feat(helm): update rook-ceph to v1.19.0

[homebot-0]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
rook-ceph	minor	v1.15.9 → v1.19.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

⚠️ Critical Infrastructure: This update affects core cluster components. Review changelog carefully.

💾 Storage: Monitor OSD health and PG states after update. Consider maintenance window.

🐄 Talos CATTLE: Major/minor version requires manual approval. Full VM rebuild via Terraform.

---

Release Notes

rook/rook (rook-ceph)

v1.19.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• The supported Kubernetes versions are v1.30 - v1.35
• The minimum supported Ceph version is v19.2.0. Rook v1.18 clusters running Ceph v18 must upgrade
  to Ceph v19.2.0 or higher before upgrading Rook.
• The behavior of the activeStandby property in the CephFilesystem CRD has changed. When set to false, the standby MDS daemon deployment will be scaled down and removed, rather than only disabling the standby cache while the daemon remains running.
• Helm: The rook-ceph-cluster chart has changed where the Ceph image is defined, to allow separate settings for the repository and tag. For more details, see the Rook upgrade guide.
• In external mode, when users provide a Ceph admin keyring to Rook, Rook will no longer create CSI Ceph clients automatically. This approach will provide more consistency to configure external mode clusters via the same external Python script.

Features

• Experimental: NVMe over Fabrics (NVMe-oF) allows RBD volumes to be exposed and accessed via the NVMe/TCP protocol. This enables both Kubernetes pods within the cluster and external clients outside the cluster to connect to Ceph block storage using standard NVMe-oF initiators, providing high-performance block storage access over the network. See the NVMe-oF Configuration Guide to get started.
• CephCSI v3.16 Integration:
  • NVMe-oF CSI driver for provisioning and mounting volumes over the NVMe over Fabrics protocol
  • Improved fencing for RBD and CephFS volumes during node failure
  • Block volume usage statistics
  • Configurable block encryption cipher
• Experimental: Allow concurrent reconciles of the CephCluster CR when there multiple clusters being managed by the same Rook operator. Concurrency is enabled by increasing the operator setting ROOK_RECONCILE_CONCURRENT_CLUSTERS to a value greater than 1.
• Improved logging with namespaced names for the controllers for more consistency in troubleshooting the rook operator log.

v1.18.9

Compare Source

Improvements

Rook v1.18.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• csi: Disable read affinity for ceph v20.2.0 to avoid corruption (#​16895, @​travisn)
• core: Allow skipping cephcluster reconcile via do-not-reconcile label (#​16874, @​OdedViner)
• helm: Merge rook-config-override ConfigMap into toolbox ceph.conf (#​16862, @​mheler)
• helm: Add cephclusters/finalizers permission for mgr sidecar (#​16854, @​grandeit)
• csi: Add fix to support multiple fs mount option (#​16837, @​subhamkrai)
• operator: Watch cephConfigFromSecret changes (#​16786, @​cyanidium)
• rgw: Support all S3 notification events in CRD validation (#​16804, @​arttor)
• docs: Add pool parameter for erasure code optimizations (#​16789, @​travisn)

v1.18.8

Compare Source

Improvements

Rook v1.18.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• core: Add support for ceph tentacle (#​16501, @​subhamkrai)
• helm: Include exporter options in CephCluster (#​16745, @​michaeltchapman)
• toolbox: Merge rook-config-override ConfigMap into ceph.conf (#​16731, @​mheler)
• csi: ControllerPlugin/NodePlugin resource settings were reversed (#​16735, @​swills)
• osd: Allow snaptrimp and snaptrip_wait PGs by the PDBs during node drains (#​16713, @​sp98)
• helm: Fix default pathType for HTTPRoute in the rook-ceph-cluster chart (#​16724, @​fancl20)
• pool: Retry if pool status is empty in the rados namespace controller (#​16705, @​parth-gr)
• namespace: Add retryOnConflict when updating status (#​16661, @​subhamkrai)

v1.18.7

Compare Source

Improvements

Rook v1.18.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• pool: Retry pool status updates in the radosnamespace controller (#​16700, @​parth-gr)
• osd: Add device class label to the osd prepare pods (#​16675, @​parth-gr)
• external: Fix quote parsing and message in import-external-cluster.sh (#​16646, @​GanghyeonSeo)
• object: Fix user quotas being overwritten when obc bucketOwner is set (#​16672, @​jhoblitt)
• docs: Example of application migration between clusters (#​16659, @​travisn)
• mgr: Add hostNetwork field to Ceph Mgr spec (#​16617, @​Sunnatillo)
• osd: Add CephCluster OSDMaxUpdatesInParallel to tune OSD updates (#​16655, @​jhoblitt)

v1.18.6

Compare Source

Improvements

Rook v1.18.6 is a patch release with changes only in the rook-ceph helm chart. If not affected by #​16636 in v1.18.5, no need to update to this release.

• helm: Remove duplicate YAML map entries (#​16637, @​hxtmdev)
• ci: Check for duplicates in the helm linter (#​16640, @​hxtmdev)

v1.18.5

Compare Source

Improvements

Rook v1.18.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• mon: Wait for the canary pods to be terminated before starting mon daemons (#​16619, @​sp98)
• mon: Trap the sigterm to respond quickly to the mon canary pod deletion (#​16629, @​travisn)
• osd: Set osd resources for specific device class (#​16614, @​travisn)
• mgr: Add required k8s label for endpointSlice (#​16618, @​subhamkrai)
• pool: Skip setting the target size ratio to 0 by default (#​16609, @​travisn)
• core: Fix ceph health check up status check (#​16595, @​parth-gr)
• osd: Allow OSD init keyring update to be best-effort instead of fail osd start (#​16603, @​BlaineEXE)
• osd: Add a timeout for osd create and update process (#​16594, @​parth-gr)
• core: Add missing labels to RBAC resources to prevent ArgoCD drift (#​16507, @​fullstackjam)
• mon: Update the clusterinfo with v2 port (#​16540, @​parth-gr)
• file: Allow overriding MDS cache memory limit. (#​16556, @​timbuchwaldt)
• osd: More detailed logging to check node topology conflicts (#​16573, @​OdedViner)

v1.18.4

Compare Source

Improvements

Rook v1.18.4 is a patch release with changes only in the rook-ceph-cluster helm chart. If not affected by #​16567 in v1.18.3, no need to update to this release.

• helm: Revert ceph image tag change (#​16567, @​travisn)

v1.18.3

Compare Source

Improvements

Rook v1.18.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Allow specifying the image tag and repository separately (#​16512, @​travisn)
• csi: Allow overriding volume settings in csi operator for nixos (#​16395, @​travisn)
• osd: Exclude down OSDs from main PDB when cluster is clean (#​16112, @​elias-dbx)
• build: Add csi operator image to images.txt (#​16563, @​travisn)
• csi: Update csi-operator version to v0.4.1 (#​16560, @​Madhu-1)
• rbdmirror: Fix mirroring monitoring settings for rados namespaces (#​16520, @​parth-gr)
• namespace: Blocklist ip:nonce in cleanup job (#​16532, @​Madhu-1)
• osd: Clean encrypted disks from other clusters (#​16488, @​sp98)
• csi: Avoid port conflict by removing liveness probe from the csi-operator (#​16516, @​Madhu-1)
• csi: Add labels to the csi-operator driver pod (#​16514, @​subhamkrai)
• helm: Refactoring to modernize templates (#​16494, @​consideRatio)
• osd: Updated blocking pdbs when drained node comes back online (#​16506, @​sp98)
• core: Use latest operator context to avoid reference to canceled context (#​16493, @​sp98)
• ci: Update latest k8s version to v1.34 (#​16418, @​obnoxxx)
• external: Fix ipv6 monitoring endpoint reconcile (#​16468, @​parth-gr)
• pool: Allow enableCrushUpdates to be nil (#​16478, @​travisn)
• mon: Fix mon health nil pointer exception with mons on PVC (#​16484, @​sp98)
• helm: Refactoring of rook-ceph's configmap to be easier to read and maintain (#​16457, @​consideRatio)
• nfs: Rotate nfs cephx key (#​16456, @​subhamkrai)
• external: Fixing rbd provisioner secret in import-external-cluster script (#​16474, @​rubentsirunyan)
• core: Add CRD Phase column to cephor, cephnfs, cephbn (#​16541 #​16542 #​16543, @​jhoblitt)
• object: Add status.{phase,observedGeneration} to cephbn (#​16499, @​jhoblitt)
• core: fix ObjectZoneSpec.ZoneGroup and ObjectZoneGroupSpec.Realm field descriptions (#​16496, @​jhoblitt)

v1.18.2

Compare Source

Improvements

Rook v1.18.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Upgrade requires either deletion of storage classes or removal of new storage class properties, see the Upgrade Guide (#​16454, @​parth-gr)
• csi: Set host networking on the csi controller pod if host networking is enforced (#​16462, @​travisn)
• csi: Fix cephx key deletion logic (#​16452, @​BlaineEXE)
• csi: Add multus network annotation to csi-operator (#​16448, @​subhamkrai)
• external: Fix secret values in import-external-cluster script (#​16433, @​rubentsirunyan)
• osd: Remove the osd bootstrap keyring that is not needed after creation (#​16421, @​parth-gr)
• core: Delete bootstrap keys not necessary for ceph daemons (#​16372, @​sp98)
• core: Allow rotation of the client.admin cephx key (#​16271, @​BlaineEXE)
• osd: Rotate lockbox keys for encrypted OSDs (#​16409, @​sp98)

v1.18.1

Compare Source

Improvements

Rook v1.18.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• csi: Set the cephfs kernel mount options when network encryption is enabled (#​16399, @​travisn)
• csi: Generate default crush topology labels for the csi operator settings (#​16376, @​travisn)
• csi: Create csi operator resources when operator settings configmap is updated (#​16382, @​subhamkrai)
• csi: Delete csi operator CR's when disabled (#​16381, @​subhamkrai)
• csi: Set csi operator as default if no settings found (#​16405, @​travisn)
• csi: Fix wrong use of daemon config for cephx status (#​16396, @​BlaineEXE)
• helm: Recreate storage classes with helm upgrades to add keep policy and new properties (#​16373, @​parth-gr)
• ci: Always initialize CSI driver names (#​16393, @​travisn)

v1.18.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• Kubernetes v1.29 is now the minimum version supported by Rook through the soon-to-be K8s release v1.34.
• Helm versions 3.13 and newer are supported. Previously, only the latest version of helm was tested and the docs stated only version 3.x of helm as a prerequisite. Now rook supports the six most recent minor versions of helm along with their their patch updates.
• Rook now validates node topology during CephCluster creation to prevent misconfigured CRUSH hierarchies for OSDs. If child labels like topology.rook.io/rack are duplicated across zones, cluster creation will fail. The check applies only to new clusters without OSDs. Clusters with existing OSDs will only log a warning and continue. If the checks are invalid in your topology, they can be suppressed by setting ROOK_SKIP_OSD_TOPOLOGY_CHECK=true in the rook-ceph-operator-config configmap.

Features

• The Ceph CSI operator is now the default and recommended component for configuring CSI drivers for RBD, CephFS, and NFS volumes. The CSI operator has been factored out of Rook to run independently to manage the Ceph-CSI driver. 
  • During the upgrade and throughout the v1.18.x releases, Rook will automatically convert any Rook CSI settings to the new CSI operator CRs. This transition is expected to be completely transparent. In the future v1.19 release, Rook will relinquish direct control of these settings so advanced users can have more flexibility when configuring the CSI drivers. At that time, we will have a guide on configuring these new Ceph CSI operator CRs directly.
  • During install, as mentioned in the Quickstart Guide, there is a new manifest to be created: csi-operator.yaml
  • If installing with the helm chart, the Ceph CSI operator will automatically be installed by default with the new helm setting csi.rookUseCsiOperator in the rook-ceph chart.
  • If a blocking issue is found, the previous CSI driver can be re-enabled by setting ROOK_USE_CSI_OPERATOR: false in operator.yaml or by applying the helm setting csi.rookUseCsiOperator: false.
• Ceph CSI v3.15 has a range of features and improvements for the RBD, CephFS, and NFS drivers. This release is supported both by the Ceph CSI operator and Rook's direct mode of configuration. Starting in the next release (at the end of the year), the Ceph CSI operator will be required to configure the CSI driver.
• CephX key rotation is now available as an experimental feature for the CephX authentication keys used by Ceph daemons and clients. Users will begin to see new cephx status items on some Rook resources in newly-deployed Rook clusters. Users can also find spec.security.cephx settings that allow initiating CephX key rotation for various Ceph components. Full documentation for key rotation can be found here.
  • Ceph version v19.2.3+ is required for key rotation.
  • The Ceph admin and mon keys cannot yet be rotated. Implementation is still in progress while in experimental mode.
• Add support for specifying the clusterID in the CephBlockPoolRadosNamespace and the CephFilesystemSubVolumeGroup CR.
• When a mon is being failed over, if the assigned node no longer exists, the mon is failed over immediately instead of waiting for a
  20 minute timeout.
• Support for Ceph Tentacle v20 will be available as soon as it is released.

v1.17.9

Compare Source

Improvements

Rook v1.17.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• pool: Retry pool status updates in the radosnamespace controller (#​16700, @​parth-gr)
• object: Fix user quotas being overwritten when OBC bucketOwner is set (#​16672, @​jhoblitt)
• mon: Wait for the canary pods to be terminated (#​16619, @​sp98)
• mon: Respond quickly to the mon canary pod deletion (#​16629, @​travisn)
• namespace: Blocklist ip:nonce in cleanup job (#​16532, @​Madhu-1)
• core: Fix typos in ObjectZoneSpec.ZoneGroup and ObjectZoneGroupSpec.Realm field descriptions (#​16496, @​jhoblitt)

v1.17.8

Compare Source

Improvements

Rook v1.17.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• helm: Enable host network for OpenShift if needed (#​16343, @​travisn)
• pool: Allow CephBlockPool CR removal when underlying Ceph pool is already removed (#​16329, @​degorenko)
• core: Set erasure-code-profile plugin based on pool algorithm (#​16104, @​BenoitKnecht)
• csi: Add CrossNamespaceVolumeDataSource feature gate (#​16244, @​CL0Pinette)
• object: Mark realm as default to avoid zone creation (#​16069, @​OdedViner)
• object: Simplify CephObjectStoreUser deletion logic (#​16052, @​jhoblitt)
• object: Fix bucket policy in sync detection (#​16220, @​jhoblitt)
• cleanup: Mount udev to cleanup job and disable udev sync (#​16293, @​degorenko)
• cleanup: Improve cleanup of /var/lib/rook during cluster teardown (#​16201, @​OdedViner)
• cleanup: Cleanup csi folders from /var/lib/rook during uninstall (#​16260, @​OdedViner)

v1.17.7

Compare Source

Improvements

Rook v1.17.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

Important: There is a known issue in Ceph v19.2.3 where object store bucket lifecycle deletion does not take effect. See #​16188 for more details.

• core: Update ceph version to v19.2.3 (#​16186, @​travisn)
• csi: Update ceph-csi to 3.14.2 (#​16157, @​Madhu-1)
• osd: Exclude labels with a value of null from the topology string (#​16109, @​hit1943)
• rgw: Increase timeout for admin user creation (#​16203, @​travisn)
• core: Log panics that were previously hidden during controller reconcile (#​16150, @​OdedViner)
• mds: Use bash for executing liveness probe script (#​16146, @​xose)
• helm: Correct example discover daemon resources (#​16123, @​swills)
• helm Update SecurityContextConstraints for rook-ceph helm chart (#​16153, @​masonwb)
• multus: Support copy file to cmd-proxy container for rgw zone set (#​16133, @​arttor)
• mds: Fix nil pointer panic when startupProbe is set in cephfilesystem (#​16144, @​OdedViner)
• core: Update go modules to latest except for go 1.24 (#​16140, @​travisn)
• helm: Add HTTPRoute for dashboard and objectstore (#​16135, @​synthe102)
• osd: Treat non existing OSD nodes as drained (#​16087, @​elias-dbx)
• test: Add pathType with ingress dashboard host (#​16129, @​subhamkrai)
• docs: Document how a storage class can consume a SubVolumeGroup (#​16079, @​raaizik)

v1.17.6

Compare Source

Improvements

Rook v1.17.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• mon: Failover with host network must use different node (#​16056, @​travisn)
• osd: Wipe new Ceph metadata in cleanup job disk shredding (#​15666, @​puskunalis)
• operator: Add missing udev env to discover pod (#​16105, @​subhamkrai)
• mon: Allow running mon pods as root (#​15846, @​patrostkowski)
• core: CephObjectRealm controller generated generated AccessKey invalid chars (#​16078, @​raaizik)
• csi: Provide a flag to skip csi user creation (#​16061, @​Madhu-1)
• ceph: Provide an option to specify the secretName in the cephClient CR (#​16059, @​Madhu-1)
• csi: Update csi version to 3.14.1 (#​16050, @​Madhu-1)
• exporter: Add Hostnetwork bool to ceph-exporter (#​16025, @​adilGhaffarDev)
• object: Allow deletion of CephObjectStoreUser even if secret is missing (#​16038, @​OdedViner)
• helm: Merge helm indexes instead of recreating for every release (#​16041, @​obnoxxx)

v1.17.5

Compare Source

Improvements

Rook v1.17.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• build: merge helm indexes instead of recreating for every release (#​16033, @​obnoxxx)
• rbd: Blocklist rados namespace image watchers during removal (#​16009, @​sp98)
• namespace: Report empty condition for rados namespace (#​16013, @​travisn)
• osd: Update the table of allowed configurations (#​16005, @​satoru-takeuchi)
• pool: Support targetSizeRatio=0 and default compressionMode (#​15951, @​OdedViner)
• core: Correct rados namespace log message (#​15996, @​OdedViner)
• rbdmirror: Fix the nil point error check during status updates (#​15989, @​parth-gr)
• helm: Use nested if clauses in prometheusrule template (#​15979, @​hedgieinsocks)
• helm: allow prometheusrule edits (#​15928, @​hedgieinsocks)
• ci: Use latest helm version v3.18 for helm builds (#​15952, @​obnoxxx)
• osd: Allow wiping encrypted osd disk from another cluster (#​15972, @​sp98)
• osd: Clean osd disks before reinstalling cluster (#​15796, @​sp98)
• csi: Replace hardcoded imagePullPolicy with dynamic Go template (#​15962, @​praveen21b)

v1.17.4

Compare Source

Improvements

Rook v1.17.4 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• nfs: Remove duplicate short NFS CRD name (#​15926, @​parth-gr)
• core: ensure consistent LeastUptodateDaemonVersion (#​15931, @​BlaineEXE)
• nfs: Use tabs instead of spaces in nfs rgw config (#​15934, @​parth-gr)
• helm: Add custom labels for toolbox deployment in rook-ceph-cluster chart (#​15914, @​jurim76)
• osd: Debug log for long image names in label (#​15887, @​travisn)

v1.17.3

Compare Source

Improvements

Rook v1.17.3 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• core: Add short names to rook CRDs (#​15888, @​patrostkowski)
• csi: Update Kubernetes CSI sidecar images to current versions (#​15878, @​nixpanic)
• mgr: Continue cluster reconcile even if prometheus not installed causing service monitor to fail creation (#​15862, @​travisn)
• core: Allow deletion of subvolumegroups or rados namespaces if another CR references the same resource (#​15853, @​subhamkrai)
• helm: quote object store ingress host (#​15908, @​synthe102)
• osd: Don't set dmcrypt environment variable in prepare pod job spec (#​15907, @​subhamkrai)
• nfs: Fix the skip reconcile for nfs daemons (#​15909, @​parth-gr)
• nfs: Skip NFS daemon reconciliation when labeled with skip-reconcile (#​15889, @​patrostkowski)
• core: Improve reporting for reconcile requeue cases (#​15884, @​OdedViner)
• csi: Enable CSI metadata injection setting by default (#​15867, @​OdedViner)
• core: Fix golangci-lint check ST1005 (#​15875, @​cbarria)
• osd: During PVC resize wait for a short time to restart OSDs (#​15824, @​parth-gr)
• rbdmirror: Update mirroring status on pools and rados namespaces for latest ceph changes (#​15858, @​parth-gr)
• crd: Allow network provider to be set to blank (#​15842, @​yifeng-cerebras)

v1.17.2

Compare Source

Improvements

Rook v1.17.2 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• block: Add more deletion conditions to blockpool and radosnamespace status (#​15817, @​travisn)
• object: fix uppercase serialization of fields in KafkaEndpointSpec (#​15815, @​jhoblitt)
• cephfs: Update ceph-csi CephFS caps to include executable permission (#​15793, @​flx5)
• object: Change CephObjectStore "foo" found log level to debug (#​15829, @​jhoblitt)
• rgw: Use pod name in ops log filename (#​15605, @​arttor)
• exporter: Add name to containerPort (#​15801, @​jrcichra)
• rbdmirror: Log message clarification with namespace (#​15798, @​subhamkrai)
• osd: Fix osd disk cleanup for mpath setups (#​15761, @​sp98)
• ci: Add test support for latest K8s version 1.33 (#​15795, @​subhamkrai)

v1.17.1

Compare Source

Improvements

Rook v1.17.1 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• cluster: Specify sensitive ceph config in the CephCluster CR via secrets (#​15696, @​patrostkowski)
• object: Lower retry log verbosity in notification OBC controller (#​15764, @​BlaineEXE)
• object: Log all reconcile errors during object store creation (#​15747, @​travisn)
• docs: Update Prometheus Operator to v0.82.0 (#​15750, @​OdedViner)
• build: Set correct helm version tag for the release (#​15748, @​travisn)
• build: Stop publishing release artifacts for non-released builds (#​15742, @​travisn)

v1.17.0

Compare Source

Upgrade Guide

To upgrade from previous versions of Rook, see the Rook upgrade guide.

Breaking Changes

• Kubernetes v1.28 is now the minimum version supported by Rook through the soon-to-be K8s release v1.33.
• Several ObjectBucketClaim options were added previously in Rook v1.16 that allowed more control over buckets. These controls allow users to self-serve their own S3 policies. Administrators may consider this flexibility a risk, depending on their environment. Rook now disables these options by default to ensure the safest off-the-shelf configurations. To enable the full range of OBC configurations, the new setting ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS must be set to enable users to set all of these options. For more details, see the OBC additionalConfig documentation.
• First-class credential management added to CephObjectStoreUser resources, allowing multiple credentials and declarative credential rotation. For more details, see Managing User S3 Credentials. As a result, existing S3 users provisioned via CephObjectStoreUser resources no longer allow multiple credentials to exist on underlying S3 users, unless explicitly managed by Rook. Rook will purge all but one of the undeclared credentials. This could be a user observable regression for administrators who manually edited/rotated S3 user credentials for CephObjectStoreUsers, and affected users can make use of the new credential management feature as an alternative.
• Kafka notifications configured via CephBucketTopic resources will now default to setting the Kafka authentication mechanism to PLAIN. Previously, no auth mechanism was specified by default. It was possible to set the auth mechanism via CephBucketTopic.spec.endpoint.kafka.opaqueData. However, setting &mechanism=<auth type> via opaqueData is no longer possible. If any auth mechanism other than PLAIN is in use, modification to CephBucketTopic resources is required.

Features

• The name of a pre-existing Ceph RGW user account can be set as the bucket owner on an ObjectBucketClaim (OBC), rather than a unique RGW user being created for every bucket. A CephObjectStoreUser resource may be used to create the Ceph RGW user account which will be specified on the OBC. If the bucket owner is set on a bucket that already exists and is owned by a different user, the bucket will be re-linked to the specified user.
• The Ceph CSI 3.14 release has a number of features and improvements for RBD and CephFS volumes, volume snapshots, and many more areas. See the Ceph CSI 3.14 release notes for more details.
• External mons: In some two-datacenter clusters, there is no option to start an arbiter mon in an independent K8s node to configure a proper stretch cluster. The external mons now allow a mon to be configured outside the Kubernetes cluster, while Rook manages everything else inside the cluster. For more details, see the External Mon documentation. This feature is in currently in experimental mode.
• DNS resolution for mons: Allows clients outside the K8s cluster to resolve mon endpoints via DNS without requiring manual updates to the list of mon endpoints. This helps in scenarios such as virtual machine live migration. The Ceph client can connect to rook-ceph-active-mons..svc.cluster.local to dynamically resolve mon endpoints and receive automatic updates when mon IPs change. To configure this DNS resolution, see Tracking Mon Endpoints.
• Node-specific ceph.conf overrides: The ceph.conf overrides can now be customized per-node. This may be helpful for some ceph.conf settings that need to be unique per node depending on the hardware. This can be configured by creating a node-specific configmap that will be loaded for all OSDs and OSD prepare jobs on that node, instead of the default settings that are loaded from the rook-config-override configmap.

v1.16.9

Compare Source

Improvements

Rook v1.16.9 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• discover: Delete ceph-volume log to reduce discover daemon log size (#​16276, @​anshuman-agarwala)
• core: Update go modules needed for security checks (#​16140, @​travisn)
• core: CephObjectRealm controller generated generated AccessKey invalid chars (#​16078, @​raaizik)
• exporter: Add Hostnetwork bool to ceph-exporter (#​16025, @​adilGhaffarDev)

v1.16.8

Compare Source

Improvements

Rook v1.16.8 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• rbdmirror: Nil pointer check during status updates (#​15989, @​parth-gr)
• core: ensure consistent LeastUptodateDaemonVersion (#​15931, @​BlaineEXE)
• exporter: Add name to the exporter container port (#​15801, @​jrcichra)
• osd: Fix osd disk cleanup for mpath setups (#​15761, @​sp98)
• object: Log all reconcile errors during object store creation (#​15747, @​travisn)

v1.16.7

Compare Source

Improvements

Rook v1.16.7 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• core: Set default Ceph version to v19.2.2 (#​15704, @​travisn)
• mon: Ensure mon canary pods are cleaned up for multicluster service (#​15718, @​sp98)
• core: Print correct OSD ID in key rotation logs (#​15727, @​sp98)
• helm: Add labels to ingress resource (#​15719, @​chkpwd)
• core: Update cephstatus fsmap gid type to uint64 (#​15690, @​BlaineEXE)
• pool: Retry status update on fail (#​15593, @​prazumovsky)
• helm: Allow specifying an ingress object store port to override default (#​15669, @​travisn)
• rbdmirror: Fix the rados namespace health checkup (#​15677, @​parth-gr)
• osd: Stabilize oscillating maxUnavailable in pdbs in case of node drain (#​15634, @​sp98)
• ci: Update x/net version to fix snyk report (#​15659, @​subhamkrai)
• nfs: Set allow_set_io_flusher_fail=true in config (#​15652, @​BlaineEXE)

v1.16.6

Compare Source

Improvements

Rook v1.16.6 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• ci: Publish the Helm charts to OCI repos (#​15542, @​a1994sc)
• osd: Adjust OSD PDBs if they are down but PGs are clean (#​15408, @​sp98)
• build: bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#​15561, @​dependabot[bot])
• csi: Update ceph csi release version to v3.13.1 (#​15510, @​yati1998)
• object: All CephBucketTopic reconcile errors set .status.phase (#​15562, @​jhoblitt)
• operator: Set dns policy for host network if needed (#​15553, @​travisn)
• core: Improve error messages from ceph commands (#​15528, @​Madhu-1)
• docs: Update commands for zapping devices during cluster cleanup (#​15565, @​puskunalis)

v1.16.5

Compare Source

Improvements

Rook v1.16.5 is a patch release limited in scope and focusing on feature additions and bug fixes to the Ceph operator.

• ci: Push rook image to repositories quay.io and ghcr.io (#​15274, @​subhamkrai)
• object: Allow overriding rgw config value from secret (#​15426, @​arttor)
• exporter: Add missing rook-ceph-exporter container port definition (#​15496, @​patrostkowski)
• mgr: Wait for builtin mgr

---

Configuration

📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Walkthrough

Version bump of Rook-Ceph operator HelmRelease from v1.15.9 to v1.19.0. Single manifest update affecting the chart spec version field only.

Changes

Cohort / File(s)	Summary
Rook-Ceph Operator Versioning kubernetes/apps/rook-ceph/rook-ceph-operator/app/helmrelease.yaml	HelmRelease chart version updated from v1.15.9 to v1.19.0 (minor version jump of +3). Requires validation for breaking changes, CRD migrations, and Talos/K8s compatibility. No values or pattern changes detected.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Notes: Version jump spanning 3 minor releases warrants checking changelog for breaking changes, CRD updates, storage backend compatibility, and validation against current Talos K8s version. Standard HelmRelease pattern compliance maintained.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating rook-ceph Helm chart from v1.15.9 to v1.19.0, which directly matches the file modification in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/storage-rook-ceph

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[homebot-0]

✅ Gitleaks Secret Scan Passed

No secrets detected in this pull request.

Check	Status
Secret patterns	✅ Clean
Sensitive files	✅ None detected

[homebot-0]

ℹ️ SOPS Encryption Check

No SOPS files detected in this pull request.

Check	Status
SOPS files in PR	✅ None detected

No encryption validation required for this PR.

[homebot-0]

--- kubernetes/apps/rook-ceph/rook-ceph-operator/app Kustomization: rook-ceph/rook-ceph-operator HelmRelease: rook-ceph/rook-ceph-operator

+++ kubernetes/apps/rook-ceph/rook-ceph-operator/app Kustomization: rook-ceph/rook-ceph-operator HelmRelease: rook-ceph/rook-ceph-operator

@@ -11,13 +11,13 @@

   chart:
     spec:
       chart: rook-ceph
       sourceRef:
         kind: HelmRepository
         name: rook-ceph
-      version: v1.15.9
+      version: v1.19.0
   install:
     crds: CreateReplace
     remediation:
       retries: 3
     strategy:
       name: RetryOnFailure

[homebot-0]

--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-osd

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-mgr

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-cmd-reporter

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-purge-osd

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-rgw

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-rgw

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-rgw
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-default

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-default

@@ -1,10 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-default
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-system

@@ -1,13 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-plugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-plugin-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-cephfs-plugin-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-provisioner-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-cephfs-provisioner-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-plugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-plugin-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-rbd-plugin-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-provisioner-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-csi-rbd-provisioner-sa

@@ -1,7 +1,15 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/objectstorage-provisioner

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/objectstorage-provisioner

@@ -1,9 +1,9 @@

 ---
+kind: ServiceAccount
 apiVersion: v1
-kind: ServiceAccount
 metadata:
   name: objectstorage-provisioner
   namespace: rook-ceph
   labels:
     app.kubernetes.io/part-of: container-object-storage-interface
     app.kubernetes.io/component: driver-ceph
--- HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

+++ HelmRelease: rook-ceph/rook-ceph-operator ConfigMap: rook-ceph/rook-ceph-operator-config

@@ -1,45 +1,55 @@

 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: rook-ceph-operator-config
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 data:
   ROOK_LOG_LEVEL: INFO
   ROOK_CEPH_COMMANDS_TIMEOUT_SECONDS: '15'
   ROOK_OBC_WATCH_OPERATOR_NAMESPACE: 'true'
+  ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDS: maxObjects,maxSize
   ROOK_CEPH_ALLOW_LOOP_DEVICES: 'false'
   ROOK_ENABLE_DISCOVERY_DAEMON: 'false'
+  ROOK_USE_CSI_OPERATOR: 'true'
   ROOK_CSI_ENABLE_RBD: 'true'
   ROOK_CSI_ENABLE_CEPHFS: 'true'
   ROOK_CSI_DISABLE_DRIVER: 'false'
   CSI_ENABLE_CEPHFS_SNAPSHOTTER: 'true'
   CSI_ENABLE_NFS_SNAPSHOTTER: 'true'
   CSI_ENABLE_RBD_SNAPSHOTTER: 'true'
   CSI_PLUGIN_ENABLE_SELINUX_HOST_MOUNT: 'false'
   CSI_ENABLE_ENCRYPTION: 'false'
   CSI_ENABLE_OMAP_GENERATOR: 'false'
   CSI_ENABLE_HOST_NETWORK: 'true'
-  CSI_DISABLE_HOLDER_PODS: 'true'
   CSI_ENABLE_METADATA: 'false'
   CSI_ENABLE_VOLUME_GROUP_SNAPSHOT: 'true'
   CSI_PLUGIN_PRIORITY_CLASSNAME: system-node-critical
   CSI_PROVISIONER_PRIORITY_CLASSNAME: system-cluster-critical
   CSI_RBD_FSGROUPPOLICY: File
   CSI_CEPHFS_FSGROUPPOLICY: File
   CSI_NFS_FSGROUPPOLICY: File
-  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.12.3
-  ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
-  ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
-  ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
-  ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.6.1
-  ROOK_CSI_RESIZER_IMAGE: registry.k8s.io/sig-storage/csi-resizer:v1.11.1
+  ROOK_CSI_CEPH_IMAGE: quay.io/cephcsi/cephcsi:v3.16.0
+  ROOK_CSI_REGISTRAR_IMAGE: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
+  ROOK_CSI_PROVISIONER_IMAGE: registry.k8s.io/sig-storage/csi-provisioner:v6.0.0
+  ROOK_CSI_SNAPSHOTTER_IMAGE: registry.k8s.io/sig-storage/csi-snapshotter:v8.4.0
+  ROOK_CSI_ATTACHER_IMAGE: registry.k8s.io/sig-storage/csi-attacher:v4.10.0
+  ROOK_CSI_RESIZER_IMAGE: registry.k8s.io/sig-storage/csi-resizer:v2.0.0
   ROOK_CSI_IMAGE_PULL_POLICY: IfNotPresent
   CSI_ENABLE_CSIADDONS: 'false'
-  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.9.1
+  ROOK_CSIADDONS_IMAGE: quay.io/csiaddons/k8s-sidecar:v0.14.0
+  CSI_ENABLE_CROSS_NAMESPACE_VOLUME_DATA_SOURCE: 'false'
   CSI_ENABLE_TOPOLOGY: 'false'
   ROOK_CSI_ENABLE_NFS: 'false'
   CSI_FORCE_CEPHFS_KERNEL_CLIENT: 'true'
   CSI_GRPC_TIMEOUT_SECONDS: '150'
   CSI_PROVISIONER_REPLICAS: '2'
   CSI_RBD_PROVISIONER_RESOURCE: |
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-system

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-system
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-cluster-mgmt

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-cluster-mgmt

@@ -1,14 +1,16 @@

 ---
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: rook-ceph-cluster-mgmt
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-global

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-global

@@ -1,14 +1,16 @@

 ---
+kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
 metadata:
   name: rook-ceph-global
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
@@ -21,18 +23,21 @@

   verbs:
   - get
   - list
   - watch
 - apiGroups:
   - ''
+  - discovery.k8s.io
   resources:
   - events
   - persistentvolumes
   - persistentvolumeclaims
   - endpoints
   - services
+  - endpointslices
+  - endpointslices/restricted
   verbs:
   - get
   - list
   - watch
   - patch
   - create
@@ -64,12 +69,13 @@

   resources:
   - cephclients
   - cephclusters
   - cephblockpools
   - cephfilesystems
   - cephnfses
+  - cephnvmeofgateways
   - cephobjectstores
   - cephobjectstoreusers
   - cephobjectrealms
   - cephobjectzonegroups
   - cephobjectzones
   - cephbuckettopics
@@ -89,12 +95,13 @@

   resources:
   - cephclients/status
   - cephclusters/status
   - cephblockpools/status
   - cephfilesystems/status
   - cephnfses/status
+  - cephnvmeofgateways/status
   - cephobjectstores/status
   - cephobjectstoreusers/status
   - cephobjectrealms/status
   - cephobjectzonegroups/status
   - cephobjectzones/status
   - cephbuckettopics/status
@@ -110,12 +117,13 @@

   resources:
   - cephclients/finalizers
   - cephclusters/finalizers
   - cephblockpools/finalizers
   - cephfilesystems/finalizers
   - cephnfses/finalizers
+  - cephnvmeofgateways/finalizers
   - cephobjectstores/finalizers
   - cephobjectstoreusers/finalizers
   - cephobjectrealms/finalizers
   - cephobjectzonegroups/finalizers
   - cephobjectzones/finalizers
   - cephbuckettopics/finalizers
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-cluster

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-cluster

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-cluster
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-mgr-system

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-system
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-object-bucket

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-object-bucket

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-object-bucket
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rook-ceph-osd

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-csi-nodeplugin

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-external-provisioner-runner

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/cephfs-external-provisioner-runner

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-external-provisioner-runner
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
@@ -99,15 +107,12 @@

   resources:
   - volumesnapshots
   verbs:
   - get
   - list
   - watch
-  - update
-  - patch
-  - create
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:
   - volumesnapshotclasses
   verbs:
   - get
@@ -120,13 +125,12 @@

   verbs:
   - get
   - list
   - watch
   - patch
   - update
-  - create
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:
   - volumesnapshotcontents/status
   verbs:
   - update
@@ -165,7 +169,13 @@

 - apiGroups:
   - ''
   resources:
   - serviceaccounts/token
   verbs:
   - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-csi-nodeplugin

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-nodeplugin
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
@@ -52,7 +54,13 @@

 - apiGroups:
   - ''
   resources:
   - nodes
   verbs:
   - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-external-provisioner-runner

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/rbd-external-provisioner-runner

