Do not use beta API for hyperdisk in multi-writer mode.

CHANGELOG/CHANGELOG-1.12.md

@@ -1,3 +1,45 @@
+# v1.12.13 - Changelog since v1.12.11
+
+## Changes by Kind
+
+### Bug
+- Update Go version and dependencies to fix CVE-2024-24790,CVE-2024-24789 by @Sneha-at in #1851
+
+# v1.12.12 - Changelog since v1.12.11
+
+## Changes by Kind
+
+### Bug
+- Automated cherry pick of #1658: Add support for checking if a device is being used by a filesystem by @pwschuurman in #1845
+
+
+# v1.12.11 - Changelog since v1.12.10
+
+## Changes by Kind
+
+### Bug
+- [release-1.12] Update debian image from bullseye to bookworm to fix CVEs by @k8s-infra-cherrypick-robot in #1735
+- Reverting the Dockerfile debian image from bookworm to bullseye due to regression by @Sneha-at in #1774
+- [release-1.12] Return Unavailable for 'connection reset by peer' errors by @k8s-infra-cherrypick-robot in #1813
+- Automated cherry pick of #1708: Properly unwrap gce-compute error code. by @hime in #1840
+
+# v1.12.10 - Changelog since v1.12.9
+
+## Changes by Kind
+
+### Bug
+- Fix CVE-2023-45288 by @dannawang0221 in #1682
+
+
+# v1.12.9 - Changelog since v1.12.8
+
+## Changes by Kind
+
+### Bug
+
+- Change GetDisk error reporting to temporary in CreateVolume codepath ([#1600])https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/pull/1600), [@k8s-infra-cherrypick-robot](https://github.com/k8s-infra-cherrypick-robot))
+- [release-1.12] Fix nvme path filtering logic for udevadm trigger by @k8s-infra-cherrypick-robot in #1647
+
 # v1.12.8 - Changelog since v1.12.7
 
 ## Changes by Kind

CHANGELOG/CHANGELOG-1.13.md

@@ -1,3 +1,46 @@
+# v1.13.8 - Changelog since v1.13.7
+
+## Changes by Kind
+
+### Uncategorized
+
+- [release-1.13] Properly unwrap gce-compute error code. by @hime in #1839
+
+
+# v1.13.7 - Changelog since v1.13.6
+
+## Changes by Kind
+
+### Uncategorized
+
+- [release-1.13] Reassign error returned from validateStoragePools so InvalidArgument is recorded by @k8s-infra-cherrypick-robot in #1721
+- [release-1.13] Return Unavailable for 'connection reset by peer' errors by @k8s-infra-cherrypick-robot in #1724
+- [release-1.13] Update debian image from bullseye to bookworm to fix CVEs by @k8s-infra-cherrypick-robot in #1734
+- Reverting the Dockerfile debian image from bookworm to bullseye due to regression by @Sneha-at in #1775
+- Automated cherry pick of #1658: Add support for checking if a device is being used by a by @pwschuurman in #1805
+
+
+# v1.13.6 - Changelog since v1.13.5
+
+## Changes by Kind
+
+### Uncategorized
+
+- Automated cherry pick of #1666: migrate hyperdisk/chd/storagepools to GCE v1 disk API
+#1667: remove support for GCE Alpha Disks by @amacaskill in #1669
+- [release-1.13] Record original error code to operation_errors metric for temporary errors by @k8s-infra-cherrypick-robot in #1672
+- [release-1.13] Remove short variable declaration from validateStoragePools by @k8s-infra-cherrypick-robot in #1674
+- Fix CVE-2023-45288 by @dannawang0221 in #1683
+
+
+# v1.13.5 - Changelog since v1.13.4
+
+## Changes by Kind
+
+### Uncategorized
+_Nothing has changed._
+
+
 # v1.13.4 - Changelog since v1.13.3
 
 ## Changes by Kind

CHANGELOG/CHANGELOG-1.14.md

@@ -1,3 +1,26 @@
+# v1.14.3 - Changelog since v1.14.2
+
+## Changes by Kind
+
+### Bug or Regression
+- Update base image to bookworm-v1.0.4-gke.2 by @k8s-infra-cherrypick-robot in #1834
+
+
+# v1.14.2 - Changelog since v1.14.1
+
+## Changes by Kind
+
+### Uncategorized
+- [release-1.14] Change OPERATION_CANCELED_BY_USER to Canceled instead of Aborted by @k8s-infra-cherrypick-robot in #1790
+
+# v1.14.1 - Changelog since v1.14.0
+
+## Changes by Kind
+
+### Bug or Regression
+- [release-1.14] Adding missing libgpg-error.so.0 required by nvme-cli by @k8s-infra-cherrypick-robot in #1765
+
+
 # v1.14.0 - Changelog since v1.13.6
 
 ## Changes by Kind

CHANGELOG/CHANGELOG-1.15.md

@@ -0,0 +1,36 @@
+# v1.15.2 - Changelog since v1.15.1
+
+- [release-1.15] Map RESOURCE_OPERATION_RATE_EXCEEDED to ResourceExhausted by @k8s-infra-cherrypick-robot in #1848
+- [release-1.15] Add StatusConflict http kind to userErrorCodeMap. by @k8s-infra-cherrypick-robot in #1850
+- Automated cherry pick of #1826: Add ControllerModifyVolume E2E tests
+- #1836: Create documentation for ControllerModifyVolume and controller default
+- #1838: Enable VolumeAttributesClass feature gate for CI runs
+
+
+# v1.15.1 - Changelog since v1.15.0
+### Bug
+- Update base image to bookworm-v1.0.4-gke.2 by @k8s-infra-cherrypick-robot in #1833
+
+# v1.15.0 - Changelog since v1.14.3
+
+## Changes by Kind
+
+### Bug or Regression
+- Adding missing libgpg-error.so.0 required by nvme-cli by @pwschuurman in #1760
+- Format byte array error output from google_nvme_id as string by @pwschuurman in #1761
+
+### Feature
+- Add ControllerModifyVolume functionality by @travisyx in #1801
+
+### Uncategorized
+- Add verify-docker-deps.sh to verify-all.sh by @pwschuurman in #1762
+- Change OPERATION_CANCELED_BY_USER to Canceled instead of Aborted by @amacaskill in #1789
+- Bump the onsi group across 1 directory with 2 updates by @dependabot in #1811
+- Upgrade sanity tests to v5.3.0 and CSI Spec to v1.10.0 by @travisyx in #1814
+- Add manual deployment instructions for Storage Pools by @amacaskill in #1817
+- Update stable rc master image to point to v1.14.2-rc1 by @amacaskill in #1806
+- Bump golang from 1.22.5 to 1.23.0 by @dependabot in #1808
+- Bump golang from 1.22.4 to 1.22.5 by @dependabot in #1778
+- prune changelog for 1.14 by @pwschuurman in #1745
+- Add back CHANGELOG, removed in #1745 by mistake by @pwschuurman in #1746
+- Add support for running tests on confidential VMs that use NVMe by @pwschuurman in #1636

Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.23.0 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23.0 AS builder
 
 ARG STAGINGVERSION
 ARG TARGETPLATFORM
@@ -23,24 +23,24 @@ RUN GOARCH=$(echo $TARGETPLATFORM | cut -f2 -d '/') GCE_PD_CSI_STAGING_VERSION=$
 
 # Start from Kubernetes Debian base.
 
-FROM gke.gcr.io/debian-base:bookworm-v1.0.4-gke.2 as debian
+FROM gke.gcr.io/debian-base:bookworm-v1.0.4-gke.2 AS debian
 
 # Install necessary dependencies
 # google_nvme_id script depends on the following packages: nvme-cli, xxd, bash
 RUN clean-install util-linux e2fsprogs mount ca-certificates udev xfsprogs nvme-cli xxd bash
 
 # Since we're leveraging apt to pull in dependencies, we use `gcr.io/distroless/base` because it includes glibc.
-FROM gcr.io/distroless/base-debian12 as distroless-base
+FROM gcr.io/distroless/base-debian12 AS distroless-base
 
 # The distroless amd64 image has a target triplet of x86_64
 FROM distroless-base AS distroless-amd64
-ENV LIB_DIR_PREFIX x86_64
+ENV LIB_DIR_PREFIX=x86_64
 
 # The distroless arm64 image has a target triplet of aarch64
 FROM distroless-base AS distroless-arm64
-ENV LIB_DIR_PREFIX aarch64
+ENV LIB_DIR_PREFIX=aarch64
 
-FROM distroless-$TARGETARCH as output-image
+FROM distroless-$TARGETARCH
 
 # Copy necessary dependencies into distroless base.
 COPY --from=builder /go/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/bin/gce-pd-csi-driver /gce-pd-csi-driver
@@ -84,7 +84,6 @@ COPY --from=debian /lib/${LIB_DIR_PREFIX}-linux-gnu/libselinux.so.1 \
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/liblzma.so.5 \
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/libreadline.so.8 \
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/libz.so.1 \
-                   /lib/${LIB_DIR_PREFIX}-linux-gnu/libc.so.6 \
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/liburcu.so.8 \ 
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/libcap.so.2 \
                    /lib/${LIB_DIR_PREFIX}-linux-gnu/libcrypto.so.3 \
@@ -119,16 +118,4 @@ COPY --from=debian /usr/lib/${LIB_DIR_PREFIX}-linux-gnu/libblkid.so.1 \
 # Copy NVME support required script and rules into distroless base.
 COPY deploy/kubernetes/udev/google_nvme_id /lib/udev_containerized/google_nvme_id
 
-# Build stage used for validation of the output-image
-# See validate-container-linux-* targets in Makefile
-FROM output-image as validation-image
-
-COPY --from=debian /usr/bin/ldd /usr/bin/find /usr/bin/xargs /usr/bin/
-COPY --from=builder /go/src/sigs.k8s.io/gcp-compute-persistent-disk-csi-driver/hack/print-missing-deps.sh /print-missing-deps.sh
-SHELL ["/bin/bash", "-c"]
-RUN /print-missing-deps.sh
-
-# Final build stage, create the real Docker image with ENTRYPOINT
-FROM output-image
-
 ENTRYPOINT ["/gce-pd-csi-driver"]

Makefile

@@ -73,20 +73,24 @@ build-and-push-multi-arch-debug: build-and-push-container-linux-debug build-and-
 push-container: build-container
 
 # Used by hack/verify-docker-deps.sh, not used for building artifacts
-validate-container-linux-amd64: init-buildx
-	$(DOCKER) buildx build --platform=linux/amd64 \
-		-t validation_linux_amd64 \
-		--target validation-image \
-		--build-arg BUILDPLATFORM=linux \
-		--build-arg STAGINGVERSION=$(STAGINGVERSION) .
+validate-container-linux-amd64: build-and-load-container-linux-amd64
+	./hack/print-missing-deps.sh $(STAGINGIMAGE):$(STAGINGVERSION)_linux_amd64
 
 # Used by hack/verify-docker-deps.sh, not used for building artifacts
-validate-container-linux-arm64: init-buildx
-	$(DOCKER) buildx build --platform=linux/arm64 \
-		-t validation_linux_arm64 \
-		--target validation-image \
-		--build-arg BUILDPLATFORM=linux \
-		--build-arg STAGINGVERSION=$(STAGINGVERSION) .
+validate-container-linux-arm64: build-and-load-container-linux-arm64
+	./hack/print-missing-deps.sh $(STAGINGIMAGE):$(STAGINGVERSION)_linux_arm64
+
+validate-container-linux: validate-container-linux-amd64 validate-container-linux-arm64
+
+build-and-load-container-linux-amd64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
+	$(DOCKER) buildx build --platform=linux/amd64 \
+		-t $(STAGINGIMAGE):$(STAGINGVERSION)_linux_amd64 \
+		--build-arg STAGINGVERSION=$(STAGINGVERSION) --load .
+
+build-and-load-container-linux-arm64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
+	$(DOCKER) buildx build --file=Dockerfile --platform=linux/arm64 \
+		-t $(STAGINGIMAGE):$(STAGINGVERSION)_linux_arm64 \
+		--build-arg STAGINGVERSION=$(STAGINGVERSION) --load .
 
 build-and-push-container-linux-amd64: require-GCE_PD_CSI_STAGING_IMAGE init-buildx
 	$(DOCKER) buildx build --platform=linux/amd64 \

cmd/gce-pd-csi-driver/main.go

@@ -143,6 +143,7 @@ func handle() {
 		}()
 	}
 
+	var metricsManager *metrics.MetricsManager = nil
 	if *runControllerService && *httpEndpoint != "" {
 		mm := metrics.NewMetricsManager()
 		mm.InitializeHttpHandler(*httpEndpoint, *metricsPath)
@@ -151,6 +152,7 @@ func handle() {
 		if metrics.IsGKEComponentVersionAvailable() {
 			mm.EmitGKEComponentVersion()
 		}
+		metricsManager = &mm
 	}
 
 	if len(*extraVolumeLabelsStr) > 0 && !*runControllerService {
@@ -261,7 +263,7 @@ func handle() {
 	gce.WaitForOpBackoff.Steps = *waitForOpBackoffSteps
 	gce.WaitForOpBackoff.Cap = *waitForOpBackoffCap
 
