diff --git a/.gitignore b/.gitignore index f6ff082..705eab5 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ /jsonnetfile.lock.json /crds /compiled +/helm_values # Antora /_archive diff --git a/Makefile b/Makefile index 696a2e9..1369a0d 100644 --- a/Makefile +++ b/Makefile @@ -81,4 +81,4 @@ $(test_instances): .PHONY: clean clean: ## Clean the project - rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true + rm -rf .cache compiled dependencies vendor helmcharts helm_values jsonnetfile*.json || true diff --git a/Makefile.vars.mk b/Makefile.vars.mk index 281fdc9..1808b17 100644 --- a/Makefile.vars.mk +++ b/Makefile.vars.mk @@ -5,7 +5,7 @@ git_dir ?= $(shell git rev-parse --git-common-dir) compiled_path ?= compiled/$(COMPONENT_NAME)/$(COMPONENT_NAME) root_volume ?= -v "$${PWD}:/$(COMPONENT_NAME)" compiled_volume ?= -v "$${PWD}/$(compiled_path):/$(COMPONENT_NAME)" -commodore_args ?= --search-paths . -n $(COMPONENT_NAME) +commodore_args ?= --search-paths ./dependencies --search-paths . -n $(COMPONENT_NAME) ifneq "$(git_dir)" ".git" git_volume ?= -v "$(git_dir):$(git_dir):ro" @@ -50,4 +50,4 @@ KUBENT_IMAGE ?= ghcr.io/doitintl/kube-no-trouble:latest KUBENT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE) instance ?= defaults -test_instances = tests/defaults.yml +test_instances = tests/defaults.yml tests/cloud-config.yml diff --git a/class/cloud-provider-openstack.yml b/class/cloud-provider-openstack.yml index 85ed60f..7cef558 100644 --- a/class/cloud-provider-openstack.yml +++ b/class/cloud-provider-openstack.yml 
@@ -1,10 +1,59 @@ parameters: + _os_ccm_chart: + "True": + input_paths: + - ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + input_type: helm + helm_params: + name: openstack-ccm + namespace: ${cloud_provider_openstack:namespace:name} + helm_values_files: + - ${_base_directory}/helm_values/ccm-values.yaml + output_path: cloud-provider-openstack/10_ccm_helm_chart + "False": + input_type: jsonnet + input_paths: [] + output_path: cloud-provider-openstack/ + + _os_csi_chart: + "True": + input_paths: + - ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} + input_type: helm + helm_params: + name: cinder-csi + namespace: ${cloud_provider_openstack:namespace:name} + helm_values_files: + - ${_base_directory}/helm_values/csi-values.yaml + output_path: cloud-provider-openstack/20_csi_helm_chart + "False": + input_type: jsonnet + input_paths: [] + output_path: cloud-provider-openstack/ + kapitan: + dependencies: + - type: helm + source: ${cloud_provider_openstack:charts:openstack-cloud-controller-manager:source} + version: ${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + chart_name: openstack-cloud-controller-manager + output_path: ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + - type: helm + source: ${cloud_provider_openstack:charts:openstack-cinder-csi:source} + version: ${cloud_provider_openstack:charts:openstack-cinder-csi:version} + chart_name: openstack-cinder-csi + output_path: ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} compile: - input_paths: - ${_base_directory}/component/app.jsonnet input_type: jsonnet output_path: . 
+ - input_paths: + - ${_base_directory}/component/render-helm-values.jsonnet + input_type: jsonnet + output_path: ${_base_directory}/helm_values/ + - ${_os_ccm_chart:${cloud_provider_openstack:ccm:enabled}} + - ${_os_csi_chart:${cloud_provider_openstack:csi:enabled}} - input_paths: - ${_base_directory}/component/main.jsonnet input_type: jsonnet diff --git a/class/defaults.yml b/class/defaults.yml index ba9d1a6..73c29f6 100644 --- a/class/defaults.yml +++ b/class/defaults.yml 
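Review bot: The helm entries selected through `${_os_ccm_chart:...}` and `${_os_csi_chart:...}` read `${_base_directory}/helm_values/ccm-values.yaml` and `csi-values.yaml`, which only exist once the preceding `render-helm-values.jsonnet` entry has written them, so the position of that entry in the `compile` list is load-bearing but nothing in the class says so. Kapitan appears to process `compile` entries in list order, which is what this relies on; anyone reordering the entries later gets a missing-file error at compile time with no hint why. Add a comment above the render entry, e.g. `# Must stay before the helm entries below: they read the values files this step writes to helm_values/.` The `"False"` branches of `_os_ccm_chart` / `_os_csi_chart` emit a jsonnet entry with empty `input_paths`, which is presumably a no-op placeholder for the disabled case — a one-line comment on each saying so would spare the next reader the same guess.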
@@ -2,4 +2,168 @@ parameters: cloud_provider_openstack: =_metadata: multi_tenant: true - namespace: syn-cloud-provider-openstack + namespace: + name: syn-cloud-provider-openstack + labels: {} + annotations: {} + + charts: + openstack-cloud-controller-manager: + source: https://kubernetes.github.io/cloud-provider-openstack + version: "2.35.0" + openstack-cinder-csi: + source: https://kubernetes.github.io/cloud-provider-openstack + version: "2.35.0" + + images: + openstack_cloud_controller_manager: + registry: registry.k8s.io + repository: provider-os/openstack-cloud-controller-manager + tag: v1.35.0 + cinder_csi_plugin: + registry: registry.k8s.io + repository: provider-os/cinder-csi-plugin + tag: v1.35.0 + + cloud_config_secret_name: cloud-config + + cloud_conf: + global: {} + networking: {} + load_balancer: {} + load_balancer_classes: {} + block_storage: {} + metadata: {} + route: {} + + ccm: + enabled: true + cluster_name: ${cluster:name} + service_account_name: cloud-controller-manager + resources: + requests: + cpu: 50m + memory: 64Mi + enabled_controllers: + - cloud-node + - cloud-node-lifecycle + - service + log_verbosity_level: 2 + node_selector: + node-role.kubernetes.io/control-plane: "" + tolerations: + node.cloudprovider.kubernetes.io/uninitialized: + value: "true" + effect: NoSchedule + node-role.kubernetes.io/control-plane: + effect: NoSchedule + service_monitor: + enabled: false + additionalLabels: {} + extra_volumes: [] + extra_volume_mounts: [] + helm_values: + secret: + enabled: true + create: false + name: ${cloud_provider_openstack:cloud_config_secret_name} + cluster: + name: ${cloud_provider_openstack:ccm:cluster_name} + serviceAccountName: ${cloud_provider_openstack:ccm:service_account_name} + image: + repository: ${cloud_provider_openstack:images:openstack_cloud_controller_manager:registry}/${cloud_provider_openstack:images:openstack_cloud_controller_manager:repository} + tag: 
${cloud_provider_openstack:images:openstack_cloud_controller_manager:tag} + resources: ${cloud_provider_openstack:ccm:resources} + logVerbosityLevel: ${cloud_provider_openstack:ccm:log_verbosity_level} + nodeSelector: ${cloud_provider_openstack:ccm:node_selector} + serviceMonitor: ${cloud_provider_openstack:ccm:service_monitor} + extraVolumes: ${cloud_provider_openstack:ccm:extra_volumes} + extraVolumeMounts: ${cloud_provider_openstack:ccm:extra_volume_mounts} + + csi: + enabled: true + cluster_id: ${cluster:name} + fs_type: ext4 + volume_binding_mode: WaitForFirstConsumer + log_verbosity_level: 2 + pod_monitor: + enabled: false + additionalLabels: {} + controller_plugin: + node_selector: + node-role.kubernetes.io/control-plane: "" + tolerations: + node-role.kubernetes.io/control-plane: + effect: NoSchedule + node_plugin: + tolerations: + "": + operator: Exists + resources: + controller: + csi-provisioner: + requests: + cpu: 20m + memory: 32Mi + csi-attacher: + requests: + cpu: 20m + memory: 32Mi + csi-resizer: + requests: + cpu: 20m + memory: 32Mi + csi-snapshotter: + requests: + cpu: 20m + memory: 32Mi + cinder-csi-plugin: + requests: + cpu: 20m + memory: 64Mi + node: + node-driver-registrar: + requests: + cpu: 20m + memory: 32Mi + cinder-csi-plugin: + requests: + cpu: 20m + memory: 64Mi + storage_classes: {} + volume_snapshot_classes: {} + helm_values: + secret: + enabled: true + create: false + hostMount: false + name: ${cloud_provider_openstack:cloud_config_secret_name} + clusterID: ${cloud_provider_openstack:csi:cluster_id} + logVerbosityLevel: ${cloud_provider_openstack:csi:log_verbosity_level} + storageClass: + enabled: false + csi: + provisioner: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-provisioner} + attacher: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-attacher} + resizer: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-resizer} + snapshotter: + resources: 
${cloud_provider_openstack:csi:resources:controller:csi-snapshotter} + nodeDriverRegistrar: + resources: ${cloud_provider_openstack:csi:resources:node:node-driver-registrar} + plugin: + image: + repository: ${cloud_provider_openstack:images:cinder_csi_plugin:registry}/${cloud_provider_openstack:images:cinder_csi_plugin:repository} + tag: ${cloud_provider_openstack:images:cinder_csi_plugin:tag} + volumes: [] + volumeMounts: + - name: cloud-config + mountPath: /etc/config + readOnly: true + resources: ${cloud_provider_openstack:csi:resources:controller:cinder-csi-plugin} + httpEndpoint: + enabled: ${cloud_provider_openstack:csi:pod_monitor:enabled} + port: 8080 + podMonitor: ${cloud_provider_openstack:csi:pod_monitor} diff --git a/component/main.jsonnet b/component/main.jsonnet index 6884ac2..b38502c 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet 
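Review bot: `csi.helm_values.csi.plugin.volumeMounts` hard-codes a mount of a volume named `cloud-config` at `/etc/config` while `volumes` is set to `[]`, so the mount only resolves if the chart itself injects a volume with exactly that name (presumably when `secret.enabled` is true) — that coupling is invisible here, and the node plugin will fail to start if the chart's volume naming changes or a user overrides `volumes`. A comment next to `volumeMounts` stating the assumption would help, e.g. `# the "cloud-config" volume is expected to be added by the chart when secret.enabled is true; keep the mount name in sync`. Separately, `charts.*.version: "2.35.0"` and `images.*.tag: v1.35.0` are pinned independently even though the chart minor appears to track the application minor; a comment that the two blocks must be bumped together would prevent silent drift on the next upgrade.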
@@ -1,10 +1,109 @@ -// main template for cloud-provider-openstack local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; +local sc = import 'lib/storageclass.libsonnet'; + local inv = kap.inventory(); -// The hiera parameters for the component local params = inv.parameters.cloud_provider_openstack; -// Define outputs below +local renderValue(k, v) = + if v == null then [] + else if std.isArray(v) then + [ '%s=%s' % [ k, item ] for item in v if item != null ] + else if std.isObject(v) then + error 'cloud_conf value for key "%s" must be scalar or array, got object' % k + else + [ '%s=%s' % [ k, v ] ]; + +local renderSection(name, dict) = + local lines = std.flattenArrays( + [ renderValue(k, dict[k]) for k in std.objectFields(dict) ] + ); + if std.length(lines) == 0 then [] + else [ '[%s]' % name ] + lines + [ '' ]; + +local renderLBClasses(classes) = + std.flattenArrays([ + renderSection('LoadBalancerClass "%s"' % cls, classes[cls]) + for cls in std.objectFields(classes) + if std.length(std.objectFields(classes[cls])) > 0 + ]); + +local renderCloudConf() = + std.join( + '\n', + renderSection('Global', params.cloud_conf.global) + + renderSection('Networking', params.cloud_conf.networking) + + renderSection('LoadBalancer', params.cloud_conf.load_balancer) + + renderLBClasses(params.cloud_conf.load_balancer_classes) + + renderSection('BlockStorage', params.cloud_conf.block_storage) + + renderSection('Metadata', params.cloud_conf.metadata) + + renderSection('Route', params.cloud_conf.route) + ); + +local secret = kube.Secret(params.cloud_config_secret_name) { + metadata+: { + namespace: params.namespace.name, + }, + data:: {}, + stringData: { + 'cloud.conf': renderCloudConf(), + }, +}; + +local scParameters(scDef) = + local base = + if params.csi.fs_type != null && params.csi.fs_type != '' + then { fsType: params.csi.fs_type } + else {}; + base + scDef.parameters; + +local storageClasses = [ + local scDef = 
params.csi.storage_classes[name]; + sc.storageClass(name) { + provisioner: 'cinder.csi.openstack.org', + reclaimPolicy: std.get(scDef, 'reclaim_policy', 'Delete'), + allowVolumeExpansion: std.get(scDef, 'allow_volume_expansion', true), + volumeBindingMode: params.csi.volume_binding_mode, + parameters: scParameters(scDef), + [if std.length(std.get(scDef, 'allowed_topologies', [])) > 0 + then 'allowedTopologies']: + scDef.allowed_topologies, + } + for name in std.objectFields(params.csi.storage_classes) +]; + +local volumeSnapshotClasses = [ + local vsc = params.csi.volume_snapshot_classes[name]; + local vscParams = std.get(vsc, 'parameters', {}); + kube._Object('snapshot.storage.k8s.io/v1', 'VolumeSnapshotClass', name) { + driver: 'cinder.csi.openstack.org', + deletionPolicy: vsc.deletion_policy, + [if std.length(vscParams) > 0 then 'parameters']: vscParams, + } + for name in std.objectFields(params.csi.volume_snapshot_classes) +]; + +local namespace = kube.Namespace(params.namespace.name) { + metadata+: { + labels+: { + [k]: params.namespace.labels[k] + for k in std.objectFields(params.namespace.labels) + if params.namespace.labels[k] != null + }, + annotations+: { + [k]: params.namespace.annotations[k] + for k in std.objectFields(params.namespace.annotations) + if params.namespace.annotations[k] != null + }, + }, +}; + { + [if params.namespace.name != 'kube-system' then '00_namespace']: namespace, + '01_secret': secret, + [if std.length(params.csi.storage_classes) > 0 then '10_storageclasses']: + storageClasses, + [if std.length(params.csi.volume_snapshot_classes) > 0 + then '10_volumesnapshotclasses']: + volumeSnapshotClasses, } diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet new file mode 100644 index 0000000..c428532 --- /dev/null +++ b/component/render-helm-values.jsonnet 
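Review bot: `scParameters` dereferences `scDef.parameters` unconditionally, while the sibling keys read in `storageClasses` (`reclaim_policy`, `allow_volume_expansion`, `allowed_topologies`) all go through `std.get` with a default, so a storage class entry that sets only `reclaim_policy` fails to compile with a field-lookup error instead of rendering `fsType` alone; change the last line of `scParameters` to `base + std.get(scDef, 'parameters', {});`. `renderValue` formats scalars with `'%s=%s'` and never inspects the value, so a string containing a newline is written into `cloud.conf` as additional lines and silently changes the INI structure, which matters because `[Global]` carries the credentials; a guard such as `else if std.isString(v) && std.member(v, '\n') then error 'cloud_conf value for key "%s" must not contain newlines' % k` ahead of the scalar branch would surface that at compile time. `renderSection` also calls `std.objectFields(dict)` directly, so a hierarchy override like `cloud_conf.route: ~` errors rather than being treated as an empty section.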
@@ -0,0 +1,36 @@ +local com = import 'lib/commodore.libjsonnet'; +local kap = import 'lib/kapitan.libjsonnet'; + +local inv = kap.inventory(); +local params = inv.parameters.cloud_provider_openstack; + +local renderTolerations(tol) = + [ + std.prune({ key: k } + tol[k]) + for k in std.objectFields(tol) + if tol[k] != null + ]; + +local ccm_values = params.ccm.helm_values { + enabledControllers: com.renderArray(params.ccm.enabled_controllers), + tolerations: renderTolerations(params.ccm.tolerations), +}; + +local csi_values = params.csi.helm_values { + csi+: { + plugin+: { + controllerPlugin: { + nodeSelector: std.prune(params.csi.controller_plugin.node_selector), + tolerations: renderTolerations(params.csi.controller_plugin.tolerations), + }, + nodePlugin: { + tolerations: renderTolerations(params.csi.node_plugin.tolerations), + }, + }, + }, +}; + +{ + 'ccm-values': ccm_values, + 'csi-values': csi_values, +} diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index 1b5a67a..cff1fea 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc 
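Review bot: In `csi_values`, `controllerPlugin:` and `nodePlugin:` are plain field definitions inside `csi+: { plugin+: { ... } }`, so they replace rather than merge whatever a user placed under `csi.plugin.controllerPlugin` / `csi.plugin.nodePlugin` through `csi.helm_values` (the documented escape hatch) — a `replicas` or `affinity` setting there is silently dropped. Change them to `controllerPlugin+: {` and `nodePlugin+: {` so the user's fields survive and only `nodeSelector`/`tolerations` are overridden. `ccm_values` is inconsistent in the opposite direction: `csi.controller_plugin.node_selector` is passed through `std.prune`, but the CCM `nodeSelector` arrives untouched via `ccm.helm_values`, so a hierarchy override that sets a `ccm.node_selector` key to `null` ends up in the values file as `null` instead of being dropped; adding `nodeSelector: std.prune(params.ccm.node_selector),` next to `tolerations` makes the two behave the same way.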
@@ -1,5 +1,10 @@ = Cloud Provider OpenStack -cloud-provider-openstack is a Commodore component to manage Cloud Provider OpenStack. +cloud-provider-openstack is a Commodore component to manage the https://github.com/kubernetes/cloud-provider-openstack[OpenStack Cloud Controller Manager] (CCM) and https://github.com/kubernetes/cloud-provider-openstack[Cinder CSI driver]. + +The CCM and CSI driver are deployed into the same namespace and share a single `cloud.conf` Secret. +Each sub-component is toggleable via the `ccm.enabled` and `csi.enabled` parameters. +The CCM handles node initialization, node lifecycle, LoadBalancer Services (via Octavia), and optionally pod routes. +The CSI driver provides persistent block storage using OpenStack Cinder volumes, with configurable StorageClasses and VolumeSnapshotClasses. See the xref:references/parameters.adoc[parameters] reference for further details. diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 2c87483..266c5bf 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
@@ -4,16 +4,637 @@ The parent key for all of the following parameters is `cloud_provider_openstack` == `namespace` +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Configures the namespace in which to deploy this component. + +=== `namespace.name` + [horizontal] type:: string default:: `syn-cloud-provider-openstack` -The namespace in which to deploy this component. +The namespace name. + +=== `namespace.labels` + +[horizontal] +type:: dictionary +default:: `{}` + +Labels applied to the namespace when the component owns it (i.e. `namespace.name != kube-system`). +Entries with value `null` (or `~`) are dropped, letting hierarchy overrides remove defaults set in a parent class. + +IMPORTANT: Both the CCM DaemonSet (`hostNetwork: true`) and the CSI node plugin (`privileged: true`, `SYS_ADMIN`, hostPath volumes for kubelet/registration/socket dirs) require the `privileged` Pod Security Standard. +On clusters that enforce https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards], set `pod-security.kubernetes.io/enforce: privileged` here or label the namespace externally, otherwise the pods will be rejected by the admission webhook. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + namespace: + labels: + pod-security.kubernetes.io/enforce: privileged +---- + +=== `namespace.annotations` + +[horizontal] +type:: dictionary +default:: `{}` + +Annotations applied to the namespace when the component owns it (i.e. `namespace.name != kube-system`). +Entries with value `null` (or `~`) are dropped. + +== `charts` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Helm chart sources and versions for both the CCM and Cinder CSI charts. 
+ +== `images` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Container images for the CCM and Cinder CSI plugin. +Each image is specified with separate `registry`, `repository`, and `tag` fields. + +== `cloud_config_secret_name` + +[horizontal] +type:: string +default:: `cloud-config` + +Name of the Kubernetes Secret which holds the rendered `cloud.conf`. +The component renders and manages this Secret itself; both charts' own Secret rendering is disabled via `secret.create: false` in `ccm.helm_values` and `csi.helm_values`. + +== `cloud_conf` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Structured input for the rendered `cloud.conf` INI file. +Each sub-section maps to an INI section. +Both the CCM and CSI driver consume this shared Secret; empty sections are suppressed. + +[IMPORTANT] +==== +Keys inside every `cloud_conf.*` dictionary must use the same *kebab-case* names as the upstream `cloud.conf` format (e.g. `auth-url`, `floating-network-id`). +The component passes keys through to the INI file as-is. +==== + +Render behavior: + +* `null` values are dropped (no line emitted). +* Boolean values render as lowercase `true`/`false`. +* List values render as multiple lines with the same key (used for multi-value keys such as `public-network-name`). +* Empty sections are suppressed entirely. 
+ +Sensitive fields (passwords, application credential secrets, tokens) can be supplied as Vault references directly in `cloud_conf.global`: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + global: + auth-url: https://identity.api.example.cloud/v3 + application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}' +---- + +=== `cloud_conf.global` + +Maps to `[Global]`. +Holds Keystone authentication endpoint, identifiers, and credentials. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#global[upstream CCM documentation] for the full list of supported keys. + +=== `cloud_conf.networking` + +Maps to `[Networking]`. +Controls how the CCM discovers node addresses. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#networking[upstream CCM documentation] for all supported keys. + +Multi-value keys (e.g. `public-network-name`) are specified as lists: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + networking: + public-network-name: + - public + - public-v6 + internal-network-name: + - internal +---- + +=== `cloud_conf.load_balancer` + +Maps to `[LoadBalancer]`. +Configures the Octavia integration used by the CCM `service` controller. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#load-balancer[upstream CCM documentation] for all supported keys. 
+ +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + load_balancer: + manage-security-groups: true + lb-provider: ovn + lb-method: SOURCE_IP_PORT + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 +---- + +=== `cloud_conf.load_balancer_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +Maps to one `[LoadBalancerClass ""]` INI section per dictionary key. +Each value is itself a dictionary of kebab-case keys following the same rendering rules. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#load-balancer[upstream CCM documentation] for supported keys per class. + +[IMPORTANT] +==== +The upstream Helm chart's `cloudConfig` template helper does *not* support `[LoadBalancerClass ""]` sub-sections. +This component renders `cloud.conf` itself, so LoadBalancerClass definitions configured here work as documented by cloud-provider-openstack. +==== + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + load_balancer_classes: + public: + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + internal: + subnet-id: b2c3d4e5-f6a7-8901-bcde-f12345678901 +---- + +Renders to: + +[source,ini] +---- +[LoadBalancerClass "public"] +floating-network-id=a1b2c3d4-e5f6-7890-abcd-ef1234567890 + +[LoadBalancerClass "internal"] +subnet-id=b2c3d4e5-f6a7-8901-bcde-f12345678901 +---- + +To use a named class on a Service, set the `loadbalancer.openstack.org/class` annotation. + +=== `cloud_conf.block_storage` + +Maps to `[BlockStorage]`. +Consumed by the Cinder CSI driver. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md#block-storage[upstream CSI documentation] for all supported keys. 
+ +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + block_storage: + ignore-volume-az: true + rescan-on-resize: true +---- + +=== `cloud_conf.metadata` + +Maps to `[Metadata]`. +Controls how the CCM and CSI driver retrieve instance metadata. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + metadata: + search-order: configDrive +---- + +=== `cloud_conf.route` + +Maps to `[Route]`. +Only needed when the `route` controller is enabled in `ccm.enabled_controllers`. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#route[upstream CCM documentation] for details. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + route: + router-id: c3d4e5f6-a7b8-9012-cdef-123456789012 +---- + +== CCM parameters + +Parameters under the `ccm` key configure the OpenStack Cloud Controller Manager. + +=== `ccm.enabled` + +[horizontal] +type:: boolean +default:: `true` + +When `false`, the CCM chart output is skipped entirely. + +=== `ccm.cluster_name` + +[horizontal] +type:: string +default:: `${cluster:name}` + +The cluster name passed to the CCM. +OpenStack uses this value to tag resources (e.g. load balancers) so they can be cleaned up if the cluster is deleted. + +=== `ccm.service_account_name` + +[horizontal] +type:: string +default:: `cloud-controller-manager` + +Name of the Kubernetes ServiceAccount used by the CCM DaemonSet. + +=== `ccm.resources` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Resource requests and limits for the CCM container. + +=== `ccm.enabled_controllers` + +[horizontal] +type:: list +default:: `[cloud-node, cloud-node-lifecycle, service]` + +List of CCM sub-controllers to enable. 
+The list is processed with `com.renderArray()`, so entries prefixed with `~` are removed. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + ccm: + enabled_controllers: + - ~service # drop the service controller + - route # add the route controller +---- + +[cols="2,5,1"] +|=== +|Controller |Purpose |Default + +|`cloud-node` +|Initializes nodes with OpenStack metadata (ProviderID, availability zone, addresses, instance type) +|Enabled +|`cloud-node-lifecycle` +|Monitors whether the underlying OpenStack instance still exists; removes the Node if the VM is deleted +|Enabled + +|`service` +|Manages LoadBalancer-type Services via Octavia +|Enabled + +|`route` +|Manages pod network routes via a Neutron router. Requires `router-id` in `cloud_conf.route`. +|Disabled +|=== + +=== `ccm.log_verbosity_level` + +[horizontal] +type:: integer +default:: `2` + +Log verbosity level passed to the CCM via `--v=`. + +=== `ccm.node_selector` + +[horizontal] +type:: dictionary +default:: `{node-role.kubernetes.io/control-plane: ""}` + +Node selector for the CCM DaemonSet. + +=== `ccm.tolerations` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Tolerations for the CCM DaemonSet, keyed by toleration key. +Defaults allow scheduling on control-plane nodes and on freshly-initialized nodes (`node.cloudprovider.kubernetes.io/uninitialized`). +Set an entry to `null` (or `~`) to drop it via hierarchy merge. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + ccm: + tolerations: + node-role.kubernetes.io/control-plane: + effect: NoSchedule + node.cloudprovider.kubernetes.io/uninitialized: ~ +---- + +=== `ccm.service_monitor` + +[horizontal] +type:: dictionary +default:: ++ +[source,yaml] +---- +enabled: false +additionalLabels: {} +---- + +Enables and configures a Prometheus Operator `ServiceMonitor` resource via the chart. 
+ +=== `ccm.extra_volumes` + +[horizontal] +type:: list +default:: `[]` + +Extra volumes to attach to the CCM DaemonSet pod spec. + +=== `ccm.extra_volume_mounts` + +[horizontal] +type:: list +default:: `[]` + +Extra volume mounts for the CCM container, paired with `ccm.extra_volumes`. + +==== Mounting a custom CA certificate + +If the OpenStack API endpoint uses a custom CA, mount the certificate via `ccm.extra_volumes` / `ccm.extra_volume_mounts` and reference it from `cloud_conf.global.ca-file`: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + global: + ca-file: /etc/cacert/ca.crt + ccm: + extra_volumes: + - name: ca-cert + secret: + secretName: openstack-ca-cert + extra_volume_mounts: + - name: ca-cert + mountPath: /etc/cacert + readOnly: true +---- + +=== `ccm.helm_values` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Escape hatch for any upstream CCM chart value not promoted to a top-level parameter. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/values.yaml[upstream `values.yaml`] for the full list. + +NOTE: The component sets `secret.create: false` and manages the `cloud.conf` Secret itself via `cloud_conf`. +Do not re-enable `secret.create`. + +== CSI parameters + +Parameters under the `csi` key configure the Cinder CSI driver. + +=== `csi.enabled` + +[horizontal] +type:: boolean +default:: `true` + +When `false`, the CSI chart output is skipped entirely. + +=== `csi.cluster_id` + +[horizontal] +type:: string +default:: `${cluster:name}` + +The cluster identifier passed to the CSI driver. + +=== `csi.fs_type` + +[horizontal] +type:: string +default:: `ext4` + +Default filesystem type for dynamically provisioned volumes. +Set to `null` to omit `fsType` from StorageClass parameters. 
+ +=== `csi.volume_binding_mode` + +[horizontal] +type:: string +default:: `WaitForFirstConsumer` + +The `volumeBindingMode` set on all StorageClasses created by this component. + +=== `csi.log_verbosity_level` + +[horizontal] +type:: integer +default:: `2` + +Log verbosity level for the CSI driver. + +=== `csi.pod_monitor` + +[horizontal] +type:: dictionary +default:: ++ +[source,yaml] +---- +enabled: false +additionalLabels: {} +---- + +Enables and configures a Prometheus Operator `PodMonitor` for the CSI driver. + +=== `csi.controller_plugin` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Scheduling config for the CSI controller plugin Deployment. +`node_selector` and `tolerations` are maps keyed by selector/toleration key; entries can be disabled by setting their value to `null`. + +=== `csi.node_plugin` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Scheduling config for the CSI node plugin DaemonSet. +`tolerations` is a map keyed by toleration key; an empty key (`""`) with `operator: Exists` tolerates all taints. + +=== `csi.resources` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Resource requests and limits for all CSI containers, organized by `controller` and `node` sub-keys. + +=== `csi.storage_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +StorageClass definitions. +No storage classes are created by default; users must define all classes explicitly. + +The default StorageClass is managed cluster-wide via https://hub.syn.tools/storageclass/[component-storageclass] using `parameters.storageclass.defaultClass`. 
+ +Each entry is keyed by the StorageClass name and supports: + +* `allow_volume_expansion` (boolean, default `true`) +* `reclaim_policy` (`Delete` or `Retain`, default `Delete`) +* `parameters` (dictionary) -- passed to the Cinder provisioner (e.g. `type: standard`) +* `allowed_topologies` (list) + +[source,yaml] +---- +parameters: + storageclass: + defaultClass: standard-delete + + cloud_provider_openstack: + csi: + storage_classes: + standard-delete: + allow_volume_expansion: true + reclaim_policy: Delete + parameters: + type: standard + performance-retain: + allow_volume_expansion: true + reclaim_policy: Retain + parameters: + type: performance +---- + +=== `csi.volume_snapshot_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +VolumeSnapshotClass definitions. + +Each entry supports: + +* `deletion_policy` (`Delete` or `Retain`) -- *required* +* `parameters` (dictionary, optional) -- passed to the Cinder snapshotter + +NOTE: VolumeSnapshotClasses require the https://github.com/kubernetes-csi/external-snapshotter[snapshot CRDs and snapshot-controller] to be installed on the cluster. + +TIP: Set `force-create: "true"` in `parameters` to allow snapshots of in-use (attached) volumes. +Without this, Cinder rejects snapshots unless the volume is detached. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + csi: + volume_snapshot_classes: + cinder-snapshot: + deletion_policy: Delete + parameters: + force-create: "true" +---- + +=== `csi.helm_values` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Escape hatch for any upstream Cinder CSI chart value not promoted to a top-level parameter. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cinder-csi/values.yaml[upstream `values.yaml`] for the full list. 
== Example +Realistic configuration using application credentials, Octavia with OVN, Cinder StorageClasses, and monitoring: + [source,yaml] ---- -namespace: example-namespace +parameters: + storageclass: + defaultClass: standard-delete + + cloud_provider_openstack: + cloud_conf: + global: + auth-url: https://identity.api.example.cloud/v3 + region: zhw + application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}' + load_balancer: + manage-security-groups: true + lb-version: v2 + lb-provider: ovn + lb-method: SOURCE_IP_PORT + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + block_storage: + ignore-volume-az: false + trust-device-path: false + bs-version: auto + metadata: + search-order: configDrive + + ccm: + service_monitor: + enabled: true + + csi: + storage_classes: + standard-delete: + reclaim_policy: Delete + parameters: + type: standard + standard-retain: + reclaim_policy: Retain + parameters: + type: standard + performance-delete: + reclaim_policy: Delete + parameters: + type: performance + volume_snapshot_classes: + cinder-snapshot: + deletion_policy: Delete + parameters: + force-create: "true" + pod_monitor: + enabled: true ---- diff --git a/tests/cloud-config.yml b/tests/cloud-config.yml new file mode 100644 index 0000000..22a1468 --- /dev/null +++ b/tests/cloud-config.yml 
@@ -0,0 +1,55 @@
+parameters:
+ kapitan:
+ dependencies:
+ - type: https
+ source: https://raw.githubusercontent.com/projectsyn/component-storageclass/v1.0.0/lib/storageclass.libsonnet
+ output_path: vendor/lib/storageclass.libsonnet
+
+ storageclass:
+ defaultClass: standard-delete
+ defaults: {}
+
+ cloud_provider_openstack:
+ cloud_conf:
+ global:
+ auth-url: https://identity.api.example.cloud/v3
+ region: zhw
+ application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6
+ application-credential-secret: verysecretsecret
+ block_storage:
+ ignore-volume-az: false
+ trust-device-path: false
+ bs-version: auto
+ load_balancer:
+ manage-security-groups: true
+ lb-version: v2
+ lb-provider: ovn
+ subnet-id: ""
+ floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
+ lb-method: SOURCE_IP_PORT
+ metadata:
+ search-order: configDrive
+
+ ccm:
+ service_monitor:
+ enabled: true
+
+ csi:
+ storage_classes:
+ standard-delete:
+ reclaim_policy: Delete
+ parameters:
+ type: standard
+ standard-retain:
+ reclaim_policy: Retain
+ parameters:
+ type: standard
+
+ volume_snapshot_classes:
+ cinder-snapshot:
+ deletion_policy: Delete
+ parameters:
+ force-create: "true"
+
+ pod_monitor:
+ enabled: true
diff --git a/tests/defaults.yml b/tests/defaults.yml
index a4da5b7..d325495 100644
--- a/tests/defaults.yml
+++ b/tests/defaults.yml
@@ -1,3 +1,10 @@
-# Overwrite parameters here
+parameters:
+ kapitan:
+ dependencies:
+ - type: https
+ source: https://raw.githubusercontent.com/projectsyn/component-storageclass/v1.0.0/lib/storageclass.libsonnet
+ output_path: vendor/lib/storageclass.libsonnet
-# parameters: {...}
+ storageclass:
+ defaultClass: ''
+ defaults: {}
diff --git a/tests/golden/cloud-config/cloud-provider-openstack/apps/cloud-provider-openstack.yaml b/tests/golden/cloud-config/cloud-provider-openstack/apps/cloud-provider-openstack.yaml
new file mode 100644
index 0000000..e69de29
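Review bot: `subnet-id: ""` under `load_balancer` renders as a bare `subnet-id=` line in the generated cloud.conf (visible in the golden `01_secret.yaml`), and nothing in the fixture says whether exercising that empty-value path is the point of this case. If it is deliberate, a comment such as `# intentionally empty: exercises rendering of an unset LoadBalancer key` would stop the next person from "fixing" it; otherwise drop the key so the fixture reflects a realistic OVN configuration. The fixture also leaves `allow_volume_expansion` and `allowed_topologies` at their defaults, so the non-default paths the docs advertise for those StorageClass keys are not covered by the golden test; a third class with `allow_volume_expansion: false` and one `allowed_topologies` entry would close that gap. The `verysecretsecret` credential is clearly a placeholder, but a trailing comment saying so on that line keeps secret scanners and reviewers from flagging it.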
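Review bot: The `kapitan.dependencies` entry that vendors `storageclass.libsonnet` from `component-storageclass` v1.0.0 is repeated verbatim in `tests/defaults.yml` and `tests/cloud-config.yml`, with no comment explaining that it stands in for the storageclass component a real cluster would provide. A one-line comment above it, `# Test-only: vendors the storageclass library that the storageclass component supplies on a real cluster`, would make the intent clear, and the pinned version now has to be bumped in two places. `defaultClass: ''` would benefit from a similar note on why the empty string is chosen over omitting the key — presumably the library expects the key to exist, which is worth confirming and stating. Whether the component's own class also declares this library is not visible in this hunk.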
diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml new file mode 100644 index 0000000..8a6e871 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: syn-cloud-provider-openstack + name: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml new file mode 100644 index 0000000..520bb9b --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + name: cloud-config + name: cloud-config + namespace: syn-cloud-provider-openstack +stringData: + cloud.conf: | + [Global] + application-credential-id=d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret=verysecretsecret + auth-url=https://identity.api.example.cloud/v3 + region=zhw + + [LoadBalancer] + floating-network-id=a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lb-method=SOURCE_IP_PORT + lb-provider=ovn + lb-version=v2 + manage-security-groups=true + subnet-id= + + [BlockStorage] + bs-version=auto + ignore-volume-az=false + trust-device-path=false + + [Metadata] + search-order=configDrive +type: Opaque diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml new file mode 100644 index 0000000..44b8c56 --- /dev/null 
+++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml @@ -0,0 +1,100 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - '' + resources: + - nodes + verbs: + - '*' + - apiGroups: + - '' + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - '' + resources: + - services + verbs: + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - patch + - apiGroups: + - '' + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - create + - get + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - '*' + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - watch diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml new file mode 100644 index 0000000..28dd71b --- /dev/null 
+++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:openstack-cloud-controller-manager:auth-delegate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:serviceaccount:syn-cloud-provider-openstack:cloud-controller-manager diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..497f427 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager +subjects: + - kind: ServiceAccount + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml new file mode 100644 index 0000000..1135314 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm + template: + metadata: + annotations: + checksum/config: b0b31d6311d187dd53758033396c83505652c1ec8a62bef0b9afe7f9572f8db4 + labels: + app: openstack-cloud-controller-manager + chart: openstack-cloud-controller-manager-2.35.0 + component: controllermanager + heritage: Helm + release: openstack-ccm + spec: + containers: + - args: + - /bin/openstack-cloud-controller-manager + - --v=2 + - --cloud-config=$(CLOUD_CONFIG) + - --cluster-name=$(CLUSTER_NAME) + - --cloud-provider=openstack + - --use-service-account-credentials=false + - --controllers=cloud-node,cloud-node-lifecycle,service + - --bind-address=0.0.0.0 + env: + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.35.0 + name: openstack-cloud-controller-manager + ports: + - containerPort: 10258 + hostPort: 10258 + name: http + protocol: TCP + resources: + requests: + cpu: 50m + memory: 64Mi + volumeMounts: + - mountPath: /etc/config + name: cloud-config-volume + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: + runAsUser: 1001 + serviceAccountName: cloud-controller-manager + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: 'true' + volumes: + 
- name: cloud-config-volume + secret: + secretName: cloud-config + updateStrategy: + type: RollingUpdate diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml new file mode 100644 index 0000000..952f16f --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + ports: + - name: http + port: 10258 + protocol: TCP + selector: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..b24ebbe --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml new file mode 100644 index 0000000..67222c8 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml @@ -0,0 +1,26 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + port: http + scheme: https + tlsConfig: + insecureSkipVerify: true + jobLabel: component + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml new file mode 100644 index 0000000..9dbb40e 
--- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml @@ -0,0 +1,30 @@ +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: + storageclass.kubernetes.io/is-default-class: 'true' + labels: + name: standard-delete + name: standard-delete +parameters: + fsType: ext4 + type: standard +provisioner: cinder.csi.openstack.org +reclaimPolicy: Delete +volumeBindingMode: WaitForFirstConsumer +--- +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: {} + labels: + name: standard-retain + name: standard-retain +parameters: + fsType: ext4 + type: standard +provisioner: cinder.csi.openstack.org +reclaimPolicy: Retain +volumeBindingMode: WaitForFirstConsumer diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml new file mode 100644 index 0000000..372fec4 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml @@ -0,0 +1,11 @@ +apiVersion: snapshot.storage.k8s.io/v1 +deletionPolicy: Delete +driver: cinder.csi.openstack.org +kind: VolumeSnapshotClass +metadata: + annotations: {} + labels: + name: cinder-snapshot + name: cinder-snapshot +parameters: + force-create: 'true' diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml new file mode 100644 index 0000000..75940cd --- /dev/null 
+++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml @@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.openstack.org +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml new file mode 100644 index 0000000..af0f50f --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml 
@@ -0,0 +1,188 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + replicas: 1 + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0 + imagePullPolicy: IfNotPresent + name: csi-attacher + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + - --feature-gates=Topology=true + - --extra-create-metadata + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 + imagePullPolicy: IfNotPresent + name: csi-provisioner + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0 + imagePullPolicy: 
IfNotPresent + name: csi-snapshotter + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --handle-volume-inuse-error=false + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 + imagePullPolicy: IfNotPresent + name: csi-resizer + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --cloud-config=$(CLOUD_CONFIG) + - --cluster=$(CLUSTER_NAME) + - --provide-node-service=false + - --http-endpoint=:8080 + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + - containerPort: 8080 + name: http + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + nodeSelector: + 
node-role.kubernetes.io/control-plane: '' + securityContext: {} + serviceAccount: csi-cinder-controller-sa + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - emptyDir: null + name: socket-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml new file mode 100644 index 0000000..bd35833 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + jobLabel: component + podMetricsEndpoints: + - interval: 30s + port: http + scheme: http + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml new file mode 100644 index 0000000..f1091f9 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml 
@@ -0,0 +1,303 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-attacher-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-provisioner-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: 
+ - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - create + - get + - list + - watch + - update + - delete + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-resizer-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - persistentvolumeclaims/status + verbs: + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-attacher-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-attacher-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-provisioner-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-provisioner-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-snapshotter-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-snapshotter-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml new file mode 100644 index 0000000..a6c6d55 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml 
@@ -0,0 +1,144 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-nodeplugin + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cinder-csi + component: nodeplugin + release: cinder-csi + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + name: node-driver-registrar + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - args: + - -v=2 + - --csi-address=/csi/csi.sock + env: null + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --provide-controller-service=false + - --cloud-config=$(CLOUD_CONFIG) + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + 
initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + name: kubelet-dir + - mountPath: /dev + mountPropagation: HostToContainer + name: pods-probe-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + nodeSelector: {} + securityContext: {} + serviceAccount: csi-cinder-node-sa + tolerations: + - key: '' + operator: Exists + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet + type: Directory + name: kubelet-dir + - hostPath: + path: /dev + type: Directory + name: pods-probe-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml new file mode 100644 index 0000000..132a375 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-nodeplugin-role +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-nodeplugin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-nodeplugin-role +subjects: + - kind: ServiceAccount + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml new file mode 100644 index 0000000..8a6e871 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: syn-cloud-provider-openstack + name: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml new file mode 100644 index 0000000..f1f898c --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + name: cloud-config + name: cloud-config + namespace: syn-cloud-provider-openstack +stringData: + cloud.conf: '' +type: Opaque 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml new file mode 100644 index 0000000..44b8c56 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml @@ -0,0 +1,100 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - '' + resources: + - nodes + verbs: + - '*' + - apiGroups: + - '' + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - '' + resources: + - services + verbs: + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - patch + - apiGroups: + - '' + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - create + - get + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - '*' + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - watch 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..497f427 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager +subjects: + - kind: ServiceAccount + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml new file mode 100644 index 0000000..36a7572 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm + template: + metadata: + annotations: + checksum/config: b0b31d6311d187dd53758033396c83505652c1ec8a62bef0b9afe7f9572f8db4 + labels: + app: openstack-cloud-controller-manager + chart: openstack-cloud-controller-manager-2.35.0 + component: controllermanager + heritage: Helm + release: openstack-ccm + spec: + containers: + - args: + - /bin/openstack-cloud-controller-manager + - --v=2 + - --cloud-config=$(CLOUD_CONFIG) + - --cluster-name=$(CLUSTER_NAME) + - --cloud-provider=openstack + - --use-service-account-credentials=false + - --controllers=cloud-node,cloud-node-lifecycle,service + - --bind-address=127.0.0.1 + env: + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.35.0 + name: openstack-cloud-controller-manager + resources: + requests: + cpu: 50m + memory: 64Mi + volumeMounts: + - mountPath: /etc/config + name: cloud-config-volume + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: + runAsUser: 1001 + serviceAccountName: cloud-controller-manager + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: 'true' + volumes: + - name: cloud-config-volume + secret: + secretName: cloud-config + 
updateStrategy: + type: RollingUpdate diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..b24ebbe --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml new file mode 100644 index 0000000..75940cd --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml @@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.openstack.org +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml new file mode 100644 index 0000000..254d950 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml 
@@ -0,0 +1,184 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + replicas: 1 + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0 + imagePullPolicy: IfNotPresent + name: csi-attacher + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + - --feature-gates=Topology=true + - --extra-create-metadata + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 + imagePullPolicy: IfNotPresent + name: csi-provisioner + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0 + imagePullPolicy: 
IfNotPresent + name: csi-snapshotter + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --handle-volume-inuse-error=false + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 + imagePullPolicy: IfNotPresent + name: csi-resizer + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --cloud-config=$(CLOUD_CONFIG) + - --cluster=$(CLUSTER_NAME) + - --provide-node-service=false + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: {} + serviceAccount: 
csi-cinder-controller-sa + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - emptyDir: null + name: socket-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml new file mode 100644 index 0000000..f1091f9 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml 
@@ -0,0 +1,303 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-attacher-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-provisioner-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: 
+ - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - create + - get + - list + - watch + - update + - delete + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-resizer-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - persistentvolumeclaims/status + verbs: + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-attacher-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-attacher-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-provisioner-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-provisioner-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-snapshotter-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-snapshotter-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml new file mode 100644 index 0000000..a6c6d55 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml 
@@ -0,0 +1,144 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-nodeplugin + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cinder-csi + component: nodeplugin + release: cinder-csi + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + name: node-driver-registrar + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - args: + - -v=2 + - --csi-address=/csi/csi.sock + env: null + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --provide-controller-service=false + - --cloud-config=$(CLOUD_CONFIG) + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + 
initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + name: kubelet-dir + - mountPath: /dev + mountPropagation: HostToContainer + name: pods-probe-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + nodeSelector: {} + securityContext: {} + serviceAccount: csi-cinder-node-sa + tolerations: + - key: '' + operator: Exists + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet + type: Directory + name: kubelet-dir + - hostPath: + path: /dev + type: Directory + name: pods-probe-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml new file mode 100644 index 0000000..132a375 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-nodeplugin-role +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-nodeplugin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-nodeplugin-role +subjects: + - kind: ServiceAccount + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack