diff --git a/Makefile b/Makefile index 5d7263f3a..7ecded7b8 100644 --- a/Makefile +++ b/Makefile @@ -25,7 +25,7 @@ REGISTRY ?= gcr.io/k8s-staging-csi-secrets-store IMAGE_NAME ?= driver # Release version is the current supported release for the driver # Update this version when the helm chart is being updated for release -RELEASE_VERSION := v0.0.20 +RELEASE_VERSION := v0.0.21 IMAGE_VERSION ?= v0.0.21 # Use a custom version for E2E tests if we are testing in CI ifdef CI @@ -293,7 +293,7 @@ e2e-helm-deploy: e2e-helm-deploy-release: set -x; \ current_release=$(shell (echo ${RELEASE_VERSION} | sed s/"v"//)); \ - helm install csi charts/secrets-store-csi-driver-$${current_release}.tgz --namespace default --wait --timeout=15m -v=5 --debug \ + helm install csi-secrets-store charts/secrets-store-csi-driver-$${current_release}.tgz --namespace default --wait --timeout=15m -v=5 --debug \ --set linux.image.pullPolicy="IfNotPresent" \ --set windows.image.pullPolicy="IfNotPresent" \ --set windows.enabled=true \ diff --git a/charts/index.yaml b/charts/index.yaml index 7a6556790..c1eb54e3b 100644 --- a/charts/index.yaml +++ b/charts/index.yaml @@ -1,6 +1,22 @@ apiVersion: v1 entries: secrets-store-csi-driver: + - apiVersion: v1 + appVersion: 0.0.21 + created: "2021-04-01T09:50:24.248603-07:00" + description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster. + digest: cab95625686b388faa1e298dc913a14c5b28ffff7888074664e98dc392c94814 + icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png + kubeVersion: '>=1.16.0-0' + maintainers: + - email: ritazh@microsoft.com + name: Rita Zhang + name: secrets-store-csi-driver + sources: + - https://github.com/kubernetes-sigs/secrets-store-csi-driver + urls: + - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.21.tgz + version: 0.0.21 - apiVersion: v1 appVersion: 0.0.20 created: "2021-02-18T11:02:39.04869-08:00" 
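Review bot: The new `helm install csi-secrets-store charts/secrets-store-csi-driver-$${current_release}.tgz` line in `e2e-helm-deploy-release` installs a packaged chart that this same commit adds as an opaque binary, and nothing in the recipe checks it against the `digest` recorded for 0.0.21 in `charts/index.yaml`. Because the archive cannot be reviewed as a diff, a check ahead of the install would catch a package that does not match the index, for example `grep -q "$$(sha256sum charts/secrets-store-csi-driver-$${current_release}.tgz | cut -d' ' -f1)" charts/index.yaml || exit 1; \`. The release is also renamed from `csi` to `csi-secrets-store`, so any other target or test that still refers to the old release name (none is visible in this hunk) would need the same rename. The recipe continues past the end of the hunk.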
@@ -193,4 +209,4 @@ entries: urls: - https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts/secrets-store-csi-driver-0.0.9.tgz version: 0.0.9 -generated: "2021-02-18T11:02:39.046817-08:00" +generated: "2021-04-01T09:50:24.246699-07:00" diff --git a/charts/secrets-store-csi-driver-0.0.21.tgz b/charts/secrets-store-csi-driver-0.0.21.tgz new file mode 100644 index 000000000..f5d6fad16 Binary files /dev/null and b/charts/secrets-store-csi-driver-0.0.21.tgz differ diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml index f092edbdd..74e64172e 100644 --- a/charts/secrets-store-csi-driver/Chart.yaml +++ b/charts/secrets-store-csi-driver/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: secrets-store-csi-driver -version: 0.0.20 -appVersion: 0.0.20 +version: 0.0.21 +appVersion: 0.0.21 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster. icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md index d8a190e00..4ea53fe16 100644 --- a/charts/secrets-store-csi-driver/README.md +++ b/charts/secrets-store-csi-driver/README.md 
@@ -25,7 +25,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` | | `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `linux.image.pullPolicy` | Linux image pull policy | `Always` | -| `linux.image.tag` | Linux image tag | `v0.0.20` | +| `linux.image.tag` | Linux image tag | `v0.0.21` | | `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` | | `linux.enabled` | Install secrets store csi driver on linux nodes | true | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | @@ -50,7 +50,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` | | `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Windows image tag | `v0.0.20` | +| `windows.image.tag` | Windows image tag | `v0.0.21` | | `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` | | `windows.enabled` | Install secrets store csi driver on windows nodes | false | | `windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -80,6 +80,6 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `rbac.install` | Install default rbac roles and bindings | true | | `syncSecret.enabled` | Enable rbac roles and bindings required for syncing to Kubernetes native secrets (the default will change to false after v0.0.14) | true | | `minimumProviderVersions` | [**DEPRECATED**] A comma delimited list of key-value pairs of minimum provider versions with driver | `""` | -| `grpcSupportedProviders` | A `;` delimited list of providers that support grpc for driver-provider | `"gcp;azure;vault;"` | | `enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | | `rotationPollInterval` | Secret rotation poll interval duration | `"120s"` | +| `filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true` | `false` | diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml index 94065992a..1c915a83d 100644 --- a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml +++ b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml @@ -66,9 +66,6 @@ spec: {{- if and (semverCompare ">= v0.0.9-0" .Values.windows.image.tag) .Values.minimumProviderVersions }} - "--min-provider-version={{ .Values.minimumProviderVersions }}" {{- end }} - {{- if and (semverCompare ">= v0.0.14-0" .Values.windows.image.tag) .Values.grpcSupportedProviders }} - - "--grpc-supported-providers={{ .Values.grpcSupportedProviders }}" - {{- end }} {{- if and (semverCompare ">= v0.0.15-0" .Values.windows.image.tag) .Values.enableSecretRotation }} - "--enable-secret-rotation={{ .Values.enableSecretRotation }}" {{- end }} 
@@ -76,6 +73,9 @@ spec: - "--rotation-poll-interval={{ .Values.rotationPollInterval }}" {{- end }} - "--metrics-addr={{ .Values.windows.metricsAddr }}" + {{- if and (semverCompare ">= v0.0.21-0" .Values.windows.image.tag) .Values.filteredWatchSecret }} + - "--filtered-watch-secret={{ .Values.filteredWatchSecret }}" + {{- end }} env: {{- with .Values.windows.env }} {{- toYaml . | nindent 10 }} diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml index 3d6886919..277b1814a 100644 --- a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml +++ b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml @@ -66,9 +66,6 @@ spec: {{- if and (semverCompare ">= v0.0.8-0" .Values.linux.image.tag) .Values.minimumProviderVersions }} - "--min-provider-version={{ .Values.minimumProviderVersions }}" {{- end }} - {{- if and (semverCompare ">= v0.0.14-0" .Values.linux.image.tag) .Values.grpcSupportedProviders }} - - "--grpc-supported-providers={{ .Values.grpcSupportedProviders }}" - {{- end }} {{- if and (semverCompare ">= v0.0.15-0" .Values.linux.image.tag) .Values.enableSecretRotation }} - "--enable-secret-rotation={{ .Values.enableSecretRotation }}" {{- end }} @@ -76,6 +73,9 @@ spec: - "--rotation-poll-interval={{ .Values.rotationPollInterval }}" {{- end }} - "--metrics-addr={{ .Values.linux.metricsAddr }}" + {{- if and (semverCompare ">= v0.0.21-0" .Values.linux.image.tag) .Values.filteredWatchSecret }} + - "--filtered-watch-secret={{ .Values.filteredWatchSecret }}" + {{- end }} env: {{- with .Values.linux.env }} {{- toYaml . | nindent 10 }} diff --git a/charts/secrets-store-csi-driver/values.yaml b/charts/secrets-store-csi-driver/values.yaml index 210a4877b..f6ecda509 100644 --- a/charts/secrets-store-csi-driver/values.yaml +++ b/charts/secrets-store-csi-driver/values.yaml 
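Review bot: The guard `and (semverCompare ">= v0.0.21-0" .Values.windows.image.tag) .Values.filteredWatchSecret` renders `--filtered-watch-secret` only when the value is truthy, so `filteredWatchSecret: false` produces no argument at all and the driver's built-in default decides. docs/book/src/load-tests.md in this commit states that the default becomes `true` in `v0.0.25`; from then on the chart value could no longer switch the filter off, and the rendered manifest would not show which secret-watch scope is in effect. Dropping the truthiness test keeps the setting explicit: `{{- if semverCompare ">= v0.0.21-0" .Values.windows.image.tag }}`. The same guard is added in the Linux template hunk (with `.Values.linux.image.tag`) later on this line; the `args:` list starts outside both hunks.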
@@ -2,7 +2,7 @@ linux: enabled: true image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v0.0.20 + tag: v0.0.21 pullPolicy: Always driver: @@ -63,7 +63,7 @@ windows: enabled: false image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v0.0.20 + tag: v0.0.21 pullPolicy: IfNotPresent driver: @@ -144,11 +144,11 @@ syncSecret: ## e.g. provider1=0.0.2,provider2=0.0.3 minimumProviderVersions: -## ; delimited list of providers that support grpc for driver-provider [alpha] -grpcSupportedProviders: gcp;azure;vault; - ## Enable secret rotation feature [alpha] enableSecretRotation: false ## Secret rotation poll interval duration rotationPollInterval: + +## Filtered watch nodePublishSecretRef secrets +filteredWatchSecret: false diff --git a/deploy/csidriver-1.15.yaml b/deploy/csidriver-1.15.yaml deleted file mode 100644 index e6f4dc4dd..000000000 --- a/deploy/csidriver-1.15.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: storage.k8s.io/v1beta1 -kind: CSIDriver -metadata: - name: secrets-store.csi.k8s.io -spec: - podInfoOnMount: true - attachRequired: false diff --git a/deploy/secrets-store-csi-driver-windows.yaml b/deploy/secrets-store-csi-driver-windows.yaml index 6129d0137..92e0d839e 100644 --- a/deploy/secrets-store-csi-driver-windows.yaml +++ b/deploy/secrets-store-csi-driver-windows.yaml @@ -42,15 +42,15 @@ spec: cpu: 10m memory: 20Mi - name: secrets-store - image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 + image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21 args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=C:\\k\\secrets-store-csi-providers" - "--metrics-addr=:8095" - - "--grpc-supported-providers=azure;" - "--enable-secret-rotation=false" - "--rotation-poll-interval=2m" + - "--filtered-watch-secret=false" env: - name: CSI_ENDPOINT value: unix://C:\\csi\\csi.sock diff --git a/deploy/secrets-store-csi-driver.yaml b/deploy/secrets-store-csi-driver.yaml index 73b6a4132..8c7050c7a 100644 
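Review bot: In the `@@ -144,11 +144,11 @@` hunk of values.yaml, the comment `## Filtered watch nodePublishSecretRef secrets` above `filteredWatchSecret: false` does not say what the option depends on. The README row added in this commit says the filter applies to secrets labelled `secrets-store.csi.k8s.io/used=true`, so an operator presumably has to label existing `nodePublishSecretRef` secrets before turning it on. Suggested comment: `## Enable filtered watch: only nodePublishSecretRef secrets labelled secrets-store.csi.k8s.io/used=true are watched and cached (label them before enabling)`.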
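Review bot: The new `image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21` line in deploy/secrets-store-csi-driver-windows.yaml references the driver by tag only, and a tag can be re-pointed in the registry without any change to this manifest. For the secrets-store driver container, adding the digest next to the tag makes the deployed image verifiable: `image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21@sha256:<digest-of-the-released-image>` (placeholder, to be taken from the release). The same tag-only reference appears in deploy/secrets-store-csi-driver.yaml and in both manifest_staging/deploy manifests in this commit. The container spec starts and ends outside the hunk.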
--- a/deploy/secrets-store-csi-driver.yaml +++ b/deploy/secrets-store-csi-driver.yaml @@ -42,15 +42,15 @@ spec: cpu: 10m memory: 20Mi - name: secrets-store - image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 + image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21 args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" - "--metrics-addr=:8095" - - "--grpc-supported-providers=gcp;azure;vault;" - "--enable-secret-rotation=false" - "--rotation-poll-interval=2m" + - "--filtered-watch-secret=false" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock diff --git a/docs/book/src/load-tests.md b/docs/book/src/load-tests.md index 163f3d829..fa3c77b2e 100644 --- a/docs/book/src/load-tests.md +++ b/docs/book/src/load-tests.md 
@@ -61,7 +61,7 @@ As of Secrets Store CSI Driver `v0.0.21`, the memory consumption for the driver If the secret rotation feature is enabled and filtered secret watch is not enabled, it'll cache Kubernetes secrets across all namespaces. To only cache the secrets with the above 2 labels: 1. Label all existing `nodePublishSecretRef` secrets with `secrets-store.csi.k8s.io/used=true` by running `kubectl label secret secrets-store.csi.k8s.io/used=true`. -2. Enable filtered secret watch by setting `--filtered-secret-watch=true` in `secrets-store` container or via helm using `--set filteredSecretWatch=true`. +2. Enable filtered secret watch by setting `--filtered-watch-secret=true` in `secrets-store` container or via helm using `--set filteredWatchSecret=true`. -**NOTE:** `--filtered-secret-watch=true` will be enabled by default in n+3 releases (`v0.0.25`). Please take the necessary action to label the `nodePublishSecretRef` secrets with the `secrets-store.csi.k8s.io/used=true` label. +**NOTE:** `--filtered-watch-secret=true` will be enabled by default in n+3 releases (`v0.0.25`). Please take the necessary action to label the `nodePublishSecretRef` secrets with the `secrets-store.csi.k8s.io/used=true` label. diff --git a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml index f092edbdd..74e64172e 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml +++ b/manifest_staging/charts/secrets-store-csi-driver/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: secrets-store-csi-driver -version: 0.0.20 -appVersion: 0.0.20 +version: 0.0.21 +appVersion: 0.0.21 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster. icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png 
diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md index b162f76f1..4ea53fe16 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/README.md +++ b/manifest_staging/charts/secrets-store-csi-driver/README.md @@ -25,7 +25,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `fullnameOverride` | String to fully override secrets-store-csi-driver.fullname template with a string | `""` | | `linux.image.repository` | Linux image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `linux.image.pullPolicy` | Linux image pull policy | `Always` | -| `linux.image.tag` | Linux image tag | `v0.0.20` | +| `linux.image.tag` | Linux image tag | `v0.0.21` | | `linux.driver.resources` | The resource request/limits for the linux secrets-store container image | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi` | | `linux.enabled` | Install secrets store csi driver on linux nodes | true | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | @@ -50,7 +50,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` | | `windows.image.repository` | Windows image repository | `k8s.gcr.io/csi-secrets-store/driver` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Windows image tag | `v0.0.20` | +| `windows.image.tag` | Windows image tag | `v0.0.21` | | `windows.driver.resources` | The resource request/limits for the windows secrets-store container image | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi` | | `windows.enabled` | Install secrets store csi driver on windows nodes | false | | `windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml index b5c1650f6..f6ecda509 100644 --- a/manifest_staging/charts/secrets-store-csi-driver/values.yaml +++ b/manifest_staging/charts/secrets-store-csi-driver/values.yaml @@ -2,7 +2,7 @@ linux: enabled: true image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v0.0.20 + tag: v0.0.21 pullPolicy: Always driver: @@ -63,7 +63,7 @@ windows: enabled: false image: repository: k8s.gcr.io/csi-secrets-store/driver - tag: v0.0.20 + tag: v0.0.21 pullPolicy: IfNotPresent driver: diff --git a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml index 09c0b0b61..92e0d839e 100644 --- a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml +++ b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml @@ -42,7 +42,7 @@ spec: cpu: 10m memory: 20Mi - name: secrets-store - image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 + image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21 args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" @@ -50,7 +50,7 @@ spec: - "--metrics-addr=:8095" - "--enable-secret-rotation=false" - "--rotation-poll-interval=2m" - - "--filtered-secret-watch=false" + - "--filtered-watch-secret=false" env: - name: CSI_ENDPOINT value: unix://C:\\csi\\csi.sock diff --git a/manifest_staging/deploy/secrets-store-csi-driver.yaml b/manifest_staging/deploy/secrets-store-csi-driver.yaml index bde860251..8c7050c7a 100644 --- a/manifest_staging/deploy/secrets-store-csi-driver.yaml +++ b/manifest_staging/deploy/secrets-store-csi-driver.yaml @@ -42,7 +42,7 @@ spec: cpu: 10m memory: 20Mi - name: secrets-store - image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 + image: k8s.gcr.io/csi-secrets-store/driver:v0.0.21 args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" 
@@ -50,7 +50,7 @@ spec: - "--metrics-addr=:8095" - "--enable-secret-rotation=false" - "--rotation-poll-interval=2m" - - "--filtered-secret-watch=false" + - "--filtered-watch-secret=false" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock