Merge pull request #268 from scality/bugfix/S3CSI-195-fix-node-publish-creds-usage

S3CSI-195: Change length of access keys and update documentation + v2.0.1 bump

Author: anurag4DSB

Makefile

@@ -15,7 +15,7 @@
 SHELL = /bin/bash
 
 # MP CSI Driver version
-VERSION=2.0.0
+VERSION=2.0.1
 
 # List of allowed licenses in the CSI Driver's dependencies.
 # See https://github.com/google/licenseclassifier/blob/e6a9bb99b5a6f71d5a34336b8245e305f5430f99/license_type.go#L28 for list of canonical names for licenses.

charts/scality-mountpoint-s3-csi-driver/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: scality-mountpoint-s3-csi-driver
 description: A Helm chart for installing the Mountpoint for Scality CSI Driver for S3. This CSI driver allows your Kubernetes applications to access S3 objects through a file system interface.
-version: 2.0.0
+version: 2.0.1
 kubeVersion: ">=1.30.0-0"
 home: https://github.com/scality/mountpoint-s3-csi-driver
 sources:

charts/scality-mountpoint-s3-csi-driver/values.yaml

@@ -24,7 +24,7 @@ image:
   repository: ghcr.io/scality/mountpoint-s3-csi-driver
   pullPolicy: IfNotPresent
   # Overrides the image tag whose default is the chart appVersion.
-  tag: "2.0.0"
+  tag: "2.0.1"
 
 # Node plugin configuration (DaemonSet)
 node:

docs/README.md

@@ -35,13 +35,14 @@ Container images for the Scality CSI Driver for S3 are hosted on GHCR:
 
 | Driver Version | Image URL                                                                 |
 |---------------|----------------------------------------------------------------------------|
-| 2.0.0         | `ghcr.io/scality/mountpoint-s3-csi-driver:2.0.0`                           |
+| 2.0.1         | `ghcr.io/scality/mountpoint-s3-csi-driver:2.0.1`                           |
 
-Review [release notes](release-notes.md) for breaking changes and the [releases page](https://github.com/scality/mountpoint-s3-csi-driver/releases) for complete changelog details.
+Review [release notes](release-notes.md) for overview of changes and the [releases page](https://github.com/scality/mountpoint-s3-csi-driver/releases) for complete changelog details.
 
 ??? note "Previous Images"
     | Driver Version | Image URL                                                                 |
     |---------------|----------------------------------------------------------------------------|
+    | 2.0.0         | `ghcr.io/scality/mountpoint-s3-csi-driver:2.0.0`                           |
     | 1.2.0         | `ghcr.io/scality/mountpoint-s3-csi-driver:1.2.0`                           |
     | 1.1.1         | `ghcr.io/scality/mountpoint-s3-csi-driver:1.1.1`                           |
     | 1.1.0         | `ghcr.io/scality/mountpoint-s3-csi-driver:1.1.0`                           |

docs/architecture/ring-s3-credentials-management/dynamic-provisioning-credentials-management.md

@@ -126,6 +126,25 @@ For dynamic provisioning, credentials are used at two different stages:
 !!! tip "Security Best Practice"
     Use different credentials for provisioner (admin) and node-publish (user) operations to implement principle of least privilege.
 
+!!! important "Secret Configuration Requirement"
+    **Both `provisioner-secret` and `node-publish-secret` must be configured together** when using secret-based authentication for dynamic provisioning.
+    The controller uses `provisioner-secret` presence to determine if secret-based authentication is enabled
+    (it cannot directly detect `node-publish-secret` due to CSI specification limitations).
+
+**Technical Background:**
+
+The CSI external-provisioner strips all `csi.storage.k8s.io/*` prefixed parameters from `CreateVolumeRequest`:
+
+- `provisioner-secret-*` parameters → Resolved and VALUES passed in `req.GetSecrets()`
+- `node-publish-secret-*` parameters → Stored in `PV.Spec.CSI.NodePublishSecretRef` (not visible during CreateVolume)
+
+The controller cannot directly detect if only `node-publish-secret` is configured, so it uses `provisioner-secret` presence as a proxy indicator for secret-based authentication.
+
+**Workaround for Node-Only Use Case:**
+
+If you only need credentials for mounting (not bucket creation), configure both secrets pointing to the same Secret.
+Example: set both `provisioner-secret-name` and `node-publish-secret-name` to "shared-credentials" in the same namespace.
+
 ### Example 1: Same Credentials for Both Operations
 
 ```yaml title="StorageClass with fixed secret names for both provisioner and node-publish"
@@ -145,7 +164,9 @@ parameters:
   region: "us-west-2"
 ```
 
-### Example 2: Separate Admin and User Credentials
+### Example 2: Separate Admin and User Credentials (Recommended)
+
+This is the **recommended approach** for production environments, implementing the principle of least privilege with different credentials for controller and node operations.
 
 ```yaml title="StorageClass with separate admin (provisioner) and user (node-publish) secret names"
 apiVersion: storage.k8s.io/v1

docs/concepts-and-reference/helm-chart-configuration-reference.md

@@ -18,7 +18,7 @@ These parameters configure the overall behavior of the CSI driver components.
 |------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------|-----------------------------|
 | `image.repository`                                   | The container image repository for the CSI driver.                                                                                                 | `ghcr.io/scality/mountpoint-s3-csi-driver`             | No                          |
 | `image.pullPolicy`                                   | The image pull policy.                                                                                                                             | `IfNotPresent`                                         | No                          |
-| `image.tag`                                          | The image tag for the CSI driver. Overrides the chart's `appVersion` if set.                                                                       | `2.0.0`                                                | No                          |
+| `image.tag`                                          | The image tag for the CSI driver. Overrides the chart's `appVersion` if set.                                                                       | `2.0.1`                                                | No                          |
 
 ## S3 Global Configuration
 
@@ -116,11 +116,11 @@ These parameters configure the overall behavior of the CSI driver components.
 | `controller.serviceAccount.create`                   | Specifies whether a ServiceAccount should be created for the controller.                                                                          | `true`                                                 | No                          |
 | `controller.serviceAccount.name`                     | Name of the ServiceAccount to use for the controller.                                                                                             | `s3-csi-driver-controller-sa`                          | No                          |
 
-## Mountpoint Pod Configuration (v2.0.0+)
+## Mountpoint Pod Configuration (v2.0)
 
 <!-- markdownlint-disable MD046 -->
 !!! info "Pod Mounter Strategy"
-    Version 2.0.0 uses pod-based mounter as the default strategy. Mounter pods are created in the `mount-s3` namespace to handle S3 mount operations with improved isolation and resource management.
+    Version 2.0 uses pod-based mounter as the default strategy. Mounter pods are created in the `mount-s3` namespace to handle S3 mount operations with improved isolation and resource management.
 <!-- markdownlint-enable MD046 -->
 
 | Parameter                                            | Description                                                                                                                                        | Default                                                | Required                    |
@@ -133,7 +133,7 @@ These parameters configure the overall behavior of the CSI driver components.
 | `mountpointPod.headroomImage.tag`                   | Image tag for headroom pods.                                                                                                                       | `3.10`                                                 | No                          |
 | `mountpointPod.headroomImage.pullPolicy`            | Image pull policy for headroom pods.                                                                                                               | `IfNotPresent`                                         | No                          |
 
-## CRD Cleanup Configuration (v2.0.0+)
+## CRD Cleanup Configuration (v2.0)
 
 | Parameter                                            | Description                                                                                                                                        | Default                                                | Required                    |
 |------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------|-----------------------------|

docs/driver-deployment/installation-guide.md

@@ -118,7 +118,7 @@ Deploy the driver with minimal configuration.
 ```bash
 helm install scality-mountpoint-s3-csi-driver \
   oci://ghcr.io/scality/mountpoint-s3-csi-driver/helm-charts/scality-mountpoint-s3-csi-driver \
-  --version 2.0.0 \
+  --version 2.0.1 \
   --set node.s3EndpointUrl="${S3_ENDPOINT_URL}" \
   --set s3CredentialSecret.name="${SECRET_NAME}" \
   --namespace ${NAMESPACE}
@@ -192,7 +192,7 @@ Deploy the driver using the custom values file.
 ```bash
 helm install scality-mountpoint-s3-csi-driver \
   oci://ghcr.io/scality/mountpoint-s3-csi-driver/helm-charts/scality-mountpoint-s3-csi-driver \
-  --version 2.0.0 \
+  --version 2.0.1 \
   --values values-production.yaml \
   --namespace ${NAMESPACE}
 ```
@@ -227,7 +227,7 @@ Expected output: The CRD should be present with status `Ready`.
 
 !!! info "CRD Installation"
     For fresh installs, Helm v3 automatically installs CRDs from the chart's `crds/` directory.
-    For upgrades from v1.x to v2.0.0, CRDs must be installed manually before upgrading. See the [Upgrade Guide](upgrade-guide.md) for details.
+    For upgrades from v1.x to v2.0, CRDs must be installed manually before upgrading. See the [Upgrade Guide](upgrade-guide.md) for details.
 
 ### Check Driver Logs (Optional)
 
@@ -247,7 +247,7 @@ NodeGetInfo: called with args {}
 ```
 
 !!! note "Mounter Strategy"
-    Version 2.0.0 uses pod-based mounter by default. The mounter pods will be created in the `mount-s3` namespace when volumes are first mounted.
+    Version 2.0 uses pod-based mounter by default. The mounter pods will be created in the `mount-s3` namespace when volumes are first mounted.
 
 ## Uninstallation
 

docs/driver-deployment/prerequisites.md

@@ -25,7 +25,7 @@ The deployment of the Scality CSI Driver for S3 requires access to several conta
 
 | Component | Image | Registry | Purpose |
 |-----------|-------|----------|---------|
-| **Scality CSI Driver for S3** | `ghcr.io/scality/mountpoint-s3-csi-driver:2.0.0` | GitHub Container Registry (GHCR) | Main CSI driver functionality |
+| **Scality CSI Driver for S3** | `ghcr.io/scality/mountpoint-s3-csi-driver:2.0.1` | GitHub Container Registry (GHCR) | Main CSI driver functionality |
 | **CSI Node Driver Registrar** | `ghcr.io/scality/mountpoint-s3-csi-driver/csi-node-driver-registrar:v2.14.0` | GitHub Container Registry (GHCR) | Registers CSI driver with kubelet |
 | **Liveness Probe** | `ghcr.io/scality/mountpoint-s3-csi-driver/livenessprobe:v2.16.0` | GitHub Container Registry (GHCR) | Health monitoring for CSI driver pods |
 | **CSI Provisioner** | `ghcr.io/scality/mountpoint-s3-csi-driver/csi-provisioner:v5.3.0` | GitHub Container Registry (GHCR) | External provisioner for CSI driver (Dynamic provisioning feature) |

docs/driver-deployment/quick-start.md

@@ -47,7 +47,7 @@ kubectl create secret generic s3-secret \
 helm install \
   scality-mountpoint-s3-csi-driver \
   oci://ghcr.io/scality/mountpoint-s3-csi-driver/helm-charts/scality-mountpoint-s3-csi-driver \
-  --version 2.0.0 \
+  --version 2.0.1 \
   --set node.s3EndpointUrl="${S3_ENDPOINT_URL}"
 ```
 
@@ -79,8 +79,8 @@ Verify CRD installation:
 kubectl get crd mountpoints3podattachments.s3.csi.scality.com
 ```
 
-!!! info "v2.0.0 Features"
-    Version 2.0.0 introduces the MountpointS3PodAttachment CRD and pod-based mounter. The `mount-s3` namespace will be automatically created when volumes are first mounted.
+!!! info "v2.0 Features"
+    Version 2.0 introduces the MountpointS3PodAttachment CRD and pod-based mounter. The `mount-s3` namespace will be automatically created when volumes are first mounted.
 
 ## Uninstallation
 

docs/driver-deployment/uninstallation.md

@@ -48,10 +48,10 @@ kubectl get pv -o json | jq -r '.items[] | select(.spec.csi.driver == "s3.csi.sc
 # Delete PVs as needed
 ```
 
-### Step 3: Remove MountpointS3PodAttachment CRDs and Mounter Pods (v2.0.0+)
+### Step 3: Remove MountpointS3PodAttachment CRDs and Mounter Pods (v2.0+)
 
-!!! info "v2.0.0 Cleanup"
-    Version 2.0.0 introduces MountpointS3PodAttachment CRD instances and mounter pods that must be cleaned up before uninstalling.
+!!! info "v2.0 Cleanup"
+    Version 2.0 introduces MountpointS3PodAttachment CRD instances and mounter pods that must be cleaned up before uninstalling.
 
 Delete all MountpointS3PodAttachment CRD instances:
 
@@ -121,7 +121,7 @@ kubectl get namespace mount-s3
 kubectl delete namespace mount-s3
 ```
 
-### Step 5: Remove CRD Definitions (v2.0.0+)
+### Step 5: Remove CRD Definitions (v2.0)
 
 !!! warning "CRD Removal"
     Helm v3 does **not** automatically delete CRDs on uninstall. CRDs must be manually removed if they are no longer needed.