csi: support Secrets parameter in CSI RPCs

CSI plugins can require credentials for some publishing and unpublishing workflow RPCs. Secrets are configured at the time of volume registration, stored in the volume struct, and then passed around as an opaque map by Nomad to the plugins.
hashicorp · May 11, 2020 · a0a7ba7 · a0a7ba7
1 parent 3d6c088
commit a0a7ba7
Show file tree

Hide file tree

Showing 26 changed files with 1,659 additions and 1,553 deletions.
diff --git a/api/csi.go b/api/csi.go
@@ -87,6 +87,8 @@ type CSIMountOptions struct {
 	ExtraKeysHCL []string `hcl:",unusedKeys" json:"-"` // report unexpected keys
 }
 
+type CSISecrets map[string]string
+
 // CSIVolume is used for serialization, see also nomad/structs/csi.go
 type CSIVolume struct {
 	ID             string
@@ -97,6 +99,7 @@ type CSIVolume struct {
 	AccessMode     CSIVolumeAccessMode     `hcl:"access_mode"`
 	AttachmentMode CSIVolumeAttachmentMode `hcl:"attachment_mode"`
 	MountOptions   *CSIMountOptions        `hcl:"mount_options"`
+	Secrets        CSISecrets              `hcl:"secrets"`
 
 	// Allocations, tracking claim status
 	ReadAllocs  map[string]*Allocation

diff --git a/client/csi_endpoint.go b/client/csi_endpoint.go
@@ -61,6 +61,7 @@ func (c *CSI) ControllerValidateVolume(req *structs.ClientCSIControllerValidateV
 	// CSI ValidateVolumeCapabilities errors for timeout, codes.Unavailable and
 	// codes.ResourceExhausted are retried; all other errors are fatal.
 	return plugin.ControllerValidateCapabilities(ctx, req.VolumeID, caps,
+		req.Secrets,
 		grpc_retry.WithPerRetryTimeout(CSIPluginRequestTimeout),
 		grpc_retry.WithMax(3),
 		grpc_retry.WithBackoff(grpc_retry.BackoffExponential(100*time.Millisecond)))

diff --git a/client/logmon/proto/logmon.pb.go b/client/logmon/proto/logmon.pb.go
diff --git a/client/pluginmanager/csimanager/volume.go b/client/pluginmanager/csimanager/volume.go
@@ -170,6 +170,7 @@ func (v *volumeManager) stageVolume(ctx context.Context, vol *structs.CSIVolume,
 		publishContext,
 		pluginStagingPath,
 		capability,
+		vol.Secrets,
 		grpc_retry.WithPerRetryTimeout(DefaultMountActionTimeout),
 		grpc_retry.WithMax(3),
 		grpc_retry.WithBackoff(grpc_retry.BackoffExponential(100*time.Millisecond)),
@@ -208,6 +209,7 @@ func (v *volumeManager) publishVolume(ctx context.Context, vol *structs.CSIVolum
 		TargetPath:        pluginTargetPath,
 		VolumeCapability:  capabilities,
 		Readonly:          usage.ReadOnly,
+		Secrets:           vol.Secrets,
 	},
 		grpc_retry.WithPerRetryTimeout(DefaultMountActionTimeout),
 		grpc_retry.WithMax(3),

diff --git a/client/structs/csi.go b/client/structs/csi.go
@@ -35,6 +35,8 @@ type ClientCSIControllerValidateVolumeRequest struct {
 
 	AttachmentMode structs.CSIVolumeAttachmentMode
 	AccessMode     structs.CSIVolumeAccessMode
+	Secrets        structs.CSISecrets
+	// Parameters map[string]string // TODO: https://github.com/hashicorp/nomad/issues/7670
 
 	CSIControllerQuery
 }
@@ -66,6 +68,15 @@ type ClientCSIControllerAttachVolumeRequest struct {
 	// only works when the Controller has the PublishReadonly capability.
 	ReadOnly bool
 
+	// Secrets required by plugin to complete the controller publish
+	// volume request. This field is OPTIONAL.
+	Secrets structs.CSISecrets
+
+	// TODO https://github.com/hashicorp/nomad/issues/7771
+	// Volume context as returned by storage provider in CreateVolumeResponse.
+	// This field is optional.
+	// VolumeContext map[string]string
+
 	CSIControllerQuery
 }
 
@@ -82,8 +93,10 @@ func (c *ClientCSIControllerAttachVolumeRequest) ToCSIRequest() (*csi.Controller
 	return &csi.ControllerPublishVolumeRequest{
 		VolumeID:         c.VolumeID,
 		NodeID:           c.ClientCSINodeID,
-		ReadOnly:         c.ReadOnly,
 		VolumeCapability: caps,
+		ReadOnly:         c.ReadOnly,
+		Secrets:          c.Secrets,
+		// VolumeContext:    c.VolumeContext, TODO: https://github.com/hashicorp/nomad/issues/7771
 	}, nil
 }
 
@@ -117,6 +130,10 @@ type ClientCSIControllerDetachVolumeRequest struct {
 	// by the target node for this plugin name.
 	ClientCSINodeID string
 
+	// Secrets required by plugin to complete the controller unpublish
+	// volume request. This field is OPTIONAL.
+	Secrets structs.CSISecrets
+
 	CSIControllerQuery
 }
 

diff --git a/command/agent/csi_endpoint.go b/command/agent/csi_endpoint.go
@@ -85,6 +85,10 @@ func (s *HTTPServer) csiVolumeGet(id string, resp http.ResponseWriter, req *http
 		return nil, CodedError(404, "volume not found")
 	}
 
+	// remove sensitive fields, as our redaction mechanism doesn't
+	// help serializing here
+	out.Volume.Secrets = nil
+	out.Volume.MountOptions = nil
 	return out.Volume, nil
 }
 

diff --git a/command/volume_register_test.go b/command/volume_register_test.go
@@ -57,13 +57,17 @@ namespace = "n"
 access_mode = "single-node-writer"
 attachment_mode = "file-system"
 plugin_id = "p"
+secrets {
+  mysecret = "secretvalue"
+}
 `,
 		q: &api.CSIVolume{
 			ID:             "foo",
 			Namespace:      "n",
 			AccessMode:     "single-node-writer",
 			AttachmentMode: "file-system",
 			PluginID:       "p",
+			Secrets:        api.CSISecrets{"mysecret": "secretvalue"},
 		},
 		err: "",
 	}, {