1
0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-01-09 21:39:29 +00:00
ceph-csi/charts/ceph-csi-rbd
Rakshith R 4f0bb2315b rbd: add aws-sts-metdata encryption type
With Amazon STS and kubernetes cluster is configured with
OIDC identity provider, credentials to access Amazon KMS
can be fetched using oidc-token(serviceaccount token).
Each tenant/namespace needs to create a secret with aws region,
role and CMK ARN.
Ceph-CSI will assume the given role with oidc token and access
aws KMS, with given CMK to encrypt/decrypt DEK which will stored
in the image metdata.

Refer: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html
Resolves: 

Signed-off-by: Rakshith R <rar@redhat.com>
2022-03-16 07:29:56 +00:00
..
templates rbd: add aws-sts-metdata encryption type 2022-03-16 07:29:56 +00:00
.helmignore refactor: Merge 1.13 and 1.14 Helm charts and improve charts 2019-09-27 05:49:18 +00:00
Chart.yaml helm: use "version: 3-canary" for helm charts on "devel" 2021-11-24 04:32:15 +00:00
README.md helm: make ceph.conf ConfigMap name configurable 2022-02-21 07:25:22 +00:00
values.yaml doc: remove mention of image feature dependency 2022-03-02 09:08:33 +00:00

ceph-csi-rbd

The ceph-csi-rbd chart adds rbd volume support to your cluster.

Install from release repo

Add chart repository to install helm charts from it

helm repo add ceph-csi https://ceph.github.io/csi-charts

Install from local Chart

we need to enter into the directory where all charts are present

cd charts

Note: charts directory is present in root of the ceph-csi project

Install chart

To install the Chart into your Kubernetes cluster

  • For helm 2.x

    helm install --namespace "ceph-csi-rbd" --name "ceph-csi-rbd" ceph-csi/ceph-csi-rbd
    
  • For helm 3.x

    Create the namespace where Helm should install the components with

    kubectl create namespace "ceph-csi-rbd"
    

    Run the installation

    helm install --namespace "ceph-csi-rbd" "ceph-csi-rbd" ceph-csi/ceph-csi-rbd
    

After installation succeeds, you can get a status of Chart

helm status "ceph-csi-rbd"

Delete Chart

If you want to delete your Chart, use this command

  • For helm 2.x

    helm delete --purge "ceph-csi-rbd"
    
  • For helm 3.x

    helm uninstall "ceph-csi-rbd" --namespace "ceph-csi-rbd"
    

If you want to delete the namespace, use this command

kubectl delete namespace ceph-csi-rbd

Configuration

The following table lists the configurable parameters of the ceph-csi-cephfs charts and their default values.

Parameter Description Default
rbac.create Specifies whether RBAC resources should be created true
serviceAccounts.nodeplugin.create Specifies whether a nodeplugin ServiceAccount should be created true
serviceAccounts.nodeplugin.name The name of the nodeplugin ServiceAccount to use. If not set and create is true, a name is generated using the fullname ""
serviceAccounts.provisioner.create Specifies whether a provisioner ServiceAccount should be created true
serviceAccounts.provisioner.name The name of the provisioner ServiceAccount to use. If not set and create is true, a name is generated using the fullname ""
csiConfig Configuration for the CSI to connect to the cluster []
csiMapping Configuration details of clusterID,PoolID,FscID mapping []
encryptionKMSConfig Configuration for the encryption KMS {}
logLevel Set logging level for csi containers. Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity. 5
nodeplugin.name Specifies the nodeplugins name nodeplugin
nodeplugin.updateStrategy Specifies the update Strategy. If you are using ceph-fuse client set this value to OnDelete RollingUpdate
nodeplugin.priorityClassName Set user created priorityclassName for csi plugin pods. default is system-node-critical which is highest priority system-node-critical
nodeplugin.profiling.enabled Specifies whether profiling should be enabled false
nodeplugin.registrar.image.repository Node Registrar image repository URL k8s.gcr.io/sig-storage/csi-node-driver-registrar
nodeplugin.registrar.image.tag Image tag v2.2.0
nodeplugin.registrar.image.pullPolicy Image pull policy IfNotPresent
nodeplugin.plugin.image.repository Nodeplugin image repository URL quay.io/cephcsi/cephcsi
nodeplugin.plugin.image.tag Image tag canary
nodeplugin.plugin.image.pullPolicy Image pull policy IfNotPresent
nodeplugin.nodeSelector Kubernetes nodeSelector to add to the Daemonset {}
nodeplugin.tolerations List of Kubernetes tolerations to add to the Daemonset {}
nodeplugin.podSecurityPolicy.enabled If true, create & use Pod Security Policy resources. false
provisioner.name Specifies the name of provisioner provisioner
provisioner.replicaCount Specifies the replicaCount 3
provisioner.defaultFSType Specifies the default Fstype ext4
provisioner.deployController It enables or disables the deployment of controller which generates the OMAP data if it is not present true
provisioner.hardMaxCloneDepth Hard limit for maximum number of nested volume clones that are taken before a flatten occurs 8
provisioner.softMaxCloneDepth Soft limit for maximum number of nested volume clones that are taken before a flatten occurs 4
provisioner.maxSnapshotsOnImage Maximum number of snapshots allowed on rbd image without flattening 450
provisioner.minSnapshotsOnImage Minimum number of snapshots allowed on rbd image to trigger flattening 250
provisioner.skipForceFlatten Skip image flattening if kernel support mapping of rbd images which has the deep-flatten feature false
provisioner.timeout GRPC timeout for waiting for creation or deletion of a volume 60s
provisioner.priorityClassName Set user created priorityclassName for csi provisioner pods. Default is system-cluster-critical which is less priority than system-node-critical system-cluster-critical
provisioner.profiling.enabled Specifies whether profiling should be enabled false
provisioner.provisioner.image.repository Specifies the csi-provisioner image repository URL k8s.gcr.io/sig-storage/csi-provisioner
provisioner.provisioner.image.tag Specifies image tag v2.2.2
provisioner.provisioner.image.pullPolicy Specifies pull policy IfNotPresent
provisioner.attacher.image.repository Specifies the csi-attacher image repository URL k8s.gcr.io/sig-storage/csi-attacher
provisioner.attacher.image.tag Specifies image tag v3.2.1
provisioner.attacher.image.pullPolicy Specifies pull policy IfNotPresent
provisioner.attacher.name Specifies the name of csi-attacher sidecar attacher
provisioner.attacher.enabled Specifies whether attacher sidecar is enabled true
provisioner.resizer.image.repository Specifies the csi-resizer image repository URL k8s.gcr.io/sig-storage/csi-resizer
provisioner.resizer.image.tag Specifies image tag v1.2.0
provisioner.resizer.image.pullPolicy Specifies pull policy IfNotPresent
provisioner.resizer.name Specifies the name of csi-resizer sidecar resizer
provisioner.resizer.enabled Specifies whether resizer sidecar is enabled true
provisioner.snapshotter.image.repository Specifies the csi-snapshotter image repository URL k8s.gcr.io/sig-storage/csi-snapshotter
provisioner.snapshotter.image.tag Specifies image tag v4.1.1
provisioner.snapshotter.image.pullPolicy Specifies pull policy IfNotPresent
provisioner.nodeSelector Specifies the node selector for provisioner deployment {}
provisioner.tolerations Specifies the tolerations for provisioner deployment {}
provisioner.affinity Specifies the affinity for provisioner deployment {}
provisioner.podSecurityPolicy.enabled Specifies whether podSecurityPolicy is enabled false
topology.enabled Specifies whether topology based provisioning support should be exposed by CSI false
topology.domainLabels DomainLabels define which node labels to use as domains for CSI nodeplugins to advertise their domains {}
provisionerSocketFile The filename of the provisioner socket csi-provisioner.sock
pluginSocketFile The filename of the plugin socket csi.sock
kubeletDir kubelet working directory /var/lib/kubelet
cephLogDirHostPath Host path location for ceph client processes logging, ex: rbd-nbd /var/log/ceph
driverName Name of the csi-driver rbd.csi.ceph.com
configMapName Name of the configmap which contains cluster configuration ceph-csi-config
externallyManagedConfigmap Specifies the use of an externally provided configmap false
cephConfConfigMapName Name of the configmap which contains ceph.conf configuration ceph-config
kmsConfigMapName Name of the configmap used for encryption kms configuration ceph-csi-encryption-kms-config
storageClass.create Specifies whether the StorageClass should be created false
storageClass.name Specifies the rbd StorageClass name csi-rbd-sc
storageClass.annotations Specifies the annotations for the rbd StorageClass []
storageClass.clusterID String representing a Ceph cluster to provision storage from <cluster-ID>
storageClass.dataPool Specifies the erasure coded pool ""
storageClass.pool Ceph pool into which the RBD image shall be created replicapool
storageclass.imageFeatures Specifies RBD image features layering
storageclass.tryOtherMounters Specifies whether to try other mounters in case if the current mounter fails to mount the rbd image for any reason false
storageClass.mounter Specifies RBD mounter ""
storageClass.cephLogDir ceph client log location, it is the target bindmount path used inside container "/var/log/ceph"
storageClass.cephLogStrategy ceph client log strategy, available options remove or compress or preserve "remove"
storageClass.volumeNamePrefix Prefix to use for naming RBD images ""
storageClass.encrypted Specifies whether volume should be encrypted. Set it to true if you want to enable encryption ""
storageClass.encryptionKMSID Specifies the encryption kms id ""
storageClass.topologyConstrainedPools Add topology constrained pools configuration, if topology based pools are setup, and topology constrained provisioning is required []
storageClass.mapOptions Specifies comma-separated list of map options ""
storageClass.unmapOtpions Specifies comma-separated list of unmap options ""
storageClass.provisionerSecret The secrets have to contain user and/or Ceph admin credentials. csi-rbd-secret
storageClass.provisionerSecretNamespace Specifies the provisioner secret namespace ""
storageClass.controllerExpandSecret Specifies the controller expand secret name csi-rbd-secret
storageClass.controllerExpandSecretNamespace Specifies the controller expand secret namespace ""
storageClass.nodeStageSecret Specifies the node stage secret name csi-rbd-secret
storageClass.nodeStageSecretNamespace Specifies the node stage secret namespace ""
storageClass.fstype Specify the filesystem type of the volume ext4
storageClass.reclaimPolicy Specifies the reclaim policy of the StorageClass Delete
storageClass.allowVolumeExpansion Specifies whether volume expansion should be allowed true
storageClass.mountOptions Specifies the mount options for storageClass []
secret.create Specifies whether the secret should be created false
secret.name Specifies the rbd secret name csi-rbd-secret
secret.userID Specifies the user ID of the rbd secret <plaintext ID>
secret.userKey Specifies the key that corresponds to the userID <Ceph auth key corresponding to ID above>
secret.encryptionPassphrase Specifies the encryption passphrase of the secret test_passphrase
selinuxMount Mount the host /etc/selinux inside pods to support selinux-enabled filesystems true

Command Line

You can pass the settings with helm command line parameters. Specify each parameter using the --set key=value argument to helm install. For Example:

helm install --set configMapName=ceph-csi-config --set provisioner.podSecurityPolicy.enabled=true