Create backends with kubectl
A backend defines the relationship between Astra Trident and a storage system. It tells Astra Trident how to communicate with that storage system and how Astra Trident should provision volumes from it. After Astra Trident is installed, the next step is to create a backend. The TridentBackendConfig
Custom Resource Definition (CRD) enables you to create and manage Trident backends directly through the Kubernetes interface. You can do this by using kubectl
or the equivalent CLI tool for your Kubernetes distribution.
TridentBackendConfig
TridentBackendConfig
(tbc
, tbconfig
, tbackendconfig
) is a frontend, namespaced CRD that enables you to manage Astra Trident backends using kubectl
. Kubernetes and storage admins can now create and manage backends directly through the Kubernetes CLI without requiring a dedicated command-line utility (tridentctl
).
Upon the creation of a TridentBackendConfig
object, the following happens:
-
A backend is created automatically by Astra Trident based on the configuration you provide. This is represented internally as a
TridentBackend
(tbe
,tridentbackend
) CR. -
The
TridentBackendConfig
is uniquely bound to aTridentBackend
that was created by Astra Trident.
Each TridentBackendConfig
maintains a one-to-one mapping with a TridentBackend
. The former is the interface provided to the user to design and configure backends; the latter is how Trident represents the actual backend object.
TridentBackend CRs are created automatically by Astra Trident. You should not modify them. If you want to make updates to backends, do this by modifying the TridentBackendConfig object.
|
See the following example for the format of the TridentBackendConfig
CR:
apiVersion: trident.netapp.io/v1 kind: TridentBackendConfig metadata: name: backend-tbc-ontap-san spec: version: 1 backendName: ontap-san-backend storageDriverName: ontap-san managementLIF: 10.0.0.1 dataLIF: 10.0.0.2 svm: trident_svm credentials: name: backend-tbc-ontap-san-secret
You can also take a look at the examples in the trident-installer directory for sample configurations for the desired storage platform/service.
The spec
takes backend-specific configuration parameters. In this example, the backend uses the ontap-san
storage driver and uses the configuration parameters that are tabulated here. For the list of configuration options for your desired storage driver, see the backend configuration information for your storage driver.
The spec
section also includes credentials
and deletionPolicy
fields, which are newly introduced in the TridentBackendConfig
CR:
-
credentials
: This parameter is a required field and contains the credentials used to authenticate with the storage system/service. This is set to a user-created Kubernetes Secret. The credentials cannot be passed in plain text and will result in an error. -
deletionPolicy
: This field defines what should happen when theTridentBackendConfig
is deleted. It can take one of two possible values:-
delete
: This results in the deletion of bothTridentBackendConfig
CR and the associated backend. This is the default value. -
retain
: When aTridentBackendConfig
CR is deleted, the backend definition will still be present and can be managed withtridentctl
. Setting the deletion policy toretain
lets users downgrade to an earlier release (pre-21.04) and retain the created backends. The value for this field can be updated after aTridentBackendConfig
is created.
-
The name of a backend is set using spec.backendName . If unspecified, the name of the backend is set to the name of the TridentBackendConfig object (metadata.name). It is recommended to explicitly set backend names using spec.backendName .
|
Backends that were created with tridentctl do not have an associated TridentBackendConfig object. You can choose to manage such backends with kubectl by creating a TridentBackendConfig CR. Care must be taken to specify identical config parameters (such as spec.backendName , spec.storagePrefix , spec.storageDriverName , and so on). Astra Trident will automatically bind the newly-created TridentBackendConfig with the pre-existing backend.
|
Steps overview
To create a new backend by using kubectl
, you should do the following:
-
Create a Kubernetes Secret. The secret contains the credentials Astra Trident needs to communicate with the storage cluster/service.
-
Create a
TridentBackendConfig
object. This contains specifics about the storage cluster/service and references the secret created in the previous step.
After you create a backend, you can observe its status by using kubectl get tbc <tbc-name> -n <trident-namespace>
and gather additional details.
Step 1: Create a Kubernetes Secret
Create a Secret that contains the access credentials for the backend. This is unique to each storage service/platform. Here’s an example:
kubectl -n trident create -f backend-tbc-ontap-san-secret.yaml apiVersion: v1 kind: Secret metadata: name: backend-tbc-ontap-san-secret type: Opaque stringData: username: cluster-admin password: t@Ax@7q(>
This table summarizes the fields that must be included in the Secret for each storage platform:
Storage platform Secret Fields description | Secret | Fields description |
---|---|---|
Azure NetApp Files |
clientID |
The client ID from an app registration |
Cloud Volumes Service for GCP |
private_key_id |
ID of the private key. Part of API key for GCP Service Account with CVS admin role |
Cloud Volumes Service for GCP |
private_key |
Private key. Part of API key for GCP Service Account with CVS admin role |
Element (NetApp HCI/SolidFire) |
Endpoint |
MVIP for the SolidFire cluster with tenant credentials |
ONTAP |
username |
Username to connect to the cluster/SVM. Used for credential-based authentication |
ONTAP |
password |
Password to connect to the cluster/SVM. Used for credential-based authentication |
ONTAP |
clientPrivateKey |
Base64-encoded value of client private key. Used for certificate-based authentication |
ONTAP |
chapUsername |
Inbound username. Required if useCHAP=true. For |
ONTAP |
chapInitiatorSecret |
CHAP initiator secret. Required if useCHAP=true. For |
ONTAP |
chapTargetUsername |
Target username. Required if useCHAP=true. For |
ONTAP |
chapTargetInitiatorSecret |
CHAP target initiator secret. Required if useCHAP=true. For |
The Secret created in this step will be referenced in the spec.credentials
field of the TridentBackendConfig
object that is created in the next step.
