fix: Workload Identity token refresh issue

andyzhangx · andyzhangx · commit 0864993b3177 · 2025-07-12T03:42:15.000Z
fix

fix

fix

fix

fix
diff --git a/charts/latest/blob-csi-driver-v0.0.0.tgz b/charts/latest/blob-csi-driver-v0.0.0.tgz
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-driver.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-driver.yaml
@@ -12,5 +12,7 @@ spec:
   volumeLifecycleModes:
     - Persistent
     - Ephemeral
+  requiresRepublish: {{ .Values.feature.requiresRepublish }}
   tokenRequests:
     - audience: api://AzureADTokenExchange
+      expirationSeconds: 3600
diff --git a/charts/latest/blob-csi-driver/values.yaml b/charts/latest/blob-csi-driver/values.yaml
@@ -165,6 +165,7 @@ node:
 
 feature:
   fsGroupPolicy: ReadWriteOnceWithFSType
+  requiresRepublish: true
   enableGetVolumeStats: false
 
 driver:
diff --git a/deploy/csi-blob-driver.yaml b/deploy/csi-blob-driver.yaml
@@ -10,5 +10,7 @@ spec:
   volumeLifecycleModes:
     - Persistent
     - Ephemeral
+  requiresRepublish: true
   tokenRequests:
     - audience: api://AzureADTokenExchange
+      expirationSeconds: 3600
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
@@ -23,6 +23,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"sync"
@@ -160,7 +161,6 @@ const (
 	tagValueDelimiterField = "tagvaluedelimiter"
 
 	DefaultTokenAudience = "api://AzureADTokenExchange" //nolint:gosec // G101 ignore this!
-
 )
 
 var (
@@ -170,7 +170,8 @@ var (
 
 	// azcopyCloneVolumeOptions used in volume cloning between different storage account and --check-length to false because volume data may be in changing state, copy volume is not same as current source volume,
 	// set --s2s-preserve-access-tier=false to avoid BlobAccessTierNotSupportedForAccountType error in azcopy
-	azcopyCloneVolumeOptions = []string{"--recursive", "--check-length=false", "--s2s-preserve-access-tier=false", "--log-level=ERROR"}
+	azcopyCloneVolumeOptions  = []string{"--recursive", "--check-length=false", "--s2s-preserve-access-tier=false", "--log-level=ERROR"}
+	defaultAzureOAuthTokenDir = "/var/lib/kubelet/plugins/" + DefaultDriverName
 )
 
 // DriverOptions defines driver parameters specified in driver deployment
@@ -586,13 +587,17 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			if err != nil {
 				return rgName, accountName, accountKey, containerName, authEnv, err
 			}
+			azureOAuthTokenFile := filepath.Join(defaultAzureOAuthTokenDir, clientID+accountName)
+			if err := os.WriteFile(azureOAuthTokenFile, []byte(workloadIdentityToken), 0600); err != nil {
+				return rgName, accountName, accountKey, containerName, authEnv, fmt.Errorf("failed to write workload identity token file %s: %v", azureOAuthTokenFile, err)
+			}
 
 			authEnv = append(authEnv, "AZURE_STORAGE_SPN_CLIENT_ID="+clientID)
 			if tenantID != "" {
 				authEnv = append(authEnv, "AZURE_STORAGE_SPN_TENANT_ID="+tenantID)
 			}
-			authEnv = append(authEnv, "WORKLOAD_IDENTITY_TOKEN="+workloadIdentityToken)
-
+			authEnv = append(authEnv, "AZURE_OAUTH_TOKEN_FILE="+azureOAuthTokenFile)
+			klog.V(2).Infof("workload identity auth: %v", authEnv)
 			return rgName, accountName, accountKey, containerName, authEnv, err
 		}
 		klog.V(2).Infof("clientID(%s) is specified, use service account token to get account key", clientID)
diff --git a/pkg/blob/nodeserver.go b/pkg/blob/nodeserver.go
@@ -327,16 +327,17 @@ func (d *Driver) NodeStageVolume(ctx context.Context, req *csi.NodeStageVolumeRe
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "Could not mount target %q: %v", targetPath, err)
 	}
-	if mnt {
-		klog.V(2).Infof("NodeStageVolume: volume %s is already mounted on %s", volumeID, targetPath)
-		return &csi.NodeStageVolumeResponse{}, nil
-	}
 
 	_, accountName, _, containerName, authEnv, err := d.GetAuthEnv(ctx, volumeID, protocol, attrib, secrets)
-	if err != nil {
+	if err != nil && !mnt {
 		return nil, status.Errorf(codes.Internal, "%v", err)
 	}
 
+	if mnt {
+		klog.V(2).Infof("NodeStageVolume: volume %s is already mounted on %s", volumeID, targetPath)
+		return &csi.NodeStageVolumeResponse{}, nil
+	}
+
 	// replace pv/pvc name namespace metadata in subDir
 	containerName = replaceWithMap(containerName, containerNameReplaceMap)
 
diff --git a/pkg/blob/nodeserver_test.go b/pkg/blob/nodeserver_test.go
@@ -243,6 +243,12 @@ func TestNodePublishVolume(t *testing.T) {
 				// Mock NodeStageVolume to return success
 				d.cloud.ResourceGroup = "rg"
 				d.enableBlobMockMount = true
+				// Create the directory for token file
+				defaultAzureOAuthTokenDir = "./blob.csi.azure.com/"
+				_ = makeDir(defaultAzureOAuthTokenDir)
+			},
+			cleanup: func(_ *Driver) {
+				_ = os.RemoveAll(defaultAzureOAuthTokenDir)
 			},
 			req: &csi.NodePublishVolumeRequest{
 				VolumeCapability:  &csi.VolumeCapability{AccessMode: &volumeCap},
@@ -253,6 +259,7 @@ func TestNodePublishVolume(t *testing.T) {
 					serviceAccountTokenField: `{"api://AzureADTokenExchange":{"token":"test-token","expirationTimestamp":"2023-01-01T00:00:00Z"}}`,
 					mountWithWITokenField:    "true",
 					clientIDField:            "client-id-value",
+					storageAccountNameField:  "test-account",
 				},
 			},
 			expectedErr: nil,
