Restrict PVC and secret creation in same namespace during provisioning

pkg/driver/controllerserver.go

@@ -115,20 +115,17 @@ func (cs *controllerServer) CreateVolume(_ context.Context, req *csi.CreateVolum
 		pvcAnnotations := pvcRes.Annotations
 
 		customSecretName = pvcAnnotations[constants.SecretNameKey]
-		secretNamespace := pvcAnnotations[constants.SecretNamespaceKey]
 
 		if customSecretName == "" {
 			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("secretName annotation 'cos.csi.driver/secret' not specified in the PVC annotations, could not fetch the secret %v", err))
 		}
 
-		if secretNamespace == "" {
-			klog.Info("secretNamespace annotation 'cos.csi.driver/secret-namespace' not specified in PVC annotations:\t", pvcRes.Annotations, "\t trying to fetch the secret in default namespace")
-			secretNamespace = constants.DefaultNamespace
-		}
+		secretNamespace := pvcNamespace
+		klog.Infof("Using secret '%s' from PVC namespace '%s'", customSecretName, secretNamespace)
 
 		secret, err := cs.Stats.GetSecret(customSecretName, secretNamespace)
 		if err != nil {
-			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Secret resource not found %v", err))
+			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err))
 		}
 
 		secretMapCustom := parseCustomSecret(secret)
@@ -382,7 +379,7 @@ func (cs *controllerServer) DeleteVolume(_ context.Context, req *csi.DeleteVolum
 
 		secret, err := cs.Stats.GetSecret(secretName, secretNamespace)
 		if err != nil {
-			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Secret resource not found %v", err))
+			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("error getting Secret: %v", err))
 		}
 
 		secretMapCustom := parseCustomSecret(secret)

pkg/driver/controllerserver_test.go

@@ -164,8 +164,7 @@ func TestCreateVolume(t *testing.T) {
 					return &v1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
 							Annotations: map[string]string{
-								constants.SecretNameKey:      testSecretName,
-								constants.SecretNamespaceKey: testSecretNs,
+								constants.SecretNameKey: testSecretName,
 							},
 						},
 					}, nil
@@ -434,11 +433,45 @@ func TestCreateVolume(t *testing.T) {
 					}, nil
 				},
 				GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) {
-					return nil, errors.New("failed to get secret")
+					return nil, errors.New("secrets \"test-cos-secret1\" not found")
+				},
+			}),
+			expectedResp: nil,
+			expectedErr:  errors.New("error getting Secret"),
+		},
+		{
+			testCaseName: "Negative: Secret not found in PVC namespace",
+			req: &csi.CreateVolumeRequest{
+				Name: testVolumeName,
+				VolumeCapabilities: []*csi.VolumeCapability{
+					{
+						AccessMode: &csi.VolumeCapability_AccessMode{
+							Mode: volumeCapabilities[0],
+						},
+					},
+				},
+				Parameters: map[string]string{
+					constants.PVCNameKey:      testPVCName,
+					constants.PVCNamespaceKey: testPVCNs,
+				},
+			},
+			cosSession: &s3client.FakeCOSSessionFactory{},
+			driverStatsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{
+				GetPVCFn: func(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) {
+					return &v1.PersistentVolumeClaim{
+						ObjectMeta: metav1.ObjectMeta{
+							Annotations: map[string]string{
+								constants.SecretNameKey: testSecretName,
+							},
+						},
+					}, nil
+				},
+				GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) {
+					return nil, errors.New("secrets \"testSecretName\" not found")
 				},
 			}),
 			expectedResp: nil,
-			expectedErr:  errors.New("Secret resource not found"),
+			expectedErr:  errors.New("error getting Secret"),
 		},
 		{
 			testCaseName: "Negative: Invalid bucket versioning name in secret",
@@ -489,8 +522,7 @@ func TestCreateVolume(t *testing.T) {
 					return &v1.PersistentVolumeClaim{
 						ObjectMeta: metav1.ObjectMeta{
 							Annotations: map[string]string{
-								constants.SecretNameKey:      testSecretName,
-								constants.SecretNamespaceKey: testSecretNs,
+								constants.SecretNameKey: testSecretName,
 							},
 						},
 					}, nil
@@ -717,9 +749,10 @@ func TestCreateVolume(t *testing.T) {
 					VolumeId:      testVolumeName,
 					CapacityBytes: 1073741824,
 					VolumeContext: map[string]string{
+						"bucketName":         "",
 						"userProvidedBucket": "false",
-						"locationConstraint": "test-region",
 						"cosEndpoint":        "test-endpoint",
+						"locationConstraint": "test-region",
 						"mounter":            "s3fs",
 					},
 				},
@@ -755,6 +788,9 @@ func TestCreateVolume(t *testing.T) {
 					actualResp.Volume.VolumeContext != nil {
 					if bucketNameVal, ok := actualResp.Volume.VolumeContext["bucketName"]; ok {
 						if strings.Contains(bucketNameVal, actualResp.Volume.VolumeId) {
+							if tc.expectedResp.Volume.VolumeContext == nil {
+								tc.expectedResp.Volume.VolumeContext = make(map[string]string)
+							}
 							tc.expectedResp.Volume.VolumeContext["bucketName"] = bucketNameVal
 						}
 					}
@@ -898,11 +934,11 @@ func TestDeleteVolume(t *testing.T) {
 					}, nil
 				},
 				GetSecretFn: func(secretName, secretNamespace string) (*v1.Secret, error) {
-					return nil, errors.New("secret not found")
+					return nil, errors.New("secrets \"testSecretName\" not found")
 				},
 			}),
 			expectedResp: nil,
-			expectedErr:  errors.New("Secret resource not found"),
+			expectedErr:  errors.New("error getting Secret"),
 		},
 		{
 			testCaseName: "Negative: Access Key not provided",

pkg/utils/driver_utils.go

@@ -220,7 +220,7 @@ func (su *DriverStatsUtils) GetSecret(secretName, secretNamespace string) (*v1.S
 
 	secret, err := k8sClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("error getting Secret: %v", err)
+		return nil, err
 	}
 
 	return secret, nil