From ab4a8636f653d0b44c0ffdbfaad89dbe8b232145 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Thu, 30 Oct 2025 20:39:49 -0400 Subject: [PATCH 01/24] refactor: update Dockerfile to install `krb5-user` to facilitate kerberos authentication --- Dockerfile | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8ffbc85ca..a33db4c88 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,6 +18,14 @@ ARG ARCH ARG binary=./bin/${ARCH}/nfsplugin COPY ${binary} /nfsplugin -RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates mount nfs-common netbase +RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates mount nfs-common netbase krb5-user + +RUN cat > /etc/default/nfs-common < Date: Thu, 30 Oct 2025 20:42:42 -0400 Subject: [PATCH 02/24] refactor: add storageClass parameters for kerberos auth --- pkg/nfs/controllerserver.go | 2 ++ pkg/nfs/nfs.go | 26 +++++++++++++++----------- pkg/nfs/nodeserver.go | 7 +++++++ 3 files changed, 24 insertions(+), 11 deletions(-) diff --git a/pkg/nfs/controllerserver.go b/pkg/nfs/controllerserver.go index b9eb4f27d..47dce0de1 100644 --- a/pkg/nfs/controllerserver.go +++ b/pkg/nfs/controllerserver.go @@ -140,6 +140,8 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol case pvcNamespaceKey: case pvcNameKey: case pvNameKey: + case paramKrbPrincipal: + case paramKrbPasswordSecret: // no op case mountPermissionsField: if v != "" { diff --git a/pkg/nfs/nfs.go b/pkg/nfs/nfs.go index 919d078d1..aac6c8540 100644 --- a/pkg/nfs/nfs.go +++ b/pkg/nfs/nfs.go 
@@ -73,17 +73,21 @@ const ( // The base directory must be a direct child of the root directory. // The root directory is omitted from the string, for example: // "base" instead of "/base" - paramShare = "share" - paramSubDir = "subdir" - paramOnDelete = "ondelete" - mountOptionsField = "mountoptions" - mountPermissionsField = "mountpermissions" - pvcNameKey = "csi.storage.k8s.io/pvc/name" - pvcNamespaceKey = "csi.storage.k8s.io/pvc/namespace" - pvNameKey = "csi.storage.k8s.io/pv/name" - pvcNameMetadata = "${pvc.metadata.name}" - pvcNamespaceMetadata = "${pvc.metadata.namespace}" - pvNameMetadata = "${pv.metadata.name}" + paramShare = "share" + paramSubDir = "subdir" + // Kerberos principal to use when mounting with `-o sec=krb5*` + paramKrbPrincipal = "authprincipal" + // name of a secret containing the Kerberos password to use when authenticating + paramKrbPasswordSecret = "authpasswordsecret" + paramOnDelete = "ondelete" + mountOptionsField = "mountoptions" + mountPermissionsField = "mountpermissions" + pvcNameKey = "csi.storage.k8s.io/pvc/name" + pvcNamespaceKey = "csi.storage.k8s.io/pvc/namespace" + pvNameKey = "csi.storage.k8s.io/pv/name" + pvcNameMetadata = "${pvc.metadata.name}" + pvcNamespaceMetadata = "${pvc.metadata.namespace}" + pvNameMetadata = "${pv.metadata.name}" ) func NewDriver(options *DriverOptions) *Driver { diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index ac28dd22e..c3347090a 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go @@ -68,6 +68,7 @@ func (ns *NodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV } var server, baseDir, subDir string + var krbPwd, krbPrinc string subDirReplaceMap := map[string]string{} mountPermissions := ns.Driver.mountPermissions 
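Review bot: The comment on `paramKrbPasswordSecret` describes the parameter as "name of a secret containing the Kerberos password", but the node server consumes it as `req.GetSecrets()[v]`, i.e. a key inside the secret that is already delivered with the publish request, so a reader who follows the comment and sets the parameter to a Secret's name will get an empty password with no error. Suggest `// key, within the secret delivered with the publish request, whose value is the Kerberos password passed to kinit`. The `authkrbconf` comment added later in this series reads the same way and is consumed the same way (`req.GetSecrets()[v]`), so it should be worded alike.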
@@ -79,6 +80,12 @@ func (ns *NodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishV baseDir = v case paramSubDir: subDir = v + case paramKrbPrincipal: + krbPrinc = v + case paramKrbPasswordSecret: + if v != "" { + krbPwd = req.GetSecrets()[v] + } case pvcNamespaceKey: subDirReplaceMap[pvcNamespaceMetadata] = v case pvcNameKey: From dd802252f9ea64a4d04d21903f55ded9aff33969 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Fri, 31 Oct 2025 23:51:23 -0400 Subject: [PATCH 03/24] refactor: add `secrets` parameter to `internalMount` func this will allow the authentication password to be passed to `kinit` --- pkg/nfs/controllerserver.go | 21 +++++++++++---------- pkg/nfs/nodeserver.go | 2 +- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/pkg/nfs/controllerserver.go b/pkg/nfs/controllerserver.go index 47dce0de1..96a9ea7ea 100644 --- a/pkg/nfs/controllerserver.go +++ b/pkg/nfs/controllerserver.go @@ -170,7 +170,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol volCap = req.GetVolumeCapabilities()[0] } // Mount nfs base share so we can create a subdirectory - if err = cs.internalMount(ctx, nfsVol, parameters, volCap); err != nil { + if err = cs.internalMount(ctx, nfsVol, parameters, volCap, req.GetSecrets()); err != nil { return nil, status.Errorf(codes.Internal, "failed to mount nfs server: %v", err) } defer func() { @@ -243,7 +243,7 @@ func (cs *ControllerServer) DeleteVolume(ctx context.Context, req *csi.DeleteVol } // mount nfs base share so we can delete the subdirectory volCap := getVolumeCapabilityFromSecret(volumeID, req.GetSecrets()) - if err = cs.internalMount(ctx, nfsVol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, nfsVol, nil, volCap, req.GetSecrets()); err != nil { return nil, status.Errorf(codes.Internal, "failed to mount nfs server: %v", err) } defer func() { 
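Review bot: `krbPwd = req.GetSecrets()[v]` in the `paramKrbPasswordSecret` case yields an empty string when the secret does not carry the key named by the parameter, and nothing records that the lookup missed, so a mis-named key silently degrades into a mount attempt without Kerberos credentials and the eventual mount error gives no hint of the cause. Use the two-value lookup and fail early: `pwd, ok := req.GetSecrets()[v]` / `if !ok { return nil, status.Errorf(codes.InvalidArgument, "secret key %q not found", v) }` / `krbPwd = pwd`. NodePublishVolume begins and ends outside this hunk.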
@@ -367,7 +367,7 @@ func (cs *ControllerServer) CreateSnapshot(ctx context.Context, req *csi.CreateS } snapVol := volumeFromSnapshot(snapshot) volCap := getVolumeCapabilityFromSecret(req.GetSourceVolumeId(), req.GetSecrets()) - if err = cs.internalMount(ctx, snapVol, req.GetParameters(), volCap); err != nil { + if err = cs.internalMount(ctx, snapVol, req.GetParameters(), volCap, req.GetSecrets()); err != nil { return nil, status.Errorf(codes.Internal, "failed to mount snapshot nfs server: %v", err) } defer func() { @@ -383,7 +383,7 @@ func (cs *ControllerServer) CreateSnapshot(ctx context.Context, req *csi.CreateS return nil, err } - if err = cs.internalMount(ctx, srcVol, req.GetParameters(), volCap); err != nil { + if err = cs.internalMount(ctx, srcVol, req.GetParameters(), volCap, req.GetSecrets()); err != nil { return nil, status.Errorf(codes.Internal, "failed to mount src nfs server: %v", err) } defer func() { @@ -438,7 +438,7 @@ func (cs *ControllerServer) DeleteSnapshot(ctx context.Context, req *csi.DeleteS volCap := getVolumeCapabilityFromSecret(req.SnapshotId, req.GetSecrets()) vol := volumeFromSnapshot(snap) - if err = cs.internalMount(ctx, vol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, vol, nil, volCap, req.GetSecrets()); err != nil { return nil, status.Errorf(codes.Internal, "failed to mount nfs server for snapshot deletion: %v", err) } defer func() { @@ -477,7 +477,7 @@ func (cs *ControllerServer) ControllerExpandVolume(_ context.Context, req *csi.C } // Mount nfs server at base-dir -func (cs *ControllerServer) internalMount(ctx context.Context, vol *nfsVolume, volumeContext map[string]string, volCap *csi.VolumeCapability) error { +func (cs *ControllerServer) internalMount(ctx context.Context, vol *nfsVolume, volumeContext map[string]string, volCap *csi.VolumeCapability, secrets map[string]string) error { if volCap == nil { volCap = &csi.VolumeCapability{ AccessType: &csi.VolumeCapability_Mount{ 
@@ -506,6 +506,7 @@ func (cs *ControllerServer) internalMount(ctx context.Context, vol *nfsVolume, v VolumeContext: volContext, VolumeCapability: volCap, VolumeId: vol.id, + Secrets: secrets, }) return err } @@ -535,7 +536,7 @@ func (cs *ControllerServer) copyFromSnapshot(ctx context.Context, req *csi.Creat volCap = req.GetVolumeCapabilities()[0] } - if err = cs.internalMount(ctx, snapVol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, snapVol, nil, volCap, req.GetSecrets()); err != nil { return status.Errorf(codes.Internal, "failed to mount src nfs server for snapshot volume copy: %v", err) } defer func() { @@ -543,7 +544,7 @@ func (cs *ControllerServer) copyFromSnapshot(ctx context.Context, req *csi.Creat klog.Warningf("failed to unmount src nfs server after snapshot volume copy: %v", err) } }() - if err = cs.internalMount(ctx, dstVol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, dstVol, nil, volCap, req.GetSecrets()); err != nil { return status.Errorf(codes.Internal, "failed to mount dst nfs server for snapshot volume copy: %v", err) } defer func() { @@ -584,7 +585,7 @@ func (cs *ControllerServer) copyFromVolume(ctx context.Context, req *csi.CreateV if len(req.GetVolumeCapabilities()) > 0 { volCap = req.GetVolumeCapabilities()[0] } - if err = cs.internalMount(ctx, srcVol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, srcVol, nil, volCap, req.GetSecrets()); err != nil { return status.Errorf(codes.Internal, "failed to mount src nfs server: %v", err) } defer func() { @@ -592,7 +593,7 @@ func (cs *ControllerServer) copyFromVolume(ctx context.Context, req *csi.CreateV klog.Warningf("failed to unmount nfs server: %v", err) } }() - if err = cs.internalMount(ctx, dstVol, nil, volCap); err != nil { + if err = cs.internalMount(ctx, dstVol, nil, volCap, req.GetSecrets()); err != nil { return status.Errorf(codes.Internal, "failed to mount dst nfs server: %v", err) } defer func() { 
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index c3347090a..78d110716 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go @@ -42,7 +42,7 @@ type NodeServer struct { } // NodePublishVolume mount the volume -func (ns *NodeServer) NodePublishVolume(_ context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) { +func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublishVolumeRequest) (*csi.NodePublishVolumeResponse, error) { volCap := req.GetVolumeCapability() if volCap == nil { return nil, status.Error(codes.InvalidArgument, "Volume capability missing in request") From 41ead104bdbf2344ce0c775cbb7c48c4380fe0f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Sat, 1 Nov 2025 00:13:14 -0400 Subject: [PATCH 04/24] refactor: modify `NodePublishVolume` to invoke `kinit` if kerberos credentials are provided --- pkg/nfs/nodeserver.go | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index 78d110716..298dfd05e 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go @@ -17,8 +17,10 @@ limitations under the License. package nfs import ( + "bytes" "fmt" "os" + "os/exec" "strconv" "strings" "time" 
@@ -139,6 +141,34 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 klog.V(2).Infof("NodePublishVolume: volumeID(%v) source(%s) targetPath(%s) mountflags(%v)", volumeID, source, targetPath, mountOptions)
 execFunc := func() error {
+ if krbPrinc != "" && krbPwd != "" {
+ klog.V(3).Infof("Setting up kerberos auth with principal '%s' and password '%s'", krbPrinc, krbPwd)
+ _, err := os.Stat("/etc/krb5.keytab")
+ // initialize keytab if it doesn't exist
+ if err != nil && os.IsNotExist(err) {
+ cmd := exec.CommandContext(ctx, "ktutil")
+ cmd.Stdin = bytes.NewBufferString(fmt.Sprintf("addent -p %s -password -k 1 -f\n%s\nwkt /etc/krb5.keytab", krbPrinc, krbPwd))
+ if err := cmd.Run(); err != nil {
+ return err
+ }
+ }
+ // obtain kerberos TGT
+ cmd := exec.CommandContext(ctx, "kinit", krbPrinc)
+ cmd.Stdin = bytes.NewBufferString(krbPwd + "\n")
+ if err := cmd.Run(); err != nil {
+ return err
+ }
+ // initialize credentials from keytab
+ cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
+ stderr, err := cmd.StderrPipe()
+ if err != nil {
+ return err
+ }
+ if err := cmd.Run(); err != nil {
+ klog.Errorf("%+v", err)
+ return err
+ }
+ }
 return ns.mounter.Mount(source, targetPath, "nfs", mountOptions)
 }
 timeoutFunc := func() error { return fmt.Errorf("time out") }
From 8a474caac116e9b09a3aee1a0b01a92f62f639d9 Mon Sep 17 00:00:00 2001
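Review bot: The `klog.V(3).Infof` line at the top of the new block writes the Kerberos password to the driver log in clear text, so anyone who can read the node pod's logs or a downstream log aggregator obtains the credential; log the principal only, `klog.V(3).Infof("Setting up kerberos auth with principal %q", krbPrinc)`. The same principal and password are interpolated into the ktutil script via fmt.Sprintf, and ktutil takes one command per line, so a value containing a newline would be read as additional commands — rejecting values that contain `\n` before this point closes that. The keytab is written only when /etc/krb5.keytab does not yet exist, so the first principal published on a node becomes the only entry and a later volume with a different principal fails at `kinit -k`; the password-based `kinit` just before it also looks redundant, since the keytab-based call replaces the credential cache it produced. The declared `stderr` is never read, which does not compile as written. NodePublishVolume begins and ends outside this hunk.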
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Mon, 3 Nov 2025 18:57:58 -0500 Subject: [PATCH 05/24] refactor: update dockerfile - change base image to `debian:stable-slim` justification: services cannot be started due to missing file `/lib/lsb/init-functions` - invoke a script (`entry.sh`) that then invokes `/nfsplugin` with any passed args. justification: this is so we can start necessary services (`rpcbind` and `nfs-common`) if and only if we're in the controller pod. - set `entry.sh` as the entrypoint --- Dockerfile | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a33db4c88..070b39c6d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,13 +12,13 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM registry.k8s.io/build-image/debian-base:bookworm-v1.0.6 +FROM debian:stable-slim ARG ARCH ARG binary=./bin/${ARCH}/nfsplugin COPY ${binary} /nfsplugin -RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && clean-install ca-certificates mount nfs-common netbase krb5-user +RUN apt update && apt upgrade -y && apt-mark unhold libcap2 && apt-get install -y --reinstall --purge ca-certificates mount nfs-common netbase krb5-user lsb-base bash RUN cat > /etc/default/nfs-common < /usr/local/bin/entry.sh <<'EOF' +#!/bin/sh +set -x + +if [ "$1" = "true" ]; then + shift 1 + service rpcbind start + service nfs-common start +fi + +/nfsplugin $@ +EOF +RUN chmod +x /usr/local/bin/entry.sh + +ENTRYPOINT ["entry.sh"] From ae1b082acbc84ce62f052f1ae7a5e7192c44409f Mon Sep 17 00:00:00 2001 
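Review bot: `/nfsplugin $@` in the entry.sh heredoc passes the container arguments unquoted, so any argument containing whitespace or a glob character is re-split or expanded by the shell before the plugin sees it, and because the plugin is not `exec`'d the shell stays PID 1 and termination signals from the kubelet are not forwarded to the plugin; `exec /nfsplugin "$@"` addresses both. `set -x` at the top of the script echoes every command and its arguments to the container log, which is a debugging aid rather than something to ship in the image. The heredoc bodies appear truncated in this rendering, so the rest of the script and the nfs-common defaults could not be checked.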
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Mon, 3 Nov 2025 19:00:10 -0500 Subject: [PATCH 06/24] refactor(examples): add deployment example for an nfs server with kerberos auth --- .../nfs-provisioner/nfs-krb-server.yaml | 82 +++++++++++++++++++ 1 file changed, 82 insertions(+) create mode 100644 deploy/example/nfs-provisioner/nfs-krb-server.yaml diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml new file mode 100644 index 000000000..e36138ede --- /dev/null +++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml 
@@ -0,0 +1,82 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: nfs-krb-server + namespace: default + labels: + app: nfs-krb-server +spec: + type: ClusterIP # use "LoadBalancer" to get a public ip + selector: + app: nfs-krb-server + ports: + - name: tcp-2049 + port: 2049 + protocol: TCP + - name: udp-111 + port: 111 + protocol: UDP + - name: tcp-88 + port: 88 + protocol: TCP + - name: tcp-749 + port: 749 + protocol: TCP +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + name: nfs-krb-server + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: nfs-krb-server + template: + metadata: + name: nfs-krb-server + labels: + app: nfs-krb-server + spec: + nodeSelector: + "kubernetes.io/os": linux + containers: + - name: nfs-krb-server + image: docker.io/thealmightydrawingtablet/nfs-krb:alpine + env: + - name: SHARED_DIRECTORY + value: "/srv/shared" + - name: NFS_KRB_REALM + value: NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL + - name: NFS_KRB_PRINC + value: nfs/nfs-krb-server.default.svc.cluster.local + - name: NFS_KRB_PWD + valueFrom: + secretKeyRef: + name: krb-pwd + key: value + volumeMounts: + - mountPath: /srv/shared + name: nfs-vol + securityContext: + privileged: true + ports: + - name: tcp-2049 + containerPort: 2049 + protocol: TCP + - name: udp-111 + containerPort: 111 + protocol: UDP + - name: tcp-88 + containerPort: 88 + protocol: TCP + - name: tcp-749 + containerPort: 749 + protocol: TCP + volumes: + - name: nfs-vol + hostPath: + path: /srv/nfs-krb-vol # modify this to specify another path to store nfs share data + type: DirectoryOrCreate From c377d73bcba09df8cf69b5b2b4b8ce419c646fd8 Mon Sep 17 00:00:00 2001 
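Review bot: The example Deployment pulls `docker.io/thealmightydrawingtablet/nfs-krb:alpine` — a mutable tag from a personal registry namespace — and runs it with `privileged: true`, and the Makefile change later in this series applies this manifest during test setup, so CI executes whatever that tag resolves to at the time with full node privileges. Pin the image by digest and host it under a project-controlled registry before the tests depend on it, or mark the manifest as a demo-only example with a comment. A comment on the Service explaining why port 749 (kadmin) is exposed alongside 88 and the NFS ports would also help anyone adapting the example.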
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Mon, 3 Nov 2025 19:06:18 -0500 Subject: [PATCH 07/24] refactor(charts): invoke controller pod's entrypoint with `true` as the first argument this is to tell the script that we're running as a controller, so the necessary services can be started --- charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml | 1 + deploy/csi-nfs-controller.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml index f4b9dd7c7..bf7ce9158 100644 --- a/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml +++ b/charts/latest/csi-driver-nfs/templates/csi-nfs-controller.yaml @@ -174,6 +174,7 @@ spec: allowPrivilegeEscalation: true imagePullPolicy: {{ .Values.image.nfs.pullPolicy }} args: + - 'true' # needed to distinguish controller from node - "--v={{ .Values.controller.logLevel }}" - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" diff --git a/deploy/csi-nfs-controller.yaml b/deploy/csi-nfs-controller.yaml index 234970d3c..79d43c6a7 100644 --- a/deploy/csi-nfs-controller.yaml +++ b/deploy/csi-nfs-controller.yaml @@ -157,6 +157,7 @@ spec: allowPrivilegeEscalation: true imagePullPolicy: IfNotPresent args: + - "true" - "-v=5" - "--nodeid=$(NODE_ID)" - "--endpoint=$(CSI_ENDPOINT)" From c466707f8addcc05b183d9af6780bfe2cd5124e5 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Mon, 3 Nov 2025 19:11:24 -0500 Subject: [PATCH 08/24] test: add tests for mounting shares with kerberos auth --- test/e2e/dynamic_provisioning_test.go | 23 ++++++++++ test/e2e/e2e_suite_test.go | 10 ++++ ...dynamically_provisioned_krb_auth_volume.go | 46 +++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 test/e2e/testsuites/dynamically_provisioned_krb_auth_volume.go diff --git a/test/e2e/dynamic_provisioning_test.go b/test/e2e/dynamic_provisioning_test.go index 542e449d1..c91752f70 100644 --- a/test/e2e/dynamic_provisioning_test.go +++ b/test/e2e/dynamic_provisioning_test.go @@ -52,6 +52,29 @@ var _ = ginkgo.Describe("Dynamic Provisioning", func() { }) testDriver = driver.InitNFSDriver() + ginkgo.It("should create a volume with kerberos auth", func(ctx ginkgo.SpecContext) { + pods := []testsuites.PodDetails{ + { + Cmd: "echo 'hello world' > /mnt/test-1/data && grep 'hello world' /mnt/test-1/data", + Volumes: []testsuites.VolumeDetails{ + { + ClaimSize: "1Gi", + VolumeMount: testsuites.VolumeMountDetails{ + NameGenerate: "test-volume-", + MountPathGenerate: "/mnt/test-", + }, + MountOptions: []string{"sec=krb5", "noresvport", "nfsvers=4"}, + }, + }, + }, + } + test := testsuites.DynamicallyProvisionedVolumeWithKerberosAuth{ + Pods: pods, + StorageClassParameters: krbStorageClassParameters, + Driver: testDriver, + } + test.Run(ctx, cs, ns) + }) ginkgo.It("should create a volume on demand with mount options", func(ctx ginkgo.SpecContext) { pods := []testsuites.PodDetails{ { diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go index 906320270..122eb7309 100644 --- a/test/e2e/e2e_suite_test.go +++ b/test/e2e/e2e_suite_test.go 
@@ -92,6 +92,16 @@ var ( "mountPermissions": "0755", "onDelete": "archive", } + krbStorageClassParameters = map[string]string{ + "server": "nfs-krb-server.default.svc.cluster.local", + "share": "/srv/shared", + "csi.storage.k8s.io/provisioner-secret-namespace": "default", + "csi.storage.k8s.io/provisioner-secret-name": "mount-options", + "mountPermissions": "0755", + "authPasswordSecret": "krb-pwd", + "authPrincipal": "nfs/nfs-krb-server.default.svc.cluster.local@NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL", + } + controllerServer *nfs.ControllerServer ) diff --git a/test/e2e/testsuites/dynamically_provisioned_krb_auth_volume.go b/test/e2e/testsuites/dynamically_provisioned_krb_auth_volume.go new file mode 100644 index 000000000..aa03fa493 --- /dev/null +++ b/test/e2e/testsuites/dynamically_provisioned_krb_auth_volume.go 
@@ -0,0 +1,46 @@ +/* +Copyright 2025 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package testsuites + +import ( + "context" + + "github.com/kubernetes-csi/csi-driver-nfs/test/e2e/driver" + "github.com/onsi/ginkgo/v2" + v1 "k8s.io/api/core/v1" + clientset "k8s.io/client-go/kubernetes" +) + +type DynamicallyProvisionedVolumeWithKerberosAuth struct { + Driver driver.DynamicPVTestDriver + Pods []PodDetails + StorageClassParameters map[string]string +} + +func (t *DynamicallyProvisionedVolumeWithKerberosAuth) Run(ctx context.Context, client clientset.Interface, namespace *v1.Namespace) { + for _, pod := range t.Pods { + tpod, cleanup := pod.SetupWithDynamicVolumes(ctx, client, namespace, t.Driver, t.StorageClassParameters) + for i := range cleanup { + defer cleanup[i](ctx) + } + ginkgo.By("deploying the pod") + tpod.Create(ctx) + defer tpod.Cleanup(ctx) + ginkgo.By("checking that the pods command exits with no error") + tpod.WaitForSuccess(ctx) + } +} From f63481829d10f266f2324087015c4b02e07aba23 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Mon, 3 Nov 2025 19:15:03 -0500 Subject: [PATCH 09/24] chore: update `install-nfs-server` makefile goal - apply the kerberos nfs server deployment with `kubectl` - add a `krb-pwd` key to the `mount-options` secret, which will be used to authenticate with the share in tests --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index de5708af4..10a471c57 100644 --- a/Makefile +++ b/Makefile @@ -131,8 +131,9 @@ endif .PHONY: install-nfs-server install-nfs-server: kubectl apply -f ./deploy/example/nfs-provisioner/nfs-server.yaml + kubectl apply -f ./deploy/example/nfs-provisioner/nfs-krb-server.yaml kubectl delete secret mount-options -n default --ignore-not-found - kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" -n default + kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" --from-literal krb-pwd='password!' -n default .PHONY: install-helm install-helm: From 903cfea45b84fd6545aafba3262c23cf2ececac2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Tue, 4 Nov 2025 20:55:28 -0500 Subject: [PATCH 10/24] refactor: add `authKrbConf` mount parameter allows an end user to specify a secret which contains contents of a kerberos 5 configuration file that specifies how to connect to one or more realms --- Makefile | 2 +- pkg/nfs/controllerserver.go | 3 ++- pkg/nfs/nfs.go | 3 +++ pkg/nfs/nodeserver.go | 11 +++++++++-- test/e2e/e2e_suite_test.go | 1 + test/krb5.conf | 13 +++++++++++++ 6 files changed, 29 insertions(+), 4 deletions(-) create mode 100644 test/krb5.conf diff --git a/Makefile b/Makefile index 10a471c57..3956f6820 100644 --- a/Makefile +++ b/Makefile 
@@ -133,7 +133,7 @@ install-nfs-server: kubectl apply -f ./deploy/example/nfs-provisioner/nfs-server.yaml kubectl apply -f ./deploy/example/nfs-provisioner/nfs-krb-server.yaml kubectl delete secret mount-options -n default --ignore-not-found - kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" --from-literal krb-pwd='password!' -n default + kubectl create secret generic mount-options --from-literal mountOptions="nfsvers=4.1" --from-literal krb-pwd='password!' --from-file=krb5.conf=./test/krb5.conf -n default .PHONY: install-helm install-helm: diff --git a/pkg/nfs/controllerserver.go b/pkg/nfs/controllerserver.go index 96a9ea7ea..808bead1b 100644 --- a/pkg/nfs/controllerserver.go +++ b/pkg/nfs/controllerserver.go @@ -142,6 +142,7 @@ func (cs *ControllerServer) CreateVolume(ctx context.Context, req *csi.CreateVol case pvNameKey: case paramKrbPrincipal: case paramKrbPasswordSecret: + case paramKrbConf: // no op case mountPermissionsField: if v != "" { @@ -506,7 +507,7 @@ func (cs *ControllerServer) internalMount(ctx context.Context, vol *nfsVolume, v VolumeContext: volContext, VolumeCapability: volCap, VolumeId: vol.id, - Secrets: secrets, + Secrets: secrets, }) return err } diff --git a/pkg/nfs/nfs.go b/pkg/nfs/nfs.go index aac6c8540..473d379a7 100644 --- a/pkg/nfs/nfs.go +++ b/pkg/nfs/nfs.go @@ -79,6 +79,9 @@ const ( paramKrbPrincipal = "authprincipal" // name of a secret containing the Kerberos password to use when authenticating paramKrbPasswordSecret = "authpasswordsecret" + // name of a secret containing the contents of a krb5.conf file with + // realm and/or KDC information + paramKrbConf = "authkrbconf" paramOnDelete = "ondelete" mountOptionsField = "mountoptions" mountPermissionsField = "mountpermissions" diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index 298dfd05e..4342fb312 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go 
@@ -70,7 +70,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis } var server, baseDir, subDir string - var krbPwd, krbPrinc string + var krbPwd, krbPrinc, krbConf string subDirReplaceMap := map[string]string{} mountPermissions := ns.Driver.mountPermissions @@ -88,6 +88,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis if v != "" { krbPwd = req.GetSecrets()[v] } + case paramKrbConf: + if v != "" { + krbConf = req.GetSecrets()[v] + } case pvcNamespaceKey: subDirReplaceMap[pvcNamespaceMetadata] = v case pvcNameKey: @@ -138,7 +142,10 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis if !notMnt { return &csi.NodePublishVolumeResponse{}, nil } - + + if krbConf != "" { + os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775) + } klog.V(2).Infof("NodePublishVolume: volumeID(%v) source(%s) targetPath(%s) mountflags(%v)", volumeID, source, targetPath, mountOptions) execFunc := func() error { if krbPrinc != "" && krbPwd != "" { diff --git a/test/e2e/e2e_suite_test.go b/test/e2e/e2e_suite_test.go index 122eb7309..056f1e9cf 100644 --- a/test/e2e/e2e_suite_test.go +++ b/test/e2e/e2e_suite_test.go @@ -98,6 +98,7 @@ var ( "csi.storage.k8s.io/provisioner-secret-namespace": "default", "csi.storage.k8s.io/provisioner-secret-name": "mount-options", "mountPermissions": "0755", + "authKrbConf": "krb5.conf", "authPasswordSecret": "krb-pwd", "authPrincipal": "nfs/nfs-krb-server.default.svc.cluster.local@NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL", } diff --git a/test/krb5.conf b/test/krb5.conf new file mode 100644 index 000000000..609cd63fd --- /dev/null +++ b/test/krb5.conf 
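Review bot: The `os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775)` line in the third nodeserver.go hunk replaces the node-wide Kerberos configuration with the contents of a per-volume secret on every publish, so two volumes on one node that reference different realms or KDCs overwrite each other's settings, and the file is created with execute bits that a configuration file does not need; `0644` is the conventional mode. The error returned by WriteFile is discarded here, so a failed write is only noticed when `kinit` later fails with an unrelated-looking message. The later hunk in this series that wraps the call in an error check keeps the `0775` mode and the node-wide overwrite. NodePublishVolume begins and ends outside this hunk.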
@@ -0,0 +1,13 @@
+[libdefaults]
+default_realm = NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL
+
+[realms]
+NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL = {
+ tkdc = nfs-krb-server.default.svc.cluster.local
+ tadmin_server = nfs-krb-server.default.svc.cluster.local
+}
+
+[logging]
+kdc = FILE:/var/log/krb5kdc.log
+admin_server = FILE:/var/log/kadmin.log
+default = FILE:/var/log/krb5lib.log
From 250ff6d4372cd2865cffe745402dae385e60c1cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Wed, 5 Nov 2025 13:18:08 -0500
Subject: [PATCH 11/24] fix: unused variable error
---
 pkg/nfs/nodeserver.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index 4342fb312..e4f055afa 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
@@ -167,7 +167,6 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 }
 // initialize credentials from keytab
 cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
- stderr, err := cmd.StderrPipe()
 if err != nil {
 return err
 }
From 714dfa5bfeda4fc2571f26a926eb8e33eaabca8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Wed, 5 Nov 2025 13:38:52 -0500
Subject: [PATCH 12/24] style: run gofmt
---
 pkg/nfs/nfs.go | 18 +++++++++---------
 pkg/nfs/nodeserver.go | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/pkg/nfs/nfs.go b/pkg/nfs/nfs.go
index 473d379a7..ef2dc3a72 100644
--- a/pkg/nfs/nfs.go
+++ b/pkg/nfs/nfs.go
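Review bot: With the StderrPipe line removed, the `if err != nil { return err }` that follows `cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)` now tests the `err` left over from the earlier `_, err := os.Stat("/etc/krb5.keytab")` rather than anything kinit did. On the path where the keytab did not exist — the case the ktutil step was added for — that err is the not-exist error, so the closure returns it after the keytab has been written and a TGT obtained, and the mount is never attempted. Those three lines should be deleted together with the pipe; the `cmd.Run()` check that follows already reports kinit's failure. NodePublishVolume begins and ends outside this hunk.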
@@ -82,15 +82,15 @@ const ( // name of a secret containing the contents of a krb5.conf file with // realm and/or KDC information paramKrbConf = "authkrbconf" - paramOnDelete = "ondelete" - mountOptionsField = "mountoptions" - mountPermissionsField = "mountpermissions" - pvcNameKey = "csi.storage.k8s.io/pvc/name" - pvcNamespaceKey = "csi.storage.k8s.io/pvc/namespace" - pvNameKey = "csi.storage.k8s.io/pv/name" - pvcNameMetadata = "${pvc.metadata.name}" - pvcNamespaceMetadata = "${pvc.metadata.namespace}" - pvNameMetadata = "${pv.metadata.name}" + paramOnDelete = "ondelete" + mountOptionsField = "mountoptions" + mountPermissionsField = "mountpermissions" + pvcNameKey = "csi.storage.k8s.io/pvc/name" + pvcNamespaceKey = "csi.storage.k8s.io/pvc/namespace" + pvNameKey = "csi.storage.k8s.io/pv/name" + pvcNameMetadata = "${pvc.metadata.name}" + pvcNamespaceMetadata = "${pvc.metadata.namespace}" + pvNameMetadata = "${pv.metadata.name}" ) func NewDriver(options *DriverOptions) *Driver { diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go index e4f055afa..0c1ab6a21 100644 --- a/pkg/nfs/nodeserver.go +++ b/pkg/nfs/nodeserver.go @@ -142,7 +142,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis if !notMnt { return &csi.NodePublishVolumeResponse{}, nil } - + if krbConf != "" { os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775) } From ed9596aee232536ac0084ca4658a185e597d5b12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Wed, 5 Nov 2025 17:29:33 -0500 Subject: [PATCH 13/24] chore: fix invalid krb5.conf --- test/krb5.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/krb5.conf b/test/krb5.conf index 609cd63fd..1f0cd43de 100644 --- a/test/krb5.conf +++ b/test/krb5.conf 
@@ -3,8 +3,8 @@ default_realm = NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL [realms] NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL = { - tkdc = nfs-krb-server.default.svc.cluster.local - tadmin_server = nfs-krb-server.default.svc.cluster.local + kdc = nfs-krb-server.default.svc.cluster.local + admin_server = nfs-krb-server.default.svc.cluster.local } [logging] From afbbd54d3112becba85ad1c3be3acc81bba68e56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Wed, 5 Nov 2025 18:34:42 -0500 Subject: [PATCH 14/24] fix: add `sleep 5` to Dockerfile ensure that `nfs-common` daemons have been started properly --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 070b39c6d..050a3d733 100644 --- a/Dockerfile +++ b/Dockerfile @@ -36,6 +36,7 @@ if [ "$1" = "true" ]; then shift 1 service rpcbind start service nfs-common start + sleep 5 fi /nfsplugin $@ From 530c840591dc38ae5dc01cb012ccced240aa5e2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?= Date: Wed, 5 Nov 2025 19:45:07 -0500 Subject: [PATCH 15/24] fix: update `deploy/example/nfs-provisioner/nfs-krb-server.yaml` fix reference to secret that doesn't exist in CI environment --- deploy/example/nfs-provisioner/nfs-krb-server.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml index e36138ede..7ad92ffd6 100644 --- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml +++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml @@ -55,8 +55,8 @@ spec: - name: NFS_KRB_PWD valueFrom: secretKeyRef: - name: krb-pwd - key: value + name: mount-options + key: krb-pwd volumeMounts: - mountPath: /srv/shared name: nfs-vol From c72a7fe9a2f4de0d3bd70f8881c9d9ade371025b Mon Sep 17 00:00:00 2001 
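Review bot: The added `sleep 5` is a fixed delay rather than a readiness check, so on a slow node `/nfsplugin` can still start before rpcbind and the nfs-common daemons are listening, and on a fast one every container start pays five idle seconds. A bounded poll such as `for i in $(seq 1 30); do rpcinfo -p >/dev/null 2>&1 && break; sleep 1; done` at least confirms rpcbind is answering before the plugin starts (on Debian-based images rpcinfo comes with the rpcbind package that nfs-common pulls in). While here, `/nfsplugin $@` on the last line of the hunk should be `/nfsplugin "$@"` so arguments containing spaces survive the wrapper.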
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Thu, 6 Nov 2025 17:18:43 -0500
Subject: [PATCH 16/24] refactor: handle error returned by `os.WriteFile`
---
 pkg/nfs/nodeserver.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index 0c1ab6a21..b358ba01a 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
@@ -144,7 +144,9 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 }

 if krbConf != "" {
- os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775)
+ if err = os.WriteFile("/etc/krb5.conf", []byte(krbConf), 0775); err != nil {
+ return nil, status.Error(codes.Internal, err.Error())
+ }
 }
 klog.V(2).Infof("NodePublishVolume: volumeID(%v) source(%s) targetPath(%s) mountflags(%v)", volumeID, source, targetPath, mountOptions)
 execFunc := func() error {
From f9351ae439543023c54d0bdc3ae626fd11fd5ced Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Thu, 6 Nov 2025 21:37:02 -0500
Subject: [PATCH 17/24] refactor: update nodeserver.go add more detailed error logging during kerberos auth phase
---
 pkg/nfs/nodeserver.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index b358ba01a..20c766033 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
@@ -158,6 +158,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 cmd := exec.CommandContext(ctx, "ktutil")
 cmd.Stdin = bytes.NewBufferString(fmt.Sprintf("addent -p %s -password -k 1 -f\n%s\nwkt /etc/krb5.keytab", krbPrinc, krbPwd))
 if err := cmd.Run(); err != nil {
+ klog.Errorf("error running 'ktutil': %+v", err)
 return err
 }
 }
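Review bot: The write to `/etc/krb5.conf` now fails loudly, but `0775` sets execute bits on a configuration file where `0o644` is the conventional mode and is all rpc.gssd and the kinit/ktutil children need to read it. The larger point is that a node-global file is rewritten from a per-volume value (the secret named by the `authkrbconf` parameter), so two NodePublishVolume calls for volumes with different contents race and the last writer decides the realm and KDC configuration used by every Kerberos-mounted volume on the node. If a single cluster-wide Kerberos configuration is the intended model, say so in a comment above `if krbConf != ""`; if not, the write and the ktutil/kinit sequence that follows should run under a mutex on NodeServer and the file should be replaced atomically (write a temp file in /etc, then `os.Rename` over the target). NodePublishVolume starts and ends outside this hunk.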
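Review bot: The `ktutil` script on the line above the new log call is assembled with `fmt.Sprintf("addent -p %s -password -k 1 -f\n%s\nwkt /etc/krb5.keytab", krbPrinc, krbPwd)`, and `krbPrinc` is a volume parameter, so a value containing whitespace or a newline changes the command sequence ktutil executes instead of failing cleanly. Validate both inputs before building the script, e.g. `if strings.ContainsAny(krbPrinc, " \t\r\n") || strings.ContainsAny(krbPwd, "\r\n") { return status.Error(codes.InvalidArgument, "invalid characters in kerberos principal or password") }` (a newline in the password would also truncate it at that point). The kvno is hard-coded as `-k 1`; a comment should state that the KDC entry is expected at kvno 1, because a mismatch is what makes the later `kinit -k` fail. Logging `%+v` of the `*exec.ExitError` is safe here, since it carries only the exit status and the password never appears in argv, but the same last-writer-wins concern as for `/etc/krb5.conf` applies to `wkt /etc/krb5.keytab`. execFunc and NodePublishVolume both continue outside the hunk.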
@@ -165,15 +166,13 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 cmd := exec.CommandContext(ctx, "kinit", krbPrinc)
 cmd.Stdin = bytes.NewBufferString(krbPwd + "\n")
 if err := cmd.Run(); err != nil {
+ klog.Errorf("error running 'kinit': %+v", err)
 return err
 }
 // initialize credentials from keytab
- cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
- if err != nil {
- return err
- }
+ cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
 if err := cmd.Run(); err != nil {
- klog.Errorf("%+v", err)
+ klog.Errorf("error running 'kinit -k': %+v", err)
 return err
 }
 }
From 8c629801cdbd0a05feaa2e80b23cd9ae36e529a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Thu, 6 Nov 2025 22:21:53 -0500
Subject: [PATCH 18/24] style: run gofmt
---
 pkg/nfs/nodeserver.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index 20c766033..a1b6d140b 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
@@ -170,7 +170,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 return err
 }
 // initialize credentials from keytab
- cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
+ cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
 if err := cmd.Run(); err != nil {
 klog.Errorf("error running 'kinit -k': %+v", err)
 return err
From f29f24c908fdc0d8d72514aa38e456a50c7f3102 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Mon, 10 Nov 2025 14:50:36 -0500
Subject: [PATCH 19/24] fix: update `nfs-krb-server` example deployment open/expose tcp port 111
---
 deploy/example/nfs-provisioner/nfs-krb-server.yaml | 3 +++
 1 file changed, 3 insertions(+)
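Review bot: Both `kinit` calls in this hunk write the default credential cache, so the ticket obtained with the password on the first line is discarded moments later when `kinit -k krbPrinc` re-initialises the cache from the keytab; the password-based call therefore serves only as a live credential check against the KDC. Either drop it or document the intent with a comment above the first `cmd :=`, e.g. `// password kinit verifies the credentials against the KDC; kinit -k then re-initialises the cache from the keytab (presumably what rpc.gssd uses for the mount)`. The new messages beat the bare `%+v`, but an exit status alone rarely explains a Kerberos failure; setting `cmd.Stderr = &stderr` on a `bytes.Buffer` (`bytes` is already in use for stdin) and including `stderr.String()` in the log line would make them actionable. execFunc and NodePublishVolume both continue outside the hunk.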
diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
index 7ad92ffd6..0ec0c4c18 100644
--- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
@@ -69,6 +69,9 @@ spec:
 - name: udp-111
 containerPort: 111
 protocol: UDP
+ - name: tcp-111
+ containerPort: 111
+ protocol: TCP
 - name: tcp-88
 containerPort: 88
 protocol: TCP
From 2a4e0cdefbafa9aa7c1d192f4efdef8ec4fcead9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Mon, 10 Nov 2025 21:49:41 -0500
Subject: [PATCH 20/24] refactor: output more logs on the kerberos server pod
---
 deploy/example/nfs-provisioner/nfs-krb-server.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
index 0ec0c4c18..a3cc20e39 100644
--- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
@@ -45,6 +45,10 @@ spec:
 containers:
 - name: nfs-krb-server
 image: docker.io/thealmightydrawingtablet/nfs-krb:alpine
+ command:
+ - bash
+ - -c
+ - "./init.sh & sleep 10; tail -f /var/log/messages /var/log/rpc-gssd.log /var/log/gssd.log"
 env:
 - name: SHARED_DIRECTORY
 value: "/srv/shared"
From d615d7f0911f33cfec6bc72fc8e51b1d9ca7af1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Mon, 10 Nov 2025 22:35:53 -0500
Subject: [PATCH 21/24] style: appease yaml linter
---
 deploy/example/nfs-provisioner/nfs-krb-server.yaml | 11 ++++++-----
 deploy/example/nfs-provisioner/nfs-server.yaml | 4 ++--
 deploy/example/nfs-provisioner/nginx-pod.yaml | 11 ++++-------
 3 files changed, 12 insertions(+), 14 deletions(-)
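Review bot: The new `command` backgrounds `./init.sh` and makes `tail -f` the container's main process, so the pod stays Running (and Ready, since no probe is defined) even if init.sh and the KDC/NFS daemons it starts exit, and `sleep 10` is another timing guess rather than a readiness signal. For a CI example that may be acceptable, but a comment above `command:` should say that this overrides the image's entrypoint only to surface logs and is not a recommended way to run the server. A `readinessProbe` with `tcpSocket` on the KDC port 88 would let the pod's status reflect whether the services actually came up.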
diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
index a3cc20e39..37dc72e08 100644
--- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
@@ -22,7 +22,7 @@ spec:
 protocol: TCP
 - name: tcp-749
 port: 749
- protocol: TCP
+ protocol: TCP
 ---
 kind: Deployment
 apiVersion: apps/v1
@@ -41,17 +41,18 @@ spec:
 app: nfs-krb-server
 spec:
 nodeSelector:
- "kubernetes.io/os": linux
+ kubernetes.io/os: linux
 containers:
 - name: nfs-krb-server
 image: docker.io/thealmightydrawingtablet/nfs-krb:alpine
 command:
 - bash
 - -c
- - "./init.sh & sleep 10; tail -f /var/log/messages /var/log/rpc-gssd.log /var/log/gssd.log"
+ - ./init.sh & sleep 10; tail -f /var/log/messages /var/log/rpc-gssd.log
+ /var/log/gssd.log
 env:
 - name: SHARED_DIRECTORY
- value: "/srv/shared"
+ value: /srv/shared
 - name: NFS_KRB_REALM
 value: NFS-KRB-SERVER.DEFAULT.SVC.CLUSTER.LOCAL
 - name: NFS_KRB_PRINC
@@ -59,7 +60,7 @@ spec:
 - name: NFS_KRB_PWD
 valueFrom:
 secretKeyRef:
- name: mount-options
+ name: mount-options
 key: krb-pwd
 volumeMounts:
 - mountPath: /srv/shared
diff --git a/deploy/example/nfs-provisioner/nfs-server.yaml b/deploy/example/nfs-provisioner/nfs-server.yaml
index 54c16a036..a4629d565 100644
--- a/deploy/example/nfs-provisioner/nfs-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-server.yaml
@@ -35,13 +35,13 @@ spec:
 app: nfs-server
 spec:
 nodeSelector:
- "kubernetes.io/os": linux
+ kubernetes.io/os: linux
 containers:
 - name: nfs-server
 image: itsthenetwork/nfs-server-alpine:latest
 env:
 - name: SHARED_DIRECTORY
- value: "/exports"
+ value: /exports
 volumeMounts:
 - mountPath: /exports
 name: nfs-vol
diff --git a/deploy/example/nfs-provisioner/nginx-pod.yaml b/deploy/example/nfs-provisioner/nginx-pod.yaml
index 6766ad060..71752aa55 100644
--- a/deploy/example/nfs-provisioner/nginx-pod.yaml
+++ b/deploy/example/nfs-provisioner/nginx-pod.yaml
@@ -9,11 +9,9 @@ metadata:
 spec:
 capacity:
 storage: 10Gi
- accessModes:
- - ReadWriteOnce
+ accessModes: [ReadWriteOnce]
 persistentVolumeReclaimPolicy: Delete
- mountOptions:
- - nfsvers=4.1
+ mountOptions: [nfsvers=4.1]
 csi:
 driver: nfs.csi.k8s.io
 # volumeHandle format: {nfs-server-address}#{sub-dir-name}#{share-name}
@@ -29,13 +27,12 @@ metadata:
 name: pvc-nginx
 namespace: default
 spec:
- accessModes:
- - ReadWriteOnce
+ accessModes: [ReadWriteOnce]
 resources:
 requests:
 storage: 10Gi
 volumeName: pv-nginx
- storageClassName: ""
+ storageClassName: ''
 ---
 apiVersion: v1
 kind: Pod
From 13221c1916c2d348856d0f8947dfb07d78217e02 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Mon, 10 Nov 2025 23:30:43 -0500
Subject: [PATCH 22/24] refactor: update `nfs-krb-server.yaml` use ubuntu nfs-krb image instead of alpine to maybe fix timeouts
---
 deploy/example/nfs-provisioner/nfs-krb-server.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
index 37dc72e08..c4a2bb8d8 100644
--- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
@@ -44,12 +44,11 @@ spec:
 kubernetes.io/os: linux
 containers:
 - name: nfs-krb-server
- image: docker.io/thealmightydrawingtablet/nfs-krb:alpine
+ image: docker.io/thealmightydrawingtablet/nfs-krb:ubuntu
 command:
 - bash
 - -c
- - ./init.sh & sleep 10; tail -f /var/log/messages /var/log/rpc-gssd.log
- /var/log/gssd.log
+ - ./init.sh ubuntu & sleep 10; tail -f /var/log/syslog
 env:
 - name: SHARED_DIRECTORY
 value: /srv/shared
From a6e1f3372958c1385391d53e471e1ca9a6701a6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Tue, 11 Nov 2025 05:44:41 -0500
Subject: [PATCH 23/24] update nfs-krb-server.yaml switch back to alpine nfs-krb image, open TCP port 111
---
 deploy/example/nfs-provisioner/nfs-krb-server.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/deploy/example/nfs-provisioner/nfs-krb-server.yaml b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
index c4a2bb8d8..5ef6b8503 100644
--- a/deploy/example/nfs-provisioner/nfs-krb-server.yaml
+++ b/deploy/example/nfs-provisioner/nfs-krb-server.yaml
@@ -17,6 +17,9 @@ spec:
 - name: udp-111
 port: 111
 protocol: UDP
+ - name: tcp-111
+ port: 111
+ protocol: TCP
 - name: tcp-88
 port: 88
 protocol: TCP
@@ -44,11 +47,12 @@ spec:
 kubernetes.io/os: linux
 containers:
 - name: nfs-krb-server
- image: docker.io/thealmightydrawingtablet/nfs-krb:ubuntu
+ image: docker.io/thealmightydrawingtablet/nfs-krb:alpine
+ imagePullPolicy: Always
 command:
 - bash
 - -c
- - ./init.sh ubuntu & sleep 10; tail -f /var/log/syslog
+ - ./init.sh & sleep 10; ls /var/log; tail -f /var/log/messages /var/log/rpc-gssd.log
 env:
 - name: SHARED_DIRECTORY
 value: /srv/shared
From a3003d7dc1f8fd11b7f10a99344f51871c846e6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=98=99=E2=97=A6=20The=20Tablet=20=E2=9D=80=20GamerGirla?= =?UTF-8?q?ndCo=20=E2=97=A6=E2=9D=A7?=
Date: Thu, 13 Nov 2025 15:40:01 -0500
Subject: [PATCH 24/24] refactor: try not to fail on `kinit -k`
---
 pkg/nfs/nodeserver.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pkg/nfs/nodeserver.go b/pkg/nfs/nodeserver.go
index a1b6d140b..329ff575d 100644
--- a/pkg/nfs/nodeserver.go
+++ b/pkg/nfs/nodeserver.go
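Review bot: `imagePullPolicy: Always` together with the mutable `nfs-krb:alpine` tag means every CI run fetches whatever `docker.io/thealmightydrawingtablet` currently publishes under that tag, so the test KDC and NFS server can change underneath the project with no diff in this repository. Pin the reference by digest (`image: docker.io/thealmightydrawingtablet/nfs-krb@sha256:<digest-of-intended-build>`) or at least an immutable version tag, after which the explicit pull policy is unnecessary. The `ls /var/log;` added to the shell command is debugging output that should be dropped once the log file names are settled.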
@@ -172,8 +172,7 @@ func (ns *NodeServer) NodePublishVolume(ctx context.Context, req *csi.NodePublis
 // initialize credentials from keytab
 cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)
 if err := cmd.Run(); err != nil {
- klog.Errorf("error running 'kinit -k': %+v", err)
- return err
+ klog.Warningf("error running 'kinit -k', but soldiering on: %+v", err)
 }
 }
 return ns.mounter.Mount(source, targetPath, "nfs", mountOptions)
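Review bot: Downgrading the `kinit -k` failure to a warning means `ns.mounter.Mount` on the last line runs regardless, with the default credential cache holding whatever the password-based `kinit` earlier in execFunc (outside this hunk) obtained; if the keytab written by `ktutil` is unusable, for example because the hard-coded kvno 1 does not match the KDC, the mount may still succeed or may fail later with a less specific gssd error, and the log does not say which state it proceeded in. Make the warning say so, e.g. `klog.Warningf("kinit -k for %s failed, continuing with the password-obtained ticket: %v", krbPrinc, err)`, and add a comment above `cmd = exec.CommandContext(ctx, "kinit", "-k", krbPrinc)` marking the keytab step as best-effort. If the keytab ticket is never needed for the mount, dropping the `kinit -k` call is clearer than tolerating its failure. execFunc and NodePublishVolume both start outside the hunk.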