PowerFlex

The CSI Driver for Dell PowerFlex can be deployed by using the provided Helm v3 charts and installation scripts on both Kubernetes and OpenShift platforms. For more detailed information on the installation scripts, review the script documentation.

The controller section of the Helm chart installs the following components in a Deployment in the specified namespace:

CSI Driver for Dell PowerFlex
Kubernetes External Provisioner, which provisions the volumes
Kubernetes External Attacher, which attaches the volumes to the containers
Kubernetes External Snapshotter, which provides snapshot support
Kubernetes External Resizer, which resizes the volume

The node section of the Helm chart installs the following component in a DaemonSet in the specified namespace:

CSI Driver for Dell PowerFlex
Kubernetes Node Registrar, which handles the driver registration

Prerequisites

The following are requirements that must be met before installing the CSI Driver for Dell PowerFlex:

Install Kubernetes or OpenShift (see supported versions)
Install Helm 3
Enable Zero Padding on PowerFlex
Mount propagation is enabled on container runtime that is being used
Install PowerFlex Storage Data Client
If using Snapshot feature, satisfy all Volume Snapshot requirements
A user must exist on the array with a role >= FrontEndConfigure
If enabling CSM for Authorization, please refer to the Authorization deployment steps first
If multipath is configured, ensure CSI-PowerFlex volumes are blacklisted by multipathd. See troubleshooting section for details

Install Helm 3.0

Install Helm 3.0 on the master node before you install the CSI Driver for Dell PowerFlex.

Steps

Run the curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash command to install Helm 3.0.

Enable Zero Padding on PowerFlex

Verify that zero padding is enabled on the PowerFlex storage pools that will be used. Use PowerFlex GUI or the PowerFlex CLI to check this setting. For more information to configure this setting, see Dell PowerFlex documentation.

Install PowerFlex Storage Data Client

The CSI Driver for PowerFlex requires you to have installed the PowerFlex Storage Data Client (SDC) on all Kubernetes nodes which run the node portion of the CSI driver. SDC could be installed automatically by CSI driver install on Kubernetes nodes with OS platform which support automatic SDC deployment; currently only Red Hat CoreOS (RHCOS). On Kubernetes nodes with OS version not supported by automatic install, you must perform the Manual SDC Deployment steps below. Refer to https://hub.docker.com/r/dellemc/sdc for supported OS versions.

Optional: For a typical install, you will pull SDC kernel modules from the Dell FTP site, which is set up by default. Some users might want to mirror this repository to a local location. The PowerFlex KB article has instructions on how to do this.

Manual SDC Deployment

For detailed PowerFlex installation procedure, see the Dell PowerFlex Deployment Guide. Install the PowerFlex SDC as follows:

Steps

Download the PowerFlex SDC from Dell Online support. The filename is EMC-ScaleIO-sdc-*.rpm, where * is the SDC name corresponding to the PowerFlex installation version.
Export the shell variable MDM_IP in a comma-separated list using export MDM_IP=xx.xxx.xx.xx,xx.xxx.xx.xx, where xxx represents the actual IP address in your environment. This list contains the IP addresses of the MDMs.
Install the SDC per the Dell PowerFlex Deployment Guide:
- For Red Hat Enterprise Linux and CentOS, run rpm -iv ./EMC-ScaleIO-sdc-*.x86_64.rpm, where * is the SDC name corresponding to the PowerFlex installation version.
To add more MDM_IP for multi-array support, run /opt/emc/scaleio/sdc/bin/drv_cfg --add_mdm --ip 10.xx.xx.xx.xx,10.xx.xx.xx

(Optional) Volume Snapshot Requirements

Applicable only if you decided to enable snapshot feature in values.yaml

controller:
  snapshot:
    enabled: true

Volume Snapshot CRD’s

The Kubernetes Volume Snapshot CRDs can be obtained and installed from the external-snapshotter project on Github. Manifests are available here: v6.0.x

Volume Snapshot Controller

The CSI external-snapshotter sidecar is split into two controllers:

A common snapshot controller
A CSI external-snapshotter sidecar

The common snapshot controller must be installed only once in the cluster irrespective of the number of CSI drivers installed in the cluster. On OpenShift clusters 4.4 and later, the common snapshot-controller is pre-installed. In the clusters where it is not present, it can be installed using kubectl and the manifests are available here: v6.0.x

NOTE:

The manifests available on GitHub install the snapshotter image:
- quay.io/k8scsi/csi-snapshotter:v4.0.x
The CSI external-snapshotter sidecar is still installed along with the driver and does not involve any extra configuration.

Installation example

You can install CRDs and default snapshot controller by running following commands:

git clone https://github.com/kubernetes-csi/external-snapshotter/
cd ./external-snapshotter
git checkout release-<your-version>
kubectl kustomize client/config/crd | kubectl create -f -
kubectl -n kube-system kustomize deploy/kubernetes/snapshot-controller | kubectl create -f -

NOTE:

When using Kubernetes it is recommended to use 6.0.x version of snapshotter/snapshot-controller.
The CSI external-snapshotter sidecar is still installed along with the driver and does not involve any extra configuration.

Install the Driver

Steps

Run git clone -b v2.3.0 https://github.com/dell/csi-powerflex.git to clone the git repository.
Ensure that you have created a namespace where you want to install the driver. You can run kubectl create namespace vxflexos to create a new one.
Collect information from the PowerFlex SDC by executing the get_vxflexos_info.sh script located in the scripts directory. This script shows the VxFlex OS system ID and MDM IP addresses. Make a note of the values for these parameters as they must be entered into samples/config.yaml.

Prepare samples/config.yaml for driver configuration. The following table lists driver configuration parameters for multiple storage arrays.

Parameter	Description	Required	Default
username	Username for accessing PowerFlex system. If authorization is enabled, username will be ignored.	true	-
password	Password for accessing PowerFlex system. If authorization is enabled, password will be ignored.	true	-
systemID	System name/ID of PowerFlex system.	true	-
allSystemNames	List of previous names of powerflex array if used for PV create	false	-
endpoint	REST API gateway HTTPS endpoint for PowerFlex system. If authorization is enabled, endpoint should be the HTTPS localhost endpoint that the authorization sidecar will listen on	true	-
skipCertificateValidation	Determines if the driver is going to validate certs while connecting to PowerFlex REST API interface.	true	true
isDefault	An array having isDefault=true is for backward compatibility. This parameter should occur once in the list.	false	false
mdm	mdm defines the MDM(s) that SDC should register with on start. This should be a list of MDM IP addresses or hostnames separated by comma.	true	-

Example: samples/config.yaml

- username: "admin"
  password: "Password123"
  systemID: "ID2"
  endpoint: "https://127.0.0.2"
  skipCertificateValidation: true 
  isDefault: true 
  mdm: "10.0.0.3,10.0.0.4"

NOTE: To use multiple arrays, copy and paste section above for each array. Make sure isDefault is set to true for only one array.

After editing the file, run the below command to create a secret called vxflexos-config:

`kubectl create secret generic vxflexos-config -n vxflexos --from-file=config=samples/config.yaml`

Use the below command to replace or update the secret:

`kubectl create secret generic vxflexos-config -n vxflexos --from-file=config=samples/config.yaml -o yaml --dry-run=client | kubectl replace -f -`

NOTE:

The user needs to validate the YAML syntax and array-related key/values while replacing the vxflexos-creds secret.
If you want to create a new array or update the MDM values in the secret, you will need to reinstall the driver. If you change other details, such as login information, the secret will dynamically update – see dynamic-array-configuration for more details.
Old json format of the array configuration file is still supported in this release. If you already have your configuration in json format, you may continue to maintain it or you may transfer this configuration to yamlformat and replace/update the secret.
“insecure” parameter has been changed to “skipCertificateValidation” as insecure is deprecated and will be removed from use in config.yaml or secret.yaml in a future release. Users can continue to use any one of “insecure” or “skipCertificateValidation” for now. The driver would return an error if both parameters are used.
Please note that log configuration parameters from v1.5 will no longer work in v2.0 and higher. Please refer to the Dynamic Logging Configuration section in Features for more information.
If the user is using complex K8s version like “v1.21.3-mirantis-1”, use this kubeVersion check in helm/csi-unity/Chart.yaml file. kubeVersion: “>= 1.21.0-0 < 1.25.0-0”

Default logging options are set during Helm install. To see possible configuration options, see the Dynamic Logging Configuration section in Features.
If using automated SDC deployment:
- Check the SDC container image is the correct version for your version of PowerFlex.
Copy the default values.yaml file cd helm && cp csi-vxflexos/values.yaml myvalues.yaml
If you are using a custom image, check the version and driverRepository fields in myvalues.yaml to make sure that they are pointing to the correct image repository and driver version. These two fields are spliced together to form the image name, as shown here: <driverRepository>/csi-vxflexos:v<version>
Look over all the other fields myvalues.yaml and fill in/adjust any as needed. All the fields are described here:

Parameter	Description	Required	Default
version	Set to verify the values file version matches driver version and used to pull the image as part of the image name.	Yes	2.0.0
driverRepository	Set to give the repository containing the driver image (used as part of the image name).	Yes	dellemc
powerflexSdc	Set to give the location of the SDC image used if automatic SDC deployment is being utilized.	No	dellemc/sdc:3.6
certSecretCount	Represents the number of certificate secrets, which the user is going to create for SSL authentication.	No	0
logLevel	CSI driver log level. Allowed values: “error”, “warn”/“warning”, “info”, “debug”.	Yes	“debug”
logFormat	CSI driver log format. Allowed values: “TEXT” or “JSON”.	Yes	“TEXT”
kubeletConfigDir	kubelet config directory path. Ensure that the config.yaml file is present at this path.	Yes	/var/lib/kubelet
defaultFsType	Used to set the default FS type which will be used for mount volumes if FsType is not specified in the storage class. Allowed values: ext4, xfs.	Yes	ext4
fsGroupPolicy	Defines which FS Group policy mode to be used. Supported modes are`None, File, and ReadWriteOnceWithFSType.`	No	“ReadWriteOnceWithFSType”
imagePullPolicy	Policy to determine if the image should be pulled prior to starting the container. Allowed values: Always, IfNotPresent, Never.	Yes	IfNotPresent
enablesnapshotcgdelete	A boolean that, when enabled, will delete all snapshots in a consistency group everytime a snap in the group is deleted.	Yes	false
enablelistvolumesnapshot	A boolean that, when enabled, will allow list volume operation to include snapshots (since creating a volume from a snap actually results in a new snap). It is recommend this be false unless instructed otherwise.	Yes	false
allowRWOMultiPodAccess	Setting allowRWOMultiPodAccess to “true” will allow multiple pods on the same node to access the same RWO volume. This behavior conflicts with the CSI specification version 1.3. NodePublishVolume description that requires an error to be returned in this case. However, some other CSI drivers support this behavior and some customers desire this behavior. Customers use this option at their own risk.	Yes	false
controller	This section allows the configuration of controller-specific parameters. To maximize the number of available nodes for controller pods, see this section. For more details on the new controller pod configurations, see the Features section for Powerflex specifics.	-	-
volumeNamePrefix	Set so that volumes created by the driver have a default prefix. If one PowerFlex/VxFlex OS system is servicing several different Kubernetes installations or users, these prefixes help you distinguish them.	Yes	“k8s”
controllerCount	Set to deploy multiple controller instances. If the controller count is greater than the number of available nodes, excess pods remain in a pending state. It should be greater than 0. You can increase the number of available nodes by configuring the “controller” section in your values.yaml. For more details on the new controller pod configurations, see the Features section for Powerflex specifics.	Yes	2
snapshot.enabled	A boolean that enable/disable volume snapshot feature.	No	true
resizer.enabled	A boolean that enable/disable volume expansion feature.	No	true
nodeSelector	Defines what nodes would be selected for pods of controller deployment. Leave as blank to use all nodes. Uncomment this section to deploy on master nodes exclusively.	Yes	" "
tolerations	Defines tolerations that would be applied to controller deployment. Leave as blank to install the controller on worker nodes only. If deploying on master nodes is desired, uncomment out this section.	Yes	" "
healthMonitor	This section configures the optional deployment of the external health monitor sidecar, for controller side volume health monitoring.	-	-
enabled	Enable/Disable deployment of external health monitor sidecar.	No	false
volumeHealthMonitorInterval	Interval of monitoring volume health condition. Allowed values: Number followed by unit (s,m,h)	No	60s
node	This section allows the configuration of node-specific parameters.	-	-
healthMonitor.enabled	Enable/Disable health monitor of CSI volumes- volume usage, volume condition	No	false
nodeSelector	Defines what nodes would be selected for pods of node daemonset. Leave as blank to use all nodes.	Yes	" "
tolerations	Defines tolerations that would be applied to node daemonset. Leave as blank to install node driver only on worker nodes.	Yes	" "
monitor	This section allows the configuration of the SDC monitoring pod.	-	-
enabled	Set to enable the usage of the monitoring pod.	Yes	false
hostNetwork	Set whether the monitor pod should run on the host network or not.	Yes	true
hostPID	Set whether the monitor pod should run in the host namespace or not.	Yes	true
vgsnapshotter	This section allows the configuration of the volume group snapshotter(vgsnapshotter) pod.	-	-
enabled	A boolean that enable/disable vg snapshotter feature.	No	false
image	Image for vg snapshotter.	No	" "
podmon	Podmon is an optional feature to enable application pods to be resilient to node failure.	-	-
enabled	A boolean that enables/disables podmon feature.	No	false
image	image for podmon.	No	" "
authorization	Authorization is an optional feature to apply credential shielding of the backend PowerFlex.	-	-
enabled	A boolean that enables/disables authorization feature.	No	false
sidecarProxyImage	Image for csm-authorization-sidecar.	No	" "
proxyHost	Hostname of the csm-authorization server.	No	Empty
skipCertificateValidation	A boolean that enables/disables certificate validation of the csm-authorization server.	No	true

Install the driver using csi-install.sh bash script by running cd dell-csi-helm-installer && ./csi-install.sh --namespace vxflexos --values ../helm/myvalues.yaml. Alternatively, to do a helm install solely with Helm charts (without shell scripts), refer to helm/README.md.

NOTE:

For detailed instructions on how to run the install scripts, refer to the README.md in the dell-csi-helm-installer folder.
Install script will validate MDM IP(s) in vxflexos-config secret and creates a new field consumed by the init container and sdc-monitor container
This install script also runs the verify.sh script. You will be prompted to enter the credentials for each of the Kubernetes nodes. The verify.sh script needs the credentials to check if SDC has been configured on all nodes.
It is mandatory to run install script after changes to MDM configuration in vxflexos-config secret. Refer dynamic-array-configuration
If an extended Kubernetes version is being used (e.g. v1.21.3-mirantis-1) and is failing the version check in Helm even though it falls in the allowed range, then you must go into helm/csi-vxflexos/Chart.yaml and replace the standard kubeVersion check with the commented-out alternative. Please note that this will also allow the use of pre-release alpha and beta versions of Kubernetes, which is not supported.
(Optional) Enable additional Mount Options - A user is able to specify additional mount options as needed for the driver.
- Mount options are specified in storageclass yaml under mkfsFormatOption.
- WARNING: Before utilizing mount options, you must first be fully aware of the potential impact and understand your environment’s requirements for the specified option.

Certificate validation for PowerFlex Gateway REST API calls

This topic provides details about setting up the certificate for the CSI Driver for Dell PowerFlex.

Before you begin

As part of the CSI driver installation, the CSI driver requires a secret with the name vxflexos-certs-0 to vxflexos-certs-n based on the “.Values.certSecretCount” parameter present in the namespace vxflexos.

This secret contains the X509 certificates of the CA which signed PowerFlex gateway SSL certificate in PEM format.

The CSI driver exposes an install parameter in config.yaml, skipCertificateValidation, which determines if the driver performs client-side verification of the gateway certificates.

skipCertificateValidation parameter is set to true by default, and the driver does not verify the gateway certificates.

If skipCertificateValidation is set to false, then the secret vxflexos-certs-n must contain the CA certificate for the array gateway.

If this secret is an empty secret, then the validation of the certificate fails, and the driver fails to start.

If the gateway certificate is self-signed or if you are using an embedded gateway, then perform the following steps.

To fetch the certificate, run the following command.
```
  `openssl s_client -showcerts -connect <Gateway IP:Port> </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem`
```
Example: openssl s_client -showcerts -connect 1.1.1.1:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > ca_cert_0.pem

Run the following command to create the cert secret with index ‘0’:

  `kubectl create secret generic vxflexos-certs-0 --from-file=cert-0=ca_cert_0.pem -n vxflexos`

Use the following command to replace the secret:

   `kubectl create secret generic vxflexos-certs-0 -n vxflexos --from-file=cert-0=ca_cert_0.pem -o yaml --dry-run | kubectl replace -f -`

Repeat step 1 and 2 to create multiple cert secrets with incremental index (example: vxflexos-certs-1, vxflexos-certs-2, etc)

Notes:

“vxflexos” is the namespace for Helm-based installation but namespace can be user-defined in operator-based installation.
User can add multiple certificates in the same secret. The certificate file should not exceed more than 1Mb due to Kubernetes secret size limitation.
Whenever certSecretCount parameter changes in myvalues.yaml user needs to uninstall and install the driver.
Updating vxflexos-certs-n secrets is a manual process, unlike vxflexos-config. Users have to re-install the driver in case of updating/adding the SSL certificates or changing the certSecretCount parameter.

Storage Classes

For CSI driver for PowerFlex version 1.4 and later, dell-csi-helm-installer does not create any storage classes as part of the driver installation. A wide set of annotated storage class manifests have been provided in the samples folder. Use these samples to create new storage classes to provision storage.

What happens to my existing storage classes?

Upgrading from an older version of the driver: The storage classes will be deleted if you upgrade the driver. If you wish to continue using those storage classes, you can patch them and apply the annotation “helm.sh/resource-policy”: keep before performing an upgrade.

Note: If you continue to use the old storage classes, you may not be able to take advantage of any new storage class parameter supported by the driver.

Steps to create storage class: There are samples storage class yaml files available under samples/storageclass. These can be copied and modified as needed.

Edit storageclass.yaml if you need ext4 filesystem and storageclass-xfs.yaml if you want xfs filesystem.
Replace <STORAGE_POOL> with the storage pool you have.
Replace <SYSTEM_ID> with the system ID you have. Note there are two appearances in the file.
Edit storageclass.kubernetes.io/is-default-class to true if you want to set it as default, otherwise false.
Save the file and create it by using kubectl create -f storageclass.yaml or kubectl create -f storageclass-xfs.yaml

NOTE:

At least one storage class is required for one array.
If you uninstall the driver and reinstall it, you can still face errors if any update in the values.yaml file leads to an update of the storage class(es):

    Error: cannot patch "<sc-name>" with kind StorageClass: StorageClass.storage.k8s.io "<sc-name>" is invalid: parameters: Forbidden: updates to parameters are forbidden

In case you want to make such updates, ensure to delete the existing storage classes using the kubectl delete storageclass command.
Deleting a storage class has no impact on a running Pod with mounted PVCs. You cannot provision new PVCs until at least one storage class is newly created.

Volume Snapshot Class

Starting CSI PowerFlex v1.5, dell-csi-helm-installer will not create any Volume Snapshot Class during the driver installation. There is a sample Volume Snapshot Class manifest present in the samples/ folder. Please use this sample to create a new Volume Snapshot Class to create Volume Snapshots.