Add secret reference in PV annotations for ControllerModifyVolume

The ControllerModifyVolume CSI procedure should be able to receive credentials if the storage provider requires them. The values of the following keys in the StorageClass are copied into annotations of the PersistentVolume: - csi.storage.k8s.io/controller-modify-secret-name > volume.kubernetes.io/controller-modify-secret-name - csi.storage.k8s.io/controller-modify-secret-namespace > volume.kubernetes.io/controller-modify-secret-namespace The external-resizer can use these annotations to resolve the secret that needs to be passed in ControllerModifyVolume.

Author: nixpanic

pkg/controller/controller.go

@@ -105,6 +105,9 @@ const (
 prefixedNodeExpandSecretNameKey = csiParameterPrefix + "node-expand-secret-name"
 prefixedNodeExpandSecretNamespaceKey = csiParameterPrefix + "node-expand-secret-namespace"
 
+prefixedControllerModifySecretNameKey = csiParameterPrefix + "controller-modify-secret-name"
+prefixedControllerModifySecretNamespaceKey = csiParameterPrefix + "controller-modify-secret-namespace"
+
 // [Deprecated] CSI Parameters that are put into fields but
 // NOT stripped from the parameters passed to CreateVolume
 provisionerSecretNameKey = "csiProvisionerSecretName"
@@ -148,6 +151,11 @@ const (
 annDeletionProvisionerSecretRefName = "volume.kubernetes.io/provisioner-deletion-secret-name"
 annDeletionProvisionerSecretRefNamespace = "volume.kubernetes.io/provisioner-deletion-secret-namespace"
 
+// Annotation for secret name and namespace will be added to the pv object
+// and used for ControllerModifyVolume procedures by the external-resizer
+annModifyControllerSecretRefName = "volume.kubernetes.io/controller-modify-secret-name"
+annModifyControllerSecretRefNamespace = "volume.kubernetes.io/controller-modify-secret-namespace"
+
 snapshotNotBound = "snapshot %s not bound"
 
 pvcCloneFinalizer = "provisioner.storage.kubernetes.io/cloning-protection"
@@ -205,6 +213,12 @@ var (
 secretNameKey: prefixedNodeExpandSecretNameKey,
 secretNamespaceKey: prefixedNodeExpandSecretNamespaceKey,
 }
+
+controllerModifySecretParams = secretParamsMap{
+name: "ControllerModify",
+secretNameKey: prefixedControllerModifySecretNameKey,
+secretNamespaceKey: prefixedControllerModifySecretNamespaceKey,
+}
 )
 
 // ProvisionerCSITranslator contains the set of CSI Translation functionality
@@ -540,7 +554,7 @@ func (p *csiProvisioner) getVolumeCapabilities(
 return volumeCaps, nil
 }
 
-type deletionSecretParams struct {
+type annotatedSecretParams struct {
 name string
 namespace string
 }
@@ -550,7 +564,8 @@ type prepareProvisionResult struct {
 migratedVolume bool
 req *csi.CreateVolumeRequest
 csiPVSource *v1.CSIPersistentVolumeSource
-provDeletionSecrets *deletionSecretParams
+provDeletionSecrets *annotatedSecretParams
+provModifySecrets *annotatedSecretParams
 }
 
 // prepareProvision does non-destructive parameter checking and preparations for provisioning a volume.
@@ -739,6 +754,10 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist
 if err != nil {
 return nil, controller.ProvisioningNoChange, err
 }
+controllerModifySecretRef, err := getSecretReference(controllerModifySecretParams, sc.Parameters, pvName, claim)
+if err != nil {
+return nil, controller.ProvisioningNoChange, err
+}
 csiPVSource := &v1.CSIPersistentVolumeSource{
 Driver: p.driverName,
 // VolumeHandle and VolumeAttributes will be added after provisioning.
@@ -760,13 +779,21 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist
 req.Parameters[pvcNamespaceKey] = claim.GetNamespace()
 req.Parameters[pvNameKey] = pvName
 }
-deletionAnnSecrets := new(deletionSecretParams)
 
+deletionAnnSecrets := new(annotatedSecretParams)
 if provisionerSecretRef != nil {
 deletionAnnSecrets.name = provisionerSecretRef.Name
 deletionAnnSecrets.namespace = provisionerSecretRef.Namespace
 }
 
+var modifyAnnSecrets *annotatedSecretParams
+if controllerModifySecretRef != nil {
+modifyAnnSecrets = &annotatedSecretParams{
+name: controllerModifySecretRef.Name,
+namespace: controllerModifySecretRef.Namespace,
+}
+}
+
 if vacName != "" {
 vac, err := p.client.StorageV1().VolumeAttributesClasses().Get(ctx, vacName, metav1.GetOptions{})
 if err != nil {
@@ -786,6 +813,7 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist
 req: &req,
 csiPVSource: csiPVSource,
 provDeletionSecrets: deletionAnnSecrets,
+provModifySecrets: modifyAnnSecrets,
 }, controller.ProvisioningNoChange, nil
 
