Removed TokenClient and use CSI token propagation

Author: micahhausler

Makefile

@@ -401,7 +401,6 @@ e2e-deploy-manifest:
 	kubectl apply -f manifest_staging/deploy/rbac-secretproviderclass.yaml
 	kubectl apply -f manifest_staging/deploy/rbac-secretproviderrotation.yaml
 	kubectl apply -f manifest_staging/deploy/rbac-secretprovidersyncing.yaml
-	kubectl apply -f manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml
 	kubectl apply -f manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
 	kubectl apply -f manifest_staging/deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
 	kubectl apply -f manifest_staging/deploy/role-secretproviderclasses-admin.yaml
@@ -429,6 +428,7 @@ e2e-helm-deploy:
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
 		--set rotationPollInterval=30s \
+		--set requiresRepublish=true \
 		--set tokenRequests[0].audience="aud1" \
 		--set tokenRequests[1].audience="aud2" \
 		--set tokenRequests[2].audience="conjur" \
@@ -533,16 +533,6 @@ manifests: $(CONTROLLER_GEN) $(KUSTOMIZE)  ## Generate manifests e.g. CRD, RBAC
 	@sed -i '1s/^/{{ if .Values.enableSecretRotation }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
 	@sed -i '/^roleRef:/i \ \ labels:\n{{ include \"sscd.labels\" . | indent 4 }}' manifest_staging/charts/secrets-store-csi-driver/templates/role-rotation_binding.yaml
 
-	# Generate token requests specific RBAC
-	$(CONTROLLER_GEN) rbac:roleName=secretprovidertokenrequest-role paths="./controllers/tokenrequest" output:dir=config/rbac-tokenrequest
-	$(KUSTOMIZE) build config/rbac-tokenrequest -o manifest_staging/deploy/rbac-secretprovidertokenrequest.yaml
-	cp config/rbac-tokenrequest/role.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
-	cp config/rbac-tokenrequest/role_binding.yaml manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
-	@sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
-	@sed -i '/^rules:/i \ \ labels:\n{{ include \"sscd.labels\" . | indent 4 }}' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest.yaml
-	@sed -i '1s/^/{{ if .Values.tokenRequests }}\n/gm; s/namespace: .*/namespace: {{ .Release.Namespace }}/gm; $$s/$$/\n{{ end }}/gm' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
-	@sed -i '/^roleRef:/i \ \ labels:\n{{ include \"sscd.labels\" . | indent 4 }}' manifest_staging/charts/secrets-store-csi-driver/templates/role-tokenrequest_binding.yaml
-
 .PHONY: generate-protobuf
 generate-protobuf: $(PROTOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) # generates protobuf
 	@PATH=$(PATH):$(TOOLS_BIN_DIR) $(PROTOC) -I . provider/v1alpha1/service.proto --go-grpc_out=require_unimplemented_servers=false:. --go_out=.

cmd/secrets-store-csi-driver/main.go

@@ -203,26 +203,24 @@ func mainErr() error {
 		reconciler.RunPatcher(ctx)
 	}()
 
-	// token request client
 	kubeClient := kubernetes.NewForConfigOrDie(cfg)
-	tokenClient := k8s.NewTokenClient(kubeClient, *driverName, 10*time.Minute)
+	driverClient := k8s.NewDriverClient(kubeClient, *driverName, 10*time.Minute)
 
-	if err = tokenClient.Run(ctx.Done()); err != nil {
-		klog.ErrorS(err, "failed to run token client")
+	if err = driverClient.Run(ctx.Done()); err != nil {
+		klog.ErrorS(err, "failed to run driver client")
 		return err
 	}
-
 	// Secret rotation
 	if *enableSecretRotation {
-		rec, err := rotation.NewReconciler(*driverName, mgr.GetCache(), scheme, *rotationPollInterval, providerClients, tokenClient)
+		rec, err := rotation.NewReconciler(*driverName, mgr.GetCache(), scheme, *rotationPollInterval, providerClients)
 		if err != nil {
 			klog.ErrorS(err, "failed to initialize rotation reconciler")
 			return err
 		}
 		go rec.Run(ctx.Done())
 	}
 
-	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader(), tokenClient)
+	driver := secretsstore.NewSecretsStoreDriver(*driverName, *nodeID, *endpoint, providerClients, mgr.GetClient(), mgr.GetAPIReader(), driverClient)
 	driver.Run(ctx)
 
 	return nil

config/rbac-tokenrequest/kustomization.yaml

@@ -14,7 +14,7 @@
 
 ARG BASEIMAGE=registry.k8s.io/build-image/debian-base:bookworm-v1.0.4
 
-FROM golang:1.22 as builder
+FROM golang:1.23 as builder
 WORKDIR /go/src/sigs.k8s.io/secrets-store-csi-driver
 ADD . .
 ARG TARGETARCH

config/rbac-tokenrequest/role.yaml

@@ -50,10 +50,6 @@ kubectl apply -f deploy/rbac-secretprovidersyncing.yaml
 # required to enable this feature
 kubectl apply -f deploy/rbac-secretproviderrotation.yaml
 
-# If using the CSI Driver token requests feature (https://kubernetes-csi.github.io/docs/token-requests.html) to use
-# pod/workload identity to request a token and use with providers
-kubectl apply -f deploy/rbac-secretprovidertokenrequest.yaml
-
 # [OPTIONAL] To deploy driver on windows nodes
 kubectl apply -f deploy/secrets-store-csi-driver-windows.yaml
 ```

config/rbac-tokenrequest/role_binding.yaml

@@ -115,4 +115,5 @@ The following table lists the configurable parameters of the csi-secrets-store-p
 | `providerHealthCheck`                   | Enable health check for configured providers                                                                                                                                   | `false`                                                 |
 | `providerHealthCheckInterval`           | Provider healthcheck interval duration                                                                                                                                         | `2m`                                                    |
 | `imagePullSecrets`                      | One or more secrets to be used when pulling images                                                                                                                             | `""`                                                    |
-| `tokenRequests`                         | Token requests configuration for the csi driver. Refer to [doc](https://kubernetes-csi.github.io/docs/token-requests.html) for more info. Supported only for Kubernetes v1.20+ | `""`                                                    |
+| `tokenRequests`                         | Token requests configuration for the csi driver. Refer to [doc](https://kubernetes-csi.github.io/docs/token-requests.html) for more info. Supported only for Kubernetes v1.20+ | `[]`                                                    |
+| `requiresRepublish`                     | Setting this to `true` will enable propagation of refreshed Service Account tokens to secret plugins, allowing plugins to update the contents of a mount. `tokenRequests` must be populated for this to succeed. | `false` | 

deploy/rbac-secretprovidertokenrequest.yaml

@@ -7,6 +7,9 @@ metadata:
 spec:
   podInfoOnMount: true
   attachRequired: false
+  {{- if .Values.requiresRepublish }}
+  requiresRepublish: true
+  {{- end }}
   # Added in Kubernetes 1.16 with default mode of Persistent. Secrets store csi driver needs Ephermeral to be set.
   volumeLifecycleModes: 
   - Ephemeral