diff --git a/bin/update.sh b/bin/update.sh
index 7c2a587..6f068e4 100755
--- a/bin/update.sh
+++ b/bin/update.sh
@@ -36,6 +36,9 @@ for i in do-block-storage-StorageClass.yaml do-block-storage-VolumeSnapshotClass
 done
 rm -fr files/digitalocean.old
+if [ ! -d files/secrets-provider-gopass ]; then mkdir files/secrets-provider-gopass; fi
+wget https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass/raw/master/deployment/provider-gopass-installer.yaml && \
+ \mv provider-gopass-installer.yaml files/secrets-provider-gopass/
 #https://github.com/scaleway/scaleway-csi
diff --git a/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
index e2196e6..c08de2e 100644
--- a/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
+++ b/files/linode/csi-controller-attacher-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-attacher-runner
+ name: external-attacher-role
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
index 084723d..0afdda4 100644
--- a/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
+++ b/files/linode/csi-controller-provisioner-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-provisioner-runner
+ name: external-provisioner-role
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml b/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
index 5437085..831447f 100644
--- a/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
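Review bot: The `wget` on the second added line of the update.sh hunk fetches `deployment/provider-gopass-installer.yaml` from the moving `master` branch and never checks what it received, so every run vendors whatever that branch holds at that moment, and unless the script enables `set -e` above this hunk a failed download is skipped silently while the previously vendored copy stays in place (the script continues past the hunk). Pin the URL to a release tag or commit and verify the file before moving it, e.g. `wget -O provider-gopass-installer.yaml "https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass/raw/<PINNED_REF>/deployment/provider-gopass-installer.yaml" && echo "<EXPECTED_SHA256>  provider-gopass-installer.yaml" | sha256sum -c -` ahead of the `\mv`. The `if [ ! -d … ]` guard on the first added line can simply be `mkdir -p files/secrets-provider-gopass`.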
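Review bot: The roleRef in csi-controller-attacher-binding-ClusterRoleBinding.yaml now names `external-attacher-role`, and the provisioner and resizer bindings in the following two hunks are changed the same way, but no ClusterRole carrying the new names appears anywhere in this diff; a ClusterRoleBinding whose roleRef points at a ClusterRole that does not exist is accepted by the API server and simply grants nothing, so the sidecars would fail later with forbidden errors rather than at apply time. If the ClusterRole manifests under files/linode were regenerated alongside these, they may just be outside this chunk; otherwise they belong in the same commit. Note also that roleRef is immutable on an existing binding, so whatever applies these files must delete and recreate (or replace) the three bindings instead of patching them in place.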
+++ b/files/linode/csi-controller-resizer-binding-ClusterRoleBinding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: external-resizer-runner
+ name: external-resizer-role
 subjects:
 - kind: ServiceAccount
 name: csi-controller-sa
diff --git a/files/linode/csi-linode-controller-StatefulSet.yaml b/files/linode/csi-linode-controller-StatefulSet.yaml
index aca3b92..47f06bb 100644
--- a/files/linode/csi-linode-controller-StatefulSet.yaml
+++ b/files/linode/csi-linode-controller-StatefulSet.yaml
@@ -78,7 +78,7 @@ spec:
 secretKeyRef:
 key: token
 name: linode
- image: linode/linode-blockstorage-csi-driver:v0.4.0
+ image: linode/linode-blockstorage-csi-driver:v0.4.1
 imagePullPolicy: Always
 name: linode-csi-plugin
 volumeMounts:
diff --git a/files/linode/csi-linode-node-DaemonSet.yaml b/files/linode/csi-linode-node-DaemonSet.yaml
index ec5ad39..6dcfa0b 100644
--- a/files/linode/csi-linode-node-DaemonSet.yaml
+++ b/files/linode/csi-linode-node-DaemonSet.yaml
@@ -56,7 +56,7 @@ spec:
 secretKeyRef:
 key: token
 name: linode
- image: linode/linode-blockstorage-csi-driver:v0.4.0
+ image: linode/linode-blockstorage-csi-driver:v0.4.1
 imagePullPolicy: Always
 name: csi-linode-plugin
 securityContext:
@@ -94,6 +94,13 @@ spec:
 - mountPath: /scripts
 name: get-linode-id
 serviceAccount: csi-node-sa
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
 volumes:
 - emptyDir: {}
 name: linode-info
diff --git a/files/secrets-provider-gopass/provider-gopass-installer.yaml b/files/secrets-provider-gopass/provider-gopass-installer.yaml
new file mode 100644
index 0000000..74e1e90
--- /dev/null
+++ b/files/secrets-provider-gopass/provider-gopass-installer.yaml
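Review bot: The two key-less tolerations added in the second csi-linode-node-DaemonSet.yaml hunk (`effect: NoSchedule` / `operator: Exists` and `effect: NoExecute` / `operator: Exists`) match every taint, so the node plugin will be scheduled onto, and never evicted from, nodes an operator has tainted to drain, quarantine or reserve them. That is a common choice for a CSI node plugin that must be present wherever volumes are mounted, but if it is not the intent here, name the taints explicitly (for example `key: node-role.kubernetes.io/master` with `effect: NoSchedule`) rather than using the blanket match. Either way a one-line comment above `tolerations:` stating why all taints are tolerated would spare the next reader the question.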
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ app: csi-secrets-store-provider-gopass
+ name: csi-secrets-store-provider-gopass
+spec:
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app: csi-secrets-store-provider-gopass
+ template:
+ metadata:
+ labels:
+ app: csi-secrets-store-provider-gopass
+ spec:
+ tolerations:
+ containers:
+ - name: provider-gopass-installer
+ image: camptocamp/secrets-store-csi-driver-provider-gopass:0.0.1
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 50m
+ memory: 100Mi
+ limits:
+ cpu: 50m
+ memory: 100Mi
+ env:
+ # set TARGET_DIR env var and mount the same directory to to the container
+ - name: TARGET_DIR
+ value: "/etc/kubernetes/secrets-store-csi-providers"
+ volumeMounts:
+ - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
+ name: providervol
+ volumes:
+ - name: providervol
+ hostPath:
+ path: "/etc/kubernetes/secrets-store-csi-providers"
+ nodeSelector:
+ beta.kubernetes.io/os: linux
diff --git a/tasks/secrets-store.yml b/tasks/secrets-store.yml
index 589ec22..791dc85 100644
--- a/tasks/secrets-store.yml
+++ b/tasks/secrets-store.yml
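Review bot: `tolerations:` in the pod spec of the new provider-gopass-installer.yaml appears to have no value, so it is null and the installer DaemonSet will not be placed on any tainted node, whereas the secrets-store CSI driver whose provider directory it fills presumably runs on every node; the two should agree on placement or the driver will look for a provider binary that was never installed there. The pod also bind-mounts the host's `/etc/kubernetes/secrets-store-csi-providers` read-write with no `securityContext`, runs the mutable `0.0.1` tag with `imagePullPolicy: Always` and no digest, and selects nodes by the deprecated `beta.kubernetes.io/os` label instead of `kubernetes.io/os`. Because bin/update.sh copies this file verbatim from upstream, those points are best carried upstream or applied as a local overlay rather than edited in this copy; the `to to` in the env comment is cosmetic.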
@@ -17,19 +17,43 @@
 - name: Defined Secrets Store repository
 kubernetes.core.helm_repository:
 name: secrets-store-csi-driver
- repo_url: "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts"
+ repo_url: "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts"
 - name: Deploy Secrets Store chart
 kubernetes.core.helm:
 context: "{{ my_context }}"
 state: "{{ storage_secrets_store_state }}"
 name: csi-secrets-store
+ namespace: "kube-system"
 chart_ref: secrets-store-csi-driver/secrets-store-csi-driver
+ # https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass
+ - name: Deploy Secrets Store CSI driver provider gopass
+ kubernetes.core.k8s:
+ state: "{{ storage_secrets_store_state }}"
+ context: "{{ my_context }}"
+ namespace: "kube-system"
+ apply: true
+ resource_definition: "{{ lookup('file', 'secrets-provider-gopass/provider-gopass-installer.yaml') | from_yaml }}"
+
+ # https://github.com/Azure/secrets-store-csi-driver-provider-azure
+ - name: Deploy Secrets Store CSI driver provider azure
+ kubernetes.core.helm_repository:
+ name: csi-secrets-store-provider-azure
+ repo_url: "https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts"
+ - name: Deploy Secrets Store chart
+ kubernetes.core.helm:
+ context: "{{ my_context }}"
+ state: "{{ storage_secrets_store_state }}"
+ name: csi-secrets-store-provider-azure
+ namespace: "kube-system"
+ chart_ref: csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
+ values:
+ secrets-store-csi-driver:
+ install: false
+
 tags:
 - storage
 - secrets-store
-# https://github.com/camptocamp/secrets-store-csi-driver-provider-gopass
 # https://github.com/hashicorp/vault-csi-provider
-# https://github.com/Azure/secrets-store-csi-driver-provider-azure
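Review bot: Neither kubernetes.core.helm task in this hunk sets `chart_version`, and the Azure provider repository added here points at `raw.githubusercontent.com/.../master/charts`, a moving branch, so each run installs whatever the current index offers; the driver repository is moved to its GitHub Pages index in the same hunk, which is the right direction, but pin both charts with `chart_version: "<PINNED_VERSION>"` so deployments are reproducible and upgrades are deliberate. The last added helm task reuses the name `Deploy Secrets Store chart` from the task above it, and the helm_repository task is named `Deploy Secrets Store CSI driver provider azure` although it only registers the repository; distinct, accurate names (e.g. `Define Azure provider repository` / `Deploy Secrets Store provider azure chart`) keep play output and `--start-at-task` unambiguous. The gopass and Azure providers are also both applied unconditionally, so a cluster that needs only one still gets the other's DaemonSet; a `when:` on a per-provider variable would avoid that.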