feat: add RRSA storage authentication support for on-demand CSI mounts #568
BH4AWS wants to merge 1 commit into
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Codecov Report ❌ Patch coverage is
Additional details and impacted files:
@@ Coverage Diff @@
## master #568 +/- ##
==========================================
- Coverage 79.76% 79.76% -0.01%
==========================================
Files 195 205 +10
Lines 14140 15376 +1236
==========================================
+ Hits 11279 12264 +985
- Misses 2457 2667 +210
- Partials 404 445 +41
Flags with carried forward coverage won't be shown.
02bfb40 to 080d6be
| } | ||
| // Allow enterprise implementations to extract additional security metadata | ||
| // (e.g., storage-auth annotations for RRSA-based credential scoping) via hook. | ||
| if ExtractStorageAuthMetadata != nil { |
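Review bot: the nil-guarded package-level hook `ExtractStorageAuthMetadata` in this hunk has no visible registration point and no comment saying when it is expected to be set, so a reader cannot tell from these lines whether the extraction runs for every sandbox or only in enterprise builds, nor what the `nil` path does. Document where the hook is assigned (it should be fixed at init, before any reconciliation starts, because a func variable reassigned at runtime is not safe for concurrent readers) and extend the comment to state that whatever the hook returns becomes credential-scoping metadata, so its inputs should be limited to the sandbox object itself rather than ambient controller state.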
Please do not extract metadata here; pass the sandbox object to IssueToken of the various token providers.
Add credential provider fields (CredProviderName, RoleName) to CSIMountConfig and implement the full storage-auth annotation injection pipeline, enabling pod-level RRSA (RAM Roles for Service Accounts) authentication for CSI storage mounts without traditional Secrets.

Key changes:
- api/v1alpha1: add CredProviderName and RoleName fields to CSIMountConfig
- pkg/identity: define AnnotationStorageAuth constant and StorageAuthItem type; propagate storage-auth annotation to sandbox token metadata
- pkg/utils/csiutils: skip Secret lookup when volumeAttributes contains "authType: agent-identity"; add BuildStorageAuthItems() with pluggable StorageAuthItemEnricher hook for inner extension
- pkg/controller/sandboxclaim/core: inject storage-auth annotation via Modifier closure in buildClaimOptions when CredProviderName is set
- pkg/servers/e2b: inject storage-auth annotation via Modifier closure in createSandboxWithClaim when CredProviderName is set

Tests:
- storages_provider_test.go: 11 new cases covering BuildStorageAuthItems, agent-identity Secret skip, and CredProviderName passthrough
- sandbox_token_helper_test.go: 5 new cases for storage-auth annotation propagation to token metadata
- common_control_test.go: 2 new cases for Modifier injection behavior
- create_test.go: 1 new case for CredProviderName request structure

Signed-off-by: 基成 <jicheng.sk@alibaba-inc.com>
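The pipeline the commit message describes (skip the Secret lookup for mounts whose volumeAttributes carry `authType: agent-identity`, build storage-auth items through a pluggable enricher, and inject the annotation through a Modifier closure only when CredProviderName is set), written out as an added Go sketch that is not the project's own code. Only the field names CredProviderName and RoleName, the constant name AnnotationStorageAuth, the type names StorageAuthItem and StorageAuthItemEnricher and the `authType` attribute come from the PR; the remaining struct fields, the annotation key string, the enricher and Modifier signatures, and the rule that a provider named without a role is rejected are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// CSIMountConfig carries the two fields the PR adds (CredProviderName, RoleName);
// the other fields are assumptions made for this example.
type CSIMountConfig struct {
	Name             string            // assumed: volume name, used as the item key
	VolumeAttributes map[string]string // assumed: CSI volumeAttributes handed to the driver
	SecretName       string            // assumed: credential Secret used by non-RRSA mounts
	CredProviderName string            // from the PR: provider that issues the scoped token
	RoleName         string            // from the PR: RRSA role the token is scoped to
}

// StorageAuthItem is the per-mount annotation payload; its field layout is assumed.
type StorageAuthItem struct {
	Mount        string            `json:"mount"`
	CredProvider string            `json:"credProvider"`
	Role         string            `json:"role"`
	Extra        map[string]string `json:"extra,omitempty"`
}

const (
	AnnotationStorageAuth = "sandbox.example.com/storage-auth" // constant name from the PR, key value assumed
	authTypeKey           = "authType"                         // from the PR
	authTypeAgentIdentity = "agent-identity"                   // from the PR
)

// StorageAuthItemEnricher is the pluggable hook the PR names; the signature is assumed.
// It may only add provider-specific extras, never change mount, provider or role.
type StorageAuthItemEnricher func(cfg CSIMountConfig, extra map[string]string) error

// Modifier is the closure type assumed for annotation injection.
type Modifier func(annotations map[string]string) error

// UsesAgentIdentity reports whether the mount authenticates with the agent's own
// identity, in which case no Secret is looked up for it.
func UsesAgentIdentity(cfg CSIMountConfig) bool {
	return cfg.VolumeAttributes[authTypeKey] == authTypeAgentIdentity
}

// SecretsToLookup lists the Secrets that still have to be fetched; agent-identity
// mounts are skipped, so no Secret read is needed on their behalf.
func SecretsToLookup(mounts []CSIMountConfig) []string {
	var names []string
	for _, m := range mounts {
		if UsesAgentIdentity(m) || m.SecretName == "" {
			continue
		}
		names = append(names, m.SecretName)
	}
	return names
}

// BuildStorageAuthItems emits one item per mount that sets CredProviderName.
// A provider without a role is rejected (policy assumed here) so a misconfigured
// mount fails closed instead of yielding an unscoped credential.
func BuildStorageAuthItems(mounts []CSIMountConfig, enrich StorageAuthItemEnricher) ([]StorageAuthItem, error) {
	var items []StorageAuthItem
	for _, m := range mounts {
		if m.CredProviderName == "" {
			continue
		}
		if m.RoleName == "" {
			return nil, fmt.Errorf("mount %q: CredProviderName set without RoleName", m.Name)
		}
		item := StorageAuthItem{Mount: m.Name, CredProvider: m.CredProviderName, Role: m.RoleName}
		if enrich != nil {
			extra := map[string]string{}
			if err := enrich(m, extra); err != nil {
				return nil, fmt.Errorf("mount %q: enricher: %w", m.Name, err)
			}
			if len(extra) > 0 {
				item.Extra = extra
			}
		}
		items = append(items, item)
	}
	return items, nil
}

// NewStorageAuthModifier returns the closure that writes the annotation, or nil
// when no mount sets CredProviderName, so callers can skip injection entirely.
func NewStorageAuthModifier(mounts []CSIMountConfig, enrich StorageAuthItemEnricher) (Modifier, error) {
	items, err := BuildStorageAuthItems(mounts, enrich)
	if err != nil {
		return nil, err
	}
	if len(items) == 0 {
		return nil, nil
	}
	payload, err := json.Marshal(items)
	if err != nil {
		return nil, err
	}
	return func(annotations map[string]string) error {
		if annotations == nil {
			return fmt.Errorf("nil annotations map")
		}
		annotations[AnnotationStorageAuth] = string(payload)
		return nil
	}, nil
}
```

The modifier is built once and captures the serialized payload, so the controller path that applies it does no further lookups; a caller that receives a nil Modifier knows no RRSA mount was configured and leaves the claim untouched.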
080d6be to eea3e1c
Add credential provider fields (CredProviderName, RoleName) to CSIMountConfig and implement the full storage-auth annotation injection pipeline, enabling pod-level RRSA (RAM Roles for Service Accounts) authentication for CSI storage mounts without traditional Secrets.
Key changes:
Tests:
Ⅰ. Describe what this PR does
Ⅱ. Does this pull request fix one issue?
Ⅲ. Describe how to verify it
Ⅳ. Special notes for reviews