
Commit 78001b6

authored
Merge pull request #1482 from umagnus/release-1.23-asa
[release-1.23] feat: add allowSharedKeyAccess parameter
2 parents 920e1c7 + a39bb69 commit 78001b6


4 files changed

+18
-4
lines changed


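--- a/docs/driver-parameters.md
+++ b/docs/driver-parameters.md
@@ -31,6 +31,7 @@ containerNamePrefix | specify Azure storage directory prefix created by driver |
 server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address
 accessTier | [Access tier for storage account](https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview) | Standard account can choose `Hot` or `Cool`, and Premium account can only choose `Premium` | No | empty(use default setting for different storage account types)
 allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false`
+allowSharedKeyAccess | Allow or disallow shared key access for storage account created by driver | `true`,`false` | No | `true`
 requireInfraEncryption | specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for storage account created by driver | `true`,`false` | No | `false`
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc | No | if empty, driver will use default storage endpoint suffix according to cloud environment
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""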

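--- a/pkg/blob/blob.go
+++ b/pkg/blob/blob.go
@@ -93,6 +93,7 @@ const (
 keyVaultSecretVersionField = "keyvaultsecretversion"
 storageAccountNameField = "storageaccountname"
 allowBlobPublicAccessField = "allowblobpublicaccess"
+allowSharedKeyAccessField = "allowsharedkeyaccess"
 requireInfraEncryptionField = "requireinfraencryption"
 ephemeralField = "csi.storage.k8s.io/ephemeral"
 podNamespaceField = "csi.storage.k8s.io/pod.namespace"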

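--- a/pkg/blob/controllerserver.go
+++ b/pkg/blob/controllerserver.go
@@ -97,7 +97,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 parameters = make(map[string]string)
 }
 var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace string
-var isHnsEnabled, requireInfraEncryption, enableBlobVersioning, createPrivateEndpoint, enableNfsV3 *bool
+var isHnsEnabled, requireInfraEncryption, enableBlobVersioning, createPrivateEndpoint, enableNfsV3, allowSharedKeyAccess *bool
 var vnetResourceGroup, vnetName, subnetName, accessTier, networkEndpointType, storageEndpointSuffix string
 var matchTags, useDataPlaneAPI, getLatestAccountKey bool
 var softDeleteBlobs, softDeleteContainers int32
@@ -171,6 +171,12 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 if strings.EqualFold(v, trueValue) {
 allowBlobPublicAccess = pointer.Bool(true)
 }
+case allowSharedKeyAccessField:
+var boolValue bool
+if boolValue, err = strconv.ParseBool(v); err != nil {
+return nil, status.Errorf(codes.InvalidArgument, "invalid %s: %s in volume context", allowSharedKeyAccessField, v)
+}
+allowSharedKeyAccess = pointer.Bool(boolValue)
 case requireInfraEncryptionField:
 if strings.EqualFold(v, trueValue) {
 requireInfraEncryption = pointer.Bool(true)
@@ -302,6 +308,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 storageEndpointSuffix = d.getStorageEndPointSuffix()
 }
 
+if storeAccountKey && !pointer.BoolDeref(allowSharedKeyAccess, true) {
+return nil, status.Errorf(codes.InvalidArgument, "storeAccountKey is not supported for account with shared access key disabled")
+}
+
 accountOptions := &azure.AccountOptions{
 Name: account,
 Type: storageAccountType,
@@ -316,6 +326,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 IsHnsEnabled: isHnsEnabled,
 EnableNfsV3: enableNfsV3,
 AllowBlobPublicAccess: allowBlobPublicAccess,
+AllowSharedKeyAccess: allowSharedKeyAccess,
 RequireInfrastructureEncryption: requireInfraEncryption,
 VNetResourceGroup: vnetResourceGroup,
 VNetName: vnetName,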
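Review bot: The new `allowSharedKeyAccessField` case parses its value with `strconv.ParseBool` and rejects anything else with InvalidArgument, while the neighbouring `allowBlobPublicAccessField` and `requireInfraEncryptionField` cases only test `strings.EqualFold(v, trueValue)` and silently ignore other spellings; `ParseBool` also accepts `1`, `t`, `T`, `TRUE` and their false counterparts, which is wider than the `true`,`false` the docs table advertises, so either align the parsing with the siblings or state the accepted spellings in the docs row. The guard added in the third hunk only consults the request parameter (`pointer.BoolDeref(allowSharedKeyAccess, true)`), so when the parameter is omitted for an account that presumably already has shared key access disabled the `storeAccountKey` conflict is not caught here and would surface later; a comment such as `// only detects the conflict when allowSharedKeyAccess is set explicitly; existing-account state is not queried here` would make that limit visible to the next maintainer. In the second hunk, `var boolValue bool` followed by `if boolValue, err = ...` can be collapsed to `boolValue, err := strconv.ParseBool(v)` since `err` is only needed inside the case. CreateVolume starts and ends outside these hunks.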

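--- a/test/e2e/dynamic_provisioning_test.go
+++ b/test/e2e/dynamic_provisioning_test.go
@@ -580,9 +580,10 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 CSIDriver: testDriver,
 Pods: pods,
 StorageClassParameters: map[string]string{
-"skuName": "Premium_LRS",
-"protocol": "nfs",
-"mountPermissions": "0",
+"skuName": "Premium_LRS",
+"protocol": "nfs",
+"mountPermissions": "0",
+"allowSharedKeyAccess": "false",
 },
 }
 test.Run(ctx, cs, ns)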
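Review bot: Coverage for the new parameter is limited to the `"allowSharedKeyAccess": "false"` value on one NFS storage class in this e2e case, and the diffstat shows no unit-test file among the four changed files, so neither of the two new InvalidArgument paths in CreateVolume (an unparsable value, and `storeAccountKey` combined with shared key access disabled) is exercised anywhere in the commit. Two table-driven unit cases in the controller server tests, one passing `allowSharedKeyAccess: "notabool"` and one passing `storeAccountKey: "true"` with `allowSharedKeyAccess: "false"`, would pin both error messages without needing a live account. The enclosing Describe block starts and ends outside this hunk.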
