├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── ask-a-question.md │ ├── bug_report.md │ ├── config.yml │ └── feature_request.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── charts-release-action.yml │ ├── helm-validations.yml │ ├── kubelinter.yaml │ ├── wizard-release-action.yml │ └── yamllinter.yaml ├── .yamllint ├── LICENSE ├── README.md ├── charts ├── cosi │ ├── Chart.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── deployment.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ ├── secret.yaml │ │ └── serviceaccount.yaml │ └── values.yaml ├── csi-isilon │ ├── Chart.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── controller.yaml │ │ ├── csidriver.yaml │ │ ├── driver-config-params.yaml │ │ └── node.yaml │ └── values.yaml ├── csi-powermax │ ├── Chart.yaml │ ├── charts │ │ └── csireverseproxy │ │ │ ├── Chart.yaml │ │ │ ├── conf │ │ │ └── config.yaml │ │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── certificate.yaml │ │ │ ├── configmap.yaml │ │ │ ├── reverseproxy-rbac.yaml │ │ │ ├── reverseproxy.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ │ └── values.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── controller.yaml │ │ ├── csidriver.yaml │ │ ├── driver-config-params.yaml │ │ ├── node.yaml │ │ └── powermax-array-config.yaml │ └── values.yaml ├── csi-powerstore │ ├── Chart.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── controller.yaml │ │ ├── csidriver.yaml │ │ ├── driver-config-params.yaml │ │ └── node.yaml │ └── values.yaml ├── csi-unity │ ├── Chart.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── controller.yaml │ │ ├── csidriver.yaml │ │ ├── driver-config-params.yaml │ │ └── node.yaml │ └── values.yaml ├── csi-vxflexos │ ├── Chart.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ ├── controller.yaml │ │ ├── csidriver.yaml │ │ ├── driver-config-params.yaml │ │ └── node.yaml │ └── values.yaml ├── csm-authorization-v2.0 │ ├── .gitignore │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── charts 
│ │ └── redis-csm │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ ├── _helpers.tpl │ │ │ ├── redis-cm.yaml │ │ │ ├── redis-secret.yaml │ │ │ ├── redis.yaml │ │ │ └── sentinel.yaml │ │ │ └── values.yaml │ ├── crds │ │ ├── csm-authorization.storage.dell.com_csmroles.yaml │ │ ├── csm-authorization.storage.dell.com_csmtenants.yaml │ │ └── csm-authorization.storage.dell.com_storages.yaml │ ├── policies │ │ ├── common.rego │ │ ├── sdc-approve.rego │ │ ├── snapshot-create-test.rego │ │ ├── snapshot-create.rego │ │ ├── volumes-create-test.rego │ │ ├── volumes-create.rego │ │ ├── volumes-delete.rego │ │ ├── volumes-map.rego │ │ ├── volumes-powermax-create.rego │ │ └── volumes-unmap.rego │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── authorization-controller.yaml │ │ ├── certificate.yaml │ │ ├── csm-config-params.yaml │ │ ├── ingress.yaml │ │ ├── policies.yaml │ │ ├── proxy-server.yaml │ │ ├── role-service.yaml │ │ ├── storage-service.yaml │ │ └── tenant-service.yaml │ └── values.yaml ├── csm-authorization │ ├── .gitignore │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── charts │ │ └── redis │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── templates │ │ │ └── redis.yaml │ │ │ └── values.yaml │ ├── policies │ │ ├── common.rego │ │ ├── sdc-approve.rego │ │ ├── volumes-create-test.rego │ │ ├── volumes-create.rego │ │ ├── volumes-delete.rego │ │ ├── volumes-map.rego │ │ ├── volumes-powermax-create.rego │ │ └── volumes-unmap.rego │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── certificate.yaml │ │ ├── csm-config-params.yaml │ │ ├── ingress.yaml │ │ ├── karavi-storage-secret.yaml │ │ ├── policies.yaml │ │ ├── proxy-server.yaml │ │ ├── role-service.yaml │ │ ├── storage-service.yaml │ │ └── tenant-service.yaml │ └── values.yaml ├── csm-replication │ ├── .helmignore │ ├── Chart.yaml │ ├── crds │ │ └── replicationcrds.all.yaml │ ├── templates │ │ ├── _helpers.tpl │ │ └── controller.yaml │ └── values.yaml └── 
karavi-observability │ ├── .gitignore │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── crds │ └── cert-manager.crds.yaml │ ├── otel-collector-config.yaml │ ├── otel-collector-nginx.conf │ ├── templates │ ├── NOTES.txt │ ├── _helpers.tpl │ ├── cert-manager.yaml │ ├── karavi-metrics-powerflex-service-account.yaml │ ├── karavi-metrics-powerflex.yaml │ ├── karavi-metrics-powermax-service-account.yaml │ ├── karavi-metrics-powermax.yaml │ ├── karavi-metrics-powerscale-service-account.yaml │ ├── karavi-metrics-powerscale.yaml │ ├── karavi-metrics-powerstore-service-account.yaml │ ├── karavi-metrics-powerstore.yaml │ ├── karavi-observability-configmap.yaml │ ├── karavi-topology-service-account.yaml │ ├── karavi-topology.yaml │ └── otel-collector.yaml │ └── values.yaml ├── ct.yaml ├── docs ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── ISSUE_TRIAGE.md ├── MAINTAINERS.md └── MAINTAINER_GUIDE.md ├── installation-wizard └── container-storage-modules │ ├── Chart.yaml │ └── values.yaml ├── kubelinter-config.yaml └── samples └── csm-authorization └── config.yaml /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # CODEOWNERS 2 | # 3 | # documentation for this file can be found at: 4 | # https://help.github.com/en/articles/about-code-owners 5 | 6 | # These are the default owners for the code and will 7 | # be requested for review when someone opens a pull request. 8 | # Order is alphabetical for easier maintenance. 
9 | # 10 | # Aaron Tye (atye) 11 | # Alik Saring (alikdell) 12 | # Chaganti Rajitha (chaganti-rajitha) 13 | # Chiman Jain (chimanjain) 14 | # Harish H (HarishH-DELL) 15 | # Meghana G M (meggm) 16 | # Niranjan N (niranjan-n1) 17 | # Nitesh Rewatkar (nitesh3108) 18 | # Rajendra Indukuri (rajendraindukuri) 19 | # Sharmila Ramamoorthy (sharmilarama) 20 | # Shayna Finocchiaro (shaynafinocchiaro) 21 | # Shefali Malhotra (shefali-malhotra) 22 | # Spandita Panigrahi (panigs7) 23 | # Sushma T S (tssushma) 24 | # Trevor Dawe (tdawe) 25 | # Yamunadevi Shanmugam (shanmydell) 26 | 27 | # for all files: 28 | * @atye @alikdell @chaganti-rajitha @chimanjain @HarishH-DELL @meggm @niranjan-n1 @nitesh3108 @rajendraindukuri @sharmilarama @shaynafinocchiaro @shefali-malhotra @panigs7 @tssushma @tdawe @shanmydell 29 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/ask-a-question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Ask a question 3 | about: Ask a question. 4 | title: "[QUESTION]: [chart name (if applicable)]: question title" 5 | labels: type/question 6 | assignees: '' 7 | --- 8 | 9 | ### How can the Team help you today? 10 | 11 | **Details: ?** 12 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '[BUG]: [chart name (if applicable)]: bug title' 5 | labels: type/bug, needs-triage 6 | assignees: '' 7 | --- 8 | 14 | 15 | **Describe the bug** 16 | A clear and concise description of what the bug is. 
17 | 18 | **Version of Helm and Kubernetes**: 19 | 20 | 21 | **Which chart**: 22 | 23 | 24 | **What happened**: 25 | 26 | 27 | **What you expected to happen**: 28 | 29 | 30 | **How to reproduce it** (as minimally and precisely as possible): 31 | 32 | **Provide logs, errors/output** 33 | 34 | **Anything else we need to know**: 35 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | contact_links: 3 | - name: CSM mailing list 4 | alias: container.storage.modules@dell.com 5 | about: Please ask and answer usage questions and report security issues here. 6 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '[FEATURE]: [chart name (if applicable)]: feature title' 5 | labels: type/feature-request, needs-triage 6 | assignees: '' 7 | 8 | --- 9 | 15 | 16 | **Is your feature request related to a problem? Please describe.** 17 | A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] 18 | 19 | **Describe the solution you'd like** 20 | A clear and concise description of what you want to happen. 21 | 22 | **Describe alternatives you've considered** 23 | A clear and concise description of any alternative solutions or features you've considered. 24 | 25 | **Additional context** 26 | Add any other context or screenshots about the feature request here. 27 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 22 | 23 | #### Is this a new chart? 
24 | 25 | Yes/No 26 | 27 | #### What this PR does / why we need it: 28 | 29 | #### Which issue(s) is this PR associated with: 30 | 31 | - #Issue_Number 32 | 33 | #### Special notes for your reviewer: 34 | 35 | #### Checklist: 36 | 37 | [Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.] 38 | 39 | - [ ] Chart Version bumped 40 | - [ ] Variables are documented in the chart README.md 41 | - [ ] Title of the PR starts with the chart name (e.g. `[charts_dir/mychartname]`) if applicable 42 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 5 | 6 | version: 2 7 | updates: 8 | # github actions 9 | - package-ecosystem: "github-actions" 10 | target-branch: "main" 11 | directory: "/" 12 | schedule: 13 | # Check for updates to GitHub Actions every week 14 | interval: "weekly" 15 | day: "saturday" 16 | groups: 17 | github-actions: 18 | patterns: 19 | - "*" 20 | 21 | # csi-powerstore packages 22 | - package-ecosystem: docker 23 | target-branch: "main" 24 | directories: 25 | - /charts/csi-powerstore 26 | labels: 27 | - dependencies 28 | schedule: 29 | # check daily 30 | interval: daily 31 | # at 6pm UTC 32 | time: "18:00" 33 | groups: 34 | csi-powerstore: 35 | patterns: 36 | - "*" 37 | 38 | # csi-isilon packages 39 | - package-ecosystem: docker 40 | target-branch: "main" 41 | directories: 42 | - /charts/csi-isilon 43 | labels: 44 | - dependencies 45 | schedule: 46 | # check daily 47 | interval: daily 48 | # at 6pm UTC 49 | time: "18:00" 50 | groups: 51 | 
csi-isilon: 52 | patterns: 53 | - "*" 54 | 55 | # csi-vxflexos packages 56 | - package-ecosystem: docker 57 | target-branch: "main" 58 | directories: 59 | - /charts/csi-vxflexos 60 | labels: 61 | - dependencies 62 | schedule: 63 | # check daily 64 | interval: daily 65 | # at 6pm UTC 66 | time: "18:00" 67 | groups: 68 | csi-vxflexos: 69 | patterns: 70 | - "*" 71 | 72 | # csi-unity packages 73 | - package-ecosystem: docker 74 | target-branch: "main" 75 | directories: 76 | - /charts/csi-unity 77 | labels: 78 | - dependencies 79 | schedule: 80 | # check daily 81 | interval: daily 82 | # at 6pm UTC 83 | time: "18:00" 84 | groups: 85 | csi-unity: 86 | patterns: 87 | - "*" 88 | 89 | # csi-powermax packages 90 | - package-ecosystem: docker 91 | target-branch: "main" 92 | directories: 93 | - /charts/csi-powermax 94 | labels: 95 | - dependencies 96 | schedule: 97 | # check daily 98 | interval: daily 99 | # at 6pm UTC 100 | time: "18:00" 101 | groups: 102 | csi-powermax: 103 | patterns: 104 | - "*" 105 | 106 | # csm-authorization v2 packages 107 | - package-ecosystem: docker 108 | target-branch: "main" 109 | directories: 110 | - /charts/csm-authorization-v2.0 111 | labels: 112 | - dependencies 113 | schedule: 114 | # check daily 115 | interval: daily 116 | # at 6pm UTC 117 | time: "18:00" 118 | groups: 119 | csm-authorization: 120 | patterns: 121 | - "*" 122 | 123 | # csm-authorization v1 packages 124 | - package-ecosystem: docker 125 | target-branch: "main" 126 | directories: 127 | - /charts/csm-authorization 128 | labels: 129 | - dependencies 130 | schedule: 131 | # check daily 132 | interval: daily 133 | # at 6pm UTC 134 | time: "18:00" 135 | groups: 136 | csm-authorization: 137 | patterns: 138 | - "*" 139 | ignore: 140 | # Ignore versions of authorization images that are equal to or greater than 2.0.0 141 | - dependency-name: "*/csm-authorization-proxy*" 142 | versions: [ ">=2.0.0" ] 143 | - dependency-name: "*/csm-authorization-tenant*" 144 | versions: [ ">=2.0.0" ] 145 
| - dependency-name: "*/csm-authorization-role*" 146 | versions: [ ">=2.0.0" ] 147 | - dependency-name: "*/csm-authorization-storage*" 148 | versions: [ ">=2.0.0" ] 149 | 150 | # karavi-observability packages 151 | - package-ecosystem: docker 152 | target-branch: "main" 153 | directories: 154 | - /charts/karavi-observability 155 | labels: 156 | - dependencies 157 | schedule: 158 | # check daily 159 | interval: daily 160 | # at 6pm UTC 161 | time: "18:00" 162 | ignore: 163 | # ignore all updates to otel/opentelemetry-collector 164 | - dependency-name: "otel/opentelemetry-collector" 165 | groups: 166 | karavi-observability: 167 | patterns: 168 | - "*" 169 | 170 | # csm-replication packages 171 | - package-ecosystem: docker 172 | target-branch: "main" 173 | directories: 174 | - /charts/csm-replication 175 | labels: 176 | - dependencies 177 | schedule: 178 | # check daily 179 | interval: daily 180 | # at 6pm UTC 181 | time: "18:00" 182 | groups: 183 | csm-replication: 184 | patterns: 185 | - "*" 186 | 187 | # csm-installer packages 188 | - package-ecosystem: docker 189 | target-branch: "main" 190 | directories: 191 | - /charts/csm-installer 192 | labels: 193 | - dependencies 194 | schedule: 195 | # check daily 196 | interval: daily 197 | # at 6pm UTC 198 | time: "18:00" 199 | groups: 200 | csm-installer: 201 | patterns: 202 | - "*" 203 | 204 | # installation-wizard packages 205 | - package-ecosystem: docker 206 | target-branch: "main" 207 | directories: 208 | - /installation-wizard/container-storage-modules 209 | labels: 210 | - dependencies 211 | schedule: 212 | # check daily 213 | interval: daily 214 | # at 6pm UTC 215 | time: "18:00" 216 | groups: 217 | container-storage-modules: 218 | patterns: 219 | - "*" 220 | -------------------------------------------------------------------------------- /.github/workflows/charts-release-action.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2025 Dell Inc., or its 
subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # This Github action will create a Github release for updated helm-charts 10 | name: Release Helm Charts 11 | 12 | # Invocable as a manual workflow 13 | on: 14 | workflow_dispatch: 15 | inputs: 16 | version: 17 | description: 'Release version. E.g. 1.14.0' 18 | required: true 19 | 20 | jobs: 21 | # This job will perform a helm release of all the csm charts that have been updated 22 | release-csm: 23 | runs-on: ubuntu-latest 24 | steps: 25 | # Check out code 26 | - name: Checkout 27 | uses: actions/checkout@v4 28 | with: 29 | fetch-depth: 0 30 | 31 | - name: Configure Git 32 | run: | 33 | git config user.name "$GITHUB_ACTOR" 34 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 35 | 36 | - name: Set release branch name for install wizard release action 37 | run: | 38 | echo "release-v${{ inputs.version }}" >> branch_name.txt 39 | 40 | - name: Upload release branch name artifact 41 | uses: actions/upload-artifact@v4 42 | with: 43 | name: branch_name 44 | path: branch_name.txt 45 | 46 | - name: Create release branch 47 | # Branch name should already exist for patch releases 48 | run: | 49 | branch_name=release-v${{ inputs.version }} 50 | 51 | git fetch origin 52 | if git ls-remote --heads origin $branch_name | grep $branch_name; then 53 | echo "Branch $branch_name already exists. Skipping creation." 
54 | git checkout $branch_name 55 | else 56 | git checkout -b $branch_name 57 | git push origin $branch_name 58 | fi 59 | 60 | # Run the helm chart release command 61 | - name: Run csm chart-releaser 62 | uses: helm/chart-releaser-action@v1.7.0 63 | env: 64 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 65 | with: 66 | charts_dir: charts 67 | skip_existing: true 68 | -------------------------------------------------------------------------------- /.github/workflows/helm-validations.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2025 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # This action lints the Helm charts changed in a pull request 10 | name: Validate Helm Charts 11 | 12 | # Runs on pull requests; the branch filter below matches any target branch, not only main 13 | on: 14 | pull_request: 15 | branches: ["**"] 16 | 17 | jobs: 18 | # This job runs helm lint on the charts changed relative to the default branch 19 | lint: 20 | name: CSM Chart Linter 21 | runs-on: ubuntu-latest 22 | steps: 23 | # Check out the repo 24 | - name: Checkout 25 | uses: actions/checkout@v4 26 | with: 27 | fetch-depth: "0" 28 | 29 | - name: Set up Helm 30 | uses: azure/setup-helm@v4.3.0 31 | with: 32 | version: latest 33 | 34 | - name: Set up Python 35 | uses: actions/setup-python@v5 36 | with: 37 | python-version: '3.12' 38 | 39 | - name: Install chart-testing-action 40 | uses: helm/chart-testing-action@v2.7.0 41 | 42 | - name: Run chart-testing list-changed 43 | id: modified-charts 44 | run: | 45 | modified=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }}) 46 | if [[ -n "$modified" ]]; then 47 | echo "modified=true" >> "$GITHUB_OUTPUT" 48 | fi 49 | 50 | - name: Run chart-testing linter 51 | if:
steps.modified-charts.outputs.modified == 'true' 52 | run: ct lint --config ct.yaml 53 | -------------------------------------------------------------------------------- /.github/workflows/kubelinter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2025 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | name: Kubelinter for COSI driver 10 | 11 | on: 12 | pull_request: 13 | branches: ["**"] 14 | 15 | env: 16 | GOPRIVATE: github.com/dell/* 17 | TOKEN: ${{ secrets.GH_DELL_ACCESS }} 18 | 19 | jobs: 20 | kube-linter: 21 | name: Kube Linter 22 | runs-on: ubuntu-latest 23 | steps: 24 | - name: Configure git for private modules 25 | run: | 26 | git config --global url."https://csmbot:$TOKEN@github.com".insteadOf "https://github.com" 27 | echo "machine github.com login csmbot password $TOKEN" >> ~/.netrc 28 | - name: Checkout the code 29 | uses: actions/checkout@v4 30 | - name: Scan repo with kube-linter 31 | uses: stackrox/kube-linter-action@v1.0.7 32 | with: 33 | directory: charts/cosi 34 | config: kubelinter-config.yaml 35 | -------------------------------------------------------------------------------- /.github/workflows/wizard-release-action.yml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2025 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # This Github action will create a Github release for the csm installation wizard 10 | name: Release CSM Installation Wizard 11 | 12 | # Triggers when the pages-build-deployment workflow (which publishes the chart release) has completed, whichever conclusion it reached; the job-level `if` below is meant to filter on a successful outcome 13 | on: 14 | workflow_run: 15 | workflows: 16 | - pages-build-deployment 17 | types: 18 | - completed 19 | 20 | permissions: 21 | actions: read 22 | contents: write 23 | 24 | jobs: 25 | # This job will perform a helm release of the installation wizard chart if it has been updated. NOTE(review): the `if` below joins two separate ${{ }} expressions with a literal " && ", which GitHub evaluates as a non-empty string rather than a boolean, and github.event.release is not part of a workflow_run payload; confirm the job really is gated on the workflow_run conclusion (a single expression, `if: ${{ github.event.workflow_run.conclusion == 'success' }}`, would be) 26 | release-installation-wizard: 27 | runs-on: ubuntu-latest 28 | if: ${{ github.event.workflow_run.conclusion == 'success' }} && ${{ github.event.release.action == 'released' }} 29 | steps: 30 | # Check out code 31 | - name: Checkout 32 | uses: actions/checkout@v4 33 | with: 34 | fetch-depth: 0 35 | 36 | - name: Configure Git 37 | run: | 38 | git config user.name "$GITHUB_ACTOR" 39 | git config user.email "$GITHUB_ACTOR@users.noreply.github.com" 40 | 41 | - name: Get id from Release Helm Charts workflow 42 | id: run-id 43 | run: | 44 | latest_run_id=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ 45 | https://api.github.com/repos/${{ github.repository }}/actions/workflows/charts-release-action.yml/runs | jq -r '.workflow_runs[0].id') 46 | echo "run_id=$latest_run_id" >> $GITHUB_OUTPUT 47 | 48 | - name: Download release branch name artifact 49 | uses: actions/download-artifact@v4 50 | with: 51 | name: branch_name 52 | path: .
53 | run-id: ${{ steps.run-id.outputs.run_id }} 54 | github-token: ${{ secrets.GITHUB_TOKEN }} 55 | 56 | - name: Read release branch name 57 | run: | 58 | echo "branch_name=$(cat branch_name.txt)" >> $GITHUB_ENV 59 | 60 | - name: Checkout release branch 61 | run: | 62 | git checkout ${{ env.branch_name }} 63 | 64 | # Run the helm chart release command 65 | - name: Run csm chart-releaser for container-storage-modules 66 | uses: helm/chart-releaser-action@v1.7.0 67 | env: 68 | CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" 69 | with: 70 | charts_dir: installation-wizard 71 | skip_existing: true 72 | -------------------------------------------------------------------------------- /.github/workflows/yamllinter.yaml: -------------------------------------------------------------------------------- 1 | # Copyright (c) 2025 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | # This action checks the linting errors in yaml files 10 | name: YAML Lint 11 | 12 | on: 13 | pull_request: 14 | branches: ["**"] 15 | 16 | jobs: 17 | yaml_lint_scan: 18 | name: Run Yaml Lint 19 | runs-on: ubuntu-latest 20 | steps: 21 | - name: Checkout the code 22 | uses: actions/checkout@v4 23 | - name: setup python 24 | uses: actions/setup-python@v5 25 | with: 26 | python-version: "3.12" 27 | - run: pip install yamllint 28 | - run: yamllint . 
29 | -------------------------------------------------------------------------------- /.yamllint: -------------------------------------------------------------------------------- 1 | --- 2 | yaml-files: 3 | - "*.yaml" 4 | - "*.yml" 5 | - ".yamllint" 6 | 7 | rules: 8 | braces: 9 | level: warning 10 | max-spaces-inside: 1 11 | brackets: 12 | level: warning 13 | max-spaces-inside: 1 14 | colons: enable 15 | commas: enable 16 | comments: 17 | level: warning 18 | comments-indentation: disable 19 | document-end: disable 20 | document-start: disable 21 | empty-lines: enable 22 | empty-values: disable 23 | hyphens: enable 24 | indentation: enable 25 | key-duplicates: enable 26 | key-ordering: disable 27 | line-length: disable 28 | new-line-at-end-of-file: enable 29 | new-lines: enable 30 | octal-values: disable 31 | quoted-strings: disable 32 | trailing-spaces: enable 33 | truthy: 34 | level: warning 35 | 36 | ignore: | 37 | .github/workflows/ 38 | charts/*/templates/ 39 | charts/*/*/*/templates/ 40 | charts/csi-powermax/charts/csireverseproxy/conf/config.yaml 41 | charts/csm-replication/crds/replicationcrds.all.yaml 42 | charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmroles.yaml 43 | charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_csmtenants.yaml 44 | charts/csm-authorization-v2.0/crds/csm-authorization.storage.dell.com_storages.yaml 45 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Dell Community Kubernetes Helm Charts 12 | 13 | [![Contributor Covenant](https://img.shields.io/badge/Contributor%20Covenant-v2.0%20adopted-ff69b4.svg)](docs/CODE_OF_CONDUCT.md) 14 | [![License](https://img.shields.io/github/license/dell/helm-charts)](LICENSE) 15 | 16 | The source for Dell Helm charts [Dell Helm Hub](https://github.com/dell/helm-charts). 
17 | 18 | For more information about installing and using Helm, see the 19 | [Helm Docs](https://helm.sh/docs/). For a quick introduction to Charts, see the [Chart Guide](https://helm.sh/docs/topics/charts/). 20 | 21 | ## Support 22 | For any issues, questions or feedback, please contact [Dell support](https://www.dell.com/support/incidents-online/en-us/contactus/product/container-storage-modules). 23 | 24 | ## How to Install 25 | 26 | ```console 27 | $ helm repo add dell https://dell.github.io/helm-charts 28 | ``` 29 | 30 | For documentation, please visit the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/deployment/helm). 31 | 32 | ## Contributing to an Existing Chart 33 | 34 | We'd love for you to contribute to an existing Chart that you find provides a useful application or service for Kubernetes. Please read our [Contribution Guide](docs/CONTRIBUTING.md) for more information on how you can contribute Charts. 35 | 36 | ## Owning and Maintaining A Chart 37 | 38 | Individual charts can be maintained by one or more of the users listed in [MAINTAINERS](docs/MAINTAINERS.md). When someone maintains a chart, they have access to merge changes to that chart. To have merge access to a chart, someone needs to: 39 | 40 | 1. Be listed as a maintainer of the chart in the [MAINTAINERS](docs/MAINTAINERS.md) file. If you need sponsors and have contributed to the chart, please reach out to the existing maintainers; if you are having trouble connecting with them, please reach out to one of the [MAINTAINERS](docs/MAINTAINERS.md) of the charts repository. 41 | 42 | ## Review Process 43 | 44 | For information related to the review procedure used by the Chart repository maintainers, see [Merge approval and release process](docs/CONTRIBUTING.md). 45 | 46 | ## Versioning Strategy 47 | 48 | Dell Helm Charts follow Semantic Versioning as defined on [http://semver.org/](http://semver.org).
49 | -------------------------------------------------------------------------------- /charts/cosi/Chart.yaml: -------------------------------------------------------------------------------- 1 | # Copyright © 2024 Dell Inc. or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # http://www.apache.org/licenses/LICENSE-2.0 7 | # Unless required by applicable law or agreed to in writing, software 8 | # distributed under the License is distributed on an "AS IS" BASIS, 9 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 10 | # See the License for the specific language governing permissions and 11 | # limitations under the License 12 | 13 | apiVersion: v2 14 | name: cosi 15 | description: Container Object Storage Interface (COSI) Driver for Dell ObjectScale 16 | 17 | # A chart can be either an 'application' or a 'library' chart. 18 | # 19 | # Application charts are a collection of templates that can be packaged into versioned archives 20 | # to be deployed. 21 | # 22 | # Library charts provide useful utilities or functions for the chart developer. They're included as 23 | # a dependency of application charts to inject those utilities and functions into the rendering 24 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 25 | type: application 26 | 27 | # This is the chart version. This version number should be incremented each time you make changes 28 | # to the chart and its templates, including the app version. 29 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 30 | version: 0.3.0 31 | 32 | # This is the version number of the application being deployed. This version number should be 33 | # incremented each time you make changes to the application. 
Versions are not expected to 34 | # follow Semantic Versioning. They should reflect the version the application is using. 35 | # It is recommended to use it with quotes. 36 | appVersion: 0.3.0-alpha 37 | -------------------------------------------------------------------------------- /charts/cosi/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | Thank you for installing {{ .Chart.Name }}. 2 | 3 | Your release is named {{ .Release.Name }}. 4 | 5 | For more information visit CSM documentation: https://dell.github.io/csm-docs/ 6 | -------------------------------------------------------------------------------- /charts/cosi/templates/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: {{ include "cosi.fullname" . }} 5 | labels: 6 | {{- include "cosi.labels" . | trim | nindent 4 }} 7 | {{- with .Values.rbac.role.annotations }} 8 | annotations: 9 | {{- toYaml . | nindent 4 }} 10 | {{- end }} 11 | spec: 12 | {{- if not .Values.autoscaling.enabled }} 13 | replicas: {{ .Values.replicaCount }} 14 | {{- end }} 15 | selector: 16 | matchLabels: 17 | {{- include "cosi.selectorLabels" . | trim | nindent 6 }} 18 | template: 19 | metadata: 20 | labels: 21 | {{- include "cosi.labels" . | trim | nindent 8 }} 22 | {{- with .Values.podAnnotations }} 23 | annotations: 24 | {{- toYaml . | nindent 8 }} 25 | {{- end }} 26 | spec: 27 | {{- with .Values.imagePullSecrets }} 28 | imagePullSecrets: 29 | {{- toYaml . | nindent 8 }} 30 | {{- end }} 31 | serviceAccountName: {{ include "cosi.serviceAccountName" . }} 32 | {{- with .Values.podSecurityContext }} 33 | securityContext: 34 | {{- toYaml . | nindent 8 }} 35 | {{- end }} 36 | containers: 37 | - name: {{ include "cosi.provisionerContainerName" . }} 38 | {{- with .Values.securityContext }} 39 | securityContext: 40 | {{- toYaml . 
| nindent 12 }} 41 | {{- end }} 42 | image: {{ include "cosi.provisionerImageName" . }} 43 | imagePullPolicy: {{ .Values.provisioner.image.pullPolicy }} 44 | args: 45 | - "--log-level={{ include "cosi.logLevel" . }}" 46 | - "--log-format={{ include "cosi.logFormat" . }}" 47 | - "--otel-endpoint={{ include "cosi.otelEndpoint" . }}" 48 | {{- with .Values.resources }} 49 | resources: 50 | {{- toYaml . | nindent 12 }} 51 | {{- end }} 52 | volumeMounts: 53 | - name: {{ include "cosi.secretVolumeName" . }} 54 | mountPath: /cosi 55 | - name: cosi-socket-dir 56 | mountPath: /var/lib/cosi 57 | - name: {{ include "cosi.provisionerSidecarContainerName" . }} 58 | image: {{ include "cosi.provisionerSidecarImageName" . }} 59 | imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} 60 | args: 61 | - "-v={{ include "cosi.provisionerSidecarVerbosity" . }}" 62 | {{- with .Values.securityContext }} 63 | securityContext: 64 | {{- toYaml . | nindent 12 }} 65 | {{- end }} 66 | {{- with .Values.resources }} 67 | resources: 68 | {{- toYaml . | nindent 12 }} 69 | {{- end }} 70 | volumeMounts: 71 | - name: cosi-socket-dir 72 | mountPath: /var/lib/cosi 73 | {{- with .Values.nodeSelector }} 74 | nodeSelector: 75 | {{- toYaml . | nindent 8 }} 76 | {{- end }} 77 | {{- with .Values.affinity }} 78 | affinity: 79 | {{- toYaml . | nindent 8 }} 80 | {{- end }} 81 | {{- with .Values.tolerations }} 82 | tolerations: 83 | {{- toYaml . | nindent 8 }} 84 | {{- end }} 85 | volumes: 86 | - name: {{ include "cosi.secretVolumeName" . }} 87 | secret: 88 | secretName: {{ include "cosi.secretName" . }} 89 | - name: cosi-socket-dir 90 | emptyDir: {} 91 | -------------------------------------------------------------------------------- /charts/cosi/templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRole 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "cosi.roleName" . 
}} 6 | labels: 7 | {{- include "cosi.labels" . | trim | nindent 4 }} 8 | {{- with .Values.rbac.roleBinding.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | rules: 13 | - apiGroups: 14 | - objectstorage.k8s.io # COSI resources are grouped here 15 | resources: # we do not add bucketclasses here, as those are managed by the COSI Controller 16 | - buckets 17 | - bucketclaims 18 | - bucketaccesses 19 | - bucketaccessclasses 20 | - buckets/status 21 | - bucketaccesses/status 22 | - bucketclaims/status 23 | - bucketaccessclasses/status 24 | verbs: # CRUD + list/watch 25 | - create 26 | - get 27 | - update 28 | - delete 29 | - list 30 | - watch 31 | - apiGroups: 32 | - coordination.k8s.io 33 | resources: 34 | - leases # a lease is created during the leader election process by the COSI Provisioner Sidecar 35 | verbs: # CRUD + list/watch 36 | - create 37 | - get 38 | - update 39 | - delete 40 | - list 41 | - watch 42 | - apiGroups: 43 | - "" # empty for the core (default) API group 44 | resources: 45 | - events # events are emitted from the COSI Provisioner Sidecar 46 | - secrets # secrets are created by the COSI Provisioner Sidecar as part of access granting; as this is a ClusterRole, the secrets grant applies in every namespace 47 | verbs: # CRUD 48 | - create 49 | - get 50 | - update 51 | - delete 52 | {{- end }} 53 | -------------------------------------------------------------------------------- /charts/cosi/templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.rbac.create -}} 2 | kind: ClusterRoleBinding 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ include "cosi.roleBindingName" . }} 6 | labels: 7 | {{- include "cosi.labels" . | trim | nindent 4 }} 8 | {{- with .Values.rbac.roleBinding.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | subjects: 13 | - kind: ServiceAccount 14 | name: {{ include "cosi.serviceAccountName" . 
}} 15 | namespace: {{ .Release.Namespace }} 16 | roleRef: 17 | kind: ClusterRole 18 | name: {{ include "cosi.roleName" . }} 19 | apiGroup: rbac.authorization.k8s.io 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /charts/cosi/templates/secret.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.configuration.create }} 2 | apiVersion: v1 3 | kind: Secret 4 | type: Opaque 5 | metadata: 6 | name: {{ include "cosi.secretName" . }} 7 | labels: 8 | {{- include "cosi.labels" . | trim | nindent 4 }} 9 | {{- with .Values.configuration.annotations }} 10 | annotations: 11 | {{- toYaml . | nindent 4 }} 12 | {{- end }} 13 | data: 14 | config.yaml: {{ toString .Values.configuration.data | b64enc }} 15 | {{- end }} 16 | -------------------------------------------------------------------------------- /charts/cosi/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.rbac.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "cosi.serviceAccountName" . }} 6 | labels: 7 | {{- include "cosi.labels" . | trim | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . | nindent 4 }} 11 | {{- end }} 12 | {{- end}} 13 | -------------------------------------------------------------------------------- /charts/csi-isilon/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: csi-isilon 3 | version: 2.14.0 4 | appVersion: "2.14.0" 5 | kubeVersion: ">= 1.21.0" 6 | # If you are using a complex K8s version like "v1.22.3-mirantis-1", use this kubeVersion check instead 7 | # kubeVersion: ">= 1.23.0-0" 8 | description: | 9 | PowerScale CSI (Container Storage Interface) driver Kubernetes 10 | integration. 
This chart includes everything required to provision via CSI as 11 | well as an Isilon StorageClass. 12 | type: application 13 | keywords: 14 | - csi 15 | - storage 16 | maintainers: 17 | - name: DellEMC 18 | sources: 19 | - https://github.com/dell/csi-isilon 20 | -------------------------------------------------------------------------------- /charts/csi-isilon/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Return true if storage capacity tracking is enabled and is supported based on k8s version 3 | */}} 4 | {{- define "csi-isilon.isStorageCapacitySupported" -}} 5 | {{- if eq .Values.storageCapacity.enabled true -}} 6 | {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} 7 | {{- true -}} 8 | {{- end -}} 9 | {{- end -}} 10 | {{- end -}} 11 | -------------------------------------------------------------------------------- /charts/csi-isilon/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: csi-isilon.dellemc.com 5 | labels: 6 | security.openshift.io/csi-ephemeral-volume-profile: restricted 7 | spec: 8 | attachRequired: true 9 | podInfoOnMount: true 10 | storageCapacity: {{ (include "csi-isilon.isStorageCapacitySupported" .) 
| default false }} 11 | fsGroupPolicy: {{ .Values.fsGroupPolicy }} 12 | volumeLifecycleModes: 13 | - Persistent 14 | - Ephemeral 15 | -------------------------------------------------------------------------------- /charts/csi-isilon/templates/driver-config-params.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Release.Name }}-config-params 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | driver-config-params.yaml: | 8 | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" 9 | {{ if .Values.podmon.enabled }} 10 | PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" 11 | PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}" 12 | PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" 13 | PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}" 14 | {{ end }} 15 | -------------------------------------------------------------------------------- /charts/csi-powermax/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: "2.14.0" 3 | name: csi-powermax 4 | version: 2.14.0 5 | description: | 6 | PowerMax CSI (Container Storage Interface) driver Kubernetes 7 | integration. This chart includes everything required to provision via CSI as 8 | well as a PowerMax StorageClass. 
9 | type: application 10 | kubeVersion: ">= 1.23.0" 11 | # If you are using a complex K8s version like "v1.23.3-mirantis-1", use this kubeVersion check instead 12 | # kubeVersion: ">= 1.23.0-0" 13 | keywords: 14 | - csi 15 | - storage 16 | dependencies: 17 | - name: csireverseproxy 18 | version: 2.13.0 19 | condition: required 20 | home: https://github.com/dell/csi-powermax 21 | icon: https://avatars1.githubusercontent.com/u/20958494?s=200&v=4 22 | sources: 23 | - https://github.com/dell/csi-powermax 24 | maintainers: 25 | - name: DellEMC 26 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: csireverseproxy 3 | description: A Helm chart for CSI PowerMax ReverseProxy 4 | 5 | type: application 6 | 7 | version: 2.13.0 8 | 9 | appVersion: 2.13.0 10 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/conf/config.yaml: -------------------------------------------------------------------------------- 1 | port: {{ .Values.port }} 2 | logLevel: {{ .Values.global.logLevel | default "debug" }} 3 | logFormat: {{ .Values.global.logFormat | default "TEXT" }} 4 | config: 5 | {{- $defaultProxyCreds := .Values.global.defaultCredentialsSecret }} 6 | storageArrays: 7 | {{- $_ := first .Values.global.storageArrays }} 8 | {{- range $index, $value := .Values.global.storageArrays }} 9 | - storageArrayId: {{ required "Must provide a storage array id." $value.storageArrayId | toJson }} 10 | primaryURL: {{ required "Must provide a primary Unisphere HTTPS endpoint." 
$value.endpoint }} 11 | backupURL: {{ $value.backupEndpoint | default "" }} 12 | proxyCredentialSecrets: 13 | - {{ required "Must provide secret for proxy credentials" $defaultProxyCreds }} 14 | {{- end }} 15 | managementServers: 16 | {{- $_ := first .Values.global.managementServers }} 17 | {{- range $index, $value := .Values.global.managementServers }} 18 | - url: {{required "Must provide a Unisphere HTTPS endpoint." $value.endpoint }} 19 | {{- if empty $value.credentialsSecret }} 20 | arrayCredentialSecret: {{ required "Must provide an array credential secret" $defaultProxyCreds }} 21 | {{- else }} 22 | arrayCredentialSecret: {{ required "Must provide an array credential secret" $value.credentialsSecret }} 23 | {{- end }} 24 | {{- if $value.certSecret }} 25 | {{- $check := toString $value.skipCertificateValidation }} 26 | skipCertificateValidation: {{ ternary $value.skipCertificateValidation true (or (eq $check "true") (eq $check "false")) }} 27 | {{- else }} 28 | skipCertificateValidation: true 29 | {{- end }} 30 | certSecret: {{ $value.certSecret | default "" }} 31 | {{- if $value.limits }} 32 | limits: 33 | maxActiveRead: {{ $value.limits.maxActiveRead | default 0 }} 34 | maxActiveWrite: {{ $value.limits.maxActiveWrite | default 0 }} 35 | maxOutStandingRead: {{ $value.limits.maxOutStandingRead | default 0 }} 36 | maxOutStandingWrite: {{ $value.limits.maxOutStandingWrite | default 0 }} 37 | {{- end }} 38 | {{- end }} -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Namespace for all resources to be installed into 3 | If not defined in values file then the helm release namespace is used 4 | By default this is not set so the helm release namespace will be used 5 | */}} 6 | 7 | {{- define "custom.namespace" -}} 8 | {{ .Values.namespace | default .Release.Namespace }} 9 | 
{{- end -}} -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/certificate.yaml: -------------------------------------------------------------------------------- 1 | # If the csireverseproxy cert and key are provided, deploy a CA Issuer using the cert and key (they are written to the Secret's `data` field, so the values must be base64-encoded) 2 | {{- if ne .Values.certManager.selfSignedCert true }} 3 | apiVersion: v1 4 | data: 5 | tls.crt: {{ .Values.certManager.certificateFile }} 6 | tls.key: {{ .Values.certManager.privateKeyFile }} 7 | kind: Secret 8 | type: kubernetes.io/tls 9 | metadata: 10 | name: csirevproxy-tls-secret 11 | namespace: {{ .Release.Namespace }} 12 | 13 | --- 14 | apiVersion: cert-manager.io/v1 15 | kind: Issuer 16 | metadata: 17 | name: csirevproxy-issuer 18 | namespace: {{ .Release.Namespace }} 19 | spec: 20 | ca: 21 | secretName: csirevproxy-tls-secret 22 | --- 23 | {{- else }} 24 | # otherwise, deploy a self-signed Issuer 25 | apiVersion: cert-manager.io/v1 26 | kind: Issuer 27 | metadata: 28 | name: selfsigned-issuer 29 | namespace: {{ .Release.Namespace }} 30 | spec: 31 | selfSigned: {} 32 | 33 | --- 34 | {{- end }} 35 | 36 | --- 37 | apiVersion: cert-manager.io/v1 38 | kind: Certificate 39 | metadata: 40 | name: csirevproxy-tls-cert 41 | namespace: {{ .Release.Namespace }} 42 | spec: 43 | secretName: csirevproxy-tls-secret 44 | commonName: powermax-reverseproxy 45 | duration: 2160h # 90d 46 | renewBefore: 360h # 15d 47 | subject: 48 | organizations: 49 | - dellemc 50 | isCA: false 51 | privateKey: 52 | algorithm: RSA 53 | encoding: PKCS1 54 | size: 2048 55 | usages: 56 | - server auth 57 | - client auth 58 | dnsNames: 59 | - powermax-reverseproxy 60 | - powermax-reverseproxy.powermax.svc.cluster.local 61 | - reverseproxy 62 | ipAddresses: 63 | - 0.0.0.0 64 | issuerRef: 65 | {{- if ne .Values.certManager.selfSignedCert true }} 66 | name: csirevproxy-issuer 67 | {{- else }} 68 | name: selfsigned-issuer 69 | {{- end }} 70 | kind: Issuer 71 | group: 
cert-manager.io 72 | --- 73 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/configmap.yaml: -------------------------------------------------------------------------------- 1 | {{- /* 2 | Deprecation notice: use of reverseproxy-config ConfigMap is deprecated and will 3 | be removed in a future release. The ConfigMap remains for backward compatibility 4 | usage only. 5 | */}} 6 | {{- /* 7 | Use the ConfigMap only if the useSecret value is empty or the key is not found 8 | */}} 9 | {{- if or (not (hasKey .Values.global "useSecret")) (empty .Values.global.useSecret) }} 10 | apiVersion: v1 11 | kind: ConfigMap 12 | metadata: 13 | name: {{ .Release.Name }}-reverseproxy-config 14 | namespace: {{ .Release.Namespace }} 15 | data: 16 | {{ tpl (.Files.Glob "conf/config.yaml").AsConfig . | indent 2 }} 17 | {{- end }} 18 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy-rbac.yaml: -------------------------------------------------------------------------------- 1 | {{- if ne .Values.deployAsSidecar true }} 2 | kind: Role 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | metadata: 5 | name: {{ .Release.Name }}-reverseproxy 6 | namespace: {{ .Release.Namespace }} 7 | rules: 8 | - apiGroups: [""] 9 | resources: ["secrets"] 10 | verbs: ["list", "watch", "get"] 11 | --- 12 | kind: RoleBinding 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | metadata: 15 | name: {{ .Release.Name }}-reverseproxy 16 | namespace: {{ .Release.Namespace }} 17 | subjects: 18 | - kind: ServiceAccount 19 | name: {{ .Release.Name }}-reverseproxy 20 | namespace: {{ .Release.Namespace }} 21 | roleRef: 22 | kind: Role 23 | name: {{ .Release.Name }}-reverseproxy 24 | apiGroup: rbac.authorization.k8s.io 25 | {{- end }} 26 | -------------------------------------------------------------------------------- 
/charts/csi-powermax/charts/csireverseproxy/templates/reverseproxy.yaml: -------------------------------------------------------------------------------- 1 | {{- if ne .Values.deployAsSidecar true }} 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: {{ .Release.Name }}-reverseproxy 6 | namespace: {{ .Release.Namespace }} 7 | spec: 8 | replicas: 1 9 | selector: 10 | matchLabels: 11 | name: {{ .Release.Name }}-reverseproxy 12 | template: 13 | metadata: 14 | labels: 15 | name: {{ .Release.Name }}-reverseproxy 16 | spec: 17 | serviceAccountName: {{ .Release.Name }}-reverseproxy 18 | containers: 19 | - name: csireverseproxy 20 | image: {{ required "Must provided an image for reverseproxy container." .Values.image }} 21 | imagePullPolicy: Always 22 | env: 23 | {{- $useRevProxySecret := and (hasKey .Values.global "useSecret") (.Values.global.useSecret | default false) }} 24 | - name: X_CSI_REVPROXY_USE_SECRET 25 | value: {{ $useRevProxySecret | quote }} 26 | {{- if $useRevProxySecret }} 27 | - name: X_CSI_REVPROXY_SECRET_FILEPATH 28 | value: "/etc/powermax/config" 29 | - name: X_CSI_POWERMAX_CONFIG_PATH 30 | value: "/powermax-config-params/driver-config-params.yaml" 31 | {{- else }} 32 | - name: X_CSI_REVPROXY_CONFIG_DIR 33 | value: /etc/config/configmap 34 | - name: X_CSI_REVPROXY_CONFIG_FILE_NAME 35 | value: config.yaml 36 | {{- end }} 37 | - name: X_CSI_REVPROXY_IN_CLUSTER 38 | value: "true" 39 | - name: X_CSI_REVPROXY_TLS_CERT_DIR 40 | value: /app/tls 41 | - name: X_CSI_REVPROXY_WATCH_NAMESPACE 42 | value: {{ .Release.Namespace }} 43 | volumeMounts: 44 | {{- if and (hasKey .Values.global "useSecret") (.Values.global.useSecret | default false) }} 45 | - name: powermax-reverseproxy-secret 46 | mountPath: /etc/powermax 47 | - name: powermax-config-params 48 | mountPath: /powermax-config-params 49 | {{- else }} 50 | - name: configmap-volume 51 | mountPath: /etc/config/configmap 52 | {{- end }} 53 | - name: tls-secret 54 | mountPath: /app/tls 55 | - 
name: cert-dir 56 | mountPath: /app/certs 57 | volumes: 58 | {{- if and (hasKey .Values.global "useSecret") (.Values.global.useSecret | default false) }} 59 | - name: powermax-reverseproxy-secret 60 | secret: 61 | secretName: {{ required "Must provide defaultCredentialsSecret secret name." .Values.global.defaultCredentialsSecret }} 62 | - name: powermax-config-params 63 | configMap: 64 | name: {{ .Release.Name }}-config-params 65 | {{- else }} 66 | - name: configmap-volume 67 | configMap: 68 | name: {{ .Release.Name }}-reverseproxy-config 69 | optional: true 70 | {{- end }} 71 | - name: tls-secret 72 | secret: 73 | secretName: {{ .Values.tlsSecret }} 74 | - name: cert-dir 75 | emptyDir: 76 | {{- end }} 77 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ .Release.Name }}-reverseproxy 5 | namespace: {{ .Release.Namespace }} 6 | spec: 7 | ports: 8 | - port: {{ .Values.port }} 9 | protocol: TCP 10 | targetPort: 2222 11 | selector: 12 | {{- if eq .Values.deployAsSidecar true}} 13 | name: {{ .Release.Name }}-controller 14 | {{- else }} 15 | name: {{ .Release.Name }}-reverseproxy 16 | {{- end }} 17 | type: ClusterIP 18 | -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if ne .Values.deployAsSidecar true }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ .Release.Name }}-reverseproxy 6 | namespace: {{ .Release.Namespace }} 7 | {{- end }} -------------------------------------------------------------------------------- /charts/csi-powermax/charts/csireverseproxy/values.yaml: 
-------------------------------------------------------------------------------- 1 | image: quay.io/dell/container-storage-modules/csipowermax-reverseproxy:v2.13.0 2 | port: 2222 3 | 4 | # TLS secret used to set up the proxy HTTPS server 5 | # Don't change this value unless really necessary 6 | # If this value is modified, the installation script must be updated to match 7 | tlsSecret: "csirevproxy-tls-secret" 8 | -------------------------------------------------------------------------------- /charts/csi-powermax/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* Return true if storage capacity tracking is enabled and is supported based on k8s version */}} 2 | {{- define "csi-powermax.isStorageCapacitySupported" -}} 3 | {{- if eq .Values.storageCapacity.enabled true -}} 4 | {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} 5 | {{- true -}} 6 | {{- end -}} 7 | {{- end -}} 8 | {{- end -}} 9 | -------------------------------------------------------------------------------- /charts/csi-powermax/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | {{- if eq .Values.customDriverName.enabled true}} 5 | name: {{ printf "%s-%s" .Release.Namespace .Values.customDriverName.value }} 6 | {{- else }} 7 | name: csi-powermax.dellemc.com 8 | {{- end }} 9 | spec: 10 | podInfoOnMount: true 11 | attachRequired: true 12 | storageCapacity: {{ (include "csi-powermax.isStorageCapacitySupported" .) 
| default false }} 13 | fsGroupPolicy: {{ .Values.fsGroupPolicy }} 14 | -------------------------------------------------------------------------------- /charts/csi-powermax/templates/driver-config-params.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Release.Name }}-config-params 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | driver-config-params.yaml: | 8 | CSI_LOG_LEVEL: {{ .Values.global.logLevel | default "debug" }} 9 | CSI_LOG_FORMAT: {{ .Values.global.logFormat | default "TEXT" }} 10 | {{- if and (hasKey .Values.global "useSecret") (.Values.global.useSecret | default false) }} 11 | CSI_POWERMAX_REVERSE_PROXY_PORT: {{ .Values.csireverseproxy.port | default 2222 }} 12 | {{- end }} 13 | -------------------------------------------------------------------------------- /charts/csi-powermax/templates/powermax-array-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Release.Name }}-array-config 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | powermax-array-config.yaml: | 8 | X_CSI_POWERMAX_PORTGROUPS: {{ .Values.global.portGroups | toYaml | default "" }} 9 | X_CSI_TRANSPORT_PROTOCOL: {{ .Values.global.transportProtocol | toYaml | default "" }} 10 | X_CSI_MANAGED_ARRAYS: {{ .Values.global.managedArrays | toYaml | default "" }} 11 | -------------------------------------------------------------------------------- /charts/csi-powerstore/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: "2.14.0" 3 | name: csi-powerstore 4 | version: 2.14.0 5 | description: | 6 | PowerStore CSI (Container Storage Interface) driver Kubernetes 7 | integration. This chart includes everything required to provision via CSI as 8 | well as a PowerStore StorageClass. 
9 | type: application 10 | kubeVersion: ">= 1.24.0" 11 | # If you are using a complex K8s version like "v1.24.3-mirantis-1", use this kubeVersion check instead 12 | # kubeVersion: ">= 1.23.0-0" 13 | keywords: 14 | - csi 15 | - storage 16 | home: https://github.com/dell/csi-powerstore 17 | sources: 18 | - https://github.com/dell/csi-powerstore 19 | maintainers: 20 | - name: DellEMC 21 | -------------------------------------------------------------------------------- /charts/csi-powerstore/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Return true if storage capacity tracking is enabled and is supported based on k8s version 3 | */}} 4 | {{- define "csi-powerstore.isStorageCapacitySupported" -}} 5 | {{- if eq .Values.storageCapacity.enabled true -}} 6 | {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} 7 | {{- true -}} 8 | {{- end -}} 9 | {{- end -}} 10 | {{- end -}} 11 | -------------------------------------------------------------------------------- /charts/csi-powerstore/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # 3 | # Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # 15 | # 16 | 17 | apiVersion: storage.k8s.io/v1 18 | kind: CSIDriver 19 | metadata: 20 | name: {{ .Values.driverName }} 21 | labels: 22 | security.openshift.io/csi-ephemeral-volume-profile: restricted 23 | spec: 24 | storageCapacity: {{ (include "csi-powerstore.isStorageCapacitySupported" .) | default false }} 25 | podInfoOnMount: true 26 | fsGroupPolicy: {{ .Values.fsGroupPolicy }} 27 | volumeLifecycleModes: 28 | - Persistent 29 | - Ephemeral 30 | -------------------------------------------------------------------------------- /charts/csi-powerstore/templates/driver-config-params.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # 3 | # Copyright © 2021-2023 Dell Inc. or its subsidiaries. All Rights Reserved. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # 15 | # 16 | 17 | apiVersion: v1 18 | kind: ConfigMap 19 | metadata: 20 | name: {{ .Release.Name }}-config-params 21 | namespace: {{ .Release.Namespace }} 22 | data: 23 | driver-config-params.yaml: | 24 | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" 25 | CSI_LOG_FORMAT: "{{ .Values.logFormat }}" 26 | {{ if .Values.podmon.enabled }} 27 | PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" 28 | PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}" 29 | PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" 30 | PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}" 31 | {{ end }} -------------------------------------------------------------------------------- /charts/csi-unity/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: 2.14.0 3 | name: csi-unity 4 | version: 2.14.0 5 | description: | 6 | Unity XT CSI (Container Storage Interface) driver Kubernetes 7 | integration. This chart includes everything required to provision via CSI as 8 | well as a Unity XT StorageClass. 
9 | type: application 10 | kubeVersion: ">= 1.24.0" 11 | # If you are using a complex K8s version like "v1.24.3-mirantis-1", use this kubeVersion check instead 12 | # kubeVersion: ">= 1.23.0-0" 13 | keywords: 14 | - csi 15 | - storage 16 | sources: 17 | - https://github.com/dell/csi-unity 18 | maintainers: 19 | - name: DellEMC 20 | -------------------------------------------------------------------------------- /charts/csi-unity/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Return true if storage capacity tracking is enabled and is supported based on k8s version 3 | */}} 4 | {{- define "csi-unity.isStorageCapacitySupported" -}} 5 | {{- if eq .Values.storageCapacity.enabled true -}} 6 | {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} 7 | {{- true -}} 8 | {{- end -}} 9 | {{- end -}} 10 | {{- end -}} 11 | -------------------------------------------------------------------------------- /charts/csi-unity/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: csi-unity.dellemc.com 5 | labels: 6 | security.openshift.io/csi-ephemeral-volume-profile: restricted 7 | spec: 8 | storageCapacity: {{ (include "csi-unity.isStorageCapacitySupported" .) 
| default false }} 9 | attachRequired: true 10 | podInfoOnMount: true 11 | volumeLifecycleModes: 12 | - Persistent 13 | - Ephemeral 14 | fsGroupPolicy: {{ .Values.fsGroupPolicy }} 15 | -------------------------------------------------------------------------------- /charts/csi-unity/templates/driver-config-params.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Release.Name }}-config-params 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | driver-config-params.yaml: | 8 | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" 9 | ALLOW_RWO_MULTIPOD_ACCESS: "{{ .Values.allowRWOMultiPodAccess }}" 10 | MAX_UNITY_VOLUMES_PER_NODE: "{{ .Values.maxUnityVolumesPerNode }}" 11 | SYNC_NODE_INFO_TIME_INTERVAL: "{{ .Values.syncNodeInfoInterval }}" 12 | TENANT_NAME: "{{ .Values.tenantName }}" 13 | {{ if .Values.podmon.enabled }} 14 | PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" 15 | PODMON_CONTROLLER_LOG_FORMAT: "TEXT" 16 | PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" 17 | PODMON_NODE_LOG_FORMAT: "TEXT" 18 | {{ end }} 19 | -------------------------------------------------------------------------------- /charts/csi-vxflexos/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: "2.14.0" 3 | name: csi-vxflexos 4 | version: "2.14.0" 5 | description: | 6 | VxFlex OS CSI (Container Storage Interface) driver Kubernetes 7 | integration. This chart includes everything required to provision via CSI as 8 | well as a VxFlex OS StorageClass. 
9 | kubeVersion: ">= 1.21.0" 10 | # If you are using a complex K8s version like "v1.21.3-mirantis-1", use this kubeVersion check instead 11 | # kubeVersion: ">= 1.23.0-0" 12 | keywords: 13 | - csi 14 | - storage 15 | maintainers: 16 | - name: DellEMC 17 | sources: 18 | - https://github.com/dell/csi-vxflexos 19 | -------------------------------------------------------------------------------- /charts/csi-vxflexos/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Return true if storage capacity tracking is enabled and is supported based on k8s version 3 | */}} 4 | {{- define "csi-vxflexos.isStorageCapacitySupported" -}} 5 | {{- if eq .Values.storageCapacity.enabled true -}} 6 | {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}} 7 | {{- true -}} 8 | {{- end -}} 9 | {{- end -}} 10 | {{- end -}} -------------------------------------------------------------------------------- /charts/csi-vxflexos/templates/csidriver.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: storage.k8s.io/v1 2 | kind: CSIDriver 3 | metadata: 4 | name: csi-vxflexos.dellemc.com 5 | labels: 6 | security.openshift.io/csi-ephemeral-volume-profile: restricted 7 | spec: 8 | storageCapacity: {{ (include "csi-vxflexos.isStorageCapacitySupported" .) 
| default false }} 9 | fsGroupPolicy: {{ .Values.fsGroupPolicy }} 10 | attachRequired: true 11 | podInfoOnMount: true 12 | volumeLifecycleModes: 13 | - Persistent 14 | - Ephemeral 15 | -------------------------------------------------------------------------------- /charts/csi-vxflexos/templates/driver-config-params.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: {{ .Release.Name }}-config-params 5 | namespace: {{ .Release.Namespace }} 6 | data: 7 | driver-config-params.yaml: | 8 | CSI_LOG_LEVEL: "{{ .Values.logLevel }}" 9 | CSI_LOG_FORMAT: "{{ .Values.logFormat }}" 10 | {{ if .Values.podmon.enabled }} 11 | PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}" 12 | PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}" 13 | PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}" 14 | PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}" 15 | {{ end }} 16 | interfaceNames: 17 | {{- range $node, $interfaces := .Values.interfaceNames }} 18 | {{ $node }}: "{{ $interfaces }}" 19 | {{- end }} 20 | 21 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/.gitignore: -------------------------------------------------------------------------------- 1 | Chart.lock 2 | charts/*tgz 3 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | installer/ 25 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: csm-authorization 3 | version: v2.2.0 4 | appVersion: v2.2.0 5 | type: application 6 | description: | 7 | CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes 8 | storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability 9 | to apply RBAC for Dell CSI Drivers. 10 | dependencies: 11 | - name: redis-csm 12 | version: 0.1.0 13 | condition: required 14 | - name: cert-manager 15 | version: 1.10.0 16 | repository: https://charts.jetstack.io 17 | condition: cert-manager.enabled 18 | - name: ingress-nginx 19 | version: 4.12.1 20 | repository: https://kubernetes.github.io/ingress-nginx 21 | condition: nginx.enabled 22 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/README.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Container Storage Modules (CSM) for Authorization Dell Community Helm Chart 12 | 13 | CSM for Authorization V2 can be deployed using Helm. 14 | 15 | For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm). 
16 | 17 | ## Helm Chart Versioning 18 | 19 | For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). 20 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/charts/redis-csm/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/charts/redis-csm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: redis-csm 3 | description: Helm Chart for Redis with Sentinels 4 | type: application 5 | version: 0.1.0 6 | appVersion: 0.1.0 7 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/charts/redis-csm/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Namespace for all resources to be installed into 3 | If not defined in values file then the helm release namespace is used 4 | By default this is not set so the helm release namespace will be used 5 | */}} 6 | 7 | {{- define "custom.namespace" -}} 8 | {{ .Values.namespace | default .Release.Namespace }} 9 | {{- end -}} -------------------------------------------------------------------------------- 
/charts/csm-authorization-v2.0/charts/redis-csm/templates/redis-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: redis-csm-secret 5 | namespace: {{ include "custom.namespace" . }} 6 | type: kubernetes.io/basic-auth 7 | stringData: 8 | password: K@ravi123!
# NOTE(review): the password is a fixed literal in the chart template, not read from values or an existing Secret,
# so every install of this chart shares the same credential and it lives in source control. Consider taking it
# from a user-supplied or generated value (e.g. randAlphaNum) or referencing a pre-existing Secret instead.
9 | commander_user: dev 10 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/charts/redis-csm/templates/sentinel.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: StatefulSet 3 | metadata: 4 | name: {{ .Values.redis.sentinel }} 5 | spec: 6 | serviceName: {{ .Values.redis.sentinel }} 7 | replicas: {{ .Values.redis.replicas }} 8 | selector: 9 | matchLabels: 10 | app: {{ .Values.redis.sentinel }} 11 | template: 12 | metadata: 13 | labels: 14 | app: {{ .Values.redis.sentinel }} 15 | annotations: 16 | checksum/secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }} 17 | spec: 18 | initContainers: 19 | - name: config 20 | image: {{ .Values.redis.images.redis.image }} 21 | command: [ "sh", "-c" ] 22 | env: 23 | - name: REDIS_PASSWORD 24 | valueFrom: 25 | secretKeyRef: 26 | name: redis-csm-secret 27 | key: password 28 | args: 29 | - | 30 | replicas=$( expr {{ .Values.redis.replicas | int }} - 1) 31 | for i in $(seq 0 $replicas) 32 | do 33 | node=$( echo "{{ .Values.redis.name }}-$i.{{ .Values.redis.name }}" ) 34 | nodes=$( echo "$nodes*$node" ) 35 | done 36 | loop=$(echo $nodes | sed -e "s/"*"/\n/g") 37 | 38 | foundMaster="false" 39 | while [ "$foundMaster" != "true" ] 40 | do 41 | for i in $loop 42 | do 43 | echo "Finding master at $i" 44 | MASTER=$(redis-cli --no-auth-warning --raw -h $i -a $REDIS_PASSWORD info replication | awk '{print $1}' | grep master_host: | cut -d ":" -f2)
# NOTE(review): `-a $REDIS_PASSWORD` places the password in redis-cli's argv, visible to anything that can list
# processes in the pod; redis-cli also reads REDISCLI_AUTH from the environment, which keeps it off the command line.
45 | if [ "$MASTER" = "" ]; then 46 | echo "Master not found..." 47 | echo "Sleeping 5 seconds for pods to come up..." 48 | sleep 5 49 | MASTER= 50 | else 51 | echo "Master found at $MASTER..." 52 | foundMaster="true" 53 | break 54 | fi 55 | done 56 | done 57 | 58 | echo "sentinel monitor mymaster $MASTER 6379 2" >> /tmp/master 59 | echo "port 5000 60 | sentinel resolve-hostnames yes 61 | sentinel announce-hostnames yes 62 | $(cat /tmp/master) 63 | sentinel down-after-milliseconds mymaster 5000 64 | sentinel failover-timeout mymaster 60000 65 | sentinel parallel-syncs mymaster 2 66 | sentinel auth-pass mymaster $REDIS_PASSWORD 67 | " > /etc/redis/sentinel.conf 68 | cat /etc/redis/sentinel.conf
# NOTE(review): this prints the rendered config, including the "sentinel auth-pass mymaster <password>" line,
# to the init container's stdout, so the Redis password ends up in pod logs; drop the cat or mask that line.
69 | volumeMounts: 70 | - name: redis-config 71 | mountPath: /etc/redis/ 72 | containers: 73 | - name: sentinel 74 | image: {{ .Values.redis.images.redis.image }} 75 | command: ["redis-sentinel"] 76 | args: ["/etc/redis/sentinel.conf"] 77 | ports: 78 | - containerPort: 5000 79 | name: {{ .Values.redis.sentinel }} 80 | volumeMounts: 81 | - name: redis-config 82 | mountPath: /etc/redis/ 83 | - name: data 84 | mountPath: /data 85 | volumes: 86 | - name: redis-config 87 | emptyDir: {} 88 | - name: data 89 | emptyDir : {} 90 | --- 91 | apiVersion: v1 92 | kind: Service 93 | metadata: 94 | name: {{ .Values.redis.sentinel }} 95 | spec: 96 | clusterIP: None 97 | ports: 98 | - port: 5000 99 | targetPort: 5000 100 | name: sentinel 101 | selector: 102 | app: sentinel
# NOTE(review): fixed selector value, while the StatefulSet pods are labelled from .Values.redis.sentinel;
# this headless Service selects nothing if that value is changed. Use the same value expression here.
103 | --- 104 | apiVersion: v1 105 | kind: Service 106 | metadata: 107 | name: {{ .Values.redis.sentinel }}-svc 108 | spec: 109 | type: NodePort 110 | ports: 111 | - port: 5000 112 | targetPort: 5000 113 | nodePort: 32003
# NOTE(review): a NodePort publishes the sentinel port on every node's IP; if only in-cluster clients need it,
# the headless Service above suffices and this one can be ClusterIP to reduce exposure.
114 | name: {{ .Values.redis.sentinel }}-svc 115 | selector: 116 | app: {{ .Values.redis.sentinel }} 117 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/charts/redis-csm/values.yaml: -------------------------------------------------------------------------------- 1 | redis: 2 | name: redis-csm 3 |
sentinel: sentinel 4 | rediscommander: rediscommander 5 | replicas: 5 6 | images: 7 | redis: 8 | image: redis:7.4.3-alpine 9 | commander: 10 | image: rediscommander/redis-commander:latest
# NOTE(review): floating tag; unlike the pinned redis image above, `latest` resolves to whatever is current
# at pull time and cannot be reproduced or audited. Pin a version tag (or digest) as is done for redis.
11 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/common.rego: -------------------------------------------------------------------------------- 1 | package karavi.common 2 | default roles = {} 3 | roles = {}
# NOTE(review): both rules yield {}, so roles is empty unless data.karavi.common.roles is supplied at runtime
# (the policy tests override it with `with data.karavi.common.roles as roles`); the deny rules in the other
# packages treat an empty roles object as "no configured roles".
4 | 5 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/sdc-approve.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.sdc.approve 16 | 17 | import data.karavi.common 18 | 19 | # Allow requests by default. 20 | default allow = true
# NOTE(review): no rule refines `allow`, so it is true for every input. The effective decision is `response`
# below, which only becomes allowed:false when the deny set is non-empty, and the sole deny rule fires on an
# absent or empty claims object; no role or storage-quota checks are applied in this package.
21 | 22 | default response = { 23 | "allowed": true 24 | } 25 | response = { 26 | "allowed": false, 27 | "status": { 28 | "reason": reason, 29 | }, 30 | } { 31 | reason = concat(", ", deny) 32 | reason != "" 33 | } 34 | 35 | default claims = {} 36 | claims = input.claims 37 | deny[msg] { 38 | claims == {} 39 | msg := sprintf("missing claims", []) 40 | } 41 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/snapshot-create.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2024 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.snapshot.create 16 | 17 | import data.karavi.common 18 | 19 | default allow := false 20 | 21 | allow { 22 | count(permitted_roles) == count(input.request) 23 | count(deny) == 0 24 | }
# NOTE(review): permitted_roles is keyed by req.name (see the rule at the end of this file), so two requests
# sharing a name collapse into one entry and the count comparison fails closed for that input.
25 | 26 | # Deny if there are no roles found. 27 | deny[msg] { 28 | common.roles == {} 29 | msg := sprintf("no configured roles", []) 30 | } 31 | 32 | # Deny if claimed roles has no match for the request.
33 | deny[msg] { 34 | count(permitted_roles) != count(input.request) 35 | 36 | unpermitted_requests := [req | 37 | element := input.request[_] 38 | 39 | not permitted_roles[element.name] 40 | 41 | req := element 42 | ] 43 | 44 | msg := sprintf( 45 | "no roles in [%s] allow the %s Kb request on %s/%s/%s for %s", 46 | [ 47 | input.claims.roles, 48 | unpermitted_requests[_].volumeSizeInKb, 49 | input.systemtype, 50 | input.storagesystemid, 51 | unpermitted_requests[_].storagepool, 52 | unpermitted_requests[_].name, 53 | ], 54 | ) 55 | } 56 | 57 | # No OR in OPA, multiple rules are needed. 58 | size_is_valid(a, b) { 59 | to_number(a) >= to_number(b) 60 | } 61 | 62 | # No OR in OPA, multiple rules are needed. 63 | size_is_valid(a, _) { 64 | to_number(a) == 0 65 | } 66 | 67 | # Create a list of permitted roles. 68 | permitted_roles[snapshot] := roles { 69 | # Split the claimed roles by comma into an array. 70 | claimed_roles := split(input.claims.roles, ",") 71 | 72 | # Iterate through the requests. 73 | req := input.request[_] 74 | 75 | roles := [role | 76 | sp := req.storagepool 77 | size := req.volumeSizeInKb 78 | 79 | # Iterate through the roles in the request. 80 | c_role := claimed_roles[_] 81 | common.roles[c_role] 82 | 83 | system_ids := common.roles[c_role].system_types[input.systemtype].system_ids[input.storagesystemid] 84 | pool_quota := system_ids.pool_quotas[sp] 85 | 86 | # Validate that the pool quota is valid. 87 | size_is_valid(pool_quota, size) 88 | 89 | role := {"size": to_number(pool_quota), "storagepool": sp, "role": c_role} 90 | ] 91 | 92 | # Ensure that the role list is not empty. 93 | count(roles) != 0 94 | 95 | # Set the snapshot name which creates an entry in the list. 
96 | snapshot := req.name 97 | } 98 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-create-test.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.create 16 | 17 | roles = { 18 | "us-east-1": { 19 | "system_types": { 20 | "powerflex": { 21 | "system_ids": { 22 | "2222": { 23 | "pool_quotas": { 24 | "bronze": "44000000" 25 | } 26 | } 27 | } 28 | } 29 | } 30 | }, 31 | "us-west-1": { 32 | "system_types": { 33 | "powerflex": { 34 | "system_ids": { 35 | "1111": { 36 | "pool_quotas": { 37 | "bronze": 83886080 38 | } 39 | } 40 | } 41 | } 42 | } 43 | }, 44 | "us-west-2-small": { 45 | "system_types": { 46 | "powerflex": { 47 | "system_ids": { 48 | "2222": { 49 | "pool_quotas": { 50 | "bronze": 83886080 51 | } 52 | } 53 | } 54 | } 55 | } 56 | }, 57 | "us-west-2-large": { 58 | "system_types": { 59 | "powerflex": { 60 | "system_ids": { 61 | "2222": { 62 | "pool_quotas": { 63 | "bronze": 838860800, 64 | "silver": 93886080000 65 | } 66 | } 67 | } 68 | } 69 | } 70 | } 71 | } 72 | 73 | test_small_request_allowed { 74 | allow with input as { 75 | "claims": { 76 | "aud": "karavi", 77 | "exp": 1615426023, 78 | "group": "DevOpsGroup1", 79 | "iss":"com.dell.karavi", 80 | 
"roles":"us-east-1", 81 | "sub":"karavi-tenant" 82 | }, 83 | "request": { 84 | "name":"k8s-0fc0695995", 85 | "protectionDomainId":"6b2ffe6c00000000", 86 | "storagePoolId":"ae376b0300000000", 87 | "volumeSizeInKb":"8388608", 88 | "volumeType":"ThinProvisioned" 89 | }, 90 | "storagepool":"bronze", 91 | "storagesystemid":"2222", 92 | "systemtype": "powerflex" 93 | } with data.karavi.common.roles as roles 94 | } 95 | 96 | test_large_request_not_allowed { 97 | not allow with input as { 98 | "claims": { 99 | "aud": "karavi", 100 | "exp": 1615426023, 101 | "group": "DevOpsGroup1", 102 | "iss":"com.dell.karavi", 103 | "roles":"us-west-2-small,us-west-2-large", 104 | "sub":"karavi-tenant" 105 | }, 106 | "request": { 107 | "name":"k8s-0fc0695995", 108 | "protectionDomainId":"6b2ffe6c00000000", 109 | "storagePoolId":"ae376b0300000000", 110 | "volumeSizeInKb":"9999999999", 111 | "volumeType":"ThinProvisioned" 112 | }, 113 | "storagepool":"bronze", 114 | "storagesystemid":"2222", 115 | "storagetype": "powerflex" 116 | } with data.karavi.common.roles as roles 117 | } 118 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-create.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | package karavi.volumes.create 16 | 17 | import data.karavi.common 18 | 19 | # Deny requests by default. 20 | default allow = false 21 | 22 | # 23 | # Allows the request if one of the claimed roles matches 24 | # a role configured to allow the storage request. 25 | # 26 | allow { 27 | count(permitted_roles) != 0 28 | count(deny) == 0 29 | } 30 | 31 | # 32 | # Deny if there are no roles found. 33 | # 34 | deny[msg] { 35 | common.roles == {} 36 | msg := sprintf("no configured roles", []) 37 | } 38 | 39 | # 40 | # Deny if the claimed roles have no match for the request. 41 | # 42 | deny[msg] { 43 | count(permitted_roles) == 0 44 | msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s", 45 | [input.claims.roles, 46 | input.request.volumeSizeInKb, 47 | input.systemtype, 48 | input.storagesystemid, 49 | input.storagepool]) 50 | } 51 | 52 | # 53 | # These are permitted roles that are configured 54 | # with the requested storage system, mapped to 55 | # the allowable quota for the requested storage 56 | # pool. 57 | # 58 | # Example: { "role-1": 800000 } 59 | # 60 | permitted_roles[v] = y { 61 | # Split the claimed roles by comma into an array. 62 | claimed_roles := split(input.claims.roles, ",") 63 | 64 | # This block filters 'a' to contain only roles 65 | # that are found in 'common.roles'. 66 | some i 67 | a := claimed_roles[i] 68 | common.roles[a] 69 | 70 | # v will contain permitted roles that match the storage request. 71 | v := claimed_roles[i]
# NOTE(review): the left-hand side of the next comparison is the raw pool_quotas value, which line 73
# (to_number) and the us-east-1 fixture in volumes-create-test.rego ("44000000") show may be a string.
# Rego orders values of different types instead of failing, with strings sorting after numbers, so a
# string quota satisfies >= for any request size. Convert with to_number(...) on this side as well, as
# size_is_valid in snapshot-create.rego does; the same comparison appears in volumes-powermax-create.rego,
# and the zero-quota rule that follows uses == 0, which a string "0" would not match.
72 | common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) 73 | y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) 74 | } 75 | 76 | # These are the permitted roles that are configured 77 | # with zero quota, meaning infinite capacity. 78 | # 79 | permitted_roles[v] = y { 80 | # Split the claimed roles by comma into an array.
81 | claimed_roles := split(input.claims.roles, ",") 82 | 83 | # This block filters 'a' to contain only roles 84 | # that are found in 'common.roles'. 85 | some i 86 | a := claimed_roles[i] 87 | common.roles[a] 88 | 89 | # v will contain permitted roles that match the storage request. 90 | v := claimed_roles[i] 91 | common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 92 | y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) 93 | } 94 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-delete.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.delete 16 | 17 | import data.karavi.common 18 | 19 | default response = { 20 | "allowed": true 21 | } 22 | response = { 23 | "allowed": false, 24 | "status": { 25 | "reason": reason, 26 | }, 27 | } { 28 | reason = concat(", ", deny) 29 | reason != "" 30 | } 31 | 32 | # 33 | # Ensure there are roles configured. 34 | # 35 | deny[msg] { 36 | common.roles == {} 37 | msg := sprintf("no role data found", []) 38 | } 39 | 40 | # 41 | # Validate input: claims. 
42 | # 43 | default claims = {} 44 | claims = input.claims 45 | deny[msg] { 46 | claims == {} 47 | msg := sprintf("missing claims", []) 48 | } 49 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-map.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.map 16 | 17 | import data.karavi.common 18 | 19 | default response = { 20 | "allowed": true 21 | } 22 | response = { 23 | "allowed": false, 24 | "status": { 25 | "reason": reason, 26 | }, 27 | } { 28 | reason = concat(", ", deny) 29 | reason != "" 30 | } 31 | 32 | deny[msg] { 33 | common.roles == {} 34 | msg := sprintf("no role data found", []) 35 | } 36 | 37 | default claims = {} 38 | claims = input.claims 39 | deny[msg] { 40 | claims == {} 41 | msg := sprintf("missing claims", []) 42 | } 43 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-powermax-create.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 
2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.powermax.create 16 | 17 | import data.karavi.common 18 | 19 | # Deny requests by default. 20 | default allow = false 21 | 22 | # 23 | # Allows the request if one of the claimed roles matches 24 | # a role configured to allow the storage request. 25 | # 26 | allow { 27 | count(permitted_roles) != 0 28 | count(deny) == 0 29 | } 30 | 31 | # 32 | # Deny if there are no roles found. 33 | # 34 | deny[msg] { 35 | common.roles == {} 36 | msg := sprintf("no configured roles", []) 37 | } 38 | 39 | # 40 | # Deny if claimed roles has no match for the request. 41 | # 42 | deny[msg] { 43 | count(permitted_roles) == 0 44 | msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s", 45 | [input.claims.roles, 46 | input.request.volumeSizeInKb, 47 | input.systemtype, 48 | input.storagesystemid, 49 | input.storagepool]) 50 | } 51 | 52 | # 53 | # These are permitted roles that are configured 54 | # with the requested storage system, mapped to 55 | # the allowable quota for the request storage 56 | # pool. 57 | # 58 | # Example: { "role-1": 800000 } 59 | # 60 | permitted_roles[v] = y { 61 | # Split the claimed roles by comma into an array. 62 | claimed_roles := split(input.claims.roles, ",") 63 | 64 | # This block filters 'a' to contain only roles 65 | # that are found in 'common.roles'. 
66 | some i 67 | a := claimed_roles[i] 68 | common.roles[a] 69 | 70 | # v will contain permitted roles that match the storage request. 71 | v := claimed_roles[i] 72 | common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] >= to_number(input.request.volumeSizeInKb) 73 | y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) 74 | } 75 | 76 | # These are the permitted roles that are configured 77 | # with zero quota, meaning infinite capacity. 78 | # 79 | permitted_roles[v] = y { 80 | # Split the claimed roles by comma into an array. 81 | claimed_roles := split(input.claims.roles, ",") 82 | 83 | # This block filters 'a' to contain only roles 84 | # that are found in 'common.roles'. 85 | some i 86 | a := claimed_roles[i] 87 | common.roles[a] 88 | 89 | # v will contain permitted roles that match the storage request. 90 | v := claimed_roles[i] 91 | common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool] == 0 92 | y := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool]) 93 | } 94 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/policies/volumes-unmap.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 
5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.unmap 16 | 17 | import data.karavi.common 18 | 19 | default response = { 20 | "allowed": true 21 | } 22 | response = { 23 | "allowed": false, 24 | "status": { 25 | "reason": reason, 26 | }, 27 | } { 28 | reason = concat(", ", deny) 29 | reason != "" 30 | } 31 | 32 | deny[msg] { 33 | common.roles == {} 34 | msg := sprintf("no role data found", []) 35 | } 36 | 37 | default claims = {} 38 | claims = input.claims 39 | deny[msg] { 40 | claims == {} 41 | msg := sprintf("missing claims", []) 42 | } 43 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The CSM Authorization deployment has been successfully installed. 2 | 3 | Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer: 4 | 5 | export NODE_PORT=$(kubectl get --namespace {{ include "custom.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ include "custom.namespace" . }}-ingress-nginx-controller) 6 | export NODE_IP=$(kubectl get nodes --namespace {{ include "custom.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") 7 | echo https://$NODE_IP:$NODE_PORT 8 | 9 | LoadBalancer host rules for proxy-server: 10 | - {{ .Values.authorization.hostname }} 11 | - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . 
}}.svc.cluster.local 12 | 13 | authorization.proxyHost value for a CSI Driver examples: 14 | - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) 15 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Namespace for all resources to be installed into 3 | If not defined in values file then the helm release namespace is used 4 | By default this is not set so the helm release namespace will be used 5 | */}} 6 | 7 | {{- define "custom.namespace" -}} 8 | {{ .Values.namespace | default .Release.Namespace }} 9 | {{- end -}} 10 | -------------------------------------------------------------------------------- /charts/csm-authorization-v2.0/templates/authorization-controller.yaml: -------------------------------------------------------------------------------- 1 | # Controller 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: authorization-controller 6 | namespace: {{ include "custom.namespace" . 
}} 7 | --- 8 | kind: ClusterRole 9 | apiVersion: rbac.authorization.k8s.io/v1 10 | metadata: 11 | name: authorization-controller 12 | rules: 13 | - apiGroups: ["csm-authorization.storage.dell.com"] 14 | resources: ["csmroles"] 15 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 16 | - apiGroups: ["csm-authorization.storage.dell.com"] 17 | resources: ["csmroles/status"] 18 | verbs: ["get", "update", "patch"] 19 | - apiGroups: ["csm-authorization.storage.dell.com"] 20 | resources: ["csmroles/finalizers"] 21 | verbs: ["update"] 22 | - apiGroups: [""] 23 | resources: ["configmaps"] 24 | verbs: ["get", "list", "watch"] 25 | - apiGroups: ["csm-authorization.storage.dell.com"] 26 | resources: ["csmtenants"] 27 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 28 | - apiGroups: ["csm-authorization.storage.dell.com"] 29 | resources: ["csmtenants/status"] 30 | verbs: ["get", "update", "patch"] 31 | - apiGroups: ["csm-authorization.storage.dell.com"] 32 | resources: ["csmtenants/finalizers"] 33 | verbs: ["update"] 34 | - apiGroups: [""] 35 | resources: ["events"] 36 | verbs: ["create", "patch"] 37 | - apiGroups: ["csm-authorization.storage.dell.com"] 38 | resources: ["storages"] 39 | verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] 40 | - apiGroups: ["csm-authorization.storage.dell.com"] 41 | resources: ["storages/status"] 42 | verbs: ["get", "update", "patch"] 43 | - apiGroups: ["csm-authorization.storage.dell.com"] 44 | resources: ["storages/finalizers"] 45 | verbs: ["update"] 46 | --- 47 | kind: ClusterRoleBinding 48 | apiVersion: rbac.authorization.k8s.io/v1 49 | metadata: 50 | name: authorization-controller 51 | subjects: 52 | - kind: ServiceAccount 53 | name: authorization-controller 54 | namespace: {{ include "custom.namespace" . 
}} 55 | roleRef: 56 | kind: ClusterRole 57 | name: authorization-controller 58 | apiGroup: rbac.authorization.k8s.io 59 | --- 60 | kind: Role 61 | apiVersion: rbac.authorization.k8s.io/v1 62 | metadata: 63 | name: authorization-controller 64 | namespace: {{ include "custom.namespace" . }} 65 | rules: 66 | - apiGroups: ["coordination.k8s.io"] 67 | resources: ["leases"] 68 | verbs: ["create", "update", "get", "list"] 69 | --- 70 | kind: RoleBinding 71 | apiVersion: rbac.authorization.k8s.io/v1 72 | metadata: 73 | name: authorization-controller 74 | namespace: {{ include "custom.namespace" . }} 75 | subjects: 76 | - kind: ServiceAccount 77 | name: authorization-controller 78 | namespace: {{ include "custom.namespace" . }} 79 | roleRef: 80 | kind: Role 81 | name: authorization-controller 82 | apiGroup: rbac.authorization.k8s.io 83 | --- 84 | apiVersion: apps/v1 85 | kind: Deployment 86 | metadata: 87 | name: authorization-controller 88 | namespace: {{ include "custom.namespace" . }} 89 | labels: 90 | app: authorization-controller 91 | spec: 92 | replicas: 1 93 | selector: 94 | matchLabels: 95 | app: authorization-controller 96 | template: 97 | metadata: 98 | labels: 99 | app: authorization-controller 100 | spec: 101 | serviceAccountName: authorization-controller 102 | containers: 103 | - name: authorization-controller 104 | image: {{ required "Must provide the controller image." 
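.Values.authorization.images.authorizationController.image }}
          imagePullPolicy: Always
          # NOTE(review): these addresses are built from .Release.Namespace while
          # metadata.namespace and the NAMESPACE env var come from the
          # custom.namespace helper; if the helper can resolve to a different
          # namespace than the release, the controller dials services that do
          # not exist there.
          args:
            - "--authorization-namespace={{ .Release.Namespace }}"
            - "--health-probe-bind-address=:8081"
            - "--leader-elect=true"
            - "--tenant-service-address=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
            - "--storage-service-address=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
            - "--role-service-address=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
          env:
            - name: NAMESPACE
              value: {{ include "custom.namespace" . }}
          ports:
            - containerPort: 50052
              name: http
---
apiVersion: v1
kind: Service
metadata:
  name: authorization-controller
  namespace: {{ include "custom.namespace" . }}
spec:
  selector:
    app: authorization-controller
  ports:
    - port: 50052
      targetPort: 50052
      name: http
---
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/certificate.yaml:
--------------------------------------------------------------------------------
# If the cert and key are provided, use them to create a tls secret.
# Both values must be set: supplying only one of them falls through to the
# self-signed path below, so a half-configured override silently ends up with
# a self-signed certificate.
{{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
{{- $certificateFileContents := .Values.authorization.certificate }}
{{- $privateKeyFileContents := .Values.authorization.privateKey }}
apiVersion: v1
data:
  tls.crt: {{ $certificateFileContents | b64enc }}
  tls.key: {{ $privateKeyFileContents | b64enc }}
kind: Secret
type: kubernetes.io/tls
metadata:
  name: user-provided-tls
  namespace: {{ include "custom.namespace" . }}

---
{{- end }}


# If the cert and key are not provided, use cert-manager to create a self-signed tls secret.
# Clients of the proxy-server ingress have no CA to validate a self-signed
# certificate against, so this path is for evaluation; supply
# authorization.certificate/privateKey for any deployment that serves real tenants.
{{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned
  namespace: {{ include "custom.namespace" . }}
spec:
  selfSigned: {}

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: karavi-auth
  namespace: {{ include "custom.namespace" . }}
spec:
  secretName: karavi-selfsigned-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dellemc
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  # NOTE(review): "client auth" is not needed for a certificate that is only
  # served by the ingress -- confirm nothing uses this key pair as a client.
  usages:
    - server auth
    - client auth
  dnsNames:
    - karavi-auth
    # Fixed: this SAN used the suffix "svc.kubernetes.local", which is not the
    # cluster DNS domain. Every other in-cluster address in this chart uses
    # "svc.cluster.local", so the old name could never match a real lookup.
    - karavi-auth.{{ include "custom.namespace" . }}.svc.cluster.local
    - {{ .Values.authorization.hostname }}
    {{- if .Values.authorization.proxyServerIngress.hosts }}
    {{- range .Values.authorization.proxyServerIngress.hosts }}
    - {{ tpl . $}}
    {{- end }}
    {{- end}}
  issuerRef:
    name: selfsigned
    kind: Issuer
    group: cert-manager.io
{{- end }}
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/csm-config-params.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ConfigMap
metadata:
  name: csm-config-params
  namespace: {{ include "custom.namespace" .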
}}
data:
  # Mounted by proxy-server, role-service and tenant-service. LOG_LEVEL comes
  # from values (default "debug" in values.yaml) and applies to the
  # authorization proxy, so it governs how much request detail ends up in logs.
  csm-config-params.yaml: |
    CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }}
    CONCURRENT_POWERSCALE_REQUESTS: {{ .Values.authorization.concurrentPowerScaleRequests }}
    LOG_LEVEL: {{ .Values.authorization.logLevel }}
    STORAGE_CAPACITY_POLL_INTERVAL: {{ .Values.authorization.storageCapacityPollInterval }}
    {{- if (.Values.authorization.zipkin.collectoruri) }}
    zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }}
    zipkin.probability: {{ .Values.authorization.zipkin.probability }}
    {{- end }}
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/ingress.yaml:
--------------------------------------------------------------------------------
# Ingress in front of proxy-server. TLS terminates here (edge-terminated route
# on OpenShift); the hop from the ingress controller to proxy-server:8080 is
# plain HTTP inside the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: proxy-server
  namespace: {{ include "custom.namespace" . }}
  annotations:
    {{- if eq .Values.openshift true }}
    route.openshift.io/termination: "edge"
    {{- end }}
    {{- if .Values.authorization.proxyServerIngress.annotations }}
    {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }}
    {{ $key }}: {{ tpl $value $ | quote }}
    {{- end }}
    {{- end }}
spec:
  {{- if eq .Values.nginx.enabled true }}
  ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }}
  {{- end }}
  # The TLS secret mirrors the choice made in certificate.yaml: the operator's
  # own cert when both certificate and privateKey are set, otherwise the
  # cert-manager self-signed one.
  tls:
    - hosts:
        - {{ .Values.authorization.hostname }}
        {{- if .Values.authorization.proxyServerIngress.hosts }}
        {{- range .Values.authorization.proxyServerIngress.hosts }}
        - {{ tpl . $}}
        {{- end }}
        {{- end}}
      {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }}
      secretName: user-provided-tls
      {{- else }}
      secretName: karavi-selfsigned-tls
      {{- end }}
  rules:
    - host: {{ .Values.authorization.hostname }}
      http:
        paths:
          - backend:
              service:
                name: proxy-server
                port:
                  number: 8080
            path: /
            pathType: Prefix
    {{- if .Values.authorization.proxyServerIngress.hosts }}
    {{- range .Values.authorization.proxyServerIngress.hosts }}
    - host: {{ tpl . $}}
      http:
        paths:
          - backend:
              service:
                name: proxy-server
                port:
                  number: 8080
            path: /
            pathType: Prefix
    {{- end }}
    {{- end }}
    # Host-less catch-all: serves proxy-server for requests that arrive by IP
    # address or with a Host header not listed above (see the hostname note in
    # values.yaml). Such requests are not covered by the tls.hosts entries.
    - http:
        paths:
          - backend:
              service:
                name: proxy-server
                port:
                  number: 8080
            path: /
            pathType: Prefix
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/policies.yaml:
--------------------------------------------------------------------------------
# One ConfigMap per Rego policy. The openpolicyagent.org/policy=rego label is
# what the kube-mgmt sidecar in proxy-server.yaml selects when loading policies
# into OPA, and it only watches the chart namespace (--namespaces).
apiVersion: v1
kind: ConfigMap
metadata:
  name: common
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: volumes-create
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: volumes-delete
  namespace: {{ include "custom.namespace" .
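}}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: volumes-map
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: powermax-volumes-create
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }}
---
# The three ConfigMaps below used .Release.Namespace for metadata.namespace,
# while every other policy ConfigMap in this file -- and the kube-mgmt sidecar
# in proxy-server.yaml, which only watches the namespace given by
# --namespaces=<custom.namespace> -- use the custom.namespace helper. Whenever
# the helper resolves to something other than the release namespace,
# volumes-unmap, sdc-approve and snapshot-create were created where kube-mgmt
# never looks and those operations were evaluated with their policy missing
# from OPA. They now use custom.namespace like the rest.
apiVersion: v1
kind: ConfigMap
metadata:
  name: volumes-unmap
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: sdc-approve
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: snapshot-create
  namespace: {{ include "custom.namespace" . }}
  labels:
    openpolicyagent.org/policy: rego
data:
  {{- (.Files.Glob "policies/snapshot-create.rego").AsConfig | nindent 2 }}
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/proxy-server.yaml:
--------------------------------------------------------------------------------
# Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt
# list configmaps to be loaded into OPA as policies.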
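apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csm-auth-view
rules:
  # NOTE(review): kube-mgmt below is started with --namespaces=<this namespace>,
  # so a namespaced Role should be enough instead of a cluster-wide read of all
  # ConfigMaps -- confirm kube-mgmt does not list cluster-wide before narrowing.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
# Bind the view role to the proxy-server ServiceAccount only: kube-mgmt runs as
# a sidecar in the proxy-server pod, which uses that ServiceAccount. This
# binding (and the RoleBinding below) previously named the Group
# system:serviceaccounts:<namespace>, i.e. every ServiceAccount in the
# namespace -- "default" and the other CSM services included -- received
# cluster-wide ConfigMap read and namespace-wide ConfigMap write it does not need.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: opa-viewer
roleRef:
  kind: ClusterRole
  name: csm-auth-view
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: proxy-server
    namespace: {{ include "custom.namespace" . }}
---
# Define role for OPA/kube-mgmt to update configmaps with policy status.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: {{ include "custom.namespace" . }}
  name: configmap-modifier
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["update", "patch"]
---
# Grant OPA/kube-mgmt the role defined above (same subject as opa-viewer).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: {{ include "custom.namespace" . }}
  name: opa-configmap-modifier
roleRef:
  kind: Role
  name: configmap-modifier
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: proxy-server
    namespace: {{ include "custom.namespace" . }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: proxy-server
  namespace: {{ include "custom.namespace" . }}
---
# Permissions the proxy-server binary itself uses: watch Events and read the
# chart's storages/csmtenants custom resources.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: proxy-server
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["watch"]
  - apiGroups: ["csm-authorization.storage.dell.com"]
    resources: ["storages", "csmtenants"]
    verbs: ["get", "list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: proxy-server
subjects:
  - kind: ServiceAccount
    name: proxy-server
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: ClusterRole
  name: proxy-server
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: proxy-server
  namespace: {{ include "custom.namespace" . }}
  labels:
    app: proxy-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: proxy-server
  template:
    metadata:
      labels:
        app: proxy-server
    spec:
      # "serviceAccount" is the deprecated alias of this field; the other
      # deployments in this chart use serviceAccountName.
      serviceAccountName: proxy-server
      containers:

        - name: proxy-server
          image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService.image }}
          imagePullPolicy: Always
          env:
          {{- $str := "" -}}
          {{- $ns := include "custom.namespace" . -}}
          {{- $replicas := .Values.redis.replicas | int }}
          {{- $sentinel := .Values.redis.sentinel }}
          {{- range $i, $e := until $replicas }}
          {{- if $i }}
          {{- $str = print $str "," -}}
          {{- end }}
          {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
          {{- end }}
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-csm-secret
                  key: password
          args:
            - "--redis-sentinel={{ $str }}"
            # NOTE(review): $(REDIS_PASSWORD) is expanded into argv by the
            # kubelet, so the secret is readable from /proc inside the container
            # and by node-level process listings; prefer having the binary read
            # REDIS_PASSWORD from the environment if it supports that.
            - "--redis-password=$(REDIS_PASSWORD)"
            # NOTE(review): service addresses use .Release.Namespace while the
            # sentinel list above is built from custom.namespace; they only agree
            # when the helper resolves to the release namespace.
            - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
            - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
            - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051"
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: config-volume
              mountPath: /etc/karavi-authorization/config
            - name: csm-config-params
              mountPath: /etc/karavi-authorization/csm-config-params
        - name: opa
          image: {{ required "Must provide the openpolicyagent image." .Values.authorization.images.opa.image }}
          imagePullPolicy: IfNotPresent
          # NOTE(review): OPA is started without --addr, so its REST API -- which
          # accepts policy and data writes -- listens on 0.0.0.0:8181 with no
          # authentication or authorization configured; any workload that can
          # reach this pod IP can change the authorization policy. If
          # proxy-server reaches OPA over localhost, "--addr=localhost:8181"
          # closes that -- confirm the endpoint proxy-server dials.
          # --log-level=debug may also log request bodies, i.e. decision inputs
          # including tenant claims.
          args:
            - "run"
            - "--ignore=."
            - "--server"
            - "--log-level=debug"
          ports:
            - name: http
              containerPort: 8181
        - name: kube-mgmt
          image: {{ required "Must provide the opaKubeMgmt image." .Values.authorization.images.opaKubeMgmt.image }}
          imagePullPolicy: IfNotPresent
          # Loads the policy ConfigMaps from policies.yaml (this namespace only)
          # into the OPA sidecar. --enable-data additionally loads ConfigMaps
          # carrying kube-mgmt's data label, so anyone who can create a ConfigMap
          # in this namespace can inject policy data.
          args:
            - "--namespaces={{ include "custom.namespace" . }}"
            - "--enable-data"
      volumes:
        - name: config-volume
          secret:
            secretName: karavi-config-secret
        - name: csm-config-params
          configMap:
            name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
  name: proxy-server
  namespace: {{ include "custom.namespace" .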
}}
spec:
  selector:
    app: proxy-server
  # Plain HTTP; TLS is terminated at the ingress (ingress.yaml).
  ports:
    - name: http
      protocol: TCP
      port: 8080
      targetPort: 8080
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/role-service.yaml:
--------------------------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: role-service
  namespace: {{ include "custom.namespace" . }}
---
# NOTE(review): get/patch on ConfigMaps in every namespace. The service is told
# its own namespace through the NAMESPACE env var below and the policy
# ConfigMaps of this chart live there, so a namespaced Role is probably
# sufficient -- confirm which ConfigMaps role-service patches before narrowing.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-service
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "patch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: role-service
subjects:
  - kind: ServiceAccount
    name: role-service
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: ClusterRole
  name: role-service
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: role-service
  namespace: {{ include "custom.namespace" . }}
  labels:
    app: role-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: role-service
  template:
    metadata:
      labels:
        app: role-service
    spec:
      serviceAccountName: role-service
      containers:
        - name: role-service
          image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService.image }}
          imagePullPolicy: Always
          # gRPC endpoint consumed by proxy-server and authorization-controller
          # via role-service.<namespace>.svc.cluster.local:50051.
          ports:
            - containerPort: 50051
              name: grpc
          env:
            - name: NAMESPACE
              value: {{ include "custom.namespace" .
}}
          volumeMounts:
            - name: csm-config-params
              mountPath: /etc/karavi-authorization/csm-config-params
      volumes:
        - name: csm-config-params
          configMap:
            name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
  name: role-service
  namespace: {{ include "custom.namespace" . }}
spec:
  selector:
    app: role-service
  ports:
    - port: 50051
      targetPort: 50051
      name: grpc
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/templates/tenant-service.yaml:
--------------------------------------------------------------------------------
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tenant-service
  namespace: {{ include "custom.namespace" . }}
  labels:
    app: tenant-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tenant-service
  template:
    metadata:
      labels:
        app: tenant-service
    spec:
      # NOTE(review): no serviceAccountName here, unlike proxy-server,
      # role-service and authorization-controller, so this pod runs under the
      # namespace's "default" ServiceAccount with its API token automounted.
      # Nothing in this manifest needs the API; if the tenant-service binary does
      # not either, set automountServiceAccountToken: false.
      containers:
        - name: tenant-service
          image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService.image }}
          imagePullPolicy: Always
          env:
          {{- $str := "" -}}
          {{- $ns := include "custom.namespace" . -}}
          {{- $replicas := .Values.redis.replicas | int }}
          {{- $sentinel := .Values.redis.sentinel }}
          {{- range $i, $e := until $replicas }}
          {{- if $i }}
          {{- $str = print $str "," -}}
          {{- end }}
          {{- $str = printf "%s%s-%d.%s.%s.svc.cluster.local:5000" $str $sentinel $i $sentinel $ns -}}
          {{- end }}
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: redis-csm-secret
                  key: password
          args:
            - "--redis-sentinel={{ $str }}"
            # NOTE(review): the secret is expanded into argv and therefore
            # visible in /proc and node-level process listings (same pattern as
            # proxy-server).
            - "--redis-password=$(REDIS_PASSWORD)"
          ports:
            - containerPort: 50051
              name: grpc
          volumeMounts:
            - name: config-volume
              mountPath: /etc/karavi-authorization/config
            - name: csm-config-params
              mountPath: /etc/karavi-authorization/csm-config-params
      volumes:
        - name: config-volume
          secret:
            secretName: karavi-config-secret
        - name: csm-config-params
          configMap:
            name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
  name: tenant-service
  namespace: {{ include "custom.namespace" .
}}
spec:
  selector:
    app: tenant-service
  ports:
    - port: 50051
      targetPort: 50051
      name: grpc
--------------------------------------------------------------------------------
/charts/csm-authorization-v2.0/values.yaml:
--------------------------------------------------------------------------------
---
# set to true if installing on an OpenShift Container Platform
# if enabled, the OpenShift Ingress Operator will be used
# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section
openshift: false

# set to true if installing on a Kubernetes Container Platform
# if enabled, NGINX Ingress Controller will be deployed
# if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section
nginx:
  enabled: true

# if enabled, cert-manager will be deployed
# if cert-manager is already deployed, keep this false
cert-manager:
  enabled: true

authorization:
  # images to use in installation
  images:
    proxyService:
      image: quay.io/dell/container-storage-modules/csm-authorization-proxy:v2.2.0
    tenantService:
      image: quay.io/dell/container-storage-modules/csm-authorization-tenant:v2.2.0
    roleService:
      image: quay.io/dell/container-storage-modules/csm-authorization-role:v2.2.0
    storageService:
      image: quay.io/dell/container-storage-modules/csm-authorization-storage:v2.2.0
    authorizationController:
      image: quay.io/dell/container-storage-modules/csm-authorization-controller:v2.2.0
    opa:
      image: docker.io/openpolicyagent/opa:0.70.0
    opaKubeMgmt:
      image: openpolicyagent/kube-mgmt:8.5.12

  # proxy-server ingress will use this hostname
  # NOTE: additional hostnames can be configured in authorization.proxyServerIngress.hosts
  # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required
  # NOTE(review): the default is a placeholder that is also a real public
  # domain; it ends up in the TLS certificate SANs and the ingress host rule,
  # so set it to a name you control.
  hostname: csm-authorization.com

  # log level for csm-authorization
  # NOTE(review): this is the proxy's log level (LOG_LEVEL in csm-config-params);
  # debug in production risks logging tenant request details -- prefer info.
  logLevel: debug

  # number, as a string, of concurrent requests for the storage-service to make to PowerFlex
  # currently only used with dellctl to list tenant volumes
  concurrentPowerFlexRequests: "10"

  # number, as a string, of concurrent requests for the storage-service to make to PowerScale
  # currently only used with dellctl to list tenant volumes
  concurrentPowerScaleRequests: "10"

  # tracing configuration
  # this can be updated on the fly via the csm-config-params configMap
  zipkin:
    {}
    # collectoruri: http://DNS-hostname:9411/api/v2/spans
    # probability: 1

  # openTelemetryCollectorAddress: the OTLP receiving endpoint using gRPC
  openTelemetryCollectorAddress: ""

  # proxy-server ingress configuration
  proxyServerIngress:
    ingressClassName: nginx

    # additional host rules for the proxy-server ingress
    hosts:
      []
      # - [application name]-ingress-nginx-controller.[namespace].svc.cluster.local

    # additional annotations for the proxy-server ingress
    annotations: {}

  # storage capacity poll interval
  storageCapacityPollInterval: 30m

redis:
  name: redis-csm
  sentinel: sentinel
  rediscommander: rediscommander
  # number of sentinel instances; the services build their --redis-sentinel
  # list as <sentinel>-0..<replicas-1>.<sentinel>.<namespace>.svc.cluster.local:5000
  replicas: 5
  images:
    redis:
      image: redis:7.4.2-alpine
    commander:
      # NOTE(review): floating "latest" tag -- not reproducible and not
      # auditable; pin a digest or version like the other images here.
      image: rediscommander/redis-commander:latest

vault:
  - identifier: vault0
    address: https://10.0.0.1:8400
    role: csm-authorization
    # NOTE(review): true disables TLS verification of the Vault server, so the
    # connection that fetches storage credentials can be intercepted. Set it to
    # false and provide certificateAuthority for anything beyond a lab.
    skipCertificateValidation: true
    # clientCertificate: base64-encoded certificate for cert/private-key pair -- add certificate here to use custom certificates
    # for self-signed certs, leave empty string
    clientCertificate:
    # clientKey: base64-encoded private key for cert/private-key pair -- add private key here to use custom certificates
    # for self-signed certs, leave empty string
    clientKey:
    # certificateAuthority: base64-encoded certificate authority for validating vault server certificate -- add certificate authority here to use custom certificates
    # for self-signed certs, leave empty string
    certificateAuthority:
  # - identifier: vault1
  #   address: https://10.0.0.2:8400
  #   role: csm-authorization
  #   skipCertificateValidation: true
  #   clientCertificate:
  #   clientKey:
  #   certificateAuthority:
--------------------------------------------------------------------------------
/charts/csm-authorization/.gitignore:
--------------------------------------------------------------------------------
Chart.lock
charts/*tgz
--------------------------------------------------------------------------------
/charts/csm-authorization/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
installer/
--------------------------------------------------------------------------------
/charts/csm-authorization/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: csm-authorization
version: 1.14.0
appVersion: 1.14.0
type: application
description: |
  CSM for Authorization is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes
  storage enablers for Dell EMC storage products. CSM for Authorization provides storage and Kubernetes administrators the ability
  to apply RBAC for Dell CSI Drivers.
dependencies:
  - name: redis
    version: 0.1.0
    # NOTE(review): "required" is not a values path of the form the other two
    # dependencies use (<chart>.enabled). If no "required" key exists in values,
    # Helm treats the condition as having no effect and always installs the
    # subchart -- presumably the intent, but spell it out or drop the line.
    condition: required
  - name: cert-manager
    # NOTE(review): a several-years-old cert-manager line; it installs
    # cluster-wide CRDs and webhooks, so either pin a currently supported
    # release or set cert-manager.enabled=false and manage it separately.
    version: 1.10.0
    repository: https://charts.jetstack.io
    condition: cert-manager.enabled
  - name: ingress-nginx
    version: 4.12.1
    repository: https://kubernetes.github.io/ingress-nginx
    condition: ingress-nginx.enabled
--------------------------------------------------------------------------------
/charts/csm-authorization/README.md:
--------------------------------------------------------------------------------


# Container Storage Modules (CSM) for Authorization Dell Community Helm Chart

CSM for Authorization can be deployed using Helm.

For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/authorization/deployment/helm).

## Helm Chart Versioning

For an explanation and examples on versioning/releasing the CSM for Authorization Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy).
--------------------------------------------------------------------------------
/charts/csm-authorization/charts/redis/.helmignore:
--------------------------------------------------------------------------------
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
--------------------------------------------------------------------------------
/charts/csm-authorization/charts/redis/Chart.yaml:
--------------------------------------------------------------------------------
apiVersion: v2
name: redis
description: A Helm chart for Redis
type: application
version: 0.1.0
appVersion: 0.1.0
--------------------------------------------------------------------------------
/charts/csm-authorization/charts/redis/templates/redis.yaml:
--------------------------------------------------------------------------------
# Single-instance Redis used by the csm-authorization (v1) chart, plus a
# redis-commander web UI. Both are cluster-internal (ClusterIP) only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-primary
  namespace: {{ include "custom.namespace" .
}}
  labels:
    app: redis
spec:
  selector:
    matchLabels:
      app: redis
      role: primary
      tier: backend
  replicas: 1
  template:
    metadata:
      labels:
        app: redis
        role: primary
        tier: backend
    spec:
      containers:
        # NOTE(review): Redis is started without --requirepass, so every
        # workload that can reach Service "redis" on 6379 has full read/write
        # over whatever the authorization services persist here. This container
        # also has no securityContext, unlike redis-commander below.
        - name: primary
          image: {{ .Values.images.redis.image }}
          imagePullPolicy: IfNotPresent
          # AOF with fsync on every write: durability over throughput.
          args: ["--appendonly", "yes", "--appendfsync", "always"]
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
          ports:
            - containerPort: 6379
          volumeMounts:
            - name: redis-primary-volume
              mountPath: /data
      volumes:
        - name: redis-primary-volume
          persistentVolumeClaim:
            claimName: redis-primary-pv-claim
---
# Fallback when no storageClass is given: a no-provisioner class backed by a
# hostPath on whichever node first schedules the pod (WaitForFirstConsumer).
# The data is tied to that node, and Recycle is a deprecated reclaim policy;
# treat this as single-node/evaluation storage only.
{{- if not (.Values.storageClass) }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csm-authorization-local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: csm-authorization-redis
spec:
  capacity:
    storage: 8Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Recycle
  storageClassName: csm-authorization-local-storage
  hostPath:
    path: /csm-authorization/redis
{{- end}}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: redis-primary-pv-claim
  namespace: {{ include "custom.namespace" . }}
  labels:
    app: redis-primary
spec:
  accessModes:
    - ReadWriteOnce
  {{- if (.Values.storageClass) }}
  storageClassName: {{.Values.storageClass }}
  {{ else }}
  storageClassName: csm-authorization-local-storage
  {{- end}}
  resources:
    requests:
      storage: 8Gi
---
# NOTE(review): redis-commander is a browser UI with full read/write access to
# the Redis above, and no authentication is configured in this manifest. The
# Service is ClusterIP, so exposure is cluster-internal, but anything that can
# reach or port-forward to it can edit authorization state. Disable it outside
# development, or configure the image's authentication if it offers one.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis-commander
  namespace: {{ include "custom.namespace" .
}}
spec:
  selector:
    app: redis-commander
  ports:
    - protocol: TCP
      port: 8081
      targetPort: 8081
--------------------------------------------------------------------------------
/charts/csm-authorization/charts/redis/values.yaml:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dell/helm-charts/8ca9be0d645117ab6f5640ce501423a65f5ea65c/charts/csm-authorization/charts/redis/values.yaml
--------------------------------------------------------------------------------
/charts/csm-authorization/policies/common.rego:
--------------------------------------------------------------------------------
# Shared data package. `roles` is an empty placeholder here; the other policies
# read data.karavi.common.roles and deny when it is still {} (see
# volumes-create.rego). NOTE(review): presumably role-service rewrites this
# ConfigMap at runtime (its ClusterRole has configmaps get/patch) -- confirm.
package karavi.common
default roles = {}
roles = {}

--------------------------------------------------------------------------------
/charts/csm-authorization/policies/sdc-approve.rego:
--------------------------------------------------------------------------------
# Copyright © 2023 Dell Inc., or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http:#www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

package karavi.sdc.approve

# NOTE(review): imported but not referenced anywhere in this policy.
import data.karavi.common

# Allow requests by default.
# NOTE(review): this policy is fail-open, and nothing below ever sets `allow`
# to false -- a request with no claims still evaluates allow == true; only
# `response` reports allowed:false with a reason. Which of the two the proxy
# consults is not visible here; if it is `allow`, the claims check below has no
# effect. Contrast volumes-create.rego, which defaults to deny.
default allow = true

# `response` is what carries the deny reasons: it flips to allowed:false when
# the `deny` set is non-empty (concat of the messages is non-empty).
default response = {
  "allowed": true
}
response = {
  "allowed": false,
  "status": {
    "reason": reason,
  },
} {
  reason = concat(", ", deny)
  reason != ""
}

# Claims from the tenant token; {} when the input carries none.
default claims = {}
claims = input.claims
# The only deny rule: the request must come with claims.
deny[msg] {
  claims == {}
  msg := sprintf("missing claims", [])
}
--------------------------------------------------------------------------------
/charts/csm-authorization/policies/volumes-create-test.rego:
--------------------------------------------------------------------------------
# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http:#www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
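package karavi.volumes.create

# Role fixtures for the tests below. Quotas are in Kb. "us-east-1" stores
# its bronze quota as a numeric string and the others store numbers, so the
# fixtures cover both shapes the policy accepts through to_number().
roles = {
	"us-east-1": {
		"system_types": {
			"powerflex": {
				"system_ids": {
					"2222": {
						"pool_quotas": {
							"bronze": "44000000"
						}
					}
				}
			}
		}
	},
	"us-west-1": {
		"system_types": {
			"powerflex": {
				"system_ids": {
					"1111": {
						"pool_quotas": {
							"bronze": 83886080
						}
					}
				}
			}
		}
	},
	"us-west-2-small": {
		"system_types": {
			"powerflex": {
				"system_ids": {
					"2222": {
						"pool_quotas": {
							"bronze": 83886080
						}
					}
				}
			}
		}
	},
	"us-west-2-large": {
		"system_types": {
			"powerflex": {
				"system_ids": {
					"2222": {
						"pool_quotas": {
							"bronze": 838860800,
							"silver": 93886080000
						}
					}
				}
			}
		}
	}
}

# An 8388608 Kb request against us-east-1's 44000000 Kb bronze quota on
# powerflex/2222 must be allowed.
test_small_request_allowed {
	allow with input as {
		"claims": {
			"aud": "karavi",
			"exp": 1615426023,
			"group": "DevOpsGroup1",
			"iss": "com.dell.karavi",
			"roles": "us-east-1",
			"sub": "karavi-tenant"
		},
		"request": {
			"name": "k8s-0fc0695995",
			"protectionDomainId": "6b2ffe6c00000000",
			"storagePoolId": "ae376b0300000000",
			"volumeSizeInKb": "8388608",
			"volumeType": "ThinProvisioned"
		},
		"storagepool": "bronze",
		"storagesystemid": "2222",
		"systemtype": "powerflex"
	} with data.karavi.common.roles as roles
}

# A 9999999999 Kb request must be denied: both claimed roles are configured
# for powerflex/2222/bronze, but neither quota (83886080, 838860800) covers it.
# The input keys must be the ones the policy reads ("systemtype", as in the
# test above - the previous "storagetype" key is never read by the policy);
# with an unknown key no configured role is found at all, so the test passed
# without ever exercising the quota comparison it is meant to cover.
test_large_request_not_allowed {
	not allow with input as {
		"claims": {
			"aud": "karavi",
			"exp": 1615426023,
			"group": "DevOpsGroup1",
			"iss": "com.dell.karavi",
			"roles": "us-west-2-small,us-west-2-large",
			"sub": "karavi-tenant"
		},
		"request": {
			"name": "k8s-0fc0695995",
			"protectionDomainId": "6b2ffe6c00000000",
			"storagePoolId": "ae376b0300000000",
			"volumeSizeInKb": "9999999999",
			"volumeType": "ThinProvisioned"
		},
		"storagepool": "bronze",
		"storagesystemid": "2222",
		"systemtype": "powerflex"
	} with data.karavi.common.roles as roles
}
--------------------------------------------------------------------------------
/charts/csm-authorization/policies/volumes-create.rego:
--------------------------------------------------------------------------------
# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

package karavi.volumes.create

import data.karavi.common

# Deny requests by default.
default allow = false

#
# Allows the request if one of the claimed roles matches
# a role configured to allow the storage request.
#
allow {
	count(permitted_roles) != 0
	count(deny) == 0
}

#
# Deny if there are no roles found.
#
deny[msg] {
	common.roles == {}
	msg := sprintf("no configured roles", [])
}

#
# Deny if claimed roles has no match for the request.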
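#
deny[msg] {
	count(permitted_roles) == 0
	msg := sprintf("no roles in [%s] allow the %s Kb request on %s/%s/%s",
		[input.claims.roles,
		input.request.volumeSizeInKb,
		input.systemtype,
		input.storagesystemid,
		input.storagepool])
}

#
# These are permitted roles that are configured
# with the requested storage system, mapped to
# the allowable quota (in Kb) for the requested
# storage pool.
#
# Example: { "role-1": 800000 }
#
# Both the configured quota and the requested size go through
# to_number() before they are compared. Quotas may be stored as
# numeric strings (see the "us-east-1" fixture in
# volumes-create-test.rego). Comparing a raw string against a
# number with >= uses OPA's cross-type ordering, in which every
# string sorts above every number, so an un-converted string
# quota would satisfy a request of any size. A quota that is not
# numeric makes to_number() undefined, which simply drops the
# role from permitted_roles (fail closed).
#
permitted_roles[v] = quota {
	# Split the claimed roles by comma into an array.
	claimed_roles := split(input.claims.roles, ",")

	# Keep only the claimed roles that exist in common.roles.
	some i
	v := claimed_roles[i]
	common.roles[v]

	# Quota configured for the requested system type / system id / pool.
	quota := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
	quota >= to_number(input.request.volumeSizeInKb)
}

# These are the permitted roles that are configured
# with zero quota, meaning infinite capacity.
#
permitted_roles[v] = quota {
	# Split the claimed roles by comma into an array.
	claimed_roles := split(input.claims.roles, ",")

	# Keep only the claimed roles that exist in common.roles.
	some i
	v := claimed_roles[i]
	common.roles[v]

	# Zero (numeric or numeric-string) means no cap for this pool.
	quota := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
	quota == 0
}
--------------------------------------------------------------------------------
/charts/csm-authorization/policies/volumes-delete.rego:
--------------------------------------------------------------------------------
# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

package karavi.volumes.delete

import data.karavi.common

default response = {
	"allowed": true
}
response = {
	"allowed": false,
	"status": {
		"reason": reason,
	},
} {
	reason = concat(", ", deny)
	reason != ""
}

#
# Ensure there are roles configured.
#
deny[msg] {
	common.roles == {}
	msg := sprintf("no role data found", [])
}

#
# Validate input: claims.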
42 | # 43 | default claims = {} 44 | claims = input.claims 45 | deny[msg] { 46 | claims == {} 47 | msg := sprintf("missing claims", []) 48 | } 49 | -------------------------------------------------------------------------------- /charts/csm-authorization/policies/volumes-map.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.map 16 | 17 | import data.karavi.common 18 | 19 | default response = { 20 | "allowed": true 21 | } 22 | response = { 23 | "allowed": false, 24 | "status": { 25 | "reason": reason, 26 | }, 27 | } { 28 | reason = concat(", ", deny) 29 | reason != "" 30 | } 31 | 32 | deny[msg] { 33 | common.roles == {} 34 | msg := sprintf("no role data found", []) 35 | } 36 | 37 | default claims = {} 38 | claims = input.claims 39 | deny[msg] { 40 | claims == {} 41 | msg := sprintf("missing claims", []) 42 | } 43 | -------------------------------------------------------------------------------- /charts/csm-authorization/policies/volumes-powermax-create.rego: -------------------------------------------------------------------------------- 1 | # Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved. 
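#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

package karavi.volumes.powermax.create

import data.karavi.common

# Deny requests by default.
default allow = false

#
# Allows the request if one of the claimed roles matches
# a role configured to allow the storage request.
#
allow {
	count(permitted_roles) != 0
	count(deny) == 0
}

#
# Deny if there are no roles found.
#
deny[msg] {
	common.roles == {}
	msg := sprintf("no configured roles", [])
}

#
# Deny if claimed roles has no match for the request.
#
deny[msg] {
	count(permitted_roles) == 0
	msg := sprintf("no roles in [%s] allow the %v Kb request on %s/%s/%s",
		[input.claims.roles,
		input.request.volumeSizeInKb,
		input.systemtype,
		input.storagesystemid,
		input.storagepool])
}

#
# These are permitted roles that are configured
# with the requested storage system, mapped to
# the allowable quota (in Kb) for the requested
# storage pool.
#
# Example: { "role-1": 800000 }
#
# Both the configured quota and the requested size go through
# to_number() before they are compared. Quotas may be stored as
# numeric strings (see the "us-east-1" fixture in
# volumes-create-test.rego). Comparing a raw string against a
# number with >= uses OPA's cross-type ordering, in which every
# string sorts above every number, so an un-converted string
# quota would satisfy a request of any size. A quota that is not
# numeric makes to_number() undefined, which simply drops the
# role from permitted_roles (fail closed).
#
permitted_roles[v] = quota {
	# Split the claimed roles by comma into an array.
	claimed_roles := split(input.claims.roles, ",")

	# Keep only the claimed roles that exist in common.roles.
	some i
	v := claimed_roles[i]
	common.roles[v]

	# Quota configured for the requested system type / system id / pool.
	quota := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
	quota >= to_number(input.request.volumeSizeInKb)
}

# These are the permitted roles that are configured
# with zero quota, meaning infinite capacity.
#
permitted_roles[v] = quota {
	# Split the claimed roles by comma into an array.
	claimed_roles := split(input.claims.roles, ",")

	# Keep only the claimed roles that exist in common.roles.
	some i
	v := claimed_roles[i]
	common.roles[v]

	# Zero (numeric or numeric-string) means no cap for this pool.
	quota := to_number(common.roles[v].system_types[input.systemtype].system_ids[input.storagesystemid].pool_quotas[input.storagepool])
	quota == 0
}
--------------------------------------------------------------------------------
/charts/csm-authorization/policies/volumes-unmap.rego:
--------------------------------------------------------------------------------
# Copyright © 2022 Dell Inc., or its subsidiaries. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.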
5 | # You may obtain a copy of the License at 6 | # 7 | # http:#www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 14 | 15 | package karavi.volumes.unmap 16 | 17 | import data.karavi.common 18 | 19 | default response = { 20 | "allowed": true 21 | } 22 | response = { 23 | "allowed": false, 24 | "status": { 25 | "reason": reason, 26 | }, 27 | } { 28 | reason = concat(", ", deny) 29 | reason != "" 30 | } 31 | 32 | deny[msg] { 33 | common.roles == {} 34 | msg := sprintf("no role data found", []) 35 | } 36 | 37 | default claims = {} 38 | claims = input.claims 39 | deny[msg] { 40 | claims == {} 41 | msg := sprintf("missing claims", []) 42 | } 43 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | The CSM Authorization deployment has been successfully installed. 2 | 3 | Execute the following commands in your shell to print the URL of the CSM Authorization NodePort LoadBalancer: 4 | 5 | export NODE_PORT=$(kubectl get --namespace {{ include "custom.namespace" . }} -o jsonpath="{.spec.ports[1].nodePort}" service {{ include "custom.namespace" . }}-ingress-nginx-controller) 6 | export NODE_IP=$(kubectl get nodes --namespace {{ include "custom.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") 7 | echo https://$NODE_IP:$NODE_PORT 8 | 9 | LoadBalancer host rules for proxy-server: 10 | - {{ .Values.authorization.hostname }} 11 | - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . 
}}.svc.cluster.local 12 | 13 | authorization.proxyHost value for a CSI Driver examples: 14 | - {{ .Release.Name }}-ingress-nginx-controller.{{ include "custom.namespace" . }}.svc.cluster.local:443 (CSI Driver in the same cluster as CSM Authorization) 15 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Namespace for all resources to be installed into 3 | If not defined in values file then the helm release namespace is used 4 | By default this is not set so the helm release namespace will be used 5 | */}} 6 | 7 | {{- define "custom.namespace" -}} 8 | {{ .Values.namespace | default .Release.Namespace }} 9 | {{- end -}} -------------------------------------------------------------------------------- /charts/csm-authorization/templates/certificate.yaml: -------------------------------------------------------------------------------- 1 | # If the cert and key are provided, use them to create a tls secret. NOTE: the private key is passed in as a Helm value, so besides this Secret it is also persisted in the release's history (the Helm release Secret) and in any values file kept alongside it. 2 | {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} 3 | {{- $certificateFileContents := .Values.authorization.certificate }} 4 | {{- $privateKeyFileContents := .Values.authorization.privateKey }} 5 | apiVersion: v1 6 | data: 7 | tls.crt: {{ $certificateFileContents | b64enc }} 8 | tls.key: {{ $privateKeyFileContents | b64enc }} 9 | kind: Secret 10 | type: kubernetes.io/tls 11 | metadata: 12 | name: user-provided-tls 13 | namespace: {{ include "custom.namespace" . }} 14 | 15 | --- 16 | {{- end }} 17 | 18 | 19 | # If the cert and key are not provided, use cert-manager to create a self-signed tls secret. NOTE(review): the Certificate's dnsNames below include "karavi-auth.<namespace>.svc.kubernetes.local", while NOTES.txt and the proxy-server arguments elsewhere in this chart use the "svc.cluster.local" domain; verify the intended in-cluster name, since hostname verification against the in-cluster service name will fail if the SAN is wrong. 20 | {{- if or (not .Values.authorization.certificate) (not .Values.authorization.privateKey) }} 21 | apiVersion: cert-manager.io/v1 22 | kind: Issuer 23 | metadata: 24 | name: selfsigned 25 | namespace: {{ include "custom.namespace" . 
}} 26 | spec: 27 | selfSigned: {} 28 | 29 | --- 30 | 31 | apiVersion: cert-manager.io/v1 32 | kind: Certificate 33 | metadata: 34 | name: karavi-auth 35 | namespace: {{ include "custom.namespace" . }} 36 | spec: 37 | secretName: karavi-selfsigned-tls 38 | duration: 2160h # 90d 39 | renewBefore: 360h # 15d 40 | subject: 41 | organizations: 42 | - dellemc 43 | isCA: false 44 | privateKey: 45 | algorithm: RSA 46 | encoding: PKCS1 47 | size: 2048 48 | usages: 49 | - server auth 50 | - client auth 51 | dnsNames: 52 | - karavi-auth 53 | - karavi-auth.{{ include "custom.namespace" . }}.svc.kubernetes.local 54 | - {{ .Values.authorization.hostname }} 55 | {{- if .Values.authorization.proxyServerIngress.hosts }} 56 | {{- range .Values.authorization.proxyServerIngress.hosts }} 57 | - {{ tpl . $}} 58 | {{- end }} 59 | {{- end}} 60 | issuerRef: 61 | name: selfsigned 62 | kind: Issuer 63 | group: cert-manager.io 64 | {{- end }} 65 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/csm-config-params.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: csm-config-params 5 | namespace: {{ include "custom.namespace" . 
}} 6 | data: 7 | csm-config-params.yaml: | 8 | CONCURRENT_POWERFLEX_REQUESTS: {{ .Values.authorization.concurrentPowerFlexRequests }} 9 | LOG_LEVEL: {{ .Values.authorization.logLevel }} 10 | {{- if (.Values.authorization.zipkin.collectoruri) }} 11 | zipkin.collectoruri: {{ .Values.authorization.zipkin.collectoruri }} 12 | zipkin.probability: {{ .Values.authorization.zipkin.probability }} 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: Ingress 3 | metadata: 4 | name: proxy-server 5 | namespace: {{ include "custom.namespace" . }} 6 | {{- if .Values.authorization.proxyServerIngress.annotations }} 7 | annotations: 8 | {{- range $key, $value := .Values.authorization.proxyServerIngress.annotations }} 9 | {{ $key }}: {{ tpl $value $ | quote }} 10 | {{- end }} 11 | {{- end }} 12 | spec: 13 | ingressClassName: {{ .Values.authorization.proxyServerIngress.ingressClassName }} 14 | tls: 15 | - hosts: 16 | - {{ .Values.authorization.hostname }} 17 | {{- if .Values.authorization.proxyServerIngress.hosts }} 18 | {{- range .Values.authorization.proxyServerIngress.hosts }} 19 | - {{ tpl . $}} 20 | {{- end }} 21 | {{- end}} 22 | {{- if and (.Values.authorization.certificate) (.Values.authorization.privateKey) }} 23 | secretName: user-provided-tls 24 | {{- else }} 25 | secretName: karavi-selfsigned-tls 26 | {{- end }} 27 | rules: 28 | - host: {{ .Values.authorization.hostname }} 29 | http: 30 | paths: 31 | - path: / 32 | pathType: Prefix 33 | backend: 34 | service: 35 | name: proxy-server 36 | port: 37 | number: 8080 38 | {{- if .Values.authorization.proxyServerIngress.hosts }} 39 | {{- range .Values.authorization.proxyServerIngress.hosts }} 40 | - host: {{ tpl . 
$}} 41 | http: 42 | paths: 43 | - path: / 44 | pathType: Prefix 45 | backend: 46 | service: 47 | name: proxy-server 48 | port: 49 | number: 8080 50 | {{- end }} 51 | {{- end }} 52 | - http: 53 | paths: 54 | - backend: 55 | service: 56 | name: proxy-server 57 | port: 58 | number: 8080 59 | path: / 60 | pathType: Prefix 61 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/karavi-storage-secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | type: Opaque 4 | metadata: 5 | name: karavi-storage-secret 6 | namespace: {{ include "custom.namespace" . }} 7 | data: 8 | storage-systems.yaml: c3RvcmFnZToK 9 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/policies.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: common 5 | namespace: {{ include "custom.namespace" . }} 6 | labels: 7 | openpolicyagent.org/policy: rego 8 | data: 9 | {{- (.Files.Glob "policies/common.rego").AsConfig | nindent 2 }} 10 | --- 11 | apiVersion: v1 12 | kind: ConfigMap 13 | metadata: 14 | name: volumes-create 15 | namespace: {{ include "custom.namespace" . }} 16 | labels: 17 | openpolicyagent.org/policy: rego 18 | data: 19 | {{- (.Files.Glob "policies/volumes-create.rego").AsConfig | nindent 2 }} 20 | --- 21 | apiVersion: v1 22 | kind: ConfigMap 23 | metadata: 24 | name: volumes-delete 25 | namespace: {{ include "custom.namespace" . }} 26 | labels: 27 | openpolicyagent.org/policy: rego 28 | data: 29 | {{- (.Files.Glob "policies/volumes-delete.rego").AsConfig | nindent 2 }} 30 | --- 31 | apiVersion: v1 32 | kind: ConfigMap 33 | metadata: 34 | name: volumes-map 35 | namespace: {{ include "custom.namespace" . 
}} 36 | labels: 37 | openpolicyagent.org/policy: rego 38 | data: 39 | {{- (.Files.Glob "policies/volumes-map.rego").AsConfig | nindent 2 }} 40 | --- 41 | apiVersion: v1 42 | kind: ConfigMap 43 | metadata: 44 | name: powermax-volumes-create 45 | namespace: {{ include "custom.namespace" . }} 46 | labels: 47 | openpolicyagent.org/policy: rego 48 | data: 49 | {{- (.Files.Glob "policies/volumes-powermax-create.rego").AsConfig | nindent 2 }} 50 | --- 51 | apiVersion: v1 52 | kind: ConfigMap 53 | metadata: 54 | name: volumes-unmap 55 | namespace: {{ .Release.Namespace }} 56 | labels: 57 | openpolicyagent.org/policy: rego 58 | data: 59 | {{- (.Files.Glob "policies/volumes-unmap.rego").AsConfig | nindent 2 }} 60 | --- 61 | apiVersion: v1 62 | kind: ConfigMap 63 | metadata: 64 | name: sdc-approve 65 | namespace: {{ .Release.Namespace }} 66 | labels: 67 | openpolicyagent.org/policy: rego 68 | data: 69 | {{- (.Files.Glob "policies/sdc-approve.rego").AsConfig | nindent 2 }} 70 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/proxy-server.yaml: -------------------------------------------------------------------------------- 1 | # Grant OPA/kube-mgmt read-only access to resources. This lets kube-mgmt 2 | # list configmaps to be loaded into OPA as policies. NOTE(review): the ClusterRoleBinding below binds the Group "system:serviceaccounts:<namespace>", i.e. every service account in the namespace (including "default", which the proxy-server pod runs as because its Deployment sets no serviceAccountName), and the ClusterRole is cluster-scoped, so any pod in this namespace can read every ConfigMap in the cluster. Least privilege is a dedicated ServiceAccount for the proxy-server pod as the only subject, and a Role/RoleBinding if kube-mgmt only watches this namespace (it is started with --namespaces=<this namespace>). Also note that policies.yaml places the volumes-unmap and sdc-approve ConfigMaps in .Release.Namespace while the other policy ConfigMaps use "custom.namespace"; when .Values.namespace overrides the release namespace those two fall outside kube-mgmt's --namespaces watch and are never loaded into OPA. 3 | apiVersion: rbac.authorization.k8s.io/v1 4 | kind: ClusterRole 5 | metadata: 6 | name: csm-auth-view 7 | rules: 8 | - apiGroups: [""] 9 | resources: ["configmaps"] 10 | verbs: ["get", "list", "watch"] 11 | --- 12 | kind: ClusterRoleBinding 13 | apiVersion: rbac.authorization.k8s.io/v1 14 | metadata: 15 | name: opa-viewer 16 | roleRef: 17 | kind: ClusterRole 18 | name: csm-auth-view 19 | apiGroup: rbac.authorization.k8s.io 20 | subjects: 21 | - kind: Group 22 | name: system:serviceaccounts:{{ include "custom.namespace" . }} 23 | apiGroup: rbac.authorization.k8s.io 24 | --- 25 | # Define role for OPA/kube-mgmt to update configmaps with policy status. 
26 | kind: Role 27 | apiVersion: rbac.authorization.k8s.io/v1 28 | metadata: 29 | namespace: {{ include "custom.namespace" . }} 30 | name: configmap-modifier 31 | rules: 32 | - apiGroups: [""] 33 | resources: ["configmaps"] 34 | verbs: ["update", "patch"] 35 | --- 36 | # Grant OPA/kube-mgmt the role defined above. NOTE(review): the subject is again the Group "system:serviceaccounts:<namespace>", so every service account in the namespace - not just the proxy-server pod - may update/patch every ConfigMap in the namespace, and those ConfigMaps are the Rego policies kube-mgmt loads into OPA; a compromised pod in this namespace could therefore rewrite the authorization policy. Bind a dedicated proxy-server ServiceAccount instead. Separately, the opa container in the Deployment below is started with "--server" and no "--addr", so OPA's REST API (which accepts policy and data writes and has no authentication unless --authentication/--authorization are set) listens on 0.0.0.0:8181 and is reachable from any pod that can reach this pod's IP when no NetworkPolicy is in place; if the sidecars talk to it over localhost (kube-mgmt's default), pin it with "--addr=localhost:8181". "--log-level=debug" on an authorization decision point is also worth revisiting for production, as debug output can include decision inputs. 37 | kind: RoleBinding 38 | apiVersion: rbac.authorization.k8s.io/v1 39 | metadata: 40 | namespace: {{ include "custom.namespace" . }} 41 | name: opa-configmap-modifier 42 | roleRef: 43 | kind: Role 44 | name: configmap-modifier 45 | apiGroup: rbac.authorization.k8s.io 46 | subjects: 47 | - kind: Group 48 | name: system:serviceaccounts:{{ include "custom.namespace" . }} 49 | apiGroup: rbac.authorization.k8s.io 50 | --- 51 | apiVersion: apps/v1 52 | kind: Deployment 53 | metadata: 54 | name: proxy-server 55 | namespace: {{ include "custom.namespace" . }} 56 | labels: 57 | app: proxy-server 58 | spec: 59 | replicas: 1 60 | selector: 61 | matchLabels: 62 | app: proxy-server 63 | template: 64 | metadata: 65 | labels: 66 | app: proxy-server 67 | spec: 68 | containers: 69 | - name: proxy-server 70 | image: {{ required "Must provide the proxy-server image." .Values.authorization.images.proxyService.image }} 71 | imagePullPolicy: Always 72 | args: 73 | - "--redis-host=redis.{{ .Release.Namespace }}.svc.cluster.local:6379" 74 | - "--tenant-service=tenant-service.{{ .Release.Namespace }}.svc.cluster.local:50051" 75 | - "--role-service=role-service.{{ .Release.Namespace }}.svc.cluster.local:50051" 76 | - "--storage-service=storage-service.{{ .Release.Namespace }}.svc.cluster.local:50051" 77 | ports: 78 | - containerPort: 8080 79 | volumeMounts: 80 | - name: config-volume 81 | mountPath: /etc/karavi-authorization/config 82 | - name: storage-volume 83 | mountPath: /etc/karavi-authorization/storage 84 | - name: csm-config-params 85 | mountPath: /etc/karavi-authorization/csm-config-params 86 | - name: opa 87 | image: {{ required "Must provide the openpolicyagent image." 
.Values.authorization.images.opa.image }} 88 | imagePullPolicy: IfNotPresent 89 | args: 90 | - "run" 91 | - "--ignore=." 92 | - "--server" 93 | - "--log-level=debug" 94 | ports: 95 | - name: http 96 | containerPort: 8181 97 | - name: kube-mgmt 98 | image: {{ required "Must provide the opaKubeMgmt image." .Values.authorization.images.opaKubeMgmt.image }} 99 | imagePullPolicy: IfNotPresent 100 | args: 101 | - "--namespaces={{ include "custom.namespace" . }}" 102 | - "--enable-data" 103 | volumes: 104 | - name: config-volume 105 | secret: 106 | secretName: karavi-config-secret 107 | - name: storage-volume 108 | secret: 109 | secretName: karavi-storage-secret 110 | - name: csm-config-params 111 | configMap: 112 | name: csm-config-params 113 | --- 114 | apiVersion: v1 115 | kind: Service 116 | metadata: 117 | name: proxy-server 118 | namespace: {{ include "custom.namespace" . }} 119 | spec: 120 | selector: 121 | app: proxy-server 122 | ports: 123 | - name: http 124 | protocol: TCP 125 | port: 8080 126 | targetPort: 8080 127 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/role-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: role-service 5 | namespace: {{ include "custom.namespace" . }} 6 | --- 7 | kind: ClusterRole 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | metadata: 10 | name: role-service 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["configmaps"] 14 | verbs: ["get", "patch"] 15 | - apiGroups: [""] 16 | resources: ["secrets"] 17 | verbs: ["get"] 18 | --- 19 | kind: ClusterRoleBinding 20 | apiVersion: rbac.authorization.k8s.io/v1 21 | metadata: 22 | name: role-service 23 | subjects: 24 | - kind: ServiceAccount 25 | name: role-service 26 | namespace: {{ include "custom.namespace" . 
}} 27 | roleRef: 28 | kind: ClusterRole 29 | name: role-service 30 | apiGroup: rbac.authorization.k8s.io 31 | --- 32 | apiVersion: apps/v1 33 | kind: Deployment 34 | metadata: 35 | name: role-service 36 | namespace: {{ include "custom.namespace" . }} 37 | labels: 38 | app: role-service 39 | spec: 40 | replicas: 1 41 | selector: 42 | matchLabels: 43 | app: role-service 44 | template: 45 | metadata: 46 | labels: 47 | app: role-service 48 | spec: 49 | serviceAccountName: role-service 50 | containers: 51 | - name: role-service 52 | image: {{ required "Must provide the role-service image." .Values.authorization.images.roleService.image }} 53 | imagePullPolicy: Always 54 | ports: 55 | - containerPort: 50051 56 | name: grpc 57 | env: 58 | - name: NAMESPACE 59 | value: {{ include "custom.namespace" . }} 60 | volumeMounts: 61 | - name: csm-config-params 62 | mountPath: /etc/karavi-authorization/csm-config-params 63 | volumes: 64 | - name: csm-config-params 65 | configMap: 66 | name: csm-config-params 67 | --- 68 | apiVersion: v1 69 | kind: Service 70 | metadata: 71 | name: role-service 72 | namespace: {{ include "custom.namespace" . }} 73 | spec: 74 | selector: 75 | app: role-service 76 | ports: 77 | - port: 50051 78 | targetPort: 50051 79 | name: grpc 80 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/storage-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: storage-service 5 | namespace: {{ include "custom.namespace" . 
}} 6 | --- 7 | kind: ClusterRole 8 | apiVersion: rbac.authorization.k8s.io/v1 9 | metadata: 10 | name: storage-service 11 | rules: 12 | - apiGroups: [""] 13 | resources: ["secrets"] 14 | verbs: ["get", "patch", "post"] 15 | --- 16 | kind: ClusterRoleBinding 17 | apiVersion: rbac.authorization.k8s.io/v1 18 | metadata: 19 | name: storage-service 20 | subjects: 21 | - kind: ServiceAccount 22 | name: storage-service 23 | namespace: {{ include "custom.namespace" . }} 24 | roleRef: 25 | kind: ClusterRole 26 | name: storage-service 27 | apiGroup: rbac.authorization.k8s.io 28 | --- 29 | apiVersion: apps/v1 30 | kind: Deployment 31 | metadata: 32 | name: storage-service 33 | namespace: {{ include "custom.namespace" . }} 34 | labels: 35 | app: storage-service 36 | spec: 37 | replicas: 1 38 | selector: 39 | matchLabels: 40 | app: storage-service 41 | template: 42 | metadata: 43 | labels: 44 | app: storage-service 45 | spec: 46 | serviceAccountName: storage-service 47 | containers: 48 | - name: storage-service 49 | image: {{ required "Must provide the storage-service image." .Values.authorization.images.storageService.image }} 50 | imagePullPolicy: Always 51 | ports: 52 | - containerPort: 50051 53 | name: grpc 54 | env: 55 | - name: NAMESPACE 56 | value: {{ include "custom.namespace" . }} 57 | volumeMounts: 58 | - name: storage-volume 59 | mountPath: /etc/karavi-authorization/storage 60 | - name: config-volume 61 | mountPath: /etc/karavi-authorization/config 62 | - name: csm-config-params 63 | mountPath: /etc/karavi-authorization/csm-config-params 64 | volumes: 65 | - name: storage-volume 66 | secret: 67 | secretName: karavi-storage-secret 68 | - name: config-volume 69 | secret: 70 | secretName: karavi-config-secret 71 | - name: csm-config-params 72 | configMap: 73 | name: csm-config-params 74 | --- 75 | apiVersion: v1 76 | kind: Service 77 | metadata: 78 | name: storage-service 79 | namespace: {{ include "custom.namespace" . 
}} 80 | spec: 81 | selector: 82 | app: storage-service 83 | ports: 84 | - port: 50051 85 | targetPort: 50051 86 | name: grpc 87 | -------------------------------------------------------------------------------- /charts/csm-authorization/templates/tenant-service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: tenant-service 5 | namespace: {{ include "custom.namespace" . }} 6 | labels: 7 | app: tenant-service 8 | spec: 9 | replicas: 1 10 | selector: 11 | matchLabels: 12 | app: tenant-service 13 | template: 14 | metadata: 15 | labels: 16 | app: tenant-service 17 | spec: 18 | containers: 19 | - name: tenant-service 20 | image: {{ required "Must provide the tenant-service image." .Values.authorization.images.tenantService.image }} 21 | imagePullPolicy: Always 22 | args: 23 | - "--redis-host=redis.{{ include "custom.namespace" . }}.svc.cluster.local:6379" 24 | ports: 25 | - containerPort: 50051 26 | name: grpc 27 | volumeMounts: 28 | - name: config-volume 29 | mountPath: /etc/karavi-authorization/config 30 | - name: csm-config-params 31 | mountPath: /etc/karavi-authorization/csm-config-params 32 | volumes: 33 | - name: config-volume 34 | secret: 35 | secretName: karavi-config-secret 36 | - name: csm-config-params 37 | configMap: 38 | name: csm-config-params 39 | --- 40 | apiVersion: v1 41 | kind: Service 42 | metadata: 43 | name: tenant-service 44 | namespace: {{ include "custom.namespace" . 
}} 45 | spec: 46 | selector: 47 | app: tenant-service 48 | ports: 49 | - port: 50051 50 | targetPort: 50051 51 | name: grpc 52 | -------------------------------------------------------------------------------- /charts/csm-authorization/values.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # if enabled, nginx ingress controller will be deployed 3 | # if you have your own ingress controller, keep this false and set the appropriate annotations for the ingresses in the authorization section 4 | ingress-nginx: 5 | enabled: true 6 | 7 | # if enabled, cert-manager will be deployed 8 | # if cert-manager is already deployed, keep this false 9 | cert-manager: 10 | enabled: true 11 | 12 | authorization: 13 | # images to use in installation 14 | images: 15 | proxyService: 16 | image: quay.io/dell/container-storage-modules/csm-authorization-proxy:v1.14.0 17 | tenantService: 18 | image: quay.io/dell/container-storage-modules/csm-authorization-tenant:v1.14.0 19 | roleService: 20 | image: quay.io/dell/container-storage-modules/csm-authorization-role:v1.14.0 21 | storageService: 22 | image: quay.io/dell/container-storage-modules/csm-authorization-storage:v1.14.0 23 | opa: 24 | image: docker.io/openpolicyagent/opa:0.70.0 25 | opaKubeMgmt: 26 | image: openpolicyagent/kube-mgmt:8.5.12 27 | 28 | # proxy-server ingress will use this hostname 29 | # NOTE: additional hostnames can be configured in authorization.proxyServerIngress.hosts 30 | # NOTE: proxy-server ingress is configured to accept IP address connections so hostnames are not required 31 | hostname: csm-authorization.com 32 | 33 | # log level for csm-authorization 34 | logLevel: debug 35 | 36 | # number, as a string, of concurrent requests for the storage-service to make to PowerFlex 37 | # currently only used with dellctl to list tenant volumes 38 | concurrentPowerFlexRequests: "10" 39 | 40 | # tracing configuration 41 | # this can be updated on the fly via the 
csm-config-params configMap 42 | zipkin: 43 | {} 44 | # collectoruri: http://DNS-hostname:9411/api/v2/spans 45 | # probability: 1 46 | 47 | # proxy-server ingress configuration 48 | proxyServerIngress: 49 | ingressClassName: nginx 50 | 51 | # additional host rules for the proxy-server ingress 52 | hosts: 53 | [] 54 | # - application-ingress-nginx-controller.namespace.svc.cluster.local 55 | 56 | # additional annotations for the proxy-server ingress 57 | annotations: {} 58 | 59 | redis: 60 | images: 61 | redis: 62 | image: redis:7.4.2-alpine 63 | commander: 64 | image: rediscommander/redis-commander:latest 65 | 66 | # by default, csm-authorization will deploy a local (https://kubernetes.io/docs/concepts/storage/storage-classes/#local) volume for redis 67 | # to use a different storage class for redis, uncomment the following line and specify the name of the storage class 68 | # NOTE: the storage class must NOT be one provisioned by a CSI driver that is itself configured to use this instance of CSM Authorization 69 | # storageClass: 70 | -------------------------------------------------------------------------------- /charts/csm-replication/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /charts/csm-replication/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: csm-replication 3 | type: application 4 | description: | 5 | CSM for Replication helm charts 6 | version: 1.12.0 7 | appVersion: "1.12.0" 8 | -------------------------------------------------------------------------------- /charts/csm-replication/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "csm-replication.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 12 | */}} 13 | {{- define "csm-replication.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{/* 27 | Create chart name and version as used by the chart label. 
28 | */}} 29 | {{- define "csm-replication.chart" -}} 30 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 31 | {{- end }} 32 | 33 | {{/* 34 | Common labels 35 | */}} 36 | {{- define "csm-replication.labels" -}} 37 | helm.sh/chart: {{ include "csm-replication.chart" . }} 38 | {{ include "csm-replication.selectorLabels" . }} 39 | {{- if .Chart.AppVersion }} 40 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 41 | {{- end }} 42 | app.kubernetes.io/managed-by: {{ .Release.Service }} 43 | {{- end }} 44 | 45 | {{/* 46 | Selector labels 47 | */}} 48 | {{- define "csm-replication.selectorLabels" -}} 49 | app.kubernetes.io/name: {{ include "csm-replication.name" . }} 50 | app.kubernetes.io/instance: {{ .Release.Name }} 51 | {{- end }} 52 | 53 | {{/* 54 | Create the name of the service account to use 55 | */}} 56 | {{- define "csm-replication.serviceAccountName" -}} 57 | {{- if .Values.serviceAccount.create }} 58 | {{- default (include "csm-replication.fullname" .) .Values.serviceAccount.name }} 59 | {{- else }} 60 | {{- default "default" .Values.serviceAccount.name }} 61 | {{- end }} 62 | {{- end }} 63 | -------------------------------------------------------------------------------- /charts/csm-replication/values.yaml: -------------------------------------------------------------------------------- 1 | # replicas: Defines number of controller replicas 2 | # Allowed values: int 3 | # Default value: 1 4 | replicas: 1 5 | 6 | # image: Defines controller image. This shouldn't be changed 7 | # Allowed values: string 8 | image: quay.io/dell/container-storage-modules/dell-replication-controller:v1.12.0 9 | 10 | # logLevel: Defines initial log level for controller. This can be changed in runtime 11 | # Allowed values: "debug", "info", "warn", "error", "panic" 12 | # Default value: "info" 13 | logLevel: "info" 14 | 15 | # leaderElection: Enable leader election for dell-replication-controller manager. 
16 | # Enabling this will ensure there is only one active dell-replication-controller manager. 17 | # Allowed values: "true", "false" 18 | # Default value: "true" 19 | leaderElection: "true" 20 | 21 | # retryIntervalMin: Initial retry interval for a failed reconcile request. 22 | # It doubles with each failure, up to retryIntervalMax 23 | # Allowed values: time 24 | retryIntervalMin: 1s 25 | 26 | # retryIntervalMax: Maximum retry interval for a failed reconcile request 27 | # Allowed values: time 28 | retryIntervalMax: 5m 29 | 30 | # disablePVCRemap: Disable PVC remapping for replication in a single-cluster configuration 31 | # Allowed values: "true", "false" 32 | # Default value: "false" 33 | disablePVCRemap: "false" 34 | 35 | # allowPvcCreationOnTarget: Creates a PVC on the target cluster using the replicated PV. 36 | # Allowed values: 37 | # true: creates a PVC on the target cluster bound to the replicated PV 38 | # false: only updates the claimRef on the replicated PV on the target cluster, without creating a PVC 39 | # Default value: false 40 | allowPvcCreationOnTarget: "false" 41 | 42 | # hostAliases: Optional feature that allows injecting entries into the pod's /etc/hosts file 43 | # hostAliases: 44 | # - ip: "10.10.10.10" 45 | # hostnames: 46 | # - "foo.bar" 47 | # - ip: "10.10.10.11" 48 | # hostnames: 49 | # - "foo.baz" 50 | -------------------------------------------------------------------------------- /charts/karavi-observability/.gitignore: -------------------------------------------------------------------------------- 1 | Chart.lock 2 | charts/ 3 | -------------------------------------------------------------------------------- /charts/karavi-observability/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line.
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | installer/ 25 | -------------------------------------------------------------------------------- /charts/karavi-observability/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | appVersion: "1.12.0" 3 | name: karavi-observability 4 | description: CSM for Observability is part of the [Container Storage Modules](https://github.com/dell/csm) open source suite of Kubernetes storage enablers for Dell EMC storage products. CSM for Observability provides Kubernetes administrators with visibility into metrics and topology data related to containerized storage. 5 | type: application 6 | version: 1.12.0 7 | dependencies: 8 | - name: cert-manager 9 | version: 1.10.0 10 | repository: https://charts.jetstack.io 11 | condition: cert-manager.enabled 12 | -------------------------------------------------------------------------------- /charts/karavi-observability/README.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Container Storage Modules (CSM) for Observability Dell Community Helm Chart 12 | 13 | CSM for Observability can be deployed using Helm. 14 | 15 | For complete deployment instructions, refer to the [Container Storage Modules documentation](https://dell.github.io/csm-docs/docs/deployment/helm/modules/installation/observability/). 16 | 17 | ## Helm Chart Versioning 18 | 19 | For an explanation and examples on versioning/releasing the CSM for Observability Helm chart, please see the [contributing guide](../../docs/CONTRIBUTING.md#helm-chart-release-strategy). 
20 | -------------------------------------------------------------------------------- /charts/karavi-observability/otel-collector-config.yaml: -------------------------------------------------------------------------------- 1 | receivers: 2 | otlp: 3 | protocols: 4 | grpc: 5 | endpoint: 0.0.0.0:55680 6 | tls: 7 | cert_file: /etc/ssl/certs/tls.crt 8 | key_file: /etc/ssl/certs/tls.key 9 | 10 | exporters: 11 | prometheus: 12 | endpoint: 0.0.0.0:8889 13 | debug: 14 | 15 | extensions: 16 | health_check: {} 17 | 18 | service: 19 | extensions: [health_check] 20 | pipelines: 21 | metrics: 22 | receivers: [otlp] 23 | processors: [] 24 | exporters: [debug, prometheus] 25 | -------------------------------------------------------------------------------- /charts/karavi-observability/otel-collector-nginx.conf: -------------------------------------------------------------------------------- 1 | worker_processes 1; 2 | events { 3 | worker_connections 1024; 4 | } 5 | 6 | pid /tmp/nginx.pid; 7 | 8 | http { 9 | include mime.types; 10 | default_type application/octet-stream; 11 | sendfile on; 12 | keepalive_timeout 65; 13 | server { 14 | listen 8443 ssl; 15 | server_name localhost; 16 | ssl_certificate /etc/ssl/certs/tls.crt; 17 | ssl_certificate_key /etc/ssl/certs/tls.key; 18 | ssl_protocols TLSv1.2; 19 | ssl_ciphers AESGCM:-aNULL:-DH:-kRSA:@STRENGTH; 20 | ssl_prefer_server_ciphers on; 21 | location / { 22 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 23 | proxy_set_header Host $http_host; 24 | proxy_pass http://127.0.0.1:8889/; 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /charts/karavi-observability/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{ if .Values.karaviTopology.enabled -}} 2 | 3 | CSM Topology 4 | The CSM Topology deployment has been successfully installed. 
5 | 6 | {{ if contains "NodePort" .Values.karaviTopology.service.type -}} 7 | Execute the following commands in your shell to print the URL that can be used to access the CSM Topology service: 8 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services karavi-topology) 9 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 10 | echo https://$NODE_IP:$NODE_PORT 11 | {{ else if contains "ClusterIP" .Values.karaviTopology.service.type }} 12 | The CSM Topology service can be accessed at the following URL from within the Kubernetes cluster: https://karavi-topology.{{ .Release.Namespace }}.svc.cluster.local 13 | {{- end }} 14 | 15 | {{- end }} 16 | 17 | {{ if .Values.karaviMetricsPowerflex.enabled -}} 18 | 19 | CSM Metrics for PowerFlex 20 | 21 | The CSM Metrics for PowerFlex deployment has been successfully installed. 22 | 23 | Provisioner Names: {{ .Values.karaviMetricsPowerflex.provisionerNames }} 24 | Prometheus Scrape Target: 25 | From inside the Kubernetes cluster: otel-collector:8443 26 | 27 | {{- end }} 28 | 29 | {{ if .Values.karaviMetricsPowerstore.enabled -}} 30 | 31 | CSM Metrics for PowerStore 32 | 33 | The CSM Metrics for PowerStore deployment has been successfully installed. 34 | 35 | Provisioner Names: {{ .Values.karaviMetricsPowerstore.provisionerNames }} 36 | Prometheus Scrape Target: 37 | From inside the Kubernetes cluster: otel-collector:8443 38 | 39 | {{- end}} 40 | 41 | {{ if .Values.karaviMetricsPowerscale.enabled -}} 42 | 43 | CSM Metrics for PowerScale 44 | 45 | The CSM Metrics for PowerScale deployment has been successfully installed. 
46 | 47 | Provisioner Names: {{ .Values.karaviMetricsPowerscale.provisionerNames }} 48 | Prometheus Scrape Target: 49 | From inside the Kubernetes cluster: otel-collector:8443 50 | 51 | {{- end}} 52 | 53 | {{ if .Values.karaviMetricsPowermax.enabled -}} 54 | 55 | CSM Metrics for PowerMax 56 | 57 | The CSM Metrics for PowerMax deployment has been successfully installed. 58 | 59 | Provisioner Names: {{ .Values.karaviMetricsPowermax.provisionerNames }} 60 | Prometheus Scrape Target: 61 | From inside the Kubernetes cluster: otel-collector:8443 62 | 63 | {{- end}} -------------------------------------------------------------------------------- /charts/karavi-observability/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Namespace for all resources to be installed into 3 | If not defined in values file then the helm release namespace is used 4 | By default this is not set so the helm release namespace will be used 5 | */}} 6 | 7 | {{- define "custom.namespace" -}} 8 | {{ .Values.namespace | default .Release.Namespace }} 9 | {{- end -}} -------------------------------------------------------------------------------- /charts/karavi-observability/templates/cert-manager.yaml: -------------------------------------------------------------------------------- 1 | # If the karavi-topology cert and key are provided, deploy a CA Issuer using the cert and key 2 | {{- if and (.Values.karaviTopology.certificateFile) (.Values.karaviTopology.privateKeyFile) }} 3 | {{- $certificateFileContents := .Values.karaviTopology.certificateFile }} 4 | {{- $privateKeyFileContents := .Values.karaviTopology.privateKeyFile }} 5 | apiVersion: v1 6 | data: 7 | tls.crt: {{ $certificateFileContents | b64enc }} 8 | tls.key: {{ $privateKeyFileContents | b64enc }} 9 | kind: Secret 10 | type: kubernetes.io/tls 11 | metadata: 12 | name: karavi-topology-secret 13 | namespace: {{ include "custom.namespace" . 
}} 14 | 15 | --- 16 | 17 | apiVersion: cert-manager.io/v1 18 | kind: Issuer 19 | metadata: 20 | name: karavi-topology-issuer 21 | namespace: {{ include "custom.namespace" . }} 22 | spec: 23 | ca: 24 | secretName: karavi-topology-secret 25 | 26 | --- 27 | {{- end }} 28 | 29 | # If the karavi-metrics-powerstore cert and key are provided, deploy a CA Issuer using the cert and key 30 | {{- if and (.Values.karaviMetricsPowerstore.certificateFile) (.Values.karaviMetricsPowerstore.privateKeyFile) }} 31 | {{- $certificateFileContents := .Values.karaviMetricsPowerstore.certificateFile }} 32 | {{- $privateKeyFileContents := .Values.karaviMetricsPowerstore.privateKeyFile }} 33 | apiVersion: v1 34 | data: 35 | tls.crt: {{ $certificateFileContents | b64enc }} 36 | tls.key: {{ $privateKeyFileContents | b64enc }} 37 | kind: Secret 38 | type: kubernetes.io/tls 39 | metadata: 40 | name: karavi-metrics-powerstore-secret 41 | namespace: {{ include "custom.namespace" . }} 42 | 43 | --- 44 | 45 | apiVersion: cert-manager.io/v1 46 | kind: Issuer 47 | metadata: 48 | name: karavi-metrics-powerstore-issuer 49 | namespace: {{ include "custom.namespace" . }} 50 | spec: 51 | ca: 52 | secretName: karavi-metrics-powerstore-secret 53 | 54 | --- 55 | {{- end }} 56 | 57 | # If the otelCollector cert and key are provided, deploy a CA Issuer using the cert and key 58 | {{- if and (.Values.otelCollector.certificateFile) (.Values.otelCollector.privateKeyFile) }} 59 | {{- $certificateFileContents := .Values.otelCollector.certificateFile }} 60 | {{- $privateKeyFileContents := .Values.otelCollector.privateKeyFile }} 61 | apiVersion: v1 62 | kind: Secret 63 | type: kubernetes.io/tls 64 | metadata: 65 | name: otel-collector-secret 66 | namespace: {{ include "custom.namespace" . 
}} 67 | data: 68 | tls.crt: {{ $certificateFileContents | b64enc }} 69 | tls.key: {{ $privateKeyFileContents | b64enc }} 70 | 71 | --- 72 | 73 | apiVersion: cert-manager.io/v1 74 | kind: Issuer 75 | metadata: 76 | name: otel-collector-issuer 77 | namespace: {{ include "custom.namespace" . }} 78 | spec: 79 | ca: 80 | secretName: otel-collector-secret 81 | 82 | --- 83 | {{- end }} 84 | 85 | # If any set of cert+key combos are not provided, deploy a selfsigned-issuer 86 | {{- if or (and (not .Values.karaviTopology.certificateFile) (not .Values.karaviTopology.privateKeyFile)) (and (not .Values.otelCollector.certificateFile) (not .Values.otelCollector.privateKeyFile)) (and (not .Values.karaviMetricsPowerstore.certificateFile) (not .Values.karaviMetricsPowerstore.privateKeyFile)) }} 87 | apiVersion: cert-manager.io/v1 88 | kind: Issuer 89 | metadata: 90 | name: selfsigned-issuer 91 | namespace: {{ include "custom.namespace" . }} 92 | spec: 93 | selfSigned: {} 94 | 95 | --- 96 | {{- end }} 97 | 98 | apiVersion: cert-manager.io/v1 99 | kind: Certificate 100 | metadata: 101 | name: otel-collector 102 | namespace: {{ include "custom.namespace" . }} 103 | spec: 104 | secretName: otel-collector-tls 105 | duration: 2160h # 90d 106 | renewBefore: 360h # 15d 107 | subject: 108 | organizations: 109 | - dellemc 110 | isCA: false 111 | privateKey: 112 | algorithm: RSA 113 | encoding: PKCS1 114 | size: 2048 115 | usages: 116 | - server auth 117 | - client auth 118 | dnsNames: 119 | - otel-collector 120 | - otel-collector.karavi.svc.kubernetes.local 121 | issuerRef: 122 | {{- if and (.Values.otelCollector.certificateFile) (.Values.otelCollector.privateKeyFile) }} 123 | name: otel-collector-issuer 124 | {{- else }} 125 | name: selfsigned-issuer 126 | {{- end }} 127 | kind: Issuer 128 | group: cert-manager.io 129 | 130 | --- 131 | 132 | apiVersion: cert-manager.io/v1 133 | kind: Certificate 134 | metadata: 135 | name: karavi-topology 136 | namespace: {{ include "custom.namespace" . 
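}}
spec:
  secretName: karavi-topology-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dellemc
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - karavi-topology
    # NOTE(review): this SAN hard-codes the "karavi" namespace and a
    # "kubernetes.local" cluster domain, so it only matches when the release is
    # installed into that namespace and the cluster DNS domain is
    # kubernetes.local (the Kubernetes default is cluster.local, which is what
    # tenant-service in the csm-authorization chart uses). Consider deriving it
    # from custom.namespace -- confirm the intended name.
    - karavi-topology.karavi.svc.kubernetes.local
  issuerRef:
    {{- if and (.Values.karaviTopology.certificateFile) (.Values.karaviTopology.privateKeyFile) }}
    name: karavi-topology-issuer
    {{- else }}
    name: selfsigned-issuer
    {{- end }}
    kind: Issuer
    group: cert-manager.io

---

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: karavi-metrics-powerstore
  namespace: {{ include "custom.namespace" . }}
spec:
  secretName: karavi-metrics-powerstore-tls
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  subject:
    organizations:
      - dellemc
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  dnsNames:
    - karavi-metrics-powerstore
    - karavi-metrics-powerstore.karavi.svc.kubernetes.local
  issuerRef:
    {{- if and (.Values.karaviMetricsPowerstore.certificateFile) (.Values.karaviMetricsPowerstore.privateKeyFile) }}
    name: karavi-metrics-powerstore-issuer
    {{- else }}
    name: selfsigned-issuer
    {{- end }}
    kind: Issuer
    group: cert-manager.io
-------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powerflex-service-account.yaml: --------------------------------------------------------------------------------
{{ if .Values.karaviMetricsPowerflex.enabled }}

# ServiceAccount and RBAC for the PowerFlex metrics collector. Every document
# in this file is inside the karaviMetricsPowerflex.enabled guard, so no
# Role/RoleBinding is created for a ServiceAccount that does not exist.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-metrics-powerflex-controller
  namespace: {{ include "custom.namespace" . }}

---

# Cluster-scoped, read-only rules; no Secret access is granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-metrics-powerflex-controller
rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes", "storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "nodes"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powerflex-controller
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powerflex-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-metrics-powerflex-controller
  apiGroup: rbac.authorization.k8s.io

---

# Lease access (presumably leader election), scoped to the namespace the
# ServiceAccount and pod live in. This used .Release.Namespace before, which
# differs from custom.namespace whenever .Values.namespace is set and left the
# RoleBinding pointing at a ServiceAccount that does not exist in that
# namespace. It was also rendered outside the enabled guard.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-metrics-powerflex-controller
  namespace: {{ include "custom.namespace" . }}
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powerflex-controller
  namespace: {{ include "custom.namespace" . }}
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powerflex-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-metrics-powerflex-controller
  apiGroup: rbac.authorization.k8s.io

{{ end }}
--------------------------------------------------------------------------------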
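/charts/karavi-observability/templates/karavi-metrics-powerflex.yaml: --------------------------------------------------------------------------------
{{ if .Values.karaviMetricsPowerflex.enabled }}

apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: karavi-metrics-powerflex
    app.kubernetes.io/instance: {{ .Release.Name }}
  name: karavi-metrics-powerflex
  namespace: {{ include "custom.namespace" . }}
spec:
  type: {{ .Values.karaviMetricsPowerflex.service.type }}
  ports:
    - name: karavi-metrics-powerflex
      port: 2222
      targetPort: 2222
  selector:
    app.kubernetes.io/name: karavi-metrics-powerflex
    app.kubernetes.io/instance: {{ .Release.Name }}

---

# PowerFlex metrics collector. The karavi-authorization sidecar, its volumes
# and the Deployment annotation are rendered only when
# karaviMetricsPowerflex.authorization.enabled is true.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: karavi-metrics-powerflex
  namespace: {{ include "custom.namespace" . }}
  labels:
    app.kubernetes.io/name: karavi-metrics-powerflex
    app.kubernetes.io/instance: {{ .Release.Name }}
  # hasKey takes a map and a single key. The previous guard,
  # hasKey .Values "karaviMetricsPowerflex.authorization", looked for a literal
  # dotted key on the top-level values map and was always false, so this
  # annotation was never rendered. It now uses the same form as the guards
  # further down (the karavi-metrics-powerscale template has the same issue).
  {{- if hasKey .Values.karaviMetricsPowerflex "authorization" }}
  {{- if eq .Values.karaviMetricsPowerflex.authorization.enabled true }}
  annotations:
    com.dell.karavi-authorization-proxy: "true"
  {{ end }}
  {{ end }}
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: karavi-metrics-powerflex
      app.kubernetes.io/instance: {{ .Release.Name }}
  replicas: 1
  strategy: {}
  template:
    metadata:
      labels:
        app.kubernetes.io/name: karavi-metrics-powerflex
        app.kubernetes.io/instance: {{ .Release.Name }}
    spec:
      # serviceAccountName is the current PodSpec field; serviceAccount is its
      # deprecated alias and resolves to the same account.
      serviceAccountName: {{ .Release.Name }}-metrics-powerflex-controller
      containers:
        - name: karavi-metrics-powerflex
          image: {{ .Values.karaviMetricsPowerflex.image }}
          # NOTE(review): no requests/limits and no securityContext are set.
          resources: {}
          env:
            - name: POWERFLEX_METRICS_ENDPOINT
              value: "{{ .Values.karaviMetricsPowerflex.endpoint }}"
            - name: POWERFLEX_METRICS_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: TLS_ENABLED
              value: "true"
          volumeMounts:
            - name: vxflexos-config
              mountPath: /vxflexos-config
            # Only tls.crt of the collector certificate is projected here (see
            # the tls-secret volume below); the private key is not mounted.
            - name: tls-secret
              mountPath: /etc/ssl/certs
              readOnly: true
            - name: karavi-metrics-powerflex-configmap
              mountPath: /etc/config
        {{- if hasKey .Values.karaviMetricsPowerflex "authorization" }}
        {{- if eq .Values.karaviMetricsPowerflex.authorization.enabled true }}
        - name: karavi-authorization-proxy
          imagePullPolicy: IfNotPresent
          image: {{ required "Must provide the authorization sidecar container image." .Values.karaviMetricsPowerflex.authorization.sidecarProxy.image }}
          env:
            - name: PROXY_HOST
              value: "{{ .Values.karaviMetricsPowerflex.authorization.proxyHost }}"
            # NOTE(review): presumably disables verification of the proxy-server
            # certificate when "true"; the root certificate is mounted below, so
            # this should stay false outside test clusters -- confirm in the
            # sidecar.
            - name: SKIP_CERTIFICATE_VALIDATION
              value: "{{ .Values.karaviMetricsPowerflex.authorization.skipCertificateValidation }}"
            - name: PLUGIN_IDENTIFIER
              value: powerflex
            # Tokens are read from the proxy-authz-tokens Secret, not from values.
            - name: ACCESS_TOKEN
              valueFrom:
                secretKeyRef:
                  name: proxy-authz-tokens
                  key: access
            - name: REFRESH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: proxy-authz-tokens
                  key: refresh
          volumeMounts:
            - name: karavi-authorization-config
              mountPath: /etc/karavi-authorization/config
            - name: proxy-server-root-certificate
              mountPath: /etc/karavi-authorization/root-certificates
            - name: vxflexos-config-params
              mountPath: /etc/karavi-authorization
        {{ end }}
        {{ end }}
      volumes:
        - name: vxflexos-config
          secret:
            secretName: vxflexos-config
        - name: tls-secret
          secret:
            secretName: otel-collector-tls
            items:
              - key: tls.crt
                path: cert.crt
        - name: karavi-metrics-powerflex-configmap
          configMap:
            name: karavi-metrics-powerflex-configmap
        {{- if hasKey .Values.karaviMetricsPowerflex "authorization" }}
        {{- if eq .Values.karaviMetricsPowerflex.authorization.enabled true }}
        - name: karavi-authorization-config
          secret:
            secretName: karavi-authorization-config
        - name: proxy-server-root-certificate
          secret:
            secretName: proxy-server-root-certificate
        - name: vxflexos-config-params
          configMap:
            name: vxflexos-config-params
        {{ end }}
        {{ end }}
      restartPolicy: Always
status: {}

{{ end }}
-------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powermax-service-account.yaml: --------------------------------------------------------------------------------
{{ if .Values.karaviMetricsPowermax.enabled }}

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-metrics-powermax-controller
  namespace: {{ include "custom.namespace" . }}

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-metrics-powermax-controller
rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes", "storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "nodes"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powermax-controller
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powermax-controller
    namespace: {{ include "custom.namespace" .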
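}}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-metrics-powermax-controller
  apiGroup: rbac.authorization.k8s.io

---

# Namespaced rules for the same ServiceAccount. Moved inside the
# karaviMetricsPowermax.enabled guard (the closing "end" action used to sit
# above this document) and switched from .Release.Namespace to
# custom.namespace, so the RoleBinding subject resolves to the ServiceAccount
# whenever .Values.namespace differs from the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-metrics-powermax-controller
  namespace: {{ include "custom.namespace" . }}
rules:
  # Secret access is kept namespace-scoped here rather than in the ClusterRole.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["list", "watch", "get"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powermax-controller
  namespace: {{ include "custom.namespace" . }}
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powermax-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-metrics-powermax-controller
  apiGroup: rbac.authorization.k8s.io

{{ end }}
-------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powerscale-service-account.yaml: --------------------------------------------------------------------------------
{{ if .Values.karaviMetricsPowerscale.enabled }}

# ServiceAccount and RBAC for the PowerScale metrics collector. Every document
# in this file is inside the karaviMetricsPowerscale.enabled guard.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-metrics-powerscale-controller
  namespace: {{ include "custom.namespace" . }}

---

# Cluster-scoped, read-only rules; no Secret access is granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-metrics-powerscale-controller
rules:
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes", "storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes", "nodes"]
    verbs: ["list"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powerscale-controller
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powerscale-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: ClusterRole
  name: {{ .Release.Name }}-metrics-powerscale-controller
  apiGroup: rbac.authorization.k8s.io

---

# Lease access (presumably leader election) in the same namespace as the
# ServiceAccount and pod. Previously this used .Release.Namespace and sat
# outside the enabled guard, so it was rendered even when the collector was
# disabled and could bind to a ServiceAccount in the wrong namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ .Release.Name }}-metrics-powerscale-controller
  namespace: {{ include "custom.namespace" . }}
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ .Release.Name }}-metrics-powerscale-controller
  namespace: {{ include "custom.namespace" . }}
subjects:
  - kind: ServiceAccount
    name: {{ .Release.Name }}-metrics-powerscale-controller
    namespace: {{ include "custom.namespace" . }}
roleRef:
  kind: Role
  name: {{ .Release.Name }}-metrics-powerscale-controller
  apiGroup: rbac.authorization.k8s.io

{{ end }}
-------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powerscale.yaml: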
-------------------------------------------------------------------------------- 1 | {{ if .Values.karaviMetricsPowerscale.enabled }} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | labels: 7 | app.kubernetes.io/name: karavi-metrics-powerscale 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | name: karavi-metrics-powerscale 10 | namespace: {{ include "custom.namespace" . }} 11 | spec: 12 | type: {{ .Values.karaviMetricsPowerscale.service.type }} 13 | ports: 14 | - name: karavi-metrics-powerscale 15 | port: 8080 16 | targetPort: 8080 17 | selector: 18 | app.kubernetes.io/name: karavi-metrics-powerscale 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | 21 | --- 22 | 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: karavi-metrics-powerscale 27 | namespace: {{ include "custom.namespace" . }} 28 | labels: 29 | app.kubernetes.io/name: karavi-metrics-powerscale 30 | app.kubernetes.io/instance: {{ .Release.Name }} 31 | {{- if hasKey .Values "karaviMetricsPowerscale.authorization" }} 32 | {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }} 33 | annotations: 34 | com.dell.karavi-authorization-proxy: "true" 35 | {{ end }} 36 | {{ end }} 37 | spec: 38 | selector: 39 | matchLabels: 40 | app.kubernetes.io/name: karavi-metrics-powerscale 41 | app.kubernetes.io/instance: {{ .Release.Name }} 42 | replicas: 1 43 | strategy: {} 44 | template: 45 | metadata: 46 | labels: 47 | app.kubernetes.io/name: karavi-metrics-powerscale 48 | app.kubernetes.io/instance: {{ .Release.Name }} 49 | spec: 50 | serviceAccount: {{ .Release.Name }}-metrics-powerscale-controller 51 | containers: 52 | - name: karavi-metrics-powerscale 53 | image: {{ .Values.karaviMetricsPowerscale.image }} 54 | resources: {} 55 | env: 56 | - name: POWERSCALE_METRICS_ENDPOINT 57 | value: "{{ .Values.karaviMetricsPowerscale.endpoint }}" 58 | - name: POWERSCALE_METRICS_NAMESPACE 59 | valueFrom: 60 | fieldRef: 61 | fieldPath: metadata.namespace 62 | - name: 
TLS_ENABLED 63 | value: "true" 64 | volumeMounts: 65 | - name: isilon-creds 66 | mountPath: /isilon-creds 67 | - name: tls-secret 68 | mountPath: /etc/ssl/certs 69 | readOnly: true 70 | - name: karavi-metrics-powerscale-configmap 71 | mountPath: /etc/config 72 | {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }} 73 | {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }} 74 | - name: karavi-authorization-proxy 75 | imagePullPolicy: IfNotPresent 76 | image: {{ required "Must provide the authorization sidecar container image." .Values.karaviMetricsPowerscale.authorization.sidecarProxy.image }} 77 | env: 78 | - name: PROXY_HOST 79 | value: "{{ .Values.karaviMetricsPowerscale.authorization.proxyHost }}" 80 | - name: SKIP_CERTIFICATE_VALIDATION 81 | value: "{{ .Values.karaviMetricsPowerscale.authorization.skipCertificateValidation }}" 82 | - name: PLUGIN_IDENTIFIER 83 | value: powerscale 84 | - name: ACCESS_TOKEN 85 | valueFrom: 86 | secretKeyRef: 87 | name: isilon-proxy-authz-tokens 88 | key: access 89 | - name: REFRESH_TOKEN 90 | valueFrom: 91 | secretKeyRef: 92 | name: isilon-proxy-authz-tokens 93 | key: refresh 94 | volumeMounts: 95 | - name: karavi-authorization-config 96 | mountPath: /etc/karavi-authorization/config 97 | - name: proxy-server-root-certificate 98 | mountPath: /etc/karavi-authorization/root-certificates 99 | - name: isilon-config-params 100 | mountPath: /etc/karavi-authorization 101 | {{ end }} 102 | {{ end }} 103 | volumes: 104 | - name: isilon-creds 105 | secret: 106 | secretName: isilon-creds 107 | - name: tls-secret 108 | secret: 109 | secretName: otel-collector-tls 110 | items: 111 | - key: tls.crt 112 | path: cert.crt 113 | - name: karavi-metrics-powerscale-configmap 114 | configMap: 115 | name: karavi-metrics-powerscale-configmap 116 | {{- if hasKey .Values.karaviMetricsPowerscale "authorization" }} 117 | {{- if eq .Values.karaviMetricsPowerscale.authorization.enabled true }} 118 | - name: 
karavi-authorization-config 119 | secret: 120 | secretName: isilon-karavi-authorization-config 121 | - name: proxy-server-root-certificate 122 | secret: 123 | secretName: isilon-proxy-server-root-certificate 124 | - name: isilon-config-params 125 | configMap: 126 | name: isilon-config-params 127 | {{ end }} 128 | {{ end }} 129 | restartPolicy: Always 130 | status: {} 131 | 132 | {{ end }} 133 | -------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powerstore-service-account.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.karaviMetricsPowerstore.enabled }} 2 | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Release.Name }}-metrics-powerstore-controller 7 | namespace: {{ include "custom.namespace" . }} 8 | 9 | --- 10 | 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | kind: ClusterRole 13 | metadata: 14 | name: {{ .Release.Name }}-metrics-powerstore-controller 15 | rules: 16 | - apiGroups: [""] 17 | resources: ["persistentvolumes"] 18 | verbs: ["list"] 19 | - apiGroups: [""] 20 | resources: ["endpoints"] 21 | verbs: ["get", "list", "watch"] 22 | 23 | --- 24 | 25 | apiVersion: rbac.authorization.k8s.io/v1 26 | kind: ClusterRoleBinding 27 | metadata: 28 | name: {{ .Release.Name }}-metrics-powerstore-controller 29 | subjects: 30 | - kind: ServiceAccount 31 | name: {{ .Release.Name }}-metrics-powerstore-controller 32 | namespace: {{ include "custom.namespace" . 
}} 33 | roleRef: 34 | kind: ClusterRole 35 | name: {{ .Release.Name }}-metrics-powerstore-controller 36 | apiGroup: rbac.authorization.k8s.io 37 | 38 | {{ end }} 39 | 40 | --- 41 | 42 | apiVersion: rbac.authorization.k8s.io/v1 43 | kind: Role 44 | metadata: 45 | name: {{ .Release.Name }}-metrics-powerstore-controller 46 | namespace: {{ .Release.Namespace }} 47 | rules: 48 | - apiGroups: ["coordination.k8s.io"] 49 | resources: ["leases"] 50 | verbs: ["get", "watch", "list", "delete", "update", "create"] 51 | 52 | --- 53 | 54 | apiVersion: rbac.authorization.k8s.io/v1 55 | kind: RoleBinding 56 | metadata: 57 | name: {{ .Release.Name }}-metrics-powerstore-controller 58 | namespace: {{ .Release.Namespace }} 59 | subjects: 60 | - kind: ServiceAccount 61 | name: {{ .Release.Name }}-metrics-powerstore-controller 62 | namespace: {{ .Release.Namespace }} 63 | roleRef: 64 | kind: Role 65 | name: {{ .Release.Name }}-metrics-powerstore-controller 66 | apiGroup: rbac.authorization.k8s.io 67 | -------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-metrics-powerstore.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.karaviMetricsPowerstore.enabled }} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | labels: 7 | app.kubernetes.io/name: karavi-metrics-powerstore 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | name: karavi-metrics-powerstore 10 | namespace: {{ include "custom.namespace" . }} 11 | spec: 12 | type: {{ .Values.karaviMetricsPowerstore.service.type }} 13 | ports: 14 | - name: karavi-metrics-powerstore 15 | port: 9090 16 | targetPort: 9090 17 | selector: 18 | app.kubernetes.io/name: karavi-metrics-powerstore 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | 21 | --- 22 | 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: karavi-metrics-powerstore 27 | namespace: {{ include "custom.namespace" . 
}} 28 | labels: 29 | app.kubernetes.io/name: karavi-metrics-powerstore 30 | app.kubernetes.io/instance: {{ .Release.Name }} 31 | spec: 32 | selector: 33 | matchLabels: 34 | app.kubernetes.io/name: karavi-metrics-powerstore 35 | app.kubernetes.io/instance: {{ .Release.Name }} 36 | replicas: 1 37 | strategy: {} 38 | template: 39 | metadata: 40 | labels: 41 | app.kubernetes.io/name: karavi-metrics-powerstore 42 | app.kubernetes.io/instance: {{ .Release.Name }} 43 | spec: 44 | serviceAccount: {{ .Release.Name }}-metrics-powerstore-controller 45 | containers: 46 | - name: karavi-metrics-powerstore 47 | image: {{ .Values.karaviMetricsPowerstore.image }} 48 | resources: {} 49 | env: 50 | - name: POWERSTORE_METRICS_ENDPOINT 51 | value: "{{ .Values.karaviMetricsPowerstore.endpoint }}" 52 | - name: POWERSTORE_METRICS_NAMESPACE 53 | valueFrom: 54 | fieldRef: 55 | fieldPath: metadata.namespace 56 | - name: TLS_ENABLED 57 | value: "true" 58 | volumeMounts: 59 | - name: karavi-metrics-powerstore-secret-volume 60 | mountPath: "/certs" 61 | - name: powerstore-config 62 | mountPath: /powerstore-config 63 | - name: tls-secret 64 | mountPath: /etc/ssl/certs 65 | readOnly: true 66 | - name: karavi-metrics-powerstore-configmap 67 | mountPath: /etc/config 68 | volumes: 69 | - name: karavi-metrics-powerstore-secret-volume 70 | secret: 71 | secretName: karavi-metrics-powerstore-tls 72 | items: 73 | - key: tls.crt 74 | path: localhost.crt 75 | - key: tls.key 76 | path: localhost.key 77 | - name: powerstore-config 78 | secret: 79 | secretName: powerstore-config 80 | - name: tls-secret 81 | secret: 82 | secretName: otel-collector-tls 83 | items: 84 | - key: tls.crt 85 | path: cert.crt 86 | - name: karavi-metrics-powerstore-configmap 87 | configMap: 88 | name: karavi-metrics-powerstore-configmap 89 | restartPolicy: Always 90 | status: {} 91 | 92 | {{ end }} 93 | -------------------------------------------------------------------------------- 
/charts/karavi-observability/templates/karavi-topology-service-account.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.karaviTopology.enabled }} 2 | 3 | apiVersion: v1 4 | kind: ServiceAccount 5 | metadata: 6 | name: {{ .Release.Name }}-topology-controller 7 | namespace: {{ include "custom.namespace" . }} 8 | 9 | --- 10 | 11 | apiVersion: rbac.authorization.k8s.io/v1 12 | kind: ClusterRole 13 | metadata: 14 | name: {{ .Release.Name }}-topology-controller 15 | rules: 16 | - apiGroups: [""] 17 | resources: ["persistentvolumes"] 18 | verbs: ["list"] 19 | 20 | --- 21 | 22 | apiVersion: rbac.authorization.k8s.io/v1 23 | kind: ClusterRoleBinding 24 | metadata: 25 | name: {{ .Release.Name }}-topology-controller 26 | subjects: 27 | - kind: ServiceAccount 28 | name: {{ .Release.Name }}-topology-controller 29 | namespace: {{ include "custom.namespace" . }} 30 | roleRef: 31 | kind: ClusterRole 32 | name: {{ .Release.Name }}-topology-controller 33 | apiGroup: rbac.authorization.k8s.io 34 | 35 | {{ end }} 36 | -------------------------------------------------------------------------------- /charts/karavi-observability/templates/karavi-topology.yaml: -------------------------------------------------------------------------------- 1 | {{ if .Values.karaviTopology.enabled }} 2 | 3 | apiVersion: v1 4 | kind: Service 5 | metadata: 6 | labels: 7 | app.kubernetes.io/name: karavi-topology 8 | app.kubernetes.io/instance: {{ .Release.Name }} 9 | name: karavi-topology 10 | namespace: {{ include "custom.namespace" . }} 11 | spec: 12 | type: {{ .Values.karaviTopology.service.type }} 13 | ports: 14 | - name: karavi-topology 15 | port: 8443 16 | targetPort: 8443 17 | selector: 18 | app.kubernetes.io/name: karavi-topology 19 | app.kubernetes.io/instance: {{ .Release.Name }} 20 | 21 | --- 22 | 23 | apiVersion: apps/v1 24 | kind: Deployment 25 | metadata: 26 | name: karavi-topology 27 | namespace: {{ include "custom.namespace" . 
}} 28 | labels: 29 | app.kubernetes.io/name: karavi-topology 30 | app.kubernetes.io/instance: {{ .Release.Name }} 31 | spec: 32 | selector: 33 | matchLabels: 34 | app.kubernetes.io/name: karavi-topology 35 | app.kubernetes.io/instance: {{ .Release.Name }} 36 | replicas: 1 37 | strategy: {} 38 | template: 39 | metadata: 40 | labels: 41 | app.kubernetes.io/name: karavi-topology 42 | app.kubernetes.io/instance: {{ .Release.Name }} 43 | spec: 44 | volumes: 45 | - name: karavi-topology-secret-volume 46 | secret: 47 | secretName: karavi-topology-tls 48 | items: 49 | - key: tls.crt 50 | path: localhost.crt 51 | - key: tls.key 52 | path: localhost.key 53 | - name: karavi-topology-configmap 54 | configMap: 55 | name: karavi-topology-configmap 56 | serviceAccount: {{ .Release.Name }}-topology-controller 57 | containers: 58 | - name: karavi-topology 59 | image: {{ .Values.karaviTopology.image }} 60 | resources: {} 61 | env: 62 | - name: PORT 63 | value: "8443" 64 | - name: DEBUG 65 | value: "false" 66 | volumeMounts: 67 | - name: karavi-topology-secret-volume 68 | mountPath: "/certs" 69 | - name: karavi-topology-configmap 70 | mountPath: "/etc/config" 71 | restartPolicy: Always 72 | status: {} 73 | 74 | {{ end }} 75 | -------------------------------------------------------------------------------- /charts/karavi-observability/templates/otel-collector.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | data: 3 | otel-collector-config.yaml: |- 4 | {{ (.Files.Get "otel-collector-config.yaml") | indent 4 }} 5 | kind: ConfigMap 6 | metadata: 7 | name: otel-collector-config 8 | namespace: {{ include "custom.namespace" . }} 9 | 10 | --- 11 | 12 | apiVersion: v1 13 | data: 14 | nginx.conf: |- 15 | {{ (.Files.Get "otel-collector-nginx.conf") | indent 4 }} 16 | kind: ConfigMap 17 | metadata: 18 | name: nginx-config 19 | namespace: {{ include "custom.namespace" . 
}} 20 | 21 | --- 22 | 23 | apiVersion: v1 24 | kind: Service 25 | metadata: 26 | name: otel-collector 27 | namespace: {{ include "custom.namespace" . }} 28 | labels: 29 | app.kubernetes.io/name: otel-collector 30 | app.kubernetes.io/instance: {{ .Release.Name }} 31 | spec: 32 | type: {{ .Values.otelCollector.service.type }} 33 | ports: 34 | - port: 55680 35 | targetPort: 55680 36 | name: receiver 37 | - port: 8443 38 | targetPort: 8443 39 | name: exporter-https 40 | selector: 41 | app.kubernetes.io/name: otel-collector 42 | app.kubernetes.io/instance: {{ .Release.Name }} 43 | 44 | --- 45 | 46 | apiVersion: apps/v1 47 | kind: Deployment 48 | metadata: 49 | name: otel-collector 50 | namespace: {{ include "custom.namespace" . }} 51 | labels: 52 | app.kubernetes.io/name: otel-collector 53 | app.kubernetes.io/instance: {{ .Release.Name }} 54 | spec: 55 | selector: 56 | matchLabels: 57 | app.kubernetes.io/name: otel-collector 58 | app.kubernetes.io/instance: {{ .Release.Name }} 59 | replicas: 1 60 | strategy: {} 61 | template: 62 | metadata: 63 | labels: 64 | app.kubernetes.io/name: otel-collector 65 | app.kubernetes.io/instance: {{ .Release.Name }} 66 | spec: 67 | volumes: 68 | - name: tls-secret 69 | secret: 70 | secretName: otel-collector-tls 71 | items: 72 | - key: tls.crt 73 | path: tls.crt 74 | - key: tls.key 75 | path: tls.key 76 | - name: nginx-config 77 | configMap: 78 | name: nginx-config 79 | - name: otel-collector-config 80 | configMap: 81 | name: otel-collector-config 82 | containers: 83 | - name: nginx-proxy 84 | image: {{ .Values.otelCollector.nginxProxy.image }} 85 | volumeMounts: 86 | - name: tls-secret 87 | mountPath: /etc/ssl/certs 88 | - name: nginx-config 89 | mountPath: /etc/nginx/nginx.conf 90 | subPath: nginx.conf 91 | - name: otel-collector 92 | image: {{ .Values.otelCollector.image }} 93 | args: 94 | - --config=/etc/otel-collector-config.yaml 95 | resources: {} 96 | volumeMounts: 97 | - name: otel-collector-config 98 | mountPath: 
/etc/otel-collector-config.yaml 99 | subPath: otel-collector-config.yaml 100 | - name: tls-secret 101 | mountPath: /etc/ssl/certs 102 | restartPolicy: Always 103 | status: {} 104 | -------------------------------------------------------------------------------- /ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing#configuration 2 | remote: origin 3 | target-branch: main 4 | # Not executed on installation-wizard because of the dependency on other charts 5 | chart-dirs: 6 | - charts 7 | validate-maintainers: false 8 | check-version-increment: false 9 | -------------------------------------------------------------------------------- /docs/CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Code of Conduct - Contributor Covenant 12 | 13 | ## Our Pledge 14 | 15 | We as members, contributors, and leaders pledge to make participation in our 16 | community a harassment-free experience for everyone, regardless of age, body 17 | size, visible or invisible disability, ethnicity, sex characteristics, gender 18 | identity and expression, level of experience, education, socio-economic status, 19 | nationality, personal appearance, race, religion, or sexual identity 20 | and orientation. 21 | 22 | We pledge to act and interact in ways that contribute to an open, welcoming, 23 | diverse, inclusive, and healthy community. 
24 | 25 | ## Our Standards 26 | 27 | Examples of behavior that contributes to a positive environment for our 28 | community include: 29 | 30 | - Demonstrating empathy and kindness toward other people 31 | - Being respectful of differing opinions, viewpoints, and experiences 32 | - Giving and gracefully accepting constructive feedback 33 | - Accepting responsibility and apologizing to those affected by our mistakes, 34 | and learning from the experience 35 | - Focusing on what is best not just for us as individuals, but for the 36 | overall community 37 | 38 | Examples of unacceptable behavior include: 39 | 40 | - The use of sexualized language or imagery, and sexual attention or 41 | advances of any kind 42 | - Trolling, insulting or derogatory comments, and personal or political attacks 43 | - Public or private harassment 44 | - Publishing others' private information, such as a physical or email 45 | address, without their explicit permission 46 | - Other conduct which could reasonably be considered inappropriate in a 47 | professional setting 48 | 49 | ## Enforcement Responsibilities 50 | 51 | Community leaders are responsible for clarifying and enforcing our standards of 52 | acceptable behavior and will take appropriate and fair corrective action in 53 | response to any behavior that they deem inappropriate, threatening, offensive, 54 | or harmful. 55 | 56 | Community leaders have the right and responsibility to remove, edit, or reject 57 | comments, commits, code, wiki edits, issues, and other contributions that are 58 | not aligned to this Code of Conduct, and will communicate reasons for moderation 59 | decisions when appropriate. 60 | 61 | ## Scope 62 | 63 | This Code of Conduct applies within all community spaces, and also applies when 64 | an individual is officially representing the community in public spaces. 
65 | Examples of representing our community include using an official e-mail address, 66 | posting via an official social media account, or acting as an appointed 67 | representative at an online or offline event. 68 | 69 | ## Enforcement 70 | 71 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 72 | reported to the community leaders responsible for enforcement at our Slack group. 73 | Click [Here](http://del.ly/Slack_request) to request your invite. 74 | 75 | All complaints will be reviewed and investigated promptly and fairly. 76 | 77 | All community leaders are obligated to respect the privacy and security of the 78 | reporter of any incident. 79 | 80 | ## Enforcement Guidelines 81 | 82 | Community leaders will follow these Community Impact Guidelines in determining 83 | the consequences for any action they deem in violation of this Code of Conduct: 84 | 85 | ### 1. Correction 86 | 87 | **Community Impact**: Use of inappropriate language or other behavior deemed 88 | unprofessional or unwelcome in the community. 89 | 90 | **Consequence**: A private, written warning from community leaders, providing 91 | clarity around the nature of the violation and an explanation of why the 92 | behavior was inappropriate. A public apology may be requested. 93 | 94 | ### 2. Warning 95 | 96 | **Community Impact**: A violation through a single incident or series 97 | of actions. 98 | 99 | **Consequence**: A warning with consequences for continued behavior. No 100 | interaction with the people involved, including unsolicited interaction with 101 | those enforcing the Code of Conduct, for a specified period of time. This 102 | includes avoiding interactions in community spaces as well as external channels 103 | like social media. Violating these terms may lead to a temporary or 104 | permanent ban. 105 | 106 | ### 3. 
Temporary Ban 107 | 108 | **Community Impact**: A serious violation of community standards, including 109 | sustained inappropriate behavior. 110 | 111 | **Consequence**: A temporary ban from any sort of interaction or public 112 | communication with the community for a specified period of time. No public or 113 | private interaction with the people involved, including unsolicited interaction 114 | with those enforcing the Code of Conduct, is allowed during this period. 115 | Violating these terms may lead to a permanent ban. 116 | 117 | ### 4. Permanent Ban 118 | 119 | **Community Impact**: Demonstrating a pattern of violation of community 120 | standards, including sustained inappropriate behavior, harassment of an 121 | individual, or aggression toward or disparagement of classes of individuals. 122 | 123 | **Consequence**: A permanent ban from any sort of public interaction within 124 | the community. 125 | 126 | ## Attribution 127 | 128 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 129 | version 2.0, available at 130 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 131 | 132 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 133 | enforcement ladder](https://github.com/mozilla/diversity). 134 | 135 | [homepage]: https://www.contributor-covenant.org 136 | 137 | For answers to common questions about this code of conduct, see the FAQ at 138 | https://www.contributor-covenant.org/faq. Translations are available at 139 | https://www.contributor-covenant.org/translations. 
140 | -------------------------------------------------------------------------------- /docs/MAINTAINERS.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Maintainers 12 | 13 | * @alikdell 14 | * @atye 15 | * @gallacher 16 | * @hoppea2 17 | * @coulof 18 | * @shaynafinocchiaro 19 | * @sharmilarama 20 | * @tdawe 21 | -------------------------------------------------------------------------------- /docs/MAINTAINER_GUIDE.md: -------------------------------------------------------------------------------- 1 | 10 | 11 | # Maintainer Guidelines 12 | 13 | As a Maintainer of this project, you have the responsibility of keeping true to the vision of the project while upholding the highest quality. Being part of this group is a privilege that requires dedication and time to attend to the daily activities that are associated with the maintenance of this project. 14 | 15 | ## Becoming a Maintainer 16 | 17 | Most Maintainers started as Contributors who have demonstrated their commitment to the success of the project. Contributors wishing to become Maintainers must demonstrate commitment to the success of the project by contributing code, reviewing others' work, and triaging issues on a regular basis for at least three months. 18 | 19 | The contributions alone don't make you a Maintainer. You need to earn the trust of the current Maintainers and other project Contributors that your decisions and actions are in the best interest of the project. 20 | 21 | Periodically, the existing Maintainers curate a list of Contributors who have shown regular activity on the project over the prior months. It is from this list that Maintainer candidates are selected. 22 | 23 | After a candidate is selected, the existing Maintainers discuss the candidate over the next 5 business days, provide feedback, and vote. At least 75% of the current Maintainers must vote in the affirmative for a candidate to be moved to the role of Maintainer.
24 | 25 | If a candidate is approved, a Maintainer contacts the candidate to invite them to open a pull request that adds the contributor to the MAINTAINERS file. The candidate becomes a Maintainer once the pull request is merged. 26 | 27 | ## Maintainer Policies 28 | 29 | - Lead by example 30 | - Follow the [Code of Conduct](docs/CODE_OF_CONDUCT.md) and the guidelines in the [Contributing](docs/CONTRIBUTING.md) guide. 31 | - Promote a friendly and collaborative environment within our community. 32 | - Be actively engaged in discussions, answering questions, updating defects, and reviewing pull requests. 33 | - Criticize code, not people. Ideally, tell the contributor a better way to do what they need. 34 | - Clearly mark optional suggestions as such. Best practice, start your comment with _At your option: …_. 35 | 36 | ## Project Decision Making 37 | 38 | All project decisions should contribute to successfully executing on the project roadmap. Project milestones are established for each release. 39 | -------------------------------------------------------------------------------- /installation-wizard/container-storage-modules/Chart.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # 3 | # Copyright © 2023 Dell Inc. or its subsidiaries. All Rights Reserved. 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); 6 | # you may not use this file except in compliance with the License. 7 | # You may obtain a copy of the License at 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # 15 | # 16 | apiVersion: v2 17 | name: container-storage-modules 18 | description: Container Storage Modules (https://github.com/dell/csm), an open source suite of Kubernetes storage enablers for Dell Technologies storage products. 19 | 20 | # A chart can be either an 'application' or a 'library' chart. 21 | # 22 | # Application charts are a collection of templates that can be packaged into versioned archives 23 | # to be deployed. 24 | # 25 | # Library charts provide useful utilities or functions for the chart developer. They're included as 26 | # a dependency of application charts to inject those utilities and functions into the rendering 27 | # pipeline. Library charts do not define any templates and therefore cannot be deployed. 28 | type: application 29 | 30 | # This is the chart version. This version number should be incremented each time you make changes 31 | # to the chart and its templates, including the app version. 32 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 33 | version: 1.7.0 34 | 35 | # This is the version number of the application being deployed. This version number should be 36 | # incremented each time you make changes to the application. Versions are not expected to 37 | # follow Semantic Versioning. They should reflect the version the application is using. 38 | # It is recommended to use it with quotes.
39 | appVersion: "1.7.0" 40 | 41 | dependencies: 42 | - name: csi-powerstore 43 | version: 2.14.0 44 | repository: https://dell.github.io/helm-charts 45 | condition: csi-powerstore.enabled 46 | 47 | - name: csi-powermax 48 | version: 2.14.0 49 | repository: https://dell.github.io/helm-charts 50 | condition: csi-powermax.enabled 51 | 52 | - name: csi-isilon 53 | version: 2.14.0 54 | repository: https://dell.github.io/helm-charts 55 | condition: csi-isilon.enabled 56 | 57 | - name: csi-vxflexos 58 | version: 2.14.0 59 | repository: https://dell.github.io/helm-charts 60 | condition: csi-vxflexos.enabled 61 | 62 | - name: csi-unity 63 | version: 2.14.0 64 | repository: https://dell.github.io/helm-charts 65 | condition: csi-unity.enabled 66 | 67 | - name: csm-replication 68 | version: 1.12.0 69 | repository: https://dell.github.io/helm-charts 70 | condition: csm-replication.enabled 71 | 72 | - name: karavi-observability 73 | version: 1.12.0 74 | repository: https://dell.github.io/helm-charts 75 | condition: karavi-observability.enabled 76 | 77 | - name: cert-manager 78 | version: 1.11.0 79 | repository: https://charts.jetstack.io 80 | condition: cert-manager.enabled 81 | -------------------------------------------------------------------------------- /kubelinter-config.yaml: -------------------------------------------------------------------------------- 1 | checks: 2 | # NOTE: Include all checks, comment failing 3 | include: 4 | - "access-to-create-pods" 5 | # - "access-to-secrets" 6 | - "cluster-admin-role-binding" 7 | - "dangling-horizontalpodautoscaler" 8 | - "dangling-ingress" 9 | - "dangling-networkpolicy" 10 | - "dangling-networkpolicypeer-podselector" 11 | - "dangling-service" 12 | - "default-service-account" 13 | - "deprecated-service-account-field" 14 | # - "dnsconfig-options" 15 | - "docker-sock" 16 | - "drop-net-raw-capability" 17 | - "duplicate-env-var" 18 | - "env-var-secret" 19 | - "exposed-services" 20 | - "host-ipc" 21 | - "host-network" 22 | - 
"host-pid" 23 | - "hpa-minimum-three-replicas" 24 | - "invalid-target-ports" 25 | - "latest-tag" 26 | # - "minimum-three-replicas" 27 | - "mismatching-selector" 28 | - "no-anti-affinity" 29 | - "no-extensions-v1beta" 30 | # - "no-liveness-probe" 31 | # - "no-node-affinity" 32 | - "no-read-only-root-fs" 33 | # - "no-readiness-probe" 34 | # - "no-rolling-update-strategy" 35 | - "non-existent-service-account" 36 | # - "non-isolated-pod" 37 | - "privilege-escalation-container" 38 | - "privileged-container" 39 | - "privileged-ports" 40 | - "read-secret-from-env-var" 41 | # - "required-annotation-email" 42 | # - "required-label-owner" 43 | - "run-as-non-root" 44 | - "sensitive-host-mounts" 45 | - "ssh-port" 46 | - "unsafe-proc-mount" 47 | - "unsafe-sysctls" 48 | # - "unset-cpu-requirements" 49 | # - "unset-memory-requirements" 50 | # - "use-namespace" 51 | - "wildcard-in-rules" 52 | - "writable-host-mount" 53 | 54 | # NOTE: manually exclude failing for documentation, fix them in future or 55 | # comment why are they disabled. 56 | exclude: 57 | - "access-to-secrets" # NOTE: COSI Provisioner Sidecar requires access to secrets 58 | - "dnsconfig-options" 59 | - "minimum-three-replicas" 60 | - "no-liveness-probe" 61 | - "no-node-affinity" 62 | - "no-readiness-probe" 63 | - "no-rolling-update-strategy" 64 | - "non-isolated-pod" 65 | - "required-annotation-email" 66 | - "required-label-owner" 67 | - "unset-cpu-requirements" 68 | - "unset-memory-requirements" 69 | - "use-namespace" 70 | -------------------------------------------------------------------------------- /samples/csm-authorization/config.yaml: -------------------------------------------------------------------------------- 1 | web: 2 | jwtsigningsecret: secret 3 | --------------------------------------------------------------------------------