Chapter 2. Deploy using dynamic storage devices

Procedure

1. Log in to the OpenShift Web Console.
2. Click Ecosystem Software Catalog.
3. Scroll or type OpenShift Data Foundation into the Filter by keyword box to find the OpenShift Data Foundation Operator.
4. Click Install.

5. Set the following options on the Install Operator page:

   1. Update Channel as stable-4.21.
   2. Installation Mode as A specific namespace on the cluster.
   3. Installed Namespace as Operator recommended namespace openshift-storage. If Namespace openshift-storage does not exist, it is created during the operator installation.

   4. Select Approval Strategy as Automatic or Manual.

      If you select Automatic updates, then the Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without any intervention.

      If you select Manual updates, then the OLM creates an update request. As a cluster administrator, you must then manually approve that update request to update the Operator to a newer version.

   5. Ensure that the Enable option is selected for the Console plugin.
   6. Click Install.

Procedure

1. Enable the Key/Value (KV) backend path in the vault.

   For vault KV secret engine API, version 1:

   $ vault secrets enable -path=odf kv

   For vault KV secret engine API, version 2:

   $ vault secrets enable -path=odf kv-v2

2. Create a policy to restrict the users to perform a write or delete operation on the secret:

   echo '
   path "odf/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "sys/mounts" {
   capabilities = ["read"]
   }'| vault policy write odf -

3. Create a token that matches the above policy:

   $ vault token create -policy=odf -format json

Procedure

1. Create a service account:

   $ oc -n openshift-storage create serviceaccount <serviceaccount_name>

   where, <serviceaccount_name> specifies the name of the service account.

   For example:

   $ oc -n openshift-storage create serviceaccount odf-vault-auth

2. Create clusterrolebindings and clusterroles:

   $ oc -n openshift-storage create clusterrolebinding vault-tokenreview-binding --clusterrole=system:auth-delegator --serviceaccount=openshift-storage:_<serviceaccount_name>_

   For example:

   $ oc -n openshift-storage create clusterrolebinding vault-tokenreview-binding --clusterrole=system:auth-delegator --serviceaccount=openshift-storage:odf-vault-auth

3. Create a secret for the serviceaccount token and CA certificate.

   $ cat <<EOF | oc create -f -
   apiVersion: v1
   kind: Secret
   metadata:
     name: odf-vault-auth-token
     namespace: openshift-storage
     annotations:
       kubernetes.io/service-account.name: <serviceaccount_name>
   type: kubernetes.io/service-account-token
   data: {}
   EOF

   where, <serviceaccount_name> is the service account created in the earlier step.

4. Get the token and the CA certificate from the secret.

   $ SA_JWT_TOKEN=$(oc -n openshift-storage get secret odf-vault-auth-token -o jsonpath="{.data['token']}" | base64 --decode; echo)
   $ SA_CA_CRT=$(oc -n openshift-storage get secret odf-vault-auth-token -o jsonpath="{.data['ca\.crt']}" | base64 --decode; echo)

5. Retrieve the OCP cluster endpoint.

   $ OCP_HOST=$(oc config view --minify --flatten -o jsonpath="{.clusters[0].cluster.server}")

6. Fetch the service account issuer:

   $ oc proxy &
   $ proxy_pid=$!
   $ issuer="$( curl --silent http://127.0.0.1:8001/.well-known/openid-configuration | jq -r .issuer)"
   $ AUDIENCE=$(echo '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}' | kubectl create f --raw /api/v1/namespaces/default/serviceaccounts/default/token | jq -r '.spec.audiences' | jq -r .[0])
   $ kill $proxy_pid

   Or, for Vault version 1.21.0 and higher:

   $ oc proxy &
   $ proxy_pid=$!
   $ ISSUER=$(echo '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}' \   | kubectl create f --raw /api/v1/namespaces/default/serviceaccounts/default/token \   | jq -r '.status.token' \   | cut -d . -f2 \   | base64 -d \   | jq '.iss')
   $ AUDIENCE=$(echo '{"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest"}' | kubectl create f --raw /api/v1/namespaces/default/serviceaccounts/default/token | jq -r '.spec.audiences' | jq -r .[0])
   $ kill $proxy_pid

7. Use the information collected in the previous step to setup the Kubernetes authentication method in Vault:

   $ vault auth enable kubernetes

   $ vault write auth/kubernetes/config \
             token_reviewer_jwt="$SA_JWT_TOKEN" \
             kubernetes_host="$OCP_HOST" \
             kubernetes_ca_cert="$SA_CA_CRT" \
             issuer="$issuer"

   Or, for Vault version 1.21.0 and higher:

   $ oc exec -n vault -ti vault-0 – \
       vault write auth/kubernetes/config \
       token_reviewer_jwt="$SA_JWT_TOKEN" \
       kubernetes_host="$OCP_HOST" \
       kubernetes_ca_cert="$SA_CA_CRT" \
       issuer="$ISSUER"\
       token_audience="$AUDIENCE"

   Important

   To configure the Kubernetes authentication method in Vault when the issuer is empty:

   $ vault write auth/kubernetes/config \
             token_reviewer_jwt="$SA_JWT_TOKEN" \
             kubernetes_host="$OCP_HOST" \
             kubernetes_ca_cert="$SA_CA_CRT"

8. Enable the Key/Value (KV) backend path in Vault.

   For Vault KV secret engine API, version 1:

   $ vault secrets enable -path=odf kv

   For Vault KV secret engine API, version 2:

   $ vault secrets enable -path=odf kv-v2

9. Create a policy to restrict the users to perform a write or delete operation on the secret:

   echo '
   path "odf/*" {
     capabilities = ["create", "read", "update", "delete", "list"]
   }
   path "sys/mounts" {
   capabilities = ["read"]
   }'| vault policy write odf -

10. Generate the roles:

    $ vault write auth/kubernetes/role/odf-rook-ceph-op \
            bound_service_account_names=rook-ceph-system,rook-ceph-osd,noobaa \
            bound_service_account_namespaces=openshift-storage \
            policies=odf \
            ttl=1440h

    The role odf-rook-ceph-op is later used while you configure the KMS connection details during the creation of the storage system.

    $ vault write auth/kubernetes/role/odf-rook-ceph-osd \
            bound_service_account_names=rook-ceph-osd \
            bound_service_account_namespaces=openshift-storage \
            policies=odf \
            ttl=1440h

Procedure

1. In the OpenShift Web Console, click Storage Data Foundation Storage Systems Create StorageSystem.

2. In the Backing storage page, select the following:

   1. Select Full Deployment for the Deployment type option.
   2. Select the Use an existing StorageClass option.

   3. Select the Storage Class.

      By default, it is set to thin-csi. If you have created a storage class with zeroedthick or eagerzeroedthick disk format for thick-provisioned storage, then that storage class is listed in addition to the default, thin-csi storage class.

   4. Click Next.

3. In the Advanced Settings page, you can configure the following optional items:

   • Enable Network Files System

     Automatically enable NFS for the cluster

   • Use Ceph RBD as the default StorageClass

     Sets Ceph RBD as the default StorageClass, eliminating the need to manually annotate a StorageClass.

   • Set default StorageClass for virtualization

     Marks the RBD virtualization storage class as the default for KubeVirt VM disks (PVs) after installation.

   • Use external PostgreSQL [Technology preview]

     Enables the use of an external PostgreSQL instance. This provides a high-availability solution for the Multicloud Object Gateway, where the PostgreSQL pod is a single point of failure.

     Important

     OpenShift Data Foundation ships PostgreSQL images maintained by Red Hat, which are used to store metadata for the Multicloud Object Gateway. This PostgreSQL usage is at the application level.

     As a result, OpenShift Data Foundation does not perform database-level optimizations or in-depth insights.

     If you have well-maintained and optimized PostgreSQL instance, then it is recommended to use it. OpenShift Data Foundation supports external PostgreSQL instances.

     Any PostgreSQL-related issues requiring code changes or deep technical analysis may need to be addressed upstream. This could result in longer resolution times.

     1. Provide the following connection details:

        • Username
        • Password
        • Server name and Port
        • Database name
     2. Select Enable TLS/SSL checkbox to enable encryption for the Postgres server.

   • Enable automatic backup

     Allows automatic backup for the Multicloud Object Gateway metadata database.

     1. Select the backup frequency: Daily, Weekly, or Monthly.

     2. Specify the number of backups to retain.

        Note

        This option is disabled if the Use external PostgreSQL option is selected.

     3. Click Next.

4. In the Capacity and nodes page, provide the necessary information:

   1. Select a value for Requested Capacity from the dropdown list. It is set to 2 TiB by default.

      Note

      Once you select the initial storage capacity, cluster expansion is performed only using the selected usable capacity (three times of raw storage).

   2. In the Select Nodes section, select at least three available nodes.

   3. In the Configure performance section, select one of the following performance profiles:

      • Lean

        Use this in a resource constrained environment with minimum resources that are lower than the recommended. This profile minimizes resource consumption by allocating fewer CPUs and less memory.

      • Balanced (default)

        Use this when recommended resources are available. This profile provides a balance between resource consumption and performance for diverse workloads.

      • Performance

        Use this in an environment with sufficient resources to get the best performance. This profile is tailored for high performance by allocating ample memory and CPUs to ensure optimal execution of demanding workloads.

        Note

        You have the option to configure the performance profile even after the deployment using the Configure performance option from the options menu of the StorageSystems tab.

        Important

        Before selecting a resource profile, make sure to check the current availability of resources within the cluster. Opting for a higher resource profile in a cluster with insufficient resources might lead to installation failures.

        For more information about resource requirements, see Resource requirement for performance profiles.

   4. Optional: Select the Taint nodes checkbox to dedicate the selected nodes for OpenShift Data Foundation.

      Spread the worker nodes across three different physical nodes, racks, or failure domains for high availability.

      Use vCenter anti-affinity to align OpenShift Data Foundation rack labels with physical nodes and racks in the data center to avoid scheduling two worker nodes on the same physical chassis.

      If the nodes selected do not match the OpenShift Data Foundation cluster requirement of the aggregated 30 CPUs and 72 GiB of RAM, a minimal cluster is deployed. For minimum starting node requirements, see the Resource requirements section in the Planning guide.

      Select the Taint nodes checkbox to make selected nodes dedicated for OpenShift Data Foundation.

   5. Optional: Select the Enable automatic capacity scaling for your cluster checkbox.

      When automatic capacity scaling is enabled, additional raw capacity equivalent to the configured deployment size is automatically added to the cluster when used capacity reaches 70%. This ensures your deployment scales seamlessly to meet demand.

      This option is disabled in lean profile mode, LSO deployment, and external mode deployment.

      Important

      This may incur additional costs for the underlying storage.

      1. Set the cluster expansion limit from the dropdown. This is the maximum the cluster can expand in the cloud. Automatic scaling is suspended if this limit is exceeded.
   6. Click Next.

5. Optional: In the Security and network page, configure the following based on your requirements:

   1. To enable encryption, select Enable data encryption for block and file storage.

      1. Select either one or both the encryption levels:

         • Cluster-wide encryption

           Encrypts the entire cluster (block and file).

         • StorageClass encryption

           Creates encrypted persistent volume (block only) using encryption enabled storage class.

      2. Optional: Select the Connect to an external key management service checkbox. This is optional for cluster-wide encryption.

         1. From the Key Management Service Provider drop-down list, select one of the following providers and provide the necessary details:

            • Vault

              1. Select an Authentication Method.

                 • Using Token authentication method

                   • Enter a unique Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Token.

                   • Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:

                     • Enter the Key Value secret path in Backend Path that is dedicated and unique to OpenShift Data Foundation.
                   • Optional: Enter TLS Server Name, Authentication Path, and Vault Enterprise Namespace.
                   • Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate and Client Private Key.
                   • Click Save.

                 • Using Kubernetes authentication method

                   • Enter a unique Vault Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Role name.

                   • Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:

                     • Enter the Key Value secret path in Backend Path that is dedicated and unique to OpenShift Data Foundation.
                     • Optional: Enter TLS Server Name, Authentication Path, and Vault Enterprise Namespace if applicable.
                     • Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate and Client Private Key .

                   • Click Save.

                     Note

                     In case you need to enable key rotation for Vault KMS, run the following command in the OpenShift web console after the storage cluster is created:

                     $ oc patch storagecluster ocs-storagecluster -n openshift-storage --type=json -p '[{"op": "add", "path":"/spec/encryption/keyRotation/enable", "value": true}]'

            • Thales CipherTrust Manager (using KMIP)

              1. Enter a unique Connection Name for the Key Management service within the project.

              2. In the Address and Port sections, enter the IP of Thales CipherTrust Manager and the port where the KMIP interface is enabled. For example:

                 • Address: 123.34.3.2
                 • Port: 5696
              3. Upload the Client Certificate, CA certificate, and Client Private Key.
              4. If StorageClass encryption is enabled, enter the Unique Identifier to be used for encryption and decryption generated above.
              5. The TLS Server field is optional and used when there is no DNS entry for the KMIP endpoint. For example, kmip_all_<port>.ciphertrustmanager.local.

   2. To enable in-transit encryption, select In-transit encryption.

      1. Select a Network.
      2. Click Next.

6. In the Review and create page, review the configuration details.

   To modify any configuration settings, click Back.

7. Click Create StorageSystem.