Merge pull request #234 from andyzhangx/bring-key

andyzhangx · web-flow · commit 4df5f9393279 · 2020-09-07T10:32:44.000+08:00
feat: bring your own account key for dynamic provisioning
diff --git a/deploy/example/storageclass-blob-secret.yaml b/deploy/example/storageclass-blob-secret.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: blob
+provisioner: blob.csi.azure.com
+parameters:
+  csi.storage.k8s.io/provisioner-secret-name: azure-secret
+  csi.storage.k8s.io/provisioner-secret-namespace: default
+  csi.storage.k8s.io/node-stage-secret-name: azure-secret
+  csi.storage.k8s.io/node-stage-secret-namespace: default
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -433,3 +433,34 @@ func isSupportedProtocol(protocol string) bool {
 	}
 	return false
 }
+
+// get storage account from secrets map
+func getStorageAccount(secrets map[string]string) (string, string, error) {
+	if secrets == nil {
+		return "", "", fmt.Errorf("unexpected: getStorageAccount secrets is nil")
+	}
+
+	var accountName, accountKey string
+	for k, v := range secrets {
+		switch strings.ToLower(k) {
+		case "accountname":
+			accountName = v
+		case "azurestorageaccountname": // for compatibility with built-in azurefile plugin
+			accountName = v
+		case "accountkey":
+			accountKey = v
+		case "azurestorageaccountkey": // for compatibility with built-in azurefile plugin
+			accountKey = v
+		}
+	}
+
+	if accountName == "" {
+		return "", "", fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", secrets)
+	}
+	if accountKey == "" {
+		return "", "", fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", secrets)
+	}
+
+	klog.V(4).Infof("got storage account(%s) from secret", accountName)
+	return accountName, accountKey, nil
+}
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -21,11 +21,12 @@ import (
 	"errors"
 	"fmt"
 	"io/ioutil"
-	"k8s.io/legacy-cloud-providers/azure/retry"
 	"os"
 	"reflect"
 	"testing"
 
+	"k8s.io/legacy-cloud-providers/azure/retry"
+
 	"github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2019-06-01/storage"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/assert"
@@ -600,3 +601,102 @@ func TestGetStorageAccountAndContainer(t *testing.T) {
 		t.Run(tc.name, tc.testFunc)
 	}
 }
+
+func TestGetStorageAccount(t *testing.T) {
+	emptyAccountKeyMap := map[string]string{
+		"accountname": "testaccount",
+		"accountkey":  "",
+	}
+
+	emptyAccountNameMap := map[string]string{
+		"azurestorageaccountname": "",
+		"azurestorageaccountkey":  "testkey",
+	}
+
+	emptyAzureAccountKeyMap := map[string]string{
+		"azurestorageaccountname": "testaccount",
+		"azurestorageaccountkey":  "",
+	}
+
+	emptyAzureAccountNameMap := map[string]string{
+		"azurestorageaccountname": "",
+		"azurestorageaccountkey":  "testkey",
+	}
+
+	tests := []struct {
+		options   map[string]string
+		expected1 string
+		expected2 string
+		expected3 error
+	}{
+		{
+			options: map[string]string{
+				"accountname": "testaccount",
+				"accountkey":  "testkey",
+			},
+			expected1: "testaccount",
+			expected2: "testkey",
+			expected3: nil,
+		},
+		{
+			options: map[string]string{
+				"azurestorageaccountname": "testaccount",
+				"azurestorageaccountkey":  "testkey",
+			},
+			expected1: "testaccount",
+			expected2: "testkey",
+			expected3: nil,
+		},
+		{
+			options: map[string]string{
+				"accountname": "",
+				"accountkey":  "",
+			},
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(map[accountname: accountkey:])"),
+		},
+		{
+			options:   emptyAccountKeyMap,
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", emptyAccountKeyMap),
+		},
+		{
+			options:   emptyAccountNameMap,
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAccountNameMap),
+		},
+		{
+			options:   emptyAzureAccountKeyMap,
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("could not find accountkey or azurestorageaccountkey field in secrets(%v)", emptyAzureAccountKeyMap),
+		},
+		{
+			options:   emptyAzureAccountNameMap,
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("could not find accountname or azurestorageaccountname field secrets(%v)", emptyAzureAccountNameMap),
+		},
+		{
+			options:   nil,
+			expected1: "",
+			expected2: "",
+			expected3: fmt.Errorf("unexpected: getStorageAccount secrets is nil"),
+		},
+	}
+
+	for _, test := range tests {
+		result1, result2, result3 := getStorageAccount(test.options)
+		if !reflect.DeepEqual(result1, test.expected1) || !reflect.DeepEqual(result2, test.expected2) {
+			t.Errorf("input: %q, getStorageAccount result1: %q, expected1: %q, result2: %q, expected2: %q, result3: %q, expected3: %q", test.options, result1, test.expected1, result2, test.expected2,
+				result3, test.expected3)
+		} else {
+			if result1 == "" || result2 == "" {
+				assert.Error(t, result3)
+			}
+		}
+	}
+}
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -118,18 +118,24 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 
 	var accountName, accountKey string
-	err = wait.ExponentialBackoff(d.cloud.RequestBackoff(), func() (bool, error) {
-		var retErr error
-		accountName, accountKey, retErr = d.cloud.EnsureStorageAccount(accountOptions, protocol)
-		if isRetriableError(retErr) {
-			klog.Warningf("EnsureStorageAccount(%s) failed with error(%v), waiting for retrying", account, retErr)
-			return false, nil
+	if len(req.GetSecrets()) == 0 { // check whether account is provided by secret
+		err = wait.ExponentialBackoff(d.cloud.RequestBackoff(), func() (bool, error) {
+			var retErr error
+			accountName, accountKey, retErr = d.cloud.EnsureStorageAccount(accountOptions, protocol)
+			if isRetriableError(retErr) {
+				klog.Warningf("EnsureStorageAccount(%s) failed with error(%v), waiting for retrying", account, retErr)
+				return false, nil
+			}
+			return true, retErr
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to ensure storage account: %v", err)
+		}
+	} else {
+		accountName, accountKey, err = getStorageAccount(req.GetSecrets())
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get storage account from secrets: %v", err)
 		}
-		return true, retErr
-	})
-
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "failed to ensure storage account: %v", err)
 	}
 
 	if containerName == "" {
@@ -189,9 +195,17 @@ func (d *Driver) DeleteVolume(ctx context.Context, req *csi.DeleteVolumeRequest)
 		resourceGroupName = d.cloud.ResourceGroup
 	}
 
-	accountKey, err := d.cloud.GetStorageAccesskey(accountName, resourceGroupName)
-	if err != nil {
-		return nil, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %v", accountName, resourceGroupName, err)
+	var accountKey string
+	if len(req.GetSecrets()) == 0 { // check whether account is provided by secret
+		accountKey, err = d.cloud.GetStorageAccesskey(accountName, resourceGroupName)
+		if err != nil {
+			return nil, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %v", accountName, resourceGroupName, err)
+		}
+	} else {
+		accountName, accountKey, err = getStorageAccount(req.GetSecrets())
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get storage account from secrets: %v", err)
+		}
 	}
 
 	klog.V(2).Infof("deleting container(%s) rg(%s) account(%s) volumeID(%s)", containerName, resourceGroupName, accountName, volumeID)
@@ -238,9 +252,17 @@ func (d *Driver) ValidateVolumeCapabilities(ctx context.Context, req *csi.Valida
 		resourceGroupName = d.cloud.ResourceGroup
 	}
 
-	accountKey, err := d.cloud.GetStorageAccesskey(accountName, resourceGroupName)
-	if err != nil {
-		return nil, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %v", accountName, resourceGroupName, err)
+	var accountKey string
+	if len(req.GetSecrets()) == 0 { // check whether account is provided by secret
+		accountKey, err = d.cloud.GetStorageAccesskey(accountName, resourceGroupName)
+		if err != nil {
+			return nil, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %v", accountName, resourceGroupName, err)
+		}
+	} else {
+		accountName, accountKey, err = getStorageAccount(req.GetSecrets())
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get storage account from secrets: %v", err)
+		}
 	}
 
 	client, err := azstorage.NewBasicClientOnSovereignCloud(accountName, accountKey, d.cloud.Environment)