Step 2: Create the TridentBackendConfig
CR
You are now ready to create your TridentBackendConfig
CR. In this example, a backend that uses the ontap-san
driver is created by using the TridentBackendConfig
object shown below:
kubectl -n trident create -f backend-tbc-ontap-san.yaml
apiVersion: trident.netapp.io/v1 kind: TridentBackendConfig metadata: name: backend-tbc-ontap-san spec: version: 1 backendName: ontap-san-backend storageDriverName: ontap-san managementLIF: 10.0.0.1 dataLIF: 10.0.0.2 svm: trident_svm credentials: name: backend-tbc-ontap-san-secret
Step 3: Verify the status of the TridentBackendConfig
CR
Now that you created the TridentBackendConfig
CR, you can verify the status. See the following example:
kubectl -n trident get tbc backend-tbc-ontap-san NAME BACKEND NAME BACKEND UUID PHASE STATUS backend-tbc-ontap-san ontap-san-backend 8d24fce7-6f60-4d4a-8ef6-bab2699e6ab8 Bound Success
A backend was successfully created and bound to the TridentBackendConfig
CR.
Phase can take one of the following values:
-
Bound
: TheTridentBackendConfig
CR is associated with a backend, and that backend containsconfigRef
set to theTridentBackendConfig
CR’s uid. -
Unbound
: Represented using""
. TheTridentBackendConfig
object is not bound to a backend. All newly createdTridentBackendConfig
CRs are in this phase by default. After the phase changes, it cannot revert to Unbound again. -
Deleting
: TheTridentBackendConfig
CR’sdeletionPolicy
was set to delete. When theTridentBackendConfig
CR is deleted, it transitions to the Deleting state.-
If no persistent volume claims (PVCs) exist on the backend, deleting the
TridentBackendConfig
will result in Astra Trident deleting the backend as well as theTridentBackendConfig
CR. -
If one or more PVCs are present on the backend, it goes to a deleting state. The
TridentBackendConfig
CR subsequently also enters deleting phase. The backend andTridentBackendConfig
are deleted only after all PVCs are deleted.
-
-
Lost
: The backend associated with theTridentBackendConfig
CR was accidentally or deliberately deleted and theTridentBackendConfig
CR still has a reference to the deleted backend. TheTridentBackendConfig
CR can still be deleted irrespective of thedeletionPolicy
value. -
Unknown
: Astra Trident is unable to determine the state or existence of the backend associated with theTridentBackendConfig
CR. For example, if the API server is not responding or if thetridentbackends.trident.netapp.io
CRD is missing. This might require the user’s intervention.
At this stage, a backend is successfully created! There are several operations that can additionally be handled, such as backend updates and backend deletions.
(Optional) Step 4: Get more details
You can run the following command to get more information about your backend:
kubectl -n trident get tbc backend-tbc-ontap-san -o wide
NAME BACKEND NAME BACKEND UUID PHASE STATUS STORAGE DRIVER DELETION POLICY backend-tbc-ontap-san ontap-san-backend 8d24fce7-6f60-4d4a-8ef6-bab2699e6ab8 Bound Success ontap-san delete
In addition, you can also obtain a YAML/JSON dump of TridentBackendConfig
.
kubectl -n trident get tbc backend-tbc-ontap-san -o yaml
apiVersion: trident.netapp.io/v1 kind: TridentBackendConfig metadata: creationTimestamp: "2021-04-21T20:45:11Z" finalizers: - trident.netapp.io generation: 1 name: backend-tbc-ontap-san namespace: trident resourceVersion: "947143" uid: 35b9d777-109f-43d5-8077-c74a4559d09c spec: backendName: ontap-san-backend credentials: name: backend-tbc-ontap-san-secret managementLIF: 10.0.0.1 dataLIF: 10.0.0.2 storageDriverName: ontap-san svm: trident_svm version: 1 status: backendInfo: backendName: ontap-san-backend backendUUID: 8d24fce7-6f60-4d4a-8ef6-bab2699e6ab8 deletionPolicy: delete lastOperationStatus: Success message: Backend 'ontap-san-backend' created phase: Bound
backendInfo
contains the backendName
and the backendUUID
of the backend that got created in response to the TridentBackendConfig
CR. The lastOperationStatus
field represents the status of the last operation of the TridentBackendConfig
CR, which can be user-triggered (for example, user changed something in spec
) or triggered by Astra Trident (for example, during Astra Trident restarts). It can either be Success or Failed. phase
represents the status of the relation between the TridentBackendConfig
CR and the backend. In the example above, phase
has the value Bound, which means that the TridentBackendConfig
CR is associated with the backend.
You can run the kubectl -n trident describe tbc <tbc-cr-name>
command to get details of the event logs.
You cannot update or delete a backend which contains an associated TridentBackendConfig object using tridentctl . To understand the steps involved in switching between tridentctl and TridentBackendConfig , see here.
|