Fixes: #14518

A recent change seems to have broken the permissions of the auto-assign
action.

This tries to fix this by making permissions more specific.

Signed-off-by: Michael Adam <obnox@samba.org>

ci: fix the permissions of the assign action

For the new 1.15 branch and first test release, update the docs
and manifests to v1.15.0-beta.0

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>

build: Set the release version to v1.15.0-beta.0

Add CephObjectStore spec.hosting.advertiseEndpoint configuration. This
provides a clear documented default for which endpoint Rook "advertises"
to dependent resources like CephObjectStores, OBCs, and COSI
Buckets/Accesses and allows users to override the default behavior if
desired.

The current default is to round-robin an endpoint from
spec.hosting.dnsNames, which has proven to be troublesome for some
users' object store configurations. This change provides much-needed
disambiguation for users.

This may be a breaking change for some existing spec.hosting.dnsNames
users. This is unexpected but is documented.

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>
(cherry picked from commit a2b0b64)

object: add hosting.advertiseEndpoint config (backport #14467)

issue:
external-provisioner (v5) enabled topology feature-gate by default
and the current implementation in Rook uses a conditional block to
enable the topology feature gate. This approach now does not directly
reflect the state of the `CSI_ENABLE_TOPOLOGY`.

fix:
replacing the conditional block with a direct use of the
`CSI_ENABLE_TOPOLOGY` for flag value.

Signed-off-by: Praveen M <m.praveen@ibm.com>
(cherry picked from commit e30e5e8)

csi: explicitly set Topology feature-gate (backport #14517)

RGW can only serve a single certificate. This limitation means that the
prior behavior of using the default service for admin ops when TLS is
enabled may mean it requires additional complex certificate management
to make sure the object store uses a certificate valid for Rook internal
admin ops and user connections.

This is needlessly complex for users. Instead, change Rook's behavior
and documentation to clarify that it will use the same endpoint intended
for S3 client applications. This means that users have a more
straightforward path to enabling both Rook and consuming applications.

More info: #14530

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>
(cherry picked from commit b4a2285)

object: use advertise endpoint for admin ops (backport #14532)

This commit adds example yamls for block
volume mode.

Signed-off-by: Rakshith R <rar@redhat.com>
(cherry picked from commit 53e2f8c)

csi: add pvc & pod yamls for block volume mode (backport #14542)

For the specification see:
<https://github.com/rook/rook/blob/master/design/ceph/object/swift-and-keystone-integration.md>

* extend the API object specs for swift and keystone integration

* adapt rgw to the new go-ceph version

  - The parameter lists of the API call have changes, as parameters
    ignored by the RGW Admin Ops API are no longer serialized, therefore
    the mock has to be adapted.

  - There is now validation for the user keys that are passed to the
    User get API, therefore things failed when we had empty keys in our
    User proxy object.

* expand the reconcile loop for the swift and keystone integration

* fix minor mistakes in design document

* add env var to pass extra args to minikube

  Minikube decides CPU cores and memory automatically based on the
  available resources on the machine which may be insufficient to
  run rook. This commit adds an environment variable to add arbitrary
  arguments to the minikube command, so both can be specified if
  desired.

* integration tests for swift and keystone

  The new integration of swift or s3 and keystone support by rook
  does not have any integration tests yet.

  This commit introduces integration tests for swift and keystone. The
  tests are done against a minimal keystone setup (keystone container
  image from Yaook-project (https://yaook.cloud), sqlite as database
  backend, cert-manager and trust-manager for test certificate setup).

  To prevent hardcoded credentials, passwords are generated
  by the tests. The integration tests use the openstack client
  (keystone- and swift-functionality) (https://docs.openstack.org/
  python-openstackclient/ latest/). This was a concious design decision
  to use client tooling as close as possible to the end user instead of
  using other go-libraries (such as gophercloud).

* add documentation on swift and keystone

  Currently there is no documentation on the use of Swift to access
  an object store as well as the use of OpenStack keystone for
  authentication.

  This commit adds documentation on the use of Swift and OpenStack
  keystone, as well as CRD-related documentation and an example setup.

* add integration tests for S3 via keystone

  This commit introduces integration tests for s3 and keystone. The
  tests are run against the same minimal keystone setup that the tests
  for swift and keystone use.

  The integration tests use the aws s3 client to use client tooling as
  close as possible to the end user instead of using other go-libraries.

Co-authored-by: Jan Klippel <jan.klippel@uhurutec.com>
Co-authored-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
Signed-off-by: Sebastian Riese <sebastian.riese@cloudandheat.com>
Signed-off-by: Jan Klippel <jan.klippel@uhurutec.com>
Signed-off-by: Silvio Ankermann <silvio.ankermann@cloudandheat.com>
(cherry picked from commit ee8bcad)

rgw: implement support for authentication using keystone for s3 and swift (backport #13807)

Signed-off-by: Zuhair AlSader <zuhair@devzero.io>
(cherry picked from commit c146b59)

docs: fix affinity docs in operator chart (backport #14546)

PR #14473

tried to improve the token-permissions score of the OpenSSF scorecard
report.

https://scorecard.dev/viewer/?uri=github.com/rook/rook

The latest scorecard run however shows that this score has  not improved.
It still shows two warbnings about missing top level permissions.

The rest looks good (just Info entries).

This change aims at  finally improving the token-permissions score

by adding top level permissions to the two warned-about workflow files.

Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 2d29297)

ci: fix excessive token permissions -- again (backport #14557)

Update Rook and Ceph upgrade docs for upcoming v1.15 release.
Tidy up pending release notes in the working text as well as official
doc texts.

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>
(cherry picked from commit 6026fb1)

docs: update upgrade docs for v1.15 (backport #14559)

With the release of K8s v1.31.0, we update the minimum
supported version to v1.26, and add v1.31 to the CI
so we can test the most recent six versions of K8s.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit e157bb5)

core: Support k8s versions 1.26 through 1.31 (backport #14566)

Ceph image no longer has `ip` tool installed. Use a different container
image for the daemonset which sets host IPs and routes for multus hosts.

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>
(cherry picked from commit 5773132)

ci: fix failing multus validation tool test (backport #14565)

adding code changes,rbac changes required for create the new
Ceph-CSI operator CR named cephCluster in api group 'csi.ceph.io'.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 4b0b3a5)

adding changes to create CSI-operator config CR based on
every radosnamesapce and subvolumegroup.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 667e044)

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 1ad20d0)

adding the CSI-operator manifest files
inside rook repo naming deploy/examples/csi-operator-manifests.yaml.

Also, let's skip running any lint check on file `deploy/examples/csi-operator.yaml` as this is owned by CSI-operator.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit c30b8a5)

adding annotation to existing CSI driver resource so that
csi-operator can take ownership of existing CSI driver resources.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 64cce51)

adding unit test for csi-op resources and also
fixing small pointer issue with this commit.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit f40cb39)

csi: add csi-operator operator config cr (backport #14489)

As we have new csi-addons v0.9.0
updating the same here as well.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 123025f)

# Conflicts:
#	go.sum

updating cephcsi image to 3.12.0
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
(cherry picked from commit 7c7e8a2)

csi: update csi-addons to v0.9.0 (backport #14579)

The jobs to detect the ceph and csi versions now can have
custom annotationso and labels added to them. They are
very short-lived jobs, but they may need custom annotations
in some environments to run.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit 5014d5b)

core: Add annotations and labels to detect version jobs (backport #14576)

The codegen needs updating since the swift
types were added.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>
(cherry picked from commit 52f892a)

build: Update codegen deepcopy for swift (backport #14597)

Updating storageClassName for cluster-on-pvc.yaml file from gp2 to gp2-csi.

Signed-off-by: ShravaniVangur <shravanivangur@gmail.com>
(cherry picked from commit 9656d19)

Below csi sidecars are updated with latest available versions

csi-resizer: v1.11.1
csi-provisioner: v5.0.1
csi-attacher: v4.6.1
csi-snapshotter: v8.0.1
csi-node-driver-registrar: v2.11.1

Signed-off-by: Praveen M <m.praveen@ibm.com>
(cherry picked from commit a1ddf45)

# Conflicts:
#	deploy/examples/images.txt

updating csi-operator version in go.mod and csi-operator.yaml
to use latest release v0.1. And also fixing one small bug
where csi-driver log level was set in csi-operator log level.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 89e9077)

this commit contains changes that are forced by latest
controller-runtime version v0.19.0.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 2556e14)

Signed-off-by: Praveen M <m.praveen@ibm.com>
(cherry picked from commit 1efe3b6)

make test was failing when running on arm macbooks. Fix it so that it
isn't running with hardcoded GOOS=linux.

Signed-off-by: Blaine Gardner <blaine.gardner@ibm.com>
(cherry picked from commit 5da7feb)

csi: storageclass update to gp2-csi (backport #14586)

csi: update csi-operator to use latest tag v0.1 (backport #14599)

test: fix 'make test' on arm mac (backport #14604)

csi: update csi sidecars' image version (backport #14357)

Alerting on controller-runtime's workqueue_depth can be useful for
debugging controllers. Also having a prometheus target for a pod gives
another data point that the system is working as expected. It is useful
for uptime alerts.

Make the bind address configurable via the configmap while still retaining the default
behavior that it is disabled.

Resolves: #14538

Signed-off-by: Justin Cichra <jcichra@cloudflare.com>
(cherry picked from commit 74a79b2)

osd got resized by cryptsetup bluestore cmd
but it should also be reweight to balance the pgs properly

closes: #14430

Signed-off-by: parth-gr <partharora1010@gmail.com>
(cherry picked from commit 17cfda5)

Signed-off-by: Zuhair AlSader <zuhair@devzero.io>
(cherry picked from commit 6714b86)

osd: reweight osd while resizing (backport #14435)

Signed-off-by: Zuhair AlSader <zuhair@devzero.io>
(cherry picked from commit b6087c4)

core: add configuration option for metrics bindAddress (backport #14598)

manifest: add registry name to docker images (backport #14550)

docs: missing slack link (backport #14612)

For the minor release update the documentation and manifests
to v1.15.0

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>

The docker.io image prefix is expected to be prepended
to the image names in the test images. This was missed
in 14550 related to some CI tests, which was now causing
the CI failures in the 1.15 branch where the search and
replace was missing the new docker.io prefix.

Signed-off-by: Travis Nielsen <tnielsen@redhat.com>

build: Update the release version to v1.15.0

when I was pusing the new changes in older pr I missed
updating the latest tag to v0.1.0 in csi-operator.yaml
file. Updating now.

Signed-off-by: subhamkrai <srai@redhat.com>
(cherry picked from commit 838f583)

csi: use specific tag instead of latest image (backport #14618)