add envFrom to container specs; sanitize comment with account info

[jebbens]

Is this a bug fix or adding new feature?
Adding envFrom property to container specs in the controller, node, and values templates. Sanitize comment related to EKS IRSA in the serviceaccount-csi-controller template.

What is this PR about? / Why do we need it?
envFrom provides a simple way to reference configMaps across multiple resources. Sanitizing the comment in the template removes sensitive AWS account information and also makes the value more generic.

What testing is done?
Deployed the AWS EBS CSI driver using Helm with these changes made to the templates and referencing a configMap with values for http/s_proxy and no_proxy, and successfully ran a test using the dynamic provisioning example.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: jebbens (e845401)

[k8s-ci-robot]

Welcome @jebbens!

It looks like this is your first PR to kubernetes-sigs/aws-ebs-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-ebs-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @jebbens. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[torredil]

/ok-to-test

[torredil]

Can you bump up the Helm chart version here and update the CHANGELOG?

Rendered Helm chart, lgtm. Thanks for your contribution.

• values.yaml

controller:
  # If arbitrary args like "--aws-sdk-debug-log=true" need to be passed, use this value
  additionalArgs: []
  affinity: {}
  # The default filesystem type of the volume to provision when fstype is unspecified in the StorageClass.
  # If the default is not set and fstype is unset in the StorageClass, then no fstype will be set
  defaultFsType: ext4
  env: []
  envFrom:
  - configMapRef:
      name: env-configmap
  # If set, add pv/pvc metadata to plugin create requests as parameters.
  extraCreateMetadata: true

• $ helm template ./ | grep -A 20 envFrom

          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: kubelet-dir
              mountPath: /var/lib/kubelet
              mountPropagation: "Bidirectional"
            - name: plugin-dir
              mountPath: /csi
            - name: device-dir
              mountPath: /dev
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
--
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
        - name: liveness-probe
          image: k8s.gcr.io/sig-storage/livenessprobe:v2.5.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
      volumes:
        - name: kubelet-dir
          hostPath:
            path: /var/lib/kubelet
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/ebs.csi.aws.com/
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: device-dir
          hostPath:
--
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
          ports:
            - name: healthz
              containerPort: 9808
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10
            timeoutSeconds: 3
            periodSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthz
--
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-attacher
          image: k8s.gcr.io/sig-storage/csi-attacher:v3.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --leader-election=true
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: csi-resizer
          image: k8s.gcr.io/sig-storage/csi-resizer:v1.4.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=$(ADDRESS)
            - --v=2
            - --handle-volume-inuse-error=false
          env:
            - name: ADDRESS
              value: /var/lib/csi/sockets/pluginproxy/csi.sock
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: socket-dir
              mountPath: /var/lib/csi/sockets/pluginproxy/
        - name: liveness-probe
          image: k8s.gcr.io/sig-storage/livenessprobe:v2.5.0
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
          envFrom:
            - configMapRef:
                name: env-configmap
          volumeMounts:
            - name: socket-dir
              mountPath: /csi
      volumes:
        - name: socket-dir
          emptyDir: {}

[torredil]

Can you include a comment here for clarity? Something like "envFrom provides a way to reference configMaps across multiple resources".

[jebbens]

Added "Use envFrom to reference ConfigMaps and Secrets across all containers in the deployment"

[torredil]

/lgtm
/hold

[rdpsin]

/lgtm

[gtxu]

/lgtm Thanks for the contribution @jebbens !

[torredil]

/approve
/unhold

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jebbens, torredil

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [torredil]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment