azure_file: add namespace tests for InTree to CSI conversion

When translating InTree pv to CSI pv we use default secret namespace
when it's not found in the InTree pv.

Using the default is not ideal for several reasons:
1) it can result in failed pod creation after users migrate to cluster
with CSI enabled because the existing intree pvs might not have the
namespace defined. In that case the "default" is used and mount fails
because secret could not be found.

2) falling back to "default" namespace can result in referencing a
secret from different namespace which is a security risk

However, there is another object we can use to determine correct
namespace which presence can be safely assumed - ClaimRef. Mounting a
volume is done only through a PVC which is bound. Binding adds ClaimRef
to PV and finally the volume gets mounted which is where the
translation code is used.

staging/src/k8s.io/csi-translation-lib/plugins/azure_file_test.go

@@ -223,6 +223,25 @@ func TestTranslateAzureFileInTreePVToCSI(t *testing.T) {
 			volume: &corev1.PersistentVolume{},
 			expErr: true,
 		},
+		{
+			name: "return error if secret namespace could not be found",
+			volume: &corev1.PersistentVolume{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "uuid",
+					Annotations: map[string]string{resourceGroupAnnotation: "rg"},
+				},
+				Spec: corev1.PersistentVolumeSpec{
+					PersistentVolumeSource: corev1.PersistentVolumeSource{
+						AzureFile: &corev1.AzureFilePersistentVolumeSource{
+							ShareName:  "sharename",
+							SecretName: "secretname",
+							ReadOnly:   true,
+						},
+					},
+				},
+			},
+			expErr: true,
+		},
 		{
 			name: "azure file volume",
 			volume: &corev1.PersistentVolume{
@@ -299,6 +318,51 @@ func TestTranslateAzureFileInTreePVToCSI(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "get secret namespace from ClaimRef when it's missing in pv spec source",
+			volume: &corev1.PersistentVolume{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "uuid",
+					Annotations: map[string]string{resourceGroupAnnotation: "rg"},
+				},
+				Spec: corev1.PersistentVolumeSpec{
+					PersistentVolumeSource: corev1.PersistentVolumeSource{
+						AzureFile: &corev1.AzureFilePersistentVolumeSource{
+							ShareName:  "sharename",
+							SecretName: "secretname",
+							//SecretNamespace: &secretNamespace,
+							ReadOnly: true,
+						},
+					},
+					ClaimRef: &corev1.ObjectReference{
+						Namespace: secretNamespace,
+					},
+				},
+			},
+			expVol: &corev1.PersistentVolume{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "uuid",
+					Annotations: map[string]string{resourceGroupAnnotation: "rg"},
+				},
+				Spec: corev1.PersistentVolumeSpec{
+					PersistentVolumeSource: corev1.PersistentVolumeSource{
+						CSI: &corev1.CSIPersistentVolumeSource{
+							Driver:   "file.csi.azure.com",
+							ReadOnly: true,
+							NodeStageSecretRef: &corev1.SecretReference{
+								Name:      "secretname",
+								Namespace: secretNamespace,
+							},
+							VolumeAttributes: map[string]string{shareNameField: "sharename"},
+							VolumeHandle:     "rg#secretname#sharename#uuid#secretnamespace",
+						},
+					},
+					ClaimRef: &corev1.ObjectReference{
+						Namespace: secretNamespace,
+					},
+				},
+			},
+		},
 	}
 
 	for _, tc := range cases {