feat: support getting sasToken, msiSecret, SPN from secret

Author: andyzhangx

pkg/blob/blob.go

@@ -88,6 +88,9 @@ const (
 	trueValue                    = "true"
 	defaultSecretAccountName     = "azurestorageaccountname"
 	defaultSecretAccountKey      = "azurestorageaccountkey"
+	accountSasTokenField         = "azurestorageaccountsastoken"
+	msiSecretField               = "msisecret"
+	storageSPNClientSecretField  = "azurestoragespnclientsecret"
 	Fuse                         = "fuse"
 	Fuse2                        = "fuse2"
 	NFS                          = "nfs"
@@ -364,6 +367,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		subsID                  string
 		accountKey              string
 		accountSasToken         string
+		msiSecret               string
+		storageSPNClientSecret  string
 		secretName              string
 		pvcNamespace            string
 		keyVaultURL             string
@@ -460,7 +465,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			if secretName != "" && !strings.EqualFold(azureStorageAuthType, "msi") {
 				// read from k8s secret first
 				var name string
-				name, accountKey, err = d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				name, accountKey, accountSasToken, msiSecret, storageSPNClientSecret, err = d.GetInfoFromSecret(secretName, secretNamespace)
 				if name != "" {
 					accountName = name
 				}
@@ -485,12 +490,12 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 					accountKey = v
 				case defaultSecretAccountKey: // for compatibility with built-in blobfuse plugin
 					accountKey = v
-				case "azurestorageaccountsastoken":
+				case accountSasTokenField:
 					accountSasToken = v
-				case "msisecret":
-					authEnv = append(authEnv, "MSI_SECRET="+v)
-				case "azurestoragespnclientsecret":
-					authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_SECRET="+v)
+				case msiSecretField:
+					msiSecret = v
+				case storageSPNClientSecretField:
+					storageSPNClientSecret = v
 				}
 			}
 		}
@@ -500,12 +505,23 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		err = fmt.Errorf("could not find containerName from attributes(%v) or volumeID(%v)", attrib, volumeID)
 	}
 
+	if accountKey != "" {
+		authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	}
+
 	if accountSasToken != "" {
+		klog.V(2).Infof("accountSasToken is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
 		authEnv = append(authEnv, "AZURE_STORAGE_SAS_TOKEN="+accountSasToken)
 	}
 
-	if accountKey != "" {
-		authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
+	if msiSecret != "" {
+		klog.V(2).Infof("msiSecret is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
+		authEnv = append(authEnv, "MSI_SECRET="+msiSecret)
+	}
+
+	if storageSPNClientSecret != "" {
+		klog.V(2).Infof("storageSPNClientSecret is not empty, use it to access storage account(%s), container(%s)", accountName, containerName)
+		authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_SECRET="+storageSPNClientSecret)
 	}
 
 	return rgName, accountName, accountKey, containerName, authEnv, err
@@ -738,31 +754,34 @@ func (d *Driver) GetStorageAccesskey(ctx context.Context, accountOptions *azure.
 	if secretName == "" {
 		secretName = fmt.Sprintf(secretNameTemplate, accountOptions.Name)
 	}
-	_, accountKey, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+	_, accountKey, _, _, _, err := d.GetInfoFromSecret(secretName, secretNamespace)
 	if err != nil {
 		klog.V(2).Infof("could not get account(%s) key from secret(%s) namespace(%s), error: %v, use cluster identity to get account key instead", accountOptions.Name, secretName, secretNamespace, err)
 		accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountOptions.SubscriptionID, accountOptions.Name, accountOptions.ResourceGroup)
 	}
 	return accountOptions.Name, accountKey, err
 }
 
-// GetStorageAccountFromSecret get storage account key from k8s secret
-// return <accountName, accountKey, error>
-func (d *Driver) GetStorageAccountFromSecret(secretName, secretNamespace string) (string, string, error) {
+// GetInfoFromSecret get info from k8s secret
+// return <accountName, accountKey, accountSasToken, msiSecret, spnClientSecret, error>
+func (d *Driver) GetInfoFromSecret(secretName, secretNamespace string) (string, string, string, string, string, error) {
 	if d.cloud.KubeClient == nil {
-		return "", "", fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
+		return "", "", "", "", "", fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
 	}
 
 	secret, err := d.cloud.KubeClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 	if err != nil {
-		return "", "", fmt.Errorf("could not get secret(%v): %w", secretName, err)
+		return "", "", "", "", "", fmt.Errorf("could not get secret(%v): %w", secretName, err)
 	}
 
 	accountName := strings.TrimSpace(string(secret.Data[defaultSecretAccountName][:]))
 	accountKey := strings.TrimSpace(string(secret.Data[defaultSecretAccountKey][:]))
+	accountSasToken := strings.TrimSpace(string(secret.Data[accountSasTokenField][:]))
+	msiSecret := strings.TrimSpace(string(secret.Data[msiSecretField][:]))
+	spnClientSecret := strings.TrimSpace(string(secret.Data[storageSPNClientSecretField][:]))
 
 	klog.V(4).Infof("got storage account(%s) from secret", accountName)
-	return accountName, accountKey, nil
+	return accountName, accountKey, accountSasToken, msiSecret, spnClientSecret, nil
 }
 
