Add CSI driver

bin/update_csi.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+cd "$(dirname ${0})"/../files/
+wget https://github.com/jetstack/cert-manager-csi/raw/master/deploy/cert-manager-csi-driver.yaml
+
+kubernetes-split-yaml cert-manager-csi-driver.yaml > generated.log
+mv generated csi
+cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)|    - "csi/\2"|'
+
+rm -f generated.log cert-manager-csi-driver.yaml

defaults/main.yml

@@ -5,4 +5,5 @@ ingress_domain: "local"
 #  - 10.244.0.0/16
 #  - 192.168.140.0/24
 
+certmanager_csi: true
 certmanager_version: "0.13"

files/csi/cert-manager-csi-ClusterRole.yaml

@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cert-manager-csi
+rules:
+- apiGroups: ["cert-manager.io"]
+  resources: ["certificaterequests"]
+  verbs: ["get", "create", "delete", "update"]

files/csi/cert-manager-csi-ClusterRoleBinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cert-manager-csi
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cert-manager-csi
+subjects:
+- apiGroup:
+  kind: ServiceAccount
+  name: cert-manager-csi
+  namespace: cert-manager

files/csi/cert-manager-csi-DaemonSet.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: cert-manager-csi
+  namespace: cert-manager
+spec:
+  selector:
+    matchLabels:
+      app: cert-manager-csi
+  template:
+    metadata:
+      labels:
+        app: cert-manager-csi
+    spec:
+      serviceAccount: cert-manager-csi
+      containers:
+
+        - name: node-driver-registrar
+          image: quay.io/k8scsi/csi-node-driver-registrar:v1.2.0
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/sh", "-c", "rm -rf /registration/cert-manager-csi /registration/cert-manager-csi-reg.sock"]
+          args:
+            - --v=5
+            - --csi-address=/plugin/csi.sock
+            - --kubelet-registration-path=/var/lib/kubelet/plugins/cert-manager-csi/csi.sock
+          env:
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /plugin
+            - name: registration-dir
+              mountPath: /registration
+
+        - name: cert-manager-csi
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: gcr.io/jetstack-josh/cert-manager-csi:v0.1.0-alpha.1
+          imagePullPolicy: "IfNotPresent"
+          args :
+            - --node-id=$(NODE_ID)
+            - --endpoint=$(CSI_ENDPOINT)
+            - --data-root=/csi-data-dir
+          env:
+            - name: NODE_ID
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: CSI_ENDPOINT
+              value: unix://plugin/csi.sock
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /plugin
+            - name: pods-mount-dir
+              mountPath: /var/lib/kubelet/pods
+              mountPropagation: "Bidirectional"
+            - name: csi-data-dir
+              mountPath: /csi-data-dir
+      volumes:
+        - name: plugin-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins/cert-manager-csi
+            type: DirectoryOrCreate
+        - name: pods-mount-dir
+          hostPath:
+            path: /var/lib/kubelet/pods
+            type: Directory
+        - hostPath:
+            path: /var/lib/kubelet/plugins_registry
+            type: Directory
+          name: registration-dir
+        - hostPath:
+            path: /tmp/cert-manager-csi
+            type: DirectoryOrCreate
+          name: csi-data-dir

files/csi/cert-manager-csi-ServiceAccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-csi
+  namespace: cert-manager

files/csi/csi.cert-manager.io-CSIDriver.yaml

@@ -0,0 +1,8 @@
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+  name: csi.cert-manager.io
+spec:
+  podInfoOnMount: true
+  volumeLifecycleModes:
+  - Ephemeral

tasks/csi.yml

@@ -0,0 +1,22 @@
+---
+- set_fact:
+    certmanager_csi_state: "present"
+  when:
+    - certmanager_csi
+
+- set_fact:
+    certmanager_csi_state: "absent"
+  when:
+    - not certmanager_csi
+
+- name: Cert Manager files version {{ certmanager_version }} need to be {{ certmanager_csi_state }}
+  k8s:
+    state: "{{ certmanager_csi_state }}"
+    context: "{{ my_context }}"
+    resource_definition: "{{ lookup('files', item) | from_yaml }}"
+  with_items:
+    - "csi/csi.cert-manager.io-CSIDriver.yaml"
+    - "csi/cert-manager-csi-ServiceAccount.yaml"
+    - "csi/cert-manager-csi-ClusterRole.yaml"
+    - "csi/cert-manager-csi-ClusterRoleBinding.yaml"
+    - "csi/cert-manager-csi-DaemonSet.yaml"

tasks/main.yml

@@ -52,3 +52,11 @@
     when:
       - certmanager_version | regex_search('(0.14)') or certmanager_actual_version.stdout | regex_search('(0.14)')
     tags: certmanager
+
+
+
+  - name: install / uninstall Cert-Manager CSI Kubernetes drivers
+    include_tasks: "csi.yml"
+    when:
+      - certmanager_csi
+    tags: certmanager