Skip to content

Add vast-cosi 2.6.5 community pack (VAST COSI S3 driver)#254

Open
blik616287 wants to merge 2 commits into
spectrocloud:mainfrom
blik616287:add-vast-cosi-pack-2.6.5
Open

Add vast-cosi 2.6.5 community pack (VAST COSI S3 driver)#254
blik616287 wants to merge 2 commits into
spectrocloud:mainfrom
blik616287:add-vast-cosi-pack-2.6.5

Conversation

@blik616287

Copy link
Copy Markdown
Contributor

Purpose

New community pack: VAST Data COSI Driver (S3) (vast-cosi, v2.6.5). Provisions S3 object-storage buckets on a VAST Data cluster via the Kubernetes Container Object Storage Interface (COSI) — a BucketClaim is satisfied by a VAST view with the S3 protocol on a tenant VIP pool. Helm-based with build-on-deploy (0-CVE wolfi-base as the only pack-content image; the VAST driver + COSI sidecar craned at deploy). It also bundles the v1alpha1 COSI CRDs and the matching central objectstorage-controller so BucketClaimBucket provisioning works out of the box (the controller image is pinned to v0.1.0/v1alpha1 to match the driver's API).

Conventions

  • pack.json schema-conformant (version 2.6.5, no v prefix).
  • validate-values.sh packs/vast-cosi-2.6.5/values.yamlSUCCESS, 0 errors / 0 warnings.
  • Container images listed under pack.content.images (wolfi-base, vastdataorg/csi:v2.6.5, objectstorage-controller:v20220915-v0.1.0-...).
  • README.md follows the repo README template.

Scenarios validated

  • Local (kind): render + install + build-on-deploy init exits 0; bundled COSI CRDs + controller install.
  • Live (Palette-deployed AWS IaaS cluster → VAST VoC cluster): created a BucketClaim against the BucketClass → the bundled controller produced a BucketbucketReady=true, bucket provisioned on VAST (S3 endpoint on the tenant VIP).

Notes

One of three VAST storage packs submitted as separate PRs: vast-csi, vast-cosi (this), vast-block.

@bulwark-spectrocloud bulwark-spectrocloud Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ CVE scan completed successfully.

Scan Summary:

  • Total images scanned: 3
  • Clean images: 1
  • Images with CVEs: 2
  • Total CVEs found: 4780

🔴 Critical CVEs: 19
🟠 High CVEs: 675
🟡 Medium CVEs: 2336
🟢 Low CVEs: 1750

Images with CVEs:

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

@blik616287

Copy link
Copy Markdown
Contributor Author

Image / CVE note (re: reported vulnerabilities)

Two reasons vast-cosi shows more CVEs than vast-csi/vast-block:

  1. vastdataorg/csi:v2.6.5 — the VAST driver, a Python/poetry app on RedHat UBI9. It is not craneable onto wolfi-base: the build-on-deploy matched-ld swap targets a single static ELF (the Go COSI sidecar), but the driver is the Python interpreter + a full native-extension dependency tree, and it does privileged host I/O. So it ships as the vendor image (UBI9-minimal, RedHat-vendor-tracked CVEs). A 0-CVE driver requires a Chainguard/distroless build from VAST upstream.
  2. objectstorage-controller:v20220915-v0.1.0-8-g0e0ba7c — the bundled central COSI controller, a 2022 image pinned to v0.1.0 for the v1alpha1 API the VAST driver/sidecar speak. Its older base adds CVEs. It can be bumped to the newer v0.1.2-alpha1 (2024) gcr tag — same v1alpha1 API, fresher base — to cut the count; happy to do that here if preferred.

The Go COSI sidecar itself is craned onto 0-CVE wolfi-base. security-scans/pax-cve passed (reported, not gating).

Additional validation evidence

Conventions

validate-values.sh packs/vast-cosi-2.6.5/values.yaml  ->  Errors: 0  Warnings: 0  (SUCCESS)
pack.json: name/displayName/version/layer present; version 2.6.5 (no 'v')
pack.content.images: wolfi-base, vastdataorg/csi:v2.6.5, objectstorage-controller:...v0.1.0...

Bundled (so BucketClaim -> Bucket works out of the box, no separate COSI install):

v1alpha1 COSI CRDs: bucketclaims, buckets, bucketaccesses, bucketaccessclasses (+ bucketclasses)
central controller: objectstorage-controller (v1alpha1)  ->  1/1 Running
cosi-vast-provisioner (driver + sidecar)                 ->  2/2 Running

Live (Palette-deployed AWS IaaS cluster -> VAST VoC), end-to-end:

# BucketClass appears automatically from the pack
$ kubectl get bucketclass
vastdata-bucket

# BucketClaim -> Bucket provisioned on VAST
$ kubectl get bucketclaim
ready=true   bucket=vastdata-bucketc22d23f7-...
# controller log: "Add Bucket success" bucketID=...@https://<tenant-VIP>:443

@kreeuwijk kreeuwijk left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@JPedro2
JPedro2 self-requested a review June 30, 2026 06:08

@bulwark-spectrocloud bulwark-spectrocloud Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ CVE scan completed successfully.

Scan Summary:

  • Total images scanned: 3
  • Clean images: 1
  • Images with CVEs: 2
  • Total CVEs found: 4842

🔴 Critical CVEs: 19
🟠 High CVEs: 676
🟡 Medium CVEs: 2337
🟢 Low CVEs: 1810

Images with CVEs:

⚠️ Please review the CVE findings above and address critical/high severity issues before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants