook/deployment.yaml

@@ -60,6 +60,7 @@ spec:
             - --port=22030
             - --health-probe-bind-address=:22031
             - --should-inject-sa-vol=true
+            - --enable-gcsfuse-profiles=true
           env:
             - name: SIDECAR_IMAGE_PULL_POLICY
               value: "IfNotPresent"

deploy/base/webhook/webhook_setup.yaml

@@ -36,6 +36,9 @@ rules:
   - apiGroups: [""]
     resources: ["nodes", "persistentvolumes", "persistentvolumeclaims", "configmaps"]
     verbs: ["get","list","watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get","list","watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding