Merge pull request #955 from andyzhangx/fix-blobfuse-msi-dynamic-supp…

…ort-1.21 [release-1.21] fix: dynamic provisioning support with blobfuse msi auth
kubernetes-sigs · Jun 15, 2023 · 92a59b8 · 92a59b8
2 parents 7164673 + bf37bf3
commit 92a59b8
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 62 deletions.
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -47,62 +47,68 @@ import (
 
 const (
 	// DefaultDriverName holds the name of the csi-driver
-	DefaultDriverName            = "blob.csi.azure.com"
-	blobCSIDriverName            = "blob_csi_driver"
-	separator                    = "#"
-	volumeIDTemplate             = "%s#%s#%s#%s#%s#%s"
-	secretNameTemplate           = "azure-storage-account-%s-secret"
-	serverNameField              = "server"
-	storageEndpointSuffixField   = "storageendpointsuffix"
-	tagsField                    = "tags"
-	matchTagsField               = "matchtags"
-	protocolField                = "protocol"
-	accountNameField             = "accountname"
-	accountKeyField              = "accountkey"
-	storageAccountField          = "storageaccount"
-	storageAccountTypeField      = "storageaccounttype"
-	skuNameField                 = "skuname"
-	subscriptionIDField          = "subscriptionid"
-	resourceGroupField           = "resourcegroup"
-	locationField                = "location"
-	secretNameField              = "secretname"
-	secretNamespaceField         = "secretnamespace"
-	containerNameField           = "containername"
-	containerNamePrefixField     = "containernameprefix"
-	storeAccountKeyField         = "storeaccountkey"
-	isHnsEnabledField            = "ishnsenabled"
-	softDeleteBlobsField         = "softdeleteblobs"
-	softDeleteContainersField    = "softdeletecontainers"
-	enableBlobVersioningField    = "enableblobversioning"
-	getAccountKeyFromSecretField = "getaccountkeyfromsecret"
-	storageSPNClientIDField      = "azurestoragespnclientid"
-	storageSPNTenantIDField      = "azurestoragespntenantid"
-	keyVaultURLField             = "keyvaulturl"
-	keyVaultSecretNameField      = "keyvaultsecretname"
-	keyVaultSecretVersionField   = "keyvaultsecretversion"
-	storageAccountNameField      = "storageaccountname"
-	allowBlobPublicAccessField   = "allowblobpublicaccess"
-	requireInfraEncryptionField  = "requireinfraencryption"
-	ephemeralField               = "csi.storage.k8s.io/ephemeral"
-	podNamespaceField            = "csi.storage.k8s.io/pod.namespace"
-	mountOptionsField            = "mountoptions"
-	falseValue                   = "false"
-	trueValue                    = "true"
-	defaultSecretAccountName     = "azurestorageaccountname"
-	defaultSecretAccountKey      = "azurestorageaccountkey"
-	accountSasTokenField         = "azurestorageaccountsastoken"
-	msiSecretField               = "msisecret"
-	storageSPNClientSecretField  = "azurestoragespnclientsecret"
-	Fuse                         = "fuse"
-	Fuse2                        = "fuse2"
-	NFS                          = "nfs"
-	vnetResourceGroupField       = "vnetresourcegroup"
-	vnetNameField                = "vnetname"
-	subnetNameField              = "subnetname"
-	accessTierField              = "accesstier"
-	networkEndpointTypeField     = "networkendpointtype"
-	mountPermissionsField        = "mountpermissions"
-	useDataPlaneAPIField         = "usedataplaneapi"
+	DefaultDriverName              = "blob.csi.azure.com"
+	blobCSIDriverName              = "blob_csi_driver"
+	separator                      = "#"
+	volumeIDTemplate               = "%s#%s#%s#%s#%s#%s"
+	secretNameTemplate             = "azure-storage-account-%s-secret"
+	serverNameField                = "server"
+	storageEndpointSuffixField     = "storageendpointsuffix"
+	tagsField                      = "tags"
+	matchTagsField                 = "matchtags"
+	protocolField                  = "protocol"
+	accountNameField               = "accountname"
+	accountKeyField                = "accountkey"
+	storageAccountField            = "storageaccount"
+	storageAccountTypeField        = "storageaccounttype"
+	skuNameField                   = "skuname"
+	subscriptionIDField            = "subscriptionid"
+	resourceGroupField             = "resourcegroup"
+	locationField                  = "location"
+	secretNameField                = "secretname"
+	secretNamespaceField           = "secretnamespace"
+	containerNameField             = "containername"
+	containerNamePrefixField       = "containernameprefix"
+	storeAccountKeyField           = "storeaccountkey"
+	isHnsEnabledField              = "ishnsenabled"
+	softDeleteBlobsField           = "softdeleteblobs"
+	softDeleteContainersField      = "softdeletecontainers"
+	enableBlobVersioningField      = "enableblobversioning"
+	getAccountKeyFromSecretField   = "getaccountkeyfromsecret"
+	storageSPNClientIDField        = "azurestoragespnclientid"
+	storageSPNTenantIDField        = "azurestoragespntenantid"
+	storageAuthTypeField           = "azurestorageauthtype"
+	storageIentityClientIDField    = "azurestorageidentityclientid"
+	storageIdentityObjectIDField   = "azurestorageidentityobjectid"
+	storageIdentityResourceIDField = "azurestorageidentityresourceid"
+	msiEndpointField               = "msiendpoint"
+	storageAADEndpointField        = "azurestorageaadendpoint"
+	keyVaultURLField               = "keyvaulturl"
+	keyVaultSecretNameField        = "keyvaultsecretname"
+	keyVaultSecretVersionField     = "keyvaultsecretversion"
+	storageAccountNameField        = "storageaccountname"
+	allowBlobPublicAccessField     = "allowblobpublicaccess"
+	requireInfraEncryptionField    = "requireinfraencryption"
+	ephemeralField                 = "csi.storage.k8s.io/ephemeral"
+	podNamespaceField              = "csi.storage.k8s.io/pod.namespace"
+	mountOptionsField              = "mountoptions"
+	falseValue                     = "false"
+	trueValue                      = "true"
+	defaultSecretAccountName       = "azurestorageaccountname"
+	defaultSecretAccountKey        = "azurestorageaccountkey"
+	accountSasTokenField           = "azurestorageaccountsastoken"
+	msiSecretField                 = "msisecret"
+	storageSPNClientSecretField    = "azurestoragespnclientsecret"
+	Fuse                           = "fuse"
+	Fuse2                          = "fuse2"
+	NFS                            = "nfs"
+	vnetResourceGroupField         = "vnetresourcegroup"
+	vnetNameField                  = "vnetname"
+	subnetNameField                = "subnetname"
+	accessTierField                = "accesstier"
+	networkEndpointTypeField       = "networkendpointtype"
+	mountPermissionsField          = "mountpermissions"
+	useDataPlaneAPIField           = "usedataplaneapi"
 
