459 lines
16 KiB
YAML
459 lines
16 KiB
YAML
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ .Release.Name }}-node
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: {{ .Release.Name }}-node
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["persistentvolumes"]
|
|
verbs: ["create", "delete", "get", "list", "watch", "update"]
|
|
- apiGroups: [""]
|
|
resources: ["persistentvolumesclaims"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: [""]
|
|
resources: ["events"]
|
|
verbs: ["get", "list", "watch", "create", "update", "patch"]
|
|
- apiGroups: [""]
|
|
resources: ["nodes"]
|
|
verbs: ["get", "list", "watch", "update", "patch"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["volumeattachments"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["storageclasses"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["storage.k8s.io"]
|
|
resources: ["volumeattachments"]
|
|
verbs: ["get", "list", "watch", "update"]
|
|
- apiGroups: [ "security.openshift.io" ]
|
|
resourceNames: [ "privileged" ]
|
|
resources: [ "securitycontextconstraints" ]
|
|
verbs: [ "use" ]
|
|
{{- if hasKey .Values "podmon" }}
|
|
{{- if eq .Values.podmon.enabled true }}
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list", "watch", "update", "delete"]
|
|
- apiGroups: ["coordination.k8s.io"]
|
|
resources: ["leases"]
|
|
verbs: ["get", "watch", "list", "delete", "update", "create"]
|
|
{{ end }}
|
|
{{ end }}
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: {{ .Release.Name }}-node
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ .Release.Name }}-node
|
|
namespace: {{ .Release.Namespace }}
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: {{ .Release.Name }}-node
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: {{ .Release.Name }}-node
|
|
namespace: {{ .Release.Namespace }}
|
|
{{- if hasKey .Values "authorization" }}
|
|
{{- if eq .Values.authorization.enabled true }}
|
|
annotations:
|
|
com.dell.karavi-authorization-proxy: "true"
|
|
{{ end }}
|
|
{{ end }}
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: {{ .Release.Name }}-node
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: {{ .Release.Name }}-node
|
|
{{- if .Values.podmon.enabled }}
|
|
driver.dellemc.com: dell-storage
|
|
{{- end }}
|
|
spec:
|
|
serviceAccount: {{ .Release.Name }}-node
|
|
{{ if .Values.node.nodeSelector }}
|
|
nodeSelector:
|
|
{{- toYaml .Values.node.nodeSelector | nindent 8 }}
|
|
{{ end }}
|
|
{{ if .Values.node.tolerations }}
|
|
tolerations:
|
|
{{- toYaml .Values.node.tolerations | nindent 8 }}
|
|
{{ end }}
|
|
hostNetwork: true
|
|
dnsPolicy: {{ .Values.node.dnsPolicy }}
|
|
containers:
|
|
{{- $encModes := list false }}
|
|
{{- if eq .Values.encryption.enabled true }}
|
|
{{- $encModes = list false true }}
|
|
{{- end }}
|
|
{{- range $encrypted := $encModes }}
|
|
{{- with $ }}
|
|
{{- $driverSock := "csi_sock" }}
|
|
{{- $csiSidecarSuffix := "" }}
|
|
{{- if $encrypted }}
|
|
{{- $driverSock = "csi_sec_sock" }}
|
|
{{- $csiSidecarSuffix = "-sec" }}
|
|
{{- end }}
|
|
{{- if hasKey .Values "podmon" }}
|
|
{{- if eq .Values.podmon.enabled true }}
|
|
- name: podmon
|
|
securityContext:
|
|
privileged: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
allowPrivilegeEscalation: true
|
|
image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
|
|
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
args:
|
|
{{- toYaml .Values.podmon.node.args | nindent 12 }}
|
|
env:
|
|
- name: KUBE_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: spec.nodeName
|
|
- name: X_CSI_PRIVATE_MOUNT_DIR
|
|
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks"
|
|
- name: MY_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: MY_POD_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.name
|
|
- name: MY_POD_NAMESPACE
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: metadata.namespace
|
|
volumeMounts:
|
|
- name: kubelet-pods
|
|
mountPath: {{ .Values.kubeletConfigDir }}/pods
|
|
mountPropagation: "Bidirectional"
|
|
- name: driver-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
|
|
mountPropagation: "Bidirectional"
|
|
- name: volumedevices-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
|
|
mountPropagation: "Bidirectional"
|
|
- name: dev
|
|
mountPath: /dev
|
|
- name: usr-bin
|
|
mountPath: /usr-bin
|
|
- name: var-run
|
|
mountPath: /var/run
|
|
- name: csi-isilon-config-params
|
|
mountPath: /csi-isilon-config-params
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- if not $encrypted }}
|
|
- name: driver
|
|
command: ["/csi-isilon"]
|
|
args:
|
|
- "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml"
|
|
securityContext:
|
|
privileged: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
allowPrivilegeEscalation: true
|
|
image: {{ required "Must provide the Isilon driver image repository." .Values.images.driver }}
|
|
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
env:
|
|
- name: CSI_ENDPOINT
|
|
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}"
|
|
- name: X_CSI_MODE
|
|
value: node
|
|
- name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION
|
|
value: "{{ .Values.skipCertificateValidation }}"
|
|
- name: X_CSI_ISI_AUTH_TYPE
|
|
value: "{{ .Values.isiAuthType }}"
|
|
- name: X_CSI_ALLOWED_NETWORKS
|
|
value: "{{ .Values.allowedNetworks }}"
|
|
- name: X_CSI_VERBOSE
|
|
value: "{{ .Values.verbose }}"
|
|
- name: X_CSI_PRIVATE_MOUNT_DIR
|
|
value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks"
|
|
- name: X_CSI_ISI_PORT
|
|
value: "{{ .Values.endpointPort }}"
|
|
- name: X_CSI_ISI_PATH
|
|
value: {{ .Values.isiPath }}
|
|
- name: X_CSI_ISI_NO_PROBE_ON_START
|
|
value: "{{ .Values.noProbeOnStart }}"
|
|
- name: X_CSI_ISI_AUTOPROBE
|
|
value: "{{ .Values.autoProbe }}"
|
|
- name: X_CSI_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
- name: X_CSI_NODE_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.hostIP
|
|
- name: SSL_CERT_DIR
|
|
value: /certs
|
|
- name: X_CSI_ISI_QUOTA_ENABLED
|
|
value: "{{ .Values.enableQuota }}"
|
|
- name: X_CSI_CUSTOM_TOPOLOGY_ENABLED
|
|
value: "{{ .Values.enableCustomTopology }}"
|
|
- name: X_CSI_ISI_CONFIG_PATH
|
|
value: /isilon-configs/config
|
|
- name: X_CSI_MAX_VOLUMES_PER_NODE
|
|
value: "{{ .Values.maxIsilonVolumesPerNode }}"
|
|
- name: X_CSI_HEALTH_MONITOR_ENABLED
|
|
value: "{{ .Values.node.healthMonitor.enabled }}"
|
|
- name: X_CSI_PODMON_ENABLED
|
|
value: "{{ .Values.podmon.enabled }}"
|
|
- name: X_CSI_PODMON_API_PORT
|
|
value: "{{ .Values.podmonAPIPort }}"
|
|
{{- if eq .Values.podmon.enabled true }}
|
|
{{- range $key, $value := .Values.podmon.node.args }}
|
|
{{- if contains "--arrayConnectivityPollRate" $value }}
|
|
- name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE
|
|
value: "{{ (split "=" $value)._1 }}"
|
|
{{ end }}
|
|
{{ end }}
|
