Add blog article to announce Secret references in NodeExpandVolume

[humblec]

Ref# KEP: kubernetes/enhancements#3173
Implementation: kubernetes/kubernetes#105963

Signed-off-by: Humble Chirammal [email protected]

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	37b77be
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/63173cbba092e800084f6dae
😎 Deploy Preview	https://deploy-preview-33979--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[humblec]

Cc @sftim @xing-yang @zhucan

[Sea-n]

Here is some questions and format fixes.

[sftim]

Thanks for getting this draft in early! I hope this feedback helps.

[sftim]

/retitle Add blog article to announce Secret references in NodeExpandVolume

[sftim]

Thanks! Here's a bit more feedback.

[bradtopol]

Assigning @sftim since he is already engaged on this.
/assign @sftim

[Sea-n]

Hey @humblec,

It's been a while since last update, would you like to address issues in the previous comments so that we can move forward?

[humblec]

Hey @humblec,

It's been a while since last update, would you like to address issues in the previous comments so that we can move forward?

Indeed.. Just got busy with other PRs . I have accommodated all the comments from your and @sftim 's review.. thanks a lot!!
Ptal.. 👍

[sftim]

Thanks. I have a few suggestions for the article to tidy it up.

[sftim]

Does this provisioner actually work with NodeExpandVolume secret references?

(if not, maybe make up a fictional provisioner, eg blockstorage.cloudprovider.example?)

[humblec]

yeah.. the hostpath output and logs are from real testing. should be fine. 👍

[sftim]

How does the hostPath provisioner actually use these secrets? If it ignores them, that's maybe not an ideal example.

[humblec]

actually this feature is from the kubernetes csi client to push the secrets to the CSI driver as part of the NodeExpandVolume call.. The hostPath provisioner is a CSI driver who get those as shown in the example.. in that sense, it looks fine to me keep the current version as an example .. @sftim

[humblec]

if really needed I can replace the string hostpath to hostpath-example or something similar.. please let me know wdyt @sftim

[sftim]

Could you explain in a bit more detail (to reviewers, not readers) how a cluster admin works out what they put into test-secret? If I changed the contents of that Secret to have empty strings as the values, would it still work?

If so, then we're not really illustrating things end-to-end. Yes, the feature from the KEP is implemented, but the reader cares about the end-to-end story. They're less interested in seeing an integration test that proves that the secret reference gets to the CSI driver.

Is blockstorage.cloudprovider.example a plausible CSI driver name / reference? If it is, how about using that?

[humblec]

@sftim the nodeExpandSecret follow the same convention or rules of other similar secrets ( for ex: node stage, publish, controller expand) in the SC as described here
https://kubernetes-csi.github.io/docs/secrets-and-credentials-storage-class.html. The secret values will be sent to the CSI driver and if the credentials are correct to connect or perform the requested operation it will work otherwise fail.

Is blockstorage.cloudprovider.example a plausible CSI driver name / reference? If it is, how about using that?

Sure, I have changed the provisioner name to above.. it sound fine to have above as a pluasible CSI driver name..
ptal.. thanks.

[humblec]

Cc @xing-yang

[humblec]

It would be appreciated if we can get final reviews on this PR !

[sftim]

We (blog team) would like a lightweight tech review on this from SIG Storage (optionally also SIG Auth) folks, to make sure there's no obvious technical inaccuracy.
I'm sure that there isn't @humblec but it's nice to have that reassurance.

The article LGTM from a content / writing perspective.

@humblec could you find someone from SIG Storage to check that preview?

[humblec]

We (blog team) would like a lightweight tech review on this from SIG Storage (optionally also SIG Auth) folks, to make sure there's no obvious technical inaccuracy. I'm sure that there isn't @humblec but it's nice to have that reassurance.

The article LGTM from a content / writing perspective.

Thanks @sftim 👍

@humblec could you find someone from SIG Storage to check that preview?

Sure, let me find/get review from SIG Storage.
@xing-yang considering you have reviewed this PR, can you please review the preview/final version?

[xing-yang]

I added one comment. Otherwise, it looks good to me.

[humblec]

I added one comment. Otherwise, it looks good to me.

addressed the same .. Thanks

[sftim]

That last fix wasn't right, I'm afraid.

[humblec]

That last fix wasn't right, I'm afraid.

I have reformatted as suggested.. thanks 👍

[sftim]

Thanks

/lgtm
/approve

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: b51ee65e1affc5d78012fc27552d7b2b78c241cb

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sftim

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• content/en/blog/OWNERS [sftim]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment