diff --git a/pkg/bmcpfs/controllerserver.go b/pkg/bmcpfs/controllerserver.go
index 98dbef4b4a..4b4a70b883 100644
--- a/pkg/bmcpfs/controllerserver.go
+++ b/pkg/bmcpfs/controllerserver.go
@@ -27,11 +27,12 @@ import (
 	efloclient "github.com/alibabacloud-go/eflo-controller-20221215/v2/client"
 	nasclient "github.com/alibabacloud-go/nas-20170626/v4/client"
 	"github.com/alibabacloud-go/tea/tea"
+	alicred_old "github.com/aliyun/credentials-go/credentials"
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/bmcpfs/internal"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/common"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/cloud"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/version"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -191,11 +192,11 @@ func newEfloClient(region string) (*efloclient.Client, error) {
 		},
 	})
 	// set credential
-	cred, err := utils.GetCredentialV2()
+	provider, err := credentials.NewProvider()
 	if err != nil {
-		return nil, fmt.Errorf("init credential: %w", err)
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
-	config = config.SetCredential(cred)
+	config = config.SetCredential(alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider))
 	// set endpoint
 	ep := os.Getenv("EFLO_CONTROLLER_ENDPOINT")
 	if ep != "" {
diff --git a/pkg/nas/cloud/nas_client_v1.go b/pkg/nas/cloud/nas_client_v1.go
index 7448ad524a..8fb229aa81 100644
--- a/pkg/nas/cloud/nas_client_v1.go
+++ b/pkg/nas/cloud/nas_client_v1.go
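Review bot: `config = config.SetCredential(alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider))` in newEfloClient is repeated verbatim in NewNasClientV2 (nas_client_v2.go hunk); a small helper in pkg/credentials beside the existing `V1ProviderAdaptor`, e.g. `credentials.V2Credential(provider)`, would keep the adaptor choice in one place so a later change of the credentials-go API is made once. The deleted GetCredentialV2 logged which credential source was selected, and nothing in the new code does; a line such as `klog.Infof("eflo client credentials from provider %s", provider.GetProviderName())` before SetCredential would keep that audit trail (check that klog is already imported in this file, its import is outside the hunk). Whether the new provider refreshes expiring STS tokens the way the removed managedAddonTokenCredv2 did under its mutex is not visible here and is worth confirming in pkg/credentials. The message `failed to fetch credential: %w` reads as double-prefixed once a caller wraps it again; `fetch credential: %w` follows the usual Go wrapping convention. newEfloClient's body begins and ends outside the hunk.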
@@ -9,8 +9,8 @@ import (
 	aliyunep "github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints"
 	sdkerrors "github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
 	nassdk "github.com/aliyun/alibaba-cloud-sdk-go/services/nas"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	utilshttp "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/http"
 )
 
@@ -25,14 +25,13 @@ func newNasClientV1(region string) (interfaces.NasV1Interface, error) {
 		_ = aliyunep.AddEndpointMapping(region, "Nas", ep)
 	}
 
-	ac := utils.GetAccessControl()
-	if ac.Credential == nil {
-		return nil, errors.New("failed to fetch credential")
-	}
-	config := ac.Config
-	if config == nil {
-		config = sdk.NewConfig()
+	provider, err := credentials.NewProvider()
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
+	credential := credentials.V1ProviderAdaptor(provider)
+
+	config := sdk.NewConfig()
 	scheme := "HTTPS"
 	if e := os.Getenv("ALICLOUD_CLIENT_SCHEME"); e != "" {
 		scheme = e
@@ -42,7 +41,7 @@ func newNasClientV1(region string) (interfaces.NasV1Interface, error) {
 	if len(headers) > 0 {
 		config.Transport = utilshttp.RoundTripperWithHeader(config.Transport, headers)
 	}
-	client, err := nassdk.NewClientWithOptions(region, config, ac.Credential)
+	client, err := nassdk.NewClientWithOptions(region, config, credential)
 	return client, err
 }
 
diff --git a/pkg/nas/cloud/nas_client_v2.go b/pkg/nas/cloud/nas_client_v2.go
index 7a796c5218..60ac108fe1 100644
--- a/pkg/nas/cloud/nas_client_v2.go
+++ b/pkg/nas/cloud/nas_client_v2.go
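Review bot: The hunk at -25,14 replaces the only visible `errors.New` in newNasClientV1 with `fmt.Errorf`, and the head of the import block (file lines 1–8) is outside this diff, so confirm that `fmt` is imported there and that `errors` is either still referenced elsewhere in nas_client_v1.go or removed, otherwise the file will not build. The old path could reuse a pre-built `*sdk.Config` from `ac.Config`, while the new code always starts from `sdk.NewConfig()`; that is safe only because scheme and transport are applied on the lines that follow, and a comment such as `// fresh config: scheme and transport are set below` would mark it as deliberate. newNasClientV1 begins before the hunk.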
@@ -8,8 +8,9 @@ import (
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 	sdk "github.com/alibabacloud-go/nas-20170626/v4/client"
 	"github.com/alibabacloud-go/tea/tea"
+	alicred_old "github.com/aliyun/credentials-go/credentials"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	utilshttp "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/http"
 	"go.uber.org/ratelimit"
 	"k8s.io/klog/v2"
@@ -36,11 +37,11 @@ func NewNasClientV2(region string) (*sdk.Client, error) {
 		Headers: headersV2,
 	})
 	// set credential
-	cred, err := utils.GetCredentialV2()
+	provider, err := credentials.NewProvider()
 	if err != nil {
-		return nil, fmt.Errorf("init credential: %w", err)
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
-	config = config.SetCredential(cred)
+	config = config.SetCredential(alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider))
 	// set endpoint
 	ep := os.Getenv("NAS_ENDPOINT")
 	if ep == "" {
diff --git a/pkg/utils/auth.go b/pkg/utils/auth.go
index f31996836b..78e672a222 100644
--- a/pkg/utils/auth.go
+++ b/pkg/utils/auth.go
@@ -21,15 +21,12 @@ import (
 	"fmt"
 	"os"
 	"strings"
-	"sync"
 	"time"
 
-	"github.com/alibabacloud-go/tea/tea"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth"
 	cre "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider"
-	crev2 "github.com/aliyun/credentials-go/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/crypto"
 	"k8s.io/klog/v2"
 )
@@ -208,96 +205,3 @@ func getCredentialAK() AccessControl {
 	config := sdk.NewConfig().WithScheme(scheme)
 	return AccessControl{Config: config, Credential: credential, UseMode: Credential}
 }
-
-type managedAddonTokenCredv2 struct {
-	sync.Mutex
-	token *ManageTokens
-	lastUpdateAt time.Time
-	scale float64
-}
-
-func newManagedAddonTokenCredv2() *managedAddonTokenCredv2 {
-	return &managedAddonTokenCredv2{
-		scale: addonTokenExpirationScale,
-	}
-}
-
-func (cred *managedAddonTokenCredv2) needUpdate() bool {
-	if cred.token == nil {
-		return true
-	}
-	duration := time.Since(cred.lastUpdateAt)
-	expiration := cred.token.ExpireAt.Sub(cred.lastUpdateAt)
-	return duration >= time.Duration(float64(expiration)*cred.scale)
-}
-
-func (cred *managedAddonTokenCredv2) updateAndGet() ManageTokens {
-	cred.Lock()
-	defer cred.Unlock()
-	if cred.needUpdate() {
-		tokens := getManagedToken()
-		cred.token = &tokens
-		cred.lastUpdateAt = time.Now()
-	}
-	return *cred.token
-}
-
-func (cred *managedAddonTokenCredv2) GetAccessKeyId() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.AccessKeyID, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetAccessKeySecret() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.AccessKeySecret, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetSecurityToken() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.SecurityToken, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetCredential() (*crev2.CredentialModel, error) {
-	token := cred.updateAndGet()
-	return &crev2.CredentialModel{
-		AccessKeyId: &token.AccessKeyID,
-		AccessKeySecret: &token.AccessKeySecret,
-		SecurityToken: &token.SecurityToken,
-		BearerToken: tea.String(""),
-		Type: tea.String("sts"),
-	}, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetBearerToken() *string {
-	return tea.String("")
-}
-
-func (cred *managedAddonTokenCredv2) GetType() *string {
-	return tea.String("sts")
-}
-
-func GetCredentialV2() (crev2.Credential, error) {
-	// 
env variable
-	acLocalAK := GetEnvAK()
-	if len(acLocalAK.AccessKeyID) != 0 && len(acLocalAK.AccessKeySecret) != 0 {
-		klog.Info("credential v2: using ak from env variables")
-		config := new(crev2.Config).SetType("access_key").
-			SetAccessKeyId(acLocalAK.AccessKeyID).
-			SetAccessKeySecret(acLocalAK.AccessKeySecret)
-		return crev2.NewCredential(config)
-	}
-
-	// managed addon token
-	_, err := os.Stat(ConfigPath)
-	if err == nil {
-		klog.Info("credential v2: using managed addon token")
-		return newManagedAddonTokenCredv2(), nil
-	}
-	if !os.IsNotExist(err) {
-		return nil, err
-	}
-
-	// try default credential chain
-	klog.Info("credential v2: using default credential chain")
-	return crev2.NewCredential(nil)
-}