diff --git a/bin/update.sh b/bin/update.sh
index 0e03dad..c912714 100755
--- a/bin/update.sh
+++ b/bin/update.sh
@@ -45,6 +45,27 @@ done
 rm -fr files/digitalocean.old
+# https://github.com/kubernetes-incubator/external-storage/tree/master/nfs
+mv files/nfs{,.old}
+mkdir files/nfs
+for FICHIER in psp.yaml rbac.yaml deployment.yaml class.yaml; do
+ wget https://github.com/kubernetes-incubator/external-storage/raw/master/nfs/deploy/kubernetes/$FICHIER
+ kubernetes-split-yaml $FICHIER >> generated.log
+ mv generated/* files/nfs/
+ cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "nfs/\2"|'
+ rm -f $FICHIER generated.log
+done
+for i in nfs-provisioner-runner-ClusterRole.yaml run-nfs-provisioner-ClusterRoleBinding.yaml leader-locking-nfs-provisioner-Role.yaml leader-locking-nfs-provisioner-RoleBinding.yaml; do
+ sed "s/namespace:.*/namespace: nfs-provisioner/g" -i files/nfs/$i
+done
+sed 's|\(.*-provisioner=\).*"|\1reslinger.net/nfs"|' -i files/nfs/nfs-provisioner-Deployment.yaml
+mv files/nfs/example-nfs-StorageClass.yaml files/nfs/StorageClass.yaml
+sed 's|example-nfs|nfs|' -i files/nfs/StorageClass.yaml
+sed 's|example.com/nfs|reslinger.net/nfs|' -i files/nfs/StorageClass.yaml
+rm -fr files/nfs.old
+
+
+
 #https://github.com/scaleway/scaleway-csi
 #https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver
 #https://github.com/hetznercloud/csi-driver
diff --git a/defaults/main.yml b/defaults/main.yml
index 9041aa0..074f2d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,6 @@
 my_context: minikube
 storage_localpath: true
+storage_nfs: false
 storage_linode: false
 storage_digitalocean: false
 storage_secrets_store: false
diff --git a/files/nfs/StorageClass.yaml b/files/nfs/StorageClass.yaml
new file mode 100644
index 0000000..82a258f
--- /dev/null
+++ b/files/nfs/StorageClass.yaml
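Review bot: The second loop's `sed "s/namespace:.*/namespace: nfs-provisioner/g"` rewrites the binding subjects to an `nfs-provisioner` namespace, but nothing in this commit creates that namespace, tasks/nfs.yml passes no `namespace:` to the k8s module, and the committed RoleBinding/ClusterRoleBinding still read `namespace: default`, so the checked-in manifests are not what this script produces. Either drop the loop or have the playbook create and target that namespace, then regenerate the files so the repo and the script agree. The manifests are also fetched from the unpinned `master` branch with no commit pin or checksum, so each run can silently pull different RBAC and PSP content into the repo; pin a revision in the URL (`.../raw/<upstream-commit>/nfs/deploy/kubernetes/$FICHIER`, placeholder) and review the resulting diff before committing. Minor hygiene in the same hunk: quote `"$FICHIER"` and `"files/nfs/$i"`, use `while IFS= read -r LIGNE`, and prefer `printf '%s ' "$LIGNE"` over `echo -n`.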
@@ -0,0 +1,7 @@
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+ name: nfs
+provisioner: reslinger.net/nfs
+mountOptions:
+ - vers=4.1
diff --git a/files/nfs/leader-locking-nfs-provisioner-Role.yaml b/files/nfs/leader-locking-nfs-provisioner-Role.yaml
new file mode 100644
index 0000000..c28bf55
--- /dev/null
+++ b/files/nfs/leader-locking-nfs-provisioner-Role.yaml
@@ -0,0 +1,8 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: leader-locking-nfs-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml b/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
new file mode 100644
index 0000000..9d35d9e
--- /dev/null
+++ b/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: leader-locking-nfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-provisioner
+ # replace with namespace where provisioner is deployed
+ namespace: default
+roleRef:
+ kind: Role
+ name: leader-locking-nfs-provisioner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/files/nfs/nfs-provisioner-Deployment.yaml b/files/nfs/nfs-provisioner-Deployment.yaml
new file mode 100644
index 0000000..a837d63
--- /dev/null
+++ b/files/nfs/nfs-provisioner-Deployment.yaml
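Review bot: The subject namespace is hard-coded to `default` with the upstream placeholder `# replace with namespace where provisioner is deployed` left in, here and in files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml, while bin/update.sh in the same commit rewrites these files to `namespace: nfs-provisioner`. The ClusterRole bound by the second file grants cluster-wide PersistentVolume create/delete, so the binding must point deliberately at the ServiceAccount the playbook actually creates; if the k8s tasks keep deploying into the context's current namespace, the value here only happens to match when that namespace is `default`. Pick one namespace, set it in both bindings and as `namespace:` on the k8s tasks, and drop the placeholder comment, e.g. `namespace: <deploy-namespace>` (placeholder for the chosen value).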
@@ -0,0 +1,77 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: nfs-provisioner
+spec:
+ selector:
+ matchLabels:
+ app: nfs-provisioner
+ replicas: 1
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: nfs-provisioner
+ spec:
+ serviceAccount: nfs-provisioner
+ containers:
+ - name: nfs-provisioner
+ image: quay.io/kubernetes_incubator/nfs-provisioner:latest
+ ports:
+ - name: nfs
+ containerPort: 2049
+ - name: nfs-udp
+ containerPort: 2049
+ protocol: UDP
+ - name: nlockmgr
+ containerPort: 32803
+ - name: nlockmgr-udp
+ containerPort: 32803
+ protocol: UDP
+ - name: mountd
+ containerPort: 20048
+ - name: mountd-udp
+ containerPort: 20048
+ protocol: UDP
+ - name: rquotad
+ containerPort: 875
+ - name: rquotad-udp
+ containerPort: 875
+ protocol: UDP
+ - name: rpcbind
+ containerPort: 111
+ - name: rpcbind-udp
+ containerPort: 111
+ protocol: UDP
+ - name: statd
+ containerPort: 662
+ - name: statd-udp
+ containerPort: 662
+ protocol: UDP
+ securityContext:
+ capabilities:
+ add:
+ - DAC_READ_SEARCH
+ - SYS_RESOURCE
+ args:
+ - "-provisioner=reslinger.net/nfs"
+ env:
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ - name: SERVICE_NAME
+ value: nfs-provisioner
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ imagePullPolicy: "IfNotPresent"
+ volumeMounts:
+ - name: export-volume
+ mountPath: /export
+ volumes:
+ - name: export-volume
+ hostPath:
+ path: /srv
diff --git a/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml b/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
new file mode 100644
index 0000000..2f8e188
--- /dev/null
+++ b/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
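Review bot: The image is `quay.io/kubernetes_incubator/nfs-provisioner:latest` with `imagePullPolicy: "IfNotPresent"`, so the code that runs with the added `DAC_READ_SEARCH`/`SYS_RESOURCE` capabilities and a non-read-only `hostPath` mount of `/srv` is whatever each node happened to cache under that tag, which is neither reproducible nor auditable; pin a version and digest, `image: quay.io/kubernetes_incubator/nfs-provisioner:<version>@sha256:<digest>` (placeholders). `serviceAccount:` is the deprecated alias of `serviceAccountName:` in the pod spec; prefer the latter. The `-provisioner=reslinger.net/nfs` argument must stay equal to `provisioner:` in files/nfs/StorageClass.yaml (bin/update.sh rewrites both), so a comment on that line such as `# must match provisioner: in StorageClass.yaml` would save the next editor a silent mismatch.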
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: nfs-provisioner
+spec:
+ fsGroup:
+ rule: RunAsAny
+ allowedCapabilities:
+ - DAC_READ_SEARCH
+ - SYS_RESOURCE
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - hostPath
diff --git a/files/nfs/nfs-provisioner-Service.yaml b/files/nfs/nfs-provisioner-Service.yaml
new file mode 100644
index 0000000..cc12c38
--- /dev/null
+++ b/files/nfs/nfs-provisioner-Service.yaml
@@ -0,0 +1,40 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: nfs-provisioner
+ labels:
+ app: nfs-provisioner
+spec:
+ ports:
+ - name: nfs
+ port: 2049
+ - name: nfs-udp
+ port: 2049
+ protocol: UDP
+ - name: nlockmgr
+ port: 32803
+ - name: nlockmgr-udp
+ port: 32803
+ protocol: UDP
+ - name: mountd
+ port: 20048
+ - name: mountd-udp
+ port: 20048
+ protocol: UDP
+ - name: rquotad
+ port: 875
+ - name: rquotad-udp
+ port: 875
+ protocol: UDP
+ - name: rpcbind
+ port: 111
+ - name: rpcbind-udp
+ port: 111
+ protocol: UDP
+ - name: statd
+ port: 662
+ - name: statd-udp
+ port: 662
+ protocol: UDP
+ selector:
+ app: nfs-provisioner
diff --git a/files/nfs/nfs-provisioner-ServiceAccount.yaml b/files/nfs/nfs-provisioner-ServiceAccount.yaml
new file mode 100644
index 0000000..d76b2c7
--- /dev/null
+++ b/files/nfs/nfs-provisioner-ServiceAccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfs-provisioner
diff --git a/files/nfs/nfs-provisioner-runner-ClusterRole.yaml b/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
new file mode 100644
index 0000000..edebf4e
--- /dev/null
+++ b/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
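Review bot: `volumes` permits `hostPath` with no `allowedHostPaths`, so any pod admitted under this policy (reachable through the `use` grant in files/nfs/nfs-provisioner-runner-ClusterRole.yaml) may mount arbitrary host directories, not just the `/srv` export the Deployment uses; add `allowedHostPaths:` with `- pathPrefix: /srv` to scope it. `apiVersion: extensions/v1beta1` for PodSecurityPolicy was superseded by `policy/v1beta1` and is no longer served by newer API servers, and the ClusterRole's `use` rule lists only the `extensions` apiGroup, so on such clusters both files would need the `policy` group — confirm the target minikube version before relying on this policy. The fully `RunAsAny` rules are inherited from upstream and are probably required by the provisioner, but a one-line comment saying so would stop a later reviewer from tightening them blindly.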
@@ -0,0 +1,24 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: nfs-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["services", "endpoints"]
+ verbs: ["get"]
+ - apiGroups: ["extensions"]
+ resources: ["podsecuritypolicies"]
+ resourceNames: ["nfs-provisioner"]
+ verbs: ["use"]
diff --git a/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml b/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
new file mode 100644
index 0000000..4478734
--- /dev/null
+++ b/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: run-nfs-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-provisioner
+ # replace with namespace where provisioner is deployed
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: nfs-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
diff --git a/tasks/main.yml b/tasks/main.yml
index b6c20f6..57bebbf 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,8 @@
 - name: Local Path setup
 block:
+# - include_tasks: "manual.yml"
 - include_tasks: "local.yml"
+ - include_tasks: "nfs.yml"
 - include_tasks: "digital_ocean.yml"
 - include_tasks: "linode.yml"
 - include_tasks: "secrets-store.yml"
diff --git a/tasks/nfs.yml b/tasks/nfs.yml
new file mode 100644
index 0000000..10b4365
--- /dev/null
+++ b/tasks/nfs.yml
@@ -0,0 +1,32 @@
+---
+# https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md
+# Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage
+# ou alors tourner le container en privileged
+ - name: Defined nfs-provisioner state to present
+ set_fact:
+ storage_nfs_state: present
+ when:
+ - storage_nfs|bool
+
+ - name: find state of nfs-provisioner
+ set_fact:
+ storage_nfs_state: absent
+ when:
+ - not storage_nfs|bool
+
+ - name: nfs-provisioner need to be {{ storage_nfs_state }}
+ k8s:
+ state: "{{ storage_nfs_state }}"
+ context: "{{ my_context }}"
+ merge_type: merge
+ resource_definition: "{{ lookup('file', item) | from_yaml }}"
+ with_items:
+ - "nfs/nfs-provisioner-PodSecurityPolicy.yaml"
+ - "nfs/nfs-provisioner-runner-ClusterRole.yaml"
+ - "nfs/run-nfs-provisioner-ClusterRoleBinding.yaml"
+ - "nfs/leader-locking-nfs-provisioner-Role.yaml"
+ - "nfs/leader-locking-nfs-provisioner-RoleBinding.yaml"
+ - "nfs/nfs-provisioner-ServiceAccount.yaml"
+ - "nfs/nfs-provisioner-Service.yaml"
+ - "nfs/nfs-provisioner-Deployment.yaml"
+ - "nfs/example-nfs-StorageClass.yaml"
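Review bot: The last `with_items` entry is `nfs/example-nfs-StorageClass.yaml`, but the file this commit adds is files/nfs/StorageClass.yaml (bin/update.sh renames it with `mv files/nfs/example-nfs-StorageClass.yaml files/nfs/StorageClass.yaml`), so `lookup('file', item)` fails on that item and the StorageClass is never created; change it to `- "nfs/StorageClass.yaml"`. The k8s task sets no `namespace:`, so the ServiceAccount and Deployment land in whatever namespace the `my_context` kubeconfig entry selects, while the two bindings name `default` explicitly; passing the intended namespace here makes that coupling visible. The two `set_fact` tasks can be a single one, `storage_nfs_state: "{{ 'present' if storage_nfs|bool else 'absent' }}"`. The header comment about the `chcon -Rt svirt_sandbox_file_t /srv` relabel (or running privileged) is the one operational prerequisite in the file, so an English version would help readers who do not read French.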