Merge "Upgrade trident templates for version 23.10.0"

This commit is contained in:
Zuul
2023-12-21 15:12:21 +00:00
committed by Gerrit Code Review
15 changed files with 354 additions and 125 deletions


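--- a/PATH_NOT_SHOWN
+++ /dev/null
----
-#
-# Copyright (c) 2020 Wind River Systems, Inc.
-#
-# SPDX-License-Identifier: Apache-2.0
-#
-# ROLE DESCRIPTION:
-# This role is to configure a NetApp storage backend
-#
-- name: Set backend filename
-  set_fact:
-    backend_file: "{{ trident_setup_dir }}/backend-{{ backend.backendName }}.yaml"
-# We create, use and delete the backend configuration file, all under one task.
-# We do it under one task, because this configuration file may contain user
-# credential and doing these steps from 3 different tasks add security issues
-- block:
-    - name: Add NetApp backend
-      shell: "{{ item }}"
-      args:
-        chdir: "{{ trident_setup_dir }}"
-      environment:
-        KUBECONFIG: "/etc/kubernetes/admin.conf"
-      no_log: true
-      with_items:
-        - echo '{{ backend | to_nice_json }}' > {{ backend_file }}
-        - tridentctl -n {{ trident_namespace }} create backend -f {{ backend_file }}
-  always:
-    - name: Cleanup backend file
-      file:
-        path: "{{ backend_file }}"
-        state: absent
-      when: trident_clean_folder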


@@ -13,15 +13,24 @@
set_fact:
storageclass_file: "{{ trident_setup_dir }}/storage-class-{{ storage_class.metadata.name }}.yml"
- name: Remove provisioner from content
set_fact:
sc_without_provisioner: "{% set copy=storage_class.copy() %}{% set removed=copy.pop('provisioner') %}{{ copy }}"
with_items: "{{ storage_class }}"
when: "item == 'provisioner'"
- name: Set StorageClass headers
set_fact:
storageclass_headers:
apiVersion: storage.k8s.io/v1
kind: StorageClass
provisioner: "{{ netapp_k8s_storageclass[0].provisioner }}"
- name: Prepare StorageClass content
set_fact:
storageclass: "{{ storageclass_headers | combine(storage_class) }}"
storageclass: "{{ storageclass_headers | combine(storage_class_) }}"
vars:
storage_class_: "{{ sc_without_provisioner | default(storage_class) }}"
- name: Create storage-class.yaml
copy:
@@ -29,10 +38,10 @@
dest: "{{ storageclass_file }}"
- name: Remove StorageClass if it exists
command: >
"kubectl --kubeconfig=/etc/kubernetes/admin.conf
command: >-
kubectl --kubeconfig=/etc/kubernetes/admin.conf
-n {{ trident_namespace }}
delete storageclass {{ storage_class.metadata.name }}"
delete storageclasses {{ storage_class.metadata.name }}
failed_when: false
- name: Create K8s StorageClass
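Review bot: The new "Remove provisioner from content" task at L50-L54 loops `with_items: "{{ storage_class }}"` over a value the rest of the file treats as a mapping and then tests `item == 'provisioner'`; iterating a dict with with_items is not reliable across Ansible versions, and no loop is needed to check for a key. The same task written as a plain condition is `when: "'provisioner' in storage_class"`, with the loop and its `item` test removed. Facts set with set_fact persist for the rest of the play, so if this file is included once per storage class (the include is outside this hunk, so I cannot tell) a `sc_without_provisioner` from an earlier class would survive into the next inclusion and the `default(storage_class)` fallback at L66 would silently use the stale content; reset or scope the fact per inclusion if that is the case.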


@@ -28,10 +28,10 @@
dest: "{{ secret_file }}"
- name: Remove Trident backend config secret if it exists
command: >
"kubectl -n {{ trident_namespace }}
command: >-
kubectl -n {{ trident_namespace }}
--kubeconfig=/etc/kubernetes/admin.conf
delete secret {{ backend_secret.metadata.name }}"
delete secret {{ backend_secret.metadata.name }}
failed_when: false
- name: Create Trident backend config secret
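Review bot: The rewritten delete command at L89-L93 still depends on `failed_when: false` (L94) to tolerate a secret that does not exist, which also hides kubeconfig, authorization and API-connectivity errors that should stop the play before the "Create" task runs against a broken cluster. kubectl can treat the absent case as success on its own: append `--ignore-not-found` to the command and drop `failed_when: false`, so genuine failures are reported. The same pattern is in the storageclasses delete of the previous file (L74-L79).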


@@ -27,13 +27,6 @@
content: "{{ tbc_yaml | to_nice_yaml }}"
dest: "{{ tbc_file }}"
- name: Remove TridentBackendConfig if it exists
command: >
"kubectl -n {{ trident_namespace }}
--kubeconfig=/etc/kubernetes/admin.conf
delete tbc {{ backend.metadata.name }}"
failed_when: false
- name: Create K8s TridentBackendConfig
command: "kubectl -n {{ trident_namespace }} --kubeconfig=/etc/kubernetes/admin.conf apply -f {{ tbc_file }}"


@@ -2,14 +2,19 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: trident-csi
name: trident-controller
labels:
app: controller.csi.trident.netapp.io
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["persistentvolumes", "persistentvolumeclaims"]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
@@ -19,21 +24,15 @@ rules:
- apiGroups: [""]
resources: ["events"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["resourcequotas"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
verbs: ["get", "list", "delete", "patch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch", "update"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update", "patch"]
@@ -42,27 +41,26 @@ rules:
verbs: ["update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots", "volumesnapshotclasses"]
verbs: ["get", "list", "watch", "update", "patch"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status", "volumesnapshotcontents/status"]
verbs: ["update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csidrivers", "csinodes"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
resources: ["csinodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["trident.netapp.io"]
resources: ["tridentversions", "tridentbackends", "tridentstorageclasses", "tridentvolumes","tridentnodes",
"tridenttransactions", "tridentsnapshots", "tridentbackendconfigs", "tridentbackendconfigs/status",
"tridentmirrorrelationships", "tridentmirrorrelationships/status", "tridentsnapshotinfos",
"tridentsnapshotinfos/status", "tridentvolumepublications"]
"tridentsnapshotinfos/status", "tridentvolumepublications", "tridentvolumereferences",
"tridentactionmirrorupdates", "tridentactionmirrorupdates/status",
"tridentactionsnapshotrestores", "tridentactionsnapshotrestores/status"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- tridentpods
- trident-controller
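Review bot: The `podsecuritypolicies` `use` rule at L189-L194 now names `trident-controller` (L194), but the only PodSecurityPolicy in these templates is deleted by this same commit (the `tridentpods` manifest at L739-L761), so the rule grants `use` on an object that no longer exists; on clusters that no longer serve the PodSecurityPolicy API it is inert, and elsewhere it is a dangling grant that would silently become live if a privileged PSP of that name were ever re-created. Drop the rule, or leave a comment above it such as `# PSP was removed with the 23.10 templates; delete this rule once no target cluster serves PodSecurityPolicy`. Moving `secrets` and `pods/log` out of this ClusterRole into the namespaced Role (L231-L236) narrows what the controller token can read cluster-wide, which is worth a one-line comment near `rules:` so the next upgrade does not reintroduce them here.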


@@ -2,13 +2,15 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: trident-csi
name: trident-controller
labels:
app: controller.csi.trident.netapp.io
subjects:
- kind: ServiceAccount
name: trident-csi
name: trident-controller
# STX_change: configurable namespace
namespace: {{ trident_namespace }}
roleRef:
kind: ClusterRole
name: trident-csi
name: trident-controller
apiGroup: rbac.authorization.k8s.io


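--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,16 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  # STX_change: configurable namespace
+  namespace: {{ trident_namespace }}
+  name: trident-controller
+  labels:
+    app: controller.csi.trident.netapp.io
+rules:
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]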
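Review bot: The `secrets` rule at L234-L236 carries `list` and `watch`, so the controller can read every Secret in `{{ trident_namespace }}`, not only the backend secrets it manages itself; nothing in the Role documents why namespace-wide read is required. A comment above `rules:` such as `# namespace-scoped: moved here from the ClusterRole in 23.10; secrets are read namespace-wide because backend secret names are not known in advance` would record both the scope change made in this commit and the reason a `resourceNames` restriction was not applied (I am inferring the reason from the dynamic secret names elsewhere in the templates; confirm against upstream).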


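--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,17 @@
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: trident-controller
+  # STX_change: configurable namespace
+  namespace: {{ trident_namespace }}
+  labels:
+    app: controller.csi.trident.netapp.io
+subjects:
+  - kind: ServiceAccount
+    name: trident-controller
+    apiGroup: ""
+roleRef:
+  kind: Role
+  name: trident-controller
+  apiGroup: rbac.authorization.k8s.io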
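Review bot: The ServiceAccount subject at L251-L253 has no `namespace:`, so the binding relies on API-server defaulting to resolve which `trident-controller` account it grants to, while the ClusterRoleBinding in this same commit spells the subject namespace out (L210-L211). Stating it explicitly keeps the two bindings consistent and makes the grant auditable without knowing the defaulting rule: add `namespace: {{ trident_namespace }}` under the subject, with the same `# STX_change: configurable namespace` comment used at L246.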


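--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: trident-controller
+  labels:
+    app: controller.csi.trident.netapp.io
+# STX_change: add imagePullSecrets
+imagePullSecrets:
+  - name: {{ trident_secret_name }}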


@@ -128,6 +128,7 @@ spec:
- trident
- trident-internal
- trident-external
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -232,6 +233,66 @@ spec:
- trident
- trident-internal
- trident-external
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tridentactionmirrorupdates.trident.netapp.io
spec:
group: trident.netapp.io
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- description: Namespace
jsonPath: .metadata.namespace
name: Namespace
type: string
priority: 0
- description: State
jsonPath: .status.state
name: State
type: string
priority: 0
- description: CompletionTime
jsonPath: .status.completionTime
name: CompletionTime
type: date
priority: 0
- description: Message
jsonPath: .status.message
name: Message
type: string
priority: 1
- description: LocalVolumeHandle
jsonPath: .status.localVolumeHandle
name: LocalVolumeHandle
type: string
priority: 1
- description: RemoteVolumeHandle
jsonPath: .status.remoteVolumeHandle
name: RemoteVolumeHandle
type: string
priority: 1
scope: Namespaced
names:
plural: tridentactionmirrorupdates
singular: tridentactionmirrorupdate
kind: TridentActionMirrorUpdate
shortNames:
- tamu
- tamupdate
- tamirrorupdate
categories:
- trident
- trident-external
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
@@ -510,3 +571,98 @@ spec:
categories:
- trident
- trident-internal
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tridentvolumereferences.trident.netapp.io
spec:
group: trident.netapp.io
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
pvcName:
type: string
pvcNamespace:
type: string
required:
- pvcName
- pvcNamespace
additionalPrinterColumns:
scope: Namespaced
names:
plural: tridentvolumereferences
singular: tridentvolumereference
kind: TridentVolumeReference
shortNames:
- tvr
- tvref
categories:
- trident
- trident-external
- trident-internal
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: tridentactionsnapshotrestores.trident.netapp.io
spec:
group: trident.netapp.io
versions:
- name: v1
served: true
storage: true
schema:
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
additionalPrinterColumns:
- description: Namespace
jsonPath: .metadata.namespace
name: Namespace
type: string
priority: 0
- description: PVC
jsonPath: .spec.pvcName
name: PVC
type: string
priority: 0
- description: Snapshot
jsonPath: .spec.volumeSnapshotName
name: Snapshot
type: string
priority: 0
- description: State
jsonPath: .status.state
name: State
type: string
priority: 0
- description: CompletionTime
jsonPath: .status.completionTime
name: CompletionTime
type: date
priority: 0
- description: Message
jsonPath: .status.message
name: Message
type: string
priority: 1
scope: Namespaced
names:
plural: tridentactionsnapshotrestores
singular: tridentactionsnapshotrestore
kind: TridentActionSnapshotRestore
shortNames:
- tasr
categories:
- trident
- trident-external
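Review bot: `additionalPrinterColumns:` at L376 in the TridentVolumeReference CRD has no value and therefore parses as null rather than an empty list; the API server most likely decodes that as an empty slice, but the two sibling CRDs in this hunk (L301, L404) give the field a real list, and a bare key reads as an unfinished edit. Either drop the key or write `additionalPrinterColumns: []`. The `x-kubernetes-preserve-unknown-fields: true` schemas at L300 and L403 mean the server validates nothing inside `spec` for the two action resources, unlike the typed schema at L365-L375; if that is intentional upstream content, a one-line comment above each saying so would stop a later reviewer from "fixing" it.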


@@ -2,10 +2,10 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: trident-csi
name: trident-node-linux
labels:
app: node.csi.trident.netapp.io
kubectl.kubernetes.io/default-container: trident-main
app: node.csi.trident.netapp.io
spec:
selector:
matchLabels:
@@ -15,7 +15,7 @@ spec:
labels:
app: node.csi.trident.netapp.io
spec:
serviceAccount: trident-csi
serviceAccount: trident-node-linux
hostNetwork: true
hostIPC: true
hostPID: true
@@ -26,20 +26,32 @@ spec:
securityContext:
privileged: true
allowPrivilegeEscalation: true
capabilities:
drop:
- all
add:
- SYS_ADMIN
# STX_change: pull image from local registry
image: {{ local_registry }}/docker.io/netapp/trident:23.04.0
image: {{ local_registry }}/docker.io/netapp/trident:23.10.0
imagePullPolicy: IfNotPresent
command:
- /trident_orchestrator
args:
- "--no_persistence"
- "--k8s_pod"
- "--rest=false"
- "--csi_node_name=$(KUBE_NODE_NAME)"
- "--csi_endpoint=$(CSI_ENDPOINT)"
- "--csi_role=node"
- "--log_format=text"
- "--log_level=info"
- "--log_workflows="
- "--log_layers="
- "--disable_audit_log=true"
- "--http_request_timeout=1m30s"
- "--https_rest"
- "--https_port=17546"
- "--enable_force_detach=false"
#- -debug
startupProbe:
httpGet:
@@ -71,6 +83,8 @@ spec:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: KUBELET_DIR
value: /var/lib/kubelet
- name: CSI_ENDPOINT
value: unix://plugin/csi.sock
- name: PATH
@@ -99,7 +113,8 @@ spec:
readOnly: true
- name: driver-registrar
# STX_change: pull image from local registry
image: {{ local_registry }}/k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.7.0
image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0
imagePullPolicy: IfNotPresent
args:
- "--v=2"
- "--csi-address=$(ADDRESS)"
@@ -118,14 +133,35 @@ spec:
mountPath: /plugin
- name: registration-dir
mountPath: /registration
# STX_change: deploy only on controller nodes
# TODO: determine if this is needed or not
{% if trident_deploy_only_on_controllers is sameas true -%}
nodeSelector:
# STX_change: deploy only on controller nodes
# TODO: determine if this is needed or not
{% if trident_deploy_only_on_controllers is sameas true -%}
node-role.kubernetes.io/control-plane: ""
{%- endif -%}
kubernetes.io/os: linux
kubernetes.io/arch: amd64
{%- endif -%}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
- key: kubernetes.io/os
operator: In
values:
- linux
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- node.csi.trident.netapp.io
topologyKey: kubernetes.io/hostname
tolerations:
- effect: "NoExecute"
operator: "Exists"
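Review bot: The `{%- endif -%}` at L538 strips whitespace on both sides, so with `trident_deploy_only_on_controllers` true the rendered text appears to join `kubernetes.io/arch: amd64` (L537) and `affinity:` (L539) onto one line, and with it false `nodeSelector:` (L530) is left with no entries and the `kubernetes.io/os` / `kubernetes.io/arch` selectors disappear together with the control-plane key; Jinja trim behaviour depends on the template module's settings, so verify by rendering the DaemonSet for both values of the flag. A safer shape keeps only the `node-role.kubernetes.io/control-plane: ""` line inside the conditional, leaves the os/arch keys outside it so they render in both cases, and avoids the trailing `-` on the closing tag. The `capabilities.drop: all` / `add: SYS_ADMIN` block at L474-L478 sits under `privileged: true` (L472), which already grants every capability, so the drop list documents intent rather than restricting anything; a comment saying so would avoid a false sense of hardening.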


@@ -2,7 +2,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: trident-csi
name: trident-controller
labels:
app: controller.csi.trident.netapp.io
kubectl.kubernetes.io/default-container: trident-main
@@ -18,11 +18,17 @@ spec:
labels:
app: controller.csi.trident.netapp.io
spec:
serviceAccount: trident-csi
serviceAccount: trident-controller
containers:
- name: trident-main
# STX_change: pull image from local registry
image: {{ local_registry }}/docker.io/netapp/trident:23.04.0
image: {{ local_registry }}/docker.io/netapp/trident:23.10.0
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: false
capabilities:
drop:
- all
ports:
# STX_change: change ports
- containerPort: {{ trident_https_rest_api_port }}
@@ -39,13 +45,19 @@ spec:
- "--csi_endpoint=$(CSI_ENDPOINT)"
- "--csi_role=controller"
- "--log_format=text"
- "--log_level=info"
- "--log_workflows="
- "--log_layers="
- "--disable_audit_log=true"
- "--address=127.0.0.1"
# STX_change: change port
- "--port={{ trident_rest_api_port }}"
- "--http_request_timeout=1m30s"
- "--enable_force_detach=false"
- "--metrics"
# STX_change: change metrics port
- "--metrics_port={{ trident_metrics_port }}"
#- -debug
livenessProbe:
exec:
@@ -70,6 +82,7 @@ spec:
- name: TRIDENT_SERVER
# STX_change: change port
value: "127.0.0.1:{{ trident_rest_api_port }}"
volumeMounts:
- name: socket-dir
mountPath: /plugin
@@ -79,7 +92,12 @@ spec:
- name: trident-autosupport
# STX_change: pull image from local registry
image: {{ local_registry }}/docker.io/netapp/trident-autosupport:23.04
image: {{ local_registry }}/docker.io/netapp/trident-autosupport:23.10
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- all
command:
- /usr/local/bin/trident-autosupport
args:
@@ -95,14 +113,18 @@ spec:
mountPath: /asup
- name: csi-provisioner
# STX_change: pull image from local registry
image: {{ local_registry }}/k8s.gcr.io/sig-storage/csi-provisioner:v3.4.1
image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-provisioner:v3.6.0
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- all
args:
- "--v=2"
- "--timeout=600s"
- "--csi-address=$(ADDRESS)"
- "--retry-interval-start=8s"
- "--retry-interval-max=30s"
env:
- name: ADDRESS
value: /var/lib/csi/sockets/pluginproxy/csi.sock
@@ -111,7 +133,12 @@ spec:
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: csi-attacher
# STX_change: pull image from local registry
image: {{ local_registry }}/k8s.gcr.io/sig-storage/csi-attacher:v4.2.0
image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-attacher:v4.4.0
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- all
args:
- "--v=2"
- "--timeout=60s"
@@ -125,7 +152,8 @@ spec:
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: csi-resizer
# STX_change: pull image from local registry
image: {{ local_registry }}/k8s.gcr.io/sig-storage/csi-resizer:v1.7.0
image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-resizer:v1.9.0
imagePullPolicy: IfNotPresent
args:
- "--v=2"
- "--timeout=300s"
@@ -138,7 +166,12 @@ spec:
mountPath: /var/lib/csi/sockets/pluginproxy/
- name: csi-snapshotter
# STX_change: pull image from local registry
image: {{ local_registry }}/k8s.gcr.io/sig-storage/csi-snapshotter:v6.2.1
image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-snapshotter:v6.3.0
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop:
- all
args:
- "--v=2"
- "--timeout=300s"
@@ -149,11 +182,24 @@ spec:
volumeMounts:
- name: socket-dir
mountPath: /var/lib/csi/sockets/pluginproxy/
# STX_change: launch only on master nodes
nodeSelector:
# STX_change: launch only on master nodes
node-role.kubernetes.io/control-plane: ""
kubernetes.io/os: linux
kubernetes.io/arch: amd64
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
- amd64
- key: kubernetes.io/os
operator: In
values:
- linux
# STX_change: add tolerations
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
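Review bot: The csi-resizer container (L672-L679) is the only sidecar in this Deployment that does not receive the `securityContext` with `capabilities.drop: all` that this commit adds to csi-provisioner (L643-L646), csi-attacher (L663-L666), csi-snapshotter (L687-L690) and trident-autosupport (L629-L632); it runs with the default capability set while the others are reduced. Add the same block to csi-resizer so all sidecars share one baseline. The `tolerations` at L719-L721 still key on `node-role.kubernetes.io/master` while the new `nodeSelector` at L701 targets the `control-plane` label; if the control-plane nodes carry the `node-role.kubernetes.io/control-plane` taint the pod would not schedule, so confirm which taint the target clusters use (the end of the tolerations list is outside the hunk).

```yaml
        - name: csi-resizer
          # STX_change: pull image from local registry
          image: {{ local_registry }}/registry.k8s.io/sig-storage/csi-resizer:v1.9.0
          imagePullPolicy: IfNotPresent
          securityContext:
            capabilities:
              drop:
                - all
          # … unchanged: args, env, volumeMounts …
```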


@@ -2,7 +2,9 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: trident-csi
name: trident-node-linux
labels:
app: node.csi.trident.netapp.io
# STX_change: add imagePullSecrets
imagePullSecrets:
- name: {{ trident_secret_name }}


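--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: policy/v1
-kind: PodSecurityPolicy
-metadata:
-  name: tridentpods
-spec:
-  privileged: true
-  allowPrivilegeEscalation: true
-  hostIPC: true
-  hostPID: true
-  hostNetwork: true
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  runAsUser:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  volumes:
-    - hostPath
-    - projected
-    - emptyDir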