feat: support PVC annotation template for provisioner secret

Provisioner can resolve templated per volume secret in storage class such as following example:
`csi.storage.k8s.io/provisioner-secret-name: ${pvc.annotations['example.com/foo_secret']}`
The secret will be stored as metadata in annotations of PV, so it can find the
secret OnDelete even the PVC was deleted

Signed-off-by: hoyho <luohaihao@gmail.com>

pkg/controller/controller.go

@@ -697,12 +697,7 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist
 	}
 
 	// Resolve provision secret credentials.
-	provisionerSecretRef, err := getSecretReference(provisionerSecretParams, sc.Parameters, pvName, &v1.PersistentVolumeClaim{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      claim.Name,
-			Namespace: claim.Namespace,
-		},
-	})
+	provisionerSecretRef, err := getSecretReference(provisionerSecretParams, sc.Parameters, pvName, claim)
 	if err != nil {
 		return nil, controller.ProvisioningNoChange, err
 	}

pkg/controller/controller_test.go

@@ -722,6 +722,23 @@ func TestGetSecretReference(t *testing.T) {
 			},
 			expectErr: true,
 		},
+		"template - valid PVC annotations for Provision and Delete": {
+			secretParams: provisionerSecretParams,
+			params: map[string]string{
+				prefixedProvisionerSecretNamespaceKey: "static-${pvc.namespace}",
+				prefixedProvisionerSecretNameKey:      "static-${pvc.name}-${pvc.annotations['akey']}",
+			},
+			pvName: "pvname",
+			pvc: &v1.PersistentVolumeClaim{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "name",
+					Namespace:   "pvcnamespace",
+					Annotations: map[string]string{"akey": "avalue"},
+				},
+			},
+			expectErr: false,
+			expectRef: &v1.SecretReference{Name: "static-name-avalue", Namespace: "static-pvcnamespace"},
+		},
 		"template - valid nodepublish secret ref": {
 			secretParams: nodePublishSecretParams,
 			params: map[string]string{