Add DigitalOcean CSI driver (#1754)

* Add DigitalOcean CSI driver

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>

* Add DigitalOcean CSI driver images

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>

* Add default StorageClass and VolumeSnapshotClass

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>

addons/csi-digitalocean/snapshot-controller.yaml

@@ -0,0 +1,98 @@
+# Copyright 2022 DigitalOcean
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#
+# snapshotter controller
+# source: # Source: https://github.com/kubernetes-csi/external-snapshotter
+#
+
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: snapshot-controller
+  namespace: kube-system
+spec:
+  serviceName: "snapshot-controller"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: snapshot-controller
+  template:
+    metadata:
+      labels:
+        app: snapshot-controller
+    spec:
+      serviceAccount: snapshot-controller
+      containers:
+        - name: snapshot-controller
+          image: {{ .InternalImages.Get "DigitalOceanCSISnapshotController" }}
+          args:
+            - "--v=5"
+          imagePullPolicy: IfNotPresent
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-controller
+  namespace: kube-system
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-controller-role
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: snapshot-controller-binding
+subjects:
+  - kind: ServiceAccount
+    name: snapshot-controller
+    namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: snapshot-controller-role
+  apiGroup: rbac.authorization.k8s.io

addons/csi-digitalocean/snapshot-validation-webhook.yaml

@@ -0,0 +1,97 @@
+# Copyright 2022 DigitalOcean
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: digitalocean-webhook-certs
+  namespace: kube-system
+data:
+  "cert.pem": |
+{{ .Certificates.DigitalOceanCSIWebhookCert | b64enc | indent 4 }}
+  "key.pem": |
+{{ .Certificates.DigitalOceanCSIWebhookKey | b64enc | indent 4 }}
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+  name: "validation-webhook.snapshot.storage.k8s.io"
+webhooks:
+  - name: "validation-webhook.snapshot.storage.k8s.io"
+    rules:
+      - apiGroups:   ["snapshot.storage.k8s.io"]
+        apiVersions: ["v1", "v1beta1"]
+        operations:  ["CREATE", "UPDATE"]
+        resources:   ["volumesnapshots", "volumesnapshotcontents"]
+        scope:       "*"
+    clientConfig:
+      service:
+        namespace: "kube-system"
+        name: "snapshot-validation-service"
+        path: "/volumesnapshot"
+      caBundle: |
+{{ .Certificates.KubernetesCA | b64enc | indent 8 }}
+    admissionReviewVersions: ["v1", "v1beta1"]
+    sideEffects: None
+    failurePolicy: Fail
+    timeoutSeconds: 5
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: snapshot-validation
+  namespace: kube-system
+  labels:
+    app: snapshot-validation
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: snapshot-validation
+  template:
+    metadata:
+      labels:
+        app: snapshot-validation
+    spec:
+      containers:
+        - name: snapshot-validation
+          image: {{ .InternalImages.Get "DigitalOceanCSISnapshotValidationWebhook" }}
+          imagePullPolicy: IfNotPresent
+          args: ['--tls-cert-file=/etc/snapshot-validation-webhook/certs/cert.pem', '--tls-private-key-file=/etc/snapshot-validation-webhook/certs/key.pem']
+          ports:
+            - containerPort: 443
+          volumeMounts:
+            - name: snapshot-validation-webhook-certs
+              mountPath: /etc/snapshot-validation-webhook/certs
+              readOnly: true
+      volumes:
+        - name: snapshot-validation-webhook-certs
+          secret:
+            secretName: digitalocean-webhook-certs
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: snapshot-validation-service
+  namespace: kube-system
+spec:
+  selector:
+    app: snapshot-validation
+  ports:
+    - protocol: TCP
+      port: 443

addons/default-storage-class/storage-class.yaml

@@ -172,3 +172,25 @@ provisioner: csi.hetzner.cloud
 volumeBindingMode: WaitForFirstConsumer
 allowVolumeExpansion: true
 {{ end }}
+
+{{ if eq .Config.CloudProvider.CloudProviderName "digitalocean" }}
+{{ if .Config.CloudProvider.External }}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: do-block-storage
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: dobs.csi.digitalocean.com
+allowVolumeExpansion: true
+---
+kind: VolumeSnapshotClass
+apiVersion: snapshot.storage.k8s.io/v1beta1
+metadata:
+  name: do-block-storage
+  annotations:
+    snapshot.storage.kubernetes.io/is-default-class: "true"
+driver: dobs.csi.digitalocean.com
+deletionPolicy: Delete
+{{ end }}
+{{ end }}

pkg/addons/applier.go

@@ -208,8 +208,10 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 		Params:    params,
 	}
 
+	// Certs for CSI plugins
+	switch {
 	// Certs for vsphere-csi-webhook (deployed only if CSIMigration is enabled)
-	if csiMigration && s.Cluster.CloudProvider.Vsphere != nil {
+	case csiMigration && s.Cluster.CloudProvider.Vsphere != nil:
 		vsphereCSICertsMap, err := certificate.NewSignedTLSCert(
 			resources.VsphereCSIWebhookName,
 			resources.VsphereCSIWebhookNamespace,
@@ -222,9 +224,7 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 		}
 		data.Certificates["vSphereCSIWebhookCert"] = vsphereCSICertsMap[resources.TLSCertName]
 		data.Certificates["vSphereCSIWebhookKey"] = vsphereCSICertsMap[resources.TLSKeyName]
-	}
-
-	if s.Cluster.CloudProvider.Nutanix != nil {
+	case s.Cluster.CloudProvider.Nutanix != nil:
 		nutanixCSICertsMap, err := certificate.NewSignedTLSCert(
 			resources.NutanixCSIWebhookName,
 			resources.NutanixCSIWebhookNamespace,
@@ -237,6 +237,19 @@ func newAddonsApplier(s *state.State) (*applier, error) {
 		}
 		data.Certificates["NutanixCSIWebhookCert"] = nutanixCSICertsMap[resources.TLSCertName]
 		data.Certificates["NutanixCSIWebhookKey"] = nutanixCSICertsMap[resources.TLSKeyName]
+	case s.Cluster.CloudProvider.DigitalOcean != nil && s.Cluster.CloudProvider.External:
+		digitaloceanCSICertsMap, err := certificate.NewSignedTLSCert(
+			resources.DigitalOceanCSIWebhookName,
+			resources.DigitalOceanCSIWebhookNamespace,
+			s.Cluster.ClusterNetwork.ServiceDomainName,
+			kubeCAPrivateKey,
+			kubeCACert,
+		)
+		if err != nil {
+			return nil, err
+		}
+		data.Certificates["DigitalOceanCSIWebhookCert"] = digitaloceanCSICertsMap[resources.TLSCertName]
+		data.Certificates["DigitalOceanCSIWebhookKey"] = digitaloceanCSICertsMap[resources.TLSKeyName]
 	}
 
 	return &applier{

pkg/addons/ensure.go

@@ -49,6 +49,7 @@ var (
 		resources.AddonCSIAwsEBS:          "",
 		resources.AddonCSIAzureDisk:       "",
 		resources.AddonCSIAzureFile:       "",
+		resources.AddonCSIDigitalOcean:    "",
 		resources.AddonCSIHetzner:         "",
 		resources.AddonCSIOpenStackCinder: "",
 		resources.AddonCSIVsphere:         "",
@@ -132,9 +133,14 @@ func collectAddons(s *state.State) (addonsToDeploy []addonAction) {
 			},
 		)
 	case s.Cluster.CloudProvider.DigitalOcean != nil:
-		addonsToDeploy = append(addonsToDeploy, addonAction{
-			name: resources.AddonCCMDigitalOcean,
-		})
+		addonsToDeploy = append(addonsToDeploy,
+			addonAction{
+				name: resources.AddonCCMDigitalOcean,
+			},
+			addonAction{
+				name: resources.AddonCSIDigitalOcean,
+			},
+		)
 	case s.Cluster.CloudProvider.Hetzner != nil:
 		addonsToDeploy = append(addonsToDeploy,
 			addonAction{

pkg/templates/images/images.go

@@ -124,6 +124,17 @@ const (
 	NutanixCSIResizer
 	NutanixCSISnapshotter
 
+	// DigitalOcean CSI
+	DigitalOceanCSI
+	DigitalOceanCSIAlpine
+	DigitalOceanCSIAttacher
+	DigitalOceanCSINodeDriverRegistar
+	DigitalOceanCSIProvisioner
+	DigitalOceanCSIResizer
+	DigitalOceanCSISnapshotController
+	DigitalOceanCSISnapshotValidationWebhook
+	DigitalOceanCSISnapshotter
+
 	// CCMs and CSI plugins
 	DigitaloceanCCM
 	HetznerCCM
@@ -235,6 +246,16 @@ func optionalResources() map[Resource]map[string]string {
 		// DigitalOcean CCM
 		DigitaloceanCCM: {"*": "docker.io/digitalocean/digitalocean-cloud-controller-manager:v0.1.33"},
 
+		DigitalOceanCSI:                          {"*": "docker.io/digitalocean/do-csi-plugin:v3.0.0"},
+		DigitalOceanCSIAlpine:                    {"*": "docker.io/alpine:3"},
+		DigitalOceanCSIAttacher:                  {"*": "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0"},
+		DigitalOceanCSINodeDriverRegistar:        {"*": "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.4.0"},
+		DigitalOceanCSIProvisioner:               {"*": "k8s.gcr.io/sig-storage/csi-provisioner:v2.2.2"},
+		DigitalOceanCSIResizer:                   {"*": "k8s.gcr.io/sig-storage/csi-resizer:v1.3.0"},
+		DigitalOceanCSISnapshotController:        {"*": "k8s.gcr.io/sig-storage/snapshot-controller:v3.0.3"},
+		DigitalOceanCSISnapshotValidationWebhook: {"*": "k8s.gcr.io/sig-storage/snapshot-validation-webhook:v3.0.3"},
+		DigitalOceanCSISnapshotter:               {"*": "k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3"},
+
 		// Hetzner CCM
 		HetznerCCM: {"*": "docker.io/hetznercloud/hcloud-cloud-controller-manager:v1.12.0"},
 

pkg/templates/resources/resources.go

@@ -35,6 +35,7 @@ const (
 	AddonCSIAwsEBS          = "csi-aws-ebs"
 	AddonCSIAzureDisk       = "csi-azuredisk"
 	AddonCSIAzureFile       = "csi-azurefile"
+	AddonCSIDigitalOcean    = "csi-digitalocean"
 	AddonCSIHetzner         = "csi-hetzner"
 	AddonCSIOpenStackCinder = "csi-openstack-cinder"
 	AddonCSIVsphere         = "csi-vsphere"
@@ -64,6 +65,9 @@ const (
 
 	NutanixCSIWebhookName      = "snapshot-validation-service"
 	NutanixCSIWebhookNamespace = metav1.NamespaceSystem
+
+	DigitalOceanCSIWebhookName      = "snapshot-validation-service"
+	DigitalOceanCSIWebhookNamespace = metav1.NamespaceSystem
 )
 
 const (