STOR-1408: Chore: Update ibm-vpc-block-csi-driver to the latest release

.nancy-ignore

@@ -1,3 +1,4 @@
 CVE-2020-8561 ## CWE-610: Externally Controlled Reference to a Resource in Another Sphere 
-CVE-2021-25740 ## CWE-610: Externally Controlled Reference to a Resource in Another Sphere 
+CVE-2021-25740 ## CWE-610: Externally Controlled Reference to a Resource in Another Sphere
 sonatype-2022-6522 ## 1 non-CVE vuln [pkg:golang/k8s.io/[email protected]]
+CVE-2021-25749 ## Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.Fix not available in community till now.

.travis.yml

@@ -6,7 +6,7 @@ env:
     - GO111MODULE=on
 
 go:
-  - "1.18.2"
+  - "1.20.10"
 
 before_install:
   - go install github.com/mattn/goveralls@latest

Dockerfile.builder

@@ -1,4 +1,4 @@
-FROM golang:1.19.6
+FROM golang:1.20.10
 
 WORKDIR /go/src/github.com/kubernetes-sigs/ibm-vpc-block-csi-driver
 ADD . /go/src/github.com/kubernetes-sigs/ibm-vpc-block-csi-driver

Makefile

@@ -20,7 +20,7 @@ GIT_COMMIT_SHA="$(shell git rev-parse HEAD 2>/dev/null)"
 GIT_REMOTE_URL="$(shell git config --get remote.origin.url 2>/dev/null)"
 BUILD_DATE="$(shell date -u +"%Y-%m-%dT%H:%M:%SZ")"
 OSS_FILES := go.mod Dockerfile
-GOLANG_VERSION="1.19.6"
+GOLANG_VERSION="1.20.10"
 
 
 STAGING_REGISTRY ?= gcr.io/k8s-staging-cloud-provider-ibm
@@ -44,7 +44,7 @@ BUILD_NUMBER?=unknown
 GO111MODULE_FLAG?=on
 export GO111MODULE=$(GO111MODULE_FLAG)
 
-export LINT_VERSION="1.45.2"
+export LINT_VERSION="1.51.2"
 
 GOFILES=$(shell find . -type f -name '*.go' -not -path "./vendor/*")
 
@@ -88,7 +88,7 @@ verify:
 
 .PHONY: test
 test:
-	go test -v -race ./cmd/... ./pkg/...
+	go test -timeout 1800s -v -race ./cmd/... ./pkg/...
 
 .PHONY: ut-coverage
 ut-coverage:

cmd/main.go

@@ -21,10 +21,8 @@ import (
 	"flag"
 	"strings"
 
-	"math/rand"
 	"net/http"
 	"os"
-	"time"
 
 	libMetrics "github.com/IBM/ibmcloud-volume-interface/lib/metrics"
 	k8sUtils "github.com/IBM/secret-utils-lib/pkg/k8s_utils"
@@ -58,7 +56,6 @@ var (
 
 func main() {
 	flag.Parse()
-	rand.Seed(time.Now().UnixNano())
 	handle(logger)
 	os.Exit(0)
 }

deploy/kubernetes/driver/kubernetes/manifests/config-map.yaml

@@ -74,3 +74,4 @@ data:
   BlockDriverMemoryLimit: "600Mi"           #container:iks-vpc-block-driver, resource-type: memory-limit
   CSISnapshotterCPULimit: "80m"             #container:csi-snapshotter, resource-type: cpu-limit
   CSISnapshotterMemoryLimit: "160Mi"        #container:csi-snapshotter, resource-type: memory-limit
+  VolumeAttachmentLimit: "12"               #Volume Attachment Limit per node

deploy/kubernetes/driver/kubernetes/manifests/controller-server.yaml

@@ -1,25 +1,27 @@
-kind: StatefulSet
+kind: Deployment
 apiVersion: apps/v1
 metadata:
   name: ibm-vpc-block-csi-controller
   namespace: kube-system
   labels:
-    app: ibm-vpc-block-csi-driver
+    app: ibm-vpc-block-csi-controller
     addonmanager.kubernetes.io/mode: Reconcile
+    app.kubernetes.io/name: ibm-vpc-block-csi-driver
 spec:
-  serviceName: "ibm-vpc-block-service"
   replicas: 1
   selector:
     matchLabels:
-      app: ibm-vpc-block-csi-driver
+      app: ibm-vpc-block-csi-controller
+      app.kubernetes.io/name: ibm-vpc-block-csi-driver
   template:
     metadata:
       annotations:
         prometheus.io/scrape: "true"
         prometheus.io/port: "9080"
         prometheus.io/path: "/metrics"
       labels:
-        app: ibm-vpc-block-csi-driver
+        app: ibm-vpc-block-csi-controller
+        app.kubernetes.io/name: ibm-vpc-block-csi-driver
     spec:
       priorityClassName: system-cluster-critical
       serviceAccountName: ibm-vpc-block-controller-sa
@@ -207,4 +209,3 @@ spec:
         - name: customer-auth
           secret:
             secretName: storage-secret-store
-  volumeClaimTemplates: []

deploy/kubernetes/driver/kubernetes/manifests/node-server.yaml

@@ -4,20 +4,23 @@ metadata:
   name: ibm-vpc-block-csi-node
   namespace: kube-system
   labels:
-    app: ibm-vpc-block-csi-driver
+    app: ibm-vpc-block-csi-node
     addonmanager.kubernetes.io/mode: Reconcile
+    app.kubernetes.io/name: ibm-vpc-block-csi-driver
 spec:
   selector:
     matchLabels:
-      app: ibm-vpc-block-csi-driver
+      app: ibm-vpc-block-csi-node
+      app.kubernetes.io/name: ibm-vpc-block-csi-driver
   template:
     metadata:
       annotations:
         prometheus.io/scrape: "true"
         prometheus.io/port: "9080"
         prometheus.io/path: "/metrics"
       labels:
-        app: ibm-vpc-block-csi-driver
+        app: ibm-vpc-block-csi-node
+        app.kubernetes.io/name: ibm-vpc-block-csi-driver
     spec:
       priorityClassName: system-node-critical
       serviceAccountName: ibm-vpc-block-node-sa
@@ -44,6 +47,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: VOLUME_ATTACHMENT_LIMIT
+              value: "{{kube-system.addon-vpc-block-csi-driver-configmap.VolumeAttachmentLimit}}{{^kube-system.addon-vpc-block-csi-driver-configmap.VolumeAttachmentLimit}}12{{/kube-system.addon-vpc-block-csi-driver-configmap.VolumeAttachmentLimit}}"
           resources:
             limits:
               cpu: "{{kube-system.addon-vpc-block-csi-driver-configmap.CSIDriverRegistrarCPULimit}}{{^kube-system.addon-vpc-block-csi-driver-configmap.CSIDriverRegistrarCPULimit}}40m{{/kube-system.addon-vpc-block-csi-driver-configmap.CSIDriverRegistrarCPULimit}}"

examples/kubernetes/snapshot/VolumeSnapshot.yaml

@@ -0,0 +1,8 @@
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshot
+metadata:
+  name: snapshot-csi-block
+spec:
+  volumeSnapshotClassName: ibmc-vpcblock-snapshot
+  source:
+    persistentVolumeClaimName: csi-block-pvc-good 

examples/kubernetes/snapshot/restorePVC.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: restore-pvc1
+spec:
+  storageClassName: ibmc-vpc-block-5iops-tier
+  dataSource:
+    name: snapshot-csi-block # name of volumeSnapshot resource
+    kind: VolumeSnapshot
+    apiGroup: snapshot.storage.k8s.io
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi # size must be >= source PVC

examples/kubernetes/snapshot/volumesnapshotclass.yaml

@@ -0,0 +1,8 @@
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: ibmc-vpcblock-snapshot-delete
+  labels:
+    app: ibm-vpc-block-csi-driver
+driver: vpc.block.csi.ibm.io
+deletionPolicy: Delete

examples/kubernetes/static-pod.yaml

@@ -0,0 +1,27 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: static-pvc-pod
+  labels:
+    app: static-pvc-pod
+spec:
+  selector:
+    matchLabels:
+      app: static-pvc-pod
+  template:
+    metadata:
+      labels:
+        app: static-pvc-pod
+    spec:
+      containers:
+      - image: rabbitmq
+        name: rabbitmq-container
+        volumeMounts:
+        - name: my-static-vol
+          mountPath: /my-static-vol
+      volumes:
+      - name: my-static-vol
+        persistentVolumeClaim:
+          claimName: static-pvc # Update your pvc name here
+      nodeSelector:
+        kubernetes.io/hostname: "10.240.0.7" # Update hostname as node name which should match as per volume's zone

examples/kubernetes/static-pv.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: static-pv
+spec:
+  accessModes:
+  - ReadWriteOnce # Should be matched as per PVC's requested accessMode
+  capacity:
+    storage: 10Gi # Should be matched as per PVC's request storage
+  csi:
+    driver: vpc.block.csi.ibm.io
+    fsType: ext4
+    volumeAttributes:
+      iops: "3000"
+      volumeId: r006-ab62267d-ad2f-43ec-a22e-23007a9d2618
+      zone: us-south-1
+      region: us-south
+    volumeHandle: r006-ab62267d-ad2f-43ec-a22e-23007a9d2618
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  volumeMode: Filesystem

examples/kubernetes/static-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: static-pvc
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10 # Update vpc data volume size which should match as per pv's size
+  storageClassName: ""

go.mod

@@ -1,11 +1,11 @@
 module github.com/kubernetes-sigs/ibm-vpc-block-csi-driver
 
-go 1.18
+go 1.20
 
 require (
 	github.com/IBM/ibm-csi-common v1.1.7
 	github.com/IBM/ibmcloud-volume-interface v1.2.0
-	github.com/IBM/ibmcloud-volume-vpc v1.1.5
+	github.com/IBM/ibmcloud-volume-vpc v1.1.6
 	github.com/IBM/secret-utils-lib v1.1.4
 	github.com/container-storage-interface/spec v1.7.0
 	github.com/golang/glog v1.1.0

go.sum

@@ -43,8 +43,8 @@ github.com/IBM/ibm-csi-common v1.1.7 h1:4QY86ZJ8rX1ghrhytgIY+VoEemeG+J2PbvzXTuYZ
 github.com/IBM/ibm-csi-common v1.1.7/go.mod h1:TilE1H+F4rzhgnEHHDzdcJ9M+WcJB6QCBxwtGdCDv7A=
 github.com/IBM/ibmcloud-volume-interface v1.2.0 h1:9SqCaC0H6nhiXZL57FsR0n1B7rQ7CVW86kjVKqGmMck=
 github.com/IBM/ibmcloud-volume-interface v1.2.0/go.mod h1:646HOeq8dAKbgpr7jRehGKckhgduJyII2uN5T6RDLww=
-github.com/IBM/ibmcloud-volume-vpc v1.1.5 h1:dN/LxVxtkiK0g4JzDP2VnHoh+LfHwPyzB+TgUZbhVyU=
-github.com/IBM/ibmcloud-volume-vpc v1.1.5/go.mod h1:+UTHGrGzjyA2VjaozhB1xOjAcJ1lsi9mFqfGsqmuCOQ=
+github.com/IBM/ibmcloud-volume-vpc v1.1.6 h1:HU76slo59S6vPANtQxTDdco+Lu7EToQw7Ow28n5eZR0=
+github.com/IBM/ibmcloud-volume-vpc v1.1.6/go.mod h1:+UTHGrGzjyA2VjaozhB1xOjAcJ1lsi9mFqfGsqmuCOQ=
 github.com/IBM/secret-common-lib v1.1.4 h1:gKpKnaP45Y6u7VpSlFfXjjTAHpu4bz9Ofy+aR0t2RcI=
 github.com/IBM/secret-common-lib v1.1.4/go.mod h1:0L/lLfwi5jwTTmNYE2246HzBIdGz0m6wu/5tXoRp/Lc=
 github.com/IBM/secret-utils-lib v1.1.4 h1:8WPG9KBrLLRhGbQn34NWzrFKlyfIIaUfLeDg+iRJkes=

hack/verify-golint.sh

@@ -18,13 +18,13 @@ set -euo pipefail
 curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin latest
 if [[ -z "$(command -v golangci-lint)" ]]; then
   echo "Cannot find golangci-lint. Installing golangci-lint..."
-  curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.50.0
+  curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.51.2
   export PATH=$PATH:$(go env GOPATH)/bin
 fi
 
 echo "Verifying golint"
 readonly PKG_ROOT="$(git rev-parse --show-toplevel)"
 
-golangci-lint run --deadline=10m
+golangci-lint run --timeout=10m
 
 echo "Congratulations! Lint check completed for all Go source files."

pkg/ibmcsidriver/constants.go

@@ -115,6 +115,12 @@ const (
 
 	// Generation ... just for backward compatibility
 	Generation = "generation"
+
+	// DEFAULT_SNAPSHOT_CREATE_DELAY ...
+	DEFAULT_SNAPSHOT_CREATE_DELAY = 300 //300 seconds
+
+	// MAX_SNAPSHOT_CREATE_DELAY ... This is max timeout value for csi-snapshotter
+	MAX_SNAPSHOT_CREATE_DELAY = 900 //900 seconds
 )
 
 // SupportedFS the supported FS types

pkg/ibmcsidriver/controller.go

@@ -18,6 +18,7 @@ limitations under the License.
 package ibmcsidriver
 
 import (
+	"os"
 	"strings"
 	"time"
 
@@ -215,7 +216,7 @@ func (csiCS *CSIControllerServer) ControllerPublishVolume(ctx context.Context, r
 	lockWaitStart := time.Now()
 	csiCS.mutex.Lock(nodeID)
 	defer csiCS.mutex.Unlock(nodeID)
-	metrics.UpdateDurationFromStart(ctxLogger, metrics.FunctionLabel("ControllerPublishVolume.Lock"), lockWaitStart)
+	defer metrics.UpdateDurationFromStart(ctxLogger, metrics.FunctionLabel("ControllerPublishVolume.Lock"), lockWaitStart)
 
 	volumeCapabilities := []*csi.VolumeCapability{volumeCapability}
 	// Validate volume capabilities, are all capabilities supported by driver or not
@@ -439,6 +440,13 @@ func (csiCS *CSIControllerServer) CreateSnapshot(ctx context.Context, req *csi.C
 	ctxLogger.Info("CSIControllerServer-CreateSnapshot... ", zap.Reflect("Request", *req))
 	defer metrics.UpdateDurationFromStart(ctxLogger, "CreateSnapshot", time.Now())
 
+	//Feature flag to enable/disable CreateSnapshot feature.
+	if strings.ToLower(os.Getenv("IS_SNAPSHOT_ENABLED")) == "false" {
+		ctxLogger.Warn("CreateSnapshot functionality is disabled.")
+		time.Sleep(10 * time.Minute) //To avoid multiple retries from kubernetes to CSI Driver
+		return nil, commonError.GetCSIError(ctxLogger, commonError.MethodUnimplemented, requestID, nil, "CreateSnapshot functionality is disabled.")
+	}
+
 	snapshotName := req.GetName()
 	if len(snapshotName) == 0 {
 		return nil, commonError.GetCSIError(ctxLogger, commonError.MissingSnapshotName, requestID, nil)
@@ -479,6 +487,7 @@ func (csiCS *CSIControllerServer) CreateSnapshot(ctx context.Context, req *csi.C
 	snapshot, err = session.CreateSnapshot(sourceVolumeID, snapshotParameters)
 
 	if err != nil {
+		time.Sleep(time.Duration(getMaxDelaySnapshotCreate(ctxLogger)) * time.Second) //To avoid multiple retries from kubernetes to CSI Driver
 		return nil, commonError.GetCSIError(ctxLogger, commonError.InternalError, requestID, err, "creation")
 	}
 	return createCSISnapshotResponse(*snapshot), nil

pkg/ibmcsidriver/controller_helper.go

@@ -19,6 +19,7 @@ package ibmcsidriver
 
 import (
 	"fmt"
+	"os"
 	"strconv"
 	"strings"
 
@@ -508,3 +509,27 @@ func getPrefedTopologyParams(topList []*csi.Topology) (map[string]string, error)
 	}
 	return nil, fmt.Errorf("preferred topologies specified but no segments")
 }
+
+/*
+1.) IF user does not given the value DEFAULT_SNAPSHOT_CREATE_DELAY mins
+2.) IF user has given more than MAX_SNAPSHOT_CREATE_DELAY default is MAX_SNAPSHOT_CREATE_DELAY
+3.) In case of any invalid value DEFAULT_SNAPSHOT_CREATE_DELAY mins
+*/
+func getMaxDelaySnapshotCreate(ctxLogger *zap.Logger) int {
+	userDelayEnv := os.Getenv("CUSTOM_SNAPSHOT_CREATE_DELAY")
+	if userDelayEnv == "" {
+		return DEFAULT_SNAPSHOT_CREATE_DELAY
+	}
+
+	customSnapshotCreateDelay, err := strconv.Atoi(userDelayEnv)
+	if err != nil {
+		ctxLogger.Warn("Error while processing CUSTOM_SNAPSHOT_CREATE_DELAY value.Expecting integer value in seconds", zap.Any("CUSTOM_SNAPSHOT_CREATE_DELAY", customSnapshotCreateDelay), zap.Any("Considered value", DEFAULT_SNAPSHOT_CREATE_DELAY), zap.Error(err))
+		return DEFAULT_SNAPSHOT_CREATE_DELAY // min 300 seconds default
+	}
+	if customSnapshotCreateDelay > MAX_SNAPSHOT_CREATE_DELAY {
+		ctxLogger.Warn("CUSTOM_SNAPSHOT_CREATE_DELAY value cannot exceed the limits", zap.Any("CUSTOM_SNAPSHOT_CREATE_DELAY", customSnapshotCreateDelay), zap.Any("Limit value", MAX_SNAPSHOT_CREATE_DELAY))
+		return MAX_SNAPSHOT_CREATE_DELAY // max 900 seconds
+	}
+
+	return customSnapshotCreateDelay
+}

pkg/ibmcsidriver/ibm_csi_driver.go

@@ -35,10 +35,9 @@ type IBMCSIDriver struct {
 	vendorVersion string
 	logger        *zap.Logger
 	region        string
-
-	ids *CSIIdentityServer
-	ns  *CSINodeServer
-	cs  *CSIControllerServer
+	ids           *CSIIdentityServer
+	ns            *CSINodeServer
+	cs            *CSIControllerServer
 
 	vcap  []*csi.VolumeCapability_AccessMode
 	cscap []*csi.ControllerServiceCapability