feat: provide a flag to access key using Azure api with inline volume

Author: andyzhangx

charts/latest/blob-csi-driver-v1.10.0.tgz

@@ -125,6 +125,7 @@ spec:
             - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}"
             - "--append-timestamp-cache-dir={{ .Values.node.appendTimeStampInCacheDir }}"
             - "--mount-permissions={{ .Values.node.mountPermissions }}"
+            - "--only-get-key-from-secret-with-inline-volume={{ .Values.node.onlyGetKeyFromSecretWithInlineVolume }}"
           ports:
             - containerPort: {{ .Values.node.livenessProbe.healthPort }}
               name: healthz

charts/latest/blob-csi-driver/templates/csi-blob-node.yaml

@@ -108,6 +108,7 @@ node:
   cloudConfigSecretName: azure-cloud-provider
   cloudConfigSecretNamespace: kube-system
   allowEmptyCloudConfig: true
+  onlyGetKeyFromSecretWithInlineVolume: true
   maxUnavailable: 1
   metricsPort: 29635
   livenessProbe:

charts/latest/blob-csi-driver/values.yaml

@@ -113,20 +113,21 @@ var (
 
 // DriverOptions defines driver parameters specified in driver deployment
 type DriverOptions struct {
-	NodeID                     string
-	DriverName                 string
-	CloudConfigSecretName      string
-	CloudConfigSecretNamespace string
-	CustomUserAgent            string
-	UserAgentSuffix            string
-	BlobfuseProxyEndpoint      string
-	EnableBlobfuseProxy        bool
-	BlobfuseProxyConnTimout    int
-	EnableBlobMockMount        bool
-	AllowEmptyCloudConfig      bool
-	EnableGetVolumeStats       bool
-	AppendTimeStampInCacheDir  bool
-	MountPermissions           uint64
+	NodeID                               string
+	DriverName                           string
+	CloudConfigSecretName                string
+	CloudConfigSecretNamespace           string
+	CustomUserAgent                      string
+	UserAgentSuffix                      string
+	BlobfuseProxyEndpoint                string
+	EnableBlobfuseProxy                  bool
+	BlobfuseProxyConnTimout              int
+	EnableBlobMockMount                  bool
+	AllowEmptyCloudConfig                bool
+	OnlyGetKeyFromSecretWithInlineVolume bool
+	EnableGetVolumeStats                 bool
+	AppendTimeStampInCacheDir            bool
+	MountPermissions                     uint64
 }
 
 // Driver implements all interfaces of CSI drivers
@@ -140,15 +141,16 @@ type Driver struct {
 	userAgentSuffix            string
 	blobfuseProxyEndpoint      string
 	// enableBlobMockMount is only for testing, DO NOT set as true in non-testing scenario
-	enableBlobMockMount       bool
-	enableBlobfuseProxy       bool
-	allowEmptyCloudConfig     bool
-	enableGetVolumeStats      bool
-	appendTimeStampInCacheDir bool
-	blobfuseProxyConnTimout   int
-	mountPermissions          uint64
-	mounter                   *mount.SafeFormatAndMount
-	volLockMap                *util.LockMap
+	enableBlobMockMount                  bool
+	enableBlobfuseProxy                  bool
+	allowEmptyCloudConfig                bool
+	enableGetVolumeStats                 bool
+	onlyGetKeyFromSecretWithInlineVolume bool
+	appendTimeStampInCacheDir            bool
+	blobfuseProxyConnTimout              int
+	mountPermissions                     uint64
+	mounter                              *mount.SafeFormatAndMount
+	volLockMap                           *util.LockMap
 	// A map storing all volumes with ongoing operations so that additional operations
 	// for that same volume (as defined by VolumeID) return an Aborted error
 	volumeLocks *volumeLocks
@@ -164,20 +166,21 @@ type Driver struct {
 // does not support optional driver plugin info manifest field. Refer to CSI spec for more details.
 func NewDriver(options *DriverOptions) *Driver {
 	d := Driver{
-		volLockMap:                 util.NewLockMap(),
-		subnetLockMap:              util.NewLockMap(),
-		volumeLocks:                newVolumeLocks(),
-		cloudConfigSecretName:      options.CloudConfigSecretName,
-		cloudConfigSecretNamespace: options.CloudConfigSecretNamespace,
-		customUserAgent:            options.CustomUserAgent,
-		userAgentSuffix:            options.UserAgentSuffix,
-		blobfuseProxyEndpoint:      options.BlobfuseProxyEndpoint,
-		enableBlobfuseProxy:        options.EnableBlobfuseProxy,
-		blobfuseProxyConnTimout:    options.BlobfuseProxyConnTimout,
-		enableBlobMockMount:        options.EnableBlobMockMount,
-		allowEmptyCloudConfig:      options.AllowEmptyCloudConfig,
-		enableGetVolumeStats:       options.EnableGetVolumeStats,
-		mountPermissions:           options.MountPermissions,
+		volLockMap:                           util.NewLockMap(),
+		subnetLockMap:                        util.NewLockMap(),
+		volumeLocks:                          newVolumeLocks(),
+		cloudConfigSecretName:                options.CloudConfigSecretName,
+		cloudConfigSecretNamespace:           options.CloudConfigSecretNamespace,
+		customUserAgent:                      options.CustomUserAgent,
+		userAgentSuffix:                      options.UserAgentSuffix,
+		blobfuseProxyEndpoint:                options.BlobfuseProxyEndpoint,
+		enableBlobfuseProxy:                  options.EnableBlobfuseProxy,
+		onlyGetKeyFromSecretWithInlineVolume: options.OnlyGetKeyFromSecretWithInlineVolume,
+		blobfuseProxyConnTimout:              options.BlobfuseProxyConnTimout,
+		enableBlobMockMount:                  options.EnableBlobMockMount,
+		allowEmptyCloudConfig:                options.AllowEmptyCloudConfig,
+		enableGetVolumeStats:                 options.EnableGetVolumeStats,
+		mountPermissions:                     options.MountPermissions,
 	}
 	d.Name = options.DriverName
 	d.Version = driverVersion

pkg/blob/blob.go

@@ -77,9 +77,11 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	if context != nil {
 		if strings.EqualFold(context[ephemeralField], trueValue) {
 			context[secretNamespaceField] = context[podNamespaceField]
-			// only get storage account from secret
-			context[getAccountKeyFromSecretField] = trueValue
-			context[storageAccountField] = ""
+			if d.onlyGetKeyFromSecretWithInlineVolume {
+				// only get storage account from secret
+				context[getAccountKeyFromSecretField] = trueValue
+				context[storageAccountField] = ""
+			}
 			klog.V(2).Infof("NodePublishVolume: ephemeral volume(%s) mount on %s, VolumeContext: %v", volumeID, target, context)
 			_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
 				StagingTargetPath: target,

pkg/blob/nodeserver.go

@@ -36,24 +36,25 @@ func init() {
 }
 
 var (
-	endpoint                   = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
-	blobfuseProxyEndpoint      = flag.String("blobfuse-proxy-endpoint", "unix://tmp/blobfuse-proxy.sock", "blobfuse-proxy endpoint")
-	nodeID                     = flag.String("nodeid", "", "node id")
-	version                    = flag.Bool("version", false, "Print the version and exit.")
-	metricsAddress             = flag.String("metrics-address", "0.0.0.0:29634", "export the metrics")
-	kubeconfig                 = flag.String("kubeconfig", "", "Absolute path to the kubeconfig file. Required only when running out of cluster.")
-	driverName                 = flag.String("drivername", blob.DefaultDriverName, "name of the driver")
-	enableBlobfuseProxy        = flag.Bool("enable-blobfuse-proxy", false, "using blobfuse proxy for mounts")
-	blobfuseProxyConnTimout    = flag.Int("blobfuse-proxy-connect-timeout", 5, "blobfuse proxy connection timeout(seconds)")
-	enableBlobMockMount        = flag.Bool("enable-blob-mock-mount", false, "enable mock mount(only for testing)")
-	cloudConfigSecretName      = flag.String("cloud-config-secret-name", "azure-cloud-provider", "secret name of cloud config")
-	cloudConfigSecretNamespace = flag.String("cloud-config-secret-namespace", "kube-system", "secret namespace of cloud config")
-	customUserAgent            = flag.String("custom-user-agent", "", "custom userAgent")
-	userAgentSuffix            = flag.String("user-agent-suffix", "", "userAgent suffix")
-	allowEmptyCloudConfig      = flag.Bool("allow-empty-cloud-config", true, "allow running driver without cloud config")
-	enableGetVolumeStats       = flag.Bool("enable-get-volume-stats", false, "allow GET_VOLUME_STATS on agent node")
-	appendTimeStampInCacheDir  = flag.Bool("append-timestamp-cache-dir", false, "append timestamp into cache directory on agent node")
-	mountPermissions           = flag.Uint64("mount-permissions", 0777, "mounted folder permissions")
+	endpoint                             = flag.String("endpoint", "unix://tmp/csi.sock", "CSI endpoint")
+	blobfuseProxyEndpoint                = flag.String("blobfuse-proxy-endpoint", "unix://tmp/blobfuse-proxy.sock", "blobfuse-proxy endpoint")
+	nodeID                               = flag.String("nodeid", "", "node id")
+	version                              = flag.Bool("version", false, "Print the version and exit.")
+	metricsAddress                       = flag.String("metrics-address", "0.0.0.0:29634", "export the metrics")
+	kubeconfig                           = flag.String("kubeconfig", "", "Absolute path to the kubeconfig file. Required only when running out of cluster.")
+	driverName                           = flag.String("drivername", blob.DefaultDriverName, "name of the driver")
+	enableBlobfuseProxy                  = flag.Bool("enable-blobfuse-proxy", false, "using blobfuse proxy for mounts")
+	blobfuseProxyConnTimout              = flag.Int("blobfuse-proxy-connect-timeout", 5, "blobfuse proxy connection timeout(seconds)")
+	enableBlobMockMount                  = flag.Bool("enable-blob-mock-mount", false, "enable mock mount(only for testing)")
+	cloudConfigSecretName                = flag.String("cloud-config-secret-name", "azure-cloud-provider", "secret name of cloud config")
+	cloudConfigSecretNamespace           = flag.String("cloud-config-secret-namespace", "kube-system", "secret namespace of cloud config")
+	customUserAgent                      = flag.String("custom-user-agent", "", "custom userAgent")
+	userAgentSuffix                      = flag.String("user-agent-suffix", "", "userAgent suffix")
+	allowEmptyCloudConfig                = flag.Bool("allow-empty-cloud-config", true, "allow running driver without cloud config")
+	enableGetVolumeStats                 = flag.Bool("enable-get-volume-stats", false, "allow GET_VOLUME_STATS on agent node")
+	appendTimeStampInCacheDir            = flag.Bool("append-timestamp-cache-dir", false, "append timestamp into cache directory on agent node")
+	mountPermissions                     = flag.Uint64("mount-permissions", 0777, "mounted folder permissions")
+	onlyGetKeyFromSecretWithInlineVolume = flag.Bool("only-get-key-from-secret-with-inline-volume", true, "only get key from secret with inline volume")
 )
 
 func main() {
@@ -75,20 +76,21 @@ func main() {
 
 func handle() {
 	driverOptions := blob.DriverOptions{
-		NodeID:                     *nodeID,
-		DriverName:                 *driverName,
-		CloudConfigSecretName:      *cloudConfigSecretName,
-		CloudConfigSecretNamespace: *cloudConfigSecretNamespace,
-		BlobfuseProxyEndpoint:      *blobfuseProxyEndpoint,
-		EnableBlobfuseProxy:        *enableBlobfuseProxy,
-		BlobfuseProxyConnTimout:    *blobfuseProxyConnTimout,
-		EnableBlobMockMount:        *enableBlobMockMount,
-		CustomUserAgent:            *customUserAgent,
-		UserAgentSuffix:            *userAgentSuffix,
-		AllowEmptyCloudConfig:      *allowEmptyCloudConfig,
-		EnableGetVolumeStats:       *enableGetVolumeStats,
-		AppendTimeStampInCacheDir:  *appendTimeStampInCacheDir,
-		MountPermissions:           *mountPermissions,
+		NodeID:                               *nodeID,
+		DriverName:                           *driverName,
+		CloudConfigSecretName:                *cloudConfigSecretName,
+		CloudConfigSecretNamespace:           *cloudConfigSecretNamespace,
+		BlobfuseProxyEndpoint:                *blobfuseProxyEndpoint,
+		EnableBlobfuseProxy:                  *enableBlobfuseProxy,
+		BlobfuseProxyConnTimout:              *blobfuseProxyConnTimout,
+		EnableBlobMockMount:                  *enableBlobMockMount,
+		CustomUserAgent:                      *customUserAgent,
+		UserAgentSuffix:                      *userAgentSuffix,
+		AllowEmptyCloudConfig:                *allowEmptyCloudConfig,
+		EnableGetVolumeStats:                 *enableGetVolumeStats,
+		AppendTimeStampInCacheDir:            *appendTimeStampInCacheDir,
+		MountPermissions:                     *mountPermissions,
+		OnlyGetKeyFromSecretWithInlineVolume: *onlyGetKeyFromSecretWithInlineVolume,
 	}
 	driver := blob.NewDriver(&driverOptions)
 	if driver == nil {