kubernetes-sigs
diff --git a/‎.github/workflows/static.yaml
+1-1 b/‎.github/workflows/static.yaml
+1-1
diff --git a/‎.github/workflows/trivy.yaml
+1-1 b/‎.github/workflows/trivy.yaml
+1-1
diff --git a/‎docs/driver-parameters.md
+1 b/‎docs/driver-parameters.md
+1
diff --git a/‎go.mod
+3-3 b/‎go.mod
+3-3
diff --git a/‎go.sum
+4-4 b/‎go.sum
+4-4
diff --git a/‎pkg/blob/blob.go
+1 b/‎pkg/blob/blob.go
+1
diff --git a/‎pkg/blob/controllerserver.go
+22-17 b/‎pkg/blob/controllerserver.go
+22-17
diff --git a/‎test/e2e/dynamic_provisioning_test.go
+2-1 b/‎test/e2e/dynamic_provisioning_test.go
+2-1
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-07-01/compute/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-07-01/compute/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2021-10-01/containerservice/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2021-10-01/containerservice/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/msi/mgmt/2018-11-30/msi/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/msi/mgmt/2018-11-30/msi/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-08-01/network/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/network/mgmt/2021-08-01/network/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/preview/authorization/mgmt/2018-01-01-preview/authorization/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/privatedns/mgmt/2018-09-01/privatedns/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/privatedns/mgmt/2018-09-01/privatedns/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2017-05-10/resources/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2017-05-10/resources/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2018-05-01/resources/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/resources/mgmt/2018-05-01/resources/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage/client.go
+2 b/‎vendor/github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage/client.go
+2
diff --git a/‎vendor/github.com/Azure/azure-sdk-for-go/version/version.go
+1-1 b/‎vendor/github.com/Azure/azure-sdk-for-go/version/version.go
+1-1
diff --git a/‎vendor/modules.txt
+3-3 b/‎vendor/modules.txt
+3-3
diff --git a/‎vendor/sigs.k8s.io/cloud-provider-azure/pkg/auth/azure_auth.go
+1-1 b/‎vendor/sigs.k8s.io/cloud-provider-azure/pkg/auth/azure_auth.go
+1-1
diff --git a/‎vendor/sigs.k8s.io/cloud-provider-azure/pkg/azureclients/armclient/util.go
+2-2 b/‎vendor/sigs.k8s.io/cloud-provider-azure/pkg/azureclients/armclient/util.go
+2-2
@@ -5,7 +5,7 @@ on:
 jobs:
     go_lint:
         name: Go Lint
-        runs-on: ubuntu-18.04
+        runs-on: ubuntu-latest
         steps:
             - name: Checkout code
               uses: actions/checkout@master
 
@@ -7,7 +7,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
       - name: Set up Go 1.x
         uses: actions/setup-go@v2
 
@@ -17,6 +17,7 @@ containerName | specify the existing container(directory) name | existing contai
 containerNamePrefix | specify Azure storage directory prefix created by driver | can only contain lowercase letters, numbers, hyphens, and length should be less than 21 | No |
 server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address
 allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false`
+requireInfraEncryption | specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for storage account created by driver | `true`,`false` | No | `false`
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc | No | if empty, driver will use default storage endpoint suffix according to cloud environment
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""
 matchTags | whether matching tags when driver tries to find a suitable storage account | `true`,`false` | No | `false`
 
@@ -3,7 +3,7 @@ module sigs.k8s.io/blob-csi-driver
 go 1.18
 
 require (
-	github.com/Azure/azure-sdk-for-go v65.0.0+incompatible
+	github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0
 	github.com/Azure/go-autorest/autorest v0.11.28
 	github.com/Azure/go-autorest/autorest/adal v0.9.21
@@ -30,7 +30,7 @@ require (
 	k8s.io/kubernetes v1.23.3
 	k8s.io/mount-utils v0.23.3
 	k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
-	sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561
+	sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -158,5 +158,5 @@ replace (
 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.3
 	k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.23.3
 	k8s.io/sample-controller => k8s.io/sample-controller v0.23.3
-	sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561
+	sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e
 )
@@ -41,8 +41,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/Azure/azure-sdk-for-go v55.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v65.0.0+incompatible h1:HzKLt3kIwMm4KeJYTdx9EbjRYTySD/t8i1Ee/W5EGXw=
-github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE=
+github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1 h1:tz19qLF65vuu2ibfTqGVJxG/zZAI27NEIIbvAOQwYbw=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 h1:Yoicul8bnVdQrhDMTHxdEckRGX01XvwXDHUT9zYZ3k0=
@@ -1229,8 +1229,8 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30 h1:dUk62HQ3ZFhD48Qr8MIXCiKA8wInBQCtuE4QGfFW7yA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.30/go.mod h1:fEO7lRTdivWO2qYVCVG7dEADOMo/MLDCVr8So2g88Uw=
-sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561 h1:STGz1EqxvY7vskck4iudgfCBuDrA+VjETRGyrtLKTWs=
-sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561/go.mod h1:KRSedLdzH6Y6wuqQRf3UdRj5hHv9NtTNxsokyuVE87w=
+sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e h1:KqPyU5xLPIB9hiTjOb+YW0H+aATRtWZshny8OarWsKI=
+sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e/go.mod h1:WejUASLh1xSH1eJrmpQBTX83RH4qF7mSr6Q3cThaCMY=
 sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 h1:kDi4JBNAsJWfz1aEXhO8Jg87JJaPNLh5tIzYHgStQ9Y=
 sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY=
 
@@ -76,6 +76,7 @@ const (
 	keyVaultSecretVersionField   = "keyvaultsecretversion"
 	storageAccountNameField      = "storageaccountname"
 	allowBlobPublicAccessField   = "allowblobpublicaccess"
+	requireInfraEncryptionField  = "requireinfraencryption"
 	ephemeralField               = "csi.storage.k8s.io/ephemeral"
 	podNamespaceField            = "csi.storage.k8s.io/pod.namespace"
 	mountOptionsField            = "mountoptions"
 
@@ -68,7 +68,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		parameters = make(map[string]string)
 	}
 	var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace string
-	var isHnsEnabled *bool
+	var isHnsEnabled, requireInfraEncryption *bool
 	var vnetResourceGroup, vnetName, subnetName string
 	var matchTags, useDataPlaneAPI bool
 	// set allowBlobPublicAccess as false by default
@@ -121,6 +121,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			if strings.EqualFold(v, trueValue) {
 				allowBlobPublicAccess = to.BoolPtr(true)
 			}
+		case requireInfraEncryptionField:
+			if strings.EqualFold(v, trueValue) {
+				requireInfraEncryption = to.BoolPtr(true)
+			}
 		case pvcNamespaceKey:
 			pvcNamespace = v
 			containerNameReplaceMap[pvcNamespaceMetadata] = v
@@ -228,22 +232,23 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 
 	accountOptions := &azure.AccountOptions{
-		Name:                      account,
-		Type:                      storageAccountType,
-		Kind:                      accountKind,
-		SubscriptionID:            subsID,
-		ResourceGroup:             resourceGroup,
-		Location:                  location,
-		EnableHTTPSTrafficOnly:    enableHTTPSTrafficOnly,
-		VirtualNetworkResourceIDs: vnetResourceIDs,
-		Tags:                      tags,
-		MatchTags:                 matchTags,
-		IsHnsEnabled:              isHnsEnabled,
-		EnableNfsV3:               enableNfsV3,
-		AllowBlobPublicAccess:     allowBlobPublicAccess,
-		VNetResourceGroup:         vnetResourceGroup,
-		VNetName:                  vnetName,
-		SubnetName:                subnetName,
+		Name:                            account,
+		Type:                            storageAccountType,
+		Kind:                            accountKind,
+		SubscriptionID:                  subsID,
+		ResourceGroup:                   resourceGroup,
+		Location:                        location,
+		EnableHTTPSTrafficOnly:          enableHTTPSTrafficOnly,
+		VirtualNetworkResourceIDs:       vnetResourceIDs,
+		Tags:                            tags,
+		MatchTags:                       matchTags,
+		IsHnsEnabled:                    isHnsEnabled,
+		EnableNfsV3:                     enableNfsV3,
+		AllowBlobPublicAccess:           allowBlobPublicAccess,
+		RequireInfrastructureEncryption: requireInfraEncryption,
+		VNetResourceGroup:               vnetResourceGroup,
+		VNetName:                        vnetName,
+		SubnetName:                      subnetName,
 	}
 
 	var accountKey string
 
@@ -85,7 +85,8 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 				"skuName":         "Standard_GRS",
 				"secretNamespace": "default",
 				// make sure this is the first test case due to storeAccountKey is set as false
-				"storeAccountKey": "false",
+				"storeAccountKey":        "false",
+				"requireInfraEncryption": "true",
 			},
 		}
 		test.Run(cs, ns)
 
@@ -1,4 +1,4 @@
-# github.com/Azure/azure-sdk-for-go v65.0.0+incompatible
+# github.com/Azure/azure-sdk-for-go v66.0.0+incompatible
 ## explicit
 github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-07-01/compute
 github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2021-10-01/containerservice
@@ -1162,7 +1162,7 @@ k8s.io/utils/trace
 ## explicit; go 1.17
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client
-# sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561 => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561
+# sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e
 ## explicit; go 1.18
 sigs.k8s.io/cloud-provider-azure/pkg/auth
 sigs.k8s.io/cloud-provider-azure/pkg/azureclients
@@ -1259,4 +1259,4 @@ sigs.k8s.io/yaml
 # k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.3
 # k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.23.3
 # k8s.io/sample-controller => k8s.io/sample-controller v0.23.3
-# sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220810033612-3e07f125e561
+# sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v1.24.1-0.20220822075409-fcea76e6a17e