cloud-provider-openstack

[cinder-csi-plugin] Support accepting OpenStack credentials passed via CSI requests

Open musaprg opened this issue 5 months ago • 2 comments

/kind feature

What happened:

The original idea came up in https://github.com/kubernetes/cloud-provider-openstack/issues/2532#issuecomment-3133393603.

Manila CSI plugin accepts OpenStack credentials passed via CSI requests. The credentials are stored in a Kubernetes Secret resource, and its name is specified with parameters in StorageClass resources, such as csi.storage.k8s.io/provisioner-secret-namespace. https://kubernetes-csi.github.io/docs/secrets-and-credentials-storage-class.html#storageclass-secrets

On the other hand, Cinder CSI plugin only supports accepting OpenStack credentials via cloud.conf file mounted to the container. The discrepancy makes it hard to share a single credential across two CSI plugins (Cinder and Manila).

What you expected to happen:

This PR proposes that the Cinder CSI plugin support accepting OpenStack credentials passed via CSI requests, which is the same configuration mechanism as the Manila CSI plugin.

Let's assume we have the following secret containing OpenStack credentials. This format is already supported on Manila CSI plugin.

apiVersion: v1
kind: Secret
metadata:
  name: csi-os-secrets
  namespace: default
stringData:
  os-authURL: "some-auth-url"
  os-region: "some-region"
  os-userName: "some-username"
  os-password: "some-password"
  os-projectName: "some-project-name"
  os-domainID: "some-domain-id"

I'd like to use this secret for not only Manila CSI plugin but also Cinder CSI plugin to reduce the maintenance cost of multiple secrets. For example, the following StorageClass can be used even without mounting cloud.conf file directly into the CSI plugin pods.

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-sc-cinderplugin
provisioner: cinder.csi.openstack.org
parameters:
  csi.storage.k8s.io/provisioner-secret-name: csi-os-secrets
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/controller-expand-secret-name: csi-os-secrets
  csi.storage.k8s.io/controller-expand-secret-namespace: default
  csi.storage.k8s.io/node-stage-secret-name: csi-os-secrets
  csi.storage.k8s.io/node-stage-secret-namespace: default
  csi.storage.k8s.io/node-publish-secret-name: csi-os-secrets
  csi.storage.k8s.io/node-publish-secret-namespace: default

Anything else we need to know?:

There's another option where we add support for the cloud.conf format to the Manila CSI plugin, because the file format is used by other plugins hosted in cloud-provider-openstack. This should be discussed under a different issue, https://github.com/kubernetes/cloud-provider-openstack/issues/2532.

Environment:

  • openstack-cloud-controller-manager(or other related binary) version: 1.33.1
  • OpenStack version: all

musaprg, Aug 03 '25 17:08
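A sketch of how a driver could consume the Secret above from the secrets map that CSI requests carry, added here as an illustration and not code from cinder-csi-plugin or manila-csi-plugin. The names `Creds`, `FromCSISecrets` and `ErrNoSecrets` are hypothetical, and treating all six keys as required is an assumption; the password is kept out of log output and error text.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Creds mirrors the six keys of the Secret in the issue (hypothetical type).
type Creds struct {
	AuthURL, Region, UserName, Password, ProjectName, DomainID string
}

// String redacts the password so logging a Creds value cannot leak it.
func (c Creds) String() string {
	return fmt.Sprintf("authURL=%s region=%s user=%s project=%s domain=%s password=<redacted>",
		c.AuthURL, c.Region, c.UserName, c.ProjectName, c.DomainID)
}

// ErrNoSecrets tells the caller to fall back to the mounted cloud.conf.
var ErrNoSecrets = errors.New("no secrets in CSI request")

// FromCSISecrets builds Creds from a request's secrets map (assumption: all six keys required).
func FromCSISecrets(secrets map[string]string) (Creds, error) {
	if len(secrets) == 0 {
		return Creds{}, ErrNoSecrets
	}
	var c Creds
	fields := []struct{ key string; dst *string }{
		{"os-authURL", &c.AuthURL}, {"os-region", &c.Region},
		{"os-userName", &c.UserName}, {"os-password", &c.Password},
		{"os-projectName", &c.ProjectName}, {"os-domainID", &c.DomainID},
	}
	var missing []string
	for _, f := range fields {
		if *f.dst = secrets[f.key]; strings.TrimSpace(*f.dst) == "" {
			missing = append(missing, f.key) // report key names only, never values
		}
	}
	if len(missing) > 0 {
		return Creds{}, fmt.Errorf("CSI secrets missing keys: %s", strings.Join(missing, ", "))
	}
	return c, nil
}

func main() {
	// Constructed request with a single key set: prints the missing-key error.
	_, err := FromCSISecrets(map[string]string{"os-authURL": "some-auth-url"})
	fmt.Println(err)
}
```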

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot, Nov 01 '25 17:11

/remove-lifecycle stale

musaprg, Nov 02 '25 02:11