-	gceDriver.Run(*endpoint, *grpcLogCharCap, *enableOtelTracing)
+	gceDriver.Run(*endpoint, *grpcLogCharCap, *enableOtelTracing, metricsManager)
 }
 
 func notEmpty(v string) bool {

deploy/kubernetes/images/prow-stable-sidecar-rc-master/image.yaml

@@ -23,7 +23,7 @@ metadata:
   name: imagetag-csi-resize-prow-rc
 imageTag:
   name: registry.k8s.io/sig-storage/csi-resizer
-  newTag: "v1.11.1"
+  newTag: "v1.12.0"
 ---
 apiVersion: builtin
 kind: ImageTagTransformer
@@ -48,6 +48,6 @@ metadata:
 imageTag:
   name: registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver
   newName: gcr.io/k8s-staging-cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver
-  newTag: "v1.15.2-rc3"
+  newTag: "v1.15.3-rc2"
 ---
 

deploy/kubernetes/images/stable-master/image.yaml

@@ -22,7 +22,7 @@ metadata:
   name: imagetag-csi-resizer
 imageTag:
   name: registry.k8s.io/sig-storage/csi-resizer
-  newTag: "v1.11.1"
+  newTag: "v1.12.0"
 ---
 
 apiVersion: builtin

examples/kubernetes/demo-vol-create.yaml

@@ -16,7 +16,7 @@ metadata:
 driverName: pd.csi.storage.gke.io
 parameters:
   iops: "3000"
-  throughput: "150"
+  throughput: "150Mi"
 ---
 apiVersion: storage.k8s.io/v1beta1
 kind: VolumeAttributesClass
@@ -25,7 +25,7 @@ metadata:
 driverName: pd.csi.storage.gke.io
 parameters:
   iops: "3013"
-  throughput: "151"
+  throughput: "151Mi"
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim

hack/print-missing-deps.sh

@@ -20,13 +20,33 @@ set -o pipefail
 
 echo "Verifying Docker Executables have appropriate dependencies"
 
+TEMP_DIR="$(mktemp -d)"
+trap 'rm -rf -- "$TEMP_DIR"' EXIT
+
+export CONTAINER_IMAGE="$1"
+export CONTAINER_EXPORT_DIR="$TEMP_DIR/image_dir"
+
+extractContainerImage() {
+  CONTAINER_ID="$(docker create "$CONTAINER_IMAGE")"
+  CONTAINER_EXPORT_TAR="$TEMP_DIR/image.tar"
+  docker export "$CONTAINER_ID" -o "$CONTAINER_EXPORT_TAR"
+  mkdir -p "$CONTAINER_EXPORT_DIR"
+  tar xf "$CONTAINER_EXPORT_TAR" -C "$CONTAINER_EXPORT_DIR"
+}
+
+printNeededDeps() {
+  readelf -d "$@" 2>&1 | grep NEEDED | awk '{print $5}' | sed -e 's@\[@@g' -e 's@\]@@g'
+}
+
 printMissingDep() {
-  if /usr/bin/ldd "$@" | grep "not found"; then
+  if ! find "$CONTAINER_EXPORT_DIR" -name "$@" > /dev/null; then
     echo "!!! Missing deps for $@ !!!"
     exit 1
   fi
 }
 
+export -f printNeededDeps
 export -f printMissingDep
 
-/usr/bin/find / -type f -executable -print | /usr/bin/xargs -I {} /bin/bash -c 'printMissingDep "{}"'
+extractContainerImage
+/usr/bin/find "$CONTAINER_EXPORT_DIR" -type f -executable -print | /usr/bin/xargs -I {} /bin/bash -c 'printNeededDeps "{}"' | sort | uniq | /usr/bin/xargs -I {} /bin/bash -c 'printMissingDep "{}"'

hack/verify-all.sh

@@ -23,5 +23,3 @@ PKG_ROOT=$(git rev-parse --show-toplevel)
 "${PKG_ROOT}/hack/verify-gofmt.sh"
 "${PKG_ROOT}/hack/verify-govet.sh"
 "${PKG_ROOT}/hack/verify-docker-deps.sh"
-
-make -C "${PKG_ROOT}" all

hack/verify-docker-deps.sh

@@ -22,4 +22,5 @@ echo "Verifying Docker Image Dependencies"
 
 PKG_ROOT=$(git rev-parse --show-toplevel)
 
-make -C "${PKG_ROOT}" validate-container-linux-amd64 validate-container-linux-arm64
+export GCE_PD_CSI_STAGING_IMAGE=validation-image
+make -C "${PKG_ROOT}" validate-container-linux