fix: harden jindo multi-oss acceptance coverage

CAICAIIs · CAICAIIs · commit 3114a48bde3f · 2026-04-21T20:53:22.000+08:00
Signed-off-by: CAICAIIs &lt;3360776475@qq.com&gt;
diff --git a/pkg/ddc/jindocache/transform.go b/pkg/ddc/jindocache/transform.go
@@ -586,12 +586,6 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 			}
 			if mountType == "oss" && ossBucketName != "" {
 				if secretMountSupport {
-					secretURI := buildBucketSecretURI(ossBucketName)
-					if value.BucketSecretPaths == nil {
-						value.BucketSecretPaths = map[string]string{}
-					}
-					value.BucketSecretPaths[ossBucketName] = secretURI
-
 					itemPath := ""
 					switch key {
 					case "fs.oss.accessKeyId":
@@ -600,12 +594,17 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 						itemPath = ossBucketName + "/AccessKeySecret"
 					}
 					if itemPath != "" {
+						secretURI := buildBucketSecretURI(ossBucketName)
+						if value.BucketSecretPaths == nil {
+							value.BucketSecretPaths = map[string]string{}
+						}
+						value.BucketSecretPaths[ossBucketName] = secretURI
 						value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
 						if err != nil {
 							return err
 						}
+						e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
 					}
-					e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
 					continue
 				}
 
diff --git a/pkg/ddc/jindocache/transform_test.go b/pkg/ddc/jindocache/transform_test.go
@@ -1899,7 +1899,7 @@ func TestJindoCacheEngine_transformMasterRejectsConflictingSameBucketSecretProje
 	}
 }
 
-func TestJindoCacheEngine_transformMasterPreservesInlineOSSCredentials(t *testing.T) {
+func TestJindoCacheEngine_transformMasterSupportsInlineOSSCredentialsCompatibility(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
 	_ = corev1.AddToScheme(s)
@@ -1949,6 +1949,54 @@ func TestJindoCacheEngine_transformMasterPreservesInlineOSSCredentials(t *testin
 	}
 }
 
+func TestJindoCacheEngine_transformMasterIgnoresNonOSSCredentialEncryptOptionForBucketSecretProjection(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoCacheEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint": "oss-cn-shanghai.aliyuncs.com",
+				},
+				EncryptOptions: []datav1alpha1.EncryptOption{{
+					Name: "fs.oss.sessionToken",
+					ValueFrom: datav1alpha1.EncryptOptionSource{
+						SecretKeyRef: datav1alpha1.SecretKeySelector{Name: "secret-a", Key: "token"},
+					},
+				}},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for non-AK/SK encryptOptions, got %d", len(value.SecretProjections))
+	}
+	if len(value.BucketSecretPaths) != 0 {
+		t.Fatalf("expected no bucket secret paths for non-AK/SK encryptOptions, got %#v", value.BucketSecretPaths)
+	}
+}
+
 func TestJindoCacheEngine_transformMasterReturnsErrorWhenReferencedSecretMissing(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
diff --git a/pkg/ddc/jindofsx/transform.go b/pkg/ddc/jindofsx/transform.go
@@ -493,12 +493,6 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 			}
 			if mountType == "oss" && ossBucketName != "" {
 				if secretMountSupport {
-					secretURI := buildBucketSecretURI(ossBucketName)
-					if value.BucketSecretPaths == nil {
-						value.BucketSecretPaths = map[string]string{}
-					}
-					value.BucketSecretPaths[ossBucketName] = secretURI
-
 					itemPath := ""
 					switch key {
 					case "fs.oss.accessKeyId":
@@ -507,12 +501,17 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 						itemPath = ossBucketName + "/AccessKeySecret"
 					}
 					if itemPath != "" {
+						secretURI := buildBucketSecretURI(ossBucketName)
+						if value.BucketSecretPaths == nil {
+							value.BucketSecretPaths = map[string]string{}
+						}
+						value.BucketSecretPaths[ossBucketName] = secretURI
 						value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
 						if err != nil {
 							return err
 						}
+						e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
 					}
-					e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
 					continue
 				}
 
diff --git a/pkg/ddc/jindofsx/transform_master_test.go b/pkg/ddc/jindofsx/transform_master_test.go
@@ -387,7 +387,7 @@ func TestJindoFSxEngine_transformMasterRejectsConflictingSameBucketSecretProject
 	}
 }
 
-func TestJindoFSxEngine_transformMasterPreservesInlineOSSCredentials(t *testing.T) {
+func TestJindoFSxEngine_transformMasterSupportsInlineOSSCredentialsCompatibility(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
 	_ = corev1.AddToScheme(s)
@@ -437,6 +437,54 @@ func TestJindoFSxEngine_transformMasterPreservesInlineOSSCredentials(t *testing.
 	}
 }
 
+func TestJindoFSxEngine_transformMasterIgnoresNonOSSCredentialEncryptOptionForBucketSecretProjection(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoFSxEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint": "oss-cn-shanghai.aliyuncs.com",
+				},
+				EncryptOptions: []datav1alpha1.EncryptOption{{
+					Name: "fs.oss.sessionToken",
+					ValueFrom: datav1alpha1.EncryptOptionSource{
+						SecretKeyRef: datav1alpha1.SecretKeySelector{Name: "secret-a", Key: "token"},
+					},
+				}},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for non-AK/SK encryptOptions, got %d", len(value.SecretProjections))
+	}
+	if len(value.BucketSecretPaths) != 0 {
+		t.Fatalf("expected no bucket secret paths for non-AK/SK encryptOptions, got %#v", value.BucketSecretPaths)
+	}
+}
+
 func TestJindoFSxEngine_transformMasterUsesReferencedSecretKeysForNonOSSMounts(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
diff --git a/test/gha-e2e/jindo/multi-oss-job.yaml b/test/gha-e2e/jindo/multi-oss-job.yaml
@@ -12,7 +12,13 @@ spec:
           image: registry-cn-hongkong.ack.aliyuncs.com/acs/smartdata:6.9.1-202509151826
           imagePullPolicy: IfNotPresent
           resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+              ephemeral-storage: "1Gi"
             limits:
+              cpu: "500m"
+              memory: "256Mi"
               ephemeral-storage: "5Gi"
           command: ["/bin/sh"]
           args:
diff --git a/test/gha-e2e/jindo/oss-emulator.yaml b/test/gha-e2e/jindo/oss-emulator.yaml
@@ -39,6 +39,13 @@ spec:
         - name: emulator
           image: fluidcloudnative/oss-emulator:e2e
           imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "250m"
+              memory: "128Mi"
           env:
             - name: BUCKET_NAME
               value: bucket-a
@@ -91,6 +98,13 @@ spec:
         - name: emulator
           image: fluidcloudnative/oss-emulator:e2e
           imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "250m"
+              memory: "128Mi"
           env:
             - name: BUCKET_NAME
               value: bucket-b
