To complete the CSM authorization module installation, configure the proxy server using the karavictl command. The following section provides the detailed steps to complete the configuration.
$ kubectl -n authorization get ingress
NAME           CLASS   HOSTS                     ADDRESS   PORTS    AGE
proxy-server   nginx   authorization.dell.labs             80 443   13d
$ kubectl -n authorization get service
NAME                                               PORT(S)                      AGE
authorization-cert-manager                         9402/TCP                     13d
authorization-cert-manager-webhook                 443/TCP                      13d
authorization-ingress-nginx-controller             80:32120/TCP,443:30601/TCP   13d
authorization-ingress-nginx-controller-admission   443/TCP                      13d
proxy-server                                       8080/TCP                     13d
redis                                              6379/TCP                     13d
redis-commander                                    8081/TCP                     13d
role-service                                       50051/TCP                    13d
storage-service                                    50051/TCP                    13d
tenant-service                                     50051/TCP                    13d
Make a note of the authorization-ingress-nginx-controller ports, as these will be used later while configuring the proxy server.
<master_node_ip> authorization.dell.labs
To configure authorization, the following parameters must be set using karavictl.
To configure the admin token, run the following command from the server where karavictl is installed.
$ karavictl admin token --name admin --jwt-signing-secret supersecret --access-token-expiration 30s --refresh-token-expiration 120m > admintoken.yaml
The signing secret to be used above is the same secret key that was updated during the installation of the Authorization module in Step 4.
To add PowerFlex as the storage system, run the following command:
$ karavictl storage create --type powerflex --endpoint https://192.168.105.205/ --system-id cf786ba3109e8e0f --user admin --password Dellam123! --array-insecure --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
Note: The endpoint to be used is the PowerFlex Manager IP address. For --addr, either of the node ports mapped to ports 80 and 443 can be used.
To list the storage systems added, run the following command:
$ karavictl storage get --type powerflex --insecure --admin-token admintoken.yaml --system-id cf786ba3109e8e0f --addr authorization.dell.labs:30601
{
"Endpoint": "https://192.168.105.205/",
"Insecure": true,
"Password": "(omitted)",
"User": "admin"
}
To create a tenant, run the following command:
$ karavictl tenant create --name Tenant01 --approvesdc=false --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
To list the tenants created, run the following command:
$ karavictl tenant get --name Tenant01 --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
{
"name": "Tenant01",
"roles": "Role_Tenant01",
"approvesdc": false
}
A role consists of a name for the role to be bound to a tenant, the storage to use, and the quota limit for the storage pool to be used.
To create a role, run the following command:
$ karavictl role create --role=Role_Tenant01=powerflex=cf786ba3109e8e0f=CSM-Auth=550Gi --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
Note: The --role value has the form Role Name=Storage Type (powerflex)=PowerFlex System ID=Storage Pool (CSM-Auth here)=Quota Size in Gi/GB.
To list the created roles, run the following command:
$ karavictl role get --name Role_Tenant01 --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
{
"Role_Tenant01": {
"system_types": {
"powerflex": {
"system_ids": {
"cf786ba3109e8e0f": {
"pool_quotas": {
"CSM-Auth": 590558003
}
}
}
}
}
}
}
To bind the role to a tenant, run the following command:
$ karavictl rolebinding create --tenant Tenant01 --role Role_Tenant01 --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml
A fresh token must be generated once the role binding is completed. The generated token is used to create the secret that is consumed during the deployment of the CSI drivers. Run the following command to generate a fresh token:
$ karavictl generate token --tenant Tenant01 --insecure --addr authorization.dell.labs:30601 --admin-token admintoken.yaml > Tenant01.yaml
A new token must be created for every new tenant; the token is consumed as the secret for the CSI driver deployment.
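The role create and role get steps above can be cross-checked before the role is bound to a tenant. The following is an added example, not part of the original white paper or of Dell's tooling: it compares the --role value with the JSON returned by karavictl role get and reports any pool or quota that was not requested. The function names are hypothetical, and the stored unit (bytes divided by 1000) is an assumption inferred from this page's figures (550Gi and 590558003).

```python
import json

UNITS = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}
FIELDS = ("name", "system_type", "system_id", "pool", "quota")

def parse_role_spec(spec):
    """Split the --role value: name=type=system_id=pool=quota."""
    parts = spec.split("=")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} '='-separated fields in {spec!r}")
    return dict(zip(FIELDS, parts))

def quota_to_stored(quota):
    """'550Gi' -> bytes // 1000 (ASSUMPTION: unit inferred from this page)."""
    number, suffix = quota[:-2], quota[-2:]
    if suffix not in UNITS or not number.isdigit():
        raise ValueError(f"unsupported quota {quota!r}")
    return int(number) * UNITS[suffix] // 1000

def audit_role(spec, role_get_json):
    """Return findings where the stored role differs from the requested grant."""
    want = parse_role_spec(spec)
    target = (want["system_type"], want["system_id"], want["pool"])
    expected = quota_to_stored(want["quota"])
    role = json.loads(role_get_json).get(want["name"])
    if role is None:
        return [f"role {want['name']} not found"]
    findings, seen = [], False
    for stype, systems in role.get("system_types", {}).items():
        for sid, entry in systems.get("system_ids", {}).items():
            for pool, stored in entry.get("pool_quotas", {}).items():
                if (stype, sid, pool) != target:
                    findings.append(f"unexpected grant {stype}/{sid}/{pool}={stored}")
                    continue
                seen = True
                if stored != expected:
                    findings.append(f"quota {pool}: stored {stored}, expected {expected}")
    if not seen:
        findings.append("requested grant missing: " + "/".join(target))
    return findings

SPEC = "Role_Tenant01=powerflex=cf786ba3109e8e0f=CSM-Auth=550Gi"  # from the page
def role_json(pools):  # builds JSON shaped like the `karavictl role get` output
    return json.dumps({"Role_Tenant01": {"system_types": {"powerflex": {
        "system_ids": {"cf786ba3109e8e0f": {"pool_quotas": pools}}}}}})
PAGE_OUTPUT = role_json({"CSM-Auth": 590558003})                   # values from the page
DRIFTED = role_json({"CSM-Auth": 1181116006, "Other-Pool": 1000})  # constructed sample

if __name__ == "__main__":
    print(audit_role(SPEC, PAGE_OUTPUT))
    print(audit_role(SPEC, DRIFTED))
```

An empty list means the stored role grants exactly what was requested; any finding should be resolved before running rolebinding create.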