|
3 | 3 |
|
4 | 4 | This is an example external provisioner for Kubernetes which provisions using CSI Volume drivers.. It's under heavy development, so at this time README.md is notes for the developers coding. Once complete this will change to something user friendly. |
5 | 5 |
|
| 6 | +# User Guide |
| 7 | + |
| 8 | +## Parameters |
| 9 | + |
| 10 | +The CSI dynamic provisioner makes `CreateVolumeRequest` and `DeleteVolumeRequest` calls to CSI drivers. |
| 11 | +The `controllerCreateSecrets` and `controllerDeleteSecrets` fields in those requests can be populated |
| 12 | +with data from a Kubernetes `Secret` object by setting `csiProvisionerSecretName` and `csiProvisionerSecretNamespace` |
| 13 | +parameters in the `StorageClass`. For example: |
| 14 | + |
| 15 | +```yaml |
| 16 | +kind: StorageClass |
| 17 | +apiVersion: storage.k8s.io/v1 |
| 18 | +metadata: |
| 19 | + name: fast-storage |
| 20 | +provisioner: com.example.team/csi-driver |
| 21 | +parameters: |
| 22 | + type: pd-ssd |
| 23 | + csiProvisionerSecretName: fast-storage-provision-key |
| 24 | + csiProvisionerSecretNamespace: pd-ssd-credentials |
| 25 | +``` |
| 26 | +
|
| 27 | +The `csiProvisionerSecretName` and `csiProvisionerSecretNamespace` parameters |
| 28 | +may specify literal values, or a template containing the following variables: |
| 29 | +* `${pv.name}` - replaced with the name of the PersistentVolume object being provisioned |
| 30 | + |
| 31 | +Once the CSI volume is created, a corresponding Kubernetes `PersistentVolume` object is created. |
| 32 | +The `controllerPublishSecretRef`, `nodeStageSecretRef`, and `nodePublishSecretRef` fields in the |
| 33 | +`PersistentVolume` object can be populated via the following storage class parameters: |
| 34 | + |
| 35 | +* `controllerPublishSecretRef` in the PersistentVolume is populated by setting these StorageClass parameters: |
| 36 | + * `csiControllerPublishSecretName` |
| 37 | + * `csiControllerPublishSecretNamespace` |
| 38 | +* `nodeStageSecretRef` in the PersistentVolume is populated by setting these StorageClass parameters: |
| 39 | + * `csiNodeStageSecretName` |
| 40 | + * `csiNodeStageSecretNamespace` |
| 41 | +* `nodePublishSecretRef` in the PersistentVolume is populated by setting these StorageClass parameters: |
| 42 | + * `csiNodePublishSecretName` |
| 43 | + * `csiNodePublishSecretNamespace` |
| 44 | + |
| 45 | +The `csiControllerPublishSecretName`, `csiNodeStageSecretName`, and `csiNodePublishSecretName` parameters |
| 46 | +may specify a literal secret name, or a template containing the following variables: |
| 47 | +* `${pv.name}` - replaced with the name of the PersistentVolume |
| 48 | +* `${pvc.name}` - replaced with the name of the PersistentVolumeClaim |
| 49 | +* `${pvc.namespace}` - replaced with the namespace of the PersistentVolumeClaim |
| 50 | +* `${pvc.annotations['<ANNOTATION_KEY>']}` (e.g. `${pvc.annotations['example.com/key']}`) - replaced with the value of the specified annotation in the PersistentVolumeClaim |
| 51 | + |
| 52 | +The `csiControllerPublishSecretNamespace`, `csiNodeStageSecretNamespace`, and `csiNodePublishSecretNamespace` parameters |
| 53 | +may specify a literal namespace name, or a template containing the following variables: |
| 54 | +* `${pv.name}` - replaced with the name of the PersistentVolume |
| 55 | +* `${pvc.namespace}` - replaced with the namespace of the PersistentVolumeClaim |
| 56 | + |
| 57 | +As an example, consider this StorageClass: |
| 58 | + |
| 59 | +```yaml |
| 60 | +kind: StorageClass |
| 61 | +apiVersion: storage.k8s.io/v1 |
| 62 | +metadata: |
| 63 | + name: fast-storage |
| 64 | +provisioner: com.example.team/csi-driver |
| 65 | +parameters: |
| 66 | + type: pd-ssd |
| 67 | +
|
| 68 | + csiProvisionerSecretName: fast-storage-provision-key |
| 69 | + csiProvisionerSecretNamespace: pd-ssd-credentials |
| 70 | +
|
| 71 | + csiControllerPublishSecretName: ${pv.name}-publish |
| 72 | + csiControllerPublishSecretNamespace: pd-ssd-credentials |
| 73 | +
|
| 74 | + csiNodeStageSecretName: ${pv.name}-stage |
| 75 | + csiNodeStageSecretNamespace: pd-ssd-credentials |
| 76 | +
|
| 77 | + csiNodePublishSecretName: ${pvc.annotations['com.example.team/key']} |
| 78 | + csiNodePublishSecretNamespace: ${pvc.namespace} |
| 79 | +``` |
| 80 | + |
| 81 | +This StorageClass instructs the CSI provisioner to do the following: |
| 82 | +* send the data in the `fast-storage-provision-key` secret in the `pd-ssd-credentials` namespace as part of the create request to the CSI driver |
| 83 | +* create a PersistentVolume with: |
| 84 | + * a per-volume controller publish and node stage secret, both in the `pd-ssd-credentials` (those secrets would need to be created separately in response to the PersistentVolume creation before the PersistentVolume could be attached/mounted) |
| 85 | + * a node publish secret in the same namespace as the PersistentVolumeClaim that triggered the provisioning, with a name specified as an annotation on the PersistentVolumeClaim. This could be used to give the creator of the PersistentVolumeClaim the ability to specify a secret containing a decryption key they have control over. |
6 | 86 |
|
7 | 87 | # Build |
8 | 88 |
|
|
0 commit comments