S3CSI-5: Add sample YAML and docs for volume creds

Author: anurag4DSB

examples/kubernetes/static_provisioning/README.md

@@ -10,6 +10,7 @@ This example shows how to make a static provisioned Mountpoint for S3 persistent
 - `caching.yaml` - shows how to configure mountpoint to use a cache directory. See the [Mountpoint documentation](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#caching-configuration) for more details on caching options. Please thumbs up [#11](https://github.com/awslabs/mountpoint-s3-csi-driver/issues/141) or add details about your use case if you want improvements in this area.
 - `kms_sse.yaml` - demonstrates using SSE-KMS encryption with a customer supplied key id. See the [Mountpoint documentation](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#data-encryption) for more details.
 - `aws_max_attempts.yaml` - configure the number of retries for requests to S3. This option is passed to Mountpoint as the `AWS_MAX_ATTEMPTS` environment variable. See the [Mountpoint configuration documentation](https://github.com/awslabs/mountpoint-s3/blob/main/doc/CONFIGURATION.md#other-s3-bucket-configuration) for more details.
+- `secret_authentication.yaml` - demonstrates using a Kubernetes Secret to provide access credentials (access key and secret key) at Volume level for authenticating with S3. This is particularly useful when the user wants to set their own credentials which are different than the driver level credentials.
 
 ## AWS Endpoint URL Configuration
 For security and consistency reasons, if `--endpoint-url` is specified in the `mountOptions` of a PersistentVolume, it will be **ignored** by the driver. This is enforced in both systemd and pod mounters to prevent potential security risks like endpoint redirection attacks.

examples/kubernetes/static_provisioning/secret_authentication.yaml

@@ -0,0 +1,89 @@
+# Secret Authentication Example
+# This example demonstrates using a Kubernetes Secret to provide S3 credentials for the Mountpoint S3 CSI Driver.
+# This authentication method is particularly useful for:
+# 1. The user wants to set their own credentials which are different than the driver level credentials
+# 2. Using different credentials for different persistent volumes
+
+# First, create a Secret containing the S3 credentials
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-credentials
+  namespace: default
+type: Opaque
+data:
+  # Using base64 encoded values. Example:
+  # echo -n "ACCESS_KEY_ID" | base64
+  key_id: QUtJQVhYWFhYWFhYWFhYWFhY 
+  # echo -n "SECRET_ACCESS_KEY" | base64
+  access_key: U0VDUkVUWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWA==
+  
+  # You can also create the secret using kubectl:
+  # kubectl create secret generic s3-credentials \
+  #     --from-literal=key_id="ACCESS_KEY_ID" \
+  #     --from-literal=access_key="SECRET_ACCESS_KEY"
+  
+  # SECURITY CONSIDERATIONS:
+  # - Kubernetes Secrets are stored unencrypted in etcd by default
+  # - Consider enabling encryption at rest: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
+  # - Limit access to the Secret using appropriate RBAC rules
+  # - Consider using Secret rotation for production deployments
+---
+# Next, create a PersistentVolume that references the Secret
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: s3-pv
+spec:
+  capacity:
+    storage: 1000Gi # ignored, required
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: "" # Required for static provisioning
+  mountOptions:
+    - allow-delete
+    - force-path-style
+  csi:
+    driver: s3.csi.aws.com
+    volumeHandle: s3-csi-driver-volume
+    volumeAttributes:
+      bucketName: my-bucket
+      authenticationSource: secret # Set auth source to use the Secret
+    nodePublishSecretRef:
+      name: s3-credentials # Reference to the Secret containing credentials
+      namespace: default
+---
+# Create a PersistentVolumeClaim that references the PV
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: s3-pvc
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: ""
+  resources:
+    requests:
+      storage: 1000Gi # Ignored, required
+  volumeName: s3-pv
+---
+# Finally, create a Pod that uses the volume
+apiVersion: v1
+kind: Pod
+metadata:
+  name: s3-app
+  namespace: default
+spec:
+  containers:
+  - name: app
+    image: busybox
+    command: ["tail", "-f", "/dev/null"]
+    volumeMounts:
+    - name: s3-storage
+      mountPath: /data
+  volumes:
+  - name: s3-storage
+    persistentVolumeClaim:
+      claimName: s3-pvc