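# Helm template for the s3-csi-controller Deployment. The pod runs three
# containers:
#   - s3-csi-controller: CSI controller service; serves /csi/csi.sock and is
#     the only container that receives the S3 credentials
#   - s3-pod-reconciler: reconciler for MountpointS3PodAttachment CRDs
#   - csi-provisioner:   sidecar that connects to /csi/csi.sock
# Templated scalars are quoted so that a numeric or boolean-looking value
# (an all-digit namespace, a key named "on") is still rendered as a string.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: s3-csi-controller
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "scality-mountpoint-s3-csi-driver.labels" . | nindent 4 }}
spec:
  # Single replica. NOTE(review): no leader-election flag is passed to
  # csi-provisioner below; confirm before raising this value.
  replicas: 1
  selector:
    matchLabels:
      app: s3-csi-controller
      {{- include "scality-mountpoint-s3-csi-driver.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        app: s3-csi-controller
        {{- include "scality-mountpoint-s3-csi-driver.labels" . | nindent 8 }}
    spec:
      # The linux selector is always present; chart values can only add to it.
      nodeSelector:
        kubernetes.io/os: linux
        {{- with .Values.controller.nodeSelector }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      serviceAccountName: {{ .Values.controller.serviceAccount.name | quote }}
      priorityClassName: system-cluster-critical
      {{- with .Values.controller.affinity }}
      affinity: {{- toYaml . | nindent 8 }}
      {{- end }}
      # TODO: Should we add some default tolerations for controller?
      # The key is emitted only when tolerations are configured, so the
      # manifest never carries a bare "tolerations:" (null) entry.
      {{- with .Values.controller.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- range .Values.imagePullSecrets }}
        - name: {{ . | quote }}
        {{- end }}
      {{- end }}
      # NOTE(review): no container in this template sets runAsNonRoot,
      # capabilities.drop or seccompProfile, and images are referenced by tag
      # rather than digest. Confirm these are enforced elsewhere (image USER,
      # Pod Security admission, registry policy) or add them after testing.
      containers:
        # CSI Controller Service for dynamic provisioning
        - name: s3-csi-controller
          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) | quote }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          args:
            - "--endpoint=unix:///csi/csi.sock"
            - "--node-id=controller"
          command:
            - "/bin/scality-s3-csi-driver"
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            {{- with .Values.controller.seLinuxOptions }}
            seLinuxOptions:
              user: {{ .user | quote }}
              type: {{ .type | quote }}
              role: {{ .role | quote }}
              level: {{ .level | quote }}
            {{- end }}
          volumeMounts:
            # emptyDir holding the CSI socket, also mounted by csi-provisioner
            - name: socket-dir
              mountPath: /csi
            {{- if .Values.tls.caCertConfigMap }}
            - name: custom-ca-cert
              mountPath: /etc/ssl/custom-ca
              readOnly: true
            {{- end }}
          {{- with .Values.controller.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
            # The node-level setting wins; the chart-wide s3 value is the
            # fallback. NOTE(review): nothing here requires an https endpoint;
            # the custom CA bundle below only matters for TLS endpoints.
            - name: AWS_ENDPOINT_URL
              value: {{ coalesce .Values.node.s3EndpointUrl .Values.s3.endpointUrl | quote }}
            - name: AWS_REGION
              value: {{ coalesce .Values.node.s3Region .Values.s3.region | quote }}
            - name: CSI_NODE_NAME
              value: "controller"
            - name: CSI_CONTROLLER_ONLY
              value: "true"
            # Static S3 credentials are read from the referenced Secret and
            # exposed as environment variables in this container only. The
            # references are not marked optional, so a missing Secret or key
            # keeps the container from starting.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.s3CredentialSecret.name | quote }}
                  key: {{ .Values.s3CredentialSecret.accessKeyId | quote }}
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.s3CredentialSecret.name | quote }}
                  key: {{ .Values.s3CredentialSecret.secretAccessKey | quote }}
            {{- if .Values.tls.caCertConfigMap }}
            # Path of the bundle projected by the custom-ca-cert volume
            - name: AWS_CA_BUNDLE
              value: "/etc/ssl/custom-ca/ca-bundle.crt"
            {{- end }}
        # Reconciler for MountpointS3PodAttachment CRDs
        - name: s3-pod-reconciler
          image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) | quote }}
          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
          command:
            - "/bin/scality-csi-controller"
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          {{- with .Values.controller.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          env:
            # Environment variables for Mountpoint Pod configuration
            - name: MOUNTPOINT_NAMESPACE
              value: {{ .Values.mountpointPod.namespace | quote }}
            - name: MOUNTPOINT_VERSION
              value: {{ .Values.node.mountpointVersion | quote }}
            - name: MOUNTPOINT_PRIORITY_CLASS_NAME
              value: {{ .Values.mountpointPod.priorityClassName | quote }}
            - name: MOUNTPOINT_PREEMPTING_PRIORITY_CLASS_NAME
              value: {{ .Values.mountpointPod.preemptingPriorityClassName | quote }}
            - name: MOUNTPOINT_HEADROOM_PRIORITY_CLASS_NAME
              value: {{ .Values.mountpointPod.headroomPriorityClassName | quote }}
            # Same image reference as this container's own image
            - name: MOUNTPOINT_IMAGE
              value: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) | quote }}
            - name: MOUNTPOINT_HEADROOM_IMAGE
              value: {{ printf "%s:%s" .Values.mountpointPod.headroomImage.repository .Values.mountpointPod.headroomImage.tag | quote }}
            - name: MOUNTPOINT_IMAGE_PULL_POLICY
              value: {{ .Values.image.pullPolicy | quote }}
            {{- if .Values.tls.caCertConfigMap }}
            # TLS settings are passed on only when a CA ConfigMap is configured
            - name: TLS_CA_CERT_CONFIGMAP
              value: {{ .Values.tls.caCertConfigMap | quote }}
            - name: TLS_INIT_IMAGE
              value: {{ printf "%s:%s" .Values.tls.initImage.repository .Values.tls.initImage.tag | quote }}
            - name: TLS_INIT_IMAGE_PULL_POLICY
              value: {{ .Values.tls.initImage.pullPolicy | quote }}
            - name: TLS_INIT_RESOURCES_REQUESTS_CPU
              value: {{ .Values.tls.initResources.requests.cpu | quote }}
            - name: TLS_INIT_RESOURCES_REQUESTS_MEMORY
              value: {{ .Values.tls.initResources.requests.memory | quote }}
            - name: TLS_INIT_RESOURCES_LIMITS_MEMORY
              value: {{ .Values.tls.initResources.limits.memory | quote }}
            {{- end }}
        - name: csi-provisioner
          image: "{{ .Values.sidecars.csiProvisioner.image.repository }}:{{ .Values.sidecars.csiProvisioner.image.tag }}"
          imagePullPolicy: {{ .Values.sidecars.csiProvisioner.image.pullPolicy | quote }}
          args:
            - "--csi-address=/csi/csi.sock"
            - "--v=2"
          # Same baseline as the two containers above, so the sidecar is not
          # the one container left with a writable root filesystem and
          # privilege escalation allowed.
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
      volumes:
        - name: socket-dir
          emptyDir: {}
        {{- if .Values.tls.caCertConfigMap }}
        # ConfigMap volume is NOT optional — if the ConfigMap doesn't exist, the pod stays in
        # ContainerCreating with a clear event, matching the behavior of the credentials Secret above.
        - name: custom-ca-cert
          configMap:
            name: {{ .Values.tls.caCertConfigMap | quote }}
            items:
              - key: ca-bundle.crt
                path: ca-bundle.crt
        {{- end }}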