diff --git a/Makefile b/Makefile
index 49fdfa496..f0f962711 100644
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)"
REGISTRY_NAME ?= upstream
REPO_PREFIX ?= k8s/csi/secrets-store
REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX)
-IMAGE_VERSION ?= v1.3.0
+IMAGE_VERSION ?= v1.4.0
IMAGE_NAME ?= provider-azure
CONFORMANCE_IMAGE_NAME ?= provider-azure-arc-conformance
IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock
index ca1757997..2e026343e 100644
--- a/charts/csi-secrets-store-provider-azure/Chart.lock
+++ b/charts/csi-secrets-store-provider-azure/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.2.3
-digest: sha256:9646ceda3b60e7795c1ecf730811a12770ba44160559065f660119cbdaf66641
-generated: "2022-08-11T21:35:23.149639291Z"
+ version: 1.3.0
+digest: sha256:fe75dc495385275b6cd108f2684d06d990dadbe8be9d82adba637b362c2b51a9
+generated: "2022-12-14T04:06:15.0527901Z"
diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml
index eb75b7d6b..76c7bd3f8 100644
--- a/charts/csi-secrets-store-provider-azure/Chart.yaml
+++ b/charts/csi-secrets-store-provider-azure/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: csi-secrets-store-provider-azure
-version: 1.3.0
-appVersion: 1.3.0
+version: 1.4.0
+appVersion: 1.4.0
kubeVersion: ">=1.16.0-0"
description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
sources:
@@ -13,5 +13,5 @@ maintainers:
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.2.3
+ version: 1.3.0
condition: secrets-store-csi-driver.install
diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md
index 7d2158827..7121497dc 100644
--- a/charts/csi-secrets-store-provider-azure/README.md
+++ b/charts/csi-secrets-store-provider-azure/README.md
@@ -18,6 +18,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c
| `1.2.1` | `1.2.0` | `1.2.0` |
| `1.2.2` | `1.2.2` | `1.2.0` |
| `1.3.0` | `1.2.3` | `1.3.0` |
+| `1.4.0` | `1.3.0` | `1.4.0` |
## Installation
@@ -65,9 +66,9 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.enabled` | Install azure keyvault provider on linux nodes | true |
| `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
-| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.3.0` |
+| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.4.0` |
| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
-| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` |
+| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` |
| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` |
| `linux.podLabels` | Additional pod labels | `{}` |
| `linux.podAnnotations` | Additional pod annotations | `{}` |
@@ -86,7 +87,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `windows.enabled` | Install azure keyvault provider on windows nodes | false |
| `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.3.0` |
+| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.4.0` |
| `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` |
| `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` |
| `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` |
@@ -112,15 +113,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` |
| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` |
| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.2.3` |
+| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.0` |
| `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.5.1` |
+| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.6.2` |
| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` |
| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.7.0` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.8.0` |
| `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` |
-| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.2.3` |
+| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.3.0` |
| `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false |
| `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` |
@@ -129,13 +130,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` |
| `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` |
| `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.2.3` |
+| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.3.0` |
| `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
| `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.5.1` |
+| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.6.2` |
| `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` |
| `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.7.0` |
+| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.8.0` |
| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
@@ -144,3 +145,4 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `rbac.install` | Install default service account | true |
| `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver AKV provider pod(s) | false |
| `constructPEMChain` | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | `true` |
+| `writeCertAndKeyInSeparateFiles` | Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file. | `false` |
diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml
index 9ba4b0874..fb7a98614 100644
--- a/charts/csi-secrets-store-provider-azure/arc-values.yaml
+++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml
@@ -15,7 +15,7 @@ logVerbosity: 0
linux:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: []
@@ -58,7 +58,7 @@ linux:
windows:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: []
@@ -112,20 +112,20 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
crds:
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
podAnnotations:
prometheus.io/scrape: "true"
@@ -137,22 +137,22 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
enableSecretRotation: false
rotationPollInterval: 2m
# Refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html for more details on actions to take before enabling this feature
filteredWatchSecret: true
-
+
syncSecret:
enabled: false
diff --git a/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml b/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
index 4f4ea873b..d82f07dd8 100644
--- a/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
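Review bot: The new `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` gate on line 1 silently drops the PodSecurityPolicy when the chart is rendered without a live cluster (`helm template`, or a client-side `--dry-run`), because the default capability set depends on the Helm build and, on builds linked against Kubernetes libraries that no longer know PSP, will not contain it — so `rbac.pspEnabled: true` then yields no PSP and no error. A template comment on the line would record that, e.g. `{{/* PSP is absent on k8s >= 1.25; offline renders need --api-versions policy/v1beta1/PodSecurityPolicy */}}`, and the identical three-part condition is also pasted into role.yaml and rolebinding.yaml in this commit, so moving it into a named helper in _helpers.tpl would keep the three templates from drifting. If the intent is that a user who explicitly enables PSP on a cluster without it should be told, a `fail` in the else branch would make the mismatch explicit rather than silent.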
diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
index e8887bb3e..39ac6fdad 100644
--- a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
@@ -48,6 +48,9 @@ spec:
- --healthz-port={{ .Values.windows.healthzPort }}
- --healthz-path={{ .Values.windows.healthzPath }}
- --healthz-timeout={{ .Values.windows.healthzTimeout }}
+ {{- if .Values.writeCertAndKeyInSeparateFiles }}
+ - --write-cert-and-key-in-separate-files={{ .Values.writeCertAndKeyInSeparateFiles }}
+ {{- end }}
livenessProbe:
httpGet:
path: {{ .Values.windows.healthzPath }}
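Review bot: The new `--write-cert-and-key-in-separate-files={{ .Values.writeCertAndKeyInSeparateFiles }}` argument is only emitted inside `{{- if .Values.writeCertAndKeyInSeparateFiles }}`, so the interpolation can never render the documented `false`; and because a Helm `if` treats any non-empty string as truthy, a quoted value such as `"false"` or `"no"` in a user's values file would pass that literal string to the binary, which will be rejected at startup if the flag is parsed as a Go bool and leave the DaemonSet crash-looping. Either hard-code the guarded form, `- --write-cert-and-key-in-separate-files=true`, or drop the guard and forward the value unconditionally the way the adjacent `--healthz-*` arguments are, and pin the type with a `values.schema.json` entry (`"writeCertAndKeyInSeparateFiles": {"type": "boolean"}`). The linux template gets the same three lines in this commit (provider-azure-installer.yaml, hunk at -63) and needs the same treatment. The container `args` list this sits in begins before the hunk.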
diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
index 5f3603c4d..cb222c5d3 100644
--- a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
@@ -24,7 +24,7 @@ spec:
{{- end }}
{{- if .Values.enableArcExtension }}
{{- if .Values.arc.enableMonitoring }}
- prometheus.io/scrape: "true"
+ prometheus.io/scrape: "true"
prometheus.io/port: "8898"
{{- end }}
{{- end }}
@@ -63,6 +63,9 @@ spec:
- --healthz-port={{ .Values.linux.healthzPort }}
- --healthz-path={{ .Values.linux.healthzPath }}
- --healthz-timeout={{ .Values.linux.healthzTimeout }}
+ {{- if .Values.writeCertAndKeyInSeparateFiles }}
+ - --write-cert-and-key-in-separate-files={{ .Values.writeCertAndKeyInSeparateFiles }}
+ {{- end }}
livenessProbe:
httpGet:
path: {{ .Values.linux.healthzPath }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/role.yaml b/charts/csi-secrets-store-provider-azure/templates/role.yaml
index 9c08f8764..f995023c2 100644
--- a/charts/csi-secrets-store-provider-azure/templates/role.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
diff --git a/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml b/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
index 590f5a262..14365fc61 100644
--- a/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml
index c609fcc48..74b86829d 100644
--- a/charts/csi-secrets-store-provider-azure/values.yaml
+++ b/charts/csi-secrets-store-provider-azure/values.yaml
@@ -17,10 +17,13 @@ enableArcExtension: false
linux:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
- tolerations: []
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ # An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.
+ tolerations:
+ - operator: Exists
enabled: true
resources:
requests:
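Review bot: The new default `tolerations: [{operator: Exists}]` on the linux block tolerates every taint — control-plane `NoSchedule` taints and any custom taints that reserve dedicated node pools included — so the provider DaemonSet, which the deployment manifests in this commit run with `hostNetwork: true` and a hostPath mount of the providers directory, will now be scheduled onto nodes that previous chart versions kept it off, for every chart user rather than only those who opt in. The inline comment explains what the toleration matches but not why the default changed; a line such as `# Default changed from [] so the provider is scheduled on every node, including tainted ones; narrow this on clusters that keep control-plane or dedicated pools clean` would record the intent for operators reviewing an upgrade. The same default is introduced for the windows block (hunk at -60), in deployment/provider-azure-installer.yaml and in deployment/provider-azure-installer-windows.yaml, while the README's `windows.tolerations` row in this commit still documents `{}` and arc-values.yaml keeps `tolerations: []`, so the documentation and the Arc values are now inconsistent with the chart default.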
@@ -60,10 +63,13 @@ linux:
windows:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
- tolerations: []
+ # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+ # An empty key with operator Exists matches all keys, values and effects which means this will tolerate everything.
+ tolerations:
+ - operator: Exists
enabled: false
resources:
requests:
@@ -114,20 +120,20 @@ secrets-store-csi-driver:
priorityClassName: ""
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
crds:
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
providersDir: /var/run/secrets-store-csi-providers
@@ -138,22 +144,22 @@ secrets-store-csi-driver:
priorityClassName: ""
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.3
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
enableSecretRotation: false
rotationPollInterval: 2m
# Refer to https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html for more details on actions to take before enabling this feature
filteredWatchSecret: true
-
+
syncSecret:
enabled: false
@@ -167,3 +173,6 @@ rbac:
# explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT
constructPEMChain: true
+
+# Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file.
+writeCertAndKeyInSeparateFiles: false
diff --git a/deployment/pod-security-policy.yaml b/deployment/pod-security-policy.yaml
deleted file mode 100644
index edd3e8ac7..000000000
--- a/deployment/pod-security-policy.yaml
+++ /dev/null
@@ -1,101 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: allow-csi-driver
-spec:
- seLinux:
- rule: RunAsAny
- volumes:
- - csi
- - hostPath
- - secret
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
- privileged: true
- hostNetwork: true
- hostPorts:
- - min: 9808
- max: 9808
- allowedHostPaths:
- - pathPrefix: /etc/kubernetes/secrets-store-csi-providers
- - pathPrefix: /var/lib/kubelet
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:allow-csi-driver
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - allow-csi-driver
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:allow-csi-driver
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:allow-csi-driver
-subjects:
-- kind: ServiceAccount
- name: secrets-store-csi-driver
- namespace: default
-- kind: ServiceAccount
- name: csi-secrets-store-provider-azure
- namespace: default
-- kind: Group
- name: system:authenticated
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: allow-csi-driver-provider-azure
-spec:
- seLinux:
- rule: RunAsAny
- privileged: true
- volumes:
- - hostPath
- - secret
- hostNetwork: true
- hostPorts:
- - min: 0
- max: 65535
- fsGroup:
- rule: RunAsAny
- runAsUser:
- rule: RunAsAny
- supplementalGroups:
- rule: RunAsAny
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: psp:allow-csi-driver-provider-azure
-rules:
-- apiGroups: ['extensions']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - allow-csi-driver-provider-azure
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: default:allow-csi-driver-provider-azure
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: psp:allow-csi-driver-provider-azure
-subjects:
-- kind: ServiceAccount
- name: csi-secrets-store-provider-azure
- namespace: default
diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml
index ab6dc0628..1e4c28cd1 100644
--- a/deployment/provider-azure-installer-windows.yaml
+++ b/deployment/provider-azure-installer-windows.yaml
@@ -23,7 +23,7 @@ spec:
serviceAccountName: csi-secrets-store-provider-azure
containers:
- name: provider-azure-installer
- image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.3.0
+ image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.0
imagePullPolicy: IfNotPresent
args:
- --endpoint=unix://C:\\provider\\azure.sock
@@ -63,5 +63,7 @@ spec:
hostPath:
path: "C:\\k\\secrets-store-csi-providers"
type: DirectoryOrCreate
+ tolerations:
+ - operator: Exists
nodeSelector:
kubernetes.io/os: windows
diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml
index 5bfd747d3..fb059ba0c 100644
--- a/deployment/provider-azure-installer.yaml
+++ b/deployment/provider-azure-installer.yaml
@@ -24,7 +24,7 @@ spec:
hostNetwork: true
containers:
- name: provider-azure-installer
- image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.3.0
+ image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.0
imagePullPolicy: IfNotPresent
args:
- --endpoint=unix:///provider/azure.sock
@@ -70,5 +70,7 @@ spec:
- name: providervol
hostPath:
path: "/var/run/secrets-store-csi-providers"
+ tolerations:
+ - operator: Exists
nodeSelector:
kubernetes.io/os: linux
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock
index c5d6dc45e..2e026343e 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.2.4
-digest: sha256:d97bc6f56c988ff2122036e7c89eac097f7200cd2923e1d3602dd3144a62bc64
-generated: "2022-12-02T00:01:43.727185604Z"
+ version: 1.3.0
+digest: sha256:fe75dc495385275b6cd108f2684d06d990dadbe8be9d82adba637b362c2b51a9
+generated: "2022-12-14T04:06:15.0527901Z"
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml
index 380fc75be..76c7bd3f8 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: csi-secrets-store-provider-azure
-version: 1.3.0
-appVersion: 1.3.0
+version: 1.4.0
+appVersion: 1.4.0
kubeVersion: ">=1.16.0-0"
description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
sources:
@@ -13,5 +13,5 @@ maintainers:
dependencies:
- name: secrets-store-csi-driver
repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
- version: 1.2.4
+ version: 1.3.0
condition: secrets-store-csi-driver.install
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md
index 7d926dda1..7121497dc 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md
@@ -18,6 +18,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c
| `1.2.1` | `1.2.0` | `1.2.0` |
| `1.2.2` | `1.2.2` | `1.2.0` |
| `1.3.0` | `1.2.3` | `1.3.0` |
+| `1.4.0` | `1.3.0` | `1.4.0` |
## Installation
@@ -65,7 +66,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.enabled` | Install azure keyvault provider on linux nodes | true |
| `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` |
-| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.3.0` |
+| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.4.0` |
| `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` |
| `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` |
| `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` |
@@ -86,7 +87,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `windows.enabled` | Install azure keyvault provider on windows nodes | false |
| `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
-| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.3.0` |
+| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.4.0` |
| `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` |
| `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` |
| `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` |
@@ -112,15 +113,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` |
| `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` |
| `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.2.3` |
+| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.0` |
| `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
| `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.5.1` |
+| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.6.2` |
| `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` |
| `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.7.0` |
+| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.8.0` |
| `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` |
-| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.2.3` |
+| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.3.0` |
| `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` |
| `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false |
| `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` |
@@ -129,13 +130,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` |
| `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` |
| `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.2.3` |
+| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.3.0` |
| `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` |
| `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.5.1` |
+| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.6.2` |
| `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` |
| `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` |
-| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.7.0` |
+| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.8.0` |
| `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` |
| `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` |
| `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` |
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml
index 092829032..fb7a98614 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml
@@ -15,7 +15,7 @@ logVerbosity: 0
linux:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: []
@@ -58,7 +58,7 @@ linux:
windows:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
tolerations: []
@@ -112,20 +112,20 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
crds:
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
podAnnotations:
prometheus.io/scrape: "true"
@@ -137,15 +137,15 @@ secrets-store-csi-driver:
metricsAddr: ":8080"
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
enableSecretRotation: false
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
index d2c3b6199..cb222c5d3 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
@@ -22,14 +22,18 @@ spec:
{{- if .Values.linux.podAnnotations}}
{{- toYaml .Values.linux.podAnnotations | nindent 8 }}
{{- end }}
-{{- if and .Values.enableArcExtension .Values.arc.enableMonitoring }}
- prometheus.io/scrape: "true"
+{{- if .Values.enableArcExtension }}
+{{- if .Values.arc.enableMonitoring }}
+ prometheus.io/scrape: "true"
prometheus.io/port: "8898"
{{- end }}
+{{- end }}
# this will ensure pods are rolled in next helm upgrade if cert files are updated.
-{{- if and .Values.enableArcExtension .Values.Azure.proxySettings.isProxyEnabled }}
+{{- if .Values.enableArcExtension }}
+{{- if .Values.Azure.proxySettings.isProxyEnabled }}
checksum/arc-proxy-config: {{ include (print $.Template.BasePath "/arc-proxy-secret.yaml") . | sha256sum }}
{{- end }}
+{{- end }}
{{- end }}
spec:
{{- if .Values.imagePullSecrets }}
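Review bot: The rationale for splitting the two `and` conditions into nested `if` blocks (the monitoring annotations and, again, the `checksum/arc-proxy-config` annotation) is not recorded in the template, and a reader is likely to fold them back into a single `and` as a cleanup. If the intent is, as seems likely, to keep `.Values.arc.enableMonitoring` and `.Values.Azure.proxySettings.isProxyEnabled` from being evaluated when `enableArcExtension` is false and those sub-maps are absent (Go's template `and` evaluates every argument in the Go versions older Helm builds use, so a missing map fails the render), that should be stated once above the first nested block, e.g. `{{- /* nested ifs, not "and": arc.* and Azure.* values may be unset unless enableArcExtension is true */ -}}`. The annotations block these lines belong to begins before the hunk, so the outer `{{- end }}` it closes is not visible here.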
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml
index b893f5279..74b86829d 100644
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml
@@ -17,7 +17,7 @@ enableArcExtension: false
linux:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
@@ -63,7 +63,7 @@ linux:
windows:
image:
repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
- tag: v1.3.0
+ tag: v1.4.0
pullPolicy: IfNotPresent
nodeSelector: {}
# ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
@@ -120,20 +120,20 @@ secrets-store-csi-driver:
priorityClassName: ""
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
crds:
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
providersDir: /var/run/secrets-store-csi-providers
@@ -144,15 +144,15 @@ secrets-store-csi-driver:
priorityClassName: ""
image:
repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
- tag: v1.2.4
+ tag: v1.3.0
pullPolicy: IfNotPresent
registrarImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
- tag: v2.5.1
+ tag: v2.6.2
pullPolicy: IfNotPresent
livenessProbeImage:
repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
- tag: v2.7.0
+ tag: v2.8.0
pullPolicy: IfNotPresent
enableSecretRotation: false
diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml
index 430743534..1e4c28cd1 100644
--- a/manifest_staging/deployment/provider-azure-installer-windows.yaml
+++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml
@@ -23,7 +23,7 @@ spec:
serviceAccountName: csi-secrets-store-provider-azure
containers:
- name: provider-azure-installer
- image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.3.0
+ image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.0
imagePullPolicy: IfNotPresent
args:
- --endpoint=unix://C:\\provider\\azure.sock
diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml
index bd145ecfe..fb059ba0c 100644
--- a/manifest_staging/deployment/provider-azure-installer.yaml
+++ b/manifest_staging/deployment/provider-azure-installer.yaml
@@ -24,7 +24,7 @@ spec:
hostNetwork: true
containers:
- name: provider-azure-installer
- image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.3.0
+ image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.0
imagePullPolicy: IfNotPresent
args:
- --endpoint=unix:///provider/azure.sock
diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go
index ee1ed7a42..6ecefc6c7 100644
--- a/test/e2e/framework/config.go
+++ b/test/e2e/framework/config.go
@@ -18,7 +18,7 @@ type Config struct {
KeyvaultName string `envconfig:"KEYVAULT_NAME"`
Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"`
ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"`
- ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.3.0"`
+ ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.4.0"`
IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"`
IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"`
IsGPUTest bool `envconfig:"TEST_GPU" default:"false"`
diff --git a/test/e2e/framework/deploy/deploy.go b/test/e2e/framework/deploy/deploy.go
index 93a6603a1..0bfc66a64 100644
--- a/test/e2e/framework/deploy/deploy.go
+++ b/test/e2e/framework/deploy/deploy.go
@@ -23,7 +23,7 @@ import (
)
var (
- driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.1.0/deploy"
+ driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.3.0/deploy"
providerResourceDirectory = "manifest_staging/deployment"
driverResources = []string{