Skip to content

fix: check if Azure file share exists before calling Create to allow read-only permissions for existing shares#3042

Open
Copilot wants to merge 8 commits intomasterfrom
copilot/check-azure-file-share-existence
Open

fix: check if Azure file share exists before calling Create to allow read-only permissions for existing shares#3042
Copilot wants to merge 8 commits intomasterfrom
copilot/check-azure-file-share-existence

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 24, 2026
edited
Loading

CreateFileShare unconditionally calls the Create API even for pre-existing shares, requiring write permissions in all cases. This prevents scenarios where an existing share should only need read access.

Changes

  • pkg/azurefile/azurefile.go: Before calling fileClient.CreateFileShare, call GetFileShareQuota (a read-only operation) to check existence. If the share already exists, skip Create entirely.
// Before: always called Create
if err = fileClient.CreateFileShare(ctx, shareOptions); err != nil { ... }

// After: skip Create if share already exists
if _, err := fileClient.GetFileShareQuota(ctx, shareOptions.Name); err == nil {
    klog.V(2).Infof("file share(%s) already exists, skip creating", shareOptions.Name)
    return true, nil
}
if err = fileClient.CreateFileShare(ctx, shareOptions); err != nil { ... }
  • pkg/azurefile/azurefile_test.go: Added TestDriverCreateFileShare covering three cases: share exists (Create skipped), share absent (Create called), GetFileShareQuota error (Create called as fallback).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • test.file.ut
    • Triggering command: /tmp/go-build2833821331/b001/azurefile.test /tmp/go-build2833821331/b001/azurefile.test -test.testlogfile=/tmp/go-build2833821331/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.run=TestDriverCreateFileShare|TestGetFileShareQuota -test.v=true driver/azurefile-ifaceassert ux-amd64/pkg/tool/linux_amd64/vet ibrary-for-go/ap/home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/pkg/too-buildtags .io/otel/attribu-atomic mpile ux-amd64/pkg/too-buildtags -o driver/azurefile-errorsas .cfg ux-amd64/pkg/tool/linux_amd64/vet /virtualnetworkl/home/REDACTED/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.0.linux-amd64/pkg/too-buildtags /virtualnetworkl-atomic mpile ux-amd64/pkg/too-buildtags (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Check if Azure file share exists before calling Create to allow read-only permission for existing shares</issue_title>
<issue_description>## Problem

The current implementation in pkg/azurefile/azurefile.go always calls the Create interface for Azure File share operations, regardless of whether the file share already exists. This can cause problems with permissions: even if the share already exists, the code requires write permissions to call Create, when in theory, only read permissions should be needed for existing file shares.

Suggestion

Before calling the Create interface for a file share, the code should first check if the share exists. If it does, then skip calling Create. This would allow scenarios where for existing file shares, only read permission is needed instead of write permissions.

Benefit

  • Reduces the required permissions for applications that only consume existing file shares
  • Improves security by following the principle of least privilege

Additional Context

Reference problematic code section (current implementation requires write permissions in all cases):
azurefile.go#L1085-L1089

Request: Please consider updating the logic so that it checks if the share exists before attempting to create it, allowing read-only permissions to suffice when no creation is needed.</issue_description>

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 24, 2026
@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 24, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 24, 2026

Hi @copilot. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 24, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Copilot
Once this PR has been reviewed and has the lgtm label, please ask for approval from andyzhangx. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Mar 24, 2026
Copilot AI changed the title [WIP] Check if Azure file share exists before calling Create Check if Azure file share exists before calling Create to allow read-only permissions for existing shares Mar 24, 2026
Copilot AI requested a review from andyzhangx March 24, 2026 03:39
@andyzhangx andyzhangx marked this pull request as ready for review March 24, 2026 04:06
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 24, 2026
@k8s-ci-robot k8s-ci-robot requested a review from gnufied March 24, 2026 04:06
@andyzhangx
Copy link
Copy Markdown
Member

andyzhangx commented Mar 24, 2026

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 24, 2026
@andyzhangx andyzhangx changed the title Check if Azure file share exists before calling Create to allow read-only permissions for existing shares fix: check if Azure file share exists before calling Create to allow read-only permissions for existing shares Mar 24, 2026
@andyzhangx
Fix TestAzurefile: Account limit exceeded mock should return 404 on Get
c492e0b 
The new GetFileShareQuota check before CreateFileShare calls Get() on
the file share client. In the 'Account limit exceeded' test, the Get
mock was returning success (share exists), causing CreateFileShare to
short-circuit and skip the Create call. This left the Create mock
expectations unsatisfied.

