feat: support mount smb file share with workload identity token#2902
feat: support mount smb file share with workload identity token#2902andyzhangx merged 3 commits intomasterfrom
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
approved
There was a problem hiding this comment.
Pull request overview
This PR adds support for mounting Azure SMB file shares using workload identity tokens instead of storage account keys. This enhances security by allowing Kubernetes workloads to authenticate using federated identity credentials rather than long-lived secrets.
- Introduces
mountWithWITokenFieldparameter to enable workload identity token-based authentication - Extends
GetAccountInfoto returntenantIDandtokenFilePathfor workload identity flows - Adds token parsing, validation, and file-based caching for service account tokens
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 19 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/azurefile/azurefile.go | Core implementation: adds workload identity token handling in GetAccountInfo, including token parsing, validation, and file-based storage; extends return signature with tenantID and tokenFilePath |
| pkg/azurefile/utils.go | Updates setCredentialCache to support both managed identity and workload identity modes via azfilesauthmanager; adds isValidTokenFileName helper for token file validation |
| pkg/azurefile/nodeserver.go | Implements workload identity logic in NodeStageVolume and NodePublishVolume; adds useWorkloadIdentity helper to determine authentication method; configures Kerberos mount options for workload identity |
| pkg/azurefile/controllerserver.go | Handles mountWithWITokenField parameter in CreateVolume; maps to IsSmbOAuthEnabled flag; updates GetAccountInfo call sites for new signature |
| pkg/azurefile/azurefile_test.go | Adds test case for invalid mountWithWITokenField value validation |
| pkg/azurefile/utils_test.go | Updates TestSetCredentialCache for new parameter handling; adds TestIsValidTokenFileName with comprehensive validation cases |
| pkg/azurefile/nodeserver_test.go | Adds TestUseWorkloadIdentity to verify workload identity detection logic |
| pkg/azurefile/controllerserver_test.go | Adds test for invalid mountWithWIToken parameter; includes mountWithWITokenField in comprehensive parameter test |
| pkg/azurefileplugin/Dockerfile | Installs azfilesauth package for Kerberos authentication support via azfilesauthmanager |
| deploy/csi-azurefile-driver.yaml | Enables requiresRepublish and configures token requests with 1-hour expiration for workload identity |
| test/e2e/testsuites/*.go | Updates e2e tests for GetAccountInfo signature changes (adds tenantID and tokenFilePath return values) |
Comments suppressed due to low confidence (2)
pkg/azurefile/utils_test.go:1398
- The TestSetCredentialCache test only covers error cases and doesn't test the successful execution paths. It should include test cases for: (1) successful call with clientID but no token (managed identity mode), and (2) successful call with both clientID and tokenFile (workload identity mode). These tests would verify that the correct command arguments are constructed for each authentication method.
func TestSetCredentialCache(t *testing.T) {
tests := []struct {
desc string
server string
clientID string
token string
expectedError string
}{
{
desc: "empty server",
server: "",
clientID: "test-client-id",
expectedError: "server must be provided",
},
{
desc: "empty clientID and token",
server: "test.file.core.windows.net",
clientID: "",
token: "",
expectedError: "either clientID or tokenFile must be provided",
},
{
desc: "both empty",
server: "",
clientID: "",
expectedError: "server must be provided",
},
}
for _, test := range tests {
_, err := setCredentialCache(test.server, test.clientID, "", test.token)
if test.expectedError != "" {
if err == nil {
t.Errorf("test[%s]: expected error containing %q, got nil", test.desc, test.expectedError)
} else if !strings.Contains(err.Error(), test.expectedError) {
t.Errorf("test[%s]: expected error containing %q, got %v", test.desc, test.expectedError, err)
}
}
}
}
pkg/azurefileplugin/Dockerfile:26
- The azfilesauth.deb package is being downloaded from a personal GitHub repository (andyzhangx/demo) instead of an official release or trusted package repository. This creates security and reliability risks: the package could be modified or become unavailable, and there's no verification of its integrity. Consider hosting this package in an official location with proper versioning and checksums, or building it from source in the Dockerfile.
&& curl -Lso /tmp/azfilesauth.deb https://raw.githubusercontent.com/andyzhangx/demo/refs/heads/master/aks/azfilesauth_1.0-8_amd64.deb \
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.
Comments suppressed due to low confidence (2)
pkg/azurefile/utils_test.go:1398
- The test only covers error cases for
setCredentialCache, but doesn't test any success scenarios. Add test cases for: (1) successful call with clientID only (for managed identity), and (2) successful call with tokenFile path (for workload identity). While these might require mocking the command execution, at minimum verify that the function constructs the correct arguments without returning an error when valid inputs are provided.
func TestSetCredentialCache(t *testing.T) {
tests := []struct {
desc string
server string
clientID string
token string
expectedError string
}{
{
desc: "empty server",
server: "",
clientID: "test-client-id",
expectedError: "server must be provided",
},
{
desc: "empty clientID and token",
server: "test.file.core.windows.net",
clientID: "",
token: "",
expectedError: "either clientID or tokenFile must be provided",
},
{
desc: "both empty",
server: "",
clientID: "",
expectedError: "server must be provided",
},
}
for _, test := range tests {
_, err := setCredentialCache(test.server, test.clientID, "", test.token)
if test.expectedError != "" {
if err == nil {
t.Errorf("test[%s]: expected error containing %q, got nil", test.desc, test.expectedError)
} else if !strings.Contains(err.Error(), test.expectedError) {
t.Errorf("test[%s]: expected error containing %q, got %v", test.desc, test.expectedError, err)
}
}
}
}
pkg/azurefileplugin/Dockerfile:26
- This Dockerfile downloads a .deb package from a personal GitHub repository (andyzhangx/demo) rather than from an official or verified source. This poses security and reliability risks: the package could be modified, deleted, or become unavailable, causing build failures in production. Consider hosting this package in an official repository, using a checksum verification, or at minimum using a specific commit hash rather than the branch reference "refs/heads/master" to ensure build reproducibility.
&& curl -Lso /tmp/azfilesauth.deb https://raw.githubusercontent.com/andyzhangx/demo/refs/heads/master/aks/azfilesauth_1.0-8_amd64.deb \
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
/retest |
andyzhangx
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
@andyzhangx I've opened a new pull request, #2919, to work on those changes. Once the pull request is ready, I'll request review from you. |
fix workload idenitty token setting getToken from service account token feat: use new azfilesauth version fix fix ut add check add token file name check fix refresh WI token set expirationSeconds: 3600 fix arm64 image build break
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 7 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
k8s-ci-robot
added
size/XL
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
pkg/azurefile/nodeserver.go
Outdated
| return false | ||
| } | ||
|
|
||
| // shouldUseServiceAccountToken determines whether a service account token |
There was a problem hiding this comment.
The function documentation is incomplete. It should fully describe what the function does. The comment should be: "shouldUseServiceAccountToken determines whether a service account token should be used for authentication based on the volume context attributes."
| // shouldUseServiceAccountToken determines whether a service account token | |
| // shouldUseServiceAccountToken determines whether a service account token should be used for authentication based on the volume context attributes. |
fix fix: copilot comments fix
mittachaitu
left a comment
mittachaitu
left a comment
There was a problem hiding this comment.
Are we going to add e2e test in different PR?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andyzhangx, mittachaitu The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Can we add README on how to use |
@mittachaitu can you explore how to add such e2e test in aks RP? |
What type of PR is this?
/kind feature
What this PR does / why we need it:
feat: support mount smb file share with workload identity token
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: