From a551967ef0c9657141f6aec5f57ba584262e09e3 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Wed, 8 Apr 2026 21:28:36 +0530 Subject: [PATCH 01/12] Restrict PVC and secret creation in same namespace during provisioning --- pkg/driver/controllerserver.go | 5 +++++ pkg/driver/controllerserver_test.go | 32 +++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index a2ee8de8..0f371c35 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go @@ -126,6 +126,11 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum secretNamespace = constants.DefaultNamespace } + // Validate that PVC and secret are not in the same namespace + if pvcNamespace == secretNamespace { + return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("PVC and secret cannot be in the same namespace. PVC namespace: %s, Secret namespace: %s", pvcNamespace, secretNamespace)) + } + secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace) if err != nil { return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Secret resource not found %v", err)) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index b91826da..a3e3672e 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go 
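Review bot: The added check rejects a PVC that lives in constants.DefaultNamespace and omits the secret-namespace annotation, because the fallback visible two context lines above sets secretNamespace to that same default; the InvalidArgument message then blames the caller for a namespace the driver itself chose. Later patches in this series (03 onwards) drop this check and always read the secret from the PVC namespace, which removes the problem, so this hunk is effectively superseded. CreateVolume's body continues outside the hunk.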
@@ -440,6 +440,38 @@ func TestCreateVolume(t *testing.T) { expectedResp: nil, expectedErr: errors.New("Secret resource not found"), }, + { + testCaseName: "Negative: PVC and Secret in same namespace", + req: &csi.CreateVolumeRequest{ + Name: testVolumeName, + VolumeCapabilities: []*csi.VolumeCapability{ + { + AccessMode: &csi.VolumeCapability_AccessMode{ + Mode: volumeCapabilities[0], + }, + }, + }, + Parameters: map[string]string{ + constants.PVCNameKey: testPVCName, + constants.PVCNamespaceKey: testPVCNs, + }, + }, + cosSession: &s3client.FakeCOSSessionFactory{}, + driverStatsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ + GetPVCFn: func(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) { + return &v1.PersistentVolumeClaim{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: map[string]string{ + constants.SecretNameKey: testSecretName, + constants.SecretNamespaceKey: testPVCNs, // Same namespace as PVC + }, + }, + }, nil + }, + }), + expectedResp: nil, + expectedErr: errors.New("PVC and secret cannot be in the same namespace"), + }, { testCaseName: "Negative: Invalid bucket versioning name in secret", req: &csi.CreateVolumeRequest{ From a902f01e22383abc0871dc745f5a68e1c3364027 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Wed, 8 Apr 2026 22:25:09 +0530 Subject: [PATCH 02/12] minor changes --- pkg/driver/controllerserver.go | 1 - pkg/driver/controllerserver_test.go | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index 0f371c35..4d2c4452 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go 
@@ -126,7 +126,6 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum secretNamespace = constants.DefaultNamespace } - // Validate that PVC and secret are not in the same namespace if pvcNamespace == secretNamespace { return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("PVC and secret cannot be in the same namespace. PVC namespace: %s, Secret namespace: %s", pvcNamespace, secretNamespace)) } diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index a3e3672e..98294d6d 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -740,6 +740,8 @@ func TestCreateVolume(t *testing.T) { "mounter": "s3fs", constants.QuotaLimitKey: "true", constants.ResourceConfigApiKey: "fake-res-conf-key", + "pvcNamespace": "test-namespace", + "secretNamespace": "different-namespace", }, }, cosSession: &s3client.FakeCOSSessionFactory{}, From 16c9ef07691258064a1dde041d803285d3efe2e5 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Thu, 9 Apr 2026 13:03:52 +0530 Subject: [PATCH 03/12] minor changes --- pkg/driver/controllerserver.go | 11 ++--------- pkg/driver/controllerserver_test.go | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 18 deletions(-) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index 4d2c4452..34cc1717 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go 
@@ -115,20 +115,13 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum pvcAnnotations := pvcRes.Annotations customSecretName = pvcAnnotations[constants.SecretNameKey] - secretNamespace := pvcAnnotations[constants.SecretNamespaceKey] if customSecretName == "" { return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("secretName annotation 'cos.csi.driver/secret' not specified in the PVC annotations, could not fetch the secret %v", err)) } - if secretNamespace == "" { - klog.Info("secretNamespace annotation 'cos.csi.driver/secret-namespace' not specified in PVC annotations:\t", pvcRes.Annotations, "\t trying to fetch the secret in default namespace") - secretNamespace = constants.DefaultNamespace - } - - if pvcNamespace == secretNamespace { - return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("PVC and secret cannot be in the same namespace. PVC namespace: %s, Secret namespace: %s", pvcNamespace, secretNamespace)) - } + secretNamespace := pvcNamespace + klog.Infof("Using secret '%s' from PVC namespace '%s'", customSecretName, secretNamespace) secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace) if err != nil { diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index 98294d6d..052f741c 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -164,8 +164,7 @@ func TestCreateVolume(t *testing.T) { return &v1.PersistentVolumeClaim{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - constants.SecretNameKey: testSecretName, - constants.SecretNamespaceKey: testSecretNs, + constants.SecretNameKey: testSecretName, }, }, }, nil 
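Review bot: The new `secretNamespace := pvcNamespace` makes the PVC's own namespace the only place the secret is looked up, which closes the cross-namespace reference a PVC author could previously steer through the `cos.csi.driver/secret-namespace` annotation; but that annotation is now read nowhere, so a PVC still carrying it with a different namespace fails only later with a generic not-found error. Consider surfacing that explicitly, e.g. `if ns := pvcAnnotations[constants.SecretNamespaceKey]; ns != "" && ns != pvcNamespace { klog.Warningf("ignoring annotation %s=%q: secret is read from the PVC namespace %q", constants.SecretNamespaceKey, ns, pvcNamespace) }`. The added klog.Infof should use `%q` instead of hand-quoting `'%s'`. If DeleteVolume derives its secret namespace from somewhere other than the PVC namespace (its GetSecret call appears in later patches but not here), it presumably needs the same restriction. CreateVolume's body continues outside the hunk.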
@@ -441,7 +440,7 @@ func TestCreateVolume(t *testing.T) { expectedErr: errors.New("Secret resource not found"), }, { - testCaseName: "Negative: PVC and Secret in same namespace", + testCaseName: "Negative: Secret not found in PVC namespace", req: &csi.CreateVolumeRequest{ Name: testVolumeName, VolumeCapabilities: []*csi.VolumeCapability{ @@ -462,15 +461,17 @@ func TestCreateVolume(t *testing.T) { return &v1.PersistentVolumeClaim{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - constants.SecretNameKey: testSecretName, - constants.SecretNamespaceKey: testPVCNs, // Same namespace as PVC + constants.SecretNameKey: testSecretName, }, }, }, nil }, + GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { + return nil, errors.New("secret not found") + }, }), expectedResp: nil, - expectedErr: errors.New("PVC and secret cannot be in the same namespace"), + expectedErr: errors.New("Secret resource not found"), }, { testCaseName: "Negative: Invalid bucket versioning name in secret", @@ -521,8 +522,7 @@ func TestCreateVolume(t *testing.T) { return &v1.PersistentVolumeClaim{ ObjectMeta: metav1.ObjectMeta{ Annotations: map[string]string{ - constants.SecretNameKey: testSecretName, - constants.SecretNamespaceKey: testSecretNs, + constants.SecretNameKey: testSecretName, }, }, }, nil @@ -741,7 +741,7 @@ func TestCreateVolume(t *testing.T) { constants.QuotaLimitKey: "true", constants.ResourceConfigApiKey: "fake-res-conf-key", "pvcNamespace": "test-namespace", - "secretNamespace": "different-namespace", + "secretNamespace": "test-namespace", }, }, cosSession: &s3client.FakeCOSSessionFactory{}, @@ -751,6 +751,7 @@ func TestCreateVolume(t *testing.T) { VolumeId: testVolumeName, CapacityBytes: 1073741824, VolumeContext: map[string]string{ + "bucketName": "", "userProvidedBucket": "false", "locationConstraint": "test-region", "cosEndpoint": "test-endpoint", From 295f1762a89ee717145fa6cde4deb3aecf0d19b2 Mon Sep 17 00:00:00 2001 
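Review bot: In the hunk at -462 the added GetSecretFn discards its secretNamespace argument and returns an error unconditionally, so the case renamed "Negative: Secret not found in PVC namespace" passes even if CreateVolume looks the secret up in some other namespace. Make the fake check the argument, e.g. `if secretNamespace != testPVCNs { t.Errorf("GetSecret called with namespace %q, want %q", secretNamespace, testPVCNs) }` before returning the error (t should be in scope if the table is built inside TestCreateVolume, as the hunk header suggests); the positive case touched at -741 would benefit from the same assertion. TestCreateVolume's body continues outside the hunk.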
From: Prachi Shivanand Anure Date: Thu, 9 Apr 2026 19:10:52 +0530 Subject: [PATCH 04/12] Restrict PVC and secret creation in same namespace during provisioning --- pkg/driver/controllerserver.go | 2 +- pkg/driver/controllerserver_test.go | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index 34cc1717..f0fcca9e 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go @@ -125,7 +125,7 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Secret resource not found %v", err)) + return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) } secretMapCustom := parseCustomSecret(secret) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index 052f741c..2866a1a1 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -740,8 +740,6 @@ func TestCreateVolume(t *testing.T) { "mounter": "s3fs", constants.QuotaLimitKey: "true", constants.ResourceConfigApiKey: "fake-res-conf-key", - "pvcNamespace": "test-namespace", - "secretNamespace": "test-namespace", }, }, cosSession: &s3client.FakeCOSSessionFactory{}, From 3d5f82b9ccd3a16b8734c4597fbbdac6784f01ce Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Fri, 10 Apr 2026 11:05:04 +0530 Subject: [PATCH 05/12] fixed review comments --- pkg/driver/controllerserver_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index 2866a1a1..b4adc1c5 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go 
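Review bot: The changed line still maps every GetSecret failure to codes.InvalidArgument, although the error now covers API-server timeouts and RBAC denials as well as a genuinely missing secret, and only the latter is a caller error under the CSI spec. Once GetSecret returns the raw client-go error (patch 11 in this series), the controller can tell them apart, e.g. `if apierrors.IsNotFound(err) { return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) }` and `return nil, status.Error(codes.Internal, ...)` otherwise (`apierrors` being k8s.io/apimachinery/pkg/api/errors, if not already imported), which presumably lets the provisioner treat transient failures as retryable. The same line recurs in DeleteVolume in patches 08, 09 and 11. CreateVolume's body continues outside the hunk.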
@@ -751,9 +751,6 @@ func TestCreateVolume(t *testing.T) { VolumeContext: map[string]string{ "bucketName": "", "userProvidedBucket": "false", - "locationConstraint": "test-region", - "cosEndpoint": "test-endpoint", - "mounter": "s3fs", }, }, }, @@ -788,6 +785,9 @@ func TestCreateVolume(t *testing.T) { actualResp.Volume.VolumeContext != nil { if bucketNameVal, ok := actualResp.Volume.VolumeContext["bucketName"]; ok { if strings.Contains(bucketNameVal, actualResp.Volume.VolumeId) { + if tc.expectedResp.Volume.VolumeContext == nil { + tc.expectedResp.Volume.VolumeContext = make(map[string]string) + } tc.expectedResp.Volume.VolumeContext["bucketName"] = bucketNameVal } } From 2523c2a36069bf31af9954f194b6b49d92fb9745 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Fri, 10 Apr 2026 11:25:00 +0530 Subject: [PATCH 06/12] minor changes --- pkg/driver/controllerserver_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index b4adc1c5..e2529594 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -751,6 +751,9 @@ func TestCreateVolume(t *testing.T) { VolumeContext: map[string]string{ "bucketName": "", "userProvidedBucket": "false", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-region", + "mounter": "s3fs", }, }, }, From db9495a92c8abd22834704b92acb64ac8f649633 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Fri, 10 Apr 2026 13:33:18 +0530 Subject: [PATCH 07/12] minor changes --- pkg/driver/controllerserver_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index e2529594..45c2ce8a 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go 
@@ -437,7 +437,7 @@ func TestCreateVolume(t *testing.T) { }, }), expectedResp: nil, - expectedErr: errors.New("Secret resource not found"), + expectedErr: errors.New("error getting Secret"), }, { testCaseName: "Negative: Secret not found in PVC namespace", @@ -471,7 +471,7 @@ func TestCreateVolume(t *testing.T) { }, }), expectedResp: nil, - expectedErr: errors.New("Secret resource not found"), + expectedErr: errors.New("error getting Secret"), }, { testCaseName: "Negative: Invalid bucket versioning name in secret", @@ -938,7 +938,7 @@ func TestDeleteVolume(t *testing.T) { }, }), expectedResp: nil, - expectedErr: errors.New("Secret resource not found"), + expectedErr: errors.New("error getting Secret"), }, { testCaseName: "Negative: Access Key not provided", From dd473eb1e13c980a2b5c6a2770b1e7ea565c42f9 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Fri, 10 Apr 2026 14:05:45 +0530 Subject: [PATCH 08/12] Fix review comments: simplify error messages in CreateVolume and DeleteVolume --- pkg/driver/controllerserver.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index f0fcca9e..9483d353 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go @@ -379,7 +379,7 @@ func (cs *controllerServer) DeleteVolume(_ context.Context, req *csi.DeleteVolum secret, err := cs.Stats.GetSecret(secretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Secret resource not found %v", err)) + return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) } secretMapCustom := parseCustomSecret(secret) From f0b32444eb471cdd7b8aa0c6819eb134fed9a051 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Mon, 13 Apr 2026 11:42:43 +0530 Subject: [PATCH 09/12] fixed review comments --- pkg/driver/controllerserver.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index 9483d353..278ef576 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go @@ -125,7 +125,7 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) + return nil, status.Error(codes.InvalidArgument, err.Error()) } secretMapCustom := parseCustomSecret(secret) @@ -379,7 +379,7 @@ func (cs *controllerServer) DeleteVolume(_ context.Context, req *csi.DeleteVolum secret, err := cs.Stats.GetSecret(secretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) + return nil, status.Error(codes.InvalidArgument, err.Error()) } secretMapCustom := parseCustomSecret(secret) From f4b2020476358ac2f6b0440f64b432e44b2a2811 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Mon, 13 Apr 2026 12:58:56 +0530 Subject: [PATCH 10/12] fixed review comments --- pkg/driver/controllerserver_test.go | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index 45c2ce8a..11222177 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -20,6 +20,7 @@ import ( "context" "errors" "flag" + "fmt" "reflect" "strings" "testing" @@ -433,7 +434,7 @@ func TestCreateVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, errors.New("failed to get secret") + return nil, fmt.Errorf("error getting Secret: %v", errors.New("failed to get secret")) }, }), expectedResp: nil, 
@@ -467,7 +468,7 @@ func TestCreateVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, errors.New("secret not found") + return nil, fmt.Errorf("error getting Secret: %v", errors.New("secret not found")) }, }), expectedResp: nil, @@ -934,7 +935,7 @@ func TestDeleteVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, errors.New("secret not found") + return nil, fmt.Errorf("error getting Secret: %v", errors.New("secret not found")) }, }), expectedResp: nil, From 7c3beb68891060287f0fa67485f24a534414ec52 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Mon, 13 Apr 2026 15:10:39 +0530 Subject: [PATCH 11/12] minor changes --- pkg/driver/controllerserver.go | 4 ++-- pkg/driver/controllerserver_test.go | 6 +++--- pkg/utils/driver_utils.go | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/driver/controllerserver.go b/pkg/driver/controllerserver.go index 278ef576..9483d353 100644 --- a/pkg/driver/controllerserver.go +++ b/pkg/driver/controllerserver.go @@ -125,7 +125,7 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, err.Error()) + return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) } secretMapCustom := parseCustomSecret(secret) @@ -379,7 +379,7 @@ func (cs *controllerServer) DeleteVolume(_ context.Context, req *csi.DeleteVolum secret, err := cs.Stats.GetSecret(secretName, secretNamespace) if err != nil { - return nil, status.Error(codes.InvalidArgument, err.Error()) + return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err)) } secretMapCustom := parseCustomSecret(secret) 
diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go index 11222177..5fe962fd 100644 --- a/pkg/driver/controllerserver_test.go +++ b/pkg/driver/controllerserver_test.go @@ -434,7 +434,7 @@ func TestCreateVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, fmt.Errorf("error getting Secret: %v", errors.New("failed to get secret")) + return nil, errors.New("secrets \"test-cos-secret1\" not found") }, }), expectedResp: nil, @@ -468,7 +468,7 @@ func TestCreateVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, fmt.Errorf("error getting Secret: %v", errors.New("secret not found")) + return nil, errors.New("secrets \"testSecretName\" not found") }, }), expectedResp: nil, @@ -935,7 +935,7 @@ func TestDeleteVolume(t *testing.T) { }, nil }, GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) { - return nil, fmt.Errorf("error getting Secret: %v", errors.New("secret not found")) + return nil, errors.New("secrets \"testSecretName\" not found") }, }), expectedResp: nil, diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index d88568d5..5cd30b15 100644 --- a/pkg/utils/driver_utils.go +++ b/pkg/utils/driver_utils.go @@ -220,7 +220,7 @@ func (su *DriverStatsUtils) GetSecret(secretName, secretNamespace string) (*v1.S secret, err := k8sClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{}) if err != nil { - return nil, fmt.Errorf("error getting Secret: %v", err) + return nil, err } return secret, nil From e9fa43f78e9e6833ddc24cf4fe7534c4412e5ec4 Mon Sep 17 00:00:00 2001 From: Prachi Shivanand Anure Date: Mon, 13 Apr 2026 15:15:50 +0530 Subject: [PATCH 12/12] minor changes --- pkg/driver/controllerserver_test.go | 1 - 1 file changed, 1 deletion(-) 
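Review bot: In the test hunks at -468 and -935 the fake returns `errors.New("secrets \"testSecretName\" not found")`, which embeds the Go identifier rather than its value, while the fake at -434 uses a literal secret name; the cases presumably still pass because expectedErr is matched on the "error getting Secret" prefix, but it reads like a mistake. If the intent is to mimic the API server, `apierrors.NewNotFound(v1.Resource("secrets"), testSecretName)` (k8s.io/apimachinery/pkg/api/errors) produces the same message and also keeps `apierrors.IsNotFound` meaningful should the driver start branching on it. The enclosing test functions start outside the hunks.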
diff --git a/pkg/driver/controllerserver_test.go b/pkg/driver/controllerserver_test.go
index 5fe962fd..90f80aed 100644
--- a/pkg/driver/controllerserver_test.go
+++ b/pkg/driver/controllerserver_test.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"flag"
-	"fmt"
 	"reflect"
 	"strings"
 	"testing"