From ee6db0590bf845cd43a47776283f6cc6a6d31809 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Fri, 15 Apr 2022 07:30:25 +0000 Subject: [PATCH 1/2] fix: disable match tags by default in account search when creating file share --- go.mod | 4 ++-- go.sum | 8 ++++---- .../Azure/azure-sdk-for-go/version/version.go | 2 +- vendor/modules.txt | 6 +++--- .../cloud-provider-azure/pkg/consts/consts.go | 2 +- .../pkg/provider/azure_standard.go | 6 ++++++ .../pkg/provider/azure_storageaccount.go | 16 ++++++++++++---- 7 files changed, 29 insertions(+), 15 deletions(-) diff --git a/go.mod b/go.mod index 0b4930cdd..b6ee540c5 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module sigs.k8s.io/blob-csi-driver go 1.17 require ( - github.com/Azure/azure-sdk-for-go v63.1.0+incompatible + github.com/Azure/azure-sdk-for-go v63.2.0+incompatible github.com/Azure/go-autorest/autorest v0.11.25 github.com/Azure/go-autorest/autorest/adal v0.9.18 github.com/Azure/go-autorest/autorest/to v0.4.0 @@ -145,5 +145,5 @@ replace ( k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.3 k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.23.3 k8s.io/sample-controller => k8s.io/sample-controller v0.23.3 - sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220406062855-4f3bab6bc8b2 + sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220415032100-325969906b39 ) diff --git a/go.sum b/go.sum index db47664d2..dc186f316 100644 --- a/go.sum +++ b/go.sum @@ -41,8 +41,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= dmitri.shuralyov.com/gpu/mtl v0.0.0-20201218220906-28db891af037/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/Azure/azure-sdk-for-go v55.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v63.1.0+incompatible h1:yNC7qlSUWVF8p0TzxdmWW1FJ3DdIA+0Pge41IU/2+9U= -github.com/Azure/azure-sdk-for-go v63.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v63.2.0+incompatible h1:OIqkK/zTGqVUuzpEvY0B1YSYDRAFC/j+y0w2GovCggI= +github.com/Azure/azure-sdk-for-go v63.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8= github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= @@ -1204,8 +1204,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27 h1:KQOkVzXrLNb0EP6W0FD6u3CCPAwgXFYwZitbj7K0P0Y= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4= -sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220406062855-4f3bab6bc8b2 h1:d5k/54npFCwuvcAMAqS6ROjQwwNTfCWbHjT2ivQ2vGA= -sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220406062855-4f3bab6bc8b2/go.mod h1:QP8vTdPEAKK2W+sIgCDQIr15Ivc+tYMRMrJS+Clv85I= +sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220415032100-325969906b39 h1:R4ccCIcWH35eFgLm/gemTXKG9sfjRFIvHU9RTQ8E19Q= +sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220415032100-325969906b39/go.mod h1:k/vjhynZDcDyV8Z1Pfpmel/SfoNC6mKHU9K9Nmf85i4= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 h1:fD1pz4yfdADVNfFmcP2aBEtudwUQ1AlLnRBALr33v3s= sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs= sigs.k8s.io/kustomize/api v0.10.1/go.mod h1:2FigT1QN6xKdcnGS2Ppp1uIWrtWN28Ms8A3OZUZhwr8= diff --git a/vendor/github.com/Azure/azure-sdk-for-go/version/version.go b/vendor/github.com/Azure/azure-sdk-for-go/version/version.go index 24c87e2e3..fd750c3bf 100644 --- a/vendor/github.com/Azure/azure-sdk-for-go/version/version.go +++ b/vendor/github.com/Azure/azure-sdk-for-go/version/version.go @@ -4,4 +4,4 @@ package version // Licensed under the MIT License. See License.txt in the project root for license information. // Number contains the semantic version of this SDK. -const Number = "v63.1.0" +const Number = "v63.2.0" diff --git a/vendor/modules.txt b/vendor/modules.txt index 97e54ee6f..4012a166d 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/Azure/azure-sdk-for-go v63.1.0+incompatible +# github.com/Azure/azure-sdk-for-go v63.2.0+incompatible ## explicit github.com/Azure/azure-sdk-for-go/services/compute/mgmt/2021-07-01/compute github.com/Azure/azure-sdk-for-go/services/containerservice/mgmt/2020-04-01/containerservice @@ -1082,7 +1082,7 @@ k8s.io/utils/trace ## explicit; go 1.17 sigs.k8s.io/apiserver-network-proxy/konnectivity-client/pkg/client sigs.k8s.io/apiserver-network-proxy/konnectivity-client/proto/client -# sigs.k8s.io/cloud-provider-azure v0.7.4 => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220406062855-4f3bab6bc8b2 +# sigs.k8s.io/cloud-provider-azure v0.7.4 => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220415032100-325969906b39 ## explicit; go 1.17 sigs.k8s.io/cloud-provider-azure/pkg/auth sigs.k8s.io/cloud-provider-azure/pkg/azureclients @@ -1176,4 +1176,4 @@ sigs.k8s.io/yaml # k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.3 # k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.23.3 # k8s.io/sample-controller => k8s.io/sample-controller v0.23.3 -# sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220406062855-4f3bab6bc8b2 +# sigs.k8s.io/cloud-provider-azure => sigs.k8s.io/cloud-provider-azure v0.7.4-0.20220415032100-325969906b39 diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/consts/consts.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/consts/consts.go index 47fc7e70d..6bb5ebe0f 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/consts/consts.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/consts/consts.go @@ -353,7 +353,7 @@ const ( // metadata service const ( // ImdsInstanceAPIVersion is the imds instance api version - ImdsInstanceAPIVersion = "2019-03-11" + ImdsInstanceAPIVersion = "2021-10-01" // ImdsLoadBalancerAPIVersion is the imds load balancer api version ImdsLoadBalancerAPIVersion = "2020-10-01" // ImdsServer is the imds server endpoint diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_standard.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_standard.go index dc20c6936..69c53e1bf 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_standard.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_standard.go @@ -26,6 +26,7 @@ import ( "strings" "sync" "time" + "unicode" "sigs.k8s.io/cloud-provider-azure/pkg/consts" @@ -392,6 +393,11 @@ func (az *Cloud) getDefaultFrontendIPConfigName(service *v1.Service) string { // Azure lb front end configuration name must not exceed 80 characters if len(ipcName) > consts.FrontendIPConfigNameMaxLength { ipcName = ipcName[:consts.FrontendIPConfigNameMaxLength] + // Cutting the string may result in char like "-" as the string end. + // If the last char is not a letter or '_', replace it with "_". + if !unicode.IsLetter(rune(ipcName[len(ipcName)-1:][0])) && ipcName[len(ipcName)-1:] != "_" { + ipcName = ipcName[:len(ipcName)-1] + "_" + } } return ipcName } diff --git a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_storageaccount.go b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_storageaccount.go index 57d9cd2a6..278567821 100644 --- a/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_storageaccount.go +++ b/vendor/sigs.k8s.io/cloud-provider-azure/pkg/provider/azure_storageaccount.go @@ -57,6 +57,7 @@ type AccountOptions struct { VNetResourceGroup string VNetName string SubnetName string + MatchTags bool } type accountWithLocation struct { @@ -152,6 +153,12 @@ func (az *Cloud) EnsureStorageAccount(ctx context.Context, accountOptions *Accou subsID = accountOptions.SubscriptionID } + if len(accountOptions.Tags) == 0 { + accountOptions.Tags = make(map[string]string) + } + // set built-in tags + accountOptions.Tags[consts.CreatedByTag] = "azure" + var createNewAccount bool if len(accountName) == 0 { createNewAccount = true @@ -234,10 +241,6 @@ func (az *Cloud) EnsureStorageAccount(ctx context.Context, accountOptions *Accou if accountKind != "" { kind = storage.Kind(accountKind) } - if len(accountOptions.Tags) == 0 { - accountOptions.Tags = make(map[string]string) - } - accountOptions.Tags[consts.CreatedByTag] = "azure" tags := convertMapToMapPointer(accountOptions.Tags) klog.V(2).Infof("azure - no matching account found, begin to create a new account %s in resource group %s, location: %s, accountType: %s, accountKind: %s, tags: %+v", @@ -508,6 +511,11 @@ func isTaggedWithSkip(account storage.Account) bool { } func isTagsEqual(account storage.Account, accountOptions *AccountOptions) bool { + if !accountOptions.MatchTags { + // always return true when tags matching is false (by default) + return true + } + // nil and empty map should be regarded as equal if len(account.Tags) == 0 && len(accountOptions.Tags) == 0 { return true From 1be50c0abf4e1c641b61c43eca13031d1f4a1307 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Fri, 15 Apr 2022 09:46:40 +0000 Subject: [PATCH 2/2] feat: add matchTags parameter in storage class --- docs/driver-parameters.md | 3 ++- pkg/blob/blob.go | 1 + pkg/blob/controllerserver.go | 8 ++++++++ pkg/blob/controllerserver_test.go | 24 ++++++++++++++++++++++++ test/e2e/dynamic_provisioning_test.go | 9 ++++++--- 5 files changed, 41 insertions(+), 4 deletions(-) diff --git a/docs/driver-parameters.md b/docs/driver-parameters.md index 70178e0d2..18aac3d6d 100644 --- a/docs/driver-parameters.md +++ b/docs/driver-parameters.md @@ -17,8 +17,9 @@ containerName | specify the existing container(directory) name | existing contai containerNamePrefix | specify Azure storage directory prefix created by driver | can only contain lowercase letters, numbers, hyphens, and length should be less than 21 | No | server | specify Azure storage account server address | existing server address, e.g. `accountname.privatelink.blob.core.windows.net` | No | if empty, driver will use default `accountname.blob.core.windows.net` or other sovereign cloud account address allowBlobPublicAccess | Allow or disallow public access to all blobs or containers for storage account