add sas token e2e test

Author: cvvz

go.mod

@@ -37,6 +37,7 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1
 	k8s.io/apiserver v0.24.3
 )
 

go.sum

@@ -53,6 +53,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.0.0 h1:lMW1lD/
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0 h1:Jc2KcpCDMu7wJfkrzn7fs/53QMDXH78GuqnH4HOd7zs=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0/go.mod h1:PFVgFsclKzPqYRT/BiwpfUN22cab0C7FlgXR3iWpwMo=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1 h1:QSdcrd/UFJv6Bp/CfoVf2SrENpFn9P6Yh8yb+xNhYMM=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1/go.mod h1:eZ4g6GUvXiGulfIbbhh1Xr4XwUYaYaWMqzGD/284wCA=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=

test/e2e/pre_provisioning_test.go

@@ -290,6 +290,46 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 		}
 		test.Run(cs, ns)
 	})
+
+	ginkgo.It("should use SAS token", func() {
+		req := makeCreateVolumeReq("pre-provisioned-sas-token", ns.Name)
+		resp, err := blobDriver.CreateVolume(context.Background(), req)
+		if err != nil {
+			ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
+		}
+		volumeID = resp.Volume.VolumeId
+		ginkgo.By(fmt.Sprintf("Successfully provisioned blob volume: %q\n", volumeID))
+
+		volumeSize := fmt.Sprintf("%dGi", defaultVolumeSize)
+		reclaimPolicy := v1.PersistentVolumeReclaimRetain
+		volumeBindingMode := storagev1.VolumeBindingImmediate
+
+		pods := []testsuites.PodDetails{
+			{
+				Cmd: "echo 'hello world' > /mnt/test-1/data && grep 'hello world' /mnt/test-1/data",
+				Volumes: []testsuites.VolumeDetails{
+					{
+						VolumeID:          volumeID,
+						FSType:            "ext4",
+						ClaimSize:         volumeSize,
+						ReclaimPolicy:     &reclaimPolicy,
+						VolumeBindingMode: &volumeBindingMode,
+						VolumeMount: testsuites.VolumeMountDetails{
+							NameGenerate:      "test-volume-",
+							MountPathGenerate: "/mnt/test-",
+						},
+					},
+				},
+			},
+		}
+
+		test := testsuites.PreProvisionedSASTokenTest{
+			CSIDriver: testDriver,
+			Pods:      pods,
+			Driver:    blobDriver,
+		}
+		test.Run(cs, ns)
+	})
 })
 
 func makeCreateVolumeReq(volumeName, secretNamespace string) *csi.CreateVolumeRequest {

test/e2e/testsuites/pre_provisioned_sastoken_tester.go

@@ -0,0 +1,109 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package testsuites
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
+	"github.com/onsi/ginkgo"
+	v1 "k8s.io/api/core/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	"k8s.io/kubernetes/test/e2e/framework"
+	"sigs.k8s.io/blob-csi-driver/pkg/blob"
+	"sigs.k8s.io/blob-csi-driver/test/e2e/driver"
+	"sigs.k8s.io/blob-csi-driver/test/utils/azure"
+)
+
+// PreProvisionedSASTokenTest will provision required PV(s), PVC(s) and Pod(s)
+// Testing that the Pod(s) can be created successfully with provided Key Vault
+// which is used to store storage SAS token
+type PreProvisionedSASTokenTest struct {
+	CSIDriver driver.PreProvisionedVolumeTestDriver
+	Pods      []PodDetails
+	Driver    *blob.Driver
+}
+
+func (t *PreProvisionedSASTokenTest) Run(client clientset.Interface, namespace *v1.Namespace) {
+	keyVaultClient, err := azure.NewKeyVaultClient()
+	framework.ExpectNoError(err)
+
+	for _, pod := range t.Pods {
+		for n, volume := range pod.Volumes {
+			// In the method GetStorageAccountAndContainer, we can get an account key of the blob volume
+			// by calling azure API, but not the sas token...
+			accountName, accountKey, _, containerName, err := t.Driver.GetStorageAccountAndContainer(context.TODO(), volume.VolumeID, nil, nil)
+			framework.ExpectNoError(err, fmt.Sprintf("Error GetStorageAccountAndContainer from volumeID(%s): %v", volume.VolumeID, err))
+
+			ginkgo.By("creating KeyVault...")
+			vault, err := keyVaultClient.CreateVault(context.TODO())
+			framework.ExpectNoError(err)
+			defer func() {
+				err := keyVaultClient.CleanVault(context.TODO())
+				framework.ExpectNoError(err)
+			}()
+
+			ginkgo.By("generating SAS token...")
+			sasToken := generateSASToken(accountName, accountKey)
+
+			ginkgo.By("creating secret for SAS token...")
+			accountSASSecret, err := keyVaultClient.CreateSecret(context.TODO(), accountName+"-sas", sasToken)
+			framework.ExpectNoError(err)
+
+			pod.Volumes[n].ContainerName = containerName
+			pod.Volumes[n].StorageAccountname = accountName
+			pod.Volumes[n].KeyVaultURL = *vault.Properties.VaultURI
+			pod.Volumes[n].KeyVaultSecretName = *accountSASSecret.Name
+
+			tpod, cleanup := pod.SetupWithPreProvisionedVolumes(client, namespace, t.CSIDriver)
+			// defer must be called here for resources not get removed before using them
+			for i := range cleanup {
+				defer cleanup[i]()
+			}
+
+			ginkgo.By("deploying the pod")
+			tpod.Create()
+			defer tpod.Cleanup()
+
+			ginkgo.By("checking that the pods command exits with no error")
+			tpod.WaitForSuccess()
+		}
+	}
+}
+
+func generateSASToken(accountName, accountKey string) string {
+	credential, err := azblob.NewSharedKeyCredential(accountName, accountKey)
+	framework.ExpectNoError(err)
+	serviceClient, err := azblob.NewServiceClientWithSharedKey(fmt.Sprintf("https://%s.blob.core.windows.net/", accountName), credential, nil)
+	framework.ExpectNoError(err)
+	sasURL, err := serviceClient.GetSASURL(
+		azblob.AccountSASResourceTypes{Object: true, Service: true, Container: true},
+		azblob.AccountSASPermissions{Read: true, List: true, Write: true, Delete: true, Add: true, Create: true, Update: true},
+		time.Now().Add(-12*time.Hour), time.Now().Add(12*time.Hour))
+	framework.ExpectNoError(err)
+	ginkgo.By("SAS URL: " + sasURL)
+	u, err := url.Parse(sasURL)
+	framework.ExpectNoError(err)
+	queryUnescape, err := url.QueryUnescape(u.RawQuery)
+	framework.ExpectNoError(err)
+	sasToken := "?" + queryUnescape
+	ginkgo.By("SAS Token: " + sasToken)
+	return sasToken
+}