nvmeof: DH-CHAP Authentication for NVMe-oF CSI Driver

[gadididi]

Describe the feature you'd like to have

Add DH-CHAP authentication to the NVMe-oF CSI driver for secure storage connections.

What is DH-CHAP?

DH-CHAP is NVMe's authentication protocol - like requiring a password before accessing storage, but cryptographically secure. It prevents unauthorized nodes from accessing volumes.

Modes

• Bidirectional: Host and storage both authenticate (recommended for production)
• Unidirectional: Only host authenticates to storage
• None: No authentication (default, backward compatible)

Required by PM.

Acceptance Criteria

Configuration

• Add dhchapMode parameter: none/unidirectional/bidirectional
• Backward compatible (existing env work without changes)

Key Management

• Auto-generate secure DH-CHAP keys per node-subsystem connection
• Store encrypted keys in Kubernetes Secrets (or Vault for production)
• Auto-cleanup when volumes/hosts removed

Volume Operations

• ControllerPublishVolume: Generate host key, pass to gateway AddHost
• NodeStageVolume: Retrieve key, connect with nvme connect --dhchap-secret
• ControllerUnpublishVolume: Cleanup keys when last volume detached
• Clear error messages on authentication failures

Security

• Keys never logged or exposed
• Unique keys per connection (no reuse)

Example Configuration

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: ceph-nvmeof-secure
provisioner: nvmeof.csi.ceph.com
parameters:
  subsystemNQN: "nqn.2024-01.io.ceph:csi"
  dhchapMode: "unidirectional"  # <-- NEW
  # ... other params

Future Work

• Key rotation support
• External KMS integration (Vault)

[nixpanic]

A single optional dhchap_mode option with values none (default), bidirectional, unidirectional is cleaner.

[Madhu-1]

got few question, i have noted down when started reading it, few might have been answered but noting here as well

1. Can this be enabled/disabled on the fly?
2. Can this be added to configmap instead of SC?
3. Store keys securely in Kubernetes Secrets?
   Instead of this can we use KMS or image metadata for it? Like we do for PV encryption as it will be more secure?
   4 One unique key per node-subsystem connection (isolation)
   is this Key is going to be per node or per PV?
   5 CreateVolume: Generate subsystem key (if bidirectional mode) and create subsystem with authentication
   what about the case where Key need to be rotated?
4. None: No authentication (backward compatibility)
   IMO we dont need to worry about backward as its still in development phase.
   7.Key Persistence: Keys are stored in Kubernetes Secrets and persist across pod restarts, ensuring consistent authentication without regenerating keys unnecessarily.
   IMO it would be good to consider external entity instead of we managing the keys. and also we need to
   think about key rotation in early phase and does current design make sense.

[gadididi]

@Madhu-1 Hi!

got few question, i have noted down when started reading it, few might have been answered but noting here as well

1. Can this be enabled/disabled on the fly?

Subsystem keys and Hosts keys can be added/removed/changed dynamically via change_subsystem_key_req and change_host_key_req. but if you change the key for subsystem\host, then your worker node restart you must reconnect with the new key. it is highly recommended to disconnect and reconnect again with the new keys.

if we would like to support the key modification option, I am not sure which CSI function can fit this?

Can this be added to configmap instead of SC?

It should be per subsystem. you may have subsystem with DHCHAP and some without. in the SC we declare the SubsystemNQN var, So I thought it should be placed there, why do you think to move it into configmap?

4 One unique key per node-subsystem connection (isolation)
is this Key is going to be per node or per PV?

There is 1 key per subsystem, and 1 key per host (worker node). So, per node-subsystem connection, NOT per PV

Instead of this can we use KMS or image metadata for it? Like we do for PV encryption as it will be more secure?

I thought to keep both keys encrypted somewhere, I need to learn and understand how it is working in k8s and other env like that.. also, where to keep the kek (the key we will encrypt with him both dhchap keys) .

5 CreateVolume: Generate subsystem key (if bidirectional mode) and create subsystem with authentication
what about the case where Key need to be rotated?

There is an option to update the keys. you are right, not keep same key forever and every X days\hours change that key..

IMO it would be good to consider external entity instead of we managing the keys.

do you have any suggestion for it? I will investigate too

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.

[gadididi]

feature merged.