mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-09-19 23:19:52 +00:00
b3fbcb9c95
if the kms encryption configmap is not mounted as a volume to the CSI pods, add the code to read the configuration from the kubernetes. Later the code to fetch the configmap will be moved to the new sidecar which is will talk to respective CO to fetch the encryption configurations. The k8s configmap uses the standard vault spefic names to add the configurations. this will be converted back to the CSI configurations. Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
182 lines
5.7 KiB
YAML
182 lines
5.7 KiB
YAML
---
|
|
kind: DaemonSet
|
|
apiVersion: apps/v1
|
|
metadata:
|
|
name: csi-rbdplugin
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: csi-rbdplugin
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: csi-rbdplugin
|
|
spec:
|
|
serviceAccount: rbd-csi-nodeplugin
|
|
hostNetwork: true
|
|
hostPID: true
|
|
# to use e.g. Rook orchestrated cluster, and mons' FQDN is
|
|
# resolved through k8s service, set dns policy to cluster first
|
|
dnsPolicy: ClusterFirstWithHostNet
|
|
containers:
|
|
- name: driver-registrar
|
|
# This is necessary only for systems with SELinux, where
|
|
# non-privileged sidecar containers cannot access unix domain socket
|
|
# created by privileged CSI driver container.
|
|
securityContext:
|
|
privileged: true
|
|
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1
|
|
args:
|
|
- "--v=5"
|
|
- "--csi-address=/csi/csi.sock"
|
|
- "--kubelet-registration-path=/var/lib/kubelet/plugins/rbd.csi.ceph.com/csi.sock"
|
|
env:
|
|
- name: KUBE_NODE_NAME
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- name: registration-dir
|
|
mountPath: /registration
|
|
- name: csi-rbdplugin
|
|
securityContext:
|
|
privileged: true
|
|
capabilities:
|
|
add: ["SYS_ADMIN"]
|
|
allowPrivilegeEscalation: true
|
|
# for stable functionality replace canary with latest release version
|
|
image: quay.io/cephcsi/cephcsi:canary
|
|
args:
|
|
- "--nodeid=$(NODE_ID)"
|
|
- "--type=rbd"
|
|
- "--nodeserver=true"
|
|
- "--endpoint=$(CSI_ENDPOINT)"
|
|
- "--v=5"
|
|
- "--drivername=rbd.csi.ceph.com"
|
|
# If topology based provisioning is desired, configure required
|
|
# node labels representing the nodes topology domain
|
|
# and pass the label names below, for CSI to consume and advertise
|
|
# its equivalent topology domain
|
|
# - "--domainlabels=failure-domain/region,failure-domain/zone"
|
|
env:
|
|
- name: POD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
- name: NODE_ID
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: spec.nodeName
|
|
# - name: POD_NAMESPACE
|
|
# valueFrom:
|
|
# fieldRef:
|
|
# fieldPath: spec.namespace
|
|
# - name: KMS_CONFIGMAP_NAME
|
|
# value: encryptionConfig
|
|
- name: CSI_ENDPOINT
|
|
value: unix:///csi/csi.sock
|
|
imagePullPolicy: "IfNotPresent"
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
- mountPath: /dev
|
|
name: host-dev
|
|
- mountPath: /sys
|
|
name: host-sys
|
|
- mountPath: /run/mount
|
|
name: host-mount
|
|
- mountPath: /lib/modules
|
|
name: lib-modules
|
|
readOnly: true
|
|
- name: ceph-csi-config
|
|
mountPath: /etc/ceph-csi-config/
|
|
- name: ceph-csi-encryption-kms-config
|
|
mountPath: /etc/ceph-csi-encryption-kms-config/
|
|
- name: plugin-dir
|
|
mountPath: /var/lib/kubelet/plugins
|
|
mountPropagation: "Bidirectional"
|
|
- name: mountpoint-dir
|
|
mountPath: /var/lib/kubelet/pods
|
|
mountPropagation: "Bidirectional"
|
|
- name: keys-tmp-dir
|
|
mountPath: /tmp/csi/keys
|
|
- name: liveness-prometheus
|
|
securityContext:
|
|
privileged: true
|
|
image: quay.io/cephcsi/cephcsi:canary
|
|
args:
|
|
- "--type=liveness"
|
|
- "--endpoint=$(CSI_ENDPOINT)"
|
|
- "--metricsport=8680"
|
|
- "--metricspath=/metrics"
|
|
- "--polltime=60s"
|
|
- "--timeout=3s"
|
|
env:
|
|
- name: CSI_ENDPOINT
|
|
value: unix:///csi/csi.sock
|
|
- name: POD_IP
|
|
valueFrom:
|
|
fieldRef:
|
|
fieldPath: status.podIP
|
|
volumeMounts:
|
|
- name: socket-dir
|
|
mountPath: /csi
|
|
imagePullPolicy: "IfNotPresent"
|
|
volumes:
|
|
- name: socket-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins/rbd.csi.ceph.com
|
|
type: DirectoryOrCreate
|
|
- name: plugin-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins
|
|
type: Directory
|
|
- name: mountpoint-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/pods
|
|
type: DirectoryOrCreate
|
|
- name: registration-dir
|
|
hostPath:
|
|
path: /var/lib/kubelet/plugins_registry/
|
|
type: Directory
|
|
- name: host-dev
|
|
hostPath:
|
|
path: /dev
|
|
- name: host-sys
|
|
hostPath:
|
|
path: /sys
|
|
- name: host-mount
|
|
hostPath:
|
|
path: /run/mount
|
|
- name: lib-modules
|
|
hostPath:
|
|
path: /lib/modules
|
|
- name: ceph-csi-config
|
|
configMap:
|
|
name: ceph-csi-config
|
|
- name: ceph-csi-encryption-kms-config
|
|
configMap:
|
|
name: ceph-csi-encryption-kms-config
|
|
- name: keys-tmp-dir
|
|
emptyDir: {
|
|
medium: "Memory"
|
|
}
|
|
---
|
|
# This is a service to expose the liveness metrics
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: csi-metrics-rbdplugin
|
|
labels:
|
|
app: csi-metrics
|
|
spec:
|
|
ports:
|
|
- name: http-metrics
|
|
port: 8080
|
|
protocol: TCP
|
|
targetPort: 8680
|
|
selector:
|
|
app: csi-rbdplugin
|