nfs-provisioner WIP

2020-07-12 00:49:52 +02:00 · 2020-07-12 00:49:52 +02:00 · 7f0a136cf7
commit 7f0a136cf7
parent 8dd47900cf
13 changed files with 265 additions and 0 deletions
--- a/bin/update.sh
+++ b/bin/update.sh
@ -45,6 +45,27 @@ done
 rm -fr files/digitalocean.old
 # https://github.com/kubernetes-incubator/external-storage/tree/master/nfs
 mv files/nfs{,.old}
 mkdir files/nfs
 for FICHIER in psp.yaml rbac.yaml deployment.yaml class.yaml; do
    wget https://github.com/kubernetes-incubator/external-storage/raw/master/nfs/deploy/kubernetes/$FICHIER
    kubernetes-split-yaml $FICHIER >> generated.log
    mv generated/* files/nfs/
    cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)|      - "nfs/\2"|'
    rm -f $FICHIER generated.log
 done
 for i in nfs-provisioner-runner-ClusterRole.yaml run-nfs-provisioner-ClusterRoleBinding.yaml leader-locking-nfs-provisioner-Role.yaml leader-locking-nfs-provisioner-RoleBinding.yaml; do
    sed "s/namespace:.*/namespace: nfs-provisioner/g" -i files/nfs/$i
 done
 sed 's|\(.*-provisioner=\).*"|\1reslinger.net/nfs"|' -i files/nfs/nfs-provisioner-Deployment.yaml
 mv files/nfs/example-nfs-StorageClass.yaml files/nfs/StorageClass.yaml
 sed 's|example-nfs|nfs|' -i files/nfs/StorageClass.yaml
 sed 's|example.com/nfs|reslinger.net/nfs|' -i files/nfs/StorageClass.yaml
 rm -fr files/nfs.old
 #https://github.com/scaleway/scaleway-csi
 #https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver
 #https://github.com/hetznercloud/csi-driver
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,5 +1,6 @@
 my_context: minikube
 storage_localpath: true
 storage_nfs: false
 storage_linode: false
 storage_digitalocean: false
 storage_secrets_store: false
--- a/files/nfs/StorageClass.yaml
+++ b/files/nfs/StorageClass.yaml
@ -0,0 +1,7 @@
 kind: StorageClass
 apiVersion: storage.k8s.io/v1
 metadata:
  name: nfs
 provisioner: reslinger.net/nfs
 mountOptions:
  - vers=4.1
--- a/files/nfs/leader-locking-nfs-provisioner-Role.yaml
+++ b/files/nfs/leader-locking-nfs-provisioner-Role.yaml
@ -0,0 +1,8 @@
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: leader-locking-nfs-provisioner
 rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
--- a/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
+++ b/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
@ -0,0 +1,13 @@
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: leader-locking-nfs-provisioner
 subjects:
  - kind: ServiceAccount
    name: nfs-provisioner
    # replace with namespace where provisioner is deployed
    namespace: default
 roleRef:
  kind: Role
  name: leader-locking-nfs-provisioner
  apiGroup: rbac.authorization.k8s.io
--- a/files/nfs/nfs-provisioner-Deployment.yaml
+++ b/files/nfs/nfs-provisioner-Deployment.yaml
@ -0,0 +1,77 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  name: nfs-provisioner
 spec:
  selector:
    matchLabels:
      app: nfs-provisioner
  replicas: 1
  strategy:
    type: Recreate 
  template:
    metadata:
      labels:
        app: nfs-provisioner
    spec:
      serviceAccount: nfs-provisioner
      containers:
        - name: nfs-provisioner
          image: quay.io/kubernetes_incubator/nfs-provisioner:latest
          ports:
            - name: nfs
              containerPort: 2049
            - name: nfs-udp
              containerPort: 2049
              protocol: UDP
            - name: nlockmgr
              containerPort: 32803
            - name: nlockmgr-udp
              containerPort: 32803
              protocol: UDP
            - name: mountd
              containerPort: 20048
            - name: mountd-udp
              containerPort: 20048
              protocol: UDP
            - name: rquotad
              containerPort: 875
            - name: rquotad-udp
              containerPort: 875
              protocol: UDP
            - name: rpcbind
              containerPort: 111
            - name: rpcbind-udp
              containerPort: 111
              protocol: UDP
            - name: statd
              containerPort: 662
            - name: statd-udp
              containerPort: 662
              protocol: UDP
          securityContext:
            capabilities:
              add:
                - DAC_READ_SEARCH
                - SYS_RESOURCE
          args:
            - "-provisioner=reslinger.net/nfs"
          env:
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: SERVICE_NAME
              value: nfs-provisioner
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - name: export-volume
              mountPath: /export
      volumes:
        - name: export-volume
          hostPath:
            path: /srv
--- a/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
+++ b/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
@ -0,0 +1,23 @@
 apiVersion: extensions/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: nfs-provisioner
 spec:
  fsGroup:
    rule: RunAsAny
  allowedCapabilities:
  - DAC_READ_SEARCH
  - SYS_RESOURCE
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - secret
  - hostPath
--- a/files/nfs/nfs-provisioner-Service.yaml
+++ b/files/nfs/nfs-provisioner-Service.yaml
@ -0,0 +1,40 @@
 kind: Service
 apiVersion: v1
 metadata:
  name: nfs-provisioner
  labels:
    app: nfs-provisioner
 spec:
  ports:
    - name: nfs
      port: 2049
    - name: nfs-udp
      port: 2049
      protocol: UDP
    - name: nlockmgr
      port: 32803
    - name: nlockmgr-udp
      port: 32803
      protocol: UDP
    - name: mountd
      port: 20048
    - name: mountd-udp
      port: 20048
      protocol: UDP
    - name: rquotad
      port: 875
    - name: rquotad-udp
      port: 875
      protocol: UDP
    - name: rpcbind
      port: 111
    - name: rpcbind-udp
      port: 111
      protocol: UDP
    - name: statd
      port: 662
    - name: statd-udp
      port: 662
      protocol: UDP
  selector:
    app: nfs-provisioner
--- a/files/nfs/nfs-provisioner-ServiceAccount.yaml
+++ b/files/nfs/nfs-provisioner-ServiceAccount.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: nfs-provisioner
--- a/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
+++ b/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
@ -0,0 +1,24 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: nfs-provisioner-runner
 rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get"]
  - apiGroups: ["extensions"]
    resources: ["podsecuritypolicies"]
    resourceNames: ["nfs-provisioner"]
    verbs: ["use"]
--- a/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
+++ b/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
@ -0,0 +1,13 @@
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: run-nfs-provisioner
 subjects:
  - kind: ServiceAccount
    name: nfs-provisioner
     # replace with namespace where provisioner is deployed
    namespace: default
 roleRef:
  kind: ClusterRole
  name: nfs-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,6 +1,8 @@
 - name: Local Path setup
  block:
 #  - include_tasks: "manual.yml"
  - include_tasks: "local.yml"
  - include_tasks: "nfs.yml"
  - include_tasks: "digital_ocean.yml"
  - include_tasks: "linode.yml"
  - include_tasks: "secrets-store.yml"
--- a/tasks/nfs.yml
+++ b/tasks/nfs.yml
@ -0,0 +1,32 @@
 ---
 # https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md
 # Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage
 # ou alors tourner le container en privileged
  - name: Defined nfs-provisioner state to present
    set_fact:
      storage_nfs_state: present
    when:
      - storage_nfs|bool
  - name: find state of nfs-provisioner
    set_fact:
      storage_nfs_state: absent
    when:
      - not storage_nfs|bool
  - name: nfs-provisioner need to be {{ storage_nfs_state }}
    k8s:
      state: "{{ storage_nfs_state }}"
      context: "{{ my_context }}"
      merge_type: merge
      resource_definition: "{{ lookup('file', item) | from_yaml }}"
    with_items:
      - "nfs/nfs-provisioner-PodSecurityPolicy.yaml"
      - "nfs/nfs-provisioner-runner-ClusterRole.yaml"
      - "nfs/run-nfs-provisioner-ClusterRoleBinding.yaml"
      - "nfs/leader-locking-nfs-provisioner-Role.yaml"
      - "nfs/leader-locking-nfs-provisioner-RoleBinding.yaml"
      - "nfs/nfs-provisioner-ServiceAccount.yaml"
      - "nfs/nfs-provisioner-Service.yaml"
      - "nfs/nfs-provisioner-Deployment.yaml"
      - "nfs/example-nfs-StorageClass.yaml"