diff --git a/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml b/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
index bff6577b34..957cb3a182 100644
--- a/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
+++ b/charts/aws-ebs-csi-driver/templates/clusterrole-attacher.yaml
@@ -5,22 +5,22 @@ metadata:
 name: ebs-external-attacher-role
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "nodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "csi.storage.k8s.io" ]
- resources: [ "csinodeinfos" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments/status" ]
- verbs: [ "patch" ]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+# END AUTOGENERATED RULES
 {{- with .Values.sidecars.attacher.additionalClusterRoleRules }}
 {{- . | toYaml | nindent 2 }}
 {{- end }}
diff --git a/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml b/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
index cb69cc8d3e..d31e48476f 100644
--- a/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
+++ b/charts/aws-ebs-csi-driver/templates/clusterrole-provisioner.yaml
@@ -5,37 +5,50 @@ metadata:
 name: ebs-external-provisioner-role
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "create", "patch", "delete" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims" ]
- verbs: [ "get", "list", "watch", "update" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "storageclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshots" ]
- verbs: [ "get", "list" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents" ]
- verbs: [ "get", "list" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "csinodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "nodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattributesclasses" ]
- verbs: [ "get" ]
+ # The following rule should be uncommented for plugins that require secrets
+ # for provisioning.
+ # - apiGroups: [""]
+ # resources: ["secrets"]
+ # verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ # Access to volumeattachments is only needed when the CSI driver
+ # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
+ # In that case, external-provisioner will watch volumeattachments
+ # to determine when it is safe to delete a volume.
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch"]
+# END AUTOGENERATED RULES
+ # Extra rule: VAC rules not present in upstream example
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattributesclasses"]
+ verbs: ["get"]
 {{- with .Values.sidecars.provisioner.additionalClusterRoleRules }}
 {{- . | toYaml | nindent 2 }}
 {{- end }}
diff --git a/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml b/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
index 81858af34f..36b69eabc5 100644
--- a/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
+++ b/charts/aws-ebs-csi-driver/templates/clusterrole-resizer.yaml
@@ -5,33 +5,34 @@ metadata:
 name: ebs-external-resizer-role
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
 # The following rule should be uncommented for plugins that require secrets
 # for provisioning.
 # - apiGroups: [""]
 # resources: ["secrets"]
 # verbs: ["get", "list", "watch"]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims/status" ]
- verbs: [ "update", "patch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "storageclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "pods" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattributesclasses" ]
- verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ # only required if enabling the alpha volume modify feature
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattributesclasses"]
+ verbs: ["get", "list", "watch"]
+# END AUTOGENERATED RULES
 {{- with .Values.sidecars.resizer.additionalClusterRoleRules }}
 {{- . | toYaml | nindent 2 }}
 {{- end }}
diff --git a/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml b/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
index 697e818d98..be6d9a2345 100644
--- a/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
+++ b/charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml
@@ -5,26 +5,41 @@ metadata:
 name: ebs-external-snapshotter-role
 labels:
 {{- include "aws-ebs-csi-driver.labels" . | nindent 4 }}
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
 # Secret permission is optional.
 # Enable it if your driver needs secret.
 # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
 # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
- # - apiGroups: [ "" ]
- # resources: [ "secrets" ]
- # verbs: [ "get", "list" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents" ]
- verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents/status" ]
- verbs: [ "update", "patch" ]
+ # - apiGroups: [""]
+ # resources: ["secrets"]
+ # verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch", "create"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "update", "patch", "create"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources:
["volumegroupsnapshotcontents"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents/status"]
+ verbs: ["update", "patch"]
+# END AUTOGENERATED RULES
 {{- with .Values.sidecars.snapshotter.additionalClusterRoleRules }}
 {{- . | toYaml | nindent 2 }}
 {{- end }}
diff --git a/deploy/kubernetes/base/clusterrole-attacher.yaml b/deploy/kubernetes/base/clusterrole-attacher.yaml
index be5e471bd8..ad1d4b51a7 100644
--- a/deploy/kubernetes/base/clusterrole-attacher.yaml
+++ b/deploy/kubernetes/base/clusterrole-attacher.yaml
@@ -6,19 +6,19 @@ metadata:
 name: ebs-external-attacher-role
 labels:
 app.kubernetes.io/name: aws-ebs-csi-driver
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "nodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "csi.storage.k8s.io" ]
- resources: [ "csinodeinfos" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments/status" ]
- verbs: [ "patch" ]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments/status"]
+ verbs: ["patch"]
+# END AUTOGENERATED RULES
diff --git a/deploy/kubernetes/base/clusterrole-provisioner.yaml b/deploy/kubernetes/base/clusterrole-provisioner.yaml
index 8fc17effad..2fc45848d2 100644
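Review bot: In charts/aws-ebs-csi-driver/templates/clusterrole-snapshotter.yaml the regenerated block widens the snapshotter sidecar's cluster-wide access: it gains `get`/`list`/`watch`/`update`/`patch`/`create` on `volumesnapshots` and three `groupsnapshot.storage.k8s.io` rules that the previous role did not grant, and it drops `delete` on `volumesnapshotcontents`. These rules are copied from the upstream example RBAC, so they are granted whether or not this chart uses group snapshots, and a hand-trimmed rule between the markers would be replaced on the next regeneration. I would record that in the comment above the BEGIN marker, which the generator keeps, e.g. `# Rules are copied from the upstream sidecar example RBAC; review every added verb and resource when regenerating`, and confirm that the snapshotter version shipped by the chart no longer needs the dropped `delete` verb. The same applies to the deploy/kubernetes/base/clusterrole-snapshotter.yaml hunk.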
--- a/deploy/kubernetes/base/clusterrole-provisioner.yaml
+++ b/deploy/kubernetes/base/clusterrole-provisioner.yaml
@@ -6,34 +6,47 @@ metadata:
 name: ebs-external-provisioner-role
 labels:
 app.kubernetes.io/name: aws-ebs-csi-driver
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "create", "patch", "delete" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims" ]
- verbs: [ "get", "list", "watch", "update" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "storageclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshots" ]
- verbs: [ "get", "list" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents" ]
- verbs: [ "get", "list" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "csinodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "nodes" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattachments" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattributesclasses" ]
- verbs: [ "get" ]
+ # The following rule should be uncommented for plugins that require secrets
+ # for provisioning.
+ # - apiGroups: [""]
+ # resources: ["secrets"]
+ # verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "patch", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["csinodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ # Access to volumeattachments is only needed when the CSI driver
+ # has the PUBLISH_UNPUBLISH_VOLUME controller capability.
+ # In that case, external-provisioner will watch volumeattachments
+ # to determine when it is safe to delete a volume.
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch"]
+# END AUTOGENERATED RULES
+ # Extra rule: VAC rules not present in upstream example
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattributesclasses"]
+ verbs: ["get"]
diff --git a/deploy/kubernetes/base/clusterrole-resizer.yaml b/deploy/kubernetes/base/clusterrole-resizer.yaml
index c4a2acc9b8..4b8a9b0005 100644
--- a/deploy/kubernetes/base/clusterrole-resizer.yaml
+++ b/deploy/kubernetes/base/clusterrole-resizer.yaml
@@ -6,30 +6,31 @@ metadata:
 name: ebs-external-resizer-role
 labels:
 app.kubernetes.io/name: aws-ebs-csi-driver
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
 # The following rule should be uncommented for plugins that require secrets
 # for provisioning.
 # - apiGroups: [""]
 # resources: ["secrets"]
 # verbs: ["get", "list", "watch"]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumes" ]
- verbs: [ "get", "list", "watch", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "persistentvolumeclaims/status" ]
- verbs: [ "update", "patch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "storageclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
- - apiGroups: [ "" ]
- resources: [ "pods" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "storage.k8s.io" ]
- resources: [ "volumeattributesclasses" ]
- verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "patch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims/status"]
+ verbs: ["patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ # only required if enabling the alpha volume modify feature
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattributesclasses"]
+ verbs: ["get", "list", "watch"]
+# END AUTOGENERATED RULES
diff --git a/deploy/kubernetes/base/clusterrole-snapshotter.yaml b/deploy/kubernetes/base/clusterrole-snapshotter.yaml
index 88309855a6..7760afc0a5 100644
--- a/deploy/kubernetes/base/clusterrole-snapshotter.yaml
+++ b/deploy/kubernetes/base/clusterrole-snapshotter.yaml 
@@ -6,23 +6,38 @@ metadata:
 name: ebs-external-snapshotter-role
 labels:
 app.kubernetes.io/name: aws-ebs-csi-driver
+# Do not modify the rules below manually, see `make update-sidecar-dependencies`
+# BEGIN AUTOGENERATED RULES
 rules:
- - apiGroups: [ "" ]
- resources: [ "events" ]
- verbs: [ "list", "watch", "create", "update", "patch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
 # Secret permission is optional.
 # Enable it if your driver needs secret.
 # For example, `csi.storage.k8s.io/snapshotter-secret-name` is set in VolumeSnapshotClass.
 # See https://kubernetes-csi.github.io/docs/secrets-and-credentials.html for more details.
- # - apiGroups: [ "" ]
- # resources: [ "secrets" ]
- # verbs: [ "get", "list" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotclasses" ]
- verbs: [ "get", "list", "watch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents" ]
- verbs: [ "create", "get", "list", "watch", "update", "delete", "patch" ]
- - apiGroups: [ "snapshot.storage.k8s.io" ]
- resources: [ "volumesnapshotcontents/status" ]
- verbs: [ "update", "patch" ]
+ # - apiGroups: [""]
+ # resources: ["secrets"]
+ # verbs: ["get", "list"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update", "patch", "create"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["get", "list", "watch", "update", "patch", "create"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents/status"]
+ verbs: ["update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources:
["volumegroupsnapshotcontents"]
+ verbs: ["get", "list", "watch", "update", "patch"]
+ - apiGroups: ["groupsnapshot.storage.k8s.io"]
+ resources: ["volumegroupsnapshotcontents/status"]
+ verbs: ["update", "patch"]
+# END AUTOGENERATED RULES
diff --git a/hack/release-scripts/generate-sidecar-tags b/hack/release-scripts/generate-sidecar-tags
index 8143ea12d7..3056845956 100755
--- a/hack/release-scripts/generate-sidecar-tags
+++ b/hack/release-scripts/generate-sidecar-tags
@@ -75,13 +75,29 @@ update_gcr_kustomize_sidecar_tag() { $SED -i "\|$line_above|{n;s/.*/ newTag: $tag/;}" "$KUSTOMIZE_FILEPATH" } -update_helm_chart_sidecar_tag() { +update_helm_chart_sidecar() { sidecar_name=$1 export TAG TAG=$(yq ".sidecars.$sidecar_name.tag" "$IMAGE_DIGESTS_FILEPATH") log "Updating helm $sidecar_name sidecar to $TAG" yq ".sidecars.$sidecar_name.image.tag = env(TAG)" -i "$HELM_VALUES_FILEPATH" + + # Update RBAC from upstream sidecar git repos + sidecar_repo="$(yq .sidecars.$sidecar_name.repo $IMAGE_DIGESTS_FILEPATH)" + rbac_tag="${TAG%%-*}" + if [[ "${sidecar_repo}" != "null" ]]; then + rbac_temp_dir="$(mktemp -d)" + trap 'rm -rf "${rbac_temp_dir}"' EXIT + + log "Updating ${sidecar_name} RBAC from ${sidecar_repo} at ${rbac_tag}" + git clone "${sidecar_repo}" "${rbac_temp_dir}" --depth 1 --branch "${rbac_tag}" --quiet + rbac_source="${rbac_temp_dir}/$(yq .sidecars.${sidecar_name}.rbacSource ${IMAGE_DIGESTS_FILEPATH})" + rbac_destination="${ROOT_DIRECTORY}/charts/aws-ebs-csi-driver/templates/$(yq .sidecars.${sidecar_name}.rbacDestination ${IMAGE_DIGESTS_FILEPATH})" + # Credit to https://stackoverflow.com/a/46575095 for the sed trick + cat $rbac_source | yq '{"rules": select(.kind == "ClusterRole") | .rules}' | + ${SED} -i "/BEGIN AUTOGENERATED RULES/,/END AUTOGENERATED RULES/!b;//!d;/BEGIN AUTOGENERATED RULES/r /dev/stdin" ${rbac_destination} + fi } generate_gcr_kustomize() {
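Review bot: The `trap 'rm -rf "${rbac_temp_dir}"' EXIT` added inside update_helm_chart_sidecar in hack/release-scripts/generate-sidecar-tags replaces the shell's single EXIT trap on every call, so when the loop in generate_helm_sidecars runs it for several sidecars only the last clone directory is removed, and any EXIT trap the script set earlier (not visible in this hunk) is discarded. The `cat … | yq … | sed -i` pipeline also lets sed delete the current rules before anything confirms that yq produced output: unless `pipefail` is set elsewhere, a yq failure or a source file with no ClusterRole leaves the template with an empty block, and the unquoted `$rbac_source`, `${rbac_destination}` and `$IMAGE_DIGESTS_FILEPATH` word-split on paths containing spaces. I would stage the yq output inside the clone directory, refuse to splice when it is empty, quote the expansions and remove the directory explicitly instead of through the trap. The opening lines of the function are unchanged context in this hunk.

```shell
  sidecar_repo="$(yq ".sidecars.${sidecar_name}.repo" "${IMAGE_DIGESTS_FILEPATH}")"
  # … unchanged: rbac_tag, the "null" check, mktemp -d, log and git clone; the EXIT trap line is dropped …
    rbac_source="${rbac_temp_dir}/$(yq ".sidecars.${sidecar_name}.rbacSource" "${IMAGE_DIGESTS_FILEPATH}")"
    rbac_destination="${ROOT_DIRECTORY}/charts/aws-ebs-csi-driver/templates/$(yq ".sidecars.${sidecar_name}.rbacDestination" "${IMAGE_DIGESTS_FILEPATH}")"
    rbac_rules="${rbac_temp_dir}/rules.yaml"
    yq '{"rules": select(.kind == "ClusterRole") | .rules}' "${rbac_source}" >"${rbac_rules}"
    # Never splice an empty result: sed would delete the current rules and insert nothing.
    if [[ ! -s "${rbac_rules}" ]]; then
      log "No ClusterRole rules found in ${rbac_source}"
      rm -rf "${rbac_temp_dir}"
      return 1
    fi
    # … unchanged: credit comment for the sed expression …
    ${SED} -i "/BEGIN AUTOGENERATED RULES/,/END AUTOGENERATED RULES/!b;//!d;/BEGIN AUTOGENERATED RULES/r /dev/stdin" "${rbac_destination}" <"${rbac_rules}"
    rm -rf "${rbac_temp_dir}"
  fi
```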
@@ -99,7 +115,7 @@ generate_helm_sidecars() { yq '.sidecars | keys | .[]' "$IMAGE_DIGESTS_FILEPATH" >"$tmp_filename" for sidecar in $(cat "$tmp_filename"); do - update_helm_chart_sidecar_tag "$sidecar" + update_helm_chart_sidecar "$sidecar" done log "Success: All sidecar tags in $HELM_VALUES_FILEPATH updated"
diff --git a/hack/release-scripts/get-latest-sidecar-images b/hack/release-scripts/get-latest-sidecar-images
index 6de372f241..1aaa8ca205 100755
--- a/hack/release-scripts/get-latest-sidecar-images
+++ b/hack/release-scripts/get-latest-sidecar-images
@@ -53,15 +53,7 @@ trap 'error_handler ${LINENO} $? "$BASH_COMMAND"' ERR trap 'rm $tmp_filename' EXIT generate_image_digests_file() { - touch "$OUTPUT_FILEPATH" - - yq '.sidecars.snapshotter.image = "public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.attacher.image = "public.ecr.aws/eks-distro/kubernetes-csi/external-attacher"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.provisioner.image = "public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.resizer.image = "public.ecr.aws/eks-distro/kubernetes-csi/external-resizer"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.livenessProbe.image = "public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.nodeDriverRegistrar.image = "public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar"' -i "$OUTPUT_FILEPATH" - yq '.sidecars.volumemodifier.image = "public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s"' -i "$OUTPUT_FILEPATH" + cp "${SCRIPT_PATH}/image-digests-template.yaml" "${OUTPUT_FILEPATH}" } crane_get_latest_image_tag() {
diff --git a/hack/release-scripts/image-digests-template.yaml b/hack/release-scripts/image-digests-template.yaml
new file mode 100644
index 0000000000..a426ebac8c
--- /dev/null
+++ b/hack/release-scripts/image-digests-template.yaml
@@ -0,0 +1,41 @@
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+sidecars:
+ snapshotter:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-snapshotter/csi-snapshotter
+ repo: https://github.com/kubernetes-csi/external-snapshotter
+ rbacSource: deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml
+ rbacDestination: clusterrole-snapshotter.yaml
+ attacher:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-attacher
+ repo: https://github.com/kubernetes-csi/external-attacher
+ rbacSource: deploy/kubernetes/rbac.yaml
+ rbacDestination: clusterrole-attacher.yaml
+ provisioner:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-provisioner
+ repo: https://github.com/kubernetes-csi/external-provisioner
+ rbacSource: deploy/kubernetes/rbac.yaml
+ rbacDestination: clusterrole-provisioner.yaml
+ resizer:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/external-resizer
+ repo: https://github.com/kubernetes-csi/external-resizer
+ rbacSource: deploy/kubernetes/rbac.yaml
+ rbacDestination: clusterrole-resizer.yaml
+ livenessProbe:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/livenessprobe
+ nodeDriverRegistrar:
+ image: public.ecr.aws/eks-distro/kubernetes-csi/node-driver-registrar
+ volumemodifier:
+ image: public.ecr.aws/ebs-csi-driver/volume-modifier-for-k8s
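Review bot: The new `repo`, `rbacSource` and `rbacDestination` keys are undocumented, although they now decide which upstream file is cloned and copied into the chart's ClusterRoles; a comment above `sidecars:` should describe them. I would add `# repo: upstream git repository, cloned at the sidecar's release tag by generate-sidecar-tags`, `# rbacSource: path inside that repository holding the example ClusterRole` and `# rbacDestination: file under charts/aws-ebs-csi-driver/templates/ whose AUTOGENERATED block is replaced`. Because the clone in generate-sidecar-tags is addressed by tag rather than by commit, the generated RBAC diff is the only checkpoint on what upstream content reaches the chart, and the same comment is a good place to say that regenerated rules need review before release.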