Install Portworx on Azure Kubernetes Service (AKS)

This guide provides instructions for installing Portworx on Azure Kubernetes Service (AKS) using either PX-StoreV1 or PX-StoreV2.

PX-StoreV1 is the traditional storage backend for Portworx Enterprise. PX-StoreV2 focuses on volume management with optimized metadata handling and performance metrics, making it suitable for high-performance environments. For more information about these backends, refer to the PX-StoreV2 concept topic.

note

• For PX-StoreV2, the add-drive method is not supported for horizontally expanding the storage pool by adding drives.
  • only resize-disk or auto is supported.
• If you have a compute load that can elastically increase or decrease based on workload demand, you might want to learn how to install Portworx in disaggregated mode.

Prerequisites

• An AKS cluster that meets the Portworx prerequisites
• The Azure CLI must be installed
• Supported disk types
• Portworx recommends that you set max number of storage nodes. When specified Portworx will ensure the desired number of storage nodes exist in the zone.
• For production environments Portworx, Inc. recommends 3 Availability Zones (AZs) with one node per zone.
• For existing clusters, name of "AKS cluster Infrastructure Resource Group" or initial Resource Group name used to create the cluster and cluster name.
• If you're using Azure Cloud Drive encryption using your own key, you must have an Azure KeyVault instance created in the same region as the AKS cluster.

Prepare your AKS platform

To set up the Azure Kubernetes Service (AKS) to use Portworx, follow the steps below.

1. Log in to Azure and save your az login subscription ID ("id") for future reference:

   az login

   [
       {
           "cloudName": "AzureCloud",
           "homeTenantId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
           "id": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
           "isDefault": true,
           "managedByTenants": [],
           "name": "Example name",
           "state": "Enabled",
           "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
           "user": {
           "name": "user@example.com",
           "type": "user"
           }
       }
   ]

2. Set the subscription:

   az account set --subscription <Your-Azure-Subscription-UUID>

3. Get the Azure locations using the Azure CLI command:

   az account list-locations

4. Create an Azure Resource Group by specifying its name and the location in which you will be deploying your AKS cluster:

   az group create --name <resource-group-name> --location <location>

5. Create the AKS cluster in the above Resource Group using either the Azure CLI or the Azure Portal. If you have already deployed an AKS cluster, then create the Service Principal for the Resource Group in which your AKS cluster is present.

   • If you want to use Azure ultra disks, add the --enable-ultra-ssd parameter to the az aks create command while creating the AKS cluster. For more information, see the Azure documentation.

6. Create a custom role for Portworx. Enter the subscription ID using the subscription ID value you saved in step 1, also specify a role name:

   az role definition create --role-definition '{
   "Name": "<your-role-name>",
   "Description": "",
   "AssignableScopes": [
       "/subscriptions/<your-subscription-id>"
   ],
   "Actions": [
       "Microsoft.ContainerService/managedClusters/agentPools/read",
       "Microsoft.Compute/disks/delete",
       "Microsoft.Compute/disks/write",
       "Microsoft.Compute/disks/read",
       "Microsoft.Compute/virtualMachines/write",
       "Microsoft.Compute/virtualMachines/read",
       "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
       "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read"
   ],
   "NotActions": [],
   "DataActions": [],
   "NotDataActions": []
   }'

Create a Service Principal and secret in Azure AD

1. Find the AKS cluster Infrastructure Resource Group, the following command shows the Infrastructure Resource Group for a given cluster name and AKS resource group:

   az aks show -n <aks-cluster-name> -g <aks-resource-group> | jq -r '.nodeResourceGroup'

2. Create a service principal for Portworx custom role and replace the following with your cluster's values:

   • Your AKS cluster name
   • Your subscription ID
   • The name of the custom role that you created in the previous section

   az ad sp create-for-rbac --role=<your-role-name> --scopes="/subscriptions/<your-subscription-id>/resourceGroups/<aks-infrastructure-resource-group>"

   {
     "appId": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
     "displayName": "azure-cli-2020-10-10-10-10-10",
     "name": "http://azure-cli-2020-10-10-10-10-10",
     "password": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab",
     "tenant": "xxxxxxxx-xxxx-xxxx-xxxx-1234567890ab"
   }

3. Create a secret called px-azure to give Portworx access to Azure APIs. Take the following fields from the previous output and use them in the following command:

   • Set AZURE_TENANT_ID to the value for tenant
   • Set AZURE_CLIENT_ID to the value for appId
   • Set AZURE_CLIENT_SECRET to the value for password

   kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_TENANT_ID=<tenant> \
                                                         --from-literal=AZURE_CLIENT_ID=<appId> \
                                                         --from-literal=AZURE_CLIENT_SECRET=<password>

   secret/px-azure created

Now that you've created the secret, you're ready to create the spec and deploy Portworx. The spec generator automatically incorporates the secret that you created, and Portworx will fetch the secret to authenticate. Proceed to the next section to install Portworx.

Install Portworx on AKS using the Operator

Generate the specs

PX-StoreV1

1. Sign in to the Portworx Central console.
   The system displays the Welcome to Portworx Central! page.

2. In the Portworx Enterprise section, select Generate Cluster Spec.
   The system displays the Generate Spec page.

3. From the Portworx Version dropdown menu, select the Portworx version to install.

4. For Platform, select your K8s Azure as your cloud environment.

5. For Distribution Name, select Azure Kubernetes Service (AKS).

6. Click Save Spec to generate the specs. You may customize the storage and network for your Portworx cluster if needed, by clicking on Customize.

PX-StoreV2

1. Sign in to the Portworx Central console.
   The system displays the Welcome to Portworx Central! page.

2. In the Portworx Enterprise section, select Generate Cluster Spec.
   The system displays the Generate Spec page.

3. From the Portworx Version dropdown menu, select the Portworx version to install.

4. For Platform, select your K8s Azure as your cloud environment.

5. For Distribution Name, select Azure Kubernetes Service (AKS) then click Customize at the bottom of the Summary section.

6. On the Basic page, ensure that the Use the Portworx Operator and Built-in ETCD options are selected. For Portworx version, select the same value from the dropdown that you have set as your Portworx version in the Configure your environment section and click Next.

7. In the Storage window, select PX-StoreV2 checkbox, and select volume type and size, rest keep the recommended default values and click Next.

8. Choose your network options and click Next.

9. Click Finish to generate the specs. You may customize the environment variable, registry, security, and advanced setting for your Portworx cluster if needed in Deployment window.

10. Save generated spec for future reference.

note

For deploying Portworx on an Azure Sovereign cloud, click Customize at the bottom of the Summary section. Navigate to the Customize page and specify the value of the AZURE_ENVIRONMENT variable under Environment Variables.

Deploy the Operator

To deploy the Operator, run the command that Portworx Central provided, which looks similar to the following:

kubectl apply -f 'https://install.portworx.com/<version-number>?comp=pxoperator'

serviceaccount/portworx-operator created
podsecuritypolicy.policy/px-operator created
clusterrole.rbac.authorization.k8s.io/portworx-operator created
clusterrolebinding.rbac.authorization.k8s.io/portworx-operator created
deployment.apps/portworx-operator created

Verify the Operator is running.

kubectl get pods -A | grep "portworx"

kube-system         portworx-operator-584ccd74c7-7bhkt                   1/1     Running   0              3m48s

Deploy the StorageCluster

To deploy the StorageCluster, use one of the following methods.

• If you are not enabling cloud drive encryption using your own key, run the command that Portworx Central provided, which looks similar to the following:

  kubectl apply -f 'https://install.portworx.com/<version-number>?operator=true&mc=false&kbver=&b=true&kd=type%3DPremium_LRS%2Csize%3D150&s=%22type%3DPremium_LRS%2Csize%3D150%22&c=px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3aefe978ab64&aks=true&stork=true&csi=true&mon=true&tel=false&st=k8s&promop=true'

  storagecluster.core.libopenstorage.org/px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-8dfd338e915b created

• If you want to enable Azure cloud drive encryption using your own key, perform the following steps:

  1. Download the spec that you generated in Portworx Central.

  2. Create a Disk Encryption Set ID by using the instructions on Enable Customer Managed Keys page in the Microsoft documentation.

  3. Append the diskEncryptionSetID value from the previous step to the StorageCluster spec you downloaded as follows:

     cloudStorage:
       deviceSpecs:
         - type=Premium_LRS,size=50,diskEncryptionSetID=<disk-encryption-set-id>

     Where <disk-encryption-set-id> is in the following format:

     /subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Compute/diskEncryptionSets/<disk-encryption-set-name>

  4. Apply the modified spec:

     kubectl apply -f <spec-file.yaml>

     storagecluster.core.libopenstorage.org/px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-8dfd338e915b created

Verify your Portworx installation

Once you've installed Portworx, you can perform the following tasks to verify that Portworx has installed correctly.

