kubernetes-sigs / azurefile-csi-driver

Azure File CSI Driver
Apache License 2.0

Invalid parameter "clientID" in storage class #1926

Closed david-garcia-garcia closed 3 months ago

david-garcia-garcia commented 3 months ago

When trying to create a storage class using the azure-csi-driver (Bring Your Own File Share), if you specify a clientID in order to have federated credentials to authenticate to storage, the following error is shown:

Warning  ProvisioningFailed  4s (x3 over 7s)  file.csi.azure.com_csi-azurefile-controller-7b4bd556c9-rjrx7_bb43dbd3-479b-44d0-9b55-2e95d788cea2  failed to provision volume with StorageClass "sc-shared-fileshare-dgarcia": rpc error: code = InvalidArgument desc = invalid parameter "clientID" in storage class

Although this parameter is not part of the inventory for the class:

https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/driver-parameters.md

The examples point to this being supported as part of Workload Identity integration:

https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/workload-identity-static-pv-mount.md

The version of the CSI driver I am using is: mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10

What I am trying to achieve is have storage classes that can be used only in some namespaces (using policies):

resource "kubernetes_storage_class" "sc_shared_fileshare" {
  # each.key is referenced below, so the resource needs a for_each; the
  # snippet as posted omits it. A one-element set is assumed here so the
  # block is valid; the key matches the class name in the error above.
  for_each = toset(["dgarcia"])

  metadata {
    name = "sc-shared-fileshare-${each.key}"
  }
  storage_provisioner = "file.csi.azure.com"
  parameters = {
    storageAccount = data.azurerm_storage_account.example.name
    resourceGroup  = data.azurerm_storage_account.example.resource_group_name
    shareName      = data.azurerm_storage_share.example.name
    # A client ID is the identity's client (application) GUID; the .id
    # attribute would pass the ARM resource ID instead.
    clientID       = azurerm_user_assigned_identity.storage_identity.client_id
    folderName     = "myfolder"
    subscriptionID = var.sandboxes_subscription_id
  }

  mount_options = [
    "dir_mode=0777",
    "file_mode=0777",
    "uid=0",
    "gid=0",
    "mfsymlinks",
    "cache=strict",
    "nosharesock"
  ]

  reclaim_policy = "Retain" # Ensure PVs provisioned using this StorageClass are retained after deletion

  allow_volume_expansion = false

  volume_binding_mode = "Immediate"
}
david-garcia-garcia commented 3 months ago

According to the docs, this is only supported since version 1.30.1:

supported from v1.30.1 (from AKS 1.29 with tokenRequests field support in CSIDriver)

https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/docs/workload-identity-deploy-csi-driver.md

workload identity is NOT supported on AKS managed Azure File CSI driver if you are using AKS, please disable the managed Azure File CSI driver by --disable-file-driver first

Looks like my whole approach to this was completely wrong.
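A preflight check for the preconditions quoted in this thread, as an added example: it is not code from the azurefile-csi-driver project and was not posted by the issue author. It consumes the shape of `kubectl get csidriver file.csi.azure.com -o json` and `kubectl get sc <name> -o json` output, embedded here as constructed strings rather than captured from a cluster; the controller image string is the one from the report. Assumptions: the controller image tag is plain semver, `spec.tokenRequests` is the CSIDriver field named in the quoted doc line, and the audience value in the sample CSIDriver is made up for illustration.

```python
"""Preflight for Azure File CSI workload identity (added example, not project code).

Checks the two conditions quoted from the driver docs in this thread:
  * controller image tag >= v1.30.1
  * CSIDriver file.csi.azure.com carries spec.tokenRequests
and flags clientID used as a StorageClass parameter, which the driver
rejected with "invalid parameter" in the issue above.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

DRIVER_NAME = "file.csi.azure.com"
MIN_WI_VERSION = (1, 30, 1)  # "supported from v1.30.1" per the quoted docs

# Constructed sample inputs (not captured from a real cluster).
CONTROLLER_IMAGE = "mcr.microsoft.com/oss/kubernetes-csi/azurefile-csi:v1.28.10"  # from the report
# Shape of `kubectl get csidriver file.csi.azure.com -o json`, trimmed; audience is illustrative.
CSIDRIVER_JSON = json.dumps({
    "apiVersion": "storage.k8s.io/v1", "kind": "CSIDriver",
    "metadata": {"name": DRIVER_NAME},
    "spec": {"attachRequired": False,
             "tokenRequests": [{"audience": "api://AzureADTokenExchange"}]},
})
# Shape of the StorageClass the Terraform in the issue would produce; values are placeholders.
STORAGECLASS_JSON = json.dumps({
    "apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
    "metadata": {"name": "sc-shared-fileshare-dgarcia"},
    "provisioner": DRIVER_NAME,
    "parameters": {
        "storageAccount": "examplestorage", "resourceGroup": "example-rg",
        "shareName": "shared", "clientID": "00000000-0000-0000-0000-000000000000",
        "folderName": "myfolder", "subscriptionID": "11111111-1111-1111-1111-111111111111",
    },
})


def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'v1.28.10' (optional pre-release/build suffix ignored) into a tuple; None if not semver."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?", tag)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def image_tag(image: str) -> Optional[str]:
    """Tag of an image reference, ignoring any @digest and a registry port like host:5000."""
    name = image.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]  # e.g. 'azurefile-csi:v1.28.10'
    return last.split(":", 1)[1] if ":" in last else None


def driver_version_ok(image: str) -> bool:
    ver = parse_version(image_tag(image) or "")
    return ver is not None and ver >= MIN_WI_VERSION


def token_requests_ok(csidriver_json: str) -> bool:
    """True when the driver's CSIDriver object requests service-account tokens."""
    obj = json.loads(csidriver_json)
    if obj.get("kind") != "CSIDriver" or obj.get("metadata", {}).get("name") != DRIVER_NAME:
        return False
    reqs = obj.get("spec", {}).get("tokenRequests") or []
    return any(isinstance(r, dict) and r.get("audience") for r in reqs)


def storageclass_problems(sc_json: str) -> List[str]:
    """Catch the mistake from the issue before any PVC is created."""
    obj = json.loads(sc_json)
    problems = []
    if obj.get("provisioner") != DRIVER_NAME:
        problems.append(f"provisioner is {obj.get('provisioner')!r}, expected {DRIVER_NAME!r}")
    for key in (obj.get("parameters") or {}):
        if key.lower() == "clientid":  # matched case-insensitively to be safe
            problems.append(f"parameter {key!r} was rejected by the driver as a StorageClass "
                            "parameter; the linked workload-identity doc shows a static PV mount instead")
    return problems


def preflight(controller_image: str, csidriver_json: str, sc_json: str) -> Dict[str, object]:
    """Aggregate the checks; 'ok' is True only when nothing blocks workload identity."""
    problems = storageclass_problems(sc_json)
    version_ok = driver_version_ok(controller_image)
    tokens_ok = token_requests_ok(csidriver_json)
    if not version_ok:
        problems.append(f"driver image {controller_image!r} is older than v%d.%d.%d" % MIN_WI_VERSION)
    if not tokens_ok:
        problems.append(f"CSIDriver {DRIVER_NAME} has no spec.tokenRequests")
    return {"version_ok": version_ok, "token_requests_ok": tokens_ok,
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    result = preflight(CONTROLLER_IMAGE, CSIDRIVER_JSON, STORAGECLASS_JSON)
    for p in result["problems"]:
        print("BLOCKER:", p)
    print("workload identity ready:", result["ok"])
```

On the reported configuration the check returns two blockers (the `clientID` parameter and the v1.28.10 image) even though the sample CSIDriver has `tokenRequests`, which is the same conclusion the thread reaches; feeding it real `kubectl ... -o json` output instead of the constructed strings is the intended use.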