Enable Configuration for net-permissions

addons/controllers/csi/vspherecsiconfig_datavalues.go

@@ -22,25 +22,32 @@ type DataValuesVSpherePVCSI struct {
 }
 
 type DataValuesVSphereCSI struct {
-	TLSThumbprint         string `yaml:"tlsThumbprint"`
-	Namespace             string `yaml:"namespace"`
-	ClusterName           string `yaml:"clusterName"`
-	Server                string `yaml:"server"`
-	Datacenter            string `yaml:"datacenter"`
-	PublicNetwork         string `yaml:"publicNetwork"`
-	Username              string `yaml:"username"`
-	Password              string `yaml:"password"`
-	Region                string `yaml:"region"`
-	Zone                  string `yaml:"zone"`
-	InsecureFlag          bool   `yaml:"insecureFlag"`
-	UseTopologyCategories bool   `yaml:"useTopologyCategories"`
-	ProvisionTimeout      string `yaml:"provisionTimeout"`
-	AttachTimeout         string `yaml:"attachTimeout"`
-	ResizerTimeout        string `yaml:"resizerTimeout"`
-	VSphereVersion        string `yaml:"vSphereVersion"`
-	HTTPProxy             string `yaml:"http_proxy"`
-	HTTPSProxy            string `yaml:"https_proxy"`
-	NoProxy               string `yaml:"no_proxy"`
-	DeploymentReplicas    int32  `yaml:"deployment_replicas"`
-	WindowsSupport        bool   `yaml:"windows_support"`
+	TLSThumbprint         string                          `yaml:"tlsThumbprint"`
+	Namespace             string                          `yaml:"namespace"`
+	ClusterName           string                          `yaml:"clusterName"`
+	Server                string                          `yaml:"server"`
+	Datacenter            string                          `yaml:"datacenter"`
+	PublicNetwork         string                          `yaml:"publicNetwork"`
+	Username              string                          `yaml:"username"`
+	Password              string                          `yaml:"password"`
+	Region                string                          `yaml:"region"`
+	Zone                  string                          `yaml:"zone"`
+	InsecureFlag          bool                            `yaml:"insecureFlag"`
+	UseTopologyCategories bool                            `yaml:"useTopologyCategories"`
+	ProvisionTimeout      string                          `yaml:"provisionTimeout"`
+	AttachTimeout         string                          `yaml:"attachTimeout"`
+	ResizerTimeout        string                          `yaml:"resizerTimeout"`
+	VSphereVersion        string                          `yaml:"vSphereVersion"`
+	HTTPProxy             string                          `yaml:"http_proxy"`
+	HTTPSProxy            string                          `yaml:"https_proxy"`
+	NoProxy               string                          `yaml:"no_proxy"`
+	DeploymentReplicas    int32                           `yaml:"deployment_replicas"`
+	WindowsSupport        bool                            `yaml:"windows_support"`
+	NetPermissions        map[string]*NetPermissionConfig `yaml:"netpermissions"`
+}
+
+type NetPermissionConfig struct {
+	Ips         string `yaml:"ips"`
+	Permissions string `yaml:"permissions"`
+	RootSquash  bool   `yaml:"rootsquash"`
 }

addons/controllers/csi/vspherecsiconfig_utils.go

@@ -295,6 +295,7 @@ func (r *VSphereCSIConfigReconciler) overrideDerivedValues(ctx context.Context,
 	r.overrideTopologyValues(ctx, dvscsi, vcsiConfig)
 	r.overrideClusterValues(dvscsi, vcsiConfig)
 	r.overrideMiscValues(dvscsi, vcsiConfig)
+	r.overrideNetPermissionsValues(dvscsi, vcsiConfig)
 
 	return r.overrideCredentialValues(ctx, dvscsi, vcsiConfig)
 }
@@ -407,6 +408,27 @@ func (r *VSphereCSIConfigReconciler) overrideMiscValues(dvscsi *DataValuesVSpher
 	}
 }
 
+func (r *VSphereCSIConfigReconciler) overrideNetPermissionsValues(dvscsi *DataValuesVSphereCSI,
+	vcsiConfig *csiv1alpha1.VSphereCSIConfig) {
+
+	config := vcsiConfig.Spec.VSphereCSI.NonParavirtualConfig
+	if config.NetPermissions != nil {
+		netPermisions := make(map[string]*NetPermissionConfig)
+		for permKey, permConfig := range config.NetPermissions {
+			netPermisionConfig := &NetPermissionConfig{}
+			if permConfig.Ips != "" {
+				netPermisionConfig.Ips = permConfig.Ips
+			}
+			if permConfig.Permissions != "" {
+				netPermisionConfig.Permissions = permConfig.Permissions
+			}
+			netPermisionConfig.RootSquash = permConfig.RootSquash
+			netPermisions[permKey] = netPermisionConfig
+		}
+		dvscsi.NetPermissions = netPermisions
+	}
+}
+
 func (r *VSphereCSIConfigReconciler) constrainNumberOfDeploymentReplicas(ctx context.Context, proposedCount int32) int32 {
 	logger := log.FromContext(ctx)
 	if proposedCount < VSphereCSIMinDeploymentReplicas {

addons/controllers/testdata/test-vsphere-csi-non-paravirtual.yaml

@@ -130,4 +130,9 @@ spec:
       vSphereCredentialLocalObjRef:
         kind: Secret
         name: csi-vsphere-credential
+      netPermissions:
+        A:
+          ips: "*"
+          permissions: READ_WRITE
+          rootsquash: false
 

addons/controllers/vspherecsiconfig_controller_test.go

@@ -127,6 +127,10 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 					Expect(*config.Spec.VSphereCSI.NonParavirtualConfig.DeploymentReplicas).Should(Equal(int32(3)))
 					Expect(config.Spec.VSphereCSI.NonParavirtualConfig.WindowsSupport).NotTo(BeZero())
 					Expect(*config.Spec.VSphereCSI.NonParavirtualConfig.WindowsSupport).Should(Equal(true))
+					Expect(config.Spec.VSphereCSI.NonParavirtualConfig.NetPermissions).NotTo(BeZero())
+					Expect(config.Spec.VSphereCSI.NonParavirtualConfig.NetPermissions["A"].Ips).Should(Equal("*"))
+					Expect(config.Spec.VSphereCSI.NonParavirtualConfig.NetPermissions["A"].Permissions).Should(Equal("READ_WRITE"))
+					Expect(config.Spec.VSphereCSI.NonParavirtualConfig.NetPermissions["A"].RootSquash).Should(Equal(false))
 
 					if len(config.OwnerReferences) == 0 {
 						return fmt.Errorf("OwnerReferences not yet set")
@@ -171,7 +175,10 @@ var _ = Describe("VSphereCSIConfig Reconciler", func() {
 					Expect(strings.Contains(secretData, "no_proxy: 3.3.3.3")).Should(BeTrue())
 					Expect(strings.Contains(secretData, "deployment_replicas: 3")).Should(BeTrue())
 					Expect(strings.Contains(secretData, "windows_support: true")).Should(BeTrue())
-
+					Expect(strings.Contains(secretData, "netpermissions:")).Should(BeTrue())
+					Expect(strings.Contains(secretData, "ips: '*'")).Should(BeTrue())
+					Expect(strings.Contains(secretData, "permissions: READ_WRITE")).Should(BeTrue())
+					Expect(strings.Contains(secretData, "rootsquash: false")).Should(BeTrue())
 					return nil
 				}, waitTimeout, pollingInterval).Should(Succeed())
 

apis/addonconfigs/config/crd/bases/csi.tanzu.vmware.com_vspherecsiconfigs.yaml

@@ -58,6 +58,26 @@ spec:
                         description: The namespace csi components are to be deployed
                           in
                         type: string
+                      netPermissions:
+                        additionalProperties:
+                          description: NetPermissionConfig consists of information
+                            used to restrict the network permissions set on file share
+                            volumes
+                          properties:
+                            ips:
+                              description: 'Client IP address, IP range or IP subnet.
+                                Example: "10.20.30.0/24"; defaults to "*" if not specified'
+                              type: string
+                            permissions:
+                              description: Is it READ_ONLY, READ_WRITE or NO_ACCESS.
+                                Defaults to "READ_WRITE" if not specified
+                              type: string
+                            rootsquash:
+                              description: Disallow root access for this IP range.
+                                Defaults to "false" if not specified
+                              type: boolean
+                          type: object
+                        type: object
                       noProxy:
                         type: string
                       provisionTimeout:

apis/addonconfigs/csi/v1alpha1/vspherecsiconfig_types.go

@@ -116,6 +116,20 @@ type NonParavirtualConfig struct {
 
 	// +kubebuilder:validation:Optional
 	WindowsSupport *bool `json:"windowsSupport,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	NetPermissions map[string]*NetPermissionConfig `json:"netPermissions,omitempty"`
+}
+
+// NetPermissionConfig consists of information used to restrict the
+// network permissions set on file share volumes
+type NetPermissionConfig struct {
+	// Client IP address, IP range or IP subnet. Example: "10.20.30.0/24"; defaults to "*" if not specified
+	Ips string `json:"ips,omitempty"`
+	// Is it READ_ONLY, READ_WRITE or NO_ACCESS. Defaults to "READ_WRITE" if not specified
+	Permissions string `json:"permissions,omitempty"`
+	// Disallow root access for this IP range. Defaults to "false" if not specified
+	RootSquash bool `json:"rootsquash,omitempty"`
 }
 
 func init() {

packages/addons-manager/bundle/config/upstream/addonconfigscrds/csi.tanzu.vmware.com_vspherecsiconfigs.yaml

@@ -58,6 +58,26 @@ spec:
                         description: The namespace csi components are to be deployed
                           in
                         type: string
+                      netPermissions:
+                        additionalProperties:
+                          description: NetPermissionConfig consists of information
+                            used to restrict the network permissions set on file share
+                            volumes
+                          properties:
+                            ips:
+                              description: 'Client IP address, IP range or IP subnet.
+                                Example: "10.20.30.0/24"; defaults to "*" if not specified'
+                              type: string
+                            permissions:
+                              description: Is it READ_ONLY, READ_WRITE or NO_ACCESS.
+                                Defaults to "READ_WRITE" if not specified
+                              type: string
+                            rootsquash:
+                              description: Disallow root access for this IP range.
+                                Defaults to "false" if not specified
+                              type: boolean
+                          type: object
+                        type: object
                       noProxy:
                         type: string
                       provisionTimeout:

tkg/manifest/server/zz_generated.bindata.go

@@ -1438,11 +1438,9 @@ func bindataTkgWebDistTkgkickstartuiWelcomeintro92f405173016654f68c9Svg() (*asse
 	return a, nil
 }
 
-//
 // Asset loads and returns the asset for the given name.
 // It returns an error if the asset could not be found or
 // could not be loaded.
-//
 func Asset(name string) ([]byte, error) {
 	cannonicalName := strings.Replace(name, "\\", "/", -1)
 	if f, ok := _bindata[cannonicalName]; ok {
@@ -1455,11 +1453,9 @@ func Asset(name string) ([]byte, error) {
 	return nil, &os.PathError{Op: "open", Path: name, Err: os.ErrNotExist}
 }
 
-//
 // MustAsset is like Asset but panics when Asset would return an error.
 // It simplifies safe initialization of global variables.
 // nolint: deadcode
-//
 func MustAsset(name string) []byte {
 	a, err := Asset(name)
 	if err != nil {
@@ -1469,10 +1465,8 @@ func MustAsset(name string) []byte {
 	return a
 }
 
-//
 // AssetInfo loads and returns the asset info for the given name.
 // It returns an error if the asset could not be found or could not be loaded.
-//
 func AssetInfo(name string) (os.FileInfo, error) {
 	cannonicalName := strings.Replace(name, "\\", "/", -1)
 	if f, ok := _bindata[cannonicalName]; ok {
@@ -1485,10 +1479,8 @@ func AssetInfo(name string) (os.FileInfo, error) {
 	return nil, &os.PathError{Op: "open", Path: name, Err: os.ErrNotExist}
 }
 
-//
 // AssetNames returns the names of the assets.
 // nolint: deadcode
-//
 func AssetNames() []string {
 	names := make([]string, 0, len(_bindata))
 	for name := range _bindata {
@@ -1497,9 +1489,7 @@ func AssetNames() []string {
 	return names
 }
 
-//
 // _bindata is a table, holding each asset generator, mapped to its name.
-//
 var _bindata = map[string]func() (*asset, error){
 	"tkg/web/dist/tkg-kickstart-ui/175-es2015.d46a578ff1b6cad5d45a.js":       bindataTkgWebDistTkgkickstartui175es2015D46a578ff1b6cad5d45aJs,
 	"tkg/web/dist/tkg-kickstart-ui/175-es5.d46a578ff1b6cad5d45a.js":          bindataTkgWebDistTkgkickstartui175es5D46a578ff1b6cad5d45aJs,
@@ -1550,21 +1540,21 @@ var _bindata = map[string]func() (*asset, error){
 	"tkg/web/dist/tkg-kickstart-ui/welcome-intro.92f405173016654f68c9.svg":   bindataTkgWebDistTkgkickstartuiWelcomeintro92f405173016654f68c9Svg,
 }
 
-//
 // AssetDir returns the file names below a certain
 // directory embedded in the file by go-bindata.
 // For example if you run go-bindata on data/... and data contains the
 // following hierarchy:
-//     data/
-//       foo.txt
-//       img/
-//         a.png
-//         b.png
+//
+//	data/
+//	  foo.txt
+//	  img/
+//	    a.png
+//	    b.png
+//
 // then AssetDir("data") would return []string{"foo.txt", "img"}
 // AssetDir("data/img") would return []string{"a.png", "b.png"}
 // AssetDir("foo.txt") and AssetDir("notexist") would return an error
 // AssetDir("") will return []string{"data"}.
-//
 func AssetDir(name string) ([]string, error) {
 	node := _bintree
 	if len(name) != 0 {