Only pass identity provider mountOption for managed sidecar version >= v1.12.2-gke.0

[siyanshen]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change

/kind bug

/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
This PR makes sure latest version of driver is compatible with custom or outdated sidecar images.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:
Tested:

1. e2e test shows version filter works as expected.

make e2e-test E2E_TEST_USE_GKE_MANAGED_DRIVER=false E2E_TEST_BUILD_DRIVER=true E2E_TEST_FOCUS=should.gcsfuse.process.succeed.without.missing.flag.error.for.hostnetwork.pods.using.custom.sidecar.container.image STAGINGVERSION=support2 REGISTRY=gcr.io/shensiyan-joonix

checked cloud logs
a. When min version is set as v1.12.2-gke.0, log shows the version was not supported.
b. When min version is set as v1.6.x-..., log shows the version was supported.

2. Confirmed official sidecar image can pass the filter to enjoy the feature: Locally updated webhook to set --shouldInjectSAVol=true, ran e2e test with a sidecar image of versioin v1.12.2-gke.0. Confirmed the test Pod and IO test bucket via our hostnetwork support feature.

3. Confirmed private sidecar can use this feature when user adds required mountOption in their pod.
   a. Locally updated webhook to set --shouldInjectSAVol=true.
   b. Installed onto my test cluster a custom driver and sidecar.
   c. Created a test pod from file

apiVersion: v1
kind: Pod
metadata:
  name: test-pv-pod-hnw
  namespace: ns1
  annotations:
    gke-gcsfuse/volumes: "true"
spec:
  serviceAccountName: test-ksa-ns1
  hostNetwork: true
  containers:
  - image: busybox
    name: busybox
    command:
      - sleep
      - "3600"
    volumeMounts:
    - name: gcs-fuse-csi-ephemeral
      mountPath: /dataEph
  volumes:
  - name: gcs-fuse-csi-ephemeral
    csi:
      driver: gcsfuse.csi.storage.gke.io
      volumeAttributes:
        bucketName: test-wi-host-network-2
        mountOptions: "implicit-dirs,token-server-identity-provider=https://container.googleapis.com/v1/projects/<my-project>/locations/us-central1/clusters/ssy-e2e"

d. Verified that we do not pass the mountOption from driver, but the user pod can successfully IO thanks to the mountOption specified in podSpec. https://screenshot.googleplex.com/9R6sFqrypUhbZ5W

Does this PR introduce a user-facing change?:

Only pass identity provider mountOptions for managed sidecar version >= v1.12.2-gke.0

[amacaskill]

Is there a way to test this works before we submit?

[siyanshen]

Is there a way to test this works before we submit?

Yeah, updated the PR description field to document my testing method

[amacaskill]

Can you please add an e2e test for setting "mountOptions:token-server-identity-provider=https://container.googleapis.com/v1/projects//locations/us-central1/clusters/ssy-e2e" + hostnetwork + private sidecar image works as expected

Also, what happens in our logic if the customer sets "token-server-identity-provider=https://container.googleapis.com/v1/projects//locations/us-central1/clusters/ssy-e2e" in mountOptions even though its not a private registry or without hostnetwork enabled. What happens in those cases?

[siyanshen]

Can you please add an e2e test for setting "mountOptions:token-server-identity-provider=https://container.googleapis.com/v1/projects//locations/us-central1/clusters/ssy-e2e" + hostnetwork + private sidecar image works as expected

I would rather not have this in e2e test. For one thing the functionality can only be verified during I/O, but the webhook feature flag is not enabled by default yet. For another, we only want to officially support the managed sidecar. Implementing tests for private images would add unnecessary complexity. We have to retrieve project id, cluster name, container endpoint information, etc. in the test environment. And the benefit is not that significant.

Also, what happens in our logic if the customer sets "token-server-identity-provider=https://container.googleapis.com/v1/projects//locations/us-central1/clusters/ssy-e2e" in mountOptions even though its not a private registry or without hostnetwork enabled. What happens in those cases?

If the sidecar detects a tokenServerIdentity is provided, it will start the token server.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[hime]

@siyanshen Would be good to have e2e test that @amacaskill mentioned if/when its feasible. We support GCSFuse on private nodes by using the custom sidecar feature. Maybe its also good to test everything on sandbox before cutting release.

Other than that, lgtm!