Add documentation for using storageClass secrets (#544) (#47)
* Add documentation for using storageClass secrets

* comment fix

* Comment fixes
prankulmahajan authored Nov 22, 2021
1 parent aa1ed88 commit 417312d
Showing 5 changed files with 69 additions and 29 deletions.
35 changes: 35 additions & 0 deletions examples/kubernetes/README.md
@@ -53,3 +53,38 @@ $ dd if=/dev/zero of=/dev/xvda bs=1024k count=100
100+0 records out
104857600 bytes (100.0MB) copied, 0.054862 seconds, 1.8GB/s
```

## StorageClass secret
We can use the storage class secret to overwrite the default values of storageClass parameters. The example below will show how to specify your PVC settings in a Kubernetes secret and reference this secret in a customized storage class. Then, use the customized storage class to create a PVC with the custom parameters that you set in your secret.

### Enabling every user to customize the default PVC settings

1. In your storage class YAML file [examples/kubernetes/my-storagesecretclass.yaml](./my-storagesecretclass.yaml), reference the Kubernetes secret in the `parameters` section as follows. Make sure to add the code as-is and not to change variables names.

```
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
```

Following parameters can be overwritten using the storageclass secret,

```
1. iops
2. zone
3. tags
4. encrypted
5. resourceGroup
6. encryptionKey
```

2. As the cluster user, create a Kubernetes secret like [examples/kubernetes/storageclass-secret.yaml](./storageclass-secret.yaml) which has all the possible parameters that can be overwritten.

3. Create your Kubernetes secret.

```
kubectl apply -f volume-secret.yaml
```

4. Create PVC like [examples/kubernetes/pvc-secret.yaml](./pvc-secret.yaml)

Make sure to create the PVC with the same name as used for storageclass-secret. Using the same name for the secret and the PVC triggers the storage provider to apply the settings of the secret in your PVC.
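Review bot: step 3 applies `volume-secret.yaml`, but step 2 points the reader at `storageclass-secret.yaml`, and no file with the name `volume-secret.yaml` exists in this commit; the command should be `kubectl apply -f storageclass-secret.yaml` (the Secret that file defines is named `volume-secret`, which is probably where the mix-up comes from). The sentence under step 4 should also state that the Secret must live in the same namespace as the PVC, not only share its name, because the class resolves it through `${pvc.name}` and `${pvc.namespace}`. One more sentence is worth adding on the access-control consequence: since `encrypted`, `encryptionKey` and `resourceGroup` are all overridable from that Secret, anyone allowed to create or update Secrets in the namespace can change how volumes are provisioned, so Secret RBAC in that namespace deserves a review. Minor: the numbered list of overridable parameters is wrapped in a code fence; a plain Markdown list would render better.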
21 changes: 21 additions & 0 deletions examples/kubernetes/my-storagesecretclass.yaml
@@ -0,0 +1,21 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: example-storageclass-secret
provisioner: vpc.block.csi.ibm.io
parameters:
profile: "custom" # The VPC Storage profile used.
# iopsPerGB: "5" # The IOPS per Gigabyte that is supported for this profile. This is just for the user info.
sizeRange: "[10-2000]GiB" # The size range in GiB that is supported. The user will specify a size on the PVC
csi.storage.k8s.io/fstype: "ext4" # ext4 is the default filesytem used. The user can override this default
billingType: "hourly" # The default billing policy used. The uer can override this default
encrypted: "false" # By default, all PVC using this class will only be provider managed encrypted. The user can override this default
encryptionKey: "" # If encrypted is true, then a user must specify the encryption key used associated KP instance
resourceGroup: "" # Use resource group if specified here. else use the one mentioned in storage-secrete-store
region: "" # (applicable only for dev/prestage/stage) By default, the storage vpc driver will select a region. The user can override this default
zone: "" # (applicable only for dev/prestage/stage) By default, the storage vpc driver will select a zone. The user can override this default
tags: "" # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user
classVersion: "1"
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
reclaimPolicy: "Retain"
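Review bot: the inline comments were copied over with their typos (`filesytem`, `uer`, `storage-secrete-store`, `overidden`), and the `encrypted` comment ("will only be provider managed encrypted") reads awkwardly; fix them here, since this file is now the reference example. `reclaimPolicy` is `"Retain"` while the class this was derived from used `"Delete"`; that changes what happens to the volume and its data once the PVC is deleted, so either explain the choice in the README or keep `Delete` for the example. Consider also noting in the README which Secret keys are expected when `profile` is `"custom"`, as the class itself sets no `iops`.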
@@ -1,7 +1,7 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: volume-tags-secret
name: volume-secret
spec:
accessModes:
- ReadWriteOnce
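Review bot: renaming the claim to `volume-secret` makes it match the Secret's `metadata.name` in `storageclass-secret.yaml`, which the README says is required for the override to take effect; because that Secret is created in `namespace: default`, please also ensure this PVC is applied in `default` (or set `metadata.namespace` explicitly), otherwise the `${pvc.namespace}` lookup will not find it. The visible lines stop at `accessModes`; confirm the rest of the file sets `storageClassName: example-storageclass-secret`, since that is the only class carrying the provisioner-secret parameters.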
32 changes: 12 additions & 20 deletions examples/kubernetes/storageclass-secret.yaml
@@ -1,21 +1,13 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
apiVersion: v1
kind: Secret
metadata:
name: example-storageclass-secret
provisioner: vpc.block.csi.ibm.io
parameters:
profile: "5iops-tier" # The VPC Storage profile used.
# iopsPerGB: "5" # The IOPS per Gigabyte that is supported for this profile. This is just for the user info.
sizeRange: "[10-2000]GiB" # The size range in GiB that is supported. The user will specify a size on the PVC
csi.storage.k8s.io/fstype: "ext4" # ext4 is the default filesytem used. The user can override this default
billingType: "hourly" # The default billing policy used. The uer can override this default
encrypted: "false" # By default, all PVC using this class will only be provider managed encrypted. The user can override this default
encryptionKey: "" # If encrypted is true, then a user must specify the encryption key used associated KP instance
resourceGroup: "" # Use resource group if specified here. else use the one mentioned in storage-secrete-store
region: "" # (applicable only for dev/prestage/stage) By default, the storage vpc driver will select a region. The user can override this default
zone: "" # (applicable only for dev/prestage/stage) By default, the storage vpc driver will select a zone. The user can override this default
tags: "" # A list of tags "a, b, c" that will be created when the volume is created. This can be overidden by user
classVersion: "1"
csi.storage.k8s.io/provisioner-secret-name: ${pvc.name}
csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
reclaimPolicy: "Delete"
name: volume-secret
namespace: default
stringData:
iops: "<IOPS_value>" # Enter the IOPS as per the profile that you want to allow for your Block Storage instance. It must match the Block Storage for VPC tier that you plan to use.
zone: "<zone>" # Enter the VPC zone where you want to create the Block Storage instance. Make sure that you use a zone that your worker nodes are connected to.
tags: "<tags>" # Enter a comma-separated list of tags to use when the PVC is created. Tags can help you find your storage instance more easily after it is created.
encrypted: "<true_or_false>" # Enter true to create a secret that sets up encryption for Block Storage volumes. If set to true, you need to provider encryption key as well.
resourceGroup: "<resource_group>" # Enter the resource group that you want your Block Storage instance to get access to. By default gets the resource group of your cluster.
encryptionKey: "<encryption_key>" # If you entered true for encrypted stringData, then enter the root key CRN of your Key Protect service instance that you want to use to encrypt your Block Storage volumes.
type: vpc.block.csi.ibm.io
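Review bot: the `encrypted` comment has a typo ("you need to provider encryption key" should read "you need to provide an encryption key"), and the `resourceGroup` comment should read "By default, the resource group of your cluster is used". The README describes this file as holding "all the possible parameters that can be overwritten", yet every value is a `<placeholder>`; please state whether keys the user does not intend to override should be removed or may be left in place, because a leftover `"<true_or_false>"` in `encrypted` is not a usable value. It would also help to say what the driver does when `encrypted` is `"true"` but `encryptionKey` is empty, since the comments currently only say that a key is required.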
8 changes: 0 additions & 8 deletions examples/kubernetes/volume-tags-secret.yaml

This file was deleted.
