nfs: add support for clients in the StorageClass

The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified. Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
ceph · Jun 9, 2023 · c024ef9 · c024ef9
1 parent 64aa038
commit c024ef9
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/e2e/nfs.go b/e2e/nfs.go
@@ -440,6 +440,23 @@ var _ = Describe("nfs", func() {
 				}
 			})
 
+			By("create a storageclass with a list of clients allowed to mount it and a PVC then bind it to an app", func() {
+				err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+					"clients": "192.168.1.29,10.0.0.0/24",
+				})
+				if err != nil {
+					framework.Failf("failed to create NFS storageclass: %v", err)
+				}
+				err = validatePVCAndAppBinding(pvcPath, appPath, f)
+				if err != nil {
+					framework.Failf("failed to validate NFS pvc and application binding: %v", err)
+				}
+				err = deleteResource(nfsExamplePath + "storageclass.yaml")
+				if err != nil {
+					framework.Failf("failed to delete NFS storageclass: %v", err)
+				}
+			})
+
 			By("create a PVC and bind it to an app", func() {
 				err := createNFSStorageClass(f.ClientSet, f, false, nil)
 				if err != nil {

diff --git a/examples/nfs/storageclass.yaml b/examples/nfs/storageclass.yaml
@@ -51,5 +51,10 @@ parameters:
   # This option is available with Ceph v17.2.6 and newer.
   # secTypes: <sectype-list>
 
+  # (optional) List of IP addresses, hostnames or IPv4 network addresses that
+  # that these export permissions apply to. The <client-list> is a comma
+  # delimited string, for example: "192.168.0.10,192.168.1.0/8"
+  # clients: <client-list>
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
diff --git a/internal/nfs/controller/volume.go b/internal/nfs/controller/volume.go
@@ -132,6 +132,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 	nfsCluster := backend.VolumeContext["nfsCluster"]
 	path := backend.VolumeContext["subvolumePath"]
 	secTypes := backend.VolumeContext["secTypes"]
+	clients := backend.VolumeContext["clients"]
 
 	err := nv.setNFSCluster(nfsCluster)
 	if err != nil {
@@ -157,6 +158,10 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 		}
 	}
 
+	if clients != "" {
+		export.ClientAddr = strings.Split(clients, ",")
+	}
+
 	_, err = nfsa.CreateCephFSExport(export)
 	switch {
 	case err == nil: