From 2540e1878fd14901ba09bbfa51d99d93a3d81368 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Thu, 14 Dec 2023 14:17:06 +0000
Subject: [PATCH] feat: customize kerberos settings
---
charts/README.md | 2 ++
charts/latest/csi-driver-smb-v0.0.0.tgz | Bin 4788 -> 4873 bytes
.../templates/csi-smb-node.yaml | 2 ++
charts/latest/csi-driver-smb/values.yaml | 2 ++
cmd/smbplugin/main.go | 4 +++
pkg/smb/nodeserver.go | 32 +++++++++---------
pkg/smb/nodeserver_test.go | 4 ++-
pkg/smb/smb.go | 8 +++--
8 files changed, 35 insertions(+), 19 deletions(-)
diff --git a/charts/README.md b/charts/README.md
index a01fa5173ec..6dc0a3d85d4 100644
--- a/charts/README.md
+++ b/charts/README.md
@@ -102,6 +102,8 @@ The following table lists the configurable parameters of the latest SMB CSI Driv
 | `linux.dsName` | name of driver daemonset on linux | `csi-smb-node` |
 | `linux.dnsPolicy` | dnsPolicy of driver node daemonset, available values: `Default`, `ClusterFirstWithHostNet`, `ClusterFirst` | `ClusterFirstWithHostNet` |
 | `linux.kubelet` | configure kubelet directory path on Linux agent node node | `/var/lib/kubelet` |
+| `linux.krb5CacheDirectory` | directory for kerberos cache on Linux agent node node | `/var/lib/kubelet/kerberos/` |
+| `linux.krb5Prefix` | prefix for kerberos cache on Linux agent node node | `krb5cc_` |
 | `linux.resources.livenessProbe.limits.memory` | liveness-probe memory limits | `100Mi` |
 | `linux.resources.livenessProbe.requests.cpu` | liveness-probe cpu requests limits | `10m` |
 | `linux.resources.livenessProbe.requests.memory` | liveness-probe memory requests limits | `20Mi` |
diff --git a/charts/latest/csi-driver-smb-v0.0.0.tgz b/charts/latest/csi-driver-smb-v0.0.0.tgz index 74e6d05cc257a790c725700e56a4f85c1da29e83..29e89a4dfd5e1b86c38d3009cdbef51e7f24977f 100644 GIT binary patch delta 4741 zcmV;05_;{lC5a}GJAXZEZ`(Mw^VvZE1K|#^vwJJQ^60F9d}x!*OflOeh|^gNHj99k zj&0sZqL!rGcr*F$7ktQiQMUX@+TJmNHnv2bLmr+N&mn1#6US#{2F&5%sCzoaOmyZr z48Gf4>GgWOM+e8py|?{-|GQrQuzxoge202F>_cryxWMeY z-qyIvgZoAbj>&JpIH8e?X8jh9P5n>QiP6TCh7fn1S zYu^9J9WL;ML=z|1s>{Ps93&GGsfGeiT;$;hv$^^nCqZyU1LDnH^kIBK#T5e%k!T^Q zO0F245vf3cRq-zAYFBc0oHfo+&kj1roxv*90hvJroPS?2I)e2ur%hwoG>3Q4>GwOm zRfr?%gI2HC8VBBB;1WnG*DM87=*r(a{RY&J8GV>r=6h-;e4+d0d~?-}&m{8cXP(mk zVV*4oI<2Nzd@!h!n!g?pGgp)5tt^v zGEj4xbbrtg1QHaDaliqQv3!U=<48SBILPk|(a%vw;-isZGzfrcW5&aglRa}dHnWty zRpjQl)nX&;mAfo!E5j(QVM|Ynn}68xI5891YK;Mlgei`L2#*5z8N_ciNJ1D2EVu#L z%Jp#ps@m6Zd`%1+bq8T zt^yoE_9~#0f4~d^7ag?_`b^n9i6$Qx#N0)X zPevMs5P&BrGmiuffMMx18n6z!hq;T|N>&&Rpp$72sY^mN;cbJF#^?z(- zbBi!od7`ADUQ}n)`W@e_nrazWq`=tP19*)-MFDWG`~Vy0*A_jZQaZ9qo1=HXuyJA`xw!;kMj z;y5PJVDa)PED@o2tI8So3J3Nj%(!HMd0he5`3u6rJk|d!`&E zebtoxOeM*1+Wj3R0)==k9o_}Eq7X+34uUzt0jCOho+TB|I({tjk~S6<>w%=d%(TbZ zzPLf}KHdCsdHvz$_uJdy@57t(kL|^rEsTsILc79@ZaTPD%S*VR;Xm*Q0)LJB^=ou0 zy;x6n2hlOYQACCAoOIi<@2fvSfW#C~Onu&pssApkWd{=|6iXl!`ykD&Tvs8Ct{9<= zi1}%NxdH$YPncOe$kvD_Y({3VkQT(JlnFcmEi8qco1kJ zdnyM`qKc7hNZjAb%kkpWz8T?PG~s zms0#sKp3mIZ};Nz=6u)@4`O>9tK$C$hX7q$$vg*V2;C$9XV;^I4*fK5>f>SdU|Rj$N7wfH{C0VWu;dB@1_vM zz<5W*+ol3m$bbLnxL=b03RJHP3S zldO3;1ICCC=nv`NMjkpoP#;M+OvZAV-F7ly5c%q}?waxGc52%#608cFrtP~$ z9@jLJRO#?(SAR`bp{f~-lRZgW{-J`$QXRMdr;XZoZ39bElZ+Qrmv`KeA~q8AcN_-x z8h;=X`49;-P~_L(!BE%Fm?hU+mGHXCDoM2EXRd0* za5RCX?c`Eh&zdA&egO85vO8Z|;7g@e{}&dEYWcZwQh#`b{y*rwE$RP3@342g*Z(h3 zO43mm>3Vv4)w(B<@1ipmG#G+-)ynT3!EwyHv;M1A2m%0F@Ki67*vA5ff?)xZxq5^Uqd`ET$tU&BJgbJ> zb6r=_w147z(`|&z`ZNzxzDWI613r}Qs0l8l2yq;*L7-GTQ-B$*8&KtV(cSeCBV?#4 z`QLbH5>l*yYAr~+9rX&SK0(QpyN zTa)&d2vd$)mA5%6r4W>Y$#Z7GK-aKmX5@2|>g3Ygifpe^+djoyCudN*+b&w{jKSM2{A^xhto{lBB$!QTISiQ+g;>e#7RUkH(~Id+*} 
zXLIXvOcH6Qp_w<=)S1)1ob;$tCob=Hf!=LZ*z9EQT>4&jkQdTZdGD;oIkOIP;gc0z zvZfwctwUx-mb0mu)4oVqrEAU7@;iI~2Y-rk2EPC=w^S{H&gIjxHn~)sYgzD@nibrP z{K9zQSXMom-0*Y$Oxc~O_h!myEbf|lp4+=(C;y^C2CKM9vEmpNU*}+D5Q_QHWy3Ey zhwBVkhurfSR~MsC`*iSWI<4N3g$5*e7fh$(FYqE$OLm?m)MhR z3rqsOh?BYtGJkyk!|CwD-TB4Y)#Zna8=Da|CtnuAt4_UkdafO9?wpJrvkuNIcDWb` z`f0i_v@|oPU>qeJQfO+1T{0QjIpdJlebaQ&O zNjHk*wPH3^8e+EYd)8%)NsutOnKIy08ueYt2j<&xhdA$mcFP=oRW1o3MD@FTRd}5$f9;*Lq)h_P4uWNkkspZnw^8E!CVcBQp}f zBzFWQD~;6ZGkIvG#!ZFEia><%_WmCaM>Xb2kKeK&vknZxSj^QqxyPqUi)v2`)xUJ` za$mMCD}Uqv#?owaBfzTtzk@+}|L@!5efG`!Swt%h3{~Zkmhvod= z+k?Zs{J%u0+5ffJ_Ep~XwSI0e1-aNy^h~M2(tj>5%O<{&qw5Qkxi4Zdn<_6GV=+DX{)e;c z55JvX-(8>od^fy2{q^qZ-OVq5Z5GXh2klnni$}u{M}GOS>_`2rV;y(^OM~q?oTWTn19RG)r@jn`8j%GnSQ#vVRA} zKl%QLqEMGBswAjf5IYkPj+PyV3oLlPSLXJ@j_v9~`{?u?M=I15>RXN+UtM$LB>JAC z6N`#ldNI;=In1?u%+0cw`yAqKt>trAqtd&?cB;rx4CAE?0;;zWfg^#{7rDkcBLk-k(dGpB@P^628at11Zk|o zHwVbW7z;8Y0TJ^zvc>!_3{b+=^=)}zGz#X@D5?t&s1MRQ8i?}I2n0sv@O^q0!s+k> z$}YWaLRSf83*uIrFQxGM*fg2T?bdZmHpo`5U_y1kQ+B$jj@IMIrrfwDvVRh5?u;#W z#FFc<<2Gb2!di3=Vty{O?PYQX)zn4%=n+ zR|DMVe(kh)uFP*0lP-UTgMXtt$@9t~NLg zUn13Qsr=QXxmShtkD3JTH#&N~Wm;S7kSyZRH4%qyZNy=-^WVEo9e;0dT6L4ead)G% zaak?zlg9g`@!IEH>+;4{sLzl%zGtH&NBzK(v-lmSld9gR{3g^AX!_Tj>_7~M?{mw= zm)~w~d9}IvTJy@=d&g+`QQH?jL0hr#R(r>2j3-$C4E1}WMV`3q3$?|N_ihB`vnHqYI{$^46UH0_x zFAW7Ww<8?NHvc^hU^!wWFy4aeDVOfZ8;Y(P0Pnm4E&*P&ZI zERPc@8#^7)R&D@2N|{fhyiC||D5-rOqFHC(q=YQ^{;h<&DzxuOGNDYq)u%;{R^a@;1$RVpL1#HuQ~&D9%POyUwU=QQ@0HsAZQFZ;4D T8<+nJ00960If-8-0FD3v*6BXH delta 4655 zcmV+~64335CbT7xJAZxoZ`(Nbcz-s~|ABA^nA!bSzH)R{Kz?YG%uF$x193Ww!Ddm= z(zDHPB~eRKZoFy!_YZi;x+q&dlD4}h(8iX?_sGY0@ja6EIB|SNX22XCj=HB)%tU97 z!{Ej4O0U=J9UmU5zr9|s{I}OX9=zxu9t{o-`n~?a;fr4Xuz%Mdyg7Tv;J%ZBWAXp`#?4Wbp8LUDbkQqe4`F}N|BUle}+BB9;b9e`xe!tUO zg*c)yotSfW$nFIkEfob9^ z12v~f2Y(GgAVJX>2OJO?%ZKPQj?}}1gZ$1A{Ty{9J{k!|g8-N|W;`4@*)xY@GfUZ9 zMQ)B;EjGelxy!P)GK|t1w)CX9`G*~k6El&m))=rznBq8y@F;*^LHt33B!r>Bf*X*n zTpt&ps(o##X$y#lxr^j{`w>s6ei|fP0Q-e7E`R<(#Pm1H#U%)YULicgB#^j~wg)ac 
zgE3A5@w%>6@kI-v5CkJ0zotyMXz;h=!$Z4FO#ugDnpKnB!IJ1Iy1){gt7j~Ic&bNs z9pDJER{@>;9cB=?=%|IzXUaa2XmTML;*2mCwYwsW+lmyNCd>n_QQMS@>|;m-Pru25 zgnx?V4|=@|VxBVicLF?L%Zn2i^?PBZ*&uCY8GAjl{+7rVO1d7!U@H`OJSGtla~C~4 z8fh3p0G^=CJQ6ejhNahNz&hv?%w5!0vchNpolJX3T@tDZZySs>maQeU_W3>Gf~PNF zJO)p=sC`L?-W2>KfOaGJMk->-J5P?q*?$5}OX(IVL-_tfw2(zDz(rnfAW#PlW~&vD zD7nv6j=xY`KEEue7TFZNLOzC&MjV9FJkP0DB((z&F6z!O>jq@hHBam;XQg~e4?L@6 z)>`-PRvEO6!7s3nwzIF$hbREfm9@nI1MJVy6#J5$kn#->iMYT)0RC%a;B->Aqkm(d zohZ9cxat{U;Mee_^gL|5xnP+ePu;s2W_JM@-I<3!Ds~9z42Bo)E^r)^XmXY?5=}lt zq4GacNm#1SN=kt8O%=>mta-H2BpziLI@UBOiY{!0JyVX79%0IUrjleh?PQJ; zfkHf&ZsmeoQHY}i2f-ZSfKvrL&wr8%XB|Hlc}c6}ijGFoD`ncRYhT`?w;yhQySjOQ z`{&)=@Xz7x`9*s%XA4zsh|sPuqni${)$$T9X!v(Lfc7ou*}((~#S#d`K1ib`S1$;oYepy|VtyK6u73bP#1m#* zblDp5gw4nd7Se+Flrn)Qz$GXKV;4<@h`HPC7HQ#Ak4qEnK`hjVF_|QKCb}{8o!Fpu zVg?YZm{+$I=li4Qn9sR@(DAfway&)^@o*rq55Y@hZMBMkdx0jhr*hyljwus~oMbsF zmPD!!CJ``%If`h+C>3ZlM}HiIAkhS2#0|Jp4NYPg%@N$=Fb)8@@_VU@iykEGxBLT_ z{&T!Zh(r4k3vqhWl_=$J_N;z7(~aM4W?2@-;_%#Y}CAF=x{E~WUNfG}2Z-|pqr z?fI}H?#1>vR>l7h4i8H4zoVo6(LVn79OZTjDxg2Sc$WtC2}cv7e}8<413Cw#zm@tm z8n4r8-BRRD!TVHhtrfJuBH^!5902AZ)sfpWo|q>B@fdq>^6-EdAo!`ee@|7nLRHmw&FVf$7iEd9ErKb>mDUc#I67)|T2KE|X5Q%(<1R5yv zYjAQltrHt3L4P1URR%&&@4{uSnOfOksOx9UlIyKXcwJ|eB--*bS2bcdn!wU_2stM7 zE{T^Pfc>NF&esu7G627jk{6F2s<`%w` z>V-sJkoYBC-pOkgS&_%!sa_r5x~}4U#rLM$ z2$_|09;AGc`mF|hDBV#L_DB)pI9`K5sd%OUGg>#G%JHJR>mx?UP*d{DXCkKc?Q+4b z9Kw9a>wjh5L}dN@*-US$Hq)l%&_y-|gZnB@;i5&EQZB9;^?;j{Y5wIRJaV~`Khr22 z`hxzQP@z^PDX6K=QGBNCQxQiYD%XT&`35PIHz803vSQLSl$fL8BD%OH?Jcpd9JMNM zb5u$pC=(J^cEQH z5*3=JTVl}TW96M4tXp4C;E8mf43Ps4O?$B=rowbC5MAfCU(`d&Hfa>t!;xRUw&B{B zos^~iUvV?Z#tz_${eOero1?P-clhRD@BckVaU3Ug>{P5Tgh<#NyUee%xpg@viL}$u z%zv9}>da|hPI^?S6PI_pK<~CHY<9ADE`6^%$P0%vsNE$t-%jJMh?RVOzcFe1C1@ zQ|F!chQ9lba2BN+A4%;0PF*E zz-;4KU86xB&jJMQ1;dUu+D>XP)h@4mWr$|w0cyT711P*hdPkv)q~9w4bvX4tt-I>U zQ@^nG$pM97-qia9!tn{q2P78TzHAz!;J}!QrS9gm zNPkf5a9Jl6dc^?yS5Yv(p;Y`r0?-><3g$5*e7YOW(FYqE$a7);+LNdYOaeZOllBWT 
zfBf*%>G1u>^UJgAtM`|;HX~|IzAS`SoqFx`Tszv_IT<@<9h_P0axoC}({y2IX=YBr zI7&FA(9{gObXukaOsb3u5f?t6K4h?+MoG=0uJNDJyO>cyJsP;^_Vjv_ZWPID#cZlH z#BAM>t;-mbAYpJjWx%I2@bwXmtW1T7e}9FNsz4~#nyZEYYHYT5a{Wtia0UUM55c36 z&s}uTE7UPIVez_Od>sQL)VDXT^}h1#Z+F3xh}^r~Zk^FusySmuW+Z?~?g&a&8mZMM z^3Y0+n+lT^fe7R6{XZU#YRr=!zhyyY9TGqzHD7qf5!if zrP=02fK~f{2ZQqd-#175`2X`1$8iebeshRCJy$;Ko9w{p@V(yPyF3w4^h*|Ddn^R@ zrZ?uaO?GlOrvCeAOs}Gg+*zxyO_KkqvQqxjlXY8c0b7y(I~oiQ%lW@IgTuZ2KS!zA z|FzimRo?Zrer_-Yx!6ziM5)2je=aY}Ca+ERc-3w3+9ZW&qsCKZ5N)_>^KEJ6ou(9Q z#}jQisq}cFeLvGi39yx0qqa#Ue%A@56!JP5Om*)6$udQyz;d?QXtoEsrq_*Ff2TvWUkuei zG%U9R>{dWlBB(O0t;vSM@)X#c2~Lqm*B2&plf_~-RbDp6VtVq!PiHsp|2V(-cys>i z$KloK?;o$<-v0KNX3vG>CZC>EURY3BUx3C5l0<5$N`wZmQ%Rp+EW@+wmlMG;e#w!y#DOEs0C7QrAdOY{<^XvZV?jnF zAY%SnwwV9O03}>qESCpHqhKzLqPp;a`XH^NfhZr1KwxAJ-=}vWoDSck?9$sNbd^xH zAa1q!QVOq+O_RCYZe6!zgKYH*CR7JJWv7ekXg!W>%8hFxe=D)(&e(ECEV&LlZbRlG zthM-ZBZAxUE%CyaVOg$q%?j#cdJlI|4eMON8DT19T_wC-?Qh$X?|*uhQc6Ur!(qG3{%U~x+^?M$ zPnG$tV$$V*f8pThPV&66MJqFn&5w;5%5QsOw3u&gnnu@0J9n5wH*Uc9ob9eqL(kAR zeR6W!e0YYR?Mo^$S@k?3D&>;{Eql4 zY)@!}18Wyl8>K(iI^SA0M{6Yu8)h!n_aYjlEgDS1=3U&V2Q_oBHK7)%uFbktacTAm zpKqenf98MK2z!o60zGN|r+0Ap=1nF4GuZ$B&$E6#dPj^1JNm!$Z1;C?`>*3@)1k^&Tf;N*Vc&Qmxf<+xiEaZfF3@hpJ#1 z)91jwkc)>Pe}A94g0bZVW8*R9Xhv#jWO${%=oHrb2 z!!f}OBC!GG%xGStc3g*U^{_lnq-^YTKwAOyC}lp0@-kt=p``X{h-RIAlM=Gv`AIh~O~)j0W{jQ&4(!brJQxn};~I+x=%QLa)MnblrZ(QU5Y l&|(sokU6KZzqa|_mwnlnec8DDUjP6A|NjI+*Vh1!008^nM27$X diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml index 13e8ef72797..22699356208 100755 --- a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml +++ b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml 
@@ -108,6 +108,8 @@ spec:
 - "--endpoint=$(CSI_ENDPOINT)"
 - "--nodeid=$(KUBE_NODE_NAME)"
 - "--enable-get-volume-stats={{ .Values.feature.enableGetVolumeStats }}"
+ - "--krb5-cache-directory={{ .Values.linux.krb5CacheDirectory }}"
+ - "--krb5-prefix={{ .Values.linux.krb5Prefix }}"
 ports:
 - containerPort: {{ .Values.node.livenessProbe.healthPort }}
 name: healthz
diff --git a/charts/latest/csi-driver-smb/values.yaml b/charts/latest/csi-driver-smb/values.yaml
index 35c35fd9054..6e720b64261 100755
--- a/charts/latest/csi-driver-smb/values.yaml
+++ b/charts/latest/csi-driver-smb/values.yaml
@@ -92,6 +92,8 @@ linux:
 dsName: csi-smb-node # daemonset name
 dnsPolicy: ClusterFirstWithHostNet # available values: Default, ClusterFirstWithHostNet, ClusterFirst
 kubelet: /var/lib/kubelet
+ krb5CacheDirectory: /var/lib/kubelet/kerberos/ # directory for kerberos credential cache
+ krb5Prefix: "krb5cc_" # prefix for kerberos credential cache
 tolerations:
 - operator: "Exists"
 resources:
diff --git a/cmd/smbplugin/main.go b/cmd/smbplugin/main.go
index 157cba6ee73..344281336e7 100644
--- a/cmd/smbplugin/main.go
+++ b/cmd/smbplugin/main.go
@@ -45,6 +45,8 @@ var (
 removeSMBMappingDuringUnmount = flag.Bool("remove-smb-mapping-during-unmount", true, "remove SMBMapping during unmount on Windows node")
 workingMountDir = flag.String("working-mount-dir", "/tmp", "working directory for provisioner to mount smb shares temporarily")
 volStatsCacheExpireInMinutes = flag.Int("vol-stats-cache-expire-in-minutes", 10, "The cache expire time in minutes for volume stats cache")
+ krb5CacheDirectory = flag.String("krb5-cache-directory", "/var/lib/kubelet/kerberos/", "The directory for kerberos cache")
+ krb5Prefix = flag.String("krb5-prefix", "krb5cc_", "The prefix for kerberos cache")
 )
 func main() {
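Review bot: The new `--krb5-cache-directory` argument is rendered from `linux.krb5CacheDirectory` as an independent absolute path, while `linux.kubelet` (default `/var/lib/kubelet`) is also user-configurable, and the driver refuses to create the directory (`kerberosCacheDirectoryExists` in pkg/smb/nodeserver.go returns an error when it is missing). If the node pod only reaches this directory through the kubelet hostPath mount, which this hunk does not show, a user who overrides `linux.kubelet` without also overriding `linux.krb5CacheDirectory` gets a NodeStageVolume failure for every kerberos mount. Either derive the default from the kubelet path in the template, e.g. `- "--krb5-cache-directory={{ .Values.linux.krb5CacheDirectory | default (printf "%s/kerberos/" .Values.linux.kubelet) }}"`, or state in values.yaml and the README that the two values must agree and that the directory must already exist on the node.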
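Review bot: The two new flags are accepted without any validation, and both feed straight into file paths built by plain string concatenation in pkg/smb/nodeserver.go (`fmt.Sprintf("%s%s", krb5CacheDirectory, fileName)`), so an empty `krb5-prefix`, a prefix containing a path separator, or a relative `krb5-cache-directory` silently changes where credential caches are written and what the symlink cleanup later scans. Before building driverOptions in handle(), reject an empty prefix or one where `strings.ContainsAny(*krb5Prefix, "/\\")` is true, and reject a `*krb5CacheDirectory` that is not absolute (`filepath.IsAbs`). The help strings should also tell the operator the contract the driver enforces, e.g. `"The directory for kerberos credential caches; must already exist on the node and end with a path separator"`, since the driver will not create it.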
@@ -74,6 +76,8 @@ func handle() {
 RemoveSMBMappingDuringUnmount: *removeSMBMappingDuringUnmount,
 WorkingMountDir: *workingMountDir,
 VolStatsCacheExpireInMinutes: *volStatsCacheExpireInMinutes,
+ Krb5CacheDirectory: *krb5CacheDirectory,
+ Krb5Prefix: *krb5Prefix,
 }
 driver := smb.NewDriver(&driverOptions)
 driver.Run(*endpoint, *kubeconfig, false)
diff --git a/pkg/smb/nodeserver.go b/pkg/smb/nodeserver.go
index 3cf93359811..5bc75879cd7 100644
--- a/pkg/smb/nodeserver.go
+++ b/pkg/smb/nodeserver.go
@@ -186,7 +186,7 @@ func (d *Driver) NodeStageVolume(_ context.Context, req *csi.NodeStageVolumeRequ
 sensitiveMountOptions = []string{password}
 }
 } else {
- var useKerberosCache, err = ensureKerberosCache(volumeID, mountFlags, secrets)
+ var useKerberosCache, err = ensureKerberosCache(d.krb5CacheDirectory, d.krb5Prefix, volumeID, mountFlags, secrets)
 if err != nil {
 return nil, status.Error(codes.Internal, fmt.Sprintf("Error writing kerberos cache: %v", err))
 }
@@ -264,7 +264,7 @@ func (d *Driver) NodeUnstageVolume(_ context.Context, req *csi.NodeUnstageVolume
 return nil, status.Errorf(codes.Internal, "failed to unmount staging target %q: %v", stagingTargetPath, err)
 }
- if err := deleteKerberosCache(volumeID); err != nil {
+ if err := deleteKerberosCache(d.krb5CacheDirectory, volumeID); err != nil {
 return nil, status.Errorf(codes.Internal, "failed to delete kerberos cache: %v", err)
 }
@@ -469,12 +469,12 @@ func getCredUID(mountFlags []string) (int, error) {
 return -1, fmt.Errorf("Can't find credUid in mount flags")
 }
-func getKrb5CcacheName(credUID int) string {
+func getKrb5CcacheName(krb5Prefix string, credUID int) string {
 return fmt.Sprintf("%s%d", krb5Prefix, credUID)
 }
 // returns absolute path for name of file inside krb5CacheDirectory
-func getKerberosFilePath(fileName string) string {
+func getKerberosFilePath(krb5CacheDirectory, fileName string) string {
 return fmt.Sprintf("%s%s", krb5CacheDirectory, fileName)
 }
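Review bot: getKerberosFilePath now joins an operator-supplied directory to the file name with no separator, so a `--krb5-cache-directory` value without a trailing slash (e.g. `/var/lib/kubelet/kerberos`) makes every cache file land in the parent directory under a mangled name such as `/var/lib/kubelet/kerberoskrb5cc_1000`, and deleteKerberosCache then scans the wrong directory. This was harmless while the directory was a constant ending in `/`, but it is a real misconfiguration path now; replace the body with `return filepath.Join(krb5CacheDirectory, fileName)` (adding `path/filepath` to the imports if it is not already there), which produces the same result for the default value and for the `goodFileName` expectation in nodeserver_test.go. The doc comment should then say `// returns absolute path of fileName inside krb5CacheDirectory; the directory may be given with or without a trailing separator`.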
@@ -483,7 +483,7 @@ func volumeKerberosCacheName(volumeID string) string {
 return strings.ReplaceAll(strings.ReplaceAll(encoded, "/", "-"), "+", "_")
 }
-func kerberosCacheDirectoryExists() (bool, error) {
+func kerberosCacheDirectoryExists(krb5CacheDirectory string) (bool, error) {
 _, err := os.Stat(krb5CacheDirectory)
 if os.IsNotExist(err) {
 return false, status.Error(codes.Internal, fmt.Sprintf("Directory for kerberos caches must exist, it will not be created: %s: %v", krb5CacheDirectory, err))
@@ -493,8 +493,8 @@ func kerberosCacheDirectoryExists() (bool, error) {
 return true, nil
 }
-func getKerberosCache(credUID int, secrets map[string]string) (string, []byte, error) {
- var krb5CcacheName = getKrb5CcacheName(credUID)
+func getKerberosCache(krb5CacheDirectory, krb5Prefix string, credUID int, secrets map[string]string) (string, []byte, error) {
+ var krb5CcacheName = getKrb5CcacheName(krb5Prefix, credUID)
 var krb5CcacheContent string
 for k, v := range secrets {
 switch strings.ToLower(k) {
@@ -509,7 +509,7 @@ func getKerberosCache(credUID int, secrets map[string]string) (string, []byte, e
 if err != nil {
 return "", nil, status.Error(codes.InvalidArgument, fmt.Sprintf("Malformed kerberos cache in key %s, expected to be in base64 form: %v", krb5CcacheName, err))
 }
- var krb5CacheFileName = getKerberosFilePath(getKrb5CcacheName(credUID))
+ var krb5CacheFileName = getKerberosFilePath(krb5CacheDirectory, getKrb5CcacheName(krb5Prefix, credUID))
 return krb5CacheFileName, content, nil
 }
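Review bot: kerberosCacheDirectoryExists only checks that something exists at the now caller-supplied `krb5CacheDirectory`; it discards the FileInfo, so a path that points at a regular file or a symlink target that is not a directory passes the check and the later `os.WriteFile`/`os.ReadDir` calls fail with less useful errors. Now that the value comes from a command-line flag rather than a constant, keep the info and verify it: `info, err := os.Stat(krb5CacheDirectory)` followed by `if err == nil && !info.IsDir() { return false, status.Error(codes.Internal, fmt.Sprintf("Kerberos cache path is not a directory: %s", krb5CacheDirectory)) }`. The rest of the function, including whatever it does for a non-IsNotExist error, lies outside this hunk.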
@@ -517,10 +517,10 @@ func getKerberosCache(credUID int, secrets map[string]string) (string, []byte, e
 // Create kerberos cache in the file based on the VolumeID, so it can be cleaned up during unstage
 // At the same time, kerberos expects to find cache in file named "krb5cc_*", so creating symlink
 // will allow both clean up and serving proper cache to the kerberos.
-func ensureKerberosCache(volumeID string, mountFlags []string, secrets map[string]string) (bool, error) {
+func ensureKerberosCache(krb5CacheDirectory, krb5Prefix, volumeID string, mountFlags []string, secrets map[string]string) (bool, error) {
 var securityIsKerberos = hasKerberosMountOption(mountFlags)
 if securityIsKerberos {
- _, err := kerberosCacheDirectoryExists()
+ _, err := kerberosCacheDirectoryExists(krb5CacheDirectory)
 if err != nil {
 return false, err
 }
@@ -528,14 +528,14 @@ func ensureKerberosCache(volumeID string, mountFlags []string, secrets map[strin
 if err != nil {
 return false, err
 }
- krb5CacheFileName, content, err := getKerberosCache(credUID, secrets)
+ krb5CacheFileName, content, err := getKerberosCache(krb5CacheDirectory, krb5Prefix, credUID, secrets)
 if err != nil {
 return false, err
 }
 // Write cache into volumeId-based filename, so it can be cleaned up later
 volumeIDCacheFileName := volumeKerberosCacheName(volumeID)
- volumeIDCacheAbsolutePath := getKerberosFilePath(volumeIDCacheFileName)
+ volumeIDCacheAbsolutePath := getKerberosFilePath(krb5CacheDirectory, volumeIDCacheFileName)
 if err := os.WriteFile(volumeIDCacheAbsolutePath, content, os.FileMode(0700)); err != nil {
 return false, status.Error(codes.Internal, fmt.Sprintf("Couldn't write kerberos cache to file %s: %v", volumeIDCacheAbsolutePath, err))
 }
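Review bot: The doc comment on ensureKerberosCache still describes only the VolumeID/symlink scheme and says nothing about the two new leading parameters, although the function's behaviour now depends on how the caller supplies them. Extend the comment with a sentence such as `// krb5CacheDirectory must already exist (it is never created) and is concatenated directly with file names, so it is expected to end with a path separator; krb5Prefix is the file-name prefix kerberos looks for (normally "krb5cc_").` The hunk's `os.WriteFile(..., os.FileMode(0700))` is unchanged by this commit, but while this function is being touched it is worth noting that a credential cache is a data file and `0600` is the conventional mode; the execute bit serves no purpose here. The function continues past the end of this hunk.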
@@ -561,8 +561,8 @@ func ensureKerberosCache(volumeID string, mountFlags []string, secrets map[strin
 return false, nil
 }
-func deleteKerberosCache(volumeID string) error {
- exists, err := kerberosCacheDirectoryExists()
+func deleteKerberosCache(krb5CacheDirectory, volumeID string) error {
+ exists, err := kerberosCacheDirectoryExists(krb5CacheDirectory)
 // If not supported, simply return
 if !exists {
 return nil
@@ -573,7 +573,7 @@ func deleteKerberosCache(volumeID string) error {
 volumeIDCacheFileName := volumeKerberosCacheName(volumeID)
- var volumeIDCacheAbsolutePath = getKerberosFilePath(volumeIDCacheFileName)
+ var volumeIDCacheAbsolutePath = getKerberosFilePath(krb5CacheDirectory, volumeIDCacheFileName)
 _, err = os.Stat(volumeIDCacheAbsolutePath)
 // Not created or already removed
 if os.IsNotExist(err) {
@@ -585,7 +585,7 @@ func deleteKerberosCache(volumeID string) error {
 // If file with cache exists, full clean means removing symlinks to the file.
 dirEntries, _ := os.ReadDir(krb5CacheDirectory)
 for _, dirEntry := range dirEntries {
- filePath := getKerberosFilePath(dirEntry.Name())
+ filePath := getKerberosFilePath(krb5CacheDirectory, dirEntry.Name())
 lStat, _ := os.Lstat(filePath)
 // If it's a symlink, checking if it's pointing to the volume file in question
 if lStat != nil {
diff --git a/pkg/smb/nodeserver_test.go b/pkg/smb/nodeserver_test.go
index fa857986675..c7531f29253 100644
--- a/pkg/smb/nodeserver_test.go
+++ b/pkg/smb/nodeserver_test.go
@@ -800,6 +800,8 @@ func TestGetKerberosCache(t *testing.T) {
 ticket := []byte{'G', 'O', 'L', 'A', 'N', 'G'}
 base64Ticket := base64.StdEncoding.EncodeToString(ticket)
 credUID := 1000
+ krb5CacheDirectory := "/var/lib/kubelet/kerberos/"
+ krb5Prefix := "krb5cc_"
 goodFileName := fmt.Sprintf("%s%s%d", krb5CacheDirectory, krb5Prefix, credUID)
 krb5CcacheName := "krb5cc_1000"
@@ -855,7 +857,7 @@ func TestGetKerberosCache(t *testing.T) {
 }
 for _, test := range tests {
- fileName, content, err := getKerberosCache(test.credUID, test.secrets)
+ fileName, content, err := getKerberosCache(krb5CacheDirectory, krb5Prefix, test.credUID, test.secrets)
 if !reflect.DeepEqual(err, test.expectedErr) {
 t.Errorf("[%s]: Expected error : %v, Actual error: %v", test.desc, test.expectedErr, err)
 } else {
diff --git a/pkg/smb/smb.go b/pkg/smb/smb.go
index 0ca46171709..c768cd16b02 100644
--- a/pkg/smb/smb.go
+++ b/pkg/smb/smb.go
@@ -38,8 +38,6 @@ const (
 sourceField = "source"
 subDirField = "subdir"
 domainField = "domain"
- krb5Prefix = "krb5cc_"
- krb5CacheDirectory = "/var/lib/kubelet/kerberos/"
 mountOptionsField = "mountoptions"
 defaultDomainName = "AZURE"
 pvcNameKey = "csi.storage.k8s.io/pvc/name"
@@ -59,6 +57,8 @@ type DriverOptions struct {
 RemoveSMBMappingDuringUnmount bool
 WorkingMountDir string
 VolStatsCacheExpireInMinutes int
+ Krb5CacheDirectory string
+ Krb5Prefix string
 }
 // Driver implements all interfaces of CSI drivers
@@ -74,6 +74,8 @@ type Driver struct {
 volStatsCache azcache.Resource
 // this only applies to Windows node
 removeSMBMappingDuringUnmount bool
+ krb5CacheDirectory string
+ krb5Prefix string
 }
 // NewDriver Creates a NewCSIDriver object. Assumes vendor version is equal to driver version &
@@ -86,6 +88,8 @@ func NewDriver(options *DriverOptions) *Driver {
 driver.enableGetVolumeStats = options.EnableGetVolumeStats
 driver.removeSMBMappingDuringUnmount = options.RemoveSMBMappingDuringUnmount
 driver.workingMountDir = options.WorkingMountDir
+ driver.krb5CacheDirectory = options.Krb5CacheDirectory
+ driver.krb5Prefix = options.Krb5Prefix
 driver.volumeLocks = newVolumeLocks()
 if options.VolStatsCacheExpireInMinutes <= 0 {
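Review bot: TestGetKerberosCache now passes `krb5CacheDirectory` and `krb5Prefix`, but the values it passes (set in the earlier hunk of this file) are the very defaults the removed constants held, so the test would still pass if getKerberosCache ignored its new parameters. Use values that differ from the defaults, e.g. `krb5CacheDirectory := "/custom/krb5/"` and `krb5Prefix := "cc_"`, and derive the expectations from them: `goodFileName` already does, but `krb5CcacheName := "krb5cc_1000"`, which feeds the expected InvalidArgument message, should become `krb5CcacheName := fmt.Sprintf("%s%d", krb5Prefix, credUID)`. A second case with a directory lacking the trailing separator would also document the current concatenation behaviour of getKerberosFilePath.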
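Review bot: NewDriver copies `options.Krb5CacheDirectory` and `options.Krb5Prefix` verbatim, with no fallback when they are empty, so any caller that builds a DriverOptions without the new fields (tests, other binaries, older deployments of the chart that do not pass the new flags) ends up with an empty cache directory and an empty prefix; `kerberosCacheDirectoryExists("")` then fails every kerberos NodeStageVolume, while `getKrb5CcacheName("", uid)` would produce a bare numeric file name. Rather than deleting the constants in the first hunk of this file, rename them `defaultKrb5CacheDirectory`/`defaultKrb5Prefix` and apply them here, `if driver.krb5CacheDirectory == "" { driver.krb5CacheDirectory = defaultKrb5CacheDirectory }` and likewise for the prefix, so the default lives in one place instead of being repeated in main.go, values.yaml, the README and the test. The new Driver fields also deserve a short comment, e.g. `// krb5CacheDirectory is where kerberos credential caches are written; it must exist on the node`.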