From de2489ed7d3afb1322c12ad6ec4f5cc57fe38f81 Mon Sep 17 00:00:00 2001 From: Humble Chirammal Date: Mon, 17 Jan 2022 18:28:38 +0530 Subject: [PATCH] deploy: update csi-snapshotter sidecar to v5.0.1 This release of snapshotter has a breaking change as mentioned in the release note: Refer# [1]: https://github.com/kubernetes-csi/external-snapshotter/releases/tag/v5.0.0 RBAC rules are also updated with this commit. Signed-off-by: Humble Chirammal --- build.env | 4 ++-- .../templates/provisioner-clusterrole.yaml | 9 ++++++--- .../templates/provisioner-clusterrole.yaml | 9 ++++++--- .../kubernetes/csi-cephfsplugin-provisioner.yaml | 2 +- deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml | 7 +++++-- deploy/rbd/kubernetes/csi-provisioner-rbac.yaml | 9 ++++++--- .../rbd/kubernetes/csi-rbdplugin-provisioner.yaml | 2 +- docs/snap-clone.md | 2 +- scripts/install-snapshot.sh | 11 ++++++----- scripts/snapshot-controller-psp.yaml | 13 +++++++------ 10 files changed, 41 insertions(+), 27 deletions(-) diff --git a/build.env b/build.env index 7ae48b792..9398d56c5 100644 --- a/build.env +++ b/build.env @@ -27,7 +27,7 @@ GOLANGCI_VERSION=v1.43.0 # external snapshotter version # Refer: https://github.com/kubernetes-csi/external-snapshotter/releases -SNAPSHOT_VERSION=v4.0.0 +SNAPSHOT_VERSION=v5.0.1 # "go test" configuration # set to stdout or html to enable coverage reporting, disabled by default @@ -49,7 +49,7 @@ ROOK_CEPH_CLUSTER_IMAGE=quay.io/ceph/ceph:v16 # CSI sidecar version CSI_ATTACHER_VERSION=v3.4.0 -CSI_SNAPSHOTTER_VERSION=v4.2.0 +CSI_SNAPSHOTTER_VERSION=v5.0.1 CSI_PROVISIONER_VERSION=v3.1.0 CSI_RESIZER_VERSION=v1.4.0 CSI_NODE_DRIVER_REGISTRAR_VERSION=v2.4.0 diff --git a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml index c970766e5..a3cc5377d 100644 --- a/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml +++ b/charts/ceph-csi-cephfs/templates/provisioner-clusterrole.yaml 
@@ -27,16 +27,19 @@ rules: verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] - verbs: ["get", "list"] + verbs: ["get", "list", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] - verbs: ["update"] + verbs: ["update", "patch"] {{- if .Values.provisioner.attacher.enabled }} - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] diff --git a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml index 032705753..9a4b1fe83 100644 --- a/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml +++ b/charts/ceph-csi-rbd/templates/provisioner-clusterrole.yaml @@ -38,16 +38,19 @@ rules: {{- end }} - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] - verbs: ["get", "list"] + verbs: ["get", "list", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["get", "list", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get"] 
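Review bot: The new `volumesnapshots/status` rule in this ClusterRole grants `["update", "patch"]`, while the same rule added to the ceph-csi-rbd chart and to both `deploy/*/kubernetes/csi-provisioner-rbac.yaml` files grants `["get", "list", "patch"]`. `deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml` also leaves `volumesnapshots` at `["get", "list"]` where the other three files add `patch`. The four roles appear to back the same set of sidecars, so one verb list should be chosen and used in all of them. For the status subresource that would be at most `verbs: ["update", "patch"]`, since `list` should have no effect on a subresource. The rules list starts and ends outside the hunk.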
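Review bot: Adding `patch` on `volumesnapshots` and the new `volumesnapshots/status` rule gives this cluster-wide role write access to VolumeSnapshot objects in every namespace, and nothing in the commit says which sidecar needs it. As far as I can tell the csi-snapshotter sidecar works on `volumesnapshotcontents`, and writes to VolumeSnapshot objects are normally done by the snapshot-controller, which gets its own RBAC from `scripts/install-snapshot.sh`. It is worth checking these two grants against the RBAC shipped with the v5.0.1 sidecar and dropping them if unused, here and in the other three role files. If they stay, a comment such as `# needed by csi-snapshotter >= v5.0.0: <reason>` above each rule would record why.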
diff --git a/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml b/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml index 6b6959b3a..a690a230d 100644 --- a/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml +++ b/deploy/cephfs/kubernetes/csi-cephfsplugin-provisioner.yaml @@ -76,7 +76,7 @@ spec: - name: socket-dir mountPath: /csi - name: csi-snapshotter - image: k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.0 + image: k8s.gcr.io/sig-storage/csi-snapshotter:v5.0.1 args: - "--csi-address=$(ADDRESS)" - "--v=5" diff --git a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml index 227e0e854..821cebb53 100644 --- a/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/cephfs/kubernetes/csi-provisioner-rbac.yaml @@ -31,9 +31,12 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["get", "list", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] @@ -51,7 +54,7 @@ rules: verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] - verbs: ["update"] + verbs: ["update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml index 32b8973f7..0cc0b8282 100644 --- a/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml +++ b/deploy/rbd/kubernetes/csi-provisioner-rbac.yaml 
@@ -35,10 +35,13 @@ rules: verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] - verbs: ["get", "list"] + verbs: ["get", "list", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["get", "list", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] @@ -53,7 +56,7 @@ rules: verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] - verbs: ["update"] + verbs: ["update", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get"] diff --git a/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml b/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml index 9b4eb4b4d..5616d878a 100644 --- a/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml +++ b/deploy/rbd/kubernetes/csi-rbdplugin-provisioner.yaml @@ -67,7 +67,7 @@ spec: - name: socket-dir mountPath: /csi - name: csi-snapshotter - image: k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.0 + image: k8s.gcr.io/sig-storage/csi-snapshotter:v5.0.1 args: - "--csi-address=$(ADDRESS)" - "--v=5" diff --git a/docs/snap-clone.md b/docs/snap-clone.md index 6d502552b..1f964d6b5 100644 --- a/docs/snap-clone.md +++ b/docs/snap-clone.md @@ -33,7 +33,7 @@ `SNAPSHOT_VERSION` variable, for example: ```console - SNAPSHOT_VERSION="v4.0.0" ./scripts/install-snapshot.sh install + SNAPSHOT_VERSION="v5.0.1" ./scripts/install-snapshot.sh install ``` - In the future, you can choose to cleanup by running diff --git a/scripts/install-snapshot.sh b/scripts/install-snapshot.sh index 8ba912809..31c661539 100755 --- a/scripts/install-snapshot.sh +++ b/scripts/install-snapshot.sh 
@@ -7,7 +7,7 @@ SCRIPT_DIR="$(dirname "${0}")" # shellcheck source=build.env source "${SCRIPT_DIR}/../build.env" -SNAPSHOT_VERSION=${SNAPSHOT_VERSION:-"v4.0.0"} +SNAPSHOT_VERSION=${SNAPSHOT_VERSION:-"v5.0.1"} TEMP_DIR="$(mktemp -d)" SNAPSHOTTER_URL="https://raw.githubusercontent.com/kubernetes-csi/external-snapshotter/${SNAPSHOT_VERSION}" @@ -24,7 +24,7 @@ VOLUME_SNAPSHOT="${SNAPSHOTTER_URL}/client/config/crd/snapshot.storage.k8s.io_vo function install_snapshot_controller() { local namespace=$1 if [ -z "${namespace}" ]; then - namespace="default" + namespace="kube-system" fi create_or_delete_resource "create" ${namespace} @@ -51,7 +51,7 @@ function install_snapshot_controller() { function cleanup_snapshot_controller() { local namespace=$1 if [ -z "${namespace}" ]; then - namespace="default" + namespace="kube-system" fi create_or_delete_resource "delete" ${namespace} } @@ -65,8 +65,9 @@ function create_or_delete_resource() { mkdir -p "${TEMP_DIR}" curl -o "${temp_rbac}" "${SNAPSHOT_RBAC}" curl -o "${temp_snap_controller}" "${SNAPSHOT_CONTROLLER}" - sed -i "s/namespace: default/namespace: ${namespace}/g" "${temp_rbac}" - sed -i "s/namespace: default/namespace: ${namespace}/g" "${snapshotter_psp}" + sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_rbac}" + sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${temp_snap_controller}" + sed -i "s/namespace: kube-system/namespace: ${namespace}/g" "${snapshotter_psp}" sed -i "s/canary/${SNAPSHOT_VERSION}/g" "${temp_snap_controller}" kubectl "${operation}" -f "${temp_rbac}" diff --git a/scripts/snapshot-controller-psp.yaml b/scripts/snapshot-controller-psp.yaml index 51d30b791..21c4d0fb6 100644 --- a/scripts/snapshot-controller-psp.yaml +++ b/scripts/snapshot-controller-psp.yaml @@ -3,6 +3,7 @@ apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: csi-snapshotter-psp + namespace: kube-system spec: allowPrivilegeEscalation: true allowedCapabilities: 
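Review bot: Changing the fallback namespace from `default` to `kube-system` in `install_snapshot_controller`, and in `cleanup_snapshot_controller` in the next hunk, means a cleanup run with the new script no longer targets a controller that the old script installed into `default`. The controller and its Role and RoleBinding would then stay behind in `default`. A sentence in `docs/snap-clone.md` telling users to clean up with the old namespace before upgrading would cover it. Separately, `${namespace}` is passed unquoted to `create_or_delete_resource`; `"${namespace}"` is safer. Both function bodies continue outside their hunks.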
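Review bot: The three `sed -i` calls in `create_or_delete_resource` edit their targets in place, and `${snapshotter_psp}` is defined outside this hunk. If it points at the tracked `scripts/snapshot-controller-psp.yaml`, one run with a custom namespace rewrites that file, so later runs no longer match `namespace: kube-system` and silently act on the earlier namespace. Copying the PSP manifest into `${TEMP_DIR}` and substituting in the copy avoids that. The two `curl -o` downloads above the new lines have no `--fail`, so an HTTP error body would be written to the temp file and handed to `kubectl`; `curl --fail --location -o "${temp_rbac}" "${SNAPSHOT_RBAC}"` turns that into a non-zero exit. The function starts and ends outside the hunk.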
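Review bot: `namespace: kube-system` is added to the metadata of a PodSecurityPolicy, which is a cluster-scoped kind, so the field has no effect and suggests a scoping the policy does not have. I would drop the line; the namespace restriction comes from the Role and RoleBinding further down the file. The spec also keeps `allowPrivilegeEscalation: true`, and with the controller now defaulting to `kube-system` it is worth confirming the snapshot-controller needs that and saying so in a comment if it does. The spec continues outside the hunk.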
@@ -28,8 +29,8 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-snapshotter-psp - # replace with non-default namespace name - namespace: default + # replace with non-kube-system namespace name + namespace: kube-system rules: - apiGroups: ["policy"] resources: ["podsecuritypolicies"] @@ -41,13 +42,13 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-snapshotter-psp - # replace with non-default namespace name - namespace: default + # replace with non-kube-system namespace name + namespace: kube-system subjects: - kind: ServiceAccount name: snapshot-controller - # replace with non-default namespace name - namespace: default + # replace with non-kube-system namespace name + namespace: kube-system roleRef: kind: Role name: csi-snapshotter-psp
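Review bot: The comment `# replace with non-kube-system namespace name`, here and in the RoleBinding hunk below, is a mechanical rename of the old text and no longer tells the reader what to do. `scripts/install-snapshot.sh` now substitutes `namespace: kube-system` itself, so `# kube-system by default; install-snapshot.sh rewrites this when another namespace is requested` would be accurate. Anyone applying this file by hand has to change all three namespace fields together, or the RoleBinding will not reach the `snapshot-controller` ServiceAccount.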