From 4f914d304839008a2c231003ea52d8ae4ae1c0e9 Mon Sep 17 00:00:00 2001
From: Eryu Guan
Date: Wed, 3 Jan 2024 23:46:34 +0800
Subject: [PATCH] WIP: Add controller and rbac yaml for CacheFSRuntime
Fixes: #3674
Signed-off-by: Eryu Guan
---
.../controller/cachefsruntime_controller.yaml | 86 ++++++++++
.../fluid/templates/role/cachefs/rbac.yaml | 152 ++++++++++++++++++
.../fluid/fluid/templates/role/csi/rbac.yaml | 4 +-
.../fluid/templates/role/dataset/rbac.yaml | 2 +
.../fluid/fluid/templates/role/thin/rbac.yaml | 1 +
.../fluid/templates/role/webhook/rabc.yaml | 1 +
charts/fluid/fluid/values.yaml | 12 +-
7 files changed, 256 insertions(+), 2 deletions(-)
create mode 100644 charts/fluid/fluid/templates/controller/cachefsruntime_controller.yaml
create mode 100644 charts/fluid/fluid/templates/role/cachefs/rbac.yaml
diff --git a/charts/fluid/fluid/templates/controller/cachefsruntime_controller.yaml b/charts/fluid/fluid/templates/controller/cachefsruntime_controller.yaml
new file mode 100644
index 00000000000..dcbf7f7bf5d
--- /dev/null
+++ b/charts/fluid/fluid/templates/controller/cachefsruntime_controller.yaml
@@ -0,0 +1,86 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cachefsruntime-controller
+ namespace: {{ include "fluid.namespace" . }}
+ labels:
+ control-plane: cachefsruntime-controller
+spec:
+ selector:
+ matchLabels:
+ control-plane: cachefsruntime-controller
+ {{ if .Values.runtime.cachefs.enabled -}}
+ replicas: {{ .Values.runtime.cachefs.replicas }}
+ {{- else }}
+ replicas: 0
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ control-plane: cachefsruntime-controller
+ annotations:
+ {{ if gt (.Values.runtime.cachefs.replicas | int) 1 -}}
+ controller.runtime.fluid.io/replicas: {{ .Values.runtime.cachefs.replicas | quote }}
+ {{- end }}
+ spec:
+ {{- with .Values.image.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: cachefsruntime-controller
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: type
+ operator: NotIn
+ values:
+ - virtual-kubelet
+ {{- if .Values.runtime.cachefs.tolerations }}
+ tolerations:
+{{ toYaml .Values.runtime.cachefs.tolerations | indent 6 }}
+ {{- end }}
+ #hostNetwork: true
+ containers:
+ - image: "{{ .Values.runtime.cachefs.controller.image }}"
+ name: manager
+ args:
+ - --development=false
+ - --pprof-addr=:6060
+ - --enable-leader-election
+ - --runtime-workers={{ .Values.runtime.cachefs.runtimeWorkers }}
+ - --leader-election-namespace={{ include "fluid.namespace" . }}
+ command: ["cachefsruntime-controller", "start"]
+ env:
+ {{- if .Values.runtime.cachefs.fuse.image }}
+ - name: CACHEFS_IMAGE_ENV
+ value: {{ .Values.runtime.cachefs.fuse.image | quote }}
+ {{- end }}
+ {{- if .Values.runtime.mountRoot }}
+ - name: MOUNT_ROOT
+ value: {{ .Values.runtime.mountRoot | quote }}
+ {{- end }}
+ {{- if .Values.runtime.criticalFusePod }}
+ - name: CRITICAL_FUSE_POD
+ value: {{ ternary "true" "false" (semverCompare ">=1.16.0-0" .Capabilities.KubeVersion.Version) | quote }}
+ {{- end }}
+ {{- if .Values.runtime.syncRetryDuration }}
+ - name: FLUID_SYNC_RETRY_DURATION
+ value: {{ .Values.runtime.syncRetryDuration | quote }}
+ {{- end }}
+ - name: HELM_DRIVER
+ value: {{ template "fluid.helmDriver" . }}
+ ports:
+ - containerPort: 8080
+ name: metrics
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 100m
+ memory: 1536Mi
+ requests:
+ cpu: 100m
+ memory: 200Mi
+ terminationGracePeriodSeconds: 10
diff --git a/charts/fluid/fluid/templates/role/cachefs/rbac.yaml b/charts/fluid/fluid/templates/role/cachefs/rbac.yaml
new file mode 100644
index 00000000000..e2ae9ce7827
--- /dev/null
+++ b/charts/fluid/fluid/templates/role/cachefs/rbac.yaml
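Review bot: The manager container in cachefsruntime_controller.yaml is started with `--pprof-addr=:6060`, which listens on every pod interface, so what is presumably the Go profiling endpoint would be reachable by anything that can reach the pod IP. Profiles and goroutine dumps can disclose internal state, so I would bind the listener to loopback, `- --pprof-addr=127.0.0.1:6060` (assuming the flag takes an ordinary listen address), or gate it behind a chart value that defaults to off. The container also carries no `securityContext`; adding one with `allowPrivilegeEscalation: false` and dropped capabilities is worth considering if the controller runs without them, which the page does not show. `HELM_DRIVER` is the only env value rendered without quoting; `value: {{ include "fluid.helmDriver" . | quote }}` would match the other entries.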
@@ -0,0 +1,152 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cachefsruntime-controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - persistentvolumes
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - create
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+ - get
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- template "fluid.helmDriver.rbacs" . }}
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - list
+ - watch
+ - get
+ - apiGroups:
+ - data.fluid.io
+ resources:
+ - cachefsruntimes
+ - datasets
+ - cachefsruntimes/status
+ - datasets/status
+ verbs:
+ - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - list
+ - get
+ - delete
+ - apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ - rolebindings
+ verbs:
+ - create
+ - list
+ - get
+ - delete
+ - apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - statefulsets
+ - daemonsets/status
+ - statefulsets/status
+ verbs:
+ - '*'
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cachefsruntime-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cachefsruntime-controller
+subjects:
+ - kind: ServiceAccount
+ name: cachefsruntime-controller
+ namespace: {{ include
"fluid.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cachefsruntime-controller + namespace: {{ include "fluid.namespace" . }} diff --git a/charts/fluid/fluid/templates/role/csi/rbac.yaml b/charts/fluid/fluid/templates/role/csi/rbac.yaml index a37774f7466..a0feaa84e2b 100644 --- a/charts/fluid/fluid/templates/role/csi/rbac.yaml +++ b/charts/fluid/fluid/templates/role/csi/rbac.yaml @@ -20,6 +20,7 @@ rules: - efcruntimes - datasets - vineyardruntimes + - cachefsruntimes - alluxioruntimes/status - jindoruntimes/status - goosefsruntimes/status @@ -28,6 +29,7 @@ rules: - efcruntimes/status - datasets/status - vineyardruntimes/status + - cachefsruntimes/status verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["persistentvolumes"] @@ -56,4 +58,4 @@ subjects: roleRef: kind: ClusterRole name: fluid-csi-plugin - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io diff --git a/charts/fluid/fluid/templates/role/dataset/rbac.yaml b/charts/fluid/fluid/templates/role/dataset/rbac.yaml index b72375c7c0b..25c1228390f 100644 --- a/charts/fluid/fluid/templates/role/dataset/rbac.yaml +++ b/charts/fluid/fluid/templates/role/dataset/rbac.yaml @@ -95,6 +95,8 @@ rules: - efcruntimes/status - vineyardruntimes - vineyardruntimes/status + - cachefsruntimes + - cachefsruntimes/status verbs: - '*' - apiGroups: diff --git a/charts/fluid/fluid/templates/role/thin/rbac.yaml b/charts/fluid/fluid/templates/role/thin/rbac.yaml index 46d7a1e60f7..1b70d7f0dde 100644 --- a/charts/fluid/fluid/templates/role/thin/rbac.yaml +++ b/charts/fluid/fluid/templates/role/thin/rbac.yaml @@ -101,6 +101,7 @@ rules: - thinruntimes/status - thinruntimeprofiles/status - datasets/status + - cachefsruntimes verbs: - '*' - apiGroups: diff --git a/charts/fluid/fluid/templates/role/webhook/rabc.yaml b/charts/fluid/fluid/templates/role/webhook/rabc.yaml index 9c56c036341..c42907203f3 100644 
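Review bot: The new `cachefsruntime-controller` ClusterRole in role/cachefs/rbac.yaml is bound cluster-wide and combines `create` on `pods/exec`, create/delete on `roles`, `rolebindings` and `serviceaccounts`, `patch` on `nodes`, and wildcard verbs on daemonsets, statefulsets and leases, so a compromised controller pod or leaked service-account token would reach well beyond CacheFS workloads. I would replace each `'*'` with the verbs the controller actually uses, for example `verbs: [get, list, watch, create, update, patch, delete]`, and add a short comment above the `pods/exec` and `roles`/`rolebindings` rules stating why each is required. The role, binding and service account are also rendered when `runtime.cachefs.enabled` is false, which leaves a standing grant for a controller scaled to zero. Wrapping the file in `{{- if .Values.runtime.cachefs.enabled }}` … `{{- end }}` would avoid that, provided nothing else in the chart relies on these objects existing.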
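Review bot: In role/thin/rbac.yaml the added `cachefsruntimes` entry lands in a rule whose verbs are `'*'`, which gives the thin runtime controller full write access to another runtime's custom resource; the other resources visible in this rule are thin-specific or datasets. If the thin controller only needs to look the resource up, a separate read-only rule such as `verbs: [get, list, watch]` would be tighter. The rule starts above the hunk, so its apiGroups and any other runtimes it lists are not visible here. The dataset role in this commit adds `cachefsruntimes/status` next to the resource while this hunk does not, which may or may not be intended.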
--- a/charts/fluid/fluid/templates/role/webhook/rabc.yaml +++ b/charts/fluid/fluid/templates/role/webhook/rabc.yaml @@ -65,6 +65,7 @@ rules: - thinruntimes - efcruntimes - vineyardruntimes + - cachefsruntimes verbs: - get - list diff --git a/charts/fluid/fluid/values.yaml b/charts/fluid/fluid/values.yaml index 68583501762..cd4398ee9d1 100644 --- a/charts/fluid/fluid/values.yaml +++ b/charts/fluid/fluid/values.yaml @@ -41,7 +41,7 @@ csi: kubeConfigFile: /etc/kubernetes/kubelet.conf certDir: /var/lib/kubelet/pki rootDir: /var/lib/kubelet - pruneFs: fuse.alluxio-fuse,fuse.jindofs-fuse,fuse.juicefs,fuse.goosefs-fuse,ossfs,alifuse.aliyun-alinas-efc + pruneFs: fuse.alluxio-fuse,fuse.jindofs-fuse,fuse.juicefs,fuse.goosefs-fuse,ossfs,alifuse.aliyun-alinas-efc,fuse.cachefs recoverWarningThreshold: 50 # default method is "bindMount", "symlink" is also support # Notice: if use nodePublishMethod symlink, fuse recovery is not support @@ -148,6 +148,16 @@ runtime: controller: image: fluidcloudnative/vineyardruntime-controller:v1.0.0-5206a2b imagePullPolicy: Always + cachefs: + replicas: 1 + tolerations: + - operator: Exists + enabled: false + runtimeWorkers: 3 + controller: + image: fluidcloudnative/cachefsruntime-controller:v1.0.0-TODO + fuse: + image: kangaroo-registry.cn-hangzhou.cr.aliyuncs.com/storage/cachefs:1.0.5-2.1 webhook: enabled: true
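Review bot: Both image references added under `runtime.cachefs` in values.yaml are mutable tags, and the controller tag is still the placeholder `v1.0.0-TODO`; the fuse image also comes from a different registry than the `fluidcloudnative` repository used by the neighbouring controller image. Once real images exist, pinning them by digest in the form `image: <repository>@sha256:<digest>` (placeholder) would make the deployed content reproducible and harder to swap silently. Separately, `tolerations: - operator: Exists` tolerates every taint, including control-plane and `NoExecute` taints, so the controller can be scheduled onto nodes that are normally reserved; a narrower list or an empty default would be safer unless the other runtimes in this file use the same setting deliberately. The `runtime:` block starts above the hunk, so that comparison cannot be made from here.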