Anish Ramasekar aramase

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: list-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  # the verbs list is cut off in the gist preview
@aramase
aramase / README.md
Last active March 15, 2024 22:38
secrets-sync-controller

Secret Sync Controller

This is a Kubernetes controller that watches for changes to a custom resource and syncs secrets from an external secrets store into Kubernetes Secrets. This is useful for syncing secrets across multiple namespaces and for making sure the secrets are still available when the cluster is offline.

NOTE: This code is at an experimental stage and is not recommended for production use. The implementation is currently a pull request in the secrets-store-csi-driver repository and is being reviewed by the community.

Description

This proposal is a departure from the current design of the Secrets Store CSI driver. Based on feedback, some users want the CSI driver to sync the secret store objects as Kubernetes Secrets without a mount, instead of the tight coupling between the mount and the sync that exists today.

@aramase
aramase / kmsv2_with_tracing.txt
Last active October 26, 2023 21:31
Benchmarking for KMSv2 tracing
goos: linux
goarch: amd64
pkg: k8s.io/kubernetes/test/integration/controlplane/transformation
cpu: AMD EPYC 7763 64-Core Processor
BenchmarkKMSv2REST-8 1 21497622897 ns/op 27747569264 B/op 3422094 allocs/op
BenchmarkKMSv2REST-8 1 21135845506 ns/op 27742618200 B/op 3402804 allocs/op
BenchmarkKMSv2REST-8 1 21673067043 ns/op 27736553824 B/op 3398383 allocs/op
BenchmarkKMSv2REST-8 1 21931368888 ns/op 27742958960 B/op 3400567 allocs/op
BenchmarkKMSv2REST-8 1 22107876172 ns/op 27740853328 B/op 3404301 allocs/op
BenchmarkKMSv2REST-8 1 21306196853 ns/op 27742975296 B/op 3401799 allocs/op
@aramase
aramase / play-cel-go.go
Created May 22, 2023 21:43
Play with cel-go
package examples

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/google/cel-go/cel"
	"github.com/google/cel-go/common/types"
	"github.com/google/cel-go/common/types/ref"
)
@aramase
aramase / kube-apiserver-metrics.txt
Created May 5, 2023 21:18
API server metrics from KMSv2 CI
# HELP aggregator_openapi_v2_regeneration_count [ALPHA] Counter of OpenAPI v2 spec regeneration count broken down by causing APIService name and reason.
# TYPE aggregator_openapi_v2_regeneration_count counter
aggregator_openapi_v2_regeneration_count{apiservice="*",reason="startup"} 0
aggregator_openapi_v2_regeneration_count{apiservice="k8s_internal_local_delegation_chain_0000000002",reason="update"} 0
aggregator_openapi_v2_regeneration_count{apiservice="v1alpha1.wardle.example.com",reason="add"} 0
aggregator_openapi_v2_regeneration_count{apiservice="v1alpha1.wardle.example.com",reason="delete"} 0
aggregator_openapi_v2_regeneration_count{apiservice="v1alpha1.wardle.example.com",reason="update"} 0
# HELP aggregator_openapi_v2_regeneration_duration [ALPHA] Gauge of OpenAPI v2 spec regeneration duration in seconds.
# TYPE aggregator_openapi_v2_regeneration_duration gauge
aggregator_openapi_v2_regeneration_duration{reason="add"} 0.126884566
@aramase
aramase / testresults
Created March 9, 2022 21:39
Dual-stack e2e tests with CAPZ
anramase in kubernetes at zephyr01 on  master [$] using ☁️ default/ at ☸️ v1.23.3 capi-dual-stack-admin@capi-dual-stack
➜ _output/local/bin/linux/amd64/e2e.test --ginkgo.focus="Feature:IPv6DualStack"
Mar 9 21:22:36.364: INFO: The --provider flag is not set. Continuing as if --provider=skeleton had been used.
I0309 21:22:36.364801 1291071 e2e.go:129] Starting e2e run "60748a1e-411f-40ab-ae2c-a62723119fe1" on Ginkgo node 1
{"msg":"Test Suite starting","total":22,"completed":0,"skipped":0,"failed":0}
Running Suite: Kubernetes e2e suite
===================================
Random Seed: 1646860956 - Will randomize all specs
Will run 22 of 7119 specs
@aramase
aramase / london.json
Created August 6, 2021 07:04
Sample API model for creating a Kubernetes cluster with london
{
  "apiVersion": "vlabs",
  "properties": {
    "featureFlags": {
      "enableLondon": true
    },
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "orchestratorRelease": "1.21",
      "kubernetesConfig": {
@aramase
aramase / Feature-SetRetryAfterHeader.md
Last active July 23, 2021 19:20
How to enable set-retry-after-header feature in aad-pod-identity v1.8.2

AAD Pod Identity v1.8.2-rc.0 adds a new feature flag that enables setting the Retry-After header in the error response from NMI. The error is returned only when the identity is still being assigned by NMI or no valid AzureAssignedIdentity has been found yet. This enables SDKs to retry based on the HTTP 503 status code and the Retry-After header.

When enabling this feature, the default retries in NMI should be explicitly disabled so that retries are left to the SDK.

  1. Change the NMI image to mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.2-rc.0

https://github.com/Azure/aad-pod-identity/blob/9e31f9cc308e1c091da0557920fe13f74c8a1c43/deploy/infra/deployment-rbac.yaml#L478

  2. Append these args to the NMI container
using Microsoft.Identity.Client;
using System;
using System.Threading;
using System.Collections.Generic;

namespace aramase.test
{
    public class Program
    {
        static void Main(string[] args)
root@kind-control-plane:/# cat /var/log/containers/kube-apiserver-kind-control-plane_kube-system_kube-apiserver-9cdc4e13d5db46b8bbc2fd7f79782b84c11346793cd30b2f22fb125ee7c23474.log
2021-02-20T00:25:48.4408056Z stderr F Flag --insecure-port has been deprecated, This flag has no effect now and will be removed in v1.24.
2021-02-20T00:25:48.440882Z stderr F I0220 00:25:48.440675 1 server.go:632] external host was not specified, using 172.19.0.2
2021-02-20T00:25:48.4417801Z stderr F I0220 00:25:48.441541 1 server.go:182] Version: v1.20.2
2021-02-20T00:25:49.3579749Z stderr F I0220 00:25:49.357683 1 plugins.go:158] Loaded 12 mutating admission controller(s) successfully in the following order: NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,RuntimeClass,DefaultIngressClass,MutatingAdmissionWebhook.
2021-02-20T00:25:49.3580175Z stderr F I0220 00:25:49.357736 1 plugins.go:161]