add unit tests to validate mount options

Author: Sneha-at

pkg/csi_driver/node.go

@@ -140,35 +140,23 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 	gcsFuseSidecarImage := gcsFuseSidecarContainerImage(pod)
 	enableSidecarBucketAccessCheckForSidecarVersion := s.driver.config.EnableSidecarBucketAccessCheck && gcsFuseSidecarImage != "" && isSidecarVersionSupportedForGivenFeature(gcsFuseSidecarImage, SidecarBucketAccessCheckMinVersion)
 	identityProvider := ""
-	if s.shouldPopulateIdentityProvider(pod, optInHostnetworkKSA, userSpecifiedIdentityProvider != "") {
+	shouldPopulateIdentityProviderForHnwKSA := s.shouldPopulateIdentityProvider(pod, optInHostnetworkKSA, userSpecifiedIdentityProvider != "")
+	if shouldPopulateIdentityProviderForHnwKSA {
 		if userSpecifiedIdentityProvider != "" {
 			identityProvider = userSpecifiedIdentityProvider
 		} else {
 			identityProvider = s.driver.config.TokenManager.GetIdentityProvider()
 		}
-		klog.V(6).Infof("NodePublishVolume populating identity provider %q in mount options", identityProvider)
-		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.OptInHnw + "=true", util.TokenServerIdentityProviderConst + "=" + identityProvider})
 	} else if enableSidecarBucketAccessCheckForSidecarVersion {
-		//Enable sidecar bucket access check only for Workload Identity workloads. This feature consumes additional quota for Host Network pods as we do not have token caching.
-		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(s.driver.config.EnableSidecarBucketAccessCheck)})
-	}
-
-	if enableSidecarBucketAccessCheckForSidecarVersion {
-		if identityProvider == "" {
-			identityProvider = s.driver.config.TokenManager.GetIdentityProvider()
-			fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.TokenServerIdentityProviderConst + "=" + identityProvider})
-		}
-		klog.Infof("Got identity provider %s", identityProvider)
-
-		identityPool := s.driver.config.TokenManager.GetIdentityPool()
-		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{
-			util.PodNamespaceConst + "=" + vc[VolumeContextKeyPodNamespace],
-			util.ServiceAccountNameConst + "=" + vc[VolumeContextKeyServiceAccountName],
-			util.TokenServerIdentityPoolConst + "=" + identityPool})
+		// As host network and sidecar bucket access check are exclusive the below assignment doesn't overwrite any of host network settings.
+		identityProvider = s.driver.config.TokenManager.GetIdentityProvider()
 	}
 
-	if enableCloudProfilerForSidecar && gcsFuseSidecarImage != "" && isSidecarVersionSupportedForGivenFeature(gcsFuseSidecarImage, SidecarCloudProfilerMinVersion) {
-		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.EnableCloudProfilerForSidecarConst + "=" + strconv.FormatBool(enableCloudProfilerForSidecar)})
+	enableCloudProfilerForVersion := enableCloudProfilerForSidecar && gcsFuseSidecarImage != "" && isSidecarVersionSupportedForGivenFeature(gcsFuseSidecarImage, SidecarCloudProfilerMinVersion)
+	identityPool := s.driver.config.TokenManager.GetIdentityPool()
+	fuseMountOptions, err = addFuseMountOptions(identityProvider, identityPool, fuseMountOptions, vc, shouldPopulateIdentityProviderForHnwKSA, enableSidecarBucketAccessCheckForSidecarVersion, enableCloudProfilerForVersion)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "failed to prepare sidecar fuse mount options: %v", err)
 	}
 
 	node, err := s.k8sClients.GetNode(s.driver.config.NodeID)
@@ -213,7 +201,7 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 		}
 	}
 
-	// Only pass mountOptions flags for defaulting if sidecar container is managed and satisifies min version requirement
+	// Only pass mountOptions flags for defaulting if sidecar container is managed and satisfies min version requirement
 	if gcsFuseSidecarImage != "" && isSidecarVersionSupportedForGivenFeature(gcsFuseSidecarImage, MachineTypeAutoConfigSidecarMinVersion) {
 		shouldDisableAutoConfig := s.driver.config.DisableAutoconfig
 		machineType, ok := node.Labels[clientset.MachineTypeKey]
@@ -396,3 +384,27 @@ func gcsFuseSidecarContainerImage(pod *corev1.Pod) string {
 	}
 	return ""
 }
+
+func addFuseMountOptions(identityProvider string, identityPool string, fuseMountOptions []string, vc map[string]string, hostNetworkEnabled bool, enableSidecarBucketAccessCheckForSidecarVersion bool, enableCloudProfilerForVersion bool) ([]string, error) {
+	if hostNetworkEnabled {
+		// Identity Provider is populated separately for host network enabled workloads.
+		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.OptInHnw + "=true", util.TokenServerIdentityProviderConst + "=" + identityProvider})
+	} else if enableSidecarBucketAccessCheckForSidecarVersion {
+		if identityPool == "" || identityProvider == "" {
+			// Identity pool and provider details are used in sidecar mounter to create the metadata service
+			return nil, fmt.Errorf("failed to get either of identity pool %q or identity provider %q", identityPool, identityProvider)
+		}
+		// Enable sidecar bucket access check only for Workload Identity workloads. This feature consumes additional quota for Host Network pods as we do not have token caching.
+		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{
+			util.PodNamespaceConst + "=" + vc[VolumeContextKeyPodNamespace],
+			util.ServiceAccountNameConst + "=" + vc[VolumeContextKeyServiceAccountName],
+			util.TokenServerIdentityPoolConst + "=" + identityPool,
+			util.TokenServerIdentityProviderConst + "=" + identityProvider,
+			util.EnableSidecarBucketAccessCheckConst + "=" + strconv.FormatBool(enableSidecarBucketAccessCheckForSidecarVersion)})
+	}
+	klog.V(6).Infof("NodePublishVolume populating identity provider %q in mount options", identityProvider)
+	if enableCloudProfilerForVersion {
+		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{util.EnableCloudProfilerForSidecarConst + "=" + strconv.FormatBool(enableCloudProfilerForVersion)})
+	}
+	return fuseMountOptions, nil
+}

pkg/csi_driver/node_test.go

@@ -458,3 +458,125 @@ func TestNodePublishVolumeWILabelCheck(t *testing.T) {
 		}
 	}
 }
+
+func TestAddFuseMountOptions(t *testing.T) {
+	t.Parallel()
+
+	vc := map[string]string{
+		VolumeContextKeyPodNamespace:       "sample-namespace",
+		VolumeContextKeyServiceAccountName: "sample-service-account",
+	}
+	sampleIdentityPool := "sample-identity-pool"
+	sampleIdentityProvider := "sample-identity-provider"
+	cases := []struct {
+		name                                     string
+		inputFuseMountOptions                    []string
+		expectedFuseMountOptions                 []string
+		identityProvider                         string
+		volumeContextParams                      map[string]string
+		enableSidecarBucketAccessCheckForVersion bool
+		enableCloudProfilerForVersion            bool
+		hostNetworkEnabled                       bool
+		identityPool                             string
+		expectErr                                bool
+	}{
+		{
+			name:                                     "validate fuse mount options for host network workloads",
+			enableSidecarBucketAccessCheckForVersion: false,
+			hostNetworkEnabled:                       true,
+			identityProvider:                         sampleIdentityProvider,
+			identityPool:                             sampleIdentityPool,
+			inputFuseMountOptions:                    []string{},
+			expectedFuseMountOptions: []string{
+				util.OptInHnw + "=true",
+				util.TokenServerIdentityProviderConst + "=" + sampleIdentityProvider,
+			},
+		},
+		{
+			name:                                     "validate sidecar bucket access check is disabled when host network is enabled",
+			enableSidecarBucketAccessCheckForVersion: true,
+			hostNetworkEnabled:                       true,
+			identityProvider:                         sampleIdentityProvider,
+			identityPool:                             sampleIdentityPool,
+			inputFuseMountOptions:                    []string{},
+			expectedFuseMountOptions: []string{
+				util.OptInHnw + "=true",
+				util.TokenServerIdentityProviderConst + "=" + sampleIdentityProvider,
+			},
+		},
+		{
+			name:                                     "enable sidecar bucket access check on non-host network and validate fuse mount options are correctly set",
+			volumeContextParams:                      vc,
+			enableSidecarBucketAccessCheckForVersion: true,
+			identityProvider:                         sampleIdentityProvider,
+			identityPool:                             sampleIdentityPool,
+			inputFuseMountOptions:                    []string{},
+			expectedFuseMountOptions: []string{
+				util.PodNamespaceConst + "=" + vc[VolumeContextKeyPodNamespace],
+				util.ServiceAccountNameConst + "=" + vc[VolumeContextKeyServiceAccountName],
+				util.TokenServerIdentityPoolConst + "=" + sampleIdentityPool,
+				util.TokenServerIdentityProviderConst + "=" + sampleIdentityProvider,
+				util.EnableSidecarBucketAccessCheckConst + "=true",
+			},
+		},
+		{
+			name:                                     "verify sidecar bucket access disabled does not set fuse mount options",
+			volumeContextParams:                      vc,
+			enableSidecarBucketAccessCheckForVersion: false,
+			identityProvider:                         sampleIdentityProvider,
+			identityPool:                             sampleIdentityPool,
+			inputFuseMountOptions:                    []string{},
+			expectedFuseMountOptions:                 []string{},
+		},
+		{
+			name:                          "validate cloud profiler flag is correctly set",
+			enableCloudProfilerForVersion: true,
+			inputFuseMountOptions:         []string{},
+			expectedFuseMountOptions: []string{
+				util.EnableCloudProfilerForSidecarConst + "=true",
+			},
+		},
+		{
+			name:                                     "validate sidecar bucket access check when identity provider is not set",
+			volumeContextParams:                      vc,
+			enableSidecarBucketAccessCheckForVersion: true,
+			identityProvider:                         "",
+			identityPool:                             sampleIdentityPool,
+			expectedFuseMountOptions:                 nil,
+			expectErr:                                true,
+		},
+		{
+			name:                                     "validate sidecar bucket access check when identity pool is not set",
+			volumeContextParams:                      vc,
+			enableSidecarBucketAccessCheckForVersion: true,
+			identityProvider:                         sampleIdentityProvider,
+			identityPool:                             "",
+			expectedFuseMountOptions:                 nil,
+			expectErr:                                true,
+		},
+		{
+			name:                          "validate cloud profiler with host network",
+			hostNetworkEnabled:            true,
+			enableCloudProfilerForVersion: true,
+			identityProvider:              sampleIdentityProvider,
+			expectedFuseMountOptions: []string{
+				util.EnableCloudProfilerForSidecarConst + "=true",
+				util.OptInHnw + "=true",
+				util.TokenServerIdentityProviderConst + "=" + sampleIdentityProvider,
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			gotFuseMountOption, err := addFuseMountOptions(tc.identityProvider, tc.identityPool, tc.inputFuseMountOptions, tc.volumeContextParams, tc.hostNetworkEnabled, tc.enableSidecarBucketAccessCheckForVersion, tc.enableCloudProfilerForVersion)
+			if (err != nil) != tc.expectErr {
+				t.Errorf("for test case %q, got error: %v, but expectErr: %v", tc.name, err, tc.expectErr)
+			}
+			less := func(a, b string) bool { return a < b }
+			if diff := cmp.Diff(tc.expectedFuseMountOptions, gotFuseMountOption, cmpopts.SortSlices(less)); diff != "" {
+				t.Errorf("got unexpected options args for testcase %s (-got, +want)\n%s", tc.name, diff)
+			}
+		})
+	}
+}