PowerFlex
Docker Hub images are discontinued. All deployments will be using images from quay.io.
Configuring PowerFlex CSI Driver with Container Storage Modules for Authorization
Given a setup where Kubernetes, a storage system, and the Authorization Proxy Server are deployed, follow these steps to configure the CSI Drivers to work with the Authorization sidecar:
1. Apply the secret containing the tenant token data into the driver namespace. It is assumed that the Kubernetes administrator has the token secret manifest, generated by your storage administrator via Generate a Token, saved in `/tmp/token.yaml`.

   ```bash
   kubectl apply -f /tmp/token.yaml -n vxflexos
   ```

   This assumes that PowerFlex will be installed in the `vxflexos` namespace.
2. Edit these parameters in the `samples/secret/karavi-authorization-config.json` file in the CSI PowerFlex driver and update/add connection information for one or more backend storage arrays. When multiple CSI drivers are configured on the same Kubernetes cluster, the port range in the `endpoint` parameter must be different for each driver.

   Purpose of this secret: the `karavi-authorization-config` secret tells the Authorization sidecar proxy which localhost endpoint to listen on and where the actual storage array is located. The CSI driver sends requests to the localhost endpoint; the sidecar intercepts them, attaches the tenant token, and forwards them to the CSM Authorization Proxy Server, which then proxies to the actual storage array.

   Sample `karavi-authorization-config.json`:

   ```json
   {
     "storageArrays": [
       {
         "username": "ignored",
         "password": "ignored",
         "intendedEndpoint": "https://10.0.0.1",
         "endpoint": "https://localhost:9400",
         "systemID": "1000000000000000",
         "skipCertificateValidation": true,
         "isDefault": true
       }
     ]
   }
   ```

   Create the `karavi-authorization-config` secret using this command:

   ```bash
   kubectl -n vxflexos create secret generic karavi-authorization-config --from-file=config=samples/secret/karavi-authorization-config.json -o yaml --dry-run=client | kubectl apply -f -
   ```
3. Create the `proxy-server-root-certificate` secret.

   Purpose: this secret contains the Root CA certificate used to establish secure TLS communication between the Authorization sidecar (running alongside the CSI driver) and the CSM Authorization Proxy Server (exposed via Ingress). It is not related to the TLS certificate of the backend storage array.

   Where to get `rootCertificate.pem`:
   - If CSM Authorization was installed with a self-signed certificate (via cert-manager), extract the CA certificate from the cert-manager CA secret (e.g., `karavi-selfsigned-tls`) in the `authorization` namespace.
   - If CSM Authorization was installed with your own certificate, provide the Root CA certificate that signed it (the root of the certificate chain that the Proxy Server's TLS certificate was issued from).
   - If running in insecure mode (not recommended for production), create the secret with empty data and set `skipCertificateValidation` to `true` in the driver configuration.

   Relationship with `skipCertificateValidation`:
   - When `SKIP_CERTIFICATE_VALIDATION` is set to `true` in the Authorization sidecar configuration (Step 5), the sidecar skips TLS verification of the Proxy Server, and this secret can be empty.
   - When `SKIP_CERTIFICATE_VALIDATION` is set to `false`, this secret must contain a valid Root CA certificate.

   If running in insecure mode, create the secret with empty data:

   ```bash
   kubectl -n vxflexos create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | kubectl apply -f -
   ```

   Otherwise, create the `proxy-server-root-certificate` secret with the appropriate file:

   ```bash
   kubectl -n vxflexos create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f -
   ```
4. Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the Container Storage Modules Authorization sidecar.

   **Operator**

   Refer to the Create Secret section to prepare `secret.yaml` to configure the driver to communicate with the Authorization sidecar.
   - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
   - Update `skipCertificateValidation` to `true`.
   - The `username` and `password` can be any value since they will be ignored.

   Example:

   ```yaml
   - username: "ignored"
     password: "ignored"
     systemID: "ID2"
     endpoint: "https://localhost:9400"
     skipCertificateValidation: true
     isDefault: true
     mdm: "10.0.0.3,10.0.0.4"
   ```

   **Helm**

   Refer to the Install the Driver section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the Authorization sidecar.
   - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
   - Update `skipCertificateValidation` to `true`.
   - The `username` and `password` can be any value since they will be ignored.

   Example:

   ```yaml
   - username: "ignored"
     password: "ignored"
     systemID: "ID2"
     endpoint: "https://localhost:9400"
     skipCertificateValidation: true
     isDefault: true
     mdm: "10.0.0.3,10.0.0.4"
   ```
5. Enable Container Storage Modules Authorization in the driver installation applicable to your installation method. Alternatively, you can use the minimal sample files provided in the respective CSM version folder under samples here and install the module using the default values.

   **Operator**

   Refer to the Install Driver section to edit the parameters in the Custom Resource to enable Authorization.

   Under `modules`, enable the module named `authorization`:
   - Update the `enabled` field to `true`.
   - Update the `image` to the image of the Authorization sidecar. In most cases, you can leave the default value.
   - Update the `PROXY_HOST` environment value to the hostname of the Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of Authorization for the correct value.
   - Update the `SKIP_CERTIFICATE_VALIDATION` environment value to `true` or `false` depending on whether you want to disable or enable certificate validation of the Authorization Proxy Server.
   - Do not update the `configVersion`. You will notice in the example that it is set to v2.3.0. This ensures that Operator checks on version support do not prevent deployment of the latest version of authorization.

   Example:

   ```yaml
   modules:
     # Authorization: enable csm-authorization for RBAC
     - name: authorization
       # enable: Enable/Disable csm-authorization
       enabled: true
       configVersion: v2.3.0
       components:
         - name: karavi-authorization-proxy
           image: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.3.0
           envs:
             # proxyHost: hostname of the csm-authorization server
             - name: "PROXY_HOST"
               value: "csm-authorization.com"
             # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server
             - name: "SKIP_CERTIFICATE_VALIDATION"
               value: "true"
   ```

   **Helm**

   Refer to the Install the Driver section to edit the parameters in `myvalues.yaml` to enable Authorization.
   - Update `authorization.enabled` to `true`.
   - Update `images.authorization` to the image of the Authorization sidecar. In most cases, you can leave the default value.
   - Update `authorization.proxyHost` to the hostname of the Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of Authorization for the correct value.
   - Update `authorization.skipCertificateValidation` to `true` or `false` depending on whether you want to disable or enable certificate validation of the Authorization Proxy Server.

   Example:

   ```yaml
   authorization:
     enabled: true
     # sidecarProxyImage: the container image used for the csm-authorization-sidecar.
     # Default value: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.3.0
     sidecarProxyImage: quay.io/dell/container-storage-modules/csm-authorization-sidecar:v2.3.0
     # proxyHost: hostname of the csm-authorization server
     # Default value: None
     proxyHost: csm-authorization.com
     # skipCertificateValidation: certificate validation of the csm-authorization server
     # Allowed Values:
     #   "true" - TLS certificate verification will be skipped
     #   "false" - TLS certificate will be verified
     # Default value: "true"
     skipCertificateValidation: true
   ```
6. Install the CSI PowerFlex driver following the appropriate documentation for your installation method.
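The steps above spread one set of values across three places: the sidecar's `karavi-authorization-config.json`, the driver's `endpoint`, and the `proxy-server-root-certificate` secret paired with `SKIP_CERTIFICATE_VALIDATION`. The following added pre-flight check (not part of the CSM project or this page) cross-checks them before `kubectl apply`; the sample JSON is constructed from the page's example, and the function's parameters are assumptions standing in for values you would read out of your own manifests.

```python
import json
from urllib.parse import urlparse

# Constructed sample, mirroring the karavi-authorization-config.json layout shown above.
SAMPLE_CONFIG = """{
  "storageArrays": [
    {
      "username": "ignored",
      "password": "ignored",
      "intendedEndpoint": "https://10.0.0.1",
      "endpoint": "https://localhost:9400",
      "systemID": "1000000000000000",
      "skipCertificateValidation": true,
      "isDefault": true
    }
  ]
}"""


def check_authorization_config(config_json, driver_endpoint, skip_cert_validation,
                               root_ca_pem="", ports_used_by_other_drivers=()):
    """Return a list of findings; an empty list means the pieces are consistent.

    config_json: contents of karavi-authorization-config.json (step 2, sidecar side)
    driver_endpoint: the endpoint in the driver secret/config (step 4)
    skip_cert_validation: SKIP_CERTIFICATE_VALIDATION of the sidecar (step 5)
    root_ca_pem: data of the proxy-server-root-certificate secret (step 3)
    ports_used_by_other_drivers: sidecar ports already taken by other CSI drivers
    """
    findings = []
    arrays = json.loads(config_json).get("storageArrays", [])
    if not arrays:
        return ["storageArrays is empty: the sidecar has nothing to listen on"]
    sidecar_endpoints = {a.get("endpoint", "") for a in arrays}
    for ep_str in sidecar_endpoints:
        ep = urlparse(ep_str)
        # The driver must talk to the local sidecar, never to the array directly.
        if ep.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"endpoint {ep_str!r} is not a localhost sidecar endpoint")
        # Each driver on the cluster needs its own listener port.
        if ep.port in ports_used_by_other_drivers:
            findings.append(f"port {ep.port} is already used by another CSI driver's sidecar")
    if driver_endpoint not in sidecar_endpoints:
        findings.append(f"driver endpoint {driver_endpoint!r} matches no sidecar endpoint")
    # Step 3: with verification enabled the root CA secret cannot be empty.
    if skip_cert_validation:
        findings.append("warning: TLS verification of the Proxy Server is disabled (not recommended for production)")
    elif "BEGIN CERTIFICATE" not in root_ca_pem:
        findings.append("SKIP_CERTIFICATE_VALIDATION=false but proxy-server-root-certificate holds no CA certificate")
    return findings
```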