Update from upstream

files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml

@@ -5,7 +5,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: external-attacher-role
+  name: external-attacher-runner
 subjects:
 - kind: ServiceAccount
   name: csi-controller-sa

files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml

@@ -5,7 +5,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: external-provisioner-role
+  name: external-provisioner-runner
 subjects:
 - kind: ServiceAccount
   name: csi-controller-sa

files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml

@@ -5,7 +5,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: external-resizer-role
+  name: external-resizer-runner
 subjects:
 - kind: ServiceAccount
   name: csi-controller-sa

files/linode/csi-linode-controller-StatefulSet.yaml

@@ -78,7 +78,7 @@ spec:
             secretKeyRef:
               key: token
               name: linode
-        image: linode/linode-blockstorage-csi-driver:v0.3.0
+        image: linode/linode-blockstorage-csi-driver:v0.4.0
         imagePullPolicy: Always
         name: linode-csi-plugin
         volumeMounts:

files/linode/csi-linode-node-DaemonSet.yaml

@@ -56,7 +56,7 @@ spec:
             secretKeyRef:
               key: token
               name: linode
-        image: linode/linode-blockstorage-csi-driver:v0.3.0
+        image: linode/linode-blockstorage-csi-driver:v0.4.0
         imagePullPolicy: Always
         name: csi-linode-plugin
         securityContext:

files/linode/external-resizer-role-ClusterRole.yaml

@@ -11,7 +11,6 @@ rules:
   - get
   - list
   - watch
-  - update
   - patch
 - apiGroups:
   - ""
@@ -21,12 +20,19 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
   - persistentvolumeclaims/status
   verbs:
-  - update
   - patch
 - apiGroups:
   - ""

files/secrets-store/csi-secrets-store-DaemonSet.yaml

@@ -12,12 +12,13 @@ spec:
     metadata:
       labels:
         app: csi-secrets-store
+      annotations:
+        kubectl.kubernetes.io/default-logs-container: secrets-store
     spec:
       serviceAccountName: secrets-store-csi-driver
-      hostNetwork: true
       containers:
         - name: node-driver-registrar
-          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1
+          image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
           args:
             - --v=5
             - --csi-address=/csi/csi.sock
@@ -42,13 +43,13 @@ spec:
               cpu: 10m
               memory: 20Mi
         - name: secrets-store
-          image: k8s.gcr.io/csi-secrets-store/driver:v0.0.18
+          image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20
           args:
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
             - "--metrics-addr=:8095"
-            - "--grpc-supported-providers=gcp;"
+            - "--grpc-supported-providers=gcp;azure;vault;"
             - "--enable-secret-rotation=false"
             - "--rotation-poll-interval=2m"
           env:
@@ -90,12 +91,12 @@ spec:
               cpu: 50m
               memory: 100Mi
         - name: liveness-probe
-          image: k8s.gcr.io/sig-storage/livenessprobe:v2.1.0
+          image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0
           imagePullPolicy: Always
           args:
           - --csi-address=/csi/csi.sock
           - --probe-timeout=3s
-          - --health-port=9808
+          - --http-endpoint=0.0.0.0:9808
           - -v=2
           volumeMounts:
             - name: plugin-dir

files/secrets-store/provider-vault-installer.yaml

@@ -1,26 +1,65 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: csi-secrets-store
+  name: vault-csi-provider
+  namespace: csi
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: csi-secrets-store
+  name: vault-csi-provider-clusterrole
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  namespace: csi-secrets-store
+  name: vault-csi-provider-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vault-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: vault-csi-provider
+  namespace: csi
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   namespace: csi-secrets-store
   labels:
-    app: csi-secrets-store-provider-vault
-  name: csi-secrets-store-provider-vault
+    app: vault-csi-provider
+  name: vault-csi-provider
+  namespace: csi
 spec:
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app: csi-secrets-store-provider-vault
+      app: vault-csi-provider
   template:
     metadata:
       labels:
-        app: csi-secrets-store-provider-vault
+        app: vault-csi-provider
     spec:
+      serviceAccountName: vault-csi-provider
       tolerations:
       containers:
         - name: provider-vault-installer
-          image: hashicorp/secrets-store-csi-driver-provider-vault:0.0.6
+          image: hashicorp/vault-csi-provider:0.1.0
           imagePullPolicy: Always
+          args:
+            - --endpoint=/provider/vault.sock
+            - --debug=false
           resources:
             requests:
               cpu: 50m
@@ -28,16 +67,38 @@ spec:
             limits:
               cpu: 50m
               memory: 100Mi
-          env:
-            # set TARGET_DIR env var and mount the same directory to to the container
-            - name: TARGET_DIR
-              value: "/etc/kubernetes/secrets-store-csi-providers"
           volumeMounts:
-            - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
-              name: providervol
+            - name: providervol
+              mountPath: "/provider"
+            - name: mountpoint-dir
+              mountPath: /var/lib/kubelet/pods
+              mountPropagation: HostToContainer
+          livenessProbe:
+            httpGet:
+              path: "/health/ready"
+              port: 8080
+              scheme: "HTTP"
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 3
+          readinessProbe:
+            httpGet:
+              path: "/health/ready"
+              port: 8080
+              scheme: "HTTP"
+            failureThreshold: 2
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            successThreshold: 1
+            timeoutSeconds: 3
       volumes:
         - name: providervol
           hostPath:
             path: "/etc/kubernetes/secrets-store-csi-providers"
+        - name: mountpoint-dir
+          hostPath:
+            path: /var/lib/kubelet/pods
       nodeSelector:
         beta.kubernetes.io/os: linux

vars/secrets_store_files_list.yml

@@ -1,8 +1,8 @@
 ---
 secrets_store_files:
-  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
   - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
   - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
+  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
   - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
   - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
   - "secrets-store/csi-secrets-store-DaemonSet.yaml"