refactor: add authKrbConf mount parameter

GamerGirlandCo · GamerGirlandCo · commit 2bafa2456f3f · 2025-11-05T13:22:30.000-05:00
allows an end user to specify a secret which contains contents of a kerberos 5 configuration file that specifies how to connect to one or more realms
diff --git a/Makefile b/Makefile
@@ -133,7 +133,7 @@ install-nfs-server:
 	kubectl apply -f ./deploy/example/nfs-provisioner/nfs-server.yaml
 	kubectl apply -f ./deploy/example/nfs-provisioner/nfs-krb-server.yaml
 	kubectl delete secret mount-options -n default --ignore-not-found
-	kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" --from-literal krb-pwd='password!' -n default
+	kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" --from-literal krb-pwd='password!' --from-file=krb5.conf=./test/krb5.conf -n default
 
 .PHONY: install-helm
 install-helm:
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
@@ -70,7 +70,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	}
 
 	var server, baseDir, subDir string
-	var krbPwd, krbPrinc string
+	var krbPwd, krbPrinc, krbConf string
 	subDirReplaceMap := map[string]string{}
 
 	mountPermissions := ns.Driver.mountPermissions
@@ -88,6 +88,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 			if v != "" {
 				krbPwd = req.GetSecrets()[v]
 			}
+		case paramKrbConf:
+			if v != "" {
+				krbConf = req.GetSecrets()[v]
+			}
 		case pvcNamespaceKey:
 			subDirReplaceMap[pvcNamespaceMetadata] = v
 		case pvcNameKey:
@@ -138,7 +142,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 	if !notMnt {
 		return &csi.NodePublishVolumeResponse{}, nil
 	}
-
+	
+	if krbConf != "" {
+		os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775)
+	}
 	klog.V(2).Infof("NodePublishVolume: volumeID(%v) source(%s) targetPath(%s) mountflags(%v)", volumeID, source, targetPath, mountOptions)
 	execFunc := func() error {
 		if krbPrinc != "" && krbPwd != "" {
diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go
@@ -98,6 +98,7 @@ var (
 		"csi.storage.k8s.io/provisioner-secret-namespace": "default",
 		"csi.storage.k8s.io/provisioner-secret-name":      "mount-options",
 		"mountPermissions":   "0755",
+		"authKrbConf":        "krb5.conf",
 		"authPasswordSecret": "krb-pwd",
 		"authPrincipal":      "nfs/nfs-krb-server.default.svc.cluster.local@NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL",
 	}
diff --git a/test/krb5.conf b/test/krb5.conf
@@ -0,0 +1,13 @@
+[libdefaults]
+default_realm = NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL
+
+[realms]
+NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL = {
+	tkdc = nfs-krb-server.default.svc.cluster.local
+	tadmin_server = nfs-krb-server.default.svc.cluster.local
+}
+
+[logging]
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmin.log
+default = FILE:/var/log/krb5lib.log

Original file line number	Diff line number	Diff line change
`@@ -98,6 +98,7 @@ var (`
`98`	`98`	`"csi.storage.k8s.io/provisioner-secret-namespace": "default",`
`99`	`99`	`"csi.storage.k8s.io/provisioner-secret-name": "mount-options",`
`100`	`100`	`"mountPermissions": "0755",`
	`101`	`+ "authKrbConf": "krb5.conf",`
`101`	`102`	`"authPasswordSecret": "krb-pwd",`
`102`	`103`	`"authPrincipal": "nfs/nfs-krb-server.default.svc.cluster.local@NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL",`
`103`	`104`	`}`