From f95133adc4f72fb977b1e450edc53463480a12a7 Mon Sep 17 00:00:00 2001 
From: Marco De Luca Date: Wed, 15 Apr 2026 16:25:10 +0200 Subject: [PATCH 1/2] Initial implementation --- Makefile.vars.mk | 4 +- class/cloud-provider-openstack.yml | 27 + class/defaults.yml | 161 ++++++ component/app.jsonnet | 2 +- component/main.jsonnet | 90 ++- docs/modules/ROOT/pages/index.adoc | 8 +- .../ROOT/pages/references/parameters.adoc | 544 +++++++++++++++++- tests/cloud-config.yml | 55 ++ tests/defaults.yml | 11 +- .../apps/cloud-provider-openstack.yaml | 0 .../00_namespace.yaml | 7 + .../cloud-provider-openstack/01_secret.yaml | 32 ++ .../templates/clusterrole.yaml | 100 ++++ .../templates/clusterrolebinding-sm.yaml | 19 + .../templates/clusterrolebinding.yaml | 19 + .../templates/daemonset.yaml | 78 +++ .../templates/service-sm.yaml | 21 + .../templates/serviceaccount.yaml | 12 + .../templates/servicemonitor.yaml | 26 + .../10_storageclasses.yaml | 30 + .../10_volumesnapshotclasses.yaml | 9 + .../templates/cinder-csi-driver.yaml | 10 + .../controllerplugin-deployment.yaml | 188 ++++++ .../controllerplugin-podmonitor.yaml | 23 + .../templates/controllerplugin-rbac.yaml | 303 ++++++++++ .../templates/nodeplugin-daemonset.yaml | 143 +++++ .../templates/nodeplugin-rbac.yaml | 35 ++ .../00_namespace.yaml | 7 + .../cloud-provider-openstack/01_secret.yaml | 11 + .../templates/clusterrole.yaml | 100 ++++ .../templates/clusterrolebinding.yaml | 19 + .../templates/daemonset.yaml | 73 +++ .../templates/serviceaccount.yaml | 12 + .../templates/cinder-csi-driver.yaml | 10 + .../controllerplugin-deployment.yaml | 184 ++++++ .../templates/controllerplugin-rbac.yaml | 303 ++++++++++ .../templates/nodeplugin-daemonset.yaml | 143 +++++ .../templates/nodeplugin-rbac.yaml | 35 ++ 38 files changed, 2843 insertions(+), 11 deletions(-) create mode 100644 tests/cloud-config.yml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/apps/cloud-provider-openstack.yaml create mode 100644 
tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml create mode 100644 
tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml create mode 100644 tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml create mode 100644 
tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml create mode 100644 tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml diff --git a/Makefile.vars.mk b/Makefile.vars.mk index 281fdc9..1808b17 100644 --- a/Makefile.vars.mk +++ b/Makefile.vars.mk @@ -5,7 +5,7 @@ git_dir ?= $(shell git rev-parse --git-common-dir) compiled_path ?= compiled/$(COMPONENT_NAME)/$(COMPONENT_NAME) root_volume ?= -v "$${PWD}:/$(COMPONENT_NAME)" compiled_volume ?= -v "$${PWD}/$(compiled_path):/$(COMPONENT_NAME)" -commodore_args ?= --search-paths . -n $(COMPONENT_NAME) +commodore_args ?= --search-paths ./dependencies --search-paths . -n $(COMPONENT_NAME) ifneq "$(git_dir)" ".git" git_volume ?= -v "$(git_dir):$(git_dir):ro" @@ -50,4 +50,4 @@ KUBENT_IMAGE ?= ghcr.io/doitintl/kube-no-trouble:latest KUBENT_DOCKER ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE) instance ?= defaults -test_instances = tests/defaults.yml +test_instances = tests/defaults.yml tests/cloud-config.yml diff --git a/class/cloud-provider-openstack.yml b/class/cloud-provider-openstack.yml index 85ed60f..42183c8 100644 --- a/class/cloud-provider-openstack.yml +++ b/class/cloud-provider-openstack.yml 
@@ -1,10 +1,37 @@ parameters: kapitan: + dependencies: + - type: helm + source: ${cloud_provider_openstack:charts:openstack-cloud-controller-manager:source} + version: ${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + chart_name: openstack-cloud-controller-manager + output_path: ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + - type: helm + source: ${cloud_provider_openstack:charts:openstack-cinder-csi:source} + version: ${cloud_provider_openstack:charts:openstack-cinder-csi:version} + chart_name: openstack-cinder-csi + output_path: ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} compile: - input_paths: - ${_base_directory}/component/app.jsonnet input_type: jsonnet output_path: . + - input_paths: + - ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + input_type: helm + helm_values: ${cloud_provider_openstack:ccm:helm_values} + helm_params: + name: openstack-ccm + namespace: ${cloud_provider_openstack:namespace} + output_path: cloud-provider-openstack/10_ccm_helm_chart + - input_paths: + - ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} + input_type: helm + helm_values: ${cloud_provider_openstack:csi:helm_values} + helm_params: + name: cinder-csi + namespace: ${cloud_provider_openstack:namespace} + output_path: cloud-provider-openstack/20_csi_helm_chart - input_paths: - ${_base_directory}/component/main.jsonnet input_type: jsonnet diff --git a/class/defaults.yml b/class/defaults.yml index ba9d1a6..3cea6bb 100644 --- a/class/defaults.yml +++ b/class/defaults.yml 
@@ -3,3 +3,164 @@ parameters: =_metadata: multi_tenant: true namespace: syn-cloud-provider-openstack + + charts: + openstack-cloud-controller-manager: + source: https://kubernetes.github.io/cloud-provider-openstack + version: "2.35.0" + openstack-cinder-csi: + source: https://kubernetes.github.io/cloud-provider-openstack + version: "2.35.0" + + images: + openstack_cloud_controller_manager: + registry: registry.k8s.io + repository: provider-os/openstack-cloud-controller-manager + tag: v1.35.0 + cinder_csi_plugin: + registry: registry.k8s.io + repository: provider-os/cinder-csi-plugin + tag: v1.35.0 + + cloud_config_secret_name: cloud-config + + cloud_conf: + global: {} + networking: {} + load_balancer: {} + load_balancer_classes: {} + block_storage: {} + metadata: {} + route: {} + + ccm: + cluster_name: ${cluster:name} + service_account_name: cloud-controller-manager + resources: + requests: + cpu: 50m + memory: 64Mi + enabled_controllers: + - cloud-node + - cloud-node-lifecycle + - service + log_verbosity_level: 2 + node_selector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: node.cloudprovider.kubernetes.io/uninitialized + value: "true" + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + service_monitor: + enabled: false + additionalLabels: {} + extra_volumes: [] + extra_volume_mounts: [] + helm_values: + secret: + enabled: true + create: false + name: ${cloud_provider_openstack:cloud_config_secret_name} + cluster: + name: ${cloud_provider_openstack:ccm:cluster_name} + serviceAccountName: ${cloud_provider_openstack:ccm:service_account_name} + image: + repository: ${cloud_provider_openstack:images:openstack_cloud_controller_manager:registry}/${cloud_provider_openstack:images:openstack_cloud_controller_manager:repository} + tag: ${cloud_provider_openstack:images:openstack_cloud_controller_manager:tag} + resources: ${cloud_provider_openstack:ccm:resources} + enabledControllers: 
${cloud_provider_openstack:ccm:enabled_controllers} + logVerbosityLevel: ${cloud_provider_openstack:ccm:log_verbosity_level} + nodeSelector: ${cloud_provider_openstack:ccm:node_selector} + tolerations: ${cloud_provider_openstack:ccm:tolerations} + serviceMonitor: ${cloud_provider_openstack:ccm:service_monitor} + extraVolumes: ${cloud_provider_openstack:ccm:extra_volumes} + extraVolumeMounts: ${cloud_provider_openstack:ccm:extra_volume_mounts} + + csi: + cluster_id: ${cluster:name} + fs_type: ext4 + volume_binding_mode: WaitForFirstConsumer + log_verbosity_level: 2 + pod_monitor: + enabled: false + additionalLabels: {} + node_driver_daemonset_tolerations: + - operator: Exists + resources: + controller: + csi-provisioner: + requests: + cpu: 20m + memory: 32Mi + csi-attacher: + requests: + cpu: 20m + memory: 32Mi + csi-resizer: + requests: + cpu: 20m + memory: 32Mi + csi-snapshotter: + requests: + cpu: 20m + memory: 32Mi + cinder-csi-plugin: + requests: + cpu: 20m + memory: 64Mi + node: + node-driver-registrar: + requests: + cpu: 20m + memory: 32Mi + cinder-csi-plugin: + requests: + cpu: 20m + memory: 64Mi + storage_classes: {} + volume_snapshot_classes: {} + helm_values: + secret: + enabled: true + create: false + hostMount: false + name: ${cloud_provider_openstack:cloud_config_secret_name} + clusterID: ${cloud_provider_openstack:csi:cluster_id} + logVerbosityLevel: ${cloud_provider_openstack:csi:log_verbosity_level} + storageClass: + enabled: false + csi: + provisioner: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-provisioner} + attacher: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-attacher} + resizer: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-resizer} + snapshotter: + resources: ${cloud_provider_openstack:csi:resources:controller:csi-snapshotter} + nodeDriverRegistrar: + resources: ${cloud_provider_openstack:csi:resources:node:node-driver-registrar} + plugin: + image: + repository: 
${cloud_provider_openstack:images:cinder_csi_plugin:registry}/${cloud_provider_openstack:images:cinder_csi_plugin:repository} + tag: ${cloud_provider_openstack:images:cinder_csi_plugin:tag} + volumes: [] + volumeMounts: + - name: cloud-config + mountPath: /etc/config + readOnly: true + resources: ${cloud_provider_openstack:csi:resources:controller:cinder-csi-plugin} + httpEndpoint: + enabled: ${cloud_provider_openstack:csi:pod_monitor:enabled} + port: 8080 + controllerPlugin: + nodeSelector: + node-role.kubernetes.io/control-plane: "" + tolerations: + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + nodePlugin: + tolerations: ${cloud_provider_openstack:csi:node_driver_daemonset_tolerations} + podMonitor: ${cloud_provider_openstack:csi:pod_monitor} diff --git a/component/app.jsonnet b/component/app.jsonnet index 2708490..0632325 100644 --- a/component/app.jsonnet +++ b/component/app.jsonnet @@ -3,7 +3,7 @@ local inv = kap.inventory(); local params = inv.parameters.cloud_provider_openstack; local argocd = import 'lib/argocd.libjsonnet'; -local app = argocd.App('cloud-provider-openstack', params.namespace); +local app = argocd.App('cloud-provider-openstack', params.namespace, secrets=true); local appPath = local project = std.get(std.get(app, 'spec', {}), 'project', 'syn'); diff --git a/component/main.jsonnet b/component/main.jsonnet index 6884ac2..d42c7e0 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet 
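Review bot: In class/defaults.yml the two entries under `images` identify the CCM and Cinder CSI plugin images by `registry`, `repository` and `tag: v1.35.0` only, and `helm_values` forwards just `repository` and `tag`. A tag can be re-pointed in the registry, so what runs on control-plane nodes with access to the `cloud.conf` credentials is not fixed by this file. If the charts accept a digest (not visible in this hunk, to be confirmed against the upstream values), consider adding an optional `digest` field per image and passing it through. Otherwise a comment such as `# tag is mutable; mirror or verify the image if a fixed artifact is required` above `images:` would record the limitation.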
@@ -1,10 +1,94 @@ -// main template for cloud-provider-openstack local kap = import 'lib/kapitan.libjsonnet'; local kube = import 'lib/kube.libjsonnet'; +local sc = import 'lib/storageclass.libsonnet'; + local inv = kap.inventory(); -// The hiera parameters for the component local params = inv.parameters.cloud_provider_openstack; -// Define outputs below +local renderValue(k, v) = + if v == null then [] + else if std.isArray(v) then + [ '%s=%s' % [ k, item ] for item in v if item != null ] + else if std.isBoolean(v) then + [ '%s=%s' % [ k, if v then 'true' else 'false' ] ] + else + [ '%s=%s' % [ k, std.toString(v) ] ]; + +local renderSection(name, dict) = + local lines = std.flattenArrays( + [ renderValue(k, dict[k]) for k in std.objectFields(dict) ] + ); + if std.length(lines) == 0 then [] + else [ '[%s]' % name ] + lines + [ '' ]; + +local renderLBClasses(classes) = + std.flattenArrays([ + renderSection('LoadBalancerClass "%s"' % cls, classes[cls]) + for cls in std.objectFields(classes) + if std.length(std.objectFields(classes[cls])) > 0 + ]); + +local renderCloudConf() = + std.join( + '\n', + renderSection('Global', params.cloud_conf.global) + + renderSection('Networking', params.cloud_conf.networking) + + renderSection('LoadBalancer', params.cloud_conf.load_balancer) + + renderLBClasses(params.cloud_conf.load_balancer_classes) + + renderSection('BlockStorage', params.cloud_conf.block_storage) + + renderSection('Metadata', params.cloud_conf.metadata) + + renderSection('Route', params.cloud_conf.route) + ); + +local secret = kube.Secret(params.cloud_config_secret_name) { + metadata+: { + namespace: params.namespace, + }, + data:: {}, + stringData: { + 'cloud.conf': renderCloudConf(), + }, +}; + +local scParameters(scDef) = + local base = + if params.csi.fs_type != null && params.csi.fs_type != '' + then { fsType: params.csi.fs_type } + else {}; + base + scDef.parameters; + +local storageClasses = [ + local scDef = params.csi.storage_classes[name]; + 
sc.storageClass(name) { + provisioner: 'cinder.csi.openstack.org', + reclaimPolicy: std.get(scDef, 'reclaim_policy', 'Delete'), + allowVolumeExpansion: std.get(scDef, 'allow_volume_expansion', true), + volumeBindingMode: params.csi.volume_binding_mode, + parameters: scParameters(scDef), + [if std.length(std.get(scDef, 'allowed_topologies', [])) > 0 + then 'allowedTopologies']: + scDef.allowed_topologies, + } + for name in std.objectFields(params.csi.storage_classes) +]; + +local volumeSnapshotClasses = [ + local vsc = params.csi.volume_snapshot_classes[name]; + kube._Object('snapshot.storage.k8s.io/v1', 'VolumeSnapshotClass', name) { + driver: 'cinder.csi.openstack.org', + deletionPolicy: vsc.deletion_policy, + [if std.length(vsc.parameters) > 0 then 'parameters']: vsc.parameters, + } + for name in std.objectFields(params.csi.volume_snapshot_classes) +]; + { + [if params.namespace != 'kube-system' then '00_namespace']: + kube.Namespace(params.namespace), + '01_secret': secret, + [if std.length(params.csi.storage_classes) > 0 then '10_storageclasses']: + storageClasses, + [if std.length(params.csi.volume_snapshot_classes) > 0 + then '10_volumesnapshotclasses']: + volumeSnapshotClasses, } diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index 1b5a67a..a305f33 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc 
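Review bot: In component/main.jsonnet, `renderValue` emits `key=value` with the value passed through `std.toString` unquoted and unescaped, and `renderLBClasses` interpolates the class name into `[LoadBalancerClass "%s"]` the same way. A value containing a newline would add extra lines or sections to the rendered `cloud.conf`, and if the upstream parser treats `#` or `;` as a comment start (worth confirming) a credential containing one would be silently truncated; values supplied as `?{vaultkv:...}` references are presumably substituted after this template runs, so a compile-time assert cannot see them. Consider rendering string values quoted and escaped, e.g. `[ '%s="%s"' % [ k, std.strReplace(std.strReplace(std.toString(v), '\\', '\\\\'), '"', '\\"') ] ]`, provided the parser accepts quoted values, and otherwise documenting which characters a secret may not contain. Separately, `scParameters` reads `scDef.parameters` and the snapshot-class list reads `vsc.parameters` and `vsc.deletion_policy` without `std.get`, so an entry that omits one of them fails to compile, although the reference documents them as supported fields rather than required ones.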
@@ -1,5 +1,9 @@ -= Cloud Provider OpenStack += cloud-provider-openstack -cloud-provider-openstack is a Commodore component to manage Cloud Provider OpenStack. +cloud-provider-openstack is a Commodore component to manage the https://github.com/kubernetes/cloud-provider-openstack[OpenStack Cloud Controller Manager] (CCM) and https://github.com/kubernetes/cloud-provider-openstack[Cinder CSI driver]. + +Both sub-components are enabled by default and share a single `cloud.conf` Secret. +The CCM handles node initialization, node lifecycle, LoadBalancer Services (via Octavia), and optionally pod routes. +The CSI driver provides persistent block storage using OpenStack Cinder volumes, with configurable StorageClasses and VolumeSnapshotClasses. See the xref:references/parameters.adoc[parameters] reference for further details. diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 2c87483..dd17663 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
@@ -9,11 +9,553 @@ type:: string default:: `syn-cloud-provider-openstack` The namespace in which to deploy this component. +Unless `kube-system` is chosen, the component will take ownership of the namespace. +NOTE: The CCM DaemonSet uses `hostNetwork: true`. +On clusters that enforce https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards], the namespace must be labeled `pod-security.kubernetes.io/enforce: privileged`. + +== `charts` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Helm chart sources and versions for both the CCM and Cinder CSI charts. + +== `images` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Container images for the CCM and Cinder CSI plugin. +Each image is specified with separate `registry`, `repository`, and `tag` fields. + +== `cloud_config_secret_name` + +[horizontal] +type:: string +default:: `cloud-config` + +Name of the Kubernetes Secret which holds the rendered `cloud.conf`. +The component renders and manages this Secret itself; both charts' own Secret rendering is disabled via `secret.create: false` in `ccm.helm_values` and `csi.helm_values`. + +== `cloud_conf` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Structured input for the rendered `cloud.conf` INI file. +Each sub-section maps to an INI section. +Both the CCM and CSI driver consume this shared Secret; empty sections are suppressed. + +[IMPORTANT] +==== +Keys inside every `cloud_conf.*` dictionary must use the same *kebab-case* names as the upstream `cloud.conf` format (e.g. `auth-url`, `floating-network-id`). +The component passes keys through to the INI file as-is. 
+==== + +Render behavior: + +* `null` values are dropped (no line emitted). +* Boolean values render as lowercase `true`/`false`. +* List values render as multiple lines with the same key (used for multi-value keys such as `public-network-name`). +* Empty sections are suppressed entirely. + +Sensitive fields (passwords, application credential secrets, tokens) can be supplied as Vault references directly in `cloud_conf.global`: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + global: + auth-url: https://identity.api.example.cloud/v3 + application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}' +---- + +=== `cloud_conf.global` + +Maps to `[Global]`. +Holds Keystone authentication endpoint, identifiers, and credentials. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#global[upstream CCM documentation] for the full list of supported keys. + +=== `cloud_conf.networking` + +Maps to `[Networking]`. +Controls how the CCM discovers node addresses. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#networking[upstream CCM documentation] for all supported keys. + +Multi-value keys (e.g. `public-network-name`) are specified as lists: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + networking: + public-network-name: + - public + - public-v6 + internal-network-name: + - internal +---- + +=== `cloud_conf.load_balancer` + +Maps to `[LoadBalancer]`. +Configures the Octavia integration used by the CCM `service` controller. 
+See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#load-balancer[upstream CCM documentation] for all supported keys. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + load_balancer: + manage-security-groups: true + lb-provider: ovn + lb-method: SOURCE_IP_PORT + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 +---- + +=== `cloud_conf.load_balancer_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +Maps to one `[LoadBalancerClass ""]` INI section per dictionary key. +Each value is itself a dictionary of kebab-case keys following the same rendering rules. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#load-balancer[upstream CCM documentation] for supported keys per class. + +[IMPORTANT] +==== +The upstream Helm chart's `cloudConfig` template helper does *not* support `[LoadBalancerClass ""]` sub-sections. +This component renders `cloud.conf` itself, so LoadBalancerClass definitions configured here work as documented by cloud-provider-openstack. +==== + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + load_balancer_classes: + public: + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + internal: + subnet-id: b2c3d4e5-f6a7-8901-bcde-f12345678901 +---- + +Renders to: + +[source,ini] +---- +[LoadBalancerClass "public"] +floating-network-id=a1b2c3d4-e5f6-7890-abcd-ef1234567890 + +[LoadBalancerClass "internal"] +subnet-id=b2c3d4e5-f6a7-8901-bcde-f12345678901 +---- + +To use a named class on a Service, set the `loadbalancer.openstack.org/class` annotation. + +=== `cloud_conf.block_storage` + +Maps to `[BlockStorage]`. +Consumed by the Cinder CSI driver. 
+See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/cinder-csi-plugin/using-cinder-csi-plugin.md#block-storage[upstream CSI documentation] for all supported keys. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + block_storage: + ignore-volume-az: true + rescan-on-resize: true +---- + +=== `cloud_conf.metadata` + +Maps to `[Metadata]`. +Controls how the CCM and CSI driver retrieve instance metadata. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + metadata: + search-order: configDrive +---- + +=== `cloud_conf.route` + +Maps to `[Route]`. +Only needed when the `route` controller is enabled in `ccm.enabled_controllers`. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/using-openstack-cloud-controller-manager.md#route[upstream CCM documentation] for details. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + route: + router-id: c3d4e5f6-a7b8-9012-cdef-123456789012 +---- + +== CCM parameters + +Parameters under the `ccm` key configure the OpenStack Cloud Controller Manager. + +=== `ccm.cluster_name` + +[horizontal] +type:: string +default:: `${cluster:name}` + +The cluster name passed to the CCM. +OpenStack uses this value to tag resources (e.g. load balancers) so they can be cleaned up if the cluster is deleted. + +=== `ccm.service_account_name` + +[horizontal] +type:: string +default:: `cloud-controller-manager` + +Name of the Kubernetes ServiceAccount used by the CCM DaemonSet. + +=== `ccm.resources` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Resource requests and limits for the CCM container. + +=== `ccm.enabled_controllers` + +[horizontal] +type:: list +default:: `[cloud-node, cloud-node-lifecycle, service]` + +List of CCM sub-controllers to enable. 
+ +[cols="2,5,1"] +|=== +|Controller |Purpose |Default + +|`cloud-node` +|Initializes nodes with OpenStack metadata (ProviderID, availability zone, addresses, instance type) +|Enabled + +|`cloud-node-lifecycle` +|Monitors whether the underlying OpenStack instance still exists; removes the Node if the VM is deleted +|Enabled + +|`service` +|Manages LoadBalancer-type Services via Octavia +|Enabled + +|`route` +|Manages pod network routes via a Neutron router. Requires `router-id` in `cloud_conf.route`. +|Disabled +|=== + +=== `ccm.log_verbosity_level` + +[horizontal] +type:: integer +default:: `2` + +Log verbosity level passed to the CCM via `--v=`. + +=== `ccm.node_selector` + +[horizontal] +type:: dictionary +default:: `{node-role.kubernetes.io/control-plane: ""}` + +Node selector for the CCM DaemonSet. + +=== `ccm.tolerations` + +[horizontal] +type:: list +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Tolerations for the CCM DaemonSet. +Defaults allow scheduling on control-plane nodes and on freshly-initialized nodes (`node.cloudprovider.kubernetes.io/uninitialized`). + +=== `ccm.service_monitor` + +[horizontal] +type:: dictionary +default:: ++ +[source,yaml] +---- +enabled: false +additionalLabels: {} +---- + +Enables and configures a Prometheus Operator `ServiceMonitor` resource via the chart. + +=== `ccm.extra_volumes` + +[horizontal] +type:: list +default:: `[]` + +Extra volumes to attach to the CCM DaemonSet pod spec. + +=== `ccm.extra_volume_mounts` + +[horizontal] +type:: list +default:: `[]` + +Extra volume mounts for the CCM container, paired with `ccm.extra_volumes`. 
+ +==== Mounting a custom CA certificate + +If the OpenStack API endpoint uses a custom CA, mount the certificate via `ccm.extra_volumes` / `ccm.extra_volume_mounts` and reference it from `cloud_conf.global.ca-file`: + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + cloud_conf: + global: + ca-file: /etc/cacert/ca.crt + ccm: + extra_volumes: + - name: ca-cert + secret: + secretName: openstack-ca-cert + extra_volume_mounts: + - name: ca-cert + mountPath: /etc/cacert + readOnly: true +---- + +=== `ccm.helm_values` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Escape hatch for any upstream CCM chart value not promoted to a top-level parameter. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cloud-controller-manager/values.yaml[upstream `values.yaml`] for the full list. + +NOTE: The component sets `secret.create: false` and manages the `cloud.conf` Secret itself via `cloud_conf`. +Do not re-enable `secret.create`. + +== CSI parameters + +Parameters under the `csi` key configure the Cinder CSI driver. + +=== `csi.cluster_id` + +[horizontal] +type:: string +default:: `${cluster:name}` + +The cluster identifier passed to the CSI driver. + +=== `csi.fs_type` + +[horizontal] +type:: string +default:: `ext4` + +Default filesystem type for dynamically provisioned volumes. +Set to `null` to omit `fsType` from StorageClass parameters. + +=== `csi.volume_binding_mode` + +[horizontal] +type:: string +default:: `WaitForFirstConsumer` + +The `volumeBindingMode` set on all StorageClasses created by this component. + +=== `csi.log_verbosity_level` + +[horizontal] +type:: integer +default:: `2` + +Log verbosity level for the CSI driver. 
+ +=== `csi.pod_monitor` + +[horizontal] +type:: dictionary +default:: ++ +[source,yaml] +---- +enabled: false +additionalLabels: {} +---- + +Enables and configures a Prometheus Operator `PodMonitor` for the CSI driver. + +=== `csi.node_driver_daemonset_tolerations` + +[horizontal] +type:: list +default:: `[{operator: Exists}]` + +Tolerations for the CSI node plugin DaemonSet. +Defaults to tolerating everything so the node plugin runs on all nodes. + +NOTE: The CSI controller plugin Deployment is scheduled on control-plane nodes by default via `csi.helm_values`. +Override `csi.helm_values.csi.plugin.controllerPlugin.nodeSelector` and `csi.helm_values.csi.plugin.controllerPlugin.tolerations` to change this. + +=== `csi.resources` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Resource requests and limits for all CSI containers, organized by `controller` and `node` sub-keys. + +=== `csi.storage_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +StorageClass definitions. +No storage classes are created by default; users must define all classes explicitly. + +The default StorageClass is managed cluster-wide via https://hub.syn.tools/storageclass/[component-storageclass] using `parameters.storageclass.defaultClass`. + +Each entry is keyed by the StorageClass name and supports: + +* `allow_volume_expansion` (boolean, default `true`) +* `reclaim_policy` (`Delete` or `Retain`, default `Delete`) +* `parameters` (dictionary) -- passed to the Cinder provisioner (e.g. 
`type: standard`) +* `allowed_topologies` (list) + +[source,yaml] +---- +parameters: + storageclass: + defaultClass: standard-delete + + cloud_provider_openstack: + csi: + storage_classes: + standard-delete: + allow_volume_expansion: true + reclaim_policy: Delete + parameters: + type: standard + performance-retain: + allow_volume_expansion: true + reclaim_policy: Retain + parameters: + type: performance +---- + +=== `csi.volume_snapshot_classes` + +[horizontal] +type:: dictionary +default:: `{}` + +VolumeSnapshotClass definitions. + +Each entry supports: + +* `deletion_policy` (`Delete` or `Retain`) +* `parameters` (dictionary) -- passed to the Cinder snapshotter + +NOTE: VolumeSnapshotClasses require the https://github.com/kubernetes-csi/external-snapshotter[snapshot CRDs and snapshot-controller] to be installed on the cluster. + +TIP: Set `force-create: "true"` in `parameters` to allow snapshots of in-use (attached) volumes. +Without this, Cinder rejects snapshots unless the volume is detached. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + csi: + volume_snapshot_classes: + cinder-snapshot: + deletion_policy: Delete + parameters: + force-create: "true" +---- + +=== `csi.helm_values` + +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Escape hatch for any upstream Cinder CSI chart value not promoted to a top-level parameter. +See the https://github.com/kubernetes/cloud-provider-openstack/blob/master/charts/openstack-cinder-csi/values.yaml[upstream `values.yaml`] for the full list. 
== Example +Realistic configuration using application credentials, Octavia with OVN, Cinder StorageClasses, and monitoring: + [source,yaml] ---- -namespace: example-namespace +parameters: + storageclass: + defaultClass: standard-delete + + cloud_provider_openstack: + cloud_conf: + global: + auth-url: https://identity.api.example.cloud/v3 + region: zhw + application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret: '?{vaultkv:${cluster:tenant}/${cluster:name}/openstack/application-credential-secret}' + load_balancer: + manage-security-groups: true + lb-version: v2 + lb-provider: ovn + lb-method: SOURCE_IP_PORT + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + block_storage: + ignore-volume-az: false + trust-device-path: false + bs-version: auto + metadata: + search-order: configDrive + + ccm: + service_monitor: + enabled: true + + csi: + storage_classes: + standard-delete: + reclaim_policy: Delete + parameters: + type: standard + standard-retain: + reclaim_policy: Retain + parameters: + type: standard + performance-delete: + reclaim_policy: Delete + parameters: + type: performance + volume_snapshot_classes: + cinder-snapshot: + deletion_policy: Delete + parameters: + force-create: "true" + pod_monitor: + enabled: true ---- diff --git a/tests/cloud-config.yml b/tests/cloud-config.yml new file mode 100644 index 0000000..22a1468 --- /dev/null +++ b/tests/cloud-config.yml 
@@ -0,0 +1,55 @@ +parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/projectsyn/component-storageclass/v1.0.0/lib/storageclass.libsonnet + output_path: vendor/lib/storageclass.libsonnet + + storageclass: + defaultClass: standard-delete + defaults: {} + + cloud_provider_openstack: + cloud_conf: + global: + auth-url: https://identity.api.example.cloud/v3 + region: zhw + application-credential-id: d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret: verysecretsecret + block_storage: + ignore-volume-az: false + trust-device-path: false + bs-version: auto + load_balancer: + manage-security-groups: true + lb-version: v2 + lb-provider: ovn + subnet-id: "" + floating-network-id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lb-method: SOURCE_IP_PORT + metadata: + search-order: configDrive + + ccm: + service_monitor: + enabled: true + + csi: + storage_classes: + standard-delete: + reclaim_policy: Delete + parameters: + type: standard + standard-retain: + reclaim_policy: Retain + parameters: + type: standard + + volume_snapshot_classes: + cinder-snapshot: + deletion_policy: Delete + parameters: + force-create: "true" + + pod_monitor: + enabled: true diff --git a/tests/defaults.yml b/tests/defaults.yml index a4da5b7..d325495 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -1,3 +1,10 @@ -# Overwrite parameters here +parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/projectsyn/component-storageclass/v1.0.0/lib/storageclass.libsonnet + output_path: vendor/lib/storageclass.libsonnet -# parameters: {...} + storageclass: + defaultClass: '' + defaults: {} diff --git a/tests/golden/cloud-config/cloud-provider-openstack/apps/cloud-provider-openstack.yaml b/tests/golden/cloud-config/cloud-provider-openstack/apps/cloud-provider-openstack.yaml new file mode 100644 index 0000000..e69de29 
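Review bot: The `ccm.service_monitor.enabled: true` setting in this fixture pins a golden ServiceMonitor (servicemonitor.yaml later in this patch) that scrapes with `bearerTokenFile` and `tlsConfig.insecureSkipVerify: true`, so the scraper's token is presented to an endpoint whose certificate is never checked. The CCM DaemonSet in the same golden set runs with `hostNetwork: true` and `--bind-address=0.0.0.0`, so the metrics port it serves is bound on the node's own addresses rather than a pod network. Nothing in the fixture or in the documented example records that this is an accepted trade-off; I would add a comment above the setting, `# rendered ServiceMonitor skips TLS verification (see golden servicemonitor.yaml); accepted until the serving cert can be verified`, and a matching NOTE in parameters.adoc. Whether the chart exposes a value to supply a CA instead is not visible in this patch.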
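Review bot: The `source:` URL added under `kapitan.dependencies` fetches `storageclass.libsonnet` by the tag `v1.0.0`, and a tag can be re-pointed upstream, so the library compiled into the golden output is not fixed by this file; the identical entry in the tests/cloud-config.yml hunk above has the same issue. Pinning the path to a commit keeps test compiles reproducible and makes an upstream change show up as a diff here: `source: https://raw.githubusercontent.com/projectsyn/component-storageclass/<commit-sha-of-v1.0.0>/lib/storageclass.libsonnet`. The placeholder stands for the commit the tag currently resolves to, which is not shown on this page.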
diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml new file mode 100644 index 0000000..8a6e871 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: syn-cloud-provider-openstack + name: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml new file mode 100644 index 0000000..520bb9b --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + name: cloud-config + name: cloud-config + namespace: syn-cloud-provider-openstack +stringData: + cloud.conf: | + [Global] + application-credential-id=d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6 + application-credential-secret=verysecretsecret + auth-url=https://identity.api.example.cloud/v3 + region=zhw + + [LoadBalancer] + floating-network-id=a1b2c3d4-e5f6-7890-abcd-ef1234567890 + lb-method=SOURCE_IP_PORT + lb-provider=ovn + lb-version=v2 + manage-security-groups=true + subnet-id= + + [BlockStorage] + bs-version=auto + ignore-volume-az=false + trust-device-path=false + + [Metadata] + search-order=configDrive +type: Opaque diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml new file mode 100644 index 0000000..44b8c56 --- /dev/null 
+++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml @@ -0,0 +1,100 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - '' + resources: + - nodes + verbs: + - '*' + - apiGroups: + - '' + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - '' + resources: + - services + verbs: + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - patch + - apiGroups: + - '' + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - create + - get + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - '*' + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - watch diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml new file mode 100644 index 0000000..28dd71b --- /dev/null 
+++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding-sm.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:openstack-cloud-controller-manager:auth-delegate +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: User + name: system:serviceaccount:syn-cloud-provider-openstack:cloud-controller-manager diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..497f427 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml 
@@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager +subjects: + - kind: ServiceAccount + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml new file mode 100644 index 0000000..8ca70b2 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm + template: + metadata: + annotations: + checksum/config: b0b31d6311d187dd53758033396c83505652c1ec8a62bef0b9afe7f9572f8db4 + labels: + app: openstack-cloud-controller-manager + chart: openstack-cloud-controller-manager-2.35.0 + component: controllermanager + heritage: Helm + release: openstack-ccm + spec: + containers: + - args: + - /bin/openstack-cloud-controller-manager + - --v=2 + - --cloud-config=$(CLOUD_CONFIG) + - --cluster-name=$(CLUSTER_NAME) + - --cloud-provider=openstack + - --use-service-account-credentials=false + - --controllers=cloud-node,cloud-node-lifecycle,service + - --bind-address=0.0.0.0 + env: + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.35.0 + name: openstack-cloud-controller-manager + ports: + - containerPort: 10258 + hostPort: 10258 + name: http + protocol: TCP + resources: + requests: + cpu: 50m + memory: 64Mi + volumeMounts: + - mountPath: /etc/config + name: cloud-config-volume + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: + runAsUser: 1001 + serviceAccountName: cloud-controller-manager + tolerations: + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: 'true' + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + 
- name: cloud-config-volume + secret: + secretName: cloud-config + updateStrategy: + type: RollingUpdate diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml new file mode 100644 index 0000000..952f16f --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/service-sm.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + ports: + - name: http + port: 10258 + protocol: TCP + selector: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..b24ebbe --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml new file mode 100644 index 0000000..67222c8 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/servicemonitor.yaml @@ -0,0 +1,26 @@ +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + interval: 30s + port: http + scheme: https + tlsConfig: + insecureSkipVerify: true + jobLabel: component + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml new file mode 100644 index 0000000..9dbb40e 
--- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_storageclasses.yaml @@ -0,0 +1,30 @@ +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: + storageclass.kubernetes.io/is-default-class: 'true' + labels: + name: standard-delete + name: standard-delete +parameters: + fsType: ext4 + type: standard +provisioner: cinder.csi.openstack.org +reclaimPolicy: Delete +volumeBindingMode: WaitForFirstConsumer +--- +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + annotations: {} + labels: + name: standard-retain + name: standard-retain +parameters: + fsType: ext4 + type: standard +provisioner: cinder.csi.openstack.org +reclaimPolicy: Retain +volumeBindingMode: WaitForFirstConsumer diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml new file mode 100644 index 0000000..610404f --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml @@ -0,0 +1,9 @@ +apiVersion: snapshot.storage.k8s.io/v1 +deletionPolicy: Delete +driver: cinder.csi.openstack.org +kind: VolumeSnapshotClass +metadata: + annotations: {} + labels: + name: cinder-snapshot + name: cinder-snapshot diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml new file mode 100644 index 0000000..75940cd --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml 
@@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.openstack.org +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml new file mode 100644 index 0000000..af0f50f --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml 
@@ -0,0 +1,188 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + replicas: 1 + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0 + imagePullPolicy: IfNotPresent + name: csi-attacher + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + - --feature-gates=Topology=true + - --extra-create-metadata + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 + imagePullPolicy: IfNotPresent + name: csi-provisioner + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0 + imagePullPolicy: 
IfNotPresent + name: csi-snapshotter + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --handle-volume-inuse-error=false + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 + imagePullPolicy: IfNotPresent + name: csi-resizer + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --cloud-config=$(CLOUD_CONFIG) + - --cluster=$(CLUSTER_NAME) + - --provide-node-service=false + - --http-endpoint=:8080 + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + - containerPort: 8080 + name: http + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + nodeSelector: + 
node-role.kubernetes.io/control-plane: '' + securityContext: {} + serviceAccount: csi-cinder-controller-sa + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - emptyDir: null + name: socket-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml new file mode 100644 index 0000000..bd35833 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-podmonitor.yaml @@ -0,0 +1,23 @@ +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + jobLabel: component + podMetricsEndpoints: + - interval: 30s + port: http + scheme: http + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml new file mode 100644 index 0000000..f1091f9 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml 
@@ -0,0 +1,303 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-attacher-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-provisioner-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: 
+ - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - create + - get + - list + - watch + - update + - delete + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-resizer-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - persistentvolumeclaims/status + verbs: + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-attacher-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-attacher-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-provisioner-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-provisioner-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-snapshotter-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-snapshotter-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml new file mode 100644 index 0000000..b8c8877 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml 
@@ -0,0 +1,143 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-nodeplugin + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cinder-csi + component: nodeplugin + release: cinder-csi + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + name: node-driver-registrar + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - args: + - -v=2 + - --csi-address=/csi/csi.sock + env: null + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --provide-controller-service=false + - --cloud-config=$(CLOUD_CONFIG) + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + 
initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + name: kubelet-dir + - mountPath: /dev + mountPropagation: HostToContainer + name: pods-probe-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + nodeSelector: {} + securityContext: {} + serviceAccount: csi-cinder-node-sa + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet + type: Directory + name: kubelet-dir + - hostPath: + path: /dev + type: Directory + name: pods-probe-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml new file mode 100644 index 0000000..132a375 --- /dev/null +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-nodeplugin-role +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-nodeplugin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-nodeplugin-role +subjects: + - kind: ServiceAccount + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml new file mode 100644 index 0000000..8a6e871 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/00_namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + annotations: {} + labels: + name: syn-cloud-provider-openstack + name: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml new file mode 100644 index 0000000..f1f898c --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/01_secret.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + name: cloud-config + name: cloud-config + namespace: syn-cloud-provider-openstack +stringData: + cloud.conf: '' +type: Opaque 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml new file mode 100644 index 0000000..44b8c56 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrole.yaml @@ -0,0 +1,100 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - '' + resources: + - nodes + verbs: + - '*' + - apiGroups: + - '' + resources: + - nodes/status + verbs: + - patch + - apiGroups: + - '' + resources: + - services + verbs: + - list + - patch + - update + - watch + - apiGroups: + - '' + resources: + - services/status + verbs: + - patch + - apiGroups: + - '' + resources: + - serviceaccounts/token + verbs: + - create + - apiGroups: + - '' + resources: + - serviceaccounts + verbs: + - create + - get + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - '*' + - apiGroups: + - '' + resources: + - endpoints + verbs: + - create + - get + - list + - watch + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - secrets + verbs: + - list + - get + - watch 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml new file mode 100644 index 0000000..497f427 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/clusterrolebinding.yaml @@ -0,0 +1,19 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: system:cloud-controller-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:cloud-controller-manager +subjects: + - kind: ServiceAccount + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml new file mode 100644 index 0000000..964f516 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: openstack-cloud-controller-manager + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cloud-controller-manager + component: controllermanager + release: openstack-ccm + template: + metadata: + annotations: + checksum/config: b0b31d6311d187dd53758033396c83505652c1ec8a62bef0b9afe7f9572f8db4 + labels: + app: openstack-cloud-controller-manager + chart: openstack-cloud-controller-manager-2.35.0 + component: controllermanager + heritage: Helm + release: openstack-ccm + spec: + containers: + - args: + - /bin/openstack-cloud-controller-manager + - --v=2 + - --cloud-config=$(CLOUD_CONFIG) + - --cluster-name=$(CLUSTER_NAME) + - --cloud-provider=openstack + - --use-service-account-credentials=false + - --controllers=cloud-node,cloud-node-lifecycle,service + - --bind-address=127.0.0.1 + env: + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/openstack-cloud-controller-manager:v1.35.0 + name: openstack-cloud-controller-manager + resources: + requests: + cpu: 50m + memory: 64Mi + volumeMounts: + - mountPath: /etc/config + name: cloud-config-volume + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: + runAsUser: 1001 + serviceAccountName: cloud-controller-manager + tolerations: + - effect: NoSchedule + key: node.cloudprovider.kubernetes.io/uninitialized + value: 'true' + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - name: cloud-config-volume + secret: + secretName: cloud-config + 
updateStrategy: + type: RollingUpdate diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..b24ebbe --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: null + labels: + app.kubernetes.io/instance: openstack-ccm + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openstack-cloud-controller-manager + app.kubernetes.io/version: v1.35.0 + helm.sh/chart: openstack-cloud-controller-manager-2.35.0 + name: cloud-controller-manager + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml new file mode 100644 index 0000000..75940cd --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/cinder-csi-driver.yaml @@ -0,0 +1,10 @@ +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: cinder.csi.openstack.org +spec: + attachRequired: true + podInfoOnMount: true + volumeLifecycleModes: + - Persistent + - Ephemeral 
diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml new file mode 100644 index 0000000..254d950 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-deployment.yaml 
@@ -0,0 +1,184 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-controllerplugin + namespace: syn-cloud-provider-openstack +spec: + replicas: 1 + selector: + matchLabels: + app: openstack-cinder-csi + component: controllerplugin + release: cinder-csi + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + type: RollingUpdate + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: controllerplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-attacher:v4.10.0 + imagePullPolicy: IfNotPresent + name: csi-attacher + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + - --default-fstype=ext4 + - --feature-gates=Topology=true + - --extra-create-metadata + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-provisioner:v5.3.0 + imagePullPolicy: IfNotPresent + name: csi-provisioner + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0 + imagePullPolicy: 
IfNotPresent + name: csi-snapshotter + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --timeout=3m + - --handle-volume-inuse-error=false + - --leader-election=true + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/csi-resizer:v1.14.0 + imagePullPolicy: IfNotPresent + name: csi-resizer + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - -v=2 + - --csi-address=$(ADDRESS) + env: + - name: ADDRESS + value: /var/lib/csi/sockets/pluginproxy/csi.sock + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /var/lib/csi/sockets/pluginproxy/ + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --cloud-config=$(CLOUD_CONFIG) + - --cluster=$(CLUSTER_NAME) + - --provide-node-service=false + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + - name: CLUSTER_NAME + value: c-green-test-1234 + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + nodeSelector: + node-role.kubernetes.io/control-plane: '' + securityContext: {} + serviceAccount: 
csi-cinder-controller-sa + tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane + volumes: + - emptyDir: null + name: socket-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml new file mode 100644 index 0000000..f1091f9 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/controllerplugin-rbac.yaml 
@@ -0,0 +1,303 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-attacher-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - patch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-provisioner-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - get + - list + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - get + - list + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-snapshotter-role +rules: + - apiGroups: 
+ - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - create + - get + - list + - watch + - update + - delete + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-resizer-role +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - patch + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - persistentvolumeclaims/status + verbs: + - patch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-attacher-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-attacher-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-provisioner-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-provisioner-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-snapshotter-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-snapshotter-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-resizer-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-resizer-role +subjects: + - kind: ServiceAccount + name: csi-cinder-controller-sa + namespace: syn-cloud-provider-openstack diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml new file mode 100644 index 0000000..b8c8877 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml 
@@ -0,0 +1,143 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + name: openstack-cinder-csi-nodeplugin + namespace: syn-cloud-provider-openstack +spec: + selector: + matchLabels: + app: openstack-cinder-csi + component: nodeplugin + release: cinder-csi + template: + metadata: + annotations: null + labels: + app: openstack-cinder-csi + chart: openstack-cinder-csi-2.35.0 + component: nodeplugin + heritage: Helm + release: cinder-csi + spec: + affinity: {} + containers: + - args: + - -v=2 + - --csi-address=$(ADDRESS) + - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH) + env: + - name: ADDRESS + value: /csi/csi.sock + - name: DRIVER_REG_SOCK_PATH + value: /var/lib/kubelet/plugins/cinder.csi.openstack.org/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0 + imagePullPolicy: IfNotPresent + name: node-driver-registrar + resources: + requests: + cpu: 20m + memory: 32Mi + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /registration + name: registration-dir + - args: + - -v=2 + - --csi-address=/csi/csi.sock + env: null + image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /csi + name: socket-dir + - args: + - /bin/cinder-csi-plugin + - -v=2 + - --endpoint=$(CSI_ENDPOINT) + - --provide-controller-service=false + - --cloud-config=$(CLOUD_CONFIG) + env: + - name: CSI_ENDPOINT + value: unix://csi/csi.sock + - name: CLOUD_CONFIG + value: /etc/config/cloud.conf + image: registry.k8s.io/provider-os/cinder-csi-plugin:v1.35.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + 
initialDelaySeconds: 10 + periodSeconds: 60 + timeoutSeconds: 10 + name: cinder-csi-plugin + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + resources: + requests: + cpu: 20m + memory: 64Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + privileged: true + volumeMounts: + - mountPath: /csi + name: socket-dir + - mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + name: kubelet-dir + - mountPath: /dev + mountPropagation: HostToContainer + name: pods-probe-dir + - mountPath: /etc/config + name: cloud-config + readOnly: true + dnsPolicy: ClusterFirstWithHostNet + hostNetwork: true + nodeSelector: {} + securityContext: {} + serviceAccount: csi-cinder-node-sa + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/lib/kubelet/plugins/cinder.csi.openstack.org + type: DirectoryOrCreate + name: socket-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet + type: Directory + name: kubelet-dir + - hostPath: + path: /dev + type: Directory + name: pods-probe-dir + - name: cloud-config + secret: + secretName: cloud-config diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml new file mode 100644 index 0000000..132a375 --- /dev/null +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-rbac.yaml 
@@ -0,0 +1,35 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: csi-nodeplugin-role +rules: + - apiGroups: + - '' + resources: + - events + verbs: + - get + - list + - watch + - create + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: csi-nodeplugin-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: csi-nodeplugin-role +subjects: + - kind: ServiceAccount + name: csi-cinder-node-sa + namespace: syn-cloud-provider-openstack From 5b4d48f597f393ce8a67e4786bbe7fd50447dcc6 Mon Sep 17 00:00:00 2001 From: Marco De Luca Date: Thu, 16 Apr 2026 15:45:15 +0200 Subject: [PATCH 2/2] Apply review feedback --- .gitignore | 1 + Makefile | 2 +- class/cloud-provider-openstack.yml | 52 ++++++--- class/defaults.yml | 33 +++--- component/app.jsonnet | 2 +- component/main.jsonnet | 29 +++-- component/render-helm-values.jsonnet | 36 ++++++ docs/modules/ROOT/pages/index.adoc | 5 +- .../ROOT/pages/references/parameters.adoc | 109 +++++++++++++++--- .../templates/daemonset.yaml | 4 +- .../10_volumesnapshotclasses.yaml | 2 + .../templates/nodeplugin-daemonset.yaml | 3 +- .../templates/daemonset.yaml | 4 +- .../templates/nodeplugin-daemonset.yaml | 3 +- 14 files changed, 223 insertions(+), 62 deletions(-) create mode 100644 component/render-helm-values.jsonnet diff --git a/.gitignore b/.gitignore index f6ff082..705eab5 100644 --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ /jsonnetfile.lock.json /crds /compiled +/helm_values # Antora /_archive diff --git a/Makefile b/Makefile index 696a2e9..1369a0d 100644 --- a/Makefile +++ b/Makefile 
@@ -81,4 +81,4 @@ $(test_instances): .PHONY: clean clean: ## Clean the project - rm -rf .cache compiled dependencies vendor helmcharts jsonnetfile*.json || true + rm -rf .cache compiled dependencies vendor helmcharts helm_values jsonnetfile*.json || true diff --git a/class/cloud-provider-openstack.yml b/class/cloud-provider-openstack.yml index 42183c8..7cef558 100644 --- a/class/cloud-provider-openstack.yml +++ b/class/cloud-provider-openstack.yml @@ -1,4 +1,36 @@ parameters: + _os_ccm_chart: + "True": + input_paths: + - ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} + input_type: helm + helm_params: + name: openstack-ccm + namespace: ${cloud_provider_openstack:namespace:name} + helm_values_files: + - ${_base_directory}/helm_values/ccm-values.yaml + output_path: cloud-provider-openstack/10_ccm_helm_chart + "False": + input_type: jsonnet + input_paths: [] + output_path: cloud-provider-openstack/ + + _os_csi_chart: + "True": + input_paths: + - ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} + input_type: helm + helm_params: + name: cinder-csi + namespace: ${cloud_provider_openstack:namespace:name} + helm_values_files: + - ${_base_directory}/helm_values/csi-values.yaml + output_path: cloud-provider-openstack/20_csi_helm_chart + "False": + input_type: jsonnet + input_paths: [] + output_path: cloud-provider-openstack/ + kapitan: dependencies: - type: helm 
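Review bot: The `_os_ccm_chart` and `_os_csi_chart` maps are keyed on the literal strings `"True"` and `"False"`, and nothing in the file explains why. The next hunk selects an entry with `${_os_ccm_chart:${cloud_provider_openstack:ccm:enabled}}`, so the lookup appears to depend on the boolean being stringified. A quoted `"true"` or any other non-boolean value in the inventory would presumably fail with an unhelpful reference error. I would add a comment above each map, e.g. `# Keys match the stringified boolean of ccm.enabled; the parameter must be a YAML boolean`.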
@@ -17,21 +49,11 @@ parameters: input_type: jsonnet output_path: . - input_paths: - - ${_base_directory}/helmcharts/openstack-cloud-controller-manager/${cloud_provider_openstack:charts:openstack-cloud-controller-manager:version} - input_type: helm - helm_values: ${cloud_provider_openstack:ccm:helm_values} - helm_params: - name: openstack-ccm - namespace: ${cloud_provider_openstack:namespace} - output_path: cloud-provider-openstack/10_ccm_helm_chart - - input_paths: - - ${_base_directory}/helmcharts/openstack-cinder-csi/${cloud_provider_openstack:charts:openstack-cinder-csi:version} - input_type: helm - helm_values: ${cloud_provider_openstack:csi:helm_values} - helm_params: - name: cinder-csi - namespace: ${cloud_provider_openstack:namespace} - output_path: cloud-provider-openstack/20_csi_helm_chart + - ${_base_directory}/component/render-helm-values.jsonnet + input_type: jsonnet + output_path: ${_base_directory}/helm_values/ + - ${_os_ccm_chart:${cloud_provider_openstack:ccm:enabled}} + - ${_os_csi_chart:${cloud_provider_openstack:csi:enabled}} - input_paths: - ${_base_directory}/component/main.jsonnet input_type: jsonnet diff --git a/class/defaults.yml b/class/defaults.yml index 3cea6bb..73c29f6 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -2,7 +2,10 @@ parameters: cloud_provider_openstack: =_metadata: multi_tenant: true - namespace: syn-cloud-provider-openstack + namespace: + name: syn-cloud-provider-openstack + labels: {} + annotations: {} charts: openstack-cloud-controller-manager: @@ -34,6 +37,7 @@ parameters: route: {} ccm: + enabled: true cluster_name: ${cluster:name} service_account_name: cloud-controller-manager resources: 
@@ -48,10 +52,10 @@ parameters: node_selector: node-role.kubernetes.io/control-plane: "" tolerations: - - key: node.cloudprovider.kubernetes.io/uninitialized + node.cloudprovider.kubernetes.io/uninitialized: value: "true" effect: NoSchedule - - key: node-role.kubernetes.io/control-plane + node-role.kubernetes.io/control-plane: effect: NoSchedule service_monitor: enabled: false @@ -70,15 +74,14 @@ parameters: repository: ${cloud_provider_openstack:images:openstack_cloud_controller_manager:registry}/${cloud_provider_openstack:images:openstack_cloud_controller_manager:repository} tag: ${cloud_provider_openstack:images:openstack_cloud_controller_manager:tag} resources: ${cloud_provider_openstack:ccm:resources} - enabledControllers: ${cloud_provider_openstack:ccm:enabled_controllers} logVerbosityLevel: ${cloud_provider_openstack:ccm:log_verbosity_level} nodeSelector: ${cloud_provider_openstack:ccm:node_selector} - tolerations: ${cloud_provider_openstack:ccm:tolerations} serviceMonitor: ${cloud_provider_openstack:ccm:service_monitor} extraVolumes: ${cloud_provider_openstack:ccm:extra_volumes} extraVolumeMounts: ${cloud_provider_openstack:ccm:extra_volume_mounts} csi: + enabled: true cluster_id: ${cluster:name} fs_type: ext4 volume_binding_mode: WaitForFirstConsumer @@ -86,8 +89,16 @@ parameters: pod_monitor: enabled: false additionalLabels: {} - node_driver_daemonset_tolerations: - - operator: Exists + controller_plugin: + node_selector: + node-role.kubernetes.io/control-plane: "" + tolerations: + node-role.kubernetes.io/control-plane: + effect: NoSchedule + node_plugin: + tolerations: + "": + operator: Exists resources: controller: csi-provisioner: 
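Review bot: The `""` key under `csi.node_plugin.tolerations` is easy to misread as a placeholder; with `operator: Exists` it stands for a toleration without a key, which tolerates every taint. That is presumably intended so the node plugin runs on all nodes, but it also means the privileged node plugin DaemonSet is scheduled onto tainted and control-plane nodes. A comment on the entry would make this explicit, e.g. `# empty key + operator Exists tolerates all taints; node plugin runs on every node`. The keyed form also allows only one toleration per taint key, which applies to the `ccm.tolerations` hunk on this line as well and is worth stating in the parameter reference.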
@@ -155,12 +166,4 @@ parameters: httpEndpoint: enabled: ${cloud_provider_openstack:csi:pod_monitor:enabled} port: 8080 - controllerPlugin: - nodeSelector: - node-role.kubernetes.io/control-plane: "" - tolerations: - - key: node-role.kubernetes.io/control-plane - effect: NoSchedule - nodePlugin: - tolerations: ${cloud_provider_openstack:csi:node_driver_daemonset_tolerations} podMonitor: ${cloud_provider_openstack:csi:pod_monitor} diff --git a/component/app.jsonnet b/component/app.jsonnet index 0632325..2708490 100644 --- a/component/app.jsonnet +++ b/component/app.jsonnet @@ -3,7 +3,7 @@ local inv = kap.inventory(); local params = inv.parameters.cloud_provider_openstack; local argocd = import 'lib/argocd.libjsonnet'; -local app = argocd.App('cloud-provider-openstack', params.namespace, secrets=true); +local app = argocd.App('cloud-provider-openstack', params.namespace); local appPath = local project = std.get(std.get(app, 'spec', {}), 'project', 'syn'); diff --git a/component/main.jsonnet b/component/main.jsonnet index d42c7e0..b38502c 100644 --- a/component/main.jsonnet +++ b/component/main.jsonnet @@ -9,10 +9,10 @@ local renderValue(k, v) = if v == null then [] else if std.isArray(v) then [ '%s=%s' % [ k, item ] for item in v if item != null ] - else if std.isBoolean(v) then - [ '%s=%s' % [ k, if v then 'true' else 'false' ] ] + else if std.isObject(v) then + error 'cloud_conf value for key "%s" must be scalar or array, got object' % k else - [ '%s=%s' % [ k, std.toString(v) ] ]; + [ '%s=%s' % [ k, v ] ]; local renderSection(name, dict) = local lines = std.flattenArrays( @@ -42,7 +42,7 @@ local renderCloudConf() = local secret = kube.Secret(params.cloud_config_secret_name) { metadata+: { - namespace: params.namespace, + namespace: params.namespace.name, }, data:: {}, stringData: { 
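Review bot: `argocd.App('cloud-provider-openstack', params.namespace)` still passes `params.namespace`, which the `class/defaults.yml` change in this commit turns into an object with `name`, `labels` and `annotations`. `component/main.jsonnet` was switched to `params.namespace.name` in the same commit, so this call looks like a missed spot. Assuming `argocd.App` expects the namespace name as a string, the line should read `local app = argocd.App('cloud-provider-openstack', params.namespace.name);`. The rest of `app.jsonnet` is outside the hunk.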
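Review bot: The new `std.isObject(v)` guard in `renderValue` rejects an object passed directly as a value, but the array branch above it still formats each `item` with `'%s=%s'` without the same check, so an object nested in a list is written into `cloud.conf` in whatever form string formatting gives it. The comprehension could apply the same rule, e.g. `if std.isObject(item) then error 'cloud_conf array items for key "%s" must be scalar' % k else '%s=%s' % [ k, item ]`. Values are also emitted verbatim, so it is worth documenting that a value containing a line break or a character special to the config format is not escaped or quoted. The signature of `renderValue` lies above the hunk and `renderSection` continues past it.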
@@ -74,17 +74,32 @@ local storageClasses = [ local volumeSnapshotClasses = [ local vsc = params.csi.volume_snapshot_classes[name]; + local vscParams = std.get(vsc, 'parameters', {}); kube._Object('snapshot.storage.k8s.io/v1', 'VolumeSnapshotClass', name) { driver: 'cinder.csi.openstack.org', deletionPolicy: vsc.deletion_policy, - [if std.length(vsc.parameters) > 0 then 'parameters']: vsc.parameters, + [if std.length(vscParams) > 0 then 'parameters']: vscParams, } for name in std.objectFields(params.csi.volume_snapshot_classes) ]; +local namespace = kube.Namespace(params.namespace.name) { + metadata+: { + labels+: { + [k]: params.namespace.labels[k] + for k in std.objectFields(params.namespace.labels) + if params.namespace.labels[k] != null + }, + annotations+: { + [k]: params.namespace.annotations[k] + for k in std.objectFields(params.namespace.annotations) + if params.namespace.annotations[k] != null + }, + }, +}; + { - [if params.namespace != 'kube-system' then '00_namespace']: - kube.Namespace(params.namespace), + [if params.namespace.name != 'kube-system' then '00_namespace']: namespace, '01_secret': secret, [if std.length(params.csi.storage_classes) > 0 then '10_storageclasses']: storageClasses, diff --git a/component/render-helm-values.jsonnet b/component/render-helm-values.jsonnet new file mode 100644 index 0000000..c428532 --- /dev/null +++ b/component/render-helm-values.jsonnet 
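Review bot: The new `namespace` object carries only the labels from `params.namespace.labels`, which default to `{}`, while the Cinder node plugin DaemonSet rendered into this namespace sets `privileged: true`, `hostNetwork: true` and several hostPath mounts. On clusters that enforce Pod Security Admission at baseline or restricted level by default, those pods would presumably be rejected until the namespace is labelled accordingly. I would document this next to the object, e.g. `// Node plugin pods are privileged; set pod-security.kubernetes.io/enforce through namespace.labels where PSA is enforced`, and repeat it in the parameter reference. Separately, configured labels and annotations are dropped without notice when `namespace.name` is `kube-system`, because the object is not emitted in that case.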
@@ -0,0 +1,36 @@ +local com = import 'lib/commodore.libjsonnet'; +local kap = import 'lib/kapitan.libjsonnet'; + +local inv = kap.inventory(); +local params = inv.parameters.cloud_provider_openstack; + +local renderTolerations(tol) = + [ + std.prune({ key: k } + tol[k]) + for k in std.objectFields(tol) + if tol[k] != null + ]; + +local ccm_values = params.ccm.helm_values { + enabledControllers: com.renderArray(params.ccm.enabled_controllers), + tolerations: renderTolerations(params.ccm.tolerations), +}; + +local csi_values = params.csi.helm_values { + csi+: { + plugin+: { + controllerPlugin: { + nodeSelector: std.prune(params.csi.controller_plugin.node_selector), + tolerations: renderTolerations(params.csi.controller_plugin.tolerations), + }, + nodePlugin: { + tolerations: renderTolerations(params.csi.node_plugin.tolerations), + }, + }, + }, +}; + +{ + 'ccm-values': ccm_values, + 'csi-values': csi_values, +} diff --git a/docs/modules/ROOT/pages/index.adoc b/docs/modules/ROOT/pages/index.adoc index a305f33..cff1fea 100644 --- a/docs/modules/ROOT/pages/index.adoc +++ b/docs/modules/ROOT/pages/index.adoc @@ -1,8 +1,9 @@ -= cloud-provider-openstack += Cloud Provider OpenStack cloud-provider-openstack is a Commodore component to manage the https://github.com/kubernetes/cloud-provider-openstack[OpenStack Cloud Controller Manager] (CCM) and https://github.com/kubernetes/cloud-provider-openstack[Cinder CSI driver]. -Both sub-components are enabled by default and share a single `cloud.conf` Secret. +The CCM and CSI driver are deployed into the same namespace and share a single `cloud.conf` Secret. +Each sub-component is toggleable via the `ccm.enabled` and `csi.enabled` parameters. The CCM handles node initialization, node lifecycle, LoadBalancer Services (via Octavia), and optionally pod routes. The CSI driver provides persistent block storage using OpenStack Cinder volumes, with configurable StorageClasses and VolumeSnapshotClasses. 
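Review bot: In `csi_values` of the new `component/render-helm-values.jsonnet`, `controllerPlugin: {` and `nodePlugin: {` are written without `+:`. They therefore replace whatever `params.csi.helm_values` holds under `csi.plugin.controllerPlugin` and `csi.plugin.nodePlugin` instead of merging into it. Any other setting a hierarchy places under those keys (a security context or resource settings, if the chart accepts them there) would be dropped without an error. Writing `controllerPlugin+: {` and `nodePlugin+: {` keeps the rendered `nodeSelector` and `tolerations` authoritative while preserving sibling keys. Separately, `renderTolerations` deserves a short comment stating that the map key becomes the toleration `key` and that entries set to null are skipped.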
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index dd17663..266c5bf 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc 
@@ -4,15 +4,49 @@ The parent key for all of the following parameters is `cloud_provider_openstack` == `namespace` +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Configures the namespace in which to deploy this component. + +=== `namespace.name` + [horizontal] type:: string default:: `syn-cloud-provider-openstack` -The namespace in which to deploy this component. -Unless `kube-system` is chosen, the component will take ownership of the namespace. +The namespace name. + +=== `namespace.labels` + +[horizontal] +type:: dictionary +default:: `{}` + +Labels applied to the namespace when the component owns it (i.e. `namespace.name != kube-system`). +Entries with value `null` (or `~`) are dropped, letting hierarchy overrides remove defaults set in a parent class. + +IMPORTANT: Both the CCM DaemonSet (`hostNetwork: true`) and the CSI node plugin (`privileged: true`, `SYS_ADMIN`, hostPath volumes for kubelet/registration/socket dirs) require the `privileged` Pod Security Standard. +On clusters that enforce https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards], set `pod-security.kubernetes.io/enforce: privileged` here or label the namespace externally, otherwise the pods will be rejected by the admission webhook. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + namespace: + labels: + pod-security.kubernetes.io/enforce: privileged +---- + +=== `namespace.annotations` + +[horizontal] +type:: dictionary +default:: `{}` -NOTE: The CCM DaemonSet uses `hostNetwork: true`. -On clusters that enforce https://kubernetes.io/docs/concepts/security/pod-security-standards/[Pod Security Standards], the namespace must be labeled `pod-security.kubernetes.io/enforce: privileged`. +Annotations applied to the namespace when the component owns it (i.e. `namespace.name != kube-system`). 
+Entries with value `null` (or `~`) are dropped. == `charts` @@ -211,6 +245,14 @@ parameters: Parameters under the `ccm` key configure the OpenStack Cloud Controller Manager. +=== `ccm.enabled` + +[horizontal] +type:: boolean +default:: `true` + +When `false`, the CCM chart output is skipped entirely. + === `ccm.cluster_name` [horizontal] @@ -243,6 +285,17 @@ type:: list default:: `[cloud-node, cloud-node-lifecycle, service]` List of CCM sub-controllers to enable. +The list is processed with `com.renderArray()`, so entries prefixed with `~` are removed. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + ccm: + enabled_controllers: + - ~service # drop the service controller + - route # add the route controller +---- [cols="2,5,1"] |=== @@ -284,11 +337,23 @@ Node selector for the CCM DaemonSet. === `ccm.tolerations` [horizontal] -type:: list +type:: dictionary default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] -Tolerations for the CCM DaemonSet. +Tolerations for the CCM DaemonSet, keyed by toleration key. Defaults allow scheduling on control-plane nodes and on freshly-initialized nodes (`node.cloudprovider.kubernetes.io/uninitialized`). +Set an entry to `null` (or `~`) to drop it via hierarchy merge. + +[source,yaml] +---- +parameters: + cloud_provider_openstack: + ccm: + tolerations: + node-role.kubernetes.io/control-plane: + effect: NoSchedule + node.cloudprovider.kubernetes.io/uninitialized: ~ +---- === `ccm.service_monitor` @@ -358,6 +423,14 @@ Do not re-enable `secret.create`. Parameters under the `csi` key configure the Cinder CSI driver. +=== `csi.enabled` + +[horizontal] +type:: boolean +default:: `true` + +When `false`, the CSI chart output is skipped entirely. + === `csi.cluster_id` [horizontal] 
@@ -405,17 +478,23 @@ additionalLabels: {} Enables and configures a Prometheus Operator `PodMonitor` for the CSI driver. -=== `csi.node_driver_daemonset_tolerations` +=== `csi.controller_plugin` [horizontal] -type:: list -default:: `[{operator: Exists}]` +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] + +Scheduling config for the CSI controller plugin Deployment. +`node_selector` and `tolerations` are maps keyed by selector/toleration key; entries can be disabled by setting their value to `null`. + +=== `csi.node_plugin` -Tolerations for the CSI node plugin DaemonSet. -Defaults to tolerating everything so the node plugin runs on all nodes. +[horizontal] +type:: dictionary +default:: https://github.com/projectsyn/component-cloud-provider-openstack/blob/master/class/defaults.yml[See `class/defaults.yml`] -NOTE: The CSI controller plugin Deployment is scheduled on control-plane nodes by default via `csi.helm_values`. -Override `csi.helm_values.csi.plugin.controllerPlugin.nodeSelector` and `csi.helm_values.csi.plugin.controllerPlugin.tolerations` to change this. +Scheduling config for the CSI node plugin DaemonSet. +`tolerations` is a map keyed by toleration key; an empty key (`""`) with `operator: Exists` tolerates all taints. === `csi.resources` @@ -474,8 +553,8 @@ VolumeSnapshotClass definitions. Each entry supports: -* `deletion_policy` (`Delete` or `Retain`) -* `parameters` (dictionary) -- passed to the Cinder snapshotter +* `deletion_policy` (`Delete` or `Retain`) -- *required* +* `parameters` (dictionary, optional) -- passed to the Cinder snapshotter NOTE: VolumeSnapshotClasses require the https://github.com/kubernetes-csi/external-snapshotter[snapshot CRDs and snapshot-controller] to be installed on the cluster. 
diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml index 8ca70b2..1135314 100644 --- a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml @@ -65,11 +65,11 @@ spec: runAsUser: 1001 serviceAccountName: cloud-controller-manager tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane - effect: NoSchedule key: node.cloudprovider.kubernetes.io/uninitialized value: 'true' - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane volumes: - name: cloud-config-volume secret: diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml index 610404f..372fec4 100644 --- a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/10_volumesnapshotclasses.yaml @@ -7,3 +7,5 @@ metadata: labels: name: cinder-snapshot name: cinder-snapshot +parameters: + force-create: 'true' diff --git a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml index b8c8877..a6c6d55 100644 
--- a/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml +++ b/tests/golden/cloud-config/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml @@ -120,7 +120,8 @@ spec: securityContext: {} serviceAccount: csi-cinder-node-sa tolerations: - - operator: Exists + - key: '' + operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins/cinder.csi.openstack.org diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml index 964f516..36a7572 100644 --- a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/10_ccm_helm_chart/openstack-cloud-controller-manager/templates/daemonset.yaml @@ -60,11 +60,11 @@ spec: runAsUser: 1001 serviceAccountName: cloud-controller-manager tolerations: + - effect: NoSchedule + key: node-role.kubernetes.io/control-plane - effect: NoSchedule key: node.cloudprovider.kubernetes.io/uninitialized value: 'true' - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane volumes: - name: cloud-config-volume secret: diff --git a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml index b8c8877..a6c6d55 100644 
--- a/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml +++ b/tests/golden/defaults/cloud-provider-openstack/cloud-provider-openstack/20_csi_helm_chart/openstack-cinder-csi/templates/nodeplugin-daemonset.yaml @@ -120,7 +120,8 @@ spec: securityContext: {} serviceAccount: csi-cinder-node-sa tolerations: - - operator: Exists + - key: '' + operator: Exists volumes: - hostPath: path: /var/lib/kubelet/plugins/cinder.csi.openstack.org