
Commit 924dbcf

Merge pull request #717 from tam7t/automated-cherry-pick-of-#716-upstream-release-0.3
Automated cherry pick of #716: release: update manifests and helm chart for v0.3.0
2 parents e2a65fc + 1fe352a commit 924dbcf

15 files changed (+130 -37 lines changed)

Makefile

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -420,8 +420,7 @@ e2e-helm-upgrade:
420420
.PHONY: e2e-helm-deploy-release # test helm package for the release
421421
e2e-helm-deploy-release:
422422
set -x; \
423-
current_release=$(shell (echo ${RELEASE_VERSION} | sed s/"v"//)); \
424-
helm install csi-secrets-store charts/secrets-store-csi-driver-$${current_release}.tgz --namespace kube-system --wait --timeout=5m -v=5 --debug \
423+
helm install csi-secrets-store charts/secrets-store-csi-driver --namespace kube-system --wait --timeout=5m -v=5 --debug \
425424
--set linux.image.pullPolicy="IfNotPresent" \
426425
--set windows.image.pullPolicy="IfNotPresent" \
427426
--set windows.enabled=true \
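Review bot: The .PHONY comment still describes this target as "test helm package for the release", but the new helm install line points at the charts/secrets-store-csi-driver directory, so the packaged .tgz is no longer what gets installed. Either reword the comment to say the chart source tree is tested, or keep a step that installs the packaged archive so a defect in the release artifact itself is still caught.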

charts/secrets-store-csi-driver/Chart.yaml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
apiVersion: v2
22
name: secrets-store-csi-driver
3-
version: 0.2.0
4-
appVersion: 0.2.0
3+
version: 0.3.0
4+
appVersion: 0.3.0
55
kubeVersion: ">=1.16.0-0"
66
description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
77
icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

charts/secrets-store-csi-driver/README.md

Lines changed: 8 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ Quick start instructions for the setup and configuration of secrets-store-csi-dr
1313
> Note: The helm chart repository URL has changed from `https://raw.githubusercontent.com/kuberentes-sigs/secrets-store-csi-driver/master/charts` to `https://kuberentes-sigs.github.io/secrets-store-csi-driver/charts`.
1414
1515
<details>
16-
<summary>Update helm chart repositories if using the old URL</summary>
16+
<summary>Update helm chart repository if using the old URL</summary>
1717

1818
Run the following commands to update your Helm chart repositories if using the old URL:
1919

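Review bot: The note on context line 13 spells the organisation as kuberentes-sigs in both the old and the new repository URL, and this hunk edits the summary directly below it without correcting that. Please fix both URLs to kubernetes-sigs in the same change, since readers copy the new URL straight from this note.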
@@ -47,7 +47,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
4747
| `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` |
4848
| `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` |
4949
| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
50-
| `linux.image.tag` | Linux image tag | `v0.2.0` |
50+
| `linux.image.tag` | Linux image tag | `v0.3.0` |
5151
| `linux.affinity` | Linux affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
5252
| `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` |
5353
| `linux.enabled` | Install secrets store csi driver on linux nodes | true |
@@ -58,15 +58,16 @@ The following table lists the configurable parameters of the csi-secrets-store-p
5858
| `linux.metricsAddr` | The address the metric endpoint binds to | `:8095` |
5959
| `linux.registrarImage.repository` | Linux node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` |
6060
| `linux.registrarImage.pullPolicy` | Linux node-driver-registrar image pull policy | `IfNotPresent` |
61-
| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.2.0` |
61+
| `linux.registrarImage.tag` | Linux node-driver-registrar image tag | `v2.3.0` |
6262
| `linux.registrar.resources` | The resource request/limits for the linux node-driver-registrar container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
6363
| `linux.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` |
6464
| `linux.livenessProbeImage.repository` | Linux liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` |
6565
| `linux.livenessProbeImage.pullPolicy` | Linux liveness-probe image pull policy | `IfNotPresent` |
66-
| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.3.0` |
66+
| `linux.livenessProbeImage.tag` | Linux liveness-probe image tag | `v2.4.0` |
6767
| `linux.livenessProbe.resources` | The resource request/limits for the linux liveness-probe container image | `limits: 100m CPU, 100Mi; requests: 10m CPU, 20Mi` |
6868
| `linux.env` | Environment variables to be passed for the daemonset on linux nodes | `[]` |
6969
| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
70+
| `linux.crds.annotations` | Linux *helm hook* annotations | `{}` |
7071
| `linux.daemonsetAnnotations` | Linux *DaemonSet* annotations | `{}` |
7172
| `linux.podAnnotations` | Linux *Pod* annotations | `{}` |
7273
| `linux.podLabels` | Linux *Pod* labels | `{}` |
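Review bot: The new `linux.crds.annotations` row describes the value as "Linux *helm hook* annotations", but in crds-upgrade-hook.yaml and keep-crds-upgrade-hook.yaml the value is rendered under the Job's template metadata, so it annotates the pods of the CRD hook Jobs and not the helm.sh/hook annotations. Suggest wording such as "Annotations added to the pods of the CRD upgrade and keep hook Jobs". The same templates also read `.Values.rbac.pspEnabled`; if that key has no row in this table yet, this is the place to add it.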
@@ -75,7 +76,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
7576
| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
7677
| `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` |
7778
| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
78-
| `windows.image.tag` | Windows image tag | `v0.2.0` |
79+
| `windows.image.tag` | Windows image tag | `v0.3.0` |
7980
| `windows.affinity` | Windows affinity | `key: type; operator: NotIn; values: [virtual-kubelet]` |
8081
| `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` |
8182
| `windows.enabled` | Install secrets store csi driver on windows nodes | false |
@@ -86,12 +87,12 @@ The following table lists the configurable parameters of the csi-secrets-store-p
8687
| `windows.metricsAddr` | The address the metric endpoint binds to | `:8095` |
8788
| `windows.registrarImage.repository` | Windows node-driver-registrar image repository | `k8s.gcr.io/sig-storage/csi-node-driver-registrar` |
8889
| `windows.registrarImage.pullPolicy` | Windows node-driver-registrar image pull policy | `IfNotPresent` |
89-
| `windows.registrarImage.tag` | Windows node-driver-registrar image tag | `v2.2.0` |
90+
| `windows.registrarImage.tag` | Windows node-driver-registrar image tag | `v2.3.0` |
9091
| `windows.registrar.resources` | The resource request/limits for the windows node-driver-registrar container image | `limits: 200m CPU, 200Mi; requests: 10m CPU, 20Mi` |
9192
| `windows.registrar.logVerbosity` | Log level for node-driver-registrar. Uses V logs (klog) | `5` |
9293
| `windows.livenessProbeImage.repository` | Windows liveness-probe image repository | `k8s.gcr.io/sig-storage/livenessprobe` |
9394
| `windows.livenessProbeImage.pullPolicy` | Windows liveness-probe image pull policy | `IfNotPresent` |
94-
| `windows.livenessProbeImage.tag` | Windows liveness-probe image tag | `v2.3.0` |
95+
| `windows.livenessProbeImage.tag` | Windows liveness-probe image tag | `v2.4.0` |
9596
| `windows.livenessProbe.resources` | The resource request/limits for the windows liveness-probe container image | `limits: 200m CPU, 200Mi; requests: 10m CPU, 20Mi` |
9697
| `windows.env` | Environment variables to be passed for the daemonset on windows nodes | `[]` |
9798
| `windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |

charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml

Lines changed: 34 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,13 @@ rules:
1111
- apiGroups: ["apiextensions.k8s.io"]
1212
resources: ["customresourcedefinitions"]
1313
verbs: ["get", "create", "update", "patch"]
14+
{{- if .Values.rbac.pspEnabled }}
15+
- apiGroups: ['policy']
16+
resources: ['podsecuritypolicies']
17+
verbs: ['use']
18+
resourceNames:
19+
- allow-upgrade-crds
20+
{{- end }}
1421
---
1522
apiVersion: rbac.authorization.k8s.io/v1
1623
kind: ClusterRoleBinding
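Review bot: The resourceNames entry uses the fixed name allow-upgrade-crds, while the other objects in this file are named from `{{ template "sscd.fullname" . }}-upgrade-crds`. PodSecurityPolicy is cluster-scoped, so a fixed name collides if the chart is installed twice or if another chart picks the same name. Suggest deriving the PSP name, and this resourceNames entry, from the sscd.fullname template.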
@@ -30,6 +37,28 @@ roleRef:
3037
name: {{ template "sscd.fullname" . }}-upgrade-crds
3138
apiGroup: rbac.authorization.k8s.io
3239
---
40+
{{- if .Values.rbac.pspEnabled }}
41+
apiVersion: policy/v1beta1
42+
kind: PodSecurityPolicy
43+
metadata:
44+
name: allow-upgrade-crds
45+
annotations:
46+
helm.sh/hook: pre-install,pre-upgrade
47+
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
48+
helm.sh/hook-weight: "1"
49+
spec:
50+
fsGroup:
51+
rule: RunAsAny
52+
runAsUser:
53+
rule: RunAsAny
54+
seLinux:
55+
rule: RunAsAny
56+
supplementalGroups:
57+
rule: RunAsAny
58+
volumes:
59+
- secret
60+
{{- end }}
61+
---
3362
apiVersion: v1
3463
kind: ServiceAccount
3564
metadata:
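Review bot: The allow-upgrade-crds spec sets fsGroup, runAsUser, seLinux and supplementalGroups all to RunAsAny and leaves allowPrivilegeEscalation unset, which for a PodSecurityPolicy defaults to true. The only restriction is the volumes list. For a short-lived Job that patches CRDs, consider runAsUser MustRunAsNonRoot, `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]`, if the driver-crds image runs as non-root. Minor: the added `---` on line 61 sits outside the `{{- end }}`, so with pspEnabled false the template renders two consecutive separators; moving it inside the conditional keeps the output clean.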
@@ -44,7 +73,7 @@ metadata:
4473
apiVersion: batch/v1
4574
kind: Job
4675
metadata:
47-
name: {{ template "sscd.fullname" . }}-upgrade-crds
76+
name: secrets-store-csi-driver-upgrade-crds
4877
namespace: {{ .Release.Namespace }}
4978
{{ include "sscd.labels" . | indent 2 }}
5079
annotations:
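Review bot: The Job name on line 76 changes from the sscd.fullname template to the literal secrets-store-csi-driver-upgrade-crds, while the ServiceAccount, ClusterRole binding and pod template name in the same file keep the templated form. That makes the Job ignore `fullnameOverride` and the release name, and two releases in one namespace would contend for the same hook Job. If the fixed name is needed for an upgrade path, please say so in a template comment; otherwise keep the templated name.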
@@ -56,6 +85,10 @@ spec:
5685
template:
5786
metadata:
5887
name: {{ template "sscd.fullname" . }}-upgrade-crds
88+
{{- if .Values.linux.crds.annotations }}
89+
annotations:
90+
{{ toYaml .Values.linux.crds.annotations}}
91+
{{- end }}
5992
spec:
6093
serviceAccountName: {{ template "sscd.fullname" . }}-upgrade-crds
6194
restartPolicy: Never
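Review bot: On line 90, `{{ toYaml .Values.linux.crds.annotations}}` is emitted without an indent or nindent pipe, unlike `{{ include "sscd.labels" . | indent 2 }}` earlier in this file. toYaml output starts every line after the first at column 0, so a map with more than one annotation renders keys outside the `annotations:` block and the manifest fails to parse or silently misplaces them. Suggest `{{- toYaml .Values.linux.crds.annotations | nindent N }}` with N matching the depth of the annotations key, and a helm template test with two annotations set.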

charts/secrets-store-csi-driver/templates/keep-crds-upgrade-hook.yaml

Lines changed: 32 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,13 @@ rules:
1111
- apiGroups: ["apiextensions.k8s.io"]
1212
resources: ["customresourcedefinitions"]
1313
verbs: ["get", "patch"]
14+
{{- if .Values.rbac.pspEnabled }}
15+
- apiGroups: ['policy']
16+
resources: ['podsecuritypolicies']
17+
verbs: ['use']
18+
resourceNames:
19+
- allow-keep-crds
20+
{{- end }}
1421
---
1522
apiVersion: rbac.authorization.k8s.io/v1
1623
kind: ClusterRoleBinding
@@ -30,6 +37,26 @@ roleRef:
3037
name: {{ template "sscd.fullname" . }}-keep-crds
3138
apiGroup: rbac.authorization.k8s.io
3239
---
40+
apiVersion: policy/v1beta1
41+
kind: PodSecurityPolicy
42+
metadata:
43+
name: allow-keep-crds
44+
annotations:
45+
helm.sh/hook: pre-upgrade
46+
helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
47+
helm.sh/hook-weight: "2"
48+
spec:
49+
fsGroup:
50+
rule: RunAsAny
51+
runAsUser:
52+
rule: RunAsAny
53+
seLinux:
54+
rule: RunAsAny
55+
supplementalGroups:
56+
rule: RunAsAny
57+
volumes:
58+
- secret
59+
---
3360
apiVersion: v1
3461
kind: ServiceAccount
3562
metadata:
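Review bot: The allow-keep-crds PodSecurityPolicy on lines 40 to 58 is not wrapped in `{{- if .Values.rbac.pspEnabled }}`, although the matching `use` rule in the first hunk of this file is, and the equivalent PSP in crds-upgrade-hook.yaml is guarded. As written the policy/v1beta1 object is rendered on every upgrade regardless of the flag, which creates an unused permissive policy when PSP is off and fails the hook on clusters that do not serve policy/v1beta1. Please add the same conditional around this document, including its trailing `---`.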
@@ -44,7 +71,7 @@ metadata:
4471
apiVersion: batch/v1
4572
kind: Job
4673
metadata:
47-
name: {{ template "sscd.fullname" . }}-keep-crds
74+
name: secrets-store-csi-driver-keep-crds
4875
namespace: {{ .Release.Namespace }}
4976
{{ include "sscd.labels" . | indent 2 }}
5077
annotations:
@@ -56,6 +83,10 @@ spec:
5683
template:
5784
metadata:
5885
name: {{ template "sscd.fullname" . }}-keep-crds
86+
{{- if .Values.linux.crds.annotations }}
87+
annotations:
88+
{{ toYaml .Values.linux.crds.annotations}}
89+
{{- end }}
5990
spec:
6091
serviceAccountName: {{ template "sscd.fullname" . }}-keep-crds
6192
restartPolicy: Never

charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,13 @@ spec:
4141
- --v={{ .Values.windows.registrar.logVerbosity }}
4242
- "--csi-address=unix://C:\\csi\\csi.sock"
4343
- --kubelet-registration-path={{ .Values.windows.kubeletRootDir }}\plugins\csi-secrets-store\csi.sock
44+
livenessProbe:
45+
exec:
46+
command:
47+
- /csi-node-driver-registrar.exe
48+
- --kubelet-registration-path={{ .Values.windows.kubeletRootDir }}\plugins\csi-secrets-store\csi.sock
49+
- --mode=kubelet-registration-probe
50+
initialDelaySeconds: 3
4451
env:
4552
- name: KUBE_NODE_NAME
4653
valueFrom:
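Review bot: The new livenessProbe sets only `initialDelaySeconds: 3`, so periodSeconds, timeoutSeconds and failureThreshold fall back to the Kubernetes defaults, including a 1 second timeout for the exec of /csi-node-driver-registrar.exe. Process start on Windows nodes can exceed that under load, which would restart the registrar container for reasons unrelated to registration. Suggest setting timeoutSeconds and periodSeconds explicitly here, ideally from values, so operators can tune them.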

charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,13 @@ spec:
4141
- --v={{ .Values.linux.registrar.logVerbosity }}
4242
- --csi-address=/csi/csi.sock
4343
- --kubelet-registration-path={{ .Values.linux.kubeletRootDir }}/plugins/csi-secrets-store/csi.sock
44+
livenessProbe:
45+
exec:
46+
command:
47+
- /csi-node-driver-registrar
48+
- --kubelet-registration-path={{ .Values.linux.kubeletRootDir }}/plugins/csi-secrets-store/csi.sock
49+
- --mode=kubelet-registration-probe
50+
initialDelaySeconds: 3
4451
env:
4552
- name: KUBE_NODE_NAME
4653
valueFrom:
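Review bot: The probe command on lines 47 to 49 relies on the registrar binary accepting `--mode=kubelet-registration-probe`, and this commit bumps `linux.registrarImage.tag` to v2.3.0 alongside it. Users who pin an older registrar tag through values will get a container that fails its liveness probe and restarts in a loop. Please document the minimum registrar tag next to `linux.registrarImage.tag` in the README, or make the probe block conditional on a value.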

charts/secrets-store-csi-driver/values.yaml

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -2,16 +2,17 @@ linux:
22
enabled: true
33
image:
44
repository: k8s.gcr.io/csi-secrets-store/driver
5-
tag: v0.2.0
5+
tag: v0.3.0
66
pullPolicy: IfNotPresent
77

88
crds:
99
image:
1010
repository: k8s.gcr.io/csi-secrets-store/driver-crds
11-
tag: v0.2.0
11+
tag: v0.3.0
1212
pullPolicy: IfNotPresent
13+
annotations: {}
1314

14-
## Prevent the CSI driver from being scheduled on virtual-kublet nodes
15+
## Prevent the CSI driver from being scheduled on virtual-kubelet nodes
1516
affinity:
1617
nodeAffinity:
1718
requiredDuringSchedulingIgnoredDuringExecution:
@@ -33,7 +34,7 @@ linux:
3334

3435
registrarImage:
3536
repository: k8s.gcr.io/sig-storage/csi-node-driver-registrar
36-
tag: v2.2.0
37+
tag: v2.3.0
3738
pullPolicy: IfNotPresent
3839

3940
registrar:
@@ -48,7 +49,7 @@ linux:
4849

4950
livenessProbeImage:
5051
repository: k8s.gcr.io/sig-storage/livenessprobe
51-
tag: v2.3.0
52+
tag: v2.4.0
5253
pullPolicy: IfNotPresent
5354

5455
livenessProbe:
@@ -92,10 +93,10 @@ windows:
9293
enabled: false
9394
image:
9495
repository: k8s.gcr.io/csi-secrets-store/driver
95-
tag: v0.2.0
96+
tag: v0.3.0
9697
pullPolicy: IfNotPresent
9798

98-
## Prevent the CSI driver from being scheduled on virtual-kublet nodes
99+
## Prevent the CSI driver from being scheduled on virtual-kubelet nodes
99100
affinity:
100101
nodeAffinity:
101102
requiredDuringSchedulingIgnoredDuringExecution:
@@ -117,7 +118,7 @@ windows:
117118

118119
registrarImage:
119120
repository: k8s.gcr.io/sig-storage/csi-node-driver-registrar
120-
tag: v2.2.0
121+
tag: v2.3.0
121122
pullPolicy: IfNotPresent
122123

123124
registrar:
@@ -132,7 +133,7 @@ windows:
132133

133134
livenessProbeImage:
134135
repository: k8s.gcr.io/sig-storage/livenessprobe
135-
tag: v2.3.0
136+
tag: v2.4.0
136137
pullPolicy: IfNotPresent
137138

138139
livenessProbe:
