diff --git a/system/linstor/.helmignore b/system/linstor/.helmignore
new file mode 100644
index 00000000..1e107f52
--- /dev/null
+++ b/system/linstor/.helmignore
@@ -0,0 +1 @@
+examples
diff --git a/system/linstor/Chart.yaml b/system/linstor/Chart.yaml
new file mode 100644
index 00000000..0aa33800
--- /dev/null
+++ b/system/linstor/Chart.yaml
@@ -0,0 +1,2 @@
+name: app
+version: 0.0.0
diff --git a/system/linstor/Makefile b/system/linstor/Makefile
new file mode 100644
index 00000000..f6bd5a15
--- /dev/null
+++ b/system/linstor/Makefile
@@ -0,0 +1 @@
+include ../../hack/app-helm.mk
diff --git a/system/linstor/README.md b/system/linstor/README.md
new file mode 100644
index 00000000..1708af21
--- /dev/null
+++ b/system/linstor/README.md
@@ -0,0 +1,9 @@
+# LINSTOR
+
+DRBD and LVM storage provisioner
+
+- Docs: https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/
+- Docs: https://habr.com/ru/companies/flant/articles/680286/
+- Github: https://github.com/LINBIT/linstor-server
+- Docs: https://piraeus.io/site/docs/intro/
+- Github: https://github.com/piraeusdatastore/piraeus-operator
diff --git a/system/linstor/examples/1.yaml b/system/linstor/examples/1.yaml
new file mode 100644
index 00000000..e43081e8
--- /dev/null
+++ b/system/linstor/examples/1.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: myclaim
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 8Gi
+ #storageClassName: linstor-lvm
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+spec:
+ containers:
+ - name: myfrontend
+ image: nginx
+ volumeMounts:
+ - mountPath: "/var/www/html"
+ name: mypd
+ volumes:
+ - name: mypd
+ persistentVolumeClaim:
+ claimName: myclaim
diff --git a/system/linstor/hack/proxmox-install-module.sh b/system/linstor/hack/proxmox-install-module.sh
new file mode 100644
index 00000000..679a53ed
--- /dev/null
+++ b/system/linstor/hack/proxmox-install-module.sh
@@ -0,0 +1,9 @@
+wget -O /tmp/package-signing-pubkey.asc https://packages.linbit.com/package-signing-pubkey.asc
+gpg --yes -o /etc/apt/trusted.gpg.d/linbit-keyring.gpg --dearmor /tmp/package-signing-pubkey.asc
+PVERS=$(pveversion | awk -F'[/.]' '{print $2}')
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/public/ proxmox-$PVERS drbd-9" > /etc/apt/sources.list
+apt update && apt -y install drbd-dkms
+echo "options drbd usermode_helper=disabled" > /etc/modprobe.d/drbd.conf
+echo drbd > /etc/modules-load.d/drbd.conf
+modprobe drbd
+kubectl label node "${HOSTNAME}" node-role.kubernetes.io/linstor= --overwrite
diff --git a/system/linstor/templates/cluster.yaml b/system/linstor/templates/cluster.yaml
new file mode 100644
index 00000000..0e28aa2e
--- /dev/null
+++ b/system/linstor/templates/cluster.yaml
@@ -0,0 +1,15 @@
+apiVersion: piraeus.io/v1
+kind: LinstorCluster
+metadata:
+ name: linstorcluster
+spec:
+ nodeSelector:
+ node-role.kubernetes.io/linstor: ""
+ internalTLS:
+ certManager:
+ name: linstor-internal-ca
+ kind: Issuer
+ apiTLS:
+ certManager:
+ name: linstor-api-ca
+ kind: Issuer
diff --git a/system/linstor/templates/linstor-api-tls.yaml b/system/linstor/templates/linstor-api-tls.yaml
new file mode 100644
index 00000000..eeda9731
--- /dev/null
+++ b/system/linstor/templates/linstor-api-tls.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: linstor-api-ca
+ namespace: {{ .Release.namespace }}
+spec:
+ commonName: linstor-api-ca
+ secretName: linstor-api-ca
+ duration: 87600h # 10 years
+ isCA: true
+ usages:
+ - signing
+ - key encipherment
+ - cert sign
+ issuerRef:
+ name: ca-bootstrapper
+ kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: linstor-api-ca
+ namespace: {{ .Release.namespace }}
+spec:
+ ca:
+ secretName: linstor-api-ca
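Review bot: The fourth line redirects the LINBIT repository definition with `>` into `/etc/apt/sources.list`, which replaces every existing Debian and Proxmox repository on the host instead of adding one; write it to its own file instead, `> /etc/apt/sources.list.d/linbit.list`. The script also has no shebang and no `set -euo pipefail`, so a failing `pveversion` leaves `PVERS` empty and `apt update` still runs against a malformed suite name; `#!/usr/bin/env bash` and `set -euo pipefail` at the top would stop that. The repository URL is plain `http://` while the signing key is fetched over https from the same host; `signed-by` preserves package integrity, but serving the index over https as well (if the server offers it, which I could not confirm from here) would also keep the package list private and block metadata replay.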
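Review bot: `namespace: {{ .Release.namespace }}` uses a lowercase field that Helm's built-in `.Release` object does not provide; the field is `.Release.Namespace`, so as written the value renders empty and the Certificate and Issuer most likely only end up in the right namespace because Helm places namespace-less manifests into the release namespace. Both documents here, and both in `templates/linstor-internal-tls.yaml`, should read `namespace: {{ .Release.Namespace }}`. The `issuerRef` points at an Issuer named `ca-bootstrapper` that this chart does not define, presumably supplied by the `cert-manager` dependency listed in values.yaml; a comment above `issuerRef:` such as `# ca-bootstrapper is provided outside this chart and must exist in the release namespace` would tell the next maintainer where it comes from.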
diff --git a/system/linstor/templates/linstor-internal-tls.yaml b/system/linstor/templates/linstor-internal-tls.yaml
new file mode 100644
index 00000000..5d536625
--- /dev/null
+++ b/system/linstor/templates/linstor-internal-tls.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: linstor-internal-ca
+ namespace: {{ .Release.namespace }}
+spec:
+ commonName: linstor-internal-ca
+ secretName: linstor-internal-ca
+ duration: 87600h # 10 years
+ isCA: true
+ usages:
+ - signing
+ - key encipherment
+ - cert sign
+ issuerRef:
+ name: ca-bootstrapper
+ kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: linstor-internal-ca
+ namespace: {{ .Release.namespace }}
+spec:
+ ca:
+ secretName: linstor-internal-ca
diff --git a/system/linstor/templates/satellites.yaml b/system/linstor/templates/satellites.yaml
new file mode 100644
index 00000000..6510890d
--- /dev/null
+++ b/system/linstor/templates/satellites.yaml
@@ -0,0 +1,48 @@
+apiVersion: piraeus.io/v1
+kind: LinstorSatelliteConfiguration
+metadata:
+ name: linstor-satellites
+spec:
+ internalTLS:
+ certManager:
+ name: linstor-internal-ca
+ kind: Issuer
+ storagePools:
+ - name: "data"
+ lvmPool:
+ volumeGroup: "data"
+ patches:
+ - target:
+ kind: Pod
+ name: satellite
+ patch: |
+ apiVersion: v1
+ kind: Pod
+ metadata:
+ name: satellite
+ spec:
+ hostNetwork: true
+ initContainers:
+ - name: drbd-shutdown-guard
+ $patch: delete
+ - name: drbd-module-loader
+ $patch: delete
+ volumes:
+ - name: run-systemd-system
+ $patch: delete
+ - name: run-drbd-shutdown-guard
+ $patch: delete
+ - name: systemd-bus-socket
+ $patch: delete
+ - name: lib-modules
+ $patch: delete
+ - name: usr-src
+ $patch: delete
+ - name: etc-lvm-backup
+ hostPath:
+ path: /var/etc/lvm/backup
+ type: DirectoryOrCreate
+ - name: etc-lvm-archive
+ hostPath:
+ path: /var/etc/lvm/archive
+ type: DirectoryOrCreate
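Review bot: The satellite patch deletes the `drbd-module-loader` init container together with the `lib-modules` and `usr-src` volumes, so the satellite depends on the DRBD module already being loaded on every node, but nothing in the template records that requirement. A comment above `patches:` such as `# DRBD is loaded by the host (see hack/proxmox-install-module.sh); the operator's in-pod module loader and its host mounts are removed here` would keep a later maintainer from re-adding them or from labelling a node that never ran the host setup. `hostNetwork: true` and the two `hostPath` mounts under `/var/etc/lvm` widen the satellite's host access; the `/var/etc` prefix looks Talos-specific (the piraeus-operator README says these are Talos patches), which is worth stating in the same comment so the intent is clear on other node operating systems.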
diff --git a/system/linstor/templates/sc.yaml b/system/linstor/templates/sc.yaml
new file mode 100644
index 00000000..6504a350
--- /dev/null
+++ b/system/linstor/templates/sc.yaml
@@ -0,0 +1,30 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: linstor-lvm
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: linstor.csi.linbit.com
+parameters:
+ linstor.csi.linbit.com/storagePool: "data"
+ linstor.csi.linbit.com/layerList: "storage"
+ linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: linstor-drbd-lvm
+provisioner: linstor.csi.linbit.com
+parameters:
+ linstor.csi.linbit.com/storagePool: "data"
+ linstor.csi.linbit.com/autoPlace: "3"
+ linstor.csi.linbit.com/layerList: "drbd storage"
+ linstor.csi.linbit.com/allowRemoteVolumeAccess: "false"
+ property.linstor.csi.linbit.com/DrbdOptions/auto-quorum: suspend-io
+ property.linstor.csi.linbit.com/DrbdOptions/Resource/on-no-data-accessible: suspend-io
+ property.linstor.csi.linbit.com/DrbdOptions/Resource/on-suspended-primary-outdated: force-secondary
+ property.linstor.csi.linbit.com/DrbdOptions/Net/rr-conflict: retry-connect
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
diff --git a/system/linstor/values.yaml b/system/linstor/values.yaml
new file mode 100644
index 00000000..e80703b8
--- /dev/null
+++ b/system/linstor/values.yaml
@@ -0,0 +1,9 @@
+_helm:
+ name: linstor
+ namespace: cozy-linstor
+ createNamespace: true
+ privilegedNamespace: true
+ crds: CreateReplace
+ dependsOn:
+ - name: cert-manager
+ - name: piraeus-operator
diff --git a/system/piraeus-operator/.helmignore b/system/piraeus-operator/.helmignore
new file mode 100644
index 00000000..1e107f52
--- /dev/null
+++ b/system/piraeus-operator/.helmignore
@@ -0,0 +1 @@
+examples
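Review bot: `storageclass.kubernetes.io/is-default-class: "true"` makes `linstor-lvm` — layer list `storage` only, no DRBD, `allowRemoteVolumeAccess` false — the cluster-wide default, so every PVC that omits `storageClassName` gets an unreplicated volume usable only from the node it was placed on. If that is intended, a comment above `annotations:` such as `# Default class is local LVM without replication; use linstor-drbd-lvm for replicated volumes` documents the trade-off; if not, the annotation belongs on `linstor-drbd-lvm`. Neither class sets `reclaimPolicy`, so both default to `Delete`; for the default class it is worth writing `reclaimPolicy: Delete` explicitly so the choice is visible.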
diff --git a/system/piraeus-operator/Chart.yaml b/system/piraeus-operator/Chart.yaml
new file mode 100644
index 00000000..0aa33800
--- /dev/null
+++ b/system/piraeus-operator/Chart.yaml
@@ -0,0 +1,2 @@
+name: app
+version: 0.0.0
diff --git a/system/piraeus-operator/Makefile b/system/piraeus-operator/Makefile
new file mode 100644
index 00000000..1979a2d7
--- /dev/null
+++ b/system/piraeus-operator/Makefile
@@ -0,0 +1,7 @@
+include ../../hack/app-helm.mk
+
+update:
+ rm -rf charts
+ tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/piraeusdatastore/piraeus-operator | awk -F'[/^]' 'END{print $$3}') && \
+ curl -sSL https://github.com/piraeusdatastore/piraeus-operator/archive/refs/tags/$${tag}.tar.gz | \
+ tar xzvf - --strip 1 piraeus-operator-$${tag#*v}/charts
diff --git a/system/piraeus-operator/README.md b/system/piraeus-operator/README.md
new file mode 100644
index 00000000..34a9b9ff
--- /dev/null
+++ b/system/piraeus-operator/README.md
@@ -0,0 +1,12 @@
+# Piraeus Operator
+
+The Piraeus Operator manages LINSTOR clusters in Kubernetes.
+
+We use v2 with [patches](https://github.com/piraeusdatastore/piraeus-operator/blob/v2/docs/how-to/talos.md) for Talos
+
+- Docs: https://linbit.com/drbd-user-guide/linstor-guide-1_0-en/
+- Docs: https://habr.com/ru/companies/flant/articles/680286/
+- Docs: https://github.com/piraeusdatastore/piraeus-operator/tree/v2/docs
+- Github: https://github.com/LINBIT/linstor-server
+- Docs: https://piraeus.io/site/docs/intro/
+- Github: https://github.com/piraeusdatastore/piraeus-operator
diff --git a/system/piraeus-operator/charts/piraeus/.helmignore b/system/piraeus-operator/charts/piraeus/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/.helmignore
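Review bot: The `update` recipe pipes an unverified tarball from GitHub straight into `tar` and overwrites `charts/`, with no checksum or signature check and no explicit tag, so whatever `git ls-remote` happens to list last becomes the vendored operator chart. Pinning the tag in a variable (`TAG ?= v2.3.0`, matching the vendored chart's `appVersion`) and comparing the downloaded archive against a recorded sha256 before extracting would make the vendored copy reproducible and reviewable. `rm -rf charts` also runs before the download, so a failed `curl` leaves the directory empty; fetching into a temporary directory first and removing `charts` only after a successful extract avoids that. The `--sort="v:refname"` plus "take the last line" selection may also pick a pre-release tag if one sorts above the latest release, depending on git's `versionsort` configuration, which is another reason to pin the tag.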
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/system/piraeus-operator/charts/piraeus/Chart.yaml b/system/piraeus-operator/charts/piraeus/Chart.yaml
new file mode 100644
index 00000000..2afc4450
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/Chart.yaml
@@ -0,0 +1,18 @@
+apiVersion: v2
+name: piraeus
+description: |
+ The Piraeus Operator manages software defined storage clusters using LINSTOR in Kubernetes.
+type: application
+version: 2.3.0
+appVersion: "v2.3.0"
+maintainers:
+ - name: Piraeus Datastore
+ url: https://piraeus.io
+home: https://piraeus.io
+icon: https://raw.githubusercontent.com/piraeusdatastore/piraeus/master/artwork/sandbox-artwork/icon/color.svg
+keywords:
+ - storage
+sources:
+ - https://github.com/piraeusdatastore/piraeus-operator
+ - https://github.com/piraeusdatastore/linstor-csi
+ - https://github.com/LINBIT/linstor-server
diff --git a/system/piraeus-operator/charts/piraeus/README.md b/system/piraeus-operator/charts/piraeus/README.md
new file mode 100644
index 00000000..abda911d
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/README.md
@@ -0,0 +1,35 @@ +# Piraeus Operator + +Deploys the [Piraeus Operator](https://github.com/piraeusdatastore/piraeus-operator) which deploys and manages a simple +and resilient storage solution for Kubernetes. + +The main deployment method for Piraeus Operator switched to [`kustomize`](../../docs/tutorial) +in release `v2.0.0`. This chart is intended for users who want to continue using Helm. + +This chart **only** configures the Operator, but does not create the `LinstorCluster` resource creating the actual +storage system. Refer to the existing [tutorials](../../docs/tutorial) +and [how-to guides](../../docs/how-to). + +## Deploying Piraeus Operator + +To deploy Piraeus Operator with Helm, clone this repository and deploy the chart: + +``` +$ git clone --branch v2 https://github.com/piraeusdatastore/piraeus-operator +$ cd piraeus-operator +$ helm install piraeus-operator charts/piraeus-operator --create-namespace -n piraeus-datastore +``` + +Follow the instructions printed by Helm to create your storage cluster: + +``` +$ kubectl apply -f - <']`, `metadata.annotations['']`. + minLength: 1 + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + storagePools: + description: StoragePools is a list of storage pools to configure + on the node. + items: + properties: + filePool: + description: Configures a file system based storage pool, allocating + a regular file per volume. + properties: + directory: + description: Directory is the path to the host directory + used to store volume data. + type: string + type: object + fileThinPool: + description: Configures a file system based storage pool, allocating + a sparse file per volume. + properties: + directory: + description: Directory is the path to the host directory + used to store volume data. + type: string + type: object + lvmPool: + description: Configures a LVM Volume Group as storage pool. 
+ properties: + volumeGroup: + type: string + type: object + lvmThinPool: + description: Configures a LVM Thin Pool as storage pool. + properties: + thinPool: + description: ThinPool is the name of the thinpool LV (without + VG prefix). + type: string + volumeGroup: + type: string + type: object + name: + description: Name of the storage pool in linstor. + minLength: 3 + type: string + properties: + description: Properties to set on the storage pool. + items: + properties: + name: + description: Name of the property to set. + minLength: 1 + type: string + optional: + description: Optional values are only set if they have + a non-empty value + type: boolean + value: + description: Value to set the property to. + type: string + valueFrom: + description: ValueFrom sets the value from an existing + resource. + properties: + nodeFieldRef: + description: Select a field of the node. Supports + `metadata.name`, `metadata.labels['']`, `metadata.annotations['']`. + minLength: 1 + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + source: + properties: + hostDevices: + description: HostDevices is a list of device paths used + to configure the given pool. + items: + type: string + minItems: 1 + type: array + type: object + required: + - name + type: object + type: array + type: object + status: + description: LinstorSatelliteConfigurationStatus defines the observed + state of LinstorSatelliteConfiguration + properties: + conditions: + description: Current LINSTOR Satellite Config state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: linstorsatellites.piraeus.io +spec: + group: piraeus.io + names: + kind: LinstorSatellite + listKind: LinstorSatelliteList + plural: linstorsatellites + singular: linstorsatellite + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: LinstorSatellite is the Schema for the linstorsatellites API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: LinstorSatelliteSpec defines the desired state of LinstorSatellite + properties: + clusterRef: + description: ClusterRef references the LinstorCluster used to create + this LinstorSatellite. + properties: + clientSecretName: + description: ClientSecretName references the secret used by the + operator to validate the https endpoint. + type: string + externalController: + description: ExternalController references an external controller. + When set, the Operator uses the external cluster to register + satellites. + properties: + url: + description: URL of the external controller. + minLength: 3 + type: string + required: + - url + type: object + name: + description: Name of the LinstorCluster resource controlling this + satellite. + type: string + type: object + internalTLS: + description: "InternalTLS configures secure communication for the + LINSTOR Satellite. \n If set, the control traffic between LINSTOR + Controller and Satellite will be encrypted using mTLS. The Controller + will use the client key from `LinstorCluster.spec.internalTLS` when + connecting." + nullable: true + properties: + certManager: + description: CertManager references a cert-manager Issuer or ClusterIssuer. + If set, a Certificate resource will be created, provisioning + the secret references in SecretName using the issuer configured + here. + properties: + group: + description: Group of the resource being referred to. + type: string + kind: + description: Kind of the resource being referred to. + type: string + name: + description: Name of the resource being referred to. + type: string + required: + - name + type: object + secretName: + description: SecretName references a secret holding the TLS key + and certificates. 
+ type: string + tlsHandshakeDaemon: + description: "TLSHandshakeDaemon enables tlshd for establishing + TLS sessions for use by DRBD. \n If enabled, adds a new sidecar + to the LINSTOR Satellite that runs the tlshd handshake daemon. + The daemon uses the TLS certificate and key to establish secure + connections on behalf of DRBD." + type: boolean + type: object + patches: + description: "Patches is a list of kustomize patches to apply. \n + See https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/patches/ + for how to create patches." + items: + description: Patch represent either a Strategic Merge Patch or a + JSON patch and its targets. + properties: + options: + additionalProperties: + type: boolean + description: Options is a list of options for the patch + type: object + patch: + description: Patch is the content of a patch. + minLength: 1 + type: string + target: + description: Target points to the resources that the patch is + applied to + properties: + annotationSelector: + description: AnnotationSelector is a string that follows + the label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches against the resource annotations. + type: string + group: + type: string + kind: + type: string + labelSelector: + description: LabelSelector is a string that follows the + label selection expression https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#api + It matches against the resource labels. + type: string + name: + description: Name of the resource. + type: string + namespace: + description: Namespace the resource belongs to, if it can + belong to a namespace. + type: string + version: + type: string + type: object + type: object + type: array + properties: + description: Properties is a list of properties to set on the node. + items: + properties: + name: + description: Name of the property to set. 
+ minLength: 1 + type: string + optional: + description: Optional values are only set if they have a non-empty + value + type: boolean + value: + description: Value to set the property to. + type: string + valueFrom: + description: ValueFrom sets the value from an existing resource. + properties: + nodeFieldRef: + description: Select a field of the node. Supports `metadata.name`, + `metadata.labels['']`, `metadata.annotations['']`. + minLength: 1 + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + repository: + description: Repository used to pull workload images. + type: string + storagePools: + description: StoragePools is a list of storage pools to configure + on the node. + items: + properties: + filePool: + description: Configures a file system based storage pool, allocating + a regular file per volume. + properties: + directory: + description: Directory is the path to the host directory + used to store volume data. + type: string + type: object + fileThinPool: + description: Configures a file system based storage pool, allocating + a sparse file per volume. + properties: + directory: + description: Directory is the path to the host directory + used to store volume data. + type: string + type: object + lvmPool: + description: Configures a LVM Volume Group as storage pool. + properties: + volumeGroup: + type: string + type: object + lvmThinPool: + description: Configures a LVM Thin Pool as storage pool. + properties: + thinPool: + description: ThinPool is the name of the thinpool LV (without + VG prefix). + type: string + volumeGroup: + type: string + type: object + name: + description: Name of the storage pool in linstor. + minLength: 3 + type: string + properties: + description: Properties to set on the storage pool. + items: + properties: + name: + description: Name of the property to set. 
+ minLength: 1 + type: string + optional: + description: Optional values are only set if they have + a non-empty value + type: boolean + value: + description: Value to set the property to. + type: string + valueFrom: + description: ValueFrom sets the value from an existing + resource. + properties: + nodeFieldRef: + description: Select a field of the node. Supports + `metadata.name`, `metadata.labels['']`, `metadata.annotations['']`. + minLength: 1 + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + source: + properties: + hostDevices: + description: HostDevices is a list of device paths used + to configure the given pool. + items: + type: string + minItems: 1 + type: array + type: object + required: + - name + type: object + type: array + required: + - clusterRef + type: object + status: + description: LinstorSatelliteStatus defines the observed state of LinstorSatellite + properties: + conditions: + description: Current LINSTOR Satellite state + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. 
If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{ end }} diff --git a/system/piraeus-operator/charts/piraeus/templates/deployment.yaml b/system/piraeus-operator/charts/piraeus/templates/deployment.yaml new file mode 100644 index 00000000..d10e931c --- /dev/null +++ b/system/piraeus-operator/charts/piraeus/templates/deployment.yaml 
@@ -0,0 +1,101 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "piraeus-operator.fullname" . }}-controller-manager + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "piraeus-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "piraeus-operator.selectorLabels" . | nindent 8 }} + annotations: + kubectl.kubernetes.io/default-container: manager + spec: + containers: + - args: + - --health-probe-bind-address=:8081 + {{- if .Values.kubeRbacProxy.enabled }} + - --metrics-bind-address=127.0.0.1:8080 + {{- else }} + - --metrics-bind-address=0 + {{- end }} + {{- range $opt, $val := .Values.operator.options }} + - --{{ $opt | kebabcase }}={{ $val }} + {{- end }} + command: + - /manager + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: IMAGE_CONFIG_MAP_NAME + value: {{ include "piraeus-operator.fullname" . 
}}-image-config + image: {{ .Values.operator.image.repository }}:{{ .Values.operator.image.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + {{- toYaml .Values.operator.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.operator.securityContext | nindent 12}} + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + {{- if .Values.kubeRbacProxy.enabled }} + - args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --tls-private-key-file=/etc/tls/tls.key + - --tls-cert-file=/etc/tls/tls.crt + {{- range $opt, $val := .Values.kubeRbacProxy.options }} + - --{{ $opt | kebabcase }}={{ $val }} + {{- end }} + image: {{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag }} + imagePullPolicy: {{ .Values.kubeRbacProxy.image.pullPolicy }} + name: kube-rbac-proxy + ports: + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.kubeRbacProxy.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.kubeRbacProxy.securityContext | nindent 12}} + volumeMounts: + - mountPath: /etc/tls + name: cert + {{- end }} + securityContext: + runAsNonRoot: true + serviceAccountName: {{ include "piraeus-operator.serviceAccountName" . }} + terminationGracePeriodSeconds: 10 + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ include "piraeus-operator.certifcateName" . }} 
diff --git a/system/piraeus-operator/charts/piraeus/templates/metrics-service.yaml b/system/piraeus-operator/charts/piraeus/templates/metrics-service.yaml
new file mode 100644
index 00000000..d1a24e3c
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/templates/metrics-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "piraeus-operator.fullname" . }}-controller-manager-metrics-service
+ labels:
+ {{- include "piraeus-operator.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ {{- include "piraeus-operator.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: metrics
+ port: 443
+ targetPort: 8443
diff --git a/system/piraeus-operator/charts/piraeus/templates/rbac.yaml b/system/piraeus-operator/charts/piraeus/templates/rbac.yaml
new file mode 100644
index 00000000..e487114c
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/templates/rbac.yaml
@@ -0,0 +1,461 @@ +{{ if .Values.serviceAccount.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "piraeus-operator.serviceAccountName" . }} + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "piraeus-operator.fullname" . }}-controller-manager + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - events + - persistentvolumes + - secrets + - serviceaccounts + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + - persistentvolumeclaims + verbs: + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + resources: + - persistentvolumeclaims/status + verbs: + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - watch + - apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - daemonsets + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - events.k8s.io + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch + - apiGroups: + - internal.linstor.linbit.com + resources: + - '*' + verbs: 
+ - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch + - apiGroups: + - piraeus.io + resources: + - linstorclusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - piraeus.io + resources: + - linstorclusters/finalizers + verbs: + - update + - apiGroups: + - piraeus.io + resources: + - linstorclusters/status + verbs: + - get + - patch + - update + - apiGroups: + - piraeus.io + resources: + - linstornodeconnections + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - piraeus.io + resources: + - linstornodeconnections/finalizers + verbs: + - update + - apiGroups: + - piraeus.io + resources: + - linstornodeconnections/status + verbs: + - get + - patch + - update + - apiGroups: + - piraeus.io + resources: + - linstorsatelliteconfigurations + verbs: + - get + - list + - watch + - apiGroups: + - piraeus.io + resources: + - linstorsatelliteconfigurations/status + verbs: + - get + - patch + - update + - apiGroups: + - piraeus.io + resources: + - linstorsatellites + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - piraeus.io + resources: + - linstorsatellites/finalizers + verbs: + - update + - apiGroups: + - piraeus.io + resources: + - linstorsatellites/status + verbs: + - get + - patch + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - rolebindings + - roles + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + - volumesnapshots + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - delete + - get + - list + - patch + - 
update + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - patch + - update + - apiGroups: + - storage.k8s.io + resources: + - csidrivers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - patch + - watch + - apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - delete + - get + - list + - patch + - watch + - apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "piraeus-operator.fullname" . }}-manager-rolebinding + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "piraeus-operator.fullname" . }}-controller-manager' +subjects: + - kind: ServiceAccount + name: '{{ include "piraeus-operator.serviceAccountName" . }}' + namespace: '{{ .Release.Namespace }}' +{{ end }} +{{ if.Values.rbac.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "piraeus-operator.fullname" . }}-proxy-role + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "piraeus-operator.fullname" . 
}}-proxy-rolebinding + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "piraeus-operator.fullname" . }}-proxy-role' +subjects: + - kind: ServiceAccount + name: {{ include "piraeus-operator.serviceAccountName" . }} + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "piraeus-operator.fullname" . }}-leader-election-role + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "piraeus-operator.fullname" . }}-leader-election-rolebinding + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ include "piraeus-operator.fullname" . }}-leader-election-role' +subjects: + - kind: ServiceAccount + name: {{ include "piraeus-operator.serviceAccountName" . }} + namespace: '{{ .Release.Namespace }}' +{{ end }} diff --git a/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml b/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml new file mode 100644 index 00000000..ef22851b --- /dev/null +++ b/system/piraeus-operator/charts/piraeus/templates/validating-webhook-configuration.yaml 
@@ -0,0 +1,154 @@ +# Check if the TLS secret already exists and initialize variables for later use at the top level +{{- $secret := lookup "v1" "Secret" .Release.Namespace (include "piraeus-operator.certifcateName" .) }} +{{ $ca := "" }} +{{ $key := "" }} +{{ $crt := "" }} +{{- if .Values.tls.certManagerIssuerRef }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "piraeus-operator.fullname" . }} + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +spec: + secretName: {{ include "piraeus-operator.certifcateName" . }} + dnsNames: + - {{ include "piraeus-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc + issuerRef: + {{- toYaml .Values.tls.certManagerIssuerRef | nindent 4 }} + privateKey: + rotationPolicy: Always +--- +{{- else if .Values.tls.autogenerate }} + {{- if and $secret (not .Values.tls.renew) }} + {{- $ca = get $secret.data "ca.crt" }} + {{- $key = get $secret.data "tls.key" }} + {{- $crt = get $secret.data "tls.crt" }} + {{- else }} + {{- $serviceName := (printf "%s-webhook-service.%s.svc" (include "piraeus-operator.fullname" .) .Release.Namespace)}} + {{- $cert := genSelfSignedCert $serviceName nil (list $serviceName) 3650 }} + {{- $ca = b64enc $cert.Cert }} + {{- $key = b64enc $cert.Key }} + {{- $crt = b64enc $cert.Cert }} + {{- end }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "piraeus-operator.certifcateName" . }} + labels: + {{- include "piraeus-operator.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca }} + tls.key: {{ $key }} + tls.crt: {{ $crt }} +{{- end }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "piraeus-operator.fullname" . }}-validating-webhook-configuration + labels: + {{- include "piraeus-operator.labels" . 
| nindent 4 }} + {{- if .Values.tls.certManagerIssuerRef }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "piraeus-operator.fullname" . }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "piraeus-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-piraeus-io-v1-linstorcluster + {{- if not .Values.tls.certManagerIssuerRef }} + caBundle: {{ $ca }} + {{- end }} + failurePolicy: {{ .Values.webhook.failurePolicy }} + timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} + name: vlinstorcluster.kb.io + rules: + - apiGroups: + - piraeus.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - linstorclusters + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "piraeus-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-piraeus-io-v1-linstornodeconnection + {{- if not .Values.tls.certManagerIssuerRef }} + caBundle: {{ $ca }} + {{- end }} + failurePolicy: {{ .Values.webhook.failurePolicy }} + timeoutSeconds: {{ .Values.webhook.timeoutSeconds }} + name: vlinstornodeconnection.kb.io + rules: + - apiGroups: + - piraeus.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - linstornodeconnections + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "piraeus-operator.fullname" . 
}}-webhook-service'
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-piraeus-io-v1-linstorsatellite
+ {{- if not .Values.tls.certManagerIssuerRef }}
+ caBundle: {{ $ca }}
+ {{- end }}
+ failurePolicy: {{ .Values.webhook.failurePolicy }}
+ timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
+ name: vlinstorsatellite.kb.io
+ rules:
+ - apiGroups:
+ - piraeus.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - linstorsatellites
+ sideEffects: None
+- admissionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: '{{ include "piraeus-operator.fullname" . }}-webhook-service'
+ namespace: '{{ .Release.Namespace }}'
+ path: /validate-piraeus-io-v1-linstorsatelliteconfiguration
+ {{- if not .Values.tls.certManagerIssuerRef }}
+ caBundle: {{ $ca }}
+ {{- end }}
+ failurePolicy: {{ .Values.webhook.failurePolicy }}
+ timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
+ name: vlinstorsatelliteconfiguration.kb.io
+ rules:
+ - apiGroups:
+ - piraeus.io
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - linstorsatelliteconfigurations
+ sideEffects: None
diff --git a/system/piraeus-operator/charts/piraeus/templates/webhook-service.yaml b/system/piraeus-operator/charts/piraeus/templates/webhook-service.yaml
new file mode 100644
index 00000000..d360269b
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/templates/webhook-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "piraeus-operator.fullname" . }}-webhook-service
+ labels:
+ {{- include "piraeus-operator.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ selector:
+ {{- include "piraeus-operator.selectorLabels" . | nindent 4 }}
+ ports:
+ - name: https
+ port: 443
+ targetPort: 9443
diff --git a/system/piraeus-operator/charts/piraeus/values.yaml b/system/piraeus-operator/charts/piraeus/values.yaml
new file mode 100644
index 00000000..ada590fe
--- /dev/null
+++ b/system/piraeus-operator/charts/piraeus/values.yaml
@@ -0,0 +1,108 @@ +replicaCount: 1 + +installCRDs: false + +operator: + image: + repository: quay.io/piraeusdatastore/piraeus-operator + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + + options: + leaderElect: true + + resources: { } + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +kubeRbacProxy: + enabled: false + image: + repository: gcr.io/kubebuilder/kube-rbac-proxy + pullPolicy: IfNotPresent + tag: v0.13.1 + options: + logtostderr: "true" + v: 0 + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + + resources: { } + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +webhook: + timeoutSeconds: 2 + failurePolicy: Fail + +tls: + certificateSecret: "" + autogenerate: true + renew: false + certManagerIssuerRef: {} + +imagePullSecrets: [ ] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: { } + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+podAnnotations: { }
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+nodeSelector: { }
+
+tolerations:
+ - key: drbd.linbit.com/lost-quorum
+ effect: NoSchedule
+ - key: drbd.linbit.com/force-io-error
+ effect: NoSchedule
+affinity: { }
+
+podDisruptionBudget:
+ enabled: true
+ minAvailable: 1
+ # maxUnavailable: 1
+
+imageConfigOverride: []
+ # - base: example.com/piraeus
+ # components:
+ # linstor-csi:
+ # image: linstor-csi
+ # tag: my-custom-tag
+ # Results in the image example.com/piraeus/linstor-csi:my-custom-tag being used.
+ # See templates/config.yaml for available components.
diff --git a/system/piraeus-operator/examples/1.yaml b/system/piraeus-operator/examples/1.yaml
new file mode 100644
index 00000000..e43081e8
--- /dev/null
+++ b/system/piraeus-operator/examples/1.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: myclaim
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 8Gi
+ #storageClassName: linstor-lvm
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: mypod
+spec:
+ containers:
+ - name: myfrontend
+ image: nginx
+ volumeMounts:
+ - mountPath: "/var/www/html"
+ name: mypd
+ volumes:
+ - name: mypd
+ persistentVolumeClaim:
+ claimName: myclaim
diff --git a/system/piraeus-operator/hack/proxmox-install-module.sh b/system/piraeus-operator/hack/proxmox-install-module.sh
new file mode 100644
index 00000000..679a53ed
--- /dev/null
+++ b/system/piraeus-operator/hack/proxmox-install-module.sh
@@ -0,0 +1,9 @@
+wget -O /tmp/package-signing-pubkey.asc https://packages.linbit.com/package-signing-pubkey.asc
+gpg --yes -o /etc/apt/trusted.gpg.d/linbit-keyring.gpg --dearmor /tmp/package-signing-pubkey.asc
+PVERS=$(pveversion | awk -F'[/.]' '{print $2}')
+echo "deb [signed-by=/etc/apt/trusted.gpg.d/linbit-keyring.gpg] http://packages.linbit.com/public/ proxmox-$PVERS drbd-9" > /etc/apt/sources.list
+apt update && apt -y install drbd-dkms
+echo "options drbd usermode_helper=disabled" > /etc/modprobe.d/drbd.conf
+echo drbd > /etc/modules-load.d/drbd.conf
+modprobe drbd
+kubectl label node "${HOSTNAME}" node-role.kubernetes.io/linstor= --overwrite
diff --git a/system/piraeus-operator/templates/piraeus-tls.yaml b/system/piraeus-operator/templates/piraeus-tls.yaml
new file mode 100644
index 00000000..1d787ceb
--- /dev/null
+++ b/system/piraeus-operator/templates/piraeus-tls.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: ca-bootstrapper
+ namespace: {{ .Release.namespace }}
+spec:
+ selfSigned: {}
diff --git a/system/piraeus-operator/values.yaml b/system/piraeus-operator/values.yaml
new file mode 100644
index 00000000..f4300f0a
--- /dev/null
+++ b/system/piraeus-operator/values.yaml
@@ -0,0 +1,16 @@
+_helm:
+ name: piraeus-operator
+ namespace: cozy-linstor # must be same namespace as linstor
+ createNamespace: true
+ privilegedNamespace: false
+ crds: CreateReplace
+ dependsOn:
+ - name: cert-manager
+
+piraeus:
+ installCRDs: true
+ autogenerate: false
+ tls:
+ certManagerIssuerRef:
+ name: ca-bootstrapper
+ kind: Issuer
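Review bot: The redirect `> /etc/apt/sources.list` on the fourth line replaces the host's entire apt source list with the single LINBIT entry, so the Proxmox and Debian repositories disappear from the node; the entry belongs in a drop-in such as `echo "deb [signed-by=/etc/apt/keyrings/linbit-keyring.gpg] http://packages.linbit.com/public/ proxmox-$PVERS drbd-9" > /etc/apt/sources.list.d/linbit.list`. The dearmored key is also written to `/etc/apt/trusted.gpg.d/`, which apt trusts for every configured repository, so the `signed-by=` scoping on the deb line does not actually restrict that key to the LINBIT repo; `install -d -m 0755 /etc/apt/keyrings` followed by `gpg --yes -o /etc/apt/keyrings/linbit-keyring.gpg --dearmor /tmp/package-signing-pubkey.asc` keeps the trust scoped. The file has no shebang and no `set -euo pipefail`, so a failed download or dearmor does not stop the apt, modprobe and kubectl steps that follow. The final `kubectl label node "${HOSTNAME}"` presumably assumes the Kubernetes node name equals the shell hostname, which is worth stating in a comment since it does not hold on every host.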
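Review bot: `namespace: {{ .Release.namespace }}` in the Issuer metadata uses a lowercase key that Helm's release object does not define — the built-in field is `.Release.Namespace` — so the value should render empty and the Issuer only lands in the intended namespace because Helm applies the release namespace to manifests that carry none; write `namespace: {{ .Release.Namespace }}`. Because `ca-bootstrapper` is a namespaced `Issuer` rather than a `ClusterIssuer`, every Certificate that references it has to be rendered into the same namespace, which is why getting this field right matters rather than relying on the fallback.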
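Review bot: `autogenerate: false` sits directly under `piraeus:`, but the subchart's validating-webhook template reads the switch as `.Values.tls.autogenerate`, so at this position the key is silently ignored; move it under the `tls:` block beside `certManagerIssuerRef`, i.e. `tls:` / `  autogenerate: false` / `  certManagerIssuerRef:`. Because `certManagerIssuerRef` is set, the template takes the cert-manager branch first and the misplaced key has no effect today, but as written the file suggests self-signed generation is disabled by configuration when it is only bypassed, and a later removal of the issuer ref would quietly re-enable it.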