Authorization
The CSM Authorization karavictl CLI is no longer actively maintained or supported. It will be deprecated in CSM 2.0.
Install CSM Authorization via Dell CSM Operator
The CSM Authorization module for supported Dell CSI Drivers can be installed via the Dell CSM Operator. To deploy the Operator, follow the instructions available here.
Prerequisite
-
Execute
kubectl create namespace authorization
to create the authorization namespace (if not already present). Note that the namespace can be any user-defined name, in this example, we assume that the namespace is ‘authorization’. -
Install cert-manager CRDs
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
-
Prepare samples/authorization/config.yaml which contains the JWT signing secret. The following table lists the configuration parameters.
Parameter Description Required Default web.jwtsigningsecret String used to sign JSON Web Tokens true secret Example:
web: jwtsigningsecret: randomString123
After editing the file, run this command to create a secret called
karavi-config-secret
:kubectl create secret generic karavi-config-secret -n authorization --from-file=config.yaml=samples/authorization/config.yaml
Use this command to replace or update the secret:
kubectl create secret generic karavi-config-secret -n authorization --from-file=config.yaml=samples/authorization/config.yaml -o yaml --dry-run=client | kubectl replace -f -
-
Create the karavi-storage-secret to store storage system credentials.
Use this command to create the secret:
kubectl create -f samples/authorization/karavi-storage-secret.yaml
Note:
- If you are installing CSM Authorization in a different namespace than
authorization
, edit thenamespace
field in this file to your namespace.
Install CSM Authorization Proxy Server
-
Follow all the prerequisites.
-
Create a CR (Custom Resource) for Authorization from a sample manifest. This file can be modified to use custom parameters if needed.
-
Users should configure the parameters in the CR. This table lists the primary configurable parameters of the Authorization Proxy Server and their default values:
Parameter Description Required Default openshift For OpenShift Container Platform only: Enable/Disable use of the OpenShift Ingress Controller. Set to false if you already have an Ingress Controller installed. No False nginx This section configures the enablement of the NGINX Ingress Controller. - - enabled For Kubernetes Container Platform only: Enable/Disable deployment of the NGINX Ingress Controller. Set to false if you already have an Ingress Controller installed. No true cert-manager This section configures the enablement of cert-manager. - - enabled Enable/Disable deployment of cert-manager. Set to false if you already have cert-manager installed. No true authorization This section configures the CSM-Authorization components. - - certificate The base64-encoded certificate for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate. No - privateKey The base64-encoded private key for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate. No - hostname The hostname to configure the self-signed certificate (if applicable), and the proxy service Ingress. No csm-authorization.com proxyServerIngress.ingressClassName The ingressClassName of the proxy-service Ingress. Yes nginx proxyServerIngress.hosts Additional host rules to be applied to the proxy-service Ingress. No - proxyServerIngress.annotations Additional annotations for the proxy-service Ingress. No - redis This section configures the Redis components. - - storageclass The storage class for Redis to use for persistence. If not supplied, a locally provisioned volume is used. No -
Note:
- If you are installing CSM Authorization in a different namespace than
authorization
, edit thenamespace
fields in this file to your namespace.- If you specify
storageclass
, the storage class must NOT be provisioned by the Dell CSI Driver to be configured with this installation of CSM Authorization.
Optional:
To enable reporting of trace data with Zipkin, use the csm-config-params
configMap in the sample CR or dynamically by editing the configMap.
Add the Zipkin values to the configMap where ZIPKIN_ADDRESS
is the IP address or hostname of the Zipkin server.
ZIPKIN_URI: "http://ZIPKIN_ADDRESS:9411/api/v2/spans"
ZIPKIN_PROBABILITY: "1.0"
-
Execute this command to create the Authorization CR:
kubectl create -f <SAMPLE FILE>
Note:
- This command will deploy the Authorization Proxy Server in the namespace specified in the input YAML file.
Verify Installation of the CSM Authorization Proxy Server
Once the Authorization CR is created, you can verify the installation as mentioned below:
kubectl describe csm/<name-of-custom-resource> -n authorization
Install Karavictl
Follow the instructions available in CSM Authorization for Installing karavictl.
Configure the CSM Authorization Proxy Server
Authorization v1.x GA
Follow the instructions available in CSM Authorization for Configuring the CSM Authorization Proxy Server.
Configure a Dell CSI Driver with CSM Authorization
Authorization v1.x GA
Follow the instructions available in CSM Authorization for Configuring a Dell CSI Driver with CSM for Authorization.
Upgrade CSM Authorization
This section outlines the upgrade steps for Container Storage Modules (CSM) for Authorization. The upgrade of CSM for Authorization is handled in 2 parts:
- Upgrading the Authorization proxy server
- Upgrading CSI Driver, Authorization sidecar with Authorization module enabled
Upgrading the Authorization Proxy Server
-
Modifying the existing Authorization Proxy Server installation directly via
kubectl edit
kubectl get csm -n <module-namespace>
For example - If the Authorization Proxy Server is installed in authorization namespace then run this command to get the object name
kubectl get csm -n authorization
use the object name in
kubectl edit
command.kubectl edit csm <object-name> -n <module-namespace>
For example - If the object name is authorization then use the name as authorization and if the namespace is authorization, then run this command to edit the object
kubectl edit csm authorization -n authorization
-
Modify the installation
- Update the CSM Authorization Proxy Server configVersion
- Update the images for proxyService, tenantService, roleService and storageService
Upgrading CSI Driver, Authorization sidecar with Authorization module enabled
-
Modifying the existing driver and module installation directly via
kubectl edit
kubectl get csm -n <driver-namespace>
For example - If the CSI PowerFlex driver is installed in vxflexos namepace then run this command to get the object name
kubectl get csm -n vxflexos
use the object name in
kubectl edit
command.kubectl edit csm <object-name> -n <driver-namespace>
For example - If the object name is vxflexos then use the name as vxflexos and if the driver is installed in vxflexos namespace, then run this command to edit the object
kubectl edit csm vxflexos -n vxflexos
-
Modify the installation
- Update the driver config version and image tag
- Update the Authorization config version and karavi-authorization-proxy image.
Note:
- In Authorization module upgrade, only
n-1
ton
upgrade is supported, e.g. if the current observability version isv1.8.x
, it can be upgraded to1.9.x
.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.