Proxy Server
Configuring the CSM for Authorization Proxy Server
The storage administrator must first configure the proxy server with the following:
- Storage systems
- Tenants
- Roles
- Bind roles to tenants
Note:
- The RPM deployment will use the address and port of the server (i.e. `grpc.<DNS-hostname>:443`).
- The Helm deployment will use the address and port of the Ingress hosts for the storage, tenant, and role services.
Configuring Storage
A `storage` entity in CSM Authorization consists of the storage type (PowerFlex, PowerMax, PowerScale), the system ID, the API endpoint, and the credentials. For example, to create PowerFlex storage:
```bash
# RPM Deployment
karavictl storage create --type powerflex --endpoint ${powerflexIP} --system-id ${systemID} --user ${user} --password ${password} --array-insecure
# Helm Deployment
karavictl storage create --type powerflex --endpoint ${powerflexIP} --system-id ${systemID} --user ${user} --password ${password} --insecure --array-insecure --addr storage.csm-authorization.com:<ingress-nginx-controller-port>
```
Note:
- The `insecure` flag specifies to skip certificate validation when connecting to the CSM Authorization storage service.
- The `array-insecure` flag specifies to skip certificate validation when the proxy service connects to the backend storage array. Run `karavictl storage create --help` for help.
- The `powerflexIP` is the endpoint of your PowerFlex system. You can find the `systemID` at `https://<your_powerflex_ip_address>/dashboard/performance`, near the `System` title.
- The `user` and `password` arguments are credentials to the PowerFlex UI.
Configuring Tenants
A `tenant` is a Kubernetes cluster that a role will be bound to. For example, to create a tenant named `Finance`:
```bash
# RPM Deployment
karavictl tenant create --name Finance --insecure --addr grpc.<DNS-hostname>:443
# Helm Deployment
karavictl tenant create --name Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
```
Note:
- The `insecure` flag specifies to skip certificate validation when connecting to the tenant service. Run `karavictl tenant create --help` for help.
- `DNS-hostname` refers to the hostname of the system on which the CSM for Authorization server will be installed. This hostname can be found by running `nslookup <IP_address>`.
- For the PowerFlex Pre-approved GUID feature, the `approvesdc` boolean flag is `true` by default. If the `approvesdc` flag is false for a tenant, the proxy server will deny requests to approve SDCs that are currently in the not-approved state. To change this flag for an already created tenant, see the `tenant update` command in the CLI section.
```bash
# RPM Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr grpc.<DNS-hostname>:443
# Helm Deployment
karavictl tenant create --name Finance --approvesdc=false --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
```
Configuring Roles
A `role` consists of a name, the storage to use, and the quota limit for the storage pool to be used. For example, to create a role named `FinanceRole` using the PowerFlex storage created above with a quota limit of 100GB in storage pool `myStoragePool`:
```bash
# RPM Deployment
karavictl role create --role=FinanceRole=powerflex=${systemID}=myStoragePool=100GB
# Helm Deployment
karavictl role create --insecure --addr role.csm-authorization.com:30016 --role=FinanceRole=powerflex=${systemID}=myStoragePool=100GB
```
Note:
- The `insecure` flag specifies to skip certificate validation when connecting to the role service. Run `karavictl role create --help` for help.
Configuring Role Bindings
A `role binding` binds a role to a tenant. For example, to bind the `FinanceRole` to the `Finance` tenant:
```bash
# RPM Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr grpc.<DNS-hostname>:443
# Helm Deployment
karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
```
Note:
- The `insecure` flag specifies to skip certificate validation when connecting to the tenant service. Run `karavictl rolebinding create --help` for help.
Generate a Token
RPM
After creating the role bindings, the next logical step is to generate the access token. The storage admin is responsible for generating the token and sending it to the Kubernetes tenant admin.
Note:
- The `--insecure` flag is required if certificates were not provided in `$HOME/.karavi/config.json`.
- This sample copies the token directly to the Kubernetes cluster master node. The requirement here is that the token must be copied and/or stored in any location accessible to the Kubernetes tenant admin.
```bash
echo === Generating token ===
karavictl generate token --tenant ${tenantName} --insecure --addr grpc.<DNS-hostname>:443 | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g' > token.yaml
echo === Copy token to Driver Host ===
# Fixed: the original was missing the "$" in front of {DriverHostVMIP}
sshpass -p ${DriverHostPassword} scp token.yaml ${DriverHostVMUser}@${DriverHostVMIP}:/tmp/token.yaml
```
Helm
Now that the tenant is bound to a role, a JSON Web Token can be generated for the tenant. For example, to generate a token for the `Finance` tenant:
```
karavictl generate token --tenant Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port>
{
"Token": "\napiVersion: v1\nkind: Secret\nmetadata:\n name: proxy-authz-tokens\ntype: Opaque\ndata:\n access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRNek1qUXhPRFlzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLmJIODN1TldmaHoxc1FVaDcweVlfMlF3N1NTVnEyRzRKeGlyVHFMWVlEMkU=\n refresh: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRVNU1UWXhNallzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLkxNbWVUSkZlX2dveXR0V0lUUDc5QWVaTy1kdmN5SHAwNUwyNXAtUm9ZZnM=\n"
}
```
Process the above response to filter out the Secret manifest. For example, using sed you can run the following:
```
karavictl generate token --tenant Finance --insecure --addr tenant.csm-authorization.com:<ingress-nginx-controller-port> | sed -e 's/"Token": //' -e 's/[{}"]//g' -e 's/\\n/\n/g'
apiVersion: v1
kind: Secret
metadata:
  name: proxy-authz-tokens
type: Opaque
data:
  access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRNek1qUTFOekVzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLk4tNE42Q1pPbUptcVQtRDF5ZkNGdEZqSmRDRjcxNlh1SXlNVFVyckNOS1U=
  refresh: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKcllYSmhkbWtpTENKbGVIQWlPakUyTlRVNU1UWTFNVEVzSW1keWIzVndJam9pWm05dklpd2lhWE56SWpvaVkyOXRMbVJsYkd3dWEyRnlZWFpwSWl3aWNtOXNaWE1pT2lKaVlYSWlMQ0p6ZFdJaU9pSnJZWEpoZG1rdGRHVnVZVzUwSW4wLkVxb3lXNld5ZEFLdU9mSmtkMkZaMk9TVThZMzlKUFc0YmhfNHc5R05ZNmM=
```
This Secret must be applied in the driver namespace.
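As an added example that is not part of the CSM Authorization docs, the script below applies the same sed-based extraction to a constructed response and then decodes the `exp`, `iss` and `sub` claims of the access token (without verifying its signature), so the storage admin can see the token's lifetime before handing the manifest to the tenant admin. It assumes POSIX sh with GNU `base64 -d`; `karavictl` itself is not called and `SAMPLE_RESPONSE` is a constructed stand-in for its output.

```shell
#!/bin/sh
# Added example (not part of the CSM Authorization docs): post-process the
# {"Token": "..."} JSON printed by `karavictl generate token` into the Secret
# manifest, then decode the access token's claims so the storage admin can
# check its expiry before handing the manifest to the tenant admin.
# karavictl is not invoked; SAMPLE_RESPONSE below is constructed to mimic its output.

# Raw JSON response ($1) -> YAML Secret manifest. Same sed chain as the docs, but the
# literal "\n" sequences are expanded with printf '%b' so it works beyond GNU sed.
token_to_manifest() {
    printf '%b' "$(printf '%s' "$1" | sed -e 's/"Token": //' -e 's/[{}"]//g')"
}

# Value of key $2 (access or refresh) from the manifest's data section ($1).
manifest_field() {
    printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }'
}

# Claim $2 from a Secret data value ($1 = base64 of a JWT). The signature is NOT
# verified here; this only reads the payload so an expired token is caught early.
jwt_claim() {
    jwt=$(printf '%s' "$1" | base64 -d)
    payload=$(printf '%s\n' "$jwt" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#payload} % 4 )) in        # restore the padding base64url strips
        2) payload="${payload}==" ;;
        3) payload="${payload}=" ;;
    esac
    printf '%s' "$payload" | base64 -d | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | tr -d '"'
}

# ---- constructed sample input, standing in for real karavictl output ----
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_EXP=1653324571
HEADER=$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)
CLAIMS="{\"aud\":\"karavi\",\"exp\":$SAMPLE_EXP,\"iss\":\"com.dell.karavi\",\"sub\":\"karavi-tenant\"}"
SAMPLE_JWT="$HEADER.$(printf '%s' "$CLAIMS" | b64url).placeholdersignature"   # dummy signature
SAMPLE_B64=$(printf '%s' "$SAMPLE_JWT" | base64 | tr -d '\n')
SAMPLE_RESPONSE="{
\"Token\": \"\\napiVersion: v1\\nkind: Secret\\nmetadata:\\n  name: proxy-authz-tokens\\ntype: Opaque\\ndata:\\n  access: $SAMPLE_B64\\n  refresh: $SAMPLE_B64\\n\"
}"

MANIFEST=$(token_to_manifest "$SAMPLE_RESPONSE")
ACCESS_EXP=$(jwt_claim "$(manifest_field "$MANIFEST" access)" exp)
printf '%s\n' "$MANIFEST"          # this is the content that goes into token.yaml
echo "access token expires at epoch $ACCESS_EXP ($(( ACCESS_EXP - $(date +%s) ))s from now)"
# Tenant admin's next step, in the driver namespace: kubectl apply -n <driver-namespace> -f token.yaml
```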