Update openstack-cinder-csi helm chart for multi cloud support (#2681)

* allow helm chart to accept different extraArgs for nodePlugin and controllerPlugin + documentation

* add extraRbac for resizer and snapshotter

* code review

---------

Co-authored-by: pýrus <[email protected]>

Author: guillaumebernard84

charts/cinder-csi-plugin/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: v1.32.0
 description: Cinder CSI Chart for OpenStack
 name: openstack-cinder-csi
-version: 2.33.0-alpha.0
+version: 2.33.0-alpha.1
 home: https://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml

@@ -183,6 +183,11 @@ spec:
             {{- tpl . $ | trim | nindent 12 }}
             {{- end }}
             {{- end }}
+            {{- if .Values.csi.plugin.controllerPlugin.extraArgs }}
+            {{- with .Values.csi.plugin.controllerPlugin.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
           env:
             - name: CSI_ENDPOINT
               value: unix://csi/csi.sock

charts/cinder-csi-plugin/templates/controllerplugin-rbac.yaml

@@ -97,13 +97,6 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["list", "watch", "create", "update", "patch"]
-  # Secret permission is optional.
-  # Enable it if your driver needs secret.
-  # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
-  # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
-  #  - apiGroups: [""]
-  #    resources: ["secrets"]
-  #    verbs: ["get", "list"]
   - apiGroups: ["snapshot.storage.k8s.io"]
     resources: ["volumesnapshotclasses"]
     verbs: ["get", "list", "watch"]
@@ -116,6 +109,9 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch", "list", "delete", "update", "create"]
+  {{- with .Values.csi.snapshotter.extraRbac }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -135,11 +131,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: csi-resizer-role
 rules:
-  # The following rule should be uncommented for plugins that require secrets
-  # for provisioning.
-  # - apiGroups: [""]
-  #   resources: ["secrets"]
-  #   verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["persistentvolumes"]
     verbs: ["get", "list", "watch", "patch"]
@@ -158,6 +149,9 @@ rules:
   - apiGroups: ["coordination.k8s.io"]
     resources: ["leases"]
     verbs: ["get", "watch", "list", "delete", "update", "create"]
+  {{- with .Values.csi.resizer.extraRbac }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml

@@ -96,6 +96,11 @@ spec:
             {{- tpl . $ | trim | nindent 12 }}
             {{- end }}
             {{- end }}
+            {{- if .Values.csi.plugin.nodePlugin.extraArgs }}
+            {{- with .Values.csi.plugin.nodePlugin.extraArgs }}
+            {{- tpl . $ | trim | nindent 12 }}
+            {{- end }}
+            {{- end }}
           env:
             - name: CSI_ENDPOINT
               value: unix://csi/csi.sock

charts/cinder-csi-plugin/values.yaml

@@ -30,6 +30,14 @@ csi:
     resources: {}
     extraArgs: {}
     extraEnv: []
+    # Secret permission is optional.
+    # Enable it if your driver needs secret.
+    # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
+    # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
+    extraRbac: {}
+    #  - apiGroups: [""]
+    #    resources: ["secrets"]
+    #    verbs: ["get", "list"]
   resizer:
     image:
       repository: registry.k8s.io/sig-storage/csi-resizer
@@ -38,6 +46,12 @@ csi:
     resources: {}
     extraArgs: {}
     extraEnv: []
+    # The following rule should be uncommented for plugins that require secrets
+    # for provisioning.
+    extraRbac: {}
+    # - apiGroups: [""]
+    #   resources: ["secrets"]
+    #   verbs: ["get", "list", "watch"]
   livenessprobe:
     image:
       repository: registry.k8s.io/sig-storage/livenessprobe
@@ -92,6 +106,7 @@ csi:
       tolerations:
         - operator: Exists
       kubeletDir: /var/lib/kubelet
+      extraArgs: {}
       # Allow for specifying internal IP addresses for multiple hostnames
       # hostAliases:
       #   - ip: "10.0.0.1"
@@ -130,6 +145,7 @@ csi:
       affinity: {}
       nodeSelector: {}
       tolerations: []
+      extraArgs: {}
       # Allow for specifying internal IP addresses for multiple hostnames
       # hostAliases:
       #   - ip: "10.0.0.1"

docs/cinder-csi-plugin/multi-region-clouds.md

@@ -318,3 +318,39 @@ spec:
       ...
 ```
 
+### When Using the cinder-csi-plugin Helm Chart
+
+When running the `cinder-csi-plugin` in a multi-region setup, you need to specify different `extraArgs` for the `cinder-csi-plugin` containers in both the Deployment and the DaemonSet.
+
+When using the Helm chart, set the different `extraArgs` using `plugin.nodePlugin.extraArgs` and `plugin.controllerPlugin.extraArgs`.
+
+If you set the `extraArgs` in `plugin.extraArgs`, the same arguments will be applied to both the Deployment and the DaemonSet `cinder-csi-plugin` containers.
+
+You will still need to manually create additional DaemonSets for your extra regions.
+
+```yaml
+nodePlugin:
+  extraArgs: |-
+    - --cloud-name=region-one
+    - --additional-topology
+    - topology.kubernetes.io/region=region-one
+controllerPlugin:
+  extraArgs: |-
+    - --cloud-name=region-one
+    - --cloud-name=region-two
+```
+
+In addition, if you use the `resizer` and the `snapshotter`, you will need them to be able to read the secrets you defined in the storage class' annotations in order to determine which cloud to address. You will need to add some `extraRbac` in YAML format, like this:
+
+```yaml
+snapshotter:
+  extraRbac:
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["get", "list"]
+resizer:
+  extraRbac:
+    - apiGroups: [""]
+      resources: ["secrets"]
+      verbs: ["get", "list", "watch"]
+```