[cinder-csi-plugin] Cannot rotate secret dynamically

kubernetes / cloud-provider-openstack

Apache License 2.0

623 stars 611 forks source link

[cinder-csi-plugin] Cannot rotate secret dynamically #2629

Open emreberber opened 4 months ago

emreberber commented 4 months ago

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

/kind feature

What happened:

When I delete or rotate the Openstack application credential, I updated the cinder-csi-cloud-config secret but it does not receive the new credentials.

What you expected to happen:

I was expecting it to continue dynamically with new credentials without restarting any pods

How to reproduce it:

I installed the Cinder CSI Plugin, then deleted the applicaiton credential, then created a new credential and updated the secret

Anything else we need to know?:

Environment:

cinder-csi-plugin version: 2.30.0
OpenStack version: 6.6.0
Others:

jichenjc commented 4 months ago

not sure I fully understand this .. you had a application ID in CSI then it expired and you replace the new application ID but it doesn't work?

emreberber commented 4 months ago

Yes, that's right

jichenjc commented 4 months ago

did you try kill the pod then reload it o ensure at least in this way it works? I think it's in cloud-config which should reload when pod restart?

emreberber commented 4 months ago

It will be fixed after pod restart, but can't it dynamically get the current secret without doing that?

jichenjc commented 4 months ago

that will need recreate the openstack client which I think it's not currently supported, folks can comment if my understanding is correct

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 5 days ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle rotten
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten