PowerMax

Enabling Container Storage Module Authorization for PowerMax CSI Driver

Starting with Container Storage Module 1.12, all deployments will use images from quay.io by default. New release images will be available on Docker Hub until CSM 1.14 (May 2025), and existing releases will remain on Docker Hub.

Configuring PowerMax CSI Driver with CSM for Authorization

Given a setup where Kubernetes, a storage system, and the CSM for Authorization Proxy Server are deployed, follow these steps to configure the CSI Drivers to work with the Authorization sidecar:

  1. Apply the secret containing the tenant token data into the driver namespace. It’s assumed that the Kubernetes administrator has the token secret manifest, generated by your storage administrator via Generate a Token, saved in /tmp/token.yaml.

     kubectl apply -f /tmp/token.yaml -n powermax
    

    This assumes that PowerMax will be installed in the powermax namespace.

  2. Edit the following parameters in the samples/secret/karavi-authorization-config.json file in the CSI PowerMax driver, updating or adding connection information for one or more backend storage arrays. When multiple CSI drivers are configured on the same Kubernetes cluster, the port range in the endpoint parameter must be different for each driver.

    | Parameter | Description | Required | Default |
    | --- | --- | --- | --- |
    | username | Username for connecting to the backend storage array. This parameter is ignored. | No | - |
    | password | Password for connecting to the backend storage array. This parameter is ignored. | No | - |
    | intendedEndpoint | HTTPS REST API endpoint of the backend storage array. | Yes | - |
    | endpoint | HTTPS localhost endpoint that the authorization sidecar will listen on. | Yes | https://localhost:9400 |
    | systemID | System ID of the backend storage array. | Yes | " " |
    | skipCertificateValidation | A boolean that enables/disables certificate validation of the backend storage array. This parameter is not used. | No | true |
    | isDefault | A boolean that indicates if the array is the default array. This parameter is not used. | No | default value from values.yaml |

    Create the karavi-authorization-config secret using this command:

    
    kubectl -n powermax create secret generic karavi-authorization-config --from-file=config=samples/secret/karavi-authorization-config.json -o yaml --dry-run=client | kubectl apply -f -
    
  3. Create the proxy-server-root-certificate secret.

    If running in insecure mode, create the secret with empty data:

    
    kubectl -n powermax create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | kubectl apply -f -
    

    Otherwise, create the proxy-server-root-certificate secret with the appropriate file:

    
    kubectl -n powermax create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f -
    
  4. Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the Authorization sidecar.

    Operator

    Refer to the Install Driver section to prepare powermax-creds.yaml to configure the driver to communicate with the Authorization sidecar.

    Leave username and password with the default values as they will be ignored.

    Helm

    Refer to the Install the Driver section where you edit samples/secret/secret.yaml with the credentials of the PowerMax.

    Leave username and password with the default values as they will be ignored.

  5. Operator Only: Prepare the reverse proxy configmap using the sample here. Fill in the appropriate values for the driver configuration. Example: config.yaml

     mode: StandAlone # Mode for the reverseproxy, should not be changed
     port: 2222
     logLevel: debug
     logFormat: text
     standAloneConfig:
       storageArrays:
         - storageArrayId: "000000000001" # arrayID
           primaryURL: "https://localhost:9400" # primary unisphere for arrayID
           proxyCredentialSecrets:
             - powermax-creds # credential secret for primary unisphere, e.g., powermax-creds
       managementServers:
         - url: "https://localhost:9400" # primary unisphere endpoint
           arrayCredentialSecret: powermax-creds # credential secret, e.g., powermax-creds
           skipCertificateValidation: true
    
  6. Enable Authorization in the driver installation applicable to your installation method. Alternatively, you can use the minimal sample files provided here and install the module using default values.

    Operator

    Refer to the Install Driver section to edit the parameters in the Custom Resource to enable Authorization.

    Under modules, enable the module named authorization:

    • Update the enabled field to true.

    • Update the image to the image of the Authorization sidecar. In most cases, you can leave the default value.

    • Update the PROXY_HOST environment value to the hostname of the Authorization Proxy Server. csm-authorization.com is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

    • Update the SKIP_CERTIFICATE_VALIDATION environment value to true or false depending on whether you want to disable or enable certificate validation of the Authorization Proxy Server.

    • Do not update the configVersion. In the example it is set to v1.12.0; this ensures that Operator checks on version support do not prevent deployment of the v2.0.0-alpha authorization tech preview.

    Example:

    modules:
      # CSI Powermax Reverseproxy is a mandatory module for Powermax
      - name: csireverseproxy
        # enabled: Always set to true
        enabled: true
        forceRemoveModule: true
        configVersion: v2.11.0
        components:
        - name: csipowermax-reverseproxy
          # image: Define the container images used for the reverse proxy
          # Default value: None
          image: quay.io/dell/container-storage-modules/csipowermax-reverseproxy:v2.11.0
          envs:
          # "tlsSecret" defines the TLS secret that is created with certificate
          # and its associated key
          # Default value: None
          # Example: "tls-secret"
          - name: X_CSI_REVPROXY_TLS_SECRET
            value: "csirevproxy-tls-secret"
          - name: X_CSI_REVPROXY_PORT
            value: "2222"
          - name: X_CSI_CONFIG_MAP_NAME
            value: "powermax-reverseproxy-config"
          # deployAsSidecar defines the way reverseproxy is installed with the driver
          # set it true, if csm-auth is enabled / you want it as a sidecar container
          # set it false, if you want it as a deployment
          - name: "DeployAsSidecar"
            value: "true"
    
      # Authorization: enable csm-authorization for RBAC
      - name: authorization
        # enable: Enable/Disable csm-authorization
        enabled: true
        configVersion: v1.12.0
        components:
        - name: karavi-authorization-proxy
          image: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.0.0
          envs:
            # proxyHost: hostname of the csm-authorization server
            - name: "PROXY_HOST"
              value: "csm-authorization.com"
    
            # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server
            - name: "SKIP_CERTIFICATE_VALIDATION"
              value: "true"
    

    Helm

    Refer to the Install the Driver section to edit the parameters in my-powermax-settings.yaml file to configure the driver to communicate with the Authorization sidecar.

    • Update global.storageArrays.endpoint to match the localhost endpoint in samples/secret/karavi-authorization-config.json.

    • Update global.managementServers.endpoint to match the localhost endpoint in samples/secret/karavi-authorization-config.json.

    • Update authorization.enabled to true.

    • Update images.authorization to the image of the Authorization sidecar. In most cases, you can leave the default value.

    • Update authorization.proxyHost to the hostname of the Authorization Proxy Server. csm-authorization.com is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

    • Update authorization.skipCertificateValidation to true or false depending on whether you want to disable or enable certificate validation of the Authorization Proxy Server.

    • Update csireverseproxy.deployAsSidecar to true.

    Example:

    global:
      storageArrays:
        - storageArrayId: "123456789"
          endpoint: https://localhost:9400
      managementServers:
        - endpoint: https://localhost:9400
    csireverseproxy:
      # Set enabled to true if you want to deploy csireverseproxy as sidecar
      # Allowed values:
      #   "true"  - CSI reverse proxy will be deployed as a sidecar
      #   "false" - CSI reverse proxy will be deployed along with driver
      # Default value: "true"
      deployAsSidecar: true
    authorization:
      enabled: true
      # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
      # Default value: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.0.0
      sidecarProxyImage: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.0.0
      # proxyHost: hostname of the csm-authorization server
      # Default value: None
      proxyHost: csm-authorization.com
      # skipCertificateValidation: certificate validation of the csm-authorization server
      # Allowed Values:
      #   "true" - TLS certificate verification will be skipped
      #   "false" - TLS certificate will be verified
      # Default value: "true"
      skipCertificateValidation: true
    
  7. Install the Dell CSI PowerMax driver following the appropriate documentation for your installation method.
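
As an added example (not part of the Dell documentation or the CSM project's code), the following Python pre-flight check validates the contents of karavi-authorization-config.json from step 2 and confirms that the driver endpoints from steps 5 and 6 point at the sidecar's localhost endpoint. It assumes the file is a JSON array of objects keyed by the parameter names in the table; the function names and sample values are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample, assuming the file is a JSON array of per-array objects.
SAMPLE_CONFIG = """[{"username": "-", "password": "-",
  "intendedEndpoint": "https://unisphere.example.test:8443",
  "endpoint": "https://localhost:9400", "systemID": "000000000001",
  "skipCertificateValidation": true, "isDefault": true}]"""

def local_port(url):
    """Return the port of an https://localhost:<port> URL, else None."""
    try:
        u = urlparse(url)
        return u.port if u.scheme == "https" and u.hostname == "localhost" else None
    except ValueError:  # non-numeric or out-of-range port
        return None

def check_authorization_config(config_json, values_endpoints=(), other_driver_ports=()):
    """Return a list of problems; an empty list means every check passed."""
    entries = json.loads(config_json)
    if not isinstance(entries, list) or not entries:
        return ["config must be a non-empty JSON array"]
    problems, sidecar_ports = [], set()
    for i, entry in enumerate(entries):
        # Parameters marked "Required: Yes" in the table must be non-blank.
        for key in ("intendedEndpoint", "endpoint", "systemID"):
            if not str(entry.get(key, "")).strip():
                problems.append(f"entry {i}: required parameter {key} is empty")
        if urlparse(str(entry.get("intendedEndpoint", ""))).scheme != "https":
            problems.append(f"entry {i}: intendedEndpoint is not an HTTPS URL")
        port = local_port(str(entry.get("endpoint", "")))
        if port is None:
            problems.append(f"entry {i}: endpoint is not https://localhost:<port>")
        elif port in other_driver_ports:
            problems.append(f"entry {i}: port {port} is used by another driver")
        else:
            sidecar_ports.add(port)
    # Driver endpoints (Helm values or reverse proxy config) must match the sidecar.
    for ep in values_endpoints:
        if local_port(ep) not in sidecar_ports:
            problems.append(f"driver endpoint {ep} matches no sidecar endpoint")
    return problems

if __name__ == "__main__":
    print(check_authorization_config(SAMPLE_CONFIG, ["https://localhost:9400"]))
```

Pass the ports already claimed by other CSI drivers on the cluster as other_driver_ports to catch the collision described in step 2.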