chore: support runtimeClassHandler parameter in storage class

Author: andyzhangx

pkg/azurefile/azurefile.go

@@ -163,6 +163,8 @@ const (
 	selectRandomMatchingAccountField  = "selectrandommatchingaccount"
 	accountQuotaField                 = "accountquota"
 	defaultKataCCLabel                = "kubernetes.azure.com/kata-cc-isolation"
+	runtimeClassHandlerField          = "runtimeclasshandler"
+	defaultRuntimeClassHandler        = "kata-cc"
 
 	accountNotProvisioned = "StorageAccountIsNotProvisioned"
 	// this is a workaround fix for 429 throttling issue, will update cloud provider for better fix later

pkg/azurefile/controllerserver.go

@@ -226,10 +226,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case pvNameKey:
 			fileShareNameReplaceMap[pvNameMetadata] = v
 		case serverNameField:
-			// no op, only used in NodeStageVolume
 		case folderNameField:
-			// no op, only used in NodeStageVolume
 		case clientIDField:
+		case runtimeClassHandlerField:
 			// no op, only used in NodeStageVolume
 		case fsGroupChangePolicyField:
 			fsGroupChangePolicy = v

pkg/azurefile/controllerserver_test.go

@@ -922,6 +922,7 @@ var _ = ginkgo.Describe("TestCreateVolume", func() {
 					clientIDField:             "client-id",
 					provisionedBandwidthField: "100",
 					provisionedIopsField:      "800",
+					runtimeClassHandlerField:  "runtime-handler",
 				}
 
 				req := &csi.CreateVolumeRequest{

pkg/azurefile/nodeserver.go

@@ -120,7 +120,11 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 				return nil, status.Errorf(codes.Internal, "failed to get runtime class for pod %s/%s: %v", context[podNamespaceField], context[podNameField], err)
 			}
 			klog.V(2).Infof("NodePublishVolume: volume(%s) mount on %s with runtimeClass %s", volumeID, target, runtimeClass)
-			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass)
+			runtimeClassHandler := getValueInMap(context, runtimeClassHandlerField)
+			if runtimeClassHandler == "" {
+				runtimeClassHandler = defaultRuntimeClassHandler
+			}
+			isConfidentialRuntimeClass, err := isConfidentialRuntimeClassFunc(ctx, d.kubeClient, runtimeClass, runtimeClassHandler)
 			if err != nil {
 				return nil, status.Errorf(codes.Internal, "failed to check if runtime class %s is confidential: %v", runtimeClass, err)
 			}

pkg/azurefile/nodeserver_test.go

@@ -117,7 +117,7 @@ func mockGetRuntimeClassForPod(_ context.Context, _ clientset.Interface, _, _ st
 	return "mockRuntimeClass", nil
 }
 
-func mockIsConfidentialRuntimeClass(_ context.Context, _ clientset.Interface, _ string) (bool, error) {
+func mockIsConfidentialRuntimeClass(_ context.Context, _ clientset.Interface, _ string, _ string) (bool, error) {
 	return true, nil
 }
 

pkg/azurefile/utils.go

@@ -319,10 +319,8 @@ func isReadOnlyFromCapability(vc *csi.VolumeCapability) bool {
 		mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY)
 }
 
-const confidentialRuntimeClassHandler = "kata-cc"
-
 // check if runtimeClass is confidential
-func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interface, runtimeClassName string) (bool, error) {
+func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interface, runtimeClassName, runtimeClassHandler string) (bool, error) {
 	// if runtimeClassName is empty, return false
 	if runtimeClassName == "" {
 		return false, nil
@@ -336,7 +334,7 @@ func isConfidentialRuntimeClass(ctx context.Context, kubeClient clientset.Interf
 		return false, err
 	}
 	klog.V(4).Infof("runtimeClass %s handler: %s", runtimeClassName, runtimeClass.Handler)
-	return runtimeClass.Handler == confidentialRuntimeClassHandler, nil
+	return runtimeClass.Handler == runtimeClassHandler, nil
 }
 
 // getBackOff returns a backoff object based on the config

pkg/azurefile/utils_test.go

@@ -806,7 +806,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 	ctx := context.TODO()
 
 	// Test the case where kubeClient is nil
-	_, err := isConfidentialRuntimeClass(ctx, nil, "test-runtime-class")
+	_, err := isConfidentialRuntimeClass(ctx, nil, "test-runtime-class", defaultRuntimeClassHandler)
 	if err == nil || err.Error() != "kubeClient is nil" {
 		t.Fatalf("expected error 'kubeClient is nil', got %v", err)
 	}
@@ -819,14 +819,14 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-runtime-class",
 		},
-		Handler: confidentialRuntimeClassHandler,
+		Handler: defaultRuntimeClassHandler,
 	}
 	_, err = clientset.NodeV1().RuntimeClasses().Create(ctx, runtimeClass, metav1.CreateOptions{})
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
 
-	isConfidential, err := isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class")
+	isConfidential, err := isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class", defaultRuntimeClassHandler)
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -847,7 +847,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 		t.Fatalf("expected no error, got %v", err)
 	}
 
-	isConfidential, err = isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class-non-confidential")
+	isConfidential, err = isConfidentialRuntimeClass(ctx, clientset, "test-runtime-class-non-confidential", defaultRuntimeClassHandler)
 	if err != nil {
 		t.Fatalf("expected no error, got %v", err)
 	}
@@ -857,7 +857,7 @@ func TestIsConfidentialRuntimeClass(t *testing.T) {
 	}
 
 	// Test the case where the runtime class does not exist
-	_, err = isConfidentialRuntimeClass(ctx, clientset, "nonexistent-runtime-class")
+	_, err = isConfidentialRuntimeClass(ctx, clientset, "nonexistent-runtime-class", defaultRuntimeClassHandler)
 	if err == nil {
 		t.Fatalf("expected an error, got nil")
 	}