ci: include publish-secret in StorageClass for NFS

The NFS node-plugin does not support staging, it only uses publishing.
For VolumeAttributeClass / ControllerModifyVolume the mutable parameters
are stored in the Ceph backend. This means that during volume publishing
the node-plugin needs to get the updated parameters from the Ceph
cluster (hence the publish secret requirement).

/tmp/csi has been added to the node-plugin Pod so that the temporary
credentials file can be written.

Signed-off-by: Niels de Vos <ndevos@ibm.com>

Author: nixpanic

deploy/nfs/kubernetes/csi-nfsplugin.yaml

@@ -73,6 +73,8 @@ spec:
               mountPath: /etc/ceph/
             - name: ceph-csi-config
               mountPath: /etc/ceph-csi-config/
+            - name: keys-tmp-dir
+              mountPath: /tmp/csi/keys
         - name: driver-registrar
           # This is necessary only for systems with SELinux, where
           # non-privileged sidecar containers cannot access unix domain socket
@@ -133,3 +135,7 @@ spec:
         - name: ceph-csi-config
           configMap:
             name: ceph-csi-config
+        - name: keys-tmp-dir
+          emptyDir: {
+            medium: "Memory"
+          }

e2e/nfs.go

@@ -178,8 +178,8 @@ func createNFSStorageClass(
 	sc.Parameters["csi.storage.k8s.io/controller-expand-secret-namespace"] = cephCSINamespace
 	sc.Parameters["csi.storage.k8s.io/controller-expand-secret-name"] = cephFSProvisionerSecretName
 
-	sc.Parameters["csi.storage.k8s.io/node-stage-secret-namespace"] = cephCSINamespace
-	sc.Parameters["csi.storage.k8s.io/node-stage-secret-name"] = cephFSNodePluginSecretName
+	sc.Parameters["csi.storage.k8s.io/node-publish-secret-namespace"] = cephCSINamespace
+	sc.Parameters["csi.storage.k8s.io/node-publish-secret-name"] = cephFSNodePluginSecretName
 
 	if enablePool {
 		sc.Parameters["pool"] = "myfs-replicated"

examples/nfs/storageclass.yaml

@@ -38,8 +38,11 @@ parameters:
   csi.storage.k8s.io/provisioner-secret-namespace: default
   csi.storage.k8s.io/controller-expand-secret-name: csi-cephfs-secret
   csi.storage.k8s.io/controller-expand-secret-namespace: default
-  csi.storage.k8s.io/node-stage-secret-name: csi-cephfs-secret
-  csi.storage.k8s.io/node-stage-secret-namespace: default
+  csi.storage.k8s.io/controller-modify-secret-name: csi-cephfs-secret
+  csi.storage.k8s.io/controller-modify-secret-namespace: default
+  # publish-secret is needed for parameters set by a VolumeAttributeClass
+  csi.storage.k8s.io/node-publish-secret-name: csi-cephfs-secret
+  csi.storage.k8s.io/node-publish-secret-namespace: default
 
   # (optional) Prefix to use for naming subvolumes.
   # If omitted, defaults to "csi-vol-".