feat: support reading service account tokens from CSI secrets field for Kubernetes 1.35+

[aramase]

/kind feature

implementing changes for KEP: kubernetes/enhancements#5538

see https://github.com/kubernetes/enhancements/blob/master/keps/sig-storage/5538-csi-sa-tokens-secrets-field/README.md#driver-migration-example for why we're doing this.

NONE

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aramase
Once this PR has been reviewed and has the lgtm label, please assign andyzhangx for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[aramase]

@andyzhangx what's the best way to handle this in the helm charts? do you create a new version of chart for every Kubernetes release?

for 1.35+, we should have serviceAccountTokenInSecrets: true in the CSIDriver. See the KEP and example for how I'm handling this in Secrets Store CSI Driver: kubernetes-sigs/secrets-store-csi-driver#1979 for reference.

[Copilot]

Pull request overview

This PR implements support for reading service account tokens from the CSI secrets field as specified in Kubernetes KEP-5538, enabling forward compatibility with Kubernetes 1.35+ while maintaining backward compatibility with the existing volumeContext approach.

Changes:

• Added getServiceAccountTokens helper function to check secrets field first, then fall back to volumeContext
• Updated NodePublishVolume and NodeStageVolume to use the new helper function for retrieving service account tokens
• Added comprehensive unit tests for the new helper function covering all scenarios including nil maps and priority ordering

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
pkg/azurefile/nodeserver.go	Implements the new getServiceAccountTokens helper function and integrates it into NodePublishVolume and NodeStageVolume to support reading service account tokens from the secrets field
pkg/azurefile/nodeserver_test.go	Adds unit tests for the getServiceAccountTokens function covering new behavior, backward compatibility, and edge cases with nil maps

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[andyzhangx]

is this assignment already covered by L822: serviceAccountToken = getValueInMap(secrets, serviceAccountTokenField)?

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

NodePublishVolume now forwards req.Secrets to NodeStageVolume only in the service-account-token branch, but the ephemeral volume path still calls NodeStageVolume without Secrets. With Kubernetes 1.35+ token delivery via request.Secrets, this can cause NodeStageVolume to treat the token as missing (and potentially skip staging when clientID is set). Consider passing the same secrets map in the ephemeral NodeStageVolumeRequest as well to keep behavior consistent.

[Copilot]

The token-precedence change (prefer Secrets over volumeContext) in GetAccountInfo isn’t covered by existing TestGetAccountInfo cases in pkg/azurefile/azurefile_test.go. Add a test that sets serviceAccountTokenField in secrets and a different value in reqContext to ensure secrets wins, plus a fallback case when secrets doesn’t include the token.

[k8s-ci-robot]

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.