From f0baecfec693989f8924ebbc33118bf0cad79305 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Sun, 21 Feb 2021 16:48:14 +0100
Subject: [PATCH] Deploy NFS provisioner with helm
---
files/nfs/StorageClass.yaml | 7 --
.../leader-locking-nfs-provisioner-Role.yaml | 8 --
...r-locking-nfs-provisioner-RoleBinding.yaml | 13 ----
files/nfs/nfs-provisioner-Deployment.yaml | 77 -------------------
.../nfs-provisioner-PodSecurityPolicy.yaml | 23 ------
files/nfs/nfs-provisioner-Service.yaml | 40 ----------
files/nfs/nfs-provisioner-ServiceAccount.yaml | 4 -
.../nfs-provisioner-runner-ClusterRole.yaml | 24 ------
...un-nfs-provisioner-ClusterRoleBinding.yaml | 13 ----
tasks/nfs.yml | 36 ++++++---
vars/nfs.yaml | 11 ---
vars/nfs.yml | 11 ---
12 files changed, 26 insertions(+), 241 deletions(-)
delete mode 100644 files/nfs/StorageClass.yaml
delete mode 100644 files/nfs/leader-locking-nfs-provisioner-Role.yaml
delete mode 100644 files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
delete mode 100644 files/nfs/nfs-provisioner-Deployment.yaml
delete mode 100644 files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
delete mode 100644 files/nfs/nfs-provisioner-Service.yaml
delete mode 100644 files/nfs/nfs-provisioner-ServiceAccount.yaml
delete mode 100644 files/nfs/nfs-provisioner-runner-ClusterRole.yaml
delete mode 100644 files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
delete mode 100644 vars/nfs.yaml
delete mode 100644 vars/nfs.yml
diff --git a/files/nfs/StorageClass.yaml b/files/nfs/StorageClass.yaml
deleted file mode 100644
index 82a258f..0000000
--- a/files/nfs/StorageClass.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
- name: nfs
-provisioner: reslinger.net/nfs
-mountOptions:
- - vers=4.1
diff --git a/files/nfs/leader-locking-nfs-provisioner-Role.yaml b/files/nfs/leader-locking-nfs-provisioner-Role.yaml
deleted file mode 100644
index c28bf55..0000000
--- a/files/nfs/leader-locking-nfs-provisioner-Role.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: leader-locking-nfs-provisioner
-rules:
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml b/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
deleted file mode 100644
index d0dd6aa..0000000
--- a/files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: leader-locking-nfs-provisioner
-subjects:
- - kind: ServiceAccount
- name: nfs-provisioner
- # replace with namespace where provisioner is deployed
- namespace: nfs-provisioner
-roleRef:
- kind: Role
- name: leader-locking-nfs-provisioner
- apiGroup: rbac.authorization.k8s.io
diff --git a/files/nfs/nfs-provisioner-Deployment.yaml b/files/nfs/nfs-provisioner-Deployment.yaml
deleted file mode 100644
index a837d63..0000000
--- a/files/nfs/nfs-provisioner-Deployment.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
-kind: Deployment
-apiVersion: apps/v1
-metadata:
- name: nfs-provisioner
-spec:
- selector:
- matchLabels:
- app: nfs-provisioner
- replicas: 1
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: nfs-provisioner
- spec:
- serviceAccount: nfs-provisioner
- containers:
- - name: nfs-provisioner
- image: quay.io/kubernetes_incubator/nfs-provisioner:latest
- ports:
- - name: nfs
- containerPort: 2049
- - name: nfs-udp
- containerPort: 2049
- protocol: UDP
- - name: nlockmgr
- containerPort: 32803
- - name: nlockmgr-udp
- containerPort: 32803
- protocol: UDP
- - name: mountd
- containerPort: 20048
- - name: mountd-udp
- containerPort: 20048
- protocol: UDP
- - name: rquotad
- containerPort: 875
- - name: rquotad-udp
- containerPort: 875
- protocol: UDP
- - name: rpcbind
- containerPort: 111
- - name: rpcbind-udp
- containerPort: 111
- protocol: UDP
- - name: statd
- containerPort: 662
- - name: statd-udp
- containerPort: 662
- protocol: UDP
- securityContext:
- capabilities:
- add:
- - DAC_READ_SEARCH
- - SYS_RESOURCE
- args:
- - "-provisioner=reslinger.net/nfs"
- env:
- - name: POD_IP
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: SERVICE_NAME
- value: nfs-provisioner
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- imagePullPolicy: "IfNotPresent"
- volumeMounts:
- - name: export-volume
- mountPath: /export
- volumes:
- - name: export-volume
- hostPath:
- path: /srv
diff --git a/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml b/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
deleted file mode 100644
index 03fd080..0000000
--- a/files/nfs/nfs-provisioner-PodSecurityPolicy.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: nfs-provisioner
-spec:
- fsGroup:
- rule: RunAsAny
- allowedCapabilities:
- - DAC_READ_SEARCH
- - SYS_RESOURCE
- runAsUser:
- rule: RunAsAny
- seLinux:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- volumes:
- - configMap
- - downwardAPI
- - emptyDir
- - persistentVolumeClaim
- - secret
- - hostPath
diff --git a/files/nfs/nfs-provisioner-Service.yaml b/files/nfs/nfs-provisioner-Service.yaml
deleted file mode 100644
index cc12c38..0000000
--- a/files/nfs/nfs-provisioner-Service.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
- name: nfs-provisioner
- labels:
- app: nfs-provisioner
-spec:
- ports:
- - name: nfs
- port: 2049
- - name: nfs-udp
- port: 2049
- protocol: UDP
- - name: nlockmgr
- port: 32803
- - name: nlockmgr-udp
- port: 32803
- protocol: UDP
- - name: mountd
- port: 20048
- - name: mountd-udp
- port: 20048
- protocol: UDP
- - name: rquotad
- port: 875
- - name: rquotad-udp
- port: 875
- protocol: UDP
- - name: rpcbind
- port: 111
- - name: rpcbind-udp
- port: 111
- protocol: UDP
- - name: statd
- port: 662
- - name: statd-udp
- port: 662
- protocol: UDP
- selector:
- app: nfs-provisioner
diff --git a/files/nfs/nfs-provisioner-ServiceAccount.yaml b/files/nfs/nfs-provisioner-ServiceAccount.yaml
deleted file mode 100644
index d76b2c7..0000000
--- a/files/nfs/nfs-provisioner-ServiceAccount.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nfs-provisioner
diff --git a/files/nfs/nfs-provisioner-runner-ClusterRole.yaml b/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
deleted file mode 100644
index edebf4e..0000000
--- a/files/nfs/nfs-provisioner-runner-ClusterRole.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-provisioner-runner
-rules:
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "update", "patch"]
- - apiGroups: [""]
- resources: ["services", "endpoints"]
- verbs: ["get"]
- - apiGroups: ["extensions"]
- resources: ["podsecuritypolicies"]
- resourceNames: ["nfs-provisioner"]
- verbs: ["use"]
diff --git a/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml b/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
deleted file mode 100644
index 847b86e..0000000
--- a/files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: run-nfs-provisioner
-subjects:
- - kind: ServiceAccount
- name: nfs-provisioner
- # replace with namespace where provisioner is deployed
- namespace: nfs-provisioner
-roleRef:
- kind: ClusterRole
- name: nfs-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
diff --git a/tasks/nfs.yml b/tasks/nfs.yml
index 3b45651..3f08a57 100644
--- a/tasks/nfs.yml
+++ b/tasks/nfs.yml
@@ -2,26 +2,42 @@ # https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md # Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage # ou alors tourner le container en privileged - - name: Include file list - include_vars: "nfs.yaml" - - name: Defined nfs-provisioner state to present + check_mode: false set_fact: storage_nfs_state: present when: - storage_nfs|bool - name: find state of nfs-provisioner + check_mode: false set_fact: storage_nfs_state: absent when: - not storage_nfs|bool - - name: nfs-provisioner need to be {{ storage_nfs_state }} - k8s: - state: "{{ storage_nfs_state }}" +# https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md + - name: Defined NFS Provisioner repository + community.kubernetes.helm_repository: + name: nfs-subdir-external-provisioner + repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner" + + - name: Deploy latest version of NFS Provisioner + community.kubernetes.helm: context: "{{ my_context }}" - merge_type: merge - resource_definition: "{{ lookup('file', 'nfs/' + item) | from_yaml }}" - with_items: - - "{{ store_nfs_files }}" + state: "{{ storage_nfs_state }}" + name: nfs-subdir-external-provisioner + chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner + create_namespace: yes + release_namespace: "{{ storage_nfs_namespace }}" + values: + nfs: + server: x.x.x.x + path: /exported/path + podSecurityPolicy: + enabled: true +# storageClass: +# name: nfs-client +# defaultClass: false +# provisionerName: "" +# accessModes: ReadWriteOnce diff --git a/vars/nfs.yaml b/vars/nfs.yaml deleted file mode 100644 index de8e5f3..0000000 --- a/vars/nfs.yaml +++ /dev/null 
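Review bot: The `community.kubernetes.helm` task sets no `chart_version`, and is named "Deploy latest version", so a later run of the play can pick up whatever chart release the remote repository serves at that moment without anyone having reviewed it. Pinning it, for example `chart_version: "{{ storage_nfs_chart_version }}"` (the variable name is a placeholder), keeps upgrades of this storage component deliberate and reproducible. In the same task `server: x.x.x.x` and `path: /exported/path` are literal placeholders rather than variables, so the release as written does not point at a real export. `storage_nfs_namespace` is not defined anywhere in this patch and presumably has to come from defaults or inventory, and `create_namespace: yes` would be safer written as `true`.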
@@ -1,11 +0,0 @@
----
-store_nfs_files:
- - "nfs-provisioner-PodSecurityPolicy.yaml"
- - "nfs-provisioner-runner-ClusterRole.yaml"
- - "run-nfs-provisioner-ClusterRoleBinding.yaml"
- - "leader-locking-nfs-provisioner-Role.yaml"
- - "leader-locking-nfs-provisioner-RoleBinding.yaml"
- - "nfs-provisioner-ServiceAccount.yaml"
- - "nfs-provisioner-Service.yaml"
- - "nfs-provisioner-Deployment.yaml"
- - "StorageClass.yaml"
diff --git a/vars/nfs.yml b/vars/nfs.yml
deleted file mode 100644
index de8e5f3..0000000
--- a/vars/nfs.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-store_nfs_files:
- - "nfs-provisioner-PodSecurityPolicy.yaml"
- - "nfs-provisioner-runner-ClusterRole.yaml"
- - "run-nfs-provisioner-ClusterRoleBinding.yaml"
- - "leader-locking-nfs-provisioner-Role.yaml"
- - "leader-locking-nfs-provisioner-RoleBinding.yaml"
- - "nfs-provisioner-ServiceAccount.yaml"
- - "nfs-provisioner-Service.yaml"
- - "nfs-provisioner-Deployment.yaml"
- - "StorageClass.yaml"