@Yannig thanks for the issue. Indeed it's not supported yet. We may need to rework our "variable interpolation" implementation as, for now, it only supports a small set of things and is not "extendable" (aka on types we refer and that we don't "know in advance").

/kind feature

@vdemeester I made a fix for my specific case but maybe I could try to work on something more generic.
What do you think?

Right, we need to discuss the more "generic" approach. But we can fix the specific case in the mean time :angel:
/cc @sbwsg @jlpettersson @bobcatfish @skaegi

Is there any specific reason to mount the volume directly here, instead of using a PersistentVolumeClaim as shown in Container Storage Interface (CSI) for Kubernetes GA?

I think the intention with PVC was to decouple the app from storage-specific things (that may be specific to the platform.). In this case Tekton is "your app".

I also understand that all the _in-tree_ storage integrations will in future be more _external_ from the Kubernetes project. Kubernetes podcast about CSI.

In case a PVC is used, this can be used today, as how I understand, by specifying the storageClassName that is declared for your Storage type.

If we are going to have params for all kind of in-tree-volumes, there is a ton of them Kubernetes Volumes

@Yannig this use case come from Azure Secret Store examples, right? they have a few examples with _inline-volume_, but they also have a few examples using PV and PVC - that is methods to decouple the app, e.g. Tekton from the storage implementations. Would any of those satisfy your needs?

@jlpettersson Here I'm trying to mount a secret from Azure Vault using CSI for this purpose. The following example is close to what I'm trying to do: https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/examples/nginx-pod-secrets-store-inline-volume-secretproviderclass-podid.yaml

@Yannig that would be, like this without _inlining_ the volume:

apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-secrets-store
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadOnlyMany
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: secrets-store.csi.k8s.io
    readOnly: true
    volumeAttributes:
      secretProviderClass:
        secretProviderClass: "azure-kvname"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-secrets-store
spec:
  accessModes:
    - ReadOnlyMany
  resources:
    requests:
      storage: 1Gi
  volumeName: pv-secrets-store
  storageClassName: ""

and then used by a TaskRun or PipelineRun as a PVC workspace by declaring the PVC as:

    persistentVolumeClaim:
      claimName: pvc-secrets-store

by following pv example, pvc example and store pvc example

should work, right?

without adding anyting that is tightly coupled with CSI-volumes to Tekton.

@jlpettersson Thanks, I got the idea now. I'll do some test and give you feedback then :)

and then used by a TaskRun or PipelineRun as a PVC workspace by declaring the PVC as:

Actually, if you want, this can be set as a PersistentVolumeClaim in the Task, and pass the PVC ClaimName as a Parameter and do this reference (very similar to your initial example), too bad it is not well documented.

  volumes:
    - name: "secrets"
      persistentVolumeClaim:
        name: "$(params.claimName)"

By doing it like this, you can pass claimName as a parameter and do not need to use a PVC workspace in the PipelineRun.

Hi @jlpettersson

I was able to do some experiment and I get an error while trying to mount this kind of volume:

Events:
  Type     Reason       Age              From                                                  Message
  ----     ------       ----             ----                                                  -------
  Normal   Scheduled    8s               default-scheduler                                     Successfully assigned default/read-az-vault-secret-74bcb4c98b-gqr78 to ip-192-168-20-54.eu-west-1.compute.internal
  Warning  FailedMount  1s (x5 over 8s)  kubelet, ip-192-168-20-54.eu-west-1.compute.internal  MountVolume.NewMounter initialization failed for volume "pv-secrets-store" : volume mode "Persistent" not supported by driver secrets-store.csi.k8s.io (only supports ["Ephemeral"])

The driver does not support to be used through a PV: you must use this kind of volume through a Ephemeral definition (ie directly in a pod definition).

@Yannig sorry for late response on this.

The driver does not support to be used through a PV: you must use this kind of volume through a Ephemeral definition (ie directly in a pod definition).

Ah, I see. This seem to be a newer limitation in recent Kubernetes versions, ref CSI ephemeral inline volumes

In Tekton v0.13, a new feature, TaskRunSpecs was introduced - that allow you to declare _inline volumes_ in the PipelineRun for a specific TaskRun. As elaborated about in https://github.com/tektoncd/pipeline/issues/2680 - this way to declare volumes, let you design Tasks so that they are independent on what kind of volumes they are used with, e.g. a user could declare a PersistentVolumeClaim or a CSI inline volume in the TaskRunSpec - but they use the same Task.

An example, possible from Tekton v0.13+

apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  generateName: git-clone-ssh-
spec:
  pipelineRef:
    name: pipeline-with-git-clone
  taskRunSpecs:
  - pipelineTaskName: git-clone         # name of task in the Pipeline
    taskPodTemplate:
      volumes:
      - name: secrets
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-kvname"
          nodePublishSecretRef:
            name: "secrets-store-creds"

Thanks for your answer. I will try to do some experiment and give you feedback as soon as possible.