Merge pull request #746 from GunaKKIBM/Mount-secret

k8s-ci-robot · web-flow · commit 7838d8425929 · 2024-09-27T01:56:02.000+01:00
Mounting secret - reading credentials from file
diff --git a/deploy/kubernetes/base/controller.yaml b/deploy/kubernetes/base/controller.yaml
@@ -41,13 +41,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            - name: IBMCLOUD_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: ibm-secret
-                  key: IBMCLOUD_API_KEY
-                  optional: true
+            - name: API_KEY_PATH
+              value: /etc/secrets/IBMCLOUD_API_KEY
           volumeMounts:
+            - name: ibm-secret
+              mountPath: /etc/secrets
+              readOnly: true
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
           ports:
@@ -65,6 +64,9 @@ spec:
         - name: node-update-controller
           image: registry.k8s.io/cloud-provider-ibm/ibm-powervs-block-csi-driver:main
           command: ["/node-update-controller"]
+          env:
+            - name: API_KEY_PATH
+              value: /etc/secrets/IBMCLOUD_API_KEY
           ports:
             - name: metrics
               containerPort: 8081
@@ -80,13 +82,10 @@ spec:
             initialDelaySeconds: 5
             timeoutSeconds: 10
             periodSeconds: 30
-          env:
-            - name: IBMCLOUD_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: ibm-secret
-                  key: IBMCLOUD_API_KEY
-                  optional: true
+          volumeMounts:
+            - name: ibm-secret
+              mountPath: /etc/secrets
+              readOnly: true
         - name: csi-provisioner
           image: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
           args:
@@ -136,3 +135,6 @@ spec:
       volumes:
         - name: socket-dir
           emptyDir: {}
+        - name: ibm-secret
+          secret:
+            secretName: ibm-secret
diff --git a/deploy/kubernetes/base/node.yaml b/deploy/kubernetes/base/node.yaml
@@ -45,12 +45,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
-            - name: IBMCLOUD_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: ibm-secret
-                  key: IBMCLOUD_API_KEY
+            - name: API_KEY_PATH
+              value: /etc/secrets/IBMCLOUD_API_KEY
           volumeMounts:
+            - name: ibm-secret
+              mountPath: /etc/secrets
+              readOnly: true
             - name: kubelet-dir
               mountPath: /var/lib/kubelet
               mountPropagation: "Bidirectional"
@@ -120,3 +120,6 @@ spec:
           hostPath:
             path: /sys
             type: Directory
+        - name: ibm-secret
+          secret:
+            secretName: ibm-secret
diff --git a/pkg/cloud/powervs.go b/pkg/cloud/powervs.go
@@ -30,6 +30,7 @@ import (
 	"github.com/IBM/platform-services-go-sdk/resourcecontrollerv2"
 	"github.com/davecgh/go-spew/spew"
 	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
 
 	"sigs.k8s.io/ibm-powervs-block-csi-driver/pkg/util"
@@ -60,7 +61,10 @@ func NewPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) {
 }
 
 func newPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) {
-	apikey := os.Getenv("IBMCLOUD_API_KEY")
+	apikey, err := readCredentials()
+	if err != nil {
+		return nil, err
+	}
 
 	authenticator := &core.IamAuthenticator{ApiKey: apikey, URL: os.Getenv("IBMCLOUD_IAM_API_ENDPOINT")}
 
@@ -252,3 +256,35 @@ func (p *powerVSCloud) GetDiskByID(volumeID string) (disk *Disk, err error) {
 		CapacityGiB: int64(*v.Size),
 	}, nil
 }
+
+func readCredentials() (string, error) {
+	apiKey, err := readCredentialsFromFile()
+	if err != nil {
+		return "", err
+	}
+	if apiKey != "" {
+		return apiKey, nil
+	}
+
+	klog.Info("Falling back to read IBMCLOUD_API_KEY environment variable for the key")
+	apiKey = os.Getenv("IBMCLOUD_API_KEY")
+	if apiKey == "" {
+		return "", fmt.Errorf("IBMCLOUD_API_KEY is not provided")
+	}
+
+	return apiKey, nil
+}
+
+func readCredentialsFromFile() (string, error) {
+	apiKeyPath := os.Getenv("API_KEY_PATH")
+	if apiKeyPath == "" {
+		klog.Warning("API_KEY_PATH is undefined")
+		return "", nil
+	}
+
+	byteData, err := os.ReadFile(apiKeyPath)
+	if err != nil {
+		return "", fmt.Errorf("error reading apikey: %v", err)
+	}
+	return string(byteData), nil
+}
