Volume snapshots config and upstream controller and CRDs (#3192)

* Add volume snapshots enable switch

* Deploy upstream snapshot-controller and CRDs

* Add volumeSnapshotController config and remove volumeSnapshot.enabled

* Add volumeSnapshotController config validation

Author: nprokopic

chart/values.schema.json

@@ -1109,6 +1109,10 @@
         "metricsServer": {
           "$ref": "#/$defs/DeployMetricsServer",
           "description": "MetricsServer holds dedicated metrics server configuration."
+        },
+        "volumeSnapshotController": {
+          "$ref": "#/$defs/VolumeSnapshotController",
+          "description": "VolumeSnapshotController holds dedicated CSI snapshot-controller configuration."
         }
       },
       "additionalProperties": false,
@@ -4714,6 +4718,17 @@
       "additionalProperties": false,
       "type": "object",
       "description": "VolumeMount describes a mounting of a Volume within a container."
+    },
+    "VolumeSnapshotController": {
+      "properties": {
+        "enabled": {
+          "type": "boolean",
+          "description": "Enabled defines if the CSI volumes snapshot-controller should be enabled."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object",
+      "description": "VolumeSnapshotController defines CSI volumes snapshot-controller configuration."
     }
   },
   "properties": {

chart/values.yaml

@@ -885,6 +885,11 @@ deploy:
   metricsServer:
     # Enabled defines if metrics server should be enabled.
     enabled: false
+  
+  # VolumeSnapshotController holds dedicated CSI snapshot-controller configuration.
+  volumeSnapshotController:
+    # Enabled defines if the CSI volumes snapshot-controller should be enabled.
+    enabled: false
 
 # Integrations holds config for vCluster integrations with other operators or tools running on the host cluster
 integrations:

config/config.go

@@ -298,13 +298,22 @@ type Deploy struct {
 
 	// MetricsServer holds dedicated metrics server configuration.
 	MetricsServer DeployMetricsServer `json:"metricsServer,omitempty"`
+
+	// VolumeSnapshotController holds dedicated CSI snapshot-controller configuration.
+	VolumeSnapshotController VolumeSnapshotController `json:"volumeSnapshotController,omitempty"`
 }
 
 type DeployMetricsServer struct {
 	// Enabled defines if metrics server should be enabled.
 	Enabled bool `json:"enabled,omitempty"`
 }
 
+// VolumeSnapshotController defines CSI volumes snapshot-controller configuration.
+type VolumeSnapshotController struct {
+	// Enabled defines if the CSI volumes snapshot-controller should be enabled.
+	Enabled bool `json:"enabled,omitempty"`
+}
+
 type IngressNginx struct {
 	// Enabled defines if ingress-nginx should be enabled.
 	Enabled bool `json:"enabled,omitempty"`

config/values.yaml

@@ -472,6 +472,8 @@ deploy:
     defaultIngressClass: true
   metricsServer:
     enabled: false
+  volumeSnapshotController:
+    enabled: false
 
 integrations:
   metricsServer:

pkg/cli/create_helm.go

@@ -329,6 +329,11 @@ func CreateHelm(ctx context.Context, options *CreateOptions, globalFlags *flags.
 		return err
 	}
 
+	err = pkgconfig.ValidateVolumeSnapshotController(vClusterConfig.Deploy.VolumeSnapshotController, vClusterConfig.PrivateNodes)
+	if err != nil {
+		return err
+	}
+
 	warnings := pkgconfig.Lint(*vClusterConfig)
 	for _, warning := range warnings {
 		cmd.log.Warnf(warning)

pkg/config/validation.go

@@ -199,6 +199,12 @@ func ValidateConfigAndSetDefaults(vConfig *VirtualClusterConfig) error {
 		return err
 	}
 
+	// validate deploy.volumeSnapshotController
+	err = ValidateVolumeSnapshotController(vConfig.Config.Deploy.VolumeSnapshotController, vConfig.PrivateNodes)
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -790,6 +796,13 @@ func validatePrivatedNodesMode(vConfig *VirtualClusterConfig) error {
 	return nil
 }
 
+func ValidateVolumeSnapshotController(volumeSnapshotController config.VolumeSnapshotController, privateNodes config.PrivateNodes) error {
+	if volumeSnapshotController.Enabled && !privateNodes.Enabled {
+		return fmt.Errorf("volume snapshot-controller is only supported with private nodes")
+	}
+	return nil
+}
+
 var allowedOperators = []string{"", "In", "NotIn", "Exists", "DoesNotExist", "Gt", "Lt"}
 
 func validateRequirements(requirements []config.Requirement) error {

pkg/controllers/register.go

@@ -21,6 +21,7 @@ import (
 	"github.com/loft-sh/vcluster/pkg/controllers/k8sdefaultendpoint"
 	"github.com/loft-sh/vcluster/pkg/controllers/podsecurity"
 	"github.com/loft-sh/vcluster/pkg/snapshot"
+	csiVolumeSnapshots "github.com/loft-sh/vcluster/pkg/snapshot/volumes/csi/deploy"
 	"github.com/loft-sh/vcluster/pkg/util/loghelper"
 	"github.com/pkg/errors"
 )
@@ -267,5 +268,13 @@ func registerSnapshotController(registerContext *synccontext.RegisterContext) er
 		return fmt.Errorf("unable to register vcluster snapshot controller: %w", err)
 	}
 
+	config := registerContext.Config
+	if config.PrivateNodes.Enabled && config.Deploy.VolumeSnapshotController.Enabled {
+		err = csiVolumeSnapshots.Deploy(registerContext)
+		if err != nil {
+			return fmt.Errorf("unable to deploy required CSI volume snapshot compoments: %w", err)
+		}
+	}
+
 	return nil
 }

pkg/snapshot/volumes/csi/deploy/deploy.go

@@ -0,0 +1,37 @@
+package deploy
+
+import (
+	_ "embed"
+	"fmt"
+
+	"k8s.io/klog/v2"
+
+	"github.com/loft-sh/vcluster/pkg/syncer/synccontext"
+	"github.com/loft-sh/vcluster/pkg/util/applier"
+)
+
+var (
+	//go:embed snapshot.storage.k8s.io-crds-v8.3.0.yaml
+	snapshotCRDs string
+
+	//go:embed snapshot-controller-v8.3.0.yaml
+	snapshotController string
+)
+
+func Deploy(ctx *synccontext.RegisterContext) error {
+	// apply the volume snapshot CustomResourceDefinition manifests
+	klog.Infof("Applying volume snapshot CustomResourceDefinitions...")
+	err := applier.ApplyManifest(ctx, ctx.VirtualManager.GetConfig(), []byte(snapshotCRDs))
+	if err != nil {
+		return fmt.Errorf("failed to apply volume snapshot CustomResourceDefinitions: %w", err)
+	}
+
+	// apply the snapshot controller manifests
+	klog.Infof("Applying snapshot controller...")
+	err = applier.ApplyManifest(ctx, ctx.VirtualManager.GetConfig(), []byte(snapshotController))
+	if err != nil {
+		return fmt.Errorf("failed to apply snapshot controller: %w", err)
+	}
+
+	return nil
+}

pkg/snapshot/volumes/csi/deploy/snapshot-controller-v8.3.0.yaml

@@ -0,0 +1,200 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: snapshot-controller
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: snapshot-controller-leaderelection
+  namespace: kube-system
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: snapshot-controller-runner
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshots
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshots/status
+  verbs:
+  - update
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: snapshot-controller-leaderelection
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: snapshot-controller-leaderelection
+subjects:
+- kind: ServiceAccount
+  name: snapshot-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: snapshot-controller-role
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: snapshot-controller-runner
+subjects:
+- kind: ServiceAccount
+  name: snapshot-controller
+  namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: snapshot-controller
+  namespace: kube-system
+spec:
+  minReadySeconds: 35
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: snapshot-controller
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: snapshot-controller
+    spec:
+      containers:
+      - args:
+        - --v=5
+        - --leader-election=true
+        image: registry.k8s.io/sig-storage/snapshot-controller:v8.3.0
+        imagePullPolicy: IfNotPresent
+        name: snapshot-controller
+      serviceAccountName: snapshot-controller