From f3798c49e3fcf7d115afd96cf98403e3465040cd Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 6 Sep 2025 22:57:05 -0500 Subject: [PATCH 1/3] democratic-csi: Initial deployment Deploying _democratic-csi_ to manage PersistentVolumeClaim resources, mapping them to iSCSI volumes on the Synology. Eventually, all Longhorn-managed PVCs will be replaced with Synology iSCSI volumes. Getting rid of Longhorn should free up a lot of resources and remove a point of failure from the cluster. --- argocd/applications/csi-synology.yaml | 16 ++ democratic-csi/.gitignore | 2 + democratic-csi/democratic-csi.yaml | 325 +++++++++++++++++++++++++ democratic-csi/driver-config-file.yaml | 93 +++++++ democratic-csi/kustomization.yaml | 32 +++ democratic-csi/namespace.yaml | 4 + democratic-csi/rbac.yaml | 316 ++++++++++++++++++++++++ democratic-csi/secrets.yaml | 69 ++++++ democratic-csi/storageclass.yaml | 11 + 9 files changed, 868 insertions(+) create mode 100644 argocd/applications/csi-synology.yaml create mode 100644 democratic-csi/.gitignore create mode 100644 democratic-csi/democratic-csi.yaml create mode 100644 democratic-csi/driver-config-file.yaml create mode 100644 democratic-csi/kustomization.yaml create mode 100644 democratic-csi/namespace.yaml create mode 100644 democratic-csi/rbac.yaml create mode 100644 democratic-csi/secrets.yaml create mode 100644 democratic-csi/storageclass.yaml diff --git a/argocd/applications/csi-synology.yaml b/argocd/applications/csi-synology.yaml new file mode 100644 index 0000000..ce14247 --- /dev/null +++ b/argocd/applications/csi-synology.yaml @@ -0,0 +1,16 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: csi-synology + namespace: argocd +spec: + destination: + server: https://kubernetes.default.svc + project: default + source: + path: democratic-csi + repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git + targetRevision: master + syncPolicy: + automated: + prune: true 
diff --git a/democratic-csi/.gitignore b/democratic-csi/.gitignore new file mode 100644 index 0000000..99be357 --- /dev/null +++ b/democratic-csi/.gitignore @@ -0,0 +1,2 @@ +synology.password +synology-iscsi-chap.yaml diff --git a/democratic-csi/democratic-csi.yaml b/democratic-csi/democratic-csi.yaml new file mode 100644 index 0000000..3287974 --- /dev/null +++ b/democratic-csi/democratic-csi.yaml 
@@ -0,0 +1,325 @@ +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: csi-synology-democratic-csi-node + namespace: democratic-csi + labels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: node + app.kubernetes.io/component: node-linux +spec: + selector: + matchLabels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: node + app.kubernetes.io/component: node-linux + template: + metadata: + labels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: node + app.kubernetes.io/component: node-linux + spec: + serviceAccount: csi-synology-democratic-csi-node-sa + priorityClassName: system-node-critical + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + hostAliases: [] + hostIPC: true + hostPID: false + containers: + - name: csi-driver + image: docker.io/democraticcsi/democratic-csi:latest + args: + - --csi-version=1.5.0 + - --csi-name=org.democratic-csi.iscsi-synology + - --driver-config-file=/config/driver-config-file.yaml + - --log-level=info + - --csi-mode=node + - --server-socket=/csi-data/csi.sock.internal + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_ADMIN + privileged: true + env: + - name: CSI_NODE_ID + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + terminationMessagePath: /tmp/termination-log + terminationMessagePolicy: File + livenessProbe: + failureThreshold: 3 + exec: + command: + - bin/liveness-probe + - --csi-version=1.5.0 + - --csi-address=/csi-data/csi.sock.internal + initialDelaySeconds: 10 + timeoutSeconds: 15 + periodSeconds: 60 + volumeMounts: + - name: socket-dir + mountPath: /csi-data + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: Bidirectional + - name: iscsi-dir + mountPath: /etc/iscsi + mountPropagation: Bidirectional + - name: iscsi-info + mountPath: /var/lib/iscsi + mountPropagation: Bidirectional + - name: modules-dir + mountPath: /lib/modules + readOnly: true + - name: localtime + 
mountPath: /etc/localtime + readOnly: true + - name: udev-data + mountPath: /run/udev + - name: host-dir + mountPath: /host + mountPropagation: Bidirectional + - mountPath: /sys + name: sys-dir + - name: dev-dir + mountPath: /dev + - name: config + mountPath: /config + - name: csi-proxy + image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6 + env: + - name: BIND_TO + value: unix:///csi-data/csi.sock + - name: PROXY_TO + value: unix:///csi-data/csi.sock.internal + volumeMounts: + - mountPath: /csi-data + name: socket-dir + - name: driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.0 + args: + - --v=5 + - --csi-address=/csi-data/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock + env: + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + livenessProbe: + exec: + command: + - /csi-node-driver-registrar + - --kubelet-registration-path=/var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology/csi.sock + - --mode=kubelet-registration-probe + volumeMounts: + - mountPath: /csi-data + name: socket-dir + - name: registration-dir + mountPath: /registration + - name: kubelet-dir + mountPath: /var/lib/kubelet + - name: cleanup + image: docker.io/busybox:1.37.0 + command: + - /bin/sh + args: + - -c + - |- + sleep infinity & + trap 'kill !$' INT TERM + wait + lifecycle: + preStop: + exec: + command: + - /bin/sh + - -c + - rm -rf /plugins/org.democratic-csi.iscsi-synology /registration/org.democratic-csi.iscsi-synology-reg.sock + volumeMounts: + - name: plugins-dir + mountPath: /plugins + - name: registration-dir + mountPath: /registration + volumes: + - name: socket-dir + hostPath: + path: /var/lib/kubelet/plugins/org.democratic-csi.iscsi-synology + type: DirectoryOrCreate + - name: plugins-dir + hostPath: + path: /var/lib/kubelet/plugins + type: Directory + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry + type: 
Directory + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: iscsi-dir + hostPath: + path: /etc/iscsi + type: Directory + - name: iscsi-info + hostPath: + path: /var/lib/iscsi + - name: dev-dir + hostPath: + path: /dev + type: Directory + - name: modules-dir + hostPath: + path: /lib/modules + - name: localtime + hostPath: + path: /etc/localtime + - name: udev-data + hostPath: + path: /run/udev + - name: sys-dir + hostPath: + path: /sys + type: Directory + - name: host-dir + hostPath: + path: / + type: Directory + - name: config + secret: + secretName: csi-synology-democratic-csi-driver-config + nodeSelector: + kubernetes.io/os: linux + +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: csi-synology-democratic-csi-controller + namespace: democratic-csi + labels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: controller + app.kubernetes.io/component: controller-linux +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: controller + app.kubernetes.io/component: controller-linux + template: + metadata: + labels: + app.kubernetes.io/name: democratic-csi + app.kubernetes.io/csi-role: controller + app.kubernetes.io/component: controller-linux + spec: + serviceAccount: csi-synology-democratic-csi-controller-sa + priorityClassName: system-cluster-critical + hostNetwork: false + dnsPolicy: ClusterFirst + hostAliases: [] + hostIPC: false + containers: + - name: external-attacher + image: registry.k8s.io/sig-storage/csi-attacher:v4.4.0 + args: + - --v=5 + - --leader-election + - --leader-election-namespace=democratic-csi + - --timeout=90s + - --worker-threads=10 + - --csi-address=/csi-data/csi.sock + volumeMounts: + - mountPath: /csi-data + name: socket-dir + - name: external-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v3.6.0 + args: + - --v=5 + - --leader-election + - --leader-election-namespace=democratic-csi + - 
--timeout=90s + - --worker-threads=10 + - --extra-create-metadata + - --csi-address=/csi-data/csi.sock + volumeMounts: + - mountPath: /csi-data + name: socket-dir + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: csi-driver + image: docker.io/democraticcsi/democratic-csi:latest + args: + - --csi-version=1.5.0 + - --csi-name=org.democratic-csi.iscsi-synology + - --driver-config-file=/config/driver-config-file.yaml + - --log-level=debug + - --csi-mode=controller + - --server-socket=/csi-data/csi.sock.internal + livenessProbe: + failureThreshold: 3 + exec: + command: + - bin/liveness-probe + - --csi-version=1.5.0 + - --csi-address=/csi-data/csi.sock.internal + initialDelaySeconds: 10 + timeoutSeconds: 15 + periodSeconds: 60 + volumeMounts: + - name: socket-dir + mountPath: /csi-data + - name: config + mountPath: /config + - name: csi-proxy + image: docker.io/democraticcsi/csi-grpc-proxy:v0.5.6 + env: + - name: BIND_TO + value: unix:///csi-data/csi.sock + - name: PROXY_TO + value: unix:///csi-data/csi.sock.internal + volumeMounts: + - mountPath: /csi-data + name: socket-dir + volumes: + - name: socket-dir + emptyDir: {} + - name: config + secret: + secretName: csi-synology-democratic-csi-driver-config + nodeSelector: + kubernetes.io/os: linux + +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: org.democratic-csi.iscsi-synology + labels: + app.kubernetes.io/name: democratic-csi +spec: + attachRequired: true + podInfoOnMount: true diff --git a/democratic-csi/driver-config-file.yaml b/democratic-csi/driver-config-file.yaml new file mode 100644 index 0000000..b16d742 --- /dev/null +++ b/democratic-csi/driver-config-file.yaml 
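Review bot: The controller's csi-driver container is started with `--log-level=debug` while the node DaemonSet uses `--log-level=info`; this is the process that loads the driver config holding the DSM password and CHAP secrets, so verbose request/response logging may carry credentials into the cluster log pipeline — confirm what democratic-csi emits at debug, or set `- --log-level=info` to match the node plugin. The node pod also sets `hostIPC: true` alongside `privileged: true` and a bidirectional mount of `/` as host-dir; if these are carried over from the upstream chart defaults rather than needed here, a short comment above `hostIPC` saying so would save the next reviewer from re-deriving it. Both pod specs use `serviceAccount:`, the deprecated alias; `serviceAccountName:` is the current field with the same value.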
@@ -0,0 +1,93 @@ +driver: synology-iscsi +httpConnection: + protocol: https + host: storage0.pyrocufflink.blue + port: 5001 + username: democratic-csi + allowInsecure: true + # should be uniqe across all installs to the same nas + session: "democratic-csi" + serialize: true + +# Choose the DSM volume this driver operates on. The default value is /volume1. +# synology: +# volume: /volume1 + +iscsi: + targetPortal: "server[:port]" + # for multipath + targetPortals: [] # [ "server[:port]", "server[:port]", ... ] + # leave empty to omit usage of -I with iscsiadm + interface: "" + # can be whatever you would like + baseiqn: "iqn.2000-01.com.synology:csi." + + # MUST ensure uniqueness + # full iqn limit is 223 bytes, plan accordingly + namePrefix: "" + nameSuffix: "" + + # documented below are several blocks + # pick the option appropriate for you based on what your backing fs is and desired features + # you do not need to alter dev_attribs under normal circumstances but they may be altered in advanced use-cases + # These options can also be configured per storage-class: + # See https://github.com/democratic-csi/democratic-csi/blob/master/docs/storage-class-parameters.md + lunTemplate: + # can be static value or handlebars template + #description: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}" + + # btrfs thin provisioning + type: "BLUN" + # tpws = Hardware-assisted zeroing + # caw = Hardware-assisted locking + # 3pc = Hardware-assisted data transfer + # tpu = Space reclamation + # can_snapshot = Snapshot + #dev_attribs: + #- dev_attrib: emulate_tpws + # enable: 1 + #- dev_attrib: emulate_caw + # enable: 1 + #- dev_attrib: emulate_3pc + # enable: 1 + #- dev_attrib: emulate_tpu + # enable: 0 + #- dev_attrib: can_snapshot + # enable: 1 + + # btfs thick provisioning + # only zeroing and locking supported + #type: "BLUN_THICK" + # tpws = Hardware-assisted zeroing + # caw = Hardware-assisted locking + #dev_attribs: + #- 
dev_attrib: emulate_tpws + # enable: 1 + #- dev_attrib: emulate_caw + # enable: 1 + + # ext4 thinn provisioning UI sends everything with enabled=0 + #type: "THIN" + + # ext4 thin with advanced legacy features set + # can only alter tpu (all others are set as enabled=1) + #type: "ADV" + #dev_attribs: + #- dev_attrib: emulate_tpu + # enable: 1 + + # ext4 thick + # can only alter caw + #type: "FILE" + #dev_attribs: + #- dev_attrib: emulate_caw + # enable: 1 + + lunSnapshotTemplate: + is_locked: true + # https://kb.synology.com/en-me/DSM/tutorial/What_is_file_system_consistent_snapshot + is_app_consistent: true + + targetTemplate: + auth_type: 0 + max_sessions: 0 diff --git a/democratic-csi/kustomization.yaml b/democratic-csi/kustomization.yaml new file mode 100644 index 0000000..d9dbf34 --- /dev/null +++ b/democratic-csi/kustomization.yaml @@ -0,0 +1,32 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: democratic-csi + +labels: +- pairs: + app.kubernetes.io/instance: csi-synology + +resources: +- namespace.yaml +- rbac.yaml +- democratic-csi.yaml +- secrets.yaml +- storageclass.yaml + +patches: +- patch: | + kind: Deployment + apiVersion: apps/v1 + metadata: + name: csi-synology-democratic-csi-controller + namespace: democratic-csi + spec: + template: + spec: + hostNetwork: true + +images: +- name: docker.io/democraticcsi/democratic-csi + newName: ghcr.io/democratic-csi/democratic-csi + digest: sha256:da41c0c24cbcf67426519b48676175ab3a16e1d3e50847fa06152f5eddf834b1 diff --git a/democratic-csi/namespace.yaml b/democratic-csi/namespace.yaml new file mode 100644 index 0000000..961f7c5 --- /dev/null +++ b/democratic-csi/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: democratic-csi diff --git a/democratic-csi/rbac.yaml b/democratic-csi/rbac.yaml new file mode 100644 index 0000000..6b255a5 --- /dev/null +++ b/democratic-csi/rbac.yaml 
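Review bot: `allowInsecure: true` under httpConnection disables TLS certificate verification for the https session to storage0.pyrocufflink.blue, the same session that sends the democratic-csi account credentials; the SealedSecret template in secrets.yaml repeats the setting, so a comment here recording why the DSM certificate cannot be verified (or a move to a trusted certificate) is worth adding. This file is not listed under resources in kustomization.yaml and still has the literal placeholder `targetPortal: "server[:port]"`, which suggests it is a reference copy of the upstream example rather than a deployed config; a header comment such as `# Reference copy of the upstream example; the live config is rendered from secrets.yaml` would make that explicit, or the file could be dropped. The comment `# should be uniqe across all installs to the same nas` has a typo ("unique").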
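Review bot: The inline patch switches the controller Deployment to `hostNetwork: true`, overriding the explicit `hostNetwork: false` in democratic-csi.yaml, so every container in that pod (attacher, provisioner, csi-driver, csi-proxy) now runs in the node's network namespace and any port they bind is reachable on the node address. If this is required — for example to reach the NAS over the IPv6 target portal used in secrets.yaml — record that reason in a comment on the patch; otherwise the base value is the safer one and the patch can go. Pinning the driver image by digest under images is good; the `:latest` tag left in democratic-csi.yaml is harmless only while this kustomization is the sole consumer.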
@@ -0,0 +1,316 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-synology-democratic-csi-controller-sa + namespace: democratic-csi + labels: + app.kubernetes.io/name: democratic-csi + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-synology-democratic-csi-node-sa + namespace: democratic-csi + labels: + app.kubernetes.io/name: democratic-csi + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-synology-democratic-csi-controller-cr + labels: + app.kubernetes.io/name: democratic-csi +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - create +- apiGroups: + - + resources: + - persistentvolumes + verbs: + - create + - delete + - get + - list + - watch + - update + - patch +- apiGroups: + - + resources: + - secrets + verbs: + - get + - list +- apiGroups: + - + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - + resources: + - persistentvolumeclaims/status + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - update + - patch +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments/status + verbs: + - patch +- apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch +- apiGroups: + - csi.storage.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch + - update + - create +- apiGroups: + - + resources: + - events + verbs: + - list + - watch + - create + - update + - patch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - 
volumesnapshots/status + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotcontents/status + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - storage.k8s.io + resources: + - csinodes + verbs: + - get + - list + - watch +- apiGroups: + - csi.storage.k8s.io + resources: + - csinodeinfos + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - watch + - list + - delete + - update + - create +- apiGroups: + - storage.k8s.io + resources: + - csistoragecapacities + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +- apiGroups: + - + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resources: + - daemonsets + - deployments + - replicasets + - statefulsets + verbs: + - get + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-synology-democratic-csi-node-cr + labels: + app.kubernetes.io/name: democratic-csi +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - create +- apiGroups: + - + resources: + - nodes + verbs: + - get + - list + - watch + - update +- apiGroups: + - + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - update +- apiGroups: + - storage.k8s.io + resources: + - volumeattachments + verbs: + - get + - list + - watch + - update + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-synology-democratic-csi-controller-rb + labels: + 
app.kubernetes.io/name: democratic-csi +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: csi-synology-democratic-csi-controller-cr +subjects: +- kind: ServiceAccount + name: csi-synology-democratic-csi-controller-sa + namespace: democratic-csi + +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: csi-synology-democratic-csi-node-rb + labels: + app.kubernetes.io/name: democratic-csi +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: csi-synology-democratic-csi-node-cr +subjects: +- kind: ServiceAccount + name: csi-synology-democratic-csi-node-sa + namespace: democratic-csi diff --git a/democratic-csi/secrets.yaml b/democratic-csi/secrets.yaml new file mode 100644 index 0000000..1754b73 --- /dev/null +++ b/democratic-csi/secrets.yaml 
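Review bot: The controller ClusterRole grants `get` and `list` on `secrets` across all namespaces; the provisioner only needs `get` on the secrets named in the StorageClass parameters (synology-iscsi-provisioner, synology-iscsi-chap) and the driver-config secret, so `list` can be dropped and, if the upstream chart allows it, the rule moved to a namespaced Role in democratic-csi. Both ClusterRoles also carry `create` on `customresourcedefinitions`; the node plugin in particular has no visible reason to register CRDs, so that rule looks inherited rather than required. The core apiGroup entries are written as a bare `-`, which YAML reads as null rather than the empty string; the API server tolerates it, but `- ""` is the unambiguous form.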
@@ -0,0 +1,69 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: csi-synology-democratic-csi-driver-config + namespace: democratic-csi + labels: &labels + app.kubernetes.io/name: synology-iscsi-driver-config + app.kubernetes.io/component: democratic-csi + app.kubernetes.io/part-of: democratic-csi +spec: + encryptedData: + synology.password: AgC6Ai4YXYUZZ0ve8MwzeWFb5QzLbCunHOhjela/TGCzPr48evXbj6wKKVIailXS2cpD948wQ9tEX5bK3ojlMIuuzjbux0ATpTuSN81JQPbvArINp9kYu/QK2Eg46tEk6f5W1VFVC2yYQySC9+7NLJRg8qk8gGUGUMt11mRcsyJ6iBnzEt+5xwK+adQB0/pHJPGGKKcOJY9ZUCdl+Q930ZvnSvrdZNcFKH1meFww7ujQ0NBV8ABpcJwEjJhfFi3tMBKpIPrYGsSVEmHYciwK2YLyeJ/Ao7GBIBKX5lIQl0aTi40oIsc3BV2ZTmM1a2ZuuQWg33+9/r3FaU6ZdYL84B9S+W6IG893yFH+22fcArxCzjVnb8oftzrl2J/M3UZhtL4vYakHjEVMqCm2hzHjGCAadXD1cs6xiqcl4mA40KbaEojxodZJyzlNBbTi4ZN4cIaIFO8FNYnewSXtYZBIUzgdNe65k9orpmaV+qpK4Q8Cd3uZg4RQwiygBPQE9BGSJ7cBc/dCqxevuZB1F1yOetpPlQgyIN6gixt6xzefPp0VWY1I1TI3kjLSRiRGWUK1NIL4J3TIdcBsuO8OXWh0D2c+n4/dIPX9peCN8COKXMwjBm9AHDZ1ImlnVZrAxzYCTPxtGRtJVp/4pW6aDWXCA7UWPdKroipw9FUAK64knqMoV7QS7c6Kw7cz2ajvAV84O/jNkRc7L20J35z30rSncH7l1/JV0XPOZh0XWE5068TQKQ== + template: + metadata: + name: csi-synology-democratic-csi-driver-config + namespace: democratic-csi + data: + driver-config-file.yaml: | + driver: synology-iscsi + httpConnection: + protocol: https + host: storage0.pyrocufflink.blue + port: 5001 + username: democratic-csi + password: {{ index . "synology.password" }} + allowInsecure: true + session: democratic-csi + serialize: true + iscsi: + targetPortal: '[fd68:c2d2:500e:3ea3:8d42:e33e:264b:7c30]:3260' + baseiqn: iqn.2000-01.com.synology:csi. 
+ lunTemplate: + type: BLUN + targetTemplate: + auth_type: 2 # 0: None; 1: CHAP; 2: Mutual CHAP + max_sessions: 0 # 0: Unlimited + chap: true + mutual_chap: true +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: synology-iscsi-provisioner + namespace: democratic-csi +spec: + encryptedData: + targetTemplate: 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 + template: + metadata: + name: synology-iscsi-provisioner + namespace: democratic-csi + +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: synology-iscsi-chap + namespace: democratic-csi +spec: + encryptedData: + node-db.node.session.auth.password: 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 + node-db.node.session.auth.password_in: 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 + node-db.node.session.auth.username: 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 + node-db.node.session.auth.username_in: AgCT8KR/4GNoDa/TIv6YykoDaGKIP5yXkC/krWFYU5lBMSc3DreECmmow88/5xB4v+5dVt9eE7bJkgPqsUVNXlzDXpSSB/TS2iM/3sAd4ZHzZroTLIf+0QnDC2ZrybokcdmCjkFUgnDzJ9Vs+GqjUjL97LHPbTMc8ONwgiy6YmKLpc11V+JxWqSsKwGPM9ObdmI9rh/IZa19sksh86va3oqjDfElXEwKFkztV1f/NHCsWsuuov/Ku6Lisk5X0JIMKPTUUza0q3tZlJ/NotxNydHef+PA9R648XURQs/xp/hzrdttuMzxo7gT0YEsr8y9h7xlTPlR8we7/igjUMmS+ORRafg5m6PpHWanDxtHafhw9wfmvh0wEgXjC8Sz6Ub3Q9idBlHock60h+uyfsdlP3A2qMjdUXr0dFNBwXcGTaM/n5T18gO05/JSUv7CEdiuSlMnPjYzChAHDSCzxblk8CRDTcSjsSMvVBPjr5L+KQqGj3f6mm3lQnPwzXprS0//SsehRReAvbX5eGfd8Bu8nhRRtgEXvLqQdC7WxbWe0QjwB5ZRHt/4v5N1K8TXo8h6iZ6fcEtTfloMH07TitdwdYQm4uG7dfA7PA9KuqDs+R+phGFGWuzq1cMtp+hOJ6XpFgGyVhYAL/lyl3DddT1o9o7UhDCi4w7nSyxVamwyaGuUsF3lX2TyGVPjdGN1D5dlhRJ8YSPMDWOrZw== + template: + metadata: + name: synology-iscsi-chap + namespace: democratic-csi diff --git a/democratic-csi/storageclass.yaml b/democratic-csi/storageclass.yaml new file mode 100644 index 0000000..309bdd1 --- /dev/null +++ b/democratic-csi/storageclass.yaml 
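Review bot: `password: {{ index . "synology.password" }}` in the driver-config template is unquoted, so after substitution the YAML parser sees the raw secret: a value that looks numeric or boolean, or that contains `: ` or ` #`, is retyped or breaks the document and the driver then fails to authenticate. Quote it in a YAML-safe form, e.g. `password: '{{ index . "synology.password" }}'` when the password is known not to contain a single quote, or confirm whether the sealed-secrets template engine offers a quoting helper. The `&labels` anchor on the first SealedSecret is defined but never aliased and can be removed. The driver-config also repeats `allowInsecure: true`, so the reason for unverified TLS to the NAS belongs in a comment here as well.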
@@ -0,0 +1,11 @@ +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: synology-iscsi +provisioner: org.democratic-csi.iscsi-synology +parameters: + fsType: xfs + csi.storage.k8s.io/provisioner-secret-name: synology-iscsi-provisioner + csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi + csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap + csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi From d909fc056687329ab4d9f627e4533df9a66de6bb Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 6 Sep 2025 23:43:25 -0500 Subject: [PATCH 2/3] democratic-csi: Enable volume snapshot support The _democratic-csi_ controller can create Synology LUN snapshots based on VolumeSnapshot resources. This feature can be used to e.g. create data snapshots before upgrades, etc. --- democratic-csi/democratic-csi.yaml | 32 ++++++++++++++++++++++++++ democratic-csi/secrets.yaml | 4 ++++ democratic-csi/storageclass.yaml | 8 +++++++ snapshot-controller/kustomization.yaml | 8 +++++++ 4 files changed, 52 insertions(+) create mode 100644 snapshot-controller/kustomization.yaml diff --git a/democratic-csi/democratic-csi.yaml b/democratic-csi/democratic-csi.yaml index 3287974..360b539 100644 --- a/democratic-csi/democratic-csi.yaml +++ b/democratic-csi/democratic-csi.yaml 
@@ -270,6 +270,38 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name + # https://github.com/kubernetes-csi/external-snapshotter + # beware upgrading version: + # - https://github.com/rook/rook/issues/4178 + # - https://github.com/kubernetes-csi/external-snapshotter/issues/147#issuecomment-513664310 + - name: external-snapshotter + image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1" + args: + - --v=5 + - --leader-election + - --leader-election-namespace=democratic-csi + - --timeout=90s + - --worker-threads=10 + - --csi-address=/csi-data/csi.sock + volumeMounts: + - mountPath: /csi-data + name: socket-dir + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name - name: csi-driver image: docker.io/democraticcsi/democratic-csi:latest args: diff --git a/democratic-csi/secrets.yaml b/democratic-csi/secrets.yaml index 1754b73..62fbf8f 100644 --- a/democratic-csi/secrets.yaml +++ b/democratic-csi/secrets.yaml @@ -37,6 +37,10 @@ spec: max_sessions: 0 # 0: Unlimited chap: true mutual_chap: true + lunSnapshotTemplate: + is_app_consistent: true + is_locked: true + --- apiVersion: bitnami.com/v1alpha1 kind: SealedSecret diff --git a/democratic-csi/storageclass.yaml b/democratic-csi/storageclass.yaml index 309bdd1..1bf9318 100644 --- a/democratic-csi/storageclass.yaml +++ b/democratic-csi/storageclass.yaml @@ -9,3 +9,11 @@ parameters: csi.storage.k8s.io/provisioner-secret-namespace: democratic-csi csi.storage.k8s.io/node-stage-secret-name: synology-iscsi-chap csi.storage.k8s.io/node-stage-secret-namespace: democratic-csi + +--- +apiVersion: snapshot.storage.k8s.io/v1 +kind: VolumeSnapshotClass +metadata: + name: synology-iscsi +driver: org.democratic-csi.iscsi-synology +deletionPolicy: Delete 
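Review bot: The new external-snapshotter container quotes its image (`image: "registry.k8s.io/sig-storage/csi-snapshotter:v8.2.1"`) while every other image in the file is a plain scalar; the plain form is consistent and carries no typing risk for an image reference. The "beware upgrading version" comment points at issues that predate the v8 snapshotter series, so it may no longer describe a real hazard — either note the version it was written for or drop it. The sidecar is v8.2.1 while snapshot-controller/kustomization.yaml in this series installs the CRDs and controller at v8.3.0; the skew is probably fine, but a comment tying the two versions together would help future upgrades. The same quoting inconsistency applies to the external-resizer image added in the following patch.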
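Review bot: The VolumeSnapshotClass sets `deletionPolicy: Delete`, so removing the VolumeSnapshot object also removes the backing LUN snapshot on the Synology; the commit message describes these snapshots as a safety net before upgrades, where `deletionPolicy: Retain` keeps the NAS-side snapshot if the Kubernetes object is deleted, at the cost of manual cleanup. Whichever is chosen, a one-line comment on the class stating the intended lifetime of the LUN snapshot would make the trade-off visible.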
diff --git a/snapshot-controller/kustomization.yaml b/snapshot-controller/kustomization.yaml new file mode 100644 index 0000000..32bb120 --- /dev/null +++ b/snapshot-controller/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: kube-system + +resources: +- https://github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v8.3.0 +- https://github.com/kubernetes-csi/external-snapshotter//deploy/kubernetes/snapshot-controller?ref=v8.3.0 From 67a1d8d0d53122fce0ebf495d99e2f3901b42d23 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 6 Sep 2025 23:49:53 -0500 Subject: [PATCH 3/3] democratic-csi: Enable volume resize _democratic-csi_ can also dynamically resize Synology iSCSI LUNs when PVC resource requests increase. This requires enabling the external resizer in the controller pod and marking the StorageClass as supporting resize. --- democratic-csi/democratic-csi.yaml | 28 ++++++++++++++++++++++++++++ democratic-csi/storageclass.yaml | 1 + 2 files changed, 29 insertions(+) diff --git a/democratic-csi/democratic-csi.yaml b/democratic-csi/democratic-csi.yaml index 360b539..0580dbf 100644 --- a/democratic-csi/democratic-csi.yaml +++ b/democratic-csi/democratic-csi.yaml 
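Review bot: Both remote bases are pinned with `?ref=v8.3.0`, a git tag that upstream can move, so the rendered manifests are not reproducible over time; pinning `ref=` to the commit that tag resolves to (kustomize accepts a full commit SHA) fixes the supply-chain input. This kustomization is not referenced by any Argo CD Application in the series, so unless one exists outside these patches it will not be deployed automatically — worth confirming, since the VolumeSnapshotClass in democratic-csi/storageclass.yaml depends on its CRDs.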
@@ -270,6 +270,34 @@ spec: fieldRef: apiVersion: v1 fieldPath: metadata.name + - name: external-resizer + image: "registry.k8s.io/sig-storage/csi-resizer:v1.9.0" + args: + - --v=5 + - --leader-election + - --leader-election-namespace=democratic-csi + - --timeout=90s + - --workers=10 + - --csi-address=/csi-data/csi.sock + volumeMounts: + - mountPath: /csi-data + name: socket-dir + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name # https://github.com/kubernetes-csi/external-snapshotter # beware upgrading version: # - https://github.com/rook/rook/issues/4178 diff --git a/democratic-csi/storageclass.yaml b/democratic-csi/storageclass.yaml index 1bf9318..8f4c475 100644 --- a/democratic-csi/storageclass.yaml +++ b/democratic-csi/storageclass.yaml @@ -2,6 +2,7 @@ apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: synology-iscsi +allowVolumeExpansion: true provisioner: org.democratic-csi.iscsi-synology parameters: fsType: xfs