Merge pull request #61096 from mlmhl/csi_secret

Automatic merge from submit-queue (batch tested with PRs 61096, 61955, 61542, 60597). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Return error if get NodeStageSecret and NodePublishSecret failed

**What this PR does / why we need it**:

Currently, if got NodeStageSecret  or NodePublishSecret failed, we just log the error and assume that there is no credential. I think we should report the error as if user specified these secret, they expect to apply some credentials.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #61052

**Release note**:

```release-note
NONE
```

/sig storage

pkg/volume/csi/csi_attacher.go

@@ -318,6 +318,15 @@ func (c *csiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMo
 	}
 	publishVolumeInfo := attachment.Status.AttachmentMetadata
 
+	nodeStageSecrets := map[string]string{}
+	if csiSource.NodeStageSecretRef != nil {
+		nodeStageSecrets, err = getCredentialsFromSecret(c.k8s, csiSource.NodeStageSecretRef)
+		if err != nil {
+			return fmt.Errorf("fetching NodeStageSecretRef %s/%s failed: %v",
+				csiSource.NodeStageSecretRef.Namespace, csiSource.NodeStageSecretRef.Name, err)
+		}
+	}
+
 	// create target_dir before call to NodeStageVolume
 	if err := os.MkdirAll(deviceMountPath, 0750); err != nil {
 		glog.Error(log("attacher.MountDevice failed to create dir %#v:  %v", deviceMountPath, err))
@@ -336,11 +345,6 @@ func (c *csiAttacher) MountDevice(spec *volume.Spec, devicePath string, deviceMo
 		fsType = defaultFSType
 	}
 
-	nodeStageSecrets := map[string]string{}
-	if csiSource.NodeStageSecretRef != nil {
-		nodeStageSecrets = getCredentialsFromSecret(c.k8s, csiSource.NodeStageSecretRef)
-	}
-
 	err = csi.NodeStageVolume(ctx,
 		csiSource.VolumeHandle,
 		publishVolumeInfo,

pkg/volume/csi/csi_mounter.go

@@ -154,6 +154,15 @@ func (c *csiMountMgr) SetUpAt(dir string, fsGroup *int64) error {
 
 	attribs := csiSource.VolumeAttributes
 
+	nodePublishSecrets := map[string]string{}
+	if csiSource.NodePublishSecretRef != nil {
+		nodePublishSecrets, err = getCredentialsFromSecret(c.k8s, csiSource.NodePublishSecretRef)
+		if err != nil {
+			return fmt.Errorf("fetching NodePublishSecretRef %s/%s failed: %v",
+				csiSource.NodePublishSecretRef.Namespace, csiSource.NodePublishSecretRef.Name, err)
+		}
+	}
+
 	// create target_dir before call to NodePublish
 	if err := os.MkdirAll(dir, 0750); err != nil {
 		glog.Error(log("mouter.SetUpAt failed to create dir %#v:  %v", dir, err))
@@ -189,10 +198,6 @@ func (c *csiMountMgr) SetUpAt(dir string, fsGroup *int64) error {
 	if len(fsType) == 0 {
 		fsType = defaultFSType
 	}
-	nodePublishSecrets := map[string]string{}
-	if csiSource.NodePublishSecretRef != nil {
-		nodePublishSecrets = getCredentialsFromSecret(c.k8s, csiSource.NodePublishSecretRef)
-	}
 	err = csi.NodePublishVolume(
 		ctx,
 		c.volumeID,

pkg/volume/csi/csi_util.go

@@ -23,16 +23,16 @@ import (
 	"k8s.io/client-go/kubernetes"
 )
 
-func getCredentialsFromSecret(k8s kubernetes.Interface, secretRef *api.SecretReference) map[string]string {
+func getCredentialsFromSecret(k8s kubernetes.Interface, secretRef *api.SecretReference) (map[string]string, error) {
 	credentials := map[string]string{}
 	secret, err := k8s.CoreV1().Secrets(secretRef.Namespace).Get(secretRef.Name, meta.GetOptions{})
 	if err != nil {
-		glog.Warningf("failed to find the secret %s in the namespace %s with error: %v\n", secretRef.Name, secretRef.Namespace, err)
-		return credentials
+		glog.Errorf("failed to find the secret %s in the namespace %s with error: %v\n", secretRef.Name, secretRef.Namespace, err)
+		return credentials, err
 	}
 	for key, value := range secret.Data {
 		credentials[key] = string(value)
 	}
 
-	return credentials
+	return credentials, nil
 }