Skip to content

oss(credentials): support STS.Token in nodePublishSecretRef and rotation by republish #1591

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
AlbeeSo wants to merge 7 commits into
base: master
Choose a base branch
from
Open

oss(credentials): support STS.Token in nodePublishSecretRef and rotation by republish #1591

AlbeeSo wants to merge 7 commits into from
+3,597 −431

Conversation

@AlbeeSo
Copy link
Member

@AlbeeSo AlbeeSo commented Dec 24, 2025

What type of PR is this?

/kind feature

What this PR does / why we need it:

  1. recreate OSS csidriver and set requiredRepublish to true.
  2. create secret like
    kubectl create -n default secret generic oss-secret --from-literal='accessKeyId=<yourAccessKeyFromAssumeRole>' --from-literal='accessKeySecret=<yourAccessKeySecretFromAssumeRole>' --from-literal='securityToken=<yourSecurityTokenFromAssumeRole>' --from-literal='Expiration=2025-12-22T04:11:50Z'
  3. create a OSS PV with nodePublishSecretRef with the secret created.
  4. rotate the credentials in secret (remain more than 20 minutes expiration)
  5. check the OSS PV can still access server, and the audit logs of OSS shows the new credentials are used.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 24, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 24, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlbeeSo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Dec 24, 2025
@AlbeeSo AlbeeSo force-pushed the oss/token-rotation-rewrite branch 2 times, most recently from 77d2b5d to da50d2e Compare December 24, 2025 06:07
@AlbeeSo AlbeeSo force-pushed the oss/token-rotation-rewrite branch from da50d2e to 5817fea Compare December 24, 2025 07:05
mowangdk
mowangdk reviewed Dec 24, 2025
View reviewed changes
pkg/mounter/utils/filelock.go Outdated
}

// WriteFileWithLock safely writes data to file with locking
func WriteFileWithLock(path string, data []byte, perm os.FileMode) (done bool, err error) {
Copy link
Contributor

@mowangdk mowangdk Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this lock secure the secret file update? If we write a new token to a separate file and then rename it, we wouldn't need locks?

@AlbeeSo AlbeeSo force-pushed the oss/token-rotation-rewrite branch 3 times, most recently from 9465193 to c3b1c21 Compare December 25, 2025 09:23
iltyty
iltyty reviewed Dec 25, 2025
View reviewed changes
@AlbeeSo AlbeeSo force-pushed the oss/token-rotation-rewrite branch from c3b1c21 to 4f91d33 Compare December 25, 2025 10:10
@AlbeeSo AlbeeSo force-pushed the oss/token-rotation-rewrite branch from 6021061 to 51b3bcf Compare December 25, 2025 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mowangdk mowangdk mowangdk left review comments

+1 more reviewer

@iltyty iltyty iltyty left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@AlbeeSo @k8s-ci-robot @mowangdk @iltyty