
Commit 7387c5a

committed
Use credentials when calling ControllerModifyVolume
Storage providers expect to obtain secrets from the ControllerModifyVolume CSI procedure. Without these credentials, it may not be possible to apply the parameters of a VolumeAttributeClass. A CSIPersistentVolumeSource does not have a ControllerModifySecretRef field (like ControllerExpandSecretRef). This workaround uses the parameters to resolve the secrets itself.
1 parent cba05cb commit 7387c5a


1 file changed

+29
-3
lines changed


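--- a/pkg/modifier/csi_modifier.go
+++ b/pkg/modifier/csi_modifier.go
@@ -24,6 +24,7 @@ import (
 
 "github.com/kubernetes-csi/external-resizer/pkg/csi"
 v1 "k8s.io/api/core/v1"
+metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/informers"
 "k8s.io/client-go/kubernetes"
 )
@@ -81,18 +82,43 @@ func (r *csiModifier) Modify(pv *v1.PersistentVolume, mutableParameters map[stri
 return errors.New("empty volume handle")
 }
 
-var secrets map[string]string
+secrets, err := r.getModifyCredentials(source.VolumeAttributes)
+if err != nil {
+return err
+}
 
 ctx, cancel := timeoutCtx(r.timeout)
-
 defer cancel()
-err := r.client.Modify(ctx, volumeID, secrets, mutableParameters)
+
+err = r.client.Modify(ctx, volumeID, secrets, mutableParameters)
 if err != nil {
 return err
 }
+
 return nil
 }
 
+// getModifyCredentials fetches the credential from the referenced secret in the VolumeAtttributes. A
+// CSIPersistentVolumeSource does not have ControllerModifySecretRef (like ControllerExpandSecretRef).
+func (r *csiModifier) getModifyCredentials(attrs map[string]string) (map[string]string, error) {
+secretName := attrs["csi.storage.k8s.io/controller-modify-secret-name"]
+secretNamespace := attrs["csi.storage.k8s.io/controller-modify-secret-namespace"]
+if secretNamespace == "" && secretName == "" {
+return nil, nil
+}
+
+secret, err := r.k8sClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
+if err != nil {
+return nil, fmt.Errorf("error getting secret %s in namespace %s: %v", secretName, secretNamespace, err)
+}
+
+credentials := map[string]string{}
+for key, value := range secret.Data {
+credentials[key] = string(value)
+}
+return credentials, nil
+}
+
 func supportsControllerModify(client csi.Client, timeout time.Duration) (bool, error) {
 ctx, cancel := timeoutCtx(timeout)
 defer cancel()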
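Review bot: In `getModifyCredentials` the guard `if secretNamespace == "" && secretName == ""` skips the lookup only when both attributes are absent, so a half-specified reference (a name without a namespace, or the reverse) falls through to `Secrets(secretNamespace).Get(...)` with an empty argument instead of being rejected. I would keep the both-empty `return nil, nil` and add right after it `if secretName == "" || secretNamespace == "" { return nil, fmt.Errorf("incomplete controller-modify secret reference: name %q, namespace %q", secretName, secretNamespace) }`. Both values are taken unvalidated from `source.VolumeAttributes`, so the sidecar's service account reads whichever secret the PV names and passes all of its keys to the driver; the doc comment should state who is trusted to set these attributes, and the sidecar's RBAC on secrets should presumably be scoped to match. The lookup also runs under `context.TODO()` before `timeoutCtx(r.timeout)` is created, so it is not bounded by the modifier's timeout; creating `ctx` first and passing it in would fix that. `Modify` begins above the hunk, so how `source` is populated is not visible here.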
