
feat: support reading service account tokens from CSI secrets field for Kubernetes 1.35+#2305

Merged
k8s-ci-robot merged 9 commits into
kubernetes-sigs:masterfrom
aramase:aramase/c/fallback_sa_logic
May 20, 2026

Conversation

@aramase
Member

@aramase aramase commented Jan 21, 2026

/kind feature

implementing changes for KEP: kubernetes/enhancements#5538

see https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/5538-csi-sa-tokens-secrets-field/README.md#driver-migration-example for why we're doing this.

Support reading service account tokens from CSI secrets field for Kubernetes 1.35+

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 21, 2026
@aramase
Member Author

aramase commented Jan 21, 2026

@andyzhangx what's the best way to handle this in the helm charts? do you create a new version of chart for every Kubernetes release?

for 1.35+, we should have serviceAccountTokenInSecrets: true in the CSIDriver. See the KEP and example for how I'm handling this in Secrets Store CSI Driver: kubernetes-sigs/secrets-store-csi-driver#1979 for reference.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 21, 2026
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 22, 2026
@andyzhangx andyzhangx removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 27, 2026
@andyzhangx andyzhangx requested a review from Copilot April 27, 2026 11:41
Contributor

Copilot AI left a comment


Pull request overview

Adds Kubernetes 1.35+ compatibility for the CSI “serviceAccountTokenInSecrets” migration by preferring service account tokens from the CSI request Secrets field while keeping backward compatibility with VolumeContext.

Changes:

  • Add getServiceAccountTokens() helper to prefer Node(Stage|Publish)VolumeRequest.Secrets over VolumeContext.
  • Update NodePublishVolume/NodeStageVolume workload-identity gating logic to use the helper.
  • Add unit tests covering helper precedence and nil-map behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
pkg/blob/nodeserver.go Reads SA tokens from req.Secrets (preferred) with fallback to VolumeContext, and threads Secrets into an internal NodeStageVolume call.
pkg/blob/nodeserver_test.go Adds unit tests for getServiceAccountTokens() precedence and nil handling.


Comment thread pkg/blob/nodeserver.go
Comment thread pkg/blob/nodeserver_test.go
Comment thread pkg/blob/nodeserver.go
@landreasyan
Collaborator

Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?

@aramase
Member Author

aramase commented May 14, 2026

> Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?

we should!
ref: #2305 (comment)

@landreasyan
Collaborator

landreasyan commented May 19, 2026

> Should we enable the feature in this PR by setting serviceAccountTokenInSecrets: true for the latest CSIDriver in the charts?
>
> we should! ref: #2305 (comment)

@aramase, I discussed with @andyzhangx - you can add the serviceAccountTokenInSecrets: true to CSIDriver in the latest charts in this PR and we will create a new tag, 1.36, once these changes merge! :)

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 19, 2026
aramase added 4 commits May 19, 2026 12:26
…or Kubernetes 1.35+

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
GetAuthEnv reads serviceAccountTokenField from attrib only, so the
token delivered via Secrets (k8s 1.35+ serviceAccountTokenInSecrets)
never reached the workload identity auth path. Copy attrib and inject
the resolved token before calling GetAuthEnv in NodeStageVolume.

Gate on requiresRepublish in the helm template since the kube API
server rejects serviceAccountTokenInSecrets when requiresRepublish
is false.
@aramase aramase force-pushed the aramase/c/fallback_sa_logic branch from 7b92102 to 526616e May 19, 2026 19:28
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 19, 2026
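The token-precedence logic summarised in the Copilot overview above (Secrets preferred, VolumeContext as fallback, nil maps tolerated) and the fix described in the commit message (copy attrib and inject the resolved token so a helper that reads only attrib still sees it), as an added example. This is not the blob-csi-driver's own code: the CSI key name `csi.storage.k8s.io/serviceAccount.tokens` and the per-audience JSON shape are the standard ones kubelet uses, but the function bodies, the audience string `api://AzureADTokenExchange`, and the sample tokens are this example's own assumptions and stand-ins.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Standard CSI key under which kubelet delivers projected service account
// tokens: in VolumeContext on every release, and additionally in the
// Secrets field on 1.35+ when the CSIDriver sets serviceAccountTokenInSecrets.
const serviceAccountTokenField = "csi.storage.k8s.io/serviceAccount.tokens"

// tokenEntry mirrors the per-audience value kubelet encodes in that field.
type tokenEntry struct {
	Token               string    `json:"token"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// getServiceAccountTokens resolves the raw token JSON with the precedence the
// PR describes: Secrets first, VolumeContext as fallback. Both maps may be
// nil; indexing a nil map in Go is safe and yields the zero value. The second
// return value names the source so callers and tests can see which path won.
func getServiceAccountTokens(secrets, volumeContext map[string]string) (string, string) {
	if v, ok := secrets[serviceAccountTokenField]; ok && v != "" {
		return v, "secrets"
	}
	if v, ok := volumeContext[serviceAccountTokenField]; ok && v != "" {
		return v, "volumeContext"
	}
	return "", ""
}

// tokenForAudience parses the token JSON and returns the unexpired token for
// one audience. Rejecting expired tokens here avoids handing a dead credential
// to the identity provider; kubelet republishes fresh ones when the CSIDriver
// has requiresRepublish set.
func tokenForAudience(raw, audience string, now time.Time) (string, error) {
	var entries map[string]tokenEntry
	if err := json.Unmarshal([]byte(raw), &entries); err != nil {
		return "", fmt.Errorf("malformed service account token field: %w", err)
	}
	e, ok := entries[audience]
	if !ok {
		return "", fmt.Errorf("no token for audience %q", audience)
	}
	if !e.ExpirationTimestamp.IsZero() && !now.Before(e.ExpirationTimestamp) {
		return "", fmt.Errorf("token for audience %q expired at %s",
			audience, e.ExpirationTimestamp.UTC().Format(time.RFC3339))
	}
	return e.Token, nil
}

// withResolvedToken copies attrib and injects the resolved token under the
// standard key, so a downstream helper that reads only attrib (as the commit
// message says GetAuthEnv does) sees the Secrets-delivered token. The request's
// own map is left untouched.
func withResolvedToken(attrib map[string]string, tokens string) map[string]string {
	out := make(map[string]string, len(attrib)+1)
	for k, v := range attrib {
		out[k] = v
	}
	if tokens != "" {
		out[serviceAccountTokenField] = tokens
	}
	return out
}

func main() {
	// Constructed sample input (placeholder tokens, far-future expiry), assumed
	// audience for Azure workload identity.
	const audience = "api://AzureADTokenExchange"
	secretsTokens := `{"` + audience + `":{"token":"from-secrets","expirationTimestamp":"2099-01-01T00:00:00Z"}}`
	contextTokens := `{"` + audience + `":{"token":"from-context","expirationTimestamp":"2099-01-01T00:00:00Z"}}`

	secrets := map[string]string{serviceAccountTokenField: secretsTokens}
	attrib := map[string]string{"containerName": "data", serviceAccountTokenField: contextTokens}

	raw, src := getServiceAccountTokens(secrets, attrib)
	tok, err := tokenForAudience(raw, audience, time.Now())
	fmt.Println("source:", src, "token:", tok, "err:", err)

	merged := withResolvedToken(attrib, raw)
	fmt.Println("attrib copy carries secrets token:", merged[serviceAccountTokenField] == secretsTokens)
	fmt.Println("original attrib unchanged:", attrib[serviceAccountTokenField] == contextTokens)
}
```

On a pre-1.35 kubelet the Secrets map simply lacks the key, so the fallback path is taken and behaviour is unchanged; on 1.35+ with the CSIDriver flag set, both maps may carry the key and the Secrets copy wins, which is the point of the migration: the token stops appearing in VolumeContext, where it is more likely to be logged or persisted.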
@andyzhangx andyzhangx requested a review from Copilot May 20, 2026 04:46
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 3 comments.

Comment thread pkg/blob/nodeserver.go
Comment thread deploy/csi-blob-driver.yaml
Comment thread charts/latest/blob-csi-driver/templates/csi-blob-driver.yaml
- Add feature.serviceAccountTokenInSecrets (default: false) in values.yaml
- Gate serviceAccountTokenInSecrets in CSIDriver template on its own flag
  instead of piggy-backing on requiresRepublish
- Enable by default in E2E_HELM_OPTIONS for pull-blob-csi-driver-e2e tests
- pull-blob-csi-driver-e2e-proxy tests use default (disabled) since they
  don't set EXTRA_HELM_OPTIONS to override

Signed-off-by: Andy Zhang <andyzhangx@live.com>
Signed-off-by: Andy Zhang <andyzhangx@live.com>
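The chart-side gating described in the commit message above (a `feature.serviceAccountTokenInSecrets` value, default false, gating the CSIDriver field on its own flag rather than on requiresRepublish) together with the API-server rule cited in the earlier commit message (serviceAccountTokenInSecrets is rejected when requiresRepublish is false), as an added example. It is not the project's chart: Helm templates are Go text/template, so the snippet below renders a minimal CSIDriver the same way `helm template` would and adds a preflight check a practitioner can run before `kubectl apply`. The driver name, the `feature.requiresRepublish` value key, the tokenRequests audience and the rest of the manifest are this example's assumptions, not the chart's actual layout.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// Assumed chart template excerpt. The serviceAccountTokenInSecrets line is
// emitted only when the feature flag is on, so the rendered manifest stays
// valid on API servers older than 1.35 that do not know the field.
const csiDriverTemplate = `apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: blob.csi.azure.com
spec:
  attachRequired: false
  podInfoOnMount: true
  tokenRequests:
    - audience: api://AzureADTokenExchange
  requiresRepublish: {{ .Values.feature.requiresRepublish }}
{{- if .Values.feature.serviceAccountTokenInSecrets }}
  serviceAccountTokenInSecrets: true
{{- end }}
`

// renderCSIDriver executes the template against a values tree shaped like
// Helm's .Values. missingkey=error makes a typo in a value key fail loudly
// instead of silently rendering "<no value>".
func renderCSIDriver(values map[string]any) (string, error) {
	tmpl, err := template.New("csidriver").Option("missingkey=error").Parse(csiDriverTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, map[string]any{"Values": values}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// validateValues is a preflight check mirroring two constraints from the PR
// discussion: the field is only recognised on Kubernetes 1.35+, and the API
// server rejects it when requiresRepublish is false. Catching both here
// turns an apply-time rejection into a render-time error.
func validateValues(values map[string]any, serverMinor int) error {
	feature, _ := values["feature"].(map[string]any)
	inSecrets, _ := feature["serviceAccountTokenInSecrets"].(bool)
	republish, _ := feature["requiresRepublish"].(bool)
	if !inSecrets {
		return nil
	}
	if serverMinor < 35 {
		return fmt.Errorf("serviceAccountTokenInSecrets requires Kubernetes 1.35+, cluster is 1.%d", serverMinor)
	}
	if !republish {
		return errors.New("serviceAccountTokenInSecrets requires requiresRepublish: true")
	}
	return nil
}

func main() {
	// Constructed values: the chart default (flag off) and the 1.35+ opt-in.
	for name, values := range map[string]map[string]any{
		"default":     {"feature": map[string]any{"serviceAccountTokenInSecrets": false, "requiresRepublish": true}},
		"opt-in-1.35": {"feature": map[string]any{"serviceAccountTokenInSecrets": true, "requiresRepublish": true}},
		"misconfig":   {"feature": map[string]any{"serviceAccountTokenInSecrets": true, "requiresRepublish": false}},
	} {
		if err := validateValues(values, 35); err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
			continue
		}
		out, err := renderCSIDriver(values)
		if err != nil {
			fmt.Printf("%s: render error: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: field present=%v\n%s\n", name,
			strings.Contains(out, "serviceAccountTokenInSecrets: true"), out)
	}
}
```

The e2e override mentioned in the commit message maps onto this directly: a CI job that targets a 1.35+ cluster passes `--set feature.serviceAccountTokenInSecrets=true`, while a job that leaves the default gets a manifest without the field and keeps working on older control planes.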
@andyzhangx andyzhangx requested a review from Copilot May 20, 2026 05:33
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 3 comments.

Comment thread pkg/blob/nodeserver.go
Comment thread deploy/csi-blob-driver.yaml
Comment thread Makefile
Chart.yaml used 'v0.0.0' which is not a valid semver for helm package.
Fix to '0.0.0' and regenerate the tgz with the correct filename.

Signed-off-by: Andy Zhang <andyzhangx@live.com>
Signed-off-by: Andy Zhang <andyzhangx@live.com>
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.

Comment thread deploy/csi-blob-driver.yaml
Comment thread Makefile
Comment thread pkg/blob/nodeserver_test.go
Comment thread pkg/blob/nodeserver.go
The deploy/csi-blob-driver.yaml must remain compatible with older
Kubernetes versions that don't recognize this field. Users on 1.35+
can enable it via the Helm chart feature flag instead.

Signed-off-by: Andy Zhang <andyzhangx@live.com>
Member

@andyzhangx andyzhangx left a comment


/lgtm

I have made some changes to disable serviceAccountTokenInSecrets: true (enable in e2e test by default) in CSIDriver by default, so this version could still run on k8s cluster version < 1.35. We need to keep backward compatibility in the upstream version since many users are still running older k8s versions.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 20, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, aramase

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 20, 2026
@k8s-ci-robot k8s-ci-robot merged commit 77bc3fc into kubernetes-sigs:master May 20, 2026
22 checks passed
@aramase aramase deleted the aramase/c/fallback_sa_logic branch May 20, 2026 16:18

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.


7 participants