diff --git a/deploy/rbd/helm/Chart.yaml b/deploy/rbd/helm/Chart.yaml index 7aa0bc6c0..353dfcd8c 100644 --- a/deploy/rbd/helm/Chart.yaml +++ b/deploy/rbd/helm/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v1 -appVersion: "0.3.0" +appVersion: "1.0.0" description: Container Storage Interface (CSI) driver, provisioner, and attacher for Ceph RBD name: ceph-csi-rbd -version: 0.1.0 +version: 0.2.0 keywords: - ceph - rbd diff --git a/deploy/rbd/helm/templates/attacher-statefulset.yaml b/deploy/rbd/helm/templates/attacher-statefulset.yaml index 1ba9847d5..78e9a02db 100644 --- a/deploy/rbd/helm/templates/attacher-statefulset.yaml +++ b/deploy/rbd/helm/templates/attacher-statefulset.yaml @@ -11,6 +11,11 @@ metadata: spec: serviceName: {{ include "ceph-csi-rbd.attacher.fullname" . }} replicas: {{ .Values.attacher.replicas }} + selector: + matchLabels: + app: {{ include "ceph-csi-rbd.name" . }} + component: {{ .Values.attacher.name }} + release: {{ .Release.Name }} template: metadata: labels: diff --git a/deploy/rbd/helm/templates/nodeplugin-daemonset.yaml b/deploy/rbd/helm/templates/nodeplugin-daemonset.yaml index 6cbc279da..8b163aeb6 100644 --- a/deploy/rbd/helm/templates/nodeplugin-daemonset.yaml +++ b/deploy/rbd/helm/templates/nodeplugin-daemonset.yaml @@ -65,7 +65,8 @@ spec: - "--endpoint=$(CSI_ENDPOINT)" - "--v=5" - "--drivername=csi-rbdplugin" - - "--containerized=true" + - "--containerized=true" + - "--metadatastorage=k8s_configmap" env: - name: HOST_ROOTFS value: "/rootfs" @@ -82,6 +83,9 @@ spec: - name: pods-mount-dir mountPath: /var/lib/kubelet/pods mountPropagation: "Bidirectional" + - name: plugin-mount-dir + mountPath: {{ .Values.volumeDevicesDir }} + mountPropagation: "Bidirectional" - mountPath: /dev name: host-dev - mountPath: /rootfs 
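Review bot: In `nodeplugin-daemonset.yaml`, the new `plugin-mount-dir` mount takes its path unquoted from `.Values.volumeDevicesDir` and propagates it `Bidirectional`; the later volumes hunk does the same for the matching `hostPath` and for `registration-dir` via `.Values.registrationDir`. Both keys are new in values.yaml, so an upgrade run with `--reuse-values` or an empty override renders `path:` with no value. Because these paths decide which host directories the plugin container can reach, I would fail the render instead: `mountPath: {{ required "volumeDevicesDir must be set" .Values.volumeDevicesDir | quote }}`, with the same treatment for the two `hostPath.path` lines. A one-line comment in values.yaml stating that `registrationDir` and `volumeDevicesDir` must match the kubelet's directories would also help.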
@@ -98,9 +102,13 @@ spec: hostPath: path: {{ .Values.socketDir }} type: DirectoryOrCreate + - name: plugin-mount-dir + hostPath: + path: {{ .Values.volumeDevicesDir }} + type: DirectoryOrCreate - name: registration-dir hostPath: - path: /var/lib/kubelet/plugins/ + path: {{ .Values.registrationDir }} type: Directory - name: pods-mount-dir hostPath: diff --git a/deploy/rbd/helm/templates/provisioner-clusterrole.yaml b/deploy/rbd/helm/templates/provisioner-clusterrole.yaml index 8e754967b..6b1cfdb70 100644 --- a/deploy/rbd/helm/templates/provisioner-clusterrole.yaml +++ b/deploy/rbd/helm/templates/provisioner-clusterrole.yaml @@ -25,4 +25,7 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "create", "update"] {{- end -}} diff --git a/deploy/rbd/helm/templates/provisioner-role.yaml b/deploy/rbd/helm/templates/provisioner-role.yaml new file mode 100644 index 000000000..0540ef55c --- /dev/null +++ b/deploy/rbd/helm/templates/provisioner-role.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create -}} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} + labels: + app: {{ include "ceph-csi-rbd.name" . }} + chart: {{ include "ceph-csi-rbd.chart" . }} + component: {{ .Values.provisioner.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "delete"] +{{- end -}} diff --git a/deploy/rbd/helm/templates/provisioner-rolebinding.yaml b/deploy/rbd/helm/templates/provisioner-rolebinding.yaml new file mode 100644 index 000000000..34f8356bb --- /dev/null +++ b/deploy/rbd/helm/templates/provisioner-rolebinding.yaml 
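Review bot: The rule added to `provisioner-clusterrole.yaml` grants `create` and `update` on `endpoints` in every namespace, which lets this service account rewrite the backends of any Service in the cluster. The hunk does not say what the verbs are for; if it is only the provisioner's leader-election lock, confirm which namespace that lock lives in and grant the verbs through a namespaced Role there instead of the ClusterRole. Either way, a comment above the rule such as `# endpoints: leader-election lock for csi-provisioner` would tell the next reviewer why the grant exists.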
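Review bot: The new `provisioner-role.yaml` gives configmap access only to the provisioner's service account, yet the DaemonSet hunk passes `--metadatastorage=k8s_configmap` to the node plugin as well, and no visible hunk gives the node plugin's account any configmap verbs. If the node plugin reads that metadata it will be denied at runtime; confirm, and if so add a separate read-only rule for it (`verbs: ["get", "list"]`) rather than widening this Role. The Role also only covers the release namespace, and nothing in the added container env tells the driver which namespace to write its configmaps to, so check that it does not fall back to a different one.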
@@ -0,0 +1,21 @@ +{{- if .Values.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} + labels: + app: {{ include "ceph-csi-rbd.name" . }} + chart: {{ include "ceph-csi-rbd.chart" . }} + component: {{ .Values.provisioner.name }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +subjects: + - kind: ServiceAccount + name: {{ include "ceph-csi-rbd.serviceAccountName.provisioner" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "ceph-csi-rbd.provisioner.fullname" . }} + apiGroup: rbac.authorization.k8s.io + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/deploy/rbd/helm/templates/provisioner-statefulset.yaml b/deploy/rbd/helm/templates/provisioner-statefulset.yaml index f5809b760..ec9c94bc3 100644 --- a/deploy/rbd/helm/templates/provisioner-statefulset.yaml +++ b/deploy/rbd/helm/templates/provisioner-statefulset.yaml @@ -11,6 +11,11 @@ metadata: spec: serviceName: {{ include "ceph-csi-rbd.provisioner.fullname" . }} replicas: {{ .Values.provisioner.replicas }} + selector: + matchLabels: + app: {{ include "ceph-csi-rbd.name" . }} + component: {{ .Values.provisioner.name }} + release: {{ .Release.Name }} template: metadata: labels: @@ -25,7 +30,6 @@ spec: - name: csi-provisioner image: "{{ .Values.provisioner.image.repository }}:{{ .Values.provisioner.image.tag }}" args: - - "--provisioner=csi-rbdplugin" - "--csi-address=$(ADDRESS)" - "--v=5" env: 
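Review bot: `roleRef` in the new `provisioner-rolebinding.yaml` carries a `namespace:` key, but an RBAC v1 `roleRef` has only `apiGroup`, `kind` and `name`; a RoleBinding always refers to a Role in its own namespace. Depending on how strictly the manifest is validated, the extra field is either dropped silently or the object is rejected. Delete the `namespace: {{ .Release.Namespace }}` line under `roleRef`; the one under `subjects` is correct and should stay.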
@@ -37,11 +41,44 @@ spec: mountPath: {{ .Values.socketDir }} resources: {{ toYaml .Values.provisioner.resources | indent 12 }} + - name: csi-rbdplugin + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: "{{ .Values.nodeplugin.plugin.image.repository }}:{{ .Values.nodeplugin.plugin.image.tag }}" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + - "--v=5" + - "--drivername=csi-rbdplugin" + - "--containerized=true" + - "--metadatastorage=k8s_configmap" + env: + - name: HOST_ROOTFS + value: "/rootfs" + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: "unix:/{{ .Values.socketDir }}/{{ .Values.socketFile }}" + imagePullPolicy: {{ .Values.nodeplugin.plugin.image.imagePullPolicy }} + volumeMounts: + - name: socket-dir + mountPath: {{ .Values.socketDir }} + - name: host-rootfs + mountPath: "/rootfs" + resources: +{{ toYaml .Values.nodeplugin.plugin.resources | indent 12 }} volumes: - name: socket-dir + emptyDir: {} +#FIXME this seems way too much. Why is it needed at all for this? + - name: host-rootfs hostPath: - path: {{ .Values.socketDir }} - type: DirectoryOrCreate + path: / {{- if .Values.provisioner.affinity -}} affinity: {{ toYaml .Values.provisioner.affinity . | indent 8 }} diff --git a/deploy/rbd/helm/values.yaml b/deploy/rbd/helm/values.yaml index 03e4a7b68..fab0fb8d3 100644 --- a/deploy/rbd/helm/values.yaml +++ b/deploy/rbd/helm/values.yaml @@ -12,8 +12,10 @@ serviceAccounts: create: true name: -socketDir: /var/lib/kubelet/plugins/csi-rbdplugin +socketDir: /var/lib/kubelet/plugins_registry/csi-rbdplugin socketFile: csi.sock +registrationDir: /var/lib/kubelet/plugins_registry +volumeDevicesDir: /var/lib/kubelet/plugins/kubernetes.io/csi/volumeDevices attacher: name: attacher @@ -22,7 +24,7 @@ attacher: image: repository: quay.io/k8scsi/csi-attacher - tag: v0.3.0 + tag: v1.0.0 pullPolicy: IfNotPresent resources: {} 
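Review bot: The `csi-rbdplugin` container added to the provisioner StatefulSet is `privileged: true` and mounts the node's `/` at `/rootfs` with no `readOnly`, so a compromise of the driver process is a compromise of the node; the commit's own FIXME above `host-rootfs` already asks why it is needed. If the controller side needs host access only because of `--containerized=true` (nothing else in the hunk uses it), drop that flag together with `HOST_ROOTFS` and the `host-rootfs` volume; failing that, add `readOnly: true` to the mount and verify the driver still works. Under `privileged: true`, the lines `capabilities.add: ["SYS_ADMIN"]` and `allowPrivilegeEscalation: true` add nothing and can be removed. Separately, `imagePullPolicy` reads `.Values.nodeplugin.plugin.image.imagePullPolicy` while the values.yaml hunks define `pullPolicy`, so it renders empty; use `{{ .Values.nodeplugin.plugin.image.pullPolicy }}`. The container list and the `volumes:` block both begin outside this hunk.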
@@ -39,7 +41,7 @@ nodeplugin: registrar: image: repository: quay.io/k8scsi/driver-registrar - tag: v0.3.0 + tag: canary pullPolicy: IfNotPresent resources: {} @@ -47,7 +49,7 @@ nodeplugin: plugin: image: repository: quay.io/cephcsi/rbdplugin - tag: v0.3.0 + tag: v1.0.0 pullPolicy: IfNotPresent resources: {} @@ -65,7 +67,7 @@ provisioner: image: repository: quay.io/k8scsi/csi-provisioner - tag: v0.3.0 + tag: canary pullPolicy: IfNotPresent resources: {}
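Review bot: The registrar image moves from a fixed `v0.3.0` to the floating tag `canary`, and the last values.yaml hunk does the same for `csi-provisioner`. A floating tag means the chart no longer identifies what runs: with `pullPolicy: IfNotPresent`, each node keeps whichever build it pulled first, and a later push to the tag changes new pods without any chart change. Both sidecars run next to a privileged driver container, so I would pin them to a released tag or an image digest, e.g. `tag: <release-tag>` (placeholder, to be filled with the version actually tested). If no release exists yet, say so in a comment next to each `tag:` line.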