Chapter 6. Storage classes and storage pools
The OpenShift Data Foundation operator installs a default storage class depending on the platform in use. This default storage class is owned and controlled by the operator and it cannot be deleted or modified. However, you can create a custom storage class if you want the storage class to have a different behavior.
You can create multiple storage pools which map to storage classes that provide the following features:
- Enable applications with their own high availability to use persistent volumes with two replicas, potentially improving application performance.
- Save space for persistent volume claims using storage classes with compression enabled.
Multiple storage classes and multiple pools are not supported for external mode OpenShift Data Foundation clusters.
With a minimal cluster of a single device set, only two new storage classes can be created. Every storage cluster expansion allows two new additional storage classes.
6.1. Creating storage classes and pools
You can create a storage class using an existing pool or you can create a new pool for the storage class while creating it.
Prerequisites
- Ensure that you are logged into the OpenShift Container Platform web console and the OpenShift Data Foundation cluster is in Ready state.
Procedure
- Click Storage → StorageClasses.
- Click Create Storage Class.
- Enter the storage class Name and Description.
- Reclaim Policy is set to Delete as the default option. Use this setting.
  If you change the reclaim policy to Retain in the storage class, the persistent volume (PV) remains in Released state even after deleting the persistent volume claim (PVC).
- Volume binding mode is set to WaitForFirstConsumer as the default option.
  If you choose the Immediate option, then the PV gets created immediately when creating the PVC.
- Select RBD or CephFS Provisioner as the plugin for provisioning the persistent volumes.
- Choose a Storage system for your workloads.
- Select an existing Storage Pool from the list or create a new pool.
  Note: The 2-way replication data protection policy is only supported for the non-default RBD pool. 2-way replication can be used by creating an additional pool. To know about Data Availability and Integrity considerations for replica 2 pools, see the Knowledgebase Customer Solution Article.
  Create new pool:
  - Click Create New Pool.
  - Enter Pool name.
  - Choose 2-way-Replication or 3-way-Replication as the Data Protection Policy.
  - Select Enable compression if you need to compress the data.
    Enabling compression can impact application performance and might prove ineffective when the data to be written is already compressed or encrypted. Data written before enabling compression will not be compressed.
  - Click Create to create the new storage pool.
  - Click Finish after the pool is created.
- Optional: Select the Enable Encryption checkbox.
- Click Create to create the storage class.
6.2. Creating a storage class for persistent volume encryption
Prerequisites
Based on your use case, you must ensure to configure access to KMS for one of the following:
- Using vaulttokens: Ensure to configure access as described in Configuring access to KMS using vaulttokens.
- Using vaulttenantsa (Technology Preview): Ensure to configure access as described in Configuring access to KMS using vaulttenantsa.
- Using Thales CipherTrust Manager (using KMIP): Ensure to configure access as described in Configuring access to KMS using Thales CipherTrust Manager.
- (For users on Azure platform only) Using Azure Vault [Technology preview]: Ensure to set up client authentication and fetch the client credentials from Azure using the following steps:
  - Create Azure Vault. For more information, see Quickstart: Create a key vault using the Azure portal in Microsoft product documentation.
  - Create Service Principal with certificate based authentication. For more information, see Create an Azure service principal with Azure CLI in Microsoft product documentation.
  - Set Azure Key Vault role based access control (RBAC). For more information, see Enable Azure RBAC permissions on Key Vault.
Procedure
- In the OpenShift Web Console, navigate to Storage → StorageClasses.
- Click Create Storage Class.
- Enter the storage class Name and Description.
- Select either Delete or Retain for the Reclaim Policy. By default, Delete is selected.
- Select either Immediate or WaitForFirstConsumer as the Volume binding mode. WaitForFirstConsumer is set as the default option.
- Select RBD Provisioner openshift-storage.rbd.csi.ceph.com, which is the plugin used for provisioning the persistent volumes.
- Select the Storage Pool where the volume data is stored from the list or create a new pool.
- Select the Enable encryption checkbox.
- Choose one of the following options to set the KMS connection details:
  Choose existing KMS connection: Select an existing KMS connection from the drop-down list. The list is populated from the connection details available in the csi-kms-connection-details ConfigMap.
  - Select the Provider from the drop-down.
  - Select the Key service for the given provider from the list.
  Create new KMS connection: This is applicable for vaulttokens and Thales CipherTrust Manager (using KMIP) only. Select one of the following Key Management Service Providers and provide the required details.
  Vault
  - Enter a unique Connection Name, host Address of the Vault server ('https://<hostname or ip>'), Port number and Token.
  - Expand Advanced Settings to enter additional settings and certificate details based on your Vault configuration:
    - Enter the Key Value secret path in Backend Path that is dedicated and unique to OpenShift Data Foundation.
    - Optional: Enter TLS Server Name and Vault Enterprise Namespace.
    - Upload the respective PEM encoded certificate file to provide the CA Certificate, Client Certificate and Client Private Key.
  - Click Save.
  Thales CipherTrust Manager (using KMIP)
  - Enter a unique Connection Name.
  - In the Address and Port sections, enter the IP of Thales CipherTrust Manager and the port where the KMIP interface is enabled. For example, Address: 123.34.3.2, Port: 5696.
  - Upload the Client Certificate, CA certificate, and Client Private Key.
  - Enter the Unique Identifier for the key to be used for encryption and decryption, generated above.
  - The TLS Server field is optional and used when there is no DNS entry for the KMIP endpoint. For example, kmip_all_<port>.ciphertrustmanager.local.
  Azure Key Vault (Technology preview) (Only for Azure users on Azure platform)
  For information about setting up client authentication and fetching the client credentials, see the Prerequisites in the Creating an OpenShift Data Foundation cluster section of the Deploying OpenShift Data Foundation using Microsoft Azure guide.
  - Enter a unique Connection name for the key management service within the project.
  - Enter Azure Vault URL.
  - Enter Client ID.
  - Enter Tenant ID.
  - Upload the Certificate file in .PEM format; the certificate file must include a client certificate and a private key.
  - Click Save.
- Click Create.
Edit the ConfigMap to add the vaultBackend parameter if the HashiCorp Vault setup does not allow automatic detection of the Key/Value (KV) secret engine API version used by the backend path.
Note: vaultBackend is an optional parameter that is added to the ConfigMap to specify the version of the KV secret engine API associated with the backend path. Ensure that the value matches the KV secret engine API version that is set for the backend path, otherwise it might result in a failure during persistent volume claim (PVC) creation.
- Identify the encryptionKMSID being used by the newly created storage class.
  - On the OpenShift Web Console, navigate to Storage → Storage Classes.
  - Click the Storage class name → YAML tab.
  - Capture the encryptionKMSID being used by the storage class.
    Example:
    encryptionKMSID: 1-vault
- On the OpenShift Web Console, navigate to Workloads → ConfigMaps.
- To view the KMS connection details, click csi-kms-connection-details.
- Edit the ConfigMap.
  - Click Action menu (⋮) → Edit ConfigMap.
  - Add the vaultBackend parameter depending on the backend that is configured for the previously identified encryptionKMSID.
    You can assign kv for KV secret engine API, version 1 and kv-v2 for KV secret engine API, version 2.
    Example:
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: csi-kms-connection-details
    [...]
    data:
      1-vault: |-
        {
          "encryptionKMSType": "vaulttokens",
          "kmsServiceName": "1-vault",
          [...]
          "vaultBackend": "kv-v2"
        }
      2-vault: |-
        {
          "encryptionKMSType": "vaulttenantsa",
          [...]
          "vaultBackend": "kv"
        }
  - Click Save.
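The note above warns that a vaultBackend value that does not match the KV engine version of the backend path only surfaces later, as a failed PVC creation. The following script is an added example written for this page, not OpenShift Data Foundation code: it walks the same chain the procedure describes by hand (the storage class's encryptionKMSID, the matching key in the csi-kms-connection-details ConfigMap, the JSON connection document inside it) and reports a missing or inconsistent vaultBackend before any PVC is created. The sample StorageClass and ConfigMap are constructed inline in the shape the page shows; the storage class name is hypothetical, and the `encrypted: "true"` parameter is assumed from the Ceph CSI RBD driver's storage class parameters. The expected KV version is something the Vault administrator supplies; the script does not contact Vault.

```python
"""Consistency check between an encrypted RBD StorageClass and the
csi-kms-connection-details ConfigMap. Added example written for this
page; it is not OpenShift Data Foundation code."""
import copy
import json

# Constructed sample: an encrypted StorageClass as seen on the YAML tab,
# trimmed to the fields this check needs. The name is hypothetical.
SAMPLE_STORAGE_CLASS = {
    "apiVersion": "storage.k8s.io/v1",
    "kind": "StorageClass",
    "metadata": {"name": "ocs-storagecluster-ceph-rbd-encrypted"},
    "provisioner": "openshift-storage.rbd.csi.ceph.com",
    "parameters": {"encrypted": "true", "encryptionKMSID": "1-vault"},
}

# Constructed sample ConfigMap in the shape shown on the page. Each data
# value is a JSON document stored as a string. The 3-vault entry deliberately
# omits vaultBackend to exercise the failure mode described in the note.
SAMPLE_CONFIGMAP = {
    "kind": "ConfigMap",
    "apiVersion": "v1",
    "metadata": {"name": "csi-kms-connection-details"},
    "data": {
        "1-vault": json.dumps({"encryptionKMSType": "vaulttokens",
                               "kmsServiceName": "1-vault",
                               "vaultBackend": "kv-v2"}),
        "2-vault": json.dumps({"encryptionKMSType": "vaulttenantsa",
                               "vaultBackend": "kv"}),
        "3-vault": json.dumps({"encryptionKMSType": "vaulttokens",
                               "kmsServiceName": "3-vault"}),
    },
}

# Providers for which vaultBackend is meaningful (the two Vault methods on the page).
VAULT_KMS_TYPES = {"vaulttokens", "vaulttenantsa"}
# vaultBackend value -> KV secret engine API version it denotes (from the page).
VAULT_BACKEND_VERSIONS = {"kv": 1, "kv-v2": 2}


def check_kms_binding(storage_class, configmap, expected_kv_version=None):
    """Return a list of findings; an empty list means the binding is consistent.

    expected_kv_version is the KV engine version (1 or 2) the Vault administrator
    reports for the backend path; pass None to skip that comparison.
    """
    findings = []
    params = storage_class.get("parameters", {})
    if params.get("encrypted") != "true":
        findings.append('storage class does not request encryption (encrypted != "true")')
        return findings
    kms_id = params.get("encryptionKMSID")
    if not kms_id:
        findings.append("encrypted storage class has no encryptionKMSID")
        return findings
    raw = configmap.get("data", {}).get(kms_id)
    if raw is None:
        findings.append(f"encryptionKMSID {kms_id!r} has no entry in the ConfigMap")
        return findings
    try:
        conn = json.loads(raw)
    except json.JSONDecodeError as exc:
        findings.append(f"connection {kms_id!r} is not valid JSON: {exc}")
        return findings
    kms_type = conn.get("encryptionKMSType")
    if kms_type not in VAULT_KMS_TYPES:
        return findings  # vaultBackend only applies to the Vault providers
    backend = conn.get("vaultBackend")
    if backend is None:
        findings.append(f"connection {kms_id!r} ({kms_type}) has no vaultBackend; "
                        "the KV engine version must be auto-detected")
    elif backend not in VAULT_BACKEND_VERSIONS:
        findings.append(f"connection {kms_id!r} has unknown vaultBackend {backend!r} "
                        "(expected kv or kv-v2)")
    elif expected_kv_version is not None and VAULT_BACKEND_VERSIONS[backend] != expected_kv_version:
        findings.append(f"connection {kms_id!r} sets vaultBackend {backend!r} but the "
                        f"backend path uses KV version {expected_kv_version}")
    return findings


def with_kms_id(storage_class, kms_id):
    """Copy of storage_class that points at a different encryptionKMSID."""
    sc = copy.deepcopy(storage_class)
    sc["parameters"]["encryptionKMSID"] = kms_id
    return sc


if __name__ == "__main__":
    # Walk every sample connection plus one that does not exist in the ConfigMap.
    for kms_id in ("1-vault", "2-vault", "3-vault", "9-vault"):
        sc = with_kms_id(SAMPLE_STORAGE_CLASS, kms_id)
        print(kms_id, check_kms_binding(sc, SAMPLE_CONFIGMAP, expected_kv_version=2) or "ok")
```

In practice the two inputs come from the same places the procedure names: the storage class YAML tab (or its JSON export) and the csi-kms-connection-details ConfigMap; the check is intentionally read-only so it can run before any PVC is bound to the class.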
Next steps
The storage class can be used to create encrypted persistent volumes. For more information, see managing persistent volume claims.
Important: Red Hat works with the technology partners to provide this documentation as a service to the customers. However, Red Hat does not provide support for the HashiCorp product. For technical assistance with this product, contact HashiCorp.