fix: support getting sasToken, msiSecret, SPN from secret

andyzhangx · andyzhangx · commit 371bf4033e51 · 2023-04-07T07:47:07.000Z
diff --git a/hack/verify-examples.sh b/hack/verify-examples.sh
@@ -21,9 +21,9 @@ rollout_and_wait() {
 
     APPNAME=$(kubectl apply -f $1 | grep -E "^(:?daemonset|deployment|statefulset|pod)" | awk '{printf $1}')
     if [[ -n $(expr "${APPNAME}" : "\(daemonset\|deployment\|statefulset\)" || true) ]]; then
-        kubectl rollout status $APPNAME --watch --timeout=5m
+        kubectl rollout status $APPNAME --watch --timeout=20m
     else
-        kubectl wait "${APPNAME}" --for condition=ready --timeout=5m
+        kubectl wait "${APPNAME}" --for condition=ready --timeout=20m
     fi
 }
 
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -88,6 +88,9 @@ const (
 	trueValue                    = "true"
 	defaultSecretAccountName     = "azurestorageaccountname"
 	defaultSecretAccountKey      = "azurestorageaccountkey"
+	accountSasTokenField         = "azurestorageaccountsastoken"
+	msiSecretField               = "msisecret"
+	storageSPNClientSecretField  = "azurestoragespnclientsecret"
 	Fuse                         = "fuse"
 	Fuse2                        = "fuse2"
 	NFS                          = "nfs"
@@ -364,6 +367,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		subsID                  string
 		accountKey              string
 		accountSasToken         string
+		msiSecret               string
+		storageSPNClientSecret  string
 		secretName              string
 		pvcNamespace            string
 		keyVaultURL             string
@@ -456,15 +461,14 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			if secretName == "" && accountName != "" {
 				secretName = fmt.Sprintf(secretNameTemplate, accountName)
 			}
-			// if msi is specified, don't list account key using cluster identity
-			if secretName != "" && !strings.EqualFold(azureStorageAuthType, "msi") {
+			if secretName != "" {
 				// read from k8s secret first
 				var name string
-				name, accountKey, err = d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				name, accountKey, accountSasToken, msiSecret, storageSPNClientSecret, err = d.GetInfoFromSecret(ctx, secretName, secretNamespace)
 				if name != "" {
 					accountName = name
 				}
-				if err != nil && !getAccountKeyFromSecret {
+				if err != nil && !getAccountKeyFromSecret && (azureStorageAuthType == "" || strings.EqualFold(azureStorageAuthType, "key")) {
 					klog.V(2).Infof("get account(%s) key from secret(%s, %s) failed with error: %v, use cluster identity to get account key instead",
 						accountName, secretNamespace, secretName, err)
 					accountKey, err = d.cloud.GetStorageAccesskey(ctx, subsID, accountName, rgName)
@@ -485,12 +489,12 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 					accountKey = v
 				case defaultSecretAccountKey: // for compatibility with built-in blobfuse plugin
 					accountKey = v
-				case "azurestorageaccountsastoken":
+				case accountSasTokenField:
 					accountSasToken = v
-				case "msisecret":
-					authEnv = append(authEnv, "MSI_SECRET="+v)
-				case "azurestoragespnclientsecret":
-					authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_SECRET="+v)
+				case msiSecretField:
+					msiSecret = v
+				case storageSPNClientSecretField:
+					storageSPNClientSecret = v
 				}
 			}
 		}
@@ -500,12 +504,23 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		err = fmt.Errorf("could not find containerName from attributes(%v) or volumeID(%v)", attrib, volumeID)
 	}
 
+	if accountKey != "" {
+		authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	}
+
 	if accountSasToken != "" {
+		klog.V(2).Infof("accountSasToken is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
 		authEnv = append(authEnv, "AZURE_STORAGE_SAS_TOKEN="+accountSasToken)
 	}
 
-	if accountKey != "" {
-		authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	if msiSecret != "" {
+		klog.V(2).Infof("msiSecret is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
+		authEnv = append(authEnv, "MSI_SECRET="+msiSecret)
+	}
+
+	if storageSPNClientSecret != "" {
+		klog.V(2).Infof("storageSPNClientSecret is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
+		authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_SECRET="+storageSPNClientSecret)
 	}
 
 	return rgName, accountName, accountKey, containerName, authEnv, err
@@ -738,7 +753,7 @@ func (d *Driver) GetStorageAccesskey(ctx context.Context, accountOptions *azure.
 	if secretName == "" {
 		secretName = fmt.Sprintf(secretNameTemplate, accountOptions.Name)
 	}
-	_, accountKey, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+	_, accountKey, _, _, _, err := d.GetInfoFromSecret(ctx, secretName, secretNamespace) //nolint
 	if err != nil {
 		klog.V(2).Infof("could not get account(%s) key from secret(%s) namespace(%s), error: %v, use cluster identity to get account key instead", accountOptions.Name, secretName, secretNamespace, err)
 		accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountOptions.SubscriptionID, accountOptions.Name, accountOptions.ResourceGroup)
@@ -748,21 +763,24 @@ func (d *Driver) GetStorageAccesskey(ctx context.Context, accountOptions *azure.
 