 // getSubnetResourceID get default subnet resource ID from cloud provider config

pkg/blob/blob_test.go

@@ -1033,7 +1033,7 @@ func TestGetStorageAccesskey(t *testing.T) {
 	}
 }
 
-func TestGetStorageAccountFromSecret(t *testing.T) {
+func TestGetInfoFromSecret(t *testing.T) {
 	fakeClient := fake.NewSimpleClientset()
 	testCases := []struct {
 		name     string
@@ -1047,7 +1047,7 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				d.cloud.KubeClient = nil
 				secretName := "foo"
 				secretNamespace := "bar"
-				_, _, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				_, _, _, _, _, err := d.GetInfoFromSecret(secretName, secretNamespace)
 				expectedErr := fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
 				if assert.Error(t, err) {
 					assert.Equal(t, expectedErr, err)
@@ -1062,7 +1062,7 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				d.cloud.KubeClient = fakeClient
 				secretName := ""
 				secretNamespace := ""
-				_, _, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
+				_, _, _, _, _, err := d.GetInfoFromSecret(secretName, secretNamespace)
 				// expectedErr := fmt.Errorf("could not get secret(%v): %w", secretName, err)
 				assert.Error(t, err) // could not check what type of error, needs fix
 				/*if assert.Error(t, err) {
@@ -1071,12 +1071,12 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 			},
 		},
 		{
-			name: "Successful Input",
+			name: "get account name from secret",
 			testFunc: func(t *testing.T) {
 				d := NewFakeDriver()
 				d.cloud = &azure.Cloud{}
 				d.cloud.KubeClient = fakeClient
-				secretName := "john smith"
+				secretName := "store_account_name_key"
 				secretNamespace := "namespace"
 				accountName := "bar"
 				accountKey := "foo"
@@ -1095,9 +1095,50 @@ func TestGetStorageAccountFromSecret(t *testing.T) {
 				if secretCreateErr != nil {
 					t.Error("failed to create secret")
 				}
-				an, ak, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
-				assert.Equal(t, accountName, an, "accountName's should match")
-				assert.Equal(t, accountKey, ak, "accountKey's should match")
+				an, ak, accountSasToken, msiSecret, storageSPNClientSecret, err := d.GetInfoFromSecret(secretName, secretNamespace)
+				assert.Equal(t, accountName, an, "accountName should match")
+				assert.Equal(t, accountKey, ak, "accountKey should match")
+				assert.Equal(t, "", accountSasToken, "accountSasToken should be empty")
+				assert.Equal(t, "", msiSecret, "msiSecret should be empty")
+				assert.Equal(t, "", storageSPNClientSecret, "storageSPNClientSecret should be empty")
+				assert.Equal(t, nil, err, "error should be nil")
+			},
+		},
+		{
+			name: "get other info from secret",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{}
+				d.cloud.KubeClient = fakeClient
+				secretName := "store_other_info"
+				secretNamespace := "namespace"
+				accountName := "bar"
+				accountSasTokenValue := "foo"
+				msiSecretValue := "msiSecret"
+				storageSPNClientSecretValue := "storageSPNClientSecret"
+				secret := &v1api.Secret{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: secretNamespace,
+						Name:      secretName,
+					},
+					Data: map[string][]byte{
+						defaultSecretAccountName:    []byte(accountName),
+						accountSasTokenField:        []byte(accountSasTokenValue),
+						msiSecretField:              []byte(msiSecretValue),
+						storageSPNClientSecretField: []byte(storageSPNClientSecretValue),
+					},
+					Type: "Opaque",
+				}
+				_, secretCreateErr := d.cloud.KubeClient.CoreV1().Secrets(secretNamespace).Create(context.TODO(), secret, metav1.CreateOptions{})
+				if secretCreateErr != nil {
+					t.Error("failed to create secret")
+				}
+				an, ak, accountSasToken, msiSecret, storageSPNClientSecret, err := d.GetInfoFromSecret(secretName, secretNamespace)
+				assert.Equal(t, accountName, an, "accountName should match")
+				assert.Equal(t, "", ak, "accountKey should be empty")
+				assert.Equal(t, accountSasTokenValue, accountSasToken, "sasToken should match")
+				assert.Equal(t, msiSecretValue, msiSecret, "msiSecret should match")
+				assert.Equal(t, storageSPNClientSecretValue, storageSPNClientSecret, "storageSPNClientSecret should match")
 				assert.Equal(t, nil, err, "error should be nil")
 			},
 		},