From a16ad32a3fd8914caf80eaf424ca38627bab302f Mon Sep 17 00:00:00 2001 From: mkjpryor Date: Tue, 9 Jan 2024 11:55:52 +0000 Subject: [PATCH] Update csi-cinder addon to 2.28.1 --- manifests.yaml | 585 +++++++++++++++++++++++++++++++ skopeo-manifests/csi-cinder.yaml | 16 + 2 files changed, 601 insertions(+) create mode 100644 manifests.yaml create mode 100644 skopeo-manifests/csi-cinder.yaml diff --git a/manifests.yaml b/manifests.yaml new file mode 100644 index 000000000..a3be4ef6f --- /dev/null +++ b/manifests.yaml @@ -0,0 +1,585 @@ +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +# This YAML file contains RBAC API objects, +# which are necessary to run csi controller plugin + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: default +--- +# Source: openstack-cinder-csi/templates/nodeplugin-rbac.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-node-sa + namespace: default +--- +# Source: openstack-cinder-csi/templates/storageclass.yaml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: csi-cinder-sc-delete +provisioner: cinder.csi.openstack.org +reclaimPolicy: Delete +allowVolumeExpansion: true +--- +# Source: openstack-cinder-csi/templates/storageclass.yaml +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: csi-cinder-sc-retain +provisioner: cinder.csi.openstack.org +reclaimPolicy: Retain +allowVolumeExpansion: true +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +# external Provisioner +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-role +rules: + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # Secret permission is optional. + # Enable it if your driver needs secret. + # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. + # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. + # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-role +rules: + # The following rule should be uncommented for plugins that require secrets + # for provisioning. + # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +--- +# Source: openstack-cinder-csi/templates/nodeplugin-rbac.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-role +rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "create", "update", "patch"] +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: default +roleRef: + kind: ClusterRole + name: csi-attacher-role + apiGroup: rbac.authorization.k8s.io +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-provisioner-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: default +roleRef: + kind: ClusterRole + name: csi-provisioner-role + apiGroup: rbac.authorization.k8s.io +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-snapshotter-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: default +roleRef: + kind: ClusterRole + name: csi-snapshotter-role + apiGroup: rbac.authorization.k8s.io +--- +# Source: openstack-cinder-csi/templates/controllerplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-resizer-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: default +roleRef: + kind: ClusterRole + name: csi-resizer-role + apiGroup: rbac.authorization.k8s.io +--- +# Source: openstack-cinder-csi/templates/nodeplugin-rbac.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-binding +subjects: + - kind: ServiceAccount + name: csi-cinder-node-sa + namespace: default +roleRef: + kind: ClusterRole + name: csi-nodeplugin-role + apiGroup: rbac.authorization.k8s.io +--- +# Source: openstack-cinder-csi/templates/nodeplugin-daemonset.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: openstack-cinder-csi-nodeplugin + namespace: default + labels: + component: nodeplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + chart: openstack-cinder-csi-2.28.1 + heritage: Helm + annotations: +spec: + selector: + matchLabels: + component: nodeplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + template: + metadata: + labels: + component: nodeplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + chart: openstack-cinder-csi-2.28.1 + heritage: Helm + annotations: + spec: + serviceAccount: csi-cinder-node-sa + hostNetwork: true + containers: + - name: node-driver-registrar + securityContext: + {} + image: "registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.6.2" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: registration-dir + mountPath: /registration + resources: + {} + - name: liveness-probe + securityContext: + {} + image: "registry.k8s.io/sig-storage/livenessprobe:v2.9.0" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - --csi-address=/csi/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /csi + resources: + {} + - name: cinder-csi-plugin + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: "registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.1" + imagePullPolicy: IfNotPresent + args: + - /bin/cinder-csi-plugin + - "-v=2" + - "--endpoint=$(CSI_ENDPOINT)" + - "--cloud-config=$(CLOUD_CONFIG)" + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/kubernetes/cloud.conf + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + # The probe + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + periodSeconds: 60 + volumeMounts: + - name: socket-dir + mountPath: /csi + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: pods-probe-dir + mountPath: /dev + mountPropagation: "HostToContainer" + - mountPath: /etc/cacert + name: cacert + readOnly: true + - mountPath: /etc/kubernetes + name: cloud-config + readOnly: true + resources: + {} + volumes: + - name: socket-dir + hostPath: + path: /var/lib/kubelet/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + # - name: pods-cloud-data + # hostPath: + # path: /var/lib/cloud/data + # type: Directory + - name: pods-probe-dir + hostPath: + path: /dev + type: Directory + - name: cloud-config + hostPath: + path: /etc/kubernetes + - hostPath: + path: /etc/cacert + name: cacert + affinity: + {} + nodeSelector: + {} + tolerations: + - operator: Exists +--- +# Source: openstack-cinder-csi/templates/controllerplugin-deployment.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: openstack-cinder-csi-controllerplugin + namespace: default + labels: + component: controllerplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + chart: openstack-cinder-csi-2.28.1 + heritage: Helm + annotations: +spec: + replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + selector: + matchLabels: + component: controllerplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + template: + metadata: + labels: + component: controllerplugin + app: openstack-cinder-csi + release: openstack-cinder-csi + chart: openstack-cinder-csi-2.28.1 + heritage: Helm + annotations: + spec: + serviceAccount: csi-cinder-controller-sa + securityContext: + {} + containers: + - name: csi-attacher + securityContext: + {} + image: "registry.k8s.io/sig-storage/csi-attacher:v4.2.0" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--timeout=3m" + - "--leader-election=true" + - "--default-fstype=ext4" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + {} + - name: csi-provisioner + securityContext: + {} + image: "registry.k8s.io/sig-storage/csi-provisioner:v3.4.1" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--timeout=3m" + - "--leader-election=true" + - "--default-fstype=ext4" + - "--feature-gates=Topology=true" + - "--extra-create-metadata" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + {} + - name: csi-snapshotter + securityContext: + {} + image: "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.1" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--timeout=3m" + - "--leader-election=true" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + resources: + {} + - name: csi-resizer + securityContext: + {} + image: "registry.k8s.io/sig-storage/csi-resizer:v1.8.0" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + - "--timeout=3m" + - "--handle-volume-inuse-error=false" + - "--leader-election=true" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + resources: + {} + - name: liveness-probe + securityContext: + {} + image: "registry.k8s.io/sig-storage/livenessprobe:v2.9.0" + imagePullPolicy: IfNotPresent + args: + - "-v=2" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + resources: + {} + - name: cinder-csi-plugin + securityContext: + {} + image: "registry.k8s.io/provider-os/cinder-csi-plugin:v1.28.1" + imagePullPolicy: IfNotPresent + args: + - /bin/cinder-csi-plugin + - "-v=2" + - "--endpoint=$(CSI_ENDPOINT)" + - "--cloud-config=$(CLOUD_CONFIG)" + - "--cluster=$(CLUSTER_NAME)" + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/kubernetes/cloud.conf + - name: CLUSTER_NAME + value: "kubernetes" + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + # The probe + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 10 + periodSeconds: 60 + volumeMounts: + - name: socket-dir + mountPath: /csi + - mountPath: /etc/cacert + name: cacert + readOnly: true + - mountPath: /etc/kubernetes + name: cloud-config + readOnly: true + resources: + {} + volumes: + - name: socket-dir + emptyDir: + - name: cloud-config + hostPath: + path: /etc/kubernetes + - hostPath: + path: /etc/cacert + name: cacert + affinity: + {} + nodeSelector: + {} + tolerations: + [] +--- +# Source: openstack-cinder-csi/templates/cinder-csi-driver.yaml +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.openstack.org +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/skopeo-manifests/csi-cinder.yaml b/skopeo-manifests/csi-cinder.yaml new file mode 100644 index 000000000..3b7dfaae4 --- /dev/null +++ b/skopeo-manifests/csi-cinder.yaml @@ -0,0 +1,16 @@ +registry.k8s.io: + images: + provider-os/cinder-csi-plugin: + - v1.28.1 + sig-storage/csi-attacher: + - v4.2.0 + sig-storage/csi-node-driver-registrar: + - v2.6.2 + sig-storage/csi-provisioner: + - v3.4.1 + sig-storage/csi-resizer: + - v1.8.0 + sig-storage/csi-snapshotter: + - v6.2.1 + sig-storage/livenessprobe: + - v2.9.0