|
{{ end }}
|
|
- name: X_CSI_MAX_PATH_LIMIT
|
|
value: "{{ .Values.maxPathLen }}"
|
|
volumeMounts:
|
|
- name: driver-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
|
|
{{- if eq .Values.encryption.enabled true }}
|
|
- name: staging-dir
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
|
|
mountPropagation: Bidirectional
|
|
{{- else }}
|
|
- name: volumedevices-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
|
|
{{- end }}
|
|
- name: pods-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/pods
|
|
mountPropagation: "Bidirectional"
|
|
- name: dev
|
|
mountPath: /dev
|
|
- name: certs
|
|
mountPath: /certs
|
|
readOnly: true
|
|
- name: isilon-configs
|
|
mountPath: /isilon-configs
|
|
- name: csi-isilon-config-params
|
|
mountPath: /csi-isilon-config-params
|
|
{{- end }}
|
|
- name: registrar{{ $csiSidecarSuffix }}
|
|
image: {{ required "Must provide the CSI node registrar container image." .Values.images.registrar }}
|
|
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
args:
|
|
- "--v=5"
|
|
- "--csi-address=/csi/{{ $driverSock }}"
|
|
- --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}
|
|
env:
|
|
- name: KUBE_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
apiVersion: v1
|
|
fieldPath: spec.nodeName
|
|
volumeMounts:
|
|
- name: registration-dir
|
|
mountPath: /registration
|
|
- name: driver-path
|
|
mountPath: /csi
|
|
{{- if not $encrypted }}
|
|
{{- if hasKey .Values "authorization" }}
|
|
{{- if eq .Values.authorization.enabled true }}
|
|
- name: karavi-authorization-proxy
|
|
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
image: {{ required "Must provide the authorization sidecar container image." .Values.images.authorization }}
|
|
env:
|
|
- name: PROXY_HOST
|
|
value: "{{ .Values.authorization.proxyHost }}"
|
|
- name: SKIP_CERTIFICATE_VALIDATION
|
|
value: "{{ .Values.authorization.skipCertificateValidation }}"
|
|
- name: PLUGIN_IDENTIFIER
|
|
value: powerscale
|
|
- name: ACCESS_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: proxy-authz-tokens
|
|
key: access
|
|
- name: REFRESH_TOKEN
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: proxy-authz-tokens
|
|
key: refresh
|
|
volumeMounts:
|
|
- name: karavi-authorization-config
|
|
mountPath: /etc/karavi-authorization/config
|
|
- name: proxy-server-root-certificate
|
|
mountPath: /etc/karavi-authorization/root-certificates
|
|
- name: csi-isilon-config-params
|
|
mountPath: /etc/karavi-authorization
|
|
{{ end }}
|
|
{{ end }}
|
|
{{- end }}
|
|
{{- if $encrypted }}
|
|
- name: driver-sec
|
|
image: {{ .Values.images.encryption }}
|
|
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
|
securityContext:
|
|
privileged: true
|
|
allowPrivilegeEscalation: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
args:
|
|
- --name={{ .Values.encryption.pluginName }}
|
|
- --nodeId=$(NODE_ID)
|
|
- "--endpoint=unix://var/run/csi/csi_sec_sock"
|
|
- "--targetEndpoint=unix://var/run/csi/csi_sock"
|
|
- --targetType=Isilon
|
|
- --vaultClientConfig=/etc/dea/vault/client.json
|
|
- --logLevel={{ .Values.encryption.logLevel }}
|
|
- --licenseName=/etc/dea/license/license
|
|
{{- if .Values.encryption.livenessPort }}
|
|
- --livenessPort={{ .Values.encryption.livenessPort }}
|
|
{{- end}}
|
|
- --apiPort={{ .Values.encryption.apiPort }}
|
|
{{- range index .Values.encryption.extraArgs }}
|
|
- {{ . | quote }}
|
|
{{- end }}
|
|
env:
|
|
- name: NODE_ID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
{{- if eq .Values.encryption.ocp true }}
|
|
- name: CORE_ID
|
|
value: "{{ required "encryption.ocpCoreID not set to core user uid:gid" .Values.encryption.ocpCoreID }}"
|
|
{{- end }}
|
|
volumeMounts:
|
|
- name: vault-config
|
|
mountPath: /etc/dea/vault
|
|
- name: driver-path
|
|
mountPath: /var/run/csi
|
|
- name: pods-path
|
|
mountPath: {{ .Values.kubeletConfigDir }}/pods
|
|
mountPropagation: Bidirectional
|
|
- name: staging-dir
|
|
mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
|
|
mountPropagation: Bidirectional
|
|
- name: user-home
|
|
{{- if eq .Values.encryption.ocp true }}
|
|
mountPath: /corehome
|
|
{{- else }}
|
|
mountPath: /roothome
|
|
{{- end }}
|
|
- name: license-config
|
|
mountPath: /etc/dea/license
|
|
{{- if .Values.encryption.livenessPort }}
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /liveprobe
|
|
port: {{ .Values.encryption.livenessPort }}
|
|
initialDelaySeconds: 1500
|
|
periodSeconds: 1000
|
|
timeoutSeconds: 3
|
|
failureThreshold: 100
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
volumes:
|
|
- name: registration-dir
|
|
hostPath:
|
|
path: {{ .Values.kubeletConfigDir }}/plugins_registry/
|
|
type: DirectoryOrCreate
|
|
- name: driver-path
|
|
hostPath:
|
|
path: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon
|
|
type: DirectoryOrCreate
|
|
- name: volumedevices-path
|
|
hostPath:
|
|
path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices
|
|
type: DirectoryOrCreate
|
|
- name: pods-path
|
|
hostPath:
|
|
path: {{ .Values.kubeletConfigDir }}/pods
|
|
type: Directory
|
|
- name: dev
|
|
hostPath:
|
|
path: /dev
|
|
type: Directory
|
|
- name: certs
|
|
projected:
|
|
sources:
|
|
{{- range $i, $e := until (int .Values.certSecretCount ) }}
|
|
- secret:
|
|
name: {{ print $.Release.Name "-certs-" $e }}
|
|
items:
|
|
- key: cert-{{ $e }}
|
|
path: cert-{{ $e }}
|
|
{{- end }}
|
|
- name: isilon-configs
|
|
secret:
|
|
secretName: {{ .Release.Name }}-creds
|
|
- name: csi-isilon-config-params
|
|
configMap:
|
|
name: {{ .Release.Name }}-config-params
|
|
{{- if hasKey .Values "authorization" }}
|
|
{{- if eq .Values.authorization.enabled true }}
|
|
- name: karavi-authorization-config
|
|
secret:
|
|
secretName: karavi-authorization-config
|
|
- name: proxy-server-root-certificate
|
|
secret:
|
|
secretName: proxy-server-root-certificate
|
|
{{ end }}
|
|
{{ end }}
|
|
{{- if hasKey .Values "podmon" }}
|
|
{{- if eq .Values.podmon.enabled true }}
|
|
- name: usr-bin
|
|
hostPath:
|
|
path: /usr/bin
|
|
type: Directory
|
|
- name: kubelet-pods
|
|
hostPath:
|
|
path: /var/lib/kubelet/pods
|
|
type: Directory
|
|
- name: var-run
|
|
hostPath:
|
|
path: /var/run
|
|
type: Directory
|
|
{{ end }}
|
|
{{ end }}
|
|
{{- if eq .Values.encryption.enabled true }}
|
|
- name: vault-config
|
|
projected:
|
|
sources:
|
|
- secret:
|
|
name: vault-cert
|
|
- secret:
|
|
name: vault-auth
|
|
- configMap:
|
|
name: vault-client-conf
|
|
- name: staging-dir
|
|
hostPath:
|
|
path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
|
|
type: DirectoryOrCreate
|
|
- name: user-home
|
|
hostPath:
|
|
{{- if eq .Values.encryption.ocp true }}
|
|
path: /home/core
|
|
{{- else }}
|
|
path: /root
|
|
{{- end }}
|
|
type: Directory
|
|
- name: license-config
|
|
secret:
|
|
secretName: encryption-license
|
|
{{- end }}
|