From 64d5d55457a2f23bf4f4b5d7c1180ab79580fd64 Mon Sep 17 00:00:00 2001
From: mlmhl
Date: Sun, 3 Mar 2019 16:10:48 +0800
Subject: [PATCH] add example YAMLs for deploying external-resizer
---
deploy/kubernetes/deployment.yaml | 57 ++++++++++++++++++++
deploy/kubernetes/rbac.yaml | 90 +++++++++++++++++++++++++++++++
2 files changed, 147 insertions(+)
create mode 100644 deploy/kubernetes/deployment.yaml
create mode 100644 deploy/kubernetes/rbac.yaml
diff --git a/deploy/kubernetes/deployment.yaml b/deploy/kubernetes/deployment.yaml
new file mode 100644
index 000000000..7703e63b8
--- /dev/null
+++ b/deploy/kubernetes/deployment.yaml
@@ -0,0 +1,57 @@
+# This YAML file demonstrates how to deploy the external
+# resizer for use with the mock CSI driver. It
+# depends on the RBAC definitions from rbac.yaml.
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ name: csi-resizer
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ external-resizer: mock-driver
+ template:
+ metadata:
+ labels:
+ external-resizer: mock-driver
+ spec:
+ serviceAccount: csi-resizer
+ containers:
+ - name: csi-resizer
+ image: quay.io/k8scsi/csi-resizer
+ args:
+ - "--v=5"
+ - "--csi-address=$(ADDRESS)"
+ - "--leader-election"
+ - "--leader-election-namespace=$(MY_NAMESPACE)"
+ - "--leader-election-identity=$(MY_NAME)"
+ env:
+ - name: MY_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: ADDRESS
+ value: /var/lib/csi/sockets/pluginproxy/mock.socket
+ imagePullPolicy: "IfNotPresent"
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+
+ - name: mock-driver
+ image: quay.io/k8scsi/mock-plugin
+ imagePullPolicy: "IfNotPresent"
+ env:
+ - name: CSI_ENDPOINT
+ value: /var/lib/csi/sockets/pluginproxy/mock.socket
+ volumeMounts:
+ - name: socket-dir
+ mountPath: /var/lib/csi/sockets/pluginproxy/
+
+ volumes:
+ - name: socket-dir
+ emptyDir:
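Review bot: Both `image:` lines (`quay.io/k8scsi/csi-resizer` and `quay.io/k8scsi/mock-plugin`) carry no tag or digest, so they resolve to `latest`, and with `imagePullPolicy: "IfNotPresent"` each node keeps whatever build it happened to pull first; a pod that runs under the cluster-wide `csi-resizer` RBAC should run a known image. Pin each one to a release, e.g. `image: quay.io/k8scsi/csi-resizer:<release-tag>` or `image: quay.io/k8scsi/csi-resizer@sha256:<digest>`. Neither container sets a `securityContext`; if the images tolerate it, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` would narrow what a compromised sidecar can do. `serviceAccount:` is the deprecated alias of `serviceAccountName:`, and the Deployment has no `metadata.namespace`, so it only finds the `csi-resizer` ServiceAccount when it is applied to the same namespace that rbac.yaml names.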
diff --git a/deploy/kubernetes/rbac.yaml b/deploy/kubernetes/rbac.yaml
new file mode 100644
index 000000000..82b5640b5
--- /dev/null
+++ b/deploy/kubernetes/rbac.yaml
@@ -0,0 +1,90 @@
+# This YAML file contains all RBAC objects that are necessary to run external
+# CSI resizer.
+#
+# In production, each CSI driver deployment has to be customized:
+# - to avoid conflicts, use non-default namespace and different names
+# for non-namespaced entities like the ClusterRole
+# - decide whether the deployment replicates the external CSI
+# resizer, in which case leadership election must be enabled;
+# this influences the RBAC setup, see below
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: csi-resizer
+ # replace with non-default namespace name
+ namespace: default
+
+---
+# Resizer must be able to work with PVCs, PVs, SCs.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: external-resizer-runner
+rules:
+ # The following rule should be uncommented for plugins that require secrets
+ # for provisioning.
+ # - apiGroups: [""]
+ # resources: ["secrets"]
+ # verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-resizer-role
+subjects:
+ - kind: ServiceAccount
+ name: csi-resizer
+ # replace with non-default namespace name
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: external-resizer-runner
+ apiGroup: rbac.authorization.k8s.io
+
+---
+# Resizer must be able to work with end point in current namespace
+# if (and only if) leadership election is enabled
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ # replace with non-default namespace name
+ namespace: default
+ name: external-resizer-cfg
+rules:
+- apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: csi-resizer-role-cfg
+ # replace with non-default namespace name
+ namespace: default
+subjects:
+ - kind: ServiceAccount
+ name: csi-resizer
+ # replace with non-default namespace name
+ namespace: default
+roleRef:
+ kind: Role
+ name: external-resizer-cfg
+ apiGroup: rbac.authorization.k8s.io
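Review bot: The `external-resizer-cfg` Role grants `get`, `watch`, `list`, `delete`, `update` and `create` on every Endpoints object in its namespace, and the manifest ships with `namespace: default`, so as written the resizer's service account can modify or delete the Endpoints of any Service there, not only its own election lock. If the election code touches a single lock object, keep `create` in one rule and move the remaining verbs to a rule with `resourceNames: ["<leader-election-lock-name>"]`; otherwise the header comment should say that this Role is the reason a dedicated namespace is required rather than optional. The commented-out `secrets` rule in `external-resizer-runner` says "for provisioning" and would give cluster-wide read on all Secrets once uncommented; I would reword it to `# Uncomment only for drivers that need secrets for resizing; this grants read access to Secrets in every namespace.` The `rules:` list in this Role is also written flush-left while every other list in the file is indented.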