gitea_admin/application
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add helm charts

Browse Source
This commit is contained in:
Ybehrooz
2025-11-09 13:22:40 +03:30
parent 282c3e52d0
commit 38e4d749ad
1352 changed files with 190457 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
backing-services/aws-efs-csi-driver/.helmignore Normal file
View File

@@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

245
backing-services/aws-efs-csi-driver/CHANGELOG.md Normal file
View File

@@ -0,0 +1,245 @@
# Helm chart
# v3.1.5
* Bump app/driver version to `v2.1.4`
# v3.1.4
* Bump app/driver version to `v2.1.3`
# v3.1.3
* Bump app/driver version to `v2.1.2`
# v3.1.2
* Bump app/driver version to `v2.1.1`
# v3.1.1
* Bump app/driver version to `v2.1.0`
# v3.1.0
* Bump app/driver version to `v2.0.9`
# v3.0.9
* Bump app/driver version to `v2.0.8`
# v3.0.8
* Bump app/driver version to `v2.0.7`
# v3.0.7
* Bump app/driver version to `v2.0.6`
# v3.0.6
* Bump app/driver version to `v2.0.5`
# v3.0.5
* Bump app/driver version to `v2.0.4`
# v3.0.4
* Bump app/driver version to `v2.0.3`
# v3.0.3
* Bump app/driver version to `v2.0.2`
# v3.0.2
* Update Helm to use the image from Public ECR rather than DockerHub
# v3.0.1
* Bump app/driver version to `v2.0.1`
# v3.0.0
* Bump app/driver version to `v2.0.0`
# v2.5.7
* Bump app/driver version to `v1.7.7`
# v2.5.6
* Bump app/driver version to `v1.7.6`
# v2.5.5
* Bump app/driver version to `v1.7.5`
# v2.5.4
* Bump app/driver version to `v1.7.4`
# v2.5.3
* Bump app/driver version to `v1.7.3`
# v2.5.2
* Bump app/driver version to `v1.7.2`
# v2.5.1
* Bump app/driver version to `v1.7.1`
# v2.5.0
* Bump app/driver version to `v1.7.0`
# v2.4.9
* Bump app/driver version to `v1.6.0`
# v2.4.8
* Bump app/driver version to `v1.5.9`
# v2.4.7
* Bump app/driver version to `v1.5.8`
# v2.4.6
* Bump app/driver version to `v1.5.7`
# v2.4.5
* Bump helm version for change of state-dir path to avoid losing track of state files which exists already to `v2.4.5`
# v2.4.4
* Bump helm version to pick the latest side-car images `v2.4.4`
# v2.4.3
* Bump app/driver version to `v1.5.6`
# v2.4.2
* Bump app/driver version to `v1.5.5`
# v2.4.1
* Bump app/driver version to `v1.5.4`
# v2.4.0
* Bump app/driver version to `v1.5.3`
# v2.3.9
* Bump app/driver version to `v1.5.2`
# v2.3.8
* Bump app/driver version to `v1.5.1`
# v2.3.7
* Bump app/driver version to `v1.5.0`
# v2.3.6
* Bump app/driver version to `v1.4.9`
# v2.3.5
* Bump app/driver version to `v1.4.8`
# v2.3.4
* Bump app/driver version to `v1.4.7`
# v2.3.3
* Bump app/driver version to `v1.4.6`
# v2.3.2
* Bump app/driver version to `v1.4.5`
# v2.3.1
* Bump app/driver version to `v1.4.4`
# v2.3.0
* Bump app/driver version to `v1.4.3`
# v2.2.9
* Bump app/driver version to `v1.4.2`
# v2.2.8
* Bump app/driver version to `v1.4.1`
# v2.2.7
* Bump app/driver version to `v1.4.0`
# v2.2.6
* Bump app/driver version to `v1.3.8`
# v2.2.5
* Bump app/driver version to `v1.3.7`
# v2.2.4
* Add STS regional endpoints flag to fix PV creation on private EKS
# v2.2.3
* Bump app/driver version to `v1.3.6`
# v2.2.2
* Add controller.volMetricsOptIn for emitting volume metrics
* Update ECR sidecars to 1-18-13
# v2.2.1
* Bump app/driver version to `v1.3.5`
# v2.2.0
* Allow health ports to be configured
* Add Missing "patch" permission for "events"
# v2.1.6
* Bump app/driver version to `v1.3.4`
# v2.1.5
* Bump app/driver version to `v1.3.3`
# v2.1.4
* Add node.serviceAccount values for creating and/or specifying daemonset service account
# v2.1.3
* Bump app/driver version to `v1.3.2`
# v2.1.2
* Add extra-create-metadata
# v2.1.1
* Update app/driver version to `v1.3.1`
# v2.1.0
## New features
* Update app/driver version to `v1.3.0`
## Bug fixes
* Put comments back in place inside the values file ([#475](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/475), [@pierluigilenoci](https://github.com/pierluigilenoci))
# v2.0.1
## Bug fixes
* Helm chart: fix reclaimPolicy and volumeBindingMode ([#464](https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/464), [@devinsmith911](https://github.com/devinsmith911))
# v2.0.0
## Breaking changes
Multiple changes in values file at `sidecars`, `controller` and `node`
---
```yaml
sidecars:
xxxxxxxxx:
repository:
tag:
```
Moving to
```yaml
sidecars:
xxxxxxxxx:
image:
repository:
tag:
```
---
```yaml
podAnnotations:
resources:
nodeSelector:
tolerations:
affinity:
```
Moving to
```yaml
controller:
podAnnotations:
resources:
nodeSelector:
tolerations:
affinity:
```
---
```yaml
hostAliases:
dnsPolicy:
dnsConfig:
```
Moving to
```yaml
node:
hostAliases:
dnsPolicy:
dnsConfig:
```
---
```yaml
serviceAccount:
controller:
```
Moving to
```yaml
controller:
serviceAccount:
```
## New features
* Chart API `v2` (requires Helm 3)
* Set `resources` and `imagePullPolicy` fields independently for containers
* Set `logLevel`, `affinity`, `nodeSelector`, `podAnnotations` and `tolerations` fields independently
for Controller deployment and Node daemonset
* Set `reclaimPolicy` and `volumeBindingMode` fields in storage class
## Fixes
* Fixing Controller deployment using `podAnnotations` and `tolerations` values from Node daemonset
* Let the user define the whole `tolerations` array, default to `- operator: Exists`
* Default `logLevel` lowered from `5` to `2`
* Default `imagePullPolicy` everywhere set to `IfNotPresent`

18
backing-services/aws-efs-csi-driver/Chart.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v2
appVersion: 2.1.4
description: A Helm chart for AWS EFS CSI Driver
home: https://github.com/kubernetes-sigs/aws-efs-csi-driver
keywords:
- aws
- efs
- csi
kubeVersion: '>=1.17.0-0'
maintainers:
- name: leakingtapan
url: https://github.com/leakingtapan
- name: krmichel
url: https://github.com/krmichel
name: aws-efs-csi-driver
sources:
- https://github.com/kubernetes-sigs/aws-efs-csi-driver
version: 3.1.5

28
backing-services/aws-efs-csi-driver/auction-stage-eks.values.yaml Normal file
View File

@@ -0,0 +1,28 @@
controller:
serviceAccount:
create: true
name: efs-csi-node-sa
node:
# Specifies whether a service account should be created
serviceAccount:
create: true
name: efs-csi-node-sa
annotations:
## Enable if EKS IAM for SA is used
eks.amazonaws.com/role-arn: "arn:aws:iam::667294666490:role/auction-cluster-20241126163757775000000001"
storageClasses:
- name: efs-sc
annotations:
storageclass.kubernetes.io/is-default-class: "true"
mountOptions:
- tls
parameters:
provisioningMode: efs-ap
fileSystemId: fs-09f60032cda93f18a
directoryPerms: "700"
gidRangeStart: "1000"
gidRangeEnd: "2000"
reclaimPolicy: Delete
volumeBindingMode: Immediate

28
backing-services/aws-efs-csi-driver/school-stage-eks.values.yaml Normal file
View File

@@ -0,0 +1,28 @@
controller:
serviceAccount:
create: true
name: efs-csi-node-sa
node:
# Specifies whether a service account should be created
serviceAccount:
create: true
name: efs-csi-node-sa
annotations:
## Enable if EKS IAM for SA is used
eks.amazonaws.com/role-arn: "arn:aws:iam::889565812003:role/schoolbuses-cluster-20241110104436981500000002"
storageClasses:
- name: efs-sc
annotations:
storageclass.kubernetes.io/is-default-class: "true"
mountOptions:
- tls
parameters:
provisioningMode: efs-ap
fileSystemId: fs-0a434a5de93866ab1
directoryPerms: "700"
gidRangeStart: "1000"
gidRangeEnd: "2000"
reclaimPolicy: Delete
volumeBindingMode: Immediate

28
backing-services/aws-efs-csi-driver/schoolbuses.values.yaml Normal file
View File

@@ -0,0 +1,28 @@
controller:
serviceAccount:
create: true
name: efs-csi-controller-sa
node:
# Specifies whether a service account should be created
serviceAccount:
create: true
name: efs-csi-node-sa
annotations:
## Enable if EKS IAM for SA is used
eks.amazonaws.com/role-arn: arn:aws:iam::889565812003:role/schoolbuses_Cluster_IAM
storageClasses:
- name: efs-sc
annotations:
storageclass.kubernetes.io/is-default-class: "true"
mountOptions:
- tls
parameters:
provisioningMode: efs-ap
fileSystemId: fs-08694c721b539abe2
directoryPerms: "700"
gidRangeStart: "1000"
gidRangeEnd: "2000"
reclaimPolicy: Delete
volumeBindingMode: Immediate

3
backing-services/aws-efs-csi-driver/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,3 @@
To verify that aws-efs-csi-driver has started, run:
kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-efs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"

56
backing-services/aws-efs-csi-driver/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,56 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "aws-efs-csi-driver.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "aws-efs-csi-driver.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "aws-efs-csi-driver.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "aws-efs-csi-driver.labels" -}}
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
helm.sh/chart: {{ include "aws-efs-csi-driver.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{/*
Create a string out of the map for controller tags flag
*/}}
{{- define "aws-efs-csi-driver.tags" -}}
{{- $tags := list -}}
{{ range $key, $val := . }}
{{- $tags = print $key ":" $val | append $tags -}}
{{- end -}}
{{- join " " $tags -}}
{{- end -}}

193
backing-services/aws-efs-csi-driver/templates/controller-deployment.yaml Normal file
View File

@@ -0,0 +1,193 @@
{{- if .Values.controller.create }}
# Controller Service
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ .Values.controller.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
{{- with .Values.controller.additionalLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicaCount }}
selector:
matchLabels:
app: {{ .Values.controller.name }}
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.controller.updateStrategy }}
strategy:
{{ toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: {{ .Values.controller.name }}
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.controller.podLabels }}
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.podAnnotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if hasKey .Values.controller "hostNetwork" }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.controller.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.controller.serviceAccount.name }}
priorityClassName: {{ .Values.controller.priorityClassName | default "system-cluster-critical" }}
{{- with .Values.controller.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.dnsPolicy }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig: {{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: efs-plugin
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
{{- if .Values.controller.tags }}
- --tags={{ include "aws-efs-csi-driver.tags" .Values.controller.tags }}
{{- end }}
- --v={{ .Values.controller.logLevel }}
- --delete-access-point-root-dir={{ hasKey .Values.controller "deleteAccessPointRootDir" | ternary .Values.controller.deleteAccessPointRootDir false }}
env:
- name: CSI_ENDPOINT
value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
{{- if .Values.controller.regionalStsEndpoints }}
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
{{- end }}
- name: CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.useFIPS }}
- name: AWS_USE_FIPS_ENDPOINT
value: "true"
{{- end }}
- name: PORT_RANGE_UPPER_BOUND
value: "{{ .Values.portRangeUpperBound }}"
{{- with .Values.controller.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: healthz
containerPort: {{ .Values.controller.healthPort }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 10
failureThreshold: 5
{{- with .Values.controller.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
- name: csi-provisioner
image: {{ printf "%s:%s" .Values.sidecars.csiProvisioner.image.repository .Values.sidecars.csiProvisioner.image.tag }}
imagePullPolicy: {{ .Values.sidecars.csiProvisioner.image.pullPolicy }}
args:
- --csi-address=$(ADDRESS)
- --v={{ .Values.controller.logLevel }}
- --feature-gates=Topology=true
{{- if .Values.controller.extraCreateMetadata }}
- --extra-create-metadata
{{- end }}
- --leader-election
{{- if hasKey .Values.controller "leaderElectionRenewDeadline" }}
- --leader-election-renew-deadline={{ .Values.controller.leaderElectionRenewDeadline }}
{{- end }}
{{- if hasKey .Values.controller "leaderElectionLeaseDuration" }}
- --leader-election-lease-duration={{ .Values.controller.leaderElectionLeaseDuration }}
{{- end }}
{{- range .Values.sidecars.csiProvisioner.additionalArgs }}
- {{ . }}
{{- end }}
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
{{- with default .Values.controller.resources .Values.sidecars.csiProvisioner.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.csiProvisioner.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
imagePullPolicy: {{ .Values.sidecars.livenessProbe.image.pullPolicy }}
args:
- --csi-address=/csi/csi.sock
- --health-port={{ .Values.controller.healthPort }}
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with default .Values.controller.resources .Values.sidecars.livenessProbe.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbe.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: socket-dir
emptyDir: {}
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.controller.topologySpreadConstraints }}
{{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "efs-csi-controller" ) ) }}
{{- $constraints := list }}
{{- range .Values.controller.topologySpreadConstraints }}
{{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }}
{{- end }}
topologySpreadConstraints:
{{- $constraints | toYaml | nindent 8 }}
{{- end }}
{{- end }}

24
backing-services/aws-efs-csi-driver/templates/controller-pdb.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if .Values.controller.podDisruptionBudget.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ .Values.controller.name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "aws-efs-csi-driver.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
app: {{ .Values.controller.name }}
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
unhealthyPodEvictionPolicy: {{ .Values.controller.podDisruptionBudget.unhealthyPodEvictionPolicy }}
{{- end }}
{{- if .Values.controller.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }}
{{- end }}
{{- if .Values.controller.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.controller.podDisruptionBudget.minAvailable }}
{{- end }}
{{- end -}}

88
backing-services/aws-efs-csi-driver/templates/controller-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,88 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-external-provisioner-role
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "patch", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-external-provisioner-role-describe-secrets
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
rules:
- apiGroups: [ "" ]
resources: [ "secrets" ]
resourceNames: ["x-account"]
verbs: [ "get", "watch", "list" ]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-provisioner-binding
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: efs-csi-external-provisioner-role
apiGroup: rbac.authorization.k8s.io
---
# We use a RoleBinding to restrict Secret access to the namespace that the
# RoleBinding is created in (typically kube-system)
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-provisioner-binding-describe-secrets
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
subjects:
- kind: ServiceAccount
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: efs-csi-external-provisioner-role-describe-secrets
apiGroup: rbac.authorization.k8s.io

12
backing-services/aws-efs-csi-driver/templates/csidriver.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }}
kind: CSIDriver
metadata:
name: efs.csi.aws.com
annotations:
{{- if .Values.useHelmHooksForCSIDriver }}
"helm.sh/hook": pre-install, pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation
{{- end }}
"helm.sh/resource-policy": keep
spec:
attachRequired: false

202
backing-services/aws-efs-csi-driver/templates/node-daemonset.yaml Normal file
View File

@@ -0,0 +1,202 @@
# Node Service
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: efs-csi-node
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
{{- with .Values.node.additionalLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app: efs-csi-node
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.node.updateStrategy }}
updateStrategy:
{{ toYaml . | nindent 4 }}
{{- end }}
template:
metadata:
labels:
app: efs-csi-node
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.node.podLabels }}
{{ toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.node.podAnnotations }}
annotations: {{ toYaml .Values.node.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- with .Values.node.hostAliases }}
hostAliases:
{{- range $k, $v := . }}
- ip: {{ $v.ip }}
hostnames:
- {{ $k }}.efs.{{ $v.region }}.amazonaws.com
{{- end }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.node.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.node.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: true
dnsPolicy: {{ .Values.node.dnsPolicy }}
{{- with .Values.node.dnsConfig }}
dnsConfig: {{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ .Values.node.serviceAccount.name }}
priorityClassName: {{ .Values.node.priorityClassName}}
{{- with .Values.node.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.node.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: efs-plugin
securityContext:
privileged: true
image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- --endpoint=$(CSI_ENDPOINT)
- --logtostderr
- --v={{ .Values.node.logLevel }}
- --vol-metrics-opt-in={{ hasKey .Values.node "volMetricsOptIn" | ternary .Values.node.volMetricsOptIn false }}
- --vol-metrics-refresh-period={{ hasKey .Values.node "volMetricsRefreshPeriod" | ternary .Values.node.volMetricsRefreshPeriod 240 }}
- --vol-metrics-fs-rate-limit={{ hasKey .Values.node "volMetricsFsRateLimit" | ternary .Values.node.volMetricsFsRateLimit 5 }}
env:
- name: CSI_ENDPOINT
value: unix:/csi/csi.sock
- name: CSI_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.useFIPS }}
- name: AWS_USE_FIPS_ENDPOINT
value: "true"
{{- end }}
- name: PORT_RANGE_UPPER_BOUND
value: "{{ .Values.portRangeUpperBound }}"
{{- with .Values.node.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: kubelet-dir
mountPath: {{ .Values.node.kubeletPath }}
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /csi
- name: efs-state-dir
mountPath: /var/run/efs
- name: efs-utils-config
mountPath: /var/amazon/efs
- name: efs-utils-config-legacy
mountPath: /etc/amazon/efs-legacy
{{- with .Values.node.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: healthz
containerPort: {{ .Values.node.healthPort }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 2
failureThreshold: 5
{{- with .Values.node.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
- name: csi-driver-registrar
image: {{ printf "%s:%s" .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }}
imagePullPolicy: {{ .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }}
args:
- --csi-address=$(ADDRESS)
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
- --v={{ .Values.node.logLevel }}
env:
- name: ADDRESS
value: /csi/csi.sock
- name: DRIVER_REG_SOCK_PATH
value: {{ printf "%s/plugins/efs.csi.aws.com/csi.sock" (trimSuffix "/" .Values.node.kubeletPath) }}
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: plugin-dir
mountPath: /csi
- name: registration-dir
mountPath: /registration
{{- with .Values.sidecars.nodeDriverRegistrar.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.nodeDriverRegistrar.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
- name: liveness-probe
image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
imagePullPolicy: {{ .Values.sidecars.livenessProbe.image.pullPolicy }}
args:
- --csi-address=/csi/csi.sock
- --health-port={{ .Values.node.healthPort }}
- --v={{ .Values.node.logLevel }}
volumeMounts:
- name: plugin-dir
mountPath: /csi
{{- with .Values.sidecars.livenessProbe.resources }}
resources: {{ toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.sidecars.livenessProbe.securityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: kubelet-dir
hostPath:
path: {{ .Values.node.kubeletPath }}
type: Directory
- name: plugin-dir
hostPath:
path: {{ printf "%s/plugins/efs.csi.aws.com/" (trimSuffix "/" .Values.node.kubeletPath) }}
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: {{ printf "%s/plugins_registry/" (trimSuffix "/" .Values.node.kubeletPath) }}
type: Directory
- name: efs-state-dir
hostPath:
path: /var/run/efs
type: DirectoryOrCreate
- name: efs-utils-config
hostPath:
path: /var/amazon/efs
type: DirectoryOrCreate
- name: efs-utils-config-legacy
hostPath:
path: /etc/amazon/efs
type: DirectoryOrCreate
{{- with .Values.node.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}

40
backing-services/aws-efs-csi-driver/templates/node-serviceaccount.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- if .Values.node.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.node.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
{{- with .Values.node.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-node-role
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: efs-csi-node-binding
labels:
app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
subjects:
- kind: ServiceAccount
name: {{ .Values.node.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: efs-csi-node-role
apiGroup: rbac.authorization.k8s.io

26
backing-services/aws-efs-csi-driver/templates/storageclass.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- range .Values.storageClasses }}
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: {{ .name }}
{{- with .annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
provisioner: efs.csi.aws.com
{{- with .mountOptions }}
mountOptions:
{{ toYaml . }}
{{- end }}
{{- with .parameters }}
parameters:
{{ toYaml . | indent 2 }}
{{- end }}
{{- with .reclaimPolicy }}
reclaimPolicy: {{ . }}
{{- end }}
{{- with .volumeBindingMode }}
volumeBindingMode: {{ . }}
{{- end }}
---
{{- end }}

237
backing-services/aws-efs-csi-driver/values.yaml Normal file
View File

@@ -0,0 +1,237 @@
# Default values for aws-efs-csi-driver.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
nameOverride: ""
fullnameOverride: ""
useFIPS: false
portRangeUpperBound: "21049"
image:
repository: public.ecr.aws/efs-csi-driver/amazon/aws-efs-csi-driver
tag: "v2.1.4"
pullPolicy: IfNotPresent
sidecars:
livenessProbe:
image:
repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
tag: v2.14.0-eks-1-31-5
pullPolicy: IfNotPresent
resources: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
nodeDriverRegistrar:
image:
repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
tag: v2.12.0-eks-1-31-5
pullPolicy: IfNotPresent
resources: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
csiProvisioner:
image:
repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
tag: v5.1.0-eks-1-31-5
pullPolicy: IfNotPresent
resources: {}
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
additionalArgs: []
imagePullSecrets: []
## Controller deployment variables
controller:
# Specifies whether a deployment should be created
create: true
# Name of the CSI controller service
name: efs-csi-controller
# Number of replicas for the CSI controller service deployment
replicaCount: 2
# Number for the log level verbosity
logLevel: 2
# If set, add pv/pvc metadata to plugin create requests as parameters.
extraCreateMetadata: true
# Add additional tags to access points
tags:
{}
# environment: prod
# region: us-east-1
# Enable if you want the controller to also delete the
# path on efs when deleteing an access point
deleteAccessPointRootDir: false
podAnnotations: {}
podLabels: {}
hostNetwork: false
priorityClassName: system-cluster-critical
dnsPolicy: ClusterFirst
dnsConfig: {}
additionalLabels: {}
resources:
{}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
updateStrategy: {}
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- key: efs.csi.aws.com/agent-not-ready
operator: Exists
affinity: {}
env: []
volumes: []
volumeMounts: []
# Specifies whether a service account should be created
serviceAccount:
create: true
name: efs-csi-controller-sa
annotations: {}
## Enable if EKS IAM for SA is used
# eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
healthPort: 9909
regionalStsEndpoints: false
# Pod Disruption Budget
podDisruptionBudget:
enabled: false
# maxUnavailable: 1
minAvailable: 1
unhealthyPodEvictionPolicy: IfHealthyBudget
# securityContext on the controller pod
securityContext:
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
fsGroup: 0
# securityContext on the controller container
# Setting privileged=false will cause the "delete-access-point-root-dir" controller option to fail
containerSecurityContext:
privileged: true
leaderElectionRenewDeadline: 10s
leaderElectionLeaseDuration: 15s
# TSCs without the label selector stanza
#
# Example:
#
# topologySpreadConstraints:
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# - maxSkew: 1
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: ScheduleAnyway
topologySpreadConstraints: []
## Node daemonset variables
node:
# Number for the log level verbosity
logLevel: 2
volMetricsOptIn: false
volMetricsRefreshPeriod: 240
volMetricsFsRateLimit: 5
hostAliases:
{}
# For cross VPC EFS, you need to poison or overwrite the DNS for the efs volume as per
# https://docs.aws.amazon.com/efs/latest/ug/efs-different-vpc.html#wt6-efs-utils-step3
# implementing the suggested solution found here:
# https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/240#issuecomment-676849346
# EFS Vol ID, IP, Region
# "fs-01234567":
# ip: 10.10.2.2
# region: us-east-2
priorityClassName: system-node-critical
dnsPolicy: ClusterFirst
dnsConfig:
{}
# Example config which uses the AWS nameservers
# dnsPolicy: "None"
# dnsConfig:
# nameservers:
# - 169.254.169.253
podLabels: {}
podAnnotations: {}
additionalLabels: {}
resources:
{}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
updateStrategy:
{}
# Override default strategy (RollingUpdate) to speed up deployment.
# This can be useful if helm timeouts are observed.
# type: OnDelete
tolerations:
- operator: Exists
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: eks.amazonaws.com/compute-type
operator: NotIn
values:
- fargate
- hybrid
# Specifies whether a service account should be created
serviceAccount:
create: true
name: efs-csi-node-sa
annotations: {}
## Enable if EKS IAM for SA is used
# eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/efs-csi-role
healthPort: 9809
# securityContext on the node pod
securityContext:
# The node pod must be run as root to bind to the registration/driver sockets
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
fsGroup: 0
env: []
volumes: []
volumeMounts: []
kubeletPath: /var/lib/kubelet
storageClasses: []
# Add StorageClass resources like:
# - name: efs-sc
# annotations:
# # Use that annotation if you want this to your default storageclass
# storageclass.kubernetes.io/is-default-class: "true"
# mountOptions:
# - tls
# parameters:
# provisioningMode: efs-ap
# fileSystemId: fs-1122aabb
# directoryPerms: "700"
# gidRangeStart: "1000"
# gidRangeEnd: "2000"
# basePath: "/dynamic_provisioning"
# subPathPattern: "/subPath"
# ensureUniqueDirectory: true
# reclaimPolicy: Delete
# volumeBindingMode: Immediate
# Specifies wether to use helm hooks to apply the CSI driver
useHelmHooksForCSIDriver: true