From 02f8eda7e600b7215caffa0c2386638cdb09682a Mon Sep 17 00:00:00 2001 
From: Rohan Jayaraj Date: Mon, 7 Oct 2024 18:55:42 +0530 Subject: [PATCH] Refresh CSI drivers - FUSE 1.2.12 and NFS 1.0.12 * CSI-297 : Update helm-operator to 1.34 image (CVEs addressed) * CSI-299: Do not create mountPrefix directory if it doesn't exist on MapR-FS * CVE-2024-24790: Update golang to 1.23.1 & update sidecar containers to latest versions * EZAF-6755: Add check to verify if the mount is accessible to the existing check of mount availability * CSI-302: Handle failure to expand volume on controller/provisioner pod restart by quering kube-apiserver & more --- .../kubernetes/fuse/csi-maprkdf-v1.2.12.yaml | 478 ++++++++++++++++++ .../nfs/csi-maprnfskdf-v1.0.12.yaml | 478 ++++++++++++++++++ docs/hpe-ezmeral-csi-driver-1.2.12.tgz | Bin 0 -> 3730 bytes docs/hpe-ezmeral-nfs-csi-driver-1.0.12.tgz | Bin 0 -> 3748 bytes docs/index.yaml | 48 +- helm/charts/hpe-ezmeral-csi-driver/Chart.yaml | 4 +- .../templates/csi-controller.yaml | 12 +- .../templates/csi-node.yaml | 5 +- .../charts/hpe-ezmeral-csi-driver/values.yaml | 4 +- .../hpe-ezmeral-nfs-csi-driver/Chart.yaml | 4 +- .../templates/csi-controller.yaml | 12 +- .../templates/csi-node.yaml | 5 +- .../hpe-ezmeral-nfs-csi-driver/values.yaml | 4 +- .../v1.2.11/values.yaml | 8 + .../v1.2.12/values.yaml | 8 + .../v1.0.11/values.yaml | 8 + .../v1.0.12/values.yaml | 8 + operator/hpe-ezmeral-csi-operator/Dockerfile | 4 +- 18 files changed, 1063 insertions(+), 27 deletions(-) create mode 100644 deploy/kubernetes/fuse/csi-maprkdf-v1.2.12.yaml create mode 100644 deploy/kubernetes/nfs/csi-maprnfskdf-v1.0.12.yaml create mode 100644 docs/hpe-ezmeral-csi-driver-1.2.12.tgz create mode 100644 docs/hpe-ezmeral-nfs-csi-driver-1.0.12.tgz create mode 100644 helm/values/hpe-ezmeral-csi-driver/v1.2.11/values.yaml create mode 100644 helm/values/hpe-ezmeral-csi-driver/v1.2.12/values.yaml create mode 100644 helm/values/hpe-ezmeral-nfs-csi-driver/v1.0.11/values.yaml create mode 100644 
helm/values/hpe-ezmeral-nfs-csi-driver/v1.0.12/values.yaml
diff --git a/deploy/kubernetes/fuse/csi-maprkdf-v1.2.12.yaml b/deploy/kubernetes/fuse/csi-maprkdf-v1.2.12.yaml
new file mode 100644
index 0000000..f0910c0
--- /dev/null
+++ b/deploy/kubernetes/fuse/csi-maprkdf-v1.2.12.yaml
@@ -0,0 +1,478 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mapr-csi + labels: + name: mapr-csi + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin-sa + namespace: mapr-csi + +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: mapr-csi-critical +value: 1000000000 +globalDefault: false +description: "This priority class is used for csi pods." + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-cr + namespace: mapr-csi +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-crb + namespace: mapr-csi +subjects: + - kind: ServiceAccount + name: csi-nodeplugin-sa + namespace: mapr-csi +roleRef: + kind: ClusterRole + name: csi-nodeplugin-cr + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-controller-sa + namespace: mapr-csi + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-cr + namespace: mapr-csi +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["pods"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - 
apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-crb + namespace: mapr-csi +subjects: + - kind: ServiceAccount + name: csi-controller-sa + namespace: mapr-csi +roleRef: + kind: ClusterRole + name: csi-attacher-cr + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-controller-cr + namespace: mapr-csi +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "update", "create", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: 
["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-controller-crb + namespace: mapr-csi +subjects: + - kind: ServiceAccount + name: csi-controller-sa + namespace: mapr-csi +roleRef: + kind: ClusterRole + name: csi-controller-cr + apiGroup: rbac.authorization.k8s.io + +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-kdf + namespace: mapr-csi +spec: + selector: + matchLabels: + app: csi-nodeplugin-kdf + template: + metadata: + labels: + app: csi-nodeplugin-kdf + spec: + serviceAccount: csi-nodeplugin-sa + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + priorityClassName: mapr-csi-critical + containers: + - name: csi-node-driver-registrar + securityContext: + privileged: true + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 + imagePullPolicy: "Always" + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=/var/lib/kubelet/plugins/com.mapr.csi-kdf/csi.sock" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/com.mapr.csi-kdf /registration/com.mapr.csi-kdf-reg.sock"] + env: + - name: ADDRESS + value: /plugin/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration/ + - name: liveness-probe + 
securityContext: + privileged: true + image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 + imagePullPolicy: "Always" + args: + - "--v=4" + - "--csi-address=$(ADDRESS)" + - "--probe-timeout=60s" + - "--health-port=9808" + env: + - name: ADDRESS + value: /plugin/csi.sock + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: mapr-kdfplugin + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: docker.io/maprtech/csi-kdfplugin:1.2.11 + imagePullPolicy: "Always" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + - "--maxvolumepernode=20" + - "--maxlogsizemb=10" + - "--createmountprefix=false" + - "--v=4" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 20 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 5 + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + - name: k8s-log-dir + mountPath: /var/log/csi-maprkdf + - name: timezone + mountPath: /etc/localtime + readOnly: true + - name: core-path + mountPath: /opt/cores + - name: device-dir + mountPath: /dev + volumes: + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/com.mapr.csi-kdf + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + - name: pods-mount-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: k8s-log-dir + hostPath: + path: /var/log/csi-maprkdf + type: DirectoryOrCreate + - name: timezone + hostPath: + path: /etc/localtime + - name: core-path + hostPath: + path: /opt/cores + type: DirectoryOrCreate + - name: device-dir + hostPath: + path: /dev + type: Directory + +--- 
+kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-controller-kdf + namespace: mapr-csi +spec: + selector: + matchLabels: + app: csi-controller-kdf # has to match .spec.template.metadata.labels + serviceName: "kdf-provisioner-svc" + replicas: 1 + template: + metadata: + labels: + app: csi-controller-kdf + spec: + serviceAccount: csi-controller-sa + priorityClassName: mapr-csi-critical + containers: + - name: csi-attacher + securityContext: + privileged: true + image: registry.k8s.io/sig-storage/csi-attacher:v4.7.0 + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0 + args: + - "--csi-address=$(ADDRESS)" + - "--default-fstype=maprfs" + - "--volume-name-prefix=mapr-pv" + - "--timeout=300s" # large timeout to accommodate volume clone + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-snapshotter + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0 + imagePullPolicy: "Always" + args: + - "--csi-address=$(ADDRESS)" + - "--snapshot-name-prefix=mapr-snapshot" + - "--timeout=300s" # large timeout to accommodate volume restore from snapshot + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-snapshot-controller + image: registry.k8s.io/sig-storage/snapshot-controller:v8.1.0 + imagePullPolicy: "Always" + args: + - "--leader-election=false" + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: 
/var/lib/csi/sockets/pluginproxy/ + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 + imagePullPolicy: "Always" + args: + - "--v=4" + - "--csi-address=$(ADDRESS)" + - "--probe-timeout=60s" + - "--health-port=9809" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-resizer + image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0 + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: mapr-kdfprovisioner + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: docker.io/maprtech/csi-kdfprovisioner:1.2.9 + imagePullPolicy: "Always" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + - "--driverversion=1.2.11" + - "--uniquename=k8s" + - "--statevolmountprefix=/apps/ksql" + - "--v=4" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/csi.sock + ports: + - containerPort: 9809 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 20 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 5 + volumeMounts: + - name: socket-dir + mountPath: /plugin + - name: k8s-log-dir + mountPath: /var/log/csi-maprkdf + - name: timezone + mountPath: /etc/localtime + readOnly: true + volumes: + - name: socket-dir + emptyDir: {} + - name: k8s-log-dir + hostPath: + path: /var/log/csi-maprkdf + type: DirectoryOrCreate + - name: timezone + hostPath: + path: /etc/localtime diff --git a/deploy/kubernetes/nfs/csi-maprnfskdf-v1.0.12.yaml b/deploy/kubernetes/nfs/csi-maprnfskdf-v1.0.12.yaml new file mode 100644 index 0000000..1731eaf --- /dev/null 
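Review bot: The driver image tags in this manifest do not match the release it is named for: csi-maprkdf-v1.2.12.yaml still deploys `docker.io/maprtech/csi-kdfplugin:1.2.11` and `docker.io/maprtech/csi-kdfprovisioner:1.2.9`, and passes `--driverversion=1.2.11`. The commit message presents 1.2.12 as the build that picks up the Go 1.23.1 update for CVE-2024-24790, so anyone applying this file would presumably keep running the older driver binaries with only the sidecars refreshed. If 1.2.12 images are published, the plugin image, the provisioner image and `--driverversion` should be bumped together (for example `image: docker.io/maprtech/csi-kdfplugin:1.2.12`), ideally pinned by digest, because `imagePullPolicy: "Always"` re-resolves a mutable tag on every pod start. The NFS manifest csi-maprnfskdf-v1.0.12.yaml shows the same pattern (`csi-nfsplugin:1.0.11`, `csi-kdfprovisioner:1.2.9`, `--driverversion=1.0.11`).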
+++ b/deploy/kubernetes/nfs/csi-maprnfskdf-v1.0.12.yaml 
@@ -0,0 +1,478 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mapr-nfscsi + labels: + name: mapr-nfscsi + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-nodeplugin-nfs-sa + namespace: mapr-nfscsi + +--- +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: mapr-nfscsi-critical +value: 1000000000 +globalDefault: false +description: "This priority class is used for NFS csi pods." + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-nfs-cr + namespace: mapr-nfscsi +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-nodeplugin-nfs-crb + namespace: mapr-nfscsi +subjects: + - kind: ServiceAccount + name: csi-nodeplugin-nfs-sa + namespace: mapr-nfscsi +roleRef: + kind: ClusterRole + name: csi-nodeplugin-nfs-cr + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-controller-nfs-sa + namespace: mapr-nfscsi + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-nfs-cr + namespace: mapr-nfscsi +rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["pods"] + verbs: ["get", "watch", "list"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: [""] + resources: 
["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["update", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-attacher-nfs-crb + namespace: mapr-nfscsi +subjects: + - kind: ServiceAccount + name: csi-controller-nfs-sa + namespace: mapr-nfscsi +roleRef: + kind: ClusterRole + name: csi-attacher-nfs-cr + apiGroup: rbac.authorization.k8s.io + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-controller-nfs-cr + namespace: mapr-nfscsi +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "update", "create", "patch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "update", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + 
resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "patch", "update", "delete"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots/status"] + verbs: ["update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["get", "watch", "list", "delete", "update", "create"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "list", "watch", "delete"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-controller-nfs-crb + namespace: mapr-nfscsi +subjects: + - kind: ServiceAccount + name: csi-controller-nfs-sa + namespace: mapr-nfscsi +roleRef: + kind: ClusterRole + name: csi-controller-nfs-cr + apiGroup: rbac.authorization.k8s.io + +--- +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-nodeplugin-nfskdf + namespace: mapr-nfscsi +spec: + selector: + matchLabels: + app: csi-nodeplugin-nfskdf + template: + metadata: + labels: + app: csi-nodeplugin-nfskdf + spec: + serviceAccount: csi-nodeplugin-nfs-sa + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + priorityClassName: mapr-nfscsi-critical + containers: + - name: csi-node-driver-registrar + securityContext: + privileged: true + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.12.0 + imagePullPolicy: "Always" + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + - "--kubelet-registration-path=/var/lib/kubelet/plugins/com.mapr.csi-nfskdf/nfscsi.sock" + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "rm -rf /registration/com.mapr.csi-nfskdf /registration/com.mapr.csi-nfskdf-reg.sock"] + env: + - name: ADDRESS + value: /plugin/nfscsi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName 
+ volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: registration-dir + mountPath: /registration/ + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 + imagePullPolicy: "Always" + args: + - "--v=4" + - "--csi-address=$(ADDRESS)" + - "--probe-timeout=60s" + - "--health-port=9809" + env: + - name: ADDRESS + value: /plugin/nfscsi.sock + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: mapr-kdfplugin + securityContext: + privileged: true + capabilities: + add: ["SYS_ADMIN"] + allowPrivilegeEscalation: true + image: docker.io/maprtech/csi-nfsplugin:1.0.11 + imagePullPolicy: "Always" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + - "--maxvolumepernode=20" + - "--maxlogsizemb=10" + - "--createmountprefix=false" + - "--v=4" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/nfscsi.sock + ports: + - containerPort: 9809 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 20 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 5 + volumeMounts: + - name: plugin-dir + mountPath: /plugin + - name: pods-mount-dir + mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + - name: k8s-log-dir + mountPath: /var/log/csi-maprkdf + - name: timezone + mountPath: /etc/localtime + readOnly: true + - name: core-path + mountPath: /opt/cores + - name: device-dir + mountPath: /dev + volumes: + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/com.mapr.csi-nfskdf + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: Directory + - name: pods-mount-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: k8s-log-dir + hostPath: + path: /var/log/csi-maprkdf + type: DirectoryOrCreate + - name: timezone + hostPath: + path: /etc/localtime + - name: core-path + hostPath: + path: 
/opt/cores + type: DirectoryOrCreate + - name: device-dir + hostPath: + path: /dev + type: Directory + +--- +kind: StatefulSet +apiVersion: apps/v1 +metadata: + name: csi-controller-nfskdf + namespace: mapr-nfscsi +spec: + selector: + matchLabels: + app: csi-controller-nfskdf # has to match .spec.template.metadata.labels + serviceName: "kdf-provisioner-nfs-svc" + replicas: 1 + template: + metadata: + labels: + app: csi-controller-nfskdf + spec: + serviceAccount: csi-controller-nfs-sa + priorityClassName: mapr-nfscsi-critical + containers: + - name: csi-attacher + securityContext: + privileged: true + image: registry.k8s.io/sig-storage/csi-attacher:v4.7.0 + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0 + args: + - "--csi-address=$(ADDRESS)" + - "--default-fstype=maprfs" + - "--volume-name-prefix=mapr-pv" + - "--timeout=300s" # large timeout to accommodate volume clone + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + imagePullPolicy: "Always" + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-snapshotter + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.1.0 + imagePullPolicy: "Always" + args: + - "--csi-address=$(ADDRESS)" + - "--snapshot-name-prefix=mapr-snapshot" + - "--timeout=300s" # large timeout to accommodate volume restore from snapshot + - "--v=5" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-snapshot-controller + image: registry.k8s.io/sig-storage/snapshot-controller:v8.1.0 + imagePullPolicy: "Always" + args: + - "--leader-election=false" + - "--v=5" + env: + 
- name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.14.0 + imagePullPolicy: "Always" + args: + - "--v=4" + - "--csi-address=$(ADDRESS)" + - "--probe-timeout=60s" + - "--health-port=9809" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: csi-resizer + image: registry.k8s.io/sig-storage/csi-resizer:v1.12.0 + imagePullPolicy: "Always" + args: + - "--v=5" + - "--csi-address=$(ADDRESS)" + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/nfscsi.sock + volumeMounts: + - name: socket-dir + mountPath: /var/lib/csi/sockets/pluginproxy/ + - name: mapr-kdfprovisioner + securityContext: + privileged: true + allowPrivilegeEscalation: true + image: docker.io/maprtech/csi-kdfprovisioner:1.2.9 + imagePullPolicy: "Always" + args : + - "--nodeid=$(NODE_ID)" + - "--endpoint=$(CSI_ENDPOINT)" + - "--drivername=com.mapr.csi-nfskdf" + - "--driverversion=1.0.11" + - "--uniquename=k8s" + - "--statevolmountprefix=/apps/ksql" + - "--v=4" + env: + - name: NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CSI_ENDPOINT + value: unix://plugin/nfscsi.sock + ports: + - containerPort: 9809 + name: healthz + protocol: TCP + livenessProbe: + failureThreshold: 20 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + timeoutSeconds: 3 + periodSeconds: 5 + volumeMounts: + - name: socket-dir + mountPath: /plugin + - name: k8s-log-dir + mountPath: /var/log/csi-maprkdf + - name: timezone + mountPath: /etc/localtime + readOnly: true + volumes: + - name: socket-dir + emptyDir: {} + - name: k8s-log-dir + hostPath: + path: /var/log/csi-maprkdf + type: DirectoryOrCreate + - name: timezone + hostPath: + path: /etc/localtime 
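Review bot: `privileged: true` is set on controller containers that, from the mounts shown, only use the CSI socket: in the StatefulSet `csi-attacher` mounts nothing but the `socket-dir` emptyDir, and `mapr-kdfprovisioner` mounts that socket, a log hostPath and `/etc/localtime`, yet both run privileged (the provisioner also with `allowPrivilegeEscalation: true`). A privileged container has full access to the node's devices and kernel interfaces, so a flaw in either component becomes a node compromise, on top of the cluster-wide `get`/`list` on `secrets` that `csi-controller-nfs-sa` already holds. Unless the provisioner mounts file systems itself (not visible in this hunk), these two could replace `privileged: true` with `allowPrivilegeEscalation: false`, leaving privilege confined to the `mapr-kdfplugin` node container, where `capabilities.add: ["SYS_ADMIN"]` is redundant next to `privileged: true`. The FUSE manifest csi-maprkdf-v1.2.12.yaml repeats this and additionally marks the DaemonSet's `liveness-probe` sidecar privileged, which the same sidecar in the NFS DaemonSet runs without.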
diff --git a/docs/hpe-ezmeral-csi-driver-1.2.12.tgz b/docs/hpe-ezmeral-csi-driver-1.2.12.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7782717f19a586393cdd792cbf64e7a075ff248e GIT binary patch literal 3730 zcmV;D4sG!tiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI}4&#i7H7sakKmW_6JguEy=R2Bu?7ChCeutM9vI{GoKj_Erkg>_$5L?nBz<81cFXc zc&8x|%AJvjy?A)*bUK~G{eAPd)9KXzb~}grFS`3jozBsl!|vh1i%$1o|FHW4I$Pkq zv87TG@uKr!UiHa+CygZZ6ADRr+=FS?B1tm;x9je?-90Nn=?j`DbL|9vMHYdt%>zbU z0F9+0jL~=uDn$78@(j*0bAmom1m2OMpgx=q&Y^Ei3wGcAb8z<30yF&Y=@3PX3Z)hD z2zwAJmB^mwU0+|jVS=vDBQKR6#-8LObxj0%0a3&m8Mf zqVRdFFjj_6L=s^>w559ykqU(ua9?^vN>tJd6THfu!A;_^HNn|67lG_qj-Hw26m!#4 z%VuUd@QyMZ%%sBT6K83JmIJ>q?oa0by-Oup5uvdnG)7^_VMHkFLD}_Wnj~DP|IVjv z0mMYBWQ9(x>~6CITau^3N5iU6jGn2hl~?F4SFcvQcRD!FUEi1Vice8YDPCv#oz^Vk zYuoH|+g@9N|5L(Jlv@e_8}Prg-#x11|IuFO8ULT6?LZ$#BxMS+B{!(tY!t4w10O>w zfl46o@00ica7J82L@5klL>cN1ee@X-2vZ^`88VchI1CXI4Y2{xSaF!~RDi-LVML*H zEh|YGyX1`evmTs}F1WfBC^1%+74rbkBQnMw1l*sXa49zsuFwxPR5_Dil(2M6iX|>ItS1B|C6-aTkn;1c9W1eFbTX)DuIv8ca!D2 z)+_JNKdswa2Lc??7{Oi<9`sNfoJD67R@`hWd7${L~u9S?3`&*{5Y-}NC<>DQMO9YM82<*Q|=P%N((aM;%x3=c56&oxq zuJ)gNpQIPoEO2fuSuaM0$l5Qm8MIj8`pn8o&%Wo|cK8DXCXDz9_FrwVuk1Ta`D=sG zb9?f(G5+g|i?wf;y=lK5=ZKu=#PUj2lT`u-UFi=F{C}jgw zP#$1e6B-A-@_nmZP$Wqry=m8qP?3Nr(wo<`>SnjFu)K>*h>tzEy{)3SxvZf|$6ZZM zB12zsp}zw}MET)AG}6lK0%#f5v4b55iP@x@vEXXLZejjzA-QYdTLKuCVoH6yFcYyS z!N@7?BON*QZ3_$tQ=iBlbS;=~c5^99>d=i<1l}mJ=~v9(e9r_r@qM1gst48XjwE@% zL{KiMnw>HtWhVYA{W_ymqT>sys83ivK9Ap~f?3GwG*eSqey>-1X_A>(88auKq9$3S2VD{s zwveuIkxRB-BAsV=It$vx&)}YtgbXR8ilTINhMi-A`=0#H1=wBtCG5f&0d^}X$zSbt zV`m<{L&Wc9JQ+52N(~&mp03%|I zkYCjxOMIV45f60soKXg!@fbIH>W}S!PwQUYqpEwA-CxEeks(*=dvyPj@V)8Vn)^S< z-7A#exE*(IlfSkxvlTee+Q$p2mc6&Qvn3xEsFi^*5G@I$0gwamQASHA8#TJ-54GfshB7#q@apUi-R5 z<~_vu>K`_)eu#vr&`G#Z$3MUA{QTpX!V_kmhpRJBfs%e{LZ3~!Sw2w1P_etlW=IFmkMB>S0Sb2aJqc78%t`;iFz0iRQ@nv$2Yd6Wn& zezMX$R+|kp*iFm>q`~n|yB8n&XIJO_CN#o0NH~qv@lU&_gY&Dii~i+@^NWv-yLh9` 
z{NU;M_7-+!!l(kfXD?3Uir>(@bg#Pb=bsH^(wKfuQ7_i<y)KRE zP0!1%y~)LNEU5UFv#60?a-n*l14V^+Uj8<*(v zvQ*&5P@oJs3wp5EsdNaHO8$nbuB#+-?ItO*Ni|DIW2z`&ePm=dK%d8f>_NB6F^{41 z+i$9KL_v8lzj?5IxXKo*as1@1bQmAE!8<-Skwd48lVH?HO;7Yoy>eA0h06CB_X*Q| zYyAY0;6u!26|Bm1&`@1(oH|B{n)RvZ!R<2SHcvL>G83-4D(z;jW(oG7PlY*fnSBu1 zDfklW2FiO>l4-hU5 zghHQS#N$;*zVo~HJn+>f^(05VIioF{z~+=TpS|jiSsYrNy#}!?vdB}GN`>Mb6;l0+ zs_<7X)dd#i(lGn)nu|##Hazy>trj}>ekb2iktaOKZDen11Ydp2mUo<_Lu9Dt(&?Rs zqeIy7e2(E;z04Fp1R@9!uA%;=TStoTmHxPhBWqM zXuk&A@%5*Oz!4+x%5pDBw&Av(bSC)!JbW*^I-g!p`1?P9IlD4@gNu{*XHT{}*qnss zetqvGv|>H$sZ>^^eIf1<9rgcJ0q^Y=$}+1>`Ee}ikqat*sX$lvAQBjO8T@;2b<%%- zeo;Y!2i0Qc^@;Dc3KNl=Y`qf{n)GqE(`oL;_*l{}7!8lRO+9?Gqbe6!Rv%0~*H^Oo z%G>Aq%7XSo>MIWoZ3z#gWBRr%Dd*`@V^6^oGR_g?7aEwN1Lg5NovpI|_Defe4n7xX za>q3+c%nSrPc~8rP;WanOgO;lrpi*|qHit}wMcgFRXbXf9^FT%t0J3OC(N==RvGeL zM7R^j@3vZ3r`BZHYsocRd0XKdyQt!n%7k2YE#Oy9LK2?45c4pkTM#Ni~Z(Yh|6-pt3igA)vr9) z?9LxGx5kVQb(Up*|J(zUVOQUBW1H6;6csn{wFE%(r}{=*==qx{;o8}hGKurT-fx^? zWs=5yNUB0E=ob^(N|W8FT)*ujF(PGIgm-`>^lyTviPT%Re5WR`cqa_}$Cl^|R5HIc zMKLs&$EfVrU^6O}xz&P_mUJzh*I=hfKoqv7SWIdg;w5?!q{3L`DbNN{uZi-*^)lzx zkbDgrwVU-YcGHq$6Q6t^@A3p=8Pbtj#V+sYXB&Q>$2x_g@qB%Y-o{*vR_0ZJx^St~ zb8a^3UuYcAc)V5H9=1IMNQb|puX6itgeib^@YK?WIKzDNyX@2J9JE-uH5yq)zq3&uQAZ2^;o0)jXL)wy-Qa2s98@XRDZ8|Pd(pgllgq@3g&ZrNLx|=cSB?m z9mibY!+C6a|L4J*gZle_509ST|M?_s2QGZ=;DPm&}W9f&bI)rZ~e2QC=EHB}+}*Gm^Z z#B2sUHY2r2ke~oYV{|RIKe!qwF3{S6QyxV;hEJyh2&j;jJEqDrpPBfUJNzO%^I2R7 z$DaNu{*}|%TM!x&f08EV4aU-X<;v^CdgTtu#CqkbNPp*oj;&Y!Ywf@%A}CKKocGV9 wny=Q2AZqMzxear3t0ssL2|E5s>0{~_K0IL*f>;M1& literal 0 HcmV?d00001 
diff --git a/docs/hpe-ezmeral-nfs-csi-driver-1.0.12.tgz b/docs/hpe-ezmeral-nfs-csi-driver-1.0.12.tgz new file mode 100644 index 0000000000000000000000000000000000000000..46a2b2e8a7fff0b286a7503659e7ee8c0485d9ba GIT binary patch literal 3748 zcmV;V4qNdbiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI} zkPD!RRD>~_3_(Q*zh0fgd2UW{MihZ}WFV*yr~L~!GiC+5m+$&7Eij}1nGH}Rs8CuF zkFf`lQmO2D-p$R88>Q&_JoYl_Vd6<1sv9EE3y304Xr^@|6*G(anzM4GAUE!iswf*| z5{1tbg^4or#3U8wLmRml6RA*m0r#axq(mjXD8=i-7u+-%S|gm?a1qF!<>-Z3PPsI_ zvV38d1Meuq{zNK_KXI1DXgTl;44h# zWR|8}sQ)fjZviAkOJ<2=t^DqCH?}0tgpYjTSIe;!VB1=`|mt z7*o8-MLnLgjjwIJ+xFPD0{_Q^Whgfg0M_7t=U{Jt9{&%H54ZUL9Bl{AFeDjMkgMCk z@^YhatsVFnQ3+H6fq%b!|CQ8!b5ngh2B~W6bEGyvwUc_XGJqWlzLg7+wa9p7uX^_%9 zrYsxMq-SucYiZaQoG}!u2abX;6?{xJsG;a}-97i`9}Co0`2SQp-sOjn=Y3b*s)x~7 z=l}Y9-T#k|_d8qve~#8l|JM<+6oqtE`jAktM*n-A{cc_Vd!3`b0m?LLgHLVaC`5K4*l{kYWHN zP0dnV>tC49ZTc%sK`%?f0DY241j%Ep>_c(^gcMmIK?gBLW2%Fj;-GZk+Z{}daLz9K zy06~&$Q1pTu5}TDK!!vXQq)0+&_ouyC3B4`xS@>cXqf3(NOTz0%op6=N7i~+UEVaD zinqKu6>-sJ>HRh;U~)RoPi8s2llD5E@i-MsK8gE#F137Y$!G22J()`dO;iZ>-=y<5 zY0u4-6K!vC&0lMFSW&R{qhgn&m1~q-SWMoFkpZ&%DcTI2X?cEiRl(=qi!D6-2?A3_ zd<6UNHrUtpJ(m5ofoa>GrL~Ix`r<65zW0uBb^Pxh?jP>W#s9tT!QM9hKS$fCG=S5o zlD(_hz6kn?C=4^!M+MaZmNlYD(5v3Jss%-orqUaCtr!&vh$6jdHEYi7>IPQyk}2`A z2X}XM05_L4Lg}!pXOzg$S6t}t05MU1^qU4*nO^|S#u|#S0}(OXR5Ki0J-1srfLrqK z8t|3?hN>7-A1}>v>`@Rpm7Sz#z@gO6_g9ACZ~)@nXhD-v~zF}R8gO>Vt5h9O)azJ*eMjO$r7cA z9~C^7-1(WI$Pgj7Ctj{zSKpdn{8gnsV!vfKWFo5!jZL-rz1I1{ zI&;o)dQL#a9CNWAbVXFug26^TR}8;0b&>4pglHE(gL_I+GN6nqiqh2ycL5Xbd-4Yt zV0Z18unR*3*sWzIf45hSr3n}C670Q>{ZfO%y-lWC{}~^;-IZ2TO*9`zsp}rKvCqnw z6Q9R!Oj6+%l`DImu{?2Gm}9*)7afaK-U+3eqSVvukv8lABVve9T-At6e4ocL4|F1(&kR1}39fb4AKnL_*TcHUbq}i|fJ{g# zBd*loH!rzbbl~#NhTK@776w8ncnsy- z-_ZT9@IGdQ+p9Z5}(Rf^@aK$7v}Q+d^imdKu{)>G?*IWCbD|&39_l_<5@K|W2}-FG*TFqEaOGGtv^U;! 
zy9YHOd4y$*PYxcm&6{Q61DqPbQKJDwNSKP8lnZt8^PA4kKa@2*V-|X}JPQ>l>6a!9 zT9>C412q_R_cmv9-$7~N8-kANLvY2TYcpaGts4Ol#`w)u+2dULgpvGN#^w^!-QD!~ zYVIi#_!B;7Ts0*!RST(1Fngw@d91b^XfU0G2S|gHpLQ=loSk1^oHbz*CPB(+qE3F= zJ?&pypI@F`eYm*%*toAZ($rF}*AS9W&Xo~r1Bzp;le;_El_{eN?4CV4+bf^SdFftv z;jh0MrpXfeIYUEt^ri_jr6LN)oEcLp!mwwG#v}QeHAdNkR<2UWt;tp12_E<6Za{wE z`#XkUil@7=L-}$<*F{4JvB?{ZO<#*V~JbpC{puBXI5;z;zIR6hnU*@ zMP1!Qp)Ygp!4>y8>%qsq_TN@G*$})i;BY`sFEa<^rr`91-D*Xqld2yvV z95iu}FRGbCnovavJ3~e$ee`(}$R2d-6pQFPy}e&wBMQoc>CMB1#3B`g2#^F^?PdbJrk|Wwv+R{JL-RIZ$J}IM)qs49bbQn7#tCTSLMEmzx6$|0CM*K z_whT}l^OADl7IfsFXz`L!M}X_{`}ce{Pk&M;pq=fBWuRAdX}1A+85!T&~LZJyP~zS z=BF{HC$6OUmEzpI6Oq6`P5$hj`FD`3%@Telpw9fF|mS19Wo9jD8p{G9Sb~?@7 z7#~Xd1>?arZuaWSrp4MTfPqq_oDdS7T)G(YqIT?(={7n}HDr9C^CD z&=+z6m+$&o3?>k`cD|~d>7u0fJ7-v1r|}??sfY{u#YC^ldRxiZZ~N02k+D3MJ3vzU z55cok>it=6U+r^EFAvG5W zZ?7(3s5>?|IuDk4+SI4-100(}NE~CbdZGs0c@1{D3>cmQ=N?PXXN1NNhPw6?JgJDv z76?6X6>Wmoa(rGJ2Xe-9?}#^S1P`FTM0O>Kr^Ng@gm^N{{df#({Tk zx!-!KxXHw>ti`tj{nuaz$T0V*nRn&I^(V*Jg3OGGrw7?@B76+HNvR6H&(nHL{X&GrfdUC_r0;jfjsFX?@fw8e;)21F1-KuaQptxXK6cdMU+C3n71G0 z+J>756BuNaX{3Xc_#-kzIeqtU@rrT@GD5~+$oL?C7MCW&*C3D)MaO7P(<;|V5?DKs zV18&1yZIw57{Cox5&YLn7d|9x0z5GzHA|4907esZE%&T{-B(