디렉토리 구조 및 각 서비스 추가

This commit is contained in:
dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions


@@ -0,0 +1,53 @@
Successfully installed OpenEBS.
Check the status by running: kubectl get pods -n {{ .Release.Namespace }}
The default values will install NDM and enable OpenEBS hostpath and device
storage engines along with their default StorageClasses. Use `kubectl get sc`
to see the list of installed OpenEBS StorageClasses.
**Note**: If you are upgrading from the older helm chart that was using cStor
and Jiva (non-csi) volumes, you will have to run the following command to include
the older provisioners:
helm upgrade {{ .Release.Name }} openebs/openebs \
--namespace {{ .Release.Namespace }} \
--set legacy.enabled=true \
--reuse-values
For other engines, you will need to perform a few more additional steps to
enable the engine, configure the engines (e.g. creating pools) and create
StorageClasses.
For example, cStor can be enabled using commands like:
helm upgrade {{ .Release.Name }} openebs/openebs \
--namespace {{ .Release.Namespace }} \
--set cstor.enabled=true \
--reuse-values
For more information,
- view the online documentation at https://openebs.io/docs or
- connect with an active community on Kubernetes slack #openebs channel.
{{- /*
The section below can be removed once enableDeviceClass and enableHostpathClass
options are removed.
*/}}
{{ if or (eq .Values.localprovisioner.enableHostpathClass false) (eq .Values.localprovisioner.enableDeviceClass false) }}
DEPRECATION NOTICE:
-------------------
The options 'enableHostpathClass' and 'enableDeviceClass' are deprecated and
will be removed in future releases.
Please use the options hostpathClass.enabled and deviceClass.enabled instead.
Example:
helm install {{ .Release.Name }} openebs/openebs \
--namespace {{ .Release.Namespace }} \
--set localprovisioner.deviceClass.enabled="false"
{{ end }}


@@ -0,0 +1,160 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "openebs.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openebs.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openebs.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "openebs.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "openebs.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Define meta labels for openebs components
*/}}
{{- define "openebs.common.metaLabels" -}}
chart: {{ template "openebs.chart" . }}
heritage: {{ .Release.Service }}
openebs.io/version: {{ .Values.release.version | quote }}
{{- end -}}
{{- define "openebs.ndm-cluster-exporter.name" -}}
{{- $ndmName := default .Chart.Name .Values.ndmExporter.clusterExporter.nameOverride | trunc 63 | trimSuffix "-" }}
{{- $componentName := .Values.ndmExporter.clusterExporter.name | trunc 63 | trimSuffix "-" }}
{{- printf "%s-%s" $ndmName $componentName | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified ndm cluster exporter name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openebs.ndm-cluster-exporter.fullname" -}}
{{- if .Values.ndmExporter.clusterExporter.fullnameOverride }}
{{- .Values.ndmExporter.clusterExporter.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $ndmClusterExporterName := include "openebs.ndm-cluster-exporter.name" .}}
{{- $name := default $ndmClusterExporterName .Values.ndmExporter.clusterExporter.nameOverride }}
{{- if contains .Release.Name $name }}
{{- $name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- define "openebs.ndm-node-exporter.name" -}}
{{- $ndmName := default .Chart.Name .Values.ndmExporter.nodeExporter.nameOverride | trunc 63 | trimSuffix "-" }}
{{- $componentName := .Values.ndmExporter.nodeExporter.name | trunc 63 | trimSuffix "-" }}
{{- printf "%s-%s" $ndmName $componentName | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified ndm node exporter name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openebs.ndm-node-exporter.fullname" -}}
{{- if .Values.ndmExporter.nodeExporter.fullnameOverride }}
{{- .Values.ndmExporter.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $ndmNodeExporterName := include "openebs.ndm-node-exporter.name" .}}
{{- $name := default $ndmNodeExporterName .Values.ndmExporter.nodeExporter.nameOverride }}
{{- if contains .Release.Name $name }}
{{- $name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create match labels for ndm cluster exporter deployment
*/}}
{{- define "openebs.ndm-cluster-exporter.matchLabels" -}}
app: {{ template "openebs.ndm-cluster-exporter.name" . }}
release: {{ .Release.Name }}
component: {{ default (include "openebs.ndm-cluster-exporter.name" .) .Values.ndmExporter.clusterExporter.componentName }}
{{- end -}}
{{/*
Create component labels for ndm cluster exporter component
*/}}
{{- define "openebs.ndm-cluster-exporter.componentLabels" -}}
name: {{ template "openebs.ndm-node-exporter.name" . }}
openebs.io/component-name: {{ default (include "openebs.ndm-cluster-exporter.name" .) .Values.ndmExporter.clusterExporter.componentName }}
{{- end -}}
{{/*
Create labels for ndm cluster exporter component
*/}}
{{- define "openebs.ndm-cluster-exporter.labels" -}}
{{ include "openebs.common.metaLabels" . }}
{{ include "openebs.ndm-cluster-exporter.matchLabels" . }}
{{ include "openebs.ndm-cluster-exporter.componentLabels" . }}
{{- end -}}
{{/*
Create match labels for ndm node exporter deployment
*/}}
{{- define "openebs.ndm-node-exporter.matchLabels" -}}
app: {{ template "openebs.ndm-node-exporter.name" . }}
release: {{ .Release.Name }}
component: {{ default (include "openebs.ndm-node-exporter.name" .) .Values.ndmExporter.nodeExporter.componentName }}
{{- end -}}
{{/*
Create component labels for ndm node exporter component
*/}}
{{- define "openebs.ndm-node-exporter.componentLabels" -}}
name: {{ template "openebs.ndm-node-exporter.name" . }}
openebs.io/component-name: {{ default (include "openebs.ndm-node-exporter.name" .) .Values.ndmExporter.nodeExporter.componentName }}
{{- end -}}
{{/*
Create labels for ndm cluster node component
*/}}
{{- define "openebs.ndm-node-exporter.labels" -}}
{{ include "openebs.common.metaLabels" . }}
{{ include "openebs.ndm-node-exporter.matchLabels" . }}
{{ include "openebs.ndm-node-exporter.componentLabels" . }}
{{- end -}}
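Review bot: `openebs.ndm-cluster-exporter.componentLabels` takes its `name` label from the node exporter's name template (`name: {{ template "openebs.ndm-node-exporter.name" . }}`), while every other cluster-exporter label in this file is built from `openebs.ndm-cluster-exporter.name`, so the cluster exporter is labelled with the node exporter's name; change it to `name: {{ template "openebs.ndm-cluster-exporter.name" . }}`. The comment above `openebs.ndm-node-exporter.labels` ("Create labels for ndm cluster node component") has the same copy-paste origin and should read "Create labels for ndm node exporter component". On the service-account helper: when `serviceAccount.create` is false and `serviceAccount.name` is empty it silently yields `default`, which the ClusterRoleBinding in this commit then binds to the wildcard ClusterRole; consider `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}` there so the render fails instead of granting cluster-wide rights to the namespace's default ServiceAccount.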


@@ -0,0 +1,50 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "openebs.fullname" . }}
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups: ["*"]
resources: ["nodes", "nodes/proxy"]
verbs: ["*"]
- apiGroups: ["*"]
resources: ["namespaces", "services", "pods", "pods/exec", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs" ]
verbs: ["*"]
- apiGroups: ["*"]
resources: ["statefulsets", "daemonsets"]
verbs: ["*"]
- apiGroups: ["*"]
resources: ["resourcequotas", "limitranges"]
verbs: ["list", "watch"]
- apiGroups: ["*"]
resources: ["ingresses", "horizontalpodautoscalers", "verticalpodautoscalers", "poddisruptionbudgets", "certificatesigningrequests"]
verbs: ["list", "watch"]
- apiGroups: ["*"]
resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
verbs: ["*"]
- apiGroups: ["volumesnapshot.external-storage.k8s.io"]
resources: ["volumesnapshots", "volumesnapshotdatas"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: [ "get", "list", "create", "update", "delete", "patch"]
- apiGroups: ["openebs.io"]
resources: [ "*"]
verbs: ["*" ]
- apiGroups: ["cstor.openebs.io"]
resources: [ "*"]
verbs: ["*" ]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["get", "create", "list", "delete", "update", "patch"]
- nonResourceURLs: ["/metrics"]
verbs: ["get"]
{{- end }}
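Review bot: The first rules of this ClusterRole grant `verbs: ["*"]` on `secrets`, `pods/exec`, `nodes` and `nodes/proxy` under `apiGroups: ["*"]`, which makes the bound ServiceAccount effectively cluster-admin: it can read every Secret in every namespace and exec into any pod, and all of these rules are cluster-scoped. The core resources live in the empty API group (`""`) and the workload kinds in `apps`, so the `"*"` group wildcard adds only breadth; each rule should name its real group, and the wildcard verbs on `secrets` and `pods/exec` in particular should be narrowed to the verbs the openebs components actually use, or at least justified in a comment beside the rule. Since the legacy engines are gated behind `.Values.legacy.enabled` elsewhere in this commit, it is also worth wrapping the `cstor.openebs.io` and `volumesnapshot.external-storage.k8s.io` rules in the same condition so those permissions are not granted when the components that need them are not deployed.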


@@ -0,0 +1,19 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openebs.fullname" . }}
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openebs.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "openebs.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
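Review bot: The subject name comes from `openebs.serviceAccountName`, which falls back to the literal `default` when `serviceAccount.create` is false and `serviceAccount.name` is empty, so with that combination this binding hands the wildcard ClusterRole to the namespace's `default` ServiceAccount and therefore to every pod in `{{ .Release.Namespace }}` that does not set its own `serviceAccountName`. Nothing in this template guards against that; either make the helper fail the render with `required`, or wrap the binding in a guard such as `{{- if ne (include "openebs.serviceAccountName" .) "default" }}` with a documented values default, so the wildcard role is never attached to the default account by accident.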


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-add-capabilities
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Provides a list of capabilities that are allowed to be added to a container.
spec:
validationFailureAction: enforce
background: true
rules:
- name: capabilities
match:
resources:
kinds:
- Pod
validate:
message: >-
Default set of capabilities are allowed.
pattern:
spec:
containers:
- =(securityContext):
=(capabilities):
=(add): "*"
{{- end }}
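Review bot: The validate pattern `=(add): "*"` appears to match any value, so with `validationFailureAction: enforce` this policy admits every capability a pod asks for and enforces nothing, although its name and description read as an allow-list. If the intent is to permit only a specific set, the rule has to name the allowed capabilities (a `deny` rule with a condition over `spec.containers[*].securityContext.capabilities.add`, or `anyPattern`, is the usual Kyverno form); if the intent is only to override a stricter cluster-wide policy, the description should say so and `validationFailureAction: audit` is the safer action for a rule that cannot reject anything. Note also that only `containers` is matched, so capabilities added on `initContainers` are not evaluated at all.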


@@ -0,0 +1,32 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-namespaces
annotations:
policies.kyverno.io/category: Pod Security Standards
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Host namespaces (Process ID namespace, Inter-Process Communication namespace, and
network namespace) allow access to shared information and can be used to elevate
privileges. Pods should allowed access to host namespaces.
spec:
validationFailureAction: enforce
background: true
rules:
- name: host-namespaces
match:
resources:
kinds:
- Pod
validate:
message: >-
Sharing the host namespaces is allowed. The fields spec.hostNetwork,
spec.hostIPC, and spec.hostPID must be set to true.
pattern:
spec:
=(hostPID): "true"
=(hostIPC): "true"
=(hostNetwork): "true"
{{- end }}
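Review bot: The `=(...)` anchors require that, when `hostPID`, `hostIPC` or `hostNetwork` is present, its value equals `"true"`, and the rule runs with `validationFailureAction: enforce`, so a pod that explicitly sets `hostPID: false` (the hardened choice) is rejected at admission while one that sets it to `true` is admitted; this looks like the upstream Kyverno Pod Security policy with the value flipped from `"false"`, which inverts the check rather than relaxing it. The same inversion is in allow-privileged-escalation (`=(allowPrivilegeEscalation): "true"`) and allow-privileged-containers (`=(privileged): "true"`), where a pod that sets the field to `false` is denied. If the goal is to permit host namespaces and privileged mode for the openebs pods, remove the rules or run them in `audit`, rather than enforcing the insecure value; the description and message ("Pods should allowed access to host namespaces", "must be set to true") also need rewording to state what the rule actually checks.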


@@ -0,0 +1,31 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-host-ports
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Access to host ports allows potential snooping of network traffic and should be
allowed, or at minimum restricted to a known list.
spec:
validationFailureAction: enforce
background: true
rules:
- name: host-ports
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of host ports is allowed. The fields spec.containers[*].ports[*].hostPort
should contain value in range [1,65535).
pattern:
spec:
containers:
- =(ports):
- =(hostPort): ">0 & <65535"
{{- end }}
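Review bot: The pattern `=(hostPort): ">0 & <65535"` rejects a pod that sets `hostPort: 65535`, which is a valid port, and the message says the range is `[1,65535)` as if that were intended; since the description says host ports are to be allowed, either use `=(hostPort): ">0 & <=65535"` or drop the rule, because the remaining check only restates what the API server already validates. As with the other policies in this commit, only `containers` is matched, so a `hostPort` on an `initContainers` entry is not evaluated.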


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-escalation
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privilege escalation, such as via set-user-ID or set-group-ID file mode, should be allowed.
spec:
validationFailureAction: enforce
background: true
rules:
- name: priviledged-escalation
match:
resources:
kinds:
- Pod
validate:
message: >-
Privilege escalation is allowed. The fields spec.containers[*].securityContext.allowPrivilegeEscalation
must be defined or set to `true`.
pattern:
spec:
containers:
- =(securityContext):
=(allowPrivilegeEscalation): "true"
{{- end }}


@@ -0,0 +1,30 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-privileged-containers
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Privileged policies only allow the OpenEBS containers to use privileged mode.
spec:
validationFailureAction: enforce
background: true
rules:
- name: priviledged-containers
match:
resources:
kinds:
- Pod
validate:
message: >-
Privileged mode is allowed. The fields spec.containers[*].securityContext.privileged
must be defined or set to true.
pattern:
spec:
containers:
- =(securityContext):
=(privileged): "true"
{{- end }}


@@ -0,0 +1,31 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-default-proc-mount
annotations:
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
The default /proc masks are set up to reduce attack surface and should be required.
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-proc-mount
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing the proc mount from the default is not allowed. The fields
spec.containers[*].securityContext.procMount should be defined or set
to Default
pattern:
spec:
containers:
- =(securityContext):
=(procMount): "Default"
{{- end }}


@@ -0,0 +1,34 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: allow-selinux
annotations:
policies.kyverno.io/title: Allow SELinux
policies.kyverno.io/category: Pod Security Standards (Baseline)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
SELinux options can be used to escalate privileges and should be allowed.
spec:
validationFailureAction: enforce
background: true
rules:
- name: seLinux
match:
resources:
kinds:
- Pod
validate:
message: >-
Setting custom SELinux options is allowed. The fields
spec.securityContext.seLinuxOptions, spec.containers[*].securityContext.seLinuxOptions,
and spec.initContainers[*].securityContext.seLinuxOptions must be empty.
pattern:
spec:
=(securityContext):
=(seLinuxOptions): "on"
containers:
- =(securityContext):
=(seLinuxOptions): "on"
{{- end }}
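Review bot: `seLinuxOptions` is a mapping (`level`, `role`, `type`, `user`), so the pattern `=(seLinuxOptions): "on"` compares a map to the string `"on"` and can never match; with `validationFailureAction: enforce` any pod in the namespace that sets SELinux options at pod or container level is denied at admission, the opposite of what the title "Allow SELinux" and the description state. If the goal is to permit custom SELinux options, remove the rule or switch it to `audit`; if the goal is to constrain them, the pattern has to address the map's individual fields rather than the map itself, and the message ("must be empty") should be rewritten to match whichever behaviour is kept.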


@@ -0,0 +1,56 @@
{{- if .Values.rbac.kyvernoEnabled }}
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: require-user-groups
annotations:
policies.kyverno.io/category: Pod Security Standards (Privileged)
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Containers should allow to run with a root primary or supplementary GID.
spec:
validationFailureAction: enforce
background: true
rules:
- name: check-runasuser
match:
resources:
kinds:
- Pod
validate:
message: >-
Running the user IDs are allowed.
pattern:
spec:
=(securityContext):
=(runAsUser): ">=0"
containers:
- =(securityContext):
=(runAsUser): ">=0"
- name: check-supplementalGroups
match:
resources:
kinds:
- Pod
validate:
message: >-
Adding of supplemental group IDs is allowed.
pattern:
spec:
=(securityContext):
=(supplementalGroups):
- ">=0"
- name: check-fsGroup
match:
resources:
kinds:
- Pod
validate:
message: >-
Changing to root group ID is allowed.
pattern:
spec:
=(securityContext):
=(fsGroup): ">=0"
{{- end }}
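Review bot: Every pattern in this policy (`=(runAsUser): ">=0"`, the `">=0"` entry under `=(supplementalGroups)`, `=(fsGroup): ">=0"`) accepts the whole range of valid UIDs and GIDs including 0, so the three rules pass anything the API server would already accept and enforce nothing, yet the policy runs in `enforce` mode under the name `require-user-groups`. If the intent is to require non-root, the usual form is `">0"`; if the intent is only to neutralise a stricter cluster-wide policy, the name, description ("should allow to run with a root primary or supplementary GID") and messages should say so and `audit` is the safer action. The `check-runasuser` rule also matches only `containers`, so `initContainers` are not evaluated.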


@@ -0,0 +1,49 @@
{{- if and (.Values.webhook.enabled) (.Values.legacy.enabled) }}
# HELM first deletes RBAC, then it tries to delete other resources like SPC and PVC.
# We've got validating webhook on SPC and PVC.
# But even that the policy of this webhook is Ignore, it fails because the ServiceAccount
# does not have permission to access resources like BDC anymore which are used for validation.
# Therefore we first need to delete webhook so we can delete the rest of the deployments.
{{- $kubeMinor := .Capabilities.KubeVersion.Minor | replace "+" "" }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "openebs.fullname" . }}-webhook-cleanup
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
labels:
app: {{ template "openebs.name" . }}
spec:
template:
metadata:
name: {{ template "openebs.fullname" . }}-webhook-cleanup
labels:
app: {{ template "openebs.name" . }}
spec:
{{- if .Values.cleanup.image.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.cleanup.image.imagePullSecrets | indent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
{{- if .Values.webhook.tolerations }}
tolerations:
{{ toYaml .Values.webhook.tolerations | indent 8 }}
{{- end }}
containers:
- name: kubectl
{{- /* bitnami maintains an image for all k8s versions */}}
{{- /* see: https://hub.docker.com/r/bitnami/kubectl */}}
{{- if .Values.cleanup.image.tag }}
image: "{{ .Values.cleanup.image.registry }}{{ .Values.cleanup.image.repository }}:{{ .Values.cleanup.image.tag }}"
{{- else }}
image: "{{ .Values.cleanup.image.registry }}{{ .Values.cleanup.image.repository }}:{{ .Capabilities.KubeVersion.Major }}.{{ $kubeMinor }}"
{{- end }}
command:
- /bin/sh
- -c
- >
kubectl delete validatingWebhookConfiguration openebs-validation-webhook-cfg || true;
restartPolicy: OnFailure
{{- end }}
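Review bot: The `|| true` on the `kubectl delete validatingWebhookConfiguration ... || true;` command guarantees a zero exit, and `helm.sh/hook-delete-policy: hook-succeeded` then removes the Job and its pod, so when the deletion fails (for example because the RBAC described in the comment block at the top is already gone) the only evidence is discarded and the webhook configuration is left behind silently. Use `kubectl delete validatingwebhookconfiguration openebs-validation-webhook-cfg --ignore-not-found` so that "already gone" still succeeds but a real failure is retried by `restartPolicy: OnFailure`, and add a `backoffLimit` and `activeDeadlineSeconds` so the retry loop is bounded. When `.Values.cleanup.image.tag` is unset the image is resolved from a floating `<major>.<minor>` tag at delete time; pinning a full tag or digest in values keeps the hook reproducible.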


@@ -0,0 +1,84 @@
{{- if and (.Values.webhook.enabled) (.Values.legacy.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-admission-server
labels:
app: admission-webhook
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: admission-webhook
openebs.io/component-name: admission-webhook
openebs.io/version: {{ .Values.release.version }}
spec:
replicas: {{ .Values.webhook.replicas }}
strategy:
type: "Recreate"
rollingUpdate: null
selector:
matchLabels:
app: admission-webhook
template:
metadata:
labels:
app: admission-webhook
name: admission-webhook
release: {{ .Release.Name }}
openebs.io/version: {{ .Values.release.version }}
openebs.io/component-name: admission-webhook
spec:
{{- if .Values.webhook.hostNetwork }}
hostNetwork: true
{{- end }}
{{- if .Values.webhook.nodeSelector }}
nodeSelector:
{{ toYaml .Values.webhook.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.webhook.tolerations }}
tolerations:
{{ toYaml .Values.webhook.tolerations | indent 8 }}
{{- end }}
{{- if .Values.webhook.affinity }}
affinity:
{{ toYaml .Values.webhook.affinity | indent 8 }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: admission-webhook
image: "{{ .Values.image.repository }}{{ .Values.webhook.image }}:{{ .Values.webhook.imageTag }}"
{{- if .Values.webhook.resources }}
resources:
{{ toYaml .Values.webhook.resources | trimSuffix "\n" | indent 12 }}
{{- end }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- -alsologtostderr
- -v=2
- 2>&1
env:
- name: OPENEBS_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ADMISSION_WEBHOOK_FAILURE_POLICY
value: "{{ .Values.webhook.failurePolicy }}"
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can't be used here with pgrep (>15 chars).A regular expression
# Anchor `^` : matches any string that starts with `admission-serve`
# `.*`: matche any string that has `admission-serve` followed by zero or more char
# that matches the entire command name has to specified.
livenessProbe:
exec:
command:
- sh
- -c
- test `pgrep -c "^admission-serve.*"` = 1
initialDelaySeconds: {{ .Values.webhook.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.webhook.healthCheck.periodSeconds }}
{{- end }}
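Review bot: `openebs.io/version: {{ .Values.release.version }}` is emitted unquoted in both the Deployment labels and the pod-template labels, so a version that looks like a number is retyped by the YAML parser before it becomes a label (a value like `3.10` renders as `3.1`), and the result disagrees with `openebs.common.metaLabels`, which quotes the same value; use `openebs.io/version: {{ .Values.release.version | quote }}` in both places. The apiserver, provisioner and snapshot-operator Deployments in this commit emit the same label the same way. Separately, the `args` entry `- 2>&1` is passed as a literal third argument to the admission-webhook binary, since there is no shell in this exec form to interpret it as a redirection, so it should be removed unless the binary is known to accept it.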


@@ -0,0 +1,178 @@
{{- if and (.Values.apiserver.enabled) (.Values.legacy.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-apiserver
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: apiserver
name: maya-apiserver
openebs.io/component-name: maya-apiserver
openebs.io/version: {{ .Values.release.version }}
spec:
replicas: {{ .Values.apiserver.replicas }}
strategy:
type: "Recreate"
rollingUpdate: null
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: apiserver
name: maya-apiserver
openebs.io/component-name: maya-apiserver
openebs.io/version: {{ .Values.release.version }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.name" . }}-apiserver
image: "{{ .Values.image.repository }}{{ .Values.apiserver.image }}:{{ .Values.apiserver.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.apiserver.resources }}
resources:
{{ toYaml .Values.apiserver.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
ports:
- containerPort: {{ .Values.apiserver.ports.internalPort }}
env:
# OPENEBS_IO_KUBE_CONFIG enables maya api service to connect to K8s
# based on this config. This is ignored if empty.
# This is supported for maya api server version 0.5.2 onwards
#- name: OPENEBS_IO_KUBE_CONFIG
# value: "/home/ubuntu/.kube/config"
# OPENEBS_IO_K8S_MASTER enables maya api service to connect to K8s
# based on this address. This is ignored if empty.
# This is supported for maya api server version 0.5.2 onwards
#- name: OPENEBS_IO_K8S_MASTER
# value: "http://172.28.128.3:8080"
# OPENEBS_NAMESPACE provides the namespace of this deployment as an
# environment variable
- name: OPENEBS_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as
# environment variable
- name: OPENEBS_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
# OPENEBS_MAYA_POD_NAME provides the name of this pod as
# environment variable
- name: OPENEBS_MAYA_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: MY_POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
# If OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG is false then OpenEBS default
# storageclass and storagepool will not be created.
- name: OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG
value: "{{ .Values.defaultStorageConfig.enabled }}"
# OPENEBS_IO_INSTALL_DEFAULT_CSTOR_SPARSE_POOL decides whether default cstor sparse pool should be
# configured as a part of openebs installation.
# If "true" a default cstor sparse pool will be configured, if "false" it will not be configured.
# This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG
# is set to true
- name: OPENEBS_IO_INSTALL_DEFAULT_CSTOR_SPARSE_POOL
value: "{{ .Values.apiserver.sparse.enabled }}"
# OPENEBS_IO_CSTOR_TARGET_DIR can be used to specify the hostpath
# to be used for saving the shared content between the side cars
# of cstor volume pod.
# The default path used is /var/openebs/sparse
- name: OPENEBS_IO_CSTOR_TARGET_DIR
value: "{{ .Values.ndm.sparse.path }}"
# OPENEBS_IO_CSTOR_POOL_SPARSE_DIR can be used to specify the hostpath
# to be used for saving the shared content between the side cars
# of cstor pool pod. This ENV is also used to indicate the location
# of the sparse devices.
# The default path used is /var/openebs/sparse
- name: OPENEBS_IO_CSTOR_POOL_SPARSE_DIR
value: "{{ .Values.ndm.sparse.path }}"
# OPENEBS_IO_JIVA_POOL_DIR can be used to specify the hostpath
# to be used for default Jiva StoragePool loaded by OpenEBS
# The default path used is /var/openebs
# This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG
# is set to true
- name: OPENEBS_IO_JIVA_POOL_DIR
value: "{{ .Values.jiva.defaultStoragePath }}"
# OPENEBS_IO_LOCALPV_HOSTPATH_DIR can be used to specify the hostpath
# to be used for default openebs-hostpath storageclass loaded by OpenEBS
# The default path used is /var/openebs/local
# This value takes effect only if OPENEBS_IO_CREATE_DEFAULT_STORAGE_CONFIG
# is set to true
- name: OPENEBS_IO_LOCALPV_HOSTPATH_DIR
value: "{{ .Values.localprovisioner.basePath }}"
# OPENEBS_IO_BASE_DIR used by the OpenEBS to store debug information and
# so forth that are generated in the course of running OpenEBS containers.
- name: OPENEBS_IO_BASE_DIR
value: "{{ .Values.varDirectoryPath.baseDir }}"
- name: OPENEBS_IO_JIVA_CONTROLLER_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.jiva.image }}:{{ .Values.jiva.imageTag }}"
- name: OPENEBS_IO_JIVA_REPLICA_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.jiva.image }}:{{ .Values.jiva.imageTag }}"
- name: OPENEBS_IO_JIVA_REPLICA_COUNT
value: "{{ .Values.jiva.replicas }}"
- name: OPENEBS_IO_CSTOR_TARGET_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.cstor.target.image }}:{{ .Values.cstor.target.imageTag }}"
- name: OPENEBS_IO_CSTOR_POOL_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.cstor.pool.image }}:{{ .Values.cstor.pool.imageTag }}"
- name: OPENEBS_IO_CSTOR_POOL_MGMT_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.cstor.poolMgmt.image }}:{{ .Values.cstor.poolMgmt.imageTag }}"
- name: OPENEBS_IO_CSTOR_VOLUME_MGMT_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.cstor.volumeMgmt.image }}:{{ .Values.cstor.volumeMgmt.imageTag }}"
- name: OPENEBS_IO_VOLUME_MONITOR_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.policies.monitoring.image }}:{{ .Values.policies.monitoring.imageTag }}"
- name: OPENEBS_IO_CSTOR_POOL_EXPORTER_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.policies.monitoring.image }}:{{ .Values.policies.monitoring.imageTag }}"
- name: OPENEBS_IO_HELPER_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.helper.image }}:{{ .Values.helper.imageTag }}"
# OPENEBS_IO_ENABLE_ANALYTICS if set to true sends anonymous usage
# events to Google Analytics
- name: OPENEBS_IO_ENABLE_ANALYTICS
value: "{{ .Values.analytics.enabled }}"
# OPENEBS_IO_ANALYTICS_PING_INTERVAL can be used to specify the duration (in hours)
# for periodic ping events sent to Google Analytics. Default is 24 hours.
- name: OPENEBS_IO_ANALYTICS_PING_INTERVAL
value: "{{ .Values.analytics.pingInterval }}"
- name: OPENEBS_IO_INSTALLER_TYPE
value: "charts-helm"
# OPENEBS_IO_INSTALL_CRD environment variable is used to enable/disable CRD installation
# from Maya API server. By default the CRDs will be installed
- name: OPENEBS_IO_INSTALL_CRD
value: "{{ .Values.crd.enableInstall }}"
livenessProbe:
exec:
command:
- /bin/sh
- -c
- /usr/local/bin/mayactl -m $MY_POD_IP version
initialDelaySeconds: {{ .Values.apiserver.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.apiserver.healthCheck.periodSeconds }}
{{- if .Values.apiserver.nodeSelector }}
nodeSelector:
{{ toYaml .Values.apiserver.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.apiserver.tolerations }}
tolerations:
{{ toYaml .Values.apiserver.tolerations | indent 8 }}
{{- end }}
{{- if .Values.apiserver.affinity }}
affinity:
{{ toYaml .Values.apiserver.affinity | indent 8 }}
{{- end }}
{{- end }}
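Review bot: `OPENEBS_IO_ENABLE_ANALYTICS` and `OPENEBS_IO_ANALYTICS_PING_INTERVAL` make the apiserver send usage events to Google Analytics whenever `.Values.analytics.enabled` is true, and the values file that sets that default is not part of this section, so whether the deployment opts in by default cannot be confirmed from here. For a deployment that must not emit telemetry, set `analytics.enabled: false` explicitly in the chart's values and let any egress policy for the apiserver pod reflect that; a short comment next to the env entry stating the chosen default would save the next reader the same check.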


@@ -0,0 +1,115 @@
{{- if and (.Values.provisioner.enabled) (.Values.legacy.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-provisioner
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: provisioner
name: openebs-provisioner
openebs.io/component-name: openebs-provisioner
openebs.io/version: {{ .Values.release.version }}
spec:
replicas: {{ .Values.provisioner.replicas }}
strategy:
type: "Recreate"
rollingUpdate: null
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: provisioner
name: openebs-provisioner
openebs.io/component-name: openebs-provisioner
openebs.io/version: {{ .Values.release.version }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.name" . }}-provisioner
image: "{{ .Values.image.repository }}{{ .Values.provisioner.image }}:{{ .Values.provisioner.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.provisioner.resources }}
resources:
{{ toYaml .Values.provisioner.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
env:
# OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s
# based on this address. This is ignored if empty.
# This is supported for openebs provisioner version 0.5.2 onwards
#- name: OPENEBS_IO_K8S_MASTER
# value: "http://10.128.0.12:8080"
# OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s
# based on this config. This is ignored if empty.
# This is supported for openebs provisioner version 0.5.2 onwards
#- name: OPENEBS_IO_KUBE_CONFIG
# value: "/home/ubuntu/.kube/config"
# OPENEBS_NAMESPACE is the namespace that this provisioner will
# lookup to find maya api service
- name: OPENEBS_NAMESPACE
value: "{{ .Release.Namespace }}"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name,
# that provisioner should forward the volume create/delete requests.
# If not present, "maya-apiserver-service" will be used for lookup.
# This is supported for openebs provisioner version 0.5.3-RC1 onwards
- name: OPENEBS_MAYA_SERVICE_NAME
value: "{{ template "openebs.fullname" . }}-apiservice"
# LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default
# leader election is enabled.
- name: LEADER_ELECTION_ENABLED
value: "{{ .Values.provisioner.enableLeaderElection }}"
# OPENEBS_IO_JIVA_PATCH_NODE_AFFINITY is used to enable/disable setting node affinity
# to the jiva replica deployments. Default is `enabled`. The valid values are
# `enabled` and `disabled`.
- name: OPENEBS_IO_JIVA_PATCH_NODE_AFFINITY
value: "{{ .Values.provisioner.patchJivaNodeAffinity }}"
# The following values will be set as annotations to the PV object.
# Refer : https://github.com/openebs/external-storage/pull/15
#- name: OPENEBS_MONITOR_URL
# value: "{{ .Values.provisioner.monitorUrl }}"
#- name: OPENEBS_MONITOR_VOLKEY
# value: "{{ .Values.provisioner.monitorVolumeKey }}"
#- name: MAYA_PORTAL_URL
# value: "{{ .Values.provisioner.mayaPortalUrl }}"
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can't be used here with pgrep (>15 chars).A regular expression
# that matches the entire command name has to specified.
# Anchor `^` : matches any string that starts with `openebs-provis`
# `.*`: matches any string that has `openebs-provis` followed by zero or more char
livenessProbe:
exec:
command:
- sh
- -c
- test `pgrep "^openebs-provisi.*"` = 1
initialDelaySeconds: {{ .Values.provisioner.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.provisioner.healthCheck.periodSeconds }}
{{- if .Values.provisioner.nodeSelector }}
nodeSelector:
{{ toYaml .Values.provisioner.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.provisioner.tolerations }}
tolerations:
{{ toYaml .Values.provisioner.tolerations | indent 8 }}
{{- end }}
{{- if .Values.provisioner.affinity }}
affinity:
{{ toYaml .Values.provisioner.affinity | indent 8 }}
{{- end }}
{{- end }}
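Review bot: The liveness probe ``test `pgrep "^openebs-provisi.*"` = 1`` compares pgrep's output with `1`, but without `-c` pgrep prints matching PIDs rather than a count, so the probe passes only while the provisioner happens to be PID 1 and will fail on every period — restarting the pod — if an entrypoint wrapper, `shareProcessNamespace`, or a second matching process shifts the PID; the admission-webhook Deployment in this commit already uses the count form. Change it to ``- test `pgrep -c "^openebs-provisi.*"` = 1``. The comment block above the probe also says the pattern anchors on `openebs-provis` while the expression uses `openebs-provisi`; align the two.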


@@ -0,0 +1,147 @@
{{- if and (.Values.snapshotOperator.enabled) (.Values.legacy.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-snapshot-operator
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: snapshot-operator
openebs.io/component-name: openebs-snapshot-operator
openebs.io/version: {{ .Values.release.version }}
spec:
replicas: {{ .Values.snapshotOperator.replicas }}
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
strategy:
type: "Recreate"
rollingUpdate: null
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: snapshot-operator
name: openebs-snapshot-operator
openebs.io/version: {{ .Values.release.version }}
openebs.io/component-name: openebs-snapshot-operator
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.name" . }}-snapshot-controller
image: "{{ .Values.image.repository }}{{ .Values.snapshotOperator.controller.image }}:{{ .Values.snapshotOperator.controller.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.snapshotOperator.controller.resources }}
resources:
{{ toYaml .Values.snapshotOperator.controller.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
env:
# OPENEBS_IO_K8S_MASTER enables openebs snapshot controller to connect to K8s
# based on this address. This is ignored if empty.
# This is supported for openebs snapshot controller version 0.6-RC1 onwards
#- name: OPENEBS_IO_K8S_MASTER
# value: "http://10.128.0.12:8080"
# OPENEBS_IO_KUBE_CONFIG enables openebs snapshot controller to connect to K8s
# based on this config. This is ignored if empty.
# This is supported for openebs snapshot controller version 0.6-RC1 onwards
#- name: OPENEBS_IO_KUBE_CONFIG
# value: "/home/ubuntu/.kube/config"
# OPENEBS_NAMESPACE is the namespace that this snapshot controller will
# lookup to find maya api service
- name: OPENEBS_NAMESPACE
value: "{{ .Release.Namespace }}"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name,
# that snapshot controller should forward the volume snapshot requests.
# If not present, "maya-apiserver-service" will be used for lookup.
# This is supported for openebs snapshot controller version 0.6-RC1 onwards
- name: OPENEBS_MAYA_SERVICE_NAME
value: "{{ template "openebs.fullname" . }}-apiservice"
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can't be used here with pgrep (>15 chars).A regular expression
# that matches the entire command name has to specified.
# Anchor `^` : matches any string that starts with `snapshot-contro`
# `.*`: matches any string that has `snapshot-contro` followed by zero or more char
livenessProbe:
exec:
command:
- sh
- -c
- test `pgrep -c "^snapshot-contro.*"` = 1
initialDelaySeconds: {{ .Values.snapshotOperator.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.snapshotOperator.healthCheck.periodSeconds }}
- name: {{ template "openebs.name" . }}-snapshot-provisioner
image: "{{ .Values.image.repository }}{{ .Values.snapshotOperator.provisioner.image }}:{{ .Values.snapshotOperator.provisioner.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.snapshotOperator.provisioner.resources }}
resources:
{{ toYaml .Values.snapshotOperator.provisioner.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
env:
# OPENEBS_IO_K8S_MASTER enables openebs snapshot provisioner to connect to K8s
# based on this address. This is ignored if empty.
# This is supported for openebs snapshot provisioner version 0.6-RC1 onwards
#- name: OPENEBS_IO_K8S_MASTER
# value: "http://10.128.0.12:8080"
# OPENEBS_IO_KUBE_CONFIG enables openebs snapshot provisioner to connect to K8s
# based on this config. This is ignored if empty.
# This is supported for openebs snapshot provisioner version 0.6-RC1 onwards
#- name: OPENEBS_IO_KUBE_CONFIG
# value: "/home/ubuntu/.kube/config"
# OPENEBS_NAMESPACE is the namespace that this snapshot provisioner will
# lookup to find maya api service
- name: OPENEBS_NAMESPACE
value: "{{ .Release.Namespace }}"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# OPENEBS_MAYA_SERVICE_NAME provides the maya-apiserver K8s service name,
# that snapshot provisioner should forward the volume snapshot PV requests.
# If not present, "maya-apiserver-service" will be used for lookup.
# This is supported for openebs snapshot provisioner version 0.6-RC1 onwards
- name: OPENEBS_MAYA_SERVICE_NAME
value: "{{ template "openebs.fullname" . }}-apiservice"
# LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default
# leader election is enabled.
- name: LEADER_ELECTION_ENABLED
value: "{{ .Values.snapshotOperator.enableLeaderElection }}"
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can't be used here with pgrep (>15 chars).A regular expression
# that matches the entire command name has to specified.
# Anchor `^` : matches any string that starts with `snapshot-provis`
# `.*`: matches any string that has `snapshot-provis` followed by zero or more char
livenessProbe:
exec:
command:
- sh
- -c
- test `pgrep -c "^snapshot-provis.*"` = 1
initialDelaySeconds: {{ .Values.snapshotOperator.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.snapshotOperator.healthCheck.periodSeconds }}
{{- if .Values.snapshotOperator.nodeSelector }}
nodeSelector:
{{ toYaml .Values.snapshotOperator.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.snapshotOperator.tolerations }}
tolerations:
{{ toYaml .Values.snapshotOperator.tolerations | indent 8 }}
{{- end }}
{{- if .Values.snapshotOperator.affinity }}
affinity:
{{ toYaml .Values.snapshotOperator.affinity | indent 8 }}
{{- end }}
{{- end }}
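Review bot: The Deployment's `selector.matchLabels` near the top of this file uses only `app` and `release`, which is the same pair the localpv-provisioner and ndm-operator Deployments in this commit select on, so several controllers in one release have overlapping selectors; Kubernetes documents overlapping controller selectors as unsupported, even though the per-ReplicaSet `pod-template-hash` label usually keeps Deployments from claiming each other's pods. Adding `component: snapshot-operator` under `matchLabels` (the pod template already carries that label) makes the selector unique. Be aware that a Deployment selector is immutable, so anyone who has already applied this version would need a delete-and-recreate when the selector is tightened.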


@@ -0,0 +1,23 @@
{{- if and (.Values.apiserver.enabled) (.Values.legacy.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openebs.fullname" . }}-apiservice
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
openebs.io/component-name: maya-apiserver-svc
spec:
ports:
- name: api
port: {{ .Values.apiserver.ports.externalPort }}
targetPort: {{ .Values.apiserver.ports.internalPort }}
protocol: TCP
selector:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: apiserver
sessionAffinity: None
{{- end }}


@@ -0,0 +1,128 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.localprovisioner.enabled }}
{{- $localpvprovisionerValues := index .Values "localpv-provisioner" }}
{{- if not $localpvprovisionerValues.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-localpv-provisioner
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: localpv-provisioner
openebs.io/component-name: openebs-localpv-provisioner
openebs.io/version: {{ .Values.release.version }}
spec:
replicas: {{ .Values.localprovisioner.replicas }}
strategy:
type: "Recreate"
rollingUpdate: null
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: localpv-provisioner
name: openebs-localpv-provisioner
openebs.io/component-name: openebs-localpv-provisioner
openebs.io/version: {{ .Values.release.version }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.name" . }}-localpv-provisioner
image: "{{ .Values.image.repository }}{{ .Values.localprovisioner.image }}:{{ .Values.localprovisioner.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.localprovisioner.resources }}
resources:
{{ toYaml .Values.localprovisioner.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
args:
- "--bd-time-out=$(BDC_BD_BIND_RETRIES)"
env:
# OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s
# based on this address. This is ignored if empty.
# This is supported for openebs provisioner version 0.5.2 onwards
#- name: OPENEBS_IO_K8S_MASTER
# value: "http://10.128.0.12:8080"
# OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s
# based on this config. This is ignored if empty.
# This is supported for openebs provisioner version 0.5.2 onwards
#- name: OPENEBS_IO_KUBE_CONFIG
# value: "/home/ubuntu/.kube/config"
# This sets the number of times the provisioner should try
# with a polling interval of 5 seconds, to get the Blockdevice
# Name from a BlockDeviceClaim, before the BlockDeviceClaim
# is deleted. E.g. 12 * 5 seconds = 60 seconds timeout
- name: BDC_BD_BIND_RETRIES
value: "{{ .Values.localprovisioner.waitForBDBindTimeoutRetryCount }}"
# OPENEBS_NAMESPACE is the namespace that this provisioner will
# lookup to find maya api service
- name: OPENEBS_NAMESPACE
value: "{{ .Release.Namespace }}"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as
# environment variable
- name: OPENEBS_SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
# OPENEBS_IO_BASE_PATH is the environment variable that provides the
# default base path on the node where host-path PVs will be provisioned.
- name: OPENEBS_IO_ENABLE_ANALYTICS
value: "{{ .Values.analytics.enabled }}"
- name: OPENEBS_IO_BASE_PATH
value: "{{ .Values.localprovisioner.basePath }}"
- name: OPENEBS_IO_HELPER_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.helper.image }}:{{ .Values.helper.imageTag }}"
- name: OPENEBS_IO_INSTALLER_TYPE
value: "charts-helm"
# LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default
# leader election is enabled.
- name: LEADER_ELECTION_ENABLED
value: "{{ .Values.localprovisioner.enableLeaderElection }}"
{{- if .Values.imagePullSecrets }}
- name: OPENEBS_IO_IMAGE_PULL_SECRETS
value: "{{- range $.Values.imagePullSecrets }}{{ .name }},{{- end }}"
{{- end }}
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can't be used here with pgrep (>15 chars).A regular expression
# that matches the entire command name has to specified.
# Anchor `^` : matches any string that starts with `provisioner-loc`
# `.*`: matches any string that has `provisioner-loc` followed by zero or more char
livenessProbe:
exec:
command:
- sh
- -c
- test `pgrep -c "^provisioner-loc.*"` = 1
initialDelaySeconds: {{ .Values.localprovisioner.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.localprovisioner.healthCheck.periodSeconds }}
{{- if .Values.localprovisioner.nodeSelector }}
nodeSelector:
{{ toYaml .Values.localprovisioner.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.localprovisioner.tolerations }}
tolerations:
{{ toYaml .Values.localprovisioner.tolerations | indent 8 }}
{{- end }}
{{- if .Values.localprovisioner.affinity }}
affinity:
{{ toYaml .Values.localprovisioner.affinity | indent 8 }}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
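Review bot: The `OPENEBS_IO_IMAGE_PULL_SECRETS` value built with `{{- range $.Values.imagePullSecrets }}{{ .name }},{{- end }}` always ends in a trailing comma, whereas the ndm-operator Deployment in the same commit joins the names with `{{ if $index }},{{ end }}`; depending on how the provisioner splits that string, the trailing separator may be read as an empty secret name, so the two templates should use the same form: `value: "{{- range $index, $secret := .Values.imagePullSecrets }}{{ if $index }},{{ end }}{{ $secret.name }}{{- end }}"`. The comment "OPENEBS_IO_BASE_PATH is the environment variable that provides the default base path" sits above `OPENEBS_IO_ENABLE_ANALYTICS` rather than above the `OPENEBS_IO_BASE_PATH` entry it describes, and that analytics flag deserves its own comment since it turns on outbound telemetry from the provisioner, with the default coming from `.Values.analytics.enabled` rather than this file. The closing `{{ end }}` lines lack the whitespace-trimming dash used everywhere else in the file and will leave blank lines in the rendered manifest; `{{- end }}` keeps the output consistent with the other templates.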


@@ -0,0 +1,40 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.localprovisioner.enabled }}
{{- $localpvprovisionerValues := index .Values "localpv-provisioner" }}
{{- if not $localpvprovisionerValues.enabled }}
# The second operand in the AND operation can be removed
# when enableDeviceClass is deprecated.
{{- if and .Values.localprovisioner.deviceClass.enabled .Values.localprovisioner.enableDeviceClass }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ .Values.localprovisioner.deviceClass.name }}
annotations:
openebs.io/cas-type: local
cas.openebs.io/config: |
- name: StorageType
value: "device"
{{- if .Values.localprovisioner.deviceClass.fsType }}
- name: FSType
value: {{ .Values.localprovisioner.deviceClass.fsType | quote }}
{{- end }}
{{- if .Values.localprovisioner.deviceClass.blockDeviceSelectors }}
- name: BlockDeviceSelectors
data:
{{ toYaml .Values.localprovisioner.deviceClass.blockDeviceSelectors | indent 10 }}
{{- end }}
{{- if .Values.localprovisioner.deviceClass.nodeAffinityLabels }}
- name: NodeAffinityLabels
list:
{{ toYaml .Values.localprovisioner.deviceClass.nodeAffinityLabels | indent 10 }}
{{- end }}
{{- if .Values.localprovisioner.deviceClass.isDefaultClass }}
storageclass.kubernetes.io/is-default-class: "true"
{{- end }}
provisioner: openebs.io/local
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: {{ .Values.localprovisioner.deviceClass.reclaimPolicy }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,49 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.localprovisioner.enabled }}
{{- $localpvprovisionerValues := index .Values "localpv-provisioner" }}
{{- if not $localpvprovisionerValues.enabled }}
# The second operand in the AND operation can be removed
# when enableHostpathClass is deprecated.
{{- if and .Values.localprovisioner.hostpathClass.enabled .Values.localprovisioner.enableHostpathClass }}
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ .Values.localprovisioner.hostpathClass.name }}
annotations:
openebs.io/cas-type: local
cas.openebs.io/config: |
- name: StorageType
value: "hostpath"
{{- if or .Values.localprovisioner.basePath .Values.localprovisioner.hostpathClass.basePath }}
- name: BasePath
value: {{ .Values.localprovisioner.hostpathClass.basePath | default .Values.localprovisioner.basePath | quote }}
{{- end }}
{{- if .Values.localprovisioner.hostpathClass.nodeAffinityLabels }}
- name: NodeAffinityLabels
list:
{{ toYaml .Values.localprovisioner.hostpathClass.nodeAffinityLabels | indent 10 }}
{{- end }}
{{- if .Values.localprovisioner.hostpathClass.xfsQuota.enabled }}
- name: XFSQuota
enabled: "{{ .Values.localprovisioner.hostpathClass.xfsQuota.enabled }}"
data:
softLimitGrace: "{{ .Values.localprovisioner.hostpathClass.xfsQuota.softLimitGrace }}"
hardLimitGrace: "{{ .Values.localprovisioner.hostpathClass.xfsQuota.hardLimitGrace }}"
{{- end }}
{{- if .Values.localprovisioner.hostpathClass.ext4Quota.enabled }}
- name: EXT4Quota
enabled: "{{ .Values.localprovisioner.hostpathClass.ext4Quota.enabled }}"
data:
softLimitGrace: "{{ .Values.localprovisioner.hostpathClass.ext4Quota.softLimitGrace }}"
hardLimitGrace: "{{ .Values.localprovisioner.hostpathClass.ext4Quota.hardLimitGrace }}"
{{- end }}
{{- if .Values.localprovisioner.hostpathClass.isDefaultClass }}
storageclass.kubernetes.io/is-default-class: "true"
{{- end }}
provisioner: openebs.io/local
volumeBindingMode: WaitForFirstConsumer
reclaimPolicy: {{ .Values.localprovisioner.hostpathClass.reclaimPolicy }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
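Review bot: Inside the `{{- if .Values.localprovisioner.hostpathClass.xfsQuota.enabled }}` block the line `enabled: "{{ .Values.localprovisioner.hostpathClass.xfsQuota.enabled }}"` can only ever render as `"true"`, and the same holds for the `EXT4Quota` block, so the templated value adds nothing and hides the fact that the `if` is the real switch; writing `enabled: "true"` makes that explicit. A short comment on the `BasePath` entry would also help operators, since the directory it names is created on the node by the provisioner and, when both `hostpathClass.basePath` and `localprovisioner.basePath` are empty, no `BasePath` is emitted at all and the provisioner falls back to whatever `OPENEBS_IO_BASE_PATH` it was started with.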


@@ -0,0 +1,25 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.ndm.enabled }}
{{- if and .Values.ndmExporter.enabled .Values.ndmExporter.clusterExporter.metricsPort }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openebs.ndm-cluster-exporter.fullname" . }}-service
labels:
{{- include "openebs.ndm-cluster-exporter.labels" . | nindent 4 }}
spec:
clusterIP: None
ports:
- name: metrics
port: {{ .Values.ndmExporter.clusterExporter.metricsPort }}
targetPort: {{ .Values.ndmExporter.clusterExporter.metricsPort }}
selector:
{{- with .Values.ndmExporter.clusterExporter.podLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
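Review bot: The `selector` block renders `podLabels` with a bare `{{ toYaml . }}`, which emits the map at whatever column the template line sits on and does not re-indent continuation lines, so the manifest is only valid while `podLabels` is a single key; a second label would land at the wrong indentation and break the YAML. The indent-aware form `{{- toYaml . | nindent 4 }}` placed directly after `selector:` handles any number of labels. The same pattern appears in the node-exporter Service of this commit.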


@@ -0,0 +1,53 @@
{{- if not .Values.mayastor.enabled -}}
{{- if and (.Values.ndm.enabled) (.Values.ndmExporter.enabled) }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.ndm-cluster-exporter.fullname" . }}
labels:
{{- include "openebs.ndm-cluster-exporter.labels" . | nindent 4 }}
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
{{- include "openebs.ndm-cluster-exporter.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "openebs.ndm-cluster-exporter.labels" . | nindent 8 }}
{{- with .Values.ndmExporter.clusterExporter.podLabels }}
{{ toYaml . }}
{{- end }}
spec:
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.ndm-cluster-exporter.fullname" . }}
image: "{{ .Values.ndmExporter.image.registry }}{{ .Values.ndmExporter.image.repository }}:{{ .Values.ndmExporter.image.tag }}"
command:
- /usr/local/bin/exporter
args:
- "start"
- "--mode=cluster"
- "--port=$(METRICS_LISTEN_PORT)"
- "--metrics=/metrics"
ports:
- containerPort: {{ .Values.ndmExporter.clusterExporter.metricsPort }}
protocol: TCP
name: metrics
imagePullPolicy: {{ .Values.ndmExporter.image.pullPolicy }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.ndmExporter.clusterExporter.metricsPort }}
- name: METRICS_LISTEN_PORT
value: :{{ .Values.ndmExporter.clusterExporter.metricsPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
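Review bot: This Deployment is the only workload in the commit that sets no `resources` block, while every other Deployment and the NDM DaemonSet take `{{ .Values.<component>.resources }}`; an unbounded exporter on a shared cluster can consume memory without limit, so a `{{- if .Values.ndmExporter.clusterExporter.resources }}` guarded block would make it consistent with its siblings. The `podLabels` map under the pod template is rendered with a bare `{{ toYaml . }}`, which breaks indentation as soon as the map has more than one key; `{{- toYaml . | nindent 8 }}` is the safe form. `METRICS_LISTEN_PORT` is rendered as `:{{ port }}`, i.e. bound on all interfaces, which is normal for a Prometheus target but worth a one-line comment noting that the endpoint carries no authentication and is reachable cluster-wide through the headless Service.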


@@ -0,0 +1,50 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.ndm.enabled }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
# This is the node-disk-manager related config.
# It can be used to customize the disks probes and filters
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "openebs.fullname" . }}-ndm-config
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: ndm-config
openebs.io/component-name: ndm-config
data:
# udev-probe is default or primary probe which should be enabled to run ndm
# filterconfigs contains configs of filters - in the form of include
# and exclude comma separated strings
node-disk-manager.config: |
probeconfigs:
- key: udev-probe
name: udev probe
state: true
- key: seachest-probe
name: seachest probe
state: {{ .Values.ndm.probes.enableSeachest }}
- key: smart-probe
name: smart probe
state: true
filterconfigs:
- key: os-disk-exclude-filter
name: os disk exclude filter
state: {{ .Values.ndm.filters.enableOsDiskExcludeFilter }}
exclude: "{{ .Values.ndm.filters.osDiskExcludePaths }}"
- key: vendor-filter
name: vendor filter
state: {{ .Values.ndm.filters.enableVendorFilter }}
include: ""
exclude: "{{ .Values.ndm.filters.excludeVendors }}"
- key: path-filter
name: path filter
state: {{ .Values.ndm.filters.enablePathFilter }}
include: "{{ .Values.ndm.filters.includePaths }}"
exclude: "{{ .Values.ndm.filters.excludePaths }}"
{{- end }}
{{- end }}
{{- end }}

View File

@@ -0,0 +1,188 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.ndm.enabled }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "openebs.fullname" . }}-ndm
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: ndm
openebs.io/component-name: ndm
openebs.io/version: {{ .Values.release.version }}
spec:
updateStrategy:
type: "RollingUpdate"
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: ndm
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: ndm
openebs.io/component-name: ndm
name: openebs-ndm
openebs.io/version: {{ .Values.release.version }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
hostNetwork: true
# host PID is used to check status of iSCSI Service when the NDM
# API service is enabled
{{- if .Values.featureGates.enabled }}
{{- if .Values.featureGates.APIService.enabled }}
hostPID: true
{{- end}}
{{- end}}
containers:
- name: {{ template "openebs.name" . }}-ndm
image: "{{ .Values.image.repository }}{{ .Values.ndm.image }}:{{ .Values.ndm.imageTag }}"
args:
- -v=4
{{- if .Values.featureGates.enabled }}
{{- if .Values.featureGates.GPTBasedUUID.enabled }}
- --feature-gates={{ .Values.featureGates.GPTBasedUUID.featureGateFlag }}
{{- end}}
{{- if .Values.featureGates.APIService.enabled }}
- --feature-gates={{ .Values.featureGates.APIService.featureGateFlag }}
- --api-service-address={{ .Values.featureGates.APIService.address }}
{{- end}}
{{- if .Values.featureGates.UseOSDisk.enabled }}
- --feature-gates={{ .Values.featureGates.UseOSDisk.featureGateFlag }}
{{- end}}
{{- if .Values.featureGates.ChangeDetection.enabled }}
- --feature-gates={{ .Values.featureGates.ChangeDetection.featureGateFlag }}
{{- end}}
{{- if .Values.featureGates.PartitionTableUUID.enabled }}
- --feature-gates={{ .Values.featureGates.PartitionTableUUID.featureGateFlag }}
{{- end}}
{{- end}}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.ndm.resources }}
resources:
{{ toYaml .Values.ndm.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
securityContext:
privileged: true
env:
# namespace in which NDM is installed will be passed to NDM Daemonset
# as environment variable
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# pass hostname as env variable using downward API to the NDM container
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
{{- if .Values.ndm.sparse }}
{{- if .Values.ndm.sparse.path }}
# specify the directory where the sparse files need to be created.
# if not specified, then sparse files will not be created.
- name: SPARSE_FILE_DIR
value: "{{ .Values.ndm.sparse.path }}"
{{- end }}
{{- if .Values.ndm.sparse.size }}
# Size(bytes) of the sparse file to be created.
- name: SPARSE_FILE_SIZE
value: "{{ .Values.ndm.sparse.size }}"
{{- end }}
{{- if .Values.ndm.sparse.count }}
# Specify the number of sparse files to be created
- name: SPARSE_FILE_COUNT
value: "{{ .Values.ndm.sparse.count }}"
{{- end }}
{{- end }}
# Process name used for matching is limited to the 15 characters
# present in the pgrep output.
# So fullname can be used here with pgrep (cmd is < 15 chars).
livenessProbe:
exec:
command:
- pgrep
- "ndm"
initialDelaySeconds: {{ .Values.ndm.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.ndm.healthCheck.periodSeconds }}
volumeMounts:
- name: config
mountPath: /host/node-disk-manager.config
subPath: node-disk-manager.config
readOnly: true
- name: udev
mountPath: /run/udev
- name: procmount
mountPath: /host/proc
readOnly: true
- name: devmount
mountPath: /dev
- name: basepath
mountPath: /var/openebs/ndm
{{- if .Values.ndm.sparse }}
{{- if .Values.ndm.sparse.path }}
- name: sparsepath
mountPath: {{ .Values.ndm.sparse.path }}
{{- end }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "openebs.fullname" . }}-ndm-config
- name: udev
hostPath:
path: /run/udev
type: Directory
# mount /proc (to access mount file of process 1 of host) inside container
# to read mount-point of disks and partitions
- name: procmount
hostPath:
path: /proc
type: Directory
# the /dev directory is mounted so that we have access to the devices that
# are connected at runtime of the pod.
- name: devmount
hostPath:
path: /dev
type: Directory
- name: basepath
hostPath:
path: "{{ .Values.varDirectoryPath.baseDir }}/ndm"
type: DirectoryOrCreate
{{- if .Values.ndm.sparse }}
{{- if .Values.ndm.sparse.path }}
- name: sparsepath
hostPath:
path: {{ .Values.ndm.sparse.path }}
{{- end }}
{{- end }}
# By default the node-disk-manager will be run on all kubernetes nodes
# If you would like to limit this to only some nodes, say the nodes
# that have storage attached, you could label those node and use
# nodeSelector.
#
# e.g. label the storage nodes with - "openebs.io/nodegroup"="storage-node"
# kubectl label node <node-name> "openebs.io/nodegroup"="storage-node"
#nodeSelector:
# "openebs.io/nodegroup": "storage-node"
{{- if .Values.ndm.nodeSelector }}
nodeSelector:
{{ toYaml .Values.ndm.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.ndm.tolerations }}
tolerations:
{{ toYaml .Values.ndm.tolerations | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
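Review bot: The `sparsepath` hostPath volume near the end of the pod spec is the only hostPath here without a `type:`, and both `mountPath: {{ .Values.ndm.sparse.path }}` and `path: {{ .Values.ndm.sparse.path }}` are rendered unquoted; a value containing `:` or starting with a YAML indicator would break the manifest, and without a `type` the kubelet performs no check on what it mounts, so `type: DirectoryOrCreate` and `{{ .Values.ndm.sparse.path | quote }}` on both lines would match the other volumes. This pod runs `privileged: true` with `hostNetwork: true`, optional `hostPID: true`, and writable mounts of `/dev` and `/run/udev` on every node the DaemonSet lands on; that is inherent to NDM's job, but the only hint of why is the `hostPID` comment, so a comment above `securityContext` such as `# privileged + host namespaces are required to probe and claim raw block devices; scope with nodeSelector to storage nodes` would make the trade-off visible to reviewers. The `--feature-gates=` argument is emitted once per enabled gate; if the flag parser keeps only the last occurrence, earlier gates are silently dropped, which is worth confirming against the NDM binary or collapsing into a single comma-joined flag.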


@@ -0,0 +1,93 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.ndmOperator.enabled }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "openebs.fullname" . }}-ndm-operator
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
component: ndm-operator
openebs.io/component-name: ndm-operator
openebs.io/version: {{ .Values.release.version }}
name: ndm-operator
spec:
replicas: {{ .Values.ndmOperator.replicas }}
strategy:
type: "Recreate"
rollingUpdate: null
selector:
matchLabels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
template:
metadata:
labels:
app: {{ template "openebs.name" . }}
release: {{ .Release.Name }}
component: ndm-operator
name: ndm-operator
openebs.io/component-name: ndm-operator
openebs.io/version: {{ .Values.release.version }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.fullname" . }}-ndm-operator
image: "{{ .Values.image.repository }}{{ .Values.ndmOperator.image }}:{{ .Values.ndmOperator.imageTag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.ndmOperator.resources }}
resources:
{{ toYaml .Values.ndmOperator.resources | trimSuffix "\n" | indent 10 }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: 8585
initialDelaySeconds: {{ .Values.ndmOperator.healthCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.ndmOperator.healthCheck.periodSeconds }}
readinessProbe:
httpGet:
path: /readyz
port: 8585
initialDelaySeconds: {{ .Values.ndmOperator.readinessCheck.initialDelaySeconds }}
periodSeconds: {{ .Values.ndmOperator.readinessCheck.periodSeconds }}
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: SERVICE_ACCOUNT
valueFrom:
fieldRef:
fieldPath: spec.serviceAccountName
- name: OPERATOR_NAME
value: "node-disk-operator"
- name: CLEANUP_JOB_IMAGE
value: "{{ .Values.image.repository }}{{ .Values.helper.image }}:{{ .Values.helper.imageTag }}"
{{- if .Values.imagePullSecrets }}
- name: OPENEBS_IO_IMAGE_PULL_SECRETS
value: "{{- range $index, $secret := .Values.imagePullSecrets}}{{if $index}},{{end}}{{ $secret.name }}{{- end}}"
{{- end }}
{{- if .Values.ndmOperator.nodeSelector }}
nodeSelector:
{{ toYaml .Values.ndmOperator.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.ndmOperator.tolerations }}
tolerations:
{{ toYaml .Values.ndmOperator.tolerations | indent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
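Review bot: `CLEANUP_JOB_IMAGE` hands the operator an image reference built from a mutable tag, and the `SERVICE_ACCOUNT` env alongside it suggests the operator launches cleanup Jobs under the same service account as itself, so a tag rewrite in the registry would run arbitrary code with this chart's RBAC; at minimum a comment above that entry should state that `helper.imageTag` is trusted and recommend pinning it by digest. The liveness and readiness probes hard-code `port: 8585` while every other timing knob in the block comes from values; exposing it as `{{ .Values.ndmOperator.healthCheck.port | default 8585 }}` keeps the probe in step with any change to the operator's listen address. `metadata.labels` also repeats `name: ndm-operator` alongside `component: ndm-operator`, which duplicates information already carried by the other labels.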


@@ -0,0 +1,25 @@
{{- if not .Values.mayastor.enabled -}}
{{- if .Values.ndm.enabled }}
{{- if and .Values.ndmExporter.enabled .Values.ndmExporter.nodeExporter.metricsPort }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "openebs.ndm-node-exporter.fullname" . }}-service
labels:
{{- include "openebs.ndm-node-exporter.labels" . | nindent 4 }}
spec:
clusterIP: None
ports:
- name: metrics
port: {{ .Values.ndmExporter.nodeExporter.metricsPort }}
targetPort: {{ .Values.ndmExporter.nodeExporter.metricsPort }}
selector:
{{- with .Values.ndmExporter.nodeExporter.podLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
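Review bot: As in the cluster-exporter Service, the `selector` is rendered with a bare `{{ toYaml . }}`, which only produces valid YAML while `nodeExporter.podLabels` holds a single key; `{{- toYaml . | nindent 4 }}` directly under `selector:` works for any number of labels. Since the Service is headless (`clusterIP: None`), a mis-rendered selector would not fail loudly but would simply return no endpoints.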


@@ -0,0 +1,54 @@
{{- if not .Values.mayastor.enabled -}}
{{- if and .Values.ndm.enabled .Values.ndmExporter.enabled }}
{{- $ndmValues := index .Values "openebs-ndm" }}
{{- if not $ndmValues.enabled }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ template "openebs.ndm-node-exporter.fullname" . }}
labels:
{{- include "openebs.ndm-node-exporter.labels" . | nindent 4 }}
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
{{- include "openebs.ndm-node-exporter.matchLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "openebs.ndm-node-exporter.labels" . | nindent 8 }}
{{- with .Values.ndmExporter.nodeExporter.podLabels }}
{{ toYaml . }}
{{- end }}
spec:
serviceAccountName: {{ template "openebs.serviceAccountName" . }}
containers:
- name: {{ template "openebs.ndm-node-exporter.fullname" . }}
image: "{{ .Values.ndmExporter.image.registry }}{{ .Values.ndmExporter.image.repository }}:{{ .Values.ndmExporter.image.tag }}"
command:
- /usr/local/bin/exporter
args:
- "start"
- "--mode=node"
- "--port=$(METRICS_LISTEN_PORT)"
- "--metrics=/metrics"
ports:
- containerPort: {{ .Values.ndmExporter.nodeExporter.metricsPort }}
protocol: TCP
name: metrics
imagePullPolicy: {{ .Values.ndmExporter.image.pullPolicy }}
securityContext:
privileged: true
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.ndmExporter.nodeExporter.metricsPort }}
- name: METRICS_LISTEN_PORT
value: :{{ .Values.ndmExporter.nodeExporter.metricsPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
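Review bot: The node exporter container sets `securityContext: privileged: true` with no comment, and unlike the NDM DaemonSet it mounts no host paths and does not enable `hostNetwork`, so it is not clear from this file what the privilege is for; a metrics exporter running as root with every capability on every node is a sizeable attack surface for a component whose only declared job is serving `/metrics`. If it needs raw device access for SMART data (not visible here), a comment stating that and a scoped alternative (`capabilities: add: [SYS_RAWIO]` plus the specific `/dev` mount) would be preferable to blanket privilege. The container also has no `resources` block, unlike the other node-level workloads in this chart.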


@@ -0,0 +1,14 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "openebs.fullname" . }}-psp
labels:
app: {{ template "openebs.name" . }}
rules:
- apiGroups: ['extensions']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ template "openebs.fullname" . }}-psp
{{- end }}
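Review bot: The rule grants `use` on `podsecuritypolicies` in the `extensions` API group, but PSP moved to the `policy` group and the `extensions` variant was removed in Kubernetes 1.16, so on any cluster that still enforces PSP the binding grants nothing and the privileged NDM pods would be rejected; the rule should read `- apiGroups: ['policy']`. PodSecurityPolicy itself was removed in 1.25, so `rbac.pspEnabled` should either default to false or the template should be guarded with `{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}` so the chart does not fail to install on current clusters.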


@@ -0,0 +1,17 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "openebs.fullname" . }}-psp
labels:
app: {{ template "openebs.name" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "openebs.fullname" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ template "openebs.serviceAccountName" . }}
namespace: {{ $.Release.Namespace }}
{{- end }}


@@ -0,0 +1,28 @@
{{- if and .Values.rbac.create .Values.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ template "openebs.fullname" . }}-psp
namespace: {{ $.Release.Namespace }}
labels:
app: {{ template "openebs.name" . }}
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities: ['*']
volumes: ['*']
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
{{- end }}
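Review bot: This PodSecurityPolicy allows everything at once (`privileged`, `allowedCapabilities: ['*']`, `volumes: ['*']`, `hostNetwork`, `hostIPC`, `hostPID`, all host ports, `RunAsAny` everywhere), and it is bound to the single service account that every component in the chart runs under, so the localpv provisioner and operators get the same unrestricted policy as NDM. Nothing in this commit sets `hostIPC`, and no template uses `hostPort`, so `hostIPC: true` and the `hostPorts` range could be dropped without breaking any workload, with a comment explaining that the remaining settings exist for the NDM DaemonSet. `namespace: {{ $.Release.Namespace }}` on a PodSecurityPolicy is ignored because the resource is cluster-scoped, and `policy/v1beta1` no longer exists on Kubernetes 1.25+, so the same API-capability guard suggested for the ClusterRole applies here.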


@@ -0,0 +1,11 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "openebs.serviceAccountName" . }}
labels:
app: {{ template "openebs.name" . }}
chart: {{ template "openebs.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- end }}
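Review bot: This is the only ServiceAccount in the commit, and every Deployment and DaemonSet added here sets `serviceAccountName: {{ template "openebs.serviceAccountName" . }}`, so the privileged NDM DaemonSet, the metrics exporters and the provisioners all share one identity and therefore one set of RBAC grants; a compromised exporter pod would hold the same API permissions as the operator. A per-component service account (or at least separating the node-level privileged workloads from the controllers) is the least-privilege shape, and until then a comment on this resource such as `# shared by all OpenEBS components; grants applied to it reach every pod in the chart` makes the blast radius explicit. Consider also setting `automountServiceAccountToken` explicitly on the account so that any future pod template that does not need the API does not silently receive a token.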