terraform-talos/oracle/deployments/oci-csi-controller.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
 name: csi-oci-node-sa
 namespace: kube-system
---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: csi-oci
 namespace: kube-system
rules:
 - apiGroups: [""]
   resources: ["events"]
   verbs: ["get", "list", "watch", "create", "update", "patch"]
 - apiGroups: [""]
   resources: ["nodes"]
   verbs: ["get", "list", "watch"]
 - apiGroups: ["volume.oci.oracle.com"]
   resources: ["blockscsiinfos"]
   verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
 - apiGroups: [""]
   resources: ["persistentvolumes"]
   verbs: ["get", "list", "watch", "create", "delete", "patch"]
 - apiGroups: [""]
   resources: ["persistentvolumeclaims"]
   verbs: ["get", "list", "watch", "update", "create"]
 - apiGroups: ["storage.k8s.io"]
   resources: ["storageclasses", "volumeattachments", "volumeattachments/status", "csinodes"]
   verbs: ["get", "list", "watch", "patch"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
 - apiGroups: [""]
   resources: ["endpoints"]
   verbs: ["get", "watch", "create", "update"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["persistentvolumeclaims/status"]
   verbs: ["patch"]
---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
 name: csi-oci-binding
subjects:
 - kind: ServiceAccount
   name: csi-oci-node-sa
   namespace: kube-system
roleRef:
 kind: ClusterRole
 name: csi-oci
 apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  generation: 1
  name: csi-oci-controller
  namespace: kube-system
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: csi-oci-controller
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: csi-oci-controller
        role: csi-oci
    spec:
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
        node.cloudprovider.kubernetes.io/platform: oracle
      tolerations:
        - key: "node-role.kubernetes.io/control-plane"
          effect: NoSchedule
      containers:
        - name: csi-volume-provisioner
          image: k8s.gcr.io/sig-storage/csi-provisioner:v3.2.1
          args:
            - --csi-address=/var/run/shared-tmpfs/csi.sock
            - --volume-name-prefix=csi
            - --feature-gates=Topology=true
            - --timeout=120s
            - --leader-election
            - --leader-election-namespace=kube-system
          volumeMounts:
            - name: config
              mountPath: /etc/oci/
              readOnly: true
            - mountPath: /var/run/shared-tmpfs
              name: shared-tmpfs
        - name: csi-attacher
          image: k8s.gcr.io/sig-storage/csi-attacher:v3.5.0
          args:
            - --csi-address=/var/run/shared-tmpfs/csi.sock
            - --timeout=120s
            - --leader-election=true
            - --leader-election-namespace=kube-system
          volumeMounts:
            - name: config
              mountPath: /etc/oci/
              readOnly: true
            - mountPath: /var/run/shared-tmpfs
              name: shared-tmpfs
        - name: csi-resizer
          image: k8s.gcr.io/sig-storage/csi-resizer:v1.5.0
          args:
            - --csi-address=/var/run/shared-tmpfs/csi.sock
            - --leader-election
          imagePullPolicy: "IfNotPresent"
          volumeMounts:
            - mountPath: /var/run/shared-tmpfs
              name: shared-tmpfs
        - name: oci-csi-controller-driver
          args:
            - --endpoint=unix://var/run/shared-tmpfs/csi.sock
          command:
            - /usr/local/bin/oci-csi-controller-driver
          image: ghcr.io/oracle/cloud-provider-oci:v1.24.0
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: config
              mountPath: /etc/oci/
              readOnly: true
            - mountPath: /var/run/shared-tmpfs
              name: shared-tmpfs
      volumes:
        - name: config
          secret:
            secretName: oci-volume-provisioner
        - name: shared-tmpfs
          emptyDir: {}
      dnsPolicy: ClusterFirst
      hostNetwork: true
      imagePullSecrets:
        - name: image-pull-secret
      restartPolicy: Always
      schedulerName: default-scheduler
      serviceAccount: csi-oci-node-sa
      serviceAccountName: csi-oci-node-sa
      terminationGracePeriodSeconds: 30