feat: support workload identity token

[cvvz]

✅ What

Support provide workload identity token when authenticating rather than use the token file.

🤔 Why

Kubelet generate the token when mounting blob volume and we should pass the token to blobfuse2 rather than create a token file.

👩‍🔬 How to validate if applicable

I've already tested with blob-csi-driver

🔖 Related links

• Issues
• Team thread
• Documents
• [Email Subject]

[andyzhangx]

@vibhansa-msft this PR exposes WORKLOAD_IDENTITY_TOKEN as env variable, could you take a look? thanks.

[andyzhangx]

if we use WORKLOAD_IDENTITY_TOKEN env var, who is responsible for token refresh?

[cvvz]

The token was generated by kubelet when it try to mount volume, and it will be passed to csi driver and csi driver set it as WORKLOAD_IDENTITY_TOKEN env. Kubelet is responsible for updating the token ,but I think we should only use the token during mounting.

[vibhansa-msft]

Is this option something like where user is providing the token directly to blobfuse?
If so, what is the process to refresh the token or validation of token ?

[andyzhangx]

why do we need to save the token in a file? that's not safe

[vibhansa-msft]

My question was are we expecting a file name here in this env variable or directly the token. If directly token is what we expect then who will be responsible for the refresh. If its a file then re-reding the file (assuming the file now has the latest token) can work but giving directly the token will not work.

[cvvz]

The token was generated by kubelet when try to mount the blob volume and pass to blobfuse for authentication. I think we only need the token for mounting. Kubelet is responsible for updating the token ,but I think we only need the token during mounting.

[andyzhangx]

I think here the problem is when token is expired, whether blobfuse mount is still valid or not

[cvvz]

I created a blobfuse pod and the io was not impacted when the token expires.
If the token expired, kubelet will generate a new token when we try to mount again.

[vibhansa-msft]

If you remount then its fine as its a fresh start. Workflow we are discussing here is when Blobfuse remains mounted for a longer duration and in between the token expires. There will not be any remount in this case and newly generated token will not be forwarded to Blobfuse as well. In such case all storage REST call shall fail with 4xx errors. Can you validate this flow.

[cvvz]

I have tested that when the token expires, the blobfuse io won't be impacted. What kind of storage REST call do you mean? CSI driver does not have any storage REST call after volume mounted. Is there any REST call from blobfuse2 side? Can you show me the way to validate that?

[vibhansa-msft]

Blobfuse interacts with Azure Storage via REST call only. Lets assume you are trying to upload a 10GB file. Job starts and file is divided into block and each block is uploaded via a seperate REST call (few uploads going on in parallel). Now while the upload is in progress the token expires. As Blobfuse is not updated with the new token, it will continue using the expired token to upload the remaining chunks but the storage backend will fail these calls with Auth error as the token is expired. This is the part where you need to somehow convey Blobfuse to start using a new token. Generally MSI/SPN case Blobfuse acquires a token and 5 minute before its expiry it refreshes the token internally. Here as the token is provided as an input, its responsibility of the token provider to take care of the refresh and provide the updated token to Blobfuse while the job is going on. This is what Sourav pointed earlier in his comment that the function you have implemented shall take care of token update as well.

[vibhansa-msft]

If the token that you are sending it across to Blobfuse is not going to expire then its fine and I can approve the PR

[jainakanksha-msft]

@cvvz Please update PR description