From d57e884ff3186898427a872a359a37e5d4671442 Mon Sep 17 00:00:00 2001 From: Guna K Kambalimath Date: Mon, 16 Sep 2024 09:53:00 +0530 Subject: [PATCH] Mounting secret - reading credentials from file --- deploy/kubernetes/base/controller.yaml | 28 ++++++++++--------- deploy/kubernetes/base/node.yaml | 13 +++++---- pkg/cloud/powervs.go | 38 +++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 19 deletions(-) diff --git a/deploy/kubernetes/base/controller.yaml b/deploy/kubernetes/base/controller.yaml index 7aac895df..c3c33abe3 100644 --- a/deploy/kubernetes/base/controller.yaml +++ b/deploy/kubernetes/base/controller.yaml @@ -41,13 +41,12 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: IBMCLOUD_API_KEY - valueFrom: - secretKeyRef: - name: ibm-secret - key: IBMCLOUD_API_KEY - optional: true + - name: API_KEY_PATH + value: /etc/secrets/IBMCLOUD_API_KEY volumeMounts: + - name: ibm-secret + mountPath: /etc/secrets + readOnly: true - name: socket-dir mountPath: /var/lib/csi/sockets/pluginproxy/ ports: @@ -65,6 +64,9 @@ spec: - name: node-update-controller image: registry.k8s.io/cloud-provider-ibm/ibm-powervs-block-csi-driver:main command: ["/node-update-controller"] + env: + - name: API_KEY_PATH + value: /etc/secrets/IBMCLOUD_API_KEY ports: - name: metrics containerPort: 8081 @@ -80,13 +82,10 @@ spec: initialDelaySeconds: 5 timeoutSeconds: 10 periodSeconds: 30 - env: - - name: IBMCLOUD_API_KEY - valueFrom: - secretKeyRef: - name: ibm-secret - key: IBMCLOUD_API_KEY - optional: true + volumeMounts: + - name: ibm-secret + mountPath: /etc/secrets + readOnly: true - name: csi-provisioner image: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1 args: @@ -136,3 +135,6 @@ spec: volumes: - name: socket-dir emptyDir: {} + - name: ibm-secret + secret: + secretName: ibm-secret diff --git a/deploy/kubernetes/base/node.yaml b/deploy/kubernetes/base/node.yaml index 0ed35ff3f..36048e689 100644 --- a/deploy/kubernetes/base/node.yaml 
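Review bot: The `ibm-secret` volume added in the last hunk (`secretName: ibm-secret`) is mandatory, while the `secretKeyRef` entries removed in the first and third hunks were `optional: true`, so a cluster without that Secret will now leave the controller pod in ContainerCreating instead of starting it; if that tolerance is still wanted (readCredentials in pkg/cloud/powervs.go keeps an environment-variable fallback), add `optional: true` under `secret:`, otherwise record the stricter requirement in the deploy docs. The volume also projects every key in the Secret into /etc/secrets of both containers that mount it; limiting it with `items:` to `IBMCLOUD_API_KEY` keeps the mount to what the driver reads, and `defaultMode: 0400` narrows the file permissions where the container runs as root or with a matching fsGroup. The same volume definition is added to node.yaml, where the removed `secretKeyRef` was already mandatory, so only the projection point applies there.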
+++ b/deploy/kubernetes/base/node.yaml @@ -45,12 +45,12 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - - name: IBMCLOUD_API_KEY - valueFrom: - secretKeyRef: - name: ibm-secret - key: IBMCLOUD_API_KEY + - name: API_KEY_PATH + value: /etc/secrets/IBMCLOUD_API_KEY volumeMounts: + - name: ibm-secret + mountPath: /etc/secrets + readOnly: true - name: kubelet-dir mountPath: /var/lib/kubelet mountPropagation: "Bidirectional" @@ -120,3 +120,6 @@ spec: hostPath: path: /sys type: Directory + - name: ibm-secret + secret: + secretName: ibm-secret diff --git a/pkg/cloud/powervs.go b/pkg/cloud/powervs.go index 2b0e08531..8680ab80c 100644 --- a/pkg/cloud/powervs.go +++ b/pkg/cloud/powervs.go @@ -30,6 +30,7 @@ import ( "github.com/IBM/platform-services-go-sdk/resourcecontrollerv2" "github.com/davecgh/go-spew/spew" "k8s.io/apimachinery/pkg/util/wait" + "k8s.io/klog/v2" "k8s.io/utils/ptr" "sigs.k8s.io/ibm-powervs-block-csi-driver/pkg/util" @@ -60,7 +61,10 @@ func NewPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) { } func newPowerVSCloud(cloudInstanceID, zone string, debug bool) (Cloud, error) { - apikey := os.Getenv("IBMCLOUD_API_KEY") + apikey, err := readCredentials() + if err != nil { + return nil, err + } authenticator := &core.IamAuthenticator{ApiKey: apikey, URL: os.Getenv("IBMCLOUD_IAM_API_ENDPOINT")} 
@@ -252,3 +256,35 @@ func (p *powerVSCloud) GetDiskByID(volumeID string) (disk *Disk, err error) {
 CapacityGiB: int64(*v.Size),
 }, nil
 }
+
+func readCredentials() (string, error) {
+ apiKey, err := readCredentialsFromFile()
+ if err != nil {
+ return "", err
+ }
+ if apiKey != "" {
+ return apiKey, nil
+ }
+
+ klog.Info("Falling back to read IBMCLOUD_API_KEY environment variable for the key")
+ apiKey = os.Getenv("IBMCLOUD_API_KEY")
+ if apiKey == "" {
+ return "", fmt.Errorf("IBMCLOUD_API_KEY is not provided")
+ }
+
+ return apiKey, nil
+}
+
+func readCredentialsFromFile() (string, error) {
+ apiKeyPath := os.Getenv("API_KEY_PATH")
+ if apiKeyPath == "" {
+ klog.Warning("API_KEY_PATH is undefined")
+ return "", nil
+ }
+
+ byteData, err := os.ReadFile(apiKeyPath)
+ if err != nil {
+ return "", fmt.Errorf("error reading apikey: %v", err)
+ }
+ return string(byteData), nil
+}
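Review bot: `readCredentialsFromFile` returns the file contents verbatim in `return string(byteData), nil`, so a trailing newline in the mounted Secret value — easy to get when the Secret is created from a file or with echo — becomes part of the API key and the IAM authenticator will likely reject it; trim it, `return strings.TrimSpace(string(byteData)), nil`, adding `strings` to the import block if it is not already there. The fallback in `readCredentials` is reached only when `API_KEY_PATH` is unset or the file is empty, while a read error such as a missing file aborts startup; that contract is reasonable but belongs in a doc comment, e.g. `// readCredentials returns the IBM Cloud API key read from the file named by API_KEY_PATH, falling back to the IBMCLOUD_API_KEY environment variable when the path is unset or the file is empty; a read error is returned as-is.` The wrap in `readCredentialsFromFile` uses `%v`, which discards the error chain; prefer `return "", fmt.Errorf("reading api key from %q: %w", apiKeyPath, err)` so callers can test for `os.ErrNotExist`.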