diff --git a/parts/k8s/addons/secrets-store-csi-driver.yaml b/parts/k8s/addons/secrets-store-csi-driver.yaml
index 5703384ae5..cd66809e62 100644
--- a/parts/k8s/addons/secrets-store-csi-driver.yaml
+++ b/parts/k8s/addons/secrets-store-csi-driver.yaml
@@ -19,6 +19,42 @@ metadata:
 addonmanager.kubernetes.io/mode: Reconcile
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: secretproviderclasses-role
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasspodstatuses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - secrets-store.csi.x-k8s.io
+ resources:
+ - secretproviderclasspodstatuses/status
+ verbs:
+ - get
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: secretproviderclasses-rolebinding
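Review bot: The third rule grants get/patch/update on `secretproviderclasspodstatuses/status`, but the SecretProviderClassPodStatus CRD added later in this file (the hunk at `@@ -90,9 +150,117 @@`) goes straight from `scope: Namespaced` to `validation:` with no `subresources: status: {}` stanza, so unless one is declared outside the visible lines the `/status` endpoint does not exist and that rule grants nothing while status writes go through the main resource already covered by the second rule. Either drop the rule or enable the status subresource in the CRD so the two stay consistent. A one-line comment above the role such as `# Mirrors the driver's kubebuilder RBAC markers; the /status rule only takes effect if the CRD enables the status subresource` would keep the next version bump from carrying it forward unexamined.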
@@ -36,21 +72,44 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: secretproviderclasses-role
+ name: secretprovidersyncing-role
 labels:
 addonmanager.kubernetes.io/mode: Reconcile
 rules:
 - apiGroups:
- - secrets-store.csi.x-k8s.io
+ - ""
 resources:
- - secretproviderclasses
+ - secrets
 verbs:
+ - create
+ - delete
 - get
 - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: secretprovidersyncing-rolebinding
+ labels:
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: secretprovidersyncing-role
+subjects:
+- kind: ServiceAccount
+ name: secrets-store-csi-driver
+ namespace: kube-system
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.3.0
+ creationTimestamp: null
 name: secretproviderclasses.secrets-store.csi.x-k8s.io
 labels:
 addonmanager.kubernetes.io/mode: Reconcile
@@ -61,7 +120,8 @@ spec:
 listKind: SecretProviderClassList
 plural: secretproviderclasses
 singular: secretproviderclass
- scope: ""
+ preserveUnknownFields: false
+ scope: Namespaced
 validation:
 openAPIV3Schema:
 description: SecretProviderClass is the Schema for the secretproviderclasses
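Review bot: `secretprovidersyncing-role` gives the `secrets-store-csi-driver` service account create/delete/get/list/patch/update/watch on core `secrets` in every namespace, bound cluster-wide by the new ClusterRoleBinding, and that account runs in the driver DaemonSet on every node. This replaces a role that only read `secretproviderclasses`, so a compromised driver pod on any single node now yields read/write access to every Secret in the cluster; presumably this is what the upstream `secretObjects` sync feature requires, but nothing in the manifest says so. Suggest a comment above the rule: `# Required by the secretObjects sync feature: the driver creates/updates K8s Secrets mirrored from the provider, cluster-wide.` It is also worth checking whether the binding can be left out when secret syncing is not used in a given cluster.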
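Review bot: `scope` is immutable on an existing CustomResourceDefinition, so on clusters that already have `secretproviderclasses.secrets-store.csi.x-k8s.io` from the previous addon version the change from `scope: ""` to `scope: Namespaced` only applies cleanly if the empty value was defaulted to Namespaced by the API server (apiextensions v1beta1 does that, as far as I know). Worth verifying the addon-manager Reconcile apply on an upgraded cluster rather than only on a fresh one. The CRD spec continues past the hunk.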
@@ -70,12 +130,12 @@ spec: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -90,9 +150,117 @@ spec: provider: description: Configuration for provider name type: string + secretObjects: + items: + description: SecretObject defines the desired state of synced K8s + secret objects + properties: + data: + items: + description: SecretObjectData defines the desired state of synced + K8s secret object data + properties: + key: + description: data field to populate + type: string + objectName: + description: name of the object to sync + type: string + type: object + type: array + labels: + additionalProperties: + type: string + description: labels of K8s secret object + type: object + secretName: + description: name of the K8s secret object + type: string + type: + description: type of K8s secret object + type: string + type: object + type: array type: object status: description: SecretProviderClassStatus defines the observed state of SecretProviderClass + properties: + byPod: + items: + description: ByPodStatus defines the state of SecretProviderClass + as seen by an individual controller + properties: + id: + description: id of the pod that wrote the status + type: string + namespace: + description: namespace of the pod that wrote the status + type: string + type: object + type: array + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io + labels: + addonmanager.kubernetes.io/mode: Reconcile +spec: + group: secrets-store.csi.x-k8s.io + names: + kind: SecretProviderClassPodStatus + listKind: SecretProviderClassPodStatusList + plural: secretproviderclasspodstatuses + singular: secretproviderclasspodstatus + preserveUnknownFields: false + scope: Namespaced + 
validation: + openAPIV3Schema: + description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: SecretProviderClassPodStatusStatus defines the observed state + of SecretProviderClassPodStatus + properties: + mounted: + type: boolean + podName: + type: string + podUID: + type: string + secretProviderClassName: + type: string + targetPath: + type: string type: object type: object version: v1alpha1 @@ -167,6 +335,7 @@ spec: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" + - "--metrics-addr=:8080" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock @@ -212,6 +381,7 @@ spec: - --csi-address=/csi/csi.sock - --probe-timeout=3s - --health-port=9808 + - -v=2 volumeMounts: - name: plugin-dir mountPath: /csi @@ -242,6 +412,14 @@ spec: nodeSelector: kubernetes.io/os: linux --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-secrets-store-provider-azure + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: Reconcile +--- apiVersion: apps/v1 kind: DaemonSet metadata: 
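Review bot: `--metrics-addr=:8080` makes the driver listen on all interfaces on port 8080, but the hunk does not declare the port under the container's `ports:` and the pod spec (outside the hunk) is not visible here, so if the DaemonSet uses `hostNetwork` the metrics endpoint becomes reachable on every node's address. Declare it explicitly, e.g. `ports:` / `- containerPort: 8080` / `  name: metrics`, so it is discoverable for scraping and can be targeted by a NetworkPolicy, and consider binding to the pod IP rather than `:8080` if host networking is in use. The container spec starts before this hunk.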
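Review bot: The new `csi-secrets-store-provider-azure` ServiceAccount has no Role or ClusterRole bound to it anywhere in this diff, and the provider DaemonSet (the `@@ -261,7 +439,7 @@` hunk) is switched onto it. If the provider does not call the Kubernetes API, which I cannot confirm from here, add `automountServiceAccountToken: false` to the ServiceAccount so an unused token is not mounted into a pod that already handles key-vault credentials; if it does need API access, the missing binding belongs in the same change.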
@@ -261,7 +439,7 @@ spec:
 labels:
 app: csi-secrets-store-provider-azure
 spec:
- tolerations:
+ serviceAccountName: csi-secrets-store-provider-azure
 containers:
 - name: provider-azure-installer
 image: {{ContainerImage "provider-azure-installer"}}
diff --git a/pkg/api/k8s_versions.go b/pkg/api/k8s_versions.go
index 3ff4d3b479..617c3bbf71 100644
--- a/pkg/api/k8s_versions.go
+++ b/pkg/api/k8s_versions.go
@@ -36,7 +36,7 @@ const (
 nodeProblemDetectorImageReference string = "k8s.gcr.io/node-problem-detector:v0.8.2"
 csiProvisionerImageReference string = "oss/kubernetes-csi/csi-provisioner:v1.5.0"
 csiAttacherImageReference string = "oss/kubernetes-csi/csi-attacher:v1.2.0"
- csiLivenessProbeImageReference string = "oss/kubernetes-csi/livenessprobe:v1.1.0"
+ csiLivenessProbeImageReference string = "oss/kubernetes-csi/livenessprobe:v2.0.0"
 csiLivenessProbeWindowsImageReference string = "oss/kubernetes-csi/livenessprobe:v2.0.1-alpha.1-windows-1809-amd64"
 csiNodeDriverRegistrarImageReference string = "oss/kubernetes-csi/csi-node-driver-registrar:v1.2.0"
 csiNodeDriverRegistrarWindowsImageReference string = "oss/kubernetes-csi/csi-node-driver-registrar:v1.2.1-alpha.1-windows-1809-amd64"
@@ -57,8 +57,8 @@ const (
 virtualKubeletImageReference string = "virtual-kubelet:latest"
 azureCNINetworkMonitorImageReference string = "networkmonitor:v0.0.8"
 tillerImageReference string = "oss/kubernetes/tiller:v2.13.1"
- csiSecretsStoreProviderAzureImageReference string = "k8s/csi/secrets-store/provider-azure:0.0.6"
- csiSecretsStoreDriverImageReference string = "k8s/csi/secrets-store/driver:v0.0.11"
+ csiSecretsStoreProviderAzureImageReference string = "k8s/csi/secrets-store/provider-azure:0.0.8"
+ csiSecretsStoreDriverImageReference string = "k8s/csi/secrets-store/driver:v0.0.13"
 clusterProportionalAutoscalerImageReference string = "mcr.microsoft.com/oss/kubernetes/autoscaler/cluster-proportional-autoscaler:1.7.1"
 azureArcOnboardingImageReference string = "arck8sonboarding.azurecr.io/arck8sonboarding:v0.1.0"
 )
diff --git a/pkg/engine/templates_generated.go b/pkg/engine/templates_generated.go
index e14bd4ba72..4b039cc85b 100644
--- a/pkg/engine/templates_generated.go
+++ b/pkg/engine/templates_generated.go
@@ -17401,6 +17401,42 @@ metadata: addonmanager.kubernetes.io/mode: Reconcile --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secretproviderclasses-role + labels: + addonmanager.kubernetes.io/mode: Reconcile +rules: +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + verbs: + - get + - list + - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasspodstatuses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasspodstatuses/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: secretproviderclasses-rolebinding 
@@ -17418,21 +17454,44 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: secretproviderclasses-role + name: secretprovidersyncing-role labels: addonmanager.kubernetes.io/mode: Reconcile rules: - apiGroups: - - secrets-store.csi.x-k8s.io + - "" resources: - - secretproviderclasses + - secrets verbs: + - create + - delete - get - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secretprovidersyncing-rolebinding + labels: + addonmanager.kubernetes.io/mode: Reconcile +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidersyncing-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: kube-system --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null name: secretproviderclasses.secrets-store.csi.x-k8s.io labels: addonmanager.kubernetes.io/mode: Reconcile @@ -17443,7 +17502,8 @@ spec: listKind: SecretProviderClassList plural: secretproviderclasses singular: secretproviderclass - scope: "" + preserveUnknownFields: false + scope: Namespaced validation: openAPIV3Schema: description: SecretProviderClass is the Schema for the secretproviderclasses 
@@ -17452,12 +17512,12 @@ spec: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object 
@@ -17472,9 +17532,117 @@ spec: provider: description: Configuration for provider name type: string + secretObjects: + items: + description: SecretObject defines the desired state of synced K8s + secret objects + properties: + data: + items: + description: SecretObjectData defines the desired state of synced + K8s secret object data + properties: + key: + description: data field to populate + type: string + objectName: + description: name of the object to sync + type: string + type: object + type: array + labels: + additionalProperties: + type: string + description: labels of K8s secret object + type: object + secretName: + description: name of the K8s secret object + type: string + type: + description: type of K8s secret object + type: string + type: object + type: array type: object status: description: SecretProviderClassStatus defines the observed state of SecretProviderClass + properties: + byPod: + items: + description: ByPodStatus defines the state of SecretProviderClass + as seen by an individual controller + properties: + id: + description: id of the pod that wrote the status + type: string + namespace: + description: namespace of the pod that wrote the status + type: string + type: object + type: array + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.3.0 + creationTimestamp: null + name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io + labels: + addonmanager.kubernetes.io/mode: Reconcile +spec: + group: secrets-store.csi.x-k8s.io + names: + kind: SecretProviderClassPodStatus + listKind: SecretProviderClassPodStatusList + plural: secretproviderclasspodstatuses + singular: secretproviderclasspodstatus + preserveUnknownFields: false + scope: Namespaced 
+ validation: + openAPIV3Schema: + description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: SecretProviderClassPodStatusStatus defines the observed state + of SecretProviderClassPodStatus + properties: + mounted: + type: boolean + podName: + type: string + podUID: + type: string + secretProviderClassName: + type: string + targetPath: + type: string type: object type: object version: v1alpha1 @@ -17549,6 +17717,7 @@ spec: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" + - "--metrics-addr=:8080" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock @@ -17594,6 +17763,7 @@ spec: - --csi-address=/csi/csi.sock - --probe-timeout=3s - --health-port=9808 + - -v=2 volumeMounts: - name: plugin-dir mountPath: /csi @@ -17624,6 +17794,14 @@ spec: nodeSelector: kubernetes.io/os: linux --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: csi-secrets-store-provider-azure + namespace: kube-system + labels: + addonmanager.kubernetes.io/mode: Reconcile +--- apiVersion: apps/v1 kind: DaemonSet metadata: 
@@ -17643,7 +17821,7 @@ spec: labels: app: csi-secrets-store-provider-azure spec: - tolerations: + serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer image: {{ContainerImage "provider-azure-installer"}}
diff --git a/vhd/packer/install-dependencies.sh b/vhd/packer/install-dependencies.sh
index ec7d66dff8..6ce1a95b3a 100644
--- a/vhd/packer/install-dependencies.sh
+++ b/vhd/packer/install-dependencies.sh
@@ -472,7 +472,7 @@ for CSI_PROVISIONER_VERSION in ${CSI_PROVISIONER_VERSIONS}; do
 done
 LIVENESSPROBE_VERSIONS="
-1.1.0
+2.0.0
 "
 for LIVENESSPROBE_VERSION in ${LIVENESSPROBE_VERSIONS}; do
 CONTAINER_IMAGE="mcr.microsoft.com/oss/kubernetes-csi/livenessprobe:v${LIVENESSPROBE_VERSION}"
@@ -518,7 +518,7 @@ for NODE_PROBLEM_DETECTOR_VERSION in ${NODE_PROBLEM_DETECTOR_VERSIONS}; do
 done
 CSI_SECRETS_STORE_PROVIDER_AZURE_VERSIONS="
-0.0.6
+0.0.8
 "
 for CSI_SECRETS_STORE_PROVIDER_AZURE_VERSION in ${CSI_SECRETS_STORE_PROVIDER_AZURE_VERSIONS}; do
 CONTAINER_IMAGE="mcr.microsoft.com/k8s/csi/secrets-store/provider-azure:${CSI_SECRETS_STORE_PROVIDER_AZURE_VERSION}"
@@ -527,7 +527,7 @@ for CSI_SECRETS_STORE_PROVIDER_AZURE_VERSION in ${CSI_SECRETS_STORE_PROVIDER_AZU
 done
 CSI_SECRETS_STORE_DRIVER_VERSIONS="
-0.0.11
+0.0.13
 "
 for CSI_SECRETS_STORE_DRIVER_VERSION in ${CSI_SECRETS_STORE_DRIVER_VERSIONS}; do
 CONTAINER_IMAGE="mcr.microsoft.com/k8s/csi/secrets-store/driver:v${CSI_SECRETS_STORE_DRIVER_VERSION}"