apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-node rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["create", "delete", "get", "list", "watch", "update"] - apiGroups: [""] resources: ["persistentvolumesclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["security.openshift.io"] resourceNames: ["privileged"] resources: ["securitycontextconstraints"] verbs: ["use"] {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch", "update", "delete"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] {{ end }} {{ end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-node subjects: - kind: ServiceAccount name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-node apiGroup: rbac.authorization.k8s.io --- kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: com.dell.karavi-authorization-proxy: "true" {{ end }} {{ end }} spec: selector: matchLabels: app: {{ .Release.Name }}-node template: metadata: labels: app: {{ .Release.Name }}-node {{- if eq .Values.podmon.enabled true }} driver.dellemc.com: dell-storage {{- end }} spec: {{- if .Values.node.nodeSelector }} nodeSelector: {{- toYaml .Values.node.nodeSelector | nindent 8 }} {{- end }} {{- if .Values.node.tolerations }} tolerations: {{- toYaml .Values.node.tolerations | nindent 6 }} {{- end }} serviceAccount: {{ .Release.Name }}-node dnsPolicy: ClusterFirstWithHostNet hostNetwork: true {{- if and .Values.monitor.enabled .Values.monitor.hostPID }} hostPID: true {{- else }} hostPID: false {{- end }} containers: {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: {{ required "Must provide the podmon container image." .Values.podmon.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} env: - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: X_CSI_PRIVATE_MOUNT_DIR value: "{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/disks" - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: kubelet-pods mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com mountPropagation: "Bidirectional" - name: usr-bin mountPath: /usr-bin - name: var-run mountPath: /var/run - name: vxflexos-config-params mountPath: /vxflexos-config-params {{- end }} {{- end }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" - name: SKIP_CERTIFICATE_VALIDATION value: "{{ .Values.authorization.skipCertificateValidation }}" - name: PLUGIN_IDENTIFIER value: powerflex - name: ACCESS_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: access - name: REFRESH_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: refresh volumeMounts: - name: karavi-authorization-config mountPath: /etc/karavi-authorization/config - name: proxy-server-root-certificate mountPath: /etc/karavi-authorization/root-certificates - name: vxflexos-config-params mountPath: /etc/karavi-authorization {{ end }} {{ end }} - name: driver securityContext: privileged: true allowPrivilegeEscalation: true capabilities: add: ["SYS_ADMIN"] image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-vxflexos.sh" ] args: - "--array-config=/vxflexos-config/config" - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" env: - name: CSI_ENDPOINT value: unix://{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/csi_sock - name: X_CSI_MODE value: node - name: X_CSI_PRIVATE_MOUNT_DIR value: "{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/disks" - name: X_CSI_ALLOW_RWO_MULTI_POD_ACCESS value: "{{ required "Must provide a true/false string to allow RWO multi pod access." .Values.allowRWOMultiPodAccess }}" - name: SSL_CERT_DIR value: /certs {{- if hasKey .Values.node "healthMonitor" }} - name: X_CSI_HEALTH_MONITOR_ENABLED value: "{{ .Values.node.healthMonitor.enabled }}" {{- end }} {{- if hasKey .Values.node "approveSDC" }} - name: X_CSI_APPROVE_SDC_ENABLED value: "{{ .Values.node.approveSDC.enabled }}" {{- end }} {{- if hasKey .Values.node "renameSDC" }} - name: X_CSI_RENAME_SDC_ENABLED value: "{{ .Values.node.renameSDC.enabled }}" {{- if eq .Values.node.renameSDC.enabled true }} - name: X_CSI_RENAME_SDC_PREFIX value: "{{ .Values.node.renameSDC.prefix }}" {{- end }} {{- end }} volumeMounts: - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com - name: volumedevices-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices mountPropagation: "Bidirectional" - name: pods-path mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" - name: dev mountPath: /dev - name: vxflexos-config mountPath: /vxflexos-config - name: vxflexos-config-params mountPath: /vxflexos-config-params {{- if ge (int .Values.certSecretCount) 1 }} - name: certs mountPath: /certs readOnly: true {{- end}} - name: registrar image: {{ required "Must provide the CSI registrar container image." ( include "csi-vxflexos.registrarImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" - "--csi-address=$(ADDRESS)" - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/csi_sock env: - name: ADDRESS value: /csi/csi_sock - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName volumeMounts: - name: registration-dir mountPath: /registration - name: driver-path mountPath: /csi {{- if eq .Values.monitor.enabled true }} - name: sdc-monitor securityContext: privileged: true image: {{ required "Must provide the PowerFlex SDC container image." .Values.images.powerflexSdc }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: {{ if eq .Values.monitor.hostPID true }} - name: HOST_PID value: "1" {{ else }} - name: HOST_PID value: "0" {{ end }} - name: HOST_NET value: "1" - name: NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MDM valueFrom: secretKeyRef: name: {{ .Release.Name }}-config key: MDM - name: MODE value: "monitoring" volumeMounts: - name: dev mountPath: /dev - name: os-release mountPath: /host-os-release - name: sdc-storage mountPath: /storage - name: udev-d mountPath: /rules.d {{- end }} initContainers: - name: sdc securityContext: privileged: true image: {{ required "Must provide the PowerFlex SDC container image." .Values.images.powerflexSdc }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MODE value: "config" - name: MDM valueFrom: secretKeyRef: name: {{ .Release.Name }}-config key: MDM - name: HOST_DRV_CFG_PATH value: /opt/emc/scaleio/sdc/bin volumeMounts: - name: dev mountPath: /dev - name: os-release mountPath: /host-os-release - name: sdc-storage mountPath: /storage - name: udev-d mountPath: /rules.d - name: scaleio-path-opt mountPath: /host_drv_cfg_path volumes: - name: registration-dir hostPath: path: {{ .Values.kubeletConfigDir }}/plugins_registry/ type: DirectoryOrCreate - name: driver-path hostPath: path: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com type: DirectoryOrCreate - name: volumedevices-path hostPath: path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices type: DirectoryOrCreate - name: pods-path hostPath: path: {{ .Values.kubeletConfigDir }}/pods type: Directory - name: dev hostPath: path: /dev type: Directory - name: scaleio-path-opt hostPath: path: /opt/emc/scaleio/sdc/bin type: DirectoryOrCreate - name: sdc-storage hostPath: path: /var/emc-scaleio type: DirectoryOrCreate - name: udev-d hostPath: path: /etc/udev/rules.d type: Directory - name: os-release hostPath: path: /etc/os-release type: File - name: vxflexos-config secret: secretName: {{ .Release.Name }}-config - name: vxflexos-config-params configMap: name: {{ .Release.Name }}-config-params {{- if ge (int .Values.certSecretCount) 1 }} - name: certs projected: sources: {{- range $i, $e := until (int .Values.certSecretCount ) }} - secret: name: {{ print $.Release.Name "-certs-" $e }} items: - key: cert-{{ $e }} path: cert-{{ $e }} {{- end }} {{- end }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-config secret: secretName: karavi-authorization-config - name: proxy-server-root-certificate secret: secretName: proxy-server-root-certificate {{ end }} {{ end }} {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: usr-bin hostPath: path: /usr/bin type: Directory - name: kubelet-pods hostPath: path: /var/lib/kubelet/pods type: Directory - name: var-run hostPath: path: /var/run type: Directory {{- end }} {{- end }}