One new csi secret key that apply to all the CSI operations

[shay-berman]

According to k8s CSI spec, there are 2 ways to specify secrets for CSI plugin from the storage class:
option1 - to specify secret key per CSI operation (provisioner, controller-publish, snapshot, node-stage, node-publish...).

csi.storage.k8s.io/provisioner-secret-name: secret1
csi.storage.k8s.io/provisioner-secret-namespace: csi-plugin-namespace
csi.storage.k8s.io/controller-publish-secret-name: secret1
csi.storage.k8s.io/controller-publish-secret-namespace: csi-plugin-namespace
csi.storage.k8s.io/node-stage-secret-name: secret1
csi.storage.k8s.io/node-stage-secret-namespace: csi-plugin-namespace
csi.storage.k8s.io/node-publish-secret-name: secret1
csi.storage.k8s.io/node-publish-secret-namespace: csi-plugin-namespace

option2 - to specify secret per PV name by having ${pv.name} template.

But what if a CSI plugin requires the same credential fpr all the CSI operations?
So the user must specify many secret lines in each storage class object (5 secrets per operations + 5 namespace per operation * number of storage classes that uses the same backend).

So this issue is to propose another option(number 3) to simplify the user experience in case csi driver requires the same secret for all CSI operations.
So the secret key in the storage class can be called:
csi.storage.k8s.io/secret-name: SECRET
csi.storage.k8s.io/secret-namespace: NAMESPACE

Note: maybe we can distinguish secret for csi controller-ops vs csi node-ops, because I believe that usually the secrets for these operations are different, and maybe u don't even need secret for csi node ops at all.

[gnufied]

I think this could work. It might be considered less secure than per-sidecar secrets but if a admin wants to use same secret for all sidecards, why not. One problem is going to be to ensure that, same key is known to all sidecars.

cc @msau42 @liggitt

[msau42]

/kind feature

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

[k8s-ci-robot]

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.