GA v1.4.0 merge develop to master branch (#117)

README.md

@@ -4,17 +4,15 @@ The Container Storage Interface (CSI) Driver for IBM block storage systems enabl
 This is the official operator to deploy and manage IBM block storage CSI driver.
 
 Supported container platforms (and architectures):
-  - OpenShift v4.3 (IBM Z and IBM PowerPC)
-  - OpenShift v4.4 (x86 and IBM Z)
-  - OpenShift v4.5 (x86)
-  - Kubernetes v1.17 (x86)
+  - OpenShift v4.4 (x86, IBM Z, and IBM PowerPC)
+  - OpenShift v4.5 (x86, IBM Z, and IBM PowerPC)
   - Kubernetes v1.18 (x86)
+  - Kubernetes v1.19 (x86)
 
 Supported IBM storage systems:
   - IBM Spectrum Virtualize Family including IBM SAN Volume Controller (SVC) and IBM FlashSystem® family members built with IBM Spectrum® Virtualize (FlashSystem 5010, 5030, 5100, 7200, 9100, 9200, 9200R)
-  - IBM FlashSystem A9000/R
-  - IBM DS8880
-  - IBM DS8900
+  - IBM FlashSystem A9000 and A9000R
+  - IBM DS8000 Family
 
 Supported operating systems (and architectures):
   - RHEL 7.x (x86)
@@ -41,9 +39,12 @@ yum -y install iscsi-initiator-utils   # Only if iSCSI connectivity is required
 yum -y install xfsprogs                # Only if XFS file system is required
 ```
 
-#### 2. Configure Linux multipath devices on the host, using one of the following procedures.
+#### 2. Configure Linux® multipath devices on the host.
 
-##### 2.1 Configuring for OpenShift Container Platform users (RHEL and RHCOS)
+**Important:** Be sure to configure each worker with storage connectivity according to your storage system instructions. 
+For more information, find your storage system documentation on [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter).
+
+##### 2.1 Additional configuration steps for OpenShift® Container Platform users (RHEL and RHCOS). Other users can continue to step 3.
 
 The following yaml file example is for both Fibre Channel and iSCSI configurations. To support iSCSI, uncomment the last two lines in the file:
 
@@ -120,43 +121,118 @@ Apply the yaml file.
 oc apply -f 99-ibm-attach.yaml
 ```
 
-RHEL users should verify that the `systemctl status multipathd` output indicates that the multipath status is active and error-free.
+#### 3. If needed, enable support for volume snapshots (FlashCopy® function) on your Kubernetes cluster.
+For more information and instructions, see the Kubernetes blog post, [Kubernetes 1.17 Feature: Kubernetes Volume Snapshot Moves to Beta](https://kubernetes.io/blog/2019/12/09/kubernetes-1-17-feature-cis-volume-snapshot-beta/).
 
-```bash
-yum install device-mapper-multipath
-modprobe dm-multipath
-systemctl enable multipathd
-systemctl start multipathd
-systemctl status multipathd
-multipath -ll
-```
 
-##### 2.2 Configuring for Kubernetes users (RHEL)
-Create and set the relevant storage system parameters in the `/etc/multipath.conf` file. You can also use the default `multipath.conf` file, located in the `/usr/share/doc/device-mapper-multipath-*` directory.
+#### 4. Configure storage system connectivity
+##### 4.1. Define the hostname of each Kubernetes node on the relevant storage systems with the valid WWPN (for Fibre Channel) or IQN (for iSCSI) of the node.
 
-Verify that the `systemctl status multipathd` output indicates that the multipath status is active and error-free.
+##### 4.2. For Fibre Channel, configure the relevant zoning from the storage to the host.
 
-```bash
-yum install device-mapper-multipath
-modprobe dm-multipath
-systemctl enable multipathd
-systemctl start multipathd
-systemctl status multipathd
-multipath -ll
-```
+<br/>
+<br/>
+<br/>
 
-#### 3. Configure storage system connectivity
-3.1. Define the hostname of each Kubernetes node on the relevant storage systems with the valid WWPN (for Fibre Channel) or IQN (for iSCSI) of the node.
+## Installation
 
-3.2. For Fibre Channel, configure the relevant zoning from the storage to the host.
+# SecurityContextConstraints Requirements
 
+The operator uses the restricted and privileged SCC for deployments. 
 
-<br/>
-<br/>
-<br/>
+### Custom SecurityContextConstraints definition:
 
+<details>
+  <summary>ibm-block-csi-anyuid</summary>
 
-## Installation
+```yaml
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: anyuid provides all features of the restricted SCC
+      but allows users to run with any UID and any GID.
+  name: ibm-block-csi-anyuid
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups:
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:ibm-block-csi:ibm-block-csi-operator
+- system:serviceaccount:ibm-block-csi:ibm-block-csi-controller-sa
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- projected
+- secret
+```
+</details>
+
+<details>
+  <summary>ibm-block-csi-privileged</summary>
+
+```yaml
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: 'privileged allows access to all privileged and host
+      features and the ability to run as any user, any group, any fsGroup, and with
+      any SELinux context.  WARNING: this is the most relaxed SCC and should be used
+      only for cluster administration. Grant with caution.'
+  name: ibm-block-csi-privileged
+allowHostDirVolumePlugin: true
+allowHostIPC: true
+allowHostNetwork: true
+allowHostPID: true
+allowHostPorts: true
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: true
+allowedCapabilities:
+- '*'
+allowedUnsafeSysctls:
+- '*'
+defaultAddCapabilities: null
+fsGroup:
+  type: RunAsAny
+groups:
+priority: null
+readOnlyRootFilesystem: false
+requiredDropCapabilities: null
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: RunAsAny
+seccompProfiles:
+- '*'
+supplementalGroups:
+  type: RunAsAny
+users:
+- system:serviceaccount:ibm-block-csi:ibm-block-csi-node-sa
+volumes:
+- '*'
+```
+</details>
 
 ### Install the operator
 
@@ -212,7 +288,7 @@ $ kubectl -n <namespace> apply -f csi.ibm.com_v1_ibmblockcsi_cr.yaml
 ```bash
 $ kubectl get all -n <namespace>  -l csi
 NAME                             READY   STATUS    RESTARTS   AGE
-pod/ibm-block-csi-controller-0   5/5     Running   0          9m36s
+pod/ibm-block-csi-controller-0   6/6     Running   0          9m36s
 pod/ibm-block-csi-node-jvmvh     3/3     Running   0          9m36s
 pod/ibm-block-csi-node-tsppw     3/3     Running   0          9m36s
 
@@ -273,11 +349,12 @@ Use the `SpaceEfficiency` parameters for each storage system. These values are n
 	* Always includes deduplication and compression.
 	No need to specify during configuration.
 * IBM Spectrum Virtualize Family
+	* `thick` (default value, if not specified)
 	* `thin`
 	* `compressed`
 	* `deduplicated`
 * IBM DS8000 Family
-	* `standard` (default value, if not specified)
+	* `none` (default value, if not specified)
 	* `thin`
 
 ```
@@ -294,9 +371,12 @@ parameters:
   csi.storage.k8s.io/provisioner-secret-namespace: <ARRAY_SECRET_NAMESPACE>
   csi.storage.k8s.io/controller-publish-secret-name: <ARRAY_SECRET>
   csi.storage.k8s.io/controller-publish-secret-namespace: <ARRAY_SECRET_NAMESPACE>
+  csi.storage.k8s.io/controller-expand-secret-name: <ARRAY_SECRET>
+  csi.storage.k8s.io/controller-expand-secret-namespace: <ARRAY_SECRET_NAMESPACE>
 
   csi.storage.k8s.io/fstype: xfs    # Optional: Values ext4/xfs. The default is ext4.
   volume_name_prefix: <prefix_name> # Optional: DS8000 Family maximum prefix length is 5 characters. Maximum prefix length for other systems is 20 characters.
+allowVolumeExpansion: true
 ```
 
 #### 3. Apply the storage class:

build/Dockerfile.nodeagent

@@ -2,7 +2,7 @@ FROM golang:1.13.1
 
 WORKDIR /go/src/github.com/IBM/ibm-block-csi-operator/
 COPY . .
-RUN CGO_ENABLED=1 GOOS=linux go build -o ibm-node-agent -gcflags all=-trimpath=${GOPATH} -asmflags all=-trimpath=${GOPATH} cmd/node/main.go
+RUN CGO_ENABLED=1 GOOS=linux go build -mod vendor -o ibm-node-agent -gcflags all=-trimpath=${GOPATH} -asmflags all=-trimpath=${GOPATH} cmd/node/main.go
 
 
 FROM registry.access.redhat.com/ubi7/ubi:7.6-177

build/Dockerfile.operator

@@ -24,10 +24,10 @@ RUN CGO_ENABLED=1 GOOS=linux go build \
 	github.com/IBM/ibm-block-csi-operator/cmd/manager
 
 
-FROM registry.access.redhat.com/ubi7/ubi-minimal:7.8-237
+FROM registry.access.redhat.com/ubi7/ubi-minimal:7.9-224
 MAINTAINER IBM Storage
 
-ARG VERSION=1.3.0
+ARG VERSION=1.4.0
 ARG BUILD_NUMBER=0
 
 ###Required Labels

build/ci/jenkins_pipeline_build

@@ -1,4 +1,10 @@
 pipeline {
+    environment {
+        registryCredentialsID = 'csi_w3_user'
+    }
+    options {
+        ansiColor('xterm')
+    }
     agent {
         label "${env.AGENT_LABEL}"
     }
@@ -16,7 +22,12 @@ pipeline {
         }
         stage ('Build and push images') {
             steps {
-                sh './build/ci/build_push_image.sh build/_output/reports/images_url'
+                script {
+                    registryUrl = "https://${DOCKER_REGISTRY}"
+                    docker.withRegistry(registryUrl, registryCredentialsID) {
+                        sh './build/ci/build_push_image.sh build/_output/reports/images_url'
+                    }
+                }
             }
         }
     }

deploy/crds/csi.ibm.com_configs_crd.yaml

@@ -2,6 +2,10 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: configs.csi.ibm.com
+  labels:
+    app.kubernetes.io/name: configs
+    app.kubernetes.io/instance: configs
+    app.kubernetes.io/managed-by: ibm-block-csi-operator
 spec:
   group: csi.ibm.com
   names:

deploy/crds/csi.ibm.com_ibmblockcsis_crd.yaml

@@ -2,6 +2,13 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: ibmblockcsis.csi.ibm.com
+  labels:
+    app.kubernetes.io/name: ibmblockcsis
+    app.kubernetes.io/instance: ibmblockcsis
+    app.kubernetes.io/managed-by: ibm-block-csi-operator
+    product: ibm-block-csi-driver
+    release: v1.4.0
+    csi: ibm
 spec:
   group: csi.ibm.com
   names:
@@ -33,6 +40,13 @@ spec:
         spec:
           description: IBMBlockCSISpec defines the desired state of IBMBlockCSI
           properties:
+            license:
+              properties:
+                accept:
+                  type: boolean
+              required:
+              - accept
+              type: object
             controller:
               description: IBMBlockCSIControllerSpec defines the desired state of
                 IBMBlockCSIController
@@ -1368,7 +1382,7 @@ spec:
           required:
           - controller
           - node
-          type: object
+        type: object
         status:
           description: IBMBlockCSIStatus defines the observed state of IBMBlockCSI
           properties:

deploy/crds/csi.ibm.com_nodeinfos_crd.yaml

@@ -2,6 +2,10 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   name: nodeinfos.csi.ibm.com
+  labels:
+    app.kubernetes.io/name: nodeinfos
+    app.kubernetes.io/instance: nodeinfos
+    app.kubernetes.io/managed-by: ibm-block-csi-operator
 spec:
   group: csi.ibm.com
   names: