From 72f1bf8f4a9252ed0f6570e744f52063f6820404 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 7 Feb 2022 21:50:46 +0000 Subject: [PATCH] release: update manifest and helm charts for v1.1.0-rc.0 
Signed-off-by: Anish Ramasekar --- charts/secrets-store-csi-driver/Chart.yaml | 4 +- charts/secrets-store-csi-driver/README.md | 170 ++++++++---------- ...re.csi.x-k8s.io_secretproviderclasses.yaml | 5 +- ...k8s.io_secretproviderclasspodstatuses.yaml | 3 +- .../templates/csidriver.yaml | 4 + .../role-secretproviderclasses-admin.yaml | 25 +++ .../role-secretproviderclasses-viewer.yaml | 20 +++ .../templates/role-tokenrequest.yaml | 16 ++ .../templates/role-tokenrequest_binding.yaml | 14 ++ .../templates/role.yaml | 10 ++ charts/secrets-store-csi-driver/values.yaml | 12 +- deploy/rbac-secretproviderclass.yaml | 10 ++ deploy/rbac-secretprovidertokenrequest.yaml | 25 +++ deploy/role-secretproviderclasses-admin.yaml | 20 +++ deploy/role-secretproviderclasses-viewer.yaml | 15 ++ deploy/secrets-store-csi-driver-windows.yaml | 2 +- deploy/secrets-store-csi-driver.yaml | 2 +- ...re.csi.x-k8s.io_secretproviderclasses.yaml | 5 +- ...k8s.io_secretproviderclasspodstatuses.yaml | 3 +- .../secrets-store-csi-driver/Chart.yaml | 4 +- .../charts/secrets-store-csi-driver/README.md | 6 +- .../secrets-store-csi-driver/values.yaml | 6 +- .../secrets-store-csi-driver-windows.yaml | 2 +- .../deploy/secrets-store-csi-driver.yaml | 2 +- 24 files changed, 272 insertions(+), 113 deletions(-) create mode 100644 charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml create mode 100644 charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml create mode 100644 charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml create mode 100644 charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml create mode 100644 deploy/rbac-secretprovidertokenrequest.yaml create mode 100644 deploy/role-secretproviderclasses-admin.yaml create mode 100644 deploy/role-secretproviderclasses-viewer.yaml diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml index 816373591..043ebf099 100644 
--- a/charts/secrets-store-csi-driver/Chart.yaml +++ b/charts/secrets-store-csi-driver/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: secrets-store-csi-driver -version: 1.0.1 -appVersion: 1.0.1 +version: 1.1.0-rc.0 +appVersion: 1.1.0-rc.0 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster. icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md index 08070fcff..cad415571 100644 --- a/charts/secrets-store-csi-driver/README.md +++ b/charts/secrets-store-csi-driver/README.md @@ -10,21 +10,6 @@ Quick start instructions for the setup and configuration of secrets-store-csi-dr ### Installing the chart -> Note: The helm chart repository URL has changed from `https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts` to `https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts`. - -
-Update helm chart repository if using the old URL - -Run the following commands to update your Helm chart repositories if using the old URL: - -```bash -helm repo rm secrets-store-csi-driver -helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts -helm repo update -``` - -
- #### Add the chart repo ```bash 
@@ -41,80 +26,81 @@ helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver The following table lists the configurable parameters of the csi-secrets-store-provider-azure chart and their default values. -| Parameter | Description | Default | -| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | -| `nameOverride` | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name) | `""` | -| `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` | -| `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` | -| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Linux image tag | `v1.0.1` | -| `linux.crds.image.repository` | Linux crds image repository | `k8s.gcr.io/csi-secrets-store/driver-crds` | -| `linux.crds.image.pullPolicy` | Linux crds image pull policy | `IfNotPresent` | -| `linux.crds.image.tag` | Linux crds image tag | `v1.0.1` | -| `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | -| `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` | -| `linux.enabled` | Install secrets store csi driver on linux nodes | true | -| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | -| `linux.providersDir` | Configure the providers root dir | `/etc/kubernetes/secrets-store-csi-providers` | -| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | -| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[]` | -| `linux.metricsAddr` | The address the metric endpoint binds to | `:8095` | -| 
`linux.registrarImage.repository` | Linux node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` | -| `linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `IfNotPresent` | -| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.4.0` | -| `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` | -| `linux.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` | -| `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` | -| `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` | -| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.5.0` | -| `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` | -| `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` | -| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. 
| `""` | -| `linux.crds.annotations` | Linux *helm hook* annotations | `{}` | -| `linux.daemonsetAnnotations` | Linux *DaemonSet* annotations | `{}` | -| `linux.podAnnotations` | Linux *Pod* annotations | `{}` | -| `linux.podLabels` | Linux *Pod* labels | `{}` | -| `linux.volumes` | Linux volumes | `{}` | -| `linux.volumeMounts` | Linux volumeMounts | `{}` | -| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` | -| `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` | -| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Windows image tag | `v1.0.1` | -| `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | -| `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` | -| `windows.enabled` | Install secrets store csi driver on windows nodes | false | -| `windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | -| `windows.providersDir` | Configure the providers root dir | `C:\k\secrets-store-csi-providers` | -| `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | -| `windows.tolerations` | Tolerations for the daemonset on windows nodes | `[]` | -| `windows.metricsAddr` | The address the metric endpoint binds to | `:8095` | -| `windows.registrarImage.repository` | Windows node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` | -| `windows.registrarImage.pullPolicy` | Windows node-driver-registrar image pull policy | `IfNotPresent` | -| `windows.registrarImage.tag` | Windows node-driver-registrar image tag | `v2.4.0` | -| `windows.registrar.resources` | The resource request/limits for the windows node-driver-registrar container image | `limits: 200m CPU, 200Mi; 
requests: 10m CPU, 20Mi` | -| `windows.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` | -| `windows.livenessProbeImage.repository` | Windows liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` | -| `windows.livenessProbeImage.pullPolicy` | Windows liveness-probe image pull policy | `IfNotPresent` | -| `windows.livenessProbeImage.tag` | Windows liveness-probe image tag | `v2.5.0` | -| `windows.livenessProbe.resources` | The resource request/limits for the windows liveness-probe container image | `limits: 200m CPU, 200Mi; requests: 10m CPU, 20Mi` | -| `windows.env` | Environment variables to be passed for the daemonset on windows nodes | `[]` | -| `windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` | -| `windows.daemonsetAnnotations` | Windows *DaemonSet* annotations | `{}` | -| `windows.podAnnotations` | Windows *Pod* annotations | `{}` | -| `windows.podLabels` | Windows *Pod* labels | `{}` | -| `windows.volumes` | Windows volumes | `{}` | -| `windows.volumeMounts` | Windows volumeMounts | `{}` | -| `windows.updateStrategy` | Configure a custom update strategy for the daemonset on windows nodes | `RollingUpdate with 1 maxUnavailable` | -| `logVerbosity` | Log level. 
Uses V logs (klog) | `0` | -| `logFormatJSON` | Use JSON logging format | `false` | -| `livenessProbe.port` | Liveness probe port | `9808` | -| `livenessProbe.logLevel` | Liveness probe container logging verbosity level | `2` | -| `maxCallRecvMsgSize` | Maximum size in bytes of gRPC response from plugins | `4194304` | -| `rbac.install` | Install default rbac roles and bindings | true | -| `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver pod(s) | `false` | -| `syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | false | -| `enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | -| `rotationPollInterval` | Secret rotation poll interval duration | `"120s"` | -| `providerHealthCheck` | Enable health check for configured providers | `false` | -| `providerHealthCheckInterval` | Provider healthcheck interval duration | `2m` | -| `imagePullSecrets` | One or more secrets to be used when pulling images | `""` | +| Parameter | Description | Default | +| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- | +| `nameOverride` | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name) | `""` | +| `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` | +| `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` | +| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | +| `linux.image.tag` | Linux image tag | `v1.1.0-rc.0` | +| `linux.crds.image.repository` | Linux crds image repository | `k8s.gcr.io/csi-secrets-store/driver-crds` | +| `linux.crds.image.pullPolicy` | Linux crds image pull policy | 
`IfNotPresent` | +| `linux.crds.image.tag` | Linux crds image tag | `v1.1.0-rc.0` | +| `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | +| `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` | +| `linux.enabled` | Install secrets store csi driver on linux nodes | true | +| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | +| `linux.providersDir` | Configure the providers root dir | `/etc/kubernetes/secrets-store-csi-providers` | +| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | +| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[]` | +| `linux.metricsAddr` | The address the metric endpoint binds to | `:8095` | +| `linux.registrarImage.repository` | Linux node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` | +| `linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `IfNotPresent` | +| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.4.0` | +| `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` | +| `linux.registrar.logVerbosity` | Log level for node-driver-registrar. 
Uses V logs (klog) | `5` | +| `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` | +| `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` | +| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.5.0` | +| `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` | +| `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` | +| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` | +| `linux.crds.annotations` | Linux *helm hook* annotations | `{}` | +| `linux.daemonsetAnnotations` | Linux *DaemonSet* annotations | `{}` | +| `linux.podAnnotations` | Linux *Pod* annotations | `{}` | +| `linux.podLabels` | Linux *Pod* labels | `{}` | +| `linux.volumes` | Linux volumes | `{}` | +| `linux.volumeMounts` | Linux volumeMounts | `{}` | +| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` | +| `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` | +| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | +| `windows.image.tag` | Windows image tag | `v1.1.0-rc.0` | +| `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | +| `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` | +| `windows.enabled` | Install secrets store csi driver on windows nodes | false | +| `windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | +| `windows.providersDir` | Configure the providers root dir | `C:\k\secrets-store-csi-providers` | +| `windows.nodeSelector` | Node Selector for the 
daemonset on windows nodes | `{}` | +| `windows.tolerations` | Tolerations for the daemonset on windows nodes | `[]` | +| `windows.metricsAddr` | The address the metric endpoint binds to | `:8095` | +| `windows.registrarImage.repository` | Windows node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` | +| `windows.registrarImage.pullPolicy` | Windows node-driver-registrar image pull policy | `IfNotPresent` | +| `windows.registrarImage.tag` | Windows node-driver-registrar image tag | `v2.4.0` | +| `windows.registrar.resources` | The resource request/limits for the windows node-driver-registrar container image | `limits: 200m CPU, 200Mi; requests: 10m CPU, 20Mi` | +| `windows.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` | +| `windows.livenessProbeImage.repository` | Windows liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` | +| `windows.livenessProbeImage.pullPolicy` | Windows liveness-probe image pull policy | `IfNotPresent` | +| `windows.livenessProbeImage.tag` | Windows liveness-probe image tag | `v2.5.0` | +| `windows.livenessProbe.resources` | The resource request/limits for the windows liveness-probe container image | `limits: 200m CPU, 200Mi; requests: 10m CPU, 20Mi` | +| `windows.env` | Environment variables to be passed for the daemonset on windows nodes | `[]` | +| `windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` | +| `windows.daemonsetAnnotations` | Windows *DaemonSet* annotations | `{}` | +| `windows.podAnnotations` | Windows *Pod* annotations | `{}` | +| `windows.podLabels` | Windows *Pod* labels | `{}` | +| `windows.volumes` | Windows volumes | `{}` | +| `windows.volumeMounts` | Windows volumeMounts | `{}` | +| `windows.updateStrategy` | Configure a custom update strategy for the daemonset on windows nodes | `RollingUpdate with 1 maxUnavailable` | +| `logVerbosity` | Log level. 
Uses V logs (klog) | `0` | +| `logFormatJSON` | Use JSON logging format | `false` | +| `livenessProbe.port` | Liveness probe port | `9808` | +| `livenessProbe.logLevel` | Liveness probe container logging verbosity level | `2` | +| `maxCallRecvMsgSize` | Maximum size in bytes of gRPC response from plugins | `4194304` | +| `rbac.install` | Install default rbac roles and bindings | true | +| `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver pod(s) | `false` | +| `syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | false | +| `enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | +| `rotationPollInterval` | Secret rotation poll interval duration | `"120s"` | +| `providerHealthCheck` | Enable health check for configured providers | `false` | +| `providerHealthCheckInterval` | Provider healthcheck interval duration | `2m` | +| `imagePullSecrets` | One or more secrets to be used when pulling images | `""` | +| `tokenRequests` | Token requests configuration for the csi driver. Refer to [doc](https://kubernetes-csi.github.io/docs/token-requests.html) for more info. | `""` | diff --git a/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml index 9a3bf5022..413898d75 100644 --- a/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml +++ b/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml @@ -102,7 +102,10 @@ spec: type: object served: true storage: true - - name: v1alpha1 + - deprecated: true + deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1 + instead. + name: v1alpha1 schema: openAPIV3Schema: description: SecretProviderClass is the Schema for the secretproviderclasses 
diff --git a/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml b/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
index 0a436f4db..dd836668e 100644
--- a/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
+++ b/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
@@ -61,7 +61,8 @@ spec:
 type: object
 served: true
 storage: true
- - name: v1alpha1
+ - deprecated: true
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus
diff --git a/charts/secrets-store-csi-driver/templates/csidriver.yaml b/charts/secrets-store-csi-driver/templates/csidriver.yaml
index bec85f39b..55bfaf57b 100644
--- a/charts/secrets-store-csi-driver/templates/csidriver.yaml
+++ b/charts/secrets-store-csi-driver/templates/csidriver.yaml
@@ -8,3 +8,7 @@ spec:
 # Added in Kubernetes 1.16 with default mode of Persistent. Secrets store csi driver needs Ephermeral to be set.
 volumeLifecycleModes:
 - Ephemeral
+ {{- if .Values.tokenRequests }}
+ tokenRequests:
+ {{- toYaml .Values.tokenRequests | nindent 2}}
+ {{- end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
new file mode 100644
index 000000000..f121a4fda
--- /dev/null
+++ b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
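Review bot: `{{- toYaml .Values.tokenRequests | nindent 2}}` in the csidriver.yaml hunk omits the space before the closing `}}` that the neighbouring `{{- if .Values.tokenRequests }}` and `{{- end }}` actions carry; `{{- toYaml .Values.tokenRequests | nindent 2 }}` keeps the template style uniform. The guard also deserves a comment, because it renders only the CSIDriver field while the permission the feature needs comes from a separate template: `# Rendered only when tokenRequests is set; the RBAC the driver needs for it is in role-tokenrequest.yaml.` An empty list (the values.yaml default `[]`) is false in a Go template `if`, so nothing is emitted unless at least one audience is configured. The enclosing `spec:` mapping starts outside this hunk.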
@@ -0,0 +1,25 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
new file mode 100644
index 000000000..23c54103c
--- /dev/null
+++ b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
new file mode 100644
index 000000000..1580e8e07
--- /dev/null
+++ b/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.tokenRequests }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: secretprovidertokenrequest-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
new file mode 100644
index 000000000..e750c8c14
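Review bot: `creationTimestamp: null` under `metadata` in the new secretproviderclasses-admin-role (and in the viewer and token-request roles that follow in this file) is a serialization artifact rather than configuration, and the `deploy/` copies of the admin and viewer roles in this same commit omit it; dropping the line keeps the chart templates and the static manifests identical. The `aggregate-to-admin` and `aggregate-to-edit` labels fold create/update/patch/delete on `secretproviderclasses` into the built-in `admin` and `edit` roles in every namespace as soon as `rbac.install` is true, which is worth recording next to `rbac.install` in values.yaml or the README so operators who want to restrict who may define SecretProviderClass objects know to set it false and ship these roles themselves. A short comment above `labels:` such as `# aggregated into the built-in admin/edit ClusterRoles` would make that visible in the template itself.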
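Review bot: `{{ if .Values.tokenRequests }}` on the first line of role-tokenrequest.yaml (and of role-tokenrequest_binding.yaml, whose hunk follows) does not consult `rbac.install`, unlike the other role templates added in this commit, which are wrapped in `{{ if .Values.rbac.install }}`; a user who sets `rbac.install: false` to manage RBAC themselves would still get this ClusterRole and its binding created. `{{ if and .Values.rbac.install .Values.tokenRequests }}` restores the convention. The grant itself is `create` on `serviceaccounts/token` in a ClusterRole, i.e. token creation for every ServiceAccount in the cluster, so a comment above `rules:` stating that scope would help anyone auditing the release: `# Grants token creation for every ServiceAccount in the cluster; only rendered when tokenRequests is configured.`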
--- /dev/null +++ b/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml @@ -0,0 +1,14 @@ +{{ if .Values.tokenRequests }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secretprovidertokenrequest-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidertokenrequest-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: {{ .Release.Namespace }} +{{ end }} diff --git a/charts/secrets-store-csi-driver/templates/role.yaml b/charts/secrets-store-csi-driver/templates/role.yaml index 637ff19ec..819ff03a2 100644 --- a/charts/secrets-store-csi-driver/templates/role.yaml +++ b/charts/secrets-store-csi-driver/templates/role.yaml @@ -50,6 +50,16 @@ rules: - get - patch - update +- apiGroups: + - storage.k8s.io + resourceNames: + - secrets-store.csi.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch {{- if .Values.rbac.pspEnabled }} - apiGroups: - policy diff --git a/charts/secrets-store-csi-driver/values.yaml b/charts/secrets-store-csi-driver/values.yaml index 9fcbc18f9..bfa5576bc 100644 --- a/charts/secrets-store-csi-driver/values.yaml +++ b/charts/secrets-store-csi-driver/values.yaml @@ -2,13 +2,13 @@ linux: enabled: true image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent crds: image: repository: k8s.gcr.io/csi-secrets-store/driver-crds - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent annotations: {} @@ -93,7 +93,7 @@ windows: enabled: false image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent ## Prevent the CSI driver from being scheduled on virtual-kubelet nodes 
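Review bot: the new rule in role.yaml pairs `resourceNames: [secrets-store.csi.k8s.io]` with `list` and `watch` on `csidrivers`; Kubernetes RBAC authorizes a name-restricted list or watch only when the request carries a `metadata.name` field selector equal to that name, so the driver's informer must be built with such a selector or those calls will be denied even though `get` succeeds. That is worth confirming against the driver code (not part of this patch), and if the informer does select by name, adding `# list/watch are authorized only for requests with a metadata.name field selector matching the resourceName` above `resourceNames:` records why the rule works. The same rule is added to deploy/rbac-secretproviderclass.yaml in the following hunk. The enclosing `rules:` list starts outside this hunk.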
@@ -207,3 +207,9 @@ providerHealthCheck: false providerHealthCheckInterval: 2m imagePullSecrets: [] + +## This allows CSI drivers to impersonate the pods that they mount the volumes for. +# refer to https://kubernetes-csi.github.io/docs/token-requests.html for more details. +tokenRequests: [] +# - audience: aud1 +# - audience: aud2 diff --git a/deploy/rbac-secretproviderclass.yaml b/deploy/rbac-secretproviderclass.yaml index abc704c19..26a025bf2 100644 --- a/deploy/rbac-secretproviderclass.yaml +++ b/deploy/rbac-secretproviderclass.yaml @@ -53,6 +53,16 @@ rules: - get - patch - update +- apiGroups: + - storage.k8s.io + resourceNames: + - secrets-store.csi.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/deploy/rbac-secretprovidertokenrequest.yaml b/deploy/rbac-secretprovidertokenrequest.yaml new file mode 100644 index 000000000..f96c8372f --- /dev/null +++ b/deploy/rbac-secretprovidertokenrequest.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + name: secretprovidertokenrequest-role +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secretprovidertokenrequest-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidertokenrequest-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: kube-system diff --git a/deploy/role-secretproviderclasses-admin.yaml b/deploy/role-secretproviderclasses-admin.yaml new file mode 100644 index 000000000..f3f02ff99 --- /dev/null +++ b/deploy/role-secretproviderclasses-admin.yaml 
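Review bot: the new `tokenRequests: []` default disagrees with the README row added in this commit, which documents the default as `""`; one of the two should change, and `[]` is the right one since templates/csidriver.yaml feeds the value to `toYaml`. The comment above it also understates the effect of setting the value: besides the CSIDriver field, the chart renders a ClusterRole and ClusterRoleBinding giving the driver's ServiceAccount `create` on `serviceaccounts/token` cluster-wide (templates/role-tokenrequest.yaml). Suggest adding `## Setting this also grants the driver's ServiceAccount cluster-wide create on serviceaccounts/token (see templates/role-tokenrequest.yaml).` after the existing `# refer to ...` line. The rest of values.yaml lies outside this hunk.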
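Review bot: deploy/rbac-secretprovidertokenrequest.yaml grants `create` on `serviceaccounts/token` cluster-wide and binds it to `secrets-store-csi-driver` in `kube-system` unconditionally, whereas the chart renders the equivalent role only when `tokenRequests` is set; anyone applying the `deploy/` directory as a whole receives the broader grant even with no tokenRequests configured on the CSIDriver object. A header comment would make the opt-in nature explicit: `# Apply only when spec.tokenRequests is set on the CSIDriver; grants the driver cluster-wide ServiceAccount token creation.` The ClusterRoleBinding also hard-codes `namespace: kube-system`, so an install into another namespace has to edit the subject by hand.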
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
diff --git a/deploy/role-secretproviderclasses-viewer.yaml b/deploy/role-secretproviderclasses-viewer.yaml
new file mode 100644
index 000000000..636d620b7
--- /dev/null
+++ b/deploy/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
index 47584df74..4ec1c6fa5 100644
--- a/deploy/secrets-store-csi-driver-windows.yaml
+++ b/deploy/secrets-store-csi-driver-windows.yaml
@@ -50,7 +50,7 @@ spec:
 cpu: 100m
 memory: 100Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+ image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
index 52dc8a58a..78f00a801 100644
--- a/deploy/secrets-store-csi-driver.yaml
+++ b/deploy/secrets-store-csi-driver.yaml
@@ -50,7 +50,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+ image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
index 9a3bf5022..413898d75 100644
--- a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
+++ b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
@@ -102,7 +102,10 @@ spec:
 type: object
 served: true
 storage: true
- - name: v1alpha1
+ - deprecated: true
+ deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1
+ instead.
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 description: SecretProviderClass is the Schema for the secretproviderclasses
diff --git a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
index 0a436f4db..dd836668e 100644
--- a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
+++ b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
@@ -61,7 +61,8 @@ spec:
 type: object
 served: true
 storage: true
- - name: v1alpha1
+ - deprecated: true
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus
diff --git a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
index 816373591..043ebf099 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: secrets-store-csi-driver
-version: 1.0.1
-appVersion: 1.0.1
+version: 1.1.0-rc.0
+appVersion: 1.1.0-rc.0
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md index 53819b9e7..cad415571 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/README.md +++ b/manifest_staging/charts/secrets-store-csi-driver/README.md @@ -32,10 +32,10 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` | | `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Linux image tag | `v1.0.1` | +| `linux.image.tag` | Linux image tag | `v1.1.0-rc.0` | | `linux.crds.image.repository` | Linux crds image repository | `k8s.gcr.io/csi-secrets-store/driver-crds` | | `linux.crds.image.pullPolicy` | Linux crds image pull policy | `IfNotPresent` | -| `linux.crds.image.tag` | Linux crds image tag | `v1.0.1` | +| `linux.crds.image.tag` | Linux crds image tag | `v1.1.0-rc.0` | | `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | | `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` | | `linux.enabled` | Install secrets store csi driver on linux nodes | true | 
@@ -64,7 +64,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` | | `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Windows image tag | `v1.0.1` | +| `windows.image.tag` | Windows image tag | `v1.1.0-rc.0` | | `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` | | `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` | | `windows.enabled` | Install secrets store csi driver on windows nodes | false | diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml index 14dee94d9..bfa5576bc 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml +++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml @@ -2,13 +2,13 @@ linux: enabled: true image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent crds: image: repository: k8s.gcr.io/csi-secrets-store/driver-crds - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent annotations: {} @@ -93,7 +93,7 @@ windows: enabled: false image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v1.0.1 + tag: v1.1.0-rc.0 pullPolicy: IfNotPresent ## Prevent the CSI driver from being scheduled on virtual-kubelet nodes diff --git a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml index 47584df74..4ec1c6fa5 100644 --- a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml 
+++ b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
@@ -50,7 +50,7 @@ spec:
 cpu: 100m
 memory: 100Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+ image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/manifest_staging/deploy/secrets-store-csi-driver.yaml b/manifest_staging/deploy/secrets-store-csi-driver.yaml
index 52dc8a58a..78f00a801 100644
--- a/manifest_staging/deploy/secrets-store-csi-driver.yaml
+++ b/manifest_staging/deploy/secrets-store-csi-driver.yaml
@@ -50,7 +50,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+ image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"