S3CSI-5: Add secret auth for volume creds

This commit implements Kubernetes Secret-based authentication for
S3 credentials. Key features include:

- Support for "secret" authentication source using nodePublishSecretRef
- Proper validation of AWS credential formats using regex patterns
- Secure handling with key_id and access_key expected in the Secret
- Improved logging that redacts sensitive credentials
- Example YAML and documentation for credential-based authentication

The implementation follows AWS credential format standards while
allowing flexibility for test credentials with different lengths.

Author: anurag4DSB

pkg/driver/node/credentialprovider/provider.go

@@ -33,7 +33,8 @@ const (
 	// We're defaulting to `driver` in this case.
 	AuthenticationSourceUnspecified AuthenticationSource = ""
 	AuthenticationSourceDriver      AuthenticationSource = "driver"
-	AuthenticationSourcePod         AuthenticationSource = "pod"
+	AuthenticationSourcePod         AuthenticationSource = "pod" // TODO(S3C-9762): Remove other sources of credentials
+	AuthenticationSourceSecret      AuthenticationSource = "secret"
 )
 
 // A Provider provides methods for accessing AWS credentials.
@@ -70,6 +71,8 @@ type ProvideContext struct {
 	StsRegion string
 	// BucketRegion is the `--region` parameter passed via mount options.
 	BucketRegion string
+	// SecretData is a map of key-value pairs from the Kubernetes Secret referenced by nodePublishSecretRef.
+	SecretData map[string]string
 }
 
 // SetWriteAndEnvPath sets `WritePath` and `EnvPath` for `ctx`.
@@ -99,11 +102,14 @@ func (c *Provider) Provide(ctx context.Context, provideCtx ProvideContext) (envp
 	case AuthenticationSourcePod:
 		env, err := c.provideFromPod(ctx, provideCtx)
 		return env, AuthenticationSourcePod, err
+	case AuthenticationSourceSecret:
+		env, err := c.provideFromSecret(ctx, provideCtx)
+		return env, AuthenticationSourceSecret, err
 	case AuthenticationSourceUnspecified, AuthenticationSourceDriver:
 		env, err := c.provideFromDriver(provideCtx)
 		return env, AuthenticationSourceDriver, err
 	default:
-		return nil, AuthenticationSourceUnspecified, fmt.Errorf("unknown `authenticationSource`: %s, only `driver` (default option if not specified) and `pod` supported", authenticationSource)
+		return nil, AuthenticationSourceUnspecified, fmt.Errorf("unknown `authenticationSource`: %s, only `driver` (default option if not specified), `pod`, and `secret` supported", authenticationSource)
 	}
 }
 

pkg/driver/node/credentialprovider/provider_secret.go

@@ -0,0 +1,95 @@
+package credentialprovider
+
+import (
+	"context"
+	"regexp"
+	"strconv"
+	"strings"
+	"unicode/utf8"
+
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/envprovider"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"k8s.io/klog/v2"
+)
+
+const (
+	// Keys expected in the Secret map from NodePublishVolumeRequest.
+	keyID           = "key_id"
+	secretAccessKey = "access_key"
+
+	// Upper limits (not exact) — suits Vault & test creds.
+	maxAccessKeyIDLen     = 16
+	maxSecretAccessKeyLen = 40
+)
+
+/*
+Validation rules (loosened for cloudserver test credentials):
+
+	key_id     – 1 … 16 chars, uppercase A–Z or 0–9
+	access_key – 1 … 40 chars, [A-Za-z0-9 / + =]
+
+The patterns are supersets of AWS IAM and permit shorter dummy keys.
+*/
+var (
+	accessKeyIDRe     = regexp.MustCompile(`^[A-Z0-9]{1,` + strconv.Itoa(maxAccessKeyIDLen) + `}$`)
+	secretAccessKeyRe = regexp.MustCompile(`^[A-Za-z0-9/+=]{1,` + strconv.Itoa(maxSecretAccessKeyLen) + `}$`)
+)
+
+// provideFromSecret validates credentials from a Kubernetes Secret.
+func (c *Provider) provideFromSecret(_ context.Context, provideCtx ProvideContext) (envprovider.Environment, error) {
+	env := envprovider.Environment{}
+
+	valid := map[string]struct{}{keyID: {}, secretAccessKey: {}}
+	for k := range provideCtx.SecretData {
+		if _, ok := valid[k]; !ok {
+			klog.Warningf("credentialprovider: Secret contains unexpected key %q (ignored). Only %q and %q are supported.",
+				k, keyID, secretAccessKey)
+		}
+	}
+
+	id, okID := provideCtx.SecretData[keyID]
+	sec, okSec := provideCtx.SecretData[secretAccessKey]
+
+	if okID {
+		id = strings.TrimSpace(id)
+		if !accessKeyIDRe.MatchString(id) {
+			klog.Warningf("credentialprovider: key_id %q is not uppercase alphanumeric or exceeds %d chars",
+				id, maxAccessKeyIDLen)
+			okID = false
+		}
+	}
+
+	if okSec {
+		sec = strings.TrimSpace(sec)
+		if !secretAccessKeyRe.MatchString(sec) || !utf8.ValidString(sec) {
+			klog.Warningf("credentialprovider: access_key is invalid or exceeds %d chars",
+				maxSecretAccessKeyLen)
+			okSec = false
+		}
+	}
+
+	if okID && okSec {
+		env.Set(envprovider.EnvAccessKeyID, id)
+		env.Set(envprovider.EnvSecretAccessKey, sec)
+
+		// FULL key_id logged (no masking) for audit purposes.
+		klog.V(3).Infof("credentialprovider: volume %s authenticated with key_id %s",
+			provideCtx.VolumeID, id)
+
+		return env, nil
+	}
+
+	var missing []string
+	if !okID {
+		missing = append(missing, keyID)
+	}
+	if !okSec {
+		missing = append(missing, secretAccessKey)
+	}
+	return nil, status.Errorf(
+		codes.InvalidArgument,
+		"credentialprovider: missing or invalid keys in Kubernetes Secret: %s",
+		strings.Join(missing, ", "),
+	)
+}

pkg/driver/node/node.go

@@ -268,6 +268,7 @@ func credentialProvideContextFromPublishRequest(req *csi.NodePublishVolumeReques
 		ServiceAccountName:   volumeCtx[volumecontext.CSIServiceAccountName],
 		StsRegion:            volumeCtx[volumecontext.STSRegion],
 		BucketRegion:         bucketRegion,
+		SecretData:           req.GetSecrets(),
 	}
 }
 
@@ -294,6 +295,17 @@ func logSafeNodePublishVolumeRequest(req *csi.NodePublishVolumeRequest) *csi.Nod
 	safeVolumeContext := maps.Clone(req.VolumeContext)
 	delete(safeVolumeContext, volumecontext.CSIServiceAccountTokens)
 
+	// Create a copy of credential with sensitive values redacted
+	redactedCredential := make(map[string]string)
+	for k, v := range req.Secrets {
+		if k == "access_key" {
+			// Redact the secret access key
+			redactedCredential[k] = "[REDACTED]"
+		} else {
+			redactedCredential[k] = v
+		}
+	}
+
 	return &csi.NodePublishVolumeRequest{
 		VolumeId:          req.VolumeId,
 		PublishContext:    req.PublishContext,
@@ -302,5 +314,6 @@ func logSafeNodePublishVolumeRequest(req *csi.NodePublishVolumeRequest) *csi.Nod
 		VolumeCapability:  req.VolumeCapability,
 		Readonly:          req.Readonly,
 		VolumeContext:     safeVolumeContext,
+		Secrets:           redactedCredential,
 	}
 }