Merge pull request #43396 from rootfs/iscsi-chap

Automatic merge from submit-queue (batch tested with PRs 44119, 42538, 43802, 42336, 43396)

iSCSI CHAP support

**What this PR does / why we need it**:
To support CHAP authentication in a multi-tenant setup
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
Support iSCSI CHAP authentication
```

examples/examples_test.go

@@ -201,7 +201,9 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"redis-slave-service":     &api.Service{},
 		},
 		"../examples/volumes/iscsi": {
-			"iscsi": &api.Pod{},
+			"chap-secret": &api.Secret{},
+			"iscsi":       &api.Pod{},
+			"iscsi-chap":  &api.Pod{},
 		},
 		"../examples/volumes/glusterfs": {
 			"glusterfs-pod":       &api.Pod{},
@@ -405,7 +407,7 @@ func TestReadme(t *testing.T) {
 		expectedType []runtime.Object
 	}{
 		{"../README.md", []runtime.Object{&api.Pod{}}},
-		{"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Pod{}}},
+		{"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Secret{}}},
 	}
 
 	for _, path := range paths {

examples/volumes/iscsi/README.md

@@ -5,6 +5,7 @@ Currently supported features are
   * Connecting to one portal
   * Mounting a device directly or via multipathd
   * Formatting and partitioning any new device connected
+  * CHAP authentication
 
 ## Prerequisites
 
@@ -26,6 +27,48 @@ If you want to use an iSCSI offload card or other open-iscsi transports besides
 may have partitioned the device, the iSCSI volume plugin does not
 currently support partitions so format the device as one partition or leave the device raw and Kubernetes will partition and format it one first mount.
 
+### CHAP Authentication
+
+To enable one-way or two-way CHAP authentication for discovery or session, following these steps.
+
+ * Set `chapAuthDiscovery` to `true` for discovery authentication.
+ * Set `chapAuthSession` to `true` for session authentication.
+ * Create a CHAP secret and set `secretRef` to reference the CHAP secret.
+
+
+Example can be found at [iscsi-chap.yaml](iscsi-chap.yaml)
+
+### CHAP Secret
+
+As illustrated in [chap-secret.yaml](chap-secret.yaml), the secret must have type `kubernetes.io/iscsi-chap` and consists of the following keys:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chap-secret
+type: "kubernetes.io/iscsi-chap"  
+data:
+  discovery.sendtargets.auth.username: 
+  discovery.sendtargets.auth.password: 
+  discovery.sendtargets.auth.username_in: 
+  discovery.sendtargets.auth.password_in: 
+  node.session.auth.username: 
+  node.session.auth.password: 
+  node.session.auth.username_in: 
+  node.session.auth.password_in: 
+```
+
+These keys map to those used by Open-iSCSI initiator. Detailed documents on these keys can be found at [Open-iSCSI](https://github.com/open-iscsi/open-iscsi/blob/master/etc/iscsid.conf)
+
+#### Create CHAP secret before creating iSCSI volumes and Pods
+
+```console
+# kubectl create -f examples/volumes/iscsi/chap-iscsi.yaml
+```
+
+
 
 Once the pod config is created, run it on the Kubernetes master:
 

examples/volumes/iscsi/chap-secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chap-secret
+type: "kubernetes.io/iscsi-chap"  
+data:
+  discovery.sendtargets.auth.username: dXNlcg==
+  discovery.sendtargets.auth.password: ZGVtbw==
+  discovery.sendtargets.auth.username_in: bXVzZXI=
+  discovery.sendtargets.auth.password_in: bXBhc3M=
+  node.session.auth.username: dXNlcm5hbWU=
+  node.session.auth.password: cGFzc3dvcmQ=
+  node.session.auth.username_in: bXVzZXIy
+  node.session.auth.password_in: bXBhc3My

examples/volumes/iscsi/iscsi-chap.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: iscsipd
+spec:
+  containers:
+  - name: iscsipd-ro
+    image: kubernetes/pause
+    volumeMounts:
+    - mountPath: "/mnt/iscsipd"
+      name: iscsivol
+  volumes:
+  - name: iscsivol
+    iscsi:
+      targetPortal: 127.0.0.1
+      iqn: iqn.2015-02.example.com:test
+      lun: 0
+      fsType: ext4
+      readOnly: true
+      chapAuthDiscovery: true
+      chapAuthSession: true
+      secretRef: 
+         name: chap-secret