diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index ea84f178..c1172db3 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -12,7 +12,10 @@ # Alexander Hoppe (hoppea2) # Alik Saring (alikdell) # Aaron Tye (atye) +# Chaganti Rajitha (chaganti-rajitha) # Florian Coulombel (coulof) +# Meghana G M (meggm) +# Niranjan N (niranjan-n1) # Shayna Finocchiaro (shaynafinocchiaro) # Sharmila Ramamoorthy (sharmilarama) # Tao He (taohe1012) @@ -22,4 +25,4 @@ # Forrest Xia (forrestxia) # for all files: -* @gallacher @tdawe @alikdell @atye @hoppea2 @coulof @shaynafinocchiaro @sharmilarama @taohe1012 @P-Cao @baoy1 @YianZong @forrestxia +* @gallacher @tdawe @alikdell @atye @hoppea2 @chaganti-rajitha @coulof @meggm @niranjan-n1 @shaynafinocchiaro @sharmilarama @taohe1012 @P-Cao @baoy1 @YianZong @forrestxia \ No newline at end of file diff --git a/.github/workflows/helm-validations.yml b/.github/workflows/helm-validations.yml index 9e9fea33..f06c35a9 100644 --- a/.github/workflows/helm-validations.yml +++ b/.github/workflows/helm-validations.yml @@ -8,6 +8,7 @@ on: - main - karavi-observability-release - csm-authorization-release + - release-v1.7.0 jobs: # This job will check to see if any .yaml file is modified diff --git a/charts/container-storage-modules/templates/_helpers.tpl b/charts/container-storage-modules/templates/_helpers.tpl index 000bd372..629c0b30 100644 --- a/charts/container-storage-modules/templates/_helpers.tpl +++ b/charts/container-storage-modules/templates/_helpers.tpl 
@@ -1,9 +1,9 @@
-{{/*
-Namespace for all resources to be installed into
-If not defined in values file then the helm release namespace is used
-By default this is not set so the helm release namespace will be used
-*/}}
-
-{{- define "custom.namespace" -}}
- {{ .Values.namespace | default .Release.Namespace }}
+{{/*
+Namespace for all resources to be installed into
+If not defined in values file then the helm release namespace is used
+By default this is not set so the helm release namespace will be used
+*/}}
+
+{{- define "custom.namespace" -}}
+ {{ .Values.namespace | default .Release.Namespace }}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/csi-isilon/Chart.yaml b/charts/csi-isilon/Chart.yaml
new file mode 100644
index 00000000..7ec43fe1
--- /dev/null
+++ b/charts/csi-isilon/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+name: csi-isilon
+version: 2.7.0
+appVersion: "2.7.0"
+kubeVersion: ">= 1.21.0 < 1.28.0"
+#If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead
+#WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED
+#kubeVersion: ">= 1.21.0-0 < 1.28.0-0"
+description: |
+ PowerScale CSI (Container Storage Interface) driver Kubernetes
+ integration. This chart includes everything required to provision via CSI as
+ well as an Isilon StorageClass.
+type: application
+keywords:
+- csi
+- storage
+maintainers:
+- name: DellEMC
+sources:
+- https://github.com/dell/csi-isilon
diff --git a/charts/csi-isilon/templates/_helpers.tpl b/charts/csi-isilon/templates/_helpers.tpl
new file mode 100644
index 00000000..02b2867e
--- /dev/null
+++ b/charts/csi-isilon/templates/_helpers.tpl
@@ -0,0 +1,61 @@ +{{/* +Return the appropriate sidecar images based on k8s version +*/}} +{{- define "csi-isilon.attacherImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-isilon.provisionerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-isilon.snapshotterImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-isilon.resizerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-isilon.registrarImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-isilon.healthmonitorImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Return true if storage capacity tracking is enabled and is supported based on k8s version +*/}} +{{- define "csi-isilon.isStorageCapacitySupported" -}} +{{- if eq .Values.storageCapacity.enabled true -}} + {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} + {{- true -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/csi-isilon/templates/controller.yaml b/charts/csi-isilon/templates/controller.yaml new file mode 100644 index 00000000..26479f3b --- /dev/null +++ b/charts/csi-isilon/templates/controller.yaml 
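Review bot: The Kubernetes minor version is compared as a string in every helper of this new file (`ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21"`), so the ordering is lexical rather than numeric; in `csi-isilon.isStorageCapacitySupported`, which has no upper bound, a single-digit minor such as "9" sorts above "24". Comparing with `semverCompare ">= 1.24-0" .Capabilities.KubeVersion.Version`, or converting the minor with `int` before `ge`/`le`, removes that dependence on two-digit minors. Outside the 21–27 window the image helpers return an empty string, which the templates that wrap them in `required` would report as "Must provide the … container image" rather than as an unsupported cluster version, so an explicit `fail` naming the detected version would be clearer. The sidecar images are also pinned by tag only; appending the `@sha256:` digest to each reference would keep the deployed image fixed even if a tag is re-pushed upstream.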
@@ -0,0 +1,604 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "patch"] + {{- else }} + verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["pods"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "delete"] + {{- else }} + verbs: ["get", "list", "watch"] + {{- end }} + {{- end }} + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + verbs: ["get", "list", "watch", "update", "patch", "delete"] + {{- else }} + verbs: ["get", "list", "watch", "update", "patch"] + {{- end }} + {{- end }} + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: ["csi.storage.k8s.io"] + resources: ["csinodeinfos"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch", "update"] +# below for snapshotter + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - 
apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] + # below for resizer + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + # below for dell-csi-replicator + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + {{- end}} + {{- end}} + {{- if eq (include "csi-isilon.isStorageCapacitySupported" .) 
"true" }} + - apiGroups: ["storage.k8s.io"] + resources: ["csistoragecapacities"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get"] + - apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["get"] + {{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-controller + apiGroup: rbac.authorization.k8s.io +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-controller + {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}} + {{- fail "value for .Values.controller.controllerCount should be atleast 1" }} + {{- else }} + replicas: {{ required "Must provide the number of controller instances to create." 
.Values.controller.controllerCount }} + {{- end }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + app: {{ .Release.Name }}-controller + spec: + serviceAccount: {{ .Release.Name }}-controller + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - {{ .Release.Name }}-controller + topologyKey: kubernetes.io/hostname + {{ if .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml .Values.controller.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.controller.tolerations }} + tolerations: + {{- toYaml .Values.controller.tolerations | nindent 8 }} + {{ end }} + containers: + {{- $encModes := list false }} + {{- if eq .Values.encryption.enabled true }} + {{- $encModes = list false true }} + {{- end }} +{{- range $encrypted := $encModes }} +{{- with $ }} + {{- $driverSock := "csi.sock" }} + {{- $csiSidecarSuffix := "" }} + {{- if $encrypted }} + {{- $driverSock = "csi-sec.sock" }} + {{- $csiSidecarSuffix = "-sec" }} + {{- end }} + {{- $driverSockPath := printf "/var/run/csi/%s" $driverSock }} + {{- if not $encrypted }} + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + image: {{ required "Must provide the podmon container image." 
.Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.controller.args | nindent 12 }} + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: dell-csi-replicator + image: {{ required "Must provide the Dell CSI Replicator image." .Values.controller.replication.image}} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" + - "--prefix={{ .Values.controller.replication.replicationPrefix}}" + env: + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /csi-isilon-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "resizer" }} + {{- if eq .Values.controller.resizer.enabled true }} + - name: resizer{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI resizer container image." ( include "csi-isilon.resizerImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election" + - "--timeout=120s" + - "--v=5" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{ end }} + {{ end }} + - name: csi-metadata-retriever {{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI metadata retriever container image." 
.Values.controller.metadataretriever.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--leader-election" + - "--timeout=120s" + - "--v=5" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + command: [ "/csi-metadata-retriever" ] + env: + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: attacher{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI attacher container image." ( include "csi-isilon.attacherImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--v=5" + - "--leader-election" + - "--timeout=180s" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if not $encrypted }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: external-health-monitor-controller + image: {{ required "Must provide the CSI external-health-monitor-controller container image." ( include "csi-isilon.healthmonitorImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--v=5" + - "--leader-election" + - "--enable-node-watcher=true" + - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" + - "--timeout=180s" + - "--http-endpoint=:8080" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + {{- end }} + - name: provisioner{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI provisioner container image." ( include "csi-isilon.provisionerImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" + - "--volume-name-uuid-length=10" + - "--worker-threads=5" + - "--timeout=120s" + - "--v=5" + - "--feature-gates=Topology=true" + - "--leader-election" + - "--extra-create-metadata" + - "--enable-capacity={{ (include "csi-isilon.isStorageCapacitySupported" .) 
| default false }}" + - "--capacity-ownerref-level=2" + - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "snapshot" }} + {{- if eq .Values.controller.snapshot.enabled true }} + - name: snapshotter{{ $csiSidecarSuffix }} + #image: quay.io/k8scsi/csi-snapshotter:v1.0.0 + image: {{ required "Must provide the CSI snapshotter container image." ( include "csi-isilon.snapshotterImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address={{ $driverSockPath }}" + - "--timeout=120s" + - "--v=5" + - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}" + - "--leader-election" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{end}} + {{end}} + {{- if not $encrypted }} + - name: driver + image: {{ required "Must provide the Isilon driver image repository." 
.Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-isilon" ] + args: + - "--leader-election" + {{- if hasKey .Values.controller "leaderElection" }} + {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} + - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" + {{end}} + {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} + - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" + {{end}} + {{end}} + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + env: + - name: CSI_ENDPOINT + value: "{{ $driverSockPath }}" + - name: CSI_RETRIEVER_ENDPOINT + value: /var/run/csi/csi_retriever.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.skipCertificateValidation }}" + - name: X_CSI_ISI_AUTH_TYPE + value: "{{ .Values.isiAuthType }}" + - name: X_CSI_VERBOSE + value: "{{ .Values.verbose }}" + - name: X_CSI_ISI_PORT + value: "{{ .Values.endpointPort }}" + - name: X_CSI_ISI_AUTOPROBE + value: "{{ .Values.autoProbe }}" + - name: X_CSI_ISI_QUOTA_ENABLED + value: "{{ .Values.enableQuota }}" + - name: X_CSI_ISI_ACCESS_ZONE + value: {{ .Values.isiAccessZone }} + - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED + value: "{{ .Values.enableCustomTopology }}" + - name: X_CSI_ISI_PATH + value: {{ .Values.isiPath }} + - name: X_CSI_ISI_VOLUME_PATH_PERMISSIONS + value: "{{ .Values.isiVolumePathPermissions }}" + - name: X_CSI_ISI_IGNORE_UNRESOLVABLE_HOSTS + value: "{{ .Values.ignoreUnresolvableHosts }}" + - name: X_CSI_ISI_NO_PROBE_ON_START + value: "{{ 
.Values.noProbeOnStart }}" + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmonAPIPort }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.controller.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{ end }} + {{ end }} + {{ end }} + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: X_CSI_REPLICATION_CONTEXT_PREFIX + value: {{ .Values.controller.replication.replicationContextPrefix | default "powerscale"}} + - name: X_CSI_REPLICATION_PREFIX + value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true }} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{end}} + {{end}} + - name: X_CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: SSL_CERT_DIR + value: /certs + - name: X_CSI_ISI_CONFIG_PATH + value: /isilon-configs/config + - name: X_CSI_MAX_PATH_LIMIT + value: "{{ .Values.maxPathLen }}" + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: certs + mountPath: /certs + readOnly: true + - name: isilon-configs + mountPath: /isilon-configs + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- if not $encrypted }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the authorization sidecar container image." 
.Values.authorization.sidecarProxyImage }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powerscale + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: csi-isilon-config-params + mountPath: /etc/karavi-authorization + {{ end }} + {{ end }} + {{- end }} + {{- if $encrypted }} + - name: driver-sec + image: {{ .Values.encryption.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - --name={{ .Values.encryption.pluginName }} + - --nodeId=$(NODE_ID) + - "--endpoint=unix://var/run/csi/csi-sec.sock" + - "--targetEndpoint=unix://var/run/csi/csi.sock" + - --targetType=Isilon + - --controller + - --logLevel={{ .Values.encryption.logLevel }} + {{- range index .Values.encryption.extraArgs }} + - {{ . 
| quote }} + {{- end }} + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} +{{- end }} +{{- end }} + volumes: + - name: socket-dir + emptyDir: + - name: certs + projected: + sources: +{{- range $i, $e := until (int .Values.certSecretCount ) }} + - secret: + name: {{ print $.Release.Name "-certs-" $e }} + items: + - key: cert-{{ $e }} + path: cert-{{ $e }} +{{- end }} + - name: isilon-configs + secret: + secretName: {{ .Release.Name }}-creds + - name: csi-isilon-config-params + configMap: + name: {{ .Release.Name }}-config-params + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} diff --git a/charts/csi-isilon/templates/csidriver.yaml b/charts/csi-isilon/templates/csidriver.yaml new file mode 100644 index 00000000..dd8956ac --- /dev/null +++ b/charts/csi-isilon/templates/csidriver.yaml @@ -0,0 +1,12 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: csi-isilon.dellemc.com +spec: + attachRequired: true + podInfoOnMount: true + storageCapacity: {{ (include "csi-isilon.isStorageCapacitySupported" .) | default false }} + fsGroupPolicy: {{ .Values.fsGroupPolicy }} + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/charts/csi-isilon/templates/driver-config-params.yaml b/charts/csi-isilon/templates/driver-config-params.yaml new file mode 100644 index 00000000..98671fef --- /dev/null +++ b/charts/csi-isilon/templates/driver-config-params.yaml 
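Review bot: The guard around every `--leader-election-retry-period` argument tests the wrong key: `hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration"` is repeated where `"leaderElectionRetryPeriod"` is meant, in the resizer, metadata-retriever, attacher, health-monitor, provisioner, snapshotter and driver containers of controller.yaml. With only the lease duration set the flag renders with an empty value, and with only the retry period set it is silently dropped; the guard should read `{{- if hasKey .Values.controller.leaderElection "leaderElectionRetryPeriod" }}`. In the ClusterRole, the `nodes`, `pods` and `volumeattachments` rules end up with no `verbs` at all when `.Values.podmon` is absent, because both verb lists sit inside the `hasKey .Values "podmon"` block; an unconditional default list would keep the rules valid. The same role grants `get`/`list` on `secrets` cluster-wide, so if the snapshotter only reads secrets from known namespaces a namespaced Role and RoleBinding would be narrower. `- name: csi-metadata-retriever {{ $csiSidecarSuffix }}` also has a stray space before the suffix, which appears to give an invalid container name on the encrypted pass, where the suffix is `-sec`.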
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-config-params
+ namespace: {{ .Release.Namespace }}
+data:
+ driver-config-params.yaml: |
+ CSI_LOG_LEVEL: "{{ .Values.logLevel }}"
+ {{ if .Values.podmon.enabled }}
+ PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}"
+ PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}"
+ PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}"
+ PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}"
+ {{ end }}
diff --git a/charts/csi-isilon/templates/node.yaml b/charts/csi-isilon/templates/node.yaml
new file mode 100644
index 00000000..c08c2f92
--- /dev/null
+++ b/charts/csi-isilon/templates/node.yaml
@@ -0,0 +1,458 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["create", "delete", "get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["persistentvolumesclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [ "security.openshift.io" ] + resourceNames: [ "privileged" ] + resources: [ "securitycontextconstraints" ] + verbs: [ "use" ] + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "update", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + {{ end }} + {{ end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-node + apiGroup: rbac.authorization.k8s.io +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} + {{- if hasKey .Values "authorization" }} + {{- if eq 
.Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-node + template: + metadata: + labels: + app: {{ .Release.Name }}-node +{{- if .Values.podmon.enabled }} + driver.dellemc.com: dell-storage +{{- end }} + spec: + serviceAccount: {{ .Release.Name }}-node + {{ if .Values.node.nodeSelector }} + nodeSelector: + {{- toYaml .Values.node.nodeSelector | nindent 8 }} + {{ end }} + {{ if .Values.node.tolerations }} + tolerations: + {{- toYaml .Values.node.tolerations | nindent 8 }} + {{ end }} + hostNetwork: true + dnsPolicy: {{ .Values.node.dnsPolicy }} + containers: + {{- $encModes := list false }} + {{- if eq .Values.encryption.enabled true }} + {{- $encModes = list false true }} + {{- end }} +{{- range $encrypted := $encModes }} +{{- with $ }} + {{- $driverSock := "csi_sock" }} + {{- $csiSidecarSuffix := "" }} + {{- if $encrypted }} + {{- $driverSock = "csi_sec_sock" }} + {{- $csiSidecarSuffix = "-sec" }} + {{- end }} + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: podmon + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the podmon container image." 
.Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.node.args | nindent 12 }} + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: X_CSI_PRIVATE_MOUNT_DIR + value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: kubelet-pods + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon + mountPropagation: "Bidirectional" + - name: volumedevices-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: usr-bin + mountPath: /usr-bin + - name: var-run + mountPath: /var/run + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + {{- end }} + {{- if not $encrypted }} + - name: driver + command: ["/csi-isilon"] + args: + - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the Isilon driver image repository." 
.Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: CSI_ENDPOINT + value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}" + - name: X_CSI_MODE + value: node + - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.skipCertificateValidation }}" + - name: X_CSI_ISI_AUTH_TYPE + value: "{{ .Values.isiAuthType }}" + - name: X_CSI_ALLOWED_NETWORKS + value: "{{ .Values.allowedNetworks }}" + - name: X_CSI_VERBOSE + value: "{{ .Values.verbose }}" + - name: X_CSI_PRIVATE_MOUNT_DIR + value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" + - name: X_CSI_ISI_PORT + value: "{{ .Values.endpointPort }}" + - name: X_CSI_ISI_PATH + value: {{ .Values.isiPath }} + - name: X_CSI_ISI_NO_PROBE_ON_START + value: "{{ .Values.noProbeOnStart }}" + - name: X_CSI_ISI_AUTOPROBE + value: "{{ .Values.autoProbe }}" + - name: X_CSI_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: X_CSI_NODE_IP + valueFrom: + fieldRef: + fieldPath: status.hostIP + - name: SSL_CERT_DIR + value: /certs + - name: X_CSI_ISI_QUOTA_ENABLED + value: "{{ .Values.enableQuota }}" + - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED + value: "{{ .Values.enableCustomTopology }}" + - name: X_CSI_ISI_CONFIG_PATH + value: /isilon-configs/config + - name: X_CSI_MAX_VOLUMES_PER_NODE + value: "{{ .Values.maxIsilonVolumesPerNode }}" + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.node.healthMonitor.enabled }}" + - name: X_CSI_PODMON_ENABLED + value: "{{ .Values.podmon.enabled }}" + - name: X_CSI_PODMON_API_PORT + value: "{{ .Values.podmonAPIPort }}" + {{- if eq .Values.podmon.enabled true }} + {{- range $key, $value := .Values.podmon.node.args }} + {{- if contains "--arrayConnectivityPollRate" $value }} + - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE + value: "{{ (split "=" $value)._1 }}" + {{ end }} + {{ end }} + {{ end }} + - name: X_CSI_MAX_PATH_LIMIT + value: "{{ 
.Values.maxPathLen }}" + volumeMounts: + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon + {{- if eq .Values.encryption.enabled true }} + - name: staging-dir + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: Bidirectional + {{- else }} + - name: volumedevices-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + {{- end }} + - name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: certs + mountPath: /certs + readOnly: true + - name: isilon-configs + mountPath: /isilon-configs + - name: csi-isilon-config-params + mountPath: /csi-isilon-config-params + {{- end }} + - name: registrar{{ $csiSidecarSuffix }} + image: {{ required "Must provide the CSI node registrar container image." ( include "csi-isilon.registrarImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--v=5" + - "--csi-address=/csi/{{ $driverSock }}" + - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }} + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: registration-dir + mountPath: /registration + - name: driver-path + mountPath: /csi + {{- if not $encrypted }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + imagePullPolicy: {{ .Values.imagePullPolicy }} + image: {{ required "Must provide the authorization sidecar container image." 
.Values.authorization.sidecarProxyImage }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powerscale + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: csi-isilon-config-params + mountPath: /etc/karavi-authorization + {{ end }} + {{ end }} + {{- end }} + {{- if $encrypted }} + - name: driver-sec + image: {{ .Values.encryption.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: ["SYS_ADMIN"] + args: + - --name={{ .Values.encryption.pluginName }} + - --nodeId=$(NODE_ID) + - "--endpoint=unix://var/run/csi/csi_sec_sock" + - "--targetEndpoint=unix://var/run/csi/csi_sock" + - --targetType=Isilon + - --vaultClientConfig=/etc/dea/vault/client.json + - --logLevel={{ .Values.encryption.logLevel }} + - --licenseName=/etc/dea/license/license + {{- if .Values.encryption.livenessPort }} + - --livenessPort={{ .Values.encryption.livenessPort }} + {{- end}} + - --apiPort={{ .Values.encryption.apiPort }} + {{- range index .Values.encryption.extraArgs }} + - {{ . 
| quote }} + {{- end }} + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- if eq .Values.encryption.ocp true }} + - name: CORE_ID + value: "{{ required "encryption.ocpCoreID not set to core user uid:gid" .Values.encryption.ocpCoreID }}" + {{- end }} + volumeMounts: + - name: vault-config + mountPath: /etc/dea/vault + - name: driver-path + mountPath: /var/run/csi + - name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: Bidirectional + - name: staging-dir + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + mountPropagation: Bidirectional + - name: user-home + {{- if eq .Values.encryption.ocp true }} + mountPath: /corehome + {{- else }} + mountPath: /roothome + {{- end }} + - name: license-config + mountPath: /etc/dea/license + {{- if .Values.encryption.livenessPort }} + livenessProbe: + httpGet: + path: /liveprobe + port: {{ .Values.encryption.livenessPort }} + initialDelaySeconds: 1500 + periodSeconds: 1000 + timeoutSeconds: 3 + failureThreshold: 100 + {{- end }} + {{- end }} +{{- end }} +{{- end }} + volumes: + - name: registration-dir + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins_registry/ + type: DirectoryOrCreate + - name: driver-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon + type: DirectoryOrCreate + - name: volumedevices-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + type: DirectoryOrCreate + - name: pods-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/pods + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: certs + projected: + sources: +{{- range $i, $e := until (int .Values.certSecretCount ) }} + - secret: + name: {{ print $.Release.Name "-certs-" $e }} + items: + - key: cert-{{ $e }} + path: cert-{{ $e }} +{{- end }} + - name: isilon-configs + secret: + secretName: {{ .Release.Name }}-creds + - name: csi-isilon-config-params + configMap: + 
name: {{ .Release.Name }}-config-params + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} + {{- if hasKey .Values "podmon" }} + {{- if eq .Values.podmon.enabled true }} + - name: usr-bin + hostPath: + path: /usr/bin + type: Directory + - name: kubelet-pods + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - name: var-run + hostPath: + path: /var/run + type: Directory + {{ end }} + {{ end }} + {{- if eq .Values.encryption.enabled true }} + - name: vault-config + projected: + sources: + - secret: + name: vault-cert + - secret: + name: vault-auth + - configMap: + name: vault-client-conf + - name: staging-dir + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi + type: DirectoryOrCreate + - name: user-home + hostPath: + {{- if eq .Values.encryption.ocp true }} + path: /home/core + {{- else }} + path: /root + {{- end }} + type: Directory + - name: license-config + secret: + secretName: encryption-license + {{- end }} diff --git a/charts/csi-isilon/templates/sec-rolebinding.yaml b/charts/csi-isilon/templates/sec-rolebinding.yaml new file mode 100644 index 00000000..452ab697 --- /dev/null +++ b/charts/csi-isilon/templates/sec-rolebinding.yaml 
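Review bot: The second rule of the `{{ .Release.Name }}-node` ClusterRole names the resource `persistentvolumesclaims`, which is not a Kubernetes resource, so the rule grants nothing; if the node plugin needs PVC access the line should read `resources: ["persistentvolumeclaims"]`. The `storage.k8s.io` / `volumeattachments` rule is also listed twice with identical verbs, and one copy can be dropped. Since this service account is carried by a `privileged`, `hostNetwork` pod on every node, it is worth confirming while fixing the typo that the DaemonSet really needs `create`/`delete` on `persistentvolumes` and `update`/`patch` on `nodes`, and trimming any verb it does not use. A smaller inconsistency in the same file: the `kubelet-pods` volume hard-codes `path: /var/lib/kubelet/pods` while every other kubelet path uses `{{ .Values.kubeletConfigDir }}`.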
@@ -0,0 +1,42 @@
+{{- if eq .Values.encryption.enabled true }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: {{ .Release.Name }}-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ .Release.Name }}-manager-rolebinding
+ namespace: kube-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Release.Name }}-manager-role
+subjects:
+- kind: ServiceAccount
+# "system:serviceaccount:isilon:isilon-node"
+ name: {{ .Release.Name }}-node
+ namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+# "system:serviceaccount:isilon:isilon-controller"
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/charts/csi-isilon/templates/validation.yaml b/charts/csi-isilon/templates/validation.yaml
new file mode 100644
index 00000000..ddfe4f6c
--- /dev/null
+++ b/charts/csi-isilon/templates/validation.yaml
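Review bot: Binding `{{ .Release.Name }}-manager-role` through a ClusterRoleBinding gives both the node and the controller service accounts `get`/`list`/`watch` on `secrets` in every namespace, which makes a compromise of any node pod a cluster-wide secret read. The vault and license secrets visible in `node.yaml` are mounted as volumes rather than fetched through the API, so the need for this rule should be confirmed; if the encryption driver only reads secrets in its own namespace, moving the `secrets` rule into a namespaced `Role` bound with a `RoleBinding` in `{{ .Release.Namespace }}` would contain the exposure. Separately, `namespace: kube-system` on the ClusterRoleBinding has no effect because the object is cluster-scoped, and `creationTimestamp: null` is generator residue; both lines can be removed.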
@@ -0,0 +1,17 @@
+{{- if .Values.encryption.enabled }}
+{{- if .Values.authorization.enabled }}
+{{- fail "Encryption cannot be enabled in tandem with Authorization. Please adjust your values.yaml to disable one or the other" }}
+{{- end }}
+{{- if .Values.controller.replication.enabled }}
+{{- fail "Encryption cannot be enabled in tandem with Replication. Please adjust your values.yaml to disable one or the other" }}
+{{- end }}
+{{- if .Values.controller.healthMonitor.enabled }}
+{{- fail "Encryption cannot be enabled in tandem with Health Monitor. Please adjust your values.yaml to disable one or the other" }}
+{{- end }}
+{{- if .Values.podmon.enabled }}
+{{- fail "Encryption cannot be enabled in tandem with Pods Monitor. Please adjust your values.yaml to disable one or the other" }}
+{{- end }}
+{{- if ne (.Values.controller.controllerCount | toString | atoi ) 1 }}
+{{- fail "Encryption can only be enabled with controller.controllerCount 1" }}
+{{- end }}
+{{- end }}
diff --git a/charts/csi-isilon/values.yaml b/charts/csi-isilon/values.yaml
new file mode 100644
index 00000000..4245696c
--- /dev/null
+++ b/charts/csi-isilon/values.yaml
@@ -0,0 +1,455 @@ +## K8S/DRIVER ATTRIBUTES +######################## +# version: version of this values file +# Note: Do not change this value +version: "v2.7.0" + +# CSI driver log level +# Allowed values: "error", "warn"/"warning", "info", "debug" +# Default value: "debug" +logLevel: "debug" + +# certSecretCount: Represents number of certificate secrets, which user is going to create for +# ssl authentication. (isilon-cert-0..isilon-cert-n) +# Allowed values: n, where n > 0 +# Default value: None +certSecretCount: 1 + +# allowedNetworks: Custom networks for PowerScale export +# Specify list of networks which can be used for NFS I/O traffic; CIDR format should be used. +# Allowed values: list of one or more networks +# Default value: None +# Examples: [192.168.1.0/24, 192.168.100.0/22] +allowedNetworks: [] + +# maxIsilonVolumesPerNode: Specify default value for maximum number of volumes that controller can publish to the node. +# If value is zero CO SHALL decide how many volumes of this type can be published by the controller to the node. +# This limit is applicable to all the nodes in the cluster for which node label 'max-isilon-volumes-per-node' is not set. +# Allowed values: n, where n >= 0 +# Default value: 0 +maxIsilonVolumesPerNode: 0 + +# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container. +# Allowed values: +# Always: Always pull the image. +# IfNotPresent: Only pull the image if it does not already exist on the node. +# Never: Never pull the image. +# Default value: None +imagePullPolicy: IfNotPresent + +# verbose: Indicates what content of the OneFS REST API message should be logged in debug level logs +# Allowed Values: +# 0: log full content of the HTTP request and response +# 1: log without the HTTP response body +# 2: log only 1st line of the HTTP request and response +# Default value: 0 +verbose: 1 + +# Specify kubelet config dir path. +# Ensure that the config.yaml file is present at this path. 
+# Default value: None +kubeletConfigDir: /var/lib/kubelet + +# enableCustomTopology: Specify if custom topology label .dellemc.com/: +# has to be used for making connection to backend PowerScale Array. +# If enableCustomTopology is set to true, then do not specify allowedTopologies in storage class. +# Allowed values: +# true : enable custom topology +# false: disable custom topology +# Default value: false +enableCustomTopology: false + +# fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted. +# Allowed values: +# ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined +# and the volume's accessModes contains ReadWriteOnce. +# File: kubernetes may use fsGroup to change permissions and ownership of the volume +# to match user requested fsGroup in the pod's security policy regardless of fstype or access mode. +# None: volumes will be mounted with no modifications. +# Default value: ReadWriteOnceWithFSType +fsGroupPolicy: ReadWriteOnceWithFSType + +# podmonAPIPort: Defines the port to be used within the kubernetes cluster +# Allowed values: +# Any valid and free port. +# Default value: 8083 +podmonAPIPort: 8083 + +# maxPathLen: this parameter is used for setting the maximum Path length for the given volume. +# Default value: 192 +# Examples: 192, 256 +maxPathLen: 192 + +# controller: configure controller pod specific parameters +controller: + # controllerCount: defines the number of csi-powerscale controller pods to deploy to + # the Kubernetes release. 
+ # Allowed values: n, where n > 0 + # Default value: None + controllerCount: 2 + + # volumeNamePrefix: Prefix of PersistentVolume names created + # Allowed values: string + # Default value: None + volumeNamePrefix: k8s + + # leaderElection: configure leader election parameters + leaderElection: + # Duration, that non-leader candidates will wait to force acquire leadership + # Allowed values: Duration, in seconds. Must be greater than leaderElectionRenewDeadline + # Default value: 15s + leaderElectionLeaseDuration: 15s + + # Duration, that the acting leader will retry refreshing leadership before giving up + # Allowed values: Duration, in seconds. Must be greater than leaderElectionRetryPeriod + # Default value: 10s + leaderElectionRenewDeadline: 10s + + # Duration, the LeaderElector clients should wait between tries of actions. + # Allowed values: Duration, in seconds + # Default value: 5s + leaderElectionRetryPeriod: 5s + + # Image for csi-metadata-retriever + metadataretriever: + image: dellemc/csi-metadata-retriever:v1.4.0 + + # replication: allows to configure replication + # Replication CRDs must be installed before installing driver + replication: + # enabled: Enable/Disable replication feature + # Allowed values: + # true: enable replication feature(install dell-csi-replicator sidecar) + # false: disable replication feature(do not install dell-csi-replicator sidecar) + # Default value: false + enabled: false + + # image: Image to use for dell-csi-replicator. 
This shouldn't be changed + # Allowed values: string + # Default value: None + image: dellemc/dell-csi-replicator:v1.5.0 + + # replicationContextPrefix: prefix to use for naming of resources created by replication feature + # Allowed values: string + # Default value: powerscale + replicationContextPrefix: "powerscale" + + # replicationPrefix: prefix to prepend to storage classes parameters + # Allowed values: string + # Default value: replication.storage.dell.com + replicationPrefix: "replication.storage.dell.com" + + snapshot: + # enabled: Enable/Disable volume snapshot feature + # Allowed values: + # true: enable volume snapshot feature(install snapshotter sidecar) + # false: disable volume snapshot feature(do not install snapshotter sidecar) + # Default value: None + enabled: true + + # snapNamePrefix: Prefix to apply to the names of a created snapshots + # Allowed values: string + # Default value: None + snapNamePrefix: snapshot + + resizer: + # enabled: Enable/Disable volume expansion feature + # Allowed values: + # true: enable volume expansion feature(install resizer sidecar) + # false: disable volume snapshot feature(do not install resizer sidecar) + # Default value: None + enabled: true + + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes- volume status, volume condition + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: None + enabled: false + + # interval: Interval of monitoring volume health condition + # Allowed values: Number followed by unit of time (s,m,h) + # Default value: 60s + interval: 60s + + # nodeSelector: Define node selection constraints for pods of controller deployment. + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. 
+ # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master: "" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane: "" + + # tolerations: Define tolerations for the controller deployment, if required. + # Default value: None + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + tolerations: + # - key: "node-role.kubernetes.io/master" + # operator: "Exists" + # effect: "NoSchedule" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # tolerations: + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + +# node: configure node pod specific parameters +node: + # nodeSelector: Define node selection constraints for pods of node daemonset + # For the pod to be eligible to run on a node, the node must have each + # of the indicated key-value pairs as labels. + # Leave as blank to consider all nodes + # Allowed values: map of key-value pairs + # Default value: None + nodeSelector: + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + # node-role.kubernetes.io/master: "" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # node-role.kubernetes.io/control-plane: "" + + # tolerations: Define tolerations for the node daemonset, if required. 
+ # Default value: None + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint + tolerations: + # - key: "node.kubernetes.io/memory-pressure" + # operator: "Exists" + # effect: "NoExecute" + # - key: "node.kubernetes.io/disk-pressure" + # operator: "Exists" + # effect: "NoExecute" + # - key: "node.kubernetes.io/network-unavailable" + # operator: "Exists" + # effect: "NoExecute" + # - key: "node-role.kubernetes.io/master" + # operator: "Exists" + # effect: "NoSchedule" + # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint + # tolerations: + # - key: "node-role.kubernetes.io/control-plane" + # operator: "Exists" + # effect: "NoSchedule" + + # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled + #tolerations: + # - key: "offline.vxflexos.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "vxflexos.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.unity.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "unity.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "offline.isilon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + # - key: "isilon.podmon.storage.dell.com" + # operator: "Exists" + # effect: "NoSchedule" + + # dnsPolicy: Determines the DNS Policy of the Node service. + # Allowed values: + # Default: The Pod inherits the name resolution configuration from the node that the pods run on. + # ClusterFirst: Any DNS query that does not match the configured cluster domain suffix, such as "www.kubernetes.io", + # is forwarded to the upstream nameserver inherited from the node. + # ClusterFirstWithHostNet: For Pods running with hostNetwork, you should explicitly set this DNS policy. + # None: It allows a Pod to ignore DNS settings from the Kubernetes environment. 
+ # All DNS settings are supposed to be provided using the dnsConfig field in the Pod Spec. + # Default value: ClusterFirst + # ClusterFirstWithHostNet is the recommended DNS policy. + # Prior to v1.5 of the driver, the default DNS policy was ClusterFirst. + # In certain scenarios, users might need to change the default dnsPolicy. + dnsPolicy: ClusterFirstWithHostNet + + healthMonitor: + # enabled: Enable/Disable health monitor of CSI volumes- volume usage, volume condition + # Allowed values: + # true: enable checking of health condition of CSI volumes + # false: disable checking of health condition of CSI volumes + # Default value: None + enabled: false + +## PLATFORM ATTRIBUTES +###################### +# endpointPort: Specify the HTTPs port number of the PowerScale OneFS API server +# Formerly this attribute was named as "isiPort" +# This value acts as a default value for endpointPort, if not specified for a cluster config in secret +# If authorization is enabled, endpointPort must match the port specified in the endpoint parameter of the karavi-authorization-config secret +# Allowed value: valid port number +# Default value: 8080 +endpointPort: 8080 + +# skipCertificateValidation: Specify whether the PowerScale OneFS API server's certificate chain and host name should be verified. +# Formerly this attribute was named as "isiInsecure" +# This value acts as a default value for skipCertificateValidation, if not specified for a cluster config in secret +# Allowed values: +# true: skip OneFS API server's certificate verification +# false: verify OneFS API server's certificates +# Default value: false +skipCertificateValidation: true + +# isiAuthType: Indicates whether the authentication will be session-based or basic. +# Allowed values: +# 0: enables basic Authentication +# 1: enables session-based Authentication +# Default value: 0 +isiAuthType: 0 + +# isiAccessZone: The name of the access zone a volume can be created in. 
+# If storageclass is missing with AccessZone parameter, then value of isiAccessZone is used for the same. +# Default value: System +# Examples: System, zone1 +isiAccessZone: System + +# enableQuota: Indicates whether the provisioner should attempt to set (later unset) quota +# on a newly provisioned volume. +# This requires SmartQuotas to be enabled on PowerScale cluster. +# Allowed values: +# true: set quota for volume +# false: do not set quota for volume +enableQuota: true + +# isiPath: The base path for the volumes to be created on PowerScale cluster. +# This value acts as a default value for isiPath, if not specified for a cluster config in secret +# Ensure that this path exists on PowerScale cluster. +# Allowed values: unix absolute path +# Default value: /ifs +# Examples: /ifs/data/csi, /ifs/engineering +isiPath: /ifs/data/csi + +# isiVolumePathPermissions: The permissions for isi volume directory path +# This value acts as a default value for isiVolumePathPermissions, if not specified for a cluster config in secret +# Allowed values: valid octal mode number +# Default value: "0777" +# Examples: "0777", "777", "0755" +isiVolumePathPermissions: "0777" + +# ignoreUnresolvableHosts: Ignore unresolvable hosts on the OneFS +# When set to true, OneFS allows new host to add to existing export list though any of the existing hosts from the +# same exports are unresolvable/doesn't exist anymore. +# Allowed values: +# true: ignore existing unresolvable hosts and append new host to the existing export +# false: exhibits OneFS default behavior i.e. if any of existing hosts are unresolvable while adding new one it fails +# Default value: false +ignoreUnresolvableHosts: false + +# noProbeOnStart: Indicates whether the controller/node should probe all the PowerScale clusters during driver initialization +# When set to true, the driver will not set node labels, please manually add +# the label .dellemc.com/: on the nodes for each of the clusters reachable from the node. 
+# Allowed values: +# true : do not probe all PowerScale clusters during driver initialization +# false: probe all PowerScale clusters during driver initialization +# Default value: false +noProbeOnStart: false + +# autoProbe: automatically probe the PowerScale cluster if not done already during CSI calls. +# Allowed values: +# true : enable auto probe. +# false: disable auto probe. +# Default value: false +autoProbe: true + +authorization: + enabled: false + # sidecarProxyImage: the container image used for the csm-authorization-sidecar. + # Default value: dellemc/csm-authorization-sidecar:v1.7.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0 + # proxyHost: hostname of the csm-authorization server + # Default value: None + proxyHost: + # skipCertificateValidation: certificate validation of the csm-authorization server + # Allowed Values: + # "true" - TLS certificate verification will be skipped + # "false" - TLS certificate will be verified + # Default value: "true" + skipCertificateValidation: true + +# Storage Capacity Tracking +# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions. 
+storageCapacity: + # enabled : Enable/Disable storage capacity tracking + # Allowed values: + # true: enable storage capacity tracking + # false: disable storage capacity tracking + # Default value: true + enabled: true + # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity + # Allowed values: 1m,2m,3m,...,10m,...,60m etc + # Default value: 5m + pollInterval: 5m + +# Enable this feature only after contact support for additional information +podmon: + enabled: false + image: dellemc/podmon:v1.6.0 + #controller: + # args: + # - "--csisock=unix:/var/run/csi/csi.sock" + # - "--labelvalue=csi-isilon" + # - "--arrayConnectivityPollRate=60" + # - "--driverPath=csi-isilon.dellemc.com" + # - "--mode=controller" + # - "--skipArrayConnectionValidation=false" + # - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + # - "--driverPodLabelValue=dell-storage" + # - "--ignoreVolumelessPods=false" + + #node: + # args: + # - "--csisock=unix:/var/lib/kubelet/plugins/csi-isilon/csi_sock" + # - "--labelvalue=csi-isilon" + # - "--arrayConnectivityPollRate=60" + # - "--driverPath=csi-isilon.dellemc.com" + # - "--mode=node" + # - "--leaderelection=false" + # - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" + # - "--driverPodLabelValue=dell-storage" + # - "--ignoreVolumelessPods=false" + +encryption: + # enabled: Enable/disable volume encryption feature. + enabled: false + + # pluginName: The name of the provisioner to use for encrypted volumes. + pluginName: "sec-isilon.dellemc.com" + + # image: Encryption driver image name. + image: "dellemc/csm-encryption:v0.3.0" + + # apiPort: TCP port number used by the REST API server. + apiPort: 3838 + + # logLevel: Log level of the encryption driver. + # Allowed values: "error", "warning", "info", "debug", "trace". + logLevel: "error" + + # livenessPort: HTTP liveness probe port number. + # Leave empty to disable the liveness probe. 
+ # Example: 8080 + livenessPort: + + # ocp: Enable when running on OpenShift Container Platform with CoreOS worker nodes. + ocp: false + + # ocpCoreID: User ID and group ID of user core on CoreOS worker nodes. + # Ignored when ocp is set to false. + ocpCoreID: "1000:1000" + + # extraArgs: Extra command line parameters to pass to the encryption driver. + # Allowed values: + # --sharedStorage - may be required by some applications to work properly. + # When set, performance is reduced and hard links cannot be created. + # See the gocryptfs documentation for more details. + extraArgs: [] + +images: + # "driver" defines the container image, used for the driver container. + driverRepository: dellemc diff --git a/charts/csi-powermax/Chart.yaml b/charts/csi-powermax/Chart.yaml index 0afb7d76..af51a96b 100644 --- a/charts/csi-powermax/Chart.yaml +++ b/charts/csi-powermax/Chart.yaml 
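Review bot: `skipCertificateValidation: true` ships with TLS verification of the OneFS API turned off, although the comment directly above it documents `Default value: false`; combined with the default `isiAuthType: 0` (basic authentication), array credentials are sent to a peer whose certificate is never checked. The shipped value should match the documented one, `skipCertificateValidation: false`, so that operators opt out of verification deliberately. The `authorization` block likewise defaults to `skipCertificateValidation: true` for the proxy server and deserves the same treatment, or at least a comment stating that it is meant for test installs only. Two smaller defaults would benefit from a caveat in their comments: `isiVolumePathPermissions: "0777"` leaves new volume directories world-writable, and `logLevel: "debug"` with `verbose: 1` logs OneFS REST request content.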
@@ -1,21 +1,22 @@ apiVersion: v2 +appVersion: "2.7.0" name: csi-powermax -version: 2.6.0 -appVersion: "2.6.0" -kubeVersion: ">= 1.23.0 < 1.27.0" -# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED -# kubeVersion: ">= 1.23.0-0 < 1.27.0-0" +version: 2.7.0 description: | PowerMax CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerMax StorageClass. +type: application +kubeVersion: ">= 1.23.0 < 1.28.0" +# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead +# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +# kubeVersion: ">= 1.23.0-0 < 1.28.0-0" keywords: - csi - storage dependencies: - name: csireverseproxy - version: 2.5.0 + version: 2.6.0 condition: required home: https://github.com/dell/csi-powermax icon: https://avatars1.githubusercontent.com/u/20958494?s=200&v=4 diff --git a/charts/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml index e27e2ad8..3ea07357 100644 --- a/charts/csi-powermax/charts/csireverseproxy/Chart.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/Chart.yaml @@ -4,6 +4,6 @@ description: A Helm chart for CSI PowerMax ReverseProxy type: application -version: 2.5.0 +version: 2.6.0 -appVersion: 2.5.0 \ No newline at end of file +appVersion: 2.6.0 diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml new file mode 100644 index 00000000..e37a47ac --- /dev/null +++ b/charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml 
@@ -0,0 +1,70 @@
+# If the csireverseproxy cert and key are provided, deploy a CA Issuer using the cert and key
+{{- if ne .Values.certManager.selfSignedCert true }}
+apiVersion: v1
+data:
+ tls.crt: {{ .Values.certManager.certificateFile }}
+ tls.key: {{ .Values.certManager.privateKeyFile }}
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: csirevproxy-tls-secret
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: csirevproxy-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ ca:
+ secretName: csirevproxy-tls-secret
+---
+{{- else }}
+# deploy a selfsigned-issuer
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+ namespace: {{ .Release.Namespace }}
+spec:
+ selfSigned: {}
+
+---
+{{- end }}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: csirevproxy-tls-cert
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: csirevproxy-tls-secret
+ commonName: powermax-reverseproxy
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+ subject:
+ organizations:
+ - dellemc
+ isCA: false
+ privateKey:
+ algorithm: RSA
+ encoding: PKCS1
+ size: 2048
+ usages:
+ - server auth
+ - client auth
+ dnsNames:
+ - powermax-reverseproxy
+ - powermax-reverseproxy.powermax.svc.cluster.local
+ - reverseproxy
+ issuerRef:
+ {{- if ne .Values.certManager.selfSignedCert true }}
+ name: csirevproxy-issuer
+ {{- else }}
+ name: selfsigned-issuer
+ {{- end }}
+ kind: Issuer
+ group: cert-manager.io
+---
\ No newline at end of file
diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml
index f33e26e2..27938ea4 100644
--- a/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml
+++ b/charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml
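Review bot: The Secret created in the non-self-signed branch and the Certificate's `spec.secretName` both use `csirevproxy-tls-secret`, so cert-manager would write the issued leaf key pair (`isCA: false`) into the same Secret that `csirevproxy-issuer` reads its CA signing key from. Give the CA material its own Secret and point the issuer at it, for example `name: csirevproxy-ca-secret` on the Secret and `secretName: csirevproxy-ca-secret` under `spec.ca` (the name is only a suggestion). The key also arrives through `.Values.certManager.privateKeyFile`, so it is kept with the release's stored values; referencing a pre-created Secret by name would avoid that, and at minimum `tls.crt` and `tls.key` should be rendered with `| quote`. The `dnsNames` entry `powermax-reverseproxy.powermax.svc.cluster.local` hard-codes the `powermax` namespace while every resource in this file is created in `.Release.Namespace`.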
@@ -2,6 +2,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-reverseproxy-config - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} data: {{ tpl (.Files.Glob "conf/config.yaml").AsConfig . | indent 2 }} diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml index 3de519e6..2cf75993 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml @@ -3,7 +3,7 @@ kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} rules: - apiGroups: [""] resources: ["secrets"] @@ -13,11 +13,11 @@ kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} subjects: - kind: ServiceAccount name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: Role name: {{ .Release.Name }}-reverseproxy diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml index 2c39b851..53d291ca 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: replicas: 1 selector: 
@@ -29,7 +29,7 @@ spec: - name: X_CSI_REVPROXY_TLS_CERT_DIR value: /app/tls - name: X_CSI_REVPROXY_WATCH_NAMESPACE - value: {{ include "custom.namespace" . }} + value: {{ .Release.Namespace }} volumeMounts: - name: configmap-volume mountPath: /etc/config/configmap diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml index 503ca314..ea1b34e4 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/service.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Service metadata: name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: ports: - port: {{ .Values.port }} diff --git a/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml b/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml index ddc5e865..aa37a367 100644 --- a/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml @@ -3,5 +3,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-reverseproxy - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} {{- end }} \ No newline at end of file diff --git a/charts/csi-powermax/charts/csireverseproxy/values.yaml b/charts/csi-powermax/charts/csireverseproxy/values.yaml index f017be39..32b0106b 100644 --- a/charts/csi-powermax/charts/csireverseproxy/values.yaml +++ b/charts/csi-powermax/charts/csireverseproxy/values.yaml @@ -1,4 +1,4 @@ -image: dellemc/csipowermax-reverseproxy:v2.5.0 +image: dellemc/csipowermax-reverseproxy:v2.6.0 port: 2222 # TLS secret which is used for setting up the proxy HTTPS server diff --git a/charts/csi-powermax/templates/_helpers.tpl b/charts/csi-powermax/templates/_helpers.tpl index c7cd1ba5..0ad1b65d 100644 
--- a/charts/csi-powermax/templates/_helpers.tpl
+++ b/charts/csi-powermax/templates/_helpers.tpl
@@ -3,58 +3,48 @@ Return the appropriate sidecar images based on k8s version */}} {{- define "csi-powermax.attacherImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.2.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.3.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powermax.provisionerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.4.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.5.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powermax.snapshotterImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.2" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powermax.resizerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.7.0" -}} + {{- if and (ge (trimSuffix "+" 
.Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.8.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powermax.registrarImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.3" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powermax.healthmonitorImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.8.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "23") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} {{- end -}} {{- end -}} {{- end -}} - -{{/* -Namespace for all resources to be installed into -If not defined in values file then the helm release namespace is used -By default this is not set so the helm release namespace will be used -*/}} - -{{- define "custom.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} \ No newline at end of file diff --git a/charts/csi-powermax/templates/controller.yaml b/charts/csi-powermax/templates/controller.yaml index 4e6d4e73..f5118102 100644 --- a/charts/csi-powermax/templates/controller.yaml +++ b/charts/csi-powermax/templates/controller.yaml 
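Review bot: Five of the six bumped sidecar references in this hunk still pull from `k8s.gcr.io` (`csi-attacher`, `csi-provisioner`, `csi-snapshotter`, `csi-resizer`, `csi-node-driver-registrar`), while the health-monitor line in the same hunk and the csi-powerstore and csi-unity helpers in this commit use `registry.k8s.io`. `k8s.gcr.io` is the legacy registry host, so the new tags should be referenced from the current one, e.g. `{{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}}`. All three helper files name these images by tag only; appending the digest (`registry.k8s.io/sig-storage/csi-attacher:v4.3.0@sha256:<digest>`) would keep a re-pushed tag from changing what gets deployed.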
@@ -2,13 +2,13 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{.Release.Name}}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: {{- if eq .Values.customDriverName.enabled true}} - name: {{printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value}} + name: {{printf "%s-%s-controller" .Release.Namespace .Values.customDriverName.value}} {{- else }} name: {{ .Release.Name }}-controller {{- end }} @@ -97,18 +97,18 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s-controller" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: {{ .Release.Name }}-controller {{- end }} subjects: - kind: ServiceAccount name: {{ .Release.Name }}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s-controller" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s-controller" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: {{ .Release.Name }}-controller {{- end }} @@ -118,7 +118,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ .Release.Name }}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: 
@@ -345,7 +345,7 @@ spec: {{- end }} - name: X_CSI_POWERMAX_DRIVER_NAME {{- if eq .Values.customDriverName.enabled true}} - value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" ( include "custom.namespace" . ) .Values.customDriverName.value) }} + value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" .Release.Namespace .Values.customDriverName.value) }} {{- else }} value: csi-powermax.dellemc.com {{- end }} @@ -448,7 +448,7 @@ spec: - name: X_CSI_REVPROXY_TLS_CERT_DIR value: /app/tls - name: X_CSI_REVPROXY_WATCH_NAMESPACE - value: {{ include "custom.namespace" . }} + value: {{ .Release.Namespace }} - name: X_CSI_REVPROXY_IS_LEADER_ENABLED value: "true" volumeMounts: diff --git a/charts/csi-powermax/templates/csidriver.yaml b/charts/csi-powermax/templates/csidriver.yaml index 0160ef76..52cc6694 100644 --- a/charts/csi-powermax/templates/csidriver.yaml +++ b/charts/csi-powermax/templates/csidriver.yaml @@ -2,7 +2,7 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: csi-powermax {{- end }} diff --git a/charts/csi-powermax/templates/driver-config-params.yaml b/charts/csi-powermax/templates/driver-config-params.yaml index 2068da2a..1f39a8b3 100644 --- a/charts/csi-powermax/templates/driver-config-params.yaml +++ b/charts/csi-powermax/templates/driver-config-params.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-config-params - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} data: driver-config-params.yaml: | CSI_LOG_LEVEL: {{ .Values.global.logLevel | default "debug" }} diff --git a/charts/csi-powermax/templates/node.yaml b/charts/csi-powermax/templates/node.yaml index 6d70d614..0d0cdae8 100644 
--- a/charts/csi-powermax/templates/node.yaml +++ b/charts/csi-powermax/templates/node.yaml @@ -3,13 +3,13 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s-node" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s-node" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: {{ .Release.Name }}-node {{- end }} @@ -43,18 +43,18 @@ kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s-node" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s-node" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: {{ .Release.Name }}-node {{- end }} subjects: - kind: ServiceAccount name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole {{- if eq .Values.customDriverName.enabled true}} - name: {{ printf "%s-%s-node" ( include "custom.namespace" . ) .Values.customDriverName.value }} + name: {{ printf "%s-%s-node" .Release.Namespace .Values.customDriverName.value }} {{- else }} name: {{ .Release.Name }}-node {{- end }} @@ -65,7 +65,7 @@ kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} {{- if hasKey .Values "authorization" }} {{- if eq .Values.authorization.enabled true }} annotations: 
@@ -113,7 +113,7 @@ spec: env: - name: X_CSI_POWERMAX_DRIVER_NAME {{- if eq .Values.customDriverName.enabled true }} - value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" ( include "custom.namespace" . ) .Values.customDriverName.value) }} + value: {{ required "Must provide a driver name" (printf "%s.%s.dellemc.com" .Release.Namespace .Values.customDriverName.value) }} {{- else }} value: csi-powermax.dellemc.com {{- end }} diff --git a/charts/csi-powermax/values.yaml b/charts/csi-powermax/values.yaml index ef37cf81..418b1c32 100644 --- a/charts/csi-powermax/values.yaml +++ b/charts/csi-powermax/values.yaml @@ -49,7 +49,7 @@ global: # Current version of the driver # Don't modify this value as this value will be used by the install script -version: "v2.6.0" +version: "v2.7.0" images: # "driver" defines the container image, used for the driver container. @@ -255,8 +255,8 @@ enableCHAP: false csireverseproxy: # image: Define the container images used for the reverse proxy # Default value: None - # Example: "csipowermax-reverseproxy:v2.5.0" - image: dellemc/csipowermax-reverseproxy:v2.5.0 + # Example: "csipowermax-reverseproxy:v2.6.0" + image: dellemc/csipowermax-reverseproxy:v2.6.0 # "tlsSecret" defines the TLS secret that is created with certificate # and its associated key # Default value: None 
@@ -277,9 +277,21 @@ csireverseproxy: # Default value: None # Example: "StandAlone" mode: StandAlone - # Optionally, uncomment and specify the name of the pre-created namespace to install the sidecar in it - # namespace: - + # Auto-create TLS certificate for csi-reverseproxy + certManager: + # Set selfSignedCert to use a self-signed certificate + # Default value: true + selfSignedCert: true + # certificateFile has tls.key content in encoded format + # Allowed Values: + # - encoded base64 value of tls.crt: cat tls.crt | base64 + # - comment the param, if selfsigned should be used + certificateFile: tls.crt.encoded64 + # privateKeyFile has tls.key content in encoded format + # Allowed Values: + # - encoded base64 value of tls.key: cat tls.key | base64 + # - comment the param, if selfsigned should be used + privateKeyFile: tls.key.encoded64 # clusterPrefix: Define a prefix that is appended onto # all resources created in the Array # This should be unique per K8s/CSI deployment @@ -363,7 +375,7 @@ replication: enabled: false # Change this to use any specific version of the dell-csi-replicator sidecar # Default value: None - image: dellemc/dell-csi-replicator:v1.4.0 + image: dellemc/dell-csi-replicator:v1.5.0 # replicationContextPrefix enables side cars to read # required information from the volume context # Default value: "powermax" 
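Review bot: The comment above `certificateFile` says it "has tls.key content", which contradicts the `tls.crt` instruction two lines below it; it should read `# certificateFile has tls.crt content in encoded format`. The defaults `tls.crt.encoded64` and `tls.key.encoded64` are placeholders rather than base64, so setting `selfSignedCert: false` without replacing both would, as far as the certificate template in this commit shows, be rendered straight into a Secret's `data` and likely rejected at install; empty defaults plus a `required` check in the template would fail earlier with a clear message. Because `privateKeyFile` carries a private key, the comment should also tell users to supply it from a separate, untracked values file instead of committing it in `values.yaml`. The suggested `cat tls.key | base64` wraps its output on GNU coreutils, so `base64 -w0` is needed there to get a single-line value.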
@@ -384,10 +396,10 @@ migration: enabled: false # Change this to use any specific version of the dell-csi-migrator sidecar # Default value: None - image: dellemc/dell-csi-migrator:v1.1.0 + image: dellemc/dell-csi-migrator:v1.1.1 # Node rescan sidecar does a rescan on nodes for identifying new paths - # Default value: dellemc/dell-csi-node-rescanner:v1.0.0 - nodeRescanSidecarImage: dellemc/dell-csi-node-rescanner:v1.0.0 + # Default value: dellemc/dell-csi-node-rescanner:v1.0.1 + nodeRescanSidecarImage: dellemc/dell-csi-node-rescanner:v1.0.1 # migrationPrefix: Determine if migration is enabled # Default value: "migration.storage.dell.com" # Examples: "migration.storage.dell.com" @@ -403,8 +415,8 @@ migration: authorization: enabled: false # sidecarProxyImage: the container image used for the csm-authorization-sidecar. - # Default value: dellemc/csm-authorization-sidecar:v1.6.0 - sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0 + # Default value: dellemc/csm-authorization-sidecar:v1.7.0 + sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: @@ -435,6 +447,3 @@ vSphere: vCenterHost: "00.000.000.00" # vCenterCredSecret: secret name for the vCenter credentials vCenterCredSecret: vcenter-creds - -# Optionally, uncomment and specify the name of the pre-created namespace to install the driver in it -# namespace: diff --git a/charts/csi-powerstore/Chart.yaml b/charts/csi-powerstore/Chart.yaml index 91274ff3..f64ae17c 100644 --- a/charts/csi-powerstore/Chart.yaml +++ b/charts/csi-powerstore/Chart.yaml 
@@ -13,19 +13,19 @@ # limitations under the License. # # - -name: csi-powerstore apiVersion: v2 -version: 2.6.0 -appVersion: "2.6.0" -kubeVersion: ">= 1.22.0 < 1.27.0" -# If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead -# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED -# kubeVersion: ">= 1.22.0-0 < 1.27.0-0" +appVersion: "2.7.0" +name: csi-powerstore +version: 2.7.0 description: | PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerStore StorageClass. +type: application +kubeVersion: ">= 1.22.0 < 1.28.0" +# If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead +# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +# kubeVersion: ">= 1.22.0-0 < 1.28.0-0" keywords: - csi - storage diff --git a/charts/csi-powerstore/templates/_helpers.tpl b/charts/csi-powerstore/templates/_helpers.tpl index 0de84a7c..8da93b35 100644 --- a/charts/csi-powerstore/templates/_helpers.tpl +++ b/charts/csi-powerstore/templates/_helpers.tpl 
@@ -3,48 +3,48 @@ Return the appropriate sidecar images based on k8s version */}} {{- define "csi-powerstore.attacherImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-attacher:v4.2.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.provisionerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-provisioner:v3.4.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.snapshotterImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.resizerImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-resizer:v1.7.0" -}} + {{- if and (ge 
(trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.registrarImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.3" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} {{- end -}} {{- end -}} {{- end -}} {{- define "csi-powerstore.healthmonitorImage" -}} {{- if eq .Capabilities.KubeVersion.Major "1" }} - {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "26") -}} - {{- print "gcr.io/k8s-staging-sig-storage/csi-external-health-monitor-controller:v0.8.0" -}} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "22") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} {{- end -}} {{- end -}} {{- end -}} @@ -59,13 +59,3 @@ Return true if storage capacity tracking is enabled and is supported based on k8 {{- end -}} {{- end -}} {{- end -}} - -{{/* -Namespace for all resources to be installed into -If not defined in values file then the helm release namespace is used -By default this is not set so the helm release namespace will be used -*/}} - -{{- define "custom.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} \ No newline at end of file diff --git a/charts/csi-powerstore/templates/controller.yaml b/charts/csi-powerstore/templates/controller.yaml index da8b9d09..8770c6a2 100644 
--- a/charts/csi-powerstore/templates/controller.yaml +++ b/charts/csi-powerstore/templates/controller.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- @@ -145,7 +145,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-controller @@ -157,7 +157,7 @@ kind: Deployment apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: selector: matchLabels: @@ -452,4 +452,4 @@ spec: name: {{ .Release.Name }}-config-params - name: powerstore-config secret: - secretName: {{ .Release.Name }}-config \ No newline at end of file + secretName: {{ .Release.Name }}-config diff --git a/charts/csi-powerstore/templates/csidriver.yaml b/charts/csi-powerstore/templates/csidriver.yaml index ecf17723..9f5ad9be 100644 --- a/charts/csi-powerstore/templates/csidriver.yaml +++ b/charts/csi-powerstore/templates/csidriver.yaml @@ -24,4 +24,4 @@ spec: fsGroupPolicy: {{ .Values.fsGroupPolicy }} volumeLifecycleModes: - Persistent - - Ephemeral \ No newline at end of file + - Ephemeral diff --git a/charts/csi-powerstore/templates/driver-config-params.yaml b/charts/csi-powerstore/templates/driver-config-params.yaml index 5e4cd28d..ce5349de 100644 --- a/charts/csi-powerstore/templates/driver-config-params.yaml +++ b/charts/csi-powerstore/templates/driver-config-params.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ .Release.Name }}-config-params - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} data: driver-config-params.yaml: | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" 
diff --git a/charts/csi-powerstore/templates/node.yaml b/charts/csi-powerstore/templates/node.yaml index 724bdcd9..d4773176 100644 --- a/charts/csi-powerstore/templates/node.yaml +++ b/charts/csi-powerstore/templates/node.yaml @@ -18,7 +18,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- @@ -72,7 +72,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-node @@ -84,7 +84,7 @@ kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .Release.Name }}-node - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: selector: matchLabels: @@ -348,4 +348,4 @@ spec: path: /var/run type: Directory {{ end }} - {{ end }} \ No newline at end of file + {{ end }} diff --git a/charts/csi-powerstore/values.yaml b/charts/csi-powerstore/values.yaml index 0d9922bf..ec8db4f5 100644 --- a/charts/csi-powerstore/values.yaml +++ b/charts/csi-powerstore/values.yaml @@ -23,7 +23,7 @@ driverName: "csi-powerstore.dellemc.com" # Driver version required to pull the latest driver image -version: "v2.6.0" +version: "v2.7.0" # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. @@ -151,7 +151,7 @@ controller: # image: Image to use for dell-csi-replicator. This shouldn't be changed # Allowed values: string # Default value: None - image: dellemc/dell-csi-replicator:v1.4.0 + image: dellemc/dell-csi-replicator:v1.5.0 # replicationContextPrefix: prefix to use for naming of resources created by replication feature # Allowed values: string 
@@ -164,7 +164,7 @@ controller: replicationPrefix: "replication.storage.dell.com" # Image for csi-metadata-retriever - metadataretriever: dellemc/csi-metadata-retriever:v1.3.0 + metadataretriever: dellemc/csi-metadata-retriever:v1.4.0 # nodeSelector: Define node selection constraints for controller pods. # For the pod to be eligible to run on a node, the node must have each @@ -311,7 +311,7 @@ storageCapacity: # Enable this feature only after contact support for additional information podmon: enabled: false - image: dellemc/podmon:v1.5.0 + image: dellemc/podmon:v1.6.0 controller: args: - "--csisock=unix:/var/run/csi/csi.sock" @@ -339,6 +339,3 @@ podmon: images: # "driver" defines the container image, used for the driver container. driverRepository: dellemc - -# Optionally, uncomment and specify the name of the pre-created namespace to install the driver in it -# namespace: diff --git a/charts/csi-unity/Chart.yaml b/charts/csi-unity/Chart.yaml new file mode 100644 index 00000000..c1a1c271 --- /dev/null +++ b/charts/csi-unity/Chart.yaml @@ -0,0 +1,20 @@ +apiVersion: v2 +appVersion: 2.7.0 +name: csi-unity +version: 2.7.0 +description: | + Unity XT CSI (Container Storage Interface) driver Kubernetes + integration. This chart includes everything required to provision via CSI as + well as a Unity XT StorageClass. +type: application +kubeVersion: ">= 1.24.0 < 1.28.0" +# If you are using a complex K8s version like "v1.24.3-mirantis-1", use this kubeVersion check instead +# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED +# kubeVersion: ">= 1.24.0-0 < 1.28.0-0" +keywords: +- csi +- storage +sources: +- https://github.com/dell/csi-unity +maintainers: +- name: DellEMC diff --git a/charts/csi-unity/templates/_helpers.tpl b/charts/csi-unity/templates/_helpers.tpl new file mode 100644 index 00000000..e5bc0130 --- /dev/null +++ b/charts/csi-unity/templates/_helpers.tpl 
@@ -0,0 +1,50 @@
+{{/*
+Return the appropriate sidecar images based on k8s version
+*/}}
+{{- define "csi-unity.attacherImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "csi-unity.provisionerImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "csi-unity.snapshotterImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "csi-unity.resizerImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "csi-unity.registrarImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "csi-unity.healthmonitorImage" -}}
+ {{- if eq .Capabilities.KubeVersion.Major "1" }}
+ {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}}
+ {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/csi-unity/templates/controller.yaml b/charts/csi-unity/templates/controller.yaml
new file mode 100644
index 00000000..2cf81728
--- /dev/null
+++ b/charts/csi-unity/templates/controller.yaml
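Review bot: Every `define` in charts/csi-unity/templates/_helpers.tpl compares the Kubernetes minor version as a string (`ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24"`), so the gate is lexical rather than numeric and only holds while both sides have two digits. A single range check such as `{{- if semverCompare ">= 1.24.0-0 < 1.28.0-0" .Capabilities.KubeVersion.Version -}}` would state the supported window once and stay in step with the `kubeVersion` constraint in Chart.yaml. Outside the window each helper renders an empty string, so the `required` calls in controller.yaml and node.yaml fail with "Must provide the CSI … container image", which does not tell the operator that the cluster version is the cause; an explicit `fail` naming the supported range would. The same applies to the six helpers in charts/csi-vxflexos/templates/_helpers.tpl (bounds "21" and "27"). The sidecar images are also fixed by tag inside the helper, which leaves no way to pin a digest or point at a mirrored registry from values.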
@@ -0,0 +1,304 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+{{- if .Values.podmon.enabled }}
+ verbs: ["get", "list", "watch", "patch"]
+{{- else }}
+ verbs: ["get", "list", "watch"]
+{{- end }}
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update","patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "create", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+{{- if .Values.podmon.enabled }}
+ verbs: ["get", "list", "watch", "update", "patch", "delete"]
+{{- else }}
+ verbs: ["get", "list", "watch", "update","patch"]
+{{- end }}
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+{{- if .Values.podmon.enabled }}
+ verbs: ["get", "list", "watch", "update", "delete"]
+{{- else }}
+ verbs: ["get", "list", "watch"]
+{{- end }}
+# below for snapshotter
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "patch"]
+ # below for resizer
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}-controller
+ apiGroup: rbac.authorization.k8s.io
+---
+{{ $releaseName := .Release.Name }}
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+spec:
+ {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}}
+ {{- fail "value for .Values.controller.controllerCount should be atleast 1" }}
+ {{- else }}
+ replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-controller
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-controller
+ spec:
+ serviceAccountName: {{ .Release.Name }}-controller
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: app
+ operator: In
+ values:
+ - {{ .Release.Name }}-controller
+ topologyKey: "kubernetes.io/hostname"
+ {{- if .Values.controller.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.controller.tolerations }}
+ tolerations:
+ {{- toYaml .Values.controller.tolerations | nindent 6 }}
+ {{- end }}
+ containers:
+{{- if .Values.podmon.enabled }}
+ - name: podmon
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ image: {{ required "Must provide the podmon container image." .Values.podmon.image }}
+ args:
+ {{- toYaml .Values.podmon.controller.args | nindent 12 }}
+ env:
+ - name: MY_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ - name: unity-config
+ mountPath: /unity-config
+{{- end }}
+ - name: attacher
+ image: {{ required "Must provide the CSI attacher container image." ( include "csi-unity.attacherImage" . ) }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--v=5"
+ - "--leader-election"
+ env:
+ - name: ADDRESS
+ value: /var/run/csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ - name: provisioner
+ image: {{ required "Must provide the CSI provisioner container image." ( include "csi-unity.provisionerImage" . ) }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--volume-name-prefix={{ required "Must provide a Volume Name Prefix." .Values.controller.volumeNamePrefix }}"
+ - "--volume-name-uuid-length=10"
+ - "--timeout=180s"
+ - "--worker-threads=6"
+ - "--v=5"
+ - "--feature-gates=Topology=true"
+ - "--strict-topology=true"
+ - "--leader-election"
+ - "--leader-election-namespace={{ .Release.Namespace }}"
+ - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}"
+ env:
+ - name: ADDRESS
+ value: /var/run/csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ {{- if hasKey .Values.controller "snapshot" }}
+ {{- if eq .Values.controller.snapshot.enabled true }}
+ - name: snapshotter
+ image: {{ required "Must provide the CSI snapshotter container image. " ( include "csi-unity.snapshotterImage" . ) }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}"
+ - "--snapshot-name-uuid-length=10"
+ - "--timeout=360s"
+ - "--v=5"
+ - "--leader-election"
+ env:
+ - name: ADDRESS
+ value: /var/run/csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ {{- end}}
+ {{- end}}
+ {{- if hasKey .Values.controller "resizer" }}
+ {{- if eq .Values.controller.resizer.enabled true }}
+ - name: resizer
+ image: {{ required "Must provide the CSI resizer container image." ( include "csi-unity.resizerImage" . ) }}
+ args:
+ - "--csi-address=$(ADDRESS)"
+ - "--v=5"
+ - "--leader-election"
+ env:
+ - name: ADDRESS
+ value: /var/run/csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ {{ end }}
+ {{ end }}
+ {{- if hasKey .Values.controller "healthMonitor" }}
+ {{- if eq .Values.controller.healthMonitor.enabled true }}
+ - name: csi-external-health-monitor-controller
+ image: {{ required "Must provide the CSI external health monitor image." ( include "csi-unity.healthmonitorImage" . ) }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ args:
+ - "--v=5"
+ - "--csi-address=$(ADDRESS)"
+ - "--leader-election"
+ - "--http-endpoint=:8080"
+ - "--enable-node-watcher=true"
+ - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}"
+ - "--timeout=180s"
+ env:
+ - name: ADDRESS
+ value: /var/run/csi/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ {{- end }}
+ {{- end }}
+ - name: driver
+ image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}"
+ args:
+ - "--driver-name=csi-unity.dellemc.com"
+ - "--driver-config=/unity-config/driver-config-params.yaml"
+ - "--driver-secret=/unity-secret/config"
+ - "--leader-election"
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ env:
+ - name: CSI_ENDPOINT
+ value: /var/run/csi/csi.sock
+ - name: X_CSI_MODE
+ value: controller
+ - name: X_CSI_UNITY_AUTOPROBE
+ value: "true"
+ - name: SSL_CERT_DIR
+ value: /certs
+ {{- if hasKey .Values.controller "healthMonitor" }}
+ {{- if eq .Values.controller.healthMonitor.enabled true }}
+ - name: X_CSI_HEALTH_MONITOR_ENABLED
+ value: "{{ .Values.controller.healthMonitor.enabled }}"
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/run/csi
+ - name: certs
+ mountPath: /certs
+ readOnly: true
+ - name: unity-config
+ mountPath: /unity-config
+ - name: unity-secret
+ mountPath: /unity-secret
+ volumes:
+ - name: certs
+ projected:
+ sources:
+{{- range $i, $e := until (int .Values.certSecretCount ) }}
+ - secret:
+ name: {{ print $releaseName "-certs-" $e }}
+ items:
+ - key: cert-{{ $e }}
+ path: cert-{{ $e }}
+{{- end }}
+ - name: socket-dir
+ emptyDir:
+ - name: unity-config
+ configMap:
+ name: {{ .Release.Name }}-config-params
+ - name: unity-secret
+ secret:
+ secretName: {{ .Release.Name }}-creds
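Review bot: The controller ClusterRole in charts/csi-unity/templates/controller.yaml grants `create`/`delete` on `customresourcedefinitions` cluster-wide, which looks broader than the pinned sidecars need: as far as I know the v6.x csi-snapshotter referenced in _helpers.tpl no longer installs the snapshot CRDs itself, so the `apiextensions.k8s.io` rule can probably be dropped after confirming with the driver. The `volumeattachments/status` `patch` rule is listed twice, and the `csi.storage.k8s.io` / `csinodeinfos` rule appears to target a pre-GA API; removing both would make the role read as the minimum required. The `# below for snapshotter` comment sits directly above the cluster-wide `secrets` `get`/`list` rule, and a one-line comment saying which secrets the sidecar is expected to read would help an auditor judge that grant. The `required` message for the snapshot prefix also has a typo, `"Must privided a Snapshot Name Prefix"`.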
diff --git a/charts/csi-unity/templates/csidriver.yaml b/charts/csi-unity/templates/csidriver.yaml
new file mode 100644
index 00000000..f38d58ee
--- /dev/null
+++ b/charts/csi-unity/templates/csidriver.yaml
@@ -0,0 +1,11 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: csi-unity.dellemc.com
+spec:
+ attachRequired: true
+ podInfoOnMount: true
+ volumeLifecycleModes:
+ - Persistent
+ - Ephemeral
+ fsGroupPolicy: {{ .Values.fsGroupPolicy }}
diff --git a/charts/csi-unity/templates/driver-config-params.yaml b/charts/csi-unity/templates/driver-config-params.yaml
new file mode 100644
index 00000000..2bbf8948
--- /dev/null
+++ b/charts/csi-unity/templates/driver-config-params.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-config-params
+ namespace: {{ .Release.Namespace }}
+data:
+ driver-config-params.yaml: |
+ CSI_LOG_LEVEL: "{{ .Values.logLevel }}"
+ ALLOW_RWO_MULTIPOD_ACCESS: "{{ .Values.allowRWOMultiPodAccess }}"
+ MAX_UNITY_VOLUMES_PER_NODE: "{{ .Values.maxUnityVolumesPerNode }}"
+ SYNC_NODE_INFO_TIME_INTERVAL: "{{ .Values.syncNodeInfoInterval }}"
+ TENANT_NAME: "{{ .Values.tenantName }}"
+ {{ if .Values.podmon.enabled }}
+ PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}"
+ PODMON_CONTROLLER_LOG_FORMAT: "TEXT"
+ PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}"
+ PODMON_NODE_LOG_FORMAT: "TEXT"
+ {{ end }}
diff --git a/charts/csi-unity/templates/node.yaml b/charts/csi-unity/templates/node.yaml
new file mode 100644
index 00000000..d013812e
--- /dev/null
+++ b/charts/csi-unity/templates/node.yaml
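Review bot: In charts/csi-unity/templates/csidriver.yaml, `volumeLifecycleModes` always includes `Ephemeral`, which allows inline CSI volumes whose `volumeAttributes` come straight from the Pod spec rather than from an administrator-owned StorageClass. If the driver accepts attributes that are meant to be administrator-only, this widens who can set them, so the entry should either be gated on a values flag or carry a comment stating that the driver's inline attributes are safe for ordinary pod authors. `fsGroupPolicy: {{ .Values.fsGroupPolicy }}` also renders an empty value when the key is unset; `{{ .Values.fsGroupPolicy | default "ReadWriteOnceWithFSType" }}` would match the default documented in values.yaml.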
@@ -0,0 +1,279 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-node
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-node
+rules:
+ - apiGroups: [ "" ]
+ resources: [ "persistentvolumes" ]
+ verbs: [ "create", "delete", "get", "list", "watch", "update" ]
+ - apiGroups: [ "" ]
+ resources: [ "persistentvolumesclaims" ]
+ verbs: [ "get", "list", "watch", "update" ]
+ - apiGroups: [ "" ]
+ resources: [ "events" ]
+ verbs: [ "get", "list", "watch", "create", "update", "patch" ]
+ - apiGroups: [ "" ]
+ resources: [ "nodes" ]
+ verbs: [ "get", "list", "watch", "update", "patch" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "volumeattachments" ]
+ verbs: [ "get", "list", "watch", "update" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "storageclasses" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [ "storage.k8s.io" ]
+ resources: [ "volumeattachments" ]
+ verbs: [ "get", "list", "watch", "update" ]
+ - apiGroups: [ "security.openshift.io" ]
+ resourceNames: [ "privileged" ]
+ resources: [ "securitycontextconstraints" ]
+ verbs: [ "use" ]
+{{- if .Values.podmon.enabled }}
+ - apiGroups: [ "" ]
+ resources: [ "pods" ]
+ verbs: [ "get", "list", "watch", "update", "delete" ]
+ - apiGroups: [ "coordination.k8s.io" ]
+ resources: [ "leases" ]
+ verbs: [ "get", "watch", "list", "delete", "update", "create" ]
+{{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-node
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Release.Name }}-node
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Release.Name }}-node
+ apiGroup: rbac.authorization.k8s.io
+---
+{{ $releaseName := .Release.Name }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: {{ .Release.Name }}-node
+ namespace: {{ .Release.Namespace }}
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-node
+ template:
+ metadata:
+ labels:
+ app: {{ .Release.Name }}-node
+{{- if .Values.podmon.enabled }}
+ driver.dellemc.com: dell-storage
+{{- end }}
+ spec:
+ serviceAccountName: {{ .Release.Name }}-node
+ {{- if .Values.node.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.node.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.node.tolerations }}
+ tolerations:
+ {{- toYaml .Values.node.tolerations | nindent 8 }}
+ {{- end }}
+ hostIPC: true
+ hostNetwork: true
+ dnsPolicy: {{ .Values.node.dnsPolicy }}
+ containers:
+{{- if .Values.podmon.enabled }}
+ - name: podmon
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ image: {{ required "Must provide the podmon container image." .Values.podmon.image }}
+ args:
+ {{- toYaml .Values.podmon.node.args | nindent 12 }}
+ env:
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: X_CSI_PRIVATE_MOUNT_DIR
+ value: "{{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/disks"
+ - name: MY_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: kubelet-pods
+ mountPath: {{ .Values.kubeletConfigDir }}/pods
+ mountPropagation: "Bidirectional"
+ - name: driver-path
+ mountPath: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+ mountPropagation: "Bidirectional"
+ - name: volumedevices-path
+ mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+ mountPropagation: "Bidirectional"
+ - name: dev
+ mountPath: /dev
+ - name: usr-bin
+ mountPath: /usr-bin
+ - name: var-run
+ mountPath: /var/run
+ - name: unity-config
+ mountPath: /unity-config
+{{- end }}
+ - name: driver
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["SYS_ADMIN"]
+ allowPrivilegeEscalation: true
+ image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}"
+ args:
+ - "--driver-name=csi-unity.dellemc.com"
+ - "--driver-config=/unity-config/driver-config-params.yaml"
+ - "--driver-secret=/unity-secret/config"
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ env:
+ - name: CSI_ENDPOINT
+ value: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/csi_sock
+ - name: X_CSI_MODE
+ value: node
+ - name: X_CSI_UNITY_AUTOPROBE
+ value: "true"
+ - name: X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS
+ value: {{ .Values.allowRWOMultiPodAccess | default "false" | lower | quote }}
+ - name: X_CSI_PRIVATE_MOUNT_DIR
+ value: "{{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/disks"
+ - name: X_CSI_EPHEMERAL_STAGING_PATH
+ value: "{{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/pv/"
+ - name: X_CSI_ISCSI_CHROOT
+ value: {{ .Values.ISCSIChroot | default "/noderoot" }}
+ - name: X_CSI_UNITY_NODENAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: X_CSI_UNITY_NODENAME_PREFIX
+ value: {{ .Values.nodeNamePrefix }}
+ - name: SSL_CERT_DIR
+ value: /certs
+ - name: X_CSI_UNITY_SYNC_NODEINFO_INTERVAL
+ value: {{ .Values.syncNodeInfoInterval | default "15" | quote }}
+ {{- if hasKey .Values.node "healthMonitor" }}
+ {{- if eq .Values.node.healthMonitor.enabled true }}
+ - name: X_CSI_HEALTH_MONITOR_ENABLED
+ value: "{{ .Values.node.healthMonitor.enabled }}"
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ - name: driver-path
+ mountPath: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+ - name: volumedevices-path
+ mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+ mountPropagation: "Bidirectional"
+ - name: pods-path
+ mountPath: {{ .Values.kubeletConfigDir }}/pods
+ mountPropagation: "Bidirectional"
+ - name: dev
+ mountPath: /dev
+ - name: noderoot
+ mountPath: /noderoot
+ - name: certs
+ mountPath: /certs
+ readOnly: true
+ - name: unity-config
+ mountPath: /unity-config
+ - name: unity-secret
+ mountPath: /unity-secret
+ - name: registrar
+ image: {{ required "Must provide the CSI registrar container image." ( include "csi-unity.registrarImage" . ) }}
+ args:
+ - "--v=5"
+ - "--csi-address=$(ADDRESS)"
+ - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/csi_sock
+ env:
+ - name: ADDRESS
+ value: /csi/csi_sock
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ volumeMounts:
+ - name: registration-dir
+ mountPath: /registration
+ - name: driver-path
+ mountPath: /csi
+ volumes:
+ - name: registration-dir
+ hostPath:
+ path: {{ .Values.kubeletConfigDir }}/plugins_registry/
+ type: DirectoryOrCreate
+ - name: driver-path
+ hostPath:
+ path: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+ type: DirectoryOrCreate
+ - name: volumedevices-path
+ hostPath:
+ path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+ type: DirectoryOrCreate
+ - name: pods-path
+ hostPath:
+ path: {{ .Values.kubeletConfigDir }}/pods
+ type: Directory
+ - name: dev
+ hostPath:
+ path: /dev
+ type: Directory
+ - name: noderoot
+ hostPath:
+ path: /
+ type: Directory
+ - name: certs
+ projected:
+ sources:
+{{- range $i, $e := until (int .Values.certSecretCount ) }}
+ - secret:
+ name: {{ print $releaseName "-certs-" $e }}
+ items:
+ - key: cert-{{ $e }}
+ path: cert-{{ $e }}
+{{- end }}
+ - name: unity-config
+ configMap:
+ name: {{ .Release.Name }}-config-params
+ - name: unity-secret
+ secret:
+ secretName: {{ .Release.Name }}-creds
+{{- if .Values.podmon.enabled }}
+ - name: usr-bin
+ hostPath:
+ path: /usr/bin
+ type: Directory
+ - name: kubelet-pods
+ hostPath:
+ path: {{ .Values.kubeletConfigDir }}/pods
+ type: Directory
+ - name: var-run
+ hostPath:
+ path: /var/run
+ type: Directory
+{{- end }}
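Review bot: The second rule of the node ClusterRole in charts/csi-unity/templates/node.yaml names `persistentvolumesclaims`, which is not a Kubernetes resource, so the rule grants nothing; it should read `resources: [ "persistentvolumeclaims" ]`, or be deleted if the node plugin never needs PVC access. The `storage.k8s.io` / `volumeattachments` rule is also listed twice with the same verbs. In the DaemonSet, the `driver` and `podmon` containers set `privileged: true` together with `capabilities.add: ["SYS_ADMIN"]` and `allowPrivilegeEscalation: true`; the last two add nothing under `privileged` and can be removed. The `noderoot` hostPath (`/`) is mounted without `readOnly`, and a short comment stating why write access to the host root is required would help whoever audits this pod spec.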
diff --git a/charts/csi-unity/values.yaml b/charts/csi-unity/values.yaml
new file mode 100644
index 00000000..5cca28ff
--- /dev/null
+++ b/charts/csi-unity/values.yaml
@@ -0,0 +1,247 @@
+## K8S/DRIVER ATTRIBUTES
+########################
+
+# version: version of this values file
+# Note: Do not change this value
+# Examples : "v2.7.0" , "nightly"
+version: "v2.7.0"
+
+# LogLevel is used to set the logging level of the driver.
+# Allowed values: "error", "warn"/"warning", "info", "debug"
+# Default value: "info"
+logLevel: "info"
+
+# certSecretCount: Represents number of certificate secrets, which user is going to create for
+# ssl authentication. (unity-cert-0..unity-cert-n)
+# Allowed values: n, where n > 0
+# Default value: None
+certSecretCount: 1
+
+# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container.
+# Allowed values:
+# Always: Always pull the image.
+# IfNotPresent: Only pull the image if it does not already exist on the node.
+# Never: Never pull the image.
+# Default value: IfNotPresent
+imagePullPolicy: Always
+
+# Specify kubelet config dir path.
+# Ensure that the config.yaml file is present at this path.
+# Default value: None
+kubeletConfigDir: /var/lib/kubelet
+
+# fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted.
+# Allowed values:
+# ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined
+# and the volume's accessModes contains ReadWriteOnce.
+# File: kubernetes may use fsGroup to change permissions and ownership of the volume
+# to match user requested fsGroup in the pod's security policy regardless of fstype or access mode.
+# None: volumes will be mounted with no modifications.
+# Default value: ReadWriteOnceWithFSType
+fsGroupPolicy: ReadWriteOnceWithFSType
+
+#To set nodeSelectors and tolerations for controller.
+# controller: configure controller pod specific parameters
+controller:
+ # controllerCount: defines the number of csi-unity controller pods to deploy to
+ # the Kubernetes release.
+ # Allowed values: n, where n > 0
+ # Default value: None
+ controllerCount: 2
+
+ # volumeNamePrefix: Prefix of PersistentVolume names created
+ # Allowed values: string
+ # Default value: None
+ volumeNamePrefix: csivol
+
+ snapshot:
+ # enabled: Enable/Disable volume snapshot feature
+ # Allowed values:
+ # true: enable volume snapshot feature(install snapshotter sidecar)
+ # false: disable volume snapshot feature(do not install snapshotter sidecar)
+ # Default value: None
+ enabled: true
+
+ # snapNamePrefix: Prefix to apply to the names of a created snapshots
+ # Allowed values: string
+ # Default value: None
+ snapNamePrefix: csi-snap
+
+ resizer:
+ # enabled: Enable/Disable volume expansion feature
+ # Allowed values:
+ # true: enable volume expansion feature(install resizer sidecar)
+ # false: disable volume snapshot feature(do not install resizer sidecar)
+ # Default value: None
+ enabled: true
+
+ # nodeSelector: Define node selection constraints for controller pods.
+ # For the pod to be eligible to run on a node, the node must have each
+ # of the indicated key-value pairs as labels.
+ # Leave as blank to consider all nodes
+ # Allowed values: map of key-value pairs
+ # Default value: None
+ nodeSelector:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # node-role.kubernetes.io/master: ""
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # node-role.kubernetes.io/control-plane: ""
+
+ # tolerations: Define tolerations for the controllers, if required.
+ # Leave as blank to install controller on worker nodes
+ # Default value: None
+ tolerations:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # - key: "node-role.kubernetes.io/master"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # - key: "node-role.kubernetes.io/control-plane"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+
+ healthMonitor:
+ # enabled: Enable/Disable health monitor of CSI volumes- volume state, volume condition
+ # Allowed values:
+ # true: enable checking of health condition of CSI volumes
+ # false: disable checking of health condition of CSI volumes
+ # Default value: None
+ enabled: false
+
+ # interval: Interval of monitoring volume health condition
+ # Allowed values: Number followed by unit of time (s,m,h)
+ # Default value: 60s
+ interval: 60s
+
+# node: configure node pod specific parameters
+node:
+ # dnsPolicy : Define the DNS Policy of the Node service.
+ # ClusterFirstWithHostNet is the recommended and default DNS policy for the driver.
+ # Prior to v1.6 of the driver, the default DNS policy was ClusterFirst.
+ # In certain scenarios, users might need to change the default dnsPolicy.
+ # Default value: None
+ dnsPolicy: "ClusterFirstWithHostNet"
+
+ healthMonitor:
+ # enabled: Enable/Disable health monitor of CSI Volumes - volume usage
+ # Allowed values:
+ # true: enable checking of health condition of CSI volumes
+ # false: disable checking of health condition of CSI volumes
+ # Default value: None
+ enabled: false
+
+ # nodeSelector: Define node selection constraints for node pods.
+ # For the pod to be eligible to run on a node, the node must have each
+ # of the indicated key-value pairs as labels.
+ # Leave as blank to consider all nodes
+ # Allowed values: map of key-value pairs
+ # Default value: None
+ nodeSelector:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # node-role.kubernetes.io/master: ""
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # node-role.kubernetes.io/control-plane: ""
+
+ # tolerations: Define tolerations for the node daemonset, if required.
+ # Default value: None
+ tolerations:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # - key: "node-role.kubernetes.io/master"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # - key: "node-role.kubernetes.io/control-plane"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # - key: "node.kubernetes.io/memory-pressure"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # - key: "node.kubernetes.io/disk-pressure"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # - key: "node.kubernetes.io/network-unavailable"
+ # operator: "Exists"
+ # effect: "NoExecute"
+ # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled
+ # - key: "offline.vxflexos.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "vxflexos.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "offline.unity.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "unity.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "offline.isilon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "isilon.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+
+# CSM module attributes
+# service to monitor failing jobs and notify
+podmon:
+ # enabled - flag to enable or disable podmon
+ # allowed values : boolean
+ # defaule value : None
+ # Examples : true , false
+ enabled: false
+ # image - image name
+ # allowed values - string
+ # default value : None
+ # Example : "podman:latest", "pod:latest"
+ image: dellemc/podmon:v1.6.0
+ controller:
+ args:
+ - "--csisock=unix:/var/run/csi/csi.sock"
+ - "--labelvalue=csi-unity"
+ - "--driverPath=csi-unity.dellemc.com"
+ - "--mode=controller"
+ - "--skipArrayConnectionValidation=false"
+ - "--driver-config-params=/unity-config/driver-config-params.yaml"
+ - "--driverPodLabelValue=dell-storage"
+ - "--ignoreVolumelessPods=false"
+ node:
+ args:
+ - "--csisock=unix:/var/lib/kubelet/plugins/unity.emc.dell.com/csi_sock"
+ - "--labelvalue=csi-unity"
+ - "--driverPath=csi-unity.dellemc.com"
+ - "--mode=node"
+ - "--leaderelection=false"
+ - "--driver-config-params=/unity-config/driver-config-params.yaml"
+ - "--driverPodLabelValue=dell-storage"
+ - "--ignoreVolumelessPods=false"
+
+### The below parameters have been discontinued for configuration from secret.yaml and will have to be configured only in values.yaml
+
+# syncNodeInfoInterval - Time interval to add node info to array. Default 15 minutes. Minimum value should be 1.
+# Allowed values: integer
+# Default value: 15
+# Examples : 0 , 2
+syncNodeInfoInterval: 15
+
+# allowRWOMultiPodAccess - Flag to enable sharing of volumes across multiple pods within the same node in RWO access mode.
+# Allowed values: boolean
+# Default value: "false"
+# Examples : "true" , "false"
+allowRWOMultiPodAccess: "false"
+
+# maxUnityVolumesPerNode - Maximum number of volumes that controller can publish to the node.
+# Allowed values: integer
+# Default value: 0
+# Examples : 0 , 1
+maxUnityVolumesPerNode: 0
+
+# tenantName - Tenant name that need to added while adding host entry to the array.
+# Allowed values: string
+# Default value: ""
+# Examples : "tenant2" , "tenant3"
+tenantName: ""
+
+images:
+ # "driver" defines the container image, used for the driver container.
+ driverRepository: dellemc
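Review bot: In charts/csi-unity/values.yaml, `podmon.node.args` hard-codes `--csisock=unix:/var/lib/kubelet/plugins/unity.emc.dell.com/csi_sock`, while node.yaml builds the driver socket path from `kubeletConfigDir`. On a cluster with a non-default kubelet directory the two will disagree, so the comment on `kubeletConfigDir` should say that this argument has to be changed with it, or the template should derive the path. The documentation comments also contradict the values in two places: `imagePullPolicy` is documented as `Default value: IfNotPresent` but set to `Always`, and `syncNodeInfoInterval` states a minimum of 1 while listing `0` as an example. `podmon.image` is referenced by tag only (`dellemc/podmon:v1.6.0`) and its comment block has typos (`defaule value`, `"podman:latest"`).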
diff --git a/charts/csi-vxflexos/Chart.yaml b/charts/csi-vxflexos/Chart.yaml
new file mode 100644
index 00000000..960d6e6e
--- /dev/null
+++ b/charts/csi-vxflexos/Chart.yaml
@@ -0,0 +1,20 @@
+apiVersion: v2
+appVersion: "2.7.0"
+name: csi-vxflexos
+version: "2.7.0"
+description: |
+ VxFlex OS CSI (Container Storage Interface) driver Kubernetes
+ integration. This chart includes everything required to provision via CSI as
+ well as a VxFlex OS StorageClass.
+kubeVersion: ">= 1.21.0 < 1.28.0"
+# If you are using a complex K8s version like "v1.21.3-mirantis-1", use this kubeVersion check instead
+# WARNING: this version of the check will allow the use of alpha and beta versions, which is NOT SUPPORTED
+# kubeVersion: ">= 1.21.0-0 < 1.28.0-0"
+keywords:
+- csi
+- storage
+maintainers:
+- name: DellEMC
+sources:
+- https://github.com/dell/csi-vxflexos
+
diff --git a/charts/csi-vxflexos/templates/_helpers.tpl b/charts/csi-vxflexos/templates/_helpers.tpl
new file mode 100644
index 00000000..63e654ea
--- /dev/null
+++ b/charts/csi-vxflexos/templates/_helpers.tpl
@@ -0,0 +1,50 @@ +{{/* +Return the appropriate sidecar images based on k8s version +*/}} +{{- define "csi-vxflexos.attacherImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-vxflexos.provisionerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-provisioner:v3.5.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-vxflexos.snapshotterImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-vxflexos.resizerImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-vxflexos.registrarImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le (trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.8.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "csi-vxflexos.healthmonitorImage" -}} + {{- if eq .Capabilities.KubeVersion.Major "1" }} + {{- if and (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "21") (le 
(trimSuffix "+" .Capabilities.KubeVersion.Minor) "27") -}} + {{- print "registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.9.0" -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/csi-vxflexos/templates/controller.yaml b/charts/csi-vxflexos/templates/controller.yaml new file mode 100644 index 00000000..8c4b4bef --- /dev/null +++ b/charts/csi-vxflexos/templates/controller.yaml 
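Review bot: The six sidecar helpers in this file each `print` an image reference pinned only by tag (for example `registry.k8s.io/sig-storage/csi-attacher:v4.3.0`), so the chart deploys whatever the registry serves under that tag at pull time. Appending the digest of the image that was actually validated, as in `{{- print "registry.k8s.io/sig-storage/csi-attacher:v4.3.0@sha256:<digest-of-validated-image>" -}}` (placeholder, not a real digest), makes the reference immutable. The version guard also compares `.Capabilities.KubeVersion.Minor` as a string with `ge`/`le`, which orders lexically; it holds for two-digit minors, but a comment saying so would help whoever next widens the range. Outside the 21–27 range each helper renders nothing, and the `required` calls in controller.yaml and node.yaml then report a missing image rather than an unsupported Kubernetes version.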
@@ -0,0 +1,442 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Release.Name }}-controller
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Release.Name }}-controller
+rules:
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+{{- if hasKey .Values "podmon" }}
+{{- if eq .Values.podmon.enabled true }}
+ verbs: ["get", "list", "watch", "patch"]
+{{- else }}
+ verbs: ["get", "list", "watch"]
+{{- end }}
+{{- end }}
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+{{- if hasKey .Values "podmon" }}
+{{- if eq .Values.podmon.enabled true }}
+ verbs: ["get", "list", "watch", "update", "patch", "delete"]
+{{- else }}
+ verbs: ["get", "list", "watch", "update", "patch"]
+{{- end }}
+{{- end }}
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+ - apiGroups: ["csi.storage.k8s.io"]
+ resources: ["csinodeinfos"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+{{- if hasKey .Values "podmon" }}
+{{- if eq .Values.podmon.enabled true }}
+ verbs: ["get", "list", "watch", "update", "delete"]
+{{- else }}
+ verbs: ["get", "list", "watch"]
+{{- end }}
+{{- end }} +# below for snapshotter + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +{{- if hasKey .Values "vgsnapshotter" }} +{{- if eq .Values.vgsnapshotter.enabled true }} + - apiGroups: ["volumegroup.storage.dell.com"] + resources: ["dellcsivolumegroupsnapshots","dellcsivolumegroupsnapshots/status"] + verbs: ["create", "list", "watch", "delete", "update"] +{{- end }} +{{- end }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] +{{- if hasKey .Values "vgsnapshotter" }} +{{- if eq .Values.vgsnapshotter.enabled true }} + verbs: ["get", "list", "watch", "update", "create", "delete"] +{{- else }} + verbs: ["get", "list", "watch", "update"] +{{- end }} +{{- end }} + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status","volumesnapshotcontents/status"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete", "update"] +{{- if hasKey .Values.controller "replication" }} +{{- if eq .Values.controller.replication.enabled true}} + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["replication.storage.dell.com"] + resources: ["dellcsireplicationgroups/status"] + verbs: ["get", "patch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "delete", "get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["create", "get", "list", "watch"] +{{- end}} +{{- end}} +--- +kind: ClusterRoleBinding +apiVersion: 
rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-controller +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-controller + apiGroup: rbac.authorization.k8s.io +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-controller + namespace: {{ .Release.Namespace }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: +{{- if gt (int .Values.controller.controllerCount) 1 }} + strategy: + rollingUpdate: + maxUnavailable: 1 +{{- end }} + selector: + matchLabels: + name: {{ .Release.Name }}-controller + replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }} + template: + metadata: + labels: + {{- if eq (.Values.vgsnapshotter.enabled| toString) "true" }} + vg-snapshotter-enabled: "true" + {{- else if eq (.Values.vgsnapshotter.enabled| toString) "false" }} + vg-snapshotter-enabled: "false" + {{- end }} + name: {{ .Release.Name }}-controller + spec: + affinity: + nodeSelector: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - {{ .Release.Name }}-controller + topologyKey: kubernetes.io/hostname + serviceAccountName: {{ .Release.Name }}-controller + {{- if .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml .Values.controller.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.controller.tolerations }} + tolerations: + {{- toYaml .Values.controller.tolerations | nindent 6 }} + {{- end }} + containers: +{{- if hasKey .Values "podmon" }} +{{- if eq .Values.podmon.enabled true }} + - name: podmon + image: {{ required "Must provide the podmon container image." 
.Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.controller.args | nindent 12 }} + env: + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: vxflexos-config-params + mountPath: /vxflexos-config-params +{{- end }} +{{- end }} + - name: attacher + image: {{ required "Must provide the CSI attacher container image." ( include "csi-vxflexos.attacherImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election=true" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: dell-csi-replicator + image: {{ required "Must provide the Dell CSI Replicator image." 
.Values.controller.replication.image}} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--leader-election=true" + - "--worker-threads=2" + - "--retry-interval-start=1s" + - "--retry-interval-max=300s" + - "--timeout=300s" + - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}" + - "--prefix={{ .Values.controller.replication.replicationPrefix}}" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + - name: X_CSI_REPLICATION_CONFIG_DIR + value: /vxflexos-config-params + - name: X_CSI_REPLICATION_CONFIG_FILE_NAME + value: driver-config-params.yaml + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: vxflexos-config-params + mountPath: /vxflexos-config-params + {{- end }} + {{- end }} + - name: provisioner + image: {{ required "Must provide the CSI provisioner container image." ( include "csi-vxflexos.provisionerImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--feature-gates=Topology=true" + - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}" + - "--volume-name-uuid-length=10" + - "--leader-election=true" + - "--timeout=120s" + - "--v=5" + - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}" + - "--extra-create-metadata" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true}} + - name: csi-external-health-monitor-controller + image: {{ required "Must provide the CSI external health monitor image." ( include "csi-vxflexos.healthmonitorImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election=true" + - "--enable-node-watcher=true" + - "--http-endpoint=:8080" + - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}" + - "--timeout=180s" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + {{- end }} + {{- end }} +{{- if hasKey .Values "vgsnapshotter" }} +{{- if eq .Values.vgsnapshotter.enabled true }} + - name: vg-snapshotter + image: {{ required "Must provide the vgsnapshotter container image." .Values.vgsnapshotter.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi +{{- end }} +{{- end }} +{{- if hasKey .Values.controller "snapshot" }} +{{- if eq .Values.controller.snapshot.enabled true }} + - name: snapshotter + image: {{ required "Must provide the CSI snapshotter container image. " ( include "csi-vxflexos.snapshotterImage" . ) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--timeout=120s" + - "--v=5" + - "--leader-election=true" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi +{{- end }} +{{- end }} +{{- if hasKey .Values.controller "resizer" }} +{{- if eq .Values.controller.resizer.enabled true }} + - name: resizer + image: {{ required "Must provide the CSI resizer container image." ( include "csi-vxflexos.resizerImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--csi-address=$(ADDRESS)" + - "--v=5" + - "--leader-election=true" + env: + - name: ADDRESS + value: /var/run/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi +{{- end }} +{{- end }} +{{- if hasKey .Values "authorization" }} +{{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powerflex + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: vxflexos-config-params + mountPath: /etc/karavi-authorization +{{- end }} +{{- end }} + - name: driver + image: "{{ required "Must provide the driver image repository." 
.Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-vxflexos.sh" ] + args: + - "--leader-election" + - "--array-config=/vxflexos-config/config" + - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" + env: + - name: CSI_ENDPOINT + value: /var/run/csi/csi.sock + - name: X_CSI_MODE + value: controller + - name: X_CSI_VXFLEXOS_ENABLESNAPSHOTCGDELETE + value: "{{ required "Enable this to allow deletion of all snaps in CG" .Values.enablesnapshotcgdelete }}" + - name: X_CSI_VXFLEXOS_ENABLELISTVOLUMESNAPSHOT + value: "{{ required "Enable this to have CSI ListVolumes include snapshots" .Values.enablelistvolumesnapshot }}" + - name: SSL_CERT_DIR + value: /certs + {{- if hasKey .Values.controller "replication" }} + {{- if eq .Values.controller.replication.enabled true}} + - name: X_CSI_REPLICATION_CONTEXT_PREFIX + value: {{ .Values.controller.replication.replicationContextPrefix | default "powerflex"}} + - name: X_CSI_REPLICATION_PREFIX + value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}} + {{- end }} + {{- end }} + {{- if hasKey .Values.controller "healthMonitor" }} + {{- if eq .Values.controller.healthMonitor.enabled true}} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.controller.healthMonitor.enabled }}" + {{- end }} + {{- end }} + volumeMounts: + - name: socket-dir + mountPath: /var/run/csi + - name: vxflexos-config + mountPath: /vxflexos-config + - name: vxflexos-config-params + mountPath: /vxflexos-config-params +{{- if ge (int .Values.certSecretCount) 1 }} + - name: certs + mountPath: /certs + readOnly: true +{{- end}} + volumes: + - name: socket-dir + emptyDir: + - name: vxflexos-config + secret: + secretName: {{ .Release.Name }}-config + - name: vxflexos-config-params + configMap: + name: {{ .Release.Name }}-config-params + {{- if hasKey .Values "authorization" }} + {{- if eq 
.Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate + {{ end }} + {{ end }} +{{- if ge (int .Values.certSecretCount) 1 }} + - name: certs + projected: + sources: +{{- range $i, $e := until (int .Values.certSecretCount ) }} + - secret: + name: {{ print $.Release.Name "-certs-" $e }} + items: + - key: cert-{{ $e }} + path: cert-{{ $e }} +{{- end }} +{{- end }} diff --git a/charts/csi-vxflexos/templates/csidriver.yaml b/charts/csi-vxflexos/templates/csidriver.yaml new file mode 100644 index 00000000..f8aac725 --- /dev/null +++ b/charts/csi-vxflexos/templates/csidriver.yaml @@ -0,0 +1,11 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: csi-vxflexos.dellemc.com +spec: + fsGroupPolicy: {{ .Values.fsGroupPolicy }} + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/charts/csi-vxflexos/templates/driver-config-params.yaml b/charts/csi-vxflexos/templates/driver-config-params.yaml new file mode 100644 index 00000000..0129cac5 --- /dev/null +++ b/charts/csi-vxflexos/templates/driver-config-params.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-params + namespace: {{ .Release.Namespace }} +data: + driver-config-params.yaml: | + CSI_LOG_LEVEL: "{{ .Values.logLevel }}" + CSI_LOG_FORMAT: "{{ .Values.logFormat }}" + {{ if .Values.podmon.enabled }} + PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" + PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}" + PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" + PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}" + {{ end }} diff --git a/charts/csi-vxflexos/templates/node.yaml b/charts/csi-vxflexos/templates/node.yaml new file mode 100644 index 00000000..2ba5d3c6 --- /dev/null +++ b/charts/csi-vxflexos/templates/node.yaml 
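Review bot: In the controller ClusterRole, the rules for `nodes`, `volumeattachments`, `pods` and `volumesnapshots` emit their `verbs:` line only inside `{{- if hasKey .Values "podmon" }}` (or `"vgsnapshotter"`), so a values file without that key renders a rule with no verbs at all. Giving the outer guard its own fallback, an `{{- else }}` followed by the same `verbs:` line as the inner else branch, keeps each rule well-formed. Separately, this role is bound cluster-wide and carries `secrets` get/list plus create/delete/update on `customresourcedefinitions`; it is worth confirming which sidecar still needs the CRD write verbs and dropping them if none does. The containers in the Deployment also set no `securityContext`, so `allowPrivilegeEscalation: false` on the sidecars would be a cheap addition if the images run with it.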
@@ -0,0 +1,406 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["create", "delete", "get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["persistentvolumesclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["security.openshift.io"] + resourceNames: ["privileged"] + resources: ["securitycontextconstraints"] + verbs: ["use"] +{{- if hasKey .Values "podmon" }} +{{- if eq .Values.podmon.enabled true }} + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch", "update", "delete"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +{{ end }} +{{ end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ .Release.Name }}-node +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Name }}-node + apiGroup: rbac.authorization.k8s.io +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ .Release.Name }}-node + namespace: {{ .Release.Namespace }} + {{- if hasKey .Values "authorization" }} + {{- if eq .Values.authorization.enabled 
true }} + annotations: + com.dell.karavi-authorization-proxy: "true" + {{ end }} + {{ end }} +spec: + selector: + matchLabels: + app: {{ .Release.Name }}-node + template: + metadata: + labels: + app: {{ .Release.Name }}-node +{{- if eq .Values.podmon.enabled true }} + driver.dellemc.com: dell-storage +{{- end }} + spec: + {{- if .Values.node.nodeSelector }} + nodeSelector: + {{- toYaml .Values.node.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.node.tolerations }} + tolerations: + {{- toYaml .Values.node.tolerations | nindent 6 }} + {{- end }} + serviceAccount: {{ .Release.Name }}-node + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + {{- if and .Values.monitor.enabled .Values.monitor.hostPID }} + hostPID: true + {{- else }} + hostPID: false + {{- end }} + containers: +{{- if hasKey .Values "podmon" }} +{{- if eq .Values.podmon.enabled true }} + - name: podmon + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: {{ required "Must provide the podmon container image." 
.Values.podmon.image }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + {{- toYaml .Values.podmon.node.args | nindent 12 }} + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: X_CSI_PRIVATE_MOUNT_DIR + value: "{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/disks" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: kubelet-pods + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com + mountPropagation: "Bidirectional" + - name: usr-bin + mountPath: /usr-bin + - name: var-run + mountPath: /var/run + - name: vxflexos-config-params + mountPath: /vxflexos-config-params +{{- end }} +{{- end }} +{{- if hasKey .Values "authorization" }} +{{- if eq .Values.authorization.enabled true }} + - name: karavi-authorization-proxy + image: {{ required "Must provide the authorization sidecar container image." 
.Values.authorization.sidecarProxyImage }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: PROXY_HOST + value: "{{ .Values.authorization.proxyHost }}" + - name: SKIP_CERTIFICATE_VALIDATION + value: "{{ .Values.authorization.skipCertificateValidation }}" + - name: PLUGIN_IDENTIFIER + value: powerflex + - name: ACCESS_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: access + - name: REFRESH_TOKEN + valueFrom: + secretKeyRef: + name: proxy-authz-tokens + key: refresh + volumeMounts: + - name: karavi-authorization-config + mountPath: /etc/karavi-authorization/config + - name: proxy-server-root-certificate + mountPath: /etc/karavi-authorization/root-certificates + - name: vxflexos-config-params + mountPath: /etc/karavi-authorization +{{ end }} +{{ end }} + - name: driver + securityContext: + privileged: true + allowPrivilegeEscalation: true + capabilities: + add: ["SYS_ADMIN"] + image: "{{ required "Must provide the driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }}" + imagePullPolicy: {{ .Values.imagePullPolicy }} + command: [ "/csi-vxflexos.sh" ] + args: + - "--array-config=/vxflexos-config/config" + - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" + env: + - name: CSI_ENDPOINT + value: unix://{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/csi_sock + - name: X_CSI_MODE + value: node + - name: X_CSI_PRIVATE_MOUNT_DIR + value: "{{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/disks" + - name: X_CSI_ALLOW_RWO_MULTI_POD_ACCESS + value: "{{ required "Must provide a true/false string to allow RWO multi pod access." 
.Values.allowRWOMultiPodAccess }}" + - name: SSL_CERT_DIR + value: /certs + {{- if hasKey .Values.node "healthMonitor" }} + - name: X_CSI_HEALTH_MONITOR_ENABLED + value: "{{ .Values.node.healthMonitor.enabled }}" + {{- end }} + {{- if hasKey .Values.node "approveSDC" }} + - name: X_CSI_APPROVE_SDC_ENABLED + value: "{{ .Values.node.approveSDC.enabled }}" + {{- end }} + {{- if hasKey .Values.node "renameSDC" }} + - name: X_CSI_RENAME_SDC_ENABLED + value: "{{ .Values.node.renameSDC.enabled }}" + {{- if eq .Values.node.renameSDC.enabled true }} + - name: X_CSI_RENAME_SDC_PREFIX + value: "{{ .Values.node.renameSDC.prefix }}" + {{- end }} + {{- end }} + volumeMounts: + - name: driver-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com + - name: volumedevices-path + mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + mountPropagation: "Bidirectional" + - name: pods-path + mountPath: {{ .Values.kubeletConfigDir }}/pods + mountPropagation: "Bidirectional" + - name: dev + mountPath: /dev + - name: vxflexos-config + mountPath: /vxflexos-config + - name: vxflexos-config-params + mountPath: /vxflexos-config-params +{{- if ge (int .Values.certSecretCount) 1 }} + - name: certs + mountPath: /certs + readOnly: true +{{- end}} + - name: registrar + image: {{ required "Must provide the CSI registrar container image." ( include "csi-vxflexos.registrarImage" . 
) }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com/csi_sock + env: + - name: ADDRESS + value: /csi/csi_sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + volumeMounts: + - name: registration-dir + mountPath: /registration + - name: driver-path + mountPath: /csi + {{- if eq .Values.monitor.enabled true }} + - name: sdc-monitor + securityContext: + privileged: true + image: {{ required "Must provide the PowerFlex SDC container image." .Values.images.powerflexSdc }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + {{ if eq .Values.monitor.hostPID true }} + - name: HOST_PID + value: "1" + {{ else }} + - name: HOST_PID + value: "0" + {{ end }} + - name: HOST_NET + value: "1" + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MDM + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-config + key: MDM + - name: MODE + value: "monitoring" + volumeMounts: + - name: dev + mountPath: /dev + - name: os-release + mountPath: /host-os-release + - name: sdc-storage + mountPath: /storage + - name: udev-d + mountPath: /rules.d + {{- end }} + initContainers: + - name: sdc + securityContext: + privileged: true + image: {{ required "Must provide the PowerFlex SDC container image." 
.Values.images.powerflexSdc }} + imagePullPolicy: {{ .Values.imagePullPolicy }} + env: + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MODE + value: "config" + - name: MDM + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-config + key: MDM + - name: HOST_DRV_CFG_PATH + value: /opt/emc/scaleio/sdc/bin + volumeMounts: + - name: dev + mountPath: /dev + - name: os-release + mountPath: /host-os-release + - name: sdc-storage + mountPath: /storage + - name: udev-d + mountPath: /rules.d + - name: scaleio-path-opt + mountPath: /host_drv_cfg_path + volumes: + - name: registration-dir + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins_registry/ + type: DirectoryOrCreate + - name: driver-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/vxflexos.emc.dell.com + type: DirectoryOrCreate + - name: volumedevices-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices + type: DirectoryOrCreate + - name: pods-path + hostPath: + path: {{ .Values.kubeletConfigDir }}/pods + type: Directory + - name: dev + hostPath: + path: /dev + type: Directory + - name: scaleio-path-opt + hostPath: + path: /opt/emc/scaleio/sdc/bin + type: DirectoryOrCreate + - name: sdc-storage + hostPath: + path: /var/emc-scaleio + type: DirectoryOrCreate + - name: udev-d + hostPath: + path: /etc/udev/rules.d + type: Directory + - name: os-release + hostPath: + path: /etc/os-release + type: File + - name: vxflexos-config + secret: + secretName: {{ .Release.Name }}-config + - name: vxflexos-config-params + configMap: + name: {{ .Release.Name }}-config-params +{{- if ge (int .Values.certSecretCount) 1 }} + - name: certs + projected: + sources: +{{- range $i, $e := until (int .Values.certSecretCount ) }} + - secret: + name: {{ print $.Release.Name "-certs-" $e }} + items: + - key: cert-{{ $e }} + path: cert-{{ $e }} +{{- end }} +{{- end }} +{{- if hasKey .Values "authorization" }} +{{- if eq 
.Values.authorization.enabled true }} + - name: karavi-authorization-config + secret: + secretName: karavi-authorization-config + - name: proxy-server-root-certificate + secret: + secretName: proxy-server-root-certificate +{{ end }} +{{ end }} +{{- if hasKey .Values "podmon" }} +{{- if eq .Values.podmon.enabled true }} + - name: usr-bin + hostPath: + path: /usr/bin + type: Directory + - name: kubelet-pods + hostPath: + path: /var/lib/kubelet/pods + type: Directory + - name: var-run + hostPath: + path: /var/run + type: Directory +{{- end }} +{{- end }} diff --git a/charts/csi-vxflexos/values.yaml b/charts/csi-vxflexos/values.yaml new file mode 100644 index 00000000..ec5c6dd6 --- /dev/null +++ b/charts/csi-vxflexos/values.yaml 
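Review bot: The second rule of the node ClusterRole names the resource `persistentvolumesclaims`, which matches no Kubernetes resource, so the rule grants nothing; it should read `resources: ["persistentvolumeclaims"]` if the node plugin really needs those verbs, or be removed if it does not. The `volumeattachments` rule also appears twice with identical verbs. In the podmon volumes, `kubelet-pods` uses the fixed host path `/var/lib/kubelet/pods` while its mount path and the driver's `pods-path` volume use `{{ .Values.kubeletConfigDir }}/pods`, so a non-default kubelet directory would leave the two out of step; `path: {{ .Values.kubeletConfigDir }}/pods` would match. The podmon container is `privileged: true` and mounts the host's `/usr/bin` and `/var/run`; if podmon only reads from `/usr/bin`, adding `readOnly: true` to that mount states the intent and prevents accidental writes to host binaries.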
@@ -0,0 +1,323 @@
+---
+# k8s/driver attributes
+
+# "version" is used to verify the values file matches driver version
+# Not recommend to change
+version: v2.7.0
+
+images:
+ # "driver" defines the container image, used for the driver container.
+ driverRepository: dellemc
+
+ # "powerflexSdc" defines the SDC image for init container.
+ powerflexSdc: dellemc/sdc:3.6.0.6
+
+
+# Represents number of certificate secrets, which user is going to create for ssl authentication. (vxflexos-cert-0..vxflexos-cert-n)
+# If user does not use certificate, set to 0
+certSecretCount: 0
+
+# CSI driver log level
+# Allowed values: "error", "warn"/"warning", "info", "debug"
+# Default value: "debug"
+logLevel: "debug"
+
+# CSI driver log format
+# Allowed values: "TEXT" or "JSON"
+# Default value: "TEXT"
+logFormat: "TEXT"
+
+# Specify kubelet config dir path.
+# Ensure that the config.yaml file is present at this path.
+# Default value: None
+kubeletConfigDir: /var/lib/kubelet
+
+# "defaultFsType" is used to set the default FS type which will be used
+# for mount volumes if FsType is not specified in the storage class
+# Allowed values: ext4, xfs
+# Default value: none
+defaultFsType: ext4
+
+# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container.
+# Allowed values:
+# Always: Always pull the image.
+# IfNotPresent: Only pull the image if it does not already exist on the node.
+# Never: Never pull the image.
+# Default value: None
+imagePullPolicy: IfNotPresent
+
+# "enablesnapshotcgdelete"- a boolean that, when enabled, will delete all snapshots in a consistency group
+# everytime a snap in the group is deleted
+# Allowed values: true, false
+# Default value: none
+enablesnapshotcgdelete: "false"
+
+# "enablelistvolumesnapshot" - a boolean that, when enabled, will allow list volume operation to include snapshots (since creating a volume
+# from a snap actually results in a new snap)
+# It is recommend this be false unless instructed otherwise.
+# Allowed values: true, false
+# Default value: none
+enablelistvolumesnapshot: "false"
+
+# Setting allowRWOMultiPodAccess to "true" will allow multiple pods on the same node
+# to access the same RWO volume. This behavior conflicts with the CSI specification version 1.3
+# NodePublishVolume descrition that requires an error to be returned in this case.
+# However some other CSI drivers support this behavior and some customers desire this behavior.
+# Kubernetes could make a change at their discretion that would preclude our ability to support this option.
+# Customers use this option at their own risk.
+# You should leave this set as "false" unless instructed to change it by Dell support.
+# Allowed values: true, false
+# Default value: "false"
+allowRWOMultiPodAccess: "false"
+
+# fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted.
+# Allowed values:
+# ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined
+# and the volume's accessModes contains ReadWriteOnce.
+# File: kubernetes may use fsGroup to change permissions and ownership of the volume
+# to match user requested fsGroup in the pod's security policy regardless of fstype or access mode.
+# None: volumes will be mounted with no modifications.
+fsGroupPolicy: File
+
+# "controller" allows to configure controller specific parameters
+controller:
+
+ # replication: allows to configure replication
+ # Replication CRDs must be installed before installing driver
+ replication:
+ # enabled: Enable/Disable replication feature
+ # Allowed values:
+ # true: enable replication feature(install dell-csi-replicator sidecar)
+ # false: disable replication feature(do not install dell-csi-replicator sidecar)
+ # Default value: false
+ enabled: false
+
+ # image: Image to use for dell-csi-replicator. This shouldn't be changed
+ # Allowed values: string
+ # Default value: None
+ image: dellemc/dell-csi-replicator:v1.5.0
+
+ # replicationContextPrefix: prefix to use for naming of resources created by replication feature
+ # Allowed values: string
+ # Default value: powerflex
+ replicationContextPrefix: "powerflex"
+
+ # replicationPrefix: prefix to prepend to storage classes parameters
+ # Allowed values: string
+ # Default value: replication.storage.dell.com
+ replicationPrefix: "replication.storage.dell.com"
+
+ healthMonitor:
+ # enabled: Enable/Disable health monitor of CSI volumes
+ # Allowed values:
+ # true: enable checking of health condition of CSI volumes
+ # false: disable checking of health condition of CSI volumes
+ # Default value: None
+ enabled: false
+
+ # interval: Interval of monitoring volume health condition
+ # Allowed values: Number followed by unit (s,m,h)
+ # Examples: 60s, 5m, 1h
+ # Default value: 60s
+ interval: 60s
+
+ # volumeNamePrefix- defines a string prepended to each volume created by the CSI driver.
+ # Default value: none
+ # Examples: "k8s", "app1"
+ volumeNamePrefix: k8s
+
+ # "controllerCount" defines the number of VxFlex controller pods to deploy
+ # Allowed values: n, where n > 0
+ # Default value: none
+ controllerCount: 2
+
+ snapshot:
+ # enabled: Enable/Disable volume snapshot feature
+ # Allowed values:
+ # true: enable volume snapshot feature(install snapshotter sidecar)
+ # false: disable volume snapshot feature(do not install snapshotter sidecar)
+ # Default value: None
+ enabled: true
+
+ resizer:
+ # enabled: Enable/Disable volume expansion feature
+ # Allowed values:
+ # true: enable volume expansion feature(install resizer sidecar)
+ # false: disable volume snapshot feature(do not install resizer sidecar)
+ # Default value: None
+ enabled: true
+
+ #"controller.nodeSelector" defines what nodes would be selected for pods of controller deployment
+ # Leave as blank to use all nodes
+ # Allowed values: map of key-value pairs
+ # Default value: None
+ # Examples:
+ # node-role.kubernetes.io/control-plane: ""
+ nodeSelector:
+ # node-role.kubernetes.io/control-plane: ""
+
+ # "controller.tolerations" defines tolerations that would be applied to controller deployment
+ # Leave as blank to install controller on worker nodes
+ # Default value: None
+ tolerations:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # - key: "node-role.kubernetes.io/master"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # - key: "node-role.kubernetes.io/control-plane"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+
+# "node" allows to configure node specific parameters
+node:
+ healthMonitor:
+ # enabled: Enable/Disable health monitor of CSI volumes- volume usage, volume condition
+ # Allowed values:
+ # true: enable checking of health condition of CSI volumes
+ # false: disable checking of health condition of CSI volumes
+ # Default value: None
+ enabled: false
+
+ # "node.nodeSelector" defines what nodes would be selected for pods of node daemonset
+ # Leave as blank to use all nodes
+ # Allowed values: map of key-value pairs
+ # Default value: None
+ # Examples:
+ # node-role.kubernetes.io/control-plane: ""
+ nodeSelector:
+ # node-role.kubernetes.io/control-plane: ""
+
+ # "node.tolerations" defines tolerations that would be applied to node daemonset
+ # Leave as blank to install node driver only on worker nodes
+ # Default value: None
+ tolerations:
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+ # - key: "node-role.kubernetes.io/master"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+ # - key: "node-role.kubernetes.io/control-plane"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # Uncomment if CSM for Resiliency and CSI Driver pods monitor is enabled
+ # - key: "offline.vxflexos.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "vxflexos.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "offline.unity.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "unity.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "offline.isilon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+ # - key: "isilon.podmon.storage.dell.com"
+ # operator: "Exists"
+ # effect: "NoSchedule"
+
+ # "renameSDC" defines the rename operation for SDC
+ # Default value: None
+ renameSDC:
+ # enabled: Enable/Disable rename of SDC
+ # Allowed values:
+ # true: enable renaming
+ # false: disable renaming
+ # Default value: "false"
+ enabled: false
+ # "prefix" defines a string for prefix of the SDC name.
+ # "prefix" + "worker_node_hostname" should not exceed 31 chars.
+ # Default value: none
+ # Examples: "rhel-sdc", "sdc-test"
+ prefix: "sdc-test"
+
+ # "approveSDC" defines the approve operation for SDC
+ # Default value: None
+ approveSDC:
+ # enabled: Enable/Disable SDC approval
+ #Allowed values:
+ # true: Driver will attempt to approve restricted SDC by GUID during setup
+ # false: Driver will not attempt to approve restricted SDC by GUID during setup
+ # Default value: false
+ enabled: false
+
+# monitoring pod details
+# These options control the running of the monitoring container
+# This container gather diagnostic information in case of failure
+monitor:
+ # enabled allows the usage of the monitoring pod to be disabled
+ # Allowed values: true, false
+ # Default value: "false"
+ enabled: false
+
+ # hostNetwork determines if the monitor pod should run on the host network or not
+ # Allowed values: true, false
+ # Default value: "false"
+ hostNetwork: true
+
+ # hostPID determines if the monitor pod should run in the host namespace
+ # Allowed values: true, false
+ # Default value: "false"
+ hostPID: true
+
+
+# CSM module attributes
+
+# volume group snapshotter(vgsnapshotter) details
+# These options control the running of the vgsnapshotter container
+vgsnapshotter:
+ enabled: false
+ image: dellemc/csi-volumegroup-snapshotter:v1.2.0
+
+# Podmon is an optional feature under development and tech preview.
+# Enable this feature only after contact support for additional information
+podmon:
+ enabled: false
+ image: dellemc/podmon:v1.6.0
+ #controller:
+ # args:
+ # - "--csisock=unix:/var/run/csi/csi.sock"
+ # - "--labelvalue=csi-vxflexos"
+ # - "--mode=controller"
+ # - "--skipArrayConnectionValidation=false"
+ # - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml"
+ # - "--driverPodLabelValue=dell-storage"
+ # - "--ignoreVolumelessPods=false"
+ #node:
+ # args:
+ # - "--csisock=unix:/var/lib/kubelet/plugins/vxflexos.emc.dell.com/csi_sock"
+ # - "--labelvalue=csi-vxflexos"
+ # - "--mode=node"
+ # - "--leaderelection=false"
+ # - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml"
+ # - "--driverPodLabelValue=dell-storage"
+ # - "--ignoreVolumelessPods=false"
+
+# CSM module attributes
+# authorization: enable csm-authorization for RBAC
+# Deploy and configure authorization before installing driver
+# Allowed values:
+# "true" - authorization is enabled
+# "false" - authorization is disabled
+# Default value: "false"
+authorization:
+ enabled: false
+
+ # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
+ # Default value: dellemc/csm-authorization-sidecar:v1.7.0
+ sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0
+
+ # proxyHost: hostname of the csm-authorization server
+ # Default value: None
+ proxyHost:
+
+ # skipCertificateValidation: certificate validation of the csm-authorization server
+ # Allowed Values:
+ # "true" - TLS certificate verification will be skipped
+ # "false" - TLS certificate will be verified
+ # Default value: "true"
+ skipCertificateValidation: true
diff --git a/charts/csm-application-mobility/values.yaml b/charts/csm-application-mobility/values.yaml
index 5e091edb..456c5853 100644
--- a/charts/csm-application-mobility/values.yaml
+++ b/charts/csm-application-mobility/values.yaml
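Review bot: In the new charts/csi-vxflexos/values.yaml, `authorization.skipCertificateValidation: true` is the shipped default, so turning on `authorization.enabled` without touching this key leaves the sidecar's connection to the csm-authorization server without TLS certificate verification. Defaulting to `skipCertificateValidation: false` (and updating the `# Default value: "true"` comment to match) makes verification something an operator has to opt out of. The `monitor` block has a related mismatch: the comments give "false" as the default for `hostNetwork` and `hostPID`, but both are set to `true`, so enabling the monitor pod puts it in the host network and PID namespaces unless the operator also overrides them; either the values or the comments should be corrected.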
@@ -79,6 +79,3 @@ velero: # volumeMounts: # - mountPath: /target # name: plugins - -# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it -# namespace: diff --git a/charts/csm-authorization/Chart.yaml b/charts/csm-authorization/Chart.yaml index a2ac7f6f..f4d8cc0c 100644 --- a/charts/csm-authorization/Chart.yaml +++ b/charts/csm-authorization/Chart.yaml @@ -1,12 +1,12 @@ apiVersion: v2 name: csm-authorization -version: 1.6.0 -appVersion: 1.6.0 +version: 1.7.0 +appVersion: 1.7.0 type: application description: CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. dependencies: - name: cert-manager - version: 1.6.1 + version: 1.11.0 repository: https://charts.jetstack.io condition: cert-manager.enabled - name: ingress-nginx diff --git a/charts/csm-authorization/templates/NOTES.txt b/charts/csm-authorization/templates/NOTES.txt index a364e366..af981ed2 100644 --- a/charts/csm-authorization/templates/NOTES.txt +++ b/charts/csm-authorization/templates/NOTES.txt @@ -10,14 +10,6 @@ LoadBalancer host rules for proxy-server: - {{ .Values.authorization.hostname }} - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local -LoadBalancer host rules for tenant-service: -- tenant.{{ .Values.authorization.hostname }} - -LoadBalancer host rules for role-service: -- role.{{ .Values.authorization.hostname }} - -LoadBalancer host rules for storage-service: -- storage.{{ .Values.authorization.hostname }} - authorization.proxyHost value for a CSI Driver examples: - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) + 
diff --git a/charts/csm-authorization/templates/certificate.yaml b/charts/csm-authorization/templates/certificate.yaml index 95dbef5b..70a5ec36 100644 --- a/charts/csm-authorization/templates/certificate.yaml +++ b/charts/csm-authorization/templates/certificate.yaml @@ -52,29 +52,11 @@ spec: - karavi-auth - karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local - {{ .Values.authorization.hostname }} - - tenant.{{ .Values.authorization.hostname }} - - role.{{ .Values.authorization.hostname }} - - storage.{{ .Values.authorization.hostname }} {{- if .Values.authorization.proxyServerIngress.hosts }} {{- range .Values.authorization.proxyServerIngress.hosts }} - {{ tpl . $}} {{- end }} {{- end}} - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} issuerRef: name: selfsigned kind: Issuer diff --git a/charts/csm-authorization/templates/ingress.yaml b/charts/csm-authorization/templates/ingress.yaml index b10cfbe1..c4e7271c 100644 --- a/charts/csm-authorization/templates/ingress.yaml +++ b/charts/csm-authorization/templates/ingress.yaml 
@@ -49,159 +49,3 @@ spec: number: 8080 {{- end }} {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: tenant-service - namespace: {{ include "custom.namespace" . }} - annotations: - {{- if .Values.authorization.tenantServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.tenantServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.tenantServiceIngress.ingressClassName }} - tls: - - hosts: - - tenant.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: tenant.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: tenant-service - port: - number: 50051 - {{- if .Values.authorization.tenantServiceIngress.hosts }} - {{- range .Values.authorization.tenantServiceIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: tenant-service - port: - number: 50051 - {{- end }} - {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: role-service - namespace: {{ include "custom.namespace" . 
}} - annotations: - {{- if .Values.authorization.roleServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.roleServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.roleServiceIngress.ingressClassName }} - tls: - - hosts: - - role.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - {{ tpl . $}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: role.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: role-service - port: - number: 50051 - {{- if .Values.authorization.roleServiceIngress.hosts }} - {{- range .Values.authorization.roleServiceIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: role-service - port: - number: 50051 - {{- end}} - {{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: storage-service - namespace: {{ include "custom.namespace" . }} - annotations: - {{- if .Values.authorization.storageServiceIngress.annotations }} - {{- range $key, $value := .Values.authorization.storageServiceIngress.annotations }} - {{ $key }}: {{ tpl $value $ | quote }} - {{- end }} - {{- end }} -spec: - ingressClassName: {{ .Values.authorization.storageServiceIngress.ingressClassName }} - tls: - - hosts: - - storage.{{ .Values.authorization.hostname }} - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - {{ tpl . 
$}} - {{- end }} - {{- end}} - {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} - secretName: user-provided-tls - {{- else }} - secretName: karavi-selfsigned-tls - {{- end}} - rules: - - host: storage.{{ .Values.authorization.hostname }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: storage-service - port: - number: 50051 - {{- if .Values.authorization.storageServiceIngress.hosts }} - {{- range .Values.authorization.storageServiceIngress.hosts }} - - host: {{ tpl . $}} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: storage-service - port: - number: 50051 - {{- end}} - {{- end}} diff --git a/charts/csm-authorization/templates/policies.yaml b/charts/csm-authorization/templates/policies.yaml index e0af3a8b..838f7965 100644 --- a/charts/csm-authorization/templates/policies.yaml +++ b/charts/csm-authorization/templates/policies.yaml @@ -42,7 +42,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: volumes-unmap - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} data: {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} --- @@ -50,6 +50,6 @@ apiVersion: v1 kind: ConfigMap metadata: name: sdc-approve - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} data: - {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} \ No newline at end of file + {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} diff --git a/charts/csm-authorization/templates/proxy-server.yaml b/charts/csm-authorization/templates/proxy-server.yaml index 2e76dcf7..a780ed46 100644 --- a/charts/csm-authorization/templates/proxy-server.yaml +++ b/charts/csm-authorization/templates/proxy-server.yaml 
@@ -61,10 +61,10 @@ spec: image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService }} imagePullPolicy: Always args: - - "--redis-host=redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379" - - "--tenant-service=tenant-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051" - - "--role-service=role-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051" - - "--storage-service=storage-service.{{ include "custom.namespace" . }}.svc.cluster.local:50051" + - "--redis-host=redis.{{ .Release.Namespace }}.svc.cluster.local:6379" + - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" + - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" ports: - containerPort: 8080 volumeMounts: diff --git a/charts/csm-authorization/templates/storage-service.yaml b/charts/csm-authorization/templates/storage-service.yaml index 88a6e932..16672639 100644 --- a/charts/csm-authorization/templates/storage-service.yaml +++ b/charts/csm-authorization/templates/storage-service.yaml @@ -11,7 +11,7 @@ metadata: rules: - apiGroups: [""] resources: ["secrets"] - verbs: ["get", "patch"] + verbs: ["get", "patch","post"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -57,12 +57,17 @@ spec: volumeMounts: - name: storage-volume mountPath: /etc/karavi-authorization/storage + - name: config-volume + mountPath: /etc/karavi-authorization/config - name: csm-config-params mountPath: /etc/karavi-authorization/csm-config-params volumes: - name: storage-volume secret: secretName: karavi-storage-secret + - name: config-volume + secret: + secretName: karavi-config-secret - name: csm-config-params configMap: name: csm-config-params diff --git a/charts/csm-authorization/values.yaml b/charts/csm-authorization/values.yaml index 6beb5c71..22f83d7b 100644 
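Review bot: In charts/csm-authorization/templates/storage-service.yaml, `"post"` in `verbs: ["get", "patch","post"]` is an HTTP method rather than a Kubernetes RBAC verb, so the added entry grants nothing; if the storage service needs to create Secrets the verb is `create`, i.e. `verbs: ["get", "patch", "create"]`. The rule covers `secrets` with no `resourceNames`, and the context line after it starts a `ClusterRoleBinding`, so the access appears to be cluster-wide (the role header is above the hunk, so its kind is inferred). A namespaced Role and RoleBinding, with `get`/`patch` limited by `resourceNames` to the secrets this file mounts (`karavi-storage-secret`, and `karavi-config-secret` added in the next hunk), would keep the service account from reading or patching unrelated Secrets.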
--- a/charts/csm-authorization/values.yaml +++ b/charts/csm-authorization/values.yaml @@ -11,16 +11,15 @@ cert-manager: authorization: # images to use in installation images: - proxyService: dellemc/csm-authorization-proxy:v1.6.0 - tenantService: dellemc/csm-authorization-tenant:v1.6.0 - roleService: dellemc/csm-authorization-role:v1.6.0 - storageService: dellemc/csm-authorization-storage:v1.6.0 + proxyService: dellemc/csm-authorization-proxy:v1.7.0 + tenantService: dellemc/csm-authorization-tenant:v1.7.0 + roleService: dellemc/csm-authorization-role:v1.7.0 + storageService: dellemc/csm-authorization-storage:v1.7.0 opa: openpolicyagent/opa opaKubeMgmt: openpolicyagent/kube-mgmt:0.11 # base hostname for the ingress rules that expose the services # the proxy-server ingress will use this hostname - # the tenant-service ingress will use tenant.hostname # the role-service ingress will use role.hostname hostname: csm-authorization.com 
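Review bot: The comment block above `hostname:` is left half-updated: the hunk deletes the tenant-service line but keeps `# the role-service ingress will use role.hostname`, although the role-service Ingress and the `roleServiceIngress` values are removed elsewhere in this commit. Drop that line as well so the block ends at `# the proxy-server ingress will use this hostname`. Not changed here but visible in the context: `opa: openpolicyagent/opa` carries no tag while the four CSM images are pinned to `v1.7.0`; pinning it would keep the release from pulling whatever the registry currently serves as latest.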
@@ -48,42 +47,6 @@ authorization: # additional annotations for the proxy-server ingress annotations: {} - # tenant-service ingress configuration - tenantServiceIngress: - ingressClassName: nginx - - # additional host rules for the tenant-service ingress - hosts: [] - - # additional annotations for the tenant-service ingress - # if applicable, an annotation supporting grpc for your ingress controller must be supplied - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - - # role-service ingress configuration - roleServiceIngress: - ingressClassName: nginx - - # additional host rules for the role-service ingress - hosts: [] - - # additional annotations for the role-service ingress - # an annotation supporting grpc for your ingress controller must be supplied, if applicable - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - - # storage-service ingress configuration - storageServiceIngress: - ingressClassName: nginx - - # additional host rules for the storage-service ingress - hosts: [] - - # additional annotations for the storage-service ingress - # an annotation supporting grpc for your ingress controller must be supplied, if applicable - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - redis: images: redis: redis:6.0.8-alpine @@ -91,8 +54,3 @@ redis: # set the storageClass for redis to use. otherwise, the default storage class is used # storageClass: local-storage - # Optionally, uncomment and specify the name of the pre-created namespace to install the redis in it - # namespace: - -# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it -# namespace: diff --git a/charts/csm-replication/Chart.yaml b/charts/csm-replication/Chart.yaml index bd063562..084df7e7 100644 --- a/charts/csm-replication/Chart.yaml +++ b/charts/csm-replication/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 name: csm-replication type: application -version: 1.4.0 -appVersion: "1.4.0" +version: 1.5.0 +appVersion: "1.5.0" diff --git a/charts/csm-replication/templates/_helpers.tpl b/charts/csm-replication/templates/_helpers.tpl index 309ada37..9f4b76ed 100644 --- a/charts/csm-replication/templates/_helpers.tpl +++ b/charts/csm-replication/templates/_helpers.tpl @@ -60,13 +60,3 @@ Create the name of the service account to use {{- default "default" .Values.serviceAccount.name }} {{- end }} {{- end }} - -{{/* -Namespace for all resources to be installed into -If not defined in values file then the helm release namespace is used -By default this is not set so the helm release namespace will be used -*/}} - -{{- define "custom.namespace" -}} - {{ .Values.namespace | default .Release.Namespace }} -{{- end -}} \ No newline at end of file diff --git a/charts/csm-replication/templates/controller.yaml b/charts/csm-replication/templates/controller.yaml index e52c3191..d0f408cc 100644 --- a/charts/csm-replication/templates/controller.yaml +++ b/charts/csm-replication/templates/controller.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: dell-replication-controller-sa - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} secrets: - name: replication-secret --- @@ -179,10 +179,10 @@ apiVersion: v1 kind: Secret metadata: name: replication-secret - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} annotations: kubernetes.io/service-account.name: dell-replication-controller-sa - kubernetes.io/service-account.namespace: {{ include "custom.namespace" . }} + kubernetes.io/service-account.namespace: {{ .Release.Namespace }} type: kubernetes.io/service-account-token --- apiVersion: rbac.authorization.k8s.io/v1 
@@ -196,7 +196,7 @@ roleRef: subjects: - kind: ServiceAccount name: dell-replication-controller-sa - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -209,14 +209,14 @@ roleRef: subjects: - kind: ServiceAccount name: dell-replication-controller-sa - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- -{{- $secret := (lookup "v1" "ConfigMap" "{{ include custom.namespace . }}" "dell-replication-controller-config").data -}} +{{- $secret := (lookup "v1" "ConfigMap" "{{ .Release.Namespace }}" "dell-replication-controller-config").data -}} apiVersion: v1 kind: ConfigMap metadata: name: dell-replication-controller-config - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} {{ if $secret -}} data: {{- range $key, $value := $secret }} @@ -236,7 +236,7 @@ metadata: labels: control-plane: controller-manager name: dell-replication-controller-manager-metrics-service - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: ports: - name: https @@ -251,7 +251,7 @@ metadata: labels: control-plane: controller-manager name: dell-replication-controller-manager - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: replicas: {{ .Values.replicas }} selector: @@ -295,7 +295,7 @@ spec: - name: X_CSI_REPLICATION_IN_CLUSTER value: "true" - name: X_CSI_REPLICATION_WATCH_NAMESPACE - value: {{ include "custom.namespace" . }} + value: {{ .Release.Namespace }} - name: X_CSI_REPLICATION_CONFIG_DIR value: /app/config - name: X_CSI_REPLICATION_CERT_DIR diff --git a/charts/csm-replication/values.yaml b/charts/csm-replication/values.yaml index dbf8a0ec..d9463d7d 100644 --- a/charts/csm-replication/values.yaml +++ b/charts/csm-replication/values.yaml 
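Review bot: The `lookup` call in the `@@ -209,14 +209,14 @@` hunk of charts/csm-replication/templates/controller.yaml passes the quoted string `"{{ .Release.Namespace }}"` as its namespace argument; template actions are not expanded inside a string literal, so Helm searches a namespace literally named that and `$secret` is always empty. The `{{ if $secret -}}` branch that copies the existing `dell-replication-controller-config` data therefore never runs, and an upgrade presumably renders the ConfigMap without the previously stored entries. Pass the value directly: `{{- $secret := (lookup "v1" "ConfigMap" .Release.Namespace "dell-replication-controller-config").data -}}`. The removed line had the same shape with `include custom.namespace`, so the defect is carried over by this change rather than introduced by it.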
@@ -5,11 +5,11 @@ replicas: 1 # image: Defines controller image. This shouldn't be changed # Allowed values: string -image: dellemc/dell-replication-controller:v1.4.0 +image: dellemc/dell-replication-controller:v1.5.0 # image: Defines controller's init container image. This shouldn't be changed # Allowed values: string -initImage: dellemc/dell-replication-init:v1.0.0 +initImage: dellemc/dell-replication-init:v1.0.1 # logLevel: Defines initial log level for controller. This can be changed in runtime # Allowed values: "debug", "info", "warn", "error", "panic" @@ -39,6 +39,3 @@ retryIntervalMax: 5m # - ip: "10.10.10.11" # hostnames: # - "foo.baz" - -# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it -# namespace: diff --git a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml index 177b3d1c..209acef1 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powerflex app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powerflex - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: type: {{ .Values.karaviMetricsPowerflex.service.type }} ports: @@ -24,7 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powerflex - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: karavi-metrics-powerflex app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml index 6f50d613..4cb2e16f 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml 
+++ b/charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-metrics-powermax-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} --- @@ -35,7 +35,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Release.Name }}-metrics-powermax-controller - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole name: {{ .Release.Name }}-metrics-powermax-controller diff --git a/charts/karavi-observability/templates/karavi-metrics-powermax.yaml b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml index 31891ab8..c1469734 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powermax.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powermax.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: karavi-metrics-powermax app.kubernetes.io/instance: {{ .Release.Name }} name: karavi-metrics-powermax - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} spec: type: {{ .Values.karaviMetricsPowermax.service.type }} ports: @@ -24,7 +24,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: karavi-metrics-powermax - namespace: {{ include "custom.namespace" . }} + namespace: {{ .Release.Namespace }} labels: app.kubernetes.io/name: karavi-metrics-powermax app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml index 510e9460..416da9ee 100644 --- a/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml +++ b/charts/karavi-observability/templates/karavi-metrics-powerscale.yaml 
@@ -7,7 +7,7 @@ metadata:
 app.kubernetes.io/name: karavi-metrics-powerscale
 app.kubernetes.io/instance: {{ .Release.Name }}
 name: karavi-metrics-powerscale
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 spec:
 type: {{ .Values.karaviMetricsPowerscale.service.type }}
 ports:
@@ -24,7 +24,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: karavi-metrics-powerscale
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: karavi-metrics-powerscale
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml
index a54d1d5a..070a435e 100644
--- a/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml
+++ b/charts/karavi-observability/templates/karavi-metrics-powerstore.yaml
@@ -7,7 +7,7 @@ metadata:
 app.kubernetes.io/name: karavi-metrics-powerstore
 app.kubernetes.io/instance: {{ .Release.Name }}
 name: karavi-metrics-powerstore
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 spec:
 type: {{ .Values.karaviMetricsPowerstore.service.type }}
 ports:
@@ -24,7 +24,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: karavi-metrics-powerstore
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: karavi-metrics-powerstore
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/karavi-observability/templates/karavi-observability-configmap.yaml b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
index 87ae451e..4b0e3fb5 100644
--- a/charts/karavi-observability/templates/karavi-observability-configmap.yaml
+++ b/charts/karavi-observability/templates/karavi-observability-configmap.yaml
@@ -4,7 +4,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: karavi-metrics-powerflex-configmap
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 data:
 karavi-metrics-powerflex.yaml : |
 COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerflex.collectorAddr }}
@@ -29,7 +29,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: karavi-topology-configmap
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 data:
 karavi-topology.yaml: |
 PROVISIONER_NAMES: {{ .Values.karaviTopology.provisionerNames }}
@@ -49,7 +49,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: karavi-metrics-powerstore-configmap
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 data:
 karavi-metrics-powerstore.yaml : |
 COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerstore.collectorAddr }}
@@ -76,7 +76,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: karavi-metrics-powerscale-configmap
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 data:
 karavi-metrics-powerscale.yaml : |
 COLLECTOR_ADDR: {{ .Values.karaviMetricsPowerscale.collectorAddr }}
@@ -103,7 +103,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: karavi-metrics-powermax-configmap
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 data:
 karavi-metrics-powermax.yaml : |
 COLLECTOR_ADDR: {{ .Values.karaviMetricsPowermax.collectorAddr }}
diff --git a/charts/karavi-observability/templates/karavi-topology.yaml b/charts/karavi-observability/templates/karavi-topology.yaml
index 68b4b199..8ae79dc6 100644
--- a/charts/karavi-observability/templates/karavi-topology.yaml
+++ b/charts/karavi-observability/templates/karavi-topology.yaml
@@ -7,7 +7,7 @@ metadata:
 app.kubernetes.io/name: karavi-topology
 app.kubernetes.io/instance: {{ .Release.Name }}
 name: karavi-topology
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 spec:
 type: {{ .Values.karaviTopology.service.type }}
 ports:
@@ -24,7 +24,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: karavi-topology
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: karavi-topology
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/karavi-observability/templates/otel-collector.yaml b/charts/karavi-observability/templates/otel-collector.yaml
index 093bf924..28a4d159 100644
--- a/charts/karavi-observability/templates/otel-collector.yaml
+++ b/charts/karavi-observability/templates/otel-collector.yaml
@@ -5,7 +5,7 @@ data:
 kind: ConfigMap
 metadata:
 name: otel-collector-config
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 ---
@@ -16,7 +16,7 @@ data:
 kind: ConfigMap
 metadata:
 name: nginx-config
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 ---
@@ -24,7 +24,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: otel-collector
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: otel-collector
 app.kubernetes.io/instance: {{ .Release.Name }}
@@ -47,7 +47,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: otel-collector
- namespace: {{ include "custom.namespace" . }}
+ namespace: {{ .Release.Namespace }}
 labels:
 app.kubernetes.io/name: otel-collector
 app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/karavi-observability/values.yaml b/charts/karavi-observability/values.yaml
index c169c805..461b28be 100644
--- a/charts/karavi-observability/values.yaml
+++ b/charts/karavi-observability/values.yaml
@@ -40,8 +40,8 @@ karaviMetricsPowerflex:
 authorization:
 enabled: false
 # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
- # Default value: dellemc/csm-authorization-sidecar:v1.6.0
- sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0
+ # Default value: dellemc/csm-authorization-sidecar:v1.7.0
+ sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0
 # proxyHost: hostname of the csm-authorization server
 # Default value: None
 proxyHost:
@@ -116,8 +116,8 @@ karaviMetricsPowerscale:
 authorization:
 enabled: false
 # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
- # Default value: dellemc/csm-authorization-sidecar:v1.6.0
- sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0
+ # Default value: dellemc/csm-authorization-sidecar:v1.7.0
+ sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0
 # proxyHost: hostname of the csm-authorization server
 # Default value: None
 proxyHost:
@@ -153,8 +153,8 @@ karaviMetricsPowermax:
 authorization:
 enabled: false
 # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
- # Default value: dellemc/csm-authorization-sidecar:v1.6.0
- sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.6.0
+ # Default value: dellemc/csm-authorization-sidecar:v1.7.0
+ sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.7.0
 # proxyHost: hostname of the csm-authorization server
 # Default value: None
 proxyHost:
@@ -178,5 +178,3 @@ cert-manager:
 enabled: false
 serviceAccount:
 create: false
-# Optionally, uncomment and specify the name of the pre-created namespace to install the module in it
-# namespace: