From 109d31b6b4fc61a1ef0817854da53b5e18439f2a Mon Sep 17 00:00:00 2001
From: Jeremiah Lott <jelott@microsoft.com>
Date: Fri, 12 Jan 2024 14:53:26 -0500
Subject: [PATCH] Workload Identity Fixes

- Always extract workload identity information from the environment, regardless of if config is loaded from secret or from file.
- Do not attempt to validate or fetch storage account keys if Workload Identity is chosen as authorization type.
---
 BLOB_CSI_VERSION                              |   2 +-
 charts/index.yaml                             |   9 +
 charts/v4.6.0/blob-csi-driver-v4.6.0.tgz      | Bin 0 -> 5868 bytes
 charts/v4.6.0/blob-csi-driver/Chart.yaml      |   5 +
 .../blob-csi-driver/templates/NOTES.txt       |   5 +
 .../blob-csi-driver/templates/_helpers.tpl    |  49 +++
 .../templates/csi-blob-controller.yaml        | 224 +++++++++++++
 .../templates/csi-blob-driver.yaml            |  14 +
 .../templates/csi-blob-node.yaml              | 296 ++++++++++++++++++
 .../templates/rbac-csi-blob-controller.yaml   | 121 +++++++
 .../templates/rbac-csi-blob-node.yaml         |  44 +++
 .../serviceaccount-csi-blob-controller.yaml   |  17 +
 .../serviceaccount-csi-blob-node.yaml         |  17 +
 charts/v4.6.0/blob-csi-driver/values.yaml     | 173 ++++++++++
 pkg/blob/azure.go                             |  22 +-
 pkg/blob/blob.go                              |   5 +-
 16 files changed, 990 insertions(+), 13 deletions(-)
 create mode 100644 charts/v4.6.0/blob-csi-driver-v4.6.0.tgz
 create mode 100644 charts/v4.6.0/blob-csi-driver/Chart.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/NOTES.txt
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/_helpers.tpl
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/csi-blob-controller.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/csi-blob-driver.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/csi-blob-node.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
 create mode 100644 charts/v4.6.0/blob-csi-driver/values.yaml

diff --git a/BLOB_CSI_VERSION b/BLOB_CSI_VERSION
index 5f8ad4523..f63f06be9 100644
--- a/BLOB_CSI_VERSION
+++ b/BLOB_CSI_VERSION
@@ -1 +1 @@
-BLOB_CSI_VERSION=v4.5.0
+BLOB_CSI_VERSION=v4.6.0
diff --git a/charts/index.yaml b/charts/index.yaml
index 95c994326..3c13c1a12 100644
--- a/charts/index.yaml
+++ b/charts/index.yaml
@@ -361,6 +361,15 @@ entries:
     urls:
     - https://raw.githubusercontent.com/avoltz/blob-csi-driver/staging/charts/v4.5.0/blob-csi-driver-v4.5.0.tgz
     version: v4.5.0
+  - apiVersion: v1
+    appVersion: v4.6.0
+    created: "2024-01-12T20:20:15.553036749Z"
+    description: Azure Blob Storage CSI driver
+    digest: c78b006ff5897b590ed4b27b2f9d8ee8dae23f91e2e885eb5cea09dac9b4195f
+    name: blob-csi-driver
+    urls:
+    - https://raw.githubusercontent.com/avoltz/blob-csi-driver/staging/charts/v4.6.0/blob-csi-driver-v4.6.0.tgz
+    version: v4.6.0
   - apiVersion: v1
     appVersion: latest
     created: "2023-12-01T09:01:28.976577418Z"
