From 0e262efc2164bbb7a1412a2a90d8df70c5493d7e Mon Sep 17 00:00:00 2001
From: hoyho
Date: Wed, 17 Apr 2024 17:41:16 +0800
Subject: [PATCH] feat: support PVC annotation template for provisioner secret Provisioner can resolve templated per volume secret in storage class such as following example: `csi.storage.k8s.io/provisioner-secret-name: ${pvc.annotations['example.com/foo_secret']}` The secret will be stored as metadata in annotations of PV, so it can find the secret OnDelete even the PVC was deleted
Signed-off-by: hoyho
---
 pkg/controller/controller.go | 7 +------
 pkg/controller/controller_test.go | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
index ecc1c12a7f..bbb79f0f54 100644
--- a/pkg/controller/controller.go
+++ b/pkg/controller/controller.go
@@ -697,12 +697,7 @@ func (p *csiProvisioner) prepareProvision(ctx context.Context, claim *v1.Persist
 }

 // Resolve provision secret credentials.
- provisionerSecretRef, err := getSecretReference(provisionerSecretParams, sc.Parameters, pvName, &v1.PersistentVolumeClaim{
- ObjectMeta: metav1.ObjectMeta{
- Name: claim.Name,
- Namespace: claim.Namespace,
- },
- })
+ provisionerSecretRef, err := getSecretReference(provisionerSecretParams, sc.Parameters, pvName, claim)
 if err != nil {
 return nil, controller.ProvisioningNoChange, err
 }
diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go
index b3aa8d7472..5883e670c2 100644
--- a/pkg/controller/controller_test.go
+++ b/pkg/controller/controller_test.go
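Review bot: In pkg/controller/controller.go, handing the full `claim` to `getSecretReference` lets the provisioner secret reference be built from PVC annotations, which are set by whoever creates the claim, and nothing visible in this hunk bounds the resolved value. The call deserves a comment stating that trust assumption, for example `// NOTE: claim.Annotations are set by the PVC author; a StorageClass that templates the secret name from them should scope the secret namespace to ${pvc.namespace}.` The commit message also says the resolved reference is stored in PV annotations for deletion, but this patch contains no such write; presumably it lives elsewhere, so confirm the delete path does not re-resolve the template against a claim that no longer carries the annotation. prepareProvision starts and ends outside the hunk.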
@@ -722,6 +722,23 @@ func TestGetSecretReference(t *testing.T) {
 },
 expectErr: true,
 },
+ "template - valid PVC annotations for Provision and Delete": {
+ secretParams: provisionerSecretParams,
+ params: map[string]string{
+ prefixedProvisionerSecretNamespaceKey: "static-${pvc.namespace}",
+ prefixedProvisionerSecretNameKey: "static-${pvc.name}-${pvc.annotations['akey']}",
+ },
+ pvName: "pvname",
+ pvc: &v1.PersistentVolumeClaim{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "name",
+ Namespace: "pvcnamespace",
+ Annotations: map[string]string{"akey": "avalue"},
+ },
+ },
+ expectErr: false,
+ expectRef: &v1.SecretReference{Name: "static-name-avalue", Namespace: "static-pvcnamespace"},
+ },
 "template - valid nodepublish secret ref": {
 secretParams: nodePublishSecretParams,
 params: map[string]string{
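Review bot: The added table entry covers only the case where the annotation named in the template is present, and its title promises Delete coverage that a fully populated `pvc` does not exercise. A sibling entry with the same `params` and a claim whose `Annotations` lack `akey` (plus one with `pvc: nil`, if that is how the delete path calls in) would pin the result when the token cannot be resolved; I would expect `expectErr: true` there, to be confirmed against the resolver. Because the annotation value comes from the claim author, an entry with a constructed value that is not a valid secret name, such as `"akey": "a/b"`, would also show whether the resolved name is validated before use. TestGetSecretReference begins before the hunk and continues after it.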