Merge pull request #9 from DrFaust92/r/update

Add rbac + update image
DrFaust92 · May 16, 2021 · 73e5961 · 73e5961
2 parents 755da22 + 9894707
commit 73e5961
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -35,14 +35,19 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [kubernetes_cluster_role.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.provisioner](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_csi_driver.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/csi_driver) | resource |
 | [kubernetes_daemonset.efs](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/daemonset) | resource |
+| [kubernetes_service_account.csi_driver](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service_account) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_annotations"></a> [annotations](#input\_annotations) | Optional annotations to add to EFS CSI driver resources | `map(string)` | `{}` | no |
+| <a name="input_csi_controller_tolerations"></a> [csi\_controller\_tolerations](#input\_csi\_controller\_tolerations) | CSI driver controller tolerations | `list(map(string))` | `[]` | no |
+| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level for the CSI Driver controller | `number` | `5` | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Namespace for EFS CSI driver resources | `string` | `"kube-system"` | no |
 
 ## Outputs

diff --git a/daemonset.tf b/daemonset.tf
@@ -32,12 +32,23 @@ resource "kubernetes_daemonset" "efs" {
           operator = "Exists"
         }
 
+        dynamic "toleration" {
+          for_each = var.csi_controller_tolerations
+          content {
+            key                = lookup(toleration.value, "key", null)
+            operator           = lookup(toleration.value, "operator", null)
+            effect             = lookup(toleration.value, "effect", null)
+            value              = lookup(toleration.value, "value", null)
+            toleration_seconds = lookup(toleration.value, "toleration_seconds", null)
+          }
+        }
+
         container {
           name              = "efs-plugin"
-          image             = "amazon/aws-efs-csi-driver:v1.0.0"
+          image             = "amazon/aws-efs-csi-driver:v1.2.0"
           image_pull_policy = "IfNotPresent"
 
-          args = ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--v=5"]
+          args = ["--endpoint=$(CSI_ENDPOINT)", "--logtostderr", "--v=${tostring(var.log_level)}"]
 
           env {
             name  = "CSI_ENDPOINT"
@@ -83,6 +94,18 @@ resource "kubernetes_daemonset" "efs" {
             failure_threshold     = 5
           }
 
+          readiness_probe {
+            http_get {
+              path = "/healthz"
+              port = "healthz"
+            }
+
+            initial_delay_seconds = 10
+            timeout_seconds       = 3
+            period_seconds        = 2
+            failure_threshold     = 5
+          }
+
           security_context {
             privileged = true
           }

diff --git a/rbac.tf b/rbac.tf
@@ -0,0 +1,73 @@
+resource "kubernetes_service_account" "csi_driver" {
+  metadata {
+    name      = local.name
+    namespace = var.namespace
+  }
+  automount_service_account_token = true
+}
+
+resource "kubernetes_cluster_role" "provisioner" {
+  metadata {
+    name = "efs-csi-external-provisioner-role"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["persistentvolumes"]
+    verbs      = ["get", "list", "watch", "create", "delete"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["persistentvolumeclaims"]
+    verbs      = ["get", "list", "watch", "update"]
+  }
+
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["storageclasses"]
+    verbs      = ["list", "watch", "create"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["events"]
+    verbs      = ["list", "watch", "create"]
+  }
+
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["csinodes"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["nodes"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["coordination.k8s.io"]
+    resources  = ["leases"]
+    verbs      = ["get", "watch", "list", "delete", "update", "create"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "provisioner" {
+  metadata {
+    name = "efs-csi-provisioner-binding"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = kubernetes_cluster_role.provisioner.metadata[0].name
+  }
+
+  subject {
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account.csi_driver.metadata[0].name
+    namespace = kubernetes_service_account.csi_driver.metadata[0].namespace
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -8,4 +8,16 @@ variable "annotations" {
   description = "Optional annotations to add to EFS CSI driver resources"
   type        = map(string)
   default     = {}
+}
+
+variable "csi_controller_tolerations" {
+  description = "CSI driver controller tolerations"
+  type        = list(map(string))
+  default     = []
+}
+
+variable "log_level" {
+  description = "The log level for the CSI Driver controller"
+  default     = 5
+  type        = number
 }