feat: support NAS access point ram authentication

Author: iltyty

pkg/mounter/interceptors/alinas_secret.go

@@ -1,7 +1,12 @@
 package interceptors
 
 import (
+	"fmt"
+	"os"
+	"path"
+
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter"
+	"k8s.io/klog/v2"
 )
 
 type AlinasSecretInterceptor struct{}
@@ -12,6 +17,32 @@ func NewAlinasSecretInterceptor() mounter.MountInterceptor {
 	return AlinasSecretInterceptor{}
 }
 
-func (AlinasSecretInterceptor) BeforeMount(req *mounter.MountOperation) (*mounter.MountOperation, error) {
-	return req, nil
+func (AlinasSecretInterceptor) BeforeMount(op *mounter.MountOperation) (*mounter.MountOperation, error) {
+	if op == nil || op.Secrets == nil {
+		return op, nil
+	}
+
+	tmpDir, err := os.MkdirTemp("", "alinas-")
+	if err != nil {
+		return op, err
+	}
+
+	credFileContent := makeCredFileContent(op.Secrets)
+	credFilePath := path.Join(tmpDir, op.VolumeID+".credentials")
+	if err = os.WriteFile(credFilePath, credFileContent, 0o600); err != nil {
+		return op, err
+	}
+
+	klog.V(4).InfoS("Created alinas credential file", "path", credFilePath)
+	op.Options = append(op.Options, "ram_config_file="+credFilePath)
+	return op, nil
+}
+
+func makeCredFileContent(secrets map[string]string) []byte {
+	return fmt.Appendf(
+		nil,
+		"[NASCredentials]\naccessKeyID=%s\naccessKeySecret=%s",
+		secrets["akId"],
+		secrets["akSecret"],
+	)
 }

pkg/nas/mounter.go

@@ -1,6 +1,8 @@
 package nas
 
 import (
+	"context"
+
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter"
 	"k8s.io/klog/v2"
 	mountutils "k8s.io/mount-utils"
@@ -11,18 +13,20 @@ type NasMounter struct {
 	alinasMounter mountutils.Interface
 }
 
-func (m *NasMounter) Mount(source string, target string, fstype string, options []string) (err error) {
+var _ mounter.Mounter = &NasMounter{}
+
+func (m *NasMounter) ExtendedMount(ctx context.Context, op *mounter.MountOperation) (err error) {
 	logger := klog.Background().WithValues(
-		"source", source,
-		"target", target,
-		"options", options,
-		"fstype", fstype,
+		"source", op.Source,
+		"target", op.Target,
+		"options", op.Options,
+		"fstype", op.FsType,
 	)
-	switch fstype {
+	switch op.FsType {
 	case "alinas", "cpfs", "cpfs-nfs":
-		err = m.alinasMounter.Mount(source, target, fstype, options)
+		err = m.alinasMounter.Mount(op.Source, op.Target, op.FsType, op.Options)
 	default:
-		err = m.Interface.Mount(source, target, fstype, options)
+		err = m.Mount(op.Source, op.Target, op.FsType, op.Options)
 	}
 	if err != nil {
 		logger.Error(err, "failed to mount")
@@ -32,7 +36,7 @@ func (m *NasMounter) Mount(source string, target string, fstype string, options
 	return err
 }
 
-func newNasMounter(agentMode bool, socketPath string) mountutils.Interface {
+func newNasMounter(agentMode bool, socketPath string) mounter.Mounter {
 	inner := mountutils.NewWithoutSystemd("")
 	m := &NasMounter{
 		Interface:     inner,
@@ -41,7 +45,7 @@ func newNasMounter(agentMode bool, socketPath string) mountutils.Interface {
 	switch {
 	case socketPath != "":
 		m.alinasMounter = mounter.NewProxyMounter(socketPath, inner)
-	case !agentMode: // normal case, use connector mounter to ensure backward compatability
+	case !agentMode: // normal case, use connector mounter to ensure backward compatibility
 		m.alinasMounter = mounter.NewConnectorMounter(inner, "")
 	}
 	return m

pkg/nas/mounter_test.go

@@ -1,9 +1,11 @@
 package nas
 
 import (
+	"context"
 	"errors"
 	"testing"
 
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter"
 	"github.com/stretchr/testify/assert"
 	mountutils "k8s.io/mount-utils"
 )
@@ -34,7 +36,7 @@ func TestNasMounter_MountSuccess(t *testing.T) {
 		Interface:     &successMockMounter{},
 		alinasMounter: &successMockMounter{},
 	}
-	err := nasMounter.Mount("", "", "nas", []string{})
+	err := nasMounter.ExtendedMount(context.Background(), &mounter.MountOperation{})
 	assert.NoError(t, err)
 }
 
@@ -43,6 +45,8 @@ func TestNasMounter_FuseMountError(t *testing.T) {
 		Interface:     &errorMockMounter{},
 		alinasMounter: &errorMockMounter{},
 	}
-	err := nasMounter.Mount("", "", "cpfs", []string{})
+	err := nasMounter.ExtendedMount(context.Background(), &mounter.MountOperation{
+		FsType: "cpfs",
+	})
 	assert.Error(t, err)
 }

pkg/nas/nodeserver.go

@@ -34,6 +34,7 @@ import (
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/dadi"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/features"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/losetup"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/internal"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/rund/directvolume"
@@ -42,12 +43,11 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/record"
 	"k8s.io/klog/v2"
-	mountutils "k8s.io/mount-utils"
 )
 
 type nodeServer struct {
 	config   *internal.NodeConfig
-	mounter  mountutils.Interface
+	mounter  mounter.Mounter
 	locks    *utils.VolumeLocks
 	recorder record.EventRecorder
 	common.GenericNodeServer
@@ -91,6 +91,8 @@ type Options struct {
 	MountProtocol string `json:"mountProtocol"`
 	ClientType    string `json:"clientType"`
 	FSType        string `json:"fsType"`
+	AkID          string
+	AkSecret      string
 }
 
 // RunvNasOptions struct definition
@@ -246,6 +248,8 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 			opt.MountProtocol = strings.TrimSpace(value)
 		}
 	}
+	opt.AkID = req.Secrets[akIDKey]
+	opt.AkSecret = req.Secrets[akSecretKey]
 
 	if cnfsName != "" {
 		cnfs, err := ns.getCNFS(ctx, req, cnfsName)

pkg/nas/utils.go

@@ -17,6 +17,7 @@ limitations under the License.
 package nas
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -27,7 +28,8 @@ import (
 
 	"github.com/alibabacloud-go/tea/tea"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/losetup"
-	mounter "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter"
+	mounterutils "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/cloud"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
@@ -52,6 +54,8 @@ const (
 	TcpSlotTableEntries      = "/proc/sys/sunrpc/tcp_slot_table_entries"
 	TcpSlotTableEntriesValue = "128\n"
 
+	akIDKey           = "akId"
+	akSecretKey       = "akSecret"
 	filesystemIDKey   = "fileSystemId"
 	filesystemTypeKey = "fileSystemType"
 )
@@ -66,11 +70,12 @@ type RoleAuth struct {
 	Code            string
 }
 
-func doMount(mounter mountutils.Interface, opt *Options, targetPath, volumeId, podUid string) error {
+func doMount(m mounter.Mounter, opt *Options, targetPath, volumeId, podUid string) error {
 	var (
 		mountFstype     string
 		source          string
 		combinedOptions []string
+		secrets         map[string]string
 		isPathNotFound  func(error) bool
 	)
 	if opt.Accesspoint != "" {
@@ -81,6 +86,12 @@ func doMount(mounter mountutils.Interface, opt *Options, targetPath, volumeId, p
 	if opt.Options != "" {
 		combinedOptions = append(combinedOptions, opt.Options)
 	}
+	if opt.AkID != "" && opt.AkSecret != "" {
+		secrets = map[string]string{
+			akIDKey:     opt.AkID,
+			akSecretKey: opt.AkSecret,
+		}
+	}
 
 	switch opt.ClientType {
 	case EFCClient:
@@ -127,7 +138,15 @@ func doMount(mounter mountutils.Interface, opt *Options, targetPath, volumeId, p
 			return strings.Contains(err.Error(), "reason given by server: No such file or directory") || strings.Contains(err.Error(), "access denied by server while mounting")
 		}
 	}
-	err := mounter.Mount(source, targetPath, mountFstype, combinedOptions)
+
+	err := m.ExtendedMount(context.Background(), &mounter.MountOperation{
+		Source:   source,
+		Target:   targetPath,
+		FsType:   mountFstype,
+		Options:  combinedOptions,
+		Secrets:  secrets,
+		VolumeID: volumeId,
+	})
 	if err == nil {
 		return nil
 	}
@@ -154,16 +173,30 @@ func doMount(mounter mountutils.Interface, opt *Options, targetPath, volumeId, p
 		return err
 	}
 	defer os.Remove(tmpPath)
-	if err := mounter.Mount(rootSource, tmpPath, mountFstype, combinedOptions); err != nil {
+	if err := m.ExtendedMount(context.Background(), &mounter.MountOperation{
+		Source:   rootSource,
+		Target:   tmpPath,
+		FsType:   mountFstype,
+		Options:  combinedOptions,
+		Secrets:  secrets,
+		VolumeID: volumeId,
+	}); err != nil {
 		return err
 	}
 	if err := os.MkdirAll(filepath.Join(tmpPath, relPath), os.ModePerm); err != nil {
 		return err
 	}
-	if err := cleanupMountpoint(mounter, tmpPath); err != nil {
+	if err := cleanupMountpoint(m, tmpPath); err != nil {
 		klog.Errorf("failed to cleanup tmp mountpoint %s: %v", tmpPath, err)
 	}
-	return mounter.Mount(source, targetPath, mountFstype, combinedOptions)
+	return m.ExtendedMount(context.Background(), &mounter.MountOperation{
+		Source:   source,
+		Target:   targetPath,
+		FsType:   mountFstype,
+		Options:  combinedOptions,
+		Secrets:  secrets,
+		VolumeID: volumeId,
+	})
 }
 
 // check system config,
@@ -181,7 +214,7 @@ func ParseMountFlags(mntOptions []string) (string, string) {
 	var vers string
 	var otherOptions []string
 	for _, options := range mntOptions {
-		for _, option := range mounter.SplitMountOptions(options) {
+		for _, option := range mounterutils.SplitMountOptions(options) {
 			if option == "" {
 				continue
 			}
@@ -201,7 +234,7 @@ func ParseMountFlags(mntOptions []string) (string, string) {
 
 func addTLSMountOptions(baseOptions []string) []string {
 	for _, options := range baseOptions {
-		for _, option := range mounter.SplitMountOptions(options) {
+		for _, option := range mounterutils.SplitMountOptions(options) {
 			if option == "" {
 				continue
 			}