 }
@@ -868,6 +896,7 @@ func (p *csiProvisioner) Provision(ctx context.Context, options controller.Provi
 klog.V(3).Infof("create volume rep: %+v", rep.Volume)
 }
 volumeAttributes := map[string]string{provisionerIDKey: p.identity}
+
 maps.Copy(volumeAttributes, rep.Volume.VolumeContext)
 respCap := rep.GetVolume().GetCapacityBytes()
 
@@ -943,6 +972,13 @@ func (p *csiProvisioner) Provision(ctx context.Context, options controller.Provi
 metav1.SetMetaDataAnnotation(&pv.ObjectMeta, annDeletionProvisionerSecretRefNamespace, "")
 }
 
+// Set annModifyControllerSecretRefName and namespace in PV object when modify secrets are configured.
+if result.provModifySecrets != nil {
+klog.V(5).Infof("createVolumeOperation: set annotation [%s/%s] on pv [%s].", annModifyControllerSecretRefNamespace, annModifyControllerSecretRefName, pv.Name)
+metav1.SetMetaDataAnnotation(&pv.ObjectMeta, annModifyControllerSecretRefName, result.provModifySecrets.name)
+metav1.SetMetaDataAnnotation(&pv.ObjectMeta, annModifyControllerSecretRefNamespace, result.provModifySecrets.namespace)
+}
+
 if options.StorageClass.ReclaimPolicy != nil {
 pv.Spec.PersistentVolumeReclaimPolicy = *options.StorageClass.ReclaimPolicy
 }
@@ -1030,6 +1066,8 @@ func removePrefixedParameters(param map[string]string) (map[string]string, error
 case prefixedDefaultSecretNamespaceKey:
 case prefixedNodeExpandSecretNameKey:
 case prefixedNodeExpandSecretNamespaceKey:
+case prefixedControllerModifySecretNameKey:
+case prefixedControllerModifySecretNamespaceKey:
 default:
 return map[string]string{}, fmt.Errorf("found unknown parameter key \"%s\" with reserved namespace %s", k, csiParameterPrefix)
 }

pkg/controller/controller_test.go

@@ -237,6 +237,8 @@ func TestStripPrefixedCSIParams(t *testing.T) {
 prefixedDefaultSecretNamespaceKey: "csiBar",
 prefixedNodeExpandSecretNameKey: "csiBar",
 prefixedNodeExpandSecretNamespaceKey: "csiBar",
+prefixedControllerModifySecretNameKey: "csiBar",
+prefixedControllerModifySecretNamespaceKey: "csiBar",
 },
 expectedParams: map[string]string{},
 },
@@ -926,6 +928,8 @@ func getDefaultStorageClassSecretParameters() map[string]string {
 prefixedProvisionerSecretNamespaceKey: defaultSecretNsName,
 prefixedNodeExpandSecretNameKey: "nodeexpandsecret",
 prefixedNodeExpandSecretNamespaceKey: defaultSecretNsName,
+prefixedControllerModifySecretNameKey: "ctrlmodifysecret",
+prefixedControllerModifySecretNamespaceKey: defaultSecretNsName,
 }
 }
 
@@ -1623,6 +1627,8 @@ func provisionTestcases() (int64, map[string]provisioningTestcase) {
 expectedPVSpec: &pvSpec{
 Name: "test-testi",
 Annotations: map[string]string{
+annModifyControllerSecretRefName: "ctrlmodifysecret",
+annModifyControllerSecretRefNamespace: defaultSecretNsName,
 annDeletionProvisionerSecretRefName: "provisionersecret",
 annDeletionProvisionerSecretRefNamespace: defaultSecretNsName,
 },
@@ -1682,6 +1688,8 @@ func provisionTestcases() (int64, map[string]provisioningTestcase) {
 expectedPVSpec: &pvSpec{
 Name: "test-testi",
 Annotations: map[string]string{
+annModifyControllerSecretRefName: "default-secret",
+annModifyControllerSecretRefNamespace: "default-ns",
 annDeletionProvisionerSecretRefName: "default-secret",
 annDeletionProvisionerSecretRefNamespace: "default-ns",
 },
@@ -1741,6 +1749,8 @@ func provisionTestcases() (int64, map[string]provisioningTestcase) {
 expectedPVSpec: &pvSpec{
 Name: "test-testi",
 Annotations: map[string]string{
+annModifyControllerSecretRefName: "my-pvc",
+annModifyControllerSecretRefNamespace: "default-ns",
 annDeletionProvisionerSecretRefName: "my-pvc",
 annDeletionProvisionerSecretRefNamespace: "default-ns",
 },