Rotate only if enable-secret-rotation=true

Author: dargudear-google

cmd/secrets-store-csi-driver/main.go

@@ -57,8 +57,8 @@ var (
 	// https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/823.
 	additionalProviderPaths = flag.String("additional-provider-volume-paths", "/etc/kubernetes/secrets-store-csi-providers", "Comma separated list of additional paths to communicate with providers")
 	metricsAddr             = flag.String("metrics-addr", ":8095", "The address the metric endpoint binds to")
-	enableSecretRotation    = flag.Bool("enable-secret-rotation", false, "[Deprecated] 	Enable secret rotation feature [alpha]")
-	_                       = flag.Duration("rotation-poll-interval", 2*time.Minute, "[Deprecated] Secret rotation poll interval duration")
+	enableSecretRotation    = flag.Bool("enable-secret-rotation", false, "Enable secret rotation feature [alpha]")
+	rotationPollInterval    = flag.Duration("rotation-poll-interval", 2*time.Minute, "Secret rotation poll interval duration")
 	enableProfile           = flag.Bool("enable-pprof", false, "enable pprof profiling")
 	profilePort             = flag.Int("pprof-port", 6065, "port for pprof profiling")
 	maxCallRecvMsgSize      = flag.Int("max-call-recv-msg-size", 1024*1024*4, "maximum size in bytes of gRPC response from plugins")
@@ -200,12 +200,7 @@ func mainErr() error {
 		reconciler.RunPatcher(ctx)
 	}()
 
-	// Secret rotation
-	if *enableSecretRotation {
-		klog.Warning("--enable-secret-rotation and --rotation-poll-interval are deprecated, use RequiresRepublish instead.")
-	}
-
-	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader())
+	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader(), *enableSecretRotation, *rotationPollInterval)
 	driver.Run(ctx)
 
 	return nil

pkg/secrets-store/nodeserver.go

@@ -44,6 +44,7 @@ type nodeServer struct {
 	// This should be used sparingly and only when the client does not fit the use case.
 	reader          client.Reader
 	providerClients *PluginClientBuilder
+	rotationConfig  *RotationConfig
 }
 
 const (
@@ -73,6 +74,16 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	var targetPath string
 	var mounted bool
 	errorReason := internalerrors.FailedToMount
+	rotationEnabled := ns.rotationConfig.enabled
+
+	if ns.rotationConfig.enabled {
+		rotationEnabled = true
+		if ns.rotationConfig.nextRotationTime.After(startTime) {
+			klog.InfoS("Too soon !!!!, will rotate secret after", ns.rotationConfig.nextRotationTime)
+			return &csi.NodePublishVolumeResponse{}, nil
+		}
+		ns.rotationConfig.nextRotationTime = ns.rotationConfig.nextRotationTime.Add(ns.rotationConfig.interval)
+	}
 
 	defer func() {
 		if err != nil {
@@ -130,10 +141,10 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 			return nil, status.Errorf(codes.Internal, "failed to check if target path %s is mount point, err: %v", targetPath, err)
 		}
 	}
-	// if mounted {
-	// 	klog.InfoS("target path is already mounted", "targetPath", targetPath, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
-	// 	return &csi.NodePublishVolumeResponse{}, nil
-	// }
+	if !rotationEnabled && mounted {
+		klog.InfoS("target path is already mounted", "targetPath", targetPath, "pod", klog.ObjectRef{Namespace: podNamespace, Name: podName})
+		return &csi.NodePublishVolumeResponse{}, nil
+	}
 
 	klog.V(2).InfoS("node publish volume", "target", targetPath, "volumeId", volumeID, "mount flags", mountFlags)
 

pkg/secrets-store/nodeserver_test.go

@@ -37,7 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
-func testNodeServer(t *testing.T, client client.Client, reporter StatsReporter) (*nodeServer, error) {
+func testNodeServer(t *testing.T, client client.Client, reporter StatsReporter, rotationConfig *RotationConfig) (*nodeServer, error) {
 	t.Helper()
 
 	// Create a mock provider named "provider1".
@@ -53,7 +53,7 @@ func testNodeServer(t *testing.T, client client.Client, reporter StatsReporter)
 	t.Cleanup(server.Stop)
 
 	providerClients := NewPluginClientBuilder([]string{socketPath})
-	return newNodeServer("testnode", mount.NewFakeMounter([]mount.MountPoint{}), providerClients, client, client, reporter)
+	return newNodeServer("testnode", mount.NewFakeMounter([]mount.MountPoint{}), providerClients, client, client, reporter, rotationConfig)
 }
 
 func TestNodePublishVolume_Errors(t *testing.T) {
@@ -227,7 +227,7 @@ func TestNodePublishVolume_Errors(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			r := mocks.NewFakeReporter()
 
-			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).WithObjects(test.initObjects...).Build(), r)
+			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).WithObjects(test.initObjects...).Build(), r, &RotationConfig{})
 			if err != nil {
 				t.Fatalf("expected error to be nil, got: %+v", err)
 			}
@@ -338,7 +338,7 @@ func TestNodePublishVolume(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			r := mocks.NewFakeReporter()
 
-			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).WithObjects(test.initObjects...).Build(), r)
+			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).WithObjects(test.initObjects...).Build(), r, &RotationConfig{})
 			if err != nil {
 				t.Fatalf("expected error to be nil, got: %+v", err)
 			}
@@ -381,7 +381,7 @@ func TestNodeUnpublishVolume(t *testing.T) {
 	)
 
 	r := mocks.NewFakeReporter()
-	ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).Build(), r)
+	ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).Build(), r, &RotationConfig{})
 	if err != nil {
 		t.Fatalf("expected error to be nil, got: %+v", err)
 	}
@@ -460,7 +460,7 @@ func TestNodeUnpublishVolume_Error(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			r := mocks.NewFakeReporter()
-			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).Build(), r)
+			ns, err := testNodeServer(t, fake.NewClientBuilder().WithScheme(s).Build(), r, &RotationConfig{})
 			if err != nil {
 				t.Fatalf("expected error to be nil, got: %+v", err)
 			}

pkg/secrets-store/secrets-store.go

@@ -19,6 +19,7 @@ package secretsstore
 import (
 	"context"
 	"os"
+	"time"
 
 	"sigs.k8s.io/secrets-store-csi-driver/pkg/version"
 
@@ -37,18 +38,27 @@ type SecretsStore struct {
 	ids *identityServer
 }
 
+// RotationConfig stores the informarmation required to rotate the secrets.
+type RotationConfig struct {
+	enabled          bool
+	interval         time.Duration
+	nextRotationTime time.Time
+}
+
 func NewSecretsStoreDriver(driverName, nodeID, endpoint string,
 	providerClients *PluginClientBuilder,
 	client client.Client,
-	reader client.Reader) *SecretsStore {
+	reader client.Reader, rotationEnabled bool, interval time.Duration) *SecretsStore {
 	klog.InfoS("Initializing Secrets Store CSI Driver", "driver", driverName, "version", version.BuildVersion, "buildTime", version.BuildTime)
 
 	sr, err := NewStatsReporter()
 	if err != nil {
 		klog.ErrorS(err, "failed to initialize stats reporter")
 		os.Exit(1)
 	}
-	ns, err := newNodeServer(nodeID, mount.New(""), providerClients, client, reader, sr)
+
+	rc := NewRotationConfig(rotationEnabled, interval)
+	ns, err := newNodeServer(nodeID, mount.New(""), providerClients, client, reader, sr, rc)
 	if err != nil {
 		klog.ErrorS(err, "failed to initialize node server")
 		os.Exit(1)
@@ -67,17 +77,27 @@ func newNodeServer(nodeID string,
 	providerClients *PluginClientBuilder,
 	client client.Client,
 	reader client.Reader,
-	statsReporter StatsReporter) (*nodeServer, error) {
+	statsReporter StatsReporter,
+	rotationConfig *RotationConfig) (*nodeServer, error) {
 	return &nodeServer{
 		mounter:         mounter,
 		reporter:        statsReporter,
 		nodeID:          nodeID,
 		client:          client,
 		reader:          reader,
 		providerClients: providerClients,
+		rotationConfig:  rotationConfig,
 	}, nil
 }
 
+func NewRotationConfig(enabled bool, interval time.Duration) *RotationConfig {
+	return &RotationConfig{
+		enabled:          enabled,
+		interval:         interval,
+		nextRotationTime: time.Now(),
+	}
+}
+
 // Run starts the CSI plugin
 func (s *SecretsStore) Run(ctx context.Context) {
 	server := NewNonBlockingGRPCServer()

test/sanity/sanity_test.go

@@ -36,7 +36,7 @@ const (
 )
 
 func TestSanity(t *testing.T) {
-	driver := secretsstore.NewSecretsStoreDriver("secrets-store.csi.k8s.io", "somenodeid", endpoint, nil, nil, nil)
+	driver := secretsstore.NewSecretsStoreDriver("secrets-store.csi.k8s.io", "somenodeid", endpoint, nil, nil, nil, false, time.Minute)
 	go func() {
 		driver.Run(context.Background())
 	}()