Support for running controller outside of cluster

[MartinWeindel]

What this PR does / why we need it:
If the control plane runs in another cluster, it is needed to specify kubeconfig path for controller and syncer.

Release note:

Support for running the CSI controller outside the controlled cluster.

[k8s-ci-robot]

Welcome @MartinWeindel!

It looks like this is your first PR to kubernetes-sigs/vsphere-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/vsphere-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @MartinWeindel. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[MartinWeindel]

/assign @codenrhoden

[divyenpatel]

@MartinWeindel what is the use case of running controller outside of the cluster? Isn't this a security hole?

[MartinWeindel]

The use case is providing Kubernetes clusters on vSphere by Gardener.
In Gardener, it is standard procedure to run the control plane for an end-user "shoot" cluster on a so called "seed" cluster, which controls up to hundreds of shoot clusters.
This means the end-user "shoot" cluster is masterless and consists only of worker nodes.
Of course the communication to the K8s API server running on the control plane must be secured with TLS and signed certificates.
Take a look on the Gardener architecture diagram if you are interested in more details.

[RaunakShah]

What about defaulting to an in cluster config if BuildConfigFromFlags fails?

[MartinWeindel]

This would be very confusing. You specify a kubeconfig, but if something fails the controller suddenly tries to control the cluster it is running on.
Better to fail early and report it. If you want to use in-cluster config, just do not provide a kubeconfig.
BTW, your colleges of the vSphere cloud manager are using exactly the same logic, see https://github.com/kubernetes/cloud-provider-vsphere/blob/master/pkg/common/kubernetes/kubernetes.go#L38-L44

[RaunakShah]

CPI have different use cases from CSI. However, on second thought, i agree with the benefits of failing early.

[RaunakShah]

Have you done any testing to validate if nodeUpdate works as expected? I think here that you'd need to unregister the old node object and register the new one if that passes (or vice versa). Otherwise we'd have a long list of nodes registered representing the same node object.

[MartinWeindel]

A node update typically updates its status fields. Especially it is forbidden to change the providerID of the spec or its name. Therefore the node registration happens with the same values and the node manager is hopefully idempotent. I'm not an expert here, but removing the node registration on an update of its status looks to me like a very dangerous operation.

[mandelsoft]

The problem here is a timing behaviour. If the CSI controller is already running if new nodes join the cluster
the node object is created first without attributes required by the CSI controller. They are later added by the cloud controller.
But this is then no create event anymore, but an update event. Therefore it is not possible to ignore update events in the CSI controller.

[RaunakShah]

@mandelsoft exactly! Not just in the case of new nodes, but also if CSI is initialized before CPI adds ProviderID to all nodes, we have a situation where not all nodes are registered with the ProviderID set. This is the use case that i see for nodeUpdate.
@MartinWeindel it seems that nodeRegister will modify the existing node entry and not add a new one. But we still need some testing to verify

[MartinWeindel]

friendly ping
Have you found time for "some testing to verify"? Or is there still anything to be resolved before this PR can be accepted?
Thanks!

[RaunakShah]

@divyenpatel can you review this PR?

[divyenpatel]

/ok-to-test

[divyenpatel]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: divyenpatel, MartinWeindel

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [divyenpatel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[divyenpatel]

/lgtm