[manila-csi-plugin] remove the necessity of having credentials for nodeserver #2710

Open
kayrus opened this issue Nov 13, 2024 · 0 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@kayrus
Contributor

kayrus commented Nov 13, 2024

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened:

This task is similar to #2655
Currently the manila CSI nodeserver takes credentials from the node-publish-secret-* and node-stage-secret-* secrets. In k8s setups where the CSI controller resides in the admin control-plane cluster and the nodeserver resides in the actual workload cluster, having the secrets required for the nodeserver is a security risk.

What you expected to happen:

nodeserver should not have access to OpenStack secrets; all the operations (such as getting export locations and setting access rights) which require credentials can be done on the controller side.

How to reproduce it:

n/a

Anything else we need to know?:

Currently the node's kubelet gets the secret's data from the reference and combines CSI requests with the secrets, which are then forwarded to the nodecontroller:

kubernetes$ grep -r ' = getCredentialsFromSecret' pkg/
pkg/volume/csi/csi_block.go:            nodeStageSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodeStageSecretRef)
pkg/volume/csi/csi_block.go:            nodePublishSecrets, err = getCredentialsFromSecret(m.k8s, csiSource.NodePublishSecretRef)
pkg/volume/csi/csi_attacher.go:         nodeStageSecrets, err = getCredentialsFromSecret(c.k8s, csiSource.NodeStageSecretRef)
pkg/volume/csi/expander.go:             nodeExpandSecrets, err = getCredentialsFromSecret(expandClient, csiSource.NodeExpandSecretRef)
pkg/volume/csi/csi_mounter.go:          nodePublishSecrets, err = getCredentialsFromSecret(c.k8s, secretRef)

Environment:

  • openstack-cloud-controller-manager(or other related binary) version:
  • OpenStack version:
  • Others:
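As an added example (not code from the issue or from cloud-provider-openstack), a small audit script that walks PersistentVolume and StorageClass objects and reports which ones reference node-stage/node-publish/node-expand secrets, i.e. which volumes make kubelet hand credentials to the node plugin in the way described above. It assumes the standard `spec.csi.*SecretRef` PV fields and the `csi.storage.k8s.io/node-*-secret-*` StorageClass parameter keys; the sample objects and the driver name `manila.example` are constructed.

```python
# Added example, not code from the issue or the cloud-provider-openstack project.
# Inventory which PersistentVolumes and StorageClasses hand credentials to a CSI
# node plugin through the node-stage/node-publish/node-expand secret references
# that kubelet resolves. Input is the dict form of `kubectl get pv,sc -o json` items.

PV_NODE_FIELDS = ("nodeStageSecretRef", "nodePublishSecretRef", "nodeExpandSecretRef")
SC_NODE_PREFIXES = tuple(
    f"csi.storage.k8s.io/node-{op}-secret-" for op in ("stage", "publish", "expand"))

def pv_node_secret_refs(pv):
    """Node-side secret refs on a CSI PersistentVolume as (field, 'namespace/name')."""
    csi = pv.get("spec", {}).get("csi") or {}
    return [(f, f"{csi[f].get('namespace', '')}/{csi[f].get('name', '')}")
            for f in PV_NODE_FIELDS if csi.get(f)]

def sc_node_secret_params(sc):
    """StorageClass parameter keys that make the provisioner set node-side secret refs."""
    return sorted(k for k in (sc.get("parameters") or {}) if k.startswith(SC_NODE_PREFIXES))

def audit(objects):
    """Return {'Kind/name': hits} for every object that exposes a secret to the node plugin."""
    report = {}
    for obj in objects:
        kind, name = obj.get("kind"), obj.get("metadata", {}).get("name")
        if kind == "PersistentVolume":
            hits = pv_node_secret_refs(obj)
        elif kind == "StorageClass":
            hits = sc_node_secret_params(obj)
        else:
            continue  # other kinds carry no CSI secret references
        if hits:
            report[f"{kind}/{name}"] = hits
    return report

# Constructed samples: a PV with node-side refs, a PV with only a controller-side
# ref (the model the issue asks for), and a StorageClass configuring node-stage secrets.
SECRET = {"name": "csi-manila-secrets", "namespace": "kube-system"}
SAMPLE_OBJECTS = [
    {"kind": "PersistentVolume", "metadata": {"name": "pv-manila-a"},
     "spec": {"csi": {"driver": "manila.example", "volumeHandle": "vol-a",
                      "nodeStageSecretRef": SECRET, "nodePublishSecretRef": SECRET}}},
    {"kind": "PersistentVolume", "metadata": {"name": "pv-manila-b"},
     "spec": {"csi": {"driver": "manila.example", "volumeHandle": "vol-b",
                      "controllerPublishSecretRef": SECRET}}},
    {"kind": "StorageClass", "metadata": {"name": "csi-manila-nfs"},
     "parameters": {"csi.storage.k8s.io/node-stage-secret-name": "csi-manila-secrets",
                    "csi.storage.k8s.io/node-stage-secret-namespace": "kube-system"}},
]
```

Running `audit(SAMPLE_OBJECTS)` flags pv-manila-a and the StorageClass but not pv-manila-b, whose only secret reference stays on the controller side.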
@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 13, 2024