STOR-2923: Rebase to upstream v1.34.4 for OCP 4.23/5.0

[rvagner78]

Upstream changelogs

• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.2
• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.3
• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.4

Summary of changes

• Correct CSI-Provisioner permissions for VAC
• add instantAccessDurationMinutes snapshot parameter for PremiumV2/UltraSSD disks
• update maxDataDiskCountMap with latest VM size list
• add flag wait-for-detach-disk-complete
• increase checkDiskLun throttle threshold from 1s to 10s
• ManagedBy polling after successful VMSS detach
• add optional healthcheck for node-driver-registrar
• option for qps and burst to handle client throttling scenario
• update max disk count map with latest VM sizes

Diff to upstream: kubernetes-sigs/azuredisk-csi-driver@v1.34.4...rvagner78:azure-disk-csi-driver:rebase-1.34.4

Previous rebase: #122

cc @openshift/storage

Summary by CodeRabbit

• New Features

  • Added support for detaching disks with optional completion waiting.
  • Added Kubernetes API rate throttling configuration options.
  • Enhanced Windows NVMe disk support detection and handling.
  • Added batch migration wrapper for Premium to PremiumV2 disk migrations.

• Updates

  • Released v1.34.4 with CSI provisioner v6.2.0 and improved feature gates.
  • Updated Helm charts with new snapshot configurations and node health endpoint settings.
  • Improved disk LUN collision check behavior.

• Documentation

  • Added installation guides for v1.34.3 and v1.34.4.
  • Added batch migration wrapper documentation.

[openshift-ci-robot]

@rvagner78: This pull request references STOR-2923 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target only the "5.0.0" version, but multiple target versions were set.

Details

In response to this:

Upstream changelogs

• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.2
• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.3
• https://github.com/kubernetes-sigs/azuredisk-csi-driver/releases/tag/v1.34.4

Summary of changes

• Correct CSI-Provisioner permissions for VAC
• add instantAccessDurationMinutes snapshot parameter for PremiumV2/UltraSSD disks
• update maxDataDiskCountMap with latest VM size list
• add flag wait-for-detach-disk-complete
• increase checkDiskLun throttle threshold from 1s to 10s
• ManagedBy polling after successful VMSS detach
• add optional healthcheck for node-driver-registrar
• option for qps and burst to handle client throttling scenario
• update max disk count map with latest VM sizes

Diff to upstream: kubernetes-sigs/azuredisk-csi-driver@v1.34.4...rvagner78:azure-disk-csi-driver:rebase-1.34.4

Previous rebase: #122

cc @openshift/storage

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Version bump to v1.34.4, Helm chart and manifests updated, new controller/node flags (kube API QPS/burst, wait-for-detach), Windows NVMe disk location handling added with tests, migration batch script introduced, CRDs/RBAC/templates added, docs and go.mod refreshed.

Changes

v1.34.4 Release and Platform Updates

Layer / File(s)	Summary
Version bumps and docs Makefile, README.md, docs/*	Default image version set to v1.34.4; install docs added for v1.34.3/v1.34.4; migration docs updated with auto timeout derivation and new batch wrapper guide.
Helm charts and values charts/...	Latest chart moved to 1.34.4; values updated (provisioner v6.2.0, registrar liveness, kubeAPI QPS/Burst); added/updated templates for controller/node (Linux/Windows), CRDs, RBAC, and ServiceAccounts; repo index updated.
Static deploy manifests deploy/*	Controller/node Windows/Linux manifests added/updated for v1.34.3 and v1.34.4, CRDs and RBAC included; registrar health endpoint and probes refined; provisioner flags updated.
Driver options and kube client tuning pkg/azuredisk/*, pkg/azureutils/*	Added WaitForDetachDiskComplete flag, wired via DriverOptions and flags; GetKubeClient now accepts QPS/Burst; controllerserver throttle constant raised; code paths propagate new options.
Windows NVMe disk handling pkg/os/disk/*	Enhanced disk enumeration to detect NVMe via PNPDeviceID/Path, derive LUN from NSID, and map Location; added unit tests for NVMe parsing/detection.
Migration tooling hack/*	New batch migration wrapper with checkpointing/concurrency; common lib validates inputs, derives monitor timeout, requires flock.
Dependencies and images go.mod, pkg/azurediskplugin/Dockerfile, tests/scripts	OpenTelemetry and golang.org/x modules updated; base image bumped; tests adjusted for new client signature; e2e runner uses -procs.

Sequence Diagram(s)

(skip)

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Suggested reviewers

• dobsonj
• tsmetana

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: rvagner78
Once this PR has been reviewed and has the lgtm label, please assign mpatlasov for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 15

🧹 Nitpick comments (1)

charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml (1)

66-68: ⚡ Quick win

RBAC concern: legacy csinodeinfos is redundant (chart already grants csinodes)

This template already grants read access to storage.k8s.io/csinodes earlier in the same controller RBAC, so the attacher shouldn’t be missing node info permissions. The remaining entry at lines 66-68 for csi.storage.k8s.io/csinodeinfos is legacy and likely unnecessary on modern clusters; consider removing it or gating it for older compatibility.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml`
around lines 66 - 68, The RBAC rule granting apiGroups "csi.storage.k8s.io"
resources "csinodeinfos" is redundant because the chart already grants
"storage.k8s.io/csinodes"; remove the "csinodeinfos" rule from the controller
RBAC block (resource "csinodeinfos") or gate it for older clusters by wrapping
it in a Helm conditional that checks API availability (e.g. using
.Capabilities.APIVersions.Has) so the "csinodeinfos" entry is only rendered when
the cluster requires that legacy API.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml`:
- Around line 42-47: The template is incorrectly gating rendering of
user-provided affinity on a substring check for "nodeSelectorTerms" which can
drop valid podAffinity/podAntiAffinity settings; update the logic around
.Values.controller.affinity so that if .Values.controller.affinity is set it is
rendered directly (use tpl/with to evaluate and then emit affinity: followed by
toYaml . | indent 8) instead of using contains "nodeSelectorTerms" — remove the
contains check and the else branch that skips affinity, and ensure the template
uses the existing tpl "{{ .Values.controller.affinity }}" . and toYaml to output
any affinity object provided.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml`:
- Around line 38-39: The DaemonSet uses two different Helm values for
hostNetwork which can produce inconsistent manifests: hostNetwork is read from
.Values.linux.hostNetwork while readiness/liveness probe and container port
conditionals check .Values.node.hostNetwork; unify them by choosing one
canonical value (e.g., .Values.node.hostNetwork or .Values.linux.hostNetwork)
and update all references so hostNetwork, the probe/port if-conditions, and any
conditional blocks (the probe/port branches around readiness/liveness and
container ports) all use that single value (search for hostNetwork,
.Values.linux.hostNetwork, and .Values.node.hostNetwork in the template and make
them consistent).

In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml`:
- Around line 98-115: The template incorrectly emits
.Values.snapshot.VolumeSnapshotClass.additionalLabels as a top-level
additionalLabels key; update the VolumeSnapshotClass resource rendering (in
csi-snapshot-controller.yaml for VolumeSnapshotClass) to render those entries
under metadata.labels instead of a root-level additionalLabels: block—remove the
current additionalLabels: block and, inside the resource's metadata: section,
add a metadata.labels: and render the map via {{ toYaml
.Values.snapshot.VolumeSnapshotClass.additionalLabels | indent 2 }} (or use {{-
with .Values.snapshot.VolumeSnapshotClass.additionalLabels }} ... {{- end }} to
guard emptiness) so labels are only emitted when present and indentation matches
the YAML structure.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/NOTES.txt`:
- Line 5: The kubectl selector in NOTES.txt uses the wrong label key; replace
the selector key app.kubernetes.io/name={{ .Release.Name }} with
app.kubernetes.io/instance={{ .Release.Name }} so the pod lookup uses the
release instance label (update the line containing kubectl --namespace={{
.Release.Namespace }} get pods --selector="app.kubernetes.io/name={{
.Release.Name }}" --watch to use app.kubernetes.io/instance instead).

In
`@charts/v1.34.3/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml`:
- Around line 66-68: The external-attacher Role {{ .Values.rbac.name
}}-external-attacher-role grants verbs on the wrong API and resource; update the
Role binding in rbac-csi-azuredisk-controller.yaml so that the rule uses
apiGroups: ["storage.k8s.io"] and resources: ["csinodes"] (keeping the existing
verbs ["get","list","watch"]) instead of apiGroups: ["csi.storage.k8s.io"] and
resources: ["csinodeinfos"] to match the CSI Node API used elsewhere.

In `@charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml`:
- Around line 42-61: The template currently only renders user-provided
controller.affinity when its rendered text contains "nodeSelectorTerms", which
silently drops valid affinity configs (e.g., podAntiAffinity); change the
condition to check whether controller.affinity is provided/non-empty after
rendering instead of searching for "nodeSelectorTerms". Replace the if
expression that uses tpl ... | contains "nodeSelectorTerms" with a check like
testing the tpl output for non-empty (e.g., {{- if tpl "{{
.Values.controller.affinity }}" . | trim | ne "" }} or equivalent) so any valid
affinity block (podAffinity, podAntiAffinity, nodeAffinity, etc.) is preserved;
keep the existing fallback branch that uses runOnControlPlane/runOnMaster
unchanged.

In `@charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml`:
- Around line 74-77: The chart mixes two different hostNetwork value keys
(.Values.linux.hostNetwork vs .Values.node.hostNetwork) causing probes/ports to
be rendered for the wrong network mode; pick the single canonical key used
elsewhere (e.g., .Values.linux.hostNetwork) and replace all occurrences of
.Values.node.hostNetwork in this template (the conditional blocks that choose
between --http-endpoint vs --health-port and the other branches around the node
liveness/readiness probe flags) so the checks that render --http-endpoint,
--health-port and probe host bindings all use the same value source
(.Values.linux.hostNetwork or .Values.node.hostNetwork consistently).

In `@charts/v1.34.4/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml`:
- Around line 112-115: The template is rendering
.Values.snapshot.VolumeSnapshotClass.additionalLabels under a top-level
additionalLabels key, which is invalid for VolumeSnapshotClass; update the
template so the labels are merged into the VolumeSnapshotClass metadata by
replacing the top-level block with a metadata.labels section (e.g. inside the
VolumeSnapshotClass manifest add metadata: labels: {{ toYaml
.Values.snapshot.VolumeSnapshotClass.additionalLabels | indent 4 }}), ensuring
you keep the existing {{- with
.Values.snapshot.VolumeSnapshotClass.additionalLabels }} guard and use proper
indentation so labels render under metadata.labels of the VolumeSnapshotClass
resource.

In `@deploy/v1.34.4/csi-snapshot-controller.yaml`:
- Around line 34-45: The tolerations that target control-plane taints (keys
"node-role.kubernetes.io/master", "node-role.kubernetes.io/controlplane", and
"node-role.kubernetes.io/control-plane") currently use operator: "Equal" with
value: "true" which will miss key-only NoSchedule taints; update each toleration
to use operator: "Exists" and remove the value field so the toleration matches
taints that are key-only (i.e., replace operator: "Equal"/value: "true" for the
three keys with operator: "Exists" and no value).

In `@deploy/v1.34.4/rbac-csi-azuredisk-controller.yaml`:
- Around line 186-188: The RBAC rule currently grants cluster-wide secret
listing ("resources: [\"secrets\"]" with "verbs: [\"get\", \"list\"]"); remove
the "list" verb to restrict to read-only retrieval only (leave "get") or, if
listing is required, scope the permission to a namespace by converting the
ClusterRole/ClusterRoleBinding into a namespaced Role and RoleBinding for the
specific namespace; update the entry that contains resources: ["secrets"] and
verbs: ["get","list"] accordingly so no cluster-wide "list" on secrets remains.

In `@docs/install-csi-driver-v1.34.3.md`:
- Line 7: Remove the unsafe TLS skip flag from the remote install/uninstall curl
commands: replace the curl invocations that include the "-k" or "-skSL" options
(the lines invoking "curl -skSL
https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/install-driver.sh
| bash -s v1.34.3 snapshot --" and the corresponding uninstall curl) by removing
"-k" so TLS certificate verification is enforced (e.g., use "curl -sSL ... |
bash -s ..."); ensure both the install and uninstall command instances are
updated.

In `@docs/install-csi-driver-v1.34.4.md`:
- Line 7: Remove the insecure TLS bypass by dropping the -k flag from the curl
commands that pipe to bash (the occurrences of "curl -skSL
https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/install-driver.sh
| bash -s v1.34.4 snapshot --" and the similar command at the other occurrence);
update both instances so curl validates TLS by using -sSL (or no -k) to avoid
bypassing certificate checks when fetching remote install scripts.

In `@docs/migrate-batch-wrapper.md`:
- Line 124: The fenced code block that begins with the line
"migration-batch-logs/" is missing a language tag and triggers markdownlint
MD040; update the opening fence from ``` to ```text so the block becomes a
labeled "text" code block (i.e., the block containing "migration-batch-logs/",
"wrapper.log", and "preflight.log" should start with ```text).

In `@hack/premium-to-premiumv2-migrator-batch.sh`:
- Around line 491-500: The script treats any live stored_pid as an active batch
(setting stale_pid and incrementing running) which can deadlock if that PID was
recycled; update the logic around PID_BATCH/stale_pid to verify the live process
actually belongs to our migrator before counting it: after kill -0 "$stored_pid"
succeeds, confirm the process command line matches our expected marker (e.g.,
inspect /proc/$stored_pid/cmdline or use ps -o cmd= -p "$stored_pid" and compare
to the script name or a known argument), and only then assign
PID_BATCH[$stored_pid]=$bidx and increment running; if the check fails,
remove/ignore that PID from PID_BATCH and continue. Apply the same verification
where the other loop (lines 512-515) treats stored_pid as active.
- Around line 173-180: The helper get_cached_pvc_json referenced by
get_cached_batch_label is missing, making batch-label reuse a no-op; add a small
function named get_cached_pvc_json that reads the prepopulated ALL_PVCS_JSON
(populated by populate_pvcs) and returns the JSON for a given namespace and PVC
name (e.g., filter ALL_PVCS_JSON with jq using .items[] |
select(.metadata.namespace==env_ns and .metadata.name==env_name)), or
alternatively source the helper file that defines get_cached_pvc_json before
get_cached_batch_label is invoked; ensure the new function signature is
get_cached_pvc_json "$ns" "$pvc" and that errors propagate instead of being
silently swallowed so get_cached_batch_label can correctly reuse existing batch
labels.

---

Nitpick comments:
In
`@charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml`:
- Around line 66-68: The RBAC rule granting apiGroups "csi.storage.k8s.io"
resources "csinodeinfos" is redundant because the chart already grants
"storage.k8s.io/csinodes"; remove the "csinodeinfos" rule from the controller
RBAC block (resource "csinodeinfos") or gate it for older clusters by wrapping
it in a Helm conditional that checks API availability (e.g. using
.Capabilities.APIVersions.Has) so the "csinodeinfos" entry is only rendered when
the cluster requires that legacy API.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 993615b3-b163-4dd5-b2b7-e03a5fbf1d76

📥 Commits

Reviewing files that changed from the base of the PR and between 72a8648 and 0d5895e.

⛔ Files ignored due to path filters (165)

• go.sum is excluded by !**/*.sum
• vendor/go.opentelemetry.io/otel/.golangci.yml is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CHANGELOG.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/CONTRIBUTING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/Makefile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/RELEASING.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/encoder.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/hash.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/internal/attribute.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/kv.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/type_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/attribute/value.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/baggage/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/dependencies.Dockerfile is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/errorhandler/errorhandler.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/handler.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/internal/global/state.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncfloat64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/asyncint64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/meter.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncfloat64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/metric/syncint64.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/baggage.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/propagation/trace_context.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/requirements.txt is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/internal/x/features.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/exponential_histogram.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/histogram.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/lastvalue.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/internal/aggregate/sum.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/internal/observ/instrumentation.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/manual_reader.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/periodic_reader.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/pipeline.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/reader.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/metric/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/builtin.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/config.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/container.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/env.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/host_id_readfile.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/os.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/process.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/resource/resource.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/batch_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/simple_span_processor.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/internal/observ/tracer.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/provider.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/sampling.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/trace/span.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/sdk/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.39.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/MIGRATION.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/README.md is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/attribute_group.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/doc.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/error_type.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/exception.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/otelconv/metric.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/semconv/v1.40.0/schema.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/auto.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/trace.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/trace/tracestate.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/go.opentelemetry.io/otel/versions.yaml is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/iter.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/node.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/html/nodetype_string.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/client_priority_go126.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/client_priority_go127.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/frame.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/http2.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/server.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/transport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_priority_rfc7540.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/http2/writesched_random.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/net/internal/httpsfv/httpsfv.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sync/singleflight/singleflight.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/asm_darwin_arm64_gc.s is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_darwin_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_darwin_arm64_other.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_gccgo_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_other_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/cpu_windows_arm64.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/cpu/syscall_darwin_arm64_gc.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/plan9/syscall_plan9.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ioctl_signed.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ioctl_unsigned.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_solaris.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/syscall_unix.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/unix/ztypes_linux.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/aliases.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/registry/key.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/cases/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/catalog.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/dict.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/go19.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/message/catalog/gopre19.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/secure/bidirule/bidirule9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables13.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/bidi/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/forminfo.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables10.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables11.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables12.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables15.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables17.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/text/unicode/norm/tables9.0.0.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/cursor.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/inspector.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/ast/inspector/iter.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/packages/packages.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/go/types/objectpath/objectpath.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/aliases/aliases.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/aliases/aliases_go122.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/core/event.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/keys/keys.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/event/label/label.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iexport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/iimport.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/gcimporter/ureader_yes.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/deps.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/stdlib/manifest.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typeparams/free.go is excluded by !**/vendor/**, !vendor/**
• vendor/golang.org/x/tools/internal/typesinternal/types.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/encoding/tag/tag.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/encoding/text/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/filedesc/desc_lazy.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/genid/descriptor_gen.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/codec_map.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/impl/validate.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/internal/version/version.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/proto/decode.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/desc.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/reflect/protodesc/editions.go is excluded by !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/types/descriptorpb/descriptor.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/google.golang.org/protobuf/types/known/timestamppb/timestamp.pb.go is excluded by !**/*.pb.go, !**/vendor/**, !vendor/**
• vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
• vendor/sigs.k8s.io/cloud-provider-azure/pkg/consts/consts.go is excluded by !**/vendor/**, !vendor/**
• vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_instance_metadata.go is excluded by !**/vendor/**, !vendor/**
• vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_vmss_cache.go is excluded by !**/vendor/**, !vendor/**

📒 Files selected for processing (93)

• Makefile
• README.md
• charts/README.md
• charts/index.yaml
• charts/latest/azuredisk-csi-driver-1.34.2.tgz
• charts/latest/azuredisk-csi-driver-1.34.4.tgz
• charts/latest/azuredisk-csi-driver/Chart.yaml
• charts/latest/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
• charts/latest/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml
• charts/latest/azuredisk-csi-driver/values.yaml
• charts/v1.34.3/azuredisk-csi-driver-1.34.3.tgz
• charts/v1.34.3/azuredisk-csi-driver/Chart.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/NOTES.txt
• charts/v1.34.3/azuredisk-csi-driver/templates/_helpers.tpl
• charts/v1.34.3/azuredisk-csi-driver/templates/crd-csi-snapshot.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-driver.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-node-windows-hostprocess.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-node-windows.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/rbac-csi-azuredisk-node.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/rbac-csi-snapshot-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-node.yaml
• charts/v1.34.3/azuredisk-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml
• charts/v1.34.3/azuredisk-csi-driver/values.yaml
• charts/v1.34.4/azuredisk-csi-driver-1.34.4.tgz
• charts/v1.34.4/azuredisk-csi-driver/Chart.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/NOTES.txt
• charts/v1.34.4/azuredisk-csi-driver/templates/_helpers.tpl
• charts/v1.34.4/azuredisk-csi-driver/templates/crd-csi-snapshot.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-driver.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-node-windows-hostprocess.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-node-windows.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-azuredisk-node.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/rbac-csi-snapshot-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/serviceaccount-csi-azuredisk-node.yaml
• charts/v1.34.4/azuredisk-csi-driver/templates/serviceaccount-csi-snapshot-controller.yaml
• charts/v1.34.4/azuredisk-csi-driver/values.yaml
• deploy/csi-azuredisk-controller.yaml
• deploy/csi-azuredisk-node-windows-hostprocess.yaml
• deploy/csi-azuredisk-node-windows.yaml
• deploy/csi-azuredisk-node.yaml
• deploy/v1.34.3/crd-csi-snapshot.yaml
• deploy/v1.34.3/csi-azuredisk-controller.yaml
• deploy/v1.34.3/csi-azuredisk-driver.yaml
• deploy/v1.34.3/csi-azuredisk-node-windows-hostprocess.yaml
• deploy/v1.34.3/csi-azuredisk-node-windows.yaml
• deploy/v1.34.3/csi-azuredisk-node.yaml
• deploy/v1.34.3/csi-snapshot-controller.yaml
• deploy/v1.34.3/rbac-csi-azuredisk-controller.yaml
• deploy/v1.34.3/rbac-csi-azuredisk-node.yaml
• deploy/v1.34.3/rbac-csi-snapshot-controller.yaml
• deploy/v1.34.4/crd-csi-snapshot.yaml
• deploy/v1.34.4/csi-azuredisk-controller.yaml
• deploy/v1.34.4/csi-azuredisk-driver.yaml
• deploy/v1.34.4/csi-azuredisk-node-windows-hostprocess.yaml
• deploy/v1.34.4/csi-azuredisk-node-windows.yaml
• deploy/v1.34.4/csi-azuredisk-node.yaml
• deploy/v1.34.4/csi-snapshot-controller.yaml
• deploy/v1.34.4/rbac-csi-azuredisk-controller.yaml
• deploy/v1.34.4/rbac-csi-azuredisk-node.yaml
• deploy/v1.34.4/rbac-csi-snapshot-controller.yaml
• docs/install-azuredisk-csi-driver.md
• docs/install-csi-driver-v1.34.3.md
• docs/install-csi-driver-v1.34.4.md
• docs/migrate-batch-wrapper.md
• docs/migrate-premiumlrs-to-premiumv2lrs.md
• go.mod
• hack/lib-premiumv2-migration-common.sh
• hack/premium-to-premiumv2-migrator-batch.sh
• pkg/azuredisk/azure_controller_common.go
• pkg/azuredisk/azure_controller_common_test.go
• pkg/azuredisk/azure_dd_max_disk_count.go
• pkg/azuredisk/azure_managedDiskController.go
• pkg/azuredisk/azuredisk.go
• pkg/azuredisk/azuredisk_option.go
• pkg/azuredisk/controllerserver.go
• pkg/azurediskplugin/Dockerfile
• pkg/azurediskplugin/main.go
• pkg/azureutils/azure_disk_utils.go
• pkg/azureutils/azure_disk_utils_test.go
• pkg/os/disk/disk.go
• pkg/os/disk/disk_cim.go
• pkg/os/disk/disk_nvme_test.go
• test/external-e2e/run.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Do not gate custom affinity on a nodeSelectorTerms substring check.

Line 42 can drop user-provided affinity unless it happens to contain nodeSelectorTerms. That silently ignores valid podAffinity/podAntiAffinity configs.

Suggested fix

-    {{- if tpl "{{ .Values.controller.affinity }}" . | contains "nodeSelectorTerms" }}
-      {{- with .Values.controller.affinity }}
-      affinity:
-{{ toYaml . | indent 8 }}
-      {{- end }}
+    {{- if .Values.controller.affinity }}
+      affinity:
+{{ toYaml .Values.controller.affinity | indent 8 }}
     {{- else if or .Values.controller.runOnControlPlane .Values.controller.runOnMaster}}
       affinity:
         nodeAffinity:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-controller.yaml`
around lines 42 - 47, The template is incorrectly gating rendering of
user-provided affinity on a substring check for "nodeSelectorTerms" which can
drop valid podAffinity/podAntiAffinity settings; update the logic around
.Values.controller.affinity so that if .Values.controller.affinity is set it is
rendered directly (use tpl/with to evaluate and then emit affinity: followed by
toYaml . | indent 8) instead of using contains "nodeSelectorTerms" — remove the
contains check and the else branch that skips affinity, and ensure the template
uses the existing tpl "{{ .Values.controller.affinity }}" . and toYaml to output
any affinity object provided.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use one hostNetwork source consistently across pod spec and probe/port conditionals.

hostNetwork is set from .Values.linux.hostNetwork, but probe/port branches are gated by .Values.node.hostNetwork. If these values differ, the rendered DaemonSet can be internally inconsistent.

💡 Suggested fix

-{{- if eq .Values.node.hostNetwork true }}
+{{- if eq .Values.linux.hostNetwork true }}
             - --http-endpoint=localhost:{{ .Values.node.livenessProbe.healthPort }}
 {{- else }}
             - --health-port={{ .Values.node.livenessProbe.healthPort }}
 {{- end }}
@@
-{{- if ne .Values.node.hostNetwork true }}
+{{- if ne .Values.linux.hostNetwork true }}
           ports:
             - containerPort: {{ .Values.node.livenessProbe.healthPort }}
               name: healthz
@@
-{{- if eq .Values.node.hostNetwork true }}
+{{- if eq .Values.linux.hostNetwork true }}
               host: localhost
               port: {{ .Values.node.livenessProbe.healthPort }}
 {{- else }}
               port: healthz
 {{- end }}

Also applies to: 74-78, 159-177

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-azuredisk-node.yaml` around
lines 38 - 39, The DaemonSet uses two different Helm values for hostNetwork
which can produce inconsistent manifests: hostNetwork is read from
.Values.linux.hostNetwork while readiness/liveness probe and container port
conditionals check .Values.node.hostNetwork; unify them by choosing one
canonical value (e.g., .Values.node.hostNetwork or .Values.linux.hostNetwork)
and update all references so hostNetwork, the probe/port if-conditions, and any
conditional blocks (the probe/port branches around readiness/liveness and
container ports) all use that single value (search for hostNetwork,
.Values.linux.hostNetwork, and .Values.node.hostNetwork in the template and make
them consistent).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="charts/v1.34.3/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml"
echo "== File: $FILE =="
ls -la "$FILE" || true
echo
echo "== Lines 70-160 (context) =="
sed -n '70,160p' "$FILE"
echo
echo "== Search for additionalLabels in charts/v1.34.3/azuredisk-csi-driver/templates =="
rg -n "additionalLabels" charts/v1.34.3/azuredisk-csi-driver/templates || true
echo
echo "== Search for VolumeSnapshotClass.additionalLabels in charts/v1.34.3/azuredisk-csi-driver =="
rg -n "VolumeSnapshotClass\.additionalLabels" charts/v1.34.3/azuredisk-csi-driver || true

Repository: openshift/azure-disk-csi-driver

Length of output: 2930

---

🌐 Web query:

Kubernetes snapshot.storage.k8s.io/v1 VolumeSnapshotClass fields additionalLabels metadata.labels

💡 Result:

There are no VolumeSnapshotClass fields named "additionalLabels" or "metadata.labels" in the snapshot.storage.k8s.io/v1 API spec itself. 1) What VolumeSnapshotClass v1 actually defines A VolumeSnapshotClass (apiVersion: snapshot.storage.k8s.io/v1) specifies these top-level fields: driver, deletionPolicy, and parameters (plus standard Kubernetes metadata). The Kubernetes docs describe these class fields as the attributes used for dynamically provisioning VolumeSnapshots, and show the v1 YAML structure using metadata.name and the fields driver/deletionPolicy/parameters; they do not list any spec field called additionalLabels. [1] 2) Where labels go: always under standard ObjectMeta In Kubernetes, labels are part of the standard object metadata (ObjectMeta.labels). The Kubernetes API reference describes ObjectMeta as containing annotations and labels. [2] So the correct field is VolumeSnapshotClass.metadata.labels, but that is not a VolumeSnapshotClass-specific field—it's the generic Kubernetes metadata.labels on any object. 3) VolumeSnapshotClass does not have a spec-level additionalLabels concept The external-snapshotter CSI CRD for snapshot.storage.k8s.io/v1 VolumeSnapshotClasses is consistent with the Kubernetes docs: it defines metadata, driver, deletionPolicy, and parameters, with no VolumeSnapshotClass-specific spec field named additionalLabels. [3] Practical takeaway - Use VolumeSnapshotClass.metadata.labels to attach Kubernetes labels to the VolumeSnapshotClass object itself. [2] - Do not look for VolumeSnapshotClass.spec.additionalLabels or any “additionalLabels” field in snapshot.storage.k8s.io/v1; it isn’t part of the published v1 API/CRD schema. [1][3]

Citations:

• 1: https://kubernetes.io/docs/concepts/storage/volume-snapshot-classes/
• 2: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/
• 3: https://github.com/kubernetes-csi/external-snapshotter/blob/master/client/config/crd/snapshot.storage.k8s.io_volumesnapshotclasses.yaml

---

Render custom labels under metadata.labels for VolumeSnapshotClass (not as a top-level additionalLabels)
The template renders .Values.snapshot.VolumeSnapshotClass.additionalLabels as additionalLabels: at the resource root, but snapshot.storage.k8s.io/v1 VolumeSnapshotClass doesn’t define such a field; labels should be set via metadata.labels.

💡 Suggested fix

 metadata:
   name: {{ .Values.snapshot.VolumeSnapshotClass.name }}
   annotations:
@@
     "helm.sh/hook": post-install
+  {{- with .Values.snapshot.VolumeSnapshotClass.additionalLabels }}
+  labels:
+{{ toYaml . | indent 4 }}
+  {{- end }}
 driver: {{ .Values.driver.name }}
 deletionPolicy: {{ .Values.snapshot.VolumeSnapshotClass.deletionPolicy }}
 parameters:
   incremental: {{ .Values.snapshot.VolumeSnapshotClass.parameters.incremental }}
   {{- if ne .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup "" }}
   resourceGroup: {{ .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup }}
   {{- end }}
   tags: {{ .Values.snapshot.VolumeSnapshotClass.parameters.tags }}
-{{- with .Values.snapshot.VolumeSnapshotClass.additionalLabels }}
-additionalLabels:
-{{ toYaml . | indent 2 }}
-{{- end }}
 {{- end -}}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	metadata:
	name: {{ .Values.snapshot.VolumeSnapshotClass.name }}
	annotations:
	# This is what defines this resource as a hook. Without this line, the
	# job is considered part of the release.
	"helm.sh/hook": post-install
	driver: {{ .Values.driver.name }}
	deletionPolicy: {{ .Values.snapshot.VolumeSnapshotClass.deletionPolicy }}
	parameters:
	incremental: {{ .Values.snapshot.VolumeSnapshotClass.parameters.incremental }}
	{{- if ne .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup "" }}
	resourceGroup: {{ .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup }}
	{{- end }}
	tags: {{ .Values.snapshot.VolumeSnapshotClass.parameters.tags }}
	{{- with .Values.snapshot.VolumeSnapshotClass.additionalLabels }}
	additionalLabels:
	{{ toYaml . | indent 2 }}
	{{- end }}
	metadata:
	name: {{ .Values.snapshot.VolumeSnapshotClass.name }}
	annotations:
	# This is what defines this resource as a hook. Without this line, the
	# job is considered part of the release.
	"helm.sh/hook": post-install
	{{- with .Values.snapshot.VolumeSnapshotClass.additionalLabels }}
	labels:
	{{ toYaml . | indent 4 }}
	{{- end }}
	driver: {{ .Values.driver.name }}
	deletionPolicy: {{ .Values.snapshot.VolumeSnapshotClass.deletionPolicy }}
	parameters:
	incremental: {{ .Values.snapshot.VolumeSnapshotClass.parameters.incremental }}
	{{- if ne .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup "" }}
	resourceGroup: {{ .Values.snapshot.VolumeSnapshotClass.parameters.resourceGroup }}
	{{- end }}
	tags: {{ .Values.snapshot.VolumeSnapshotClass.parameters.tags }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/csi-snapshot-controller.yaml`
around lines 98 - 115, The template incorrectly emits
.Values.snapshot.VolumeSnapshotClass.additionalLabels as a top-level
additionalLabels key; update the VolumeSnapshotClass resource rendering (in
csi-snapshot-controller.yaml for VolumeSnapshotClass) to render those entries
under metadata.labels instead of a root-level additionalLabels: block—remove the
current additionalLabels: block and, inside the resource's metadata: section,
add a metadata.labels: and render the map via {{ toYaml
.Values.snapshot.VolumeSnapshotClass.additionalLabels | indent 2 }} (or use {{-
with .Values.snapshot.VolumeSnapshotClass.additionalLabels }} ... {{- end }} to
guard emptiness) so labels are only emitted when present and indentation matches
the YAML structure.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix the pod selector label in the install note command.

Line 5 selects app.kubernetes.io/name={{ .Release.Name }}, but release name maps to app.kubernetes.io/instance. With custom release names, this command can return zero pods.

Suggested fix

-  kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch
+  kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/instance={{ .Release.Name }}" --watch

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/name={{ .Release.Name }}" --watch
	kubectl --namespace={{ .Release.Namespace }} get pods --selector="app.kubernetes.io/instance={{ .Release.Name }}" --watch

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/v1.34.3/azuredisk-csi-driver/templates/NOTES.txt` at line 5, The
kubectl selector in NOTES.txt uses the wrong label key; replace the selector key
app.kubernetes.io/name={{ .Release.Name }} with app.kubernetes.io/instance={{
.Release.Name }} so the pod lookup uses the release instance label (update the
line containing kubectl --namespace={{ .Release.Namespace }} get pods
--selector="app.kubernetes.io/name={{ .Release.Name }}" --watch to use
app.kubernetes.io/instance instead).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix external-attacher RBAC to use storage.k8s.io/csinodes instead of legacy csi.storage.k8s.io/csinodeinfos

{{ .Values.rbac.name }}-external-attacher-role grants get/list/watch on csi.storage.k8s.io csinodeinfos, which is inconsistent with the current CSI Node API used elsewhere in the chart (storage.k8s.io csinodes), and can break external-attacher authorization.

💡 Suggested fix

-  - apiGroups: ["csi.storage.k8s.io"]
-    resources: ["csinodeinfos"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
     verbs: ["get", "list", "watch"]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- apiGroups: ["csi.storage.k8s.io"]
	resources: ["csinodeinfos"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["storage.k8s.io"]
	resources: ["csinodes"]
	verbs: ["get", "list", "watch"]

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@charts/v1.34.3/azuredisk-csi-driver/templates/rbac-csi-azuredisk-controller.yaml`
around lines 66 - 68, The external-attacher Role {{ .Values.rbac.name
}}-external-attacher-role grants verbs on the wrong API and resource; update the
Role binding in rbac-csi-azuredisk-controller.yaml so that the rule uses
apiGroups: ["storage.k8s.io"] and resources: ["csinodes"] (keeping the existing
verbs ["get","list","watch"]) instead of apiGroups: ["csi.storage.k8s.io"] and
resources: ["csinodeinfos"] to match the CSI Node API used elsewhere.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove -k from the curl install/uninstall commands.

Line 7 and Line 39 disable TLS certificate verification, which weakens the security of a remote-script execution path.

🔧 Suggested fix

-curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/install-driver.sh | bash -s v1.34.3 snapshot --
+curl -fsSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/install-driver.sh | bash -s v1.34.3 snapshot --

-curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/uninstall-driver.sh | bash -s v1.34.3 --
+curl -fsSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/uninstall-driver.sh | bash -s v1.34.3 --

Also applies to: 39-39

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/install-csi-driver-v1.34.3.md` at line 7, Remove the unsafe TLS skip
flag from the remote install/uninstall curl commands: replace the curl
invocations that include the "-k" or "-skSL" options (the lines invoking "curl
-skSL
https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.3/deploy/install-driver.sh
| bash -s v1.34.3 snapshot --" and the corresponding uninstall curl) by removing
"-k" so TLS certificate verification is enforced (e.g., use "curl -sSL ... |
bash -s ..."); ensure both the install and uninstall command instances are
updated.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Drop -k in these remote script examples.

Line 7 and Line 39 currently bypass TLS cert validation, which is risky for commands that pipe downloaded content to bash.

🔧 Suggested fix

-curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/install-driver.sh | bash -s v1.34.4 snapshot --
+curl -fsSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/install-driver.sh | bash -s v1.34.4 snapshot --

-curl -skSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/uninstall-driver.sh | bash -s v1.34.4 --
+curl -fsSL https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/uninstall-driver.sh | bash -s v1.34.4 --

Also applies to: 39-39

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/install-csi-driver-v1.34.4.md` at line 7, Remove the insecure TLS bypass
by dropping the -k flag from the curl commands that pipe to bash (the
occurrences of "curl -skSL
https://raw.githubusercontent.com/kubernetes-sigs/azuredisk-csi-driver/v1.34.4/deploy/install-driver.sh
| bash -s v1.34.4 snapshot --" and the similar command at the other occurrence);
update both instances so curl validates TLS by using -sSL (or no -k) to avoid
bypassing certificate checks when fetching remote install scripts.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language to the fenced code block.

Line 124 starts a fenced block without a language tag, triggering markdownlint MD040.

🔧 Suggested fix

-```
+```text
 migration-batch-logs/
   wrapper.log              # wrapper script stdout/stderr
   preflight.log            # shared resource creation log

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 124-124: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/migrate-batch-wrapper.md` at line 124, The fenced code block that begins
with the line "migration-batch-logs/" is missing a language tag and triggers
markdownlint MD040; update the opening fence from ``` to ```text so the block
becomes a labeled "text" code block (i.e., the block containing
"migration-batch-logs/", "wrapper.log", and "preflight.log" should start with
```text).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Undefined helper makes batch-label reuse a no-op.

Line 177 calls get_cached_pvc_json, but this script never defines/sources it before use. The fallback hides the failure, so existing batch IDs are never actually reused.

🔧 Proposed fix

 get_cached_batch_label() {
   local ns="$1" pvc="$2"
   local pvc_json
-  pvc_json=$(get_cached_pvc_json "$ns" "$pvc" 2>/dev/null || echo "")
+  pvc_json=$(kcmd get pvc "$pvc" -n "$ns" -o json 2>/dev/null || echo "")
   if [[ -n "$pvc_json" ]]; then
     echo "$pvc_json" | jq -r --arg key "$BATCH_LABEL_KEY" '.metadata.labels[$key] // empty'
   fi
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/premium-to-premiumv2-migrator-batch.sh` around lines 173 - 180, The
helper get_cached_pvc_json referenced by get_cached_batch_label is missing,
making batch-label reuse a no-op; add a small function named get_cached_pvc_json
that reads the prepopulated ALL_PVCS_JSON (populated by populate_pvcs) and
returns the JSON for a given namespace and PVC name (e.g., filter ALL_PVCS_JSON
with jq using .items[] | select(.metadata.namespace==env_ns and
.metadata.name==env_name)), or alternatively source the helper file that defines
get_cached_pvc_json before get_cached_batch_label is invoked; ensure the new
function signature is get_cached_pvc_json "$ns" "$pvc" and that errors propagate
instead of being silently swallowed so get_cached_batch_label can correctly
reuse existing batch labels.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Tracking external PIDs as active can deadlock batch completion.

Line 497 treats any live stored_pid as an active tracked job and increments running. If that PID is reused by an unrelated process, the loop at Lines 512-515 can wait forever.

🔧 Proposed fix

     if [[ -n "$stale_pid" ]]; then
-      info "Batch ${bidx}: previous process (pid=${stale_pid}) still running — tracking it."
-      PID_BATCH[$stale_pid]=$bidx
-      running=$(( running + 1 ))
+      info "Batch ${bidx}: previous process (pid=${stale_pid}) appears active — skipping dispatch in this run."
       continue
     fi

Also applies to: 512-515

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/premium-to-premiumv2-migrator-batch.sh` around lines 491 - 500, The
script treats any live stored_pid as an active batch (setting stale_pid and
incrementing running) which can deadlock if that PID was recycled; update the
logic around PID_BATCH/stale_pid to verify the live process actually belongs to
our migrator before counting it: after kill -0 "$stored_pid" succeeds, confirm
the process command line matches our expected marker (e.g., inspect
/proc/$stored_pid/cmdline or use ps -o cmd= -p "$stored_pid" and compare to the
script name or a known argument), and only then assign
PID_BATCH[$stored_pid]=$bidx and increment running; if the check fails,
remove/ignore that PID from PID_BATCH and continue. Apply the same verification
where the other loop (lines 512-515) treats stored_pid as active.

[rvagner78]

/test e2e-azure

[rvagner78]

/retest

[rvagner78]

/retest

[rvagner78]

/retest

[openshift-ci]

@rvagner78: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azurestack-csi	0d5895e	link	false	/test e2e-azurestack-csi

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.