From 9607f015101659f3e51adf9fd0b9452ea65248c8 Mon Sep 17 00:00:00 2001 
From: Moritz Eckert Date: Mon, 8 May 2023 17:43:46 +0000 Subject: [PATCH] cli: add cinder csi helm charts --- cli/internal/helm/BUILD.bazel | 14 ++ .../constellation-services/Chart.yaml | 10 + .../charts/cinder-config/.helmignore | 23 +++ .../charts/cinder-config/Chart.yaml | 5 + .../cinder-config/templates/secret.yaml | 8 + .../charts/cinder-config/values.schema.json | 17 ++ .../charts/cinder-config/values.yaml | 0 .../charts/cinder-csi-plugin/Chart.yaml | 5 + .../cinder-csi-plugin/templates/_helpers.tpl | 103 ++++++++++ .../templates/cinder-csi-driver.yaml | 10 + .../controllerplugin-deployment.yaml | 194 ++++++++++++++++++ .../templates/controllerplugin-rbac.yaml | 174 ++++++++++++++++ .../templates/nodeplugin-daemonset.yaml | 153 ++++++++++++++ .../templates/nodeplugin-rbac.yaml | 28 +++ .../templates/storageclass.yaml | 29 +++ .../charts/cinder-csi-plugin/values.yaml | 120 +++++++++++ .../constellation-services/values.yaml | 1 + 17 files changed, 894 insertions(+) create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/.helmignore create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.schema.json create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml create mode 100644 
cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml create mode 100644 cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml diff --git a/cli/internal/helm/BUILD.bazel b/cli/internal/helm/BUILD.bazel index 7c6f7c2aa..730beadc6 100644 --- a/cli/internal/helm/BUILD.bazel +++ b/cli/internal/helm/BUILD.bazel 
@@ -334,6 +334,20 @@ go_library( "charts/edgeless/constellation-services/charts/yawol-config/templates/secret.yaml", "charts/edgeless/constellation-services/charts/yawol-config/values.schema.json", "charts/edgeless/constellation-services/charts/yawol-config/values.yaml", + "charts/edgeless/constellation-services/charts/cinder-config/.helmignore", + "charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml", + "charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml", + "charts/edgeless/constellation-services/charts/cinder-config/values.schema.json", + "charts/edgeless/constellation-services/charts/cinder-config/values.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml", + "charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml", ], importpath = "github.com/edgelesssys/constellation/v2/cli/internal/helm", visibility = ["//cli:__subpackages__"], diff --git a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml index b2c5fff18..3ca6b521a 100644 --- a/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml +++ b/cli/internal/helm/charts/edgeless/constellation-services/Chart.yaml 
@@ -77,3 +77,13 @@ dependencies: condition: openstack.deployYawolLoadBalancer tags: - OpenStack + - name: cinder-config + version: 1.0.0 + condition: openstack.deployCSIDriver + tags: + - OpenStack + - name: cinder-csi-plugin + version: 1.0.0 + condition: openstack.deployCSIDriver + tags: + - OpenStack diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/.helmignore b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml new file mode 100644 index 000000000..381651c00 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: cinder-config +description: A Helm chart for Kubernetes +type: application +version: 1.0.0 diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml new file mode 100644 index 000000000..646a27c84 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/templates/secret.yaml 
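Review bot: The new `cinder-config/Chart.yaml` keeps the `helm create` placeholder `description: A Helm chart for Kubernetes`, which tells an operator listing subcharts nothing about what it deploys. Its only template is the Secret holding the OpenStack cloud config for the CSI driver, so a one-line description naming that is enough, e.g. `description: Cloud config Secret consumed by the cinder-csi-plugin chart`. The parent `Chart.yaml` hunk above wires both subcharts to the same `openstack.deployCSIDriver` condition, which is fine, but it may be worth a comment there that `cinder-config` is required by `cinder-csi-plugin` rather than independently optional.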
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cinder-csi-cloud-config
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+ cloudprovider.conf: {{ .Values.secretData | b64enc }}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.schema.json b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.schema.json
new file mode 100644
index 000000000..3625e4e07
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.schema.json
@@ -0,0 +1,17 @@
+{
+ "$schema": "https://json-schema.org/draft-07/schema#",
+ "properties": {
+ "secretData": {
+ "description": "Cloud INI secret used for cinder.",
+ "type": "string",
+ "examples": [
+ "[Global]\nauth-url = ..."
+ ]
+ }
+ },
+ "required": [
+ "secretData"
+ ],
+ "title": "Values",
+ "type": "object"
+}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-config/values.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml
new file mode 100644
index 000000000..bce9fb3f0
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: v1.0.0
+description: Cinder CSI Chart for OpenStack with on-node encryption support
+name: cinder-csi-plugin
+version: 1.0.0
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl
new file mode 100644
index 000000000..a40643c22
--- /dev/null
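Review bot: The Secret name `cinder-csi-cloud-config` and the data key `cloudprovider.conf` are hard-coded here, while the consuming templates in `cinder-csi-plugin` mount `secretName: {{ .Values.secret.name }}` with `subPath: {{ .Values.secret.filename }}`; the defaults for `secret.name` and `secret.filename` are not visible in this patch, so the two charts agreeing is an unverifiable cross-chart contract. A comment at the top of `secret.yaml` would pin it: `# Consumed by the cinder-csi-plugin chart: its secret.name / secret.filename values must equal this Secret's name and data key.` The `values.schema.json` hunk in the same file section only requires `secretData` to be a string, so an empty value renders an empty cloud config through `b64enc` and the driver fails later at startup instead of at install; adding `"minLength": 1` to the `secretData` property catches that at `helm install`. This Secret carries OpenStack credentials, so it is also worth a line in the chart description that it should stay confined to `.Release.Namespace` and not be copied into values files committed to git.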
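Review bot: `cinder-csi-plugin/Chart.yaml` declares `apiVersion: v1` whereas the sibling `cinder-config/Chart.yaml` in this same commit and the parent chart (which carries a `dependencies:` list) use the Helm 3 `apiVersion: v2`. Mixing the two API versions inside one umbrella chart works but is inconsistent and drops v2-only fields such as `type:`; changing the line to `apiVersion: v2` and adding `type: application` keeps the subcharts uniform. The `appVersion: v1.0.0` value is the default image tag for the plugin (see `image.tag | default .Chart.AppVersion` in the deployment), so a comment noting that bumping `appVersion` also changes the pulled image would help maintainers.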
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/_helpers.tpl 
@@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cinder-csi.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cinder-csi.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "cinder-csi.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "cinder-csi.labels" -}} +app.kubernetes.io/name: {{ include "cinder-csi.name" . }} +helm.sh/chart: {{ include "cinder-csi.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "cinder-csi.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "cinder-csi.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create unified labels for cinder-csi components +*/}} +{{- define "cinder-csi.common.matchLabels" -}} +app: {{ template "cinder-csi.name" . 
}} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "cinder-csi.common.metaLabels" -}} +chart: {{ template "cinder-csi.chart" . }} +heritage: {{ .Release.Service }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels -}} +{{- end }} +{{- end -}} + +{{- define "cinder-csi.controllerplugin.matchLabels" -}} +component: controllerplugin +{{ include "cinder-csi.common.matchLabels" . }} +{{- end -}} + +{{- define "cinder-csi.controllerplugin.labels" -}} +{{ include "cinder-csi.controllerplugin.matchLabels" . }} +{{ include "cinder-csi.common.metaLabels" . }} +{{- end -}} + +{{- define "cinder-csi.nodeplugin.matchLabels" -}} +component: nodeplugin +{{ include "cinder-csi.common.matchLabels" . }} +{{- end -}} + +{{- define "cinder-csi.nodeplugin.labels" -}} +{{ include "cinder-csi.nodeplugin.matchLabels" . }} +{{ include "cinder-csi.common.metaLabels" . }} +{{- end -}} + +{{- define "cinder-csi.snapshot-controller.matchLabels" -}} +component: snapshot-controller +{{ include "cinder-csi.common.matchLabels" . }} +{{- end -}} + +{{- define "cinder-csi.snapshot-controller.labels" -}} +{{ include "cinder-csi.snapshot-controller.matchLabels" . }} +{{ include "cinder-csi.common.metaLabels" . }} +{{- end -}} diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml new file mode 100644 index 000000000..3e7b600fb --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/cinder-csi-driver.yaml @@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.confidential.cloud +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral 
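Review bot: Several helpers defined in `_helpers.tpl` are never referenced by the templates in this commit: `cinder-csi.serviceAccountName` (the deployment and daemonset hard-code `csi-cinder-controller-sa` and `csi-cinder-node-sa`), `cinder-csi.fullname`, and the `cinder-csi.snapshot-controller.*` label helpers (no snapshot controller is deployed). `cinder-csi.serviceAccountName` also reads `.Values.serviceAccount.create`, a key that does not appear in the visible part of `values.yaml`, so any future use would need that default added first. Either drop the unused definitions or switch the workloads and RBAC to `{{ include "cinder-csi.serviceAccountName" . }}` so the account name is defined once. If they are kept deliberately for parity with the upstream chart, a comment saying so above the block would stop the next reader from removing them.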
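Review bot: The `CSIDriver` object advertises `volumeLifecycleModes: - Persistent - Ephemeral`, which lets any pod author in any namespace request an inline CSI volume from this driver without a PVC or StorageClass; that is a broader attack surface than PVC-based provisioning, and the driver's `--kms-addr` wiring suggests every such volume also triggers a key request. If the Constellation build of the plugin does not implement inline ephemeral volumes, remove the `Ephemeral` entry; if it does, add a comment stating that inline volumes are intentionally allowed and rely on the same encryption path, e.g. `# Ephemeral is listed so pods may use inline CSI volumes; these go through the same KMS-backed encryption as PVCs.` The driver name `cinder.csi.confidential.cloud` also differs from the `cinder.csi.openstack.org` directory used for the kubelet socket in the nodeplugin daemonset hunk below; the two should agree to avoid confusing operators and log readers.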
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml new file mode 100644 index 000000000..9e13f8513 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml 
@@ -0,0 +1,194 @@ +kind: Deployment +apiVersion: apps/v1 +metadata: + name: {{ include "cinder-csi.name" . }}-controllerplugin + namespace: {{ .Release.Namespace }} + labels: + {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.csi.plugin.controllerPlugin.replicas }} + strategy: + type: {{ .Values.csi.plugin.controllerPlugin.strategy.type }} +{{- if eq .Values.csi.plugin.controllerPlugin.strategy.type "RollingUpdate" }} + rollingUpdate: + maxUnavailable: {{ .Values.csi.plugin.controllerPlugin.strategy.rollingUpdate.maxUnavailable }} + maxSurge: {{ .Values.csi.plugin.controllerPlugin.strategy.rollingUpdate.maxSurge }} +{{- end }} + selector: + matchLabels: + {{- include "cinder-csi.controllerplugin.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "cinder-csi.controllerplugin.labels" . | nindent 8 }} + spec: + serviceAccount: csi-cinder-controller-sa + containers: + - name: csi-attacher + image: "{{ .Values.csi.attacher.image.repository }}:{{ .Values.csi.attacher.image.tag }}" + imagePullPolicy: {{ .Values.csi.attacher.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + - "--timeout={{ .Values.timeout }}" + - "--leader-election=true" + - "--default-fstype=ext4" + {{- if .Values.csi.attacher.extraArgs }} + {{- with .Values.csi.attacher.extraArgs }} + {{- tpl . 
$ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: {{ toYaml .Values.csi.attacher.resources | nindent 12 }} + - name: csi-provisioner + image: "{{ .Values.csi.provisioner.image.repository }}:{{ .Values.csi.provisioner.image.tag }}" + imagePullPolicy: {{ .Values.csi.provisioner.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + - "--timeout={{ .Values.timeout }}" + - "--leader-election=true" + - "--default-fstype=ext4" + - "--feature-gates=Topology={{ .Values.csi.provisioner.topology }}" + - "--extra-create-metadata" + {{- if .Values.csi.provisioner.extraArgs }} + {{- with .Values.csi.provisioner.extraArgs }} + {{- tpl . $ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: {{ toYaml .Values.csi.provisioner.resources | nindent 12 }} + - name: csi-snapshotter + image: "{{ .Values.csi.snapshotter.image.repository }}:{{ .Values.csi.snapshotter.image.tag }}" + imagePullPolicy: {{ .Values.csi.snapshotter.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + - "--timeout={{ .Values.timeout }}" + - "--leader-election=true" + {{- if .Values.csi.snapshotter.extraArgs }} + {{- with .Values.csi.snapshotter.extraArgs }} + {{- tpl . 
$ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + resources: {{ toYaml .Values.csi.snapshotter.resources | nindent 12 }} + - name: csi-resizer + image: "{{ .Values.csi.resizer.image.repository }}:{{ .Values.csi.resizer.image.tag }}" + imagePullPolicy: {{ .Values.csi.resizer.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + - "--timeout={{ .Values.timeout }}" + - "--handle-volume-inuse-error=false" + - "--leader-election=true" + {{- if .Values.csi.resizer.extraArgs }} + {{- with .Values.csi.resizer.extraArgs }} + {{- tpl . $ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: {{ toYaml .Values.csi.resizer.resources | nindent 12 }} + - name: liveness-probe + image: "{{ .Values.csi.livenessprobe.image.repository }}:{{ .Values.csi.livenessprobe.image.tag }}" + imagePullPolicy: {{ .Values.csi.livenessprobe.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + {{- if .Values.csi.livenessprobe.extraArgs }} + {{- with .Values.csi.livenessprobe.extraArgs }} + {{- tpl . 
$ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + resources: {{ toYaml .Values.csi.livenessprobe.resources | nindent 12 }} + - name: cinder-csi-plugin + image: "{{ .Values.csi.plugin.image.repository }}:{{ .Values.csi.plugin.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.csi.plugin.image.pullPolicy }} + args: + - /bin/cinder-csi-plugin + - "-v={{ .Values.logVerbosityLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--cloud-config=$(CLOUD_CONFIG)" + - "--cluster=$(CLUSTER_NAME)" + - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}" + {{- if .Values.csi.plugin.extraArgs }} + {{- with .Values.csi.plugin.extraArgs }} + {{- tpl . $ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/kubernetes/{{ .Values.secret.filename }} + - name: CLUSTER_NAME + value: "{{ .Values.clusterID }}" + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + # The probe + livenessProbe: + failureThreshold: {{ .Values.csi.livenessprobe.failureThreshold }} + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: {{ .Values.csi.livenessprobe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.csi.livenessprobe.timeoutSeconds }} + periodSeconds: {{ .Values.csi.livenessprobe.periodSeconds }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: cloud-config + mountPath: /etc/kubernetes/{{ .Values.secret.filename }} + readOnly: true + subPath: {{ .Values.secret.filename }} + resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }} + volumes: + - name: socket-dir + emptyDir: + - name: cloud-config + {{- if .Values.secret.enabled }} + secret: + secretName: {{ .Values.secret.name }} 
+ {{- else }} + hostPath: + path: /etc/kubernetes + {{- end }} + affinity: {{ toYaml .Values.csi.plugin.controllerPlugin.affinity | nindent 8 }} + nodeSelector: {{ toYaml .Values.csi.plugin.controllerPlugin.nodeSelector | nindent 8 }} + tolerations: {{ toYaml .Values.csi.plugin.controllerPlugin.tolerations | nindent 8 }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml new file mode 100644 index 000000000..e8d7a909f --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml 
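Review bot: The pod spec renders `imagePullSecrets` twice whenever `.Values.imagePullSecrets` is non-empty: once via `imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}` and again inside the trailing `{{- with .Values.imagePullSecrets }}` block, which yields a duplicate mapping key that the Kubernetes YAML decoder is likely to reject; drop the `with` block (the same duplication is in the nodeplugin daemonset). `serviceAccount: csi-cinder-controller-sa` uses the deprecated alias of `serviceAccountName`; switching to `serviceAccountName:` avoids a field that newer API validation may warn on. The `{{- else }}` branch mounts `hostPath: /etc/kubernetes` when `secret.enabled` is false, which exposes a control-plane directory to the controller pod; since `subPath` limits it to one file this is contained, but a comment on why a hostPath fallback is wanted in a confidential cluster, e.g. `# hostPath fallback is for clusters that provision cloud config on the node instead of via the cinder-config chart`, would document the trade-off. `.Values.secret.enabled`, `.Values.secret.name`, `.Values.secret.filename` and `.Values.clusterID` are read here but the visible part of `values.yaml` is cut off before any `secret:` block, so their defaults could not be checked.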
@@ -0,0 +1,174 @@ +# This YAML file contains RBAC API objects, +# which are necessary to run csi controller plugin + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: {{ .Release.Namespace }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-attacher-role + apiGroup: rbac.authorization.k8s.io +--- +# external Provisioner +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: 
["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-provisioner-role + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # Secret permission is optional. + # Enable it if your driver needs secret. + # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. + # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. 
+ # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-snapshotter-role + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role +rules: + # The following rule should be uncommented for plugins that require secrets + # for provisioning. 
+ # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: csi-resizer-role + apiGroup: rbac.authorization.k8s.io +--- diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml new file mode 100644 index 000000000..dd9f513ac --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml 
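Review bot: All four ClusterRoles and their bindings use generic cluster-scoped names (`csi-attacher-role`, `csi-provisioner-role`, `csi-snapshotter-role`, `csi-resizer-role`, `*-binding`), which will collide with the upstream cloud-provider-openstack chart or any other CSI chart that ships the same names in the same cluster; prefixing them, e.g. `name: {{ include "cinder-csi.name" . }}-attacher-role`, uses a helper the chart already has. Each role also grants `coordination.k8s.io/leases` with create/update/delete cluster-wide, although the sidecars are started with `--leader-election=true` and no namespace override, so as far as the visible flags show they only touch leases in their own namespace; a single namespaced Role and RoleBinding in `.Release.Namespace` would hold that permission once instead of four times and keep `csi-cinder-controller-sa` from being able to tamper with leases of other controllers. The `secrets` rules are left commented out, which is right for this driver and worth keeping that way.

```yaml
# … unchanged: ServiceAccount csi-cinder-controller-sa and the four ClusterRoles, each with its coordination.k8s.io/leases rule removed …
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "cinder-csi.name" . }}-controller-leases
  namespace: {{ .Release.Namespace }}
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "cinder-csi.name" . }}-controller-leases
  namespace: {{ .Release.Namespace }}
subjects:
  - kind: ServiceAccount
    name: csi-cinder-controller-sa
    namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: {{ include "cinder-csi.name" . }}-controller-leases
  apiGroup: rbac.authorization.k8s.io
```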
@@ -0,0 +1,153 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ include "cinder-csi.name" . }}-nodeplugin + namespace: {{ .Release.Namespace }} + labels: + {{- include "cinder-csi.nodeplugin.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "cinder-csi.nodeplugin.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "cinder-csi.nodeplugin.labels" . | nindent 8 }} + spec: + serviceAccount: csi-cinder-node-sa + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: node-driver-registrar + image: "{{ .Values.csi.nodeDriverRegistrar.image.repository }}:{{ .Values.csi.nodeDriverRegistrar.image.tag }}" + imagePullPolicy: {{ .Values.csi.nodeDriverRegistrar.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + {{- if .Values.csi.nodeDriverRegistrar.extraArgs }} + {{- with .Values.csi.nodeDriverRegistrar.extraArgs }} + {{- tpl . $ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: {{ toYaml .Values.csi.nodeDriverRegistrar.resources | nindent 12 }} + - name: liveness-probe + image: "{{ .Values.csi.livenessprobe.image.repository }}:{{ .Values.csi.livenessprobe.image.tag }}" + imagePullPolicy: {{ .Values.csi.livenessprobe.image.pullPolicy }} + args: + - "-v={{ .Values.logVerbosityLevel }}" + - --csi-address=/csi/csi.sock + {{- if .Values.csi.livenessprobe.extraArgs }} + {{- with .Values.csi.livenessprobe.extraArgs }} + {{- tpl . 
$ | trim | nindent 12 }} + {{- end }} + {{- end }} + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: {{ toYaml .Values.csi.livenessprobe.resources | nindent 12 }} + - name: cinder-csi-plugin + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: "{{ .Values.csi.plugin.image.repository }}:{{ .Values.csi.plugin.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.csi.plugin.image.pullPolicy }} + args: + - /bin/cinder-csi-plugin + - "-v={{ .Values.logVerbosityLevel }}" + - "--endpoint=$(CSI_ENDPOINT)" + - "--cloud-config=$(CLOUD_CONFIG)" + - "--kms-addr={{ .Values.csi.kms.keyServiceName }}.{{ .Values.csi.kms.keyServiceNamespace | default .Release.Namespace }}:{{ .Values.csi.kms.keyServicePort }}" + {{- if .Values.csi.plugin.extraArgs }} + {{- with .Values.csi.plugin.extraArgs }} + {{- tpl . $ | trim | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/kubernetes/{{ .Values.secret.filename }} + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + # The probe + livenessProbe: + failureThreshold: {{ .Values.csi.livenessprobe.failureThreshold }} + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: {{ .Values.csi.livenessprobe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.csi.livenessprobe.timeoutSeconds }} + periodSeconds: {{ .Values.csi.livenessprobe.periodSeconds }} + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: kubelet-dir + mountPath: {{ .Values.csi.plugin.nodePlugin.kubeletDir }} + mountPropagation: "Bidirectional" + - name: pods-probe-dir + mountPath: /dev + mountPropagation: "HostToContainer" + - name: cloud-config + mountPath: /etc/kubernetes/{{ .Values.secret.filename }} + readOnly: true + subPath: {{ .Values.secret.filename }} + resources: {{ toYaml .Values.csi.plugin.resources | nindent 12 }} + volumes: + - name: socket-dir + 
hostPath: + path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins_registry/ + type: Directory + - name: kubelet-dir + hostPath: + path: {{ .Values.csi.plugin.nodePlugin.kubeletDir }} + type: Directory + # - name: pods-cloud-data + # hostPath: + # path: /var/lib/cloud/data + # type: Directory + - name: pods-probe-dir + hostPath: + path: /dev + type: Directory + - name: cloud-config + {{- if .Values.secret.enabled }} + secret: + secretName: {{ .Values.secret.name }} + {{- else }} + hostPath: + path: /etc/kubernetes + {{- end }} + affinity: {{ toYaml .Values.csi.plugin.nodePlugin.affinity | nindent 8 }} + nodeSelector: {{ toYaml .Values.csi.plugin.nodePlugin.nodeSelector | nindent 8 }} + tolerations: {{ toYaml .Values.csi.plugin.nodePlugin.tolerations | nindent 8 }} + imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml new file mode 100644 index 000000000..894a8df21 --- /dev/null +++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/nodeplugin-rbac.yaml 
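Review bot: The kubelet socket directory is `{{ .Values.csi.plugin.nodePlugin.kubeletDir }}/plugins/cinder.csi.openstack.org` (both in `DRIVER_REG_SOCK_PATH` and the `socket-dir` hostPath) while the `CSIDriver` object and the StorageClasses in this commit name the driver `cinder.csi.confidential.cloud`; the kubelet does not require the directory to match the driver name, but two names for one driver make registration failures hard to diagnose, so use `plugins/cinder.csi.confidential.cloud` in both places or factor the string into one value. The `cinder-csi-plugin` container sets `privileged: true`, which already grants every capability, so the `capabilities.add: ["SYS_ADMIN"]` line is redundant; what is missing is a comment on why privilege is needed, e.g. `# privileged: needed for Bidirectional mount propagation into the kubelet dir and raw access to /dev — presumably for the on-node encryption this chart advertises, confirm`. `hostNetwork: true` and the read-write `/dev` hostPath widen the blast radius of this pod, so the DaemonSet is the one to watch in admission policy; the `serviceAccount:` alias and the duplicate `imagePullSecrets` rendering noted on the controller deployment apply here too.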
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-cinder-node-sa
+ namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-nodeplugin-role
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-nodeplugin-binding
+subjects:
+ - kind: ServiceAccount
+ name: csi-cinder-node-sa
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: csi-nodeplugin-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml
new file mode 100644
index 000000000..5c987b7be
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/templates/storageclass.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.storageClass.enabled }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: encrypted-rwo
+ {{- if .Values.storageClass.default.isDefault }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ {{- end }}
+provisioner: cinder.csi.confidential.cloud
+reclaimPolicy: Delete
+allowVolumeExpansion: {{ .Values.storageClass.default.allowVolumeExpansion }}
+volumeBindingMode: Immediate
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: integrity-encrypted-rwo
+ {{- if .Values.storageClass.integrity.isDefault }}
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+ {{- end }}
+parameters:
+ csi.storage.k8s.io/fstype: ext4-integrity
+provisioner: cinder.csi.confidential.cloud
+reclaimPolicy: Delete
+allowVolumeExpansion: {{ .Values.storageClass.integrity.allowVolumeExpansion }}
+volumeBindingMode: Immediate
+{{- end }}
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml
new file mode 100644
index 000000000..40d986102
--- /dev/null
+++ b/cli/internal/helm/charts/edgeless/constellation-services/charts/cinder-csi-plugin/values.yaml
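Review bot: `provisioner: cinder.csi.confidential.cloud` on both StorageClasses has to equal the driver name the plugin registers under, yet the node DaemonSet in the preceding hunk still builds its socket directory from the upstream name (`plugins/cinder.csi.openstack.org`) and the CSIDriver object is outside this excerpt; if the binary registers as `cinder.csi.openstack.org`, PVCs using these classes would never be provisioned, so please confirm the three agree. Separately, `volumeBindingMode: Immediate` is combined with `csi.provisioner.topology: "true"` in values.yaml; with topology-aware provisioning, `WaitForFirstConsumer` is the mode that lets the scheduler choose the availability zone before the volume is created, otherwise a volume can be created in a zone where the pod cannot schedule. Finally nothing prevents `default.isDefault` and `integrity.isDefault` both being true, which renders two default StorageClasses; a `fail` guard in the template or a constraint in a values.schema.json would catch that at render time.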
@@ -0,0 +1,120 @@
+extraLabels: {}
+
+nameOverride: ""
+fullnameOverride: ""
+timeout: 3m
+
+csi:
+ attacher:
+ image:
+ repository: registry.k8s.io/sig-storage/csi-attacher
+ tag: v4.2.0
+ pullPolicy: IfNotPresent
+ resources: {}
+ extraArgs: {}
+ provisioner:
+ topology: "true"
+ image:
+ repository: registry.k8s.io/sig-storage/csi-provisioner
+ tag: v3.4.1
+ pullPolicy: IfNotPresent
+ resources: {}
+ extraArgs: {}
+ snapshotter:
+ image:
+ repository: registry.k8s.io/sig-storage/csi-snapshotter
+ tag: v6.2.1
+ pullPolicy: IfNotPresent
+ resources: {}
+ extraArgs: {}
+ resizer:
+ image:
+ repository: registry.k8s.io/sig-storage/csi-resizer
+ tag: v1.7.0
+ pullPolicy: IfNotPresent
+ resources: {}
+ extraArgs: {}
+ livenessprobe:
+ image:
+ repository: registry.k8s.io/sig-storage/livenessprobe
+ tag: v2.9.0
+ pullPolicy: IfNotPresent
+ failureThreshold: 5
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ periodSeconds: 60
+ resources: {}
+ extraArgs: {}
+ nodeDriverRegistrar:
+ image:
+ repository: registry.k8s.io/sig-storage/csi-node-driver-registrar
+ tag: v2.6.2
+ pullPolicy: IfNotPresent
+ resources: {}
+ extraArgs: {}
+ plugin:
+ image:
+ repository: ghcr.io/edgelesssys/constellation/cinder-csi-plugin
+ pullPolicy: IfNotPresent
+ tag: # defaults to .Chart.AppVersion
+ volumeMounts:
+ - name: cloud-config
+ mountPath: /etc/kubernetes
+ readOnly: true
+ nodePlugin:
+ affinity: {}
+ nodeSelector: {}
+ tolerations:
+ - operator: Exists
+ kubeletDir: /var/lib/kubelet
+ controllerPlugin:
+ replicas: 1
+ strategy:
+ # RollingUpdate strategy replaces old pods with new ones gradually,
+ # without incurring downtime.
+ type: RollingUpdate
+ rollingUpdate:
+ # maxUnavailable is the maximum number of pods that can be
+ # unavailable during the update process.
+ maxUnavailable: 0
+ # maxSurge is the maximum number of pods that can be
+ # created over the desired number of pods.
+ maxSurge: 1
+ affinity: {}
+ nodeSelector: {}
+ tolerations: []
+ resources: {}
+ extraArgs: {}
+ kms:
+ keyServiceName: "key-service"
+ keyServicePort: 9000
+ keyServiceNamespace: "kube-system"
+
+# Log verbosity level.
+# See https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/logging.md
+# for description of individual verbosity levels.
+logVerbosityLevel: 2
+
+secret:
+ enabled: true
+ create: false
+ filename: cloudprovider.conf
+ name: cinder-csi-cloud-config
+
+storageClass:
+ enabled: true
+ default:
+ isDefault: true
+ allowVolumeExpansion: true
+ integrity:
+ isDefault: false
+ allowVolumeExpansion: false
+
+# You may set ID of the cluster where openstack-cinder-csi is deployed. This value will be appended
+# to volume metadata in newly provisioned volumes as `cinder.csi.openstack.org/cluster=`.
+clusterID: "kubernetes"
+
+priorityClassName: ""
+
+imagePullSecrets: []
+# - name: my-imagepull-secret
diff --git a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
index 90aac76fb..24fc9e608 100644
--- a/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
+++ b/cli/internal/helm/charts/edgeless/constellation-services/values.yaml
@@ -19,6 +19,7 @@ azure: # OpenStack specific configuration openstack: deployYawolLoadBalancer: false + deployCSIDriver: false # Set one of the tags to true to indicate which CSP you are deploying to. tags:
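Review bot: Every sidecar image (`csi-attacher` v4.2.0, `csi-provisioner` v3.4.1, `csi-snapshotter` v6.2.1, `csi-resizer` v1.7.0, `livenessprobe` v2.9.0, `csi-node-driver-registrar` v2.6.2) is pinned by mutable tag only, and the plugin image has no tag at all (it falls back to `.Chart.AppVersion`); for a component that mounts `/dev` and the kubelet directory from every node, pinning by `@sha256` digest, or at least documenting how these versions are bumped, would make the supply chain auditable. The `kms` block (`keyServiceName`, `keyServicePort`, `keyServiceNamespace`) has no comment explaining what consumes it, unlike `logVerbosityLevel` and `clusterID`; a short note such as `# Endpoint of the key service the plugin contacts (see the plugin's KMS client)` would help, adjusted to what the plugin actually does. Likewise `secret.create: false` together with `secret.enabled: true` means the chart relies on a Secret named `cinder-csi-cloud-config` already existing (presumably created by the sibling cinder-config chart in this commit); a comment making that dependency explicit avoids a confusing mount failure when the chart is installed on its own.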