feat: support reading service account tokens from CSI secrets field for Kubernetes 1.35+

[aramase]

/kind feature

implementing changes for KEP: kubernetes/enhancements#5538

see https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/5538-csi-sa-tokens-secrets-field/README.md#driver-migration-example for why we're doing this.

Support reading service account tokens from CSI secrets field for Kubernetes 1.35+

[aramase]

@andyzhangx what's the best way to handle this in the helm charts? do you create a new version of chart for every Kubernetes release?

for 1.35+, we should have serviceAccountTokenInSecrets: true in the CSIDriver. See the KEP and example for how I'm handling this in Secrets Store CSI Driver: kubernetes-sigs/secrets-store-csi-driver#1979 for reference.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aramase
Once this PR has been reviewed and has the lgtm label, please assign feiskyer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[Copilot]

Pull request overview

Adds Kubernetes 1.35+ compatibility for the CSI “serviceAccountTokenInSecrets” migration by preferring service account tokens from the CSI request Secrets field while keeping backward compatibility with VolumeContext.

Changes:

• Add getServiceAccountTokens() helper to prefer Node(Stage|Publish)VolumeRequest.Secrets over VolumeContext.
• Update NodePublishVolume/NodeStageVolume workload-identity gating logic to use the helper.
• Add unit tests covering helper precedence and nil-map behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
pkg/blob/nodeserver.go	Reads SA tokens from req.Secrets (preferred) with fallback to VolumeContext, and threads Secrets into an internal NodeStageVolume call.
pkg/blob/nodeserver_test.go	Adds unit tests for getServiceAccountTokens() precedence and nil handling.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

NodePublishVolume now uses getServiceAccountTokens(req.Secrets, req.VolumeContext) to decide whether to take the workload-identity path, but the token is not guaranteed to be present in VolumeContext anymore (Kubernetes 1.35+ moves it to Secrets). Unless NodeStageVolume / GetAuthEnv also reads serviceAccountTokenField from Secrets, this will still fail later when the token is parsed from volumeContext only.

[Copilot]

This test validates the precedence logic of getServiceAccountTokens, but it doesn’t cover the actual workload-identity auth flow when Kubernetes supplies serviceAccountTokenField only via Node(Stage|Publish)VolumeRequest.Secrets (the 1.35+ behavior). Adding a test that exercises NodeStageVolume/GetAuthEnv with the token present only in secrets would catch regressions where the token is still read exclusively from volumeContext.

[Copilot]

serviceAccountTokens is computed from req.Secrets, but the token is still consumed downstream via GetAuthEnv/parseServiceAccountToken from attrib (volumeContext) only (see pkg/blob/blob.go switch on serviceAccountTokenField). In Kubernetes 1.35+ with serviceAccountTokenInSecrets, mounts that rely on workload identity will fail unless the secrets token is propagated into the data consumed by GetAuthEnv (either read from secrets there, or inject into the map passed to it).

Suggested change

	serviceAccountTokens := getServiceAccountTokens(secrets, attrib)
	serviceAccountTokens := getServiceAccountTokens(secrets, attrib)
	if serviceAccountTokens != "" {
	attribWithServiceAccountToken := make(map[string]string, len(attrib)+1)
	for k, v := range attrib {
	attribWithServiceAccountToken[k] = v
	}
	attribWithServiceAccountToken[serviceAccountTokenField] = serviceAccountTokens
	attrib = attribWithServiceAccountToken
	}

[landreasyan]

Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?

[aramase]

Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?

we should!
ref: #2305 (comment)

[landreasyan]

Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?

we should! ref: #2305 (comment)

Discussed with @andyzhangx - you can add the serviceAccountTokenInSecrets: true to CSIDriver in the latest charts in this PR and we will create a new tag, 1.36, once these changes merge! :)