
Feature Request / Implementation of a variable in TridentBackendConfig to push extra custom client IPs with autoExportPolicy.

Open nikos445 opened this issue 4 months ago • 6 comments

Describe the solution you'd like

Improvement of autoExportPolicy to be able to add custom IPs/networks to export policies. This feature will fix the "problematic" autoExportPolicy when a Kubernetes cluster is behind an SNAT / Proxy and Node IPs are not relevant to traffic reaching the SVM.

Describe actions you've considered

  • Adds a custom variable for client IPs / Networks (CustomExportClientIPs) to TridentBackendConfig.

  • autoExportPolicy should be enabled to create/update/delete the CustomExportClientIPs to SVM together with nodeIPs found from autoExportPolicy functionality.

  • Add missing code for ReconcileVolumeNodeAccess, for volume policies when backend updates

  • Add extra variable enableCustomExportPolicySettings to enable/disable custom export policy settings (currently enables/disables only CustomExportClientIPs but may create more in future)

  • Adds function for ValidateIPs (like ValidateCIDRs)

  • autoExportPolicy should filter CustomExportClientIPs according to AutoExportCIDRs

New TridentBackendConfig Variables
  enableCustomExportPolicySettings: true
  customExportClientIPs:
  - 10.140.52.89
  autoExportPolicy: true

Additional context

I am going to create a pull request with an implementation for it, but I may need support to make this work perfectly and follow Trident standards - if needed + testing.

PR: https://github.com/NetApp/trident/pull/1051

nikos445 Aug 25 '25 07:08

Hi, @nikos445. This is a feature we've discussed for a long time, as there are multiple valid use cases for it. One question is how to undo the config change if it is no longer wanted. That is, if you remove the IP or CIDR from the backend config, that wouldn't immediately remove it from all of the existing export policies, which I assume is OK. But there would not be a record of the extra address having been present, so Publish() & Unpublish() in the backend driver must move from a simple additive or subtractive process to one that computes the entire set of needed rules on the export policy based on existing volume publications and config options, and then removes any extraneous rules.

clintonk Aug 28 '25 15:08
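The reconciliation described in the comment above, as an added Go sketch that is not Trident's code or the PR's: it computes the full desired client set from published node IPs and `customExportClientIPs`, filtered by the auto-export CIDRs, then diffs it against the rules currently on the policy. `desiredRules` and `diff` are hypothetical names, the CIDRs are assumed to be already parsed and validated, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// desiredRules (hypothetical helper) lists every client the policy should hold, limited to allowed.
func desiredRules(nodeIPs, customIPs []string, allowed []*net.IPNet) (want []string, err error) {
	seen := map[string]bool{}
	for _, s := range append(append([]string{}, nodeIPs...), customIPs...) {
		ip := net.ParseIP(s)
		if ip == nil { // reject malformed entries before they reach the SVM
			return nil, fmt.Errorf("invalid client IP %q", s)
		}
		for _, n := range allowed {
			if k := ip.String(); n.Contains(ip) && !seen[k] {
				seen[k] = true
				want = append(want, k)
			}
		}
	}
	return want, nil
}

// diff returns the entries of a that are absent from b, in a's order.
func diff(a, b []string) (out []string) {
	in := map[string]bool{}
	for _, s := range b {
		in[s] = true
	}
	for _, s := range a {
		if !in[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed sample: 10.140.52.90 was once in the config and is now gone.
	_, cidr, _ := net.ParseCIDR("10.0.0.0/8")
	existing := []string{"10.0.0.5", "10.140.52.90"}
	want, err := desiredRules([]string{"10.0.0.5"}, []string{"10.140.52.89"}, []*net.IPNet{cidr})
	if err != nil {
		panic(err)
	}
	fmt.Println("add:", diff(want, existing), "remove:", diff(existing, want))
}
```

Because the desired set is rebuilt from scratch on every pass, a client address that was dropped from the backend config shows up in the remove list even though nothing recorded that it was ever added.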

What is done:

I implemented all the cases you described above and tested Adding/Removing/Updating IPs in backend config, and both backend policy and volume policy are getting the updates.

Please check the latest code I just posted... It's now tested (manually) and fully functional code.

  • Added code on functions that was missing ReconcileVolumeNodeAccess

  • Added backend.ReconcileVolumeNodeAccess(ctx, vol.Config, volResult.Nodes) in backend update func updateBackendVolumes to reconcile volumes when backend is updating.

  • Added extra enableCustomExportPolicySettings to enable/disable the Extra / Custom Export Config Policy Settings (Defaults false)

  • About removal for removeExportPolicyRules function:

    • Updated the function to check if enableCustomExportPolicySettings is enabled, then to remove all rules and recreate them.

TODO for NetApp:

  • Fix tests and implement new tests to include: customExportClientIPs and enableCustomExportPolicySettings variables.

nikos445 Aug 28 '25 18:08

@nikos445 Have you filed the CCLA outlined here for us to take a look at your PR?

torirevilla Sep 02 '25 20:09

Can't this be a contribution as an individual? My contribution is not "Corporate".

nikos445 Sep 02 '25 23:09

@nikos445 you can use the ICLA (for individual contributors).

sjpeeris Oct 07 '25 13:10

> @nikos445 you can use the ICLA (for individual contributors).

OK, that was not described in the contribution guidelines. There you have only the CCLA; please write something about this there.

In the meantime I signed the ICLA. Please proceed with the PR review. I also did a rebase onto the latest master branch. 😃

nikos445 Oct 07 '25 17:10