[cinder-csi-plugin] enable secret injection and common annotations (kubernetes#2264)

* feat(cinder-csi): enable secret injection and common annotations

* fix(cinder-csi): default secret value hostMount

* fix(cinder-csi): pod annotations

* fix(cinder-csi): pod annotations

* fix(cinder-csi): values typo

Author: simonostendorf

charts/cinder-csi-plugin/templates/controllerplugin-deployment.yaml

@@ -5,6 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cinder-csi.controllerplugin.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   replicas: {{ .Values.csi.plugin.controllerPlugin.replicas }}
   strategy:
@@ -21,6 +25,10 @@ spec:
     metadata:
       labels:
         {{- include "cinder-csi.controllerplugin.labels" . | nindent 8 }}
+      annotations:
+        {{- with .Values.commonAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       serviceAccount: csi-cinder-controller-sa
       containers:
@@ -169,11 +177,13 @@ spec:
       volumes:
         - name: socket-dir
           emptyDir:
-        - name: cloud-config
         {{- if .Values.secret.enabled }}
+        - name: cloud-config
           secret:
             secretName: {{ .Values.secret.name }}
-        {{- else }}
+        {{- end }}
+        {{- if .Values.secret.hostMount }}
+        - name: cloud-config
           hostPath:
             path: /etc/kubernetes
         {{- end }}

charts/cinder-csi-plugin/templates/nodeplugin-daemonset.yaml

@@ -5,6 +5,10 @@ metadata:
   namespace: {{ .Release.Namespace }}
   labels:
     {{- include "cinder-csi.nodeplugin.labels" . | nindent 4 }}
+  annotations:
+    {{- with .Values.commonAnnotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   selector:
     matchLabels:
@@ -13,6 +17,10 @@ spec:
     metadata:
       labels:
         {{- include "cinder-csi.nodeplugin.labels" . | nindent 8 }}
+      annotations:
+        {{- with .Values.commonAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
       serviceAccount: csi-cinder-node-sa
       hostNetwork: true
@@ -127,11 +135,13 @@ spec:
           hostPath:
             path: /dev
             type: Directory
-        - name: cloud-config
         {{- if .Values.secret.enabled }}
+        - name: cloud-config
           secret:
             secretName: {{ .Values.secret.name }}
-        {{- else }}
+        {{- end }}
+        {{- if .Values.secret.hostMount }}
+        - name: cloud-config
           hostPath:
             path: /etc/kubernetes
         {{- end }}

charts/cinder-csi-plugin/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.secret.create }}
+{{- if and (.Values.secret.create) (.Values.secret.enabled) }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/cinder-csi-plugin/values.yaml

@@ -98,8 +98,15 @@ csi:
 # for description of individual verbosity levels.
 logVerbosityLevel: 2
 
+# the secret should contain the openstack credentials
+# there are several options to inject the credentials:
+# 1) from kubernetes secret that doesn't exist: set "enabled" and "create" to true, this will create a secret from the values written to "data" down below
+# 2) from kubernetes secret that already exists: set "enabled" to true and "create" to false
+# 3) from host system path /etc/cloud/cloud.conf: set "enabled" to false and "hostMount" to true
+# 4) via agent-injector (e.g. hashicorp vault): set "enabled" and "hostMount" to false, you have to provide credentials on your own by injecting credentials into the pod
 secret:
   enabled: false
+  hostMount: true
   create: false
   filename: cloud.conf
 #  name: cinder-csi-cloud-config
@@ -149,3 +156,6 @@ priorityClassName: ""
 
 imagePullSecrets: []
 # - name: my-imagepull-secret
+
+# add annotations to all pods
+commonAnnotations: {}