Update longhorn

Update secret-store
2020-08-24 15:20:25 +02:00 · 2020-08-24 15:20:02 +02:00
11 changed files with 80 additions and 32 deletions
--- a/files/longhorn/longhorn-driver-deployer-Deployment.yaml
+++ b/files/longhorn/longhorn-driver-deployer-Deployment.yaml
@ -15,18 +15,18 @@ spec:
    spec:
      initContainers:
        - name: wait-longhorn-manager
-          image: longhornio/longhorn-manager:v1.0.1
+          image: longhornio/longhorn-manager:v1.0.2
          command: ['sh', '-c', 'while [ $(curl -m 1 -s -o /dev/null -w "%{http_code}" http://longhorn-backend:9500/v1) != "200" ]; do echo waiting; sleep 2; done']
      containers:
        - name: longhorn-driver-deployer
-          image: longhornio/longhorn-manager:v1.0.1
+          image: longhornio/longhorn-manager:v1.0.2
          imagePullPolicy: IfNotPresent
          command:
          - longhorn-manager
          - -d
          - deploy-driver
          - --manager-image
-          - longhornio/longhorn-manager:v1.0.1
+          - longhornio/longhorn-manager:v1.0.2
          - --manager-url
          - http://longhorn-backend:9500/v1
          env:
--- a/files/longhorn/longhorn-manager-DaemonSet.yaml
+++ b/files/longhorn/longhorn-manager-DaemonSet.yaml
@ -16,7 +16,7 @@ spec:
    spec:
      containers:
      - name: longhorn-manager
-        image: longhornio/longhorn-manager:v1.0.1
+        image: longhornio/longhorn-manager:v1.0.2
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true
@ -25,11 +25,11 @@ spec:
        - -d
        - daemon
        - --engine-image
-        - longhornio/longhorn-engine:v1.0.1
+        - longhornio/longhorn-engine:v1.0.2
        - --instance-manager-image
        - longhornio/longhorn-instance-manager:v1_20200514
        - --manager-image
-        - longhornio/longhorn-manager:v1.0.1
+        - longhornio/longhorn-manager:v1.0.2
        - --service-account
        - longhorn-service-account
        ports:
@ -45,6 +45,7 @@ spec:
          mountPath: /host/proc/
        - name: varrun
          mountPath: /var/run/
+          mountPropagation: Bidirectional
        - name: longhorn
          mountPath: /var/lib/longhorn/
          mountPropagation: Bidirectional
--- a/files/longhorn/longhorn-psp-PodSecurityPolicy.yaml
+++ b/files/longhorn/longhorn-psp-PodSecurityPolicy.yaml
@ -0,0 +1,29 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: longhorn-psp
+spec:
+  privileged: true
+  allowPrivilegeEscalation: true
+  requiredDropCapabilities:
+    - NET_RAW
+  allowedCapabilities:
+    - SYS_ADMIN
+  hostNetwork: false
+  hostIPC: false
+  hostPID: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - configMap
+    - downwardAPI
+    - emptyDir
+    - secret
+    - projected
+    - hostPath
--- a/files/longhorn/longhorn-psp-binding-RoleBinding.yaml
+++ b/files/longhorn/longhorn-psp-binding-RoleBinding.yaml
@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: longhorn-psp-binding
+  namespace: longhorn-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: longhorn-psp-role
+subjects:
+  - kind: ServiceAccount
+    name: longhorn-service-account
+    namespace: longhorn-system
+  - kind: ServiceAccount
+    name: default
+    namespace: longhorn-system
--- a/files/longhorn/longhorn-psp-role-Role.yaml
+++ b/files/longhorn/longhorn-psp-role-Role.yaml
@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: longhorn-psp-role
+  namespace: longhorn-system
+rules:
+  - apiGroups:
+      - policy
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+    resourceNames:
+      - longhorn-psp
--- a/files/longhorn/longhorn-ui-Deployment.yaml
+++ b/files/longhorn/longhorn-ui-Deployment.yaml
@ -17,7 +17,7 @@ spec:
    spec:
      containers:
      - name: longhorn-ui
-        image: longhornio/longhorn-ui:v1.0.1
+        image: longhornio/longhorn-ui:v1.0.2
        imagePullPolicy: IfNotPresent
        securityContext:
          runAsUser: 0
--- a/files/secrets-store/csi-secrets-store-DaemonSet.yaml
+++ b/files/secrets-store/csi-secrets-store-DaemonSet.yaml
@ -43,7 +43,7 @@ spec:
            - name: registration-dir
              mountPath: /registration
        - name: secrets-store
-          image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.12
+          image: us.gcr.io/k8s-artifacts-prod/csi-secrets-store/driver:v0.0.13
          args:
            - "--debug=true"
            - "--endpoint=$(CSI_ENDPOINT)"
--- a/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml
+++ b/files/secrets-store/secretproviderclasses-role-ClusterRole.yaml
@ -1,6 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  creationTimestamp: null
  name: secretproviderclasses-role
 rules:
 - apiGroups:
@ -10,28 +11,6 @@ rules:
  verbs:
  - get
  - list
-  - update
-  - watch
- apiGroups:
-  - secrets-store.csi.x-k8s.io
-  resources:
-  - secretproviderclasses/status
-  verbs:
-  - get
-  - patch
-  - update
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
-  - get
-  - update
-  - patch
-  - list
  - watch
 - apiGroups:
  - secrets-store.csi.x-k8s.io
@ -51,5 +30,5 @@ rules:
  - secretproviderclasspodstatuses/status
  verbs:
  - get
-  - update
  - patch
+  - update
--- a/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml
+++ b/files/secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml
@ -12,6 +12,7 @@ spec:
    listKind: SecretProviderClassList
    plural: secretproviderclasses
    singular: secretproviderclass
+  preserveUnknownFields: false
  scope: Namespaced
  validation:
    openAPIV3Schema:
@ -59,6 +60,11 @@ spec:
                          type: string
                      type: object
                    type: array
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: labels of K8s secret object
+                    type: object
                  secretName:
                    description: name of the K8s secret object
                    type: string
--- a/vars/longhorn.yaml
+++ b/vars/longhorn.yaml
@ -12,6 +12,9 @@ storage_longhorn_files_list:
  - "nodes.longhorn.io-CustomResourceDefinition.yaml"
  - "instancemanagers.longhorn.io-CustomResourceDefinition.yaml"
  - "longhorn-default-setting-ConfigMap.yaml"
+  - "longhorn-psp-PodSecurityPolicy.yaml"
+  - "longhorn-psp-role-Role.yaml"
+  - "longhorn-psp-binding-RoleBinding.yaml"
  - "longhorn-manager-DaemonSet.yaml"
  - "longhorn-backend-Service.yaml"
  - "longhorn-ui-Deployment.yaml"
--- a/vars/secrets_store_files_list.yml
+++ b/vars/secrets_store_files_list.yml
@ -1,7 +1,7 @@
 ---
 secrets_store_files:
-  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
  - "secrets-store/secrets-store-csi-driver-ServiceAccount.yaml"
+  - "secrets-store/secretproviderclasses-role-ClusterRole.yaml"
  - "secrets-store/secretproviderclasses-rolebinding-ClusterRoleBinding.yaml"
  - "secrets-store/secrets-store.csi.k8s.io-CSIDriver.yaml"
  - "secrets-store/secretproviderclasses.secrets-store.csi.x-k8s.io-CustomResourceDefinition.yaml"
Author	SHA1	Message	Date
Adrien	8cc1e01af4	Update longhorn All checks were successful continuous-integration/drone/push Build is passing Details	2020-08-24 15:20:25 +02:00
Adrien	3d54f0c30d	Update secret-store	2020-08-24 15:20:02 +02:00