# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. kind: DaemonSet apiVersion: apps/v1 metadata: name: csi-secrets-store namespace: kube-system spec: selector: matchLabels: app: csi-secrets-store template: metadata: labels: app: csi-secrets-store annotations: kubectl.kubernetes.io/default-logs-container: secrets-store spec: serviceAccountName: secrets-store-csi-driver containers: - name: node-driver-registrar image: k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0 args: - --v=5 - --csi-address=/csi/csi.sock - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock env: - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName imagePullPolicy: Always volumeMounts: - name: plugin-dir mountPath: /csi - name: registration-dir mountPath: /registration resources: limits: cpu: 100m memory: 100Mi requests: cpu: 10m memory: 20Mi - name: secrets-store image: k8s.gcr.io/csi-secrets-store/driver:v0.0.20 args: - "--endpoint=$(CSI_ENDPOINT)" - "--nodeid=$(KUBE_NODE_NAME)" - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers" - "--metrics-addr=:8095" - "--grpc-supported-providers=gcp;azure;vault;" - "--enable-secret-rotation=false" - "--rotation-poll-interval=2m" env: - name: CSI_ENDPOINT value: unix:///csi/csi.sock - name: KUBE_NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName imagePullPolicy: Always securityContext: privileged: true ports: - containerPort: 9808 name: healthz protocol: TCP livenessProbe: failureThreshold: 5 httpGet: path: /healthz port: healthz initialDelaySeconds: 30 timeoutSeconds: 10 periodSeconds: 15 volumeMounts: - name: plugin-dir mountPath: /csi - name: mountpoint-dir mountPath: /var/lib/kubelet/pods mountPropagation: Bidirectional - name: providers-dir mountPath: /etc/kubernetes/secrets-store-csi-providers resources: limits: cpu: 200m memory: 200Mi requests: cpu: 50m memory: 100Mi - name: liveness-probe image: k8s.gcr.io/sig-storage/livenessprobe:v2.2.0 imagePullPolicy: Always args: - --csi-address=/csi/csi.sock - --probe-timeout=3s - --http-endpoint=0.0.0.0:9808 - -v=2 volumeMounts: - name: plugin-dir mountPath: /csi resources: limits: cpu: 100m memory: 100Mi requests: cpu: 10m memory: 20Mi volumes: - name: mountpoint-dir hostPath: path: /var/lib/kubelet/pods type: DirectoryOrCreate - name: registration-dir hostPath: path: /var/lib/kubelet/plugins_registry/ type: Directory - name: plugin-dir hostPath: path: /var/lib/kubelet/plugins/csi-secrets-store/ type: DirectoryOrCreate - name: providers-dir hostPath: path: /etc/kubernetes/secrets-store-csi-providers type: DirectoryOrCreate nodeSelector: kubernetes.io/os: linux