chore: update manifests and helm chart for 0.0.6 (#111)

* update manifests and helm chart for 0.0.6 * Review feedback
Azure · May 26, 2020 · 1c838b6 · 1c838b6 · travis-sobeck · May 27, 2020
1 parent 17dc59d
commit 1c838b6
Show file tree

Hide file tree

Showing 10 changed files with 95 additions and 14 deletions.
diff --git a/charts/csi-secrets-store-provider-azure-0.0.7.tgz b/charts/csi-secrets-store-provider-azure-0.0.7.tgz
diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: csi-secrets-store-provider-azure
-version: 0.0.6
-appVersion: 0.0.5
+version: 0.0.7
+appVersion: 0.0.6
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
 sources:

diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md
@@ -29,11 +29,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `fullnameOverride` | String to fully override csi-secrets-store-provider-azure.fullname template with a string | `""` |
 | `image.repository` | Image repository | `mcr.microsoft.com/k8s/csi/secrets-store/provider-azure` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
-| `image.tag` | Azure Keyvault Provider image | `0.0.5` |
+| `image.tag` | Azure Keyvault Provider image | `0.0.6` |
 | `linux.enabled` | Install azure keyvault provider on linux nodes | true |
+| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `beta.kubernetes.io/os: linux` |
 | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`<br>`requests.memory: 100Mi`<br>`limits.cpu: 50m`<br>`limits.memory: 100Mi` |
 | `windows.enabled` | Install azure keyvault provider on windows nodes | false |
+| `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `beta.kubernetes.io/os: windows` |
 | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`<br>`requests.memory: 200Mi`<br>`limits.cpu: 100m`<br>`limits.memory: 200Mi` |
 | `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
 | `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
+| `secrets-store-csi-driver.linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
 | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false |
+| `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` |
diff --git a/charts/csi-secrets-store-provider-azure/requirements.lock b/charts/csi-secrets-store-provider-azure/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
-  version: 0.0.10
-digest: sha256:2a6ac90a154cd0d5e9325396874f9073073c11dfd937dc87b02f41d3fcd8c9a7
-generated: "2020-05-04T14:51:22.72233-07:00"
+  version: 0.0.11
+digest: sha256:db629f7d1e653db495ce19c2bc661096561d33098abf2c436634ced634d0e3ee
+generated: "2020-05-26T09:26:40.360118-07:00"
diff --git a/charts/csi-secrets-store-provider-azure/requirements.yaml b/charts/csi-secrets-store-provider-azure/requirements.yaml
@@ -1,5 +1,5 @@
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
-  version: 0.0.10
-  condition: driver.install
+  version: 0.0.11
+  condition: secrets-store-csi-driver.install
diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: mcr.microsoft.com/k8s/csi/secrets-store/provider-azure
-  tag: 0.0.5
+  tag: 0.0.6
   pullPolicy: IfNotPresent
 
 linux:
@@ -34,5 +34,7 @@ secrets-store-csi-driver:
   install: true
   linux:
     enabled: true
+    kubeletRootDir: /var/lib/kubelet
   windows:
     enabled: false
+    kubeletRootDir: C:\var\lib\kubelet
diff --git a/charts/index.yaml b/charts/index.yaml
@@ -1,9 +1,31 @@
 apiVersion: v1
 entries:
   csi-secrets-store-provider-azure:
+  - apiVersion: v1
+    appVersion: 0.0.6
+    created: "2020-05-26T10:35:06.49779-07:00"
+    dependencies:
+    - condition: secrets-store-csi-driver.install
+      name: secrets-store-csi-driver
+      repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
+      version: 0.0.11
+    description: A Helm chart to install the Secrets Store CSI Driver and the Azure
+      Keyvault Provider inside a Kubernetes cluster.
+    digest: 63f9d8c5b2c11924ea338d2ce2219dcebde8f4446c8893161afb6b7e8c90c98c
+    home: https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - email: [email protected]
+      name: Anish Ramasekar
+    name: csi-secrets-store-provider-azure
+    sources:
+    - https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    urls:
+    - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.7.tgz
+    version: 0.0.7
   - apiVersion: v1
     appVersion: 0.0.5
-    created: "2020-05-04T14:55:26.7225-07:00"
+    created: "2020-05-26T10:35:06.496776-07:00"
     dependencies:
     - condition: driver.install
       name: secrets-store-csi-driver
@@ -25,7 +47,7 @@ entries:
     version: 0.0.6
   - apiVersion: v1
     appVersion: 0.0.5
-    created: "2020-05-04T14:55:26.721449-07:00"
+    created: "2020-05-26T10:35:06.495341-07:00"
     dependencies:
     - condition: driver.install
       name: secrets-store-csi-driver
@@ -45,4 +67,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.5.tgz
     version: 0.0.5
-generated: "2020-05-04T14:55:26.718506-07:00"
+generated: "2020-05-26T10:35:06.4914-07:00"
diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml
@@ -19,7 +19,7 @@ spec:
         beta.kubernetes.io/os: windows
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/k8s/csi/secrets-store/provider-azure:0.0.5
+          image: mcr.microsoft.com/k8s/csi/secrets-store/provider-azure:0.0.6
           imagePullPolicy: Always
           resources:
             requests:

diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml
@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/k8s/csi/secrets-store/provider-azure:0.0.5
+          image: mcr.microsoft.com/k8s/csi/secrets-store/provider-azure:0.0.6
           imagePullPolicy: Always
           resources:
             requests:

diff --git a/docs/getting-certs-and-keys.md b/docs/getting-certs-and-keys.md
@@ -0,0 +1,53 @@
+# Getting Certificates and Keys using Azure Key Vault Provider
+
+> Note: This behavior was introduced in 0.0.6 release of Azure Key Vault Provider for Secrets Store CSI Driver. This is backward incompatible with the prior releases. 
+
+The Azure Key Vault Provider for Secrets Store CSI Driver has been designed to closely align with the current behavior of  [az keyvault certificate/secret/key download](https://docs.microsoft.com/en-us/cli/azure/keyvault?view=azure-cli-latest).
+
+[Azure Key Vault](https://docs.microsoft.com/azure/key-vault/) design makes sharp distinctions between Keys, Secrets and Certificates. The KeyVault service's Certificates features were designed making use of it's Keys and Secrets capabilities.
+
+> When a Key Vault certificate is created, an addressable key and secret are also created with the same name. The Key Vault key allows key operations and the Key Vault secret allows retrieval of the certificate value as a secret. A Key Vault certificate also contains public x509 certificate metadata.
+
+The KeyVault service stores both the public and the private parts of your certificate in a KeyVault secret, along with any other secret you might have created in that same KeyVault instance.
+
+## How to obtain the certificate
+
+Knowing that the certificate is stored in a Key Vault certificate, we can retrieve it by using object type `cert`
+
+```yaml
+        array:
+          - |
+            objectName: certName
+            objectType: cert
+            objectVersion: ""
+```
+
+The contents of the file will be the certificate in PEM format.
+
+## How to obtain the public key
+
+Knowing that the public key is stored in a Key Vault key, we can retrieve it by using object type `key`
+
+```yaml
+        array:
+          - |
+            objectName: certName
+            objectType: key
+            objectVersion: ""
+```
+
+The contents of the file will be the public key in PEM format.
+
+## How to obtain the private key
+
+Knowing that the private key is stored in a Key Vault secret with the public certificate included, we can retrieve it by using object type `secret`
+
+```yaml
+        array:
+          - |
+            objectName: certName
+            objectType: secret
+            objectVersion: ""
+```
+
+The contents of the file will be the private key and certificate in PEM format.