# This YAML file shows how to deploy the CSI snapshotter together
# with the hostpath CSI driver. It depends on the RBAC rules
# from rbac.yaml and rbac-external-provisioner.yaml.
#
# Because external-snapshotter and external-provisioner get
# deployed in the same pod, we have to merge the permissions
# for the provisioner into the service account. This is not
# necessary when deploying separately.

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-snapshotter-provisioner-role
subjects:
  - kind: ServiceAccount
    name: csi-snapshotter # from rbac.yaml
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: ClusterRole
  name: external-provisioner-runner # from rbac-external-provisioner.yaml
  apiGroup: rbac.authorization.k8s.io

---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: csi-snapshotter-provisioner-role-cfg
  # replace with non-default namespace name
  namespace: default
subjects:
  - kind: ServiceAccount
    name: csi-snapshotter # from rbac.yaml
    # replace with non-default namespace name
    namespace: default
roleRef:
  kind: Role
  name: external-provisioner-cfg # from rbac-external-provisioner.yaml
  apiGroup: rbac.authorization.k8s.io

---
kind: Service
apiVersion: v1
metadata:
  name: csi-snapshotter
  labels:
    app: csi-snapshotter
spec:
  selector:
    app: csi-snapshotter
  ports:
    - name: dummy
      port: 12345

---
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: csi-snapshotter
spec:
  serviceName: "csi-snapshotter"
  replicas: 1
  selector:
    matchLabels:
      app: csi-snapshotter
  template:
    metadata:
      labels:
        app: csi-snapshotter
    spec:
      serviceAccount: csi-snapshotter
      containers:
        - name: csi-provisioner
          image: quay.io/k8scsi/csi-provisioner:v1.1.0
          args:
            - "--provisioner=csi-hostpath"
            - "--csi-address=$(ADDRESS)"
            - "--connection-timeout=15s"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
        - name: csi-snapshotter
          image: quay.io/k8scsi/csi-snapshotter:v1.1.0
          args:
            - "--csi-address=$(ADDRESS)"
            - "--connection-timeout=15s"
            - "--leader-election=false"
          env:
            - name: ADDRESS
              value: /csi/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
        - name: hostpath
          image: quay.io/k8scsi/hostpathplugin:v1.1.0
          args:
            - "--v=5"
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--nodeid=$(KUBE_NODE_NAME)"
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          imagePullPolicy: Always
          securityContext:
            privileged: true
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
      volumes:
        - name: socket-dir
          emptyDir: