feat: mount with managed identity auth

Author: andyzhangx

pkg/azurefile/azurefile.go

@@ -128,8 +128,8 @@ const (
 	podNameField                      = "csi.storage.k8s.io/pod.name"
 	podNamespaceField                 = "csi.storage.k8s.io/pod.namespace"
 	serviceAccountTokenField          = "csi.storage.k8s.io/serviceAccount.tokens"
-	clientIDField                     = "clientID"
-	tenantIDField                     = "tenantID"
+	clientIDField                     = "clientid"
+	tenantIDField                     = "tenantid"
 	mountOptionsField                 = "mountoptions"
 	mountPermissionsField             = "mountpermissions"
 	encryptInTransitField             = "encryptintransit"
@@ -777,7 +777,7 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 
 	var protocol, accountKey, secretName, pvcNamespace string
 	// getAccountKeyFromSecret indicates whether get account key only from k8s secret
-	var getAccountKeyFromSecret, getLatestAccountKey bool
+	var getAccountKeyFromSecret, getLatestAccountKey, mountWithManagedIdentity bool
 	var clientID, tenantID, serviceAccountToken string
 
 	for k, v := range reqContext {
@@ -808,8 +808,12 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 			if getLatestAccountKey, err = strconv.ParseBool(v); err != nil {
 				return rgName, accountName, accountKey, fileShareName, diskName, subsID, fmt.Errorf("invalid %s: %s in volume context", getLatestAccountKeyField, v)
 			}
-		case strings.ToLower(clientIDField):
+		case clientIDField:
 			clientID = v
+		case mountWithManagedIdentityField:
+			if mountWithManagedIdentity, err = strconv.ParseBool(v); err != nil {
+				return rgName, accountName, accountKey, fileShareName, diskName, subsID, fmt.Errorf("invalid %s: %s in volume context", mountWithManagedIdentityField, v)
+			}
 		case strings.ToLower(tenantIDField):
 			tenantID = v
 		case strings.ToLower(serviceAccountTokenField):
@@ -839,7 +843,11 @@ func (d *Driver) GetAccountInfo(ctx context.Context, volumeID string, secrets, r
 		}
 	}
 
-	// if client id is specified, we only use service account token to get account key
+	if mountWithManagedIdentity {
+		klog.V(2).Infof("mountWithManagedIdentity is true, use managed identity auth")
+		return rgName, accountName, accountKey, fileShareName, diskName, subsID, nil
+	}
+
 	if clientID != "" {
 		klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
 		accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)

pkg/azurefile/nodeserver.go

@@ -77,7 +77,7 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	context := req.GetVolumeContext()
 	if context != nil {
 		// token request
-		if context[serviceAccountTokenField] != "" && getValueInMap(context, clientIDField) != "" {
+		if !strings.EqualFold(getValueInMap(context, mountWithManagedIdentityField), trueValue) && context[serviceAccountTokenField] != "" && getValueInMap(context, clientIDField) != "" {
 			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with service account token, clientID: %s", volumeID, target, getValueInMap(context, clientIDField))
 			_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
 				StagingTargetPath: target,

pkg/azurefile/utils.go

@@ -377,7 +377,8 @@ func removeOptionIfExists(options []string, removeOption string) ([]string, bool
 }
 
 func setCredentialCache(server, clientID string) ([]byte, error) {
-	klog.V(2).Infof("setCredentialCache for server %s with clientID %s", server, clientID)
-	cmd := exec.Command("sudo", "azfilesauthmanager", "set", server, "--imds-client-id", clientID)
+	cmd := exec.Command("azfilesauthmanager", "set", "https://"+server, "--imds-client-id", clientID)
+	cmd.Env = append(os.Environ(), cmd.Env...)
+	klog.V(2).Infof("Executing command: %q", cmd.String())
 	return cmd.CombinedOutput()
 }

pkg/azurefileplugin/Dockerfile

@@ -34,7 +34,7 @@ ARG binary=./_output/${ARCH}/azurefileplugin
 COPY ${binary} /azurefileplugin
 COPY --from=builder --chown=root:root /usr/local/bin/azcopy /usr/local/bin/azcopy
 
-RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates cifs-utils util-linux e2fsprogs mount udev xfsprogs nfs-common netbase curl sudo python3-requests
+RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates cifs-utils util-linux e2fsprogs mount udev xfsprogs nfs-common netbase curl python3-requests
 
 COPY ./pkg/azurefile-proxy/init.sh /azurefile-proxy/
 COPY ./pkg/azurefile-proxy/install-proxy.sh /azurefile-proxy/