{WIP} Give node permissions secret and remove cloud-config

assets/overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-disk-csi-driver-binding-node
+subjects:
+ - kind: ServiceAccount
+ name: azure-disk-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers
+roleRef:
+ kind: ClusterRole
+ name: azure-disk-csi-driver-node-role
+ apiGroup: rbac.authorization.k8s.io

assets/overlays/azure-disk/base/csi-driver-cluster-role-node.yaml

@@ -0,0 +1,9 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-disk-csi-driver-node-role
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+

assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-binding-node.yaml

@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: azure-disk-csi-driver-binding-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: azure-disk-csi-driver-node-role
+subjects:
+- kind: ServiceAccount
+ name: azure-disk-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers

assets/overlays/azure-disk/generated/hypershift/csi-driver-cluster-role-node.yaml

@@ -0,0 +1,19 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-node.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: azure-disk-csi-driver-node-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch

assets/overlays/azure-disk/generated/hypershift/manifests.yaml

@@ -5,6 +5,8 @@ controllerStaticAssetNames:
 - controller_sa.yaml
 - service.yaml
 guestStaticAssetNames:
+- csi-driver-cluster-role-binding-node.yaml
+- csi-driver-cluster-role-node.yaml
 - csidriver.yaml
 - lease_leader_election_binding.yaml
 - lease_leader_election_role.yaml

assets/overlays/azure-disk/generated/hypershift/node.yaml

@@ -37,11 +37,10 @@ spec:
  - --v=${LOG_LEVEL}
  - --nodeid=$(KUBE_NODE_NAME)
  - --metrics-address=localhost:8206
+ - --get-node-info-from-labels=true
  - --cloud-config-secret-name=""
  - --cloud-config-secret-namespace=""
  env:
- - name: AZURE_CREDENTIAL_FILE
- value: /etc/kubernetes/cloud.conf
  - name: CSI_ENDPOINT
  value: unix:///csi/csi.sock
  - name: KUBE_NODE_NAME
@@ -76,9 +75,6 @@ spec:
  - mountPath: /var/lib/kubelet
  mountPropagation: Bidirectional
  name: kubelet-dir
- - mountPath: /etc/kubernetes/
- name: cloud-config
- readOnly: true
  - mountPath: /dev
  name: device-dir
  - mountPath: /sys/bus/scsi/devices
@@ -145,46 +141,6 @@ spec:
  - mountPath: /csi
  name: socket-dir
  hostNetwork: true
- initContainers:
- - args:
- - --cloud-config-file-path=/etc/cloud-config/config
- - --output-file-path=/etc/merged-cloud-config/cloud.conf
- - --disable-identity-extension-auth
- - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
- command:
- - /azure-config-credentials-injector
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- key: azure_client_id
- name: azure-disk-credentials
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- key: azure_client_secret
- name: azure-disk-credentials
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- key: azure_tenant_id
- name: azure-disk-credentials
- optional: true
- - name: AZURE_FEDERATED_TOKEN_FILE
- valueFrom:
- secretKeyRef:
- key: azure_federated_token_file
- name: azure-disk-credentials
- optional: true
- image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}
- name: azure-inject-credentials
- volumeMounts:
- - mountPath: /etc/cloud-config
- name: src-cloud-config
- readOnly: true
- - mountPath: /etc/merged-cloud-config
- name: cloud-config
  nodeSelector:
  kubernetes.io/os: linux
  priorityClassName: system-node-critical
@@ -216,9 +172,6 @@ spec:
  path: /sys/fs
  type: Directory
  name: sys-fs
- - configMap:
- name: azure-cloud-config
- name: src-cloud-config
  - hostPath:
  path: /sys/bus/scsi/devices
  type: Directory
@@ -227,8 +180,6 @@ spec:
  path: /sys/class/scsi_host/
  type: Directory
  name: scsi-host-dir
- - emptydir: {}
- name: cloud-config
  updateStrategy:
  rollingUpdate:
  maxUnavailable: 10%

assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-binding-node.yaml

@@ -0,0 +1,18 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-binding-node.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: azure-disk-csi-driver-binding-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: azure-disk-csi-driver-node-role
+subjects:
+- kind: ServiceAccount
+ name: azure-disk-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers

assets/overlays/azure-disk/generated/standalone/csi-driver-cluster-role-node.yaml

@@ -0,0 +1,19 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/azure-disk/base/csi-driver-cluster-role-node.yaml
+#
+#
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: azure-disk-csi-driver-node-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch

assets/overlays/azure-disk/generated/standalone/manifests.yaml

@@ -10,6 +10,8 @@ controllerStaticAssetNames:
 - service.yaml
 - servicemonitor.yaml
 guestStaticAssetNames:
+- csi-driver-cluster-role-binding-node.yaml
+- csi-driver-cluster-role-node.yaml
 - csidriver.yaml
 - lease_leader_election_binding.yaml
 - lease_leader_election_role.yaml

assets/overlays/azure-disk/generated/standalone/node.yaml

@@ -37,11 +37,10 @@ spec:
  - --v=${LOG_LEVEL}
  - --nodeid=$(KUBE_NODE_NAME)
  - --metrics-address=localhost:8206
+ - --get-node-info-from-labels=true
  - --cloud-config-secret-name=""
  - --cloud-config-secret-namespace=""
  env:
- - name: AZURE_CREDENTIAL_FILE
- value: /etc/kubernetes/cloud.conf
  - name: CSI_ENDPOINT
  value: unix:///csi/csi.sock
  - name: KUBE_NODE_NAME
@@ -76,9 +75,6 @@ spec:
  - mountPath: /var/lib/kubelet
  mountPropagation: Bidirectional
  name: kubelet-dir
- - mountPath: /etc/kubernetes/
- name: cloud-config
- readOnly: true
  - mountPath: /dev
  name: device-dir
  - mountPath: /sys/bus/scsi/devices
@@ -145,46 +141,6 @@ spec:
  - mountPath: /csi
  name: socket-dir
  hostNetwork: true
- initContainers:
- - args:
- - --cloud-config-file-path=/etc/cloud-config/config
- - --output-file-path=/etc/merged-cloud-config/cloud.conf
- - --disable-identity-extension-auth
- - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
- command:
- - /azure-config-credentials-injector
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- key: azure_client_id
- name: azure-disk-credentials
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- key: azure_client_secret
- name: azure-disk-credentials
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- key: azure_tenant_id
- name: azure-disk-credentials
- optional: true
- - name: AZURE_FEDERATED_TOKEN_FILE
- valueFrom:
- secretKeyRef:
- key: azure_federated_token_file
- name: azure-disk-credentials
- optional: true
- image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}
- name: azure-inject-credentials
- volumeMounts:
- - mountPath: /etc/cloud-config
- name: src-cloud-config
- readOnly: true
- - mountPath: /etc/merged-cloud-config
- name: cloud-config
  nodeSelector:
  kubernetes.io/os: linux
  priorityClassName: system-node-critical
@@ -216,9 +172,6 @@ spec:
  path: /sys/fs
  type: Directory
  name: sys-fs
- - configMap:
- name: azure-cloud-config
- name: src-cloud-config
  - hostPath:
  path: /sys/bus/scsi/devices
  type: Directory
@@ -227,8 +180,6 @@ spec:
  path: /sys/class/scsi_host/
  type: Directory
  name: scsi-host-dir
- - emptydir: {}
- name: cloud-config
  updateStrategy:
  rollingUpdate:
  maxUnavailable: 10%

assets/overlays/azure-disk/patches/node_add_driver.yaml

@@ -23,11 +23,10 @@ spec:
  # network. We don't scrape metrics on node
  - --metrics-address=localhost:8206
  # Use credentials provided by the azure-inject-credentials container
+ - --get-node-info-from-labels=true
  - --cloud-config-secret-name=""
  - --cloud-config-secret-namespace=""
  env:
- - name: AZURE_CREDENTIAL_FILE
- value: "/etc/kubernetes/cloud.conf"
  - name: CSI_ENDPOINT
  value: unix:///csi/csi.sock
  - name: KUBE_NODE_NAME
@@ -58,9 +57,6 @@ spec:
  - mountPath: /var/lib/kubelet
  mountPropagation: Bidirectional
  name: kubelet-dir
- - mountPath: /etc/kubernetes/
- readOnly: true
- name: cloud-config
  - mountPath: /dev
  name: device-dir
  - mountPath: /sys/bus/scsi/devices
@@ -71,52 +67,7 @@ spec:
  name: etc-selinux
  - mountPath: /sys/fs
  name: sys-fs
- initContainers:
- # Merge /etc/kubernetes/cloud.conf (on the host) with secret "azure-disk-credentials" into "merged-cloud-config" emptydir.
- - name: azure-inject-credentials
- image: ${CLUSTER_CLOUD_CONTROLLER_MANAGER_OPERATOR_IMAGE}
- command:
- - /azure-config-credentials-injector
- args:
- - --cloud-config-file-path=/etc/cloud-config/config
- - --output-file-path=/etc/merged-cloud-config/cloud.conf
- # Force disable node's managed identity, azure-disk-credentials Secret should be used.
- - --disable-identity-extension-auth
- - --enable-azure-workload-identity=${ENABLE_AZURE_WORKLOAD_IDENTITY}
- env:
- - name: AZURE_CLIENT_ID
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_client_id
- - name: AZURE_CLIENT_SECRET
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_client_secret
- optional: true
- - name: AZURE_TENANT_ID
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_tenant_id
- optional: true
- - name: AZURE_FEDERATED_TOKEN_FILE
- valueFrom:
- secretKeyRef:
- name: azure-disk-credentials
- key: azure_federated_token_file
- optional: true
- volumeMounts:
- - name: src-cloud-config
- mountPath: /etc/cloud-config
- readOnly: true
- - name: cloud-config
- mountPath: /etc/merged-cloud-config
  volumes:
- - name: src-cloud-config
- configMap:
- name: azure-cloud-config
  - hostPath:
  path: /sys/bus/scsi/devices
  type: Directory
@@ -125,6 +76,5 @@ spec:
  path: /sys/class/scsi_host/
  type: Directory
  name: scsi-host-dir
- - emptydir: {}
- name: cloud-config
+
 

assets/overlays/azure-file/base/csi-driver-cluster-role-binding-node.yaml

@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: azure-file-csi-driver-binding-node
+subjects:
+ - kind: ServiceAccount
+ name: azure-file-csi-driver-node-sa
+ namespace: openshift-cluster-csi-drivers
+roleRef:
+ kind: ClusterRole
+ name: azure-file-csi-driver-node-role
+ apiGroup: rbac.authorization.k8s.io