Remove controller changes

Makefile

@@ -432,7 +432,7 @@ e2e-helm-deploy:
 		--set linux.enabled=true \
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
-		--set rotationPollInterval=1m \
+		--set rotationPollInterval=30s \
 		--set tokenRequests[0].audience="aud1" \
 		--set tokenRequests[1].audience="aud2" \
 		--set tokenRequests[2].audience="conjur" \
@@ -459,7 +459,7 @@ e2e-helm-deploy-release:
 		--set linux.enabled=true \
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
-		--set rotationPollInterval=1m \
+		--set rotationPollInterval=30s \
 		--set tokenRequests[0].audience="api://AzureADTokenExchange"
 
 .PHONY: e2e-kind-cleanup

manifest_staging/charts/secrets-store-csi-driver/templates/csidriver.yaml

@@ -11,7 +11,6 @@ spec:
   volumeLifecycleModes: 
   - Ephemeral
   {{- if and (semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version) .Values.tokenRequests }}
-  requiresRepublish: true
   tokenRequests:
     {{- toYaml .Values.tokenRequests | nindent 2 }}
   {{- end }}

manifest_staging/deploy/csidriver.yaml

@@ -7,4 +7,3 @@ spec:
   attachRequired: false
   volumeLifecycleModes:
   - Ephemeral
-  requiresRepublish: true

test/bats/aws.bats

@@ -81,7 +81,7 @@ teardown_file() {
    [[ "${result//$'\r'}" == "BeforeRotation" ]]
 
    aws ssm put-parameter --name $PM_ROTATION_TEST_NAME --value AfterRotation --type SecureString --overwrite --region $REGION
-   sleep 300
+   sleep 40
    result=$(kubectl --namespace $NAMESPACE exec $POD_NAME -- cat /mnt/secrets-store/$PM_ROTATION_TEST_NAME)
    [[ "${result//$'\r'}" == "AfterRotation" ]]
 }
@@ -91,7 +91,7 @@ teardown_file() {
    [[ "${result//$'\r'}" == "BeforeRotation" ]]
 
    aws secretsmanager put-secret-value --secret-id $SM_ROT_TEST_NAME --secret-string AfterRotation --region $REGION
-   sleep 300
+   sleep 40
    result=$(kubectl --namespace $NAMESPACE exec $POD_NAME -- cat /mnt/secrets-store/$SM_ROT_TEST_NAME)
    [[ "${result//$'\r'}" == "AfterRotation" ]]
 }

test/bats/azure.bats

@@ -3,7 +3,7 @@
 load helpers
 
 BATS_TESTS_DIR=test/bats/tests/azure
-WAIT_TIME=100
+WAIT_TIME=60
 SLEEP_TIME=1
 NAMESPACE=default
 PROVIDER_NAMESPACE=kube-system
@@ -73,10 +73,6 @@ setup() {
 
   result=$(kubectl exec secrets-store-inline-crd -n $NAMESPACE -- cat /mnt/secrets-store/$SECRET_NAME)
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
-
-  sleep 20
-
-  archive_info
 }
 
 @test "CSI inline volume test with pod portability - unmount succeeds" {
@@ -165,14 +161,10 @@ setup() {
 
   envsubst < $BATS_TESTS_DIR/deployment-synck8s-azure.yaml | kubectl apply -n test-ns -f -
 
-  kubectl wait --for=condition=Ready --timeout=120s pod -l app=busybox -n test-ns
-
-  sleep 10
-  archive_info
+  kubectl wait --for=condition=Ready --timeout=60s pod -l app=busybox -n test-ns
 }
 
 @test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences" {
-  sleep 300
   POD=$(kubectl get pod -l app=busybox -n test-ns -o jsonpath="{.items[0].metadata.name}")
 
   result=$(kubectl exec -n test-ns $POD -- cat /mnt/secrets-store/secretalias)
@@ -227,7 +219,7 @@ setup() {
 @test "deploy pod with multiple secret provider class" {
   envsubst < $BATS_TESTS_DIR/pod-azure-inline-volume-multiple-spc.yaml | kubectl apply -n $NAMESPACE -f -
 
-  kubectl wait --for=condition=Ready --timeout=180s pod/secrets-store-inline-multiple-crd -n $NAMESPACE
+  kubectl wait --for=condition=Ready --timeout=60s pod/secrets-store-inline-multiple-crd -n $NAMESPACE
 
   run kubectl get pod/secrets-store-inline-multiple-crd -n $NAMESPACE
   assert_success

test/bats/conjur.bats

@@ -113,7 +113,7 @@ EXPECTED_PASSWORD="SecretPassword1234!"
 
   # Update the secret value and wait for rotation interval
   kubectl -n conjur exec conjur-cli-pod -- conjur variable set -i db-credentials/username -v rotated_value
-  sleep 300
+  sleep 40
 
   # Verify rotated value
   result=$(kubectl exec secrets-store-inline-rotation -- cat /mnt/secrets-store/relative/path/username)

test/bats/e2e-provider.bats

@@ -53,7 +53,6 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   log_secrets_store_api_version
   log_token_requests_audience
-  log_csi_driver
 }
 
 
@@ -134,7 +133,6 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   result=$(kubectl exec secrets-store-inline-crd -n test-v1alpha1 -- cat /mnt/secrets-store/$SECRET_NAME)
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
-
 }
 
 @test "[v1alpha1] CSI inline volume test with pod portability - read key from pod" {
@@ -150,8 +148,6 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/e2e-provider -o yaml | grep e2e-provider"
   wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
-  log_csi_driver
-  sleep 120
 }
 
 @test "CSI inline volume test with pod portability" {
@@ -161,22 +157,13 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   run kubectl get pod/secrets-store-inline-crd
   assert_success
-
-  sleep 120
-  archive_info
-
 }
 
 @test "CSI inline volume test with pod portability - read secret from pod" {
   wait_for_process $WAIT_TIME $SLEEP_TIME "kubectl exec secrets-store-inline-crd -- cat /mnt/secrets-store/$SECRET_NAME | grep '${SECRET_VALUE}'"
 
   result=$(kubectl exec secrets-store-inline-crd -- cat /mnt/secrets-store/$SECRET_NAME)
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
-
-  # Sleep to allow time for logs to propagate.
-  sleep 10
-
-  archive_info
 }
 
 @test "CSI inline volume test with pod portability - read key from pod" {
@@ -219,14 +206,11 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
   envsubst < $BATS_TESTS_DIR/deployment-two-synck8s-e2e-provider.yaml | kubectl apply -f -
 
   kubectl wait --for=condition=Ready --timeout=90s pod -l app=busybox
-
-  sleep 10
-  archive_info
 }
 
 @test "Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences with multiple owners" {
   POD=$(kubectl get pod -l app=busybox -o jsonpath="{.items[0].metadata.name}")
-  sleep 120
+
   result=$(kubectl exec $POD -- cat /mnt/secrets-store/$SECRET_NAME)
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
@@ -285,14 +269,10 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   envsubst < $BATS_TESTS_DIR/deployment-synck8s-e2e-provider.yaml | kubectl apply -n test-ns -f -
 
-  kubectl wait --for=condition=Ready --timeout=200s pod -l app=busybox -n test-ns
-
-  sleep 10
-  archive_info
+  kubectl wait --for=condition=Ready --timeout=60s pod -l app=busybox -n test-ns
 }
 
 @test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences" {
-  sleep 100
   POD=$(kubectl get pod -l app=busybox -n test-ns -o jsonpath="{.items[0].metadata.name}")
 
   result=$(kubectl exec -n test-ns $POD -- cat /mnt/secrets-store/$SECRET_NAME)
@@ -330,7 +310,7 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
   sleep 5
 
   POD=$(kubectl get pod -l app=busybox -n negative-test-ns -o jsonpath="{.items[0].metadata.name}")
-  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'MountVolume.*failed to get secretproviderclass negative-test-ns/e2e-provider-sync.*not found'"
+  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'FailedMount.*failed to get secretproviderclass negative-test-ns/e2e-provider-sync.*not found'"
   wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
 
   run kubectl delete -f $BATS_TESTS_DIR/deployment-synck8s-e2e-provider.yaml -n negative-test-ns
@@ -352,21 +332,15 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
 
   cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/e2e-provider-spc-1 -o yaml | grep e2e-provider-spc-1"
   wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
-
-  sleep 10
-  archive_info
 }
 
 @test "deploy pod with multiple secret provider class" {
   envsubst < $BATS_TESTS_DIR/pod-e2e-provider-inline-volume-multiple-spc.yaml | kubectl apply -f -
 
-  kubectl wait --for=condition=Ready --timeout=300s pod/secrets-store-inline-multiple-crd
+  kubectl wait --for=condition=Ready --timeout=60s pod/secrets-store-inline-multiple-crd
 
   run kubectl get pod/secrets-store-inline-multiple-crd
   assert_success
-
-  sleep 10
-  archive_info
 }
 
 @test "CSI inline volume test with multiple secret provider class" {
@@ -429,7 +403,7 @@ export VALIDATE_TOKENS_AUDIENCE=$(get_token_requests_audience)
   local pod_ip=$(kubectl get pod -n kube-system -l app=csi-secrets-store-e2e-provider -o jsonpath="{.items[0].status.podIP}")
   run kubectl exec ${curl_pod_name} -n rotation -- curl http://${pod_ip}:8080/rotation?rotated=true
 
-  sleep 100
+  sleep 60
 
   result=$(kubectl exec -n rotation secrets-store-inline-rotation -- cat /mnt/secrets-store/$SECRET_NAME)
   [[ "${result//$'\r'}" == "rotated" ]]

test/bats/helpers.bash

@@ -158,8 +158,3 @@ get_token_requests_audience() {
 log_token_requests_audience() {
   echo "Testing token requests audience $VALIDATE_TOKENS_AUDIENCE" >&3
 }
-
-log_csi_driver() {
-  local secret_csi_driver=$(kubectl describe csidriver secrets-store.csi.k8s.io)
-  echo "${secret_csi_driver}"
-}

test/bats/vault.bats

@@ -93,17 +93,14 @@ EOF
   run kubectl get pod/secrets-store-rotation
   assert_success
 
-  # wait for secrets to be mounted
-  sleep 300
-
   # verify starting value
   result=$(kubectl exec secrets-store-rotation -- cat /mnt/secrets-store/foo)
   [[ "$result" == "start" ]]
 
   # update the secret value
   kubectl exec vault-0 --namespace=vault -- vault kv put secret/rotation foo=rotated
 
-  sleep 300
+  sleep 60
 
   # verify rotated value
   result=$(kubectl exec secrets-store-rotation -- cat /mnt/secrets-store/foo)
@@ -217,7 +214,6 @@ EOF
 
 @test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences" {
   POD=$(kubectl get pod -l app=busybox -n test-ns -o jsonpath="{.items[0].metadata.name}")
-  sleep 120
   result=$(kubectl exec -n test-ns $POD -- cat /mnt/secrets-store/bar)
   [[ "$result" == "hello" ]]
 
@@ -248,7 +244,7 @@ EOF
   kubectl apply -n negative-test-ns -f $BATS_TESTS_DIR/deployment-synck8s.yaml
 
   POD=$(kubectl get pod -l app=busybox -n negative-test-ns -o jsonpath="{.items[0].metadata.name}")
-  cmd="kubectl describe pod $POD -n negative-test-ns | grep '*failed to get secretproviderclass negative-test-ns/vault-foo-sync.*not found'"
+  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'FailedMount.*failed to get secretproviderclass negative-test-ns/vault-foo-sync.*not found'"
   wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
 
   run kubectl delete -f $BATS_TESTS_DIR/deployment-synck8s.yaml -n negative-test-ns
@@ -273,15 +269,13 @@ EOF
 
 @test "deploy pod with multiple secret provider class" {
   kubectl apply -f $BATS_TESTS_DIR/pod-vault-inline-volume-multiple-spc.yaml
-  kubectl wait --for=condition=Ready --timeout=180s pod/secrets-store-inline-multiple-crd
+  kubectl wait --for=condition=Ready --timeout=90s pod/secrets-store-inline-multiple-crd
 
   run kubectl get pod/secrets-store-inline-multiple-crd
   assert_success
 }
 
 @test "CSI inline volume test with multiple secret provider class" {
-  # wait for secret mount
-  sleep 180
   result=$(kubectl exec secrets-store-inline-multiple-crd -- cat /mnt/secrets-store-0/bar)
   [[ "$result" == "hello" ]]