From ec6ce474dc7bd318e55edb7a36856f3963bdd0fc Mon Sep 17 00:00:00 2001 From: Simon Lindblad Date: Fri, 12 Apr 2024 15:20:33 +0000 Subject: [PATCH] blob-csi-driver: add support for managed system identity
---
BLOB_CSI_VERSION | 2 +- charts/index.yaml | 9 + charts/v4.9.0/blob-csi-driver-v4.9.0.tgz | Bin 0 -> 5872 bytes charts/v4.9.0/blob-csi-driver/Chart.yaml | 5 + .../blob-csi-driver/templates/NOTES.txt | 5 + .../blob-csi-driver/templates/_helpers.tpl | 49 +++ .../templates/csi-blob-controller.yaml | 224 +++++++++++++ .../templates/csi-blob-driver.yaml | 14 + .../templates/csi-blob-node.yaml | 296 ++++++++++++++++++ .../templates/rbac-csi-blob-controller.yaml | 121 +++++++ .../templates/rbac-csi-blob-node.yaml | 44 +++ .../serviceaccount-csi-blob-controller.yaml | 17 + .../serviceaccount-csi-blob-node.yaml | 17 + charts/v4.9.0/blob-csi-driver/values.yaml | 173 ++++++++++ pkg/edgecache/cachevolume/pvc_annotator.go | 2 +- 15 files changed, 976 insertions(+), 2 deletions(-) create mode 100644 charts/v4.9.0/blob-csi-driver-v4.9.0.tgz create mode 100644 charts/v4.9.0/blob-csi-driver/Chart.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/NOTES.txt create mode 100644 charts/v4.9.0/blob-csi-driver/templates/_helpers.tpl create mode 100644 charts/v4.9.0/blob-csi-driver/templates/csi-blob-controller.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/csi-blob-driver.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/csi-blob-node.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml create mode 100644 charts/v4.9.0/blob-csi-driver/values.yaml
diff --git a/BLOB_CSI_VERSION b/BLOB_CSI_VERSION
index 2b0e3dc6d..50d22d771 100644
--- a/BLOB_CSI_VERSION
+++ b/BLOB_CSI_VERSION
@@ -1 +1 @@
-BLOB_CSI_VERSION=v4.8.0
+BLOB_CSI_VERSION=v4.9.0
diff --git a/charts/index.yaml b/charts/index.yaml
index 4f7fa1f78..661d5a7c6 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
@@ -388,6 +388,15 @@ entries:
 urls: - https://raw.githubusercontent.com/avoltz/blob-csi-driver/staging/charts/v4.8.0/blob-csi-driver-v4.8.0.tgz version: v4.8.0
+ - apiVersion: v1
+ appVersion: v4.9.0
+ created: "2024-04-12T20:20:15.553036749Z"
+ description: Azure Blob Storage CSI driver
+ digest: 09953d07326d3ad59798923083946bffcf571c2e6c17de5803414c226e1a93cd
+ name: blob-csi-driver
+ urls:
+ - https://raw.githubusercontent.com/avoltz/blob-csi-driver/staging/charts/v4.9.0/blob-csi-driver-v4.9.0.tgz
+ version: v4.9.0
 - apiVersion: v1 appVersion: latest created: "2023-12-01T09:01:28.976577418Z"
diff --git a/charts/v4.9.0/blob-csi-driver-v4.9.0.tgz b/charts/v4.9.0/blob-csi-driver-v4.9.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..bb8b55f4405b8ffac82ce60cd177146603a31cc4 GIT binary patch literal 5872 zcmVDc zVQyr3R8em|NM&qo0PH>QbK5qu{j9$Nqx7b|d!ZyNw$sy$KiHO%YU0Qm$w}{Cr=x+$ zm4q`1umGr7b^X7;0YHks^~l5=K7P;76fV+#u?gAXUY;4(rSPmz1;PvYn=CZcH zp8MV2u12HLI6pnr|2G$mc6$gaPi7)lN%Rd4R=*nedG?a|vDWL0N z7a8HHQ0zeqWkjknU*bQl{j=7neC;kDuf&zr|2cL85c@R%tM&h+aenqTtN*9X^P~PB z;vycNLaTz%7z-GH&sxZ{dCem>XM#;+&1Rl@>awwdLWqOU1d)s{TBv^ilc?K*)FUa< z5E4(9#zXz~1J~^{m)MII>P~u0_BjZk>Y*)2pR+kp_5pYS0VYKKJ{SY1AVDY+ik{`i zjbf7XH?^}`V;xDC%z=Usea^5Eo9!E}wVy2ETymss43 zy3Oc>Oal&<&m7BURANGb*A+fXBeQ%?=2${Bq>Fk*-|q*mJ2c$1(67H$ULgyaIn7&y zFK_Vy76zn;J*ZR!@Hw&J(zaPZr5azG1D4Q2k_UiZp%|qyKYVBxitp=7@^VoXZ%hg&v>sXk0u7cNK;k4PY80%R<+Ikj%@pBUCcvfy54$ zxMFLNL_>sLq5GeNg?&Ho_$Z!kU=G?%!l=&)<3uj5T`V+yph9_5`eiDnkO=sk%mHx_ zEZ{aEF=JeAD*ZO2Huy4D06jW&r38LR+VVMor+vA4#ZU6n({Ds9gapsB-9Sj-md%MI zHg*;DA=rU}*761q5=|ASYCM_mGcE(F9!iFIK+#g^5Eh6s${CYryg&k^R4R>?(ra|r z2AiTVULbhDp6>!`soxop7J5{;FU2RJME#`EI6+U9JkV36l2D1Iuob9=l1pWtuJw4u zTHQie88AyfG;@tp4lR6aLkp=FVwv%)ASG+;OULuo=q}qV#ec?x?1B8k`2EsO$QcpK z@v&LpI!d7&BJkJ+M;U>bapW*i<0_E@K2QfSiarjzQS%B?63dA#`i#pKYX0;5&1vz} zHv{a-Sq#>!=;^^FHWn?Ue+BfGe#A;1TE-wnH?IvpeHT-RAGvI*WZrF|GmXngvM}U| z=6l7LN2G{;Dds&rH=Q*aA4zzZ!|wrzB$Vw3N(#JOvu4z)pugqBPM%3D_K?bHG@nT$ zJCVQC(Ba91D0L1^oU;ByP^Ojf@RnpQ@X-2dEEc+lMGIB+Ou?B8wX}uuv;Ufe0z02QZm{EnBGCV?%oePT)dyBmALq_(~XGoQm}fG8H|w=FO72{nZSTe%hrj zq41fxfd?O8acSEi#4kk7x(-mO#UWC14?ldOc#esytWyh}Y-U~F}bh2Y9%<4GW( z&)GwQ$~bjfVYjGfv9E0T9r0i&vFCTG z25FOo-Sw2O)d%hoA&lqKc>DHk-p(G>@|7-dzOu1>9+91FV1X&9OaRM(>$flw?>P(n zXzerr?EJ!sgj;HZQnYu&yM+%+wRjKGXyZ^~wIVT6P%++RE9FMlY(Z+;NQ4V^2eBG86hQ>LG*hVOeW-^g{rs1p)~{7Q%`mK_iWhyaI;j>Y8AagOHD^6Jfv>_NSV@Q z@%PuL-MRYo{x$0M-rc@Nzg!M_-QN4xs52Pc4wSQ_Jl0UNH52Ma{JY{38a$}pD1+sK zY@zxb^SVpM_3%zbYm?-xg&Y_YOe+=TI=KuxOVgx{Apt78?U2kX^efYzE_Q!I-HCQp zFE86l&6Im%mI->D!YwQWnNo0&hbf*acPqq;i1D)s)$N5^{Yao{DTal<75d7Wpj2x; 
zq1J91q}xVch@5G#?Wl$%x@{$9Auipmy~lsD@jnTkuVXj$-tApySd$O(*)-P0|KFT9 zGx5K(^Yi90{&$G$PHDxepuW<8X}BzLz<1dK^lDnKT0`NlRVsH3*)y>3*B~>?T#02M zUL)THEI=(LT9r`$ZRsM*qLCMK@%V^p1JH1_rEi0to)k+4nPrL4EMHW)fy}i+Pft~3 zSzoZUXUFtI>MGa&(F|N4xTs10nW=y^`rmwWewxw$^Rr|A?=aWnWBng!PP~?$w32lS_opC~I;{hunT zj;gzKhIt-So`f-MqKwH1zyu@>HthSEMXT`=A0JVq+o^X`Lxqj>iiz5$Vb++IvuuK= zW&FAcKGj1)Z8vbrdQ-xg%{-q`?b9Y=t$8>fb7`^3);$lMF>Aa?_dSYuN4!s>H-EXz znHM8m=D!uTT$4Z1?*WskQGI%q`Dw#lP8WY7N~l^wqf-Sg ze9*baIG<6BK6-9QM6*yUjPXf(c9URpV@8Wu&ChT#%jc$Hq<?g89h0Z{zByJX9FJsrVA~4Su2!&oFE&MN`-Kj z5|Z}Sm}ns#kSvqPq}_-!qX~&yod64Clc_;07ym4=WX5#^lBsM}3FTGNnH;c;Be_l@ z3u+4zFDv&n=>wEor7netj(vX!)Mp+dJ%H8HrReN@heo}O~g zR^e`~gO+%To}Q{^09*kZ^0Pmh=?McN%%>tL25Q)=*8HMb&E3?FE_NIaLR@_R<7K-& z=nRK{F937_JHRan>xtGwY!I_7K%yj-1@hvg*$@Sf;X!h2nc68U@&zu^ljssy=X)FX!<2f4OeUy>>S4iPO)&dDD+v8Wq2RiA92XU) zU+-LJz&`4Nxh#Js9cpr@QT1tj8SWKdAT5XR#N#+!iVD1nly4XUX4p;m8z;>q!_lBc z8Cc5{jc%avshsV86@CTkyzZrecU1R%QQSn?(`sENkOoq}jiuVX5jg-;vS9g)%Zp++ zCe3YJ;!rR$E9F0pXBY8bA>isN*Nz>;KgI1@>DQH=8_2v~hwN3<^BD8;reSsz?A`Eh zHfLG$GLZ|@@x_w}P{(J4%8T!RydHK(onE_t+wI*IO>1FU;8Ix{HT|zuOg2$OSWMZ( zjMOVnGH&ih3(%rjSce}ilLMaul?AOc^$W#_VhonhG4%pOnUaSRj&xy_shhP-sME@J zD={#IWmnr_j$MTf(Xa3#boG`6o-Y?EdL`%!OTjXjmHo>}=+ebC6|NcL&}9ERpy#t;szY_t{L=x<_!NrRq*o-=&h2At$FyREZe0-9A>;osvDQ;Zu2LA7-L1%P5=(Ib% zyYA)9=w0`wQ{)uB|ncBFsX9`!CiZo&J6fa{bnt)H1$HuBK5=_@4t;nP)T(CgfFhMI$6|ML2U+0bUA zkeB3KQS93XlsvTR^>U9YoZ%^Cjc#1?g{sx8{zVM@e0SF$j{1Y!fBn0de%_cT@Me$} zPP1z`+=RjH`P+uQv~In>9Sz$bMmM+bM>n0%otsUm=Ii!Kh5>$$O{FsZsH&@Vh7#NN zdM+p(3d3Nh_qjW`?S1U@?zHyzFYkUXSr&q{6MIzZnnj`LXu`Gs2u9Zr(0V6&nQlDT z(lOgO)6qgiu}RzSTM@!t;qxobgmCLNaG9OuIAG_Nx{CrcxmuGF%<4F4%~WQh>I59d z@nKm_Ah-Pc>`TlN@b5|8#+KxPkaZnev1R6sY(FqNETxppu3bST_h4=oE(~{u>^)Ri zh_^6g7eVeGB77#T&6Zi41_290h=&La{$R~8bzHEF0ka4V1X#d1;}^OH{D-d_wu{F8 zTaQ`9td^*oVYDD%U&x)gxYmYednCCpAU zN3khh%VXXym*;J_nH~1VPWddb7TKC9VO^p%lcXxoUKNRKwsBzwJHf%r)PHPH{}Xzd zyB`U%uKxe@ZLa?3q;ahOKgeZSR;uJjn410C{ZFQL@uXrZgsz8Ov&U<7F;F`8mnret 
zp>_vLiS5|{eh&x-C*BC>Gp9=@?3U_TX6dYDHdrMX3wL4FQV@nkGYj013D^tUg^$dE z<%X`l8W$nWIU4Fl$De@*9J_y!eFPimKV=R)>p-A2^?&EhH`)C^Z_nNw&;L2d71sY@ z@E9G!4&{GZI`&!kmqECb*$DKm+o9xG!Zh4EtlUFFr)EQLI*4tQP!g)q;f`J8VH;hPalGf_?hw+P{9c9nQk5O9K;8l@}`gQ~d5) z^p~p^Gs>}h9b8<_8Ie}VE^~Ly4t3?@v;$7)G(0bY&}nx{+46Sh0qj7Z#F$#qBpJK| z?ul%Mz%u5j^Wbv`PYx)^A%v%2NV5k$f5p4odrWp|AxyYIyzrT#Feh9F*tO!V-Ld>- zg)UhgTcFNqnDr`cZhX6yiMl^~s!7~hht(inuP9**PtdTU<0~v*wLjK)lm{Pkp|s4Y ze9>hy&%@No#VPCQp{}bpR1>pgu&`7VLqVSt7p7|2l!;}R#thq?tL|lQ^lot5yX*AY z#j(RGWt30}9NUu2bESv|Q@1y~yS%v>UESPXz56sQ%yOp3Udw3e$d_8?*p`A&sUa2- z8GY^yhTYrVPQ)??$dnSx_N=*&t~J;8t+|)ZHP`iS*tr{hy!_Ybw%_UL9N(z->Eli$ zb4TZt(p2=GMatWZPP;q2yt?U(KK0v|cb)dtPP8)T`ecZ$4}B|d$O^=&z_$XaXF*c! zLE7uuE0C><)H4;UG3rB?Bt`;A-yMeqF zoPxDqsas1RF9}6Wc9g)EpuW8{#_8G|Sh%2AzBHYC^|72?eE(y6(EZ#Qj0TysMZGjlQN+ZH=i3<#GX}s})xw0cQ#}wr5~zAxmQEwBL8GFRy>@j6U9e>fNnIqk{<mm^+L*8lBolh|aVfr-j( zu*D!PNK=qexs#Asii?8WZPBTiC5-B$RJCI&B=&sENW4RMp4GBbSBo(lrSanX(J@cv6nau>yf7?{Nt98jriMTOGw%g+K)hIKK7OeNJzZ!!Pav?uT1fd zn^s<8)5@+nokMJPS+&Y8T)}eY<0&?u4!k0cu4mR$Ng)fmjb4nr+@6~>A}^JRiyND& zIOPcLS0axacE0fqJDIr2imf`!y#rgP+E?a+R+g+ML09C1)|I^%#WSpxt)3NLOMB64 zb~daqN4vAQ69*;M=-C4`ia$EH3tOd;!_|yEYrDw`o4WCEq*AHNkDsK)qty5w_q!bT zyBx2VxXSDQ`54>QUJe0Xv;XJ(Jp28R=E>W}vHt%cS4P9tORt#&=k&qd;pQJxo;zSJ zq&5g>XdK8HB_OD%f!mLJhV zzgDZiX-o+x@Ykxp+~X7abRp0j_*er>K~`U*s!N3aUw=kK{b9yQ{pF}R9(21M2-+?t z-o{kT-i9Jt>AhP;ltT#H#X@Y@&kg$obD(mEkqdkC8dd!=a_hTg3!>bMy>{qX2yMo= zLugVZifHJ)F?$)bie*`qytZBu>JU1838l@PX=;r_QoC>Y3&#HeTZUR|x-v|a_E%yb zahsEWH`$V;tW6j+%bUFC*sn+|R*ZYu%X?8%8=fuk-(Y4pFcEvUvd^MWH=no4656pB z#dh_12KC_9Ny+!2ZPR`P{4ZdXG6S)(LE5W5Qg5X6Z6&@{Z)zwGXOzOv+LQ=+DASvo z1Ll+=T55?_n}fSlFQ$Ooz1IH+F2YW7zKKdcKE6y`WYhKka}EJm_x-=-*;)4dkJHoR z`5yzIuYm^>2GNY_^qPvy)vIXWDXz`!$)2qr2eGuBDn(`Nv0wDpRe_I(w3!` zQL-q+MkJbo6cOwX>MzcM=`6hSgLnat`X#*P@=(M#J3oG<$uKF}-^w(Y+$evL39vxF zzvk3;yjITtp|oHlEzijWteO8$8t2*h|FqFKe*fSF``I_j$DZN6UY_j@R)zUdQXe*Z&0o0RR8yf)^eD GqyPYVYL(;w literal 0 HcmV?d00001 
diff --git a/charts/v4.9.0/blob-csi-driver/Chart.yaml b/charts/v4.9.0/blob-csi-driver/Chart.yaml new file mode 100644
index 000000000..40148bc6f
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: latest
+description: Azure Blob Storage CSI driver
+name: blob-csi-driver
+version: v4.9.0
diff --git a/charts/v4.9.0/blob-csi-driver/templates/NOTES.txt b/charts/v4.9.0/blob-csi-driver/templates/NOTES.txt new file mode 100644
index 000000000..9ad135dd4
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/NOTES.txt
@@ -0,0 +1,5 @@
+The Azure Blob Storage CSI driver is getting deployed to your cluster.
+
+To check Azure Blob Storage CSI driver pods status, please run:
+
+ kubectl --namespace={{ .Release.Namespace }} get pods --selector="release={{ .Release.Name }}" --watch
diff --git a/charts/v4.9.0/blob-csi-driver/templates/_helpers.tpl b/charts/v4.9.0/blob-csi-driver/templates/_helpers.tpl new file mode 100644
index 000000000..d99392f32
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/_helpers.tpl
@@ -0,0 +1,49 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* Expand the name of the chart.*/}}
+{{- define "blob.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "blob.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common selectors.
+*/}}
+{{- define "blob.selectorLabels" -}}
+app.kubernetes.io/name: {{ template "blob.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Common labels.
+*/}}
+{{- define "blob.labels" -}}
+{{- include "blob.selectorLabels" . }}
+app.kubernetes.io/component: csi-driver
+app.kubernetes.io/part-of: {{ template "blob.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+helm.sh/chart: {{ template "blob.chart" . }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+
+{{/* pull secrets for containers */}}
+{{- define "blob.pullSecrets" -}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+ - name: {{ . }}
+{{- end }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/v4.9.0/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-controller.yaml new file mode 100644
index 000000000..4d2353357
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-controller.yaml
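Review bot: `blob.pullSecrets` is defined here but no template in this patch includes it, and its shape disagrees with the rest of the chart: it renders `- name: {{ . }}` per entry, so it expects a list of plain strings, while values.yaml documents `imagePullSecrets` as a list of `- name:` maps and csi-blob-controller.yaml / csi-blob-node.yaml emit that list verbatim with `toYaml .Values.imagePullSecrets | indent 8`. Either delete the helper or make both workloads `include` it and change its body to emit the list with `toYaml`, so the value's documented shape has a single owner and a mis-shaped value fails the same way everywhere. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while touching it.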
@@ -0,0 +1,224 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: {{ .Values.controller.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.controller.name }}
+ {{- include "blob.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.controller.replicas }}
+ selector:
+ matchLabels:
+ app: {{ .Values.controller.name }}
+ {{- include "blob.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.controller.name }}
+ {{- include "blob.labels" . | nindent 8 }}
+ {{- if .Values.workloadIdentity.clientID }}
+ azure.workload.identity/use: "true"
+ {{- end }}
+ {{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+{{- if .Values.podAnnotations }}
+ annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+{{- with .Values.controller.affinity }}
+ affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
+ hostNetwork: {{ .Values.controller.hostNetwork }}
+ dnsPolicy: ClusterFirstWithHostNet
+ serviceAccountName: {{ .Values.serviceAccount.controller }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ {{- if .Values.controller.runOnMaster}}
+ node-role.kubernetes.io/master: ""
+ {{- end}}
+ {{- if .Values.controller.runOnControlPlane}}
+ node-role.kubernetes.io/control-plane: ""
+ {{- end}}
+{{- with .Values.controller.nodeSelector }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+{{- with .Values.controller.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+ containers:
+ - name: csi-provisioner
+{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}"
+{{- else }}
+ image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}"
+{{- end }}
+ args:
+ - "-v=2"
+ - "--csi-address=$(ADDRESS)"
+ - "--leader-election"
+ - "--leader-election-namespace={{ .Release.Namespace }}"
+ - "--timeout=120s"
+ - "--extra-create-metadata=true"
+ - "--kube-api-qps=50"
+ - "--kube-api-burst=100"
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }}
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+ - name: liveness-probe
+{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- else }}
+ image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- end }}
+ args:
+ - --csi-address=/csi/csi.sock
+ - --probe-timeout=3s
+ - --health-port={{ .Values.controller.livenessProbe.healthPort }}
+ imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+ - name: blob
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+ image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+ args:
+ - "--v={{ .Values.controller.logLevel }}"
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}"
+ - "--drivername={{ .Values.driver.name }}"
+ - "--custom-user-agent={{ .Values.driver.customUserAgent }}"
+ - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}"
+ - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}"
+ - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}"
+ - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}"
+ ports:
+ - containerPort: {{ .Values.controller.livenessProbe.healthPort }}
+ name: healthz
+ protocol: TCP
+ - containerPort: {{ .Values.controller.metricsPort }}
+ name: metrics
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ periodSeconds: 30
+ env:
+ - name: AZURE_CREDENTIAL_FILE
+ valueFrom:
+ configMapKeyRef:
+ name: azure-cred-file
+ key: path
+ optional: true
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CSI_ENDPOINT
+ value: unix:///csi/csi.sock
+ {{- if ne .Values.driver.httpsProxy "" }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.driver.httpsProxy }}
+ {{- end }}
+ {{- if ne .Values.driver.httpProxy "" }}
+ - name: HTTP_PROXY
+ value: {{ .Values.driver.httpProxy }}
+ {{- end }}
+ - name: AZURE_GO_SDK_LOG_LEVEL
+ value: {{ .Values.driver.azureGoSDKLogLevel }}
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: AZURE_ENVIRONMENT_FILEPATH
+ value: /etc/kubernetes/azurestackcloud.json
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ - mountPath: /etc/kubernetes/
+ name: azure-cred
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: ssl
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ {{- end }}
+ {{- if eq .Values.linux.distro "fedora" }}
+ - name: ssl
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ - name: ssl-pki
+ mountPath: /etc/pki/ca-trust/extracted
+ readOnly: true
+ {{- end }}
+ resources: {{- toYaml .Values.controller.resources.blob | nindent 12 }}
+ - name: csi-resizer
+{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
+{{- else }}
+ image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
+{{- end }}
+ args:
+ - "-csi-address=$(ADDRESS)"
+ - "-v=2"
+ - "-leader-election"
+ - "--leader-election-namespace={{ .Release.Namespace }}"
+ - '-handle-volume-inuse-error=false'
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }}
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
+ volumes:
+ - name: socket-dir
+ emptyDir: {}
+ - name: azure-cred
+ hostPath:
+ path: /etc/kubernetes/
+ type: DirectoryOrCreate
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: ssl
+ hostPath:
+ path: /etc/ssl/certs
+ {{- end }}
+ {{- if eq .Values.linux.distro "fedora" }}
+ - name: ssl
+ hostPath:
+ path: /etc/ssl/certs
+ - name: ssl-pki
+ hostPath:
+ path: /etc/pki/ca-trust/extracted
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
diff --git a/charts/v4.9.0/blob-csi-driver/templates/csi-blob-driver.yaml b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-driver.yaml new file mode 100644
index 000000000..9a6aea64a
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-driver.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+ name: {{ .Values.driver.name }}
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+spec:
+ attachRequired: false
+ podInfoOnMount: true
+ fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }}
+ volumeLifecycleModes:
+ - Persistent
+ - Ephemeral
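Review bot: The `azure-cred` volume (hostPath `/etc/kubernetes/`, `type: DirectoryOrCreate`) is mounted into the `blob` container without `readOnly: true`, while the `ssl` and `ssl-pki` mounts right beside it are read-only; the container appears to only read the cloud-config file named by `AZURE_CREDENTIAL_FILE`, so unless the driver writes under that directory the mount should be `- mountPath: /etc/kubernetes/` / `name: azure-cred` / `readOnly: true`. The same unrestricted mount appears in the `blob` container of csi-blob-node.yaml, which additionally runs `privileged: true` on every node, so that is where a writable host credential directory matters most. `DirectoryOrCreate` also means a host with no `/etc/kubernetes` silently gets one created; since `--allow-empty-cloud-config` is passed, a short comment stating that an absent cloud config is an expected state would help. I cannot see the driver's file handling in this patch, so confirm it never writes there before tightening.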
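Review bot: `volumeLifecycleModes` enables `Ephemeral` alongside `Persistent`, so an inline blob volume declared in any pod spec is handed straight to the privileged node plugin, and the only gate for identity-based access on that path lives in csi-blob-node.yaml as `--allow-inline-volume-key-access-with-idenitity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}`, not here. A comment next to `- Ephemeral` such as `# inline volumes are admitted by the node plugin; see node.allowInlineVolumeKeyAccessWithIdentity in values.yaml` would make that coupling visible to whoever audits the CSIDriver object. `fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }}` is rendered unquoted; `| quote` would match how `priorityClassName` is handled in the workloads.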
diff --git a/charts/v4.9.0/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-node.yaml new file mode 100644
index 000000000..91c02dda0
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/csi-blob-node.yaml
@@ -0,0 +1,296 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+ name: {{ .Values.node.name }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: {{ .Values.node.name }}
+ {{- include "blob.labels" . | nindent 4 }}
+spec:
+ updateStrategy:
+ rollingUpdate:
+ maxUnavailable: {{ .Values.node.maxUnavailable }}
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: {{ .Values.node.name }}
+ {{- include "blob.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ app: {{ .Values.node.name }}
+ {{- include "blob.labels" . | nindent 8 }}
+ {{- if .Values.workloadIdentity.clientID }}
+ azure.workload.identity/use: "true"
+ {{- end }}
+ {{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+ {{- end }}
+{{- if .Values.podAnnotations }}
+ annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+ spec:
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
+{{- if .Values.node.enableBlobfuseProxy }}
+ hostPID: true
+{{- end }}
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ serviceAccountName: {{ .Values.serviceAccount.node }}
+ nodeSelector:
+ kubernetes.io/os: linux
+{{- with .Values.node.nodeSelector }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ {{- if .Values.node.affinity }}
+{{- toYaml .Values.node.affinity | nindent 8 }}
+ {{- end }}
+ priorityClassName: {{ .Values.priorityClassName | quote }}
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+{{- with .Values.node.tolerations }}
+ tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- if .Values.node.enableBlobfuseProxy }}
+ initContainers:
+ - name: install-blobfuse-proxy
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+ image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+ imagePullPolicy: IfNotPresent
+ command:
+ - "/blobfuse-proxy/init.sh"
+ securityContext:
+ privileged: true
+ env:
+ - name: DEBIAN_FRONTEND
+ value: "noninteractive"
+ - name: INSTALL_BLOBFUSE
+ value: "{{ .Values.node.blobfuseProxy.installBlobfuse }}"
+ - name: BLOBFUSE_VERSION
+ value: "{{ .Values.node.blobfuseProxy.blobfuseVersion }}"
+ - name: INSTALL_BLOBFUSE2
+ value: "{{ .Values.node.blobfuseProxy.installBlobfuse2 }}"
+ - name: BLOBFUSE2_VERSION
+ value: "{{ .Values.node.blobfuseProxy.blobfuse2Version }}"
+ - name: SET_MAX_OPEN_FILE_NUM
+ value: "{{ .Values.node.blobfuseProxy.setMaxOpenFileNum }}"
+ - name: MAX_FILE_NUM
+ value: "{{ .Values.node.blobfuseProxy.maxOpenFileNum }}"
+ - name: DISABLE_UPDATEDB
+ value: "{{ .Values.node.blobfuseProxy.disableUpdateDB }}"
+ volumeMounts:
+ - name: host-usr
+ mountPath: /host/usr
+ - name: host-etc
+ mountPath: /host/etc
+{{- end }}
+ containers:
+ - name: liveness-probe
+ imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- else }}
+ image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- end }}
+ args:
+ - --csi-address=/csi/csi.sock
+ - --probe-timeout=3s
+ - --health-port={{ .Values.node.livenessProbe.healthPort }}
+ - --v=2
+ resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+ - name: node-driver-registrar
+{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
+{{- else }}
+ image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
+{{- end }}
+ args:
+ - --csi-address=$(ADDRESS)
+ - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+ - --v=2
+ livenessProbe:
+ exec:
+ command:
+ - /csi-node-driver-registrar
+ - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+ - --mode=kubelet-registration-probe
+ initialDelaySeconds: 30
+ timeoutSeconds: 15
+ env:
+ - name: ADDRESS
+ value: /csi/csi.sock
+ - name: DRIVER_REG_SOCK_PATH
+ value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /csi
+ - name: registration-dir
+ mountPath: /registration
+ resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+ - name: blob
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+ image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+ image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+ args:
+ - "--v={{ .Values.node.logLevel }}"
+ - "--endpoint=$(CSI_ENDPOINT)"
+ - "--blobfuse-proxy-endpoint=$(BLOBFUSE_PROXY_ENDPOINT)"
+ - "--edgecache-mount-endpoint=$(EDGECACHE_MOUNT_ENDPOINT)"
+ - "--enable-blobfuse-proxy={{ .Values.node.enableBlobfuseProxy }}"
+ - "--nodeid=$(KUBE_NODE_NAME)"
+ - "--drivername={{ .Values.driver.name }}"
+ - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}"
+ - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}"
+ - "--custom-user-agent={{ .Values.driver.customUserAgent }}"
+ - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}"
+ - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
+ - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}"
+ - "--append-timestamp-cache-dir={{ .Values.node.appendTimeStampInCacheDir }}"
+ - "--mount-permissions={{ .Values.node.mountPermissions }}"
+ - "--allow-inline-volume-key-access-with-idenitity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
+ ports:
+ - containerPort: {{ .Values.node.livenessProbe.healthPort }}
+ name: healthz
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 5
+ httpGet:
+ path: /healthz
+ port: healthz
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ periodSeconds: 30
+ env:
+ - name: AZURE_CREDENTIAL_FILE
+ valueFrom:
+ configMapKeyRef:
+ name: azure-cred-file
+ key: path
+ optional: true
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: CSI_ENDPOINT
+ value: unix:///csi/csi.sock
+ - name: EDGECACHE_MOUNT_ENDPOINT
+ value: unix:///csi/csi_mounts.sock
+ - name: BLOBFUSE_PROXY_ENDPOINT
+ value: unix:///csi/blobfuse-proxy.sock
+ {{- if ne .Values.driver.httpsProxy "" }}
+ - name: HTTPS_PROXY
+ value: {{ .Values.driver.httpsProxy }}
+ {{- end }}
+ {{- if ne .Values.driver.httpProxy "" }}
+ - name: HTTP_PROXY
+ value: {{ .Values.driver.httpProxy }}
+ {{- end }}
+ - name: KUBE_NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: AZURE_GO_SDK_LOG_LEVEL
+ value: {{ .Values.driver.azureGoSDKLogLevel }}
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: AZURE_ENVIRONMENT_FILEPATH
+ value: /etc/kubernetes/azurestackcloud.json
+ {{- end }}
+ imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /csi
+ name: socket-dir
+ - mountPath: {{ .Values.linux.kubelet }}/
+ mountPropagation: Bidirectional
+ name: mountpoint-dir
+ - mountPath: /etc/kubernetes/
+ name: azure-cred
+ - mountPath: /mnt
+ name: blob-cache
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: ssl
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ {{- end }}
+ {{- if eq .Values.linux.distro "fedora" }}
+ - name: ssl
+ mountPath: /etc/ssl/certs
+ readOnly: true
+ - name: ssl-pki
+ mountPath: /etc/pki/ca-trust/extracted
+ readOnly: true
+ {{- end }}
+ resources: {{- toYaml .Values.node.resources.blob | nindent 12 }}
+ volumes:
+{{- if .Values.node.enableBlobfuseProxy }}
+ - name: host-usr
+ hostPath:
+ path: /usr
+ - name: host-etc
+ hostPath:
+ path: /etc
+{{- end }}
+ - hostPath:
+ path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}
+ type: DirectoryOrCreate
+ name: socket-dir
+ - hostPath:
+ path: {{ .Values.linux.kubelet }}/
+ type: DirectoryOrCreate
+ name: mountpoint-dir
+ - hostPath:
+ path: {{ .Values.linux.kubelet }}/plugins_registry/
+ type: DirectoryOrCreate
+ name: registration-dir
+ - hostPath:
+ path: /etc/kubernetes/
+ type: DirectoryOrCreate
+ name: azure-cred
+ - hostPath:
+ path: {{ .Values.node.blobfuseCachePath }}
+ name: blob-cache
+ {{- if eq .Values.cloud "AzureStackCloud" }}
+ - name: ssl
+ hostPath:
+ path: /etc/ssl/certs
+ {{- end }}
+ {{- if eq .Values.linux.distro "fedora" }}
+ - name: ssl
+ hostPath:
+ path: /etc/ssl/certs
+ - name: ssl-pki
+ hostPath:
+ path: /etc/pki/ca-trust/extracted
+ {{- end }}
+ {{- if .Values.securityContext }}
+ securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+ {{- end }}
diff --git a/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml b/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml new file mode 100644
index 000000000..f27935671
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml
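Review bot: The `install-blobfuse-proxy` init container runs `privileged: true` with the host's `/usr` and `/etc` mounted read-write (volumes `host-usr`, `host-etc`) and the pod additionally gets `hostPID: true`, yet nothing in the template says why; what actually happens is decided by `/blobfuse-proxy/init.sh` inside the image, which this patch does not show. Add a comment above `initContainers:` such as `# init.sh installs blobfuse onto the host (writes under /usr and /etc); enabled only by node.enableBlobfuseProxy` so a reader of a values override understands that flipping that flag modifies every node's root filesystem. Separately, `--allow-inline-volume-key-access-with-idenitity` carries a misspelling in the flag name; the driver's flag definition is not in this patch, so the spelling must stay in lockstep with the binary and should only be corrected on both sides at once, otherwise the plugin would likely refuse to start on an unrecognised flag.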
@@ -0,0 +1,121 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.rbac.name }}-external-provisioner-role
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.rbac.name }}-csi-provisioner-binding
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.controller }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Values.rbac.name }}-external-provisioner-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.rbac.name }}-external-resizer-role
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ .Values.rbac.name }}-csi-resizer-role
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.controller }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ .Values.rbac.name }}-external-resizer-role
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-{{ .Values.rbac.name }}-controller-secret-role
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "create"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-{{ .Values.rbac.name }}-controller-secret-binding
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.controller }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: csi-{{ .Values.rbac.name }}-controller-secret-role
+ apiGroup: rbac.authorization.k8s.io
+{{ end }}
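Review bot: The resizer ClusterRoleBinding is named `{{ .Values.rbac.name }}-csi-resizer-role`, which reads like a ClusterRole (every role in this file ends in `-role`: `-external-resizer-role`, `-external-provisioner-role`) while its sibling binding is `{{ .Values.rbac.name }}-csi-provisioner-binding`; rename it to `name: {{ .Values.rbac.name }}-csi-resizer-binding` so the kinds are distinguishable from `kubectl get` output. Separately, `csi-{{ .Values.rbac.name }}-controller-secret-role` grants `get` and `create` on `secrets` in every namespace, presumably so the controller can read and store storage-account credentials wherever a StorageClass or PV points; that is a broad grant for a cluster-scoped identity and deserves the same explanatory comment that rbac-csi-blob-node.yaml gives its PVC rules, so operators who keep account keys elsewhere can decide whether to narrow it. Note that renaming a binding is applied by Helm as delete-and-create, so the old object is removed on upgrade.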
diff --git a/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml b/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml new file mode 100644
index 000000000..6676656cf
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.rbac.create -}}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-{{ .Values.rbac.name }}-node-secret-role
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get"]
+
+ # the node plugin must apply annotations to the PVC for edgecache volumes
+ # it gets the PVC's through the PV's
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "update"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "create"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-{{ .Values.rbac.name }}-node-secret-binding
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.node }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: csi-{{ .Values.rbac.name }}-node-secret-role
+ apiGroup: rbac.authorization.k8s.io
+{{ end }}
diff --git a/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml b/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml new file mode 100644
index 000000000..7433bccf1
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml
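Review bot: `csi-{{ .Values.rbac.name }}-node-secret-role` grants the node service account, whose token sits on every host, `update` on all `persistentvolumeclaims` and `get`/`list` on all `persistentvolumes` cluster-wide, so one compromised node can rewrite any PVC in the cluster; the comment explains the edgecache need, but the role name still says `secret-role` and no longer describes what it carries. Consider renaming the role and binding to a neutral name and, if edgecache is optional, gating the PV/PVC rules behind a chart value so clusters that do not use it keep the original `secrets: get` grant only; I cannot tell from this patch whether the node plugin's edgecache path is always active. The comment should also state that `update` on PVCs cannot be limited to annotations by RBAC, which is why the grant is as broad as it is.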
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.controller }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+{{- if .Values.workloadIdentity.clientID }}
+ azure.workload.identity/use: "true"
+ annotations:
+ azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }}
+{{- if .Values.workloadIdentity.tenantID }}
+ azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml b/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
new file mode 100644
index 000000000..a25090e30
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.serviceAccount.node }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "blob.labels" . | nindent 4 }}
+{{- if .Values.workloadIdentity.clientID }}
+ azure.workload.identity/use: "true"
+ annotations:
+ azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }}
+{{- if .Values.workloadIdentity.tenantID }}
+ azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/v4.9.0/blob-csi-driver/values.yaml b/charts/v4.9.0/blob-csi-driver/values.yaml
new file mode 100644
index 000000000..1ff9bbfaf
--- /dev/null
+++ b/charts/v4.9.0/blob-csi-driver/values.yaml
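Review bot: The `azure.workload.identity/client-id` and `tenant-id` annotations are rendered straight from `.Values.workloadIdentity.clientID` and `.tenantID` without `quote`, so a value that YAML can reinterpret (an all-digit string, a `yes`/`no`-like token, or one starting with a special character) could reach the annotation consumer as something other than the intended string. Rendering them as `azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID | quote }}` and `azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID | quote }}` keeps them strings for any input, and matches the already-quoted `"true"` on the `use` label above. The node service account template in this same hunk has the identical two lines and should change the same way; the indentation of the `annotations:` key relative to `labels:` cannot be verified from the collapsed text, so worth a `helm template` check.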
@@ -0,0 +1,173 @@
+image:
+ baseRepo: mcr.microsoft.com
+ blob:
+ repository: /k8s/csi/blob-csi
+ tag: latest
+ pullPolicy: IfNotPresent
+ csiProvisioner:
+ repository: /oss/kubernetes-csi/csi-provisioner
+ tag: v3.5.0
+ pullPolicy: IfNotPresent
+ livenessProbe:
+ repository: /oss/kubernetes-csi/livenessprobe
+ tag: v2.10.0
+ pullPolicy: IfNotPresent
+ nodeDriverRegistrar:
+ repository: /oss/kubernetes-csi/csi-node-driver-registrar
+ tag: v2.8.0
+ pullPolicy: IfNotPresent
+ csiResizer:
+ repository: /oss/kubernetes-csi/csi-resizer
+ tag: v1.8.0
+ pullPolicy: IfNotPresent
+
+cloud: AzurePublicCloud
+
+## Reference to one or more secrets to be used when pulling images
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# - name: myRegistryKeySecretName
+
+serviceAccount:
+ create: true # When true, service accounts will be created for you. Set to false if you want to use your own.
+ controller: csi-blob-controller-sa # Name of Service Account to be created or used
+ node: csi-blob-node-sa # Name of Service Account to be created or used
+
+rbac:
+ create: true
+ name: blob
+
+## Collection of annotations to add to all the pods
+podAnnotations: {}
+## Collection of labels to add to all the pods
+podLabels: {}
+# -- Custom labels to add into metadata
+customLabels: {}
+ # k8s-app: blob-csi-driver
+
+## Leverage a PriorityClass to ensure your pods survive resource shortages
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+priorityClassName: system-cluster-critical
+## Security context give the opportunity to run container as nonroot by setting a securityContext
+## by example :
+## securityContext: { runAsUser: 1001 }
+securityContext: {}
+
+controller:
+ name: csi-blob-controller
+ cloudConfigSecretName: azure-cloud-provider
+ cloudConfigSecretNamespace: kube-system
+ allowEmptyCloudConfig: true
+ hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting
+ metricsPort: 29634
+ livenessProbe:
+ healthPort: 29632
+ replicas: 2
+ runOnMaster: false
+ runOnControlPlane: false
+ logLevel: 5
+ resources:
+ csiProvisioner:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ livenessProbe:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ blob:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ csiResizer:
+ limits:
+ memory: 500Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ affinity: {}
+ nodeSelector: {}
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/controlplane"
+ operator: "Exists"
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ effect: "NoSchedule"
+
+node:
+ name: csi-blob-node
+ cloudConfigSecretName: azure-cloud-provider
+ cloudConfigSecretNamespace: kube-system
+ allowEmptyCloudConfig: true
+ allowInlineVolumeKeyAccessWithIdentity: false
+ maxUnavailable: 1
+ livenessProbe:
+ healthPort: 29633
+ logLevel: 5
+ enableBlobfuseProxy: false
+ blobfuseProxy:
+ installBlobfuse: true
+ blobfuseVersion: "1.4.5"
+ installBlobfuse2: true
+ blobfuse2Version: "2.0.3"
+ setMaxOpenFileNum: true
+ maxOpenFileNum: "9000000"
+ disableUpdateDB: true
+ blobfuseCachePath: /mnt
+ appendTimeStampInCacheDir: false
+ mountPermissions: 0777
+ resources:
+ livenessProbe:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ nodeDriverRegistrar:
+ limits:
+ memory: 100Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ blob:
+ limits:
+ memory: 2100Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+ affinity: {}
+ nodeSelector: {}
+ tolerations:
+ - operator: "Exists"
+
+feature:
+ fsGroupPolicy: ReadWriteOnceWithFSType
+ enableGetVolumeStats: false
+
+driver:
+ name: blob.csi.azure.com
+ customUserAgent: ""
+ userAgentSuffix: "OSS-helm"
+ azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR
+ httpsProxy: ""
+ httpProxy: ""
+
+linux:
+ kubelet: /var/lib/kubelet
+ distro: debian
+
+workloadIdentity:
+ clientID: ""
+ # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster
+ # then set tenantID with the application or user-assigned managed identity tenant ID
+ tenantID: ""
diff --git a/pkg/edgecache/cachevolume/pvc_annotator.go b/pkg/edgecache/cachevolume/pvc_annotator.go
index 0003e0ffd..2628557ed 100644
--- a/pkg/edgecache/cachevolume/pvc_annotator.go
+++ b/pkg/edgecache/cachevolume/pvc_annotator.go
@@ -44,7 +44,7 @@ const (
 )
 
 var (
- validStorageAuthentications = []string{"WorkloadIdentity", "AccountKey"}
+ validStorageAuthentications = []string{"WorkloadIdentity", "ManagedSystemIdentity", "AccountKey"}
 ErrVolumeAlreadyBeingProvisioned = errors.New("pv is already being provisioned")
 )