Merge pull request #1991 from andyzhangx/vnetlink-access-1.26

[release-1.26] feat: add VNetLinkName and PublicNetworkAccess in account creation

Author: andyzhangx

pkg/blob/blob.go

@@ -94,6 +94,7 @@ const (
 	storageAccountNameField        = "storageaccountname"
 	allowBlobPublicAccessField     = "allowblobpublicaccess"
 	allowSharedKeyAccessField      = "allowsharedkeyaccess"
+	publicNetworkAccessField       = "publicnetworkaccess"
 	requireInfraEncryptionField    = "requireinfraencryption"
 	ephemeralField                 = "csi.storage.k8s.io/ephemeral"
 	podNamespaceField              = "csi.storage.k8s.io/pod.namespace"
@@ -115,6 +116,7 @@ const (
 	NFSv3                          = "nfsv3"
 	vnetResourceGroupField         = "vnetresourcegroup"
 	vnetNameField                  = "vnetname"
+	vnetLinkNameField              = "vnetlinkname"
 	subnetNameField                = "subnetname"
 	accessTierField                = "accesstier"
 	networkEndpointTypeField       = "networkendpointtype"
@@ -813,6 +815,18 @@ func isSupportedAccessTier(accessTier string) bool {
 	return false
 }
 
+func isSupportedPublicNetworkAccess(publicNetworkAccess string) bool {
+	if publicNetworkAccess == "" {
+		return true
+	}
+	for _, tier := range armstorage.PossiblePublicNetworkAccessValues() {
+		if publicNetworkAccess == string(tier) {
+			return true
+		}
+	}
+	return false
+}
+
 // container names can contain only lowercase letters, numbers, and hyphens,
 // and must begin and end with a letter or a number
 func isSupportedContainerNamePrefix(prefix string) bool {

pkg/blob/blob_test.go

@@ -1966,3 +1966,34 @@ func TestParseServiceAccountToken(t *testing.T) {
 		t.Errorf("ParseServiceAccountToken(%s) = %s, want %s", saTokens, token, expectedToken)
 	}
 }
+
+func TestIsSupportedPublicNetworkAccess(t *testing.T) {
+	tests := []struct {
+		publicNetworkAccess string
+		expectedResult      bool
+	}{
+		{
+			publicNetworkAccess: "",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "Enabled",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "Disabled",
+			expectedResult:      true,
+		},
+		{
+			publicNetworkAccess: "InvalidValue",
+			expectedResult:      false,
+		},
+	}
+
+	for _, test := range tests {
+		result := isSupportedPublicNetworkAccess(test.publicNetworkAccess)
+		if result != test.expectedResult {
+			t.Errorf("isSupportedPublicNetworkAccess(%s) returned %v, expected %v", test.publicNetworkAccess, result, test.expectedResult)
+		}
+	}
+}

pkg/blob/controllerserver.go

@@ -91,7 +91,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 	var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace, tagValueDelimiter string
 	var isHnsEnabled, requireInfraEncryption, enableBlobVersioning, createPrivateEndpoint, enableNfsV3, allowSharedKeyAccess *bool
-	var vnetResourceGroup, vnetName, subnetName, accessTier, networkEndpointType, storageEndpointSuffix, fsGroupChangePolicy, srcAccountName string
+	var vnetResourceGroup, vnetName, vnetLinkName, publicNetworkAccess, subnetName, accessTier, networkEndpointType, storageEndpointSuffix, fsGroupChangePolicy, srcAccountName string
 	var matchTags, useDataPlaneAPI, getLatestAccountKey bool
 	var softDeleteBlobs, softDeleteContainers int32
 	var vnetResourceIDs []string
@@ -164,6 +164,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			if strings.EqualFold(v, trueValue) {
 				allowBlobPublicAccess = ptr.To(true)
 			}
+		case publicNetworkAccessField:
+			publicNetworkAccess = v
 		case allowSharedKeyAccessField:
 			var boolValue bool
 			if boolValue, err = strconv.ParseBool(v); err != nil {
@@ -197,6 +199,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			vnetResourceGroup = v
 		case vnetNameField:
 			vnetName = v
+		case vnetLinkNameField:
+			vnetLinkName = v
 		case subnetNameField:
 			subnetName = v
 		case accessTierField:
@@ -256,6 +260,9 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	if !isSupportedAccessTier(accessTier) {
 		return nil, status.Errorf(codes.InvalidArgument, "accessTier(%s) is not supported, supported AccessTier list: %v", accessTier, armstorage.PossibleAccessTierValues())
 	}
+	if !isSupportedPublicNetworkAccess(publicNetworkAccess) {
+		return nil, status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", publicNetworkAccess, armstorage.PossiblePublicNetworkAccessValues())
+	}
 
 	if containerName != "" && containerNamePrefix != "" {
 		return nil, status.Errorf(codes.InvalidArgument, "containerName(%s) and containerNamePrefix(%s) could not be specified together", containerName, containerNamePrefix)
@@ -342,10 +349,12 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		IsHnsEnabled:                    isHnsEnabled,
 		EnableNfsV3:                     enableNfsV3,
 		AllowBlobPublicAccess:           allowBlobPublicAccess,
+		PublicNetworkAccess:             publicNetworkAccess,
 		AllowSharedKeyAccess:            allowSharedKeyAccess,
 		RequireInfrastructureEncryption: requireInfraEncryption,
 		VNetResourceGroup:               vnetResourceGroup,
 		VNetName:                        vnetName,
+		VNetLinkName:                    vnetLinkName,
 		SubnetName:                      subnetName,
 		AccessTier:                      accessTier,
 		CreatePrivateEndpoint:           createPrivateEndpoint,

pkg/blob/controllerserver_test.go

@@ -655,6 +655,31 @@ func TestCreateVolume(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "Failed with invalid PublicNetworkAccess",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &storage.AccountRepo{}
+				d.cloud.SubscriptionID = "subID"
+
+				mp := make(map[string]string)
+				mp[publicNetworkAccessField] = "invalid"
+				req := &csi.CreateVolumeRequest{
+					Name:               "unit-test",
+					VolumeCapabilities: stdVolumeCapabilities,
+					Parameters:         mp,
+				}
+				d.Cap = []*csi.ControllerServiceCapability{
+					controllerServiceCapability,
+				}
+
+				expectedErr := status.Errorf(codes.InvalidArgument, "publicNetworkAccess(%s) is not supported, supported PublicNetworkAccess list: %v", "invalid", armstorage.PossiblePublicNetworkAccessValues())
+				_, err := d.CreateVolume(context.Background(), req)
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v\nExpected error: %v", err, expectedErr)
+				}
+			},
+		},
 		{
 			name: "Failed with storeAccountKey is not supported for account with shared access key disabled",
 			testFunc: func(t *testing.T) {
@@ -724,6 +749,7 @@ func TestCreateVolume(t *testing.T) {
 				mp[resourceGroupField] = "unit-test"
 				mp[containerNameField] = "unit-test"
 				mp[mountPermissionsField] = "0750"
+				mp[vnetLinkNameField] = "vnetlink"
 				req := &csi.CreateVolumeRequest{
 					Name:               "unit-test",
 					VolumeCapabilities: stdVolumeCapabilities,

test/e2e/dynamic_provisioning_test.go

@@ -715,6 +715,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			StorageClassParameters: map[string]string{
 				"skuName":             "Standard_LRS",
 				"networkEndpointType": "privateEndpoint",
+				"publicNetworkAccess": "Disabled",
 			},
 		}
 		test.Run(ctx, cs, ns)