apiVersion: v1
kind: ServiceAccount
metadata:
  name: cmlc-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cmlc-nfs-client-provisioner-runner
rules:
  - apiGroups:
      - ""
    resources:
      - persistentvolumes
    verbs:
      - get
      - list
      - watch
      - create
      - delete
  - apiGroups:
      - ""
    resources:
      - persistentvolumeclaims
    verbs:
      - get
      - list
      - watch
      - update
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - watch
      - create
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
  - apiGroups:
      - extensions
    resourceNames:
      - nfs-provisioner
    resources:
      - podsecuritypolicies
    verbs:
      - use
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cmlc-run-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: cmlc-nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cmlc-nfs-client-provisioner-runner
  apiGroup: rbac.authorization.k8s.io


---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cmlc-leader-locking-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: kube-system
rules:
  - apiGroups: [ "" ]
    resources: [ "endpoints" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch" ]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cmlc-leader-locking-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: cmlc-nfs-client-provisioner
    # replace with namespace where provisioner is deployed
    namespace: kube-system
roleRef:
  kind: Role
  name: cmlc-leader-locking-nfs-client-provisioner
  apiGroup: rbac.authorization.k8s.io

---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nfs-prod-distribute
provisioner: cmlc-nfs-client-provisioner
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cmlc-nfs-client-provisioner
  labels:
    app: cmlc-nfs-client-provisioner
  # replace with namespace where provisioner is deployed
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cmlc-nfs-client-provisioner
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: cmlc-nfs-client-provisioner
    spec:
      serviceAccountName: cmlc-nfs-client-provisioner
      imagePullSecrets:
        - name: harborsecret
      containers:
        - name: cmlc-nfs-client-provisioner
          image: harbor.cdcyy.com.cn/cmii/nfs-subdir-external-provisioner:v4.0.2
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
          env:
            - name: PROVISIONER_NAME
              value: cmlc-nfs-client-provisioner
            - name: NFS_SERVER
              value: yfcsnfs.com
            - name: NFS_PATH
              value: /drone/zyly
      volumes:
        - name: nfs-client-root
          nfs:
            server: yfcsnfs.com
            path: /drone/zyly