From 8265abc2c92e6109c3159323dfdf850066582a0f Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Thu, 13 Oct 2022 16:05:08 +0200
Subject: [PATCH] nfs: add support for `secTypes` parameter in StorageClass

CephNFS can enable different security flavours for exported volumes. This can be configured in the optional `secTypes` parameter in the StorageClass.

Signed-off-by: Niels de Vos
---
 e2e/nfs.go | 19 ++++++++++++++++++-
 examples/nfs/storageclass.yaml | 6 ++++++
 internal/nfs/controller/volume.go | 14 ++++++++++++--
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/e2e/nfs.go b/e2e/nfs.go
index 1473b691e..c900d5638 100644
--- a/e2e/nfs.go
+++ b/e2e/nfs.go
@@ -408,7 +408,24 @@ var _ = Describe("nfs", func() {
 })
 By("create a storageclass with pool and a PVC then bind it to an app", func() {
- err := createNFSStorageClass(f.ClientSet, f, false, nil)
+ err := createNFSStorageClass(f.ClientSet, f, true, nil)
+ if err != nil { framework.Failf("failed to create NFS storageclass: %v", err) }
+ err = validatePVCAndAppBinding(pvcPath, appPath, f)
+ if err != nil { framework.Failf("failed to validate NFS pvc and application binding: %v", err) }
+ err = deleteResource(nfsExamplePath + "storageclass.yaml")
+ if err != nil { framework.Failf("failed to delete NFS storageclass: %v", err) }
+ })
+
+ By("create a storageclass with sys,krb5i security and a PVC then bind it to an app", func() {
+ err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+ "secTypes": "sys,krb5i",
+ })
 if err != nil { framework.Failf("failed to create NFS storageclass: %v", err) }
diff --git a/examples/nfs/storageclass.yaml b/examples/nfs/storageclass.yaml
index 3e547b792..7bc21af15 100644
--- a/examples/nfs/storageclass.yaml
+++ b/examples/nfs/storageclass.yaml
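Review bot: The new sys,krb5i case only asserts that the PVC binds and the app starts, so it would still pass if the `secTypes` parameter were dropped on the way to the export, because a client mounting with default options can fall back to the `sys` flavour listed first (assuming the e2e client does not force krb5i). Consider verifying the created export after `validatePVCAndAppBinding`, for example by reading the export back from the NFS cluster and checking that its security list equals `[sys krb5i]`, so the parameter is exercised end to end rather than only accepted. The first `By` block also flips the third argument of `createNFSStorageClass` from `false` to `true`; if that argument is the "pool" toggle named in the description the test now matches its title, but the commit message does not say why it changed, so a line there would help. The enclosing Describe body continues outside the hunk.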
@@ -45,5 +45,11 @@ parameters:
 # If omitted, defaults to "csi-vol-".
 volumeNamePrefix: nfs-export-
+ # (optional) Security requirements for the NFS-export. Valid flavours
+ # include: none, sys, krb5, krb5i and krb5p. The is a comma
+ # delimited string, for example "sys,krb5".
+ # This option is available with Ceph v17.2.6 and newer.
+ # secTypes:
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
diff --git a/internal/nfs/controller/volume.go b/internal/nfs/controller/volume.go
index 33f9a3fcd..4ceeb8c98 100644
--- a/internal/nfs/controller/volume.go
+++ b/internal/nfs/controller/volume.go
@@ -131,6 +131,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 fs := backend.VolumeContext["fsName"]
 nfsCluster := backend.VolumeContext["nfsCluster"]
 path := backend.VolumeContext["subvolumePath"]
+ secTypes := backend.VolumeContext["secTypes"]
 err := nv.setNFSCluster(nfsCluster)
 if err != nil {
@@ -142,12 +143,21 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 return fmt.Errorf("failed to get NFSAdmin: %w", err)
 }
- _, err = nfsa.CreateCephFSExport(nfs.CephFSExportSpec{
+ export := nfs.CephFSExportSpec{
 FileSystemName: fs,
 ClusterID: nfsCluster,
 PseudoPath: nv.GetExportPath(),
 Path: path,
- })
+ }
+
+ if secTypes != "" {
+ export.SecType = []nfs.SecType{}
+ for _, secType := range strings.Split(secTypes, ",") {
+ export.SecType = append(export.SecType, nfs.SecType(secType))
+ }
+ }
+
+ _, err = nfsa.CreateCephFSExport(export)
 switch {
 case err == nil:
 return nil
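Review bot: The second added comment line reads `The is a comma delimited string`, which is missing a word; suggest `# include: none, sys, krb5, krb5i and krb5p. The value is a comma-` followed by `# delimited string, for example "sys,krb5".`. Because `none` is listed among the accepted flavours, the comment should also say what it implies, so an administrator does not copy the whole list verbatim: `none` is the AUTH_NONE flavour, under which the server accepts requests without client credentials, so something like `# Note: "none" permits unauthenticated access; list it only when that is intended.` belongs next to the example. The hunk is comment-only, so nothing in it changes behaviour.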
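Review bot: The `secTypes` loop in the second volume.go hunk hands every comma-separated token to `nfs.SecType(secType)` unchecked, so a value such as `"sys, krb5i"` (space after the comma), a trailing comma, or a misspelling like `krb5l` produces an export spec with a bogus or empty flavour, and whether that is rejected or quietly accepted is left to the NFS cluster. Since the example in this same patch fixes the valid set at none, sys, krb5, krb5i and krb5p, the controller can trim each token and fail with a clear `fmt.Errorf` naming the bad entry before calling `CreateCephFSExport`, which also keeps a typo in a security parameter from silently yielding a weaker export than intended. The `export.SecType = []nfs.SecType{}` pre-assignment is unnecessary because `append` works on a nil slice; pre-sizing with `make` is cleaner. No import hunk touches this file, so `strings` is presumably already imported here; the `switch` on `err` continues outside the hunk.

```go
	if secTypes != "" {
		// Validate up front so a typo in the StorageClass fails here with a
		// clear message instead of being passed through to the NFS cluster.
		flavours := strings.Split(secTypes, ",")
		export.SecType = make([]nfs.SecType, 0, len(flavours))
		for _, secType := range flavours {
			secType = strings.TrimSpace(secType)
			switch secType {
			case "none", "sys", "krb5", "krb5i", "krb5p":
				export.SecType = append(export.SecType, nfs.SecType(secType))
			default:
				return fmt.Errorf("invalid secTypes entry %q: expected one of none, sys, krb5, krb5i, krb5p", secType)
			}
		}
	}

	_, err = nfsa.CreateCephFSExport(export)
	// … unchanged: error handling switch …
```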