Merge pull request #1988 from andyzhangx/add-mountWithWIToken

andyzhangx · web-flow · commit 596b5ef3fca8 · 2025-05-07T04:40:34.000+03:00
fix: add mountWithWorkloadIdentityToken parameter
diff --git a/docs/workload-identity-static-pv-mount.md b/docs/workload-identity-static-pv-mount.md
@@ -3,7 +3,7 @@
 
 ### Note
  - This feature is not supported for NFS mount since NFS mount does not need credentials.
- - This feature no longer retrieves storage account key using federated(workload) identity credentials starting from v1.25.4 or v1.26.1 and later versions, while it requires `Storage Blob Data Contributor` role on the account instead of `Storage Account Contributor` role.
+ - This feature would retrieve storage account key using federated identity credentials.
 
 ## Prerequisites
 ### 1. Create a cluster with oidc-issuer enabled and get the credential
@@ -33,7 +33,7 @@ export IDENTITY_TENANT=$(az aks show --name $CLUSTER_NAME --resource-group $RESO
 export ACCOUNT_SCOPE=$(az storage account show --name $ACCOUNT --query id -o tsv)
 
 # please retry if you meet `Cannot find user or service principal in graph database` error, it may take a while for the identity to propagate
-az role assignment create --role "Storage Blob Data Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
+az role assignment create --role "Storage Account Contributor" --assignee $USER_ASSIGNED_CLIENT_ID --scope $ACCOUNT_SCOPE
 ```
 
 ### 4. Create service account on AKS
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -100,6 +100,7 @@ const (
 	podNamespaceField              = "csi.storage.k8s.io/pod.namespace"
 	serviceAccountTokenField       = "csi.storage.k8s.io/serviceAccount.tokens"
 	clientIDField                  = "clientid"
+	mountWithWITokenField          = "mountwithworkloadidentitytoken"
 	tenantIDField                  = "tenantid"
 	mountOptionsField              = "mountoptions"
 	falseValue                     = "false"
@@ -490,6 +491,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		getAccountKeyFromSecret bool
 		getLatestAccountKey     bool
 		clientID                string
+		mountWithWIToken        bool
 		tenantID                string
 		serviceAccountToken     string
 	)
@@ -543,6 +545,10 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			}
 		case clientIDField:
 			clientID = v
+		case mountWithWITokenField:
+			if mountWithWIToken, err = strconv.ParseBool(v); err != nil {
+				return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("invalid %s: %s in volume context", mountWithWITokenField, v)
+			}
 		case tenantIDField:
 			tenantID = v
 		case strings.ToLower(serviceAccountTokenField):
@@ -572,21 +578,29 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		tenantID = d.cloud.TenantID
 	}
 
-	// if client id is specified, we only use workload identity for blobfuse auth
 	if clientID != "" {
-		klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
+		if mountWithWIToken {
+			klog.V(2).Infof("clientID(%s) is specified, use workload identity for blobfuse auth", clientID)
+
+			workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
+			if err != nil {
+				return rgName, accountName, accountKey, containerName, authEnv, err
+			}
+
+			authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
+			if tenantID != "" {
+				authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
+			}
+			authEnv = append(authEnv, "WORKLOAD_IDENTITY_TOKEN="+workloadIdentityToken)
 
-		workloadIdentityToken, err := parseServiceAccountToken(serviceAccountToken)
-		if err != nil {
 			return rgName, accountName, accountKey, containerName, authEnv, err
 		}
-
-		authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
-		if tenantID != "" {
-			authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
+		klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
+		if subsID == "" {
+			subsID = d.cloud.SubscriptionID
 		}
-		authEnv = append(authEnv, "WORKLOAD_IDENTITY_TOKEN="+workloadIdentityToken)
-
+		accountKey, err := d.cloud.GetStorageAccesskeyFromServiceAccountToken(ctx, subsID, accountName, rgName, clientID, tenantID, serviceAccountToken)
+		authEnv = append(authEnv, "AZURE_STORAGE_ACCESS_KEY="+accountKey)
 		return rgName, accountName, accountKey, containerName, authEnv, err
 	}
 
diff --git a/pkg/blob/blob_test.go b/pkg/blob/blob_test.go
@@ -550,7 +550,23 @@ func TestGetAuthEnv(t *testing.T) {
 			name: "valid request",
 			testFunc: func(t *testing.T) {
 				d := NewFakeDriver()
-				attrib := make(map[string]string)
+				attrib := map[string]string{
+					subscriptionIDField:          "subID",
+					resourceGroupField:           "rg",
+					storageAccountField:          "accountname",
+					storageAccountNameField:      "accountname",
+					secretNameField:              "secretName",
+					secretNamespaceField:         "sNS",
+					containerNameField:           "containername",
+					mountWithWITokenField:        "false",
+					pvcNamespaceKey:              "pvcNSKey",
+					getAccountKeyFromSecretField: "false",
+					storageAuthTypeField:         "key",
+					msiEndpointField:             "msiEndpoint",
+					getLatestAccountKeyField:     "true",
+					tenantIDField:                "tenantID",
+					serviceAccountTokenField:     "serviceAccountToken",
+				}
 				secret := make(map[string]string)
 				volumeID := "rg#f5713de20cde511e8ba4900#pvc-fuse-dynamic-17e43f84-f474-11e8-acd0-000d3a00df41"
 				d.cloud = &storage.AccountRepo{}
@@ -580,23 +596,29 @@ func TestGetAuthEnv(t *testing.T) {
 				}
 				secret := make(map[string]string)
 				volumeID := "rg#f5713de20cde511e8ba4900#pvc-fuse-dynamic-17e43f84-f474-11e8-acd0-000d3a00df41"
-				d.cloud = &storage.AccountRepo{}
-				ctrl := gomock.NewController(t)
-				defer ctrl.Finish()
-				mockStorageAccountsClient := mock_accountclient.NewMockInterface(ctrl)
-				d.cloud.ComputeClientFactory = mock_azclient.NewMockClientFactory(ctrl)
-				d.cloud.ComputeClientFactory.(*mock_azclient.MockClientFactory).EXPECT().GetAccountClient().Return(mockStorageAccountsClient).AnyTimes()
-				s := "unit-test"
-				accountkey := armstorage.AccountKey{Value: &s}
-				list := []*armstorage.AccountKey{&accountkey}
-				mockStorageAccountsClient.EXPECT().ListKeys(gomock.Any(), gomock.Any(), gomock.Any()).Return(list, nil).AnyTimes()
 				_, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
 				expectedErr := fmt.Errorf("invalid getlatestaccountkey: %s in volume context", "invalid")
 				if !reflect.DeepEqual(err, expectedErr) {
 					t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr)
 				}
 			},
 		},
+		{
+			name: "invalid mountWithWIToken value",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				attrib := map[string]string{
+					mountWithWITokenField: "invalid",
+				}
+				secret := make(map[string]string)
+				volumeID := "rg#f5713de20cde511e8ba4900#pvc-fuse-dynamic-17e43f84-f474-11e8-acd0-000d3a00df41"
+				_, _, _, _, _, err := d.GetAuthEnv(context.TODO(), volumeID, "", attrib, secret)
+				expectedErr := fmt.Errorf("invalid %s: %s in volume context", mountWithWITokenField, "invalid")
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr)
+				}
+			},
+		},
 		{
 			name: "secret not empty",
 			testFunc: func(t *testing.T) {
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -189,6 +189,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 		case storageIdentityObjectIDField:
 		case storageIdentityResourceIDField:
 		case clientIDField:
+		case mountWithWITokenField:
 		case tenantIDField:
 		case msiEndpointField:
 		case storageAADEndpointField:
diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go
@@ -440,6 +440,7 @@ func TestCreateVolume(t *testing.T) {
 				mp[storageAuthTypeField] = "msi"
 				mp[storageIdentityClientIDField] = "msi"
 				mp[clientIDField] = "clientID"
+				mp[mountWithWITokenField] = "true"
 				mp[tenantIDField] = "tenantID"
 				mp[storageIdentityObjectIDField] = "msi"
 				mp[storageIdentityResourceIDField] = "msi"
diff --git a/pkg/blob/nodeserver_test.go b/pkg/blob/nodeserver_test.go
@@ -249,6 +249,7 @@ func TestNodePublishVolume(t *testing.T) {
 				StagingTargetPath: sourceTest,
 				VolumeContext: map[string]string{
 					serviceAccountTokenField: `{"api://AzureADTokenExchange":{"token":"test-token","expirationTimestamp":"2023-01-01T00:00:00Z"}}`,
+					mountWithWITokenField:    "true",
 					clientIDField:            "client-id-value",
 				},
 			},
