Skip to content

[kubevirt-csi] Update Role of CSI controller #1165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 8, 2025
Merged

[kubevirt-csi] Update Role of CSI controller #1165

merged 2 commits into from
Jul 8, 2025

Conversation

lllamnyp
Copy link
Member

@lllamnyp lllamnyp commented Jul 7, 2025
edited by coderabbitai bot
Loading

What this PR does

Following a recent update, the KubeVirt CSI controller now needs new permissions to manage volumes for tenant k8s clusters. This patch updates the role granted to the kcsi-controller deployment of each tenant k8s cluster.

Release note

[kubevirt-csi] Update kcsi-controller role to align with the requirements of the version of the controller in use.

Summary by CodeRabbit

  • New Features

    • Expanded permissions for Kubernetes infrastructure service accounts, including enhanced access to virtual machines, volume snapshots, and persistent volume claims.

  • Chores

    • Updated chart version to 0.25.1.
    • Refreshed version mapping for the Kubernetes package.
    • Made the CSI driver container image configurable via deployment settings.
    • Integrated CSI driver image reference into deployment configuration automatically.

@lllamnyp lllamnyp requested review from kvaps and klinch0 as code owners July 7, 2025 14:29
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jul 7, 2025
edited
Loading

"""

Walkthrough

The changes update the Kubernetes application's Helm chart version to 0.25.1, expand the permissions in the CSI service account Role to cover additional resources and actions, update the version mapping to reflect the new chart version and its commit reference, and make the CSI driver container image configurable via Helm values. Additionally, the Makefile target for building the CSI driver image now updates the Helm values file with the generated image tag.

Changes

File(s) Change Summary
packages/apps/kubernetes/Chart.yaml Incremented chart version from 0.25.0 to 0.25.1.
packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml Expanded Role rules: added permissions for more resources in kubevirt.io and subresources.kubevirt.io, added snapshot and PVC rules.
packages/apps/versions_map Updated "kubernetes 0.25.0" to a specific commit and added "kubernetes 0.25.1" pointing to HEAD.
packages/system/kubevirt-csi-node/templates/deploy.yaml, packages/system/kubevirt-csi-node/values.yaml Made CSI driver container image configurable via Helm values by replacing hardcoded image with templated value and adding config.
packages/apps/kubernetes/Makefile Modified image-kubevirt-csi-driver target to update Helm values file with generated CSI driver image tag using yq.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Makefile
    participant Helm
    participant Kubernetes API
    participant CSI Controller

    User->>Makefile: Build CSI driver image
    Makefile->>Helm values.yaml: Update csiDriver.image with generated image tag
    User->>Helm: Deploy/Upgrade chart (v0.25.1) with configurable CSI image
    Helm->>Kubernetes API: Apply updated Role and DaemonSet with templated image
    Kubernetes API->>CSI Controller: Grant expanded permissions
    CSI Controller->>Kubernetes API: Perform actions (get/list VMs, manage snapshots, patch PVCs)
Loading

Possibly related PRs

Suggested labels

enhancement, size:S, lgtm

Suggested reviewers

  • llamnyp

Poem

A hop, a skip, a chart update's here,
Permissions expanded, the pathway is clear.
Snapshots and volumes, now under control,
With versioning tidy, we’re on a roll!
🐇✨
CSI driver image now takes flight,
Configured with values, just right!
Kubernetes leaps to version anew,
The cluster’s more able, thanks to this crew!
"""

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Jul 7, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml (1)

21-26: Consider adding update verb for PVCs

The controller patches PVC annotations, but future releases may perform full updates. Granting update alongside patch is harmless and avoids a potential RBAC regression.

-  verbs: ["get", "patch"]
+  verbs: ["get", "patch", "update"]
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70f8266 and 6d04efb.

📒 Files selected for processing (3)
  • packages/apps/kubernetes/Chart.yaml (1 hunks)
  • packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml (1 hunks)
  • packages/apps/versions_map (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (4)
packages/apps/kubernetes/Chart.yaml (1)

19-19: Confirm accompanying docs & artifacts for the version bump

version was incremented to 0.25.1. Please make sure:
• CHANGELOG / release-notes mention the change,
• any Chart.lock or OCI images are rebuilt,
• down-stream manifests that pin the chart version are updated (e.g. GitOps repos).

packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml (2)

16-18: LGTM – broader VM resource coverage

Adding virtualmachineinstances / virtualmachines with list,get correctly reflects the controller’s discovery needs.

19-20: Accurate subresource verbs

Using update for addvolume/removevolume aligns with KubeVirt’s API (these endpoints expect a PUT). No concerns here.

packages/apps/versions_map (1)

57-58: Version map consistency check

The old 0.25.0 now points to a fixed commit while 0.25.1 points to HEAD. Double-check that the referenced commit (70f82667) actually contains the chart at version 0.25.0; mismatched pointers break reproducible builds.

@lllamnyp
[kubevirt-csi] Update Role of CSI controller
8d3324f 
Following a [recent update](kubevirt/csi-driver@0171916),
the KubeVirt CSI controller now needs new permissions to manage volumes
for tenant k8s clusters.

Signed-off-by: Timofei Larkin <lllamnyp@gmail.com>
@lllamnyp lllamnyp force-pushed the fix/kubevirt-csi-rbac branch from 6d04efb to 8d3324f Compare July 7, 2025 16:13
coderabbitai[bot]
coderabbitai bot reviewed Jul 7, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/system/kubevirt-csi-node/templates/deploy.yaml (1)

166-166: Parameterised image is good; consider tightening the pull policy

imagePullPolicy: Always defeats the immutability benefit of a digest-pinned image and increases node-startup latency. Unless you rely on rapid image mutation, IfNotPresent (or making the policy configurable) is typically preferable.

-          imagePullPolicy: Always
+          # Consider making this configurable and defaulting to IfNotPresent
+          imagePullPolicy: IfNotPresent
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6d04efb and 8d3324f.

📒 Files selected for processing (5)
  • packages/apps/kubernetes/Chart.yaml (1 hunks)
  • packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml (1 hunks)
  • packages/apps/versions_map (1 hunks)
  • packages/system/kubevirt-csi-node/templates/deploy.yaml (1 hunks)
  • packages/system/kubevirt-csi-node/values.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/apps/kubernetes/Chart.yaml
  • packages/apps/versions_map
  • packages/apps/kubernetes/templates/csi/infra-cluster-service-account.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (1)
packages/system/kubevirt-csi-node/values.yaml (1)

2-3: Confirm image reference and automation version sync

The chart’s version: 0.0.0 in Chart.yaml is just a placeholder and will be set by your build/release pipeline, so you don’t need to manually bump it here. However, please:

  • Verify the correct GHCR path—should it be
    ghcr.io/cozystack/kubevirt-csi-driver:0.25.1@sha256:<new-digest>
    instead of
    ghcr.io/cozystack/cozystack/kubevirt-csi-driver:…?
  • Ensure your release automation updates the image.tag and image.digest to the 0.25.1 driver.
  • (Optional) Split repository, tag, and digest into separate values for easier automated bumps.

kvaps
kvaps reviewed Jul 7, 2025
View reviewed changes
packages/system/kubevirt-csi-node/values.yaml
@@ -1 +1,3 @@
storageClass: replicated
csiDriver:
image: ghcr.io/cozystack/cozystack/kubevirt-csi-driver:0.25.0@sha256:445c2727b04ac68595b43c988ff17b3d69a7b22b0644fde3b10c65b47a7bc036
Copy link
Member

@kvaps kvaps Jul 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add auto update for this string via make image target of tenant kubernetes application, please?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay fixed that d200017

@kvaps
Automatically set image for kubevirt-csi-node
d200017 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@kvaps kvaps merged commit 4503105 into main Jul 8, 2025
4 of 6 checks passed
@kvaps kvaps deleted the fix/kubevirt-csi-rbac branch July 8, 2025 06:20
coderabbitai[bot]
coderabbitai bot reviewed Jul 8, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
packages/apps/kubernetes/Makefile (1)

67-68: Guard cat failure so an absent tag file doesn’t silently wipe the Helm value

IMAGE=$$(cat images/kubevirt-csi-driver.tag) \ yq … swallows a failing cat exit-code because the status that reaches make is yq’s.
If the tag file is missing, IMAGE becomes empty and yq will overwrite .csiDriver.image with an empty string, yet the recipe still succeeds.

-	IMAGE=$$(cat images/kubevirt-csi-driver.tag) \
-		yq -i '.csiDriver.image = strenv(IMAGE)' ../../system/kubevirt-csi-node/values.yaml
+	IMAGE=$$(cat images/kubevirt-csi-driver.tag) && \
+	yq -i '.csiDriver.image = strenv(IMAGE)' ../../system/kubevirt-csi-node/values.yaml

Using && (or set -e at recipe start) ensures the build aborts if the tag file is absent or unreadable, preventing accidental blanking of the Helm value.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d3324f and d200017.

📒 Files selected for processing (1)
  • packages/apps/kubernetes/Makefile (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build
  • GitHub Check: pre-commit

@coderabbitai coderabbitai bot mentioned this pull request Jul 15, 2025
Merged
This was referenced Aug 18, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kvaps kvaps kvaps approved these changes

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@klinch0 klinch0 Awaiting requested review from klinch0 klinch0 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@lllamnyp @kvaps