Merge remote-tracking branch 'origin/main' into VAULT-40343/instant-updates-database-secrets

Author: jaireddjawed

.github/dependabot.yaml

@@ -10,7 +10,7 @@ updates:
   - package-ecosystem: "gomod"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
     groups:
       gomod-breaking:
         update-types:
@@ -22,7 +22,7 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
+      interval: "daily"
     # Disable version updates and only check security updates for github
     # actions, since we can't bump the versions until they're on our allow-list
     open-pull-requests-limit: 0

.github/workflows/build.yaml

@@ -122,7 +122,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64"]
+        arch: ["arm64", "amd64", "s390x"]
       fail-fast: true
     steps:
       - name: Checkout
@@ -164,7 +164,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64"]
+        arch: ["arm64", "amd64", "s390x"]
     env:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
@@ -207,7 +207,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        arch: ["arm64", "amd64"]
+        arch: ["arm64", "amd64", "s390x"]
     env:
       repo: ${{github.event.repository.name}}
       version: ${{needs.get-product-version.outputs.product-version}}
@@ -227,6 +227,7 @@ jobs:
           version: ${{env.version}}
           target: release-ubi
           arch: ${{matrix.arch}}
+          redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
           tags: |
             docker.io/hashicorp/${{env.repo}}:${{env.image_tag}}
             public.ecr.aws/hashicorp/${{env.repo}}:${{env.image_tag}}
@@ -243,51 +244,6 @@ jobs:
             exit 1
           fi
 
-  build-docker-ubi-redhat:
-    name: UBI ${{ matrix.arch }} RedHat build
-    needs:
-      - get-product-version
-      - build-pre-checks
-      - build
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        # Building only amd64 for the RedHat registry for now
-        arch: ["amd64"]
-    env:
-      repo: ${{github.event.repository.name}}
-      version: ${{needs.get-product-version.outputs.product-version}}
-      image_tag: ${{needs.get-product-version.outputs.product-version}}-ubi
-    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Setup scripts directory
-        shell: bash
-        run: |
-          make ci-build-scripts-dir GOARCH="${{ matrix.arch }}"
-      - name: Docker Build (Action)
-        uses: hashicorp/actions-docker-build@v2
-        env:
-          VERSION: ${{ needs.get-product-version.outputs.product-version }}
-          GO_VERSION: ${{ needs.build-pre-checks.outputs.go-version }}
-        with:
-          version: ${{env.version}}
-          target: release-ubi-redhat
-          arch: ${{matrix.arch}}
-          # The quay id here corresponds to the project id on RedHat's portal
-          redhat_tag: quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}}
-
-      - name: Check binary version in container
-        shell: bash
-        run: |
-          version_output=$(docker run quay.io/redhat-isv-containers/64b072322e2773c28d30d988:${{env.image_tag}} --version --output=json)
-          echo $version_output
-          git_version=$(echo $version_output | jq -r .gitVersion)
-
-          if [ "$git_version" != "${{ env.version }}" ]; then
-            echo "$gitVersion expected to be ${{ env.version }}"
-            exit 1
-          fi
-
   chart-upgrade-tests:
     runs-on: ubuntu-latest
     needs:
@@ -312,6 +268,7 @@ jobs:
         - "0.9.1"
         - "0.10.0"
         - "1.0.0"
+        - "1.0.1"
     steps:
       - uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
         with:
@@ -475,7 +432,6 @@ jobs:
       - build
       - build-docker
       - build-docker-ubi
-      - build-docker-ubi-redhat
       - chart-upgrade-tests
       - unit-tests
       - latest-vault

.release/vault-secrets-operator-artifacts.hcl

@@ -6,12 +6,17 @@ artifacts {
   zip = [
     "vault-secrets-operator_${version}_linux_amd64.zip",
     "vault-secrets-operator_${version}_linux_arm64.zip",
+    "vault-secrets-operator_${version}_linux_s390x.zip",
   ]
   container = [
     "vault-secrets-operator_release-default_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-default_linux_arm64_${version}_${commit_sha}.docker.tar",
-    "vault-secrets-operator_release-ubi-redhat_linux_amd64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-default_linux_s390x_${version}_${commit_sha}.docker.tar",
+    "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.redhat.tar",
+    "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.redhat.tar",
     "vault-secrets-operator_release-ubi_linux_amd64_${version}_${commit_sha}.docker.tar",
     "vault-secrets-operator_release-ubi_linux_arm64_${version}_${commit_sha}.docker.tar",
+    "vault-secrets-operator_release-ubi_linux_s390x_${version}_${commit_sha}.docker.tar",
   ]
 }

chart/templates/_helpers.tpl

@@ -482,3 +482,18 @@ topologySpreadConstraints appends the "vso.chart.selectorLabels" to .Values.cont
 {{- end -}}
 {{- toYaml $out -}}
 {{- end -}}
+
+{{/*
+vso.privileged.securityContext extends the given securithContext to always
+include privileged: true
+*/}}
+{{- define "vso.privileged.securityContext" -}}
+{{- $sc := dict -}}
+{{- with . -}}
+{{- range $k, $v := . -}}
+{{- $_ := set $sc $k $v -}}
+{{- end -}}
+{{- end -}}
+{{- $_ := set $sc "privileged" "true" -}}
+{{- toYaml $sc -}}
+{{- end -}}

chart/templates/csi-driver.yaml

@@ -61,10 +61,12 @@ spec:
       annotations:
       {{- include "vso.csi.annotations" . | nindent 8 }}
     spec:
+      securityContext:
+      {{- include "vso.privileged.securityContext" .Values.csi.securityContext | nindent 8 }}
       serviceAccountName: {{ include "vso.chart.fullname" . }}-csi
       {{- with .Values.csi.hostAliases }}
       hostAliases:
-      {{- toYaml . | nindent 8 }}
+      {{ toYaml . | nindent 8 }}
       {{- end }}
       {{- if .Values.csi.affinity }}
       affinity:
@@ -131,7 +133,7 @@ spec:
         {{- end }}
         imagePullPolicy: {{ .Values.csi.driver.image.pullPolicy }}
         securityContext:
-          privileged: true
+        {{- include "vso.privileged.securityContext" .Values.csi.driver.securityContext | nindent 10 }}
         livenessProbe:
             failureThreshold: 5
             httpGet:

chart/values.yaml

@@ -928,6 +928,12 @@ csi:
   # @type: boolean
   enabled: false
 
+  # Configures the Pod level security context
+  # https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+  #
+  # Note: the driver container security context can be configured below.
+  securityContext: {}
+
   # Host Aliases settings for the `vault-secrets-operator-csi` pods as
   # an array of PodSpec HostAlias maps.
   # ref: https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/
@@ -1006,6 +1012,16 @@ csi:
   annotations: {}
 
   driver:
+    # Configures the driver container's security context
+    # https://kubernetes.io/docs/tasks/configure-pod-container/security-context
+    #
+    # Note: the Pod level security can also be configured above.
+    #
+    # Note: when deploying to an OpenShift cluster you should set:
+    #   privileged: true
+    #
+    securityContext: {}
+
     # Image information for the CSI driver.
     # ref: https://kubernetes.io/docs/concepts/containers/images/
     image:

config/manifests/bases/vault-secrets-operator.clusterserviceversion.yaml

@@ -72,6 +72,11 @@ metadata:
     features.operators.openshift.io/token-auth-gcp: "false"
     repository: https://github.com/hashicorp/vault-secrets-operator
     support: HashiCorp
+  labels:
+    operatorframework.io/arch.amd64: supported
+    operatorframework.io/arch.arm64: supported
+    operatorframework.io/arch.s390x: supported
+    operatorframework.io/os.linux: supported
   name: vault-secrets-operator.v0.0.0-dev
   namespace: placeholder
 spec:

go.mod

@@ -25,10 +25,10 @@ require (
 	github.com/argoproj/argo-rollouts v1.8.3
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/go-logr/logr v1.4.3
-	github.com/go-openapi/runtime v0.29.1
+	github.com/go-openapi/runtime v0.29.2
 	github.com/go-openapi/strfmt v0.25.0
 	github.com/google/uuid v1.6.0
-	github.com/gruntwork-io/terratest v0.52.0
+	github.com/gruntwork-io/terratest v0.54.0
 	github.com/hashicorp/go-hclog v1.6.3
 	github.com/hashicorp/go-rootcerts v1.0.2
 	github.com/hashicorp/go-secure-stdlib/awsutil v0.3.0
@@ -43,13 +43,13 @@ require (
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/client_model v0.6.2
 	github.com/stretchr/testify v1.11.1
-	golang.org/x/crypto v0.43.0
-	google.golang.org/api v0.255.0
+	golang.org/x/crypto v0.45.0
+	google.golang.org/api v0.256.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.34.1
-	k8s.io/apiextensions-apiserver v0.34.1
-	k8s.io/apimachinery v0.34.1
-	k8s.io/client-go v0.34.1
+	k8s.io/api v0.34.2
+	k8s.io/apiextensions-apiserver v0.34.2
+	k8s.io/apimachinery v0.34.2
+	k8s.io/client-go v0.34.2
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
 	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/yaml v1.6.0
@@ -114,10 +114,11 @@ require (
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.38.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.28.0 // indirect
-	golang.org/x/tools v0.37.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
@@ -158,7 +159,7 @@ require (
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
 	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gruntwork-io/go-commons v0.8.0 // indirect
@@ -221,15 +222,15 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/net v0.46.0 // indirect
-	golang.org/x/oauth2 v0.32.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.37.0 // indirect
-	golang.org/x/term v0.36.0 // indirect
-	golang.org/x/text v0.30.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20251029180050-ab9386a59fda // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251103181224-f26f9409b101 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect