release: update manifest and helm charts for 0.0.15 (#509)

Signed-off-by: Anish Ramasekar <[email protected]>
Azure · May 18, 2021 · aec6376 · aec6376
1 parent a8a75aa
commit aec6376
Show file tree

Hide file tree

Showing 24 changed files with 215 additions and 65 deletions.
diff --git a/charts/csi-secrets-store-provider-azure-0.0.19.tgz b/charts/csi-secrets-store-provider-azure-0.0.19.tgz
diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 name: csi-secrets-store-provider-azure
-version: 0.0.18
-appVersion: 0.0.14
+version: 0.0.19
+appVersion: 0.0.15
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
 sources:

diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md
diff --git a/charts/csi-secrets-store-provider-azure/requirements.lock b/charts/csi-secrets-store-provider-azure/requirements.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
-  version: 0.0.21
-digest: sha256:60e7b4b099046b358fa55d84e2261eb231513ebb5f86b675c92d7ff11f410b82
-generated: "2021-04-01T15:27:53.43388-07:00"
+  version: 0.0.22
+digest: sha256:df1deee5af1d441df8fa62cfbf77eed5e62de380328ccede902fc3c3022a1b10
+generated: "2021-05-17T16:07:49.551453-07:00"
diff --git a/charts/csi-secrets-store-provider-azure/requirements.yaml b/charts/csi-secrets-store-provider-azure/requirements.yaml
@@ -1,5 +1,5 @@
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
-  version: 0.0.21
+  version: 0.0.22
   condition: secrets-store-csi-driver.install
diff --git a/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl b/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl
@@ -32,3 +32,7 @@ labels:
   app: {{ template "sscdpa.name" . }}
   helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 {{- end -}}
+
+{{- define "sscdpa.psp.fullname" -}}
+{{- printf "%s-psp" (include "sscdpa.fullname" .) -}}
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml b/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ template "sscdpa.psp.fullname" . }}
+{{ include "sscdpa.labels" . | indent 2 }}
+spec:
+  seLinux:
+    rule: RunAsAny
+  privileged: true
+  volumes:
+    - hostPath
+    - secret
+  hostNetwork: true
+  hostPorts:
+    - min: 0
+      max: 65535
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
@@ -29,8 +29,8 @@ spec:
       serviceAccountName: csi-secrets-store-provider-azure
       containers:
         - name: provider-azure-installer
-          image: "{{ .Values.image.repository | default .Values.windows.image.repository }}:{{ .Values.image.tag | default .Values.windows.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.windows.image.pullPolicy }}
+          image: "{{ .Values.windows.image.repository }}:{{ .Values.windows.image.tag }}"
+          imagePullPolicy: {{ .Values.windows.image.pullPolicy }}
           args:
             - --endpoint=unix://C:\\provider\\azure.sock
             {{- if .Values.logFormatJSON }}
@@ -48,6 +48,9 @@ spec:
             - --healthz-port={{ .Values.windows.healthzPort }}
             - --healthz-path={{ .Values.windows.healthzPath }}
             - --healthz-timeout={{ .Values.windows.healthzTimeout }}
+            {{- if .Values.driverWriteSecrets }}
+            - --driver-write-secrets={{ .Values.driverWriteSecrets }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.windows.healthzPath }}
@@ -64,6 +67,11 @@ spec:
             - name: mountpoint-dir
               mountPath: "C:\\var\\lib\\kubelet\\pods"
               mountPropagation: HostToContainer
+            {{- if .Values.windows.volumeMounts }}
+            {{- toYaml .Values.windows.volumeMounts | nindent 12 }}
+            {{- end}}
+      affinity:
+{{ toYaml .Values.windows.affinity | indent 8 }}
       {{- if .Values.windows.priorityClassName }}
       priorityClassName: {{ .Values.windows.priorityClassName | quote }}
       {{- end }}
@@ -75,6 +83,9 @@ spec:
         - name: mountpoint-dir
           hostPath:
             path: C:\var\lib\kubelet\pods\
+        {{- if .Values.windows.volumes }}
+        {{- toYaml .Values.windows.volumes | nindent 8 }}
+        {{- end}}
       nodeSelector:
         kubernetes.io/os: windows
 {{- if .Values.windows.nodeSelector }}

diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
@@ -30,8 +30,8 @@ spec:
       hostNetwork: true
       containers:
         - name: provider-azure-installer
-          image: "{{ .Values.image.repository | default .Values.linux.image.repository }}:{{ .Values.image.tag | default .Values.linux.image.tag }}"
-          imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.linux.image.pullPolicy }}
+          image: "{{ .Values.linux.image.repository }}:{{ .Values.linux.image.tag }}"
+          imagePullPolicy: {{ .Values.linux.image.pullPolicy }}
           args:
             - --endpoint=unix:///provider/azure.sock
             {{- if .Values.logFormatJSON }}
@@ -49,6 +49,9 @@ spec:
             - --healthz-port={{ .Values.linux.healthzPort }}
             - --healthz-path={{ .Values.linux.healthzPath }}
             - --healthz-timeout={{ .Values.linux.healthzTimeout }}
+            {{- if .Values.driverWriteSecrets }}
+            - --driver-write-secrets={{ .Values.driverWriteSecrets }}
+            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.linux.healthzPath }}
@@ -69,6 +72,11 @@ spec:
             - name: mountpoint-dir
               mountPath: /var/lib/kubelet/pods
               mountPropagation: HostToContainer
+            {{- if .Values.linux.volumeMounts }}
+            {{- toYaml .Values.linux.volumeMounts | nindent 12 }}
+            {{- end}}
+      affinity:
+{{ toYaml .Values.linux.affinity | indent 8 }}
       {{- if .Values.linux.priorityClassName }}
       priorityClassName: {{ .Values.linux.priorityClassName | quote }}
       {{- end }}
@@ -79,6 +87,9 @@ spec:
         - name: mountpoint-dir
           hostPath:
             path: "/var/lib/kubelet/pods"
+        {{- if .Values.linux.volumes }}
+        {{- toYaml .Values.linux.volumes | nindent 8 }}
+        {{- end}}
       nodeSelector:
         kubernetes.io/os: linux
 {{- if .Values.linux.nodeSelector }}

diff --git a/charts/csi-secrets-store-provider-azure/templates/role.yaml b/charts/csi-secrets-store-provider-azure/templates/role.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "sscdpa.psp.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{ include "sscdpa.labels" . | indent 2 }}
+rules:
+  - apiGroups: [ 'policy' ]
+    resources: [ 'podsecuritypolicies' ]
+    verbs: [ 'use' ]
+    resourceNames:
+      - {{ template "sscdpa.psp.fullname" . }}
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml b/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "sscdpa.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{ include "sscdpa.labels" . | indent 2 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "sscdpa.psp.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: csi-secrets-store-provider-azure
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml
@@ -1,9 +1,3 @@
-# [DEPRECATED] use linux.image and windows.image instead.
-image:
-  repository: ""
-  tag: ""
-  pullPolicy: ""
-
 # One or more secrets to be used when pulling images
 imagePullSecrets: []
 # - name: myRegistryKeySecretName
@@ -18,7 +12,7 @@ logVerbosity: 0
 linux:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: 0.0.14
+    tag: 0.0.15
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []
@@ -44,11 +38,22 @@ linux:
   healthzPort: 8989
   healthzPath: "/healthz"
   healthzTimeout: "5s"
+  volumes: []
+  volumeMounts: []
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: type
+            operator: NotIn
+            values:
+            - virtual-kubelet
 
 windows:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: 0.0.14
+    tag: 0.0.15
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []
@@ -73,6 +78,17 @@ windows:
   healthzPort: 8989
   healthzPath: "/healthz"
   healthzTimeout: "5s"
+  volumes: []
+  volumeMounts: []
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: type
+            operator: NotIn
+            values:
+            - virtual-kubelet
 
 ## Configuration values for the secrets-store-csi-driver dependency.
 ## ref: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md
@@ -85,15 +101,15 @@ secrets-store-csi-driver:
     metricsAddr: ":8080"
     image:
       repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
-      tag: v0.0.21
+      tag: v0.0.22
       pullPolicy: IfNotPresent
     registrarImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
-      tag: v2.1.0
+      tag: v2.2.0
       pullPolicy: IfNotPresent
     livenessProbeImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
-      tag: v2.2.0
+      tag: v2.3.0
       pullPolicy: IfNotPresent
 
   windows:
@@ -102,15 +118,15 @@ secrets-store-csi-driver:
     metricsAddr: ":8080"
     image:
       repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
-      tag: v0.0.21
+      tag: v0.0.22
       pullPolicy: IfNotPresent
     registrarImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
-      tag: v2.1.0
+      tag: v2.2.0
       pullPolicy: IfNotPresent
     livenessProbeImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
-      tag: v2.2.0
+      tag: v2.3.0
       pullPolicy: IfNotPresent
 
   enableSecretRotation: false
@@ -121,6 +137,10 @@ secrets-store-csi-driver:
 ## Install default service account
 rbac:
   install: true
+  pspEnabled: false
 
 # explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT
 constructPEMChain: false
+
+# Return secrets in grpc response to the driver (supported in driver v0.0.21+) instead of writing to filesystem
+driverWriteSecrets: false
diff --git a/charts/index.yaml b/charts/index.yaml
@@ -1,6 +1,27 @@
 apiVersion: v1
 entries:
   csi-secrets-store-provider-azure:
+  - apiVersion: v1
+    appVersion: 0.0.15
+    created: "2021-05-17T16:10:33.398158-07:00"
+    dependencies:
+    - condition: secrets-store-csi-driver.install
+      name: secrets-store-csi-driver
+      repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
+      version: 0.0.22
+    description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
+    digest: c0ab718115bf88065c0dfb060a825217eeb6784b79067c36922619fba0e9c78b
+    home: https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - email: [email protected]
+      name: Anish Ramasekar
+    name: csi-secrets-store-provider-azure
+    sources:
+    - https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    urls:
+    - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.19.tgz
+    version: 0.0.19
   - apiVersion: v1
     appVersion: 0.0.14
     created: "2021-04-01T16:48:44.791244-07:00"
@@ -295,4 +316,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.5.tgz
     version: 0.0.5
-generated: "2021-04-01T16:48:44.78798-07:00"
+generated: "2021-05-17T16:10:33.395556-07:00"
diff --git a/deployment/pod-security-policy.yaml b/deployment/pod-security-policy.yaml
@@ -61,16 +61,20 @@ metadata:
 spec:
   seLinux:
     rule: RunAsAny
+  privileged: true
   volumes:
   - hostPath
+  - secret
+  hostNetwork: true
+  hostPort:
+  - min: 0
+  - max: 65535
   fsGroup:
     rule: RunAsAny
   runAsUser:
     rule: RunAsAny
   supplementalGroups:
     rule: RunAsAny
-  allowedHostPaths:
-    - pathPrefix: /etc/kubernetes/secrets-store-csi-providers
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml
@@ -23,7 +23,7 @@ spec:
       serviceAccountName: csi-secrets-store-provider-azure
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix://C:\\provider\\azure.sock
@@ -52,6 +52,15 @@ spec:
             - name: mountpoint-dir
               mountPath: "C:\\var\\lib\\kubelet\\pods"
               mountPropagation: HostToContainer
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: type
+                operator: NotIn
+                values:
+                - virtual-kubelet
       volumes:
         - name: providervol
           hostPath:

diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml
@@ -24,7 +24,7 @@ spec:
       hostNetwork: true
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix:///provider/azure.sock
@@ -53,6 +53,15 @@ spec:
             - name: mountpoint-dir
               mountPath: /var/lib/kubelet/pods
               mountPropagation: HostToContainer
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: type
+                operator: NotIn
+                values:
+                - virtual-kubelet
       volumes:
         - name: providervol
           hostPath: