nfs: add support for secTypes parameter in StorageClass

CephNFS can enable different security flavours for exported volumes.
This can be configured in the optional `secTypes` parameter in the
StorageClass.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
Niels de Vos 2022-10-13 16:05:08 +02:00 committed by mergify[bot]
parent 3d6cdce353
commit 8265abc2c9
3 changed files with 36 additions and 3 deletions


@ -408,7 +408,24 @@ var _ = Describe("nfs", func() {
})
By("create a storageclass with pool and a PVC then bind it to an app", func() {
err := createNFSStorageClass(f.ClientSet, f, false, nil)
err := createNFSStorageClass(f.ClientSet, f, true, nil)
if err != nil {
framework.Failf("failed to create NFS storageclass: %v", err)
}
err = validatePVCAndAppBinding(pvcPath, appPath, f)
if err != nil {
framework.Failf("failed to validate NFS pvc and application binding: %v", err)
}
err = deleteResource(nfsExamplePath + "storageclass.yaml")
if err != nil {
framework.Failf("failed to delete NFS storageclass: %v", err)
}
})
By("create a storageclass with sys,krb5i security and a PVC then bind it to an app", func() {
err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
"secTypes": "sys,krb5i",
})
if err != nil {
framework.Failf("failed to create NFS storageclass: %v", err)
}


@ -45,5 +45,11 @@ parameters:
# If omitted, defaults to "csi-vol-".
volumeNamePrefix: nfs-export-
# (optional) Security requirements for the NFS-export. Valid flavours
# include: none, sys, krb5, krb5i and krb5p. The <sectype-list> is a comma
# delimited string, for example "sys,krb5".
# This option is available with Ceph v17.2.6 and newer.
# secTypes: <sectype-list>
reclaimPolicy: Delete
allowVolumeExpansion: true
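Review bot: The new `secTypes` comment lists the valid flavours but does not say that every listed flavour is accepted, so the example value "sys,krb5" still lets a client mount with AUTH_SYS and no Kerberos. It also does not say which flavour applies when the parameter is omitted. I would add a line such as `# Every listed flavour is accepted; list only krb5, krb5i or krb5p to require Kerberos.` and state the default explicitly once it is confirmed against the Ceph NFS documentation.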


@ -131,6 +131,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
fs := backend.VolumeContext["fsName"]
nfsCluster := backend.VolumeContext["nfsCluster"]
path := backend.VolumeContext["subvolumePath"]
secTypes := backend.VolumeContext["secTypes"]
err := nv.setNFSCluster(nfsCluster)
if err != nil {
@ -142,12 +143,21 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
return fmt.Errorf("failed to get NFSAdmin: %w", err)
}
_, err = nfsa.CreateCephFSExport(nfs.CephFSExportSpec{
export := nfs.CephFSExportSpec{
FileSystemName: fs,
ClusterID: nfsCluster,
PseudoPath: nv.GetExportPath(),
Path: path,
})
}
if secTypes != "" {
export.SecType = []nfs.SecType{}
for _, secType := range strings.Split(secTypes, ",") {
export.SecType = append(export.SecType, nfs.SecType(secType))
}
}
_, err = nfsa.CreateCephFSExport(export)
switch {
case err == nil:
return nil
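Review bot: The loop over `strings.Split(secTypes, ",")` casts each piece to `nfs.SecType` unchanged, so a StorageClass value such as `sys, krb5i` or `sys,,krb5` reaches `CreateCephFSExport` with a padded or empty flavour. Because this list decides which authentication the export accepts, each entry should be trimmed and checked against the documented flavours (none, sys, krb5, krb5i, krb5p), and the request should fail on anything else rather than rely on the backend to reject it. The storageclass example says the option needs Ceph v17.2.6 or newer; what an older cluster does with the field is not visible here, so that case presumably deserves an explicit error too, instead of an export that is silently less restricted than requested. The e2e case only exercises `sys,krb5i`, and CreateExport starts and ends outside this hunk.

```go
	if secTypes != "" {
		// … unchanged: export.SecType initialisation …
		for _, secType := range strings.Split(secTypes, ",") {
			flavour := strings.TrimSpace(secType)
			switch flavour {
			case "none", "sys", "krb5", "krb5i", "krb5p":
				export.SecType = append(export.SecType, nfs.SecType(flavour))
			default:
				return fmt.Errorf("unsupported secTypes entry %q in %q", flavour, secTypes)
			}
		}
	}
```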