Configuration

Docker Hub images are discontinued. All deployments will be using images from quay.io.

This section provides the details and instructions on how to configure Container Storage Modules Authorization.

Configuring the Container Storage Modules for Authorization Proxy Server

Run kubectl -n authorization get ingress and kubectl -n authorization get service to see the Ingress rules for these services and the exposed port for accessing these services via the LoadBalancer. For example:

kubectl -n authorization get ingress

NAME              CLASS   HOSTS                           ADDRESS   PORTS     AGE
proxy-server      nginx   csm-authorization.com                     00, 000   86s

kubectl -n authorization get service

NAME                                               TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
authorization-cert-manager                         ClusterIP      00.000.000.000    <none>        000/TCP                     28s
authorization-cert-manager-webhook                 ClusterIP      00.000.000.000    <none>        000/TCP                     27s
authorization-ingress-nginx-controller             LoadBalancer   00.000.000.000    <pending>     00:00000/TCP,000:00000/TCP  27s
authorization-ingress-nginx-controller-admission   ClusterIP      00.000.000.000    <none>        000/TCP                     27s
proxy-server                                       ClusterIP      00.000.000.000    <none>        000/TCP                     28s
redis-csm                                          ClusterIP      00.000.000.000    <none>        000/TCP                     28s
rediscommander                                     ClusterIP      00.000.000.000    <none>        000/TCP                     27s
role-service                                       ClusterIP      00.000.000.000    <none>        000/TCP                     27s
sentinel                                           ClusterIP      00.000.000.000    <none>        000/TCP                     27s
storage-service                                    ClusterIP      00.000.000.000    <none>        000/TCP                     27s
tenant-service                                     ClusterIP      00.000.000.000    <none>        000/TCP                     28s

On the machine running dellctl, if the Ingress host is left default (csm-authorization.com) during installation or any of the hostnames don’t resolve, the hostnames needs to be add to the /etc/hosts file. For example:

<master_node_ip> csm-authorization.com

Afterwards, the storage administrator can configure Authorization with the following via Customer Resources (CRs):

Storage systems
Tenants
Roles

Configuring Storage

The storage types supported are powerflex, powermax, powerscale and powerstore. During the creation of a storage system and role, the storage type must be one of the supported types.

A storage entity in Container Storage Modules Authorization consists of the storage type (powerflex, powermax, powerscale or powerstore), the system ID, the API endpoint, and the storage system credentials.

Note:

You must specify exactly one option for the storageSystemCredentials field, e.g. secretProviderClass.

Edit these parameters in the manifest:

Parameter	Description	Required	Default
type	The type of the storage array.	Yes	-
endpoint	HTTPS REST API endpoint of the backend storage array.	Yes	-
systemID	System ID of the backend storage array.	Yes	-
storageSystemCredentials.secretProviderClass	The SecretProviderClass containing the storage system credentials.	Yes	-
storageSystemCredentials.secretProviderClass.name	The SecretProviderClass name.	Yes	-
storageSystemCredentials.secretProviderClass.usernameObjectName	The SecretProviderClass objectName (Vault) or secret path (Conjur) for the username.	Yes	-
storageSystemCredentials.secretProviderClass.passwordObjectName	The SecretProviderClass objectName (Vault) or secret path (Conjur) for the password.	Yes	-
storageSystemCredentials.secret	The Kubernetes Secret containing the storage system credentials	No	-
skipCertificateValidation	A boolean that enables/disables certificate validation of the backend storage array.	No	true
pollInterval	PollInterval is the polling frequency to test the storage connectivity.	No	30s

For example, create PowerFlex storage using a SecretProviderClass:

apiVersion: csm-authorization.storage.dell.com/v1
kind: Storage
metadata:
  name: powerflex
spec:
  type: powerflex
  endpoint: https://10.0.0.1
  systemID: 1000000000000000
  storageSystemCredentials:
    secretProviderClass:
      name: secret-class-name
      usernameObjectName: usr
      passwordObjectName: pwd
  skipCertificateValidation: true
  pollInterval: 30s

For example, create PowerFlex storage using a Kubernetes Secret:

apiVersion: csm-authorization.storage.dell.com/v1
kind: Storage
metadata:
  name: powerflex
spec:
  type: powerflex
  endpoint: https://10.0.0.1
  systemID: 1000000000000000
  storageSystemCredentials:
    secret: "secret-1"
  skipCertificateValidation: true
  pollInterval: 30s

Note:

The systemID can vary from storage type to storage type. Please contact the storage administrator for more details on how to obtain it.

