support nfs-client deployments better, example file

stable/democratic-csi/Chart.yaml

@@ -2,4 +2,4 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
 name: democratic-csi
-version: 0.3.0
+version: 0.4.0

stable/democratic-csi/examples/nfs-client.yaml

@@ -0,0 +1,139 @@
+# driver only works with 1.16+
+csiDriver:
+  # should be globally unique for a given cluster
+  name: "org.democratic-csi.nfs-client"
+
+storageClasses:
+- name: nfs-client
+  defaultClass: false
+  reclaimPolicy: Delete
+  volumeBindingMode: Immediate
+  allowVolumeExpansion: false
+  parameters:
+    fsType: nfs
+
+  mountOptions:
+  - noatime
+  - nfsvers=3
+  secrets:
+    provisioner-secret:
+    controller-publish-secret:
+    node-stage-secret:
+    node-publish-secret:
+    controller-expand-secret:
+
+# if your cluster supports snapshots you may enable below
+volumeSnapshotClasses: []
+#- name: nfs-client
+#  secrets:
+#    snapshotter-secret:
+
+
+driver:
+  config:
+    #driver: 
+    # rest of per-driver config data/syntax
+    driver: nfs-client
+    instance_id:
+    nfs:
+      # make note of these 3, they are used below in various places
+      shareHost: <IP or host>
+      shareBasePath: "/some/path/to/nfs-client/storage"
+      controllerBasePath: "/nfs-storage"
+
+      dirPermissionsMode: "0777"
+      dirPermissionsUser: root
+      dirPermissionsGroup: root
+
+
+# There are 4 different approaches to installing the driver
+# 1: Run the controller service separated from the node service, mount the base share into the controller pod at run time
+# 2. Run the controller service separated from the node service, use an existing hostPath mount of the base share from the node in the controller pod
+# 3. Run the controller service jointly with the node service, mount the base share into the node pod at run time
+# 4. Run the controller service jointly with the node service, use an existing hostPath mount of the base share from the node in the node pod
+#
+# Uncomment the lines/sections below appropriate for your desired use-case
+
+controller:
+  enabled: true
+
+  externalResizer:
+    enabled: false
+
+  # For Options 1 and 2
+  #strategy: deployment
+
+  # For Option 1
+  #hostNetwork: true
+  #hostIPC: true
+
+  # For Options 3 and 4
+  #strategy: node
+
+
+# Option 1
+# do this if the nodes do NOT already have the base volume mounted out-of-band from k8s
+#  driver:
+#    securityContext:
+#      allowPrivilegeEscalation: true
+#      capabilities:
+#        add:
+#        - SYS_ADMIN
+#      privileged: true
+#    lifecycle:
+#      postStart:
+#        exec:
+#          command: ["/bin/sh", "-c", "mkdir -p <controllerBasePath>; mount <shareHost>:<shareBasePath> <controllerBasePath>"]
+#      preStop:
+#        exec:
+#          command: ["/bin/sh","-c","umount <controllerBasePath>"]
+
+# Option 2
+# do this if all nodes DO have the base volume mounted out-of-band from k8s
+#  driver:
+#    securityContext:
+#      allowPrivilegeEscalation: true
+#      capabilities:
+#        add:
+#        - SYS_ADMIN
+#      privileged: true
+#
+#    extraVolumeMounts:
+#    - name: nfs-storage
+#      mountPath: <controllerBasePath>
+#      mountPropagation: Bidirectional
+#
+#  extraVolumes:
+#  - name: nfs-storage
+#    hostPath:
+#      path: /already/mounted/path/to <shareHost>:<shareBasePath>
+#      type: Directory
+
+
+# Options 3 and 4
+#node:
+
+# Option 3
+# do this if the nodes do NOT already have the base volume mounted out-of-band from k8s
+#  driver:
+#    lifecycle:
+#      postStart:
+#        exec:
+#          command: ["/bin/sh", "-c", "mkdir -p <controllerBasePath>; mount <shareHost>:<shareBasePath> <controllerBasePath>"]
+#      preStop:
+#        exec:
+#          command: ["/bin/sh","-c","umount <controllerBasePath>"]
+
+# Option 4
+# do this if all nodes DO have the base volume mounted out-of-band from k8s
+#  driver:
+#    extraVolumeMounts:
+#    - name: nfs-storage
+#      mountPath: <controllerBasePath>
+#      mountPropagation: Bidirectional
+#
+#  extraVolumes:
+#  - name: nfs-storage
+#    hostPath:
+#      path: /already/mounted/path/to <shareHost>:<shareBasePath>
+#      type: Directory

stable/democratic-csi/templates/_helpers.tpl

@@ -87,18 +87,6 @@ Create chart name and version as used by the chart label.
     name: socket-dir
 {{- end -}}
 
-{{- define "democratic-csi.livenessprobe-container" -}}
-# https://github.com/kubernetes-csi/livenessprobe
-- name: livenessprobe
-  args:
-  - --v=5
-  - --csi-address=/csi-data/csi.sock
-  volumeMounts:
-  - mountPath: /csi-data
-    name: socket-dir
-{{- end -}}
-
-
 {{- define "democratic-csi.controller-rbac-rules" -}}
 # Allow listing and creating CRDs
 - apiGroups: ['apiextensions.k8s.io']

stable/democratic-csi/templates/controller.yaml

@@ -45,17 +45,16 @@ spec:
 {{ include "democratic-csi.external-snapshotter-container" . | indent 6 }}
       {{- end }}
 
-      {{- if .Values.controller.livenessProbe.enabled }}
-{{ include "democratic-csi.livenessprobe-container" . | indent 6 }}
-        image: {{ .Values.controller.livenessProbe.image }}
-      {{- end }}
-
       {{- if .Values.controller.driver.enabled }}
       - name: csi-driver
         image: {{ .Values.controller.driver.image }}
         {{- if .Values.controller.driver.lifecycle }}
         lifecycle:
 {{ toYaml .Values.controller.driver.lifecycle | indent 10 }}
+        {{- end }}
+        {{- if .Values.controller.driver.securityContext }}
+        securityContext:
+{{ toYaml .Values.controller.driver.securityContext | indent 10 }}
         {{- end }}
         args:
         - --csi-version={{ .Values.csiDriver.version }}
@@ -66,20 +65,14 @@ spec:
         - --server-socket=/csi-data/csi.sock
         imagePullPolicy: Always
 
-        # https://github.com/kubernetes-csi/livenessprobe/issues/82
         {{- if .Values.controller.livenessProbe.enabled }}
-        # Defining port which will be used to GET plugin health status
-        # 9808 is default, but can be changed.
-        ports:
-        - containerPort: 9808
-          name: healthz
-          protocol: TCP
-        # The probe
         livenessProbe:
           failureThreshold: 5
-          httpGet:
-            path: /healthz
-            port: healthz
+          exec:
+            command:
+            - bin/liveness-probe
+            - --csi-version={{ .Values.csiDriver.version }}
+            - --csi-address=/csi-data/csi.sock
           initialDelaySeconds: 10
           timeoutSeconds: 3
           periodSeconds: 60

stable/democratic-csi/templates/node.yaml

@@ -81,6 +81,19 @@ spec:
         terminationMessagePath: /tmp/termination-log
         terminationMessagePolicy: File
 
+        {{- if .Values.node.livenessProbe.enabled }}
+        livenessProbe:
+          failureThreshold: 5
+          exec:
+            command:
+            - bin/liveness-probe
+            - --csi-version={{ .Values.csiDriver.version }}
+            - --csi-address=/csi-data/csi.sock
+          initialDelaySeconds: 10
+          timeoutSeconds: 3
+          periodSeconds: 60
+        {{- end }}
+
         volumeMounts:
         - name: socket-dir
           mountPath: /csi-data

stable/democratic-csi/values.yaml

@@ -61,10 +61,8 @@ controller:
   clusterDriverRegistrar:
     enabled: false
 
-  # https://kubernetes-csi.github.io/docs/livenessprobe.html
   livenessProbe:
     enabled: true
-    image: quay.io/k8scsi/livenessprobe:v2.0.0
 
   # democratic-csi controller
   driver:
@@ -79,6 +77,13 @@ controller:
 #        exec:
 #          command: ["/bin/sh","-c","nginx -s quit; while killall -0 nginx; do sleep 1; done"]
 
+    securityContext:
+#      allowPrivilegeEscalation: true
+#      capabilities:
+#        add:
+#        - SYS_ADMIN
+#      privileged: true
+
     extraVolumeMounts: []
 #    - name: foo
 #      mountPath: /foo
@@ -96,6 +101,9 @@ node:
   hostNetwork: true
   hostIPC: true
 
+  livenessProbe:
+    enabled: true
+
   # democratic-csi node
   driver:
     enabled: true