update iSCSI README with CHAP instruction

Signed-off-by: Huamin Chen <hchen@redhat.com>

examples/examples_test.go

@@ -201,7 +201,9 @@ func TestExampleObjectSchemas(t *testing.T) {
 			"redis-slave-service":     &api.Service{},
 		},
 		"../examples/volumes/iscsi": {
-			"iscsi": &api.Pod{},
+			"chap-secret": &api.Secret{},
+			"iscsi":       &api.Pod{},
+			"iscsi-chap":  &api.Pod{},
 		},
 		"../examples/volumes/glusterfs": {
 			"glusterfs-pod":       &api.Pod{},
@@ -405,7 +407,7 @@ func TestReadme(t *testing.T) {
 		expectedType []runtime.Object
 	}{
 		{"../README.md", []runtime.Object{&api.Pod{}}},
-		{"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Pod{}}},
+		{"../examples/volumes/iscsi/README.md", []runtime.Object{&api.Secret{}}},
 	}
 
 	for _, path := range paths {

examples/volumes/iscsi/README.md

@@ -5,6 +5,7 @@ Currently supported features are
   * Connecting to one portal
   * Mounting a device directly or via multipathd
   * Formatting and partitioning any new device connected
+  * CHAP authentication
 
 ## Prerequisites
 
@@ -26,6 +27,48 @@ If you want to use an iSCSI offload card or other open-iscsi transports besides
 may have partitioned the device, the iSCSI volume plugin does not
 currently support partitions so format the device as one partition or leave the device raw and Kubernetes will partition and format it one first mount.
 
+### CHAP Authentication
+
+To enable one-way or two-way CHAP authentication for discovery or session, following these steps.
+
+ * Set `chapAuthDiscovery` to `true` for discovery authentication.
+ * Set `chapAuthSession` to `true` for session authentication.
+ * Create a CHAP secret and set `secretRef` to reference the CHAP secret.
+
+
+Example can be found at [iscsi-chap.yaml](iscsi-chap.yaml)
+
+### CHAP Secret
+
+As illustrated in [chap-secret.yaml](chap-secret.yaml), the secret must have type `kubernetes.io/iscsi-chap` and consists of the following keys:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chap-secret
+type: "kubernetes.io/iscsi-chap"  
+data:
+  discovery.sendtargets.auth.username: 
+  discovery.sendtargets.auth.password: 
+  discovery.sendtargets.auth.username_in: 
+  discovery.sendtargets.auth.password_in: 
+  node.session.auth.username: 
+  node.session.auth.password: 
+  node.session.auth.username_in: 
+  node.session.auth.password_in: 
+```
+
+These keys map to those used by Open-iSCSI initiator. Detailed documents on these keys can be found at [Open-iSCSI](https://github.com/open-iscsi/open-iscsi/blob/master/etc/iscsid.conf)
+
+#### Create CHAP secret before creating iSCSI volumes and Pods
+
+```console
+# kubectl create -f examples/volumes/iscsi/chap-iscsi.yaml
+```
+
+
 
 Once the pod config is created, run it on the Kubernetes master:
 

examples/volumes/iscsi/chap-secret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chap-secret
+type: "kubernetes.io/iscsi-chap"  
+data:
+  discovery.sendtargets.auth.username: dXNlcg==
+  discovery.sendtargets.auth.password: ZGVtbw==
+  discovery.sendtargets.auth.username_in: bXVzZXI=
+  discovery.sendtargets.auth.password_in: bXBhc3M=
+  node.session.auth.username: dXNlcm5hbWU=
+  node.session.auth.password: cGFzc3dvcmQ=
+  node.session.auth.username_in: bXVzZXIy
+  node.session.auth.password_in: bXBhc3My

examples/volumes/iscsi/iscsi-chap.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: iscsipd
+spec:
+  containers:
+  - name: iscsipd-ro
+    image: kubernetes/pause
+    volumeMounts:
+    - mountPath: "/mnt/iscsipd"
+      name: iscsivol
+  volumes:
+  - name: iscsivol
+    iscsi:
+      targetPortal: 127.0.0.1
+      iqn: iqn.2015-02.example.com:test
+      lun: 0
+      fsType: ext4
+      readOnly: true
+      chapAuthDiscovery: true
+      chapAuthSession: true
+      secretRef: 
+         name: chap-secret

pkg/volume/iscsi/iscsi_util.go

@@ -17,7 +17,6 @@ limitations under the License.
 package iscsi
 
 import (
-	"errors"
 	"fmt"
 	"os"
 	"path"