Merge pull request #385 from sijeesh/chap_with_env

Chap with env

helm/charts/hpe-csi-driver/README.md

@@ -38,6 +38,7 @@ The following table lists the configurable parameters of the chart and their def
 | disableNodeConfiguration  | Disables node conformance and configuration.`*`                        | false            |
 | disableNodeGetVolumeStats | Disable NodeGetVolumeStats call to CSI driver.                         | false            |
 | imagePullPolicy           | Image pull policy (`Always`, `IfNotPresent`, `Never`).                 | IfNotPresent     |
+| iscsi.chapSecretName      | Secret containing chapUser and chapPassword for iSCSI                  | ""               |
 | logLevel                  | Log level. Can be one of `info`, `debug`, `trace`, `warn` and `error`. | info             |
 | kubeletRootDir            | The kubelet root directory path.                                       | /var/lib/kubelet |
 | controller.labels         | Additional labels for HPE CSI Driver controller Pods.                  | {}               |

helm/charts/hpe-csi-driver/templates/_helpers.tpl

@@ -30,3 +30,38 @@ Create chart name and version as used by the chart label.
 {{- define "hpe-csi-storage.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+CHAP secret validation
+*/}}
+{{- define "hpe-csi-storage.chapSecretValidation" -}}
+{{- if not (empty .Values.iscsi.chapSecretName) }}
+  {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.iscsi.chapSecretName }}
+  {{- if not $secret }}
+    {{- fail (printf "Secret %s not found in namespace %s" .Values.iscsi.chapSecretName .Release.Namespace) }}
+  {{- end }}
+
+  {{- $username := index $secret.data "chapUser" | b64dec }}
+  {{- $password := index $secret.data "chapPassword" | b64dec }}
+
+  {{- if or (empty $username) (empty $password) }}
+    {{- fail "Username or password cannot be empty." }}
+  {{- end }}
+
+  {{- $chapUserValidationPattern := "^[a-zA-Z0-9][a-zA-Z0-9\\-:.]{0,63}$" }}
+  {{- $chapPasswordValidationPattern := "^[a-zA-Z0-9!#$%()*+,-./:<>?@_{}|~]{12,16}$" }}
+
+   {{- if not (regexMatch $chapUserValidationPattern $username) }}
+    {{- fail (printf "Username does not match the required pattern: %s" $chapUserValidationPattern) }}
+  {{- end }}
+
+  {{- if not (regexMatch $chapPasswordValidationPattern $password) }}
+    {{- fail (printf "Password does not match the required pattern: %s" $chapPasswordValidationPattern) }}
+  {{- end }}
+
+{{- end }}
+{{- end -}}
+
+{{- define "empty" -}}
+{{- eq . "" -}}
+{{- end -}}

helm/charts/hpe-csi-driver/templates/hpe-csi-controller.yaml

@@ -110,6 +110,12 @@ spec:
               value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
             - name: LOG_LEVEL
               value: {{ .Values.logLevel }}
+            {{- if .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAME
+              value: {{ .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAMESPACE
+              value: {{ .Release.Namespace }}
+            {{- end }}
           imagePullPolicy: {{ .Values.imagePullPolicy | quote }}
           volumeMounts:
             - name: socket-dir

helm/charts/hpe-csi-driver/templates/hpe-csi-node.yaml

@@ -116,6 +116,12 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            {{- if .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAME
+              value: {{ .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAMESPACE
+              value: {{ .Release.Namespace }}
+            {{- end }}
             {{ if .Values.disableNodeConformance -}}
             - name: DISABLE_NODE_CONFORMANCE
               value: "true"

helm/charts/hpe-csi-driver/templates/pre-install-hook.yaml

@@ -0,0 +1,26 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ .Release.Name }}-pre-install"
+  labels:
+    app.kubernetes.io/name: "{{ .Release.Name }}"
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  template:
+    metadata:
+      name: "{{ .Release.Name }}-pre-install"
+      labels:
+        app.kubernetes.io/name: "{{ .Release.Name }}"
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: pre-install
+        image: busybox
+        command: ["/bin/sh", "-c"]
+        args:
+          - |
+            echo "Validating Secret..."
+            {{ include "hpe-csi-storage.chapSecretValidation" . }}
+            echo "Validation successful."

helm/charts/hpe-csi-driver/templates/primera-3par-csp.yaml

@@ -91,6 +91,12 @@ spec:
               value: "35"
             - name: CRD_CLIENT_CONFIG_BURST
               value: "20"
+            {{- if .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAME
+              value: {{ .Values.iscsi.chapSecretName }}
+            - name: CHAP_SECRET_NAMESPACE
+              value: {{ .Release.Namespace }}
+            {{- end }}
           ports:
             - containerPort: 8080
           volumeMounts:

helm/charts/hpe-csi-driver/values.schema.json

@@ -15,6 +15,9 @@
             "disableNodeConformance": false,
             "disableNodeConfiguration": false,
             "imagePullPolicy": "IfNotPresent",
+            "iscsi": {
+                "chapSecretName": ""
+            },
             "logLevel": "info",
             "kubeletRootDir": "/var/lib/kubelet/",
             "disableNodeGetVolumeStats": false,
@@ -46,6 +49,7 @@
         "disableNodeConformance",
         "disableNodeConfiguration",
         "imagePullPolicy",
+        "iscsi",
         "logLevel",
         "kubeletRootDir",
         "disableNodeGetVolumeStats",
@@ -130,6 +134,27 @@
             "default": "IfNotPresent",
             "enum": [ "Always", "IfNotPresent", "Never" ]
         },
+        "iscsi": {
+            "$id": "#/properties/iscsi",
+            "title": "iSCSI CHAP secret name",
+            "type": "object",
+            "default":
+                {
+                    "chapSecretName": ""
+                },
+            "required": [
+                "chapSecretName"
+            ],
+            "properties": {
+                "chapSecretName": {
+                    "$id": "#/properties/iscsi/properties/chapSecretName",
+                    "title": "CHAP secret name",
+                    "type": "string",
+                    "default": ""
+                }
+            },
+            "additionalProperties": false
+        },
         "logLevel": {
             "$id": "#/properties/logLevel",
             "title": "Set the log level of the HPE CSI Driver images",

helm/charts/hpe-csi-driver/values.yaml

@@ -19,6 +19,10 @@ disableNodeConfiguration: false
 # imagePullPolicy applied for all hpe-csi-driver images
 imagePullPolicy: "IfNotPresent"
 
+# Cluster wide values for CHAP authentication
+iscsi:
+  chapSecretName: ""
+
 # Log level for all hpe-csi-driver components
 logLevel: "info"
 

operators/hpe-csi-operator/sources/hpe-csi-operator.csv.yaml

@@ -157,6 +157,14 @@ spec:
               - "urn:alm:descriptor:com.tectonic.ui:booleanSwitch"
             x-descriptors:
               - "urn:alm:descriptor:com.tectonic.ui:text"
+          - displayName: iSCSI Configuration
+            description: "Configuration for iSCSI CHAP authenticaton"
+            path: iscsi
+          - displayName: iSCSI CHAP Secret Name
+            description: "Name of the secret containing chapUser and chapPassword for iSCSI"
+            path: iscsi.chapSecretName
+            x-descriptors:
+              - "urn:alm:descriptor:io.kubernetes:Secret"
           - displayName: Kubelet root dir
             description: "The kubelet root directory path."
             path: kubeletRootDir

operators/hpe-csi-operator/sources/hpecsidrivers.storage.hpe.com.crd.yaml

@@ -68,6 +68,14 @@ spec:
               imagePullPolicy:
                 description: Image Pull Policy for HPE CSI driver images
                 type: string
+              iscsi:
+                description: iSCSI parameters to be configured
+                properties:
+                  chapSecretName:
+                    type: string
+                required:
+                - chapSecretName
+                type: object
               images:
                 description: HPE CSI Operator Images
                 properties:

yaml/csi-driver/edge/3par-primera-csp.yaml

@@ -60,6 +60,10 @@ spec:
             value: "35"
           - name: CRD_CLIENT_CONFIG_BURST
             value: "20"
+          - name: CHAP_SECRET_NAME
+            value: ""
+          - name: CHAP_SECRET_NAMESPACE
+            value: hpe-storage
           ports:
           - containerPort: 8080
           volumeMounts:

yaml/csi-driver/edge/hpe-csi-k8s-1.30.yaml

@@ -752,6 +752,10 @@ spec:
               value: unix:///var/lib/csi/sockets/pluginproxy/csi.sock
             - name: LOG_LEVEL
               value: trace
+            - name: CHAP_SECRET_NAME
+              value: ""
+            - name: CHAP_SECRET_NAMESPACE
+              value: hpe-storage
           imagePullPolicy: "IfNotPresent"
           volumeMounts:
             - name: socket-dir
@@ -990,6 +994,10 @@ spec:
               value: "false"
             - name: DISABLE_NODE_CONFIGURATION
               value: "false"
+            - name: CHAP_SECRET_NAME
+              value: ""
+            - name: CHAP_SECRET_NAMESPACE
+              value: hpe-storage
           imagePullPolicy: "IfNotPresent"
           securityContext:
             privileged: true