Merge pull request #99429 from lpettyjo/OSDOCS-16211

OSDOCS-16211# For Manila, allow multiple CDIRs when creating NFS vols

Author: lpettyjo

modules/persistent-storage-csi-manila-dynamic-provisioning.adoc

@@ -14,7 +14,7 @@ You can use the same pod and persistent volume claim (PVC) definitions on-premis
 
 [IMPORTANT]
 ====
-By default the access-rule assigned to a volume is set to 0.0.0.0/0. To limit the clients that can mount the persistent volume (PV), create a new storage class with an IP or a subnet mask in the `nfs-shareClient` storage class parameter.
+By default, the access rule that is assigned to a volume is `0.0.0.0/0`, which allows access from all IPv4 clients. To limit client access, create custom storage classes that use specific client IP addresses or subnets. For more information, see Section _Customizing Manila share access rules_.
 ====
 
 [NOTE]

modules/persistent-storage-csi-manila-share-access-rules.adoc

@@ -0,0 +1,109 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent-storage-csi-manila.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-manila-share-access-rules_{context}"]
+= Customizing Manila share access rules
+
+By default, {product-title} creates Manila storage classes that provide access to all IPv4 clients. To limit client access, you can define custom storage classes that use specific client IP addresses or subnets by using the `nfs-ShareClient` parameter.
+
+[IMPORTANT]
+====
+When using custom storage classes with restricted access rules, ensure that:
+
+* The specified IP addresses or subnets include all {product-title} nodes that need to access the storage.
+
+* The Manila service in {rh-openstack} supports the share type specified in the storage class.
+
+* Network connectivity exists between the allowed clients and the Manila share servers.
+====
+
+.Prerequisites
+
+* {rh-openstack-first} is deployed with appropriate Manila share infrastructure.
+* Access to a cluster with administrator privileges.
+
+.Procedure
+
+. Create a YAML file for your custom storage class based on the following example:
++
+.Example custom storage class file
+[source,yaml]
+----
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: csi-manila-gold-restricted <1>
+provisioner: manila.csi.openstack.org
+parameters:
+  type: gold <2>
+  nfs-ShareClient: "10.0.0.0/24,192.168.1.100" <3>
+  csi.storage.k8s.io/provisioner-secret-name: manila-csi-secret
+  csi.storage.k8s.io/provisioner-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/controller-expand-secret-name: manila-csi-secret
+  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/node-stage-secret-name: manila-csi-secret
+  csi.storage.k8s.io/node-stage-secret-namespace: openshift-manila-csi-driver
+  csi.storage.k8s.io/node-publish-secret-name: manila-csi-secret
+  csi.storage.k8s.io/node-publish-secret-namespace: openshift-manila-csi-driver
+allowVolumeExpansion: true
+----
+<1> Descriptive name for your custom storage class.
+<2> The Manila share type. This type must match an existing share type in your {rh-openstack} environment.
+<3> Comma-separated list of IP addresses or CIDR subnets allowed to access the NFS shares. The `nfs-ShareClient` parameter accepts various formats:
++
+** Single IP address: `192.168.1.100`
+** CIDR subnet: `10.0.0.0/24`
+** Multiple entries: `10.0.0.0/24,192.168.1.100,172.16.0.0/16`
++
+Ensure that the specified IP addresses or subnets include the {product-title} cluster nodes to allow proper mounting of the persistent volumes.
++
+In this example, access is restricted to the `10.0.0.0/24` subnet, and the specific IP address is `192.168.1.100`.
+
+. Apply the storage class from the file by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f custom-manila-storageclass.yaml
+----
+
+. Verify that the storage class was created by running the following command:
++
+[source,terminal]
+----
+$ oc get storageclass csi-manila-gold-restricted
+----
++
+.Example output
+[source,terminal]
+----
+NAME                 		    PROVISIONER                RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
+csi-manila-gold-restricted	manila.csi.openstack.org   Delete          Immediate           true                   43m
+----
+
+. Create a persistent volume claim (PVC) that uses the custom storage class based on the following example:
++
+.Example PVC file
+[source,yaml]
+----
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pvc-manila-restricted
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: csi-manila-gold-restricted <1>
+----
+<1> The name of your custom storage class that has restricted access. In this example, the name is `csi-manila-gold-restricted`.
+
+. Apply the PVC from the file by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f pvc-manila-restricted.yaml
+----

storage/container_storage_interface/persistent-storage-csi-manila.adoc

@@ -24,6 +24,8 @@ include::modules/persistent-storage-csi-manila-limitations.adoc[leveloffset=+1]
 
 include::modules/persistent-storage-csi-manila-dynamic-provisioning.adoc[leveloffset=+1]
 
+include::modules/persistent-storage-csi-manila-share-access-rules.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 .Additional resources
 * xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#persistent-storage-csi[Configuring CSI volumes]