Merge pull request #793 from red-hat-storage/sync_us--master

Syncing latest changes from upstream master for rook

.github/workflows/build.yml

@@ -25,9 +25,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Set up Helm
         uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
@@ -85,7 +85,7 @@ jobs:
           fetch-depth: 0
 
       - name: setup golang ${{ matrix.go-version }}
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: ${{ matrix.go-version }}
 

.github/workflows/canary-integration-test.yml

@@ -407,8 +407,8 @@ jobs:
         run: |
           toolbox=$(kubectl get pod -l app=rook-ceph-tools-operator-image -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
           s5cmd_version="$(kubectl -n rook-ceph exec ${toolbox} -- /usr/local/bin/s5cmd version)"
-          echo ${s5cmd_version} | grep -q "^v2.2.1"  || {
-             echo " Error: the version of s5cmd version in the  toolbox is not the expected v2.2.1 but ${s5cmd_version}"
+          echo ${s5cmd_version} | grep -q "^v2.3.0"  || {
+             echo " Error: the version of s5cmd version in the  toolbox is not the expected v2.3.0 but ${s5cmd_version}"
              exit 1
           }
 

.github/workflows/canary-test-config/action.yaml

@@ -7,7 +7,7 @@ runs:
     - name: setup golang
       uses: actions/setup-go@v5
       with:
-        go-version: "1.22"
+        go-version: "1.23"
 
     - name: Setup Minikube
       shell: bash --noprofile --norc -eo pipefail -x {0}

.github/workflows/codegen.yml

@@ -34,9 +34,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: run codegen
         run: GOPATH=$(go env GOPATH) make codegen

.github/workflows/commitlint.yml

@@ -31,7 +31,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@3d28780bbf0365e29b144e272b2121204d5be5f3 # v6.1.2
+      - uses: wagoid/commitlint-github-action@0184f5a228ee06430bb9e67d65f73a1a6767496a # v6.2.0
         with:
           configFile: "./.commitlintrc.json"
           helpURL: https://rook.io/docs/rook/latest/Contributing/development-flow/#commit-structure

.github/workflows/crds-gen.yml

@@ -33,9 +33,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: run crds-gen
         run: GOPATH=$(go env GOPATH) make crds

.github/workflows/daily-nightly-jobs.yml

@@ -29,9 +29,9 @@ jobs:
           use-tmate: ${{ secrets.USE_TMATE }}
 
       - name: setup golang
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Install Docker
         run: |

.github/workflows/docs-check.yml

@@ -28,9 +28,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:

.github/workflows/golangci-lint.yaml

@@ -27,14 +27,14 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.55
+          version: v1.62
 
           # Optional: working directory, useful for monorepos
           # working-directory: somedir
@@ -52,9 +52,9 @@ jobs:
     name: govulncheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-         go-version: "1.22.5"
+         go-version: "1.23"
          check-latest: true
       - name: govulncheck
         uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4

.github/workflows/integration-test-config-latest-k8s/action.yaml

@@ -11,7 +11,7 @@ runs:
     - name: setup golang
       uses: actions/setup-go@v5
       with:
-        go-version: "1.22"
+        go-version: "1.23"
 
     - name: Setup Minikube
       shell: bash --noprofile --norc -eo pipefail -x {0}

.github/workflows/mod-check.yml

@@ -33,9 +33,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: run mod check
         run: GOPATH=$(go env GOPATH) make -j $(nproc) mod.check

.github/workflows/multus.yaml

@@ -41,12 +41,12 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Go version
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Create KinD Cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+        uses: helm/kind-action@ae94020eaf628e9b9b9f341a10cc0cdcf5c018fb # v1.11.0
         with:
           config: tests/scripts/multus/kind-config.yaml
           cluster_name: kind

.github/workflows/push-build.yaml

@@ -25,9 +25,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
         # docker/setup-qemu action installs QEMU static binaries, which are used to run builders for architectures other than the host.
       - name: set up QEMU

.github/workflows/rbac-gen.yaml

@@ -33,9 +33,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: run gen-rbac
         run: GOPATH=$(go env GOPATH) make gen-rbac

.github/workflows/scorecards.yml

@@ -64,6 +64,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
         with:
           sarif_file: results.sarif

.github/workflows/unit-test.yml

@@ -41,9 +41,9 @@ jobs:
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
-          go-version: "1.22"
+          go-version: "1.23"
 
       - name: Setup jq
         uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a # v3.0.1