 	// See https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names
 	containerNameMinLength = 3
@@ -409,22 +415,22 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			pvcNamespace = v
 		case getAccountKeyFromSecretField:
 			getAccountKeyFromSecret = strings.EqualFold(v, trueValue)
-		case "azurestorageauthtype":
+		case storageAuthTypeField:
 			azureStorageAuthType = v
 			authEnv = append(authEnv, "AZURE_STORAGE_AUTH_TYPE="+v)
-		case "azurestorageidentityclientid":
+		case storageIentityClientIDField:
 			authEnv = append(authEnv, "AZURE_STORAGE_IDENTITY_CLIENT_ID="+v)
-		case "azurestorageidentityobjectid":
+		case storageIdentityObjectIDField:
 			authEnv = append(authEnv, "AZURE_STORAGE_IDENTITY_OBJECT_ID="+v)
-		case "azurestorageidentityresourceid":
+		case storageIdentityResourceIDField:
 			authEnv = append(authEnv, "AZURE_STORAGE_IDENTITY_RESOURCE_ID="+v)
-		case "msiendpoint":
+		case msiEndpointField:
 			authEnv = append(authEnv, "MSI_ENDPOINT="+v)
 		case storageSPNClientIDField:
 			storageSPNClientID = v
 		case storageSPNTenantIDField:
 			storageSPNTenantID = v
-		case "azurestorageaadendpoint":
+		case storageAADEndpointField:
 			authEnv = append(authEnv, "AZURE_STORAGE_AAD_ENDPOINT="+v)
 		}
 	}

diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -153,6 +153,12 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case pvNameKey:
 			containerNameReplaceMap[pvNameMetadata] = v
 		case serverNameField:
+		case storageAuthTypeField:
+		case storageIentityClientIDField:
+		case storageIdentityObjectIDField:
+		case storageIdentityResourceIDField:
+		case msiEndpointField:
+		case storageAADEndpointField:
 			// no op, only used in NodeStageVolume
 		case storageEndpointSuffixField:
 			storageEndpointSuffix = v

diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go
@@ -546,6 +546,12 @@ func TestCreateVolume(t *testing.T) {
 				mp[resourceGroupField] = "unit-test"
 				mp[containerNameField] = "unit-test"
 				mp[mountPermissionsField] = "0750"
+				mp[storageAuthTypeField] = "msi"
+				mp[storageIentityClientIDField] = "msi"
+				mp[storageIdentityObjectIDField] = "msi"
+				mp[storageIdentityResourceIDField] = "msi"
+				mp[msiEndpointField] = "msi"
+				mp[storageAADEndpointField] = "msi"
 				req := &csi.CreateVolumeRequest{
 					Name:               "unit-test",
 					VolumeCapabilities: stdVolumeCapabilities,