diff --git a/charts/index.yaml b/charts/index.yaml
index 58b667afc..4edf15149 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
@@ -1,6 +1,23 @@
 apiVersion: v1
 entries:
 secrets-store-csi-driver:
+ - apiVersion: v1
+ appVersion: 0.0.23
+ created: "2021-06-10T12:27:24.468813-07:00"
+ description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
+ cluster.
+ digest: 8207abf0e14ffe7d828119937e11fa72340d19d824e9a326b8f40fc8b6c8bd86
+ icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
+ kubeVersion: '>=1.16.0-0'
+ maintainers:
+ - email: ritazh@microsoft.com
+ name: Rita Zhang
+ name: secrets-store-csi-driver
+ sources:
+ - https://github.com/kubernetes-sigs/secrets-store-csi-driver
+ urls:
+ - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.23.tgz
+ version: 0.0.23
 - apiVersion: v1
 appVersion: 0.0.22
 created: "2021-05-17T17:56:19.441550381-04:00"
@@ -239,4 +256,4 @@ entries:
 urls:
 - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.9.tgz
 version: 0.0.9
-generated: "2021-05-17T17:56:19.439691442-04:00"
+generated: "2021-06-10T12:27:24.466683-07:00"
diff --git a/charts/secrets-store-csi-driver-0.0.23.tgz b/charts/secrets-store-csi-driver-0.0.23.tgz
new file mode 100644
index 000000000..7706f1890
Binary files /dev/null and b/charts/secrets-store-csi-driver-0.0.23.tgz differ
diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml
index 910f90177..6f348c6ce 100644
--- a/charts/secrets-store-csi-driver/Chart.yaml
+++ b/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: secrets-store-csi-driver
-version: 0.0.22
-appVersion: 0.0.22
+version: 0.0.23
+appVersion: 0.0.23
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md
index d2f3b25f9..ec8950c6e 100644
--- a/charts/secrets-store-csi-driver/README.md
+++ b/charts/secrets-store-csi-driver/README.md
@@ -25,7 +25,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` |
 | `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` |
 | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
-| `linux.image.tag` | Linux image tag | `v0.0.22` |
+| `linux.image.tag` | Linux image tag | `v0.0.23` |
 | `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` |
 | `linux.enabled` | Install secrets store csi driver on linux nodes | true |
@@ -48,10 +48,12 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.daemonsetAnnotations` | Linux *DaemonSet* annotations | `{}` |
 | `linux.podAnnotations` | Linux *Pod* annotations | `{}` |
 | `linux.podLabels` | Linux *Pod* labels | `{}` |
+| `linux.volumes` | Linux volumes | `{}` |
+| `linux.volumeMounts` | Linux volumeMounts | `{}` |
 | `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
 | `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` |
 | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Windows image tag | `v0.0.22` |
+| `windows.image.tag` | Windows image tag | `v0.0.23` |
 | `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` |
 | `windows.enabled` | Install secrets store csi driver on windows nodes | false |
@@ -74,6 +76,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `windows.daemonsetAnnotations` | Windows *DaemonSet* annotations | `{}` |
 | `windows.podAnnotations` | Windows *Pod* annotations | `{}` |
 | `windows.podLabels` | Windows *Pod* labels | `{}` |
+| `windows.volumes` | Windows volumes | `{}` |
+| `windows.volumeMounts` | Windows volumeMounts | `{}` |
 | `windows.updateStrategy` | Configure a custom update strategy for the daemonset on windows nodes | `RollingUpdate with 1 maxUnavailable` |
 | `logVerbosity` | Log level. Uses V logs (klog) | `0` |
 | `logFormatJSON` | Use JSON logging format | `false` |
@@ -82,10 +86,10 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `maxCallRecvMsgSize` | Maximum size in bytes of gRPC response from plugins | `4194304` |
 | `rbac.install` | Install default rbac roles and bindings | true |
 | `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver pod(s) | `false` |
-| `syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets (the default will change to false after v0.0.14) | true |
-| `minimumProviderVersions` | [**DEPRECATED**] A comma delimited list of key-value pairs of minimum provider versions with driver | `""` |
+| `syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | false |
 | `enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
 | `rotationPollInterval` | Secret rotation poll interval duration | `"120s"` |
 | `filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true` | `false` |
 | `providerHealthCheck` | Enable health check for configured providers | `false` |
 | `providerHealthCheckInterval` | Provider healthcheck interval duration | `2m` |
+| `imagePullSecrets` | One or more secrets to be used when pulling images | `""` |
diff --git a/charts/secrets-store-csi-driver/templates/role-rotation.yaml b/charts/secrets-store-csi-driver/templates/role-rotation.yaml
new file mode 100644
index 000000000..432d0cd3b
--- /dev/null
+++ b/charts/secrets-store-csi-driver/templates/role-rotation.yaml
@@ -0,0 +1,18 @@
+{{ if .Values.enableSecretRotation }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: secretproviderrotation-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+{{ end }}
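Review bot: The new ClusterRole grants `get`, `list` and `watch` on every Secret in every namespace as soon as `enableSecretRotation` is true, and neither the template nor the README row for `enableSecretRotation` says so; role-rotation_binding.yaml attaches it to the `secrets-store-csi-driver` ServiceAccount that both driver DaemonSet templates run as, so the permission is held by a pod on every node. Suggest a header comment above `kind: ClusterRole`, e.g. `# Secret rotation needs cluster-wide read access to Secrets (presumably for NodePublishSecretRef lookups); it is granted to the node DaemonSet's ServiceAccount, so review before enabling.`, and the same sentence in the README table. `creationTimestamp: null` is controller-gen output with no effect in a chart and can be dropped. The blank line and `---` between `{{ if }}` and `apiVersion` are absent from the sibling binding template; use the same layout in both files.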
diff --git a/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml b/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
new file mode 100644
index 000000000..5e2a6ea0e
--- /dev/null
+++ b/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.enableSecretRotation }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secretproviderrotation-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secretproviderrotation-role
+subjects:
+- kind: ServiceAccount
+ name: secrets-store-csi-driver
+ namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
index 92f9064c7..37f8e47f1 100644
--- a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
+++ b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
@@ -28,6 +28,10 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: secrets-store-csi-driver
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
 affinity:
 {{ toYaml .Values.windows.affinity | indent 8 }}
 containers:
@@ -123,6 +127,9 @@ spec:
 mountPropagation: Bidirectional
 - name: providers-dir
 mountPath: C:\k\secrets-store-csi-providers
+ {{- if .Values.windows.volumeMounts }}
+ {{- toYaml .Values.windows.volumeMounts | nindent 12}}
+ {{- end }}
 {{- with .Values.windows.driver.resources }}
 resources:
 {{ toYaml . | indent 12 }}
@@ -164,6 +171,9 @@ spec:
 hostPath:
 path: {{ .Values.windows.providersDir }}
 type: DirectoryOrCreate
+ {{- if .Values.windows.volumes }}
+ {{- toYaml .Values.windows.volumes | nindent 8}}
+ {{- end }}
 nodeSelector:
 kubernetes.io/os: windows
 {{- if .Values.windows.nodeSelector }}
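Review bot: `{{- toYaml .Values.windows.volumeMounts | nindent 12}}` and `{{- toYaml .Values.windows.volumes | nindent 8}}` drop the space before `}}` that every other action in this file has (`| indent 8 }}`, `{{- end }}`), and the linux template in secrets-store-csi-driver.yaml repeats both. The new blocks also switch from the `indent` idiom used for `imagePullSecrets` and `affinity` in the same commit to `nindent`; that is functionally fine, since `nindent` emits its own leading newline, but the new blocks should at least agree with each other on delimiter spacing. Suggest `{{- toYaml .Values.windows.volumeMounts | nindent 12 }}` and `{{- toYaml .Values.windows.volumes | nindent 8 }}`.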
diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
index 3528540ab..45651dd78 100644
--- a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
+++ b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
@@ -28,6 +28,10 @@ spec:
 {{- end }}
 spec:
 serviceAccountName: secrets-store-csi-driver
+ {{- if .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{ toYaml .Values.imagePullSecrets | indent 8 }}
+ {{- end }}
 affinity:
 {{ toYaml .Values.linux.affinity | indent 8 }}
 containers:
@@ -123,6 +127,9 @@ spec:
 mountPropagation: Bidirectional
 - name: providers-dir
 mountPath: /etc/kubernetes/secrets-store-csi-providers
+ {{- if .Values.linux.volumeMounts }}
+ {{- toYaml .Values.linux.volumeMounts | nindent 12}}
+ {{- end }}
 {{- with .Values.linux.driver.resources }}
 resources:
 {{ toYaml . | indent 12 }}
@@ -164,6 +171,9 @@ spec:
 hostPath:
 path: {{ .Values.linux.providersDir }}
 type: DirectoryOrCreate
+ {{- if .Values.linux.volumes }}
+ {{- toYaml .Values.linux.volumes | nindent 8}}
+ {{- end }}
 nodeSelector:
 kubernetes.io/os: linux
 {{- if .Values.linux.nodeSelector }}
diff --git a/charts/secrets-store-csi-driver/values.yaml b/charts/secrets-store-csi-driver/values.yaml
index 1065cad6d..6ba16c6ae 100644
--- a/charts/secrets-store-csi-driver/values.yaml
+++ b/charts/secrets-store-csi-driver/values.yaml
@@ -2,7 +2,7 @@ linux:
 enabled: true
 image:
 repository: k8s.gcr.io/csi-secrets-store/driver
- tag: v0.0.22
+ tag: v0.0.23
 pullPolicy: IfNotPresent

 ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
@@ -71,11 +71,22 @@ linux:
 podAnnotations: {}
 podLabels: {}

+ # volumes is a list of volumes made available to secrets store csi driver.
+ volumes: null
+ # - name: foo
+ # emptyDir: {}
+
+ # volumeMounts is a list of volumeMounts for secrets store csi driver.
+ volumeMounts: null
+ # - name: foo
+ # mountPath: /bar
+ # readOnly: true
+
 windows:
 enabled: false
 image:
 repository: k8s.gcr.io/csi-secrets-store/driver
- tag: v0.0.22
+ tag: v0.0.23
 pullPolicy: IfNotPresent

 ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
@@ -143,6 +154,17 @@ windows:
 podAnnotations: {}
 podLabels: {}

+ # volumes is a list of volumes made available to secrets store csi driver.
+ volumes: null
+ # - name: foo
+ # emptyDir: {}
+
+ # volumeMounts is a list of volumeMounts for secrets store csi driver.
+ volumeMounts: null
+ # - name: foo
+ # mountPath: /bar
+ # readOnly: true
+
 # log level. Uses V logs (klog)
 logVerbosity: 0

@@ -161,15 +183,9 @@ rbac:
 install: true
 pspEnabled: false

-## Install RBAC roles and bindings required for K8S Secrets syncing. Change this
-## to false after v0.0.14
+## Install RBAC roles and bindings required for K8S Secrets syncing if true
 syncSecret:
- enabled: true
-
-## [DEPRECATED] Minimum Provider Versions (optional)
-## A comma delimited list of key-value pairs of minimum provider versions
-## e.g. provider1=0.0.2,provider2=0.0.3
-minimumProviderVersions:
+ enabled: false

 ## Enable secret rotation feature [alpha]
 enableSecretRotation: false
@@ -185,3 +201,5 @@ providerHealthCheck: false

 ## Provider HealthCheck interval
 providerHealthCheckInterval: 2m
+
+imagePullSecrets: []
diff --git a/deploy/rbac-secretproviderrotation.yaml b/deploy/rbac-secretproviderrotation.yaml
new file mode 100644
index 000000000..53af8cd97
--- /dev/null
+++ b/deploy/rbac-secretproviderrotation.yaml
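Review bot: `volumes: null` and `volumeMounts: null` disagree with their own comments, which call them lists, and with the README rows added in this commit, which document the default as `{}`; likewise `imagePullSecrets: []` in the hunk at new line 201 is documented as `""` in the README. The templates guard all three with `{{- if .Values.linux.volumes }}`-style checks, which treat an empty list and `null` alike, so the defaults can be made consistent without changing what renders. Suggest `volumes: []` and `volumeMounts: []` here and in the windows block at new line 154, and `[]` as the documented default for all three keys in the README.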
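Review bot: Changing the default of `syncSecret.enabled` from `true` to `false` changes what an existing release gets on `helm upgrade`: a user who relied on the old default and never set the key will presumably lose the sync RBAC role and binding that the README says this value controls, and the only record of the change is the rewritten comment. Suggest stating it where users will see it, e.g. `## Default changed from true to false in 0.0.23; set to true if you rely on syncing to Kubernetes native Secrets.` above `syncSecret:`, plus an entry in the chart's upgrade notes. Dropping `minimumProviderVersions` is harmless since Helm ignores values no template reads, but a one-line deprecation comment would help users who still set it.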
@@ -0,0 +1,27 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ name: secretproviderrotation-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secretproviderrotation-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secretproviderrotation-role
+subjects:
+- kind: ServiceAccount
+ name: secrets-store-csi-driver
+ namespace: kube-system
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
index 7bbb14371..07f67dcf0 100644
--- a/deploy/secrets-store-csi-driver-windows.yaml
+++ b/deploy/secrets-store-csi-driver-windows.yaml
@@ -42,7 +42,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v0.0.22
+ image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
index 764ea13fa..9f9e42f5c 100644
--- a/deploy/secrets-store-csi-driver.yaml
+++ b/deploy/secrets-store-csi-driver.yaml
@@ -42,7 +42,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v0.0.22
+ image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
index 910f90177..6f348c6ce 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
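Review bot: deploy/rbac-secretproviderrotation.yaml is unconditional, whereas the chart puts the same ClusterRole and ClusterRoleBinding behind `enableSecretRotation`; anyone applying the whole deploy/ directory gives the `secrets-store-csi-driver` ServiceAccount in `kube-system` cluster-wide `get`/`list`/`watch` on Secrets whether or not rotation is in use. Suggest a header comment on the first line, e.g. `# Apply only when secret rotation is enabled: grants the driver's ServiceAccount read access to every Secret in the cluster.`, and a matching sentence wherever the deploy/ manifests are documented. As in the chart template, `creationTimestamp: null` is generator residue and can be dropped.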
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: secrets-store-csi-driver
-version: 0.0.22
-appVersion: 0.0.22
+version: 0.0.23
+appVersion: 0.0.23
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md
index bf91d1531..ec8950c6e 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/README.md
+++ b/manifest_staging/charts/secrets-store-csi-driver/README.md
@@ -25,7 +25,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` |
 | `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` |
 | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
-| `linux.image.tag` | Linux image tag | `v0.0.22` |
+| `linux.image.tag` | Linux image tag | `v0.0.23` |
 | `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` |
 | `linux.enabled` | Install secrets store csi driver on linux nodes | true |
@@ -53,7 +53,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
 | `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` |
 | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Windows image tag | `v0.0.22` |
+| `windows.image.tag` | Windows image tag | `v0.0.23` |
 | `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` |
 | `windows.enabled` | Install secrets store csi driver on windows nodes | false |
diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
index 12f16b880..6ba16c6ae 100644
--- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml
+++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
@@ -2,7 +2,7 @@ linux:
 enabled: true
 image:
 repository: k8s.gcr.io/csi-secrets-store/driver
- tag: v0.0.22
+ tag: v0.0.23
 pullPolicy: IfNotPresent

 ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
@@ -86,7 +86,7 @@ windows:
 enabled: false
 image:
 repository: k8s.gcr.io/csi-secrets-store/driver
- tag: v0.0.22
+ tag: v0.0.23
 pullPolicy: IfNotPresent

 ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
diff --git a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
index 7bbb14371..07f67dcf0 100644
--- a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
+++ b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
@@ -42,7 +42,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v0.0.22
+ image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
diff --git a/manifest_staging/deploy/secrets-store-csi-driver.yaml b/manifest_staging/deploy/secrets-store-csi-driver.yaml
index 764ea13fa..9f9e42f5c 100644
--- a/manifest_staging/deploy/secrets-store-csi-driver.yaml
+++ b/manifest_staging/deploy/secrets-store-csi-driver.yaml
@@ -42,7 +42,7 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v0.0.22
+ image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"