Merge pull request #1067 from andyzhangx/fix-readonly-publish

fix: propagate read-only mount from staging path and volume capability in NodePublishVolume

Author: andyzhangx

pkg/smb/nodeserver.go

@@ -79,7 +79,31 @@ func (d *Driver) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolu
 	}
 
 	mountOptions := []string{"bind"}
-	if req.GetReadonly() {
+	readOnly := req.GetReadonly()
+
+	// also check if the volume capability access mode is read-only
+	if !readOnly && volCap.GetAccessMode() != nil {
+		mode := volCap.GetAccessMode().GetMode()
+		if mode == csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY ||
+			mode == csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY {
+			readOnly = true
+		}
+	}
+
+	// also check if the volume mount flags contain "ro"
+	if !readOnly {
+		if m := volCap.GetMount(); m != nil {
+			for _, flag := range m.GetMountFlags() {
+				if flag == "ro" {
+					readOnly = true
+					klog.V(2).Infof("NodePublishVolume: mount flags contain 'ro', propagating to bind mount for volume %s on target %s", volumeID, target)
+					break
+				}
+			}
+		}
+	}
+
+	if readOnly {
 		mountOptions = append(mountOptions, "ro")
 	}
 

pkg/smb/nodeserver_test.go

@@ -476,6 +476,65 @@ func TestNodePublishVolume(t *testing.T) {
 				DefaultError: status.Error(codes.Internal, "Error getting username and password from secret  in namespace podnamespace: could not username and password from secret(): KubeClient is nil"),
 			},
 		},
+		{
+			desc: "[Success] Read-only from MULTI_NODE_READER_ONLY access mode",
+			req: &csi.NodePublishVolumeRequest{
+				VolumeCapability: &csi.VolumeCapability{
+					AccessMode: &csi.VolumeCapability_AccessMode{Mode: csi.VolumeCapability_AccessMode_MULTI_NODE_READER_ONLY},
+					AccessType: &csi.VolumeCapability_Mount{
+						Mount: &csi.VolumeCapability_MountVolume{},
+					},
+				},
+				VolumeId:          "vol_1",
+				TargetPath:        targetTest,
+				StagingTargetPath: sourceTest,
+				Readonly:          false},
+			expectedErr: testutil.TestError{},
+		},
+		{
+			desc: "[Success] Read-only from SINGLE_NODE_READER_ONLY access mode",
+			req: &csi.NodePublishVolumeRequest{
+				VolumeCapability: &csi.VolumeCapability{
+					AccessMode: &csi.VolumeCapability_AccessMode{Mode: csi.VolumeCapability_AccessMode_SINGLE_NODE_READER_ONLY},
+					AccessType: &csi.VolumeCapability_Mount{
+						Mount: &csi.VolumeCapability_MountVolume{},
+					},
+				},
+				VolumeId:          "vol_1",
+				TargetPath:        targetTest,
+				StagingTargetPath: sourceTest,
+				Readonly:          false},
+			expectedErr: testutil.TestError{},
+		},
+		{
+			desc: "[Success] Read-only from mount flags containing 'ro'",
+			req: &csi.NodePublishVolumeRequest{
+				VolumeCapability: &csi.VolumeCapability{
+					AccessMode: &volumeCap,
+					AccessType: &csi.VolumeCapability_Mount{
+						Mount: &csi.VolumeCapability_MountVolume{
+							MountFlags: []string{"ro"},
+						},
+					},
+				},
+				VolumeId:          "vol_1",
+				TargetPath:        targetTest,
+				StagingTargetPath: sourceTest,
+				Readonly:          false},
+			expectedErr: testutil.TestError{},
+		},
+		{
+			desc: "[Success] No nil panic when VolumeCapability has no Mount (block access type)",
+			req: &csi.NodePublishVolumeRequest{
+				VolumeCapability: &csi.VolumeCapability{
+					AccessMode: &volumeCap,
+				},
+				VolumeId:          "vol_1",
+				TargetPath:        targetTest,
+				StagingTargetPath: sourceTest,
+				Readonly:          false},
+			expectedErr: testutil.TestError{},
+		},
 	}
 
 	// Setup