@andyzhangx andyzhangx commented Jul 5, 2025

What type of PR is this?
/kind feature

What this PR does / why we need it:
feat: support SMB mount with managed identity

Which issue(s) this PR fixes:

Fixes #

Requirements:

Special notes for your reviewer:

# k exec -it -n kube-system csi-azurefile-node-ls278 -c azurefile -- sh
# azfilesrefresh
Traceback (most recent call last):
  File "/usr/bin/azfilesrefresh", line 3, in <module>
    from azfilesauth import azfiles_set_oauth, get_oauth_token
ModuleNotFoundError: No module named 'azfilesauth'
# azfilesauthmanager

Usage:
        azfilesauthmanager list
        azfilesauthmanager set <file_endpoint_uri> <oauth_token>
        azfilesauthmanager set <file_endpoint_uri> --imds-client-id <client_id>
        azfilesauthmanager clear <file_endpoint_uri>

# ls -lt /usr/bin/azfile*
-rwxr-xr-x 1 root root 6862 May  3 12:00 /usr/bin/azfilesauthmanager
-rwxr-xr-x 1 root root 4649 May  3 12:00 /usr/bin/azfilesrefresh

Release note:

feat: support SMB mount with managed identity

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jul 5, 2025
@k8s-ci-robot k8s-ci-robot requested review from cvvz and ZeroMagic July 5, 2025 02:46
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx


@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 5, 2025
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 13, 2025
@andyzhangx (author)

/retest

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 20, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 21, 2025
@andyzhangx andyzhangx force-pushed the mi branch 2 times, most recently from 08d98cd to 5564b5c Compare July 21, 2025 14:03
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 22, 2025
chore: add kubelet mount path

chore: mkdir kerberos dir

fix

fix

install sudo curl

revert

fix mountOptions

support clientID

support clientID in sc

fix sh script golint error

fix

fix config file creation on host

add SETUP_MI_AUTH env var

fix azfilesauth_1.0 package

add azfilesrefresh sidecar

feat: mount with managed identity auth

fix

fix chart config
@andyzhangx andyzhangx requested review from Copilot and removed request for ZeroMagic August 18, 2025 11:18

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds support for SMB mount with managed identity authentication in the Azure File CSI driver. The changes enable using Azure managed identity for authentication instead of traditional storage account keys.

Key changes:

  • Adds a new mountwithmanagedidentity volume context parameter to enable managed identity authentication
  • Installs and integrates azfilesauthmanager tool for credential caching in the container images
  • Updates mount logic to use Kerberos authentication (sec=krb5) with managed identity when enabled

Reviewed Changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 5 comments.

Summary per file (File - Description):
pkg/azurefileplugin/Dockerfile - Adds azfilesauth package installation and required dependencies for managed identity support
pkg/azurefile/utils.go - Implements credential cache setup function using azfilesauthmanager
pkg/azurefile/nodeserver.go - Updates mount logic to support managed identity authentication with Kerberos
pkg/azurefile/controllerserver.go - Adds mountwithmanagedidentity field validation in CreateVolume
pkg/azurefile/azurefile.go - Adds mountwithmanagedidentity constant and account info handling logic
pkg/azurefile-proxy/init.sh - Sets up Kerberos configuration files for managed identity authentication
deploy/csi-azurefile-node.yaml - Adds azfilesrefresh sidecar container and required volume mounts
charts/latest/azurefile-csi-driver/values.yaml - Adds configuration option to enable managed identity authentication
charts/latest/azurefile-csi-driver/templates/csi-azurefile-node.yaml - Updates Helm template with conditional azfilesrefresh container


@@ -22,6 +22,7 @@ ARG ARCH

RUN apt update \
&& apt install -y curl \
&& curl -Lso /tmp/azfilesauth_amd64.deb https://raw.githubusercontent.com/andyzhangx/demo/refs/heads/master/aks/azfilesauth_1.0-4_${ARCH}.deb \
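Review bot: the curl on the last line of this hunk is neither pinned nor integrity-checked: it fetches from a mutable branch ref (refs/heads/master), so the .deb baked into every image can change without any change to this Dockerfile, and nothing verifies what was downloaded before the later install step. Pin the artifact to an immutable ref (a commit SHA or release tag) and check it in the same RUN, for example `&& echo "<sha256-of-deb>  /tmp/azfilesauth_amd64.deb" | sha256sum -c -` with the expected hash kept in the Dockerfile, so a replaced or corrupted package fails the build instead of shipping. The local file name is also fixed to `azfilesauth_amd64.deb` while the URL is keyed on `${ARCH}`; naming it `/tmp/azfilesauth_${ARCH}.deb` keeps the two consistent.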

Copilot AI Aug 18, 2025


Downloading packages from a personal GitHub repository (andyzhangx/demo) poses a security risk. Consider hosting the package in an official repository or verified location.

Suggested change
&& curl -Lso /tmp/azfilesauth_amd64.deb https://raw.githubusercontent.com/andyzhangx/demo/refs/heads/master/aks/azfilesauth_1.0-4_${ARCH}.deb \
&& curl -Lso /tmp/azfilesauth_amd64.deb https://github.com/andyzhangx/demo/releases/download/v1.0-4/azfilesauth_1.0-4_${ARCH}.deb \


RUN chmod +x /azurefile-proxy/*.sh && \
chmod +x /azurefile-proxy/azurefile-proxy.service && \
chmod +x /azurefile-proxy/azurefile-proxy

RUN if [ "$ARCH" = "amd64" ] ; then \
clean-install libcurl4-gnutls-dev \
&& apt update && apt install -y /azurefile-proxy/azfilesauth_amd64.deb; fi
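Review bot: the `apt update && apt install -y /azurefile-proxy/azfilesauth_amd64.deb` line leaves the refreshed package index in the image layer and keeps the installer .deb under /azurefile-proxy after it has been installed. Finish the same RUN with `&& rm -rf /var/lib/apt/lists/* /azurefile-proxy/azfilesauth_amd64.deb` so neither the apt lists nor the package file remain in the final image; the update is only needed to resolve the local package's dependencies and has no value once the install has completed.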

Copilot AI Aug 18, 2025


The package installation is hardcoded to only work for amd64 architecture, but the download URL uses ${ARCH} variable. This creates an inconsistency where other architectures will download the package but not install it.

Suggested change
&& apt update && apt install -y /azurefile-proxy/azfilesauth_amd64.deb; fi
COPY --from=builder --chown=root:root /tmp/azfilesauth_${ARCH}.deb /azurefile-proxy/azfilesauth_${ARCH}.deb
RUN chmod +x /azurefile-proxy/*.sh && \
chmod +x /azurefile-proxy/azurefile-proxy.service && \
chmod +x /azurefile-proxy/azurefile-proxy
RUN clean-install libcurl4-gnutls-dev \
&& apt update && apt install -y /azurefile-proxy/azfilesauth_${ARCH}.deb


clientID = d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID
}
sensitiveMountOptions = []string{"sec=krb5,cruid=0,upcall_target=mount", fmt.Sprintf("username=%s", clientID)}
klog.V(2).Infof("using managed identity %s for volume %s with mount options: %v", clientID, volumeID, sensitiveMountOptions)
} else {
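Review bot: on the `sensitiveMountOptions = ...` line, `clientID` is formatted straight into a comma-separated mount option string with no format check. The commit list shows the client ID can also be supplied through the storage class ("support clientID in sc"), so a value containing a comma or whitespace would be parsed by mount as additional options rather than staying inside `username=`. Validate it as a GUID before it is accepted (for example a strict match against `^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`, returning InvalidArgument otherwise) in the same place the `mountwithmanagedidentity` parameter is validated. The V(2) log on the following line also prints the slice named `sensitiveMountOptions` verbatim; today it only holds the client ID, but logging a variable with that name invites the next change to leak a real secret, so log the client ID and volume ID and leave the option slice out.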

Copilot AI Aug 18, 2025


[nitpick] The nested if-else structure creates complex control flow. Consider restructuring to handle the different authentication methods (NFS, managed identity, traditional) in separate conditional blocks for better readability.


@@ -313,7 +311,6 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
fileShareNameReplaceMap[pvNameMetadata] = v
case mountPermissionsField:
if v != "" {
var err error
var perm uint64
if perm, err = strconv.ParseUint(v, 8, 32); err != nil {
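Review bot: as rendered here, `err` is declared by `var err error` two lines above the `if perm, err = strconv.ParseUint(v, 8, 32); err != nil {` line, so the assignment form compiles; the two `var` lines exist only so that `perm` outlives the `if`. The idiomatic shape is `perm, err := strconv.ParseUint(v, 8, 32)` followed by a separate `if err != nil { ... }`, which keeps `perm` in the enclosing scope, drops both declarations, and makes the origin of `err` obvious to a reader of the hunk.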

Copilot AI Aug 18, 2025


The err variable is used without being declared. This will cause a compilation error since err was removed from the variable declaration on the previous lines.


cmd.Env = append(os.Environ(), cmd.Env...)
klog.V(2).Infof("Executing command: %q", cmd.String())
return cmd.CombinedOutput()
}
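Review bot: `klog.V(2).Infof("Executing command: %q", cmd.String())` logs the complete argv of the command. This helper wraps `azfilesauthmanager`, and the usage text in the PR description shows a `set <file_endpoint_uri> <oauth_token>` form that takes a bearer token as a positional argument, so any caller using that form would write the token into the node logs at a verbosity level that is routinely enabled. Log `cmd.Path` plus the subcommand and endpoint only, or redact everything after the endpoint, instead of `cmd.String()`; the same care applies if the returned `CombinedOutput()` is later formatted into error messages, since the tool's own output is not under this code's control.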

Copilot AI Aug 18, 2025


The clientID parameter should be validated before being passed to exec.Command to prevent command injection attacks, especially since it could come from user-provided volume context.


@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 20, 2025
@k8s-ci-robot

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
