Install Portworx on Azure Kubernetes Service (AKS)
This topic explains how to install Portworx on Azure Kubernetes Service (AKS). Follow the steps in this topic in order.
If you have a compute load that can elastically increase or decrease based on workload demand, you might want to learn how to install Portworx in disaggregated mode.
Prerequisites
- An AKS cluster that meets the Portworx prerequisites
- The Azure CLI must be installed
- Supported disk types
- Portworx recommends that you set max number of storage nodes. When specified Portworx will ensure the desired number of storage nodes exist in the zone.
- For production environments Portworx, Inc. recommends 3 Availability Zones (AZs) with one node per zone.
- Portworx recommends you set Max storage nodes per availability zone, Portworx will ensure that many storage nodes exist in the zone.
- For existing clusters, name of "AKS cluster Infrastructure Resource Group" or initial Resource Group name used to create the cluster and cluster name.
- If you're using Azure Cloud Drive encryption using your own key, you must have an Azure KeyVault instance created in the same region as the AKS cluster.
Prepare your AKS platform
To set up the Azure Kubernetes Service (AKS) to use Portworx, follow the steps below.
-
Log in to Azure and save your
az login
subscription ID ("id"
) for future reference:az login
[
{
"cloudName": "AzureCloud",
"homeTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
"isDefault": true,
"managedByTenants": [],
"name": "Example name",
"state": "Enabled",
"tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
"user": {
"name": "user@example.com",
"type": "user"
}
}
] -
Set the subscription:
az account set --subscription <Your-Azure-Subscription-UUID>
-
Get the Azure locations using the Azure CLI command:
az account list-locations
-
Create an Azure Resource Group by specifying its name and the location in which you will be deploying your AKS cluster:
az group create --name <resource-group-name> --location <location>
-
Create the AKS cluster in the above Resource Group using either the Azure CLI or the Azure Portal. If you have already deployed an AKS cluster, then create the Service Principal for the Resource Group in which your AKS cluster is present.
- If you want to use Azure ultra disks, add the
--enable-ultra-ssd
parameter to theaz aks create
command while creating the AKS cluster. For more information, see the Azure documentation.
- If you want to use Azure ultra disks, add the
-
Create a custom role for Portworx. Enter the subscription ID using the subscription ID value you saved in step 1, also specify a role name:
az role definition create --role-definition '{
"Name": "<your-role-name>",
"Description": "",
"AssignableScopes": [
"/subscriptions/<your-subscription-id>"
],
"Actions": [
"Microsoft.ContainerService/managedClusters/agentPools/read",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": []
}'
Create a Service Principal and secret in Azure AD
-
Find the AKS cluster Infrastructure Resource Group, the following command shows the Infrastructure Resource Group for a given cluster name and AKS resource group:
az aks show -n <aks-cluster-name> -g <aks-resource-group> | jq -r '.nodeResourceGroup'
-
Create a service principal for Portworx custom role and replace the following with your cluster's values:
- Your AKS cluster name
- Your subscription ID
- The name of the custom role that you created in the previous section
az ad sp create-for-rbac --role=<your-role-name> --scopes="/subscriptions/<your-subscription-id>/resourceGroups/<aks-infrastructure-resource-group>"
{
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
"displayName": "azure-cli-2020-10-10-10-10-10",
"name": "http://azure-cli-2020-10-10-10-10-10",
"password": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
"tenant": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab"
} -
Create a secret called
px-azure
to give Portworx access to Azure APIs. Take the following fields from the previous output and use them in the following command:- Set
AZURE_TENANT_ID
to the value fortenant
- Set
AZURE_CLIENT_ID
to the value forappId
- Set
AZURE_CLIENT_SECRET
to the value forpassword
kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_TENANT_ID=<tenant> \
--from-literal=AZURE_CLIENT_ID=<appId> \
--from-literal=AZURE_CLIENT_SECRET=<password>secret/px-azure created
- Set
Now that you've created the secret, you're ready to create the spec and deploy Portworx. The spec generator automatically incorporates the secret that you created, and Portworx will fetch the secret to authenticate. Proceed to the next section to install Portworx.
