Bug 2029416 - Alibaba Disk CSI driver does not use credentials provided by CCO / ccoctl
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.10
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.10.0
Assignee: Jan Safranek
QA Contact: Rohit Patil
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-12-06 13:03 UTC by Jan Safranek
Modified: 2022-03-10 16:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 16:32:18 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift alibaba-cloud-csi-driver pull 7 | 0 | None | Merged | Bug 2029416: UPSTREAM: 572: User credentials provided by CredentialsOperator | 2022-01-21 17:38:49 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:32:33 UTC

Description Jan Safranek 2021-12-06 13:03:36 UTC
Alibaba Disk CSI driver operator gives the CSI driver env. variable ALIBABA_CLOUD_CREDENTIALS_FILE, pointing to a Secret file provided by CCO / ccoctl with this content:

[default]
type = access_key
access_key_id: xxxxxxx
access_key_secret: yyyyy


The CSI driver ignores this file and loads some credentials from the cloud instance metadata:

time="2021-11-30T19:24:09Z" level=info msg="Get AK: use STS"
time="2021-11-30T19:24:09Z" level=info msg="Starting csi-plugin with sts"

These metadata credentials seem to be enough for the driver to work (provision + attach + mount volumes), still, the CSI driver should use credentials provided by CCO.

This is tracked upstream as https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver/issues/557.
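
The condition described above can be checked mechanically. The following is an added example, not part of the original report and not the driver's own code: it parses the credentials file format shown in the description and flags driver log lines where the STS fallback was used even though a usable access_key profile was supplied. The function names parseProfile and auditCredentialSource are hypothetical, and the sample inputs are constructed from the values quoted in the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// parseProfile reads one section of the credentials file shown in the report.
// It accepts both "key = value" and "key: value", since the sample mixes them.
func parseProfile(content, section string) map[string]string {
	out := map[string]string{}
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inSection = line == "["+section+"]"
			continue
		}
		i := strings.IndexAny(line, "=:")
		if inSection && i > 0 && !strings.HasPrefix(line, "#") {
			out[strings.TrimSpace(line[:i])] = strings.TrimSpace(line[i+1:])
		}
	}
	return out
}

// auditCredentialSource flags the condition from the report: a usable
// access_key profile was supplied, yet the driver log shows the STS fallback.
func auditCredentialSource(credsFile string, logLines []string) []string {
	p := parseProfile(credsFile, "default")
	supplied := p["type"] == "access_key" && p["access_key_id"] != "" && p["access_key_secret"] != ""
	var findings []string
	for _, l := range logLines {
		if supplied && strings.Contains(l, `msg="Get AK: use STS"`) {
			findings = append(findings, "supplied access_key ignored, driver used STS: "+l)
		}
	}
	return findings
}

func main() {
	// Constructed sample input, copied from the values quoted in the report.
	creds := "[default]\ntype = access_key\naccess_key_id: xxxxxxx\naccess_key_secret: yyyyy\n"
	logs := []string{`time="2021-11-30T19:24:09Z" level=info msg="Get AK: use STS"`}
	for _, f := range auditCredentialSource(creds, logs) {
		fmt.Println(f)
	}
}
```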

Comment 1 Jan Safranek 2021-12-13 16:13:35 UTC
I tested the upstream PR, it works well. It needs to be merged upstream before we can use it.

It will be painful to backport, but that's our job.

Comment 2 Jan Safranek 2022-01-04 09:41:29 UTC
Assigning to Bo Teng, as Jiao Wang (our storage contact in Alibaba) does not have a Bugzilla account yet.

The upstream PR https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pull/572 needs to be reviewed and merged and then we need either Alibaba to do a new release of the driver or Red Hat to backport the patch to 1.1.4, which is quite old.

Comment 3 Jan Safranek 2022-01-04 09:42:14 UTC
Note that this is a blocker and it must be fixed before code freeze!

Comment 5 Brian Lu 2022-01-17 07:06:57 UTC
The upstream PR https://github.com/kubernetes-sigs/alibaba-cloud-csi-driver/pull/572 has been merged.

Comment 11 errata-xmlrpc 2022-03-10 16:32:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

