automatically create autoExportCIDRs based on node labels
Describe the solution you'd like
Nowadays, we have to define an autoExportCIDRs for each TridentBackend [0]. To be more restrictive and therefore only allow a group of nodes with a specific label to mount volumes from a NAS backend, we would like to have a possibility to automatically generate the values for autoExportCIDRs based on custom node labels which we can set in our TridentBackend config. This enhancement would improve security and automation.
E.g. volumes created on backend A can only be mounted on nodes with label A; volumes created on backend B can only be mounted on nodes with label B.
Describe alternatives you've considered
We need to manually maintain the list and remove/add nodes if we scale in/out the cluster.
Additional context
[0] https://github.com/NetApp/trident/blob/ed77e685f321fa96ea43eb61bfd63b9388caad2e/trident-installer/sample-input/backends-samples/ontap-nas/backend-tbc-ontap-nas-autoexport.yaml
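The "manual" alternative above (keep the autoExportCIDRs list in step with which labelled nodes exist) can be scripted outside Trident. The following is an added example, not code from the issue or from the Trident project: it takes the JSON that `kubectl get nodes -o json` emits, keeps only the nodes carrying a chosen label, turns each node's InternalIP into a host CIDR (/32 or /128), and renders a TridentBackendConfig whose autoExportCIDRs holds exactly that list. The node data below is a constructed sample in that shape; the label key `storage-backend`, the backend names, and the LIF/SVM/credential placeholders in the rendered manifest are assumptions to be replaced with the real environment's values.

```python
import ipaddress
import json
import sys

# Constructed sample mimicking the shape of `kubectl get nodes -o json`.
# Only metadata.labels and status.addresses are consulted; real output has many more fields.
SAMPLE_NODES_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "worker-a1", "labels": {"storage-backend": "A"}},
         "status": {"addresses": [
             {"type": "InternalIP", "address": "10.10.1.11"},
             {"type": "ExternalIP", "address": "203.0.113.5"},   # not a storage-path address, ignored
             {"type": "Hostname", "address": "worker-a1"}]}},
        {"metadata": {"name": "worker-a2", "labels": {"storage-backend": "A"}},
         "status": {"addresses": [{"type": "InternalIP", "address": "10.10.1.12"}]}},
        {"metadata": {"name": "worker-b1", "labels": {"storage-backend": "B"}},
         "status": {"addresses": [{"type": "InternalIP", "address": "10.10.2.21"}]}},
        {"metadata": {"name": "worker-unlabelled"},               # no labels key at all
         "status": {"addresses": [{"type": "InternalIP", "address": "10.10.3.31"}]}},
    ]
})


def cidrs_for_label(nodes_json, label_key, label_value, address_type="InternalIP"):
    """Return sorted, de-duplicated host CIDRs (/32 or /128) of nodes labelled label_key=label_value."""
    nodes = json.loads(nodes_json).get("items", [])
    cidrs = set()
    for node in nodes:
        labels = node.get("metadata", {}).get("labels") or {}
        if labels.get(label_key) != label_value:
            continue
        for addr in node.get("status", {}).get("addresses", []):
            if addr.get("type") != address_type:
                continue
            ip = ipaddress.ip_address(addr["address"])      # raises ValueError on garbage input
            cidrs.add(str(ipaddress.ip_network(ip)))         # single-host network: /32 (v4) or /128 (v6)
    # Sort by IP version first so v4 and v6 networks are never compared with each other.
    return sorted(cidrs, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def render_backend_config(backend_name, cidrs, namespace="trident"):
    """Render a TridentBackendConfig (ontap-nas, autoExportPolicy) carrying the computed CIDR list.
    LIF, SVM and credential values are placeholders; copy the real ones from your existing backend."""
    if not cidrs:
        # Refuse rather than emit an empty list: an empty autoExportCIDRs does not express
        # "only these labelled nodes", which is the whole point of generating the list.
        raise ValueError(f"no nodes matched for backend {backend_name}; not rendering")
    cidr_lines = "\n".join(f"    - {c}" for c in cidrs)
    return f"""apiVersion: trident.netapp.io/v1
kind: TridentBackendConfig
metadata:
  name: {backend_name}
  namespace: {namespace}
spec:
  version: 1
  storageDriverName: ontap-nas
  backendName: {backend_name}
  managementLIF: REPLACE_WITH_MANAGEMENT_LIF
  dataLIF: REPLACE_WITH_DATA_LIF
  svm: REPLACE_WITH_SVM
  autoExportPolicy: true
  autoExportCIDRs:
{cidr_lines}
  credentials:
    name: REPLACE_WITH_SECRET_NAME
"""


if __name__ == "__main__":
    # Usage: kubectl get nodes -o json | python3 gen_export_cidrs.py <label-key> <label-value> <backend-name>
    # With no arguments the constructed sample above is used instead of stdin.
    if len(sys.argv) == 4:
        key, value, name = sys.argv[1:4]
        raw = sys.stdin.read()
    else:
        key, value, name, raw = "storage-backend", "A", "backend-a", SAMPLE_NODES_JSON
    print(render_backend_config(name, cidrs_for_label(raw, key, value)))
```

Run it once per backend and label value (A, B, ...) and apply the output with kubectl; re-running it on node add/remove events or on a schedule replaces the hand-maintained list the issue describes. Note the scope the maintainer's reply gives these CIDRs: they only filter which of the IPs reported by the node plugin get exported, so this script narrows the exported address set but is not by itself the per-node access enforcement the request asks for.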
We recognize the weaknesses of the current export policy management of Trident, and we're working towards a much better model for managing export policies. The purpose of the autoExportPolicyCIDRs is merely to filter out bogus IPs that may exist on the worker nodes because the Trident node plugin doesn't have an easy way to tell which IPs are being used to access storage, and it reports all of them to the controller.
The issue of ensuring that volumes are not accessible to nodes that don't need access to them requires a more complex solution, involving using more than one export policy and tracking state about on which nodes volumes are being used at any given time. This solution has been designed and pieces of it will start to appear in the next few releases.