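# Controller Service
#
# Helm template for the ebs-csi-controller Deployment. The pod runs the
# ebs-plugin container (passed the `controller` argument unless the release is
# named "kustomize") together with the csi-provisioner, csi-attacher,
# csi-resizer and liveness-probe sidecars, plus csi-snapshotter when the
# cluster serves a snapshot.storage.k8s.io API version.
# Every container mounts the shared socket-dir emptyDir volume that holds the
# CSI socket; only ebs-plugin mounts the aws-token projected volume.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ebs-csi-controller
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.controller.replicaCount }}
  {{- with .Values.controller.updateStrategy }}
  strategy:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  selector:
    matchLabels:
      app: ebs-csi-controller
      {{- include "aws-ebs-csi-driver.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        app: ebs-csi-controller
        {{- include "aws-ebs-csi-driver.labels" . | nindent 8 }}
        {{- if .Values.controller.podLabels }}
        {{- toYaml .Values.controller.podLabels | nindent 8 }}
        {{- end }}
      {{- if .Values.controller.podAnnotations }}
      annotations:
        {{- toYaml .Values.controller.podAnnotations | nindent 8 }}
      {{- end }}
    spec:
      nodeSelector:
        kubernetes.io/os: linux
        {{- with .Values.controller.nodeSelector }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      serviceAccountName: {{ .Values.controller.serviceAccount.name }}
      # Rendered only when set, so an unset value does not leave a bare null key.
      {{- with .Values.controller.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- with .Values.controller.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        # No key and operator Exists: tolerates every NoExecute taint, for 300 seconds.
        - operator: Exists
          effect: NoExecute
          tolerationSeconds: 300
        {{- with .Values.controller.tolerations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- if .Values.controller.topologySpreadConstraints }}
      # labelSelector.matchLabels.app=ebs-csi-controller is merged into every
      # constraint from values, overwriting that key if the values supply it.
      {{- $tscLabelSelector := dict "labelSelector" ( dict "matchLabels" ( dict "app" "ebs-csi-controller" ) ) }}
      {{- $constraints := list }}
      {{- range .Values.controller.topologySpreadConstraints }}
      {{- $constraints = mustAppend $constraints (mergeOverwrite . $tscLabelSelector) }}
      {{- end }}
      topologySpreadConstraints:
        {{- $constraints | toYaml | nindent 8 }}
      {{- end }}
      # Pod- and container-level securityContext blocks are rendered only when the
      # chart values define them; this template sets no default of its own.
      # NOTE(review): confirm the values in use run the containers as non-root
      # with privilege escalation disabled.
      {{- with .Values.controller.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      # initContainers, env, envFrom and additionalArgs are copied from values
      # verbatim, so whoever controls the values controls these pod-spec fragments.
      {{- with .Values.controller.initContainers }}
      initContainers:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: ebs-plugin
          # Image is referenced by tag (default: "v" + chart appVersion). Tags are
          # mutable; enforce provenance with digest or signature verification at
          # admission if that matters for the cluster.
          image: {{ printf "%s:%s" .Values.image.repository (default (printf "v%s" .Chart.AppVersion) (.Values.image.tag | toString)) }}
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          args:
            {{- if ne .Release.Name "kustomize" }}
            - controller
            {{- else }}
            # - {all,controller,node} # specify the driver mode
            {{- end }}
            - --endpoint=$(CSI_ENDPOINT)
            {{- if .Values.controller.extraVolumeTags }}
            {{- include "aws-ebs-csi-driver.extra-volume-tags" . | nindent 12 }}
            {{- end }}
            {{- with .Values.controller.k8sTagClusterId }}
            - --k8s-tag-cluster-id={{ . }}
            {{- end }}
            # With metrics enabled and no explicit httpEndpoint, the HTTP endpoint
            # listens on every pod interface, port 3301. This template adds no
            # authentication or NetworkPolicy for it; restrict access to the
            # scraper at the network layer.
            {{- if and (.Values.controller.enableMetrics) (not .Values.controller.httpEndpoint) }}
            - --http-endpoint=0.0.0.0:3301
            {{- end }}
            {{- with .Values.controller.httpEndpoint }}
            - --http-endpoint={{ . }}
            {{- end }}
            - --logtostderr
            - --v={{ .Values.controller.logLevel }}
            {{- range .Values.controller.additionalArgs }}
            - {{ . }}
            {{- end }}
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
            - name: CSI_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Optional static credentials: injected only if a Secret named
            # aws-secret exists in the release namespace. Long-lived keys stored
            # there are readable by every principal allowed to read Secrets in
            # this namespace; where the service-account token below is usable,
            # leave the Secret absent.
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: aws-secret
                  key: key_id
                  optional: true
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: aws-secret
                  key: access_key
                  optional: true
            - name: AWS_EC2_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: aws-meta
                  key: endpoint
                  optional: true
            {{- with .Values.controller.region }}
            - name: AWS_REGION
              # Quoted so the rendered env value is always a YAML string.
              value: {{ . | quote }}
            {{- end }}
            {{- if .Values.proxy.http_proxy }}
            {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
            {{- end }}
            {{- with .Values.controller.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
          # controller.envFrom is applied to every container in this pod, so any
          # Secret or ConfigMap referenced there is exposed to all sidecars too.
          # Rendered only when set, which avoids a bare `envFrom:` (null) key.
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
            # Service-account token with the sts.amazonaws.com audience, mounted
            # read-only and only into this container.
            - name: aws-token
              mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
              readOnly: true
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
            {{- if .Values.controller.enableMetrics }}
            - name: metrics
              containerPort: 3301
              protocol: TCP
            {{- end }}
          # NOTE(review): /healthz on port 9808 is presumably served by the
          # liveness-probe sidecar in the shared pod network namespace; confirm.
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          {{- with .Values.controller.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.controller.containerSecurityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        # Sidecars: imagePullPolicy falls back to image.pullPolicy and resources
        # fall back to controller.resources when the sidecar has no own value.
        - name: csi-provisioner
          image: {{ printf "%s:%s" .Values.sidecars.provisioner.image.repository .Values.sidecars.provisioner.image.tag }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.provisioner.image.pullPolicy }}
          args:
            - --csi-address=$(ADDRESS)
            - --v={{ .Values.sidecars.provisioner.logLevel }}
            - --feature-gates=Topology=true
            {{- if .Values.controller.extraCreateMetadata }}
            - --extra-create-metadata
            {{- end }}
            # `required` aborts rendering when leaderElection.enabled is unset.
            - --leader-election={{ .Values.sidecars.provisioner.leaderElection.enabled | required "leader election state for csi-provisioner is required, must be set to true || false." }}
            {{- if .Values.sidecars.provisioner.leaderElection.enabled }}
            {{- if .Values.sidecars.provisioner.leaderElection.leaseDuration }}
            - --leader-election-lease-duration={{ .Values.sidecars.provisioner.leaderElection.leaseDuration }}
            {{- end }}
            {{- if .Values.sidecars.provisioner.leaderElection.renewDeadline }}
            - --leader-election-renew-deadline={{ .Values.sidecars.provisioner.leaderElection.renewDeadline }}
            {{- end }}
            {{- if .Values.sidecars.provisioner.leaderElection.retryPeriod }}
            - --leader-election-retry-period={{ .Values.sidecars.provisioner.leaderElection.retryPeriod }}
            {{- end }}
            {{- end }}
            - --default-fstype={{ .Values.controller.defaultFsType }}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            {{- if .Values.proxy.http_proxy }}
            {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
            {{- end }}
            {{- with .Values.sidecars.provisioner.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          {{- with default .Values.controller.resources .Values.sidecars.provisioner.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.sidecars.provisioner.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: csi-attacher
          image: {{ printf "%s:%s" .Values.sidecars.attacher.image.repository .Values.sidecars.attacher.image.tag }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.attacher.image.pullPolicy }}
          args:
            - --csi-address=$(ADDRESS)
            - --v={{ .Values.sidecars.attacher.logLevel }}
            # `required` aborts rendering when leaderElection.enabled is unset.
            - --leader-election={{ .Values.sidecars.attacher.leaderElection.enabled | required "leader election state for csi-attacher is required, must be set to true || false." }}
            {{- if .Values.sidecars.attacher.leaderElection.enabled }}
            {{- if .Values.sidecars.attacher.leaderElection.leaseDuration }}
            - --leader-election-lease-duration={{ .Values.sidecars.attacher.leaderElection.leaseDuration }}
            {{- end }}
            {{- if .Values.sidecars.attacher.leaderElection.renewDeadline }}
            - --leader-election-renew-deadline={{ .Values.sidecars.attacher.leaderElection.renewDeadline }}
            {{- end }}
            {{- if .Values.sidecars.attacher.leaderElection.retryPeriod }}
            - --leader-election-retry-period={{ .Values.sidecars.attacher.leaderElection.retryPeriod }}
            {{- end }}
            {{- end }}
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            {{- if .Values.proxy.http_proxy }}
            {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
            {{- end }}
            {{- with .Values.sidecars.attacher.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          {{- with default .Values.controller.resources .Values.sidecars.attacher.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.sidecars.attacher.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        # csi-snapshotter is rendered only when the cluster advertises a
        # snapshot.storage.k8s.io API version (v1beta1 or v1).
        {{- if or (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "snapshot.storage.k8s.io/v1") }}
        - name: csi-snapshotter
          image: {{ printf "%s:%s" .Values.sidecars.snapshotter.image.repository .Values.sidecars.snapshotter.image.tag }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.snapshotter.image.pullPolicy }}
          args:
            - --csi-address=$(ADDRESS)
            - --leader-election=true
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            {{- if .Values.proxy.http_proxy }}
            {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
            {{- end }}
            {{- with .Values.sidecars.snapshotter.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          {{- with default .Values.controller.resources .Values.sidecars.snapshotter.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.sidecars.snapshotter.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        {{- end }}
        - name: csi-resizer
          image: {{ printf "%s:%s" .Values.sidecars.resizer.image.repository .Values.sidecars.resizer.image.tag }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.resizer.image.pullPolicy }}
          args:
            - --csi-address=$(ADDRESS)
            - --v={{ .Values.sidecars.resizer.logLevel }}
            - --handle-volume-inuse-error=false
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
            {{- if .Values.proxy.http_proxy }}
            {{- include "aws-ebs-csi-driver.http-proxy" . | nindent 12 }}
            {{- end }}
            {{- with .Values.sidecars.resizer.env }}
            {{- . | toYaml | nindent 12 }}
            {{- end }}
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          {{- with default .Values.controller.resources .Values.sidecars.resizer.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.sidecars.resizer.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        - name: liveness-probe
          image: {{ printf "%s:%s" .Values.sidecars.livenessProbe.image.repository .Values.sidecars.livenessProbe.image.tag }}
          imagePullPolicy: {{ default .Values.image.pullPolicy .Values.sidecars.livenessProbe.image.pullPolicy }}
          args:
            - --csi-address=/csi/csi.sock
          {{- with .Values.controller.envFrom }}
          envFrom:
            {{- . | toYaml | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
          {{- with default .Values.controller.resources .Values.sidecars.livenessProbe.resources }}
          resources:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.sidecars.livenessProbe.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- if .Values.imagePullSecrets }}
      imagePullSecrets:
      {{- range .Values.imagePullSecrets }}
        - name: {{ . }}
      {{- end }}
      {{- end }}
      volumes:
        # Pod-local directory for the CSI socket, shared by all containers.
        - name: socket-dir
          emptyDir: {}
        # Projected service-account token: audience sts.amazonaws.com, requested
        # lifetime 86400 seconds (24 hours).
        - name: aws-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 86400
                  audience: "sts.amazonaws.com"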