Prepare to configure a backend with ONTAP NAS drivers
Understand the requirements, authentication options, and export policies for configuring an ONTAP backend with ONTAP NAS drivers.
Requirements
-
For all ONTAP backends, Astra Trident requires at least one aggregate assigned to the SVM.
-
You can run more than one driver, and create storage classes that point to one or the other. For example, you could configure a Gold class that uses the
ontap-nas
driver and a Bronze class that uses theontap-nas-economy
one. -
All your Kubernetes worker nodes must have the appropriate NFS tools installed. See here for more details.
-
Astra Trident supports SMB volumes mounted to pods running on Windows nodes only. Refer to Prepare to provision SMB volumes for details.
Authenticate the ONTAP backend
Astra Trident offers two modes of authenticating an ONTAP backend.
-
Credential-based: The username and password to an ONTAP user with the required permissions. It is recommended to use a pre-defined security login role, such as
admin
orvsadmin
to ensure maximum compatibility with ONTAP versions. -
Certificate-based: Astra Trident can also communicate with an ONTAP cluster using a certificate installed on the backend. Here, the backend definition must contain Base64-encoded values of the client certificate, key, and the trusted CA certificate if used (recommended).
You can update existing backends to move between credential-based and certificate-based methods. However, only one authentication method is supported at a time. To switch to a different authentication method, you must remove the existing method from the backend configuration.
If you attempt to provide both credentials and certificates, backend creation will fail with an error that more than one authentication method was provided in the configuration file. |
Enable credential-based authentication
Astra Trident requires the credentials to an SVM-scoped/cluster-scoped admin to communicate with the ONTAP backend. It is recommended to make use of standard, pre-defined roles such as admin
or vsadmin
. This ensures forward compatibility with future ONTAP releases that might expose feature APIs to be used by future Astra Trident releases. A custom security login role can be created and used with Astra Trident, but is not recommended.
A sample backend definition will look like this:
--- version: 1 backendName: ExampleBackend storageDriverName: ontap-nas managementLIF: 10.0.0.1 dataLIF: 10.0.0.2 svm: svm_nfs username: vsadmin password: password
{ "version": 1, "backendName": "ExampleBackend", "storageDriverName": "ontap-nas", "managementLIF": "10.0.0.1", "dataLIF": "10.0.0.2", "svm": "svm_nfs", "username": "vsadmin", "password": "password" }
Keep in mind that the backend definition is the only place the credentials are stored in plain text. After the backend is created, usernames/passwords are encoded with Base64 and stored as Kubernetes secrets. The creation/updation of a backend is the only step that requires knowledge of the credentials. As such, it is an admin-only operation, to be performed by the Kubernetes/storage administrator.
Enable certificate-based Authentication
New and existing backends can use a certificate and communicate with the ONTAP backend. Three parameters are required in the backend definition.
-
clientCertificate: Base64-encoded value of client certificate.
-
clientPrivateKey: Base64-encoded value of associated private key.
-
trustedCACertificate: Base64-encoded value of trusted CA certificate. If using a trusted CA, this parameter must be provided. This can be ignored if no trusted CA is used.
A typical workflow involves the following steps.
-
Generate a client certificate and key. When generating, set Common Name (CN) to the ONTAP user to authenticate as.
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout k8senv.key -out k8senv.pem -subj "/C=US/ST=NC/L=RTP/O=NetApp/CN=vsadmin"
-
Add trusted CA certificate to the ONTAP cluster. This might be already handled by the storage administrator. Ignore if no trusted CA is used.
security certificate install -type server -cert-name <trusted-ca-cert-name> -vserver <vserver-name> ssl modify -vserver <vserver-name> -server-enabled true -client-enabled true -common-name <common-name> -serial <SN-from-trusted-CA-cert> -ca <cert-authority>
-
Install the client certificate and key (from step 1) on the ONTAP cluster.
security certificate install -type client-ca -cert-name <certificate-name> -vserver <vserver-name> security ssl modify -vserver <vserver-name> -client-enabled true
-
Confirm the ONTAP security login role supports
cert
authentication method.security login create -user-or-group-name vsadmin -application ontapi -authentication-method cert -vserver <vserver-name> security login create -user-or-group-name vsadmin -application http -authentication-method cert -vserver <vserver-name>
-
Test authentication using certificate generated. Replace <ONTAP Management LIF> and <vserver name> with Management LIF IP and SVM name. You must ensure the LIF has its service policy set to
default-data-management
.curl -X POST -Lk https://<ONTAP-Management-LIF>/servlets/netapp.servlets.admin.XMLrequest_filer --key k8senv.key --cert ~/k8senv.pem -d '<?xml version="1.0" encoding="UTF-8"?><netapp xmlns="http://www.netapp.com/filer/admin" version="1.21" vfiler="<vserver-name>"><vserver-get></vserver-get></netapp>'
-
Encode certificate, key and trusted CA certificate with Base64.
base64 -w 0 k8senv.pem >> cert_base64 base64 -w 0 k8senv.key >> key_base64 base64 -w 0 trustedca.pem >> trustedca_base64
-
Create backend using the values obtained from the previous step.
cat cert-backend-updated.json { "version": 1, "storageDriverName": "ontap-nas", "backendName": "NasBackend", "managementLIF": "1.2.3.4", "dataLIF": "1.2.3.8", "svm": "vserver_test", "clientCertificate": "Faaaakkkkeeee...Vaaalllluuuueeee", "clientPrivateKey": "LS0tFaKE...0VaLuES0tLS0K", "storagePrefix": "myPrefix_" } #Update backend with tridentctl tridentctl update backend NasBackend -f cert-backend-updated.json -n trident +------------+----------------+--------------------------------------+--------+---------+ | NAME | STORAGE DRIVER | UUID | STATE | VOLUMES | +------------+----------------+--------------------------------------+--------+---------+ | NasBackend | ontap-nas | 98e19b74-aec7-4a3d-8dcf-128e5033b214 | online | 9 | +------------+----------------+--------------------------------------+--------+---------+
Update authentication methods or rotate credentials
You can update an existing backend to use a different authentication method or to rotate their credentials. This works both ways: backends that make use of username/password can be updated to use certificates; backends that utilize certificates can be updated to username/password based. To do this, you must remove the existing authentication method and add the new authentication method. Then use the updated backend.json file containing the required parameters to execute tridentctl update backend
.
cat cert-backend-updated.json { "version": 1, "storageDriverName": "ontap-nas", "backendName": "NasBackend", "managementLIF": "1.2.3.4", "dataLIF": "1.2.3.8", "svm": "vserver_test", "username": "vsadmin", "password": "password", "storagePrefix": "myPrefix_" } #Update backend with tridentctl tridentctl update backend NasBackend -f cert-backend-updated.json -n trident +------------+----------------+--------------------------------------+--------+---------+ | NAME | STORAGE DRIVER | UUID | STATE | VOLUMES | +------------+----------------+--------------------------------------+--------+---------+ | NasBackend | ontap-nas | 98e19b74-aec7-4a3d-8dcf-128e5033b214 | online | 9 | +------------+----------------+--------------------------------------+--------+---------+
When rotating passwords, the storage administrator must first update the password for the user on ONTAP. This is followed by a backend update. When rotating certificates, multiple certificates can be added to the user. The backend is then updated to use the new certificate, following which the old certificate can be deleted from the ONTAP cluster. |
Updating a backend does not disrupt access to volumes that have already been created, nor impact volume connections made after. A successful backend update indicates that Astra Trident can communicate with the ONTAP backend and handle future volume operations.
Manage NFS export policies
Astra Trident uses NFS export policies to control access to the volumes that it provisions.
Astra Trident provides two options when working with export policies:
-
Astra Trident can dynamically manage the export policy itself; in this mode of operation, the storage administrator specifies a list of CIDR blocks that represent admissible IP addresses. Astra Trident adds node IPs that fall in these ranges to the export policy automatically. Alternatively, when no CIDRs are specified, any global-scoped unicast IP found on the nodes will be added to the export policy.
-
Storage administrators can create an export policy and add rules manually. Astra Trident uses the default export policy unless a different export policy name is specified in the configuration.
Dynamically manage export policies
The 20.04 release of CSI Trident provides the ability to dynamically manage export policies for ONTAP backends. This provides the storage administrator the ability to specify a permissible address space for worker node IPs, rather than defining explicit rules manually. It greatly simplifies export policy management; modifications to the export policy no longer require manual intervention on the storage cluster. Moreover, this helps restrict access to the storage cluster only to worker nodes that have IPs in the range specified, supporting a fine-grained and automated management.
The dynamic management of export policies is only available for CSI Trident. It is important to ensure that the worker nodes are not being NATed. |
Example
There are two configuration options that must be used. Here’s an example backend definition:
--- version: 1 storageDriverName: ontap-nas backendName: ontap_nas_auto_export managementLIF: 192.168.0.135 svm: svm1 username: vsadmin password: password autoExportCIDRs: - 192.168.0.0/24 autoExportPolicy: true
When using this feature, you must ensure that the root junction in your SVM has a previously created export policy with an export rule that permits the node CIDR block (such as the default export policy). Always follow NetApp’s recommended best practice of dedicating a SVM for Astra Trident. |
Here is an explanation of how this feature works using the example above:
-
autoExportPolicy
is set totrue
. This indicates that Astra Trident will create an export policy for thesvm1
SVM and handle the addition and deletion of rules usingautoExportCIDRs
address blocks. For example, a backend with UUID 403b5326-8482-40db-96d0-d83fb3f4daec andautoExportPolicy
set totrue
creates an export policy namedtrident-403b5326-8482-40db-96d0-d83fb3f4daec
on the SVM. -
autoExportCIDRs
contains a list of address blocks. This field is optional and it defaults to ["0.0.0.0/0", "::/0"]. If not defined, Astra Trident adds all globally-scoped unicast addresses found on the worker nodes.
In this example, the 192.168.0.0/24
address space is provided. This indicates that Kubernetes node IPs that fall within this address range will be added to the export policy that Astra Trident creates. When Astra Trident registers a node it runs on, it retrieves the IP addresses of the node and checks them against the address blocks provided in autoExportCIDRs
. After filtering the IPs, Astra Trident creates export policy rules for the client IPs it discovers, with one rule for each node it identifies.
You can update autoExportPolicy
and autoExportCIDRs
for backends after you create them. You can append new CIDRs for a backend that is automatically managed or delete existing CIDRs. Exercise care when deleting CIDRs to ensure that existing connections are not dropped. You can also choose to disable autoExportPolicy
for a backend and fall back to a manually created export policy. This will require setting the exportPolicy
parameter in your backend config.
After Astra Trident creates or updates a backend, you can check the backend using tridentctl
or the corresponding tridentbackend
CRD:
./tridentctl get backends ontap_nas_auto_export -n trident -o yaml items: - backendUUID: 403b5326-8482-40db-96d0-d83fb3f4daec config: aggregate: "" autoExportCIDRs: - 192.168.0.0/24 autoExportPolicy: true backendName: ontap_nas_auto_export chapInitiatorSecret: "" chapTargetInitiatorSecret: "" chapTargetUsername: "" chapUsername: "" dataLIF: 192.168.0.135 debug: false debugTraceFlags: null defaults: encryption: "false" exportPolicy: <automatic> fileSystemType: ext4
As nodes are added to a Kubernetes cluster and registered with the Astra Trident controller, export policies of existing backends are updated (provided they fall in the address range specified in autoExportCIDRs
for the backend).
When a node is removed, Astra Trident checks all backends that are online to remove the access rule for the node. By removing this node IP from the export policies of managed backends, Astra Trident prevents rogue mounts, unless this IP is reused by a new node in the cluster.
For previously existing backends, updating the backend with tridentctl update backend
will ensure that Astra Trident manages the export policies automatically. This will create a new export policy named after the backend’s UUID and volumes that are present on the backend will use the newly created export policy when they are mounted again.
Deleting a backend with auto-managed export policies will delete the dynamically created export policy. If the backend is re-created, it is treated as a new backend and will result in the creation of a new export policy. |
If the IP address of a live node is updated, you must restart the Astra Trident pod on the node. Astra Trident will then update the export policy for backends it manages to reflect this IP change.
Prepare to provision SMB volumes
With a little additional preparation, you can provision SMB volumes using ontap-nas
drivers.
You must configure both NFS and SMB/CIFS protocols on the SVM to create an ontap-nas-economy SMB volume for ONTAP on-premises. Failure to configure either of these protocols will cause SMB volume creation to fail.
|
Before you can provision SMB volumes, you must have the following.
-
A Kubernetes cluster with a Linux controller node and at least one Windows worker node running Windows Server 2019. Astra Trident supports SMB volumes mounted to pods running on Windows nodes only.
-
At least one Astra Trident secret containing your Active Directory credentials. To generate secret
smbcreds
:kubectl create secret generic smbcreds --from-literal username=user --from-literal password='password'
-
A CSI proxy configured as a Windows service. To configure a
csi-proxy
, refer to GitHub: CSI Proxy or GitHub: CSI Proxy for Windows for Kubernetes nodes running on Windows.
-
For on-premises ONTAP, you can optionally create an SMB share or Astra Trident can create one for you.
SMB shares are required for Amazon FSx for ONTAP. You can create the SMB admin shares in one of two ways either using the Microsoft Management Console Shared Folders snap-in or using the ONTAP CLI. To create the SMB shares using the ONTAP CLI:
-
If necessary, create the directory path structure for the share.
The
vserver cifs share create
command checks the path specified in the -path option during share creation. If the specified path does not exist, the command fails. -
Create an SMB share associated with the specified SVM:
vserver cifs share create -vserver vserver_name -share-name share_name -path path [-share-properties share_properties,...] [other_attributes] [-comment text]
-
Verify that the share was created:
vserver cifs share show -share-name share_name
Refer to Create an SMB share for full details.
-
-
When creating the backend, you must configure the following to specify SMB volumes. For all FSx for ONTAP backend configuration options, refer to FSx for ONTAP configuration options and examples.
Parameter Description Example smbShare
You can specify one of the following: the name of an SMB share created using the Microsoft Management Console or ONTAP CLI; a name to allow Astra Trident to create the SMB share; or you can leave the parameter blank to prevent common share access to volumes.
This parameter is optional for on-premises ONTAP.
This parameter is required for Amazon FSx for ONTAP backends and cannot be blank.smb-share
nasType
Must set to
smb
. If null, defaults tonfs
.smb
securityStyle
Security style for new volumes.
Must be set tontfs
ormixed
for SMB volumes.ntfs
ormixed
for SMB volumesunixPermissions