Merge pull request #676 from Nikhil-Ladha/sync_us
Manual sync upstream master to downstream master
subhamkrai authored Jul 10, 2024
2 parents 816cedb + 20049cf commit 24a8157
Showing 81 changed files with 3,595 additions and 1,920 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/build.yml
Expand Up @@ -27,7 +27,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Set up Helm
uses: azure/setup-helm@v4
Expand Down Expand Up @@ -77,7 +77,7 @@ jobs:
strategy:
fail-fast: false
matrix:
go-version: ["1.21","1.22"]
go-version: ["1.22"]
steps:
- name: checkout
uses: actions/checkout@v4
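
Review bot: The `go-version: ["1.22"]` matrix in this job is now a single-entry matrix, and the same "1.22" literal is repeated in every workflow touched by this commit. Consider dropping the matrix here or adding the next Go release to it, and reading the version from one place (setup-go accepts `go-version-file`, for example pointing at go.mod) so the next bump is a one-line change.
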
28 changes: 26 additions & 2 deletions .github/workflows/canary-integration-test.yml
Expand Up @@ -68,7 +68,8 @@ jobs:
run: |
toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
kubectl -n rook-ceph exec $toolbox -- mkdir -p /etc/ceph/test-data
kubectl -n rook-ceph cp tests/ceph-status-out $toolbox:/etc/ceph/test-data/
kubectl -n rook-ceph cp tests/external-cluster/ceph-status-out $toolbox:/etc/ceph/test-data/
kubectl -n rook-ceph cp tests/external-cluster/external-config.ini $toolbox:/etc/ceph/
kubectl -n rook-ceph cp deploy/examples/create-external-cluster-resources.py $toolbox:/etc/ceph
kubectl -n rook-ceph cp deploy/examples/create-external-cluster-resources-tests.py $toolbox:/etc/ceph
timeout 10 sh -c "until kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name replicapool; do echo 'waiting for script to succeed' && sleep 1; done"
Expand Down Expand Up @@ -267,6 +268,29 @@ jobs:
toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name replicapool --v2-port-enable
- name: test config file flag
run: |
toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
# create `radosNamespace2` rados-namespace for `replicapool` rbd data-pool
kubectl -n rook-ceph exec $toolbox -- rbd namespace create replicapool/radosnamespace2
# validate `--rados-namespace`, config file value is radosnamespace2, cli arg flag is set to radosnamespace1 and no default is set
# command line arg should be used
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name replicapool --rados-namespace radosnamespace1 --config-file /etc/ceph/external-config.ini
# validate the `rbd-data-pool-name`,config value set to replicapoolconfig, command line arg is not set and no default
# config value should be used
sed -i 's/replicapool/replicapoolconfig/' deploy/examples/pool-test.yaml
kubectl create -f deploy/examples/pool-test.yaml
kubectl wait --for='jsonpath={.status.phase}=Ready' Cephblockpool/replicapoolconfig -nrook-ceph
# create `radosNamespace2` rados-namespace for `replicapoolconfig` rbd data-pool
kubectl -n rook-ceph exec $toolbox -- rbd namespace create replicapoolconfig/radosnamespace2
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --config-file /etc/ceph/external-config.ini
# validate the default `format`` flag, config file value is not set and no cmd line argument is set and default value is `Json``,
# default value should be used
kubectl -n rook-ceph exec $toolbox -- python3 /etc/ceph/create-external-cluster-resources.py --rbd-data-pool-name replicapool --config-file /etc/ceph/external-config.ini
- name: check-ownerreferences
run: tests/scripts/github-action-helper.sh check_ownerreferences
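
Review bot: The three script invocations in the new `test config file flag` step only check that the script exits zero, so none of them verifies the precedence the comments describe (command line over config file over default). Capture the script output and assert on the value that was actually used, for instance by checking that the first run reports `radosnamespace1` and not `radosnamespace2`. Also, `sed -i` rewrites `deploy/examples/pool-test.yaml` in the checkout, so any later step that reads that file sees `replicapoolconfig`; work on a copy instead. The comments have stray backticks (`format``, `Json``) and write `radosNamespace2` where the commands create `radosnamespace2`.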

Expand Down Expand Up @@ -1546,7 +1570,7 @@ jobs:
- name: setup golang
uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: setup cluster resources
uses: ./.github/workflows/canary-test-config
2 changes: 1 addition & 1 deletion .github/workflows/canary-test-config/action.yaml
Expand Up @@ -14,7 +14,7 @@ runs:
- name: setup golang
uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Setup Minikube
shell: bash --noprofile --norc -eo pipefail -x {0}
2 changes: 1 addition & 1 deletion .github/workflows/codegen.yml
Expand Up @@ -36,7 +36,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: run codegen
run: GOPATH=$(go env GOPATH) make codegen
2 changes: 1 addition & 1 deletion .github/workflows/crds-gen.yml
Expand Up @@ -35,7 +35,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: run crds-gen
run: GOPATH=$(go env GOPATH) make crds
2 changes: 1 addition & 1 deletion .github/workflows/daily-nightly-jobs.yml
Expand Up @@ -30,7 +30,7 @@ jobs:
- name: setup golang
uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Install Docker
run: |
2 changes: 1 addition & 1 deletion .github/workflows/docs-check.yml
Expand Up @@ -30,7 +30,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- uses: actions/setup-python@v5
with:
4 changes: 2 additions & 2 deletions .github/workflows/golangci-lint.yaml
Expand Up @@ -29,7 +29,7 @@ jobs:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"
- name: golangci-lint
uses: golangci/golangci-lint-action@v6
with:
Expand All @@ -54,7 +54,7 @@ jobs:
steps:
- uses: actions/setup-go@v5
with:
go-version: "1.22"
go-version: "1.22.5"
check-latest: true
- name: govulncheck
uses: golang/govulncheck-action@v1
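
Review bot: With `go-version: "1.22.5"` the govulncheck job is pinned to an exact patch release, so `check-latest: true` on the next line no longer has anything to resolve and the job stays on 1.22.5 after later 1.22.x security releases ship. Every other workflow in this commit floats on "1.22", which means the toolchain scanned here can differ from the one that builds. If the pin works around a specific finding, say so in a comment; otherwise keep "1.22" with `check-latest: true`.
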
Expand Up @@ -18,7 +18,7 @@ runs:
- name: setup golang
uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Setup Minikube
shell: bash --noprofile --norc -eo pipefail -x {0}
2 changes: 1 addition & 1 deletion .github/workflows/mod-check.yml
Expand Up @@ -35,7 +35,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: run mod check
run: GOPATH=$(go env GOPATH) make -j $(nproc) mod.check
2 changes: 1 addition & 1 deletion .github/workflows/multus.yaml
Expand Up @@ -39,7 +39,7 @@ jobs:
- name: Set up Go version
uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Create KinD Cluster
uses: helm/[email protected]
2 changes: 1 addition & 1 deletion .github/workflows/push-build.yaml
Expand Up @@ -27,7 +27,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

# docker/setup-qemu action installs QEMU static binaries, which are used to run builders for architectures other than the host.
- name: set up QEMU
2 changes: 1 addition & 1 deletion .github/workflows/rbac-gen.yaml
Expand Up @@ -35,7 +35,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: run gen-rbac
run: GOPATH=$(go env GOPATH) make gen-rbac
2 changes: 1 addition & 1 deletion .github/workflows/unit-test.yml
Expand Up @@ -43,7 +43,7 @@ jobs:

- uses: actions/setup-go@v5
with:
go-version: "1.21"
go-version: "1.22"

- name: Setup jq
uses: dcarbone/[email protected]
26 changes: 26 additions & 0 deletions Documentation/CRDs/Cluster/external-cluster/external-cluster.md
Expand Up @@ -63,6 +63,32 @@ python3 create-external-cluster-resources.py --rbd-data-pool-name <pool_name> --
* `--topology-pools`: (optional) Comma-separated list of topology-constrained rbd pools
* `--topology-failure-domain-label`: (optional) K8s cluster failure domain label (example: zone, rack, or host) for the topology-pools that match the ceph domain
* `--topology-failure-domain-values`: (optional) Comma-separated list of the k8s cluster failure domain values corresponding to each of the pools in the `topology-pools` list
* `--config-file`: Path to the configuration file, Priority: command-line-args > config.ini values > default values

### Config-file

Use the config file to set the user configuration file, add the flag `--config-file` to set the file path.

Example:

`/config.ini`

```console
[Configurations]
format = bash
cephfs-filesystem-name = <filesystem-name>
rbd-data-pool-name = <pool_name>
...
```

```console
python3 create-external-cluster-resources.py --config-file /config.ini
```

!!! note
You can use both config file and other arguments at the same time
Priority: command-line-args > config.ini file values > default values


### Multi-tenancy
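
Review bot: The new `--config-file` bullet omits the `(optional)` marker that the neighbouring flags carry, and the opening sentence under `### Config-file` is circular ("Use the config file to set the user configuration file"). State that the file is INI with a `[Configurations]` section whose keys are the long flag names without the leading dashes, as the example implies, and give the priority rule once rather than in both the bullet and the note. The `config.ini` sample would also read better fenced as `ini` than as `console`.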

2 changes: 1 addition & 1 deletion Documentation/CRDs/specification.md
Expand Up @@ -12567,7 +12567,7 @@ will be set by the persistentvolume controller if it exists.
If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be
set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource
exists.
More info: <a href="https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass">https://kubernetes.io/docs/concepts/storage/persistent-volumes#volumeattributesclass</a>
More info: <a href="https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/">https://kubernetes.io/docs/concepts/storage/volume-attributes-classes/</a>
(Alpha) Using this field requires the VolumeAttributesClass feature gate to be enabled.</p>
</td>
</tr>
2 changes: 1 addition & 1 deletion Documentation/Contributing/development-flow.md
Expand Up @@ -7,7 +7,7 @@ don't hesitate to reach out to us on our [Slack](https://Rook-io.slack.com) dev

## Prerequisites

1. [GO 1.21](https://golang.org/dl/) or greater installed
1. [GO 1.22](https://golang.org/dl/) or greater installed
2. Git client installed
3. GitHub account

2 changes: 1 addition & 1 deletion Documentation/Getting-Started/ceph-openshift.md
Expand Up @@ -59,7 +59,7 @@ There are some Rook settings that also need to be adjusted to work in OpenShift.

There is an environment variable that needs to be set in the operator spec that will allow Rook to run in OpenShift clusters.

* `ROOK_HOSTPATH_REQUIRES_PRIVILEGED`: Must be set to `true`. Writing to the hostPath is required for the Ceph mon and osd pods. Given the restricted permissions in OpenShift with SELinux, the pod must be running privileged in order to write to the hostPath volume.
* `ROOK_HOSTPATH_REQUIRES_PRIVILEGED`: Must be set to `true`. Writing to the hostPath is required for the Ceph mon, osd pods and csi provisioners(if logrotation is on). Given the restricted permissions in OpenShift with SELinux, the pod must be running privileged in order to write to the hostPath volume.

```yaml
- name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
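
Review bot: The added text `csi provisioners(if logrotation is on)` is missing a space before the parenthesis and does not name the setting that turns log rotation on, so a reader cannot tell whether the privileged requirement applies to their deployment. Since this widens the set of pods that must run privileged, name the option and reword to something like "the Ceph mon and osd pods, and the CSI provisioners when log rotation is enabled".
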
Expand Up @@ -201,19 +201,8 @@ If a node goes down where a pod is running where a RBD RWO volume is mounted, th

### Configure CSI-Addons

Deploy the csi-addons manifests:
Deploy csi-addons controller and enable `csi-addons` sidecar as mentioned in the [CSI Addons](../Ceph-CSI/ceph-csi-drivers#CSI-Addons-Controller) guide.

```console
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/crds.yaml
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/rbac.yaml
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/setup-controller.yaml
```

Enable the `csi-addons` sidecar in the Rook operator configuration.

```console
kubectl patch cm rook-ceph-operator-config -n<namespace> -p $'data:\n "CSI_ENABLE_CSIADDONS": "true"'
```

### Handling Node Loss
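
Review bot: The new link target `../Ceph-CSI/ceph-csi-drivers#CSI-Addons-Controller` has no `.md` extension and a mixed-case anchor, unlike the other relative link in this commit (`../../CRDs/Cluster/ceph-cluster-crd.md#osd-configuration-settings`). Check that it resolves in the built docs, and confirm the linked section still tells the reader to set `CSI_ENABLE_CSIADDONS`, since the `kubectl patch` command for it is removed here.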

34 changes: 22 additions & 12 deletions Documentation/Storage-Configuration/Ceph-CSI/ceph-csi-drivers.md
Expand Up @@ -166,9 +166,9 @@ that the controller inspects and forwards to one or more CSI-Addons sidecars for
Deploy the controller by running the following commands:
```console
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/crds.yaml
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/rbac.yaml
kubectl create -f https://raw.githubusercontent.com/csi-addons/kubernetes-csi-addons/v0.8.0/deploy/controller/setup-controller.yaml
kubectl create -f https://github.com/csi-addons/kubernetes-csi-addons/releases/download/v0.8.0/crds.yaml
kubectl create -f https://github.com/csi-addons/kubernetes-csi-addons/releases/download/v0.8.0/rbac.yaml
kubectl create -f https://github.com/csi-addons/kubernetes-csi-addons/releases/download/v0.8.0/setup-controller.yaml
```

This creates the required CRDs and configures permissions.
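
Review bot: The switch to `releases/download/v0.8.0/` URLs keeps the pattern of feeding remote manifests, including `rbac.yaml`, straight into `kubectl create`, with nothing for the reader to verify them against. Consider telling readers to download the three files first and review them (or check a published checksum) before applying, and confirm that the v0.8.0 release actually publishes all three asset names.
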
Expand Down Expand Up @@ -206,22 +206,28 @@ CSI-Addons supports the following operations:
* [Creating VolumeReplicationClass](https://github.com/csi-addons/kubernetes-csi-addons/blob/v0.8.0/docs/volumereplicationclass.md)
* [Creating VolumeReplication CR](https://github.com/csi-addons/kubernetes-csi-addons/blob/v0.8.0/docs/volumereplication.md)

## Enable RBD Encryption Support
## Enable RBD and CephFS Encryption Support

Ceph-CSI supports encrypting individual RBD PersistentVolumeClaims with LUKS. More details can be found
[here](https://github.com/ceph/ceph-csi/blob/v3.6.0/docs/deploy-rbd.md#encryption-for-rbd-volumes)
including a full list of supported encryption configurations. A sample configmap can be found
[here](https://github.com/ceph/ceph-csi/blob/v3.6.0/examples/kms/vault/kms-config.yaml).
Ceph-CSI supports encrypting PersistentVolumeClaims (PVCs) for both RBD and CephFS.
This can be achieved using LUKS for RBD and fscrypt for CephFS. More details on encrypting RBD PVCs can be found
[here](https://github.com/ceph/ceph-csi/blob/v3.11.0/docs/deploy-rbd.md#encryption-for-rbd-volumes),
which includes a full list of supported encryption configurations.
More details on encrypting CephFS PVCs can be found [here](https://github.com/ceph/ceph-csi/blob/v3.11.0/docs/deploy-cephfs.md#cephfs-volume-encryption).
A sample KMS configmap can be found [here](https://github.com/ceph/ceph-csi/blob/v3.11.0/examples/kms/vault/kms-config.yaml).

!!! note
Not all KMS are compatible with fscrypt. Generally, KMS that either store secrets to use directly (like Vault)
or allow access to the plain password (like Kubernetes Secrets) are compatible.

!!! note
Rook also supports OSD-level encryption (see `encryptedDevice` option [here](../../CRDs/Cluster/ceph-cluster-crd.md#osd-configuration-settings)).

Using both RBD PVC encryption and OSD encryption at the same time will lead to double encryption and may reduce read/write performance.

Existing Ceph clusters can also enable Ceph-CSI RBD PVC encryption support and multiple kinds of encryption
Existing Ceph clusters can also enable Ceph-CSI PVC encryption support and multiple kinds of encryption
KMS can be used on the same Ceph cluster using different storageclasses.

The following steps demonstrate how to enable support for encryption:
The following steps demonstrate the common process for enabling encryption support for both RBD and CephFS:

* Create the `rook-ceph-csi-kms-config` configmap with required encryption configuration in
the same namespace where the Rook operator is deployed. An example is shown below:
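
Review bot: The unchanged sentence "Using both RBD PVC encryption and OSD encryption at the same time will lead to double encryption" was not generalized along with the heading and the line after it, so it is unclear whether the warning applies to CephFS fscrypt volumes as well. The new fscrypt note says "Not all KMS are compatible" without naming which KMS types from the linked v3.11.0 document work; list them or link to the exact section. The `v3.11.0` tag is now hard-coded in four links in this hunk.
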
Expand Down Expand Up @@ -262,8 +268,9 @@ stringData:
encryptionPassphrase: test-encryption
```
* Create a new [storageclass](https://github.com/rook/rook/blob/master/deploy/examples/csi/rbd/storageclass.yaml) with additional parameters
`encrypted: "true"` and `encryptionKMSID: "<key used in configmap>"`. An example is show below:
* Create a new [RBD storageclass](https://github.com/rook/rook/blob/master/deploy/examples/csi/rbd/storageclass.yaml) or
[CephFS storageclass](https://github.com/rook/rook/blob/master/deploy/examples/csi/cephfs/storageclass.yaml) with additional parameters
`encrypted: "true"` and `encryptionKMSID: "<key used in configmap>"`. An example is shown below:

```yaml
apiVersion: storage.k8s.io/v1
Expand All @@ -279,6 +286,9 @@ parameters:

* PVCs created using the new storageclass will be encrypted.

!!! note
CephFS encryption requires fscrypt support in Linux kernel, kernel version 6.6 or higher.

## Enable Read affinity for RBD and CephFS volumes

Ceph CSI supports mapping RBD volumes with KRBD options and mounting
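
Review bot: The kernel requirement in the new note reads awkwardly ("fscrypt support in Linux kernel, kernel version 6.6 or higher") and sits after the last step, where a reader finds it only after creating the storageclass. Move it next to the fscrypt compatibility note above the steps and say which machines it applies to, presumably the nodes that mount the volume.
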
Expand Up @@ -391,7 +391,7 @@ kubectl delete -f kube-registry.yaml
To delete the filesystem components and backing data, delete the Filesystem CRD.

!!! warning
Data will be deleted if preserveFilesystemOnDelete=false**.
Data will be deleted if **preserveFilesystemOnDelete=false**.

```console
kubectl -n rook-ceph delete cephfilesystem myfs
Expand Down