Merge branch 'master' of https://github.com/NetApp/trident into incop…

…orate-azure-resources

CHANGELOG.md

@@ -2,7 +2,13 @@
 
 [Releases](https://github.com/NetApp/trident/releases)
 
-## Changes since v23.01.0
+## Changes since v23.04.0
+
+**Fixes:**
+
+- Fixed ONTAP ZAPI request to ensure LUN serial number is queried when getting LUN attributes.
+
+## v23.04.0
 
 - **IMPORTANT**: Force volume detach for ONTAP-SAN-* volumes is only supported with Kubernetes versions which have enabled the Non-Graceful Node Shutdown feature gate.
   Force detach must be enabled at install time via `--enable-force-detach` Trident installer flag.

Dockerfile

@@ -1,6 +1,6 @@
 ARG ARCH=amd64
 
-FROM --platform=linux/${ARCH} gcr.io/distroless/static@sha256:a01d47d4036cae5a67a9619e3d06fa14a6811a2247b4da72b4233ece4efebd57
+FROM --platform=linux/${ARCH} gcr.io/distroless/static@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e
 
 LABEL maintainers="The NetApp Trident Team" \
       app="trident.netapp.io" \

Makefile

@@ -323,20 +323,24 @@ ifeq ($(BUILD_CLI),$(DOCKER_BUILDX_BUILD_CLI))
 	-@$(call buildx_create_instance,$(BUILDX_CONFIG_FILE))
 endif
 	@$(call build_images_for_platforms,$(call all_image_platforms,$(PLATFORMS)),$(BUILD_CLI),$(TRIDENT_TAG),$(BUILDX_OUTPUT))
-# if a single image platform is specified, retag image without platform
+# if a single image platform is specified and the BUILD_CLI places images in the default context, retag image without platform
 ifeq (1,$(words $(call all_image_platforms,$(PLATFORMS))))
+ifneq (,$(if $(findstring $(DOCKER_BUILDX_BUILD_CLI),$(BUILD_CLI)),$(findstring load,$(BUILDX_OUTPUT)),true))
 	@$(DOCKER_CLI) tag $(call image_tag,$(TRIDENT_TAG),$(call all_image_platforms,$(PLATFORMS))) $(MANIFEST_TAG)
 endif
+endif
 
 operator_images: operator_binaries
 ifeq ($(BUILD_CLI),$(DOCKER_BUILDX_BUILD_CLI))
 	-@$(call buildx_create_instance,$(BUILDX_CONFIG_FILE))
 endif
 	@$(call build_operator_images_for_platforms,$(call operator_image_platforms,$(PLATFORMS)),$(BUILD_CLI),$(OPERATOR_TAG),$(BUILDX_OUTPUT))
-# if a single operator image platform is specified, retag image without platform
+# if a single operator image platform is specified and the BUILD_CLI places images in the default context, retag image without platform
 ifeq (1,$(words $(call operator_image_platforms,$(PLATFORMS))))
+ifneq (,$(if $(findstring $(DOCKER_BUILDX_BUILD_CLI),$(BUILD_CLI)),$(findstring load,$(BUILDX_OUTPUT)),true))
 	@$(DOCKER_CLI) tag $(call image_tag,$(OPERATOR_TAG),$(call operator_image_platforms,$(PLATFORMS))) $(OPERATOR_MANIFEST_TAG)
 endif
+endif
 
 # creates multi-platform image manifest
 manifest: images

cli/k8s_client/client_factory.go

@@ -39,6 +39,8 @@ type Clients struct {
 const (
 	k8sTimeout       = 30 * time.Second
 	defaultNamespace = "default"
+	QPS              = 50
+	burstTime        = 100
 )
 
 var cachedClients *Clients
@@ -198,6 +200,8 @@ func createK8SClientsExCluster(
 	}
 
 	// Create the CLI-based Kubernetes client
+	restConfig.QPS = QPS
+	restConfig.Burst = burstTime
 	k8sClient, err := NewKubeClient(restConfig, namespace, k8sTimeout)
 	if err != nil {
 		return nil, fmt.Errorf("could not initialize Kubernetes client; %v", err)
@@ -220,6 +224,8 @@ func createK8SClientsInCluster(ctx context.Context, overrideNamespace string) (*
 	if err != nil {
 		return nil, err
 	}
+	restConfig.QPS = QPS
+	restConfig.Burst = burstTime
 
 	// when running in a pod, we use the Trident pod's namespace
 	namespaceBytes, err := os.ReadFile(config.NamespaceFile)

cli/k8s_client/yaml_factory.go

@@ -587,7 +587,7 @@ spec:
         - name: asup-dir
           mountPath: /asup
       - name: csi-provisioner
-        image: {CSI_SIDECAR_REGISTRY}/csi-provisioner:v3.4.1
+        image: {CSI_SIDECAR_REGISTRY}/csi-provisioner:v3.5.0
         imagePullPolicy: {IMAGE_PULL_POLICY}
         securityContext:
           capabilities:
@@ -607,7 +607,7 @@ spec:
         - name: socket-dir
           mountPath: /var/lib/csi/sockets/pluginproxy/
       - name: csi-attacher
-        image: {CSI_SIDECAR_REGISTRY}/csi-attacher:v4.2.0
+        image: {CSI_SIDECAR_REGISTRY}/csi-attacher:v4.3.0
         imagePullPolicy: {IMAGE_PULL_POLICY}
         securityContext:
           capabilities:
@@ -625,7 +625,7 @@ spec:
         - name: socket-dir
           mountPath: /var/lib/csi/sockets/pluginproxy/
       - name: csi-resizer
-        image: {CSI_SIDECAR_REGISTRY}/csi-resizer:v1.7.0
+        image: {CSI_SIDECAR_REGISTRY}/csi-resizer:v1.8.0
         imagePullPolicy: {IMAGE_PULL_POLICY}
         args:
         - "--v={SIDECAR_LOG_LEVEL}"
@@ -638,7 +638,7 @@ spec:
         - name: socket-dir
           mountPath: /var/lib/csi/sockets/pluginproxy/
       - name: csi-snapshotter
-        image: {CSI_SIDECAR_REGISTRY}/csi-snapshotter:v6.2.1
+        image: {CSI_SIDECAR_REGISTRY}/csi-snapshotter:v6.2.2
         imagePullPolicy: {IMAGE_PULL_POLICY}
         securityContext:
           capabilities:
@@ -955,7 +955,7 @@ spec:
           mountPath: /certs
           readOnly: true
       - name: driver-registrar
-        image: {CSI_SIDECAR_REGISTRY}/csi-node-driver-registrar:v2.7.0
+        image: {CSI_SIDECAR_REGISTRY}/csi-node-driver-registrar:v2.8.0
         imagePullPolicy: {IMAGE_PULL_POLICY}
         args:
         - "--v={SIDECAR_LOG_LEVEL}"
@@ -1157,7 +1157,7 @@ spec:
             cpu: 10m
             memory: 20Mi
       - name: node-driver-registrar
-        image: {CSI_SIDECAR_REGISTRY}/csi-node-driver-registrar:v2.7.0
+        image: {CSI_SIDECAR_REGISTRY}/csi-node-driver-registrar:v2.8.0
         imagePullPolicy: {IMAGE_PULL_POLICY}
         args:
         - --v=2
@@ -1377,6 +1377,8 @@ allowHostPID: true
 allowHostPorts: false
 allowPrivilegeEscalation: true
 allowPrivilegedContainer: true
+allowedCapabilities:
+- SYS_ADMIN
 allowedUnsafeSysctls: null
 defaultAddCapabilities: null
 fsGroup:

cli/k8s_client/yaml_factory_test.go

@@ -1016,7 +1016,10 @@ func TestGetOpenShiftSCCYAML(t *testing.T) {
 		AllowHostPorts:           false,
 		AllowPrivilegeEscalation: &allowPrivilegeEscalation,
 		AllowPrivilegedContainer: true,
-		DefaultAddCapabilities:   nil,
+		AllowedCapabilities: []v1.Capability{
+			"SYS_ADMIN",
+		},
+		DefaultAddCapabilities: nil,
 		FSGroup: scc.FSGroupStrategyOptions{
 			Type: "RunAsAny",
 		},

config/config.go

@@ -39,7 +39,7 @@ const (
 	OrchestratorName                 = "trident"
 	OrchestratorClientName           = OrchestratorName + "ctl"
 	OrchestratorAPIVersion           = "1"
-	DefaultOrchestratorVersion       = "23.04.0"
+	DefaultOrchestratorVersion       = "23.07.0"
 	PersistentStoreBootstrapAttempts = 30
 	PersistentStoreBootstrapTimeout  = PersistentStoreBootstrapAttempts * time.Second
 	PersistentStoreTimeout           = 10 * time.Second
@@ -158,7 +158,7 @@ const (
 	Darwin  = "darwin"
 
 	// Minimum and maximum supported Kubernetes versions
-	KubernetesVersionMin = "v1.21"
+	KubernetesVersionMin = "v1.22"
 	KubernetesVersionMax = "v1.27"
 
 	// KubernetesCSISidecarRegistry is where the CSI sidecar images are hosted
@@ -176,7 +176,7 @@ const (
 	/* Kubernetes operator constants */
 	OperatorContainerName = "trident-operator"
 
-	DefaultAutosupportImage = "docker.io/netapp/trident-autosupport:23.01"
+	DefaultAutosupportImage = "docker.io/netapp/trident-autosupport:23.04"
 
 	// IscsiSelfHealingInterval is an interval with which the iSCSI self-healing thread is called periodically
 	IscsiSelfHealingInterval = 300 * time.Second
@@ -248,6 +248,10 @@ var (
 		6: "SINGLE_NODE_SINGLE_WRITER",
 		7: "SINGLE_NODE_MULTI_WRITER",
 	}
+
+	// DisableExtraFeatures makes a subset of Trident features disabled
+	// This can be removed when ACP replaces feature-gating
+	DisableExtraFeatures = true
 )
 
 func IsValidProtocol(p Protocol) bool {

contrib/docker/plugin/Dockerfile

@@ -1,6 +1,6 @@
 FROM busybox:uclibc as busybox
 
-FROM gcr.io/distroless/static:b3e0897b507e86f0dab5bb99861e297d53891e84
+FROM gcr.io/distroless/static@sha256:7198a357ff3a8ef750b041324873960cf2153c11cc50abb9d8d5f8bb089f6b4e
 
 LABEL maintainers="The NetApp Trident Team" \
       app="trident.netapp.io" \

core/orchestrator_core.go

@@ -3271,9 +3271,16 @@ func (o *TridentOrchestrator) unpublishVolume(ctx context.Context, volumeName, n
 		return fmt.Errorf(msg)
 	}
 
+	// Get node attributes from the node ID
+	nodeInfo, err := o.GetNode(ctx, nodeName)
+	if err != nil {
+		Logc(ctx).WithError(err).WithField("Node info not found for node ", nodeName)
+		return err
+	}
 	publishInfo := &utils.VolumePublishInfo{
 		HostName:    nodeName,
 		TridentUUID: o.uuid,
+		HostNQN:     nodeInfo.NQN,
 	}
 
 	volume, ok := o.subordinateVolumes[volumeName]
@@ -3434,8 +3441,9 @@ func (o *TridentOrchestrator) AttachVolume(
 			return utils.MountDevice(ctx, loopDeviceName, mountpoint, publishInfo.SubvolumeMountOptions, isRawBlock)
 		}
 	} else {
-		return utils.AttachISCSIVolumeRetry(ctx, volumeName, mountpoint, publishInfo, map[string]string{},
+		_, err := utils.AttachISCSIVolumeRetry(ctx, volumeName, mountpoint, publishInfo, map[string]string{},
 			AttachISCSIVolumeTimeoutLong)
+		return err
 	}
 }
 
@@ -3945,7 +3953,7 @@ func (o *TridentOrchestrator) ImportSnapshot(
 	// Complete the snapshot config.
 	snapshotConfig.VolumeInternalName = volume.Config.InternalName
 	snapshotConfig.LUKSPassphraseNames = volume.Config.LUKSPassphraseNames
-	snapshotConfig.ImportNotManaged = true // All imported snapshots are not managed.
+	snapshotConfig.ImportNotManaged = volume.Config.ImportNotManaged // Snapshots inherit the managed state of their volume
 
 	// Query the storage backend for the snapshot.
 	snapshot, err := backend.GetSnapshot(ctx, snapshotConfig, volume.Config)

core/orchestrator_core_test.go

@@ -6963,6 +6963,69 @@ func TestImportSnapshot(t *testing.T) {
 	}
 	snapName := "snapshot-import"
 	snapInternalName := "snap.2023-05-23_175116"
+	snapConfig := &storage.SnapshotConfig{
+		Version:            "1",
+		Name:               snapName,
+		VolumeName:         volumeName,
+		InternalName:       snapInternalName,
+		VolumeInternalName: volumeInternalName,
+		ImportNotManaged:   false,
+	}
+	snapshot := &storage.Snapshot{
+		Config:    snapConfig,
+		Created:   "2023-05-15T17:04:09Z",
+		SizeBytes: 1024,
+	}
+
+	// Initialize mocks.
+	mockCtrl := gomock.NewController(t)
+	mockBackend := mockstorage.NewMockBackend(mockCtrl)
+	mockStore := mockpersistentstore.NewMockStoreClient(mockCtrl)
+
+	// Set up common mock expectations between test cases.
+	mockBackend.EXPECT().GetDriverName().Return(backendUUID).AnyTimes()
+	mockBackend.EXPECT().Name().Return(backendUUID).AnyTimes()
+	mockBackend.EXPECT().State().Return(storage.Online).AnyTimes()
+	mockBackend.EXPECT().BackendUUID().Return(backendUUID).AnyTimes()
+
+	// Set up test case specific mock expectations and inject mocks into core.
+	mockBackend.EXPECT().GetSnapshot(
+		gomock.Any(), snapConfig, volume.Config,
+	).Return(snapshot, nil)
+	mockStore.EXPECT().AddSnapshot(gomock.Any(), snapshot).Return(nil)
+
+	o.storeClient = mockStore
+	o.backends[volume.BackendUUID] = mockBackend
+	o.volumes[snapConfig.VolumeName] = volume
+
+	// Call method under test and make assertions.
+	importedSnap, err := o.ImportSnapshot(ctx(), snapConfig)
+	assert.NoError(t, err)
+	assert.NotNil(t, importedSnap)
+	assert.EqualValues(t, snapshot.ConstructExternal(), importedSnap)
+}
+
+func TestImportSnapshot_VolumeNotManaged(t *testing.T) {
+	o := getOrchestrator(t, false)
+
+	// Initialize variables used in all subtests.
+	backendUUID := "test-backend"
+	volumeName := "pvc-e9748b6b-8240-4fd8-97bc-868bf064ecd4"
+	volumeInternalName := "trident_pvc_e9748b6b_8240_4fd8_97bc_868bf064ecd4"
+	volume := &storage.Volume{
+		Config: &storage.VolumeConfig{
+			Version:             "",
+			Name:                volumeName,
+			InternalName:        volumeInternalName,
+			ImportOriginalName:  "import-" + volumeName,
+			ImportBackendUUID:   "import-" + backendUUID,
+			ImportNotManaged:    true,
+			LUKSPassphraseNames: nil,
+		},
+		BackendUUID: backendUUID,
+	}
+	snapName := "snapshot-import"
+	snapInternalName := "snap.2023-05-23_175116"
 	snapConfig := &storage.SnapshotConfig{
 		Version:            "1",
 		Name:               snapName,

deploy/bundle_post_1_25.yaml

@@ -454,7 +454,7 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: trident-operator
-          image: docker.io/netapp/trident-operator:23.04.0
+          image: docker.io/netapp/trident-operator:23.07.0
           imagePullPolicy: IfNotPresent
           name: trident-operator
           securityContext:

deploy/bundle_pre_1_25.yaml

@@ -457,7 +457,7 @@ spec:
                   fieldPath: metadata.name
             - name: OPERATOR_NAME
               value: trident-operator
-          image: docker.io/netapp/trident-operator:23.04.0
+          image: docker.io/netapp/trident-operator:23.07.0
           imagePullPolicy: IfNotPresent
           name: trident-operator
           securityContext:

deploy/crds/tridentorchestrator_cr_autosupport.yaml

@@ -6,5 +6,5 @@ spec:
   debug: true
   namespace: trident
   silenceAutosupport: false
-  autosupportImage: "netapp/trident-autosupport:23.01"
+  autosupportImage: "netapp/trident-autosupport:23.04"
   autosupportProxy: "http://proxy.example.com:8888"

deploy/crds/tridentorchestrator_cr_customimage.yaml

@@ -5,4 +5,4 @@ metadata:
 spec:
   debug: true
   namespace: trident
-  tridentImage: localhost:5000/netapp/trident:23.01
+  tridentImage: localhost:5000/netapp/trident:23.04

deploy/crds/tridentorchestrator_cr_imagepullsecrets.yaml

@@ -5,6 +5,6 @@ metadata:
 spec:
   debug: true
   namespace: trident
-  tridentImage: netapp/trident:23.04.0
+  tridentImage: netapp/trident:23.07.0
   imagePullSecrets:
   - thisisasecret

deploy/operator.yaml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: trident-operator
       containers:
         - name: trident-operator
-          image: docker.io/netapp/trident-operator:23.04.0
+          image: docker.io/netapp/trident-operator:23.07.0
           command:
           - "/trident-operator"
           - "--debug"

frontend/crd/snapshot_restore.go

@@ -11,6 +11,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/cache"
 
+	"github.com/netapp/trident/config"
 	. "github.com/netapp/trident/logging"
 	netappv1 "github.com/netapp/trident/persistent_store/crd/apis/netapp/v1"
 	"github.com/netapp/trident/storage"
@@ -61,6 +62,10 @@ func (c *TridentCrdController) handleActionSnapshotRestore(keyItem *KeyItem) (re
 		}
 	}()
 
+	if config.DisableExtraFeatures {
+		return errors.UnsupportedError("snapshot restore is not enabled")
+	}
+
 	// Detect a CR that is in progress but is not a retry from the workqueue.  This can only happen
 	// if Trident restarted while processing a CR, in which case we move the CR directly to Failed.
 	if actionCR.InProgress() && !keyItem.isRetry {