From aec63765e9f2b03bb03a689358f664d74078736b Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 17 May 2021 17:20:26 -0700 Subject: [PATCH] release: update manifest and helm charts for 0.0.15 (#509) Signed-off-by: Anish Ramasekar --- ...si-secrets-store-provider-azure-0.0.19.tgz | Bin 0 -> 13664 bytes .../Chart.yaml | 4 +- .../README.md | 28 ++++++---- .../requirements.lock | 6 +-- .../requirements.yaml | 2 +- .../templates/_helpers.tpl | 4 ++ .../templates/podsecuritypolicy.yaml | 24 +++++++++ .../provider-azure-installer-windows.yaml | 15 +++++- .../templates/provider-azure-installer.yaml | 15 +++++- .../templates/role.yaml | 14 +++++ .../templates/rolebinding.yaml | 16 ++++++ .../values.yaml | 48 +++++++++++++----- charts/index.yaml | 23 ++++++++- deployment/pod-security-policy.yaml | 8 ++- .../provider-azure-installer-windows.yaml | 11 +++- deployment/provider-azure-installer.yaml | 11 +++- .../Chart.yaml | 4 +- .../README.md | 17 ++++--- .../requirements.lock | 6 +-- .../requirements.yaml | 2 +- .../values.yaml | 16 +++--- .../provider-azure-installer-windows.yaml | 2 +- .../deployment/provider-azure-installer.yaml | 2 +- test/e2e/framework/config.go | 2 +- 24 files changed, 215 insertions(+), 65 deletions(-) create mode 100644 charts/csi-secrets-store-provider-azure-0.0.19.tgz create mode 100644 charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml create mode 100644 charts/csi-secrets-store-provider-azure/templates/role.yaml create mode 100644 charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml 
diff --git a/charts/csi-secrets-store-provider-azure-0.0.19.tgz b/charts/csi-secrets-store-provider-azure-0.0.19.tgz new file mode 100644 index 0000000000000000000000000000000000000000..1b4644e0680ce4f996751f7cf900326672b61400 GIT binary patch literal 13664 zcmV-mHJ{2KiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYMa~rv_Fr3fxE4t{U)^?T@NnOqJI&~CDNpyBC>qxS<&TDP0 zz!{K4G&7h5FtoXr|NB$8%$0K^MN*O@eAtzTxO6ufjYc=nZFAD**k)MpHW!rPcEISA zIGDB3A0fkAM-#+EXNElYPs^5Wx7*#@*-`)RcDwoiclUd{f9maYce}g$+xxq{KXrTi zyW6{eg6`5IE>J=)5c^a2-ecvFdm;q|M8F4ITVo<7;jm*blcq@EDsT1AmU@j2UZ)fhlo1>92L`$>KC*HdaI38>wk#s@_;j%zy3rpCUKJ{9Xc}X8rH)?rdk*f4|%9 z_MX@OCdvzV?_;10Jh^BMC&-mO#1L}qz~>3}AqZWU_+ua*8e?v$|DA`fYnJ=~KK*LF zfVNo~-s}R82^Vbk6Q1cRXUM~r^#WWv9?OnKlzB+Nzd7}-7jTS6N+J*r0)G)5%cbLg zs2cxs`TlGGBjoa^IkMlezO1sbumLysA}o~U>^-#>#TGEGjhIzlWF$^Dh89 z2nVp+^~^s#>?xFb-R?W0zPZFBjjIRL`56td%MEw|bq;->iU>mekrB#>m>s!@^D{No zt(FB41`ZPVQZOX&c&0}bvj7j^f-1iGpekrI(qAIrJoM#*kEV#Yk^}?j>A|MN#bZek zJ^uhN;B*9LDx4qHo)U7*4#(IRzy*_>^_jS?WL^{m*mtlad09+!>%*TuM$MUO2}m~O zk{v;AW5_|S+OBS+O)4UL#{#fJE~xh*8qr`s!N?VpKh7x=12}kd@Fw*QiOB$3Tjrms z+E>KGG?ZQJa`|~m-O$4kE9if{qoFUNPiQnEzT|5~GRaVfnJ=0_2*b{CDCux%Pp}h8 zQlE}}8h<|dg6&Xk<)&4ZIj=DDc=A&lJS6PN$(Mj(&J`!bzsX;3@ob=GI`tKR29mQS zr=L-A>Sun_yU8H)tqoJcM2OtB+@xJBEbBAz9r~F+xuqL1YLm6w>&~sle%0cwsQ>s@ z@AFFi4_T=%UceFcM`Rr8C1KjBd6KhUrpkhY)vWvWtRp*NcvPt6-^NFRHYa0Vsv2(z zhVhn%|P5wY~r6^z*Y&~exRT7!e`LARxTNXfY-k}gFTo0FW#(+HTpl(3shY1i+YPZjb` zj;(Yz#7^%8ktC#K*y!jIcbfsL-|2U{O`vkg6#JO-b4G{wevn071+uFgG~4yiSOBT* zsX+M8bHdT!dWzV!ONQ6ayzrgzf}VbT%DFIGZb}g_U(TuPp85i_DRKwU_tYkLfk&9h zT`!V*WumAfMPKLkfOiPpaw&4!LhW=D;kioEs>7Ru1tKm7>I1UX&aZY3 zRc^gvLO6^t5?Uh~5m#V_onPc0qESf>T`%C&7I*rBM1sQ*+bHB1IQ4Ma7_HD95$rk~5X1U(79Cg!hnK^d zBE|99rK~H30}rtMs$-pwfMFLSZfIsxWozcfg08+15g&z=#SL*l3U~u;8D(XaEOq~^ z`Ww7$PUfg386}|UUOE>VZrwPlm;Kskl3boN4;b;q2wH#P?Z5C=t~WjIA`?H)1eXH& z4q^_t>O8DA#|d`5^bvU*|M#L;o%5YPsP`&@Ro7?|)`n&tj`~N125&qHUAXWKJqPNTSllBnn zdEc7$hFGAUbxV9_0O!=XG<=~CNtTBNa*#lS*jZX6VzO&piJGrpA-}XEvD|?>Aijfr 
z0ex9jZm_a{j(<*!GAwlQ04_rRkRST9oEO2IN+JWEr7c<$%EdVn6Z22K7NpFhT%2L? znX=ossj5qvh#PzIz|l?Ypaa<3-QC`mM=JhLM#G>4EGGZ_z_pR7;CFczaj}Pefn3!O zFRZu%DYwY_&-~Cfr#;Nt#vD>A4r9cGsFhp(CJP&#v`|YfKX!AX~S~XjJO+l9D0s*pM*M|3jWThi$fI(%p_$e|Y5o z(N;So?8(ouf+$NfEh_qT5E=gr&6=UM2Z^elhd=iJM0HB=OzPc%Z~8reth!V_M9QV4 z5mKn9{7f}Nr`wm0FFTE9P?j7#`Kt#BBy*P%3MPE6bxhuaq@x@#5ZSv9wYlr8**zcK z)EuhR-J-;cqSr{7JWaV=v>{k4+&O}(pE`-b6TW>LlvWdHY!v=X&*v$-W@+2R_?b{d z%{&{=xrf?q>^lJ^zIYq@u7L&9U*#stuXCyYTsrW=H@ta`y)H39>k^Nw!T5q z{x_%o+Z61TZRcjTZ20&ZNx|sT+;F9Jn~gSS!7M^JuG9{&*H$*tG!(UcGy^4?_nh~% z5Fk~h9dgOOveMfE{;BDw1Sr|P@x8VK$_jfM#@xzMiPiXMz}xQ4Ft zrs1Mdjc??$tQLuu^w9Oa6cRM!EXl6di4eg*vB-V|2$U~;F|q*!%B#NET#XQMLx!&= z4D$(fodIlTekVQ=1i8o9MYBt6Q{UkO*v(Wia}@vD>t=oqFeB=CqJP~^|C+j_QLY-q zm6ENZ*U#dSxdV`!)|{lDQa497Pc}2R57M%-RoIcLt>kOlA*`mWDPq^k=NLI1udn41 zzE#+a(EyE&^Xgxeiz|8*ZCy=7Mw$jiY*|9xOtVBM$Wu6G?L_T}uT+#zT~w!ZlP^+p z@|R?i76tcb3b=i~gFE;=qyksy7nu`j1HOrltXXE$%l2q+eS1CcM~r&n*~O!-`5Y6b z)Z5v6rfukRaFnuL4J0|Iw_?9*s}U<@xTuzc<`l{@zR6tYifd&Jr<4yO4}Y09obIMZ z=gw5ER=YnFF_~+hx^0#qmcD|PUI95)&-EV}Ueo8l6`cQT&46|Hzq{MH_aFV;o#*ra zW=dZ7C4Ts21E>FoJoRfFpX!-kLtl5|&(~^v-j5qDb=og%{hxByFR~cJT5JHC%rzE( zbfv}4|LKAV>xp|S@X>r6IxqX*r_Yi1s9ZK!$NB{R)ba{Z?(#d2I)Dk zGZ|#-uGnCpIxkkH8yE`;DlT9u(5=^OD0nX4Wm&-f!>EgwiUUx0|7)+em$U!$cDA>l z?LV6+i{1ZHKci4gC?kI;u@b#XiS0rc)WyqR09(0Ph=s1+4BLPLV(wDGC-^~MW%~hs zRgyB%5A|=^n~ntYsNxi}p{^8ioNujwjCP53^Gk0Jcvp47^* zsxS`BGNP;?>YsT#ja-+0<}jln2nu5?%-ag(4^y#R)M)Ctb$*2Cjh%|{5^`J;U(k$1 ze1X|WN)17^)k)U(hrrYUuc5l)KIP>vM=3}-Lw#!wCI^Qemyw@#nx=82y zg`M|mJKt;4`N5K%?>FiEO=0K#)pVXEZ}f4yw)2BVo%f15->L1qlA)|Z3Pc|(cwwQ= zw~IQj;Dv=c-zn<6V!E0v1*?z((Z`DEYQn8nAqAq36-YPXR;!Q#=3~Ep`B!qQRY-xT z^ZFH9$*oo)1)|RDS7;@-rUR*{Q=T$j*e=qNDP# zTC%p5G4WD4wwM?{tfC6%yTIDDX-NVr5js`U3m>Csk@sPgR2xc0X=sZ@ds@DSBZjZ5# z84|cH4`32$J!_c|ZkBa5!7!pye^c{_hAsw|aG|FxW=8orKn!_UV8-KkAazh^E-({B zSRAavL>jiNza^28J~`CB7bh$i7w(nfj~YZv*Pw}rV%@=c)TmT2)Ra3oPQq_5+sPv+ zcX5p0^$k&|GA~vdXwOfgYyc0vU#5e}R47a3lLnVM7^t9fg$aUOcLp>HPg5sLV*6`i 
zomHN36vY^QsUqtHOa+@%t2P~u=hf<%4{lnmWeBjq5R%>zzRS`)O>Z3^X?3*TWZ4wG z^OuO1pm(E?>TAMbW#tZTKK;4@dS@>2E-~I6eBc<=4d7g;`KMLnQb#UdN~Sg)!q7Xu z#k`#S{<$h7{~EwvPmxEs^|H62clv$JQv4kS<19PaP+#9gQ#aQhtz1!2-tc;dNa&q^ zDbbwpcc7vRX(^owFS}OA*HG@@X4#1OO^G!}@8s#ovhYkX%LbST_l%!=DDp@8BlRClaMj zy7~Wx>~G2EObR9ao6g#jYhXTRt7qvQztdetemf44+>PW;8OObSYGt$hoqeFZ$gp$t zPQ8d;BkU_L8>V;u9aH0x<$1>;HWFC-9*7rErmu$35g<6H4lwK@L8j{V2Ne^{R-;pZ_12SopOh^UbQLKa~u#MiqO(uJlHdXd=xvK6pAzA)5uQ?aD z59*uNsRyCpNexlbSgYW#U&nNQ{rWxtud{5-URCtOe1Spl;K=ZFoKsAS4dgibe`QI< z)`!+|WwY`m^{jhg{aeaw6NX=Q0`>&kx9fs=ZAH@i;LX9CHPXC*-bhRqr#BLl?}OfP zGQRcDe4gGWy2E1o<;D3?6qw)%lU>q#m#=wr6xwvI~T8h3HwO{f0`NOvCkw&rFY8gegI^3WpSDMB zQ~tEFQ0&Xn`>A@=Hsw#73!A^N{$1uz%g)1N_o!{kpH>tlcQO6Dfj{j@$nVYAV+*1R zFEnZcf7%nE_U7rmtVgYxKkf08e9oWN>y|py`o#{lq(#o7rt4?vy{t#=*`L;Yh#b9_ z@~A!g)0z*Fq4$y=wP$}?^C8moUe=?wyg%)6$@ES6(@IhYE#NPH_U|+uB2DjQJv`6; zo#sOn(R)!3&$EB0`49#4Uf9F)?B8iVM4H~qdU&4wJI#kk(|cKu!vg+>$EA?u%BKAd z%X-wF{b|jIkn}ElV;=>ns{q7pxnXDv@T5AeTQg3Z-&Q&3x?Qf ziD1dmTdE*YAg;LWQ;;%E<%y(FA(Hjev;@891Jc$rg_$_#qcsY7!Wl9rzKWaf@$|I2{ z1@z9!lqU3k)PlqmEl;)|PM$QpsNBqc@~BO*s%+{$axJ}UEGXZR{p4tHJw@!=CBy5r zSWueLyT*d@Y(Hr}L?e3FSWsg5{lu@`Ke+v*;YIusdOrn~BvT$-KWTUozl7dTK_$tQ z2e+Rj7nLh5D0B3Fq85|~x1W^IJ1=YI3(Tgd=(1H5-##I9KwVd7u;3-9blQEC_aVc`zLOtr62+!5obUey1I9MR! 
z@{RF#I-%`y@$DmfY?P(QWI+a#26+vDucK`0K3gt-_%iW0MsTB8@W<%Vca#GZ0mED{ zVhil3w}MfQ{zz3RPDg4s;KQFjX71Cz7;@!#d>EYGMk8tt+{nff~ zZGgvS3QW;_H-~x+~`LSFkK8#slOV$pk&()*LBrhGj|WZ1*L;2oFRw~LQa zm;ZlfXD^rkzt`_R=l|YFaa3kB?ArwMfz>t{{L8dF3sSb2L4)L%jngz{^Ik%fWqSbH zDsDMsjJX&9pP>Hk-oP349E|ZU8ugr=ot`r~7@@tsJsOVo_c3;M@m}A-+Xvn4{()^{ z2fyj|NA|Y8-R<{LZ`kWvQ6fxd0Ihzv-)nbw+r9m(-rk_QKiGNG+1>5!>~6Qa`-5(` z^&Ly1#n%4}dG6w4)UE&R{`~sy?LM#nO_Zmy{sC<2>z8xo;6*3B?|8kgy3{8XuF09J zGCWrchPw5?*Wb^r|J}X){`30ZL_q=h7%jDF&q6`)F~9RB35W-9sM3dKHNV z!4MOF4BVbzCv>p`H1nX}#X?_%wIGgQFaR~C{CpUFvb0&j=(Emo$cR6_)SVK4d^+}N z{Q2YywnHWHtjHXZj!=1pna7i#+TbB!Pfp_41F7HSueW$M05J=&m9}rtKpsFS8|WAX zncwuH8f3n;^HB^W=*eEQ7rY0Me@1RWZ1(56 z0v2{!rI_E@;`&y0*$?3BHwz#YJ9Pk`ezgEnm!1dE8XR=r?6#Chotg@B;ra&9k~QLp zZ>ivkW|VA1#pI(7YpMQinM(*6@vY3V&+_}bmESu>OLONxQhqPHm3{y6d*zhbnE0N5 z#WE+rj|SJb*H2h#zmPmuo-^Oda$wgq7)u#CqRc}A{^#=jnXL8?^-uY)NbXy6EE7;B z2Jq&fdtfQ%{#lMYfWBqDcmeOw7vhB;aPkKR;=^zz59f3Q+ z?#Ee0_wCa2(d^onRdkI^!|{*o1t!1Z@{(0>IVufHO#XkV*o;RLY~NZDQBvRP+Qje| zHIAW&zV{v3m+x)=5!ee{Bo*ni_g5#E9q~ov$EdacZs+Yk``i0F&-R~9l&i#WJAY@2 za2R8uu9Y}AaOn)IFv>F;vc!UGT~R5b$Y=&)f<$?56U0FhTVUr$V4**V_J3Qr&~E$4 z!#qGXe*5(+bS|)q5yzdg=qr5tCV|o6DBCWyP!PzP5&uDpbKB|2URuzBZ{J#$bw)o+ zV8KQ{jHv6<&+>f2F>rwc4h!9BG=yjy47Ng!##mi%w37Iw$Y38y7o|DGI@^zG%R+{h zo;)svT;17;Cn3|YvjI7?!u9{#1iJxdyd#3FDY$0+_xE>pv+IAm+uwh-|8Asw{kruU zro@Dq%-E4dvQ~&PVM)kTu^=F=NER`nsxb!``;~lX#cmXhgn1tDSU)eMkMRfjf#8 zU^K=kbln;J9wL{F2zCGkfdac@{epGxs=kn8NEA2>v5i709H@uWzAA<6h+x;@fS5_d zq9vgU8~SoMQ-nA^yOed6ts}tptB!R#0;c7d?!>0b5fw!mRo{q!&%||Mh#}+>P7X)` zZ=fxvtE`Zv?VnX|gSX9z9JM5)1Tfu8M*7C}vR@lbk<_oFe*}#9Vg#+f@b+JLE7zMI zcadqIXMszBdks1f9f8D7OH0Qt@qh49ss)YQHIJ z;~^i7vC|&Ta;+}SJ@T@K+V9w^-rHuP1*^>F#3%ttqgHy!aO_PnJEC47WkO3ioDbUF7IcnK zfQG~+f?(eHDRE18k|{_qgqATCMS8}xSG9f$st>V1z3TN*A^%sn|0g8NIfHBU|K8mG zzt?-d|GANpzW`ip`x9j^j4Zh^YO9oU>W}DqUxiSQ zZ9hmzt>ePja-#Ek#fsZ&yy5^}z@g*li}b18U3Q{hM@1W_M;)cyoXf^sU1dwGN$OBz za}qf?e2g6qC&2_W4>ROStzd|yGS#ubM0o$1jIcekUHpzZm@D5#TQyNFtgl}q;q?IX 
zzryt|PiE#tj((66$$^^n-|Oyd=hlCJr}upSYa_+1tw=%4z2A~dnU)ZGUZYLN2!eC! zT$*{;j*J39{Bv}D1%QPv9>7KDAM!(g zrp@ zt{RrFV%(HU_0TN(T-I1tDE}FCahuP4Th~prz&ibJXTO`1|GoX4XZ!C)ij=vD_)olF zQJ_k7rfRp_nQcJr5-1cC%E%wezmptCBJEI{hcBp$GuweOloIM+5f5{LykG!+=(;)0 zG4|zZ=UrQ}mL)}$x@e06k_fuC_Q_`a;_cXTq#hCs%|~sdRew6z#pchk68UZAl2d;K zNZ1qgR~UJ;+uBR@u&UZxN^a5qW*n+ZzVsZH|oxRd%JV~-`)M~C%*olNXf4Mbhwm<-T7@7agO=o zJHNVyTE6k?&Am}i0d;cy%&7{Wi+h_le|>4kVyaM6$)Wuq!%BPw65-tV_t%@&2)bn5EdLAj$6EbwcPD@T z>pyw@?}?OZ`M-Y6FD>WSuK8s)mH%|jPnR;}+EIYZ6&wVs*MDz!Z#QrM+3oe7`ucw| z=fBK`m`hUZNTw$Bp=ASQR_v726@Ad;*8P~{b0=6B(a-gad`5Mrpfuv?(^USo>b&{^E)~>n-QqFSm z2{4OP>R^~!sL6`#^$TP}8tAMn%n`nL4d(Oylq@~cc*W&JV)g3EuFa~t1y~o4mb_&v z7*6gUZTC|uIXgaoe|mQHDlZdSZS}~NIB);_ zGP^X3s>WKLX7#sH|X8Kk9Q^`B9LSlHtPl2v$ zrm0-s*F5;;^Ie5iZ?_>@MNiX8CRkQ9Vz?bWMN4B<($&UMDtabYh*DIs9Z=V8NAK0r zD3x^82qn!4`dO^nI*aza)U(;berssb?=_@J!K1%Ic%yo4Wok6Dod&$PqgBmuzuyp_ zf;WYQ_{6JlqAIp+Su>4KaYv5|;Ogi+^;<#MiPTge;)V=gO&I1A>N*41&DEF)5&RR2`AH7c z1a1`r6GbX0{#BlF3389Ii)NSDroO`mu-(no62!wa6mf-KzCwT*QMXmi@4IyiXYJ<| zRZFR%)m=0@d}@#7d>4!cXl&l_|D8C5VOxhMC`KvLOlz^Kj>AzZ-J%>bD?U!GY9U5+ z$mVKlb}p;TcUE#pE6yR6+fbUwx60&SSt92TfJ<3Sht9x~ zxknF8#94IJKDVnbCflwvjdk#$VJfJ;{oKc`J?8EvW{TJHDh&@G(M^}2Jn?(fXqs&?h(dFv54ay3Xb zZrpUGXD9B%IdK<=8NRSX>>zEI%1!w9;ma*W>Zy8iOA&eseq0UwO1-$H^mvj!+)`|w zqz88qY@YqMb&%EhZ=>_`Lwaw^l;NkVjXs3mwrX2`_S$B#|31C8rN@#be72>h%Z++$ z7fF3nBHA9rb=!0;F5|e>-7Vs_Ep4%w)3&sm<}TZ2Mv(8@OS@I*qb(rr#yzyghPbSM zwygOBdS@F;vCX+=Ys_}BV|J?wzB#z=y>4sGo5H&-n}GVTe)J#jHKXzLJf@khl(JnSkZfZf8ejMO!LVOs68I zNaUa!>sSJn(MNm~@10RtfVs>Z>Q|R=@l#oipLJ9ekXs2uZVAk)1}FYFbP+48V*zlR zN=Y2M#+@WRz6mIzsWR=U+)ern&g}{IP$ZdYfc?Ys(~sMina=>3#b}wmCIiL~5>gYmS%+iSFc_S%W02DcCXq-0fSm|Lg#|=k*jSYI(3VO zX27uQ7eYVPgUNvn?;aMO+7F4iI{Dv^+1N9pp0)hQZrUb0}-<)L||J; z@qhx-R>1mdA$2_GMXag*P_R*R!H7Rj{h*k)g36M0<@6%cRAZ44GfGTzadLSTE6JMR znzl(*o{(9Ri1;JSbWN2xPWBQVE_BKem&h%aheMAD9w#FNK|64yq=!m}p{_SL9XR#j z2zl5&LL9H1$da18Es58R%-MSt*~*$uX;W3|qCm3+co|?jvkDx{Rh~O8kWgXD%fwUl zN>slfhCD1X7YE{%>NrFj9L`JIS5Tz@xg+Y2$k-%?Q<6kdgN%qB>#}nll#tP&rP|B` 
zRWoXwSI^IyA#3r`LhpSPH74JZ2<#P-s9=h9C)M-HXTFUc`00R0$@(-M^7bOAoMQvR z9D_E1y9WAWB+zmgC~!&#tiwf@TRf}!IS02KP@AHqln-bSy6H1jQK@9?q-c!P;k`LH z>GVm4B!Vh(-5;ciC6ld!7(=td8gAysTD~-u42@yVkjCWhp`&@Wsl=wDiteOpib^ME zF&HYaR271JCN%cJ8BQzLYc2BvdkA5++BsjRS$5v;29m)yf>~)IV+NYpEC|msUqh zCr-U9Kd$v0zie5|{*#Kkxqu<4#{RRj+s(!Q-RbvspL+b?XZz1a?LTSG+@K*S-a+au zLUGk5rlD*s-WnTGT={{GMag!$fYm4l{@Hx=Y(9E6A64o<%V^;7qFh!L&x*L}1qzXG z9v3LI8mS?rE=GRtSGo$TN(Sr#6N}-y5f=6YJDR!VUZ>V6PiOdBsS01KdrymGTI2Rh z>B=etWATx=)&iCx^TK@y#KyS5LtWYIS+!qRSz-Kl^YRVpmv5=_L0$a!?Y#cK-P_xK z&i}fR(meiqdUgQrq6yKb7b|WQSQC|FHR1R-<@a1gD{BCqq zIt+yJYzzOwuGf)6zJPOvrAkjY5tv(68$QV&VY=Pv{`J?Fkwo-TGaE zr=Z(?NzhY||NamwM10AT2IXH3K-9EKb- zd0fE0=-AXt-LP(RGOk!V9^wKsv&13@BJn%7GD|@!9Y7+danHCxE$eE6VMJY*epb{# zLl-OKh1Qefxs#t0Cvjx!trHoVvWg4D1QQk~);8x{%esT}sMmRYHdF54IMMTK>aMFu z7&HP4x3un{-K;?4n(Hge!=Ny|k(>MbDQ1i~_@;`Um)c?=sN^m|kn7HXnueuZ9>)+# zVrQt^p0NSqaX73!przv3~L~az+Ae3Qe{vdtg)!gJ9uOq)K6$eMwS)@LjCkX~(;10E|)r4yjYIR#NWZ zW^0PrmP>|PX8eW=Hic>WHA-RYJf?Aj4dN;>ZT^h%rWn)oin1(Q&vXo~dYUcqD#WG(A2{al5nMXv@bcEB<5x>yRDtOd(g?DcRzBaq zNpWvBGQeh!tK||Yf=U5Zq~TR!nw3hGm~QB}x)O<09AF{Kz2%s0=(wsS()Rr%Qc0MC zo75=HB~p$WD?7HWL?U5-T1}`sIPs^1QQyP9fGJ``9`lq=G{g`f&aty@C2=L%;9T5> ze24OU>JS?Vb2){00c8UD`c5^1bLs%YE)rylCHhoMFq2<-=brebVOW7}uqaUSO?DK$ zPG84iq+h46h^`EqN_basmdS=EEw_I~y)5!898~ zyT-bLz*hI4&D}!aQRwaUOQZ{`JeMEzz{(}i0}p-q;G-!bu9T9cmhG~fp>rDkFS_Cb zTJi5`!!JwpRfFk6Sn=@d_q5@cV47D8n_;?M9dSk4V2u^O8K&#i5$|ckpTo3R zOm~P~_x*~~GW5ut* zbR);rd)n}8(!nO4;zcCVdaU>>l1MdH{N-)@d zD>}>6Sn*SsKA07Mb(mIJ@$;BIgcW~9nATYFm$%`sR3hEShF@}nV}6ua8(g!_R|Uh( z;#;Y1X)sMv!BySw{lGD(ba5^nkBL79om=i6kS`1`+$iJV(zogINfk=&g8pnOg4PC9 z`i0GwJGgms&^=gUS_?3Z(m@oyt;k@S=snRKPvabg`pC2LatAjH`zcIIiRpZTsggN; zhrSRm^njB;Fc2SxGpR+;5sWX+kEEU$NFk(yRG8EO_eE_EhMS$a^;V4FMvipzqYhz(6@np`yAH!# zFk%brs9j zn@aV5ml-u*c4{8M{S;rC2VZN&kz?njjv%W!L_OrQC&(WwwOKo0&`4lrvN7(wy6>Ep z*JI2i<6_ntCQo`uYZL@u&L)EaIiW{VMo23l`Hoa&)PZ)QhfrNm=n`%^ zxWMrvea)QeJODTIG4f2TtdL{ptrB-NnBHej3vx+TVyY9-fl5xP@Qfa_OSv1n8rM=* 
yk7*GT-$5j^46Yj0O>=MGTT&uDbij+}@?4(Fb9pYR{J#JI0RR72(8jd@x&Z(jHHF{+ literal 0 HcmV?d00001 diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 00b52f698..94b146541 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: csi-secrets-store-provider-azure -version: 0.0.18 -appVersion: 0.0.14 +version: 0.0.19 +appVersion: 0.0.15 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index 70e5a44f1..27d2bf4a0 100644 --- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -20,6 +20,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `0.0.16` | `0.0.19` | `0.0.12` | | `0.0.17` | `0.0.20` | `0.0.13` | | `0.0.18` | `0.0.21` | `0.0.14` | +| `0.0.19` | `0.0.22` | `0.0.15` | ## Installation 
@@ -48,16 +49,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | | `nameOverride` | String to partially override csi-secrets-store-provider-azure.fullname template with a string (will prepend the release name) | `""` | | `fullnameOverride` | String to fully override csi-secrets-store-provider-azure.fullname template with a string | `""` | -| `image.repository` | Image repository [**DEPRECATED**]. Use `linux.image.repository` and `windows.image.repository` instead. | `""` | -| `image.pullPolicy` | Image pull policy [**DEPRECATED**]. Use `linux.image.pullPolicy` and `windows.image.pullPolicy` instead. | `""` | -| `image.tag` | Azure Keyvault Provider image [**DEPRECATED**]. Use `linux.image.tag` and `windows.image.tag` instead. | `""` | | `imagePullSecrets` | Secrets to be used when pulling images | `[]` | | `logFormatJSON` | Use JSON logging format | `false` | | `logVerbosity` | Log level. Uses V logs (klog) | `0` | | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `0.0.14` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `0.0.15` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -70,10 +68,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.healthzPort` | port for health check | `"8989"` | | `linux.healthzPath` | path for health check | `"/healthz"` | | `linux.healthzTimeout` | RPC timeout for health check | `"5s"` | +| `linux.volumes` | Additional volumes to create for the KeyVault provider pods. | `[]` | +| `linux.volumeMounts` | Additional volumes to mount on the KeyVault provider pods. | `[]` | +| `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` | | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `0.0.14` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `0.0.15` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | 
@@ -85,33 +86,38 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.healthzPort` | port for health check | `"8989"` | | `windows.healthzPath` | path for health check | `"/healthz"` | | `windows.healthzTimeout` | RPC timeout for health check | `"5s"` | +| `windows.volumes` | Additional volumes to create for the KeyVault provider pods. | `[]` | +| `windows.affinity` | Configures affinity for provider pods on windows nodes | Match expression `type NotIn virtual-kubelet` | +| `windows.volumeMounts` | Additional volumes to mount on the KeyVault provider pods. | `[]` | | `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true | | `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true | | `secrets-store-csi-driver.linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | | `secrets-store-csi-driver.linux.metricsAddr` | The address the metric endpoint binds to | `:8080` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v0.0.21` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v0.0.22` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.1.0` | +| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.2.0` | | 
`secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.2.0` | +| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.3.0` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | | `secrets-store-csi-driver.windows.metricsAddr` | The address the metric endpoint binds to | `:8080` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v0.0.21` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v0.0.22` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.1.0` | +| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.2.0` | | `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | 
`mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.2.0` | +| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.3.0` | | `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | | `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` | | `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `false` | | `rbac.install` | Install default service account | true | +| `rbac.pspEnabled` | If `true`, create and use a restricted pod security policy for Secrets Store CSI Driver AKV provider pod(s) | false | | `constructPEMChain` | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | `false` | +| `driverWriteSecrets` | Return secrets in grpc response to the driver (supported in driver v0.0.21+) instead of writing to filesystem | `false` | diff --git a/charts/csi-secrets-store-provider-azure/requirements.lock b/charts/csi-secrets-store-provider-azure/requirements.lock index c432d8997..eca42357a 100644 --- a/charts/csi-secrets-store-provider-azure/requirements.lock +++ b/charts/csi-secrets-store-provider-azure/requirements.lock 
@@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts - version: 0.0.21 -digest: sha256:60e7b4b099046b358fa55d84e2261eb231513ebb5f86b675c92d7ff11f410b82 -generated: "2021-04-01T15:27:53.43388-07:00" + version: 0.0.22 +digest: sha256:df1deee5af1d441df8fa62cfbf77eed5e62de380328ccede902fc3c3022a1b10 +generated: "2021-05-17T16:07:49.551453-07:00" diff --git a/charts/csi-secrets-store-provider-azure/requirements.yaml b/charts/csi-secrets-store-provider-azure/requirements.yaml index 0126d5ffd..0738cb98c 100644 --- a/charts/csi-secrets-store-provider-azure/requirements.yaml +++ b/charts/csi-secrets-store-provider-azure/requirements.yaml @@ -1,5 +1,5 @@ dependencies: - name: secrets-store-csi-driver repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts - version: 0.0.21 + version: 0.0.22 condition: secrets-store-csi-driver.install diff --git a/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl b/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl index 95dfdb2d2..da9dc3435 100644 --- a/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl +++ b/charts/csi-secrets-store-provider-azure/templates/_helpers.tpl @@ -32,3 +32,7 @@ labels: app: {{ template "sscdpa.name" . }} helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" {{- end -}} + +{{- define "sscdpa.psp.fullname" -}} +{{- printf "%s-psp" (include "sscdpa.fullname" .) -}} +{{- end }} diff --git a/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml b/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..4f4ea873b --- /dev/null +++ b/charts/csi-secrets-store-provider-azure/templates/podsecuritypolicy.yaml 
@@ -0,0 +1,24 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "sscdpa.psp.fullname" . }}
+{{ include "sscdpa.labels" . | indent 2 }}
+spec:
+ seLinux:
+ rule: RunAsAny
+ privileged: true
+ volumes:
+ - hostPath
+ - secret
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
index 6b4cef45c..9bb89cd8f 100644
--- a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml
@@ -29,8 +29,8 @@ spec:
 serviceAccountName: csi-secrets-store-provider-azure
 containers:
 - name: provider-azure-installer
- image: "{{ .Values.image.repository | default .Values.windows.image.repository }}:{{ .Values.image.tag | default .Values.windows.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.windows.image.pullPolicy }}
+ image: "{{ .Values.windows.image.repository }}:{{ .Values.windows.image.tag }}"
+ imagePullPolicy: {{ .Values.windows.image.pullPolicy }}
 args:
 - --endpoint=unix://C:\\provider\\azure.sock
 {{- if .Values.logFormatJSON }}
@@ -48,6 +48,9 @@ spec:
 - --healthz-port={{ .Values.windows.healthzPort }}
 - --healthz-path={{ .Values.windows.healthzPath }}
 - --healthz-timeout={{ .Values.windows.healthzTimeout }}
+ {{- if .Values.driverWriteSecrets }}
+ - --driver-write-secrets={{ .Values.driverWriteSecrets }}
+ {{- end }}
 livenessProbe:
 httpGet:
 path: {{ .Values.windows.healthzPath }}
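Review bot: The new PodSecurityPolicy in templates/podsecuritypolicy.yaml is far broader than the "restricted" policy that the README row for `rbac.pspEnabled` promises: it sets `privileged: true`, allows `hostPath` with no `allowedHostPaths`, opens `hostPorts` 0-65535 and uses `RunAsAny` for every user and group rule. Because the Role and RoleBinding added in this commit grant `use` of it to the `csi-secrets-store-provider-azure` service account, any pod running under that account could run privileged and mount any host directory. The DaemonSet hunks here show only `hostNetwork: true` and hostPath mounts such as `/var/lib/kubelet/pods`; if the provider container does not itself request privileged mode, drop `privileged: true`, add an `allowedHostPaths:` list limited to the directories the pods mount (for example `- pathPrefix: /var/lib/kubelet/pods`), and narrow `hostPorts` to the configured healthz port. The same widening is made in deployment/pod-security-policy.yaml, where the existing `allowedHostPaths` entry is removed.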
@@ -64,6 +67,11 @@ spec:
 - name: mountpoint-dir
 mountPath: "C:\\var\\lib\\kubelet\\pods"
 mountPropagation: HostToContainer
+ {{- if .Values.windows.volumeMounts }}
+ {{- toYaml .Values.windows.volumeMounts | nindent 12 }}
+ {{- end}}
+ affinity:
+{{ toYaml .Values.windows.affinity | indent 8 }}
 {{- if .Values.windows.priorityClassName }}
 priorityClassName: {{ .Values.windows.priorityClassName | quote }}
 {{- end }}
@@ -75,6 +83,9 @@ spec:
 - name: mountpoint-dir
 hostPath:
 path: C:\var\lib\kubelet\pods\
+ {{- if .Values.windows.volumes }}
+ {{- toYaml .Values.windows.volumes | nindent 8 }}
+ {{- end}}
 nodeSelector:
 kubernetes.io/os: windows
 {{- if .Values.windows.nodeSelector }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
index 76942ad3c..047f14f49 100644
--- a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
+++ b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml
@@ -30,8 +30,8 @@ spec:
 hostNetwork: true
 containers:
 - name: provider-azure-installer
- image: "{{ .Values.image.repository | default .Values.linux.image.repository }}:{{ .Values.image.tag | default .Values.linux.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy | default .Values.linux.image.pullPolicy }}
+ image: "{{ .Values.linux.image.repository }}:{{ .Values.linux.image.tag }}"
+ imagePullPolicy: {{ .Values.linux.image.pullPolicy }}
 args:
 - --endpoint=unix:///provider/azure.sock
 {{- if .Values.logFormatJSON }}
@@ -49,6 +49,9 @@ spec:
 - --healthz-port={{ .Values.linux.healthzPort }}
 - --healthz-path={{ .Values.linux.healthzPath }}
 - --healthz-timeout={{ .Values.linux.healthzTimeout }}
+ {{- if .Values.driverWriteSecrets }}
+ - --driver-write-secrets={{ .Values.driverWriteSecrets }}
+ {{- end }}
 livenessProbe:
 httpGet:
 path: {{ .Values.linux.healthzPath }}
@@ -69,6 +72,11 @@ spec:
 - name: mountpoint-dir
 mountPath: /var/lib/kubelet/pods
 mountPropagation: HostToContainer
+ {{- if .Values.linux.volumeMounts }}
+ {{- toYaml .Values.linux.volumeMounts | nindent 12 }}
+ {{- end}}
+ affinity:
+{{ toYaml .Values.linux.affinity | indent 8 }}
 {{- if .Values.linux.priorityClassName }}
 priorityClassName: {{ .Values.linux.priorityClassName | quote }}
 {{- end }}
@@ -79,6 +87,9 @@ spec:
 - name: mountpoint-dir
 hostPath:
 path: "/var/lib/kubelet/pods"
+ {{- if .Values.linux.volumes }}
+ {{- toYaml .Values.linux.volumes | nindent 8 }}
+ {{- end}}
 nodeSelector:
 kubernetes.io/os: linux
 {{- if .Values.linux.nodeSelector }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/role.yaml b/charts/csi-secrets-store-provider-azure/templates/role.yaml
new file mode 100644
index 000000000..708bf572a
--- /dev/null
+++ b/charts/csi-secrets-store-provider-azure/templates/role.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.rbac.pspEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "sscdpa.psp.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{ include "sscdpa.labels" . | indent 2 }}
+rules:
+ - apiGroups: [ 'policy' ]
+ resources: [ 'podsecuritypolicies' ]
+ verbs: [ 'use' ]
+ resourceNames:
+ - {{ template "sscdpa.psp.fullname" . }}
+{{- end }}
diff --git a/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml b/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
new file mode 100644
index 000000000..60be5bedf
--- /dev/null
+++ b/charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml
@@ -0,0 +1,16 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "sscdpa.fullname" . }} + namespace: {{ .Release.Namespace }} +{{ include "sscdpa.labels" . | indent 2 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "sscdpa.psp.fullname" . }} +subjects: + - kind: ServiceAccount + name: csi-secrets-store-provider-azure + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index 15b5769c4..4c555ccbc 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -1,9 +1,3 @@ -# [DEPRECATED] use linux.image and windows.image instead. -image: - repository: "" - tag: "" - pullPolicy: "" - # One or more secrets to be used when pulling images imagePullSecrets: [] # - name: myRegistryKeySecretName @@ -18,7 +12,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: 0.0.14 + tag: 0.0.15 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -44,11 +38,22 @@ linux: healthzPort: 8989 healthzPath: "/healthz" healthzTimeout: "5s" + volumes: [] + volumeMounts: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: 0.0.14 + tag: 0.0.15 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -73,6 +78,17 @@ windows: healthzPort: 8989 healthzPath: "/healthz" healthzTimeout: "5s" + volumes: [] + volumeMounts: [] + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet ## Configuration values for the secrets-store-csi-driver dependency. ## ref: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md @@ -85,15 +101,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v0.0.21 + tag: v0.0.22 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.1.0 + tag: v2.2.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.2.0 + tag: v2.3.0 pullPolicy: IfNotPresent windows: @@ -102,15 +118,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v0.0.21 + tag: v0.0.22 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.1.0 + tag: v2.2.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.2.0 + tag: v2.3.0 pullPolicy: IfNotPresent enableSecretRotation: false @@ -121,6 +137,10 @@ secrets-store-csi-driver: ## Install default service account rbac: install: true + pspEnabled: false # explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT constructPEMChain: false + +# Return secrets in grpc response to the driver (supported in driver v0.0.21+) instead of writing to filesystem +driverWriteSecrets: false diff --git a/charts/index.yaml b/charts/index.yaml index 35d3007c7..b542c3437 100644 --- a/charts/index.yaml +++ b/charts/index.yaml 
@@ -1,6 +1,27 @@ apiVersion: v1 entries: csi-secrets-store-provider-azure: + - apiVersion: v1 + appVersion: 0.0.15 + created: "2021-05-17T16:10:33.398158-07:00" + dependencies: + - condition: secrets-store-csi-driver.install + name: secrets-store-csi-driver + repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts + version: 0.0.22 + description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. + digest: c0ab718115bf88065c0dfb060a825217eeb6784b79067c36922619fba0e9c78b + home: https://github.com/Azure/secrets-store-csi-driver-provider-azure + kubeVersion: '>=1.16.0-0' + maintainers: + - email: anish.ramasekar@gmail.com + name: Anish Ramasekar + name: csi-secrets-store-provider-azure + sources: + - https://github.com/Azure/secrets-store-csi-driver-provider-azure + urls: + - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.19.tgz + version: 0.0.19 - apiVersion: v1 appVersion: 0.0.14 created: "2021-04-01T16:48:44.791244-07:00" @@ -295,4 +316,4 @@ entries: urls: - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.5.tgz version: 0.0.5 -generated: "2021-04-01T16:48:44.78798-07:00" +generated: "2021-05-17T16:10:33.395556-07:00" diff --git a/deployment/pod-security-policy.yaml b/deployment/pod-security-policy.yaml index 46ab38a5a..880e5a4a0 100644 --- a/deployment/pod-security-policy.yaml +++ b/deployment/pod-security-policy.yaml 
@@ -61,16 +61,20 @@ metadata: spec: seLinux: rule: RunAsAny + privileged: true volumes: - hostPath + - secret + hostNetwork: true + hostPort: + - min: 0 + - max: 65535 fsGroup: rule: RunAsAny runAsUser: rule: RunAsAny supplementalGroups: rule: RunAsAny - allowedHostPaths: - - pathPrefix: /etc/kubernetes/secrets-store-csi-providers --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml index 2fab22ca8..8fcb91485 100644 --- a/deployment/provider-azure-installer-windows.yaml +++ b/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock @@ -52,6 +52,15 @@ spec: - name: mountpoint-dir mountPath: "C:\\var\\lib\\kubelet\\pods" mountPropagation: HostToContainer + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet volumes: - name: providervol hostPath: diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml index 2ccf7528c..32f97d5fb 100644 --- a/deployment/provider-azure-installer.yaml +++ b/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock 
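Review bot: In `deployment/pod-security-policy.yaml` the added `hostPort:` key is not a PodSecurityPolicy field; the spec field is `hostPorts`, and each list entry is one range carrying both bounds. As written, `- min: 0` and `- max: 65535` are two separate entries under an unknown key, so the intended range is likely dropped or rejected depending on validation; it should read `hostPorts:`, `- min: 0`, `  max: 65535`. The same hunk adds `privileged: true` and removes `allowedHostPaths`, so the policy now admits privileged pods that can mount any host path. Unless a container in the daemonset needs that, keep `allowedHostPaths` with the removed `/etc/kubernetes/secrets-store-csi-providers` prefix plus any other host path the daemonset mounts, and leave `privileged` off. The policy definition starts above the hunk.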
@@ -53,6 +53,15 @@ spec: - name: mountpoint-dir mountPath: /var/lib/kubelet/pods mountPropagation: HostToContainer + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet volumes: - name: providervol hostPath: diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 00b52f698..94b146541 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: csi-secrets-store-provider-azure -version: 0.0.18 -appVersion: 0.0.14 +version: 0.0.19 +appVersion: 0.0.15 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index 91a7eff16..27d2bf4a0 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -20,6 +20,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `0.0.16` | `0.0.19` | `0.0.12` | | `0.0.17` | `0.0.20` | `0.0.13` | | `0.0.18` | `0.0.21` | `0.0.14` | +| `0.0.19` | `0.0.22` | `0.0.15` | ## Installation 
@@ -54,7 +55,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `0.0.14` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `0.0.15` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `{}` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -73,7 +74,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `0.0.14` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `0.0.15` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | 
@@ -94,25 +95,25 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.metricsAddr` | The address the metric endpoint binds to | `:8080` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v0.0.21` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v0.0.22` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.1.0` | +| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.2.0` | | `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.2.0` | +| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.3.0` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | | `secrets-store-csi-driver.windows.metricsAddr` | The address the metric endpoint 
binds to | `:8080` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v0.0.21` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v0.0.22` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.1.0` | +| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.2.0` | | `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.2.0` | +| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.3.0` | | `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | | `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` | | `secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. 
Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `false` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.lock index c432d8997..eca42357a 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.lock +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts - version: 0.0.21 -digest: sha256:60e7b4b099046b358fa55d84e2261eb231513ebb5f86b675c92d7ff11f410b82 -generated: "2021-04-01T15:27:53.43388-07:00" + version: 0.0.22 +digest: sha256:df1deee5af1d441df8fa62cfbf77eed5e62de380328ccede902fc3c3022a1b10 +generated: "2021-05-17T16:07:49.551453-07:00" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.yaml index 0126d5ffd..0738cb98c 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/requirements.yaml @@ -1,5 +1,5 @@ dependencies: - name: secrets-store-csi-driver repository: https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts - version: 0.0.21 + version: 0.0.22 condition: secrets-store-csi-driver.install diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index efb4e043f..4c555ccbc 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml 
@@ -12,7 +12,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: 0.0.14 + tag: 0.0.15 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -53,7 +53,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: 0.0.14 + tag: 0.0.15 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -101,15 +101,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v0.0.21 + tag: v0.0.22 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.1.0 + tag: v2.2.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.2.0 + tag: v2.3.0 pullPolicy: IfNotPresent windows: @@ -118,15 +118,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v0.0.21 + tag: v0.0.22 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.1.0 + tag: v2.2.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.2.0 + tag: v2.3.0 pullPolicy: IfNotPresent enableSecretRotation: false diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml index 1b599d018..8fcb91485 100644 --- a/manifest_staging/deployment/provider-azure-installer-windows.yaml +++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml 
@@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml index 1f1626d71..32f97d5fb 100644 --- a/manifest_staging/deployment/provider-azure-installer.yaml +++ b/manifest_staging/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.14 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:0.0.15 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index 2c2d9b9cc..1c116fa4a 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go @@ -15,7 +15,7 @@ type Config struct { KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"` - ImageVersion string `envconfig:"IMAGE_VERSION" default:"0.0.14"` + ImageVersion string `envconfig:"IMAGE_VERSION" default:"0.0.15"` IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"` IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"` IsKindCluster bool `envconfig:"CI_KIND_CLUSTER" default:"false"`