feat: storageclass CHAP support

Add support for enabling CHAP at the storageclass level. CHAP secrets
can be specified in a secrets object and are passed to NodePublishVolume

README.md

@@ -113,8 +113,8 @@ oc adm policy add-scc-to-user exos-x-csi-access -z csi-provisioner -n NAMESPACE
 #### Configure your release
 
 - Update `helm/csi-charts/values.yaml` to match your configuration settings.
-- Update `example/secret-example1.yaml` with your storage controller credentials.
-- Update `example/storageclass-example1.yaml` with your storage controller values.
+- Update `example/secret-example1.yaml` with your storage controller credentials. Use `example/secret-example2-CHAP.yaml` if you wish to specify CHAP credentials as well. 
+- Update `example/storageclass-example1.yaml` with your storage controller values. Use `example/storageclass-example2-CHAP.yaml` if you are using CHAP authentication
 - Update `example/testpod-example1.yaml` with any of you new values.
 
 ## Documentation

example/secret-example2-CHAP.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: seagate-exos-x-csi-secrets
+  namespace: default
+type: Opaque
+data:
+  apiAddress: aHR0cDovLzxpcGFkZHJlc3M+ # base64 encoded api address 'http://<ipaddress>'
+  username: dXNlcm5hbWU= # base64 encoded 'username'
+  password: cGFzc3dvcmQ= # base64 encoded 'password'
+  CHAPusername: ZXhhbXBsZVVzZXJuYW1l # base64 'exampleUsername'. The CHAP username
+  CHAPpassword: ZXhhbXBsZXNlY3JldA== # base64 'examplesecret'. The secret that the recipient uses to authenticate the originator. The secret is case sensitive and can include from 12 to 16 bytes. The value can include spaces and printable UTF-8 characters except: " <
+  CHAPusernameIn: aXFuLjE5OTItMDkuY29tLmV4YW1wbGU6MDEuYXJyYXkuMDAxMjM0YQ== # base64 'iqn.1992-09.com.example:01.array.001234a'. The target name, typically in IQN format. This value is optional, used for Mutual CHAP.
+  CHAPpasswordIn: bXV0dWFsc2VjcmV0 # base64 encoded 'mutualsecret'.  The secret is case sensitive, can include from 12 to 16 bytes, and must differ from the originator secret. This value is optional, used for Mutual CHAP

example/storageclass-example2-CHAP.yaml

@@ -0,0 +1,21 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+provisioner: csi-exos-x.seagate.com # Check pkg/driver.go, Required for the plugin to recognize this storage class as handled by itself.
+volumeBindingMode: WaitForFirstConsumer # Prefer this value to avoid unschedulable pods (https://kubernetes.io/docs/concepts/storage/storage-classes/#volume-binding-mode)
+allowVolumeExpansion: true
+metadata:
+  name: systems-storageclass # Choose the name that fits the best with your StorageClass.
+parameters:
+  # Secrets name and namespace, they can be the same for provisioner, controller-publish and controller-expand sections. node-publish secrets are for CHAP authentication
+  csi.storage.k8s.io/provisioner-secret-name: seagate-exos-x-csi-secrets
+  csi.storage.k8s.io/provisioner-secret-namespace: default
+  csi.storage.k8s.io/controller-publish-secret-name: seagate-exos-x-csi-secrets
+  csi.storage.k8s.io/controller-publish-secret-namespace: default
+  csi.storage.k8s.io/controller-expand-secret-name: seagate-exos-x-csi-secrets
+  csi.storage.k8s.io/controller-expand-secret-namespace: default
+  csi.storage.k8s.io/node-publish-secret-name:  seagate-exos-x-csi-secrets  # Secrets for CHAP authentication
+  csi.storage.k8s.io/node-publish-secret-namespace: default   # If you are not using CHAP authentication, these lines may be omitted. 
+  csi.storage.k8s.io/fstype: ext4 # Desired filesystem
+  pool: A # Pool to use on the IQN to provision volumes
+  volPrefix: csi # Desired prefix for volume naming. 3 chars max; an underscore will be appended.
+  storageProtocol: iscsi # The storage interface (iscsi, fc, sas) being used for storage i/o

pkg/common/driver.go

@@ -29,6 +29,10 @@ const (
 	APIAddressConfigKey       = "apiAddress"
 	UsernameSecretKey         = "username"
 	PasswordSecretKey         = "password"
+	CHAPUsernameKey           = "CHAPusername"
+	CHAPSecretKey             = "CHAPpassword"
+	CHAPUsernameInKey         = "CHAPusernameIn"
+	CHAPPasswordInKey         = "CHAPpasswordIn"
 	StorageClassAnnotationKey = "storageClass"
 	VolumePrefixKey           = "volPrefix"
 	WWNs                      = "wwns"

pkg/storage/iscsiNode.go

@@ -106,11 +106,39 @@ func (iscsi *iscsiStorage) NodePublishVolume(ctx context.Context, req *csi.NodeP
 			}
 		}
 	}
+
+	// If CHAP secrets have been specified, include them in the iscsilib Connector
+	doCHAPAuth := false
+	authType := ""
+	var iscsiSecrets iscsilib.Secrets
+	if reqSecrets := req.GetSecrets(); reqSecrets != nil {
+		CHAPusername := reqSecrets[common.CHAPUsernameKey]
+		CHAPpassword := reqSecrets[common.CHAPSecretKey]
+		CHAPusernameIn := reqSecrets[common.CHAPUsernameInKey]
+		CHAPpasswordIn := reqSecrets[common.CHAPPasswordInKey]
+		if CHAPusername != "" && CHAPpassword != "" {
+			doCHAPAuth = true
+			authType = "chap"
+			iscsiSecrets = iscsilib.Secrets{
+				SecretsType: "chap",
+				UserName:    CHAPusername,
+				Password:    CHAPpassword,
+				UserNameIn:  CHAPusernameIn,
+				PasswordIn:  CHAPpasswordIn,
+			}
+		}
+	}
+
+	klog.V(4).InfoS("iscsi connector setup", "AuthType", authType, "Targets", targets, "Lun", lun)
 	connector := iscsilib.Connector{
-		Targets:     targets,
-		Lun:         int32(lun),
-		DoDiscovery: true,
-		RetryCount:  20,
+		AuthType:         authType,
+		Targets:          targets,
+		Lun:              int32(lun),
+		DoDiscovery:      true,
+		DoCHAPDiscovery:  doCHAPAuth,
+		DiscoverySecrets: iscsiSecrets,
+		SessionSecrets:   iscsiSecrets,
+		RetryCount:       20,
 	}
 
 	path, err := iscsilib.Connect(&connector)