All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Upgrades involving k8s databases no longer require manually confirming a backup exists using `--set IHaveBackedUpAllMyLinstorResources=true`.
v1.8.0 - 2022-03-15
- Allow setting the number of parallel requests created by the CSI sidecars. This limits the load on the LINSTOR backend, which could easily overload when creating many volumes at once.
- Unify certificates format for SSL enabled installation, no more java tooling required.
- Automatic certificates generation using Helm or Cert-manager
- HA Controller and CSI components now wait for the LINSTOR API to be initialized using InitContainers.
- Create backups of LINSTOR resource if the "k8s" database backend is used and an image change is detected. Backups are stored in Secret resources as a `tar.gz`. If the secret would get too big, the backup can be downloaded from the operator pod.
- Default images:
- LINSTOR 1.18.0
- LINSTOR CSI 0.18.0
- DRBD 9.1.6
- DRBD Reactor 0.5.3
- LINSTOR HA Controller 0.3.0
- CSI Attacher v3.4.0
- CSI Node Driver Registrar v2.4.0
- CSI Provisioner v3.1.0
- CSI Snapshotter v5.0.1
- CSI Resizer v1.4.0
- Stork v2.8.2
- Stork updated to support Kubernetes v1.22+.
- Satellites no longer have a readiness probe defined. This caused issues in the satellites by repeatedly opening unexpected connections, especially when using SSL.
- Only query node devices if a storage pool needs to be created.
- Use cached storage pool response to avoid causing excessive load on LINSTOR satellites.
- Protect LINSTOR passphrase from accidental deletion by using a finalizer.
- If you have SSL configured, then the certificates must be regenerated in PEM format. Learn more in the upgrade guide.
v1.7.1 - 2022-01-18
- Allow the external-provisioner and external-snapshotter access to secrets. This is required to support StorageClass and SnapshotClass secrets.
- Instruct external-provisioner to pass PVC name+namespace to the CSI driver, enabling optional support for PVC based names for LINSTOR volumes.
- Allow setting the log level of LINSTOR components via CRs. Other components are left using their default log level. The new default log level is INFO (was DEBUG previously, which was often too verbose).
- Override the kernel source directory used when compiling DRBD (defaults to /usr/src). See `operator.satelliteSet.kernelModuleInjectionAdditionalSourceDirectory`
- etcd-chart: add option to set priorityClassName.
- Use correct secret name when setting up TLS for satellites
- Correctly configure ServiceMonitor resource if TLS is enabled for LINSTOR Controller.
v1.7.0 - 2021-12-14
- `pv-hostpath`: automatically determine on which nodes PVs should be created if no override is given.
- Automatically add labels on Kubernetes Nodes to LINSTOR satellites as Auxiliary Properties. This enables using Kubernetes labels for volume scheduling, for example using `replicasOnSame: topology.kubernetes.io/zone`.
- Support LINSTOR's `k8s` backend by adding the necessary RBAC resources and documentation.
- Automatically create a LINSTOR passphrase when none is configured.
- Automatic eviction and deletion of offline satellites if the Kubernetes node object was also deleted.
- Default images:
  - `quay.io/piraeusdatastore/piraeus-server:v1.17.0`
  - `quay.io/piraeusdatastore/piraeus-csi:v0.17.0`
  - `quay.io/piraeusdatastore/drbd9-bionic:v9.1.4`
  - `quay.io/piraeusdatastore/drbd-reactor:v0.4.4`
- Recreates or updates to the satellite pods are now applied at once, instead of waiting for a node to complete before moving to the next.
- Enable CSI topology by default, allowing better volume scheduling with `volumeBindingMode: WaitForFirstConsumer`.
- Disable STORK by default. Instead, we recommend using `volumeBindingMode: WaitForFirstConsumer` in storage classes.
v1.6.0 - 2021-09-02
- Allow CSI to work with distributions that use a kubelet working directory other than `/var/lib/kubelet`. See the `csi.kubeletPath` option.
- Enable Storage Capacity Tracking. This enables Kubernetes to base Pod scheduling decisions on remaining storage capacity. The feature is in beta and enabled by default starting with Kubernetes 1.21.
- Disable Stork Health Monitoring by default. Stork cannot distinguish between control plane and data plane issues, which can lead to instances where Stork will migrate a volume that is still mounted on another node, making the volume effectively unusable.
