Support refresh of SAS token (re-reading it from KeyVault, updating the mount) #1237

Open
calohmn opened this issue Feb 6, 2024 · 4 comments

Comments

@calohmn

calohmn commented Feb 6, 2024

Is your feature request related to a problem?/Why is this needed
When mounting a storage container using a SAS token, the recommended kind of SAS to use would be a user delegation SAS.
Because of the limited validity period of such tokens, they have to be re-created periodically. The updated token (in an updated KeyVault Secret) then needs to be applied to the blobfuse volume mount.

Currently, the only way to apply an updated SAS token seems to be to restart the pod which contains the (inline) volume for the storage container mount.
For tokens that have a short validity period (of, say, 1 hour), restarting pods every hour doesn't look practical.
It would be better for the blob CSI driver (blobfuseproxy) to support this kind of scenario, applying the updated SAS automatically.

Describe the solution you'd like in detail
Ideally, changes to the K8s secret containing the SAS token would be detected (via Kubernetes "watch"), and the corresponding mount would be updated.
As far as I've seen, such a mount update would be possible when mounting using a config file - as noted in Azure/azure-storage-fuse#1246 and Azure/azure-storage-fuse#1301 (comment).
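The expiry check that any such refresh mechanism would need, as an added example that is not part of the original issue or of the blob CSI driver's code: it reads the `se` field (and, for a user delegation SAS, `ske`) from a token and reports whether the token is close enough to expiry that the mount should be given a new one. The function names, the 10-minute margin and the sample token are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Timestamp layouts accepted in SAS fields (always UTC).
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

def _parse_ts(value):
    for fmt in _FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")

def sas_status(token, now, refresh_margin=timedelta(minutes=10)):
    """Return kind, effective expiry and whether the token should be rotated."""
    # parse_qs also undoes the percent-encoding of ':' in the timestamps.
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    if "se" not in fields:
        raise ValueError("SAS token has no 'se' (signed expiry) field")
    expiry = _parse_ts(fields["se"])
    # skoid/ske only appear on a user delegation SAS; such a token stops
    # working once the delegation key expires, so use the earlier instant.
    user_delegation = "skoid" in fields
    if user_delegation and "ske" in fields:
        expiry = min(expiry, _parse_ts(fields["ske"]))
    remaining = expiry - now
    return {
        "kind": "user-delegation" if user_delegation else "service-or-account",
        "expires_at": expiry,
        "remaining": remaining,
        "needs_refresh": remaining <= refresh_margin,
    }

# Constructed sample token: GUIDs and signature are placeholders.
SAMPLE_SAS = (
    "?sv=2022-11-02&sr=c&sp=rl"
    "&st=2024-02-06T10%3A00%3A00Z&se=2024-02-06T11%3A00%3A00Z"
    "&skoid=00000000-0000-0000-0000-000000000000"
    "&sktid=11111111-1111-1111-1111-111111111111"
    "&skt=2024-02-06T10%3A00%3A00Z&ske=2024-02-06T10%3A45%3A00Z"
    "&sks=b&skv=2022-11-02&sig=CONSTRUCTED-PLACEHOLDER"
)

if __name__ == "__main__":
    now = datetime(2024, 2, 6, 10, 40, tzinfo=timezone.utc)
    print(sas_status(SAMPLE_SAS, now))
```

The result contains only timestamps and a flag, so it can be logged without exposing the token's `sig` value.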

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 6, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 5, 2024
@Christian-Schmid

/remove-lifecycle rotten

We are still affected by this

@Christian-Schmid

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 27, 2024