Verify if all pods are running

Enter the following kubectl get pods command to list and filter the results for Portworx pods:

kubectl get pods -n <px-namespace> -o wide | grep -e portworx -e px

portworx-api-774c2                                      1/1     Running   0                2m55s   192.168.121.196   username-k8s1-node0    <none>           <none>
portworx-api-t4lf9                                      1/1     Running   0                2m55s   192.168.121.99    username-k8s1-node1    <none>           <none>
portworx-api-dvw64                                      1/1     Running   0                2m55s   192.168.121.99    username-k8s1-node2    <none>           <none>
portworx-kvdb-94bpk                                     1/1     Running   0                4s      192.168.121.196   username-k8s1-node0    <none>           <none>
portworx-kvdb-8b67l                                     1/1     Running   0                10s     192.168.121.196   username-k8s1-node1    <none>           <none>
portworx-kvdb-fj72p                                     1/1     Running   0                30s     192.168.121.196   username-k8s1-node2    <none>           <none>
portworx-operator-58967ddd6d-kmz6c                      1/1     Running   0                4m1s    10.244.1.99       username-k8s1-node0    <none>           <none>
prometheus-px-prometheus-0                              2/2     Running   0                2m41s   10.244.1.105      username-k8s1-node0    <none>           <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-9gs79   2/2     Running   0                2m55s   192.168.121.196   username-k8s1-node0    <none>           <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-vpptx   2/2     Running   0                2m55s   192.168.121.99    username-k8s1-node1    <none>           <none>
px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d-bxmpn   2/2     Running   0                2m55s   192.168.121.191   username-k8s1-node2    <none>           <none>
px-csi-ext-868fcb9fc6-54bmc                             4/4     Running   0                3m5s    10.244.1.103      username-k8s1-node0    <none>           <none>
px-csi-ext-868fcb9fc6-8tk79                             4/4     Running   0                3m5s    10.244.1.102      username-k8s1-node2    <none>           <none>
px-csi-ext-868fcb9fc6-vbqzk                             4/4     Running   0                3m5s    10.244.3.107      username-k8s1-node1    <none>           <none>
px-prometheus-operator-59b98b5897-9nwfv                 1/1     Running   0                3m3s    10.244.1.104      username-k8s1-node0    <none>           <none>

Note the name of one of your px-cluster pods. You'll run pxctl commands from these pods in following steps.

Verify Portworx cluster status

You can find the status of the Portworx cluster by running pxctl status commands from a pod. Enter the following kubectl exec command, specifying the pod name you retrieved in the previous section:

kubectl exec <pod-name> -n <px-namespace> -- /opt/pwx/bin/pxctl status

Defaulted container "portworx" out of: portworx, csi-node-driver-registrar
Status: PX is operational
Telemetry: Disabled or Unhealthy
Metering: Disabled or Unhealthy
License: Trial (expires in 31 days)
Node ID: xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e
        IP: 192.168.121.99
        Local Storage Pool: 1 pool
        POOL    IO_PRIORITY     RAID_LEVEL      USABLE  USED    STATUS  ZONE    REGION
        0       HIGH            raid0           3.0 TiB 10 GiB  Online  default default
        Local Storage Devices: 3 devices
        Device  Path            Media Type              Size            Last-Scan
        0:1     /dev/vdb        STORAGE_MEDIUM_MAGNETIC 1.0 TiB         14 Jul 22 22:03 UTC
        0:2     /dev/vdc        STORAGE_MEDIUM_MAGNETIC 1.0 TiB         14 Jul 22 22:03 UTC
        0:3     /dev/vdd        STORAGE_MEDIUM_MAGNETIC 1.0 TiB         14 Jul 22 22:03 UTC
        * Internal kvdb on this node is sharing this storage device /dev/vdc  to store its data.
        total           -       3.0 TiB
        Cache Devices:
         * No cache devices
Cluster Summary
        Cluster ID: px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d
        Cluster UUID: xxxxxxxx-xxxx-xxxx-xxxx-6f3fd5522eae
        Scheduler: kubernetes
        Nodes: 3 node(s) with storage (3 online)
        IP              ID                                      SchedulerNodeName       Auth            StorageNode     Used    Capacity        Status  StorageStatus       Version         Kernel                  OS
        192.168.121.196 xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc    username-k8s1-node0      Disabled        Yes             10 GiB  3.0 TiB         Online  Up 2.11.0-81faacc   3.10.0-1127.el7.x86_64  CentOS Linux 7 (Core)
        192.168.121.99  xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e    username-k8s1-node1      Disabled        Yes             10 GiB  3.0 TiB         Online  Up (This node)      2.11.0-81faacc  3.10.0-1127.el7.x86_64  CentOS Linux 7 (Core)
        192.168.121.191 xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a    username-k8s1-node2      Disabled        Yes             10 GiB  3.0 TiB         Online  Up  2.11.0-81faacc  3.10.0-1127.el7.x86_64  CentOS Linux 7 (Core)
Global Storage Pool
        Total Used      :  30 GiB
        Total Capacity  :  9.0 TiB

The Portworx status will display PX is operational if your cluster is running as intended.

Verify pxctl cluster provision status

• Find the storage cluster, the status should show as Online:

  kubectl -n <px-namespace> get storagecluster

  NAME                                              CLUSTER UUID                           STATUS   VERSION   AGE
  px-cluster-xxxxxxxx-xxxx-xxxx-xxxx-3e9bf3cd834d   xxxxxxxx-xxxx-xxxx-xxxx-6f3fd5522eae   Online   2.11.0    10m

• Find the storage nodes, the statuses should show as Online:

  kubectl -n <px-namespace> get storagenodes

  NAME                  ID                                     STATUS   VERSION          AGE
  username-k8s1-node0   xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc   Online   2.11.0-81faacc   11m
  username-k8s1-node1   xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e   Online   2.11.0-81faacc   11m
  username-k8s1-node2   xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a   Online   2.11.0-81faacc   11m

• Verify the Portworx cluster provision status. Enter the following kubectl exec command, specifying the pod name you retrieved in the previous section:

  kubectl exec <pod-name> -n <px-namespace> -- /opt/pwx/bin/pxctl cluster provision-status

  Defaulted container "portworx" out of: portworx, csi-node-driver-registrar
  NODE                                    NODE STATUS     POOL                                            POOL STATUS     IO_PRIORITY     SIZE    AVAILABLE  USED     PROVISIONED     ZONE    REGION  RACK
  xxxxxxxx-xxxx-xxxx-xxxx-70c31d0f478e    Up              0 ( xxxxxxxx-xxxx-xxxx-xxxx-4d74ecc7e159 )      Online          HIGH            3.0 TiB 3.0 TiB    10 GiB   0 B             default default default
  xxxxxxxx-xxxx-xxxx-xxxx-fad8c65b8edc    Up              0 ( xxxxxxxx-xxxx-xxxx-xxxx-97e4359e57c0 )      Online          HIGH            3.0 TiB 3.0 TiB    10 GiB   0 B             default default default
  xxxxxxxx-xxxx-xxxx-xxxx-19d45b4c541a    Up              0 ( xxxxxxxx-xxxx-xxxx-xxxx-8904cab0e019 )      Online          HIGH            3.0 TiB 3.0 TiB    10 GiB   0 B             default default default

Create your first PVC

For your apps to use persistent volumes powered by Portworx, you must use a StorageClass that references Portworx as the provisioner. Portworx includes a number of default StorageClasses, which you can reference with PersistentVolumeClaims (PVCs) you create. For a more general overview of how storage works within Kubernetes, refer to the Persistent Volumes section of the Kubernetes documentation.

Perform the following steps to create a PVC:

1. Create a PVC referencing the px-csi-db default StorageClass and save the file:

   kind: PersistentVolumeClaim
   apiVersion: v1
   metadata:
     name: px-check-pvc
   spec:
     storageClassName: px-csi-db
     accessModes:
       - ReadWriteOnce
     resources:
       requests:
         storage: 2Gi

2. Run the kubectl apply command to create a PVC:

   kubectl apply -f <your-pvc-name>.yaml

   persistentvolumeclaim/example-pvc created

Verify your StorageClass and PVC

1. Enter the kubectl get storageclass command:

   kubectl get storageclass

   NAME                                 PROVISIONER                     RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
   px-csi-db                            pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-db-cloud-snapshot             pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-db-cloud-snapshot-encrypted   pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-db-encrypted                  pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-db-local-snapshot             pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-db-local-snapshot-encrypted   pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-replicated                    pxd.portworx.com                Delete          Immediate           true                   43d
   px-csi-replicated-encrypted          pxd.portworx.com                Delete          Immediate           true                   43d
   px-db                                kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-db-cloud-snapshot                 kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-db-cloud-snapshot-encrypted       kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-db-encrypted                      kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-db-local-snapshot                 kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-db-local-snapshot-encrypted       kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-replicated                        kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   px-replicated-encrypted              kubernetes.io/portworx-volume   Delete          Immediate           true                   43d
   stork-snapshot-sc                    stork-snapshot                  Delete          Immediate           true                   43d

   kubectl returns details about the StorageClasses available to you. Verify that px-csi-db appears in the list.

2. Enter the kubectl get pvc command. If this is the only StorageClass and PVC that you've created, you should see only one entry in the output:

   kubectl get pvc <your-pvc-name>

   NAME          STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS           AGE
   example-pvc   Bound    pvc-xxxxxxxx-xxxx-xxxx-xxxx-2377767c8ce0   2Gi        RWO            example-storageclass   3m7s

   kubectl returns details about your PVC if it was created correctly. Verify that the configuration details appear as you intended.

3. Once the verification is done, you can ahead and delete the pvc which is created in the earlier steps.

   kubectl delete pvc <your-pvc-name>

   persistentvolumeclaim "px-check-pvc" deleted

4. That's it, now you're good to go.