- Updated operator to kubernetes v1.21 components.
- Default images:
  - `quay.io/piraeusdatastore/piraeus-server:v1.14.0`
  - `quay.io/piraeusdatastore/drbd9-bionic:v9.0.30`
  - `quay.io/piraeusdatastore/drbd-reactor:v0.4.3`
  - `quay.io/piraeusdatastore/piraeus-ha-controller:v0.2.0`
  - external CSI images
- The cluster-wide snapshot controller is no longer deployed as a dependency of the piraeus-operator chart. Instead, separate charts are available on artifacthub.io that deploy the snapshot controller and extra validation for snapshot resources.
  The subchart was removed, as it unnecessarily tied updates of the snapshot controller to piraeus and vice versa. With the tightened validation starting with snapshot CRDs `v1`, moving the snapshot controller to a proper chart seems like a good solution.
v1.5.1 - 2021-06-21
- Default images:
- Piraeus Server v1.13.0
- Piraeus CSI v0.13.1
- CSI Provisioner v2.1.2
v1.5.0 - 2021-05-12
- All operator-managed workloads apply recommended labels. This requires the recreation of Deployments and DaemonSets on upgrade. This is automatically handled by the operator, however any customizations applied to the deployments not managed by the operator will be reverted in the process.
- Use `drbd-reactor` to expose Prometheus endpoints on each satellite.
- Configure `ServiceMonitor` resources if they are supported by the cluster (i.e. prometheus operator is configured)
- CSI Nodes no longer use `hostNetwork: true`. The pods already got the correct hostname via the downwardAPI and do not talk to DRBD's netlink interface directly.
- External: CSI snapshotter subchart now packages `v1` CRDs. Fixes deprecation warnings when installing the snapshot controller.
- Default images:
- Piraeus Server v1.12.3
- Piraeus CSI v0.13.0
- DRBD v9.0.29
v1.4.0 - 2021-04-07
- Additional environment variables and Linstor properties can now be set in the `LinstorController` CRD.
- Set node name variable for Controller Pods, enabling k8s-await-election to correctly set up the endpoint for hairpin mode.
- Update the network address of controller pods if they diverged between Linstor and kubernetes. This can happen after a node restart, where a pod is recreated with the same name but different IP address.
v1.3.1 - 2021-01-14
- New guide on host preparation here.
- Default image updated:
  - `operator.satelliteSet.kernelModuleInjectionImage`: `quay.io/piraeusdatastore/drbd9-bionic:v9.0.27`
  - `operator.satelliteSet.satelliteImage`: `quay.io/piraeusdatastore/piraeus-server:v1.11.1`
  - `operator.controller.controllerImage`: `quay.io/piraeusdatastore/piraeus-server:v1.11.1`
  - `haController.image`: `quay.io/piraeusdatastore/piraeus-ha-controller:v0.1.3`
  - `pv-hostpath`: `chownerImage`: `quay.io/centos/centos:8`
v1.3.0 - 2020-12-21
- New component: `haController` will deploy the Piraeus High Availability Controller. More information is available in the optional components page
- Enable strict checking of DRBD parameter to disable usermode helper in container environments.
- Override the image used in "chown" jobs in the `pv-hostpath` chart by using `--set chownerImage=<my-image>`.
- Updated `operator-sdk` to v0.19.4
- Set CSI component timeout to 1 minute to reduce the number of retries in the CSI driver
- Default images updated:
  - `operator.controller.controllerImage`: `quay.io/piraeusdatastore/piraeus-server:v1.11.0`
  - `operator.satelliteSet.satelliteImage`: `quay.io/piraeusdatastore/piraeus-server:v1.11.0`
  - `operator.satelliteSet.kernelModuleInjectionImage`: `quay.io/piraeusdatastore/drbd9-bionic:v9.0.26`
  - `csi.pluginImage`: `quay.io/piraeusdatastore/piraeus-csi:v0.11.0`
- Fixed Helm warnings when setting "csi.controllerAffinity", "operator.controller.affinity" and "operator.satelliteSet.storagePools".
v1.2.0 - 2020-11-18
- `storagePools` can now also set up devices similar to `automaticStorageType`, but with more fine grained control. See the updated storage guide
- New Helm options to disable creation of LinstorController and LinstorSatelliteSet resource `operator.controller.enabled` and `operator.satelliteSet.enabled`.
