This repository contains the implementation for the CSI-Addons specification that can be used with Kubernetes. As such, this project is part of the Container Storage Interface Addons community.
The CSI API is tightly integrated with Kubernetes. In order to extend the interface, a new CSI-Addons Controller is needed. The CSI-Addons Controller will watch for Kubernetes events (CRs) and relay operations initiated by the user to the CSI-driver.
.------.   CR  .------------.
| User |-------| CSI-Addons |
'------'       | Controller |
               '------------'
                      |
                      | gRPC
                      |
            .---------+------------------------------.
            |         |                              |
            |  .------------.        .------------.  |
            |  | CSI-Addons |  gRPC  |    CSI     |  |
            |  |  side-car  |--------| Controller |  |
            |  '------------'        | NodePlugin |  |
            |                        '------------'  |
            | CSI-driver Pod                         |
            '----------------------------------------'
A CSI-Addons side-car will be running in the CSI-driver (provisioner and node-plugin) Pods. The side-car calls gRPC procedures for CSI-Addons operations.
The CSI-driver side-car is located with the CSI-Controller (provisioner) and the CSI-nodeplugin containers. The side-car registers itself by creating a CSIAddonsNode CR that the CSI-Addons Controller can use to connect to the side-car and execute operations.
When deploying the side-car, set the enable-auth flag to true.
The side-car generates self-signed certificates.
It checks for a valid Bearer token in the request headers and performs a token review.
The side-car must be deployed with TokenReview create and get access for the associated ServiceAccount.
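The Bearer token check and token review described above, as an added Go example that is not the project's own code: it takes the token from gRPC-style request metadata and submits it to the Kubernetes TokenReview API. The `Authenticate` helper, its parameters and the use of plain `net/http` rather than a Kubernetes client library are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
)

// Authenticate is a hypothetical helper (not from the project): it validates the Bearer token in
// gRPC-style metadata via a TokenReview, using the side-car's own ServiceAccount token (saToken).
func Authenticate(c *http.Client, apiURL, saToken string, md map[string][]string) (string, error) {
	vals := md["authorization"] // gRPC metadata keys are lower-case
	if len(vals) != 1 || !strings.HasPrefix(vals[0], "Bearer ") || vals[0] == "Bearer " {
		return "", errors.New("missing or malformed Bearer token")
	}
	body, _ := json.Marshal(map[string]interface{}{
		"apiVersion": "authentication.k8s.io/v1",
		"kind":       "TokenReview",
		"spec":       map[string]string{"token": strings.TrimPrefix(vals[0], "Bearer ")},
	})
	req, err := http.NewRequest(http.MethodPost,
		apiURL+"/apis/authentication.k8s.io/v1/tokenreviews", bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", "Bearer "+saToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // a 403 here means the TokenReview RBAC is missing
		return "", errors.New("token review call failed: " + resp.Status)
	}
	var out struct {
		Status struct {
			Authenticated bool                                      `json:"authenticated"`
			User          struct{ Username string `json:"username"` } `json:"user"`
		} `json:"status"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || !out.Status.Authenticated {
		return "", errors.New("token was not authenticated")
	}
	return out.Status.User.Username, nil
}

func main() {}
```

The check fails closed: a missing header, a non-Bearer scheme, a denied review call and an unauthenticated result all return an error.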
The csi-addons executable can be used to call CSI-Addons operations against a CSI-driver. It is included in the side-car container image, so that manual execution by admins and (automated) testing can easily be done.
See the csi-addons tool documentation for more details.
The CSI-Addons Controller handles the requests from users to initiate an operation. Users create a CR that the controller inspects; the controller then forwards a request to one or more CSI-Addons side-cars for execution.
By listing the CSIAddonsNode CRs, the CSI-Addons Controller knows how to connect to the side-cars. By checking the supported capabilities of the side-cars, it can decide where to execute operations that the user requested.
When deploying the manager, set the enable-auth flag to true.
This uses TLS for the transport layer and adds a Bearer token to the request headers.
Refer to the installation guide for more details.
The Contribution Guidelines contain details on the process to contribute to this project. For feature enhancements, or questions about particular features or design choices, there is a mailing list. All regular contributors are encouraged to subscribe to the list and participate in the discussions.
Subscribing can be done through the mailman web interface or by sending an email to [email protected] with subject subscribe.