Configuring Roles

A role consists of a name, the storage array to use, and the quota limit for the storage pool to be used. Edit these parameters in the manifest:

Parameter	Description	Required	Default
name	The name of the role that will be used to bind with the tenant.	Yes	-
quota	The amount of allocated space for the specified role.	Yes	-
systemID	System ID of the backend storage array.	Yes	-
systemType	The type of the storage array.	Yes	-
systemType	The type of the storage array.	Yes	-
pool	The storage pool name.	Yes	-

For example, to create a role named role1 using the PowerFlex storage created above with a quota limit of 128iB in storage pool myStoragePool:

apiVersion: csm-authorization.storage.dell.com/v1
kind: CSMRole
metadata:
  name: role1
spec:
  quota: 128GiB
  systemID: 1000000000000000
  systemType: powerflex
  pool: myStoragePool

Note:

The quota must be set with iB (TiB/GiB etc). Example: 10 TiB or 512 GiB. If it is not, the quota enforcement will be inaccurate

Configuring Tenants

A tenant is a Kubernetes cluster that a role will be bound to. Edit these parameters in the manifest:

Parameter	Description	Required	Default
roles	A comma separate list of roles that the tenant can be associated with.	Yes	-
approveSdc	ApproveSdc is used to enable an SDC to access the MDM while the SDC is in restricted access mode.	Yes	false
revoke	Revoke is a boolean to indicate whether tenant is revoked. Set to `true` to revoke the tenant but keep it in Auth.	Yes	false
volumePrefix	The prefix that all volumes and snapshots will contain to show association with the tenant. It should not exceed 3 characters.	Yes	-

For example, to create a tenant named csmtenant-sample:

apiVersion: csm-authorization.storage.dell.com/v1
kind: CSMTenant
metadata:
  name: csmtenant-sample
spec:
  roles: role1
  approveSdc: false
  revoke: false
  volumePrefix: tn1

Generate a Token

Once the tenant is created, an access/refresh token pair can be created for the tenant. The storage admin is responsible for generating and sending the token to the Kubernetes tenant admin.

Generate an administrator token:

dellctl admin token  -n <administrator-name> --access-token-expiration 1m30s --refresh-token-expiration 720h --jwt-signing-secret <secret> > admin.yaml

You can also pass in the jwt-signing-secret via terminal prompt by not supplying the --jwt-signing-secret argument:

dellctl admin token  -n <administrator-name> --access-token-expiration 1m30s --refresh-token-expiration 720h > admin.yaml

  dellctl generate token --admin-token admin.yaml --addr csm-authorization.com:<ingress-controller-port> --insecure true --tenant <tenant> --access-token-expiration 30m0s --refresh-token-expiration 1480h0m0s > token.yaml

token.yaml will have a Kubernetes secret manifest that looks like this:

apiVersion: v1
data:
  access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKamMyMGlMQ0psZUhBaU9qRTNNVFkwTURRd016UXNJbWR5YjNWd0lqb2lZM050ZEdWdVlXNTBMWE5oYlhCc1pTSXNJbWx6Y3lJNkltTnZiUzVrWld4c0xtTnpiU0lzSW5KdmJHVnpJam9pY205c1pURWlMQ0p6ZFdJaU9pSmpjMjB0ZEdWdVlXNTBJbjAuRmtVTGotT01mSW9rN3ZWNmFKQURXR1dva1Bsd1huT2tZeWxSclZjN2F5Zw==
  refresh: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKamMyMGlMQ0psZUhBaU9qRTNNakUzTXpBeU16UXNJbWR5YjNWd0lqb2lZM050ZEdWdVlXNTBMWE5oYlhCc1pTSXNJbWx6Y3lJNkltTnZiUzVrWld4c0xtTnpiU0lzSW5KdmJHVnpJam9pY205c1pURWlMQ0p6ZFdJaU9pSmpjMjB0ZEdWdVlXNTBJbjAudWRYSFZ3MGg1dTdoTjZaVGJlNHgyYXRMWWhIamQta1ZtTFBVUHpXOHNIaw==
kind: Secret
metadata:
  creationTimestamp: null
  name: proxy-authz-tokens
type: Opaque

This secret must be applied in the driver namespace.

Note:

The insecure flag specifies to skip certificate validation when connecting to the Authorization proxy-server.

The addr flag is the address of the Authorization proxy-server.

The tenant flag specifies which tenant to generate the token for.