Skip to main content

Prepare to configure an Azure NetApp Files backend

Contributors juliantap netapp-aruldeepa

Before you can configure your Azure NetApp Files backend, you need to ensure the following requirements are met.

Prerequisites for NFS and SMB volumes

If you are using Azure NetApp Files for the first time or in a new location, some initial configuration is required to set up Azure NetApp files and create an NFS volume. Refer to Azure: Set up Azure NetApp Files and create an NFS volume.

To configure and use an Azure NetApp Files backend, you need the following:

Note
  • subscriptionID, tenantID, clientID, location, and clientSecret are optional when using managed identities on an AKS cluster.

  • tenantID, clientID, and clientSecret are optional when using a cloud identity on an AKS cluster.

  • A capacity pool. Refer to Microsoft: Create a capacity pool for Azure NetApp Files.

  • A subnet delegated to Azure NetApp Files. Refer to Microsoft: Delegate a subnet to Azure NetApp Files.

  • subscriptionID from an Azure subscription with Azure NetApp Files enabled.

  • tenantID, clientID, and clientSecret from an App Registration in Azure Active Directory with sufficient permissions to the Azure NetApp Files service. The App Registration should use either:

    • The Owner or Contributor role predefined by Azure.

    • A custom Contributor role at the subscription level (assignableScopes) with the following permissions that are limited to only what Trident requires. After creating the custom role, assign the role using the Azure portal.

      Custom contributor role
      {
          "id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>",
          "properties": {
              "roleName": "custom-role-with-limited-perms",
              "description": "custom role providing limited permissions",
              "assignableScopes": [
                  "/subscriptions/<subscription-id>"
              ],
              "permissions": [
                  {
                      "actions": [
                          "Microsoft.NetApp/netAppAccounts/capacityPools/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/read",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/write",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/snapshots/delete",
                          "Microsoft.NetApp/netAppAccounts/capacityPools/volumes/MountTargets/read",
                          "Microsoft.Network/virtualNetworks/read",
                          "Microsoft.Network/virtualNetworks/subnets/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/read",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/write",
                          "Microsoft.Features/featureProviders/subscriptionFeatureRegistrations/delete",
                          "Microsoft.Features/features/read",
                          "Microsoft.Features/operations/read",
                          "Microsoft.Features/providers/features/read",
                          "Microsoft.Features/providers/features/register/action",
                          "Microsoft.Features/providers/features/unregister/action",
                          "Microsoft.Features/subscriptionFeatureRegistrations/read"
                      ],
                      "notActions": [],
                      "dataActions": [],
                      "notDataActions": []
                  }
              ]
          }
      }
  • The Azure location that contains at least one delegated subnet. As of Trident 22.01, the location parameter is a required field at the top level of the backend configuration file. Location values specified in virtual pools are ignored.

  • To use Cloud Identity, get the client ID from a user-assigned managed identity and specify that ID in azure.workload.identity/client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx.

Additional requirements for SMB volumes

To create an SMB volume, you must have:

  • Active Directory configured and connected to Azure NetApp Files. Refer to Microsoft: Create and manage Active Directory connections for Azure NetApp Files.

  • A Kubernetes cluster with a Linux controller node and at least one Windows worker node running Windows Server 2022. Trident supports SMB volumes mounted to pods running on Windows nodes only.

  • At least one Trident secret containing your Active Directory credentials so Azure NetApp Files can authenticate to Active Directory. To generate secret smbcreds:

    kubectl create secret generic smbcreds --from-literal username=user --from-literal password='password'
  • A CSI proxy configured as a Windows service. To configure a csi-proxy, refer to GitHub: CSI Proxy or GitHub: CSI Proxy for Windows for Kubernetes nodes running on Windows.