Authorization

Installing Authorization via Dell CSM Operator

The CSM Authorization karavictl CLI is no longer actively maintained or supported. It will be deprecated in CSM 2.0.

Install CSM Authorization via Dell CSM Operator

The CSM Authorization module for supported Dell CSI Drivers can be installed via the Dell CSM Operator. To deploy the Operator, follow the instructions available here.

Prerequisite

Execute kubectl create namespace authorization to create the authorization namespace (if not already present). Note that the namespace can be any user-defined name, in this example, we assume that the namespace is ‘authorization’.

Install cert-manager CRDs

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml

Prepare samples/authorization/config.yaml which contains the JWT signing secret. The following table lists the configuration parameters.

Parameter Description Required Default

web.jwtsigningsecret String used to sign JSON Web Tokens true secret

Example:
```
web:
  jwtsigningsecret: randomString123
```
After editing the file, run this command to create a secret called karavi-config-secret:
```
kubectl create secret generic karavi-config-secret -n authorization --from-file=config.yaml=samples/authorization/config.yaml
```
Use this command to replace or update the secret:
```
kubectl create secret generic karavi-config-secret -n authorization --from-file=config.yaml=samples/authorization/config.yaml -o yaml --dry-run=client | kubectl replace -f -
```
Create the karavi-storage-secret to store storage system credentials.

Use this command to create the secret:
```
kubectl create -f samples/authorization/karavi-storage-secret.yaml
```

Parameter	Description	Required	Default
web.jwtsigningsecret	String used to sign JSON Web Tokens	true	secret

Note:

If you are installing CSM Authorization in a different namespace than authorization, edit the namespace field in this file to your namespace.

Install CSM Authorization Proxy Server

Follow all the prerequisites.
Create a CR (Custom Resource) for Authorization from a sample manifest. This file can be modified to use custom parameters if needed.

Users should configure the parameters in the CR. This table lists the primary configurable parameters of the Authorization Proxy Server and their default values:

Parameter	Description	Required	Default
openshift	For OpenShift Container Platform only: Enable/Disable use of the OpenShift Ingress Controller. Set to false if you already have an Ingress Controller installed.	No	False
nginx	This section configures the enablement of the NGINX Ingress Controller.	-	-
enabled	For Kubernetes Container Platform only: Enable/Disable deployment of the NGINX Ingress Controller. Set to false if you already have an Ingress Controller installed.	No	true
cert-manager	This section configures the enablement of cert-manager.	-	-
enabled	Enable/Disable deployment of cert-manager. Set to false if you already have cert-manager installed.	No	true
authorization	This section configures the CSM-Authorization components.	-	-
certificate	The base64-encoded certificate for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate.	No	-
privateKey	The base64-encoded private key for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate.	No	-
hostname	The hostname to configure the self-signed certificate (if applicable), and the proxy service Ingress.	No	csm-authorization.com
proxyServerIngress.ingressClassName	The ingressClassName of the proxy-service Ingress.	Yes	nginx
proxyServerIngress.hosts	Additional host rules to be applied to the proxy-service Ingress.	No	-
proxyServerIngress.annotations	Additional annotations for the proxy-service Ingress.	No	-
redis	This section configures the Redis components.	-	-
storageclass	The storage class for Redis to use for persistence. If not supplied, a locally provisioned volume is used.	No	-

Note:

If you are installing CSM Authorization in a different namespace than authorization, edit the namespace fields in this file to your namespace.

If you specify storageclass, the storage class must NOT be provisioned by the Dell CSI Driver to be configured with this installation of CSM Authorization.

Optional: To enable reporting of trace data with Zipkin, use the csm-config-params configMap in the sample CR or dynamically by editing the configMap.

Add the Zipkin values to the configMap where ZIPKIN_ADDRESS is the IP address or hostname of the Zipkin server.

ZIPKIN_URI: "http://ZIPKIN_ADDRESS:9411/api/v2/spans"
ZIPKIN_PROBABILITY: "1.0"

Execute this command to create the Authorization CR:
```
kubectl create -f <SAMPLE FILE>
```

Note:

This command will deploy the Authorization Proxy Server in the namespace specified in the input YAML file.

Verify Installation of the CSM Authorization Proxy Server

Once the Authorization CR is created, you can verify the installation as mentioned below:

kubectl describe csm/<name-of-custom-resource> -n authorization

Install Karavictl

Follow the instructions available in CSM Authorization for Installing karavictl.

Configure the CSM Authorization Proxy Server

Authorization v1.x GA

Follow the instructions available in CSM Authorization for Configuring the CSM Authorization Proxy Server.

Configure a Dell CSI Driver with CSM Authorization

Authorization v1.x GA

Follow the instructions available in CSM Authorization for Configuring a Dell CSI Driver with CSM for Authorization.

Upgrade CSM Authorization

This section outlines the upgrade steps for Container Storage Modules (CSM) for Authorization. The upgrade of CSM for Authorization is handled in 2 parts:

Upgrading the Authorization proxy server
Upgrading CSI Driver, Authorization sidecar with Authorization module enabled

Upgrading the Authorization Proxy Server

Modifying the existing Authorization Proxy Server installation directly via kubectl edit
```
kubectl get csm -n <module-namespace>
```
For example - If the Authorization Proxy Server is installed in authorization namespace then run this command to get the object name
```
kubectl get csm -n authorization
```
use the object name in kubectl edit command.
```
kubectl edit csm <object-name> -n <module-namespace>
```
For example - If the object name is authorization then use the name as authorization and if the namespace is authorization, then run this command to edit the object
```
kubectl edit csm authorization -n authorization
```
Modify the installation
- Update the CSM Authorization Proxy Server configVersion
- Update the images for proxyService, tenantService, roleService and storageService

Upgrading CSI Driver, Authorization sidecar with Authorization module enabled

Modifying the existing driver and module installation directly via kubectl edit
```
kubectl get csm -n <driver-namespace>
```
For example - If the CSI PowerFlex driver is installed in vxflexos namepace then run this command to get the object name
```
kubectl get csm -n vxflexos
```
use the object name in kubectl edit command.
```
kubectl edit csm <object-name> -n <driver-namespace>
```
For example - If the object name is vxflexos then use the name as vxflexos and if the driver is installed in vxflexos namespace, then run this command to edit the object
```
kubectl edit csm vxflexos -n vxflexos
```
Modify the installation
- Update the driver config version and image tag
- Update the Authorization config version and karavi-authorization-proxy image.

Note:

In Authorization module upgrade, only n-1 to n upgrade is supported, e.g. if the current observability version is v1.8.x, it can be upgraded to 1.9.x.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.