Merge pull request #1044 from nilekhc/automated-cherry-pick-of-#1043-…

…upstream-release-1.2 Automated cherry pick of #1043: release: update manifest and helm charts for v1.2.4
kubernetes-sigs · Sep 7, 2022 · 7f4aef9 · 7f4aef9
2 parents eebfa99 + f7ff1b2
commit 7f4aef9
Show file tree

Hide file tree

Showing 28 changed files with 98 additions and 53 deletions.
diff --git a/charts/secrets-store-csi-driver/Chart.yaml b/charts/secrets-store-csi-driver/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: secrets-store-csi-driver
-version: 1.2.3
-appVersion: 1.2.3
+version: 1.2.4
+appVersion: 1.2.4
 kubeVersion: ">=1.16.0-0"
 description: A Helm chart to install the SecretsStore CSI Driver inside a Kubernetes cluster.
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png

diff --git a/charts/secrets-store-csi-driver/README.md b/charts/secrets-store-csi-driver/README.md
@@ -29,13 +29,14 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | Parameter                               | Description                                                                                                                                                                    | Default                                                 |
 | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------- |
 | `nameOverride`                          | String to partially override secrets-store-csi-driver.fullname template with a string (will prepend the release name)                                                          | `""`                                                    |
+| `commonLabels`                          | Labels to apply to all resources                                                                                                                                               | `""`                                                    |
 | `fullnameOverride`                      | String to fully override secrets-store-csi-driver.fullname template with a string                                                                                              | `""`                                                    |
 | `linux.image.repository`                | Linux image repository                                                                                                                                                         | `k8s.gcr.io/csi-secrets-store/driver`                   |
 | `linux.image.pullPolicy`                | Linux image pull policy                                                                                                                                                        | `IfNotPresent`                                          |
-| `linux.image.tag`                       | Linux image tag                                                                                                                                                                | `v1.2.3`                                                |
+| `linux.image.tag`                       | Linux image tag                                                                                                                                                                | `v1.2.4`                                                |
 | `linux.crds.image.repository`           | Linux crds image repository                                                                                                                                                    | `k8s.gcr.io/csi-secrets-store/driver-crds`              |
 | `linux.crds.image.pullPolicy`           | Linux crds image pull policy                                                                                                                                                   | `IfNotPresent`                                          |
-| `linux.crds.image.tag`                  | Linux crds image tag                                                                                                                                                           | `v1.2.3`                                                |
+| `linux.crds.image.tag`                  | Linux crds image tag                                                                                                                                                           | `v1.2.4`                                                |
 | `linux.crds.podLabels`                  | Linux *Pod* labels appended to CRD helm hook job pods                                                                                                                          | `{}`                                                    |
 | `linux.affinity`                        | Linux affinity                                                                                                                                                                 | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `linux.driver.resources`                | The resource request/limits for the linux secrets-store container image                                                                                                        | `limits: 200m CPU, 200Mi; requests: 50m CPU, 100Mi`     |
@@ -66,7 +67,7 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `linux.updateStrategy`                  | Configure a custom update strategy for the daemonset on linux nodes                                                                                                            | `RollingUpdate with 1 maxUnavailable`                   |
 | `windows.image.repository`              | Windows image repository                                                                                                                                                       | `k8s.gcr.io/csi-secrets-store/driver`                   |
 | `windows.image.pullPolicy`              | Windows image pull policy                                                                                                                                                      | `IfNotPresent`                                          |
-| `windows.image.tag`                     | Windows image tag                                                                                                                                                              | `v1.2.3`                                                |
+| `windows.image.tag`                     | Windows image tag                                                                                                                                                              | `v1.2.4`                                                |
 | `windows.affinity`                      | Windows affinity                                                                                                                                                               | `key: type; operator: NotIn; values: [virtual-kubelet]` |
 | `windows.driver.resources`              | The resource request/limits for the windows secrets-store container image                                                                                                      | `limits: 400m CPU, 400Mi; requests: 50m CPU, 100Mi`     |
 | `windows.enabled`                       | Install secrets store csi driver on windows nodes                                                                                                                              | false                                                   |

diff --git a/charts/secrets-store-csi-driver/templates/_helpers.tpl b/charts/secrets-store-csi-driver/templates/_helpers.tpl
@@ -28,13 +28,15 @@ If release name contains chart name it will be used as a full name.
 Standard labels for helm resources
 */}}
 {{- define "sscd.labels" -}}
-labels:
-  app.kubernetes.io/instance: "{{ .Release.Name }}"
-  app.kubernetes.io/managed-by: "{{ .Release.Service }}"
-  app.kubernetes.io/name: "{{ template "sscd.name" . }}"
-  app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
-  app: {{ template "sscd.name" . }}
-  helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+app.kubernetes.io/instance: "{{ .Release.Name }}"
+app.kubernetes.io/managed-by: "{{ .Release.Service }}"
+app.kubernetes.io/name: "{{ template "sscd.name" . }}"
+app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
+app: {{ template "sscd.name" . }}
+helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+{{- if .Values.commonLabels}}
+{{ toYaml .Values.commonLabels }}
+{{- end }}
 {{- end -}}
 
 {{- define "sscd-psp.fullname" -}}

diff --git a/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml b/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
@@ -2,7 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -11,7 +12,7 @@ rules:
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["get", "create", "update", "patch"]
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
   - apiGroups: ['policy']
     resources: ['podsecuritypolicies']
     verbs:     ['use']
@@ -23,7 +24,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -37,11 +39,13 @@ roleRef:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
   apiGroup: rbac.authorization.k8s.io
 ---
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: allow-upgrade-crds
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -64,7 +68,8 @@ kind: ServiceAccount
 metadata:
   name: {{ template "sscd.fullname" . }}-upgrade-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -75,7 +80,8 @@ kind: Job
 metadata:
   name: secrets-store-csi-driver-upgrade-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-install,pre-upgrade
     helm.sh/hook-weight: "10"

diff --git a/charts/secrets-store-csi-driver/templates/csidriver.yaml b/charts/secrets-store-csi-driver/templates/csidriver.yaml
@@ -2,6 +2,8 @@ apiVersion: {{ template "csidriver.apiVersion" . }}
 kind: CSIDriver
 metadata:
   name: secrets-store.csi.k8s.io
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 spec:
   podInfoOnMount: true
   attachRequired: false

diff --git a/charts/secrets-store-csi-driver/templates/keep-crds-upgrade-hook.yaml b/charts/secrets-store-csi-driver/templates/keep-crds-upgrade-hook.yaml
@@ -2,7 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -11,7 +12,7 @@ rules:
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["get", "patch"]
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
   - apiGroups: ['policy']
     resources: ['podsecuritypolicies']
     verbs:     ['use']
@@ -23,7 +24,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -37,11 +39,13 @@ roleRef:
   name: {{ template "sscd.fullname" . }}-keep-crds
   apiGroup: rbac.authorization.k8s.io
 ---
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: allow-keep-crds
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -64,7 +68,8 @@ kind: ServiceAccount
 metadata:
   name: {{ template "sscd.fullname" . }}-keep-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation"
@@ -75,7 +80,8 @@ kind: Job
 metadata:
   name: secrets-store-csi-driver-keep-crds
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
   annotations:
     helm.sh/hook: pre-upgrade
     helm.sh/hook-weight: "20"

diff --git a/charts/secrets-store-csi-driver/templates/podsecuritypolicy.yaml b/charts/secrets-store-csi-driver/templates/podsecuritypolicy.yaml
@@ -1,9 +1,10 @@
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
   name: {{ template "sscd-psp.fullname" . }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 spec:
   seLinux:
     rule: RunAsAny

diff --git a/charts/secrets-store-csi-driver/templates/role-rotation.yaml b/charts/secrets-store-csi-driver/templates/role-rotation.yaml
@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretproviderrotation-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

diff --git a/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml b/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretproviderrotation-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
@@ -6,6 +6,7 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
+{{ include "sscd.labels" . | indent 4 }}
     rbac.authorization.k8s.io/aggregate-to-admin: "true"
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
   name: secretproviderclasses-admin-role

diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -6,6 +6,7 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   labels:
+{{ include "sscd.labels" . | indent 4 }}
     rbac.authorization.k8s.io/aggregate-to-view: "true"
   name: secretproviderclasses-viewer-role
 rules:

diff --git a/charts/secrets-store-csi-driver/templates/role-syncsecret.yaml b/charts/secrets-store-csi-driver/templates/role-syncsecret.yaml
@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretprovidersyncing-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

diff --git a/charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml b/charts/secrets-store-csi-driver/templates/role-syncsecret_binding.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretprovidersyncing-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretprovidertokenrequest-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""

diff --git a/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml b/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretprovidertokenrequest-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/charts/secrets-store-csi-driver/templates/role.yaml b/charts/secrets-store-csi-driver/templates/role.yaml
@@ -5,6 +5,8 @@ kind: ClusterRole
 metadata:
   creationTimestamp: null
   name: secretproviderclasses-role
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 rules:
 - apiGroups:
   - ""
@@ -59,7 +61,7 @@ rules:
   - get
   - list
   - watch
-{{- if .Values.rbac.pspEnabled }}
+{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
 - apiGroups:
   - policy
   resources:

diff --git a/charts/secrets-store-csi-driver/templates/role_binding.yaml b/charts/secrets-store-csi-driver/templates/role_binding.yaml
@@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: secretproviderclasses-rolebinding
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
@@ -4,7 +4,8 @@ apiVersion: apps/v1
 metadata:
   name: {{ template "sscd.fullname" . }}-windows
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{- if .Values.windows.daemonsetAnnotations }}
   annotations:
 {{ toYaml .Values.windows.daemonsetAnnotations | indent 4 }}
@@ -17,14 +18,15 @@ spec:
 {{ toYaml .Values.windows.updateStrategy | indent 4 }}
   template:
     metadata:
+      labels:
+{{ include "sscd.labels" . | indent 8 }}
+{{- if .Values.windows.podLabels }}
+{{- toYaml .Values.windows.podLabels | nindent 8 }}
+{{- end }}
       annotations:
         kubectl.kubernetes.io/default-container: secrets-store
 {{- if .Values.windows.podAnnotations }}
 {{ toYaml .Values.windows.podAnnotations | indent 8 }}
-{{- end }}
-{{ include "sscd.labels" . | indent 6 }}
-{{- if .Values.windows.podLabels }}
-{{- toYaml .Values.windows.podLabels | nindent 8 }}
 {{- end }}
     spec:
       serviceAccountName: secrets-store-csi-driver

diff --git a/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
@@ -4,7 +4,8 @@ apiVersion: apps/v1
 metadata:
   name: {{ template "sscd.fullname" . }}
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{- if .Values.linux.daemonsetAnnotations }}
   annotations:
 {{ toYaml .Values.linux.daemonsetAnnotations | indent 4 }}
@@ -18,13 +19,14 @@ spec:
   template:
     metadata:
       annotations:
+      labels:
+{{ include "sscd.labels" . | indent 8 }}
+{{- if .Values.linux.podLabels }}
+{{- toYaml .Values.linux.podLabels | nindent 8 }}
+{{- end }}
         kubectl.kubernetes.io/default-container: secrets-store
 {{- if .Values.linux.podAnnotations }}
 {{ toYaml .Values.linux.podAnnotations | indent 8 }}
-{{- end }}
-{{ include "sscd.labels" . | indent 6 }}
-{{- if .Values.linux.podLabels }}
-{{- toYaml .Values.linux.podLabels | nindent 8 }}
 {{- end }}
     spec:
       serviceAccountName: secrets-store-csi-driver

diff --git a/charts/secrets-store-csi-driver/templates/serviceaccount.yaml b/charts/secrets-store-csi-driver/templates/serviceaccount.yaml
@@ -4,5 +4,6 @@ kind: ServiceAccount
 metadata:
   name: secrets-store-csi-driver
   namespace: {{ .Release.Namespace }}
-{{ include "sscd.labels" . | indent 2 }}
+  labels:
+{{ include "sscd.labels" . | indent 4 }}
 {{ end }}