feat: support inline volume

fix: add secretName field

add example

fix lint

update chart file

Author: andyzhangx

charts/latest/blob-csi-driver-v1.2.0.tgz

@@ -6,3 +6,6 @@ metadata:
 spec:
   attachRequired: false
   podInfoOnMount: true
+  volumeLifecycleModes:
+    - Persistent
+    - Ephemeral

charts/latest/blob-csi-driver/templates/csi-blob-driver.yaml

@@ -6,3 +6,6 @@ metadata:
 spec:
   attachRequired: false
   podInfoOnMount: true
+  volumeLifecycleModes:
+    - Persistent
+    - Ephemeral

deploy/csi-blob-driver.yaml

@@ -0,0 +1,26 @@
+---
+kind: Pod
+apiVersion: v1
+metadata:
+  name: nginx-blobfuse-inline-volume
+spec:
+  nodeSelector:
+    "kubernetes.io/os": linux
+  containers:
+    - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
+      name: nginx-blobfuse
+      command:
+        - "/bin/bash"
+        - "-c"
+        - set -euo pipefail; while true; do echo $(date) >> /mnt/blobfuse/outfile; sleep 1; done
+      volumeMounts:
+        - name: persistent-storage
+          mountPath: "/mnt/blobfuse"
+  volumes:
+    - name: persistent-storage
+      csi:
+        driver: blob.csi.azure.com
+        volumeAttributes:
+          containerName: EXISTING_CONTAINER_NAME
+          secretName: azure-secret
+          secretNamespace: default  # optional, if it's empty, use pod.Namespace by default

deploy/example/nginx-blobfuse-inline-volume.yaml

@@ -57,6 +57,7 @@ const (
 	skuNameField               = "skuname"
 	resourceGroupField         = "resourcegroup"
 	locationField              = "location"
+	secretNameField            = "secretname"
 	secretNamespaceField       = "secretnamespace"
 	containerNameField         = "containername"
 	storeAccountKeyField       = "storeaccountkey"
@@ -236,6 +237,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 	var (
 		accountKey            string
 		accountSasToken       string
+		secretName            string
+		secretNamespace       string
 		keyVaultURL           string
 		keyVaultSecretName    string
 		keyVaultSecretVersion string
@@ -256,6 +259,10 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			accountName = v
 		case storageAccountNameField: // for compatibility
 			accountName = v
+		case secretNameField:
+			secretName = v
+		case secretNamespaceField:
+			secretNamespace = v
 		case "azurestorageauthtype":
 			authEnv = append(authEnv, "AZURE_STORAGE_AUTH_TYPE="+v)
 		case "azurestorageidentityclientid":
@@ -297,7 +304,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 	} else {
 		if len(secrets) == 0 {
 			// read from k8s secret first
-			accountKey, err = d.GetStorageAccesskeyFromSecret(accountName, attrib[secretNamespaceField])
+			var name string
+			name, accountKey, err = d.GetStorageAccountFromSecret(secretName, secretNamespace)
 			if err != nil {
 				klog.V(2).Infof("could not get account(%s) key from secret, error: %v, use cluster identity to get account key instead", accountName, err)
 				if rgName == "" {
@@ -308,6 +316,9 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 					return accountName, containerName, authEnv, fmt.Errorf("no key for storage account(%s) under resource group(%s), err %v", accountName, rgName, err)
 				}
 			}
+			if name != "" {
+				accountName = name
+			}
 		} else {
 			for k, v := range secrets {
 				switch strings.ToLower(k) {
@@ -516,30 +527,27 @@ func (d *Driver) GetStorageAccesskey(accountOptions *azure.AccountOptions, secre
 	}
 
 	// read from k8s secret first
-	accountKey, err := d.GetStorageAccesskeyFromSecret(accountOptions.Name, secretNamespace)
+	_, accountKey, err := d.GetStorageAccountFromSecret(accountOptions.Name, secretNamespace)
 	if err != nil {
 		klog.V(2).Infof("could not get account(%s) key from secret, error: %v, use cluster identity to get account key instead", accountOptions.Name, err)
 		accountKey, err = d.cloud.GetStorageAccesskey(accountOptions.Name, accountOptions.ResourceGroup)
 	}
 	return accountOptions.Name, accountKey, err
 }
 
-// GetStorageAccesskeyFromSecret get storage account key from k8s secret
-func (d *Driver) GetStorageAccesskeyFromSecret(accountName, secretNamespace string) (string, error) {
+// GetStorageAccountFromSecret get storage account key from k8s secret
+// return <accountName, accountKey, error>
+func (d *Driver) GetStorageAccountFromSecret(secretName, secretNamespace string) (string, string, error) {
 	if d.cloud.KubeClient == nil {
-		return "", fmt.Errorf("could not get account(%s) key from secret: KubeClient is nil", accountName)
+		return "", "", fmt.Errorf("could not get account key from secret(%s): KubeClient is nil", secretName)
 	}
 
-	secretName := fmt.Sprintf(secretNameTemplate, accountName)
-	if secretNamespace == "" {
-		secretNamespace = defaultSecretNamespace
-	}
 	secret, err := d.cloud.KubeClient.CoreV1().Secrets(secretNamespace).Get(context.TODO(), secretName, metav1.GetOptions{})
 	if err != nil {
-		return "", fmt.Errorf("could not get secret(%v): %v", secretName, err)
+		return "", "", fmt.Errorf("could not get secret(%v): %v", secretName, err)
 	}
 
-	return string(secret.Data[defaultSecretAccountKey][:]), nil
+	return string(secret.Data[defaultSecretAccountName][:]), string(secret.Data[defaultSecretAccountKey][:]), nil
 }
 
 // getSubnetResourceID get default subnet resource ID from cloud provider config

pkg/blob/blob.go

@@ -54,24 +54,46 @@ func NewMountClient(cc *grpc.ClientConn) *MountClient {
 
 // NodePublishVolume mount the volume from staging to target path
 func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) {
-	if req.GetVolumeCapability() == nil {
+	volCap := req.GetVolumeCapability()
+	if volCap == nil {
 		return nil, status.Error(codes.InvalidArgument, "Volume capability missing in request")
 	}
 	volumeID := req.GetVolumeId()
 	if len(req.GetVolumeId()) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Volume ID missing in request")
 	}
 
-	source := req.GetStagingTargetPath()
-	if len(source) == 0 {
-		return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
-	}
-
 	target := req.GetTargetPath()
 	if len(target) == 0 {
 		return nil, status.Error(codes.InvalidArgument, "Target path not provided")
 	}
 
+	context := req.GetVolumeContext()
+	if context != nil && context["csi.storage.k8s.io/ephemeral"] == "true" {
+		// if secretNamespace is not set, set same namespace as pod
+		secretNamespace := context["csi.storage.k8s.io/pod.namespace"]
+		for k, v := range context {
+			switch strings.ToLower(k) {
+			case secretNamespaceField:
+				secretNamespace = v
+			}
+		}
+		context[secretNamespaceField] = secretNamespace
+		klog.V(2).Infof("NodePublishVolume: ephemeral volume(%s) mount on %s, VolumeContext: %v", volumeID, target, context)
+		_, err := d.NodeStageVolume(ctx, &csi.NodeStageVolumeRequest{
+			StagingTargetPath: target,
+			VolumeContext:     context,
+			VolumeCapability:  volCap,
+			VolumeId:          volumeID,
+		})
+		return &csi.NodePublishVolumeResponse{}, err
+	}
+
+	source := req.GetStagingTargetPath()
+	if len(source) == 0 {
+		return nil, status.Error(codes.InvalidArgument, "Staging target not provided")
+	}
+
 	mountOptions := []string{"bind"}
 	if req.GetReadonly() {
 		mountOptions = append(mountOptions, "ro")

pkg/blob/nodeserver.go

@@ -172,7 +172,8 @@ func TestNodePublishVolume(t *testing.T) {
 		{
 			desc: "Stage path missing",
 			req: csi.NodePublishVolumeRequest{VolumeCapability: &csi.VolumeCapability{AccessMode: &volumeCap},
-				VolumeId: "vol_1"},
+				VolumeId:   "vol_1",
+				TargetPath: sourceTest},
 			expectedErr: status.Error(codes.InvalidArgument, "Staging target not provided"),
 		},
 		{