Merge pull request #1180 from AlbeeSo/feat/ossfs-1.91.4-sigv4

oss: ossfs bump to 1.91.4 and support OSS signature v4
kubernetes-sigs · Oct 12, 2024 · 2bd02bb · 2bd02bb
2 parents bce2441 + fe10c89
commit 2bd02bb
Show file tree

Hide file tree

Showing 7 changed files with 310 additions and 228 deletions.
diff --git a/build/mount-proxy/Dockerfile b/build/mount-proxy/Dockerfile
@@ -11,7 +11,7 @@ RUN --mount=type=bind,target=. \
 
 FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/alinux:3-update as oss
 ARG TARGETPLATFORM
-ARG OSSFS_VERSION=v1.91.3.ack.3
+ARG OSSFS_VERSION=v1.91.4.ack.1
 
 # install ossfs
 RUN set -ex; \

diff --git a/deploy/chart/values.yaml b/deploy/chart/values.yaml
@@ -110,4 +110,4 @@ images:
     tag: "v2.9.0-d48d2e0-aliyun"
   ossfs:
     repo: acs/csi-ossfs
-    tag: "v1.91.3.ack.3-7ebc8cd-aliyun"
+    tag: "v1.91.4.ack.1-69cc774-aliyun"
diff --git a/pkg/mounter/ossfs.go b/pkg/mounter/ossfs.go
@@ -24,7 +24,7 @@ import (
 )
 
 var defaultOssfsImageTag = "v1.88.4-d9f3917-aliyun"
-var defaultOssfsUpdatedImageTag = "v1.91.3.ack.3-7ebc8cd-aliyun"
+var defaultOssfsUpdatedImageTag = "v1.91.4.ack.1-69cc774-aliyun"
 
 const (
 	hostPrefix                = "/host"

diff --git a/pkg/oss/controllerserver.go b/pkg/oss/controllerserver.go
@@ -19,8 +19,6 @@ package oss
 import (
 	"context"
 	"fmt"
-	"strconv"
-	"strings"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/cloud/metadata"
@@ -59,73 +57,6 @@ func (*controllerServer) ControllerGetCapabilities(context.Context, *csi.Control
 	}, nil
 }
 
-func getOssVolumeOptions(req *csi.CreateVolumeRequest) *Options {
-	ossVolArgs := &Options{}
-	volOptions := req.GetParameters()
-	secret := req.GetSecrets()
-	volCaps := req.GetVolumeCapabilities()
-	ossVolArgs.Path = "/"
-	for k, v := range volOptions {
-		key := strings.TrimSpace(strings.ToLower(k))
-		value := strings.TrimSpace(v)
-		switch key {
-		case "bucket":
-			ossVolArgs.Bucket = value
-		case "url":
-			ossVolArgs.URL = value
-		case "otheropts":
-			ossVolArgs.OtherOpts = value
-		case "secretref":
-			ossVolArgs.SecretRef = value
-		case "path":
-			ossVolArgs.Path = value
-		case "usesharedpath":
-			if res, err := strconv.ParseBool(value); err == nil {
-				ossVolArgs.UseSharedPath = res
-			} else {
-				klog.Warning(WrapOssError(ParamError, "the value(%q) of %q is invalid", v, k).Error())
-			}
-		case "authtype":
-			ossVolArgs.AuthType = value
-		case "rolename", "ramrole":
-			ossVolArgs.RoleName = value
-		case "rolearn":
-			ossVolArgs.RoleArn = value
-		case "oidcproviderarn":
-			ossVolArgs.OidcProviderArn = value
-		case "serviceaccountname":
-			ossVolArgs.ServiceAccountName = value
-		case "secretproviderclass":
-			ossVolArgs.SecretProviderClass = value
-		case "encrypted":
-			ossVolArgs.Encrypted = value
-		case "kmskeyid":
-			ossVolArgs.KmsKeyId = value
-		default:
-			klog.Warning(WrapOssError(ParamError, "the key(%q) is unknown", k).Error())
-		}
-	}
-	for k, v := range secret {
-		key := strings.TrimSpace(strings.ToLower(k))
-		value := strings.TrimSpace(v)
-		switch key {
-		case "akid":
-			ossVolArgs.AkID = value
-		case "aksecret":
-			ossVolArgs.AkSecret = value
-		default:
-			klog.Warning(WrapOssError(AuthError, "the key(%q) is unknown", k).Error())
-		}
-	}
-	ossVolArgs.ReadOnly = true
-	for _, c := range volCaps {
-		switch c.AccessMode.GetMode() {
-		case csi.VolumeCapability_AccessMode_SINGLE_NODE_WRITER, csi.VolumeCapability_AccessMode_MULTI_NODE_SINGLE_WRITER, csi.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER:
-			ossVolArgs.ReadOnly = false
-		}
-	}
-	return ossVolArgs
-}
 func validateCreateVolumeRequest(req *csi.CreateVolumeRequest) error {
 	klog.Infof("Starting oss validate create volume request: %s, %v", req.Name, req)
 	valid, err := utils.CheckRequestArgs(req.GetParameters())
@@ -141,7 +72,8 @@ func (cs *controllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol
 	if err := validateCreateVolumeRequest(req); err != nil {
 		return nil, err
 	}
-	ossVol := getOssVolumeOptions(req)
+	region, _ := cs.metadata.Get(metadata.RegionID)
+	ossVol := parseOptions(req.GetParameters(), req.GetSecrets(), req.GetVolumeCapabilities(), false, region)
 	csiTargetVolume := &csi.Volume{}
 	volumeContext := req.GetParameters()
 	if volumeContext == nil {
@@ -201,7 +133,7 @@ func (cs *controllerServer) ControllerPublishVolume(ctx context.Context, req *cs
 	// parse options
 	nodeName := req.NodeId
 	region, _ := cs.metadata.Get(metadata.RegionID)
-	opts := parseOptions(req, region)
+	opts := parseOptions(req.GetVolumeContext(), req.GetSecrets(), []*csi.VolumeCapability{req.GetVolumeCapability()}, req.GetReadonly(), region)
 	if err := setCNFSOptions(ctx, cs.cnfsGetter, opts); err != nil {
 		return nil, err
 	}

diff --git a/pkg/oss/nodeserver.go b/pkg/oss/nodeserver.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"fmt"
 	"path/filepath"
-	"strconv"
 	"strings"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
@@ -49,45 +48,6 @@ type nodeServer struct {
 	skipAttach bool
 }
 
-// Options contains options for target oss
-type Options struct {
-	directAssigned bool
-	CNFSName       string
-
-	// oss options
-	Bucket string `json:"bucket"`
-	URL    string `json:"url"`
-	Path   string `json:"path"`
-
-	// authorization options
-	// accesskey
-	AkID      string `json:"akId"`
-	AkSecret  string `json:"akSecret"`
-	SecretRef string `json:"secretRef"`
-	// RRSA
-	RoleName           string `json:"roleName"` // also for STS
-	RoleArn            string `json:"roleArn"`
-	OidcProviderArn    string `json:"oidcProviderArn"`
-	ServiceAccountName string `json:"serviceAccountName"`
-	// assume role
-	AssumeRoleArn string `json:"assumeRoleArn"`
-	ExternalId    string `json:"externalId"`
-	// csi secret store
-	SecretProviderClass string `json:"secretProviderClass"`
-
-	// ossfs options
-	OtherOpts  string `json:"otherOpts"`
-	MetricsTop string `json:"metricsTop"`
-	Encrypted  string `json:"encrypted"`
-	KmsKeyId   string `json:"kmsKeyId"`
-
-	// mount options
-	UseSharedPath bool   `json:"useSharedPath"`
-	AuthType      string `json:"authType"`
-	FuseType      string `json:"fuseType"`
-	ReadOnly      bool   `json:"readOnly"`
-}
-
 const (
 	// OssfsCredentialFile is the path of oss ak credential file
 	OssfsCredentialFile = "/host/etc/passwd-ossfs"
@@ -153,7 +113,7 @@ func (ns *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 
 	// parse options
 	region, _ := ns.metadata.Get(metadata.RegionID)
-	opts := parseOptions(req, region)
+	opts := parseOptions(req.GetVolumeContext(), req.GetSecrets(), []*csi.VolumeCapability{req.GetVolumeCapability()}, req.GetReadonly(), region)
 	if err := setCNFSOptions(ctx, ns.cnfsGetter, opts); err != nil {
 		return nil, err
 	}
@@ -386,120 +346,9 @@ type publishRequest interface {
 	GetSecrets() map[string]string
 }
 
-func parseOptions(req publishRequest, region string) *Options {
-	opts := &Options{
-		UseSharedPath: true,
-		FuseType:      OssFsType,
-		Path:          "/",
-		AkID:          strings.TrimSpace(req.GetSecrets()[AkID]),
-		AkSecret:      strings.TrimSpace(req.GetSecrets()[AkSecret]),
-	}
-	for k, v := range req.GetVolumeContext() {
-		key := strings.TrimSpace(strings.ToLower(k))
-		value := strings.TrimSpace(v)
-		if value == "" {
-			continue
-		}
-		switch key {
-		case "bucket":
-			opts.Bucket = value
-		case "url":
-			opts.URL = value
-		case "otheropts":
-			opts.OtherOpts = value
-		case "akid":
-			opts.AkID = value
-		case "aksecret":
-			opts.AkSecret = value
-		case "secretref":
-			opts.SecretRef = value
-		case "path":
-			opts.Path = value
-		case "usesharedpath":
-			if res, err := strconv.ParseBool(value); err == nil {
-				opts.UseSharedPath = res
-			} else {
-				klog.Warning(WrapOssError(ParamError, "the value(%q) of %q is invalid", v, k).Error())
-			}
-		case "authtype":
-			opts.AuthType = strings.ToLower(value)
-		case "rolename", "ramrole":
-			opts.RoleName = value
-		case "rolearn":
-			opts.RoleArn = value
-		case "oidcproviderarn":
-			opts.OidcProviderArn = value
-		case "serviceaccountname":
-			opts.ServiceAccountName = value
-		case "secretproviderclass":
-			opts.SecretProviderClass = value
-		case "fusetype":
-			opts.FuseType = strings.ToLower(value)
-		case "metricstop":
-			opts.MetricsTop = strings.ToLower(value)
-		case "containernetworkfilesystem":
-			opts.CNFSName = value
-		case optDirectAssigned:
-			if res, err := strconv.ParseBool(value); err == nil {
-				opts.directAssigned = res
-			} else {
-				klog.Warning(WrapOssError(ParamError, "the value(%q) of %q is invalid", v, k).Error())
-			}
-		case "encrypted":
-			opts.Encrypted = strings.ToLower(value)
-		case "kmskeyid":
-			opts.KmsKeyId = value
-		case "assumerolearn":
-			opts.AssumeRoleArn = value
-		case "externalid":
-			opts.ExternalId = value
-		}
-	}
-	if req.GetReadonly() {
-		opts.ReadOnly = true
-	} else if capability := req.GetVolumeCapability(); capability != nil {
-		switch capability.AccessMode.GetMode() {
-		case csi.VolumeCapability_AccessMode_SINGLE_NODE_WRITER, csi.VolumeCapability_AccessMode_MULTI_NODE_SINGLE_WRITER, csi.VolumeCapability_AccessMode_MULTI_NODE_MULTI_WRITER:
-			opts.ReadOnly = false
-		default:
-			opts.ReadOnly = true
-		}
-	}
-
-	url := opts.URL
-	if region != "" {
-		url, _ = setNetworkType(url, region)
-	}
-
-	url, _ = setTransmissionProtocol(url)
-	if url != opts.URL {
-		klog.Infof("Changed oss URL from %s to %s", opts.URL, url)
-		opts.URL = url
-	}
-
-	if opts.MetricsTop != "" {
-		opts.MetricsTop = defaultMetricsTop
-	}
-	return opts
-}
-
-func setCNFSOptions(ctx context.Context, cnfsGetter cnfsv1beta1.CNFSGetter, opts *Options) error {
-	if opts.CNFSName == "" {
-		return nil
-	}
-	cnfs, err := cnfsGetter.GetCNFS(ctx, opts.CNFSName)
-	if err != nil {
-		return err
-	}
-	if cnfs.Status.FsAttributes.EndPoint == nil {
-		return fmt.Errorf("missing endpoint in status of CNFS %s", opts.CNFSName)
-	}
-	opts.Bucket = cnfs.Status.FsAttributes.BucketName
-	opts.URL = cnfs.Status.FsAttributes.EndPoint.Internal
-	return nil
-}
-
 func (o *Options) MakeMountOptionsAndAuthConfig(m metadata.MetadataProvider, volumeCapability *csi.VolumeCapability) ([]string, *mounter.AuthConfig, error) {
+	region, _ := m.Get(metadata.RegionID)
+
 	mountOptions, err := parseOtherOpts(o.OtherOpts)
 	if err != nil {
 		return nil, nil, status.Error(codes.InvalidArgument, err.Error())
@@ -529,6 +378,17 @@ func (o *Options) MakeMountOptionsAndAuthConfig(m metadata.MetadataProvider, vol
 		mountOptions = append(mountOptions, fmt.Sprintf("metrics_top=%s", o.MetricsTop))
 	}
 
+	switch o.SigVersion {
+	case SigV1:
+		mountOptions = append(mountOptions, "sigv1")
+	case SigV4:
+		if region == "" {
+			return nil, nil, status.Errorf(codes.Internal, "SigV4 is not supported without region")
+		}
+		mountOptions = append(mountOptions, "sigv4")
+		mountOptions = append(mountOptions, fmt.Sprintf("region=%s", region))
+	}
+
 	mountOptions = append(mountOptions, fmt.Sprintf("url=%s", o.URL))
 
 	authCfg := &mounter.AuthConfig{AuthType: o.AuthType}