gitea_admin/application
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add helm charts

Browse Source
This commit is contained in:
Ybehrooz
2025-11-09 13:22:40 +03:30
parent 282c3e52d0
commit 38e4d749ad
1352 changed files with 190457 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
backing-services/aws-ebs-csi-driver/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,5 @@
To verify that aws-ebs-csi-driver has started, run:
kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"
NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality.

85
backing-services/aws-ebs-csi-driver/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,85 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "aws-ebs-csi-driver.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "aws-ebs-csi-driver.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "aws-ebs-csi-driver.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "aws-ebs-csi-driver.labels" -}}
{{ include "aws-ebs-csi-driver.selectorLabels" . }}
{{- if ne .Release.Name "kustomize" }}
helm.sh/chart: {{ include "aws-ebs-csi-driver.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: csi-driver
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- if .Values.customLabels }}
{{ toYaml .Values.customLabels }}
{{- end }}
{{- end -}}
{{/*
Common selector labels
*/}}
{{- define "aws-ebs-csi-driver.selectorLabels" -}}
app.kubernetes.io/name: {{ include "aws-ebs-csi-driver.name" . }}
{{- if ne .Release.Name "kustomize" }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- end -}}
{{/*
Convert the `--extra-tags` command line arg from a map.
*/}}
{{- define "aws-ebs-csi-driver.extra-volume-tags" -}}
{{- $result := dict "pairs" (list) -}}
{{- range $key, $value := .Values.controller.extraVolumeTags -}}
{{- $noop := printf "%s=%v" $key $value | append $result.pairs | set $result "pairs" -}}
{{- end -}}
{{- if gt (len $result.pairs) 0 -}}
{{- printf "- \"--extra-tags=%s\"" (join "," $result.pairs) -}}
{{- end -}}
{{- end -}}
{{/*
Handle http proxy env vars
*/}}
{{- define "aws-ebs-csi-driver.http-proxy" -}}
- name: HTTP_PROXY
value: {{ .Values.proxy.http_proxy | quote }}
- name: HTTPS_PROXY
value: {{ .Values.proxy.http_proxy | quote }}
- name: NO_PROXY
value: {{ .Values.proxy.no_proxy | quote }}
{{- end -}}

263
backing-services/aws-ebs-csi-driver/templates/_node-windows.tpl Normal file
View File

@@ -0,0 +1,263 @@
{{- define "node-windows" }}
{{- if .Values.node.enableWindows }}
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: {{ printf "%s-windows" .NodeName }}
namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
{{- if or (kindIs "float64" .Values.node.revisionHistoryLimit) (kindIs "int64" .Values.node.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.node.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
app: {{ .NodeName }}
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
updateStrategy:
{{ toYaml .Values.node.updateStrategy | nindent 4 }}
template:
metadata:
labels:
app: {{ .NodeName }}
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.node.podLabels }}
{{- toYaml .Values.node.podLabels | nindent 8 }}
{{- end }}
{{- with .Values.node.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.node.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
kubernetes.io/os: windows
{{- with .Values.node.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.node.serviceAccount.name }}
terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }}
priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }}
tolerations:
{{- if .Values.node.tolerateAllTaints }}
- operator: Exists
{{- else }}
{{- with .Values.node.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.node.windowsHostProcess }}
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: "NT AUTHORITY\\SYSTEM"
hostNetwork: true
{{- end }}
containers:
- name: ebs-plugin
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.node.windowsHostProcess }}
command:
- "aws-ebs-csi-driver.exe"
{{- end }}
args:
- node
- --endpoint=$(CSI_ENDPOINT)
{{- with .Values.node.volumeAttachLimit }}
- --volume-attach-limit={{ . }}
{{- end }}
{{- with .Values.node.loggingFormat }}
- --logging-format={{ . }}
{{- end }}
- --v={{ .Values.node.logLevel }}
{{- if .Values.node.otelTracing }}
- --enable-otel-tracing=true
{{- end}}
{{- if .Values.node.windowsHostProcess }}
- --windows-host-process=true
{{- end }}
env:
- name: CSI_ENDPOINT
{{- if .Values.node.windowsHostProcess }}
value: unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock
{{- else }}
value: unix:/csi/csi.sock
{{- end }}
- name: CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.node.otelTracing }}
- name: OTEL_SERVICE_NAME
value: {{ .otelServiceName }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ .otelExporterEndpoint }}
{{- end }}
{{- with .Values.node.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: kubelet-dir
mountPath: C:\var\lib\kubelet
mountPropagation: "None"
- name: plugin-dir
mountPath: C:\csi
{{- if not .Values.node.windowsHostProcess }}
- name: csi-proxy-disk-pipe
mountPath: \\.\pipe\csi-proxy-disk-v1
- name: csi-proxy-volume-pipe
mountPath: \\.\pipe\csi-proxy-volume-v1
- name: csi-proxy-filesystem-pipe
mountPath: \\.\pipe\csi-proxy-filesystem-v1
{{- end }}
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.node.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if not .Values.node.windowsHostProcess }}
securityContext:
windowsOptions:
runAsUserName: "ContainerAdministrator"
{{- end }}
lifecycle:
preStop:
exec:
command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"]
- name: node-driver-registrar
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }}
{{- if .Values.node.windowsHostProcess }}
command:
- "csi-node-driver-registrar.exe"
{{- end }}
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
{{- if .Values.node.windowsHostProcess }}
- --plugin-registration-path=$(PLUGIN_REG_DIR)
{{- end }}
- --v={{ .Values.sidecars.nodeDriverRegistrar.logLevel }}
env:
- name: ADDRESS
{{- if .Values.node.windowsHostProcess }}
value: unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock
{{- else }}
value: unix:/csi/csi.sock
{{- end }}
- name: DRIVER_REG_SOCK_PATH
{{- if .Values.node.windowsHostProcess }}
value: C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock
{{- else }}
value: C:\var\lib\kubelet\plugins\ebs.csi.aws.com\csi.sock
{{- end }}
{{- if .Values.node.windowsHostProcess }}
- name: PLUGIN_REG_DIR
value: C:\\var\\lib\\kubelet\\plugins_registry\\
{{- end }}
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrar.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
livenessProbe:
exec:
command:
- /csi-node-driver-registrar.exe
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --mode=kubelet-registration-probe
initialDelaySeconds: 30
timeoutSeconds: 15
periodSeconds: 90
volumeMounts:
- name: plugin-dir
mountPath: C:\csi
- name: registration-dir
mountPath: C:\registration
- name: probe-dir
mountPath: C:\var\lib\kubelet\plugins\ebs.csi.aws.com
{{- with default .Values.node.resources .Values.sidecars.nodeDriverRegistrar.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }}
{{- if .Values.node.windowsHostProcess }}
command:
- "livenessprobe.exe"
{{- end }}
args:
{{- if .Values.node.windowsHostProcess }}
- --csi-address=unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock
{{- else }}
- --csi-address=unix:/csi/csi.sock
{{- end }}
volumeMounts:
- name: plugin-dir
mountPath: C:\csi
{{- with default .Values.node.resources .Values.sidecars.livenessProbe.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
volumes:
- name: kubelet-dir
hostPath:
path: C:\var\lib\kubelet
type: Directory
- name: plugin-dir
hostPath:
path: C:\var\lib\kubelet\plugins\ebs.csi.aws.com
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: C:\var\lib\kubelet\plugins_registry
type: Directory
{{- if not .Values.node.windowsHostProcess }}
- name: csi-proxy-disk-pipe
hostPath:
path: \\.\pipe\csi-proxy-disk-v1
type: ""
- name: csi-proxy-volume-pipe
hostPath:
path: \\.\pipe\csi-proxy-volume-v1
type: ""
- name: csi-proxy-filesystem-pipe
hostPath:
path: \\.\pipe\csi-proxy-filesystem-v1
type: ""
{{- end }}
- name: probe-dir
{{- if .Values.node.probeDirVolume }}
{{- toYaml .Values.node.probeDirVolume | nindent 10 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- end }}

245
backing-services/aws-ebs-csi-driver/templates/_node.tpl Normal file
View File

