Add VolumeID to Mount request

Signed-off-by: Micah Hausler <[email protected]>

Author: micahhausler

docs/book/src/providers.md

@@ -35,6 +35,18 @@ The driver uses gRPC to communicate with the provider. To implement a secrets-st
 
 See [design doc](https://docs.google.com/document/d/10-RHUJGM0oMN88AZNxjOmGz0NsWAvOYrWUEV-FbLWyw/edit?usp=sharing) for more details.
 
+The `MountRequest` message structure includes several additional keys in the `Attributes` field that a provider can use when retrieving a secret. Keys beginning with `csi.storage.k8s.io` are [passed through from the Kubelet](https://kubernetes-csi.github.io/docs/pod-info.html?highlight=pod.name#pod-info-on-mount-with-csi-driver-object) if `podInfoOnMount` is `true` on the CSI driver.
+
+| Attribute Key | Description |
+| --- | ---- |
+| `csi.storage.k8s.io/pod-name` | Pod name |
+| `csi.storage.k8s.io/pod.namespace` | Pod namespace  |
+| `csi.storage.k8s.io/pod.uid` | Pod UID |
+| `csi.storage.k8s.io/serviceAccount.name` | The Pod's ServiceAccount name |
+| `csi.storage.k8s.io/serviceAccount.tokens` | A JSON structure serialized to a string containing service account tokens belonging to a pod [when a CSI driver has `tokenRequests` configured](https://kubernetes-csi.github.io/docs/token-requests.html).  |
+| `secrets-store-csi-driver.sigs.k8s.io/volume.id` | The CSI Volume's ID from the `NodePublishVolumeRequest` call. This may be useful as a cache key if using Service Account tokens to fetch secrets. |
+
+
 ## Features supported by current providers
 
 | Features \ Providers      | Azure | GCP | AWS | Vault | Akeyless | Conjur |

pkg/secrets-store/nodeserver.go

@@ -65,6 +65,8 @@ const (
 	// CSIPodServiceAccountTokens is the service account tokens of the pod that the mount is created for
 	CSIPodServiceAccountTokens = "csi.storage.k8s.io/serviceAccount.tokens" //nolint
 
+	SecretStoreVolumeID = "secrets-store-csi-driver.sigs.k8s.io/volume.id"
+
 	secretProviderClassField = "secretProviderClass"
 )
 
@@ -181,6 +183,8 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	for k, v := range attrib {
 		parameters[k] = v
 	}
+	// Add the volume ID to the parameters
+	parameters[SecretStoreVolumeID] = volumeID
 	// csi.storage.k8s.io/serviceAccount.tokens is empty for Kubernetes version < 1.20.
 	// For 1.20+, if tokenRequests is set in the CSI driver spec, kubelet will generate
 	// a token for the pod and send it to the CSI driver.

test/e2eprovider/server/server.go

@@ -50,7 +50,7 @@ This is mock key
 
 	podUIDAttribute               = "csi.storage.k8s.io/pod.uid"
 	serviceAccountTokensAttribute = "csi.storage.k8s.io/serviceAccount.tokens" //nolint
-
+	secretStoreVolumeID           = "secrets-store-csi-driver.sigs.k8s.io/volume.id"
 	// RWMutex is to safely access podCache
 	m sync.RWMutex
 )
@@ -186,6 +186,10 @@ func (s *Server) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alph
 		}
 	}
 
+	if err := validateVolumeIDAttr(attrib); err != nil {
+		return nil, fmt.Errorf("failed to validate volume ID, error: %w", err)
+	}
+
 	m.Lock()
 	podCache[attrib[podUIDAttribute]] = true
 	m.Unlock()
@@ -266,3 +270,14 @@ func validateTokens(tokenAudiences, saTokens string) error {
 	}
 	return nil
 }
+
+func validateVolumeIDAttr(attributes map[string]string) error {
+	volumeID, ok := attributes[secretStoreVolumeID]
+	if !ok {
+		return fmt.Errorf("volume ID is not set")
+	}
+	if volumeID == "" {
+		return fmt.Errorf("volume ID is empty")
+	}
+	return nil
+}