feat: require RequiresRepublish for rotation

Remove the rotation controller and rely exclusively on RequiresRepublish for secret rotation.

All supported k8s versions have RequiresRepublish support enabled by default.

Resolves: #585

The flags will be no-ops in this and removed in 1.5+.

Makefile

@@ -411,9 +411,9 @@ e2e-deploy-manifest:
 	kubectl apply -f manifest_staging/deploy/role-secretproviderclasses-admin.yaml
 	kubectl apply -f manifest_staging/deploy/role-secretproviderclasses-viewer.yaml
 
-	yq e '(.spec.template.spec.containers[1].image = "$(IMAGE_TAG)") | (.spec.template.spec.containers[1].args as $$x | $$x += "--enable-secret-rotation=true" | $$x[-1] style="double") | (.spec.template.spec.containers[1].args as $$x | $$x += "--rotation-poll-interval=30s" | $$x[-1] style="double")' 'manifest_staging/deploy/secrets-store-csi-driver.yaml' | kubectl apply -f -
+	yq e '(.spec.template.spec.containers[1].image = "$(IMAGE_TAG)")' 'manifest_staging/deploy/secrets-store-csi-driver.yaml' | kubectl apply -f -
 
-	yq e '(.spec.template.spec.containers[1].args as $$x | $$x += "--enable-secret-rotation=true" | $$x[-1] style="double") | (.spec.template.spec.containers[1].args as $$x | $$x += "--rotation-poll-interval=30s" | $$x[-1] style="double")' 'manifest_staging/deploy/secrets-store-csi-driver-windows.yaml' | kubectl apply -f -
+	yq e '' 'manifest_staging/deploy/secrets-store-csi-driver-windows.yaml' | kubectl apply -f -
 
 .PHONY: e2e-helm-deploy
 e2e-helm-deploy:
@@ -430,8 +430,6 @@ e2e-helm-deploy:
 		--set windows.enabled=true \
 		--set linux.enabled=true \
 		--set syncSecret.enabled=true \
-		--set enableSecretRotation=true \
-		--set rotationPollInterval=30s \
 		--set tokenRequests[0].audience="aud1" \
 		--set tokenRequests[1].audience="aud2"
 
@@ -517,22 +515,6 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE)
 	@sed -i '1s/^/{{ if .Values.syncSecret.enabled }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret.yaml
 	@sed -i '1s/^/{{ if .Values.syncSecret.enabled }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml
 
-	# Generate rotation specific RBAC
-	$(CONTROLLER_GEN) rbac:roleName=secretproviderrotation-role paths="./pkg/rotation" output:dir=config/rbac-rotation
-	$(KUSTOMIZE) build config/rbac-rotation -o manifest_staging/deploy/rbac-secretproviderrotation.yaml
-	cp config/rbac-rotation/role.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation.yaml
-	cp config/rbac-rotation/role_binding.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
-	@sed -i '1s/^/{{ if .Values.enableSecretRotation }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation.yaml
-	@sed -i '1s/^/{{ if .Values.enableSecretRotation }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
-
-	# Generate token requests specific RBAC
-	$(CONTROLLER_GEN) rbac:roleName=secretprovidertokenrequest-role paths="./controllers/tokenrequest" output:dir=config/rbac-tokenrequest
-	$(KUSTOMIZE) build config/rbac-tokenrequest -o manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml
-	cp config/rbac-tokenrequest/role.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
-	cp config/rbac-tokenrequest/role_binding.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
-	@sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
-	@sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
-
 .PHONY: generate-protobuf
 generate-protobuf: $(PROTOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) # generates protobuf
 	@PATH=$(PATH):$(TOOLS_BIN_DIR) $(PROTOC) -I . provider/v1alpha1/service.proto --go-grpc_out=require_unimplemented_servers=false:. --go_out=.

cmd/secrets-store-csi-driver/main.go

@@ -28,9 +28,7 @@ import (
 
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 	"sigs.k8s.io/secrets-store-csi-driver/controllers"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/metrics"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/rotation"
 	secretsstore "sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/version"
 
@@ -40,7 +38,6 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	logsapi "k8s.io/component-base/logs/api/v1"
@@ -62,11 +59,12 @@ var (
 	// https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/823.
 	additionalProviderPaths = flag.String("additional-provider-volume-paths", "/etc/kubernetes/secrets-store-csi-providers", "Comma separated list of additional paths to communicate with providers")
 	metricsAddr             = flag.String("metrics-addr", ":8095", "The address the metric endpoint binds to")
-	enableSecretRotation    = flag.Bool("enable-secret-rotation", false, "Enable secret rotation feature [alpha]")
-	rotationPollInterval    = flag.Duration("rotation-poll-interval", 2*time.Minute, "Secret rotation poll interval duration")
-	enableProfile           = flag.Bool("enable-pprof", false, "enable pprof profiling")
-	profilePort             = flag.Int("pprof-port", 6065, "port for pprof profiling")
-	maxCallRecvMsgSize      = flag.Int("max-call-recv-msg-size", 1024*1024*4, "maximum size in bytes of gRPC response from plugins")
+	// TODO: remove these flags in 1.5.
+	enableSecretRotation = flag.Bool("enable-secret-rotation", false, "Enable secret rotation feature [deprecated]")
+	_                    = flag.Duration("rotation-poll-interval", 2*time.Minute, "Secret rotation poll interval duration [deprecated]")
+	enableProfile        = flag.Bool("enable-pprof", false, "enable pprof profiling")
+	profilePort          = flag.Int("pprof-port", 6065, "port for pprof profiling")
+	maxCallRecvMsgSize   = flag.Int("max-call-recv-msg-size", 1024*1024*4, "maximum size in bytes of gRPC response from plugins")
 
 	// Enable optional healthcheck for provider clients that exist in memory
 	providerHealthCheck         = flag.Bool("provider-health-check", false, "Enable health check for configured providers")
@@ -190,29 +188,12 @@ func main() {
 		reconciler.RunPatcher(ctx)
 	}()
 
-	// token request client
-	kubeClient := kubernetes.NewForConfigOrDie(cfg)
-	tokenClient := k8s.NewTokenClient(kubeClient, *driverName, 10*time.Minute)
-	if err != nil {
-		klog.ErrorS(err, "failed to create token client")
-		os.Exit(1)
-	}
-	if err = tokenClient.Run(ctx.Done()); err != nil {
-		klog.ErrorS(err, "failed to run token client")
-		os.Exit(1)
-	}
-
 	// Secret rotation
 	if *enableSecretRotation {
-		rec, err := rotation.NewReconciler(mgr.GetCache(), scheme, *providerVolumePath, *nodeID, *rotationPollInterval, providerClients, tokenClient)
-		if err != nil {
-			klog.ErrorS(err, "failed to initialize rotation reconciler")
-			os.Exit(1)
-		}
-		go rec.Run(ctx.Done())
+		klog.Warning("--enable-secret-rotation and --rotation-poll-interval are deprecated, use RequiresRepublish instead.")
 	}
 
-	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, *providerVolumePath, providerClients, mgr.GetClient(), mgr.GetAPIReader(), tokenClient)
+	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, *providerVolumePath, providerClients, mgr.GetClient(), mgr.GetAPIReader())
 	driver.Run(ctx)
 }
 

config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:

config/crd/bases/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
 spec:

docs/book/src/topics/command-reference.md

@@ -15,8 +15,6 @@ The `secrets-store` container in the DaemonSet can be configured using the follo
 | `--provider-volume`                  | Volume path for provider                                               | `/etc/kubernetes/secrets-store-csi-providers` |
 | `--additional-provider-volume-paths` | Comma separated list of additional paths to communicate with providers | `/var/run/secrets-store-csi-providers`        |
 | `--metrics-addr`                     | The address the metric endpoint binds to                               | `:8095`                                       |
-| `--enable-secret-rotation`           | Enable secret rotation feature [alpha]                                 | `false`                                       |
-| `--rotation-poll-interval`           | Secret rotation poll interval duration                                 | `2m`                                            |
 | `--enable-pprof`                     | Enable pprof profiling                                                 | `false`                                       |
 | `--pprof-port`                       | Port for pprof profiling                                               | `6065`                                        |
 | `--max-call-recv-msg-size`           | Maximum size in bytes of gRPC response from plugins                    | `4194304`                                     |

manifest_staging/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:

manifest_staging/charts/secrets-store-csi-driver/crds/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
 spec:

manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret.yaml

@@ -5,8 +5,6 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretprovidersyncing-role
-  labels:
-{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

manifest_staging/charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml

@@ -3,8 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretprovidersyncing-rolebinding
-  labels:
-{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/role.yaml

@@ -5,8 +5,6 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretproviderclasses-role
-  labels:
-{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""
@@ -61,7 +59,7 @@ rules:
   - get
   - list
   - watch
-{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+{{- if .Values.rbac.pspEnabled }}
 - apiGroups:
   - policy
   resources:

manifest_staging/charts/secrets-store-csi-driver/templates/role_binding.yaml

@@ -3,8 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretproviderclasses-rolebinding
-  labels:
-{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml

@@ -74,12 +74,6 @@ spec:
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--provider-volume={{ .Values.windows.providersDir }}"
             - "--additional-provider-volume-paths={{ join "," .Values.windows.additionalProvidersDirs }}"
-            {{- if and (semverCompare ">= v0.0.15-0" .Values.windows.image.tag) .Values.enableSecretRotation }}
-            - "--enable-secret-rotation={{ .Values.enableSecretRotation }}"
-            {{- end }}
-            {{- if and (semverCompare ">= v0.0.15-0" .Values.windows.image.tag) .Values.rotationPollInterval }}
-            - "--rotation-poll-interval={{ .Values.rotationPollInterval }}"
-            {{- end }}
             - "--metrics-addr={{ .Values.windows.metricsAddr }}"
             {{- if and (semverCompare ">= v0.0.22-0" .Values.windows.image.tag) .Values.providerHealthCheck }}
             - "--provider-health-check={{ .Values.providerHealthCheck }}"

manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml

@@ -74,12 +74,6 @@ spec:
             - "--nodeid=$(KUBE_NODE_NAME)"
             - "--provider-volume={{ .Values.linux.providersDir }}"
             - "--additional-provider-volume-paths={{ join "," .Values.linux.additionalProvidersDirs }}"
-            {{- if and (semverCompare ">= v0.0.15-0" .Values.linux.image.tag) .Values.enableSecretRotation }}
-            - "--enable-secret-rotation={{ .Values.enableSecretRotation }}"
-            {{- end }}
-            {{- if and (semverCompare ">= v0.0.15-0" .Values.linux.image.tag) .Values.rotationPollInterval }}
-            - "--rotation-poll-interval={{ .Values.rotationPollInterval }}"
-            {{- end }}
             - "--metrics-addr={{ .Values.linux.metricsAddr }}"
             {{- if and (semverCompare ">= v0.0.22-0" .Values.linux.image.tag) .Values.providerHealthCheck }}
             - "--provider-health-check={{ .Values.providerHealthCheck }}"

manifest_staging/charts/secrets-store-csi-driver/templates/serviceaccount.yaml

@@ -4,6 +4,5 @@ kind: ServiceAccount
 metadata:
   name: secrets-store-csi-driver
   namespace: {{ .Release.Namespace }}
-  labels:
-{{ include "sscd.labels" . | indent 4 }}
+{{ include "sscd.labels" . | indent 2 }}
 {{ end }}

manifest_staging/deploy/secrets-store-csi-driver.yaml

@@ -51,8 +51,6 @@ spec:
             - "--provider-volume=/var/run/secrets-store-csi-providers"
             - "--additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers"
             - "--metrics-addr=:8095"
-            - "--enable-secret-rotation=false"
-            - "--rotation-poll-interval=2m"
             - "--provider-health-check=false"
             - "--provider-health-check-interval=2m"
           env:

manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasses.secrets-store.csi.x-k8s.io
 spec:

manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.9.0
+    controller-gen.kubebuilder.io/version: v0.10.0
   creationTimestamp: null
   name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
 spec: