feat(mount-proxy, oss): support RotateToken Method to rotate token for ossfs with republish

build/csi-agent/Dockerfile

@@ -15,8 +15,11 @@ RUN --mount=type=bind,target=. \
 FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/alinux:3-update
 
 ARG TARGETPLATFORM
-ARG OSSFS_VERSION=v1.91.7.ack.1
-ARG OSSFS2_VERSION=2.0.1beta
+# OSSFS and OSSFS2 client versions
+# Note: These are the versions of the OSS client RPMs included in the image.
+# When upgrading the image version, the client versions may remain unchanged.
+ARG OSSFS_VERSION=v1.91.7.ack.2
+ARG OSSFS2_VERSION=v2.0.2beta.ack.1
 ARG ALINAS_UTILS_VERSION=1.6-1.20241101165952.ce0ef4
 ARG EFC_VERSION=1.6-20241028201622.a31063
 RUN set -ex; \
@@ -30,7 +33,7 @@ RUN set -ex; \
     if [ "${ARCH}" = "x86_64" ]; then \
         yum install -y https://aliyun-alinas-eac.oss-cn-beijing.aliyuncs.com/aliyun-alinas-utils-${ALINAS_UTILS_VERSION}.al7.noarch.rpm; \
         yum install -y https://aliyun-alinas-eac.oss-cn-beijing.aliyuncs.com/alinas-efc-${EFC_VERSION}.release.${ARCH}.rpm; \
-        yum install -y https://gosspublic.alicdn.com/ossfs/ossfs2_${OSSFS2_VERSION}_linux_${ARCH}.rpm; \
+    yum install -y https://ack-csiplugin.oss-cn-hangzhou.aliyuncs.com/ossfs2/ossfs2_${OSSFS2_VERSION}_centos8.0_${ARCH}.rpm; \
     fi; \
     yum clean all
 

build/multi/Dockerfile.multi

@@ -17,7 +17,7 @@ RUN --mount=type=bind,target=. \
 
 FROM registry-cn-hangzhou.ack.aliyuncs.com/dev/ack-base/distroless/base-debian12:latest@sha256:cef75d12148305c54ef5769e6511a5ac3c820f39bf5c8a4fbfd5b76b4b8da843 as distroless-base
 LABEL maintainers="Alibaba Cloud Authors" description="Alibaba Cloud CSI Plugin"
-LABEL defaultOssfsImageTag="v1.91.7.ack.1-570be5f-aliyun" defaultOssfs2ImageTag="v2.0.2.ack.1-a76655f-aliyun"
+LABEL defaultOssfsImageTag="v1.91.7.ack.2-f04b152-aliyun" defaultOssfs2ImageTag="v2.0.2.ack.2-6ef4e9c-aliyun"
 
 FROM distroless-base as csi-base
 COPY --link --from=build /out/plugin.csi.alibabacloud.com /usr/bin/plugin.csi.alibabacloud.com

build/multi/Dockerfile.multi.asi

@@ -25,7 +25,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM registry.eu-west-1.aliyuncs.com/acs/alinux:3-update as base
 LABEL maintainers="Alibaba Cloud Authors" description="Alibaba Cloud CSI Plugin"
-LABEL defaultOssfsImageTag="v1.91.7.ack.1-570be5f-aliyun" defaultOssfs2ImageTag="v2.0.2.ack.1-a76655f-aliyun"
+LABEL defaultOssfsImageTag="v1.91.7.ack.2-f04b152-aliyun" defaultOssfs2ImageTag="v2.0.2.ack.2-6ef4e9c-aliyun"
 
 RUN yum install -y ca-certificates file tzdata nfs-utils xfsprogs e4fsprogs pciutils iputils strace util-linux nc telnet tar cpio lsof && \
     yum clean all

deploy/chart/values.yaml

@@ -137,7 +137,7 @@ images:
     tag: "v2.14.0-aliyun"
   ossfs:
     repo: acs/csi-ossfs
-    tag: "v1.91.7.ack.1-570be5f-aliyun"
+    tag: "v1.91.7.ack.2-f04b152-aliyun"
   ossfs2:
     repo: acs/csi-ossfs2
-    tag: "v2.0.2.ack.1-a76655f-aliyun"
+    tag: "v2.0.2.ack.2-6ef4e9c-aliyun"

pkg/mounter/cmd_mounter.go

@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"time"
 
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/mounter/utils"
+	"k8s.io/klog/v2"
 	"k8s.io/mount-utils"
 )
 
@@ -27,11 +28,19 @@ func NewOssCmdMounter(execPath, volumeId string, inner mount.Interface) Mounter
 	}
 }
 
+func (m *OssCmdMounter) Name() string {
+	return "cmd-mounter"
+}
+
+func (m *OssCmdMounter) RotateToken(target, fstype string, secrets map[string]string) error {
+	return ErrNotImplemented(m.Name(), fstype, "rotateToken")
+}
+
 func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error {
 	ctx, cancel := context.WithDeadline(context.Background(), time.Now().Add(timeout))
 	defer cancel()
 
-	passwd, err := utils.SaveOssSecretsToFile(secrets)
+	passwd, err := saveOssSecretsToFile(secrets)
 	if err != nil {
 		return err
 	}
@@ -47,3 +56,21 @@ func (m *OssCmdMounter) MountWithSecrets(source, target, fstype string, options
 	}
 	return nil
 }
+
+func saveOssSecretsToFile(secrets map[string]string) (filePath string, err error) {
+	passwd := secrets["passwd-ossfs"]
+	if passwd == "" {
+		return
+	}
+
+	tmpDir, err := os.MkdirTemp("", "ossfs-")
+	if err != nil {
+		return "", err
+	}
+	filePath = filepath.Join(tmpDir, "passwd")
+	if err = os.WriteFile(filePath, []byte(passwd), 0o600); err != nil {
+		return "", err
+	}
+	klog.V(4).InfoS("created ossfs passwd file", "path", filePath)
+	return
+}

pkg/mounter/mounter.go

@@ -1,10 +1,26 @@
 package mounter
 
 import (
+	"fmt"
+	"strings"
+
 	mountutils "k8s.io/mount-utils"
 )
 
 type Mounter interface {
 	mountutils.Interface
+	Name() string
 	MountWithSecrets(source, target, fstype string, options []string, secrets map[string]string) error
+	RotateToken(target, fstype string, secrets map[string]string) error
+}
+
+func ErrNotImplemented(driver, mounterType, method string) error {
+	return fmt.Errorf("%s(%s): %s not implemented", mounterType, driver, method)
+}
+
+func IsNotImplementedErr(err error) bool {
+	if err == nil {
+		return false
+	}
+	return strings.Contains(err.Error(), "not implemented")
 }

pkg/mounter/oss/oss_fuse_manager.go

@@ -48,6 +48,17 @@ const (
 	AuthTypePublic = "public"
 )
 
+type AccessKey struct {
+	AkID     string `json:"akId"`
+	AkSecret string `json:"akSecret"`
+}
+type TokenSecret struct {
+	AccessKeyId     string `json:"AccessKeyId"`
+	AccessKeySecret string `json:"AccessKeySecret"`
+	Expiration      string `json:"Expiration"`
+	SecurityToken   string `json:"SecurityToken"`
+}
+
 // Options contains options for target oss
 type Options struct {
 	DirectAssigned bool
@@ -60,9 +71,10 @@ type Options struct {
 
 	// authorization options
 	// accesskey
-	AkID      string `json:"akId"`
-	AkSecret  string `json:"akSecret"`
-	SecretRef string `json:"secretRef"`
+	AccessKey   `json:",inline"`
+	TokenSecret `json:",inline"`
+	SecretRef   string `json:"secretRef"`
+
 	// RRSA
 	RoleName           string `json:"roleName"` // also for STS
 	RoleArn            string `json:"roleArn"`

pkg/mounter/oss/ossfs.go

@@ -20,7 +20,7 @@ import (
 )
 
 var defaultOssfsImageTag = "v1.88.4-80d165c-aliyun"
-var defaultOssfsUpdatedImageTag = "v1.91.7.ack.1-570be5f-aliyun"
+var defaultOssfsUpdatedImageTag = "v1.91.7.ack.2-f04b152-aliyun"
 var defaultOssfsDbglevel = utils.DebugLevelWarn
 
 const (
@@ -87,7 +87,15 @@ func (f *fuseOssfs) PrecheckAuthConfig(o *Options, onNode bool) error {
 		if features.FunctionalMutableFeatureGate.Enabled(features.RundCSIProtocol3) {
 			return nil
 		}
-		if o.SecretRef != "" {
+		// Token authentication:
+		// For runc scenarios, set the SecretRef parameter.
+		runc := o.SecretRef != ""
+		// For rund or eci scenarios, configure Token in nodePublishSecretRef or nodeStageSecretRef.
+		rund := o.AccessKeyId != "" && o.AccessKeySecret != "" && o.Expiration != "" && o.SecurityToken != ""
+		if runc && rund {
+			return fmt.Errorf("Token and secretRef cannot be set at the same time")
+		}
+		if rund || runc {
 			if o.AkID != "" || o.AkSecret != "" {
 				return fmt.Errorf("AK and secretRef cannot be set at the same time")
 			}
@@ -119,13 +127,26 @@ func (f *fuseOssfs) MakeAuthConfig(o *Options, m metadata.MetadataProvider) (*ut
 	case AuthTypeSTS:
 		authCfg.RoleName = o.RoleName
 	default:
-		if o.SecretRef != "" {
-			authCfg.SecretRef = o.SecretRef
-		} else {
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
 			authCfg.Secrets = map[string]string{
 				utils.GetPasswdFileName(f.Name()): fmt.Sprintf("%s:%s:%s", o.Bucket, o.AkID, o.AkSecret),
 			}
+			return authCfg, nil
+		}
+		// secretRef for RunC
+		if o.SecretRef != "" {
+			authCfg.SecretRef = o.SecretRef
+			return authCfg, nil
+		}
+		// token secret for RunD
+		authCfg.Secrets = map[string]string{
+			KeyAccessKeyId:     o.AccessKeyId,
+			KeyAccessKeySecret: o.AccessKeySecret,
+			KeySecurityToken:   o.SecurityToken,
+			KeyExpiration:      o.Expiration,
 		}
+
 	}
 	return authCfg, nil
 }
@@ -289,11 +310,17 @@ func (f *fuseOssfs) getAuthOptions(o *Options, region string) (mountOptions []st
 			mountOptions = append(mountOptions, "ram_role="+o.RoleName)
 		}
 	default:
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
+			// for aksk in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+			return
+		}
+		// secretRef for runC or token secret for runD
 		if o.SecretRef != "" {
 			mountOptions = append(mountOptions, fmt.Sprintf("passwd_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType))))
-			mountOptions = append(mountOptions, "use_session_token")
 		}
-		// publishSecretRef will make option in mount-proxy server
+		// for token in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+		mountOptions = append(mountOptions, "use_session_token")
 	}
 	return
 }

