add functionality to deploy cloud-sa secret and driver #705
Hi @hantaowang. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/hold
b422498
to
22457a4
Compare
I've rebased it, but as it stands this PR 99% will not work. A couple to consider:
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,10 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy a secret that contains the e2e Google credentials | |||
if [[ -z "${E2E_GOOGLE_APPLICATION_CREDENTIALS}" ]]; then |
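Review bot: The `-z` test on the last line only establishes that `E2E_GOOGLE_APPLICATION_CREDENTIALS` is non-empty, not that it names a file the script can read. Since the value is later handed to `--from-file`, add a `[[ -r ... ]]` check next to it and report a missing or unreadable file on stderr, so a bad path fails here with a clear message instead of inside kubectl.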
- Do we have access to this env-var here? [I hope we do, just asking if you verified it.]
- Please add :- to avoid using unset var (both here and below)
The env var is set by prow afaik and is inherited for all prow jobs.
- Identifier: WaitForRunningDriverPods | ||
Method: WaitForRunningPods | ||
Params: | ||
desiredPodCount: {{SumInt .Nodes 1}} |
Why N+1 ?
One driver per node plus a cluster wide driver.
worth commenting in the code here
@@ -0,0 +1,2 @@ | |||
DEPLOY_CSI_DRIVER: true | |||
CSI_DRIVER_PATH: "volume-types/persistentvolume/gcp-csi-driver-stable.yaml" |
nit: please add end-line here
@@ -0,0 +1,343 @@ | |||
apiVersion: v1 |
@msau42 @davidz627 - can you please review this file - I don't know enough about what exactly is needed and how to configure it to make it work.
Please see my latest comment. Tldr: it won't but raises an interesting problem.
this looks like a copy paste of the stable driver :) Please comment at top of file a xref to the original files.
This is the correct set of yamls to deploy a driver into a cluster (along with the secret defined in that other file)
I missed this initially - those are good questions. @mm4tt - for thoughts too
I should point out in our tests we do this by just waiting 60 seconds after deploying the driver. But I don't know if that will work for larger scale clusters.
Keep in mind that eventually the driver will be bundled in gke. Which can be opt-in during gcloud container create
Regarding waiting for the driver to be up, we can watch csinode and wait for the driver to be registered
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,10 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy a secret that contains the e2e Google credentials | |||
if [[ -z "${E2E_GOOGLE_APPLICATION_CREDENTIALS}" ]]; then |
log/echo a warning if this couldn't be found. Looks like if the file doesn't exist we just give up
If we just deploy with an additional script in run-e2e.sh, we can actually just use
@hantaowang - did you verify that this actually works? I think that @mm4tt yesterday mentioned that having multiple objects in one file will not work with CL...
I'm fine with that too. Technically, installing driver is more cluster-setup than test itself, so I would be fine with running something in run-e2e (if we can wait for it)
No, I believe with how object bundles work right now, it won't work. This was just to mock what deploying with CL2 would look like. The default namespace issue also presents a problem, so that's another thing that won't work. I'll try the run-e2e.sh method and make sure that works, and then I'll push here and remove the hold.
22457a4
to
1fb9a5c
Compare
I tested this method and it does work. The deployment is built into run-e2e.sh. There is no tear down, but that should be fine - we just need to not run csi and non csi tests on the same cluster. To use it, add /assign @wojtek-t
/ok-to-test
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,19 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy the GCP PD CSI Driver is required | |||
if [ $1 = "--deploy-csi-driver" ]; then |
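Review bot: `$1` is unquoted in `[ $1 = "--deploy-csi-driver" ]`, so when the script is run with no arguments the test collapses to `[ = "--deploy-csi-driver" ]` and fails with a "unary operator expected" error instead of evaluating false, and an argument containing spaces or glob characters is word-split. Use `[[ "${1:-}" == "--deploy-csi-driver" ]]`, which matches the `${VAR:-default}` style of the context lines above. The flag is also only recognised in first position, which should be stated in the comment or in the usage text.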
I don't know how back params work but I feel like there's a better way to do this, doesn't this just check the first arg for an exact string match? What if I use the "single-dash" syntax instead.
Worth investigating other methods, I've seen other things before that seem to work.
I'm not sure what other methods can work. I didn't want to check every argument although that is a possibility. It's a bit harder since that arg can't be passed to CL2, so it needs to be spliced out. Open to suggestions.
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,19 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy the GCP PD CSI Driver is required | |||
if [ $1 = "--deploy-csi-driver" ]; then | |||
echo "${E2E_GOOGLE_APPLICATION_CREDENTIALS}" |
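Review bot: The `echo "${E2E_GOOGLE_APPLICATION_CREDENTIALS}"` on the last added line writes the credentials variable to the job's output, where CI logs typically retain it. Drop it before merge; if a diagnostic is needed, print only whether the variable is set, never its value.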
do we need to print the contents?
oh sorry, that was for testing
@@ -13,6 +13,7 @@ | |||
{{$VOLUMES_PER_POD := .VOLUMES_PER_POD}} | |||
{{$VOLUME_TEMPLATE_PATH := .VOLUME_TEMPLATE_PATH}} | |||
{{$PROVISION_VOLUME := DefaultParam .PROVISION_VOLUME false}} | |||
{{$USE_CSI := DefaultParam .USE_CSI false}} |
should this param be more specific like DEPLOY_PD_CSI_DRIVER or something?
I think in the future, we may want to support more drivers to test, so it's vague here in the config on purpose.
USE_CSI sounds fine - (in test we're not deploying anything, just potentially using the functionality)
5032354
to
3a89b69
Compare
overall looks fine - I added a couple comments
@@ -0,0 +1,354 @@ | |||
# This config generated from the GCP PD CSI Driver |
I'm not a fan of putting this file in the clusterloader2/ main dir.
Can you move it to "clusterloader2/drivers" or "cl2/csi/" or sth like that.
[e.g. cl2/testing/prometheus contains manifests]
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,18 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy the GCP PD CSI Driver is required | |||
if [ $1 = "--deploy-csi-driver" ]; then |
I'm not a fan of this approach - other than supporting different flag, I prefer to be much more explicit.
Can we instead simply introduce a dedicated env var and use it.
e.g. "DEPLOY_GCI_DRIVER" (and just check if it is true).
is it ok to configure the test with env vars? I defaulted to flags because everything else was configured by flags but this seems like a more flexible solution.
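The flag-splicing problem raised in this thread and the env-var alternative proposed for it, as an added example that is not code from the PR. `forward_without_flag` and `env_wants_driver` are hypothetical helpers, written in POSIX sh so the flag is accepted at any position and every other argument is forwarded unchanged.

```shell
#!/bin/sh
# Added example, not from the PR. Helper names are hypothetical.

# forward_without_flag CMD [ARGS...]
# Runs CMD with ARGS minus the wrapper-only flag, wherever it appears.
# Sets DEPLOY_CSI_DRIVER=true when the flag was present.
forward_without_flag() {
  fwf_cmd=${1:?usage: forward_without_flag CMD [ARGS...]}
  shift
  DEPLOY_CSI_DRIVER=false
  # "for arg" walks a snapshot of "$@"; each pass drops the oldest
  # parameter and re-appends it unless it is the flag being consumed.
  for fwf_arg do
    shift
    case "${fwf_arg}" in
      --deploy-csi-driver|-deploy-csi-driver)
        DEPLOY_CSI_DRIVER=true ;;          # consumed, never forwarded
      *)
        set -- "$@" "${fwf_arg}" ;;        # kept verbatim, spaces included
    esac
  done
  "${fwf_cmd}" "$@"
}

# Env-var form suggested in the review (DEPLOY_GCI_DRIVER is the name
# proposed there). ":-" keeps this safe under "set -u" when it is unset.
env_wants_driver() {
  [ "${DEPLOY_GCI_DRIVER:-false}" = "true" ]
}
```

With the env-var form nothing has to be removed from the argument list at all, which is why the `shift` in the flag-based version becomes unnecessary.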
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,18 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy the GCP PD CSI Driver is required | |||
if [ $1 = "--deploy-csi-driver" ]; then | |||
if [[ -z "${E2E_GOOGLE_APPLICATION_CREDENTIALS}" ]]; then |
:- otherwise you're risking that this will fail with unbounded variable
ack
clusterloader2/run-e2e.sh
Outdated
echo "Env var E2E_GOOGLE_APPLICATION_CREDENTIALS must be set to deploy driver" | ||
exit 1 | ||
else | ||
kubectl create secret generic cloud-sa --from-file="${E2E_GOOGLE_APPLICATION_CREDENTIALS}" |
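Review bot: `--from-file="${E2E_GOOGLE_APPLICATION_CREDENTIALS}"` on the last line gives no key name, so kubectl uses the file's basename as the key inside `cloud-sa`, and the driver only finds its credentials if the CI-provided file happens to carry the name the manifest mounts. Pin the key with `--from-file=<key>=<path>` and pass `--namespace` explicitly instead of relying on the kubeconfig's current namespace. `kubectl create` also returns an error when `cloud-sa` already exists, so a second run against the same cluster will not get past this line cleanly.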
same here
ack
clusterloader2/run-e2e.sh
Outdated
fi | ||
kubectl apply -f ${CLUSTERLOADER_ROOT}/gcp-csi-driver-stable.yaml | ||
kubectl wait pods -l app=gcp-compute-persistent-disk-csi-driver --for condition=Ready --timeout=300s | ||
shift |
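Review bot: `kubectl wait pods -l app=gcp-compute-persistent-disk-csi-driver` runs immediately after `kubectl apply`, and `kubectl wait` returns an error straight away when the selector matches no pods yet, so the 300s timeout may never come into play on a cluster where the controllers have not created the pods. Poll until the pods exist first, or wait on the driver's workloads with `kubectl rollout status`, and pass the namespace explicitly. `${CLUSTERLOADER_ROOT}` in the `apply -f` line should be quoted, since it is derived from the script's own path.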
what does it do?
shift shifts the arguments by 1, essentially popping off the first arg. I will remove this for using env vars.
clusterloader2/testing/experimental/storage/pod-startup/volume-types/persistentvolume/pvc.yaml (resolved conversation)
@@ -0,0 +1 @@ | |||
USE_CSI: true |
nit: add end of line
ack
454480e
to
50d4d95
Compare
Just two additional minor comments
clusterloader2/run-e2e.sh
Outdated
@@ -22,5 +22,17 @@ CLUSTERLOADER_ROOT=$(dirname "${BASH_SOURCE}") | |||
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" | |||
export KUBEMARK_ROOT_KUBECONFIG="${KUBEMARK_ROOT_KUBECONFIG:-${HOME}/.kube/config}" | |||
|
|||
# Deploy the GCP PD CSI Driver is required |
s/is/if/
ack
clusterloader2/run-e2e.sh
Outdated
if [[ -z "${E2E_GOOGLE_APPLICATION_CREDENTIALS:-}" ]]; then | ||
echo "Env var E2E_GOOGLE_APPLICATION_CREDENTIALS must be set to deploy driver" | ||
exit 1 | ||
else |
remove else - there is exit 1 above anyway
ack
50d4d95
to
771484f
Compare
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hantaowang, wojtek-t The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@davidz627 @wojtek-t @jingxu97 @verult
This PR adds the ability to test PVs provisioned and managed by the CSI GCP PD Driver. Included is a change to cl2's run-e2e.sh that deploys a secret (if it exists) and a yaml that deploys the driver and all its associated rbacs and SAs (one of which uses this secret).
I will rebase this after #657 is merged so that the ability to deploy the driver yaml (if necessary) is built into the storage test config. It will be turned off by default and an additional override file in volume-types/persistentvolume will turn it on.