Add helm chart

README.md

@@ -12,17 +12,19 @@ to access secrets stored in Secret Manager as files mounted in Kubernetes pods.
 * Create a new GKE cluster with Workload Identity or enable
  [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_existing_cluster)
  on an existing cluster.
-* Install the
- [Secret Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html)
- v1.0.1 or higher to the cluster.
-* Install the Google plugin DaemonSet & additional RoleBindings:
+* Install Google plugin DaemonSet & additional RoleBindings:
 
 ```shell
-kubectl apply -f deploy/provider-gcp-plugin.yaml
-# if you want to use helm
-# helm upgrade --install secrets-store-csi-driver-provider-gcp charts/secrets-store-csi-driver-provider-gcp
+$ export PROJECT_ID=<your gcp project>
+$ helm repo add secrets-store-csi-driver-provider-gcp <repo>
+$ helm install provider-chart secrets-store-csi-driver-provider-gcp/secrets-store-csi-driver-provider-gcp --set secrets-store-csi-driver.tokenRequests[0].audience=$PROJECT_ID.svc.id.goog --namespace kube-system
 ```
 
+* The provider has a dependency on the driver and hence will automatically install the [CSI Secret Store Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver). 
+
+During installation, it will set the tokenRequests audience value to PROJECT_ID.svc.id.goog i.e. [Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable_on_existing_cluster)
+which will enable the provider to utlize the same k8s token as the driver.
+
 NOTE: The driver's rotation and secret syncing functionality is still in Alpha and requires [additional installation
 steps](https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html#optional-values).
 

charts/secrets-store-csi-driver-provider-gcp/Chart.yaml

@@ -4,3 +4,7 @@ description: A Helm chart to install Google Secret Manager Provider for Secret S
 type: application
 version: 0.1.0
 appVersion: "1.2.0"
+dependencies:
+- name: secrets-store-csi-driver
+ version: "1.3.4"
+ repository: "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts" 

charts/secrets-store-csi-driver-provider-gcp/templates/daemonset.yaml

@@ -23,7 +23,7 @@ spec:
  serviceAccountName: {{ include "secrets-store-csi-driver-provider-gcp.serviceAccountName" . }}
  containers:
  - name: provider
- image: "{{ .Values.image.repository }}@{{ .Values.image.hash }}"
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
  imagePullPolicy: {{ .Values.image.pullPolicy }}
  resources:
  {{- toYaml .Values.resources | nindent 12 }}

charts/secrets-store-csi-driver-provider-gcp/values.yaml

@@ -6,8 +6,8 @@ serviceAccount:
 
 image:
  repository: us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin
+ tag: v1.2.0
  pullPolicy: IfNotPresent
- hash: sha256:b7dde5ed536b2c6500c9237e14f6851cf8a2ff6d7a72656c3741be38e2cddf4d
 
 app: csi-secrets-store-provider-gcp
 
@@ -27,3 +27,8 @@ nodeSelector:
 tolerations: []
 
 affinity: {}
+
+secrets-store-csi-driver: 
+ fullnameOverride: secrets-store-csi-driver
+ tokenRequests:
+ - audience: $PROJECT_ID.svc.id.goog

helm/Dockerfile

@@ -0,0 +1,24 @@
+FROM gcr.io/cloud-builders/gcloud
+
+ARG HELM_VERSION=v3.12.0
+ENV HELM_VERSION=$HELM_VERSION
+ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True
+
+COPY helm.bash /builder/helm.bash
+
+RUN chmod +x /builder/helm.bash && \
+ mkdir -p /builder/helm && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends curl && \
+ curl -SL https://get.helm.sh/helm-${HELM_VERSION}-linux-amd64.tar.gz -o helm.tar.gz && \
+ tar zxvf helm.tar.gz --strip-components=1 -C /builder/helm linux-amd64 && \
+ rm helm.tar.gz && \
+ apt-get --purge -y autoremove && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+RUN gcloud -q components install gke-gcloud-auth-plugin
+
+ENV PATH=/builder/helm/:$PATH
+
+ENTRYPOINT ["/builder/helm.bash"]

helm/helm.bash

@@ -0,0 +1,64 @@
+#!/bin/bash -e
+
+# If there is no current context, get one.
+if [[ $(kubectl config current-context 2> /dev/null) == "" && "$SKIP_CLUSTER_CONFIG" != true ]]; then
+ # This tries to read environment variables. If not set, it grabs from gcloud
+ cluster=${CLOUDSDK_CONTAINER_CLUSTER:-$(gcloud config get-value container/cluster 2> /dev/null)}
+ region=${CLOUDSDK_COMPUTE_REGION:-$(gcloud config get-value compute/region 2> /dev/null)}
+ zone=${CLOUDSDK_COMPUTE_ZONE:-$(gcloud config get-value compute/zone 2> /dev/null)}
+ project=${GCLOUD_PROJECT:-$(gcloud config get-value core/project 2> /dev/null)}
+
+ function var_usage() {
+ cat <<EOF
+No cluster is set. To set the cluster (and the region/zone where it is found), set the environment variables
+ CLOUDSDK_COMPUTE_REGION=<cluster region> (regional clusters)
+ CLOUDSDK_COMPUTE_ZONE=<cluster zone> (zonal clusters)
+ CLOUDSDK_CONTAINER_CLUSTER=<cluster name>
+EOF
+ exit 1
+ }
+
+ [[ -z "$cluster" ]] && var_usage
+ [ ! "$zone" -o "$region" ] && var_usage
+
+ if [ -n "$region" ]; then
+ echo "Running: gcloud container clusters get-credentials --project=\"$project\" --region=\"$region\" \"$cluster\""
+ gcloud container clusters get-credentials --project="$project" --region="$region" "$cluster"
+ else
+ echo "Running: gcloud container clusters get-credentials --project=\"$project\" --zone=\"$zone\" \"$cluster\""
+ gcloud container clusters get-credentials --project="$project" --zone="$zone" "$cluster"
+ fi
+fi
+
+# if GCS_PLUGIN_VERSION is set, install the plugin
+if [[ -n $GCS_PLUGIN_VERSION ]]; then
+ echo "Installing helm GCS plugin version $GCS_PLUGIN_VERSION "
+ helm plugin install https://github.com/nouney/helm-gcs --version $GCS_PLUGIN_VERSION
+fi
+
+# if DIFF_PLUGIN_VERSION is set, install the plugin
+if [[ -n $DIFF_PLUGIN_VERSION ]]; then
+ echo "Installing helm DIFF plugin version $DIFF_PLUGIN_VERSION "
+ helm plugin install https://github.com/databus23/helm-diff --version $DIFF_PLUGIN_VERSION
+fi
+
+# if HELMFILE_VERSION is set, install Helmfile
+if [[ -n $HELMFILE_VERSION ]]; then
+ echo "Installing Helmfile version $HELMFILE_VERSION "
+ curl -SsL https://github.com/helmfile/helmfile/releases/download/$HELMFILE_VERSION/helmfile_linux_amd64 > helmfile
+ chmod 700 helmfile
+fi
+
+# check if repo values provided then add that repo
+if [[ -n $HELM_REPO_NAME && -n $HELM_REPO_URL ]]; then
+ echo "Adding chart helm repo $HELM_REPO_URL"
+ helm repo add $HELM_REPO_NAME $HELM_REPO_URL
+fi
+
+echo "Running: helm repo update"
+helm repo list && helm repo update || true
+
+if [ "$DEBUG" = true ]; then
+ echo "Running: helm $@"
+fi
+helm "$@"

scripts/cloudbuild-dev.yaml

@@ -15,10 +15,30 @@
 # Usage: from the root directory run:
 #
 # $ gcloud builds submit --config scripts/cloudbuild-dev.yaml
-timeout: 1200s
+timeout: 3600s #increasing timeout else build crashes
 options:
  machineType: N1_HIGHCPU_8
 steps:
+- name: 'gcr.io/cloud-builders/docker'
+ args: ['buildx', 'build',
+ '--build-arg',
+ 'VERSION=$TAG_NAME',
+ '-t',
+ 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME',
+ '--push',
+ './helm']
+- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME'
+ args: ['dependency', 'update', './charts/secrets-store-csi-driver-provider-gcp']
+ env:
+ - SKIP_CLUSTER_CONFIG=true
+- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME'
+ args: ['package', './charts/secrets-store-csi-driver-provider-gcp', '--version', '0.1.0-$TAG_NAME']
+ env:
+ - SKIP_CLUSTER_CONFIG=true
+- name: 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/helm-image:$TAG_NAME'
+ args: ['push', 'secrets-store-csi-driver-provider-gcp-0.1.0-$TAG_NAME.tgz', 'oci://asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp' ]
+ env:
+ - SKIP_CLUSTER_CONFIG=true
 - name: 'gcr.io/cloud-builders/docker'
  args: ['buildx', 'create', '--use']
 - name: 'gcr.io/cloud-builders/docker'
@@ -27,6 +47,7 @@ steps:
  '--build-arg',
  'VERSION=$TAG_NAME',
  '-t',
- 'gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$TAG_NAME',
+ 'asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$TAG_NAME',
  '--push',
  '.']
+

test/e2e/mount_test.go

@@ -136,19 +136,31 @@ func setupTestSuite() {
  gcloudCmd.Env = append(os.Environ(), "KUBECONFIG="+f.kubeconfigFile)
  check(execCmd(gcloudCmd))
 
- // Install Secret Store
- check(execCmd(exec.Command("kubectl", "apply", "--kubeconfig", f.kubeconfigFile,
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/rbac-secretproviderclass.yaml", f.secretStoreVersion),
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/rbac-secretprovidersyncing.yaml", f.secretStoreVersion),
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/csidriver.yaml", f.secretStoreVersion),
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml", f.secretStoreVersion),
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml", f.secretStoreVersion),
- "-f", fmt.Sprintf("https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/%s/deploy/secrets-store-csi-driver.yaml", f.secretStoreVersion),
- )))
+ // Helm authentication
+ gcloudCmd := exec.Command("gcloud", "auth", "application-default", "print-access-token")
+
+ // Capture the output of the gcloud command
+ gcloudOutput, err := gcloudCmd.Output()
+
+ if err != nil {
+ fmt.Printf("Error running gcloud command: %s\n", err.Error())
+ os.Exit(1)
+ }
+ // Create the helm registry login command
+ helmCmd := exec.Command("helm", "registry", "login", "-u", "oauth2accesstoken", "--password-stdin", "https://asia-east1-docker.pkg.dev")
 
- // Install GCP Plugin and Workload Identity bindings
- check(execCmd(exec.Command("kubectl", "apply", "--kubeconfig", f.kubeconfigFile,
- "-f", pluginFile)))
+ // Set the access token as the input for the helm command
+ helmCmd.Stdin = strings.NewReader(string(gcloudOutput))
+
+ // Run the helm command
+ check(execCmd(helmCmd))
+
+ // Install GCP Plugin and Workload Identity bindings 
+ // set: drive image to oci://asia-east1-docker.pkg.dev/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image with tag GCP_PROVIDER_SHA
+ // set: audience token to PROJECT_ID.svc.id.goog
+ check(execCmd(exec.Command("helm", "install", "provider-chart", fmt.Sprintf("oci://asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/secrets-store-csi-driver-provider-gcp", f.testProjectID),
+ "--version", fmt.Sprintf("0.1.0-%s", f.gcpProviderBranch), "--set", fmt.Sprintf("image.repository=asia-east1-docker.pkg.dev/%s/secrets-store-csi-driver-provider-gcp/provider-image", f.testProjectID),
+ "--set", fmt.Sprintf("image.tag=%s", f.gcpProviderBranch), "--set", fmt.Sprintf("secrets-store-csi-driver.tokenRequests[0].audience=%s.svc.id.goog", f.testProjectID), "--namespace", "kube-system" )))
 
  // Create test secret
  secretFile := filepath.Join(f.tempDir, "secretValue")
@@ -494,3 +506,4 @@ func TestMountRotateSecret(t *testing.T) {
  t.Fatalf("Secret value is %v, want: %v", got, secretB)
  }
 }
+

test/e2e/templates/provider-gcp-plugin-wif.yaml.tmpl

@@ -86,7 +86,7 @@ spec:
  serviceAccountName: secrets-store-csi-driver-provider-gcp
  containers:
  - name: provider
- image: gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$GCP_PROVIDER_SHA
+ image: asia-east1-dev.pkg/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$GCP_PROVIDER_SHA
  args:
  - "-v=5"
  imagePullPolicy: Always

test/e2e/templates/provider-gcp-plugin.yaml.tmpl

@@ -69,7 +69,7 @@ spec:
  serviceAccountName: secrets-store-csi-driver-provider-gcp
  containers:
  - name: provider
- image: gcr.io/$PROJECT_ID/secrets-store-csi-driver-provider-gcp:$GCP_PROVIDER_SHA
+ image: asia-east1-dev.pkg/$PROJECT_ID/secrets-store-csi-driver-provider-gcp/provider-image:$GCP_PROVIDER_SHA
  args:
  - "-v=5"
  imagePullPolicy: Always

test/infra/runner.sh

@@ -26,6 +26,9 @@ export GKE_VERSION=${GKE_VERSION:-STABLE}
 export GCP_PROVIDER_SHA=${GITHUB_SHA:-main}
 export USE_GKE_GCLOUD_AUTH_PLUGIN=True
 
+# Creating a new repository secrets-store-csi-driver-provider-gcp
+gcloud artifacts repositories create secrets-store-csi-driver-provider-gcp --repository-format=docker --location=asia-east1 
+
 # Build the driver image
 gcloud builds submit --config scripts/cloudbuild-dev.yaml --substitutions=TAG_NAME=${GCP_PROVIDER_SHA} --project $PROJECT_ID