docs: add the example of using key vault

Signed-off-by: ZeroMagic <[email protected]>

Author: ZeroMagic

deploy/example/keyvault/README.md

@@ -0,0 +1,51 @@
+# Use Blobfuse CSI Driver with Azure Key Vault
+
+> Attention: Currently, we just support use Key Vault in static provisioning scenario.
+
+## Prepare Key Vault
+
+1. Create a Key Vault in the [portal](https://ms.portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/Microsoft.KeyVault%2Fvaults).
+
+2. Store `storage account key` or `SAS token` in Key Vault's Secret.
+
+3. Ensure the service principal has all the required permissions to access content in your Azure key vault instance. If not, you can run the following using the Azure CLI:
+
+   ```console
+   # Assign Reader Role to the service principal for your keyvault
+   az role assignment create --role Reader --assignee <aadClientId> --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/<keyvaultname>
+   
+   az keyvault set-policy -n $KV_NAME --key-permissions get --spn <YOUR SPN CLIENT ID>
+   az keyvault set-policy -n $KV_NAME --secret-permissions get --spn <YOUR SPN CLIENT ID>
+   az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn <YOUR CLIENT ID>
+   ```
+
+## Install Blobfuse CSI Driver
+
+### Option #1
+
+Use the [script](https://github.com/csi-driver/blobfuse-csi-driver/blob/master/deploy/install-driver.sh) to install.
+
+### Option #2
+
+Use [helm](https://github.com/csi-driver/blobfuse-csi-driver/blob/master/charts/README.md) to install.
+
+## Create PVC 
+
+Use default pvc file to create.
+
+```console
+kubectl apply -f pvc-blobfuse-csi-static-keyvault.yaml
+```
+
+## Create PV
+
+1. Replace your Key Vault infomation in the yaml.
+
+   `keyVaultURL`  and `keyVaultSecretName` are the required parameters.
+
+   `keyVaultSecretVersion` is the optional parameter. If not specified, it will be *current versoin*.
+2. Create pv 
+
+    ```console
+    kubectl apply -f pv-blobfuse-csi-static-keyvault.yaml
+    ```

deploy/example/keyvault/pv-blobfuse-csi-keyvault.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-blobfuse-keyvault
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain #If set as "Delete" container would be removed after pvc deletion
+  csi:
+    driver: blobfuse.csi.azure.com
+    readOnly: false
+    volumeHandle: arbitrary-volumeid
+    volumeAttributes:
+      containerName: EXISTING_CONTAINER_NAME
+      storageAccountName: EXISTING_STORAGE_ACCOUNT_NAME
+      keyVaultURL: xxx
+      keyVaultSecretName: xxx
+      keyVaultSecretVersion: xxx  # use "current versoin" if empty
+    nodePublishSecretRef:
+      name: azure-secret
+      namespace: default

deploy/example/keyvault/pvc-blobfuse-csi-static-keyvault.yaml

@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: pvc-blobfuse-keyvault
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  volumeName: pv-blobfuse-keyvault
+  storageClassName: ""

docs/driver-parameters.md

@@ -16,9 +16,16 @@ containerName | specify the existing container name where blob storage will be c
 
  - Static Provisioning(use existing storage container)
   > get a quick example [here](../deploy/example/pv-blobfuse-csi.yaml)
+  >
+  > get a key vault example [here](../deploy/example/keyvault/pv-blobfuse-csi-keyvault.yaml)
 
 Name | Meaning | Available Value | Mandatory | Default value
 --- | --- | --- | --- | ---
 volumeAttributes.containerName | existing container name | existing container name | Yes |
+volumeAttributes.storageAccountName | existing storage account name | existing storage account name | Yes |
+volumeAttributes.keyVaultURL | url of the key vault | the key vault which has been created | Yes |
+volumeAttributes.keyVaultSecretName | name of the secret in key vault | the secret which has been created | Yes |
+volumeAttributes.keyVaultSecretVersion | existing container name | existing container name | No |if empty, driver will use "current versoin"
 nodePublishSecretRef.name | secret name that stores storage account name and key | existing secret name |  Yes  | 
 nodePublishSecretRef.namespace | namespace where the secret is | k8s namespace  |  No  | `default`
+