Merge pull request #103001 from zshihang/csi

CSIServiceAccountToken ga
2025-12-02 06:13:54 +00:00 · 2021-06-26 19:31:23 -07:00
parent 2d1026c664 8231a3e921
commit a0f9c8c277
19 changed files with 45 additions and 148 deletions
--- a/pkg/apis/storage/types.go
+++ b/pkg/apis/storage/types.go
@@ -381,9 +381,6 @@ type CSIDriverSpec struct {
 	// most one token is empty string. To receive a new token after expiry,
 	// RequiresRepublish can be used to trigger NodePublishVolume periodically.
 	//
-	// This is a beta feature and only available when the
-	// CSIServiceAccountToken feature is enabled.
-	//
 	// +optional
 	// +listType=atomic
 	TokenRequests []TokenRequest
@@ -396,9 +393,6 @@ type CSIDriverSpec struct {
 	// to NodePublishVolume should only update the contents of the volume. New
 	// mount points will not be seen by a running container.
 	//
-	// This is a beta feature and only available when the
-	// CSIServiceAccountToken feature is enabled.
-	//
 	// +optional
 	RequiresRepublish *bool
 }
--- a/pkg/apis/storage/v1/defaults.go
+++ b/pkg/apis/storage/v1/defaults.go
@@ -60,7 +60,7 @@ func SetDefaults_CSIDriver(obj *storagev1.CSIDriver) {
 	if len(obj.Spec.VolumeLifecycleModes) == 0 && utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		obj.Spec.VolumeLifecycleModes = append(obj.Spec.VolumeLifecycleModes, storagev1.VolumeLifecyclePersistent)
 	}
-	if obj.Spec.RequiresRepublish == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
+	if obj.Spec.RequiresRepublish == nil {
 		obj.Spec.RequiresRepublish = new(bool)
 		*(obj.Spec.RequiresRepublish) = false
 	}
--- a/pkg/apis/storage/v1/defaults_test.go
+++ b/pkg/apis/storage/v1/defaults_test.go
@@ -94,7 +94,6 @@ func TestSetDefaultVolumeBindingMode(t *testing.T) {

 func TestSetDefaultCSIDriver(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, true)()
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, true)()

 	enabled := true
 	disabled := false
--- a/pkg/apis/storage/v1beta1/defaults.go
+++ b/pkg/apis/storage/v1beta1/defaults.go
@@ -60,7 +60,7 @@ func SetDefaults_CSIDriver(obj *storagev1beta1.CSIDriver) {
 	if len(obj.Spec.VolumeLifecycleModes) == 0 && utilfeature.DefaultFeatureGate.Enabled(features.CSIInlineVolume) {
 		obj.Spec.VolumeLifecycleModes = append(obj.Spec.VolumeLifecycleModes, storagev1beta1.VolumeLifecyclePersistent)
 	}
-	if obj.Spec.RequiresRepublish == nil && utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
+	if obj.Spec.RequiresRepublish == nil {
 		obj.Spec.RequiresRepublish = new(bool)
 		*(obj.Spec.RequiresRepublish) = false
 	}
--- a/pkg/apis/storage/v1beta1/defaults_test.go
+++ b/pkg/apis/storage/v1beta1/defaults_test.go
@@ -142,7 +142,6 @@ func TestSetDefaultVolumeLifecycleModesDisabled(t *testing.T) {

 func TestSetDefaultCSIDriver(t *testing.T) {
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, true)()
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, true)()

 	enabled := true
 	disabled := false
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -577,6 +577,7 @@ const (
 	// owner: @zshihang
 	// alpha: v1.20
 	// beta: v1.21
+	// ga: v1.22
 	//
 	// Enable kubelet to pass pod's service account token to NodePublishVolume
 	// call of CSI driver which is mounting volumes for that pod.
@@ -760,7 +761,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 	ConfigurableFSGroupPolicy:                      {Default: true, PreRelease: featuregate.Beta},
 	CSIInlineVolume:                                {Default: true, PreRelease: featuregate.Beta},
 	CSIStorageCapacity:                             {Default: true, PreRelease: featuregate.Beta},
-	CSIServiceAccountToken:                         {Default: true, PreRelease: featuregate.Beta},
+	CSIServiceAccountToken:                         {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
 	GenericEphemeralVolume:                         {Default: true, PreRelease: featuregate.Beta},
 	CSIVolumeFSGroupPolicy:                         {Default: true, PreRelease: featuregate.Beta},
 	RuntimeClass:                                   {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.23
--- a/pkg/printers/internalversion/printers.go
+++ b/pkg/printers/internalversion/printers.go
@@ -520,12 +520,11 @@ func AddHandlers(h printers.PrintHandler) {
 			Name: "StorageCapacity", Type: "boolean", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["storageCapacity"],
 		})
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		csiDriverColumnDefinitions = append(csiDriverColumnDefinitions, []metav1.TableColumnDefinition{
-			{Name: "TokenRequests", Type: "string", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["tokenRequests"]},
-			{Name: "RequiresRepublish", Type: "boolean", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["requiresRepublish"]},
-		}...)
-	}
+	csiDriverColumnDefinitions = append(csiDriverColumnDefinitions, []metav1.TableColumnDefinition{
+		{Name: "TokenRequests", Type: "string", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["tokenRequests"]},
+		{Name: "RequiresRepublish", Type: "boolean", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["requiresRepublish"]},
+	}...)
+
 	csiDriverColumnDefinitions = append(csiDriverColumnDefinitions, []metav1.TableColumnDefinition{
 		{Name: "Modes", Type: "string", Description: storagev1.CSIDriverSpec{}.SwaggerDoc()["volumeLifecycleModes"]},
 		{Name: "Age", Type: "string", Description: metav1.ObjectMeta{}.SwaggerDoc()["creationTimestamp"]},
@@ -1419,21 +1418,21 @@ func printCSIDriver(obj *storage.CSIDriver, options printers.GenerateOptions) ([
 		}
 		row.Cells = append(row.Cells, storageCapacity)
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		tokenRequests := "<unset>"
-		if obj.Spec.TokenRequests != nil {
-			audiences := []string{}
-			for _, t := range obj.Spec.TokenRequests {
-				audiences = append(audiences, t.Audience)
-			}
-			tokenRequests = strings.Join(audiences, ",")
+
+	tokenRequests := "<unset>"
+	if obj.Spec.TokenRequests != nil {
+		audiences := []string{}
+		for _, t := range obj.Spec.TokenRequests {
+			audiences = append(audiences, t.Audience)
 		}
-		requiresRepublish := false
-		if obj.Spec.RequiresRepublish != nil {
-			requiresRepublish = *obj.Spec.RequiresRepublish
-		}
-		row.Cells = append(row.Cells, tokenRequests, requiresRepublish)
+		tokenRequests = strings.Join(audiences, ",")
 	}
+	requiresRepublish := false
+	if obj.Spec.RequiresRepublish != nil {
+		requiresRepublish = *obj.Spec.RequiresRepublish
+	}
+	row.Cells = append(row.Cells, tokenRequests, requiresRepublish)
+
 	row.Cells = append(row.Cells, modes, translateTimestampSince(obj.CreationTimestamp))
 	return []metav1.TableRow{row}, nil
 }
--- a/pkg/registry/storage/csidriver/strategy.go
+++ b/pkg/registry/storage/csidriver/strategy.go
@@ -56,10 +56,6 @@ func (csiDriverStrategy) PrepareForCreate(ctx context.Context, obj runtime.Objec
 	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
 		csiDriver.Spec.FSGroupPolicy = nil
 	}
-	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		csiDriver.Spec.TokenRequests = nil
-		csiDriver.Spec.RequiresRepublish = nil
-	}
 }

 func (csiDriverStrategy) Validate(ctx context.Context, obj runtime.Object) field.ErrorList {
@@ -100,14 +96,6 @@ func (csiDriverStrategy) PrepareForUpdate(ctx context.Context, obj, old runtime.
 		!utilfeature.DefaultFeatureGate.Enabled(features.CSIVolumeFSGroupPolicy) {
 		newCSIDriver.Spec.FSGroupPolicy = nil
 	}
-	if oldCSIDriver.Spec.TokenRequests == nil &&
-		!utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		newCSIDriver.Spec.TokenRequests = nil
-	}
-	if oldCSIDriver.Spec.RequiresRepublish == nil &&
-		!utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		newCSIDriver.Spec.RequiresRepublish = nil
-	}

 	// Any changes to the mutable fields increment the generation number.
 	if !apiequality.Semantic.DeepEqual(oldCSIDriver.Spec.TokenRequests, newCSIDriver.Spec.TokenRequests) || !apiequality.Semantic.DeepEqual(oldCSIDriver.Spec.RequiresRepublish, newCSIDriver.Spec.RequiresRepublish) {
--- a/pkg/registry/storage/csidriver/strategy_test.go
+++ b/pkg/registry/storage/csidriver/strategy_test.go
@@ -92,10 +92,9 @@ func TestCSIDriverPrepareForCreate(t *testing.T) {
 	requiresRepublish := true

 	tests := []struct {
-		name                    string
-		withCapacity            bool
-		withInline              bool
-		withServiceAccountToken bool
+		name         string
+		withCapacity bool
+		withInline   bool
 	}{
 		{
 			name:       "inline enabled",
@@ -113,21 +112,12 @@ func TestCSIDriverPrepareForCreate(t *testing.T) {
 			name:         "capacity disabled",
 			withCapacity: false,
 		},
-		{
-			name:                    "serviceAccountToken enabled",
-			withServiceAccountToken: true,
-		},
-		{
-			name:                    "serviceAccountToken disabled",
-			withServiceAccountToken: false,
-		},
 	}

 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIStorageCapacity, test.withCapacity)()
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, test.withInline)()
-			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, test.withServiceAccountToken)()

 			csiDriver := &storage.CSIDriver{
 				ObjectMeta: metav1.ObjectMeta{
@@ -167,21 +157,6 @@ func TestCSIDriverPrepareForCreate(t *testing.T) {
 					t.Errorf("VolumeLifecycleModes not stripped: %v", csiDriver.Spec)
 				}
 			}
-			if test.withServiceAccountToken {
-				if csiDriver.Spec.TokenRequests == nil {
-					t.Errorf("TokenRequests modified: %v", csiDriver.Spec)
-				}
-				if csiDriver.Spec.RequiresRepublish == nil {
-					t.Errorf("RequiresRepublish modified: %v", csiDriver.Spec)
-				}
-			} else {
-				if csiDriver.Spec.TokenRequests != nil {
-					t.Errorf("TokenRequests stripped: %v", csiDriver.Spec)
-				}
-				if csiDriver.Spec.RequiresRepublish != nil {
-					t.Errorf("RequiresRepublish stripped: %v", csiDriver.Spec)
-				}
-			}
 		})
 	}
 }
@@ -227,7 +202,6 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 	enabled := true
 	disabled := false
 	gcp := "gcp"
-	vault := "vault"
 	driverWithCapacityEnabled := &storage.CSIDriver{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "foo",
@@ -253,29 +227,19 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 			RequiresRepublish: &enabled,
 		},
 	}
-	driverWithServiceAccountTokenVault := &storage.CSIDriver{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "foo",
-		},
-		Spec: storage.CSIDriverSpec{
-			TokenRequests:     []storage.TokenRequest{{Audience: vault}},
-			RequiresRepublish: &enabled,
-		},
-	}

 	resultPersistent := []storage.VolumeLifecycleMode{storage.VolumeLifecyclePersistent}

 	tests := []struct {
-		name                          string
-		old, update                   *storage.CSIDriver
-		csiStorageCapacityEnabled     bool
-		csiInlineVolumeEnabled        bool
-		csiServiceAccountTokenEnabled bool
-		wantCapacity                  *bool
-		wantModes                     []storage.VolumeLifecycleMode
-		wantTokenRequests             []storage.TokenRequest
-		wantRequiresRepublish         *bool
-		wantGeneration                int64
+		name                      string
+		old, update               *storage.CSIDriver
+		csiStorageCapacityEnabled bool
+		csiInlineVolumeEnabled    bool
+		wantCapacity              *bool
+		wantModes                 []storage.VolumeLifecycleMode
+		wantTokenRequests         []storage.TokenRequest
+		wantRequiresRepublish     *bool
+		wantGeneration            int64
 	}{
 		{
 			name:                      "capacity feature enabled, before: none, update: enabled",
@@ -316,25 +280,9 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 			wantModes: resultPersistent,
 		},
 		{
-			name:                          "service account token feature enabled, before: none, update: audience=gcp",
-			csiServiceAccountTokenEnabled: true,
-			old:                           driverWithNothing,
-			update:                        driverWithServiceAccountTokenGCP,
-			wantTokenRequests:             []storage.TokenRequest{{Audience: gcp}},
-			wantRequiresRepublish:         &enabled,
-			wantGeneration:                1,
-		},
-		{
-			name:                  "service account token feature disabled, before: none, update: audience=gcp",
+			name:                  "service account token feature enabled, before: none, update: audience=gcp",
 			old:                   driverWithNothing,
 			update:                driverWithServiceAccountTokenGCP,
-			wantTokenRequests:     nil,
-			wantRequiresRepublish: nil,
-		},
-		{
-			name:                  "service account token feature disabled, before: audience=vault, update: audience=gcp",
-			old:                   driverWithServiceAccountTokenVault,
-			update:                driverWithServiceAccountTokenGCP,
 			wantTokenRequests:     []storage.TokenRequest{{Audience: gcp}},
 			wantRequiresRepublish: &enabled,
 			wantGeneration:        1,
@@ -345,7 +293,6 @@ func TestCSIDriverPrepareForUpdate(t *testing.T) {
 		t.Run(test.name, func(t *testing.T) {
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIStorageCapacity, test.csiStorageCapacityEnabled)()
 			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, test.csiInlineVolumeEnabled)()
-			defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, test.csiServiceAccountTokenEnabled)()

 			csiDriver := test.update.DeepCopy()
 			Strategy.PrepareForUpdate(ctx, csiDriver, test.old)
--- a/pkg/volume/csi/csi_mounter.go
+++ b/pkg/volume/csi/csi_mounter.go
@@ -229,13 +229,11 @@ func (c *csiMountMgr) SetUpAt(dir string, mounterArgs volume.MounterArgs) error
 	}

 	// Inject pod service account token into volume attributes
-	if utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		serviceAccountTokenAttrs, err := c.podServiceAccountTokenAttrs()
-		if err != nil {
-			return volumetypes.NewTransientOperationFailure(log("mounter.SetUpAt failed to get service accoount token attributes: %v", err))
-		}
-		volAttribs = mergeMap(volAttribs, serviceAccountTokenAttrs)
+	serviceAccountTokenAttrs, err := c.podServiceAccountTokenAttrs()
+	if err != nil {
+		return volumetypes.NewTransientOperationFailure(log("mounter.SetUpAt failed to get service accoount token attributes: %v", err))
 	}
+	volAttribs = mergeMap(volAttribs, serviceAccountTokenAttrs)

 	err = csi.NodePublishVolume(
 		ctx,
--- a/pkg/volume/csi/csi_mounter_test.go
+++ b/pkg/volume/csi/csi_mounter_test.go
@@ -938,7 +938,6 @@ func TestIsCorruptedDir(t *testing.T) {
 }

 func TestPodServiceAccountTokenAttrs(t *testing.T) {
-	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIServiceAccountToken, true)()
 	defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSIInlineVolume, true)()
 	scheme := runtime.NewScheme()
 	utilruntime.Must(pkgauthenticationv1.RegisterDefaults(scheme))
--- a/pkg/volume/csi/csi_plugin.go
+++ b/pkg/volume/csi/csi_plugin.go
@@ -339,9 +339,6 @@ func (p *csiPlugin) CanSupport(spec *volume.Spec) bool {
 }

 func (p *csiPlugin) RequiresRemount(spec *volume.Spec) bool {
-	if !utilfeature.DefaultFeatureGate.Enabled(features.CSIServiceAccountToken) {
-		return false
-	}
 	if p.csiDriverLister == nil {
 		return false
 	}