From 7fa73a5d2cbbd8dd1079988669125191043ffd1d Mon Sep 17 00:00:00 2001
From: Ustuzhanin Anton
Date: Tue, 2 Feb 2021 15:04:18 +0500
Subject: [PATCH] feat: fix helm chert
---
.../templates/_helpers.tpl | 3 +
.../templates/configmap-security.yaml | 61 +++++++++++++++++++
.../templates/csidriver.yml | 2 +-
.../templates/daemonset.yml | 28 ++++-----
.../seaweedfs-csi-driver/templates/rbac.yml | 40 ++++++------
.../templates/serviceaccounts.yml | 4 +-
.../templates/statefulset.yml | 17 ++----
.../templates/storageclass.yml | 4 +-
deploy/helm/seaweedfs-csi-driver/values.yaml | 6 ++
9 files changed, 112 insertions(+), 53 deletions(-)
create mode 100644 deploy/helm/seaweedfs-csi-driver/templates/_helpers.tpl
create mode 100644 deploy/helm/seaweedfs-csi-driver/templates/configmap-security.yaml
diff --git a/deploy/helm/seaweedfs-csi-driver/templates/_helpers.tpl b/deploy/helm/seaweedfs-csi-driver/templates/_helpers.tpl
new file mode 100644
index 0000000..642cee9
--- /dev/null
+++ b/deploy/helm/seaweedfs-csi-driver/templates/_helpers.tpl
@@ -0,0 +1,3 @@
+{{- define "seaweedfs-csi-driver.name" -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/deploy/helm/seaweedfs-csi-driver/templates/configmap-security.yaml b/deploy/helm/seaweedfs-csi-driver/templates/configmap-security.yaml
new file mode 100644
index 0000000..ecdcf8b
--- /dev/null
+++ b/deploy/helm/seaweedfs-csi-driver/templates/configmap-security.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.tlsSecret }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "seaweedfs-csi-driver.name" . }}
+ labels:
+ app: {{ template "seaweedfs-csi-driver.name" . }}
+data:
+ security.toml: |-
+ # this file is read by master, volume server, and filer
+
+ # the jwt signing key is read by master and volume server
+ # a jwt expires in 10 seconds
+ #[jwt.signing]
+ # key = "{{ .Values.jwtSigningKey }}"
+ #expires_after_seconds = 10 # seconds
+
+ #[jwt.signing.read]
+ #key = ""
+ #expires_after_seconds = 10 # seconds
+ # all grpc tls authentications are mutual
+ # the values for the following ca, cert, and key are paths to the PERM files.
+ [grpc]
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ [grpc.volume]
+ cert = "/usr/local/share/ca-certificates/tls.crt"
+ key = "/usr/local/share/ca-certificates/tls.key"
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ [grpc.master]
+ cert = "/usr/local/share/ca-certificates/tls.crt"
+ key = "/usr/local/share/ca-certificates/tls.key"
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ [grpc.filer]
+ cert = "/usr/local/share/ca-certificates/tls.crt"
+ key = "/usr/local/share/ca-certificates/tls.key"
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ [grpc.msg_broker]
+ cert = "/usr/local/share/ca-certificates/tls.crt"
+ key = "/usr/local/share/ca-certificates/tls.key"
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ # use this for any place needs a grpc client
+ # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
+ [grpc.client]
+ cert = "/usr/local/share/ca-certificates/tls.crt"
+ key = "/usr/local/share/ca-certificates/tls.key"
+ ca = "/usr/local/share/ca-certificates/ca.crt"
+
+ # volume server https options
+ # Note: work in progress!
+ # this does not work with other clients, e.g., "weed filer|mount" etc, yet.
+ #[https.client]
+ #enabled = false
+ #[https.volume]
+ #cert = ""
+ #key = ""
+{{- end }}
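Review bot: The commented-out line `# key = "{{ .Values.jwtSigningKey }}"` is still rendered by Helm, because a TOML comment inside the `security.toml` block scalar is ordinary template text; if `jwtSigningKey` is ever set, the signing key is written in clear into a ConfigMap, readable by anything allowed to read ConfigMaps in the namespace. Drop the expression from the comment (`# key = ""`) and, if the key is needed later, deliver it from a Secret instead. Separately, every `[grpc.*]` section points at `/usr/local/share/ca-certificates/{tls.crt,tls.key,ca.crt}`, while the daemonset and statefulset hunks of this commit mount the TLS secret at `/var/run/secrets/app/tls`, and no visible hunk mounts this ConfigMap into a pod. As far as this diff shows the file is either unused or names paths that will not exist in the containers, so the mutual-TLS settings it describes may not be the ones in effect.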
diff --git a/deploy/helm/seaweedfs-csi-driver/templates/csidriver.yml b/deploy/helm/seaweedfs-csi-driver/templates/csidriver.yml index 07d5c85..561cb2b 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/csidriver.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/csidriver.yml @@ -1,7 +1,7 @@ apiVersion: storage.k8s.io/v1 kind: CSIDriver metadata: - name: seaweedfs-csi-driver + name: {{ .Values.driverName }} spec: attachRequired: true podInfoOnMount: true diff --git a/deploy/helm/seaweedfs-csi-driver/templates/daemonset.yml b/deploy/helm/seaweedfs-csi-driver/templates/daemonset.yml index 8a92880..aa887c2 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/daemonset.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/daemonset.yml @@ -1,23 +1,23 @@ +{{- if .Values.node.enabled}} --- kind: DaemonSet apiVersion: apps/v1 metadata: - name: csi-seaweedfs-node + name: {{ template "seaweedfs-csi-driver.name" . }}-node spec: selector: matchLabels: - app: csi-seaweedfs-node + app: {{ template "seaweedfs-csi-driver.name" . }}-node updateStrategy: rollingUpdate: maxUnavailable: 25% template: metadata: labels: - app: csi-seaweedfs-node - role: csi-seaweedfs + app: {{ template "seaweedfs-csi-driver.name" . }}-node spec: priorityClassName: system-node-critical - serviceAccountName: csi-seaweedfs-node-sa + serviceAccountName: {{ template "seaweedfs-csi-driver.name" . }}-node-sa #hostNetwork: true #dnsPolicy: ClusterFirstWithHostNet containers: @@ -32,7 +32,7 @@ spec: - name: ADDRESS value: /csi/csi.sock - name: DRIVER_REG_SOCK_PATH - value: /var/lib/kubelet/plugins/com.seaweedfs.csi/csi.sock + value: /var/lib/kubelet/plugins/{{ .Values.driverName }}/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: @@ -56,6 +56,7 @@ spec: - "--endpoint=$(CSI_ENDPOINT)" - "--filer=$(SEAWEEDFS_FILER)" - "--nodeid=$(NODE_ID)" + - "-v=9" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock 
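Review bot: `name: {{ .Values.driverName }}` in csidriver.yml takes the CSI driver name from an unquoted, unvalidated chart value, and the same value is spliced into `DRIVER_REG_SOCK_PATH` in the next daemonset hunk, into the `plugin-dir` hostPath (`type: DirectoryOrCreate`) further down, and into the StorageClass `provisioner`. The values.yaml comment added by this commit says the value must equal the name the plugin returns in GetPluginInfoResponse, so any override makes kubelet registration point at a socket the plugin does not serve, and a value containing `/` or `..` would point the `DirectoryOrCreate` hostPath at a different host directory. Quote it and reject anything that is not a plain DNS-style name, for example `name: {{ required "driverName must be set" .Values.driverName | quote }}` together with a `regexMatch` check that calls `fail` in _helpers.tpl.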
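Review bot: `- "-v=9"` in the args list of the `@@ -56,6 +56,7 @@` daemonset hunk hard-codes a very high log verbosity for the node plugin on every node. What the driver prints at that level is not visible here, but request-level logging in CSI plugins commonly includes volume attributes and mount parameters, so this is worth confirming before it reaches shared log storage; it also cannot be turned down without editing the template. Make it a chart value with a quiet default, e.g. `- "-v={{ .Values.node.logVerbosity | default 2 }}"`, where `node.logVerbosity` is a new key to add next to `node.enabled` in values.yaml. The container spec continues outside the hunk.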
@@ -70,7 +71,7 @@ spec: value: /var/run/secrets/app/tls/tls.key - name: WEED_GRPC_CLIENT_CERT value: /var/run/secrets/app/tls/tls.crt - - name: WEED_GRPC_CLIENT_GRPC_CA + - name: WEED_GRPC_CA value: /var/run/secrets/app/tls/ca.crt {{- end }} resources: @@ -79,7 +80,7 @@ spec: - name: plugin-dir mountPath: /csi - name: pods-mount-dir - mountPath: /var/lib/kubelet + mountPath: /var/lib/kubelet/pods mountPropagation: "Bidirectional" - mountPath: /dev name: device-dir @@ -87,12 +88,6 @@ spec: - name: tls mountPath: /var/run/secrets/app/tls {{- end }} - - name: tools - image: registry.tech.bank24.int/devexp/network-multitool:1.0 - command: - - bash - - -c - - tail -f /dev/null volumes: - name: registration-dir hostPath: @@ -100,11 +95,11 @@ spec: type: DirectoryOrCreate - name: plugin-dir hostPath: - path: /var/lib/kubelet/plugins/com.seaweedfs.csi + path: /var/lib/kubelet/plugins/{{ .Values.driverName }} type: DirectoryOrCreate - name: pods-mount-dir hostPath: - path: /var/lib/kubelet + path: /var/lib/kubelet/pods type: Directory - name: device-dir hostPath: @@ -114,3 +109,4 @@ spec: secret: secretName: {{ .Values.tlsSecret }} {{- end }} +{{- end }} diff --git a/deploy/helm/seaweedfs-csi-driver/templates/rbac.yml b/deploy/helm/seaweedfs-csi-driver/templates/rbac.yml index 6783751..fced728 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/rbac.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/rbac.yml @@ -2,7 +2,7 @@ kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-provisioner-role + name: {{ template "seaweedfs-csi-driver.name" . }}-provisioner-role rules: - apiGroups: [""] resources: ["secrets"] 
@@ -30,20 +30,20 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-provisioner-binding + name: {{ template "seaweedfs-csi-driver.name" . }}-provisioner-binding subjects: - kind: ServiceAccount - name: csi-seaweedfs-controller-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: csi-seaweedfs-provisioner-role + name: {{ template "seaweedfs-csi-driver.name" . }}-provisioner-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-attacher-role + name: {{ template "seaweedfs-csi-driver.name" . }}-attacher-role rules: - apiGroups: [""] resources: ["persistentvolumes"] @@ -62,20 +62,20 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-attacher-binding + name: {{ template "seaweedfs-csi-driver.name" . }}-attacher-binding subjects: - kind: ServiceAccount - name: csi-seaweedfs-controller-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: csi-seaweedfs-attacher-role + name: {{ template "seaweedfs-csi-driver.name" . }}-attacher-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-snapshotter-role + name: {{ template "seaweedfs-csi-driver.name" . }}-snapshotter-role rules: - apiGroups: [""] resources: ["persistentvolumes"] 
@@ -108,20 +108,20 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-snapshotter-binding + name: {{ template "seaweedfs-csi-driver.name" . }}-snapshotter-binding subjects: - kind: ServiceAccount - name: csi-seaweedfs-controller-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: csi-seaweedfs-snapshotter-role + name: {{ template "seaweedfs-csi-driver.name" . }}-snapshotter-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-driver-registrar-controller-role + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-controller-role rules: - apiGroups: ["csi.storage.k8s.io"] resources: ["csidrivers"] @@ -133,20 +133,20 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-driver-registrar-controller-binding + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-controller-binding subjects: - kind: ServiceAccount - name: csi-seaweedfs-controller-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: csi-seaweedfs-driver-registrar-controller-role + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-controller-role apiGroup: rbac.authorization.k8s.io --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-driver-registrar-node-role + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-node-role rules: - apiGroups: [""] resources: ["events"] 
@@ -161,12 +161,12 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-seaweedfs-driver-registrar-node-binding + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-node-binding subjects: - kind: ServiceAccount - name: csi-seaweedfs-node-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-node-sa namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole - name: csi-seaweedfs-driver-registrar-node-role + name: {{ template "seaweedfs-csi-driver.name" . }}-driver-registrar-node-role apiGroup: rbac.authorization.k8s.io diff --git a/deploy/helm/seaweedfs-csi-driver/templates/serviceaccounts.yml b/deploy/helm/seaweedfs-csi-driver/templates/serviceaccounts.yml index 21f39ce..6576c4e 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/serviceaccounts.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/serviceaccounts.yml @@ -2,9 +2,9 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: csi-seaweedfs-controller-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa --- apiVersion: v1 kind: ServiceAccount metadata: - name: csi-seaweedfs-node-sa + name: {{ template "seaweedfs-csi-driver.name" . }}-node-sa diff --git a/deploy/helm/seaweedfs-csi-driver/templates/statefulset.yml b/deploy/helm/seaweedfs-csi-driver/templates/statefulset.yml index ea3a984..afdef7d 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/statefulset.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/statefulset.yml 
@@ -2,21 +2,20 @@ kind: StatefulSet apiVersion: apps/v1 metadata: - name: csi-seaweedfs-controller + name: {{ template "seaweedfs-csi-driver.name" . }}-controller spec: selector: matchLabels: - app: csi-seaweedfs-controller + app: {{ template "seaweedfs-csi-driver.name" . }}-controller serviceName: "csi-seaweedfs" replicas: 1 template: metadata: labels: - app: csi-seaweedfs-controller - role: csi-seaweedfs + app: {{ template "seaweedfs-csi-driver.name" . }}-controller spec: priorityClassName: system-cluster-critical - serviceAccountName: csi-seaweedfs-controller-sa + serviceAccountName: {{ template "seaweedfs-csi-driver.name" . }}-controller-sa containers: # provisioner - name: csi-provisioner @@ -74,7 +73,7 @@ spec: value: /var/run/secrets/app/tls/tls.key - name: WEED_GRPC_CLIENT_CERT value: /var/run/secrets/app/tls/tls.crt - - name: WEED_GRPC_CLIENT_GRPC_CA + - name: WEED_GRPC_CA value: /var/run/secrets/app/tls/ca.crt {{- end }} volumeMounts: @@ -84,12 +83,6 @@ spec: - name: tls mountPath: /var/run/secrets/app/tls {{- end }} - - name: tools - image: registry.tech.bank24.int/devexp/network-multitool:1.0 - command: - - bash - - -c - - tail -f /dev/null volumes: - name: socket-dir emptyDir: {} diff --git a/deploy/helm/seaweedfs-csi-driver/templates/storageclass.yml b/deploy/helm/seaweedfs-csi-driver/templates/storageclass.yml index 5e79a7a..c79c29d 100644 --- a/deploy/helm/seaweedfs-csi-driver/templates/storageclass.yml +++ b/deploy/helm/seaweedfs-csi-driver/templates/storageclass.yml @@ -1,10 +1,10 @@ kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: - name: seaweedfs-storage + name: {{ .Values.storageClassName }} namespace: {{ .Release.Namespace }} annotations: {{- if .Values.isDefaultStorageClass }} storageclass.kubernetes.io/is-default-class: "true" {{- end }} -provisioner: seaweedfs-csi-driver +provisioner: {{ .Values.driverName }} 
diff --git a/deploy/helm/seaweedfs-csi-driver/values.yaml b/deploy/helm/seaweedfs-csi-driver/values.yaml index 6490e13..38be436 100644 --- a/deploy/helm/seaweedfs-csi-driver/values.yaml +++ b/deploy/helm/seaweedfs-csi-driver/values.yaml @@ -1,6 +1,7 @@ # host and port of your SeaweedFs filer seaweedfsFiller: "" +storageClassName: seaweedfs-storage isDefaultStorageClass: false tlsSecret: "" @@ -22,4 +23,9 @@ seaweedfsCsiPlugin: image: chrislusf/seaweedfs-csi-driver:latest resources: {} +# NOT Change, for future releases. Must be equal Name in GetPluginInfoResponse +driverName: seaweedfs-csi-driver +node: + # Deploy node daemonset + enabled: true