Merge pull request #1 from ceresimaging/expose-rclone-rc-api

marcelofernandez · web-flow · commit 452345ee81ec · 2025-04-23T14:10:06.000-03:00
Expose rclone rc api to the cluster internal network
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-v3.0.1
+v3.1-ceres
diff --git a/deploy/kubernetes/1.20/csi-controller-rbac.yaml b/deploy/kubernetes/1.20/csi-controller-rbac.yaml
@@ -64,3 +64,29 @@ roleRef:
   kind: ClusterRole
   name: external-controller-rclone
   apiGroup: rbac.authorization.k8s.io
+---
+# Add a Role for service management
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-nodeplugin-rclone-service-role
+  namespace: csi-rclone
+rules:
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+# Add a RoleBinding to bind the role to the ServiceAccount
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-nodeplugin-rclone-service-binding
+  namespace: csi-rclone
+subjects:
+  - kind: ServiceAccount
+    name: csi-nodeplugin-rclone
+    namespace: csi-rclone
+roleRef:
+  kind: Role
+  name: csi-nodeplugin-rclone-service-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kubernetes/1.20/csi-controller-rclone.yaml b/deploy/kubernetes/1.20/csi-controller-rclone.yaml
@@ -47,7 +47,7 @@ spec:
             - name: socket-dir
               mountPath: /plugin
         - name: rclone
-          image: ghcr.io/ceresimaging/csi-rclone:v3.0.1
+          image: ghcr.io/ceresimaging/csi-rclone:v3.1-ceres
           args :
             - "/bin/csi-rclone-plugin"
             - "--nodeid=$(NODE_ID)"
diff --git a/deploy/kubernetes/1.20/csi-nodeplugin-rbac.yaml b/deploy/kubernetes/1.20/csi-nodeplugin-rbac.yaml
@@ -25,6 +25,9 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["services", "endpoints"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/deploy/kubernetes/1.20/csi-nodeplugin-rclone.yaml b/deploy/kubernetes/1.20/csi-nodeplugin-rclone.yaml
@@ -51,7 +51,7 @@ spec:
             capabilities:
               add: ["SYS_ADMIN"]
             allowPrivilegeEscalation: true
-          image: ghcr.io/ceresimaging/csi-rclone:v3.0.1
+          image: ghcr.io/ceresimaging/csi-rclone:v3.1-ceres
           args:
             - "/bin/csi-rclone-plugin"
             - "--nodeid=$(NODE_ID)"
diff --git a/deploy/kubernetes/1.20/csi-rclone-storageclass.yaml b/deploy/kubernetes/1.20/csi-rclone-storageclass.yaml
@@ -8,4 +8,5 @@ volumeBindingMode: WaitForFirstConsumer
 # You will need to delete storageclass to update this field
 # provisioner: csi-rclone
 # parameters:
+#   exposeRc: "true"
 #   pathPattern: "${.PVC.namespace}/${.PVC.annotations.csi-rclone/storage-path}"
diff --git a/example/kubernetes/nginx-example.yaml b/example/kubernetes/nginx-example.yaml
@@ -1,3 +1,4 @@
+# Example of Static Provisioning with Persistent Volumes using Rclone CSI Driver
 apiVersion: v1
 kind: PersistentVolume
 metadata:
@@ -9,7 +10,7 @@ spec:
   - ReadWriteMany
   capacity:
     storage: 10Gi
-  storageClassName: rclone
+  storageClassName: ""
   csi:
     driver: csi-rclone
     volumeHandle: data-id
@@ -20,6 +21,7 @@ spec:
       s3-endpoint: "http://minio.minio:9000"
       s3-access-key-id: "ACCESS_KEY_ID"
       s3-secret-access-key: "SECRET_ACCESS_KEY"
+      exposeRc: "true"  # This enables the rclone RC API
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -31,7 +33,7 @@ spec:
   resources:
     requests:
       storage: 10Gi
-  storageClassName: rclone
+  storageClassName: ""
   selector:
     matchLabels:
       name: data-rclone-example
diff --git a/example/kubernetes/nginx-pvc-example.yaml b/example/kubernetes/nginx-pvc-example.yaml
@@ -1,10 +1,12 @@
+# Example of Dynamic provisioning with PersistentVolumeClaim using rclone CSI driver
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: data-rclone-example
   annotations:
     csi-rclone/storage-path: nginx
     csi-rclone/umask: "022"
+    csi-rclone/exposeRc: "true"  # This creates a K8s service exposing the rclone RC API
 spec:
   accessModes:
   - ReadWriteMany
diff --git a/pkg/rclone/controller.go b/pkg/rclone/controller.go
@@ -119,8 +119,8 @@ func (cs *controllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 			if strings.HasPrefix(key, "csi-rclone/") {
 				key = strings.TrimPrefix(key, "csi-rclone/")
 
-				// Only allow some keys (umask, uid) to be passed to the volume context to avoid security issues
-				if key == "umask" {
+				// Only allow some keys (umask, uid, exposeRc) to be passed to the volume context to avoid security issues
+				if key == "umask" || key == "exposeRc" {
 					volumeContext[key] = value
 				}
 			}
diff --git a/pkg/rclone/nodeserver.go b/pkg/rclone/nodeserver.go

Original file line number	Diff line number	Diff line change
`@@ -119,8 +119,8 @@ func (cs controllerServer) CreateVolume(ctx context.Context, req csi.CreateVol`
`119`	`119`	`if strings.HasPrefix(key, "csi-rclone/") {`
`120`	`120`	`key = strings.TrimPrefix(key, "csi-rclone/")`
`121`	`121`
`122`		`- // Only allow some keys (umask, uid) to be passed to the volume context to avoid security issues`
`123`		`- if key == "umask" {`
	`122`	`+ // Only allow some keys (umask, uid, exposeRc) to be passed to the volume context to avoid security issues`
	`123`	`+ if key == "umask" \|\| key == "exposeRc" {`
`124`	`124`	`volumeContext[key] = value`
`125`	`125`	`}`
`126`	`126`	`}`