Add alpha overlay for snapshots

Author: msau42

deploy/kubernetes/base/setup-cluster.yaml

@@ -45,9 +45,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: external-provisioner-role
 rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list"]
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["get", "list", "watch", "create", "delete"]
@@ -60,12 +57,6 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["list", "watch", "create", "update", "patch"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshots"]
-    verbs: ["get", "list"]
-  - apiGroups: ["snapshot.storage.k8s.io"]
-    resources: ["volumesnapshotcontents"]
-    verbs: ["get", "list"]
 
 ---
 
@@ -116,47 +107,3 @@ roleRef:
   kind: ClusterRole
   name: external-attacher-role
   apiGroup: rbac.authorization.k8s.io
-
----
-# xref: https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/rbac.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: external-snapshotter-role
-rules:
-- apiGroups: ["snapshot.storage.k8s.io"]
-  resources: ["volumesnapshotclasses"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: ["snapshot.storage.k8s.io"]
-  resources: ["volumesnapshotcontents"]
-  verbs: ["create", "get", "list", "watch", "update", "delete"]
-- apiGroups: ["snapshot.storage.k8s.io"]
-  resources: ["volumesnapshots"]
-  verbs: ["get", "list", "watch", "update"]
-- apiGroups: ["apiextensions.k8s.io"]
-  resources: ["customresourcedefinitions"]
-  verbs: ["create", "list", "watch", "delete"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["list", "watch", "create", "update", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["watch", "get", "list"]
-- apiGroups: ["admissionregistration.k8s.io"]
-  resources: ["mutatingwebhookconfigurations"]
-  verbs: ["create"]
-
----
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: csi-controller-snapshotter-binding
-subjects:
-  - kind: ServiceAccount
-    name: csi-controller-sa
-    namespace: default
-roleRef:
-  kind: ClusterRole
-  name: external-snapshotter-role
-  apiGroup: rbac.authorization.k8s.io

deploy/kubernetes/overlays/alpha/WARNING.md

@@ -0,0 +1,3 @@
+WARNING: DO NOT USE THE ALPHA VERSION OF THE DRIVER FOR PRODUCTION
+
+Alpha features are unsupported and may be unstable and have breaking changes across releases.

deploy/kubernetes/overlays/alpha/controller_add_snapshotter.yaml

@@ -0,0 +1,17 @@
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: csi-gce-pd-controller
+spec:
+  template:
+    spec:
+      containers:
+        - name: csi-snapshotter
+          imagePullPolicy: Always
+          image: quay.io/k8scsi/csi-snapshotter:v1.0.1
+          args:
+            - "--v=5"
+            - "--csi-address=/csi/csi.sock"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi

deploy/kubernetes/overlays/alpha/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../stable
+patches:
+- controller_add_snapshotter.yaml
+patchesJson6902:
+- target:
+    group: rbac.authorization.k8s.io
+    version: v1
+    kind: ClusterRole
+    name: external-provisioner-role
+  path: rbac_add_snapshots_to_provisioner.yaml
+resources:
+- rbac_add_snapshotter.yaml

deploy/kubernetes/overlays/alpha/rbac_add_snapshots_to_provisioner.yaml

@@ -0,0 +1,16 @@
+# arrays without strategic patch merge defined need to be appended
+# using jsonpatch
+# https://github.com/kubernetes-sigs/kustomize/blob/master/examples/jsonpatch.md
+- op: add
+  path: /rules/-
+  value:
+    apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list"]
+
+- op: add
+  path: /rules/-
+  value:
+    apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["get", "list"]

deploy/kubernetes/overlays/alpha/rbac_add_snapshotter.yaml

@@ -0,0 +1,42 @@
+# xref: https://github.com/kubernetes-csi/external-snapshotter/blob/master/deploy/kubernetes/rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: external-snapshotter-role
+rules:
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotclasses"]
+  verbs: ["get", "list", "watch"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshotcontents"]
+  verbs: ["create", "get", "list", "watch", "update", "delete"]
+- apiGroups: ["snapshot.storage.k8s.io"]
+  resources: ["volumesnapshots"]
+  verbs: ["get", "list", "watch", "update"]
+- apiGroups: ["apiextensions.k8s.io"]
+  resources: ["customresourcedefinitions"]
+  verbs: ["create", "list", "watch", "delete"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["list", "watch", "create", "update", "patch"]
+- apiGroups: ["storage.k8s.io"]
+  resources: ["storageclasses"]
+  verbs: ["watch", "get", "list"]
+- apiGroups: ["admissionregistration.k8s.io"]
+  resources: ["mutatingwebhookconfigurations"]
+  verbs: ["create"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-controller-snapshotter-binding
+subjects:
+  - kind: ServiceAccount
+    name: csi-controller-sa
+    namespace: default
+roleRef:
+  kind: ClusterRole
+  name: external-snapshotter-role
+  apiGroup: rbac.authorization.k8s.io

deploy/kubernetes/overlays/dev/kustomization.yaml

@@ -7,10 +7,10 @@ patches:
 - controller_always_pull.yaml
 - node_always_pull.yaml
 images:
-- name: REPLACEME/gcp-compute-persistent-disk-csi-driver
-  # Replace this with your private image names and tags
-  newName: gcr.io/gke-release/gcp-compute-persistent-disk-csi-driver
-  newTag: "v0.4.0-gke.0"
+# Replace this with your private image names and tags
+#- name: REPLACEME/gcp-compute-persistent-disk-csi-driver
+#  newName: gcr.io/my-project/gcp-compute-persistent-disk-csi-driver
+#  newTag: "latest"
 - name: REPLACEME/csi-provisioner
   newName: gcr.io/gke-release/csi-provisioner
   newTag: "v1.0.1-gke.0"