Skip to content

fix: csi-s3-provisioner cannot rebuild when node outage #184

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ooninoo wants to merge 2 commits into
base: master
Choose a base branch
from
Open

fix: csi-s3-provisioner cannot rebuild when node outage #184

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5a4a8bf
fix: csi-s3-provisioner cannot rebuild when node outage
Oct 24, 2025
d3aa369
fix: csi-s3-provisioner cannot rebuild when node outage
Oct 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 50 additions & 3 deletions deploy/helm/csi-s3/templates/provisioner.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,52 @@ roleRef:
kind: ClusterRole
name: csi-s3-external-provisioner-runner
apiGroup: rbac.authorization.k8s.io

---
# Provisioner must be able to work with endpoints in current namespace
# if (and only if) leadership election is enabled
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: {{ .Release.Namespace }}
name: external-provisioner-cfg
rules:
# Only one of the following rules for endpoints or leases is required based on
# what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
# Permissions for CSIStorageCapacity are only needed enabling the publishing
# of storage capacity information.
- apiGroups: ["storage.k8s.io"]
resources: ["csistoragecapacities"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# The GET permissions below are needed for walking up the ownership chain
# for CSIStorageCapacity. They are sufficient for deployment via
# StatefulSet (only needs to get Pod) and Deployment (needs to get
# Pod and then ReplicaSet to find the Deployment).
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: csi-provisioner-role-cfg
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: csi-s3-provisioner-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: external-provisioner-cfg
apiGroup: rbac.authorization.k8s.io

---
kind: Service
apiVersion: v1
Expand All @@ -52,14 +98,13 @@ spec:
- name: csi-s3-dummy
port: 65535
---
kind: StatefulSet
kind: Deployment
apiVersion: apps/v1
metadata:
name: csi-s3-provisioner
namespace: {{ .Release.Namespace }}
spec:
serviceName: "csi-provisioner-s3"
replicas: 1
replicas: 3
selector:
matchLabels:
app: csi-s3-provisioner
Expand All @@ -86,6 +131,8 @@ spec:
image: {{ .Values.images.provisioner }}
args:
- "--csi-address=$(ADDRESS)"
- "--leader-election"
- "--http-endpoint=:8080"
- "--v=4"
env:
- name: ADDRESS
Expand Down