Merge pull request #496 from siyanshen/automated-cherry-pick-of-#493-upstream-release-1.12

Add identity provider into mount options

Author: amacaskill

pkg/cloud_provider/auth/fake.go

@@ -31,6 +31,10 @@ func (tm *fakeTokenManager) GetTokenSourceFromK8sServiceAccount(saNamespace, saN
 	return &FakeGCPTokenSource{k8sSAName: saName, k8sSANamespace: saNamespace}
 }
 
+func (tm *fakeTokenManager) GetIdentityProvider() string {
+	return "fake.identity.provider"
+}
+
 type FakeGCPTokenSource struct {
 	k8sSAName      string
 	k8sSANamespace string

pkg/cloud_provider/auth/token_manager.go

@@ -31,6 +31,7 @@ const (
 
 type TokenManager interface {
 	GetTokenSourceFromK8sServiceAccount(saNamespace, saName, saToken string) oauth2.TokenSource
+	GetIdentityProvider() string
 }
 
 type tokenManager struct {
@@ -47,6 +48,10 @@ func NewTokenManager(meta metadata.Service, clientset clientset.Interface) Token
 	return &tm
 }
 
+func (tm *tokenManager) GetIdentityProvider() string {
+	return tm.meta.GetIdentityProvider()
+}
+
 func (tm *tokenManager) GetTokenSourceFromK8sServiceAccount(saNamespace, saName, saToken string) oauth2.TokenSource {
 	return &GCPTokenSource{
 		meta:           tm.meta,

pkg/csi_driver/node.go

@@ -20,7 +20,6 @@ package driver
 import (
 	"fmt"
 	"os"
-	"strconv"
 	"strings"
 	"time"
 
@@ -141,8 +140,9 @@ func (s *nodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublish
 		return nil, status.Errorf(codes.NotFound, "failed to get pod: %v", err)
 	}
 
-	if pod.Spec.HostNetwork {
-		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{"start-token-server=" + strconv.FormatBool(s.shouldStartTokenServer(pod))})
+	if s.shouldStartTokenServer(pod) && pod.Spec.HostNetwork {
+		identityProvider := s.driver.config.TokenManager.GetIdentityProvider()
+		fuseMountOptions = joinMountOptions(fuseMountOptions, []string{"token-server-identity-provider=" + identityProvider})
 	}
 
 	// Since the webhook mutating ordering is not definitive,
@@ -301,7 +301,7 @@ func (s *nodeServer) prepareStorageService(ctx context.Context, vc map[string]st
 func (s *nodeServer) shouldStartTokenServer(pod *corev1.Pod) bool {
 	for _, vol := range pod.Spec.Volumes {
 		if vol.Name == webhook.SidecarContainerSATokenVolumeName {
-			klog.Infof("Pod has sa vol injected")
+			klog.Infof("Service Account Token Injection feature is turned on.")
 
 			return true
 		}

pkg/sidecar_mounter/sidecar_mounter.go

@@ -26,10 +26,8 @@ import (
 	"io"
 	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"os/exec"
-	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -64,10 +62,10 @@ func New(mounterPath string) *Mounter {
 
 func (m *Mounter) Mount(ctx context.Context, mc *MountConfig) error {
 	// Start the token server for HostNetwork enabled pods.
-	if mc.PodShouldUseTokenServer {
+	if mc.TokenServerIdentityProvider != "" {
 		tp := filepath.Join(mc.TempDir, TokenFileName)
 		klog.Infof("Pod has hostNetwork enabled and token server feature is turned on. Starting Token Server on %s.", tp)
-		go StartTokenServer(ctx, tp)
+		go StartTokenServer(ctx, tp, mc.TokenServerIdentityProvider)
 	}
 
 	klog.Infof("start to mount bucket %q for volume %q", mc.BucketName, mc.VolumeName)
@@ -302,13 +300,13 @@ func getK8sTokenFromFile(tokenPath string) (string, error) {
 	return strings.TrimSpace(string(token)), nil
 }
 
-func fetchIdentityBindingToken(ctx context.Context, k8sSAToken string) (*oauth2.Token, error) {
+func fetchIdentityBindingToken(ctx context.Context, k8sSAToken string, identityProvider string) (*oauth2.Token, error) {
 	stsService, err := sts.NewService(ctx, option.WithHTTPClient(&http.Client{}))
 	if err != nil {
 		return nil, fmt.Errorf("new STS service error: %w", err)
 	}
 
-	audience, err := getAudienceFromContext(ctx)
+	audience, err := getAudienceFromContextAndIdentityProvider(ctx, identityProvider)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get audience from the context: %w", err)
 	}
@@ -334,39 +332,23 @@ func fetchIdentityBindingToken(ctx context.Context, k8sSAToken string) (*oauth2.
 	}, nil
 }
 
-func getAudienceFromContext(ctx context.Context) (string, error) {
+func getAudienceFromContextAndIdentityProvider(ctx context.Context, identityProvider string) (string, error) {
 	projectID, err := metadata.ProjectIDWithContext(ctx)
 	if err != nil {
 		return "", fmt.Errorf("failed to get project ID: %w", err)
 	}
-	// Get all instance metadata attributes
-	clusterLocation, err := metadata.InstanceAttributeValueWithContext(ctx, "cluster-location")
-	if err != nil {
-		return "", fmt.Errorf("failed to get clusterLocation: %w", err)
-	}
-	clusterName, err := metadata.InstanceAttributeValueWithContext(ctx, "cluster-name")
-	if err != nil {
-		return "", fmt.Errorf("failed to get clusterName: %w", err)
-	}
-
-	klog.Infof("projectID: %s, clusterName: %s, clusterLocation: %s", projectID, clusterName, clusterLocation)
-	onePlatformClusterResourceURL := &url.URL{
-		Scheme: "https",
-		Host:   "container.googleapis.com",
-		Path:   path.Join("v1", "projects", projectID, "locations", clusterLocation, "clusters", clusterName),
-	}
 
 	audience := fmt.Sprintf(
 		"identitynamespace:%s.svc.id.goog:%s",
 		projectID,
-		onePlatformClusterResourceURL,
+		identityProvider,
 	)
 	klog.Infof("audience: %s", audience)
 
 	return audience, nil
 }
 
-func StartTokenServer(ctx context.Context, tokenURLSocketPath string) {
+func StartTokenServer(ctx context.Context, tokenURLSocketPath string, identityProvider string) {
 	// Create a unix domain socket and listen for incoming connections.
 	tokenSocketListener, err := net.Listen("unix", tokenURLSocketPath)
 	if err != nil {
@@ -388,7 +370,7 @@ func StartTokenServer(ctx context.Context, tokenURLSocketPath string) {
 
 			return
 		}
-		stsToken, err = fetchIdentityBindingToken(ctx, k8stoken)
+		stsToken, err = fetchIdentityBindingToken(ctx, k8stoken, identityProvider)
 		if err != nil {
 			klog.Errorf("failed to get sts token from path %v", err)
 			w.WriteHeader(http.StatusInternalServerError)

pkg/sidecar_mounter/sidecar_mounter_config.go

@@ -35,27 +35,27 @@ import (
 )
 
 const (
-	GCSFuseAppName     = "gke-gcs-fuse-csi"
-	TempDir            = "/temp-dir"
-	unixSocketBasePath = "unix://"
-	TokenFileName      = "token.sock" // #nosec G101
-	tokenServerFlag    = "start-token-server"
+	GCSFuseAppName       = "gke-gcs-fuse-csi"
+	TempDir              = "/temp-dir"
+	unixSocketBasePath   = "unix://"
+	TokenFileName        = "token.sock" // #nosec G101
+	identityProviderFlag = "token-server-identity-provider"
 )
 
