{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}

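{{/*
Renders the ServiceAccount/RBAC snippet and the cinder-volume Deployment.
Everything from here to the final "end" of the file is emitted only when
.Values.manifests.deployment_volume is truthy.
*/}}
{{- if .Values.manifests.deployment_volume }}
{{- $envAll := . }}

{{- $internal_ceph_backend := .Values.ceph_client.internal_ceph_backend }}

{{- $mounts_cinder_volume := .Values.pod.mounts.cinder_volume.cinder_volume }}
{{- $mounts_cinder_volume_init := .Values.pod.mounts.cinder_volume.init_container }}

{{- $serviceAccountName := "cinder-volume" }}
{{ tuple $envAll "volume" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cinder-volume
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  replicas: {{ .Values.pod.replicas.volume }}
  selector:
    matchLabels:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
{{ tuple $envAll | include "helm-toolkit.snippets.kubernetes_upgrades_deployment" | indent 2 }}
  template:
    metadata:
      labels:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        # Hashes of the rendered bin/etc templates: a change to either one
        # changes the pod template and therefore rolls the pods.
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        # NOTE(review): the container list passed to the mandatory access
        # control snippet names cinder-volume, ceph-coordination-volume-perms,
        # init-cinder-conf and init, but not the ceph-keyring-placement-<backend>
        # init containers; confirm whether they are meant to be covered too.
{{ dict "envAll" $envAll "podName" "cinder-volume" "containerNames" (list "cinder-volume" "ceph-coordination-volume-perms" "init-cinder-conf" "init" ) | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
    spec:
      serviceAccountName: {{ $serviceAccountName }}
{{ dict "envAll" $envAll "application" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
      affinity:
{{ tuple $envAll "cinder" "volume" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
{{ if $envAll.Values.pod.tolerations.cinder.enabled }}
{{ tuple $envAll "cinder" | include "helm-toolkit.snippets.kubernetes_tolerations" | indent 6 }}
{{ end }}
      nodeSelector:
        # nodeSelector values must be strings; quoting keeps a boolean- or
        # number-looking label value from being re-typed by the YAML parser.
        {{ .Values.labels.volume.node_selector_key }}: {{ .Values.labels.volume.node_selector_value | quote }}
{{- if .Values.pod.useHostNetwork.volume }}
      # Opt-in: the pod joins the node's network namespace, so it can reach
      # and bind anything the node itself can.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
{{- end }}
{{- if .Values.conf.enable_iscsi }}
      # Opt-in with iSCSI: the pod shares the node's IPC namespace.
      hostIPC: true
{{- end }}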
66 initContainers:
67{{ tuple $envAll "volume" $mounts_cinder_volume_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
68 {{- range $name := rest (splitList "," (include "cinder.utils.ceph_backend_list" $envAll)) }}
69 {{- $backend := index $envAll.Values.conf.backends $name }}
70 {{- if eq $internal_ceph_backend $name }}
Mohammed Naser6a7426e2023-02-23 18:30:25 +000071 - name: ceph-keyring-placement-{{ $name | lower }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -050072{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
73{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_keyring_placement" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
74 command:
75 - /tmp/ceph-keyring.sh
76 env:
77 - name: RBD_USER
78 value: {{ $backend.rbd_user | quote }}
79{{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
80 - name: EXTERNAL_RBD_USER
81 value: {{ $envAll.Values.ceph_client.external_ceph.rbd_user | quote }}
82{{- end }}
83 volumeMounts:
84 - name: pod-tmp
85 mountPath: /tmp
86 - name: etcceph
87 mountPath: /etc/ceph
88 - name: cinder-bin
89 mountPath: /tmp/ceph-keyring.sh
90 subPath: ceph-keyring.sh
91 readOnly: true
92 - name: ceph-keyring
93 mountPath: /tmp/client-keyring
94 subPath: key
95 readOnly: true
96 {{- if and $envAll.Values.ceph_client.enable_external_ceph_backend $envAll.Values.ceph_client.external_ceph.rbd_user }}
97 - name: external-ceph-keyring
98 mountPath: /tmp/external-ceph-client-keyring
99 subPath: key
100 readOnly: true
101 {{- end }}
102 {{- end }}
103 {{- end }}
104 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
105 - name: ceph-coordination-volume-perms
106{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
107{{ dict "envAll" $envAll "application" "cinder_volume" "container" "ceph_coordination_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
108 command:
109 - chown
110 - -R
111 - "cinder:"
112 - {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
113 volumeMounts:
114 - name: pod-tmp
115 mountPath: /tmp
116 - name: cinder-coordination
117 mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
118 {{ end }}
119 - name: init-cinder-conf
120{{ dict "envAll" $envAll "application" "cinder_volume" "container" "init_cinder_conf" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
121 image: {{ .Values.images.tags.ks_user }}
122 imagePullPolicy: {{ .Values.images.pull_policy }}
123 command:
124 - /tmp/retrieve-internal-tenant.sh
125 volumeMounts:
126 - name: pod-tmp
127 mountPath: /tmp
128 - name: cinder-bin
129 mountPath: /tmp/retrieve-internal-tenant.sh
130 subPath: retrieve-internal-tenant.sh
131 readOnly: true
132 - name: pod-shared
133 mountPath: /tmp/pod-shared
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100134{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500135 env:
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000136{{- with $env := dict "ksUserSecret" .Values.secrets.identity.admin "useCA" (or .Values.manifests.certificates .Values.tls.identity) }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500137{{- include "helm-toolkit.snippets.keystone_openrc_env_vars" $env | indent 12 }}
138{{- end }}
139 - name: INTERNAL_PROJECT_NAME
140 value: {{ .Values.conf.cinder.DEFAULT.internal_project_name | quote }}
141 - name: INTERNAL_USER_NAME
142 value: {{ .Values.conf.cinder.DEFAULT.internal_user_name | quote }}
143{{- with $env := dict "ksUserSecret" (index .Values.secrets.identity "cinder" ) }}
144{{- include "helm-toolkit.snippets.keystone_user_create_env_vars" $env | indent 12 }}
145{{- end }}
146 containers:
147 - name: cinder-volume
148{{ tuple $envAll "cinder_volume" | include "helm-toolkit.snippets.image" | indent 10 }}
149{{ tuple $envAll $envAll.Values.pod.resources.volume | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
150{{ dict "envAll" $envAll "application" "cinder_volume" "container" "cinder_volume" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
151 command:
152 - /tmp/cinder-volume.sh
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000153 env:
154{{- if or .Values.manifests.certificates .Values.tls.identity }}
155 - name: REQUESTS_CA_BUNDLE
156 value: "/etc/cinder/certs/ca.crt"
157{{- end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500158 terminationMessagePath: /var/log/termination-log
159 volumeMounts:
160 - name: pod-tmp
161 mountPath: /tmp
162 - name: cinder-bin
163 mountPath: /tmp/cinder-volume.sh
164 subPath: cinder-volume.sh
165 readOnly: true
166 - name: pod-shared
167 mountPath: /tmp/pod-shared
168 - name: cinder-conversion
169 mountPath: /var/lib/cinder/conversion
170 - name: cinder-etc
171 mountPath: /etc/cinder/cinder.conf
172 subPath: cinder.conf
173 readOnly: true
174 {{- if .Values.conf.cinder.DEFAULT.log_config_append }}
175 - name: cinder-etc
176 mountPath: {{ .Values.conf.cinder.DEFAULT.log_config_append }}
177 subPath: {{ base .Values.conf.cinder.DEFAULT.log_config_append }}
178 readOnly: true
179 {{- end }}
180 - name: cinder-etc
181 mountPath: /etc/cinder/conf/backends.conf
182 subPath: backends.conf
183 readOnly: true
184 {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
185 - name: etcceph
186 mountPath: /etc/ceph
187 - name: ceph-etc
188 mountPath: /etc/ceph/ceph.conf
189 subPath: ceph.conf
190 readOnly: true
191 - name: ceph-keyring
192 mountPath: /tmp/client-keyring
193 subPath: key
194 readOnly: true
195 {{- if .Values.ceph_client.enable_external_ceph_backend }}
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000196 {{- if .Values.ceph_client.external_ceph.configmap }}
197 - name: external-ceph-etc
198 mountPath: /etc/ceph/external-ceph.conf
199 subPath: external-ceph.conf
200 readOnly: true
201 {{- else }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500202 - name: cinder-etc
203 mountPath: /etc/ceph/external-ceph.conf
204 subPath: external-ceph.conf
205 readOnly: true
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000206 {{- end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500207 {{- if .Values.ceph_client.external_ceph.rbd_user }}
208 - name: external-ceph-keyring
209 mountPath: /tmp/external-ceph-client-keyring
210 subPath: key
211 readOnly: true
212 {{- end }}
213 {{- end }}
214 {{- end }}
215 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
216 - name: cinder-coordination
217 mountPath: {{ ( split "://" .Values.conf.cinder.coordination.backend_url )._1 }}
218 {{- end }}
219 - name: cinder-etc
220 # NOTE (Portdirect): We mount here to override Kollas
221 # custom sudoers file when using Kolla images, this
222 # location will also work fine for other images.
223 mountPath: /etc/sudoers.d/kolla_cinder_sudoers
224 subPath: cinder_sudoers
225 readOnly: true
226 - name: cinder-etc
227 mountPath: /etc/sudoers.d/kolla_cinder_volume_sudoers
228 subPath: cinder_sudoers
229 readOnly: true
230 - name: cinder-etc
231 mountPath: /etc/cinder/rootwrap.conf
232 subPath: rootwrap.conf
233 readOnly: true
234 {{- range $key, $value := $envAll.Values.conf.rootwrap_filters }}
235 {{- if ( has "volume" $value.pods ) }}
236 {{- $filePrefix := replace "_" "-" $key }}
237 {{- $rootwrapFile := printf "/etc/cinder/rootwrap.d/%s.filters" $filePrefix }}
238 - name: cinder-etc
239 mountPath: {{ $rootwrapFile }}
240 subPath: {{ base $rootwrapFile }}
241 readOnly: true
242 {{- end }}
243 {{- end }}
vexxhost-bot0d93f222024-11-24 21:08:09 -0500244 {{- range $key, $backend := .Values.conf.backends }}
245 {{- if $backend.nfs_shares_config }}
246 - name: cinder-etc
247 mountPath: /etc/cinder/nfs/{{ $key }}
248 subPath: nfs-{{ $key }}
249 readOnly: true
250 {{- end }}
251 {{- end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500252 {{- if .Values.conf.enable_iscsi }}
253 - name: host-rootfs
254 mountPath: /mnt/host-rootfs
255 {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
256 mountPropagation: HostToContainer
257 {{- end }}
258 - name: host-dev
259 mountPath: /dev
260 {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
261 mountPropagation: HostToContainer
262 {{- end }}
263 - name: runlock
264 mountPath: /run/lock
265 - name: etciscsi
266 mountPath: /etc/iscsi
267 {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
268 mountPropagation: HostToContainer
269 {{- end }}
270 - name: usrlocalsbin
271 mountPath: /usr/local/sbin
272 - name: cinder-bin
273 mountPath: /usr/local/sbin/iscsiadm
274 subPath: iscsiadm
275 - name: cinder-bin
276 mountPath: /usr/local/sbin/multipath
277 subPath: multipath
278 - name: cinder-bin
279 mountPath: /usr/local/sbin/multipathd
280 subPath: multipathd
281 - name: etcmultipath
282 mountPath: /etc/multipath
283 {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
284 mountPropagation: Bidirectional
285 {{- end }}
286 - name: sys
287 mountPath: /sys
288 {{- if or ( gt .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "10" ) }}
289 mountPropagation: HostToContainer
290 {{- end }}
291 {{- end }}
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100292{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal "path" "/etc/cinder/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500293{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
294{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
295{{ if $mounts_cinder_volume.volumeMounts }}{{ toYaml $mounts_cinder_volume.volumeMounts | indent 12 }}{{ end }}
296 volumes:
297 - name: pod-tmp
298 emptyDir: {}
299 - name: cinder-bin
300 configMap:
301 name: cinder-bin
302 defaultMode: 0555
303 - name: cinder-etc
304 secret:
305 secretName: cinder-etc
306 defaultMode: 0444
307 - name: pod-shared
308 emptyDir: {}
309 - name: cinder-conversion
310 emptyDir: {}
311 {{- if eq "true" (include "cinder.utils.has_ceph_backend" $envAll) }}
312 - name: etcceph
313 emptyDir: {}
314 - name: ceph-etc
315 configMap:
316 name: {{ .Values.ceph_client.configmap }}
317 defaultMode: 0444
Mohammed Naserbcdd25c2023-01-18 03:38:47 +0000318 {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.configmap }}
319 - name: external-ceph-etc
320 configMap:
321 name: {{ .Values.ceph_client.external_ceph.configmap }}
322 defaultMode: 0444
323 {{- end }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500324 - name: ceph-keyring
325 secret:
326 secretName: {{ .Values.secrets.rbd.volume | quote }}
327 {{- if and .Values.ceph_client.enable_external_ceph_backend .Values.ceph_client.external_ceph.rbd_user }}
328 - name: external-ceph-keyring
329 secret:
330 secretName: {{ .Values.secrets.rbd.volume_external | quote }}
331 {{ end }}
332 {{ end }}
333 {{- if eq ( split "://" .Values.conf.cinder.coordination.backend_url )._0 "file" }}
334 # NOTE (portdirect): this will need to be set to a shared mount amongst all cinder
335 # pods for the coordination backend to be fully functional.
336 - name: cinder-coordination
337 emptyDir: {}
338 {{- end }}
339 {{- if .Values.conf.enable_iscsi }}
340 - name: host-rootfs
341 hostPath:
342 path: /
343 - name: host-dev
344 hostPath:
345 path: /dev
346 - name: runlock
347 hostPath:
348 path: /run/lock
349 - name: etciscsi
350 hostPath:
351 path: /etc/iscsi
352 - name: usrlocalsbin
353 emptyDir: {}
354 - name: etcmultipath
355 hostPath:
356 path: /etc/multipath
357 - name: sys
358 hostPath:
359 path: /sys
360 {{- end }}
361{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
Oleksandr Kozachenkoa10d7852023-02-02 22:01:16 +0100362{{- dict "enabled" (or .Values.manifests.certificates .Values.tls.identity) "name" .Values.secrets.tls.volume.api.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
Mohammed Naserf3f59a72023-01-15 21:02:04 -0500363{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
364{{ if $mounts_cinder_volume.volumes }}{{ toYaml $mounts_cinder_volume.volumes | indent 8 }}{{ end }}
365{{- end }}