[cinder-csi-plugin] node server should not use openstack credentials by default

[kayrus]

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened:

Cinder CSI node server tries to create an openstack client based on cloud-config, when usually this is not necessary, since all openstack related communications are done on csi controller side.

What you expected to happen:

I expect CSI cinder node server not to use openstack credentials, when it is not necessary and respect the https://github.com/kubernetes/kubernetes/blob/08e1fd3bb947faf465e8a67d5c7106dbd10840c0/pkg/apis/core/types.go#L1607 and https://github.com/kubernetes/kubernetes/blob/08e1fd3bb947faf465e8a67d5c7106dbd10840c0/pkg/apis/core/types.go#L1664..L1670 API. So when ephemeral storage is requested, user must provide secret reference via pod manifest or storage manifest.

In addition, node server manifest should not refer to secrets. The node server configuration should be done via configMap. See discussion here: #861 (comment)

Anything else we need to know?:

kubernetes-csi/external-attacher#38

https://kubernetes-csi.github.io/docs/secrets-and-credentials.html

openstack client is used in functions listed below:

• nodePublishEphermeral
• nodeUnpublishEphermeral
• NodeStageVolume
• NodeUnstageVolume
• NodePublishVolume
• NodeUnpublishVolume

/cc @rfranzke

[rfranzke]

/cc @adisky

[jichenjc]

just to confirm, the overall idea is to use secret or related info to avoid usage of cloud-config, but still need the provided secret to do communication with openstck side(in other words ,the mechanism of communication between CSI node + openstack is not changed, how to provide cloud definition will be changed, correct?)

[kayrus]

Initial idea was to start nodeserver without secrets. It may be required by security purpose. Additionally, follow CSI spec and configure openstack client from secrets, provided in storageclass manifest when possible.

For now I'm confident that secrets are required by ephemeral inline storage. Nodeserver may work fine without secrets and ephemeral storage support.

The rest functions are:

• NodeStageVolume
• NodeUnstageVolume
• NodePublishVolume
• NodeUnpublishVolume

I haven't managed to clarify their purpose. But it would be fine if it is nodeserver just return an error, when openstack API operation is not possible.

[ramineni]

@kayrus we need to use openstack credentials for some of the operations in nodeserver . As per the https://kubernetes-csi.github.io/docs/secrets-and-credentials.html ,
secret is required at the "per driver" granularity (not different "per CSI operation" or "per volume"), then the secret SHOULD be injected directly in to CSI driver pods via standard Kubernetes secret distribution mechanisms during deployment. This is the way we are doing it currently , so it is fine.

IIUC, secrets needs to be provided per storageclass only when needed credentials per volume/per operation
If a CSI Driver requires secrets "per CSI operation" or "per volume" or "per storage pool", the CSI spec allows secrets to be passed in for various CSI operations. Cluster admins can populate such secrets by creating Kubernetes Secret objects and specifying the keys in the StorageClass or SnapshotClass objects (Ref: https://kubernetes-csi.github.io/docs/secrets-and-credentials.html)

updating slack discussion on questions you asked:

• do you agree that nodeserver must start without secrets?
  ramineni: we could explore this option, more investigation needed if this can be done without breaking the driver.
• do you agree that cloud-config should be split into two parts: config and secret?
  ramineni: yes, this would make sense

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ramineni]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ramineni]

/remove-lifecycle stale

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[ramineni]

/remove-lifecycle stale

[kayrus]

See an aws node controller for reference: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/deploy/kubernetes/base/node.yaml
It doesn't have secrets

[ramineni]

/assign
Explore nodeserver to be started without need of secrets

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ramineni]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ramineni]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[ramineni]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[jichenjc]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[puck]

It looks to me like node servers needed secrets for ephemeral storage, but ephemeral storage was removed in openshift/openstack-cinder-csi-driver-operator#76 . Does this mean the requirement to have secrets on the nodes is gone?