chore: remove deprecated --filtered-watch-secret flag

filtered watch secret is enabled by default starting from v0.1.0 release. Removing this flag as it's no longer possible for user to disable the filtered watch secret feature. Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
aramase · Nov 9, 2021 · 9750771 · 9750771
1 parent b8312d1
commit 9750771
Show file tree

Hide file tree

Showing 11 changed files with 3 additions and 27 deletions.
diff --git a/.local/Dockerfile b/.local/Dockerfile
@@ -17,4 +17,4 @@ RUN go mod download
 EXPOSE 30123
 
 # these dlv debug arguments replicate driver args from DaemonSet
-ENTRYPOINT ["/go/bin/dlv", "--listen=:30123", "--accept-multiclient", "--headless=true", "--api-version=2", "debug", "./cmd/secrets-store-csi-driver", "--", "-v", "5", "-endpoint", "unix:///csi/csi.sock", "-nodeid", "kind-control-plane", "-enable-secret-rotation", "false", "-rotation-poll-interval", "30s", "-metrics-addr", ":8080", "-provider-volume", "/etc/kubernetes/secrets-store-csi-providers", "-filtered-watch-secret", "false"]
+ENTRYPOINT ["/go/bin/dlv", "--listen=:30123", "--accept-multiclient", "--headless=true", "--api-version=2", "debug", "./cmd/secrets-store-csi-driver", "--", "-v", "5", "-endpoint", "unix:///csi/csi.sock", "-nodeid", "kind-control-plane", "-enable-secret-rotation", "false", "-rotation-poll-interval", "30s", "-metrics-addr", ":8080", "-provider-volume", "/etc/kubernetes/secrets-store-csi-providers"]
diff --git a/Makefile b/Makefile
@@ -431,7 +431,7 @@ e2e-helm-deploy:
 
 .PHONY: e2e-helm-upgrade
 e2e-helm-upgrade:
-	helm upgrade csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --reuse-values --timeout=5m -v=5 --debug --set filteredWatchSecret=true \
+	helm upgrade csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --reuse-values --timeout=5m -v=5 --debug \
 		--set linux.image.repository=$(REGISTRY)/$(IMAGE_NAME) \
 		--set linux.image.tag=$(IMAGE_VERSION) \
 		--set windows.image.repository=$(REGISTRY)/$(IMAGE_NAME) \

diff --git a/cmd/secrets-store-csi-driver/main.go b/cmd/secrets-store-csi-driver/main.go
@@ -62,11 +62,6 @@ var (
 	profilePort          = flag.Int("pprof-port", 6065, "port for pprof profiling")
 	maxCallRecvMsgSize   = flag.Int("max-call-recv-msg-size", 1024*1024*4, "maximum size in bytes of gRPC response from plugins")
 
-	// enable filtered watch for NodePublishSecretRef secrets. The filtering is done on the csi driver label: secrets-store.csi.k8s.io/used=true
-	// For Kubernetes secrets used to provide credentials for use with the CSI driver, set the label by running: kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
-	// This feature is enabled by default starting v0.1.0 and can't be disabled starting v1.0.0 release.
-	filteredWatchSecret = flag.Bool("filtered-watch-secret", true, "enable filtered watch for NodePublishSecretRef secrets with label secrets-store.csi.k8s.io/used=true")
-
 	// Enable optional healthcheck for provider clients that exist in memory
 	providerHealthCheck         = flag.Bool("provider-health-check", false, "Enable health check for configured providers")
 	providerHealthCheckInterval = flag.Duration("provider-health-check-interval", 2*time.Minute, "Provider healthcheck interval duration")
@@ -97,10 +92,6 @@ func main() {
 		}()
 	}
 
-	if !*filteredWatchSecret {
-		klog.Warning("Filtered watch for nodePublishSecretRef secret based on secrets-store.csi.k8s.io/used=true label can't be disabled. The --filtered-watch-secret flag will be deprecated in future releases.")
-	}
-
 	// initialize metrics exporter before creating measurements
 	err := metrics.InitMetricsExporter()
 	if err != nil {

