Merge pull request #295 from aramase/release-v0.0.13

release: update manifest and helm charts for v0.0.13

Author: k8s-ci-robot

README.md

@@ -108,6 +108,10 @@ kubectl apply -f deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
 kubectl apply -f deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
 kubectl apply -f deploy/secrets-store-csi-driver.yaml --namespace $NAMESPACE
 
+# If using the driver to sync secrets-store content as Kubernetes Secrets, deploy the additional RBAC permissions
+# required to enable this feature
+kubectl apply -f deploy/rbac-secretproviderclass.yaml
+
 # [OPTIONAL] For kubernetes version < 1.16 running `kubectl apply -f deploy/csidriver.yaml` will fail. To install the driver run
 kubectl apply -f deploy/csidriver-1.15.yaml
 

charts/index.yaml

@@ -1,9 +1,26 @@
 apiVersion: v1
 entries:
   secrets-store-csi-driver:
+  - apiVersion: v1
+    appVersion: 0.0.13
+    created: "2020-08-17T18:08:01.599946-07:00"
+    description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
+      cluster.
+    digest: 426ea403ad1083cae569a13d8ecf686e4797b7816f6254709070afc4f4b858ab
+    icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
+    kubeVersion: '>=1.15.0-0'
+    maintainers:
+    - email: ritazh@microsoft.com
+      name: Rita Zhang
+    name: secrets-store-csi-driver
+    sources:
+    - https://github.com/kubernetes-sigs/secrets-store-csi-driver
+    urls:
+    - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.13.tgz
+    version: 0.0.13
   - apiVersion: v1
     appVersion: 0.0.12
-    created: "2020-07-21T17:21:06.530228-07:00"
+    created: "2020-08-17T18:08:01.599247-07:00"
     description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
       cluster.
     digest: 0c132d4be8c4eb48109a4fe8cc0ce29e6fc9f68647bb522c4040d033861a0e78
@@ -20,7 +37,7 @@ entries:
     version: 0.0.12
   - apiVersion: v1
     appVersion: 0.0.11
-    created: "2020-07-21T17:21:06.529597-07:00"
+    created: "2020-08-17T18:08:01.597723-07:00"
     description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
       cluster.
     digest: 2751ae7aed8ea2fc7dcdcbbf26240fccb2eefd83d3943cef45bb58bb1d297692
@@ -37,7 +54,7 @@ entries:
     version: 0.0.11
   - apiVersion: v1
     appVersion: 0.0.10
-    created: "2020-07-21T17:21:06.528357-07:00"
+    created: "2020-08-17T18:08:01.595105-07:00"
     description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
       cluster.
     digest: 9fae95e4611c9c120ed12505e735680b70ed133ea987fd32db05046cb45eda9e
@@ -54,7 +71,7 @@ entries:
     version: 0.0.10
   - apiVersion: v1
     appVersion: 0.0.9
-    created: "2020-07-21T17:21:06.530963-07:00"
+    created: "2020-08-17T18:08:01.601014-07:00"
     description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
       cluster.
     digest: 0f74454ca36c979a352d8a7b6d847521897ebf78195527ed8946201a841887a7
@@ -69,4 +86,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.9.tgz
     version: 0.0.9
-generated: "2020-07-21T17:21:06.526827-07:00"
+generated: "2020-08-17T18:08:01.591471-07:00"

charts/secrets-store-csi-driver-0.0.13.tgz

@@ -1,7 +1,7 @@
 apiVersion: v1
 name: secrets-store-csi-driver
-version: 0.0.12
-appVersion: 0.0.12
+version: 0.0.13
+appVersion: 0.0.13
 kubeVersion: ">=1.15.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

charts/secrets-store-csi-driver/Chart.yaml

@@ -19,26 +19,43 @@ $ helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driv
 
 The following table lists the configurable parameters of the csi-secrets-store-provider-azure chart and their default values.
 
-| Parameter | Description | Default |
-| --------- | ----------- | ------- |
-| `nameOverride` | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name) | `""` |
-| `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` |
-| `linux.image.repository` | Linux image repository | `us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver` |
-| `linux.image.pullPolicy` | Linux image pull policy | `Always` |
-| `linux.image.tag` | Linux image tag | `v0.0.12` |
-| `linux.enabled` | Install secrets store csi driver on linux nodes | true |
-| `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
-| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
-| `linux.metricsAddr` | The address the metric endpoint binds to | `:8080` |
-| `windows.image.repository` | Windows image repository | `us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver` |
-| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Windows image tag | `v0.0.12` |
-| `windows.enabled` | Install secrets store csi driver on windows nodes | false |
-| `windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` |
-| `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` |
-| `windows.metricsAddr` | The address the metric endpoint binds to | `:8080` |
-| `logLevel.debug` | Enable debug logging | true |
-| `livenessProbe.port` | Liveness probe port | `9808` |
-| `livenessProbe.logLevel` | Liveness probe container logging verbosity level | `2` |
-| `rbac.install` | Install default rbac roles and bindings | true |
-| `minimumProviderVersions` | A comma delimited list of key-value pairs of minimum provider versions with driver | `""` |
+| Parameter                               | Description                                                                                                                       | Default                                                          |
+| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------- |
+| `nameOverride`                          | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name)             | `""`                                                             |
+| `fullnameOverride`                      | String to fully override secrets-store-csi-driver.fullname template with a string                                                 | `""`                                                             |
+| `linux.image.repository`                | Linux image repository                                                                                                            | `us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver`          |
+| `linux.image.pullPolicy`                | Linux image pull policy                                                                                                           | `Always`                                                         |
+| `linux.image.tag`                       | Linux image tag                                                                                                                   | `v0.0.13`                                                        |
+| `linux.enabled`                         | Install secrets store csi driver on linux nodes                                                                                   | true                                                             |
+| `linux.kubeletRootDir`                  | Configure the kubelet root dir                                                                                                    | `/var/lib/kubelet`                                               |
+| `linux.nodeSelector`                    | Node Selector for the daemonset on linux nodes                                                                                    | `{}`                                                             |
+| `linux.tolerations`                     | Tolerations for the daemonset on linux nodes                                                                                      | `[]`                                                             |
+| `linux.metricsAddr`                     | The address the metric endpoint binds to                                                                                          | `:8080`                                                          |
+| `linux.registrarImage.repository`       | Linux node-driver-registrar image repository                                                                                      | `quay.io/k8scsi/csi-node-driver-registrar`                       |
+| `linux.registrarImage.pullPolicy`       | Linux node-driver-registrar image pull policy                                                                                     | `Always`                                                         |
+| `linux.registrarImage.tag`              | Linux node-driver-registrar image tag                                                                                             | `v1.2.0`                                                         |
+| `linux.livenessProbeImage.repository`   | Linux liveness-probe image repository                                                                                             | `quay.io/k8scsi/livenessprobe`                                   |
+| `linux.livenessProbeImage.pullPolicy`   | Linux liveness-probe image pull policy                                                                                            | `Always`                                                         |
+| `linux.livenessProbeImage.tag`          | Linux liveness-probe image tag                                                                                                    | `v2.0.0`                                                         |
+| `linux.env`                             | Environment variables to be passed for the daemonset on linux nodes                                                               | `[]`                                                             |
+| `windows.image.repository`              | Windows image repository                                                                                                          | `us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver`          |
+| `windows.image.pullPolicy`              | Windows image pull policy                                                                                                         | `IfNotPresent`                                                   |
+| `windows.image.tag`                     | Windows image tag                                                                                                                 | `v0.0.13`                                                        |
+| `windows.enabled`                       | Install secrets store csi driver on windows nodes                                                                                 | false                                                            |
+| `windows.kubeletRootDir`                | Configure the kubelet root dir                                                                                                    | `C:\var\lib\kubelet`                                             |
+| `windows.nodeSelector`                  | Node Selector for the daemonset on windows nodes                                                                                  | `{}`                                                             |
+| `windows.tolerations`                   | Tolerations for the daemonset on windows nodes                                                                                    | `[]`                                                             |
+| `windows.metricsAddr`                   | The address the metric endpoint binds to                                                                                          | `:8080`                                                          |
+| `windows.registrarImage.repository`     | Windows node-driver-registrar image repository                                                                                    | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
+| `windows.registrarImage.pullPolicy`     | Windows node-driver-registrar image pull policy                                                                                   | `Always`                                                         |
+| `windows.registrarImage.tag`            | Windows node-driver-registrar image tag                                                                                           | `v1.2.1-alpha.1-windows-1809-amd64`                              |
+| `windows.livenessProbeImage.repository` | Windows liveness-probe image repository                                                                                           | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe`             |
+| `windows.livenessProbeImage.pullPolicy` | Windows liveness-probe image pull policy                                                                                          | `Always`                                                         |
+| `windows.livenessProbeImage.tag`        | Windows liveness-probe image tag                                                                                                  | `v2.0.1-alpha.1-windows-1809-amd64`                              |
+| `windows.env`                           | Environment variables to be passed for the daemonset on windows nodes                                                             | `[]`                                                             |
+| `logLevel.debug`                        | Enable debug logging                                                                                                              | true                                                             |
+| `livenessProbe.port`                    | Liveness probe port                                                                                                               | `9808`                                                           |
+| `livenessProbe.logLevel`                | Liveness probe container logging verbosity level                                                                                  | `2`                                                              |
+| `rbac.install`                          | Install default rbac roles and bindings                                                                                           | true                                                             |
+| `syncSecret.enabled`                    | Enable rbac roles and bindings required for syncing to Kubernetes native secrets (the default will change to false after v0.0.14) | true                                                             |
+| `minimumProviderVersions`               | A comma delimited list of key-value pairs of minimum provider versions with driver                                                | `""`                                                             |

charts/secrets-store-csi-driver/README.md

@@ -25,10 +25,10 @@ Standard labels for helm resources
 */}}
 {{- define "sscd.labels" -}}
 labels:
-  heritage: "{{ .Release.Service }}"
-  release: "{{ .Release.Name }}"
-  revision: "{{ .Release.Revision }}"
-  chart: "{{ .Chart.Name }}"
-  chartVersion: "{{ .Chart.Version }}"
+  app.kubernetes.io/instance: "{{ .Release.Name }}"
+  app.kubernetes.io/managed-by: "{{ .Release.Service }}"
+  app.kubernetes.io/name: "{{ template "sscd.name" . }}"
+  app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
   app: {{ template "sscd.name" . }}
+  helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 {{- end -}}

charts/secrets-store-csi-driver/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{ if .Values.syncSecret.enabled }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  name: secretprovidersyncing-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{ end }}

charts/secrets-store-csi-driver/templates/role-syncsecret.yaml

@@ -0,0 +1,14 @@
+{{ if .Values.syncSecret.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: secretprovidersyncing-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: secretprovidersyncing-role
+subjects:
+- kind: ServiceAccount
+  name: secrets-store-csi-driver
+  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml

@@ -1,8 +1,10 @@
 {{ if .Values.rbac.install }}
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
   name: secretproviderclasses-role
 rules:
 - apiGroups:
@@ -12,29 +14,7 @@ rules:
   verbs:
   - get
   - list
-  - update
   - watch
-- apiGroups:
-  - secrets-store.csi.x-k8s.io
-  resources:
-  - secretproviderclasses/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - update
-  - patch
-  - watch
-  - list
 - apiGroups:
   - secrets-store.csi.x-k8s.io
   resources:
@@ -53,6 +33,6 @@ rules:
   - secretproviderclasspodstatuses/status
   verbs:
   - get
-  - update
   - patch
+  - update
 {{ end }}

charts/secrets-store-csi-driver/templates/role.yaml

@@ -16,7 +16,7 @@ spec:
       serviceAccountName: secrets-store-csi-driver
       containers:
         - name: node-driver-registrar
-          image: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar:v1.2.1-alpha.1-windows-1809-amd64
+          image: "{{ .Values.windows.registrarImage.repository }}:{{ .Values.windows.registrarImage.tag }}"
           args:
             - --v=5
             - "--csi-address=unix://C:\\csi\\csi.sock"
@@ -31,12 +31,12 @@ spec:
                       "del /f C:\\registration\\secrets-store.csi.k8s.io-reg.sock",
                     ]
           env:
-            - name: KUBE_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: spec.nodeName
-          imagePullPolicy: Always
+          - name: KUBE_NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName
+          imagePullPolicy: {{ .Values.windows.registrarImage.pullPolicy }}
           volumeMounts:
             - name: plugin-dir
               mountPath: C:\csi
@@ -54,13 +54,16 @@ spec:
             {{- end }}
             - "--metrics-addr={{ .Values.windows.metricsAddr }}"
           env:
-            - name: CSI_ENDPOINT
-              value: unix://C:\\csi\\csi.sock
-            - name: KUBE_NODE_NAME
-              valueFrom:
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: spec.nodeName
+          {{- with .Values.windows.env }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          - name: CSI_ENDPOINT
+            value: unix://C:\\csi\\csi.sock
+          - name: KUBE_NODE_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: spec.nodeName
           imagePullPolicy: {{ .Values.windows.image.pullPolicy }}
           securityContext:
             privileged: true
@@ -88,8 +91,8 @@ spec:
               mountPath: C:\k\secrets-store-csi-providers
         {{- if semverCompare ">= v0.0.9-0" .Values.windows.image.tag }}
         - name: liveness-probe
-          image: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v2.0.1-alpha.1-windows-1809-amd64
-          imagePullPolicy: Always
+          image: "{{ .Values.windows.livenessProbeImage.repository }}:{{ .Values.windows.livenessProbeImage.tag }}"
+          imagePullPolicy: {{ .Values.windows.livenessProbeImage.pullPolicy }}
           args:
           - "--csi-address=unix://C:\\csi\\csi.sock"
           - --probe-timeout=3s
@@ -120,4 +123,8 @@ spec:
 {{- if .Values.windows.nodeSelector }}
 {{- toYaml .Values.windows.nodeSelector | nindent 8 }}
 {{- end }}
+{{- with .Values.windows.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
 {{- end -}}