apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-node rules: - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["create", "delete", "get", "list", "watch", "update"] - apiGroups: [""] resources: ["persistentvolumesclaims"] verbs: ["get", "list", "watch", "update"] - apiGroups: [""] resources: ["events"] verbs: ["get", "list", "watch", "create", "update", "patch"] - apiGroups: [""] resources: ["nodes"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch", "update"] - apiGroups: [ "security.openshift.io" ] resourceNames: [ "privileged" ] resources: [ "securitycontextconstraints" ] verbs: [ "use" ] {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch", "update", "delete"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] {{ end }} {{ end }} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-node subjects: - kind: ServiceAccount name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-node apiGroup: rbac.authorization.k8s.io --- kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-node namespace: {{ .Release.Namespace }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: com.dell.karavi-authorization-proxy: "true" {{ end }} {{ end }} spec: selector: matchLabels: app: {{ .Release.Name }}-node template: metadata: labels: app: {{ .Release.Name }}-node {{- if .Values.podmon.enabled }} driver.dellemc.com: dell-storage {{- end }} spec: serviceAccount: {{ .Release.Name }}-node {{ if .Values.node.nodeSelector }} nodeSelector: {{- toYaml .Values.node.nodeSelector | nindent 8 }} {{ end }} {{ if .Values.node.tolerations }} tolerations: {{- toYaml .Values.node.tolerations | nindent 8 }} {{ end }} hostNetwork: true dnsPolicy: {{ .Values.node.dnsPolicy }} containers: {{- $encModes := list false }} {{- if eq .Values.encryption.enabled true }} {{- $encModes = list false true }} {{- end }} {{- range $encrypted := $encModes }} {{- with $ }} {{- $driverSock := "csi_sock" }} {{- $csiSidecarSuffix := "" }} {{- if $encrypted }} {{- $driverSock = "csi_sec_sock" }} {{- $csiSidecarSuffix = "-sec" }} {{- end }} {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: podmon securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: {{ required "Must provide the podmon container image." .Values.podmon.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: {{- toYaml .Values.podmon.node.args | nindent 12 }} env: - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - name: X_CSI_PRIVATE_MOUNT_DIR value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" - name: MY_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: MY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: MY_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: kubelet-pods mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon mountPropagation: "Bidirectional" - name: volumedevices-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices mountPropagation: "Bidirectional" - name: dev mountPath: /dev - name: usr-bin mountPath: /usr-bin - name: var-run mountPath: /var/run - name: csi-isilon-config-params mountPath: /csi-isilon-config-params {{- end }} {{- end }} {{- if not $encrypted }} - name: driver command: ["/csi-isilon"] args: - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" securityContext: privileged: true capabilities: add: ["SYS_ADMIN"] allowPrivilegeEscalation: true image: {{ required "Must provide the Isilon driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: CSI_ENDPOINT value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}" - name: X_CSI_MODE value: node - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION value: "{{ .Values.skipCertificateValidation }}" - name: X_CSI_ISI_AUTH_TYPE value: "{{ .Values.isiAuthType }}" - name: X_CSI_ALLOWED_NETWORKS value: "{{ .Values.allowedNetworks }}" - name: X_CSI_VERBOSE value: "{{ .Values.verbose }}" - name: X_CSI_PRIVATE_MOUNT_DIR value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" - name: X_CSI_ISI_PORT value: "{{ .Values.endpointPort }}" - name: X_CSI_ISI_PATH value: {{ .Values.isiPath }} - name: X_CSI_ISI_NO_PROBE_ON_START value: "{{ .Values.noProbeOnStart }}" - name: X_CSI_ISI_AUTOPROBE value: "{{ .Values.autoProbe }}" - name: X_CSI_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: X_CSI_NODE_IP valueFrom: fieldRef: fieldPath: status.hostIP - name: SSL_CERT_DIR value: /certs - name: X_CSI_ISI_QUOTA_ENABLED value: "{{ .Values.enableQuota }}" - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED value: "{{ .Values.enableCustomTopology }}" - name: X_CSI_ISI_CONFIG_PATH value: /isilon-configs/config - name: X_CSI_MAX_VOLUMES_PER_NODE value: "{{ .Values.maxIsilonVolumesPerNode }}" - name: X_CSI_HEALTH_MONITOR_ENABLED value: "{{ .Values.node.healthMonitor.enabled }}" - name: X_CSI_PODMON_ENABLED value: "{{ .Values.podmon.enabled }}" - name: X_CSI_PODMON_API_PORT value: "{{ .Values.podmonAPIPort }}" {{- if eq .Values.podmon.enabled true }} {{- range $key, $value := .Values.podmon.node.args }} {{- if contains "--arrayConnectivityPollRate" $value }} - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE value: "{{ (split "=" $value)._1 }}" {{ end }} {{ end }} {{ end }} - name: X_CSI_MAX_PATH_LIMIT value: "{{ .Values.maxPathLen }}" volumeMounts: - name: driver-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon {{- if eq .Values.encryption.enabled true }} - name: staging-dir mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi mountPropagation: Bidirectional {{- else }} - name: volumedevices-path mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices {{- end }} - name: pods-path mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: "Bidirectional" - name: dev mountPath: /dev - name: certs mountPath: /certs readOnly: true - name: isilon-configs mountPath: /isilon-configs - name: csi-isilon-config-params mountPath: /csi-isilon-config-params {{- end }} - name: registrar{{ $csiSidecarSuffix }} image: {{ required "Must provide the CSI node registrar container image." ( include "csi-isilon.registrarImage" . ) }} imagePullPolicy: {{ .Values.imagePullPolicy }} args: - "--v=5" - "--csi-address=/csi/{{ $driverSock }}" - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }} env: - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName volumeMounts: - name: registration-dir mountPath: /registration - name: driver-path mountPath: /csi {{- if not $encrypted }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-proxy imagePullPolicy: {{ .Values.imagePullPolicy }} image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} env: - name: PROXY_HOST value: "{{ .Values.authorization.proxyHost }}" - name: SKIP_CERTIFICATE_VALIDATION value: "{{ .Values.authorization.skipCertificateValidation }}" - name: PLUGIN_IDENTIFIER value: powerscale - name: ACCESS_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: access - name: REFRESH_TOKEN valueFrom: secretKeyRef: name: proxy-authz-tokens key: refresh volumeMounts: - name: karavi-authorization-config mountPath: /etc/karavi-authorization/config - name: proxy-server-root-certificate mountPath: /etc/karavi-authorization/root-certificates - name: csi-isilon-config-params mountPath: /etc/karavi-authorization {{ end }} {{ end }} {{- end }} {{- if $encrypted }} - name: driver-sec image: {{ .Values.encryption.image }} imagePullPolicy: {{ .Values.imagePullPolicy }} securityContext: privileged: true allowPrivilegeEscalation: true capabilities: add: ["SYS_ADMIN"] args: - --name={{ .Values.encryption.pluginName }} - --nodeId=$(NODE_ID) - "--endpoint=unix://var/run/csi/csi_sec_sock" - "--targetEndpoint=unix://var/run/csi/csi_sock" - --targetType=Isilon - --vaultClientConfig=/etc/dea/vault/client.json - --logLevel={{ .Values.encryption.logLevel }} - --licenseName=/etc/dea/license/license {{- if .Values.encryption.livenessPort }} - --livenessPort={{ .Values.encryption.livenessPort }} {{- end}} - --apiPort={{ .Values.encryption.apiPort }} {{- range index .Values.encryption.extraArgs }} - {{ . | quote }} {{- end }} env: - name: NODE_ID valueFrom: fieldRef: fieldPath: spec.nodeName {{- if eq .Values.encryption.ocp true }} - name: CORE_ID value: "{{ required "encryption.ocpCoreID not set to core user uid:gid" .Values.encryption.ocpCoreID }}" {{- end }} volumeMounts: - name: vault-config mountPath: /etc/dea/vault - name: driver-path mountPath: /var/run/csi - name: pods-path mountPath: {{ .Values.kubeletConfigDir }}/pods mountPropagation: Bidirectional - name: staging-dir mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi mountPropagation: Bidirectional - name: user-home {{- if eq .Values.encryption.ocp true }} mountPath: /corehome {{- else }} mountPath: /roothome {{- end }} - name: license-config mountPath: /etc/dea/license {{- if .Values.encryption.livenessPort }} livenessProbe: httpGet: path: /liveprobe port: {{ .Values.encryption.livenessPort }} initialDelaySeconds: 1500 periodSeconds: 1000 timeoutSeconds: 3 failureThreshold: 100 {{- end }} {{- end }} {{- end }} {{- end }} volumes: - name: registration-dir hostPath: path: {{ .Values.kubeletConfigDir }}/plugins_registry/ type: DirectoryOrCreate - name: driver-path hostPath: path: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon type: DirectoryOrCreate - name: volumedevices-path hostPath: path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices type: DirectoryOrCreate - name: pods-path hostPath: path: {{ .Values.kubeletConfigDir }}/pods type: Directory - name: dev hostPath: path: /dev type: Directory - name: certs projected: sources: {{- range $i, $e := until (int .Values.certSecretCount ) }} - secret: name: {{ print $.Release.Name "-certs-" $e }} items: - key: cert-{{ $e }} path: cert-{{ $e }} {{- end }} - name: isilon-configs secret: secretName: {{ .Release.Name }}-creds - name: csi-isilon-config-params configMap: name: {{ .Release.Name }}-config-params {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} - name: karavi-authorization-config secret: secretName: karavi-authorization-config - name: proxy-server-root-certificate secret: secretName: proxy-server-root-certificate {{ end }} {{ end }} {{- if hasKey .Values "podmon" }} {{- if eq .Values.podmon.enabled true }} - name: usr-bin hostPath: path: /usr/bin type: Directory - name: kubelet-pods hostPath: path: /var/lib/kubelet/pods type: Directory - name: var-run hostPath: path: /var/run type: Directory {{ end }} {{ end }} {{- if eq .Values.encryption.enabled true }} - name: vault-config projected: sources: - secret: name: vault-cert - secret: name: vault-auth - configMap: name: vault-client-conf - name: staging-dir hostPath: path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi type: DirectoryOrCreate - name: user-home hostPath: {{- if eq .Values.encryption.ocp true }} path: /home/core {{- else }} path: /root {{- end }} type: Directory - name: license-config secret: secretName: encryption-license {{- end }}