 // GetStorageAccountFromSecret get storage account key from k8s secret
 // return <accountName, accountKey, error>
-func (d *Driver) GetStorageAccountFromSecret(secretName, secretNamespace string) (string, string, error) {
+func (d *Driver) GetInfoFromSecret(ctx context.Context, secretName, secretNamespace string) (string, string, string, string, string, error) {
 	if d.cloud.KubeClient == nil {
-		return "", "", fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
+		return "", "", "", "", "", fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
 	}
 
 	secret, err := d.cloud.KubeClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 	if err != nil {
-		return "", "", fmt.Errorf("could not get secret(%v): %w", secretName, err)
+		return "", "", "", "", "", fmt.Errorf("could not get secret(%v): %w", secretName, err)
 	}
 
 	accountName := strings.TrimSpace(string(secret.Data[defaultSecretAccountName][:]))
 	accountKey := strings.TrimSpace(string(secret.Data[defaultSecretAccountKey][:]))
+        accountSasToken := strings.TrimSpace(string(secret.Data[accountSasTokenField][:]))
+        msiSecret := strings.TrimSpace(string(secret.Data[msiSecretField][:]))
+        spnClientSecret := strings.TrimSpace(string(secret.Data[storageSPNClientSecretField][:]))
 
 	klog.V(4).Infof("got storage account(%s) from secret", accountName)
-	return accountName, accountKey, nil
+	return accountName, accountKey, accountSasToken, msiSecret, spnClientSecret, nil
 }
 
 // getSubnetResourceID get default subnet resource ID from cloud provider config
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -1033,7 +1033,7 @@ func TestGetStorageAccesskey(t *testing.T) {
 	}
 }
 
-func TestGetStorageAccountFromSecret(t *testing.T) {
+func TestGetInfoFromSecret(t *testing.T) {
 	fakeClient := fake.NewSimpleClientset()
 	testCases := []struct {
 		name     string
@@ -1047,7 +1047,7 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				d.cloud.KubeClient = nil
 				secretName := "foo"
 				secretNamespace := "bar"
-				_, _, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				_, _, _, _, _, err := d.GetInfoFromSecret(context.TODO(), secretName, secretNamespace)
 				expectedErr := fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
 				if assert.Error(t, err) {
 					assert.Equal(t, expectedErr, err)
@@ -1062,7 +1062,7 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				d.cloud.KubeClient = fakeClient
 				secretName := ""
 				secretNamespace := ""
-				_, _, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				_, _, _, _, _, err := d.GetInfoFromSecret(context.TODO(), secretName, secretNamespace)
 				// expectedErr := fmt.Errorf("could not get secret(%v): %w", secretName, err)
 				assert.Error(t, err) // could not check what type of error, needs fix
 				/*if assert.Error(t, err) {
@@ -1071,12 +1071,12 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 			},
 		},
 		{
-			name: "Successful Input",
+			name: "get account name from secret",
 			testFunc: func(t *testing.T) {
 				d := NewFakeDriver()
 				d.cloud = &azure.Cloud{}
 				d.cloud.KubeClient = fakeClient
-				secretName := "john smith"
+				secretName := "store_account_name_key"
 				secretNamespace := "namespace"
 				accountName := "bar"
 				accountKey := "foo"
@@ -1095,9 +1095,50 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				if secretCreateErr != nil {
 					t.Error("failed to create secret")
 				}
-				an, ak, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
-				assert.Equal(t, accountName, an, "accountName's should match")
-				assert.Equal(t, accountKey, ak, "accountKey's should match")
+				an, ak, accountSasToken, msiSecret, storageSPNClientSecret, err := d.GetInfoFromSecret(context.TODO(), secretName, secretNamespace)
+				assert.Equal(t, accountName, an, "accountName should match")
+				assert.Equal(t, accountKey, ak, "accountKey should match")
+				assert.Equal(t, "", accountSasToken, "accountSasToken should be empty")
+				assert.Equal(t, "", msiSecret, "msiSecret should be empty")
+				assert.Equal(t, "", storageSPNClientSecret, "storageSPNClientSecret should be empty")
+				assert.Equal(t, nil, err, "error should be nil")
+			},
+		},
+		{
+			name: "get other info from secret",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{}
+				d.cloud.KubeClient = fakeClient
+				secretName := "store_other_info"
+				secretNamespace := "namespace"
+				accountName := "bar"
+				accountSasTokenValue := "foo"
+				msiSecretValue := "msiSecret"
+				storageSPNClientSecretValue := "storageSPNClientSecret"
+				secret := &v1api.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: secretNamespace,
+						Name:      secretName,
+					},
+					Data: map[string][]byte{
+						defaultSecretAccountName:    []byte(accountName),
+						accountSasTokenField:        []byte(accountSasTokenValue),
+						msiSecretField:              []byte(msiSecretValue),
+						storageSPNClientSecretField: []byte(storageSPNClientSecretValue),
+					},
+					Type: "Opaque",
+				}
+				_, secretCreateErr := d.cloud.KubeClient.CoreV1().Secrets(secretNamespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+				if secretCreateErr != nil {
+					t.Error("failed to create secret")
+				}
+				an, ak, accountSasToken, msiSecret, storageSPNClientSecret, err := d.GetInfoFromSecret(context.TODO(), secretName, secretNamespace)
+				assert.Equal(t, accountName, an, "accountName should match")
+				assert.Equal(t, "", ak, "accountKey should be empty")
+				assert.Equal(t, accountSasTokenValue, accountSasToken, "sasToken should match")
+				assert.Equal(t, msiSecretValue, msiSecret, "msiSecret should match")
+				assert.Equal(t, storageSPNClientSecretValue, storageSPNClientSecret, "storageSPNClientSecret should match")
 				assert.Equal(t, nil, err, "error should be nil")
 			},
 		},
