nas/bmcpfs: switch to new credential implementation

pkg/bmcpfs/controllerserver.go

@@ -27,11 +27,12 @@ import (
 	efloclient "github.com/alibabacloud-go/eflo-controller-20221215/v2/client"
 	nasclient "github.com/alibabacloud-go/nas-20170626/v4/client"
 	"github.com/alibabacloud-go/tea/tea"
+	alicred_old "github.com/aliyun/credentials-go/credentials"
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/bmcpfs/internal"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/common"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/cloud"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/version"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -191,11 +192,11 @@ func newEfloClient(region string) (*efloclient.Client, error) {
 			},
 		})
 	// set credential
-	cred, err := utils.GetCredentialV2()
+	provider, err := credentials.NewProvider()
 	if err != nil {
-		return nil, fmt.Errorf("init credential: %w", err)
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
-	config = config.SetCredential(cred)
+	config = config.SetCredential(alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider))
 	// set endpoint
 	ep := os.Getenv("EFLO_CONTROLLER_ENDPOINT")
 	if ep != "" {

pkg/nas/cloud/nas_client_v1.go

@@ -9,8 +9,8 @@ import (
 	aliyunep "github.com/aliyun/alibaba-cloud-sdk-go/sdk/endpoints"
 	sdkerrors "github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
 	nassdk "github.com/aliyun/alibaba-cloud-sdk-go/services/nas"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	utilshttp "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/http"
 )
 
@@ -25,14 +25,13 @@ func newNasClientV1(region string) (interfaces.NasV1Interface, error) {
 		_ = aliyunep.AddEndpointMapping(region, "Nas", ep)
 	}
 
-	ac := utils.GetAccessControl()
-	if ac.Credential == nil {
-		return nil, errors.New("failed to fetch credential")
-	}
-	config := ac.Config
-	if config == nil {
-		config = sdk.NewConfig()
+	provider, err := credentials.NewProvider()
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
+	credential := credentials.V1ProviderAdaptor(provider)
+
+	config := sdk.NewConfig()
 	scheme := "HTTPS"
 	if e := os.Getenv("ALICLOUD_CLIENT_SCHEME"); e != "" {
 		scheme = e
@@ -42,7 +41,7 @@ func newNasClientV1(region string) (interfaces.NasV1Interface, error) {
 	if len(headers) > 0 {
 		config.Transport = utilshttp.RoundTripperWithHeader(config.Transport, headers)
 	}
-	client, err := nassdk.NewClientWithOptions(region, config, ac.Credential)
+	client, err := nassdk.NewClientWithOptions(region, config, credential)
 	return client, err
 }
 

pkg/nas/cloud/nas_client_v2.go

@@ -8,8 +8,9 @@ import (
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 	sdk "github.com/alibabacloud-go/nas-20170626/v4/client"
 	"github.com/alibabacloud-go/tea/tea"
+	alicred_old "github.com/aliyun/credentials-go/credentials"
+	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/nas/interfaces"
-	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils"
 	utilshttp "github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/http"
 	"go.uber.org/ratelimit"
 	"k8s.io/klog/v2"
@@ -36,11 +37,11 @@ func NewNasClientV2(region string) (*sdk.Client, error) {
 			Headers: headersV2,
 		})
 	// set credential
-	cred, err := utils.GetCredentialV2()
+	provider, err := credentials.NewProvider()
 	if err != nil {
-		return nil, fmt.Errorf("init credential: %w", err)
+		return nil, fmt.Errorf("failed to fetch credential: %w", err)
 	}
-	config = config.SetCredential(cred)
+	config = config.SetCredential(alicred_old.FromCredentialsProvider(provider.GetProviderName(), provider))
 	// set endpoint
 	ep := os.Getenv("NAS_ENDPOINT")
 	if ep == "" {

pkg/utils/auth.go

@@ -21,15 +21,12 @@ import (
 	"fmt"
 	"os"
 	"strings"
-	"sync"
 	"time"
 
-	"github.com/alibabacloud-go/tea/tea"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth"
 	cre "github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials"
 	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/auth/credentials/provider"
-	crev2 "github.com/aliyun/credentials-go/credentials"
 	"github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pkg/utils/crypto"
 	"k8s.io/klog/v2"
 )
@@ -208,96 +205,3 @@ func getCredentialAK() AccessControl {
 	config := sdk.NewConfig().WithScheme(scheme)
 	return AccessControl{Config: config, Credential: credential, UseMode: Credential}
 }
-
-type managedAddonTokenCredv2 struct {
-	sync.Mutex
-	token        *ManageTokens
-	lastUpdateAt time.Time
-	scale        float64
-}
-
-func newManagedAddonTokenCredv2() *managedAddonTokenCredv2 {
-	return &managedAddonTokenCredv2{
-		scale: addonTokenExpirationScale,
-	}
-}
-
-func (cred *managedAddonTokenCredv2) needUpdate() bool {
-	if cred.token == nil {
-		return true
-	}
-	duration := time.Since(cred.lastUpdateAt)
-	expiration := cred.token.ExpireAt.Sub(cred.lastUpdateAt)
-	return duration >= time.Duration(float64(expiration)*cred.scale)
-}
-
-func (cred *managedAddonTokenCredv2) updateAndGet() ManageTokens {
-	cred.Lock()
-	defer cred.Unlock()
-	if cred.needUpdate() {
-		tokens := getManagedToken()
-		cred.token = &tokens
-		cred.lastUpdateAt = time.Now()
-	}
-	return *cred.token
-}
-
-func (cred *managedAddonTokenCredv2) GetAccessKeyId() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.AccessKeyID, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetAccessKeySecret() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.AccessKeySecret, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetSecurityToken() (*string, error) {
-	token := cred.updateAndGet()
-	return &token.SecurityToken, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetCredential() (*crev2.CredentialModel, error) {
-	token := cred.updateAndGet()
-	return &crev2.CredentialModel{
-		AccessKeyId:     &token.AccessKeyID,
-		AccessKeySecret: &token.AccessKeySecret,
-		SecurityToken:   &token.SecurityToken,
-		BearerToken:     tea.String(""),
-		Type:            tea.String("sts"),
-	}, nil
-}
-
-func (cred *managedAddonTokenCredv2) GetBearerToken() *string {
-	return tea.String("")
-}
-
-func (cred *managedAddonTokenCredv2) GetType() *string {
-	return tea.String("sts")
-}
-
-func GetCredentialV2() (crev2.Credential, error) {
-	// env variable
-	acLocalAK := GetEnvAK()
-	if len(acLocalAK.AccessKeyID) != 0 && len(acLocalAK.AccessKeySecret) != 0 {
-		klog.Info("credential v2: using ak from env variables")
-		config := new(crev2.Config).SetType("access_key").
-			SetAccessKeyId(acLocalAK.AccessKeyID).
-			SetAccessKeySecret(acLocalAK.AccessKeySecret)
-		return crev2.NewCredential(config)
-	}
-
-	// managed addon token
-	_, err := os.Stat(ConfigPath)
-	if err == nil {
-		klog.Info("credential v2: using managed addon token")
-		return newManagedAddonTokenCredv2(), nil
-	}
-	if !os.IsNotExist(err) {
-		return nil, err
-	}
-
-	// try default credential chain
-	klog.Info("credential v2: using default credential chain")
-	return crev2.NewCredential(nil)
-}