Commit da7492c

committed
Update secrets documentation with supported keys
- there was a typo for NodePublish and NodeStage docs
- added a new example with secret provided for multiple operations
- updated the provisioner secrets based on recent changes allowing pvc.name and pvc.namespace
1 parent 8b0b4cd commit da7492c

1 file changed: +39 / -5 lines changed

book/src/secrets-and-credentials.md

Lines changed: 39 additions & 5 deletions
@@ -48,9 +48,20 @@ The value of both parameters may be a literal or a template containing the follo
4848

4949
* `${pv.name}`
5050
* Automatically replaced with the name of the `PersistentVolume` object being provisioned at provision.
51+
* `${pvc.namespace}`
52+
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisione
53+
54+
The value of `csi.storage.k8s.io/provisioner-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
55+
56+
* `${pvc.name}`
57+
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
5158

5259
If specified, the CSI `external-provisioner` will attempt to fetch the secret before provisioning and deletion.
5360

61+
If the entire namespace was deleted, including the secret needed for deletion, then no secret will be passed to the
62+
delete call. If this happens when the driver requires a secret for deletion, then the volume and PV may need to be
63+
manually cleaned up.
64+
5465
If no such secret exists in the Kubernetes API, or the provisioner is unable to fetch it, the provision or delete operation fails.
5566

5667
If the secret is retrieved successfully, the provisioner passes it to the CSI driver in the `CreateVolumeRequest.secrets` or `DeleteVolumeRequest.secrets` field.
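Review bot: the new bullet for `${pvc.namespace}` (line 52 of the diff) is cut off at "being provisione" and should end "being provisioned." to match the `${pv.name}` bullet above it. The added paragraph about a deleted namespace is a useful operational caveat; since it states that the volume and PV "may need to be manually cleaned up", it would help readers if the sentence also named what is left behind (the backend volume and the `PersistentVolume` object) so operators know what to look for when they audit for orphaned storage after a namespace deletion.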
@@ -71,7 +82,7 @@ The value of both parameters may be a literal or a template containing the follo
7182
* `${pvc.namespace}`
7283
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisioned.
7384

74-
The value of `csi.storage.k8s.io/controller-publish-secret-namespace` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
85+
The value of `csi.storage.k8s.io/controller-publish-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
7586

7687
* `${pvc.name}`
7788
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
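Review bot: the correction from `controller-publish-secret-namespace` to `controller-publish-secret-name` is right, but the lead sentence of this section ("The value of both parameters may be a literal or a template containing the following") still reads as if every listed variable applies to both keys. Consider stating explicitly that `${pvc.name}` is only supported for the `-name` parameter and not for `-namespace`, so that nobody copies `${pvc.name}` into the namespace field and ends up with a secret reference that never resolves.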
@@ -133,7 +144,7 @@ The value of both parameters may be a literal or a template containing the follo
133144
* `${pvc.namespace}`
134145
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisioned.
135146

136-
The value of `csi.storage.k8s.io/node-publish-secret-namespace` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
147+
The value of `csi.storage.k8s.io/node-publish-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
137148

138149
* `${pvc.name}`
139150
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
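Review bot: same fix as the controller-publish section and it is consistent with it. One clarification would help here: the sentence says the `node-publish-secret-name` template is "replaced by the `external-provisioner` at provision time", while the next hunk says the resolved secret is fetched and passed by the kubelet in `NodePublishVolumeRequest.secrets`. Spelling out that the template is resolved once at provision time and the kubelet later reads the resulting fixed reference would make the two passages read as one flow rather than appearing to contradict each other.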
@@ -148,7 +159,30 @@ If no such secret exists in the Kubernetes API, or the kubelet is unable to fetc
148159

149160
If the secret is retrieved successfully, the kubelet passes it to the CSI driver in the `NodePublishVolumeRequest.secrets` field.
150161

151-
For example, consider this `StorageClass`:
162+
## Example Storage Classes
163+
164+
The following storage classes supply secrets to a sample CSI driver named `csi-driver.team.example.com`.
165+
166+
### Multiple operations support secret keys
167+
A drivers may support secret keys for multiple operations. In this case, you can provide secrets references for each operation:
168+
169+
```yaml
170+
kind: StorageClass
171+
apiVersion: storage.k8s.io/v1
172+
metadata:
173+
name: fast-storage-all
174+
provisioner: csi-driver.team.example.com
175+
parameters:
176+
type: pd-ssd
177+
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
178+
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}-fast-storage
179+
csi.storage.k8s.io/node-publish-secret-name: ${pvc.name}-${pvc.annotations['team.example.com/key']}
180+
csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}-fast-storage
181+
182+
```
183+
184+
### Only NodePublish supports secret keys
185+
Some drivers may only support secret keys for a certain operation:
152186

153187
```yaml
154188
kind: StorageClass
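Review bot: "A drivers may support secret keys" (line 167) should be "A driver may support secret keys", and "secrets references" should be "secret references". In the `fast-storage-all` example, `node-publish-secret-name` is built from `${pvc.annotations['team.example.com/key']}`, so whoever can set that annotation on a PVC chooses which secret name is resolved; the `${pvc.namespace}-fast-storage` suffix on both `-namespace` parameters is what keeps that choice confined to a per-tenant namespace. That scoping is the security-relevant design point of the example and deserves a sentence of explanation under the heading, otherwise readers may copy the annotation template into a StorageClass with a single shared secret namespace. Also, line 181 adds an empty line inside the YAML block before the closing fence; dropping it keeps the block tidy.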
@@ -158,8 +192,8 @@ metadata:
158192
provisioner: csi-driver.team.example.com
159193
parameters:
160194
type: pd-ssd
161-
csiNodePublishSecretName: ${pvc.annotations['team.example.com/key']}
162-
csiNodePublishSecretNamespace: ${pvc.namespace}
195+
csi.storage.k8s.io/node-publish-secret-name: ${pvc.annotations['team.example.com/key']}
196+
csi.storage.k8s.io/node-publish-secret-namespace: ${pvc.namespace}
163197
```
164198

165199
This StorageClass instructs the CSI provisioner to do the following:
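Review bot: the rename from `csiNodePublishSecretName` / `csiNodePublishSecretNamespace` to the `csi.storage.k8s.io/node-publish-secret-*` keys is the right fix, but the page now drops the old names without saying whether existing StorageClasses that still use them continue to work. A one-line note on that would save operators from a silent failure when the old keys are ignored. It is also worth pointing out the contrast with the previous example: here `-namespace` is `${pvc.namespace}`, so the annotation-selected secret must live in the claimant's own namespace, whereas the `fast-storage-all` example appends `-fast-storage`.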
