nfs: add support for clients in the StorageClass
#3895
Conversation
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
From my own testing. Storage-Class: Test PVC created from The resulting exports block created by the CSI driver. |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
examples/nfs/storageclass.yaml
Outdated
| # (optional) List of IP addresses, hostnames or IPv4 network addresses that | ||
| # that these export permissions apply to. The <client-list> is a comma |
There was a problem hiding this comment.
Let's word it similar to the commit message and make it clear that only these clients will be able to access
the export ?
e2e/nfs.go
Outdated
| if err != nil { | ||
| framework.Failf("failed to create NFS storageclass: %v", err) | ||
| } | ||
| err = validatePVCAndAppBinding(pvcPath, appPath, f) |
There was a problem hiding this comment.
Do you expect this to fail, or succeed? I don't know what IP-address is used while testing, so using an IP-address that definitely won't be used might be best to check if mounting fails?
The test currently fails:
�[1mSTEP:�[0m create a storageclass with a list of clients allowed to mount it and a PVC then bind it to an app �[38;5;243m@ 06/12/23 10:55:40.376�[0m
Jun 12 10:55:40.380: INFO: ExecWithOptions {Command:[/bin/sh -c ceph fsid] Namespace:rook-ceph PodName:rook-ceph-tools-cbdbf594c-cwdfj ContainerName:rook-ceph-tools Stdin:<nil> CaptureStdout:true CaptureStderr:true PreserveWhitespace:true Quiet:false}
Jun 12 10:55:40.381: INFO: >>> kubeConfig: /root/.kube/config
Jun 12 10:55:40.381: INFO: ExecWithOptions: Clientset creation
Jun 12 10:55:40.381: INFO: ExecWithOptions: execute(POST https://192.168.49.2:8443/api/v1/namespaces/rook-ceph/pods/rook-ceph-tools-cbdbf594c-cwdfj/exec?command=%2Fbin%2Fsh&command=-c&command=ceph+fsid&container=rook-ceph-tools&container=rook-ceph-tools&stderr=true&stdout=true)
Jun 12 10:55:41.014: INFO: Waiting up to &PersistentVolumeClaim{ObjectMeta:{cephcsi-nfs-pvc nfs-9603 0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[] map[] [] [] []},Spec:PersistentVolumeClaimSpec{AccessModes:[ReadWriteMany],Resources:ResourceRequirements{Limits:ResourceList{},Requests:ResourceList{storage: {{1073741824 0} {<nil>} 1Gi BinarySI},},Claims:[]ResourceClaim{},},VolumeName:,Selector:nil,StorageClassName:*csi-nfs-sc,VolumeMode:nil,DataSource:nil,DataSourceRef:nil,},Status:PersistentVolumeClaimStatus{Phase:,AccessModes:[],Capacity:ResourceList{},Conditions:[]PersistentVolumeClaimCondition{},AllocatedResources:ResourceList{},ResizeStatus:nil,},} to be in Bound state
Jun 12 10:55:41.014: INFO: waiting for PVC cephcsi-nfs-pvc (0 seconds elapsed)
Jun 12 10:55:43.016: INFO: waiting for PVC cephcsi-nfs-pvc (2 seconds elapsed)
Jun 12 10:55:43.021: INFO: Waiting for PV pvc-c2f7bf8f-7300-4ade-959d-2198a50677d8 to bind to PVC cephcsi-nfs-pvc
Jun 12 10:55:43.021: INFO: Waiting up to timeout=10m0s for PersistentVolumeClaims [cephcsi-nfs-pvc] to have phase Bound
Jun 12 10:55:43.023: INFO: PersistentVolumeClaim cephcsi-nfs-pvc found and phase=Bound (1.967893ms)
Jun 12 10:55:43.023: INFO: Waiting up to 10m0s for PersistentVolume pvc-c2f7bf8f-7300-4ade-959d-2198a50677d8 to have phase Bound
Jun 12 10:55:43.025: INFO: PersistentVolume pvc-c2f7bf8f-7300-4ade-959d-2198a50677d8 found and phase=Bound (2.020311ms)
Jun 12 10:55:43.034: INFO: Waiting up to cephcsi-nfs-demo-pod to be in Running state
�[38;5;9m[FAILED]�[0m in [It] - /go/src/github.com/ceph/ceph-csi/e2e/nfs.go:452 �[38;5;243m@ 06/12/23 11:05:43.035�[0m
Jun 12 11:05:43.060: INFO: Logs of cephcsi-e2e-35924b08/csi-nfsplugin-provisioner-7cb7dbcffb-jrwt5:csi-provisioner on node minikubeThere was a problem hiding this comment.
I didn't realise that it actually mounts and tests it. I thought it simply built the exports file and attached it to confirm that the configuration file is build as expected and no errors were detected. I'll investigate this further.
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
1 similar comment
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
1 similar comment
|
/test ci/centos/mini-e2e/k8s-1.27 |
e2e/nfs.go
Outdated
| found := false | ||
| for _, export := range exportList { | ||
| for _, client := range export.Clients { | ||
| for _, address := range client.Addresses { | ||
| if address == clientExample { | ||
| found = true | ||
| break | ||
| } | ||
| } | ||
| if found == true { | ||
| if client.AccessType != "rw" { | ||
| framework.Failf("Unexpected value for client AccessType: %s", client.AccessType) | ||
| } | ||
| break | ||
| } | ||
| } | ||
| if found == true { | ||
| if export.AccessType != "none" { | ||
| framework.Failf("Unexpected value for default AccessType: %s", export.AccessType) | ||
| } | ||
| break | ||
| } | ||
| } |
There was a problem hiding this comment.
Move this to a helper function which does all the check and return error or nil
| pvc, err := loadPVC(pvcPath) | ||
| if err == nil { | ||
| framework.Failf("Could not create PVC: %v", err) | ||
| } |
There was a problem hiding this comment.
Dont we need to create PVC here and ensure its bound?
There was a problem hiding this comment.
Yes. You are right. I am still experimenting with this code and unfortunately the only easy way to test it is to send it to the PR. Thanks for the review but it isn't ready yet. I'll post it when the code is closer to being ready.
| # access to the export to the set of hostnames, networks or ip addresses | ||
| # specified. The <client-list> is a comma delimited string, | ||
| # for example: "192.168.0.10,192.168.1.0/8" | ||
| # clients: <client-list> |
There was a problem hiding this comment.
Is there a chance we need these IP's to be ever changed on the existing PVC?
There was a problem hiding this comment.
There could be requirements to change the ip addresses in the figure. There isn't an easy solution for that and will need users to use a new storageclass with the new set of ips. Unfortunately that is a limitation of this particular design.
There was a problem hiding this comment.
Is it possible to move this configuration to the configmap here https://github.com/ceph/ceph-csi/blob/devel/deploy/csi-config-map-sample.yaml#L68?
There was a problem hiding this comment.
Not sure how practical that is. Changing the client list after the fact is not something that can (easily) be done through Ceph Mgr once the NFS-export has been created. As the StorageClass parameters are immutable, it shows the right behavior (and difficulties for changing options).
The current design allows creation of different StorageClasses with different client-lists. It becomes ugly and more error prone if that is placed in a ConfigMap.
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
1 similar comment
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
I don't immediately see why the ci fails, it complains about |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
2 similar comments
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
@Mergifyio queue |
🛑 The pull request has been removed from the queue
|
|
@Mergifyio refresh |
✅ Pull request refreshed |
|
@Mergifyio rebase |
The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified. Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
✅ Branch has been successfully rebased |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/k8s-e2e-external-storage/1.26 |
|
/test ci/centos/k8s-e2e-external-storage/1.27 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.26 |
|
/test ci/centos/mini-e2e-helm/k8s-1.27 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.26 |
|
/test ci/centos/mini-e2e/k8s-1.27 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
/retest ci/centos/mini-e2e-helm/k8s-1.25 |
The clients parameter in the storage class is used to limit access to the export to the set of hostnames, networks or ip addresses specified.
Describe what this PR does
This PR addresses the requirements in Issue #3852 allowing users to specify hostname, networks and ip addresses allowed to access the NFS volume.
Related issues
Fixes: #3852
Future concerns
Users may want to add different access_types for different clients. However this is not supported by go-ceph at the moment. We may have to review this change once we can set this up with go-ceph.