iSCSI CHAP support #43396
iSCSI CHAP support #43396
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
needs-rebase
k8s-github-robot
removed
the
needs-rebase
|
@kubernetes/sig-storage-misc |
|
/assign @jsafrane |
rootfs
force-pushed
the
iscsi-chap
branch
2 times, most recently
from
e0c259c
to
5c4c306
Compare
pkg/api/types.go
Outdated
| // Optional: whether support iSCSI Session CHAP authentication | ||
| // +optional | ||
| SessionCHAPAuth bool | ||
| // Optional: CHAP secret for iSCSI target and initiator authentication |
There was a problem hiding this comment.
Please add a note when this parameter is required.
pkg/api/validation/validation.go
Outdated
| @@ -580,6 +580,9 @@ func validateISCSIVolumeSource(iscsi *api.ISCSIVolumeSource, fldPath *field.Path | |||
| if iscsi.Lun < 0 || iscsi.Lun > 255 { | |||
| allErrs = append(allErrs, field.Invalid(fldPath.Child("lun"), iscsi.Lun, validation.InclusiveRangeError(0, 255))) | |||
| } | |||
| if iscsi.DiscoveryCHAPAuth == true && iscsi.SessionCHAPAuth == true && iscsi.SecretRef == nil { | |||
There was a problem hiding this comment.
the unit test below expects (iscsi.DiscoveryCHAPAuth == true || iscsi.SessionCHAPAuth == true) && iscsi.SecretRef == nil. And checking for boolVariable == true looks weird...
pkg/volume/iscsi/iscsi_util.go
Outdated
| } | ||
|
|
||
| } | ||
| for _, k := range chap_st { |
There was a problem hiding this comment.
do we want to fill the username/secret when b.chap_discovery is false?
pkg/volume/iscsi/iscsi_util.go
Outdated
| } | ||
|
|
||
| } | ||
| for _, k := range chap_sess { |
There was a problem hiding this comment.
do we want to fill the username/secret when b.chap_session is false?
| // build discoverydb and discover iscsi target | ||
| b.plugin.execCommand("iscsiadm", []string{"-m", "discoverydb", "-t", "sendtargets", "-p", tp, "-I", b.iface, "-o", "new"}) | ||
| // update discoverydb with CHAP secret | ||
| err = updateISCSIDiscoverydb(b, tp) |
There was a problem hiding this comment.
You should clear username/password on error
pkg/volume/iscsi/iscsi_util.go
Outdated
| last_err = fmt.Errorf("iscsi: failed to sendtargets to portal %s output: %s, err %v", tp, string(out), err) | ||
| continue | ||
| } | ||
| err = updateISCSINode(b, tp) |
There was a problem hiding this comment.
You should clear username/password on error
pkg/volume/iscsi/iscsi_util.go
Outdated
| // update discoverydb with CHAP secret | ||
| err = updateISCSIDiscoverydb(b, tp) | ||
| if err != nil { | ||
| last_err = fmt.Errorf("iscsi: failed to update discoverydb to portal %s error: %v", tp, err) |
There was a problem hiding this comment.
IMO you should log the errors here (and everywhere where last_err is used), maybe as warnings or info, so we can see all the errors and not only the last one in the logs.
| @@ -133,16 +188,28 @@ func (util *ISCSIUtil) AttachDisk(b iscsiDiskMounter) error { | |||
| } | |||
| exist := waitForPathToExist(devicePath, 1, iscsiTransport) | |||
There was a problem hiding this comment.
Can this waitForPathToExist ever succeed if we know that CHAP is enabled and we did not set username / password? IMO it adds unnecessary 1 second delay.
There was a problem hiding this comment.
this is to detect if the devices are already created. 1 is retry.
pkg/volume/iscsi/iscsi_util.go
Outdated
| @@ -307,6 +307,13 @@ func (util *ISCSIUtil) DetachDisk(c iscsiDiskUnmounter, mntPath string) error { | |||
| glog.Errorf("iscsi: failed to detach disk Error: %s", string(out)) | |||
| } | |||
| } | |||
| // delete the node record from database | |||
There was a problem hiding this comment.
this does not look like README change
| // whether support iSCSI Discovery CHAP authentication | ||
| // +optional | ||
| optional bool chapAuthDiscovery = 8; | ||
|
|
There was a problem hiding this comment.
@rootfs did we deliberately left "9" or Am I missing something here?
There was a problem hiding this comment.
this is generated code
There was a problem hiding this comment.
ah.. yes. missed that part.
| if source.SecretRef != nil { | ||
| if secret, err = ioutil.GetSecretForPod(pod, source.SecretRef.Name, plugin.host.GetKubeClient()); err != nil { | ||
| glog.Errorf("Couldn't get secret from %v/%v", pod.Namespace, source.SecretRef) | ||
| return nil, err |
There was a problem hiding this comment.
@rootfs checking secret in pod's namespace is good enough ? or do we need to have an option for specifying a 'namespace' for this secret?
There was a problem hiding this comment.
This uses pod's namespace. Referencing across namespaces is not guaranteed to succeed.
k8s-github-robot
added
the
needs-rebase
|
@k8s-bot bazel test this |
k8s-github-robot
added
the
needs-rebase
|
LGTM. |
Signed-off-by: Huamin Chen <[email protected]>
Signed-off-by: Huamin Chen <[email protected]>
k8s-github-robot
removed
the
needs-rebase
|
@k8s-bot non-cri e2e test this |
|
/approve |
k8s-github-robot
added
the
approved
|
thank you @thockin |
|
@jsafrane PTAL, thanks! |
|
lgtm will defer final lgtm to @jsafrane |
pkg/volume/iscsi/iscsi_util.go
Outdated
| } | ||
| err = updateISCSINode(b, tp) | ||
| if err != nil { | ||
| last_err = fmt.Errorf("iscsi: failed to update iscsi node to portal %s error: %v", tp, err) |
There was a problem hiding this comment.
missing iscsiadm -m discoverydb .. -o delete?
There was a problem hiding this comment.
keep the discoverydb there in case there is another open session using the same sendtarget.
pkg/volume/iscsi/iscsi_util.go
Outdated
| glog.Errorf("iscsi: failed to attach disk:Error: %s (%v)", string(out), err) | ||
| // delete the node record from database | ||
| b.plugin.execCommand("iscsiadm", []string{"-m", "node", "-p", tp, "-I", b.iface, "-T", b.iqn, "-o", "delete"}) | ||
| last_err = fmt.Errorf("iscsi: failed to attach disk:Error: %s (%v)", string(out), err) |
There was a problem hiding this comment.
five lines below, there is "Could not attach disk: Timeout after 10s" error. Should it update last_err? Should it delete node records?
pkg/volume/iscsi/iscsi_util.go
Outdated
| @@ -105,6 +157,7 @@ func (util *ISCSIUtil) AttachDisk(b iscsiDiskMounter) error { | |||
| var devicePath string | |||
| var devicePaths []string | |||
| var iscsiTransport string | |||
| var last_err error | |||
examples/volumes/iscsi/README.md
Outdated
|
|
||
| ### CHAP Secret | ||
|
|
||
| As illustrated in [chap-secret.yaml](chap-secret.yaml), the secret consists of the following keys: |
There was a problem hiding this comment.
"must have type kubernetes.io/iscsi-chap and consists of the following keys"?
examples/volumes/iscsi/README.md
Outdated
|
|
||
| These keys map to those used by Open-iSCSI initiator. Detailed documents on these keys can be found at [Open-iSCSI](https://github.com/open-iscsi/open-iscsi/blob/master/etc/iscsid.conf) | ||
|
|
||
| Note, all user names and passwords must be base64 encoded in the secret. |
There was a problem hiding this comment.
That's IMO misleading. We use base64 to encode all secret values in the yaml just for easier transport, it's not something CHAP specific. E.g. on command line we use plaintext:
$ kubectl create secret generic my-secret --from-literal=discovery.sendtargets.auth.username=alibaba --from-literal=discovery.sendtargets.auth.password=opensesame -o yaml
kind: Secret
data:
discovery.sendtargets.auth.password: b3BlbnNlc2FtZQ==
discovery.sendtargets.auth.username: YWxpYmFiYQ==
It's not like RBD, where the passwords must be encoded into base64 twice.
rootfs
force-pushed
the
iscsi-chap
branch
2 times, most recently
from
73f8920
to
f9ee03a
Compare
Signed-off-by: Huamin Chen <[email protected]>
Signed-off-by: Huamin Chen <[email protected]>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jsafrane, rootfs, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
thanks @jsafrane great reviews! |
|
@k8s-bot non-cri e2e test this |
|
Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396) |
What this PR does / why we need it:
To support CHAP authentication in a multi-tenant setup
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Release note: