Merge pull request #7 from travisghansen/next

CHAP

Author: travisghansen

README.md

@@ -121,6 +121,12 @@ FreeNAS side. In case of issue, follow the provisioner's logs using:
 kubectl -n kube-system logs -f freenas-iscsi-provisioner-<id>
 ```
 
+## CHAP settings
+
+You should create a secret which holds CHAP authentication credentials based on `deploy/freenas-iscsi-chap.yaml`.
+- If you have authentication enabled for the portal (discovery) then set `discovery*` parameters in the secret, and in StorageClass you should set `targetDiscoveryCHAPAuth` to `true`.
+- If you want authentication for the targets, then set `node*` parameters in the secret, and in StorageClass you should set `targetGroupAuthtype` and `targetGroupAuthgroup` accordingly, and also set `targetSessionCHAPAuth` to `true`.
+
 # Performance
 
 100 10MiB PVCs
@@ -177,7 +183,7 @@ make fmt
 - volume resizing - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/grow-volume-size.md
 - volume snapshots - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/volume-snapshotting.md
 - mount options - https://github.com/kubernetes/community/blob/master/contributors/design-proposals/storage/mount-options.md
-- CHAP
+- ~~CHAP~~
 - fsType
 - properly handle `zvol` API differences with `volsize` getting sent as string and returned as int
 - loop GetBy<foo> requests that require `limit` param

deploy/class.yaml

@@ -6,6 +6,8 @@ metadata:
 #  annotations:
 #    storageclass.kubernetes.io/is-default-class: "true"
 provisioner: freenas.org/iscsi
+# Delete|Retain
+reclaimPolicy: Delete
 allowVolumeExpansion: false
 parameters:
   # set the default filesystem
@@ -77,6 +79,28 @@ parameters:
   # default:
   #targetGroupAuthgroup:
 
+  # Whether portal discovery authentication is employed
+  # default: false
+  #targetDiscoveryCHAPAuth:
+
+  # Whether session authentication is employed
+  # default: false
+  #targetSessionCHAPAuth:
+
+  # If either of the two settings above are true, then iSCSI
+  # secretRef will be filled according to the following settings
+  #
+  # Note: once volumes have been provisioned you should NOT change
+  # the secret name or namespace settings
+  #
+  # Namespace of secret which holds iscsi credentials
+  # default: kube-system
+  #authSecretNamespace:
+
+  # Name of secret which holds iscsi credentials
+  # default: freenas-iscsi-chap
+  #authSecretName:
+
   # compression setting on the zvol
   # options: "" (inherit), lz4, gzip-9, etc
   # default: (inherit)

deploy/freenas-iscsi-chap.yaml

@@ -0,0 +1,16 @@
+kind: Secret
+apiVersion: v1
+type: kubernetes.io/iscsi-chap
+metadata:
+  namespace: kube-system
+  name: freenas-iscsi-chap
+stringData:
+  # Set the relevant auth credentials here
+  discovery.sendtargets.auth.username: ""
+  discovery.sendtargets.auth.password: ""
+  discovery.sendtargets.auth.username_in: ""
+  discovery.sendtargets.auth.password_in: ""
+  node.session.auth.username: ""
+  node.session.auth.password: ""
+  node.session.auth.username_in: ""
+  node.session.auth.password_in: ""

provisioner/provisioner.go

@@ -22,7 +22,8 @@ var (
 
 type freenasProvisionerConfig struct {
 	// common params
-	FSType string
+	FSType        string
+	ReclaimPolicy *v1.PersistentVolumeReclaimPolicy
 
 	// Provisioner options
 	ProvisionerRollbackPartialFailures bool
@@ -41,6 +42,11 @@ type freenasProvisionerConfig struct {
 	TargetGroupInitiatorgroup int
 	TargetGroupPortalgroup    int
 
+	// Authentication options
+	DiscoveryCHAPAuth bool
+	SessionCHAPAuth   bool
+	AuthSecretRef     *v1.SecretReference
+
 	// Zvol options
 	ZvolCompression string
 	ZvolDedup       string
@@ -93,6 +99,13 @@ func (p *freenasProvisioner) GetConfig(storageClassName string) (*freenasProvisi
 	var targetGroupInitiatorgroup int
 	var targetGroupPortalgroup int
 
+	// Authentication options
+	var targetDiscoveryCHAPAuth = false
+	var targetSessionCHAPAuth = false
+	var authSecretNamespace = "kube-system"
+	var authSecretName = "freenas-iscsi-chap"
+	var authSecretRef *v1.SecretReference
+
 	// zvol defaults
 	var zvolCompression string
 	var zvolDedup string
@@ -153,6 +166,16 @@ func (p *freenasProvisioner) GetConfig(storageClassName string) (*freenasProvisi
 		case "targetGroupPortalgroup":
 			targetGroupPortalgroup, _ = strconv.Atoi(v)
 
+		// Authentication options
+		case "targetDiscoveryCHAPAuth":
+			targetDiscoveryCHAPAuth, _ = strconv.ParseBool(v)
+		case "targetSessionCHAPAuth":
+			targetSessionCHAPAuth, _ = strconv.ParseBool(v)
+		case "authSecretNamespace":
+			authSecretNamespace = v
+		case "authSecretName":
+			authSecretName = v
+
 		// Zvol options
 		case "zvolCompression":
 			zvolCompression = v
@@ -216,8 +239,16 @@ func (p *freenasProvisioner) GetConfig(storageClassName string) (*freenasProvisi
 		provisionerTargetPortal = serverHost + ":3260"
 	}
 
+	if targetDiscoveryCHAPAuth || targetSessionCHAPAuth {
+		authSecretRef = &v1.SecretReference{
+			Namespace: authSecretNamespace,
+			Name:      authSecretName,
+		}
+	}
+
 	return &freenasProvisionerConfig{
-		FSType: fsType,
+		FSType:        fsType,
+		ReclaimPolicy: class.ReclaimPolicy,
 
 		// Provisioner options
 		ProvisionerRollbackPartialFailures: provisionerRollbackPartialFailures,
@@ -236,6 +267,11 @@ func (p *freenasProvisioner) GetConfig(storageClassName string) (*freenasProvisi
 		TargetGroupInitiatorgroup: targetGroupInitiatorgroup,
 		TargetGroupPortalgroup:    targetGroupPortalgroup,
 
+		// Authentication options
+		DiscoveryCHAPAuth: targetDiscoveryCHAPAuth,
+		SessionCHAPAuth:   targetSessionCHAPAuth,
+		AuthSecretRef:     authSecretRef,
+
 		// Zvol options
 		ZvolCompression: zvolCompression,
 		ZvolDedup:       zvolDedup,
@@ -554,7 +590,7 @@ func (p *freenasProvisioner) Provision(options controller.VolumeOptions) (*v1.Pe
 			},
 		},
 		Spec: v1.PersistentVolumeSpec{
-			PersistentVolumeReclaimPolicy: options.PersistentVolumeReclaimPolicy,
+			PersistentVolumeReclaimPolicy: *config.ReclaimPolicy,
 			AccessModes:                   options.PVC.Spec.AccessModes,
 			Capacity: v1.ResourceList{
 				v1.ResourceName(v1.ResourceStorage): options.PVC.Spec.Resources.Requests[v1.ResourceName(v1.ResourceStorage)],
@@ -563,16 +599,16 @@ func (p *freenasProvisioner) Provision(options controller.VolumeOptions) (*v1.Pe
 			VolumeMode: options.PVC.Spec.VolumeMode,
 			PersistentVolumeSource: v1.PersistentVolumeSource{
 				ISCSI: &v1.ISCSIPersistentVolumeSource{
-					TargetPortal:   config.ProvisionerTargetPortal,
-					Portals:        portals,
-					IQN:            iscsiConfig.Basename + ":" + iscsiName,
-					ISCSIInterface: config.ProvisionerISCSIInterface,
-					Lun:            int32(*targetToExtent.Lunid),
-					ReadOnly:       extent.Ro,
-					FSType:         config.FSType,
-					//DiscoveryCHAPAuth: false,
-					//SessionCHAPAuth:   false,
-					//SecretRef:         getSecretRef(getBool(options.Parameters["chapAuthDiscovery"]), getBool(options.Parameters["chapAuthSession"]), &v1.SecretReference{Name: viper.GetString("provisioner-name") + "-chap-secret"}),
+					TargetPortal:      config.ProvisionerTargetPortal,
+					Portals:           portals,
+					IQN:               iscsiConfig.Basename + ":" + iscsiName,
+					ISCSIInterface:    config.ProvisionerISCSIInterface,
+					Lun:               int32(*targetToExtent.Lunid),
+					ReadOnly:          extent.Ro,
+					FSType:            config.FSType,
+					DiscoveryCHAPAuth: config.DiscoveryCHAPAuth,
+					SessionCHAPAuth:   config.SessionCHAPAuth,
+					SecretRef:         config.AuthSecretRef,
 				},
 			},
 		},