From 8ab9b8d5f0bf914fc96d67366d5defda37d42185 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Mon, 25 Aug 2025 13:40:58 +0530 Subject: [PATCH 01/18] update versions Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 2 +- go.mod | 9 +++++---- go.sum | 18 ++++++++++-------- 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 8842a963..2e8d8f76 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-08-25T02:32:44Z", + "generated_at": "2025-08-25T07:30:02Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/go.mod b/go.mod index 44f116c6..a38714ef 100644 --- a/go.mod +++ b/go.mod @@ -14,8 +14,8 @@ require ( github.com/google/uuid v1.6.0 github.com/kubernetes-csi/csi-test/v5 v5.3.1 github.com/mitchellh/go-ps v1.0.0 - github.com/onsi/ginkgo/v2 v2.24.0 - github.com/onsi/gomega v1.38.0 + github.com/onsi/ginkgo/v2 v2.25.1 + github.com/onsi/gomega v1.38.1 github.com/prometheus/client_golang v1.23.0 github.com/stretchr/testify v1.10.0 go.uber.org/zap v1.27.0 @@ -35,7 +35,7 @@ require ( github.com/BurntSushi/toml v1.0.0 // indirect github.com/IBM/secret-utils-lib v1.1.14 // indirect github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab // indirect - github.com/Masterminds/semver/v3 v3.3.1 // indirect + github.com/Masterminds/semver/v3 v3.4.0 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/antlr4-go/antlr/v4 v4.13.0 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect 
@@ -85,7 +85,7 @@ require ( github.com/google/cel-go v0.23.2 // indirect github.com/google/gnostic-models v0.6.9 // indirect github.com/google/go-cmp v0.7.0 // indirect - github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 // indirect + github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect @@ -142,6 +142,7 @@ require ( go.opentelemetry.io/proto/otlp v1.4.0 // indirect go.uber.org/automaxprocs v1.6.0 // indirect go.uber.org/multierr v1.11.0 // indirect + go.yaml.in/yaml/v3 v3.0.4 // indirect golang.org/x/arch v0.8.0 // indirect golang.org/x/crypto v0.41.0 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect diff --git a/go.sum b/go.sum index 89701529..65990437 100644 --- a/go.sum +++ b/go.sum 
@@ -16,8 +16,8 @@ github.com/IBM/secret-utils-lib v1.1.14 h1:Gv5Ca2hZTQMr9+PkOq7AE2lUUnNEeQJ0uiKax github.com/IBM/secret-utils-lib v1.1.14/go.mod h1:wAAmS6JOrgcASOuyDkclmxWdKMcbVxshW5QWlMn21X8= github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab h1:UKkYhof1njT1/xq4SEg5z+VpTgjmNeHwPGRQl7takDI= github.com/JeffAshton/win_pdh v0.0.0-20161109143554-76bb4ee9f0ab/go.mod h1:3VYc5hodBMJ5+l/7J4xAyMeuM2PNuepvHlGs8yilUCA= -github.com/Masterminds/semver/v3 v3.3.1 h1:QtNSWtVZ3nBfk8mAOu/B6v7FMJ+NHTIgUPi7rj+4nv4= -github.com/Masterminds/semver/v3 v3.3.1/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= +github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0= +github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI= 
@@ -146,8 +146,8 @@ github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8= -github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6 h1:EEHtgt9IwisQ2AZ4pIsMjahcegHh6rmhqxzIRQIyepY= +github.com/google/pprof v0.0.0-20250820193118-f64d9cf942d6/go.mod h1:I6V7YzU0XDpsHqbsyrghnFZLO1gwK6NPTNvmetQIk9U= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo= 
@@ -230,10 +230,10 @@ github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4= github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.24.0 h1:obZz8LAnHicNdbBqvG3ytAFx8fgza+i1IDpBVcHT2YE= -github.com/onsi/ginkgo/v2 v2.24.0/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk= -github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY= -github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o= +github.com/onsi/ginkgo/v2 v2.25.1 h1:Fwp6crTREKM+oA6Cz4MsO8RhKQzs2/gOIVOUscMAfZY= +github.com/onsi/ginkgo/v2 v2.25.1/go.mod h1:ppTWQ1dh9KM/F1XgpeRqelR+zHVwV81DGRSDnFxK7Sk= +github.com/onsi/gomega v1.38.1 h1:FaLA8GlcpXDwsb7m0h2A9ew2aTk3vnZMlzFgg5tz/pk= +github.com/onsi/gomega v1.38.1/go.mod h1:LfcV8wZLvwcYRwPiJysphKAEsmcFnLMK/9c+PjvlX8g= github.com/opencontainers/cgroups v0.0.1 h1:MXjMkkFpKv6kpuirUa4USFBas573sSAY082B4CiHEVA= github.com/opencontainers/cgroups v0.0.1/go.mod h1:s8lktyhlGUqM7OSRL5P7eAW6Wb+kWPNvt4qvVfzA5vs= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -327,6 +327,8 @@ go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= +go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc= +go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg= golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8= golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc= golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys= From da5f6b81d1107ec4b585fdf3dad1d02ef2b7d995 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Mon, 1 Sep 2025 11:11:28 +0530 Subject: [PATCH 02/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 +-- pkg/driver/nodeserver.go | 5 ++++ pkg/driver/s3-driver.go | 13 ++++----- pkg/driver/s3-driver_test.go | 39 +++++++++++++++++++++------ pkg/utils/driver_utils.go | 48 +++++++++++++++++++++++++++------- pkg/utils/fake_driver_utils.go | 8 +++--- 6 files changed, 87 insertions(+), 30 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 2e8d8f76..dcba9465 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-08-25T07:30:02Z", + "generated_at": "2025-09-01T05:40:36Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -270,7 +270,7 @@ { "hashed_secret": "c7c6508b19455e3e8040e60e9833fbede92e5d8e", "is_verified": false, - "line_number": 368, + "line_number": 382, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go index 16169a23..a787bb76 100644 --- a/pkg/driver/nodeserver.go +++ b/pkg/driver/nodeserver.go 
@@ -39,6 +39,7 @@ type NodeServerConfig struct { Region string Zone string NodeID string + CipherSuites string } func (ns *nodeServer) NodeStageVolume(_ context.Context, req *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) { @@ -145,6 +146,10 @@ func (ns *nodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV secretMap["iamEndpoint"] = ns.iamEndpoint } + if len(secretMap["cipher_suites"]) == 0 { + secretMap["cipher_suites"] = ns.CipherSuites + } + // If bucket name wasn't provided by user, we use temp bucket created for volume. if secretMap["bucketName"] == "" { tempBucketName, err := ns.Stats.GetBucketNameFromPV(volumeID) diff --git a/pkg/driver/s3-driver.go b/pkg/driver/s3-driver.go index 74b8d291..2c28fb0d 100644 --- a/pkg/driver/s3-driver.go +++ b/pkg/driver/s3-driver.go @@ -140,7 +140,7 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo return nil, fmt.Errorf("KUBE_NODE_NAME env variable not set") } - region, zone, err := statsUtil.GetRegionAndZone(nodeName) + data, err := statsUtil.GetNodeServerData(nodeName) if err != nil { return nil, err } @@ -158,11 +158,12 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo } return &nodeServer{ - S3Driver: d, - Stats: statsUtil, - NodeServerConfig: NodeServerConfig{MaxVolumesPerNode: maxVolumesPerNode, Region: region, Zone: zone, NodeID: nodeID}, - Mounter: mountObj, - MounterUtils: mounterUtil, + S3Driver: d, + Stats: statsUtil, + NodeServerConfig: NodeServerConfig{MaxVolumesPerNode: maxVolumesPerNode, Region: data.Region, Zone: data.Zone, + NodeID: nodeID, CipherSuites: data.CipherSuites}, + Mounter: mountObj, + MounterUtils: mounterUtil, }, nil } diff --git a/pkg/driver/s3-driver_test.go b/pkg/driver/s3-driver_test.go index 5c7e1eb6..4bcfee28 100644 --- a/pkg/driver/s3-driver_test.go +++ b/pkg/driver/s3-driver_test.go 
@@ -119,7 +119,12 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "10", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { return testRegion, testZone, nil }, + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{ + Region: testRegion, + Zone: testZone, + }, nil + }, }), verifyResult: func(t *testing.T, ns *nodeServer, err error) { assert.NoError(t, err) @@ -149,8 +154,8 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { - return "", "", errors.New("unable to load in-cluster configuration") + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return nil, errors.New("unable to load in-cluster configuration") }, }), verifyResult: func(t *testing.T, ns *nodeServer, err error) { @@ -165,8 +170,11 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "invalid", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { - return testRegion, testZone, nil + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{ + Region: testRegion, + Zone: testZone, + }, nil }, }), verifyResult: func(t *testing.T, ns *nodeServer, err error) { 
@@ -181,7 +189,12 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { return testRegion, testZone, nil }, + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{ + Region: testRegion, + Zone: testZone, + }, nil + }, }), verifyResult: func(t *testing.T, ns *nodeServer, err error) { assert.NoError(t, err) @@ -270,7 +283,12 @@ func TestNewS3CosDriver(t *testing.T) { GetEndpointsFn: func() (string, string, error) { return constants.PublicIAMEndpoint, "", nil }, - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { return testRegion, testZone, nil }, + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{ + Region: testRegion, + Zone: testZone, + }, nil + }, }), verifyResult: func(t *testing.T, driver *S3Driver, err error) { assert.NoError(t, err) @@ -287,7 +305,12 @@ func TestNewS3CosDriver(t *testing.T) { GetEndpointsFn: func() (string, string, error) { return constants.PublicIAMEndpoint, "", nil }, - GetRegionAndZoneFn: func(nodeName string) (string, string, error) { return testRegion, testZone, nil }, + GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{ + Region: testRegion, + Zone: testZone, + }, nil + }, }), verifyResult: func(t *testing.T, driver *S3Driver, err error) { assert.NoError(t, err) diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index a054704a..bc0378f9 100644 --- a/pkg/utils/driver_utils.go +++ b/pkg/utils/driver_utils.go 
@@ -29,7 +29,7 @@ type StatsUtils interface { GetTotalCapacityFromPV(volumeID string) (resource.Quantity, error) GetBucketUsage(volumeID string) (int64, error) GetBucketNameFromPV(volumeID string) (string, error) - GetRegionAndZone(nodeName string) (string, string, error) + GetNodeServerData(nodeName string) (*NodeServerData, error) GetEndpoints() (string, string, error) GetPVAttributes(volumeID string) (map[string]string, error) GetPVC(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) @@ -40,15 +40,16 @@ type StatsUtils interface { type DriverStatsUtils struct { } -func (su *DriverStatsUtils) GetRegionAndZone(nodeName string) (region, zone string, err error) { - clientset, err := CreateK8sClient() - if err != nil { - return "", "", err - } +type NodeServerData struct { + Region string + Zone string + CipherSuites string +} - node, err := clientset.CoreV1().Nodes().Get(context.Background(), nodeName, metav1.GetOptions{}) +func (su *DriverStatsUtils) GetNodeServerData(nodeName string) (*NodeServerData, error) { + node, err := getNodeByName(nodeName) if err != nil { - return "", "", err + return nil, err } nodeLabels := node.Labels @@ -57,9 +58,22 @@ func (su *DriverStatsUtils) GetRegionAndZone(nodeName string) (region, zone stri if !regionExists || !zoneExists { errorMsg := fmt.Errorf("one or few required node label(s) is/are missing [%s, %s]. Node Labels Found = [#%v]", constants.NodeRegionLabel, constants.NodeZoneLabel, nodeLabels) //nolint:golint - return "", "", errorMsg + return nil, errorMsg + } + + ciphersuite := "default" + osImage := node.Status.NodeInfo.OSImage + if strings.Contains(strings.ToLower(osImage), "ubuntu") { + ciphersuite = "AESGCM" } - return region, zone, nil + + data := &NodeServerData{ + Region: region, + Zone: zone, + CipherSuites: ciphersuite, + } + + return data, nil } // GetEndpoints return IAMEndpoint, COSResourceConfigEndpoint, error 
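Review bot: In `GetNodeServerData` the TLS cipher list is picked by a substring test on `node.Status.NodeInfo.OSImage`, a free-form string reported by the node itself, so an Ubuntu-derived image whose name lacks "ubuntu" silently gets `"default"`, and any image name that merely contains the word gets `"AESGCM"`. The hunk gives no reason for either value; add a comment along the lines of `// Ubuntu nodes need the AESGCM list because <reason>; every other OS keeps the mounter's own default`, and move the two literals into named constants. Logging the OSImage and the chosen value once at start-up would make a wrong pick visible in the node-plugin log. The new exported `NodeServerData` type also has no doc comment. The function's signature is in the preceding hunk of the same file.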
@@ -375,3 +389,17 @@ func fetchSecretUsingPV(volumeID string, su *DriverStatsUtils) (*v1.Secret, erro klog.Info("secret details found. secretName: ", secret.Name) return secret, nil } + +func getNodeByName(nodeName string) (*v1.Node, error) { + clientset, err := CreateK8sClient() + if err != nil { + return nil, err + } + + node, err := clientset.CoreV1().Nodes().Get(context.Background(), nodeName, metav1.GetOptions{}) + if err != nil { + return nil, err + } + + return node, nil +} diff --git a/pkg/utils/fake_driver_utils.go b/pkg/utils/fake_driver_utils.go index 09324cb4..41d344d4 100644 --- a/pkg/utils/fake_driver_utils.go +++ b/pkg/utils/fake_driver_utils.go @@ -12,7 +12,7 @@ type FakeStatsUtilsFuncStruct struct { GetTotalCapacityFromPVFn func(volumeID string) (resource.Quantity, error) GetBucketUsageFn func(volumeID string) (int64, error) GetBucketNameFromPVFn func(volumeID string) (string, error) - GetRegionAndZoneFn func(nodeName string) (string, string, error) + GetNodeServerDataFn func(nodeName string) (*NodeServerData, error) GetEndpointsFn func() (string, string, error) GetPVAttributesFn func(volumeID string) (map[string]string, error) GetPVCFn func(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) @@ -74,9 +74,9 @@ func (m *FakeStatsUtilsFuncStructImpl) GetBucketNameFromPV(volumeID string) (str panic("requested method should not be nil") } -func (m *FakeStatsUtilsFuncStructImpl) GetRegionAndZone(nodeName string) (string, string, error) { - if m.FuncStruct.GetRegionAndZoneFn != nil { - return m.FuncStruct.GetRegionAndZoneFn(nodeName) +func (m *FakeStatsUtilsFuncStructImpl) GetNodeServerData(nodeName string) (*NodeServerData, error) { + if m.FuncStruct.GetNodeServerDataFn != nil { + return m.FuncStruct.GetNodeServerDataFn(nodeName) } panic("requested method should not be nil") } From a277cd475019403f815e4a54f7bd66c348bc3ef1 Mon Sep 17 00:00:00 2001 
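Review bot: `getNodeByName` queries the API server with `context.Background()`, so a stalled request blocks node-server start-up with no deadline. The code it replaces did the same, but the new helper is the natural place to bound the call: `ctx, cancel := context.WithTimeout(context.Background(), <timeout>)` followed by `defer cancel()`, with the `time` import added to the file. The helper has no doc comment either; `// getNodeByName fetches the Node object named nodeName through a client from CreateK8sClient.` would cover it.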
From: Ashima-Ashima1 Date: Mon, 1 Sep 2025 11:12:16 +0530 Subject: [PATCH 03/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 ++-- pkg/mounter/mounter-rclone.go | 9 +++++++++ pkg/mounter/mounter-s3fs.go | 10 ++++++++++ tests/sanity/sanity_test.go | 5 +++-- 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index dcba9465..f5f8f703 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-01T05:40:36Z", + "generated_at": "2025-09-01T05:42:09Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -190,7 +190,7 @@ "hashed_secret": "2ace62c1befa19e3ea37dd52be9f6d508c5163e6", "is_secret": false, "is_verified": false, - "line_number": 264, + "line_number": 273, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/mounter/mounter-rclone.go b/pkg/mounter/mounter-rclone.go index 91ad2c01..284a290b 100644 --- a/pkg/mounter/mounter-rclone.go +++ b/pkg/mounter/mounter-rclone.go @@ -145,6 +145,7 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin } lines := strings.Split(stringData, "\n") + isCipherSuitesInMO := false // Update map for _, line := range lines { @@ -156,9 +157,17 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin klog.Infof("Invalid mount option: %s\n", line) continue } + if mountOptsMap[strings.TrimSpace(opts[0])] == "cipher_suites" { + isCipherSuitesInMO = true + } mountOptsMap[strings.TrimSpace(opts[0])] = strings.TrimSpace(opts[1]) } + val, check := secretMap["cipher_suites"] + if !isCipherSuitesInMO && check { + mountOptsMap["cipher_suites"] = val + } + // Create array out of map updatedOptions := []string{} for k, v := range mountOptsMap { diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index f6ce3afc..1cb5b9de 100644 --- a/pkg/mounter/mounter-s3fs.go 
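Review bot: In `updateMountOptions` the new check `mountOptsMap[strings.TrimSpace(opts[0])] == "cipher_suites"` compares the value stored under the key with the option name, so for a `cipher_suites=...` line `isCipherSuitesInMO` practically never becomes true, and `secretMap["cipher_suites"]` then overwrites what the user put in `mountOptions`. The comparison belongs on the key: `if strings.TrimSpace(opts[0]) == "cipher_suites" {`. The s3fs counterpart later in this patch is loose in the other direction: `strings.Contains(line, "cipher_suites")` matches the name anywhere in the line, including inside another option's value, and comparing the trimmed key after the split would be exact. Both functions start and end outside their hunks.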
+++ b/pkg/mounter/mounter-s3fs.go @@ -242,6 +242,8 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string mountOptsMap["uid"] = secretMap["uid"] } + isCipherSuitesInMO := false + stringData, ok := secretMap["mountOptions"] if !ok { klog.Infof("No new mountOptions found. Using default mountOptions: %v", mountOptsMap) @@ -252,6 +254,9 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string if strings.TrimSpace(line) == "" { continue } + if strings.Contains(line, "cipher_suites") { + isCipherSuitesInMO = true + } opts := strings.Split(line, "=") if len(opts) == 2 { mountOptsMap[strings.TrimSpace(opts[0])] = strings.TrimSpace(opts[1]) @@ -263,6 +268,11 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string } } + val, check := secretMap["cipher_suites"] + if !isCipherSuitesInMO && check { + mountOptsMap["cipher_suites"] = val + } + // Create array out of map updatedOptions := []string{} for key, val := range mountOptsMap { diff --git a/tests/sanity/sanity_test.go b/tests/sanity/sanity_test.go index c2f80f00..b0cc2620 100644 --- a/tests/sanity/sanity_test.go +++ b/tests/sanity/sanity_test.go @@ -24,6 +24,7 @@ import ( csiDriver "github.com/IBM/ibm-object-csi-driver/pkg/driver" "github.com/IBM/ibm-object-csi-driver/pkg/mounter" "github.com/IBM/ibm-object-csi-driver/pkg/s3client" + "github.com/IBM/ibm-object-csi-driver/pkg/utils" "github.com/google/uuid" "github.com/kubernetes-csi/csi-test/v5/pkg/sanity" "go.uber.org/zap" @@ -256,8 +257,8 @@ func (su *FakeNewDriverStatsUtils) GetBucketNameFromPV(volumeID string) (string, return "", nil } -func (su *FakeNewDriverStatsUtils) GetRegionAndZone(nodeName string) (string, string, error) { - return "", "", nil +func (su *FakeNewDriverStatsUtils) GetNodeServerData(nodeName string) (*utils.NodeServerData, error) { + return &utils.NodeServerData{}, nil } func (su *FakeNewDriverStatsUtils) GetEndpoints() (string, string, error) { 
From c702caa83468b1bbee483aa9b6dfee0da52e176d Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Mon, 1 Sep 2025 11:34:04 +0530 Subject: [PATCH 04/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 ++-- pkg/mounter/mounter-rclone.go | 15 +++++---------- pkg/mounter/mounter-s3fs.go | 13 ++++--------- 3 files changed, 11 insertions(+), 21 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index f5f8f703..e50dc2bb 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-01T05:42:09Z", + "generated_at": "2025-09-01T06:03:58Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -190,7 +190,7 @@ "hashed_secret": "2ace62c1befa19e3ea37dd52be9f6d508c5163e6", "is_secret": false, "is_verified": false, - "line_number": 273, + "line_number": 268, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/mounter/mounter-rclone.go b/pkg/mounter/mounter-rclone.go index 284a290b..289fb248 100644 --- a/pkg/mounter/mounter-rclone.go +++ b/pkg/mounter/mounter-rclone.go @@ -137,15 +137,18 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin } } - stringData, ok := secretMap["mountOptions"] + val, check := secretMap["cipher_suites"] + if check { + mountOptsMap["cipher_suites"] = val + } + stringData, ok := secretMap["mountOptions"] if !ok { klog.Infof("No new mountOptions found. Using default mountOptions: %v", dafaultMountOptions) return dafaultMountOptions } lines := strings.Split(stringData, "\n") - isCipherSuitesInMO := false // Update map for _, line := range lines { 
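Review bot: In the rclone hunk the cipher list is written into `mountOptsMap` before the `if !ok { ... return dafaultMountOptions }` branch, so when the secret has no `mountOptions` key the function returns the untouched defaults and the `cipher_suites` entry is dropped. If the option is meant to reach rclone in that case, the early return has to carry it, for example by returning a copy of the defaults with `"cipher_suites="+val` appended when `check` is true (assuming the `key=value` form the defaults appear to use). A test with a secret that sets `cipher_suites` but no `mountOptions` would pin the behaviour. The function begins and ends outside the hunk.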
@@ -157,17 +160,9 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin klog.Infof("Invalid mount option: %s\n", line) continue } - if mountOptsMap[strings.TrimSpace(opts[0])] == "cipher_suites" { - isCipherSuitesInMO = true - } mountOptsMap[strings.TrimSpace(opts[0])] = strings.TrimSpace(opts[1]) } - val, check := secretMap["cipher_suites"] - if !isCipherSuitesInMO && check { - mountOptsMap["cipher_suites"] = val - } - // Create array out of map updatedOptions := []string{} for k, v := range mountOptsMap { diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index 1cb5b9de..a0b5c4c7 100644 --- a/pkg/mounter/mounter-s3fs.go +++ b/pkg/mounter/mounter-s3fs.go @@ -242,7 +242,10 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string mountOptsMap["uid"] = secretMap["uid"] } - isCipherSuitesInMO := false + val, check := secretMap["cipher_suites"] + if check { + mountOptsMap["cipher_suites"] = val + } stringData, ok := secretMap["mountOptions"] if !ok { @@ -254,9 +257,6 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string if strings.TrimSpace(line) == "" { continue } - if strings.Contains(line, "cipher_suites") { - isCipherSuitesInMO = true - } opts := strings.Split(line, "=") if len(opts) == 2 { mountOptsMap[strings.TrimSpace(opts[0])] = strings.TrimSpace(opts[1]) @@ -268,11 +268,6 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string } } - val, check := secretMap["cipher_suites"] - if !isCipherSuitesInMO && check { - mountOptsMap["cipher_suites"] = val - } - // Create array out of map updatedOptions := []string{} for key, val := range mountOptsMap { From 50f7fddf56eb02393e51f21bec92e43b040d0bb9 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Mon, 1 Sep 2025 11:37:05 +0530 Subject: [PATCH 05/18] set cipher suites from secrets in mount options 
Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 ++-- pkg/mounter/mounter-rclone_test.go | 1 + pkg/mounter/mounter-s3fs_test.go | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index e50dc2bb..273f6663 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-01T06:03:58Z", + "generated_at": "2025-09-01T06:07:00Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -199,7 +199,7 @@ { "hashed_secret": "2e7a7ee14caebf378fc32d6cf6f557f347c96773", "is_verified": false, - "line_number": 77, + "line_number": 78, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/mounter/mounter-rclone_test.go b/pkg/mounter/mounter-rclone_test.go index 839ec5d5..51978b6e 100644 --- a/pkg/mounter/mounter-rclone_test.go +++ b/pkg/mounter/mounter-rclone_test.go @@ -21,6 +21,7 @@ var ( "kpRootKeyCRN": "test-kp-root-key-crn", "gid": "fake-gid", "uid": "fake-uid", + "cipher_suites": "default", } mountOptionsRClone = []string{"opt1=val1", "opt2=val2"} diff --git a/pkg/mounter/mounter-s3fs_test.go b/pkg/mounter/mounter-s3fs_test.go index 9b78c178..fca642dc 100644 --- a/pkg/mounter/mounter-s3fs_test.go +++ b/pkg/mounter/mounter-s3fs_test.go @@ -20,6 +20,7 @@ var ( "apiKey": "test-api-key", "kpRootKeyCRN": "test-kp-root-key-crn", "uid": "test-uid", + "cipher_suites": "default", } mountOptions = []string{"opt1=val1", "opt2=val2", "opt3"} From 5a920f99d353164de5d2596c1a7d4f27e48626e9 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Mon, 1 Sep 2025 11:58:27 +0530 Subject: [PATCH 06/18] publish v0.9.2 Signed-off-by: Ashima-Ashima1 --- .github/workflows/release.yml | 10 +++++----- cos-csi-mounter/Makefile | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 07d20cd9..7279ccaf 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ name: Release on: push: branches: - - main + - ciphersuites jobs: release: @@ -16,8 +16,8 @@ jobs: - cos-csi-mounter env: - IS_LATEST_RELEASE: 'true' - APP_VERSION: 1.0.3 + IS_LATEST_RELEASE: 'false' + APP_VERSION: 0.9.2 steps: - name: Checkout Code @@ -63,8 +63,8 @@ jobs: /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.deb.tar.gz.sha256 /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz.sha256 - tag_name: v1.0.3 - name: v1.0.3 + tag_name: v0.9.2 + name: v0.9.2 ## body: prerelease: ${{ env.IS_LATEST_RELEASE != 'true' }} diff --git a/cos-csi-mounter/Makefile b/cos-csi-mounter/Makefile index d5490a7c..9f9b8506 100644 --- a/cos-csi-mounter/Makefile +++ b/cos-csi-mounter/Makefile @@ -1,5 +1,5 @@ NAME := cos-csi-mounter -APP_VERSION := 1.0.3 +APP_VERSION := 0.9.2 BUILD_DIR := $(NAME)-$(APP_VERSION) BIN_DIR := bin From d9b9633e54c3a08baa298761e2f0fac5f2915439 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Tue, 2 Sep 2025 12:34:08 +0530 Subject: [PATCH 07/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 6 +++--- pkg/constants/constants.go | 2 ++ pkg/driver/nodeserver.go | 4 ++-- pkg/mounter/mounter-rclone.go | 4 ++-- pkg/mounter/mounter-rclone_test.go | 23 ++++++++++++----------- pkg/mounter/mounter-s3fs.go | 6 +++--- pkg/mounter/mounter-s3fs_test.go | 21 +++++++++++---------- 7 files changed, 35 insertions(+), 31 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 273f6663..cc45eb24 100644 --- a/.secrets.baseline +++ b/.secrets.baseline 
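Review bot: The release workflow now fires on every push to the `ciphersuites` feature branch instead of `main`, and it publishes the `.deb`/`.rpm` archives under the tag `v0.9.2`, a lower version than the `1.0.3` it replaces. If this is merged as is, pushes to `main` stop producing releases while a development branch keeps the ability to publish installable packages. Restore `- main` under `branches:` and the `1.0.3` values (here and in `cos-csi-mounter/Makefile`) before merging, or move test builds to a separate workflow with a `workflow_dispatch` trigger. `IS_LATEST_RELEASE: 'false'` does mark the build as a prerelease, but the archives and their `.sha256` files are presumably still downloadable from the releases page.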
@@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-01T06:07:00Z", + "generated_at": "2025-09-02T07:03:59Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -199,7 +199,7 @@ { "hashed_secret": "2e7a7ee14caebf378fc32d6cf6f557f347c96773", "is_verified": false, - "line_number": 78, + "line_number": 79, "type": "Secret Keyword", "verified_result": null } @@ -218,7 +218,7 @@ { "hashed_secret": "2e7a7ee14caebf378fc32d6cf6f557f347c96773", "is_verified": false, - "line_number": 20, + "line_number": 21, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 5dca6b6a..694bd140 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -48,6 +48,8 @@ const ( IsNodeServer = "IS_NODE_SERVER" KubeNodeName = "KUBE_NODE_NAME" MaxVolumesPerNodeEnv = "MAX_VOLUMES_PER_NODE" + + CipherSuitesMO = "cipher_suites" ) var ( diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go index a787bb76..aa85ec7c 100644 --- a/pkg/driver/nodeserver.go +++ b/pkg/driver/nodeserver.go @@ -146,8 +146,8 @@ func (ns *nodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV secretMap["iamEndpoint"] = ns.iamEndpoint } - if len(secretMap["cipher_suites"]) == 0 { - secretMap["cipher_suites"] = ns.CipherSuites + if len(secretMap[constants.CipherSuitesMO]) == 0 { + secretMap[constants.CipherSuitesMO] = ns.CipherSuites } // If bucket name wasn't provided by user, we use temp bucket created for volume. diff --git a/pkg/mounter/mounter-rclone.go b/pkg/mounter/mounter-rclone.go index 289fb248..f811dcf7 100644 --- a/pkg/mounter/mounter-rclone.go +++ b/pkg/mounter/mounter-rclone.go 
@@ -137,9 +137,9 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin } } - val, check := secretMap["cipher_suites"] + val, check := secretMap[constants.CipherSuitesMO] if check { - mountOptsMap["cipher_suites"] = val + mountOptsMap[constants.CipherSuitesMO] = val } stringData, ok := secretMap["mountOptions"] diff --git a/pkg/mounter/mounter-rclone_test.go b/pkg/mounter/mounter-rclone_test.go index 51978b6e..43279463 100644 --- a/pkg/mounter/mounter-rclone_test.go +++ b/pkg/mounter/mounter-rclone_test.go @@ -5,23 +5,24 @@ import ( "os" "testing" + "github.com/IBM/ibm-object-csi-driver/pkg/constants" mounterUtils "github.com/IBM/ibm-object-csi-driver/pkg/mounter/utils" "github.com/stretchr/testify/assert" ) var ( secretMapRClone = map[string]string{ - "cosEndpoint": "test-endpoint", - "locationConstraint": "test-loc-constraint", - "bucketName": "test-bucket-name", - "objPath": "test-obj-path", - "accessKey": "test-access-key", - "secretKey": "test-secret-key", - "apiKey": "test-api-key", - "kpRootKeyCRN": "test-kp-root-key-crn", - "gid": "fake-gid", - "uid": "fake-uid", - "cipher_suites": "default", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-loc-constraint", + "bucketName": "test-bucket-name", + "objPath": "test-obj-path", + "accessKey": "test-access-key", + "secretKey": "test-secret-key", + "apiKey": "test-api-key", + "kpRootKeyCRN": "test-kp-root-key-crn", + "gid": "fake-gid", + "uid": "fake-uid", + constants.CipherSuitesMO: "default", } mountOptionsRClone = []string{"opt1=val1", "opt2=val2"} diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index a0b5c4c7..07decbd1 100644 --- a/pkg/mounter/mounter-s3fs.go +++ b/pkg/mounter/mounter-s3fs.go 
@@ -242,9 +242,9 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string mountOptsMap["uid"] = secretMap["uid"] } - val, check := secretMap["cipher_suites"] + val, check := secretMap[constants.CipherSuitesMO] if check { - mountOptsMap["cipher_suites"] = val + mountOptsMap[constants.CipherSuitesMO] = val } stringData, ok := secretMap["mountOptions"] @@ -279,7 +279,7 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string option = val } - if newVal, check := secretMap[key]; check { + if newVal, check := secretMap[key]; check && key != constants.CipherSuitesMO { if isKeyValuePair { option = fmt.Sprintf("%s=%s", key, newVal) } else { diff --git a/pkg/mounter/mounter-s3fs_test.go b/pkg/mounter/mounter-s3fs_test.go index fca642dc..d2803adf 100644 --- a/pkg/mounter/mounter-s3fs_test.go +++ b/pkg/mounter/mounter-s3fs_test.go @@ -5,22 +5,23 @@ import ( "os" "testing" + "github.com/IBM/ibm-object-csi-driver/pkg/constants" mounterUtils "github.com/IBM/ibm-object-csi-driver/pkg/mounter/utils" "github.com/stretchr/testify/assert" ) var ( secretMap = map[string]string{ - "cosEndpoint": "test-endpoint", - "locationConstraint": "test-loc-constraint", - "bucketName": "test-bucket-name", - "objPath": "test-obj-path", - "accessKey": "test-access-key", - "secretKey": "test-secret-key", - "apiKey": "test-api-key", - "kpRootKeyCRN": "test-kp-root-key-crn", - "uid": "test-uid", - "cipher_suites": "default", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-loc-constraint", + "bucketName": "test-bucket-name", + "objPath": "test-obj-path", + "accessKey": "test-access-key", + "secretKey": "test-secret-key", + "apiKey": "test-api-key", + "kpRootKeyCRN": "test-kp-root-key-crn", + "uid": "test-uid", + constants.CipherSuitesMO: "default", } mountOptions = []string{"opt1=val1", "opt2=val2", "opt3"} From 6df7f69c7825d2145501658e585911e53027d810 Mon Sep 17 00:00:00 2001 
From: Ashima-Ashima1 Date: Tue, 2 Sep 2025 12:34:44 +0530 Subject: [PATCH 08/18] publish v0.9.6 Signed-off-by: Ashima-Ashima1 --- .github/workflows/release.yml | 6 +++--- cos-csi-mounter/Makefile | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7279ccaf..c8bc9033 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,7 +17,7 @@ jobs: env: IS_LATEST_RELEASE: 'false' - APP_VERSION: 0.9.2 + APP_VERSION: 0.9.6 steps: - name: Checkout Code @@ -63,8 +63,8 @@ jobs: /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.deb.tar.gz.sha256 /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz.sha256 - tag_name: v0.9.2 - name: v0.9.2 + tag_name: v0.9.6 + name: v0.9.6 ## body: prerelease: ${{ env.IS_LATEST_RELEASE != 'true' }} diff --git a/cos-csi-mounter/Makefile b/cos-csi-mounter/Makefile index 9f9b8506..1d7499fe 100644 --- a/cos-csi-mounter/Makefile +++ b/cos-csi-mounter/Makefile @@ -1,5 +1,5 @@ NAME := cos-csi-mounter -APP_VERSION := 0.9.2 +APP_VERSION := 0.9.6 BUILD_DIR := $(NAME)-$(APP_VERSION) BIN_DIR := bin From d4d577bc69237e6319f431800b017d70763b4ca5 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Tue, 2 Sep 2025 16:28:58 +0530 Subject: [PATCH 09/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .github/workflows/release.yml | 10 +++++----- .secrets.baseline | 6 +++--- cos-csi-mounter/Makefile | 2 +- pkg/mounter/mounter-rclone.go | 5 ----- pkg/mounter/mounter-rclone_test.go | 22 ++++++++++------------ 5 files changed, 19 insertions(+), 26 deletions(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c8bc9033..07d20cd9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,7 +3,7 @@ name: Release on: push: branches: - - ciphersuites + - main jobs: release: @@ -16,8 +16,8 @@ jobs: - cos-csi-mounter env: - IS_LATEST_RELEASE: 'false' - APP_VERSION: 0.9.6 + IS_LATEST_RELEASE: 'true' + APP_VERSION: 1.0.3 steps: - name: Checkout Code @@ -63,8 +63,8 @@ jobs: /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.deb.tar.gz.sha256 /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz /home/runner/work/ibm-object-csi-driver/ibm-object-csi-driver/cos-csi-mounter/cos-csi-mounter-${{ env.APP_VERSION }}.rpm.tar.gz.sha256 - tag_name: v0.9.6 - name: v0.9.6 + tag_name: v1.0.3 + name: v1.0.3 ## body: prerelease: ${{ env.IS_LATEST_RELEASE != 'true' }} diff --git a/.secrets.baseline b/.secrets.baseline index cc45eb24..fd939c45 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-02T07:03:59Z", + "generated_at": "2025-09-02T10:58:50Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -190,7 +190,7 @@ "hashed_secret": "2ace62c1befa19e3ea37dd52be9f6d508c5163e6", "is_secret": false, "is_verified": false, - "line_number": 268, + "line_number": 263, "type": "Secret Keyword", "verified_result": null } @@ -199,7 +199,7 @@ { "hashed_secret": "2e7a7ee14caebf378fc32d6cf6f557f347c96773", "is_verified": false, - "line_number": 79, + "line_number": 77, "type": "Secret Keyword", "verified_result": null } diff --git a/cos-csi-mounter/Makefile b/cos-csi-mounter/Makefile index 1d7499fe..d5490a7c 100644 --- a/cos-csi-mounter/Makefile +++ b/cos-csi-mounter/Makefile 
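Review bot: With the trigger moved from `ciphersuites` to `main` in the first release.yml hunk, while `APP_VERSION: 1.0.3` and `tag_name: v1.0.3` stay hard-coded in the next two, every push to main runs the release job against the same tag. The release step itself is not visible in these hunks, so this is inferred: depending on how it treats an existing release, later pushes either fail or replace the published .deb/.rpm archives and their .sha256 files, and consumers cannot treat v1.0.3 as immutable. Consider triggering on a tag push and deriving the version from it, e.g. `on: push: tags: ['v*']` with `tag_name: ${{ github.ref_name }}`. This trigger and version change also sits in a commit titled for cipher suites, which makes it easy to miss in review.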
@@ -1,5 +1,5 @@ NAME := cos-csi-mounter -APP_VERSION := 0.9.6 +APP_VERSION := 1.0.3 BUILD_DIR := $(NAME)-$(APP_VERSION) BIN_DIR := bin diff --git a/pkg/mounter/mounter-rclone.go b/pkg/mounter/mounter-rclone.go index f811dcf7..3d560853 100644 --- a/pkg/mounter/mounter-rclone.go +++ b/pkg/mounter/mounter-rclone.go @@ -137,11 +137,6 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin } } - val, check := secretMap[constants.CipherSuitesMO] - if check { - mountOptsMap[constants.CipherSuitesMO] = val - } - stringData, ok := secretMap["mountOptions"] if !ok { klog.Infof("No new mountOptions found. Using default mountOptions: %v", dafaultMountOptions) diff --git a/pkg/mounter/mounter-rclone_test.go b/pkg/mounter/mounter-rclone_test.go index 43279463..839ec5d5 100644 --- a/pkg/mounter/mounter-rclone_test.go +++ b/pkg/mounter/mounter-rclone_test.go @@ -5,24 +5,22 @@ import ( "os" "testing" - "github.com/IBM/ibm-object-csi-driver/pkg/constants" mounterUtils "github.com/IBM/ibm-object-csi-driver/pkg/mounter/utils" "github.com/stretchr/testify/assert" ) var ( secretMapRClone = map[string]string{ - "cosEndpoint": "test-endpoint", - "locationConstraint": "test-loc-constraint", - "bucketName": "test-bucket-name", - "objPath": "test-obj-path", - "accessKey": "test-access-key", - "secretKey": "test-secret-key", - "apiKey": "test-api-key", - "kpRootKeyCRN": "test-kp-root-key-crn", - "gid": "fake-gid", - "uid": "fake-uid", - constants.CipherSuitesMO: "default", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-loc-constraint", + "bucketName": "test-bucket-name", + "objPath": "test-obj-path", + "accessKey": "test-access-key", + "secretKey": "test-secret-key", + "apiKey": "test-api-key", + "kpRootKeyCRN": "test-kp-root-key-crn", + "gid": "fake-gid", + "uid": "fake-uid", } mountOptionsRClone = []string{"opt1=val1", "opt2=val2"} From a62cffaba1c4c5f10fdb38bea237b1c76821d8b9 Mon Sep 17 00:00:00 2001 
From: Ashima-Ashima1 Date: Tue, 2 Sep 2025 16:31:18 +0530 Subject: [PATCH 10/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 ++-- pkg/mounter/mounter-rclone.go | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index fd939c45..1fc01d21 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-02T10:58:50Z", + "generated_at": "2025-09-02T11:00:45Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -190,7 +190,7 @@ "hashed_secret": "2ace62c1befa19e3ea37dd52be9f6d508c5163e6", "is_secret": false, "is_verified": false, - "line_number": 263, + "line_number": 264, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/mounter/mounter-rclone.go b/pkg/mounter/mounter-rclone.go index 3d560853..91ad2c01 100644 --- a/pkg/mounter/mounter-rclone.go +++ b/pkg/mounter/mounter-rclone.go @@ -138,6 +138,7 @@ func updateMountOptions(dafaultMountOptions []string, secretMap map[string]strin } stringData, ok := secretMap["mountOptions"] + if !ok { klog.Infof("No new mountOptions found. Using default mountOptions: %v", dafaultMountOptions) return dafaultMountOptions From 21a139b7afdd59f15fb831a671fe3195b8fecd70 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 11:11:34 +0530 Subject: [PATCH 11/18] renaming Signed-off-by: Ashima-Ashima1 --- pkg/constants/constants.go | 2 +- pkg/driver/nodeserver.go | 6 +++--- pkg/driver/s3-driver.go | 2 +- pkg/mounter/mounter-s3fs.go | 6 +++--- pkg/mounter/mounter-s3fs_test.go | 20 ++++++++++---------- pkg/utils/driver_utils.go | 6 +++--- 6 files changed, 21 insertions(+), 21 deletions(-) diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index 694bd140..6dcd751e 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go 
@@ -49,7 +49,7 @@ const ( KubeNodeName = "KUBE_NODE_NAME" MaxVolumesPerNodeEnv = "MAX_VOLUMES_PER_NODE" - CipherSuitesMO = "cipher_suites" + CipherSuitesKey = "cipher_suites" ) var ( diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go index aa85ec7c..15761e4e 100644 --- a/pkg/driver/nodeserver.go +++ b/pkg/driver/nodeserver.go @@ -39,7 +39,7 @@ type NodeServerConfig struct { Region string Zone string NodeID string - CipherSuites string + TLSCipherSuite string } func (ns *nodeServer) NodeStageVolume(_ context.Context, req *csi.NodeStageVolumeRequest) (*csi.NodeStageVolumeResponse, error) { @@ -146,8 +146,8 @@ func (ns *nodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV secretMap["iamEndpoint"] = ns.iamEndpoint } - if len(secretMap[constants.CipherSuitesMO]) == 0 { - secretMap[constants.CipherSuitesMO] = ns.CipherSuites + if len(secretMap[constants.CipherSuitesKey]) == 0 { + secretMap[constants.CipherSuitesKey] = ns.TLSCipherSuite } // If bucket name wasn't provided by user, we use temp bucket created for volume. diff --git a/pkg/driver/s3-driver.go b/pkg/driver/s3-driver.go index 2c28fb0d..e4fe38ea 100644 --- a/pkg/driver/s3-driver.go +++ b/pkg/driver/s3-driver.go @@ -161,7 +161,7 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo S3Driver: d, Stats: statsUtil, NodeServerConfig: NodeServerConfig{MaxVolumesPerNode: maxVolumesPerNode, Region: data.Region, Zone: data.Zone, - NodeID: nodeID, CipherSuites: data.CipherSuites}, + NodeID: nodeID, TLSCipherSuite: data.CipherSuites}, Mounter: mountObj, MounterUtils: mounterUtil, }, nil diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index 07decbd1..9ddaf1bc 100644 --- a/pkg/mounter/mounter-s3fs.go +++ b/pkg/mounter/mounter-s3fs.go 
@@ -242,9 +242,9 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string mountOptsMap["uid"] = secretMap["uid"] } - val, check := secretMap[constants.CipherSuitesMO] + val, check := secretMap[constants.CipherSuitesKey] if check { - mountOptsMap[constants.CipherSuitesMO] = val + mountOptsMap[constants.CipherSuitesKey] = val } stringData, ok := secretMap["mountOptions"] @@ -279,7 +279,7 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string option = val } - if newVal, check := secretMap[key]; check && key != constants.CipherSuitesMO { + if newVal, check := secretMap[key]; check && key != constants.CipherSuitesKey { if isKeyValuePair { option = fmt.Sprintf("%s=%s", key, newVal) } else { diff --git a/pkg/mounter/mounter-s3fs_test.go b/pkg/mounter/mounter-s3fs_test.go index d2803adf..329f98c5 100644 --- a/pkg/mounter/mounter-s3fs_test.go +++ b/pkg/mounter/mounter-s3fs_test.go @@ -12,16 +12,16 @@ import ( var ( secretMap = map[string]string{ - "cosEndpoint": "test-endpoint", - "locationConstraint": "test-loc-constraint", - "bucketName": "test-bucket-name", - "objPath": "test-obj-path", - "accessKey": "test-access-key", - "secretKey": "test-secret-key", - "apiKey": "test-api-key", - "kpRootKeyCRN": "test-kp-root-key-crn", - "uid": "test-uid", - constants.CipherSuitesMO: "default", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-loc-constraint", + "bucketName": "test-bucket-name", + "objPath": "test-obj-path", + "accessKey": "test-access-key", + "secretKey": "test-secret-key", + "apiKey": "test-api-key", + "kpRootKeyCRN": "test-kp-root-key-crn", + "uid": "test-uid", + constants.CipherSuitesKey: "default", } mountOptions = []string{"opt1=val1", "opt2=val2", "opt3"} diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index bc0378f9..74e3370d 100644 --- a/pkg/utils/driver_utils.go +++ b/pkg/utils/driver_utils.go 
@@ -41,9 +41,9 @@ type DriverStatsUtils struct { } type NodeServerData struct { - Region string - Zone string - CipherSuites string + Region string + Zone string + OS string } func (su *DriverStatsUtils) GetNodeServerData(nodeName string) (*NodeServerData, error) { From b74a87bf856d76cf4aa56f8562a337f29936d24b Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 14:38:59 +0530 Subject: [PATCH 12/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 2 +- pkg/driver/nodeserver.go | 12 ++++++------ pkg/driver/s3-driver.go | 2 +- pkg/mounter/fake_mounter.go | 2 +- pkg/mounter/mounter.go | 8 ++++++-- pkg/utils/driver_utils.go | 6 +++--- 6 files changed, 18 insertions(+), 14 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 1fc01d21..f667c510 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-02T11:00:45Z", + "generated_at": "2025-09-04T09:06:51Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/pkg/driver/nodeserver.go b/pkg/driver/nodeserver.go index 15761e4e..dd0f3003 100644 --- a/pkg/driver/nodeserver.go +++ b/pkg/driver/nodeserver.go @@ -146,10 +146,6 @@ func (ns *nodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV secretMap["iamEndpoint"] = ns.iamEndpoint } - if len(secretMap[constants.CipherSuitesKey]) == 0 { - secretMap[constants.CipherSuitesKey] = ns.TLSCipherSuite - } - // If bucket name wasn't provided by user, we use temp bucket created for volume. if secretMap["bucketName"] == "" { tempBucketName, err := ns.Stats.GetBucketNameFromPV(volumeID) 
@@ -166,7 +162,11 @@ func (ns *nodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV secretMap["bucketName"] = tempBucketName } - mounterObj := ns.Mounter.NewMounter(attrib, secretMap, mountFlags) + var defaultParamsMap = map[string]string{ + constants.CipherSuitesKey: ns.TLSCipherSuite, + } + + mounterObj := ns.Mounter.NewMounter(attrib, secretMap, mountFlags, defaultParamsMap) klog.Info("-NodePublishVolume-: Mount") if err = mounterObj.Mount("", targetPath); err != nil { @@ -197,7 +197,7 @@ func (ns *nodeServer) NodeUnpublishVolume(_ context.Context, req *csi.NodeUnpubl return nil, status.Error(codes.NotFound, "Failed to get PV details") } - mounterObj := ns.Mounter.NewMounter(attrib, nil, nil) + mounterObj := ns.Mounter.NewMounter(attrib, nil, nil, nil) klog.Info("-NodeUnpublishVolume-: Unmount") if err = mounterObj.Unmount(targetPath); err != nil { diff --git a/pkg/driver/s3-driver.go b/pkg/driver/s3-driver.go index e4fe38ea..f5db81ef 100644 --- a/pkg/driver/s3-driver.go +++ b/pkg/driver/s3-driver.go @@ -161,7 +161,7 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo S3Driver: d, Stats: statsUtil, NodeServerConfig: NodeServerConfig{MaxVolumesPerNode: maxVolumesPerNode, Region: data.Region, Zone: data.Zone, - NodeID: nodeID, TLSCipherSuite: data.CipherSuites}, + NodeID: nodeID, TLSCipherSuite: data.OS}, Mounter: mountObj, MounterUtils: mounterUtil, }, nil diff --git a/pkg/mounter/fake_mounter.go b/pkg/mounter/fake_mounter.go index 506f96a1..003bbcb9 100644 --- a/pkg/mounter/fake_mounter.go +++ b/pkg/mounter/fake_mounter.go 
@@ -17,7 +17,7 @@ type FakeMounterFactory struct { IsFailedUnmount bool } -func (f *FakeMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string) Mounter { +func (f *FakeMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string, defaultParams map[string]string) Mounter { switch f.Mounter { case constants.S3FS: return fakenewS3fsMounter(f.IsFailedMount, f.IsFailedUnmount) diff --git a/pkg/mounter/mounter.go b/pkg/mounter/mounter.go index f3e4e7f2..3d7d5bce 100644 --- a/pkg/mounter/mounter.go +++ b/pkg/mounter/mounter.go @@ -30,6 +30,10 @@ var ( RemoveAll = os.RemoveAll ) +// type struct{ +// TLSCipherSuite string +// } + type Mounter interface { Mount(source string, target string) error Unmount(target string) error @@ -38,14 +42,14 @@ type Mounter interface { type CSIMounterFactory struct{} type NewMounterFactory interface { - NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string) Mounter + NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string, defaultMOMap map[string]string) Mounter } func NewCSIMounterFactory() *CSIMounterFactory { return &CSIMounterFactory{} } -func (s *CSIMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string) Mounter { +func (s *CSIMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string, defaultMOMap map[string]string) Mounter { klog.Info("-NewMounter-") var mounter, val string var check bool diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index 74e3370d..96233e93 100644 --- a/pkg/utils/driver_utils.go +++ b/pkg/utils/driver_utils.go 
@@ -68,9 +68,9 @@ func (su *DriverStatsUtils) GetNodeServerData(nodeName string) (*NodeServerData, } data := &NodeServerData{ - Region: region, - Zone: zone, - CipherSuites: ciphersuite, + Region: region, + Zone: zone, + OS: ciphersuite, } return data, nil From 4598a109f235bffc2a45e96dd728bceca603ff77 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 14:48:23 +0530 Subject: [PATCH 13/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- pkg/driver/s3-driver.go | 2 +- pkg/driver/s3-driver_test.go | 22 +++++++++++----------- pkg/mounter/mounter.go | 4 ---- pkg/utils/driver_utils.go | 8 ++++---- pkg/utils/fake_driver_utils.go | 8 ++++---- tests/sanity/sanity_test.go | 4 ++-- 6 files changed, 22 insertions(+), 26 deletions(-) diff --git a/pkg/driver/s3-driver.go b/pkg/driver/s3-driver.go index f5db81ef..f7ec6e39 100644 --- a/pkg/driver/s3-driver.go +++ b/pkg/driver/s3-driver.go @@ -140,7 +140,7 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo return nil, fmt.Errorf("KUBE_NODE_NAME env variable not set") } - data, err := statsUtil.GetNodeServerData(nodeName) + data, err := statsUtil.GetClusterNodeData(nodeName) if err != nil { return nil, err } diff --git a/pkg/driver/s3-driver_test.go b/pkg/driver/s3-driver_test.go index 4bcfee28..b35bd2e8 100644 --- a/pkg/driver/s3-driver_test.go +++ b/pkg/driver/s3-driver_test.go @@ -119,8 +119,8 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "10", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{ + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, }, nil 
@@ -154,7 +154,7 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { return nil, errors.New("unable to load in-cluster configuration") }, }), @@ -170,8 +170,8 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "invalid", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{ + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, }, nil @@ -189,8 +189,8 @@ func TestNewNodeServer(t *testing.T) { constants.MaxVolumesPerNodeEnv: "", }, statsUtils: utils.NewFakeStatsUtilsImpl(utils.FakeStatsUtilsFuncStruct{ - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{ + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, }, nil @@ -283,8 +283,8 @@ func TestNewS3CosDriver(t *testing.T) { GetEndpointsFn: func() (string, string, error) { return constants.PublicIAMEndpoint, "", nil }, - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{ + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, }, nil 
@@ -305,8 +305,8 @@ func TestNewS3CosDriver(t *testing.T) { GetEndpointsFn: func() (string, string, error) { return constants.PublicIAMEndpoint, "", nil }, - GetNodeServerDataFn: func(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{ + GetClusterNodeDataFn: func(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, }, nil diff --git a/pkg/mounter/mounter.go b/pkg/mounter/mounter.go index 3d7d5bce..135c386c 100644 --- a/pkg/mounter/mounter.go +++ b/pkg/mounter/mounter.go @@ -30,10 +30,6 @@ var ( RemoveAll = os.RemoveAll ) -// type struct{ -// TLSCipherSuite string -// } - type Mounter interface { Mount(source string, target string) error Unmount(target string) error diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index 96233e93..5b9c3bfb 100644 --- a/pkg/utils/driver_utils.go +++ b/pkg/utils/driver_utils.go @@ -29,7 +29,7 @@ type StatsUtils interface { GetTotalCapacityFromPV(volumeID string) (resource.Quantity, error) GetBucketUsage(volumeID string) (int64, error) GetBucketNameFromPV(volumeID string) (string, error) - GetNodeServerData(nodeName string) (*NodeServerData, error) + GetClusterNodeData(nodeName string) (*ClusterNodeData, error) GetEndpoints() (string, string, error) GetPVAttributes(volumeID string) (map[string]string, error) GetPVC(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) @@ -40,13 +40,13 @@ type StatsUtils interface { type DriverStatsUtils struct { } -type NodeServerData struct { +type ClusterNodeData struct { Region string Zone string OS string } -func (su *DriverStatsUtils) GetNodeServerData(nodeName string) (*NodeServerData, error) { +func (su *DriverStatsUtils) GetClusterNodeData(nodeName string) (*ClusterNodeData, error) { node, err := getNodeByName(nodeName) if err != nil { return nil, err 
@@ -67,7 +67,7 @@ func (su *DriverStatsUtils) GetNodeServerData(nodeName string) (*NodeServerData, ciphersuite = "AESGCM" } - data := &NodeServerData{ + data := &ClusterNodeData{ Region: region, Zone: zone, OS: ciphersuite, diff --git a/pkg/utils/fake_driver_utils.go b/pkg/utils/fake_driver_utils.go index 41d344d4..856cca57 100644 --- a/pkg/utils/fake_driver_utils.go +++ b/pkg/utils/fake_driver_utils.go @@ -12,7 +12,7 @@ type FakeStatsUtilsFuncStruct struct { GetTotalCapacityFromPVFn func(volumeID string) (resource.Quantity, error) GetBucketUsageFn func(volumeID string) (int64, error) GetBucketNameFromPVFn func(volumeID string) (string, error) - GetNodeServerDataFn func(nodeName string) (*NodeServerData, error) + GetClusterNodeDataFn func(nodeName string) (*ClusterNodeData, error) GetEndpointsFn func() (string, string, error) GetPVAttributesFn func(volumeID string) (map[string]string, error) GetPVCFn func(pvcName, pvcNamespace string) (*v1.PersistentVolumeClaim, error) @@ -74,9 +74,9 @@ func (m *FakeStatsUtilsFuncStructImpl) GetBucketNameFromPV(volumeID string) (str panic("requested method should not be nil") } -func (m *FakeStatsUtilsFuncStructImpl) GetNodeServerData(nodeName string) (*NodeServerData, error) { - if m.FuncStruct.GetNodeServerDataFn != nil { - return m.FuncStruct.GetNodeServerDataFn(nodeName) +func (m *FakeStatsUtilsFuncStructImpl) GetClusterNodeData(nodeName string) (*ClusterNodeData, error) { + if m.FuncStruct.GetClusterNodeDataFn != nil { + return m.FuncStruct.GetClusterNodeDataFn(nodeName) } panic("requested method should not be nil") } diff --git a/tests/sanity/sanity_test.go b/tests/sanity/sanity_test.go index b0cc2620..c59ec601 100644 --- a/tests/sanity/sanity_test.go +++ b/tests/sanity/sanity_test.go 
@@ -257,8 +257,8 @@ func (su *FakeNewDriverStatsUtils) GetBucketNameFromPV(volumeID string) (string, return "", nil } -func (su *FakeNewDriverStatsUtils) GetNodeServerData(nodeName string) (*utils.NodeServerData, error) { - return &utils.NodeServerData{}, nil +func (su *FakeNewDriverStatsUtils) GetClusterNodeData(nodeName string) (*utils.ClusterNodeData, error) { + return &utils.ClusterNodeData{}, nil } func (su *FakeNewDriverStatsUtils) GetEndpoints() (string, string, error) { From 7ecbf1457fd4284fa18c3e4c66c75d333c94e3ff Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 14:51:46 +0530 Subject: [PATCH 14/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- pkg/driver/s3-driver.go | 8 +++++++- pkg/mounter/mounter_test.go | 2 +- tests/sanity/sanity_test.go | 2 +- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/pkg/driver/s3-driver.go b/pkg/driver/s3-driver.go index f7ec6e39..d5b1362f 100644 --- a/pkg/driver/s3-driver.go +++ b/pkg/driver/s3-driver.go @@ -14,6 +14,7 @@ import ( "fmt" "os" "strconv" + "strings" "github.com/IBM/ibm-csi-common/pkg/utils" "github.com/IBM/ibm-object-csi-driver/pkg/constants" @@ -157,11 +158,16 @@ func newNodeServer(d *S3Driver, statsUtil pkgUtils.StatsUtils, nodeID string, mo maxVolumesPerNode = int64(constants.DefaultVolumesPerNode) } + ciphersuite := "default" + if strings.Contains(strings.ToLower(data.OS), "ubuntu") { + ciphersuite = "AESGCM" + } + return &nodeServer{ S3Driver: d, Stats: statsUtil, NodeServerConfig: NodeServerConfig{MaxVolumesPerNode: maxVolumesPerNode, Region: data.Region, Zone: data.Zone, - NodeID: nodeID, TLSCipherSuite: data.OS}, + NodeID: nodeID, TLSCipherSuite: ciphersuite}, Mounter: mountObj, MounterUtils: mounterUtil, }, nil diff --git a/pkg/mounter/mounter_test.go b/pkg/mounter/mounter_test.go index 7ca6b28c..ccf6aad6 100644 --- a/pkg/mounter/mounter_test.go +++ b/pkg/mounter/mounter_test.go 
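Review bot: The cipher-suite choice added to newNodeServer (second s3-driver.go hunk of PATCH 14) is undocumented and built from bare literals. A TLS setting is picked by a case-insensitive substring match of the node's free-form OS image string against `"ubuntu"`, so any image name containing that substring gets `"AESGCM"` and every other distribution silently gets `"default"`. Move the three literals into pkg/constants next to `CipherSuitesKey`, and add a comment above the block that states the rule and the reason for it, starting from `// Ubuntu node images get "AESGCM"; every other image gets "default".`. Recording the selected value once at start-up would also let an operator confirm which suite a node mounts with. newNodeServer starts and ends outside this hunk.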
@@ -107,7 +107,7 @@ func TestNewMounter(t *testing.T) { t.Run(test.name, func(t *testing.T) { factory := &CSIMounterFactory{} - result := factory.NewMounter(test.attrib, test.secretMap, test.mountOptions) + result := factory.NewMounter(test.attrib, test.secretMap, test.mountOptions, nil) assert.Equal(t, result, test.expected) diff --git a/tests/sanity/sanity_test.go b/tests/sanity/sanity_test.go index c59ec601..1c185e8f 100644 --- a/tests/sanity/sanity_test.go +++ b/tests/sanity/sanity_test.go @@ -180,7 +180,7 @@ func FakeNewS3fsMounterFactory() *FakeS3fsMounterFactory { type Fakes3fsMounter struct{} -func (s *FakeS3fsMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string) mounter.Mounter { +func (s *FakeS3fsMounterFactory) NewMounter(attrib map[string]string, secretMap map[string]string, mountFlags []string, defaultMOMap map[string]string) mounter.Mounter { klog.Info("-New S3FS Fake Mounter-") return &Fakes3fsMounter{} } From a4eb94fb2c06f13b627fafa26239833224fb9ca3 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 14:52:15 +0530 Subject: [PATCH 15/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- .secrets.baseline | 4 ++-- pkg/utils/driver_utils.go | 8 +------- 2 files changed, 3 insertions(+), 9 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index f667c510..917ace58 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "go.sum|^.secrets.baseline$", "lines": null }, - "generated_at": "2025-09-04T09:06:51Z", + "generated_at": "2025-09-04T09:22:05Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -270,7 +270,7 @@ { "hashed_secret": "c7c6508b19455e3e8040e60e9833fbede92e5d8e", "is_verified": false, - "line_number": 382, + "line_number": 376, "type": "Secret Keyword", "verified_result": null } diff --git a/pkg/utils/driver_utils.go b/pkg/utils/driver_utils.go index 5b9c3bfb..60d209e0 100644 --- a/pkg/utils/driver_utils.go 
+++ b/pkg/utils/driver_utils.go @@ -61,16 +61,10 @@ func (su *DriverStatsUtils) GetClusterNodeData(nodeName string) (*ClusterNodeDat return nil, errorMsg } - ciphersuite := "default" - osImage := node.Status.NodeInfo.OSImage - if strings.Contains(strings.ToLower(osImage), "ubuntu") { - ciphersuite = "AESGCM" - } - data := &ClusterNodeData{ Region: region, Zone: zone, - OS: ciphersuite, + OS: node.Status.NodeInfo.OSImage, } return data, nil From 9119859062014d5cde557cad2e3ecfd8299b3542 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 14:57:14 +0530 Subject: [PATCH 16/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- pkg/mounter/mounter-s3fs.go | 17 +++++++++-------- pkg/mounter/mounter-s3fs_test.go | 4 ++-- pkg/mounter/mounter.go | 4 ++-- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index 9ddaf1bc..ae32d34c 100644 --- a/pkg/mounter/mounter-s3fs.go +++ b/pkg/mounter/mounter-s3fs.go @@ -50,7 +50,7 @@ var ( removeFile = removeS3FSCredFile ) -func NewS3fsMounter(secretMap map[string]string, mountOptions []string, mounterUtils utils.MounterUtils) Mounter { +func NewS3fsMounter(secretMap map[string]string, mountOptions []string, mounterUtils utils.MounterUtils, defaultParams map[string]string) Mounter { klog.Info("-newS3fsMounter-") var ( @@ -103,7 +103,7 @@ func NewS3fsMounter(secretMap map[string]string, mountOptions []string, mounterU klog.Infof("newS3fsMounter args:\n\tbucketName: [%s]\n\tobjPath: [%s]\n\tendPoint: [%s]\n\tlocationConstraint: [%s]\n\tauthType: [%s]\n\tkpRootKeyCrn: [%s]", mounter.BucketName, mounter.ObjPath, mounter.EndPoint, mounter.LocConstraint, mounter.AuthType, mounter.KpRootKeyCrn) - updatedOptions := updateS3FSMountOptions(mountOptions, secretMap) + updatedOptions := updateS3FSMountOptions(mountOptions, secretMap, defaultParams) mounter.MountOptions = updatedOptions mounter.MounterUtils = mounterUtils 
@@ -208,7 +208,7 @@ func (s3fs *S3fsMounter) Unmount(target string) error { return nil } -func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string) []string { +func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string, defaultParams map[string]string) []string { mountOptsMap := make(map[string]string) // Create map out of array @@ -242,11 +242,6 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string mountOptsMap["uid"] = secretMap["uid"] } - val, check := secretMap[constants.CipherSuitesKey] - if check { - mountOptsMap[constants.CipherSuitesKey] = val - } - stringData, ok := secretMap["mountOptions"] if !ok { klog.Infof("No new mountOptions found. Using default mountOptions: %v", mountOptsMap) @@ -290,6 +285,12 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string updatedOptions = append(updatedOptions, option) } + // Mount options which are not present in secret mountOptions and need to be set by nodeserver + if _, ok := mountOptsMap[constants.CipherSuitesKey]; !ok { + option := fmt.Sprintf("%s=%s", constants.CipherSuitesKey, defaultParams[constants.CipherSuitesKey]) + updatedOptions = append(updatedOptions, option) + } + klog.Infof("updated S3fsMounter Options: %v", updatedOptions) return updatedOptions } diff --git a/pkg/mounter/mounter-s3fs_test.go b/pkg/mounter/mounter-s3fs_test.go index 329f98c5..a6ae10d5 100644 --- a/pkg/mounter/mounter-s3fs_test.go +++ b/pkg/mounter/mounter-s3fs_test.go @@ -28,7 +28,7 @@ var ( ) func TestNewS3fsMounter_Success(t *testing.T) { - mounter := NewS3fsMounter(secretMap, mountOptions, mounterUtils.NewFakeMounterUtilsImpl(mounterUtils.FakeMounterUtilsFuncStruct{})) + mounter := NewS3fsMounter(secretMap, mountOptions, mounterUtils.NewFakeMounterUtilsImpl(mounterUtils.FakeMounterUtilsFuncStruct{}), map[string]string{constants.CipherSuitesKey: "default"}) s3fsMounter, ok := mounter.(*S3fsMounter) assert.True(t, ok) 
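Review bot: The fallback added at the end of updateS3FSMountOptions (third mounter-s3fs.go hunk) appends `cipher_suites=` with an empty value whenever defaultParams is nil or lacks the key, because indexing a nil map yields the empty string. This series passes nil from NodeUnpublishVolume and from TestNewS3fsMounter_Success_Hmac. Guard on the value as well, `if _, ok := mountOptsMap[constants.CipherSuitesKey]; !ok && defaultParams[constants.CipherSuitesKey] != "" {`, so a missing default never becomes a malformed TLS option on the mount command. The `if !ok` branch after `secretMap["mountOptions"]` in the previous hunk appears to return before this code is reached (its return statement is outside the hunk), so the node default is presumably not applied when the secret carries no mountOptions; please confirm. The function body starts and continues outside these hunks.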
@@ -57,7 +57,7 @@ func TestNewS3fsMounter_Success_Hmac(t *testing.T) { mountOptions := []string{"opt1=val1", "opt2=val2", " ", "opt3"} - mounter := NewS3fsMounter(secretMap, mountOptions, mounterUtils.NewFakeMounterUtilsImpl(mounterUtils.FakeMounterUtilsFuncStruct{})) + mounter := NewS3fsMounter(secretMap, mountOptions, mounterUtils.NewFakeMounterUtilsImpl(mounterUtils.FakeMounterUtilsFuncStruct{}), nil) s3fsMounter, ok := mounter.(*S3fsMounter) assert.True(t, ok) diff --git a/pkg/mounter/mounter.go b/pkg/mounter/mounter.go index 135c386c..533e9eae 100644 --- a/pkg/mounter/mounter.go +++ b/pkg/mounter/mounter.go @@ -71,12 +71,12 @@ func (s *CSIMounterFactory) NewMounter(attrib map[string]string, secretMap map[s switch mounter { case constants.S3FS: - return NewS3fsMounter(secretMap, mountFlags, mounterUtils) + return NewS3fsMounter(secretMap, mountFlags, mounterUtils, defaultMOMap) case constants.RClone: return NewRcloneMounter(secretMap, mountFlags, mounterUtils) default: // default to s3fs - return NewS3fsMounter(secretMap, mountFlags, mounterUtils) + return NewS3fsMounter(secretMap, mountFlags, mounterUtils, defaultMOMap) } } From 83de57fcd42129251ed6ea368a84da35e6a1edcd Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 15:24:59 +0530 Subject: [PATCH 17/18] uts Signed-off-by: Ashima-Ashima1 --- pkg/driver/s3-driver_test.go | 1 + pkg/mounter/mounter_test.go | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/pkg/driver/s3-driver_test.go b/pkg/driver/s3-driver_test.go index b35bd2e8..46ad9cea 100644 --- a/pkg/driver/s3-driver_test.go +++ b/pkg/driver/s3-driver_test.go @@ -123,6 +123,7 @@ func TestNewNodeServer(t *testing.T) { return &utils.ClusterNodeData{ Region: testRegion, Zone: testZone, + OS: "ubuntu", }, nil }, }), diff --git a/pkg/mounter/mounter_test.go b/pkg/mounter/mounter_test.go index ccf6aad6..d34f9146 100644 --- a/pkg/mounter/mounter_test.go +++ b/pkg/mounter/mounter_test.go 
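Review bot: In the `-71,12` hunk of mounter.go only the two s3fs branches receive `defaultMOMap`; `NewRcloneMounter` is still called with three arguments, so the node-level cipher-suite default from this series does not reach rclone mounts. If that is intended, say so next to the case, e.g. `// rclone does not take the node-level cipher default`. The `case constants.S3FS` and `default` bodies are also identical and had to be edited twice here; dropping the explicit case and letting `default` handle s3fs would leave one call to maintain. `defaultMOMap` is defined outside the hunk.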
@@ -31,7 +31,7 @@ func TestNewMounter(t *testing.T) { "apiKey": "test-api-key", "kpRootKeyCRN": "test-kp-root-key-crn", }, - mountOptions: []string{"opt1=val1"}, + mountOptions: []string{"opt1=val1", "cipher_suites=default"}, expected: &S3fsMounter{ BucketName: "test-bucket-name", ObjPath: "test-obj-path", @@ -40,7 +40,7 @@ func TestNewMounter(t *testing.T) { AccessKeys: ":test-api-key", AuthType: "iam", KpRootKeyCrn: "test-kp-root-key-crn", - MountOptions: []string{"opt1=val1"}, + MountOptions: []string{"opt1=val1", "cipher_suites=default"}, MounterUtils: &(mounterUtils.MounterOptsUtils{}), }, expectedErr: nil, @@ -87,7 +87,7 @@ func TestNewMounter(t *testing.T) { "secretKey": "test-secret-key", "kpRootKeyCRN": "test-kp-root-key-crn", }, - mountOptions: []string{}, + mountOptions: []string{"cipher_suites=default"}, expected: &S3fsMounter{ BucketName: "test-bucket-name", ObjPath: "test-obj-path", @@ -96,7 +96,7 @@ func TestNewMounter(t *testing.T) { AccessKeys: "test-access-key:test-secret-key", AuthType: "hmac", KpRootKeyCrn: "test-kp-root-key-crn", - MountOptions: []string{}, + MountOptions: []string{"cipher_suites=default"}, MounterUtils: &(mounterUtils.MounterOptsUtils{}), }, expectedErr: nil, From d99f8ce92bfb395bfb784e247192e7b89337ea41 Mon Sep 17 00:00:00 2001 From: Ashima-Ashima1 Date: Thu, 4 Sep 2025 19:24:44 +0530 Subject: [PATCH 18/18] set cipher suites from secrets in mount options Signed-off-by: Ashima-Ashima1 --- pkg/mounter/mounter-s3fs.go | 2 +- pkg/mounter/mounter-s3fs_test.go | 19 +++++++++---------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/pkg/mounter/mounter-s3fs.go b/pkg/mounter/mounter-s3fs.go index ae32d34c..a3e0f8e8 100644 --- a/pkg/mounter/mounter-s3fs.go +++ b/pkg/mounter/mounter-s3fs.go 
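Review bot: These table entries never exercise the new fallback. In the `-31,7`/`-40,7` case and again in `-87,7`/`-96,7`, `cipher_suites=default` is added to the input `mountOptions` as well as to the expected `MountOptions`, so the key is already present when updateS3FSMountOptions looks for it (assuming these flags feed the option map, which is outside the hunks). A case whose input omits the key and whose expected slice contains the value taken from the defaults map would cover the branch added in PATCH 16. A second case with an empty defaults map would pin the behaviour when no default is supplied. The table's driver loop is outside these hunks.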
@@ -274,7 +274,7 @@ func updateS3FSMountOptions(defaultMountOp []string, secretMap map[string]string option = val } - if newVal, check := secretMap[key]; check && key != constants.CipherSuitesKey { + if newVal, check := secretMap[key]; check { if isKeyValuePair { option = fmt.Sprintf("%s=%s", key, newVal) } else { diff --git a/pkg/mounter/mounter-s3fs_test.go b/pkg/mounter/mounter-s3fs_test.go index a6ae10d5..6af44da4 100644 --- a/pkg/mounter/mounter-s3fs_test.go +++ b/pkg/mounter/mounter-s3fs_test.go @@ -12,16 +12,15 @@ import ( var ( secretMap = map[string]string{ - "cosEndpoint": "test-endpoint", - "locationConstraint": "test-loc-constraint", - "bucketName": "test-bucket-name", - "objPath": "test-obj-path", - "accessKey": "test-access-key", - "secretKey": "test-secret-key", - "apiKey": "test-api-key", - "kpRootKeyCRN": "test-kp-root-key-crn", - "uid": "test-uid", - constants.CipherSuitesKey: "default", + "cosEndpoint": "test-endpoint", + "locationConstraint": "test-loc-constraint", + "bucketName": "test-bucket-name", + "objPath": "test-obj-path", + "accessKey": "test-access-key", + "secretKey": "test-secret-key", + "apiKey": "test-api-key", + "kpRootKeyCRN": "test-kp-root-key-crn", + "uid": "test-uid", } mountOptions = []string{"opt1=val1", "opt2=val2", "opt3"}
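Review bot: With the `key != constants.CipherSuitesKey` guard removed in the `-274,7` hunk, a cipher-suite value from the secret is formatted straight into the mount option by `fmt.Sprintf("%s=%s", key, newVal)` with no check on its content. Because this string decides which TLS suites the mount negotiates, I would validate `newVal` for that key against the set of suites the driver supports, and fall back to the node default with a log line when it does not match. The override also only fires for keys the loop visits; judging by the fallback in PATCH 16, which tests `mountOptsMap`, a cipher key present only at the top level of the secret would be replaced by the default. The loop header is outside the hunk, so that needs confirming. A comment such as `// secret values override defaults for every option, including cipher suites` would record the intent.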