andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/dell/csi-isilon/templates/node.yaml

459 lines
16 KiB
YAML
Raw Normal View History

Charts CI ``` Added: dell/csi-isilon: - 2.6.1 Updated: bitnami/airflow: - 14.1.2 bitnami/kafka: - 22.0.2 kong/kong: - 2.20.1 percona/psmdb-db: - 1.14.3 percona/pxc-db: - 1.12.2 pixie/pixie-operator-chart: - 0.1.0 trilio/k8s-triliovault-operator: - 3.1.0 ```
2023-05-04 18:55:15 +00:00
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Release.Name }}-node
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-node
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create", "delete", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumesclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [ "security.openshift.io" ]
resourceNames: [ "privileged" ]
resources: [ "securitycontextconstraints" ]
verbs: [ "use" ]
{{- if hasKey .Values "podmon" }}
{{- if eq .Values.podmon.enabled true }}
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "update", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{ end }}
{{ end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ .Release.Name }}-node
subjects:
- kind: ServiceAccount
name: {{ .Release.Name }}-node
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ .Release.Name }}-node
apiGroup: rbac.authorization.k8s.io
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: {{ .Release.Name }}-node
namespace: {{ .Release.Namespace }}
{{- if hasKey .Values "authorization" }}
{{- if eq .Values.authorization.enabled true }}
annotations:
com.dell.karavi-authorization-proxy: "true"
{{ end }}
{{ end }}
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-node
template:
metadata:
labels:
app: {{ .Release.Name }}-node
{{- if .Values.podmon.enabled }}
driver.dellemc.com: dell-storage
{{- end }}
spec:
serviceAccount: {{ .Release.Name }}-node
{{ if .Values.node.nodeSelector }}
nodeSelector:
{{- toYaml .Values.node.nodeSelector | nindent 8 }}
{{ end }}
{{ if .Values.node.tolerations }}
tolerations:
{{- toYaml .Values.node.tolerations | nindent 8 }}
{{ end }}
hostNetwork: true
dnsPolicy: {{ .Values.node.dnsPolicy }}
containers:
{{- $encModes := list false }}
{{- if eq .Values.encryption.enabled true }}
{{- $encModes = list false true }}
{{- end }}
{{- range $encrypted := $encModes }}
{{- with $ }}
{{- $driverSock := "csi_sock" }}
{{- $csiSidecarSuffix := "" }}
{{- if $encrypted }}
{{- $driverSock = "csi_sec_sock" }}
{{- $csiSidecarSuffix = "-sec" }}
{{- end }}
{{- if hasKey .Values "podmon" }}
{{- if eq .Values.podmon.enabled true }}
- name: podmon
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
image: {{ required "Must provide the podmon container image." .Values.podmon.image }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
{{- toYaml .Values.podmon.node.args | nindent 12 }}
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: X_CSI_PRIVATE_MOUNT_DIR
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks"
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- name: kubelet-pods
mountPath: {{ .Values.kubeletConfigDir }}/pods
mountPropagation: "Bidirectional"
- name: driver-path
mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
mountPropagation: "Bidirectional"
- name: volumedevices-path
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
mountPropagation: "Bidirectional"
- name: dev
mountPath: /dev
- name: usr-bin
mountPath: /usr-bin
- name: var-run
mountPath: /var/run
- name: csi-isilon-config-params
mountPath: /csi-isilon-config-params
{{- end }}
{{- end }}
{{- if not $encrypted }}
- name: driver
command: ["/csi-isilon"]
args:
- "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml"
securityContext:
privileged: true
capabilities:
add: ["SYS_ADMIN"]
allowPrivilegeEscalation: true
image: {{ required "Must provide the Isilon driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
env:
- name: CSI_ENDPOINT
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}"
- name: X_CSI_MODE
value: node
- name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION
value: "{{ .Values.skipCertificateValidation }}"
- name: X_CSI_ISI_AUTH_TYPE
value: "{{ .Values.isiAuthType }}"
- name: X_CSI_ALLOWED_NETWORKS
value: "{{ .Values.allowedNetworks }}"
- name: X_CSI_VERBOSE
value: "{{ .Values.verbose }}"
- name: X_CSI_PRIVATE_MOUNT_DIR
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks"
- name: X_CSI_ISI_PORT
value: "{{ .Values.endpointPort }}"
- name: X_CSI_ISI_PATH
value: {{ .Values.isiPath }}
- name: X_CSI_ISI_NO_PROBE_ON_START
value: "{{ .Values.noProbeOnStart }}"
- name: X_CSI_ISI_AUTOPROBE
value: "{{ .Values.autoProbe }}"
- name: X_CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: X_CSI_NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: SSL_CERT_DIR
value: /certs
- name: X_CSI_ISI_QUOTA_ENABLED
value: "{{ .Values.enableQuota }}"
- name: X_CSI_CUSTOM_TOPOLOGY_ENABLED
value: "{{ .Values.enableCustomTopology }}"
- name: X_CSI_ISI_CONFIG_PATH
value: /isilon-configs/config
- name: X_CSI_MAX_VOLUMES_PER_NODE
value: "{{ .Values.maxIsilonVolumesPerNode }}"
- name: X_CSI_HEALTH_MONITOR_ENABLED
value: "{{ .Values.node.healthMonitor.enabled }}"
- name: X_CSI_PODMON_ENABLED
value: "{{ .Values.podmon.enabled }}"
- name: X_CSI_PODMON_API_PORT
value: "{{ .Values.podmonAPIPort }}"
{{- if eq .Values.podmon.enabled true }}
{{- range $key, $value := .Values.podmon.node.args }}
{{- if contains "--arrayConnectivityPollRate" $value }}
- name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE
value: "{{ (split "=" $value)._1 }}"
{{ end }}
{{ end }}
{{ end }}
- name: X_CSI_MAX_PATH_LIMIT
value: "{{ .Values.maxPathLen }}"
volumeMounts:
- name: driver-path
mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
{{- if eq .Values.encryption.enabled true }}
- name: staging-dir
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
mountPropagation: Bidirectional
{{- else }}
- name: volumedevices-path
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
{{- end }}
- name: pods-path
mountPath: {{ .Values.kubeletConfigDir }}/pods
mountPropagation: "Bidirectional"
- name: dev
mountPath: /dev
- name: certs
mountPath: /certs
readOnly: true
- name: isilon-configs
mountPath: /isilon-configs
- name: csi-isilon-config-params
mountPath: /csi-isilon-config-params
{{- end }}
- name: registrar{{ $csiSidecarSuffix }}
image: {{ required "Must provide the CSI node registrar container image." ( include "csi-isilon.registrarImage" . ) }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- "--v=5"
- "--csi-address=/csi/{{ $driverSock }}"
- --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}
env:
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
volumeMounts:
- name: registration-dir
mountPath: /registration
- name: driver-path
mountPath: /csi
{{- if not $encrypted }}
{{- if hasKey .Values "authorization" }}
{{- if eq .Values.authorization.enabled true }}
- name: karavi-authorization-proxy
imagePullPolicy: {{ .Values.imagePullPolicy }}
image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }}
env:
- name: PROXY_HOST
value: "{{ .Values.authorization.proxyHost }}"
- name: SKIP_CERTIFICATE_VALIDATION
value: "{{ .Values.authorization.skipCertificateValidation }}"
- name: PLUGIN_IDENTIFIER
value: powerscale
- name: ACCESS_TOKEN
valueFrom:
secretKeyRef:
name: proxy-authz-tokens
key: access
- name: REFRESH_TOKEN
valueFrom:
secretKeyRef:
name: proxy-authz-tokens
key: refresh
volumeMounts:
- name: karavi-authorization-config
mountPath: /etc/karavi-authorization/config
- name: proxy-server-root-certificate
mountPath: /etc/karavi-authorization/root-certificates
- name: csi-isilon-config-params
mountPath: /etc/karavi-authorization
{{ end }}
{{ end }}
{{- end }}
{{- if $encrypted }}
- name: driver-sec
image: {{ .Values.encryption.image }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
add: ["SYS_ADMIN"]
args:
- --name={{ .Values.encryption.pluginName }}
- --nodeId=$(NODE_ID)
- "--endpoint=unix://var/run/csi/csi_sec_sock"
- "--targetEndpoint=unix://var/run/csi/csi_sock"
- --targetType=Isilon
- --vaultClientConfig=/etc/dea/vault/client.json
- --logLevel={{ .Values.encryption.logLevel }}
- --licenseName=/etc/dea/license/license
{{- if .Values.encryption.livenessPort }}
- --livenessPort={{ .Values.encryption.livenessPort }}
{{- end}}
- --apiPort={{ .Values.encryption.apiPort }}
{{- range index .Values.encryption.extraArgs }}
- {{ . | quote }}
{{- end }}
env:
- name: NODE_ID
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if eq .Values.encryption.ocp true }}
- name: CORE_ID
value: "{{ required "encryption.ocpCoreID not set to core user uid:gid" .Values.encryption.ocpCoreID }}"
{{- end }}
volumeMounts:
- name: vault-config
mountPath: /etc/dea/vault
- name: driver-path
mountPath: /var/run/csi
- name: pods-path
mountPath: {{ .Values.kubeletConfigDir }}/pods
mountPropagation: Bidirectional
- name: staging-dir
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
mountPropagation: Bidirectional
- name: user-home
{{- if eq .Values.encryption.ocp true }}
mountPath: /corehome
{{- else }}
mountPath: /roothome
{{- end }}
- name: license-config
mountPath: /etc/dea/license
{{- if .Values.encryption.livenessPort }}
livenessProbe:
httpGet:
path: /liveprobe
port: {{ .Values.encryption.livenessPort }}
initialDelaySeconds: 1500
periodSeconds: 1000
timeoutSeconds: 3
failureThreshold: 100
{{- end }}
{{- end }}
{{- end }}
{{- end }}
volumes:
- name: registration-dir
hostPath:
path: {{ .Values.kubeletConfigDir }}/plugins_registry/
type: DirectoryOrCreate
- name: driver-path
hostPath:
path: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
type: DirectoryOrCreate
- name: volumedevices-path
hostPath:
path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
type: DirectoryOrCreate
- name: pods-path
hostPath:
path: {{ .Values.kubeletConfigDir }}/pods
type: Directory
- name: dev
hostPath:
path: /dev
type: Directory
- name: certs
projected:
sources:
{{- range $i, $e := until (int .Values.certSecretCount ) }}
- secret:
name: {{ print $.Release.Name "-certs-" $e }}
items:
- key: cert-{{ $e }}
path: cert-{{ $e }}
{{- end }}
- name: isilon-configs
secret:
secretName: {{ .Release.Name }}-creds
- name: csi-isilon-config-params
configMap:
name: {{ .Release.Name }}-config-params
{{- if hasKey .Values "authorization" }}
{{- if eq .Values.authorization.enabled true }}
- name: karavi-authorization-config
secret:
secretName: karavi-authorization-config
- name: proxy-server-root-certificate
secret:
secretName: proxy-server-root-certificate
{{ end }}
{{ end }}
{{- if hasKey .Values "podmon" }}
{{- if eq .Values.podmon.enabled true }}
- name: usr-bin
hostPath:
path: /usr/bin
type: Directory
- name: kubelet-pods
hostPath:
path: /var/lib/kubelet/pods
type: Directory
- name: var-run
hostPath:
path: /var/run
type: Directory
{{ end }}
{{ end }}
{{- if eq .Values.encryption.enabled true }}
- name: vault-config
projected:
sources:
- secret:
name: vault-cert
- secret:
name: vault-auth
- configMap:
name: vault-client-conf
- name: staging-dir
hostPath:
path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
type: DirectoryOrCreate
- name: user-home
hostPath:
{{- if eq .Values.encryption.ocp true }}
path: /home/core
{{- else }}
path: /root
{{- end }}
type: Directory
- name: license-config
secret:
secretName: encryption-license
{{- end }}