Configure the Storage Backend
ONTAP SAN and NAS driver integration
You can create a backend file using the SVM credentials (username and password) stored in AWS Secret Manager as shown in this example:
apiVersion: trident.netapp.io/v1 kind: TridentBackendConfig metadata: name: backend-tbc-ontap-nas spec: version: 1 storageDriverName: ontap-nas backendName: tbc-ontap-nas svm: svm-name aws: fsxFilesystemID: fs-xxxxxxxxxx credentials: name: "arn:aws:secretsmanager:us-west-2:xxxxxxxx:secret:secret-name" type: awsarn
{ "apiVersion": "trident.netapp.io/v1", "kind": "TridentBackendConfig", "metadata": { "name": "backend-tbc-ontap-nas" }, "spec": { "version": 1, "storageDriverName": "ontap-nas", "backendName": "tbc-ontap-nas", "svm": "svm-name", "aws": { "fsxFilesystemID": "fs-xxxxxxxxxx" }, "managementLIF": null, "credentials": { "name": "arn:aws:secretsmanager:us-west-2:xxxxxxxx:secret:secret-name", "type": "awsarn" } } }
For information about creating backends, refer to these pages:
FSx for ONTAP driver details
You can integrate Trident with Amazon FSx for NetApp ONTAP using the following drivers:
-
ontap-san
: Each PV provisioned is a LUN within its own Amazon FSx for NetApp ONTAP volume. Recommended for block storage. -
ontap-nas
: Each PV provisioned is a full Amazon FSx for NetApp ONTAP volume. Recommended for NFS and SMB. -
ontap-san-economy
: Each PV provisioned is a LUN with a configurable number of LUNs per Amazon FSx for NetApp ONTAP volume. -
ontap-nas-economy
: Each PV provisioned is a qtree, with a configurable number of qtrees per Amazon FSx for NetApp ONTAP volume. -
ontap-nas-flexgroup
: Each PV provisioned is a full Amazon FSx for NetApp ONTAP FlexGroup volume.
For driver details, refer to NAS drivers and SAN drivers.
Example configurations
Configuration for AWS FSx for ONTAP with secret manager
apiVersion: trident.netapp.io/v1 kind: TridentBackendConfig metadata: name: backend-tbc-ontap-nas spec: version: 1 storageDriverName: ontap-nas backendName: tbc-ontap-nas svm: svm-name aws: fsxFilesystemID: fs-xxxxxxxxxx managementLIF: credentials: name: "arn:aws:secretsmanager:us-west-2:xxxxxxxx:secret:secret-name" type: awsarn
Configuration of storage class for SMB volumes
Using nasType
, node-stage-secret-name
, and node-stage-secret-namespace
, you can specify an SMB volume and provide the required Active Directory credentials. SMB volumes are supported using the ontap-nas
driver only.
apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: nas-smb-sc provisioner: csi.trident.netapp.io parameters: backendType: "ontap-nas" trident.netapp.io/nasType: "smb" csi.storage.k8s.io/node-stage-secret-name: "smbcreds" csi.storage.k8s.io/node-stage-secret-namespace: "default"
Backend advanced configuration and examples
See the following table for the backend configuration options:
Parameter | Description | Example |
---|---|---|
|
Always 1 |
|
|
Name of the storage driver |
|
|
Custom name or the storage backend |
Driver name + “_” + dataLIF |
|
IP address of a cluster or SVM management LIF |
“10.0.0.1”, “[2001:1234:abcd::fefe]” |
|
IP address of protocol LIF. |
|
|
Enable automatic export policy creation and updating [Boolean]. |
|
|
List of CIDRs to filter Kubernetes' node IPs against when |
"[“0.0.0.0/0”, “::/0”]" |
|
Set of arbitrary JSON-formatted labels to apply on volumes |
"" |
|
Base64-encoded value of client certificate. Used for certificate-based auth |
"" |
|
Base64-encoded value of client private key. Used for certificate-based auth |
"" |
|
Base64-encoded value of trusted CA certificate. Optional. Used for certificate-based authentication. |
"" |
|
Username to connect to the cluster or SVM. Used for credential-based authentication. For example, vsadmin. |
|
|
Password to connect to the cluster or SVM. Used for credential-based authentication. |
|
|
Storage virtual machine to use |
Derived if an SVM managementLIF is specified. |
|
Prefix used when provisioning new volumes in the SVM. |
|
|
Do not specify for Amazon FSx for NetApp ONTAP. |
Do not use. |
|
Fail provisioning if requested volume size is above this value. |
“” (not enforced by default) |
|
Maximum LUNs per Flexvol, must be in range [50, 200]. |
“100” |
|
Debug flags to use when troubleshooting. Example, {“api”:false, “method”:true} |
null |
|
Comma-separated list of NFS mount options. |
"" |
|
Configure NFS or SMB volumes creation. |
|
|
Maximum Qtrees per FlexVol, must be in range [50, 300] |
|
|
You can specify one of the following: the name of an SMB share created using the Microsoft Management Console or ONTAP CLI or a name to allow Trident to create the SMB share. |
|
|
Boolean parameter to use ONTAP REST APIs. Tech preview |
|
|
You can specify the following in the configuration file for AWS FSx for ONTAP: |
|
|
Specify the FSx SVM credentials to store in AWS Secret Manager. |
Backend configuration options for provisioning volumes
You can control default provisioning using these options in the defaults
section of the configuration. For an example, see the configuration examples below.
Parameter | Description | Default |
---|---|---|
|
Space-allocation for LUNs |
|
|
Space reservation mode; “none” (thin) or “volume” (thick) |
|
|
Snapshot policy to use |
|
|
QoS policy group to assign for volumes created. Choose one of qosPolicy or adaptiveQosPolicy per storage pool or backend. |
“” |
|
Adaptive QoS policy group to assign for volumes created. Choose one of qosPolicy or adaptiveQosPolicy per storage pool or backend. |
“” |
|
Percentage of volume reserved for snapshots “0” |
If |
|
Split a clone from its parent upon creation |
|
|
Enable NetApp Volume Encryption (NVE) on the new volume; defaults to |
|
|
Enable LUKS encryption. Refer to Use Linux Unified Key Setup (LUKS). |
"" |
|
Tiering policy to use |
|
|
Mode for new volumes. |
“" |
|
Security style for new volumes. |
NFS default is |
Prepare to provision SMB volumes
You can provision SMB volumes using the ontap-nas
driver. Before you complete ONTAP SAN and NAS driver integration complete the following steps.
Before you can provision SMB volumes using the ontap-nas
driver, you must have the following.
-
A Kubernetes cluster with a Linux controller node and at least one Windows worker node running Windows Server 2019. Trident supports SMB volumes mounted to pods running on Windows nodes only.
-
At least one Trident secret containing your Active Directory credentials. To generate secret
smbcreds
:kubectl create secret generic smbcreds --from-literal username=user --from-literal password='password'
-
A CSI proxy configured as a Windows service. To configure a
csi-proxy
, refer to GitHub: CSI Proxy or GitHub: CSI Proxy for Windows for Kubernetes nodes running on Windows.
-
Create SMB shares. You can create the SMB admin shares in one of two ways either using the Microsoft Management Console Shared Folders snap-in or using the ONTAP CLI. To create the SMB shares using the ONTAP CLI:
-
If necessary, create the directory path structure for the share.
The
vserver cifs share create
command checks the path specified in the -path option during share creation. If the specified path does not exist, the command fails. -
Create an SMB share associated with the specified SVM:
vserver cifs share create -vserver vserver_name -share-name share_name -path path [-share-properties share_properties,...] [other_attributes] [-comment text]
-
Verify that the share was created:
vserver cifs share show -share-name share_name
Refer to Create an SMB share for full details.
-
-
When creating the backend, you must configure the following to specify SMB volumes. For all FSx for ONTAP backend configuration options, refer to FSx for ONTAP configuration options and examples.
Parameter Description Example smbShare
You can specify one of the following: the name of an SMB share created using the Microsoft Management Console or ONTAP CLI or a name to allow Trident to create the SMB share.
This parameter is required for Amazon FSx for ONTAP backends.smb-share
nasType
Must set to
smb
. If null, defaults tonfs
.smb
securityStyle
Security style for new volumes.
Must be set tontfs
ormixed
for SMB volumes.ntfs
ormixed
for SMB volumesunixPermissions
Mode for new volumes. Must be left empty for SMB volumes.
""