- there was a typo for NodePublish and NodeStage docs
- added a new example with secret provided for multiple operations.
- updated the provisioner secrets based on recent changes allowing pvc.name and pvc.namespace.
book/src/secrets-and-credentials.md
39 additions & 5 deletions
@@ -48,9 +48,20 @@ The value of both parameters may be a literal or a template containing the follo
48
48
49
49
* `${pv.name}`
50
50
* Automatically replaced with the name of the `PersistentVolume` object being provisioned at provision.
51
+
* `${pvc.namespace}`
52
+
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisione
53
+
54
+
The value of `csi.storage.k8s.io/provisioner-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
55
+
56
+
* `${pvc.name}`
57
+
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
51
58
52
59
If specified, the CSI `external-provisioner` will attempt to fetch the secret before provisioning and deletion.
53
60
61
+
If the entire namespace was deleted, including the secret needed for deletion, then no secret will be passed to the
62
+
delete call. If this happens when the driver requires a secret for deletion, then the volume and PV may need to be
63
+
manually cleaned up.
64
+
54
65
If no such secret exists in the Kubernetes API, or the provisioner is unable to fetch it, the provision or delete operation fails.
55
66
56
67
If the secret is retrieved successfully, the provisioner passes it to the CSI driver in the `CreateVolumeRequest.secrets` or `DeleteVolumeRequest.secrets` field.
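Review bot: The paragraph added at new lines 61-63 says that when the namespace and its secret have been deleted, no secret is passed to the delete call, but the unchanged sentence right after it (new line 65) still says that if no such secret exists the provision or delete operation fails. A reader cannot tell which behaviour applies to deletion; reword one of the two so they agree, for example by scoping the failure sentence to provisioning or by stating the deleted-namespace case as an explicit exception. Separately, the added `${pvc.namespace}` description at new line 52 ends in "being provisione" as shown here and needs its final "d."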
@@ -71,7 +82,7 @@ The value of both parameters may be a literal or a template containing the follo
71
82
* `${pvc.namespace}`
72
83
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisioned.
73
84
74
-
The value of `csi.storage.k8s.io/controller-publish-secret-namespace` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
85
+
The value of `csi.storage.k8s.io/controller-publish-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
75
86
76
87
* `${pvc.name}`
77
88
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
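Review bot: The commit message describes this as a typo fix for the NodePublish and NodeStage docs, but the sentence corrected here at new line 85 is the `csi.storage.k8s.io/controller-publish-secret-name` one, and no hunk in this diff touches a node-stage sentence. Either update the message to name ControllerPublish, or check whether the node-stage section carries the same `-secret-namespace` wording and fix it in this change as well.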
@@ -133,7 +144,7 @@ The value of both parameters may be a literal or a template containing the follo
133
144
* `${pvc.namespace}`
134
145
* Automatically replaced with the namespace of the `PersistentVolumeClaim` object being provisioned.
135
146
136
-
The value of `csi.storage.k8s.io/node-publish-secret-namespace` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
147
+
The value of `csi.storage.k8s.io/node-publish-secret-name` also supports the following template variables which are automatically replaced by the `external-provisioner` at provision time:
137
148
138
149
* `${pvc.name}`
139
150
* Automatically replaced with the name of the `PersistentVolumeClaim` object being provisioned.
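Review bot: After the rename at new line 147, the visible text still never says outright that `${pvc.name}` is not accepted in `csi.storage.k8s.io/node-publish-secret-namespace`, which is the reading the old sentence invited. Consider adding one sentence after the first variable list stating that the namespace parameter accepts only the variables listed there, so nobody assumes a PVC name can steer which namespace the secret is read from.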
@@ -148,7 +159,30 @@ If no such secret exists in the Kubernetes API, or the kubelet is unable to fetc
148
159
149
160
If the secret is retrieved successfully, the kubelet passes it to the CSI driver in the `NodePublishVolumeRequest.secrets` field.
150
161
151
-
For example, consider this `StorageClass`:
162
+
## Example Storage Classes
163
+
164
+
The following storage classes supply secrets to a sample CSI driver named `csi-driver.team.example.com`.
165
+
166
+
### Multiple operations support secret keys
167
+
A drivers may support secret keys for multiple operations. In this case, you can provide secrets references for each operation:
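Review bot: Grammar in the added sentence at new line 167: "A drivers may support" should be "A driver may support", and "secrets references" should be "secret references". The heading at new line 166, "Multiple operations support secret keys", would also read more clearly as a noun phrase such as "Secrets for multiple operations".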