Merge pull request #864 from aramase/automated-cherry-pick-of-#863-up…

…stream-release-1.1 Automated cherry pick of #863: release: update manifest and helm charts for v1.1.0-rc.0
kubernetes-sigs · Feb 8, 2022 · f63c4ae · f63c4ae
2 parents 79e0a88 + 72f1bf8
commit f63c4ae
Show file tree

Hide file tree

Showing 24 changed files with 272 additions and 113 deletions.
diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: secrets-store-csi-driver
-version: 1.0.1
-appVersion: 1.0.1
+version: 1.1.0-rc.0
+appVersion: 1.1.0-rc.0
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md
diff --git a/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
@@ -102,7 +102,10 @@ spec:
         type: object
     served: true
     storage: true
-  - name: v1alpha1
+  - deprecated: true
+    deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1
+      instead.
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: SecretProviderClass is the Schema for the secretproviderclasses

diff --git a/...rets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml b/...rets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
@@ -61,7 +61,8 @@ spec:
         type: object
     served: true
     storage: true
-  - name: v1alpha1
+  - deprecated: true
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus

diff --git a/charts/secrets-store-csi-driver/templates/csidriver.yaml b/charts/secrets-store-csi-driver/templates/csidriver.yaml
@@ -8,3 +8,7 @@ spec:
   # Added in Kubernetes 1.16 with default mode of Persistent. Secrets store csi driver needs Ephermeral to be set.
   volumeLifecycleModes: 
   - Ephemeral
+  {{- if .Values.tokenRequests }}
+  tokenRequests:
+    {{- toYaml .Values.tokenRequests | nindent 2}}
+  {{- end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
@@ -0,0 +1,16 @@
+{{ if .Values.tokenRequests }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: secretprovidertokenrequest-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.tokenRequests }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secretprovidertokenrequest-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secretprovidertokenrequest-role
+subjects:
+- kind: ServiceAccount
+  name: secrets-store-csi-driver
+  namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role.yaml b/charts/secrets-store-csi-driver/templates/role.yaml
@@ -50,6 +50,16 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - storage.k8s.io
+  resourceNames:
+  - secrets-store.csi.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - get
+  - list
+  - watch
 {{- if .Values.rbac.pspEnabled }}
 - apiGroups:
   - policy

diff --git a/charts/secrets-store-csi-driver/values.yaml b/charts/secrets-store-csi-driver/values.yaml
@@ -2,13 +2,13 @@ linux:
   enabled: true
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v1.0.1
+    tag: v1.1.0-rc.0
     pullPolicy: IfNotPresent
 
   crds:
     image:
       repository: k8s.gcr.io/csi-secrets-store/driver-crds
-      tag: v1.0.1
+      tag: v1.1.0-rc.0
       pullPolicy: IfNotPresent
     annotations: {}
 
@@ -93,7 +93,7 @@ windows:
   enabled: false
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v1.0.1
+    tag: v1.1.0-rc.0
     pullPolicy: IfNotPresent
 
   ## Prevent the CSI driver from being scheduled on virtual-kubelet nodes
@@ -207,3 +207,9 @@ providerHealthCheck: false
 providerHealthCheckInterval: 2m
 
 imagePullSecrets: []
+
+## This allows CSI drivers to impersonate the pods that they mount the volumes for.
+# refer to https://kubernetes-csi.github.io/docs/token-requests.html for more details.
+tokenRequests: []
+# - audience: aud1
+# - audience: aud2
diff --git a/deploy/rbac-secretproviderclass.yaml b/deploy/rbac-secretproviderclass.yaml
@@ -53,6 +53,16 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - storage.k8s.io
+  resourceNames:
+  - secrets-store.csi.k8s.io
+  resources:
+  - csidrivers
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

diff --git a/deploy/rbac-secretprovidertokenrequest.yaml b/deploy/rbac-secretprovidertokenrequest.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: secretprovidertokenrequest-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secretprovidertokenrequest-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secretprovidertokenrequest-role
+subjects:
+- kind: ServiceAccount
+  name: secrets-store-csi-driver
+  namespace: kube-system
diff --git a/deploy/role-secretproviderclasses-admin.yaml b/deploy/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
diff --git a/deploy/role-secretproviderclasses-viewer.yaml b/deploy/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
@@ -50,7 +50,7 @@ spec:
               cpu: 100m
               memory: 100Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+          image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"

diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
@@ -50,7 +50,7 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+          image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"

diff --git a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
@@ -102,7 +102,10 @@ spec:
         type: object
     served: true
     storage: true
-  - name: v1alpha1
+  - deprecated: true
+    deprecationWarning: secrets-store.csi.x-k8s.io/v1alpha1 is deprecated. Use secrets-store.csi.x-k8s.io/v1
+      instead.
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: SecretProviderClass is the Schema for the secretproviderclasses

diff --git a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
@@ -61,7 +61,8 @@ spec:
         type: object
     served: true
     storage: true
-  - name: v1alpha1
+  - deprecated: true
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus

diff --git a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: secrets-store-csi-driver
-version: 1.0.1
-appVersion: 1.0.1
+version: 1.1.0-rc.0
+appVersion: 1.1.0-rc.0
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md
@@ -32,10 +32,10 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `fullnameOverride`                      | String to fully override secrets-store-csi-driver.fullname template with a string                                                         | `""`                                                    |
 | `linux.image.repository`                | Linux image repository                                                                                                                    | `k8s.gcr.io/csi-secrets-store/driver`                   |
 | `linux.image.pullPolicy`                | Linux image pull policy                                                                                                                   | `IfNotPresent`                                          |
-| `linux.image.tag`                       | Linux image tag                                                                                                                           | `v1.0.1`                                                |
+| `linux.image.tag`                       | Linux image tag                                                                                                                           | `v1.1.0-rc.0`                                                |
 | `linux.crds.image.repository`           | Linux crds image repository                                                                                                               | `k8s.gcr.io/csi-secrets-store/driver-crds`              |
 | `linux.crds.image.pullPolicy`           | Linux crds image pull policy                                                                                                              | `IfNotPresent`                                          |
-| `linux.crds.image.tag`                  | Linux crds image tag                                                                                                                      | `v1.0.1`                                                |
+| `linux.crds.image.tag`                  | Linux crds image tag                                                                                                                      | `v1.1.0-rc.0`                                                |
 | `linux.affinity`                        | Linux affinity                                                                                                                            | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `linux.driver.resources`                | The resource request/limits for the linux secrets-store container image                                                                   | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi`     |
 | `linux.enabled`                         | Install secrets store csi driver on linux nodes                                                                                           | true                                                    |
@@ -64,7 +64,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.updateStrategy`                  | Configure a custom update strategy for the daemonset on linux nodes                                                                       | `RollingUpdate with 1 maxUnavailable`                   |
 | `windows.image.repository`              | Windows image repository                                                                                                                  | `k8s.gcr.io/csi-secrets-store/driver`                   |
 | `windows.image.pullPolicy`              | Windows image pull policy                                                                                                                 | `IfNotPresent`                                          |
-| `windows.image.tag`                     | Windows image tag                                                                                                                         | `v1.0.1`                                                |
+| `windows.image.tag`                     | Windows image tag                                                                                                                         | `v1.1.0-rc.0`                                                |
 | `windows.affinity`                      | Windows affinity                                                                                                                          | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `windows.driver.resources`              | The resource request/limits for the windows secrets-store container image                                                                 | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi`     |
 | `windows.enabled`                       | Install secrets store csi driver on windows nodes                                                                                         | false                                                   |

diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
@@ -2,13 +2,13 @@ linux:
   enabled: true
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v1.0.1
+    tag: v1.1.0-rc.0
     pullPolicy: IfNotPresent
 
   crds:
     image:
       repository: k8s.gcr.io/csi-secrets-store/driver-crds
-      tag: v1.0.1
+      tag: v1.1.0-rc.0
       pullPolicy: IfNotPresent
     annotations: {}
 
@@ -93,7 +93,7 @@ windows:
   enabled: false
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v1.0.1
+    tag: v1.1.0-rc.0
     pullPolicy: IfNotPresent
 
   ## Prevent the CSI driver from being scheduled on virtual-kubelet nodes

diff --git a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
@@ -50,7 +50,7 @@ spec:
               cpu: 100m
               memory: 100Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+          image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"

diff --git a/manifest_staging/deploy/secrets-store-csi-driver.yaml b/manifest_staging/deploy/secrets-store-csi-driver.yaml
@@ -50,7 +50,7 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v1.0.1
+          image: k8s.gcr.io/csi-secrets-store/driver:v1.1.0-rc.0
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"