tektoncd · tekton-robot · Dec 26, 2022 · Nov 16, 2022
diff --git a/docs/cmd/tkn_clustertask_start.md b/docs/cmd/tkn_clustertask_start.md
@@ -39,6 +39,13 @@ For passing the workspaces via flags:
    resources:
      requests:
        storage: 1Gi
+- In case of binding a CSI workspace, you can pass it like -w name=my-csi,csiFile=csi.yaml
+  but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+  driver: secrets-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault-database"
 
 
 ### Options

diff --git a/docs/cmd/tkn_pipeline_start.md b/docs/cmd/tkn_pipeline_start.md
@@ -33,6 +33,17 @@ To create a workspace-template.yaml
       			storage: 1Gi
 	EOF
 
+To create a csi-template.yaml
+
+	```sh
+	$ cat <<EOF > csi-template.yaml
+	driver: secrets-store.csi.k8s.io
+	readOnly: true
+	volumeAttributes:
+  		secretProviderClass: "vault-database"
+	EOF
+	```
+
 To run a Pipeline that has one git resource, one image resource,
 two parameters (foo and bar) and four workspaces (my-config, my-pvc,
 my-secret, my-empty-dir and my-volume-claim-template)
@@ -47,6 +58,7 @@ my-secret, my-empty-dir and my-volume-claim-template)
 		--workspace name=my-empty-dir,emptyDir="" \
 		--workspace name=my-pvc,claimName=pvc1,subPath=dir
 		--workspace name=my-volume-claim-template,volumeClaimTemplateFile=workspace-template.yaml
+		--workspace name=my-csi-template,csiFile=csi-template.yaml
 
 ### Options
 

diff --git a/docs/cmd/tkn_task_start.md b/docs/cmd/tkn_task_start.md
@@ -38,6 +38,13 @@ For passing the workspaces via flags:
    resources:
      requests:
        storage: 1Gi
+- In case of binding a CSI workspace, you can pass it like -w name=my-csi,csiFile=csi.yaml
+  but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+  driver: secrets-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault-database"
 
 
 ### Options

diff --git a/docs/man/man1/tkn-clustertask-start.1 b/docs/man/man1/tkn-clustertask-start.1
@@ -157,9 +157,20 @@ requests:
 storage: 1Gi
 
 .RE
+.IP \(bu 2
+In case of binding a CSI workspace, you can pass it like \-w name=my\-csi,csiFile=csi.yaml
+but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+.br
 
 .RE
 
+.PP
+driver: secrets\-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault\-database"
+
 
 .SH SEE ALSO
 .PP

diff --git a/docs/man/man1/tkn-pipeline-start.1 b/docs/man/man1/tkn-pipeline-start.1
@@ -158,6 +158,25 @@ EOF
 .fi
 .RE
 
+.PP
+To create a csi\-template.yaml
+
+.PP
+.RS
+
+.nf
+```sh
+$ cat <<EOF > csi\-template.yaml
+driver: secrets\-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+    secretProviderClass: "vault\-database"
+EOF
+```
+
+.fi
+.RE
+
 .PP
 To run a Pipeline that has one git resource, one image resource,
 two parameters (foo and bar) and four workspaces (my\-config, my\-pvc,
@@ -176,6 +195,7 @@ $ tkn pipeline start \-\-resource source=samples\-git \\
     \-\-workspace name=my\-empty\-dir,emptyDir="" \\
     \-\-workspace name=my\-pvc,claimName=pvc1,subPath=dir
     \-\-workspace name=my\-volume\-claim\-template,volumeClaimTemplateFile=workspace\-template.yaml
+    \-\-workspace name=my\-csi\-template,csiFile=csi\-template.yaml
 
 .fi
 .RE

diff --git a/docs/man/man1/tkn-task-start.1 b/docs/man/man1/tkn-task-start.1
@@ -157,9 +157,20 @@ requests:
 storage: 1Gi
 
 .RE
+.IP \(bu 2
+In case of binding a CSI workspace, you can pass it like \-w name=my\-csi,csiFile=csi.yaml
+but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+.br
 
 .RE
 
+.PP
+driver: secrets\-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault\-database"
+
 
 .SH SEE ALSO
 .PP

diff --git a/docs/reference/cmd/pipeline_start.md b/docs/reference/cmd/pipeline_start.md
@@ -25,6 +25,17 @@ To create a workspace-template.yaml
       			storage: 1Gi
 	EOF
 
+To create a csi-template.yaml
+
+	```sh
+	$ cat <<EOF > csi-template.yaml
+	driver: secrets-store.csi.k8s.io
+	readOnly: true
+	volumeAttributes:
+  		secretProviderClass: "vault-database"
+	EOF
+	```
+
 To run a Pipeline that has one git resource, one image resource,
 two parameters (foo and bar) and four workspaces (my-config, my-pvc,
 my-secret, my-empty-dir and my-volume-claim-template)
@@ -38,4 +49,5 @@ my-secret, my-empty-dir and my-volume-claim-template)
 		--workspace name=my-config,config=rpg,item=ultimav=1 \
 		--workspace name=my-empty-dir,emptyDir="" \
 		--workspace name=my-pvc,claimName=pvc1,subPath=dir
-		--workspace name=my-volume-claim-template,volumeClaimTemplateFile=workspace-template.yaml
+		--workspace name=my-volume-claim-template,volumeClaimTemplateFile=workspace-template.yaml
+		--workspace name=my-csi-template,csiFile=csi-template.yaml
diff --git a/pkg/cmd/clustertask/start.go b/pkg/cmd/clustertask/start.go
@@ -140,6 +140,13 @@ For passing the workspaces via flags:
    resources:
      requests:
        storage: 1Gi
+- In case of binding a CSI workspace, you can pass it like -w name=my-csi,csiFile=csi.yaml
+  but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+  driver: secrets-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault-database"
 `
 
 	c := &cobra.Command{

diff --git a/pkg/cmd/pipeline/start.go b/pkg/cmd/pipeline/start.go
@@ -135,6 +135,13 @@ For passing the workspaces via flags:
    resources:
      requests:
        storage: 1Gi
+- In case of binding a CSI workspace, you can pass it like -w name=my-csi,csiFile=csi.yaml
+  but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+  driver: secrets-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault-database"
 `,
 		SilenceUsage: true,
 

diff --git a/pkg/cmd/task/start.go b/pkg/cmd/task/start.go
@@ -148,6 +148,13 @@ For passing the workspaces via flags:
    resources:
      requests:
        storage: 1Gi
+- In case of binding a CSI workspace, you can pass it like -w name=my-csi,csiFile=csi.yaml
+  but you need to create a csi.yaml file before hand. Sample contents of the file are as follows:
+
+  driver: secrets-store.csi.k8s.io
+  readOnly: true
+  volumeAttributes:
+    secretProviderClass: "vault-database"
 `,
 		SilenceUsage:      true,
 		ValidArgsFunction: formatted.ParentCompletion,

diff --git a/pkg/formatted/workspace.go b/pkg/formatted/workspace.go
@@ -41,6 +41,9 @@ func Workspace(ws v1beta1.WorkspaceBinding) string {
 		secret := getWorkspaceSecret(ws.Secret)
 		return fmt.Sprintf("Secret (%s)", secret)
 	}
+	if ws.CSI != nil {
+		return fmt.Sprintf("CSI (Driver=%s)", ws.CSI.Driver)
+	}
 	return ""
 }
 

diff --git a/pkg/formatted/workspace_test.go b/pkg/formatted/workspace_test.go
@@ -47,6 +47,12 @@ func TestWorkspace(t *testing.T) {
 				SecretName: "foobar",
 			},
 		},
+		{
+			Name: "csi",
+			CSI: &corev1.CSIVolumeSource{
+				Driver: "secrets-store.csi.k8s.io",
+			},
+		},
 	}
 	defaultEmptyWorkspaceStr := Workspace(workspaceSpec[0]) // EmptyDir workspace with default storage medium
 	assert.Equal(t, defaultEmptyWorkspaceStr, "EmptyDir (emptyDir=)")
@@ -59,4 +65,7 @@ func TestWorkspace(t *testing.T) {
 
 	secretWorkspaceStr := Workspace(workspaceSpec[3]) // Secret Workspace
 	assert.Equal(t, secretWorkspaceStr, "Secret (secret=foobar)")
+
+	csiWorkspaceStr := Workspace(workspaceSpec[4]) // CSI Workspace
+	assert.Equal(t, csiWorkspaceStr, "CSI (Driver=secrets-store.csi.k8s.io)")
 }
diff --git a/pkg/workspaces/testdata/csi-typo.yaml b/pkg/workspaces/testdata/csi-typo.yaml
@@ -0,0 +1,4 @@
+drive: secrets-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+  secretProviderClass: "vault-database"
diff --git a/pkg/workspaces/testdata/csi.yaml b/pkg/workspaces/testdata/csi.yaml
@@ -0,0 +1,4 @@
+driver: secrets-store.csi.k8s.io
+readOnly: true
+volumeAttributes:
+  secretProviderClass: "vault-database"
diff --git a/pkg/workspaces/workspaces.go b/pkg/workspaces/workspaces.go
@@ -35,6 +35,7 @@ var (
 	secretParam             = "secret"
 	configItemParam         = "item"
 	volumeClaimTemplateFile = "volumeClaimTemplateFile"
+	csiFile                 = "csiFile"
 )
 
 const invalidWorkspace = "invalid input format for workspace : "
@@ -88,47 +89,54 @@ func parseWorkspace(w []string, httpClient http.Client) (map[string]v1beta1.Work
 			return nil, err
 		}
 
