From 2be4c03df176149bba653ae1f040519bc3c612fa Mon Sep 17 00:00:00 2001 From: Adrien Date: Sat, 10 Oct 2020 13:11:17 +0200 Subject: [PATCH] Update from upstream --- bin/update.sh | 6 +- .../csi-secrets-store-DaemonSet.yaml | 27 ++- ...ecretproviderclasses-role-ClusterRole.yaml | 15 ++ ...csi.x-k8s.io-CustomResourceDefinition.yaml | 162 +++++++++--------- tasks/digital_ocean.yml | 28 +-- tasks/linode.yml | 22 +-- vars/digitalocean.yaml | 26 +++ vars/linode.yaml | 20 +++ 8 files changed, 178 insertions(+), 128 deletions(-) create mode 100644 vars/digitalocean.yaml create mode 100644 vars/linode.yaml diff --git a/bin/update.sh b/bin/update.sh index 27eac07..47e1fa8 100755 --- a/bin/update.sh +++ b/bin/update.sh @@ -33,7 +33,8 @@ wget https://raw.githubusercontent.com/linode/linode-blockstorage-csi-driver/mas kubernetes-split-yaml linode-blockstorage-csi-driver.yaml > generated.log mv files/linode{,.old} mv generated files/linode -cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "linode/\2"|' +echo -e "---\nstorage_linode_files_list:" > vars/linode.yaml +cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "linode/\2"|' >> vars/linode.yaml sed -e /is-default-class/d -e /annotations/d -i files/linode/linode-block-storage-StorageClass.yaml sed -e /is-default-class/d -e /annotations/d -i files/linode/linode-block-storage-retain-StorageClass.yaml rm -fr files/linode.old generated.log linode-blockstorage-csi-driver.yaml 
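Review bot: The new `>> vars/linode.yaml` redirect runs after the file has been truncated by the `echo`, and nothing visible in the hunk checks that the download or `kubernetes-split-yaml` succeeded. A failed or partial run therefore leaves a vars file whose key is empty or shortened, unless the script sets `set -e` outside the hunk. Building the list in a temporary file and moving it into place only on success avoids that, e.g. `... >> vars/linode.yaml.tmp && mv vars/linode.yaml.tmp vars/linode.yaml`, and `printf '%s\n' '---' 'storage_linode_files_list:'` is more portable than `echo -e`. Because this list now decides which upstream manifests the role applies, the download (which appears to track a branch rather than a tag) is worth pinning to a release tag or commit so regenerated entries are reviewed before they reach a cluster.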
@@ -42,11 +43,12 @@ rm -fr files/linode.old generated.log linode-blockstorage-csi-driver.yaml DO_CSI_VERSION=2.0.0 mv files/digitalocean{,.old} mkdir files/digitalocean +echo -e "---\nstorage_linode_files_list:" > vars/digitalocean.yaml for FICHIER in crds.yaml driver.yaml snapshot-controller.yaml; do wget https://github.com/digitalocean/csi-digitalocean/raw/master/deploy/kubernetes/releases/csi-digitalocean-v${DO_CSI_VERSION}/$FICHIER kubernetes-split-yaml $FICHIER >> generated.log mv generated/* files/digitalocean/ - cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "digitalocean/\2"|' + cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sort -V | sed 's|.*\(generated/\)\(.*\.yaml\)| - "digitalocean/\2"|' >> vars/digitalocean.yaml rm -f $FICHIER generated.log done for i in do-block-storage-StorageClass.yaml do-block-storage-VolumeSnapshotClass.yaml; do diff --git a/files/secrets-store/csi-secrets-store-DaemonSet.yaml b/files/secrets-store/csi-secrets-store-DaemonSet.yaml index e44a0a5..c518b73 100644 --- a/files/secrets-store/csi-secrets-store-DaemonSet.yaml +++ b/files/secrets-store/csi-secrets-store-DaemonSet.yaml 
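Review bot: The header written to `vars/digitalocean.yaml` uses the Linode key `storage_linode_files_list`, while `tasks/digital_ocean.yml` in this same patch iterates over `storage_digitalocean_files_list`. Unless that name is defined elsewhere in the role, the DigitalOcean task references an undefined variable, and if both vars files are loaded in one play the DigitalOcean list would replace the Linode one. The line should read `echo -e "---\nstorage_digitalocean_files_list:" > vars/digitalocean.yaml`. The committed `vars/digitalocean.yaml` added later in this patch carries the same wrong key on its second line and needs regenerating.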
@@ -42,14 +42,23 @@ spec: mountPath: /csi - name: registration-dir mountPath: /registration + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi - name: secrets-store - image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.13 + image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.16 args: - "--debug=true" - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" - - "--metrics-addr=:8080" + - "--metrics-addr=:8095" + - "--enable-secret-rotation=false" + - "--rotation-poll-interval=2m" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock @@ -81,6 +90,13 @@ spec: mountPropagation: Bidirectional - name: providers-dir mountPath: /etc/kubernetes/secrets-store-csi-providers + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 50m + memory: 100Mi - name: liveness-probe image: quay.io/k8scsi/livenessprobe:v2.0.0 imagePullPolicy: Always @@ -92,6 +108,13 @@ spec: volumeMounts: - name: plugin-dir mountPath: /csi + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi volumes: - name: mountpoint-dir hostPath: diff --git a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml index 0c407d6..94451a0 100644 --- a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml +++ b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml @@ -4,6 +4,21 @@ metadata: creationTimestamp: null name: secretproviderclasses-role rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch - apiGroups: - secrets-store.csi.x-k8s.io resources: 
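Review bot: The driver image is bumped to `v0.0.16` but is still referenced by tag only. Pinning the digest, `image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.16@sha256:<digest>`, keeps the deployed binary independent of tag re-pushes. The metrics listener also moves from `:8080` to `:8095` with no host part, so any containerPort, probe, scrape configuration or NetworkPolicy outside this hunk that still names 8080 needs the same change. `--debug=true` stays in the args, which is worth confirming for a component that handles secret material. The container spec continues outside the hunk.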
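Review bot: The added rule grants `get`, `list` and `watch` on `pods` in the core API group through a ClusterRole, so the bound service account can read pod specs in every namespace, and the manifest does not say which feature needs it. The DaemonSet in this same patch sets `--enable-secret-rotation=false`, so it is worth confirming that the pod read access is required in this deployment. If it is, a one-line comment above the rule such as `# pods get/list/watch: required by <feature>; drop if unused` records the justification. The rules list continues outside the hunk.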
diff --git a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml index bab9954..8613dcf 100644 --- a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml +++ b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml @@ -1,8 +1,8 @@ -apiVersion: apiextensions.k8s.io/v1beta1 +apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.3.0 + controller-gen.kubebuilder.io/version: v0.4.0 creationTimestamp: null name: secretproviderclasses.secrets-store.csi.x-k8s.io spec: 
@@ -12,89 +12,87 @@ spec: listKind: SecretProviderClassList plural: secretproviderclasses singular: secretproviderclass - preserveUnknownFields: false scope: Namespaced - validation: - openAPIV3Schema: - description: SecretProviderClass is the Schema for the secretproviderclasses - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretProviderClassSpec defines the desired state of SecretProviderClass - properties: - parameters: - additionalProperties: - type: string - description: Configuration for specific provider - type: object - provider: - description: Configuration for provider name - type: string - secretObjects: - items: - description: SecretObject defines the desired state of synced K8s - secret objects - properties: - data: - items: - description: SecretObjectData defines the desired state of synced - K8s secret object data - properties: - key: - description: data field to populate - type: string - objectName: - description: name of the object to sync - type: string - type: object - type: array - labels: - additionalProperties: - type: string - description: labels of K8s secret object - type: object - secretName: - description: name of the K8s secret object - type: string - type: - description: type of K8s secret object - type: string - type: object - type: array - type: 
object - status: - description: SecretProviderClassStatus defines the observed state of SecretProviderClass - properties: - byPod: - items: - description: ByPodStatus defines the state of SecretProviderClass - as seen by an individual controller - properties: - id: - description: id of the pod that wrote the status - type: string - namespace: - description: namespace of the pod that wrote the status - type: string - type: object - type: array - type: object - type: object - version: v1alpha1 versions: - name: v1alpha1 + schema: + openAPIV3Schema: + description: SecretProviderClass is the Schema for the secretproviderclasses + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: SecretProviderClassSpec defines the desired state of SecretProviderClass + properties: + parameters: + additionalProperties: + type: string + description: Configuration for specific provider + type: object + provider: + description: Configuration for provider name + type: string + secretObjects: + items: + description: SecretObject defines the desired state of synced K8s + secret objects + properties: + data: + items: + description: SecretObjectData defines the desired state of + synced K8s secret object data + properties: + key: + description: data field to populate + type: string + objectName: + description: name of the object to sync + type: string + type: object + type: array + labels: + additionalProperties: + type: string + description: labels of K8s secret object + type: object + secretName: + description: name of the K8s secret object + type: string + type: + description: type of K8s secret object + type: string + type: object + type: array + type: object + status: + description: SecretProviderClassStatus defines the observed state of SecretProviderClass + properties: + byPod: + items: + description: ByPodStatus defines the state of SecretProviderClass + as seen by an individual controller + properties: + id: + description: id of the pod that wrote the status + type: string + namespace: + description: namespace of the pod that wrote the status + type: string + type: object + type: array + type: object + type: object served: true storage: true status: diff --git a/tasks/digital_ocean.yml b/tasks/digital_ocean.yml index 36e25c9..24759bd 100644 --- a/tasks/digital_ocean.yml +++ b/tasks/digital_ocean.yml 
@@ -1,5 +1,8 @@ --- # https://github.com/digitalocean/csi-digitalocean + - name: Include file list + include_vars: "digitalocean.yaml" + - name: Defined digitalocean-storage state to present set_fact: storage_digitalocean_state: present @@ -33,27 +36,4 @@ merge_type: merge resource_definition: "{{ lookup('file', item) | from_yaml }}" with_items: - - "digitalocean/volumesnapshotclasses.snapshot.storage.k8s.io-CustomResourceDefinition.yaml" - - "digitalocean/volumesnapshotcontents.snapshot.storage.k8s.io-CustomResourceDefinition.yaml" - - "digitalocean/volumesnapshots.snapshot.storage.k8s.io-CustomResourceDefinition.yaml" - - "digitalocean/dobs.csi.digitalocean.com-CSIDriver.yaml" - - "digitalocean/do-block-storage-VolumeSnapshotClass.yaml" - - "digitalocean/do-block-storage-StorageClass.yaml" - - "digitalocean/csi-do-controller-StatefulSet.yaml" - - "digitalocean/csi-do-controller-sa-ServiceAccount.yaml" - - "digitalocean/csi-do-provisioner-role-ClusterRole.yaml" - - "digitalocean/csi-do-provisioner-binding-ClusterRoleBinding.yaml" - - "digitalocean/csi-do-attacher-role-ClusterRole.yaml" - - "digitalocean/csi-do-attacher-binding-ClusterRoleBinding.yaml" - - "digitalocean/csi-do-snapshotter-role-ClusterRole.yaml" - - "digitalocean/csi-do-snapshotter-binding-ClusterRoleBinding.yaml" - - "digitalocean/csi-do-resizer-role-ClusterRole.yaml" - - "digitalocean/csi-do-resizer-binding-ClusterRoleBinding.yaml" - - "digitalocean/csi-do-node-DaemonSet.yaml" - - "digitalocean/csi-do-node-sa-ServiceAccount.yaml" - - "digitalocean/csi-do-node-driver-registrar-role-ClusterRole.yaml" - - "digitalocean/csi-do-node-driver-registrar-binding-ClusterRoleBinding.yaml" - - "digitalocean/snapshot-controller-StatefulSet.yaml" - - "digitalocean/snapshot-controller-ServiceAccount.yaml" - - "digitalocean/snapshot-controller-role-ClusterRole.yaml" - - "digitalocean/snapshot-controller-binding-ClusterRoleBinding.yaml" + - "{{ storage_digitalocean_files_list }}" 
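Review bot: `with_items` is handed a one-element list wrapping the templated variable, which works only because `with_items` flattens one level. Passing the list directly, `loop: "{{ storage_digitalocean_files_list }}"`, states the intent and fails clearly if the variable is not a list. The same form is used in `tasks/linode.yml`. The task this loop belongs to starts outside the hunk.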
diff --git a/tasks/linode.yml b/tasks/linode.yml index feaa5e1..02b3d06 100644 --- a/tasks/linode.yml +++ b/tasks/linode.yml @@ -1,5 +1,8 @@ --- # https://github.com/linode/linode-blockstorage-csi-driver + - name: Include file list + include_vars: "linode.yaml" + - name: Defined linode-storage state to present set_fact: storage_linode_state: present @@ -34,21 +37,4 @@ merge_type: merge resource_definition: "{{ lookup('file', item) | from_yaml }}" with_items: - - "linode/csinodeinfos.csi.storage.k8s.io-CustomResourceDefinition.yaml" - - "linode/csidrivers.csi.storage.k8s.io-CustomResourceDefinition.yaml" - - "linode/csi-node-sa-ServiceAccount.yaml" - - "linode/driver-registrar-role-ClusterRole.yaml" - - "linode/driver-registrar-binding-ClusterRoleBinding.yaml" - - "linode/csi-controller-sa-ServiceAccount.yaml" - - "linode/external-provisioner-role-ClusterRole.yaml" - - "linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml" - - "linode/external-attacher-role-ClusterRole.yaml" - - "linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml" - - "linode/external-snapshotter-role-ClusterRole.yaml" - - "linode/csi-controller-snapshotter-binding-ClusterRoleBinding.yaml" - - "linode/linodebs.csi.linode.com-CSIDriver.yaml" - - "linode/linode-block-storage-StorageClass.yaml" - - "linode/linode-block-storage-retain-StorageClass.yaml" - - "linode/csi-linode-controller-StatefulSet.yaml" - - "linode/csi-linode-node-DaemonSet.yaml" - - "linode/get-linode-id-ConfigMap.yaml" + - "{{ storage_linode_files_list }}" diff --git a/vars/digitalocean.yaml b/vars/digitalocean.yaml new file mode 100644 index 0000000..d202d28 --- /dev/null +++ b/vars/digitalocean.yaml 
@@ -0,0 +1,26 @@
+---
+storage_linode_files_list:
+ - "digitalocean/volumesnapshotclasses.snapshot.storage.k8s.io-CustomResourceDefinition.yaml"
+ - "digitalocean/volumesnapshotcontents.snapshot.storage.k8s.io-CustomResourceDefinition.yaml"
+ - "digitalocean/volumesnapshots.snapshot.storage.k8s.io-CustomResourceDefinition.yaml"
+ - "digitalocean/dobs.csi.digitalocean.com-CSIDriver.yaml"
+ - "digitalocean/do-block-storage-VolumeSnapshotClass.yaml"
+ - "digitalocean/do-block-storage-StorageClass.yaml"
+ - "digitalocean/csi-do-controller-StatefulSet.yaml"
+ - "digitalocean/csi-do-controller-sa-ServiceAccount.yaml"
+ - "digitalocean/csi-do-provisioner-role-ClusterRole.yaml"
+ - "digitalocean/csi-do-provisioner-binding-ClusterRoleBinding.yaml"
+ - "digitalocean/csi-do-attacher-role-ClusterRole.yaml"
+ - "digitalocean/csi-do-attacher-binding-ClusterRoleBinding.yaml"
+ - "digitalocean/csi-do-snapshotter-role-ClusterRole.yaml"
+ - "digitalocean/csi-do-snapshotter-binding-ClusterRoleBinding.yaml"
+ - "digitalocean/csi-do-resizer-role-ClusterRole.yaml"
+ - "digitalocean/csi-do-resizer-binding-ClusterRoleBinding.yaml"
+ - "digitalocean/csi-do-node-DaemonSet.yaml"
+ - "digitalocean/csi-do-node-sa-ServiceAccount.yaml"
+ - "digitalocean/csi-do-node-driver-registrar-role-ClusterRole.yaml"
+ - "digitalocean/csi-do-node-driver-registrar-binding-ClusterRoleBinding.yaml"
+ - "digitalocean/snapshot-controller-StatefulSet.yaml"
+ - "digitalocean/snapshot-controller-ServiceAccount.yaml"
+ - "digitalocean/snapshot-controller-role-ClusterRole.yaml"
+ - "digitalocean/snapshot-controller-binding-ClusterRoleBinding.yaml"
diff --git a/vars/linode.yaml b/vars/linode.yaml
new file mode 100644
index 0000000..b6314dc
--- /dev/null
+++ b/vars/linode.yaml
@@ -0,0 +1,20 @@
+---
+storage_linode_files_list:
+ - "linode/csinodeinfos.csi.storage.k8s.io-CustomResourceDefinition.yaml"
+ - "linode/csidrivers.csi.storage.k8s.io-CustomResourceDefinition.yaml"
+ - "linode/csi-node-sa-ServiceAccount.yaml"
+ - "linode/driver-registrar-role-ClusterRole.yaml"
+ - "linode/driver-registrar-binding-ClusterRoleBinding.yaml"
+ - "linode/csi-controller-sa-ServiceAccount.yaml"
+ - "linode/external-provisioner-role-ClusterRole.yaml"
+ - "linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml"
+ - "linode/external-attacher-role-ClusterRole.yaml"
+ - "linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml"
+ - "linode/external-snapshotter-role-ClusterRole.yaml"
+ - "linode/csi-controller-snapshotter-binding-ClusterRoleBinding.yaml"
+ - "linode/linodebs.csi.linode.com-CSIDriver.yaml"
+ - "linode/linode-block-storage-StorageClass.yaml"
+ - "linode/linode-block-storage-retain-StorageClass.yaml"
+ - "linode/csi-linode-controller-StatefulSet.yaml"
+ - "linode/csi-linode-node-DaemonSet.yaml"
+ - "linode/get-linode-id-ConfigMap.yaml"