Authorization - v2 Migration guide

Container Storage Module for Authorization v2 has significant architectural changes that prevent an in-place upgrade from Authorization v1 to Authorization v2. This page provides a reference guide for migrating from v1 to v2, using Powerflex as an example.

Before migrating, please note the following points:

  • Container Storage Module for Authorization v2 calculates the actual usage of provisioned capacity by syncing with the array.
  • Volumes belonging to a tenant are identified using the Volume Prefix configured in the CSMTenant custom resource.
  • Volumes without the Volume Prefix are not accounted for in the usage capacity calculation, because ownership of a volume is unknown without the prefix.
  • Before migrating to v2, rename every volume that must be accounted for so that it carries the Volume Prefix. See the Prerequisites.

Prerequisites

On the storage array, rename the volumes owned by each tenant with a tenant prefix.

Use dellctl to list the volumes owned by the tenant.

# dellctl volume get --proxy <csm-authorization-proxy-address> --namespace <driver-namespace>
NAME             VOLUME ID          SIZE       POOL    SYSTEM ID          PV NAME          PV STATUS   STORAGE CLASS   PVC NAME                NAMESPACE            SNAPSHOT COUNT
k8s-4cfa97ba5d   c6cfdfe000000229   8.000000   pool1   3000000000011111   k8s-4cfa97ba5d   Bound       vxflexos        vol-create-test-vndq8   test                 0
k8s-519bb230c5   c6cfdfe20000022b   8.000000   pool1   3000000000011111   k8s-519bb230c5   Bound       vxflexos        vol-create-test-wc45j   test                 0
k8s-ecc8381e08   c6cfdfe300000231   8.000000   pool1   3000000000011111   k8s-ecc8381e08   Bound       vxflexos        vol-create-test-r8ptv   test                 0
k8s-cc47d7a61e   c6cfdfe10000022a   8.000000   pool1   3000000000011111   k8s-cc47d7a61e   Bound       vxflexos        vol-create-test-k8szc   test                 0
k8s-76914ae62b   c6cfdfdf00000223   8.000000   pool1   3000000000011111   k8s-76914ae62b   Bound       vxflexos        vol-create-test-8sbtl   test                 0

On the storage array, rename each volume with your chosen tenant prefix. For example, if you’ve chosen the prefix tn1, volume k8s-4cfa97ba5d should be renamed to tn1-k8s-4cfa97ba5d.

Storage Systems

In an Authorization v1 setup, list the storage to get all the storage systems configured in the environment. Example:

karavictl storage list --admin-token admintoken.yaml --addr csm-authorization.host.com

{
  "storage": {
    "powerflex": {
      "3000000000011111": {
        "Endpoint": "https://1.1.1.1",
        "Insecure": true,
        "Password": "(omitted)",
        "User": "admin"
      }
    }
  }
}

In Authorization v2, storage systems are created using custom resources. For each storage system in the v1 environment, create one using the Storage CR. Example:

kubectl create -f controller/config/samples/csm-authorization_v1_storage.yaml
apiVersion: csm-authorization.storage.dell.com/v1
kind: Storage
metadata:
  name: powerflex
spec:
  # Type of the storage system. Example: powerflex, powermax, powerscale
  type: powerflex
  endpoint: https://1.1.1.1
  # System ID of the backend storage array
  systemID: 3000000000011111
  # Vault is the credential manager for storage arrays
  vault:
    identifier: vault0
    kvEngine: secret
    path: csm-authorization/powerflex/3000000000011111
  # SkipCertificateValidation is the flag to skip certificate validation
  skipCertificateValidation: true
  # PollInterval is the polling frequency to test the storage connectivity
  pollInterval: 30s

Role and Role Binding

In Authorization v2, role creation is simpler: users are not required to bind roles; they only need to create the roles that are needed.

List all the roles created in the Container Storage Modules for Authorization v1 setup. Example:

karavictl role list --admin-token admintoken.yaml --addr csm-authorization.host.com
{
  "CSIGold": [
    {
      "storage_system_id": "3000000000011111",
      "pool_quotas": [
        {
          "pool": "mypool",
          "quota": 32000000
        }
      ]
    }
  ],
  "CSISilver": [
    {
      "storage_system_id": "3000000000011111",
      "pool_quotas": [
        {
          "pool": "mypool",
          "quota": 16000000
        }
      ]
    }
  ]
}

In Authorization v2, roles are created using custom resources. For each role in the v1 environment, create one using the CSMRole CR. Example:

kubectl create -f controller/config/samples/csm-authorization_v1_csmrole.yaml
apiVersion: csm-authorization.storage.dell.com/v1
kind: CSMRole
metadata:
  name: CSIGold
spec:
  quota: 3200GiB
  systemID: 3000000000011111
  systemType: powerflex
  pool: pool1
---
apiVersion: csm-authorization.storage.dell.com/v1
kind: CSMRole
metadata:
  name: CSISilver
spec:
  quota: 1600GiB
  systemID: 3000000000011111
  systemType: powerflex
  pool: pool2

Tenant

List all the tenants in the v1 setup; each of them must be created in the v2 setup. List tenants in the v1 setup, example:

karavictl tenant list --admin-token admintoken.yaml --addr csm-authorization.host.com
{
  "tenants": [
    {
      "name": "Alice"
    }
  ]
}

Get detail of each tenant, example:

karavictl tenant get --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
{
  "name": "Alice",
  "roles": "CSIGold,CSISilver",
  "approvesdc": true
}

In Authorization v2, tenants are created using custom resources. The spec.volumePrefix field must be the prefix used in the prerequisite step when renaming the storage array volumes. For each tenant in the v1 environment, create one using the CSMTenant CR. Example:

kubectl create -f controller/config/samples/csm-authorization_v1_csmtenant.yaml

The csm-authorization_v1_csmtenant.yaml file will look like the following example:

apiVersion: csm-authorization.storage.dell.com/v1
kind: CSMTenant
metadata:
  name: Alice
spec:
  # Roles defines a comma separated list of Roles for this tenant
  roles: CSIGold,CSISilver
  approveSdc: true
  revoke: false
  volumePrefix: tn1
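The Storage, Role and Tenant steps above all start from karavictl JSON and end in a custom resource. The following added example (not part of the Container Storage Modules project) performs that mapping for all three, using constructed v1 samples shaped like the output shown in this guide. The v2 quota string per role, the vault identifier and kvEngine, and the tenant's volume prefix are assumed to be supplied by the caller, since none of them can be derived from the v1 output.

```python
"""Build Authorization v2 custom resources from karavictl v1 output.

Added example, not part of the Container Storage Modules project. It converts
the JSON printed by `karavictl storage list`, `karavictl role list` and
`karavictl tenant get` (samples below are constructed from this guide) into
Storage, CSMRole and CSMTenant objects. Quota strings, vault settings and the
volume prefix are caller-supplied assumptions; v1 output does not contain them.
"""
API = "csm-authorization.storage.dell.com/v1"

# Constructed v1 samples, in the shape of the karavictl output shown above.
V1_STORAGE = {"storage": {"powerflex": {"3000000000011111": {
    "Endpoint": "https://1.1.1.1", "Insecure": True,
    "Password": "(omitted)", "User": "admin"}}}}
V1_ROLES = {"CSIGold": [{"storage_system_id": "3000000000011111",
                         "pool_quotas": [{"pool": "mypool", "quota": 32000000}]}]}
V1_TENANT = {"name": "Alice", "roles": "CSIGold", "approvesdc": True}

def storage_crs(v1, vault_id="vault0", kv_engine="secret"):
    """One Storage CR per array. Credentials stay in Vault; they never enter the CR."""
    crs = []
    for stype, systems in v1["storage"].items():
        for sid, cfg in systems.items():
            crs.append({"apiVersion": API, "kind": "Storage", "metadata": {"name": stype},
                        "spec": {"type": stype, "endpoint": cfg["Endpoint"], "systemID": sid,
                                 "vault": {"identifier": vault_id, "kvEngine": kv_engine,
                                           "path": f"csm-authorization/{stype}/{sid}"},
                                 "skipCertificateValidation": bool(cfg["Insecure"]),
                                 "pollInterval": "30s"}})
    return crs

def role_crs(v1_roles, v1_storage, quotas):
    """One CSMRole per v1 pool quota; `quotas` maps role name -> v2 quota string."""
    sys_type = {sid: t for t, systems in v1_storage["storage"].items() for sid in systems}
    crs = []
    for name, entries in v1_roles.items():
        for entry in entries:
            sid = entry["storage_system_id"]
            for pq in entry["pool_quotas"]:
                crs.append({"apiVersion": API, "kind": "CSMRole", "metadata": {"name": name},
                            "spec": {"quota": quotas[name], "systemID": sid,
                                     "systemType": sys_type[sid], "pool": pq["pool"]}})
    return crs

def tenant_cr(v1_tenant, volume_prefix):
    """CSMTenant CR; volumePrefix must equal the prefix used when renaming volumes."""
    return {"apiVersion": API, "kind": "CSMTenant", "metadata": {"name": v1_tenant["name"]},
            "spec": {"roles": v1_tenant["roles"], "approveSdc": bool(v1_tenant["approvesdc"]),
                     "revoke": False, "volumePrefix": volume_prefix}}

def missing_roles(tenant, roles):
    """Roles a tenant references that have no CSMRole CR; create these before the tenant."""
    have = {r["metadata"]["name"] for r in roles}
    return sorted(set(tenant["spec"]["roles"].split(",")) - have)
```

Serialising the returned objects with json.dumps gives manifests that kubectl create -f accepts directly, so no YAML library is needed; run missing_roles on each tenant before applying it.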