diff --git a/charts/v4.6.0/blob-csi-driver-v4.6.0.tgz b/charts/v4.6.0/blob-csi-driver-v4.6.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..5a34c0b12902a3f1016d36ada40a20ddd4b84ae3
GIT binary patch
literal 5868
zcmV<I78B_oiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PH<&bK5r3{j6VsQF_zfJ)vIwmY!z(!M2oC6I<3uPI~urIv$8z
zNjQ@L3xJAM*Z=()0HpY?H_J+{kC+d!$i?mg++8eo7vRWcBg+=VayXd*uU}0um$f<e
z-0yaFH5!e^*~y9iztL!9|8F$Uj=yW3oSrt0o9~*ZXWuoNC+Zez?2d)<D-aU%?;0<r
zmF?Vr$%TFL8Mq*fw$Q9u!M?xv>0${&RvZvEC%)A8F8&BOpi7sH&`>gtCxEVoU1Wr(
zLa_%elo6@QY=Qrzc2;XtzIK-nSK`X*{|vhUh}{~1<@(=joSnYQ>i@~{(Lw+BaS;zs
zpjAO=gar)1XD#H}yyg*`Gr`8PW;0Jcb=gQkA;iIFf=I^aEmVK_Nz`pY>X8&_2#F^P
z<Dq{0f$R2}OYC_Ib;ms>`y2#N_0Sfi&)JM9`vAOv028AA5R8CRkRTKZMbGl%Mls3R
zaqYC$SVht$GoT<upR*CHM=@&Rt0oD0N3~{SH9^W8Xlvyfz=R0N@dh1LjYHM6c+@<_
z!cVI?umu@_Ab)H!!rU}SkZP_bRk2+bIN>bO4@NGruhgAN<;@#3fH82OHXz9mqktGk
z9^-%n*c_x#w?}{i0S@{y1**vqIzd`Qg+jq$+(J_+ebK5Xn6434cbF~e5{m~>w;3Ii
zNx;GKnPb_EN=zv5y258^WR}m#3`>ZHbY8FM`~ARmhlZOL`t`TU8)P9fr+M@6<;_3B
z+<^432bGEdJ|i|<*ftBORO4%Nz!F+W@&M2q^o#0>`ui;kVG%aK0(~K_tNLu3IB3i`
znzNvWh9K2&jIk>Kk+HgozF?|v1_IP?j@TDkQ}h^>oVhOWmU`2c(Z$70OJMW{DP|EH
zqhZKG$Zt625q-w>@P|U1K&QoU3q%z@!gh906#9juphe?KacV0ML!ri$GKtkMEfd&r
z^nb34<P?z498vL^a}h(e(9?4sjf+R%F2iuG0Ze0LS?DSdl6jeSgi3}ykl4WzS8NTE
zXo%1o^zf6gu<z#`AH~x(%s{(I81*?}oXGi=i-pDyR48vszf8px5&@r)86XaV1>6QC
zri{yVrQc@M24BVsphu^!l)w*3TRsQyv@ch$_(^_x`i+RWkl<Oi8wd&9vN@5&#;&41
z1UpdBTHfGMqKV>EjVJSc#$`a&L&*>iC|W2T!U9o7Ib#xy=172)N~N(<dX4VNU{e%E
za|Dmr^IbqK^*aO7LQe|!h4>_ts5cvpCVH;qfu1Xsgi0)gtw1%DTq^T)rN=AQ>K4Mv
zfLZ#XnQNSKXyIcUT1dSR%Zy(IDOqD*I-ajachP1c{!=Do59Ald9~O2(PKj8IkIe$t
zQ3~Y{fk!Sl$_T`aBZq++SBV_(fjWp$bTjNm%_~SrEGM?;GcH@`=$~iDC&g3W6tF9&
zG1yT>PY*7!v1lRvE1<XZ1}k}J8G{tvyfXasT}&Z<<g$s9dAEg5H7+B`!jLPP?-gGj
zks|t~nD_MDblPa#knk>t-vbayDBBN|6nMF2M^USS{+1JKzK~e#A(hiOdLfPMME+Vs
zhsR^0)HyV9%K8sMnO4TbTavlJL+h)tSm*)fEmYMr1!peQ(iY0o5>yQ-GGDb;*s7gJ
zBBY2Oz<3O{Y@uq84ecp7feY2O@Q2FbD`9+fD%K0gRP@xEH%sdFS2IZZX_vZ$!e{0N
z9(;uPg>8cnzYsa?IzXishe*ji{P>CD878i>PA$}2&$=Av>;q7R;L>HIaUh`2*<*sr
zD0N$7BveT3x>18g2V&qw_@dgZozzaNMa_;1+8xCWk7|wDv1uqk-r&buALx7HLND+V
zExpWx>OalW&$J9J_b1=M655xGb`iZRY)_$&<+O$Bo_5o*uWb1p@n9&i=Xa?FX_JKA
z^^~vG2ksFejOWvM_wHTZ&hFLnl`e3;vax*`k*#cCfhnkr0n32vw=fnTI1Bt}?KA-F
z{KAQZTWW(+wD-fixep7q_yE#q<4|I?A~8}>G2Ue><wn<RL2BAagbQ}#sVZ0LVgghd
zAtjbU^m`bL$K<hvs<*?TH3ipGPj&kbY}o#Iy-?C>6}>?VO-Cj?q;CI6nbKwP_qV9s
zx%~9uE$a5(-@Zk^Tnu{M-iNoSGZ@?sl(VBe)=;xG6Y56%yW$cWJgVL(gXMy3q52H-
zx=Tj&@J>Z*ljN+092gNyD;4EBxePlC)1-|d0V=!gkjxwOE7P7Xc7H?Nv36B2F4{`X
zlzU^A33{EvEi43?P;iikDV`{IE5wV4@v{ik?S)$XNT6ydhK0Tr`pTN1RBJt<)@~Z4
z+eTlAoNBPmsD>oEZ6#(QF5Ru2$A7Z%KM9_%V>k8Q?OkVBlaKPnG*-p`kI#-W@xRlv
zv$I3|Zy(p4(u!q4eWd}Da9QGj@3J}Q)wEu<hQeQ~RPGqEr(i#<KxUS?63almMZODI
zfLctnDxv<{(nXd<BQNIs=?T>apy6r@-v&KDE0zp0%MzhkKCf~EnQMifpR35SzF=uj
z59x>0Rj&W{Q*eFYq9*+prUF*z|IzW;Nk;$AP7nFN{ajB^^?#rl@mhM`8WR`f+=p{d
z4U0X67Wzm1`MFZjV4X)FQ%6r{Gz<gk8BnK;HQdvag&Y_Y3aF~x5(QU9R{RJDu0%DH
zW!9=$`)o2!3i5UaoD&DopUPXNHaa`je-h95E2wJ4$bdTfZ_QifN(UGXFNQnCYM6Rd
zbG42ukLEGQCeT-_6f>?tVq!igRE|;gZ^HVUsHQt${tlN9=uaI#QC6z@KUGw{uWr*B
z=6Otc62`EJGA1Jc6Oc66u<vIUt;S1ydP0$Ir`}Bs6*kf<CTg38Sz}txvI(A+@#`k|
zR1XQY-M}g9O$lc<^L$3NPn(Ff=HYzIrNzb@_dImQtkFE(_bB2W@ji~;{KX<?UW{;&
z|5n&?P5wl`2TZ0$_4&D?T=JTj*0mTGbs?0`T9TbmlafJd^B76?Z|u2CAQpsEZ`P>2
zAGq!!Ni$|Vj_wLn{GR<dkCJ%VF^Ab?iz1v$!01LC(+MnXhZZ>+HM}LgNq6jP+uU#I
zDxd!g0_Izm1uUQcj~ZvE8UJ4`-5ZDbe;?Nap-v06wPWuAm6c>c5cYjhpEWB{{wt0-
zC|!$;Nh}^ToE{8R7>6u#;VUSdEllu4XV6xmMJPXQxQprHPech-OK5bWz=aPw_Za6h
ziqS{U4T)$LYK1XAX-}^cY_82{5v%zbE@t`6G>r5wB%c^~9qUSQvH>sa4%|<<Cb8Ad
z#$0Mqz$Mwn#GoS3S`^W!>tJnF@?a4*H~2&ATtae@rHw3jW+IE9FX=*J0!X7yq>$q_
ziR^Q$VCu{?`x7OpW;$d9P~FsFpn{ha1sN0Mqp)L=_Hr`0Q7fJ%)m1dfW_y@xohDxL
z>QX7qVu?(E#O)j^qHySy2`0QJT*zODoc?U!L%?*QMK5cG(vK5lV^XOQ?m|M+z8VuP
zqyv&=5}C9cab`3jamy26VQexrh~?s+C6>&%u0b-Dttz3sOgfVTmT@FkNn}B7LE>fQ
zo+iEE=yj*_`U}<t*lGpP=S(eD<NFAyg=-590xF3IZL`!|+P_2qKPH@t>Tl5F*eQ;A
zvJy$YWXW3inx|OwIq0Qey_(j)S~^o+i%YhW)-6=%7OEx&*R+qy`Ox!o?%6WjtyRzx
zPtfyo)eL|uU`>8@M>9QPAcXluB*j1td)1nqA60WVwWEt2hl3F3-~V{gZVx)c;ol1Y
zUBC`-3&MJ$)evjMEDMk*No9dNZyq&7!DD!o99yP#%8Gn}^YkRT0M_|l>=WyEU!0#d
zmO+dHF64Q$kpcob%MPQF-f);w&ydLkwNO1Q7_13qKV$`=pC}Yu^^W7B!u0E%=?vJ7
zE||;mXVRf2hZ<F%#+Tt<@deUy2v0nY)1|1ut4R5VAz+5xgul@|N-`V`T9kpcOws5X
z8lTG9?pEQKpw8=F8hA@}-xbAmls&E1Wddm+_1jpe-Lc34n34s{XI!2ayD@2Q;}VC0
zky$GLX*}DA{}KULSGjg<A^s_DS4zLG>|8_U^*UsyqMpZ?mp2WwrC@J|f4w=&nw5!M
zn2s-=M1VRzBUGM$|KruLd*A7``?uZRUD31_mIW@9rBT!WTE%1&MTEtaP0UEW@+9Nt
zZnOX`nuT@v(K0#k2~b(kI#a(;j3~xn2^~`}K$IzYDB(yKR++k4%Y-_uY_}2vQ&@Jj
z8RpnkSQGscFG5#uS>X9{o}yQRzOWQ5gIU?XoP;i1TvO5Y67z@_^Rt2YBlFDXOfs9f
zEp&I)--eB}>=sfELDr;PSW;!KF(z)n;cm)7OquJL(zf`TO6h+9*~(HfrnzJQbl-}e
z5lSS%ZW~-YAA-%OBU<RVk%9>)xW(gU`mqn3FsHb2xf}Sup9Y=#t3jvT>D_fNuJ7M>
zuRBFf;d{=!Y+v>IXiO$I*#8Lg0gUqi(Q64y9XU9bTHzJI=^9NndIis-lAlDKUbZ9s
z+xC6$;${Qh#{^ubglYZE%(9V(u1#Md>5rc-JA+>5t~1me4Eq;Xugr!v8-=_i=Za$A
zKA_~WRj-$ORN)LyA!~HwnlDtXX7w*(;OD!${_ws(xc%3^i|OZ$c>-?+Y2h@xg2Qzf
z+?>Bn*h}lyhuiyM`{Vuf?T7p8&gahcx>WOZdnLmFzsIIhnSNB&)jC6o?FT&<ln#Yq
zu+#h89o+VAI=wrs{r!u(pG%g7Ann8+mAYn8C_0*O?LUIi)dRHJiC&}|_qKG*HqLak
z5K(N>cKcR@aF_V}iZdbHx(!@rXE_eoxux#Bz)UXJqy)1%PFgdSnW#DjhjF}LRujlA
z{~`MlvjqGHQn#@sc_3t6hgNKvc_W(-%oa;2C9^A6P{}=*>xB!$ogq696&B(x4B17H
z+lL5WNNc@i*1AE!!Vuy<0)szTQ%oHfEMvedLIVL7aL)L-t^xny>xS*3vH#X%7BQ<O
z>Sh=%2-p|$rx#dyJH}I9UkgqAlnK+BwD-Mw;xMU<HsLz=GQZ`fylnxq)yz?BidXWO
zx69>u+f8PNov~9s3#>%8VoF$*Xw4+4%ClERBAabon88kP@H+J$Yt;XQUgq{kf~>0l
zKY5p}|7kQEhx-4$T$W{}N`8c?*{?nPWNH_i6;mN}HSC%_UdxMt(y_lxiO&|bJ6K9=
zPY3XOKsY$@MmV22T{>pBRL?RCXDzeAD#2K|3#*obFf5u`;F^rVp4%?mFb5VJy83Ed
zgf!=9s2d%B3LbFm{zdi?tfBvuIq;$bfmYQ2ogE!#_y4>*Jvp5JvzIHZ|HI%hI)p9C
z|Fm@MvhXj1a4WMB=v}u%$+3h<xOG^$hlEbdhTO;_$ZllL@{xWXaTHdXBoS^?IhgC|
zSE(5+;Nnm%_|>Wf3p=*og1!uKEguE@^wYI}{cby)g_oBGCZZ~@RQjj*-L~j2S1o3g
zWBWR|xSTU0t&m;h?wTFy%ExI3oX|;lUId|&?u4?%?am|Efj)^bwW3Kfcn91Q*$jbY
z%u(mj=MbJ8P>@3iPrs064|@KJcenSL?9xJ*aD#Z^Geu!WxD2ps#ap{$`O6AjvO2av
zozpO@RodM6b}JKge|A)pxUmkaLA+X0!Wf>QVMWJRSiWk1sPQNdKITGcnN#_q%VwU3
zsgsLS*3&~>S8u2$rpaJosVIhmJ|iwn)UqiP%Px%>wmX;Ii{AbF!ENuZ(`y&U4y%+=
zLM3o)OESxqA{tEH-tg|?`uhIz`u6hur(t21Gd=cNMpH+=)H27m6og6*v53h1=gwf*
zz3pv9EOUTNDY0zNj&{+tqm_L-+DYe*R`qV!xx2r)_}Beyztht>zWd&%o2^LZj?O8i
zsp!3kl(!z8c6WGjdEL4H)Nfzhb=sF((aN0blOeV`^sT%hD-g>9-wLFj1xd9BX|HOp
zKsG8;&s40&sP|FIxM4c>P)_^bT~4d@YTZgPg=cntw015?Bj2`iwfMl@HRP?}6s+A!
z-AV#^NhoTvr3AhP_06R*PS@tZ!Ue_RrRm(OkLC3I`ybnb?&r?ne$e@FKfJyAc;COc
z`#FyxEn`dS{opZPsYh3#7iTc9ILLXo9f`1b%z^V_R2lQWWkuoXI{xHVIq1ZMUC`ZP
zTnXVbiN~<(==r(syTOD|Q7=tX6fyBCIqbM`>WwT%kp$h=1{SE|p@x4CHT-6t+g0^`
zdO?_MxmW<{YQ?2Uz?p!J?I~DV$dXt(?GK%+i>seI_cynndUwmw=wL#IrCisGLk<P#
z6f|+pzyI;$r_0WL@3!611+qnyx7~EGMv1@X`8A6B%MmXr>;Lw)NvyNcz(nQN*kX_t
zqzTBV+(}3*#d$&Qw&+yM5=Qk=s@gFX5_`U7B;FxB&uZDJtHqd&()jTatT}|)Gg_Ao
zCDBLjMjd~ExrOzqyVe&XrxtNQ&CD{dSL>bE`?5V98~Nzl?dCY_sW|MZIP9q?_I=AH
z<F(M<Ya=Aev6nautC6QC{KJ-zwfNg+OGw%g+KoVGKK7OeNJzZ!!Pav?uT1d{n^s<9
z)5^9voqcR}S+>e9T)}eY;|VsO4!k6eu4mR$Ng)fmjb4nr-kzH@A}^JRiyND&IOPcL
zRw54@cE0fqJDIr2lC3(6y#pJk+Lz{nmX@q1L6_u%R+YUM#WSp>tzHyfOMB5Pb~Y?A
zN87Ww6$d5O=*0tdAAfXi8@5U#hszmz(RPz1Hg)acNTpI2A3sTpN2&2W>~}frcR5_I
zah2Eq^AWbKog4zZV*k(CS@!!MN6mN5L;e3=u8fAOmtHdm&gp}@!_7aYJa@ocNNo_%
z&^VA&#>pRgMoR1(TDogMw+#IQ3mzqKirwTHiTXUt?e`Dyz%^B<mRj`cEkB}#eyvu2
z)0h%Y;ICDGvBxL$=|Z3x@R0_XfULenRhJ0;zy6Gf`ooNq`pZ#sJm_{?5VT!PytS#C
zy$waQ(tEdxD2EWXi-lOTpKJCBW<cc@BNz7OEvouu<W_gf7DTxhJMGYm5Za7!htQ--
z6w%OoV|FrV70a?Jd2PKU)FE{88cLfv)6^P;q_*Gk7mWS`whXn_bY++-?XSc>;wC5m
zuCpacS(`9umN$7Xv0sr`EE)H*m-nisHauJ6zroC|VIp>HWnV<0Za#07CA4KPitXyl
z4C>yklalX!+os(J_+P*%Wd>qxgS1n7q~1vB+e&<^-qcX+&nShTwJ8zuP^Q;42h1r$
zw9pc*HhXueUQGcvd#(QuT!gLUd>xg1dU~C>$hzzQmmC7H>id63r>EKTKTb{#=YQ<w
zTCx7$>qMYyq`##p;J1pt_r`qkkU4-%3?F%ckouFp^W+Y2B$<Znf4<V+Nn4a!M#-WO
z8<A)NQbe#nsJ}Q1Ce!fF58@R(>euj^%R>?0?ELtZCc~s?e=E~qa-;lSCcpyy{+d(Y
z;aWQXhth(Lw7et}uwwpiHqNs1|4E~H`2OEsu3UyM?J38eK&E!A(CRE*p|5blH$OON
z1B<!o*);2&OOrbMWmz+W-XczFK$dc`iem{Bufwr{TS+>J?rGKcQxA6duXAl~|2JO=
zuC)KB?=trP==AjP{rA0GU(No<-si#cA1wdjI$VeAa2>8aU;h^X0RR7_#hx<&qyPXm
C<exwQ

literal 0
HcmV?d00001

diff --git a/charts/v4.6.0/blob-csi-driver/Chart.yaml b/charts/v4.6.0/blob-csi-driver/Chart.yaml
new file mode 100644
index 000000000..8bc1d2a87
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: latest
+description: Azure Blob Storage CSI driver
+name: blob-csi-driver
+version: v4.6.0
diff --git a/charts/v4.6.0/blob-csi-driver/templates/NOTES.txt b/charts/v4.6.0/blob-csi-driver/templates/NOTES.txt
new file mode 100644
index 000000000..9ad135dd4
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/NOTES.txt
@@ -0,0 +1,5 @@
+The Azure Blob Storage CSI driver is getting deployed to your cluster.
+
+To check Azure Blob Storage CSI driver pods status, please run:
+
+  kubectl --namespace={{ .Release.Namespace }} get pods --selector="release={{ .Release.Name }}" --watch
diff --git a/charts/v4.6.0/blob-csi-driver/templates/_helpers.tpl b/charts/v4.6.0/blob-csi-driver/templates/_helpers.tpl
new file mode 100644
index 000000000..d99392f32
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/_helpers.tpl
@@ -0,0 +1,49 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/* Expand the name of the chart.*/}}
+{{- define "blob.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "blob.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common selectors.
+*/}}
+{{- define "blob.selectorLabels" -}}
+app.kubernetes.io/name: {{ template "blob.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Common labels.
+*/}}
+{{- define "blob.labels" -}}
+{{- include "blob.selectorLabels" . }}
+app.kubernetes.io/component: csi-driver
+app.kubernetes.io/part-of: {{ template "blob.name" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+helm.sh/chart: {{ template "blob.chart" . }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end -}}
+
+
+{{/* pull secrets for containers */}}
+{{- define "blob.pullSecrets" -}}
+{{- if .Values.imagePullSecrets }}
+imagePullSecrets:
+{{- range .Values.imagePullSecrets }}
+  - name: {{ . }}
+{{- end }}
+{{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/v4.6.0/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-controller.yaml
new file mode 100644
index 000000000..4d2353357
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -0,0 +1,224 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ .Values.controller.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.controller.name }}
+    {{- include "blob.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.controller.replicas }}
+  selector:
+    matchLabels:
+      app: {{ .Values.controller.name }}
+      {{- include "blob.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.controller.name }}
+        {{- include "blob.labels" . | nindent 8 }}
+        {{- if .Values.workloadIdentity.clientID }}
+        azure.workload.identity/use: "true"
+        {{- end }}
+        {{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+        {{- end }}
+{{- if .Values.podAnnotations }}
+      annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+{{- with .Values.controller.affinity }}
+      affinity:
+{{ toYaml . | indent 8 }}
+{{- end }}
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
+      hostNetwork: {{ .Values.controller.hostNetwork }}
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ .Values.serviceAccount.controller }}
+      nodeSelector:
+        kubernetes.io/os: linux
+        {{- if .Values.controller.runOnMaster}}
+        node-role.kubernetes.io/master: ""
+        {{- end}}
+        {{- if .Values.controller.runOnControlPlane}}
+        node-role.kubernetes.io/control-plane: ""
+        {{- end}}
+{{- with .Values.controller.nodeSelector }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+{{- with .Values.controller.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+      containers:
+        - name: csi-provisioner
+{{- if hasPrefix "/" .Values.image.csiProvisioner.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}"
+{{- else }}
+          image: "{{ .Values.image.csiProvisioner.repository }}:{{ .Values.image.csiProvisioner.tag }}"
+{{- end }}
+          args:
+            - "-v=2"
+            - "--csi-address=$(ADDRESS)"
+            - "--leader-election"
+            - "--leader-election-namespace={{ .Release.Namespace }}"
+            - "--timeout=120s"
+            - "--extra-create-metadata=true"
+            - "--kube-api-qps=50"
+            - "--kube-api-burst=100"
+          env:
+            - name: ADDRESS
+              value: /csi/csi.sock
+          imagePullPolicy: {{ .Values.image.csiProvisioner.pullPolicy }}
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+          resources: {{- toYaml .Values.controller.resources.csiProvisioner | nindent 12 }}
+        - name: liveness-probe
+{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- else }}
+          image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- end }}
+          args:
+            - --csi-address=/csi/csi.sock
+            - --probe-timeout=3s
+            - --health-port={{ .Values.controller.livenessProbe.healthPort }}
+          imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+          resources: {{- toYaml .Values.controller.resources.livenessProbe | nindent 12 }}
+        - name: blob
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+          image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+          args:
+            - "--v={{ .Values.controller.logLevel }}"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--metrics-address=0.0.0.0:{{ .Values.controller.metricsPort }}"
+            - "--drivername={{ .Values.driver.name }}"
+            - "--custom-user-agent={{ .Values.driver.customUserAgent }}"
+            - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}"
+            - "--cloud-config-secret-name={{ .Values.controller.cloudConfigSecretName }}"
+            - "--cloud-config-secret-namespace={{ .Values.controller.cloudConfigSecretNamespace }}"
+            - "--allow-empty-cloud-config={{ .Values.controller.allowEmptyCloudConfig }}"
+          ports:
+            - containerPort: {{ .Values.controller.livenessProbe.healthPort }}
+              name: healthz
+              protocol: TCP
+            - containerPort: {{ .Values.controller.metricsPort }}
+              name: metrics
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /healthz
+              port: healthz
+            initialDelaySeconds: 30
+            timeoutSeconds: 10
+            periodSeconds: 30
+          env:
+            - name: AZURE_CREDENTIAL_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: azure-cred-file
+                  key: path
+                  optional: true
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: KUBERNETES_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CSI_ENDPOINT
+              value: unix:///csi/csi.sock
+            {{- if ne .Values.driver.httpsProxy "" }}
+            - name: HTTPS_PROXY
+              value: {{ .Values.driver.httpsProxy }}
+            {{- end }}
+            {{- if ne .Values.driver.httpProxy "" }}
+            - name: HTTP_PROXY
+              value: {{ .Values.driver.httpProxy }}
+            {{- end }}
+            - name: AZURE_GO_SDK_LOG_LEVEL
+              value: {{ .Values.driver.azureGoSDKLogLevel }}
+            {{- if eq .Values.cloud "AzureStackCloud" }}
+            - name: AZURE_ENVIRONMENT_FILEPATH
+              value: /etc/kubernetes/azurestackcloud.json
+            {{- end }}
+          imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+            - mountPath: /etc/kubernetes/
+              name: azure-cred
+            {{- if eq .Values.cloud "AzureStackCloud" }}
+            - name: ssl
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            {{- end }}
+            {{- if eq .Values.linux.distro "fedora" }}
+            - name: ssl
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            - name: ssl-pki
+              mountPath: /etc/pki/ca-trust/extracted
+              readOnly: true
+            {{- end }}
+          resources: {{- toYaml .Values.controller.resources.blob | nindent 12 }}
+        - name: csi-resizer
+{{- if hasPrefix "/" .Values.image.csiResizer.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
+{{- else }}
+          image: "{{ .Values.image.csiResizer.repository }}:{{ .Values.image.csiResizer.tag }}"
+{{- end }}
+          args:
+            - "-csi-address=$(ADDRESS)"
+            - "-v=2"
+            - "-leader-election"
+            - "--leader-election-namespace={{ .Release.Namespace }}"
+            - '-handle-volume-inuse-error=false'
+          env:
+            - name: ADDRESS
+              value: /csi/csi.sock
+          imagePullPolicy: {{ .Values.image.csiResizer.pullPolicy }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+          resources: {{- toYaml .Values.controller.resources.csiResizer | nindent 12 }}
+      volumes:
+        - name: socket-dir
+          emptyDir: {}
+        - name: azure-cred
+          hostPath:
+            path: /etc/kubernetes/
+            type: DirectoryOrCreate
+        {{- if eq .Values.cloud "AzureStackCloud" }}
+        - name: ssl
+          hostPath:
+            path: /etc/ssl/certs
+        {{- end }}
+        {{- if eq .Values.linux.distro "fedora" }}
+        - name: ssl
+          hostPath:
+            path: /etc/ssl/certs
+        - name: ssl-pki
+          hostPath:
+            path: /etc/pki/ca-trust/extracted
+        {{- end }}
+      {{- if .Values.securityContext }}
+      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
diff --git a/charts/v4.6.0/blob-csi-driver/templates/csi-blob-driver.yaml b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-driver.yaml
new file mode 100644
index 000000000..9a6aea64a
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-driver.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: {{ .Values.driver.name }}
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+spec:
+  attachRequired: false
+  podInfoOnMount: true
+  fsGroupPolicy: {{ .Values.feature.fsGroupPolicy }}
+  volumeLifecycleModes:
+    - Persistent
+    - Ephemeral
diff --git a/charts/v4.6.0/blob-csi-driver/templates/csi-blob-node.yaml b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-node.yaml
new file mode 100644
index 000000000..91c02dda0
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/csi-blob-node.yaml
@@ -0,0 +1,296 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: {{ .Values.node.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app: {{ .Values.node.name }}
+    {{- include "blob.labels" . | nindent 4 }}
+spec:
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: {{ .Values.node.maxUnavailable }}
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: {{ .Values.node.name }}
+      {{- include "blob.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app: {{ .Values.node.name }}
+        {{- include "blob.labels" . | nindent 8 }}
+        {{- if .Values.workloadIdentity.clientID }}
+        azure.workload.identity/use: "true"
+        {{- end }}
+        {{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+        {{- end }}
+{{- if .Values.podAnnotations }}
+      annotations:
+{{ toYaml .Values.podAnnotations | indent 8 }}
+{{- end }}
+    spec:
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
+{{- if .Values.node.enableBlobfuseProxy }}
+      hostPID: true
+{{- end }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      serviceAccountName: {{ .Values.serviceAccount.node }}
+      nodeSelector:
+        kubernetes.io/os: linux
+{{- with .Values.node.nodeSelector }}
+{{ toYaml . | indent 8 }}
+{{- end }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: type
+                    operator: NotIn
+                    values:
+                      - virtual-kubelet
+        {{- if .Values.node.affinity }}
+{{- toYaml .Values.node.affinity | nindent 8 }}
+        {{- end }}
+      priorityClassName: {{ .Values.priorityClassName | quote }}
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+{{- with .Values.node.tolerations }}
+      tolerations:
+{{ toYaml . | indent 8 }}
+{{- end }}
+{{- if .Values.node.enableBlobfuseProxy }}
+      initContainers:
+        - name: install-blobfuse-proxy
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+          image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+          imagePullPolicy: IfNotPresent
+          command:
+            - "/blobfuse-proxy/init.sh"
+          securityContext:
+            privileged: true
+          env:
+            - name: DEBIAN_FRONTEND
+              value: "noninteractive"
+            - name: INSTALL_BLOBFUSE
+              value: "{{ .Values.node.blobfuseProxy.installBlobfuse }}"
+            - name: BLOBFUSE_VERSION
+              value: "{{ .Values.node.blobfuseProxy.blobfuseVersion }}"
+            - name: INSTALL_BLOBFUSE2
+              value: "{{ .Values.node.blobfuseProxy.installBlobfuse2 }}"
+            - name: BLOBFUSE2_VERSION
+              value: "{{ .Values.node.blobfuseProxy.blobfuse2Version }}"
+            - name: SET_MAX_OPEN_FILE_NUM
+              value: "{{ .Values.node.blobfuseProxy.setMaxOpenFileNum }}"
+            - name: MAX_FILE_NUM
+              value: "{{ .Values.node.blobfuseProxy.maxOpenFileNum }}"
+            - name: DISABLE_UPDATEDB
+              value: "{{ .Values.node.blobfuseProxy.disableUpdateDB }}"
+          volumeMounts:
+            - name: host-usr
+              mountPath: /host/usr
+            - name: host-etc
+              mountPath: /host/etc
+{{- end }}
+      containers:
+        - name: liveness-probe
+          imagePullPolicy: {{ .Values.image.livenessProbe.pullPolicy }}
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+{{- if hasPrefix "/" .Values.image.livenessProbe.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- else }}
+          image: "{{ .Values.image.livenessProbe.repository }}:{{ .Values.image.livenessProbe.tag }}"
+{{- end }}
+          args:
+            - --csi-address=/csi/csi.sock
+            - --probe-timeout=3s
+            - --health-port={{ .Values.node.livenessProbe.healthPort }}
+            - --v=2
+          resources: {{- toYaml .Values.node.resources.livenessProbe | nindent 12 }}
+        - name: node-driver-registrar
+{{- if hasPrefix "/" .Values.image.nodeDriverRegistrar.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
+{{- else }}
+          image: "{{ .Values.image.nodeDriverRegistrar.repository }}:{{ .Values.image.nodeDriverRegistrar.tag }}"
+{{- end }}
+          args:
+            - --csi-address=$(ADDRESS)
+            - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+            - --v=2
+          livenessProbe:
+            exec:
+              command:
+                - /csi-node-driver-registrar
+                - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
+                - --mode=kubelet-registration-probe
+            initialDelaySeconds: 30
+            timeoutSeconds: 15
+          env:
+            - name: ADDRESS
+              value: /csi/csi.sock
+            - name: DRIVER_REG_SOCK_PATH
+              value: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /csi
+            - name: registration-dir
+              mountPath: /registration
+          resources: {{- toYaml .Values.node.resources.nodeDriverRegistrar | nindent 12 }}
+        - name: blob
+{{- if hasPrefix "/" .Values.image.blob.repository }}
+          image: "{{ .Values.image.baseRepo }}{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- else }}
+          image: "{{ .Values.image.blob.repository }}:{{ .Values.image.blob.tag }}"
+{{- end }}
+          args:
+            - "--v={{ .Values.node.logLevel }}"
+            - "--endpoint=$(CSI_ENDPOINT)"
+            - "--blobfuse-proxy-endpoint=$(BLOBFUSE_PROXY_ENDPOINT)"
+            - "--edgecache-mount-endpoint=$(EDGECACHE_MOUNT_ENDPOINT)"
+            - "--enable-blobfuse-proxy={{ .Values.node.enableBlobfuseProxy }}"
+            - "--nodeid=$(KUBE_NODE_NAME)"
+            - "--drivername={{ .Values.driver.name }}"
+            - "--cloud-config-secret-name={{ .Values.node.cloudConfigSecretName }}"
+            - "--cloud-config-secret-namespace={{ .Values.node.cloudConfigSecretNamespace }}"
+            - "--custom-user-agent={{ .Values.driver.customUserAgent }}"
+            - "--user-agent-suffix={{ .Values.driver.userAgentSuffix }}"
+            - "--allow-empty-cloud-config={{ .Values.node.allowEmptyCloudConfig }}"
+            - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}"
+            - "--append-timestamp-cache-dir={{ .Values.node.appendTimeStampInCacheDir }}"
+            - "--mount-permissions={{ .Values.node.mountPermissions }}"
+            - "--allow-inline-volume-key-access-with-idenitity={{ .Values.node.allowInlineVolumeKeyAccessWithIdentity }}"
+          ports:
+            - containerPort: {{ .Values.node.livenessProbe.healthPort }}
+              name: healthz
+              protocol: TCP
+          livenessProbe:
+            failureThreshold: 5
+            httpGet:
+              path: /healthz
+              port: healthz
+            initialDelaySeconds: 30
+            timeoutSeconds: 10
+            periodSeconds: 30
+          env:
+            - name: AZURE_CREDENTIAL_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: azure-cred-file
+                  key: path
+                  optional: true
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: KUBERNETES_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: CSI_ENDPOINT
+              value: unix:///csi/csi.sock
+            - name: EDGECACHE_MOUNT_ENDPOINT
+              value: unix:///csi/csi_mounts.sock
+            - name: BLOBFUSE_PROXY_ENDPOINT
+              value: unix:///csi/blobfuse-proxy.sock
+            {{- if ne .Values.driver.httpsProxy "" }}
+            - name: HTTPS_PROXY
+              value: {{ .Values.driver.httpsProxy }}
+            {{- end }}
+            {{- if ne .Values.driver.httpProxy "" }}
+            - name: HTTP_PROXY
+              value: {{ .Values.driver.httpProxy }}
+            {{- end }}
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: AZURE_GO_SDK_LOG_LEVEL
+              value: {{ .Values.driver.azureGoSDKLogLevel }}
+            {{- if eq .Values.cloud "AzureStackCloud" }}
+            - name: AZURE_ENVIRONMENT_FILEPATH
+              value: /etc/kubernetes/azurestackcloud.json
+            {{- end }}
+          imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /csi
+              name: socket-dir
+            - mountPath: {{ .Values.linux.kubelet }}/
+              mountPropagation: Bidirectional
+              name: mountpoint-dir
+            - mountPath: /etc/kubernetes/
+              name: azure-cred
+            - mountPath: /mnt
+              name: blob-cache
+            {{- if eq .Values.cloud "AzureStackCloud" }}
+            - name: ssl
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            {{- end }}
+            {{- if eq .Values.linux.distro "fedora" }}
+            - name: ssl
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            - name: ssl-pki
+              mountPath: /etc/pki/ca-trust/extracted
+              readOnly: true
+            {{- end }}
+          resources: {{- toYaml .Values.node.resources.blob | nindent 12 }}
+      volumes:
+{{- if .Values.node.enableBlobfuseProxy }}
+        - name: host-usr
+          hostPath:
+            path: /usr
+        - name: host-etc
+          hostPath:
+            path: /etc
+{{- end }}
+        - hostPath:
+            path: {{ .Values.linux.kubelet }}/plugins/{{ .Values.driver.name }}
+            type: DirectoryOrCreate
+          name: socket-dir
+        - hostPath:
+            path: {{ .Values.linux.kubelet }}/
+            type: DirectoryOrCreate
+          name: mountpoint-dir
+        - hostPath:
+            path: {{ .Values.linux.kubelet }}/plugins_registry/
+            type: DirectoryOrCreate
+          name: registration-dir
+        - hostPath:
+            path: /etc/kubernetes/
+            type: DirectoryOrCreate
+          name: azure-cred
+        - hostPath:
+            path: {{ .Values.node.blobfuseCachePath }}
+          name: blob-cache
+        {{- if eq .Values.cloud "AzureStackCloud" }}
+        - name: ssl
+          hostPath:
+            path: /etc/ssl/certs
+        {{- end }}
+        {{- if eq .Values.linux.distro "fedora" }}
+        - name: ssl
+          hostPath:
+            path: /etc/ssl/certs
+        - name: ssl-pki
+          hostPath:
+            path: /etc/pki/ca-trust/extracted
+        {{- end }}
+      {{- if .Values.securityContext }}
+      securityContext: {{- toYaml .Values.securityContext | nindent 8 }}
+      {{- end }}
diff --git a/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml b/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml
new file mode 100644
index 000000000..f27935671
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-controller.yaml
@@ -0,0 +1,121 @@
+{{- if .Values.rbac.create -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.rbac.name }}-external-provisioner-role
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.rbac.name }}-csi-provisioner-binding
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.controller }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Values.rbac.name }}-external-provisioner-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.rbac.name }}-external-resizer-role
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Values.rbac.name }}-csi-resizer-role
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.controller }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Values.rbac.name }}-external-resizer-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-controller-secret-role
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-controller-secret-binding
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.controller }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-{{ .Values.rbac.name }}-controller-secret-role
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}
diff --git a/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml b/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml
new file mode 100644
index 000000000..6676656cf
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/rbac-csi-blob-node.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.rbac.create -}}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-secret-role
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+
+    # the node plugin must apply annotations to the PVC for edgecache volumes
+    # it gets the PVC's through the PV's
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "update"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create"]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: csi-{{ .Values.rbac.name }}-node-secret-binding
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.serviceAccount.node }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: csi-{{ .Values.rbac.name }}-node-secret-role
+  apiGroup: rbac.authorization.k8s.io
+{{ end }}
diff --git a/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml b/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml
new file mode 100644
index 000000000..7433bccf1
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-controller.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.controller }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+{{- if .Values.workloadIdentity.clientID }}
+    azure.workload.identity/use: "true"
+  annotations:
+    azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }}
+{{- if .Values.workloadIdentity.tenantID }}
+    azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml b/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
new file mode 100644
index 000000000..a25090e30
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/templates/serviceaccount-csi-blob-node.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount.node }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "blob.labels" . | nindent 4 }}
+{{- if .Values.workloadIdentity.clientID }}
+    azure.workload.identity/use: "true"
+  annotations:
+    azure.workload.identity/client-id: {{ .Values.workloadIdentity.clientID }}
+{{- if .Values.workloadIdentity.tenantID }}
+    azure.workload.identity/tenant-id: {{ .Values.workloadIdentity.tenantID }}
+{{- end }}
+{{- end }}
+{{- end -}}
diff --git a/charts/v4.6.0/blob-csi-driver/values.yaml b/charts/v4.6.0/blob-csi-driver/values.yaml
new file mode 100644
index 000000000..1ff9bbfaf
--- /dev/null
+++ b/charts/v4.6.0/blob-csi-driver/values.yaml
@@ -0,0 +1,173 @@
+image:
+  baseRepo: mcr.microsoft.com
+  blob:
+    repository: /k8s/csi/blob-csi
+    tag: latest
+    pullPolicy: IfNotPresent
+  csiProvisioner:
+    repository: /oss/kubernetes-csi/csi-provisioner
+    tag: v3.5.0
+    pullPolicy: IfNotPresent
+  livenessProbe:
+    repository: /oss/kubernetes-csi/livenessprobe
+    tag: v2.10.0
+    pullPolicy: IfNotPresent
+  nodeDriverRegistrar:
+    repository: /oss/kubernetes-csi/csi-node-driver-registrar
+    tag: v2.8.0
+    pullPolicy: IfNotPresent
+  csiResizer:
+    repository: /oss/kubernetes-csi/csi-resizer
+    tag: v1.8.0
+    pullPolicy: IfNotPresent
+
+cloud: AzurePublicCloud
+
+## Reference to one or more secrets to be used when pulling images
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# - name: myRegistryKeySecretName
+
+serviceAccount:
+  create: true # When true, service accounts will be created for you. Set to false if you want to use your own.
+  controller: csi-blob-controller-sa # Name of Service Account to be created or used
+  node: csi-blob-node-sa # Name of Service Account to be created or used
+
+rbac:
+  create: true
+  name: blob
+
+## Collection of annotations to add to all the pods
+podAnnotations: {}
+## Collection of labels to add to all the pods
+podLabels: {}
+# -- Custom labels to add into metadata
+customLabels: {}
+  # k8s-app: blob-csi-driver
+
+## Leverage a PriorityClass to ensure your pods survive resource shortages
+## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+priorityClassName: system-cluster-critical
+## Security context give the opportunity to run container as nonroot by setting a securityContext
+## by example :
+## securityContext: { runAsUser: 1001 }
+securityContext: {}
+
+controller:
+  name: csi-blob-controller
+  cloudConfigSecretName: azure-cloud-provider
+  cloudConfigSecretNamespace: kube-system
+  allowEmptyCloudConfig: true
+  hostNetwork: true # this setting could be disabled if controller does not depend on MSI setting
+  metricsPort: 29634
+  livenessProbe:
+    healthPort: 29632
+  replicas: 2
+  runOnMaster: false
+  runOnControlPlane: false
+  logLevel: 5
+  resources:
+    csiProvisioner:
+      limits:
+        memory: 500Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+    livenessProbe:
+      limits:
+        memory: 100Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+    blob:
+      limits:
+        memory: 200Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+    csiResizer:
+      limits:
+        memory: 500Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+  affinity: {}
+  nodeSelector: {}
+  tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node-role.kubernetes.io/controlplane"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node-role.kubernetes.io/control-plane"
+      operator: "Exists"
+      effect: "NoSchedule"
+
+node:
+  name: csi-blob-node
+  cloudConfigSecretName: azure-cloud-provider
+  cloudConfigSecretNamespace: kube-system
+  allowEmptyCloudConfig: true
+  allowInlineVolumeKeyAccessWithIdentity: false
+  maxUnavailable: 1
+  livenessProbe:
+    healthPort: 29633
+  logLevel: 5
+  enableBlobfuseProxy: false
+  blobfuseProxy:
+    installBlobfuse: true
+    blobfuseVersion: "1.4.5"
+    installBlobfuse2: true
+    blobfuse2Version: "2.0.3"
+    setMaxOpenFileNum: true
+    maxOpenFileNum: "9000000"
+    disableUpdateDB: true
+  blobfuseCachePath: /mnt
+  appendTimeStampInCacheDir: false
+  mountPermissions: 0777
+  resources:
+    livenessProbe:
+      limits:
+        memory: 100Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+    nodeDriverRegistrar:
+      limits:
+        memory: 100Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+    blob:
+      limits:
+        memory: 2100Mi
+      requests:
+        cpu: 10m
+        memory: 20Mi
+  affinity: {}
+  nodeSelector: {}
+  tolerations:
+    - operator: "Exists"
+
+feature:
+  fsGroupPolicy: ReadWriteOnceWithFSType
+  enableGetVolumeStats: false
+
+driver:
+  name: blob.csi.azure.com
+  customUserAgent: ""
+  userAgentSuffix: "OSS-helm"
+  azureGoSDKLogLevel: "" # available values: ""(no logs), DEBUG, INFO, WARNING, ERROR
+  httpsProxy: ""
+  httpProxy: ""
+
+linux:
+  kubelet: /var/lib/kubelet
+  distro: debian
+
+workloadIdentity:
+  clientID: ""
+  # [optional] If the AAD application or user-assigned managed identity is not in the same tenant as the cluster
+  # then set tenantID with the application or user-assigned managed identity tenant ID
+  tenantID: ""
diff --git a/pkg/blob/azure.go b/pkg/blob/azure.go
index 5a9a03c2f..7a9d364b6 100644
--- a/pkg/blob/azure.go
+++ b/pkg/blob/azure.go
@@ -88,17 +88,6 @@ func GetCloudProvider(ctx context.Context, kubeconfig, nodeID, secretName, secre
 		}, nil)
 		if err == nil && config != nil {
 			fromSecret = true
-
-			if tenantID := os.Getenv("AZURE_TENANT_ID"); tenantID != "" {
-				config.TenantID = tenantID
-			}
-			if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
-				config.AADClientID = clientID
-			}
-			if federatedTokenFile := os.Getenv("AZURE_FEDERATED_TOKEN_FILE"); federatedTokenFile != "" {
-				config.AADFederatedTokenFile = federatedTokenFile
-				config.UseFederatedWorkloadIdentityExtension = true
-			}
 		}
 		if err != nil {
 			klog.V(2).Infof("InitializeCloudFromSecret: failed to get cloud config from secret %s/%s: %v", secretNamespace, secretName, err)
@@ -130,6 +119,17 @@ func GetCloudProvider(ctx context.Context, kubeconfig, nodeID, secretName, secre
 			return az, fmt.Errorf("no cloud config provided, error: %w", err)
 		}
 	} else {
+		if tenantID := os.Getenv("AZURE_TENANT_ID"); tenantID != "" {
+			config.TenantID = tenantID
+		}
+		if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
+			config.AADClientID = clientID
+		}
+		if federatedTokenFile := os.Getenv("AZURE_FEDERATED_TOKEN_FILE"); federatedTokenFile != "" {
+			config.AADFederatedTokenFile = federatedTokenFile
+			config.UseFederatedWorkloadIdentityExtension = true
+		}
+
 		config.UserAgent = userAgent
 		config.CloudProviderBackoff = true
 		if err = az.InitializeCloudFromConfig(context.TODO(), config, fromSecret, false); err != nil {
diff --git a/pkg/blob/blob.go b/pkg/blob/blob.go
index 24b62602d..a4ab025f0 100644
--- a/pkg/blob/blob.go
+++ b/pkg/blob/blob.go
@@ -382,6 +382,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 		subsID                  string
 		accountKey              string
 		accountSasToken         string
+		ecStorageAuth           string
 		msiSecret               string
 		storageSPNClientSecret  string
 		storageSPNClientID      string
@@ -444,6 +445,8 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			if getLatestAccountKey, err = strconv.ParseBool(v); err != nil {
 				return rgName, accountName, accountKey, containerName, secretName, secretNamespace, authEnv, fmt.Errorf("invalid %s: %s in volume context", getLatestAccountKeyField, v)
 			}
+		case EcStrgAuthenticationField:
+			ecStorageAuth = v
 		}
 	}
 	klog.V(2).Infof("volumeID(%s) authEnv: %s", volumeID, authEnv)
@@ -479,7 +482,7 @@ func (d *Driver) GetAuthEnv(ctx context.Context, volumeID, protocol string, attr
 			accountKey = key
 		}
 	} else {
-		if len(secrets) == 0 {
+		if len(secrets) == 0 && ecStorageAuth != "WorkloadIdentity" {
 			if secretName == "" && accountName != "" {
 				secretName = fmt.Sprintf(secretNameTemplate, accountName)
 			}