Accesskey fixes (#96)

* Set access key on mount point

In Quobyte clusters where client host IP is not trusted
(configuration->security->trusted service n/w does not include
client IP) and tenant "accessible from network" list is empty,
the client cannot list volumes and access volumes. Therefore,
setting access key on volume mount path fails.

To get around the issue, client allows setting access key on the
mount path itself. Change CSI Driver to use mount path.

* Generate access key handle

Make access key handle unpredictable and generate new one
for each mount request.

* E2E test binary is no longer available.

..compile it from source.

kind-cluster/e2e

@@ -4,12 +4,26 @@ KUBECONFIG=${KUBECONFIG:-"/etc/kubernetes/admin.conf"}
 NODES=1
 # Note that you need to point kubeconfig correctly, otherwise kubectl cannot list sever version
 K8S_VERSION="$(kubectl version | grep 'Server Version:' -m1 | cut -d":" -f2 | tr -d " ")"
+TEST_RUN_DIR=$(pwd)
 STORAGE_CLASS=${STORAGE_CLASS:-$(pwd)/quobyte-csi/example/StorageClass.yaml}
 SNAPSHOT_CLASS=${SNAPSHOT_CLASS:-''}
 E2E_TEST_CONFIG_PATH='/tmp/quobyte-csi-driver.yaml'
 CSI_PROVISIONER_NAME=${CSI_PROVISIONER_NAME:-'csi.quobyte.com'}
 TESTS_LOGS_PATH='/tmp/test.txt'
 
+KUBERNETES_SRC_DIR="${KUBERNETES_SRC_DIR:-/tmp/kubernetes}"
+
+if [[ ! -d ${KUBERNETES_SRC_DIR} ]]; then
+git clone https://github.com/kubernetes/kubernetes.git $KUBERNETES_SRC_DIR
+fi
+
+cd $KUBERNETES_SRC_DIR
+git fetch --tags
+git checkout tags/$K8S_VERSION
+make WHAT=test/e2e/e2e.test
+go install github.com/onsi/ginkgo/v2/ginkgo@latest
+
+cd $TEST_RUN_DIR
 cd /tmp
 
 if [[ "$ENABLE_SNAPSHOTS" -eq 'true' && -z "$SNAPSHOT_CLASS" ]]; then
@@ -42,34 +56,13 @@ DriverInfo:
     RWX: true
 EOF
 
-if [[ -d kubernetes ]]; then
- rm -rf kubernetes
-fi
-
-K8S_TARBALL="kubernetes-test-linux-amd64.tar"
-K8S_ZIP="${K8S_TARBALL}.gz"
-
-if [[ -f ${K8S_ZIP} ]]; then
-  rm ${K8S_ZIP}
-fi
-
-if [[ -f "${K8S_TARBALL}" ]]; then 
-  rm "${K8S_TARBALL}"
-fi
-
-if [[ -f "$TESTS_LOGS_PATH" ]]; then
-  rm "$TESTS_LOGS_PATH"
-fi
-
 echo "Running E2E with test configuration $E2E_TEST_CONFIG_PATH"
 echo "E2E test results can be found at $TESTS_LOGS_PATH on test running host"
 
 echo -e "\e[33mNote:\e[0m If tests stuck, you need to check kind version and kind-cluster\n \
          base image compatibility. See ./run_test kindest/node:v1.... hash and kindest version\n \
          hash (kind requires exact hash specified in kind release). https://github.com/kubernetes-sigs/kind/releases"
 
-wget https://storage.googleapis.com/kubernetes-release/release/$K8S_VERSION/${K8S_ZIP} \
-&& gunzip kubernetes-test-linux-amd64.tar.gz && tar -xvf kubernetes-test-linux-amd64.tar --overwrite \
-&& kubernetes/test/bin/ginkgo -nodes=$NODES -focus='External.Storage.*csi.quobyte.com.*' \
+ginkgo -nodes=$NODES -focus='External.Storage.*csi.quobyte.com.*' \
 -skip='\[Disruptive\]' \
-kubernetes/test/bin/e2e.test -- -storage.testdriver="$E2E_TEST_CONFIG_PATH" -kubeconfig="${KUBECONFIG}" 2>&1 | tee "$TESTS_LOGS_PATH"
+$KUBERNETES_SRC_DIR/_output/local/go/bin/e2e.test -- -storage.testdriver="$E2E_TEST_CONFIG_PATH" -kubeconfig="${KUBECONFIG}" 2>&1 | tee "$TESTS_LOGS_PATH"

src/driver/node.go

@@ -9,6 +9,7 @@ import (
 	"golang.org/x/sys/unix"
 	"k8s.io/klog"
 
+	"github.com/google/uuid"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -90,7 +91,7 @@ func (d *QuobyteDriver) NodePublishVolume(ctx context.Context, req *csi.NodePubl
 	}
 	var mountPath string
 	if d.QuobyteVersion >= 3 && d.IsQuobyteAccessKeyMountsEnabled {
-		podUUID := getSanitizedPodUUIDFromPath(targetPath)
+		accesskeyHandle := uuid.New().String()
 		accesskeyID, ok := secrets[accessKeyID]
 		if !ok {
 			return nil, fmt.Errorf("Mount secret should have '%s: <YOUR_ACCESS_KEY_ID>'", accessKeyID)
@@ -99,13 +100,12 @@ func (d *QuobyteDriver) NodePublishVolume(ctx context.Context, req *csi.NodePubl
 		if !ok {
 			return nil, fmt.Errorf("Mount secret should have '%s: <YOUR_ACCESS_KEY_SECRET>'", accessKeySecret)
 		}
-		accesskeyHandle := fmt.Sprintf("%s-%s", podUUID, accesskeyID)
 		XattrVal := getAccessKeyValStr(accesskeyID, accesskeySecret, accesskeyHandle)
 		// In case of setfattr failure:
 		// - Make sure Quobyte CSI driver is deployed with "enableAccessKeyMounts: true"
 		// - Quobyte clients are deployed with access key flags enabled - see "Requirements" section of
 		// https://github.com/quobyte/quobyte-csi-driver/blob/master/docs/quobyte_access_keys.md
-		err := setfattr(xattrKey, XattrVal, fmt.Sprintf("%s/%s", d.clientMountPoint, volUUID))
+		err := setfattr(xattrKey, XattrVal, d.clientMountPoint)
 		if err != nil {
 			return nil, err
 		}
@@ -196,7 +196,7 @@ func (d *QuobyteDriver) NodeExpandVolume(ctx context.Context, req *csi.NodeExpan
 
 func (d *QuobyteDriver) NodeGetVolumeStats(ctx context.Context, req *csi.NodeGetVolumeStatsRequest) (*csi.NodeGetVolumeStatsResponse, error) {
 	if !d.enabledVolumeMetrics {
-		return nil, fmt.Errorf("volume/PVC metrics export is disabled for the Quobyte CSI Driver %s", d.Name);
+		return nil, fmt.Errorf("volume/PVC metrics export is disabled for the Quobyte CSI Driver %s", d.Name)
 	}
 	volumePath := req.GetVolumePath()
 	if len(volumePath) <= 0 {

src/driver/utils.go

@@ -99,14 +99,6 @@ func contains(s []string, e string) bool {
 	return false
 }
 
-func getSanitizedPodUUIDFromPath(podVolPath string) string {
-	// Extracts the Pod UID from the given pod volume path. Path of pod volume is of the
-	// form /var/lib/kubelet/pods/<THE-POD-ID-HERE>/volumes/kubernetes.io~csi
-	pod_uid_start_index := strings.Index(podVolPath, POD_UUID_LOCATOR) + len(POD_UUID_LOCATOR)
-	pod_uid_end_index := strings.Index(podVolPath, POD_VOL_LOCATOR)
-	return strings.ReplaceAll(podVolPath[pod_uid_start_index:pod_uid_end_index], "-", "")
-}
-
 func parseLabels(labels string) ([]*quobyte.Label, error) {
 	labelKVs := strings.Split(labels, ",")
 	parsedLabels := make([]*quobyte.Label, 0)

src/driver/utils_test.go

@@ -5,17 +5,6 @@ import (
 	"testing"
 )
 
-func TestPodUIDParsing(t *testing.T) {
-	originalUID := "7d40536c818-4d7b70e4-dc3c27d9a-cc42b5b32d8e"
-	expectedUID := "7d40536c8184d7b70e4dc3c27d9acc42b5b32d8e"
-	path := fmt.Sprintf("/var/lib/kubelet/pods/%s/volumes/kubernetes.io~csi", originalUID)
-	resultUID := getSanitizedPodUUIDFromPath(path)
-
-	if resultUID != expectedUID {
-		t.Errorf("Expected UID: %s but got UID: %s", expectedUID, resultUID)
-	}
-}
-
 func TestGetVolUUIDFromErrorMSG(t *testing.T) {
 	expectedVolUUID := "7d40536c8184d7b70e4dc3c27d9acc42b5b32d8e"
 	errorMsg := fmt.Sprintf("Volume name volumeNameToCheck is already used by volume %s", expectedVolUUID)
@@ -52,7 +41,7 @@ func TestQuobyteApiClientSecretsCheck(t *testing.T) {
 
 	secrets = make(map[string]string)
 	secrets[accessKeyID] = "dummyAccessKeyId"
-	secrets[accessKeySecret] = "dummyAccessKeySecert"
+	secrets[accessKeySecret] = "dummyAccessKeySecret"
 
 	check = hasApiAccessKeyIdAndSecret(secrets)
 	if !check {

src/go.mod

@@ -5,6 +5,7 @@ go 1.22.2
 require (
 	github.com/container-storage-interface/spec v1.9.0
 	github.com/golang/protobuf v1.5.4
+	github.com/google/uuid v1.6.0
 	github.com/hashicorp/golang-lru v1.0.2
 	github.com/quobyte/api v1.3.0
 	github.com/stretchr/testify v1.9.0

src/go.sum

@@ -7,6 +7,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
 github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=