From 9a8a79fb7bfd970ff1eed280fa7dd8e8a5053825 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 21 Nov 2023 19:04:45 -0800 Subject: [PATCH 01/37] release: update manifest and helm charts for v1.5.0 (#1374) Signed-off-by: Anish Ramasekar --- Makefile | 2 +- charts/csi-secrets-store-provider-azure/Chart.lock | 6 +++--- charts/csi-secrets-store-provider-azure/Chart.yaml | 6 +++--- charts/csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../config/gcstenant-conf.json | 2 +- .../templates/arc-monitoring.yaml | 12 ++++++++---- charts/csi-secrets-store-provider-azure/values.yaml | 10 +++++----- deployment/provider-azure-installer-windows.yaml | 6 +++++- deployment/provider-azure-installer.yaml | 6 +++++- .../csi-secrets-store-provider-azure/Chart.lock | 6 +++--- .../csi-secrets-store-provider-azure/Chart.yaml | 6 +++--- .../csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../csi-secrets-store-provider-azure/values.yaml | 10 +++++----- .../deployment/provider-azure-installer-windows.yaml | 4 ++-- .../deployment/provider-azure-installer.yaml | 4 ++-- test/e2e/framework/config.go | 2 +- test/e2e/framework/deploy/deploy.go | 2 +- website/content/en/_index.md | 4 ++-- 20 files changed, 72 insertions(+), 58 deletions(-) diff --git a/Makefile b/Makefile index f2d7f88fe..9ecf52df9 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)" REGISTRY_NAME ?= upstream REPO_PREFIX ?= k8s/csi/secrets-store REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX) -IMAGE_VERSION ?= v1.4.1 +IMAGE_VERSION ?= v1.5.0 IMAGE_NAME ?= provider-azure CONFORMANCE_IMAGE_NAME ?= provider-azure-arc-conformance IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION) 
diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock index a214b9e5e..b84954fe0 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.3.4 -digest: sha256:7df272f3ad149af2a2a52e0130778274448cd2418d26504213c37cd38d7eae14 -generated: "2023-07-31T17:32:41.008588145Z" + version: 1.4.0 +digest: sha256:a61620ef74155bd74e089b238246453c50120440ec59d58de5006a874fd46dfb +generated: "2023-11-21T21:59:54.191903133Z" diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index a819790db..1a38d34d8 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.4.4 -appVersion: 1.4.1 +version: 1.5.0 +appVersion: 1.5.0 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.3.4 + version: 1.4.0 condition: secrets-store-csi-driver.install diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index a828205a1..f567f491f 100644 --- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -23,6 +23,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.2` | `1.3.2` | `1.4.1` | | `1.4.3` | `1.3.3` | `1.4.1` | | `1.4.4` | `1.3.4` | `1.4.1` | +| `1.5.0` | `1.4.0` | `1.5.0` | ## Installation 
@@ -70,7 +71,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.4.1` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.0` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -91,7 +92,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.4.1` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.0` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -117,7 +118,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.0` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | 
@@ -125,7 +126,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.3.4` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.0` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -134,7 +135,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.3.4` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.0` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index 3212b7153..c51b4b0bf 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -58,7 +58,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -112,7 +112,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -125,7 +125,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -137,7 +137,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/charts/csi-secrets-store-provider-azure/config/gcstenant-conf.json b/charts/csi-secrets-store-provider-azure/config/gcstenant-conf.json index a6201918c..ed9e49849 100644 --- a/charts/csi-secrets-store-provider-azure/config/gcstenant-conf.json +++ b/charts/csi-secrets-store-provider-azure/config/gcstenant-conf.json @@ -8,7 +8,7 @@ "GcsEnvironment": "DiagnosticsPROD", "GcsGenevaAccount": "akvsecretsprovider", "GcsNamespace": "akvsecretsprovider", - "GenevaConfigVersion": "1.0", + "GenevaConfigVersion": "2.2", "GcsRegion": "westus2" }, "EndpointConfigurations": [ diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index d74139810..9e0fde3dd 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml 
@@ -40,7 +40,7 @@ spec: memory: 100Mi # MDM - name: mdm - image: "linuxgeneva-microsoft.azurecr.io/genevamdm:master_20220401.1" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2023.1027.1417-08a588-20231027t1613" imagePullPolicy: IfNotPresent env: - name: ROLEINSTANCE @@ -113,7 +113,7 @@ spec: subPath: telegraf.conf # Pipeline agent for logging - name: amacoreagent - image: "pipelineagent.azurecr.io/amacoreagent:3.0" + image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47" imagePullPolicy: IfNotPresent resources: requests: @@ -123,6 +123,10 @@ spec: cpu: 50m memory: 100Mi env: + - name: MONITORING_USE_GENEVA_CONFIG_SERVICE + value: "true" + - name: SKIP_IMDS_LOOKUP_FOR_LEGACY_AUTH + value: "1" - name: MONITORING_GCS_AUTH_ID_TYPE value: AuthMSIToken - name: PA_TENANTS_DIR @@ -164,7 +168,7 @@ spec: - name: MONITORING_GCS_NAMESPACE value: "akvsecretsprovider" - name: MONITORING_CONFIG_VERSION - value: "1.0" + value: "2.2" - name: MDSD_CONFIG_DIR value: /tmp - name: DOCKER_LOGGING @@ -178,7 +182,7 @@ spec: mountPath: /var/run/mdsd # FluentD - name: fluentd - image: "linuxgeneva-microsoft.azurecr.io/genevafluentd_td-agent:master_20220403.1" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20230915.3" imagePullPolicy: IfNotPresent resources: requests: diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index 6955a79db..d99a48b23 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ 
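Review bot: The three replaced sidecar images (`mdm` in this hunk, `amacoreagent` in the `@@ -113` hunk and `fluentd` in the `@@ -178` hunk) are still referenced by tag only, and `amacoreagent` now comes from a different registry than before. The chart therefore depends on tags in `linuxgeneva-microsoft.azurecr.io` never being re-pushed for the containers that run beside the secrets provider. Pinning by digest keeps the tag readable and fixes the content, e.g. `image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47@sha256:<digest-of-1.2.47>"` (placeholder digest, to be taken from the registry). With `imagePullPolicy: IfNotPresent`, nodes that already cached a tag would keep the old content while fresh nodes pull the new one, so drift would be hard to spot. The container specs start and end outside these hunks.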
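Review bot: The two variables added to the `amacoreagent` env list in the `@@ -123` hunk, `MONITORING_USE_GENEVA_CONFIG_SERVICE` and `SKIP_IMDS_LOOKUP_FOR_LEGACY_AUTH`, have no comment, and judging by their names they affect where the agent gets its configuration and how it authenticates. A one-line comment above each would let a later reader tell a deliberate auth-path choice from a workaround, for example `# required by amacoreagentaot 1.2.x: <reason>; auth stays on MONITORING_GCS_AUTH_ID_TYPE=AuthMSIToken`. The reason is for the author to fill in, since it cannot be derived from the diff. The env list continues outside the hunk.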
@@ -63,7 +63,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -120,7 +120,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -133,7 +133,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -144,7 +144,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml index 0e3812be8..7292f9fbd 100644 --- a/deployment/provider-azure-installer-windows.yaml +++ b/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock @@ -46,6 +46,10 @@ spec: limits: cpu: 100m memory: 200Mi + ports: + - containerPort: 8898 + name: metrics + protocol: TCP volumeMounts: - mountPath: "C:\\provider" name: providervol diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml index 5b0ddcceb..ae30fd05e 100644 
--- a/deployment/provider-azure-installer.yaml +++ b/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock @@ -47,6 +47,10 @@ spec: limits: cpu: 50m memory: 100Mi + ports: + - containerPort: 8898 + name: metrics + protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock index a214b9e5e..b84954fe0 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.3.4 -digest: sha256:7df272f3ad149af2a2a52e0130778274448cd2418d26504213c37cd38d7eae14 -generated: "2023-07-31T17:32:41.008588145Z" + version: 1.4.0 +digest: sha256:a61620ef74155bd74e089b238246453c50120440ec59d58de5006a874fd46dfb +generated: "2023-11-21T21:59:54.191903133Z" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index a819790db..1a38d34d8 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.4.4 -appVersion: 1.4.1 +version: 1.5.0 +appVersion: 1.5.0 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: 
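Review bot: The `ports` entry added in the `@@ -47,6 +47,10` hunk of deployment/provider-azure-installer.yaml names metrics port 8898 on a pod that the preceding hunk's context shows running with `hostNetwork: true`. Whatever listens on 8898 is therefore on the node's own network namespace rather than behind a pod IP. A `containerPort` declaration does not restrict access, and NetworkPolicy typically does not cover host-network pods. A comment above the entry would make that explicit, e.g. `# metrics; with hostNetwork this is served on the node address, restrict at the node firewall/NSG`. The same entry is added to the Windows installer in the previous file, whose hunks do not show a `hostNetwork` setting. The pod spec extends outside both hunks, so a bind-address restriction may already exist elsewhere.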
@@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.3.4 + version: 1.4.0 condition: secrets-store-csi-driver.install diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index a828205a1..f567f491f 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -23,6 +23,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.2` | `1.3.2` | `1.4.1` | | `1.4.3` | `1.3.3` | `1.4.1` | | `1.4.4` | `1.3.4` | `1.4.1` | +| `1.5.0` | `1.4.0` | `1.5.0` | ## Installation @@ -70,7 +71,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.4.1` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.0` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -91,7 +92,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.4.1` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.0` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -117,7 +118,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.3.4` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.0` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | 
@@ -125,7 +126,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.3.4` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.0` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -134,7 +135,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.3.4` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.0` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index 3212b7153..c51b4b0bf 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -58,7 +58,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -112,7 +112,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -125,7 +125,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -137,7 +137,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index 6955a79db..d99a48b23 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -63,7 +63,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.4.1 + tag: v1.5.0 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -120,7 +120,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -133,7 +133,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -144,7 +144,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.3.4 + tag: v1.4.0 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml index 3a172ff7d..7292f9fbd 100644 --- a/manifest_staging/deployment/provider-azure-installer-windows.yaml +++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock @@ -49,7 +49,7 @@ spec: ports: - containerPort: 8898 name: metrics - protocol: TCP + protocol: TCP volumeMounts: - mountPath: "C:\\provider" name: providervol diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml index 1a95222b0..ae30fd05e 100644 --- a/manifest_staging/deployment/provider-azure-installer.yaml +++ b/manifest_staging/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.4.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock 
@@ -50,7 +50,7 @@ spec: ports: - containerPort: 8898 name: metrics - protocol: TCP + protocol: TCP securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index 45075f10c..597d12bbe 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go @@ -18,7 +18,7 @@ type Config struct { KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"` - ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.4.1"` + ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.0"` IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"` IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"` IsGPUTest bool `envconfig:"TEST_GPU" default:"false"` diff --git a/test/e2e/framework/deploy/deploy.go b/test/e2e/framework/deploy/deploy.go index db75633d5..fbb6b803d 100644 --- a/test/e2e/framework/deploy/deploy.go +++ b/test/e2e/framework/deploy/deploy.go @@ -23,7 +23,7 @@ import ( ) var ( - driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.3.4/deploy" + driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.4.0/deploy" providerResourceDirectory = "manifest_staging/deployment" driverResources = []string{ diff --git a/website/content/en/_index.md b/website/content/en/_index.md index ca26ec82e..5d2059f32 100644 --- a/website/content/en/_index.md +++ b/website/content/en/_index.md 
@@ -15,8 +15,8 @@ Azure Key Vault provider for [Secrets Store CSI Driver](https://github.com/kuber | Azure Key Vault Provider | Compatible Kubernetes | `secrets-store.csi.x-k8s.io` Versions | | ---------------------------------------------------------------------------------------------- | --------------------- | ------------------------------------- | -| [v1.4.0](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.0) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | -| [v1.3.0](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.3.0) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | +| [v1.5.0](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.5.0) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | +| [v1.4.1](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.1) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | For Secrets Store CSI Driver project status and supported versions, check the doc [here](https://secrets-store-csi-driver.sigs.k8s.io/#project-status) From db8b56d74bb6aaec6f3e93dc2136970442de46bb Mon Sep 17 00:00:00 2001 From: Allen Greaves <111466195+agreaves-ms@users.noreply.github.com> Date: Wed, 29 Nov 2023 01:17:14 +0000 Subject: [PATCH 02/37] fix: update fluentd env var with new env var name (#1380) Merging with manual validation - https://github.com/Azure/secrets-store-csi-driver-provider-azure/pull/1380#issuecomment-1831033067 --- .../templates/arc-monitoring.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 9e0fde3dd..e250082b9 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml 
@@ -192,7 +192,7 @@ spec: cpu: 50m memory: 250Mi env: - - name: FLUENTD_CONF + - name: FLUENT_CONF value: /etc/fluentd/fluentd.conf volumeMounts: - name: fluentd-conf-vol From eabab07fc0afc435ac0246e0d7558f430190a2d6 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 28 Nov 2023 17:48:30 -0800 Subject: [PATCH 03/37] fix: `v1.5.1` helm chart release to fix fluentd config env var name (#1381) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- .../templates/arc-monitoring.yaml | 2 +- .../charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 1a38d34d8..79e3d4bbd 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.0 +version: 1.5.1 appVersion: 1.5.0 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 9e0fde3dd..e250082b9 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -192,7 +192,7 @@ spec: cpu: 50m memory: 250Mi env: - - name: FLUENTD_CONF + - name: FLUENT_CONF value: /etc/fluentd/fluentd.conf volumeMounts: - name: fluentd-conf-vol diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 1a38d34d8..79e3d4bbd 100644 
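Review bot: Nothing on the `env:` entry in arc-monitoring.yaml records which fluentd image reads `FLUENT_CONF`, and the commit message cites only manual validation, so a later image change could make the container stop honouring `/etc/fluentd/fluentd.conf` with no failure at install time. The fix itself suggests the image changed the variable name it reads, so a comment above the entry would record that dependency, e.g. `# config path variable read by the fluentd image in this pod (was FLUENTD_CONF); re-check on image bumps`. This container presumably ships the Arc monitoring logs, so a wrong name would mean silently missing telemetry rather than a visible error; a chart render test asserting the variable name would catch a regression. The same change is applied to the `charts/` copy of the template in PATCH 03/37, and the container spec starts before the hunk.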
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.0 +version: 1.5.1 appVersion: 1.5.0 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. From 514318ba92cc56e26df93e2e14d8695e695d466e Mon Sep 17 00:00:00 2001 From: Alexey Markevich Date: Fri, 1 Dec 2023 07:59:36 +0100 Subject: [PATCH 04/37] docs: specify service account for pod in workload identity mode (#1327) Co-authored-by: Anish Ramasekar --- .../identity-access-modes/workload-identity-mode.md | 1 + 1 file changed, 1 insertion(+) diff --git a/website/content/en/configurations/identity-access-modes/workload-identity-mode.md b/website/content/en/configurations/identity-access-modes/workload-identity-mode.md index c6dda3870..02f0d48ff 100644 --- a/website/content/en/configurations/identity-access-modes/workload-identity-mode.md +++ b/website/content/en/configurations/identity-access-modes/workload-identity-mode.md @@ -45,6 +45,7 @@ apiVersion: v1 metadata: name: busybox-secrets-store-inline-wi spec: + serviceAccountName: ${SERVICE_ACCOUNT_NAME} containers: - name: busybox image: registry.k8s.io/e2e-test-images/busybox:1.29-4 From 24a8729f4126f0f02d04327a4d49ad666a9f88fe Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 13 Dec 2023 13:57:19 -0800 Subject: [PATCH 05/37] chore: use base images from mcr (#1396) Signed-off-by: Anish Ramasekar --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9a1954a6c..2a5fe299f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static +FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0 ARG TARGETARCH COPY ./_output/${TARGETARCH}/secrets-store-csi-driver-provider-azure /bin/ 
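Review bot: The new `FROM` line in the Dockerfile references the base image by the mutable tag `2.0`, so a rebuild can pick up different base content without any change in this repository. Pinning by digest keeps the provider image reproducible and turns a base-image update into a reviewed diff: `FROM mcr.microsoft.com/cbl-mariner/distroless/minimal:2.0@sha256:<digest-of-reviewed-image>` (placeholder digest). The previous `gcr.io/distroless/static` line carried no tag at all, so the change already narrows the drift, and the digest closes the rest. The hunk covers only the first four lines of the Dockerfile, so whether a non-root `USER` is set later cannot be seen from here.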
From 087afe696a8c10d5e3b3f18ba9c42df53c2debcf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 9 Jan 2024 14:17:20 -0800 Subject: [PATCH 06/37] chore: bump golang.org/x/crypto from 0.14.0 to 0.18.0 (#1410) Signed-off-by: dependabot[bot] Signed-off-by: Anish Ramasekar Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anish Ramasekar --- go.mod | 6 +++--- go.sum | 12 ++++++------ test/e2e/go.mod | 8 ++++---- test/e2e/go.sum | 16 ++++++++-------- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/go.mod b/go.mod index 775777835..9057c9028 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( go.opentelemetry.io/otel v0.20.0 go.opentelemetry.io/otel/exporters/metric/prometheus v0.20.0 go.opentelemetry.io/otel/metric v0.20.0 - golang.org/x/crypto v0.14.0 + golang.org/x/crypto v0.18.0 golang.org/x/net v0.17.0 google.golang.org/grpc v1.59.0 gopkg.in/yaml.v3 v3.0.1 @@ -62,8 +62,8 @@ require ( go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/sys v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index c44bd83f8..d9fe1bc1e 100644 --- a/go.sum +++ b/go.sum 
@@ -482,8 +482,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -622,8 +622,8 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -631,8 +631,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 6400e2752..fa2e0ed7d 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -86,12 +86,12 @@ require ( go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.7.0 // indirect - golang.org/x/crypto v0.14.0 // indirect + golang.org/x/crypto v0.18.0 // indirect golang.org/x/net v0.17.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect - golang.org/x/sys v0.13.0 // indirect - golang.org/x/term v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/sys v0.16.0 // indirect + golang.org/x/term v0.16.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index f1e71c999..3cd906cc2 100644 --- a/test/e2e/go.sum 
+++ b/test/e2e/go.sum @@ -544,8 +544,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -682,19 +682,19 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= -golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= +golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod 
h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 8fda55e1835e9a7a5d7c4677be537b242ddca7a6 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Fri, 19 Jan 2024 07:44:20 -0800 Subject: [PATCH 07/37] release: update manifest and helm charts for v1.5.1 (#1425) --- Makefile | 2 +- charts/csi-secrets-store-provider-azure/Chart.lock | 6 +++--- charts/csi-secrets-store-provider-azure/Chart.yaml | 4 ++-- charts/csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- charts/csi-secrets-store-provider-azure/values.yaml | 10 +++++----- deployment/provider-azure-installer-windows.yaml | 2 +- deployment/provider-azure-installer.yaml | 2 +- .../csi-secrets-store-provider-azure/Chart.lock | 6 +++--- .../csi-secrets-store-provider-azure/Chart.yaml | 4 ++-- .../charts/csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../csi-secrets-store-provider-azure/values.yaml | 10 +++++----- .../deployment/provider-azure-installer-windows.yaml | 2 +- .../deployment/provider-azure-installer.yaml | 2 +- test/e2e/framework/config.go | 2 +- test/e2e/framework/deploy/deploy.go | 2 +- website/content/en/_index.md | 2 +- 18 files changed, 50 insertions(+), 48 deletions(-) diff --git a/Makefile b/Makefile index 9ecf52df9..e04e22168 100644 --- a/Makefile +++ b/Makefile 
@@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)" REGISTRY_NAME ?= upstream REPO_PREFIX ?= k8s/csi/secrets-store REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX) -IMAGE_VERSION ?= v1.5.0 +IMAGE_VERSION ?= v1.5.1 IMAGE_NAME ?= provider-azure CONFORMANCE_IMAGE_NAME ?= provider-azure-arc-conformance IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION) diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock index b84954fe0..fc8d1fc0d 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.0 -digest: sha256:a61620ef74155bd74e089b238246453c50120440ec59d58de5006a874fd46dfb -generated: "2023-11-21T21:59:54.191903133Z" + version: 1.4.1 +digest: sha256:1ba3371ca94587ec5942cb2bb3840b5731da1b0629a4d89c37295f2c6ac0afb9 +generated: "2024-01-18T23:24:26.146818747Z" diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 79e3d4bbd..b3626b1ac 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure version: 1.5.1 -appVersion: 1.5.0 +appVersion: 1.5.1 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.0 + version: 1.4.1 condition: secrets-store-csi-driver.install diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index f567f491f..6cfdc3de1 100644 
--- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -24,6 +24,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.3` | `1.3.3` | `1.4.1` | | `1.4.4` | `1.3.4` | `1.4.1` | | `1.5.0` | `1.4.0` | `1.5.0` | +| `1.5.1` | `1.4.1` | `1.5.1` | ## Installation @@ -71,7 +72,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.0` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.1` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -92,7 +93,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.0` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.1` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -118,7 +119,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.0` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.1` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | 
@@ -126,7 +127,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.0` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.1` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -135,7 +136,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.0` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.1` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index c51b4b0bf..55b59d245 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -58,7 +58,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -112,7 +112,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -125,7 +125,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -137,7 +137,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index d99a48b23..e7676afb6 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -63,7 +63,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -120,7 +120,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -133,7 +133,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -144,7 +144,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml index 7292f9fbd..ce112d4d3 100644 --- a/deployment/provider-azure-installer-windows.yaml +++ b/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml index ae30fd05e..decbb57bf 100644 --- a/deployment/provider-azure-installer.yaml +++ b/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock index b84954fe0..fc8d1fc0d 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock 
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.0 -digest: sha256:a61620ef74155bd74e089b238246453c50120440ec59d58de5006a874fd46dfb -generated: "2023-11-21T21:59:54.191903133Z" + version: 1.4.1 +digest: sha256:1ba3371ca94587ec5942cb2bb3840b5731da1b0629a4d89c37295f2c6ac0afb9 +generated: "2024-01-18T23:24:26.146818747Z" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 79e3d4bbd..b3626b1ac 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure version: 1.5.1 -appVersion: 1.5.0 +appVersion: 1.5.1 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.0 + version: 1.4.1 condition: secrets-store-csi-driver.install diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index f567f491f..6cfdc3de1 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -24,6 +24,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.3` | `1.3.3` | `1.4.1` | | `1.4.4` | `1.3.4` | `1.4.1` | | `1.5.0` | `1.4.0` | `1.5.0` | +| `1.5.1` | `1.4.1` | `1.5.1` | ## Installation 
@@ -71,7 +72,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.0` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.1` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -92,7 +93,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.0` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.1` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -118,7 +119,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.0` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.1` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | 
@@ -126,7 +127,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.0` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.1` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -135,7 +136,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.0` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.1` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index c51b4b0bf..55b59d245 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -58,7 +58,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -112,7 +112,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -125,7 +125,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -137,7 +137,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index d99a48b23..e7676afb6 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -63,7 +63,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.0 + tag: v1.5.1 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -120,7 +120,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -133,7 +133,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -144,7 +144,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.0 + tag: v1.4.1 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml index 7292f9fbd..ce112d4d3 100644 --- a/manifest_staging/deployment/provider-azure-installer-windows.yaml +++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml index ae30fd05e..decbb57bf 100644 --- a/manifest_staging/deployment/provider-azure-installer.yaml +++ b/manifest_staging/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.0 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index 597d12bbe..b0c139f12 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go 
@@ -18,7 +18,7 @@ type Config struct { KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"` - ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.0"` + ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.1"` IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"` IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"` IsGPUTest bool `envconfig:"TEST_GPU" default:"false"` diff --git a/test/e2e/framework/deploy/deploy.go b/test/e2e/framework/deploy/deploy.go index fbb6b803d..6d2920a6c 100644 --- a/test/e2e/framework/deploy/deploy.go +++ b/test/e2e/framework/deploy/deploy.go @@ -23,7 +23,7 @@ import ( ) var ( - driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.4.0/deploy" + driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.4.1/deploy" providerResourceDirectory = "manifest_staging/deployment" driverResources = []string{ diff --git a/website/content/en/_index.md b/website/content/en/_index.md index 5d2059f32..b5f04dd0b 100644 --- a/website/content/en/_index.md +++ b/website/content/en/_index.md 
@@ -15,7 +15,7 @@ Azure Key Vault provider for [Secrets Store CSI Driver](https://github.com/kuber | Azure Key Vault Provider | Compatible Kubernetes | `secrets-store.csi.x-k8s.io` Versions | | ---------------------------------------------------------------------------------------------- | --------------------- | ------------------------------------- | -| [v1.5.0](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.5.0) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | +| [v1.5.1](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.5.1) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | | [v1.4.1](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.1) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | For Secrets Store CSI Driver project status and supported versions, check the doc [here](https://secrets-store-csi-driver.sigs.k8s.io/#project-status) From 229d700148a9e327701d3b8a1ff0dd93983e1498 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Wed, 31 Jan 2024 07:49:09 -0800 Subject: [PATCH 08/37] fix: updates MSI adapter (#1439) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../templates/arc-monitoring.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index e250082b9..33c6baf71 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -65,7 +65,7 @@ spec: memory: 100Mi # MSI Adapter - name: msi-adapter - image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.4" + image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" imagePullPolicy: IfNotPresent env: - name: TOKEN_NAMESPACE 
From 2fc9b5fd7e7090ba68c7aabd55ee240fdf5e2bc3 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Wed, 31 Jan 2024 12:31:39 -0800 Subject: [PATCH 09/37] fix: v1.5.2 helm chart release to upgrade msi-adapter image (#1440) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- .../templates/arc-monitoring.yaml | 2 +- .../charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index b3626b1ac..4c6ff1098 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.1 +version: 1.5.2 appVersion: 1.5.1 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index e250082b9..33c6baf71 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -65,7 +65,7 @@ spec: memory: 100Mi # MSI Adapter - name: msi-adapter - image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.4" + image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" imagePullPolicy: IfNotPresent env: - name: TOKEN_NAMESPACE diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index b3626b1ac..4c6ff1098 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml 
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.1 +version: 1.5.2 appVersion: 1.5.1 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. From 67503d53333ee631386cfe75e6b044cfaefe3f09 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Fri, 23 Feb 2024 13:59:00 -0800 Subject: [PATCH 10/37] ci: enable tests with kubernetes v1.29 (#1466) Signed-off-by: Anish Ramasekar --- .pipelines/templates/e2e-test-kind.yaml | 34 +++++++++++++------------ Makefile | 4 +-- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/.pipelines/templates/e2e-test-kind.yaml b/.pipelines/templates/e2e-test-kind.yaml index e2b9a2723..a18fd3b26 100644 --- a/.pipelines/templates/e2e-test-kind.yaml +++ b/.pipelines/templates/e2e-test-kind.yaml @@ -1,5 +1,7 @@ jobs: - job: + # using the tmp pool as a workaround for the kind cluster creation issue. + pool: tmp-staging-pool-amd64-mariner-2 timeoutInMinutes: 20 cancelTimeoutInMinutes: 5 dependsOn: 
@@ -13,29 +15,29 @@ jobs: - group: csi-secrets-store-e2e-kind strategy: matrix: - kind_v1_24_12_helm: - KIND_K8S_VERSION: v1.24.12 + kind_v1_26_14_helm: + KIND_K8S_VERSION: v1.26.14 IS_HELM_TEST: true - kind_v1_25_8_helm: - KIND_K8S_VERSION: v1.25.8 + kind_v1_27_11_helm: + KIND_K8S_VERSION: v1.27.11 IS_HELM_TEST: true - kind_v1_26_3_helm: - KIND_K8S_VERSION: v1.26.3 + kind_v1_28_7_helm: + KIND_K8S_VERSION: v1.28.7 IS_HELM_TEST: true - kind_v1_27_1_helm: - KIND_K8S_VERSION: v1.27.1 + kind_v1_29_2_helm: + KIND_K8S_VERSION: v1.29.2 IS_HELM_TEST: true - kind_v1_24_12_deployment_manifest: - KIND_K8S_VERSION: v1.24.12 + kind_v1_26_14_deployment_manifest: + KIND_K8S_VERSION: v1.26.14 IS_HELM_TEST: false - kind_v1_25_8_deployment_manifest: - KIND_K8S_VERSION: v1.25.8 + kind_v1_27_11_deployment_manifest: + KIND_K8S_VERSION: v1.27.11 IS_HELM_TEST: false - kind_v1_26_3_deployment_manifest: - KIND_K8S_VERSION: v1.26.3 + kind_v1_28_7_deployment_manifest: + KIND_K8S_VERSION: v1.28.7 IS_HELM_TEST: false - kind_v1_27_1_deployment_manifest: - KIND_K8S_VERSION: v1.27.1 + kind_v1_29_2_deployment_manifest: + KIND_K8S_VERSION: v1.29.2 IS_HELM_TEST: false steps: diff --git a/Makefile b/Makefile index e04e22168..e005af0fa 100644 --- a/Makefile +++ b/Makefile @@ -57,8 +57,8 @@ BUILDKIT_VERSION ?= 0.10.6 STEP_CLI_VERSION=0.18.0 # E2E test variables -KIND_VERSION ?= 0.18.0 -KIND_K8S_VERSION ?= v1.27.1 +KIND_VERSION ?= 0.21.0 +KIND_K8S_VERSION ?= v1.29.2 SHELLCHECK_VER ?= v0.8.0 $(TOOLS_DIR)/golangci-lint: $(TOOLS_MOD_DIR)/go.mod $(TOOLS_MOD_DIR)/go.sum $(TOOLS_MOD_DIR)/tools.go From ce0c696c77405c1c82ae946fe88bd729af0ef7fb Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Fri, 23 Feb 2024 14:19:45 -0800 Subject: [PATCH 11/37] feat: make dns policy configurable in helm charts (#1462) 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../charts/csi-secrets-store-provider-azure/README.md | 1 + .../charts/csi-secrets-store-provider-azure/arc-values.yaml | 2 ++ .../templates/provider-azure-installer.yaml | 3 +++ .../charts/csi-secrets-store-provider-azure/values.yaml | 2 ++ 4 files changed, 8 insertions(+) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index 6cfdc3de1..25377af3e 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -90,6 +90,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | | `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` | +| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index 55b59d245..ed886a3b1 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -54,6 +54,8 @@ linux: operator: NotIn values: - virtual-kubelet + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" windows: image: 
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml index ff531ff47..22184ad6f 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml @@ -42,6 +42,9 @@ spec: {{- end }} serviceAccountName: csi-secrets-store-provider-azure hostNetwork: true + {{- if .Values.linux.dnsPolicy }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + {{- end }} containers: - name: provider-azure-installer image: "{{ .Values.linux.image.repository }}:{{ .Values.linux.image.tag }}" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index e7676afb6..f832ee501 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -59,6 +59,8 @@ linux: operator: NotIn values: - virtual-kubelet + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" windows: image: From 687c494a39b61bf7d277f55e617ef7ace2bd0097 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Fri, 23 Feb 2024 14:42:45 -0800 Subject: [PATCH 12/37] chore: disable arc ext ci (#1465) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .pipelines/e2e-job-azure.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.pipelines/e2e-job-azure.yaml b/.pipelines/e2e-job-azure.yaml index 3fd7bfe35..35c55f003 100644 --- a/.pipelines/e2e-job-azure.yaml +++ b/.pipelines/e2e-job-azure.yaml 
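Review bot: The added `dnsPolicy: {{ .Values.linux.dnsPolicy }}` line in templates/provider-azure-installer.yaml emits the value unquoted, and it sits directly under `hostNetwork: true` with nothing telling the operator which value suits a host-network pod. Quote the value so that an unexpected scalar cannot change the rendered manifest: `dnsPolicy: {{ .Values.linux.dnsPolicy | quote }}`. For host-network pods the Kubernetes documentation says `ClusterFirst` falls back to the `Default` policy, and `ClusterFirstWithHostNet` is needed to resolve through cluster DNS. The values.yaml comment added in this patch could say so, for example `# the provider pod uses hostNetwork; set ClusterFirstWithHostNet to resolve via cluster DNS, leave empty for the API server default`. The pod spec starts and ends outside this hunk, so the note rests only on the `hostNetwork` line visible here.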
@@ -20,5 +20,7 @@ jobs: - "linux" - "windows_docker" - "windows_containerd" + # TODO: re-enable this job after implementing automated ext release process + # using https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/1382 for tracking # this will ensure any changes to provider works on arc extension too. - - template: templates/arc/e2e-extension-test.yaml + # - template: templates/arc/e2e-extension-test.yaml From ecaccb15f119e8c2cd47be70cf602e1f38eb307a Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 27 Feb 2024 12:21:11 -0800 Subject: [PATCH 13/37] ci: overwrite pool images using demands (#1473) Signed-off-by: Anish Ramasekar --- .pipelines/templates/e2e-test-kind.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.pipelines/templates/e2e-test-kind.yaml b/.pipelines/templates/e2e-test-kind.yaml index a18fd3b26..30693b925 100644 --- a/.pipelines/templates/e2e-test-kind.yaml +++ b/.pipelines/templates/e2e-test-kind.yaml @@ -1,7 +1,9 @@ jobs: - job: - # using the tmp pool as a workaround for the kind cluster creation issue. - pool: tmp-staging-pool-amd64-mariner-2 + pool: + name: staging-pool-amd64-mariner-2 + demands: + - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img timeoutInMinutes: 20 cancelTimeoutInMinutes: 5 dependsOn: From 1175fd93168a2185bb3dba4e8e622573867ab700 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Mon, 11 Mar 2024 14:21:21 -0700 Subject: [PATCH 14/37] feat: configures monitoring pod resources for Arc extension (#1481) --- .../README.md | 10 +++- .../arc-values.yaml | 48 +++++++++++++++++++ .../templates/arc-monitoring.yaml | 42 +++------------- 3 files changed, 62 insertions(+), 38 deletions(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index 25377af3e..ba4bd7ea2 100644 
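Review bot: The retained comment `# this will ensure any changes to provider works on arc extension too.` now sits between the new TODO and the commented-out template line in .pipelines/e2e-job-azure.yaml, where it reads as a description of the TODO rather than of the disabled job. Reword it and keep it next to the disabled line, for example `# when enabled, this job verifies provider changes against the arc extension`. With the job off, chart changes under arc-values.yaml and templates/arc-monitoring.yaml are presumably no longer exercised by this pipeline. The TODO should therefore also state what check stands in until the tracked issue is resolved.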
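Review bot: The `pool:` block added to .pipelines/templates/e2e-test-kind.yaml drops the only comment that explained why this job needs a special agent, and the new `ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img` demand carries no explanation of its own. A one-line comment above `demands:` would keep the reason visible, for example `# kind cluster creation needs the cgroup v2 agent image; remove the override once the default pool image supports it`. The reason is inferred from the removed comment and the image name, so confirm the wording. The same block is added without comment to .pipelines/templates/arc/e2e-test-kind.yaml in a later patch of this series.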
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -63,7 +63,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p > Refer to [doc](https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md) for configurable parameters of the secrets-store-csi-driver chart. | Parameter | Description | Default | -| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | +|------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------------------------------------------------------------------------------------------ | | `nameOverride` | String to partially override csi-secrets-store-provider-azure.fullname template with a string (will prepend the release name) | `""` | | `fullnameOverride` | String to fully override csi-secrets-store-provider-azure.fullname template with a string | `""` | | `imagePullSecrets` | Secrets to be used when pulling images | `[]` | 
@@ -90,7 +90,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | | `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` | -| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | +| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | @@ -154,3 +154,9 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `constructPEMChain` | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | `true` | | `writeCertAndKeyInSeparateFiles` | Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file. | `false` | | `metricsAddr` | Port that serves metrics | `8898` | +| `promMdmConverter.resources` | Resource limit for Arc ext monitoring pod's prom-mdm-converter container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `mdm.resources` | Resource limit for Arc ext monitoring pod's mdm container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `msiAdapter.resources` | Resource limit for Arc ext monitoring pod's msi-adapter container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `telegraf.resources` | Resource limit for Arc ext monitoring pod's telegraf container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `amacoreagent.resources` | Resource limit for Arc ext monitoring pod's amacoreagent container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `fluentd.resources` | Resource limit for Arc ext monitoring pod's fluentd container | `requests.cpu: 50m`
`requests.memory: 250Mi`
`limits.cpu: 50m`
`limits.memory: 250Mi` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index ed886a3b1..daf820b98 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -171,6 +171,54 @@ constructPEMChain: true # Azure Arc Extension enableArcExtension: true +promMdmConverter: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +mdm: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +msiAdapter: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +telegraf: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +amacoreagent: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +fluentd: + resources: + requests: + cpu: 50m + memory: 250Mi + limits: + cpu: 50m + memory: 250Mi # Values populated by Azure Arc K8s RP during the installation of the extension. Azure: diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 33c6baf71..f2e56bc57 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -32,12 +32,7 @@ spec: - name: EXTENSION_RESOURCE_ID value: "{{ .Values.Azure.Extension.ResourceId }}" resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.promMdmConverter.resources | nindent 12 }} # MDM - name: mdm image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2023.1027.1417-08a588-20231027t1613" 
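Review bot: `{{- toYaml .Values.promMdmConverter.resources | nindent 12 }}` in templates/arc-monitoring.yaml dereferences a parent key that this patch defines only in arc-values.yaml; the diffstat shows values.yaml untouched. If the template is ever rendered from the default values.yaml with the Arc extension enabled, Helm would fail on the missing parent map. If a user overrides the block with an empty map, the container renders with no requests or limits at all. The same applies to the `mdm`, `msiAdapter`, `telegraf`, `amacoreagent` and `fluentd` hunks that follow in this file. Either add the six `resources` blocks to values.yaml as defaults, or guard each use, for example `{{- toYaml (.Values.promMdmConverter | default dict).resources | nindent 12 }}`, and note in the README that emptying a block removes the limits. Whether the template is gated on `enableArcExtension` lies outside these hunks.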
@@ -57,12 +52,7 @@ spec: - name: mdm-config mountPath: /tmp/geneva_mdm resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.mdm.resources | nindent 12 }} # MSI Adapter - name: msi-adapter image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" @@ -83,12 +73,7 @@ spec: - name: TEST_MODE value: "false" resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.msiAdapter.resources | nindent 12 }} securityContext: capabilities: add: @@ -101,12 +86,7 @@ spec: image: "mcr.microsoft.com/oss/mirror/docker.io/library/telegraf:1.21" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.telegraf.resources | nindent 12 }} volumeMounts: - name: telegraf-conf mountPath: /etc/telegraf/telegraf.conf @@ -116,12 +96,7 @@ spec: image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.amacoreagent.resources | nindent 12 }} env: - name: MONITORING_USE_GENEVA_CONFIG_SERVICE value: "true" @@ -185,12 +160,7 @@ spec: image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20230915.3" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 250Mi - limits: - cpu: 50m - memory: 250Mi + {{- toYaml .Values.fluentd.resources | nindent 12 }} env: - name: FLUENT_CONF value: /etc/fluentd/fluentd.conf From b6af05dd8deb08f812cf8757db5886ac173d728c Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 12 Mar 2024 09:22:53 -0700 Subject: [PATCH 15/37] ci: remove aks-preview pinned version and use cgv2 pool image for arc kind tests (#1484) Signed-off-by: Anish Ramasekar --- .pipelines/templates/aks-setup.yaml | 6 ++---- .pipelines/templates/arc/e2e-test-kind.yaml | 4 ++++ 2 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/.pipelines/templates/aks-setup.yaml b/.pipelines/templates/aks-setup.yaml index dfe5d84c7..6dff427e2 100644 --- a/.pipelines/templates/aks-setup.yaml +++ b/.pipelines/templates/aks-setup.yaml @@ -72,8 +72,7 @@ steps: if [[ "$(OS_TYPE)" == "windows" ]]; then if [[ ${{ parameters.containerRuntime }} == "containerd" ]]; then - # pinning to 0.5.87 because of https://github.com/Azure/azure-cli/issues/23267 - az extension add --name aks-preview --version 0.5.87 + az extension add --name aks-preview EXTRA_ARGS="--aks-custom-headers WindowsContainerRuntime=containerd" fi @@ -83,8 +82,7 @@ steps: # add gpu node pool if [[ ${{ parameters.testWithGPU }} == True ]]; then echo "adding gpu node pool" - # pinning to 0.5.87 because of https://github.com/Azure/azure-cli/issues/23267 - az extension add --name aks-preview --version 0.5.87 + az extension add --name aks-preview az aks nodepool add -g ${AZURE_CLUSTER_NAME} --cluster-name ${AZURE_CLUSTER_NAME} --name gpu --node-count $(AGENT_COUNT) --node-vm-size Standard_NC6 --aks-custom-headers UseGPUDedicatedVHD=true fi diff --git a/.pipelines/templates/arc/e2e-test-kind.yaml b/.pipelines/templates/arc/e2e-test-kind.yaml index 8256c92f8..b3eb6b19c 100644 --- a/.pipelines/templates/arc/e2e-test-kind.yaml +++ b/.pipelines/templates/arc/e2e-test-kind.yaml @@ -1,5 +1,9 @@ jobs: - job: e2e_arc_kind + pool: + name: staging-pool-amd64-mariner-2 + demands: + - ImageOverride -equals azcu-agent-amd64-mariner-2-cgv2-img variables: - name: AZURE_ENVIRONMENT_FILEPATH value: /etc/kubernetes/custom_environment.json From b194d5f6b61bda9599aae4c0c9268dea61bbdff5 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 12 Mar 2024 10:21:54 -0700 Subject: [PATCH 16/37] chore: helm chart release for driver v1.4.2 and arc ext fixes (#1482) 
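Review bot: Both `az extension add --name aks-preview` calls in .pipelines/templates/aks-setup.yaml (the containerd branch and the GPU node-pool branch) now install whichever aks-preview release is current when the job runs. The cluster-setup step is therefore no longer reproducible, and a new extension release can change the behaviour of a step that appears to run against a live Azure subscription. Pinning to a newer version known to contain the fix for the referenced azure-cli issue keeps the workaround removal while preserving a fixed toolchain: `az extension add --name aks-preview --version <KNOWN_GOOD_VERSION>`. If floating is intentional, log the resolved version right after the install with `az extension show --name aks-preview --query version` so a failing run can be traced to an extension update. The surrounding script continues outside both hunks.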
Signed-off-by: Anish Ramasekar --- .../Chart.lock | 6 +- .../Chart.yaml | 6 +- .../README.md | 25 +++++--- .../arc-values.yaml | 64 +++++++++++++++++-- .../templates/arc-monitoring.yaml | 42 ++---------- .../templates/provider-azure-installer.yaml | 3 + .../values.yaml | 16 +++-- .../Chart.lock | 6 +- .../Chart.yaml | 6 +- .../README.md | 18 +++--- .../arc-values.yaml | 14 ++-- .../values.yaml | 14 ++-- test/e2e/framework/deploy/deploy.go | 2 +- 13 files changed, 129 insertions(+), 93 deletions(-) diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock index fc8d1fc0d..12e16ff3b 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.1 -digest: sha256:1ba3371ca94587ec5942cb2bb3840b5731da1b0629a4d89c37295f2c6ac0afb9 -generated: "2024-01-18T23:24:26.146818747Z" + version: 1.4.2 +digest: sha256:f77d79177355e150f733151d7577ec956a46d417309fdd89850dded32c34beda +generated: "2024-03-11T23:06:05.474547995Z" diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 4c6ff1098..2abd084f6 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.2 -appVersion: 1.5.1 +version: 1.5.3 +appVersion: 1.5.2 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.1 + version: 1.4.2 condition: secrets-store-csi-driver.install 
diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index 6cfdc3de1..d4acffff7 100644 --- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -25,6 +25,8 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.4` | `1.3.4` | `1.4.1` | | `1.5.0` | `1.4.0` | `1.5.0` | | `1.5.1` | `1.4.1` | `1.5.1` | +| `1.5.2` | `1.4.1` | `1.5.1` | +| `1.5.3` | `1.4.2` | `1.5.1` | ## Installation @@ -63,7 +65,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p > Refer to [doc](https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md) for configurable parameters of the secrets-store-csi-driver chart. | Parameter | Description | Default | -| ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ | +|------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------------------------------------------------------------------------------------------ | | `nameOverride` | String to partially override csi-secrets-store-provider-azure.fullname template with a string (will prepend the release name) | `""` | | `fullnameOverride` | String to fully override csi-secrets-store-provider-azure.fullname template with a string | `""` | | `imagePullSecrets` | Secrets to be used when pulling images | `[]` | 
@@ -90,6 +92,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | | `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` | +| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | 
@@ -119,15 +122,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.1` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.2` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | +| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | +| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.1` | +| 
`secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.2` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -136,13 +139,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.1` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.2` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | +| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | | `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.10.0` | +| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | | `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` | | 
`secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` | @@ -153,3 +156,9 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `constructPEMChain` | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | `true` | | `writeCertAndKeyInSeparateFiles` | Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file. | `false` | | `metricsAddr` | Port that serves metrics | `8898` | +| `promMdmConverter.resources` | Resource limit for Arc ext monitoring pod's prom-mdm-converter container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `mdm.resources` | Resource limit for Arc ext monitoring pod's mdm container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `msiAdapter.resources` | Resource limit for Arc ext monitoring pod's msi-adapter container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `telegraf.resources` | Resource limit for Arc ext monitoring pod's telegraf container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `amacoreagent.resources` | Resource limit for Arc ext monitoring pod's amacoreagent container | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | +| `fluentd.resources` | Resource limit for Arc ext monitoring pod's fluentd container | `requests.cpu: 50m`
`requests.memory: 250Mi`
`limits.cpu: 50m`
`limits.memory: 250Mi` | diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index 55b59d245..790a6abae 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -54,6 +54,8 @@ linux: operator: NotIn values: - virtual-kubelet + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" windows: image: @@ -112,20 +114,20 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -137,15 +139,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent enableSecretRotation: false 
@@ -169,6 +171,54 @@ constructPEMChain: true # Azure Arc Extension enableArcExtension: true +promMdmConverter: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +mdm: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +msiAdapter: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +telegraf: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +amacoreagent: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + cpu: 50m + memory: 100Mi +fluentd: + resources: + requests: + cpu: 50m + memory: 250Mi + limits: + cpu: 50m + memory: 250Mi # Values populated by Azure Arc K8s RP during the installation of the extension. Azure: diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 33c6baf71..f2e56bc57 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -32,12 +32,7 @@ spec: - name: EXTENSION_RESOURCE_ID value: "{{ .Values.Azure.Extension.ResourceId }}" resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.promMdmConverter.resources | nindent 12 }} # MDM - name: mdm image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2023.1027.1417-08a588-20231027t1613" @@ -57,12 +52,7 @@ spec: - name: mdm-config mountPath: /tmp/geneva_mdm resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.mdm.resources | nindent 12 }} # MSI Adapter - name: msi-adapter image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" 
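Review bot: The new `{{- toYaml .Values.promMdmConverter.resources | nindent 12 }}` lookup in templates/arc-monitoring.yaml has no fallback, and this diff adds the defaults it depends on only to arc-values.yaml. The values.yaml hunks shown add `dnsPolicy` and tag bumps but none of the `promMdmConverter`, `mdm`, `msiAdapter`, `telegraf`, `amacoreagent` or `fluentd` keys, although the README hunk lists them as chart parameters with defaults. The guard around this template is outside the hunk, so this is inferred, but if it is rendered without arc-values.yaml the parent key is nil and the render should fail; an override that blanks `resources` would leave the monitoring sidecars with no requests or limits. The same applies to the `mdm` hunk on this line and to the `msiAdapter`, `telegraf`, `amacoreagent` and `fluentd` hunks that follow. I would mirror the six `resources` blocks into values.yaml so the documented defaults hold for every values file.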
@@ -83,12 +73,7 @@ spec: - name: TEST_MODE value: "false" resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.msiAdapter.resources | nindent 12 }} securityContext: capabilities: add: @@ -101,12 +86,7 @@ spec: image: "mcr.microsoft.com/oss/mirror/docker.io/library/telegraf:1.21" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.telegraf.resources | nindent 12 }} volumeMounts: - name: telegraf-conf mountPath: /etc/telegraf/telegraf.conf @@ -116,12 +96,7 @@ spec: image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 100Mi - limits: - cpu: 50m - memory: 100Mi + {{- toYaml .Values.amacoreagent.resources | nindent 12 }} env: - name: MONITORING_USE_GENEVA_CONFIG_SERVICE value: "true" @@ -185,12 +160,7 @@ spec: image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20230915.3" imagePullPolicy: IfNotPresent resources: - requests: - cpu: 50m - memory: 250Mi - limits: - cpu: 50m - memory: 250Mi + {{- toYaml .Values.fluentd.resources | nindent 12 }} env: - name: FLUENT_CONF value: /etc/fluentd/fluentd.conf diff --git a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml index ff531ff47..22184ad6f 100644 --- a/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/provider-azure-installer.yaml @@ -42,6 +42,9 @@ spec: {{- end }} serviceAccountName: csi-secrets-store-provider-azure hostNetwork: true + {{- if .Values.linux.dnsPolicy }} + dnsPolicy: {{ .Values.linux.dnsPolicy }} + {{- end }} containers: - name: provider-azure-installer image: "{{ .Values.linux.image.repository }}:{{ .Values.linux.image.tag }}" 
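Review bot: In templates/provider-azure-installer.yaml the added `dnsPolicy: {{ .Values.linux.dnsPolicy }}` is rendered unquoted, so a value supplied with `--set` reaches the manifest as raw YAML; `dnsPolicy: {{ .Values.linux.dnsPolicy | quote }}` keeps it a string. The line sits directly under `hostNetwork: true`, where Kubernetes needs `ClusterFirstWithHostNet` to resolve cluster-internal names. The comment added above `dnsPolicy: ""` in values.yaml and arc-values.yaml only links the docs, so I would add `# with hostNetwork: true, use ClusterFirstWithHostNet to resolve cluster-internal names` there. The pod spec continues outside the hunk.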
diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index e7676afb6..c4ef90f24 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -59,6 +59,8 @@ linux: operator: NotIn values: - virtual-kubelet + # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + dnsPolicy: "" windows: image: @@ -120,20 +122,20 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -144,15 +146,15 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent enableSecretRotation: false diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock index fc8d1fc0d..12e16ff3b 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock 
@@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.1 -digest: sha256:1ba3371ca94587ec5942cb2bb3840b5731da1b0629a4d89c37295f2c6ac0afb9 -generated: "2024-01-18T23:24:26.146818747Z" + version: 1.4.2 +digest: sha256:f77d79177355e150f733151d7577ec956a46d417309fdd89850dded32c34beda +generated: "2024-03-11T23:06:05.474547995Z" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 4c6ff1098..2abd084f6 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.2 -appVersion: 1.5.1 +version: 1.5.3 +appVersion: 1.5.2 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.1 + version: 1.4.2 condition: secrets-store-csi-driver.install diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index ba4bd7ea2..d4acffff7 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -25,6 +25,8 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.4.4` | `1.3.4` | `1.4.1` | | `1.5.0` | `1.4.0` | `1.5.0` | | `1.5.1` | `1.4.1` | `1.5.1` | +| `1.5.2` | `1.4.1` | `1.5.1` | +| `1.5.3` | `1.4.2` | `1.5.1` | ## Installation 
@@ -90,7 +92,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.affinity` | Configures affinity for provider pods on linux nodes | Match expression `type NotIn virtual-kubelet` | | `linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` | | `linux.providersDir` | Configure the providers root dir | `/var/run/secrets-store-csi-providers` | -| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | +| `linux.dnsPolicy` | Configure DNS policy for the provider pod | `""` | | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | 
@@ -120,15 +122,15 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.1` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.2` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.8.0` | +| `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | | `secrets-store-csi-driver.linux.livenessProbeImage.repository` | Driver Linux liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.10.0` | +| `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.1` | +| 
`secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.2` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -137,13 +139,13 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.1` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.2` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.8.0` | +| `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | | `secrets-store-csi-driver.windows.livenessProbeImage.repository` | Driver Windows liveness-probe image repository | `mcr.microsoft.com/oss/kubernetes-csi/livenessprobe` | | `secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy` | Driver Windows liveness-probe image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.10.0` | +| `secrets-store-csi-driver.windows.livenessProbeImage.tag` | Driver Windows liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.enableSecretRotation` | Enable secret rotation feature [alpha] | `false` | | `secrets-store-csi-driver.rotationPollInterval` | Secret rotation poll interval duration | `2m` | | 
`secrets-store-csi-driver.filteredWatchSecret` | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`. Refer to [doc](https://secrets-store-csi-driver.sigs.k8s.io/load-tests.html) for more details | `true` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index daf820b98..790a6abae 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -114,20 +114,20 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -139,15 +139,15 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent enableSecretRotation: false diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index f832ee501..c4ef90f24 100644 
--- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -122,20 +122,20 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -146,15 +146,15 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.1 + tag: v1.4.2 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar - tag: v2.8.0 + tag: v2.10.0 pullPolicy: IfNotPresent livenessProbeImage: repository: mcr.microsoft.com/oss/kubernetes-csi/livenessprobe - tag: v2.10.0 + tag: v2.12.0 pullPolicy: IfNotPresent enableSecretRotation: false diff --git a/test/e2e/framework/deploy/deploy.go b/test/e2e/framework/deploy/deploy.go index 6d2920a6c..46502f02b 100644 --- a/test/e2e/framework/deploy/deploy.go +++ b/test/e2e/framework/deploy/deploy.go @@ -23,7 +23,7 @@ import ( ) var ( - driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.4.1/deploy" + driverResourcePath = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/v1.4.2/deploy" providerResourceDirectory = "manifest_staging/deployment" driverResources = []string{ From 577f7d694889f13db636bc3a7d18b7104d1c754d Mon Sep 17 00:00:00 2001 
From: Anish Ramasekar Date: Fri, 22 Mar 2024 14:10:18 -0700 Subject: [PATCH 17/37] security: CVE-2024-24786: bump google.golang.org/protobuf to v1.33.0 (#1499) Signed-off-by: Anish Ramasekar --- go.mod | 4 ++-- go.sum | 8 ++++---- test/e2e/go.mod | 4 ++-- test/e2e/go.sum | 8 ++++---- tools/go.mod | 4 ++-- tools/go.sum | 7 ++++--- 6 files changed, 18 insertions(+), 17 deletions(-) diff --git a/go.mod b/go.mod index 9057c9028..8e5865f44 100644 --- a/go.mod +++ b/go.mod @@ -42,7 +42,7 @@ require ( github.com/go-logr/zapr v1.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/uuid v1.3.1 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/kylelemons/godebug v1.1.0 // indirect @@ -65,7 +65,7 @@ require ( golang.org/x/sys v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/apimachinery v0.25.3 // indirect ) diff --git a/go.sum b/go.sum index d9fe1bc1e..6a1db562d 100644 --- a/go.sum +++ b/go.sum 
@@ -193,8 +193,8 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 
@@ -778,8 +778,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index fa2e0ed7d..8d2d7045f 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -49,7 +49,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/golang/protobuf v1.5.3 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect 
@@ -98,7 +98,7 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/grpc v1.59.0 // indirect - google.golang.org/protobuf v1.31.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 3cd906cc2..2bf45ff52 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum @@ -220,8 +220,8 @@ github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= -github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= -github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= 
@@ -852,8 +852,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= -google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff --git a/tools/go.mod b/tools/go.mod index 1a0659276..9c0cdac59 100644 --- a/tools/go.mod +++ b/tools/go.mod @@ -55,7 +55,7 @@ require ( github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gofrs/flock v0.8.1 // indirect - github.com/golang/protobuf v1.5.2 // indirect + github.com/golang/protobuf v1.5.4 // indirect github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 // indirect github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect github.com/golangci/go-misc v0.0.0-20220329215616-d24fe342adfe // indirect @@ -170,7 +170,7 @@ require ( golang.org/x/sys v0.6.0 // indirect golang.org/x/text v0.7.0 // indirect golang.org/x/tools v0.7.0 // indirect - google.golang.org/protobuf v1.28.0 // indirect + google.golang.org/protobuf v1.33.0 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect 
diff --git a/tools/go.sum b/tools/go.sum index dcf4f1492..8d519ad71 100644 --- a/tools/go.sum +++ b/tools/go.sum @@ -200,8 +200,9 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= +github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 h1:23T5iq8rbUYlhpt5DB4XJkc6BU31uODLD1o1gKvZmD0= github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4= github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM= 
@@ -927,8 +928,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw= -google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= From a17282cf71ec9977aaac2bf54e4189a24732a7d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com> Date: Mon, 15 Apr 2024 14:32:14 -0700 Subject: [PATCH 18/37] chore: bump trivy to 0.50.1 (#1526) Signed-off-by: Sertac Ozercan --- .pipelines/templates/scan-images.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.pipelines/templates/scan-images.yaml b/.pipelines/templates/scan-images.yaml index d57ba90b7..b84f707c9 100644 --- a/.pipelines/templates/scan-images.yaml +++ b/.pipelines/templates/scan-images.yaml 
@@ -1,8 +1,8 @@ steps: - script: | # install trivy - wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION:-0.27.1}/trivy_${TRIVY_VERSION:-0.27.1}_Linux-64bit.tar.gz - tar zxvf trivy_${TRIVY_VERSION:-0.27.1}_Linux-64bit.tar.gz + wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION:-0.50.1}/trivy_${TRIVY_VERSION:-0.50.1}_Linux-64bit.tar.gz + tar zxvf trivy_${TRIVY_VERSION:-0.50.1}_Linux-64bit.tar.gz make container arc-conformance-container ./trivy image --reset @@ -18,4 +18,4 @@ steps: REGISTRY: e2e IMAGE_VERSION: test OUTPUT_TYPE: docker - TRIVY_VERSION: $(TRIVY_VERSION) + TRIVY_VERSION: "0.50.1" From 733f10d7e5235f0bd9bfb3237696c462327194a5 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 15 Apr 2024 14:55:57 -0700 Subject: [PATCH 19/37] chore: bump golang.org/x/net from 0.17.0 to 0.24.0 (#1527) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Anish Ramasekar Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> --- go.mod | 6 +++--- go.sum | 12 ++++++------ test/e2e/go.mod | 8 ++++---- test/e2e/go.sum | 16 ++++++++-------- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/go.mod b/go.mod index 8e5865f44..699b37438 100644 --- a/go.mod +++ b/go.mod @@ -19,8 +19,8 @@ require ( go.opentelemetry.io/otel v0.20.0 go.opentelemetry.io/otel/exporters/metric/prometheus v0.20.0 go.opentelemetry.io/otel/metric v0.20.0 - golang.org/x/crypto v0.18.0 - golang.org/x/net v0.17.0 + golang.org/x/crypto v0.22.0 + golang.org/x/net v0.24.0 google.golang.org/grpc v1.59.0 gopkg.in/yaml.v3 v3.0.1 k8s.io/component-base v0.25.3 
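Review bot: The trivy tarball fetched by `wget` in the first hunk is unpacked and `./trivy` is run without any integrity check, so the pipeline executes whatever the download returns. Pinning the expected digest next to the version would close that gap, for example `echo "<expected-sha256>  trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | sha256sum -c -` before the `tar zxvf` line, where the digest is a placeholder to be taken from the release's published checksums. The second hunk now sets `TRIVY_VERSION: "0.50.1"` in what appears to be the step's env, so the `:-0.50.1` fallbacks can no longer apply and the version is written in three places; plain `${TRIVY_VERSION}` in the script would leave one source of truth. The part of the script between the two hunks is not visible here.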
@@ -62,7 +62,7 @@ require ( go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/sys v0.16.0 // indirect + golang.org/x/sys v0.19.0 // indirect golang.org/x/text v0.14.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.33.0 // indirect diff --git a/go.sum b/go.sum index 6a1db562d..ebda63c60 100644 --- a/go.sum +++ b/go.sum @@ -482,8 +482,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -554,8 +554,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -622,8 +622,8 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 8d2d7045f..1fe1a4fbd 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -86,11 +86,11 @@ require ( go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.7.0 // indirect - golang.org/x/crypto v0.18.0 // indirect - golang.org/x/net v0.17.0 // indirect + golang.org/x/crypto v0.22.0 // indirect + golang.org/x/net v0.24.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect - golang.org/x/sys v0.16.0 // indirect - golang.org/x/term v0.16.0 // indirect + golang.org/x/sys v0.19.0 // indirect + golang.org/x/term v0.19.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect google.golang.org/appengine v1.6.7 // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 2bf45ff52..c5b674d77 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -544,8 +544,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= -golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= +golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -615,8 +615,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= +golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -682,11 +682,11 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= -golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= +golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= -golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= +golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= +golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= From 127a096d42250b26af61f936e2cf55398fecc0bf Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Mon, 15 Apr 2024 14:56:33 -0700 Subject: [PATCH 20/37] ci: bump ossf/scorecard-action to v2.3.1 (#1528) Signed-off-by: Anish Ramasekar --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 22b215d48..d17979e98 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -41,7 +41,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif From ea0d64d29a452cd8d8b05db0f736fad8046765b9 Mon Sep 17 00:00:00 2001 From: Chris Date: Wed, 17 Apr 2024 10:46:39 -0700 Subject: [PATCH 21/37] fix: cert chain sorting when the leaf certificate is missing the SubjectKeyIdentifier extension (#1509) Co-authored-by: Chris Curwick Co-authored-by: Anish Ramasekar --- pkg/provider/provider.go | 6 + pkg/provider/provider_test.go | 246 ++++++++++++++++++++++++++++++++++ 2 files changed, 252 insertions(+) diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index d16bdab98..31251dee9 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -700,6 +700,12 @@ func fetchCertChains(data []byte) ([]byte, error) { if i == j { continue } + + // a leaf cert SubjectKeyId is optional per RFC3280 + if nodes[i].cert.AuthorityKeyId == nil && nodes[j].cert.SubjectKeyId == nil { + continue + } + // if ith node AuthorityKeyId is same as jth node SubjectKeyId, jth node was used // to sign the ith certificate if string(nodes[i].cert.AuthorityKeyId) == string(nodes[j].cert.SubjectKeyId) { diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go index e8f09a3c4..1215646d6 100644 --- a/pkg/provider/provider_test.go +++ b/pkg/provider/provider_test.go 
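Review bot: The new guard in the inner loop of fetchCertChains tests the key identifiers with `== nil`, so an empty but non-nil AuthorityKeyId or SubjectKeyId would still reach the string comparison below and match as two empty strings. Whether the parser can produce such a value is not visible here, but a length check covers both cases and reads more directly: `if len(nodes[i].cert.AuthorityKeyId) == 0 || len(nodes[j].cert.SubjectKeyId) == 0 { continue }`. The comment would also help more if it said why the skip exists, and RFC 3280 has been obsoleted by RFC 5280: `// skip when a key id is absent: two missing ids would compare equal and link unrelated certs (SubjectKeyId is optional on end-entity certs, RFC 5280 4.2.1.2)`. The ordering relies on identifier equality alone, so it should stay documented as a sort and not as chain validation. fetchCertChains starts and ends outside the hunk.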
@@ -794,6 +794,252 @@ fpTPteqfpl8iGQIhAOo8tpUYiREVSYZu130fN0Gvy4WmJMFAi7JrVeSnZ7uP } } +func TestFetchCertChainWithLeafMissingSKI(t *testing.T) { + rootCACert := ` +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Rl +c3QtY2EwHhcNMjQwNDAyMTYwODU0WhcNMzQwNDAyMTYwODU0WjASMRAwDgYDVQQD +Ewd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0R6suEJ +zlRDkMUKUEFIRRnqPmbDUM+h5k4tc5bgAJgX1EGf/lVBJ4gzUGzYayc9qyIcsKqI +/wyxsEm9SOnqR5lQkE/dJ3BsiSV/+wts6OX86KLWn4gHFm1xzl3xAj0/7w0qrEGj +5ASEF+RsfQq+oY/jglZCRWaVq23F77L6NeOFCicEKCRRLKClwXFFrGErwoUk3ef1 +CJ7GD1C+7Pk4uHQC4BYttcSyVYfTn4fdYMEQtEY3hAWRsfZqJ/epRvxFFaDXnfGL +PWoj+IYRx0YWsV6FY8rqyat8PGtvY4JR5RdF9nNIKapV3n3W98tc6EiXBZybULsd +5z9PHU0hDabSxwIDAQABo1EwTzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH +AwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUALAG+YJ+DGejdTyT9T6+nYg+ +4ZIwDQYJKoZIhvcNAQELBQADggEBABgkDtHj51xeHwFfSYQmUXnTQl59VCXGdulU +Fx8yfI5aMJzWR0SGTnJ8/VpBUZi6VTTz45qvi8xJgnpF8SLtKjXQlbqIerO7KL+M +7EnK2O1IGMKPboGM3pgJJQ7jS6aPObtFvuLUwECYoFw6dEzQkauzZjNA5FjWPImM +9VonFvAOpA45r9/b5liZ/Lg7gfdOtlLYUpCU1bPtem4v60oFmKh5IMOdLDVCgcga +HXlyr1Q1xkPwnHMt1aOPJPuMs1DSfbhP40bUvYh3gU5B7XpUpaHxlltm/h9/CsPE +z9rzlA+Co/z78Wn/LtvjVrxJj4QHcfXhiIltAaAUnJP+kZ0+3I0= +-----END CERTIFICATE----- +` + + intermediateCert1 := ` +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Rl +c3QtY2EwHhcNMjQwNDAyMTYwODU1WhcNMzQwNDAyMTYwODU1WjAUMRIwEAYDVQQD +Ewl0ZXN0LWludDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtCcWc +98ConFAuw6PpsuljvSDfoee9UqFCpfxeIHdTu1wcxTtdRROvbwbdDfc0UYsOIRlR +J+zVJdPJBS2n/lCiXVjfWgCmPQpSQhXyJAmD1VwgDrT4YFm31RCQmkQlQCaY7s4Y +KG/eawzaSA0CYBjMS4ss58zFJeZyPB5y0OMb6Cu7Q5MsJBkwpdjADuT5otfZPIDG +wB1N7vRtS37ajPR3cxrR7+jehcjEiZBeiW0tTdTgH1TFpoDqxCITkAyqu40AhG1i +xH4DZs285LaeqVZnLiW2CwlKAMXaHwxL8FmhoFN6+FwXq/fBE2oUFhI5V00wp99Y +WucRgoHZHjPLm4j9AgMBAAGjcjBwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTOi/c99QBhXboU8Jo153ux 
+QY/QFjAfBgNVHSMEGDAWgBQAsAb5gn4MZ6N1PJP1Pr6diD7hkjANBgkqhkiG9w0B +AQsFAAOCAQEAhH5ygm9o2hxMJl4AuKfq3S2AKtDho+gW7D7XDTAyoCDjxskzTagz +DNi1sEkgOOt+pYPdzZLqAPb5qE+jvHpXSrIiG+wYEZ3I9bMjOfXFFh9wfgNNpiCO +KCP6c6XGJuAzDLLOqe726TjXFwh2rtCs6IXl6MZBfYEWpCYgbJytuGiVbEy/4zHu +REXmmUVKBTT7nq9zMGqK7rkyEJeq51uGrO4NfkgDEPJqN7RQySMi8drXFcjjyvEo +vfXoEug1sLeGyrEMD+8wfvhFJDtFIxCCu6gRIn6H8QMouNTIZBiZhtHPD9La5vh/ +RAqYxnujJ1Gw4ZpQExiLxPq0MdP3NLOibg== +-----END CERTIFICATE----- +` + + intermediateCert2 := ` +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCXRl +c3QtaW50MTAeFw0yNDA0MDIxNjA4NTVaFw0zNDA0MDIxNjA4NTVaMBQxEjAQBgNV +BAMTCXRlc3QtaW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANYX +Dy2Uk67tIDsrVNnfTUJRFVCFNFgAEcFjTUZDLNPJiJy3i4QTDn+4oZpjlZjSC0l1 +QabxqQGgAycwA0TBJykKCKWN1uCucVBvXW8s4OdF/2HQIw13HZWZJOTJvMK+kfIx +2/4cUr7lXl7QoC01VnhHQW1cLrzjfs2WZ+Nv1VGOxFx1S8yjNc4CvV4pKzeeANxE +cgjAdMqwaT9uLKJ2fa/6jnlf4xVrTaO96LlPaiI/qn5Q/xdcdizQ3SDREV5BXe4V +MOVoI0K9uoluy98RZvGG0G92PN7gM1BOfc8S/2Qaulq5eKzMShK4LmE2sWNniWjd +4IEysKsOnllIxHae9wkCAwEAAaNyMHAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFC1hoo+AKqTs77o5YwSf +e11hmyX0MB8GA1UdIwQYMBaAFM6L9z31AGFduhTwmjXne7FBj9AWMA0GCSqGSIb3 +DQEBCwUAA4IBAQCQhr+0m+UukGYqhwZSIlgL8YKulwMz0SNhyMkEcrxEl03Nx7SZ +KgwZH+bxgykYocL0RxAZcjBCmcoLyy3Ebl743s4eRppBXQc+kYzYyaWEUpUxNoq2 +tFi+yqruQbkNSQ/rzKrRrwZAD8vP3mcUScjx9UNwXAbr4NbA10US1WlWYA17v4kf +HXGhV997/HNLNyUYizePeeU4DrdVNgI3hdy4mpyWRDWc6fyaKbeFJbWo+KHqT5zB +fTEBltyrpTqCdq0nXLwIzR+J4brtBH/LE2Wo9kp5bh4xUJQeybc46QeAyAvbV812 +e4t6jdnEGzymy5pzbGjtEp+gW4zaSGLBGL3V +-----END CERTIFICATE----- +` + + serverCert := ` +-----BEGIN CERTIFICATE----- +MIIDGjCCAgKgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCXRl +c3QtaW50MjAeFw0yNDA0MDIxNjA4NTVaFw0yNTA0MDIxNjA4NTVaMBQxEjAQBgNV +BAMTCXRlc3QtbGVhZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALg2 +kdP54gsbku7vUfIYf59H5VQLoDXoCZpTO7lxsHEh9QveViINEgYJ5Ycq8YijRR9J 
+W2oAWSLdE+mEQ+kvzxjqIwcZgCq0cGwErXKaPZCNnQKiV0cGCgWBPyqZcE1noiSE +5FqWBK0FDXmdiA5p2TSNfu6okJqVB/u0Bxbxqq+/V+aQ5KuFjwmIBT+/2kxwBma2 +Si/SDJts/H9izYcjTuxyJ1Cq9FPe87r/5t9riJ8QT1Czd2m+39yYJ7frnd1rjuh7 +FAvqyULP9uSZN5FBR7+YPR3rWfUK+D5C1Nq2BJ+XUwdIZpZn+r848Vntgy631h+x +3O7tHO1aEhc0WXEIv0UCAwEAAaN1MHMwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW +MBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNVHSMEGDAWgBQtYaKPgCqk7O+6OWME +n3tdYZsl9DAhBgNVHREEGjAYhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqG +SIb3DQEBCwUAA4IBAQAvFuuaf+xbL8pZkJ8g8yYHlqA1xFOebTUmzBPZ1c1tVIkf +KaKPTmgENmp4iiBgL/yptLohxQoJG2jr5BQqFialbs+A0lwLUe1PaEu0QE8x8ko4 +BZl0xFVJ7Lm9/WcMDbXclIdnz2J/3Oqnv3ltEW/c0VKydHFMWds/P4DPNX50baI0 +eDTPs4f3ZQDjkiV0o7gS86SbeGl92ByT/1nhz82gysayo/H2Ywg6j5hyjtb0gq7E +sw1Z28Ia6wLxhTBxqtOmSB4N7Y3E8C868lmiCoK4ETFFAiFHZU7gmlIXVul3X6IT ++i3TggXpd0XjNatkK2EfmLOv1bQNPz5i0oyYtJBS +-----END CERTIFICATE----- +` + + expectedCertChain := `-----BEGIN CERTIFICATE----- +MIIDGjCCAgKgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCXRl +c3QtaW50MjAeFw0yNDA0MDIxNjA4NTVaFw0yNTA0MDIxNjA4NTVaMBQxEjAQBgNV +BAMTCXRlc3QtbGVhZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALg2 +kdP54gsbku7vUfIYf59H5VQLoDXoCZpTO7lxsHEh9QveViINEgYJ5Ycq8YijRR9J +W2oAWSLdE+mEQ+kvzxjqIwcZgCq0cGwErXKaPZCNnQKiV0cGCgWBPyqZcE1noiSE +5FqWBK0FDXmdiA5p2TSNfu6okJqVB/u0Bxbxqq+/V+aQ5KuFjwmIBT+/2kxwBma2 +Si/SDJts/H9izYcjTuxyJ1Cq9FPe87r/5t9riJ8QT1Czd2m+39yYJ7frnd1rjuh7 +FAvqyULP9uSZN5FBR7+YPR3rWfUK+D5C1Nq2BJ+XUwdIZpZn+r848Vntgy631h+x +3O7tHO1aEhc0WXEIv0UCAwEAAaN1MHMwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW +MBQGCCsGAQUFBwMCBggrBgEFBQcDATAfBgNVHSMEGDAWgBQtYaKPgCqk7O+6OWME +n3tdYZsl9DAhBgNVHREEGjAYhwR/AAABhxAAAAAAAAAAAAAAAAAAAAABMA0GCSqG +SIb3DQEBCwUAA4IBAQAvFuuaf+xbL8pZkJ8g8yYHlqA1xFOebTUmzBPZ1c1tVIkf +KaKPTmgENmp4iiBgL/yptLohxQoJG2jr5BQqFialbs+A0lwLUe1PaEu0QE8x8ko4 +BZl0xFVJ7Lm9/WcMDbXclIdnz2J/3Oqnv3ltEW/c0VKydHFMWds/P4DPNX50baI0 +eDTPs4f3ZQDjkiV0o7gS86SbeGl92ByT/1nhz82gysayo/H2Ywg6j5hyjtb0gq7E +sw1Z28Ia6wLxhTBxqtOmSB4N7Y3E8C868lmiCoK4ETFFAiFHZU7gmlIXVul3X6IT 
++i3TggXpd0XjNatkK2EfmLOv1bQNPz5i0oyYtJBS +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFzCCAf+gAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCXRl +c3QtaW50MTAeFw0yNDA0MDIxNjA4NTVaFw0zNDA0MDIxNjA4NTVaMBQxEjAQBgNV +BAMTCXRlc3QtaW50MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANYX +Dy2Uk67tIDsrVNnfTUJRFVCFNFgAEcFjTUZDLNPJiJy3i4QTDn+4oZpjlZjSC0l1 +QabxqQGgAycwA0TBJykKCKWN1uCucVBvXW8s4OdF/2HQIw13HZWZJOTJvMK+kfIx +2/4cUr7lXl7QoC01VnhHQW1cLrzjfs2WZ+Nv1VGOxFx1S8yjNc4CvV4pKzeeANxE +cgjAdMqwaT9uLKJ2fa/6jnlf4xVrTaO96LlPaiI/qn5Q/xdcdizQ3SDREV5BXe4V +MOVoI0K9uoluy98RZvGG0G92PN7gM1BOfc8S/2Qaulq5eKzMShK4LmE2sWNniWjd +4IEysKsOnllIxHae9wkCAwEAAaNyMHAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG +AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFC1hoo+AKqTs77o5YwSf +e11hmyX0MB8GA1UdIwQYMBaAFM6L9z31AGFduhTwmjXne7FBj9AWMA0GCSqGSIb3 +DQEBCwUAA4IBAQCQhr+0m+UukGYqhwZSIlgL8YKulwMz0SNhyMkEcrxEl03Nx7SZ +KgwZH+bxgykYocL0RxAZcjBCmcoLyy3Ebl743s4eRppBXQc+kYzYyaWEUpUxNoq2 +tFi+yqruQbkNSQ/rzKrRrwZAD8vP3mcUScjx9UNwXAbr4NbA10US1WlWYA17v4kf +HXGhV997/HNLNyUYizePeeU4DrdVNgI3hdy4mpyWRDWc6fyaKbeFJbWo+KHqT5zB +fTEBltyrpTqCdq0nXLwIzR+J4brtBH/LE2Wo9kp5bh4xUJQeybc46QeAyAvbV812 +e4t6jdnEGzymy5pzbGjtEp+gW4zaSGLBGL3V +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDFTCCAf2gAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Rl +c3QtY2EwHhcNMjQwNDAyMTYwODU1WhcNMzQwNDAyMTYwODU1WjAUMRIwEAYDVQQD +Ewl0ZXN0LWludDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtCcWc +98ConFAuw6PpsuljvSDfoee9UqFCpfxeIHdTu1wcxTtdRROvbwbdDfc0UYsOIRlR +J+zVJdPJBS2n/lCiXVjfWgCmPQpSQhXyJAmD1VwgDrT4YFm31RCQmkQlQCaY7s4Y +KG/eawzaSA0CYBjMS4ss58zFJeZyPB5y0OMb6Cu7Q5MsJBkwpdjADuT5otfZPIDG +wB1N7vRtS37ajPR3cxrR7+jehcjEiZBeiW0tTdTgH1TFpoDqxCITkAyqu40AhG1i +xH4DZs285LaeqVZnLiW2CwlKAMXaHwxL8FmhoFN6+FwXq/fBE2oUFhI5V00wp99Y +WucRgoHZHjPLm4j9AgMBAAGjcjBwMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF +BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTOi/c99QBhXboU8Jo153ux +QY/QFjAfBgNVHSMEGDAWgBQAsAb5gn4MZ6N1PJP1Pr6diD7hkjANBgkqhkiG9w0B 
+AQsFAAOCAQEAhH5ygm9o2hxMJl4AuKfq3S2AKtDho+gW7D7XDTAyoCDjxskzTagz +DNi1sEkgOOt+pYPdzZLqAPb5qE+jvHpXSrIiG+wYEZ3I9bMjOfXFFh9wfgNNpiCO +KCP6c6XGJuAzDLLOqe726TjXFwh2rtCs6IXl6MZBfYEWpCYgbJytuGiVbEy/4zHu +REXmmUVKBTT7nq9zMGqK7rkyEJeq51uGrO4NfkgDEPJqN7RQySMi8drXFcjjyvEo +vfXoEug1sLeGyrEMD+8wfvhFJDtFIxCCu6gRIn6H8QMouNTIZBiZhtHPD9La5vh/ +RAqYxnujJ1Gw4ZpQExiLxPq0MdP3NLOibg== +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIC8jCCAdqgAwIBAgIDEjRWMA0GCSqGSIb3DQEBCwUAMBIxEDAOBgNVBAMTB3Rl +c3QtY2EwHhcNMjQwNDAyMTYwODU0WhcNMzQwNDAyMTYwODU0WjASMRAwDgYDVQQD +Ewd0ZXN0LWNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt0R6suEJ +zlRDkMUKUEFIRRnqPmbDUM+h5k4tc5bgAJgX1EGf/lVBJ4gzUGzYayc9qyIcsKqI +/wyxsEm9SOnqR5lQkE/dJ3BsiSV/+wts6OX86KLWn4gHFm1xzl3xAj0/7w0qrEGj +5ASEF+RsfQq+oY/jglZCRWaVq23F77L6NeOFCicEKCRRLKClwXFFrGErwoUk3ef1 +CJ7GD1C+7Pk4uHQC4BYttcSyVYfTn4fdYMEQtEY3hAWRsfZqJ/epRvxFFaDXnfGL +PWoj+IYRx0YWsV6FY8rqyat8PGtvY4JR5RdF9nNIKapV3n3W98tc6EiXBZybULsd +5z9PHU0hDabSxwIDAQABo1EwTzAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUH +AwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUALAG+YJ+DGejdTyT9T6+nYg+ +4ZIwDQYJKoZIhvcNAQELBQADggEBABgkDtHj51xeHwFfSYQmUXnTQl59VCXGdulU +Fx8yfI5aMJzWR0SGTnJ8/VpBUZi6VTTz45qvi8xJgnpF8SLtKjXQlbqIerO7KL+M +7EnK2O1IGMKPboGM3pgJJQ7jS6aPObtFvuLUwECYoFw6dEzQkauzZjNA5FjWPImM +9VonFvAOpA45r9/b5liZ/Lg7gfdOtlLYUpCU1bPtem4v60oFmKh5IMOdLDVCgcga +HXlyr1Q1xkPwnHMt1aOPJPuMs1DSfbhP40bUvYh3gU5B7XpUpaHxlltm/h9/CsPE +z9rzlA+Co/z78Wn/LtvjVrxJj4QHcfXhiIltAaAUnJP+kZ0+3I0= +-----END CERTIFICATE----- +` + + cases := []struct { + desc string + cert string + expectedErr bool + }{ + { + desc: "order: root, intermediate1, intermediate2, server certs", + cert: rootCACert + intermediateCert1 + intermediateCert2 + serverCert, + expectedErr: false, + }, + { + desc: "order: root, server, intermediate1, intermediate2, certs", + cert: rootCACert + serverCert + intermediateCert1 + intermediateCert2, + expectedErr: false, + }, + { + desc: "order: intermediate1, intermediate2, root, server certs", + cert: 
intermediateCert1 + intermediateCert2 + rootCACert + serverCert, + expectedErr: false, + }, + { + desc: "order: intermediate1, intermediate2, server, root certs", + cert: intermediateCert1 + intermediateCert2 + serverCert + rootCACert, + expectedErr: false, + }, + { + desc: "order: server, root, intermediate1, intermediate2 certs", + cert: serverCert + rootCACert + intermediateCert1 + intermediateCert2, + expectedErr: false, + }, + { + desc: "order: server, intermediate1, intermediate2, root certs", + cert: serverCert + intermediateCert1 + intermediateCert2 + rootCACert, + expectedErr: false, + }, + + { + desc: "order: root, intermediate2, intermediate1, server certs", + cert: rootCACert + intermediateCert1 + intermediateCert2 + serverCert, + expectedErr: false, + }, + { + desc: "order: root, server, intermediate2, intermediate1 certs", + cert: rootCACert + serverCert + intermediateCert1 + intermediateCert2, + expectedErr: false, + }, + { + desc: "order: intermediate2, intermediate1, root, server certs", + cert: intermediateCert1 + intermediateCert2 + rootCACert + serverCert, + expectedErr: false, + }, + { + desc: "order: intermediate2, intermediate1, server, root certs", + cert: intermediateCert1 + intermediateCert2 + serverCert + rootCACert, + expectedErr: false, + }, + { + desc: "order: server, root, intermediate2, intermediate1 certs", + cert: serverCert + rootCACert + intermediateCert1 + intermediateCert2, + expectedErr: false, + }, + { + desc: "order: server, intermediate2, intermediate1, root certs", + cert: serverCert + intermediateCert1 + intermediateCert2 + rootCACert, + expectedErr: false, + }, + } + + for _, tc := range cases { + t.Run(tc.desc, func(t *testing.T) { + certChain, err := fetchCertChains([]byte(tc.cert)) + if tc.expectedErr && err == nil || !tc.expectedErr && err != nil { + t.Fatalf("expected error: %v, got error: %v", tc.expectedErr, err) + } + if string(certChain) != expectedCertChain { + t.Fatalf(cmp.Diff(expectedCertChain, 
string(certChain))) + } + }) + } +} + func TestFetchCertChainWarning(t *testing.T) { rootCACert := ` -----BEGIN CERTIFICATE----- From 6dce6a9d51401ab8f11cf10f8b64d06c700eb481 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Thu, 18 Apr 2024 11:43:32 -0700 Subject: [PATCH 22/37] release: update manifest and helm charts for v1.5.2 (#1537) Signed-off-by: Anish Ramasekar --- Makefile | 2 +- charts/csi-secrets-store-provider-azure/Chart.lock | 6 +++--- charts/csi-secrets-store-provider-azure/Chart.yaml | 4 ++-- charts/csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- charts/csi-secrets-store-provider-azure/values.yaml | 10 +++++----- deployment/provider-azure-installer-windows.yaml | 2 +- deployment/provider-azure-installer.yaml | 2 +- .../csi-secrets-store-provider-azure/Chart.lock | 6 +++--- .../csi-secrets-store-provider-azure/Chart.yaml | 4 ++-- .../charts/csi-secrets-store-provider-azure/README.md | 11 ++++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../csi-secrets-store-provider-azure/values.yaml | 10 +++++----- .../deployment/provider-azure-installer-windows.yaml | 2 +- .../deployment/provider-azure-installer.yaml | 2 +- test/e2e/framework/config.go | 2 +- website/content/en/_index.md | 2 +- 17 files changed, 49 insertions(+), 47 deletions(-) diff --git a/Makefile b/Makefile index e005af0fa..c8b2b3089 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)" REGISTRY_NAME ?= upstream REPO_PREFIX ?= k8s/csi/secrets-store REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX) -IMAGE_VERSION ?= v1.5.1 +IMAGE_VERSION ?= v1.5.2 IMAGE_NAME ?= provider-azure CONFORMANCE_IMAGE_NAME ?= provider-azure-arc-conformance IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION) diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock index 12e16ff3b..4af43864b 100644 
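Review bot: The last six cases in TestFetchCertChainWithLeafMissingSKI are described as "intermediate2, intermediate1" orderings, but their `cert` values concatenate `intermediateCert1 + intermediateCert2` exactly as the first six do. The test therefore never feeds the two intermediates in reversed order, and half the table repeats inputs already covered. Swapping the operands in those six cases, as below, makes the inputs match their descriptions. Separately, `t.Fatalf(cmp.Diff(...))` passes the diff as a format string; `t.Fatalf("%s", cmp.Diff(expectedCertChain, string(certChain)))` avoids misreading any `%` in the output.

```go
// … unchanged: certificate fixtures and the first six cases …
// case "order: root, intermediate2, intermediate1, server certs"
cert: rootCACert + intermediateCert2 + intermediateCert1 + serverCert,
// case "order: root, server, intermediate2, intermediate1 certs"
cert: rootCACert + serverCert + intermediateCert2 + intermediateCert1,
// case "order: intermediate2, intermediate1, root, server certs"
cert: intermediateCert2 + intermediateCert1 + rootCACert + serverCert,
// case "order: intermediate2, intermediate1, server, root certs"
cert: intermediateCert2 + intermediateCert1 + serverCert + rootCACert,
// case "order: server, root, intermediate2, intermediate1 certs"
cert: serverCert + rootCACert + intermediateCert2 + intermediateCert1,
// case "order: server, intermediate2, intermediate1, root certs"
cert: serverCert + intermediateCert2 + intermediateCert1 + rootCACert,
// … unchanged: t.Run loop …
```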
--- a/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.2 -digest: sha256:f77d79177355e150f733151d7577ec956a46d417309fdd89850dded32c34beda -generated: "2024-03-11T23:06:05.474547995Z" + version: 1.4.3 +digest: sha256:7e4867144ee8d28abcfe2d8517d379e34500ebaa2be0121a2eda5f3da5723110 +generated: "2024-04-18T09:11:04.509219-07:00" diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 2abd084f6..4cf0dbde5 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.3 +version: 1.5.4 appVersion: 1.5.2 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.2 + version: 1.4.3 condition: secrets-store-csi-driver.install diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index d4acffff7..7e1578b47 100644 --- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -27,6 +27,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.5.1` | `1.4.1` | `1.5.1` | | `1.5.2` | `1.4.1` | `1.5.1` | | `1.5.3` | `1.4.2` | `1.5.1` | +| `1.5.4` | `1.4.3` | `1.5.2` | ## Installation 
@@ -74,7 +75,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.1` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.2` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -96,7 +97,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.1` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.2` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -122,7 +123,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.2` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.3` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | 
@@ -130,7 +131,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.2` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.3` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -139,7 +140,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.2` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.3` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index 790a6abae..2efab0e16 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -60,7 +60,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -114,7 +114,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -127,7 +127,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -139,7 +139,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index c4ef90f24..d708841a1 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -65,7 +65,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -122,7 +122,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -135,7 +135,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -146,7 +146,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml index ce112d4d3..887a1c6f9 100644 --- a/deployment/provider-azure-installer-windows.yaml +++ b/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml index decbb57bf..f28f01134 100644 --- a/deployment/provider-azure-installer.yaml +++ b/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock index 12e16ff3b..4af43864b 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock 
+++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.2 -digest: sha256:f77d79177355e150f733151d7577ec956a46d417309fdd89850dded32c34beda -generated: "2024-03-11T23:06:05.474547995Z" + version: 1.4.3 +digest: sha256:7e4867144ee8d28abcfe2d8517d379e34500ebaa2be0121a2eda5f3da5723110 +generated: "2024-04-18T09:11:04.509219-07:00" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 2abd084f6..4cf0dbde5 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.3 +version: 1.5.4 appVersion: 1.5.2 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.2 + version: 1.4.3 condition: secrets-store-csi-driver.install diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index d4acffff7..7e1578b47 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -27,6 +27,7 @@ Azure Key Vault provider for Secrets Store CSI driver allows you to get secret c | `1.5.1` | `1.4.1` | `1.5.1` | | `1.5.2` | `1.4.1` | `1.5.1` | | `1.5.3` | `1.4.2` | `1.5.1` | +| `1.5.4` | `1.4.3` | `1.5.2` | ## Installation 
@@ -74,7 +75,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.1` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.2` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -96,7 +97,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.1` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.2` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -122,7 +123,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.2` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.3` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | 
@@ -130,7 +131,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.2` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.3` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -139,7 +140,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.2` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.3` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index 790a6abae..2efab0e16 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -60,7 +60,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -114,7 +114,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -127,7 +127,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -139,7 +139,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index c4ef90f24..d708841a1 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -65,7 +65,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.1 + tag: v1.5.2 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -122,7 +122,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -135,7 +135,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -146,7 +146,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.2 + tag: v1.4.3 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml index ce112d4d3..887a1c6f9 100644 --- a/manifest_staging/deployment/provider-azure-installer-windows.yaml +++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml index decbb57bf..f28f01134 100644 --- a/manifest_staging/deployment/provider-azure-installer.yaml +++ b/manifest_staging/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.1 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index b0c139f12..8d4af1cca 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go 
@@ -18,7 +18,7 @@ type Config struct { KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"` - ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.1"` + ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.2"` IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"` IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"` IsGPUTest bool `envconfig:"TEST_GPU" default:"false"` diff --git a/website/content/en/_index.md b/website/content/en/_index.md index b5f04dd0b..5d834e2a2 100644 --- a/website/content/en/_index.md +++ b/website/content/en/_index.md @@ -15,7 +15,7 @@ Azure Key Vault provider for [Secrets Store CSI Driver](https://github.com/kuber | Azure Key Vault Provider | Compatible Kubernetes | `secrets-store.csi.x-k8s.io` Versions | | ---------------------------------------------------------------------------------------------- | --------------------- | ------------------------------------- | -| [v1.5.1](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.5.1) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | +| [v1.5.2](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.5.2) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | | [v1.4.1](https://github.com/Azure/secrets-store-csi-driver-provider-azure/releases/tag/v1.4.1) | 1.21+ | `v1`, `v1alpha1 [DEPRECATED]` | For Secrets Store CSI Driver project status and supported versions, check the doc [here](https://secrets-store-csi-driver.sigs.k8s.io/#project-status) From 555435c35c4e663b360d3bf29f1157f9d9a9622b Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 30 Apr 2024 15:15:31 -0700 Subject: [PATCH 23/37] chore: removes conformance image from scan (#1547) 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com>
---
 .pipelines/templates/scan-images.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.pipelines/templates/scan-images.yaml b/.pipelines/templates/scan-images.yaml
index b84f707c9..c427360a0 100644
--- a/.pipelines/templates/scan-images.yaml
+++ b/.pipelines/templates/scan-images.yaml
@@ -9,10 +9,6 @@ steps:
 # show all vulnerabilities in the logs
 ./trivy image --vuln-type os,library "${REGISTRY}/provider-azure:${IMAGE_VERSION}"
 ./trivy image --vuln-type os,library --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${REGISTRY}/provider-azure:${IMAGE_VERSION}" || exit 1
-
- # only enabling os vuln type for conformance image as we have external dependencies (helm, step-cli)
- ./trivy image --vuln-type os "${REGISTRY}/provider-azure-arc-conformance:${IMAGE_VERSION}-linux-amd64"
- ./trivy image --vuln-type os --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL "${REGISTRY}/provider-azure-arc-conformance:${IMAGE_VERSION}-linux-amd64" || exit 1
 displayName: "Scan images for vulnerability"
 env:
 REGISTRY: e2e
From 2b916e423244bc4f5dbabb96ccda2db4a068be90 Mon Sep 17 00:00:00 2001
From: Anish Ramasekar
Date: Tue, 30 Apr 2024 17:11:42 -0700
Subject: [PATCH 24/37] ci: cleanup windows pr gate (#1539)
Signed-off-by: Anish Ramasekar
---
 .pipelines/e2e-job-azure.yaml | 3 +--
 .pipelines/templates/aks-setup.yaml | 8 --------
 .pipelines/templates/e2e-test-azure.yaml | 7 +------
 3 files changed, 2 insertions(+), 16 deletions(-)
diff --git a/.pipelines/e2e-job-azure.yaml b/.pipelines/e2e-job-azure.yaml
index 35c55f003..5dc40c3d8 100644
--- a/.pipelines/e2e-job-azure.yaml
+++ b/.pipelines/e2e-job-azure.yaml
@@ -18,8 +18,7 @@ jobs: parameters: osTypes: - "linux" - - "windows_docker" - - "windows_containerd" + - "windows" # TODO: re-enable this job after implementing automated ext release process # using https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/1382 for tracking # this will ensure any changes to provider works on arc extension too. diff --git a/.pipelines/templates/aks-setup.yaml b/.pipelines/templates/aks-setup.yaml index 6dff427e2..0bd727676 100644 --- a/.pipelines/templates/aks-setup.yaml +++ b/.pipelines/templates/aks-setup.yaml @@ -5,9 +5,6 @@ parameters: - name: testWithGPU type: boolean default: false - - name: containerRuntime - type: string - default: containerd steps: - script: | @@ -71,11 +68,6 @@ steps: echo "##vso[task.setvariable variable=MASTERINTERNALIP]${MASTERIP}" if [[ "$(OS_TYPE)" == "windows" ]]; then - if [[ ${{ parameters.containerRuntime }} == "containerd" ]]; then - az extension add --name aks-preview - EXTRA_ARGS="--aks-custom-headers WindowsContainerRuntime=containerd" - fi - az aks nodepool add -g ${AZURE_CLUSTER_NAME} --cluster-name ${AZURE_CLUSTER_NAME} --os-type Windows --name win --node-count 1 ${EXTRA_ARGS:-} > /dev/null fi diff --git a/.pipelines/templates/e2e-test-azure.yaml b/.pipelines/templates/e2e-test-azure.yaml index 8996f9ae2..c010223dc 100644 --- a/.pipelines/templates/e2e-test-azure.yaml +++ b/.pipelines/templates/e2e-test-azure.yaml @@ -27,11 +27,7 @@ jobs: OS_TYPE=$(echo ${{ osType }} | cut -d '_' -f1 | tr -d '[:space:]') echo "OS type: $OS_TYPE" echo "##vso[task.setvariable variable=OS_TYPE]$OS_TYPE" - - CONTAINER_RUNTIME=$(echo ${{ osType }} | cut -d '_' -f2 | tr -d '[:space:]') - echo "Container Runtime: $CONTAINER_RUNTIME" - echo "##vso[task.setvariable variable=CONTAINER_RUNTIME]$CONTAINER_RUNTIME" - displayName: 'Determine os type and container runtime' + displayName: 'Determine os type' - script: | # Download kubectl 
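Review bot: The `cut -d '_' -f1` kept in the `OS_TYPE=` line of the `.pipelines/templates/e2e-test-azure.yaml` hunk at `@@ -27,11 +27,7 @@` is a leftover of the `windows_docker`/`windows_containerd` naming that this commit retires. If no other pipeline still passes a suffixed osType to this template, the line can become `OS_TYPE=$(echo ${{ osType }} | tr -d '[:space:]')`. The `aks-setup.yaml` hunk at `@@ -71,11 +68,6 @@` has the same kind of leftover: `${EXTRA_ARGS:-}` is still expanded unquoted into `az aks nodepool add`, yet the only assignment visible in the hunk is the one being removed. Unless it is set elsewhere in that script, its value would now come only from the job environment, so dropping it from the command line is the safer form. Both script bodies continue outside their hunks.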
@@ -46,7 +42,6 @@ jobs: parameters: testClusterUpgrade: ${{ parameters.testClusterUpgrade }} testWithGPU: ${{ parameters.testWithGPU }} - containerRuntime: $(CONTAINER_RUNTIME) - template: assign-user-identity.yaml parameters: From 8296abd674fae7ae293d43c5c97d2ec8732f884c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 22 May 2024 23:53:43 +0000 Subject: [PATCH 25/37] chore: bump golang.org/x/crypto from 0.22.0 to 0.23.0 (#1559) Signed-off-by: dependabot[bot] Signed-off-by: Anish Ramasekar Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Anish Ramasekar --- go.mod | 6 +++--- go.sum | 12 ++++++------ test/e2e/go.mod | 8 ++++---- test/e2e/go.sum | 16 ++++++++-------- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/go.mod b/go.mod index 699b37438..2b1187408 100644 --- a/go.mod +++ b/go.mod @@ -19,7 +19,7 @@ require ( go.opentelemetry.io/otel v0.20.0 go.opentelemetry.io/otel/exporters/metric/prometheus v0.20.0 go.opentelemetry.io/otel/metric v0.20.0 - golang.org/x/crypto v0.22.0 + golang.org/x/crypto v0.23.0 golang.org/x/net v0.24.0 google.golang.org/grpc v1.59.0 gopkg.in/yaml.v3 v3.0.1 @@ -62,8 +62,8 @@ require ( go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index ebda63c60..f36e212fc 100644 --- a/go.sum +++ b/go.sum 
@@ -482,8 +482,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -622,8 +622,8 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -631,8 +631,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 1fe1a4fbd..c3a23d5f3 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -86,12 +86,12 @@ require ( go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.7.0 // indirect - golang.org/x/crypto v0.22.0 // indirect + golang.org/x/crypto v0.23.0 // indirect golang.org/x/net v0.24.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect - golang.org/x/sys v0.19.0 // indirect - golang.org/x/term v0.19.0 // indirect - golang.org/x/text v0.14.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index c5b674d77..2b21bc680 100644 --- a/test/e2e/go.sum 
+++ b/test/e2e/go.sum @@ -544,8 +544,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30= -golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -682,19 +682,19 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o= -golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q= -golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= -golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod 
h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 4ef5092217a67699e51643dd952cd88705d3a3ca Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 29 May 2024 00:21:53 -0700 Subject: [PATCH 26/37] feat: allow configuring default cloud environment (#1555) Signed-off-by: Anish Ramasekar --- cmd/main.go | 16 +++++++++++++--- pkg/provider/provider.go | 19 +++++++++---------- pkg/provider/provider_test.go | 16 ++++++++++------ pkg/server/server.go | 6 ++++-- 4 files changed, 36 insertions(+), 21 deletions(-) diff --git a/cmd/main.go b/cmd/main.go index 4404010ba..f7d8183e3 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -14,6 +14,8 @@ import ( "syscall" "time" + "github.com/Azure/go-autorest/autorest/azure" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/metrics" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/server" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/utils" @@ -49,6 +51,9 @@ var ( constructPEMChain = flag.Bool("construct-pem-chain", true, "explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT") writeCertAndKeyInSeparateFiles = flag.Bool("write-cert-and-key-in-separate-files", false, "Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file.") + + cloudName = flag.String("cloud-name", "AzurePublicCloud", "default cloud environment to use for Azure SDK if not provided in the SecretProviderClass. "+ + "Allowed values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud or AzureStackCloud") ) func main() { 
@@ -75,6 +80,12 @@ func main() { } klog.InfoS("Starting Azure Key Vault Provider", "version", version.BuildVersion) + cloudEnv, err := azure.EnvironmentFromName(*cloudName) + if err != nil { + klog.ErrorS(err, "failed validating default cloud environment", "cloudName", *cloudName) + os.Exit(1) + } + if *enableProfile { klog.InfoS("Starting profiling", "port", *profilePort) go func() { @@ -86,8 +97,7 @@ func main() { }() } // initialize metrics exporter before creating measurements - err := metrics.InitMetricsExporter(*metricsBackend, *prometheusPort) - if err != nil { + if err = metrics.InitMetricsExporter(*metricsBackend, *prometheusPort); err != nil { klog.ErrorS(err, "failed to initialize metrics exporter") os.Exit(1) } @@ -130,7 +140,7 @@ func main() { grpc.UnaryInterceptor(utils.LogInterceptor()), } s := grpc.NewServer(opts...) - csiDriverProviderServer := server.New(*constructPEMChain, *writeCertAndKeyInSeparateFiles) + csiDriverProviderServer := server.New(*constructPEMChain, *writeCertAndKeyInSeparateFiles, cloudEnv) k8spb.RegisterCSIDriverProviderServer(s, csiDriverProviderServer) // Register the health service. grpc_health_v1.RegisterHealthServer(s, csiDriverProviderServer) diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go index 31251dee9..3938cf355 100644 --- a/pkg/provider/provider.go +++ b/pkg/provider/provider.go @@ -42,6 +42,8 @@ type provider struct { constructPEMChain bool writeCertAndKeyInSeparateFiles bool + + defaultCloudEnvironment azure.Environment } // mountConfig holds the information for the mount event @@ -49,7 +51,7 @@ type mountConfig struct { // the name of the Azure Key Vault instance keyvaultName string // the type of azure cloud based on azure go sdk - azureCloudEnvironment *azure.Environment + azureCloudEnvironment azure.Environment // authConfig is the config parameters for accessing Key Vault authConfig auth.Config // tenantID in AAD 
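Review bot: The default environment is resolved once at startup in the `azure.EnvironmentFromName(*cloudName)` call, which makes `AzureStackCloud` a fragile value for `--cloud-name` even though the flag help lists it. For that cloud the lookup depends on `AZURE_ENVIRONMENT_FILEPATH` (the test in this patch expects an error when it is unset), and `GetSecretsStoreObjectContent` sets that variable only later, from `cloudEnvFileName`. With an AzureStackCloud default the process would therefore exit unless the variable is already in the container environment, and a later `cloudEnvFileName` would presumably not alter the default captured here. Because this value selects the Key Vault DNS suffix (and presumably the token endpoint) used when a SecretProviderClass omits the cloud name, I would log the resolved choice on success, `klog.InfoS("using default cloud environment", "cloudName", cloudEnv.Name)`, and state the AzureStackCloud requirement in the flag help. The body of `main` continues outside the hunk.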
@@ -67,24 +69,21 @@ type keyvaultObject struct { } // NewProvider creates a new provider -func NewProvider(constructPEMChain, writeCertAndKeyInSeparateFiles bool) Interface { +func NewProvider(constructPEMChain, writeCertAndKeyInSeparateFiles bool, defaultCloudEnvironment azure.Environment) Interface { return &provider{ reporter: metrics.NewStatsReporter(), constructPEMChain: constructPEMChain, writeCertAndKeyInSeparateFiles: writeCertAndKeyInSeparateFiles, + defaultCloudEnvironment: defaultCloudEnvironment, } } // parseAzureEnvironment returns azure environment by name -func parseAzureEnvironment(cloudName string) (*azure.Environment, error) { - var env azure.Environment - var err error +func (p *provider) parseAzureEnvironment(cloudName string) (azure.Environment, error) { if cloudName == "" { - env = azure.PublicCloud - } else { - env, err = azure.EnvironmentFromName(cloudName) + return p.defaultCloudEnvironment, nil } - return &env, err + return azure.EnvironmentFromName(cloudName) } func (mc *mountConfig) initializeKvClient(vaultURI string) (KeyVault, error) { @@ -148,7 +147,7 @@ func (p *provider) GetSecretsStoreObjectContent(ctx context.Context, attrib, sec if err != nil { return nil, fmt.Errorf("failed to set AZURE_ENVIRONMENT_FILEPATH env to %s, error %w", cloudEnvFileName, err) } - azureCloudEnv, err := parseAzureEnvironment(cloudName) + azureCloudEnv, err := p.parseAzureEnvironment(cloudName) if err != nil { return nil, fmt.Errorf("cloudName %s is not valid, error: %w", cloudName, err) } diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go index 1215646d6..beda8f1be 100644 --- a/pkg/provider/provider_test.go +++ b/pkg/provider/provider_test.go 
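Review bot: The comment above `parseAzureEnvironment` still says it returns the environment by name, but an empty `cloudName` now returns whatever `defaultCloudEnvironment` holds, and `NewProvider` stores that value unchecked. A provider built with a zero-value `azure.Environment` would hand back empty endpoint and Key Vault suffix fields with a nil error, where the old code fell back to `azure.PublicCloud`. cmd/main.go validates the flag before calling `server.New`, so this presumably only affects other constructors such as tests or importers of the package. I would change the comment to `// parseAzureEnvironment returns the environment named by cloudName, or the provider's configured default when cloudName is empty` and note on `NewProvider` that `defaultCloudEnvironment` must be an already-resolved environment.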
@@ -34,6 +34,7 @@ import ( func TestGetVaultURL(t *testing.T) { testEnvs := []string{"", "AZUREPUBLICCLOUD", "AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREUSGOVERNMENTCLOUD"} vaultDNSSuffix := []string{"vault.azure.net", "vault.azure.net", "vault.azure.cn", "vault.microsoftazure.de", "vault.usgovcloudapi.net"} + testProvider := provider{defaultCloudEnvironment: azure.PublicCloud} cases := []struct { desc string @@ -69,7 +70,7 @@ func TestGetVaultURL(t *testing.T) { } for idx := range testEnvs { - azCloudEnv, err := parseAzureEnvironment(testEnvs[idx]) + azCloudEnv, err := testProvider.parseAzureEnvironment(testEnvs[idx]) if err != nil { t.Fatalf("Error parsing cloud environment %v", err) } @@ -88,8 +89,10 @@ func TestGetVaultURL(t *testing.T) { func TestParseAzureEnvironment(t *testing.T) { envNamesArray := []string{"AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", ""} + testProvider := provider{defaultCloudEnvironment: azure.PublicCloud} + for _, envName := range envNamesArray { - azureEnv, err := parseAzureEnvironment(envName) + azureEnv, err := testProvider.parseAzureEnvironment(envName) if err != nil { t.Fatalf("expected no error, got %v", err) } @@ -101,7 +104,7 @@ func TestParseAzureEnvironment(t *testing.T) { } wrongEnvName := "AZUREWRONGCLOUD" - _, err := parseAzureEnvironment(wrongEnvName) + _, err := testProvider.parseAzureEnvironment(wrongEnvName) if err == nil { t.Fatalf("expected error for wrong azure environment name") } @@ -226,6 +229,7 @@ lKn75l/9h0PwiiPaI0TGKN2O8AwvhGGwDElmFhYtXedbbaST6rbVRDUj } func TestParseAzureEnvironmentAzureStackCloud(t *testing.T) { + testProvider := provider{defaultCloudEnvironment: azure.PublicCloud} azureStackCloudEnvName := "AZURESTACKCLOUD" file, err := os.CreateTemp("", "ut") defer os.Remove(file.Name()) 
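Review bot: Every test here builds the provider with `defaultCloudEnvironment: azure.PublicCloud`, which is exactly what the old code hard-coded, so the empty-name case in `TestParseAzureEnvironment` passes whether or not the configured default is honoured. Add a case with a different default, for example `p := provider{defaultCloudEnvironment: azure.USGovernmentCloud}`, and assert that `p.parseAzureEnvironment("")` returns an environment whose `Name` matches it. The same fixed default is used by `testProvider` in `TestGetVaultURL` and `TestParseAzureEnvironmentAzureStackCloud`, so neither of those exercises the new behaviour either.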
@@ -236,7 +240,7 @@ func TestParseAzureEnvironmentAzureStackCloud(t *testing.T) { if err != nil { t.Fatalf("expected error to be nil, got: %+v", err) } - _, err = parseAzureEnvironment(azureStackCloudEnvName) + _, err = testProvider.parseAzureEnvironment(azureStackCloudEnvName) if err == nil { t.Fatalf("expected error to be not nil as AZURE_ENVIRONMENT_FILEPATH is not set") } @@ -246,7 +250,7 @@ func TestParseAzureEnvironmentAzureStackCloud(t *testing.T) { if err != nil { t.Fatalf("expected error to be nil, got: %+v", err) } - env, err := parseAzureEnvironment(azureStackCloudEnvName) + env, err := testProvider.parseAzureEnvironment(azureStackCloudEnvName) if err != nil { t.Fatalf("expected error to be nil, got: %+v", err) } @@ -1250,7 +1254,7 @@ func TestGetSecretsStoreObjectContent(t *testing.T) { for _, tc := range cases { t.Run(tc.desc, func(t *testing.T) { - p := NewProvider(false, false) + p := NewProvider(false, false, azure.PublicCloud) _, err := p.GetSecretsStoreObjectContent(testContext(t), tc.parameters, tc.secrets, 0420) if tc.expectedErr { diff --git a/pkg/server/server.go b/pkg/server/server.go index 9aa03861c..936995def 100644 --- a/pkg/server/server.go +++ b/pkg/server/server.go @@ -5,6 +5,8 @@ import ( "fmt" "os" + "github.com/Azure/go-autorest/autorest/azure" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/provider" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/version" 
@@ -24,9 +26,9 @@ type CSIDriverProviderServer struct { } // New returns an instance of CSIDriverProviderServer -func New(constructPEMChain, writeCertAndKeyInSeparateFiles bool) *CSIDriverProviderServer { +func New(constructPEMChain, writeCertAndKeyInSeparateFiles bool, defaultCloudEnvironment azure.Environment) *CSIDriverProviderServer { return &CSIDriverProviderServer{ - provider: provider.NewProvider(constructPEMChain, writeCertAndKeyInSeparateFiles), + provider: provider.NewProvider(constructPEMChain, writeCertAndKeyInSeparateFiles, defaultCloudEnvironment), } } From 571cde60cb87b75d9a2ae9e9a1817ee0a5202d4b Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 4 Jun 2024 14:30:17 -0700 Subject: [PATCH 27/37] ci: increase days-before-stale to 60 (#1579) Signed-off-by: Anish Ramasekar --- .github/workflows/stale.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 4a9e7a517..bf043d2a7 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -19,7 +19,7 @@ jobs: - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0 with: - days-before-stale: 14 + days-before-stale: 60 days-before-close: 7 operations-per-run: 100 exempt-issue-labels: 'known-issue,enhancement' From 9616f7049c3ca0880b819f62f377b4115542900e Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Tue, 25 Jun 2024 10:21:59 -0700 Subject: [PATCH 28/37] test: move all tests to use workload identity (#1578) 
Signed-off-by: Anish Ramasekar --- .pipelines/templates/aks-setup.yaml | 7 +- .pipelines/templates/create-fic.yaml | 25 +++++++ .pipelines/templates/e2e-test-azure.yaml | 2 + go.mod | 23 +++---- go.sum | 59 ++++++++--------- test/e2e/auto_rotation_test.go | 26 +++----- test/e2e/certificates_test.go | 32 ++++----- test/e2e/custom_cloudenv_test.go | 32 ++++----- test/e2e/framework/config.go | 6 +- test/e2e/framework/keyvault/keyvault.go | 6 +- test/e2e/go.mod | 23 +++---- test/e2e/go.sum | 56 ++++++++-------- test/e2e/key_test.go | 65 ++++++++----------- ...tiple_secret_versions_autorotation_test.go | 24 +++---- test/e2e/multiple_secret_versions_test.go | 23 ++----- test/e2e/secret_file_permission_test.go | 24 ++----- test/e2e/secret_test.go | 25 +++---- 17 files changed, 208 insertions(+), 250 deletions(-) create mode 100644 .pipelines/templates/create-fic.yaml diff --git a/.pipelines/templates/aks-setup.yaml b/.pipelines/templates/aks-setup.yaml index 0bd727676..120a7f769 100644 --- a/.pipelines/templates/aks-setup.yaml +++ b/.pipelines/templates/aks-setup.yaml @@ -59,13 +59,18 @@ steps: --load-balancer-sku standard \ --network-plugin azure \ --max-pods $(MAX_PODS) \ - --load-balancer-managed-outbound-ip-count 6 + --load-balancer-managed-outbound-ip-count 6 \ + --enable-oidc-issuer MASTERIP=$(az aks show \ -g ${AZURE_CLUSTER_NAME} \ -n ${AZURE_CLUSTER_NAME} \ --query 'fqdn' -o tsv) echo "##vso[task.setvariable variable=MASTERIP]${MASTERIP}" echo "##vso[task.setvariable variable=MASTERINTERNALIP]${MASTERIP}" + + OIDC_ISSUER_URL=$(az aks show -g ${AZURE_CLUSTER_NAME} -n ${AZURE_CLUSTER_NAME} --query "oidcIssuerProfile.issuerUrl" -otsv) + echo "##vso[task.setvariable variable=OIDC_ISSUER_URL]${OIDC_ISSUER_URL}" + echo "OIDC_ISSUER_URL=${OIDC_ISSUER_URL}" if [[ "$(OS_TYPE)" == "windows" ]]; then az aks nodepool add -g ${AZURE_CLUSTER_NAME} --cluster-name ${AZURE_CLUSTER_NAME} --os-type Windows --name win --node-count 1 ${EXTRA_ARGS:-} > /dev/null 
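Review bot: `OIDC_ISSUER_URL` is published as a pipeline variable without checking that the `az aks show` query returned anything. create-fic.yaml later passes it as `--issuer` for every federated credential, so an empty value only surfaces there, or as token-exchange failures in the tests. A guard right after the assignment keeps the failure at its source: `[ -n "${OIDC_ISSUER_URL}" ] || { echo "OIDC issuer URL is empty"; exit 1; }`. The start of this script is outside the hunk, so whether it already runs with `set -e` cannot be told from here.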
diff --git a/.pipelines/templates/create-fic.yaml b/.pipelines/templates/create-fic.yaml new file mode 100644 index 000000000..a694b0679 --- /dev/null +++ b/.pipelines/templates/create-fic.yaml 
@@ -0,0 +1,25 @@ +steps: + - script: | + echo "Creating user-assigned managed identity" + user_msi_name="${AZURE_CLUSTER_NAME}-msi-for-wi" + user_msi_principal_id=$(az identity create -g ${CLUSTER_RESOURCE_GROUP} -n $user_msi_name --subscription ${SUBSCRIPTION_ID} --query principalId -otsv) + + # Create federated identity credentials for all service account namespace/name used in e2e tests + # In future if we have more service accounts/namespace, we need to add them here as well + az identity federated-credential create --name fic-secret-test --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:secret-test:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-secret-file-permission --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:secret-file-permission:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-multiversionsecret --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:multiversionsecret:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-multiversionautorotation --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:multiversionautorotation:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-key-test --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:key-test:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-custom-cloud-test --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:custom-cloud-test:default" 
--audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-certificates-test --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:certificates-test:default" --audiences api://AzureADTokenExchange + az identity federated-credential create --name fic-autorotation --identity-name $user_msi_name -g ${CLUSTER_RESOURCE_GROUP} --issuer ${OIDC_ISSUER_URL} --subject "system:serviceaccount:autorotation:default" --audiences api://AzureADTokenExchange + + # Create role assignment for the user-assigned managed identity + az keyvault set-policy -n ${KEYVAULT_NAME} --object-id $user_msi_principal_id --secret-permissions get list set --key-permissions get list --certificate-permissions get list + + # set the user-assigned managed identity client id as a variable + AZURE_CLIENT_ID=$(az identity show -g ${CLUSTER_RESOURCE_GROUP} -n $user_msi_name --subscription $(SUBSCRIPTION_ID) --query clientId -otsv) + echo "##vso[task.setvariable variable=AZURE_CLIENT_ID]$AZURE_CLIENT_ID" + + displayName: "Create managed identity and FICs" diff --git a/.pipelines/templates/e2e-test-azure.yaml b/.pipelines/templates/e2e-test-azure.yaml index c010223dc..2a2d94930 100644 --- a/.pipelines/templates/e2e-test-azure.yaml +++ b/.pipelines/templates/e2e-test-azure.yaml @@ -49,6 +49,8 @@ jobs: - template: role-assignment.yaml + - template: create-fic.yaml + # Run e2e tests with Released Version - template: e2e-test.yaml parameters: diff --git a/go.mod b/go.mod index 2b1187408..86a96f47c 100644 --- a/go.mod +++ b/go.mod 
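Review bot: The script in create-fic.yaml has no `set -euo pipefail`, so a failed `az identity create` leaves `user_msi_principal_id` empty while the federated-credential and `az keyvault set-policy` calls still run, and the step can end green on the final `echo`. Put `set -euo pipefail` on the first line of the script. The `az identity show` call uses the pipeline macro `$(SUBSCRIPTION_ID)` while `az identity create` uses the shell variable `${SUBSCRIPTION_ID}`; pick one form so both resolve the same way. The access policy also grants `set` on secrets and `list` on secrets, keys and certificates to an identity that the `default` service account of every test namespace can federate into. If the workload pods only read objects, `get` would be enough, which is worth confirming against what the e2e tests write through this identity.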
@@ -3,8 +3,8 @@ module github.com/Azure/secrets-store-csi-driver-provider-azure go 1.19 require ( - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v0.10.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.11.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0 @@ -15,12 +15,12 @@ require ( github.com/golang/mock v1.6.0 github.com/google/go-cmp v0.5.9 github.com/pkg/errors v0.9.1 - github.com/stretchr/testify v1.8.2 + github.com/stretchr/testify v1.9.0 go.opentelemetry.io/otel v0.20.0 go.opentelemetry.io/otel/exporters/metric/prometheus v0.20.0 go.opentelemetry.io/otel/metric v0.20.0 - golang.org/x/crypto v0.23.0 - golang.org/x/net v0.24.0 + golang.org/x/crypto v0.24.0 + golang.org/x/net v0.26.0 google.golang.org/grpc v1.59.0 gopkg.in/yaml.v3 v3.0.1 k8s.io/component-base v0.25.3 @@ -29,12 +29,12 @@ require ( ) require ( - github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect 
@@ -42,12 +42,13 @@ require ( github.com/go-logr/zapr v1.2.3 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/uuid v1.3.1 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect github.com/kylelemons/godebug v1.1.0 // indirect github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect - github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/prometheus/client_golang v1.12.2 // indirect github.com/prometheus/client_model v0.2.0 // indirect @@ -62,8 +63,8 @@ require ( go.uber.org/atomic v1.10.0 // indirect go.uber.org/multierr v1.8.0 // indirect go.uber.org/zap v1.24.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index f36e212fc..2607f502c 100644 --- a/go.sum +++ b/go.sum 
@@ -31,12 +31,12 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v0.10.0 h1:aU/OphkY5gszb4yEosR/HJdKuDU6zcEGmKqCp8A784w= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v0.10.0/go.mod h1:wS21P881yxQa4YNdbX1yP0gTcwWGUDhOAyzI6QaL4c0= 
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.11.0 h1:efdSCWUBtk2FUUIlEfZhRQyVIM3Ts8lA3vaF18amnwo= @@ -63,8 +63,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= 
@@ -119,7 +119,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= @@ -163,6 +162,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -222,8 +223,8 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= @@ -282,6 +283,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxv github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -319,7 +321,6 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo= @@ -341,8 +342,8 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -386,6 +387,7 @@ github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= 
@@ -410,16 +412,12 @@ github.com/streadway/amqp v0.0.0-20190827072141-edfb9018d271/go.mod h1:AZpEONHx3 github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5JnDBl6z3cMAg/SywNDC5ABu5ApDIw6lUbRmI= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= +github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= 
@@ -482,8 +480,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -554,8 +552,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w= -golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8= +golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -620,10 +618,10 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -631,8 +629,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -784,7 +782,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI= gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys= 
@@ -801,7 +799,6 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/e2e/auto_rotation_test.go b/test/e2e/auto_rotation_test.go index 1da178bba..536bda9ea 100644 --- a/test/e2e/auto_rotation_test.go +++ b/test/e2e/auto_rotation_test.go @@ -39,7 +39,7 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) 
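Review bot: The `BeforeEach` in auto_rotation_test.go now passes `Name: specName` to `namespace.CreateWithName`, which by its name appears to create the namespace under that exact name rather than a generated one; the helper is not visible here, so this is inferred. If so, a namespace left behind by an aborted run, or two runs sharing one cluster, would collide on create. certificates_test.go and custom_cloudenv_test.go make the same switch and pin `specName` to `certificates-test` and `custom-cloud-test`. If the fixed name is needed because the identity federation is bound to a specific namespace and service account, record that next to the call, e.g. `// fixed name: must match the federated credential configured for this spec`, and make sure cleanup waits for the namespace to be deleted. The `Describe` body continues outside the hunk.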
@@ -54,20 +54,12 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() }) }) - It("should auto rotate mount contents with service principal", func() { + It("should auto rotate mount contents with workload identity", func() { if config.IsKindCluster { Skip("test case not supported for kind cluster") } - nodePublishSecretRef := secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - - secretName := fmt.Sprintf("secret-sp-%s", utilrand.String(randomLength)) + secretName := fmt.Sprintf("secret-wi-%s", utilrand.String(randomLength)) // create secret in keyvault err := kvClient.SetSecret(secretName, "secret") Expect(err).To(BeNil()) @@ -119,17 +111,17 @@ var _ = Describe("Test auto rotation of mount contents and K8s secrets", func() types.ObjectsParameter: string(objects), types.UsePodIdentityParameter: "false", types.UseVMManagedIdentityParameter: "false", + types.ClientIDParameter: config.AzureClientID, }, }, }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ diff --git a/test/e2e/certificates_test.go b/test/e2e/certificates_test.go index d4b28ecdf..d92ea13fb 100644 --- a/test/e2e/certificates_test.go +++ b/test/e2e/certificates_test.go 
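Review bot: The spec renamed to `should auto rotate mount contents with workload identity` replaces the service-principal case instead of being added beside it, so rotation through `NodePublishSecretRefName` no longer has coverage in this file. certificates_test.go and custom_cloudenv_test.go drop the same `secrets-store-creds` secret from their `BeforeEach`. If that authentication mode is still supported by the provider, keep at least one spec that exercises it, or say in the commit description that it is intentionally untested. The added `types.ClientIDParameter: config.AzureClientID` reuses a value that previously identified the service principal; a comment beside it such as `// client ID of the identity federated with this spec's service account` would record the new meaning, if that is what it now is. Both hunks cut through the spec body, which continues outside them.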
@@ -13,7 +13,6 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/openssl" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" - "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secret" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secretproviderclass" "github.com/ghodss/yaml" @@ -25,27 +24,18 @@ import ( var _ = Describe("When fetching certificates and private key from Key Vault", func() { var ( - specName = "certificates" - spc *v1alpha1.SecretProviderClass - ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret - p *corev1.Pod + specName = "certificates-test" + spc *v1alpha1.SecretProviderClass + ns *corev1.Namespace + p *corev1.Pod ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "pemcert1", 
@@ -124,17 +114,17 @@ var _ = Describe("When fetching certificates and private key from Key Vault", fu types.KeyVaultNameParameter: config.KeyvaultName, types.TenantIDParameter: config.TenantID, types.ObjectsParameter: string(objects), + types.ClientIDParameter: config.AzureClientID, }, }, }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd-certs", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd-certs", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) }) diff --git a/test/e2e/custom_cloudenv_test.go b/test/e2e/custom_cloudenv_test.go index fc7561d5b..87fe46164 100644 --- a/test/e2e/custom_cloudenv_test.go +++ b/test/e2e/custom_cloudenv_test.go @@ -10,7 +10,6 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" - "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secret" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secretproviderclass" "github.com/ghodss/yaml" 
@@ -22,27 +21,18 @@ import ( var _ = Describe("When deploying SecretProviderClass CRD with secrets for custom cloud environment", func() { var ( - specName = "secret" - spc *v1alpha1.SecretProviderClass - ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret - p *corev1.Pod + specName = "custom-cloud-test" + spc *v1alpha1.SecretProviderClass + ns *corev1.Namespace + p *corev1.Pod ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", @@ -78,17 +68,17 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets for custom types.CloudNameParameter: "AzureStackCloud", types.CloudEnvFileNameParameter: config.AzureEnvironmentFilePath, types.ObjectsParameter: string(objects), + types.ClientIDParameter: config.AzureClientID, }, }, }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) }) diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index 8d4af1cca..bdcc99d39 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go 
@@ -13,7 +13,6 @@ import ( type Config struct { SubscriptionID string `envconfig:"SUBSCRIPTION_ID"` AzureClientID string `envconfig:"AZURE_CLIENT_ID"` - AzureClientSecret string `envconfig:"AZURE_CLIENT_SECRET"` TenantID string `envconfig:"TENANT_ID"` KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` @@ -36,13 +35,15 @@ type Config struct { IsBackwardCompatibilityTest bool `envconfig:"IS_BACKWARD_COMPATIBILITY_TEST"` AzureEnvironmentFilePath string `envconfig:"AZURE_ENVIRONMENT_FILEPATH"` IsArcTest bool `envconfig:"IS_ARC_TEST" default:"false"` + + // KeyvaultClientID is the client ID of the service principal used to access the keyvault + KeyvaultClientID string `envconfig:"KEYVAULT_CLIENT_ID" default:"878afdc6-3fc3-4c3e-be5c-f28377892326"` } func (c *Config) DeepCopy() *Config { copy := new(Config) copy.SubscriptionID = c.SubscriptionID copy.AzureClientID = c.AzureClientID - copy.AzureClientSecret = c.AzureClientSecret copy.TenantID = c.TenantID copy.KeyvaultName = c.KeyvaultName copy.Registry = c.Registry @@ -65,6 +66,7 @@ func (c *Config) DeepCopy() *Config { copy.AzureEnvironmentFilePath = c.AzureEnvironmentFilePath copy.IsHelmTest = c.IsHelmTest copy.IsArcTest = c.IsArcTest + copy.KeyvaultClientID = c.KeyvaultClientID return copy } diff --git a/test/e2e/framework/keyvault/keyvault.go b/test/e2e/framework/keyvault/keyvault.go index f037459a2..b49dea1e2 100644 --- a/test/e2e/framework/keyvault/keyvault.go +++ b/test/e2e/framework/keyvault/keyvault.go 
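Review bot: The new `KeyvaultClientID` field in config.go hard-codes an environment-specific identity through `default:"878afdc6-3fc3-4c3e-be5c-f28377892326"`. A client ID is not a secret, but with this default a run where `KEYVAULT_CLIENT_ID` is unset quietly targets one particular identity instead of reporting a missing setting, and the value ties the public test framework to one tenant's resources. Replacing the `default:"…"` tag with `required:"true"` and supplying the value from the CI environment would make the dependency explicit. The field comment also says "service principal" while `NewClient` in keyvault.go passes the value to a managed identity credential; `// KeyvaultClientID is the client ID of the user-assigned managed identity the e2e harness uses to access the keyvault` would match the use.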
@@ -32,15 +32,15 @@ type client struct { } func NewClient(config *framework.Config) Client { - opts := &azidentity.ClientSecretCredentialOptions{ + opts := &azidentity.ManagedIdentityCredentialOptions{ ClientOptions: azcore.ClientOptions{ Cloud: cloud.Configuration{ ActiveDirectoryAuthorityHost: azure.PublicCloud.ActiveDirectoryEndpoint, }, }, + ID: azidentity.ClientID(config.KeyvaultClientID), } - - cred, err := azidentity.NewClientSecretCredential(config.TenantID, config.AzureClientID, config.AzureClientSecret, opts) + cred, err := azidentity.NewManagedIdentityCredential(opts) Expect(err).To(BeNil()) c, err := azsecrets.NewClient(getVaultURL(config.KeyvaultName), cred, nil) diff --git a/test/e2e/go.mod b/test/e2e/go.mod index c3a23d5f3..105fa13f6 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -3,8 +3,8 @@ module github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e go 1.19 require ( - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0 github.com/Azure/go-autorest/autorest v0.11.28 github.com/Azure/go-autorest/autorest/to v0.4.0 
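Review bot: `NewClient` in keyvault.go can now obtain a token only on a host that has the managed identity named by `config.KeyvaultClientID` attached, and nothing in the hunk checks for that. As far as I know `NewManagedIdentityCredential` does not contact the identity endpoint at construction, so the `Expect(err).To(BeNil())` that follows would pass even where no such identity exists, and the failure would surface later as an authentication error from the first vault call such as `SetSecret`. Consider requesting a token once inside `NewClient` and failing with a message that names `KEYVAULT_CLIENT_ID`, so a misconfigured runner is reported at setup rather than mid-spec. The retained `ActiveDirectoryAuthorityHost` cloud setting is probably not consulted for managed identity and could be dropped if that is confirmed. The function body continues past the hunk.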
@@ -23,14 +23,14 @@ require ( ) require ( - github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect + github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect github.com/PuerkitoBio/purell v1.1.1 // indirect github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect github.com/beorn7/perks v1.0.1 // indirect @@ -48,12 +48,13 @@ require ( github.com/go-openapi/swag v0.19.14 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect + github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect github.com/google/gnostic v0.5.7-v3refs // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect - github.com/google/uuid v1.3.1 // indirect + github.com/google/uuid v1.6.0 // indirect github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect github.com/imdario/mergo v0.3.12 // indirect github.com/inconshreveable/mousetrap v1.0.1 // indirect 
@@ -67,7 +68,7 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect + github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.12.2 // indirect github.com/prometheus/client_model v0.2.0 // indirect @@ -86,12 +87,12 @@ require ( go.opentelemetry.io/otel/sdk/metric v0.20.0 // indirect go.opentelemetry.io/otel/trace v0.20.0 // indirect go.opentelemetry.io/proto/otlp v0.7.0 // indirect - golang.org/x/crypto v0.23.0 // indirect - golang.org/x/net v0.24.0 // indirect + golang.org/x/crypto v0.24.0 // indirect + golang.org/x/net v0.26.0 // indirect golang.org/x/oauth2 v0.11.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230822172742-b8732ec3820d // indirect diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 2b21bc680..3b5c0e06e 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
@@ -31,12 +31,12 @@ cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohl cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0 h1:8kDqDngH+DmVBiCtIjCFTGa7MBnsIOkF9IccInFEbjk= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0 h1:XY0plaTx8oeipK+XogAck2Qzv39KdnJNBwrxC4A0GL4= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0/go.mod h1:tj2JhpZY+NjcQcZ207YHkfwYuivmTrcj5ZNpQxpT3Qk= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal 
v0.8.0 h1:T028gtTPiYt/RMUfs8nVsAL7FDQrfLlrm/NnRG/zcC4= @@ -59,8 +59,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 h1:OBhqkivkhkMqLPymWEppkm7vgPQY2XsHoEkaMQ0AdZY= -github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU= +github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= 
@@ -124,7 +124,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= @@ -190,6 +189,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= 
@@ -253,8 +254,8 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= -github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= @@ -325,6 +326,7 @@ github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxv github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -373,7 +375,6 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= -github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= @@ -404,8 +405,8 @@ github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtP github.com/performancecopilot/speed v3.0.0+incompatible/go.mod h1:/CLtqpZ5gBg1M9iaPbIdPPGyKcA8hKdoy6hAWba7Yac= github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0jef7pBehbT1qWhCMrIgbYNnFAZCqQ5LRc= github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU= -github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= +github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
@@ -450,6 +451,7 @@ github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqn github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= +github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= @@ -481,7 +483,7 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA= github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= 
@@ -544,8 +546,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -615,8 +617,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -680,21 +682,21 @@ golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -858,8 +860,8 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
diff --git a/test/e2e/key_test.go b/test/e2e/key_test.go
index a8bbfde5e..765388928 100644
--- a/test/e2e/key_test.go
+++ b/test/e2e/key_test.go
@@ -10,7 +10,6 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" - "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secret" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secretproviderclass" "github.com/ghodss/yaml" @@ -22,27 +21,18 @@ import ( var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { var ( - specName = "key" - spc *v1alpha1.SecretProviderClass - ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret - p *corev1.Pod + specName = "key-test" + spc *v1alpha1.SecretProviderClass + ns *corev1.Namespace + p *corev1.Pod ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "key1", @@ -76,6 +66,7 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { types.KeyVaultNameParameter: config.KeyvaultName, types.TenantIDParameter: config.TenantID, types.ObjectsParameter: string(objects), + types.ClientIDParameter: config.AzureClientID, }, }, }) 
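Review bot: The `BeforeEach` in test/e2e/key_test.go now calls `namespace.CreateWithName` with `specName = "key-test"`, so every spec in this container appears to run in the same fixed namespace, and nothing in the hunk records why the name must be fixed. If the reason is that the workload identity federated credential is bound to a specific namespace and service account (presumably, given that the hunk also replaces the client-secret Secret with `types.ClientIDParameter`), a comment above the call would say so, e.g. `// fixed name: must match the namespace in the federated identity credential subject`. A fixed name also means a namespace left behind or still terminating from an earlier run can collide with the next `BeforeEach`; whether the helper handles that cannot be seen here, since its implementation is outside the hunk. The same pattern appears in the other e2e test files changed by this patch.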
@@ -92,12 +83,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { It("should read key from pod", func() { p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ @@ -116,12 +106,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { It("should read key from pod with alias", func() { p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ @@ -168,12 +157,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ 
@@ -222,12 +210,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with keys", func() { }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ diff --git a/test/e2e/multiple_secret_versions_autorotation_test.go b/test/e2e/multiple_secret_versions_autorotation_test.go index e4365045a..40671bd4d 100644 --- a/test/e2e/multiple_secret_versions_autorotation_test.go +++ b/test/e2e/multiple_secret_versions_autorotation_test.go @@ -43,7 +43,7 @@ var _ = Describe("[ObjectVersionHistory] Test auto rotation of mount contents an Skip("functionality not yet supported in release version") } - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) @@ -58,19 +58,11 @@ var _ = Describe("[ObjectVersionHistory] Test auto rotation of mount contents an }) }) - It("should auto rotate mount contents with service principal", func() { + It("should auto rotate mount contents with workload identity", func() { if config.IsKindCluster { Skip("test case not supported for kind cluster") } - nodePublishSecretRef := secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - secretName := fmt.Sprintf("secret-sp-%s", utilrand.String(multipleSecretsRandomLength)) // create secret in keyvault err := kvClient.SetSecret(secretName, "secret") 
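Review bot: In test/e2e/multiple_secret_versions_autorotation_test.go the spec is renamed to "should auto rotate mount contents with workload identity", but the context line `secretName := fmt.Sprintf("secret-sp-%s", ...)` still carries the service-principal prefix. Renaming it, for example to `fmt.Sprintf("secret-wi-%s", utilrand.String(multipleSecretsRandomLength))`, keeps the Key Vault objects this test creates attributable to the right auth mode when the vault is cleaned up or audited. The `It` body continues outside the hunk.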
@@ -124,17 +116,17 @@ var _ = Describe("[ObjectVersionHistory] Test auto rotation of mount contents an "objects": string(objects), "usePodIdentity": "false", "useVMManagedIdentity": "false", + "clientID": config.AzureClientID, }, }, }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) pod.WaitFor(pod.WaitForInput{ diff --git a/test/e2e/multiple_secret_versions_test.go b/test/e2e/multiple_secret_versions_test.go index 2a9f24445..dc7dc5820 100644 --- a/test/e2e/multiple_secret_versions_test.go +++ b/test/e2e/multiple_secret_versions_test.go @@ -25,7 +25,6 @@ var _ = Describe("[ObjectVersionHistory] When deploying SecretProviderClass CRD specName = "multiversionsecret" spc *v1alpha1.SecretProviderClass ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret p *corev1.Pod syncTLSSecretName = "sync-tls-secret" syncOpaqueSecretName = "sync-opaque-secret" @@ -36,19 +35,11 @@ var _ = Describe("[ObjectVersionHistory] When deploying SecretProviderClass CRD Skip("functionality not yet supported in release version") } - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", 
@@ -89,6 +80,7 @@ var _ = Describe("[ObjectVersionHistory] When deploying SecretProviderClass CRD "keyvaultName": config.KeyvaultName, "tenantId": config.TenantID, "objects": string(objects), + "clientID": config.AzureClientID, }, SecretObjects: []*v1alpha1.SecretObject{ { @@ -120,12 +112,11 @@ var _ = Describe("[ObjectVersionHistory] When deploying SecretProviderClass CRD }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) }) diff --git a/test/e2e/secret_file_permission_test.go b/test/e2e/secret_file_permission_test.go index 0ee46cabe..71178671d 100644 --- a/test/e2e/secret_file_permission_test.go +++ b/test/e2e/secret_file_permission_test.go @@ -11,7 +11,6 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/exec" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/namespace" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/pod" - "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secret" "github.com/Azure/secrets-store-csi-driver-provider-azure/test/e2e/framework/secretproviderclass" "github.com/ghodss/yaml" 
@@ -26,25 +25,16 @@ var _ = Describe("When user provides file permission for secrets", func() { specName = "secret-file-permission" spc *v1alpha1.SecretProviderClass ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret p *corev1.Pod expectedFilePermission = "755" ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", @@ -74,17 +64,17 @@ var _ = Describe("When user provides file permission for secrets", func() { types.KeyVaultNameParameter: config.KeyvaultName, types.TenantIDParameter: config.TenantID, types.ObjectsParameter: string(objects), + types.ClientIDParameter: config.AzureClientID, }, }, }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) }) diff --git a/test/e2e/secret_test.go b/test/e2e/secret_test.go index 120d6bfe0..d7ab0a2e2 100644 --- a/test/e2e/secret_test.go +++ b/test/e2e/secret_test.go 
@@ -22,29 +22,20 @@ import ( var _ = Describe("When deploying SecretProviderClass CRD with secrets", func() { var ( - specName = "secret" + specName = "secret-test" spc *v1alpha1.SecretProviderClass ns *corev1.Namespace - nodePublishSecretRef *corev1.Secret p *corev1.Pod syncTLSSecretName = "sync-tls-secret" syncOpaqueSecretName = "sync-opaque-secret" ) BeforeEach(func() { - ns = namespace.Create(namespace.CreateInput{ + ns = namespace.CreateWithName(namespace.CreateInput{ Creator: kubeClient, Name: specName, }) - nodePublishSecretRef = secret.Create(secret.CreateInput{ - Creator: kubeClient, - Name: "secrets-store-creds", - Namespace: ns.Name, - Data: map[string][]byte{"clientid": []byte(config.AzureClientID), "clientsecret": []byte(config.AzureClientSecret)}, - Labels: map[string]string{"secrets-store.csi.k8s.io/used": "true"}, - }) - keyVaultObjects := []types.KeyVaultObject{ { ObjectName: "secret1", @@ -82,6 +73,7 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets", func() { types.KeyVaultNameParameter: config.KeyvaultName, types.TenantIDParameter: config.TenantID, types.ObjectsParameter: string(objects), + types.ClientIDParameter: config.AzureClientID, }, SecretObjects: []*v1alpha1.SecretObject{ { @@ -113,12 +105,11 @@ var _ = Describe("When deploying SecretProviderClass CRD with secrets", func() { }) p = pod.Create(pod.CreateInput{ - Creator: kubeClient, - Config: config, - Name: "busybox-secrets-store-inline-crd", - Namespace: ns.Name, - SecretProviderClassName: spc.Name, - NodePublishSecretRefName: nodePublishSecretRef.Name, + Creator: kubeClient, + Config: config, + Name: "busybox-secrets-store-inline-crd", + Namespace: ns.Name, + SecretProviderClassName: spc.Name, }) }) From 95ec8b6da359f1f01984088e4f5b8bb77b759c35 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 25 Jun 2024 16:09:49 -0700 Subject: [PATCH 29/37] chore: bumps monitoring images (#1603) 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../templates/arc-monitoring.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index f2e56bc57..3727e43d8 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -24,7 +24,7 @@ spec: containers: # Prom MDM Converter - name: prom-mdm-converter - image: "upstreamarc.azurecr.io/prom-mdm-converter:v1.0.2" + image: "upstreamarc.azurecr.io/prom-mdm-converter:v1.0.3" imagePullPolicy: IfNotPresent env: - name: SERVER_PORT @@ -35,7 +35,7 @@ spec: {{- toYaml .Values.promMdmConverter.resources | nindent 12 }} # MDM - name: mdm - image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2023.1027.1417-08a588-20231027t1613" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2024.614.1547-8b8fd6-20240614t1655" imagePullPolicy: IfNotPresent env: - name: ROLEINSTANCE @@ -55,7 +55,7 @@ spec: {{- toYaml .Values.mdm.resources | nindent 12 }} # MSI Adapter - name: msi-adapter - image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" + image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.10" imagePullPolicy: IfNotPresent env: - name: TOKEN_NAMESPACE @@ -83,7 +83,7 @@ spec: {{- end }} # Telegraf - name: telegraf - image: "mcr.microsoft.com/oss/mirror/docker.io/library/telegraf:1.21" + image: "mcr.microsoft.com/mirror/docker/library/telegraf:1.28" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.telegraf.resources | nindent 12 }} 
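Review bot: The telegraf line changes the source repository as well as the tag (`mcr.microsoft.com/oss/mirror/docker.io/library/telegraf:1.21` becomes `mcr.microsoft.com/mirror/docker/library/telegraf:1.28`), and `1.28` looks like a minor-series tag rather than a patch version. With `imagePullPolicy: IfNotPresent`, nodes that pull at different times can end up running different builds under the same tag. Pinning by digest, `image: "mcr.microsoft.com/mirror/docker/library/telegraf:1.28@sha256:<digest-of-reviewed-image>"`, would make the reviewed image the one that runs. The same applies to the other sidecar images bumped in this file and to the identical hunks under `charts/` in the following release patch.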
@@ -93,7 +93,7 @@ spec: subPath: telegraf.conf # Pipeline agent for logging - name: amacoreagent - image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47" + image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.3.52" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.amacoreagent.resources | nindent 12 }} @@ -157,7 +157,7 @@ spec: mountPath: /var/run/mdsd # FluentD - name: fluentd - image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20230915.3" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20240524.1" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.fluentd.resources | nindent 12 }} From 1731e669df1ff0ee1dd5fc392d895fe14f4f6a28 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 26 Jun 2024 11:23:54 -0700 Subject: [PATCH 30/37] release: update manifest and helm charts for v1.5.3 (#1604) Signed-off-by: Anish Ramasekar --- Makefile | 2 +- charts/csi-secrets-store-provider-azure/Chart.lock | 6 +++--- charts/csi-secrets-store-provider-azure/Chart.yaml | 6 +++--- charts/csi-secrets-store-provider-azure/README.md | 10 +++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../templates/arc-monitoring.yaml | 12 ++++++------ charts/csi-secrets-store-provider-azure/values.yaml | 10 +++++----- deployment/provider-azure-installer-windows.yaml | 2 +- deployment/provider-azure-installer.yaml | 2 +- .../csi-secrets-store-provider-azure/Chart.lock | 6 +++--- .../csi-secrets-store-provider-azure/Chart.yaml | 6 +++--- .../csi-secrets-store-provider-azure/README.md | 10 +++++----- .../csi-secrets-store-provider-azure/arc-values.yaml | 10 +++++----- .../csi-secrets-store-provider-azure/values.yaml | 10 +++++----- .../deployment/provider-azure-installer-windows.yaml | 2 +- .../deployment/provider-azure-installer.yaml | 2 +- test/e2e/framework/config.go | 2 +- 17 files changed, 54 insertions(+), 54 deletions(-) 
diff --git a/Makefile b/Makefile index c8b2b3089..cad7b6e44 100644 --- a/Makefile +++ b/Makefile @@ -8,7 +8,7 @@ REPO_PATH="$(ORG_PATH)/$(PROJECT_NAME)" REGISTRY_NAME ?= upstream REPO_PREFIX ?= k8s/csi/secrets-store REGISTRY ?= $(REGISTRY_NAME).azurecr.io/$(REPO_PREFIX) -IMAGE_VERSION ?= v1.5.2 +IMAGE_VERSION ?= v1.5.3 IMAGE_NAME ?= provider-azure CONFORMANCE_IMAGE_NAME ?= provider-azure-arc-conformance IMAGE_TAG := $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_VERSION) diff --git a/charts/csi-secrets-store-provider-azure/Chart.lock b/charts/csi-secrets-store-provider-azure/Chart.lock index 4af43864b..84688a861 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.3 -digest: sha256:7e4867144ee8d28abcfe2d8517d379e34500ebaa2be0121a2eda5f3da5723110 -generated: "2024-04-18T09:11:04.509219-07:00" + version: 1.4.4 +digest: sha256:31bf604e6f6fd0e4b342b5d62b8a74420da2c7fee2360d5c23186ae04fc8f1a6 +generated: "2024-06-25T17:45:23.132725-07:00" diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 4cf0dbde5..1727a65c9 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.4 -appVersion: 1.5.2 +version: 1.5.5 +appVersion: 1.5.3 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.3 + version: 1.4.4 condition: secrets-store-csi-driver.install 
diff --git a/charts/csi-secrets-store-provider-azure/README.md b/charts/csi-secrets-store-provider-azure/README.md index 7e1578b47..f2b2c9855 100644 --- a/charts/csi-secrets-store-provider-azure/README.md +++ b/charts/csi-secrets-store-provider-azure/README.md @@ -75,7 +75,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.2` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.3` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -97,7 +97,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.2` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.3` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -123,7 +123,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.3` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.4` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | 
@@ -131,7 +131,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.3` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.4` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -140,7 +140,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.3` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.4` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index 2efab0e16..2e3730134 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -60,7 +60,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -114,7 +114,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -127,7 +127,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -139,7 +139,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index f2e56bc57..3727e43d8 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -24,7 +24,7 @@ spec: containers: # Prom MDM Converter - name: prom-mdm-converter - image: "upstreamarc.azurecr.io/prom-mdm-converter:v1.0.2" + image: "upstreamarc.azurecr.io/prom-mdm-converter:v1.0.3" imagePullPolicy: IfNotPresent env: - name: SERVER_PORT @@ -35,7 +35,7 @@ spec: {{- toYaml .Values.promMdmConverter.resources | nindent 12 }} # MDM - name: mdm - image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2023.1027.1417-08a588-20231027t1613" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevamdm:2.2024.614.1547-8b8fd6-20240614t1655" imagePullPolicy: IfNotPresent env: - name: ROLEINSTANCE 
@@ -55,7 +55,7 @@ spec: {{- toYaml .Values.mdm.resources | nindent 12 }} # MSI Adapter - name: msi-adapter - image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.6" + image: "mcr.microsoft.com/azurearck8s/msi-adapter:1.0.10" imagePullPolicy: IfNotPresent env: - name: TOKEN_NAMESPACE @@ -83,7 +83,7 @@ spec: {{- end }} # Telegraf - name: telegraf - image: "mcr.microsoft.com/oss/mirror/docker.io/library/telegraf:1.21" + image: "mcr.microsoft.com/mirror/docker/library/telegraf:1.28" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.telegraf.resources | nindent 12 }} @@ -93,7 +93,7 @@ spec: subPath: telegraf.conf # Pipeline agent for logging - name: amacoreagent - image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.2.47" + image: "linuxgeneva-microsoft.azurecr.io/amacoreagentaot:1.3.52" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.amacoreagent.resources | nindent 12 }} @@ -157,7 +157,7 @@ spec: mountPath: /var/run/mdsd # FluentD - name: fluentd - image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20230915.3" + image: "linuxgeneva-microsoft.azurecr.io/distroless/genevafluentd_td-agent:mariner_20240524.1" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.fluentd.resources | nindent 12 }} diff --git a/charts/csi-secrets-store-provider-azure/values.yaml b/charts/csi-secrets-store-provider-azure/values.yaml index d708841a1..bbc39e7cb 100644 --- a/charts/csi-secrets-store-provider-azure/values.yaml +++ b/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ 
@@ -65,7 +65,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -122,7 +122,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -135,7 +135,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -146,7 +146,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/deployment/provider-azure-installer-windows.yaml b/deployment/provider-azure-installer-windows.yaml index 887a1c6f9..4ea9b451c 100644 --- a/deployment/provider-azure-installer-windows.yaml +++ b/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.3 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/deployment/provider-azure-installer.yaml b/deployment/provider-azure-installer.yaml index f28f01134..800974394 100644 --- a/deployment/provider-azure-installer.yaml +++ b/deployment/provider-azure-installer.yaml 
@@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.3 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock index 4af43864b..84688a861 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.3 -digest: sha256:7e4867144ee8d28abcfe2d8517d379e34500ebaa2be0121a2eda5f3da5723110 -generated: "2024-04-18T09:11:04.509219-07:00" + version: 1.4.4 +digest: sha256:31bf604e6f6fd0e4b342b5d62b8a74420da2c7fee2360d5c23186ae04fc8f1a6 +generated: "2024-06-25T17:45:23.132725-07:00" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 4cf0dbde5..1727a65c9 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.4 -appVersion: 1.5.2 +version: 1.5.5 +appVersion: 1.5.3 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. sources: @@ -13,5 +13,5 @@ maintainers: dependencies: - name: secrets-store-csi-driver repository: https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts - version: 1.4.3 + version: 1.4.4 condition: secrets-store-csi-driver.install 
diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md index 7e1578b47..f2b2c9855 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/README.md +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/README.md @@ -75,7 +75,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `linux.enabled` | Install azure keyvault provider on linux nodes | true | | `linux.image.repository` | Linux image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `linux.image.pullPolicy` | Linux image pull policy | `IfNotPresent` | -| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.2` | +| `linux.image.tag` | Azure Keyvault Provider Linux image tag | `v1.5.3` | | `linux.nodeSelector` | Node Selector for the daemonset on linux nodes | `{}` | | `linux.tolerations` | Tolerations for the daemonset on linux nodes | `[{"operator": "Exists"}]` | | `linux.resources` | Resource limit for provider pods on linux nodes | `requests.cpu: 50m`
`requests.memory: 100Mi`
`limits.cpu: 50m`
`limits.memory: 100Mi` | @@ -97,7 +97,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `windows.enabled` | Install azure keyvault provider on windows nodes | false | | `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` | | `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` | -| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.2` | +| `windows.image.tag` | Azure Keyvault Provider Windows image tag | `v1.5.3` | | `windows.nodeSelector` | Node Selector for the daemonset on windows nodes | `{}` | | `windows.tolerations` | Tolerations for the daemonset on windows nodes | `{}` | | `windows.resources` | Resource limit for provider pods on windows nodes | `requests.cpu: 100m`
`requests.memory: 200Mi`
`limits.cpu: 100m`
`limits.memory: 200Mi` | @@ -123,7 +123,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.linux.image.repository` | Driver Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.linux.image.pullPolicy` | Driver Linux image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.3` | +| `secrets-store-csi-driver.linux.image.tag` | Driver Linux image tag | `v1.4.4` | | `secrets-store-csi-driver.linux.registrarImage.repository` | Driver Linux node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.linux.registrarImage.pullPolicy` | Driver Linux node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.registrarImage.tag` | Driver Linux node-driver-registrar image tag | `v2.10.0` | 
@@ -131,7 +131,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy` | Driver Linux liveness-probe image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.linux.livenessProbeImage.tag` | Driver Linux liveness-probe image tag | `v2.12.0` | | `secrets-store-csi-driver.linux.crds.image.repository` | Driver CRDs Linux image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds` | -| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.3` | +| `secrets-store-csi-driver.linux.crds.image.tag` | Driver CRDs Linux image tag | `v1.4.4` | | `secrets-store-csi-driver.linux.crds.image.pullPolicy` | Driver CRDs Linux image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.enabled` | Install secrets-store-csi-driver on windows nodes | false | | `secrets-store-csi-driver.windows.kubeletRootDir` | Configure the kubelet root dir | `C:\var\lib\kubelet` | 
@@ -140,7 +140,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p | `secrets-store-csi-driver.windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods | `""` | | `secrets-store-csi-driver.windows.image.repository` | Driver Windows image repository | `mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver` | | `secrets-store-csi-driver.windows.image.pullPolicy` | Driver Windows image pull policy | `IfNotPresent` | -| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.3` | +| `secrets-store-csi-driver.windows.image.tag` | Driver Windows image tag | `v1.4.4` | | `secrets-store-csi-driver.windows.registrarImage.repository` | Driver Windows node-driver-registrar image repository | `mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar` | | `secrets-store-csi-driver.windows.registrarImage.pullPolicy` | Driver Windows node-driver-registrar image pull policy | `IfNotPresent` | | `secrets-store-csi-driver.windows.registrarImage.tag` | Driver Windows node-driver-registrar image tag | `v2.10.0` | diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index 2efab0e16..2e3730134 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -15,7 +15,7 @@ logVerbosity: 0 linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] @@ -60,7 +60,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} tolerations: [] 
@@ -114,7 +114,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar @@ -127,7 +127,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent podAnnotations: prometheus.io/scrape: "true" @@ -139,7 +139,7 @@ secrets-store-csi-driver: metricsAddr: ":8080" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml index d708841a1..bbc39e7cb 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/values.yaml @@ -17,7 +17,7 @@ enableArcExtension: false linux: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -65,7 +65,7 @@ linux: windows: image: repository: mcr.microsoft.com/oss/azure/secrets-store/provider-azure - tag: v1.5.2 + tag: v1.5.3 pullPolicy: IfNotPresent nodeSelector: {} # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ @@ -122,7 +122,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar 
@@ -135,7 +135,7 @@ secrets-store-csi-driver: crds: image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent providersDir: /var/run/secrets-store-csi-providers @@ -146,7 +146,7 @@ secrets-store-csi-driver: priorityClassName: "" image: repository: mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver - tag: v1.4.3 + tag: v1.4.4 pullPolicy: IfNotPresent registrarImage: repository: mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar diff --git a/manifest_staging/deployment/provider-azure-installer-windows.yaml b/manifest_staging/deployment/provider-azure-installer-windows.yaml index 887a1c6f9..4ea9b451c 100644 --- a/manifest_staging/deployment/provider-azure-installer-windows.yaml +++ b/manifest_staging/deployment/provider-azure-installer-windows.yaml @@ -23,7 +23,7 @@ spec: serviceAccountName: csi-secrets-store-provider-azure containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.3 imagePullPolicy: IfNotPresent args: - --endpoint=unix://C:\\provider\\azure.sock diff --git a/manifest_staging/deployment/provider-azure-installer.yaml b/manifest_staging/deployment/provider-azure-installer.yaml index f28f01134..800974394 100644 --- a/manifest_staging/deployment/provider-azure-installer.yaml +++ b/manifest_staging/deployment/provider-azure-installer.yaml @@ -24,7 +24,7 @@ spec: hostNetwork: true containers: - name: provider-azure-installer - image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.2 + image: mcr.microsoft.com/oss/azure/secrets-store/provider-azure:v1.5.3 imagePullPolicy: IfNotPresent args: - --endpoint=unix:///provider/azure.sock diff --git a/test/e2e/framework/config.go b/test/e2e/framework/config.go index bdcc99d39..5b872516f 100644 --- a/test/e2e/framework/config.go +++ b/test/e2e/framework/config.go 
@@ -17,7 +17,7 @@ type Config struct { KeyvaultName string `envconfig:"KEYVAULT_NAME"` Registry string `envconfig:"REGISTRY" default:"mcr.microsoft.com/oss/azure/secrets-store"` ImageName string `envconfig:"IMAGE_NAME" default:"provider-azure"` - ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.2"` + ImageVersion string `envconfig:"IMAGE_VERSION" default:"v1.5.3"` IsSoakTest bool `envconfig:"IS_SOAK_TEST" default:"false"` IsWindowsTest bool `envconfig:"TEST_WINDOWS" default:"false"` IsGPUTest bool `envconfig:"TEST_GPU" default:"false"` From ac7d27d1dc89426039798d1e7dbcde7122003059 Mon Sep 17 00:00:00 2001 From: Deon <31973188+haodeon@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:58:11 +1200 Subject: [PATCH 31/37] fix: telegraf response_timeout to timeout (#1616) --- .../config/telegraf-conf.tmpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl b/manifest_staging/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl index 0a708d564..448d17153 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl @@ -13,7 +13,7 @@ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" insecure_skip_verify = true - response_timeout = "15s" + timeout = "15s" [[inputs.prometheus]] metric_version = 2 @@ -24,7 +24,7 @@ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" insecure_skip_verify = true - response_timeout = "15s" + timeout = "15s" [[outputs.http]] ## URL is the address to send metrics to From b551439d1ca1186535f38dc8dd87cea557097812 Mon Sep 17 00:00:00 2001 
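Review bot: Both `[[inputs.prometheus]]` hunks of config/telegraf-conf.tmpl keep `insecure_skip_verify = true` next to `tls_ca`, so the scrape presents the pod's service account bearer token to an endpoint whose certificate is never verified and the configured CA goes unused. Since these blocks are being edited anyway, consider `insecure_skip_verify = false` where the target serves a certificate signed by the cluster CA, or add a comment such as `# verification disabled because <reason>; token is only sent to in-cluster targets` so the exception is deliberate and reviewable. The same pair of hunks is repeated for the `charts/` copy of this template in PATCH 33/37. The input blocks start above the hunks, so the scrape targets themselves are not visible here.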
From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 23 Jul 2024 15:39:03 -0700 Subject: [PATCH 32/37] feat: turning off Arc ext monitoring by default (#1618) Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .../charts/csi-secrets-store-provider-azure/arc-values.yaml | 2 +- .../templates/arc-monitoring.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml index 2e3730134..172ffbc93 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -242,7 +242,7 @@ Azure: # Arc monitoring arc: - enableMonitoring: true + enableMonitoring: false # Port that serves metrics metricsAddr: "8898" diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 3727e43d8..e13bfb552 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -83,7 +83,7 @@ spec: {{- end }} # Telegraf - name: telegraf - image: "mcr.microsoft.com/mirror/docker/library/telegraf:1.28" + image: "mcr.microsoft.com/cbl-mariner/base/telegraf:1.29" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.telegraf.resources | nindent 12 }} From e7fcef978065468b781c7f2f8e47774d5607ff07 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Tue, 23 Jul 2024 16:39:01 -0700 Subject: [PATCH 33/37] chore: v1.5.6 chart release to disable arc monitoring by default (#1619) 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- charts/csi-secrets-store-provider-azure/arc-values.yaml | 2 +- .../config/telegraf-conf.tmpl | 4 ++-- .../templates/arc-monitoring.yaml | 2 +- .../charts/csi-secrets-store-provider-azure/Chart.yaml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/charts/csi-secrets-store-provider-azure/Chart.yaml b/charts/csi-secrets-store-provider-azure/Chart.yaml index 1727a65c9..4a059137b 100644 --- a/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.5 +version: 1.5.6 appVersion: 1.5.3 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. diff --git a/charts/csi-secrets-store-provider-azure/arc-values.yaml b/charts/csi-secrets-store-provider-azure/arc-values.yaml index 2e3730134..172ffbc93 100644 --- a/charts/csi-secrets-store-provider-azure/arc-values.yaml +++ b/charts/csi-secrets-store-provider-azure/arc-values.yaml @@ -242,7 +242,7 @@ Azure: # Arc monitoring arc: - enableMonitoring: true + enableMonitoring: false # Port that serves metrics metricsAddr: "8898" diff --git a/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl b/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl index 0a708d564..448d17153 100644 --- a/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl +++ b/charts/csi-secrets-store-provider-azure/config/telegraf-conf.tmpl @@ -13,7 +13,7 @@ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" insecure_skip_verify = true - response_timeout = "15s" + timeout = "15s" [[inputs.prometheus]] metric_version = 2 
@@ -24,7 +24,7 @@ bearer_token = "/var/run/secrets/kubernetes.io/serviceaccount/token" tls_ca = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" insecure_skip_verify = true - response_timeout = "15s" + timeout = "15s" [[outputs.http]] ## URL is the address to send metrics to diff --git a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml index 3727e43d8..e13bfb552 100644 --- a/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml +++ b/charts/csi-secrets-store-provider-azure/templates/arc-monitoring.yaml @@ -83,7 +83,7 @@ spec: {{- end }} # Telegraf - name: telegraf - image: "mcr.microsoft.com/mirror/docker/library/telegraf:1.28" + image: "mcr.microsoft.com/cbl-mariner/base/telegraf:1.29" imagePullPolicy: IfNotPresent resources: {{- toYaml .Values.telegraf.resources | nindent 12 }} diff --git a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml index 1727a65c9..4a059137b 100644 --- a/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml +++ b/manifest_staging/charts/csi-secrets-store-provider-azure/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: csi-secrets-store-provider-azure -version: 1.5.5 +version: 1.5.6 appVersion: 1.5.3 kubeVersion: ">=1.16.0-0" description: A Helm chart to install the Secrets Store CSI Driver and the Azure Keyvault Provider inside a Kubernetes cluster. From a48f93472e577733803b3eefdc65a63bfffa61b3 Mon Sep 17 00:00:00 2001 From: Anish Ramasekar Date: Wed, 21 Aug 2024 17:54:33 -0700 Subject: [PATCH 34/37] chore: remove direct dependency on adal (#1611) Signed-off-by: Anish Ramasekar --- cmd/main.go | 7 +------ go.mod | 4 ++-- go.sum | 20 ++++++++++++++++---- pkg/auth/auth.go | 21 +++++++++++++++++---- test/e2e/go.mod | 2 +- test/e2e/go.sum | 20 ++++++++++++++++---- 6 files changed, 53 insertions(+), 21 deletions(-) 
diff --git a/cmd/main.go b/cmd/main.go index f7d8183e3..2c57a21f4 100644 --- a/cmd/main.go +++ b/cmd/main.go @@ -21,7 +21,6 @@ import ( "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/utils" "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/version" - "github.com/Azure/go-autorest/autorest/adal" "google.golang.org/grpc" "google.golang.org/grpc/health/grpc_health_v1" logsapi "k8s.io/component-base/logs/api/v1" @@ -108,11 +107,7 @@ func main() { if *writeCertAndKeyInSeparateFiles { klog.Infof("write cert and key in separate files feature enabled") } - // Add csi-secrets-store user agent to adal requests - if err := adal.AddToUserAgent(version.GetUserAgent()); err != nil { - klog.ErrorS(err, "failed to add user agent to adal") - os.Exit(1) - } + // Initialize and run the gRPC server proto, addr, err := utils.ParseEndpoint(*endpoint) if err != nil { diff --git a/go.mod b/go.mod index 86a96f47c..444c93512 100644 --- a/go.mod +++ b/go.mod @@ -8,8 +8,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azcertificates v0.10.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v0.11.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0 - github.com/Azure/go-autorest/autorest v0.11.28 - github.com/Azure/go-autorest/autorest/adal v0.9.22 + github.com/Azure/go-autorest/autorest v0.11.29 github.com/Azure/go-autorest/autorest/date v0.3.0 github.com/Azure/go-autorest/autorest/to v0.4.0 github.com/golang/mock v1.6.0 @@ -32,6 +31,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect + github.com/Azure/go-autorest/autorest/adal v0.9.22 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect 
diff --git a/go.sum b/go.sum index 2607f502c..21ef69ec6 100644 --- a/go.sum +++ b/go.sum @@ -47,9 +47,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028g github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= -github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc= github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= 
@@ -159,7 +158,6 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= @@ -427,6 +425,7 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= 
@@ -480,6 +479,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -513,6 +513,7 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -552,6 +553,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -571,6 +574,7 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -619,16 +623,23 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.16.0 
h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -685,6 +696,7 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index eb14dc993..e042187b4 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -9,13 +9,14 @@ import ( "strings" "time" + "github.com/Azure/go-autorest/autorest/date" + "github.com/Azure/secrets-store-csi-driver-provider-azure/pkg/utils" "github.com/Azure/azure-sdk-for-go/sdk/azcore" "github.com/Azure/azure-sdk-for-go/sdk/azcore/cloud" "github.com/Azure/azure-sdk-for-go/sdk/azcore/policy" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" - "github.com/Azure/go-autorest/autorest/adal" "github.com/pkg/errors" "k8s.io/klog/v2" ) @@ -28,7 +29,7 @@ const ( // For Azure AD Workload Identity, the audience recommended for use is // "api://AzureADTokenExchange" - DefaultTokenAudience = "api://AzureADTokenExchange" //nolint + DefaultTokenAudience = "api://AzureADTokenExchange" // nolint ) var ( 
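Review bot: The `// nolint` on `DefaultTokenAudience` (hunk `@@ -28,7 +29,7 @@` of pkg/auth/auth.go) is a blanket suppression that switches off every linter for that line rather than the one check that fires. Naming the linter and the reason keeps the remaining checks active and tells the next reader why the finding is safe to ignore, e.g. `//nolint:gosec // audience identifier, not a credential`, assuming the finding being silenced is gosec's hardcoded-credential heuristic, which the hunk does not show. The const block starts above the hunk.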
@@ -50,11 +51,23 @@ type Token struct { Type string `json:"token_type"` } +// Expires returns the time.Time when the Token expires. +func (t Token) Expires() time.Time { + s, err := t.ExpiresOn.Float64() + if err != nil { + s = -3600 + } + + expiration := date.NewUnixTimeFromSeconds(s) + + return time.Time(expiration).UTC() +} + // PodIdentityResponse is the response received from aad-pod-identity when requesting token // on behalf of the pod type PodIdentityResponse struct { - Token adal.Token `json:"token"` - ClientID string `json:"clientid"` + Token Token `json:"token"` + ClientID string `json:"clientid"` } // Config is the required parameters for auth config diff --git a/test/e2e/go.mod b/test/e2e/go.mod index 105fa13f6..6aa92cda1 100644 --- a/test/e2e/go.mod +++ b/test/e2e/go.mod @@ -6,7 +6,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v0.13.0 - github.com/Azure/go-autorest/autorest v0.11.28 + github.com/Azure/go-autorest/autorest v0.11.29 github.com/Azure/go-autorest/autorest/to v0.4.0 github.com/Azure/secrets-store-csi-driver-provider-azure v0.0.0-00010101000000-000000000000 github.com/ghodss/yaml v1.0.0 diff --git a/test/e2e/go.sum b/test/e2e/go.sum index 3b5c0e06e..a4e9e005a 100644 --- a/test/e2e/go.sum +++ b/test/e2e/go.sum 
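Review bot: In the added `Token.Expires`, a parse failure of `ExpiresOn` is swallowed and replaced by the bare constant `-3600`, which yields a time one hour before the Unix epoch, so a malformed `expires_on` looks the same as a token that expired long ago. That fails closed, which is the safe direction, but nothing in the code says it is deliberate and the error never reaches a log. I would comment the sentinel, e.g. `s = -3600 // unparsable expires_on: report a time before the epoch so the token is treated as expired`, and consider a klog warning (without the token value) so a misbehaving identity endpoint is visible to operators. The `ExpiresOn` field is declared above the hunk, in the part of `Token` that is not shown, so the exact failure cases of `Float64()` cannot be checked from here.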
@@ -43,9 +43,8 @@ github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028g github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA= github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs= github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= -github.com/Azure/go-autorest/autorest v0.11.28 h1:ndAExarwr5Y+GaHE6VCaY1kyS/HwwGGyuimVhWsHOEM= -github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA= -github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ= +github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw= +github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs= github.com/Azure/go-autorest/autorest/adal v0.9.22 h1:/GblQdIudfEM3AWWZ0mrYJQSd7JS4S/Mbzh6F0ov0Xc= github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk= github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw= @@ -186,7 +185,6 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= 
@@ -492,6 +490,7 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= @@ -546,6 +545,7 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI= golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -578,6 +578,7 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -617,6 +618,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= 
@@ -637,6 +640,7 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -683,10 +687,15 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws= golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA= golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -695,6 +704,8 @@ golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -751,6 +762,7 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= From 8166dff1e6af8b422b7a15d49f025fe2a6d59f45 Mon Sep 17 00:00:00 2001 From: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> Date: Thu, 22 Aug 2024 15:42:30 -0700 Subject: [PATCH 35/37] ci: updates goreleaser (#1636) 
Signed-off-by: Nilekh Chaudhari <1626598+nilekhc@users.noreply.github.com> --- .github/workflows/create-release.yaml | 12 +++++------- .goreleaser.yml | 5 ++--- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml index 210479f64..11b52ce79 100644 --- a/.github/workflows/create-release.yaml +++ b/.github/workflows/create-release.yaml @@ -12,20 +12,18 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Harden Runner - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit - name: Checkout - # pinning to the sha 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f from https://github.com/actions/checkout/releases/tag/v2.3.4 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - # pinning to the sha 79d4afbba1b4eff8b9a98e3d2e58c4dbaf094e2b from https://github.com/goreleaser/goreleaser-action/releases/tag/v2.8.1 - name: Goreleaser - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: - version: latest - args: release --rm-dist --timeout 60m --debug + version: '~> v2' + args: release --clean --fail-fast --timeout 60m --verbose env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.goreleaser.yml b/.goreleaser.yml index a43477d5c..b408a5977 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -1,6 +1,5 @@ # refer to https://goreleaser.com for more options -build: - skip: true +version: 2 release: prerelease: auto header: | @@ -8,7 +7,7 @@ release: extra_files: - glob: deployment/*.yaml changelog: - skip: false + disable: false groups: - title: Bug Fixes 🐞 regexp: ^.*fix[(\\w)]*:+.*$ 
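Review bot: The three actions in the create-release.yaml hunk are pinned to commit SHAs, but the new `version: '~> v2'` still lets the Goreleaser step download whatever v2 release is newest when the job runs, and that binary executes with `GITHUB_TOKEN` in its environment. For a release job I would pin the tool to an exact release as well, `version: '<exact goreleaser version>'`, and move it with a reviewed bump. Separately, the Harden Runner step keeps `egress-policy: audit`, which records outbound connections without stopping them; once the audit log gives a stable endpoint list, `egress-policy: block` with `allowed-endpoints` would make that step enforce rather than observe. The job definition starts above the hunk, so its `permissions` block is not visible here.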
From 675bffc8eba11a1a768b0fd144feb29be53f310b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 25 Aug 2024 23:19:21 -0700 Subject: [PATCH 36/37] chore: bump github/codeql-action from 2.21.4 to 3.26.5 (#1641) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yaml | 6 +++--- .github/workflows/scorecards.yml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 793cfbc20..9fd4328ea 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -29,12 +29,12 @@ jobs: uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab - name: Initialize CodeQL - uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 + uses: github/codeql-action/init@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 + uses: github/codeql-action/autobuild@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 + uses: github/codeql-action/analyze@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index d17979e98..4a8904523 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.3.1 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v2.3.1 with: sarif_file: results.sarif From f0c8a3aa37bf113e787e059e12ae2323f540f215 Mon Sep 17 00:00:00 2001 
From: Anish Ramasekar Date: Tue, 27 Aug 2024 10:46:24 -0700 Subject: [PATCH 37/37] ci: skip builds goreleaser config (#1644) Signed-off-by: Anish Ramasekar --- .goreleaser.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index b408a5977..1249c6727 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,5 +1,7 @@
 # refer to https://goreleaser.com for more options
 version: 2
+builds:
+- skip: true
 release:
 prerelease: auto
 header: |