Skip to content

Commit

Permalink
Documentation updates for 20.04
Browse files Browse the repository at this point in the history
  • Loading branch information
balaramesh authored Apr 27, 2020
1 parent 21830c3 commit b72e614
Show file tree
Hide file tree
Showing 20 changed files with 1,693 additions and 501 deletions.
2 changes: 1 addition & 1 deletion docs/dag/kubernetes/concepts_and_definitions.rst
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ At a minimum, the PV must contain these parameters:
* Read Write Once (RWO) - Supported by all PVs
* Read Only Many (ROX) - Supported primarily by file and file-like protocols, e.g. NFS and CephFS. However, some block protocols are supported, such as iSCSI
* Read Write Many (RWX) - Supported by file and file-like protocols such as NFS and also supported by iSCSI raw block
devices
devices

* Protocol - Type of protocol (e.g. "iSCSI" or "NFS") to use and additional information needed to access the storage. For example, an NFS PV will need the NFS server and a mount path.
* Reclaim policy - It describes the Kubernetes action when the PV is released. Three reclaim policy options are available:
Expand Down
44 changes: 37 additions & 7 deletions docs/dag/kubernetes/deploying_trident.rst
Original file line number Diff line number Diff line change
Expand Up @@ -30,22 +30,52 @@ Three ways to install Trident are discussed in this chapter.

**Normal install mode**

Normal installation involves running the ``tridentctl install -n trident`` command which deploys the Trident pod on the Kubernetes cluster. Trident installation is quite a straightforward process. For more information on installation and provisioning of volumes, refer to the :ref:`Deploying documentation <Deploying>`.
Installing Trident on a Kubernetes cluster will result in the Trident
installer:

1. Fetching the container images over the Internet.

2. Creating a deployment and/or node daemonset which spin up Trident pods
on all eligible nodes in the Kubernetes cluster.

A standard installation such as this can be performed in two different
ways:

1. Using ``tridentctl install`` to install Trident.

2. Using the Trident Operator.

This mode of installing is the easiest way to install Trident and
works for most environments that do not impose network restrictions. The
:ref:`Deploying <Deploying>` guide will help you get started.

**Offline install mode**

In many organizations, production and development environments do not have access to public repositories for pulling and posting images as these environments are completely secured and restricted. