All notable changes to secrets-store-csi-driver-provider-gcp will be documented in this file. This file is maintained by humans and is therefore subject to error.
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.2.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.2.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.2.0
Digest: sha256:b7dde5ed536b2c6500c9237e14f6851cf8a2ff6d7a72656c3741be38e2cddf4d
See CHANGELOG.md for more details.
- Per-secret file permissions #182.
arm64
multi-platform image #193.- Fleet Workload Identity (Anthos Bare Metal) Support #190 (read more at docs/fleet-wif-notes.md).
- Many dependencies updated and now built with go 1.20.
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.1.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.1.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.1.0
Digest: sha256:f7fd197984e95f777557ba9f6daef6c578f49bcddd1080fba0fe8f2c19fffd84
- Remove default logging of request/responses. This is intended to make logs less verbose and more actionable. #161
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.0.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.0.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v1.0.0
Digest: sha256:cb491d4af4776ac352aac415676918fa7cd4ef1671e71c579175ef3e2820af09
- No code changes. This release is corresponds with the
v1.0.0
release of the secrets-store-csi-driver. - The deploy yaml no longer includes the
/var/lib/kubelet/pods
HostPath. This was needed when the plugin wrote the files to the pod filesystems but is not used sincev.0.5.0
set-write_secrets=false
.
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.6.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.6.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.6.0
Digest: sha256:2733764e6c008fd5d846f7e8a0795502acdc5c0997aac2effb66f39776386786
-sm_connection_pool_size
and-iam_connection_pool_size
flags added with default value of5
. Added as part of an optimization to reuse the same Secret Manager client across allMount
operations. #94- Secrets can now be written to nested paths. The
path
parameter is also added as an alias forfileName
in theSecretProviderClass
. #125
- The
-write_secrets
flag has been removed. All writes to the pod filesystem will now be done by the CSI driver instead of this plugin. This requiresv0.0.21+
of thesecrets-store-csi-driver
. #98
- Updated dependencies to bring in an updated Secret Manager client with better retry behavior for
RESOURCE_EXHAUSTED
errors. #135 - Updated build to use go1.17 #137
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.5.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.5.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.5.0
Digest: sha256:f2e84e7ae583ae048be54c8083fe6c2708116d540c5955b9ad732ac512d50dd4
- The
-write_secrets
flag defaults tofalse
. This requiresv0.0.21+
of thesecrets-store-csi-driver
. #98 wrote secret
andadded secret to response
log messages moved to level 5 (viewable by setting-v=5
). GoogleCloudPlatform#120
- Specify
auth: provider-adc
in the SecretProviderClass to use application default credentials instead of the mount's pod's workload identity. #101
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.4.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.4.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.4.0
Digest: sha256:d4b3b361dbf41ae407532358ec89510a20fc15d6e9620fd27f281c1e8f6db864
-write_secrets
flag. Set-write_secrets=false
withv0.0.21+
of thesecrets-store-csi-driver
to have the driver write the secrets instead of this provider. This will be made the default inv0.5.0
. #98
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.3.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.3.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.3.0
Digest: sha256:90eeaef1afcbac988fb9f5a96222dff91f79920e9fa1c0d4200688ebc2680622
AccessSecretVersion
is attempted on all secrets in aSecretProviderClass
before returning any errors or writing any data to the filesystem #83. This allows all errors to be reported together.SecretProviderClass
s that attempt to load ~hundreds of secrets may encounter memory pressure issues.
klog
structured logging #80grpc
mount request and response metadata logging #85- Initial prometheus metrics collection #85
livenessProbe
#85- Debugging documentation #85
- Optional pprof debugging endpoint #88
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.2.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.2.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.2.0
Digest: sha256:214f7aec249aaf450106eddd4455221f84283e8df2751ef5c70b6b1a69e598a0
- Cleanup unix domain socket #69
- Validate filenames against regex
[-._a-zA-Z0-9]+
and max length of 253 #74
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.1.0
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.1.0
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin:v0.1.0
Digest: sha256:625419e2104639f16b45a068c05a1da3d9bb9e714a3f3486b0fb11628580b7c8
If you were using a previous version, note that the following resources have been removed and should be deleted from your cluster:
ClusterRoleBinding
:secretproviderclasses-workload-id-rolebinding
ClusterRole
:secretproviderclasses-workload-id-role
These RBAC rules gave the CSI driver the necesssary permissions to perform
workload ID auth. The introduction of the grpc interface will have the plugin
DaemonSet
perform these operations instead.
Driver now requires v0.0.14+ of the CSI driver with:
--grpc-supported-providers=gcp;
set.
- Set Usage Agent String #31
DEBUG
environment variable #40- Support for
nodePublishSecretRef
authentication #58 - Switched to a grpc interface between the driver and plugin #47. This enables support for experimental driver features including periodic re-fetching of secrets.
- Plugin no longer needs to GET pod information #29
- The default installed namespace changed from
default
tokube-system
Images:
asia-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin@sha256:e8b491a72eb3f3337005565470972f41c52a8de47fc5266d6bf3e2a94d88df26
europe-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin@sha256:e8b491a72eb3f3337005565470972f41c52a8de47fc5266d6bf3e2a94d88df26
us-docker.pkg.dev/secretmanager-csi/secrets-store-csi-driver-provider-gcp/plugin@sha256:e8b491a72eb3f3337005565470972f41c52a8de47fc5266d6bf3e2a94d88df26
Digest: sha256:625419e2104639f16b45a068c05a1da3d9bb9e714a3f3486b0fb11628580b7c8
- Initial image built from
8929e57