nfs: add support for clients in the StorageClass

The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified. Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
ceph · Jun 29, 2023 · d204379 · d204379
1 parent 37f1d72
commit d204379
Show file tree

Hide file tree

Showing 4 changed files with 123 additions and 0 deletions.
diff --git a/e2e/nfs.go b/e2e/nfs.go
@@ -440,6 +440,68 @@ var _ = Describe("nfs", func() {
 				}
 			})
 
+			By("create a storageclass with a restricted set of clients allowed to mount it", func() {
+				clientExample := "192.168.49.29"
+				err := createNFSStorageClass(f.ClientSet, f, false, map[string]string{
+					"clients": clientExample,
+				})
+				if err != nil {
+					framework.Failf("failed to create NFS storageclass: %v", err)
+				}
+				pvc, err := loadPVC(pvcPath)
+				if err == nil {
+					framework.Failf("Could not create PVC: %v", err)
+				}
+				pvc.Namespace = f.UniqueName
+				err = createPVCAndvalidatePV(f.ClientSet, pvc, deployTimeout)
+				if err != nil {
+					framework.Failf("failed to create PVC: %v", err)
+				}
+
+				exportList, err := listExports(f, "my-nfs")
+				if err != nil {
+					framework.Failf("failed to fetch list of exports: %v", err)
+				}
+
+				framework.Logf("exports %v", exportList)
+				found := false
+				for _, export := range exportList {
+					for _, client := range export.Clients {
+						for _, address := range client.Addresses {
+							if address == clientExample {
+								found = true
+								break
+							}
+						}
+						if found == true {
+							if client.AccessType != "rw" {
+								framework.Failf("Unexpected value for client AccessType: %s", client.AccessType)
+							}
+							break
+						}
+					}
+					if found == true {
+						if export.AccessType != "none" {
+							framework.Failf("Unexpected value for default AccessType: %s", export.AccessType)
+						}
+						break
+					}
+				}
+
+				if found == false {
+					framework.Failf("Could not find the configured clients in the list of exports")
+				}
+
+				err = deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
+				if err != nil {
+					framework.Failf("failed to delete PVC: %v", err)
+				}
+				err = deleteResource(nfsExamplePath + "storageclass.yaml")
+				if err != nil {
+					framework.Failf("failed to delete NFS storageclass: %v", err)
+				}
+			})
+
 			By("create a PVC and bind it to an app", func() {
 				err := createNFSStorageClass(f.ClientSet, f, false, nil)
 				if err != nil {

diff --git a/e2e/utils.go b/e2e/utils.go
@@ -129,6 +129,56 @@ func listCephFSFileSystems(f *framework.Framework) ([]cephfsFilesystem, error) {
 	return fsList, nil
 }
 
+type nfsExportsFSAL struct {
+	Name   string `json:"name"`
+	UserID string `json:"user_id"`
+	FSName string `json:"fs_name"`
+}
+
+type nfsExportsClients struct {
+	Addresses  []string `json:"addresses"`
+	AccessType string   `json:"access_type"`
+	Squash     string   `json:"squash"`
+}
+
+type cephNFSExport struct {
+	ExportID      string              `json:"export_id"`
+	Path          string              `json:"path"`
+	ClusterID     string              `json:"cluster_id"`
+	Pseudo        string              `json:"pseudo"`
+	AccessType    string              `json:"access_type"`
+	Squash        string              `json:"squash"`
+	SecurityLabel string              `json:"security_label"`
+	Protocols     []int               `json:"protocols"`
+	Transports    []string            `json:"transports"`
+	FSAL          nfsExportsFSAL      `json:"fsal"`
+	Clients       []nfsExportsClients `json:"clients"`
+	SecTypes      []string            `json:"secTypes"`
+}
+
+// Get list of exports for a cluster_id
+func listExports(f *framework.Framework, clusterID string) ([]cephNFSExport, error) {
+	var exportList []cephNFSExport
+
+	stdout, stdErr, err := execCommandInToolBoxPod(
+		f,
+		"ceph nfs export ls "+clusterID+" --detailed",
+		rookNamespace)
+	if err != nil {
+		return exportList, err
+	}
+	if stdErr != "" {
+		return exportList, fmt.Errorf("error listing exports in clusterID %v", stdErr)
+	}
+
+	err = json.Unmarshal([]byte(stdout), &exportList)
+	if err != nil {
+		return exportList, err
+	}
+
+	return exportList, nil
+}
+
 // getCephFSMetadataPoolName get CephFS pool name from filesystem name.
 func getCephFSMetadataPoolName(f *framework.Framework, filesystem string) (string, error) {
 	fsList, err := listCephFSFileSystems(f)

diff --git a/examples/nfs/storageclass.yaml b/examples/nfs/storageclass.yaml
@@ -51,5 +51,11 @@ parameters:
   # This option is available with Ceph v17.2.6 and newer.
   # secTypes: <sectype-list>
 
+  # (optional) The clients parameter in the storage class is used to limit
+  # access to the export to the set of hostnames, networks or ip addresses
+  # specified.  The <client-list> is a comma delimited string,
+  # for example: "192.168.0.10,192.168.1.0/8"
+  # clients: <client-list>
+
 reclaimPolicy: Delete
 allowVolumeExpansion: true
diff --git a/internal/nfs/controller/volume.go b/internal/nfs/controller/volume.go
@@ -132,6 +132,7 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 	nfsCluster := backend.VolumeContext["nfsCluster"]
 	path := backend.VolumeContext["subvolumePath"]
 	secTypes := backend.VolumeContext["secTypes"]
+	clients := backend.VolumeContext["clients"]
 
 	err := nv.setNFSCluster(nfsCluster)
 	if err != nil {
@@ -157,6 +158,10 @@ func (nv *NFSVolume) CreateExport(backend *csi.Volume) error {
 		}
 	}
 
+	if clients != "" {
+		export.ClientAddr = strings.Split(clients, ",")
+	}
+
 	_, err = nfsa.CreateCephFSExport(export)
 	switch {
 	case err == nil: