Sample YAML files
hsm-pv.yaml
---
# Static, NFS-backed PersistentVolume that holds the HSM client token data.
# Replace every <placeholder> before applying. hsm-pvc.yaml binds to this
# volume explicitly via volumeName: ibmblockchain-pv.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ibmblockchain-pv
spec:
  # Retain keeps the exported directory when the claim goes away; nothing
  # on the NFS server is touched by Kubernetes in that case.
  persistentVolumeReclaimPolicy: Retain
  storageClassName: <storage-class-name>
  volumeMode: Filesystem
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteMany
  # NFS does not authenticate clients by itself; restrict the export to the
  # cluster nodes on the server side (export ACL / network policy).
  nfs:
    server: <nfs-server-IP>
    path: <nfs-directory>
hsm-pvc.yaml
---
# Claim that pins the HSM token volume (hsm-pv.yaml) into the project
# namespace. storageClassName and the requested size must match the PV for
# the binding to succeed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ibmblockchain-pvc
  namespace: ibm-blockchain-proj
spec:
  # Bind to the pre-created PV by name instead of dynamic provisioning.
  volumeName: ibmblockchain-pv
  storageClassName: <storage-class-name>
  volumeMode: Filesystem
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
hsm-cm.yaml
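---
# ConfigMap carrying the HSM client configuration (nShield PKCS#11 library plus
# its hardserver sidecar). The value under ibp-hsm-config.yaml is itself YAML,
# so everything inside the block scalar is significant, including indentation.
#
# Fix in this revision: the env values for CKNFAST_FAKE_ACCELERATOR_LOGIN and
# CKNFAST_DEBUG are quoted. Container env values are strings in the Kubernetes
# EnvVar schema; an unquoted 1 or 10 parses as an integer and can be rejected
# when the consumer turns these entries into a container spec.
#
# Points a reviewer should confirm before production use:
# - CKNFAST_FAKE_ACCELERATOR_LOGIN relaxes the nShield slot-login behaviour;
#   check the nShield documentation that this is acceptable for the setup.
# - CKNFAST_DEBUG / CKNFAST_DEBUGFILE turn on verbose PKCS#11 logging into the
#   token volume. The file grows without bound and records details of key
#   operations, so anyone who can read the volume can read it; lower or remove
#   both outside troubleshooting.
# - Both images are referenced by tag only; pinning by digest makes the
#   deployed library reproducible.
apiVersion: v1
kind: ConfigMap
metadata:
  name: ibp-hsm-config
data:
  ibp-hsm-config.yaml: |
    library:
      filepath: /opt/nfast/toolkits/pkcs11/libcknfast.so
      image: >-
        image-registry.openshift-image-registry.svc:5000/openshift/rh8nshieldibm
      auth:
        imagePullSecret: hsm-docker-secret
    daemon:
      image: >-
        image-registry.openshift-image-registry.svc:5000/openshift/rh8nshieldibm
      auth:
        imagePullSecret: hsm-docker-secret
      envs:
        - name: LD_LIBRARY_PATH
          value: /stdll
        - name: CKNFAST_FAKE_ACCELERATOR_LOGIN
          value: "1"
        - name: CKNFAST_DEBUG
          value: "10"
        - name: CKNFAST_DEBUGFILE
          value: /opt/nfast/kmdata/local/pkcs11.log
        - name: NFAST_SERVER
          value: /shared/sockets/nserver
        - name: NFAST_PRIVSERVER
          value: /shared/sockets/privnserver
      mountpaths:
        - mountpath: /opt/nfast/kmdata/local
          name: tokeninfo
          usePVC: true
    type: hsm
    version: v1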
nfs-rbac.yaml
---
# Identity the NFS subdir provisioner Deployment runs as
# (nfs-deployment.yaml sets serviceAccountName to this account).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nfs-client-provisioner
  namespace: ibm-blockchain-proj
---
# Cluster-scoped permissions. PersistentVolumes are not namespaced, so
# create/delete on them can only be granted at cluster scope. No access to
# secrets, pods or exec is granted here; keep it that way when extending.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nfs-client-provisioner-runner
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["persistentvolumes"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
---
# Binds the cluster role above to the provisioner's service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: run-nfs-client-provisioner
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    namespace: ibm-blockchain-proj
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nfs-client-provisioner-runner
---
# Namespaced permissions on endpoints; presumably used for leader election
# (the name suggests so), so they stay confined to the project namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: leader-locking-nfs-client-provisioner
  namespace: ibm-blockchain-proj
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-locking-nfs-client-provisioner
  namespace: ibm-blockchain-proj
subjects:
  - kind: ServiceAccount
    name: nfs-client-provisioner
    namespace: ibm-blockchain-proj
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-locking-nfs-client-provisioner
storage-class.yaml
---
# StorageClass served by the NFS subdir provisioner from nfs-deployment.yaml;
# the provisioner name must equal the PROVISIONER_NAME env value there.
# Replace <storage-class-name> with the same value used in hsm-pv.yaml and
# hsm-pvc.yaml.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: <storage-class-name>
provisioner: k8s-sigs.io/nfs-subdir-external-provisioner
parameters:
  # A constant pathPattern means every claim provisioned through this class
  # lands in the same 'ibmblockchain' directory on the export, so claims are
  # not isolated from each other. Confirm that is intended; the provisioner
  # also accepts per-claim templates such as '${.PVC.namespace}/${.PVC.name}'.
  pathPattern: 'ibmblockchain'
  # 'false' removes the directory on delete instead of archiving it. Combined
  # with the shared pathPattern above, deleting one claim affects the others.
  archiveOnDelete: 'false'
nfs-deployment.yaml
---
# Single-replica NFS subdir provisioner. The NFS_SERVER / NFS_PATH env values
# and the nfs-client-root volume have to point at the same export; keep the
# two in sync when substituting the placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nfs-client-provisioner
  namespace: ibm-blockchain-proj
  labels:
    app: nfs-client-provisioner
spec:
  replicas: 1
  # Recreate avoids two provisioners writing to the export at once.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nfs-client-provisioner
  template:
    metadata:
      labels:
        app: nfs-client-provisioner
    spec:
      # RBAC for this account lives in nfs-rbac.yaml.
      serviceAccountName: nfs-client-provisioner
      containers:
        - name: nfs-client-provisioner
          # NOTE(review): k8s.gcr.io has been superseded by registry.k8s.io
          # (pulls are currently redirected). A digest pin
          # (...:v4.0.2@sha256:<image-digest>) makes the rollout reproducible
          # and immune to tag moves.
          image: k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2
          env:
            - name: PROVISIONER_NAME
              value: k8s-sigs.io/nfs-subdir-external-provisioner
            - name: NFS_SERVER
              value: <nfs-server-IP>
            - name: NFS_PATH
              value: <nfs-directory>
          volumeMounts:
            - name: nfs-client-root
              mountPath: /persistentvolumes
      # The whole export is mounted read-write; the pod can reach every
      # directory on it, not only the ones it provisions.
      volumes:
        - name: nfs-client-root
          nfs:
            server: <nfs-server-IP>
            path: <nfs-directory>