 // MountConfig contains the information gcsfuse needs.
 type MountConfig struct {
-	FileDescriptor          int                   `json:"-"`
-	VolumeName              string                `json:"volumeName,omitempty"`
-	BucketName              string                `json:"bucketName,omitempty"`
-	BufferDir               string                `json:"-"`
-	CacheDir                string                `json:"-"`
-	TempDir                 string                `json:"-"`
-	ConfigFile              string                `json:"-"`
-	Options                 []string              `json:"options,omitempty"`
-	ErrWriter               stderrWriterInterface `json:"-"`
-	FlagMap                 map[string]string     `json:"-"`
-	ConfigFileFlagMap       map[string]string     `json:"-"`
-	PodShouldUseTokenServer bool                  `json:"-"`
+	FileDescriptor              int                   `json:"-"`
+	VolumeName                  string                `json:"volumeName,omitempty"`
+	BucketName                  string                `json:"bucketName,omitempty"`
+	BufferDir                   string                `json:"-"`
+	CacheDir                    string                `json:"-"`
+	TempDir                     string                `json:"-"`
+	ConfigFile                  string                `json:"-"`
+	Options                     []string              `json:"options,omitempty"`
+	ErrWriter                   stderrWriterInterface `json:"-"`
+	FlagMap                     map[string]string     `json:"-"`
+	ConfigFileFlagMap           map[string]string     `json:"-"`
+	TokenServerIdentityProvider string                `json:"-"`
 }
 
 var prometheusPort = 62990
@@ -171,7 +171,7 @@ func (mc *MountConfig) prepareMountArgs() {
 	invalidArgs := []string{}
 
 	for _, arg := range mc.Options {
-		if strings.Contains(arg, ":") {
+		if strings.Contains(arg, ":") && !strings.Contains(arg, "https") {
 			i := strings.LastIndex(arg, ":")
 			f, v := arg[:i], arg[i+1:]
 
@@ -217,13 +217,8 @@ func (mc *MountConfig) prepareMountArgs() {
 			value = argPair[1]
 		}
 
-		if flag == tokenServerFlag {
-			val, err := strconv.ParseBool(value)
-			if err != nil {
-				klog.Errorf("failed to parse start-token-server flag value: %v", err)
-			} else {
-				mc.PodShouldUseTokenServer = val
-			}
+		if flag == identityProviderFlag {
+			mc.TokenServerIdentityProvider = value
 
 			continue
 		}
@@ -290,7 +285,7 @@ func (mc *MountConfig) prepareConfigFile() error {
 			}
 		}
 	}
-	if mc.PodShouldUseTokenServer {
+	if mc.TokenServerIdentityProvider != "" {
 		configMap["gcs-auth"] = map[string]interface{}{
 			"token-url": unixSocketBasePath + filepath.Join(mc.TempDir, TokenFileName),
 		}

pkg/sidecar_mounter/sidecar_mounter_config_test.go

@@ -88,7 +88,7 @@ func TestPrepareMountArgs(t *testing.T) {
 				BufferDir:  "test-buffer-dir",
 				CacheDir:   "test-cache-dir",
 				ConfigFile: "test-config-file",
-				Options:    []string{"uid=100", "gid=200", "debug_gcs", "max-conns-per-host=10", "implicit-dirs", "write:create-empty-file:false", "logging:severity:error", "write:create-empty-file:true"},
+				Options:    []string{"uid=100", "gid=200", "token-server-identity-provider=https://fakeresource", "debug_gcs", "max-conns-per-host=10", "implicit-dirs", "write:create-empty-file:false", "logging:severity:error", "write:create-empty-file:true"},
 			},
 			expectedArgs: map[string]string{
 				"implicit-dirs":      "",
@@ -327,7 +327,7 @@ func TestPrepareConfigFile(t *testing.T) {
 					"metadata-cache:type-cache-max-size-mb": "-1",
 					"cache-dir":                             "/gcsfuse-cache/.volumes/volume-name",
 				},
-				PodShouldUseTokenServer: true,
+				TokenServerIdentityProvider: "https://container.googleapis.com/v1/projects/fake-project/locations/us-central1/clusters/fake-cluster",
 			},
 			expectedConfig: map[string]interface{}{
 				"logging": map[string]interface{}{