OSASINFRA-3675: Rework authentication in Manila CSI Driver Operator

assets/overlays/openstack-manila/base/config_secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: csi-manila-secrets
+  namespace: openshift-manila-csi-driver
+stringData:
+  os-cloud: openstack
+  os-cloudsFile: /etc/openstack/clouds.yaml
+  os-useClouds: "true"

assets/overlays/openstack-manila/generated/hypershift/config_secret.yaml

@@ -0,0 +1,15 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/config_secret.yaml
+#
+#
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: csi-manila-secrets
+  namespace: openshift-manila-csi-driver
+stringData:
+  os-cloud: openstack
+  os-cloudsFile: /etc/openstack/clouds.yaml
+  os-useClouds: "true"

assets/overlays/openstack-manila/generated/hypershift/controller.yaml

@@ -146,6 +146,9 @@ spec:
           name: socket-dir
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           name: cacert
+        - mountPath: /etc/openstack
+          name: cloud-credentials
+          readOnly: true
       - args:
         - --nodeid=$(NODE_ID)
         - --endpoint=unix://plugin/csi-nfs.sock
@@ -364,6 +367,12 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-controller-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: clouds.yaml
+            path: clouds.yaml
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem

assets/overlays/openstack-manila/generated/hypershift/manifests.yaml

@@ -5,6 +5,7 @@ controllerStaticAssetNames:
 - controller_sa.yaml
 - service.yaml
 guestStaticAssetNames:
+- config_secret.yaml
 - csidriver.yaml
 - lease_leader_election_binding.yaml
 - lease_leader_election_role.yaml

assets/overlays/openstack-manila/generated/hypershift/node.yaml

@@ -82,6 +82,9 @@ spec:
           readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
+        - mountPath: /etc/openstack
+          name: cloud-credentials
+          readOnly: true
         - mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
           name: plugin-dir
         - mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
@@ -189,6 +192,12 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-node-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: clouds.yaml
+            path: clouds.yaml
+          secretName: manila-cloud-credentials
       - hostPath:
           path: /var/lib/kubelet/plugins/manila.csi.openstack.org
           type: DirectoryOrCreate

assets/overlays/openstack-manila/generated/standalone/config_secret.yaml

@@ -0,0 +1,15 @@
+# Generated file. Do not edit. Update using "make update".
+#
+# Loaded from overlays/openstack-manila/base/config_secret.yaml
+#
+#
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: csi-manila-secrets
+  namespace: openshift-manila-csi-driver
+stringData:
+  os-cloud: openstack
+  os-cloudsFile: /etc/openstack/clouds.yaml
+  os-useClouds: "true"

assets/overlays/openstack-manila/generated/standalone/controller.yaml

@@ -112,6 +112,9 @@ spec:
           name: socket-dir
         - mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
           name: cacert
+        - mountPath: /etc/openstack
+          name: cloud-credentials
+          readOnly: true
       - args:
         - --nodeid=$(NODE_ID)
         - --endpoint=unix://plugin/csi-nfs.sock
@@ -309,6 +312,12 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-controller-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: clouds.yaml
+            path: clouds.yaml
+          secretName: manila-cloud-credentials
       - configMap:
           items:
           - key: ca-bundle.pem

assets/overlays/openstack-manila/generated/standalone/manifests.yaml

@@ -10,6 +10,7 @@ controllerStaticAssetNames:
 - service.yaml
 - servicemonitor.yaml
 guestStaticAssetNames:
+- config_secret.yaml
 - csidriver.yaml
 - lease_leader_election_binding.yaml
 - lease_leader_election_role.yaml

assets/overlays/openstack-manila/generated/standalone/node.yaml

@@ -82,6 +82,9 @@ spec:
           readOnlyRootFilesystem: true
         terminationMessagePolicy: FallbackToLogsOnError
         volumeMounts:
+        - mountPath: /etc/openstack
+          name: cloud-credentials
+          readOnly: true
         - mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
           name: plugin-dir
         - mountPath: /var/lib/kubelet/plugins/csi-nfsplugin
@@ -189,6 +192,12 @@ spec:
       - name: metrics-serving-cert
         secret:
           secretName: manila-csi-driver-node-metrics-serving-cert
+      - name: cloud-credentials
+        secret:
+          items:
+          - key: clouds.yaml
+            path: clouds.yaml
+          secretName: manila-cloud-credentials
       - hostPath:
           path: /var/lib/kubelet/plugins/manila.csi.openstack.org
           type: DirectoryOrCreate

assets/overlays/openstack-manila/patches/controller_add_driver.yaml

@@ -82,6 +82,9 @@ spec:
               mountPath: /plugin
             - name: cacert
               mountPath: /etc/kubernetes/static-pod-resources/configmaps/cloud-config
+            - name: cloud-credentials
+              mountPath: /etc/openstack
+              readOnly: true
           resources:
             requests:
               cpu: 10m
@@ -109,6 +112,12 @@ spec:
               memory: 50Mi
           terminationMessagePolicy: FallbackToLogsOnError
       volumes:
+        - name: cloud-credentials
+          secret:
+            secretName: manila-cloud-credentials
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml
         - name: socket-dir
           emptyDir: {}
         - name: cacert

assets/overlays/openstack-manila/patches/node_add_driver.yaml

@@ -59,6 +59,9 @@ spec:
             - name: MANILA_SHARE_PROTO
               value: NFS
           volumeMounts:
+            - name: cloud-credentials
+              mountPath: /etc/openstack
+              readOnly: true
             - name: plugin-dir
               mountPath: /var/lib/kubelet/plugins/manila.csi.openstack.org
             - name: fwd-plugin-dir
@@ -88,6 +91,12 @@ spec:
               memory: 50Mi
           terminationMessagePolicy: FallbackToLogsOnError
       volumes:
+        - name: cloud-credentials
+          secret:
+            secretName: manila-cloud-credentials
+            items:
+              - key: clouds.yaml
+                path: clouds.yaml
         - name: registration-dir
           hostPath:
             path: /var/lib/kubelet/plugins_registry/

pkg/driver/openstack-manila/openstack_manila.go

@@ -16,7 +16,6 @@ import (
 	"github.com/openshift/csi-operator/pkg/driver/common/operator"
 	"github.com/openshift/csi-operator/pkg/generator"
 	"github.com/openshift/csi-operator/pkg/openstack-manila/client"
-	"github.com/openshift/csi-operator/pkg/openstack-manila/secret"
 	"github.com/openshift/csi-operator/pkg/openstack-manila/util"
 	"github.com/openshift/csi-operator/pkg/operator/config"
 	"github.com/openshift/library-go/pkg/controller/factory"
@@ -98,6 +97,7 @@ func GetOpenStackManilaGeneratorConfig() *generator.CSIDriverGeneratorConfig {
 				"overlays/openstack-manila/base/csidriver.yaml",
 				"overlays/openstack-manila/base/volumesnapshotclass.yaml",
 				"overlays/openstack-manila/base/node_nfs.yaml",
+				"overlays/openstack-manila/base/config_secret.yaml",
 			),
 			AssetPatches: commongenerator.DefaultGuestAssetPatches,
 		},
@@ -187,11 +187,7 @@ func GetOpenStackManilaOperatorControllerConfig(ctx context.Context, flavour gen
 	}
 
 	cfg.PreconditionInformers = []factory.Informer{c.GetCSIDriverInformer().Informer(), c.GetStorageClassInformer().Informer()}
-	secretSyncer, err := createSecretSyncer(c)
-	if err != nil {
-		return nil, err
-	}
-	cfg.ExtraControlPlaneControllers = append(cfg.ExtraControlPlaneControllers, configMapSyncer, secretSyncer, nfsCSIDriverController)
+	cfg.ExtraControlPlaneControllers = append(cfg.ExtraControlPlaneControllers, configMapSyncer, nfsCSIDriverController)
 
 	cfg.ExtraReplacementsFunc = func() []string {
 		pairs := []string{}
@@ -324,19 +320,6 @@ func withCABundleDaemonSetHook(c *clients.Clients) (csidrivernodeservicecontroll
 	return hook, informers
 }
 
-func createSecretSyncer(c *clients.Clients) (factory.Controller, error) {
-	secretSyncController := secret.NewSecretSyncController(
-		c.OperatorClient,
-		c.KubeClient,
-		c.ControlPlaneKubeInformers,
-		c.ControlPlaneNamespace,
-		c.GuestNamespace,
-		resyncInterval,
-		c.EventRecorder)
-
-	return secretSyncController, nil
-}
-
 func createConfigMapSyncer(c *clients.Clients) (factory.Controller, error) {
 	// sync config map with OpenStack CA certificate to the operand namespace,
 	// so the driver can get it as a ConfigMap volume.