fix: harden jindo multi-oss acceptance coverage

CAICAIIs · CAICAIIs · commit 7fea76423a17 · 2026-04-21T20:51:44.000+08:00
Signed-off-by: CAICAIIs &lt;3360776475@qq.com&gt;
diff --git a/pkg/ddc/jindocache/transform.go b/pkg/ddc/jindocache/transform.go
@@ -584,30 +584,29 @@ func (e *JindoCacheEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, m
 				e.Log.Error(err, "invalid encryptOption secret reference", "key", key, "mountPoint", mount.MountPoint)
 				return err
 			}
-			if mountType == "oss" && ossBucketName != "" {
-				if secretMountSupport {
-					secretURI := buildBucketSecretURI(ossBucketName)
-					if value.BucketSecretPaths == nil {
-						value.BucketSecretPaths = map[string]string{}
-					}
-					value.BucketSecretPaths[ossBucketName] = secretURI
-
-					itemPath := ""
-					switch key {
-					case "fs.oss.accessKeyId":
-						itemPath = ossBucketName + "/AccessKeyId"
-					case "fs.oss.accessKeySecret":
-						itemPath = ossBucketName + "/AccessKeySecret"
-					}
-					if itemPath != "" {
-						value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
-						if err != nil {
-							return err
+				if mountType == "oss" && ossBucketName != "" {
+					if secretMountSupport {
+						itemPath := ""
+						switch key {
+						case "fs.oss.accessKeyId":
+							itemPath = ossBucketName + "/AccessKeyId"
+						case "fs.oss.accessKeySecret":
+							itemPath = ossBucketName + "/AccessKeySecret"
 						}
+						if itemPath != "" {
+							secretURI := buildBucketSecretURI(ossBucketName)
+							if value.BucketSecretPaths == nil {
+								value.BucketSecretPaths = map[string]string{}
+							}
+							value.BucketSecretPaths[ossBucketName] = secretURI
+							value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
+							if err != nil {
+								return err
+							}
+							e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
+						}
+						continue
 					}
-					e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
-					continue
-				}
 
 				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 				if err != nil {
diff --git a/pkg/ddc/jindocache/transform_test.go b/pkg/ddc/jindocache/transform_test.go
@@ -1899,7 +1899,7 @@ func TestJindoCacheEngine_transformMasterRejectsConflictingSameBucketSecretProje
 	}
 }
 
-func TestJindoCacheEngine_transformMasterPreservesInlineOSSCredentials(t *testing.T) {
+func TestJindoCacheEngine_transformMasterSupportsInlineOSSCredentialsCompatibility(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
 	_ = corev1.AddToScheme(s)
@@ -1949,6 +1949,54 @@ func TestJindoCacheEngine_transformMasterPreservesInlineOSSCredentials(t *testin
 	}
 }
 
+func TestJindoCacheEngine_transformMasterIgnoresNonOSSCredentialEncryptOptionForBucketSecretProjection(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoCacheEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint": "oss-cn-shanghai.aliyuncs.com",
+				},
+				EncryptOptions: []datav1alpha1.EncryptOption{{
+					Name: "fs.oss.sessionToken",
+					ValueFrom: datav1alpha1.EncryptOptionSource{
+						SecretKeyRef: datav1alpha1.SecretKeySelector{Name: "secret-a", Key: "token"},
+					},
+				}},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for non-AK/SK encryptOptions, got %d", len(value.SecretProjections))
+	}
+	if len(value.BucketSecretPaths) != 0 {
+		t.Fatalf("expected no bucket secret paths for non-AK/SK encryptOptions, got %#v", value.BucketSecretPaths)
+	}
+}
+
 func TestJindoCacheEngine_transformMasterReturnsErrorWhenReferencedSecretMissing(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
diff --git a/pkg/ddc/jindofsx/transform.go b/pkg/ddc/jindofsx/transform.go
@@ -491,30 +491,29 @@ func (e *JindoFSxEngine) transformMaster(runtime *datav1alpha1.JindoRuntime, met
 				e.Log.Error(err, "invalid encryptOption secret reference", "key", key, "mountPoint", mount.MountPoint)
 				return err
 			}
-			if mountType == "oss" && ossBucketName != "" {
-				if secretMountSupport {
-					secretURI := buildBucketSecretURI(ossBucketName)
-					if value.BucketSecretPaths == nil {
-						value.BucketSecretPaths = map[string]string{}
-					}
-					value.BucketSecretPaths[ossBucketName] = secretURI
-
-					itemPath := ""
-					switch key {
-					case "fs.oss.accessKeyId":
-						itemPath = ossBucketName + "/AccessKeyId"
-					case "fs.oss.accessKeySecret":
-						itemPath = ossBucketName + "/AccessKeySecret"
-					}
-					if itemPath != "" {
-						value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
-						if err != nil {
-							return err
+				if mountType == "oss" && ossBucketName != "" {
+					if secretMountSupport {
+						itemPath := ""
+						switch key {
+						case "fs.oss.accessKeyId":
+							itemPath = ossBucketName + "/AccessKeyId"
+						case "fs.oss.accessKeySecret":
+							itemPath = ossBucketName + "/AccessKeySecret"
+						}
+						if itemPath != "" {
+							secretURI := buildBucketSecretURI(ossBucketName)
+							if value.BucketSecretPaths == nil {
+								value.BucketSecretPaths = map[string]string{}
+							}
+							value.BucketSecretPaths[ossBucketName] = secretURI
+							value.SecretProjections, err = appendSecretProjection(value.SecretProjections, secretKeyRef.Name, secretKeyRef.Key, itemPath)
+							if err != nil {
+								return err
+							}
+							e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
 						}
+						continue
 					}
-					e.Log.Info("Configure OSS bucket credential projection", "bucket", ossBucketName, "secretName", secretKeyRef.Name, "key", key)
-					continue
-				}
 
 				secret, err := kubeclient.GetSecret(e.Client, secretKeyRef.Name, e.namespace)
 				if err != nil {
diff --git a/pkg/ddc/jindofsx/transform_master_test.go b/pkg/ddc/jindofsx/transform_master_test.go
@@ -387,7 +387,7 @@ func TestJindoFSxEngine_transformMasterRejectsConflictingSameBucketSecretProject
 	}
 }
 
-func TestJindoFSxEngine_transformMasterPreservesInlineOSSCredentials(t *testing.T) {
+func TestJindoFSxEngine_transformMasterSupportsInlineOSSCredentialsCompatibility(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
 	_ = corev1.AddToScheme(s)
@@ -437,6 +437,54 @@ func TestJindoFSxEngine_transformMasterPreservesInlineOSSCredentials(t *testing.
 	}
 }
 
+func TestJindoFSxEngine_transformMasterIgnoresNonOSSCredentialEncryptOptionForBucketSecretProjection(t *testing.T) {
+	s := runtime.NewScheme()
+	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
+	_ = corev1.AddToScheme(s)
+
+	engine := JindoFSxEngine{
+		name:      "test",
+		namespace: "fluid",
+		Client:    fake.NewFakeClientWithScheme(s),
+		Log:       fake.NullLogger(),
+		runtime: &datav1alpha1.JindoRuntime{
+			Spec: datav1alpha1.JindoRuntimeSpec{
+				Fuse: datav1alpha1.JindoFuseSpec{},
+			},
+		},
+	}
+
+	dataset := &datav1alpha1.Dataset{
+		Spec: datav1alpha1.DatasetSpec{
+			Mounts: []datav1alpha1.Mount{{
+				MountPoint: "oss://bucket-a/data",
+				Name:       "mount-a",
+				Options: map[string]string{
+					"fs.oss.endpoint": "oss-cn-shanghai.aliyuncs.com",
+				},
+				EncryptOptions: []datav1alpha1.EncryptOption{{
+					Name: "fs.oss.sessionToken",
+					ValueFrom: datav1alpha1.EncryptOptionSource{
+						SecretKeyRef: datav1alpha1.SecretKeySelector{Name: "secret-a", Key: "token"},
+					},
+				}},
+			}},
+		},
+	}
+
+	value := &Jindo{}
+	if err := engine.transformMaster(engine.runtime, "/test", value, dataset, true); err != nil {
+		t.Fatalf("transformMaster() error = %v", err)
+	}
+
+	if len(value.SecretProjections) != 0 {
+		t.Fatalf("expected no secret projections for non-AK/SK encryptOptions, got %d", len(value.SecretProjections))
+	}
+	if len(value.BucketSecretPaths) != 0 {
+		t.Fatalf("expected no bucket secret paths for non-AK/SK encryptOptions, got %#v", value.BucketSecretPaths)
+	}
+}
+
 func TestJindoFSxEngine_transformMasterUsesReferencedSecretKeysForNonOSSMounts(t *testing.T) {
 	s := runtime.NewScheme()
 	s.AddKnownTypes(datav1alpha1.GroupVersion, &datav1alpha1.JindoRuntime{}, &datav1alpha1.Dataset{})
diff --git a/test/gha-e2e/jindo/multi-oss-job.yaml b/test/gha-e2e/jindo/multi-oss-job.yaml
@@ -12,7 +12,13 @@ spec:
           image: registry-cn-hongkong.ack.aliyuncs.com/acs/smartdata:6.9.1-202509151826
           imagePullPolicy: IfNotPresent
           resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+              ephemeral-storage: "1Gi"
             limits:
+              cpu: "500m"
+              memory: "256Mi"
               ephemeral-storage: "5Gi"
           command: ["/bin/sh"]
           args:
diff --git a/test/gha-e2e/jindo/oss-emulator.yaml b/test/gha-e2e/jindo/oss-emulator.yaml
@@ -39,6 +39,13 @@ spec:
         - name: emulator
           image: fluidcloudnative/oss-emulator:e2e
           imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "250m"
+              memory: "128Mi"
           env:
             - name: BUCKET_NAME
               value: bucket-a
@@ -91,6 +98,13 @@ spec:
         - name: emulator
           image: fluidcloudnative/oss-emulator:e2e
           imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "64Mi"
+            limits:
+              cpu: "250m"
+              memory: "128Mi"
           env:
             - name: BUCKET_NAME
               value: bucket-b
