Merge pull request #662 from aramase/automated-cherry-pick-of-#660-upstream-release-0.1

Automated cherry pick of #660: release: update manifests for v0.1.0

Author: k8s-ci-robot

Makefile

@@ -436,7 +436,7 @@ e2e-aws:
 manifests: $(CONTROLLER_GEN) $(KUSTOMIZE)
 	# Generate the base CRD/RBAC
 	$(CONTROLLER_GEN) $(CRD_OPTIONS) rbac:roleName=secretproviderclasses-role paths="./apis/..." paths="./controllers" output:crd:artifacts:config=config/crd/bases
-	cp config/crd/bases/* manifest_staging/charts/secrets-store-csi-driver/templates
+	cp config/crd/bases/* manifest_staging/charts/secrets-store-csi-driver/crds
 	cp config/crd/bases/* manifest_staging/deploy/
 
 	# generate rbac-secretproviderclass

charts/index.yaml

@@ -1,6 +1,23 @@
 apiVersion: v1
 entries:
   secrets-store-csi-driver:
+  - apiVersion: v2
+    appVersion: 0.1.0
+    created: "2021-07-26T09:41:27.883002-07:00"
+    description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes
+      cluster.
+    digest: 4a8afc66ad5d9b42c3759213520da7024e966dbe0ab13a005f03fe32b10fac2e
+    icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - email: ritazh@microsoft.com
+      name: Rita Zhang
+    name: secrets-store-csi-driver
+    sources:
+    - https://github.com/kubernetes-sigs/secrets-store-csi-driver
+    urls:
+    - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.1.0.tgz
+    version: 0.1.0
   - apiVersion: v1
     appVersion: 0.0.23
     created: "2021-06-10T12:27:24.468813-07:00"
@@ -256,4 +273,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.9.tgz
     version: 0.0.9
-generated: "2021-06-10T12:27:24.466683-07:00"
+generated: "2021-07-26T09:41:27.881293-07:00"

charts/secrets-store-csi-driver-0.1.0.tgz

@@ -1,7 +1,7 @@
-apiVersion: v1
+apiVersion: v2
 name: secrets-store-csi-driver
-version: 0.0.23
-appVersion: 0.0.23
+version: 0.1.0
+appVersion: 0.1.0
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

charts/secrets-store-csi-driver/Chart.yaml

@@ -44,6 +44,11 @@ spec:
                 items:
                   description: SecretObject defines the desired state of synced K8s secret objects
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description: annotations of k8s secret object
+                      type: object
                     data:
                       items:
                         description: SecretObjectData defines the desired state of synced K8s secret object data

charts/secrets-store-csi-driver/README.md

@@ -0,0 +1,71 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "sscd.fullname" . }}-upgrade-crds
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "1"
+rules:
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "sscd.fullname" . }}-upgrade-crds
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "1"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "sscd.fullname" . }}-upgrade-crds
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "sscd.fullname" . }}-upgrade-crds
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "sscd.fullname" . }}-upgrade-crds
+  namespace: {{ .Release.Namespace }}
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "1"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "sscd.fullname" . }}-upgrade-crds
+  namespace: {{ .Release.Namespace }}
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-weight: "1"
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      name: {{ template "sscd.fullname" . }}-upgrade-crds
+    spec:
+      serviceAccountName: {{ template "sscd.fullname" . }}-upgrade-crds
+      restartPolicy: Never
+      containers:
+      - name: crds-upgrade
+        image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
+        args:
+        - apply
+        - -f
+        - crds/
+        imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
+      nodeSelector:
+        kubernetes.io/os: linux

charts/secrets-store-csi-driver/templates/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml renamed to charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -5,8 +5,6 @@ metadata:
 spec:
   podInfoOnMount: true
   attachRequired: false
-{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.Version }}
   # Added in Kubernetes 1.16 with default mode of Persistent. Secrets store csi driver needs Ephermeral to be set.
   volumeLifecycleModes: 
   - Ephemeral
-{{ end }}

charts/secrets-store-csi-driver/templates/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml renamed to charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -0,0 +1,74 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "sscd.fullname" . }}-keep-crds
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+rules:
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "sscd.fullname" . }}-keep-crds
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "sscd.fullname" . }}-keep-crds
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "sscd.fullname" . }}-keep-crds
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "sscd.fullname" . }}-keep-crds
+  namespace: {{ .Release.Namespace }}
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+    helm.sh/hook-weight: "2"
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "sscd.fullname" . }}-keep-crds
+  namespace: {{ .Release.Namespace }}
+{{ include "sscd.labels" . | indent 2 }}
+  annotations:
+    helm.sh/hook: pre-upgrade
+    helm.sh/hook-weight: "2"
+    helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      name: {{ template "sscd.fullname" . }}-keep-crds
+    spec:
+      serviceAccountName: {{ template "sscd.fullname" . }}-keep-crds
+      restartPolicy: Never
+      containers:
+      - name: crds-keep
+        image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
+        args:
+        - patch
+        - crd
+        - secretproviderclasses.secrets-store.csi.x-k8s.io
+        - secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
+        - -p
+        - '{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}'
+        imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
+      nodeSelector:
+        kubernetes.io/os: linux

charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml

@@ -17,11 +17,11 @@ spec:
 {{ toYaml .Values.windows.updateStrategy | indent 4 }}
   template:
     metadata:
-    {{- if .Values.windows.podAnnotations }}
       annotations:
         kubectl.kubernetes.io/default-logs-container: secrets-store
+{{- if .Values.windows.podAnnotations }}
 {{ toYaml .Values.windows.podAnnotations | indent 8 }}
-    {{- end }}
+{{- end }}
 {{ include "sscd.labels" . | indent 6 }}
 {{- if .Values.windows.podLabels }}
 {{- toYaml .Values.windows.podLabels | nindent 8 }}
@@ -103,8 +103,6 @@ spec:
                 apiVersion: v1
                 fieldPath: spec.nodeName
           imagePullPolicy: {{ .Values.windows.image.pullPolicy }}
-          securityContext:
-            privileged: true
           {{- if semverCompare ">= v0.0.9-0" .Values.windows.image.tag }}
           ports:
             - containerPort: {{ .Values.livenessProbe.port }}
@@ -124,7 +122,6 @@ spec:
               mountPath: C:\csi
             - name: mountpoint-dir
               mountPath: {{ .Values.windows.kubeletRootDir }}\pods
-              mountPropagation: Bidirectional
             - name: providers-dir
               mountPath: C:\k\secrets-store-csi-providers
             {{- if .Values.windows.volumeMounts }}

charts/secrets-store-csi-driver/templates/csidriver.yaml

@@ -17,11 +17,11 @@ spec:
 {{ toYaml .Values.linux.updateStrategy | indent 4 }}
   template:
     metadata:
-    {{- if .Values.linux.podAnnotations }}
       annotations:
         kubectl.kubernetes.io/default-logs-container: secrets-store
+{{- if .Values.linux.podAnnotations }}
 {{ toYaml .Values.linux.podAnnotations | indent 8 }}
-    {{- end }}
+{{- end }}
 {{ include "sscd.labels" . | indent 6 }}
 {{- if .Values.linux.podLabels }}
 {{- toYaml .Values.linux.podLabels | nindent 8 }}

charts/secrets-store-csi-driver/templates/keep-crds-upgrade-hook.yaml

@@ -2,8 +2,14 @@ linux:
   enabled: true
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v0.0.23
+    tag: v0.1.0
     pullPolicy: IfNotPresent
+  
+  crds:
+    image:
+      repository: k8s.gcr.io/csi-secrets-store/driver-crds
+      tag: v0.1.0
+      pullPolicy: IfNotPresent
 
   ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
   affinity: 
@@ -86,7 +92,7 @@ windows:
   enabled: false
   image:
     repository: k8s.gcr.io/csi-secrets-store/driver
-    tag: v0.0.23
+    tag: v0.1.0
     pullPolicy: IfNotPresent
 
   ## Prevent the CSI driver from being scheduled on virtual-kublet nodes
@@ -194,7 +200,7 @@ enableSecretRotation: false
 rotationPollInterval:
 
 ## Filtered watch nodePublishSecretRef secrets
-filteredWatchSecret: false
+filteredWatchSecret: true
 
 ## Provider HealthCheck
 providerHealthCheck: false

charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml

@@ -44,6 +44,11 @@ spec:
                 items:
                   description: SecretObject defines the desired state of synced K8s secret objects
                   properties:
+                    annotations:
+                      additionalProperties:
+                        type: string
+                      description: annotations of k8s secret object
+                      type: object
                     data:
                       items:
                         description: SecretObjectData defines the desired state of synced K8s secret object data
@@ -61,11 +66,6 @@ spec:
                         type: string
                       description: labels of K8s secret object
                       type: object
-                    annotations:
-                      additionalProperties:
-                        type: string
-                      description: annotations of K8s secret object
-                      type: object
                     secretName:
                       description: name of the K8s secret object
                       type: string

charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml

@@ -42,15 +42,15 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v0.0.23
+          image: k8s.gcr.io/csi-secrets-store/driver:v0.1.0
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--provider-volume=C:\\k\\secrets-store-csi-providers"
             - "--metrics-addr=:8095"
             - "--enable-secret-rotation=false"
             - "--rotation-poll-interval=2m"
-            - "--filtered-watch-secret=false"
+            - "--filtered-watch-secret=true"
             - "--provider-health-check=false"
             - "--provider-health-check-interval=2m"
           env:
@@ -62,20 +62,18 @@ spec:
                   apiVersion: v1
                   fieldPath: spec.nodeName
           imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true
           ports:
             - containerPort: 9808
               name: healthz
               protocol: TCP
           livenessProbe:
-            failureThreshold: 5
-            httpGet:
-              path: /healthz
-              port: healthz
-            initialDelaySeconds: 30
-            timeoutSeconds: 10
-            periodSeconds: 15
+              failureThreshold: 5
+              httpGet:
+                path: /healthz
+                port: healthz
+              initialDelaySeconds: 30
+              timeoutSeconds: 10
+              periodSeconds: 15
           resources:
             limits:
               cpu: 400m
@@ -88,17 +86,16 @@ spec:
               mountPath: C:\csi
             - name: mountpoint-dir
               mountPath: "C:\\var\\lib\\kubelet\\pods"
-              mountPropagation: Bidirectional
             - name: providers-dir
               mountPath: C:\k\secrets-store-csi-providers
         - name: liveness-probe
           image: k8s.gcr.io/sig-storage/livenessprobe:v2.3.0
           imagePullPolicy: IfNotPresent
           args:
-            - "--csi-address=unix://C:\\csi\\csi.sock"
-            - --probe-timeout=3s
-            - --http-endpoint=0.0.0.0:9808
-            - -v=2
+          - "--csi-address=unix://C:\\csi\\csi.sock"
+          - --probe-timeout=3s
+          - --http-endpoint=0.0.0.0:9808
+          - -v=2
           volumeMounts:
             - name: plugin-dir
               mountPath: C:\csi