remove secrets from truenas storage provisioners

2023-11-01 09:49:26 -04:00
parent 3410213913
commit 053661c08c
4 changed files with 210 additions and 14 deletions
--- a/README.md
+++ b/README.md
@@ -292,35 +292,46 @@ sudo ls
 sudo zfs list
 ```

-Copy `truenas-iscsi-enc0-stable.yaml` to `secrets/` and populate the secrets. Then
-run the following to install it.
+Next you'll need an API key. Save it to a file called `secrets/truenas-api-key`:
+
+```bash
+echo 'api-key-here' > secrets/truenas-api-key
+```
+
+Now we can proceed with the install

 ```bash
 helm repo add democratic-csi https://democratic-csi.github.io/charts/
 helm repo update

-# enc0 stable storage (iscsi)
+# enc0 storage (iscsi)
 helm upgrade \
 --install \
--values secrets/truenas-iscsi-enc0-stable.yaml \
+--values truenas-iscsi-enc0.yaml \
 --namespace democratic-csi \
 --create-namespace \
+--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \
+--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \
 zfs-iscsi-enc0 democratic-csi/democratic-csi

-# enc1 stable storage (iscsi)
+# enc1 storage (iscsi)
 helm upgrade \
 --install \
--values secrets/truenas-iscsi-enc1-stable.yaml \
+--values truenas-iscsi-enc1.yaml \
 --namespace democratic-csi \
 --create-namespace \
+--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \
+--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \
 zfs-iscsi-enc1 democratic-csi/democratic-csi

-# enc1 stable storage (nfs)
+# enc1 storage (nfs)
 helm upgrade \
 --install \
--values secrets/truenas-nfs-enc1.yaml \
+--values truenas-nfs-enc1.yaml \
 --namespace democratic-csi \
 --create-namespace \
+--set-file driver.config.sshConnection.privateKey=secrets/democratic_rsa \
+--set-file driver.config.httpConnection.apiKey=secrets/truenas-api-key \
 zfs-nfs-enc1 democratic-csi/democratic-csi
 ```

--- a/examples/truenas-iscsi-enc0-stable.yaml
+++ b/examples/truenas-iscsi-enc0-stable.yaml
@@ -34,7 +34,7 @@ driver:
      # use only 1 of apiKey or username/password
      # if both are present, apiKey is preferred
      # apiKey is only available starting in TrueNAS-12
-      apiKey: 
+      apiKey: ""
      # username:
      # password:
      # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well)
@@ -46,10 +46,7 @@ driver:
      username: democratic
      # use either password or key
      # password: ""
-      privateKey: |
-        -----BEGIN OPENSSH PRIVATE KEY-----
-        ...
-        -----END OPENSSH PRIVATE KEY-----
+      privateKey: ""
    zfs:
      cli:
        sudoEnabled: true
@@ -76,7 +73,7 @@ driver:
    iscsi:
      targetPortal: "democratic-csi-server.reeselink.com"
      # for multipath
-      # targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
+      targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
      # leave empty to omit usage of -I with iscsiadm
      interface:

--- a/truenas-iscsi-enc1.yaml
+++ b/truenas-iscsi-enc1.yaml
@@ -0,0 +1,108 @@
+csiDriver:
+  name: "driveripper.zfs-iscsi-enc1"
+
+# add note here about volume expansion requirements
+storageClasses:
+- name: zfs-iscsi-enc1
+  defaultClass: false
+  reclaimPolicy: Delete
+  volumeBindingMode: Immediate
+  allowVolumeExpansion: true
+  parameters:
+    # for block-based storage can be ext3, ext4, xfs
+    fsType: xfs
+
+  mountOptions: []
+  secrets:
+    provisioner-secret:
+    controller-publish-secret:
+    node-stage-secret:
+    node-publish-secret:
+    controller-expand-secret:
+
+volumeSnapshotClasses: []
+
+driver:
+  config:
+    driver: freenas-iscsi
+    instance_id:
+    httpConnection:
+      protocol: https
+      host: driveripper.reeseapps.com
+      port: 8443
+      allowInsecure: false
+      # use only 1 of apiKey or username/password
+      # if both are present, apiKey is preferred
+      # apiKey is only available starting in TrueNAS-12
+      apiKey: ""
+      # username:
+      # password:
+      # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well)
+      # leave unset for auto-detection
+      apiVersion: 2
+    sshConnection:
+      host: democratic-csi-server.reeselink.com
+      port: 22
+      username: democratic
+      # use either password or key
+      # password: ""
+      privateKey: ""
+    zfs:
+      cli:
+        sudoEnabled: true
+        paths:
+          zfs: /usr/sbin/zfs
+          zpool: /usr/sbin/zpool
+          sudo: /usr/bin/sudo
+          chroot: /usr/sbin/chroot
+      # can be used to set arbitrary values on the dataset/zvol
+      # can use handlebars templates with the parameters from the storage class/CO
+      datasetProperties:
+       "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+
+      datasetParentName: enc1/dcsi/apps
+      # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap
+      # they may be siblings, but neither should be nested in the other
+      detachedSnapshotsDatasetParentName: enc1/dcsi/snaps
+      zvolCompression:
+      # "" (inherit), on, off, verify
+      zvolDedup:
+      zvolEnableReservation: false
+      # 512, 1K, 2K, 4K, 8K, 16K, 64K, 128K default is 16K
+      zvolBlocksize:
+    iscsi:
+      targetPortal: "democratic-csi-server.reeselink.com"
+      # for multipath
+      targetPortals: [] # [ "server[:port]", "server[:port]", ... ]
+      # leave empty to omit usage of -I with iscsiadm
+      interface:
+
+      # MUST ensure uniqueness
+      # full iqn limit is 223 bytes, plan accordingly
+      # default is "{{ name }}"
+      nameTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+      namePrefix: "dcsi-"
+      nameSuffix: "-enc1"
+
+      # add as many as needed
+      targetGroups:
+        # get the correct ID from the "portal" section in the UI
+        - targetGroupPortalGroup: 7
+          # get the correct ID from the "initiators" section in the UI
+          targetGroupInitiatorGroup: 1
+          # None, CHAP, or CHAP Mutual
+          targetGroupAuthType: None
+          # get the correct ID from the "Authorized Access" section of the UI
+          # only required if using Chap
+          targetGroupAuthGroup:
+
+      extentCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+      extentInsecureTpc: true
+      extentXenCompat: false
+      extentDisablePhysicalBlocksize: true
+      # 512, 1024, 2048, or 4096,
+      extentBlocksize: 512
+      # "" (let FreeNAS decide, currently defaults to SSD), Unknown, SSD, 5400, 7200, 10000, 15000
+      extentRpm: "SSD"
+      # 0-100 (0 == ignore)
+      extentAvailThreshold: 0
--- a/truenas-nfs-enc1.yaml
+++ b/truenas-nfs-enc1.yaml
@@ -0,0 +1,80 @@
+csiDriver:
+  name: "driveripper.zfs-nfs-enc1"
+
+storageClasses:
+- name: zfs-nfs-enc1
+  defaultClass: false
+  reclaimPolicy: Delete
+  volumeBindingMode: Immediate
+  allowVolumeExpansion: true
+  parameters:
+    fsType: nfs
+  mountOptions:
+  - async
+  - noatime
+  secrets:
+    provisioner-secret:
+    controller-publish-secret:
+    node-stage-secret:
+    node-publish-secret:
+    controller-expand-secret:
+
+volumeSnapshotClasses: []
+
+driver:
+  config:
+    driver: freenas-nfs
+    instance_id:
+    httpConnection:
+      protocol: https
+      host: driveripper.reeseapps.com
+      port: 8443
+      allowInsecure: false
+      # use only 1 of apiKey or username/password
+      # if both are present, apiKey is preferred
+      # apiKey is only available starting in TrueNAS-12
+      apiKey: ""
+      # username:
+      # password:
+      # use apiVersion 2 for TrueNAS-12 and up (will work on 11.x in some scenarios as well)
+      # leave unset for auto-detection
+      apiVersion: 2
+    sshConnection:
+      host: democratic-csi-server.reeselink.com
+      port: 22
+      username: democratic
+      # use either password or key
+      # password: ""
+      privateKey: ""
+    zfs:
+      cli:
+        sudoEnabled: true
+        paths:
+          zfs: /usr/sbin/zfs
+          zpool: /usr/sbin/zpool
+          sudo: /usr/bin/sudo
+          chroot: /usr/sbin/chroot
+      # can be used to set arbitrary values on the dataset/zvol
+      # can use handlebars templates with the parameters from the storage class/CO
+      datasetProperties:
+       "org.freenas:description": "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}/{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+
+      datasetParentName: enc1/dcsi/nfs
+      # do NOT make datasetParentName and detachedSnapshotsDatasetParentName overlap
+      # they may be siblings, but neither should be nested in the other
+      detachedSnapshotsDatasetParentName: enc1/dcsi/snaps
+      datasetEnableQuotas: true
+      datasetEnableReservation: false
+      datasetPermissionsMode: "0777"
+      datasetPermissionsUser: 0
+      datasetPermissionsGroup: 0
+    nfs:
+      shareCommentTemplate: "{{ parameters.[csi.storage.k8s.io/pvc/namespace] }}-{{ parameters.[csi.storage.k8s.io/pvc/name] }}"
+      shareHost: democratic-csi-server.reeselink.com
+      shareAlldirs: false
+      shareAllowedHosts: []
+      shareAllowedNetworks: []
+      shareMaprootUser: root
+      shareMaprootGroup: wheel
+      shareMapallUser: ""
+      shareMapallGroup: ""