Home > Workload Solutions > Container Platforms > Red Hat OpenShift Container Platform > Archive > Implementation Guide—Red Hat OpenShift Container Platform 4.10 on AMD-powered Dell Infrastructure > Overview
Dell Technologies Container Storage Modules (CSMs) are an extension to the traditional CSI drivers. CSMs enable simple and consistent integration for cloud-native stateful applications. As part of this validated design, the Dell OpenShift engineering team validated two of the CSMs—Authorization and Observability—on PowerMax and PowerStore servers respectively.
The following table shows the support matrix for Dell CSM and CSI drivers. For more information, see the Dell Technologies Container Storage Modules page.
CSM module | CSI PowerFlex v2.3.0 | CSI PowerScale v2.3.0 | CSI PowerStore v2.3.0 | CSI PowerMax v2.3.0 |
Authorization v1.3 | ✔️ | ✔️ | ❌ | ✔️ |
Observability v1.2 | ✔️ | ❌ | ✔️ | ❌ |
Replication v1.3 | ❌ | ✔️ | ✔️ | ✔️ |
Resiliency v1.2 | ✔️ | ✔️ | ❌ | ❌ |
This section describes how to deploy CSM Authorization and CSI drivers for PowerMax. A Helm-based approach is used for deployment of both the CSM and the CSI.
Note: Helm-based CSM Authorization deployment requires a persistent volume (PV) other than the PowerMax CSI that is deployed after the CSM. If a PV is not available, it is possible to deploy the CSM on another OpenShift cluster that has network connectivity to the primary cluster.
The high-level steps for CSM Authorization deployment are:
Ensure that:
To deploy CSM Authorization, perform the following steps on the CSAH node:
[core@csah-pri ~]$ git clone https://github.com/dell/helm-charts.git
[core@csah-pri ~]$ oc new-project authorization
[core@csah-pri helm-charts]$ oc create secret generic karavi-config-secret -n authorization --from-file=config.yaml=<config file>
[core@csah-pri helm-charts]$ helm -n authorization install authorization -f myvalues.yaml charts/csm-authorization
[core@csah-pri helm-charts]$ oc get svc authorization-ingress-nginx-controller -n authorization
authorization-ingress-nginx-controller LoadBalancer 172.30.32.204 <pending> 80:31305/TCP,443:30172/TCP 5d21h
From the output in the preceding example, the port is 30172.
The Karavictl CLI is required to create and manage CSM Authorization objects—Storage Systems, Tenants, Roles, and RoleBindings. The CLI can be installed on the CSAH node.
In the following commands, the authorization hostname is csm-authorization.dcws.lab and the ingress port is 30172. Set these values to the hostname that you configured while installing CSM and the port you assigned to authorization-ingress-nginx-controller service in Installing CSM Authorization using Helm.
[core@csah-pri helm-charts]$ karavictl storage create --type powermax --endpoint https://<PowerMax unisphere IP>:8443 --system-id <PowerMax id> --user <PowerMax unisphere user> --password <PowerMax unisphere user password> --insecure --array-insecure --addr "storage csm-authorization.dcws.lab:30172"
[core@csah-pri helm-charts]$ karavictl tenant create --name Finance --insecure --addr "tenant. csm-authorization.dcws.lab:30172"
[core@csah-pri helm-charts]$ karavictl role create --insecure --addr role.csm-authorization.dcws.lab:30172 --role=<role name>=powermax=<PowerMax id>=<PowerMax storage resource pool name>=<storage quota for the role>
[core@csah-pri helm-charts]$ karavictl rolebinding create --tenant <tenant name> --role <role name> --insecure --addr "tenant.csm-authorization.dcws.lab:30172"
[core@csah-pri helm-charts]$ karavictl generate token --tenant Finance --insecure --addr "tenant.csm-authorization.dcws.lab:30172" | jq -r '.Token' > token.yaml
This token is used to create the secret in the namespace where the CSI driver will be installed.
Ensure that:
The CSI driver is deployed along with the authorization sidecar containers to enable the CSM. To deploy the Dell CSI driver for PowerMax:
[core@csah-pri ~]$git clone -b v2.3.0 https://github.com/dell/csi-powermax.git
[core@csah-pri ~]$ oc new-project powermax
[core@csah-pri ~]$ oc apply -f token.yaml -n powermax
[core@csah-pri ~]$ oc -n powermax create secret generic karavi-authorization-config --from-file=config=karavi-authorization-config.json -o yaml --dry-run=client | oc apply -f -
[core@csah-pri ~]$ oc -n powermax create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | oc apply -f -
[core@csah-pri dell-csi-helm-installer]$ ./csi-install.sh --namespace powermax --skip-verify-node --values <PowerMax settings yaml file>
The PVC remains in a pending state and you will see an error message similar to the following snippet when the PVC is described:
csi-powermax.dellemc.com_powermax-controller-7b55954769-vztql_49f40103-71ca-4518-8f22-e1e02b374cb2 failed to provision volume with StorageClass "powermaxsc-iscsi": rpc error: code = Internal desc = Could not create volume: pmax-bd536f220d: couldn't create volume. error - request denied: no roles in [FinanceRole] allow the 115344000 Kb request on powermax/000297901797/SRP_1
The section describes how to deploy CSM Observability for PowerStore.
The high-level steps for CSM Observability deployment are:
Ensure that:
To deploy CSM Observability:
[core@csah-pri ~]$ git clone https://github.com/dell/karavi-observability.git
[core@csah-pri ~]$ cd karavi-observability/installer
[core@csah-pri installer]$ ./karavi-observability-install.sh install --namespace <namespace where observability will be installed> --values myvalues.yaml
[core@csah-pri installer]$ oc get pods -n <observability namespace>
NAME READY STATUS RESTARTS AGE
karavi-metrics-powerstore-7f64dddd55-8g59v 1/1 Running 0 20h
karavi-observability-cert-manager-74555ff9c8-s5nmm 1/1 Running 0 20h
karavi-observability-cert-manager-cainjector-7d4f86fbb7-4ln7z 1/1 Running 0 20h
karavi-observability-cert-manager-webhook-86f5f456fb-9sdfq 1/1 Running 0 20h
karavi-topology-54ff74c46f-86tbn 1/1 Running 0 20h
otel-collector-84879ff78c-vmw6g 2/2 Running 0 20h
CSM Observability requires the following components:
To deploy Prometheus:
[core@csah-pri installer]$ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
"prometheus-community" has been added to your repositories
[core@csah-pri installer]$ helm repo add stable https://charts.helm.sh/stable
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
"stable" has been added to your repositories
[core@csah-pri installer]$ helm repo update
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "dell" chart repository
...Successfully got an update from the "prometheus-community" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
[core@csah-pri installer]$ helm install prometheus prometheus-community/prometheus -n <observability namespace> -f prometheus-values.yaml
To deploy Grafana:
[core@csah-pri installer]$ helm repo add grafana https://grafana.github.io/helm-charts
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
"grafana" has been added to your repositories
[root@ocp10-csah installer]# helm repo update
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /root/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /root/.kube/config
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "dell" chart repository
...Successfully got an update from the "grafana" chart repository
...Successfully got an update from the "prometheus-community" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
[core@csah-pri installer]$ helm install grafana grafana/grafana -n <observability namespace> -f grafana-values.yaml
[core@csah-pri installer]$ oc get pods
NAME READY STATUS RESTARTS AGE
grafana-65664685f9-vj4zc 3/3 Running 0 2h
karavi-metrics-powerscale-56569fc59d-k546l 1/1 Running 0 2h
karavi-metrics-powerstore-fc9f6657b-lghsx 1/1 Running 0 2h
karavi-observability-cert-manager-74555ff9c8-j29xd 1/1 Running 0 2h
karavi-observability-cert-manager-cainjector-7d4f86fbb7-k67cz 1/1 Running 0 2h
karavi-observability-cert-manager-webhook-ddb4f6b8-k2bbq 1/1 Running 0 2h
karavi-topology-779499b58d-qtkxl 1/1 Running 0 2h
otel-collector-596b74666c-4dkhl 2/2 Running 0 2h
prometheus-server-7dc7c7bffb-9d9v7 1/1 Running 0 2h
[core@csah-pri installer]$ oc get svc grafana
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
grafana NodePort 172.30.215.181 <none> 80:31472/TCP 2h
The output shows that the Grafana UI is accessible through port 31472.
The following figures show the Grafana dashboards:
Figure 25. PowerStore Filesystem I/O metrics
Figure 26. PowerStore Storage Class capacity
Figure 27. PowerStore CSI driver topology