diff --git a/inventory/sample/group_vars/all/upcloud.yml b/inventory/sample/group_vars/all/upcloud.yml index 16e6e6fb2..c2d7f5df8 100644 --- a/inventory/sample/group_vars/all/upcloud.yml +++ b/inventory/sample/group_vars/all/upcloud.yml @@ -7,13 +7,18 @@ # upcloud_csi_provisioner_image_tag: "v3.1.0" # upcloud_csi_attacher_image_tag: "v3.4.0" # upcloud_csi_resizer_image_tag: "v1.4.0" -# upcloud_csi_plugin_image_tag: "v0.2.1" +# upcloud_csi_plugin_image_tag: "v0.3.3" # upcloud_csi_node_image_tag: "v2.5.0" # upcloud_tolerations: [] ## Storage class options -# expand_persistent_volumes: true -# parameters: -# tier: maxiops # or hdd # storage_classes: # - name: standard # is_default: true +# expand_persistent_volumes: true +# parameters: +# tier: maxiops +# - name: hdd +# is_default: false +# expand_persistent_volumes: true +# parameters: +# tier: hdd \ No newline at end of file diff --git a/roles/kubernetes-apps/csi_driver/upcloud/defaults/main.yml b/roles/kubernetes-apps/csi_driver/upcloud/defaults/main.yml index 01541ec1d..657b3006d 100644 --- a/roles/kubernetes-apps/csi_driver/upcloud/defaults/main.yml +++ b/roles/kubernetes-apps/csi_driver/upcloud/defaults/main.yml @@ -3,8 +3,14 @@ upcloud_csi_controller_replicas: 1 upcloud_csi_provisioner_image_tag: "v3.1.0" upcloud_csi_attacher_image_tag: "v3.4.0" upcloud_csi_resizer_image_tag: "v1.4.0" -upcloud_csi_plugin_image_tag: "v0.2.1" +upcloud_csi_plugin_image_tag: "v0.3.3" upcloud_csi_node_image_tag: "v2.5.0" upcloud_username: "{{ lookup('env','UPCLOUD_USERNAME') }}" upcloud_password: "{{ lookup('env','UPCLOUD_PASSWORD') }}" -upcloud_tolerations: [] \ No newline at end of file +upcloud_tolerations: [] +upcloud_csi_enable_volume_snapshot: false +upcloud_csi_snapshot_controller_replicas: 2 +upcloud_csi_snapshotter_image_tag: "v4.2.1" +upcloud_csi_snapshot_controller_image_tag: "v4.2.1" +upcloud_csi_snapshot_validation_webhook_image_tag: "v4.2.1" +upcloud_cacert: "{{ lookup('env','OS_CACERT') }}" \ No newline at end of file diff --git a/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml b/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml index 63e37bcf5..f37daba92 100644 --- a/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml +++ b/roles/kubernetes-apps/csi_driver/upcloud/tasks/main.yml @@ -37,4 +37,4 @@ - inventory_hostname == groups['kube_control_plane'][0] - not item is skipped loop_control: - label: "{{ item.item.file }}" + label: "{{ item.item.file }}" \ No newline at end of file diff --git a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-controller.yml.j2 b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-controller.yml.j2 index 8f05f77fb..0d52837a9 100644 --- a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-controller.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-controller.yml.j2 @@ -23,7 +23,7 @@ spec: args: - "--csi-address=$(ADDRESS)" - "--v=5" - - "--timeout=60s" + - "--timeout=600s" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock @@ -36,7 +36,7 @@ spec: args: - "--v=5" - "--csi-address=$(ADDRESS)" - - "--timeout=30s" + - "--timeout=120s" env: - name: ADDRESS value: /var/lib/csi/sockets/pluginproxy/csi.sock @@ -48,7 +48,7 @@ spec: image: registry.k8s.io/sig-storage/csi-resizer:{{ upcloud_csi_resizer_image_tag }} args: - "--v=5" - - "--timeout=45s" + - "--timeout=120s" - "--csi-address=$(ADDRESS)" - "--handle-volume-inuse-error=true" env: @@ -68,8 +68,6 @@ spec: env: - name: CSI_ENDPOINT value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock - - name: UPCLOUD_API_URL - value: https://api.upcloud.com/ - name: UPCLOUD_USERNAME valueFrom: secretKeyRef: @@ -92,4 +90,4 @@ spec: - name: regcred volumes: - name: socket-dir - emptyDir: { } \ No newline at end of file + emptyDir: {} \ No newline at end of file diff --git a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-node.yml.j2 b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-node.yml.j2 index 269f4cf54..7173c6baf 100644 --- a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-node.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-node.yml.j2 @@ -23,15 +23,6 @@ spec: - "--v=5" - "--csi-address=$(ADDRESS)" - "--kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)" - lifecycle: - preStop: - exec: - command: - [ - "/bin/sh", - "-c", - "rm -rf /registration/storage.csi.upcloud.com /registration/storage.csi.upcloud.com-reg.sock", - ] env: - name: ADDRESS value: /csi/csi.sock @@ -56,8 +47,6 @@ spec: env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - - name: UPCLOUD_API_URL - value: https://api.upcloud.com/ - name: UPCLOUD_USERNAME valueFrom: secretKeyRef: @@ -76,7 +65,7 @@ spec: securityContext: privileged: true capabilities: - add: [ "SYS_ADMIN" ] + add: ["SYS_ADMIN"] allowPrivilegeEscalation: true volumeMounts: - name: plugin-dir diff --git a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-setup.yml.j2 b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-setup.yml.j2 index 2a9ec08be..3bc0bd580 100644 --- a/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-setup.yml.j2 +++ b/roles/kubernetes-apps/csi_driver/upcloud/templates/upcloud-csi-setup.yml.j2 @@ -5,6 +5,40 @@ metadata: namespace: kube-system --- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-upcloud-node-sa + namespace: kube-system + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-upcloud-node-driver-registrar-role + namespace: kube-system +rules: + - apiGroups: [ "" ] + resources: [ "events" ] + verbs: [ "get", "list", "watch", "create", "update", "patch" ] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-upcloud-node-driver-registrar-binding +subjects: + - kind: ServiceAccount + name: csi-upcloud-node-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: csi-upcloud-node-driver-registrar-role + apiGroup: rbac.authorization.k8s.io + +--- + kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -28,12 +62,6 @@ rules: - apiGroups: [ "" ] resources: [ "events" ] verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshots" ] - verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "get", "list" ] - apiGroups: [ "" ] resources: [ "nodes" ] verbs: [ "get", "list", "watch" ] @@ -90,87 +118,39 @@ roleRef: apiGroup: rbac.authorization.k8s.io --- -kind: ClusterRole +# Provisioner must be able to work with endpoints and leases in current namespace +# if (and only if) leadership election is enabled +kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-upcloud-snapshotter-role + namespace: kube-system + name: csi-upcloud-provisioner-cfg-role rules: - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "secrets" ] - verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "create", "get", "list", "watch", "update", "delete" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshots" ] - verbs: [ "get", "list", "watch", "update" ] - - apiGroups: [ "apiextensions.k8s.io" ] - resources: [ "customresourcedefinitions" ] - verbs: [ "create", "list", "watch", "delete" ] +- apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] --- -kind: ClusterRoleBinding +kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: csi-upcloud-snapshotter-binding + name: csi-provisioner-role-cfg-binding + namespace: kube-system subjects: - kind: ServiceAccount name: csi-upcloud-controller-sa namespace: kube-system roleRef: - kind: ClusterRole - name: csi-upcloud-snapshotter-role + kind: Role + name: csi-upcloud-provisioner-cfg-role apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: csi-upcloud-node-sa - namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-upcloud-node-driver-registrar-role - namespace: kube-system -rules: - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "get", "list", "watch", "create", "update", "patch" ] - ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: csi-upcloud-node-driver-registrar-binding -subjects: - - kind: ServiceAccount - name: csi-upcloud-node-sa - namespace: kube-system -roleRef: - kind: ClusterRole - name: csi-upcloud-node-driver-registrar-role - apiGroup: rbac.authorization.k8s.io ---- -# Resizer must be able to work with PVCs, PVs, SCs. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 metadata: name: csi-upcloud-resizer-role rules: diff --git a/roles/kubernetes-apps/persistent_volumes/upcloud-csi/defaults/main.yml b/roles/kubernetes-apps/persistent_volumes/upcloud-csi/defaults/main.yml index 7ca901ee1..5986e8cb0 100644 --- a/roles/kubernetes-apps/persistent_volumes/upcloud-csi/defaults/main.yml +++ b/roles/kubernetes-apps/persistent_volumes/upcloud-csi/defaults/main.yml @@ -1,7 +1,12 @@ --- -expand_persistent_volumes: true -parameters: - tier: maxiops storage_classes: - name: standard is_default: true + expand_persistent_volumes: true + parameters: + tier: maxiops + - name: hdd + is_default: false + expand_persistent_volumes: true + parameters: + tier: hdd diff --git a/roles/kubernetes-apps/persistent_volumes/upcloud-csi/templates/upcloud-csi-storage-class.yml.j2 b/roles/kubernetes-apps/persistent_volumes/upcloud-csi/templates/upcloud-csi-storage-class.yml.j2 index 058531a30..d5c84b544 100644 --- a/roles/kubernetes-apps/persistent_volumes/upcloud-csi/templates/upcloud-csi-storage-class.yml.j2 +++ b/roles/kubernetes-apps/persistent_volumes/upcloud-csi/templates/upcloud-csi-storage-class.yml.j2 @@ -7,9 +7,10 @@ metadata: annotations: storageclass.kubernetes.io/is-default-class: "{{ class.is_default | default(false) | ternary("true","false") }}" provisioner: storage.csi.upcloud.com +reclaimPolicy: Retain parameters: {% for key, value in (class.parameters | default({})).items() %} "{{ key }}": "{{ value }}" {% endfor %} -allowVolumeExpansion: {{ expand_persistent_volumes }} +allowVolumeExpansion: {{ class.expand_persistent_volumes | default(true) | ternary("true","false") }} {% endfor %}