CSM 1.11 Rebase #1180

Merged
merged 51 commits into from
Jul 17, 2024
Changes from 47 commits
108a5ec
Add notes about non-default namespace for Authorization and Operator …
atye Mar 29, 2024
0f40a4d
Snapshot ingestion procedure for CSI Unity Driver (#1043)
HarishH-DELL Mar 29, 2024
1c80ca6
Adding helm-charts-version flag (#1059)
boyamurthy Apr 5, 2024
9f81d88
Update helm-charts-version flag (#1061)
suryagupta4 Apr 8, 2024
4b16fc2
Adding a note for 'clusterName' for CSI-PowerScale (#1062)
KshitijaKakde Apr 10, 2024
fa9ac59
docs: add configurable export IP in csi-unity (#1054)
mdutka-dell Apr 18, 2024
787f1e0
Adding resiliency support for PowerMax in installationwizard (#1076)
boyamurthy Apr 24, 2024
0946a61
add podmon args in csm-1.11 template (#1079)
suryagupta4 Apr 25, 2024
b0cef36
Adding podmon entries for PowerStore (#1082)
boyamurthy Apr 26, 2024
98f66a7
update podmon arguments (#1086)
chimanjain Apr 30, 2024
433ccdd
Installation wizard changes (#1088)
KshitijaKakde May 3, 2024
3b4623a
updated docs for csm 1.11 (#1083)
rishabhatdell May 6, 2024
a756e33
Renamed templates of csm isilon, powermax and powerstore (#1091)
WilsonRadadia20 May 9, 2024
d4d7b4d
Added broken links check action (#1102)
gallacher May 22, 2024
e0ac7a0
Update broken-links.yaml (#1110)
gallacher May 27, 2024
509ac1c
Encryption Release notes (#1116)
HarishH-DELL May 28, 2024
dfd73c6
Bug 1289 dead links (#1115)
WilsonRadadia20 May 28, 2024
943c416
Add note for OCP support for CSM Authorization (#1104)
atye May 28, 2024
efa8d6c
Update _index.md (#1114)
gallacher May 28, 2024
b7a8f6b
Updated the release notes (#1128)
WilsonRadadia20 May 30, 2024
45cfcdb
Update Resiliency support for pmax in Helm and Operator (#1130)
delldubey Jun 3, 2024
9dbbc5f
Add observability upgrade support documentation (#1134)
chimanjain Jun 5, 2024
94ef14e
Updated templates for CSM 1.11 (#1129)
rishabhatdell Jun 7, 2024
c2f2d4f
Add observability and authorization upgrade support in documentation …
KshitijaKakde Jun 10, 2024
93a650a
update powerflex deployment guide link (#1140)
suryagupta4 Jun 13, 2024
5b33553
Update sidecar images to latest released version (#1143)
AkshaySainiDell Jun 18, 2024
991037e
Update CSM Operator version and images (#1142)
chimanjain Jun 19, 2024
1faef11
Update reference of powerflex sample to v2.11.0 (#1145)
AkshaySainiDell Jun 19, 2024
f418388
Create, Delete Role/Rolebindings to support ANK8s Neptune release (#1…
ashleyvjoy Jun 20, 2024
ea9284c
unity: allowdNetworks param update (#1149)
suryagupta4 Jun 20, 2024
27cf0c5
Update CSM Authorization note about OCP (#1151)
atye Jun 21, 2024
9321fed
Added doc for resource limits for CSM Operator (#1146)
rajendraindukuri Jun 25, 2024
23c29b6
Add note in prerequisites (#1155)
AkshaySainiDell Jun 25, 2024
734c038
Update documentation for NVMeTCP support for CSI Powermax (#1157)
delldubey Jun 25, 2024
1819283
Add documentation for Authorization 2.0 Tech Preview (#1159)
tdawe Jun 25, 2024
d0e78e0
Added note about configVersion for auth tech preview (#1160)
KerryKovacevic Jun 26, 2024
82de14e
Updates prereq for NVMe (#1162)
delldubey Jul 1, 2024
5a7aa81
Onyx support (#1164)
adarsh-dell Jul 3, 2024
e13de79
OCP 4.16 support (#1167)
adarsh-dell Jul 4, 2024
3e32e7b
Adding a note for NFS size (#1168)
adarsh-dell Jul 5, 2024
56297dd
Docs changes for SDC version Update (#1170)
rishabhatdell Jul 9, 2024
d4edadb
Secret naming (#1171)
adarsh-dell Jul 10, 2024
ef4ec43
Added powerscale topology (#1172)
HarishH-DELL Jul 11, 2024
4d9842e
Additional documentation on Authorization Tech-Preview (#1175)
alikdell Jul 11, 2024
49434ce
add reverseproxy for auth (#1176)
atye Jul 11, 2024
5a53fba
Merge `main` to `release-1.11.0` (#1173)
rishabhatdell Jul 15, 2024
12e2d25
Merge branch 'main' into csm1.11_rebase
rishabhatdell Jul 15, 2024
a1291ce
removed duplicates
rishabhatdell Jul 16, 2024
5bc7fa3
Unit tests updated in Installation Wizard (#1181)
niranjan-n1 Jul 16, 2024
3d401d4
Ephemeral suite ephemeral-config.properties format fix (#1182)
adarsh-dell Jul 17, 2024
8426ccf
Merge branch 'release-1.11.0' into csm1.11_rebase
rishabhatdell Jul 17, 2024
3 changes: 1 addition & 2 deletions .github/CODEOWNERS
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,6 @@
# Bharath Sreekanth (bharathsreekanth)
# Deepak Ghivari (Deepak-Ghivari)
# Sean Gallacher (gallacher)
# Marek Suski (mareksuski-dell)
# Małgorzata Dutka (mdutka-dell)
# Matt Schmaelzle (mjsdell)
# Mukesh Gandharva (mgandharva)
Expand All @@ -23,4 +22,4 @@
# Shayna Finocchiaro (shaynafinocchiaro)
# Shefali Malhotra (shefali-malhotra)

* @atye @bharathsreekanth @Deepak-Ghivari @gallacher @mareksuski-dell @mdutka-dell @mgandharva @mjsdell @prablr79 @rajendraindukuri @rajkumar-palani @rsedlock1958 @shanmydell @sharont58 @shaynafinocchiaro @shefali-malhotra
* @atye @bharathsreekanth @Deepak-Ghivari @gallacher @mdutka-dell @mgandharva @mjsdell @prablr79 @rajendraindukuri @rajkumar-palani @rsedlock1958 @shanmydell @sharont58 @shaynafinocchiaro @shefali-malhotra
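Review bot: In the `*` rule, removing `@mareksuski-dell` only stops review requests (and code-owner approval, where branch protection requires it) for that account; it does not change the account's repository permissions. If this reflects someone leaving the project, confirm that write access and team membership are revoked separately. The header comment list and the rule are updated together, which is right. Note also that the single `*` rule makes every listed owner an approver for `.github/CODEOWNERS` itself.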
8 changes: 4 additions & 4 deletions config.toml
Expand Up @@ -172,19 +172,19 @@ enable = false
# icon = "fa fa-envelope"
# desc = "Discuss development issues around the project"
[[params.versions]]
version = "Current(v1.10.2)"
version = "Current(v1.11.0)"
url = "https://dell.github.io/csm-docs/docs/"

[[params.versions]]
version = "v1.9.4"
version = "v1.10.2"
url = "https://dell.github.io/csm-docs/v1"

[[params.versions]]
version = "v1.8.0"
version = "v1.9.4"
url = "https://dell.github.io/csm-docs/v2"

[[params.versions]]
version = "v1.7.1"
version = "v1.8.0"
url = "https://dell.github.io/csm-docs/v3"

[[menu.main]]
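Review bot: In the `[[params.versions]]` entries only the `version` labels move; the `url` values (`/docs/`, `/v1`, `/v2`, `/v3`) stay positional, so after this change `/v1` is labelled v1.10.2, `/v2` v1.9.4 and `/v3` v1.8.0, and v1.7.1 drops out of the list. The archived content at those paths has to be republished in the same release step, otherwise the version picker labels older content with the wrong version. A comment above the block saying that the URLs are slots, not version names, would make the next rebase less error-prone.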
2 changes: 1 addition & 1 deletion content/docs/applicationmobility/release/_index.md
Expand Up @@ -6,7 +6,7 @@ Description: >
Release Notes
---

## Release Notes - CSM Application Mobility v1.0.2
## Release Notes - CSM Application Mobility v1.0.4

### New Features/Changes

Expand Down
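Review bot: The heading goes from v1.0.2 straight to v1.0.4 and this is the only change in the file, so nothing under `### New Features/Changes` was touched. Please confirm that the notes below the heading actually describe v1.0.4, and say in the PR description whether v1.0.3 was skipped or its notes are missing.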
55 changes: 2 additions & 53 deletions content/docs/authorization/_index.md
Expand Up @@ -6,63 +6,12 @@ Description: >
Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization
---

[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products.
[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products.

CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. It does this by deploying a proxy between the CSI driver and the storage system to enforce role-based access and usage rules.

Storage administrators of compatible storage platforms will be able to apply quota and RBAC rules that instantly and automatically restrict cluster tenants usage of storage resources. Users of storage through CSM for Authorization do not need to have storage admin root credentials to access the storage system.

Kubernetes administrators will have an interface to create, delete, and manage roles/groups that storage rules may be applied. Administrators and/or users may then generate authentication tokens that may be used by tenants to use storage with proper access policies being automatically enforced.

The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.

![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization")

## CSM for Authorization Capabilities
{{<table "table table-striped table-bordered table-sm">}}
| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
| - | - | - | - | - | - |
| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
{{</table>}}

**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs).

## Authorization Components Support Matrix
CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM.

**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod.
To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic.

## Roles and Responsibilities

The CSM for Authorization CLI can be executed in the context of the following roles:
- Storage Administrators
- Kubernetes Tenant Administrators

### Storage Administrators

Storage Administrators can perform the following operations within CSM for Authorization

- Tenant Management (create, get, list, delete, bind roles, unbind roles)
- Token Management (generate, revoke)
- Storage System Management (create, get, list, update, delete)
- Storage Access Roles Management (assign to a storage system with an optional quota)

### Tenant Administrators

Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.

### Workflow

1) Tenant Admin requests storage from a Storage Admin.
2) Storage Admin uses CSM Authorization CLI to:<br>
a) Create a tenant resource.<br>
b) Create a role permitting desired storage access.<br>
c) Assign the role to the tenant and generate a token.<br>
3) Storage Admin returns a token to the Tenant Admin.
4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
5) Tenant Admin updates CSI driver with CSM Authorization sidecar module.

![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow")
Currently, we have two versions of Authorization, **v1.x GA** and **v2.0 Tech Preview**.
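Review bot: The new closing sentence names **v1.x GA** and **v2.0 Tech Preview** in bold but links to neither, and with the capabilities table, roles and workflow removed from this page a reader has no direct path to them. Make both names links to the child pages, and add one line stating which version is intended for production use, since this landing page describes the component that enforces access to storage.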
62 changes: 62 additions & 0 deletions content/docs/authorization/v1.x GA/_index.md
@@ -0,0 +1,62 @@
---
title: Authorization - v1.x GA
linktitle: v1.x GA
weight: 4
Description: >
Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v1.x GA.
tags:
- csm-authorization
---

The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.

![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization")

## CSM for Authorization Capabilities
{{<table "table table-striped table-bordered table-sm">}}
| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
| - | - | - | - | - | - |
| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
{{</table>}}

**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs).

## Authorization Components Support Matrix
CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM.

**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod.
To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic.

## Roles and Responsibilities

The CSM for Authorization CLI can be executed in the context of the following roles:
- Storage Administrators
- Kubernetes Tenant Administrators

### Storage Administrators

Storage Administrators can perform the following operations within CSM for Authorization

- Tenant Management (create, get, list, delete, bind roles, unbind roles)
- Token Management (generate, revoke)
- Storage System Management (create, get, list, update, delete)
- Storage Access Roles Management (assign to a storage system with an optional quota)

### Tenant Administrators

Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.

### Workflow

1) Tenant Admin requests storage from a Storage Admin.
2) Storage Admin uses CSM Authorization CLI to:<br>
a) Create a tenant resource.<br>
b) Create a role permitting desired storage access.<br>
c) Assign the role to the tenant and generate a token.<br>
3) Storage Admin returns a token to the Tenant Admin.
4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
5) Tenant Admin updates CSI driver with CSM Authorization sidecar module.

![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow")
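Review bot: The new directory `content/docs/authorization/v1.x GA/` has a space in its name, which must be quoted in every shell and CI path and makes the published URL depend on how the site generator rewrites it. A name such as `v1.x-ga`, with `linktitle: v1.x GA` kept for display, avoids both problems. Since the text is being moved anyway, fix "to access the a Dell storage system" in the first paragraph and check that `./troubleshooting` still resolves from the new location.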
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Helm**

Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.

- Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.

Expand All @@ -78,7 +78,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Operator**

Refer to the [Create Secret](../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
Refer to the [Create Secret](../../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar.

- Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.

Expand All @@ -102,7 +102,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Helm**

Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.
Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.

- Update `authorization.enabled` to `true`.

Expand All @@ -119,8 +119,8 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
enabled: true

# sidecarProxyImage: the container image used for the csm-authorization-sidecar.
# Default value: dellemc/csm-authorization-sidecar:v1.10.0
sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.10.0
# Default value: dellemc/csm-authorization-sidecar:v1.11.0
sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0

# proxyHost: hostname of the csm-authorization server
# Default value: None
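Review bot: `sidecarProxyImage: dellemc/csm-authorization-sidecar:v1.11.0` is referenced by tag only, with no registry host and no digest. This sidecar sits between the driver and the authorization proxy server and carries the tenant token, so the documented default is worth pinning: show the `@sha256:<digest>` form next to the tag, or state where the digest for v1.11.0 is published so readers can verify what they pull.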
Expand All @@ -136,7 +136,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Operator**

Refer to the [Install Driver](../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization.
Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization.

Under `modules`, enable the module named `authorization`:

Expand All @@ -156,10 +156,10 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization
- name: authorization
# enable: Enable/Disable csm-authorization
enabled: true
configVersion: v1.10.0
configVersion: v1.11.0
components:
- name: karavi-authorization-proxy
image: dellemc/csm-authorization-sidecar:v1.10.0
image: dellemc/csm-authorization-sidecar:v1.11.0
envs:
# proxyHost: hostname of the csm-authorization server
- name: "PROXY_HOST"
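Review bot: `configVersion: v1.11.0` and the `karavi-authorization-proxy` image tag are bumped as two independent literals, and the Helm sample earlier in this file carries the same version a third time. State in the text that `configVersion` and the sidecar image must come from the same CSM release (the overview already recommends matching proxy server and sidecar releases), so that a partial edit by a reader is recognisable as a misconfiguration.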
Expand All @@ -172,4 +172,4 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

6. Install the Dell CSI PowerFlex driver following the appropriate documenation for your installation method.

7. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list.
7. (Optional) Install [dellctl](../../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../../support/cli) for the installation steps and command list.
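Review bot: Both `dellctl` links in step 7 gain a fourth `../`, the same hand edit made in every other link hunk of this file; depth-counted relative paths break silently on the next directory move, so prefer Hugo `relref` or site-rooted paths and run the broken-links action on this page before merge. Step 6 in the unchanged context still reads "documenation"; correct it to "documentation" while this section is being touched.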