fix: support multi-mount OSS secret projections in jindo

Author: CAICAIIs

charts/jindocache/templates/_helpers.tpl

@@ -44,7 +44,32 @@ Distribute credential key and values with secret volume mounting on Jindo's pods
 Distribute credential key and values with secret volumes
 */}}
 {{- define "jindofs.cred.secret.volumes" -}}
-{{- if .Values.UseStsToken }}
+{{- if .Values.secretProjections }}
+- name: jindofs-secret-token
+  projected:
+    sources:
+    {{- if .Values.UseStsToken }}
+    - secret:
+        name: {{ .Values.secret }}
+    {{- else if .Values.secret }}
+    - secret:
+        name: {{ .Values.secret }}
+        items:
+        - key: {{ .Values.secretKey }}
+          path: AccessKeyId
+        - key: {{ .Values.secretValue }}
+          path: AccessKeySecret
+    {{- end }}
+    {{- range .Values.secretProjections }}
+    - secret:
+        name: {{ .name }}
+        items:
+        {{- range .items }}
+        - key: {{ .key }}
+          path: {{ .path }}
+        {{- end }}
+    {{- end }}
+{{- else if .Values.UseStsToken }}
 - name: jindofs-secret-token
   secret:
     secretName: {{ .Values.secret }}

charts/jindocache/templates/fuse/daemonset.yaml

@@ -150,7 +150,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -188,7 +188,7 @@ spec:
           hostPath:
             path: /dev/fuse
             type: CharDevice
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         {{- if .Values.ufsVolumes }}

charts/jindocache/templates/master/statefulset.yaml

@@ -175,7 +175,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -237,7 +237,7 @@ spec:
             name: {{ .Values.hadoopConfig.configMap }}
         {{- end }}
         {{- end }}
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         {{- if .Values.master.volumes }}

charts/jindocache/templates/worker/statefulset.yaml

@@ -159,7 +159,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -222,7 +222,7 @@ spec:
             name: {{ .Values.hadoopConfig.configMap }}
         {{- end }}
         {{- end }}
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         - name: bigboot-config

charts/jindofsx/templates/_helpers.tpl

@@ -44,7 +44,32 @@ Distribute credential key and values with secret volume mounting on Jindo's pods
 Distribute credential key and values with secret volumes
 */}}
 {{- define "jindofs.cred.secret.volumes" -}}
-{{- if .Values.UseStsToken }}
+{{- if .Values.secretProjections }}
+- name: jindofs-secret-token
+  projected:
+    sources:
+    {{- if .Values.UseStsToken }}
+    - secret:
+        name: {{ .Values.secret }}
+    {{- else if .Values.secret }}
+    - secret:
+        name: {{ .Values.secret }}
+        items:
+        - key: {{ .Values.secretKey }}
+          path: AccessKeyId
+        - key: {{ .Values.secretValue }}
+          path: AccessKeySecret
+    {{- end }}
+    {{- range .Values.secretProjections }}
+    - secret:
+        name: {{ .name }}
+        items:
+        {{- range .items }}
+        - key: {{ .key }}
+          path: {{ .path }}
+        {{- end }}
+    {{- end }}
+{{- else if .Values.UseStsToken }}
 - name: jindofs-secret-token
   secret:
     secretName: {{ .Values.secret }}

charts/jindofsx/templates/fuse/daemonset.yaml

@@ -162,7 +162,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -200,7 +200,7 @@ spec:
           hostPath:
             path: /dev/fuse
             type: CharDevice
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         {{- if .Values.ufsVolumes }}

charts/jindofsx/templates/master/statefulset.yaml

@@ -187,7 +187,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -249,7 +249,7 @@ spec:
             name: {{ .Values.hadoopConfig.configMap }}
         {{- end }}
         {{- end }}
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         {{- if .Values.master.volumes }}

charts/jindofsx/templates/worker/statefulset.yaml

@@ -171,7 +171,7 @@ spec:
               subPath: hdfs-site.xml
           {{- end }}
           {{- end }}
-          {{- if .Values.secret }}
+          {{- if or .Values.secret .Values.secretProjections }}
             {{ include "jindofs.cred.secret.volumeMounts" . | nindent 12 }}
           {{- end }}
           {{- if .Values.ufsVolumes }}
@@ -234,7 +234,7 @@ spec:
             name: {{ .Values.hadoopConfig.configMap }}
         {{- end }}
         {{- end }}
-        {{- if .Values.secret }}
+        {{- if or .Values.secret .Values.secretProjections }}
         {{ include "jindofs.cred.secret.volumes" . | nindent 8 }}
         {{- end }}
         - name: bigboot-config

pkg/ddc/jindocache/transform.go

@@ -46,6 +46,46 @@ type smartdataConfig struct {
 	dnsServer       string
 }
 
+const (
+	jindoOSSCredentialsProvider = "com.aliyun.jindodata.oss.auth.CustomCredentialsProvider"
+	jindoSecretProviderFormat   = "JSON"
+	jindoSecretMountPath        = "/token"
+)
+
+func buildBucketSecretURI(bucketName string) string {
+	return fmt.Sprintf("secrets://%s/%s/", jindoSecretMountPath, bucketName)
+}
+
+func appendSecretProjection(projections []corev1.SecretProjection, secretName, secretKey, itemPath string) ([]corev1.SecretProjection, error) {
+	for _, projection := range projections {
+		for _, item := range projection.Items {
+			if item.Path != itemPath {
+				continue
+			}
+			if projection.Name == secretName && item.Key == secretKey {
+				return projections, nil
+			}
+			return nil, fmt.Errorf("conflicting secret projection for %s", itemPath)
+		}
+	}
+
+	return append(projections, corev1.SecretProjection{
+		LocalObjectReference: corev1.LocalObjectReference{
+			Name: secretName,
+		},
+		Items: []corev1.KeyToPath{{
+			Key:  secretKey,
+			Path: itemPath,
+		}},
+	}), nil
+}
+
+func setBucketSecretProviderProperties(properties map[string]string, prefix, bucketName, secretURI string) {
+	properties[fmt.Sprintf("%s.oss.bucket.%s.credentials.provider", prefix, bucketName)] = jindoOSSCredentialsProvider
+	properties[fmt.Sprintf("%s.oss.bucket.%s.provider.endpoint", prefix, bucketName)] = secretURI
+	properties[fmt.Sprintf("%s.oss.bucket.%s.provider.format", prefix, bucketName)] = jindoSecretProviderFormat
+}
+
 func (e *JindoCacheEngine) transform(runtime *datav1alpha1.JindoRuntime) (value *Jindo, err error) {
 	if runtime == nil {
 		err = fmt.Errorf("the jindoRuntime is null")
@@ -409,6 +449,7 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 		}
 
 		mountType := "oss"
+		ossBucketName := ""
 		if strings.HasPrefix(mount.MountPoint, "oss://") {
 			var re = regexp.MustCompile(`(oss://(.*?))(/)`)
 			rm := re.FindStringSubmatch(mount.MountPoint)
@@ -417,23 +458,21 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 				e.Log.Error(err, "mount.MountPoint", mount.MountPoint)
 				return err
 			}
-			bucketName := rm[2]
+			ossBucketName = rm[2]
 			if mount.Options["fs.oss.endpoint"] == "" {
 				err = fmt.Errorf("oss endpoint can not be null, please check <fs.oss.endpoint> option")
 				e.Log.Error(err, "oss endpoint can not be null")
 				return err
 			}
-			propertiesFileStore["jindocache.oss.bucket."+bucketName+".endpoint"] = mount.Options["fs.oss.endpoint"]
+			propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".endpoint"] = mount.Options["fs.oss.endpoint"]
+			if mount.Options["fs.oss.accessKeyId"] != "" {
+				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
+			}
+			if mount.Options["fs.oss.accessKeySecret"] != "" {
+				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
+			}
 			if strings.Contains(mount.Options["fs.oss.endpoint"], "dls") {
-				propertiesFileStore["jindocache.oss.bucket."+bucketName+".data.lake.storage.enable"] = "true"
-				if os.Getenv("jindocache.internal.test") == "true" {
-					if mount.Options["fs.oss.accessKeyId"] != "" {
-						propertiesFileStore["jindocache.oss.bucket."+bucketName+".accessKeyId"] = mount.Options["fs.oss.accessKeyId"]
-					}
-					if mount.Options["fs.oss.accessKeySecret"] != "" {
-						propertiesFileStore["jindocache.oss.bucket."+bucketName+".accessKeySecret"] = mount.Options["fs.oss.accessKeySecret"]
-					}
-				}
+				propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".data.lake.storage.enable"] = "true"
 			}
 		}
 
