nfs: add support for secTypes parameter in StorageClass #3434

Merged
merged 1 commit into from
May 4, 2023

nixpanic
Member

@nixpanic nixpanic commented Oct 13, 2022

CephNFS can enable different security flavours for exported volumes.
This can be configured in the optional secTypes parameter in the
StorageClass.

Depends-on: ceph/ceph#48531
Related: rook/rook#11869
Closes: #3387


Show available bot commands

These commands are normally not required, but in case of issues, leave any of
the following bot commands in an otherwise empty comment in this PR:

  • /retest ci/centos/<job-name>: retest the <job-name> after unrelated
    failure (please report the failure too!)
  • /retest all: run this in case the CentOS CI failed to start/report any test
    progress or results

@mergify mergify bot added the component/nfs Issues related to NFS label Oct 13, 2022
@mergify
Contributor

mergify bot commented Oct 19, 2022

This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏

@nixpanic nixpanic force-pushed the nfs/provisioner/sectypes branch 2 times, most recently from a8d6bbf to 9a746d0 Compare November 3, 2022 13:53
@nixpanic
Member Author

nixpanic commented Nov 3, 2022

/test ci/centos/mini-e2e-helm/k8s-1.25

@mergify
Contributor

mergify bot commented Nov 8, 2022

This pull request now has conflicts with the target branch. Could you please resolve conflicts and force push the corrected changes? 🙏

@nixpanic
Member Author

/test ci/centos/mini-e2e-helm/k8s-1.26

@github-actions

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions.

@nixpanic
Member Author

https://lists.ceph.io/hyperkitty/list/[email protected]/thread/F4BKECRD2MQ3D7DEQBLU7OPYZINDXAFG/ announces that Ceph 17.2.6 RC is available. Once the release is done, and the updated container-image is mirrored in the CI, this PR can be rebased and tested.

@nixpanic nixpanic marked this pull request as ready for review March 31, 2023 09:40
@nixpanic nixpanic requested a review from a team March 31, 2023 09:41
@nixpanic
Member Author

@spuiuk you are probably interested in this 😃

@nixpanic
Member Author

v17.2.6 Quincy has been released, so this can finally be tested

@nixpanic
Member Author

/test ci/centos/mini-e2e/k8s-1.27

@nixpanic nixpanic added the dependency/ceph depends on core Ceph functionality label Apr 20, 2023
@nixpanic
Member Author

@Mergifyio rebase

@mergify
Contributor

mergify bot commented Apr 21, 2023

rebase

✅ Branch has been successfully rebased

@Rakshith-R Rakshith-R self-requested a review May 2, 2023 05:02

By("create a storageclass with sys,krb5i security and a PVC then bind it to an app", func() {
err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
"secTypes": "sys,krb5i",
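Review bot: The value `"sys,krb5i"` passed as `secTypes` still allows `sys`, so creating the PVC and binding it to an app succeeds over AUTH_SYS whether or not `krb5i` ever reached the export; this case only shows that the parameter is accepted. Consider asserting on the security flavours of the created export, and adding a negative case with an unknown flavour to show whether bad input is rejected. The positional `false` argument to `createNFSStorageClass` would also read better with a short comment naming what it toggles.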
Collaborator

Add validation to ensure the secTypes are set in the exported path?

Member Author

that is difficult... Ceph Mgr generates a configuration snippet in json-like format for NFS-Ganesha, and stores it directly in some internal RADOS pool. We would need to fetch that configuration snippet and parse the NFS-Ganesha options. Possible, but difficult.

In the (hopefully) near future, we should be able to do a mount with Kerberos. Once that functionality lands, exporting with Kerberos will be automatically tested.
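
The check discussed in the reply above (fetch the generated NFS-Ganesha export and parse its options), shown as an added example that is not part of ceph-csi or of this PR. It assumes the export text has already been read from the RADOS pool and carries a Ganesha `SecType` line; `normalize`, `exportMatches` and the sample export block are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Flavours the StorageClass comment on this page lists as valid.
var valid = map[string]bool{"none": true, "sys": true, "krb5": true, "krb5i": true, "krb5p": true}

// secTypeLine matches a Ganesha option such as: SecType = "sys", "krb5i";
var secTypeLine = regexp.MustCompile(`(?im)^\s*sectype\s*=\s*([^;]+);`)

// normalize splits a comma delimited list, strips quotes and spaces, rejects unknown flavours, sorts.
func normalize(list string) ([]string, error) {
	var out []string
	for _, s := range strings.Split(list, ",") {
		s = strings.Trim(strings.TrimSpace(s), `"`)
		if !valid[s] {
			return nil, fmt.Errorf("unknown security flavour %q", s)
		}
		out = append(out, s)
	}
	sort.Strings(out)
	return out, nil
}

// exportMatches reports whether the export carries exactly the requested flavours, in any order.
func exportMatches(secTypes, exportConf string) (bool, error) {
	want, err := normalize(secTypes)
	if err != nil {
		return false, err
	}
	m := secTypeLine.FindStringSubmatch(exportConf)
	if m == nil {
		return false, fmt.Errorf("export has no SecType option")
	}
	got, err := normalize(m[1])
	return err == nil && strings.Join(want, ",") == strings.Join(got, ","), err
}

// Constructed sample export block, not captured from a real cluster.
const sampleExport = "EXPORT {\n  Export_ID = 1;\n  SecType = \"sys\", \"krb5i\";\n}"

func main() {
	fmt.Println(exportMatches("sys,krb5i", sampleExport))
}
```
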

@@ -45,5 +45,10 @@ parameters:
# If omitted, defaults to "csi-vol-".
volumeNamePrefix: nfs-export-

# (optional) Security requirements for the NFS-export. Valid flavours
# include: none, sys, krb5, krb5i and krb5p. The <sectype-list> is a comma
# delimited string, for example "sys,krb5".
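Review bot: The comment on `secTypes` does not say what the export uses when the parameter is omitted, while the `volumeNamePrefix` comment just above does ("If omitted, defaults to ..."); add the default here as well. It would also help to state that the list names every flavour a client may choose, so the example "sys,krb5" still admits clients using `sys` without Kerberos, and a StorageClass meant to require Kerberos should list only krb5, krb5i or krb5p.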
Collaborator

Good to mention the supported ceph version for this option

Member Author

Sure, I can include that now the changes are included in Ceph.

CephNFS can enable different security flavours for exported volumes.
This can be configured in the optional `secTypes` parameter in the
StorageClass.

Signed-off-by: Niels de Vos <[email protected]>
@nixpanic nixpanic requested review from Madhu-1 and a team May 3, 2023 15:14
@Madhu-1 Madhu-1 requested a review from a team May 3, 2023 15:47
@nixpanic
Member Author

nixpanic commented May 4, 2023

@Mergifyio rebase

@mergify
Contributor

mergify bot commented May 4, 2023

rebase

✅ Nothing to do for rebase action

@nixpanic nixpanic added the ok-to-test Label to trigger E2E tests label May 4, 2023
@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/k8s-e2e-external-storage/1.24

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/k8s-e2e-external-storage/1.25

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/k8s-e2e-external-storage/1.26

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/k8s-e2e-external-storage/1.27

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e-helm/k8s-1.24

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e-helm/k8s-1.25

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e-helm/k8s-1.26

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e-helm/k8s-1.27

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e/k8s-1.24

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e/k8s-1.25

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e/k8s-1.26

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/mini-e2e/k8s-1.27

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/upgrade-tests-cephfs

@github-actions

github-actions bot commented May 4, 2023

/test ci/centos/upgrade-tests-rbd

@github-actions github-actions bot removed the ok-to-test Label to trigger E2E tests label May 4, 2023
@nixpanic
Member Author

nixpanic commented May 4, 2023

@Mergifyio queue

@mergify
Contributor

mergify bot commented May 4, 2023

queue

✅ The pull request has been merged automatically

The pull request has been merged automatically at 8265abc

@mergify mergify bot merged commit 8265abc into ceph:devel May 4, 2023
Labels
component/nfs Issues related to NFS dependency/ceph depends on core Ceph functionality
Successfully merging this pull request may close these issues.

Support creating NFS-volumes that requires clients to authenticate with Kerberos
3 participants