Merge pull request #1477 from iltyty/fix-proxy-mount

Fix proxy mounter empty auth config issue

Author: k8s-ci-robot

pkg/mounter/cmd_mounter.go

@@ -2,13 +2,11 @@ package mounter
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"os"
 	"os/exec"
 	"time"
 
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud/metadata"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
 	"k8s.io/mount-utils"
 )
@@ -19,72 +17,33 @@ type OssCmdMounter struct {
 	mount.Interface
 	volumeId string
 	execPath string
-	metadata metadata.MetadataProvider
 }
 
-func NewOssCmdMounter(execPath, volumeId string, metadata metadata.MetadataProvider, inner mount.Interface) Mounter {
+func NewOssCmdMounter(execPath, volumeId string, inner mount.Interface) Mounter {
 	return &OssCmdMounter{
 		execPath:  execPath,
 		volumeId:  volumeId,
 		Interface: inner,
-		metadata:  metadata,
 	}
 }
 
-func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options []string, authCfg *utils.AuthConfig) error {
-	if authCfg == nil {
-		return errors.New("empty auth config")
-	}
-
+func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error {
 	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(timeout))
 	defer cancel()
 
-	options, err := m.appendAuthOptions(options, target, authCfg)
+	passwd, err := utils.SaveOssSecretsToFile(secrets)
 	if err != nil {
 		return err
 	}
+	options = append(options, "passwd_file="+passwd)
 
 	args := mount.MakeMountArgs(source, target, "", options)
 	cmd := exec.CommandContext(ctx, "ossfs", args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 
-	if err = cmd.Run(); err != nil {
+	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("failed to execute ossfs: %w", err)
 	}
 	return nil
 }
-
-func (m *OssCmdMounter) appendAuthOptions(options []string, target string, authCfg *utils.AuthConfig) ([]string, error) {
-	if authCfg == nil {
-		return options, nil
-	}
-
-	passwdFile, err := saveOssSecretsToFileIfNeeded(authCfg)
-	if err != nil {
-		return nil, err
-	}
-
-	switch authCfg.AuthType {
-	case "rrsa":
-		tokenFile, err := m.metadata.Get(metadata.RRSATokenFile)
-		if err != nil {
-			return nil, err
-		}
-		sessionName := utils.GetRoleSessionName(m.volumeId, target, "ossfs")
-		options = append(options, fmt.Sprintf("rrsa_oidc_provider_arn=%s", authCfg.RrsaConfig.OidcProviderArn))
-		options = append(options, fmt.Sprintf("rrsa_role_arn=%s", authCfg.RrsaConfig.RoleArn))
-		options = append(options, fmt.Sprintf("rrsa_role_session_name=%s", sessionName))
-		options = append(options, fmt.Sprintf("rrsa_token_file=%s", tokenFile))
-	default:
-		options = append(options, "passwd_file="+passwdFile)
-	}
-	return options, nil
-}
-
-func saveOssSecretsToFileIfNeeded(authCfg *utils.AuthConfig) (string, error) {
-	if authCfg == nil || authCfg.Secrets == nil {
-		return "", nil
-	}
-	return utils.SaveOssSecretsToFile(authCfg.Secrets)
-}

pkg/mounter/mounter.go

@@ -1,11 +1,10 @@
 package mounter
 
 import (
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
 	mountutils "k8s.io/mount-utils"
 )
 
 type Mounter interface {
 	mountutils.Interface
-	MountWithSecrets(source, target, fstype string, options []string, authCfg *utils.AuthConfig) error
+	MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error
 }

pkg/mounter/proxy_mounter.go

@@ -6,7 +6,6 @@ import (
 
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/proxy"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/proxy/client"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
 	mountutils "k8s.io/mount-utils"
 )
 
@@ -22,18 +21,14 @@ func NewProxyMounter(socketPath string, inner mountutils.Interface) Mounter {
 	}
 }
 
-func (m *ProxyMounter) MountWithSecrets(source, target, fstype string, options []string, authCfg *utils.AuthConfig) error {
-	if authCfg == nil {
-		return errors.New("empty auth config")
-	}
-
+func (m *ProxyMounter) MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error {
 	dclient := client.NewClient(m.socketPath)
 	resp, err := dclient.Mount(&proxy.MountRequest{
 		Source:  source,
 		Target:  target,
 		Fstype:  fstype,
 		Options: options,
-		Secrets: authCfg.Secrets,
+		Secrets: secrets,
 	})
 	if err != nil {
 		return fmt.Errorf("call mounter daemon: %w", err)

pkg/mounter/utils/helper.go

@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud/metadata"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -204,3 +205,22 @@ func GetConfigDir(fuseType string) string {
 func GetPasswdFileName(fuseType string) string {
 	return fmt.Sprintf("passwd-%s", fuseType)
 }
+
+func AppendRRSAAuthOptions(m metadata.MetadataProvider, options []string, volumeId, target string, authCfg *AuthConfig) ([]string, error) {
+	if authCfg == nil {
+		return options, nil
+	}
+
+	if authCfg.AuthType == "rrsa" {
+		tokenFile, err := m.Get(metadata.RRSATokenFile)
+		if err != nil {
+			return nil, err
+		}
+		sessionName := GetRoleSessionName(volumeId, target, "ossfs")
+		options = append(options, fmt.Sprintf("rrsa_oidc_provider_arn=%s", authCfg.RrsaConfig.OidcProviderArn))
+		options = append(options, fmt.Sprintf("rrsa_role_arn=%s", authCfg.RrsaConfig.RoleArn))
+		options = append(options, fmt.Sprintf("rrsa_role_session_name=%s", sessionName))
+		options = append(options, fmt.Sprintf("rrsa_token_file=%s", tokenFile))
+	}
+	return options, nil
+}

pkg/oss/nodeserver.go

@@ -141,6 +141,10 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		return nil, status.Error(codes.InvalidArgument, err.Error())
 	}
 	mountOptions = ns.fusePodManagers[opts.FuseType].AddDefaultMountOptions(mountOptions)
+	mountOptions, err = mounterutils.AppendRRSAAuthOptions(ns.metadata, mountOptions, req.VolumeId, targetPath, authCfg)
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
 
 	// rund 3.0 protocol
 	if features.FunctionalMutableFeatureGate.Enabled(features.RundCSIProtocol3) {
@@ -159,7 +163,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	// Note: In ACK and ACS GPU scenarios, the socket path is provided by publishContext.
 	var ossfsMounter mounter.Mounter
 	if socketPath == "" {
-		ossfsMounter = mounter.NewOssCmdMounter(ossfsExecPath, req.VolumeId, ns.metadata, ns.rawMounter)
+		ossfsMounter = mounter.NewOssCmdMounter(ossfsExecPath, req.VolumeId, ns.rawMounter)
 	} else {
 		ossfsMounter = mounter.NewProxyMounter(socketPath, ns.rawMounter)
 	}
@@ -169,7 +173,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 		if opts.FuseType == OssFsType {
 			utils.WriteMetricsInfo(metricsPathPrefix, req, opts.MetricsTop, OssFsType, "oss", opts.Bucket)
 		}
-		err := ossfsMounter.MountWithSecrets(mountSource, targetPath, opts.FuseType, mountOptions, authCfg)
+		err := ossfsMounter.MountWithSecrets(mountSource, targetPath, opts.FuseType, mountOptions, authCfg.Secrets)
 		if err != nil {
 			return nil, status.Error(codes.Internal, err.Error())
 		}
@@ -189,7 +193,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 			utils.WriteSharedMetricsInfo(metricsPathPrefix, req, OssFsType, "oss", opts.Bucket, attachPath)
 		}
 		err := ossfsMounter.MountWithSecrets(
-			mountSource, attachPath, opts.FuseType, mountOptions, authCfg)
+			mountSource, attachPath, opts.FuseType, mountOptions, authCfg.Secrets)
 		if err != nil {
 			return nil, status.Error(codes.Internal, err.Error())
 		}