Skip to content

Support NAS access point RAM authentication with AK/SK #1562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Support NAS access point RAM authentication with AK/SK #1562

wants to merge 5 commits into from
+564 −268

Conversation

@iltyty
Copy link
Contributor

@iltyty iltyty commented Nov 20, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

  • Add support for NAS access point RAM authentication with AK/SK.
  • Refactor pkg/mounter: extract shared mounting logic into reusable mount interceptors.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Primary Changes:

  1. Extract non-mounting logic from mounters into dedicated mount interceptors. For example, operations such as credential persistence and monitoring setup during OSS mounting are now handled by interceptors rather than embedded in the mounter implementations.
  2. Wrap all mounters with pkg/mounter.MounterWorkflow. This workflow orchestrates the mounting process as follows:
    • Invokes the BeforeMount method of all registered interceptors.
    • Performs the actual mount using the underlying mounter.
    • Invokes the AfterMount method of all interceptors.
  3. Introduce AliyunSecretInterceptor to support RAM-based authentication for NAS access points.

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 20, 2025
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 20, 2025
AlbeeSo
AlbeeSo reviewed Nov 20, 2025
View reviewed changes
pkg/oss/nodeserver.go
ossInterceptors[opts.FuseType]...,
)
} else {
ossfsMounter = mounter.NewProxyMounter(socketPath, ns.rawMounter)
Copy link
Member

@AlbeeSo AlbeeSo Nov 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here it looks a bit odd. Mounter is a relatively high-level abstraction that includes both CmdMounter and ProxyMounter. If we define a function like NewForMounter, it should be used to create any type of mounter, instead NewProxyMounter. Or we can still use the NewOssCmdMounter?

pkg/mounter/interceptors/ossfs_secret.go Outdated
}

func (i OssfsSecretInterceptor) BeforeMount(req *mounter.MountOperation) (*mounter.MountOperation, error) {
filePath, err := utils.SaveOssSecretsToFile(req.Secrets, req.FsType)
Copy link
Member

@AlbeeSo AlbeeSo Nov 20, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems that both ProxyMounter and CmdMounter rely on SaveOssSecretsToFile. Can we reuse the Interceptor for the former?

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 21, 2025
@iltyty iltyty force-pushed the nas-ap-authentication branch 2 times, most recently from 99f9de7 to 2cfc19d Compare November 24, 2025 09:31
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 24, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: iltyty
Once this PR has been reviewed and has the lgtm label, please assign albeeso for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@iltyty iltyty changed the title Supporting NAS access point RAM authentication with AK/SK Support NAS access point RAM authentication with AK/SK Nov 24, 2025
iltyty
iltyty commented Nov 25, 2025
View reviewed changes
pkg/mounter/interceptors/alinas_secret.go Outdated
return op, nil
}

tmpDir, err := os.MkdirTemp("", "alinas-")
Copy link
Contributor Author

@iltyty iltyty Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

os.TempDir

iltyty
iltyty commented Nov 25, 2025
View reviewed changes
pkg/mounter/interceptors/alinas_secret.go
}

klog.V(4).InfoS("Created alinas credential file", "path", credFilePath)
op.Options = append(op.Options, "ram_config_file="+credFilePath)
Copy link
Contributor Author

@iltyty iltyty Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test mounting two APs on the same node with different AK/SKs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@huww98 huww98 Awaiting requested review from huww98

@mowangdk mowangdk Awaiting requested review from mowangdk

1 more reviewer

@AlbeeSo AlbeeSo AlbeeSo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@iltyty @k8s-ci-robot @AlbeeSo