Merge pull request #435 from andyzhangx/remove-default-secret-namespace

andyzhangx · web-flow · commit f22b3629dd1a · 2021-05-23T12:35:41.000+08:00
feat: store secret in pod.Namespace if not specified
diff --git a/charts/latest/blob-csi-driver-v1.2.0.tgz b/charts/latest/blob-csi-driver-v1.2.0.tgz
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -60,6 +60,7 @@ spec:
             - "--csi-address=$(ADDRESS)"
             - "--leader-election"
             - "--timeout=60s"
+            - "--extra-create-metadata=true"
           env:
             - name: ADDRESS
               value: /csi/csi.sock
diff --git a/deploy/csi-blob-controller.yaml b/deploy/csi-blob-controller.yaml
@@ -36,6 +36,7 @@ spec:
             - "--csi-address=$(ADDRESS)"
             - "--leader-election"
             - "--timeout=60s"
+            - "--extra-create-metadata=true"
           env:
             - name: ADDRESS
               value: /csi/csi.sock
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -68,7 +68,6 @@ const (
 	storeAccountKeyFalse       = "false"
 	defaultSecretAccountName   = "azurestorageaccountname"
 	defaultSecretAccountKey    = "azurestorageaccountkey"
-	defaultSecretNamespace     = "default"
 	fuse                       = "fuse"
 	nfs                        = "nfs"
 
@@ -86,6 +85,10 @@ const (
 	containerMaxSize = 100 * util.TiB
 
 	subnetTemplate = "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s"
+
+	pvcNameKey      = "csi.storage.k8s.io/pvc/name"
+	pvcNamespaceKey = "csi.storage.k8s.io/pvc/namespace"
+	pvNameKey       = "csi.storage.k8s.io/pv/name"
 )
 
 var (
@@ -495,13 +498,10 @@ func setAzureCredentials(kubeClient kubernetes.Interface, accountName, accountKe
 	if accountName == "" || accountKey == "" {
 		return "", fmt.Errorf("the account info is not enough, accountName(%v), accountKey(%v)", accountName, accountKey)
 	}
-	if secretNamespace == "" {
-		secretNamespace = defaultSecretNamespace
-	}
 	secretName := fmt.Sprintf(secretNameTemplate, accountName)
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Namespace: defaultSecretNamespace,
+			Namespace: secretNamespace,
 			Name:      secretName,
 		},
 		Data: map[string][]byte{
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -91,6 +91,15 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 			secretNamespace = v
 		case storeAccountKeyField:
 			storeAccountKey = v
+		case pvcNamespaceKey:
+			if secretNamespace == "" {
+				// respect `secretNamespace` field as first priority
+				secretNamespace = v
+			}
+		case pvcNameKey:
+			// no op
+		case pvNameKey:
+			// no op
 		case serverNameField:
 			// no op, only used in NodeStageVolume
 		case storageEndpointSuffixField:
@@ -228,6 +237,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	klog.V(2).Infof("create container %s on storage account %s successfully", validContainerName, accountName)
 
 	isOperationSucceeded = true
+	// reset secretNamespace field in VolumeContext
+	parameters[secretNamespaceField] = secretNamespace
 	return &csi.CreateVolumeResponse{
 		Volume: &csi.Volume{
 			VolumeId:      volumeID,
diff --git a/test/e2e/dynamic_provisioning_test.go b/test/e2e/dynamic_provisioning_test.go
@@ -78,9 +78,12 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 			},
 		}
 		test := testsuites.DynamicallyProvisionedCmdVolumeTest{
-			CSIDriver:              testDriver,
-			Pods:                   pods,
-			StorageClassParameters: map[string]string{"skuName": "Standard_LRS"},
+			CSIDriver: testDriver,
+			Pods:      pods,
+			StorageClassParameters: map[string]string{
+				"skuName":         "Standard_LRS",
+				"secretNamespace": "default",
+			},
 		}
 		test.Run(cs, ns)
 	})
@@ -375,7 +378,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() {
 		accountName := segments[3]
 
 		containerName := "csi-inline-blobfuse-volume"
-		req := makeCreateVolumeReq(containerName)
+		req := makeCreateVolumeReq(containerName, ns.Name)
 		req.Parameters["storageAccount"] = accountName
 		resp, err := blobDriver.CreateVolume(context.Background(), req)
 		if err != nil {
diff --git a/test/e2e/pre_provisioning_test.go b/test/e2e/pre_provisioning_test.go
@@ -79,7 +79,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It("[env] should use a pre-provisioned volume and mount it as readOnly in a pod", func() {
-		req := makeCreateVolumeReq("pre-provisioned-readonly")
+		req := makeCreateVolumeReq("pre-provisioned-readonly", ns.Name)
 		resp, err := blobDriver.CreateVolume(context.Background(), req)
 		if err != nil {
 			ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
@@ -113,7 +113,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It(fmt.Sprintf("[env] should use a pre-provisioned volume and retain PV with reclaimPolicy %q", v1.PersistentVolumeReclaimRetain), func() {
-		req := makeCreateVolumeReq("pre-provisioned-retain-reclaimpolicy")
+		req := makeCreateVolumeReq("pre-provisioned-retain-reclaimpolicy", ns.Name)
 		resp, err := blobDriver.CreateVolume(context.Background(), req)
 		if err != nil {
 			ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
@@ -142,7 +142,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 		volumeSize := fmt.Sprintf("%dGi", defaultVolumeSize)
 		pods := []testsuites.PodDetails{}
 		for i := 1; i <= 6; i++ {
-			req := makeCreateVolumeReq(fmt.Sprintf("pre-provisioned-multiple-pods%d", time.Now().UnixNano()))
+			req := makeCreateVolumeReq(fmt.Sprintf("pre-provisioned-multiple-pods%d", time.Now().UnixNano()), ns.Name)
 			resp, err := blobDriver.CreateVolume(context.Background(), req)
 			if err != nil {
 				ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
@@ -174,7 +174,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It("should use existing credentials in k8s cluster", func() {
-		req := makeCreateVolumeReq("pre-provisioned-existing-credentials")
+		req := makeCreateVolumeReq("pre-provisioned-existing-credentials", ns.Name)
 		resp, err := blobDriver.CreateVolume(context.Background(), req)
 		if err != nil {
 			ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
@@ -212,7 +212,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 
 	ginkgo.It("should use provided credentials", func() {
-		req := makeCreateVolumeReq("pre-provisioned-provided-credentials")
+		req := makeCreateVolumeReq("pre-provisioned-provided-credentials", ns.Name)
 		resp, err := blobDriver.CreateVolume(context.Background(), req)
 		if err != nil {
 			ginkgo.Fail(fmt.Sprintf("create volume error: %v", err))
@@ -252,7 +252,7 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Pre-Provisioned", func() {
 	})
 })
 
-func makeCreateVolumeReq(volumeName string) *csi.CreateVolumeRequest {
+func makeCreateVolumeReq(volumeName, secretNamespace string) *csi.CreateVolumeRequest {
 	req := &csi.CreateVolumeRequest{
 		Name: volumeName,
 		VolumeCapabilities: []*csi.VolumeCapability{
@@ -270,8 +270,9 @@ func makeCreateVolumeReq(volumeName string) *csi.CreateVolumeRequest {
 			LimitBytes:    defaultVolumeSizeBytes,
 		},
 		Parameters: map[string]string{
-			"skuname":       "Standard_LRS",
-			"containerName": volumeName,
+			"skuname":         "Standard_LRS",
+			"containerName":   volumeName,
+			"secretNamespace": secretNamespace,
 		},
 	}
 
