Merge pull request #1559 from andyzhangx/use-wi-for-e2e-test-1.23

[release-1.23] test: use workload identity for e2e test

Author: andyzhangx

deploy/example/storageclass-blob-nfs.yaml

@@ -6,6 +6,7 @@ metadata:
 provisioner: blob.csi.azure.com
 parameters:
   protocol: nfs
+  useDataPlaneAPI: "false"
 volumeBindingMode: Immediate
 allowVolumeExpansion: true
 mountOptions:

deploy/example/storageclass-blobfuse.yaml

@@ -6,6 +6,7 @@ metadata:
 provisioner: blob.csi.azure.com
 parameters:
   skuName: Premium_LRS  # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS
+  useDataPlaneAPI: "false"
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 allowVolumeExpansion: true

deploy/example/storageclass-blobfuse2.yaml

@@ -7,6 +7,7 @@ provisioner: blob.csi.azure.com
 parameters:
   skuName: Premium_LRS  # available values: Standard_LRS, Premium_LRS, Standard_GRS, Standard_RAGRS
   protocol: fuse2
+  useDataPlaneAPI: "false"
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
 allowVolumeExpansion: true

go.mod

@@ -17,7 +17,6 @@ require (
 	github.com/kubernetes-csi/csi-lib-utils v0.13.0
 	github.com/onsi/gomega v1.32.0
 	github.com/pborman/uuid v1.2.1
-	github.com/pelletier/go-toml v1.9.5
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/net v0.27.0
 	google.golang.org/grpc v1.65.0

go.sum

@@ -215,8 +215,6 @@ github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaL
 github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
-github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=

hack/verify-examples.sh

@@ -28,6 +28,9 @@ rollout_and_wait() {
 }
 
 echo "begin to create deployment examples ..."
+
+kubectl config set-context --current --namespace=default
+
 if [ -v EXTERNAL_E2E_TEST_BLOBFUSE_v2 ]; then
     echo "create blobfuse2 storage class ..."
     kubectl apply -f deploy/example/storageclass-blobfuse2.yaml

pkg/util/util.go

@@ -326,6 +326,10 @@ func parseAzcopyJobShow(jobshow string) (AzcopyJobState, string, error) {
 func GetKubeClient(kubeconfig string, kubeAPIQPS float64, kubeAPIBurst int, userAgent string) (kubernetes.Interface, error) {
 	var err error
 	var kubeCfg *rest.Config
+	if kubeconfig == "no-need-kubeconfig" {
+		klog.V(2).Infof("kubeconfig is set as no-need-kubeconfig, kubeClient will be nil")
+		return nil, nil
+	}
 	if kubeCfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig); err != nil {
 		return nil, err
 	}

test/e2e/dynamic_provisioning_test.go

@@ -898,6 +898,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
+				"useDataPlaneAPI":  "true",
 				"skuName":          "Premium_LRS",
 				"protocol":         "nfs",
 				"mountPermissions": "0755",
@@ -930,6 +931,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
+				"useDataPlaneAPI":  "true",
 				"skuName":          "Premium_LRS",
 				"protocol":         "nfs",
 				"mountPermissions": "0755",
@@ -963,8 +965,9 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
-				"skuName":  "Standard_LRS",
-				"protocol": "fuse2",
+				"useDataPlaneAPI": "true",
+				"skuName":         "Standard_LRS",
+				"protocol":        "fuse2",
 			},
 		}
 		test.Run(ctx, cs, ns)
@@ -995,8 +998,9 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
-				"skuName":  "Standard_LRS",
-				"protocol": "fuse2",
+				"useDataPlaneAPI": "true",
+				"skuName":         "Standard_LRS",
+				"protocol":        "fuse2",
 			},
 		}
 		test.Run(ctx, cs, ns)
@@ -1026,12 +1030,14 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
+				"useDataPlaneAPI":      "true",
 				"skuName":              "Premium_LRS",
 				"protocol":             "nfs",
 				"mountPermissions":     "0755",
 				"allowsharedkeyaccess": "true",
 			},
 			ClonedStorageClassParameters: map[string]string{
+				"useDataPlaneAPI":      "true",
 				"skuName":              "Standard_LRS",
 				"protocol":             "nfs",
 				"mountPermissions":     "0755",
@@ -1066,12 +1072,14 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			Pod:                 pod,
 			PodWithClonedVolume: podWithClonedVolume,
 			StorageClassParameters: map[string]string{
-				"skuName":  "Standard_LRS",
-				"protocol": "fuse2",
+				"useDataPlaneAPI": "true",
+				"skuName":         "Standard_LRS",
+				"protocol":        "fuse2",
 			},
 			ClonedStorageClassParameters: map[string]string{
-				"skuName":  "Premium_LRS",
-				"protocol": "fuse2",
+				"useDataPlaneAPI": "true",
+				"skuName":         "Premium_LRS",
+				"protocol":        "fuse2",
 			},
 		}
 		test.Run(ctx, cs, ns)

test/e2e/pre_provisioning_test.go

@@ -219,6 +219,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It("should use Key Vault", func(ctx ginkgo.SpecContext) {
+		ginkgo.Skip("test case is not available currently due to test-infra migration")
 		volumeSize := fmt.Sprintf("%dGi", defaultVolumeSize)
 		reclaimPolicy := v1.PersistentVolumeReclaimRetain
 		volumeBindingMode := storagev1.VolumeBindingImmediate
@@ -252,6 +253,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It("should use SAS token", func(ctx ginkgo.SpecContext) {
+		ginkgo.Skip("test case is not available currently due to test-infra migration")
 		pods := []testsuites.PodDetails{
 			{
 				Cmd: "echo 'hello world' > /mnt/test-1/data && grep 'hello world' /mnt/test-1/data",

test/e2e/suite_test.go

@@ -18,7 +18,6 @@ package e2e
 
 import (
 	"context"
-	"encoding/json"
 	"flag"
 	"fmt"
 	"log"
@@ -42,7 +41,6 @@ import (
 	"sigs.k8s.io/blob-csi-driver/pkg/util"
 	"sigs.k8s.io/blob-csi-driver/test/utils/azure"
 	"sigs.k8s.io/blob-csi-driver/test/utils/credentials"
-	"sigs.k8s.io/blob-csi-driver/test/utils/testutil"
 )
 
 const (
@@ -82,24 +80,11 @@ func TestE2E(t *testing.T) {
 var _ = ginkgo.SynchronizedBeforeSuite(func(ctx ginkgo.SpecContext) []byte {
 	creds, err := credentials.CreateAzureCredentialFile()
 	gomega.Expect(err).NotTo(gomega.HaveOccurred())
-	azureClient, err := azure.GetClient(creds.Cloud, creds.SubscriptionID, creds.AADClientID, creds.TenantID, creds.AADClientSecret)
+	azureClient, err := azure.GetClient(creds.Cloud, creds.SubscriptionID, creds.AADClientID, creds.TenantID, creds.AADClientSecret, creds.AADFederatedTokenFile)
 	gomega.Expect(err).NotTo(gomega.HaveOccurred())
 	_, err = azureClient.EnsureResourceGroup(ctx, creds.ResourceGroup, creds.Location, nil)
 	gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
-	if testutil.IsRunningInProw() {
-		// Need to login to ACR using SP credential if we are running in Prow so we can push test images.
-		// If running locally, user should run 'docker login' before running E2E tests
-		registry := os.Getenv("REGISTRY")
-		gomega.Expect(registry).NotTo(gomega.Equal(""))
-
-		log.Println("Attempting docker login with Azure service principal")
-		cmd := exec.Command("docker", "login", fmt.Sprintf("--username=%s", creds.AADClientID), fmt.Sprintf("--password=%s", creds.AADClientSecret), registry)
-		err = cmd.Run()
-		gomega.Expect(err).NotTo(gomega.HaveOccurred())
-		log.Println("docker login is successful")
-	}
-
 	// Install Azure Blob Storage CSI driver on cluster from project root
 	e2eBootstrap := testCmd{
 		command:  "make",
@@ -115,25 +100,8 @@ var _ = ginkgo.SynchronizedBeforeSuite(func(ctx ginkgo.SpecContext) []byte {
 		endLog:   "metrics service created",
 	}
 	execTestCmd([]testCmd{e2eBootstrap, createMetricsSVC})
-
-	if testutil.IsRunningInProw() {
-		data, err := json.Marshal(creds)
-		gomega.Expect(err).NotTo(gomega.HaveOccurred())
-		return data
-	}
-
 	return nil
 }, func(ctx ginkgo.SpecContext, data []byte) {
-	if testutil.IsRunningInProw() {
-		creds := &credentials.Credentials{}
-		err := json.Unmarshal(data, creds)
-		gomega.Expect(err).NotTo(gomega.HaveOccurred())
-		// set env for azidentity.EnvironmentCredential
-		os.Setenv("AZURE_TENANT_ID", creds.TenantID)
-		os.Setenv("AZURE_CLIENT_ID", creds.AADClientID)
-		os.Setenv("AZURE_CLIENT_SECRET", creds.AADClientSecret)
-	}
-
 	// k8s.io/kubernetes/test/e2e/framework requires env KUBECONFIG to be set
 	// it does not fall back to defaults
 	if os.Getenv(kubeconfigEnvVar) == "" {
@@ -226,7 +194,7 @@ func execTestCmd(cmds []testCmd) {
 func checkAccountCreationLeak(ctx context.Context) {
 	creds, err := credentials.CreateAzureCredentialFile()
 	gomega.Expect(err).NotTo(gomega.HaveOccurred())
-	azureClient, err := azure.GetClient(creds.Cloud, creds.SubscriptionID, creds.AADClientID, creds.TenantID, creds.AADClientSecret)
+	azureClient, err := azure.GetClient(creds.Cloud, creds.SubscriptionID, creds.AADClientID, creds.TenantID, creds.AADClientSecret, creds.AADFederatedTokenFile)
 	gomega.Expect(err).NotTo(gomega.HaveOccurred())
 
 	accountNum, err := azureClient.GetAccountNumByResourceGroup(ctx, creds.ResourceGroup)