feat: provide a flag to access key using Azure api with inline volume

refine

fix

charts/README.md

@@ -117,6 +117,7 @@ The following table lists the configurable parameters of the latest Azure Blob S
 | `node.cloudConfigSecretName`                          | cloud config secret name of node driver               | `azure-cloud-provider`
 | `node.cloudConfigSecretNamespace`                     | cloud config secret namespace of node driver          | `kube-system`
 | `node.allowEmptyCloudConfig`                          | Whether allow running node driver without cloud config          | `true`
+| `node.allowInlineVolumeKeyAccessWithIdentity`         | Whether allow accessing storage account key using cluster identity for inline volume          | `false`
 | `node.maxUnavailable`                                 | `maxUnavailable` value of driver node daemonset       | `1`
 | `node.metricsPort`                                    | metrics port of csi-blob-node                         | `29635`                                                          |
 | `node.livenessProbe.healthPort `                      | health check port for liveness probe                  | `29633` |

charts/latest/blob-csi-driver/templates/csi-blob-node.yaml

@@ -125,6 +125,7 @@ spec:
             - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}"
             - "--append-timestamp-cache-dir={{ .Values.node.appendTimeStampInCacheDir }}"
             - "--mount-permissions={{ .Values.node.mountPermissions }}"
+            - "--allow-inline-volume-key-access-with-idenitity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
           ports:
             - containerPort: {{ .Values.node.livenessProbe.healthPort }}
               name: healthz

charts/latest/blob-csi-driver/values.yaml

@@ -108,6 +108,7 @@ node:
   cloudConfigSecretName: azure-cloud-provider
   cloudConfigSecretNamespace: kube-system
   allowEmptyCloudConfig: true
+  allowInlineVolumeKeyAccessWithIdentity: false
   maxUnavailable: 1
   metricsPort: 29635
   livenessProbe:

pkg/blob/blob.go

@@ -113,20 +113,21 @@ var (
 
 // DriverOptions defines driver parameters specified in driver deployment
 type DriverOptions struct {
-	NodeID                     string
-	DriverName                 string
-	CloudConfigSecretName      string
-	CloudConfigSecretNamespace string
-	CustomUserAgent            string
-	UserAgentSuffix            string
-	BlobfuseProxyEndpoint      string
-	EnableBlobfuseProxy        bool
-	BlobfuseProxyConnTimout    int
-	EnableBlobMockMount        bool
-	AllowEmptyCloudConfig      bool
-	EnableGetVolumeStats       bool
-	AppendTimeStampInCacheDir  bool
-	MountPermissions           uint64
+	NodeID                                 string
+	DriverName                             string
+	CloudConfigSecretName                  string
+	CloudConfigSecretNamespace             string
+	CustomUserAgent                        string
+	UserAgentSuffix                        string
+	BlobfuseProxyEndpoint                  string
+	EnableBlobfuseProxy                    bool
+	BlobfuseProxyConnTimout                int
+	EnableBlobMockMount                    bool
+	AllowEmptyCloudConfig                  bool
+	AllowInlineVolumeKeyAccessWithIdentity bool
+	EnableGetVolumeStats                   bool
+	AppendTimeStampInCacheDir              bool
+	MountPermissions                       uint64
 }
 
 // Driver implements all interfaces of CSI drivers
@@ -140,15 +141,16 @@ type Driver struct {
 	userAgentSuffix            string
 	blobfuseProxyEndpoint      string
 	// enableBlobMockMount is only for testing, DO NOT set as true in non-testing scenario
-	enableBlobMockMount       bool
-	enableBlobfuseProxy       bool
-	allowEmptyCloudConfig     bool
-	enableGetVolumeStats      bool
-	appendTimeStampInCacheDir bool
-	blobfuseProxyConnTimout   int
-	mountPermissions          uint64
-	mounter                   *mount.SafeFormatAndMount
-	volLockMap                *util.LockMap
+	enableBlobMockMount                    bool
+	enableBlobfuseProxy                    bool
+	allowEmptyCloudConfig                  bool
+	enableGetVolumeStats                   bool
+	allowInlineVolumeKeyAccessWithIdentity bool
+	appendTimeStampInCacheDir              bool
+	blobfuseProxyConnTimout                int
+	mountPermissions                       uint64
+	mounter                                *mount.SafeFormatAndMount
+	volLockMap                             *util.LockMap
 	// A map storing all volumes with ongoing operations so that additional operations
 	// for that same volume (as defined by VolumeID) return an Aborted error
 	volumeLocks *volumeLocks
@@ -164,20 +166,21 @@ type Driver struct {
 // does not support optional driver plugin info manifest field. Refer to CSI spec for more details.
 func NewDriver(options *DriverOptions) *Driver {
 	d := Driver{
-		volLockMap:                 util.NewLockMap(),
-		subnetLockMap:              util.NewLockMap(),
-		volumeLocks:                newVolumeLocks(),
-		cloudConfigSecretName:      options.CloudConfigSecretName,
-		cloudConfigSecretNamespace: options.CloudConfigSecretNamespace,
-		customUserAgent:            options.CustomUserAgent,
-		userAgentSuffix:            options.UserAgentSuffix,
-		blobfuseProxyEndpoint:      options.BlobfuseProxyEndpoint,
-		enableBlobfuseProxy:        options.EnableBlobfuseProxy,
-		blobfuseProxyConnTimout:    options.BlobfuseProxyConnTimout,
-		enableBlobMockMount:        options.EnableBlobMockMount,
-		allowEmptyCloudConfig:      options.AllowEmptyCloudConfig,
-		enableGetVolumeStats:       options.EnableGetVolumeStats,
-		mountPermissions:           options.MountPermissions,
+		volLockMap:                             util.NewLockMap(),
+		subnetLockMap:                          util.NewLockMap(),
+		volumeLocks:                            newVolumeLocks(),
+		cloudConfigSecretName:                  options.CloudConfigSecretName,
+		cloudConfigSecretNamespace:             options.CloudConfigSecretNamespace,
+		customUserAgent:                        options.CustomUserAgent,
+		userAgentSuffix:                        options.UserAgentSuffix,
+		blobfuseProxyEndpoint:                  options.BlobfuseProxyEndpoint,
+		enableBlobfuseProxy:                    options.EnableBlobfuseProxy,
+		allowInlineVolumeKeyAccessWithIdentity: options.AllowInlineVolumeKeyAccessWithIdentity,
+		blobfuseProxyConnTimout:                options.BlobfuseProxyConnTimout,
+		enableBlobMockMount:                    options.EnableBlobMockMount,
+		allowEmptyCloudConfig:                  options.AllowEmptyCloudConfig,
+		enableGetVolumeStats:                   options.EnableGetVolumeStats,
+		mountPermissions:                       options.MountPermissions,
 	}
 	d.Name = options.DriverName
 	d.Version = driverVersion

pkg/blob/nodeserver.go

@@ -77,9 +77,11 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	if context != nil {
 		if strings.EqualFold(context[ephemeralField], trueValue) {
 			context[secretNamespaceField] = context[podNamespaceField]
-			// only get storage account from secret
-			context[getAccountKeyFromSecretField] = trueValue
-			context[storageAccountField] = ""
+			if !d.allowInlineVolumeKeyAccessWithIdentity {
+				// only get storage account from secret
+				context[getAccountKeyFromSecretField] = trueValue
+				context[storageAccountField] = ""
+			}
 			klog.V(2).Infof("NodePublishVolume: ephemeral volume(%s) mount on %s, VolumeContext: %v", volumeID, target, context)
 			_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
 				StagingTargetPath: target,

pkg/blobplugin/main.go

@@ -36,24 +36,25 @@ func init() {
 }
 
 var (
-	endpoint                   = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
-	blobfuseProxyEndpoint      = flag.String("blobfuse-proxy-endpoint", "unix://tmp/blobfuse-proxy.sock", "blobfuse-proxy endpoint")
-	nodeID                     = flag.String("nodeid", "", "node id")
-	version                    = flag.Bool("version", false, "Print the version and exit.")
-	metricsAddress             = flag.String("metrics-address", "0.0.0.0:29634", "export the metrics")
-	kubeconfig                 = flag.String("kubeconfig", "", "Absolute path to the kubeconfig file. Required only when running out of cluster.")
-	driverName                 = flag.String("drivername", blob.DefaultDriverName, "name of the driver")
-	enableBlobfuseProxy        = flag.Bool("enable-blobfuse-proxy", false, "using blobfuse proxy for mounts")
-	blobfuseProxyConnTimout    = flag.Int("blobfuse-proxy-connect-timeout", 5, "blobfuse proxy connection timeout(seconds)")
-	enableBlobMockMount        = flag.Bool("enable-blob-mock-mount", false, "enable mock mount(only for testing)")
-	cloudConfigSecretName      = flag.String("cloud-config-secret-name", "azure-cloud-provider", "secret name of cloud config")
-	cloudConfigSecretNamespace = flag.String("cloud-config-secret-namespace", "kube-system", "secret namespace of cloud config")
-	customUserAgent            = flag.String("custom-user-agent", "", "custom userAgent")
-	userAgentSuffix            = flag.String("user-agent-suffix", "", "userAgent suffix")
-	allowEmptyCloudConfig      = flag.Bool("allow-empty-cloud-config", true, "allow running driver without cloud config")
-	enableGetVolumeStats       = flag.Bool("enable-get-volume-stats", false, "allow GET_VOLUME_STATS on agent node")
-	appendTimeStampInCacheDir  = flag.Bool("append-timestamp-cache-dir", false, "append timestamp into cache directory on agent node")
-	mountPermissions           = flag.Uint64("mount-permissions", 0777, "mounted folder permissions")
+	endpoint                               = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
+	blobfuseProxyEndpoint                  = flag.String("blobfuse-proxy-endpoint", "unix://tmp/blobfuse-proxy.sock", "blobfuse-proxy endpoint")
+	nodeID                                 = flag.String("nodeid", "", "node id")
+	version                                = flag.Bool("version", false, "Print the version and exit.")
+	metricsAddress                         = flag.String("metrics-address", "0.0.0.0:29634", "export the metrics")
+	kubeconfig                             = flag.String("kubeconfig", "", "Absolute path to the kubeconfig file. Required only when running out of cluster.")
+	driverName                             = flag.String("drivername", blob.DefaultDriverName, "name of the driver")
+	enableBlobfuseProxy                    = flag.Bool("enable-blobfuse-proxy", false, "using blobfuse proxy for mounts")
+	blobfuseProxyConnTimout                = flag.Int("blobfuse-proxy-connect-timeout", 5, "blobfuse proxy connection timeout(seconds)")
+	enableBlobMockMount                    = flag.Bool("enable-blob-mock-mount", false, "enable mock mount(only for testing)")
+	cloudConfigSecretName                  = flag.String("cloud-config-secret-name", "azure-cloud-provider", "secret name of cloud config")
+	cloudConfigSecretNamespace             = flag.String("cloud-config-secret-namespace", "kube-system", "secret namespace of cloud config")
+	customUserAgent                        = flag.String("custom-user-agent", "", "custom userAgent")
+	userAgentSuffix                        = flag.String("user-agent-suffix", "", "userAgent suffix")
+	allowEmptyCloudConfig                  = flag.Bool("allow-empty-cloud-config", true, "allow running driver without cloud config")
+	enableGetVolumeStats                   = flag.Bool("enable-get-volume-stats", false, "allow GET_VOLUME_STATS on agent node")
+	appendTimeStampInCacheDir              = flag.Bool("append-timestamp-cache-dir", false, "append timestamp into cache directory on agent node")
+	mountPermissions                       = flag.Uint64("mount-permissions", 0777, "mounted folder permissions")
+	allowInlineVolumeKeyAccessWithIdentity = flag.Bool("allow-inline-volume-key-access-with-idenitity", false, "allow accessing storage account key using cluster identity for inline volume")
 )
 
 func main() {
@@ -75,20 +76,21 @@ func main() {
 
 func handle() {
 	driverOptions := blob.DriverOptions{
-		NodeID:                     *nodeID,
-		DriverName:                 *driverName,
-		CloudConfigSecretName:      *cloudConfigSecretName,
-		CloudConfigSecretNamespace: *cloudConfigSecretNamespace,
-		BlobfuseProxyEndpoint:      *blobfuseProxyEndpoint,
-		EnableBlobfuseProxy:        *enableBlobfuseProxy,
-		BlobfuseProxyConnTimout:    *blobfuseProxyConnTimout,
-		EnableBlobMockMount:        *enableBlobMockMount,
-		CustomUserAgent:            *customUserAgent,
-		UserAgentSuffix:            *userAgentSuffix,
-		AllowEmptyCloudConfig:      *allowEmptyCloudConfig,
-		EnableGetVolumeStats:       *enableGetVolumeStats,
-		AppendTimeStampInCacheDir:  *appendTimeStampInCacheDir,
-		MountPermissions:           *mountPermissions,
+		NodeID:                                 *nodeID,
+		DriverName:                             *driverName,
+		CloudConfigSecretName:                  *cloudConfigSecretName,
+		CloudConfigSecretNamespace:             *cloudConfigSecretNamespace,
+		BlobfuseProxyEndpoint:                  *blobfuseProxyEndpoint,
+		EnableBlobfuseProxy:                    *enableBlobfuseProxy,
+		BlobfuseProxyConnTimout:                *blobfuseProxyConnTimout,
+		EnableBlobMockMount:                    *enableBlobMockMount,
+		CustomUserAgent:                        *customUserAgent,
+		UserAgentSuffix:                        *userAgentSuffix,
+		AllowEmptyCloudConfig:                  *allowEmptyCloudConfig,
+		EnableGetVolumeStats:                   *enableGetVolumeStats,
+		AppendTimeStampInCacheDir:              *appendTimeStampInCacheDir,
+		MountPermissions:                       *mountPermissions,
+		AllowInlineVolumeKeyAccessWithIdentity: *allowInlineVolumeKeyAccessWithIdentity,
 	}
 	driver := blob.NewDriver(&driverOptions)
 	if driver == nil {