created by driver | `true`,`false` | No | `false` -storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net` | No | if empty, driver will use default storage endpoint suffix according to cloud environment, e.g. `core.windows.net` +storageEndpointSuffix | specify Azure storage endpoint suffix | `core.windows.net`, `core.chinacloudapi.cn`, etc | No | if empty, driver will use default storage endpoint suffix according to cloud environment tags | [tags](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources) would be created in newly created storage account | tag format: 'foo=aaa,bar=bbb' | No | "" +matchTags | whether matching tags when driver tries to find a suitable storage account | `true`,`false` | No | `false` --- | **Following parameters are only for blobfuse** | --- | --- | subscriptionID | specify Azure subscription ID in which blob storage directory will be created | Azure subscription ID | No | if not empty, `resourceGroup` must be provided storeAccountKey | whether store account key to k8s secret

Note:
`false` means driver would leverage kubelet identity to get account key | `true`,`false` | No | `true` diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go index 1131f9482..638ac3f05 100644 --- a/pkg/blob/blob.go +++ b/pkg/blob/blob.go @@ -52,6 +52,7 @@ const ( serverNameField = "server" storageEndpointSuffixField = "storageendpointsuffix" tagsField = "tags" + matchTagsField = "matchtags" protocolField = "protocol" accountNameField = "accountname" accountKeyField = "accountkey" diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go index 94066a3f2..c74a8d4d1 100644 --- a/pkg/blob/controllerserver.go +++ b/pkg/blob/controllerserver.go @@ -70,6 +70,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) var storageAccountType, subsID, resourceGroup, location, account, containerName, containerNamePrefix, protocol, customTags, secretName, secretNamespace, pvcNamespace string var isHnsEnabled *bool var vnetResourceGroup, vnetName, subnetName string + var matchTags bool // set allowBlobPublicAccess as false by default allowBlobPublicAccess := to.BoolPtr(false) @@ -100,6 +101,8 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) protocol = v case tagsField: customTags = v + case matchTagsField: + matchTags = strings.EqualFold(v, trueValue) case secretNameField: secretName = v case secretNamespaceField: @@ -144,6 +147,10 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) } } + if matchTags && account != "" { + return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("matchTags must set as false when storageAccount(%s) is provided", account)) + } + if subsID != "" && subsID != d.cloud.SubscriptionID { if protocol == nfs { return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("NFS protocol is not supported in cross subscription(%s)", subsID)) @@ -225,6 +232,7 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest) EnableHTTPSTrafficOnly: enableHTTPSTrafficOnly, VirtualNetworkResourceIDs: vnetResourceIDs, Tags: tags, + MatchTags: matchTags, IsHnsEnabled: isHnsEnabled, EnableNfsV3: enableNfsV3, AllowBlobPublicAccess: allowBlobPublicAccess, diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go index 317a266cd..388144135 100644 --- a/pkg/blob/controllerserver_test.go +++ b/pkg/blob/controllerserver_test.go @@ -171,6 +171,30 @@ func TestCreateVolume(t *testing.T) { } }, }, + { + name: "storageAccount and matchTags conflict", + testFunc: func(t *testing.T) { + d := NewFakeDriver() + d.cloud = &azure.Cloud{} + mp := map[string]string{ + storageAccountField: "abc", + matchTagsField: "true", + } + req := &csi.CreateVolumeRequest{ + Name: "unit-test", + VolumeCapabilities: stdVolumeCapabilities, + Parameters: mp, + } + d.Cap = []*csi.ControllerServiceCapability{ + controllerServiceCapability, + } + _, err := d.CreateVolume(context.Background(), req) + expectedErr := status.Errorf(codes.InvalidArgument, "matchTags must set as false when storageAccount(abc) is provided") + if !reflect.DeepEqual(err, expectedErr) { + t.Errorf("actualErr: (%v), expectedErr: (%v)", err, expectedErr) + } + }, + }, { name: "containerName and containerNamePrefix could not be specified together", testFunc: func(t *testing.T) { diff --git a/test/e2e/dynamic_provisioning_test.go b/test/e2e/dynamic_provisioning_test.go index 8cdc15a89..b24e42c5b 100644 --- a/test/e2e/dynamic_provisioning_test.go +++ b/test/e2e/dynamic_provisioning_test.go @@ -426,9 +426,12 @@ var _ = ginkgo.Describe("[blob-csi-e2e] Dynamic Provisioning", func() { }, } test := testsuites.DynamicallyProvisionedResizeVolumeTest{ - CSIDriver: testDriver, - Pods: pods, - StorageClassParameters: map[string]string{"skuName": "Standard_LRS"}, + CSIDriver: testDriver, + Pods: pods, + StorageClassParameters: map[string]string{ + "skuName": "Standard_LRS", + "matchTags": "true", + }, } test.Run(cs, ns) })