Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
csi-powerscale/helm/csi-isilon/templates/node.yaml
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: {{ .Release.Name }}-node | |
| namespace: {{ .Release.Namespace }} | |
| --- | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: {{ .Release.Name }}-node | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["persistentvolumes"] | |
| verbs: ["create", "delete", "get", "list", "watch", "update"] | |
| - apiGroups: [""] | |
| resources: ["persistentvolumesclaims"] | |
| verbs: ["get", "list", "watch", "update"] | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["get", "list", "watch", "create", "update", "patch"] | |
| - apiGroups: [""] | |
| resources: ["nodes"] | |
| verbs: ["get", "list", "watch", "update", "patch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["volumeattachments"] | |
| verbs: ["get", "list", "watch", "update"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["storageclasses"] | |
| verbs: ["get", "list", "watch"] | |
| - apiGroups: ["storage.k8s.io"] | |
| resources: ["volumeattachments"] | |
| verbs: ["get", "list", "watch", "update"] | |
| - apiGroups: [ "security.openshift.io" ] | |
| resourceNames: [ "privileged" ] | |
| resources: [ "securitycontextconstraints" ] | |
| verbs: [ "use" ] | |
| {{- if hasKey .Values "podmon" }} | |
| {{- if eq .Values.podmon.enabled true }} | |
| - apiGroups: [""] | |
| resources: ["pods"] | |
| verbs: ["get", "list", "watch", "update", "delete"] | |
| - apiGroups: ["coordination.k8s.io"] | |
| resources: ["leases"] | |
| verbs: ["get", "watch", "list", "delete", "update", "create"] | |
| {{ end }} | |
| {{ end }} | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: {{ .Release.Name }}-node | |
| subjects: | |
| - kind: ServiceAccount | |
| name: {{ .Release.Name }}-node | |
| namespace: {{ .Release.Namespace }} | |
| roleRef: | |
| kind: ClusterRole | |
| name: {{ .Release.Name }}-node | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| kind: DaemonSet | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: {{ .Release.Name }}-node | |
| namespace: {{ .Release.Namespace }} | |
| {{- if hasKey .Values "authorization" }} | |
| {{- if eq .Values.authorization.enabled true }} | |
| annotations: | |
| com.dell.karavi-authorization-proxy: "true" | |
| {{ end }} | |
| {{ end }} | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: {{ .Release.Name }}-node | |
| template: | |
| metadata: | |
| labels: | |
| app: {{ .Release.Name }}-node | |
| {{- if .Values.podmon.enabled }} | |
| driver.dellemc.com: dell-storage | |
| {{- end }} | |
| spec: | |
| serviceAccount: {{ .Release.Name }}-node | |
| {{ if .Values.node.nodeSelector }} | |
| nodeSelector: | |
| {{- toYaml .Values.node.nodeSelector | nindent 8 }} | |
| {{ end }} | |
| {{ if .Values.node.tolerations }} | |
| tolerations: | |
| {{- toYaml .Values.node.tolerations | nindent 8 }} | |
| {{ end }} | |
| hostNetwork: true | |
| dnsPolicy: {{ .Values.node.dnsPolicy }} | |
| containers: | |
| {{- $encModes := list false }} | |
| {{- if eq .Values.encryption.enabled true }} | |
| {{- $encModes = list false true }} | |
| {{- end }} | |
| {{- range $encrypted := $encModes }} | |
| {{- with $ }} | |
| {{- $driverSock := "csi_sock" }} | |
| {{- $csiSidecarSuffix := "" }} | |
| {{- if $encrypted }} | |
| {{- $driverSock = "csi_sec_sock" }} | |
| {{- $csiSidecarSuffix = "-sec" }} | |
| {{- end }} | |
| {{- if hasKey .Values "podmon" }} | |
| {{- if eq .Values.podmon.enabled true }} | |
| - name: podmon | |
| securityContext: | |
| privileged: true | |
| capabilities: | |
| add: ["SYS_ADMIN"] | |
| allowPrivilegeEscalation: true | |
| image: {{ required "Must provide the podmon container image." .Values.podmon.image }} | |
| imagePullPolicy: {{ .Values.imagePullPolicy }} | |
| args: | |
| {{- toYaml .Values.podmon.node.args | nindent 12 }} | |
| env: | |
| - name: KUBE_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: spec.nodeName | |
| - name: X_CSI_PRIVATE_MOUNT_DIR | |
| value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" | |
| - name: MY_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: MY_POD_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.name | |
| - name: MY_POD_NAMESPACE | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: metadata.namespace | |
| volumeMounts: | |
| - name: kubelet-pods | |
| mountPath: {{ .Values.kubeletConfigDir }}/pods | |
| mountPropagation: "Bidirectional" | |
| - name: driver-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon | |
| mountPropagation: "Bidirectional" | |
| - name: volumedevices-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices | |
| mountPropagation: "Bidirectional" | |
| - name: dev | |
| mountPath: /dev | |
| - name: usr-bin | |
| mountPath: /usr-bin | |
| - name: var-run | |
| mountPath: /var/run | |
| - name: csi-isilon-config-params | |
| mountPath: /csi-isilon-config-params | |
| {{- end }} | |
| {{- end }} | |
| {{- if not $encrypted }} | |
| - name: driver | |
| command: ["/csi-isilon"] | |
| args: | |
| - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" | |
| securityContext: | |
| privileged: true | |
| capabilities: | |
| add: ["SYS_ADMIN"] | |
| allowPrivilegeEscalation: true | |
| image: {{ required "Must provide the Isilon driver image repository." .Values.images.driverRepository }}/{{ .Chart.Name }}:{{ .Values.version }} | |
| imagePullPolicy: {{ .Values.imagePullPolicy }} | |
| env: | |
| - name: CSI_ENDPOINT | |
| value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }}" | |
| - name: X_CSI_MODE | |
| value: node | |
| - name: X_CSI_ISI_SKIP_CERTIFICATE_VALIDATION | |
| value: "{{ .Values.skipCertificateValidation }}" | |
| - name: X_CSI_ISI_AUTH_TYPE | |
| value: "{{ .Values.isiAuthType }}" | |
| - name: X_CSI_ALLOWED_NETWORKS | |
| value: "{{ .Values.allowedNetworks }}" | |
| - name: X_CSI_VERBOSE | |
| value: "{{ .Values.verbose }}" | |
| - name: X_CSI_PRIVATE_MOUNT_DIR | |
| value: "{{ .Values.kubeletConfigDir }}/plugins/csi-isilon/disks" | |
| - name: X_CSI_ISI_PORT | |
| value: "{{ .Values.endpointPort }}" | |
| - name: X_CSI_ISI_PATH | |
| value: {{ .Values.isiPath }} | |
| - name: X_CSI_ISI_NO_PROBE_ON_START | |
| value: "{{ .Values.noProbeOnStart }}" | |
| - name: X_CSI_ISI_AUTOPROBE | |
| value: "{{ .Values.autoProbe }}" | |
| - name: X_CSI_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| - name: X_CSI_NODE_IP | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: status.hostIP | |
| - name: SSL_CERT_DIR | |
| value: /certs | |
| - name: X_CSI_ISI_QUOTA_ENABLED | |
| value: "{{ .Values.enableQuota }}" | |
| - name: X_CSI_CUSTOM_TOPOLOGY_ENABLED | |
| value: "{{ .Values.enableCustomTopology }}" | |
| - name: X_CSI_ISI_CONFIG_PATH | |
| value: /isilon-configs/config | |
| - name: X_CSI_MAX_VOLUMES_PER_NODE | |
| value: "{{ .Values.maxIsilonVolumesPerNode }}" | |
| - name: X_CSI_HEALTH_MONITOR_ENABLED | |
| value: "{{ .Values.node.healthMonitor.enabled }}" | |
| - name: X_CSI_PODMON_ENABLED | |
| value: "{{ .Values.podmon.enabled }}" | |
| - name: X_CSI_PODMON_API_PORT | |
| value: "{{ .Values.podmonAPIPort }}" | |
| {{- if eq .Values.podmon.enabled true }} | |
| {{- range $key, $value := .Values.podmon.node.args }} | |
| {{- if contains "--arrayConnectivityPollRate" $value }} | |
| - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE | |
| value: "{{ (split "=" $value)._1 }}" | |
| {{ end }} | |
| {{ end }} | |
| {{ end }} | |
| - name: X_CSI_MAX_PATH_LIMIT | |
| value: "{{ .Values.maxPathLen }}" | |
| volumeMounts: | |
| - name: driver-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon | |
| {{- if eq .Values.encryption.enabled true }} | |
| - name: staging-dir | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi | |
| mountPropagation: Bidirectional | |
| {{- else }} | |
| - name: volumedevices-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices | |
| {{- end }} | |
| - name: pods-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/pods | |
| mountPropagation: "Bidirectional" | |
| - name: dev | |
| mountPath: /dev | |
| - name: certs | |
| mountPath: /certs | |
| readOnly: true | |
| - name: isilon-configs | |
| mountPath: /isilon-configs | |
| - name: csi-isilon-config-params | |
| mountPath: /csi-isilon-config-params | |
| {{- end }} | |
| - name: registrar{{ $csiSidecarSuffix }} | |
| image: {{ required "Must provide the CSI node registrar container image." ( include "csi-isilon.registrarImage" . ) }} | |
| imagePullPolicy: {{ .Values.imagePullPolicy }} | |
| args: | |
| - "--v=5" | |
| - "--csi-address=/csi/{{ $driverSock }}" | |
| - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/csi-isilon/{{ $driverSock }} | |
| env: | |
| - name: KUBE_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: spec.nodeName | |
| volumeMounts: | |
| - name: registration-dir | |
| mountPath: /registration | |
| - name: driver-path | |
| mountPath: /csi | |
| {{- if not $encrypted }} | |
| {{- if hasKey .Values "authorization" }} | |
| {{- if eq .Values.authorization.enabled true }} | |
| - name: karavi-authorization-proxy | |
| imagePullPolicy: {{ .Values.imagePullPolicy }} | |
| image: {{ required "Must provide the authorization sidecar container image." .Values.authorization.sidecarProxyImage }} | |
| env: | |
| - name: PROXY_HOST | |
| value: "{{ .Values.authorization.proxyHost }}" | |
| - name: SKIP_CERTIFICATE_VALIDATION | |
| value: "{{ .Values.authorization.skipCertificateValidation }}" | |
| - name: PLUGIN_IDENTIFIER | |
| value: powerscale | |
| - name: ACCESS_TOKEN | |
| valueFrom: | |
| secretKeyRef: | |
| name: proxy-authz-tokens | |
| key: access | |
| - name: REFRESH_TOKEN | |
| valueFrom: | |
| secretKeyRef: | |
| name: proxy-authz-tokens | |
| key: refresh | |
| volumeMounts: | |
| - name: karavi-authorization-config | |
| mountPath: /etc/karavi-authorization/config | |
| - name: proxy-server-root-certificate | |
| mountPath: /etc/karavi-authorization/root-certificates | |
| - name: csi-isilon-config-params | |
| mountPath: /etc/karavi-authorization | |
| {{ end }} | |
| {{ end }} | |
| {{- end }} | |
| {{- if $encrypted }} | |
| - name: driver-sec | |
| image: {{ .Values.encryption.image }} | |
| imagePullPolicy: {{ .Values.imagePullPolicy }} | |
| securityContext: | |
| privileged: true | |
| allowPrivilegeEscalation: true | |
| capabilities: | |
| add: ["SYS_ADMIN"] | |
| args: | |
| - --name={{ .Values.encryption.pluginName }} | |
| - --nodeId=$(NODE_ID) | |
| - "--endpoint=unix://var/run/csi/csi_sec_sock" | |
| - "--targetEndpoint=unix://var/run/csi/csi_sock" | |
| - --targetType=Isilon | |
| - --vaultClientConfig=/etc/dea/vault/client.json | |
| - --logLevel={{ .Values.encryption.logLevel }} | |
| - --licenseName=/etc/dea/license/license | |
| {{- if .Values.encryption.livenessPort }} | |
| - --livenessPort={{ .Values.encryption.livenessPort }} | |
| {{- end}} | |
| - --apiPort={{ .Values.encryption.apiPort }} | |
| {{- range index .Values.encryption.extraArgs }} | |
| - {{ . | quote }} | |
| {{- end }} | |
| env: | |
| - name: NODE_ID | |
| valueFrom: | |
| fieldRef: | |
| fieldPath: spec.nodeName | |
| {{- if eq .Values.encryption.ocp true }} | |
| - name: CORE_ID | |
| value: "{{ required "encryption.ocpCoreID not set to core user uid:gid" .Values.encryption.ocpCoreID }}" | |
| {{- end }} | |
| volumeMounts: | |
| - name: vault-config | |
| mountPath: /etc/dea/vault | |
| - name: driver-path | |
| mountPath: /var/run/csi | |
| - name: pods-path | |
| mountPath: {{ .Values.kubeletConfigDir }}/pods | |
| mountPropagation: Bidirectional | |
| - name: staging-dir | |
| mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi | |
| mountPropagation: Bidirectional | |
| - name: user-home | |
| {{- if eq .Values.encryption.ocp true }} | |
| mountPath: /corehome | |
| {{- else }} | |
| mountPath: /roothome | |
| {{- end }} | |
| - name: license-config | |
| mountPath: /etc/dea/license | |
| {{- if .Values.encryption.livenessPort }} | |
| livenessProbe: | |
| httpGet: | |
| path: /liveprobe | |
| port: {{ .Values.encryption.livenessPort }} | |
| initialDelaySeconds: 1500 | |
| periodSeconds: 1000 | |
| timeoutSeconds: 3 | |
| failureThreshold: 100 | |
| {{- end }} | |
| {{- end }} | |
| {{- end }} | |
| {{- end }} | |
| volumes: | |
| - name: registration-dir | |
| hostPath: | |
| path: {{ .Values.kubeletConfigDir }}/plugins_registry/ | |
| type: DirectoryOrCreate | |
| - name: driver-path | |
| hostPath: | |
| path: {{ .Values.kubeletConfigDir }}/plugins/csi-isilon | |
| type: DirectoryOrCreate | |
| - name: volumedevices-path | |
| hostPath: | |
| path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/volumeDevices | |
| type: DirectoryOrCreate | |
| - name: pods-path | |
| hostPath: | |
| path: {{ .Values.kubeletConfigDir }}/pods | |
| type: Directory | |
| - name: dev | |
| hostPath: | |
| path: /dev | |
| type: Directory | |
| - name: certs | |
| projected: | |
| sources: | |
| {{- range $i, $e := until (int .Values.certSecretCount ) }} | |
| - secret: | |
| name: {{ print $.Release.Name "-certs-" $e }} | |
| items: | |
| - key: cert-{{ $e }} | |
| path: cert-{{ $e }} | |
| {{- end }} | |
| - name: isilon-configs | |
| secret: | |
| secretName: {{ .Release.Name }}-creds | |
| - name: csi-isilon-config-params | |
| configMap: | |
| name: {{ .Release.Name }}-config-params | |
| {{- if hasKey .Values "authorization" }} | |
| {{- if eq .Values.authorization.enabled true }} | |
| - name: karavi-authorization-config | |
| secret: | |
| secretName: karavi-authorization-config | |
| - name: proxy-server-root-certificate | |
| secret: | |
| secretName: proxy-server-root-certificate | |
| {{ end }} | |
| {{ end }} | |
| {{- if hasKey .Values "podmon" }} | |
| {{- if eq .Values.podmon.enabled true }} | |
| - name: usr-bin | |
| hostPath: | |
| path: /usr/bin | |
| type: Directory | |
| - name: kubelet-pods | |
| hostPath: | |
| path: /var/lib/kubelet/pods | |
| type: Directory | |
| - name: var-run | |
| hostPath: | |
| path: /var/run | |
| type: Directory | |
| {{ end }} | |
| {{ end }} | |
| {{- if eq .Values.encryption.enabled true }} | |
| - name: vault-config | |
| projected: | |
| sources: | |
| - secret: | |
| name: vault-cert | |
| - secret: | |
| name: vault-auth | |
| - configMap: | |
| name: vault-client-conf | |
| - name: staging-dir | |
| hostPath: | |
| path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi | |
| type: DirectoryOrCreate | |
| - name: user-home | |
| hostPath: | |
| {{- if eq .Values.encryption.ocp true }} | |
| path: /home/core | |
| {{- else }} | |
| path: /root | |
| {{- end }} | |
| type: Directory | |
| - name: license-config | |
| secret: | |
| secretName: encryption-license | |
| {{- end }} |