Merge pull request #1448 from xing-yang/cleanup

Allow provisioning to proceed to prevent leaking resources

Author: k8s-ci-robot

pkg/controller/controller.go

@@ -150,7 +150,8 @@ const (
 
 	snapshotNotBound = "snapshot %s not bound"
 
-	pvcCloneFinalizer = "provisioner.storage.kubernetes.io/cloning-protection"
+	pvcCloneFinalizer                 = "provisioner.storage.kubernetes.io/cloning-protection"
+	snapshotSourceProtectionFinalizer = "snapshot.storage.kubernetes.io/volumesnapshot-as-source-protection"
 
 	annAllowVolumeModeChange = "snapshot.storage.kubernetes.io/allow-volume-mode-change"
 )
@@ -1161,7 +1162,15 @@ func (p *csiProvisioner) getSnapshotSource(ctx context.Context, claim *v1.Persis
 	}
 
 	if snapshotObj.ObjectMeta.DeletionTimestamp != nil {
-		return nil, fmt.Errorf("snapshot %s is currently being deleted", dataSource.Name)
+		// VolumeSnapshot is being deleted. Check if provisioning already started by looking for
+		// the specific finalizer added by external-snapshotter when a snapshot is used as a data source.
+		// If the finalizer exists, it means provisioning was started before deletion began,
+		// so we should continue to prevent resource leaks.
+		// If the finalizer doesn't exist, this is a new provisioning attempt and should be rejected.
+		if !checkFinalizer(snapshotObj, snapshotSourceProtectionFinalizer) {
+			return nil, fmt.Errorf("snapshot %s is being deleted", dataSource.Name)
+		}
+		klog.V(3).Infof("Snapshot %s/%s is being deleted but has volumesnapshot-as-source-protection finalizer, allowing provisioning to continue", dataSource.Namespace, dataSource.Name)
 	}
 	klog.V(5).Infof("VolumeSnapshot %+v", snapshotObj)
 

pkg/controller/controller_test.go

@@ -2946,29 +2946,32 @@ func TestProvisionFromSnapshot(t *testing.T) {
 	}
 
 	type testcase struct {
-		volOpts                           controller.ProvisionOptions
-		restoredVolSizeSmall              bool
-		wrongDataSource                   bool
-		snapshotStatusReady               bool
-		expectedPVSpec                    *pvSpec
-		expectErr                         bool
-		expectCSICall                     bool
-		notPopulated                      bool
-		misBoundSnapshotContentUID        bool
-		misBoundSnapshotContentNamespace  bool
-		misBoundSnapshotContentName       bool
-		nilBoundVolumeSnapshotContentName bool
-		nilSnapshotStatus                 bool
-		nilReadyToUse                     bool
-		nilContentStatus                  bool
-		nilSnapshotHandle                 bool
-		allowVolumeModeChange             bool
-		xnsEnabled                        bool // set to use CrossNamespaceVolumeDataSource feature, default false
-		snapNamespace                     string
-		withreferenceGrants               bool // set to use ReferenceGrant, default false
-		refGrantsrcNamespace              string
-		referenceGrantFrom                []gatewayv1beta1.ReferenceGrantFrom
-		referenceGrantTo                  []gatewayv1beta1.ReferenceGrantTo
+		volOpts                                  controller.ProvisionOptions
+		restoredVolSizeSmall                     bool
+		wrongDataSource                          bool
+		snapshotStatusReady                      bool
+		expectedPVSpec                           *pvSpec
+		expectErr                                bool
+		expectCSICall                            bool
+		notPopulated                             bool
+		misBoundSnapshotContentUID               bool
+		misBoundSnapshotContentNamespace         bool
+		misBoundSnapshotContentName              bool
+		nilBoundVolumeSnapshotContentName        bool
+		nilSnapshotStatus                        bool
+		nilReadyToUse                            bool
+		nilContentStatus                         bool
+		nilSnapshotHandle                        bool
+		allowVolumeModeChange                    bool
+		snapshotBeingDeleted                     bool // set DeletionTimestamp on snapshot
+		snapshotWithoutSourceProtectionFinalizer bool // simulate snapshot being deleted without the volumesnapshot-as-source-protection finalizer
+		snapshotWithDifferentFinalizer           bool // simulate snapshot with a different finalizer (not the source protection one)
+		xnsEnabled                               bool // set to use CrossNamespaceVolumeDataSource feature, default false
+		snapNamespace                            string
+		withreferenceGrants                      bool // set to use ReferenceGrant, default false
+		refGrantsrcNamespace                     string
+		referenceGrantFrom                       []gatewayv1beta1.ReferenceGrantFrom
+		referenceGrantTo                         []gatewayv1beta1.ReferenceGrantTo
 	}
 	testcases := map[string]testcase{
 		"provision with volume snapshot data source": {
@@ -4486,6 +4489,123 @@ func TestProvisionFromSnapshot(t *testing.T) {
 			referenceGrantFrom:   []gatewayv1beta1.ReferenceGrantFrom{},
 			referenceGrantTo:     []gatewayv1beta1.ReferenceGrantTo{},
 		},
+		"provision with snapshot being deleted without source-protection-finalizer should fail": {
+			volOpts: controller.ProvisionOptions{
+				StorageClass: &storagev1.StorageClass{
+					ReclaimPolicy: &deletePolicy,
+					Parameters:    map[string]string{},
+					Provisioner:   "test-driver",
+				},
+				PVName: "test-name",
+				PVC: &v1.PersistentVolumeClaim{
+					ObjectMeta: metav1.ObjectMeta{
+						UID:         "testid",
+						Annotations: driverNameAnnotation,
+					},
+					Spec: v1.PersistentVolumeClaimSpec{
+						StorageClassName: &snapClassName,
+						Resources: v1.VolumeResourceRequirements{
+							Requests: v1.ResourceList{
+								v1.ResourceName(v1.ResourceStorage): resource.MustParse(strconv.FormatInt(requestedBytes, 10)),
+							},
+						},
+						AccessModes: []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+						DataSource: &v1.TypedLocalObjectReference{
+							Name:     snapName,
+							Kind:     "VolumeSnapshot",
+							APIGroup: &apiGrp,
+						},
+					},
+				},
+			},
+			snapshotStatusReady:                      true,
+			snapshotBeingDeleted:                     true,
+			snapshotWithoutSourceProtectionFinalizer: true,
+			expectErr:                                true,
+		},
+		"provision with snapshot being deleted with different finalizer (not source-protection) should fail": {
+			volOpts: controller.ProvisionOptions{
+				StorageClass: &storagev1.StorageClass{
+					ReclaimPolicy: &deletePolicy,
+					Parameters:    map[string]string{},
+					Provisioner:   "test-driver",
+				},
+				PVName: "test-name",
+				PVC: &v1.PersistentVolumeClaim{
+					ObjectMeta: metav1.ObjectMeta{
+						UID:         "testid",
+						Annotations: driverNameAnnotation,
+					},
+					Spec: v1.PersistentVolumeClaimSpec{
+						StorageClassName: &snapClassName,
+						Resources: v1.VolumeResourceRequirements{
+							Requests: v1.ResourceList{
+								v1.ResourceName(v1.ResourceStorage): resource.MustParse(strconv.FormatInt(requestedBytes, 10)),
+							},
+						},
+						AccessModes: []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+						DataSource: &v1.TypedLocalObjectReference{
+							Name:     snapName,
+							Kind:     "VolumeSnapshot",
+							APIGroup: &apiGrp,
+						},
+					},
+				},
+			},
+			snapshotStatusReady:            true,
+			snapshotBeingDeleted:           true,
+			snapshotWithDifferentFinalizer: true,
+			expectErr:                      true,
+		},
+		"provision with snapshot being deleted with source-protection-finalizer should proceed for cleanup": {
+			volOpts: controller.ProvisionOptions{
+				StorageClass: &storagev1.StorageClass{
+					ReclaimPolicy: &deletePolicy,
+					Parameters:    map[string]string{},
+					Provisioner:   "test-driver",
+				},
+				PVName: "test-name",
+				PVC: &v1.PersistentVolumeClaim{
+					ObjectMeta: metav1.ObjectMeta{
+						UID:         "testid",
+						Annotations: driverNameAnnotation,
+					},
+					Spec: v1.PersistentVolumeClaimSpec{
+						StorageClassName: &snapClassName,
+						Resources: v1.VolumeResourceRequirements{
+							Requests: v1.ResourceList{
+								v1.ResourceName(v1.ResourceStorage): resource.MustParse(strconv.FormatInt(requestedBytes, 10)),
+							},
+						},
+						AccessModes: []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+						DataSource: &v1.TypedLocalObjectReference{
+							Name:     snapName,
+							Kind:     "VolumeSnapshot",
+							APIGroup: &apiGrp,
+						},
+					},
+				},
+			},
+			snapshotStatusReady:  true,
+			snapshotBeingDeleted: true,
+			expectedPVSpec: &pvSpec{
+				Name:          "test-testi",
+				ReclaimPolicy: v1.PersistentVolumeReclaimDelete,
+				AccessModes:   []v1.PersistentVolumeAccessMode{v1.ReadWriteOnce},
+				Capacity: v1.ResourceList{
+					v1.ResourceName(v1.ResourceStorage): bytesToQuantity(requestedBytes),
+				},
+				CSIPVS: &v1.CSIPersistentVolumeSource{
+					Driver:       "test-driver",
+					VolumeHandle: "test-volume-id",
+					FSType:       "ext4",
+					VolumeAttributes: map[string]string{
+						"storage.kubernetes.io/csiProvisionerIdentity": "test-provisioner",
+					},
+				},
+			},
+			expectCSICall: true,
+		},
 	}
 
 	tmpdir := tempDir(t)
@@ -4516,6 +4636,19 @@ func TestProvisionFromSnapshot(t *testing.T) {
 			if tc.nilReadyToUse {
 				snap.Status.ReadyToUse = nil
 			}
+			if tc.snapshotBeingDeleted {
+				deletionTime := metav1.Now()
+				snap.ObjectMeta.DeletionTimestamp = &deletionTime
+				// Set up finalizers based on what the test is checking:
+				// - snapshotWithDifferentFinalizer: add a different finalizer to verify we check for the specific source-protection one
+				// - snapshotWithoutSourceProtectionFinalizer: don't add any finalizers (simulates new provisioning attempt)
+				// - default: add the volumesnapshot-as-source-protection finalizer (simulates in-flight provisioning)
+				if tc.snapshotWithDifferentFinalizer {
+					snap.ObjectMeta.Finalizers = []string{"some-other-finalizer"}
+				} else if !tc.snapshotWithoutSourceProtectionFinalizer {
+					snap.ObjectMeta.Finalizers = []string{"snapshot.storage.kubernetes.io/volumesnapshot-as-source-protection"}
+				}
+			}
 			return true, snap, nil
 		})