use cluster identity for azcopy

umagnus · umagnus · commit 94cce6a42c0a · 2023-12-15T04:20:52.000Z
diff --git a/pkg/blob/controllerserver.go b/pkg/blob/controllerserver.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"net/url"
+	"os"
 	"os/exec"
 	"strconv"
 	"strings"
@@ -50,6 +51,12 @@ import (
 const (
 	privateEndpoint = "privateendpoint"
 
+	azcopyAutoLoginType    = "AZCOPY_AUTO_LOGIN_TYPE"
+	azcopySPAApplicationID = "AZCOPY_SPA_APPLICATION_ID"
+	azcopySPAClientSecret  = "AZCOPY_SPA_CLIENT_SECRET"
+	azcopyTenantID         = "AZCOPY_TENANT_ID"
+	azcopyMSIClientID      = "AZCOPY_MSI_CLIENT_ID"
+
 	waitForCopyInterval = 5 * time.Second
 	waitForCopyTimeout  = 3 * time.Minute
 )
@@ -412,12 +419,11 @@ func (d *Driver) CreateVolume(ctx context.Context, req *csi.CreateVolumeRequest)
 	}
 
 	if req.GetVolumeContentSource() != nil {
-		if accountKey == "" {
-			if _, accountKey, err = d.GetStorageAccesskey(ctx, accountOptions, secrets, secretName, secretNamespace); err != nil {
-				return nil, status.Errorf(codes.Internal, "failed to GetStorageAccesskey on account(%s) rg(%s), error: %v", accountOptions.Name, accountOptions.ResourceGroup, err)
-			}
+		var accountSASToken string
+		if accountSASToken, err = d.useGenerateSASToken(ctx, accountName, accountKey, storageEndpointSuffix, accountOptions, secrets, secretName, secretNamespace); err != nil {
+			return nil, err
 		}
-		if err := d.copyVolume(ctx, req, accountKey, validContainerName, storageEndpointSuffix); err != nil {
+		if err := d.copyVolume(ctx, req, accountSASToken, validContainerName, storageEndpointSuffix); err != nil {
 			return nil, err
 		}
 	} else {
@@ -712,7 +718,7 @@ func (d *Driver) DeleteBlobContainer(ctx context.Context, subsID, resourceGroupN
 }
 
 // CopyBlobContainer copies a blob container in the same storage account
-func (d *Driver) copyBlobContainer(_ context.Context, req *csi.CreateVolumeRequest, accountKey, dstContainerName, storageEndpointSuffix string) error {
+func (d *Driver) copyBlobContainer(_ context.Context, req *csi.CreateVolumeRequest, accountSasToken, dstContainerName, storageEndpointSuffix string) error {
 	var sourceVolumeID string
 	if req.GetVolumeContentSource() != nil && req.GetVolumeContentSource().GetVolume() != nil {
 		sourceVolumeID = req.GetVolumeContentSource().GetVolume().GetVolumeId()
@@ -726,10 +732,11 @@ func (d *Driver) copyBlobContainer(_ context.Context, req *csi.CreateVolumeReque
 		return fmt.Errorf("srcContainerName(%s) or dstContainerName(%s) is empty", srcContainerName, dstContainerName)
 	}
 
-	klog.V(2).Infof("generate sas token for account(%s)", accountName)
-	accountSasToken, genErr := generateSASToken(accountName, accountKey, storageEndpointSuffix, d.sasTokenExpirationMinutes)
-	if genErr != nil {
-		return genErr
+	if accountSasToken == "" {
+		err = d.authorizeAzcopyBySecurityPrincipal()
+		if err != nil {
+			return err
+		}
 	}
 
 	timeAfter := time.After(waitForCopyTimeout)
@@ -768,18 +775,74 @@ func (d *Driver) copyBlobContainer(_ context.Context, req *csi.CreateVolumeReque
 }
 
 // copyVolume copies a volume form volume or snapshot, snapshot is not supported now
-func (d *Driver) copyVolume(ctx context.Context, req *csi.CreateVolumeRequest, accountKey, dstContainerName, storageEndpointSuffix string) error {
+func (d *Driver) copyVolume(ctx context.Context, req *csi.CreateVolumeRequest, accountSASToken, dstContainerName, storageEndpointSuffix string) error {
 	vs := req.VolumeContentSource
 	switch vs.Type.(type) {
 	case *csi.VolumeContentSource_Snapshot:
 		return status.Errorf(codes.InvalidArgument, "copy volume from volumeSnapshot is not supported")
 	case *csi.VolumeContentSource_Volume:
-		return d.copyBlobContainer(ctx, req, accountKey, dstContainerName, storageEndpointSuffix)
+		return d.copyBlobContainer(ctx, req, accountSASToken, dstContainerName, storageEndpointSuffix)
 	default:
 		return status.Errorf(codes.InvalidArgument, "%v is not a proper volume source", vs)
 	}
 }
 
+func (d *Driver) authorizeAzcopyBySecurityPrincipal() error {
+	if len(d.cloud.Config.AzureAuthConfig.AADClientSecret) > 0 {
+		klog.V(2).Infof("use service principal to authorize azcopy")
+		if err := os.Setenv(azcopyAutoLoginType, "SPN"); err != nil {
+			return err
+		}
+		if d.cloud.Config.AzureAuthConfig.AADClientID == "" {
+			return fmt.Errorf("AADClientID and AADClientSecret must be set when use service principal")
+		}
+		if err := os.Setenv(azcopySPAApplicationID, d.cloud.Config.AzureAuthConfig.AADClientID); err != nil {
+			return err
+		}
+		if err := os.Setenv(azcopySPAClientSecret, d.cloud.Config.AzureAuthConfig.AADClientSecret); err != nil {
+			return err
+		}
+		if d.cloud.Config.AzureAuthConfig.TenantID != "" {
+			if err := os.Setenv(azcopyTenantID, d.cloud.Config.AzureAuthConfig.TenantID); err != nil {
+				return err
+			}
+			klog.V(2).Infof(fmt.Sprintf("set AZCOPY_TENANT_ID=%s successfully", d.cloud.Config.AzureAuthConfig.TenantID))
+		}
+		return nil
+	}
+	if d.cloud.Config.AzureAuthConfig.UseManagedIdentityExtension {
+		if err := os.Setenv(azcopyAutoLoginType, "MSI"); err != nil {
+			return err
+		}
+		if len(d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID) > 0 {
+			klog.V(2).Infof("use user assigned managed identity to authorize azcopy")
+			err := os.Setenv(azcopyMSIClientID, d.cloud.Config.AzureAuthConfig.UserAssignedIdentityID)
+			return err
+		}
+		klog.V(2).Infof("use system-assigned managed identity to authorize azcopy")
+		return nil
+	}
+	return fmt.Errorf("AADClientSecret shouldn't be nil or useManagedIdentityExtension must be set to true")
+}
+
+func (d *Driver) useGenerateSASToken(ctx context.Context, accountName, accountKey, storageEndpointSuffix string, accountOptions *azure.AccountOptions, secrets map[string]string, secretName, secretNamespace string) (string, error) {
+	if len(secrets) > 0 && len(d.cloud.Config.AzureAuthConfig.AADClientSecret) == 0 && !d.cloud.Config.AzureAuthConfig.UseManagedIdentityExtension {
+		var err error
+		if accountKey == "" {
+			if _, accountKey, err = d.GetStorageAccesskey(ctx, accountOptions, secrets, secretName, secretNamespace); err != nil {
+				return "", status.Errorf(codes.Internal, "failed to GetStorageAccesskey on account(%s) rg(%s), error: %v", accountOptions.Name, accountOptions.ResourceGroup, err)
+			}
+		}
+		klog.V(2).Infof("generate sas token for account(%s)", accountName)
+		accountSASToken, err := generateSASToken(accountName, accountKey, storageEndpointSuffix, d.sasTokenExpirationMinutes)
+		if err != nil {
+			return "", err
+		}
+		return accountSASToken, nil
+	}
+	return "", nil
+}
+
 // isValidVolumeCapabilities validates the given VolumeCapability array is valid
 func isValidVolumeCapabilities(volCaps []*csi.VolumeCapability) error {
 	if len(volCaps) == 0 {
diff --git a/pkg/blob/controllerserver_test.go b/pkg/blob/controllerserver_test.go
@@ -33,9 +33,11 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/utils/pointer"
 	"sigs.k8s.io/blob-csi-driver/pkg/util"
+	"sigs.k8s.io/cloud-provider-azure/pkg/azclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/blobclient"
 	"sigs.k8s.io/cloud-provider-azure/pkg/azureclients/storageaccountclient/mockstorageaccountclient"
 	azure "sigs.k8s.io/cloud-provider-azure/pkg/provider"
+	"sigs.k8s.io/cloud-provider-azure/pkg/provider/config"
 	"sigs.k8s.io/cloud-provider-azure/pkg/retry"
 )
 
@@ -1780,3 +1782,119 @@ func Test_generateSASToken(t *testing.T) {
 		})
 	}
 }
+
+func Test_authorizeAzcopyBySecurityPrincipal(t *testing.T) {
+	testCases := []struct {
+		name     string
+		testFunc func(t *testing.T)
+	}{
+		{
+			name: "use service principal to authorize azcopy",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{
+					Config: azure.Config{
+						AzureAuthConfig: config.AzureAuthConfig{
+							ARMClientConfig: azclient.ARMClientConfig{
+								TenantID: "TenantID",
+							},
+							AzureAuthConfig: azclient.AzureAuthConfig{
+								AADClientID:     "AADClientID",
+								AADClientSecret: "AADClientSecret",
+							},
+						},
+					},
+				}
+				var expectedErr error
+				err := d.authorizeAzcopyBySecurityPrincipal()
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			},
+		},
+		{
+			name: "use service principal to authorize azcopy but client id is empty",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{
+					Config: azure.Config{
+						AzureAuthConfig: config.AzureAuthConfig{
+							ARMClientConfig: azclient.ARMClientConfig{
+								TenantID: "TenantID",
+							},
+							AzureAuthConfig: azclient.AzureAuthConfig{
+								AADClientSecret: "AADClientSecret",
+							},
+						},
+					},
+				}
+				expectedErr := fmt.Errorf("AADClientID and AADClientSecret must be set when use service principal")
+				err := d.authorizeAzcopyBySecurityPrincipal()
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			},
+		},
+		{
+			name: "use user assigned managed identity to authorize azcopy",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{
+					Config: azure.Config{
+						AzureAuthConfig: config.AzureAuthConfig{
+							AzureAuthConfig: azclient.AzureAuthConfig{
+								UseManagedIdentityExtension: true,
+								UserAssignedIdentityID:      "UserAssignedIdentityID",
+							},
+						},
+					},
+				}
+				var expectedErr error
+				err := d.authorizeAzcopyBySecurityPrincipal()
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			},
+		},
+		{
+			name: "use system assigned managed identity to authorize azcopy",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{
+					Config: azure.Config{
+						AzureAuthConfig: config.AzureAuthConfig{
+							AzureAuthConfig: azclient.AzureAuthConfig{
+								UseManagedIdentityExtension: true,
+							},
+						},
+					},
+				}
+				var expectedErr error
+				err := d.authorizeAzcopyBySecurityPrincipal()
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			},
+		},
+		{
+			name: "AADClientSecret be nil and useManagedIdentityExtension is false",
+			testFunc: func(t *testing.T) {
+				d := NewFakeDriver()
+				d.cloud = &azure.Cloud{
+					Config: azure.Config{
+						AzureAuthConfig: config.AzureAuthConfig{},
+					},
+				}
+				expectedErr := fmt.Errorf("AADClientSecret shouldn't be nil or useManagedIdentityExtension must be set to true")
+				err := d.authorizeAzcopyBySecurityPrincipal()
+				if !reflect.DeepEqual(err, expectedErr) {
+					t.Errorf("Unexpected error: %v", err)
+				}
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, tc.testFunc)
+	}
+}
