Deploy NFS provisioner with helm

Adrien Reslinger 2021-02-21 16:48:14 +01:00
parent f2ec497c75
commit f0baecfec6
Signed by: adrien
GPG key ID: DA7B27055C66D6DE
12 changed files with 26 additions and 241 deletions


@ -1,7 +0,0 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: nfs
provisioner: reslinger.net/nfs
mountOptions:
- vers=4.1


@ -1,8 +0,0 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: leader-locking-nfs-provisioner
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "watch", "create", "update", "patch"]


@ -1,13 +0,0 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: leader-locking-nfs-provisioner
subjects:
- kind: ServiceAccount
name: nfs-provisioner
# replace with namespace where provisioner is deployed
namespace: nfs-provisioner
roleRef:
kind: Role
name: leader-locking-nfs-provisioner
apiGroup: rbac.authorization.k8s.io


@ -1,77 +0,0 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: nfs-provisioner
spec:
selector:
matchLabels:
app: nfs-provisioner
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app: nfs-provisioner
spec:
serviceAccount: nfs-provisioner
containers:
- name: nfs-provisioner
image: quay.io/kubernetes_incubator/nfs-provisioner:latest
ports:
- name: nfs
containerPort: 2049
- name: nfs-udp
containerPort: 2049
protocol: UDP
- name: nlockmgr
containerPort: 32803
- name: nlockmgr-udp
containerPort: 32803
protocol: UDP
- name: mountd
containerPort: 20048
- name: mountd-udp
containerPort: 20048
protocol: UDP
- name: rquotad
containerPort: 875
- name: rquotad-udp
containerPort: 875
protocol: UDP
- name: rpcbind
containerPort: 111
- name: rpcbind-udp
containerPort: 111
protocol: UDP
- name: statd
containerPort: 662
- name: statd-udp
containerPort: 662
protocol: UDP
securityContext:
capabilities:
add:
- DAC_READ_SEARCH
- SYS_RESOURCE
args:
- "-provisioner=reslinger.net/nfs"
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: SERVICE_NAME
value: nfs-provisioner
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: export-volume
mountPath: /export
volumes:
- name: export-volume
hostPath:
path: /srv


@ -1,23 +0,0 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: nfs-provisioner
spec:
fsGroup:
rule: RunAsAny
allowedCapabilities:
- DAC_READ_SEARCH
- SYS_RESOURCE
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- hostPath


@ -1,40 +0,0 @@
kind: Service
apiVersion: v1
metadata:
name: nfs-provisioner
labels:
app: nfs-provisioner
spec:
ports:
- name: nfs
port: 2049
- name: nfs-udp
port: 2049
protocol: UDP
- name: nlockmgr
port: 32803
- name: nlockmgr-udp
port: 32803
protocol: UDP
- name: mountd
port: 20048
- name: mountd-udp
port: 20048
protocol: UDP
- name: rquotad
port: 875
- name: rquotad-udp
port: 875
protocol: UDP
- name: rpcbind
port: 111
- name: rpcbind-udp
port: 111
protocol: UDP
- name: statd
port: 662
- name: statd-udp
port: 662
protocol: UDP
selector:
app: nfs-provisioner


@ -1,4 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: nfs-provisioner


@ -1,24 +0,0 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nfs-provisioner-runner
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "update", "patch"]
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get"]
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
resourceNames: ["nfs-provisioner"]
verbs: ["use"]


@ -1,13 +0,0 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: run-nfs-provisioner
subjects:
- kind: ServiceAccount
name: nfs-provisioner
# replace with namespace where provisioner is deployed
namespace: nfs-provisioner
roleRef:
kind: ClusterRole
name: nfs-provisioner-runner
apiGroup: rbac.authorization.k8s.io


@ -2,26 +2,42 @@
# https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md # https://github.com/kubernetes-incubator/external-storage/blob/master/nfs/docs/deployment.md
# Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage # Ne pas oublier de "sudo chcon -Rt svirt_sandbox_file_t /srv" pour le stockage
# ou alors tourner le container en privileged # ou alors tourner le container en privileged
- name: Include file list
include_vars: "nfs.yaml"
- name: Defined nfs-provisioner state to present - name: Defined nfs-provisioner state to present
check_mode: false
set_fact: set_fact:
storage_nfs_state: present storage_nfs_state: present
when: when:
- storage_nfs|bool - storage_nfs|bool
- name: find state of nfs-provisioner - name: find state of nfs-provisioner
check_mode: false
set_fact: set_fact:
storage_nfs_state: absent storage_nfs_state: absent
when: when:
- not storage_nfs|bool - not storage_nfs|bool
- name: nfs-provisioner need to be {{ storage_nfs_state }} # https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/blob/master/charts/nfs-subdir-external-provisioner/README.md
k8s: - name: Defined NFS Provisioner repository
state: "{{ storage_nfs_state }}" community.kubernetes.helm_repository:
name: nfs-subdir-external-provisioner
repo_url: "https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner"
- name: Deploy latest version of NFS Provisioner
community.kubernetes.helm:
context: "{{ my_context }}" context: "{{ my_context }}"
merge_type: merge state: "{{ storage_nfs_state }}"
resource_definition: "{{ lookup('file', 'nfs/' + item) | from_yaml }}" name: nfs-subdir-external-provisioner
with_items: chart_ref: nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
- "{{ store_nfs_files }}" create_namespace: yes
release_namespace: "{{ storage_nfs_namespace }}"
values:
nfs:
server: x.x.x.x
path: /exported/path
podSecurityPolicy:
enabled: true
# storageClass:
# name: nfs-client
# defaultClass: false
# provisionerName: ""
# accessModes: ReadWriteOnce
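Review bot: The new `community.kubernetes.helm` task commits the literal placeholders `server: x.x.x.x` and `path: /exported/path` under `values.nfs`, so a run with `storage_nfs_state: present` installs a provisioner pointed at an export that does not exist instead of failing early; the namespace is already a variable, and the server and path should be too, e.g. `server: "{{ storage_nfs_server }}"` and `path: "{{ storage_nfs_path }}"` (variable names constructed here, to be aligned with the role's defaults). The same task gives `chart_ref` without a `chart_version`, so every run pulls whatever the repository currently publishes and a chart upgrade can never be a reviewed change; pin `chart_version` to keep the deployment reproducible. `create_namespace: yes` should be written `create_namespace: true` to match the `true`/`false` boolean convention. The first line of the task file, and anything before these tasks, is outside the hunk.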


@ -1,11 +0,0 @@
---
store_nfs_files:
- "nfs-provisioner-PodSecurityPolicy.yaml"
- "nfs-provisioner-runner-ClusterRole.yaml"
- "run-nfs-provisioner-ClusterRoleBinding.yaml"
- "leader-locking-nfs-provisioner-Role.yaml"
- "leader-locking-nfs-provisioner-RoleBinding.yaml"
- "nfs-provisioner-ServiceAccount.yaml"
- "nfs-provisioner-Service.yaml"
- "nfs-provisioner-Deployment.yaml"
- "StorageClass.yaml"


@ -1,11 +0,0 @@
---
store_nfs_files:
- "nfs-provisioner-PodSecurityPolicy.yaml"
- "nfs-provisioner-runner-ClusterRole.yaml"
- "run-nfs-provisioner-ClusterRoleBinding.yaml"
- "leader-locking-nfs-provisioner-Role.yaml"
- "leader-locking-nfs-provisioner-RoleBinding.yaml"
- "nfs-provisioner-ServiceAccount.yaml"
- "nfs-provisioner-Service.yaml"
- "nfs-provisioner-Deployment.yaml"
- "StorageClass.yaml"