fix: marshal secrets for non node publish secret ref

Author: aramase

pkg/rotation/reconciler.go

@@ -68,6 +68,11 @@ const (
 	mountRotationCompleteReason     = "MountRotationComplete"
 	k8sSecretRotationFailedReason   = "SecretRotationFailed"
 	k8sSecretRotationCompleteReason = "SecretRotationComplete"
+
+	csipodname      = "csi.storage.k8s.io/pod.name"
+	csipodnamespace = "csi.storage.k8s.io/pod.namespace"
+	csipoduid       = "csi.storage.k8s.io/pod.uid"
+	csipodsa        = "csi.storage.k8s.io/serviceAccount.name"
 )
 
 // Reconciler reconciles and rotates contents in the pod
@@ -183,14 +188,6 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 		errorReason = internalerrors.SecretProviderClassNotFound
 		return fmt.Errorf("failed to get secret provider class %s/%s, err: %+v", spcNamespace, spcName, err)
 	}
-	paramsJSON, err := json.Marshal(spc.Spec.Parameters)
-	if err != nil {
-		return fmt.Errorf("failed to marshal parameters, err: %+v", err)
-	}
-	permissionJSON, err := json.Marshal(permission)
-	if err != nil {
-		return fmt.Errorf("failed to marshal permission, err: %+v", err)
-	}
 	// get pod from informer cache
 	podName, podNamespace := spcps.Status.PodName, spcps.Namespace
 	pod, err := r.store.GetPod(podName, podNamespace)
@@ -199,6 +196,25 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 		return fmt.Errorf("failed to get pod %s/%s, err: %+v", podNamespace, podName, err)
 	}
 
+	parameters := make(map[string]string)
+	if spc.Spec.Parameters != nil {
+		parameters = spc.Spec.Parameters
+	}
+	// Set these parameters to mimic the exact same attributes we get as part of NodePublishVolumeRequest
+	parameters[csipodname] = podName
+	parameters[csipodnamespace] = podNamespace
+	parameters[csipoduid] = string(pod.UID)
+	parameters[csipodsa] = pod.Spec.ServiceAccountName
+
+	paramsJSON, err := json.Marshal(parameters)
+	if err != nil {
+		return fmt.Errorf("failed to marshal parameters, err: %+v", err)
+	}
+	permissionJSON, err := json.Marshal(permission)
+	if err != nil {
+		return fmt.Errorf("failed to marshal permission, err: %+v", err)
+	}
+
 	// check if the volume pertaining to the current spc is using nodePublishSecretRef for
 	// accessing external secrets store
 	var nodePublishSecretRef *v1.LocalObjectReference
@@ -217,6 +233,7 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 	}
 
 	var secretsJSON []byte
+	nodePublishSecretData := make(map[string]string)
 	// read the Kubernetes secret referenced in NodePublishSecretRef and marshal it
 	// This comprises the secret parameter in the MountRequest to the provider
 	if nodePublishSecretRef != nil {
@@ -231,15 +248,15 @@ func (r *Reconciler) reconcile(ctx context.Context, spcps *v1alpha1.SecretProvid
 			return fmt.Errorf("failed to get node publish secret %s/%s, err: %+v", secretNamespace, secretName, err)
 		}
 
-		nodePublishSecretData := make(map[string]string)
 		for k, v := range secret.Data {
 			nodePublishSecretData[k] = string(v)
 		}
-		secretsJSON, err = json.Marshal(nodePublishSecretData)
-		if err != nil {
-			r.generateEvent(pod, v1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to marshal node publish secret data, err: %+v", err))
-			return fmt.Errorf("failed to marshal node publish secret data, err: %+v", err)
-		}
+	}
+
+	secretsJSON, err = json.Marshal(nodePublishSecretData)
+	if err != nil {
+		r.generateEvent(pod, v1.EventTypeWarning, mountRotationFailedReason, fmt.Sprintf("failed to marshal node publish secret data, err: %+v", err))
+		return fmt.Errorf("failed to marshal node publish secret data, err: %+v", err)
 	}
 
 	// generate a map with the current object versions stored in spc pod status

pkg/secrets-store/provider_client_test.go

@@ -55,7 +55,8 @@ func TestMountContent(t *testing.T) {
 			socketPath:            getTempTestDir(t),
 			attributes:            "{}",
 			targetPath:            "/var/lib/kubelet/pods/d448c6a2-cda8-42e3-84fb-3cf75faa8399/volumes/kubernetes.io~csi/secrets-store-inline/mount",
-			permission:            "0644",
+			permission:            "420",
+			secrets:               "{}",
 			expectedObjectVersion: map[string]string{"secret/secret1": "v1", "secret/secret2": "v2"},
 		},
 	}
@@ -160,7 +161,8 @@ func TestMountContentError(t *testing.T) {
 			socketPath:        getTempTestDir(t),
 			attributes:        "{}",
 			targetPath:        "/var/lib/kubelet/pods/d448c6a2-cda8-42e3-84fb-3cf75faa8399/volumes/kubernetes.io~csi/secrets-store-inline/mount",
-			permission:        "0644",
+			permission:        "420",
+			secrets:           "{}",
 			expectedErrorCode: "AuthenticationFailed",
 		},
 	}

provider/fake/fake_server.go

@@ -18,8 +18,10 @@ package fake
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
+	"os"
 
 	"google.golang.org/grpc"
 
@@ -77,18 +79,25 @@ func (m *MockCSIProviderServer) Start() error {
 
 // Mount implements provider csi-provider method
 func (m *MockCSIProviderServer) Mount(ctx context.Context, req *v1alpha1.MountRequest) (*v1alpha1.MountResponse, error) {
+	var attrib, secret map[string]string
+	var filePermission os.FileMode
+	var err error
+
 	if m.returnErr != nil {
 		return &v1alpha1.MountResponse{}, m.returnErr
 	}
-	if len(req.GetAttributes()) == 0 {
-		return nil, fmt.Errorf("missing attributes")
+	if err = json.Unmarshal([]byte(req.GetAttributes()), &attrib); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal attributes, error: %+v", err)
+	}
+	if err = json.Unmarshal([]byte(req.GetSecrets()), &secret); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal secrets, error: %+v", err)
+	}
+	if err = json.Unmarshal([]byte(req.GetPermission()), &filePermission); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal file permission, error: %+v", err)
 	}
 	if len(req.GetTargetPath()) == 0 {
 		return nil, fmt.Errorf("missing target path")
 	}
-	if len(req.GetPermission()) == 0 {
-		return nil, fmt.Errorf("missing permissions")
-	}
 	return &v1alpha1.MountResponse{
 		ObjectVersion: m.objects,
 		Error: &v1alpha1.Error{