Merge pull request #636 from andyzhangx/namespace-issue

andyzhangx · web-flow · commit be9720ba122e · 2022-03-30T13:44:30.000+08:00
fix: default secretNamespace should be pvc namespace
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -21,7 +21,7 @@ tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/mana
 --- | **Following parameters are only for blobfuse** | --- | --- |
 storeAccountKey | whether store account key to k8s secret <br><br> Note:  <br> `false` means driver would leverage kubelet identity to get account key | `true`,`false` | No | `true`
 secretName | specify secret name to store account key | | No |
-secretNamespace | specify the namespace of secret to store account key | `default`,`kube-system`, etc | No | `default`
+secretNamespace | specify the namespace of secret to store account key | `default`,`kube-system`, etc | No | pvc namespace
 isHnsEnabled | enable `Hierarchical namespace` for Azure DataLake storage account | `true`,`false` | No | `false`
 --- | **Following parameters are only for NFS protocol** | --- | --- |
 mountPermissions | mounted folder permissions | `0777` | No |
@@ -61,7 +61,7 @@ volumeAttributes.containerName | existing container name | existing container na
 volumeAttributes.protocol | specify blobfuse mount or NFSv3 mount | `fuse`, `nfs` | No | `fuse`
 --- | **Following parameters are only for blobfuse** | --- | --- |
 volumeAttributes.secretName | secret name that stores storage account name and key(only applies for SMB) | | No |
-volumeAttributes.secretNamespace | secret namespace | `default`,`kube-system`, etc | No | `default`
+volumeAttributes.secretNamespace | secret namespace | `default`,`kube-system`, etc | No | pvc namespace
 nodeStageSecretRef.name | secret name that stores(check below examples):<br>`azurestorageaccountkey`<br>`azurestorageaccountsastoken`<br>`msisecret`<br>`azurestoragespnclientsecret` | existing Kubernetes secret name |  No  |
 nodeStageSecretRef.namespace | secret namespace | k8s namespace  |  Yes  |
 --- | **Following parameters are only for NFS protocol** | --- | --- |
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -310,6 +310,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		accountSasToken         string
 		secretName              string
 		secretNamespace         string
+		pvcNamespace            string
 		keyVaultURL             string
 		keyVaultSecretName      string
 		keyVaultSecretVersion   string
@@ -337,10 +338,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		case secretNamespaceField:
 			secretNamespace = v
 		case pvcNamespaceKey:
-			if secretNamespace == "" {
-				// respect `secretNamespace` field as first priority
-				secretNamespace = v
-			}
+			pvcNamespace = v
 		case getAccountKeyFromSecretField:
 			getAccountKeyFromSecret = strings.EqualFold(v, trueValue)
 		case "azurestorageauthtype":
@@ -369,9 +367,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		return rgName, accountName, accountKey, containerName, authEnv, err
 	}
 
-	// backward compatibility, old CSI driver PV does not have secretNamespace field
 	if secretNamespace == "" {
-		secretNamespace = "default"
+		secretNamespace = pvcNamespace
 	}
 
 	if rgName == "" {
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -67,7 +67,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	if parameters == nil {
 		parameters = make(map[string]string)
 	}
-	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretName, secretNamespace string
+	var storageAccountType, resourceGroup, location, account, containerName, protocol, customTags, secretName, secretNamespace, pvcNamespace string
 	var isHnsEnabled *bool
 	var vnetResourceGroup, vnetName, subnetName string
 	// set allowBlobPublicAccess as false by default
@@ -113,10 +113,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 				allowBlobPublicAccess = to.BoolPtr(true)
 			}
 		case pvcNamespaceKey:
-			if secretNamespace == "" {
-				// respect `secretNamespace` field as first priority
-				secretNamespace = v
-			}
+			pvcNamespace = v
 		case pvcNameKey:
 			// no op
 		case pvNameKey:
@@ -147,6 +144,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		resourceGroup = d.cloud.ResourceGroup
 	}
 
+	if secretNamespace == "" {
+		secretNamespace = pvcNamespace
+	}
+
 	if protocol == "" {
 		protocol = fuse
 	}
