feat: Support fsgroup in CSI calls; test: enable fsgroup e2e tests

Author: verult

pkg/smb/nodeserver.go

@@ -132,7 +132,12 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 
 	context := req.GetVolumeContext()
 	mountFlags := req.GetVolumeCapability().GetMount().GetMountFlags()
+	volumeMountGroup := req.GetVolumeCapability().GetMount().GetVolumeMountGroup()
 	secrets := req.GetSecrets()
+	gidPresent, err := checkGidPresentInMountFlags(volumeMountGroup, mountFlags)
+	if err != nil {
+		return nil, err
+	}
 
 	source, ok := context[sourceField]
 	if !ok {
@@ -172,6 +177,9 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 		}
 		sensitiveMountOptions = []string{fmt.Sprintf("%s=%s,%s=%s", usernameField, username, passwordField, password)}
 		mountOptions = mountFlags
+		if !gidPresent && volumeMountGroup != "" {
+			mountOptions = append(mountOptions, fmt.Sprintf("gid=%s", volumeMountGroup))
+		}
 		if domain != "" {
 			mountOptions = append(mountOptions, fmt.Sprintf("%s=%s", domainField, domain))
 		}
@@ -365,3 +373,17 @@ func makeDir(pathname string) error {
 	}
 	return nil
 }
+
+func checkGidPresentInMountFlags(volumeMountGroup string, mountFlags []string) (bool, error) {
+	gidPresentInMountFlags := false
+	for _, mountFlag := range mountFlags {
+		if strings.HasPrefix(mountFlag, "gid") {
+			gidPresentInMountFlags = true
+			kvpair := strings.Split(mountFlag, "=")
+			if volumeMountGroup != "" && len(kvpair) == 2 && !strings.EqualFold(volumeMountGroup, kvpair[1]) {
+				return false, status.Error(codes.InvalidArgument, fmt.Sprintf("gid(%s) in storageClass and pod fsgroup(%s) are not equal", kvpair[1], volumeMountGroup))
+			}
+		}
+	}
+	return gidPresentInMountFlags, nil
+}

pkg/smb/smb.go

@@ -88,6 +88,7 @@ func (d *Driver) Run(endpoint, kubeconfig string, testMode bool) {
 		csi.NodeServiceCapability_RPC_GET_VOLUME_STATS,
 		csi.NodeServiceCapability_RPC_STAGE_UNSTAGE_VOLUME,
 		csi.NodeServiceCapability_RPC_SINGLE_NODE_MULTI_WRITER,
+		csi.NodeServiceCapability_RPC_VOLUME_MOUNT_GROUP,
 	})
 
 	s := csicommon.NewNonBlockingGRPCServer()

test/external-e2e/run.sh

@@ -31,7 +31,7 @@ setup_e2e_binaries() {
 
     # test on alternative driver name
     export EXTRA_HELM_OPTIONS=" --set driver.name=$DRIVER.csi.k8s.io --set controller.name=csi-$DRIVER-controller --set linux.dsName=csi-$DRIVER-node --set windows.dsName=csi-$DRIVER-node-win --set image.csiProvisioner.tag=v3.0.0"
-    sed -i "s/smb.csi.k8s.io/$DRIVER.csi.k8s.io/g" deploy/example/storageclass-smb.yaml
+    sed -i "s/smb.csi.k8s.io/$DRIVER.csi.k8s.io/g" test/external-e2e/storageclass-test.yaml
     make install-smb-provisioner
     make e2e-bootstrap
     sed -i "s/csi-smb-controller/csi-$DRIVER-controller/g" deploy/example/metrics/csi-smb-controller-svc.yaml

test/external-e2e/storageclass-test.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: smb-test
+provisioner: smb.csi.k8s.io
+parameters:
+  # On Windows, "*.default.svc.cluster.local" could not be recognized by csi-proxy
+  source: "//smb-server.default.svc.cluster.local/share"
+  # if csi.storage.k8s.io/provisioner-secret is provided, will create a sub directory
+  # with PV name under source
+  csi.storage.k8s.io/provisioner-secret-name: "smbcreds"
+  csi.storage.k8s.io/provisioner-secret-namespace: "default"
+  csi.storage.k8s.io/node-stage-secret-name: "smbcreds"
+  csi.storage.k8s.io/node-stage-secret-namespace: "default"
+volumeBindingMode: Immediate
+mountOptions:
+  - dir_mode=0777
+  - file_mode=0777
+  - uid=1001

test/external-e2e/testdriver.yaml

@@ -11,3 +11,5 @@ DriverInfo:
     exec: true
     multipods: true
     RWX: true
+    fsGroup: true
+    volumeMountGroup: true