Use in secret rotation

Author: dargudear-google

cmd/secrets-store-csi-driver/main.go

@@ -27,9 +27,7 @@ import (
 
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 	"sigs.k8s.io/secrets-store-csi-driver/controllers"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/metrics"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/rotation"
 	secretsstore "sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/version"
 
@@ -39,7 +37,6 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/client-go/kubernetes"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
@@ -60,8 +57,8 @@ var (
 	// https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/823.
 	additionalProviderPaths = flag.String("additional-provider-volume-paths", "/etc/kubernetes/secrets-store-csi-providers", "Comma separated list of additional paths to communicate with providers")
 	metricsAddr             = flag.String("metrics-addr", ":8095", "The address the metric endpoint binds to")
-	enableSecretRotation    = flag.Bool("enable-secret-rotation", false, "Enable secret rotation feature [alpha]")
-	rotationPollInterval    = flag.Duration("rotation-poll-interval", 2*time.Minute, "Secret rotation poll interval duration")
+	enableSecretRotation    = flag.Bool("enable-secret-rotation", false, "[Deprecated] 	Enable secret rotation feature [alpha]")
+	_                       = flag.Duration("rotation-poll-interval", 2*time.Minute, "[Deprecated] Secret rotation poll interval duration")
 	enableProfile           = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort             = flag.Int("pprof-port", 6065, "port for pprof profiling")
 	maxCallRecvMsgSize      = flag.Int("max-call-recv-msg-size", 1024*1024*4, "maximum size in bytes of gRPC response from plugins")
@@ -203,26 +200,12 @@ func mainErr() error {
 		reconciler.RunPatcher(ctx)
 	}()
 
-	// token request client
-	kubeClient := kubernetes.NewForConfigOrDie(cfg)
-	tokenClient := k8s.NewTokenClient(kubeClient, *driverName, 10*time.Minute)
-
-	if err = tokenClient.Run(ctx.Done()); err != nil {
-		klog.ErrorS(err, "failed to run token client")
-		return err
-	}
-
 	// Secret rotation
 	if *enableSecretRotation {
-		rec, err := rotation.NewReconciler(*driverName, mgr.GetCache(), scheme, *rotationPollInterval, providerClients, tokenClient)
-		if err != nil {
-			klog.ErrorS(err, "failed to initialize rotation reconciler")
-			return err
-		}
-		go rec.Run(ctx.Done())
+		klog.Warning("--enable-secret-rotation and --rotation-poll-interval are deprecated, use RequiresRepublish instead.")
 	}
 
-	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader(), tokenClient)
+	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader())
 	driver.Run(ctx)
 
 	return nil

deploy/csidriver.yaml

@@ -7,3 +7,4 @@ spec:
   attachRequired: false
   volumeLifecycleModes:
   - Ephemeral
+  requiresRepublish: true

pkg/rotation/reconciler.go

@@ -93,8 +93,7 @@ func NewReconciler(driverName string,
 	client client.Reader,
 	s *runtime.Scheme,
 	rotationPollInterval time.Duration,
-	providerClients *secretsstore.PluginClientBuilder,
-	tokenClient *k8s.TokenClient) (*Reconciler, error) {
+	providerClients *secretsstore.PluginClientBuilder) (*Reconciler, error) {
 	config, err := buildConfig()
 	if err != nil {
 		return nil, err
@@ -105,7 +104,7 @@ func NewReconciler(driverName string,
 	eventBroadcaster := record.NewBroadcaster()
 	eventBroadcaster.StartRecordingToSink(&clientcorev1.EventSinkImpl{Interface: kubeClient.CoreV1().Events("")})
 	recorder := eventBroadcaster.NewRecorder(s, corev1.EventSource{Component: "csi-secrets-store-rotation"})
-	secretStore, err := k8s.New(kubeClient, 5*time.Second)
+	secretStore, err := k8s.New(kubeClient, 5*time.Minute)
 	if err != nil {
 		return nil, err
 	}
@@ -125,7 +124,6 @@ func NewReconciler(driverName string,
 		// cache store Pod,
 		cache:       client,
 		secretStore: secretStore,
-		tokenClient: tokenClient,
 
 		driverName: driverName,
 	}, nil

pkg/secrets-store/nodeserver.go

@@ -26,13 +26,10 @@ import (
 	"time"
 
 	internalerrors "sigs.k8s.io/secrets-store-csi-driver/pkg/errors"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/util/fileutil"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
 	mount "k8s.io/mount-utils"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -47,7 +44,6 @@ type nodeServer struct {
 	// This should be used sparingly and only when the client does not fit the use case.
 	reader          client.Reader
 	providerClients *PluginClientBuilder
-	tokenClient     *k8s.TokenClient
 }
 
 const (
@@ -73,7 +69,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	startTime := time.Now()
 	var parameters map[string]string
 	var providerName string
-	var podName, podNamespace, podUID, serviceAccountName string
+	var podName, podNamespace, podUID string
 	var targetPath string
 	var mounted bool
 	errorReason := internalerrors.FailedToMount
@@ -120,7 +116,6 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	podName = attrib[CSIPodName]
 	podNamespace = attrib[CSIPodNamespace]
 	podUID = attrib[CSIPodUID]
-	serviceAccountName = attrib[CSIPodServiceAccountName]
 
 	mounted, err = ns.ensureMountPoint(targetPath)
 	if err != nil {
@@ -135,10 +130,10 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 			return nil, status.Errorf(codes.Internal, "failed to check if target path %s is mount point, err: %v", targetPath, err)
 		}
 	}
-	if mounted {
-		klog.InfoS("target path is already mounted", "targetPath", targetPath, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
-		return &csi.NodePublishVolumeResponse{}, nil
-	}
+	// if mounted {
+	// 	klog.InfoS("target path is already mounted", "targetPath", targetPath, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
+	// 	return &csi.NodePublishVolumeResponse{}, nil
+	// }
 
 	klog.V(2).InfoS("node publish volume", "target", targetPath, "volumeId", volumeID, "mount flags", mountFlags)
 
@@ -190,14 +185,8 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	// and send it to the provider in the parameters.
 	if parameters[CSIPodServiceAccountTokens] == "" {
 		// Inject pod service account token into volume attributes
-		serviceAccountTokenAttrs, err := ns.tokenClient.PodServiceAccountTokenAttrs(podNamespace, podName, serviceAccountName, types.UID(podUID))
-		if err != nil {
-			klog.ErrorS(err, "failed to get service account token attrs", "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
-			return nil, err
-		}
-		for k, v := range serviceAccountTokenAttrs {
-			parameters[k] = v
-		}
+		klog.Error("csi.storage.k8s.io/serviceAccount.tokens is not populated, set RequiresRepublish")
+
 	}
 
 	// ensure it's read-only
@@ -296,13 +285,6 @@ func (ns *nodeServer) NodeUnpublishVolume(ctx context.Context, req *csi.NodeUnpu
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
-	podUID := fileutil.GetPodUIDFromTargetPath(targetPath)
-	if podUID != "" {
-		// delete service account token from cache as the pod is deleted
-		// to ensure the cache isn't growing indefinitely
-		ns.tokenClient.DeleteServiceAccountToken(types.UID(podUID))
-	}
-
 	klog.InfoS("node unpublish volume complete", "targetPath", targetPath, "time", time.Since(startTime))
 	return &csi.NodeUnpublishVolumeResponse{}, nil
 }

pkg/secrets-store/nodeserver_test.go

@@ -21,10 +21,8 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
-	"time"
 
 	secretsstorev1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/secrets-store/mocks"
 	providerfake "sigs.k8s.io/secrets-store-csi-driver/provider/fake"
 
@@ -33,7 +31,6 @@ import (
 	"google.golang.org/grpc/status"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	fakeclient "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/kubernetes/scheme"
 	mount "k8s.io/mount-utils"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -56,7 +53,7 @@ func testNodeServer(t *testing.T, client client.Client, reporter StatsReporter)
 	t.Cleanup(server.Stop)
 
 	providerClients := NewPluginClientBuilder([]string{socketPath})
-	return newNodeServer("testnode", mount.NewFakeMounter([]mount.MountPoint{}), providerClients, client, client, reporter, k8s.NewTokenClient(fakeclient.NewSimpleClientset(), "test-driver", 1*time.Second))
+	return newNodeServer("testnode", mount.NewFakeMounter([]mount.MountPoint{}), providerClients, client, client, reporter)
 }
 
 func TestNodePublishVolume_Errors(t *testing.T) {

pkg/secrets-store/secrets-store.go

@@ -20,7 +20,6 @@ import (
 	"context"
 	"os"
 
-	"sigs.k8s.io/secrets-store-csi-driver/pkg/k8s"
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/version"
 
 	"k8s.io/klog/v2"
@@ -41,16 +40,15 @@ type SecretsStore struct {
 func NewSecretsStoreDriver(driverName, nodeID, endpoint string,
 	providerClients *PluginClientBuilder,
 	client client.Client,
-	reader client.Reader,
-	tokenClient *k8s.TokenClient) *SecretsStore {
+	reader client.Reader) *SecretsStore {
 	klog.InfoS("Initializing Secrets Store CSI Driver", "driver", driverName, "version", version.BuildVersion, "buildTime", version.BuildTime)
 
 	sr, err := NewStatsReporter()
 	if err != nil {
 		klog.ErrorS(err, "failed to initialize stats reporter")
 		os.Exit(1)
 	}
-	ns, err := newNodeServer(nodeID, mount.New(""), providerClients, client, reader, sr, tokenClient)
+	ns, err := newNodeServer(nodeID, mount.New(""), providerClients, client, reader, sr)
 	if err != nil {
 		klog.ErrorS(err, "failed to initialize node server")
 		os.Exit(1)
@@ -69,16 +67,14 @@ func newNodeServer(nodeID string,
 	providerClients *PluginClientBuilder,
 	client client.Client,
 	reader client.Reader,
-	statsReporter StatsReporter,
-	tokenClient *k8s.TokenClient) (*nodeServer, error) {
+	statsReporter StatsReporter) (*nodeServer, error) {
 	return &nodeServer{
 		mounter:         mounter,
 		reporter:        statsReporter,
 		nodeID:          nodeID,
 		client:          client,
 		reader:          reader,
 		providerClients: providerClients,
-		tokenClient:     tokenClient,
 	}, nil
 }
 

test/sanity/sanity_test.go

@@ -36,7 +36,7 @@ const (
 )
 
 func TestSanity(t *testing.T) {
-	driver := secretsstore.NewSecretsStoreDriver("secrets-store.csi.k8s.io", "somenodeid", endpoint, nil, nil, nil, nil)
+	driver := secretsstore.NewSecretsStoreDriver("secrets-store.csi.k8s.io", "somenodeid", endpoint, nil, nil, nil)
 	go func() {
 		driver.Run(context.Background())
 	}()