feat: support mount blob storage directory in another subscription

andyzhangx · andyzhangx · commit 126a41d77d6b · 2022-04-06T07:48:46.000Z
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -19,6 +19,7 @@ allowBlobPublicAccess | Allow or disallow public access to all blobs or containe
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net` | No | if empty, driver will use default storage endpoint suffix according to cloud environment, e.g. `core.windows.net`
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""
 --- | **Following parameters are only for blobfuse** | --- | --- |
+subscriptionID | specify Azure subscription ID in which blob storage directory will be created | Azure subscription ID | No | if not empty, `resourceGroup` must be provided
 storeAccountKey | whether store account key to k8s secret <br><br> Note:  <br> `false` means driver would leverage kubelet identity to get account key | `true`,`false` | No | `true`
 secretName | specify secret name to store account key | | No |
 secretNamespace | specify the namespace of secret to store account key | `default`,`kube-system`, etc | No | pvc namespace
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -58,6 +58,7 @@ const (
 	storageAccountField          = "storageaccount"
 	storageAccountTypeField      = "storageaccounttype"
 	skuNameField                 = "skuname"
+	subscriptionIDField          = "subscriptionid"
 	resourceGroupField           = "resourcegroup"
 	locationField                = "location"
 	secretNameField              = "secretname"
@@ -306,6 +307,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 	}
 
 	var (
+		subsID                  string
 		accountKey              string
 		accountSasToken         string
 		secretName              string
@@ -321,6 +323,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 
 	for k, v := range attrib {
 		switch strings.ToLower(k) {
+		case subscriptionIDField:
+			subsID = v
 		case containerNameField:
 			containerName = v
 		case keyVaultURLField:
@@ -404,7 +408,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 				if err != nil && !getAccountKeyFromSecret {
 					klog.V(2).Infof("get account(%s) key from secret(%s, %s) failed with error: %v, use cluster identity to get account key instead",
 						accountName, secretNamespace, secretName, err)
-					accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountName, rgName)
+					accountKey, err = d.cloud.GetStorageAccesskey(ctx, subsID, accountName, rgName)
 					if err != nil {
 						return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %w", accountName, rgName, err)
 					}
@@ -453,6 +457,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 // only for e2e testing
 func (d *Driver) GetStorageAccountAndContainer(ctx context.Context, volumeID string, attrib, secrets map[string]string) (string, string, string, string, error) {
 	var (
+		subsID                string
 		accountName           string
 		accountKey            string
 		accountSasToken       string
@@ -465,6 +470,8 @@ func (d *Driver) GetStorageAccountAndContainer(ctx context.Context, volumeID str
 
 	for k, v := range attrib {
 		switch strings.ToLower(k) {
+		case subscriptionIDField:
+			subsID = v
 		case containerNameField:
 			containerName = v
 		case keyVaultURLField:
@@ -505,7 +512,7 @@ func (d *Driver) GetStorageAccountAndContainer(ctx context.Context, volumeID str
 				rgName = d.cloud.ResourceGroup
 			}
 
-			accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountName, rgName)
+			accountKey, err = d.cloud.GetStorageAccesskey(ctx, subsID, accountName, rgName)
 			if err != nil {
 				return "", "", "", "", fmt.Errorf("no key for storage account(%s) under resource group(%s), err %w", accountName, rgName, err)
 			}
@@ -626,7 +633,7 @@ func (d *Driver) GetStorageAccesskey(ctx context.Context, accountOptions *azure.
 	_, accountKey, err := d.GetStorageAccountFromSecret(secretName, secretNamespace)
 	if err != nil {
 		klog.V(2).Infof("could not get account(%s) key from secret(%s) namespace(%s), error: %v, use cluster identity to get account key instead", accountOptions.Name, secretName, secretNamespace, err)
-		accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountOptions.Name, accountOptions.ResourceGroup)
+		accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountOptions.SubscriptionID, accountOptions.Name, accountOptions.ResourceGroup)
 	}
 	return accountOptions.Name, accountKey, err
 }
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -460,7 +460,7 @@ func TestGetAuthEnv(t *testing.T) {
 				rerr := &retry.Error{
 					RawError: fmt.Errorf("test"),
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
 				_, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
 				expectedErr := fmt.Errorf("no key for storage account(storageaccountname) under resource group(rg), err Retriable: false, RetryAfter: 0s, HTTPStatusCode: 0, RawError: test")
 				if !strings.EqualFold(err.Error(), expectedErr.Error()) {
@@ -489,7 +489,7 @@ func TestGetAuthEnv(t *testing.T) {
 				list := storage.AccountListKeysResult{
 					Keys: &accountkeylist,
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
 				_, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
 				expectedErr := error(nil)
 				if !reflect.DeepEqual(err, expectedErr) {
@@ -573,7 +573,7 @@ func TestGetStorageAccountAndContainer(t *testing.T) {
 				rerr := &retry.Error{
 					RawError: fmt.Errorf("test"),
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
 				_, _, _, _, err := d.GetStorageAccountAndContainer(context.TODO(), volumeID, attrib, secret)
 				expectedErr := fmt.Errorf("no key for storage account(f5713de20cde511e8ba4900) under resource group(rg), err Retriable: false, RetryAfter: 0s, HTTPStatusCode: 0, RawError: test")
 				if !strings.EqualFold(err.Error(), expectedErr.Error()) {
@@ -602,7 +602,7 @@ func TestGetStorageAccountAndContainer(t *testing.T) {
 				list := storage.AccountListKeysResult{
 					Keys: &accountkeylist,
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
 				_, _, _, _, err := d.GetStorageAccountAndContainer(context.TODO(), volumeID, attrib, secret)
 				expectedErr := error(nil)
 				if !reflect.DeepEqual(err, expectedErr) {
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -67,7 +67,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	if parameters == nil {
 		parameters = make(map[string]string)
 	}
-	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretName, secretNamespace, pvcNamespace string
+	var storageAccountType, subsID, resourceGroup, location, account, containerName, protocol, customTags, secretName, secretNamespace, pvcNamespace string
 	var isHnsEnabled *bool
 	var vnetResourceGroup, vnetName, subnetName string
 	// set allowBlobPublicAccess as false by default
@@ -88,6 +88,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			location = v
 		case storageAccountField:
 			account = v
+		case subscriptionIDField:
+			subsID = v
 		case resourceGroupField:
 			resourceGroup = v
 		case containerNameField:
@@ -140,6 +142,15 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		}
 	}
 
+	if subsID != "" && subsID != d.cloud.SubscriptionID {
+		if protocol == nfs {
+			return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("NFS protocol is not supported in cross subscription(%s)", subsID))
+		}
+		if !storeAccountKey {
+			return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("storeAccountKey must set as true in cross subscription(%s)", subsID))
+		}
+	}
+
 	if resourceGroup == "" {
 		resourceGroup = d.cloud.ResourceGroup
 	}
@@ -195,6 +206,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		Name:                      account,
 		Type:                      storageAccountType,
 		Kind:                      accountKind,
+		SubscriptionID:            subsID,
 		ResourceGroup:             resourceGroup,
 		Location:                  location,
 		EnableHTTPSTrafficOnly:    enableHTTPSTrafficOnly,
@@ -402,7 +414,7 @@ func (d *Driver) ValidateVolumeCapabilities(ctx context.Context, req *csi.Valida
 
 	var accountKey string
 	if len(req.GetSecrets()) == 0 { // check whether account is provided by secret
-		accountKey, err = d.cloud.GetStorageAccesskey(ctx, accountName, resourceGroupName)
+		accountKey, err = d.cloud.GetStorageAccesskey(ctx, "", accountName, resourceGroupName)
 		if err != nil {
 			return nil, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %w", accountName, resourceGroupName, err)
 		}
diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go
@@ -197,7 +197,7 @@ func TestCreateVolume(t *testing.T) {
 				rerr := &retry.Error{
 					RawError: fmt.Errorf("test"),
 				}
-				mockStorageAccountsClient.EXPECT().ListByResourceGroup(gomock.Any(), gomock.Any()).Return(nil, rerr).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListByResourceGroup(gomock.Any(), gomock.Any(), gomock.Any()).Return(nil, rerr).AnyTimes()
 				_, err := d.CreateVolume(context.Background(), req)
 				expectedErr := status.Errorf(codes.Internal, "ensure storage account failed with could not list storage accounts for account type : Retriable: false, RetryAfter: 0s, HTTPStatusCode: 0, RawError: test")
 				if !reflect.DeepEqual(err, expectedErr) {
@@ -338,7 +338,7 @@ func TestDeleteVolume(t *testing.T) {
 					RawError: fmt.Errorf("test"),
 				}
 				accountListKeysResult := storage.AccountListKeysResult{}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
 				expectedErr := fmt.Errorf("no key for storage account(test) under resource group(unit), err Retriable: false, RetryAfter: 0s, HTTPStatusCode: 0, RawError: test")
 				_, err := d.DeleteVolume(context.Background(), req)
 				if !strings.EqualFold(err.Error(), expectedErr.Error()) {
@@ -370,7 +370,7 @@ func TestDeleteVolume(t *testing.T) {
 				list := storage.AccountListKeysResult{
 					Keys: &accountkeylist,
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
 				expectedErr := fmt.Errorf("azure: base storage service url required")
 				_, err := d.DeleteVolume(context.Background(), req)
 				if !reflect.DeepEqual(err, expectedErr) {
@@ -467,7 +467,7 @@ func TestValidateVolumeCapabilities(t *testing.T) {
 					RawError: fmt.Errorf("test"),
 				}
 				accountListKeysResult := storage.AccountListKeysResult{}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(accountListKeysResult, rerr).AnyTimes()
 				expectedErr := fmt.Errorf("no key for storage account(test) under resource group(unit), err Retriable: false, RetryAfter: 0s, HTTPStatusCode: 0, RawError: test")
 				_, err := d.ValidateVolumeCapabilities(context.Background(), req)
 				if !strings.EqualFold(err.Error(), expectedErr.Error()) {
@@ -500,7 +500,7 @@ func TestValidateVolumeCapabilities(t *testing.T) {
 				list := storage.AccountListKeysResult{
 					Keys: &accountkeylist,
 				}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
+				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
 				expectedErr := fmt.Errorf("azure: base storage service url required")
 				_, err := d.ValidateVolumeCapabilities(context.Background(), req)
 				if !reflect.DeepEqual(err, expectedErr) {
