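{{- /*
Controller plane for the Dell PowerScale (Isilon) CSI driver: ServiceAccount,
ClusterRole, ClusterRoleBinding and the controller Deployment with its sidecars.

All sidecars reach the driver through the shared "socket-dir" emptyDir. When
.Values.encryption.enabled is true the container list is rendered twice: once
against the driver's csi.sock and once ("-sec" suffixed sidecars) against the
encryption shim's csi-sec.sock.
*/ -}}

{{- /*
Leader-election tuning shared by every CSI sidecar. Each flag is emitted only
when its *own* key is present, so a missing key never renders an empty
"--flag=" that the sidecar rejects at start-up. (The previous copy-pasted
version gated --leader-election-retry-period on leaderElectionLeaseDuration.)
*/ -}}
{{- define "csi-isilon.controller.leaderElectionArgs" -}}
{{- with .Values.controller.leaderElection }}
{{- if hasKey . "leaderElectionRenewDeadline" }}
- "--leader-election-renew-deadline={{ .leaderElectionRenewDeadline }}"
{{- end }}
{{- if hasKey . "leaderElectionLeaseDuration" }}
- "--leader-election-lease-duration={{ .leaderElectionLeaseDuration }}"
{{- end }}
{{- if hasKey . "leaderElectionRetryPeriod" }}
- "--leader-election-retry-period={{ .leaderElectionRetryPeriod }}"
{{- end }}
{{- end }}
{{- end -}}

{{- /*
podmon needs extra RBAC verbs and an extra sidecar. Resolve the flag once so
every rule below always renders a verbs list, even when .Values.podmon is
absent (the old nested hasKey/if emitted rules with no verbs at all).
*/ -}}
{{- $podmonEnabled := false -}}
{{- if hasKey .Values "podmon" -}}
{{- if eq .Values.podmon.enabled true -}}
{{- $podmonEnabled = true -}}
{{- end -}}
{{- end -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-controller
  namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-controller
rules:
  # Shared by the driver and the attacher/provisioner sidecars.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["nodes"]
    {{- if $podmonEnabled }}
    # patch is only granted when podmon is deployed.
    verbs: ["get", "list", "watch", "patch"]
    {{- else }}
    verbs: ["get", "list", "watch"]
    {{- end }}
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["pods"]
    {{- if $podmonEnabled }}
    # update/delete on pods cluster-wide are only granted when podmon is deployed.
    verbs: ["get", "list", "watch", "update", "delete"]
    {{- else }}
    verbs: ["get", "list", "watch"]
    {{- end }}
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    {{- if $podmonEnabled }}
    verbs: ["get", "list", "watch", "update", "patch", "delete"]
    {{- else }}
    verbs: ["get", "list", "watch", "update", "patch"]
    {{- end }}
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  - apiGroups: ["csi.storage.k8s.io"]
    resources: ["csinodeinfos"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch", "update"]
  # below for snapshotter
  # NOTE(review): this is a ClusterRole, so get/list on secrets lets the
  # controller's token read and enumerate every Secret in every namespace, not
  # only the credential Secrets referenced by storage/snapshot classes. "list"
  # cannot be narrowed with resourceNames; treat this token as highly sensitive
  # and keep it confined to the controller pod.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]
  # NOTE(review): create/delete on CRDs is a cluster-admin-level capability
  # (deleting a CRD removes every object of that type in the cluster). It looks
  # like a left-over from the v1 snapshotter era (see the commented-out
  # csi-snapshotter:v1.0.0 image below); confirm the snapshotter image in use
  # still needs it and drop the verbs otherwise.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["create", "list", "watch", "delete"]
  # below for resizer
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["update", "patch"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims/status"]
    verbs: ["update", "patch"]
  # Leader election for all sidecars that pass --leader-election.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # below for dell-csi-replicator
  {{- if hasKey .Values.controller "replication" }}
  {{- if eq .Values.controller.replication.enabled true }}
  - apiGroups: ["replication.storage.dell.com"]
    resources: ["dellcsireplicationgroups"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["replication.storage.dell.com"]
    resources: ["dellcsireplicationgroups/status"]
    verbs: ["get", "patch", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]
  {{- end }}
  {{- end }}
  {{- if eq (include "csi-isilon.isStorageCapacitySupported" .) "true" }}
  # Storage-capacity tracking (provisioner --enable-capacity) needs ownerref
  # lookups on its own Pod and ReplicaSet (--capacity-ownerref-level=2).
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]
  {{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-controller
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-controller
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-controller
  apiGroup: rbac.authorization.k8s.io
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: {{ .Release.Name }}-controller
  namespace: {{ .Release.Namespace }}
  {{- if hasKey .Values "authorization" }}
  {{- if eq .Values.authorization.enabled true }}
  annotations:
    com.dell.karavi-authorization-proxy: "true"
  {{- end }}
  {{- end }}
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-controller
  {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}}
  {{- fail "value for .Values.controller.controllerCount should be atleast 1" }}
  {{- else }}
  replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }}
  {{- end }}
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-controller
    spec:
      # NOTE(review): no pod- or container-level securityContext is set, so every
      # container runs as its image's default user with the runtime's default
      # capability set. The driver's uid/capability needs are not visible here;
      # verify them before adding runAsNonRoot / drop ALL / readOnlyRootFilesystem.
      serviceAccountName: {{ .Release.Name }}-controller
      # One controller replica per node.
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  - key: app
                    operator: In
                    values:
                      - {{ .Release.Name }}-controller
              topologyKey: kubernetes.io/hostname
      {{- if .Values.controller.nodeSelector }}
      nodeSelector:
        {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
      {{- end }}
      {{- if .Values.controller.tolerations }}
      tolerations:
        {{- toYaml .Values.controller.tolerations | nindent 8 }}
      {{- end }}
      containers:
        {{- $encModes := list false }}
        {{- if eq .Values.encryption.enabled true }}
        {{- $encModes = list false true }}
        {{- end }}
        {{- range $encrypted := $encModes }}
        {{- with $ }}
        {{- $driverSock := "csi.sock" }}
        {{- $csiSidecarSuffix := "" }}
        {{- if $encrypted }}
        {{- $driverSock = "csi-sec.sock" }}
        {{- $csiSidecarSuffix = "-sec" }}
        {{- end }}
        {{- $driverSockPath := printf "/var/run/csi/%s" $driverSock }}
        {{- if not $encrypted }}
        {{- if $podmonEnabled }}
        - name: podmon
          image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            {{- toYaml .Values.podmon.controller.args | nindent 12 }}
          env:
            - name: MY_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
            - name: csi-isilon-config-params
              mountPath: /csi-isilon-config-params
              readOnly: true
        {{- end }}
        {{- if hasKey .Values.controller "replication" }}
        {{- if eq .Values.controller.replication.enabled true }}
        - name: dell-csi-replicator
          image: {{ required "Must provide the Dell CSI Replicator image." .Values.images.replication }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--leader-election=true"
            - "--worker-threads=2"
            - "--retry-interval-start=1s"
            - "--retry-interval-max=300s"
            - "--timeout=300s"
            # Same defaults as the driver's X_CSI_REPLICATION_* env below, so the
            # sidecar and the driver always agree on the prefixes.
            - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix | default "powerscale" }}"
            - "--prefix={{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com" }}"
          env:
            - name: X_CSI_REPLICATION_CONFIG_DIR
              value: /csi-isilon-config-params
            - name: X_CSI_REPLICATION_CONFIG_FILE_NAME
              value: driver-config-params.yaml
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
            - name: csi-isilon-config-params
              mountPath: /csi-isilon-config-params
              readOnly: true
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if hasKey .Values.controller "resizer" }}
        {{- if eq .Values.controller.resizer.enabled true }}
        - name: resizer{{ $csiSidecarSuffix }}
          image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--leader-election"
            - "--timeout=120s"
            - "--v=5"
            {{- with include "csi-isilon.controller.leaderElectionArgs" . | trim }}
            {{- . | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- end }}
        {{- end }}
        # No space before the suffix: "csi-metadata-retriever -sec" is not a
        # valid container name and the API server rejects the whole Deployment
        # when encryption is enabled.
        # NOTE(review): both the plain and the "-sec" retriever bind the same
        # CSI_RETRIEVER_ENDPOINT path inside one shared emptyDir; confirm the
        # retriever tolerates that before enabling encryption.
        - name: csi-metadata-retriever{{ $csiSidecarSuffix }}
          image: {{ required "Must provide the CSI metadata retriever container image." .Values.images.metadataretriever }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          command: [ "/csi-metadata-retriever" ]
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--timeout=120s"
            - "--v=5"
          env:
            - name: CSI_RETRIEVER_ENDPOINT
              value: /var/run/csi/csi_retriever.sock
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        - name: attacher{{ $csiSidecarSuffix }}
          image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--v=5"
            - "--leader-election"
            - "--timeout=180s"
            {{- with include "csi-isilon.controller.leaderElectionArgs" . | trim }}
            {{- . | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- if not $encrypted }}
        {{- if hasKey .Values.controller "healthMonitor" }}
        {{- if eq .Values.controller.healthMonitor.enabled true }}
        - name: external-health-monitor-controller
          image: {{ required "Must provide the CSI external-health-monitor-controller container image." .Values.images.healthmonitor }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--v=5"
            - "--leader-election"
            - "--enable-node-watcher=true"
            - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}"
            - "--timeout=180s"
            - "--http-endpoint=:8080"
            {{- with include "csi-isilon.controller.leaderElectionArgs" . | trim }}
            {{- . | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- end }}
        {{- end }}
        {{- end }}
        - name: provisioner{{ $csiSidecarSuffix }}
          image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}"
            - "--volume-name-uuid-length=10"
            - "--worker-threads=5"
            - "--timeout=120s"
            - "--v=5"
            - "--feature-gates=Topology=true"
            - "--leader-election"
            - "--extra-create-metadata"
            - "--enable-capacity={{ (include "csi-isilon.isStorageCapacitySupported" .) | default false }}"
            - "--capacity-ownerref-level=2"
            - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}"
            {{- with include "csi-isilon.controller.leaderElectionArgs" . | trim }}
            {{- . | nindent 12 }}
            {{- end }}
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- if hasKey .Values.controller "snapshot" }}
        {{- if eq .Values.controller.snapshot.enabled true }}
        - name: snapshotter{{ $csiSidecarSuffix }}
          #image: quay.io/k8scsi/csi-snapshotter:v1.0.0
          image: {{ required "Must provide the CSI snapshotter container image." .Values.images.snapshotter }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - "--csi-address={{ $driverSockPath }}"
            - "--timeout=120s"
            - "--v=5"
            - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}"
            - "--leader-election"
            {{- with include "csi-isilon.controller.leaderElectionArgs" . | trim }}
            {{- . | nindent 12 }}
            {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- end }}
        {{- end }}
        {{- if not $encrypted }}
        - name: driver
          image: {{ required "Must provide the Isilon driver image repository." .Values.images.driver }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          command: [ "/csi-isilon" ]
          args:
            - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml"
          # Templated values are quoted: env values must be strings, and an
          # unquoted value that happens to look like a number/bool would be
          # rejected by the API server.
          env:
            - name: CSI_ENDPOINT
              value: "{{ $driverSockPath }}"
            - name: CSI_RETRIEVER_ENDPOINT
              value: /var/run/csi/csi_retriever.sock
            - name: X_CSI_MODE
              value: controller
            # NOTE(review): "true" disables TLS certificate verification towards
            # the PowerScale API. Keep it false and ship the CA through the
            # certs volume (SSL_CERT_DIR) outside of lab setups.
            - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION
              value: "{{ .Values.skipCertificateValidation }}"
            - name: X_CSI_ISI_AUTH_TYPE
              value: "{{ .Values.isiAuthType }}"
            - name: X_CSI_VERBOSE
              value: "{{ .Values.verbose }}"
            - name: X_CSI_ISI_PORT
              value: "{{ .Values.endpointPort }}"
            - name: X_CSI_ISI_AUTOPROBE
              value: "{{ .Values.autoProbe }}"
            - name: X_CSI_ISI_QUOTA_ENABLED
              value: "{{ .Values.enableQuota }}"
            - name: X_CSI_ISI_ACCESS_ZONE
              value: "{{ .Values.isiAccessZone }}"
            - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED
              value: "{{ .Values.enableCustomTopology }}"
            - name: X_CSI_ISI_PATH
              value: "{{ .Values.isiPath }}"
            - name: X_CSI_ISI_VOLUME_PATH_PERMISSIONS
              value: "{{ .Values.isiVolumePathPermissions }}"
            - name: X_CSI_ISI_IGNORE_UNRESOLVABLE_HOSTS
              value: "{{ .Values.ignoreUnresolvableHosts }}"
            - name: X_CSI_ISI_NO_PROBE_ON_START
              value: "{{ .Values.noProbeOnStart }}"
            # Mirrors the decision that deploys the podmon sidecar above.
            - name: X_CSI_PODMON_ENABLED
              value: "{{ $podmonEnabled }}"
            - name: X_CSI_PODMON_API_PORT
              value: "{{ .Values.podmonAPIPort }}"
            {{- if $podmonEnabled }}
            {{- range $key, $value := .Values.podmon.controller.args }}
            {{- if contains "--arrayConnectivityPollRate" $value }}
            - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE
              value: "{{ (split "=" $value)._1 }}"
            {{- end }}
            {{- end }}
            {{- end }}
            {{- if hasKey .Values.controller "replication" }}
            {{- if eq .Values.controller.replication.enabled true }}
            - name: X_CSI_REPLICATION_CONTEXT_PREFIX
              value: "{{ .Values.controller.replication.replicationContextPrefix | default "powerscale" }}"
            - name: X_CSI_REPLICATION_PREFIX
              value: "{{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com" }}"
            {{- end }}
            {{- end }}
            {{- if hasKey .Values.controller "healthMonitor" }}
            {{- if eq .Values.controller.healthMonitor.enabled true }}
            - name: X_CSI_HEALTH_MONITOR_ENABLED
              value: "{{ .Values.controller.healthMonitor.enabled }}"
            {{- end }}
            {{- end }}
            - name: X_CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: SSL_CERT_DIR
              value: /certs
            - name: X_CSI_ISI_CONFIG_PATH
              value: /isilon-configs/config
            - name: X_CSI_MAX_PATH_LIMIT
              value: "{{ .Values.maxPathLen }}"
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
            - name: certs
              mountPath: /certs
              readOnly: true
            # Array credentials; the driver only reads them.
            - name: isilon-configs
              mountPath: /isilon-configs
              readOnly: true
            - name: csi-isilon-config-params
              mountPath: /csi-isilon-config-params
              readOnly: true
        {{- end }}
        {{- if not $encrypted }}
        {{- if hasKey .Values "authorization" }}
        {{- if eq .Values.authorization.enabled true }}
        - name: karavi-authorization-proxy
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }}
          env:
            - name: PROXY_HOST
              value: "{{ .Values.authorization.proxyHost }}"
            # NOTE(review): "true" disables TLS verification towards the
            # authorization proxy; pin the CA via proxy-server-root-certificate instead.
            - name: SKIP_CERTIFICATE_VALIDATION
              value: "{{ .Values.authorization.skipCertificateValidation }}"
            - name: PLUGIN_IDENTIFIER
              value: powerscale
            # Bearer tokens come from the proxy-authz-tokens Secret, which this
            # template does not create; it must already exist in the release namespace.
            - name: ACCESS_TOKEN
              valueFrom:
                secretKeyRef:
                  name: proxy-authz-tokens
                  key: access
            - name: REFRESH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: proxy-authz-tokens
                  key: refresh
          volumeMounts:
            - name: karavi-authorization-config
              mountPath: /etc/karavi-authorization/config
              readOnly: true
            - name: proxy-server-root-certificate
              mountPath: /etc/karavi-authorization/root-certificates
              readOnly: true
            - name: csi-isilon-config-params
              mountPath: /etc/karavi-authorization
              readOnly: true
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if $encrypted }}
        # Encryption shim: exposes csi-sec.sock to the "-sec" sidecars and
        # forwards to the driver's csi.sock.
        - name: driver-sec
          image: {{ .Values.images.encryption }}
          imagePullPolicy: {{ .Values.imagePullPolicy }}
          args:
            - --name={{ .Values.encryption.pluginName }}
            - --nodeId=$(NODE_ID)
            - "--endpoint=unix://var/run/csi/csi-sec.sock"
            - "--targetEndpoint=unix://var/run/csi/csi.sock"
            - --targetType=Isilon
            - --controller
            - --logLevel={{ .Values.encryption.logLevel }}
            {{- range index .Values.encryption.extraArgs }}
            - {{ . | quote }}
            {{- end }}
          env:
            - name: NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: socket-dir
              mountPath: /var/run/csi
        {{- end }}
        {{- end }}
        {{- end }}
      volumes:
        # Unix sockets shared between the driver and its sidecars.
        - name: socket-dir
          emptyDir: {}
        # CA bundle for the PowerScale API, one Secret per configured cert.
        - name: certs
          projected:
            sources:
              {{- range $i, $e := until (int .Values.certSecretCount ) }}
              - secret:
                  name: {{ print $.Release.Name "-certs-" $e }}
                  items:
                    - key: cert-{{ $e }}
                      path: cert-{{ $e }}
              {{- end }}
        - name: isilon-configs
          secret:
            secretName: {{ .Release.Name }}-creds
        - name: csi-isilon-config-params
          configMap:
            name: {{ .Release.Name }}-config-params
        {{- if hasKey .Values "authorization" }}
        {{- if eq .Values.authorization.enabled true }}
        - name: karavi-authorization-config
          secret:
            secretName: karavi-authorization-config
        - name: proxy-server-root-certificate
          secret:
            secretName: proxy-server-root-certificate
        {{- end }}
        {{- end }}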