From 053661c08cb5f1a49e3f31333fcccb82a500c78a Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Wed, 1 Nov 2023 09:49:26 -0400
Subject: [PATCH] remove secrets from truenas storage provisioners

---
README.md | 27 +++--
...nc0-stable.yaml => truenas-iscsi-enc0.yaml | 9 +-
truenas-iscsi-enc1.yaml | 108 ++++++++++++++++++
truenas-nfs-enc1.yaml | 80 +++++++++++++
4 files changed, 210 insertions(+), 14 deletions(-)
rename examples/truenas-iscsi-enc0-stable.yaml => truenas-iscsi-enc0.yaml (94%)
create mode 100644 truenas-iscsi-enc1.yaml
create mode 100644 truenas-nfs-enc1.yaml

diff --git a/README.md b/README.md
index b35eca8..f6c38c5 100644
--- a/README.md
+++ b/README.md
@@ -292,35 +292,46 @@ sudo ls sudo zfs list ``` -Copy `truenas-iscsi-enc0-stable.yaml` to `secrets/` and populate the secrets. Then -run the following to install it. +Next you'll need an API key. Save it to a file called `secrets/truenas-api-key`: + +```bash +echo 'api-key-here' > secrets/truenas-api-key +``` + +Now we can proceed with the install ```bash helm repo add democratic-csi https://democratic-csi.github.io/charts/ helm repo update -# enc0 stable storage (iscsi) +# enc0 storage (iscsi) helm upgrade \ --install \ ---values secrets/truenas-iscsi-enc0-stable.yaml \ +--values truenas-iscsi-enc0.yaml \ --namespace democratic-csi \ --create-namespace \ +--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \ +--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \ zfs-iscsi-enc0 democratic-csi/democratic-csi -# enc1 stable storage (iscsi) +# enc1 storage (iscsi) helm upgrade \ --install \ ---values secrets/truenas-iscsi-enc1-stable.yaml \ +--values truenas-iscsi-enc1.yaml \ --namespace democratic-csi \ --create-namespace \ +--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \ +--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \ zfs-iscsi-enc1 democratic-csi/democratic-csi -# enc1 stable storage (nfs) +# enc1 storage (nfs) helm upgrade \ --install \ ---values secrets/truenas-nfs-enc1.yaml \ +--values truenas-nfs-enc1.yaml \ --namespace democratic-csi \ --create-namespace \ +--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \ +--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \ zfs-nfs-enc1 democratic-csi/democratic-csi ``` diff --git a/examples/truenas-iscsi-enc0-stable.yaml b/truenas-iscsi-enc0.yaml similarity index 94% rename from examples/truenas-iscsi-enc0-stable.yaml rename to truenas-iscsi-enc0.yaml index 9fa0442..b5ff158 100644 --- a/examples/truenas-iscsi-enc0-stable.yaml +++ b/truenas-iscsi-enc0.yaml 
@@ -34,7 +34,7 @@ driver: # use only 1 of apiKey or username/password # if both are present, apiKey is preferred # apiKey is only available starting in TrueNAS-12 - apiKey: + apiKey: "" # username: # password: # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well) @@ -46,10 +46,7 @@ driver: username: democratic # use either password or key # password: "" - privateKey: | - -----BEGIN OPENSSH PRIVATE KEY----- - ... - -----END OPENSSH PRIVATE KEY----- + privateKey: "" zfs: cli: sudoEnabled: true @@ -76,7 +73,7 @@ driver: iscsi: targetPortal: "democratic-csi-server.reeselink.com" # for multipath - # targetPortals: [] # [ "server[:port]", "server[:port]", ... ] + targetPortals: [] # [ "server[:port]", "server[:port]", ... ] # leave empty to omit usage of -I with iscsiadm interface: diff --git a/truenas-iscsi-enc1.yaml b/truenas-iscsi-enc1.yaml new file mode 100644 index 0000000..5ca6bf0 --- /dev/null +++ b/truenas-iscsi-enc1.yaml 
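Review bot: The emptied `apiKey: ""` in the first hunk and `privateKey: ""` in the second are now placeholders that only work when the install passes the matching `--set-file` overrides, but nothing in the file says so, which invites someone to paste the real values back into this tracked values file. Add a comment above each, e.g. `# intentionally empty: injected at install time with --set-file driver.config.httpConnection.apiKey=<path>` and the equivalent `driver.config.sshConnection.privateKey` note above `privateKey`; the same two lines in the new truenas-iscsi-enc1.yaml and truenas-nfs-enc1.yaml hunks want the same comment. Note also that `--set-file` takes the file contents verbatim, so if the key file is written with a trailing newline (as a plain `echo` redirect produces) that newline presumably ends up in the API key value — worth verifying, or writing the file with `printf '%s'`. The `driver:` mapping these hunks sit in starts outside the hunk.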
@@ -0,0 +1,108 @@ +csiDriver: + name: "driveripper.zfs-iscsi-enc1" + +# add note here about volume expansion requirements +storageClasses: +- name: zfs-iscsi-enc1 + defaultClass: false + reclaimPolicy: Delete + volumeBindingMode: Immediate + allowVolumeExpansion: true + parameters: + # for block-based storage can be ext3, ext4, xfs + fsType: xfs + + mountOptions: [] + secrets: + provisioner-secret: + controller-publish-secret: + node-stage-secret: + node-publish-secret: + controller-expand-secret: + +volumeSnapshotClasses: [] + +driver: + config: + driver: freenas-iscsi + instance_id: + httpConnection: + protocol: https + host: driveripper.reeseapps.com + port: 8443 + allowInsecure: false + # use only 1 of apiKey or username/password + # if both are present, apiKey is preferred + # apiKey is only available starting in TrueNAS-12 + apiKey: "" + # username: + # password: + # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well) + # leave unset for auto-detection + apiVersion: 2 + sshConnection: + host: democratic-csi-server.reeselink.com + port: 22 + username: democratic + # use either password or key + # password: "" + privateKey: "" + zfs: + cli: + sudoEnabled: true + paths: + zfs: /usr/sbin/zfs + zpool: /usr/sbin/zpool + sudo: /usr/bin/sudo + chroot: /usr/sbin/chroot + # can be used to set arbitrary values on the dataset/zvol + # can use handlebars templates with the parameters from the storage class/CO + datasetProperties: + "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" + + datasetParentName: enc1/dcsi/apps + # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap + # they may be siblings, but neither should be nested in the other + detachedSnapshotsDatasetParentName: enc1/dcsi/snaps + zvolCompression: + # "" (inherit), on, off, verify + zvolDedup: + zvolEnableReservation: false + # 512, 1K, 2K, 4K, 8K, 16K, 64K, 128K default is 
16K + zvolBlocksize: + iscsi: + targetPortal: "democratic-csi-server.reeselink.com" + # for multipath + targetPortals: [] # [ "server[:port]", "server[:port]", ... ] + # leave empty to omit usage of -I with iscsiadm + interface: + + # MUST ensure uniqueness + # full iqn limit is 223 bytes, plan accordingly + # default is "{{ name }}" + nameTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}" + namePrefix: "dcsi-" + nameSuffix: "-enc1" + + # add as many as needed + targetGroups: + # get the correct ID from the "portal" section in the UI + - targetGroupPortalGroup: 7 + # get the correct ID from the "initiators" section in the UI + targetGroupInitiatorGroup: 1 + # None, CHAP, or CHAP Mutual + targetGroupAuthType: None + # get the correct ID from the "Authorized Access" section of the UI + # only required if using Chap + targetGroupAuthGroup: + + extentCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" + extentInsecureTpc: true + extentXenCompat: false + extentDisablePhysicalBlocksize: true + # 512, 1024, 2048, or 4096, + extentBlocksize: 512 + # "" (let FreeNAS decide, currently defaults to SSD), Unknown, SSD, 5400, 7200, 10000, 15000 + extentRpm: "SSD" + # 0-100 (0 == ignore) + extentAvailThreshold: 0 diff --git a/truenas-nfs-enc1.yaml b/truenas-nfs-enc1.yaml new file mode 100644 index 0000000..36568ee --- /dev/null +++ b/truenas-nfs-enc1.yaml 
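Review bot: `targetGroupAuthType: None` together with `targetGroupInitiatorGroup: 1` means access to the new enc1 extents is presumably enforced only by whatever TrueNAS initiator group 1 allows, so the file should record that decision rather than leave it implicit. A comment such as `# CHAP disabled on purpose: access is restricted by initiator group 1 (IQN/network allow-list in the TrueNAS UI); revisit if the storage network is shared` above `targetGroupAuthType` would make the assumption reviewable, and `targetGroupAuthGroup:` left bare (parsed as null) is consistent with that only while CHAP stays off. As a point of style, the `storageClasses` sequence is written flush with its key while `targetGroups` is indented; pick one sequence indentation for the file.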
@@ -0,0 +1,80 @@ +csiDriver: + name: "driveripper.zfs-nfs-enc1" + +storageClasses: +- name: zfs-nfs-enc1 + defaultClass: false + reclaimPolicy: Delete + volumeBindingMode: Immediate + allowVolumeExpansion: true + parameters: + fsType: nfs + mountOptions: + - async + - noatime + secrets: + provisioner-secret: + controller-publish-secret: + node-stage-secret: + node-publish-secret: + controller-expand-secret: + +volumeSnapshotClasses: [] + +driver: + config: + driver: freenas-nfs + instance_id: + httpConnection: + protocol: https + host: driveripper.reeseapps.com + port: 8443 + allowInsecure: false + # use only 1 of apiKey or username/password + # if both are present, apiKey is preferred + # apiKey is only available starting in TrueNAS-12 + apiKey: "" + # username: + # password: + # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well) + # leave unset for auto-detection + apiVersion: 2 + sshConnection: + host: democratic-csi-server.reeselink.com + port: 22 + username: democratic + # use either password or key + # password: "" + privateKey: "" + zfs: + cli: + sudoEnabled: true + paths: + zfs: /usr/sbin/zfs + zpool: /usr/sbin/zpool + sudo: /usr/bin/sudo + chroot: /usr/sbin/chroot + # can be used to set arbitrary values on the dataset/zvol + # can use handlebars templates with the parameters from the storage class/CO + datasetProperties: + "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}" + + datasetParentName: enc1/dcsi/nfs + # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap + # they may be siblings, but neither should be nested in the other + detachedSnapshotsDatasetParentName: enc1/dcsi/snaps + datasetEnableQuotas: true + datasetEnableReservation: false + datasetPermissionsMode: "0777" + datasetPermissionsUser: 0 + datasetPermissionsGroup: 0 + nfs: + shareCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ 
parameters.[csi.storage.k8s.io/pvc/name] }}" + shareHost: democratic-csi-server.reeselink.com + shareAlldirs: false + shareAllowedHosts: [] + shareAllowedNetworks: [] + shareMaprootUser: root + shareMaprootGroup: wheel + shareMapallUser: "" + shareMapallGroup: ""
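Review bot: `shareAllowedHosts: []` and `shareAllowedNetworks: []` leave the new NFS exports without any client restriction at the share level, and combined with `shareMaprootUser: root` / `shareMaprootGroup: wheel` and `datasetPermissionsMode: "0777"` a root client on any host that can reach `shareHost` would get full access to every provisioned dataset, as I read the democratic-csi share options. Unless the storage network is already isolated, populate `shareAllowedNetworks` with the node subnet, e.g. `shareAllowedNetworks: ["<node-cidr>"]`, or add a comment stating where that isolation is enforced so the empty lists are clearly deliberate. Either way, a comment above `shareMaprootUser` recording that root is intentionally not squashed (if the CSI node plugin needs it) would help the next reader.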