Install Portworx on AKS using the Operator
Generate the specs
To install Portworx with Kubernetes, navigate to Portworx Central and log in, or create an account, then follow the process to generate the specs.
For deploying Portworx on an Azure Sovereign cloud, click Customize at the bottom of the Summary section. Navigate to the Customize page and specify the value of the AZURE_ENVIRONMENT
variable under Environment Variables.
Deploy the Operator
To deploy the Operator, run the command that Portworx Central provided, which looks similar to the following:
kubectl apply -f 'https://install.portworx.com/<version-number>?comp=pxoperator'
serviceaccount/portworx-operator created
podsecuritypolicy.policy/px-operator created
clusterrole.rbac.authorization.k8s.io/portworx-operator created
clusterrolebinding.rbac.authorization.k8s.io/portworx-operator created
deployment.apps/portworx-operator created
Verify the Operator is running.
kubectl get pods -A | grep "portworx"
kube-system portworx-operator-584ccd74c7-7bhkt 1/1 Running 0 3m48s
Deploy the StorageCluster
To deploy the StorageCluster, use one of the following methods.
-
If you are not enabling cloud drive encryption using your own key, run the command that Portworx Central provided, which looks similar to the following:
kubectl apply -f 'https://install.portworx.com/<version-number>?operator=true&mc=false&kbver=&b=true&kd=type%3DPremium_LRS%2Csize%3D150&s=%22type%3DPremium_LRS%2Csize%3D150%22&c=px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3aefe978ab64&aks=true&stork=true&csi=true&mon=true&tel=false&st=k8s&promop=true'
storagecluster.core.libopenstorage.org/px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-8dfd338e915b created
-
If you want to enable Azure cloud drive encryption using your own key, perform the following steps:
-
Download the spec that you generated in Portworx Central.
-
Create a Disk Encryption Set ID by using the instructions on Enable Customer Managed Keys page in the Microsoft documentation.
-
Append the
diskEncryptionSetID
value from the previous step to theStorageCluster
spec you downloaded as follows:cloudStorage:
deviceSpecs:
- type=Premium_LRS,size=50,diskEncryptionSetID=<disk-encryption-set-id>Where
<disk-encryption-set-id>
is in the following format:/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Compute/diskEncryptionSets/<disk-encryption-set-name>
-
Apply the modified spec:
kubectl apply -f <spec-file.yaml>
storagecluster.core.libopenstorage.org/px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-8dfd338e915b created
-
Verify your Portworx installation
Once you've installed Portworx, you can perform the following tasks to verify that Portworx has installed correctly.
Verify if all pods are running
Enter the following kubectl get pods
command to list and filter the results for Portworx pods:
kubectl get pods -n <px-namespace> -o wide | grep -e portworx -e px
portworx-api-774c2 1/1 Running 0 2m55s 192.168.121.196 username-k8s1-node0 <none> <none>
portworx-api-t4lf9 1/1 Running 0 2m55s 192.168.121.99 username-k8s1-node1 <none> <none>
portworx-api-dvw64 1/1 Running 0 2m55s 192.168.121.99 username-k8s1-node2 <none> <none>
portworx-kvdb-94bpk 1/1 Running 0 4s 192.168.121.196 username-k8s1-node0 <none> <none>
portworx-kvdb-8b67l 1/1 Running 0 10s 192.168.121.196 username-k8s1-node1 <none> <none>
portworx-kvdb-fj72p 1/1 Running 0 30s 192.168.121.196 username-k8s1-node2 <none> <none>
portworx-operator-58967ddd6d-kmz6c 1/1 Running 0 4m1s 10.244.1.99 username-k8s1-node0 <none> <none>
prometheus-px-prometheus-0 2/2 Running 0 2m41s 10.244.1.105 username-k8s1-node0 <none> <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-9gs79 2/2 Running 0 2m55s 192.168.121.196 username-k8s1-node0 <none> <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-vpptx 2/2 Running 0 2m55s 192.168.121.99 username-k8s1-node1 <none> <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-bxmpn 2/2 Running 0 2m55s 192.168.121.191 username-k8s1-node2 <none> <none>
px-csi-ext-868fcb9fc6-54bmc 4/4 Running 0 3m5s 10.244.1.103 username-k8s1-node0 <none> <none>
px-csi-ext-868fcb9fc6-8tk79 4/4 Running 0 3m5s 10.244.1.102 username-k8s1-node2 <none> <none>
px-csi-ext-868fcb9fc6-vbqzk 4/4 Running 0 3m5s 10.244.3.107 username-k8s1-node1 <none> <none>
px-prometheus-operator-59b98b5897-9nwfv 1/1 Running 0 3m3s 10.244.1.104 username-k8s1-node0 <none> <none>
Note the name of one of your px-cluster
pods. You'll run pxctl
commands from these pods in following steps.
Verify Portworx cluster status
You can find the status of the Portworx cluster by running pxctl status
commands from a pod. Enter the following kubectl exec
command, specifying the pod name you retrieved in the previous section:
kubectl exec <pod-name> -n <px-namespace> -- /opt/pwx/bin/pxctl status
Defaulted container "portworx" out of: portworx, csi-node-driver-registrar
Status: PX is operational
Telemetry: Disabled or Unhealthy
Metering: Disabled or Unhealthy
License: Trial (expires in 31 days)
Node ID: xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e
IP: 192.168.121.99
Local Storage Pool: 1 pool
POOL IO_PRIORITY RAID_LEVEL USABLE USED STATUS ZONE REGION
0 HIGH raid0 3.0 TiB 10 GiB Online default default
Local Storage Devices: 3 devices
Device Path Media Type Size Last-Scan
0:1 /dev/vdb STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
0:2 /dev/vdc STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
0:3 /dev/vdd STORAGE_MEDIUM_MAGNETIC 1.0 TiB 14 Jul 22 22:03 UTC
* Internal kvdb on this node is sharing this storage device /dev/vdc to store its data.
total - 3.0 TiB
Cache Devices:
* No cache devices
Cluster Summary
Cluster ID: px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d
Cluster UUID: xxxxxxxx-xxxx-xxxx-xxxx-6f3fd5522eae
Scheduler: kubernetes
Nodes: 3 node(s) with storage (3 online)
IP ID SchedulerNodeName Auth StorageNode Used Capacity Status StorageStatus Version Kernel OS
192.168.121.196 xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc username-k8s1-node0 Disabled Yes 10 GiB 3.0 TiB Online Up 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
192.168.121.99 xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e username-k8s1-node1 Disabled Yes 10 GiB 3.0 TiB Online Up (This node) 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
192.168.121.191 xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a username-k8s1-node2 Disabled Yes 10 GiB 3.0 TiB Online Up 2.11.0-81faacc 3.10.0-1127.el7.x86_64 CentOS Linux 7 (Core)
Global Storage Pool
Total Used : 30 GiB
Total Capacity : 9.0 TiB
The Portworx status will display PX is operational
if your cluster is running as intended.
Verify pxctl cluster provision status
-
Find the storage cluster, the status should show as
Online
:kubectl -n <px-namespace> get storagecluster
NAME CLUSTER UUID STATUS VERSION AGE
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d xxxxxxxx-xxxx-xxxx-xxxx-6f3fd5522eae Online 2.11.0 10m -
Find the storage nodes, the statuses should show as
Online
:kubectl -n <px-namespace> get storagenodes
NAME ID STATUS VERSION AGE
username-k8s1-node0 xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc Online 2.11.0-81faacc 11m
username-k8s1-node1 xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e Online 2.11.0-81faacc 11m
username-k8s1-node2 xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a Online 2.11.0-81faacc 11m -
Verify the Portworx cluster provision status. Enter the following
kubectl exec
command, specifying the pod name you retrieved in the previous section:kubectl exec <pod-name> -n <px-namespace> -- /opt/pwx/bin/pxctl cluster provision-status
Defaulted container "portworx" out of: portworx, csi-node-driver-registrar
NODE NODE STATUS POOL POOL STATUS IO_PRIORITY SIZE AVAILABLE USED PROVISIONED ZONE REGION RACK
xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e Up 0 ( xxxxxxxx-xxxx-xxxx-xxxx-4d74ecc7e159 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default
xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc Up 0 ( xxxxxxxx-xxxx-xxxx-xxxx-97e4359e57c0 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default
xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a Up 0 ( xxxxxxxx-xxxx-xxxx-xxxx-8904cab0e019 ) Online HIGH 3.0 TiB 3.0 TiB 10 GiB 0 B default default default
Create your first PVC
For your apps to use persistent volumes powered by Portworx, you must use a StorageClass that references Portworx as the provisioner. Portworx includes a number of default StorageClasses, which you can reference with PersistentVolumeClaims (PVCs) you create. For a more general overview of how storage works within Kubernetes, refer to the Persistent Volumes section of the Kubernetes documentation.
Perform the following steps to create a PVC:
-
Create a PVC referencing the
px-csi-db
default StorageClass and save the file:kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: px-check-pvc
spec:
storageClassName: px-csi-db
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi -
Run the
kubectl apply
command to create a PVC:kubectl apply -f <your-pvc-name>.yaml
persistentvolumeclaim/example-pvc created
Verify your StorageClass and PVC
-
Enter the
kubectl get storageclass
command:kubectl get storageclass
NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE ALLOWVOLUMEEXPANSION AGE
px-csi-db pxd.portworx.com Delete Immediate true 43d
px-csi-db-cloud-snapshot pxd.portworx.com Delete Immediate true 43d
px-csi-db-cloud-snapshot-encrypted pxd.portworx.com Delete Immediate true 43d
px-csi-db-encrypted pxd.portworx.com Delete Immediate true 43d
px-csi-db-local-snapshot pxd.portworx.com Delete Immediate true 43d
px-csi-db-local-snapshot-encrypted pxd.portworx.com Delete Immediate true 43d
px-csi-replicated pxd.portworx.com Delete Immediate true 43d
px-csi-replicated-encrypted pxd.portworx.com Delete Immediate true 43d
px-db kubernetes.io/portworx-volume Delete Immediate true 43d
px-db-cloud-snapshot kubernetes.io/portworx-volume Delete Immediate true 43d
px-db-cloud-snapshot-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d
px-db-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d
px-db-local-snapshot kubernetes.io/portworx-volume Delete Immediate true 43d
px-db-local-snapshot-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d
px-replicated kubernetes.io/portworx-volume Delete Immediate true 43d
px-replicated-encrypted kubernetes.io/portworx-volume Delete Immediate true 43d
stork-snapshot-sc stork-snapshot Delete Immediate true 43dkubectl
returns details about the StorageClasses available to you. Verify thatpx-csi-db
appears in the list. -
Enter the
kubectl get pvc
command. If this is the only StorageClass and PVC that you've created, you should see only one entry in the output:kubectl get pvc <your-pvc-name>
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
example-pvc Bound pvc-xxxxxxxx-xxxx-xxxx-xxxx-2377767c8ce0 2Gi RWO example-storageclass 3m7skubectl
returns details about your PVC if it was created correctly. Verify that the configuration details appear as you intended. -
Once the verification is done, you can ahead and delete the pvc which is created in the earlier steps.
kubectl delete pvc <your-pvc-name>
persistentvolumeclaim "px-check-pvc" deleted
-
That's it, now you're good to go.