From 838b0de25f82f6b3fb6c38306bf1b5adb6707688 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Wed, 24 Mar 2021 22:24:28 +0100
Subject: [PATCH] Update from upstream
---
 ...r-attacher-binding-ClusterRoleBinding.yaml | 2 +-
 ...rovisioner-binding-ClusterRoleBinding.yaml | 2 +-
 ...er-resizer-binding-ClusterRoleBinding.yaml | 2 +-
 .../csi-linode-controller-StatefulSet.yaml | 2 +-
 files/linode/csi-linode-node-DaemonSet.yaml | 2 +-
 .../external-resizer-role-ClusterRole.yaml | 10 ++-
 .../csi-secrets-store-DaemonSet.yaml | 13 +--
 .../provider-vault-installer.yaml | 83 ++++++++++++++++---
 vars/secrets_store_files_list.yml | 2 +-
 9 files changed, 93 insertions(+), 25 deletions(-)
diff --git a/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
index c08de2e..e2196e6 100644
--- a/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
+++ b/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-attacher-role
+ name: external-attacher-runner
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
index 0afdda4..084723d 100644
--- a/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
+++ b/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-provisioner-role
+ name: external-provisioner-runner
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
index 831447f..5437085 100644
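Review bot: The ClusterRoleBinding hunks in this patch (the attacher and provisioner bindings here, and the resizer binding at the start of the next line) repoint `roleRef.name` to `external-attacher-runner`, `external-provisioner-runner` and `external-resizer-runner`, but no ClusterRole is renamed anywhere in the diffstat — the only ClusterRole touched, `external-resizer-role-ClusterRole.yaml`, changes its `rules:` only. A ClusterRoleBinding whose roleRef matches no ClusterRole is accepted by the API server and simply grants nothing, so if the ClusterRole manifests still carry the old `*-role` names the `csi-controller-sa` ServiceAccount silently loses its attach, provision and resize permissions and the CSI controller fails at runtime rather than at apply time. Confirm that `metadata.name` in each of the three ClusterRole files already reads `*-runner`, or rename them in the same commit; the ClusterRole files' `metadata.name` lines are outside every hunk shown here.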
--- a/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
+++ b/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-resizer-role
+ name: external-resizer-runner
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-linode-controller-StatefulSet.yaml b/files/linode/csi-linode-controller-StatefulSet.yaml
index 353d2c1..aca3b92 100644
--- a/files/linode/csi-linode-controller-StatefulSet.yaml
+++ b/files/linode/csi-linode-controller-StatefulSet.yaml
@@ -78,7 +78,7 @@ spec:
 secretKeyRef:
 key: token
 name: linode
- image: linode/linode-blockstorage-csi-driver:v0.3.0
+ image: linode/linode-blockstorage-csi-driver:v0.4.0
 imagePullPolicy: Always
 name: linode-csi-plugin
 volumeMounts:
diff --git a/files/linode/csi-linode-node-DaemonSet.yaml b/files/linode/csi-linode-node-DaemonSet.yaml
index ba2cbb3..ec5ad39 100644
--- a/files/linode/csi-linode-node-DaemonSet.yaml
+++ b/files/linode/csi-linode-node-DaemonSet.yaml
@@ -56,7 +56,7 @@ spec:
 secretKeyRef:
 key: token
 name: linode
- image: linode/linode-blockstorage-csi-driver:v0.3.0
+ image: linode/linode-blockstorage-csi-driver:v0.4.0
 imagePullPolicy: Always
 name: csi-linode-plugin
 securityContext:
diff --git a/files/linode/external-resizer-role-ClusterRole.yaml b/files/linode/external-resizer-role-ClusterRole.yaml
index 3ce02a4..d30bff9 100644
--- a/files/linode/external-resizer-role-ClusterRole.yaml
+++ b/files/linode/external-resizer-role-ClusterRole.yaml
@@ -11,7 +11,6 @@ rules:
 - get
 - list
 - watch
- - update
 - patch
 - apiGroups:
 - ""
@@ -21,12 +20,19 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - list
+ - watch
 - apiGroups:
 - ""
 resources:
 - persistentvolumeclaims/status
 verbs:
- - update
 - patch
 - apiGroups:
 - ""
diff --git a/files/secrets-store/csi-secrets-store-DaemonSet.yaml b/files/secrets-store/csi-secrets-store-DaemonSet.yaml
index 78cc353..4bd31d7 100644
--- a/files/secrets-store/csi-secrets-store-DaemonSet.yaml
+++ b/files/secrets-store/csi-secrets-store-DaemonSet.yaml
@@ -12,12 +12,13 @@ spec:
 metadata:
 labels:
 app: csi-secrets-store
+ annotations:
+ kubectl.kubernetes.io/default-logs-container: secrets-store
 spec:
 serviceAccountName: secrets-store-csi-driver
- hostNetwork: true
 containers:
 - name: node-driver-registrar
- image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.0.1
+ image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0
 args:
 - --v=5
 - --csi-address=/csi/csi.sock
@@ -42,13 +43,13 @@ spec:
 cpu: 10m
 memory: 20Mi
 - name: secrets-store
- image: k8s.gcr.io/csi-secrets-store/driver:v0.0.18
+ image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20
 args:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
 - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
 - "--metrics-addr=:8095"
- - "--grpc-supported-providers=gcp;"
+ - "--grpc-supported-providers=gcp;azure;vault;"
 - "--enable-secret-rotation=false"
 - "--rotation-poll-interval=2m"
 env:
@@ -90,12 +91,12 @@ spec:
 cpu: 50m
 memory: 100Mi
 - name: liveness-probe
- image: k8s.gcr.io/sig-storage/livenessprobe:v2.1.0
+ image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0
 imagePullPolicy: Always
 args:
 - --csi-address=/csi/csi.sock
 - --probe-timeout=3s
- - --health-port=9808
+ - --http-endpoint=0.0.0.0:9808
 - -v=2
 volumeMounts:
 - name: plugin-dir
diff --git a/files/secrets-store/provider-vault-installer.yaml b/files/secrets-store/provider-vault-installer.yaml
index 4574331..e24dcb7 100644
--- a/files/secrets-store/provider-vault-installer.yaml
+++ b/files/secrets-store/provider-vault-installer.yaml
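Review bot: Dropping `hostNetwork: true` in the first hunk is a sound exposure reduction, but it is also an unannounced behavior change: the driver's `--metrics-addr=:8095` and the sidecar's new `--http-endpoint=0.0.0.0:9808` (third hunk) now bind inside the pod network namespace instead of on every node interface, so any scrape or monitoring configuration that reached those ports on the node IP stops working. That deserves a comment above `containers:`, e.g. `# no hostNetwork: metrics (8095) and the liveness endpoint (9808) are reachable on the pod IP only`, or a line in the commit message. The livenessprobe flag rename from `--health-port` to `--http-endpoint` keeps port 9808, but the container's `livenessProbe` that consumes it is outside the hunk, so confirm it still targets that port. In the second hunk `--grpc-supported-providers=gcp;azure;vault;` enables three providers while only the vault provider installer is visible in this patch; a short comment stating why gcp and azure are listed would keep the next reader from treating them as typos.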
@@ -1,26 +1,65 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: csi-secrets-store
+ name: vault-csi-provider
+ namespace: csi
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ namespace: csi-secrets-store
+ name: vault-csi-provider-clusterrole
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ namespace: csi-secrets-store
+ name: vault-csi-provider-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: vault-csi-provider-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: vault-csi-provider
+ namespace: csi
+---
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
 namespace: csi-secrets-store
 labels:
- app: csi-secrets-store-provider-vault
- name: csi-secrets-store-provider-vault
+ app: vault-csi-provider
+ name: vault-csi-provider
+ namespace: csi
 spec:
 updateStrategy:
 type: RollingUpdate
 selector:
 matchLabels:
- app: csi-secrets-store-provider-vault
+ app: vault-csi-provider
 template:
 metadata:
 labels:
- app: csi-secrets-store-provider-vault
+ app: vault-csi-provider
 spec:
+ serviceAccountName: vault-csi-provider
 tolerations:
 containers:
 - name: provider-vault-installer
- image: hashicorp/secrets-store-csi-driver-provider-vault:0.0.6
+ image: hashicorp/vault-csi-provider:0.1.0
 imagePullPolicy: Always
+ args:
+ - --endpoint=/provider/vault.sock
+ - --debug=false
 resources:
 requests:
 cpu: 50m
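Review bot: The new ServiceAccount carries two `namespace:` keys under `metadata` (`csi-secrets-store` and `csi`), and the DaemonSet's metadata keeps the existing `namespace: csi-secrets-store` context line while the hunk adds `namespace: csi` after `name:` — as far as the collapsed hunk shows, both are duplicate keys, which strict loaders such as the one behind `kubectl apply` reject outright and permissive loaders resolve silently to the last value, `csi`, a namespace nothing in this patch creates. The ClusterRoleBinding subject also names `namespace: csi`, so even under a permissive parse the token-creation role is bound to a ServiceAccount in a different namespace from the one the rest of this role deploys into. Drop the three `namespace: csi` lines and change the subject to `namespace: csi-secrets-store`; the `namespace:` under the ClusterRole and ClusterRoleBinding metadata is ignored for cluster-scoped kinds and can go as well. The ClusterRole's single rule, `create` on `serviceaccounts/token` with no resourceNames, lets this DaemonSet mint a token for any ServiceAccount in the cluster; that looks to be what the provider's token-request flow requires, but it is a cluster-wide capability and warrants a comment above `rules:` stating that and why it cannot be narrowed.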
@@ -28,16 +67,38 @@ spec:
 limits:
 cpu: 50m
 memory: 100Mi
- env:
- # set TARGET_DIR env var and mount the same directory to to the container
- - name: TARGET_DIR
- value: "/etc/kubernetes/secrets-store-csi-providers"
 volumeMounts:
- - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
- name: providervol
+ - name: providervol
+ mountPath: "/provider"
+ - name: mountpoint-dir
+ mountPath: /var/lib/kubelet/pods
+ mountPropagation: HostToContainer
+ livenessProbe:
+ httpGet:
+ path: "/health/ready"
+ port: 8080
+ scheme: "HTTP"
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
+ readinessProbe:
+ httpGet:
+ path: "/health/ready"
+ port: 8080
+ scheme: "HTTP"
+ failureThreshold: 2
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 3
 volumes:
 - name: providervol
 hostPath:
 path: "/etc/kubernetes/secrets-store-csi-providers"
+ - name: mountpoint-dir
+ hostPath:
+ path: /var/lib/kubelet/pods
 nodeSelector:
 beta.kubernetes.io/os: linux
diff --git a/vars/secrets_store_files_list.yml b/vars/secrets_store_files_list.yml
index 21f90f8..b78f4cd 100644
--- a/vars/secrets_store_files_list.yml
+++ b/vars/secrets_store_files_list.yml
@@ -1,8 +1,8 @@
 ---
 secrets_store_files:
- - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
 - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
 - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
+ - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
 - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
 - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
 - "secrets-store/csi-secrets-store-DaemonSet.yaml"
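Review bot: The `livenessProbe` and `readinessProbe` in this hunk are identical — both hit `/health/ready` on port 8080 with `failureThreshold: 2` and `periodSeconds: 5` — so any condition that makes the provider not-ready also gets it restarted about ten seconds later, turning a transient dependency problem into a crash loop; if the image exposes a separate liveness path, point the livenessProbe at it, otherwise add a comment above `livenessProbe:` recording that readiness is deliberately treated as liveness here. The new `mountpoint-dir` volume exposes `/var/lib/kubelet/pods`, the volume directories of every pod on the node, to this container with `HostToContainer` propagation, no `readOnly`, and no `securityContext` anywhere in either hunk of this file; that access appears to be how the provider writes secret files into pod volumes, but it is the most sensitive mount in the manifest and should carry a comment above `- name: mountpoint-dir` naming why it is required. The container definition starts in the previous hunk and the ServiceAccount that gains this access is defined there as well.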