Merge branch 'kubernetes-sigs:master' into feature/block-volume-encry…

…ption

manifests/supervisorcluster/1.28/cns-csi.yaml

@@ -237,7 +237,7 @@ spec:
       priorityClassName: system-node-critical
       containers:
         - name: csi-provisioner
-          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.4
+          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.5
           args:
             - "--v=4"
             - "--timeout=300s"

manifests/supervisorcluster/1.29/cns-csi.yaml

@@ -264,7 +264,7 @@ spec:
       priorityClassName: system-node-critical
       containers:
         - name: csi-provisioner
-          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.4
+          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.5
           args:
             - "--v=4"
             - "--timeout=300s"

manifests/supervisorcluster/1.30/cns-csi.yaml

@@ -264,7 +264,7 @@ spec:
       priorityClassName: system-node-critical
       containers:
         - name: csi-provisioner
-          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.4
+          image: localhost:5000/vmware/csi-provisioner/csi-provisioner:v5.0.2_vmware.5
           args:
             - "--v=4"
             - "--timeout=300s"

pkg/common/unittestcommon/utils.go

@@ -75,7 +75,8 @@ func GetFakeContainerOrchestratorInterface(orchestratorType int) (commonco.COCom
 				"storage-quota-m2":                  "false",
 				"workload-domain-isolation":         "true",
 				// Adding FSS from `wcp-cluster-capabilities` configmap in supervisor here for simplicity.
-				"Workload_Domain_Isolation_Supported": "true",
+				// TODO: Enable FSS for unit tests after mockControllerVolumeTopology interfaces are implemented
+				"Workload_Domain_Isolation_Supported": "false",
 			},
 		}
 		return fakeCO, nil

pkg/csi/service/common/commonco/k8sorchestrator/k8sorchestrator.go

@@ -1155,8 +1155,39 @@ func (c *K8sOrchestrator) IsFSSEnabled(ctx context.Context, featureName string)
 				}
 				log.Debugf("Supervisor feature state %q in WCP cluster capabilities is set to %t", featureName,
 					supervisorFeatureState)
+
+				if !supervisorFeatureState {
+					// if capability can be enabled after upgrading CSI, we need to fetch config again and confirm FSS
+					// is still disabled, or it got enabled
+					// WCPFeatureStatesSupportsLateEnablement contains capabilities which can be enabled later after
+					// CSI is upgraded and up and running
+					if _, exists = common.WCPFeatureStatesSupportsLateEnablement[featureName]; exists {
+						wcpCapabilityConfigMap, err := c.k8sClient.CoreV1().ConfigMaps(common.KubeSystemNamespace).Get(ctx,
+							common.WCPCapabilityConfigMapName, metav1.GetOptions{})
+						if err != nil {
+							log.Errorf("failed to fetch WCP FSS configmap %q/%q. Setting the feature state "+
+								"to false. Error: %+v", common.KubeSystemNamespace, common.WCPCapabilityConfigMapName, err)
+							return false
+						}
+						wcpCapabilityFssMap = wcpCapabilityConfigMap.Data
+						log.Infof("WCP cluster capabilities map - %+v", wcpCapabilityFssMap)
+
+						if fssVal, exists := wcpCapabilityFssMap[featureName]; exists {
+							supervisorFeatureState, err = strconv.ParseBool(fssVal)
+							if err != nil {
+								log.Errorf("Error while converting %q feature state with value: %q in "+
+									"%q/%q configmap to boolean. Setting the feature state to false. Error: %+v", featureName,
+									fssVal, common.KubeSystemNamespace, common.WCPCapabilityConfigMapName, err)
+								return false
+							}
+							log.Debugf("Supervisor feature state %q in WCP cluster capabilities is set to %t", featureName,
+								supervisorFeatureState)
+						}
+					}
+				}
 				return supervisorFeatureState
 			}
+			return false
 		}
 
 		// Check SV FSS map.

pkg/csi/service/common/constants.go

@@ -441,3 +441,11 @@ var WCPFeatureStates = map[string]struct{}{
 	WorkloadDomainIsolation:    {},
 	VPCCapabilitySupervisor:    {},
 }
+
+// WCPFeatureStatesSupportsLateEnablement contains capabilities that can be enabled later
+// after CSI upgrade
+// During FSS check if driver detects that the capabilities is disabled in the cached configmap,
+// it will re-fetch the configmap and update the cached configmap.
+var WCPFeatureStatesSupportsLateEnablement = map[string]struct{}{
+	WorkloadDomainIsolation: {},
+}

pkg/csi/service/wcp/controller.go

@@ -429,7 +429,8 @@ func (c *controller) ReloadConfiguration(reconnectToVCFromNewConfig bool) error
 }
 
 // createBlockVolume creates a block volume based on the CreateVolumeRequest.
-func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolumeRequest) (
+func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolumeRequest,
+	isWorkloadDomainIsolationEnabled bool) (
 	*csi.CreateVolumeResponse, string, error) {
 	log := logger.GetLogger(ctx)
 	var (
@@ -449,9 +450,7 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 		zoneLabelPresent     bool
 		err                  error
 	)
-
 	isVdppOnStretchedSVEnabled := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.VdppOnStretchedSupervisor)
-
 	// Support case insensitive parameters.
 	for paramName := range req.Parameters {
 		param := strings.ToLower(paramName)
@@ -521,7 +520,7 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 					"support for topology requirement with both zone and hostname labels is not yet implemented.")
 			}
 		} else if zoneLabelPresent {
-			if !commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WorkloadDomainIsolation) {
+			if !isWorkloadDomainIsolationEnabled {
 				if storageTopologyType == "" {
 					return nil, csifault.CSIInvalidArgumentFault, logger.LogNewErrorCode(log, codes.InvalidArgument,
 						"StorageTopologyType is unset while topology label is present")
@@ -548,12 +547,14 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 			log.Infof("Host Local volume provisioning with requirement: %+v", topologyRequirement)
 		} else {
 			// No topology labels present in the topologyRequirement
-			if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WorkloadDomainIsolation) &&
-				isVdppOnStretchedSVEnabled {
+			if isWorkloadDomainIsolationEnabled {
+				return nil, csifault.CSIInternalFault, logger.LogNewErrorCode(log, codes.Internal,
+					"volume provisioning request received without topologyRequirement.")
+			}
+			if isVdppOnStretchedSVEnabled {
 				return nil, csifault.CSIInternalFault, logger.LogNewErrorCode(log, codes.Internal,
 					"volume provisioning request received without topologyRequirement.")
 			}
-
 			if len(clusterComputeResourceMoIds) > 1 {
 				return nil, csifault.CSIInternalFault, logger.LogNewErrorCodef(log, codes.FailedPrecondition,
 					"stretched supervisor cluster does not support creating volumes "+
@@ -896,7 +897,8 @@ func (c *controller) createBlockVolume(ctx context.Context, req *csi.CreateVolum
 }
 
 // createFileVolume creates a file volume based on the CreateVolumeRequest.
-func (c *controller) createFileVolume(ctx context.Context, req *csi.CreateVolumeRequest) (
+func (c *controller) createFileVolume(ctx context.Context, req *csi.CreateVolumeRequest,
+	isWorkloadDomainIsolationEnabled bool) (
 	*csi.CreateVolumeResponse, string, error) {
 	log := logger.GetLogger(ctx)
 	var (
@@ -935,8 +937,6 @@ func (c *controller) createFileVolume(ctx context.Context, req *csi.CreateVolume
 
 	filterSuspendedDatastores := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.CnsMgrSuspendCreateVolume)
 	isTKGSHAEnabled := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.TKGsHA)
-	isWorkloadDomainIsolationSupported := commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx,
-		common.WorkloadDomainIsolation)
 	topoSegToDatastoresMap := make(map[string][]*cnsvsphere.DatastoreInfo)
 
 	vc, err := c.manager.VcenterManager.GetVirtualCenter(ctx, c.manager.VcenterConfig.Host)
@@ -947,7 +947,7 @@ func (c *controller) createFileVolume(ctx context.Context, req *csi.CreateVolume
 
 	// If FSS Workload_Domain_Isolation_Supported is enabled, find the shared datastores associated with
 	// topology requirements provided in the request if any and pass those to CNS for further processing.
-	if isWorkloadDomainIsolationSupported {
+	if isWorkloadDomainIsolationEnabled {
 		// Check if topology requirements are specified in the request and accordingly filter the vSAN datastores
 		// to be sent to CNS for volume provisioning.
 		hostnameLabelPresent, zoneLabelPresent = checkTopologyKeysFromAccessibilityReqs(req.GetAccessibilityRequirements())
@@ -1090,7 +1090,7 @@ func (c *controller) createFileVolume(ctx context.Context, req *csi.CreateVolume
 	}
 
 	// Calculate accessible topology for the provisioned volume in case of topology aware environment.
-	if isWorkloadDomainIsolationSupported {
+	if isWorkloadDomainIsolationEnabled {
 		if zoneLabelPresent {
 			// Note: with Workload domain isolation feature enabled, volumeInfo will always
 			// 			return URL of the datastore that volume is allocated on.
@@ -1162,6 +1162,8 @@ func (c *controller) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequ
 	createVolumeInternal := func() (
 		*csi.CreateVolumeResponse, string, error) {
 		log.Infof("CreateVolume: called with args %+v", *req)
+		isWorkloadDomainIsolationEnabled := commonco.ContainerOrchestratorUtility.
+			IsFSSEnabled(ctx, common.WorkloadDomainIsolation)
 		// TODO: If the err is returned by invoking CNS API, then faultType should be
 		// populated by the underlying layer.
 		// If the request failed due to validate the request, "csi.fault.InvalidArgument" will be return.
@@ -1190,7 +1192,7 @@ func (c *controller) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequ
 			}
 			// Block file volume provisioning if FSS Workload_Domain_Isolation_Supported is enabled but
 			// 'fileVolumeActivated' field is set to false in vSphere config secret.
-			if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WorkloadDomainIsolation) &&
+			if isWorkloadDomainIsolationEnabled &&
 				!c.manager.VcenterConfig.FileVolumeActivated {
 				return nil, csifault.CSIUnimplementedFault, logger.LogNewErrorCode(log, codes.Unimplemented,
 					"file services are disabled on supervisor cluster")
@@ -1200,14 +1202,14 @@ func (c *controller) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequ
 			// with multiple vSphere clusters.
 			if commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.TKGsHA) {
 				if len(clusterComputeResourceMoIds) > 1 &&
-					!commonco.ContainerOrchestratorUtility.IsFSSEnabled(ctx, common.WorkloadDomainIsolation) {
+					!isWorkloadDomainIsolationEnabled {
 					return nil, csifault.CSIUnimplementedFault, logger.LogNewErrorCode(log, codes.Unimplemented,
 						"file volume provisioning is not supported on a stretched supervisor cluster")
 				}
 			}
-			return c.createFileVolume(ctx, req)
+			return c.createFileVolume(ctx, req, isWorkloadDomainIsolationEnabled)
 		}
-		return c.createBlockVolume(ctx, req)
+		return c.createBlockVolume(ctx, req, isWorkloadDomainIsolationEnabled)
 	}
 	resp, faultType, err := createVolumeInternal()
 	log.Debugf("createVolumeInternal: returns fault %q", faultType)

pkg/csi/service/wcp/controller_test.go

@@ -259,16 +259,20 @@ func TestWCPCreateVolumeWithStoragePolicy(t *testing.T) {
 // but not storage topology type. It is a negative case.
 func TestWCPCreateVolumeWithZonalLabelPresentButNoStorageTopoType(t *testing.T) {
 	ct := getControllerTest(t)
-	err := commonco.ContainerOrchestratorUtility.DisableFSS(ctx, "Workload_Domain_Isolation_Supported")
-	if err != nil {
-		t.Fatal("failed to disable Workload_Domain_Isolation_Supported FSS")
-	}
-	defer func() {
-		err := commonco.ContainerOrchestratorUtility.EnableFSS(ctx, "Workload_Domain_Isolation_Supported")
+	// TODO: Add following code back when FSS for Workload_Domain_Isolation_Supported is enabled for unit tests
+	/*
+		err := commonco.ContainerOrchestratorUtility.DisableFSS(ctx, "Workload_Domain_Isolation_Supported")
 		if err != nil {
-			t.Fatal("failed to enable Workload_Domain_Isolation_Supported FSS back to true")
+			t.Fatal("failed to disable Workload_Domain_Isolation_Supported FSS")
 		}
-	}()
+		defer func() {
+			err := commonco.ContainerOrchestratorUtility.EnableFSS(ctx, "Workload_Domain_Isolation_Supported")
+			if err != nil {
+				t.Fatal("failed to enable Workload_Domain_Isolation_Supported FSS back to true")
+			}
+		}()
+	*/
+
 	// Create.
 	params := make(map[string]string)
 
@@ -365,7 +369,16 @@ func TestWCPCreateVolumeWithZonalLabelPresentButNoStorageTopoType(t *testing.T)
 // default value of FileVolumeActivated as "true".
 func TestWCPCreateVolumeWithoutZoneLabelPresentForFileVolume(t *testing.T) {
 	ct := getControllerTest(t)
-
+	err := commonco.ContainerOrchestratorUtility.EnableFSS(ctx, "Workload_Domain_Isolation_Supported")
+	if err != nil {
+		t.Fatal("failed to enable Workload_Domain_Isolation_Supported FSS")
+	}
+	defer func() {
+		err := commonco.ContainerOrchestratorUtility.DisableFSS(ctx, "Workload_Domain_Isolation_Supported")
+		if err != nil {
+			t.Fatal("failed to disable Workload_Domain_Isolation_Supported FSS")
+		}
+	}()
 	// Create.
 	params := make(map[string]string)
 
@@ -456,7 +469,16 @@ func TestWCPCreateVolumeWithoutZoneLabelPresentForFileVolume(t *testing.T) {
 // default value of FileVolumeActivated as "true".
 func TestWCPCreateVolumeWithHostLabelPresentForFileVolume(t *testing.T) {
 	ct := getControllerTest(t)
-
+	err := commonco.ContainerOrchestratorUtility.EnableFSS(ctx, "Workload_Domain_Isolation_Supported")
+	if err != nil {
+		t.Fatal("failed to enable Workload_Domain_Isolation_Supported FSS")
+	}
+	defer func() {
+		err := commonco.ContainerOrchestratorUtility.DisableFSS(ctx, "Workload_Domain_Isolation_Supported")
+		if err != nil {
+			t.Fatal("failed to disable Workload_Domain_Isolation_Supported FSS")
+		}
+	}()
 	// Create.
 	params := make(map[string]string)