Skip to main content

Use Astra Trident with Amazon FSx for NetApp ONTAP

Contributors juliantap netapp-aruldeepa gnarl

Amazon FSx for NetApp ONTAP is a fully managed AWS service that enables customers to launch and run file systems powered by the NetApp ONTAP storage operating system. FSx for ONTAP enables you to leverage NetApp features, performance, and administrative capabilities you are familiar with, while taking advantage of the simplicity, agility, security, and scalability of storing data on AWS. FSx for ONTAP supports ONTAP file system features and administration APIs.

Overview

A file system is the primary resource in Amazon FSx, analogous to an ONTAP cluster on premises. Within each SVM you can create one or multiple volumes, which are data containers that store the files and folders in your file system. With Amazon FSx for NetApp ONTAP, Data ONTAP will be provided as a managed file system in the cloud. The new file system type is called NetApp ONTAP.

Using Astra Trident with Amazon FSx for NetApp ONTAP, you can ensure Kubernetes clusters running in Amazon Elastic Kubernetes Service (EKS) can provision block and file persistent volumes backed by ONTAP.

Considerations

  • SMB volumes:

    • SMB volumes are supported using the ontap-nas driver only.

    • SMB volumes are not supported with Astra Trident EKS add-on.

    • Astra Trident supports SMB volumes mounted to pods running on Windows nodes only.

  • Prior to Astra Trident 24.02, volumes created on Amazon FSx file systems that have automatic backups enabled, could not be deleted by Trident. To prevent this issue in Astra Trident 24.02 or later, specify the fsxFilesystemID, AWS apiRegion, AWS apikey, and AWS secretKey in the backend configuration file for AWS FSx for ONTAP.

    Note If you are specifying an IAM role to Astra Trident, then you can omit specifying the apiRegion, apiKey, and secretKey fields to Astra Trident explicitly. For more information, refer to FSx for ONTAP configuration options and examples.

FSx for ONTAP driver details

You can integrate Astra Trident with Amazon FSx for NetApp ONTAP using the following drivers:

  • ontap-san: Each PV provisioned is a LUN within its own Amazon FSx for NetApp ONTAP volume.

  • ontap-san-economy: Each PV provisioned is a LUN with a configurable number of LUNs per Amazon FSx for NetApp ONTAP volume.

  • ontap-nas: Each PV provisioned is a full Amazon FSx for NetApp ONTAP volume.

  • ontap-nas-economy: Each PV provisioned is a qtree, with a configurable number of qtrees per Amazon FSx for NetApp ONTAP volume.

  • ontap-nas-flexgroup: Each PV provisioned is a full Amazon FSx for NetApp ONTAP FlexGroup volume.

For driver details, refer to NAS drivers and SAN drivers.

Authentication

Astra Trident offers two modes of authentication.

  • Certificate-based: Astra Trident will communicate with the SVM on your FSx file system using a certificate installed on your SVM.

  • Credential-based: You can use the fsxadmin user for your file system or the vsadmin user configured for your SVM.

    Warning Astra Trident expects to be run as a vsadmin SVM user or as a user with a different name that has the same role. Amazon FSx for NetApp ONTAP has an fsxadmin user that is a limited replacement of the ONTAP admin cluster user. We strongly recommend using vsadmin with Astra Trident.

You can update backends to move between credential-based and certificate-based methods. However, if you attempt to provide credentials and certificates, backend creation will fail. To switch to a different authentication method, you must remove the existing method from the backend configuration.

For details on enabling authentication, refer to the authentication for your driver type:

Cloud identity for EKS

Cloud identity enables Kubernetes pods to access AWS resources by authenticating as an AWS IAM role instead of by providing explicit AWS credentials.

To take advantage of cloud identity in AWS, you must have:

  • A Kubernetes cluster deployed using EKS

  • Astra Trident installed that includes the cloudProvider specifying "AWS" and cloudIdentity specifying AWS IAM role.

    Trident operator

    To install Astra Trident using the Trident operator, edit tridentorchestrator_cr.yaml to set cloudProvider to "AWS" and set cloudIdentity to AWS IAM role.

    For example:

    apiVersion: trident.netapp.io/v1
    kind: TridentOrchestrator
    metadata:
      name: trident
    spec:
      debug: true
      namespace: trident
      imagePullPolicy: IfNotPresent
      cloudProvider: "AWS"
      cloudIdentity: "'eks.amazonaws.com/role-arn: arn:aws:iam::123456:role/astratrident-role'"
    Helm

    Set the values for cloud provider and cloud identity flags using the following environment variables:

    export CP="AWS"
    export CI="'eks.amazonaws.com/role-arn: arn:aws:iam::123456:role/astratrident-role'"

    The following example installs Astra Trident and sets cloudProvider to AWS using the environment variable $CP and sets the 'cloudIdentity' using the environment variable $CI:

    helm install trident trident-operator-100.2402.0.tgz --set cloudProvider=$CP --set cloudIdentity=$CI
    tridentctl

    Set the values for cloud provider and cloud identity flags using the following environment variables:

    export CP="AWS"
    export CI="'eks.amazonaws.com/role-arn: arn:aws:iam::123456:role/astratrident-role'"

    The following example installs Astra Trident and sets the cloud-provider flag to $CP, and cloud-identity to $CI:

    tridentctl install --cloud-provider=$CP --cloud-identity="$CI" -n trident