diff --git a/docs/deployment.md b/docs/deployment.md
index 21c4a446..83547766 100644
--- a/docs/deployment.md
+++ b/docs/deployment.md
@@ -74,6 +74,73 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen - Modify variables using the `--set var=value` flag or by providing a custom `values.yaml` with `-f custom-values.yaml`. - For a comprehensive list of configurable variables, refer to [`helm-chart/csi-driver/values.yaml`](https://github.com/linode/linode-blockstorage-csi-driver/blob/main/helm-chart/csi-driver/values.yaml). +###### Controller kubeconfig (optional) + +If your environment requires the controller to use a kubeconfig file explicitly, enable the controller kubeconfig by providing the following values. The Secret will be mounted as a directory and the sidecars will read the file `/`. + +```yaml +controller: + kubeconfig: + mountDir: /etc/kubeconfig + secretName: csi-kubeconfig + secretKey: external-kubeconfig +``` + +Helm example: + +```sh +helm install linode-csi-driver \ + --set apiToken="$LINODE_API_TOKEN" \ + --set region="$REGION" \ + --set controller.kubeconfig.mountDir=/etc/kubeconfig \ + --set controller.kubeconfig.secretName=csi-kubeconfig \ + --set controller.kubeconfig.secretKey=external-kubeconfig \ + linode-csi/linode-blockstorage-csi-driver +``` + +The Secret should contain a key named `external-kubeconfig` (or your chosen `secretKey`). For example: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: csi-kubeconfig + namespace: kube-system +stringData: + external-kubeconfig: | + # contents of your kubeconfig file +``` + +###### Controller ServiceAccount and RBAC toggles + +By default, the chart creates the controller ServiceAccount and its RBAC ClusterRoleBindings. You can disable these if you want to manage them externally. The controller ServiceAccount name defaults to `csi-controller-sa`. 
+ +```yaml +controller: + serviceAccount: + enabled: true # set to false to skip creating the SA (still referenced by the StatefulSet) + name: "" # optionally override the ServiceAccount name (defaults to "csi-controller-sa") + rbac: + enabled: true # set to false to skip creating controller ClusterRoleBindings +``` + +When `controller.serviceAccount.enabled=false`, ensure a ServiceAccount named `csi-controller-sa` exists in the target namespace. + +###### DaemonSet ServiceAccount and RBAC toggles + +By default, the chart also creates the node DaemonSet ServiceAccount and its RBAC ClusterRoleBinding. You can disable these if you manage them externally. The node ServiceAccount name defaults to `csi-node-sa`. + +```yaml +daemonSet: + serviceAccount: + enabled: true # set to false to skip creating the node SA (DaemonSet will omit serviceAccount when false) + name: "" # optionally override the ServiceAccount name (defaults to "csi-node-sa") + rbac: + enabled: true # set to false to skip creating the node ClusterRoleBinding +``` + +When `daemonSet.serviceAccount.enabled=false`, ensure a ServiceAccount named `csi-node-sa` exists in the target namespace if you intend to set it explicitly on the DaemonSet yourself. + ##### 👉 Recommendation Use a custom `values.yaml` file to override variables to avoid template rendering errors. diff --git a/helm-chart/csi-driver/templates/_helpers.tpl b/helm-chart/csi-driver/templates/_helpers.tpl index 774f8efd..cb516d0f 100644 --- a/helm-chart/csi-driver/templates/_helpers.tpl +++ b/helm-chart/csi-driver/templates/_helpers.tpl @@ -54,7 +54,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "csi-driver.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} +{{- if .Values.serviceAccount.enabled }} {{- default (include "csi-driver.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} 
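Review bot: The new "Controller kubeconfig" paragraph ends with the sidecars reading "the file `/`", which has lost its path placeholder, presumably an angle-bracket template the renderer swallowed; spell the path out as mountDir joined with secretKey and give the concrete example for the values shown, `/etc/kubeconfig/external-kubeconfig`, escaping the brackets if you keep a placeholder. The inline comment `still referenced by the StatefulSet` on `controller.serviceAccount.enabled` does not match the csi-linode-controller.yaml hunk at old line 162, which drops the `serviceAccount:` field entirely when the toggle is false, so the pod would run as the namespace's `default` ServiceAccount rather than the externally managed `csi-controller-sa`; either that template or this sentence has to change. It would also help operators to state that the kubeconfig Secret is mounted read-only and must live in the chart's `namespace`, since a pod's `secret` volume can only reference a Secret in its own namespace.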
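Review bot: `csi-driver.serviceAccountName` now tests `.Values.serviceAccount.enabled`, but no hunk in this diff adds an `enabled` key under a top-level `serviceAccount` block in values.yaml; the values hunk only introduces `controller.serviceAccount` and `daemonSet.serviceAccount`. If that top-level block still declares `create`, the condition evaluates to nil and the helper silently falls through to `default "default" .Values.serviceAccount.name`; if the block is absent altogether, rendering fails with a nil-pointer error. Either rename the key in values.yaml in the same change, or point this helper at the block the rest of the diff uses, e.g. `{{- if .Values.controller.serviceAccount.enabled }}` followed by `{{- default "csi-controller-sa" .Values.controller.serviceAccount.name }}`, so there is one toggle and one name. The closing `{{- end }}` of this define lies outside the hunk.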
diff --git a/helm-chart/csi-driver/templates/csi-controller-attacher-binding-rbac.yaml b/helm-chart/csi-driver/templates/csi-controller-attacher-binding-rbac.yaml index 68e51d0c..153dcbcf 100644 --- a/helm-chart/csi-driver/templates/csi-controller-attacher-binding-rbac.yaml +++ b/helm-chart/csi-driver/templates/csi-controller-attacher-binding-rbac.yaml @@ -1,3 +1,4 @@ +{{- if .Values.controller.rbac.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8,5 +9,7 @@ roleRef: name: external-attacher-role subjects: - kind: ServiceAccount - name: csi-controller-sa + name: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} + diff --git a/helm-chart/csi-driver/templates/csi-controller-provisioner-binding-rbac.yaml b/helm-chart/csi-driver/templates/csi-controller-provisioner-binding-rbac.yaml index 0b4c3336..9beffb98 100644 --- a/helm-chart/csi-driver/templates/csi-controller-provisioner-binding-rbac.yaml +++ b/helm-chart/csi-driver/templates/csi-controller-provisioner-binding-rbac.yaml @@ -1,3 +1,4 @@ +{{- if .Values.controller.rbac.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8,5 +9,6 @@ roleRef: name: external-provisioner-role subjects: - kind: ServiceAccount - name: csi-controller-sa + name: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} diff --git a/helm-chart/csi-driver/templates/csi-controller-resizer-binding-rbac.yaml b/helm-chart/csi-driver/templates/csi-controller-resizer-binding-rbac.yaml index 6d217986..de46691b 100644 --- a/helm-chart/csi-driver/templates/csi-controller-resizer-binding-rbac.yaml +++ b/helm-chart/csi-driver/templates/csi-controller-resizer-binding-rbac.yaml 
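Review bot: The subject expression `{{ default "csi-controller-sa" .Values.controller.serviceAccount.name }}` is now repeated verbatim in the attacher, provisioner and resizer bindings, the controller ServiceAccount template and the StatefulSet; a single named template in _helpers.tpl (for instance `csi-driver.controllerServiceAccountName`) called from each would keep the binding subjects from drifting away from the ServiceAccount the pod actually runs as, which is exactly the failure these new toggles make easy to hit. This file, unlike the provisioner and resizer bindings, also gains a second trailing blank `+` line after `{{- end }}` (hunk `+9,7` versus `+9,6`); drop it so the three binding templates stay identical apart from the role name. The gating itself reads correctly: with `controller.rbac.enabled=false` nothing is rendered, and `default` treats an empty `name` as unset.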
@@ -1,3 +1,4 @@ +{{- if .Values.controller.rbac.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -8,5 +9,6 @@ roleRef: name: external-resizer-role subjects: - kind: ServiceAccount - name: csi-controller-sa + name: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} diff --git a/helm-chart/csi-driver/templates/csi-controller-serviceaccount.yaml b/helm-chart/csi-driver/templates/csi-controller-serviceaccount.yaml index 637cff18..2c688bf0 100644 --- a/helm-chart/csi-driver/templates/csi-controller-serviceaccount.yaml +++ b/helm-chart/csi-driver/templates/csi-controller-serviceaccount.yaml @@ -1,5 +1,7 @@ +{{- if .Values.controller.serviceAccount.enabled }} apiVersion: v1 kind: ServiceAccount metadata: - name: csi-controller-sa + name: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} diff --git a/helm-chart/csi-driver/templates/csi-linode-controller.yaml b/helm-chart/csi-driver/templates/csi-linode-controller.yaml index 21a7162f..e3672825 100644 --- a/helm-chart/csi-driver/templates/csi-linode-controller.yaml +++ b/helm-chart/csi-driver/templates/csi-linode-controller.yaml @@ -36,6 +36,11 @@ spec: - --csi-address=$(ADDRESS) - --feature-gates=Topology=true - --v=2 + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretKey }} + - --kubeconfig={{ printf "%s/%s" .mountDir .secretKey }} + {{- end }} + {{- end }} {{- if .Values.enableMetrics}} - --metrics-address={{ .Values.csiProvisioner.metrics.address }} {{- end }} 
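Review bot: The three `controller.kubeconfig` guards disagree: the `--kubeconfig` args (here and in the hunks at old lines 59 and 86) check `and .mountDir .secretKey`, the volumeMounts (old lines 59, 86, 112) check `and .mountDir .secretName`, and the volume (old line 194) checks `and .secretName .secretKey`. Setting only two of the three values therefore renders a pod that either references a `controller-kubeconfig` volume that was never declared or passes a `--kubeconfig` path that is never mounted, and the failure surfaces only at scheduling time or in sidecar logs. Use one condition everywhere, `{{- if and .mountDir .secretName .secretKey }}`, or better compute it once in a helper and reuse it at all seven sites. A `fail`-style check for the partially-set case would turn this into a `helm template` error instead of a runtime one. The sidecar containers these lines belong to start outside the hunk.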
@@ -59,10 +64,22 @@ spec: volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretName }} + - mountPath: {{ .mountDir }} + name: controller-kubeconfig + readOnly: true + {{- end }} + {{- end }} - args: - --v=2 - --csi-address=$(ADDRESS) - --timeout=30s + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretKey }} + - --kubeconfig={{ printf "%s/%s" .mountDir .secretKey }} + {{- end }} + {{- end }} {{- if .Values.enableMetrics}} - --metrics-address={{ .Values.csiAttacher.metrics.address }} {{- end }} @@ -86,9 +103,21 @@ spec: volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretName }} + - mountPath: {{ .mountDir }} + name: controller-kubeconfig + readOnly: true + {{- end }} + {{- end }} - args: - --v=2 - --csi-address=$(ADDRESS) + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretKey }} + - --kubeconfig={{ printf "%s/%s" .mountDir .secretKey }} + {{- end }} + {{- end }} {{- if .Values.enableMetrics}} - --metrics-address={{ .Values.csiResizer.metrics.address }} {{- end }} @@ -112,6 +141,13 @@ spec: volumeMounts: - mountPath: /var/lib/csi/sockets/pluginproxy/ name: socket-dir + {{- with .Values.controller.kubeconfig }} + {{- if and .mountDir .secretName }} + - mountPath: {{ .mountDir }} + name: controller-kubeconfig + readOnly: true + {{- end }} + {{- end }} - args: - --v=2 env: @@ -162,7 +198,9 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - serviceAccount: csi-controller-sa + {{- if .Values.controller.serviceAccount.enabled }} + serviceAccount: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }} + {{- end }} {{- if .Values.controller.nodeSelector }} nodeSelector: {{- toYaml .Values.controller.nodeSelector | nindent 8 }} 
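Review bot: Wrapping `serviceAccount:` in `{{- if .Values.controller.serviceAccount.enabled }}` here (and the same pattern for `csi-node-sa` in the daemonset.yaml hunk at old line 104) removes the field from the pod spec when the toggle is off, so the controller and node pods fall back to the namespace's `default` ServiceAccount while the ClusterRoleBindings, if still enabled, bind `csi-controller-sa` / `csi-node-sa`. That contradicts the docs hunk, which says the name is "still referenced by the StatefulSet" and asks the operator to pre-create that ServiceAccount, and it is a least-privilege regression: a DaemonSet running with `hostNetwork: true` should not silently inherit whatever the `default` ServiceAccount happens to be granted. The toggle should only gate creation of the ServiceAccount resource; the pod spec should always set the name, e.g. `serviceAccountName: {{ default "csi-controller-sa" .Values.controller.serviceAccount.name }}` here and `serviceAccountName: {{ default "csi-node-sa" .Values.daemonSet.serviceAccount.name }}` in the DaemonSet, which also replaces the deprecated `serviceAccount` pod field with its current name. The enclosing StatefulSet spec continues outside the hunk.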
@@ -194,6 +232,16 @@ spec: path: /dev type: Directory name: dev + {{- with .Values.controller.kubeconfig }} + {{- if and .secretName .secretKey }} + - name: controller-kubeconfig + secret: + secretName: {{ .secretName }} + items: + - key: {{ .secretKey }} + path: {{ .secretKey }} + {{- end }} + {{- end }} {{- with .Values.csiLinodePlugin.volumes }} {{- toYaml . | nindent 8 }} {{- end }} diff --git a/helm-chart/csi-driver/templates/csi-node-serviceaccount.yaml b/helm-chart/csi-driver/templates/csi-node-serviceaccount.yaml index 9ddda6db..14cd0ec6 100644 --- a/helm-chart/csi-driver/templates/csi-node-serviceaccount.yaml +++ b/helm-chart/csi-driver/templates/csi-node-serviceaccount.yaml @@ -1,5 +1,7 @@ +{{- if .Values.daemonSet.serviceAccount.enabled }} apiVersion: v1 kind: ServiceAccount metadata: - name: csi-node-sa + name: {{ default "csi-node-sa" .Values.daemonSet.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} diff --git a/helm-chart/csi-driver/templates/daemonset.yaml b/helm-chart/csi-driver/templates/daemonset.yaml index ecb12661..6b2a9ae5 100644 --- a/helm-chart/csi-driver/templates/daemonset.yaml +++ b/helm-chart/csi-driver/templates/daemonset.yaml @@ -104,7 +104,9 @@ spec: {{- end }} hostNetwork: true priorityClassName: system-node-critical - serviceAccount: csi-node-sa + {{- if .Values.daemonSet.serviceAccount.enabled }} + serviceAccount: {{ default "csi-node-sa" .Values.daemonSet.serviceAccount.name }} + {{- end }} tolerations: - effect: NoSchedule operator: Exists diff --git a/helm-chart/csi-driver/templates/linode-csi-binding-rbac.yaml b/helm-chart/csi-driver/templates/linode-csi-binding-rbac.yaml index f1ed517f..86765e25 100644 --- a/helm-chart/csi-driver/templates/linode-csi-binding-rbac.yaml +++ b/helm-chart/csi-driver/templates/linode-csi-binding-rbac.yaml @@ -1,3 +1,4 @@ +{{- if .Values.daemonSet.rbac.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -9,5 +10,6 @@ roleRef: name: linode-csi-role subjects: - kind: ServiceAccount - name: csi-node-sa + name: {{ default "csi-node-sa" .Values.daemonSet.serviceAccount.name }} namespace: {{ required ".Values.namespace required" .Values.namespace }} +{{- end }} diff --git a/helm-chart/csi-driver/values.yaml b/helm-chart/csi-driver/values.yaml index dc58b96c..d97a8ae9 100644 --- a/helm-chart/csi-driver/values.yaml +++ b/helm-chart/csi-driver/values.yaml @@ -97,12 +97,26 @@ csiNodeDriverRegistrar: controller: enabled: true + kubeconfig: + mountDir: "" + secretName: "" + secretKey: "" + serviceAccount: + enabled: true + name: "csi-controller-sa" + rbac: + enabled: true nodeSelector: {} affinity: {} tolerations: [] daemonSet: enabled: true + serviceAccount: + enabled: true + name: "csi-node-sa" + rbac: + enabled: true # Add custom annotations to all pods podAnnotations: {}