fix: only read secret for inline volume

Author: andyzhangx

pkg/blob/blob.go

@@ -41,35 +41,37 @@ import (
 
 const (
 	// DriverName holds the name of the csi-driver
-	DriverName                 = "blob.csi.azure.com"
-	blobCSIDriverName          = "blob_csi_driver"
-	separator                  = "#"
-	volumeIDTemplate           = "%s#%s#%s"
-	secretNameTemplate         = "azure-storage-account-%s-secret"
-	serverNameField            = "server"
-	storageEndpointSuffixField = "storageendpointsuffix"
-	tagsField                  = "tags"
-	protocolField              = "protocol"
-	accountNameField           = "accountname"
-	accountKeyField            = "accountkey"
-	storageAccountField        = "storageaccount"
-	storageAccountTypeField    = "storageaccounttype"
-	skuNameField               = "skuname"
-	resourceGroupField         = "resourcegroup"
-	locationField              = "location"
-	secretNameField            = "secretname"
-	secretNamespaceField       = "secretnamespace"
-	containerNameField         = "containername"
-	storeAccountKeyField       = "storeaccountkey"
-	keyVaultURLField           = "keyvaulturl"
-	keyVaultSecretNameField    = "keyvaultsecretname"
-	keyVaultSecretVersionField = "keyvaultsecretversion"
-	storageAccountNameField    = "storageaccountname"
-	storeAccountKeyFalse       = "false"
-	defaultSecretAccountName   = "azurestorageaccountname"
-	defaultSecretAccountKey    = "azurestorageaccountkey"
-	fuse                       = "fuse"
-	nfs                        = "nfs"
+	DriverName                   = "blob.csi.azure.com"
+	blobCSIDriverName            = "blob_csi_driver"
+	separator                    = "#"
+	volumeIDTemplate             = "%s#%s#%s"
+	secretNameTemplate           = "azure-storage-account-%s-secret"
+	serverNameField              = "server"
+	storageEndpointSuffixField   = "storageendpointsuffix"
+	tagsField                    = "tags"
+	protocolField                = "protocol"
+	accountNameField             = "accountname"
+	accountKeyField              = "accountkey"
+	storageAccountField          = "storageaccount"
+	storageAccountTypeField      = "storageaccounttype"
+	skuNameField                 = "skuname"
+	resourceGroupField           = "resourcegroup"
+	locationField                = "location"
+	secretNameField              = "secretname"
+	secretNamespaceField         = "secretnamespace"
+	containerNameField           = "containername"
+	storeAccountKeyField         = "storeaccountkey"
+	getAccountKeyFromSecretField = "getaccountkeyfromsecret"
+	keyVaultURLField             = "keyvaulturl"
+	keyVaultSecretNameField      = "keyvaultsecretname"
+	keyVaultSecretVersionField   = "keyvaultsecretversion"
+	storageAccountNameField      = "storageaccountname"
+	falseValue                   = "false"
+	trueValue                    = "true"
+	defaultSecretAccountName     = "azurestorageaccountname"
+	defaultSecretAccountKey      = "azurestorageaccountkey"
+	fuse                         = "fuse"
+	nfs                          = "nfs"
 
 	// See https://docs.microsoft.com/en-us/rest/api/storageservices/naming-and-referencing-containers--blobs--and-metadata#container-names
 	containerNameMinLength = 3
@@ -238,14 +240,15 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 	}
 
 	var (
-		accountKey            string
-		accountSasToken       string
-		secretName            string
-		secretNamespace       string
-		keyVaultURL           string
-		keyVaultSecretName    string
-		keyVaultSecretVersion string
-		authEnv               []string
+		accountKey              string
+		accountSasToken         string
+		secretName              string
+		secretNamespace         string
+		keyVaultURL             string
+		keyVaultSecretName      string
+		keyVaultSecretVersion   string
+		authEnv                 []string
+		getAccountKeyFromSecret bool
 	)
 
 	for k, v := range attrib {
@@ -266,6 +269,10 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			secretName = v
 		case secretNamespaceField:
 			secretNamespace = v
+		case getAccountKeyFromSecretField:
+			if v == trueValue {
+				getAccountKeyFromSecret = true
+			}
 		case "azurestorageauthtype":
 			authEnv = append(authEnv, "AZURE_STORAGE_AUTH_TYPE="+v)
 		case "azurestorageidentityclientid":
@@ -314,7 +321,10 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			// read from k8s secret first
 			var name string
 			name, accountKey, err = d.GetStorageAccountFromSecret(secretName, secretNamespace)
-			if err != nil {
+			if name != "" {
+				accountName = name
+			}
+			if err != nil && !getAccountKeyFromSecret {
 				klog.V(2).Infof("could not get account(%s) key from secret, error: %v, use cluster identity to get account key instead", accountName, err)
 				if rgName == "" {
 					rgName = d.cloud.ResourceGroup

pkg/blob/controllerserver.go

@@ -65,7 +65,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	if parameters == nil {
 		parameters = make(map[string]string)
 	}
-	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, storeAccountKey, secretNamespace string
+	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretNamespace string
+
+	// store account key to k8s secret by default
+	storeAccountKey := true
 
 	// Apply ProvisionerParameters (case-insensitive). We leave validation of
 	// the values to the cloud provider.
@@ -90,7 +93,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case secretNamespaceField:
 			secretNamespace = v
 		case storeAccountKeyField:
-			storeAccountKey = v
+			if v == falseValue {
+				storeAccountKey = false
+			}
 		case pvcNamespaceKey:
 			if secretNamespace == "" {
 				// respect `secretNamespace` field as first priority
@@ -136,7 +141,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			return nil, status.Errorf(codes.Internal, "update service endpoints failed with error: %v", err)
 		}
 		// NFS protocol does not need account key
-		storeAccountKey = storeAccountKeyFalse
+		storeAccountKey = false
 	}
 
 	if strings.HasPrefix(strings.ToLower(storageAccountType), "premium") {
@@ -218,7 +223,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		return nil, fmt.Errorf("failed to create container(%s) on account(%s) type(%s) rg(%s) location(%s) size(%d), error: %v", validContainerName, accountName, storageAccountType, resourceGroup, location, requestGiB, err)
 	}
 
-	if storeAccountKey != storeAccountKeyFalse && len(req.GetSecrets()) == 0 {
+	if storeAccountKey && len(req.GetSecrets()) == 0 {
 		secretName, err := setAzureCredentials(d.cloud.KubeClient, accountName, accountKey, secretNamespace)
 		if err != nil {
 			return nil, status.Errorf(codes.Internal, "failed to store storage account key: %v", err)

pkg/blob/nodeserver.go

@@ -69,8 +69,11 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	}
 
 	context := req.GetVolumeContext()
-	if context != nil && context["csi.storage.k8s.io/ephemeral"] == "true" {
+	if context != nil && context["csi.storage.k8s.io/ephemeral"] == trueValue {
 		context[secretNamespaceField] = context["csi.storage.k8s.io/pod.namespace"]
+		// only get storage account from secret
+		context[getAccountKeyFromSecretField] = trueValue
+		context[storageAccountField] = ""
 		klog.V(2).Infof("NodePublishVolume: ephemeral volume(%s) mount on %s, VolumeContext: %v", volumeID, target, context)
 		_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
 			StagingTargetPath: target,