@@ -487,6 +526,46 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 		for _, encryptOption := range mount.EncryptOptions {
 			key := encryptOption.Name
 			secretKeyRef := encryptOption.ValueFrom.SecretKeyRef
+			if mountType == "oss" && ossBucketName != "" {
+				if secretMountSupport {
+					secretURI := buildBucketSecretURI(ossBucketName)
+					if value.BucketSecretPaths == nil {
+						value.BucketSecretPaths = map[string]string{}
+					}
+					value.BucketSecretPaths[ossBucketName] = secretURI
+
+					itemPath := ""
+					if key == "fs.oss.accessKeyId" {
+						itemPath = ossBucketName + "/AccessKeyId"
+					}
+					if key == "fs.oss.accessKeySecret" {
+						itemPath = ossBucketName + "/AccessKeySecret"
+					}
+					if itemPath != "" {
+						value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
+						if err != nil {
+							return err
+						}
+					}
+					e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
+					continue
+				}
+
+				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
+				if err != nil {
+					e.Log.Error(err, "can't get the input secret from dataset", "secretName", secretKeyRef.Name)
+					break
+				}
+				secretValue := string(secret.Data[secretKeyRef.Key])
+				if key == "fs.oss.accessKeyId" {
+					propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeyId"] = secretValue
+				}
+				if key == "fs.oss.accessKeySecret" {
+					propertiesFileStore["jindocache.oss.bucket."+ossBucketName+".accessKeySecret"] = secretValue
+				}
+				e.Log.Info("Get OSS bucket credential from Secret successfully", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
+				continue
+			}
 			if secretMountSupport {
 				value.Secret = secretKeyRef.Name
 				if key == "fs."+mountType+".accessKeyId" {
@@ -660,10 +739,14 @@ func (e *JindoCacheEngine) transformFuse(runtime *datav1alpha1.JindoRuntime, val
 	}
 	// set secret
 	if len(value.Secret) != 0 {
-		properties["fs."+value.MountType+".credentials.provider"] = "com.aliyun.jindodata.oss.auth.CustomCredentialsProvider"
+		properties["fs."+value.MountType+".credentials.provider"] = jindoOSSCredentialsProvider
 		properties["aliyun."+value.MountType+".provider.url"] = "secrets:///token/"
 		properties["fs."+value.MountType+".provider.endpoint"] = "secrets:///token/"
-		properties["fs."+value.MountType+".provider.format"] = "JSON"
+		properties["fs."+value.MountType+".provider.format"] = jindoSecretProviderFormat
+	}
+	for bucketName, secretURI := range value.BucketSecretPaths {
+		setBucketSecretProviderProperties(properties, "fs", bucketName, secretURI)
+		properties["aliyun.oss.bucket."+bucketName+".provider.url"] = secretURI
 	}
 
 	if len(runtime.Spec.Fuse.Properties) > 0 {
@@ -952,6 +1035,9 @@ func (e *JindoCacheEngine) transformToken(value *Jindo) {
 	} else {
 		properties["default.credential.provider"] = "none"
 	}
+	for bucketName, secretURI := range value.BucketSecretPaths {
+		setBucketSecretProviderProperties(properties, "jindocache", bucketName, secretURI)
+	}
 	value.Master.TokenProperties = properties
 }