apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-controller namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-controller rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["nodes"] {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} verbs: ["get", "list", "watch", "patch"] {{- else }} verbs: ["get", "list", "watch"] {{- end }} {{- end }} - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["persistentvolumeclaims/status"] verbs: ["update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} verbs: ["get", "list", "watch", "update", "patch", "delete"] {{- else }} verbs: ["get", "list", "watch", "update", "patch"] {{- end }} {{- end }} - apiGroups: ["storage.k8s.io"] resources: ["csinodes"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments/status"] verbs: ["patch"] - apiGroups: ["csi.storage.k8s.io"] resources: ["csinodeinfos"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["pods"] {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} verbs: ["get", "list", "watch", "update", "delete"] {{- else }} verbs: ["get", "list", "watch"] {{- end }} {{- end }} # below for snapshotter - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list"] {{- if hasKey .Values "vgsnapshotter" }} {{- if eq .Values.vgsnapshotter.enabled true }} - apiGroups: ["volumegroup.storage.dell.com"] resources: ["dellcsivolumegroupsnapshots","dellcsivolumegroupsnapshots/status"] verbs: ["create", "list", "watch", "delete", "update"] {{- end }} {{- end }} - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots"] {{- if hasKey .Values "vgsnapshotter" }} {{- if eq .Values.vgsnapshotter.enabled true }} verbs: ["get", "list", "watch", "update", "create", "delete"] {{- else }} verbs: ["get", "list", "watch", "update"] {{- end }} {{- end }} - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshots/status","volumesnapshotcontents/status"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["create", "list", "watch", "delete", "update"] {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - apiGroups: ["replication.storage.dell.com"] resources: ["dellcsireplicationgroups"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["replication.storage.dell.com"] resources: ["dellcsireplicationgroups/status"] verbs: ["get", "patch", "update"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] - apiGroups: [""] resources: ["namespaces"] verbs: ["create", "get", "list", "watch"] {{- end}} {{- end}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-controller subjects: - kind: ServiceAccount name: {{ .Release.Name }}-controller namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-controller apiGroup: rbac.authorization.k8s.io --- kind: Deployment apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-controller namespace: {{ .Release.Namespace }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: com.dell.karavi-authorization-proxy: "true" {{ end }} {{ end }} spec: {{- if gt (int .Values.controller.controllerCount) 1 }} strategy: rollingUpdate: maxUnavailable: 1 {{- end }} selector: matchLabels: name: {{ .Release.Name }}-controller replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }} template: metadata: labels: {{- if eq (.Values.vgsnapshotter.enabled| toString) "true" }} vg-snapshotter-enabled: "true" {{- else if eq (.Values.vgsnapshotter.enabled| toString) "false" }} vg-snapshotter-enabled: "false" {{- end }} name: {{ .Release.Name }}-controller spec: affinity: nodeSelector: podAntiAffinity: requiredDuringSchedulingIgnoredDuringExecution: - labelSelector: matchExpressions: - key: name operator: In values: - {{ .Release.Name }}-controller topologyKey: kubernetes.io/hostname serviceAccountName: {{ .Release.Name }}-controller {{- if .Values.controller.nodeSelector }} nodeSelector: {{- toYaml .Values.controller.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.controller.tolerations }} tolerations: {{- toYaml .Values.controller.tolerations | nindent 6 }} {{- end }} containers: {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon image: {{ required "Must provide the podmon container image." .Values.podmon.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.controller.args | nindent 12 }} env: - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: socket-dir mountPath: /var/run/csi - name: vxflexos-config-params mountPath: /vxflexos-config-params {{- end }} {{- end }} - name: attacher image: {{ required "Must provide the CSI attacher container image." ( include "csi-vxflexos.attacherImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--v=5" - "--leader-election=true" env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - name: dell-csi-replicator image: {{ required "Must provide the Dell CSI Replicator image." .Values.controller.replication.image}} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--leader-election=true" - "--worker-threads=2" - "--retry-interval-start=1s" - "--retry-interval-max=300s" - "--timeout=300s" - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" - "--prefix={{ .Values.controller.replication.replicationPrefix}}" env: - name: ADDRESS value: /var/run/csi/csi.sock - name: X_CSI_REPLICATION_CONFIG_DIR value: /vxflexos-config-params - name: X_CSI_REPLICATION_CONFIG_FILE_NAME value: driver-config-params.yaml volumeMounts: - name: socket-dir mountPath: /var/run/csi - name: vxflexos-config-params mountPath: /vxflexos-config-params {{- end }} {{- end }} - name: provisioner image: {{ required "Must provide the CSI provisioner container image." ( include "csi-vxflexos.provisionerImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--feature-gates=Topology=true" - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" - "--volume-name-uuid-length=10" - "--leader-election=true" - "--timeout=120s" - "--v=5" - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" - "--extra-create-metadata" env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true}} - name: csi-external-health-monitor-controller image: {{ required "Must provide the CSI external health monitor image." ( include "csi-vxflexos.healthmonitorImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--v=5" - "--leader-election=true" - "--enable-node-watcher=true" - "--http-endpoint=:8080" - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" - "--timeout=180s" env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- end }} {{- end }} {{- if hasKey .Values "vgsnapshotter" }} {{- if eq .Values.vgsnapshotter.enabled true }} - name: vg-snapshotter image: {{ required "Must provide the vgsnapshotter container image." .Values.vgsnapshotter.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- end }} {{- end }} {{- if hasKey .Values.controller "snapshot" }} {{- if eq .Values.controller.snapshot.enabled true }} - name: snapshotter image: {{ required "Must provide the CSI snapshotter container image. " ( include "csi-vxflexos.snapshotterImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--timeout=120s" - "--v=5" - "--leader-election=true" env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- end }} {{- end }} {{- if hasKey .Values.controller "resizer" }} {{- if eq .Values.controller.resizer.enabled true }} - name: resizer image: {{ required "Must provide the CSI resizer container image." ( include "csi-vxflexos.resizerImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--csi-address=$(ADDRESS)" - "--v=5" - "--leader-election=true" env: - name: ADDRESS value: /var/run/csi/csi.sock volumeMounts: - name: socket-dir mountPath: /var/run/csi {{- end }} {{- end }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" - name: SKIP_CERTIFICATE_VALIDATION value: "{{ .Values.authorization.skipCertificateValidation }}" - name: PLUGIN_IDENTIFIER value: powerflex - name: ACCESS_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: access - name: REFRESH_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: refresh volumeMounts: - name: karavi-authorization-config mountPath: /etc/karavi-authorization/config - name: proxy-server-root-certificate mountPath: /etc/karavi-authorization/root-certificates - name: vxflexos-config-params mountPath: /etc/karavi-authorization {{- end }} {{- end }} - name: driver image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-vxflexos.sh" ] args: - "--leader-election" - "--array-config=/vxflexos-config/config" - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" env: - name: CSI_ENDPOINT value: /var/run/csi/csi.sock - name: X_CSI_MODE value: controller - name: X_CSI_VXFLEXOS_ENABLESNAPSHOTCGDELETE value: "{{ required "Enable this to allow deletion of all snaps in CG" .Values.enablesnapshotcgdelete }}" - name: X_CSI_VXFLEXOS_ENABLELISTVOLUMESNAPSHOT value: "{{ required "Enable this to have CSI ListVolumes include snapshots" .Values.enablelistvolumesnapshot }}" - name: SSL_CERT_DIR value: /certs {{- if hasKey .Values.controller "replication" }} {{- if eq .Values.controller.replication.enabled true}} - name: X_CSI_REPLICATION_CONTEXT_PREFIX value: {{ .Values.controller.replication.replicationContextPrefix | default "powerflex"}} - name: X_CSI_REPLICATION_PREFIX value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} {{- end }} {{- end }} {{- if hasKey .Values.controller "healthMonitor" }} {{- if eq .Values.controller.healthMonitor.enabled true}} - name: X_CSI_HEALTH_MONITOR_ENABLED value: "{{ .Values.controller.healthMonitor.enabled }}" {{- end }} {{- end }} volumeMounts: - name: socket-dir mountPath: /var/run/csi - name: vxflexos-config mountPath: /vxflexos-config - name: vxflexos-config-params mountPath: /vxflexos-config-params {{- if ge (int .Values.certSecretCount) 1 }} - name: certs mountPath: /certs readOnly: true {{- end}} volumes: - name: socket-dir emptyDir: - name: vxflexos-config secret: secretName: {{ .Release.Name }}-config - name: vxflexos-config-params configMap: name: {{ .Release.Name }}-config-params {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-config secret: secretName: karavi-authorization-config - name: proxy-server-root-certificate secret: secretName: proxy-server-root-certificate {{ end }} {{ end }} {{- if ge (int .Values.certSecretCount) 1 }} - name: certs projected: sources: {{- range $i, $e := until (int .Values.certSecretCount ) }} - secret: name: {{ print $.Release.Name "-certs-" $e }} items: - key: cert-{{ $e }} path: cert-{{ $e }} {{- end }} {{- end }}