
Commit 768c713

committed
fix: support multi-mount OSS secret projections in jindo
1 parent 9fe6aad commit 768c713

14 files changed

Lines changed: 567 additions & 34 deletions


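--- a/charts/jindocache/templates/_helpers.tpl
+++ b/charts/jindocache/templates/_helpers.tpl
@@ -44,7 +44,32 @@ Distribute credential key and values with secret volume mounting on Jindo's pods
 Distribute credential key and values with secret volumes
 */}}
 {{- define "jindofs.cred.secret.volumes" -}}
-{{- if .Values.UseStsToken }}
+{{- if .Values.secretProjections }}
+- name: jindofs-secret-token
+projected:
+sources:
+{{- if .Values.UseStsToken }}
+- secret:
+name: {{ .Values.secret }}
+{{- else if .Values.secret }}
+- secret:
+name: {{ .Values.secret }}
+items:
+- key: {{ .Values.secretKey }}
+path: AccessKeyId
+- key: {{ .Values.secretValue }}
+path: AccessKeySecret
+{{- end }}
+{{- range .Values.secretProjections }}
+- secret:
+name: {{ .name }}
+items:
+{{- range .items }}
+- key: {{ .key }}
+path: {{ .path }}
+{{- end }}
+{{- end }}
+{{- else if .Values.UseStsToken }}
 - name: jindofs-secret-token
 secret:
 secretName: {{ .Values.secret }}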
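Review bot: The values interpolated in the new projected branch (`{{ .name }}`, `{{ .key }}`, `{{ .path }}`, and `{{ .Values.secret }}` / `{{ .Values.secretKey }}`) are emitted as bare scalars, so a value containing YAML-significant characters would break or silently alter the rendered volume; piping them through `| quote` (`name: {{ .name | quote }}`, `path: {{ .path | quote }}`) is the usual Helm hardening. The `projected:` volume also sets no `defaultMode`, so the credential files get the API default (0644) — the same as the existing plain secret volume, but worth a `defaultMode: 0400` if the container user does not need them readable by others. The `define` block's closing `{{- end }}` is outside the hunk.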
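--- a/charts/jindocache/templates/fuse/daemonset.yaml
+++ b/charts/jindocache/templates/fuse/daemonset.yaml
@@ -150,7 +150,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -188,7 +188,7 @@ spec:
 hostPath:
 path: /dev/fuse
 type: CharDevice
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}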
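--- a/charts/jindocache/templates/master/statefulset.yaml
+++ b/charts/jindocache/templates/master/statefulset.yaml
@@ -175,7 +175,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -237,7 +237,7 @@ spec:
 name: {{ .Values.hadoopConfig.configMap }}
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 {{- if .Values.master.volumes }}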
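--- a/charts/jindocache/templates/worker/statefulset.yaml
+++ b/charts/jindocache/templates/worker/statefulset.yaml
@@ -159,7 +159,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -222,7 +222,7 @@ spec:
 name: {{ .Values.hadoopConfig.configMap }}
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 - name: bigboot-config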
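--- a/charts/jindofsx/templates/_helpers.tpl
+++ b/charts/jindofsx/templates/_helpers.tpl
@@ -44,7 +44,32 @@ Distribute credential key and values with secret volume mounting on Jindo's pods
 Distribute credential key and values with secret volumes
 */}}
 {{- define "jindofs.cred.secret.volumes" -}}
-{{- if .Values.UseStsToken }}
+{{- if .Values.secretProjections }}
+- name: jindofs-secret-token
+projected:
+sources:
+{{- if .Values.UseStsToken }}
+- secret:
+name: {{ .Values.secret }}
+{{- else if .Values.secret }}
+- secret:
+name: {{ .Values.secret }}
+items:
+- key: {{ .Values.secretKey }}
+path: AccessKeyId
+- key: {{ .Values.secretValue }}
+path: AccessKeySecret
+{{- end }}
+{{- range .Values.secretProjections }}
+- secret:
+name: {{ .name }}
+items:
+{{- range .items }}
+- key: {{ .key }}
+path: {{ .path }}
+{{- end }}
+{{- end }}
+{{- else if .Values.UseStsToken }}
 - name: jindofs-secret-token
 secret:
 secretName: {{ .Values.secret }}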
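Review bot: Same as the jindocache copy of this helper: `{{ .name }}`, `{{ .key }}` and `{{ .path }}` inside the `range .Values.secretProjections` loop are rendered unquoted, so any projection value with YAML-significant characters would corrupt the pod spec; `name: {{ .name | quote }}` and `path: {{ .path | quote }}` close that off. A `{{- range .items }}` over an empty or absent `items` also leaves `items:` null, which projects every key of that Secret rather than none — if that is not intended, guard the `items:` line with `{{- if .items }}`. The enclosing `define` closes outside the hunk.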
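--- a/charts/jindofsx/templates/fuse/daemonset.yaml
+++ b/charts/jindofsx/templates/fuse/daemonset.yaml
@@ -162,7 +162,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -200,7 +200,7 @@ spec:
 hostPath:
 path: /dev/fuse
 type: CharDevice
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}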
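--- a/charts/jindofsx/templates/master/statefulset.yaml
+++ b/charts/jindofsx/templates/master/statefulset.yaml
@@ -187,7 +187,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -249,7 +249,7 @@ spec:
 name: {{ .Values.hadoopConfig.configMap }}
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 {{- if .Values.master.volumes }}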
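--- a/charts/jindofsx/templates/worker/statefulset.yaml
+++ b/charts/jindofsx/templates/worker/statefulset.yaml
@@ -171,7 +171,7 @@ spec:
 subPath: hdfs-site.xml
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
 {{- end }}
 {{- if .Values.ufsVolumes }}
@@ -234,7 +234,7 @@ spec:
 name: {{ .Values.hadoopConfig.configMap }}
 {{- end }}
 {{- end }}
-{{- if .Values.secret }}
+{{- if or .Values.secret .Values.secretProjections }}
 {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
 {{- end }}
 - name: bigboot-config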
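--- a/pkg/ddc/jindocache/transform.go
+++ b/pkg/ddc/jindocache/transform.go
@@ -46,6 +46,46 @@ type smartdataConfig struct {
 dnsServer string
 }
 
+const (
+jindoOSSCredentialsProvider = "com.aliyun.jindodata.oss.auth.CustomCredentialsProvider"
+jindoSecretProviderFormat = "JSON"
+jindoSecretMountPath = "/token"
+)
+
+func buildBucketSecretURI(bucketName string) string {
+return fmt.Sprintf("secrets://%s/%s/", jindoSecretMountPath, bucketName)
+}
+
+func appendSecretProjection(projections []corev1.SecretProjection, secretName, secretKey, itemPath string) ([]corev1.SecretProjection, error) {
+for _, projection := range projections {
+for _, item := range projection.Items {
+if item.Path != itemPath {
+continue
+}
+if projection.Name == secretName && item.Key == secretKey {
+return projections, nil
+}
+return nil, fmt.Errorf("conflicting secret projection for %s", itemPath)
+}
+}
+
+return append(projections, corev1.SecretProjection{
+LocalObjectReference: corev1.LocalObjectReference{
+Name: secretName,
+},
+Items: []corev1.KeyToPath{{
+Key: secretKey,
+Path: itemPath,
+}},
+}), nil
+}
+
+func setBucketSecretProviderProperties(properties map[string]string, prefix, bucketName, secretURI string) {
+properties[fmt.Sprintf("%s.oss.bucket.%s.credentials.provider", prefix, bucketName)] = jindoOSSCredentialsProvider
+properties[fmt.Sprintf("%s.oss.bucket.%s.provider.endpoint", prefix, bucketName)] = secretURI
+properties[fmt.Sprintf("%s.oss.bucket.%s.provider.format", prefix, bucketName)] = jindoSecretProviderFormat
+}
+
 func (e *JindoCacheEngine) transform(runtime *datav1alpha1.JindoRuntime) (value *Jindo, err error) {
 if runtime == nil {
 err = fmt.Errorf("the jindoRuntime is null")
@@ -409,6 +449,7 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 }
 
 mountType := "oss"
+ossBucketName := ""
 if strings.HasPrefix(mount.MountPoint, "oss://") {
 var re = regexp.MustCompile(`(oss://(.*?))(/)`)
 rm := re.FindStringSubmatch(mount.MountPoint)
@@ -417,23 +458,21 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 e.Log.Error(err, "mount.MountPoint", mount.MountPoint)
 return err
 }
-bucketName := rm[2]
+ossBucketName = rm[2]
 if mount.Options["fs.oss.endpoint"] == "" {
 err = fmt.Errorf("oss endpoint can not be null, please check <fs.oss.endpoint> option")
 e.Log.Error(err, "oss endpoint can not be null")
 return err
 }
-propertiesFileStore["jindocache.oss.bucket."+bucketName+".endpoint"] = mount.Options["fs.oss.endpoint"]
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".endpoint"] = mount.Options["fs.oss.endpoint"]
+if mount.Options["fs.oss.accessKeyId"] != "" {
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
+}
+if mount.Options["fs.oss.accessKeySecret"] != "" {
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
+}
 if strings.Contains(mount.Options["fs.oss.endpoint"], "dls") {
-propertiesFileStore["jindocache.oss.bucket."+bucketName+".data.lake.storage.enable"] = "true"
-if os.Getenv("jindocache.internal.test") == "true" {
-if mount.Options["fs.oss.accessKeyId"] != "" {
-propertiesFileStore["jindocache.oss.bucket."+bucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
-}
-if mount.Options["fs.oss.accessKeySecret"] != "" {
-propertiesFileStore["jindocache.oss.bucket."+bucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
-}
-}
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".data.lake.storage.enable"] = "true"
 }
 }
 
@@ -487,6 +526,46 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 for _, encryptOption := range mount.EncryptOptions {
 key := encryptOption.Name
 secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
+if mountType == "oss" && ossBucketName != "" {
+if secretMountSupport {
+secretURI := buildBucketSecretURI(ossBucketName)
+if value.BucketSecretPaths == nil {
+value.BucketSecretPaths = map[string]string{}
+}
+value.BucketSecretPaths[ossBucketName] = secretURI
+
+itemPath := ""
+if key == "fs.oss.accessKeyId" {
+itemPath = ossBucketName + "/AccessKeyId"
+}
+if key == "fs.oss.accessKeySecret" {
+itemPath = ossBucketName + "/AccessKeySecret"
+}
+if itemPath != "" {
+value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
+if err != nil {
+return err
+}
+}
+e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
+continue
+}
+
+secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
+if err != nil {
+e.Log.Error(err, "can't get the input secret from dataset", "secretName", secretKeyRef.Name)
+break
+}
+secretValue := string(secret.Data[secretKeyRef.Key])
+if key == "fs.oss.accessKeyId" {
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeyId"] = secretValue
+}
+if key == "fs.oss.accessKeySecret" {
+propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeySecret"] = secretValue
+}
+e.Log.Info("Get OSS bucket credential from Secret successfully", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
+continue
+}
 if secretMountSupport {
 value.Secret = secretKeyRef.Name
 if key == "fs."+mountType+".accessKeyId" {
@@ -660,10 +739,14 @@ func (e *JindoCacheEngine) transformFuse(runtime *datav1alpha1.JindoRuntime, val
 }
 // set secret
 if len(value.Secret) != 0 {
-properties["fs."+value.MountType+".credentials.provider"] = "com.aliyun.jindodata.oss.auth.CustomCredentialsProvider"
+properties["fs."+value.MountType+".credentials.provider"] = jindoOSSCredentialsProvider
 properties["aliyun."+value.MountType+".provider.url"] = "secrets:///token/"
 properties["fs."+value.MountType+".provider.endpoint"] = "secrets:///token/"
-properties["fs."+value.MountType+".provider.format"] = "JSON"
+properties["fs."+value.MountType+".provider.format"] = jindoSecretProviderFormat
+}
+for bucketName, secretURI := range value.BucketSecretPaths {
+setBucketSecretProviderProperties(properties, "fs", bucketName, secretURI)
+properties["aliyun.oss.bucket."+bucketName+".provider.url"] = secretURI
 }
 
 if len(runtime.Spec.Fuse.Properties) > 0 {
@@ -952,6 +1035,9 @@ func (e *JindoCacheEngine) transformToken(value *Jindo) {
 } else {
 properties["default.credential.provider"] = "none"
 }
+for bucketName, secretURI := range value.BucketSecretPaths {
+setBucketSecretProviderProperties(properties, "jindocache", bucketName, secretURI)
+}
 value.Master.TokenProperties = properties
 }
 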
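Review bot: In the new non-projection path of the encryptOptions loop, a failed `kubeclient.GetSecret` is logged and then `break`s out of the loop without returning, so a missing or unreadable Secret silently produces a runtime with no credentials for that bucket (and skips every remaining encryptOption) instead of failing the reconcile; it should be `return fmt.Errorf("getting secret %s for bucket %s: %w", secretKeyRef.Name, ossBucketName, err)`, which also matches how the projection branch already returns on a conflicting projection. Note that `secret, err :=` there shadows the named `err` result, so even if someone later replaces `break` with a bare `return` the outer `err` would still be nil. Separately, removing the `jindocache.internal.test` gate means plaintext `fs.oss.accessKeyId`/`fs.oss.accessKeySecret` from `mount.Options` are now always copied into `propertiesFileStore` for every OSS mount, not only DLS endpoints under test — if intended, a one-line comment saying so would help, since where that store is persisted is not visible here. `transformMaster` starts and ends outside the hunk.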