feat: add allowSharedKeyAccess parameter

specialforest · k8s-infra-cherrypick-robot · commit d9c2f3f936cc · 2024-07-14T07:11:53.000Z
diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md
@@ -31,6 +31,7 @@ containerNamePrefix | specify Azure storage directory prefix created by driver |
 server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address
 accessTier | [Access tier for storage account](https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview) | Standard account can choose `Hot` or `Cool`, and Premium account can only choose `Premium` | No | empty(use default setting for different storage account types)
 allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false`
+allowSharedKeyAccess | Allow or disallow shared key access for storage account created by driver | `true`,`false` | No | `true`
 requireInfraEncryption | specify whether or not the service applies a secondary layer of encryption with platform managed keys for data at rest for storage account created by driver | `true`,`false` | No | `false`
 storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc | No | if empty, driver will use default storage endpoint suffix according to cloud environment
 tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | ""
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -94,6 +94,7 @@ const (
 	keyVaultSecretVersionField     = "keyvaultsecretversion"
 	storageAccountNameField        = "storageaccountname"
 	allowBlobPublicAccessField     = "allowblobpublicaccess"
+	allowSharedKeyAccessField      = "allowsharedkeyaccess"
 	requireInfraEncryptionField    = "requireinfraencryption"
 	ephemeralField                 = "csi.storage.k8s.io/ephemeral"
 	podNamespaceField              = "csi.storage.k8s.io/pod.namespace"
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -105,6 +105,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	var err error
 	// set allowBlobPublicAccess as false by default
 	allowBlobPublicAccess := pointer.Bool(false)
+	// set allowBlobPublicAccess as true by default
+	allowSharedKeyAccess := pointer.Bool(true)
 
 	containerNameReplaceMap := map[string]string{}
 
@@ -171,6 +173,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			if strings.EqualFold(v, trueValue) {
 				allowBlobPublicAccess = pointer.Bool(true)
 			}
+		case allowSharedKeyAccessField:
+			if strings.EqualFold(v, falseValue) {
+				allowSharedKeyAccess = pointer.Bool(false)
+			}
 		case requireInfraEncryptionField:
 			if strings.EqualFold(v, trueValue) {
 				requireInfraEncryption = pointer.Bool(true)
@@ -310,6 +316,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		storageEndpointSuffix = d.getStorageEndPointSuffix()
 	}
 
+	if storeAccountKey && !pointer.BoolDeref(allowSharedKeyAccess, false) {
+		return nil, status.Errorf(codes.InvalidArgument, "storeAccountKey is not supported for account with shared access key disabled")
+	}
+
 	accountOptions := &azure.AccountOptions{
 		Name:                            account,
 		Type:                            storageAccountType,
@@ -324,6 +334,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		IsHnsEnabled:                    isHnsEnabled,
 		EnableNfsV3:                     enableNfsV3,
 		AllowBlobPublicAccess:           allowBlobPublicAccess,
+		AllowSharedKeyAccess:            allowSharedKeyAccess,
 		RequireInfrastructureEncryption: requireInfraEncryption,
 		VNetResourceGroup:               vnetResourceGroup,
 		VNetName:                        vnetName,
