apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-snapshotter-sa
  namespace: synology-csi

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: synology-csi-snapshotter-role
rules:
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["list", "watch", "create", "update", "patch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents"]
    verbs: ["create", "get", "list", "watch", "update", "delete"]
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshotcontents/status"]
    verbs: ["update"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: synology-csi-snapshotter-role
  namespace: synology-csi
subjects:
  - kind: ServiceAccount
    name: csi-snapshotter-sa
    namespace: synology-csi
roleRef:
  kind: ClusterRole
  name: synology-csi-snapshotter-role
  apiGroup: rbac.authorization.k8s.io

---
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: synology-csi-snapshotter
  namespace: synology-csi
spec:
  serviceName: "synology-csi-snapshotter"
  replicas: 1
  selector:
    matchLabels:
      app: synology-csi-snapshotter
  template:
    metadata:
      labels:
        app: synology-csi-snapshotter
    spec:
      serviceAccountName: csi-snapshotter-sa
      hostNetwork: true
      containers:
        - name: csi-snapshotter
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          image: k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3
          args:
            - --v=5
            - --csi-address=$(ADDRESS)
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: Always
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-plugin
          securityContext:
            privileged: true
            capabilities:
              add: ["SYS_ADMIN"]
            allowPrivilegeEscalation: true
          image: synology/synology-csi:v1.0.1
          args:
            - --nodeid=NotUsed
            - --endpoint=$(CSI_ENDPOINT)
            - --client-info
            - /etc/synology/client-info.yml
            - --log-level=info
          env:
            - name: CSI_ENDPOINT
              value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
            - name: client-info
              mountPath: /etc/synology
              readOnly: true
      volumes:
        - name: socket-dir
          emptyDir: {}
        - name: client-info
          secret:
            secretName: client-info-secret