Init k3s cluster with Terraform-provisioned AWS S3 bucket for Jafner.dev
- Add Terraform statefiles to gitignore
    - Add *.secret.yml to gitignore for k8s secrets manifests
- Init the "sellswords" directory for Terraform code interacting with public cloud providers.
    - Provision S3 bucket "Jafner-dev" to store static site files.
    - Describe CORS and access policies to apply to the bucket.
    - Throw in a budget to prevent nasty surprises.
- Init "silver-hand" directory for Kubernetes manifests to be used with the local K3s cluster.
    - Datashim manifest to facilitate abstracted interaction with S3 bucket.
    - Kubernetes-dashboard to visualize cluster state.
    - Jafner-dev to serve contents of S3 bucket.

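# Rendered Datashim chart (helm template output, release "default", namespace "dlf").
# Indentation was lost in this copy, which makes every document below invalid YAML
# (nested keys collapsed to the top level); the structure is restored here.
#
# ServiceAccounts. Each one is the identity of a CSI sidecar, node plugin or the
# operator, and is bound to a ClusterRole/Role later in this file. Review the
# bindings together with the workloads that use them.
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml
# This YAML file contains RBAC API objects that are necessary to run external
# CSI attacher for nfs flex adapter
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-attacher-nfs
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml
# This YAML defines all API objects to create RBAC roles for CSI node plugin
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-nodeplugin
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
---
# Source: datashim-charts/charts/csi-s3-chart/templates/csi-s3.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-s3
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml
# This YAML file contains all RBAC objects that are necessary to run external
# CSI attacher.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   attacher, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-attacher
  # replace with non-default namespace name
  namespace: dlf
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml
# This YAML file contains all RBAC objects that are necessary to run external
# CSI provisioner.
#
# In production, each CSI driver deployment has to be customized:
# - to avoid conflicts, use non-default namespace and different names
#   for non-namespaced entities like the ClusterRole
# - decide whether the deployment replicates the external CSI
#   provisioner, in which case leadership election must be enabled;
#   this influences the RBAC setup, see below
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-provisioner
  # replace with non-default namespace name
  namespace: dlf
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
---
# Source: datashim-charts/charts/dataset-operator-chart/templates/rbac/service_account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dataset-operator
  labels:
    helm.sh/chart: dataset-operator-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf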
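---
# Source: datashim-charts/charts/dataset-operator-chart/templates/secrets/server-tls.yaml
# Serving certificate for the operator's admission webhook; mounted read-only by
# the dataset-operator Deployment at /tmp/k8s-webhook-server/serving-certs.
apiVersion: v1
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: dlf
  name: webhook-server-tls
  namespace: dlf
type: kubernetes.io/tls
data:
  # Placeholder values only: both decode to the string "bar\n", not to a
  # certificate or key. The Deployment's "generate-keys" init container is
  # presumably what populates real material at runtime — TODO confirm.
  # Real key material must never be committed here; keep it in a
  # *.secret.yml (gitignored per the commit message) or an external secret store.
  tls.crt: YmFyCg==
  tls.key: YmFyCg==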
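---
# Source: datashim-charts/charts/csi-s3-chart/templates/storageclass.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: csi-s3
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
provisioner: ch.ctrox.csi.s3-driver
parameters:
  # specify which mounter to use
  # can be set to s3fs, goofys
  # OTHER OPTIONS NOT WORKING!
  mounter: goofys
  # S3 credentials are resolved per PVC: the driver and its sidecars read a
  # Secret named after the PVC, in the PVC's namespace, for every CSI stage.
  # This is why the csi-s3 and external-provisioner ClusterRoles below carry
  # "secrets" get/list; anyone who can create a PVC in a namespace therefore
  # selects which Secret of that namespace is handed to the driver.
  csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/controller-publish-secret-name: ${pvc.name}
  csi.storage.k8s.io/controller-publish-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-stage-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}
  csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}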
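---
# Source: datashim-charts/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasetinternals_crd.yaml
# Internal mirror of the Dataset CRD, generated by controller-gen.
# Note that "local", "remote", "url" and "extract" are unconstrained strings in
# this schema; any validation of their contents happens in the operator, not at
# the API server.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: datasetsinternal.datashim.io
spec:
  group: datashim.io
  names:
    kind: DatasetInternal
    listKind: DatasetInternalList
    plural: datasetsinternal
    singular: datasetinternal
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: DatasetInternal is the Schema for the datasetsinternal API
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: DatasetSpec defines the desired state of Dataset
              properties:
                extract:
                  type: string
                format:
                  type: string
                local:
                  additionalProperties:
                    type: string
                  description: Foo is an example field of Dataset. Edit dataset_types.go
                    to remove/update
                  type: object
                remote:
                  additionalProperties:
                    type: string
                  type: object
                type:
                  description: TODO temp definition for archive
                  type: string
                url:
                  type: string
              type: object
            status:
              description: DatasetInternalStatus defines the observed state of DatasetInternal
              properties:
                caching:
                  properties:
                    placements:
                      properties:
                        datalocations:
                          items:
                            properties:
                              key:
                                type: string
                              value:
                                type: string
                            type: object
                          type: array
                        gateways:
                          items:
                            properties:
                              key:
                                type: string
                              value:
                                type: string
                            type: object
                          type: array
                      type: object
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []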
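---
# Source: datashim-charts/charts/dataset-operator-chart/templates/crds/com.ie.ibm.hpsys_datasets_crd.yaml
# User-facing Dataset CRD, generated by controller-gen. The spec schema is the
# same free-form one as DatasetInternal (string fields, no patterns or enums), so
# the operator is the only place where connection details are validated.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.8.0
  creationTimestamp: null
  name: datasets.datashim.io
spec:
  group: datashim.io
  names:
    kind: Dataset
    listKind: DatasetList
    plural: datasets
    singular: dataset
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: Dataset is the Schema for the datasets API
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: DatasetSpec defines the desired state of Dataset
              properties:
                extract:
                  type: string
                format:
                  type: string
                local:
                  additionalProperties:
                    type: string
                  description: Foo is an example field of Dataset. Edit dataset_types.go
                    to remove/update
                  type: object
                remote:
                  additionalProperties:
                    type: string
                  type: object
                type:
                  description: TODO temp definition for archive
                  type: string
                url:
                  type: string
              type: object
            status:
              description: DatasetStatus defines the observed state of Dataset
              properties:
                caching:
                  properties:
                    info:
                      type: string
                    status:
                      type: string
                  type: object
                provision:
                  properties:
                    info:
                      type: string
                    status:
                      type: string
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources:
        status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []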
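# ClusterRoles. These are cluster-scoped, so a "namespace:" under metadata has no
# effect on them (the API server disregards it for cluster-scoped kinds); it is
# kept here only because the chart emits it.
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-attacher-runner-nfs
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml
# Used by the csi-nodeplugin-nfsplugin DaemonSet, i.e. by a privileged pod on
# every node. "update" on nodes and volumeattachments is wider than a node
# plugin typically needs; worth confirming against the driver before trimming.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-nodeplugin
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update"]
---
# Source: datashim-charts/charts/csi-s3-chart/templates/csi-s3.yaml
# Used by the csi-s3 DaemonSet (privileged, every node). "secrets" get/list is
# cluster-wide here: the StorageClass resolves the per-PVC credential Secret by
# name, which only needs "get"; "list" additionally exposes every Secret in the
# cluster to the node plugin's token. Consider dropping "list" if the driver
# works without it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-s3
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "update"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "create"]
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml
# Attacher must be able to work with PVs, CSINodes and VolumeAttachments
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-attacher-runner
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
rules:
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "update", "patch"]  # Adding "update"
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "update", "patch", "create"]  # Adding "update"
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments/status"]
    verbs: ["patch"]
  # Secret permission is optional.
  # Enable it if you need value from secret.
  # For example, you have key `csi.storage.k8s.io/controller-publish-secret-name` in StorageClass.parameters
  # see https://kubernetes-csi.github.io/docs/secrets-and-credentials.html
  # The csi-s3 StorageClass above does set controller-publish-secret-name, so
  # the attacher may need this rule; it is left disabled as the chart ships it.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["get", "list"]
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: external-provisioner-runner
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
rules:
  # The following rule should be uncommented for plugins that require secrets
  # for provisioning. #Enabling secrets
  # (Enabled here because the csi-s3 StorageClass references a
  # provisioner-secret; this is again a cluster-wide get/list on Secrets.)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["get", "list"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["get", "list"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["csinodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Access to volumeattachments is only needed when the CSI driver
  # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
  # In that case, external-provisioner will watch volumeattachments
  # to determine when it is safe to delete a volume.
  - apiGroups: ["storage.k8s.io"]
    resources: ["volumeattachments"]
    verbs: ["get", "list", "watch", "create"]
---
# Source: datashim-charts/charts/dataset-operator-chart/templates/rbac/role.yaml
# Highest-privilege role in this file. Wildcard verbs on core "secrets",
# "configmaps" and "pods" in every namespace, on all of storage.k8s.io and
# objectbucket.io, and on mutatingwebhookconfigurations. The last one lets the
# operator's ServiceAccount install admission webhooks that rewrite arbitrary
# API objects, so a compromise of the dataset-operator pod is close to
# cluster-admin. Mitigations: keep the operator in its own namespace with no
# other workloads, alert on changes to MutatingWebhookConfiguration objects,
# and narrow the wildcards once the operator's actual API usage is known.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: dataset-operator
  labels:
    helm.sh/chart: dataset-operator-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - persistentvolumeclaims
      - persistentvolumes
      - events
      - configmaps
      - secrets
    verbs:
      - '*'
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - replicasets
      - statefulsets
    verbs:
      - '*'
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - get
      - create
  - apiGroups:
      - apps
    resourceNames:
      - dataset-operator
    resources:
      - deployments/finalizers
    verbs:
      - update
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
  - apiGroups:
      - apps
    resources:
      - replicasets
    verbs:
      - get
  - apiGroups:
      - datashim.io
    resources:
      - '*'
      - datasetsinternal
      - datasets
    verbs:
      - '*'
  - apiGroups:
      - storage.k8s.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - objectbucket.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - batch
      - extensions
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete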
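# ClusterRoleBindings: each ServiceAccount above gets the matching ClusterRole.
# All subjects live in namespace "dlf"; the grants themselves are cluster-wide.
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-attacher-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role-nfs
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-attacher-nfs
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: external-attacher-runner-nfs
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-nodeplugin-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-nodeplugin
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-nodeplugin
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: csi-nodeplugin
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/csi-s3-chart/templates/csi-s3.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-s3
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-s3
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: csi-s3
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: external-attacher-runner
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/dataset-operator-chart/templates/rbac/role_binding.yaml
# Binds the wildcard-heavy dataset-operator ClusterRole; see the note on that role.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dataset-operator
  labels:
    helm.sh/chart: dataset-operator-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
subjects:
  - kind: ServiceAccount
    name: dataset-operator
    namespace: dlf
roleRef:
  kind: ClusterRole
  name: dataset-operator
  apiGroup: rbac.authorization.k8s.io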
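# Namespaced Roles and RoleBindings for the sidecars' leader election and
# capacity tracking; all scoped to "dlf".
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml
# Attacher must be able to work with configmaps or leases in the current namespace
# if (and only if) leadership election is enabled
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # replace with non-default namespace name
  namespace: dlf
  name: external-attacher-cfg
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
rules:
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml
# Provisioner must be able to work with endpoints in current namespace
# if (and only if) leadership election is enabled
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # replace with non-default namespace name
  namespace: dlf
  name: external-provisioner-cfg
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
rules:
  # Only one of the following rules for endpoints or leases is required based on
  # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases.
  # Both are granted here; the unused one can be removed once the election
  # type used by the provisioner in this cluster is confirmed.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  # Permissions for CSIStorageCapacity are only needed enabling the publishing
  # of storage capacity information.
  - apiGroups: ["storage.k8s.io"]
    resources: ["csistoragecapacities"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # The GET permissions below are needed for walking up the ownership chain
  # for CSIStorageCapacity. They are sufficient for deployment via
  # StatefulSet (only needs to get Pod) and Deployment (needs to get
  # Pod and then ReplicaSet to find the Deployment).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get"]
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/attacher-rbac.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-attacher-role-cfg
  # replace with non-default namespace name
  namespace: dlf
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-attacher
    # replace with non-default namespace name
    namespace: dlf
roleRef:
  kind: Role
  name: external-attacher-cfg
  apiGroup: rbac.authorization.k8s.io
---
# Source: datashim-charts/charts/csi-sidecars-rbac/templates/provisioner-rbac.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-provisioner-role-cfg
  # replace with non-default namespace name
  namespace: dlf
  labels:
    helm.sh/chart: csi-sidecars-rbac-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
subjects:
  - kind: ServiceAccount
    name: csi-provisioner
    # replace with non-default namespace name
    namespace: dlf
roleRef:
  kind: Role
  name: external-provisioner-cfg
  apiGroup: rbac.authorization.k8s.io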
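# Services. The three "dummy" port-12345 Services exist only to give the
# attacher/provisioner StatefulSets a serviceName; nothing is expected to
# listen on that port. The webhook-server Service fronts the operator's
# admission webhook on 443.
---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml
# This YAML file contains attacher & csi driver API objects that are necessary
# to run external CSI attacher for nfs
kind: Service
apiVersion: v1
metadata:
  name: csi-attacher-nfsplugin
  namespace: dlf
  labels:
    app: csi-attacher-nfsplugin
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  selector:
    app: csi-attacher-nfsplugin
  ports:
    - name: dummy
      port: 12345
---
# Source: datashim-charts/charts/csi-s3-chart/templates/attacher.yaml
# needed for StatefulSet
kind: Service
apiVersion: v1
metadata:
  name: csi-attacher-s3
  namespace: dlf
  labels:
    app: csi-attacher-s3
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  selector:
    app: csi-attacher-s3
  ports:
    - name: dummy
      port: 12345
---
# Source: datashim-charts/charts/csi-s3-chart/templates/provisioner.yaml
kind: Service
apiVersion: v1
metadata:
  name: csi-provisioner-s3
  namespace: dlf
  labels:
    app: csi-provisioner-s3
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  selector:
    app: csi-provisioner-s3
  ports:
    - name: dummy
      port: 12345
---
# Source: datashim-charts/charts/dataset-operator-chart/templates/apps/operator.yaml
# Targets the "webhook-api" container port (9443) of the dataset-operator
# Deployment; TLS is served from the webhook-server-tls Secret.
apiVersion: v1
kind: Service
metadata:
  name: webhook-server
  labels:
    helm.sh/chart: dataset-operator-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: webhook-api
  selector:
    name: dataset-operator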
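---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-nodeplugin-nfsplugin.yaml
# This YAML file contains driver-registrar & csi driver nodeplugin API objects
# that are necessary to run CSI nodeplugin for nfs
#
# Security posture of this DaemonSet: the "nfs" container is privileged with
# CAP_SYS_ADMIN, shares the host network, and mounts /var/lib/kubelet/pods with
# Bidirectional propagation. That is inherent to a CSI node plugin (it performs
# mounts on the host) but means a compromise of the container is equivalent to
# root on every node. The "dlf" namespace therefore needs the "privileged" Pod
# Security level, and anything else placed in it inherits that exemption —
# keep the namespace dedicated to Datashim. Both images are pulled by mutable
# tag (":latest" with imagePullPolicy Always, and a k8s.gcr.io tag from a
# registry that has since been frozen in favour of registry.k8s.io); pinning by
# digest is the usual mitigation for a privileged workload.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: csi-nodeplugin-nfsplugin
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
spec:
  selector:
    matchLabels:
      app: csi-nodeplugin-nfsplugin
  template:
    metadata:
      labels:
        helm.sh/chart: csi-nfs-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
        app: csi-nodeplugin-nfsplugin
    spec:
      serviceAccountName: csi-nodeplugin
      hostNetwork: true
      containers:
        - name: node-driver-registrar
          image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0"
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "-c", "rm -rf /registration/csi-nfsplugin /registration/csi-nfsplugin-reg.sock"]
          args:
            # --v=10 is maximum verbosity; check that node logs are not
            # shipped somewhere they could expose request details at this level.
            - --v=10
            - --csi-address=/plugin/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-nfsplugin/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - name: plugin-dir
              mountPath: /plugin
            - name: registration-dir
              mountPath: /registration
        - name: nfs
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          image: "quay.io/datashim-io/csi-nfs:latest"
          # was "args :" (space before the colon) in the rendered chart
          args:
            - "--nodeid=$(NODE_ID)"
            - "--endpoint=$(CSI_ENDPOINT)"
          env:
            - name: NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CSI_ENDPOINT
              # Note the form differs from the csi-s3 driver's
              # "unix:///csi/csi.sock": here there is no leading slash before
              # "plugin". Whether the NFS driver resolves this against its
              # working directory is not visible from this file — confirm it
              # actually binds /plugin/csi.sock, which is where the registrar looks.
              value: unix://plugin/csi.sock
          imagePullPolicy: "Always"
          volumeMounts:
            - name: plugin-dir
              mountPath: /plugin
            - name: pods-mount-dir
              mountPath: /var/lib/kubelet/pods
              mountPropagation: "Bidirectional"
      volumes:
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/csi-nfsplugin
            type: DirectoryOrCreate
        - name: pods-mount-dir
          hostPath:
            path: /var/lib/kubelet/pods
            type: Directory
        - hostPath:
            path: /var/lib/kubelet/plugins_registry
            type: Directory
          name: registration-dir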
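---
# Source: datashim-charts/charts/csi-s3-chart/templates/csi-s3.yaml
# Node plugin for the S3 driver, one pod per node. The "csi-s3" container is
# privileged, mounts /var/lib/kubelet/pods Bidirectionally and also mounts the
# host's /dev (needed by FUSE mounters such as goofys/s3fs). As with the NFS
# plugin, treat the container as node-root: dedicated namespace with the
# "privileged" Pod Security level, and prefer digest-pinned images over the
# ":latest" tag used here. Unlike the NFS plugin this DaemonSet does not use
# hostNetwork.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: csi-s3
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
spec:
  selector:
    matchLabels:
      app: csi-s3
  template:
    metadata:
      labels:
        helm.sh/chart: csi-s3-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
        app: csi-s3
    spec:
      serviceAccountName: csi-s3
      containers:
        - name: driver-registrar
          # k8s.gcr.io has been frozen; new pulls should come from registry.k8s.io.
          image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.3.0"
          imagePullPolicy: Always
          args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-s3/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            privileged: false
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            - mountPath: /registration
              name: registration-dir
        - name: csi-s3
          image: "quay.io/datashim-io/csi-s3:latest"
          imagePullPolicy: Always
          args:
            - "--v=5"
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--nodeid=$(KUBE_NODE_NAME)"
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
            - name: cheap
              # quoted on purpose: a bare "off" would be parsed as boolean false
              value: "off"
          securityContext:
            privileged: true
          # ports:
          #   - containerPort: 9898
          #     name: healthz
          #     protocol: TCP
          # TODO make it configurable and build it for ppc64le
          # livenessProbe:
          #   failureThreshold: 5
          #   httpGet:
          #     path: /healthz
          #     port: healthz
          #   initialDelaySeconds: 10
          #   timeoutSeconds: 3
          #   periodSeconds: 2
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
            - mountPath: /var/lib/kubelet/pods
              mountPropagation: Bidirectional
              name: mountpoint-dir
            - mountPath: /dev
              name: dev-dir
        ## TODO make it configurable and build it for ppc64le
        # - name: liveness-probe
        #   volumeMounts:
        #     - mountPath: /csi
        #       name: socket-dir
        #   image: quay.io/k8scsi/livenessprobe:v1.1.0
        #   args:
        #     - --csi-address=/csi/csi.sock
        #     - --health-port=9898
      volumes:
        - hostPath:
            path: /var/lib/kubelet/plugins/csi-s3
            type: DirectoryOrCreate
          name: socket-dir
        - hostPath:
            path: /var/lib/kubelet/pods
            type: DirectoryOrCreate
          name: mountpoint-dir
        - hostPath:
            path: /var/lib/kubelet/plugins_registry
            type: Directory
          name: registration-dir
        - hostPath:
            path: /dev
            type: Directory
          name: dev-dir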
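---
# Source: datashim-charts/charts/dataset-operator-chart/templates/apps/operator.yaml
# The operator runs with the dataset-operator ServiceAccount, whose ClusterRole
# carries wildcard grants (see the role above); this pod is the most valuable
# target in the namespace and should not share it with other workloads.
# The image is ":latest" with imagePullPolicy Always, so every restart may run
# different code; pin a digest for reproducible deployments.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dataset-operator
  labels:
    helm.sh/chart: dataset-operator-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
  namespace: dlf
spec:
  replicas: 1
  selector:
    matchLabels:
      name: dataset-operator
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "false"
      labels:
        name: dataset-operator
        helm.sh/chart: dataset-operator-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
    spec:
      serviceAccountName: dataset-operator
      initContainers:
        # Presumably generates the webhook serving certificate and writes it
        # into the webhook-server-tls Secret (whose committed contents are
        # placeholders) — not visible from this file, confirm against the image.
        - name: generate-keys
          image: "quay.io/datashim-io/generate-keys:latest"
          imagePullPolicy: Always
          env:
            - name: DATASET_OPERATOR_NAMESPACE
              value: dlf
      containers:
        - name: dataset-operator
          # Replace this with the built image name
          image: "quay.io/datashim-io/dataset-operator:latest"
          command:
            - /manager
          imagePullPolicy: Always
          ports:
            - containerPort: 9443
              name: webhook-api
          env:
            # An empty WATCH_NAMESPACE conventionally means "all namespaces"
            # for operator-sdk based controllers — confirm for this operator.
            - name: WATCH_NAMESPACE
              value: ""
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: "dataset-operator"
            - name: OPERATOR_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: webhook-tls-certs
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
      volumes:
        - name: webhook-tls-certs
          secret:
            secretName: webhook-server-tls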
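---
# Source: datashim-charts/charts/csi-nfs-chart/templates/csi-attacher-nfsplugin.yaml
# Controller-side attacher for the NFS driver: the external-attacher sidecar and
# the driver share a socket over an emptyDir. Neither container is privileged
# here, and the pod uses the csi-attacher-nfs ServiceAccount (bound to
# external-attacher-runner-nfs).
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: csi-attacher-nfsplugin
  namespace: dlf
  labels:
    helm.sh/chart: csi-nfs-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  selector:
    matchLabels:
      app: csi-attacher-nfsplugin
  serviceName: "csi-attacher-nfsplugin"
  replicas: 1
  template:
    metadata:
      labels:
        helm.sh/chart: csi-nfs-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
        app: csi-attacher-nfsplugin
    spec:
      serviceAccountName: csi-attacher-nfs
      containers:
        - name: csi-attacher
          # k8s.gcr.io has been frozen; new pulls should come from registry.k8s.io.
          image: "k8s.gcr.io/sig-storage/csi-attacher:v3.3.0"
          args:
            # maximum verbosity; see note on the node plugin's registrar
            - "--v=10"
            - "--csi-address=$(ADDRESS)"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
        - name: nfs
          image: "quay.io/datashim-io/csi-nfs:latest"
          # was "args :" (space before the colon) in the rendered chart
          args:
            - "--nodeid=$(NODE_ID)"
            - "--endpoint=$(CSI_ENDPOINT)"
          env:
            - name: NODE_ID
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CSI_ENDPOINT
              # Same "unix://plugin/..." form (no leading slash) as in the node
              # plugin DaemonSet; the attacher expects the socket at /csi/csi.sock,
              # which is the same emptyDir mounted at /plugin here — confirm the
              # driver really creates /plugin/csi.sock.
              value: unix://plugin/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /plugin
      volumes:
        - name: socket-dir
          emptyDir: {}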
---
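# Source: datashim-charts/charts/csi-s3-chart/templates/attacher.yaml
# External-attacher sidecar for the s3 CSI driver. Unlike the NFS pairing, the
# driver is not in this pod: the sidecar reaches it through a hostPath socket
# directory under the kubelet plugin tree.
#
# Note: the CSIDriver object for this driver (driver.yaml in this file) sets
# attachRequired: false, so Kubernetes creates no VolumeAttachment objects for
# it and this sidecar has nothing to process.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: csi-attacher-s3
  namespace: dlf
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  serviceName: "csi-attacher-s3"
  replicas: 1
  selector:
    matchLabels:
      app: csi-attacher-s3
  template:
    metadata:
      labels:
        helm.sh/chart: csi-s3-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
        app: csi-attacher-s3
    spec:
      serviceAccountName: csi-attacher
      containers:
        - name: csi-attacher
          # k8s.gcr.io is frozen; registry.k8s.io serves the same tag and
          # receives new releases. Same image, canonical registry.
          image: "registry.k8s.io/sig-storage/csi-attacher:v3.3.0"
          imagePullPolicy: Always
          args:
            - --v=5
            - --csi-address=/csi/csi.sock
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            # privileged grants this sidecar full access to the node, while all
            # it needs is one socket; on nodes without SELinux this can be
            # dropped.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
      volumes:
        - hostPath:
            # Shared with the driver on the same node (presumably the csi-s3
            # node plugin, defined outside this document), which creates
            # csi.sock here.
            path: /var/lib/kubelet/plugins/csi-s3
            type: DirectoryOrCreate
          name: socket-dir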
---
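# Source: datashim-charts/charts/csi-s3-chart/templates/provisioner.yaml
# External-provisioner sidecar for the s3 CSI driver. Like the s3 attacher it
# reaches the driver through a hostPath socket directory under the kubelet
# plugin tree rather than a shared emptyDir.
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: csi-provisioner-s3
  namespace: dlf
  labels:
    helm.sh/chart: csi-s3-chart-0.1.0
    app.kubernetes.io/name: datashim
    app.kubernetes.io/instance: default
    app.kubernetes.io/managed-by: Helm
    meta.helm.sh/release-name: default
    meta.helm.sh/release-namespace: dlf
spec:
  serviceName: "csi-provisioner-s3"
  replicas: 1
  selector:
    matchLabels:
      app: csi-provisioner-s3
  template:
    metadata:
      # Chart labels added to the pod template for consistency with the other
      # workloads in this file; the selector still matches on `app` only.
      labels:
        helm.sh/chart: csi-s3-chart-0.1.0
        app.kubernetes.io/name: datashim
        app.kubernetes.io/instance: default
        app.kubernetes.io/managed-by: Helm
        meta.helm.sh/release-name: default
        meta.helm.sh/release-namespace: dlf
        app: csi-provisioner-s3
    spec:
      serviceAccountName: csi-provisioner
      containers:
        - name: csi-provisioner
          # k8s.gcr.io is frozen; registry.k8s.io serves the same tag and
          # receives new releases. Same image, canonical registry.
          image: "registry.k8s.io/sig-storage/csi-provisioner:v2.2.2"
          imagePullPolicy: Always
          args:
            # Double-dash form for consistency with the other sidecars in this
            # file; Go's flag parser accepts both spellings.
            - --v=5
            - --csi-address=/csi/csi.sock
            - --feature-gates=Topology=true
          securityContext:
            # This is necessary only for systems with SELinux, where
            # non-privileged sidecar containers cannot access unix domain socket
            # created by privileged CSI driver container.
            # privileged grants this sidecar full access to the node, while all
            # it needs is one socket; on nodes without SELinux this can be
            # dropped.
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: socket-dir
      volumes:
        - hostPath:
            # Shared with the driver on the same node (presumably the csi-s3
            # node plugin, defined outside this document), which creates
            # csi.sock here.
            path: /var/lib/kubelet/plugins/csi-s3
            type: DirectoryOrCreate
          name: socket-dir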
---
# Source: datashim-charts/charts/csi-s3-chart/templates/driver.yaml
# Registers the s3 CSI driver with the cluster. Key order follows the
# StatefulSet documents in this file (kind first).
kind: CSIDriver
apiVersion: storage.k8s.io/v1
metadata:
  name: ch.ctrox.csi.s3-driver
spec:
  # false: Kubernetes skips the attach/detach step for this driver, so no
  # VolumeAttachment objects are created for it and the csi-attacher-s3 sidecar
  # elsewhere in this file has nothing to act on.
  attachRequired: false
  # false: the driver is not given pod metadata (name, namespace, UID,
  # service account) on NodePublishVolume.
  podInfoOnMount: false
  # Only PVC-backed volumes; Ephemeral (inline CSI volumes) is deliberately
  # not enabled.
  volumeLifecycleModes:
    - Persistent
---
# Source: datashim-charts/charts/dataset-operator-chart/templates/apps/webhook-definition.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: dlf-mutating-webhook-cfg