STOR-2758: Rebase to upstream v2.4.2 for OCP 4.22

[dfajmon]

Issue link
https://redhat.atlassian.net/browse/STOR-2758

Diff to upstream v2.4.2
aws/efs-utils@v2.4.2...dfajmon:rebase-v2.4.2

Notes for reviewers

Botocore dependencies are included with install-python-deps-ocp.sh.

Summary of changes

Breaking Changes

• efs-utils v2.0.0 replaces stunnel with efs-proxy, a Rust-based in-house proxy for TLS encryption. Building from source now requires Rust and Cargo >= 1.68. Existing mounts must be re-mounted to benefit from improved performance. OCSP and Mac clients continue to fall back to stunnel automatically. (0c5b52d)

Major Features

• Add new region mount option to allow multiple mounts from different regions (#171)
• Add environment variable support for AWS profiles and regions (AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION) (#297)
• Enable support for EC2 Mac instances running macOS Sequoia (#250)
• Add macOS Tahoe (macOS-26) and Ubuntu 24 support (#311)
• Remove OpenSSH dependency in proxy, use AWS-LC-FIPS as crypto library provider (#311)
• Adding region-specifc domain suffix for sts endpoints and adding new regions and domain suffixes (#234)

Notable Bug Fixes

• Fix log retention logic (#319)
• Fix EFS_FQDN_RE to support ADC DNS suffixes with hyphens (#325)
• Fix backtrace version to resolve ubuntu and rhel build issues (#282)
• Upgrade log4rs version to mitigate security vulnerabilities (#269)

Cherry-picked commits

Commit	Subject	Author
UPSTREAM: <carry>: Add OpenShift files	Roman Bednar	d82a42c

Upstream changelogs

The upstream aws/efs-utils project does not publish formal per-release changelogs or GitHub Releases. Changes are tracked via git tags and commit history.

Full changelog

aws/efs-utils@v1.36.0...v2.4.2

Last rebase

#26

@openshift/storage

[Phaow]

/hold

[Phaow]

@dfajmon I manually build the utils image and override it in driver dockerfile, build operator/bundle/index images launched regression tests, all efs related tests mount failed ->

...
Warning  FailedMount       51s (x10 over 5m4s)  kubelet            MountVolume.SetUp failed for volume "pvc-52b777f7-0fca-4b22-bcf5-3434575c5ad8" : rpc error: code = Internal desc = Could not mount "fs-0fa045a224cfa40bd:/" at "/var/lib/kubelet/pods/5a143a7e-117b-4e81-8ed6-85ef918be535/volumes/kubernetes.io~csi/pvc-52b777f7-0fca-4b22-bcf5-3434575c5ad8/mount": mount failed: exit status 1
  Mounting command: mount
  Mounting arguments: -t efs -o accesspoint=fsap-0ba9c66a60b072488,tls fs-0fa045a224cfa40bd:/ /var/lib/kubelet/pods/5a143a7e-117b-4e81-8ed6-85ef918be535/volumes/kubernetes.io~csi/pvc-52b777f7-0fca-4b22-bcf5-3434575c5ad8/mount
  Output: Could not start amazon-efs-mount-watchdog, unrecognized init system "aws-efs-csi-dri"
  which: no efs-proxy in (/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin)
  Failed to locate efs-proxy in /sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/bin - The efs-proxy binary is packaged with efs-utils. It was deleted or not installed correctly.
...

Dig further and found seems in https://github.com/aws/efs-utils/pull/203/changes?mode=single#diff-ebc2f4cb2a27f555929aab44a3f15be40decdc0432e7ffa6b7e6a588354c166bR1909-R1916 uses efs-proxy mount by default. It seems we need a carry patch change the dist/efs-utils.conf (using legacy stunnel instead of efs-proxy for TLS mounts)

[mount]
# Use legacy stunnel instead of efs-proxy for TLS mounts
use_legacy_stunnel = true

[Phaow]

It seems we need a carry patch change the dist/efs-utils.conf (using legacy stunnel instead of efs-proxy for TLS mounts)
[mount]
# Use legacy stunnel instead of efs-proxy for TLS mounts
use_legacy_stunnel = true

Sorry, it is a hallucination(claude's suggestion), after double checking I do not find it in source codes or aws doc. We still needs to find another way to fix it if we have to rebase the 2.0+ version.

[mpatlasov]

@mpatlasov I removed it because it's another CI and we don't use it. I took it as similar case as .github folder.

@dfajmon , OK, I didn't know that we remove everything related to upstream CI, but it must be fine -- we needn't this file downstream.

I'm just curios, what would be broken if we keep it "as is"? Can you add some words about why we removed this file to commit description, please.

[openshift-ci]

@dfajmon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[jsafrane]

/lgtm

[Phaow]

/unassign @duanwei33 @chao007 @radeore

[Phaow]

/hold cancel
I manually build the utils image and override it in driver dockerfile, build operator/bundle/index images launched regression tests, all looks good.

[Phaow]

/verified by CI

[openshift-ci-robot]

@Phaow: This PR has been marked as verified by [CI](https://qe-private-deck-ci.apps.ci.l2s4.p1.openshiftapps.com/view/gs/qe-private-deck/pr-logs/pull/openshift_release/75338/rehearse-75338-periodic-ci-openshift-openshift-tests-private-release-4.22-amd64-nightly-aws-efs-operator-e2e-extended/2041769804657856512).

Details

In response to this:

/verified by CI

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.