csi: allow -secret flag in nomad volume snapshot create command

Pass-through the `-secret` flag to allow overriding the secrets we've stored on the CSI volume in the state store.
hashicorp · Mar 23, 2022 · f1ee18b · f1ee18b
1 parent fe65d80
commit f1ee18b
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 1 deletion.
diff --git a/.changelog/12360.txt b/.changelog/12360.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+csi: Added `-secret` flag to `volume snapshot create` command
+```
diff --git a/command/volume_snapshot_create.go b/command/volume_snapshot_create.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/hashicorp/nomad/api"
 	"github.com/hashicorp/nomad/api/contexts"
+	flaghelper "github.com/hashicorp/nomad/helper/flags"
 	"github.com/posener/complete"
 )
 
@@ -30,6 +31,14 @@ Usage: nomad volume snapshot create <volume id> [snapshot_name]
   When ACLs are enabled, this command requires a token with the
   'csi-write-volume' capability for the volume's namespace.
 
+
+Snapshot Create Options:
+
+  -secret
+    Secrets to pass to the plugin to list snapshots. Accepts multiple
+    flags in the form -secret key=value
+
+
 General Options:
 
   ` + generalOptionsUsage(usageOptsDefault) + `
@@ -70,7 +79,9 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 	flags.Usage = func() { c.Ui.Output(c.Help()) }
 
 	var verbose bool
+	var secretsArgs flaghelper.StringFlag
 	flags.BoolVar(&verbose, "verbose", false, "")
+	flags.Var(&secretsArgs, "secret", "secrets for snapshot, ex. -secret key=value")
 
 	if err := flags.Parse(args); err != nil {
 		c.Ui.Error(fmt.Sprintf("Error parsing arguments %s", err))
@@ -97,9 +108,18 @@ func (c *VolumeSnapshotCreateCommand) Run(args []string) int {
 		return 1
 	}
 
+	secrets := api.CSISecrets{}
+	for _, kv := range secretsArgs {
+		s := strings.Split(kv, "=")
+		if len(s) == 2 {
+			secrets[s[0]] = s[1]
+		}
+	}
+
 	snaps, _, err := client.CSIVolumes().CreateSnapshot(&api.CSISnapshot{
 		SourceVolumeID: volID,
 		Name:           snapshotName,
+		Secrets:        secrets,
 	}, nil)
 	if err != nil {
 		c.Ui.Error(fmt.Sprintf("Error snapshotting volume: %s", err))

diff --git a/nomad/csi_endpoint.go b/nomad/csi_endpoint.go
@@ -1195,10 +1195,16 @@ func (v *CSIVolume) CreateSnapshot(args *structs.CSISnapshotCreateRequest, reply
 			continue
 		}
 
+		secrets := vol.Secrets
+		for k, v := range snap.Secrets {
+			// merge request secrets onto volume secrets
+			secrets[k] = v
+		}
+
 		cReq := &cstructs.ClientCSIControllerCreateSnapshotRequest{
 			ExternalSourceVolumeID: vol.ExternalID,
 			Name:                   snap.Name,
-			Secrets:                vol.Secrets,
+			Secrets:                secrets,
 			Parameters:             snap.Parameters,
 		}
 		cReq.PluginID = pluginID

diff --git a/website/content/docs/commands/volume/snapshot-create.mdx b/website/content/docs/commands/volume/snapshot-create.mdx
@@ -35,6 +35,11 @@ When ACLs are enabled, this command requires a token with the
 
 @include 'general_options.mdx'
 
+## Snapshot Create Options
+
+- `-secret`: Secrets to pass to the plugin to list snapshots. Accepts
+  multiple flags in the form `-secret key=value`
+
 ## Examples
 
 Snapshot a volume: