Merge remote-tracking branch 'kubernetes/master' into sync-master

Author: pierreprinetti

Dockerfile

@@ -14,19 +14,19 @@
 ##                               BUILD ARGS                                   ##
 ################################################################################
 # This build arg allows the specification of a custom Golang image.
-ARG GOLANG_IMAGE=golang:1.20.1
+ARG GOLANG_IMAGE=golang:1.20.3
 
 # The distroless image on which the CPI manager image is built.
 #
 # Please do not use "latest". Explicit tags should be used to provide
 # deterministic builds. Follow what kubernetes uses to build
-# kube-controller-manager, for example for 1.23.x:
-# https://github.com/kubernetes/kubernetes/blob/release-1.24/build/common.sh#L94
-ARG DISTROLESS_IMAGE=k8s.gcr.io/build-image/go-runner:v2.3.1-go1.20.1-bullseye.0
+# kube-controller-manager, for example for 1.27.x:
+# https://github.com/kubernetes/kubernetes/blob/release-1.27/build/common.sh#L99
+ARG DISTROLESS_IMAGE=registry.k8s.io/build-image/go-runner:v2.3.1-go1.20.3-bullseye.0
 
 # We use Alpine as the source for default CA certificates and some output
 # images
-ARG ALPINE_IMAGE=alpine:3.15.4
+ARG ALPINE_IMAGE=alpine:3.17.3
 
 # cinder-csi-plugin uses Debian as a base image
 ARG DEBIAN_IMAGE=registry.k8s.io/build-image/debian-base:bullseye-v1.4.3

charts/cinder-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.27.0-alpha.1
+appVersion: v1.27.1
 description: Cinder CSI Chart for OpenStack
 name: openstack-cinder-csi
-version: 2.27.0-alpha.1
+version: 2.28.0-alpha.2
 home: https://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/cinder-csi-plugin/values.yaml

@@ -8,36 +8,36 @@ csi:
   attacher:
     image:
       repository: registry.k8s.io/sig-storage/csi-attacher
-      tag: v4.0.0
+      tag: v4.2.0
       pullPolicy: IfNotPresent
     resources: {}
     extraArgs: {}
   provisioner:
     topology: "true"
     image:
       repository: registry.k8s.io/sig-storage/csi-provisioner
-      tag: v3.4.0
+      tag: v3.4.1
       pullPolicy: IfNotPresent
     resources: {}
     extraArgs: {}
   snapshotter:
     image:
       repository: registry.k8s.io/sig-storage/csi-snapshotter
-      tag: v6.1.0
+      tag: v6.2.1
       pullPolicy: IfNotPresent
     resources: {}
     extraArgs: {}
   resizer:
     image:
       repository: registry.k8s.io/sig-storage/csi-resizer
-      tag: v1.6.0
+      tag: v1.7.0
       pullPolicy: IfNotPresent
     resources: {}
     extraArgs: {}
   livenessprobe:
     image:
       repository: registry.k8s.io/sig-storage/livenessprobe
-      tag: v2.8.0
+      tag: v2.9.0
       pullPolicy: IfNotPresent
     failureThreshold: 5
     initialDelaySeconds: 10

charts/manila-csi-plugin/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
-appVersion: v1.27.0-alpha.1
+appVersion: v1.27.1
 description: Manila CSI Chart for OpenStack
 name: openstack-manila-csi
-version: 2.27.0-alpha.1
+version: 2.28.0-alpha.2
 home: http://github.com/kubernetes/cloud-provider-openstack
 icon: https://github.com/kubernetes/kubernetes/blob/master/logo/logo.png
 maintainers:

charts/openstack-cloud-controller-manager/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v1
-appVersion: v1.27.0-alpha.1
+appVersion: v1.27.1
 description: Openstack Cloud Controller Manager Helm Chart
 icon: https://object-storage-ca-ymq-1.vexxhost.net/swift/v1/6e4619c416ff4bd19e1c087f27a43eea/www-images-prod/openstack-logo/OpenStack-Logo-Vertical.png
 home: https://github.com/kubernetes/cloud-provider-openstack
 name: openstack-cloud-controller-manager
-version: 2.27.0-alpha.1
+version: 2.28.0-alpha.3
 maintainers:
   - name: eumel8
     email: [email protected]

charts/openstack-cloud-controller-manager/templates/daemonset.yaml

@@ -95,6 +95,9 @@ spec:
       initContainers: {{ toYaml .Values.extraInitContainers | nindent 6 }}
       {{- end }}
       hostNetwork: true
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
       volumes:
       - name: cloud-config-volume
         secret:

charts/openstack-cloud-controller-manager/values.yaml

@@ -98,6 +98,10 @@ cloudConfig:
   blockStorage:
   metadata:
 
+## Pod priority settings
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+priorityClassName:
+
 # The following three volumes are required to use all OCCM controllers,
 # but might not be needed if you just use a specific controller
 # Additional volumes that should be available to the pods:

cloudbuild.yaml

@@ -29,8 +29,7 @@ steps:
       /buildx-entrypoint version
 
       make push-multiarch-images \
-        REGISTRY=gcr.io/$PROJECT_ID \
-        VERSION=$_SHORT_TAG
+        REGISTRY=gcr.io/$PROJECT_ID
 substitutions:
   # _GIT_TAG will be filled with a git-based tag for the image, of the form
   # vYYYYMMDD-hash, and can be used as a substitution

docs/barbican-kms-plugin/using-barbican-kms-plugin.md

@@ -17,10 +17,14 @@ It is recommended to read following kubernetes documents
 * [Encrypting Secret Data at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#verifying-that-data-is-encrypted)  
 * [Using a KMS provider for data encryption](https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/)
 
+
 ## Installation Steps
+
 The following installation steps assumes that you have a Kubernetes cluster(v1.10+) running on OpenStack Cloud.
 
