Add Quota limit support on COS CSI (#291)

Author: Prachi030510

go.mod

@@ -4,7 +4,7 @@ go 1.24.5
 
 require (
 	github.com/IBM/go-sdk-core/v5 v5.21.0
-	github.com/IBM/ibm-cos-sdk-go v1.12.2
+	github.com/IBM/ibm-cos-sdk-go v1.12.3
 	github.com/IBM/ibm-cos-sdk-go-config/v2 v2.3.0
 	github.com/IBM/ibm-csi-common v1.1.21
 	github.com/IBM/ibmcloud-volume-interface v1.2.20

go.sum

@@ -4,8 +4,8 @@ github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU
 github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/IBM/go-sdk-core/v5 v5.21.0 h1:DUnYhvC4SoC8T84rx5omnhY3+xcQg/Whyoa3mDPIMkk=
 github.com/IBM/go-sdk-core/v5 v5.21.0/go.mod h1:Q3BYO6iDA2zweQPDGbNTtqft5tDcEpm6RTuqMlPcvbw=
-github.com/IBM/ibm-cos-sdk-go v1.12.2 h1:71A4tDl8u6BZ548h71ecEe7fw5bBA7ECTVqYmeSQWQA=
-github.com/IBM/ibm-cos-sdk-go v1.12.2/go.mod h1:ODYcmrmdpjo5hVguq9RbD6xmC8xb1XZMG7NefUbJNcc=
+github.com/IBM/ibm-cos-sdk-go v1.12.3 h1:kMIs1nfPY0UXAMcW6bq8O9WOd6KgqiDBnIMd0e/fMqA=
+github.com/IBM/ibm-cos-sdk-go v1.12.3/go.mod h1:dt13UIqJRgfGIlSNlnf17JmAXlBXhfTgXLKV3as8ABk=
 github.com/IBM/ibm-cos-sdk-go-config/v2 v2.3.0 h1:956Nqk0eKI3lq+AkzWXZDid4UZHRz0wWh1LwkleBsWk=
 github.com/IBM/ibm-cos-sdk-go-config/v2 v2.3.0/go.mod h1:chnQxV+i38wD0aIi4KNU5bP2uzPtc7EHqB3/8Rhyjlg=
 github.com/IBM/ibm-csi-common v1.1.21 h1:/OmjpF+YgmkLmtehFmmfWp9kHGP9iMNkTU/KQDYXzrY=

pkg/constants/constants.go

@@ -43,7 +43,9 @@ const (
 	SecretNameKey      = "cos.csi.driver/secret"           // #nosec G101 -- false positive, this is not a credential
 	SecretNamespaceKey = "cos.csi.driver/secret-namespace" // #nosec G101 -- false positive, this is not a credential
 
-	BucketVersioning = "bucketVersioning"
+	BucketVersioning      = "bucketVersioning"
+	QuotaLimitKey         = "quotaLimit"
+	ResourceConfigApiKey  = "resourceConfigApiKey" // #nosec G101 -- this is just a map key name, not a real credential
 
 	IsNodeServer         = "IS_NODE_SERVER"
 	KubeNodeName         = "KUBE_NODE_NAME"

pkg/driver/controllerserver.go

@@ -16,6 +16,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"strconv"
 	"strings"
 	"time"
 
@@ -50,6 +51,7 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 		pvcName            string
 		pvcNamespace       string
 		bucketVersioning   string
+		quotaLimitEnabled  bool
 	)
 
 	modifiedRequest, err := utils.ReplaceAndReturnCopy(req)
@@ -60,7 +62,7 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 
 	volumeName, err := sanitizeVolumeID(req.GetName())
 	if err != nil {
-		return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Error in sanitizeVolumeID  %v", err))
+		return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Error in sanitizeVolumeID %v", err))
 	}
 	volumeID := volumeName
 	if len(volumeID) == 0 {
@@ -141,6 +143,28 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 
 		secretMap = secretMapCustom
 	}
+	if quotaLimitStr, ok := secretMap[constants.QuotaLimitKey]; ok && quotaLimitStr != "" {
+		klog.Infof("quotaLimit from secretMap: %q", quotaLimitStr)
+		quotaLimitEnabled, err = strconv.ParseBool(quotaLimitStr)
+		if err != nil {
+			return nil, status.Error(codes.InvalidArgument,
+				fmt.Sprintf("invalid quotaLimit value %q: must be 'true' or 'false'", quotaLimitStr))
+		}
+
+		if quotaLimitEnabled {
+			if secretMap[constants.ResourceConfigApiKey] == "" {
+				return nil, status.Error(codes.InvalidArgument,
+					"resourceConfigApiKey missing in secret, cannot set quota limit for bucket")
+			}
+
+			quotaBytes := req.GetCapacityRange().GetRequiredBytes()
+			if quotaBytes <= 0 {
+				return nil, status.Error(codes.InvalidArgument,
+					"enable quotaLimit requested but no positive storage size requested in PVC")
+			}
+			klog.Infof("enable quota limit requested with %d bytes", quotaBytes)
+		}
+	}
 
 	endPoint = secretMap["cosEndpoint"]
 	if endPoint == "" {
@@ -216,6 +240,22 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 			klog.Infof("Created bucket: %s", bucketName)
 		}
 
+		if quotaLimitEnabled {
+			quotaBytes := req.GetCapacityRange().GetRequiredBytes()
+			resConfApikey := secretMap[constants.ResourceConfigApiKey]
+
+			klog.Infof("Applying hard quota of %d bytes to bucket %s", quotaBytes, bucketName)
+			err = sess.UpdateQuotaLimit(quotaBytes, resConfApikey, bucketName, endPoint, creds.IAMEndpoint)
+			if err != nil {
+				klog.Errorf("Failed to set quota limit on bucket %s: %v", bucketName, err)
+				if params["userProvidedBucket"] == "false" {
+					_ = sess.DeleteBucket(bucketName)
+				}
+				return nil, status.Error(codes.Internal, fmt.Sprintf("failed to set bucket quota limit: %v", err))
+			}
+			klog.Infof("Successfully applied hard quota %d bytes to bucket %s", quotaBytes, bucketName)
+		}
+
 		if bucketVersioning != "" {
 			enable := strings.ToLower(strings.TrimSpace(bucketVersioning)) == "true"
 			klog.Infof("Bucket versioning value evaluated to: %t", enable)
@@ -247,6 +287,20 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 			return nil, status.Error(codes.PermissionDenied, fmt.Sprintf("%v: %v", err, tempBucketName))
 		}
 
+		if quotaLimitEnabled {
+			quotaBytes := req.GetCapacityRange().GetRequiredBytes()
+			resConfApikey := secretMap[constants.ResourceConfigApiKey]
+
+			klog.Infof("Applying hard quota of %d bytes to temp bucket %s", quotaBytes, tempBucketName)
+			err = sess.UpdateQuotaLimit(quotaBytes, resConfApikey, tempBucketName, endPoint, creds.IAMEndpoint)
+			if err != nil {
+				klog.Errorf("Failed to set quota limit on temp bucket %s: %v", tempBucketName, err)
+				_ = sess.DeleteBucket(tempBucketName)
+				return nil, status.Error(codes.Internal, fmt.Sprintf("failed to set bucket quota limit: %v", err))
+			}
+			klog.Infof("Successfully applied hard quota %d bytes to temp bucket %s", quotaBytes, tempBucketName)
+		}
+
 		if bucketVersioning != "" {
 			enable := strings.ToLower(strings.TrimSpace(bucketVersioning)) == "true"
 			klog.Infof("Temp bucket versioning value evaluated to: %t", enable)
@@ -505,6 +559,8 @@ func parseCustomSecret(secret *v1.Secret) map[string]string {
 		locationConstraint string
 		bucketVersioning   string
 		objectPath         string
+		resConfApiKey      string
+		quotaLimit         string
 	)
 
 	if bytesVal, ok := secret.Data["accessKey"]; ok {
@@ -551,6 +607,13 @@ func parseCustomSecret(secret *v1.Secret) map[string]string {
 		objectPath = string(bytesVal)
 	}
 
+	if bytesVal, ok := secret.Data[constants.ResourceConfigApiKey]; ok {
+		resConfApiKey = string(bytesVal)
+	}
+	if bytesVal, ok := secret.Data[constants.QuotaLimitKey]; ok {
+		quotaLimit = string(bytesVal)
+	}
+
 	secretMapCustom["accessKey"] = accessKey
 	secretMapCustom["secretKey"] = secretKey
 	secretMapCustom["apiKey"] = apiKey
@@ -562,6 +625,8 @@ func parseCustomSecret(secret *v1.Secret) map[string]string {
 	secretMapCustom["locationConstraint"] = locationConstraint
 	secretMapCustom[constants.BucketVersioning] = bucketVersioning
 	secretMapCustom["objectPath"] = objectPath
+	secretMapCustom[constants.ResourceConfigApiKey] = resConfApiKey
+	secretMapCustom[constants.QuotaLimitKey] = quotaLimit
 
 	return secretMapCustom
 }