Last active
December 17, 2022 12:09
-
-
Save soeirosantos/11b69355f044ebd73e9dc04ab9014e24 to your computer and use it in GitHub Desktop.
Vault CSI configuration generated from helm.sh/chart: vault-0.23.0
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rules: | |
| - apiGroups: ["apiextensions.k8s.io"] | |
| resources: ["customresourcedefinitions"] | |
| verbs: ["get", "create", "update", "patch"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rules: | |
| - apiGroups: ["apiextensions.k8s.io"] | |
| resources: ["customresourcedefinitions"] | |
| verbs: ["get", "patch"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| subjects: | |
| - kind: ServiceAccount | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| namespace: default | |
| roleRef: | |
| kind: ClusterRole | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| subjects: | |
| - kind: ServiceAccount | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| namespace: default | |
| roleRef: | |
| kind: ClusterRole | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: secrets-store-csi-driver-upgrade-crds | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| spec: | |
| backoffLimit: 0 | |
| template: | |
| metadata: | |
| name: vault-secrets-store-csi-driver-upgrade-crds | |
| spec: | |
| serviceAccountName: vault-secrets-store-csi-driver-upgrade-crds | |
| restartPolicy: Never | |
| containers: | |
| - name: crds-upgrade | |
| image: "k8s.gcr.io/csi-secrets-store/driver-crds:v1.2.4" | |
| args: | |
| - apply | |
| - -f | |
| - crds/ | |
| imagePullPolicy: IfNotPresent | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| --- | |
| apiVersion: batch/v1 | |
| kind: Job | |
| metadata: | |
| name: secrets-store-csi-driver-keep-crds | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| spec: | |
| backoffLimit: 0 | |
| template: | |
| metadata: | |
| name: vault-secrets-store-csi-driver-keep-crds | |
| spec: | |
| serviceAccountName: vault-secrets-store-csi-driver-keep-crds | |
| restartPolicy: Never | |
| containers: | |
| - name: crds-keep | |
| image: "k8s.gcr.io/csi-secrets-store/driver-crds:v1.2.4" | |
| args: | |
| - patch | |
| - crd | |
| - secretproviderclasses.secrets-store.csi.x-k8s.io | |
| - secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io | |
| - -p | |
| - '{"metadata":{"annotations": {"helm.sh/resource-policy": "keep"}}}' | |
| imagePullPolicy: IfNotPresent | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: secrets-store-csi-driver | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| creationTimestamp: null | |
| name: secretproviderrotation-role | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - secrets | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rbac.authorization.k8s.io/aggregate-to-admin: "true" | |
| rbac.authorization.k8s.io/aggregate-to-edit: "true" | |
| name: secretproviderclasses-admin-role | |
| rules: | |
| - apiGroups: | |
| - secrets-store.csi.x-k8s.io | |
| resources: | |
| - secretproviderclasses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - create | |
| - update | |
| - patch | |
| - delete | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| creationTimestamp: null | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rbac.authorization.k8s.io/aggregate-to-view: "true" | |
| name: secretproviderclasses-viewer-role | |
| rules: | |
| - apiGroups: | |
| - secrets-store.csi.x-k8s.io | |
| resources: | |
| - secretproviderclasses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| creationTimestamp: null | |
| name: secretprovidersyncing-role | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - secrets | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - list | |
| - patch | |
| - update | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| creationTimestamp: null | |
| name: secretproviderclasses-role | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - events | |
| verbs: | |
| - create | |
| - patch | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - secrets-store.csi.x-k8s.io | |
| resources: | |
| - secretproviderclasses | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - secrets-store.csi.x-k8s.io | |
| resources: | |
| - secretproviderclasspodstatuses | |
| verbs: | |
| - create | |
| - delete | |
| - get | |
| - list | |
| - patch | |
| - update | |
| - watch | |
| - apiGroups: | |
| - secrets-store.csi.x-k8s.io | |
| resources: | |
| - secretproviderclasspodstatuses/status | |
| verbs: | |
| - get | |
| - patch | |
| - update | |
| - apiGroups: | |
| - storage.k8s.io | |
| resourceNames: | |
| - secrets-store.csi.k8s.io | |
| resources: | |
| - csidrivers | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: secretproviderrotation-rolebinding | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: secretproviderrotation-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: secrets-store-csi-driver | |
| namespace: default | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: secretprovidersyncing-rolebinding | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: secretprovidersyncing-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: secrets-store-csi-driver | |
| namespace: default | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: secretproviderclasses-rolebinding | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: secretproviderclasses-role | |
| subjects: | |
| - kind: ServiceAccount | |
| name: secrets-store-csi-driver | |
| namespace: default | |
| --- | |
| kind: DaemonSet | |
| apiVersion: apps/v1 | |
| metadata: | |
| name: vault-secrets-store-csi-driver | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| spec: | |
| selector: | |
| matchLabels: | |
| app: secrets-store-csi-driver | |
| updateStrategy: | |
| rollingUpdate: | |
| maxUnavailable: 1 | |
| type: RollingUpdate | |
| template: | |
| metadata: | |
| annotations: | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| kubectl.kubernetes.io/default-container: secrets-store | |
| spec: | |
| serviceAccountName: secrets-store-csi-driver | |
| affinity: | |
| nodeAffinity: | |
| requiredDuringSchedulingIgnoredDuringExecution: | |
| nodeSelectorTerms: | |
| - matchExpressions: | |
| - key: type | |
| operator: NotIn | |
| values: | |
| - virtual-kubelet | |
| containers: | |
| - name: node-driver-registrar | |
| image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.5.1" | |
| args: | |
| - --v=5 | |
| - --csi-address=/csi/csi.sock | |
| - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock | |
| livenessProbe: | |
| exec: | |
| command: | |
| - /csi-node-driver-registrar | |
| - --kubelet-registration-path=/var/lib/kubelet/plugins/csi-secrets-store/csi.sock | |
| - --mode=kubelet-registration-probe | |
| initialDelaySeconds: 30 | |
| timeoutSeconds: 15 | |
| imagePullPolicy: IfNotPresent | |
| volumeMounts: | |
| - name: plugin-dir | |
| mountPath: /csi | |
| - name: registration-dir | |
| mountPath: /registration | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 100Mi | |
| requests: | |
| cpu: 10m | |
| memory: 20Mi | |
| - name: secrets-store | |
| image: "k8s.gcr.io/csi-secrets-store/driver:v1.2.4" | |
| args: | |
| - "--endpoint=$(CSI_ENDPOINT)" | |
| - "--nodeid=$(KUBE_NODE_NAME)" | |
| - "--provider-volume=/var/run/secrets-store-csi-providers" | |
| - "--additional-provider-volume-paths=/etc/kubernetes/secrets-store-csi-providers" | |
| - "--enable-secret-rotation=true" | |
| - "--metrics-addr=:8095" | |
| - "--provider-health-check-interval=2m" | |
| - "--max-call-recv-msg-size=4194304" | |
| env: | |
| - name: CSI_ENDPOINT | |
| value: unix:///csi/csi.sock | |
| - name: KUBE_NODE_NAME | |
| valueFrom: | |
| fieldRef: | |
| apiVersion: v1 | |
| fieldPath: spec.nodeName | |
| imagePullPolicy: IfNotPresent | |
| securityContext: | |
| privileged: true | |
| ports: | |
| - containerPort: 9808 | |
| name: healthz | |
| protocol: TCP | |
| - containerPort: 8095 | |
| name: metrics | |
| protocol: TCP | |
| livenessProbe: | |
| failureThreshold: 5 | |
| httpGet: | |
| path: /healthz | |
| port: healthz | |
| initialDelaySeconds: 30 | |
| timeoutSeconds: 10 | |
| periodSeconds: 15 | |
| volumeMounts: | |
| - name: plugin-dir | |
| mountPath: /csi | |
| - name: mountpoint-dir | |
| mountPath: /var/lib/kubelet/pods | |
| mountPropagation: Bidirectional | |
| - name: providers-dir | |
| mountPath: /var/run/secrets-store-csi-providers | |
| - name: providers-dir-0 | |
| mountPath: "/etc/kubernetes/secrets-store-csi-providers" | |
| resources: | |
| limits: | |
| cpu: 200m | |
| memory: 200Mi | |
| requests: | |
| cpu: 50m | |
| memory: 100Mi | |
| - name: liveness-probe | |
| image: "k8s.gcr.io/sig-storage/livenessprobe:v2.7.0" | |
| imagePullPolicy: IfNotPresent | |
| args: | |
| - --csi-address=/csi/csi.sock | |
| - --probe-timeout=3s | |
| - --http-endpoint=0.0.0.0:9808 | |
| - -v=2 | |
| volumeMounts: | |
| - name: plugin-dir | |
| mountPath: /csi | |
| resources: | |
| limits: | |
| cpu: 100m | |
| memory: 100Mi | |
| requests: | |
| cpu: 10m | |
| memory: 20Mi | |
| volumes: | |
| - name: mountpoint-dir | |
| hostPath: | |
| path: /var/lib/kubelet/pods | |
| type: DirectoryOrCreate | |
| - name: registration-dir | |
| hostPath: | |
| path: /var/lib/kubelet/plugins_registry/ | |
| type: Directory | |
| - name: plugin-dir | |
| hostPath: | |
| path: /var/lib/kubelet/plugins/csi-secrets-store/ | |
| type: DirectoryOrCreate | |
| - name: providers-dir | |
| hostPath: | |
| path: /var/run/secrets-store-csi-providers | |
| type: DirectoryOrCreate | |
| - name: providers-dir-0 | |
| hostPath: | |
| path: "/etc/kubernetes/secrets-store-csi-providers" | |
| type: DirectoryOrCreate | |
| nodeSelector: | |
| kubernetes.io/os: linux | |
| --- | |
| apiVersion: csi.storage.k8s.io/v1alpha1 | |
| kind: CSIDriver | |
| metadata: | |
| name: secrets-store.csi.k8s.io | |
| labels: | |
| app.kubernetes.io/instance: "csi" | |
| app.kubernetes.io/name: "secrets-store-csi-driver" | |
| app.kubernetes.io/version: "1.2.4" | |
| app: secrets-store-csi-driver | |
| spec: | |
| podInfoOnMount: true | |
| attachRequired: false | |
| # Added in Kubernetes 1.16 with default mode of Persistent. Secrets store csi driver needs Ephermeral to be set. | |
| volumeLifecycleModes: | |
| - Ephemeral |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: vault-csi-provider | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| --- | |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: vault | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/name: vault | |
| app.kubernetes.io/instance: vault | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: vault-csi-provider-clusterrole | |
| labels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - serviceaccounts/token | |
| verbs: | |
| - create | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: vault-csi-provider-clusterrolebinding | |
| labels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: vault-csi-provider-clusterrole | |
| subjects: | |
| - kind: ServiceAccount | |
| name: vault-csi-provider | |
| namespace: default | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: vault-server-binding | |
| labels: | |
| app.kubernetes.io/name: vault | |
| app.kubernetes.io/instance: vault | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: system:auth-delegator | |
| subjects: | |
| - kind: ServiceAccount | |
| name: vault | |
| namespace: default | |
| --- | |
| apiVersion: apps/v1 | |
| kind: DaemonSet | |
| metadata: | |
| name: vault-csi-provider | |
| namespace: default | |
| labels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| spec: | |
| updateStrategy: | |
| type: RollingUpdate | |
| selector: | |
| matchLabels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| template: | |
| metadata: | |
| labels: | |
| app.kubernetes.io/name: vault-csi-provider | |
| app.kubernetes.io/instance: vault | |
| spec: | |
| serviceAccountName: vault-csi-provider | |
| containers: | |
| - name: vault-csi-provider | |
| image: "hashicorp/vault-csi-provider:1.2.1" | |
| imagePullPolicy: IfNotPresent | |
| args: | |
| - --endpoint=/provider/vault.sock | |
| - --debug=false | |
| env: | |
| - name: VAULT_ADDR | |
| value: http://vault.default.svc:8200 | |
| volumeMounts: | |
| - name: providervol | |
| mountPath: "/provider" | |
| - name: mountpoint-dir | |
| mountPath: /var/lib/kubelet/pods | |
| mountPropagation: HostToContainer | |
| livenessProbe: | |
| httpGet: | |
| path: /health/ready | |
| port: 8080 | |
| failureThreshold: 2 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 5 | |
| successThreshold: 1 | |
| timeoutSeconds: 3 | |
| readinessProbe: | |
| httpGet: | |
| path: /health/ready | |
| port: 8080 | |
| failureThreshold: 2 | |
| initialDelaySeconds: 5 | |
| periodSeconds: 5 | |
| successThreshold: 1 | |
| timeoutSeconds: 3 | |
| volumes: | |
| - name: providervol | |
| hostPath: | |
| path: /etc/kubernetes/secrets-store-csi-providers | |
| - name: mountpoint-dir | |
| hostPath: | |
| path: /var/lib/kubelet/pods |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment