Prepare to configure an Azure NetApp Files backend

Contributors juliantap

Before you can configure your Azure NetApp Files (ANF) backend, make sure the following requirements are met.

If you are using Azure NetApp Files for the first time or in a new location, some initial configuration is required.

Requirements

To configure and use an Azure NetApp Files backend, you need the following:

  • subscriptionID from an Azure subscription with Azure NetApp Files enabled.

  • tenantID, clientID, and clientSecret from an App Registration in Azure Active Directory with sufficient permissions to the Azure NetApp Files service. The App Registration should use either:

    • The Owner or Contributor role predefined by Azure

    • A custom Contributor role at the subscription level (assignableScopes) with the following permissions that are limited to only what Astra Trident requires. After creating the custom role, assign the role using the Azure portal.

      {
          "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
          "properties": {
              "roleName": "custom-role-with-limited-perms",
              "description": "custom role providing limited permissions",
              "assignableScopes": [
                  "/subscriptions/<subscription-id>"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.NetApp/netAppAccounts/capacityPools/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/subvolumes/GetMetadata/action",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/MountTargets/read",
                          "Microsoft.Network/virtualNetworks/read",
                          "Microsoft.Network/virtualNetworks/subnets/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/write",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/delete",
                          "Microsoft.Features/features/read",
                          "Microsoft.Features/operations/read",
                          "Microsoft.Features/providers/features/read",
                          "Microsoft.Features/providers/features/register/action",
                          "Microsoft.Features/providers/features/unregister/action",
                          "Microsoft.Features/subscriptionFeatureRegistrations/read"
                      ],
                      "notActions": [],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
          }
      }

  • The Azure location that contains at least one delegated subnet. As of Trident 22.01, the location parameter is a required field at the top level of the backend configuration file. Location values specified in virtual pools are ignored.
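
A least-privilege check to run before assigning the custom role, added here as an example and not part of the NetApp documentation: the script compares a role definition in the JSON shape shown above (for example, exported from the Azure portal) against the action list the page gives, and reports wildcard actions, actions Trident does not need, assignableScopes wider than the subscription, and required actions that are missing or revoked by notActions. The make_role helper only builds a constructed sample for trying the check.

```python
import fnmatch

# The minimum actions Astra Trident needs, taken from the custom role definition above.
NETAPP, FEATURES = "Microsoft.NetApp/netAppAccounts/capacityPools/", "Microsoft.Features/"
REQUIRED_ACTIONS = frozenset(
    [NETAPP + s for s in (
        "read", "write", "volumes/read", "volumes/write", "volumes/delete",
        "volumes/snapshots/read", "volumes/snapshots/write", "volumes/snapshots/delete",
        "volumes/subvolumes/read", "volumes/subvolumes/write", "volumes/subvolumes/delete",
        "volumes/subvolumes/GetMetadata/action", "volumes/MountTargets/read")]
    + ["Microsoft.Network/virtualNetworks/read", "Microsoft.Network/virtualNetworks/subnets/read"]
    + [FEATURES + s for s in (
        "featureProviders/subscriptionFeatureRegistrations/read",
        "featureProviders/subscriptionFeatureRegistrations/write",
        "featureProviders/subscriptionFeatureRegistrations/delete",
        "features/read", "operations/read", "providers/features/read",
        "providers/features/register/action", "providers/features/unregister/action",
        "subscriptionFeatureRegistrations/read")])

def matches(action, patterns):
    # Azure action strings use '*' as a wildcard; fnmatch reproduces that matching.
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)

def audit_role(role, subscription_id):
    """Return findings as strings; an empty list means the role is exactly the documented minimum."""
    props, findings = role["properties"], []
    for scope in props.get("assignableScopes", []):
        if scope != f"/subscriptions/{subscription_id}":
            findings.append(f"assignableScopes not limited to the subscription: {scope}")
    actions, not_actions = set(), set()
    for perm in props.get("permissions", []):
        actions.update(perm.get("actions", []))
        not_actions.update(perm.get("notActions", []))
        if perm.get("dataActions"):
            findings.append(f"dataActions are not needed by Trident: {perm['dataActions']}")
    for a in sorted(actions):
        if "*" in a:
            findings.append(f"wildcard action grants more than Trident needs: {a}")
        elif a not in REQUIRED_ACTIONS:
            findings.append(f"action not required by Trident: {a}")
    for r in sorted(REQUIRED_ACTIONS):
        if not matches(r, actions) or matches(r, not_actions):
            findings.append(f"required action not effectively granted: {r}")
    return findings

def make_role(actions, subscription_id, not_actions=()):  # constructed sample, same shape as above
    perm = {"actions": list(actions), "notActions": list(not_actions), "dataActions": [], "notDataActions": []}
    return {"properties": {"roleName": "custom-role-with-limited-perms",
                           "assignableScopes": [f"/subscriptions/{subscription_id}"], "permissions": [perm]}}
```

Load the exported definition with json.load and pass it to audit_role together with your subscription ID; a role built only from Microsoft.NetApp/* passes the NetApp checks but is flagged for the wildcard and for the missing Microsoft.Network and Microsoft.Features actions.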

Additional requirements for SMB volumes

  • A Kubernetes cluster with a Linux controller node and at least one Windows worker node running Windows Server 2019. Astra Trident supports SMB volumes mounted to pods running on Windows nodes only.

  • At least one Astra Trident secret containing your Active Directory credentials so ANF can authenticate to Active Directory. To generate the secret smbcreds:

    kubectl create secret generic smbcreds --from-literal username=user --from-literal password='pw'

  • A CSI proxy configured as a Windows service. To configure a csi-proxy, refer to GitHub: CSI Proxy or GitHub: CSI Proxy for Windows for Kubernetes nodes running on Windows.