Use credentials when calling ControllerModifyVolume

[nixpanic]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change

/kind bug

/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:

Storage providers expect to obtain secrets from the
ControllerMoodifyVolume CSI procedure. Without these credentials, it may
not be possible to apply the parameters of a VolumeAttributeClass.

A CSIPersistentVolumeSource does not have ControllerModifySecretRef
(like ControllerExpandSecretRef), so in order to resolve credentials a
secret reference from annotations on the PersistentVolume are used:

• volume.kubernetes.io/controller-modify-secret-name
• volume.kubernetes.io/controller-modify-secret-namespace

In absence of these annotations, the ControllerExpandSecretRef of the
CSIPersistentVolumeSource used as a fallback.

Which issue(s) this PR fixes:

Related to kubernetes-csi/external-provisioner#1440

Special notes for your reviewer:

Posting this for early review. @gadididi is implementing ControllerModifyVolume in Ceph-CSI and found out about the missing secrets the hard way.

Approach has been discussed in a thread at #csi.

/cc carlory gnufied

Does this PR introduce a user-facing change?:

A StorageClass can use `csi.storage.k8s.io/controller-modify-secret-name` and `csi.storage.k8s.io/controller-modify-secret-namespace` to reference the credentials that should be used to modify a volume according to the parameters of a VolumeAttributeClass. In absence of these credentials, the credentials of `controller-expand-secret`are used as a fallback.

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[nixpanic]

Container image for testing at quay.io/nixpanic/csi-resizer:pr544.

[carlory]

/cc @sunnylovestiramisu
Please have a look when it is ready for review.

[nixpanic]

@gnufied, this has been updated with the changes as discussed/proposed in the Slack #csi channel. kubernetes-csi/external-provisioner#1440 is the related change for the external-provisioner.

[Madhu-1]

LGTM

[gnufied]

nit: can we reuse the context from the caller please?

[nixpanic]

Added a context.TODO() in the top-level modify() call of the ModifyController and passing it all the way down.

Let me know if this wasn't what you were expecting, and I'll adjust it accordingly.

[nixpanic]

Tests fail with something during kind build node-image, looks like a generic issue in the CI at the moment.

[nixpanic]

/retest-required

[nixpanic]

/test pull-kubernetes-csi-external-resizer-1-34-on-kubernetes-1-34

[nixpanic]

@gnufied this one worked after #549 was merged.

[gnufied]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gnufied, Madhu-1, nixpanic

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [gnufied]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sunnylovestiramisu]

Do we need to patch to v2?

[nixpanic]

Do we need to patch to v2?

@sunnylovestiramisu, yes ideally we get a v2.1.0 release. PR kubernetes-csi/docs#631 is pending to document the feature with the new release.