release: update manifest and helm charts for v1.0.1 (#756)

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Makefile

@@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)"
 REGISTRY_NAME ?= upstreamk8sci
 REPO_PREFIX ?= k8s/csi/secrets-store
 REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX)
-IMAGE_VERSION ?= v1.0.0
+IMAGE_VERSION ?= v1.0.1
 IMAGE_NAME ?= provider-azure
 IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION)
 

charts/csi-secrets-store-provider-azure/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
-  version: 1.0.0
-digest: sha256:21c9bdbedf3e250bce7e9b4a9eac408b8819f18504b26e8017fe2c8906419271
-generated: "2021-10-14T23:05:12.939759665Z"
+  version: 1.0.1
+digest: sha256:bf0bde14adcdbfa6e9b8379ad9fb13e93ee7682c64ceb5209b45d75244c582b2
+generated: "2022-01-14T01:06:20.678326867Z"

charts/csi-secrets-store-provider-azure/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: csi-secrets-store-provider-azure
-version: 1.0.0
-appVersion: 1.0.0
+version: 1.0.1
+appVersion: 1.0.1
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
 sources:
@@ -13,5 +13,5 @@ maintainers:
 dependencies:
 - name: secrets-store-csi-driver
   repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
-  version: 1.0.0
+  version: 1.0.1
   condition: secrets-store-csi-driver.install

charts/csi-secrets-store-provider-azure/templates/arc-proxy-secret.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.Azure.proxySettings.isProxyEnabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: arc-proxy-config
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  {{- if .Values.Azure.proxySettings.httpProxy }}
+    HTTP_PROXY: {{.Values.Azure.proxySettings.httpProxy | b64enc | quote}}
+  {{- end }}
+  {{- if .Values.Azure.proxySettings.httpsProxy }}
+    HTTPS_PROXY: {{.Values.Azure.proxySettings.httpsProxy | b64enc | quote}}
+  {{- end }}
+  {{- if .Values.Azure.proxySettings.noProxy }}
+    NO_PROXY: {{.Values.Azure.proxySettings.noProxy | b64enc | quote}}
+  {{- end }}
+---
+{{- if .Values.Azure.proxySettings.proxyCert }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: arc-proxy-cert
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data: 
+  proxy-cert.crt: {{.Values.Azure.proxySettings.proxyCert | b64enc | quote}}
+{{- end }}
+{{- end }}

charts/csi-secrets-store-provider-azure/templates/provider-azure-installer-windows.yaml

@@ -48,9 +48,6 @@ spec:
             - --healthz-port={{ .Values.windows.healthzPort }}
             - --healthz-path={{ .Values.windows.healthzPath }}
             - --healthz-timeout={{ .Values.windows.healthzTimeout }}
-            {{- if .Values.driverWriteSecrets }}
-            - --driver-write-secrets={{ .Values.driverWriteSecrets }}
-            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.windows.healthzPath }}
@@ -64,11 +61,6 @@ spec:
           volumeMounts:
             - name: provider-vol
               mountPath: "C:\\provider"
-            {{- if not .Values.driverWriteSecrets }}
-            - name: mountpoint-dir
-              mountPath: {{ .Values.windows.kubeletRootDir }}\pods
-              mountPropagation: HostToContainer
-            {{- end }}
             {{- if .Values.windows.volumeMounts }}
             {{- toYaml .Values.windows.volumeMounts | nindent 12 }}
             {{- end}}
@@ -80,13 +72,8 @@ spec:
       volumes:
         - name: provider-vol
           hostPath:
-            path: C:\k\secrets-store-csi-providers
+            path: {{ .Values.windows.providersDir }}
             type: DirectoryOrCreate
-        {{- if not .Values.driverWriteSecrets }}
-        - name: mountpoint-dir
-          hostPath:
-            path: {{ .Values.windows.kubeletRootDir }}\pods\
-        {{- end }}
         {{- if .Values.windows.volumes }}
         {{- toYaml .Values.windows.volumes | nindent 8 }}
         {{- end}}

charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml

@@ -17,9 +17,15 @@ spec:
 {{- if .Values.linux.podLabels }}
 {{- toYaml .Values.linux.podLabels | nindent 8 }}
 {{- end }}
-{{- if .Values.linux.podAnnotations }}
+{{- if or .Values.linux.podAnnotations .Values.Azure.proxySettings.isProxyEnabled }}
       annotations:
+{{- if .Values.linux.podAnnotations}}
 {{- toYaml .Values.linux.podAnnotations | nindent 8 }}
+{{- end }}
+# this will ensure pods are rolled in next helm upgrade if cert files are updated.
+{{- if .Values.Azure.proxySettings.isProxyEnabled }}
+        checksum/arc-proxy-config: {{ include (print $.Template.BasePath "/arc-proxy-secret.yaml") . | sha256sum }}
+{{- end }}
 {{- end }}
     spec:
       {{- if .Values.imagePullSecrets }}
@@ -49,9 +55,6 @@ spec:
             - --healthz-port={{ .Values.linux.healthzPort }}
             - --healthz-path={{ .Values.linux.healthzPath }}
             - --healthz-timeout={{ .Values.linux.healthzTimeout }}
-            {{- if .Values.driverWriteSecrets }}
-            - --driver-write-secrets={{ .Values.driverWriteSecrets }}
-            {{- end }}
           livenessProbe:
             httpGet:
               path: {{ .Values.linux.healthzPath }}
@@ -74,17 +77,22 @@ spec:
           {{- if .Values.linux.privileged }}
             privileged: true
           {{- end }}
+          {{- if .Values.Azure.proxySettings.isProxyEnabled }}
+          envFrom:
+            - secretRef:
+                name: arc-proxy-config
+          {{- end }}
           volumeMounts:
             - name: provider-vol
               mountPath: /provider
-            {{- if not .Values.driverWriteSecrets }}
-            - name: mountpoint-dir
-              mountPath: {{ .Values.linux.kubeletRootDir }}/pods
-              mountPropagation: HostToContainer
-            {{- end }}
             {{- if .Values.linux.volumeMounts }}
             {{- toYaml .Values.linux.volumeMounts | nindent 12 }}
             {{- end}}
+            {{- if  and .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.proxyCert }}
+            - mountPath: /etc/ssl/certs/proxy-cert.crt
+              subPath: proxy-cert.crt
+              name: proxy-certstore
+            {{- end }}
       affinity:
 {{ toYaml .Values.linux.affinity | indent 8 }}
       {{- if .Values.linux.priorityClassName }}
@@ -93,15 +101,15 @@ spec:
       volumes:
         - name: provider-vol
           hostPath:
-            path: "/etc/kubernetes/secrets-store-csi-providers"
-        {{- if not .Values.driverWriteSecrets }}
-        - name: mountpoint-dir
-          hostPath:
-            path: {{ .Values.linux.kubeletRootDir }}/pods
-        {{- end }}
+            path: {{ .Values.linux.providersDir }}
         {{- if .Values.linux.volumes }}
         {{- toYaml .Values.linux.volumes | nindent 8 }}
         {{- end}}
+        {{- if  and .Values.Azure.proxySettings.isProxyEnabled .Values.Azure.proxySettings.proxyCert }}
+        - name: proxy-certstore
+          secret:
+            secretName: arc-proxy-cert
+        {{- end }}
       nodeSelector:
         kubernetes.io/os: linux
 {{- if .Values.linux.nodeSelector }}

charts/csi-secrets-store-provider-azure/values.yaml

@@ -1,3 +1,12 @@
+# Values populated by Azure Arc K8s RP during the installation of the extension.
+Azure:
+  proxySettings:
+    isProxyEnabled: false
+    httpProxy: ""
+    httpsProxy: ""
+    noProxy: ""
+    proxyCert: ""
+
 # One or more secrets to be used when pulling images
 imagePullSecrets: []
 # - name: myRegistryKeySecretName
@@ -12,7 +21,7 @@ logVerbosity: 0
 linux:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: v1.0.0
+    tag: v1.0.1
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []
@@ -41,6 +50,7 @@ linux:
   volumes: []
   volumeMounts: []
   kubeletRootDir: /var/lib/kubelet
+  providersDir: /etc/kubernetes/secrets-store-csi-providers
   affinity:
     nodeAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
@@ -54,7 +64,7 @@ linux:
 windows:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: v1.0.0
+    tag: v1.0.1
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []
@@ -82,6 +92,7 @@ windows:
   volumes: []
   volumeMounts: []
   kubeletRootDir: C:\var\lib\kubelet
+  providersDir: C:\k\secrets-store-csi-providers
   affinity:
     nodeAffinity:
       requiredDuringSchedulingIgnoredDuringExecution:
@@ -106,20 +117,20 @@ secrets-store-csi-driver:
     metricsAddr: ":8080"
     image:
       repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
-      tag: v1.0.0
+      tag: v1.0.1
       pullPolicy: IfNotPresent
     registrarImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
-      tag: v2.3.0
+      tag: v2.4.0
       pullPolicy: IfNotPresent
     livenessProbeImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
-      tag: v2.4.0
+      tag: v2.5.0
       pullPolicy: IfNotPresent
     crds:
       image:
         repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds
-        tag: v1.0.0
+        tag: v1.0.1
         pullPolicy: IfNotPresent
 
   windows:
@@ -128,15 +139,15 @@ secrets-store-csi-driver:
     metricsAddr: ":8080"
     image:
       repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver
-      tag: v1.0.0
+      tag: v1.0.1
       pullPolicy: IfNotPresent
     registrarImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar
-      tag: v2.3.0
+      tag: v2.4.0
       pullPolicy: IfNotPresent
     livenessProbeImage:
       repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe
-      tag: v2.4.0
+      tag: v2.5.0
       pullPolicy: IfNotPresent
 
   enableSecretRotation: false
@@ -154,6 +165,3 @@ rbac:
 
 # explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT
 constructPEMChain: true
-
-# Return secrets in grpc response to the driver (supported in driver v0.0.21+) instead of writing to filesystem
-driverWriteSecrets: true

charts/index.yaml

@@ -1,6 +1,28 @@
 apiVersion: v1
 entries:
   csi-secrets-store-provider-azure:
+  - apiVersion: v2
+    appVersion: 1.0.1
+    created: "2022-01-14T20:15:30.827700408Z"
+    dependencies:
+    - condition: secrets-store-csi-driver.install
+      name: secrets-store-csi-driver
+      repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
+      version: 1.0.1
+    description: A Helm chart to install the Secrets Store CSI Driver and the Azure
+      Keyvault Provider inside a Kubernetes cluster.
+    digest: ae18725d1a2bd387e9a5f0a38cebba626377ed97cb776de6408c78a6dffd6864
+    home: https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    kubeVersion: '>=1.16.0-0'
+    maintainers:
+    - email: anish.ramasekar@gmail.com
+      name: Anish Ramasekar
+    name: csi-secrets-store-provider-azure
+    sources:
+    - https://github.com/Azure/secrets-store-csi-driver-provider-azure
+    urls:
+    - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-1.0.1.tgz
+    version: 1.0.1
   - apiVersion: v2
     appVersion: 1.0.0
     created: "2021-10-25T10:09:26.384988-07:00"
@@ -463,4 +485,4 @@ entries:
     urls:
     - https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts/csi-secrets-store-provider-azure-0.0.5.tgz
     version: 0.0.5
-generated: "2021-10-25T10:09:26.379557-07:00"
+generated: "2022-01-14T20:15:30.825253171Z"

deployment/provider-azure-installer-windows.yaml

@@ -23,15 +23,14 @@ spec:
       serviceAccountName: csi-secrets-store-provider-azure
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.0
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.1
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix://C:\\provider\\azure.sock
             - --construct-pem-chain=true
             - --healthz-port=8989
             - --healthz-path=/healthz
             - --healthz-timeout=5s
-            - --driver-write-secrets=true
           livenessProbe:
             httpGet:
               path: /healthz

deployment/provider-azure-installer.yaml

@@ -24,15 +24,14 @@ spec:
       hostNetwork: true
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.0
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.1
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix:///provider/azure.sock
             - --construct-pem-chain=true
             - --healthz-port=8989
             - --healthz-path=/healthz
             - --healthz-timeout=5s
-            - --driver-write-secrets=true
           livenessProbe:
             httpGet:
               path: /healthz

manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: csi-secrets-store-provider-azure
-version: 1.0.0
-appVersion: 1.0.0
+version: 1.0.1
+appVersion: 1.0.1
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster.
 sources:

manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml

@@ -21,7 +21,7 @@ logVerbosity: 0
 linux:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: v1.0.0
+    tag: v1.0.1
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []
@@ -64,7 +64,7 @@ linux:
 windows:
   image:
     repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure
-    tag: v1.0.0
+    tag: v1.0.1
     pullPolicy: IfNotPresent
   nodeSelector: {}
   tolerations: []

manifest_staging/deployment/provider-azure-installer-windows.yaml

@@ -23,7 +23,7 @@ spec:
       serviceAccountName: csi-secrets-store-provider-azure
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.0
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.1
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix://C:\\provider\\azure.sock

manifest_staging/deployment/provider-azure-installer.yaml

@@ -24,7 +24,7 @@ spec:
       hostNetwork: true
       containers:
         - name: provider-azure-installer
-          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.0
+          image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.0.1
           imagePullPolicy: IfNotPresent
           args:
             - --endpoint=unix:///provider/azure.sock