add dynamic provisioning

Author: umagnus

deploy/example/mountstorage/README.md

@@ -23,7 +23,7 @@ You can also use a different managed-identity for different persistent volumes (
     az storage container create -n mycontainer --account-name "$storageaccountname" --public-access off
     ```
 
-## option#1: grant kubelet identity access to storage account
+## Option#1: grant kubelet identity access to storage account
 
 1. Give kubelet identity access to storage account
     ```bash
@@ -38,7 +38,7 @@ You can also use a different managed-identity for different persistent volumes (
     az identity list -g "$resourcegroup" --query "[?name == 'aks-fuseblob-mi-agentpool'].clientId" -o tsv
     ```
 
-## option#2: grant a dedicated user-assigned managed identity access to storage account
+## Option#2: grant a dedicated user-assigned managed identity access to storage account
 You can use a dedicated user-assigned managed identity to mount the storage.
 
 1. Create user-assigned managed identity and give access to storage account
@@ -154,12 +154,56 @@ You can use a dedicated user-assigned managed identity to mount the storage.
     kubectl get pv
     kubectl get pvc
 
-    # create deployment and service
+    # create deployment
     kubectl apply -f deployment.yaml
     # check pod
     kubectl get pods
     ```
 
+# dynamic provisioning in an existing resource group
+
+1. Grant cluster system assigned identity `Contributor` to resource group, if mount in an existing storage account, then should also grant identity to storage account
+
+1. Grant kubelet identity `Storage Blob Data Owner` to resource group to mount blob storage, if mount in an existing storage account, then should also grant identity to storage account
+
+1. Create a storage class and give an existing resource group, CSI will create a new storage account when `storageAccount` is not provided.
+    ```yml
+    apiVersion: storage.k8s.io/v1
+    kind: StorageClass
+    metadata:
+      name: blob-fuse
+    provisioner: blob.csi.azure.com
+    parameters:
+      skuName: Premium_LRS 
+      protocol: fuse
+      resourceGroup: EXISTING_RESOURCE_GROUP_NAME
+      storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, if use existing storage account
+      containerName: EXISTING_CONTAINER_NAME # optional, if use existing container
+      AzureStorageAuthType: MSI
+      AzureStorageIdentityClientID: "92926dfd-e61b-4730-85ab-5be73b374e82"
+    reclaimPolicy: Delete
+    volumeBindingMode: Immediate
+    allowVolumeExpansion: true
+    mountOptions:
+      - -o allow_other
+      - --file-cache-timeout-in-seconds=120
+      - --use-attr-cache=true
+      - --cancel-list-on-mount-seconds=10  # prevent billing charges on mounting
+      - -o attr_timeout=120
+      - -o entry_timeout=120
+      - -o negative_timeout=120
+      - --log-level=LOG_WARNING  # LOG_WARNING, LOG_INFO, LOG_DEBUG
+      - --cache-size-mb=1000  # Default will be 80% of available memory, eviction will happen beyond that.
+    ```
+
+1. Using dynamic provisioning
+    ```console
+    # create pvc and deployment
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/deployment.yaml
+    # check pod
+    kubectl get pods
+    ```
+
 # how to add another pv with a dedicated user-assigned identity?
 
 1. Create another user-assigned managed identity and give access to storage account

deploy/example/mountstorage/storageclass-blobfuse-resourcegroup.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: blob-fuse
+provisioner: blob.csi.azure.com
+parameters:
+  skuName: Premium_LRS 
+  protocol: fuse
+  resourceGroup: EXISTING_RESOURCE_GROUP_NAME
+  storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, if use existing storage account
+  containerName: EXISTING_CONTAINER_NAME # optional, if use existing container
+  AzureStorageAuthType: MSI
+  AzureStorageIdentityClientID: "92926dfd-e61b-4730-85ab-5be73b374e82"
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+mountOptions:
+  - -o allow_other
+  - --file-cache-timeout-in-seconds=120
+  - --use-attr-cache=true
+  - --cancel-list-on-mount-seconds=10  # prevent billing charges on mounting
+  - -o attr_timeout=120
+  - -o entry_timeout=120
+  - -o negative_timeout=120
+  - --log-level=LOG_WARNING  # LOG_WARNING, LOG_INFO, LOG_DEBUG
+  - --cache-size-mb=1000  # Default will be 80% of available memory, eviction will happen beyond that.