From 8eb6d6cfa7a74f27b5bf209fc82d2990e23eb707 Mon Sep 17 00:00:00 2001
From: Huamin Chen
Date: Mon, 20 Mar 2017 13:53:06 -0400
Subject: [PATCH] update iSCSI README with CHAP instruction
Signed-off-by: Huamin Chen
---
 examples/examples_test.go | 6 ++--
 examples/volumes/iscsi/README.md | 43 +++++++++++++++++++++++++
 examples/volumes/iscsi/chap-secret.yaml | 15 +++++++++
 examples/volumes/iscsi/iscsi-chap.yaml | 24 ++++++++++++++
 pkg/volume/iscsi/iscsi_util.go | 1 -
 5 files changed, 86 insertions(+), 3 deletions(-)
 create mode 100644 examples/volumes/iscsi/chap-secret.yaml
 create mode 100644 examples/volumes/iscsi/iscsi-chap.yaml
diff --git a/examples/examples_test.go b/examples/examples_test.go
index 6dfed34ca82..206c6fc00e5 100644
--- a/examples/examples_test.go
+++ b/examples/examples_test.go
@@ -201,7 +201,9 @@ func TestExampleObjectSchemas(t *testing.T) {
 "redis-slave-service": &api.Service{},
 },
 "../examples/volumes/iscsi": {
- "iscsi": &api.Pod{},
+ "chap-secret": &api.Secret{},
+ "iscsi": &api.Pod{},
+ "iscsi-chap": &api.Pod{},
 },
 "../examples/volumes/glusterfs": {
 "glusterfs-pod": &api.Pod{},
@@ -405,7 +407,7 @@ func TestReadme(t *testing.T) {
 expectedType []runtime.Object
 }{
 {"../README.md", []runtime.Object{&api.Pod{}}},
- {"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Pod{}}},
+ {"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Secret{}}},
 }
 
 for _, path := range paths {
diff --git a/examples/volumes/iscsi/README.md b/examples/volumes/iscsi/README.md
index 268b34fe226..7f6090eff31 100644
--- a/examples/volumes/iscsi/README.md
+++ b/examples/volumes/iscsi/README.md
@@ -5,6 +5,7 @@ Currently supported features are
 * Connecting to one portal
 * Mounting a device directly or via multipathd
 * Formatting and partitioning any new device connected
+ * CHAP authentication
 
 ## Prerequisites
 
@@ -26,6 +27,48 @@ If you want to use an iSCSI offload card or other open-iscsi transports besides may have partitioned the device, the iSCSI volume plugin does not currently support partitions so format the device as one partition or leave the device raw and Kubernetes will partition and format it one first mount. +### CHAP Authentication + +To enable one-way or two-way CHAP authentication for discovery or session, following these steps. + + * Set `chapAuthDiscovery` to `true` for discovery authentication. + * Set `chapAuthSession` to `true` for session authentication. + * Create a CHAP secret and set `secretRef` to reference the CHAP secret. + + +Example can be found at [iscsi-chap.yaml](iscsi-chap.yaml) + +### CHAP Secret + +As illustrated in [chap-secret.yaml](chap-secret.yaml), the secret must have type `kubernetes.io/iscsi-chap` and consists of the following keys: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: chap-secret +type: "kubernetes.io/iscsi-chap" +data: + discovery.sendtargets.auth.username: + discovery.sendtargets.auth.password: + discovery.sendtargets.auth.username_in: + discovery.sendtargets.auth.password_in: + node.session.auth.username: + node.session.auth.password: + node.session.auth.username_in: + node.session.auth.password_in: +``` + +These keys map to those used by Open-iSCSI initiator. Detailed documents on these keys can be found at [Open-iSCSI](https://github.com/open-iscsi/open-iscsi/blob/master/etc/iscsid.conf) + +#### Create CHAP secret before creating iSCSI volumes and Pods + +```console +# kubectl create -f examples/volumes/iscsi/chap-iscsi.yaml +``` + + Once the pod config is created, run it on the Kubernetes master: diff --git a/examples/volumes/iscsi/chap-secret.yaml b/examples/volumes/iscsi/chap-secret.yaml new file mode 100644 index 00000000000..5bc9cc8747e --- /dev/null +++ b/examples/volumes/iscsi/chap-secret.yaml 
@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: chap-secret
+type: "kubernetes.io/iscsi-chap"
+data:
+ discovery.sendtargets.auth.username: dXNlcg==
+ discovery.sendtargets.auth.password: ZGVtbw==
+ discovery.sendtargets.auth.username_in: bXVzZXI=
+ discovery.sendtargets.auth.password_in: bXBhc3M=
+ node.session.auth.username: dXNlcm5hbWU=
+ node.session.auth.password: cGFzc3dvcmQ=
+ node.session.auth.username_in: bXVzZXIy
+ node.session.auth.password_in: bXBhc3My
diff --git a/examples/volumes/iscsi/iscsi-chap.yaml b/examples/volumes/iscsi/iscsi-chap.yaml
new file mode 100644
index 00000000000..1ddc2f02cac
--- /dev/null
+++ b/examples/volumes/iscsi/iscsi-chap.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: iscsipd
+spec:
+ containers:
+ - name: iscsipd-ro
+ image: kubernetes/pause
+ volumeMounts:
+ - mountPath: "/mnt/iscsipd"
+ name: iscsivol
+ volumes:
+ - name: iscsivol
+ iscsi:
+ targetPortal: 127.0.0.1
+ iqn: iqn.2015-02.example.com:test
+ lun: 0
+ fsType: ext4
+ readOnly: true
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: chap-secret
diff --git a/pkg/volume/iscsi/iscsi_util.go b/pkg/volume/iscsi/iscsi_util.go
index 5df9cea8d3e..36c2a12d725 100755
--- a/pkg/volume/iscsi/iscsi_util.go
+++ b/pkg/volume/iscsi/iscsi_util.go
@@ -17,7 +17,6 @@ limitations under the License.
 package iscsi
 
 import (
- "errors"
 "fmt"
 "os"
 "path"
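Review bot: The `data` values in the new chap-secret.yaml are only base64-encoded, not encrypted — they decode to placeholder credentials such as `user`/`demo` for discovery and `username`/`password` for the session — and nothing in the file says so, so a reader copying the example may deploy it unchanged or assume base64 protects the secret. Add a header comment, e.g. `# Demo CHAP credentials: base64 is encoding, not encryption. Replace every value before use and keep real credentials out of version control.`, and label the two groups: `# discovery.* keys: initiator credentials for SendTargets discovery CHAP; the *_in keys are the credentials the initiator expects the target to present (mutual CHAP)`, with the matching comment on the `node.session.*` keys. The README hunk in this patch tells users to run `kubectl create -f examples/volumes/iscsi/chap-iscsi.yaml`, but the file this hunk creates is `chap-secret.yaml`; one of the two names should change.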
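Review bot: The `secretRef` at the end of the iscsi-chap.yaml volume names `chap-secret` without saying what the secret must look like or where it must live, and the two `chapAuth*` flags above it are undocumented; the pod will presumably fail to mount if the secret is missing or has the wrong type, so the example should say so inline. Suggested comments: on `chapAuthDiscovery`/`chapAuthSession`, `# enable CHAP for SendTargets discovery and for the session; both take credentials from secretRef`, and on `secretRef`, `# Secret of type kubernetes.io/iscsi-chap (see chap-secret.yaml), looked up in the pod's own namespace`. `targetPortal: 127.0.0.1` is also given without a port; if this relies on the plugin defaulting to the iSCSI port 3260 (presumably — confirm against the plugin), a comment such as `# host or host:port; port defaults to 3260` would make the example clearer.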