Merge pull request #471 from andyzhangx/bring-sa

andyzhangx · web-flow · commit 7608118dcce9 · 2021-07-09T23:41:16.000+08:00
feat: bring you own service accounts in helm install
diff --git a/charts/README.md b/charts/README.md
@@ -68,9 +68,13 @@ The following table lists the configurable parameters of the latest Azure Blob S
 | `image.csiResizer.pullPolicy`                         | csi-resizer image pull policy                         | IfNotPresent                                                   |
 | `imagePullSecrets`                                    | Specify docker-registry secret names as an array      | [] (does not add image pull secrets to deployed pods)          |
 | `serviceAccount.create`                               | whether create service account of csi-blob-controller | true                                                           |
+| `serviceAccount.controller`                           | name of service account for csi-blob-controller       | csi-blob-controller-sa                                  |
+| `serviceAccount.node`                                 | name of service account for csi-blob-node             | csi-blob-node-sa                                        |
 | `rbac.create`                                         | whether create rbac of csi-blob-controller            | true                                                           |
+| `controller.name`                                     | name of driver deployment                  | `csi-blob-controller`
 | `controller.replicas`                                 | the replicas of csi-blob-controller                   | 2                                                              |
-| `controller.metricsPort`                              | metrics port of csi-blob-controller                   | 29634                                                          |
+| `controller.metricsPort`                              | metrics port of csi-blob-controller                   | `29634`                                                          |
+| `controller.livenessProbe.healthPort `                | health check port for liveness probe                   | `29632` |
 | `controller.runOnMaster`                              | run controller on master node                         | false                                                          |
 | `controller.logLevel`                                 | controller driver log level                           | `5`                                                            |
 | `controller.resources.csiProvisioner.limits.cpu`      | csi-provisioner cpu limits                            | 100m                                                           |
@@ -92,7 +96,9 @@ The following table lists the configurable parameters of the latest Azure Blob S
 | `controller.affinity`                                 | controller pod affinity                               | {}                                                             |
 | `controller.nodeSelector`                             | controller pod node selector                          | {}                                                             |
 | `controller.tolerations`                              | controller pod tolerations                            | []                                                             |
-| `node.metricsPort`                                    | metrics port of csi-blob-node                         | 29635                                                          |
+| `node.name`                                           | name of driver daemonset                  | `csi-blob-node`
+| `node.metricsPort`                                    | metrics port of csi-blob-node                         | `29635`                                                          |
+| `node.livenessProbe.healthPort `                      | health check port for liveness probe                   | `29633` |
 | `node.logLevel`                                       | node driver log level                                 | `5`                                                            |
 | `node.enableBlobfuseProxy`                            | node enable blobfuse-proxy                            | false                                                          |
 | `node.blobfuseCachePath`                              | blobfuse cache path(`tmp-path`)                       | `/mnt`                                                          |
diff --git a/charts/latest/blob-csi-driver-v1.4.0.tgz b/charts/latest/blob-csi-driver-v1.4.0.tgz
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -1,18 +1,18 @@
 kind: Deployment
 apiVersion: apps/v1
 metadata:
-  name: csi-blob-controller
+  name: {{ .Values.controller.name }}
   namespace: {{ .Release.Namespace }}
 {{ include "blob.labels" . | indent 2 }}
 spec:
   replicas: {{ .Values.controller.replicas }}
   selector:
     matchLabels:
-      app: csi-blob-controller
+      app: {{ .Values.controller.name }}
   template:
     metadata:
 {{ include "blob.labels" . | indent 6 }}
-        app: csi-blob-controller
+        app: {{ .Values.controller.name }}
         {{- if .Values.podLabels }}
 {{- toYaml .Values.podLabels | nindent 8 }}
         {{- end }}
@@ -30,7 +30,7 @@ spec:
 {{ toYaml .Values.imagePullSecrets | indent 8 }}
       {{- end }}
       hostNetwork: true
-      serviceAccountName: csi-blob-controller-sa
+      serviceAccountName: {{ .Values.serviceAccount.controller }}
       nodeSelector:
         kubernetes.io/os: linux
         {{- if .Values.controller.runOnMaster}}
@@ -66,7 +66,7 @@ spec:
           args:
             - --csi-address=/csi/csi.sock
             - --probe-timeout=3s
-            - --health-port=29632
+            - --health-port={{ .Values.controller.livenessProbe.healthPort }}
           imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
           volumeMounts:
             - name: socket-dir
@@ -80,7 +80,7 @@ spec:
             - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}"
             - "--drivername={{ .Values.driver.name }}"
           ports:
-            - containerPort: 29632
+            - containerPort: {{ .Values.controller.livenessProbe.healthPort }}
               name: healthz
               protocol: TCP
             - containerPort: {{ .Values.controller.metricsPort }}
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
@@ -1,17 +1,17 @@
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
-  name: csi-blob-node
+  name: {{ .Values.node.name }}
   namespace: {{ .Release.Namespace }}
 {{ include "blob.labels" . | indent 2 }}
 spec:
   selector:
     matchLabels:
-      app: csi-blob-node
+      app: {{ .Values.node.name }}
   template:
     metadata:
 {{ include "blob.labels" . | indent 6 }}
-        app: csi-blob-node
+        app: {{ .Values.node.name }}
         {{- if .Values.podLabels }}
 {{- toYaml .Values.podLabels | nindent 8 }}
         {{- end }}
@@ -26,7 +26,7 @@ spec:
       {{- end }}
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: csi-blob-node-sa
+      serviceAccountName: {{ .Values.serviceAccount.node }}
       nodeSelector:
         kubernetes.io/os: linux
 {{- with .Values.node.nodeSelector }}
@@ -94,7 +94,7 @@ spec:
             - "--metrics-address=0.0.0.0:{{ .Values.node.metricsPort }}"
             - "--drivername={{ .Values.driver.name }}"
           ports:
-            - containerPort: 29633
+            - containerPort: {{ .Values.node.livenessProbe.healthPort }}
               name: healthz
               protocol: TCP
           livenessProbe:
diff --git a/charts/latest/blob-csi-driver/templates/rbac-csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/rbac-csi-blob-controller.yaml
@@ -2,7 +2,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: blob-external-provisioner-role
+  name: {{ .Values.rbac.name }}-external-provisioner-role
 {{ include "blob.labels" . | indent 2 }}
 rules:
   - apiGroups: [""]
@@ -32,23 +32,23 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: blob-csi-provisioner-binding
+  name: {{ .Values.rbac.name }}-csi-provisioner-binding
 {{ include "blob.labels" . | indent 2 }}
 subjects:
   - kind: ServiceAccount
-    name: csi-blob-controller-sa
+    name: {{ .Values.serviceAccount.controller }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: blob-external-provisioner-role
+  name: {{ .Values.rbac.name }}-external-provisioner-role
   apiGroup: rbac.authorization.k8s.io
 
 ---
 
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: blob-external-resizer-role
+  name: {{ .Values.rbac.name }}-external-resizer-role
 {{ include "blob.labels" . | indent 2 }}
 rules:
   - apiGroups: [""]
@@ -70,22 +70,22 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: blob-csi-resizer-role
+  name: {{ .Values.rbac.name }}-csi-resizer-role
 {{ include "blob.labels" . | indent 2 }}
 subjects:
   - kind: ServiceAccount
-    name: csi-blob-controller-sa
+    name: {{ .Values.serviceAccount.controller }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: blob-external-resizer-role
+  name: {{ .Values.rbac.name }}-external-resizer-role
   apiGroup: rbac.authorization.k8s.io
 
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-blob-controller-secret-role
+  name: csi-{{ .Values.rbac.name }}-controller-secret-role
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
@@ -95,13 +95,13 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-blob-controller-secret-binding
+  name: csi-{{ .Values.rbac.name }}-controller-secret-binding
 subjects:
   - kind: ServiceAccount
-    name: csi-blob-controller-sa
+    name: {{ .Values.serviceAccount.controller }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-blob-controller-secret-role
+  name: csi-{{ .Values.rbac.name }}-controller-secret-role
   apiGroup: rbac.authorization.k8s.io
 {{ end }}
diff --git a/charts/latest/blob-csi-driver/templates/rbac-csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/rbac-csi-blob-node.yaml
@@ -3,7 +3,7 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-blob-node-secret-role
+  name: csi-{{ .Values.rbac.name }}-node-secret-role
 rules:
   - apiGroups: [""]
     resources: ["secrets"]
@@ -13,13 +13,13 @@ rules:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: csi-blob-node-secret-binding
+  name: csi-{{ .Values.rbac.name }}-node-secret-binding
 subjects:
   - kind: ServiceAccount
-    name: csi-blob-node-sa
+    name: {{ .Values.serviceAccount.node }}
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
-  name: csi-blob-node-secret-role
+  name: csi-{{ .Values.rbac.name }}-node-secret-role
   apiGroup: rbac.authorization.k8s.io
 {{ end }}
diff --git a/charts/latest/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-blob-controller-sa
+  name: {{ .Values.serviceAccount.controller }}
   namespace: {{ .Release.Namespace }}
 {{ include "blob.labels" . | indent 2 }}
 {{- end -}}
diff --git a/charts/latest/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: csi-blob-node-sa
+  name: {{ .Values.serviceAccount.node }}
   namespace: {{ .Release.Namespace }}
 {{ include "blob.labels" . | indent 2 }}
 {{- end -}}
diff --git a/charts/latest/blob-csi-driver/values.yaml b/charts/latest/blob-csi-driver/values.yaml
@@ -26,13 +26,19 @@ imagePullSecrets: []
 # - name: myRegistryKeySecretName
 
 serviceAccount:
-  create: true
+  create: true # When true, service accounts will be created for you. Set to false if you want to use your own.
+  controller: csi-blob-controller-sa # Name of Service Account to be created or used
+  node: csi-blob-node-sa # Name of Service Account to be created or used
 
 rbac:
   create: true
+  name: blob
 
 controller:
+  name: csi-blob-controller
   metricsPort: 29634
+  livenessProbe:
+    healthPort: 29632
   replicas: 2
   runOnMaster: false
   logLevel: 5
@@ -69,16 +75,17 @@ controller:
   nodeSelector: {}
   tolerations:
     - key: "node-role.kubernetes.io/master"
-      operator: "Equal"
-      value: "true"
+      operator: "Exists"
       effect: "NoSchedule"
     - key: "node-role.kubernetes.io/controlplane"
-      operator: "Equal"
-      value: "true"
+      operator: "Exists"
       effect: "NoSchedule"
 
 node:
+  name: csi-blob-node
   metricsPort: 29635
+  livenessProbe:
+    healthPort: 29633
   logLevel: 5
   enableBlobfuseProxy: false
   blobfuseCachePath: /mnt
diff --git a/deploy/csi-blob-controller.yaml b/deploy/csi-blob-controller.yaml
@@ -21,12 +21,10 @@ spec:
       priorityClassName: system-cluster-critical
       tolerations:
         - key: "node-role.kubernetes.io/master"
-          operator: "Equal"
-          value: "true"
+          operator: "Exists"
           effect: "NoSchedule"
         - key: "node-role.kubernetes.io/controlplane"
-          operator: "Equal"
-          value: "true"
+          operator: "Exists"
           effect: "NoSchedule"
       containers:
         - name: csi-provisioner
diff --git a/hack/verify-examples.sh b/hack/verify-examples.sh
@@ -15,24 +15,33 @@
 
 set -euo pipefail
 
+rollout_and_wait() {
+    echo "Applying config \"$1\""
+    trap "echo \"Failed to apply config \\\"$1\\\"\" >&2" err
+
+    APPNAME=$(kubectl apply -f $1 | grep -E "^(:?daemonset|deployment|statefulset|pod)" | awk '{printf $1}')
+    if [[ -n $(expr "${APPNAME}" : "\(daemonset\|deployment\|statefulset\)" || true) ]]; then
+        kubectl rollout status $APPNAME --watch --timeout=5m
+    else
+        kubectl wait "${APPNAME}" --for condition=ready --timeout=5m
+    fi
+}
+
 echo "begin to create deployment examples ..."
 kubectl apply -f deploy/example/storageclass-blobfuse.yaml
 kubectl apply -f deploy/example/storageclass-blob-nfs.yaml
-kubectl apply -f deploy/example/deployment.yaml
-kubectl apply -f deploy/example/statefulset.yaml
-kubectl apply -f deploy/example/statefulset-nonroot.yaml
-kubectl apply -f deploy/example/deployment-nfs.yaml
-kubectl apply -f deploy/example/statefulset-nfs.yaml
-kubectl apply -f deploy/example/statefulset-nonroot-nfs.yaml
 
-echo "sleep 90s ..."
-sleep 90
+EXAMPLES=(\
+    deploy/example/deployment.yaml \
+    deploy/example/statefulset.yaml \
+    deploy/example/statefulset-nonroot.yaml \
+    deploy/example/deployment-nfs.yaml \
+    deploy/example/statefulset-nfs.yaml \
+    deploy/example/statefulset-nonroot-nfs.yaml \
+)
 
-kubectl get pods --field-selector status.phase=Running | grep deployment-blob
-kubectl get pods --field-selector status.phase=Running | grep statefulset-blob-0
-kubectl get pods --field-selector status.phase=Running | grep statefulset-blob-nonroot-0
-kubectl get pods --field-selector status.phase=Running | grep deployment-blob-nfs
-kubectl get pods --field-selector status.phase=Running | grep statefulset-blob-nfs-0
-kubectl get pods --field-selector status.phase=Running | grep statefulset-blob-nonroot-nfs-0
+for EXAMPLE in "${EXAMPLES[@]}"; do
+    rollout_and_wait $EXAMPLE
+done
 
 echo "deployment examples running completed."
diff --git a/test/external-e2e/run.sh b/test/external-e2e/run.sh
@@ -17,6 +17,7 @@
 set -xe
 
 PROJECT_ROOT=$(git rev-parse --show-toplevel)
+DRIVER="test"
 
 install_ginkgo () {
     apt update -y
@@ -28,20 +29,24 @@ setup_e2e_binaries() {
     curl -sL https://storage.googleapis.com/kubernetes-release/release/v1.21.0/kubernetes-test-linux-amd64.tar.gz --output e2e-tests.tar.gz
     tar -xvf e2e-tests.tar.gz && rm e2e-tests.tar.gz
 
+    export EXTRA_HELM_OPTIONS="--set driver.name=$DRIVER.csi.azure.com --set controller.name=csi-$DRIVER-controller --set node.name=csi-$DRIVER-node"
     if [ ! -z ${EXTERNAL_E2E_TEST_NFS} ]; then
         # enable fsGroupPolicy (only available from k8s 1.20)
-        export EXTRA_HELM_OPTIONS="--set feature.enableFSGroupPolicy=true"
+        export EXTRA_HELM_OPTIONS=$EXTRA_HELM_OPTIONS" --set feature.enableFSGroupPolicy=true"
     fi
 
-    # install csi driver
+     # test on alternative driver name
+    sed -i "s/blob.csi.azure.com/$DRIVER.csi.azure.com/g" deploy/example/storageclass-blobfuse.yaml
+    sed -i "s/blob.csi.azure.com/$DRIVER.csi.azure.com/g" deploy/example/storageclass-blob-nfs.yaml
     make e2e-bootstrap
+    sed -i "s/csi-blob-controller/csi-$DRIVER-controller/g" deploy/example/metrics/csi-blob-controller-svc.yaml
     make create-metrics-svc
 }
 
 print_logs() {
     bash ./hack/verify-examples.sh
     echo "print out driver logs ..."
-    bash ./test/utils/blob_log.sh
+    bash ./test/utils/blob_log.sh $DRIVER
 }
 
 install_ginkgo
@@ -53,7 +58,7 @@ mkdir -p /tmp/csi
 if [ ! -z ${EXTERNAL_E2E_TEST_BLOBFUSE} ]; then
     echo "begin to run blobfuse tests ...."
     cp deploy/example/storageclass-blobfuse.yaml /tmp/csi/storageclass.yaml
-    ginkgo -p --progress --v -focus='External.Storage.*blob.csi.azure.com' \
+    ginkgo -p --progress --v -focus="External.Storage.*$DRIVER.csi.azure.com" \
         -skip='\[Disruptive\]|\[Slow\]|allow exec of files on the volume|unmount after the subpath directory is deleted' kubernetes/test/bin/e2e.test  -- \
         -storage.testdriver=$PROJECT_ROOT/test/external-e2e/testdriver-blobfuse.yaml \
         --kubeconfig=$KUBECONFIG
@@ -62,7 +67,7 @@ fi
 if [ ! -z ${EXTERNAL_E2E_TEST_NFS} ]; then
     echo "begin to run NFSv3 tests ...."
     cp deploy/example/storageclass-blob-nfs.yaml /tmp/csi/storageclass.yaml
-    ginkgo -p --progress --v -focus='External.Storage.*blob.csi.azure.com' \
+    ginkgo -p --progress --v -focus="External.Storage.*$DRIVER.csi.azure.com" \
         -skip='\[Disruptive\]|\[Slow\]|pod created with an initial fsgroup, volume contents ownership changed in first pod, new pod with same fsgroup skips ownership changes to the volume contents' kubernetes/test/bin/e2e.test  -- \
         -storage.testdriver=$PROJECT_ROOT/test/external-e2e/testdriver-nfs.yaml \
         --kubeconfig=$KUBECONFIG
diff --git a/test/external-e2e/testdriver-blobfuse.yaml b/test/external-e2e/testdriver-blobfuse.yaml
diff --git a/test/external-e2e/testdriver-nfs.yaml b/test/external-e2e/testdriver-nfs.yaml
diff --git a/test/utils/blob_log.sh b/test/utils/blob_log.sh
