feat: add vnet setting in storage class parmaters

fix trivy

Author: andyzhangx

.github/workflows/trivy.yaml

@@ -9,6 +9,12 @@ jobs:
     name: Build
     runs-on: ubuntu-18.04
     steps:
+      - name: Set up Go 1.x
+        uses: actions/setup-go@v2
+        with:
+          go-version: ^1.16
+        id: go
+
       - name: Checkout code
         uses: actions/checkout@v2
 

docs/driver-parameters.md

@@ -62,6 +62,10 @@ volumeAttributes.secretName | secret name that stores storage account name and k
 volumeAttributes.secretNamespace | secret namespace | `default`,`kube-system`, etc | No | `default`
 nodeStageSecretRef.name | secret name that stores(check below examples):<br>`azurestorageaccountkey`<br>`azurestorageaccountsastoken`<br>`msisecret`<br>`azurestoragespnclientsecret` | existing Kubernetes secret name |  No  |
 nodeStageSecretRef.namespace | secret namespace | k8s namespace  |  Yes  |
+--- | **Following parameters are only for NFS vnet setting** | --- | --- |
+vnetResourceGroup | specify vnet resource group where virtual network is | existing resource group name | No | if empty, driver will use the `vnetResourceGroup` value in azure cloud config file
+vnetName | virtual network name | existing virtual network name | No | if empty, driver will use the `vnetName` value in azure cloud config file
+subnetName | subnet name | existing subnet name of the agent node | No | if empty, driver will use the `subnetName` value in azure cloud config file
 --- | **Following parameters are only for feature: blobfuse [Managed Identity and Service Principal Name auth](https://github.com/Azure/azure-storage-fuse#environment-variables)** | --- | --- |
 volumeAttributes.AzureStorageAuthType | Authentication Type | `Key`, `SAS`, `MSI`, `SPN` | No | `Key`
 volumeAttributes.AzureStorageIdentityClientID | Identity Client ID |  | No |

pkg/blob/azure.go

@@ -182,29 +182,36 @@ func (d *Driver) getKeyvaultToken() (authorizer autorest.Authorizer, err error)
 	return authorizer, nil
 }
 
-func (d *Driver) updateSubnetServiceEndpoints(ctx context.Context) error {
+func (d *Driver) updateSubnetServiceEndpoints(ctx context.Context, vnetResourceGroup, vnetName, subnetName string) error {
 	if d.cloud.SubnetsClient == nil {
 		return fmt.Errorf("SubnetsClient is nil")
 	}
 
-	resourceGroup := d.cloud.ResourceGroup
-	if len(d.cloud.VnetResourceGroup) > 0 {
-		resourceGroup = d.cloud.VnetResourceGroup
+	if vnetResourceGroup == "" {
+		vnetResourceGroup = d.cloud.ResourceGroup
+		if len(d.cloud.VnetResourceGroup) > 0 {
+			vnetResourceGroup = d.cloud.VnetResourceGroup
+		}
 	}
+
 	location := d.cloud.Location
-	vnetName := d.cloud.VnetName
-	subnetName := d.cloud.SubnetName
+	if vnetName == "" {
+		vnetName = d.cloud.VnetName
+	}
+	if subnetName == "" {
+		subnetName = d.cloud.SubnetName
+	}
 
 	klog.V(2).Infof("updateSubnetServiceEndpoints on vnetName: %s, subnetName: %s, location: %s", vnetName, subnetName, location)
 	if subnetName == "" || vnetName == "" || location == "" {
 		return fmt.Errorf("value of subnetName, vnetName or location is empty")
 	}
 
-	lockKey := resourceGroup + vnetName + subnetName
+	lockKey := vnetResourceGroup + vnetName + subnetName
 	d.subnetLockMap.LockEntry(lockKey)
 	defer d.subnetLockMap.UnlockEntry(lockKey)
 
-	subnet, err := d.cloud.SubnetsClient.Get(ctx, resourceGroup, vnetName, subnetName, "")
+	subnet, err := d.cloud.SubnetsClient.Get(ctx, vnetResourceGroup, vnetName, subnetName, "")
 	if err != nil {
 		return fmt.Errorf("failed to get the subnet %s under vnet %s: %v", subnetName, vnetName, err)
 	}
@@ -233,7 +240,7 @@ func (d *Driver) updateSubnetServiceEndpoints(ctx context.Context) error {
 		serviceEndpoints = append(serviceEndpoints, storageServiceEndpoint)
 		subnet.SubnetPropertiesFormat.ServiceEndpoints = &serviceEndpoints
 
-		if err := d.cloud.SubnetsClient.CreateOrUpdate(ctx, resourceGroup, vnetName, subnetName, subnet); err != nil {
+		if err := d.cloud.SubnetsClient.CreateOrUpdate(ctx, vnetResourceGroup, vnetName, subnetName, subnet); err != nil {
 			return fmt.Errorf("failed to update the subnet %s under vnet %s: %v", subnetName, vnetName, err)
 		}
 		klog.V(2).Infof("serviceEndpoint(%s) is appended in subnet(%s)", storageService, subnetName)

pkg/blob/azure_test.go

@@ -285,7 +285,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 				retErr := retry.NewError(false, fmt.Errorf("the subnet does not exist"))
 				mockSubnetClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(network.Subnet{}, retErr).Times(1)
 				expectedErr := fmt.Errorf("failed to get the subnet %s under vnet %s: %v", config.SubnetName, config.VnetName, retErr)
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, expectedErr) {
 					t.Errorf("Unexpected error: %v", err)
 				}
@@ -297,7 +297,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 				mockSubnetClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(network.Subnet{}, nil).Times(1)
 				mockSubnetClient.EXPECT().CreateOrUpdate(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).Times(1)
 
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, nil) {
 					t.Errorf("Unexpected error: %v", err)
 				}
@@ -313,7 +313,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 				mockSubnetClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(fakeSubnet, nil).Times(1)
 				mockSubnetClient.EXPECT().CreateOrUpdate(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).Times(1)
 
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, nil) {
 					t.Errorf("Unexpected error: %v", err)
 				}
@@ -331,7 +331,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 				mockSubnetClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(fakeSubnet, nil).Times(1)
 				mockSubnetClient.EXPECT().CreateOrUpdate(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(nil).Times(1)
 
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, nil) {
 					t.Errorf("Unexpected error: %v", err)
 				}
@@ -352,7 +352,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 
 				mockSubnetClient.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(fakeSubnet, nil).Times(1)
 
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, nil) {
 					t.Errorf("Unexpected error: %v", err)
 				}
@@ -363,7 +363,7 @@ func TestUpdateSubnetServiceEndpoints(t *testing.T) {
 			testFunc: func(t *testing.T) {
 				d.cloud.SubnetsClient = nil
 				expectedErr := fmt.Errorf("SubnetsClient is nil")
-				err := d.updateSubnetServiceEndpoints(ctx)
+				err := d.updateSubnetServiceEndpoints(ctx, "", "", "")
 				if !reflect.DeepEqual(err, expectedErr) {
 					t.Errorf("Unexpected error: %v", err)
 				}

pkg/blob/blob.go

@@ -80,6 +80,9 @@ const (
 	defaultSecretAccountKey      = "azurestorageaccountkey"
 	fuse                         = "fuse"
 	nfs                          = "nfs"
+	vnetResourceGroupField       = "vnetresourcegroup"
+	vnetNameField                = "vnetname"
+	subnetNameField              = "subnetname"
 
 	// See https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names
 	containerNameMinLength = 3

pkg/blob/controllerserver.go

@@ -68,6 +68,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretName, secretNamespace string
 	var isHnsEnabled *bool
+	var vnetResourceGroup, vnetName, subnetName string
 	// set allowBlobPublicAccess as false by default
 	allowBlobPublicAccess := to.BoolPtr(false)
 
@@ -123,6 +124,12 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			// no op, only used in NodeStageVolume
 		case storageEndpointSuffixField:
 			// no op, only used in NodeStageVolume
+		case vnetResourceGroupField:
+			vnetResourceGroup = v
+		case vnetNameField:
+			vnetName = v
+		case subnetNameField:
+			subnetName = v
 		default:
 			return nil, fmt.Errorf("invalid parameter %s in storage class", k)
 		}
@@ -153,7 +160,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		vnetResourceID := d.getSubnetResourceID()
 		klog.V(2).Infof("set vnetResourceID(%s) for NFS protocol", vnetResourceID)
 		vnetResourceIDs = []string{vnetResourceID}
-		if err := d.updateSubnetServiceEndpoints(ctx); err != nil {
+		if err := d.updateSubnetServiceEndpoints(ctx, vnetResourceGroup, vnetName, subnetName); err != nil {
 			return nil, status.Errorf(codes.Internal, "update service endpoints failed with error: %v", err)
 		}
 		// NFS protocol does not need account key
@@ -187,6 +194,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		IsHnsEnabled:              isHnsEnabled,
 		EnableNfsV3:               enableNfsV3,
 		AllowBlobPublicAccess:     allowBlobPublicAccess,
+		VNetResourceGroup:         vnetResourceGroup,
+		VNetName:                  vnetName,
+		SubnetName:                subnetName,
 	}
 
 	var accountKey string