add hostpath storageclass and csi drivers

Signed-off-by: Huamin Chen <[email protected]>

charts/images.yaml

@@ -10,4 +10,28 @@ images:
 - name: cloud-controller-manager
   sourceRepository: https://github.com/kubevirt/cloud-provider-kubevirt
   repository: eu.gcr.io/gardener-project/gardener/kubevirt-cloud-controller-manager
-  tag: "v0.0.8"
+  tag: "v0.0.8"
+- name: csi-attacher
+  sourceRepository: https://github.com/kubernetes-csi/external-attacher
+  repository: quay.io/k8scsi/csi-attacher
+  tag: "v3.0.0-rc1"
+- name: csi-provisioner
+  sourceRepository: https://github.com/kubernetes-csi/external-provisioner
+  repository: gcr.io/k8s-staging-sig-storage/csi-provisioner
+  tag: "v2.0.0-rc2"
+- name: csi-resizer
+  sourceRepository: https://github.com/kubernetes-csi/external-resizer
+  repository: quay.io/k8scsi/csi-resizer
+  tag: "v0.6.0-rc1"
+- name: csi-liverness-probe
+  sourceRepository: https://github.com/kubernetes-csi/livenessprobe
+  repository:   quay.io/k8scsi/livenessprobe
+  tag: "v1.1.0"
+- name: csi-driver-registrar
+  sourceRepository: https://github.com/kubernetes-csi/node-driver-registrar
+  repository: quay.io/k8scsi/csi-node-driver-registrar
+  tag: v1.1.0
+- name: csi-hostpath-driver
+  sourceRepository: https://github.com/kubernetes-csi/csi-driver-host-path
+  repository: quay.io/k8scsi/hostpathplugin
+  tag: "v1.4.0-rc2"

charts/internal/seed-controlplane/charts/csi-hostpath/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Helm chart for kubernetes CSI components including external-attacher, external-provisioner, external-resizer
+name: csi-hostpath
+version: 0.1.0

charts/internal/seed-controlplane/charts/csi-hostpath/templates/csi-attacher.yaml

@@ -0,0 +1,60 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: csi-attacher
+  labels:
+    app: csi-attacher
+spec:
+  selector:
+    app: csi-attacher
+  ports:
+    - name: dummy
+      port: 12345
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: csi-attacher
+spec:
+  serviceName: "csi-attacher"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: csi-attacher
+  template:
+    metadata:
+      labels:
+        app: csi-attacher
+    spec:
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - csi-hostpathplugin
+            topologyKey: kubernetes.io/hostname
+      serviceAccountName: csi-attacher
+      containers:
+        - name: csi-attacher
+          image: {{ index .Values.images "csi-attacher" }}
+          args:
+            - --v=5
+            - --csi-address=/csi/csi.sock
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
+          volumeMounts:
+          - mountPath: /csi
+            name: socket-dir
+
+      volumes:
+        - hostPath:
+            path: /var/lib/kubelet/plugins/csi-hostpath
+            type: DirectoryOrCreate
+          name: socket-dir

charts/internal/seed-controlplane/charts/csi-hostpath/templates/csi-provisioner.yaml

@@ -0,0 +1,62 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: csi-provisioner 
+  namespace: kube-system  
+  labels:
+    app: csi-provisioner 
+spec:
+  selector:
+    app: csi-provisioner 
+  ports:
+    - name: dummy
+      port: 12345
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: csi-provisioner
+  namespace: kube-system  
+spec:
+  serviceName: "csi-provisioner"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: csi-provisioner
+  template:
+    metadata:
+      labels:
+        app: csi-provisioner
+    spec:
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - csi-hostpathplugin
+            topologyKey: kubernetes.io/hostname
+      serviceAccountName: csi-provisioner
+      containers:
+        - name: csi-provisioner
+          image: {{ index .Values.images "csi-provisioner" }}
+          args:
+            - -v=5
+            - --csi-address=/csi/csi.sock
+            - --feature-gates=Topology=true
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+      volumes:
+        - hostPath:
+            path: /var/lib/kubelet/plugins/csi-hostpath
+            type: DirectoryOrCreate
+          name: socket-dir

charts/internal/seed-controlplane/charts/csi-hostpath/templates/csi-resizer.yaml

@@ -0,0 +1,61 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: csi-resizer
+  namespace: kube-system  
+  labels:
+    app: csi-resizer
+spec:
+  selector:
+    app: csi-resizer
+  ports:
+    - name: dummy
+      port: 12345
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: csi-resizer
+  namespace: kube-system  
+spec:
+  serviceName: "csi-resizer"
+  replicas: 1
+  selector:
+    matchLabels:
+      app: csi-resizer
+  template:
+    metadata:
+      labels:
+        app: csi-resizer
+    spec:
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - csi-hostpathplugin
+            topologyKey: kubernetes.io/hostname
+      serviceAccountName: csi-resizer
+      containers:
+        - name: csi-resizer
+          image: {{ index .Values.images "csi-resizer" }}
+          args:
+            - -v=5
+            - -csi-address=/csi/csi.sock
+          securityContext:
+            # This is necessary only for systems with SELinux, where
+            # non-privileged sidecar containers cannot access unix domain socket
+            # created by privileged CSI driver container.
+            privileged: true
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+      volumes:
+        - hostPath:
+            path: /var/lib/kubelet/plugins/csi-hostpath
+            type: DirectoryOrCreate
+          name: socket-dir

charts/internal/seed-controlplane/charts/csi-hostpath/values.yaml

@@ -0,0 +1,4 @@
+images:
+  csi-attacher: image-repository:image-tag
+  csi-provisioner: image-repository:image-tag
+  csi-resizer: image-repository:image-tag

charts/internal/shoot-storageclasses/templates/hostpath-storageclass.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: csi-hostpath-sc
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: hostpath.csi.k8s.io
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true

charts/internal/shoot-system-components/charts/csi-hostpath/Chart.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+description: a hostpath provisioner for shoot control plane
+name: csi-hostpath
+version: 0.1.0

charts/internal/shoot-system-components/charts/csi-hostpath/templates/csi-attacher-rbac.yaml

@@ -0,0 +1,77 @@
+# This YAML file contains all RBAC objects that are necessary to run external
+# CSI attacher.
+#
+# In production, each CSI driver deployment has to be customized:
+# - to avoid conflicts, use non-default namespace and different names
+#   for non-namespaced entities like the ClusterRole
+# - decide whether the deployment replicates the external CSI
+#   attacher, in which case leadership election must be enabled;
+#   this influences the RBAC setup, see below
+
+# Attacher must be able to work with PVs, nodes and VolumeAttachments
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gardener.cloud:csi-attacher
+rules:
+- apiGroups: [""]
+  resources: ["persistentvolumes"]
+  verbs: ["get", "list", "watch", "update"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list", "watch", "update"]
+{{- if semverCompare "< 1.14" .Values.kubernetesVersion }}
+- apiGroups: ["csi.storage.k8s.io"]
+  resources: ["csinodeinfos"]
+  verbs: ["get", "list", "watch"]
+{{- else }}
+- apiGroups: ["storage.k8s.io"]
+  resources: ["csinodes"]
+  verbs: ["get", "list", "watch"]
+{{- end }}
+- apiGroups: ["storage.k8s.io"]
+  resources: ["volumeattachments"]
+  verbs: ["get", "list", "watch", "update"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create", "patch", "update"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: gardener.cloud:csi-attacher
+subjects:
+- kind: User
+  name: system:csi-attacher
+roleRef:
+  kind: ClusterRole
+  name: gardener.cloud:csi-attacher
+  apiGroup: rbac.authorization.k8s.io
+
+{{- if semverCompare ">= 1.14" .Values.kubernetesVersion }}
+---
+# Attacher must be able to work with config map in current namespace
+# if (and only if) leadership election is enabled
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: kube-system
+  name: csi-attacher
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "watch", "list", "delete", "update", "create"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-attacher
+  namespace: kube-system
+subjects:
+  - kind: User
+    name: system:csi-attacher
+roleRef:
+  kind: Role
+  name: csi-attacher
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}

charts/internal/shoot-system-components/charts/csi-hostpath/templates/csi-hostpath-driverinfo.yaml

@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1beta1
+kind: CSIDriver
+metadata:
+  name: hostpath.csi.k8s.io
+spec:
+  # Supports persistent and ephemeral inline volumes.
+  volumeLifecycleModes:
+  - Persistent
+  - Ephemeral
+  # To determine at runtime which mode a volume uses, pod info and its
+  # "csi.storage.k8s.io/ephemeral" entry are needed.
+  podInfoOnMount: true