- New Helm option to override the generated controller endpoint: `controllerEndpoint`
- Allow overriding the default `securityContext` on a component basis:
  - `etcd.podsecuritycontext` sets the securityContext of etcd pods
  - `stork.podsecuritycontext` sets the securityContext of stork plugin and scheduler pods
  - `csi-snapshotter.podsecuritycontext` sets the securityContext of the CSI-Snapshotter pods
  - `operator.podsecuritycontext` sets the securityContext of the operator pods
- Example settings for openshift
- LINSTOR controller runs with additional GID 1000, to ensure write access to log directory
- Fixed a bug in `pv-hostpath` where permissions on the created directory are not applied on all nodes.
- Volumes created by `pv-hostpath` are now group writable. This makes them easier to integrate with `fsGroup` settings.
- Default value for affinity on LINSTOR controller and CSI controller changed. The new default is to distribute the pods across all available nodes.
- Default value for tolerations for etcd pods changed. They are now able to run on master nodes.
- Updates to LinstorController, LinstorSatelliteSet and LinstorCSIDriver are now propagated across all created resources
- Updated default images:
- csi sidecar containers updated (compatible with Kubernetes v1.17+)
- LINSTOR 1.10.0
- LINSTOR CSI 0.10.0
- Using `automaticStorageType` is deprecated. Use the `storagePools` values instead.
v1.1.0 - 2020-10-13
- The LINSTOR controller image given in `operator.controller.controllerImage` has to have its entrypoint set to `k8s-await-election v0.2.0` or newer. Learn more in the upgrade guide.
- LINSTOR controller can be started with multiple replicas. See `operator.controller.replicas`. NOTE: This requires support from the container. You need `piraeus-server:v1.8.0` or newer.
- The `pv-hostpath` helper chart automatically sets up permissions for non-root etcd containers.
- Disable securityContext enforcement by setting `global.setSecurityContext=false`.
- Add cluster roles to work with OpenShift's SCC system.
- Control volume placement and accessibility by using CSI's Topology feature. Controlled by setting `csi.enableTopology`.
- All pods use a dedicated service account to allow for fine-grained permission control.
- The new helm section `psp.*` can automatically configure the ServiceAccount of all components to use the appropriate PSP roles.
- Default values:
  - `operator.controller.controllerImage`: `quay.io/piraeusdatastore/piraeus-server:v1.9.0`
  - `operator.satelliteSet.satelliteImage`: `quay.io/piraeusdatastore/piraeus-server:v1.9.0`
  - `operator.satelliteSet.kernelModuleInjectionImage`: `quay.io/piraeusdatastore/drbd9-bionic:v9.0.25`
  - `stork.storkImage`: `docker.io/openstorage/stork:2.5.0`
- linstor-controller no longer starts in a privileged container.
- legacy CRDs (LinstorControllerSet, LinstorNodeSet) have been removed.
- `v1alpha` CRD versions have been removed.
- default pull secret `drbdiocred` removed. To keep using it, use `--set drbdRepoCred=drbdiocred`.
v1.0.0 - 2020-08-06
- `v1` of all CRDs
- Central value for controller image pull policy of all pods. Use `--set global.imagePullPolicy=<value>` on helm deployment.
- `charts/piraeus/values.cn.yaml` a set of helm values for faster image download for CN users.
- Allow specifying resource requirements for all pods. In helm you can set:
  - `etcd.resources` for etcd containers
  - `stork.storkResources` for stork plugin resources
  - `stork.schedulerResources` for the kube-scheduler deployed for use with stork
  - `csi-snapshotter.resources` for the cluster snapshotter controller
  - `csi.resources` for all CSI related containers. For brevity, there is only one setting for ALL CSI containers. They are all stateless Go processes which use the same amount of resources.
  - `operator.resources` for operator containers
  - `operator.controller.resources` for LINSTOR controller containers
  - `operator.satelliteSet.resources` for LINSTOR satellite containers
  - `operator.satelliteSet.kernelModuleInjectionResources` for kernel module injector/builder containers
- Components deployed by the operator can now run with multiple replicas. Components elect a leader, that will take on the actual work as long as it is active. Should one pod go down, another replica will take over. Currently these components support multiple replicas:
  - `etcd` => set `etcd.replicas` to the desired count
  - `stork` => set `stork.replicas` to the desired count for stork scheduler and controller
  - `snapshot-controller` => set `csi-snapshotter.replicas` to the desired count for cluster-wide CSI snapshot controller
  - `csi-controller` => set `csi.controllerReplicas` to the desired count for the linstor CSI controller
  - `operator` => set `operator.replicas` to have multiple replicas of the operator running
- Reference docs for all helm settings. Link
- `stork.schedulerTag` can override the automatically chosen tag for the `kube-scheduler` image. Previously, the tag always matched the kubernetes release.
- Renamed `LinstorNodeSet` to `LinstorSatelliteSet`. This brings the operator in line with other LINSTOR resources. Existing `LinstorNodeSet` resources will automatically be migrated to `LinstorSatelliteSet`.
- Renamed `LinstorControllerSet` to `LinstorController`. The old name implied the existence of multiple (separate) controllers. Existing `LinstorControllerSet` resources will automatically be migrated to `LinstorController`.
- Helm values renamed to align with new CRD names:
  - `operator.controllerSet` to `operator.controller`
  - `operator.nodeSet` to `operator.satelliteSet`
- Node scheduling no longer relies on `linstor.linbit.com/piraeus-node` labels. Instead, all CRDs support setting pod affinity and tolerations. In detail:
  - `linstorcsidrivers` gained 4 new resource keys, with no change in default behaviour:
    - `nodeAffinity` affinity passed to the csi nodes
    - `nodeTolerations` tolerations passed to the csi nodes
    - `controllerAffinity` affinity passed to the csi controller
    - `controllerTolerations` tolerations passed to the csi controller
  - `linstorcontrollerset` gained 2 new resource keys, with no change in default behaviour:
    - `affinity` affinity passed to the linstor controller pod
    - `tolerations` tolerations passed to the linstor controller pod
  - `linstornodeset` gained 2 new resource keys, with change in default behaviour:
    - `affinity` affinity passed to the linstor controller pod
    - `tolerations` tolerations passed to the linstor controller pod
- Controller is now a Deployment instead of StatefulSet.
- Renamed `kernelModImage` to `kernelModuleInjectionImage`
- Renamed `drbdKernelModuleInjectionMode` to `KernelModuleInjectionMode`
v0.5.0 - 2020-06-29
- Support volume resizing with newer CSI versions.
- A new Helm chart `csi-snapshotter` that deploys extra components needed for volume snapshots.
- Add new kmod injection mode `DepsOnly`. Will try to load kmods for LINSTOR layers from the host. Deprecates `None`.
- Automatic deployment of Stork scheduler configured for LINSTOR.
- Replaced `bitnami/etcd` dependency with vendored custom version. Some important keys for the `etcd` helm chart have changed:
  - `statefulset.replicaCount` -> `replicas`
  - `persistence.enabled` -> `persistentVolume.enabled`
  - `persistence.size` -> `persistentVolume.storage`
  - `auth.rbac` was removed: use tls certificates
  - `auth.peer.useAutoTLS` was removed
  - `envVarsConfigMap` was removed
  - When using etcd with TLS enabled:
    - For peer communication, peers need valid certificates for `*.<release-name>-etcd` (was `.<release-name>>-etcd-headless.<namespace>.svc.cluster.local`)
    - For client communication, servers need valid certificates for `*.<release-name>-etcd` (was `.<release-name>>-etcd.<namespace>.svc.cluster.local`)
v0.4.1 - 2020-06-10
- Automatic storage pool creation via `automaticStorageType` on `LinstorNodeSet`. If this option is set, LINSTOR will create a storage pool based on all available devices on a node.
- Moved storage documentation to the storage guide
- Helm: update default images
v0.4.0 - 2020-06-05
- Secured database connection for Linstor: When using the `etcd` connector, you can specify a secret containing a CA certificate to switch from HTTP to HTTPS communication.
- Secured connection between Linstor components: You can specify TLS keys to secure the communication between controller and satellite
- Secure storage with LUKS: You can specify the master passphrase used by Linstor when creating encrypted volumes when installing via Helm.
- Authentication with etcd using TLS client certificates.
- Secured connection between linstor-client and controller (HTTPS). More in the security guide
- Linstor controller endpoint can now be customized for all resources. If not specified, the old default values will be filled in.
- NodeSet service (`piraeus-op-ns`) was replaced by the ControllerSet service (`piraeus-op-cs`) everywhere
- CSI storage driver setup: move setup from helm to go operator. This is mostly an internal change. These changes may be of note if you used a non-default CSI configuration:
  - helm value `csi.image` was renamed to `csi.pluginImage`
  - CSI deployment can be controlled by a new resource `linstorcsidrivers.piraeus.linbit.com`
- PriorityClasses are not automatically created. When not specified, the priority class is:
  - "system-node-critical", if deployed in "kube-system" namespace
  - default PriorityClass in other namespaces
- RBAC rules for CSI: creation moved to deployment step (Helm/OLM). ServiceAccounts should be specified in CSI resource. If no ServiceAccounts are named, the implicitly created accounts from previous deployments will be used.
- Helm: update default images
v0.3.0 - 2020-05-08
- Use single values for images in CRDs instead of specifying the version separately
- Helm: Use single values for images instead of specifying repo, name and version separately
- Helm: Replace fixed storage pool configuration with list
- Helm: Do not create any storage pools by default
- Helm: Replace `operator.nodeSet.spec` and `operator.controllerSet.spec` by just `operator.nodeSet` and `operator.controllerSet`.
v0.2.2 - 2020-04-24
- Fix reporting of errors in LinstorControllerSet status
v0.2.1 - 2020-04-14
- Helm: Update LINSTOR server dependencies to fix startup problems
v0.2.0 - 2020-04-10
- Helm: Allow an existing database to be used instead of always setting up a dedicated etcd instance
- Rename `etcdURL` parameter of LinstorControllerSet to `dbConnectionURL` to reflect the fact that it can be used for any database type
- Upgrade to operator-sdk v0.16.0
- Helm: Create multiple volumes with a single `pv-hostchart` installation
- Helm: Update dependencies
v0.1.4 - 2020-03-05
- Helm: Add support for `hostPath` `PersistentVolume` persistence of etcd
- Helm: Remove vendored etcd chart from repository
- Rename CRDs from Piraeus* to Linstor*
- Make priority classes configurable
- Fix LINSTOR Controller/Satellite arguments
- Helm: Make etcd persistent by default
- Helm: Fix deployment of permissions objects into a non-default namespace
- Helm: Set default etcd size to 1Gi
- Helm: Update dependent image versions
- Docker: Change base image to Debian Buster
- Support for kernel module injection based on shipped modules - necessary for CoreOS support.
- /charts contains Helm v3 chart for this operator
- CRDs contain additional Spec parameters that allow customizing image repo and tag/version of the image.
- Another Spec parameter 'drbdRepoCred' can specify the name of the k8s secret used to access the container images.
- LINSTOR Controller image now contains the LINSTOR client, away from the Satellite images as it was previously the case. Hence, the readiness probe is changed to use `curl` instead of `linstor` client command.
- examples/operator-intra.yaml file to bundle all the rbac, crds, etc to run the operator
- EtcdURL field to controllersetcontroller spec. default: etcd-piraeus:2379
- Host networking on the LINSTOR Satellite pods with DNSClusterFirstWithHostNet DNS policy
- NodeSet service for the Satellite pods that also point to the Controller service for LINSTOR discovery
- `ControllerEndpoint` and `DefaultController` from the PiraeusNodeSet spec
- Controller persistence is now handled by etcd. There must be a reachable and operable etcd cluster for this operator to work.
- Networking is now handled by a kubernetes service with the same name as the ControllerSet. The NodeSet must have the same name as the ControllerSet for networking to work properly.
- Opt-in node label for nodes is now `linstor.linbit.com/piraeus-node=true`
- Remove requirement for `kube-system` namespace
- Naming convention for NodeSet and ControllerSet Pods
- Updated ports for LINSTOR access on NodeSet and ControllerSet pods
- Updated framework to work with Operator Framework 0.13.0
- API Versions on PriorityClass, DaemonSet, StatefulSet, and CRD kinds to reflect K8s 1.16.0 release
v0.0.1 - 2019-07-19
- Initial public version with docs