diff --git a/manifest_staging/charts/secrets-store-csi-driver/README.md b/manifest_staging/charts/secrets-store-csi-driver/README.md
@@ -115,7 +115,6 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `syncSecret.enabled`                    | Enable rbac roles and bindings required for syncing to Kubernetes native secrets                                      | false                                                   |
 | `enableSecretRotation`                  | Enable secret rotation feature [alpha]                                                                                | `false`                                                 |
 | `rotationPollInterval`                  | Secret rotation poll interval duration                                                                                | `"120s"`                                                |
-| `filteredWatchSecret`                   | Enable filtered watch for NodePublishSecretRef secrets with label `secrets-store.csi.k8s.io/used=true`                | `true`                                                  |
 | `providerHealthCheck`                   | Enable health check for configured providers                                                                          | `false`                                                 |
 | `providerHealthCheckInterval`           | Provider healthcheck interval duration                                                                                | `2m`                                                    |
 | `imagePullSecrets`                      | One or more secrets to be used when pulling images                                                                    | `""`                                                    |
diff --git a/...t_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml b/...t_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
@@ -87,9 +87,6 @@ spec:
             - "--rotation-poll-interval={{ .Values.rotationPollInterval }}"
             {{- end }}
             - "--metrics-addr={{ .Values.windows.metricsAddr }}"
-            {{- if and (semverCompare ">= v0.0.21-0" .Values.windows.image.tag) .Values.filteredWatchSecret }}
-            - "--filtered-watch-secret={{ .Values.filteredWatchSecret }}"
-            {{- end }}
             {{- if and (semverCompare ">= v0.0.22-0" .Values.windows.image.tag) .Values.providerHealthCheck }}
             - "--provider-health-check={{ .Values.providerHealthCheck }}"
             {{- end }}

diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
@@ -87,9 +87,6 @@ spec:
             - "--rotation-poll-interval={{ .Values.rotationPollInterval }}"
             {{- end }}
             - "--metrics-addr={{ .Values.linux.metricsAddr }}"
-            {{- if and (semverCompare ">= v0.0.21-0" .Values.linux.image.tag) .Values.filteredWatchSecret }}
-            - "--filtered-watch-secret={{ .Values.filteredWatchSecret }}"
-            {{- end }}
             {{- if and (semverCompare ">= v0.0.22-0" .Values.linux.image.tag) .Values.providerHealthCheck }}
             - "--provider-health-check={{ .Values.providerHealthCheck }}"
             {{- end }}

diff --git a/manifest_staging/charts/secrets-store-csi-driver/values.yaml b/manifest_staging/charts/secrets-store-csi-driver/values.yaml
@@ -200,9 +200,6 @@ enableSecretRotation: false
 ## Secret rotation poll interval duration
 rotationPollInterval:
 
-## Filtered watch nodePublishSecretRef secrets
-filteredWatchSecret: true
-
 ## Provider HealthCheck
 providerHealthCheck: false
 

diff --git a/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml b/manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
@@ -58,7 +58,6 @@ spec:
             - "--metrics-addr=:8095"
             - "--enable-secret-rotation=false"
             - "--rotation-poll-interval=2m"
-            - "--filtered-watch-secret=true"
             - "--provider-health-check=false"
             - "--provider-health-check-interval=2m"
           env:

diff --git a/manifest_staging/deploy/secrets-store-csi-driver.yaml b/manifest_staging/deploy/secrets-store-csi-driver.yaml
@@ -58,7 +58,6 @@ spec:
             - "--metrics-addr=:8095"
             - "--enable-secret-rotation=false"
             - "--rotation-poll-interval=2m"
-            - "--filtered-watch-secret=true"
             - "--provider-health-check=false"
             - "--provider-health-check-interval=2m"
           env:

diff --git a/pkg/rotation/reconciler_test.go b/pkg/rotation/reconciler_test.go
@@ -480,12 +480,10 @@ func TestReconcileNoError(t *testing.T) {
 
 	tests := []struct {
 		name                            string
-		filteredWatchEnabled            bool
 		nodePublishSecretRefSecretToAdd *corev1.Secret
 	}{
 		{
-			name:                 "filtered watch for nodePublishSecretRef",
-			filteredWatchEnabled: true,
+			name: "filtered watch for nodePublishSecretRef",
 			nodePublishSecretRefSecretToAdd: &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "secret1",

diff --git a/test/bats/azure.bats b/test/bats/azure.bats
@@ -397,7 +397,6 @@ teardown_file() {
   archive_info || true
 
   #cleanup
-  run kubectl delete namespace non-filtered-watch
   run kubectl delete namespace rotation
   run kubectl delete namespace test-ns