diff --git a/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml b/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml index 5aa2ff80..83e552a5 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/Chart.yaml @@ -31,12 +31,12 @@ keywords: # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.5.0 +version: 0.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: 1.0.0 +appVersion: 1.5.0 maintainers: - name: nlamirault diff --git a/charts/secrets-store-csi-driver-provider-gcp/README.md b/charts/secrets-store-csi-driver-provider-gcp/README.md index bb0b64a0..a804de0b 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/README.md +++ b/charts/secrets-store-csi-driver-provider-gcp/README.md @@ -1,6 +1,6 @@ # secrets-store-csi-driver-provider-gcp -![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) +![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.5.0](https://img.shields.io/badge/AppVersion-1.5.0-informational?style=flat-square) A Helm chart for Google Secret Manager Provider for Secret Store CSI Driver 
@@ -8,36 +8,35 @@ A Helm chart for Google Secret Manager Provider for Secret Store CSI Driver ## Maintainers -| Name | Email | Url | -| ---------- | ----------------------------- | --- | -| nlamirault | | | +| Name | Email | Url | +| ---- | ------ | --- | +| nlamirault | | | ## Source Code -- +* ## Values -| Key | Type | Default | Description | -| ------------------------------- | ------ | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- | -| additionalAnnotations | object | `{}` | Additional annotations to add to metadata | -| additionalLabels | object | `{}` | Additional labels to add to metadata | -| affinity | object | `{}` | Affinity settings for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | -| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin"` | | -| image.tag | string | `"v1.0.0"` | | -| imagePullSecrets | list | `[]` | | -| namespace | string | `"kube-system"` | Namespace to deploy the Secret Store CSI Driver | -| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ | -| rbac.create | bool | `true` | If true, create & use RBAC resources | -| resources | object | `{}` | Container resources (requests and limits for cpu and memory) | -| serviceAccount.annotations | object | `{}` | ServiceAccount annotations. 
# Use case: GKE Workload Identity for service accounts | -| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created, require rbac true | -| serviceAccount.imagePullSecrets | list | `[]` | | -| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template | -| tolerations | list | `[]` | Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | - ---- - -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| additionalAnnotations | object | `{}` | Additional annotations to add to metadata | +| additionalLabels | object | `{}` | Additional labels to add to metadata | +| affinity | object | `{}` | Affinity settings for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | +| fullnameOverride | string | `""` | Provide a name to substitute for the full names of resources | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin"` | | +| image.tag | string | `"v1.5.0"` | | +| imagePullSecrets | list | `[]` | | +| namespace | string | `"kube-system"` | Namespace to deploy the Secret Store CSI Driver | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment # Ref: https://kubernetes.io/docs/user-guide/node-selection/ | +| rbac.create | bool | `true` | If true, create & use RBAC resources | +| resources | object | `{}` | Container resources (requests and limits for cpu and memory) | +| serviceAccount.annotations | object | `{}` | ServiceAccount annotations. 
# Use case: GKE Workload Identity for service accounts | +| serviceAccount.create | bool | `true` | Specifies whether a ServiceAccount should be created, require rbac true | +| serviceAccount.imagePullSecrets | list | `[]` | | +| serviceAccount.name | string | `nil` | The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template | +| tolerations | list | `[]` | Tolerations for pod assignment # Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml b/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml index fa0fb8db..5e35fea8 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrole.yaml @@ -14,7 +14,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.rbac.create -}} +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml b/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml index 0c55f236..bd457382 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/templates/clusterrolebinding.yaml @@ -14,7 +14,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.rbac.create -}} +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -34,4 +34,4 @@ subjects: - kind: ServiceAccount name: {{ template "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }} namespace: {{ template "secrets-store-csi-driver-provider-gcp.namespace" . }} -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml b/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml index e015f867..dda082ae 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml @@ -37,10 +37,33 @@ spec: {{- include "secrets-store-csi-driver-provider-gcp.labels" . | indent 8 }} spec: serviceAccountName: {{ template "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }} + initContainers: + - name: chown-provider-mount + image: busybox + command: + - chown + - "1000:1000" + - /etc/kubernetes/secrets-store-csi-providers + volumeMounts: + - mountPath: "/etc/kubernetes/secrets-store-csi-providers" + name: providervol + hostNetwork: false + hostPID: false + hostIPC: false containers: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL {{- if .Values.resources }} resources: {{ toYaml .Values.resources | indent 12 }} @@ -51,9 +74,8 @@ spec: volumeMounts: - mountPath: "/etc/kubernetes/secrets-store-csi-providers" name: providervol - - name: mountpoint-dir - mountPath: /var/lib/kubelet/pods - mountPropagation: HostToContainer + mountPropagation: None + readOnly: false livenessProbe: failureThreshold: 3 httpGet: 
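Review bot: The new `chown-provider-mount` init container runs `chown 1000:1000` on the hostPath as an unconstrained root container: it carries no `securityContext`, so unlike the hardened main container it keeps the full default capability set, the runtime's default seccomp profile and a writable root filesystem, and its image is the floating `busybox` tag with no version, digest or `pullPolicy`, while the main image is driven by `.Values.image`. Give it the same hardening as the main container with only `CHOWN` retained (that should be the only capability the command needs; verify on a node), and pin the image, ideally through a chart value so operators can point it at a mirrored registry, as sketched below. The main container's `securityContext` could additionally set `runAsNonRoot: true` so that a future image defaulting to root is rejected at admission instead of silently running as root. The DaemonSet pod spec continues outside the hunk.
```yaml
  - name: chown-provider-mount
    # … unchanged: image (pin to a tag/digest), command …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL
        add:
          - CHOWN
    # … unchanged: volumeMounts …
```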
@@ -62,6 +84,10 @@ spec: initialDelaySeconds: 5 timeoutSeconds: 10 periodSeconds: 30 + volumes: + - name: providervol + hostPath: + path: /etc/kubernetes/secrets-store-csi-providers {{- if .Values.affinity }} affinity: {{ toYaml .Values.affinity | indent 8 }} @@ -74,11 +100,3 @@ spec: tolerations: {{ toYaml .Values.tolerations | indent 8 }} {{- end }} - volumes: - - name: providervol - hostPath: - path: /etc/kubernetes/secrets-store-csi-providers - - name: mountpoint-dir - hostPath: - path: /var/lib/kubelet/pods - type: DirectoryOrCreate \ No newline at end of file diff --git a/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml b/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml index a81439d4..c4743626 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/templates/serviceaccount.yaml @@ -14,7 +14,7 @@ # # SPDX-License-Identifier: Apache-2.0 -{{- if .Values.serviceAccount.create -}} +{{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/secrets-store-csi-driver-provider-gcp/values.yaml b/charts/secrets-store-csi-driver-provider-gcp/values.yaml index 70c2aa9d..1d3b6771 100644 --- a/charts/secrets-store-csi-driver-provider-gcp/values.yaml +++ b/charts/secrets-store-csi-driver-provider-gcp/values.yaml @@ -35,7 +35,7 @@ namespace: kube-system image: repository: us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin - tag: v1.4.0 + tag: v1.5.0 pullPolicy: IfNotPresent imagePullSecrets: []
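Review bot: The relocated `providervol` hostPath declares only `path:` and no `type:`, so the kubelet performs no check on what exists on the node at `/etc/kubernetes/secrets-store-csi-providers`, whereas the removed `mountpoint-dir` volume did carry `type: DirectoryOrCreate`; if the directory is absent, or is a file or symlink on some node, the outcome depends on the container runtime and on the init container's chown in the preceding hunk. Consider adding `type: DirectoryOrCreate` (or `type: Directory` if the CSI driver is expected to have created it first) under `hostPath:` so the contract is explicit. Dropping the `/var/lib/kubelet/pods` mount with `HostToContainer` propagation is a genuine reduction in what the provider pod can reach on the node and is worth a sentence in the chart's release notes, since the chart version only moves from 0.5.0 to 0.6.0. The enclosing pod spec starts outside the hunk.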