support mountpod|serverless mountpod|sidecar mode (#195)

* support mountpod|serverless mountpod|sidecar mode

Signed-off-by: Xuhui zhang <xuhui@juicedata.io>

* bump chart version

Signed-off-by: Xuhui zhang <xuhui@juicedata.io>

* update

Signed-off-by: Xuhui zhang <xuhui@juicedata.io>

---------

Signed-off-by: Xuhui zhang <xuhui@juicedata.io>

Author: zxh326

charts/juicefs-csi-driver/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: juicefs-csi-driver
 description: A Helm chart for JuiceFS CSI Driver
 type: application
-version: 0.30.1
+version: 0.30.2
 appVersion: 0.30.1
 kubeVersion: ">=1.14.0-0"
 home: https://github.com/juicedata/juicefs-csi-driver

charts/juicefs-csi-driver/templates/controller.yaml

@@ -70,7 +70,7 @@ spec:
         {{- if hasKey .Values.controller "cacheClientConf" }}
         - --cache-client-conf={{ .Values.controller.cacheClientConf }}
         {{- end }}
-        {{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled)  (eq .Values.mountMode "serverless") }}
+        {{- if or (contains "sidecar" .Values.mountMode) (.Values.validatingWebhook.enabled)  (contains "serverless" .Values.mountMode) }}
         - --webhook=true
         {{- end }}
         {{- if .Values.validatingWebhook.enabled }}
@@ -154,7 +154,7 @@ spec:
             add:
             - SYS_ADMIN
           runAsNonRoot: false
-          {{- if ne .Values.mountMode "serverless" }}
+          {{- if not (contains "serverless" .Values.mountMode) }}
           allowPrivilegeEscalation: true
           privileged: true
           {{- end }}
@@ -163,17 +163,17 @@ spec:
           name: socket-dir
         {{- if ne .Values.mountMode "process" }}
         - mountPath: /jfs
-          {{- if ne .Values.mountMode "serverless" }}
+          {{- if not (contains "serverless" .Values.mountMode) }}
           mountPropagation: Bidirectional
           {{- end }}
           name: jfs-dir
         - mountPath: /root/.juicefs
-          {{- if ne .Values.mountMode "serverless" }}
+          {{- if not (contains "serverless" .Values.mountMode) }}
           mountPropagation: Bidirectional
           {{- end }}
           name: jfs-root-dir
         {{- end }}
-        {{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled) (eq .Values.mountMode "serverless") }}
+        {{- if or (contains "sidecar" .Values.mountMode) (.Values.validatingWebhook.enabled) (contains "serverless" .Values.mountMode) }}
         - name: webhook-certs
           mountPath: /etc/webhook/certs
           readOnly: true
@@ -274,13 +274,13 @@ spec:
           path: {{ .Values.jfsConfigDir }}
           type: DirectoryOrCreate
         name: jfs-root-dir
-      {{- else if eq .Values.mountMode "serverless" }}
+      {{- else if contains "serverless" .Values.mountMode }}
       - emptyDir: {}
         name: jfs-dir
       - emptyDir: {}
         name: jfs-root-dir
       {{- end }}
-      {{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled)  (eq .Values.mountMode "serverless")}}
+      {{- if or (contains "sidecar" .Values.mountMode) (.Values.validatingWebhook.enabled)  (contains "serverless" .Values.mountMode) }}
       - name: webhook-certs
         secret:
           secretName: {{ template "juicefs-csi.webhook.secret" . }}

charts/juicefs-csi-driver/templates/daemonset.yaml

@@ -82,7 +82,7 @@ spec:
         {{- if .Values.node.debug }}
         - --v=1
         {{- end }}
-        {{- if eq .Values.mountMode "mountpod" }}
+        {{- if contains "mountpod" .Values.mountMode }}
         - --enable-manager=true
         {{- end }}
         {{- if eq .Values.mountMode "process" }}

charts/juicefs-csi-driver/templates/secret.yaml

@@ -1,6 +1,6 @@
 {{- $certEnabled := .Values.webhook.certManager.enabled }}
 
-{{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled)  (eq .Values.mountMode "serverless") }}
+{{- if or (contains "sidecar" .Values.mountMode) (.Values.validatingWebhook.enabled)  (contains "serverless" .Values.mountMode) }}
 {{- if not $certEnabled }}
 kind: Secret
 apiVersion: v1

charts/juicefs-csi-driver/templates/service.yaml

@@ -21,7 +21,7 @@ spec:
     {{- include "juicefs-csi.selectorLabels" . | nindent 4 }}
 {{- end }}
 
-{{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled) (eq .Values.mountMode "serverless") }}
+{{- if or (contains "sidecar" .Values.mountMode) (.Values.validatingWebhook.enabled) (contains "serverless" .Values.mountMode) }}
 ---
 apiVersion: v1
 kind: Service

charts/juicefs-csi-driver/templates/serviceaccount.yaml

@@ -154,7 +154,7 @@ rules:
     - update
     - create
 {{- end }}
-{{- if or (eq .Values.mountMode "sidecar") (eq .Values.mountMode "serverless") }}
+{{- if or (contains "sidecar" .Values.mountMode) (contains "serverless" .Values.mountMode) }}
 - apiGroups:
     - ""
   resources:

charts/juicefs-csi-driver/templates/webhook.yaml

@@ -5,7 +5,7 @@
 {{- $keyPEM := include "webhook.keyPEM" . -}}
 {{- $timeoutSeconds := .Values.webhook.timeoutSeconds }}
 
-{{- if eq .Values.mountMode "sidecar" }}
+{{- if contains "sidecar" .Values.mountMode }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -36,12 +36,23 @@ webhooks:
     failurePolicy: {{ $.Values.webhook.FailurePolicy }}
     sideEffects: None
     admissionReviewVersions: ["v1","v1beta1"]
+    {{- if .Values.webhook.selector }}
+    {{- if .Values.webhook.selector.objectSelector }}
+    objectSelector:
+    {{- toYaml .Values.webhook.selector.objectSelector | nindent 6  }}
+    {{- end }}
+    {{- if .Values.webhook.selector.namespaceSelector }}
+    namespaceSelector:
+    {{- toYaml .Values.webhook.selector.namespaceSelector | nindent 6  }}
+    {{- end }}
+    {{- else }}
     namespaceSelector:
       matchLabels:
         juicefs.com/enable-injection: "true"
+    {{- end }}
 {{- end }}
 
-{{- if eq .Values.mountMode "serverless" }}
+{{- if contains "serverless" .Values.mountMode }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
@@ -72,9 +83,20 @@ webhooks:
     failurePolicy: {{ $.Values.webhook.FailurePolicy }}
     sideEffects: None
     admissionReviewVersions: ["v1","v1beta1"]
+    {{- if .Values.webhook.selector }}
+    {{- if .Values.webhook.selector.objectSelector }}
+    objectSelector:
+    {{- toYaml .Values.webhook.selector.objectSelector | nindent 6  }}
+    {{- end }}
+    {{- if .Values.webhook.selector.namespaceSelector }}
+    namespaceSelector:
+    {{- toYaml .Values.webhook.selector.namespaceSelector | nindent 6  }}
+    {{- end }}
+    {{- else }}
     namespaceSelector:
       matchLabels:
         juicefs.com/enable-serverless-injection: "true"
+    {{- end }}
 {{- end }}
 
 {{- if .Values.validatingWebhook.enabled -}}
@@ -197,7 +219,7 @@ webhooks:
 {{- end }}
 {{- end }}
 
-{{- if or (eq .Values.mountMode "sidecar") (.Values.validatingWebhook.enabled) }}
+{{- if or (contains "sidecar" .Values.mountMode) (contains "serverless" .Values.mountMode) (.Values.validatingWebhook.enabled) }}
 {{- if $certEnabled }}
 ---
 apiVersion: cert-manager.io/v1

charts/juicefs-csi-driver/values.yaml

@@ -42,6 +42,8 @@ imagePullSecrets: []
 # - sidecar: run JuiceFS Client as a sidecar container in the same pod with application
 # - process: run JuiceFS Client as a process in the JuiceFS CSI node service
 # - serverless: a special "sidecar" mode that requires no privilege, creates no hostPath volumes, to allow full serverless deployment
+# - "mountpod|serverless": support both mountpod and serverless modes
+# - "mountpod|sidecar": support both mountpod and sidecar modes
 # Ref: https://juicefs.com/docs/csi/introduction/
 mountMode: mountpod
 
@@ -396,6 +398,18 @@ webhook:
   # FailurePolicy defines how unrecognized errors and timeout errors from the admission webhook are handled
   # https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#failure-policy
   FailurePolicy: Fail
+  # For serverless & sidecar mountMode, configure webhook selectors
+  # default namespace selector
+  # - for sidecar mode: juicefs.com/enable-injection: "true"
+  # - for serverless mode: juicefs.com/enable-serverless-injection: "true"
+  # Example configuration:
+  #   namespaceSelector:
+  #     matchLabels:
+  #       juicefs.com/enable-injection: "true"
+  #   objectSelector:
+  #     matchLabels:
+  #       juicefs.com/enable-injection: "true"
+  selector: {}
 
 validatingWebhook:
   enabled: false