Merge pull request #199 from ritazh/bump-yaml-0.0.10

k8s-ci-robot · web-flow · commit 7d29b46f6831 · 2020-05-04T14:29:07.000-07:00
Update crd, yaml, chart for v0.0.10
diff --git a/README.md b/README.md
@@ -15,16 +15,17 @@ The Secrets Store CSI driver `secrets-store.csi.k8s.io` allows Kubernetes to mou
 - Supports multiple secrets stores as providers. Multiple providers can run in the same cluster simultaneously.
 - Supports pod portability with the SecretProviderClass CRD
 - Supports windows containers (Kubernetes version v1.18+)
+- Supports sync with Kubernetes Secrets (Secrets Store CSI Driver v0.0.10+)
 
 #### Table of Contents
 
 - [How It Works](#how-it-works)
 - [Demo](#demo)
 - [Usage](#usage)
 - [Providers](#providers)
-  - [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure) - Supports linux and windows
-  - [HashiCorp Vault Provider](https://github.com/hashicorp/secrets-store-csi-driver-provider-vault) - Supports linux
-  - [Adding a New Provider via the Provider Interface](#adding-a-new-provider-via-the-provider-interface)
+  - [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure) - Supports Linux and Windows
+  - [HashiCorp Vault Provider](https://github.com/hashicorp/secrets-store-csi-driver-provider-vault) - Supports Linux
+  - [Adding a New Provider via the Provider Interface](#criteria-for-supported-providers)
 - [Testing](#testing)
   - [Unit Tests](#unit-tests)
   - [End-to-end Tests](#end-to-end-tests)
@@ -121,6 +122,91 @@ Select a provider from the following list, then follow the installation steps fo
 -  [Azure Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure#usage)
 -  [Vault Provider](https://github.com/hashicorp/secrets-store-csi-driver-provider-vault)
 
+### Create your own SecretProviderClass Object
+
+To use the Secrets Store CSI driver, create a `SecretProviderClass` custom resource to provide driver configurations and provider-specific parameters to the CSI driver.
+
+A `SecretProviderClass` custom resource should have the following components:
+```yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: my-provider
+spec:
+  provider: vault                             # accepted provider options: azure or vault
+  parameters:                                 # provider-specific parameters
+```
+
+Here is a sample [`SecretProviderClass` custom resource](https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/vault_v1alpha1_secretproviderclass.yaml)
+
+### Update your Deployment Yaml
+
+To ensure your application is using the Secrets Store CSI driver, update your deployment yaml to use the `secrets-store.csi.k8s.io` driver and reference the `SecretProviderClass` resource created in the previous step.
+
+```yaml
+volumes:
+  - name: secrets-store-inline
+    csi:
+      driver: secrets-store.csi.k8s.io
+      readOnly: true
+      volumeAttributes:
+        secretProviderClass: "my-provider"
+```
+
+Here is a sample [deployment yaml](https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/nginx-pod-vault-inline-volume-secretproviderclass.yaml) using the Secrets Store CSI driver.
+
+### Secret Content is Mounted on Pod Start
+On pod start and restart, the driver will call the provider binary to retrieve the secret content from the external Secrets Store you have specified in the `SecretProviderClass` custom resource. Then the content will be mounted to the container's file system. 
+
+To validate, once the pod is started, you should see the new mounted content at the volume path specified in your deployment yaml.
+
+```bash
+kubectl exec -it nginx-secrets-store-inline ls /mnt/secrets-store/
+foo
+```
+
+### [OPTIONAL] Sync with Kubernetes Secrets
+
+In some cases, you may want to create a Kubernetes Secret to mirror the mounted content. Use the optional `secretObjects` field to define the desired state of the synced Kubernetes secret objects.
+
+A `SecretProviderClass` custom resource should have the following components:
+```yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
+kind: SecretProviderClass
+metadata:
+  name: my-provider
+spec:
+  provider: vault                             # accepted provider options: azure or vault
+  parameters:                                 # provider-specific parameters
+  secretObjects:                              # [OPTIONAL] SecretObject defines the desired state of synced K8s secret objects
+  - data:
+    - key: username                           # data field to populate
+      objectName: foo1                        # name of the object to sync
+    secretName: foosecret                     # name of the Kubernetes Secret object
+    type: Opaque                              # type of the Kubernetes Secret object e.g. Opaque, kubernetes.io/tls
+```
+> NOTE: Here is the list of [supported Kubernetes Secret types](https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/pkg/secrets-store/utils.go#L660-L675). 
+
+Here is a sample [`SecretProviderClass` custom resource](https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/vault_synck8s_v1alpha1_secretproviderclass.yaml) that syncs Kubernetes secrets.
+
+### [OPTIONAL] Set ENV VAR
+
+Once the secret is created, you may wish to set an ENV VAR in your deployment to reference the new Kubernetes secret.
+
+```yaml
+spec:
+  containers:
+  - image: nginx
+    name: nginx
+    env:
+    - name: SECRET_USERNAME
+      valueFrom:
+        secretKeyRef:
+          name: foosecret
+          key: username
+```
+Here is a sample [deployment yaml](https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/master/test/bats/tests/nginx-deployment-synck8s.yaml) that creates an ENV VAR from the synced Kubernetes secret.
+
 
 ## Providers
 
diff --git a/charts/index.yaml b/charts/index.yaml
@@ -1,6 +1,23 @@
 apiVersion: v1
 entries:
   secrets-store-csi-driver:
+  - apiVersion: v1
+    appVersion: 0.0.10
+    created: "2020-05-04T13:43:34.653627-07:00"
+    description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
+      cluster.
+    digest: 9fae95e4611c9c120ed12505e735680b70ed133ea987fd32db05046cb45eda9e
+    icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
+    kubeVersion: '>=1.15.0-0'
+    maintainers:
+    - email: ritazh@microsoft.com
+      name: Rita Zhang
+    name: secrets-store-csi-driver
+    sources:
+    - https://github.com/kubernetes-sigs/secrets-store-csi-driver
+    urls:
+    - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.10.tgz
+    version: 0.0.10
   - apiVersion: v1
     appVersion: 0.0.9
     created: "2020-04-28T22:05:38.049737+01:00"
@@ -18,4 +35,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.9.tgz
     version: 0.0.9
-generated: "2020-04-28T22:05:38.04544+01:00"
+generated: "2020-05-04T13:43:34.652813-07:00"
diff --git a/charts/secrets-store-csi-driver-0.0.10.tgz b/charts/secrets-store-csi-driver-0.0.10.tgz
diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: secrets-store-csi-driver
-version: 0.0.9
-appVersion: 0.0.9
+version: 0.0.10
+appVersion: 0.0.10
 kubeVersion: ">=1.15.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md
@@ -25,11 +25,11 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` |
 | `linux.image.repository` | Linux image repository | `docker.io/deislabs/secrets-store-csi` |
 | `linux.image.pullPolicy` | Linux image pull policy | `Always` |
-| `linux.image.tag` | Linux image tag | `v0.0.9` |
+| `linux.image.tag` | Linux image tag | `v0.0.10` |
 | `linux.enabled` | Install secrets store csi driver on linux nodes | true |
 | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/k8s/csi/secrets-store/driver` |
 | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Windows image tag | `v0.0.9` |
+| `windows.image.tag` | Windows image tag | `v0.0.10` |
 | `windows.enabled` | Install secrets store csi driver on windows nodes | false |
 | `logLevel.debug` | Enable debug logging | true |
 | `livenessProbe.port` | Liveness probe port | `9808` |
diff --git a/charts/secrets-store-csi-driver/templates/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/charts/secrets-store-csi-driver/templates/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
@@ -3,6 +3,9 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.4
+  creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:
   group: secrets-store.csi.x-k8s.io
@@ -11,7 +14,7 @@ spec:
     listKind: SecretProviderClassList
     plural: secretproviderclasses
     singular: secretproviderclass
-  scope: ""
+  scope: Namespaced
   validation:
     openAPIV3Schema:
       description: SecretProviderClass is the Schema for the secretproviderclasses
@@ -40,10 +43,51 @@ spec:
             provider:
               description: Configuration for provider name
               type: string
+            secretObjects:
+              items:
+                description: SecretObject defines the desired state of synced K8s
+                  secret objects
+                properties:
+                  data:
+                    items:
+                      description: SecretObjectData defines the desired state of synced
+                        K8s secret object data
+                      properties:
+                        key:
+                          description: data field to populate
+                          type: string
+                        objectName:
+                          description: name of the object to sync
+                          type: string
+                      type: object
+                    type: array
+                  secretName:
+                    description: name of the K8s secret object
+                    type: string
+                  type:
+                    description: type of K8s secret object
+                    type: string
+                type: object
+              type: array
           type: object
         status:
           description: SecretProviderClassStatus defines the observed state of SecretProviderClass
+          properties:
+            byPod:
+              items:
+                description: ByPodStatus defines the state of SecretProviderClass
+                  as seen by an individual controller
+                properties:
+                  id:
+                    description: id of the pod that wrote the status
+                    type: string
+                  namespace:
+                    description: namespace of the pod that wrote the status
+                    type: string
+                type: object
+              type: array
           type: object
+      type: object
   version: v1alpha1
   versions:
   - name: v1alpha1
diff --git a/charts/secrets-store-csi-driver/values.yaml b/charts/secrets-store-csi-driver/values.yaml
@@ -2,14 +2,14 @@ linux:
   enabled: true
   image:
     repository: docker.io/deislabs/secrets-store-csi
-    tag: v0.0.9
+    tag: v0.0.10
     pullPolicy: Always
 
 windows:
   enabled: false
   image:
     repository: mcr.microsoft.com/k8s/csi/secrets-store/driver
-    tag: v0.0.9
+    tag: v0.0.10
     pullPolicy: IfNotPresent
 