@@ -0,0 +1,245 @@
{{- define "node" }}
{{- if or (eq (default true .Values.node.enableLinux) true) }}
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: {{ .NodeName }}
namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.node.daemonSetAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if or (kindIs "float64" .Values.node.revisionHistoryLimit) (kindIs "int64" .Values.node.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.node.revisionHistoryLimit }}
{{- end }}
selector:
matchLabels:
app: {{ .NodeName }}
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
updateStrategy:
{{- toYaml .Values.node.updateStrategy | nindent 4 }}
template:
metadata:
labels:
app: {{ .NodeName }}
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.node.podLabels }}
{{- toYaml .Values.node.podLabels | nindent 8 }}
{{- end }}
{{- with .Values.node.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.node.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.node.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.node.serviceAccount.name }}
terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }}
priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }}
tolerations:
{{- if .Values.node.tolerateAllTaints }}
- operator: Exists
{{- else }}
{{- with .Values.node.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
- key: "ebs.csi.aws.com/agent-not-ready"
operator: "Exists"
{{- end }}
hostNetwork: {{ .Values.node.hostNetwork }}
{{- with .Values.node.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: ebs-plugin
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- node
- --endpoint=$(CSI_ENDPOINT)
{{- with .Values.node.reservedVolumeAttachments }}
- --reserved-volume-attachments={{ . }}
{{- end }}
{{- with .Values.node.volumeAttachLimit }}
- --volume-attach-limit={{ . }}
{{- end }}
{{- with .Values.node.loggingFormat }}
- --logging-format={{ . }}
{{- end }}
- --v={{ .Values.node.logLevel }}
{{- if .Values.node.otelTracing }}
- --enable-otel-tracing=true
{{- end}}
{{- range .Values.node.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
- name: CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.node.otelTracing }}
- name: OTEL_SERVICE_NAME
value: {{ .otelServiceName }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ .otelExporterEndpoint }}
{{- end }}
{{- with .Values.node.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: kubelet-dir
mountPath: {{ .Values.node.kubeletPath }}
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: device-dir
mountPath: /dev
{{- with .Values.node.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: healthz
containerPort: 9808
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.node.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.node.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
lifecycle:
preStop:
exec:
command: ["/bin/aws-ebs-csi-driver", "pre-stop-hook"]
- name: node-driver-registrar
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }}
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --v={{ .Values.sidecars.nodeDriverRegistrar.logLevel }}
{{- range .Values.sidecars.nodeDriverRegistrar.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: {{ printf "%s/plugins/ebs.csi.aws.com/csi.sock" (trimSuffix "/" .Values.node.kubeletPath) }}
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrar.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrar.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
- name: probe-dir
mountPath: {{ printf "%s/plugins/ebs.csi.aws.com/" (trimSuffix "/" .Values.node.kubeletPath) }}
{{- with default .Values.node.resources .Values.sidecars.nodeDriverRegistrar.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrar.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }}
args:
- --csi-address=/csi/csi.sock
{{- range .Values.sidecars.livenessProbe.additionalArgs }}
- {{ . }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: plugin-dir
mountPath: /csi
{{- with default .Values.node.resources .Values.sidecars.livenessProbe.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbe.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
volumes:
- name: kubelet-dir
hostPath:
path: {{ .Values.node.kubeletPath }}
type: Directory
- name: plugin-dir
hostPath:
path: {{ printf "%s/plugins/ebs.csi.aws.com/" (trimSuffix "/" .Values.node.kubeletPath) }}
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: {{ printf "%s/plugins_registry/" (trimSuffix "/" .Values.node.kubeletPath) }}
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory
- name: probe-dir
{{- if .Values.node.probeDirVolume }}
{{- toYaml .Values.node.probeDirVolume | nindent 10 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.node.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}

26
backing-services/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml Normal file
View File

@@ -0,0 +1,26 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-attacher-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [ "" ]
resources: [ "persistentvolumes" ]
verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [ "" ]
resources: [ "nodes" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "csi.storage.k8s.io" ]
resources: [ "csinodeinfos" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattachments" ]
verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattachments/status" ]
verbs: [ "patch" ]
{{- with .Values.sidecars.attacher.additionalClusterRoleRules }}
{{- . | toYaml | nindent 2 }}
{{- end }}

17
backing-services/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-node-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get"]

41
backing-services/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml Normal file
View File

@@ -0,0 +1,41 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-provisioner-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [ "" ]
resources: [ "persistentvolumes" ]
verbs: [ "get", "list", "watch", "create", "patch", "delete" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumeclaims" ]
verbs: [ "get", "list", "watch", "update" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "list", "watch", "create", "update", "patch" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshots" ]
verbs: [ "get", "list" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotcontents" ]
verbs: [ "get", "list" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "csinodes" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "nodes" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattachments" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattributesclasses" ]
verbs: [ "get" ]
{{- with .Values.sidecars.provisioner.additionalClusterRoleRules }}
{{- . | toYaml | nindent 2 }}
{{- end }}

37
backing-services/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml Normal file
View File

@@ -0,0 +1,37 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-resizer-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
# The following rule should be uncommented for plugins that require secrets
# for provisioning.
# - apiGroups: [""]
# resources: ["secrets"]
# verbs: ["get", "list", "watch"]
- apiGroups: [ "" ]
resources: [ "persistentvolumes" ]
verbs: [ "get", "list", "watch", "update", "patch" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumeclaims" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "persistentvolumeclaims/status" ]
verbs: [ "update", "patch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "storageclasses" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "list", "watch", "create", "update", "patch" ]
- apiGroups: [ "" ]
resources: [ "pods" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "storage.k8s.io" ]
resources: [ "volumeattributesclasses" ]
verbs: [ "get", "list", "watch" ]
{{- with .Values.sidecars.resizer.additionalClusterRoleRules }}
{{- . | toYaml | nindent 2 }}
{{- end }}

30
backing-services/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml Normal file
View File

@@ -0,0 +1,30 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-external-snapshotter-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: [ "" ]
resources: [ "events" ]
verbs: [ "list", "watch", "create", "update", "patch" ]
# Secret permission is optional.
# Enable it if your driver needs secret.
# For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
# See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
# - apiGroups: [ "" ]
# resources: [ "secrets" ]
# verbs: [ "get", "list" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotclasses" ]
verbs: [ "get", "list", "watch" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotcontents" ]
verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources: [ "volumesnapshotcontents/status" ]
verbs: [ "update", "patch" ]
{{- with .Values.sidecars.snapshotter.additionalClusterRoleRules }}
{{- . | toYaml | nindent 2 }}
{{- end }}

15
backing-services/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-attacher-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-external-attacher-role
apiGroup: rbac.authorization.k8s.io

15
backing-services/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-node-getter-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.node.serviceAccount.name }}
namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-csi-node-role
apiGroup: rbac.authorization.k8s.io

15
backing-services/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-provisioner-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-external-provisioner-role
apiGroup: rbac.authorization.k8s.io

15
backing-services/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-resizer-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-external-resizer-role
apiGroup: rbac.authorization.k8s.io

15
backing-services/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml Normal file
View File

@@ -0,0 +1,15 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-snapshotter-binding
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-external-snapshotter-role
apiGroup: rbac.authorization.k8s.io

519
backing-services/aws-ebs-csi-driver/templates/controller.yaml Normal file
View File

@@ -0,0 +1,519 @@
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
name: ebs-csi-controller
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.controller.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicaCount }}
{{- if or (kindIs "float64" .Values.controller.revisionHistoryLimit) (kindIs "int64" .Values.controller.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }}
{{- end }}
{{- with .Values.controller.updateStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
{{- if .Values.controller.podLabels }}
{{- toYaml .Values.controller.podLabels | nindent 8 }}
{{- end }}
{{- if .Values.controller.podAnnotations }}
annotations:
{{- tpl ( .Values.controller.podAnnotations | toYaml ) . | nindent 8 }}
{{- end }}
spec:
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.controller.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.controller.serviceAccount.name }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- with default .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- with .Values.controller.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
{{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "ebs-csi-controller" ) ) }}
{{- $constraints := list }}
{{- range .Values.controller.topologySpreadConstraints }}
{{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }}
{{- end }}
topologySpreadConstraints:
{{- $constraints | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.controller.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: ebs-plugin
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
{{- if ne .Release.Name "kustomize" }}
- controller
{{- else }}
# - {all,controller,node} # specify the driver mode
{{- end }}
- --endpoint=$(CSI_ENDPOINT)
{{- if .Values.controller.extraVolumeTags }}
{{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
{{- end }}
{{- with (tpl (default "" .Values.controller.k8sTagClusterId) . ) }}
- --k8s-tag-cluster-id={{ . }}
{{- end }}
{{- if and (.Values.controller.enableMetrics) (not .Values.controller.httpEndpoint) }}
- --http-endpoint=0.0.0.0:3301
{{- end}}
{{- with .Values.controller.httpEndpoint }}
- --http-endpoint={{ . }}
{{- end }}
{{- if .Values.controller.sdkDebugLog }}
- --aws-sdk-debug-log=true
{{- end}}
{{- if .Values.controller.batching }}
- --batching=true
{{- end}}
{{- with .Values.controller.loggingFormat }}
- --logging-format={{ . }}
{{- end }}
{{- with .Values.controller.userAgentExtra }}
- --user-agent-extra={{ . }}
{{- end }}
{{- if .Values.controller.otelTracing }}
- --enable-otel-tracing=true
{{- end}}
- --v={{ .Values.controller.logLevel }}
{{- range .Values.controller.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
- name: CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- with .Values.awsAccessSecret }}
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: {{ .name }}
key: {{ .keyId }}
optional: true
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: {{ .name }}
key: {{ .accessKey }}
optional: true
{{- end }}
- name: AWS_EC2_ENDPOINT
valueFrom:
configMapKeyRef:
name: aws-meta
key: endpoint
optional: true
{{- with .Values.controller.region }}
- name: AWS_REGION
value: {{ . }}
{{- end }}
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.controller.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.otelTracing }}
- name: OTEL_SERVICE_NAME
value: {{ .otelServiceName }}
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: {{ .otelExporterEndpoint }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: healthz
containerPort: 9808
protocol: TCP
{{- if .Values.controller.enableMetrics }}
- name: metrics
containerPort: 3301
protocol: TCP
{{- end}}
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.controller.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.provisioner.image.repository .Values.sidecars.provisioner.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.provisioner.image.pullPolicy }}
args:
{{- if not (regexMatch "(-timeout)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
- --timeout=60s
{{- end }}
- --csi-address=$(ADDRESS)
- --v={{ .Values.sidecars.provisioner.logLevel }}
- --feature-gates=Topology=true
{{- if .Values.controller.extraCreateMetadata }}
- --extra-create-metadata
{{- end}}
- --leader-election={{ .Values.sidecars.provisioner.leaderElection.enabled | required "leader election state for csi-provisioner is required, must be set to true || false." }}
{{- if .Values.sidecars.provisioner.leaderElection.enabled }}
{{- if .Values.sidecars.provisioner.leaderElection.leaseDuration }}
- --leader-election-lease-duration={{ .Values.sidecars.provisioner.leaderElection.leaseDuration }}
{{- end }}
{{- if .Values.sidecars.provisioner.leaderElection.renewDeadline}}
- --leader-election-renew-deadline={{ .Values.sidecars.provisioner.leaderElection.renewDeadline }}
{{- end }}
{{- if .Values.sidecars.provisioner.leaderElection.retryPeriod }}
- --leader-election-retry-period={{ .Values.sidecars.provisioner.leaderElection.retryPeriod }}
{{- end }}
{{- end }}
- --default-fstype={{ .Values.controller.defaultFsType }}
{{- if not (regexMatch "(-kube-api-qps)|(-kube-api-burst)|(-worker-threads)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
{{- end }}
{{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
- --retry-interval-max=30m
{{- end }}
{{- range .Values.sidecars.provisioner.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.provisioner.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.provisioner.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.provisioner.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: csi-attacher
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.attacher.image.repository .Values.sidecars.attacher.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.attacher.image.pullPolicy }}
args:
{{- if not (regexMatch "(-timeout)" (join " " .Values.sidecars.attacher.additionalArgs)) }}
- --timeout=60s
{{- end }}
- --csi-address=$(ADDRESS)
- --v={{ .Values.sidecars.attacher.logLevel }}
- --leader-election={{ .Values.sidecars.attacher.leaderElection.enabled | required "leader election state for csi-attacher is required, must be set to true || false." }}
{{- if .Values.sidecars.attacher.leaderElection.enabled }}
{{- if .Values.sidecars.attacher.leaderElection.leaseDuration }}
- --leader-election-lease-duration={{ .Values.sidecars.attacher.leaderElection.leaseDuration }}
{{- end }}
{{- if .Values.sidecars.attacher.leaderElection.renewDeadline}}
- --leader-election-renew-deadline={{ .Values.sidecars.attacher.leaderElection.renewDeadline }}
{{- end }}
{{- if .Values.sidecars.attacher.leaderElection.retryPeriod }}
- --leader-election-retry-period={{ .Values.sidecars.attacher.leaderElection.retryPeriod }}
{{- end }}
{{- end }}
{{- if not (regexMatch "(-kube-api-qps)|(-kube-api-burst)|(-worker-threads)" (join " " .Values.sidecars.attacher.additionalArgs)) }}
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
{{- end }}
{{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.attacher.additionalArgs)) }}
- --retry-interval-max=5m
{{- end }}
{{- range .Values.sidecars.attacher.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.attacher.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.attacher.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.attacher.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if or .Values.sidecars.snapshotter.forceEnable (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }}
- name: csi-snapshotter
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.snapshotter.image.repository .Values.sidecars.snapshotter.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.snapshotter.image.pullPolicy }}
args:
- --csi-address=$(ADDRESS)
- --leader-election=true
{{- if .Values.controller.extraCreateMetadata }}
- --extra-create-metadata
{{- end}}
{{- if not (regexMatch "(-kube-api-qps)|(-kube-api-burst)|(-worker-threads)" (join " " .Values.sidecars.snapshotter.additionalArgs)) }}
- --kube-api-qps=20
- --kube-api-burst=100
- --worker-threads=100
{{- end }}
{{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.snapshotter.additionalArgs)) }}
- --retry-interval-max=30m
{{- end }}
{{- range .Values.sidecars.snapshotter.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.snapshotter.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.snapshotter.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.snapshotter.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if (.Values.controller.volumeModificationFeature).enabled }}
- name: volumemodifier
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.volumemodifier.image.repository .Values.sidecars.volumemodifier.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.volumemodifier.image.pullPolicy }}
args:
{{- if not (regexMatch "(-timeout)" (join " " .Values.sidecars.volumemodifier.additionalArgs)) }}
- --timeout=60s
{{- end }}
- --csi-address=$(ADDRESS)
- --v={{ .Values.sidecars.volumemodifier.logLevel }}
- --leader-election={{ .Values.sidecars.volumemodifier.leaderElection.enabled | required "leader election state for csi-volumemodifier is required, must be set to true || false." }}
{{- if .Values.sidecars.volumemodifier.leaderElection.enabled }}
{{- if .Values.sidecars.volumemodifier.leaderElection.leaseDuration }}
- --leader-election-lease-duration={{ .Values.sidecars.volumemodifier.leaderElection.leaseDuration }}
{{- end }}
{{- if .Values.sidecars.volumemodifier.leaderElection.renewDeadline}}
- --leader-election-renew-deadline={{ .Values.sidecars.volumemodifier.leaderElection.renewDeadline }}
{{- end }}
{{- if .Values.sidecars.volumemodifier.leaderElection.retryPeriod }}
- --leader-election-retry-period={{ .Values.sidecars.volumemodifier.leaderElection.retryPeriod }}
{{- end }}
{{- end }}
{{- range .Values.sidecars.volumemodifier.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.volumemodifier.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.volumemodifier.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.volumemodifier.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
- name: csi-resizer
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.resizer.image.repository .Values.sidecars.resizer.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.resizer.image.pullPolicy }}
args:
{{- if not (regexMatch "(-timeout)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
- --timeout=60s
{{- end }}
- --csi-address=$(ADDRESS)
- --v={{ .Values.sidecars.resizer.logLevel }}
- --handle-volume-inuse-error=false
{{- with .Values.sidecars.resizer.leaderElection }}
- --leader-election={{ .enabled | default true }}
{{- if .leaseDuration }}
- --leader-election-lease-duration={{ .leaseDuration }}
{{- end }}
{{- if .renewDeadline }}
- --leader-election-renew-deadline={{ .renewDeadline }}
{{- end }}
{{- if .retryPeriod }}
- --leader-election-retry-period={{ .retryPeriod }}
{{- end }}
{{- end }}
{{- if not (regexMatch "(-kube-api-qps)|(-kube-api-burst)|(-workers)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
- --kube-api-qps=20
- --kube-api-burst=100
- --workers=100
{{- end }}
{{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
- --retry-interval-max=30m
{{- end }}
{{- range .Values.sidecars.resizer.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
{{- if .Values.proxy.http_proxy }}
{{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.resizer.env }}
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.resizer.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.resizer.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }}
args:
- --csi-address=/csi/csi.sock
{{- range .Values.sidecars.livenessProbe.additionalArgs }}
- {{ . }}
{{- end }}
{{- with .Values.controller.envFrom }}
envFrom:
{{- . | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- with default .Values.controller.resources .Values.sidecars.livenessProbe.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbe.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
volumes:
- name: socket-dir
{{- if .Values.controller.socketDirVolume }}
{{- toYaml .Values.controller.socketDirVolume | nindent 10 }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml .Values.controller.dnsConfig | nindent 4 }}
{{- end }}

12
backing-services/aws-ebs-csi-driver/templates/csidriver.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }}
kind: CSIDriver
metadata:
name: ebs.csi.aws.com
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
attachRequired: true
podInfoOnMount: false
{{- if not .Values.useOldCSIDriver }}
fsGroupPolicy: File
{{- end }}

11
backing-services/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.defaultStorageClass.enabled }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: ebs-csi-default-sc
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
{{- end }}

42
backing-services/aws-ebs-csi-driver/templates/metrics.yaml Normal file
View File

@@ -0,0 +1,42 @@
{{- if .Values.controller.enableMetrics -}}
---
apiVersion: v1
kind: Service
metadata:
name: ebs-csi-controller
namespace: {{ .Release.Namespace }}
labels:
app: ebs-csi-controller
spec:
selector:
app: ebs-csi-controller
ports:
- name: metrics
port: 3301
targetPort: 3301
type: ClusterIP
---
{{- if or .Values.controller.serviceMonitor.forceEnable (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: ebs-csi-controller
namespace: {{ .Release.Namespace }}
labels:
app: ebs-csi-controller
{{- if .Values.controller.serviceMonitor.labels }}
{{- toYaml .Values.controller.serviceMonitor.labels | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: ebs-csi-controller
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
endpoints:
- targetPort: 3301
path: /metrics
interval: {{ .Values.controller.serviceMonitor.interval | default "15s"}}
{{- end }}
{{- end }}

13
backing-services/aws-ebs-csi-driver/templates/node-windows.yaml Normal file
View File

@@ -0,0 +1,13 @@
{{$defaultArgs := dict
"NodeName" "ebs-csi-node"
}}
{{- include "node-windows" (deepCopy $ | mustMerge $defaultArgs) -}}
{{- range $name, $values := .Values.additionalDaemonSets }}
{{$args := dict
"NodeName" (printf "ebs-csi-node-%s" $name)
"Values" (dict
"node" (deepCopy $.Values.node | mustMerge $values)
)
}}
{{- include "node-windows" (deepCopy $ | mustMerge $args) -}}
{{- end }}

46
backing-services/aws-ebs-csi-driver/templates/node.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{$defaultArgs := dict
"NodeName" "ebs-csi-node"
}}
{{- include "node" (deepCopy $ | mustMerge $defaultArgs) -}}
{{- range $name, $values := .Values.additionalDaemonSets }}
{{$args := dict
"NodeName" (printf "ebs-csi-node-%s" $name)
"Values" (dict
"node" (deepCopy $.Values.node | mustMerge $values)
)
}}
{{- include "node" (deepCopy $ | mustMerge $args) -}}
{{- end }}
{{- if .Values.a1CompatibilityDaemonSet }}
{{$args := dict
"NodeName" "ebs-csi-node-a1compat"
"Values" (dict
"image" (dict
"tag" (printf "%s-a1compat" (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)))
)
"node" (dict
"affinity" (dict
"nodeAffinity" (dict
"requiredDuringSchedulingIgnoredDuringExecution" (dict
"nodeSelectorTerms" (list
(dict "matchExpressions" (list
(dict
"key" "eks.amazonaws.com/compute-type"
"operator" "NotIn"
"values" (list "fargate")
)
(dict
"key" "node.kubernetes.io/instance-type"
"operator" "In"
"values" (list "a1.medium" "a1.large" "a1.xlarge" "a1.2xlarge" "a1.4xlarge")
)
))
)
)
)
)
)
)
}}
{{- include "node" (deepCopy $ | mustMerge $args) -}}
{{- end }}

17
backing-services/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: ebs-csi-controller
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: ebs-csi-controller
{{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
{{- if le (.Values.controller.replicaCount | int) 2 }}
maxUnavailable: 1
{{- else }}
minAvailable: 2
{{- end }}

11
backing-services/aws-ebs-csi-driver/templates/role-leases.yaml Normal file
View File

@@ -0,0 +1,11 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: {{ .Release.Namespace }}
name: ebs-csi-leases-role
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]

15
backing-services/aws-ebs-csi-driver/templates/rolebinding-leases.yaml Normal file
View File

@@ -0,0 +1,15 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-leases-rolebinding
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: ebs-csi-leases-role
apiGroup: rbac.authorization.k8s.io

21
backing-services/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if .Values.controller.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if eq .Release.Name "kustomize" }}
#Enable if EKS IAM roles for service accounts (IRSA) is used. See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html for details.
#annotations:
# eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
{{- end }}
{{- if .Values.controller.serviceAccount.automountServiceAccountToken }}
automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end -}}

16
backing-services/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.node.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.node.serviceAccount.name }}
namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }}
labels:
{{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
{{- with .Values.node.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.node.serviceAccount.automountServiceAccountToken }}
automountServiceAccountToken: {{ .Values.node.serviceAccount.automountServiceAccountToken }}
{{- end }}
{{- end -}}

15
backing-services/aws-ebs-csi-driver/templates/storageclass.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- range .Values.storageClasses }}
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: {{ .name }}
{{- with .annotations }}
annotations: {{- . | toYaml | trim | nindent 4 }}
{{- end }}
{{- with .labels }}
labels: {{- . | toYaml | trim | nindent 4 }}
{{- end }}
provisioner: ebs.csi.aws.com
{{ omit (dict "volumeBindingMode" "WaitForFirstConsumer" | merge .) "name" "annotations" "labels" | toYaml }}
{{- end }}

238
backing-services/aws-ebs-csi-driver/templates/tests/helm-tester.yaml Normal file
View File

@@ -0,0 +1,238 @@
{{- if .Values.helmTester.enabled -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ebs-csi-driver-test
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-driver-test
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [ "" ]
resources:
- events
- nodes
- pods
- replicationcontrollers
- serviceaccounts
- configmaps
- persistentvolumes
- persistentvolumeclaims
verbs: [ "list" ]
- apiGroups: [ "" ]
resources:
- services
- nodes
- nodes/proxy
- persistentvolumes
- persistentvolumeclaims
- pods
- pods/log
verbs: [ "get" ]
- apiGroups: [ "" ]
resources:
- namespaces
- persistentvolumes
- persistentvolumeclaims
- pods
- pods/exec
verbs: [ "create" ]
- apiGroups: [ "" ]
resources:
- namespaces
- persistentvolumes
- persistentvolumeclaims
- pods
verbs: [ "delete" ]
- apiGroups: [ "" ]
resources:
- persistentvolumeclaims
verbs: [ "update" ]
- apiGroups: [ "" ]
resources:
- pods/ephemeralcontainers
verbs: [ "patch" ]
- apiGroups: [ "" ]
resources:
- serviceaccounts
- configmaps
verbs: [ "watch" ]
- apiGroups: [ "apps" ]
resources:
- replicasets
- daemonsets
verbs: [ "list" ]
- apiGroups: [ "storage.k8s.io" ]
resources:
- storageclasses
verbs: [ "create" ]
- apiGroups: [ "storage.k8s.io" ]
resources:
- storageclasses
- csinodes
verbs: [ "get" ]
- apiGroups: [ "storage.k8s.io" ]
resources:
- storageclasses
verbs: [ "delete" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources:
- volumesnapshots
- volumesnapshotclasses
- volumesnapshotcontents
verbs: [ "create" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources:
- volumesnapshots
- volumesnapshotclasses
- volumesnapshotcontents
verbs: [ "get" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources:
- volumesnapshotcontents
verbs: [ "update" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
resources:
- volumesnapshots
- volumesnapshotclasses
- volumesnapshotcontents
verbs: [ "delete" ]
- apiGroups: [ "authorization.k8s.io" ]
resources:
- clusterroles
verbs: [ "list" ]
- apiGroups: [ "authorization.k8s.io" ]
resources:
- subjectaccessreviews
verbs: [ "create" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources:
- clusterroles
verbs: [ "list" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources:
- clusterrolebindings
verbs: [ "create" ]
- apiGroups: [ "apiextensions.k8s.io" ]
resources:
- customresourcedefinitions
verbs: [ "get" ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ebs-csi-driver-test
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
subjects:
- kind: ServiceAccount
name: ebs-csi-driver-test
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: ebs-csi-driver-test
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
data:
manifests.yaml: |
ShortName: ebs
StorageClass:
FromFile: storageclass.yaml
SnapshotClass:
FromName: true
DriverInfo:
Name: ebs.csi.aws.com
SupportedSizeRange:
Min: 1Gi
Max: 16Ti
SupportedFsType:
xfs: {}
ext4: {}
SupportedMountOption:
dirsync: {}
TopologyKeys: ["topology.ebs.csi.aws.com/zone"]
Capabilities:
persistence: true
fsGroup: true
block: true
exec: true
snapshotDataSource: true
pvcDataSource: false
multipods: true
controllerExpansion: true
nodeExpansion: true
volumeLimits: true
topology: true
storageclass.yaml: |
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: ebs.csi.aws.com
provisioner: ebs.csi.aws.com
volumeBindingMode: WaitForFirstConsumer
metadata:
name: ebs-csi-driver-test
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
---
apiVersion: v1
kind: Pod
metadata:
name: ebs-csi-driver-test
annotations:
"helm.sh/hook": test
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
"ignore-check.kube-linter.io/run-as-non-root": "kubetest2 image runs as root"
"ignore-check.kube-linter.io/no-read-only-root-fs": "test pod requires privileged access"
spec:
containers:
- name: kubetest2
image: {{ .Values.helmTester.image }}
resources:
requests:
cpu: 2000m
memory: 4Gi
limits:
memory: 4Gi
command: [ "/bin/sh", "-c" ]
args:
- |
cp /etc/config/storageclass.yaml /workspace/storageclass.yaml
kubectl config set-cluster cluster --server=https://kubernetes.default --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
kubectl config set-context kubetest2 --cluster=cluster
kubectl config set-credentials sa --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
kubectl config set-context kubetest2 --user=sa && kubectl config use-context kubetest2
export FOCUS_REGEX='\bebs.csi.aws.com\b.+(validate content|resize volume|offline PVC|AllowedTopologies|store data'
if kubectl get crd volumesnapshots.snapshot.storage.k8s.io; then
FOCUS_REGEX="${FOCUS_REGEX}|snapshot fields)"
else
FOCUS_REGEX="${FOCUS_REGEX})"
fi
export KUBE_VERSION=$(kubectl version --output json | jq -r '.serverVersion.major + "." + .serverVersion.minor')
kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version="$(curl -L https://dl.k8s.io/release/stable-${KUBE_VERSION}.txt)" --skip-regex='[Disruptive]|[Serial]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
volumeMounts:
- name: config-vol
mountPath: /etc/config
# kubekins-e2e v1 image is linux amd64 only.
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/arch: amd64
serviceAccountName: ebs-csi-driver-test
volumes:
- name: config-vol
configMap:
name: ebs-csi-driver-test
restartPolicy: Never
{{- end }}

20
backing-services/aws-ebs-csi-driver/templates/volumesnapshotclass.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if or .Values.sidecars.snapshotter.forceEnable (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }}
{{- range .Values.volumeSnapshotClasses }}
---
kind: VolumeSnapshotClass
apiVersion: snapshot.storage.k8s.io/v1
metadata:
name: {{ .name }}
{{- with .annotations }}
annotations: {{- . | toYaml | trim | nindent 4 }}
{{- end }}
{{- with .labels }}
labels: {{- . | toYaml | trim | nindent 4 }}
{{- end }}
driver: ebs.csi.aws.com
deletionPolicy: {{ .deletionPolicy }}
{{- with .parameters }}
parameters: {{- . | toYaml | trim | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}