diff --git a/cluster/examples/kubernetes/ceph/pv-migrator/migrator.yaml b/cluster/examples/kubernetes/ceph/pv-migrator/migrator.yaml new file mode 100644 index 0000000000000..1c55d86c5f1bc --- /dev/null +++ b/cluster/examples/kubernetes/ceph/pv-migrator/migrator.yaml @@ -0,0 +1,154 @@ +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rook-ceph-migrator +rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list"] + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["get", "list", "watch", "create", "delete", "update", "patch"] + - apiGroups: [""] + resources: ["persistentvolumeclaims"] + verbs: ["get", "list", "watch", "update", "delete", "create", "patch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rook-ceph-migrator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: rook-ceph-migrator +subjects: + - kind: ServiceAccount + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +# imagePullSecrets: +# - name: my-registry-secret +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: ["ceph.rook.io"] + resources: ["cephclusters", "cephclusters/finalizers"] + verbs: ["get", "list", "create", "update", "delete"] +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: rook-ceph-migrator +subjects: + - kind: ServiceAccount + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: rook-ceph-migrator-psp + namespace: rook-ceph # namespace:cluster +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp:rook +subjects: + - kind: ServiceAccount + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster +--- +# source https://github.com/rook/rook + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rook-ceph-migrator + namespace: rook-ceph # namespace:cluster + labels: + app: rook-ceph-migrator +spec: + replicas: 1 + selector: + matchLabels: + app: rook-ceph-migrator + template: + metadata: + labels: + app: rook-ceph-migrator + spec: + serviceAccountName: rook-ceph-migrator # only this field was newly added + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: rook-ceph-migrator + image: rook/ceph:v1.7.x + command: ["/tini"] + args: ["-g", "--", "/usr/local/bin/toolbox.sh"] + imagePullPolicy: IfNotPresent + env: + - name: ROOK_CEPH_USERNAME + valueFrom: + secretKeyRef: + name: rook-ceph-mon + key: ceph-username + - name: ROOK_CEPH_SECRET + valueFrom: + secretKeyRef: + name: rook-ceph-mon + key: ceph-secret + volumeMounts: + - mountPath: /etc/ceph + name: ceph-config + - name: mon-endpoint-volume + mountPath: /etc/rook + volumes: + - name: mon-endpoint-volume + configMap: + name: rook-ceph-mon-endpoints + items: + - key: data + path: mon-endpoints + - name: ceph-config + emptyDir: {} + tolerations: + - key: "node.kubernetes.io/unreachable" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 5