fix: support multi-mount OSS secret projections in jindo

[CAICAIIs]

Ⅰ. Describe what this PR does

This PR fixes multi-mount OSS secret handling for Jindo when different mounts use different AK/SK pairs.

Before this change, if a Dataset contained multiple OSS mounts with different encryptOptions, only the last OSS secret could effectively take effect. This PR changes the secret handling to bucket-scoped secret projections, so each OSS bucket gets its own projected secret path and provider configuration.

The fix covers both jindocache and jindofsx, and updates the related Helm templates for master / worker / fuse.

Ⅱ. Does this pull request fix one issue?

fixes #4255

Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.

Added unit tests:

• TestJindoCacheEngine_transformMasterWithMultipleOSSEncryptOptions
• TestJindoFSxEngine_transformMasterWithMultipleOSSEncryptOptions
• TestJindoCacheEngine_transformMasterDoesNotPersistInlineOSSCredentials

These tests cover:

• bucket-scoped secret projection generation
• bucket-scoped token/fuse provider configuration
• preventing inline OSS credentials from being persisted into generated values/configmaps

Ⅳ. Describe how to verify it

1. Create two OSS secrets with different AK/SK pairs.
2. Create a Dataset with two OSS mounts, for example:
   • oss://caicaiis-a/ -> /partA
   • oss://caicaiis-b/ -> /partB
3. Create the corresponding JindoRuntime.
4. Wait until the runtime is ready and the dataset is bound.
5. Create an application pod mounting the generated PVC.
6. Verify both mount paths are accessible from the application pod.

I also verified this with real OSS buckets:

• caicaiis-a
• caicaiis-b

After the fix:

• files under /data/partA can be read successfully
• files under /data/partB can be read successfully

Ⅴ. Special notes for reviews

• This PR is intentionally focused on multi-mount OSS secret projection behavior.
• It does not persist inline OSS credentials from mount options into generated values/configmaps.
• I also verified the fix with real buckets using different credentials.

[fluid-e2e-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign cheyang for approval by writing /assign @cheyang in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fluid-e2e-bot]

Hi @CAICAIIs. Thanks for your PR.

I'm waiting for a fluid-cloudnative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gemini-code-assist]

Code Review

This pull request introduces support for multiple OSS bucket credential projections in both the jindocache and jindofsx engines. It updates Helm templates to handle projected secret volumes and modifies the transformation logic to generate these projections from dataset mount options. The review feedback highlights a security inconsistency where jindofsx still persists inline credentials in plain text, suggests optimizing the grouping of secret projections to reduce pod spec verbosity, and identifies several bugs related to error messages and logging consistency.

[codecov]

Codecov Report

❌ Patch coverage is 70.83333% with 21 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.53%. Comparing base (9fe6aad) to head (7c6841e).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/ddc/jindocache/transform.go	70.83%	20 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5778      +/-   ##
==========================================
+ Coverage   60.47%   60.53%   +0.06%     
==========================================
  Files         465      465              
  Lines       31148    31209      +61     
==========================================
+ Hits        18837    18893      +56     
- Misses      10764    10767       +3     
- Partials     1547     1549       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Fixes Jindo multi-mount OSS secret handling so that different OSS mounts (buckets) can use different AK/SK pairs by switching from a single “last-one-wins” secret to bucket-scoped projected secrets and per-bucket provider configuration.

Changes:

• Introduces bucket-scoped secret projections and per-bucket secret URIs in both jindocache and jindofsx transforms.
• Updates Fuse/Token properties to configure OSS credentials provider per bucket (endpoint/format/provider), avoiding persisting inline credentials.
• Updates Helm templates to mount credential volumes when either a single secret or secretProjections are present, and adds projected-volume support.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/ddc/jindofsx/types.go	Adds fields to carry secret projections + bucket-to-secret URI mapping.
pkg/ddc/jindofsx/transform.go	Builds bucket-scoped projections/URIs and injects per-bucket provider properties (Fuse/Token).
pkg/ddc/jindofsx/transform_master_test.go	Adds unit tests for multi-mount OSS projections and non-persistence of inline creds.
pkg/ddc/jindocache/types.go	Adds fields to carry secret projections + bucket-to-secret URI mapping.
pkg/ddc/jindocache/transform.go	Builds bucket-scoped projections/URIs and injects per-bucket provider properties (Fuse/Token).
pkg/ddc/jindocache/transform_test.go	Adds unit tests for multi-mount OSS projections and non-persistence of inline creds.
charts/jindofsx/templates/worker/statefulset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindofsx/templates/master/statefulset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindofsx/templates/fuse/daemonset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindofsx/templates/_helpers.tpl	Adds projected secret volume rendering supporting secretProjections.
charts/jindocache/templates/worker/statefulset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindocache/templates/master/statefulset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindocache/templates/fuse/daemonset.yaml	Mounts secret volume when secret or secretProjections is set.
charts/jindocache/templates/_helpers.tpl	Adds projected secret volume rendering supporting secretProjections.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

Quality Gate passed

Issues
24 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
78.5% Duplication on New Code

See analysis details on SonarQube Cloud