├── .helmignore ├── Chart.yaml ├── LICENSE ├── README-CSI.md ├── README.md ├── templates ├── NOTES.txt ├── _helpers.tpl ├── credentials_csi.yaml ├── daemonset.yaml ├── daemonset_csi.yaml ├── ingress.yaml ├── namespace.yaml ├── role.yaml ├── rolebinding.yaml ├── secrets.yaml ├── serviceaccount.yaml ├── setup_csi.yaml ├── statefulset_csi.yaml ├── storageclass.yaml ├── svc.yaml ├── tests │ └── redis.yaml └── tls-secrets.yaml └── values.yaml /.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /Chart.yaml: -------------------------------------------------------------------------------- 1 | name: storageos 2 | version: 0.1.2 3 | description: Converged storage for containers 4 | appVersion: 1.1.2 5 | apiVersion: v1 6 | keywords: 7 | - storage 8 | - block-storage 9 | - volume 10 | home: https://storageos.com 11 | icon: https://storageos.com/wp-content/themes/storageOS/images/logo.svg 12 | sources: 13 | - https://github.com/storageos 14 | maintainers: 15 | - name: croomes 16 | email: simon.croome@storageos.com 17 | - name: darkowlzz 18 | email: sunny.gogoi@storageos.com 19 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 StorageOS 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated 
documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README-CSI.md: -------------------------------------------------------------------------------- 1 | # StorageOS 2 | 3 | [StorageOS](https://storageos.com) is a software-based storage platform designed for cloud-native applications. By 4 | deploying StorageOS on your Kubernetes cluster, local storage from cluster node is aggregated into a distributed pool, 5 | and persistent volumes created from it using the native Kubernetes volume driver are available instantly to pods 6 | wherever they move in the cluster. 7 | 8 | Features such as replication, encryption and caching help protect data and maximise performance. 9 | 10 | ## Prerequisites 11 | 12 | - Kubernetes 1.10 and above 13 | - Kubernetes must be configured to allow: 14 | - Privileged mode containers (enabled by default) 15 | - Feature gate: MountPropagation=true. 
This can be done by appending `--feature-gates MountPropagation=true` to the 16 | kube-apiserver and kubelet services. Enabled by default in k8s 1.10. 17 | 18 | Refer to the [StorageOS prerequisites docs](https://docs.storageos.com/docs/prerequisites/overview) for more information. 19 | 20 | ## TL;DR 21 | 22 | ```console 23 | $ git clone https://github.com/storageos/helm-chart.git storageos 24 | $ cd storageos 25 | $ helm install . --name my-release --set cluster.join= --set csi.enable=true 26 | ``` 27 | 28 | ## Installing the Chart 29 | 30 | To install the chart with the release name `my-release`: 31 | 32 | ```console 33 | $ helm install . --name my-release --set cluster.join= --set csi.enable=true 34 | ``` 35 | 36 | The command deploys StorageOS on the Kubernetes cluster in the default configuration. The [configuration](#configuration) 37 | section lists the parameters that can be configured during installation. 38 | 39 | > **Tip**: List all releases using `helm list` 40 | 41 | ## Uninstalling the Chart 42 | 43 | To uninstall/delete the `my-release` deployment: 44 | 45 | ```console 46 | $ helm delete --purge my-release 47 | ``` 48 | 49 | The command removes all the Kubernetes components associated with the chart and deletes the release. 50 | 51 | ## Configuration 52 | 53 | The `cluster.join` parameter must be set to a valid join string. The join string helps bootstrap a new cluster and 54 | provides instructions to nodes joining an existing cluster. Typically the join string should be composed of a cluster 55 | id and/or hostname(s)/IP-address(es) of cluster nodes. For helm options the comma needs to be escaped like this "a\,b". 56 | 57 | Examples: 58 | 59 | ```console 60 | $ helm install . --name my-release --set cluster.join=node01 --set csi.enable=true 61 | ``` 62 | 63 | ```console 64 | $ storageos cluster create 65 | 61e476d0-5905-4be8-af33-d5109784e3d3 66 | $ helm install . 
--name my-release --set cluster.join=61e476d0-5905-4be8-af33-d5109784e3d3 --set csi.enable=true 67 | ``` 68 | 69 | ```console 70 | $ helm install . --name my-release --set cluster.join="61e476d0-5905-4be8-af33-d5109784e3d3\,node01" --set csi.enable=true 71 | ``` 72 | 73 | The first item in the list can be a cluster id as above, or a hostname or ip address of a single node in the cluster. 74 | 75 | A cluster id can be generated by running the `storageos cluster create` CLI command. The CLI is available to download 76 | from the [GitHub repository](https://github.com/storageos/go/-cli). 77 | 78 | Alternatively, set the first item in the list to be the ip address or hostname of one of the cluster nodes. This node 79 | will bootstrap the cluster when StorageOS is started for the first time on it. It only serves a special purpose until 80 | the cluster has initialised. 81 | 82 | The remaining items in the join list should be one or more hostnames or ip addresses for new nodes to join. 83 | 84 | > **Tip**: Future releases will remove the requirement to specify `cluster.join` and instead the [discovery service](https://github.com/storageos/discovery) 85 | will run as part of the deployment. 86 | 87 | The following table lists the configurable parameters of the StorageOS chart and their default values. 88 | 89 | Parameter | Description | Default 90 | --------- | ----------- | ------- 91 | `cluster.join` | The cluster join string. See [cluster discovery](https://docs.storageos.com/docs/install/prerequisites/clusterdiscovery) documentation for details. 
92 | `image.repository` | StorageOS container image repository | `storageos/node` 93 | `image.tag` | StorageOS container image tag | `1.1.2` 94 | `image.pullPolicy` | StorageOS container image pull policy | `IfNotPresent` 95 | `initContainer.repository` | StorageOS init container image repository | `storageos/init` 96 | `initContainer.tag` | StorageOS init container image tag | `0.1` 97 | `initContainer.pullPolicy` | StorageOS init container image pull policy | `IfNotPresent` 98 | `csiDriverRegistrar.repository` | CSI Driver Registrar container image repository | `quay.io/k8scsi/driver-registrar` 99 | `csiDriverRegistrar.tag` | CSI Driver Registrar container image tag | `v0.2.0` 100 | `csiDriverRegistrar.pullPolicy` | CSI Driver Registrar container image pull policy | `IfNotPresent` 101 | `csiExternalProvisioner.repository` | CSI External Provisioner container image repository | `quay.io/k8scsi/csi-provisioner` 102 | `csiExternalProvisioner.tag` | CSI External Provisioner container image tag | `v0.3.0` 103 | `csiExternalProvisioner.pullPolicy` | CSI External Provisioner container image pull policy | `Always` 104 | `csiExternalAttacher.repository` | CSI External Attacher container image repository | `quay.io/k8scsi/csi-attacher` 105 | `csiExternalAttacher.tag` | CSI External Attacher container image tag | `v0.3.0` 106 | `csiExternalAttacher.pullPolicy` | CSI External Attacher container image pull policy | `Always` 107 | `storageclass.name` | StorageOS storage class name | `fast` 108 | `storageclass.pool` | Default storage pool for storage class | `default` 109 | `storageclass.fsType` | Default filesystem type for storage class | `ext4` 110 | `resources` | Pod resource requests & limits | `{}` 111 | `csi.enable` | Enable CSI driver installation | `false` 112 | `csi.provisionCreds.enable` | Enable credentials for volume provision operations | `false` 113 | `csi.provisionCreds.username` | Username for CSI provision operation authentication | 114 | 
`csi.provisionCreds.password` | Password for CSI provision operation authentication | 115 | `csi.controllerPublishCreds.enable` | Enable credentials for CSI controller publish volume operations | `false` 116 | `csi.controllerPublishCreds.username` | Username for CSI controller publish volume operations | 117 | `csi.controllerPublishCreds.password` | Password for CSI controller publish volume operations | 118 | `csi.nodeStageCreds.enable` | Enable credentials for CSI node stage volume operations | `false` 119 | `csi.nodeStageCreds.username` | Username for CSI node stage volume operations | 120 | `csi.nodeStageCreds.password` | Password for CSI node stage volume operations | 121 | `csi.nodePublishCreds.enable` | Enable credentials for CSI node publish volume operations | `false` 122 | `csi.nodePublishCreds.username` | Username for CSI node publish volume operations | 123 | `csi.nodePublishCreds.password` | Password for CSI node publish volume operations | 124 | `ingress.enabled` | Enable ingress controller resource | `false` 125 | `ingress.hosts[0].name` | Hostname to your StorageOS installation | `storageos.local` 126 | `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` 127 | `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `storageos.local-tls-secret` 128 | `ingress.hosts[0].annotations` | Annotations for this host's ingress record | `[]` 129 | `ingress.secrets[0].name` | TLS Secret Name | `nil` 130 | `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` 131 | `ingress.secrets[0].key` | TLS Secret Key | `nil` 132 | 133 | 134 | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 135 | 136 | ```console 137 | $ helm install . --name my-release \ 138 | --set cluster.join="74e8b44d-b1df-11e7-b0b3-42010a9a00b2\,node01" 139 | ``` 140 | 141 | Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart, which also keeps the CSI credential passwords off the command line and out of shell history. 
For example, 142 | 143 | ```console 144 | $ helm install . --name my-release -f values.yaml 145 | ``` 146 | 147 | > **Tip**: You can use the default [values.yaml](values.yaml) 148 | 149 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DISCLAIMER 2 | > This repository is no longer maintained. Please see our 3 | > [charts](https://github.com/storageos/charts) repository for up to date helm 4 | > charts 5 | 6 | # StorageOS Helm Chart 7 | 8 | [StorageOS](https://storageos.com) is a software-based storage platform designed for cloud-native applications. By 9 | deploying StorageOS on your Kubernetes cluster, local storage from cluster node is aggregated into a distributed pool, 10 | and persistent volumes created from it using the native Kubernetes volume driver are available instantly to pods 11 | wherever they move in the cluster. 12 | 13 | Features such as replication, encryption and caching help protect data and maximise performance. 14 | 15 | **NOTE**: Refer [README-CSI.md](README-CSI.md) for CSI driver installation. 16 | 17 | ## Prerequisites 18 | 19 | - Kubernetes 1.8+ with Beta APIs enabled 20 | - Kubernetes must be configured to allow: 21 | - Privileged mode containers (enabled by default) 22 | - Feature gate: MountPropagation=true. This can be done by appending `--feature-gates MountPropagation=true` to the 23 | kube-apiserver and kubelet services. 24 | 25 | Refer to the [StorageOS prerequisites docs](https://docs.storageos.com/docs/prerequisites/overview) for more information. 26 | 27 | ## TL;DR 28 | 29 | ```console 30 | $ git clone https://github.com/storageos/helm-chart.git storageos 31 | $ cd storageos 32 | $ helm install . 33 | 34 | # Follow the instructions printed by helm install to update the link between Kubernetes and StorageOS. 
They look like: 35 | $ ClusterIP=$(kubectl get svc/storageos --namespace storageos -o custom-columns=IP:spec.clusterIP --no-headers=true) 36 | $ ApiAddress=$(echo -n "tcp://$ClusterIP:5705" | base64) 37 | $ kubectl patch secret/storageos-api --namespace storageos --patch "{\"data\":{\"apiAddress\": \"$ApiAddress\"}}" 38 | ``` 39 | 40 | > For more than one node clusters, the cluster.join variable must be set. 41 | 42 | ## Installing the Chart 43 | 44 | To install the chart with the release name `my-release`: 45 | 46 | ```console 47 | $ helm install --name my-release . 48 | ``` 49 | 50 | > For more than one node clusters, the cluster.join variable must be set. 51 | 52 | The command deploys StorageOS on the Kubernetes cluster in the default configuration. The [configuration](#configuration) 53 | section lists the parameters that can be configured during installation. 54 | 55 | > **Tip**: List all releases using `helm list` 56 | 57 | ## Post-install configuration 58 | 59 | Follow the instructions printed by helm install to update the link between Kubernetes and StorageOS. 60 | 61 | Example: 62 | ```console 63 | $ ClusterIP=$(kubectl get svc/storageos --namespace storageos -o custom-columns=IP:spec.clusterIP --no-headers=true) 64 | $ ApiAddress=$(echo -n "tcp://$ClusterIP:5705" | base64) 65 | $ kubectl patch secret/storageos-api --namespace storageos --patch "{\"data\":{\"apiAddress\": \"$ApiAddress\"}}" 66 | ``` 67 | 68 | ## Uninstalling the Chart 69 | 70 | To uninstall/delete the `my-release` deployment: 71 | 72 | ```console 73 | $ helm delete --purge my-release 74 | ``` 75 | 76 | The command removes all the Kubernetes components associated with the chart and deletes the release. 77 | 78 | ## Configuration 79 | 80 | The `cluster.join` parameter must be set to a valid join string. The join string helps bootstrap a new cluster and 81 | provides instructions to nodes joining an existing cluster. 
Typically the join string should be composed of a cluster 82 | id and/or hostname(s)/IP-address(es) of cluster nodes. For helm options the comma needs to be escaped like this "a\,b". 83 | 84 | Examples: 85 | 86 | ```console 87 | $ helm install . --name my-release --set cluster.join=node01 88 | ``` 89 | 90 | ```console 91 | $ storageos cluster create 92 | 61e476d0-5905-4be8-af33-d5109784e3d3 93 | $ helm install . --name my-release --set cluster.join=61e476d0-5905-4be8-af33-d5109784e3d3 94 | ``` 95 | 96 | ```console 97 | $ helm install . --name my-release --set cluster.join="61e476d0-5905-4be8-af33-d5109784e3d3\,node01" 98 | ``` 99 | 100 | The first item in the list can be a cluster id as above, or a hostname or ip address of a single node in the cluster. 101 | 102 | A cluster id can be generated by running the `storageos cluster create` CLI command. The CLI is available to download 103 | from the [GitHub repository](https://github.com/storageos/go/-cli). 104 | 105 | Alternatively, set the first item in the list to be the ip address or hostname of one of the cluster nodes. This node 106 | will bootstrap the cluster when StorageOS is started for the first time on it. It only serves a special purpose until 107 | the cluster has initialised. 108 | 109 | The remaining items in the join list should be one or more hostnames or ip addresses for new nodes to join. 110 | 111 | > **Tip**: Future releases will remove the requirement to specify `cluster.join` and instead the [discovery service](https://github.com/storageos/discovery) 112 | will run as part of the deployment. 113 | 114 | The following table lists the configurable parameters of the StorageOS chart and their default values. 115 | 116 | Parameter | Description | Default 117 | --------- | ----------- | ------- 118 | `cluster.join` | The cluster join string. See [cluster discovery](https://docs.storageos.com/docs/install/prerequisites/clusterdiscovery) documentation for details. 
119 | `image.repository` | StorageOS container image repository | `storageos/node` 120 | `image.tag` | StorageOS container image tag | `1.1.2` 121 | `image.pullPolicy` | StorageOS container image pull policy | `IfNotPresent` 122 | `initContainer.repository` | StorageOS init container image repository | `storageos/init` 123 | `initContainer.tag` | StorageOS init container image tag | `0.1` 124 | `initContainer.pullPolicy` | StorageOS init container image pull policy | `IfNotPresent` 125 | `rbacEnabled` | Use of k8s RBAC features | `true` 126 | `storageclass.name` | StorageOS storage class name | `fast` 127 | `storageclass.pool` | Default storage pool for storage class | `default` 128 | `storageclass.fsType` | Default filesystem type for storage class | `ext4` 129 | `api.secretName` | Name of the secret used for storing api location and credentials | `storageos-api` 130 | `api.secretNamespace` | Namespace of the secret used for storing api location and credentials. Needed in every namespace to use StorageOS. 
| `default` 131 | `api.address` | StorageOS service in Kubernetes | `http://storageos:5705` 132 | `api.username` | Username to authenticate to the StorageOS api with | `storageos` 133 | `api.password` | Password to authenticate to the StorageOS api with | `storageos` 134 | `service.name` | Name of the StorageOS service | `storageos` 135 | `service.externalPort` | External service port | `5705` 136 | `service.internalPort` | Internal service port | `5705` 137 | `resources` | Pod resource requests & limits | `{}` 138 | `ingress.enabled` | Enable ingress controller resource | `false` 139 | `ingress.hosts[0].name` | Hostname to your StorageOS installation | `storageos.local` 140 | `ingress.hosts[0].tls` | Utilize TLS backend in ingress | `false` 141 | `ingress.hosts[0].tlsSecret` | TLS Secret (certificates) | `storageos.local-tls-secret` 142 | `ingress.hosts[0].annotations` | Annotations for this host's ingress record | `[]` 143 | `ingress.secrets[0].name` | TLS Secret Name | `nil` 144 | `ingress.secrets[0].certificate` | TLS Secret Certificate | `nil` 145 | `ingress.secrets[0].key` | TLS Secret Key | `nil` 146 | 147 | 148 | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, 149 | 150 | ```console 151 | $ helm install . --name my-release \ 152 | --set cluster.join="74e8b44d-b1df-11e7-b0b3-42010a9a00b2\,node01" 153 | ``` 154 | 155 | Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart, which also keeps `api.password` off the command line and out of shell history. For example, 156 | 157 | ```console 158 | $ helm install . --name my-release -f values.yaml 159 | ``` 160 | 161 | > **Tip**: You can use the default [values.yaml](values.yaml), but override `api.username` and `api.password` (both default to `storageos`) before using it for a real deployment. 162 | 163 | 164 | ## RBAC 165 | 166 | Kubernetes has provided Role-Based Access Control in the stable API (v1) since v1.8. 
In case your cluster's api server is started with `--authorization-mode=RBAC`, you should be running the chart with the configuration parameter `rbacEnabled: true` 167 | 168 | The chart will create a Role with permissions to manage secrets. With this functionality, StorageOS will be able to generate its own secrets for cluster discovery or volume encryption. 169 | 170 | -------------------------------------------------------------------------------- /templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 | 3 | 1. Please run the following commands now to configure the link between Kubernetes and StorageOS(*): 4 | 5 | ClusterIP=$(kubectl get svc/{{ .Values.service.name }} --namespace {{ .Values.namespace }} -o custom-columns=IP:spec.clusterIP --no-headers=true) 6 | ApiAddress=$(echo -n "tcp://$ClusterIP:{{ .Values.service.externalPort }}" | base64) 7 | kubectl patch secret/{{ .Values.api.secretName }} --namespace {{ .Values.api.secretNamespace }} --patch "{\"data\": {\"apiAddress\": \"$ApiAddress\"}}" 8 | 9 | *) Unfortunately this is needed until the Kubernetes apiserver can use kube-dns to resolve service 10 | dns names like {{ .Values.service.name }}.{{ .Values.namespace }}.svc to the correct ClusterIP. 11 | This is a known limitation: https://github.com/kubernetes-incubator/bootkube/issues/456 12 | 13 | {{- end }} 14 | -------------------------------------------------------------------------------- /templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "storageos.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 
11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | */}} 13 | {{- define "storageos.fullname" -}} 14 | {{- $name := default .Chart.Name .Values.nameOverride -}} 15 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 16 | {{- end -}} 17 | 18 | {{/* 19 | Create chart name and version as used by the chart label. 20 | */}} 21 | {{- define "storageos.chart" -}} 22 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | -------------------------------------------------------------------------------- /templates/credentials_csi.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.csi.enable }} 2 | 3 | {{- if .Values.csi.provisionCreds.enable }} 4 | --- 5 | 6 | apiVersion: v1 7 | kind: Secret 8 | metadata: 9 | name: {{ .Values.csi.provisionCreds.secretName }} 10 | namespace: {{ .Values.namespace }} 11 | labels: 12 | app: {{ template "storageos.name" . }} 13 | chart: {{ template "storageos.chart" . }} 14 | heritage: {{ .Release.Service }} 15 | release: {{ .Release.Name }} 16 | type: Opaque
# NOTE(review): applies to all four Secrets in this file. `default ""` means that switching a
# *.enable flag on without supplying username/password renders a Secret holding empty credentials
# instead of failing the render. Values under `data` are only base64-encoded, not encrypted, so the
# plaintext is recoverable by anyone who can read the Secret or the values passed to helm.
17 | data: 18 | username: {{ default "" .Values.csi.provisionCreds.username | b64enc | quote }} 19 | password: {{ default "" .Values.csi.provisionCreds.password | b64enc | quote }} 20 | 21 | {{- end }} 22 | 23 | {{- if .Values.csi.controllerPublishCreds.enable }} 24 | --- 25 | 26 | apiVersion: v1 27 | kind: Secret 28 | metadata: 29 | name: {{ .Values.csi.controllerPublishCreds.secretName }} 30 | namespace: {{ .Values.namespace }} 31 | labels: 32 | app: {{ template "storageos.name" . }} 33 | chart: {{ template "storageos.chart" . 
}} 34 | heritage: {{ .Release.Service }} 35 | release: {{ .Release.Name }} 36 | type: Opaque 37 | data: 38 | username: {{ default "" .Values.csi.controllerPublishCreds.username | b64enc | quote }} 39 | password: {{ default "" .Values.csi.controllerPublishCreds.password | b64enc | quote }} 40 | 41 | {{- end }} 42 | 43 | {{- if .Values.csi.nodeStageCreds.enable }} 44 | --- 45 | 46 | apiVersion: v1 47 | kind: Secret 48 | metadata: 49 | name: {{ .Values.csi.nodeStageCreds.secretName }} 50 | namespace: {{ .Values.namespace }} 51 | labels: 52 | app: {{ template "storageos.name" . }} 53 | chart: {{ template "storageos.chart" . }} 54 | heritage: {{ .Release.Service }} 55 | release: {{ .Release.Name }} 56 | type: Opaque 57 | data: 58 | username: {{ default "" .Values.csi.nodeStageCreds.username | b64enc | quote }} 59 | password: {{ default "" .Values.csi.nodeStageCreds.password | b64enc | quote }} 60 | 61 | {{- end }} 62 | 63 | {{- if .Values.csi.nodePublishCreds.enable }} 64 | --- 65 | 66 | apiVersion: v1 67 | kind: Secret 68 | metadata: 69 | name: {{ .Values.csi.nodePublishCreds.secretName }} 70 | namespace: {{ .Values.namespace }} 71 | labels: 72 | app: {{ template "storageos.name" . }} 73 | chart: {{ template "storageos.chart" . }} 74 | heritage: {{ .Release.Service }} 75 | release: {{ .Release.Name }} 76 | type: Opaque 77 | data: 78 | username: {{ default "" .Values.csi.nodePublishCreds.username | b64enc | quote }} 79 | password: {{ default "" .Values.csi.nodePublishCreds.password | b64enc | quote }} 80 | 81 | {{- end }} 82 | 83 | {{- end }} 84 | -------------------------------------------------------------------------------- /templates/daemonset.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 |
# NOTE(review): extensions/v1beta1 is no longer served for DaemonSet from Kubernetes 1.16 on;
# the CSI variant of this DaemonSet (daemonset_csi.yaml) already uses apps/v1.
3 | apiVersion: extensions/v1beta1 4 | kind: DaemonSet 5 | metadata: 6 | name: {{ template "storageos.fullname" . 
}} 7 | namespace: {{ .Values.namespace }} 8 | labels: 9 | app: {{ template "storageos.name" . }} 10 | chart: {{ template "storageos.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | selector: 15 | matchLabels: 16 | app: {{ template "storageos.name" . }} 17 | template: 18 | metadata: 19 | name: {{ template "storageos.fullname" . }} 20 | labels: 21 | app: {{ template "storageos.name" . }} 22 | chart: {{ template "storageos.chart" . }} 23 | heritage: {{ .Release.Service }} 24 | release: {{ .Release.Name }} 25 | kind: daemonset 26 | spec:
# NOTE(review): pod spec of the non-CSI DaemonSet. hostPID and hostNetwork put every container of
# this pod in the node's PID and network namespaces; combined with the privileged containers below,
# a compromise of this pod should be treated as a compromise of the node it runs on.
27 | hostPID: true 28 | hostNetwork: true 29 | {{- if .Values.rbacEnabled }} 30 | serviceAccountName: {{ template "storageos.fullname" . }} 31 | {{- end }} 32 | initContainers: 33 | - name: enable-lio 34 | image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}" 35 | imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 36 | volumeMounts: 37 | - name: kernel-modules 38 | mountPath: /lib/modules 39 | readOnly: true 40 | - name: sys 41 | mountPath: /sys 42 | mountPropagation: Bidirectional
# NOTE(review): privileged: true already grants every capability, so the explicit SYS_ADMIN add
# is redundant here and in the main container's securityContext further down.
43 | securityContext: 44 | privileged: true 45 | capabilities: 46 | add: 47 | - SYS_ADMIN 48 | containers: 49 | - name: {{ .Chart.Name }} 50 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 51 | imagePullPolicy: {{ .Values.image.pullPolicy }} 52 | args: 53 | - server 54 | ports: 55 | - containerPort: {{ .Values.service.internalPort }} 56 | name: api 57 | livenessProbe: 58 | initialDelaySeconds: 65 59 | timeoutSeconds: 10 60 | failureThreshold: 5 61 | httpGet: 62 | path: /v1/health 63 | port: api 64 | readinessProbe: 65 | initialDelaySeconds: 65 66 | timeoutSeconds: 10 67 | failureThreshold: 5 68 | httpGet: 69 | path: /v1/health 70 | port: api 71 | resources: 72 | {{ toYaml .Values.resources | indent 12 }} 73 | env: 74 | - name: HOSTNAME 75 | valueFrom: 76 | fieldRef: 77 | fieldPath: spec.nodeName 78 | - name: ADMIN_USERNAME 79 | valueFrom: 80 | secretKeyRef: 81 
| name: {{ .Values.initSecretName }} 82 | key: username 83 | - name: ADMIN_PASSWORD 84 | valueFrom: 85 | secretKeyRef: 86 | name: {{ .Values.initSecretName }} 87 | key: password
# NOTE(review): cluster.join, namespace and cluster.sharedDir are rendered below unquoted; piping
# them through `quote` would keep the env values YAML strings whatever the operator supplies.
88 | {{- if .Values.cluster.join }} 89 | - name: JOIN 90 | value: {{ .Values.cluster.join }} 91 | {{- else }} 92 | - name: JOIN 93 | valueFrom: 94 | fieldRef: 95 | fieldPath: status.podIP 96 | {{- end }} 97 | - name: ADVERTISE_IP 98 | valueFrom: 99 | fieldRef: 100 | fieldPath: status.podIP 101 | - name: NAMESPACE 102 | value: {{ .Values.namespace }} 103 | {{- if .Values.cluster.sharedDir }} 104 | - name: DEVICE_DIR 105 | value: {{ .Values.cluster.sharedDir }}/devices 106 | {{- end }} 107 | volumeMounts: 108 | - name: fuse 109 | mountPath: /dev/fuse 110 | - name: sys 111 | mountPath: /sys 112 | - name: state 113 | mountPath: /var/lib/storageos 114 | mountPropagation: Bidirectional 115 | {{- if .Values.cluster.sharedDir }} 116 | - name: shared 117 | mountPath: {{ .Values.cluster.sharedDir }} 118 | mountPropagation: Bidirectional 119 | {{- end }} 120 | securityContext: 121 | privileged: true 122 | capabilities: 123 | add: 124 | - SYS_ADMIN
# NOTE(review): hostPath volumes expose /lib/modules, /dev/fuse, /sys and /var/lib/storageos from
# the node. cluster.sharedDir, when set, is mounted as a hostPath as well, so whoever controls the
# chart values chooses a host directory that a privileged container can write to.
125 | volumes: 126 | - name: kernel-modules 127 | hostPath: 128 | path: /lib/modules 129 | - name: fuse 130 | hostPath: 131 | path: /dev/fuse 132 | - name: sys 133 | hostPath: 134 | path: /sys 135 | - name: state 136 | hostPath: 137 | path: /var/lib/storageos 138 | {{- if .Values.cluster.sharedDir }} 139 | - name: shared 140 | hostPath: 141 | path: {{ .Values.cluster.sharedDir }} 142 | {{- end }} 143 | 144 | {{- end }} 145 | -------------------------------------------------------------------------------- /templates/daemonset_csi.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.csi.enable }} 2 | 3 | kind: DaemonSet 4 | apiVersion: apps/v1 5 | metadata: 6 | name: {{ template "storageos.fullname" . }}-daemon 7 | namespace: {{ .Values.namespace }} 8 | labels: 9 | app: {{ template "storageos.name" . 
}} 10 | chart: {{ template "storageos.chart" . }} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | spec: 14 | selector: 15 | matchLabels: 16 | app: {{ template "storageos.name" . }} 17 | template: 18 | metadata: 19 | labels: 20 | app: {{ template "storageos.name" . }} 21 | chart: {{ template "storageos.chart" . }} 22 | heritage: {{ .Release.Service }} 23 | release: {{ .Release.Name }} 24 | kind: daemonset 25 | spec: 26 | serviceAccount: {{ template "storageos.fullname" . }}-daemonset-sa 27 | hostPID: true 28 | hostNetwork: true 29 | initContainers: 30 | - name: enable-lio 31 | image: "{{ .Values.initContainer.repository }}:{{ .Values.initContainer.tag }}" 32 | imagePullPolicy: {{ .Values.initContainer.pullPolicy }} 33 | volumeMounts: 34 | - name: kernel-modules 35 | mountPath: /lib/modules 36 | readOnly: true 37 | - name: sys 38 | mountPath: /sys 39 | mountPropagation: Bidirectional 40 | securityContext: 41 | privileged: true 42 | capabilities: 43 | add: 44 | - SYS_ADMIN 45 | containers: 46 | - name: csi-driver-registrar 47 | image: "{{ .Values.csiDriverRegistrar.repository }}:{{ .Values.csiDriverRegistrar.tag }}" 48 | imagePullPolicy: {{ .Values.csiDriverRegistrar.pullPolicy }} 49 | args: 50 | - "--v=5" 51 | - "--csi-address=$(ADDRESS)" 52 | env: 53 | - name: ADDRESS 54 | value: /csi/csi.sock # plugin-dir is mounted at /csi 55 | # value: unix://var/lib/kubelet/plugins/storageos/csi.sock 56 | - name: KUBE_NODE_NAME 57 | valueFrom: 58 | fieldRef: 59 | fieldPath: spec.nodeName 60 | volumeMounts: 61 | - name: plugin-dir 62 | mountPath: /csi 63 | # This is where kubelet.sock exists. 
64 | - name: registrar-socket-dir 65 | mountPath: /var/lib/csi/sockets/ 66 | - name: {{ .Chart.Name }} 67 | image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 68 | imagePullPolicy: {{ .Values.image.pullPolicy }} 69 | args: 70 | - server 71 | ports: 72 | - containerPort: {{ .Values.service.internalPort }} 73 | name: api 74 | livenessProbe: 75 | initialDelaySeconds: 65 76 | timeoutSeconds: 10 77 | failureThreshold: 5 78 | httpGet: 79 | path: /v1/health 80 | port: api 81 | readinessProbe: 82 | initialDelaySeconds: 65 83 | timeoutSeconds: 10 84 | failureThreshold: 5 85 | httpGet: 86 | path: /v1/health 87 | port: api 88 | resources: 89 | {{ toYaml .Values.resources | indent 12 }} 90 | 91 | env: 92 | - name: HOSTNAME 93 | valueFrom: 94 | fieldRef: 95 | fieldPath: spec.nodeName 96 | - name: ADMIN_USERNAME 97 | valueFrom: 98 | secretKeyRef: 99 | name: {{ .Values.initSecretName }} 100 | key: username 101 | - name: ADMIN_PASSWORD 102 | valueFrom: 103 | secretKeyRef: 104 | name: {{ .Values.initSecretName }} 105 | key: password 106 | {{- if .Values.cluster.join }} 107 | - name: JOIN 108 | value: {{ .Values.cluster.join }} 109 | {{- else }} 110 | - name: JOIN 111 | valueFrom: 112 | fieldRef: 113 | fieldPath: status.podIP 114 | {{- end }} 115 | - name: ADVERTISE_IP 116 | valueFrom: 117 | fieldRef: 118 | fieldPath: status.podIP 119 | - name: NAMESPACE 120 | value: {{ .Values.namespace }} 121 | {{- if .Values.cluster.sharedDir }} 122 | - name: DEVICE_DIR 123 | value: {{ .Values.cluster.sharedDir }}/devices 124 | {{- end }} 125 | - name: CSI_ENDPOINT 126 | value: unix://var/lib/kubelet/plugins/storageos/csi.sock 127 | # CSI credentials config. 
128 | {{- if .Values.csi.provisionCreds.enable }} 129 | - name: CSI_REQUIRE_CREDS_CREATE_VOL 130 | value: "true" 131 | - name: CSI_REQUIRE_CREDS_DELETE_VOL 132 | value: "true" 133 | - name: CSI_PROVISION_CREDS_USERNAME 134 | valueFrom: 135 | secretKeyRef: 136 | name: {{ .Values.csi.provisionCreds.secretName }} 137 | key: username 138 | - name: CSI_PROVISION_CREDS_PASSWORD 139 | valueFrom: 140 | secretKeyRef: 141 | name: {{ .Values.csi.provisionCreds.secretName }} 142 | key: password 143 | {{- end }} 144 | {{- if .Values.csi.controllerPublishCreds.enable }} 145 | - name: CSI_REQUIRE_CREDS_CTRL_PUB_VOL 146 | value: "true" 147 | - name: CSI_REQUIRE_CREDS_CTRL_UNPUB_VOL 148 | value: "true" 149 | - name: CSI_CTRL_PUB_CREDS_USERNAME 150 | valueFrom: 151 | secretKeyRef: 152 | name: {{ .Values.csi.controllerPublishCreds.secretName }} 153 | key: username 154 | - name: CSI_CTRL_PUB_CREDS_PASSWORD 155 | valueFrom: 156 | secretKeyRef: 157 | name: {{ .Values.csi.controllerPublishCreds.secretName }} 158 | key: password 159 | {{- end }} 160 | {{- if .Values.csi.nodeStageCreds.enable }} 161 | - name: CSI_REQUIRE_CREDS_NODE_STG_VOL 162 | value: "true" 163 | - name: CSI_NODE_STG_CREDS_USERNAME 164 | valueFrom: 165 | secretKeyRef: 166 | name: {{ .Values.csi.nodeStageCreds.secretName }} 167 | key: username 168 | - name: CSI_NODE_STG_CREDS_PASSWORD 169 | valueFrom: 170 | secretKeyRef: 171 | name: {{ .Values.csi.nodeStageCreds.secretName }} 172 | key: password 173 | {{- end }} 174 | {{- if .Values.csi.nodePublishCreds.enable }} 175 | - name: CSI_REQUIRE_CREDS_NODE_PUB_VOL 176 | value: "true" 177 | - name: CSI_NODE_PUB_CREDS_USERNAME 178 | valueFrom: 179 | secretKeyRef: 180 | name: {{ .Values.csi.nodePublishCreds.secretName }} 181 | key: username 182 | - name: CSI_NODE_PUB_CREDS_PASSWORD 183 | valueFrom: 184 | secretKeyRef: 185 | name: {{ .Values.csi.nodePublishCreds.secretName }} 186 | key: password 187 | {{- end }} 188 | securityContext: 189 | privileged: true 190 | capabilities: 191 | 
add: 192 | - SYS_ADMIN 193 | allowPrivilegeEscalation: true 194 | volumeMounts: 195 | - name: kubelet-dir 196 | mountPath: /var/lib/kubelet 197 | mountPropagation: "Bidirectional" 198 | - name: plugin-dir 199 | mountPath: /var/lib/kubelet/plugins/storageos/ 200 | - name: device-dir 201 | mountPath: /dev 202 | - name: fuse 203 | mountPath: /dev/fuse 204 | - name: sys 205 | mountPath: /sys 206 | - name: state 207 | mountPath: /var/lib/storageos 208 | mountPropagation: "Bidirectional" 209 | {{- if .Values.cluster.sharedDir }} 210 | - name: shared 211 | mountPath: {{ .Values.cluster.sharedDir }} 212 | mountPropagation: Bidirectional 213 | {{- end }} 214 | volumes: 215 | - name: kernel-modules 216 | hostPath: 217 | path: /lib/modules 218 | - name: registrar-socket-dir 219 | hostPath: 220 | path: /var/lib/kubelet/device-plugins/ 221 | type: DirectoryOrCreate 222 | - name: kubelet-dir 223 | hostPath: 224 | path: /var/lib/kubelet 225 | type: Directory 226 | - name: plugin-dir 227 | hostPath: 228 | path: /var/lib/kubelet/plugins/storageos/ 229 | type: DirectoryOrCreate 230 | - name: device-dir 231 | hostPath: 232 | path: /dev 233 | type: Directory 234 | - name: fuse 235 | hostPath: 236 | path: /dev/fuse 237 | - name: sys 238 | hostPath: 239 | path: /sys 240 | - name: state 241 | hostPath: 242 | path: /var/lib/storageos 243 | {{- if .Values.cluster.sharedDir }} 244 | - name: shared 245 | hostPath: 246 | path: {{ .Values.cluster.sharedDir }} 247 | {{- end }} 248 | 249 | {{- end }} 250 | -------------------------------------------------------------------------------- /templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled }} 2 | {{- range .Values.ingress.hosts }} 3 | apiVersion: extensions/v1beta1 4 | kind: Ingress 5 | metadata: 6 | name: {{ template "storageos.fullname" $ }} 7 | namespace: {{ $.Values.namespace }} 8 | labels: 9 | app: {{ template "storageos.name" $ }} 10 | chart: {{ template 
"storageos.chart" $ }} 11 | release: {{ $.Release.Name }} 12 | heritage: {{ $.Release.Service }} 13 | annotations: 14 | {{- if .tls }} 15 | ingress.kubernetes.io/secure-backends: "true" 16 | {{- end }} 17 | {{- range $key, $value := .annotations }} 18 | {{ $key }}: {{ $value | quote }} 19 | {{- end }} 20 | spec: 21 | rules: 22 | - host: {{ .name }} 23 | backend: 24 | serviceName: {{ $.Values.service.name }} 25 | servicePort: {{ $.Values.service.externalPort }} 26 | {{- if .tls }} 27 | tls: 28 | - hosts: 29 | - {{ .name }} 30 | secretName: {{ .tlsSecret }} 31 | {{- end }} 32 | --- 33 | {{- end }} 34 | {{- end }} 35 | -------------------------------------------------------------------------------- /templates/namespace.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: {{ .Values.namespace }} 5 | labels: 6 | name: {{ .Values.namespace }} 7 | app: {{ template "storageos.name" . }} 8 | chart: {{ template "storageos.chart" . }} 9 | heritage: {{ .Release.Service }} 10 | release: {{ .Release.Name }} 11 | -------------------------------------------------------------------------------- /templates/role.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 | 3 | {{- if .Values.rbacEnabled -}} 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: Role 6 | metadata: 7 | name: {{ template "storageos.fullname" . }} 8 | namespace: {{ .Values.namespace }} 9 | labels: 10 | app: {{ template "storageos.name" . }} 11 | chart: {{ template "storageos.chart" . 
}} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | rules: 15 | - apiGroups: [""] 16 | resources: ["secrets"] 17 | verbs: ["create", "get", "list", "delete"] 18 | {{- end -}} 19 | 20 | {{- end }} 21 | -------------------------------------------------------------------------------- /templates/rolebinding.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 | 3 | {{- if .Values.rbacEnabled -}} 4 | apiVersion: rbac.authorization.k8s.io/v1 5 | kind: RoleBinding 6 | metadata: 7 | name: {{ template "storageos.fullname" . }} 8 | namespace: {{ .Values.namespace }} 9 | labels: 10 | app: {{ template "storageos.name" . }} 11 | chart: {{ template "storageos.chart" . }} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | roleRef: 15 | apiGroup: rbac.authorization.k8s.io 16 | kind: Role 17 | name: {{ template "storageos.fullname" . }} 18 | subjects: 19 | - kind: ServiceAccount 20 | name: {{ template "storageos.fullname" . }} 21 | {{- end -}} 22 | 23 | {{- end }} 24 | -------------------------------------------------------------------------------- /templates/secrets.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 | 3 | apiVersion: v1 4 | kind: Secret 5 | metadata: 6 | name: {{ .Values.api.secretName }} 7 | namespace: {{ .Values.api.secretNamespace }} 8 | labels: 9 | app: {{ template "storageos.name" . }} 10 | chart: {{ template "storageos.chart" . 
}} 11 | heritage: {{ .Release.Service }} 12 | release: {{ .Release.Name }} 13 | type: "kubernetes.io/storageos" 14 | data: 15 | # apiAddress: {{ printf "http://%s:%.0f" .Values.service.name .Values.service.externalPort | b64enc | quote }} 16 | apiAddress: {{ default "" .Values.api.address | b64enc | quote }} 17 | apiUsername: {{ default "" .Values.api.username | b64enc | quote }} 18 | apiPassword: {{ default "" .Values.api.password | b64enc | quote }} 19 | 20 | {{- end }} 21 | 22 | --- 23 | 24 | # This secret is used to set the initial credentials of the node container. 25 | apiVersion: v1 26 | kind: Secret 27 | metadata: 28 | name: {{ .Values.initSecretName }} 29 | namespace: {{ .Values.namespace }} 30 | labels: 31 | app: {{ template "storageos.name" . }} 32 | chart: {{ template "storageos.chart" . }} 33 | heritage: {{ .Release.Service }} 34 | release: {{ .Release.Name }} 35 | type: "kubernetes.io/storageos" 36 | data: 37 | username: {{ default "" .Values.api.username | b64enc | quote }} 38 | password: {{ default "" .Values.api.password | b64enc | quote }} 39 | -------------------------------------------------------------------------------- /templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if not .Values.csi.enable }} 2 | 3 | {{- if .Values.rbacEnabled }} 4 | apiVersion: v1 5 | kind: ServiceAccount 6 | metadata: 7 | name: {{ template "storageos.fullname" . }} 8 | namespace: {{ .Values.namespace }} 9 | labels: 10 | app: {{ template "storageos.name" . }} 11 | chart: {{ template "storageos.chart" . 
}} 12 | heritage: {{ .Release.Service }} 13 | release: {{ .Release.Name }} 14 | {{- end -}} 15 | 16 | {{- end }} 17 | -------------------------------------------------------------------------------- /templates/setup_csi.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.csi.enable }} 2 | 3 | kind: StorageClass 4 | apiVersion: storage.k8s.io/v1 5 | metadata: 6 | name: {{ .Values.storageclass.name }} 7 | labels: 8 | app: {{ template "storageos.name" . }} 9 | chart: {{ template "storageos.chart" . }} 10 | heritage: {{ .Release.Service }} 11 | release: {{ .Release.Name }} 12 | provisioner: storageos 13 | parameters: 14 | pool: {{ .Values.storageclass.pool }} 15 | # Value with space is an invalid label in CSI volumes. 16 | # description: Kubernetes volume 17 | fsType: {{ .Values.storageclass.fsType }} 18 | 19 | # CSI credentials config. 20 | {{- if .Values.csi.provisionCreds.enable }} 21 | csiProvisionerSecretName: {{ .Values.csi.provisionCreds.secretName }} 22 | csiProvisionerSecretNamespace: {{ .Values.namespace }} 23 | {{- end }} 24 | 25 | {{- if .Values.csi.controllerPublishCreds.enable }} 26 | csiControllerPublishSecretName: {{ .Values.csi.controllerPublishCreds.secretName }} 27 | csiControllerPublishSecretNamespace: {{ .Values.namespace }} 28 | {{- end}} 29 | 30 | {{- if .Values.csi.nodeStageCreds.enable }} 31 | csiNodeStageSecretName: {{ .Values.csi.nodeStageCreds.secretName }} 32 | csiNodeStageSecretNamespace: {{ .Values.namespace }} 33 | {{- end }} 34 | 35 | {{- if .Values.csi.nodePublishCreds.enable }} 36 | csiNodePublishSecretName: {{ .Values.csi.nodePublishCreds.secretName }} 37 | csiNodePublishSecretNamespace: {{ .Values.namespace }} 38 | {{- end }} 39 | 40 | --- 41 | 42 | # Role for Key Management. 43 | kind: ClusterRole 44 | apiVersion: rbac.authorization.k8s.io/v1 45 | metadata: 46 | name: key-management-role 47 | labels: 48 | app: {{ template "storageos.name" . 
}} 49 | chart: {{ template "storageos.chart" . }} 50 | heritage: {{ .Release.Service }} 51 | release: {{ .Release.Name }} 52 | rules: 53 | - apiGroups: [""] 54 | resources: ["secrets"] 55 | verbs: ["get", "list", "create", "delete"] 56 | 57 | --- 58 | 59 | # Role for Driver Registrar. 60 | kind: ClusterRole 61 | apiVersion: rbac.authorization.k8s.io/v1 62 | metadata: 63 | name: driver-registrar-role 64 | labels: 65 | app: {{ template "storageos.name" . }} 66 | chart: {{ template "storageos.chart" . }} 67 | heritage: {{ .Release.Service }} 68 | release: {{ .Release.Name }} 69 | rules: 70 | - apiGroups: [""] 71 | resources: ["nodes"] 72 | verbs: ["get", "update"] 73 | - apiGroups: [""] 74 | resources: ["events"] 75 | verbs: ["list", "watch", "create", "update", "patch"] 76 | 77 | --- 78 | 79 | # Service account for StorageOS DaemonSet. 80 | kind: ServiceAccount 81 | apiVersion: v1 82 | metadata: 83 | name: {{ template "storageos.fullname" . }}-daemonset-sa 84 | namespace: {{ .Values.namespace }} 85 | labels: 86 | app: {{ template "storageos.name" . }} 87 | chart: {{ template "storageos.chart" . }} 88 | heritage: {{ .Release.Service }} 89 | release: {{ .Release.Name }} 90 | 91 | --- 92 | 93 | # Bind DaemonSet Service account to Driver Registrar role. 94 | kind: ClusterRoleBinding 95 | apiVersion: rbac.authorization.k8s.io/v1 96 | metadata: 97 | name: driver-registrar-binding 98 | labels: 99 | app: {{ template "storageos.name" . }} 100 | chart: {{ template "storageos.chart" . }} 101 | heritage: {{ .Release.Service }} 102 | release: {{ .Release.Name }} 103 | subjects: 104 | - kind: ServiceAccount 105 | name: {{ template "storageos.fullname" . }}-daemonset-sa 106 | namespace: {{ .Values.namespace }} 107 | roleRef: 108 | kind: ClusterRole 109 | name: driver-registrar-role 110 | apiGroup: rbac.authorization.k8s.io 111 | 112 | --- 113 | 114 | # Bind DaemonSet Service account to Key Management role. 
# Grants key-management-role (defined earlier in this file: get, list, create
# and delete on secrets) to the DaemonSet service account. Because this is a
# ClusterRoleBinding, the grant applies to secrets in every namespace, not only
# the chart's own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: key-management-binding
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: key-management-role
subjects:
  - kind: ServiceAccount
    name: {{ template "storageos.fullname" . }}-daemonset-sa
    namespace: {{ .Values.namespace }}

---

# Cluster-wide permissions for the CSI external provisioner sidecar.
# Includes read access (get) to secrets in any namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-provisioner-role
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - "persistentvolumes"
    verbs:
      - "list"
      - "watch"
      - "create"
      - "delete"
  - apiGroups:
      - ""
    resources:
      - "persistentvolumeclaims"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
  - apiGroups:
      - ""
    resources:
      - "endpoints"
    verbs:
      - "get"
      - "update"
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - "storageclasses"
    verbs:
      - "list"
      - "watch"
      - "get"
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"

---

# Cluster-wide permissions for the CSI external attacher sidecar.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csi-attacher-role
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - "persistentvolumes"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
  - apiGroups:
      - ""
    resources:
      - "nodes"
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - "storageclasses"
    verbs:
      - "list"
      - "watch"
      - "get"
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - "volumeattachments"
    verbs:
      - "get"
      - "list"
      - "watch"
      - "update"
  - apiGroups:
      - ""
    resources:
      - "events"
    verbs:
      - "list"
      - "watch"
      - "create"
      - "update"
      - "patch"

---

# Identity used by the StatefulSet pods (serviceAccount in statefulset_csi.yaml).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "storageos.fullname" . }}-statefulset-sa
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}

---

# Gives the StatefulSet service account the csi-provisioner-role permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csi-provisioner-binding
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: csi-provisioner-role
subjects:
  - kind: ServiceAccount
    name: {{ template "storageos.fullname" . }}-statefulset-sa
    namespace: {{ .Values.namespace }}

---

# Bind StatefulSet service account to External Attacher role.
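kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-binding
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ template "storageos.fullname" . }}-statefulset-sa
    namespace: {{ .Values.namespace }}
roleRef:
  kind: ClusterRole
  name: csi-attacher-role
  apiGroup: rbac.authorization.k8s.io

---

# Bind StatefulSet service account to Key Management role.
# key-management-role (defined earlier in this file) allows get, list, create
# and delete on secrets, and a ClusterRoleBinding applies it in every namespace.
# NOTE(review): csi-provisioner-role already grants the sidecars "get" on
# secrets; confirm that they also need create/delete before keeping this binding.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sidecar-key-management-binding
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
subjects:
  - kind: ServiceAccount
    name: {{ template "storageos.fullname" . }}-statefulset-sa
    namespace: {{ .Values.namespace }}
roleRef:
  kind: ClusterRole
  name: key-management-role
  apiGroup: rbac.authorization.k8s.io

{{- end }}
--------------------------------------------------------------------------------
/templates/statefulset_csi.yaml:
--------------------------------------------------------------------------------
{{- if .Values.csi.enable }}

# Runs the CSI external provisioner and external attacher sidecars. Both talk to
# the StorageOS CSI endpoint through the socket in the hostPath plugin directory.
kind: StatefulSet
apiVersion: apps/v1beta1
metadata:
  name: {{ template "storageos.fullname" . }}-statefulset
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  serviceName: {{ .Chart.Name }}
  replicas: 1
  selector:
    matchLabels:
      app: {{ template "storageos.name" . }}
  template:
    metadata:
      labels:
        app: {{ template "storageos.name" . }}
        chart: {{ template "storageos.chart" . }}
        heritage: {{ .Release.Service }}
        release: {{ .Release.Name }}
        kind: statefulset
    spec:
      # This account is bound to csi-provisioner-role, csi-attacher-role and
      # key-management-role in setup_csi.yaml.
      serviceAccount: {{ template "storageos.fullname" . }}-statefulset-sa
      containers:
        - name: csi-external-provisioner
          image: "{{ .Values.csiExternalProvisioner.repository }}:{{ .Values.csiExternalProvisioner.tag }}"
          imagePullPolicy: {{ .Values.csiExternalProvisioner.pullPolicy }}
          args:
            - "--v=5"
            - "--provisioner=storageos"
            - "--csi-address=$(ADDRESS)"
          env:
            - name: ADDRESS
              value: /csi/csi.sock # plugin-dir is mounted at /csi
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
        - name: csi-external-attacher
          image: "{{ .Values.csiExternalAttacher.repository }}:{{ .Values.csiExternalAttacher.tag }}"
          imagePullPolicy: {{ .Values.csiExternalAttacher.pullPolicy }}
          args:
            - "--v=5"
            - "--csi-address=$(ADDRESS)"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
      volumes:
        # Host directory that holds csi.sock; the DaemonSet mounts the same path.
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/storageos/
            type: DirectoryOrCreate

{{- end }}
--------------------------------------------------------------------------------
/templates/storageclass.yaml:
--------------------------------------------------------------------------------
{{- if not .Values.csi.enable }}

# StorageClass for the in-tree kubernetes.io/storageos provisioner (non-CSI mode).
apiVersion: storage.k8s.io/v1beta1
kind: StorageClass
metadata:
  name: {{ .Values.storageclass.name }}
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
provisioner: kubernetes.io/storageos
parameters:
  pool: {{ .Values.storageclass.pool }}
  description: Kubernetes volume
  fsType: {{ .Values.storageclass.fsType }}
  # Points at the API secret rendered by secrets.yaml (address, username, password).
  adminSecretNamespace: {{ .Values.api.secretNamespace }}
  adminSecretName: {{ .Values.api.secretName }}

{{- end }}
--------------------------------------------------------------------------------
/templates/svc.yaml:
--------------------------------------------------------------------------------
# Service in front of the DaemonSet pods (selector kind: daemonset).
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.service.name }}
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ template "storageos.name" . }}
    chart: {{ template "storageos.chart" . }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
spec:
  type: {{ .Values.service.type }}
{{- if .Values.service.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
  ports:
    # NOTE(review): port is taken from service.internalPort and targetPort from
    # service.externalPort, while ingress.yaml points at service.externalPort and
    # the DaemonSet containerPort is service.internalPort. The defaults are both
    # 5705, so this only shows up when the two values differ; confirm the
    # intended mapping.
    - port: {{ .Values.service.internalPort }}
      targetPort: {{ .Values.service.externalPort }}
      protocol: TCP
      name: {{ .Values.service.name }}
  selector:
    app: {{ template "storageos.name" . }}
    release: {{ .Release.Name }}
    kind: daemonset
--------------------------------------------------------------------------------
/templates/tests/redis.yaml:
--------------------------------------------------------------------------------
# Claim a volume from the chart's StorageClass for the test pod below.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: {{ .Release.Name }}-redis-test
  annotations:
    volume.beta.kubernetes.io/storage-class: {{ .Values.storageclass.name }}
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi

# The document separator is required: without it the PVC and the Pod are parsed
# as one YAML document with duplicate keys, and the PVC definition is lost.
---

# Helm test hook: a redis pod that mounts the claimed volume.
apiVersion: v1
kind: Pod
metadata:
  name: {{ .Release.Name }}-redis-test
  annotations:
    "helm.sh/hook": test-success
spec:
  containers:
    - name: master
      image: kubernetes/redis:v1
      ports:
        - containerPort: 6379
      resources:
        limits:
          cpu: "0.1"
      volumeMounts:
        - mountPath: /redis-master-data
          name: redis-data
  volumes:
    - name: redis-data
      persistentVolumeClaim:
        claimName: {{ .Release.Name }}-redis-test
--------------------------------------------------------------------------------
/templates/tls-secrets.yaml:
--------------------------------------------------------------------------------
{{- if .Values.ingress.enabled }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .name }}
  # Same namespace as the Ingress in ingress.yaml: an Ingress can only use TLS
  # secrets from its own namespace.
  namespace: {{ $.Values.namespace }}
  labels:
    app: {{ template "storageos.name" $ }}
    chart: {{ template "storageos.chart" $ }}
    release: {{ $.Release.Name }}
    heritage: {{ $.Release.Service }}
type: kubernetes.io/tls
data:
  # Certificate and private key are taken from ingress.secrets in the values.
  tls.crt: {{ .certificate | b64enc }}
  tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
--------------------------------------------------------------------------------
/values.yaml:
--------------------------------------------------------------------------------
# Default values for storageos.
# This is a YAML-formatted file.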
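# Declare variables to be passed into your templates.
image:
  repository: storageos/node
  tag: 1.1.2
  pullPolicy: IfNotPresent

initContainer:
  repository: storageos/init
  # Quoted so YAML keeps the tag as a string instead of parsing it as a float.
  tag: "0.1"
  pullPolicy: IfNotPresent

csiDriverRegistrar:
  repository: quay.io/k8scsi/driver-registrar
  tag: v0.2.0
  pullPolicy: IfNotPresent

csiExternalProvisioner:
  repository: quay.io/k8scsi/csi-provisioner
  tag: v0.3.0
  pullPolicy: Always

csiExternalAttacher:
  repository: quay.io/k8scsi/csi-attacher
  tag: v0.3.0
  pullPolicy: Always

rbacEnabled: true

cluster:
  # To generate a join token see:
  # https://docs.storageos.com/docs/install/prerequisites/clusterdiscovery
  # or use hostname/ip address of any or all of the cluster nodes.
  # Example:
  # join: node1,node2,node3
  # or
  # join: 10.1.5.07,10.1.5.08,10.1.5.09
  join:

  # sharedDir should be set if running kubelet in a container. This should
  # be the path shared into the kubelet container, typically:
  # "/var/lib/kubelet/plugins/kubernetes.io~storageos". If not set, defaults
  # will be used.
  sharedDir:
storageclass:
  name: fast
  pool: default
  fsType: ext4
api:
  secretName: storageos-api
  secretNamespace: storageos
  # secrets are namespace specific, create 1+N for every namespace.
  address: storageos:5705
  # address is used to generate the ApiAddress value in the secret. This is
  # updated later with the service ClusterIP which is not known at this stage.
  #
  # username and password are rendered into the API secret and into the init
  # secret (initSecretName), which the node container reads as ADMIN_USERNAME and
  # ADMIN_PASSWORD. The values below are published defaults: override them at
  # install time and keep the override file out of version control.
  username: storageos
  password: storageos
namespace: storageos
initSecretName: init-secret
service:
  name: storageos
  type: ClusterIP
  externalPort: 5705
  internalPort: 5705
resources: {}

## Configure the ingress resource that allows you to access the
## StorageOS API endpoints. Set up the URL
## ref: http://kubernetes.io/docs/user-guide/ingress/
##
ingress:
  ## Set to true to enable ingress record generation
  enabled: false

  ## The list of hostnames to be covered with this ingress record.
  ## Most likely this will be just one host, but in the event more hosts are needed, this is an array
  hosts:
    - name: storageos.local

      ## Set this to true in order to enable TLS on the ingress record
      ## A side effect of this will be that the backend StorageOS service will be connected at port 443
      tls: false

      ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
      tlsSecret: storageos.local-tls

      ## Ingress annotations done as key:value pairs
      ## If you're using kube-lego, you will want to add:
      ## kubernetes.io/tls-acme: true
      ##
      ## For a full list of possible ingress annotations, please see
      ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/annotations.md
      ##
      ## If tls is set to true, annotation ingress.kubernetes.io/secure-backends: "true" will automatically be set
      annotations:
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: true

  secrets:
  ## If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using kube-lego, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ##
  ## A private key set here is part of the values supplied to Helm, which are
  ## stored with the release; managing the TLS secret outside the chart avoids that.
  # - name: storageos.local-tls
  #   key:
  #   certificate:

csi:
  enable: false
  # The username/password pairs below are placeholders. When a credential set is
  # enabled, replace them with unique values before installing.
  # NOTE(review): presumably these are rendered into the secrets named by
  # secretName in templates/credentials_csi.yaml, which is not shown here.
  #
  # provisionCreds are credentials for volume create and delete operations.
  provisionCreds:
    enable: false
    username: username1
    password: password1
    secretName: storageos-provision-creds
  # controllerPublishCreds are credentials for controller volume publish and unpublish operations.
  controllerPublishCreds:
    enable: false
    username: username2
    password: password2
    secretName: storageos-ctrl-publish-creds
  # nodeStageCreds are credentials for node volume stage operations.
  nodeStageCreds:
    enable: false
    username: username3
    password: password3
    secretName: storageos-node-stage-creds
  # nodePublishCreds are credentials for node volume publish operations.
  nodePublishCreds:
    enable: false
    username: username4
    password: password4
    secretName: storageos-node-publish-creds
--------------------------------------------------------------------------------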