distributed provisioning

By putting external-provisioner onto each node and letting it
provision volumes directly on the node, we can remove the
controller/node communication part in PMEM-CSI. This solves various
issues in that part (race conditions that led to volume leaks) and
simplifies the deployment (no need for two-way TLS certificates
anymore).

The webhooks check for capacity by discovering the PMEM-CSI node pods
and retrieving metrics data from them via the normal metrics support.

The combination of node drivers from 0.8 with a controller from 0.9 is
harmless (no volume leaked) but can no longer create new
volumes. Existing volumes on the nodes are still usable.

Combining a controller from 0.8 with node drivers from 0.9 is more
problematic because the old controller will cause volume leaks when
volumes are deleted (intel#733).
If this is a problem, then the old StatefulSet can be deleted manually
before upgrading.
pohly committed Dec 18, 2020
1 parent 480cfde commit 351f850
Showing 94 changed files with 5,030 additions and 6,723 deletions.
5 changes: 1 addition & 4 deletions Makefile
Expand Up @@ -185,9 +185,6 @@ KUSTOMIZE += deploy/common/pmem-storageclass-late-binding.yaml=deploy/kustomize/
KUSTOMIZE += deploy/operator/pmem-csi-operator.yaml=deploy/kustomize/operator
KUSTOMIZE += deploy/operator/pmem-csi-operator-webhook.yaml=deploy/kustomize/operator-webhook

# Special one-off deployment with device mode = fake.
KUSTOMIZE += deploy/kubernetes-1.19/pmem-csi-fake.yaml=deploy/kustomize/kubernetes-base-fake

KUSTOMIZE_OUTPUT := $(foreach item,$(KUSTOMIZE),$(firstword $(subst =, ,$(item))))

# This function takes the name of a .yaml output file and returns the
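Review bot: The commit message does not explain why the fake-device deployment goes away; the removed `KUSTOMIZE += deploy/kubernetes-1.19/pmem-csi-fake.yaml=deploy/kustomize/kubernetes-base-fake` entry and its "device mode = fake" comment are dropped with no replacement visible in this hunk. Please say in the message whether fake mode is being retired or moved elsewhere, and confirm that the `deploy/kustomize/kubernetes-base-fake` input and the generated YAML are deleted in the same commit so no stale manifest stays under `deploy/`.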
Expand All @@ -205,7 +202,7 @@ $(KUSTOMIZE_OUTPUT): _work/kustomize $(KUSTOMIZE_INPUT)
mkdir -p ${@D}
$(call KUSTOMIZE_INVOCATION,$<,$@) >$@
if echo "$@" | grep '/pmem-csi-' | grep -qv '\-operator'; then \
dir=$$(echo "$@" | tr - / | sed -e 's;kubernetes/;kubernetes-;' -e 's;/alpha/;-alpha/;' -e 's/.yaml//' -e 's;/pmem/csi/;/;') && \
dir=$$(echo "$@" | tr - / | sed -e 's;kubernetes/;kubernetes-;' -e 's;/alpha/;-alpha/;' -e 's;/distributed/;-distributed/;' -e 's/.yaml//' -e 's;/pmem/csi/;/;') && \
mkdir -p $$dir && \
cp $@ $$dir/pmem-csi.yaml && \
echo 'resources: [ pmem-csi.yaml ]' > $$dir/kustomization.yaml; \
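Review bot: In the replaced `dir=` line, the new `-e 's;/distributed/;-distributed/;'` is a third special case that undoes the preceding `tr - /`, so every future hyphenated path component needs another expression or `mkdir -p $$dir` and `cp` will quietly write to the wrong directory. Consider computing `$$dir` without translating hyphens at all. While the line is being touched, `'s/.yaml//'` should be escaped and anchored (`'s/\.yaml$$//'`), because the bare `.` matches any character.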
57 changes: 16 additions & 41 deletions deploy/bindata_generated.go

Large diffs are not rendered by default.

29 changes: 0 additions & 29 deletions deploy/crd/pmem-csi.intel.com_deployments.yaml
Expand Up @@ -288,12 +288,6 @@ spec:
spec:
description: DeploymentSpec defines the desired state of Deployment
properties:
caCert:
description: CACert encoded root certificate of the CA by which the
registry and node controller certificates are signed If not provided
operator uses a self-signed CA certificate
format: byte
type: string
controllerDriverResources:
description: ControllerDriverResources Compute resources required
by driver container running on master node
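Review bot: Removing `caCert` from the `spec` properties changes the Deployment API schema, but the commit message only covers mixing 0.8 and 0.9 controllers and node drivers. Please document what happens to an existing Deployment object that sets `caCert` when this CRD is applied (rejected, pruned or ignored), ideally backed by an upgrade test.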
Expand Down Expand Up @@ -351,18 +345,6 @@ spec:
logLevel:
description: LogLevel number for the log verbosity
type: integer
nodeControllerCert:
description: NodeControllerCert encoded certificate signed by a CA
for node controller server authentication If not provided, provisioned
one by the operator using self-signed CA
format: byte
type: string
nodeControllerKey:
description: NodeControllerPrivateKey encoded private key used for
node controller server certificate If not provided, provisioned
one by the operator
format: byte
type: string
nodeDriverResources:
description: NodeDriverResources Compute resources required by driver
container running on worker nodes
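Review bot: The removed `nodeControllerCert` and `nodeControllerKey` descriptions state that the operator provisioned these itself when they were not provided, so a cluster upgraded from an older operator may still hold that certificate and private key. Please confirm that the operator deletes the TLS material it previously provisioned, or add a manual cleanup step to the upgrade notes, so unused private keys do not linger in the cluster.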
Expand Down Expand Up @@ -465,17 +447,6 @@ spec:
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
registryCert:
description: RegistryCert encoded certificate signed by a CA for registry
server authentication If not provided, provisioned one by the operator
using self-signed CA
format: byte
type: string
registryKey:
description: RegistryPrivateKey encoded private key used for registry
server certificate If not provided, provisioned one by the operator
format: byte
type: string
type: object
status:
description: DeploymentStatus defines the observed state of Deployment
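Review bot: `registryKey` carried a private key inline in the Deployment spec, and removing the field from the schema does not by itself rewrite objects that were stored with it set. The upgrade notes should tell users who supplied their own `registryCert` and `registryKey` to clear those fields and retire the key, now that the commit message says two-way TLS certificates are no longer needed.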
20 changes: 0 additions & 20 deletions deploy/crd/pmem-csi.intel.com_deployments_webhook.yaml
Expand Up @@ -261,10 +261,6 @@ spec:
spec:
description: DeploymentSpec defines the desired state of Deployment
properties:
caCert:
description: CACert encoded root certificate of the CA by which the registry and node controller certificates are signed If not provided operator uses a self-signed CA certificate
format: byte
type: string
controllerDriverResources:
description: ControllerDriverResources Compute resources required by driver container running on master node
properties:
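Review bot: Please confirm that this file and `deploy/crd/pmem-csi.intel.com_deployments.yaml` were regenerated from the same source rather than edited by hand: the `caCert` removal in this hunk, and the `nodeControllerCert`/`nodeControllerKey` and `registryCert`/`registryKey` removals in the hunks below, mirror that file with only the line wrapping of the descriptions differing. A CI check that fails when the two schemas diverge would keep them in step.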
Expand Down Expand Up @@ -316,14 +312,6 @@ spec:
logLevel:
description: LogLevel number for the log verbosity
type: integer
nodeControllerCert:
description: NodeControllerCert encoded certificate signed by a CA for node controller server authentication If not provided, provisioned one by the operator using self-signed CA
format: byte
type: string
nodeControllerKey:
description: NodeControllerPrivateKey encoded private key used for node controller server certificate If not provided, provisioned one by the operator
format: byte
type: string
nodeDriverResources:
description: NodeDriverResources Compute resources required by driver container running on worker nodes
properties:
Expand Down Expand Up @@ -406,14 +394,6 @@ spec:
description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
type: object
type: object
registryCert:
description: RegistryCert encoded certificate signed by a CA for registry server authentication If not provided, provisioned one by the operator using self-signed CA
format: byte
type: string
registryKey:
description: RegistryPrivateKey encoded private key used for registry server certificate If not provided, provisioned one by the operator
format: byte
type: string
type: object
status:
description: DeploymentStatus defines the observed state of Deployment