CSI volumes on Kubernetes runner

Hello All,

I am running CE GitLab 13.9.3 on a Kubernetes cluster with a 13.9 Kubernetes Runner.
I am trying to mount on the build pods a CSI volume as instructed here https://docs.gitlab.com/runner/kubernetes.html#using-volumes

The driver I am using is secrets-store.csi.k8s.io
I need to provide to the pods a volume attribute and a secret reference so here is the toml I am embedding in the helm chart

[[runners]]
  [runners.kubernetes]
    image = "ubuntu:18.04"
    namespace = "runner"
    privileged = true
    service_account = "sa"
    locked = false
    cpu_request = "100m"
    cpu_request_overwrite_max_allowed = "500m"
    memory_request = "128Mi"
    memory_request_overwrite_max_allowed = "512Mi"
    [[runners.kubernetes.volumes.host_path]]
      read_only = false
      host_path = "/data"
      mount_path = "/data"
      name = "data"
    [[runners.kubernetes.volumes.csi]]
      name = "csi-volume"
      mount_path = "/secrets-store"
      driver = "secrets-store.csi.k8s.io"
      read_only = true
      [runners.kubernetes.volumes.csi.volume_attributes]
        secretProviderClass = "class"
      [runners.kubernetes.volumes.csi.NodePublishSecretRef]
        name = "secret"
    [runners.kubernetes.node_tolerations]
      "Runners=true" = "NoSchedule"
    [runners.kubernetes.node_selector]
      "agentpool" = "slaves"

secretProviderClass is a CRD that exists in the cluster

The pod starts, the host path volume is well mounted but the csi one isn’t. The weird thing is that the csi configuration looks like it is ignored, i.e. I can put wrong values in the attributes or the driver without getting any error.
Has anyone managed to make this work?

Thanks for your help

Hi @santr
did you look in the YAML definition of the Job Pod if the mount is defined there?

hi @balonik

no it’s not. Only the host path mount is available (and the standard emptydir and runner secret ones)

@santr did you install it using Helm or the new GitLab Runner Operator?

I think I was able to reproduce that the runners.kubernetes.volumes.csi is omitted from the template and not merged into the config.toml
I have raised an issue for it, because I will need this to work as well.

ok thanks.

It would be great if they could add other csi properties such as NodePublishSecretRef

it seems fixed in version 13.11

However I need nodePublishSecretRef property to be taken into account.
This property is not a csi.volume_attribute so it seems not to be considered by the runner toml

I suppose you need to create a feature request to support that custom property.
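
The check suggested earlier in the thread (looking at the job pod's definition to see whether the CSI mount was rendered) can be scripted. The following is an added example, not part of the original posts and not GitLab's code: `check_csi_volume` is a hypothetical helper, and the sample pod is constructed to resemble `kubectl get pod <job-pod> -n runner -o json` output showing the symptom described above.

```python
import json

# Constructed sample: trimmed job pod JSON in which only the host_path volume
# was rendered and the CSI volume from the runner TOML is absent.
SAMPLE_POD = json.loads("""
{"spec": {"volumes": [
   {"name": "data", "hostPath": {"path": "/data"}},
   {"name": "repo", "emptyDir": {}}
 ],
 "containers": [{"name": "build", "volumeMounts": [
   {"name": "data", "mountPath": "/data"},
   {"name": "repo", "mountPath": "/builds"}
 ]}]}}
""")

def check_csi_volume(pod, name, driver, mount_path, attributes=None, secret_ref=None):
    """Return a list of problems; an empty list means the CSI volume is fully present."""
    spec = pod.get("spec", {})
    vol = next((v for v in spec.get("volumes", []) if v.get("name") == name), None)
    if vol is None:
        return [f"volume {name!r} missing from pod spec"]
    csi = vol.get("csi")
    if csi is None:
        return [f"volume {name!r} is not a CSI volume"]
    problems = []
    if csi.get("driver") != driver:
        problems.append(f"driver is {csi.get('driver')!r}, expected {driver!r}")
    if not csi.get("readOnly"):
        problems.append("volume is not readOnly")
    # volumeAttributes carries driver-specific keys such as secretProviderClass.
    for key, want in (attributes or {}).items():
        got = csi.get("volumeAttributes", {}).get(key)
        if got != want:
            problems.append(f"volumeAttributes[{key!r}] is {got!r}, expected {want!r}")
    # nodePublishSecretRef is a separate field of the CSI volume source.
    if secret_ref and csi.get("nodePublishSecretRef", {}).get("name") != secret_ref:
        problems.append(f"nodePublishSecretRef is not {secret_ref!r}")
    for c in spec.get("containers", []):
        mounts = {m["name"]: m for m in c.get("volumeMounts", [])}
        if mounts.get(name, {}).get("mountPath") != mount_path:
            problems.append(f"container {c['name']!r} does not mount {name!r} at {mount_path}")
    return problems

if __name__ == "__main__":
    for p in check_csi_volume(SAMPLE_POD, "csi-volume", "secrets-store.csi.k8s.io",
                              "/secrets-store", {"secretProviderClass": "class"}, "secret"):
        print("FAIL:", p)
```

Running the same check against a real job pod after a runner upgrade shows whether the volume is rendered at all and, separately, whether `nodePublishSecretRef` made it into the pod spec.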