PowerScale
Starting with CSM 1.12, all deployments will use images from quay.io by default. New release images will be available on Docker Hub until CSM 1.14 (May 2025), and existing releases will remain on Docker Hub.
Configuring PowerScale CSI Driver with CSM for Authorization
Given a setup where Kubernetes, a storage system, and the CSM for Authorization Proxy Server are deployed, follow these steps to configure the CSI Drivers to work with the Authorization sidecar:
-
Apply the secret containing the token data into the driver namespace. It’s assumed that the Kubernetes administrator has the token secret manifest, generated by your storage administrator via Generate a Token, saved in
/tmp/token.yaml
.kubectl apply -f /tmp/token.yaml -n isilon
This takes the assumption that PowerScale will be installed in the
isilon
namespace. -
Edit these parameters in
samples/secret/karavi-authorization-config.json
file in CSI PowerScale driver and update/add connection information for one or more backend storage arrays. In an instance where multiple CSI drivers are configured on the same Kubernetes cluster, the port range in the endpoint parameter must be different for each driver.
Parameter | Description | Required | Default |
---|---|---|---|
username | Username for connecting to the backend storage array. This parameter is ignored. | No | - |
password | Password for connecting to to the backend storage array. This parameter is ignored. | No | - |
intendedEndpoint | HTTPS REST API endpoint of the backend storage array. | Yes | - |
endpoint | HTTPS localhost endpoint that the authorization sidecar will listen on. | Yes | https://localhost:9400 |
systemID | Cluster name of the backend storage array. | Yes | " " |
skipCertificateValidation | A boolean that enables/disables certificate validation of the backend storage array. This parameter is not used. | No | true |
isDefault | A boolean that indicates if the array is the default array. This parameter is not used. | No | default value from values.yaml |
Create the karavi-authorization-config secret using this command:
kubectl -n isilon create secret generic karavi-authorization-config --from-file=config=samples/secret/karavi-authorization-config.json -o yaml --dry-run=client | kubectl apply -f -
-
Create the proxy-server-root-certificate secret.
If running in insecure mode, create the secret with empty data:
kubectl -n isilon create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | kubectl apply -f -
Otherwise, create the proxy-server-root-certificate secret with the appropriate file:
kubectl -n isilon create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f -
-
Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the CSM Authorization sidecar.
Operator
Refer to the Prerequisite section to prepare the
secret.yaml
file to configure the driver to communicate with the CSM Authorization sidecar.-
Update
endpoint
to match the localhost endpoint insamples/secret/karavi-authorization-config.json
. -
Update
mountEndpoint
to the PowerScale OneFS API server. For example, 10.0.0.1. -
Update
skipCertificateValidation
totrue
. -
The
username
andpassword
can be any value since they will be ignored.
Example:
isilonClusters: - clusterName: "cluster1" username: "ignored" password: "ignored" isDefault: true endpoint: localhost endpointPort: 9400 mountEndpoint: 10.0.0.1 skipCertificateValidation: true
Helm
Refer to the Install the Driver section to edit the parameters to prepare the
samples/secret/secret.yaml
file to configure the driver to communicate with the CSM Authorization sidecar.-
Update
endpoint
to match the localhost endpoint insamples/secret/karavi-authorization-config.json
. -
Update
mountEndpoint
to the PowerScale OneFS API server. For example, 10.0.0.1. -
Update
skipCertificateValidation
totrue
. -
The
username
andpassword
can be any value since they will be ignored.
Example:
isilonClusters: - clusterName: "cluster1" username: "ignored" password: "ignored" isDefault: true endpoint: localhost endpointPort: 9400 mountEndpoint: 10.0.0.1 skipCertificateValidation: true
-
-
Enable CSM Authorization in the driver installation applicable to your installation method.
Operator
Refer to the Install Driver section to edit the parameters in the Custom Resource to enable CSM Authorization.
Under
modules
, enable the module namedauthorization
:-
Update the
enabled
field totrue.
-
Update the
image
to the image of the CSM Authorization sidecar. In most cases, you can leave the default value. -
Update the
PROXY_HOST
environment value to the hostname of the CSM Authorization Proxy Server.csm-authorization.com
is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value. -
Update the
SKIP_CERTIFICATE_VALIDATION
environment value totrue
orfalse
depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server. -
Do not update the
configVersion
. You will notice in the example that it is set to v1.12.0, this ensures that Operator checks on version support do not prevent deployment of the v2.0.0 version of authorization.
modules: # Authorization: enable csm-authorization for RBAC - name: authorization # enable: Enable/Disable csm-authorization enabled: true configVersion: v1.12.0 components: - name: karavi-authorization-proxy image: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.0.0 envs: # proxyHost: hostname of the csm-authorization server - name: "PROXY_HOST" value: "csm-authorization.com" # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server - name: "SKIP_CERTIFICATE_VALIDATION" value: "true"
Helm
Refer to the Install the Driver section to edit the parameters in
my-isilon-settings.yaml
file to enable CSM Authorization.-
Update
authorization.enabled
totrue
. -
Update
images.authorization
to the image of the CSM Authorization sidecar. In most cases, you can leave the default value. -
Update
authorization.proxyHost
to the hostname of the CSM Authorization Proxy Server.csm-authorization.com
is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value. -
Update
authorization.skipCertificateValidation
totrue
orfalse
depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.
Example:
authorization: enabled: true # sidecarProxyImage: the container image used for the csm-authorization-sidecar. sidecarProxyImage: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.0.0 # proxyHost: hostname of the csm-authorization server # Default value: None proxyHost: csm-authorization.com # skipCertificateValidation: certificate validation of the csm-authorization server # Allowed Values: # "true" - TLS certificate verification will be skipped # "false" - TLS certificate will be verified # Default value: "true" skipCertificateValidation: true
-
-
Install the Dell CSI PowerScale driver following the appropriate documenation for your installation method.