-1. Create 256bit(32 byte) cbc key and store in barbican
+
+### Create 256bit(32 byte) cbc key and store in barbican
+
 ```
 $ openstack secret order create --name k8s_key --algorithm aes --mode cbc --bit-length 256 --payload-content-type=application/octet-stream key
 +----------------+-----------------------------------------------------------------------+
@@ -37,7 +41,8 @@ $ openstack secret order create --name k8s_key --algorithm aes --mode cbc --bit-
 +----------------+----------------------------------------------------------------------+
 ```
 
-2. Get the Key Id, It is the uuid in *Secret href*
+### Get the Key ID, It is the **uuid** in *Secret href*
+
 ```
 $ openstack secret order get http://hostname:9311/v1/orders/e477a578-4a46-4c3f-b071-79e220207b0e
  +----------------+-----------------------------------------------------------------------+
@@ -54,39 +59,39 @@ $ openstack secret order get http://hostname:9311/v1/orders/e477a578-4a46-4c3f-b
 +----------------+-----------------------------------------------------------------------+
 ```
 
-3. Add the key-id in your cloud-config file
-```
+
+### Add the Key ID in your cloud-config file
+
+```toml
 [Global]
-username = <username>
-password = <password>
-domain-name = <domain-name>
-auth-url =  <keystone-url>
-tenant-id = <project-id>
-region = <region>
+username = "<username>"
+password = "<password>"
+domain-name = "<domain-name>"
+auth-url = "<keystone-url>"
+tenant-id = "<project-id>"
+region = "<region>"
 
 [KeyManager]
-key-id = <key-id>
+key-id = "<key-id>"
 ```
 
-4. Clone the cloud-provider-openstack repo and build the docker image for barbican-kms-plugin in architecture amd64
-```
-$ git clone https://github.com/kubernetes/cloud-provider-openstack.git $GOPATH/k8s.io/src/
-$ cd $GOPATH/k8s.io/src/cloud-provider-openstack/
-$ export ARCH=amd64
-$ export VERSION=latest
-$ make image-barbican-kms-plugin
-```
 
-5. Run the KMS Plugin in docker container
-```
-$ docker run -d --volume=/var/lib/kms:/var/lib/kms \
---volume=/etc/kubernetes:/etc/kubernetes \
--e socketpath=/var/lib/kms/kms.sock \
--e cloudconfig=/etc/kubernetes/cloud-config \
-registry.k8s.io/provider-os/barbican-kms-plugin:v1.27.0-alpha.0
+### Run the KMS Plugin in your cluster
+
+This will provide a socket at `/var/lib/kms/kms.sock` on each of the control
+plane node
 ```
-6. Create /etc/kubernetes/encryption-config.yaml
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/cloud-provider-openstack/master/manifests/barbican-kms/ds.yaml
 ```
+*recommendation:* Use the tag corresponding to your Kubernetes release, for
+example `release-1.25` for kubernetes version 1.25.
+
+
+### Create encrytion configuration
+
+Create `/etc/kubernetes/encryption-config.yaml` on each of your control plane
+nodes
+```yaml
 kind: EncryptionConfig
 apiVersion: v1
 resources:
@@ -98,12 +103,44 @@ resources:
         endpoint: unix:///var/lib/kms/kms.sock
         cachesize: 100
     - identity: {}
- ```
-7. Enable --experimental-encryption-provider-config flag in kube-apiserver and restart it.
 ```
---experimental-encryption-provider-config=/etc/kubernetes/encryption-config.yaml
+
+
+### Update the API server
+
+On each of your control plane nodes you need to edit the kube-apiserver, the
+configuration is usually found at
+`/etc/kubernetes/manifests/kube-apiserver.yaml`. You can just edit it and
+kubernetes will eventually restart the pod with the new configuration.
+
+Add the following volumes and volume mounts to the `kube-apiserver.yaml`
+```yaml
+spec:
+  containers:
+  - command:
+    - kube-apiserver
+    - --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
+    ...
+    volumeMounts:
+    - mountPath: /var/lib/kms/kms.sock
+      name: kms-sock
+    - mountPath: /etc/kubernetes/encryption.yaml
+      name: encryption-config
+      readOnly: true
+  ...
+  volumes:
+  - hostPath:
+      path: /var/lib/kms/kms.sock
+      type: Socket
+    name: kms-sock
+  - hostPath:
+      path: /etc/kubernetes/encryption.yaml
+      type: File
+    name: encryption-config
+  ...
 ```
 
+
 ### Verify
 [Verify the secret data is encrypted](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#verifying-that-data-is-encrypted
 )

docs/keystone-auth/using-keystone-webhook-authenticator-and-authorizer.md

@@ -252,7 +252,7 @@ it as a service. There are several things we need to notice in the
 deployment manifest:
 
 - We are using image
-  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.27.0-alpha.0`
+  `registry.k8s.io/provider-os/k8s-keystone-auth:v1.27.1`
 - We use `k8s-auth-policy` configmap created above.
 - The pod uses service account `keystone-auth` created above.
 - We use `keystone-auth-certs` secret created above to inject the