refactor(chart): Complete refactor of chart
* Separated sidecar settings
* Improved security w/ seccomp profiles, read only fs
* Adjusted node-driver-registrar liveness probe
* Improve security of node daemonset by using a service account & cluster role
* Reduce leases RBAC to a role instead of a clusterrole permission
* Disable podInfoOnMount in CSIDriver (not needed)
* Allow config of metadata source (cloud-init/ignition)
* Allow config of volume attach limit
hrak committed Jul 4, 2024
1 parent 461e295 commit c9c7cae
Showing 19 changed files with 942 additions and 502 deletions.
67 changes: 15 additions & 52 deletions charts/cloudstack-csi/templates/_helpers.tpl
Expand Up @@ -2,7 +2,7 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "csi.name" -}}
{{- define "cloudstack-csi-driver.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}

Expand All @@ -11,7 +11,7 @@ Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "csi.fullname" -}}
{{- define "cloudstack-csi-driver.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
Expand All @@ -27,73 +27,36 @@ If release name contains chart name it will be used as a full name.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "csi.chart" -}}
{{- define "cloudstack-csi-driver.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}

{{/*
Common labels
*/}}
{{- define "csi.labels" -}}
app.kubernetes.io/name: {{ include "csi.name" . }}
helm.sh/chart: {{ include "csi.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- define "cloudstack-csi-driver.labels" -}}
{{ include "cloudstack-csi-driver.selectorLabels" . }}
helm.sh/chart: {{ include "cloudstack-csi-driver.chart" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/component: csi-driver
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}


{{/*
Create the name of the service account to use
*/}}
{{- define "csi.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "csi.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- if .Values.customLabels }}
{{ toYaml .Values.extraLabels }}
{{- end }}
{{- end -}}

{{/*
Create unified labels for csi components
Common selector labels
*/}}
{{- define "csi.common.matchLabels" -}}
app: {{ template "csi.name" . }}
release: {{ .Release.Name }}
{{- end -}}

{{- define "csi.common.metaLabels" -}}
chart: {{ template "csi.chart" . }}
heritage: {{ .Release.Service }}
{{- if .Values.extraLabels }}
{{ toYaml .Values.extraLabels -}}
{{- end }}
{{- end -}}

{{- define "csi.controller.matchLabels" -}}
component: controller
{{ include "csi.common.matchLabels" . }}
{{- end -}}

{{- define "csi.controller.labels" -}}
{{ include "csi.controller.matchLabels" . }}
{{ include "csi.common.metaLabels" . }}
{{- end -}}

{{- define "csi.node.matchLabels" -}}
component: node
{{ include "csi.common.matchLabels" . }}
{{- end -}}

{{- define "csi.node.labels" -}}
{{ include "csi.node.matchLabels" . }}
{{ include "csi.common.metaLabels" . }}
{{- define "cloudstack-csi-driver.selectorLabels" -}}
app.kubernetes.io/name: {{ include "cloudstack-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}

{{/*
Create cloud-config makro.
Create cloud-config macro.
*/}}
{{- define "cloudConfig" -}}
[Global]
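Review bot: The common-labels helper tests one value and prints another: `{{- if .Values.customLabels }}` is immediately followed by `{{ toYaml .Values.extraLabels }}` near the end of the third hunk, so a user who sets `extraLabels` gets nothing and a user who sets `customLabels` gets `toYaml` of a nil value (`null`) inside the labels block. If I read the old/new split correctly this pair is on the new side of `cloudstack-csi-driver.labels`, replacing the old `csi.common.metaLabels` block that used `extraLabels` for both the check and the output; pick one name and use it for both, e.g. `{{- with .Values.extraLabels }}` / `{{ toYaml . }}` / `{{- end }}`. The `cloudConfig` define that starts at the end of the last hunk continues outside this view.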
39 changes: 14 additions & 25 deletions charts/cloudstack-csi/templates/csi-clusterrole.yaml
@@ -1,18 +1,17 @@
{{ if .Values.controller.enabled }}
{{ if .Values.rbac.create }}
# This YAML file contains Cluster Role objects,
# which are necessary to run cloudstack-csi-controller
{{ $enableLeaderElection := gt (int .Values.controller.replicaCount) 1 }}
---
# external Attacher
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-attacher-role
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
Expand All @@ -26,22 +25,18 @@ rules:
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments/status"]
verbs: ["patch"]
{{- if $enableLeaderElection}}
# leader election
- apiGroups: [coordination.k8s.io]
resources: [leases]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- end}}
---
# external Provisioner
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-provisioner-role
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
Expand Down Expand Up @@ -70,18 +65,18 @@ rules:
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch"]
{{- if $enableLeaderElection}}
# leader election
- apiGroups: [coordination.k8s.io]
resources: [leases]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- end}}
---
# external Resizer
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-resizer-role
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
# The following rule should be uncommented for plugins that require secrets
# for provisioning.
Expand All @@ -103,11 +98,5 @@ rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
{{- if $enableLeaderElection}}
# leader election
- apiGroups: [coordination.k8s.io]
resources: [leases]
verbs: ["get", "watch", "list", "delete", "update", "create"]
{{- end}}
{{- end}}
{{- end}}
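Review bot: The three ClusterRoles are now gated only on `.Values.rbac.create` (the first line of the first hunk), so they are rendered even when the controller is not deployed, if the refactored values still carry a `controller.enabled` switch; `{{ if and .Values.rbac.create .Values.controller.enabled }}` would keep the cluster-scoped grants tied to the workload that needs them. The same gate change applies to the binding file in the next section. Dropping the leases rules together with the `$enableLeaderElection` variable is consistent with the commit message, but the namespaced Role that replaces them is not in this view; it needs to cover all three sidecars (attacher, provisioner, resizer) or a multi-replica controller will fail leader election, and with the gate gone here, whether it is still conditional on `replicaCount` should be checked there.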
@@ -1,19 +1,19 @@
{{ if .Values.controller.enabled }}
{{ if .Values.rbac.create }}
# This YAML file contains Cluster Role Binding objects,
# which are necessary to run cloudstack-csi-controller
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-attacher-binding
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name }}
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
Expand All @@ -24,13 +24,15 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-provisioner-binding
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name }}
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
Expand All @@ -41,13 +43,15 @@ kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-resizer-binding
labels:
{{- include "cloudstack-csi-driver.labels" . | nindent 4 }}
{{- with .Values.commonAnnotations }}
annotations:
{{- with .Values.commonAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name }}
name: {{ .Values.controller.serviceAccount.name }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
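Review bot: The subject lines now read `name: {{ .Values.controller.serviceAccount.name }}` in all three bindings, with no fallback and no `required`, while the same commit removes the `csi.serviceAccountName` helper that derived a fullname-based default; if `controller.serviceAccount.name` is left empty in values (not visible here), each ClusterRoleBinding renders `name:` as null and the cluster-wide attacher/provisioner/resizer grants silently bind to nothing. Either restore a helper such as `cloudstack-csi-driver.controller.serviceAccountName` that applies the default, or fail early with `name: {{ required "controller.serviceAccount.name must be set" .Values.controller.serviceAccount.name }}`. The file header for this section is not visible; from its content it is the ClusterRoleBinding template.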