Implement different driver modes and AWS Region override for controller service

[rfranzke]

Is this a bug fix or adding new feature?
Feature

Fixes #378

What is this PR about? / Why do we need it?
This PR allows to only run the controller service of the driver (and not the node service). Also, it allows to configure the AWS region instead of always looking it up via the AWS EC2 metadata service.

This enables the use-case of running the CSI controllers (csi-provisioner, csi-attacher, etc., + the driver controller) separately outside of the cluster, and not necessarily on an AWS EC2 instance.

What testing is done?
I ran the CSI controllers + EBS driver separately outside of the Kubernetes cluster (with the newly introduced flags of this PR). Also, I ran the EBS driver daemon set inside the cluster (together with the registrar) without the flags (i.e., with standard mode). I was successfully able to provision and deprovision EBS volumes.

[k8s-ci-robot]

Welcome @rfranzke!

It looks like this is your first PR to kubernetes-sigs/aws-ebs-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-ebs-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @rfranzke. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[coveralls]

Pull Request Test Coverage Report for Build 992

• 15 of 45 (33.33%) changed or added relevant lines in 4 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.2%) to 70.953%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
pkg/driver/fakes.go	0	1	0.0%
pkg/driver/driver.go	0	29	0.0%

Totals
Change from base Build 991:	0.2%
Covered Lines:	1258
Relevant Lines:	1773

---

💛 - Coveralls

[rfranzke]

/assign @leakingtapan

[leakingtapan]

@rfranzke This is a nice features! I like the way this PR is heading towards. Several comments:

1. Regarding adding the --region flag, IIUC, this is similar to what's asked
   in Support create pvc in other regions #378. I think a better way to handle this is letting controller service to figure out the region through volume topology instead of either passing the region as cli flag or reading from IMDS. The way it will works is during provisioning in the CreateVolume method, controller service will read the region from the zone here, and create a new cloud client using the region, the volume will be created with the per region client.
2. Regarding the --run-as-controller flag, there are three modes to run the driver 1) controller service only 2) node service only and 3) both (the current mode). I would like a more expressive way to define the three modes than --run-as-controller. One way I'm thinking is we use subcommand to describe what service to run. To run just the controller service, we do:
   /bin/aws-ebs-csi-driver controller. To run just the node service, we do: /bin/aws-ebs-csi-driver node. The benefit is we can cleanly separate the flags that matters to each service independently. Such that extra-volume-tags will only be a flag that is valid to the aws-ebs-csi-driver controller subcommand. And if no subcommand is provided, we will run the driver as current mode (both controller and node service).

[leakingtapan]

/ok-to-test

[rfranzke]

@leakingtapan Thanks for your feedback, I’ve updated the PR based on your suggestions wrt driver mode (all vs. controller vs. node) and implemented the subcommands.

Regarding the first suggestion wrt region:

The way it will works is during provisioning in the CreateVolume method, controller service will read the region from the zone here, and create a new cloud client using the region, the volume will be created with the per region client.

I don’t think this is possible, unfortunately. Checking the link you referred, I could certainly move the statement up and create a new cloud client with the region, but this only covers the CreateVolume case. What if a volume shall be deleted? As far as I can see no region information is provided in the DeleteVolumeRequest object but only the volume id. Where would I get the correct region from?

Another concern was that, even if the DeleteVolume case is solvable somehow, then we would have to remove the default cloud client as it tries to talk to the metadata service (which will not work if the controller does not run on an AWS EC2 instance). Instead, we would have to check in every function where d.cloud is used if it was initialized already, and if not yet then initialize it. (Yes, this is not a problem/argument against it, just something I noticed and wanted to mention).

Though, I have changed it from being a command line parameter to an environment variable (analogous to this code and as AWS_REGION is a pretty well-known environment variable for the use-case of overwriting the region).

Do you see an option to get rid of the “static” region overwriting via the env variable? I’m no CSI expert and not too familiar with the code overall, so chances are high that I’m missing something.

Happy to hear your feedback now!

PS: I don’t think the failing tests were related to my changes, were they?

[rfranzke]

/retest

[leakingtapan]

I don’t think this is possible, unfortunately. Checking the link you referred, I could certainly move the statement up and create a new cloud client with the region, but this only covers the CreateVolume case. What if a volume shall be deleted? As far as I can see no region information is provided in the DeleteVolumeRequest object but only the volume id. Where would I get the correct region from?

It's a good point for DeleteVolume. In my opinion, the CSI spec should have a way to pass in topology information (eg. zone) into DeleteVolume call. So that volume deletion could be handled correctly for volumes across different zones. Symmetrically, this seems necessary as a reverse operation of CreateVolume.

After a second thought, I think we don't need to block this by the above issue. Using AWS_REGION as an override to the IMDS region is acceptable to me. As we can solve the above problem later (if CSI spec) can support this. In the ideal world, the region resolution ordering will be 1) automatic resolution using topology 2) using AWS_REGION 3) using IMDS. And with this PR, we are adding option 2) which sounds good to me :)

[leakingtapan]

Created an issue in CSI: container-storage-interface/spec#408

[leakingtapan]

Since coverage dropped, could you add some unit tests? thx for the contribution :)

[rfranzke]

@leakingtapan can you have another look, please?

[leakingtapan]

@rfranzke I see the coverage is still drop. Could you check where the coverage is missing? Once the coverage is back, you are good to go. Thx

[rfranzke]

@leakingtapan please check now :)

[rfranzke]

/retest

[leakingtapan]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: leakingtapan, rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leakingtapan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment