feat(helm): update rook-ceph group ( v1.16.6 → v1.19.2 )

[flkr-23]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
rook-ceph	minor	v1.16.6 → v1.19.2
rook-ceph-cluster	minor	v1.16.6 → v1.19.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

rook/rook (rook-ceph)

v1.19.2

Compare Source

Improvements

Rook v1.19.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• csi: Update imagePullPolicy in operatorconfig and driver CR (#​17084, @​iPraveenParihar)
• osd: Fix OSDs on multipath device with metadata device (#​17083, @​satoru-takeuchi)
• build: Publish images with buildx instead of manifest-tool (#​17079, @​subhamkrai)
• rgw: Update status info when http is disabled (#​17050, @​sp98)
• object: Add ObjectStoreUserSpec.OpMask field (#​17037, @​jhoblitt)
• exporter: Add log collector for ceph exporter pod (#​16584, @​subhamkrai)
• csi: Update ceph-csi image to 3.16.1 (#​17060, @​iPraveenParihar)
• build(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.23.0 in the k8s-dependencies group (#​16963, @​dependabot[bot])
• osd: In cephx key init, don't overwrite key on failure (#​17052, @​BlaineEXE)
• nvmeof: Add default gateway topology spread constraints (#​17074, @​OdedViner)
• nvmeof: Update expansion fields and sidecar images (#​17019, @​OdedViner)

v1.19.1

Compare Source

Improvements

Rook v1.19.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

csi: Update to ceph csi operator to v0.5 (#​17029, @​subhamkrai)
security: Remove unnecessary nodes/proxy RBAC enablement (#​16979, @​ibotty)
helm: Set default ceph image pull policy (#​16954, @​travisn)
nfs: Add CephNFS.spec.server.{image,imagePullPolicy} fields (#​16982, @​jhoblitt)
osd: Assign correct osd container in case it is not index 0 (#​16969, @​kyrbrbik)
csi: Remove obsolete automated node fencing code (#​16922, @​subhamkrai)
osd: Enable proper cancellation during OSD reconcile (#​17022, @​sp98)
csi: Allow running the csi controller plugin on host network (#​16972, @​Madhu-1)
rgw: Update ca bundle mount perms to read-all (#​16968, @​BlaineEXE)
mon: Change do-not-reconcile to be more granular for individual mons (#​16939, @​travisn)
build(deps): Bump the k8s-dependencies group with 6 updates (#​16846, @​dependabot[bot])
doc: add csi-operator example in configuration doc (#​17001, @​subhamkrai)

v1.19.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• The supported Kubernetes versions are v1.30 - v1.35
• The minimum supported Ceph version is v19.2.0. Rook v1.18 clusters running Ceph v18 must upgrade
  to Ceph v19.2.0 or higher before upgrading Rook.
• The behavior of the activeStandby property in the CephFilesystem CRD has changed. When set to false, the standby MDS daemon deployment will be scaled down and removed, rather than only disabling the standby cache while the daemon remains running.
• Helm: The rook-ceph-cluster chart has changed where the Ceph image is defined, to allow separate settings for the repository and tag. For more details, see the Rook upgrade guide.
• In external mode, when users provide a Ceph admin keyring to Rook, Rook will no longer create CSI Ceph clients automatically. This approach will provide more consistency to configure external mode clusters via the same external Python script.

Features

• Experimental: NVMe over Fabrics (NVMe-oF) allows RBD volumes to be exposed and accessed via the NVMe/TCP protocol. This enables both Kubernetes pods within the cluster and external clients outside the cluster to connect to Ceph block storage using standard NVMe-oF initiators, providing high-performance block storage access over the network. See the NVMe-oF Configuration Guide to get started.
• CephCSI v3.16 Integration:
  • NVMe-oF CSI driver for provisioning and mounting volumes over the NVMe over Fabrics protocol
  • Improved fencing for RBD and CephFS volumes during node failure
  • Block volume usage statistics
  • Configurable block encryption cipher
• Experimental: Allow concurrent reconciles of the CephCluster CR when there multiple clusters being managed by the same Rook operator. Concurrency is enabled by increasing the operator setting ROOK_RECONCILE_CONCURRENT_CLUSTERS to a value greater than 1.
• Improved logging with namespaced names for the controllers for more consistency in troubleshooting the rook operator log.

v1.18.9

Compare Source

Improvements

Rook v1.18.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• csi: Disable read affinity for ceph v20.2.0 to avoid corruption (#​16895, @​travisn)
• core: Allow skipping cephcluster reconcile via do-not-reconcile label (#​16874, @​OdedViner)
• helm: Merge rook-config-override ConfigMap into toolbox ceph.conf (#​16862, @​mheler)
• helm: Add cephclusters/finalizers permission for mgr sidecar (#​16854, @​grandeit)
• csi: Add fix to support multiple fs mount option (#​16837, @​subhamkrai)
• operator: Watch cephConfigFromSecret changes (#​16786, @​cyanidium)
• rgw: Support all S3 notification events in CRD validation (#​16804, @​arttor)
• docs: Add pool parameter for erasure code optimizations (#​16789, @​travisn)

v1.18.8

Compare Source

Improvements

Rook v1.18.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• core: Add support for ceph tentacle (#​16501, @​subhamkrai)
• helm: Include exporter options in CephCluster (#​16745, @​michaeltchapman)
• toolbox: Merge rook-config-override ConfigMap into ceph.conf (#​16731, @​mheler)
• csi: ControllerPlugin/NodePlugin resource settings were reversed (#​16735, @​swills)
• osd: Allow snaptrimp and snaptrip_wait PGs by the PDBs during node drains (#​16713, @​sp98)
• helm: Fix default pathType for HTTPRoute in the rook-ceph-cluster chart (#​16724, @​fancl20)
• pool: Retry if pool status is empty in the rados namespace controller (#​16705, @​parth-gr)
• namespace: Add retryOnConflict when updating status (#​16661, @​subhamkrai)

v1.18.7

Compare Source

Improvements

Rook v1.18.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• pool: Retry pool status updates in the radosnamespace controller (#​16700, @​parth-gr)
• osd: Add device class label to the osd prepare pods (#​16675, @​parth-gr)
• external: Fix quote parsing and message in import-external-cluster.sh (#​16646, @​GanghyeonSeo)
• object: Fix user quotas being overwritten when obc bucketOwner is set (#​16672, @​jhoblitt)
• docs: Example of application migration between clusters (#​16659, @​travisn)
• mgr: Add hostNetwork field to Ceph Mgr spec (#​16617, @​Sunnatillo)
• osd: Add CephCluster OSDMaxUpdatesInParallel to tune OSD updates (#​16655, @​jhoblitt)

v1.18.6

Compare Source

Improvements

Rook v1.18.6 is a patch release with changes only in the rook-ceph helm chart. If not affected by #​16636 in v1.18.5, no need to update to this release.

• helm: Remove duplicate YAML map entries (#​16637, @​hxtmdev)
• ci: Check for duplicates in the helm linter (#​16640, @​hxtmdev)

v1.18.5

Compare Source

Improvements

Rook v1.18.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• mon: Wait for the canary pods to be terminated before starting mon daemons (#​16619, @​sp98)
• mon: Trap the sigterm to respond quickly to the mon canary pod deletion (#​16629, @​travisn)
• osd: Set osd resources for specific device class (#​16614, @​travisn)
• mgr: Add required k8s label for endpointSlice (#​16618, @​subhamkrai)
• pool: Skip setting the target size ratio to 0 by default (#​16609, @​travisn)
• core: Fix ceph health check up status check (#​16595, @​parth-gr)
• osd: Allow OSD init keyring update to be best-effort instead of fail osd start (#​16603, @​BlaineEXE)
• osd: Add a timeout for osd create and update process (#​16594, @​parth-gr)
• core: Add missing labels to RBAC resources to prevent ArgoCD drift (#​16507, @​fullstackjam)
• mon: Update the clusterinfo with v2 port (#​16540, @​parth-gr)
• file: Allow overriding MDS cache memory limit. (#​16556, @​timbuchwaldt)
• osd: More detailed logging to check node topology conflicts (#​16573, @​OdedViner)

v1.18.4

Compare Source

Improvements

Rook v1.18.4 is a patch release with changes only in the rook-ceph-cluster helm chart. If not affected by #​16567 in v1.18.3, no need to update to this release.

• helm: Revert ceph image tag change (#​16567, @​travisn)

v1.18.3

Compare Source

Improvements

Rook v1.18.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Allow specifying the image tag and repository separately (#​16512, @​travisn)
• csi: Allow overriding volume settings in csi operator for nixos (#​16395, @​travisn)
• osd: Exclude down OSDs from main PDB when cluster is clean (#​16112, @​elias-dbx)
• build: Add csi operator image to images.txt (#​16563, @​travisn)
• csi: Update csi-operator version to v0.4.1 (#​16560, @​Madhu-1)
• rbdmirror: Fix mirroring monitoring settings for rados namespaces (#​16520, @​parth-gr)
• namespace: Blocklist ip:nonce in cleanup job (#​16532, @​Madhu-1)
• osd: Clean encrypted disks from other clusters (#​16488, @​sp98)
• csi: Avoid port conflict by removing liveness probe from the csi-operator (#​16516, @​Madhu-1)
• csi: Add labels to the csi-operator driver pod (#​16514, @​subhamkrai)
• helm: Refactoring to modernize templates (#​16494, @​consideRatio)
• osd: Updated blocking pdbs when drained node comes back online (#​16506, @​sp98)
• core: Use latest operator context to avoid reference to canceled context (#​16493, @​sp98)
• ci: Update latest k8s version to v1.34 (#​16418, @​obnoxxx)
• external: Fix ipv6 monitoring endpoint reconcile (#​16468, @​parth-gr)
• pool: Allow enableCrushUpdates to be nil (#​16478, @​travisn)
• mon: Fix mon health nil pointer exception with mons on PVC (#​16484, @​sp98)
• helm: Refactoring of rook-ceph's configmap to be easier to read and maintain (#​16457, @​consideRatio)
• nfs: Rotate nfs cephx key (#​16456, @​subhamkrai)
• external: Fixing rbd provisioner secret in import-external-cluster script (#​16474, @​rubentsirunyan)
• core: Add CRD Phase column to cephor, cephnfs, cephbn (#​16541 #​16542 #​16543, @​jhoblitt)
• object: Add status.{phase,observedGeneration} to cephbn (#​16499, @​jhoblitt)
• core: fix ObjectZoneSpec.ZoneGroup and ObjectZoneGroupSpec.Realm field descriptions (#​16496, @​jhoblitt)

v1.18.2

Compare Source

Improvements

Rook v1.18.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Upgrade requires either deletion of storage classes or removal of new storage class properties, see the Upgrade Guide (#​16454, @​parth-gr)
• csi: Set host networking on the csi controller pod if host networking is enforced (#​16462, @​travisn)
• csi: Fix cephx key deletion logic (#​16452, @​BlaineEXE)
• csi: Add multus network annotation to csi-operator (#​16448, @​subhamkrai)
• external: Fix secret values in import-external-cluster script (#​16433, @​rubentsirunyan)
• osd: Remove the osd bootstrap keyring that is not needed after creation (#​16421, @​parth-gr)
• core: Delete bootstrap keys not necessary for ceph daemons (#​16372, @​sp98)
• core: Allow rotation of the client.admin cephx key (#​16271, @​BlaineEXE)
• osd: Rotate lockbox keys for encrypted OSDs (#​16409, @​sp98)

v1.18.1

Compare Source

Improvements

Rook v1.18.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• csi: Set the cephfs kernel mount options when network encryption is enabled (#​16399, @​travisn)
• csi: Generate default crush topology labels for the csi operator settings (#​16376, @​travisn)
• csi: Create csi operator resources when operator settings configmap is updated (#​16382, @​subhamkrai)
• csi: Delete csi operator CR's when disabled (#​16381, @​subhamkrai)
• csi: Set csi operator as default if no settings found (#​16405, @​travisn)
• csi: Fix wrong use of daemon config for cephx status (#​16396, @​BlaineEXE)
• helm: Recreate storage classes with helm upgrades to add keep policy and new properties (#​16373, @​parth-gr)
• ci: Always initialize CSI driver names (#​16393, @​travisn)

v1.18.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• Kubernetes v1.29 is now the minimum version supported by Rook through the soon-to-be K8s release v1.34.
• Helm versions 3.13 and newer are supported. Previously, only the latest version of helm was tested and the docs stated only version 3.x of helm as a prerequisite. Now rook supports the six most recent minor versions of helm along with their their patch updates.
• Rook now validates node topology during CephCluster creation to prevent misconfigured CRUSH hierarchies for OSDs. If child labels like topology.rook.io/rack are duplicated across zones, cluster creation will fail. The check applies only to new clusters without OSDs. Clusters with existing OSDs will only log a warning and continue. If the checks are invalid in your topology, they can be suppressed by setting ROOK_SKIP_OSD_TOPOLOGY_CHECK=true in the rook-ceph-operator-config configmap.

Features

• The Ceph CSI operator is now the default and recommended component for configuring CSI drivers for RBD, CephFS, and NFS volumes. The CSI operator has been factored out of Rook to run independently to manage the Ceph-CSI driver. 
  • During the upgrade and throughout the v1.18.x releases, Rook will automatically convert any Rook CSI settings to the new CSI operator CRs. This transition is expected to be completely transparent. In the future v1.19 release, Rook will relinquish direct control of these settings so advanced users can have more flexibility when configuring the CSI drivers. At that time, we will have a guide on configuring these new Ceph CSI operator CRs directly.
  • During install, as mentioned in the Quickstart Guide, there is a new manifest to be created: csi-operator.yaml
  • If installing with the helm chart, the Ceph CSI operator will automatically be installed by default with the new helm setting csi.rookUseCsiOperator in the rook-ceph chart.
  • If a blocking issue is found, the previous CSI driver can be re-enabled by setting ROOK_USE_CSI_OPERATOR: false in operator.yaml or by applying the helm setting csi.rookUseCsiOperator: false.
• Ceph CSI v3.15 has a range of features and improvements for the RBD, CephFS, and NFS drivers. This release is supported both by the Ceph CSI operator and Rook's direct mode of configuration. Starting in the next release (at the end of the year), the Ceph CSI operator will be required to configure the CSI driver.
• CephX key rotation is now available as an experimental feature for the CephX authentication keys used by Ceph daemons and clients. Users will begin to see new cephx status items on some Rook resources in newly-deployed Rook clusters. Users can also find spec.security.cephx settings that allow initiating CephX key rotation for various Ceph components. Full documentation for key rotation can be found here.
  • Ceph version v19.2.3+ is required for key rotation.
  • The Ceph admin and mon keys cannot yet be rotated. Implementation is still in progress while in experimental mode.
• Add support for specifying the clusterID in the CephBlockPoolRadosNamespace and the CephFilesystemSubVolumeGroup CR.
• When a mon is being failed over, if the assigned node no longer exists, the mon is failed over immediately instead of waiting for a
  20 minute timeout.
• Support for Ceph Tentacle v20 will be available as soon as it is released.

v1.17.9

Compare Source

Improvements

Rook v1.17.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• pool: Retry pool status updates in the radosnamespace controller (#​16700, @​parth-gr)
• object: Fix user quotas being overwritten when OBC bucketOwner is set (#​16672, @​jhoblitt)
• mon: Wait for the canary pods to be terminated (#​16619, @​sp98)
• mon: Respond quickly to the mon canary pod deletion (#​16629, @​travisn)
• namespace: Blocklist ip:nonce in cleanup job (#​16532, @​Madhu-1)
• core: Fix typos in ObjectZoneSpec.ZoneGroup and ObjectZoneGroupSpec.Realm field descriptions (#​16496, @​jhoblitt)

v1.17.8

Compare Source

Improvements

Rook v1.17.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Enable host network for OpenShift if needed (#​16343, @​travisn)
• pool: Allow CephBlockPool CR removal when underlying Ceph pool is already removed (#​16329, @​degorenko)
• core: Set erasure-code-profile plugin based on pool algorithm (#​16104, @​BenoitKnecht)
• csi: Add CrossNamespaceVolumeDataSource feature gate (#​16244, @​CL0Pinette)
• object: Mark realm as default to avoid zone creation (#​16069, @​OdedViner)
• object: Simplify CephObjectStoreUser deletion logic (#​16052, @​jhoblitt)
• object: Fix bucket policy in sync detection (#​16220, @​jhoblitt)
• cleanup: Mount udev to cleanup job and disable udev sync (#​16293, @​degorenko)
• cleanup: Improve cleanup of /var/lib/rook during cluster teardown (#​16201, @​OdedViner)
• cleanup: Cleanup csi folders from /var/lib/rook during uninstall (#​16260, @​OdedViner)

v1.17.7

Compare Source

Improvements

Rook v1.17.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

Important: There is a known issue in Ceph v19.2.3 where object store bucket lifecycle deletion does not take effect. See #​16188 for more details.

• core: Update ceph version to v19.2.3 (#​16186, @​travisn)
• csi: Update ceph-csi to 3.14.2 (#​16157, @​Madhu-1)
• osd: Exclude labels with a value of null from the topology string (#​16109, @​hit1943)
• rgw: Increase timeout for admin user creation (#​16203, @​travisn)
• core: Log panics that were previously hidden during controller reconcile (#​16150, @​OdedViner)
• mds: Use bash for executing liveness probe script (#​16146, @​xose)
• helm: Correct example discover daemon resources (#​16123, @​swills)
• helm Update SecurityContextConstraints for rook-ceph helm chart (#​16153, @​masonwb)
• multus: Support copy file to cmd-proxy container for rgw zone set (#​16133, @​arttor)
• mds: Fix nil pointer panic when startupProbe is set in cephfilesystem (#​16144, @​OdedViner)
• core: Update go modules to latest except for go 1.24 (#​16140, @​travisn)
• helm: Add HTTPRoute for dashboard and objectstore (#​16135, @​synthe102)
• osd: Treat non existing OSD nodes as drained (#​16087, @​elias-dbx)
• test: Add pathType with ingress dashboard host (#​16129, @​subhamkrai)
• docs: Document how a storage class can consume a SubVolumeGroup (#​16079, @​raaizik)

v1.17.6

Compare Source

Improvements

Rook v1.17.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• mon: Failover with host network must use different node (#​16056, @​travisn)
• osd: Wipe new Ceph metadata in cleanup job disk shredding (#​15666, @​puskunalis)
• operator: Add missing udev env to discover pod (#​16105, @​subhamkrai)
• mon: Allow running mon pods as root (#​15846, @​patrostkowski)
• core: CephObjectRealm controller generated generated AccessKey invalid chars (#​16078, @​raaizik)
• csi: Provide a flag to skip csi user creation (#​16061, @​Madhu-1)
• ceph: Provide an option to specify the secretName in the cephClient CR (#​16059, @​Madhu-1)
• csi: Update csi version to 3.14.1 (#​16050, @​Madhu-1)
• exporter: Add Hostnetwork bool to ceph-exporter (#​16025, @​adilGhaffarDev)
• object: Allow deletion of CephObjectStoreUser even if secret is missing (#​16038, @​OdedViner)
• helm: Merge helm indexes instead of recreating for every release (#​16041, @​obnoxxx)

v1.17.5

Compare Source

Improvements

Rook v1.17.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• build: merge helm indexes instead of recreating for every release (#​16033, @​obnoxxx)
• rbd: Blocklist rados namespace image watchers during removal (#​16009, @​sp98)
• namespace: Report empty condition for rados namespace (#​16013, @​travisn)
• osd: Update the table of allowed configurations (#​16005, @​satoru-takeuchi)
• pool: Support targetSizeRatio=0 and default compressionMode (#​15951, @​OdedViner)
• core: Correct rados namespace log message (#​15996, @​OdedViner)
• rbdmirror: Fix the nil point error check during status updates (#​15989, @​parth-gr)
• helm: Use nested if clauses in prometheusrule template (#​15979, @​hedgieinsocks)
• helm: allow prometheusrule edits (#​15928, @​hedgieinsocks)
• ci: Use latest helm version v3.18 for helm builds (#​15952, @​obnoxxx)
• osd: Allow wiping encrypted osd disk from another cluster (#​15972, @​sp98)
• osd: Clean osd disks before reinstalling cluster (#​15796, @​sp98)
• csi: Replace hardcoded imagePullPolicy with dynamic Go template (#​15962, @​praveen21b)

v1.17.4

Compare Source

Improvements

Rook v1.17.4 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• nfs: Remove duplicate short NFS CRD name (#​15926, @​parth-gr)
• core: ensure consistent LeastUptodateDaemonVersion (#​15931, @​BlaineEXE)
• nfs: Use tabs instead of spaces in nfs rgw config (#​15934, @​parth-gr)
• helm: Add custom labels for toolbox deployment in rook-ceph-cluster chart (#​15914, @​jurim76)
• osd: Debug log for long image names in label (#​15887, @​travisn)

v1.17.3

Compare Source

Improvements

Rook v1.17.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• core: Add short names to rook CRDs (#​15888, @​patrostkowski)
• csi: Update Kubernetes CSI sidecar images to current versions (#​15878, @​nixpanic)
• mgr: Continue cluster reconcile even if prometheus not installed causing service monitor to fail creation (#​15862, @​travisn)
• core: Allow deletion of subvolumegroups or rados namespaces if another CR references the same resource (#​15853, @​subhamkrai)
• helm: quote object store ingress host (#​15908, @​synthe102)
• osd: Don't set dmcrypt environment variable in prepare pod job spec (#​15907, @​subhamkrai)
• nfs: Fix the skip reconcile for nfs daemons (#​15909, @​parth-gr)
• nfs: Skip NFS daemon reconciliation when labeled with skip-reconcile (#​15889, @​patrostkowski)
• core: Improve reporting for reconcile requeue cases (#​15884, @​OdedViner)
• csi: Enable CSI metadata injection setting by default (#​15867, @​OdedViner)
• core: Fix golangci-lint check ST1005 (#​15875, @​cbarria)
• osd: During PVC resize wait for a short time to restart OSDs (#​15824, @​parth-gr)
• rbdmirror: Update mirroring status on pools and rados namespaces for latest ceph changes (#​15858, @​parth-gr)
• crd: Allow network provider to be set to blank (#​15842, @​yifeng-cerebras)

v1.17.2

Compare Source

Improvements

Rook v1.17.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• block: Add more deletion conditions to blockpool and radosnamespace status (#​15817, @​travisn)
• object: fix uppercase serialization of fields in KafkaEndpointSpec (#​15815, @​jhoblitt)
• cephfs: Update ceph-csi CephFS caps to include executable permission (#​15793, @​flx5)
• object: Change CephObjectStore "foo" found log level to debug (#​15829, @​jhoblitt)
• rgw: Use pod name in ops log filename (#​15605, @​arttor)
• exporter: Add name to containerPort (#​15801, @​jrcichra)
• rbdmirror: Log message clarification with namespace (#​15798, @​subhamkrai)
• osd: Fix osd disk cleanup for mpath setups (#​15761, @​sp98)
• ci: Add test support for latest K8s version 1.33 (#​15795, @​subhamkrai)

v1.17.1

Compare Source

Improvements

Rook v1.17.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• cluster: Specify sensitive ceph config in the CephCluster CR via secrets (#​15696, @​patrostkowski)
• object: Lower retry log verbosity in notification OBC controller (#​15764, @​BlaineEXE)
• object: Log all reconcile errors during object store creation (#​15747, @​travisn)
• docs: Update Prometheus Operator to v0.82.0 (#​15750, @​OdedViner)
• build: Set correct helm version tag for the release (#​15748, @​travisn)
• build: Stop publishing release artifacts for non-released builds (#​15742, @​travisn)

v1.17.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• Kubernetes v1.28 is now the minimum version supported by Rook through the soon-to-be K8s release v1.33.
• Several ObjectBucketClaim options were added previously in Rook v1.16 that allowed more control over buckets. These controls allow users to self-serve their own S3 policies. Administrators may consider this flexibility a risk, depending on their environment. Rook now disables these options by default to ensure the safest off-the-shelf configurations. To enable the full range of OBC configurations, the new setting ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS must be set to enable users to set all of these options. For more details, see the OBC additionalConfig documentation.
• First-class credential management added to CephObjectStoreUser resources, allowing multiple credentials and declarative credential rotation. For more details, see Managing User S3 Credentials. As a result, existing S3 users provisioned via CephObjectStoreUser resources no longer allow multiple credentials to exist on underlying S3 users, unless explicitly managed by Rook. Rook will purge all but one of the undeclared credentials. This could be a user observable regression for administrators who manually edited/rotated S3 user credentials for CephObjectStoreUsers, and affected users can make use of the new credential management feature as an alternative.
• Kafka notifications configured via CephBucketTopic resources will now default to setting the Kafka authentication mechanism to PLAIN. Previously, no auth mechanism was specified by default. It was possible to set the auth mechanism via CephBucketTopic.spec.endpoint.kafka.opaqueData. However, setting &mechanism=<auth type> via opaqueData is no longer possible. If any auth mechanism other than PLAIN is in use, modification to CephBucketTopic resources is required.

Features

• The name of a pre-existing Ceph RGW user account can be set as the bucket owner on an ObjectBucketClaim (OBC), rather than a unique RGW user being created for every bucket. A CephObjectStoreUser resource may be used to create the Ceph RGW user account which will be specified on the OBC. If the bucket owner is set on a bucket that already exists and is owned by a different user, the bucket will be re-linked to the specified user.
• The Ceph CSI 3.14 release has a number of features and improvements for RBD and CephFS volumes, volume snapshots, and many more areas. See the Ceph CSI 3.14 release notes for more details.
• External mons: In some two-datacenter clusters, there is no option to start an arbiter mon in an independent K8s node to configure a proper stretch cluster. The external mons now allow a mon to be configured outside the Kubernetes cluster, while Rook manages everything else inside the cluster. For more details, see the External Mon documentation. This feature is in currently in experimental mode.
• DNS resolution for mons: Allows clients outside the K8s cluster to resolve mon endpoints via DNS without requiring manual updates to the list of mon endpoints. This helps in scenarios such as virtual machine live migration. The Ceph client can connect to rook-ceph-active-mons..svc.cluster.local to dynamically resolve mon endpoints and receive automatic updates when mon IPs change. To configure this DNS resolution, see Tracking Mon Endpoints.
• Node-specific ceph.conf overrides: The ceph.conf overrides can now be customized per-node. This may be helpful for some ceph.conf settings that need to be unique per node depending on the hardware. This can be configured by creating a node-specific configmap that will be loaded for all OSDs and OSD prepare jobs on that node, instead of the default settings that are loaded from the rook-config-override configmap.

v1.16.9

Compare Source

Improvements

Rook v1.16.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• discover: Delete ceph-volume log to reduce discover daemon log size (#​16276, @​anshuman-agarwala)
• core: Update go modules needed for security checks (#​16140, @​travisn)
• core: CephObjectRealm controller generated generated AccessKey invalid chars (#​16078, @​raaizik)
• exporter: Add Hostnetwork bool to ceph-exporter (#​16025, @​adilGhaffarDev)

v1.16.8

Compare Source

Improvements

Rook v1.16.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• rbdmirror: Nil pointer check during status updates (#​15989, @​parth-gr)
• core: ensure consistent LeastUptodateDaemonVersion (#​15931, @​BlaineEXE)
• exporter: Add name to the exporter container port (#​15801, @​jrcichra)
• osd: Fix osd disk cleanup for mpath setups (#​15761, @​sp98)
• object: Log all reconcile errors during object store creation (#​15747, @​travisn)

v1.16.7

Compare Source

Improvements

Rook v1.16.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[flkr-23]

--- HelmRelease: rook-ceph/rook-ceph-cluster ConfigMap: rook-ceph/rook-config-override

+++ HelmRelease: rook-ceph/rook-ceph-cluster ConfigMap: rook-ceph/rook-config-override

@@ -2,13 +2,12 @@

 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: rook-config-override
   namespace: rook-ceph
 data:
-  config: |2
-
+  config: |
     [global]
     bdev_enable_discard = true
     bdev_async_discard = true
     osd_class_update_on_start = false
 
--- HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-block

+++ HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-block

@@ -1,9 +1,9 @@

 ---
+kind: StorageClass
 apiVersion: storage.k8s.io/v1
-kind: StorageClass
 metadata:
   name: ceph-block
   annotations:
     storageclass.kubernetes.io/is-default-class: 'true'
 provisioner: rook-ceph.rbd.csi.ceph.com
 parameters:
--- HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-filesystem

+++ HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-filesystem

@@ -1,9 +1,9 @@

 ---
+kind: StorageClass
 apiVersion: storage.k8s.io/v1
-kind: StorageClass
 metadata:
   name: ceph-filesystem
   annotations:
     storageclass.kubernetes.io/is-default-class: 'false'
 provisioner: rook-ceph.cephfs.csi.ceph.com
 parameters:
--- HelmRelease: rook-ceph/rook-ceph-cluster Deployment: rook-ceph/rook-ceph-tools

+++ HelmRelease: rook-ceph/rook-ceph-cluster Deployment: rook-ceph/rook-ceph-tools

@@ -1,9 +1,9 @@

 ---
+kind: Deployment
 apiVersion: apps/v1
-kind: Deployment
 metadata:
   name: rook-ceph-tools
   namespace: rook-ceph
   labels:
     app: rook-ceph-tools
 spec:
@@ -17,22 +17,23 @@

         app: rook-ceph-tools
     spec:
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       containers:
       - name: rook-ceph-tools
-        image: quay.io/ceph/ceph:v19.2.1
+        image: quay.io/ceph/ceph:v19.2.3
         command:
         - /bin/bash
         - -c
         - |
           # Replicate the script from toolbox.sh inline so the ceph image
           # can be run directly, instead of requiring the rook toolbox
           CEPH_CONFIG="/etc/ceph/ceph.conf"
           MON_CONFIG="/etc/rook/mon-endpoints"
           KEYRING_FILE="/etc/ceph/keyring"
+          CONFIG_OVERRIDE="/etc/rook-config-override/config"
 
           # create a ceph config file in its default location so ceph/rados tools can be used
           # without specifying any arguments
           write_endpoints() {
             endpoints=$(cat ${MON_CONFIG})
 
@@ -47,12 +48,19 @@

           [global]
           mon_host = ${mon_endpoints}
 
           [client.admin]
           keyring = ${KEYRING_FILE}
           EOF
+
+            # Merge the config override if it exists and is not empty
+            if [ -f "${CONFIG_OVERRIDE}" ] && [ -s "${CONFIG_OVERRIDE}" ]; then
+              echo "$DATE merging config override from ${CONFIG_OVERRIDE}"
+              echo "" >> ${CEPH_CONFIG}
+              cat ${CONFIG_OVERRIDE} >> ${CEPH_CONFIG}
+            fi
           }
 
           # watch the endpoints config file and update if the mon endpoints ever change
           watch_endpoints() {
             # get the timestamp for the target of the soft link
             real_path=$(realpath ${MON_CONFIG})
@@ -112,12 +120,15 @@

         - mountPath: /etc/ceph
           name: ceph-config
         - name: mon-endpoint-volume
           mountPath: /etc/rook
         - name: ceph-admin-secret
           mountPath: /var/lib/rook-ceph-mon
+        - name: rook-config-override
+          mountPath: /etc/rook-config-override
+          readOnly: true
       serviceAccountName: rook-ceph-default
       volumes:
       - name: ceph-admin-secret
         secret:
           secretName: rook-ceph-mon
           optional: false
@@ -127,12 +138,16 @@

       - name: mon-endpoint-volume
         configMap:
           name: rook-ceph-mon-endpoints
           items:
           - key: data
             path: mon-endpoints
+      - name: rook-config-override
+        configMap:
+          name: rook-config-override
+          optional: true
       - name: ceph-config
         emptyDir: {}
       tolerations:
       - key: node.kubernetes.io/unreachable
         operator: Exists
         effect: NoExecute
--- HelmRelease: rook-ceph/rook-ceph-cluster Ingress: rook-ceph/rook-ceph-dashboard

+++ HelmRelease: rook-ceph/rook-ceph-cluster Ingress: rook-ceph/rook-ceph-dashboard

@@ -1,9 +1,9 @@

 ---
+kind: Ingress
 apiVersion: networking.k8s.io/v1
-kind: Ingress
 metadata:
   name: rook-ceph-dashboard
   namespace: rook-ceph
 spec:
   rules:
   - host: rook.kyle.fail
--- HelmRelease: rook-ceph/rook-ceph-cluster CephBlockPool: rook-ceph/ceph-blockpool

+++ HelmRelease: rook-ceph/rook-ceph-cluster CephBlockPool: rook-ceph/ceph-blockpool

@@ -1,9 +1,9 @@

 ---
+kind: CephBlockPool
 apiVersion: ceph.rook.io/v1
-kind: CephBlockPool
 metadata:
   name: ceph-blockpool
   namespace: rook-ceph
 spec:
   failureDomain: host
   replicated:
--- HelmRelease: rook-ceph/rook-ceph-cluster CephCluster: rook-ceph/rook-ceph

+++ HelmRelease: rook-ceph/rook-ceph-cluster CephCluster: rook-ceph/rook-ceph

@@ -5,14 +5,14 @@

   name: rook-ceph
   namespace: rook-ceph
 spec:
   monitoring:
     enabled: true
   cephVersion:
+    image: quay.io/ceph/ceph:v19.2.3
     allowUnsupported: false
-    image: quay.io/ceph/ceph:v19.2.1
   cleanupPolicy:
     allowUninstallWithVolumes: false
     confirmation: ''
     sanitizeDisks:
       dataSource: zero
       iteration: 1
--- HelmRelease: rook-ceph/rook-ceph-cluster CephFilesystem: rook-ceph/ceph-filesystem

+++ HelmRelease: rook-ceph/rook-ceph-cluster CephFilesystem: rook-ceph/ceph-filesystem

@@ -1,9 +1,9 @@

 ---
+kind: CephFilesystem
 apiVersion: ceph.rook.io/v1
-kind: CephFilesystem
 metadata:
   name: ceph-filesystem
   namespace: rook-ceph
 spec:
   dataPools:
   - failureDomain: host
--- HelmRelease: rook-ceph/rook-ceph-cluster CephFilesystemSubVolumeGroup: rook-ceph/ceph-filesystem-csi

+++ HelmRelease: rook-ceph/rook-ceph-cluster CephFilesystemSubVolumeGroup: rook-ceph/ceph-filesystem-csi

@@ -1,9 +1,9 @@

 ---
+kind: CephFilesystemSubVolumeGroup
 apiVersion: ceph.rook.io/v1
-kind: CephFilesystemSubVolumeGroup
 metadata:
   name: ceph-filesystem-csi
   namespace: rook-ceph
 spec:
   name: csi
   filesystemName: ceph-filesystem
--- HelmRelease: rook-ceph/rook-ceph-cluster PrometheusRule: rook-ceph/prometheus-ceph-rules

+++ HelmRelease: rook-ceph/rook-ceph-cluster PrometheusRule: rook-ceph/prometheus-ceph-rules

@@ -1,9 +1,9 @@

 ---
+kind: PrometheusRule
 apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
 metadata:
   labels:
     prometheus: rook-prometheus
     role: alert-rules
   name: prometheus-ceph-rules
   namespace: rook-ceph
--- HelmRelease: rook-ceph/rook-ceph-cluster VolumeSnapshotClass: rook-ceph/csi-ceph-filesystem

+++ HelmRelease: rook-ceph/rook-ceph-cluster VolumeSnapshotClass: rook-ceph/csi-ceph-filesystem

@@ -1,9 +1,9 @@

 ---
+kind: VolumeSnapshotClass
 apiVersion: snapshot.storage.k8s.io/v1
-kind: VolumeSnapshotClass
 metadata:
   name: csi-ceph-filesystem
   annotations:
     snapshot.storage.kubernetes.io/is-default-class: 'false'
 driver: rook-ceph.cephfs.csi.ceph.com
 parameters:
--- HelmRelease: rook-ceph/rook-ceph-cluster VolumeSnapshotClass: rook-ceph/csi-ceph-blockpool

+++ HelmRelease: rook-ceph/rook-ceph-cluster VolumeSnapshotClass: rook-ceph/csi-ceph-blockpool

@@ -1,9 +1,9 @@

 ---
+kind: VolumeSnapshotClass
 apiVersion: snapshot.storage.k8s.io/v1
-kind: VolumeSnapshotClass
 metadata:
   name: csi-ceph-blockpool
   annotations:
     snapshot.storage.kubernetes.io/is-default-class: 'false'
 driver: rook-ceph.rbd.csi.ceph.com
 parameters:
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-osd

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-mgr

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-cmd-reporter

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-purge-osd

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-rgw

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-rgw

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-rgw
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-default

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-default

@@ -1,10 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-default
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-system

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-plugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-plugin-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-cephfs-plugin-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-provisioner-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-provisioner-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-plugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-plugin-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-rbd-plugin-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-provisioner-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-provisioner-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/objectstorage-provisioner

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/objectstorage-provisioner

@@ -1,9 +1,9 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: objectstorage-provisioner
   namespace: rook-ceph
   labels:
     app.kubernetes.io/part-of: container-object-storage-interface
     app.kubernetes.io/component: driver-ceph
--- HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

+++ HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

@@ -1,18 +1,28 @@

 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: rook-ceph-operator-config
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 data:
   ROOK_LOG_LEVEL: INFO
   ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: '15'
   ROOK_OBC_WATCH_OPERATOR_NAMESPACE: 'true'
+  ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS: maxObjects,maxSize
   ROOK_CEPH_ALLOW_LOOP_DEVICES: 'false'
   ROOK_ENABLE_DISCOVERY_DAEMON: 'true'
+  ROOK_USE_CSI_OPERATOR: 'true'
   ROOK_CSI_ENABLE_RBD: 'true'
   ROOK_CSI_ENABLE_CEPHFS: 'true'
   ROOK_CSI_DISABLE_DRIVER: 'false'
   CSI_ENABLE_CEPHFS_SNAPSHOTTER: 'true'
   CSI_ENABLE_NFS_SNAPSHOTTER: 'true'
   CSI_ENABLE_RBD_SNAPSHOTTER: 'true'
@@ -25,21 +35,22 @@

   CSI_PLUGIN_PRIORITY_CLASSNAME: system-node-critical
   CSI_PROVISIONER_PRIORITY_CLASSNAME: system-cluster-critical
   CSI_RBD_FSGROUPPOLICY: File
   CSI_CEPHFS_FSGROUPPOLICY: File
   CSI_NFS_FSGROUPPOLICY: File
   CSI_CEPHFS_KERNEL_MOUNT_OPTIONS: ms_mode=prefer-crc
-  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.13.1
-  ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.13.0
-  ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v5.1.0
-  ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.2.0
-  ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.8.0
-  ROOK_CSI_RESIZER_IMAGE: registry.k8s.io/sig-storage/csi-resizer:v1.13.1
+  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.16.1
+  ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
+  ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v6.0.0
+  ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0
+  ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.10.0
+  ROOK_CSI_RESIZER_IMAGE: registry.k8s.io/sig-storage/csi-resizer:v2.0.0
   ROOK_CSI_IMAGE_PULL_POLICY: IfNotPresent
   CSI_ENABLE_CSIADDONS: 'false'
-  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.11.0
+  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.14.0
+  CSI_ENABLE_CROSS_NAMESPACE_VOLUME_DATA_SOURCE: 'false'
   CSI_ENABLE_TOPOLOGY: 'false'
   ROOK_CSI_ENABLE_NFS: 'false'
   CSI_ENABLE_LIVENESS: 'true'
   CSI_FORCE_CEPHFS_KERNEL_CLIENT: 'true'
   CSI_GRPC_TIMEOUT_SECONDS: '150'
   CSI_PROVISIONER_REPLICAS: '2'
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-system

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-system
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-cluster-mgmt

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-cluster-mgmt

@@ -1,14 +1,16 @@

 ---
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: rook-ceph-cluster-mgmt
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-global

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-global

@@ -1,46 +1,58 @@

 ---
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: rook-ceph-global
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - pods
   - nodes
-  - nodes/proxy
   - secrets
   - configmaps
   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
+  - discovery.k8s.io
   resources:
   - events
   - persistentvolumes
   - persistentvolumeclaims
   - endpoints
   - services
+  - endpointslices
+  - endpointslices/restricted
   verbs:
   - get
   - list
   - watch
   - patch
   - create
   - update
   - delete
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
 - apiGroups:
   - storage.k8s.io
   resources:
   - storageclasses
   verbs:
   - get
@@ -64,12 +76,13 @@

   resources:
   - cephclients
   - cephclusters
   - cephblockpools
   - cephfilesystems
   - cephnfses
+  - cephnvmeofgateways
   - cephobjectstores
   - cephobjectstoreusers
   - cephobjectrealms
   - cephobjectzonegroups
   - cephobjectzones
   - cephbuckettopics
@@ -89,12 +102,13 @@

   resources:
   - cephclients/status
   - cephclusters/status
   - cephblockpools/status
   - cephfilesystems/status
   - cephnfses/status
+  - cephnvmeofgateways/status
   - cephobjectstores/status
   - cephobjectstoreusers/status
   - cephobjectrealms/status
   - cephobjectzonegroups/status
   - cephobjectzones/status
   - cephbuckettopics/status
@@ -110,12 +124,13 @@

   resources:
   - cephclients/finalizers
   - cephclusters/finalizers
   - cephblockpools/finalizers
   - cephfilesystems/finalizers
   - cephnfses/finalizers
+  - cephnvmeofgateways/finalizers
   - cephobjectstores/finalizers
   - cephobjectstoreusers/finalizers
   - cephobjectrealms/finalizers
   - cephobjectzonegroups/finalizers
   - cephobjectzones/finalizers
   - cephbuckettopics/finalizers
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-cluster

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-cluster

@@ -3,22 +3,23 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-cluster
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   - nodes
-  - nodes/proxy
   - persistentvolumes
   verbs:
   - get
   - list
   - watch
 - apiGroups:
@@ -29,12 +30,20 @@

   - create
   - patch
   - list
   - get
   - watch
 - apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
   - storage.k8s.io
   resources:
   - storageclasses
   verbs:
   - get
   - list
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-system

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-system
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-object-bucket

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-object-bucket

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-object-bucket
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-osd

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-csi-nodeplugin

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-external-provisioner-runner

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-external-provisioner-runner

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-external-provisioner-runner
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
@@ -70,12 +78,20 @@

   verbs:
   - list
   - watch
   - create
   - update
   - patch
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
 - apiGroups:
   - storage.k8s.io
   resources:
   - volumeattachments
   verbs:
   - get
@@ -161,7 +177,13 @@

 - apiGroups:
   - ''
   resources:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-csi-nodeplugin

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-nodeplugin
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
@@ -52,7 +54,13 @@

 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-external-provisioner-runner

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-external-provisioner-runner

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-external-provisioner-runner
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
@@ -49,12 +57,20 @@

   - list
   - watch
   - create
   - update
   - patch
 - apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
   - storage.k8s.io
   resources:
   - volumeattachments
   verbs:
   - get
   - list
@@ -169,7 +185,37 @@

   resources:
   - nodes
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationcontents
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/objectstorage-provisioner-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/objectstorage-provisioner-role

@@ -44,7 +44,15 @@

   - events
   verbs:
   - get
   - delete
   - update
   - create
+- apiGroups:
+  - events.k8s.io
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-mgr-cluster

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-mgr-cluster

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-cluster
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-mgr-cluster
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-osd

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-system

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-system
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-global

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-global

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-global
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-object-bucket

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-object-bucket

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-object-bucket
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-object-bucket
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-nodeplugin

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-nodeplugin
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-plugin-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-provisioner-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-provisioner-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-provisioner-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-nodeplugin-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-nodeplugin-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-plugin-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-provisioner-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-provisioner-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-provisioner-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-osd

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-mgr

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - pods
   - services
@@ -31,15 +39,17 @@

   - delete
 - apiGroups:
   - ceph.rook.io
   resources:
   - cephclients
   - cephclusters
+  - cephclusters/finalizers
   - cephblockpools
   - cephfilesystems
   - cephnfses
+  - cephnvmeofgateways
   - cephobjectstores
   - cephobjectstoreusers
   - cephobjectrealms
   - cephobjectzonegroups
   - cephobjectzones
   - cephbuckettopics
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-cmd-reporter

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - pods
   - configmaps
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-purge-osd

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring-mgr

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-system

@@ -1,15 +1,17 @@

 ---
+kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/cephfs-external-provisioner-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/cephfs-external-provisioner-cfg

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-external-provisioner-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rbd-external-provisioner-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rbd-external-provisioner-cfg

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-external-provisioner-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cluster-mgmt

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cluster-mgmt

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cluster-mgmt
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-cluster-mgmt
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-osd

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-mgr
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr-system

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr-system

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-system
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-mgr-system
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cmd-reporter

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-cmd-reporter
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-purge-osd

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-purge-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-monitoring
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring-mgr

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-monitoring-mgr
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-system

@@ -4,12 +4,14 @@

 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/cephfs-csi-provisioner-role-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/cephfs-csi-provisioner-role-cfg

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-provisioner-role-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rbd-csi-provisioner-role-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rbd-csi-provisioner-role-cfg

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-provisioner-role-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

+++ HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

@@ -1,15 +1,17 @@

 ---
+kind: Deployment
 apiVersion: apps/v1
-kind: Deployment
 metadata:
   name: rook-ceph-operator
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 spec:
   replicas: 1
   selector:
@@ -26,13 +28,13 @@

       - effect: NoExecute
         key: node.kubernetes.io/unreachable
         operator: Exists
         tolerationSeconds: 5
       containers:
       - name: rook-ceph-operator
-        image: docker.io/rook/ceph:v1.16.6
+        image: docker.io/rook/ceph:v1.19.2
         imagePullPolicy: IfNotPresent
         args:
         - ceph
         - operator
         securityContext:
           capabilities:
@@ -46,12 +48,14 @@

           name: rook-config
         - mountPath: /etc/ceph
           name: default-config-dir
         env:
         - name: ROOK_CURRENT_NAMESPACE_ONLY
           value: 'false'
+        - name: ROOK_RECONCILE_CONCURRENT_CLUSTERS
+          value: '1'
         - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
           value: 'false'
         - name: ROOK_DISABLE_DEVICE_HOTPLUG
           value: 'false'
         - name: ROOK_DISCOVER_DEVICES_INTERVAL
           value: 60m
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceMonitor: rook-ceph/csi-metrics

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceMonitor: rook-ceph/csi-metrics

@@ -1,13 +1,17 @@

 ---
+kind: ServiceMonitor
 apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
 metadata:
   name: csi-metrics
   namespace: rook-ceph
   labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 spec:
   namespaceSelector:
     matchNames:
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-ctrlplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-nodeplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-controller-manager

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-controller-manager

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-ctrlplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-nodeplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-nfs-nodeplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-ctrlplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-nodeplugin-sa

@@ -0,0 +1,11 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-rbd-nodeplugin-sa
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-nvmeof

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-nvmeof

@@ -0,0 +1,15 @@

+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: rook-ceph-nvmeof
+  namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnection-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnection-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephconnection-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnections-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnections-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephconnections-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-ctrlplugin-cr

@@ -0,0 +1,210 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattributesclasses
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-nodeplugin-cr

@@ -0,0 +1,66 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofile-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofile-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofile-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofilemapping-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofilemapping-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofiles-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofiles-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofiles-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-driver-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-driver-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-manager-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-manager-role

@@ -0,0 +1,107 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-manager-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cbt.storage.k8s.io
+  resources:
+  - snapshotmetadataservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  - clientprofiles
+  - drivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/finalizers
+  - clientprofiles/finalizers
+  - drivers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  - clientprofiles/status
+  - drivers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-auth-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-auth-role

@@ -0,0 +1,23 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-metrics-auth-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-reader

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-reader

@@ -0,0 +1,15 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-metrics-reader
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-ctrlplugin-cr

@@ -0,0 +1,146 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattributesclasses
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-nodeplugin-cr

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-nfs-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-operatorconfig-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-operatorconfig-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-ctrlplugin-cr

@@ -0,0 +1,239 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationcontents
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - cbt.storage.k8s.io
+  resources:
+  - snapshotmetadataservices
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattributesclasses
+  verbs:
+  - get
+  - list
+  - watch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-nodeplugin-cr

@@ -0,0 +1,79 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-rbd-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-cephfs-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-cephfs-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-manager-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-manager-rolebinding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-manager-rolebinding
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-manager-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-metrics-auth-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-metrics-auth-rolebinding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-metrics-auth-rolebinding
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-nfs-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-nfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-nfs-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-nfs-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-nfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-rbd-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-rbd-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-rbd-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-ctrlplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-ctrlplugin-r

@@ -0,0 +1,53 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-r
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-nodeplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-nodeplugin-r

@@ -0,0 +1,42 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-r
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-leader-election-role

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-leader-election-role

@@ -0,0 +1,43 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-leader-election-role
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-ctrlplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-ctrlplugin-r

@@ -0,0 +1,53 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-r
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-nodeplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-nodeplugin-r

@@ -0,0 +1,42 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-rbd-nodeplugin-r
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-rb

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-rb
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-cephfs-ctrlplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-rb

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-rb
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-cephfs-nodeplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-leader-election-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-leader-election-rolebinding

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-leader-election-rolebinding
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-rb

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-rb
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-rbd-ctrlplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-rb

@@ -0,0 +1,19 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-rbd-nodeplugin-rb
+  namespace: rook-ceph
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-rbd-nodeplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/ceph-csi-controller-manager

+++ HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/ceph-csi-controller-manager

@@ -0,0 +1,76 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: ceph-csi-op-controller-manager
+      app.kubernetes.io/name: ceph-csi
+      app.kubernetes.io/instance: rook-ceph-operator
+  template:
+    metadata:
+      labels:
+        control-plane: ceph-csi-op-controller-manager
+        app.kubernetes.io/name: ceph-csi
+        app.kubernetes.io/instance: rook-ceph-operator
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        command:
+        - /manager
+        env:
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CSI_SERVICE_ACCOUNT_PREFIX
+          value: ceph-csi-
+        - name: WATCH_NAMESPACE
+          value: ''
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: quay.io/cephcsi/ceph-csi-operator:v0.5.0
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      imagePullSecrets: []
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: ceph-csi-controller-manager
+      terminationGracePeriodSeconds: 10
+

[flkr-23]

--- kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

+++ kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

@@ -13,13 +13,13 @@

     spec:
       chart: rook-ceph-cluster
       sourceRef:
         kind: HelmRepository
         name: rook-ceph
         namespace: flux-system
-      version: v1.16.6
+      version: v1.19.2
   dependsOn:
   - name: rook-ceph-operator
     namespace: rook-ceph
   - name: snapshot-controller
     namespace: storage
   install:
--- kubernetes/apps/rook-ceph/rook-ceph/app Kustomization: rook-ceph/rook-ceph HelmRelease: rook-ceph/rook-ceph-operator

+++ kubernetes/apps/rook-ceph/rook-ceph/app Kustomization: rook-ceph/rook-ceph HelmRelease: rook-ceph/rook-ceph-operator

@@ -13,13 +13,13 @@

     spec:
       chart: rook-ceph
       sourceRef:
         kind: HelmRepository
         name: rook-ceph
         namespace: flux-system
-      version: v1.16.6
+      version: v1.19.2
   dependsOn:
   - name: snapshot-controller
     namespace: storage
   install:
     remediation:
       retries: 3