Support Data Repository Associations for Lusture 2.12 or newer filesystems(e.g. PERSISTENT_2 deployment type)

[everpeace]

Is this a bug fix or adding new feature?

new feature
fixes #367

What is this PR about? / Why do we need it?

This PR supports Data Repository Association(API reference) for Lusture 2.12 or newer filesystems(e.g. PERSISTENT_2 deployment type) like below:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: fsx-sc
provisioner: fsx.csi.aws.com
parameters:
  subnetId: subnet-0d7b5e117ad7b4961
  securityGroupIds: sg-05a37bfe01467059a
  deploymentType: PERSISTENT_2
  perUnitStorageThroughput: "125"
  # User can specify multiple data repository associations like this
  dataRepositoryAssociations: |
    - batchImportMetaDataOnCreate: true
      dataRepositoryPath: s3://ml-training-data-000
      fileSystemPath: /ml-training-data-000
      s3:
        autoExportPolicy:
          events: ["NEW", "CHANGED", "DELETED" ]
        autoImportPolicy:
          events: ["NEW", "CHANGED", "DELETED" ]
    - batchImportMetaDataOnCreate: true
      dataRepositoryPath: s3://ml-training-data-001
      fileSystemPath: /ml-training-data-001
      s3:
        autoExportPolicy:
          events: ["NEW", "CHANGED", "DELETED" ]
        autoImportPolicy:
          events: ["NEW", "CHANGED", "DELETED" ]

  # NOTE: These parameters can't be set when using　dataRepositoryAssociations
  #       as document explained:: https://docs.aws.amazon.com/fsx/latest/APIReference/API_CreateFileSystemLustreConfiguration.html
  # s3ImportPath: s3://ml-training-data-000
  # s3ExportPath: s3://ml-training-data-000/export
  # autoImportPolicy: NEW_CHANGED

What testing is done?

make test

# with setting GINKGO_FOCUS=".*fsx-csi-e2e.*PERSISTENT_2.*"
make test-e2e 

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: everpeace
Once this PR has been reviewed and has the lgtm label, please assign olemarkus for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[everpeace]

/retest pull-aws-fsx-csi-driver-e2e

[k8s-ci-robot]

@everpeace: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test pull-aws-fsx-csi-driver-e2e
• /test pull-aws-fsx-csi-driver-unit
• /test pull-aws-fsx-csi-driver-verify

Use /test all to run all jobs.

In response to this:

/retest pull-aws-fsx-csi-driver-e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[everpeace]

/test pull-aws-fsx-csi-driver-e2e

[jacobwolfaws]

If I understand correctly, this would be if there are multiple DRAs with the same association id, not multiple associations with the same volume.

[everpeace]

Thanks. fixed in bba7484.

[everpeace]

@jacobwolfaws Thank you for the quick review. I addressed your feedbacks. PTAL 🙇

[everpeace]

Should we make the default provisioner timeout longer in helm chart? It is because it often takes more time to prepare an FSx filesystem when it has data repository associations.

Single FSx for Lusture fielsystem can have up to 8 data repository associations.

In my experience, it usually takes around 7-10 minutes to make single data repository associations available even for empty S3 bucket.
Moreover, setting up data repository associations on the specific filesystem looks like sequential.

So, I think 90 min = 10x8 min (data repository associations) + 5 min (FSx filesystem) + <buffer> would be safe because the current CreateVolume operation is synchronous operation and not be safe when timeout happened.

What do you think??

[jacobwolfaws]

I think keeping the default timer the same + clearly documenting the need to change the timeout if using DRAs would be the correct move. This ensures consistent behavior for users who aren't using DRAs. Extending it is a one way door (because reducing the timeout would break compatibility for users who are using a large number of DRAs).

[everpeace]

Extending it is a one way door (because reducing the timeout would break compatibility for users who are using a large number of DRAs)

It makes sense.

the default timer the same + clearly documenting the need to change the timeout if using DRAs would be the correct move

OK. let me add the documentation.

[everpeace]

addressed in below commits:

• 03a32dc
• fafc9e9

[jacobwolfaws]

I'm not sure about the information for users, it seems like users using DRAs will still be fine in most cases:
https://github.com/kubernetes-csi/external-provisioner?tab=readme-ov-file
https://github.com/kubernetes-csi/external-provisioner?tab=readme-ov-file#csi-error-and-timeout-handling
The CreateVolume will timeout and other ones will be made with an exponential backoff. It's only in the case of a large number of DRAs where this will be an issue.

[everpeace]

/test pull-aws-fsx-csi-driver-e2e

[jacobwolfaws]

What's the value of creating a separate file for this vs. putting it in the values.yaml:
https://github.com/kubernetes-sigs/aws-fsx-csi-driver/blob/master/charts/aws-fsx-csi-driver/values.yaml#L42-L67

[everpeace]

This file is for manifests only for kustomize. values.yaml is dedicated to helm chart. I understand this driver supports both kustomize and helm.

In kustomize, injecting parameter in building manifest needs a bit hack. This env file is needed for kustomize users to change timeout value. I also updated install.md as below:

https://github.com/everpeace/aws-fsx-csi-driver/blob/suppor-dra/docs/install.md#deploy-driver

# To set CSI controller's provisioner timeout,
# Please follow the instruction
$ cd $(mktemp -d)
$ kustomize init
$ kustomize edit add resource "github.com/kubernetes-sigs/aws-fsx-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.1"
$ kustomize edit add configmap fsx-csi-controller --from-literal=CONTROLLER_PROVISIONER_TIMEOUT=30m --behavior=merge
$ kubectl apply -k .

[jacobwolfaws]

I think we should avoid hacks when possible and this seems like an avoidable instance. If users want to configure their kustomize templates, they can download them, configure them, and deploy them freely. We should follow precedent in terms of implementation, which is to put it in the values.yaml.

[jacobwolfaws]

I'm not sure about the information for users, it seems like users using DRAs will still be fine in most cases:
https://github.com/kubernetes-csi/external-provisioner?tab=readme-ov-file
https://github.com/kubernetes-csi/external-provisioner?tab=readme-ov-file#csi-error-and-timeout-handling
The CreateVolume will timeout and other ones will be made with an exponential backoff. It's only in the case of a large number of DRAs where this will be an issue.

[jacobwolfaws]

I think we should avoid hacks when possible and this seems like an avoidable instance. If users want to configure their kustomize templates, they can download them, configure them, and deploy them freely. We should follow precedent in terms of implementation, which is to put it in the values.yaml.

[jacobwolfaws]

If PollCheckTimeout < provisionerTimeout, the provisionerTimeout will always kill the CreateVolume call before it the PollCheckTimeout is hit. I don't think incrementing this should make a difference