Documentation/CRDs/Object-Storage/ceph-object-store-crd.md

@@ -123,7 +123,7 @@ spec:
   protocols:
     swift:
       accountInUrl: true
-      urlPrefix: /swift
+      urlPrefix: swift
   [...]
 ```
 
@@ -235,6 +235,24 @@ The gateway settings correspond to the RGW daemon settings.
       service.beta.openshift.io/serving-cert-secret-name: <name of TLS secret for automatic generation>
     ```
 
+* `opsLogSidecar`: By default, all RGW logs are included in the main RGW container logs.
+    For enhanced observability of the operations, the [RGW operations log](https://docs.ceph.com/en/latest/radosgw/config-ref/#confval-rgw_enable_ops_log) can be separated from the main RGW container logs by enabling a sidecar.
+    OpsLogSidecar can be enabled by the following example:
+
+```yaml
+  gateway:
+    opsLogSidecar:
+      resources:
+        requests: {}
+        limits: {}
+```
+
+Once enabled, logs can be accessed in RGW pod `ops-log` sidecar containers. For example:
+
+```sh
+kubectl --namespace rook-ceph logs rook-ceph-rgw-my-store-a-59d48474d8-jv7ps --container ops-log
+```
+
 ## Zone Settings
 
 The [zone](../../Storage-Configuration/Object-Storage-RGW/ceph-object-multisite.md) settings allow the object store to join custom created [ceph-object-zone](ceph-object-zone-crd.md).
@@ -349,6 +367,94 @@ vault write -f transit/keys/<mybucketkey> exportable=true # transit engine
 
 * `tokenSecretName` can be (and often will be) the same for both kms and s3 configurations.
 
+## Advanced configuration
+
+!!! warning
+    This feature is intended for advanced users. It allows breaking configurations to be easily
+    applied. Use with caution.
+
+CephObjectStore allows arbitrary Ceph configurations to be applied to RGW daemons that serve the
+object store. [RGW config reference](https://docs.ceph.com/en/latest/radosgw/config-ref/).
+
+Configurations are applied to all RGWs that serve the CephObjectStore. Values must be strings.
+Below is an example showing how different RGW configs and values might be applied. The example is
+intended only to show a selection of value data types.
+
+```yaml
+# THIS SAMPLE IS NOT A RECOMMENDATION
+# ...
+spec:
+  gateway:
+    # ...
+    rgwConfig:
+      debug_rgw: "10" # int
+      # debug-rgw: "20" # equivalent config keys can have dashes or underscores
+      rgw_s3_auth_use_ldap: "true" # bool
+    rgwCommandFlags:
+      rgw_dmclock_auth_res: "100.0" # float
+      rgw_d4n_l1_datacache_persistent_path: /var/log/rook/rgwd4ncache # string
+      rgw_d4n_address: "127.0.0.1:6379" # IP string
+```
+
+* `rgwConfig` - These configurations are applied and modified at runtime, without RGW restart.
+* `rgwCommandFlags` - These configurations are applied as CLI arguments and result in RGW daemons
+    restarting when updates are applied. Restarts are desired behavior for some RGW configs.
+
+!!! note
+    Once an `rgwConfig` is set, it will not be removed from Ceph's central config store when removed
+    from the `rgwConfig` spec. Be sure to specifically set values back to their defaults once done.
+    With this in mind, `rgwCommandFlags` may be a better choice for temporary config values like
+    debug levels.
+
+### Example - debugging
+
+Users are often asked to provide RGW logs at a high log level when troubleshooting complex issues.
+Apply log levels to RGWs easily using `rgwCommandFlags`.
+
+This spec will restart the RGW(s) with the highest level debugging enabled.
+
+```yaml
+# ...
+spec:
+  gateway:
+    # ...
+    rgwCommandFlags:
+      debug_ms: "20"
+      debug_rgw: "20"
+```
+
+Once RGW debug logging is no longer needed, the values can simply be removed from the spec.
+
+### Example - usage with `additionalVolumeMounts`
+
+This sample configuration below demonstrates how advanced configuration can be used alongside
+`additionalVolumeMounts`. This hypothetical scenario shows how a Kubernetes secret containing an
+LDAP secret might be mounted to the RGW pod and how RGW would be configured to reference the mounted
+secret file.
+
+```yaml
+  # ...
+  gateway:
+    # ...
+    rgwConfig:
+      rgw_ldap_secret: /var/rgw/ldap/bindpass.secret
+    additionalVolumeMounts:
+      - subPath: ldap
+        volumeSource:
+          secret:
+            secretName: rgw-ldap
+            defaultMode: 0600
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: rgw-ldap
+    namespace: rook-ceph
+type: Opaque
+data:
+    "bindpass.secret": aGVsbG8ud29ybGQK # hello.world
+```
+
 ## Deleting a CephObjectStore
 
 During deletion of a CephObjectStore resource, Rook protects against accidental or premature