oss(credentials): support standard keys and

Author: AlbeeSo

pkg/oss/coco.go

@@ -85,6 +85,7 @@ func (ns *nodeServer) publishDirectVolume(ctx context.Context, req *csi.NodePubl
 		"targetPath":  req.GetTargetPath(),
 	}
 	if opt.AkSecret != "" && strings.HasPrefix(opt.AkSecret, sealedSecretPrefix) {
+		// `AkID` and `AkSecret` are fixed for the protocol
 		metadata[AkID] = opt.AkID
 		metadata[AkSecret] = opt.AkSecret
 	}

pkg/oss/nodeserver.go

@@ -50,10 +50,6 @@ type nodeServer struct {
 }
 
 const (
-	// AkID is Ak ID
-	AkID = "akId"
-	// AkSecret is Ak Secret
-	AkSecret = "akSecret"
 	// OssFsType is the oss filesystem type
 	OssFsType = "ossfs"
 	// OssFs2Type is the ossfs2 filesystem type

pkg/oss/utils.go

@@ -50,6 +50,28 @@ const (
 	VolumeAsSubpath VolumeAsType = "subpath"
 )
 
+const (
+	// AkID and AkSecret are the key names we have always supported.
+	// For compatibility with standard naming conventions, we also support customers configuring `accessKeyID` and `accessKeySecret`
+	AkID     = "akId"
+	AkSecret = "akSecret"
+	// AccessKeyID and AccessKeySecret are provided for compatibility with standard naming conventions.
+	AccessKeyID     = "accessKeyId"
+	AccessKeySecret = "accessKeySecret"
+)
+
+// parseCredentialsFromSecret retrieves long-term credentials from the `Secret` field in requset.
+// It prioritizes obtaining the credentials from `AkID` and `AkSecret`
+func parseCredentialsFromSecret(secrets map[string]string) (akID, akSecret string) {
+	akID = strings.TrimSpace(secrets[AkID])
+	akSecret = strings.TrimSpace(secrets[AkSecret])
+	if akID == "" && akSecret == "" {
+		akID = strings.TrimSpace(secrets[AccessKeyID])
+		akSecret = strings.TrimSpace(secrets[AccessKeySecret])
+	}
+	return
+}
+
 // get Options for CreateVolume and PublishVolume
 // volOptions: CreateVolumeRequest.GetParameters, PublishVolumeRequest.GetVolumeContext
 // secrets: CreateVolumeRequest / PublishVolumeRequest.GetSecrets
@@ -68,11 +90,13 @@ func parseOptions(volOptions, secrets map[string]string, volCaps []*csi.VolumeCa
 		secrets = map[string]string{}
 	}
 
+	// credientials
+	akId, akSecret := parseCredentialsFromSecret(secrets)
 	opts := &oss.Options{
 		UseSharedPath: true,
 		Path:          "/",
-		AkID:          strings.TrimSpace(secrets[AkID]),
-		AkSecret:      strings.TrimSpace(secrets[AkSecret]),
+		AkID:          akId,
+		AkSecret:      akSecret,
 	}
 
 	var volumeAsSubpath bool
@@ -89,10 +113,6 @@ func parseOptions(volOptions, secrets map[string]string, volCaps []*csi.VolumeCa
 			opts.URL = value
 		case "otheropts":
 			opts.OtherOpts = value
-		case "akid":
-			opts.AkID = value
-		case "aksecret":
-			opts.AkSecret = value
 		case "secretref":
 			opts.SecretRef = value
 		case "path":
@@ -161,6 +181,11 @@ func parseOptions(volOptions, secrets map[string]string, volCaps []*csi.VolumeCa
 				klog.Warning(WrapOssError(ParamError, "the value(%q) of %q is invalid, only support %v, %v, %v",
 					v, k, corev1.DNSClusterFirst, corev1.DNSClusterFirstWithHostNet, corev1.DNSDefault).Error())
 			}
+		// deprecated:
+		case "akid":
+			opts.AkID = value
+		case "aksecret":
+			opts.AkSecret = value
 		}
 	}
 	for _, c := range volCaps {

pkg/oss/utils_test.go

@@ -38,6 +38,194 @@ var m = metadata.FakeProvider{
 	},
 }
 
+func TestParseCredentialsFromSecret(t *testing.T) {
+	tests := []struct {
+		name     string
+		secrets  map[string]string
+		expected struct {
+			akID     string
+			akSecret string
+		}
+	}{
+		{
+			name: "Case 1: AkID and AkSecret have valid values",
+			secrets: map[string]string{
+				AkID:     " validAkID ",
+				AkSecret: " validAkSecret ",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "validAkID",
+				akSecret: "validAkSecret",
+			},
+		},
+		{
+			name: "Case 2: AkID and AkSecret are empty, but AccessKeyID and AccessKeySecret have valid values",
+			secrets: map[string]string{
+				AkID:            "",
+				AkSecret:        "",
+				AccessKeyID:     " validAccessKeyID ",
+				AccessKeySecret: " validAccessKeySecret ",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "validAccessKeyID",
+				akSecret: "validAccessKeySecret",
+			},
+		},
+		{
+			name: "Case 3: AkSecret is empty, but AccessKeyID and AccessKeySecret have valid values",
+			secrets: map[string]string{
+				AkID:            "",
+				AkSecret:        "AkSecret",
+				AccessKeyID:     " validAccessKeyID ",
+				AccessKeySecret: " validAccessKeySecret ",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "",
+				akSecret: "AkSecret",
+			},
+		},
+		{
+			name: "Case 4: All fields are set, but AccessKeyID and AccessKeySecret have valid values",
+			secrets: map[string]string{
+				AkID:            "AkID",
+				AkSecret:        "AkSecret",
+				AccessKeyID:     " validAccessKeyID ",
+				AccessKeySecret: " validAccessKeySecret ",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "AkID",
+				akSecret: "AkSecret",
+			},
+		},
+		{
+			name: "Case 5: All keys have empty values",
+			secrets: map[string]string{
+				AkID:            "",
+				AkSecret:        "",
+				AccessKeyID:     "",
+				AccessKeySecret: "",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "",
+				akSecret: "",
+			},
+		},
+		{
+			name: "Case 6: Missing some keys, but others have valid values",
+			secrets: map[string]string{
+				AccessKeyID:     " validAccessKeyID ",
+				AccessKeySecret: " validAccessKeySecret ",
+			},
+			expected: struct {
+				akID     string
+				akSecret string
+			}{
+				akID:     "validAccessKeyID",
+				akSecret: "validAccessKeySecret",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			akID, akSecret := parseCredentialsFromSecret(tt.secrets)
+			assert.Equal(t, tt.expected.akID, akID)
+			assert.Equal(t, tt.expected.akSecret, akSecret)
+		})
+	}
+}
+
+func TestParseOptions_credentialsCompatibility(t *testing.T) {
+	tests := []struct {
+		name     string
+		options  map[string]string
+		secrets  map[string]string
+		akID     string
+		akSecret string
+	}{
+		{
+			name: "allows obtaining the credentials with the former way",
+			secrets: map[string]string{
+				AkID:     "validAkID",
+				AkSecret: "validAkSecret",
+			},
+			akID:     "validAkID",
+			akSecret: "validAkSecret",
+		},
+		{
+			name: "allows the secret is empty",
+		},
+		{
+			name: "prioritizes obtaining the credentials with the former way",
+			secrets: map[string]string{
+				AkID:            "validAkID",
+				AkSecret:        "validAkSecret",
+				AccessKeyID:     "validAccessKeyID",
+				AccessKeySecret: "validAccessKeySecret",
+			},
+			akID:     "validAkID",
+			akSecret: "validAkSecret",
+		},
+		{
+			name: "allows obtaining the credentials with the latter way",
+			secrets: map[string]string{
+				AccessKeyID:     "validAccessKeyID",
+				AccessKeySecret: "validAccessKeySecret",
+			},
+			akID:     "validAccessKeyID",
+			akSecret: "validAccessKeySecret",
+		},
+		{
+			name: "ignore invalid credentials",
+			secrets: map[string]string{
+				AkID:            "validAkID",
+				AccessKeySecret: "validAccessKeySecret",
+			},
+			akID:     "validAkID",
+			akSecret: "",
+		},
+		{
+			name: "options overwrite the credentials",
+			secrets: map[string]string{
+				AkID:            "validAkID",
+				AkSecret:        "validAkSecret",
+				AccessKeyID:     "validAccessKeyID",
+				AccessKeySecret: "validAccessKeySecret",
+			},
+			options: map[string]string{
+				AkID:     "optionsAkID",
+				AkSecret: "optionsAkSecret",
+			},
+			akID:     "optionsAkID",
+			akSecret: "optionsAkSecret",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotOptions := parseOptions(tt.options,
+				tt.secrets, []*csi.VolumeCapability{},
+				false, "", false, m)
+			assert.Equal(t, tt.akID, gotOptions.AkID)
+			assert.Equal(t, tt.akSecret, gotOptions.AkSecret)
+		})
+	}
+}
+
 func Test_parseOptions(t *testing.T) {
 	t.Setenv("ALIBABA_CLOUD_NETWORK_TYPE", "vpc")