hpe-storage / truenas-csp

TrueNAS Container Storage Provider for HPE CSI Driver for Kubernetes
https://scod.hpedev.io
MIT License

Adding auth networks #44

Closed kumorikarasu closed 3 weeks ago

kumorikarasu commented 1 year ago

I am running TrueNAS SCALE on a different network than the k8s cluster. When this looks up the IP of TrueNAS to generate the auth network, it doesn't take into account that the cluster is elsewhere.

Would it be possible to add an argument to specify alternative auth networks?

datamattsson commented 1 year ago

Hi, thanks for filing this issue. This is fixable for sure. We're a bit narrow-minded in storage, assuming that iSCSI traffic is supposed to reside on a flat L2 network. This will most likely be implemented as a StorageClass parameter to use node-based auth networks and not array-based.

Or would you like to hardcode CIDR networks in the StorageClass?

kumorikarasu commented 1 year ago

I believe either solution would resolve the issue. Allowing a CIDR to be added directly is possibly the most flexible solution, as you never know what other weird network setups you may find.

enfyrneaux commented 5 months ago

+1 Hardcoded CIDR is also fine in my use case.

datamattsson commented 5 months ago

I took a look here and it was not as easy as I thought. For TrueNAS SCALE the auth_networks are set on the target during volume publication. This means that the StorageClass parameters are not available in this request.

The only way I can implement this without breaking all sorts of boundaries is to allow users to hardcode CIDRs in the Helm chart. The auth_networks are then "global" for the TrueNAS CSP running on the cluster. This should be fine in most cases as the data networks are usually somewhat uniform. It could, however, open up other problems, as you need to specify an entire subnet.

Since CHAP will most likely be introduced in the next version after v2.4.2, I think it would be safe enough to hardcode subnets in auth_networks during install and use CHAP for authorization.

Thoughts?
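The three ways of populating the target's auth_networks that this thread weighs (derived from the array address, derived from the publishing node, or hardcoded CIDRs from the Helm chart), as an added example that is not the CSP's own code. The addresses and the chart value are constructed; the function names are hypothetical.

```python
import ipaddress
from typing import List

# Constructed sample addresses (not from the issue): TrueNAS SCALE sits on one
# network and the Kubernetes node on another, the situation the issue reports.
ARRAY_IP = "10.10.0.20"
NODE_IP = "192.168.50.11"
# Hypothetical Helm chart value holding operator-supplied CIDRs.
HELM_AUTH_NETWORKS = ["192.168.50.0/24", "10.10.0.0/24"]


def array_based(array_ip: str, prefix: int = 24) -> List[str]:
    """Derive auth_networks from the array's own subnet (the reported behaviour)."""
    return [str(ipaddress.ip_network(f"{array_ip}/{prefix}", strict=False))]


def node_based(node_ip: str) -> List[str]:
    """Derive auth_networks from the publishing node: one /32 per node."""
    return [str(ipaddress.ip_network(f"{node_ip}/32"))]


def hardcoded(cidrs: List[str]) -> List[str]:
    """Accept operator-supplied CIDRs, rejecting host bits and a catch-all /0."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    for net in nets:
        if net.prefixlen == 0:
            raise ValueError(f"{net} would allow any initiator to log in")
    return [str(n) for n in nets]


def initiator_allowed(node_ip: str, auth_networks: List[str]) -> bool:
    """True if the node's address falls inside any configured auth network."""
    addr = ipaddress.ip_address(node_ip)
    return any(addr in ipaddress.ip_network(n) for n in auth_networks)


def exposure(auth_networks: List[str]) -> int:
    """Number of addresses allowed to reach the target: the cost of whole subnets."""
    return sum(ipaddress.ip_network(n).num_addresses for n in auth_networks)


if __name__ == "__main__":
    for name, nets in (("array", array_based(ARRAY_IP)),
                       ("node", node_based(NODE_IP)),
                       ("helm", hardcoded(HELM_AUTH_NETWORKS))):
        print(f"{name:5} {nets} node allowed={initiator_allowed(NODE_IP, nets)} "
              f"exposure={exposure(nets)}")
```

Running it shows the array-derived /24 leaves the off-subnet node unable to log in, while the per-node /32 admits only that node and the hardcoded CIDRs admit every address in both subnets.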