pkg/mounter/oss/ossfs2.go

@@ -17,7 +17,7 @@ import (
 	"k8s.io/utils/ptr"
 )
 
-var defaultOssfs2ImageTag = "v2.0.2.ack.1-a76655f-aliyun"
+var defaultOssfs2ImageTag = "v2.0.2.ack.2-6ef4e9c-aliyun"
 var defaultOssfs2Dbglevel = utils.DebugLevelInfo
 
 type fuseOssfs2 struct {
@@ -64,7 +64,16 @@ func (f *fuseOssfs2) PrecheckAuthConfig(o *Options, onNode bool) error {
 		if features.FunctionalMutableFeatureGate.Enabled(features.RundCSIProtocol3) {
 			return nil
 		}
-		if o.SecretRef != "" {
+		// Token authentication:
+		// For runc scenarios, set the SecretRef parameter.
+		runc := o.SecretRef != ""
+		// For rund or eci scenarios, configure Token in nodePublishSecretRef or nodeStageSecretRef.
+		// Expiration is not required for ossfs2.0
+		rund := o.AccessKeyId != "" && o.AccessKeySecret != "" && o.SecurityToken != ""
+		if runc && rund {
+			return fmt.Errorf("Token and secretRef cannot be set at the same time")
+		}
+		if rund || runc {
 			if o.AkID != "" || o.AkSecret != "" {
 				return fmt.Errorf("AK and secretRef cannot be set at the same time")
 			}
@@ -95,13 +104,25 @@ func (f *fuseOssfs2) MakeAuthConfig(o *Options, m metadata.MetadataProvider) (au
 	case AuthTypeSTS:
 		authCfg.RoleName = o.RoleName
 	case "":
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
+			authCfg.Secrets = map[string]string{
+				utils.GetPasswdFileName(f.Name()): fmt.Sprintf("--oss_access_key_id=%s\n--oss_access_key_secret=%s", o.AkID, o.AkSecret),
+			}
+			return
+		}
+		// secretRef for RunC
 		if o.SecretRef != "" {
 			authCfg.SecretRef = o.SecretRef
 			return
 		}
+		// token secret for RunD
 		authCfg.Secrets = map[string]string{
-			utils.GetPasswdFileName(f.Name()): fmt.Sprintf("--oss_access_key_id=%s\n--oss_access_key_secret=%s", o.AkID, o.AkSecret),
+			KeyAccessKeyId:     o.AccessKeyId,
+			KeyAccessKeySecret: o.AccessKeySecret,
+			KeySecurityToken:   o.SecurityToken,
 		}
+
 	default:
 		return nil, fmt.Errorf("%s do not support authType: %s", f.Name(), o.AuthType)
 	}
@@ -162,14 +183,19 @@ func (f *fuseOssfs2) getAuthOptions(o *Options, region string) (mountOptions []s
 			mountOptions = append(mountOptions, "ram_role="+o.RoleName)
 		}
 	case "":
+		// fixed AKSK
+		if o.AkID != "" && o.AkSecret != "" {
+			// for aksk in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
+			return
+		}
 		if o.SecretRef != "" {
 			mountOptions = append(mountOptions,
 				fmt.Sprintf("oss_sts_multi_conf_ak_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeyAccessKeyId)),
 				fmt.Sprintf("oss_sts_multi_conf_sk_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeyAccessKeySecret)),
 				fmt.Sprintf("oss_sts_multi_conf_token_file=%s", filepath.Join(utils.GetConfigDir(o.FuseType), utils.GetPasswdFileName(o.FuseType), KeySecurityToken)),
 			)
 		}
-		// publishSecretRef will make option in mount-proxy server
+		// for token in secret, it will make passwd_file option in mount-proxy server as it's under a tempdir
 	default:
 		return nil
 	}