From 45423873fb3c6c7f2f853a21f5868bde582bfe5a Mon Sep 17 00:00:00 2001
From: Patryk Matuszak
Date: Fri, 20 Dec 2024 13:17:09 +0100
Subject: [PATCH 1/2] Remove CSI webhook as it is deprecated
---
.../webhook_clusterrole.yaml | 11 ---
.../webhook_clusterrolebinding.yaml | 12 ---
.../webhook_config.yaml | 42 ----------
.../webhook_deployment.yaml | 83 -------------------
.../webhook_service.yaml | 18 ----
.../webhook_serviceaccount.yaml | 5 --
assets/release/release-aarch64.json | 3 +-
assets/release/release-x86_64.json | 3 +-
.../config/config-openapi-spec.json | 6 +-
docs/user/howto_config.md | 4 +-
.../microshift/pkg/config/storage.go | 14 ++--
okd/src/README.md | 1 -
packaging/microshift/config.yaml | 5 +-
pkg/components/csi-snapshot-controller.go | 38 ++-------
pkg/config/config_test.go | 3 +-
pkg/config/storage.go | 14 ++--
pkg/config/storage_test.go | 11 ++-
pkg/healthcheck/microshift_core_workloads.go | 5 +-
pkg/healthcheck/workloads_test.go | 16 +---
scripts/auto-rebase/assets.yaml | 8 --
scripts/auto-rebase/rebase.sh | 12 ---
test/suites/standard1/configuration.robot | 11 ++-
22 files changed, 40 insertions(+), 285 deletions(-)
delete mode 100644 assets/components/csi-snapshot-controller/webhook_clusterrole.yaml
delete mode 100644 assets/components/csi-snapshot-controller/webhook_clusterrolebinding.yaml
delete mode 100644 assets/components/csi-snapshot-controller/webhook_config.yaml
delete mode 100644 assets/components/csi-snapshot-controller/webhook_deployment.yaml
delete mode 100644 assets/components/csi-snapshot-controller/webhook_service.yaml
delete mode 100644 assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml
diff --git a/assets/components/csi-snapshot-controller/webhook_clusterrole.yaml b/assets/components/csi-snapshot-controller/webhook_clusterrole.yaml
deleted file mode 100644
index 322dd21fa6..0000000000
--- a/assets/components/csi-snapshot-controller/webhook_clusterrole.yaml
+++ /dev/null
@@ -1,11 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: csi-snapshot-webhook-clusterrole -rules: -- apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] -- apiGroups: ["groupsnapshot.storage.k8s.io"] - resources: ["volumegroupsnapshotclasses"] - verbs: ["get", "list", "watch"] diff --git a/assets/components/csi-snapshot-controller/webhook_clusterrolebinding.yaml b/assets/components/csi-snapshot-controller/webhook_clusterrolebinding.yaml deleted file mode 100644 index 007207e86b..0000000000 --- a/assets/components/csi-snapshot-controller/webhook_clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-snapshot-webhook-clusterrolebinding -subjects: - - kind: ServiceAccount - name: csi-snapshot-webhook - namespace: ${CONTROLPLANE_NAMESPACE} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: csi-snapshot-webhook-clusterrole diff --git a/assets/components/csi-snapshot-controller/webhook_config.yaml b/assets/components/csi-snapshot-controller/webhook_config.yaml deleted file mode 100644 index 6c4f539985..0000000000 --- a/assets/components/csi-snapshot-controller/webhook_config.yaml +++ /dev/null 
@@ -1,42 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: snapshot.storage.k8s.io - labels: - app: csi-snapshot-webhook - annotations: - service.beta.openshift.io/inject-cabundle: "true" - include.release.openshift.io/self-managed-high-availability: "true" - include.release.openshift.io/single-node-developer: "true" -webhooks: - - name: volumesnapshotclasses.snapshot.storage.k8s.io - clientConfig: - service: - name: csi-snapshot-webhook - namespace: kube-system - path: /volumesnapshot - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["snapshot.storage.k8s.io"] - apiVersions: ["v1beta1", "v1"] - resources: ["volumesnapshotclasses"] - admissionReviewVersions: - - v1 - - v1beta1 - sideEffects: None - failurePolicy: Ignore - - name: volumegroupsnapshotclasses.groupsnapshot.storage.k8s.io - clientConfig: - service: - name: csi-snapshot-webhook - namespace: openshift-cluster-storage-operator - path: /volumegroupsnapshot - rules: - - operations: ["CREATE", "UPDATE"] - apiGroups: ["groupsnapshot.storage.k8s.io"] - apiVersions: ["v1alpha1"] - resources: ["volumegroupsnapshotclasses"] - admissionReviewVersions: - - v1 - sideEffects: None - failurePolicy: Ignore diff --git a/assets/components/csi-snapshot-controller/webhook_deployment.yaml b/assets/components/csi-snapshot-controller/webhook_deployment.yaml deleted file mode 100644 index 1ac61c9022..0000000000 --- a/assets/components/csi-snapshot-controller/webhook_deployment.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -kind: Deployment -apiVersion: apps/v1 -metadata: - name: csi-snapshot-webhook - namespace: kube-system -spec: - serviceName: "csi-snapshot-webhook" - selector: - matchLabels: - app: csi-snapshot-webhook - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - maxSurge: 0 - template: - metadata: - annotations: - target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}' - openshift.io/required-scc: restricted-v2 - labels: - app: csi-snapshot-webhook - spec: - serviceAccount: csi-snapshot-webhook - containers: - - name: webhook - image: '{{ .ReleaseImage.csi_snapshot_validation_webhook }}' - args: - - --tls-cert-file=/etc/snapshot-validation-webhook/certs/tls.crt - - --tls-private-key-file=/etc/snapshot-validation-webhook/certs/tls.key - - "--v=2" - - --port=8443 - ports: - - containerPort: 8443 - volumeMounts: - - name: certs - mountPath: /etc/snapshot-validation-webhook/certs - readOnly: true - optional: true - imagePullPolicy: IfNotPresent - resources: - requests: - cpu: 10m - memory: 20Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsUser: 65534 - terminationMessagePolicy: FallbackToLogsOnError - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchLabels: - app: csi-snapshot-webhook - topologyKey: kubernetes.io/hostname - restartPolicy: Always - securityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault - nodeSelector: - node-role.kubernetes.io/master: "" - volumes: - - name: certs - secret: - secretName: csi-snapshot-webhook-secret - tolerations: - - key: "node.kubernetes.io/unreachable" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 - - key: "node.kubernetes.io/not-ready" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 - - key: node-role.kubernetes.io/master - operator: Exists - effect: "NoSchedule" 
diff --git a/assets/components/csi-snapshot-controller/webhook_service.yaml b/assets/components/csi-snapshot-controller/webhook_service.yaml deleted file mode 100644 index ddd576182d..0000000000 --- a/assets/components/csi-snapshot-controller/webhook_service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: csi-snapshot-webhook - namespace: kube-system - labels: - app: csi-snapshot-webhook - hypershift.openshift.io/allow-guest-webhooks: "true" - annotations: - service.beta.openshift.io/serving-cert-secret-name: csi-snapshot-webhook-secret - capability.openshift.io/name: CSISnapshot -spec: - ports: - - name: webhook - port: 443 - targetPort: 8443 - selector: - app: csi-snapshot-webhook diff --git a/assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml b/assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml deleted file mode 100644 index 3d56d25c29..0000000000 --- a/assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-snapshot-webhook - namespace: kube-system diff --git a/assets/release/release-aarch64.json b/assets/release/release-aarch64.json index 118daaf1d5..f76eac36b9 100644 --- a/assets/release/release-aarch64.json +++ b/assets/release/release-aarch64.json 
@@ -11,7 +11,6 @@ "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:618a701c092403624182c4969c1a6a2f4aadd26c7b50e46c7fbe7175da0f3575", "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ddbe4e12785990a4764abb85ef5c5c64bdaafa83c29e35beb77e03d995f0b256", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:bd6dc4d6e90fdbcdb844759e203c9c591abc5ac29a956257a90bda101a37b76e", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b7c79ee759c3bb9ae50d27d7487c9dc9de5224c9175ac9636f500ab0fd46e90b", - "csi-snapshot-validation-webhook": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:30ca243687727c62df5c0f952105a52c6e587c1ec0f348ae91bf8e09de7f2494" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b7c79ee759c3bb9ae50d27d7487c9dc9de5224c9175ac9636f500ab0fd46e90b" } } diff --git a/assets/release/release-x86_64.json b/assets/release/release-x86_64.json index fe43f68047..2cc7213e36 100644 --- a/assets/release/release-x86_64.json +++ b/assets/release/release-x86_64.json @@ -11,7 +11,6 @@ "pod": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9baab801b7c1371ecebdbb4570228756e056689e7f834fbfc597df4c8eb1e3fd", "service-ca-operator": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e91a5da769452f47bb5c2518174474b08d466344cd9a46f49d386f0562e88acd", "lvms_operator": "registry.redhat.io/lvms4/lvms-rhel9-operator@sha256:bd6dc4d6e90fdbcdb844759e203c9c591abc5ac29a956257a90bda101a37b76e", - "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d49a8e92e26b4e27adbb1d37cf15a2ea2ae0501054ff9db1a355c80802fdc9ba", - "csi-snapshot-validation-webhook": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:41c28bd33107bba44960076491be57572c782b1275ae5519b0bcd04853efbdb8" + "csi-snapshot-controller": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:d49a8e92e26b4e27adbb1d37cf15a2ea2ae0501054ff9db1a355c80802fdc9ba" } } 
diff --git a/cmd/generate-config/config/config-openapi-spec.json b/cmd/generate-config/config/config-openapi-spec.json index 493141cf37..1f0501b1ed 100755 --- a/cmd/generate-config/config/config-openapi-spec.json +++ b/cmd/generate-config/config/config-openapi-spec.json 
@@ -434,7 +434,7 @@ ] }, "optionalCsiComponents": { - "description": "OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which\nadditional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller\nand webhook when no components are specified. This preserves the current deployment behavior of existing\nclusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI\ncomponents. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying\nstorage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage\nobjects.\nAllowed values are: unset, [], or one or more of [\"snapshot-controller\", \"snapshot-webhook\"]", + "description": "OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which\nadditional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller\nwhen no components are specified. This preserves the current deployment behavior of existing\nclusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI\ncomponents. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying\nstorage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage\nobjects.\nAllowed values are: unset, [], or one or more of [\"snapshot-controller\"]", "type": "array", "items": { "description": "OptionalCsiComponent values determine which CSI components MicroShift should deploy. Currently only csi snapshot components\nare supported.", @@ -442,13 +442,11 @@ "enum": [ "none", "snapshot-controller", - "snapshot-webhook", "" ] }, "example": [ - "snapshot-controller", - "snapshot-webhook" + "snapshot-controller" ] } } 
diff --git a/docs/user/howto_config.md b/docs/user/howto_config.md index 0ac720fc5e..a5d8850888 100644 --- a/docs/user/howto_config.md +++ b/docs/user/howto_config.md @@ -367,9 +367,9 @@ specifying supported values under `.storage` node of the MicroShift config in th storage optionalCsiComponents: **ARRAY**. ``` - - Expected values are: `['csi-snapshot-controller', 'csi-snapshot-webhook', 'none']`. `'none'` is mutually exclusive + - Expected values are: `['csi-snapshot-controller', 'none']`. `'none'` is mutually exclusive with all other values. - - Empty array defaults to deploying `snapshot-controller` and `snapshot-webhook`. + - Empty array defaults to deploying `snapshot-controller`. ### Automated Uninstallation is Not Supported diff --git a/etcd/vendor/github.com/openshift/microshift/pkg/config/storage.go b/etcd/vendor/github.com/openshift/microshift/pkg/config/storage.go index b53c93024a..a590b29cde 100644 --- a/etcd/vendor/github.com/openshift/microshift/pkg/config/storage.go +++ b/etcd/vendor/github.com/openshift/microshift/pkg/config/storage.go 
@@ -26,12 +26,12 @@ const ( // OptionalCsiComponent values determine which CSI components MicroShift should deploy. Currently only csi snapshot components // are supported. -// +kubebuilder:validation:Enum:=none;snapshot-controller;snapshot-webhook;"" +// +kubebuilder:validation:Enum:=none;snapshot-controller;"" type OptionalCsiComponent string const ( // CsiComponentNone exists to support backwards compatibility with existing MicroShift clusters. By default, - // MicroShift will deploy snapshot controller and webhook when no components are specified. This preserves the + // MicroShift will deploy snapshot controller when no components are specified. This preserves the // current deployment behavior of existing clusters. Users must set .storage.with-csi-components: [ "none" ] to // explicitly tell MicroShift not to deploy any CSI components. The CSI Driver is excluded as it is typically // deployed via the same manifest as the accompanying storage driver. Like DriverOpt, uninstallation is not @@ -39,8 +39,6 @@ const ( CsiComponentNone OptionalCsiComponent = "none" // CsiComponentSnapshot causes MicroShift to deploy the CSI Snapshot controller. CsiComponentSnapshot OptionalCsiComponent = "snapshot-controller" - // CsiComponentSnapshotWebhook causes MicroShift to deploy the CSI Snapshot Validation Webhook. - CsiComponentSnapshotWebhook OptionalCsiComponent = "snapshot-webhook" // CsiComponentNullAlias is equivalent to not specifying a value. It exists because controller-gen generates // default empty-array values as [""], instead of []. Failing to include this odd value would mean the generated // /etc/microshift/config.default.yaml would break if passed to MicroShift. 
@@ -59,14 +57,14 @@ type Storage struct { Driver CSIStorageDriver `json:"driver,omitempty"` // OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which // additional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller - // and webhook when no components are specified. This preserves the current deployment behavior of existing + // when no components are specified. This preserves the current deployment behavior of existing // clusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI // components. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying // storage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage // objects. - // Allowed values are: unset, [], or one or more of ["snapshot-controller", "snapshot-webhook"] + // Allowed values are: unset, [], or one or more of ["snapshot-controller"] // +kubebuilder:validation:Optional - // +kubebuilder:example={"snapshot-controller", "snapshot-webhook"} + // +kubebuilder:example={"snapshot-controller"} OptionalCSIComponents []OptionalCsiComponent `json:"optionalCsiComponents,omitempty"` } @@ -75,7 +73,7 @@ func (s Storage) driverIsValid() (isSupported bool) { } func (s Storage) csiComponentsAreValid() []string { - supported := sets.New[OptionalCsiComponent](CsiComponentSnapshot, CsiComponentSnapshotWebhook, CsiComponentNone, + supported := sets.New[OptionalCsiComponent](CsiComponentSnapshot, CsiComponentNone, CsiComponentNullAlias) unsupported := sets.New[string]() diff --git a/okd/src/README.md b/okd/src/README.md index 9e7a9dc102..732cb6466c 100644 --- a/okd/src/README.md +++ b/okd/src/README.md 
@@ -38,7 +38,6 @@ > oc get pods NAMESPACE NAME READY STATUS RESTARTS AGE kube-system csi-snapshot-controller-7d6c78bc58-5p7tb 1/1 Running 0 8m52s - kube-system csi-snapshot-webhook-5598db6db4-rmrpx 1/1 Running 0 8m54s openshift-dns dns-default-2q89q 2/2 Running 0 7m34s openshift-dns node-resolver-k2c5h 1/1 Running 0 8m54s openshift-ingress router-default-db4b598b9-x8lvb 1/1 Running 0 8m52s diff --git a/packaging/microshift/config.yaml b/packaging/microshift/config.yaml index b298a55b0a..c16df2939a 100644 --- a/packaging/microshift/config.yaml +++ b/packaging/microshift/config.yaml @@ -374,15 +374,14 @@ storage: driver: "" # OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which # additional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller - # and webhook when no components are specified. This preserves the current deployment behavior of existing + # when no components are specified. This preserves the current deployment behavior of existing # clusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI # components. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying # storage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage # objects. - # Allowed values are: unset, [], or one or more of ["snapshot-controller", "snapshot-webhook"] + # Allowed values are: unset, [], or one or more of ["snapshot-controller"] # example: # - snapshot-controller - # - snapshot-webhook optionalCsiComponents: - "" diff --git a/pkg/components/csi-snapshot-controller.go b/pkg/components/csi-snapshot-controller.go index 810e1c1831..c4dff338b0 100644 --- a/pkg/components/csi-snapshot-controller.go +++ b/pkg/components/csi-snapshot-controller.go 
@@ -16,7 +16,7 @@ func startCSISnapshotController(ctx context.Context, cfg *config.Config, kubecon if len(cfg.Storage.OptionalCSIComponents) == 0 { // Upgraded clusters will not have set .storage.*, so we need to support the prior default behavior and deploy // CSI snapshots when .storage.optionalCsiComponents is nil. - csiComps.Insert(config.CsiComponentSnapshot, config.CsiComponentSnapshotWebhook) + csiComps.Insert(config.CsiComponentSnapshot) } else if csiComps.Has(config.CsiComponentNone) { // User set a zero-len slice, indicating that the cluster supports optional CSI components, and that they should // be disabled. 
@@ -25,36 +25,12 @@ func startCSISnapshotController(ctx context.Context, cfg *config.Config, kubecon } var ( - whSA = []string{"components/csi-snapshot-controller/webhook_serviceaccount.yaml"} - whCfg = []string{"components/csi-snapshot-controller/webhook_config.yaml"} - whDeploy = []string{"components/csi-snapshot-controller/webhook_deployment.yaml"} - whSvc = []string{"components/csi-snapshot-controller/webhook_service.yaml"} - cr = []string{"components/csi-snapshot-controller/clusterrole.yaml"} - crb = []string{"components/csi-snapshot-controller/clusterrolebinding.yaml"} - sa = []string{"components/csi-snapshot-controller/serviceaccount.yaml"} - deploy = []string{"components/csi-snapshot-controller/csi_controller_deployment.yaml"} + cr = []string{"components/csi-snapshot-controller/clusterrole.yaml"} + crb = []string{"components/csi-snapshot-controller/clusterrolebinding.yaml"} + sa = []string{"components/csi-snapshot-controller/serviceaccount.yaml"} + deploy = []string{"components/csi-snapshot-controller/csi_controller_deployment.yaml"} ) - // Deploy Webhook - //nolint:nestif - if csiComps.Has(config.CsiComponentSnapshotWebhook) { - klog.Infof("deploying CSI snapshot webhook") - if err := assets.ApplyServiceAccounts(ctx, whSA, kubeconfigPath); err != nil { - return fmt.Errorf("apply service account: %w", err) - } - if err := assets.ApplyDeployments(ctx, whDeploy, renderTemplate, renderParamsFromConfig(cfg, nil), kubeconfigPath); err != nil { - return fmt.Errorf("apply deployment: %w", err) - } - if err := assets.ApplyValidatingWebhookConfiguration(ctx, whCfg, kubeconfigPath); err != nil { - return fmt.Errorf("apply validationWebhookConfiguration: %w", err) - } - if err := assets.ApplyDeployments(ctx, deploy, renderTemplate, renderParamsFromConfig(cfg, nil), kubeconfigPath); err != nil { - return fmt.Errorf("apply deployments: %w", err) - } - } else { - klog.Warningf("CSI snapshot webhook is disabled") - } - // Deploy CSI Controller Deployment //nolint:nestif 
if csiComps.Has(config.CsiComponentSnapshot) || csiComps.Len() == 0 { @@ -68,8 +44,8 @@ func startCSISnapshotController(ctx context.Context, cfg *config.Config, kubecon if err := assets.ApplyServiceAccounts(ctx, sa, kubeconfigPath); err != nil { return fmt.Errorf("apply service account: %w", err) } - if err := assets.ApplyServices(ctx, whSvc, nil, map[string]interface{}{}, kubeconfigPath); err != nil { - return fmt.Errorf("apply service: %w", err) + if err := assets.ApplyDeployments(ctx, deploy, renderTemplate, renderParamsFromConfig(cfg, nil), kubeconfigPath); err != nil { + return fmt.Errorf("apply deployments: %w", err) } } else { klog.Warningf("CSI snapshot controller is disabled") diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 4d36dbbed2..e484a04576 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -377,13 +377,12 @@ func TestGetActiveConfigFromYAML(t *testing.T) { driver: "none" optionalCsiComponents: - "snapshot-controller" - - "snapshot-webhook" `), expected: func() *Config { c := mkDefaultConfig() c.Storage = Storage{ Driver: CsiDriverNone, - OptionalCSIComponents: []OptionalCsiComponent{CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + OptionalCSIComponents: []OptionalCsiComponent{CsiComponentSnapshot}, } return c }(), diff --git a/pkg/config/storage.go b/pkg/config/storage.go index b53c93024a..a590b29cde 100644 --- a/pkg/config/storage.go +++ b/pkg/config/storage.go 
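Review bot: The hunk that deletes the `whSA`/`whDeploy`/`whCfg`/`whSvc` apply calls stops creating the webhook objects but, as far as this patch shows, nothing removes the ones earlier versions already applied, so an upgraded node would keep the `csi-snapshot-webhook` ServiceAccount, Deployment and Service and the `snapshot.storage.k8s.io` ValidatingWebhookConfiguration. The leftover Deployment would keep running an image that `release-*.json` no longer pins, so it stops being updated, while the API server still has a registration pointing at it; the removed registration used `failurePolicy: Ignore`, so it should not block requests, but it stays as unmaintained admission plumbing. Consider a best-effort delete of those four named objects in `startCSISnapshotController` before the controller assets are applied, unless cleanup is handled outside this diff. The commit message could also state what now enforces the CREATE/UPDATE checks the webhook registered for `volumesnapshotclasses` and `volumegroupsnapshotclasses`. The function body starts and ends outside the hunk.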
@@ -26,12 +26,12 @@ const ( // OptionalCsiComponent values determine which CSI components MicroShift should deploy. Currently only csi snapshot components // are supported. -// +kubebuilder:validation:Enum:=none;snapshot-controller;snapshot-webhook;"" +// +kubebuilder:validation:Enum:=none;snapshot-controller;"" type OptionalCsiComponent string const ( // CsiComponentNone exists to support backwards compatibility with existing MicroShift clusters. By default, - // MicroShift will deploy snapshot controller and webhook when no components are specified. This preserves the + // MicroShift will deploy snapshot controller when no components are specified. This preserves the // current deployment behavior of existing clusters. Users must set .storage.with-csi-components: [ "none" ] to // explicitly tell MicroShift not to deploy any CSI components. The CSI Driver is excluded as it is typically // deployed via the same manifest as the accompanying storage driver. Like DriverOpt, uninstallation is not @@ -39,8 +39,6 @@ const ( CsiComponentNone OptionalCsiComponent = "none" // CsiComponentSnapshot causes MicroShift to deploy the CSI Snapshot controller. CsiComponentSnapshot OptionalCsiComponent = "snapshot-controller" - // CsiComponentSnapshotWebhook causes MicroShift to deploy the CSI Snapshot Validation Webhook. - CsiComponentSnapshotWebhook OptionalCsiComponent = "snapshot-webhook" // CsiComponentNullAlias is equivalent to not specifying a value. It exists because controller-gen generates // default empty-array values as [""], instead of []. Failing to include this odd value would mean the generated // /etc/microshift/config.default.yaml would break if passed to MicroShift. 
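Review bot: The `CsiComponentNone` comment edited in this hunk still tells users to set `.storage.with-csi-components: [ "none" ]`, a key that does not match the `optionalCsiComponents` JSON tag, and the `Storage` field comment in the following hunk says `optionalCsiComponents: []` disables the components. The `len(cfg.Storage.OptionalCSIComponents) == 0` branches in `startCSISnapshotController` and `getExpectedCSIComponents` treat an empty list as "deploy the snapshot controller", so an operator following either comment would presumably still get the component they meant to turn off. Since both comments are being touched anyway, suggested wording for them and for the copy in `packaging/microshift/config.yaml`: `// Users must set .storage.optionalCsiComponents: ["none"] to explicitly tell MicroShift not to deploy any CSI components.` The "Allowed values" line would then list `"none"` as well, matching the kubebuilder enum.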
@@ -59,14 +57,14 @@ type Storage struct { Driver CSIStorageDriver `json:"driver,omitempty"` // OptionalCSIComponents is a user defined slice of CSIComponent values. These value tell MicroShift which // additional, non-driver, CSI controllers to deploy on start. MicroShift will deploy snapshot controller - // and webhook when no components are specified. This preserves the current deployment behavior of existing + // when no components are specified. This preserves the current deployment behavior of existing // clusters. Users must set `.storage.optionalCsiComponents: []` to explicitly tell MicroShift not to deploy any CSI // components. The CSI Driver is excluded as it is typically deployed via the same manifest as the accompanying // storage driver. Like CSIStorageDriver, uninstallation is not supported as this can lead to orphaned storage // objects. - // Allowed values are: unset, [], or one or more of ["snapshot-controller", "snapshot-webhook"] + // Allowed values are: unset, [], or one or more of ["snapshot-controller"] // +kubebuilder:validation:Optional - // +kubebuilder:example={"snapshot-controller", "snapshot-webhook"} + // +kubebuilder:example={"snapshot-controller"} OptionalCSIComponents []OptionalCsiComponent `json:"optionalCsiComponents,omitempty"` } @@ -75,7 +73,7 @@ func (s Storage) driverIsValid() (isSupported bool) { } func (s Storage) csiComponentsAreValid() []string { - supported := sets.New[OptionalCsiComponent](CsiComponentSnapshot, CsiComponentSnapshotWebhook, CsiComponentNone, + supported := sets.New[OptionalCsiComponent](CsiComponentSnapshot, CsiComponentNone, CsiComponentNullAlias) unsupported := sets.New[string]() diff --git a/pkg/config/storage_test.go b/pkg/config/storage_test.go index 4a4434ba3f..40bf80b689 100644 --- a/pkg/config/storage_test.go +++ b/pkg/config/storage_test.go 
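Review bot: Dropping `CsiComponentSnapshotWebhook` from the `supported` set in `csiComponentsAreValid` turns a value that earlier releases documented and accepted into an `invalid CSI components` error, so a node whose existing config lists `snapshot-webhook` would fail validation after upgrade. Whether that error stops startup is decided outside this hunk, but if it does, deprecating an optional component should not take the node down. Consider keeping the constant with a `// Deprecated: accepted for compatibility, no longer deployed.` comment, leaving it in `supported` and in the kubebuilder enum, and logging a warning where the components are applied; a `storage_test.go` case for the deprecated value would pin that behaviour. The vendored copy under `etcd/vendor/` carries the same change.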
@@ -57,7 +57,7 @@ func TestStorage_IsValid(t *testing.T) { name: "is valid when a driver is set and csi-components are valid", fields: fields{ Driver: CsiDriverLVMS, - CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot}, }, want: []error{}, }, @@ -73,7 +73,7 @@ func TestStorage_IsValid(t *testing.T) { name: "is valid when the driver is unset and csi-components are valid", fields: fields{ Driver: CsiDriverUnset, - CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot}, }, want: []error{}, }, @@ -81,7 +81,7 @@ func TestStorage_IsValid(t *testing.T) { name: "is invalid when driver is valid, but csi-components are invalid", fields: fields{ Driver: CsiDriverLVMS, - CSIComponents: []OptionalCsiComponent{"foobar", CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + CSIComponents: []OptionalCsiComponent{"foobar", CsiComponentSnapshot}, }, want: []error{ fmt.Errorf("invalid CSI components: [foobar]"), @@ -91,7 +91,7 @@ func TestStorage_IsValid(t *testing.T) { name: "is invalid when driver is invalid, but CSI components are valid", fields: fields{ Driver: "foobar", - CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot}, }, want: []error{ fmt.Errorf("invalid driver \"foobar\""), @@ -125,7 +125,6 @@ func TestStorage_csiComponentIsValid(t *testing.T) { fields: fields{ CSIComponents: []OptionalCsiComponent{ CsiComponentSnapshot, - CsiComponentSnapshotWebhook, }, }, want: []string{}, 
@@ -230,7 +229,7 @@ func TestStorage_noneIsMutuallyExclusive(t *testing.T) { { name: "passes when none is not in a list of values", fields: fields{ - CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot, CsiComponentSnapshotWebhook}, + CSIComponents: []OptionalCsiComponent{CsiComponentSnapshot}, }, want: nil, want1: true, diff --git a/pkg/healthcheck/microshift_core_workloads.go b/pkg/healthcheck/microshift_core_workloads.go index 0ea8abfb0f..6c50d99c50 100644 --- a/pkg/healthcheck/microshift_core_workloads.go +++ b/pkg/healthcheck/microshift_core_workloads.go @@ -126,7 +126,7 @@ func getExpectedCSIComponents(cfg *config.Config) []string { klog.V(2).Infof("Configured optional CSI components: %v", cfg.Storage.OptionalCSIComponents) if len(cfg.Storage.OptionalCSIComponents) == 0 { - return []string{"csi-snapshot-controller", "csi-snapshot-webhook"} + return []string{"csi-snapshot-controller"} } // Validation fails when there's more than one component provided and one of them is "None". @@ -140,9 +140,6 @@ func getExpectedCSIComponents(cfg *config.Config) []string { if comp == config.CsiComponentSnapshot { deployments = append(deployments, "csi-snapshot-controller") } - if comp == config.CsiComponentSnapshotWebhook { - deployments = append(deployments, "csi-snapshot-webhook") - } } return deployments } diff --git a/pkg/healthcheck/workloads_test.go b/pkg/healthcheck/workloads_test.go index b78eebd10e..dd59ec2a54 100644 --- a/pkg/healthcheck/workloads_test.go +++ b/pkg/healthcheck/workloads_test.go @@ -18,7 +18,7 @@ func Test_csiComponentsAreExpected(t *testing.T) { cfg: config.Config{Storage: config.Storage{ OptionalCSIComponents: []config.OptionalCsiComponent{}, }}, - expectedResult: []string{"csi-snapshot-controller", "csi-snapshot-webhook"}, + expectedResult: []string{"csi-snapshot-controller"}, }, { name: "none", 
@@ -34,20 +34,6 @@ func Test_csiComponentsAreExpected(t *testing.T) { }}, expectedResult: []string{"csi-snapshot-controller"}, }, - { - name: "only webhook", - cfg: config.Config{Storage: config.Storage{ - OptionalCSIComponents: []config.OptionalCsiComponent{config.CsiComponentSnapshotWebhook}, - }}, - expectedResult: []string{"csi-snapshot-webhook"}, - }, - { - name: "controller & webhook", - cfg: config.Config{Storage: config.Storage{ - OptionalCSIComponents: []config.OptionalCsiComponent{config.CsiComponentSnapshot, config.CsiComponentSnapshotWebhook}, - }}, - expectedResult: []string{"csi-snapshot-controller", "csi-snapshot-webhook"}, - }, } for _, td := range testData { t.Run(td.name, func(t *testing.T) { diff --git a/scripts/auto-rebase/assets.yaml b/scripts/auto-rebase/assets.yaml index 2cbef5ec16..00c2c7a3cf 100644 --- a/scripts/auto-rebase/assets.yaml +++ b/scripts/auto-rebase/assets.yaml @@ -89,14 +89,6 @@ assets: files: - file: csi_controller_deployment.yaml - file: serviceaccount.yaml - - file: webhook_config.yaml - - file: webhook_deployment.yaml - - file: webhook_service.yaml - - file: webhook_serviceaccount.yaml - - file: webhook_clusterrole.yaml - src: ./rbac/ - - file: webhook_clusterrolebinding.yaml - src: ./rbac/ - file: volumesnapshotclasses.yaml - file: volumesnapshotcontents.yaml - file: volumesnapshots.yaml diff --git a/scripts/auto-rebase/rebase.sh b/scripts/auto-rebase/rebase.sh index c9c76d0564..fb863f8825 100755 --- a/scripts/auto-rebase/rebase.sh +++ b/scripts/auto-rebase/rebase.sh 
@@ -789,18 +789,6 @@ EOF yq -i 'del(.spec.template.spec.priorityClassName) | del(.spec.template.spec.containers[0].securityContext.seccompProfile)' $target yq -i 'with(.spec.template.spec.containers[0].securityContext; .runAsUser = 65534)' $target - local target="${REPOROOT}/assets/components/csi-snapshot-controller/webhook_deployment.yaml" - yq -i '.metadata.namespace = "kube-system"' $target - yq -i '.spec.template.spec.containers[0].image = "{{ .ReleaseImage.csi_snapshot_validation_webhook }}"' $target - yq -i 'with(.spec.template.spec.containers[0].args; .[] |= sub("\${LOG_LEVEL}", "2") )' $target - yq -i 'del(.spec.template.spec.priorityClassName)' $target - yq -i 'with(.spec.template.spec.containers[0].securityContext; .runAsUser = 65534)' $target - - yq -i '.metadata.namespace = "kube-system"' "${REPOROOT}/assets/components/csi-snapshot-controller/webhook_service.yaml" - yq -i '.metadata.namespace = "kube-system"' "${REPOROOT}/assets/components/csi-snapshot-controller/webhook_serviceaccount.yaml" - - yq -i '.webhooks[0].clientConfig.service.namespace="kube-system"' "${REPOROOT}/assets/components/csi-snapshot-controller/webhook_config.yaml" - yq -i '.metadata.namespace = "kube-system"' "${REPOROOT}/assets/components/csi-snapshot-controller/serviceaccount.yaml" local target="${REPOROOT}/assets/components/csi-snapshot-controller/05_operand_rbac.yaml" diff --git a/test/suites/standard1/configuration.robot b/test/suites/standard1/configuration.robot index 2512fe806b..ddd48d0578 100644 --- a/test/suites/standard1/configuration.robot +++ b/test/suites/standard1/configuration.robot @@ -89,7 +89,7 @@ Deploy MicroShift With LVMS By Default [Documentation] Verify that LVMS and CSI snapshotting are deployed when config fields are null. [Setup] Deploy Storage Config ${LVMS_DEFAULT} LVMS Is Deployed - CSI Snapshot Controller And Webhook Are Deployed + CSI Snapshot Controller Is Deployed [Teardown] Run Keywords ... Remove Storage Drop In Config ... Restart MicroShift 
@@ -99,7 +99,7 @@ Deploy MicroShift Without LVMS ... components are still deployed. [Setup] Deploy Storage Config ${LVMS_DISABLED} - CSI Snapshot Controller And Webhook Are Deployed + CSI Snapshot Controller Is Deployed Run Keyword And Expect Error 1 != 0 ... LVMS Is Deployed [Teardown] Run Keywords @@ -112,7 +112,7 @@ Deploy MicroShift Without CSI Snapshotter LVMS Is Deployed Run Keyword And Expect Error 1 != 0 - ... CSI Snapshot Controller And Webhook Are Deployed + ... CSI Snapshot Controller Is Deployed [Teardown] Run Keywords ... Remove Storage Drop In Config @@ -228,7 +228,6 @@ LVMS Is Deployed Wait Until Resource Exists daemonset vg-manager openshift-storage 120s Named Daemonset Should Be Available vg-manager openshift-storage 120s -CSI Snapshot Controller And Webhook Are Deployed - [Documentation] Wait for CSI snapshot controller and webhook to be deployed +CSI Snapshot Controller Is Deployed + [Documentation] Wait for CSI snapshot controller to be deployed Named Deployment Should Be Available csi-snapshot-controller kube-system 120s - Named Deployment Should Be Available csi-snapshot-webhook kube-system 120s From db26897ecadadd5cf88290dc89bb814cd8d4d709 Mon Sep 17 00:00:00 2001 From: Patryk Matuszak Date: Fri, 20 Dec 2024 17:56:52 +0100 Subject: [PATCH 2/2] Fix Execute Command in greenboot.robot --- test/suites/greenboot/greenboot.robot | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/suites/greenboot/greenboot.robot b/test/suites/greenboot/greenboot.robot index 8522256663..c8ffdf9f22 100644 --- a/test/suites/greenboot/greenboot.robot +++ b/test/suites/greenboot/greenboot.robot @@ -105,7 +105,7 @@ Disrupt Service ${rc}= Execute Command ... chmod 000 ${HOSTNAME_BIN_PATH} - ... sudo=True return_rc=True + ... sudo=True return_rc=True return_stdout=False Should Be Equal As Integers 0 ${rc} Restore Service