blob-csi-driver

Support refresh of SAS token (re-reading it from KeyVault, updating the mount)

Open calohmn opened this issue 5 months ago • 4 comments

Is your feature request related to a problem?/Why is this needed

When mounting a storage container using a SAS token, the recommended kind of SAS to use would be a user delegation SAS. Because of the limited validity period of such tokens, they have to be re-created periodically. The updated token (in an updated KeyVault Secret) then needs to be applied to the blobfuse volume mount.

Currently, the only way to apply an updated SAS token seems to be to restart the pod which contains the (inline) volume for the storage container mount. For tokens that have a short validity period (of say 1 hour), this doesn't look practical, restarting pods every hour. It would be better for the blob CSI driver (blobfuseproxy) to support this kind of scenario, applying the updated SAS automatically.

Describe the solution you'd like in detail

Ideally, changes to the K8s secret containing the SAS token would be detected (via Kubernetes "watch"), and the corresponding mount would be updated. As far as I've seen, such a mount update would be possible when mounting using a config file - as noted in https://github.com/Azure/azure-storage-fuse/issues/1246 and https://github.com/Azure/azure-storage-fuse/issues/1301#issuecomment-1871728939.

calohmn Feb 06 '24 07:02
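The refresh decision behind this request, sketched as an added example (not code from blob-csi-driver or blobfuse): it reads the `se` expiry from a SAS token, recognises a user delegation SAS by its `skoid` field, and reports when the token is inside a refresh margin, without ever echoing the `sig` value. The names `SASInfo`, `ParseSAS` and `NeedsRefresh`, the accepted timestamp layouts, the 15-minute margin and the sample token are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SASInfo holds the SAS fields that matter for a refresh decision.
type SASInfo struct {
	Expiry         time.Time // from "se" (signed expiry)
	UserDelegation bool      // "skoid" is only present on a user delegation SAS
}

var seLayouts = []string{time.RFC3339, "2006-01-02T15:04Z", "2006-01-02"}

// ParseSAS reads expiry and SAS type from a token's query string. Errors are
// generic on purpose so no part of the token (including "sig") reaches logs.
func ParseSAS(token string) (SASInfo, error) {
	q, err := url.ParseQuery(strings.TrimPrefix(token, "?"))
	if err != nil {
		return SASInfo{}, errors.New("malformed SAS token")
	}
	for _, layout := range seLayouts {
		if t, err := time.Parse(layout, q.Get("se")); err == nil {
			return SASInfo{Expiry: t.UTC(), UserDelegation: q.Has("skoid")}, nil
		}
	}
	return SASInfo{}, errors.New("SAS token has no parsable expiry (se)")
}

// NeedsRefresh is true when the token expires within margin of now (or already has).
func NeedsRefresh(info SASInfo, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(info.Expiry)
}

func main() {
	// Constructed sample token; the signature is a placeholder, not a real one.
	sample := "sv=2022-11-02&se=2024-02-06T08%3A00%3A00Z&sp=rl" +
		"&skoid=00000000-0000-0000-0000-000000000000&sig=PLACEHOLDER"
	info, err := ParseSAS(sample)
	now := time.Date(2024, 2, 6, 7, 50, 0, 0, time.UTC) // fixed clock for the demo
	fmt.Println(info.UserDelegation, NeedsRefresh(info, now, 15*time.Minute), err)
}
```

A component watching the Kubernetes secret could run this check on each update and on a timer, so that a token that was never rotated is flagged before the mount starts failing.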