Update secret-store rbac

files/local/local-path-provisioner-Deployment.yaml

@@ -16,7 +16,7 @@ spec:
       serviceAccountName: local-path-provisioner-service-account
       containers:
       - name: local-path-provisioner
-        image: rancher/local-path-provisioner:v0.0.14
+        image: rancher/local-path-provisioner:v0.0.15
         imagePullPolicy: IfNotPresent
         command:
         - local-path-provisioner

files/nfs/leader-locking-nfs-provisioner-RoleBinding.yaml

@@ -6,7 +6,7 @@ subjects:
   - kind: ServiceAccount
     name: nfs-provisioner
     # replace with namespace where provisioner is deployed
-    namespace: default
+    namespace: nfs-provisioner
 roleRef:
   kind: Role
   name: leader-locking-nfs-provisioner

files/nfs/run-nfs-provisioner-ClusterRoleBinding.yaml

@@ -6,7 +6,7 @@ subjects:
   - kind: ServiceAccount
     name: nfs-provisioner
      # replace with namespace where provisioner is deployed
-    namespace: default
+    namespace: nfs-provisioner
 roleRef:
   kind: ClusterRole
   name: nfs-provisioner-runner

files/secrets-store/csi-secrets-store-DaemonSet.yaml

@@ -12,8 +12,6 @@ spec:
       labels:
         app: csi-secrets-store
     spec:
-      nodeSelector:
-        beta.kubernetes.io/os: linux
       serviceAccountName: secrets-store-csi-driver
       hostNetwork: true
       containers:
@@ -45,12 +43,13 @@ spec:
             - name: registration-dir
               mountPath: /registration
         - name: secrets-store
-          image: docker.io/deislabs/secrets-store-csi:v0.0.11
+          image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
           args:
             - "--debug=true"
             - "--endpoint=$(CSI_ENDPOINT)"
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
+            - "--metrics-addr=:8080"
           env:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
@@ -83,12 +82,13 @@ spec:
             - name: providers-dir
               mountPath: /etc/kubernetes/secrets-store-csi-providers
         - name: liveness-probe
-          image: quay.io/k8scsi/livenessprobe:v1.1.0
+          image: quay.io/k8scsi/livenessprobe:v2.0.0
           imagePullPolicy: Always
           args:
           - --csi-address=/csi/csi.sock
           - --probe-timeout=3s
           - --health-port=9808
+          - -v=2
           volumeMounts:
             - name: plugin-dir
               mountPath: /csi
@@ -109,3 +109,5 @@ spec:
           hostPath:
             path: /etc/kubernetes/secrets-store-csi-providers
             type: DirectoryOrCreate
+      nodeSelector:
+        kubernetes.io/os: linux

files/secrets-store/secretproviderclasses-role-ClusterRole.yaml

@@ -11,6 +11,7 @@ rules:
   - get
   - list
   - update
+  - watch
 - apiGroups:
   - secrets-store.csi.x-k8s.io
   resources:
@@ -19,6 +20,7 @@ rules:
   - get
   - patch
   - update
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -28,3 +30,26 @@ rules:
   - delete
   - get
   - update
+  - patch
+  - list
+  - watch
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasspodstatuses
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasspodstatuses/status
+  verbs:
+  - get
+  - update
+  - patch

files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.2.4
+    controller-gen.kubebuilder.io/version: v0.3.0
   creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:
@@ -21,12 +21,12 @@ spec:
         apiVersion:
           description: 'APIVersion defines the versioned schema of this representation
             of an object. Servers should convert recognized schemas to the latest
-            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
+            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
           type: string
         kind:
           description: 'Kind is a string value representing the REST resource this
             object represents. Servers may infer this from the endpoint the client
-            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
+            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
           type: string
         metadata:
           type: object

vars/nfs.yml

@@ -0,0 +1,11 @@
+---
+store_nfs_files:
+  - "nfs-provisioner-PodSecurityPolicy.yaml"
+  - "nfs-provisioner-runner-ClusterRole.yaml"
+  - "run-nfs-provisioner-ClusterRoleBinding.yaml"
+  - "leader-locking-nfs-provisioner-Role.yaml"
+  - "leader-locking-nfs-provisioner-RoleBinding.yaml"
+  - "nfs-provisioner-ServiceAccount.yaml"
+  - "nfs-provisioner-Service.yaml"
+  - "nfs-provisioner-Deployment.yaml"
+  - "StorageClass.yaml"

vars/secrets_store_files_list.yml

@@ -1,8 +1,8 @@
 ---
 secrets_store_files:
+  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
   - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
   - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
-  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
   - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
   - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
   - "secrets-store/csi-secrets-store-DaemonSet.yaml"