Use FlashBlade as Backend Storage
This section provides instructions for configuring your environment to use FlashBlade as backend storage for Kubernetes applications for single-tenant and multi-tenant setups.
Before you begin preparing your environment, ensure that all system requirements are met.
Set up user access in FlashBlade
To establish secure communication between PX-CSI and FlashBlade, create a user account and generate an API token. This token acts as an authentication key, allowing PX-CSI to interact with FlashBlade and perform storage operations on behalf of the authorized user.
FlashBlade without secure multi-tenancy

- Create a user to access the FlashBlade array. For more information, see the Creating a User section in the FlashBlade Administration Guide.
- Generate an API token for the user. For more information, see the Creating an API Token section in the FlashBlade Administration Guide.
  Save the API token in a secure location. You need this token when creating the pure.json file in the next step.

FlashBlade with secure multi-tenancy

FlashBlade with secure multi-tenancy (using Realms) provides isolated credentials and resource boundaries. This feature requires PX-CSI 26.2.0 or later and Purity version 4.6.1 or later.
To configure FlashBlade for PX-CSI with secure multi-tenancy, perform the following steps as described in the FlashBlade Administration Guide.

- Create a Realm.
- Create a management access policy for the Realm.
- Create an NFS server within the Realm.
- (Optional) Create an NFS export policy. PX-CSI automatically creates NFS export policies when provisioning volumes. You can also pre-create the policy and use this policy in your StorageClass configuration. If you are pre-creating the policy, ensure that at least one NFS export rule exists in the policy.
  Default values when PX-CSI creates the policy:
  - Client: * (all clients)
  - Access: root-squash
  You can override these values using the pure_nfs_export_rules_client and pure_nfs_export_rules_access StorageClass parameters.
- Create a realm user with the management access policy you created for the Realm.
- Generate an API token for the realm user.
  Save the API token in a secure location. You need this token when creating the pure.json file in the next step.
Create pure.json file
To integrate PX-CSI with FlashBlade, create a JSON configuration file (named pure.json) containing essential information about the FlashBlade environment. This file should include the management endpoints and the API token you generated.
- Management endpoints: These are URLs or IP addresses that PX-CSI uses to communicate with FlashBlade through API calls. To locate these, go to Settings > Network in your FlashBlade dashboard. Note the IP addresses or hostnames of your management interfaces, prefixed with vir, indicating virtual interfaces.
- API token: Generated in the previous section.
- NFSEndPoint: NFS endpoint of FlashBlade.
Add the FlashBlade configuration to the Kubernetes secret by following these steps:
Use the above information to create a JSON file. Below is a template for the configuration content, which you should populate with your specific information:
If you are configuring both FlashArray and FlashBlade, you can add FlashArray configuration information in the same file. Refer to the JSON file for more information.
FlashBlade without secure multi-tenancy

    {
      "FlashBlades": [
        {
          "MgmtEndPoint": "<fb-management-endpoint>",
          "APIToken": "<fb-api-token>",
          "NFSEndPoint": "<fb-nfs-endpoint>"
        }
      ]
    }

FlashBlade with secure multi-tenancy

For APIToken, use the API token generated for the realm user.

    {
      "FlashBlades": [
        {
          "MgmtEndPoint": "<fb-management-endpoint>",
          "APIToken": "<fb-api-token-for-realm-user>",
          "Realm": "<realm-name>",
          "NFSEndPoint": "<fb-nfs-endpoint>"
        }
      ]
    }
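A pre-flight check for the pure.json file described above, to run before the file is loaded into the Kubernetes secret. This is an added example, not part of PX-CSI or the original documentation: check_pure_json, write_private and the expect_realm parameter are hypothetical names, the sample values are constructed, and treating MgmtEndPoint, APIToken and NFSEndPoint as mandatory is an assumption based on the templates.

```python
import json
import os
import stat

# Keys shown in the templates above; treating all three as mandatory is an assumption.
REQUIRED = ("MgmtEndPoint", "APIToken", "NFSEndPoint")

def write_private(path, text):
    """Create the file with mode 0600 from the start, since it holds an API token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)

def check_pure_json(path, expect_realm=False):
    """Return a list of problems in a pure.json file; an empty list means it passed."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} lets group/other access the token; use 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except json.JSONDecodeError as exc:
        # Typical cause: a '#' comment pasted along with the template.
        return problems + [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    blades = doc.get("FlashBlades") if isinstance(doc, dict) else None
    if not isinstance(blades, list) or not blades:
        return problems + ["'FlashBlades' must be a non-empty list"]
    keys = REQUIRED + (("Realm",) if expect_realm else ())
    for i, fb in enumerate(blades):
        for key in keys:
            value = fb.get(key) if isinstance(fb, dict) else None
            if not isinstance(value, str) or not value.strip():
                problems.append(f"FlashBlades[{i}].{key} is missing or empty")
            elif value.startswith("<") and value.endswith(">"):
                problems.append(f"FlashBlades[{i}].{key} still holds a placeholder")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: realm template with one placeholder left in place.
    sample = json.dumps({"FlashBlades": [{
        "MgmtEndPoint": "fb-mgmt.example.internal",
        "APIToken": "<fb-api-token-for-realm-user>",
        "Realm": "realm-a",
        "NFSEndPoint": "fb-nfs.example.internal"}]})
    path = os.path.join(tempfile.mkdtemp(), "pure.json")
    write_private(path, sample)
    for line in check_pure_json(path, expect_realm=True) or ["pure.json passed"]:
        print(line)
```

Pass expect_realm=True when checking a file built from the secure multi-tenancy template.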
(Optional) CSI topology feature
PX-CSI supports topology-aware storage provisioning for Kubernetes applications. By specifying topology information, such as node, zone, or region, you can control where volumes are provisioned. This ensures that storage aligns with your application's requirements for availability, performance, and fault tolerance. PX-CSI optimizes storage placement, improving efficiency and resilience in multi-zone or multi-region Kubernetes environments. For more information, see CSI topology.
To prepare your environment for using the topology-aware provisioning feature, follow these steps:
- Edit the pure.json file created in the previous section to define the topology for each FlashBlade. For more information, refer to the pure.json with CSI topology.
- Label your Kubernetes nodes with values that correspond to the labels defined in the pure.json file. For example:

    kubectl label node <nodeName> topology.portworx.io/zone=zone-0
    kubectl label node <nodeName> topology.portworx.io/region=region-0

Add FlashBlade Configuration to a Kubernetes Secret
To enable PX-CSI to access the FlashBlade configuration, add the pure.json file to a Kubernetes secret by running the following command to create a secret named px-pure-secret:
OpenShift Container Platform

    oc create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>
    secret/px-pure-secret created

Other Kubernetes platforms

    kubectl create secret generic px-pure-secret --namespace <stc-namespace> --from-file=pure.json=<file path>
    secret/px-pure-secret created

The specific name px-pure-secret is required so that PX-CSI can correctly identify and access the Kubernetes secret upon startup. This secret securely stores the FlashBlade configuration details and allows PX-CSI to access this information within the Kubernetes environment.