 logLevel:
diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml
@@ -43,7 +43,7 @@ spec:
             - name: registration-dir
               mountPath: C:\registration
         - name: secrets-store
-          image: mcr.microsoft.com/k8s/csi/secrets-store/driver:v0.0.9
+          image: mcr.microsoft.com/k8s/csi/secrets-store/driver:v0.0.10
           args:
             - "--debug=true"
             - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml
@@ -44,7 +44,7 @@ spec:
             - name: registration-dir
               mountPath: /registration
         - name: secrets-store
-          image: docker.io/deislabs/secrets-store-csi:v0.0.9
+          image: docker.io/deislabs/secrets-store-csi:v0.0.10
           args:
             - "--debug=true"
             - "--endpoint=$(CSI_ENDPOINT)"
diff --git a/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
@@ -3,6 +3,9 @@
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.2.4
+  creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:
   group: secrets-store.csi.x-k8s.io
@@ -11,7 +14,7 @@ spec:
     listKind: SecretProviderClassList
     plural: secretproviderclasses
     singular: secretproviderclass
-  scope: ""
+  scope: Namespaced
   validation:
     openAPIV3Schema:
       description: SecretProviderClass is the Schema for the secretproviderclasses
@@ -40,10 +43,51 @@ spec:
             provider:
               description: Configuration for provider name
               type: string
+            secretObjects:
+              items:
+                description: SecretObject defines the desired state of synced K8s
+                  secret objects
+                properties:
+                  data:
+                    items:
+                      description: SecretObjectData defines the desired state of synced
+                        K8s secret object data
+                      properties:
+                        key:
+                          description: data field to populate
+                          type: string
+                        objectName:
+                          description: name of the object to sync
+                          type: string
+                      type: object
+                    type: array
+                  secretName:
+                    description: name of the K8s secret object
+                    type: string
+                  type:
+                    description: type of K8s secret object
+                    type: string
+                type: object
+              type: array
           type: object
         status:
           description: SecretProviderClassStatus defines the observed state of SecretProviderClass
+          properties:
+            byPod:
+              items:
+                description: ByPodStatus defines the state of SecretProviderClass
+                  as seen by an individual controller
+                properties:
+                  id:
+                    description: id of the pod that wrote the status
+                    type: string
+                  namespace:
+                    description: namespace of the pod that wrote the status
+                    type: string
+                type: object
+              type: array
           type: object
+      type: object
   version: v1alpha1
   versions:
   - name: v1alpha1
diff --git a/pkg/secrets-store/secrets-store.go b/pkg/secrets-store/secrets-store.go
@@ -36,7 +36,7 @@ type SecretsStore struct {
 }
 
 var (
-	vendorVersion = "0.0.9"
+	vendorVersion = "0.0.10"
 )
 
 // GetDriver returns a new secrets store driver
diff --git a/secretProviderClass/api/v1alpha1/secretproviderclass_types.go b/secretProviderClass/api/v1alpha1/secretproviderclass_types.go
@@ -19,16 +19,44 @@ const (
 
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
+// SecretObjectData defines the desired state of synced K8s secret object data
+type SecretObjectData struct {
+	// name of the object to sync
+	ObjectName string `json:"objectName,omitempty"`
+	// data field to populate
+	Key string `json:"key,omitempty"`
+}
+
+// SecretObject defines the desired state of synced K8s secret objects
+type SecretObject struct {
+	// name of the K8s secret object
+	SecretName string `json:"secretName,omitempty"`
+	// type of K8s secret object
+	Type string              `json:"type,omitempty"`
+	Data []*SecretObjectData `json:"data,omitempty"`
+}
+
 // SecretProviderClassSpec defines the desired state of SecretProviderClass
 type SecretProviderClassSpec struct {
 	// Configuration for provider name
 	Provider Provider `json:"provider,omitempty"`
 	// Configuration for specific provider
-	Parameters map[string]string `json:"parameters,omitempty"`
+	Parameters    map[string]string `json:"parameters,omitempty"`
+	SecretObjects []*SecretObject   `json:"secretObjects,omitempty"`
+}
+
+// ByPodStatus defines the state of SecretProviderClass as seen by
+// an individual controller
+type ByPodStatus struct {
+	// id of the pod that wrote the status
+	ID string `json:"id,omitempty"`
+	// namespace of the pod that wrote the status
+	Namespace string `json:"namespace,omitempty"`
 }
 
 // SecretProviderClassStatus defines the observed state of SecretProviderClass
 type SecretProviderClassStatus struct {
+	ByPod []*ByPodStatus `json:"byPod,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/secretProviderClass/config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml b/secretProviderClass/config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
diff --git a/test/bats/azure.bats b/test/bats/azure.bats
diff --git a/test/bats/vault.bats b/test/bats/vault.bats

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ type SecretsStore struct {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`var (`
`39`		`- vendorVersion = "0.0.9"`
	`39`	`+ vendorVersion = "0.0.10"`
`40`	`40`	`)`
`41`	`41`
`42`	`42`	`// GetDriver returns a new secrets store driver`