feat: add requireInfraEncryption parameter in storage class

andyzhangx · andyzhangx · commit 25b7fe3be84a · 2022-08-22T12:08:12.000Z
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -17,6 +17,7 @@ containerName | specify the existing container(directory) name | existing contai
 containerNamePrefix | specify Azure storage directory prefix created by driver | can only contain lowercase letters, numbers, hyphens, and length should be less than 21 | No |
 server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address
 allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false`
+requireInfraEncryption | specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for storage account created by driver | `true`,`false` | No | `false`
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc | No | if empty, driver will use default storage endpoint suffix according to cloud environment
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""
 matchTags | whether matching tags when driver tries to find a suitable storage account | `true`,`false` | No | `false`
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -76,6 +76,7 @@ const (
 	keyVaultSecretVersionField   = "keyvaultsecretversion"
 	storageAccountNameField      = "storageaccountname"
 	allowBlobPublicAccessField   = "allowblobpublicaccess"
+	requireInfraEncryptionField  = "requireinfraencryption"
 	ephemeralField               = "csi.storage.k8s.io/ephemeral"
 	podNamespaceField            = "csi.storage.k8s.io/pod.namespace"
 	mountOptionsField            = "mountoptions"
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -68,7 +68,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		parameters = make(map[string]string)
 	}
 	var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace string
-	var isHnsEnabled *bool
+	var isHnsEnabled, requireInfraEncryption *bool
 	var vnetResourceGroup, vnetName, subnetName string
 	var matchTags, useDataPlaneAPI bool
 	// set allowBlobPublicAccess as false by default
@@ -121,6 +121,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			if strings.EqualFold(v, trueValue) {
 				allowBlobPublicAccess = to.BoolPtr(true)
 			}
+		case requireInfraEncryptionField:
+			if strings.EqualFold(v, trueValue) {
+				requireInfraEncryption = to.BoolPtr(true)
+			}
 		case pvcNamespaceKey:
 			pvcNamespace = v
 			containerNameReplaceMap[pvcNamespaceMetadata] = v
@@ -228,22 +232,23 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 
 	accountOptions := &azure.AccountOptions{
-		Name:                      account,
-		Type:                      storageAccountType,
-		Kind:                      accountKind,
-		SubscriptionID:            subsID,
-		ResourceGroup:             resourceGroup,
-		Location:                  location,
-		EnableHTTPSTrafficOnly:    enableHTTPSTrafficOnly,
-		VirtualNetworkResourceIDs: vnetResourceIDs,
-		Tags:                      tags,
-		MatchTags:                 matchTags,
-		IsHnsEnabled:              isHnsEnabled,
-		EnableNfsV3:               enableNfsV3,
-		AllowBlobPublicAccess:     allowBlobPublicAccess,
-		VNetResourceGroup:         vnetResourceGroup,
-		VNetName:                  vnetName,
-		SubnetName:                subnetName,
+		Name:                            account,
+		Type:                            storageAccountType,
+		Kind:                            accountKind,
+		SubscriptionID:                  subsID,
+		ResourceGroup:                   resourceGroup,
+		Location:                        location,
+		EnableHTTPSTrafficOnly:          enableHTTPSTrafficOnly,
+		VirtualNetworkResourceIDs:       vnetResourceIDs,
+		Tags:                            tags,
+		MatchTags:                       matchTags,
+		IsHnsEnabled:                    isHnsEnabled,
+		EnableNfsV3:                     enableNfsV3,
+		AllowBlobPublicAccess:           allowBlobPublicAccess,
+		RequireInfrastructureEncryption: requireInfraEncryption,
+		VNetResourceGroup:               vnetResourceGroup,
+		VNetName:                        vnetName,
+		SubnetName:                      subnetName,
 	}
 
 	var accountKey string
diff --git a/test/e2e/dynamic_provisioning_test.go b/test/e2e/dynamic_provisioning_test.go
@@ -85,7 +85,8 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 				"skuName":         "Standard_GRS",
 				"secretNamespace": "default",
 				// make sure this is the first test case due to storeAccountKey is set as false
-				"storeAccountKey": "false",
+				"storeAccountKey":        "false",
+				"requireInfraEncryption": "true",
 			},
 		}
 		test.Run(cs, ns)
