feat: Add manila csi

magnum_cluster_api/clients.py

@@ -13,7 +13,40 @@
 # under the License.
 
 import pykube
-from magnum.common import clients
+from magnum.common import clients, exception
+from manilaclient.v2 import client as manilaclient
+
+
+class OpenStackClients(clients.OpenStackClients):
+    """Convenience class to create and cache client instances."""
+
+    def __init__(self, context):
+        super(OpenStackClients, self).__init__(context)
+        self._manila = None
+
+    @exception.wrap_keystone_exception
+    def manila(self):
+        if self._manila:
+            return self._manila
+        endpoint_type = self._get_client_option("manila", "endpoint_type")
+        region_name = self._get_client_option("manila", "region_name")
+        manilaclient_version = self._get_client_option("manila", "api_version")
+        endpoint = self.url_for(
+            service_type="sharev2", interface=endpoint_type, region_name=region_name
+        )
+        args = {
+            "cacert": self._get_client_option("manila", "ca_file"),
+            "insecure": self._get_client_option("manila", "insecure"),
+        }
+
+        session = self.keystone().session
+        self._manila = manilaclient.Client(
+            api_version=manilaclient_version,
+            session=session,
+            service_catalog_url=endpoint,
+            **args
+        )
+        return self._manila
 
 
 def get_pykube_api() -> pykube.HTTPClient:
@@ -22,3 +55,7 @@ def get_pykube_api() -> pykube.HTTPClient:
 
 def get_openstack_api(context) -> clients.OpenStackClients:
     return clients.OpenStackClients(context)
+
+
+def get_openstack_api(context) -> OpenStackClients:
+    return OpenStackClients(context)

magnum_cluster_api/conf.py

@@ -12,8 +12,16 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+from magnum.i18n import _
 from oslo_config import cfg
 
+auto_scaling_group = cfg.OptGroup(name="auto_scaling", title="Options for auto scaling")
+
+manila_client_group = cfg.OptGroup(
+    name="manila_client", title="Options for the Manila client"
+)
+
+
 auto_scaling_opts = [
     cfg.StrOpt(
         "image_repository",
@@ -47,5 +55,47 @@
     ),
 ]
 
+
+manila_client_opts = [
+    cfg.StrOpt(
+        "region_name",
+        help=_(
+            "Region in Identity service catalog to use for "
+            "communication with the OpenStack service."
+        ),
+    ),
+    cfg.StrOpt(
+        "endpoint_type",
+        default="publicURL",
+        help=_(
+            "Type of endpoint in Identity service catalog to use "
+            "for communication with the OpenStack service."
+        ),
+    ),
+    cfg.StrOpt(
+        "api_version",
+        default="3",
+        help=_("Version of Manila API to use in manilaclient."),
+    ),
+]
+
+common_security_opts = [
+    cfg.StrOpt("ca_file", help=_("Optional CA cert file to use in SSL connections.")),
+    cfg.StrOpt("cert_file", help=_("Optional PEM-formatted certificate chain file.")),
+    cfg.StrOpt(
+        "key_file",
+        help=_("Optional PEM-formatted file that contains the " "private key."),
+    ),
+    cfg.BoolOpt(
+        "insecure",
+        default=False,
+        help=_("If set, then the server's certificate will not " "be verified."),
+    ),
+]
+
 CONF = cfg.CONF
-CONF.register_opts(auto_scaling_opts, "auto_scaling")
+CONF.register_group(auto_scaling_group)
+CONF.register_group(manila_client_group)
+CONF.register_opts(auto_scaling_opts, group=auto_scaling_group)
+CONF.register_opts(manila_client_opts, group=manila_client_group)
+CONF.register_opts(manila_client_opts, group=common_security_opts)

magnum_cluster_api/manifests/manila-csi/csi-controllerplugin-rbac.yaml

@@ -0,0 +1,113 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+aggregationRule:
+  clusterRoleSelectors:
+    - matchLabels:
+        rbac.manila.csi.openstack.org/aggregate-to-openstack-manila-csi-controllerplugin: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin-rules
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+    rbac.manila.csi.openstack.org/aggregate-to-openstack-manila-csi-controllerplugin: "true"
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+subjects:
+  - kind: ServiceAccount
+    name: openstack-manila-csi-controllerplugin
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: openstack-manila-csi-controllerplugin
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+subjects:
+  - kind: ServiceAccount
+    name: openstack-manila-csi-controllerplugin
+    namespace: default
+roleRef:
+  kind: Role
+  name: openstack-manila-csi-controllerplugin
+  apiGroup: rbac.authorization.k8s.io

magnum_cluster_api/manifests/manila-csi/csi-controllerplugin.yaml

@@ -0,0 +1,128 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+spec:
+  selector:
+    app: openstack-manila-csi
+    component: controllerplugin
+  ports:
+    - name: dummy
+      port: 12345
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: openstack-manila-csi-controllerplugin
+  labels:
+    app: openstack-manila-csi
+    component: controllerplugin
+spec:
+  serviceName: openstack-manila-csi-controllerplugin
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openstack-manila-csi
+      component: controllerplugin
+  template:
+    metadata:
+      labels:
+        app: openstack-manila-csi
+        component: controllerplugin
+    spec:
+      serviceAccountName: openstack-manila-csi-controllerplugin
+      containers:
+        - name: provisioner
+          image: "registry.k8s.io/sig-storage/csi-provisioner:v3.0.0"
+          args:
+            - "--csi-address=$(ADDRESS)"
+            # To enable topology awareness in csi-provisioner, uncomment the following line:
+            # - "--feature-gates=Topology=true"
+          env:
+            - name: ADDRESS
+              value: "unix:///var/lib/kubelet/plugins/manila.csi.openstack.org/csi-controllerplugin.sock"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
+        - name: snapshotter
+          image: "registry.k8s.io/sig-storage/csi-snapshotter:v5.0.1"
+          args:
+            - "--csi-address=$(ADDRESS)"
+          env:
+            - name: ADDRESS
+              value: "unix:///var/lib/kubelet/plugins/manila.csi.openstack.org/csi-controllerplugin.sock"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
+        - name: resizer
+          image: "registry.k8s.io/sig-storage/csi-resizer:v1.3.0"
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--handle-volume-inuse-error=false"
+          env:
+            - name: ADDRESS
+              value: "unix:///var/lib/kubelet/plugins/manila.csi.openstack.org/csi-controllerplugin.sock"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
+        - name: nodeplugin
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: registry.k8s.io/provider-os/manila-csi-plugin:v1.27.0-alpha.0
+          command: ["/bin/sh", "-c",
+            '/bin/manila-csi-plugin
+            --nodeid=$(NODE_ID)
+            --endpoint=$(CSI_ENDPOINT)
+            --drivername=$(DRIVER_NAME)
+            --share-protocol-selector=$(MANILA_SHARE_PROTO)
+            --fwdendpoint=$(FWD_CSI_ENDPOINT)'
+            # To enable topology awareness and retrieve compute node AZs from the OpenStack Metadata Service, add the following flags:
+            # --with-topology
+            # --nodeaz=$(curl http://169.254.169.254/openstack/latest/meta_data.json | jq -r .availability_zone)
+            # Those flags need to be added to csi-nodeplugin.yaml as well.
+          ]
+          env:
+            - name: DRIVER_NAME
+              value: manila.csi.openstack.org
+            - name: NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: CSI_ENDPOINT
+              value: "unix:///var/lib/kubelet/plugins/manila.csi.openstack.org/csi-controllerplugin.sock"
+            - name: FWD_CSI_ENDPOINT
+              value: "unix:///var/lib/kubelet/plugins/csi-nfsplugin/csi.sock"
+            - name: MANILA_SHARE_PROTO
+              value: "NFS"
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
+            - name: fwd-plugin-dir
+              mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
+            - name: pod-mounts
+              mountPath: /var/lib/kubelet/pods
+              mountPropagation: Bidirectional
+      volumes:
+        - name: plugin-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins/manila.csi.openstack.org
+            type: DirectoryOrCreate
+        - name: fwd-plugin-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins/csi-nfsplugin
+            type: Directory
+        - name: pod-mounts
+          hostPath:
+            path: /var/lib/kubelet/pods
+            type: Directory
+