feat: migrate CSI drivers to dedicated storage project (#45)

- Migrate csi-cephfs from Terraform to ArgoCD
- Migrate csi-cephrbd from Terraform to ArgoCD
- Create dedicated storage project and ApplicationSet for CSI drivers
- Add csi-* pattern matching in storage ApplicationSet
- Remove CSI apps from platform project to separate concerns

Reviewed-on: #45
This commit was merged in pull request #45.
This commit is contained in:
2026-03-19 01:29:31 +11:00
parent 06a8f98b5c
commit 90f793464b
16 changed files with 394 additions and 0 deletions
+9
View File
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
+5
View File
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephfs
+83
View File
@@ -0,0 +1,83 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid6-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_6_2"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_6_2
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-delete
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs-raid5-retain
provisioner: cephfs.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "cephfs_csi_ssd_ec_4_1"
fsName: "cephfs"
subVolumeGroup: csi_ssd_ec_4_1
csi.storage.k8s.io/provisioner-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-expand-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/node-stage-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephfs"
csi.storage.k8s.io/controller-publish-secret-name: "csi-cephfs-secret"
csi.storage.k8s.io/controller-publish-secret-namespace: "csi-cephfs"
+18
View File
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-cephfs
namespace: csi-cephfs
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephfs
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-cephfs-csi-cephfs-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-cephfs-secret
namespace: csi-cephfs
spec:
vaultAuthRef: ceph-csi-cephfs
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-cephfs-secret
refreshAfter: 5m
destination:
name: csi-cephfs-secret
create: true
+9
View File
@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- vaultauth.yaml
- vaultstaticsecret.yaml
- storageclass.yaml
+5
View File
@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: csi-cephrbd
+39
View File
@@ -0,0 +1,39 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-delete
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: rbd.csi.ceph.com
reclaimPolicy: Delete
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephrbd-fast-retain
provisioner: rbd.csi.ceph.com
reclaimPolicy: Retain
allowVolumeExpansion: true
parameters:
clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
pool: "kubernetes"
imageFeatures: "layering"
csi.storage.k8s.io/provisioner-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/provisioner-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/controller-expand-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/controller-expand-secret-namespace: "csi-cephrbd"
csi.storage.k8s.io/node-stage-secret-name: "csi-rbd-secret"
csi.storage.k8s.io/node-stage-secret-namespace: "csi-cephrbd"
+18
View File
@@ -0,0 +1,18 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ceph-csi-rbd
namespace: csi-cephrbd
spec:
method: kubernetes
mount: k8s/au/syd1
vaultConnectionRef: vso-system/default
allowedNamespaces:
- csi-cephrbd
kubernetes:
role: ceph-csi
serviceAccount: ceph-csi-rbd-csi-rbd-provisioner
audiences:
- vault
tokenExpirationSeconds: 600
@@ -0,0 +1,15 @@
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: csi-rbd-secret
namespace: csi-cephrbd
spec:
vaultAuthRef: ceph-csi-rbd
mount: kv
type: kv-v2
path: service/kubernetes/au/syd1/csi/ceph-rbd-secret
refreshAfter: 5m
destination:
name: csi-rbd-secret
create: true
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/csi-cephfs
helmCharts:
- name: ceph-csi-cephfs
repo: https://ceph.github.io/csi-charts
version: "3.15.0"
releaseName: ceph-csi-cephfs
namespace: csi-cephfs
valuesFile: values.yaml
@@ -0,0 +1,41 @@
csiConfig:
# raid6, 75% space efficiency
- clusterID: "cephfs_csi_ssd_ec_6_2"
monitors:
- "198.18.23.9:6789"
- "198.18.23.10:6789"
- "198.18.23.11:6789"
- "198.18.23.12:6789"
- "198.18.23.13:6789"
cephFS:
subvolumeGroup: csi_ssd_ec_6_2
# raid5, 80% space efficiency
- clusterID: "cephfs_csi_ssd_ec_4_1"
monitors:
- "198.18.23.9:6789"
- "198.18.23.10:6789"
- "198.18.23.11:6789"
- "198.18.23.12:6789"
- "198.18.23.13:6789"
cephFS:
subvolumeGroup: csi_ssd_ec_4_1
# Secret containing Ceph credentials
secret:
create: false
name: "csi-cephfs-secret"
# Storage class configuration (disabled - managed separately when needed)
storageClass:
create: false
# Provisioner configuration
provisioner:
name: csi-cephfs-provisioner
replicaCount: 3
# Image versions
image:
repository: quay.io/cephcsi/cephcsi
tag: v3.15.0
@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../base/csi-cephrbd
helmCharts:
- name: ceph-csi-rbd
repo: https://ceph.github.io/csi-charts
version: "3.15.1"
releaseName: ceph-csi-rbd
namespace: csi-cephrbd
valuesFile: values.yaml
@@ -0,0 +1,48 @@
csiConfig:
- clusterID: "de96a98f-3d23-465a-a899-86d3d67edab8"
monitors:
- "198.18.23.9:6789"
- "198.18.23.10:6789"
- "198.18.23.11:6789"
- "198.18.23.12:6789"
- "198.18.23.13:6789"
# Secret containing Ceph credentials
secret:
create: false
name: "csi-rbd-secret"
# Storage class configuration (disabled - managed separately)
storageClass:
create: false
# CSI driver configuration
csiDriver:
name: "rbd.csi.ceph.com"
# Node plugin configuration
nodeplugin:
name: csi-rbdplugin
updateStrategy: RollingUpdate
# Provisioner configuration
provisioner:
name: csi-rbd-provisioner
replicaCount: 3
# Image versions
image:
repository: quay.io/cephcsi/cephcsi
tag: v3.15.0
# Enable snapshots
snapshotter:
image:
repository: registry.k8s.io/sig-storage/csi-snapshotter
tag: v8.0.1
# Enable volume expansion
resizer:
image:
repository: registry.k8s.io/sig-storage/csi-resizer
tag: v1.12.0
+29
View File
@@ -0,0 +1,29 @@
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: storage-apps
namespace: argocd
spec:
generators:
- git:
repoURL: https://git.unkin.net/unkin/argocd-apps
revision: HEAD
directories:
- path: apps/overlays/*/csi-*
template:
metadata:
name: 'storage-{{path[3]}}' # cluster-app format (e.g., storage-csi-cephfs)
spec:
project: storage
source:
repoURL: https://git.unkin.net/unkin/argocd-apps
targetRevision: HEAD
path: '{{path}}'
destination:
server: https://kubernetes.default.svc
namespace: '{{path[3]}}' # Use directory name as namespace
syncPolicy:
automated:
prune: true
selfHeal: true
+32
View File
@@ -0,0 +1,32 @@
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: storage
namespace: argocd
spec:
description: Storage infrastructure and CSI drivers
sourceRepos:
- https://git.unkin.net/unkin/argocd-apps
- https://ceph.github.io/csi-charts
destinations:
- namespace: 'csi-*'
server: https://kubernetes.default.svc
clusterResourceWhitelist:
- group: ''
kind: Namespace
- group: 'rbac.authorization.k8s.io'
kind: ClusterRole
- group: 'rbac.authorization.k8s.io'
kind: ClusterRoleBinding
- group: 'apiextensions.k8s.io'
kind: CustomResourceDefinition
- group: 'storage.k8s.io'
kind: StorageClass
- group: 'storage.k8s.io'
kind: CSIDriver
- group: 'scheduling.k8s.io'
kind: PriorityClass
namespaceResourceWhitelist:
- group: '*'
kind: '*'