diff --git a/helm/openbao/kustomization.yaml b/helm/openbao/kustomization.yaml
index 0c91f17..dd2cd1a 100644
--- a/helm/openbao/kustomization.yaml
+++ b/helm/openbao/kustomization.yaml
@@ -20,6 +20,12 @@ helmCharts:
 enabled: true
 ui:
 enabled: true
+ csi:
+ enabled: true
+ debug: true
+ agent:
+ image:
+ repository: quay.io/openbao/openbao
 releaseName: openbao
 version: 0.5.0
 repo: https://openbao.github.io/openbao-helm
diff --git a/helm/render-all.sh b/helm/render-all.sh
index 2457d42..ffda144 100755
--- a/helm/render-all.sh
+++ b/helm/render-all.sh
@@ -4,7 +4,7 @@ set -exuo pipefail
 header="# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten"
 
 # operators
-for component in openbao external-secrets; do
+for component in openbao external-secrets secrets-store-csi-driver; do
 mkdir -p ../k8s/operators/${component}
 echo "${header}" > ../k8s/operators/${component}/bundle.yaml
 kubectl kustomize --enable-helm ${component}/ >> ../k8s/operators/${component}/bundle.yaml
diff --git a/helm/secrets-store-csi-driver/kustomization.yaml b/helm/secrets-store-csi-driver/kustomization.yaml
new file mode 100644
index 0000000..05eb61b
--- /dev/null
+++ b/helm/secrets-store-csi-driver/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secrets-store-csi-driver
+helmCharts:
+- name: secrets-store-csi-driver
+ valuesInline:
+ syncSecret:
+ enabled: true
+ releaseName: secrets-store-csi-driver
+ version: v1.4.5
+ repo: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
diff --git a/k8s/operators/kustomization.yaml b/k8s/operators/kustomization.yaml
index a31b698..549e238 100644
--- a/k8s/operators/kustomization.yaml
+++ b/k8s/operators/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - cert-manager
 - openbao
 - kube-prometheus
+ - secrets-store-csi-driver
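Review bot: `debug: true` under the new `csi:` stanza renders as `--debug=true` on the openbao-csi-provider container in k8s/operators/openbao/bundle.yaml further down this diff; a secrets provider running at debug verbosity is a log-exposure risk, so the committed default should be `debug: false` with debug turned on only while troubleshooting. The hunk sets `agent.image.repository` but no tag, and the rendered agent container resolves to `quay.io/openbao/openbao:2.0.0-alpha20240329` while the provider container stays on `docker.io/hashicorp/vault-csi-provider:1.4.1` — both look like chart defaults, so pin tags explicitly (the chart's `tag` key beside `repository`, if exposed) rather than inherit an alpha build from whichever chart version is fetched. The rendered ConfigMap also carries `helm.sh/chart: openbao-0.4.0` although this kustomization pins `version: 0.5.0`; worth confirming the bundle was regenerated from the pinned chart before merging.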
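Review bot: The component list on the changed `for` line now has to be kept in sync by hand with the `resources` list in k8s/operators/kustomization.yaml (also in this diff); a forgotten entry on either side leaves a stale or missing bundle.yaml with no error from the script. Consider deriving the loop from the directories under helm/ that contain a kustomization.yaml, or adding a check that every entry in one list appears in the other. Since `kubectl kustomize --enable-helm` fetches the chart at render time, the committed bundle.yaml is the artefact that is actually reviewed and applied, so regenerated RBAC and securityContext changes deserve a look on each re-render.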
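Review bot: `syncSecret.enabled: true` grants the driver's node DaemonSet ServiceAccount the cluster-wide `secretprovidersyncing-role` ClusterRole (create/delete/get/list/patch/update/watch on Secrets in every namespace, visible in the rendered k8s/operators/secrets-store-csi-driver/bundle.yaml), and that DaemonSet already runs `privileged: true` on every node, so a compromised driver pod on any node would then have read/write on every Secret in the cluster. Enable it only if SecretProviderClass objects will use `secretObjects` to mirror mounted content into Kubernetes Secrets; if the intent is file mounts only, set `enabled: false`. Either way record the reason above the key, e.g. `# syncSecret grants the driver SA cluster-wide Secret write; required only for secretObjects mirroring`. Minor style: this file uses a flush `- name:` list item while the other kustomizations in the diff indent list items with `  - `; pick one form.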
diff --git a/k8s/operators/openbao/bundle.yaml b/k8s/operators/openbao/bundle.yaml index 25e9c3b..011cfcb 100644 --- a/k8s/operators/openbao/bundle.yaml +++ b/k8s/operators/openbao/bundle.yaml @@ -10,6 +10,41 @@ metadata: name: openbao namespace: openbao --- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider + namespace: openbao +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider-role + namespace: openbao +rules: +- apiGroups: + - "" + resourceNames: + - openbao-csi-provider-hmac-key + resources: + - secrets + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -33,6 +68,40 @@ rules: - patch --- apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider-clusterrole +rules: +- apiGroups: + - "" + resources: + - serviceaccounts/token + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider-rolebinding + namespace: openbao +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: openbao-csi-provider-role +subjects: +- kind: ServiceAccount + name: openbao-csi-provider + namespace: openbao +--- +apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: 
@@ -53,6 +122,23 @@ subjects: --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openbao-csi-provider-clusterrole +subjects: +- kind: ServiceAccount + name: openbao-csi-provider + namespace: openbao +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/instance: openbao @@ -102,6 +188,29 @@ metadata: namespace: openbao --- apiVersion: v1 +data: + config.hcl: | + vault { + "address" = "http://openbao.openbao.svc:8200" + } + + cache {} + + listener "unix" { + address = "/var/run/vault/agent.sock" + tls_disable = true + } +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + helm.sh/chart: openbao-0.4.0 + name: openbao-csi-provider-agent-config + namespace: openbao +--- +apiVersion: v1 kind: Service metadata: labels: 
@@ -388,6 +497,102 @@ spec: app.kubernetes.io/name: openbao component: server --- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: openbao-csi-provider + name: openbao-csi-provider + namespace: openbao +spec: + selector: + matchLabels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao-csi-provider + template: + metadata: + labels: + app.kubernetes.io/instance: openbao + app.kubernetes.io/name: openbao-csi-provider + spec: + containers: + - args: + - --endpoint=/provider/vault.sock + - --debug=true + - --hmac-secret-name=openbao-csi-provider-hmac-key + env: + - name: VAULT_ADDR + value: unix:///var/run/vault/agent.sock + image: docker.io/hashicorp/vault-csi-provider:1.4.1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 2 + httpGet: + path: /health/ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + name: openbao-csi-provider + readinessProbe: + failureThreshold: 2 + httpGet: + path: /health/ready + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + volumeMounts: + - mountPath: /provider + name: providervol + - mountPath: /var/run/vault + name: agent-unix-socket + - args: + - agent + - -config=/etc/vault/config.hcl + command: + - bao + env: + - name: VAULT_LOG_LEVEL + value: info + - name: VAULT_LOG_FORMAT + value: standard + image: quay.io/openbao/openbao:2.0.0-alpha20240329 + imagePullPolicy: IfNotPresent + name: openbao-agent + ports: + - containerPort: 8200 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsGroup: 1000 + runAsNonRoot: true + runAsUser: 100 + volumeMounts: + - mountPath: /etc/vault/config.hcl + name: agent-config + readOnly: true + subPath: config.hcl + - mountPath: /var/run/vault + name: agent-unix-socket + serviceAccountName: openbao-csi-provider + 
volumes: + - hostPath: + path: /etc/kubernetes/secrets-store-csi-providers + name: providervol + - configMap: + name: openbao-csi-provider-agent-config + name: agent-config + - emptyDir: + medium: Memory + name: agent-unix-socket + updateStrategy: + type: RollingUpdate +--- apiVersion: v1 kind: Pod metadata: diff --git a/k8s/operators/secrets-store-csi-driver/bundle.yaml b/k8s/operators/secrets-store-csi-driver/bundle.yaml new file mode 100644 index 0000000..406bd14 --- /dev/null +++ b/k8s/operators/secrets-store-csi-driver/bundle.yaml 
@@ -0,0 +1,603 @@ +# DO NOT EDIT: This file has been automatically generated by the script in helm/render-all.sh, edits may get overwritten +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver + namespace: secrets-store-csi-driver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "2" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-keep-crds + namespace: secrets-store-csi-driver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "1" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-upgrade-crds + namespace: secrets-store-csi-driver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + 
rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + name: secretproviderclasses-admin-role +rules: +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secretproviderclasses-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + verbs: + - get + - list + - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasspodstatuses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasspodstatuses/status + verbs: + - get + - patch + - update +- apiGroups: + - storage.k8s.io + resourceNames: + - secrets-store.csi.k8s.io + resources: + - csidrivers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: secretproviderclasses-viewer-role +rules: +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasses + 
verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + rbac.authorization.k8s.io/aggregate-to-view: "true" + name: secretproviderclasspodstatuses-viewer-role +rules: +- apiGroups: + - secrets-store.csi.x-k8s.io + resources: + - secretproviderclasspodstatuses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secretprovidersyncing-role +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "2" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-keep-crds +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation 
+ helm.sh/hook-weight: "1" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-upgrade-crds +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - create + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secretproviderclasses-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretproviderclasses-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: secrets-store-csi-driver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secretprovidersyncing-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secretprovidersyncing-role +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver + namespace: secrets-store-csi-driver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "2" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: 
secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-keep-crds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-store-csi-driver-keep-crds +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver-keep-crds + namespace: secrets-store-csi-driver +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "1" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-upgrade-crds +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: secrets-store-csi-driver-upgrade-crds +subjects: +- kind: ServiceAccount + name: secrets-store-csi-driver-upgrade-crds + namespace: secrets-store-csi-driver +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver + namespace: secrets-store-csi-driver +spec: + selector: + matchLabels: + app: secrets-store-csi-driver + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: secrets-store + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + 
app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: type + operator: NotIn + values: + - virtual-kubelet + containers: + - args: + - --v=5 + - --csi-address=/csi/csi.sock + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.11.1 + imagePullPolicy: IfNotPresent + name: node-driver-registrar + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + volumeMounts: + - mountPath: /csi + name: plugin-dir + - mountPath: /registration + name: registration-dir + - args: + - --endpoint=$(CSI_ENDPOINT) + - --nodeid=$(KUBE_NODE_NAME) + - --provider-volume=/var/run/secrets-store-csi-providers + - --additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers + - --metrics-addr=:8095 + - --provider-health-check-interval=2m + - --max-call-recv-msg-size=4194304 + env: + - name: CSI_ENDPOINT + value: unix:///csi/csi.sock + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: registry.k8s.io/csi-secrets-store/driver:v1.4.5 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: healthz + initialDelaySeconds: 30 + periodSeconds: 15 + timeoutSeconds: 10 + name: secrets-store + ports: + - containerPort: 9808 + name: healthz + protocol: TCP + - containerPort: 8095 + name: metrics + protocol: TCP + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 50m + memory: 100Mi + securityContext: + privileged: true + volumeMounts: + - mountPath: /csi + name: plugin-dir + - mountPath: /var/lib/kubelet/pods + mountPropagation: Bidirectional + name: mountpoint-dir + - mountPath: /var/run/secrets-store-csi-providers + name: providers-dir + - mountPath: 
/etc/kubernetes/secrets-store-csi-providers + name: providers-dir-0 + - args: + - --csi-address=/csi/csi.sock + - --probe-timeout=3s + - --http-endpoint=0.0.0.0:9808 + - -v=2 + image: registry.k8s.io/sig-storage/livenessprobe:v2.13.1 + imagePullPolicy: IfNotPresent + name: liveness-probe + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 10m + memory: 20Mi + volumeMounts: + - mountPath: /csi + name: plugin-dir + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: secrets-store-csi-driver + tolerations: + - operator: Exists + volumes: + - hostPath: + path: /var/lib/kubelet/pods + type: DirectoryOrCreate + name: mountpoint-dir + - hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + name: registration-dir + - hostPath: + path: /var/lib/kubelet/plugins/csi-secrets-store/ + type: DirectoryOrCreate + name: plugin-dir + - hostPath: + path: /var/run/secrets-store-csi-providers + type: DirectoryOrCreate + name: providers-dir + - hostPath: + path: /etc/kubernetes/secrets-store-csi-providers + type: DirectoryOrCreate + name: providers-dir-0 + updateStrategy: + rollingUpdate: + maxUnavailable: 1 + type: RollingUpdate +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "20" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-keep-crds + namespace: secrets-store-csi-driver +spec: + backoffLimit: 3 + template: + metadata: + name: secrets-store-csi-driver-keep-crds + spec: + containers: + - args: + - patch + - crd + - secretproviderclasses.secrets-store.csi.x-k8s.io + - secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io + - -p + - 
'{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}' + image: registry.k8s.io/csi-secrets-store/driver-crds:v1.4.5 + imagePullPolicy: IfNotPresent + name: crds-keep + nodeSelector: + kubernetes.io/os: linux + restartPolicy: Never + serviceAccountName: secrets-store-csi-driver-keep-crds + tolerations: + - operator: Exists +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation + helm.sh/hook-weight: "10" + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store-csi-driver-upgrade-crds + namespace: secrets-store-csi-driver +spec: + backoffLimit: 3 + template: + metadata: + name: secrets-store-csi-driver-upgrade-crds + spec: + containers: + - args: + - apply + - -f + - crds/ + image: registry.k8s.io/csi-secrets-store/driver-crds:v1.4.5 + imagePullPolicy: IfNotPresent + name: crds-upgrade + nodeSelector: + kubernetes.io/os: linux + restartPolicy: Never + serviceAccountName: secrets-store-csi-driver-upgrade-crds + tolerations: + - operator: Exists +--- +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + labels: + app: secrets-store-csi-driver + app.kubernetes.io/instance: secrets-store-csi-driver + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: secrets-store-csi-driver + app.kubernetes.io/version: 1.4.5 + helm.sh/chart: secrets-store-csi-driver-1.4.5 + name: secrets-store.csi.k8s.io +spec: + attachRequired: false + podInfoOnMount: true + volumeLifecycleModes: + - Ephemeral diff --git a/k8s/operators/secrets-store-csi-driver/kustomization.yaml b/k8s/operators/secrets-store-csi-driver/kustomization.yaml new file mode 100644 index 0000000..8cf173b --- /dev/null 
+++ b/k8s/operators/secrets-store-csi-driver/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: secrets-store-csi-driver
+resources:
+ - namespace.yaml
+ - bundle.yaml
diff --git a/k8s/operators/secrets-store-csi-driver/namespace.yaml b/k8s/operators/secrets-store-csi-driver/namespace.yaml
new file mode 100644
index 0000000..fa6b7df
--- /dev/null
+++ b/k8s/operators/secrets-store-csi-driver/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: secrets-store-csi-driver
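Review bot: The new Namespace carries no Pod Security Admission labels, yet the driver DaemonSet rendered into it runs with `securityContext.privileged: true` and `mountPropagation: Bidirectional` on /var/lib/kubelet/pods, which only the `privileged` PSA level admits. If the cluster enforces a `baseline` or `restricted` default, the DaemonSet is rejected at apply time; if it enforces nothing, this namespace becomes one of the most sensitive in the cluster with nothing marking it as such. Label it explicitly, e.g. `pod-security.kubernetes.io/enforce: privileged` together with `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline`, so the exception is recorded where it is granted. I cannot see how the other operator namespaces under k8s/operators are labelled, so match whatever convention they already use.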