fix: solve cinder-csi usage

vexxhost · Feb 16, 2023 · 8e9157b · 8e9157b
1 parent 3b5df59
commit 8e9157b
Show file tree

Hide file tree

Showing 3 changed files with 324 additions and 30 deletions.
diff --git a/magnum_cluster_api/manifests/csi/cinder-csi-controllerplugin-rbac.yaml b/magnum_cluster_api/manifests/csi/cinder-csi-controllerplugin-rbac.yaml
@@ -1,3 +1,301 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-cinder-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-attacher-role
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-attacher-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-attacher-role
+subjects:
+- kind: ServiceAccount
+  name: csi-cinder-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-provisioner-role
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-provisioner-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-provisioner-role
+subjects:
+- kind: ServiceAccount
+  name: csi-cinder-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-snapshotter-role
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: csi-snapshotter-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: csi-snapshotter-role
+subjects:
+- kind: ServiceAccount
+  name: csi-cinder-controller-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-resizer-role
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

diff --git a/magnum_cluster_api/manifests/csi/cinder-csi-nodeplugin-rbac.yaml b/magnum_cluster_api/manifests/csi/cinder-csi-nodeplugin-rbac.yaml
@@ -1,3 +1,26 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: csi-cinder-node-sa
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: csi-nodeplugin-role
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

diff --git a/tools/sync-csi-manifests b/tools/sync-csi-manifests
@@ -34,13 +34,12 @@ MANIFESTS = set(
 for manifest in MANIFESTS:
     url = f"https://raw.githubusercontent.com/kubernetes/cloud-provider-openstack/master/manifests/cinder-csi-plugin/{manifest}"  # noqa E501
 
+    docs = []
     r = requests.get(url)
 
     # NOTE(mnaser): CAPI does not like "List" type resources, so we refactor
     #               them to be a list of YAML documents.
     for doc in yaml.safe_load_all(r.text):
-        docs = []
-
         if doc["kind"] == "Deployment":
             # NOTE(mnaser): Use `/etc/kuberentes/cloud.conf` instead of the
             #               default mounted secret.
@@ -59,19 +58,6 @@ for manifest in MANIFESTS:
                 "runAsUser": 0,
             }
 
-            # NOTE(mnaser): Because of the above, Kubernetes will not create a
-            #               service account, so we make one manually.
-            docs.append(
-                {
-                    "apiVersion": "v1",
-                    "kind": "ServiceAccount",
-                    "metadata": {
-                        "name": "csi-cinder-controller-sa",
-                        "namespace": "kube-system",
-                    },
-                }
-            )
-
         if doc["kind"] == "DaemonSet":
             # NOTE(mnaser): Use `/etc/kuberentes/cloud.conf` instead of the
             #               default mounted secret.
@@ -90,24 +76,11 @@ for manifest in MANIFESTS:
                 "runAsUser": 0,
             }
 
-            # NOTE(mnaser): Because of the above, Kubernetes will not create a
-            #               service account, so we make one manually.
-            docs.append(
-                {
-                    "apiVersion": "v1",
-                    "kind": "ServiceAccount",
-                    "metadata": {
-                        "name": "csi-cinder-node-sa",
-                        "namespace": "kube-system",
-                    },
-                }
-            )
-
         if doc["kind"] == "List":
             for item in doc["items"]:
                 docs.append(item)
         else:
             docs.append(doc)
 
-        with open(f"magnum_cluster_api/manifests/csi/{manifest}", "w") as fd:
-            yaml.dump_all(docs, fd, default_flow_style=False)
+    with open(f"magnum_cluster_api/manifests/csi/{manifest}", "w") as fd:
+        yaml.dump_all(docs, fd, default_flow_style=False)