parts/k8s/addons/secrets-store-csi-driver.yaml (507 lines of code) (raw):

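# Secrets Store CSI driver addon plus its Azure provider.
# The {{...}} expressions are Go-template functions (ContainerImage,
# ContainerCPULimits, IsCustomCloudProfile, ...) that are expanded before
# this file is handed to the apiserver, so the raw file is not parseable
# YAML on its own; review the rendered output as well as this template.
apiVersion: {{GetStorageAPIVersion}}
kind: CSIDriver
metadata:
  name: secrets-store.csi.k8s.io
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  # The kubelet passes the mounting pod's identity (namespace/name/UID/SA)
  # to the driver on NodePublish; the driver needs it to resolve the
  # SecretProviderClass in the pod's namespace.
  podInfoOnMount: true
  attachRequired: false
  # Only inline (ephemeral) volumes are supported; no PV/PVC lifecycle.
  volumeLifecycleModes:
    - Ephemeral
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secrets-store-csi-driver
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
# Read-mostly role for the driver: it watches pods and
# SecretProviderClass objects and writes per-pod status objects and events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secretproviderclasses-role
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - secrets-store.csi.x-k8s.io
    resources:
      - secretproviderclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - secrets-store.csi.x-k8s.io
    resources:
      - secretproviderclasspodstatuses
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - secrets-store.csi.x-k8s.io
    resources:
      - secretproviderclasspodstatuses/status
    verbs:
      - get
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secretproviderclasses-rolebinding
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secretproviderclasses-role
subjects:
  - kind: ServiceAccount
    name: secrets-store-csi-driver
    namespace: kube-system
---
# Cluster-wide write access to Secrets. This backs the
# "sync as Kubernetes secret" feature (the secretObjects field of
# SecretProviderClass below). Because the bound service account is used by
# the privileged, hostNetwork csi-secrets-store DaemonSet on every node,
# any node holding that token can create or modify Secrets in every
# namespace; keep node access and this binding under review.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secretprovidersyncing-role
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: secretprovidersyncing-rolebinding
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: secretprovidersyncing-role
subjects:
  - kind: ServiceAccount
    name: secrets-store-csi-driver
    namespace: kube-system
---
# CRD: SecretProviderClass (generated by controller-gen; the
# creationTimestamp: null annotation is an artefact of that generator).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
  name: secretproviderclasses.secrets-store.csi.x-k8s.io
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: secrets-store.csi.x-k8s.io
  names:
    kind: SecretProviderClass
    listKind: SecretProviderClassList
    plural: secretproviderclasses
    singular: secretproviderclass
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: SecretProviderClass is the Schema for the secretproviderclasses API
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: SecretProviderClassSpec defines the desired state of SecretProviderClass
              properties:
                # Free-form provider settings; their meaning is defined by the
                # provider binary, not validated here.
                parameters:
                  additionalProperties:
                    type: string
                  description: Configuration for specific provider
                  type: object
                provider:
                  description: Configuration for provider name
                  type: string
                # Optional mirroring of fetched objects into Kubernetes
                # Secrets; this is what the secretprovidersyncing-role exists for.
                secretObjects:
                  items:
                    description: SecretObject defines the desired state of synced K8s secret objects
                    properties:
                      data:
                        items:
                          description: SecretObjectData defines the desired state of synced K8s secret object data
                          properties:
                            key:
                              description: data field to populate
                              type: string
                            objectName:
                              description: name of the object to sync
                              type: string
                          type: object
                        type: array
                      labels:
                        additionalProperties:
                          type: string
                        description: labels of K8s secret object
                        type: object
                      secretName:
                        description: name of the K8s secret object
                        type: string
                      type:
                        description: type of K8s secret object
                        type: string
                    type: object
                  type: array
              type: object
            status:
              description: SecretProviderClassStatus defines the observed state of SecretProviderClass
              properties:
                byPod:
                  items:
                    description: ByPodStatus defines the state of SecretProviderClass as seen by an individual controller
                    properties:
                      id:
                        description: id of the pod that wrote the status
                        type: string
                      namespace:
                        description: namespace of the pod that wrote the status
                        type: string
                    type: object
                  type: array
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD: SecretProviderClassPodStatus — per-pod record of what the driver
# mounted (object ids/versions and the target path).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.4.0
  creationTimestamp: null
  name: secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  group: secrets-store.csi.x-k8s.io
  names:
    kind: SecretProviderClassPodStatus
    listKind: SecretProviderClassPodStatusList
    plural: secretproviderclasspodstatuses
    singular: secretproviderclasspodstatus
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          description: SecretProviderClassPodStatus is the Schema for the secretproviderclassespodstatus API
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            status:
              description: SecretProviderClassPodStatusStatus defines the observed state of SecretProviderClassPodStatus
              properties:
                mounted:
                  type: boolean
                objects:
                  items:
                    description: SecretProviderClassObject defines the object fetched from external secrets store
                    properties:
                      id:
                        type: string
                      version:
                        type: string
                    type: object
                  type: array
                podName:
                  type: string
                secretProviderClassName:
                  type: string
                targetPath:
                  type: string
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
{{- /* A priority class for the daemonset such that they are not */}}
{{- /* frozen out of a node due to the node filling up with "normal" */}}
{{- /* pods before the daemonset controller can get the daemonset */}}
{{- /* pods to be scheduled. */}}
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: csi-secrets-store
  labels:
    # EnsureExists (not Reconcile): the addon manager creates it once and
    # leaves later edits alone.
    addonmanager.kubernetes.io/mode: EnsureExists
value: 1000
globalDefault: false
description: "This is the daemonset priority class for csi-secrets-store"
---
# Node plugin: registrar + CSI driver + liveness sidecar on every Linux node.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: csi-secrets-store
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 50%
  selector:
    matchLabels:
      app: csi-secrets-store
  template:
    metadata:
      labels:
        app: csi-secrets-store
    spec:
      priorityClassName: csi-secrets-store
      serviceAccountName: secrets-store-csi-driver
      # hostNetwork means every listener below (healthz on 9808, metrics on
      # metricsPort) binds in the node's network namespace and is reachable
      # from outside the pod unless node firewalling restricts it.
      hostNetwork: true
      containers:
        - name: node-driver-registrar
          image: {{ContainerImage "csi-node-driver-registrar"}}
          args:
            # --v=5 is verbose; registrar logs land in node logs.
            - --v=5
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: registration-dir
              mountPath: /registration
          resources:
            limits:
              cpu: {{ContainerCPULimits "csi-node-driver-registrar"}}
              memory: {{ContainerMemLimits "csi-node-driver-registrar"}}
            requests:
              cpu: {{ContainerCPUReqs "csi-node-driver-registrar"}}
              memory: {{ContainerMemReqs "csi-node-driver-registrar"}}
        - name: secrets-store
          image: {{ContainerImage "secrets-store"}}
          args:
            - "--endpoint=$(CSI_ENDPOINT)"
            - "--nodeid=$(KUBE_NODE_NAME)"
            # Directory where provider binaries expose their unix sockets;
            # shared with the provider DaemonSet through a hostPath.
            - "--provider-volume=/etc/kubernetes/secrets-store-csi-providers"
            - "--grpc-supported-providers=azure"
            - "--metrics-addr=:{{ContainerConfig "metricsPort"}}"
            - "--enable-secret-rotation={{ContainerConfig "enableSecretRotation"}}"
            - "--rotation-poll-interval={{ContainerConfig "rotationPollInterval"}}"
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: spec.nodeName
          imagePullPolicy: IfNotPresent
          securityContext:
            # Required for the Bidirectional mount propagation on
            # /var/lib/kubelet/pods below; the driver mounts secret volumes
            # into pod directories on the host.
            privileged: true
          ports:
            - containerPort: 9808
              name: healthz
              protocol: TCP
          livenessProbe:
            failureThreshold: 5
            httpGet:
              path: /healthz
              # Served by the liveness-probe sidecar on the same (host)
              # network namespace.
              port: healthz
            initialDelaySeconds: 30
            timeoutSeconds: 10
            periodSeconds: 15
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
            - name: mountpoint-dir
              mountPath: /var/lib/kubelet/pods
              mountPropagation: Bidirectional
            - name: providers-dir
              mountPath: /etc/kubernetes/secrets-store-csi-providers
{{- if IsCustomCloudProfile}}
            # Azure Stack cloud environment definition, mounted read-only.
            - name: custom-environment
              mountPath: /etc/kubernetes/azurestackcloud.json
              readOnly: true
{{end}}
          resources:
            limits:
              cpu: {{ContainerCPULimits "secrets-store"}}
              memory: {{ContainerMemLimits "secrets-store"}}
            requests:
              cpu: {{ContainerCPUReqs "secrets-store"}}
              memory: {{ContainerMemReqs "secrets-store"}}
        - name: liveness-probe
          image: {{ContainerImage "livenessprobe"}}
          imagePullPolicy: IfNotPresent
          args:
            - --csi-address=/csi/csi.sock
            - --probe-timeout=3s
            # Binds on all interfaces; with hostNetwork this is the node's
            # 0.0.0.0:9808, not just the pod's.
            - --http-endpoint=0.0.0.0:9808
            - -v=2
          volumeMounts:
            - name: plugin-dir
              mountPath: /csi
          resources:
            limits:
              cpu: {{ContainerCPULimits "livenessprobe"}}
              memory: {{ContainerMemLimits "livenessprobe"}}
            requests:
              cpu: {{ContainerCPUReqs "livenessprobe"}}
              memory: {{ContainerMemReqs "livenessprobe"}}
      volumes:
        - name: mountpoint-dir
          hostPath:
            path: /var/lib/kubelet/pods
            type: DirectoryOrCreate
        - name: registration-dir
          hostPath:
            path: /var/lib/kubelet/plugins_registry/
            type: Directory
        - name: plugin-dir
          hostPath:
            path: /var/lib/kubelet/plugins/csi-secrets-store/
            type: DirectoryOrCreate
        - name: providers-dir
          hostPath:
            path: /etc/kubernetes/secrets-store-csi-providers
            type: DirectoryOrCreate
{{- if IsCustomCloudProfile}}
        - name: custom-environment
          hostPath:
            path: /etc/kubernetes/azurestackcloud.json
            # FileOrCreate: an empty file is created if the host lacks it,
            # so a missing environment file surfaces at driver startup rather
            # than as a scheduling failure.
            type: FileOrCreate
{{end}}
      nodeSelector:
        kubernetes.io/os: linux
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: csi-secrets-store-provider-azure
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
# Azure provider: serves the driver over a unix socket in the shared
# providers directory. No ClusterRole is bound to its service account here.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: csi-secrets-store-provider-azure
  namespace: kube-system
  labels:
    app: csi-secrets-store-provider-azure
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 50%
  selector:
    matchLabels:
      app: csi-secrets-store-provider-azure
  template:
    metadata:
      labels:
        app: csi-secrets-store-provider-azure
    spec:
      priorityClassName: csi-secrets-store
      serviceAccountName: csi-secrets-store-provider-azure
      hostNetwork: true
      containers:
        - name: provider-azure-installer
          image: {{ContainerImage "provider-azure-installer"}}
          imagePullPolicy: IfNotPresent
          args:
            - --endpoint=unix:///etc/kubernetes/secrets-store-csi-providers/azure.sock
          lifecycle:
            preStop:
              exec:
                # exec hooks run argv directly, without a shell, so the
                # executable and its argument must be separate elements; a
                # single "rm <path>" element is looked up as one binary name
                # and the hook can never succeed. Assumes the image ships an
                # `rm` binary — TODO confirm for the provider image in use.
                command:
                  - rm
                  - /etc/kubernetes/secrets-store-csi-providers/azure.sock
          volumeMounts:
            - mountPath: "/etc/kubernetes/secrets-store-csi-providers"
              name: providervol
            - name: mountpoint-dir
              mountPath: /var/lib/kubelet/pods
              # HostToContainer only: the provider reads pod mount points but
              # never creates mounts, so it does not need Bidirectional.
              mountPropagation: HostToContainer
          resources:
            limits:
              cpu: {{ContainerCPULimits "provider-azure-installer"}}
              memory: {{ContainerMemLimits "provider-azure-installer"}}
            requests:
              cpu: {{ContainerCPUReqs "provider-azure-installer"}}
              memory: {{ContainerMemReqs "provider-azure-installer"}}
      volumes:
        - name: providervol
          hostPath:
            path: "/etc/kubernetes/secrets-store-csi-providers"
        - name: mountpoint-dir
          hostPath:
            path: /var/lib/kubelet/pods
      nodeSelector:
        kubernetes.io/os: linux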