Fix by returning 404 NotFound from the Get mock, simulating the file
share not existing yet, so the code proceeds to call Create as
expected.
@andyzhangx
Copy link
Copy Markdown
Member

andyzhangx commented Mar 24, 2026

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 24, 2026
@andyzhangx andyzhangx requested a review from Copilot March 31, 2026 07:29
Copilot AI reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Azure File share creation flow to avoid calling the write-requiring Create operation when a share already exists, enabling read-only permissions for pre-provisioned shares.

Changes:

  • Added a pre-check in Driver.CreateFileShare to detect existing shares (via a quota read) and skip creation when present.
  • Updated controller-server unit tests to account for the new pre-check behavior.
  • Added a dedicated unit test for Driver.CreateFileShare covering “exists / absent / quota-check-error” paths.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
pkg/azurefile/azurefile.go Adds an existence check before attempting share creation to reduce required permissions for existing shares.
pkg/azurefile/controllerserver_test.go Adjusts mocked share GET behavior to align with the new pre-check in CreateFileShare.
pkg/azurefile/azurefile_test.go Adds tests validating CreateFileShare behavior when the share exists, does not exist, or the existence check errors.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@linux-foundation-easycla
Copy link
Copy Markdown

linux-foundation-easycla bot commented Mar 31, 2026
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 31, 2026
@andyzhangx
fix: handle non-404 and retriable errors in file share existence check
e06a7ae 
- For 404 errors: proceed to CreateFileShare as before
- For retriable errors (throttling/5xx): retry via backoff instead of
  falling through to unnecessary CreateFileShare
- For other non-404 errors (e.g., ShareQuota nil but share exists):
  assume share exists and skip creation to avoid requiring write perms

Signed-off-by: andyzhangx <xiazhang@microsoft.com>
@andyzhangx andyzhangx force-pushed the copilot/check-azure-file-share-existence branch from 325dd36 to e06a7ae Compare March 31, 2026 11:07
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Mar 31, 2026
@andyzhangx
fix: address lint and test issues in file share existence check
4ba9c8a 
- Fix indent-error-flow: flatten if/else after early return
- Fix empty-block: add log message for 404 case instead of empty block
- Fix TestDriverCreateFileShare: non-404 error now skips creation
  (assumes share exists) instead of proceeding to create

Signed-off-by: andyzhangx <xiazhang@microsoft.com>
@andyzhangx
fix: fall through to Create on non-404 GetFileShareQuota errors
19ffa92 
Instead of assuming the share exists when GetFileShareQuota returns
a non-404, non-retriable error (e.g. 403 Forbidden), proceed to call
Create. This avoids silently skipping share creation when the check
itself fails due to insufficient permissions or other transient issues.
@andyzhangx
simplify: always fall through to Create on any GetFileShareQuota error
feadfaa 
Remove special handling for 404, retriable, and non-retriable errors.
Any error from GetFileShareQuota simply falls through to CreateFileShare,
keeping the logic minimal and letting Create handle all error scenarios.
@andyzhangx andyzhangx requested a review from Copilot April 4, 2026 15:13
Copilot AI reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@andyzhangx andyzhangx Awaiting requested review from andyzhangx

@gnufied gnufied Awaiting requested review from gnufied

Assignees

@andyzhangx andyzhangx

Copilot code review Copilot

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Check if Azure file share exists before calling Create to allow read-only permission for existing shares

4 participants

@k8s-ci-robot @andyzhangx