diff --git a/bin/update.sh b/bin/update.sh
index 6851401..7c2a587 100755
--- a/bin/update.sh
+++ b/bin/update.sh
@@ -56,20 +56,5 @@ rm -fr files/digitalocean.old #https://github.com/juicedata/juicefs-csi-driver ?
-SECRETS_STORE_FILE=vars/secrets_store_files_list.yml
-echo -e "---\nsecrets_store_files:" > "${SECRETS_STORE_FILE}"
-git clone https://github.com/kubernetes-sigs/secrets-store-csi-driver.git
-kubernetes-split-yaml secrets-store-csi-driver/deploy/rbac-secretproviderclass.yaml > generated.log
-kubernetes-split-yaml secrets-store-csi-driver/deploy/csidriver.yaml >> generated.log
-kubernetes-split-yaml secrets-store-csi-driver/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml >> generated.log
-kubernetes-split-yaml secrets-store-csi-driver/deploy/secrets-store-csi-driver.yaml >> generated.log
-cat generated.log | while read LIGNE; do if [ $(echo "${LIGNE}" | grep -c ^File) -eq 1 ]; then echo -n "${LIGNE} "; else echo "${LIGNE}"; fi; done | grep ^File | sed 's|.*\(generated/\)\(.*\.yaml\)| - "secrets-store/\2"|' >> "${SECRETS_STORE_FILE}"
-mv files/secrets-store{,.old}
-mv generated files/secrets-store
-sed "/^metadata:$/a \ namespace: csi-secrets-store" -i files/secrets-store/csi-secrets-store-DaemonSet.yaml
-rm -fr files/secrets-store.old generated.log secrets-store-csi-driver
-curl -s -o files/secrets-store/provider-vault-installer.yaml https://raw.githubusercontent.com/hashicorp/secrets-store-csi-driver-provider-vault/master/deployment/provider-vault-installer.yaml
-sed "/^metadata:$/a \ namespace: csi-secrets-store" -i files/secrets-store/provider-vault-installer.yaml
-echo ' - "secrets-store/provider-vault-installer.yaml"' >> "${SECRETS_STORE_FILE}"
 #https://github.com/Azure/secrets-store-csi-driver-provider-azure
 #https://github.com/hashicorp/secrets-store-csi-driver-provider-vault
diff --git a/defaults/main.yml b/defaults/main.yml
index 7287c1b..07dfe0f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -13,9 +13,11 @@ storage_longhorn_namespace: "longhorn-system" storage_nfs: false storage_nfs_namespace: "nfs-client-provisioner" +storage_secrets_store: false +storage_secrets_store_version: "0.0.21" + storage_linode: false storage_digitalocean: false -storage_secrets_store: false # local-path, longhorn, linode-block-storage, linode-block-storage-retain, do-block-storage storage_default_storageclass: local-path \ No newline at end of file diff --git a/files/secrets-store/csi-secrets-store-DaemonSet.yaml b/files/secrets-store/csi-secrets-store-DaemonSet.yaml deleted file mode 100644 index 4bd31d7..0000000 --- a/files/secrets-store/csi-secrets-store-DaemonSet.yaml +++ /dev/null 
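Review bot: `storage_secrets_store_version: "0.0.21"` is introduced here but nothing in the diff reads it — the `community.kubernetes.helm` task in tasks/secrets-store.yml (hunk `@@ -11,11 +13,19 @@`) passes no `chart_version`, so each run installs whatever the repository index currently advertises as latest, and that index is fetched from the upstream repo's `master` branch rather than a tagged release. Wire the variable through with `chart_version: "{{ storage_secrets_store_version }}"` on that task, or drop it; a pinned chart is what makes the deployed driver reproducible and lets a reviewer map a cluster's release back to an upstream tag. The manifests being removed ran driver image `v0.0.20`, so the meaning of `0.0.21` (chart vs. image tag) is not obvious from the name — a comment such as `# version of the secrets-store-csi-driver Helm chart (not the driver image tag)` next to the default would settle it, assuming that is what the author intends.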
@@ -1,129 +0,0 @@ -kind: DaemonSet -apiVersion: apps/v1 -metadata: - namespace: csi-secrets-store - name: csi-secrets-store - namespace: kube-system -spec: - selector: - matchLabels: - app: csi-secrets-store - template: - metadata: - labels: - app: csi-secrets-store - annotations: - kubectl.kubernetes.io/default-logs-container: secrets-store - spec: - serviceAccountName: secrets-store-csi-driver - containers: - - name: node-driver-registrar - image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0 - args: - - --v=5 - - --csi-address=/csi/csi.sock - - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock - env: - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - imagePullPolicy: Always - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: registration-dir - mountPath: /registration - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 10m - memory: 20Mi - - name: secrets-store - image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 - args: - - "--endpoint=$(CSI_ENDPOINT)" - - "--nodeid=$(KUBE_NODE_NAME)" - - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" - - "--metrics-addr=:8095" - - "--grpc-supported-providers=gcp;azure;vault;" - - "--enable-secret-rotation=false" - - "--rotation-poll-interval=2m" - env: - - name: CSI_ENDPOINT - value: unix:///csi/csi.sock - - name: KUBE_NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - imagePullPolicy: Always - securityContext: - privileged: true - ports: - - containerPort: 9808 - name: healthz - protocol: TCP - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: healthz - initialDelaySeconds: 30 - timeoutSeconds: 10 - periodSeconds: 15 - volumeMounts: - - name: plugin-dir - mountPath: /csi - - name: mountpoint-dir - mountPath: /var/lib/kubelet/pods - mountPropagation: Bidirectional - - name: providers-dir - mountPath: /etc/kubernetes/secrets-store-csi-providers 
- resources: - limits: - cpu: 200m - memory: 200Mi - requests: - cpu: 50m - memory: 100Mi - - name: liveness-probe - image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0 - imagePullPolicy: Always - args: - - --csi-address=/csi/csi.sock - - --probe-timeout=3s - - --http-endpoint=0.0.0.0:9808 - - -v=2 - volumeMounts: - - name: plugin-dir - mountPath: /csi - resources: - limits: - cpu: 100m - memory: 100Mi - requests: - cpu: 10m - memory: 20Mi - volumes: - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: DirectoryOrCreate - - name: registration-dir - hostPath: - path: /var/lib/kubelet/plugins_registry/ - type: Directory - - name: plugin-dir - hostPath: - path: /var/lib/kubelet/plugins/csi-secrets-store/ - type: DirectoryOrCreate - - name: providers-dir - hostPath: - path: /etc/kubernetes/secrets-store-csi-providers - type: DirectoryOrCreate - nodeSelector: - kubernetes.io/os: linux diff --git a/files/secrets-store/provider-vault-installer.yaml b/files/secrets-store/provider-vault-installer.yaml deleted file mode 100644 index e24dcb7..0000000 --- a/files/secrets-store/provider-vault-installer.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - namespace: csi-secrets-store - name: vault-csi-provider - namespace: csi ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - namespace: csi-secrets-store - name: vault-csi-provider-clusterrole -rules: -- apiGroups: - - "" - resources: - - serviceaccounts/token - verbs: - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - namespace: csi-secrets-store - name: vault-csi-provider-clusterrolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: vault-csi-provider-clusterrole -subjects: -- kind: ServiceAccount - name: vault-csi-provider - namespace: csi ---- -apiVersion: apps/v1 -kind: DaemonSet -metadata: - namespace: csi-secrets-store - labels: - app: vault-csi-provider - name: vault-csi-provider - namespace: csi -spec: - updateStrategy: - type: RollingUpdate - selector: - matchLabels: - app: vault-csi-provider - template: - metadata: - labels: - app: vault-csi-provider - spec: - serviceAccountName: vault-csi-provider - tolerations: - containers: - - name: provider-vault-installer - image: hashicorp/vault-csi-provider:0.1.0 - imagePullPolicy: Always - args: - - --endpoint=/provider/vault.sock - - --debug=false - resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi - volumeMounts: - - name: providervol - mountPath: "/provider" - - name: mountpoint-dir - mountPath: /var/lib/kubelet/pods - mountPropagation: HostToContainer - livenessProbe: - httpGet: - path: "/health/ready" - port: 8080 - scheme: "HTTP" - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - readinessProbe: - httpGet: - path: "/health/ready" - port: 8080 - scheme: "HTTP" - failureThreshold: 2 - initialDelaySeconds: 5 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 3 - volumes: - - name: providervol - hostPath: - path: 
"/etc/kubernetes/secrets-store-csi-providers" - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - nodeSelector: - beta.kubernetes.io/os: linux diff --git a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml deleted file mode 100644 index 94451a0..0000000 --- a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: secretproviderclasses-role -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - secrets-store.csi.x-k8s.io - resources: - - secretproviderclasses - verbs: - - get - - list - - watch -- apiGroups: - - secrets-store.csi.x-k8s.io - resources: - - secretproviderclasspodstatuses - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - secrets-store.csi.x-k8s.io - resources: - - secretproviderclasspodstatuses/status - verbs: - - get - - patch - - update diff --git a/files/secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml b/files/secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml deleted file mode 100644 index 9dd0581..0000000 --- a/files/secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: secretproviderclasses-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: secretproviderclasses-role -subjects: -- kind: ServiceAccount - name: secrets-store-csi-driver - namespace: kube-system 
diff --git a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml deleted file mode 100644 index 8613dcf..0000000 --- a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml +++ /dev/null 
@@ -1,103 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: secretproviderclasses.secrets-store.csi.x-k8s.io -spec: - group: secrets-store.csi.x-k8s.io - names: - kind: SecretProviderClass - listKind: SecretProviderClassList - plural: secretproviderclasses - singular: secretproviderclass - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: SecretProviderClass is the Schema for the secretproviderclasses - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: SecretProviderClassSpec defines the desired state of SecretProviderClass - properties: - parameters: - additionalProperties: - type: string - description: Configuration for specific provider - type: object - provider: - description: Configuration for provider name - type: string - secretObjects: - items: - description: SecretObject defines the desired state of synced K8s - secret objects - properties: - data: - items: - description: SecretObjectData defines the desired state of - synced K8s secret object data - properties: - key: - description: data field to populate - type: string - objectName: - description: name of the object to sync - type: string - type: object - type: array - labels: - additionalProperties: - type: string - description: labels of K8s secret object - type: object - secretName: - description: name of the K8s secret object - type: string - type: - description: type of K8s secret object - type: string - type: object - type: array - type: object - status: - description: SecretProviderClassStatus defines the observed state of SecretProviderClass - properties: - byPod: - items: - description: ByPodStatus defines the state of SecretProviderClass - as seen by an individual controller - properties: - id: - description: id of the pod that wrote the status - type: string - namespace: - description: namespace of the pod that wrote the status - type: string - type: object - type: array - type: object - type: object - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/files/secrets-store/secrets-store-csi-driver-ServiceAccount.yaml b/files/secrets-store/secrets-store-csi-driver-ServiceAccount.yaml deleted file mode 100644 index 9768889..0000000 
--- a/files/secrets-store/secrets-store-csi-driver-ServiceAccount.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: secrets-store-csi-driver - namespace: kube-system diff --git a/files/secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml b/files/secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml deleted file mode 100644 index a04e928..0000000 --- a/files/secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: storage.k8s.io/v1beta1 -kind: CSIDriver -metadata: - name: secrets-store.csi.k8s.io -spec: - podInfoOnMount: true - attachRequired: false - volumeLifecycleModes: - - Ephemeral diff --git a/tasks/main.yml b/tasks/main.yml index 8ced229..585d73e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -29,6 +29,10 @@ tags: - nfs - storage + - include_tasks: "secrets-store.yml" + tags: + - secrets-store + - storage # https://medium.com/asl19-developers/create-readwritemany-persistentvolumeclaims-on-your-kubernetes-cluster-3a8db51f98e3 # https://github.com/ctrox/csi-s3 @@ -38,7 +42,6 @@ # - include_tasks: "digital_ocean.yml" # - include_tasks: "linode.yml" -# - include_tasks: "secrets-store.yml" - name: Select the default StorageClass k8s: diff --git a/tasks/secrets-store.yml b/tasks/secrets-store.yml index daca61b..476dd6c 100644 --- a/tasks/secrets-store.yml +++ b/tasks/secrets-store.yml @@ -1,4 +1,6 @@ --- +- name: Secrets Store + block: - name: Defined secrets-storage state to present set_fact: storage_secrets_store_state: present 
@@ -11,11 +13,19 @@ when: - not storage_secrets_store|bool - - name: secrets-storage need to be {{ storage_secrets_store_state }} - k8s: - state: "{{ storage_secrets_store_state }}" +# https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver + - name: Defined Secrets Store repository + community.kubernetes.helm_repository: + name: secrets-store-csi-driver + repo_url: "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts" + + - name: Deploy Secrets Store chart + community.kubernetes.helm: context: "{{ my_context }}" - merge_type: merge - resource_definition: "{{ lookup('file', item) | from_yaml }}" - with_items: - - '{{ secrets_store_files }}' + state: "{{ storage_secrets_store_state }}" + name: csi-secrets-store + chart_ref: secrets-store-csi-driver/secrets-store-csi-driver + + tags: + - storage + - secrets-store diff --git a/vars/secrets_store_files_list.yml b/vars/secrets_store_files_list.yml deleted file mode 100644 index b78f4cd..0000000 --- a/vars/secrets_store_files_list.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -secrets_store_files: - - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml" - - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml" - - "secrets-store/secretproviderclasses-role-ClusterRole.yaml" - - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml" - - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml" - - "secrets-store/csi-secrets-store-DaemonSet.yaml" - - "secrets-store/provider-vault-installer.yaml"
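Review bot: The `Deploy Secrets Store chart` task sets no `release_namespace`, which `community.kubernetes.helm` requires (alias `namespace`), so the task should fail argument validation before Helm is invoked; the manifests this replaces were patched into the `csi-secrets-store` namespace, so the equivalent here is `release_namespace: csi-secrets-store` together with `create_namespace: true` (the latter is available from community.kubernetes 0.11.1, as far as I recall). The `Defined Secrets Store repository` task runs regardless of `storage_secrets_store`, so even the "absent" path adds a repo entry to the controller's Helm configuration; a `when: storage_secrets_store|bool` on it keeps the disable path side-effect free. The `block:` these tasks belong to opens in this file's first hunk, and because the collapsed diff loses indentation it is not visible whether the trailing `tags:` attaches to the block or to the helm task — worth confirming, since only the block-level placement mirrors the tags on the `include_tasks` in tasks/main.yml.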