feat(helm)!: Allows for the CSI Provisioner Deployment and CSI Node Driver DaemonSet to be configured independently (#334)

* chore: Add docs to run modes

* chore(helm)!: Rename resources, labels, and containers

Note: This tries to align as well as possible to the rather scattered and vague CSI terminology.

The charts should be uninstalled and reinstalled to ensure no orphaned and conflicting resources remain.

This could impact monitoring setups that depend on the old resource names, labels, and container names.

* chore(helm)!: Use with to set context for the Deployment/DaemonSet.

BREAKING: Helm values that were under `csiNodeDriverRegistrar` are now under `csiNodeDriver`.
The reason being is that the "registrar" is only one of the containers in the DaemonSet for the Node Driver.

* chore(helm): Rename csi-provisioner deployment filename

* chore(helm)!: Separate configs for the Provisioner Deployment

* chore(helm)!: Separate configs for the NodeDriver DaemonSet

* chore(helm): Show example for overriding the operator image tag

* chore(helm): Remove "with" directive because Deployment/DaemonSet containers are not optional

NOTE: These were incorrectly introduced in 463592a while trying to hash out the structure of the values.

* feat(helm): Allow Pod priority, priorityClassName, and preemptionPolicy to be configured

* chore: Update changelog

* chore: Disable yamllint for comments-indentation

This would be rolled out by stackabletech/operator-templating#551

* fix(helm): Remove unconfigurable Pod fields

These were introduced in 010207b. Only priorityClassName is valid.

* chore: Update changelog

* fix(helm): Rename nodeRegistrar to nodeDriverRegistrar for consistency

* Apply suggestions from code review

Co-authored-by: Techassi <[email protected]>

---------

Co-authored-by: Techassi <[email protected]>

Author: NickLarsenNZ

CHANGELOG.md

@@ -4,6 +4,25 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Added
+
+- New helm values for `csiProvisioner.priorityClassName` and `csiNodeDriver.priorityClassName` ([#334]).
+
+### Changed
+
+- BREAKING: Split helm values for independent configuration ([#334]).
+  - `controller` values have been moved to `csiProvisioner.controllerService`.
+  - `csiProvisioner` values have been moved to `csiProvisioner.externalProvisioner`
+  - `csiNodeDriverRegistrar` values have been moved to `csiNodeDriver.nodeRegistrar`.
+  - `node.driver` values have been moved to `csiNodeDriver.nodeService`.
+  - `podAnnotations` has been split into `csiProvisioner.podAnnotations` and `csiNodeDriver.podAnnotations`.
+  - `podSecurityContext` has been split into `csiProvisioner.podSecurityContext` and `csiNodeDriver.podSecurityContext`.
+  - `nodeSelector` has been split into `csiProvisioner.nodeSelector` and `csiNodeDriver.nodeSelector`.
+  - `tolerations` has been split into `csiProvisioner.tolerations` and `csiNodeDriver.tolerations`.
+  - `affinity` has been split into `csiProvisioner.affinity` and `csiNodeDriver.affinity`.
+
+[#334]: https://github.com/stackabletech/listener-operator/pull/334
+
 ## [25.7.0] - 2025-07-23
 
 ## [25.7.0-rc1] - 2025-07-18

deploy/helm/listener-operator/templates/node-daemonset.yaml renamed to deploy/helm/listener-operator/templates/csi-node-driver-daemonset.yaml

@@ -2,22 +2,22 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ include "operator.fullname" . }}-node-daemonset
+  name: {{ include "operator.fullname" . }}-csi-node-driver
   labels:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/role: node
+      app.kubernetes.io/role: node-driver
       {{- include "operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
-      {{- with .Values.podAnnotations }}
+      {{- with .Values.csiNodeDriver.podAnnotations }}
       annotations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        app.kubernetes.io/role: node
+        app.kubernetes.io/role: node-driver
         {{- include "operator.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.image.pullSecrets }}
@@ -26,15 +26,15 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "operator.fullname" . }}-serviceaccount
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.csiNodeDriver.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ include "operator.appname" . }}
+        - name: csi-node-service
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.csiNodeDriver.nodeService.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
-            {{ .Values.node.driver.resources | toYaml | nindent 12 }}
+            {{ .Values.csiNodeDriver.nodeService.resources | toYaml | nindent 12 }}
           args:
             - run
             - node
@@ -85,10 +85,10 @@ spec:
             - name: mountpoint
               mountPath: {{ .Values.kubeletDir }}/pods
         - name: node-driver-registrar
-          image: "{{ .Values.csiNodeDriverRegistrar.image.repository }}:{{ .Values.csiNodeDriverRegistrar.image.tag }}"
-          imagePullPolicy: {{ .Values.csiNodeDriverRegistrar.image.pullPolicy }}
+          image: "{{ .Values.csiNodeDriver.nodeDriverRegistrar.image.repository }}:{{ .Values.csiNodeDriver.nodeDriverRegistrar.image.tag }}"
+          imagePullPolicy: {{ .Values.csiNodeDriver.nodeDriverRegistrar.image.pullPolicy }}
           resources:
-            {{ .Values.csiNodeDriverRegistrar.resources | toYaml | nindent 12 }}
+            {{ .Values.csiNodeDriver.nodeDriverRegistrar.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
             - --kubelet-registration-path={{ .Values.kubeletDir }}/plugins/listeners.stackable.tech/csi.sock
@@ -109,15 +109,18 @@ spec:
         - name: mountpoint
           hostPath:
             path: {{ .Values.kubeletDir }}/pods/
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.csiNodeDriver.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with .Values.csiNodeDriver.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.csiNodeDriver.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.csiNodeDriver.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}

deploy/helm/listener-operator/templates/controller-deployment.yaml renamed to deploy/helm/listener-operator/templates/csi-provisioner-deployment.yaml

@@ -2,23 +2,23 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "operator.fullname" . }}-deployment
+  name: {{ include "operator.fullname" . }}-csi-provisioner
   labels:
     {{- include "operator.labels" . | nindent 4 }}
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/role: controller
+      app.kubernetes.io/role: provisioner
       {{- include "operator.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
         internal.stackable.tech/image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
-        {{- with .Values.podAnnotations }}
+        {{- with .Values.csiProvisioner.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
       labels:
-        app.kubernetes.io/role: controller
+        app.kubernetes.io/role: provisioner
         {{- include "operator.selectorLabels" . | nindent 8 }}
     spec:
       {{- with .Values.imagePullSecrets }}
@@ -27,15 +27,15 @@ spec:
       {{- end }}
       serviceAccountName: {{ include "operator.fullname" . }}-serviceaccount
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.csiProvisioner.podSecurityContext | nindent 8 }}
       containers:
-        - name: {{ include "operator.appname" . }}
+        - name: csi-controller-service
           securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
+            {{- toYaml .Values.csiProvisioner.controllerService.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
-            {{ .Values.controller.resources | toYaml | nindent 12 }}
+            {{- .Values.csiProvisioner.controllerService.resources | toYaml | nindent 12 }}
           args:
             - run
             - controller
@@ -84,10 +84,10 @@ spec:
             - name: csi
               mountPath: /csi
         - name: external-provisioner
-          image: "{{ .Values.csiProvisioner.image.repository }}:{{ .Values.csiProvisioner.image.tag }}"
-          imagePullPolicy: {{ .Values.csiProvisioner.image.pullPolicy }}
+          image: "{{ .Values.csiProvisioner.externalProvisioner.image.repository }}:{{ .Values.csiProvisioner.externalProvisioner.image.tag }}"
+          imagePullPolicy: {{ .Values.csiProvisioner.externalProvisioner.image.pullPolicy }}
           resources:
-            {{ .Values.csiProvisioner.resources | toYaml | nindent 12 }}
+            {{ .Values.csiProvisioner.externalProvisioner.resources | toYaml | nindent 12 }}
           args:
             - --csi-address=/csi/csi.sock
             - --feature-gates=Topology=true
@@ -98,15 +98,18 @@ spec:
       volumes:
         - name: csi
           emptyDir: {}
-      {{- with .Values.nodeSelector }}
+      {{- with .Values.csiProvisioner.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.affinity }}
+      {{- with .Values.csiProvisioner.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.tolerations }}
+      {{- with .Values.csiProvisioner.tolerations }}
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.csiProvisioner.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}

deploy/helm/listener-operator/values.yaml

@@ -1,34 +1,117 @@
 # Default values for listener-operator.
 ---
+# Used by both the Controller Service and Node Service containers
 image:
   repository: oci.stackable.tech/sdp/listener-operator
+  # tag: 0.0.0-dev
   pullPolicy: IfNotPresent
   pullSecrets: []
 
 csiProvisioner:
-  image:
-    repository: oci.stackable.tech/sdp/sig-storage/csi-provisioner
-    tag: v5.2.0
-    pullPolicy: IfNotPresent
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 100m
-      memory: 128Mi
-csiNodeDriverRegistrar:
-  image:
-    repository: oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar
-    tag: v2.13.0
-    pullPolicy: IfNotPresent
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 100m
-      memory: 128Mi
+  podAnnotations: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  # priority: ...
+  # priorityClassName: ...
+  # preemptionPolicy: ...
+
+  controllerService:
+    resources:
+      # Resource requests and limits for the controller pod
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+
+    securityContext:
+      # listener-operator requires root permissions
+      runAsUser: 0
+      seLinuxOptions:
+        # Run as "Super Privileged Container" to be allowed to write into
+        # the Listener volumes
+        type: spc_t
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+
+  externalProvisioner:
+    image:
+      repository: oci.stackable.tech/sdp/sig-storage/csi-provisioner
+      tag: v5.2.0
+      pullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+
+csiNodeDriver:
+  podAnnotations: {}
+
+  podSecurityContext: {}
+    # fsGroup: 2000
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  affinity: {}
+
+  # priority: ...
+  # priorityClassName: ...
+  # preemptionPolicy: ...
+
+  nodeService:
+    resources:
+      # Resource requests and limits for the controller pod
+      limits:
+        cpu: 100m
+        memory: 128Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+
+    securityContext:
+      # listener-operator requires root permissions
+      runAsUser: 0
+      seLinuxOptions:
+        # Run as "Super Privileged Container" to be allowed to write into
+        # the Listener volumes
+        type: spc_t
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+
+  nodeDriverRegistrar:
+    image:
+      repository: oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar
+      tag: v2.13.0
+      pullPolicy: IfNotPresent
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
 
 nameOverride: ""
 fullnameOverride: ""
@@ -42,56 +125,10 @@ serviceAccount:
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
-podAnnotations: {}
-
 # Provide additional labels which get attached to all deployed resources
 labels:
   stackable.tech/vendor: Stackable
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext:
-  # listener-operator requires root permissions
-  runAsUser: 0
-  seLinuxOptions:
-    # Run as "Super Privileged Container" to be allowed to write into
-    # the Listener volumes
-    type: spc_t
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
-controller:
-  resources:
-    # Resource requests and limits for the controller pod
-    limits:
-      cpu: 100m
-      memory: 128Mi
-    requests:
-      cpu: 100m
-      memory: 128Mi
-
-node:
-  driver:
-    resources:
-      # Resource requests and limits for the per node driver container
-      limits:
-        cpu: 100m
-        memory: 128Mi
-      requests:
-        cpu: 100m
-        memory: 128Mi
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
 # When running on a non-default Kubernetes cluster domain, the cluster domain can be configured here.
 # See the https://docs.stackable.tech/home/stable/guides/kubernetes-cluster-domain guide for details.
 # kubernetesClusterDomain: my-cluster.local
@@ -100,7 +137,7 @@ affinity: {}
 kubeletDir: /var/lib/kubelet
 
 # Options: none, stable-nodes, ephemeral-nodes
-# none: No ListenerClasses are preinstalled, the administrator must supply them themself
+# none: No ListenerClasses are preinstalled, administrators must supply them themselves
 # stable-nodes: ListenerClasses are preinstalled that are suitable for on-prem/"pet" environments, assuming long-running Nodes but not requiring a LoadBalancer controller
 # ephemeral-nodes: ListenerClasses are preinstalled that are suitable for cloud/"cattle" environments with short-lived nodes, however this requires a LoadBalancer controller to be installed
 preset: stable-nodes