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-external-provisioner-runner
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
@@ -93,15 +101,12 @@

   resources:
   - volumesnapshots
   verbs:
   - get
   - list
   - watch
-  - update
-  - patch
-  - create
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:
   - volumesnapshotclasses
   verbs:
   - get
@@ -114,13 +119,12 @@

   verbs:
   - get
   - list
   - watch
   - patch
   - update
-  - create
 - apiGroups:
   - snapshot.storage.k8s.io
   resources:
   - volumesnapshotcontents/status
   verbs:
   - update
@@ -173,7 +177,37 @@

   resources:
   - nodes
   verbs:
   - get
   - list
   - watch
+- apiGroups:
+  - gateway.networking.k8s.io
+  resources:
+  - referencegrants
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationcontents
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
 
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-mgr-cluster

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-mgr-cluster

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-cluster
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-mgr-cluster
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-osd

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-system

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-system
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-global

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-global

@@ -3,12 +3,14 @@

 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-global
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-object-bucket

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rook-ceph-object-bucket

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-object-bucket
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-object-bucket
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-nodeplugin

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-nodeplugin

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-nodeplugin
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-plugin-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-provisioner-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-provisioner-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-provisioner-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-nodeplugin-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/cephfs-csi-nodeplugin-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-nodeplugin-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-plugin-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-provisioner-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/rbd-csi-provisioner-role

@@ -1,11 +1,19 @@

 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-provisioner-role
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: ClusterRole
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-osd

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-mgr

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - pods
   - services
@@ -31,15 +39,17 @@

   - delete
 - apiGroups:
   - ceph.rook.io
   resources:
   - cephclients
   - cephclusters
+  - cephclusters/finalizers
   - cephblockpools
   - cephfilesystems
   - cephnfses
+  - cephnvmeofgateways
   - cephobjectstores
   - cephobjectstoreusers
   - cephobjectrealms
   - cephobjectzonegroups
   - cephobjectzones
   - cephbuckettopics
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-cmd-reporter

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - pods
   - configmaps
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-purge-osd

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
   resources:
   - configmaps
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-monitoring-mgr

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - monitoring.coreos.com
   resources:
   - servicemonitors
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rook-ceph-system

@@ -1,15 +1,17 @@

 ---
+kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - ''
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/cephfs-external-provisioner-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/cephfs-external-provisioner-cfg

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-external-provisioner-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rbd-external-provisioner-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/rbd-external-provisioner-cfg

@@ -1,12 +1,20 @@

 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-external-provisioner-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 rules:
 - apiGroups:
   - coordination.k8s.io
   resources:
   - leases
   verbs:
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cluster-mgmt

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cluster-mgmt

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cluster-mgmt
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-cluster-mgmt
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-osd

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-mgr
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr-system

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-mgr-system

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-mgr-system
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
   name: rook-ceph-mgr-system
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cmd-reporter

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-cmd-reporter

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-cmd-reporter
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-cmd-reporter
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-purge-osd

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-purge-osd

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-purge-osd
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-purge-osd
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-monitoring
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring-mgr

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-monitoring-mgr

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rook-ceph-monitoring-mgr
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
   name: rook-ceph-monitoring-mgr
 subjects:
 - kind: ServiceAccount
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-system

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rook-ceph-system

@@ -4,12 +4,14 @@

 metadata:
   name: rook-ceph-system
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/cephfs-csi-provisioner-role-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/cephfs-csi-provisioner-role-cfg

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: cephfs-csi-provisioner-role-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-cephfs-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rbd-csi-provisioner-role-cfg

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/rbd-csi-provisioner-role-cfg

@@ -1,12 +1,20 @@

 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: rbd-csi-provisioner-role-cfg
   namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
 subjects:
 - kind: ServiceAccount
   name: rook-csi-rbd-provisioner-sa
   namespace: rook-ceph
 roleRef:
   kind: Role
--- HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

+++ HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/rook-ceph-operator

@@ -1,15 +1,17 @@

 ---
+kind: Deployment
 apiVersion: apps/v1
-kind: Deployment
 metadata:
   name: rook-ceph-operator
   namespace: rook-ceph
   labels:
     operator: rook
     storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
     app.kubernetes.io/part-of: rook-ceph-operator
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/created-by: helm
 spec:
   replicas: 1
   selector:
@@ -26,13 +28,13 @@

       - effect: NoExecute
         key: node.kubernetes.io/unreachable
         operator: Exists
         tolerationSeconds: 5
       containers:
       - name: rook-ceph-operator
-        image: docker.io/rook/ceph:v1.15.9
+        image: docker.io/rook/ceph:v1.19.0
         imagePullPolicy: IfNotPresent
         args:
         - ceph
         - operator
         securityContext:
           capabilities:
@@ -46,12 +48,14 @@

           name: rook-config
         - mountPath: /etc/ceph
           name: default-config-dir
         env:
         - name: ROOK_CURRENT_NAMESPACE_ONLY
           value: 'false'
+        - name: ROOK_RECONCILE_CONCURRENT_CLUSTERS
+          value: '1'
         - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
           value: 'false'
         - name: ROOK_DISABLE_DEVICE_HOTPLUG
           value: 'false'
         - name: ROOK_DISCOVER_DEVICES_INTERVAL
           value: 60m
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-ctrlplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-cephfs-nodeplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-controller-manager

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-controller-manager

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-controller-manager
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-ctrlplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-nfs-nodeplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-nfs-nodeplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-ctrlplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-ctrlplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-nodeplugin-sa

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/ceph-csi-rbd-nodeplugin-sa

@@ -0,0 +1,10 @@

+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ceph-csi-rbd-nodeplugin-sa
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-nvmeof

+++ HelmRelease: rook-ceph/rook-ceph-operator ServiceAccount: rook-ceph/rook-ceph-nvmeof

@@ -0,0 +1,15 @@

+---
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: rook-ceph-nvmeof
+  namespace: rook-ceph
+  labels:
+    operator: rook
+    storage-backend: ceph
+    app.kubernetes.io/name: rook-ceph
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/part-of: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/created-by: helm
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnection-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnection-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephconnection-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnections-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephconnections-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephconnections-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-ctrlplugin-cr

@@ -0,0 +1,202 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-cephfs-nodeplugin-cr

@@ -0,0 +1,58 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofile-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofile-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofile-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofilemapping-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofilemapping-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofilemapping-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofiles-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-clientprofiles-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-clientprofiles-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofiles/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-driver-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-driver-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-driver-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - drivers/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-manager-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-manager-role

@@ -0,0 +1,107 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-manager-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - cbt.storage.k8s.io
+  resources:
+  - snapshotmetadataservices
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - cephconnections
+  verbs:
+  - delete
+  - get
+  - list
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings
+  - clientprofiles
+  - drivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/finalizers
+  - clientprofiles/finalizers
+  - drivers/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - clientprofilemappings/status
+  - clientprofiles/status
+  - drivers/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-auth-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-auth-role

@@ -0,0 +1,23 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-metrics-auth-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-reader

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-metrics-reader

@@ -0,0 +1,15 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-metrics-reader
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- nonResourceURLs:
+  - /metrics
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-ctrlplugin-cr

@@ -0,0 +1,138 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - delete
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-nfs-nodeplugin-cr

@@ -0,0 +1,17 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-nfs-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-editor-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-editor-role

@@ -0,0 +1,29 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-operatorconfig-editor-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-viewer-role

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-operatorconfig-viewer-role

@@ -0,0 +1,25 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-operatorconfig-viewer-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - csi.ceph.io
+  resources:
+  - operatorconfigs/status
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-ctrlplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-ctrlplugin-cr

@@ -0,0 +1,231 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - delete
+  - patch
+  - update
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments/status
+  verbs:
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - csinodes
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims/status
+  verbs:
+  - patch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshots
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - patch
+  - update
+- apiGroups:
+  - snapshot.storage.k8s.io
+  resources:
+  - volumesnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.k8s.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+  - groupsnapshot.storage.openshift.io
+  resources:
+  - volumegroupsnapshotcontents/status
+  verbs:
+  - update
+  - patch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationcontents
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - replication.storage.openshift.io
+  resources:
+  - volumegroupreplicationclasses
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
+- apiGroups:
+  - cbt.storage.k8s.io
+  resources:
+  - snapshotmetadataservices
+  verbs:
+  - get
+  - list
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-nodeplugin-cr

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRole: rook-ceph/ceph-csi-rbd-nodeplugin-cr

@@ -0,0 +1,78 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ceph-csi-rbd-nodeplugin-cr
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumes
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - volumeattachments
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts
+  verbs:
+  - get
+- apiGroups:
+  - ''
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - nodes
+  verbs:
+  - get
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - list
+  - watch
+  - create
+  - update
+  - patch
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - get
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-cephfs-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-cephfs-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-manager-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-manager-rolebinding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-manager-rolebinding
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-manager-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-metrics-auth-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-metrics-auth-rolebinding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-metrics-auth-rolebinding
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-metrics-auth-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-nfs-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-nfs-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-nfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-nfs-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-nfs-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-nfs-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-nfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-rbd-ctrlplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-crb

+++ HelmRelease: rook-ceph/rook-ceph-operator ClusterRoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-crb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ceph-csi-rbd-nodeplugin-crb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ceph-csi-rbd-nodeplugin-cr
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-ctrlplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-ctrlplugin-r

@@ -0,0 +1,52 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-r
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-nodeplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-cephfs-nodeplugin-r

@@ -0,0 +1,41 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-r
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-leader-election-role

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-leader-election-role

@@ -0,0 +1,42 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-leader-election-role
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-ctrlplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-ctrlplugin-r

@@ -0,0 +1,52 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-r
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - watch
+  - list
+  - delete
+  - update
+  - create
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-nodeplugin-r

+++ HelmRelease: rook-ceph/rook-ceph-operator Role: rook-ceph/ceph-csi-rbd-nodeplugin-r

@@ -0,0 +1,41 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: ceph-csi-rbd-nodeplugin-r
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+rules:
+- apiGroups:
+  - csiaddons.openshift.io
+  resources:
+  - csiaddonsnodes
+  verbs:
+  - get
+  - watch
+  - list
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - replicasets
+  verbs:
+  - get
+- apiGroups:
+  - apps
+  resources:
+  - deployments/finalizers
+  - daemonsets/finalizers
+  verbs:
+  - update
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-ctrlplugin-rb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-cephfs-ctrlplugin-rb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-cephfs-ctrlplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-cephfs-nodeplugin-rb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-cephfs-nodeplugin-rb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-cephfs-nodeplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-cephfs-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-leader-election-rolebinding

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-leader-election-rolebinding

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-leader-election-rolebinding
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-controller-manager
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-ctrlplugin-rb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-rbd-ctrlplugin-rb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-rbd-ctrlplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-ctrlplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-rb

+++ HelmRelease: rook-ceph/rook-ceph-operator RoleBinding: rook-ceph/ceph-csi-rbd-nodeplugin-rb

@@ -0,0 +1,18 @@

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: ceph-csi-rbd-nodeplugin-rb
+  labels:
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ceph-csi-rbd-nodeplugin-r
+subjects:
+- kind: ServiceAccount
+  name: ceph-csi-rbd-nodeplugin-sa
+  namespace: rook-ceph
+
--- HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/ceph-csi-controller-manager

+++ HelmRelease: rook-ceph/rook-ceph-operator Deployment: rook-ceph/ceph-csi-controller-manager

@@ -0,0 +1,75 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ceph-csi-controller-manager
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: ceph-csi
+    app.kubernetes.io/instance: rook-ceph-operator
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      control-plane: ceph-csi-op-controller-manager
+      app.kubernetes.io/name: ceph-csi
+      app.kubernetes.io/instance: rook-ceph-operator
+  template:
+    metadata:
+      labels:
+        control-plane: ceph-csi-op-controller-manager
+        app.kubernetes.io/name: ceph-csi
+        app.kubernetes.io/instance: rook-ceph-operator
+      annotations:
+        kubectl.kubernetes.io/default-container: manager
+    spec:
+      containers:
+      - args:
+        - --leader-elect
+        command:
+        - /manager
+        env:
+        - name: OPERATOR_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: CSI_SERVICE_ACCOUNT_PREFIX
+          value: ceph-csi-
+        - name: WATCH_NAMESPACE
+          value: ''
+        - name: KUBERNETES_CLUSTER_DOMAIN
+          value: cluster.local
+        image: quay.io/cephcsi/ceph-csi-operator:v0.4.1
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8081
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        name: manager
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 8081
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 10m
+            memory: 64Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+      imagePullSecrets: []
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: ceph-csi-controller-manager
+      terminationGracePeriodSeconds: 10
+