JankySolutions/infra
2
0
Fork 0
Code Issues Pull requests 5 Projects Releases Packages 12 Wiki Activity Actions

Add WIP secret store CSI driver with openbao

Browse source
This commit is contained in:
Finn 2024-09-09 10:02:04 -07:00
parent c4342647f0
commit d1a494e295
8 changed files with 837 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
helm/openbao/kustomization.yaml
View file

@ -20,6 +20,12 @@ helmCharts:
enabled: true
ui:
enabled: true
csi:
enabled: true
debug: true
agent:
image:
repository: quay.io/openbao/openbao
releaseName: openbao
version: 0.5.0
repo: https://openbao.github.io/openbao-helm

2
helm/render-all.sh
View file

@ -4,7 +4,7 @@ set -exuo pipefail
header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
# operators
for component in openbao external-secrets; do
for component in openbao external-secrets secrets-store-csi-driver; do
mkdir -p ../k8s/operators/${component}
echo "${header}" > ../k8s/operators/${component}/bundle.yaml
kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml

11
helm/secrets-store-csi-driver/kustomization.yaml Normal file
View file

@ -0,0 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: secrets-store-csi-driver
helmCharts:
- name: secrets-store-csi-driver
valuesInline:
syncSecret:
enabled: true
releaseName: secrets-store-csi-driver
version: v1.4.5
repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

1
k8s/operators/kustomization.yaml
View file

@ -6,3 +6,4 @@ resources:
- cert-manager
- openbao
- kube-prometheus
- secrets-store-csi-driver

205
k8s/operators/openbao/bundle.yaml
View file

@ -10,6 +10,41 @@ metadata:
name: openbao
namespace: openbao
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-role
namespace: openbao
rules:
- apiGroups:
- ""
resourceNames:
- openbao-csi-provider-hmac-key
resources:
- secrets
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
@ -33,6 +68,40 @@ rules:
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-clusterrole
rules:
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-rolebinding
namespace: openbao
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: openbao-csi-provider-role
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
@ -53,6 +122,23 @@ subjects:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: openbao-csi-provider-clusterrole
subjects:
- kind: ServiceAccount
name: openbao-csi-provider
namespace: openbao
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: openbao
@ -102,6 +188,29 @@ metadata:
namespace: openbao
---
apiVersion: v1
data:
config.hcl: |
vault {
"address" = "http://openbao.openbao.svc:8200"
}
cache {}
listener "unix" {
address = "/var/run/vault/agent.sock"
tls_disable = true
}
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
helm.sh/chart: openbao-0.4.0
name: openbao-csi-provider-agent-config
namespace: openbao
---
apiVersion: v1
kind: Service
metadata:
labels:
@ -388,6 +497,102 @@ spec:
app.kubernetes.io/name: openbao
component: server
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: openbao-csi-provider
name: openbao-csi-provider
namespace: openbao
spec:
selector:
matchLabels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao-csi-provider
template:
metadata:
labels:
app.kubernetes.io/instance: openbao
app.kubernetes.io/name: openbao-csi-provider
spec:
containers:
- args:
- --endpoint=/provider/vault.sock
- --debug=true
- --hmac-secret-name=openbao-csi-provider-hmac-key
env:
- name: VAULT_ADDR
value: unix:///var/run/vault/agent.sock
image: docker.io/hashicorp/vault-csi-provider:1.4.1
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 2
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
name: openbao-csi-provider
readinessProbe:
failureThreshold: 2
httpGet:
path: /health/ready
port: 8080
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
volumeMounts:
- mountPath: /provider
name: providervol
- mountPath: /var/run/vault
name: agent-unix-socket
- args:
- agent
- -config=/etc/vault/config.hcl
command:
- bao
env:
- name: VAULT_LOG_LEVEL
value: info
- name: VAULT_LOG_FORMAT
value: standard
image: quay.io/openbao/openbao:2.0.0-alpha20240329
imagePullPolicy: IfNotPresent
name: openbao-agent
ports:
- containerPort: 8200
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 100
volumeMounts:
- mountPath: /etc/vault/config.hcl
name: agent-config
readOnly: true
subPath: config.hcl
- mountPath: /var/run/vault
name: agent-unix-socket
serviceAccountName: openbao-csi-provider
volumes:
- hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
name: providervol
- configMap:
name: openbao-csi-provider-agent-config
name: agent-config
- emptyDir:
medium: Memory
name: agent-unix-socket
updateStrategy:
type: RollingUpdate
---
apiVersion: v1
kind: Pod
metadata:

603
k8s/operators/secrets-store-csi-driver/bundle.yaml Normal file
View file

@ -0,0 +1,603 @@
# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "2"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "1"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: secretproviderclasses-admin-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secretproviderclasses-role
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses/status
verbs:
- get
- patch
- update
- apiGroups:
- storage.k8s.io
resourceNames:
- secrets-store.csi.k8s.io
resources:
- csidrivers
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: secretproviderclasses-viewer-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
rbac.authorization.k8s.io/aggregate-to-view: "true"
name: secretproviderclasspodstatuses-viewer-role
rules:
- apiGroups:
- secrets-store.csi.x-k8s.io
resources:
- secretproviderclasspodstatuses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secretprovidersyncing-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "2"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-keep-crds
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "1"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-upgrade-crds
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- create
- update
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secretproviderclasses-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secretproviderclasses-role
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secretprovidersyncing-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secretprovidersyncing-role
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "2"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-keep-crds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secrets-store-csi-driver-keep-crds
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "1"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-upgrade-crds
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: secrets-store-csi-driver-upgrade-crds
subjects:
- kind: ServiceAccount
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver
namespace: secrets-store-csi-driver
spec:
selector:
matchLabels:
app: secrets-store-csi-driver
template:
metadata:
annotations:
kubectl.kubernetes.io/default-container: secrets-store
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: type
operator: NotIn
values:
- virtual-kubelet
containers:
- args:
- --v=5
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1
imagePullPolicy: IfNotPresent
name: node-driver-registrar
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- args:
- --endpoint=$(CSI_ENDPOINT)
- --nodeid=$(KUBE_NODE_NAME)
- --provider-volume=/var/run/secrets-store-csi-providers
- --additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers
- --metrics-addr=:8095
- --provider-health-check-interval=2m
- --max-call-recv-msg-size=4194304
env:
- name: CSI_ENDPOINT
value: unix:///csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: registry.k8s.io/csi-secrets-store/driver:v1.4.5
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: healthz
initialDelaySeconds: 30
periodSeconds: 15
timeoutSeconds: 10
name: secrets-store
ports:
- containerPort: 9808
name: healthz
protocol: TCP
- containerPort: 8095
name: metrics
protocol: TCP
resources:
limits:
cpu: 200m
memory: 200Mi
requests:
cpu: 50m
memory: 100Mi
securityContext:
privileged: true
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
name: mountpoint-dir
- mountPath: /var/run/secrets-store-csi-providers
name: providers-dir
- mountPath: /etc/kubernetes/secrets-store-csi-providers
name: providers-dir-0
- args:
- --csi-address=/csi/csi.sock
- --probe-timeout=3s
- --http-endpoint=0.0.0.0:9808
- -v=2
image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1
imagePullPolicy: IfNotPresent
name: liveness-probe
resources:
limits:
cpu: 100m
memory: 100Mi
requests:
cpu: 10m
memory: 20Mi
volumeMounts:
- mountPath: /csi
name: plugin-dir
nodeSelector:
kubernetes.io/os: linux
serviceAccountName: secrets-store-csi-driver
tolerations:
- operator: Exists
volumes:
- hostPath:
path: /var/lib/kubelet/pods
type: DirectoryOrCreate
name: mountpoint-dir
- hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
name: registration-dir
- hostPath:
path: /var/lib/kubelet/plugins/csi-secrets-store/
type: DirectoryOrCreate
name: plugin-dir
- hostPath:
path: /var/run/secrets-store-csi-providers
type: DirectoryOrCreate
name: providers-dir
- hostPath:
path: /etc/kubernetes/secrets-store-csi-providers
type: DirectoryOrCreate
name: providers-dir-0
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "20"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-keep-crds
namespace: secrets-store-csi-driver
spec:
backoffLimit: 3
template:
metadata:
name: secrets-store-csi-driver-keep-crds
spec:
containers:
- args:
- patch
- crd
- secretproviderclasses.secrets-store.csi.x-k8s.io
- secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
- -p
- '{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}'
image: registry.k8s.io/csi-secrets-store/driver-crds:v1.4.5
imagePullPolicy: IfNotPresent
name: crds-keep
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Never
serviceAccountName: secrets-store-csi-driver-keep-crds
tolerations:
- operator: Exists
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
helm.sh/hook-weight: "10"
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store-csi-driver-upgrade-crds
namespace: secrets-store-csi-driver
spec:
backoffLimit: 3
template:
metadata:
name: secrets-store-csi-driver-upgrade-crds
spec:
containers:
- args:
- apply
- -f
- crds/
image: registry.k8s.io/csi-secrets-store/driver-crds:v1.4.5
imagePullPolicy: IfNotPresent
name: crds-upgrade
nodeSelector:
kubernetes.io/os: linux
restartPolicy: Never
serviceAccountName: secrets-store-csi-driver-upgrade-crds
tolerations:
- operator: Exists
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
labels:
app: secrets-store-csi-driver
app.kubernetes.io/instance: secrets-store-csi-driver
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: secrets-store-csi-driver
app.kubernetes.io/version: 1.4.5
helm.sh/chart: secrets-store-csi-driver-1.4.5
name: secrets-store.csi.k8s.io
spec:
attachRequired: false
podInfoOnMount: true
volumeLifecycleModes:
- Ephemeral

6
k8s/operators/secrets-store-csi-driver/kustomization.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: secrets-store-csi-driver
resources:
- namespace.yaml
- bundle.yaml

4
k8s/operators/secrets-store-csi-driver/namespace.yaml Normal file
View file

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: secrets-store-csi-driver