kubernetes-csi · mpatlasov · Jun 25, 2025 · andyzhangx · Jun 28, 2025 · johanot
diff --git a/pkg/smb/nodeserver.go b/pkg/smb/nodeserver.go
@@ -231,7 +231,7 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 			return nil, status.Error(codes.Internal, fmt.Sprintf("MkdirAll %s failed with error: %v", targetPath, err))
 		}
 		if requireUsernamePwdOption && !useKerberosCache {
-			sensitiveMountOptions = []string{fmt.Sprintf("%s=%s,%s=%s", usernameField, username, passwordField, password)}
+			sensitiveMountOptions = []string{fmt.Sprintf("%s=%s", usernameField, username), fmt.Sprintf("%s=%s", passwordField, password)}
 		}
 		mountOptions = mountFlags
 		if !gidPresent && volumeMountGroup != "" {

diff --git a/pkg/smb/smb_common_linux.go b/pkg/smb/smb_common_linux.go
@@ -20,12 +20,29 @@ limitations under the License.
 package smb
 
 import (
+	"fmt"
 	"os"
 
 	mount "k8s.io/mount-utils"
 )
 
 func Mount(m *mount.SafeFormatAndMount, source, target, fsType string, options, sensitiveMountOptions []string, _ string) error {
+	if len(sensitiveMountOptions) != 0 {
+		file, err := os.CreateTemp("/tmp/", "*.smb.credentials")
+		if err != nil {
+			return err
+		}
+
+		for _, option := range sensitiveMountOptions {
+			if _, err := file.Write([]byte(fmt.Sprintf("%s\n", option))); err != nil {
+				return err
+			}
+		}
+		file.Close()
+		defer os.Remove(file.Name())
+
+		sensitiveMountOptions = []string{fmt.Sprintf("credentials=%s", file.Name())}
+	}
 	return m.MountSensitive(source, target, fsType, options, sensitiveMountOptions)
 }