[cinder-csi-plugin] Support accepting OpenStack credentials passed via CSI requests #2963

@musaprg

/kind feature

What happened:

The original idea came up in #2532 (comment).

Manila CSI plugin accepts OpenStack credentials passed via CSI requests. The credentials are stored in a Kubernetes Secret resource, and its name is specified with parameters in StorageClass resources, such as csi.storage.k8s.io/provisioner-secret-namespace. https://kubernetes-csi.github.io/docs/secrets-and-credentials-storage-class.html#storageclass-secrets

On the other hand, Cinder CSI plugin only supports accepting OpenStack credentials via cloud.conf file mounted to the container. The discrepancy makes it hard to share a single credential across two CSI plugins (Cinder and Manila).

What you expected to happen:

This PR proposes that the Cinder CSI plugin support accepting OpenStack credentials passed via CSI requests, which is the same configuration mechanism as the Manila CSI plugin.

Let's assume we have the following secret containing OpenStack credentials. This format is already supported on Manila CSI plugin.

apiVersion: v1
kind: Secret
metadata:
  name: csi-os-secrets
  namespace: default
stringData:
  os-authURL: "some-auth-url"
  os-region: "some-region"
  os-userName: "some-username"
  os-password: "some-password"
  os-projectName: "some-project-name"
  os-domainID: "some-domain-id"

I'd like to use this secret not only for the Manila CSI plugin but also for the Cinder CSI plugin to reduce the maintenance cost of multiple secrets. For example, the following StorageClass can be used even without mounting the cloud.conf file directly into the CSI plugin pods.

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: csi-sc-cinderplugin
provisioner: cinder.csi.openstack.org
parameters:
  csi.storage.k8s.io/provisioner-secret-name: csi-os-secrets
  csi.storage.k8s.io/provisioner-secret-namespace: default
  csi.storage.k8s.io/controller-expand-secret-name: csi-os-secrets
  csi.storage.k8s.io/controller-expand-secret-namespace: default
  csi.storage.k8s.io/node-stage-secret-name: csi-os-secrets
  csi.storage.k8s.io/node-stage-secret-namespace: default
  csi.storage.k8s.io/node-publish-secret-name: csi-os-secrets
  csi.storage.k8s.io/node-publish-secret-namespace: default

Anything else we need to know?:

There's another option where we add support for the cloud.conf format to the Manila CSI plugin, because the file format is used by other plugins hosted in cloud-provider-openstack. This should be discussed under a different issue, #2532.

Environment:

  • openstack-cloud-controller-manager (or other related binary) version: 1.33.1
  • OpenStack version: all
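
An added example, not code from cloud-provider-openstack or from the issue author: one way a driver could read the secrets map of a CSI request using the key names from the Secret above, naming missing keys in the error and keeping the password out of log output. The type and function names are hypothetical, and treating all six keys as required is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// osCredentials is a hypothetical type holding the keys of the example Secret.
type osCredentials struct {
	AuthURL, Region, UserName, Password, ProjectName, DomainID string
}

// String and GoString redact the password so %v, %+v and %#v are safe to log.
func (c osCredentials) String() string {
	return fmt.Sprintf("authURL=%s region=%s userName=%s projectName=%s domainID=%s password=<redacted>", c.AuthURL, c.Region, c.UserName, c.ProjectName, c.DomainID)
}
func (c osCredentials) GoString() string { return c.String() }

// credentialsFromSecrets reads a CSI request's secrets map (assumption: all six keys required, others ignored).
func credentialsFromSecrets(secrets map[string]string) (osCredentials, error) {
	var c osCredentials
	fields := map[string]*string{
		"os-authURL": &c.AuthURL, "os-region": &c.Region,
		"os-userName": &c.UserName, "os-password": &c.Password,
		"os-projectName": &c.ProjectName, "os-domainID": &c.DomainID,
	}
	var missing []string
	for key, dst := range fields {
		if strings.TrimSpace(secrets[key]) == "" {
			missing = append(missing, key)
		}
		*dst = secrets[key]
	}
	sort.Strings(missing) // map iteration order is random; keep the error stable
	if len(missing) > 0 { // name the missing keys only, never echo secret values
		return osCredentials{}, fmt.Errorf("secret is missing required keys: %v", missing)
	}
	return c, nil
}

func main() {
	// Constructed input mirroring the placeholder values of the Secret in the issue.
	c, err := credentialsFromSecrets(map[string]string{
		"os-authURL": "some-auth-url", "os-region": "some-region",
		"os-userName": "some-username", "os-password": "some-password",
		"os-projectName": "some-project-name", "os-domainID": "some-domain-id",
	})
	fmt.Println(c, err)
}
```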
