Set up dynamic provisioning of persistent volumes on AWS #423
Conversation
|
To test, follow the example here: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/examples/kubernetes/dynamic-provisioning |
There was a problem hiding this comment.
Thanks for the PR, this works after fixing a small issue I mention in the review, great work!
My main concern with this is not using the upstream Helm chart, I think we should use it if possible, see my comment about that.
We should consider exposing a knob to turn this on and off, some users might not be interested in this.
I think this won't be updated when we update the chart in Lokomotive, maybe @invidian has some ideas on how to do this.
Also, I think we should have a test that checks that dynamic provisioning works, the test would deploy a minimal app with a PVC and check it's bound or something similar.
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/workers/workers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/workers/workers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/workers/workers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/aws-ebs-csi-driver/Chart.yaml
Outdated
Show resolved
Hide resolved
...ts/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/aws-ebs-csi-driver/templates/node.yaml
Outdated
Show resolved
Hide resolved
|
I agree with @iaguis that this should perhaps be optional behavior. I suggest following changes:
|
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
from
7440384
to
6480e33
Compare
|
I tested the new EBS component and it worked fine 👍. What I would like to see to move this forward is address the rest of @invidian's comments in #423 (comment):
If you have any questions about this let us know. |
|
One thing, which definitely should be added is a storage class, with parametrized default annotation, without that, prometheus operator will be in pending state until one creates the default storage class manually and removes the PVCs and pods to trigger the recreation. Sample storage class, which I think can be used: kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: ebs-sc
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumerAnother thing which should think about is handling orphan volumes. I suspect, that if you create the volumes, then you destroy the cluster, the volumes will remain in AWS account. |
|
As expected, I can find orphan EBS volumes in AWS console after destroying the cluster 😕 We need to find a way to deal with those somehow. |
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
2 times, most recently
from
2440fda
to
4dc2cee
Compare
|
@BrainBlasted I wanted to ensure you've seen #379 (comment). Sorry to add this info now (this came up in today's sprint planning). I hope I'm not adding too much work. |
|
Yes, I saw. Once everything else is finished I'll add a policy similar to the ones in #464 that allows this to work |
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
2 times, most recently
from
ad0721b
to
a559e06
Compare
I think these are largely done now, save for the third item. However, everything seems to work without the worker nodes using the IAM roles now that the controller is using it (which is needed for the upstream helm chart to work) |
|
I don't quite understand why the CI failed here. |
There was a problem hiding this comment.
I don't quite understand why the CI failed here.
About that, I'm not sure either. Better to just run the job again I guess, to see if it fails consistently.
The PR looks very good @BrainBlasted, nice work :)
We need to add documentation of new parameters to docs/configuration-reference/platforms/aws.md for new flag and to docs/configuration-reference/components/ for new component.
If you could also re-organize the commits, perhaps into 2: one for adding IAM-related code and one for new component, it would make it easier for other reviewers to review the PR and it will make our git history a bit simpler after merging.
If the IAM role is only attached to the controller nodes, the severity of blocking access to metadata drops in my opinion. What do you think @iaguis @johananl?
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/variables.tf
Outdated
Show resolved
Hide resolved
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
2 times, most recently
from
07861c7
to
3ac4fe2
Compare
|
Reworked into two commits, as requested. |
BrainBlasted
changed the title
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
from
3ac4fe2
to
1bc6e1c
Compare
|
I made that change, but CI is still hanging on that test for some reason. |
invidian
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
from
a8011b9
to
6b5eee6
Compare
|
Oops, |
|
I don't mind - thanksOn Jun 3, 2020 1:16 AM, Mateusz Gozdek <notifications@github.com> wrote:
Oops, component "aws-ebs-csi-driver" {} line was missing in ci/aws/aws-cluster.lokocfg.envsubst. I added it now, I hope you don't mind @BrainBlasted.
—You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.
|
There was a problem hiding this comment.
Thanks a lot for the PR @BrainBlasted. I've added some comments.
| resource "aws_iam_role_policy" "csi-driver-role-policy" { | ||
| count = var.set_csi_driver_iam_role ? 1 : 0 | ||
| name = "${var.cluster_name}-policy" | ||
| role = join("", aws_iam_role.csi-driver-role.*.id) |
There was a problem hiding this comment.
I think it's safer and more intuitive to do role = aws_iam_role.csi-driver-role.[count.index].id.
There was a problem hiding this comment.
This won't work, because the resource aws_iam_role.csi-driver-role won't exist. Also, if done like this, you will look up on index 1, so 2nd instance of the resource. Or does your syntax magically handles it somehow?
There was a problem hiding this comment.
As mentioned, count.index does not work here if the roles aren't set.
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Outdated
Show resolved
Hide resolved
| user_data = data.ct_config.controller-ignitions[count.index].rendered | ||
| ami = local.ami_id | ||
| user_data = data.ct_config.controller-ignitions[count.index].rendered | ||
| iam_instance_profile = join("", aws_iam_instance_profile.csi-driver-instance-profile.*.name) |
There was a problem hiding this comment.
I would use aws_iam_instance_profile.csi-driver-instance-profile.[0].name. There can't be more than one instance profile so join doesn't make sense to me here.
There was a problem hiding this comment.
This suggestion doesn't work when set_csi_driver_iam_role = false
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
3 times, most recently
from
75297e3
to
6ecb4b4
Compare
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Outdated
Show resolved
Hide resolved
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/controllers.tf
Show resolved
Hide resolved
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package awsebscsidriver |
There was a problem hiding this comment.
@johananl we don't do that for any other components, so maybe to avoid introducing inconsistencies, we can leave it as it is for now to move forward with this PR and we re-visit it later for all components?
| return gohcl.DecodeBody(*configBody, evalContext, c) | ||
| } | ||
|
|
||
| // RenderManifests renders the helm chart templates with values provided. |
There was a problem hiding this comment.
I suspect @johananl meant https://helm.sh/docs/chart_best_practices/conventions/, even though even https://helm.sh does not respect it, as they often use Helm Charts term.
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
3 times, most recently
from
3d6abaa
to
8aa2b93
Compare
There was a problem hiding this comment.
Some small comments. Good work!
Can you rework your commit messages so they follow our guidelines, right now lines are too long.
The only question I have is whether we should set enable_csi to true by default. I understand we want to make this the default behavior. However, since we need to install the component anyway to have this working it might be fine to have it false by default. When we have a way to install this automatically on AWS we might revisit this to make it work for every AWS cluster.
Happy to hear some other opinions.
| ## Introduction | ||
|
|
||
| The [CSI Driver for Amazon EBS](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) | ||
| provides a CSI interface used by Container Orchestrators to manage the lifecycle |
There was a problem hiding this comment.
I think he means this
| provides a CSI interface used by Container Orchestrators to manage the lifecycle | |
| provides a CSI interface used by container orchestrators to manage the lifecycle |
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package awsebscsidriver |
| return gohcl.DecodeBody(*configBody, evalContext, c) | ||
| } | ||
|
|
||
| // RenderManifests renders the helm chart templates with values provided. |
There was a problem hiding this comment.
I'd say
| // RenderManifests renders the helm chart templates with values provided. | |
| // RenderManifests renders the Helm chart templates with values provided. |
Having it |
BrainBlasted
force-pushed
the
cdavis/dynamic-pvcs-aws
branch
from
8aa2b93
to
7284bfa
Compare
|
Re-worked the commits to follow the guidelines. I think it's fine to leave |
Sets up the plumbing required to support dynamic provisioning on AWS.
For #379