Enable Portworx Fusion Controller
This topic provides instructions on how to enable Portworx Fusion Controller.
After you enable Portworx Fusion Controller:
- The Fusion Controller uses the secret that contains the Fusion Coordinator endpoint and required LDAP credentials to connect to the Fusion Coordinator.
- The Fusion Controller automatically synchronizes Fusion presets and exposes them as Kubernetes StorageClass objects in your Portworx cluster.
- You can reference these storage classes when provisioning volumes or creating virtual machines.
When you enable Portworx Fusion Controller, it automatically discovers FlashArray systems from the Fusion fleet and synchronizes presets into the Kubernetes cluster as FusionPreset resources. This allows you to reference preset configurations locally without using the Fusion console. If an array is configured both manually (for example, through pure.json) and discovered from the Fusion endpoint, Portworx replaces the manual entry with a token generated by the Fusion Controller. If the arrays are different, both configurations remain unchanged and are managed independently.
Add Fusion Coordinator access details as a secret
To enable Fusion integration, create a secret that contains the Fusion Coordinator endpoint and required LDAP credentials. Follow the Kubernetes or Vault steps below, depending on the secret store selected in the Secrets store type for Cloud Provider Credentials dropdown menu in Portworx Central.
For information on how to configure a secret provider, see Configure multiple secrets providers.
When you integrate Portworx with Fusion and update the secrets provider from Kubernetes Secrets to Vault, the behavior of backend storage credentials depends on whether the storage systems are part of the Fusion Fleet:
- If the storage systems are part of the Fusion Fleet, Fusion automatically manages the credentials and creates the Vault pure.Json secret with all required backend configurations. No manual action is required.
- If some storage systems are not part of the Fusion Fleet and were manually configured, Fusion does not include them in the Vault pure.Json secret during the update. In this case, you must manually add those backend configurations to the Vault pure.Json secret to ensure continued access.
To avoid missing configurations, verify that all required storage systems are registered in the Fusion Fleet before updating the secrets provider.
- Kubernetes
- Vault
Kubernetes
- Create a Kubernetes secret in the same namespace where you deploy Portworx Operator.
  This secret must include the Fusion Coordinator endpoint and the required LDAP credentials for authentication. Portworx Fusion Controller uses this secret to authenticate with the Fusion Coordinator and synchronize storage presets as Kubernetes StorageClass objects.

      apiVersion: v1
      kind: Secret
      metadata:
        name: <fusion-auth-secret>
        namespace: <namespace>
      type: Opaque
      data:
        endpoint: <Fleet-coordinator-endpoint (base64 encoded)>
        username: <LDAP Username (base64 encoded)>
        password: <LDAP Password (base64 encoded)>

  Replace:
  - <fusion-auth-secret> with the name of the Kubernetes secret containing LDAP credentials for Fusion authentication. The default value is pure-fusion-cred.
  - <namespace> with the name of the namespace where you installed Portworx.
  - <Fleet-coordinator-endpoint (base64 encoded)> with the Fusion coordinator endpoint.
  - <LDAP Username (base64 encoded)> with the username used to access the Fusion Coordinator.
  - <LDAP Password (base64 encoded)> with the password used to access the Fusion Coordinator.
- Apply the secret created in the previous step in your cluster.

      kubectl apply -f <fusion-auth-secret> -n <namespace>

- Verify the secret to confirm that the secret exists in the Portworx namespace and contains the required fields.
  Portworx reads this secret during deployment to initialize the Fusion Controller.

      kubectl get secret <fusion-auth-secret> -n <namespace>

      ...
      "endpoint": "aHR0cHM6XXXXXX==",
      "password": "UGFXXXXXXXX",
      "username": "cXXXXXXXXXXXI="
Vault
Vault is not supported when enabling the Portworx Fusion Controller with Portworx CSI (PX-CSI); use Kubernetes Secrets as the secret store instead.
- Deploy Vault.
  For more information, see Vault documentation.
- Create a secret in Vault with your Fusion Coordinator endpoint and the required LDAP credentials for authentication.
  Store Fusion Coordinator credentials (username and password) as key-value pairs at the path secret/<fusion-auth-secret>. If you are not using a custom backend path, use secret as shown.

      vault kv put secret/<fusion-auth-secret> endpoint=<fleet-coordinator-endpoint (base64 encoded)> username=<LDAP Username (base64 encoded)> password=<LDAP Password (base64 encoded)>

  Replace:
  - <fusion-auth-secret> with the name of the Vault secret containing LDAP credentials for Fusion authentication.
  - <Fleet-coordinator-endpoint (base64 encoded)> with the Fusion coordinator endpoint.
  - <LDAP Username (base64 encoded)> with the username used to access the Fusion Coordinator.
  - <LDAP Password (base64 encoded)> with the password used to access the Fusion Coordinator.

  If you are using a custom secret path, replace secret with your custom path. For example, if your custom secret path is customPath:

      vault kv put customPath/<fusion-auth-secret> endpoint=<fleet-coordinator-endpoint (base64 encoded)> username=<LDAP Username (base64 encoded)> password=<LDAP Password (base64 encoded)>

  Replace the same placeholders as in the previous command.
- Verify the secret to confirm that the secret exists in the Portworx namespace and contains the required fields.
  Portworx reads this secret during deployment to initialize the Fusion Controller.

      vault kv get secret/<fusion-auth-secret>

  The command should return an output similar to the following:

      ========== Data ==========
      Key         Value
      ---         -----
      endpoint    <fleet-coordinator-endpoint>
      username    <LDAP Username>
      password    <LDAP Password>
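The Kubernetes secret earlier in this section needs each field base64-encoded, and a value encoded with a trailing newline decodes to a different string than the one you intended. The following is an added example, not Portworx tooling: it renders the manifest from plain values and checks that all three required keys decode cleanly. The helper names (b64, render_fusion_secret, check_fusion_secret) and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example. Helper names and sample values are assumptions, not Portworx tooling.

# Encode a value exactly as given. printf avoids the trailing newline that
# `echo` would append; tr removes line wrapping some base64 builds insert.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Print a Secret manifest carrying the three keys the Fusion Controller reads.
# Arguments: secret name, namespace, endpoint, LDAP username, LDAP password.
render_fusion_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: Opaque
data:
  endpoint: $(b64 "$3")
  username: $(b64 "$4")
  password: $(b64 "$5")
EOF
}

# Read a manifest on stdin. Fail when a required key is missing, is not valid
# base64, or decodes to an empty value or one that ends in a line break.
check_fusion_secret() {
  manifest=$(cat); nl=$(printf '\nx'); nl=${nl%x}; cr=$(printf '\r')
  for key in endpoint username password; do
    enc=$(printf '%s\n' "$manifest" | sed -n "s/^  $key: *//p")
    [ -n "$enc" ] || { echo "missing key: $key" >&2; return 1; }
    # The appended "x" keeps a trailing newline from being stripped by $(...).
    dec=$(printf '%s' "$enc" | base64 -d 2>/dev/null && printf x) ||
      { echo "not valid base64: $key" >&2; return 1; }
    dec=${dec%x}
    case $dec in
      ''|*"$nl"|*"$cr") echo "empty or newline-terminated: $key" >&2; return 1 ;;
    esac
  done
}

# Constructed sample values, not real credentials.
render_fusion_secret pure-fusion-cred portworx \
  'https://fusion.example.internal' 'svc-px' 'example-pass' |
  check_fusion_secret && echo "secret manifest OK"
```

Base64 is an encoding, not encryption, so piping the rendered manifest to kubectl apply -f - avoids leaving the credentials in a file on disk.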
Enable Fusion Controller
You can enable Fusion Controller by using one of the following methods:
- Through Portworx Central
- Through StorageCluster custom resource
To enable the Fusion Controller during Portworx installation, select the Enable Fusion Controller checkbox when generating the Kubernetes manifests in Portworx Central.
For more information, see Installation of Portworx with FlashArray using Portworx Central.
If Portworx is already installed in your cluster, you can manually enable Fusion Controller by editing the StorageCluster custom resource.
- Locate your StorageCluster:

      kubectl get storageclusters -A

- Edit the StorageCluster in the appropriate namespace:

      kubectl edit storagecluster <storage-cluster-name> -n <namespace>

  For example, if your cluster is named px-cluster and deployed in the portworx namespace:

      kubectl edit storagecluster px-cluster -n portworx

- In the spec section of the StorageCluster resource, add the fusion configuration:

      apiVersion: core.libopenstorage.org/v1
      kind: StorageCluster
      metadata:
        name: px-cluster
        namespace: portworx
      spec:
        purePlatform:
          fusion:
            enabled: true
            fusionAuthSecret: <fusion-auth-secret>

  Replace <fusion-auth-secret> with the name of the secret created in the Add Fusion Coordinator access details as a secret section.
- Verify the configuration to confirm that the Fusion integration is enabled:

      kubectl get storagecluster <storage-cluster-name> -n <namespace> -o yaml | grep -A 2 fusion

  You should see output similar to:

      fusion:
        enabled: true
What to do next
Create a Fusion preset that you want to use for your StorageClass. For more information, see Create a Fusion Preset.