kubernetes-sigs
diff --git a/‎pkg/mounter/cmd_mounter.go‎
Lines changed: 35 additions & 1 deletion b/‎pkg/mounter/cmd_mounter.go‎
Lines changed: 35 additions & 1 deletion
diff --git a/‎pkg/mounter/mounter.go‎
Lines changed: 8 additions & 0 deletions b/‎pkg/mounter/mounter.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎pkg/mounter/oss/oss_fuse_manager.go‎
Lines changed: 15 additions & 3 deletions b/‎pkg/mounter/oss/oss_fuse_manager.go‎
Lines changed: 15 additions & 3 deletions
diff --git a/‎pkg/mounter/oss/ossfs.go‎
Lines changed: 35 additions & 7 deletions b/‎pkg/mounter/oss/ossfs.go‎
Lines changed: 35 additions & 7 deletions
diff --git a/‎pkg/mounter/oss/ossfs2.go‎
Lines changed: 30 additions & 3 deletions b/‎pkg/mounter/oss/ossfs2.go‎
Lines changed: 30 additions & 3 deletions
@@ -5,9 +5,11 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"time"
 
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
+	"k8s.io/klog/v2"
 	"k8s.io/mount-utils"
 )
 
@@ -27,11 +29,19 @@ func NewOssCmdMounter(execPath, volumeId string, inner mount.Interface) Mounter
 	}
 }
 
+func (m *OssCmdMounter) Name() string {
+	return "cmd-mounter"
+}
+
+func (m *OssCmdMounter) RotateToken(target, fstype string, secrets map[string]string) error {
+	return ErrNotImplemented(m.Name(), fstype, "rotateToken")
+}
+
 func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error {
 	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(timeout))
 	defer cancel()
 
-	passwd, err := utils.SaveOssSecretsToFile(secrets)
+	passwd, err := saveOssSecretsToFile(secrets)
 	if err != nil {
 		return err
 	}
@@ -47,3 +57,27 @@ func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options
 	}
 	return nil
 }
+func saveOssSecretsToFileIfNeeded(authCfg *utils.AuthConfig) (string, error) {
+	if authCfg == nil || authCfg.Secrets == nil {
+		return "", nil
+	}
+	return saveOssSecretsToFile(authCfg.Secrets)
+}
+
+func saveOssSecretsToFile(secrets map[string]string) (filePath string, err error) {
+	passwd := secrets["passwd-ossfs"]
+	if passwd == "" {
+		return
+	}
+
+	tmpDir, err := os.MkdirTemp("", "ossfs-")
+	if err != nil {
+		return "", err
+	}
+	filePath = filepath.Join(tmpDir, "passwd")
+	if err = os.WriteFile(filePath, []byte(passwd), 0o600); err != nil {
+		return "", err
+	}
+	klog.V(4).InfoS("created ossfs passwd file", "path", filePath)
+	return
+}
@@ -1,10 +1,18 @@
 package mounter
 
 import (
+	"fmt"
+
 	mountutils "k8s.io/mount-utils"
 )
 
 type Mounter interface {
 	mountutils.Interface
+	Name() string
 	MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error
+	RotateToken(target, fstype string, secrets map[string]string) error
+}
+
+func ErrNotImplemented(driver, mounterType, method string) error {
+	return fmt.Errorf("%s(%s): %s not implemented", mounterType, driver, method)
 }
@@ -48,6 +48,17 @@ const (
 	AuthTypePublic = "public"
 )
 
+type AccessKey struct {
+	AkID     string `json:"akId"`
+	AkSecret string `json:"akSecret"`
+}
+type TokenSecret struct {
+	AccessKeyId     string `json:"AccessKeyId"`
+	AccessKeySecret string `json:"AccessKeySecret"`
+	Expiration      string `json:"Expiration"`
+	SecurityToken   string `json:"SecurityToken"`
+}
+
 // Options contains options for target oss
 type Options struct {
 	DirectAssigned bool
@@ -60,9 +71,10 @@ type Options struct {
 
 	// authorization options
 	// accesskey
-	AkID      string `json:"akId"`
-	AkSecret  string `json:"akSecret"`
-	SecretRef string `json:"secretRef"`
+	AccessKey   `json:",inline"`
+	TokenSecret `json:",inline"`
+	SecretRef   string `json:"secretRef"`
+
 	// RRSA
 	RoleName           string `json:"roleName"` // also for STS
 	RoleArn            string `json:"roleArn"`
 
@@ -87,7 +87,15 @@ func (f *fuseOssfs) PrecheckAuthConfig(o *Options, onNode bool) error {
 		if features.FunctionalMutableFeatureGate.Enabled(features.RundCSIProtocol3) {
 			return nil
 		}
-		if o.SecretRef != "" {
+		// Token authentication:
+		// For runc scenarios, set the SecretRef parameter.
+		runc := o.SecretRef != ""
+		// For rund or eci scenarios, configure Token in nodePublishSecretRef or nodeStageSecretRef.
+		rund := o.AccessKeyId != "" && o.AccessKeySecret != "" && o.Expiration != "" && o.SecurityToken != ""
+		if runc && rund {
+			return fmt.Errorf("Token and secretRef cannot be set at the same time")
+		}
+		if rund || runc {
 			if o.AkID != "" || o.AkSecret != "" {
 				return fmt.Errorf("AK and secretRef cannot be set at the same time")
 			}
@@ -119,13 +127,27 @@ func (f *fuseOssfs) MakeAuthConfig(o *Options, m metadata.MetadataProvider) (*ut
 	case AuthTypeSTS:
 		authCfg.RoleName = o.RoleName
 	default:
-		if o.SecretRef != "" {
-			authCfg.SecretRef = o.SecretRef
-		} else {
+		// fixed AKSK
+		passwdFile := utils.GetPasswdFileName(f.Name())
+		if o.AkID != "" && o.AkSecret != "" {
 			authCfg.Secrets = map[string]string{
-				utils.GetPasswdFileName(f.Name()): fmt.Sprintf("%s:%s:%s", o.Bucket, o.AkID, o.AkSecret),
+				passwdFile: fmt.Sprintf("%s:%s:%s", o.Bucket, o.AkID, o.AkSecret),
 			}
+			return authCfg, nil
+		}
+		// secretRef for RunC
+		if o.SecretRef != "" {
+			authCfg.SecretRef = o.SecretRef
+			return authCfg, nil
+		}
+		// token secret for RunD
+		authCfg.Secrets = map[string]string{
+			filepath.Join(passwdFile, KeyAccessKeyId):     o.AccessKeyId,
+			filepath.Join(passwdFile, KeyAccessKeySecret): o.AccessKeySecret,
+			filepath.Join(passwdFile, KeySecurityToken):   o.SecurityToken,
+			filepath.Join(passwdFile, KeyExpiration):      o.Expiration,
 		}
+
 	}
 	return authCfg, nil
 }
@@ -289,11 +311,17 @@ func (f *fuseOssfs) getAuthOptions(o *Options, region string) (mountOptions []st
 			mountOptions = append(mountOptions, "ram_role="+o.RoleName)
 		}
 	default:
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
+			// for aksk in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+			return
+		}
+		// secretRef for runC or token secret for runD
 		if o.SecretRef != "" {
 			mountOptions = append(mountOptions, fmt.Sprintf("passwd_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType))))
-			mountOptions = append(mountOptions, "use_session_token")
 		}
-		// publishSecretRef will make option in mount-proxy server
+		// for token in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+		mountOptions = append(mountOptions, "use_session_token")
 	}
 	return
 }
 
@@ -64,7 +64,16 @@ func (f *fuseOssfs2) PrecheckAuthConfig(o *Options, onNode bool) error {
 		if features.FunctionalMutableFeatureGate.Enabled(features.RundCSIProtocol3) {
 			return nil
 		}
-		if o.SecretRef != "" {
+		// Token authentication:
+		// For runc scenarios, set the SecretRef parameter.
+		runc := o.SecretRef != ""
+		// For rund or eci scenarios, configure Token in nodePublishSecretRef or nodeStageSecretRef.
+		// Expiration is not required for ossfs2.0
+		rund := o.AccessKeyId != "" && o.AccessKeySecret != "" && o.SecurityToken != ""
+		if runc && rund {
+			return fmt.Errorf("Token and secretRef cannot be set at the same time")
+		}
+		if rund || runc {
 			if o.AkID != "" || o.AkSecret != "" {
 				return fmt.Errorf("AK and secretRef cannot be set at the same time")
 			}
@@ -95,13 +104,26 @@ func (f *fuseOssfs2) MakeAuthConfig(o *Options, m metadata.MetadataProvider) (au
 	case AuthTypeSTS:
 		authCfg.RoleName = o.RoleName
 	case "":
+		// fixed AKSK
+		passwdFile := utils.GetPasswdFileName(f.Name())
+		if o.AkID != "" && o.AkSecret != "" {
+			authCfg.Secrets = map[string]string{
+				utils.GetPasswdFileName(f.Name()): fmt.Sprintf("--oss_access_key_id=%s\n--oss_access_key_secret=%s", o.AkID, o.AkSecret),
+			}
+			return
+		}
+		// secretRef for RunC
 		if o.SecretRef != "" {
 			authCfg.SecretRef = o.SecretRef
 			return
 		}
+		// token secret for RunD
 		authCfg.Secrets = map[string]string{
-			utils.GetPasswdFileName(f.Name()): fmt.Sprintf("--oss_access_key_id=%s\n--oss_access_key_secret=%s", o.AkID, o.AkSecret),
+			filepath.Join(passwdFile, KeyAccessKeyId):     o.AccessKeyId,
+			filepath.Join(passwdFile, KeyAccessKeySecret): o.AccessKeySecret,
+			filepath.Join(passwdFile, KeySecurityToken):   o.SecurityToken,
 		}
+
 	default:
 		return nil, fmt.Errorf("%s do not support authType: %s", f.Name(), o.AuthType)
 	}
@@ -162,14 +184,19 @@ func (f *fuseOssfs2) getAuthOptions(o *Options, region string) (mountOptions []s
 			mountOptions = append(mountOptions, "ram_role="+o.RoleName)
 		}
 	case "":
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
+			// for aksk in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+			return
+		}
 		if o.SecretRef != "" {
 			mountOptions = append(mountOptions,
 				fmt.Sprintf("oss_sts_multi_conf_ak_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeyAccessKeyId)),
 				fmt.Sprintf("oss_sts_multi_conf_sk_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeyAccessKeySecret)),
 				fmt.Sprintf("oss_sts_multi_conf_token_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeySecurityToken)),
 			)
 		}
-		// publishSecretRef will make option in mount-proxy server
+		// for token in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
 	default:
 		return nil
 	}