feat: containerized ossfs auth enhanced

[AlbeeSo]

What type of PR is this?

/kind feature

What this PR does / why we need it:

support RRSA & csi-secret-store authType for containerized ossfs.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

additional rbac: serviceaccount/csi-fuse-ossfs get

Does this PR introduce a user-facing change?

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[huww98]

Is it possible to use OIDC in an non-ACK cluster? It is Open ID connect anyway.

[AlbeeSo]

Is it possible to use OIDC in an non-ACK cluster? It is Open ID connect anyway.

IMO, it is too customized and will bring extra params. if users have no strong demand on RRSA, why not use IBMIAM auth with ossfs mount options directly instead?

[huww98]

will bring extra params

I think we can just replace the clusterId parameter with full PROVIDER_ARN. We can still build this ARN for ACK user at installation.

[AlbeeSo]

will bring extra params

I think we can just replace the clusterId parameter with full PROVIDER_ARN. We can still build this ARN for ACK user at installation.

current version:

• get aliuid from env first, retryGetMetadata if missing
• get clusterid from env first, get cluster profile configmap if missing
• get provider name from env first, used "ack-rrsa-clusterid" if missing

[AlbeeSo]

/retest-required

[huww98]

I still would like this one to override the full ARN, and can be called "ALIBABA_CLOUD_OIDC_PROVIDER_ARN" for consistency. Can't a user potentially use a provider from others account?

And should this be a parameter in storage class? Maybe we can support multiple providers for different PV, or even different CSI drivers. Or CSI itself may gain OIDC capability in the future. Put it here can be ambiguous.

[AlbeeSo]

If role_arn or provider_arn does not conform to this fixed format, it means that the user is trying to access the OSS from other cloud vendor through RRSA. But ossfs itself does not have the ability to load external authentication libraries (for example, awscred-lib for IRSA). CSI can accept a full arn but it will still not work in ossfs.

And for multiple providers, I think supporting multiple roles is enough. @mowangdk PTAL

[huww98]

I mean the user may also want to override the account ID part of ARN. Consider that user A may want to access an OSS bucket from account B. User B then adds the ACK cluster in account A to his OIDC provider, then user A will need to specify the provider from account B.

[AlbeeSo]

sts will return error like "acs::ram::111111:oidc-provider/aaaa must be your AccountID, your AccountID is 2222"

[huww98]

I've tested that I can register ACK cluster in account A to OIDC provider in account B. Then everything else should only relate to account B. Which step (which OpenAPI) would fail?

[AlbeeSo]

could you please give a detailed test case and the AssumeRoleWithOIDC related logs of ossfs?

[huww98]

I don't know much about ossfs. But I've tried my proposed flow, it works and I got token from AssumeRoleWithOIDC.

1. Login account A, create an ACK cluster, enable RRSA, copy the provider URL
2. Create a Pod in above ACK cluster, mount this volume, and copy the token in it.

   - name: rrsa-oidc-token
     projected:
       defaultMode: 0600
       sources:
       - serviceAccountToken:
           audience: sts.aliyuncs.com
           expirationSeconds: 3600
           path: token

3. Login account B, go to https://ram.console.aliyun.com/providers/create/OIDC and register an OIDC provider with URL from step 1, copy the provider ARN
4. create a RAM role for OIDC, copy the role ARN
5. go to https://next.api.aliyun.com/api/Sts/2015-04-01/AssumeRoleWithOIDC, fill in token from step 2, and ARNs from step 3 and 4, I get RAM sts token.

These steps should naturally apply to ossfs.

[huww98]

Overvall it is OK.

Although I reserve my opinion about the RoleARN/Name. I think API should be minimal. To use only RoleARN and not RoleName as parameter:

pros:

• reduce the possibility of invalid input. simpler implementation, less surprise
• fewer things for user to understand. Especially for those who use both default and non-default provider.
• closer to our OIDC OpenAPI

cons:

• harder for users who just want to use OSS without AK. They should find and copy the ARN from the web console, instead of just typing in the role name.
• storage class yaml is a little harder to read if one don't know about role ARN.

[mowangdk]

/lgtm
/approve

[mowangdk]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: AlbeeSo, huww98, mowangdk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mowangdk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment