PowerScale

Configuring PowerScale CSI Driver with CSM for Authorization

Given a setup where Kubernetes, a storage system, and the CSM for Authorization Proxy Server are deployed, follow these steps to configure the CSI Drivers to work with the Authorization sidecar:

  1. Apply the secret containing the token data into the driver namespace. It’s assumed that the Kubernetes administrator has the token secret manifest, generated by your storage administrator via Generate a Token, saved in /tmp/token.yaml.

    #It is assumed that array type powerscale has the namespace “isilon”.

    kubectl apply -f /tmp/token.yaml -n isilon
    
  2. Edit these parameters in samples/secret/karavi-authorization-config.json file in CSI PowerScale driver and update/add connection information for one or more backend storage arrays. In an instance where multiple CSI drivers are configured on the same Kubernetes cluster, the port range in the endpoint parameter must be different for each driver.

Parameter Description Required Default
username Username for connecting to the backend storage array. This parameter is ignored. No -
password Password for connecting to to the backend storage array. This parameter is ignored. No -
intendedEndpoint HTTPS REST API endpoint of the backend storage array. Yes -
endpoint HTTPS localhost endpoint that the authorization sidecar will listen on. Yes https://localhost:9400
systemID Cluster name of the backend storage array. Yes " "
skipCertificateValidation A boolean that enables/disables certificate validation of the backend storage array. This parameter is not used. No true
isDefault A boolean that indicates if the array is the default array. This parameter is not used. No default value from values.yaml

Create the karavi-authorization-config secret using this command:


kubectl -n isilon create secret generic karavi-authorization-config --from-file=config=samples/secret/karavi-authorization-config.json -o yaml --dry-run=client | kubectl apply -f -
  1. Create the proxy-server-root-certificate secret.

    If running in insecure mode, create the secret with empty data:

    
    kubectl -n isilon create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | kubectl apply -f -
    

    Otherwise, create the proxy-server-root-certificate secret with the appropriate file:

    
    kubectl -n isilon create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f -
    
  2. Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the CSM Authorization sidecar.

    Helm

    Refer to the Install the Driver section to edit the parameters to prepare the samples/secret/secret.yaml file to configure the driver to communicate with the CSM Authorization sidecar.

    • Update endpoint to match the localhost endpoint in samples/secret/karavi-authorization-config.json.

    • Update mountEndpoint to the PowerScale OneFS API server. For example, 10.0.0.1.

    • Update skipCertificateValidation to true.

    • The username and password can be any value since they will be ignored.

    Example:

    isilonClusters:
      - clusterName: "cluster1"
        username: "ignored"
        password: "ignored"
        isDefault: true
        endpoint: localhost
        endpointPort: 9400
        mountEndpoint: 10.0.0.1
        skipCertificateValidation: true
    

    Operator

    Refer to the Prerequisite section to prepare the secret.yaml file to configure the driver to communicate with the CSM Authorization sidecar.

    • Update endpoint to match the localhost endpoint in samples/secret/karavi-authorization-config.json.

    • Update mountEndpoint to the PowerScale OneFS API server. For example, 10.0.0.1.

    • Update skipCertificateValidation to true.

    • The username and password can be any value since they will be ignored.

    Example:

    isilonClusters:
      - clusterName: "cluster1"
        username: "ignored"
        password: "ignored"
        isDefault: true
        endpoint: localhost
        endpointPort: 9400
        mountEndpoint: 10.0.0.1
        skipCertificateValidation: true
    
  3. Enable CSM Authorization in the driver installation applicable to your installation method.

    Helm

    Refer to the Install the Driver section to edit the parameters in my-isilon-settings.yaml file to enable CSM Authorization.

    • Update authorization.enabled to true.

    • Update images.authorization to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

    • Update authorization.proxyHost to the hostname of the CSM Authorization Proxy Server. csm-authorization.com is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

    • Update authorization.skipCertificateValidation to true or false depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

    Example:

    authorization:
      enabled: true
    
      # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
      # Default value: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v1.12.0
      sidecarProxyImage: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v1.12.0
    
      # proxyHost: hostname of the csm-authorization server
      # Default value: None
      proxyHost: csm-authorization.com
    
      # skipCertificateValidation: certificate validation of the csm-authorization server
      # Allowed Values:
      #   "true" - TLS certificate verification will be skipped
      #   "false" - TLS certificate will be verified 
      # Default value: "true" 
      skipCertificateValidation: true
    

    Operator

    Refer to the Install Driver section to edit the parameters in the Custom Resource to enable CSM Authorization.

    Under modules, enable the module named authorization:

    • Update the enabled field to true.

    • Update the image to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

    • Update the PROXY_HOST environment value to the hostname of the CSM Authorization Proxy Server. csm-authorization.com is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

    • Update the SKIP_CERTIFICATE_VALIDATION environment value to true or false depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

    modules:
      # Authorization: enable csm-authorization for RBAC
      - name: authorization
        # enable: Enable/Disable csm-authorization
        enabled: true
        configVersion: v1.12.0
        components:
        - name: karavi-authorization-proxy
          image: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v1.12.0
          envs:
            # proxyHost: hostname of the csm-authorization server
            - name: "PROXY_HOST"
              value: "csm-authorization.com"
    
            # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server       
            - name: "SKIP_CERTIFICATE_VALIDATION"
              value: "true"
    

    Alternatively, you can use the minimal sample files provided here and install the module using default values

  4. Install the Dell CSI PowerScale driver following the appropriate documenation for your installation method.

  5. (Optional) Install dellctl to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the dellctl documentation page for the installation steps and command list.