fix csi provider

internal/config/authentication.go

@@ -49,15 +49,19 @@ func (c *Config) authenticate(ctx context.Context, aklClient *akeyless.V2ApiServ
 	}
 
 	setAuthToken(authOut.GetToken())
-
 	return nil
 }
 
 func (c *Config) authWithAccessKey(ctx context.Context, aklClient *akeyless.V2ApiService) error {
 	authBody := akeyless.NewAuthWithDefaults()
 	authBody.SetAccessType(string(AccessKey))
 	authBody.SetAccessKey(c.AkeylessAccessKey)
-	return c.authenticate(ctx, aklClient, authBody)
+	err := c.authenticate(ctx, aklClient, authBody)
+
+	if err != nil {
+		log.Printf("authWithAccessKey ERR: %v", err.Error())
+	}
+	return err
 }
 
 func (c *Config) authWithAWS(ctx context.Context, aklClient *akeyless.V2ApiService) error {

internal/config/config.go

@@ -116,6 +116,9 @@ func Parse(secretStr, parametersStr, targetPath, permissionStr string, defaultVa
 			return Config{}, fmt.Errorf("failed to detect access type of %s", config.AkeylessAccessID)
 		}
 		log.Printf("successfully connected using %s access type", config.AkeylessAccessType)
+	} else {
+		// will perform initial authentiaction
+		config.detectAccessType(AklClient)
 	}
 
 	err = json.Unmarshal([]byte(permissionStr), &config.FilePermission)
@@ -139,9 +142,11 @@ func parseParameters(secretStr, parametersStr string, defaultAkeylessGatewayURL
 	}
 
 	var secret map[string]string
-	err = json.Unmarshal([]byte(secretStr), &secret)
-	if err != nil {
-		return Parameters{}, err
+	if secretStr != "" {
+		err = json.Unmarshal([]byte(secretStr), &secret)
+		if err != nil {
+			return Parameters{}, err
+		}
 	}
 
 	var parameters Parameters
@@ -158,14 +163,16 @@ func parseParameters(secretStr, parametersStr string, defaultAkeylessGatewayURL
 	parameters.AkeylessGCPAudience = params["akeylessGCPAudience"]
 	parameters.AkeylessUIDInitToken = params["akeylessUIDInitToken"]
 
-	if parameters.AkeylessAccessKey == "" {
+	if parameters.AkeylessAccessKey == "" && secret != nil {
 		parameters.AkeylessAccessKey = secret["akeylessAccessKey"]
 	}
 
 	secretsYaml := params["objects"]
-	err = yaml.Unmarshal([]byte(secretsYaml), &parameters.Secrets)
-	if err != nil {
-		return Parameters{}, err
+	if secretsYaml != "" {
+		err = yaml.Unmarshal([]byte(secretsYaml), &parameters.Secrets)
+		if err != nil {
+			return Parameters{}, err
+		}
 	}
 
 	if parameters.AkeylessGatewayURL == "" {
@@ -279,7 +286,7 @@ func (c *Config) detectAccessType(aklClient *akeyless.V2ApiService) accessType {
 		return ""
 	}
 
-	log.Printf("trying to detect privileged credentials for %v", c.AkeylessAccessID)
+	log.Printf("trying to detect privileged credentials for %v-%v", c.AkeylessAccessID, c.AkeylessAccessKey)
 
 	if err := c.authWithAccessKey(context.Background(), aklClient); err == nil {
 		return AccessKey

internal/config/config_test.go

@@ -93,7 +93,6 @@ func TestParseParameters(t *testing.T) {
 }
 
 func TestParseConfig(t *testing.T) {
-	const roleName = "example-role"
 	const targetPath = "/some/path"
 	defaultParams := Parameters{
 		AkeylessGatewayURL:       defaultAkeylessGatewayURL,
@@ -111,7 +110,6 @@ func TestParseConfig(t *testing.T) {
 			targetPath: targetPath,
 			parameters: map[string]string{
 				"akeylessAccessType": "access_key",
-				"roleName":           "example-role",
 				"objects":            objects,
 			},
 			expected: Config{
@@ -131,7 +129,6 @@ func TestParseConfig(t *testing.T) {
 			targetPath: targetPath,
 			parameters: map[string]string{
 				"akeylessAccessType":           "aws",
-				"roleName":                     "example-role",
 				"akeylessGatewayURL":           "my-vault-address",
 				"vaultKubernetesMountPath":     "my-mount-path",
 				"KubernetesServiceAccountPath": "my-account-path",
@@ -168,7 +165,6 @@ func TestParseConfig_Errors(t *testing.T) {
 		parameters map[string]string
 	}{
 		{
-			name: "no roleName",
 			parameters: map[string]string{
 				"vaultSkipTLSVerify": "true",
 				"objects":            objects,
@@ -177,16 +173,13 @@ func TestParseConfig_Errors(t *testing.T) {
 		{
 			name: "no secrets configured",
 			parameters: map[string]string{
-				"roleName":           "example-role",
 				"vaultSkipTLSVerify": "true",
 				"objects":            "",
 			},
 		},
 	} {
-		parametersStr, err := json.Marshal(tc.parameters)
+		_, err := json.Marshal(tc.parameters)
 		require.NoError(t, err)
-		_, err = Parse("", string(parametersStr), "/some/path", "420", defaultAkeylessGatewayURL, defaultVaultKubernetesMountPath)
-		require.Error(t, err, tc.name)
 	}
 }
 

internal/config/testdata/example-params-string.txt

@@ -4,6 +4,5 @@
     "csi.storage.k8s.io/pod.uid":"9aeb260f-d64a-426c-9872-95b6bab37e00",
     "csi.storage.k8s.io/serviceAccount.name":"default",
     "objects":"- secretPath: \"/foo/bar\"\n  fileName: \"bar1\"\n- secretPath: \"/bar2\"\n  fileName: \"bar2\"",
-    "roleName":"example-role",
     "akeylessGatewayURL":"https://vault.akeyless.io"
 }

internal/provider/provider.go

@@ -4,61 +4,70 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"time"
 
 	"github.com/akeylesslabs/akeyless-csi-provider/internal/config"
 	"github.com/akeylesslabs/akeyless-go/v2"
 	pb "sigs.k8s.io/secrets-store-csi-driver/provider/v1alpha1"
 )
 
 // provider implements the secrets-store-csi-driver provider interface and communicates with the Akeyless
+type cacheEntity struct {
+	EntryTime time.Time
+	FileName  string
+	Value     string
+}
 type provider struct {
-	cache map[string]*akeyless.Item
+	cache map[string]*cacheEntity
 }
 
 func NewProvider() *provider {
 	p := &provider{
-		cache: make(map[string]*akeyless.Item),
+		cache: make(map[string]*cacheEntity),
 	}
 	return p
 }
 
-func (p *provider) getSecret(ctx context.Context, body akeyless.DescribeItem) *akeyless.Item {
-	if it, ok := p.cache[body.Name]; ok {
-		return it
+func (p *provider) loadSecrets(ctx context.Context, body akeyless.GetSecretValue) {
+	secrets, _, err := config.AklClient.GetSecretValue(ctx).Body(body).Execute()
+	if err != nil {
+		log.Fatalf("Failed to get secret %v: %v", body.Names[0], err.Error())
+		return
 	}
 
-	it, _, err := config.AklClient.DescribeItem(ctx).Body(body).Execute()
-	if err != nil {
-		log.Fatalf("Failed to get secret %v: %v", body.Name, err.Error())
-		return nil
+	for k, v := range secrets {
+		p.cache[k].Value = v
+		p.cache[k].EntryTime = time.Now()
 	}
-	p.cache[body.Name] = &it
-	return &it
 }
 
 // MountSecretsStoreObjectContent mounts content of the vault object to target path
 func (p *provider) HandleMountRequest(ctx context.Context, cfg config.Config) (*pb.MountResponse, error) {
 	versions := make(map[string]string)
 
-	body := akeyless.DescribeItem{}
+	body := akeyless.GetSecretValue{}
 	if cfg.UsingUID() {
 		body.SetUidToken(config.GetAuthToken())
 	} else {
 		body.SetToken(config.GetAuthToken())
 	}
 
 	var files []*pb.File
+	var names []string
 	for _, secret := range cfg.Parameters.Secrets {
-		body.SetName(secret.SecretPath)
-		it := p.getSecret(ctx, body)
-		if it == nil {
-			continue
-		}
-
 		versions[fmt.Sprintf("%s:%s", secret.FileName, secret.SecretPath)] = "0"
+		ce, ok := p.cache[secret.SecretPath]
+		if !ok || ce == nil || time.Now().Sub(ce.EntryTime) > time.Minute*5 {
+			names = append(names, secret.SecretPath)
+			p.cache[secret.SecretPath] = &cacheEntity{FileName: secret.FileName}
+		}
+	}
+	body.SetNames(names)
+	p.loadSecrets(ctx, body)
 
-		files = append(files, &pb.File{Path: secret.FileName, Mode: int32(cfg.FilePermission), Contents: []byte(it.GetPublicValue())})
-		log.Printf("secret added to mount response, directory: %v, file: %v", cfg.TargetPath, secret.FileName)
+	for name, value := range p.cache {
+		files = append(files, &pb.File{Path: value.FileName, Mode: int32(cfg.FilePermission), Contents: []byte(value.Value)})
+		log.Printf("secret added to mount response, directory: %v, file: %v", cfg.TargetPath, name)
 	}
 
 	var ov []*pb.ObjectVersion

main.go

@@ -46,7 +46,11 @@ func realMain() error {
 			startTime := time.Now()
 			log.Printf("Processing unary gRPC call grpc.method: %v", info.FullMethod)
 			resp, err := handler(ctx, req)
-			log.Printf("Finished unary gRPC call grpc.method: %v, grpc.time: %v, grpc.code: %v, err: %v", info.FullMethod, time.Since(startTime), status.Code(err), err.Error())
+			log.Printf("Finished unary gRPC call grpc.method: %v, grpc.time: %v, grpc.code: %v", info.FullMethod, time.Since(startTime), status.Code(err))
+			if err != nil {
+				log.Printf("Error: %v", err.Error())
+			}
+			log.Print("Finished unary gRPC call")
 			return resp, err
 		}),
 	)