Update from upstream
All checks were successful
continuous-integration/drone/push Build is passing

Adrien Reslinger 2021-03-24 22:24:28 +01:00
parent 154fce15e4
commit 838b0de25f
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
9 changed files with 93 additions and 25 deletions


@ -5,7 +5,7 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: external-attacher-role name: external-attacher-runner
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: csi-controller-sa name: csi-controller-sa
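Review bot: `roleRef` on a ClusterRoleBinding is immutable, so on a cluster where this binding already exists the new `name: external-attacher-runner` is rejected on apply until the old binding is deleted and recreated. The ClusterRole of that name is not among the lines shown on this page; if it is missing or named differently, `csi-controller-sa` is bound to nothing and the sidecar's API calls fail authorization. The same applies to the `external-provisioner-runner` and `external-resizer-runner` bindings in the next two files. The rollout should delete the three old bindings before applying, and confirm the `-runner` roles exist with the expected verbs.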


@ -5,7 +5,7 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: external-provisioner-role name: external-provisioner-runner
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: csi-controller-sa name: csi-controller-sa


@ -5,7 +5,7 @@ metadata:
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: external-resizer-role name: external-resizer-runner
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: csi-controller-sa name: csi-controller-sa


@ -78,7 +78,7 @@ spec:
secretKeyRef: secretKeyRef:
key: token key: token
name: linode name: linode
image: linode/linode-blockstorage-csi-driver:v0.3.0 image: linode/linode-blockstorage-csi-driver:v0.4.0
imagePullPolicy: Always imagePullPolicy: Always
name: linode-csi-plugin name: linode-csi-plugin
volumeMounts: volumeMounts:


@ -56,7 +56,7 @@ spec:
secretKeyRef: secretKeyRef:
key: token key: token
name: linode name: linode
image: linode/linode-blockstorage-csi-driver:v0.3.0 image: linode/linode-blockstorage-csi-driver:v0.4.0
imagePullPolicy: Always imagePullPolicy: Always
name: csi-linode-plugin name: csi-linode-plugin
securityContext: securityContext:


@ -11,7 +11,6 @@ rules:
- get - get
- list - list
- watch - watch
- update
- patch - patch
- apiGroups: - apiGroups:
- "" - ""
@ -21,12 +20,19 @@ rules:
- get - get
- list - list
- watch - watch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups: - apiGroups:
- "" - ""
resources: resources:
- persistentvolumeclaims/status - persistentvolumeclaims/status
verbs: verbs:
- update
- patch - patch
- apiGroups: - apiGroups:
- "" - ""
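Review bot: The added rule granting `get`, `list` and `watch` on `pods` is cluster-wide and has no comment saying which sidecar feature needs it. Dropping `update` from the two neighbouring rules narrows the role, but this rule lets the bound account read pod specs in every namespace, including environment variables and volume references. A comment above the rule, for example `# pods: read-only; presumably used to check whether a volume is in use before resize (confirm against the sidecar's documented RBAC)`, would let a later reviewer remove the grant if that feature is disabled. The `rules` list starts and ends outside the hunks, so other grants in this role are not visible here.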


@ -12,12 +12,13 @@ spec:
metadata: metadata:
labels: labels:
app: csi-secrets-store app: csi-secrets-store
annotations:
kubectl.kubernetes.io/default-logs-container: secrets-store
spec: spec:
serviceAccountName: secrets-store-csi-driver serviceAccountName: secrets-store-csi-driver
hostNetwork: true
containers: containers:
- name: node-driver-registrar - name: node-driver-registrar
image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1 image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
args: args:
- --v=5 - --v=5
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
@ -42,13 +43,13 @@ spec:
cpu: 10m cpu: 10m
memory: 20Mi memory: 20Mi
- name: secrets-store - name: secrets-store
image: k8s.gcr.io/csi-secrets-store/driver:v0.0.18 image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20
args: args:
- "--endpoint=$(CSI_ENDPOINT)" - "--endpoint=$(CSI_ENDPOINT)"
- "--nodeid=$(KUBE_NODE_NAME)" - "--nodeid=$(KUBE_NODE_NAME)"
- "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
- "--metrics-addr=:8095" - "--metrics-addr=:8095"
- "--grpc-supported-providers=gcp;" - "--grpc-supported-providers=gcp;azure;vault;"
- "--enable-secret-rotation=false" - "--enable-secret-rotation=false"
- "--rotation-poll-interval=2m" - "--rotation-poll-interval=2m"
env: env:
@ -90,12 +91,12 @@ spec:
cpu: 50m cpu: 50m
memory: 100Mi memory: 100Mi
- name: liveness-probe - name: liveness-probe
image: k8s.gcr.io/sig-storage/livenessprobe:v2.1.0 image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0
imagePullPolicy: Always imagePullPolicy: Always
args: args:
- --csi-address=/csi/csi.sock - --csi-address=/csi/csi.sock
- --probe-timeout=3s - --probe-timeout=3s
- --health-port=9808 - --http-endpoint=0.0.0.0:9808
- -v=2 - -v=2
volumeMounts: volumeMounts:
- name: plugin-dir - name: plugin-dir
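Review bot: The bumped images are still referenced by mutable tag (`csi-node-driver-registrar:v2.1.0`, `driver:v0.0.20`, `livenessprobe:v2.2.0`), and the liveness-probe container keeps `imagePullPolicy: Always`, so each pod start runs whatever the registry serves for that tag at that moment. For a DaemonSet that runs the secrets-store driver on every node, pin each image by digest, e.g. `image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20@sha256:<digest-from-registry>`. The same applies to the `linode-blockstorage-csi-driver:v0.4.0` and `hashicorp/vault-csi-provider:0.1.0` lines in the other files, which also use `imagePullPolicy: Always`. The container specs continue outside these hunks.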


@ -1,26 +1,65 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: csi-secrets-store
name: vault-csi-provider
namespace: csi
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
namespace: csi-secrets-store
name: vault-csi-provider-clusterrole
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
namespace: csi-secrets-store
name: vault-csi-provider-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: vault-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: vault-csi-provider
namespace: csi
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
namespace: csi-secrets-store namespace: csi-secrets-store
labels: labels:
app: csi-secrets-store-provider-vault app: vault-csi-provider
name: csi-secrets-store-provider-vault name: vault-csi-provider
namespace: csi
spec: spec:
updateStrategy: updateStrategy:
type: RollingUpdate type: RollingUpdate
selector: selector:
matchLabels: matchLabels:
app: csi-secrets-store-provider-vault app: vault-csi-provider
template: template:
metadata: metadata:
labels: labels:
app: csi-secrets-store-provider-vault app: vault-csi-provider
spec: spec:
serviceAccountName: vault-csi-provider
tolerations: tolerations:
containers: containers:
- name: provider-vault-installer - name: provider-vault-installer
image: hashicorp/secrets-store-csi-driver-provider-vault:0.0.6 image: hashicorp/vault-csi-provider:0.1.0
imagePullPolicy: Always imagePullPolicy: Always
args:
- --endpoint=/provider/vault.sock
- --debug=false
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
@ -28,16 +67,38 @@ spec:
limits: limits:
cpu: 50m cpu: 50m
memory: 100Mi memory: 100Mi
env:
# set TARGET_DIR env var and mount the same directory to to the container
- name: TARGET_DIR
value: "/etc/kubernetes/secrets-store-csi-providers"
volumeMounts: volumeMounts:
- mountPath: "/etc/kubernetes/secrets-store-csi-providers" - name: providervol
name: providervol mountPath: "/provider"
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
livenessProbe:
httpGet:
path: "/health/ready"
port: 8080
scheme: "HTTP"
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/health/ready"
port: 8080
scheme: "HTTP"
failureThreshold: 2
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
volumes: volumes:
- name: providervol - name: providervol
hostPath: hostPath:
path: "/etc/kubernetes/secrets-store-csi-providers" path: "/etc/kubernetes/secrets-store-csi-providers"
- name: mountpoint-dir
hostPath:
path: /var/lib/kubelet/pods
nodeSelector: nodeSelector:
beta.kubernetes.io/os: linux beta.kubernetes.io/os: linux
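Review bot: As rendered, the new ServiceAccount and DaemonSet `metadata` each carry two `namespace` keys (`csi-secrets-store` and `csi`), while the ClusterRoleBinding subject names `namespace: csi`. YAML loaders resolve duplicate keys differently (last-wins or a hard error), so which namespace the account lands in, and whether the binding matches it, depends on the tool that applies the file. Keep a single `namespace: csi` in each and drop the `namespace` lines from the cluster-scoped ClusterRole and ClusterRoleBinding, where the field has no effect. Separately, the ClusterRole grants `create` on `serviceaccounts/token` cluster-wide, which lets this account request a token for any service account in any namespace. A comment stating why the provider needs that grant, plus audit logging of token requests made by `vault-csi-provider`, would make it reviewable.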


@ -1,8 +1,8 @@
--- ---
secrets_store_files: secrets_store_files:
- "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
- "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml" - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
- "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml" - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
- "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
- "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml" - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
- "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml" - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
- "secrets-store/csi-secrets-store-DaemonSet.yaml" - "secrets-store/csi-secrets-store-DaemonSet.yaml"