Allow users to specify client lists allowed to access a NFS share #3852

Closed
spuiuk opened this issue May 23, 2023 · 1 comment · Fixed by #3895
Labels: component/nfs (Issues related to NFS), enhancement (New feature or request)

Comments

@spuiuk
Contributor

spuiuk commented May 23, 2023

NFS-Ganesha allows users to specify client lists which are allowed to access the nfs share.

These are specified in the EXPORT { CLIENT {} } block
https://manpages.ubuntu.com/manpages/bionic/man8/ganesha-export-config.8.html

What is the value to the end user? (why is it a priority?)

Can limit the hosts/networks which can access a NFS share.

How will we know we have a good solution? (acceptance criteria)

Allow users to add the CLIENT lists for an NFS share.

Additional context

https://manpages.ubuntu.com/manpages/bionic/man8/ganesha-export-config.8.html
EXPORT { CLIENT {} } section.

@nixpanic nixpanic added enhancement New feature or request component/nfs Issues related to NFS labels May 23, 2023
@Rakshith-R Rakshith-R added this to the release-v3.9 milestone May 25, 2023
@spuiuk
Contributor Author

spuiuk commented Jun 8, 2023

Testing with a simple patch
spuiuk@adf845a

The following storageclass yaml

```yaml
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: rook-nfs
provisioner: rook-ceph.nfs.csi.ceph.com
parameters:
  nfsCluster: my-nfs
  server: rook-ceph-nfs-my-nfs-a
  clusterID: rook-ceph
  fsName: myfs
  pool: myfs-replicated
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
  secTypes: sys,krb5
  clients: 192.168.23.1/24, 192.168.1.1/24
reclaimPolicy: Delete
allowVolumeExpansion: true
mountOptions:
```

resulted in the following EXPORT{} block within nfs-ganesha

```
EXPORT {
    FSAL {
        name = "CEPH";
        user_id = "nfs.my-nfs.1";
        filesystem = "myfs";
        secret_access_key = "AQDLAYJkh0keFhAAgh+Sf+tINF4Ey6njPM1Q6Q==";
    }
    CLIENT {
        clients = 192.168.23.1/24,  192.168.1.1/24;
        access_type = "rw";
        squash = "none";
    }
    export_id = 1;
    path = "/volumes/csi/csi-vol-6de5150b-c0d5-4304-873b-1d9f8c948d4f/cefc8b50-1e63-4103-8ce8-d7b7c1ae0b77";
    pseudo = "/0001-0009-rook-ceph-0000000000000001-6de5150b-c0d5-4304-873b-1d9f8c948d4f";
    access_type = "none";
    squash = "none";
    attr_expiration_time = 0;
    security_label = true;
    protocols = 4;
    transports = "TCP";
    SecType = "sys", "krb5";
}
```

As can be seen, access_type is set to 'none' in the main block but the CLIENT {} created for the listed network addresses has access_type set to 'rw'. This results in access being blocked to all clients except for the ones listed within the CLIENT{} block.
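The deny-by-default layout described in the comment above (export-wide `access_type = "none"`, `access_type = "rw"` only inside `CLIENT {}`), as an added Go example. This is not code from ceph-csi, Rook or NFS-Ganesha; the `Export` type, `ParseClients`, `NewExport`, `EffectiveAccess` and `Render` are this example's own names, the `clients` string is constructed to match the StorageClass in the comment, and modelling Ganesha's client matching as CIDR prefix containment is an assumption of the example. It normalises the host addresses in the parameter (`192.168.23.1/24` is really the range `192.168.23.0/24`), rejects malformed or empty lists before anything reaches the export, and resolves which `access_type` a given source address would receive:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Export holds the two Ganesha settings that decide host-level access in the
// layout the issue shows: the export-wide access_type and one CLIENT {} block
// that overrides it for the listed networks. Names are this example's own.
type Export struct {
	DefaultAccess string       // access_type in the EXPORT {} body
	ClientAccess  string       // access_type inside CLIENT {}
	Clients       []*net.IPNet // prefixes listed in CLIENT { clients = ...; }
}

// ParseClients turns the StorageClass "clients" parameter into canonical
// prefixes. Host bits are dropped (192.168.23.1/24 -> 192.168.23.0/24), which
// is the range the match actually covers; a bare address becomes a /32 or /128.
func ParseClients(param string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, raw := range strings.Split(param, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		if !strings.Contains(raw, "/") {
			ip := net.ParseIP(raw)
			if ip == nil {
				return nil, fmt.Errorf("invalid client address %q", raw)
			}
			bits := 32
			if ip.To4() == nil {
				bits = 128
			}
			raw = fmt.Sprintf("%s/%d", ip, bits)
		}
		_, n, err := net.ParseCIDR(raw)
		if err != nil {
			return nil, fmt.Errorf("invalid client prefix %q: %w", raw, err)
		}
		nets = append(nets, n)
	}
	if len(nets) == 0 {
		return nil, fmt.Errorf("clients parameter %q lists no addresses", param)
	}
	return nets, nil
}

// NewExport builds the deny-by-default export from the issue: "none" for
// everyone at the export level, "rw" only inside the CLIENT block.
func NewExport(clientsParam string) (*Export, error) {
	nets, err := ParseClients(clientsParam)
	if err != nil {
		return nil, err
	}
	return &Export{DefaultAccess: "none", ClientAccess: "rw", Clients: nets}, nil
}

// EffectiveAccess resolves what a connecting address gets: the CLIENT block's
// access_type when the address is inside one of its prefixes, otherwise the
// export-wide default. Prefix containment is this example's model of matching.
func (e *Export) EffectiveAccess(clientIP string) (string, error) {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return "", fmt.Errorf("invalid client IP %q", clientIP)
	}
	for _, n := range e.Clients {
		if n.Contains(ip) {
			return e.ClientAccess, nil
		}
	}
	return e.DefaultAccess, nil
}

// Render prints the access-relevant lines in Ganesha's EXPORT {} syntax.
func (e *Export) Render() string {
	cidrs := make([]string, 0, len(e.Clients))
	for _, n := range e.Clients {
		cidrs = append(cidrs, n.String())
	}
	var b strings.Builder
	b.WriteString("EXPORT {\n    CLIENT {\n")
	fmt.Fprintf(&b, "        clients = %s;\n", strings.Join(cidrs, ", "))
	fmt.Fprintf(&b, "        access_type = %q;\n    }\n", e.ClientAccess)
	fmt.Fprintf(&b, "    access_type = %q;\n}\n", e.DefaultAccess)
	return b.String()
}

func main() {
	// Constructed input: the same clients string as the StorageClass above.
	e, err := NewExport("192.168.23.1/24, 192.168.1.1/24")
	if err != nil {
		panic(err)
	}
	fmt.Print(e.Render())
	for _, ip := range []string{"192.168.23.77", "192.168.1.200", "10.0.0.5"} {
		a, _ := e.EffectiveAccess(ip)
		fmt.Printf("%-15s -> access_type %s\n", ip, a)
	}
}
```

Two things worth keeping in mind when relying on this gate: the match is on the source address of the NFS connection, so a listed network is trusted by address alone, and with `secTypes: sys` there is no stronger identity check behind it; and the generated `CLIENT {}` block carries `squash = "none"`, so root on an allowed host stays root on the share.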
