Use kustomize for csi driver
Signed-off-by: Jirka Kremser <[email protected]>
jkremser committed Oct 5, 2023
1 parent 4000124 commit 4beeb44
Showing 19 changed files with 290 additions and 213 deletions.
2 changes: 1 addition & 1 deletion .gitignore
@@ -1,3 +1,3 @@
# binary
/bin/kustomize
/bin/*

18 changes: 16 additions & 2 deletions Makefile.custom.mk
Expand Up @@ -4,9 +4,11 @@ OS ?= $(shell go env GOOS 2>/dev/null || echo linux)
ARCH ?= $(shell go env GOARCH 2>/dev/null || echo amd64)
KUSTOMIZE := ./bin/kustomize
KUSTOMIZE_VERSION ?= v4.5.7
YQ = ./bin/yq
YQ_VERSION := 4.31.2

.PHONY: all
all: update-cpi-chart update-csi-chart update-kubevip-chart update-kubevip-cloud-provider-chart
all: update-cpi-chart update-csi-chart apply-custom-patches-for-csi update-kubevip-chart update-kubevip-cloud-provider-chart
@$(call say,Sync has been done ✓)

.PHONY: update-cpi-chart
Expand All @@ -15,11 +17,16 @@ update-cpi-chart:
./hack/update-cpi-chart.sh
./hack/common-labels-injector.sh cloud-provider-for-vsphere

.PHONY: apply-custom-patches-for-csi
apply-custom-patches-for-csi: $(YQ) ## apply giantswarm specific patches that are not possible via kustomize
@$(call say,Custom yq magic for CSI)
./hack/custom-patches.sh
./hack/common-labels-injector.sh vsphere-csi-driver

.PHONY: update-csi-chart
update-csi-chart: $(KUSTOMIZE)
@$(call say,CSI helm chart)
./hack/update-csi-chart.sh $(KUSTOMIZE)
./hack/common-labels-injector.sh vsphere-csi-driver

.PHONY: update-kubevip-chart
update-kubevip-chart:
Expand All @@ -40,6 +47,13 @@ $(KUSTOMIZE): ## Download kustomize locally if necessary.
chmod +x $@
@echo "kustomize downloaded"

$(YQ): ## Download yq locally if necessary.
@$(call say,Download yq)
curl -sfL https://github.com/mikefarah/yq/releases/download/v$(YQ_VERSION)/yq_$(OS)_$(ARCH) > $@
chmod +x $@
@echo "yq downloaded"


ifndef NO_COLOR
YELLOW=\033[0;33m
# no color
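Review bot: The new `$(YQ)` rule downloads an executable with no integrity check, and because it redirects with `> $@`, a failed `curl -f` still leaves an empty but executable `./bin/yq` that every later run treats as up to date. Download to `$@.tmp`, verify it against the sha256 published with the yq release (pinned in a `YQ_SHA256` variable next to `YQ_VERSION`), and only then move it into place; the kustomize rule above it likely has the same shape, but its download line is outside this hunk. Separately, `all` lists `update-csi-chart` and `apply-custom-patches-for-csi` as independent prerequisites, so under `make -j` the yq patch can run before the chart it edits has been regenerated; `apply-custom-patches-for-csi: $(YQ) update-csi-chart` would make that ordering explicit.
```make
$(YQ): ## Download yq locally if necessary.
	@$(call say,Download yq)
	curl -sfL "https://github.com/mikefarah/yq/releases/download/v$(YQ_VERSION)/yq_$(OS)_$(ARCH)" -o $@.tmp
	# refuse to use the binary unless it matches the checksum shipped with the release
	echo "$(YQ_SHA256)  $@.tmp" | sha256sum -c -
	mv -f $@.tmp $@
	chmod +x $@
	@echo "yq downloaded"
```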
Expand Up @@ -31,4 +31,4 @@ spec:
- {{ .Release.Namespace }}
names:
- cloud-provider-for-vsphere*
{{- end }}
{{- end }}
Expand Up @@ -31,4 +31,4 @@ spec:
- {{ .Release.Namespace }}
names:
- kube-vip-cloud-provider*
{{- end }}
{{- end }}
2 changes: 1 addition & 1 deletion config/kube-vip/overwrites/templates/pss-exceptions.yaml
Expand Up @@ -62,4 +62,4 @@ spec:
- {{ .Release.Namespace }}
names:
- kube-vip
{{- end }}
{{- end }}
30 changes: 15 additions & 15 deletions config/vsphere-csi-driver/overwrites/templates/pss-exceptions.yaml
Expand Up @@ -28,24 +28,24 @@ spec:
ruleNames:
- restricted-volumes
- autogen-restricted-volumes
- policyName: require-run-as-nonroot
ruleNames:
- run-as-non-root
- autogen-run-as-non-root
# - policyName: require-run-as-nonroot
# ruleNames:
# - run-as-non-root
# - autogen-run-as-non-root
- policyName: restrict-seccomp-strict
ruleNames:
- check-seccomp-strict
- autogen-check-seccomp-strict
- policyName: disallow-capabilities
ruleNames:
- adding-capabilities
- autogen-adding-capabilities
- policyName: disallow-capabilities-strict
ruleNames:
- adding-capabilities-strict
- autogen-adding-capabilities-strict
- require-drop-all
- autogen-require-drop-all
# - policyName: disallow-capabilities
# ruleNames:
# - adding-capabilities
# - autogen-adding-capabilities
# - policyName: disallow-capabilities-strict
# ruleNames:
# - adding-capabilities-strict
# - autogen-adding-capabilities-strict
# - require-drop-all
# - autogen-require-drop-all
- policyName: disallow-privilege-escalation
ruleNames:
- privilege-escalation
Expand All @@ -62,4 +62,4 @@ spec:
- {{ .Release.Namespace }}
names:
- vsphere-csi*
{{- end }}
{{- end }}
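Review bot: The exceptions for `require-run-as-nonroot`, `disallow-capabilities` and `disallow-capabilities-strict` are removed for every workload matching `vsphere-csi*`, but the new `containerSecurityContext` in values.yaml sets no `capabilities.drop` at all and the custom patch appears to inject it only into the controller deployment; unless the upstream manifests already drop all capabilities and run as non-root everywhere (a node-side workload, if the chart ships one, typically cannot), those pods will now be rejected by the policy. Conversely, the `restrict-seccomp-strict` and `disallow-privilege-escalation` exceptions are kept even though the same values block now sets `seccompProfile: RuntimeDefault` and `allowPrivilegeEscalation: false`, so either they are now dead or the run-as-non-root removal is too broad. Delete the entries instead of commenting them out, and add a one-line comment above the remaining list stating which workload still needs each exception and why, e.g. `# only the node plugin still needs these; the controller gets a restricted securityContext via values.yaml`.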
6 changes: 6 additions & 0 deletions config/vsphere-csi-driver/overwrites/values.yaml
Expand Up @@ -53,3 +53,9 @@ storageClass:
isDefault: false
vcdStorageProfileName: "vSAN Default Storage Policy"
fileSystem: "ext4"

containerSecurityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
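Review bot: `containerSecurityContext` stops short of the restricted profile this commit is tightening the Kyverno exceptions toward: there is no `capabilities: {drop: [ALL]}`, which the removed `require-drop-all` exception used to cover, and no `readOnlyRootFilesystem`. Adding `capabilities:` / `  drop:` / `    - ALL` here is the matching fix, assuming the controller containers need no added capabilities (worth confirming against the upstream manifests). The custom patch also injects `.Values.podSecurityContext`, which this file never defines, so the pod-level block renders empty; either add a default such as `podSecurityContext: {seccompProfile: {type: RuntimeDefault}}` or a comment noting that it is intentionally left unset.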
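--- /dev/null
+++ b/hack/custom-patches.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+YQ="./bin/yq"
+
+f="helm/cloud-provider-vsphere/charts/vsphere-csi-driver/templates/apps_v1_deployment_vsphere-csi-controller.yaml"
+${YQ} e '.spec.template.spec.securityContext.remove-this-key="'"
+{{- with .Values.podSecurityContext }}
+{{- . | toYaml | nindent 8 }}
+{{- end }}
+"'" | .spec.template.spec.containers[].securityContext.remove-this-key="'"
+{{- with .Values.containerSecurityContext }}
+{{- . | toYaml | nindent 12 }}
+{{- end }}
+"'"' ${f} > ${f}.tmp
+cat ${f}.tmp | grep -v 'remove-this-key' > ${f}
+rm -rf ${f}.tmp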
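Review bot: Nothing checks that the Helm template text actually landed in the rendered file: the `grep -v 'remove-this-key'` step depends on yq emitting that key on its own line with the multi-line value below it, and a yq release that renders the string differently would strip the placeholder and silently leave the deployment without any security context while the build still succeeds. A post-condition after the rewrite, `grep -q 'containerSecurityContext' "${f}" || { echo "securityContext template not injected into ${f}" >&2; exit 1; }`, turns that into a hard failure. The tool path is also hard-coded as `YQ="./bin/yq"` while the sibling `update-csi-chart.sh` is handed its tool by the Makefile, so `YQ="${1:-./bin/yq}"` would keep the two consistent; `rm -rf` on a single temp file should be `rm -f`, and `${f}` should be quoted even though the current path has no spaces. Note that only the controller deployment is patched here, so any other CSI workload in the chart is not covered by this security context.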
Expand Up @@ -31,4 +31,4 @@ spec:
- {{ .Release.Namespace }}
names:
- cloud-provider-for-vsphere*
{{- end }}
{{- end }}
Expand Up @@ -31,4 +31,4 @@ spec:
- {{ .Release.Namespace }}
names:
- kube-vip-cloud-provider*
{{- end }}
{{- end }}
Expand Up @@ -62,4 +62,4 @@ spec:
- {{ .Release.Namespace }}
names:
- kube-vip
{{- end }}
{{- end }}
