Update for helm charts cephfs-canary

ceph · Dec 12, 2024 · e5f21f3 · e5f21f3
1 parent 6ae3780
commit e5f21f3
Show file tree

Hide file tree

Showing 13 changed files with 378 additions and 144 deletions.
diff --git a/docs/cephfs/ceph-csi-cephfs-3-canary.tgz b/docs/cephfs/ceph-csi-cephfs-3-canary.tgz
diff --git a/docs/cephfs/ceph-csi-cephfs/Chart.yaml b/docs/cephfs/ceph-csi-cephfs/Chart.yaml
@@ -1,15 +1,15 @@
 ---
 apiVersion: v1
-appVersion: 3.12-canary
+appVersion: canary
 description: "Container Storage Interface (CSI) driver,
 provisioner, snapshotter and resizer for Ceph cephfs"
 name: ceph-csi-cephfs
-version: 3.12-canary
+version: 3-canary
 keywords:
   - ceph
   - cephfs
   - ceph-csi
 home: https://github.com/ceph/ceph-csi
 sources:
-  - https://github.com/ceph/ceph-csi/tree/release-v3.12/charts/ceph-csi-cephfs
-icon: https://raw.githubusercontent.com/ceph/ceph-csi/release-v3.12/assets/ceph-logo.png
+  - https://github.com/ceph/ceph-csi/tree/devel/charts/ceph-csi-cephfs
+icon: https://raw.githubusercontent.com/ceph/ceph-csi/devel/assets/ceph-logo.png
diff --git a/docs/cephfs/ceph-csi-cephfs/README.md b/docs/cephfs/ceph-csi-cephfs/README.md
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/encryptionkms-configmap.yaml b/docs/cephfs/ceph-csi-cephfs/templates/encryptionkms-configmap.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.kmsConfigMapName | quote }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+data:
+  config.json: |-
+{{ toJson .Values.encryptionKMSConfig | indent 4 -}}
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml b/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@@ -14,10 +14,14 @@ rules:
   - apiGroups: [""]
     resources: ["nodes"]
     verbs: ["get"]
+  # allow to read Vault Token and connection options from the Tenants namespace
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["get"]
+{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}
+  # allow to read the encryption key used with the metadata KMS
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get"]
 {{- end -}}
+{{- end -}}
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml b/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-daemonset.yaml
@@ -10,6 +10,10 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- if .Values.nodeplugin.annotations }}
+  annotations:
+    {{- toYaml .Values.nodeplugin.annotations | nindent 4 -}}
+{{- end }}
 spec:
   selector:
     matchLabels:
@@ -27,6 +31,10 @@ spec:
         release: {{ .Release.Name }}
         heritage: {{ .Release.Service }}
         {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+    {{- if .Values.nodeplugin.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.nodeplugin.podAnnotations | nindent 8 -}}
+    {{- end }}
     spec:
       securityContext: {{ toYaml .Values.nodeplugin.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
@@ -72,6 +80,7 @@ spec:
 {{- if and .Values.readAffinity .Values.readAffinity.enabled }}
             - "--crush-location-labels={{ .Values.readAffinity.crushLocationLabels | join "," }}"
 {{- end }}
+            - "--logslowopinterval={{ .Values.logSlowOperationInterval }}"
           env:
             - name: POD_IP
               valueFrom:

diff --git a/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-role.yaml b/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-role.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
+{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName -}}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+rules:
+  # allow to read the encryption key used with the metadata KMS
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: [{{ .Values.encryptionKMSConfig.secretName | quote }}]
+{{- end -}}
+{{- end -}}
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml b/docs/cephfs/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
+{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
+  labels:
+    app: {{ include "ceph-csi-cephfs.name" . }}
+    chart: {{ include "ceph-csi-cephfs.chart" . }}
+    component: {{ .Values.nodeplugin.name }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ceph-csi-cephfs.serviceAccountName.nodeplugin" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end -}}
+{{- end -}}
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/provisioner-deployment.yaml b/docs/cephfs/ceph-csi-cephfs/templates/provisioner-deployment.yaml
@@ -10,6 +10,10 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
+{{- if .Values.provisioner.annotations }}
+  annotations:
+    {{- toYaml .Values.provisioner.annotations | nindent 4 -}}
+{{- end }}
 spec:
   replicas: {{ .Values.provisioner.replicaCount }}
   strategy:
@@ -32,6 +36,10 @@ spec:
         release: {{ .Release.Name }}
         heritage: {{ .Release.Service }}
         {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }}
+    {{- if .Values.provisioner.podAnnotations }}
+      annotations:
+        {{- toYaml .Values.provisioner.podAnnotations | nindent 8 -}}
+    {{- end }}
     spec:
 {{- if gt (int .Values.provisioner.replicaCount) 1 }}
       affinity:
@@ -92,6 +100,7 @@ spec:
             - "--clustername={{ .Values.provisioner.clustername }}"
 {{- end }}
             - "--setmetadata={{ .Values.provisioner.setmetadata }}"
+            - "--logslowopinterval={{ .Values.logSlowOperationInterval }}"
           env:
             - name: POD_IP
               valueFrom:
@@ -135,12 +144,25 @@ spec:
             - "--extra-create-metadata=true"
             - "--feature-gates=HonorPVReclaimPolicy=true"
             - "--prevent-volume-mode-conversion=true"
+{{- if and .Values.provisioner.provisioner.args .Values.provisioner.provisioner.args.httpEndpointPort }}
+            - "--http-endpoint=$(POD_IP):{{ .Values.provisioner.provisioner.args.httpEndpointPort }}"
+{{- end }}
 {{- range .Values.provisioner.provisioner.extraArgs }}
             - "--{{ . }}"
 {{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
+{{- if and .Values.provisioner.provisioner.args .Values.provisioner.provisioner.args.httpEndpointPort }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          ports:
+            - containerPort: {{ .Values.provisioner.provisioner.args.httpEndpointPort }}
+              name: http-endpoint
+              protocol: TCP
+{{- end }}
           volumeMounts:
             - name: socket-dir
               mountPath: /csi
@@ -156,12 +178,25 @@ spec:
             - "--leader-election=true"
             - "--extra-create-metadata=true"
             - "--enable-volume-group-snapshots={{.Values.provisioner.snapshotter.args.enableVolumeGroupSnapshots }}"
+{{- if and .Values.provisioner.snapshotter.args .Values.provisioner.snapshotter.args.httpEndpointPort }}
+            - "--http-endpoint=$(POD_IP):{{ .Values.provisioner.snapshotter.args.httpEndpointPort }}"
+{{- end }}
 {{- range .Values.provisioner.snapshotter.extraArgs }}
             - "--{{ . }}"
 {{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
+{{- if and .Values.provisioner.snapshotter.args .Values.provisioner.snapshotter.args.httpEndpointPort }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          ports:
+            - containerPort: {{ .Values.provisioner.snapshotter.args.httpEndpointPort }}
+              name: http-endpoint
+              protocol: TCP
+{{- end }}
           volumeMounts:
             - name: socket-dir
               mountPath: /csi
@@ -179,12 +214,25 @@ spec:
             - "--retry-interval-start=500ms"
             - "--handle-volume-inuse-error=false"
             - "--feature-gates=RecoverVolumeExpansionFailure=true"
+{{- if and .Values.provisioner.resizer.args .Values.provisioner.resizer.args.httpEndpointPort }}
+            - "--http-endpoint=$(POD_IP):{{ .Values.provisioner.resizer.args.httpEndpointPort }}"
+{{- end }}
 {{- range .Values.provisioner.resizer.extraArgs }}
             - "--{{ . }}"
 {{- end }}
           env:
             - name: ADDRESS
               value: "unix:///csi/{{ .Values.provisionerSocketFile }}"
+{{- if and .Values.provisioner.resizer.args .Values.provisioner.resizer.args.httpEndpointPort }}
+            - name: POD_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.podIP
+          ports:
+            - containerPort: {{ .Values.provisioner.resizer.args.httpEndpointPort }}
+              name: http-endpoint
+              protocol: TCP
+{{- end }}
           volumeMounts:
             - name: socket-dir
               mountPath: /csi

diff --git a/docs/cephfs/ceph-csi-cephfs/templates/secret.yaml b/docs/cephfs/ceph-csi-cephfs/templates/secret.yaml
@@ -14,6 +14,12 @@ metadata:
     heritage: {{ .Release.Service }}
     {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
 stringData:
+  {{- if .Values.secret.userID }}
+  userID: {{ .Values.secret.userID }}
+  {{- end }}
+  {{- if .Values.secret.userKey }}
+  userKey: {{ .Values.secret.userKey }}
+  {{- end }}
   adminID: {{ .Values.secret.adminID }}
   adminKey: {{ .Values.secret.adminKey }}
 {{- end -}}
diff --git a/docs/cephfs/ceph-csi-cephfs/templates/storageclass.yaml b/docs/cephfs/ceph-csi-cephfs/templates/storageclass.yaml
@@ -20,6 +20,12 @@ parameters:
 {{- if .Values.storageClass.pool }}
   pool: {{ .Values.storageClass.pool }}
 {{- end }}
+{{- if .Values.storageClass.encrypted }}
+  encrypted: "{{ .Values.storageClass.encrypted }}"
+{{- end }}
+{{- if .Values.storageClass.encryptionKMSID }}
+  encryptionKMSID: {{ .Values.storageClass.encryptionKMSID }}
+{{- end }}
 {{- if .Values.storageClass.fuseMountOptions }}
   fuseMountOptions: "{{ .Values.storageClass.fuseMountOptions }}"
 {{- end }}