From e4fcf22d091627e6de8872c8dda82c913a60f62a Mon Sep 17 00:00:00 2001 From: Qovery Date: Mon, 30 Sep 2024 09:13:12 +0000 Subject: [PATCH] update 09/30/24 09:13:12 --- charts/qovery/Chart.yaml | 2 +- .../charts/aws-ebs-csi-driver/CHANGELOG.md | 79 +++++++++ .../charts/aws-ebs-csi-driver/Chart.yaml | 4 +- .../aws-ebs-csi-driver/templates/NOTES.txt | 2 - .../templates/_node-windows.tpl | 60 ++++++- .../aws-ebs-csi-driver/templates/_node.tpl | 18 +- .../templates/clusterrole-attacher.yaml | 32 ++-- .../templates/clusterrole-csi-node.yaml | 3 + .../templates/clusterrole-provisioner.yaml | 72 +++++--- .../templates/clusterrole-resizer.yaml | 42 +++-- .../templates/clusterrole-snapshotter.yaml | 47 ++++-- .../clusterrolebinding-attacher.yaml | 2 + .../clusterrolebinding-csi-node.yaml | 2 +- .../clusterrolebinding-provisioner.yaml | 2 + .../templates/clusterrolebinding-resizer.yaml | 2 + .../clusterrolebinding-snapshotter.yaml | 2 + .../templates/controller.yaml | 29 ++++ .../templates/csidriver.yaml | 2 + .../templates/ebs-csi-default-sc.yaml | 13 ++ .../aws-ebs-csi-driver/templates/metrics.yaml | 4 +- .../poddisruptionbudget-controller.yaml | 2 + .../templates/role-leases.yaml | 4 + .../templates/rolebinding-leases.yaml | 2 + .../serviceaccount-csi-controller.yaml | 2 +- .../templates/serviceaccount-csi-node.yaml | 2 +- .../templates/tests/helm-tester.yaml | 30 +++- .../charts/aws-ebs-csi-driver/values.yaml | 155 +++++++++++------- charts/qovery/values-aws.yaml | 2 - charts/qovery/values-gcp.yaml | 2 - charts/qovery/values-scaleway.yaml | 2 - 30 files changed, 461 insertions(+), 161 deletions(-) create mode 100644 charts/qovery/charts/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml diff --git a/charts/qovery/Chart.yaml b/charts/qovery/Chart.yaml index e125e86..c00886a 100644 --- a/charts/qovery/Chart.yaml +++ b/charts/qovery/Chart.yaml 
@@ -16,7 +16,7 @@ dependencies: repository: file://charts/q-storageclass-scaleway - name: aws-ebs-csi-driver condition: services.aws.aws-ebs-csi-driver.enabled - version: 2.27.0 + version: 2.35.1 repository: file://charts/aws-ebs-csi-driver - name: aws-load-balancer-controller condition: services.aws.aws-load-balancer-controller.enabled diff --git a/charts/qovery/charts/aws-ebs-csi-driver/CHANGELOG.md b/charts/qovery/charts/aws-ebs-csi-driver/CHANGELOG.md index b5a8b1e..148c6ae 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/CHANGELOG.md +++ b/charts/qovery/charts/aws-ebs-csi-driver/CHANGELOG.md 
@@ -1,4 +1,83 @@ # Helm chart +## v2.35.1 +* Fix an issue causing the `csi-attacher` container to get stuck in `CrashLoopBackoff` on clusters with VAC enabled. Users with a VAC-enabled cluster are strongly encouraged to skip `v2.35.0` and/or upgrade directly to `v2.35.1` or later. + +## v2.35.0 +* Bump driver version to `v1.35.0` +* Add reservedVolumeAttachments to windows nodes ([#2134](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2134),[@AndrewSirenko](https://github.com/AndrewSirenko)) +* Add legacy-xfs driver option for clusters that mount XFS volumes to nodes with Linux kernel <= 5.4. Warning: This is a temporary workaround for customers unable to immediately upgrade their nodes. It will be removed in a future release. See [the options documentation](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/release-1.35/docs/options.md) for more details.([#2121](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2121),[@AndrewSirenko](https://github.com/AndrewSirenko)) +* Add back "Auto-enable VAC on clusters with beta API version" ([#2141](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2141), [@ConnorJC3](https://github.com/ConnorJC3)) + +## v2.34.0 +* Bump driver version to `v1.34.0` +* Add toggle for PodDisruptionBudget in chart ([#2109](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2109), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* Add nodeComponentOnly parameter to helm chart ([#2106](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2106), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* fix: sidecars.snapshotter.logLevel not being respect ([#2102](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2102), [@zyue110026](https://github.com/zyue110026)) + +## v2.33.0 +* Bump driver version to `v1.33.0` +* Bump CSI sidecar container versions +* Add fix for enableLinux node parameter ([#2078](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2078), 
[@ElijahQuinones](https://github.com/ElijahQuinones)) +* Fix dnsConfig indentation in controller template file ([#2084](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2084), [@cHiv0rz](https://github.com/cHiv0rz)) + +## v2.32.0 +* Bump driver version to `v1.32.0` +* Bump CSI sidecar container versions +* Add `patch` permission to `PV` to `external-provisioner` role (required by v5 and later) +* Add terminationGracePeriodSeconds as a helm parameter ([#2060](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2060), [@ElijahQuinones](https://github.com/ElijahQuinones)) +* Use release namespace in ClusterRoleBinding subject namespace ([#2059](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2059), [@etutuit](https://github.com/etutuit)) +* Add parameter to override node DaemonSet namespace ([#2052](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2052), [@RuStyC0der](https://github.com/RuStyC0der)) +* Set RuntimeDefault as default seccompProfile in securityContext ([#2061](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2061), [@torredil](https://github.com/torredil)) +* Increase default provisioner, resizer, snapshotter `retry-interval-max` ([#2057](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2057), [@AndrewSirenko](https://github.com/AndrewSirenko)) + +## v2.31.0 +* Bump driver version to `v1.31.0` +* Expose dnsConfig in Helm Chart for Custom DNS Configuration ([#2034](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2045), [@omerap12](https://github.com/omerap12)) +* Make scrape interval configurable ([#2035](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2035), [@omerap12](https://github.com/omerap12)) +* Add defaultStorageClass parameter ([#2039](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2039), [@torredil](https://github.com/torredil)) +* Upgrade sidecar containers ([#2041](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2041), 
[@torredil](https://github.com/torredil)) + +## v2.30.0 +* Bump driver version to `v1.30.0` +* Update voluemessnapshotcontents/status RBAC ([#1991](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1991), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* Upgrade dependencies ([#2016](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/2016), [@torredil](https://github.com/torredil)) + +## v2.29.1 +* Bump driver version to `v1.29.1` +* Remove `--reuse-values` deprecation warning + +## v2.29.0 +### Urgent Upgrade Notes +*(No, really, you MUST read this before you upgrade)* + +The EBS CSI Driver Helm chart no longer supports upgrading with `--reuse-values`. This chart will not test for `--reuse-values` compatibility and upgrading with `--reuse-values` will likely fail. Users of `--reuse-values` are strongly encouraged to migrate to `--reset-then-reuse-values`. + +For more information see [the deprecation announcement](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1864). 
+ +### Other Changes +* Bump driver version to `v1.29.0` and sidecars to latest versions +* Add helm-tester enabled flag ([#1954](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1954), [@nunodomingues-td](https://github.com/nunodomingues-td)) + +## v2.28.1 +* Add `reservedVolumeAttachments` that overrides heuristic-determined reserved attachments via `--reserved-volume-attachments` CLI option from [PR #1919](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1919) through Helm ([#1939](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1939), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* Add `additionalArgs` parameter to node daemonSet ([#1939](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1939), [@AndrewSirenko](https://github.com/AndrewSirenko)) + +## v2.28.0 +### Urgent Upgrade Notes +*(No, really, you MUST read this before you upgrade)* + +This is the last minor version of the EBS CSI Driver Helm chart to support upgrading with `--reuse-values`. Future versions of the chart (starting with `v2.29.0`) will not test for `--reuse-values` compatibility and upgrading with `--reuse-values` will likely fail. Users of `--reuse-values` are strongly encouraged to migrate to `--reset-then-reuse-values`. + +For more information see [the deprecation announcement](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1864). 
+ +### Other Changes +* Bump driver version to `v1.28.0` and sidecars to latest versions +* Add labels to leases role used by EBS CSI controller ([#1914](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1914), [@cHiv0rz](https://github.com/cHiv0rz)) +* Enforce `linux` and `amd64` node affinity for helm tester pod ([#1922](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1922), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* Add configuration for `DaemonSet` annotations ([#1923](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1923), [@AndrewSirenko](https://github.com/AndrewSirenko)) +* Incorporate KubeLinter recommended best practices for chart tester pod ([#1924](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1924), [@torredil](https://github.com/torredil)) +* Add configuration for chart tester pod image ([#1928](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1928), [@AndrewSirenko](https://github.com/AndrewSirenko)) + ## v2.27.0 * Bump driver version to `v1.27.0` * Add parameters for tuning revisionHistoryLimit and emptyDir volumes ([#1840](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/pull/1840), [@bodgit](https://github.com/bodgit)) diff --git a/charts/qovery/charts/aws-ebs-csi-driver/Chart.yaml b/charts/qovery/charts/aws-ebs-csi-driver/Chart.yaml index 9033fea..7453188 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/Chart.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.27.0 +appVersion: 1.35.0 description: A Helm chart for AWS EBS CSI Driver home: https://github.com/kubernetes-sigs/aws-ebs-csi-driver keywords: @@ -13,4 +13,4 @@ maintainers: name: aws-ebs-csi-driver sources: - https://github.com/kubernetes-sigs/aws-ebs-csi-driver -version: 2.27.0 +version: 2.35.1 diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/NOTES.txt b/charts/qovery/charts/aws-ebs-csi-driver/templates/NOTES.txt index 4160aff..cb3e6ce 100644 
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/NOTES.txt +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/NOTES.txt @@ -3,5 +3,3 @@ To verify that aws-ebs-csi-driver has started, run: kubectl get pod -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "aws-ebs-csi-driver.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" NOTE: The [CSI Snapshotter](https://github.com/kubernetes-csi/external-snapshotter) controller and CRDs will no longer be installed as part of this chart and moving forward will be a prerequisite of using the snap shotting functionality. - -WARNING: Upgrading the EBS CSI Driver Helm chart with --reuse-values will no longer be supported in a future release. For more information, see https://github.com/kubernetes-sigs/aws-ebs-csi-driver/issues/1864 diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/_node-windows.tpl b/charts/qovery/charts/aws-ebs-csi-driver/templates/_node-windows.tpl index 56e8dcf..9f09ed6 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/_node-windows.tpl +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/_node-windows.tpl @@ -5,7 +5,7 @@ kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ printf "%s-windows" .NodeName }} - namespace: {{ .Release.Namespace }} + namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }} labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} spec: @@ -40,6 +40,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ .Values.node.serviceAccount.name }} + terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }} priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }} tolerations: {{- if .Values.node.tolerateAllTaints }} 
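Review bot: `terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }}` in the `@@ -40,6 +40,7 @@` hunk of _node-windows.tpl (and the identical line added to _node.tpl) is emitted unconditionally, so a values chain that leaves `node.terminationGracePeriodSeconds` unset or null renders an empty scalar, which the API server reads as null and replaces with its own default. The upstream values.yaml presumably supplies a default, but that file is outside this chunk and this commit also touches Qovery's own values-aws.yaml, so confirm the key survives the override chain. Guarding it the way `revisionHistoryLimit` is guarded in _node.tpl keeps `0` renderable while dropping the empty key: `{{- if or (kindIs "float64" .Values.node.terminationGracePeriodSeconds) (kindIs "int64" .Values.node.terminationGracePeriodSeconds) }}` / `terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }}` / `{{- end }}`. The enclosing pod `spec` starts and ends outside the hunk.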
@@ -49,16 +50,33 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} + {{- if .Values.node.windowsHostProcess }} + securityContext: + windowsOptions: + hostProcess: true + runAsUserName: "NT AUTHORITY\\SYSTEM" + hostNetwork: true + {{- end }} containers: - name: ebs-plugin image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (toString .Values.image.tag)) }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.node.windowsHostProcess }} + command: + - "aws-ebs-csi-driver.exe" + {{- end }} args: - node - --endpoint=$(CSI_ENDPOINT) + {{- with .Values.node.reservedVolumeAttachments }} + - --reserved-volume-attachments={{ . }} + {{- end }} {{- with .Values.node.volumeAttachLimit }} - --volume-attach-limit={{ . }} {{- end }} + {{- if .Values.node.legacyXFS }} + - --legacy-xfs=true + {{- end}} {{- with .Values.node.loggingFormat }} - --logging-format={{ . }} {{- end }} @@ -66,9 +84,16 @@ spec: {{- if .Values.node.otelTracing }} - --enable-otel-tracing=true {{- end}} + {{- if .Values.node.windowsHostProcess }} + - --windows-host-process=true + {{- end }} env: - name: CSI_ENDPOINT + {{- if .Values.node.windowsHostProcess }} + value: unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock + {{- else }} value: unix:/csi/csi.sock + {{- end }} - name: CSI_NODE_NAME valueFrom: fieldRef: @@ -91,12 +116,14 @@ spec: mountPropagation: "None" - name: plugin-dir mountPath: C:\csi + {{- if not .Values.node.windowsHostProcess }} - name: csi-proxy-disk-pipe mountPath: \\.\pipe\csi-proxy-disk-v1 - name: csi-proxy-volume-pipe mountPath: \\.\pipe\csi-proxy-volume-v1 - name: csi-proxy-filesystem-pipe mountPath: \\.\pipe\csi-proxy-filesystem-v1 + {{- end }} ports: - name: healthz containerPort: 9808 
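Review bot: The `{{- if .Values.node.windowsHostProcess }}` branch in the `@@ -49,16 +50,33 @@` hunk makes the Windows node pod a host process (`hostProcess: true`, `runAsUserName: "NT AUTHORITY\\SYSTEM"`, `hostNetwork: true`), which is the highest privilege a Windows pod can hold and is admitted only at the `privileged` Pod Security level. Because the DaemonSet namespace is now `node.namespaceOverride | default .Release.Namespace`, whichever namespace is chosen must admit that level, and the value's default lives in values.yaml outside this chunk — confirm it is `false` for the Qovery deployment. A comment above the branch would make the trade-off visible at the point of use: `# windowsHostProcess: run as SYSTEM on the host with host networking and without csi-proxy pipes; needs a namespace admitted at PSA level "privileged"`. The pod template containing this block starts and ends outside the hunk.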
@@ -113,9 +140,11 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- if not .Values.node.windowsHostProcess }} securityContext: windowsOptions: runAsUserName: "ContainerAdministrator" + {{- end }} lifecycle: preStop: exec: @@ -123,15 +152,34 @@ spec: - name: node-driver-registrar image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.nodeDriverRegistrar.image.repository .Values.sidecars.nodeDriverRegistrar.image.tag }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.nodeDriverRegistrar.image.pullPolicy }} + {{- if .Values.node.windowsHostProcess }} + command: + - "csi-node-driver-registrar.exe" + {{- end }} args: - --csi-address=$(ADDRESS) - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + {{- if .Values.node.windowsHostProcess }} + - --plugin-registration-path=$(PLUGIN_REG_DIR) + {{- end }} - --v={{ .Values.sidecars.nodeDriverRegistrar.logLevel }} env: - name: ADDRESS + {{- if .Values.node.windowsHostProcess }} + value: unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock + {{- else }} value: unix:/csi/csi.sock + {{- end }} - name: DRIVER_REG_SOCK_PATH + {{- if .Values.node.windowsHostProcess }} + value: C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock + {{- else }} value: C:\var\lib\kubelet\plugins\ebs.csi.aws.com\csi.sock + {{- end }} + {{- if .Values.node.windowsHostProcess }} + - name: PLUGIN_REG_DIR + value: C:\\var\\lib\\kubelet\\plugins_registry\\ + {{- end }} {{- if .Values.proxy.http_proxy }} {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }} {{- end }} 
@@ -161,8 +209,16 @@ spec: - name: liveness-probe image: {{ printf "%s%s:%s" (default "" .Values.image.containerRegistry) .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }} imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }} + {{- if .Values.node.windowsHostProcess }} + command: + - "livenessprobe.exe" + {{- end }} args: + {{- if .Values.node.windowsHostProcess }} + - --csi-address=unix://C:\\var\\lib\\kubelet\\plugins\\ebs.csi.aws.com\\csi.sock + {{- else }} - --csi-address=unix:/csi/csi.sock + {{- end }} volumeMounts: - name: plugin-dir mountPath: C:\csi @@ -189,6 +245,7 @@ spec: hostPath: path: C:\var\lib\kubelet\plugins_registry type: Directory + {{- if not .Values.node.windowsHostProcess }} - name: csi-proxy-disk-pipe hostPath: path: \\.\pipe\csi-proxy-disk-v1 @@ -201,6 +258,7 @@ spec: hostPath: path: \\.\pipe\csi-proxy-filesystem-v1 type: "" + {{- end }} - name: probe-dir {{- if .Values.node.probeDirVolume }} {{- toYaml .Values.node.probeDirVolume | nindent 10 }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/_node.tpl b/charts/qovery/charts/aws-ebs-csi-driver/templates/_node.tpl index 7ae9660..a91b1b5 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/_node.tpl +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/_node.tpl 
@@ -1,13 +1,17 @@ {{- define "node" }} -{{- if or (eq (default true .Values.node.enableLinux) true) }} +{{- if .Values.node.enableLinux }} --- kind: DaemonSet apiVersion: apps/v1 metadata: name: {{ .NodeName }} - namespace: {{ .Release.Namespace }} + namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }} labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} + {{- with .Values.node.daemonSetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: {{- if or (kindIs "float64" .Values.node.revisionHistoryLimit) (kindIs "int64" .Values.node.revisionHistoryLimit) }} revisionHistoryLimit: {{ .Values.node.revisionHistoryLimit }} @@ -40,6 +44,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ .Values.node.serviceAccount.name }} + terminationGracePeriodSeconds: {{ .Values.node.terminationGracePeriodSeconds }} priorityClassName: {{ .Values.node.priorityClassName | default "system-node-critical" }} tolerations: {{- if .Values.node.tolerateAllTaints }} @@ -63,9 +68,15 @@ spec: args: - node - --endpoint=$(CSI_ENDPOINT) + {{- with .Values.node.reservedVolumeAttachments }} + - --reserved-volume-attachments={{ . }} + {{- end }} {{- with .Values.node.volumeAttachLimit }} - --volume-attach-limit={{ . }} {{- end }} + {{- if .Values.node.legacyXFS }} + - --legacy-xfs=true + {{- end}} {{- with .Values.node.loggingFormat }} - --logging-format={{ . }} {{- end }} @@ -73,6 +84,9 @@ spec: {{- if .Values.node.otelTracing }} - --enable-otel-tracing=true {{- end}} + {{- range .Values.node.additionalArgs }} + - {{ . }} + {{- end }} env: - name: CSI_ENDPOINT value: unix:/csi/csi.sock diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml index bff6577..e3eaf00 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml 
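Review bot: `{{- if .Values.node.enableLinux }}` in the `@@ -1,13 +1,17 @@` hunk of _node.tpl changes what an absent key means: the old `default true` form rendered the Linux DaemonSet when `node.enableLinux` was unset, the new form renders nothing. Upstream values.yaml presumably sets it to `true`, but that file is outside this chunk, and any override that nulls the key now silently removes the node plugin instead of keeping it. Separately, `- {{ . }}` under `{{- range .Values.node.additionalArgs }}` in the `@@ -73,6 +84,9 @@` hunk injects user-supplied arguments as plain YAML scalars, so an argument containing `: ` or ` #` would be mis-parsed at render time; `- {{ . | quote }}` avoids that (the sidecar `additionalArgs` loops visible as context in the controller.yaml hunks have the same shape). Both enclosing blocks extend beyond their hunks.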
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -5,22 +6,23 @@ metadata: name: ebs-external-attacher-role labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +# Do not modify the rules below manually, see `make update-sidecar-dependencies` +# BEGIN AUTOGENERATED RULES rules: - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "nodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "csi.storage.k8s.io" ] - resources: [ "csinodeinfos" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments/status" ] - verbs: [ "patch" ] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments/status"] + verbs: ["patch"] +# END AUTOGENERATED RULES {{- with .Values.sidecars.attacher.additionalClusterRoleRules }} {{- . | toYaml | nindent 2 }} {{- end }} +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml index 43ca2ce..2b7295a 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-csi-node.yaml 
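Review bot: The new header comment in the `@@ -5,22 +6,23 @@` hunk that refers readers to `make update-sidecar-dependencies` points at an upstream Makefile target; this copy lives under charts/qovery/charts, where that target presumably does not exist, so the instruction misleads anyone maintaining the vendored chart. The same comment is added in clusterrole-provisioner.yaml, clusterrole-resizer.yaml and clusterrole-snapshotter.yaml. A wording that matches how this repo is maintained would be `# Rules are synced from the upstream aws-ebs-csi-driver chart (make update-sidecar-dependencies there); re-vendor the chart instead of editing here`. The tightening itself is sound: `update` on persistentvolumes and volumeattachments and the `nodes`/`csinodeinfos` reads are dropped, and a deployment that relied on them can restore them through `sidecars.attacher.additionalClusterRoleRules`.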
@@ -12,3 +12,6 @@ rules: - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get"] diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml index 7b75148..9c4673d 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 
@@ -5,34 +6,51 @@ metadata: name: ebs-external-provisioner-role labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +# Do not modify the rules below manually, see `make update-sidecar-dependencies` +# BEGIN AUTOGENERATED RULES rules: - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "create", "delete" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims" ] - verbs: [ "get", "list", "watch", "update" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshots" ] - verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "get", "list" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "csinodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "nodes" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "volumeattachments" ] - verbs: [ "get", "list", "watch" ] + # The following rule should be uncommented for plugins that require secrets + # for provisioning. 
+ # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "patch", "delete"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list"] + - apiGroups: ["storage.k8s.io"] + resources: ["csinodes"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] + # Access to volumeattachments is only needed when the CSI driver + # has the PUBLISH_UNPUBLISH_VOLUME controller capability. + # In that case, external-provisioner will watch volumeattachments + # to determine when it is safe to delete a volume. + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattachments"] + verbs: ["get", "list", "watch"] +# END AUTOGENERATED RULES + # Extra rule: VAC rules not present in upstream example + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattributesclasses"] + verbs: ["get"] {{- with .Values.sidecars.provisioner.additionalClusterRoleRules }} {{- . | toYaml | nindent 2 }} {{- end }} +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml index c6d76d3..f175a61 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml 
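Review bot: The `volumeattributesclasses` `get` rule appended after `# END AUTOGENERATED RULES` in the `@@ -5,34 +6,51 @@` hunk is granted unconditionally, while controller.yaml only passes `--feature-gates=VolumeAttributesClass=true` to the provisioner when the cluster advertises `storage.k8s.io/v1beta1/VolumeAttributesClass`; clusterrole-resizer.yaml grants `get`/`list`/`watch` on the same resource with a comment saying it is only required for the alpha volume-modify feature. On a cluster without that API the rule grants nothing usable, but it is still a standing permission that a least-privilege review will flag. Wrapping this extra rule in `{{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}` … `{{- end }}` would line it up with the controller; note that the check is false under `helm template` unless `--api-versions` is passed.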
@@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -5,30 +6,35 @@ metadata: name: ebs-external-resizer-role labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +# Do not modify the rules below manually, see `make update-sidecar-dependencies` +# BEGIN AUTOGENERATED RULES rules: # The following rule should be uncommented for plugins that require secrets # for provisioning. # - apiGroups: [""] # resources: ["secrets"] # verbs: ["get", "list", "watch"] - - apiGroups: [ "" ] - resources: [ "persistentvolumes" ] - verbs: [ "get", "list", "watch", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "persistentvolumeclaims/status" ] - verbs: [ "update", "patch" ] - - apiGroups: [ "storage.k8s.io" ] - resources: [ "storageclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] - - apiGroups: [ "" ] - resources: [ "pods" ] - verbs: [ "get", "list", "watch" ] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] + # only required if enabling the alpha volume modify feature + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattributesclasses"] + verbs: ["get", "list", "watch"] +# END AUTOGENERATED RULES {{- with .Values.sidecars.resizer.additionalClusterRoleRules }} {{- . | toYaml | nindent 2 }} {{- end }} +{{- end }} 
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml index 3ef76a3..a018834 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 
@@ -5,26 +6,42 @@ metadata: name: ebs-external-snapshotter-role labels: {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }} +# Do not modify the rules below manually, see `make update-sidecar-dependencies` +# BEGIN AUTOGENERATED RULES rules: - - apiGroups: [ "" ] - resources: [ "events" ] - verbs: [ "list", "watch", "create", "update", "patch" ] + - apiGroups: [""] + resources: ["events"] + verbs: ["list", "watch", "create", "update", "patch"] # Secret permission is optional. # Enable it if your driver needs secret. # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass. # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details. - # - apiGroups: [ "" ] - # resources: [ "secrets" ] - # verbs: [ "get", "list" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotclasses" ] - verbs: [ "get", "list", "watch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents" ] - verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ] - - apiGroups: [ "snapshot.storage.k8s.io" ] - resources: [ "volumesnapshotcontents/status" ] - verbs: [ "update" ] + # - apiGroups: [""] + # resources: ["secrets"] + # verbs: ["get", "list"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents"] + verbs: ["get", "list", "watch", "update", "patch", "create"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshotcontents/status"] + verbs: ["update", "patch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: 
["volumegroupsnapshotcontents"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotcontents/status"] + verbs: ["update", "patch"] +# END AUTOGENERATED RULES {{- with .Values.sidecars.snapshotter.additionalClusterRoleRules }} {{- . | toYaml | nindent 2 }} {{- end }} +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml index bb23044..32c4196 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-attacher.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -13,3 +14,4 @@ roleRef: kind: ClusterRole name: ebs-external-attacher-role apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml index 5523135..8615ad4 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-csi-node.yaml @@ -8,7 +8,7 @@ metadata: subjects: - kind: ServiceAccount name: {{ .Values.node.serviceAccount.name }} - namespace: {{ .Release.Namespace }} + namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }} roleRef: kind: ClusterRole name: ebs-csi-node-role diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml index 9d2749a..3200848 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml 
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-provisioner.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -13,3 +14,4 @@ roleRef: kind: ClusterRole name: ebs-external-provisioner-role apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml index 88cb47d..f0c694f 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-resizer.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -13,3 +14,4 @@ roleRef: kind: ClusterRole name: ebs-external-resizer-role apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml index 2d42905..4c349ef 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/clusterrolebinding-snapshotter.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.nodeComponentOnly -}} --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -13,3 +14,4 @@ roleRef: kind: ClusterRole name: ebs-external-snapshotter-role apiGroup: rbac.authorization.k8s.io +{{- end -}} diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/controller.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/controller.yaml index 4d7eafa..30dbf4d 100644 --- a/charts/qovery/charts/aws-ebs-csi-driver/templates/controller.yaml +++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/controller.yaml 
@@ -1,3 +1,4 @@
+{{- if not .Values.nodeComponentOnly -}}
 # Controller Service
 kind: Deployment
 apiVersion: apps/v1
@@ -6,6 +7,10 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+ {{- with .Values.controller.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 spec:
 replicas: {{ .Values.controller.replicaCount }}
 {{- if or (kindIs "float64" .Values.controller.revisionHistoryLimit) (kindIs "int64" .Values.controller.revisionHistoryLimit) }}
@@ -223,6 +228,12 @@ spec:
 - --kube-api-burst=100
 - --worker-threads=100
 {{- end }}
+ {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.provisioner.additionalArgs)) }}
+ - --retry-interval-max=30m
+ {{- end }}
+ {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
+ - --feature-gates=VolumeAttributesClass=true
+ {{- end }}
 {{- range .Values.sidecars.provisioner.additionalArgs }}
 - {{ . }}
 {{- end }}
@@ -276,6 +287,9 @@ spec:
 - --kube-api-burst=100
 - --worker-threads=100
 {{- end }}
+ {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.attacher.additionalArgs)) }}
+ - --retry-interval-max=5m
+ {{- end }}
 {{- range .Values.sidecars.attacher.additionalArgs }}
 - {{ . }}
 {{- end }}
@@ -310,6 +324,7 @@ spec:
 args:
 - --csi-address=$(ADDRESS)
 - --leader-election=true
+ - --v={{ .Values.sidecars.snapshotter.logLevel }}
 {{- if .Values.controller.extraCreateMetadata }}
 - --extra-create-metadata
 {{- end}}
@@ -318,6 +333,9 @@ spec:
 - --kube-api-burst=100
 - --worker-threads=100
 {{- end }}
+ {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.snapshotter.additionalArgs)) }}
+ - --retry-interval-max=30m
+ {{- end }}
 {{- range .Values.sidecars.snapshotter.additionalArgs }}
 - {{ . }}
 {{- end }}
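Review bot: The `--feature-gates=VolumeAttributesClass=true` argument in the provisioner hunk (`@@ -223,6 +228,12 @@`) is keyed on `.Capabilities.APIVersions.Has`, which is only populated from a live API server; `helm template` and most GitOps renderers evaluate it as false unless `--api-versions storage.k8s.io/v1beta1/VolumeAttributesClass` is passed, so the same chart version renders different provisioner (and resizer) args depending on the render path. That is easy to miss in a vendored chart that Qovery presumably renders out-of-cluster, and a VolumeAttributesClass-based modification would then silently fall back to the volumemodifier sidecar path or fail. Add a comment above the condition, `{{- /* true only when rendered against a cluster that serves the v1beta1 API; pass --api-versions to helm template to reproduce */ -}}`, and consider an explicit `controller.volumeAttributesClass.enabled` value that overrides the capability check so the decision is visible in values rather than inferred. The container specs these hunks edit start before and end after each hunk.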
@@ -431,6 +449,12 @@ spec:
 - --kube-api-burst=100
 - --workers=100
 {{- end }}
+ {{- if not (regexMatch "(-retry-interval-max)" (join " " .Values.sidecars.resizer.additionalArgs)) }}
+ - --retry-interval-max=30m
+ {{- end }}
+ {{- if .Capabilities.APIVersions.Has "storage.k8s.io/v1beta1/VolumeAttributesClass" }}
+ - --feature-gates=VolumeAttributesClass=true
+ {{- end }}
 {{- range .Values.sidecars.resizer.additionalArgs }}
 - {{ . }}
 {{- end }}
@@ -497,3 +521,8 @@ spec:
 {{- with .Values.controller.volumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.controller.dnsConfig }}
+ dnsConfig:
+ {{- toYaml .Values.controller.dnsConfig | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/csidriver.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/csidriver.yaml
index a46d4b5..a78eb58 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/csidriver.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/csidriver.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.nodeComponentOnly -}}
 apiVersion: {{ ternary "storage.k8s.io/v1" "storage.k8s.io/v1beta1" (semverCompare ">=1.18.0-0" .Capabilities.KubeVersion.Version) }}
 kind: CSIDriver
 metadata:
@@ -10,3 +11,4 @@ spec:
 {{- if not .Values.useOldCSIDriver }}
 fsGroupPolicy: File
 {{- end }}
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml
new file mode 100644
index 0000000..95d7438
--- /dev/null
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/ebs-csi-default-sc.yaml
@@ -0,0 +1,13 @@
+{{- if not .Values.nodeComponentOnly -}}
+{{- if .Values.defaultStorageClass.enabled }}
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: ebs-csi-default-sc
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: ebs.csi.aws.com
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+{{- end }}
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/metrics.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/metrics.yaml
index 1dcdf4d..9792af4 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/metrics.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/metrics.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.enableMetrics -}}
+{{- if and .Values.controller.enableMetrics (not .Values.nodeComponentOnly) -}}
 ---
 apiVersion: v1
 kind: Service
@@ -37,6 +37,6 @@ spec:
 endpoints:
 - targetPort: 3301
 path: /metrics
- interval: 15s
+ interval: {{ .Values.controller.serviceMonitor.interval | default "15s"}}
 {{- end }}
 {{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
index 0a1e97c..979a18a 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/poddisruptionbudget-controller.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.controller.podDisruptionBudget.enabled (not .Values.nodeComponentOnly) -}}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
@@ -15,3 +16,4 @@ spec:
 {{- else }}
 minAvailable: 2
 {{- end }}
+{{- end -}}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/role-leases.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/role-leases.yaml
index 39e1546..f1260c0 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/role-leases.yaml
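Review bot: The new default StorageClass has no `parameters`, so PVs provisioned through it are not requested as encrypted and get the driver's built-in volume type; whether they end up encrypted then depends on the account having EBS encryption-by-default turned on, which the chart cannot verify, and a cluster-wide default is exactly the class that workloads pick up without thinking about it. Because `storageclass.kubernetes.io/is-default-class: "true"` is hard-coded, enabling this on a cluster that already has a default class (EKS typically ships one) also yields two defaults. Add `parameters:` with `encrypted: "true"` (and expose a `defaultStorageClass.parameters` map so `type`/`kmsKeyId` can follow), and note in values.yaml next to `defaultStorageClass.enabled` that any pre-existing default class must be un-annotated first; the value is `false` by default in this patch, so nothing changes until someone flips it.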
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/role-leases.yaml
@@ -1,9 +1,13 @@
+{{- if not .Values.nodeComponentOnly -}}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 namespace: {{ .Release.Namespace }}
 name: ebs-csi-leases-role
+ labels:
+ {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["coordination.k8s.io"]
 resources: ["leases"]
 verbs: ["get", "watch", "list", "delete", "update", "create"]
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/rolebinding-leases.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/rolebinding-leases.yaml
index 88fded8..f2826cb 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/rolebinding-leases.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/rolebinding-leases.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.nodeComponentOnly -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -13,3 +14,4 @@ roleRef:
 kind: Role
 name: ebs-csi-leases-role
 apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
index d819f54..bfb8c4b 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.controller.serviceAccount.create -}}
+{{- if and .Values.controller.serviceAccount.create (not .Values.nodeComponentOnly) -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
index 9f3c7c7..1182460 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ .Values.node.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ .Values.node.namespaceOverride | default .Release.Namespace }}
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
 {{- with .Values.node.serviceAccount.annotations }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/templates/tests/helm-tester.yaml b/charts/qovery/charts/aws-ebs-csi-driver/templates/tests/helm-tester.yaml
index a4e2a8f..6c618b0 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/templates/tests/helm-tester.yaml
+++ b/charts/qovery/charts/aws-ebs-csi-driver/templates/tests/helm-tester.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.helmTester.enabled (not .Values.nodeComponentOnly) -}}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -135,7 +136,7 @@ metadata:
 subjects:
 - kind: ServiceAccount
 name: ebs-csi-driver-test
- namespace: kube-system
+ namespace: {{ .Release.Namespace }}
 roleRef:
 kind: ClusterRole
 name: ebs-csi-driver-test
@@ -193,10 +194,18 @@ metadata:
 annotations:
 "helm.sh/hook": test
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+ "ignore-check.kube-linter.io/run-as-non-root": "kubetest2 image runs as root"
+ "ignore-check.kube-linter.io/no-read-only-root-fs": "test pod requires privileged access"
 spec:
 containers:
 - name: kubetest2
- image: gcr.io/k8s-staging-test-infra/kubekins-e2e:v20231206-f7b83ffbe6-master
+ image: {{ .Values.helmTester.image }}
+ resources:
+ requests:
+ cpu: 2000m
+ memory: 4Gi
+ limits:
+ memory: 4Gi
 command: [ "/bin/sh", "-c" ]
 args:
 - |
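Review bot: The test pod's image is now a values-supplied, tag-only reference (`image: {{ .Values.helmTester.image }}`, defaulting in values.yaml to a `gcr.io/k8s-staging-test-infra/...-master` staging build) with no digest, and the same file runs that container as root, acknowledged by the added kube-linter ignore annotations, under the `ebs-csi-driver-test` ClusterRole bound a few lines above; whoever can move that tag controls a cluster-scoped identity whenever `helm test` runs. Pin the value by digest, `image: "gcr.io/k8s-staging-test-infra/kubekins-e2e@sha256:<digest>"`, or at least document in values.yaml that the tag should be pinned before use on shared clusters. The ClusterRole's rule set is outside this view, so I cannot say how broad that identity is; moving the binding subject from `kube-system` to `.Release.Namespace` is a correct fix and needs nothing further.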
@@ -205,18 +214,25 @@ spec:
 kubectl config set-context kubetest2 --cluster=cluster
 kubectl config set-credentials sa --token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
 kubectl config set-context kubetest2 --user=sa && kubectl config use-context kubetest2
- kubectl get crd volumesnapshots.snapshot.storage.k8s.io
- if [ $? -eq 0 ]; then
- SNAPSHOTS="|snapshot fields"
+ export FOCUS_REGEX='\bebs.csi.aws.com\b.+(validate content|resize volume|offline PVC|AllowedTopologies|store data'
+ if kubectl get crd volumesnapshots.snapshot.storage.k8s.io; then
+ FOCUS_REGEX="${FOCUS_REGEX}|snapshot fields)"
+ else
+ FOCUS_REGEX="${FOCUS_REGEX})"
 fi
- export FOCUS_REGEX="\bebs.csi.aws.com\b.+(validate content|resize volume|offline PVC|AllowedTopologies|store data$SNAPSHOTS)"
- kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version=$(curl -L https://dl.k8s.io/release/stable-1.28.txt) --skip-regex='\[Disruptive\]|\[Serial\]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
+ export KUBE_VERSION=$(kubectl version --output json | jq -r '.serverVersion.major + "." + .serverVersion.minor')
+ kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version="$(curl -L https://dl.k8s.io/release/stable-${KUBE_VERSION}.txt)" --skip-regex='[Disruptive]|[Serial]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
 volumeMounts:
 - name: config-vol
 mountPath: /etc/config
+ # kubekins-e2e v1 image is linux amd64 only.
+ nodeSelector:
+ kubernetes.io/os: linux
+ kubernetes.io/arch: amd64
 serviceAccountName: ebs-csi-driver-test
 volumes:
 - name: config-vol
 configMap:
 name: ebs-csi-driver-test
 restartPolicy: Never
+{{- end }}
diff --git a/charts/qovery/charts/aws-ebs-csi-driver/values.yaml b/charts/qovery/charts/aws-ebs-csi-driver/values.yaml
index 131ce3d..8a4e5c2 100644
--- a/charts/qovery/charts/aws-ebs-csi-driver/values.yaml
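Review bot: The rewritten `--skip-regex='[Disruptive]|[Serial]'` drops the backslashes the removed line had, which turns each bracket group into a character class matching any single one of those letters, so the skip pattern matches practically every spec name; Ginkgo applies skip before focus, so the helm test would most likely run zero specs and report success vacuously — restore `--skip-regex='\[Disruptive\]|\[Serial\]'`. The new `KUBE_VERSION` derivation also needs hardening: managed distributions such as EKS commonly report `serverVersion.minor` as `"30+"`, which makes the `stable-${KUBE_VERSION}.txt` lookup miss, and because `curl -L` is used without `-f` the error body is then passed to `--test-package-version` instead of aborting. Strip the suffix with `rtrimstr("+")`, fail the curl hard, and keep the version in a variable so the command line stays readable. The shell block and its container spec start before this hunk.
```yaml
          # … unchanged: kubeconfig setup and FOCUS_REGEX construction …
          # Managed distributions (e.g. EKS) report minor as "30+"; strip it so the
          # dl.k8s.io lookup resolves, and let curl fail instead of passing an error body on.
          export KUBE_VERSION=$(kubectl version --output json | jq -r '.serverVersion.major + "." + (.serverVersion.minor | rtrimstr("+"))')
          TEST_PACKAGE_VERSION="$(curl -fsSL "https://dl.k8s.io/release/stable-${KUBE_VERSION}.txt")"
          kubetest2 noop --run-id='e2e-kubernetes' --test=ginkgo -- --test-package-version="${TEST_PACKAGE_VERSION}" --skip-regex='\[Disruptive\]|\[Serial\]' --focus-regex="$FOCUS_REGEX" --parallel=25 --test-args='-storage.testdriver=/etc/config/manifests.yaml'
```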
+++ b/charts/qovery/charts/aws-ebs-csi-driver/values.yaml @@ -7,11 +7,9 @@ image: # Overrides the image tag whose default is v{{ .Chart.AppVersion }} tag: "" pullPolicy: IfNotPresent - # -- Custom labels to add into metadata -customLabels: - {} - # k8s-app: aws-ebs-csi-driver +customLabels: {} +# k8s-app: aws-ebs-csi-driver sidecars: provisioner: @@ -19,7 +17,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner - tag: "v3.6.3-eks-1-29-3" + tag: "v5.1.0-eks-1-31-3" logLevel: 2 # Additional parameters provided by external-provisioner. additionalArgs: [] @@ -37,6 +35,8 @@ sidecars: # renewDeadline: "10s" # retryPeriod: "5s" securityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false attacher: @@ -44,7 +44,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher - tag: "v4.4.3-eks-1-29-3" + tag: "v4.7.0-eks-1-31-3" # Tune leader lease election for csi-attacher. # Leader election is on by default. leaderElection: @@ -62,6 +62,8 @@ sidecars: additionalClusterRoleRules: [] resources: {} securityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false snapshotter: @@ -71,7 +73,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter - tag: "v6.3.3-eks-1-29-3" + tag: "v8.0.1-eks-1-31-3" logLevel: 2 # Additional parameters provided by csi-snapshotter. additionalArgs: [] 
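Review bot: Adding `seccompProfile: {type: RuntimeDefault}` to the provisioner `securityContext` (hunk `@@ -37,6 +35,8 @@`) is the right direction, but the block still only sets `readOnlyRootFilesystem` and `allowPrivilegeEscalation`; the Pod Security "restricted" profile additionally expects `capabilities.drop: ["ALL"]` and `runAsNonRoot`, and neither is visible here or in the sibling attacher/snapshotter/resizer/volumemodifier hunks. Unless a pod-level `securityContext` in controller.yaml already supplies them (not shown in this diff), add `capabilities:` / `  drop: ["ALL"]` under each sidecar `securityContext`, which the upstream sidecar images tolerate since they need no capabilities. The remaining changes in this hunk are image tag bumps and are fine.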
@@ -79,13 +81,15 @@ sidecars: additionalClusterRoleRules: [] resources: {} securityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false livenessProbe: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe - tag: "v2.11.0-eks-1-29-3" + tag: "v2.14.0-eks-1-31-3" # Additional parameters provided by livenessprobe. additionalArgs: [] resources: {} @@ -97,7 +101,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer - tag: "v1.9.3-eks-1-29-3" + tag: "v1.12.0-eks-1-31-3" # Tune leader lease election for csi-resizer. # Leader election is on by default. leaderElection: @@ -115,6 +119,8 @@ sidecars: additionalClusterRoleRules: [] resources: {} securityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false nodeDriverRegistrar: @@ -122,7 +128,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar - tag: "v2.9.3-eks-1-29-3" + tag: "v2.12.0-eks-1-31-3" logLevel: 2 # Additional parameters provided by node-driver-registrar. additionalArgs: [] @@ -133,9 +139,9 @@ sidecars: livenessProbe: exec: command: - - /csi-node-driver-registrar - - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) - - --mode=kubelet-registration-probe + - /csi-node-driver-registrar + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + - --mode=kubelet-registration-probe initialDelaySeconds: 30 periodSeconds: 90 timeoutSeconds: 15 @@ -144,7 +150,7 @@ sidecars: image: pullPolicy: IfNotPresent repository: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s - tag: "v0.2.1" + tag: "v0.3.0" leaderElection: enabled: true # Optional values to tune lease behavior. 
@@ -158,22 +164,20 @@ sidecars: additionalArgs: [] resources: {} securityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false - proxy: http_proxy: no_proxy: - imagePullSecrets: [] nameOverride: fullnameOverride: - awsAccessSecret: name: aws-secret keyId: key_id accessKey: access_key - controller: batching: true volumeModificationFeature: @@ -185,24 +189,24 @@ controller: affinity: nodeAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate + - weight: 1 + preference: + matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - ebs-csi-controller - topologyKey: kubernetes.io/hostname - weight: 100 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - ebs-csi-controller + topologyKey: kubernetes.io/hostname + weight: 100 # The default filesystem type of the volume to provision when fstype is unspecified in the StorageClass. # If the default is not set and fstype is unset in the StorageClass, then no fstype will be set defaultFsType: ext4 @@ -229,6 +233,7 @@ controller: # Additional labels for ServiceMonitor object labels: release: prometheus + interval: "15s" # If set to true, AWS API call metrics will be exported to the following # TCP endpoint: "0.0.0.0:3301" # --- 
@@ -237,8 +242,13 @@ controller: logLevel: 2 userAgentExtra: "helm" nodeSelector: {} + deploymentAnnotations: {} podAnnotations: {} podLabels: {} + podDisruptionBudget: + # Warning: Disabling PodDisruptionBudget may lead to delays in stateful workloads starting due to controller + # pod restarts or evictions. + enabled: true priorityClassName: system-cluster-critical # AWS region to use. If not specified then the region will be looked up via the AWS EC2 metadata # service. @@ -264,7 +274,7 @@ controller: limits: memory: 256Mi serviceAccount: - # A service account will be created for you if set to true. Set to false if you want to use your own. + # A service account will be created for you if set to true. Set to false if you want to use your own. create: true name: ebs-csi-controller-sa annotations: {} @@ -309,6 +319,8 @@ controller: # --- # securityContext on the controller container (see sidecars for securityContext on sidecar containers) containerSecurityContext: + seccompProfile: + type: RuntimeDefault readOnlyRootFilesystem: true allowPrivilegeEscalation: false initContainers: [] @@ -324,6 +336,8 @@ controller: # otelServiceName: ebs-csi-controller # otelExporterEndpoint: "http://localhost:4317" + # Enable dnsConfig for the controller and node pods + dnsConfig: {} node: env: [] envFrom: [] 
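Review bot: The comment on the new `dnsConfig` key says it enables dnsConfig "for the controller and node pods", but the key lives under `controller:` and, in this patch, only controller.yaml renders `.Values.controller.dnsConfig`; whether the node DaemonSet reads it is outside this view (`_node.tpl` is not shown). Reword to `# Optional dnsConfig for the controller pod (rendered by controller.yaml)`, or add a matching `node.dnsConfig` if the DaemonSet is meant to honour it, so operators do not expect a setting that may never reach the node pods. The `podDisruptionBudget` warning text in the same hunk is clear as written.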
@@ -331,31 +345,34 @@ node: loggingFormat: text logLevel: 2 priorityClassName: + additionalArgs: [] affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - - matchExpressions: - - key: eks.amazonaws.com/compute-type - operator: NotIn - values: - - fargate - - key: node.kubernetes.io/instance-type - operator: NotIn - values: - - a1.medium - - a1.large - - a1.xlarge - - a1.2xlarge - - a1.4xlarge + - matchExpressions: + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate + - key: node.kubernetes.io/instance-type + operator: NotIn + values: + - a1.medium + - a1.large + - a1.xlarge + - a1.2xlarge + - a1.4xlarge nodeSelector: {} + daemonSetAnnotations: {} podAnnotations: {} podLabels: {} + terminationGracePeriodSeconds: 30 tolerateAllTaints: true tolerations: - - operator: Exists - effect: NoExecute - tolerationSeconds: 300 + - operator: Exists + effect: NoExecute + tolerationSeconds: 300 resources: requests: cpu: 10m 
@@ -375,7 +392,16 @@ node: # Enable the linux daemonset creation enableLinux: true enableWindows: false + # Warning: This option will be removed in a future release. It is a temporary workaround for users unable to immediately migrate off of older kernel versions. + # Formats XFS volumes with bigtime=0,inobtcount=0,reflink=0, for mounting onto nodes with linux kernel version <= 5.4. + # Note that XFS volumes formatted with this option will only have timestamp records until 2038. + legacyXFS: false + # The number of attachment slots to reserve for system use (and not to be used for CSI volumes) + # When this parameter is not specified (or set to -1), the EBS CSI Driver will attempt to determine the number of reserved slots via heuristic + # Cannot be specified at the same time as `node.volumeAttachLimit` + reservedVolumeAttachments: # The "maximum number of attachable volumes" per node + # Cannot be specified at the same time as `node.reservedVolumeAttachments` volumeAttachLimit: updateStrategy: type: RollingUpdate @@ -389,6 +415,8 @@ node: runAsUser: 0 runAsGroup: 0 fsGroup: 0 + # allows you to deploy aws-ebs-csi-node daemonset to separate namespace (make sure namespace exists before deploy) + namespaceOverride: "" # Add additional volume mounts on the node pods with node.volumes and node.volumeMounts volumes: [] # Add additional volumes to be mounted onto the node pods: @@ -402,6 +430,7 @@ node: # mountPath: /mount/path # --- # securityContext on the node container (see sidecars for securityContext on sidecar containers) + # Privileged containers always run as `Unconfined`, which means that they are not restricted by a seccomp profile. containerSecurityContext: readOnlyRootFilesystem: true privileged: true 
@@ -409,19 +438,17 @@ node: otelTracing: {} # otelServiceName: ebs-csi-node # otelExporterEndpoint: "http://localhost:4317" - additionalDaemonSets: - # Additional node DaemonSets, using the node config structure - # See docs/additional-daemonsets.md for more information - # - # example: - # nodeSelector: - # node.kubernetes.io/instance-type: c5.large - # volumeAttachLimit: 15 +# Additional node DaemonSets, using the node config structure +# See docs/additional-daemonsets.md for more information +# +# example: +# nodeSelector: +# node.kubernetes.io/instance-type: c5.large +# volumeAttachLimit: 15 # Enable compatibility for the A1 instance family via use of an AL2-based image in a separate DaemonSet # a1CompatibilityDaemonSet: true - storageClasses: [] # Add StorageClass resources like: # - name: ebs-sc @@ -438,6 +465,8 @@ storageClasses: [] # parameters: # encrypted: "true" +defaultStorageClass: + enabled: false volumeSnapshotClasses: [] # Add VolumeSnapshotClass resources like: # - name: ebs-vsc @@ -455,3 +484,9 @@ volumeSnapshotClasses: [] # Intended for use with older clusters that cannot easily replace the CSIDriver object # This parameter should always be false for new installations useOldCSIDriver: false +# Deploy EBS CSI Driver without controller and associated resources +nodeComponentOnly: false +helmTester: + enabled: true + # Supply a custom image to the ebs-csi-driver-test pod in helm-tester.yaml + image: "gcr.io/k8s-staging-test-infra/kubekins-e2e:v20240903-6a352c5344-master" diff --git a/charts/qovery/values-aws.yaml b/charts/qovery/values-aws.yaml index 77d61fb..63d7aa6 100644 --- a/charts/qovery/values-aws.yaml +++ b/charts/qovery/values-aws.yaml @@ -220,7 +220,6 @@ external-dns: image: registry: set-by-customer repository: set-by-customer - tag: 0.13.2-debian-11-r17 # set resources resources: limits: 
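Review bot: `helmTester.enabled: true` by default means helm-tester.yaml's ServiceAccount and `ebs-csi-driver-test` ClusterRoleBinding are rendered on every install unless those objects are themselves hook-scoped, and only the test pod's `helm.sh/hook: test` annotation is visible in this diff, so a cluster-scoped identity may sit idle on production clusters that never run `helm test`. For a platform chart that is installed unattended, set `helmTester: {enabled: false}` in the Qovery wrapper values (values-aws.yaml) rather than editing the vendored chart, and turn it on only for a test run. Add a comment next to the value, `# creates a ClusterRoleBinding for the tester; leave false unless you run helm test`, so the default is a conscious choice.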
@@ -235,7 +234,6 @@ promtail: image: registry: set-by-customer repository: set-by-customer - tag: 2.9.7 # It's mandatory to get this class to ensure paused infra will behave properly on restore priorityClassName: system-node-critical config: diff --git a/charts/qovery/values-gcp.yaml b/charts/qovery/values-gcp.yaml index 6052a66..372ead9 100644 --- a/charts/qovery/values-gcp.yaml +++ b/charts/qovery/values-gcp.yaml @@ -204,7 +204,6 @@ external-dns: image: registry: set-by-customer repository: set-by-customer - tag: 0.13.2-debian-11-r17 # set resources resources: limits: @@ -219,7 +218,6 @@ promtail: image: registry: set-by-customer repository: set-by-customer - tag: 2.9.7 # It's mandatory to get this class to ensure paused infra will behave properly on restore priorityClassName: system-node-critical config: diff --git a/charts/qovery/values-scaleway.yaml b/charts/qovery/values-scaleway.yaml index f3d2841..99b43ec 100644 --- a/charts/qovery/values-scaleway.yaml +++ b/charts/qovery/values-scaleway.yaml @@ -222,7 +222,6 @@ external-dns: image: registry: set-by-customer repository: set-by-customer - tag: 0.13.2-debian-11-r17 # set resources resources: limits: @@ -237,7 +236,6 @@ promtail: image: registry: set-by-customer repository: set-by-customer - tag: 2.9.7 # It's mandatory to get this class to ensure paused infra will behave properly on restore priorityClassName: system-node-critical config: