[internal] Add RPC-with-TLS

.werf/release.yaml

@@ -1,7 +1,8 @@
 # Release image, stored in your.registry.io/modules/<module-name>/release:<semver>
 ---
-artifact: release-channel-version-artifact
+image: release-channel-version-artifact
 from: registry.deckhouse.io/base_images/alpine:3.16.3
+final: false
 shell:
   beforeInstall:
     - apk add --no-cache curl
@@ -14,7 +15,7 @@ shell:
 image: release-channel-version
 from: registry.deckhouse.io/base_images/scratch@sha256:b054705fcc9f2205777d80a558d920c0b4209efdc3163c22b5bfcb5dda1db5fc
 import:
-  - artifact: release-channel-version-artifact
+  - image: release-channel-version-artifact
     add: /
     to: /
     after: install

api/v1alpha1/nfs_storage_class.go

@@ -43,6 +43,8 @@ type NFSStorageClassConnection struct {
 	Host       string `json:"host"`
 	Share      string `json:"share"`
 	NFSVersion string `json:"nfsVersion"`
+	Tls        bool   `json:"tls"`
+	Mtls       bool   `json:"mtls"`
 }
 
 type NFSStorageClassMountOptions struct {

crds/doc-ru-nfsstorageclass.yaml

@@ -23,6 +23,12 @@ spec:
                     nfsVersion:
                       description: |
                         Версия NFS сервера
+                    tls:
+                      description: |
+                        Использовать ли tls для подключения.
+                    mtls:
+                      description: |
+                        Использовать ли mtls; требует, чтобы tls был включён.
                 mountOptions:
                   description: |
                     Опции монтирования

crds/nfsstorageclass.yaml

@@ -29,6 +29,9 @@ spec:
             - spec
           properties:
             spec:
+              x-kubernetes-validations:
+                - rule: "!(self.connection.mtls == true) || (self.connection.tls == true)"
+                  message: "If mtls is true, tls must also be true."
               type: object
               description: |
                 Defines a Kubernetes Storage class configuration.
@@ -76,6 +79,22 @@ spec:
                         - "3"
                         - "4.1"
                         - "4.2"
+                    tls:
+                      type: boolean
+                      x-kubernetes-validations:
+                        - rule: self == oldSelf
+                          message: Value is immutable.
+                      description: |
+                        Whether to use tls for connection.
+                      default: false
+                    mtls:
+                      type: boolean
+                      x-kubernetes-validations:
+                        - rule: self == oldSelf
+                          message: Value is immutable.
+                      description: |
+                        Whether to use mtls; requires tls to be enabled.
+                      default: false
                 mountOptions:
                   type: object
                   description: |

docs/EXAMPLES.md

@@ -0,0 +1,40 @@
+---
+title: "The csi-nfs module: examples"
+description: examples of configuring the CSI NFS
+---
+
+## Configuration of the module with RPC-with-TLS support
+
+```yaml
+apiVersion: deckhouse.io/v1alpha1
+kind: ModuleConfig
+metadata:
+  name: csi-nfs
+spec:
+  enabled: true
+  version: 1
+  settings:
+    tlsParameters:
+      ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZFVENDQXZtZ...
+      mtls:
+        clientCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J...
+        clientKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQ...
+```
+
+## Creating a StorageClass with RPC-with-TLS support
+
+```yaml
+apiVersion: storage.deckhouse.io/v1alpha1
+kind: NFSStorageClass
+metadata:
+  name: nfs-storage-class
+spec:
+  connection:
+    host: nfs-server-name.io
+    share: /
+    nfsVersion: "4.1"
+    tls: true
+    mtls: true
+  reclaimPolicy: Delete
+  volumeBindingMode: WaitForFirstConsumer
+```

docs/EXAMPLES_RU.md

@@ -0,0 +1,40 @@
+---
+title: "Модуль csi-nfs: примеры"
+description: примеры конфигурации CSI NFS
+---
+
+## Конфигурация модуля с поддержкой RPC-with-TLS
+
+```yaml
+apiVersion: deckhouse.io/v1alpha1
+kind: ModuleConfig
+metadata:
+  name: csi-nfs
+spec:
+  enabled: true
+  version: 1
+  settings:
+    tlsParameters:
+      ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZFVENDQXZtZ...
+      mtls:
+        clientCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1J...
+        clientKey: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQ...
+```
+
+## Создание StorageClass с поддержкой RPC-with-TLS
+
+```yaml
+apiVersion: storage.deckhouse.io/v1alpha1
+kind: NFSStorageClass
+metadata:
+  name: nfs-storage-class
+spec:
+  connection:
+    host: nfs-server-name.io
+    share: /
+    nfsVersion: "4.1"
+    tls: true
+    mtls: true
+  reclaimPolicy: Delete
+  volumeBindingMode: WaitForFirstConsumer
+```

docs/FAQ.md

@@ -66,3 +66,11 @@ kubectl get volumesnapshot
 ```
 
 This command will display a list of all snapshots and their current status.
+
+## Why are PVs created in a StorageClass with RPC-with-TLS support not being deleted, along with their `<PV name>` directories on the NFS server?
+
+If the resource [NFSStorageClass](./cr.html#nfsstorageclass) was created with RPC-with-TLS support,
+a situation may arise where a `PV` cannot be deleted.
+This happens because the secret (e.g., after the `NFSStorageClass` was deleted) storing the mount options was removed.
+As a result, the controller cannot mount the NFS folder to delete the `<PV name>` directory inside it.
+

docs/FAQ_RU.md

@@ -65,3 +65,11 @@ kubectl get volumesnapshot
 ```
 
 Эта команда покажет список всех снимков и их текущее состояние.
+
+## Почему не удаляются `PV` созданные в StorageClass с поддержкой RPC-with-TLS, а вместе с ними и каталоги `<имя PV>` на NFS сервере?
+
+Если ресурс [NFSStorageClass](./cr.html#nfsstorageclass) был создан с поддержкой RPC-with-TLS,
+то может произойти ситуация при которой `PV` не удалится. Это происходит из-за того,
+что был удален секрет (например удалили `NFSStorageClass`), который хранит опции монтирования.
+Поэтому контроллер не может смонтировать NFS папку, чтобы удалить в ней папку `<имя PV>`.
+

docs/README.md

@@ -13,6 +13,18 @@ This module provides CSI that manages volumes based on `NFS`. The module allows
 ### Requirements
 - Stock kernels shipped with the [supported distributions](https://deckhouse.io/documentation/v1/supported_versions.html#linux).
 - Presence of a deployed and configured NFS server.
+- Enabling RPC-with-TLS requires the Linux kernel to have `CONFIG_TLS` and `CONFIG_NET_HANDSHAKE` options enabled.
+
+### Recommendations
+
+- For the module pods to restart when the `tlsParameters` parameter in the module settings is changed,
+the [pod-reloader](https://deckhouse.io/products/kubernetes-platform/documentation/v1/modules/pod-reloader) module must be enabled (enabled by default).
+
+## Limitations of RPC-with-TLS
+
+- Only a single CA is supported.
+- For the `mtls` security policy, only one client certificate is supported.
+- A single `NFS` server cannot simultaneously use different security policies such as `tls`, `mtls`, and the standard (no TLS) mode.
 
 ## Quickstart guide
 

docs/README_RU.md

@@ -14,6 +14,18 @@ moduleStatus: experimental
 
 - Использование стоковых ядер, поставляемых вместе с [поддерживаемыми дистрибутивами](https://deckhouse.ru/documentation/v1/supported_versions.html#linux);
 - Наличие развернутого и настроенного `NFS` сервера.
+- Для поддержки RPC-with-TLS необходимо чтобы в ядре Linux были включены две опции `CONFIG_TLS` и `CONFIG_NET_HANDSHAKE`.
+
+### Рекомендации
+
+- Для того чтобы поды модуля перезапускались при изменении `tlsParameters` параметра в настройках модуля,
+необходим включенный модуль [pod-reloader](https://deckhouse.ru/products/kubernetes-platform/documentation/v1/modules/pod-reloader) (включен по умолчанию).
+
+## Ограничения режима RPC-with-TLS
+
+- Поддерживается только один центр сертификации (CA).
+- Для политики безопасности `mtls` поддерживается только один сертификат клиента.
+- Один `NFS` сервер не может одновременно использовать разные политики безопасности `tls`, `mtls` и стандартный режим (без TLS).
 
 ## Быстрый старт
 

images/controller/src/cmd/main.go

@@ -23,10 +23,11 @@ import (
 	"d8-controller/pkg/kubutils"
 	"d8-controller/pkg/logger"
 	"fmt"
-	cn "github.com/deckhouse/csi-nfs/api/v1alpha1"
 	"os"
 	goruntime "runtime"
 
+	cn "github.com/deckhouse/csi-nfs/api/v1alpha1"
+
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 
 	v1 "k8s.io/api/core/v1"

images/controller/src/go.mod

@@ -3,7 +3,7 @@ module d8-controller
 go 1.22.2
 
 require (
-	github.com/deckhouse/csi-nfs/api v0.0.0-20240803013516-738ee1ca87bc
+	github.com/deckhouse/csi-nfs/api v0.0.0-20241202135517-c84cb4afb179
 	github.com/go-logr/logr v1.4.1
 	github.com/onsi/ginkgo/v2 v2.15.0
 	github.com/onsi/gomega v1.31.0
@@ -70,3 +70,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/deckhouse/csi-nfs/api => ../../../api

images/controller/src/go.sum

@@ -9,8 +9,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deckhouse/csi-nfs/api v0.0.0-20240803013516-738ee1ca87bc h1:FRil0A1OjAHQl5Hkf2eVcU6/jrtLKMVfIOo5RDQf5NM=
-github.com/deckhouse/csi-nfs/api v0.0.0-20240803013516-738ee1ca87bc/go.mod h1:/vXhdSgMvU4dP2MvOHOFZua9MvJoAPLM/hk6p7rE+Jc=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=

images/controller/src/pkg/controller/nfs_storage_class_watcher.go

@@ -22,10 +22,11 @@ import (
 	"d8-controller/pkg/logger"
 	"errors"
 	"fmt"
-	v1alpha1 "github.com/deckhouse/csi-nfs/api/v1alpha1"
 	"reflect"
 	"time"
 
+	v1alpha1 "github.com/deckhouse/csi-nfs/api/v1alpha1"
+
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/storage/v1"
 	k8serr "k8s.io/apimachinery/pkg/api/errors"
@@ -102,6 +103,8 @@ func RunNFSStorageClassWatcherController(
 				return reconcile.Result{}, nil
 			}
 
+			// TODO added validateNFSStorageClass
+
 			scList := &v1.StorageClassList{}
 			err = cl.List(ctx, scList)
 			if err != nil {

images/controller/src/pkg/controller/nfs_storage_class_watcher_func.go

@@ -21,11 +21,12 @@ import (
 	"d8-controller/pkg/logger"
 	"errors"
 	"fmt"
-	v1alpha1 "github.com/deckhouse/csi-nfs/api/v1alpha1"
 	"reflect"
 	"strconv"
 	"strings"
 
+	v1alpha1 "github.com/deckhouse/csi-nfs/api/v1alpha1"
+
 	"slices"
 
 	corev1 "k8s.io/api/core/v1"
@@ -592,6 +593,12 @@ func GetSCMountOptions(nsc *v1alpha1.NFSStorageClass) []string {
 		mountOptions = append(mountOptions, "nfsvers="+nsc.Spec.Connection.NFSVersion)
 	}
 
+	if nsc.Spec.Connection.Mtls {
+		mountOptions = append(mountOptions, "xprtsec=mtls")
+	} else if nsc.Spec.Connection.Tls {
+		mountOptions = append(mountOptions, "xprtsec=tls")
+	}
+
 	if nsc.Spec.MountOptions != nil {
 
 		if nsc.Spec.MountOptions.MountMode != "" {

images/controller/werf.inc.yaml

@@ -8,7 +8,12 @@ final: false
 
 git:
   - add: /images/controller/src
-    to: /src
+    to: /csi-nfs/images/controller/src
+    stageDependencies:
+      setup:
+        - "**/*"
+  - add: /api
+    to: /csi-nfs/api
     stageDependencies:
       setup:
         - "**/*"
@@ -17,7 +22,7 @@ mount:
     to: /go/pkg
 shell:
   setup:
-    - cd /src/cmd
+    - cd /csi-nfs/images/controller/src/cmd
     - GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="-s -w" -o controller
     - mv controller /controller
     - chmod +x /controller