-		// check for volumeClaimTemplate
-		vctFile, err := getPar(r, volumeClaimTemplateFile)
-		if err != nil {
-			err = setWorkspaceConfig(r, &wB)
-			if err == nil {
-				ws[name] = wB
-				nWB++
-			} else if err != errNotFoundParam {
+		if vctFile, err := getPar(r, volumeClaimTemplateFile); err == nil {
+			err = setWorkspaceVCTemplate(r, &wB, vctFile, httpClient)
+			if err != nil {
 				return nil, err
 			}
+			ws[name] = wB
+			continue
+		}
 
-			err = setWorkspaceSecret(r, &wB)
-			if err == nil {
-				ws[name] = wB
-				nWB++
-			} else if err != errNotFoundParam {
+		if csiFile, err := getPar(r, csiFile); err == nil {
+			err = setWorkspaceCSITemplate(r, &wB, csiFile, httpClient)
+			if err != nil {
 				return nil, err
 			}
+			ws[name] = wB
+			continue
+		}
 
-			err = setWorkspaceEmptyDir(r, &wB)
-			if err == nil {
-				ws[name] = wB
-				nWB++
-			}
+		err = setWorkspaceConfig(r, &wB)
+		if err == nil {
+			ws[name] = wB
+			nWB++
+		} else if err != errNotFoundParam {
+			return nil, err
+		}
 
-			err = setWorkspacePVC(r, &wB)
-			if err == nil {
-				ws[name] = wB
-				nWB++
-			}
+		err = setWorkspaceSecret(r, &wB)
+		if err == nil {
+			ws[name] = wB
+			nWB++
+		} else if err != errNotFoundParam {
+			return nil, err
+		}
 
-			if nWB != 1 {
-				return nil, errors.New(invalidWorkspace + v)
-			}
-		} else {
-			err = setWorkspaceVCTemplate(r, &wB, vctFile, httpClient)
-			if err != nil {
-				return nil, err
-			}
+		if err = setWorkspaceEmptyDir(r, &wB); err == nil {
 			ws[name] = wB
+			nWB++
 		}
+
+		if err = setWorkspacePVC(r, &wB); err == nil {
+			ws[name] = wB
+			nWB++
+		}
+
+		if nWB != 1 {
+			return nil, errors.New(invalidWorkspace + v)
+		}
+
 	}
 
 	return ws, nil
@@ -246,6 +254,16 @@ func setWorkspaceVCTemplate(r []string, wB *v1beta1.WorkspaceBinding, vctFile st
 	return nil
 }
 
+func setWorkspaceCSITemplate(r []string, wB *v1beta1.WorkspaceBinding, vctFile string, httpClient http.Client) error {
+	csi, err := parseCSITemplate(vctFile, httpClient)
+	if err != nil {
+		return err
+	}
+
+	wB.CSI = csi
+	return nil
+}
+
 func parseVolumeClaimTemplate(filePath string, httpClient http.Client) (*corev1.PersistentVolumeClaim, error) {
 	b, err := file.LoadFileContent(httpClient, filePath, file.IsYamlFile(), fmt.Errorf("invalid file format for %s: .yaml or .yml file extension and format required", filePath))
 	if err != nil {
@@ -264,6 +282,24 @@ func parseVolumeClaimTemplate(filePath string, httpClient http.Client) (*corev1.
 	return &pvc, nil
 }
 
+func parseCSITemplate(filePath string, httpClient http.Client) (*corev1.CSIVolumeSource, error) {
+	b, err := file.LoadFileContent(httpClient, filePath, file.IsYamlFile(), fmt.Errorf("invalid file format for %s: .yaml or .yml file extension and format required", filePath))
+	if err != nil {
+		return nil, err
+	}
+	m := map[string]interface{}{}
+	err = yaml.UnmarshalStrict(b, &m)
+	if err != nil {
+		return nil, err
+	}
+
+	csi := corev1.CSIVolumeSource{}
+	if err := yaml.UnmarshalStrict(b, &csi); err != nil {
+		return nil, err
+	}
+	return &csi, nil
+}
+
 func getPar(r []string, par string) (string, error) {
 	var p string
 	for i := range r {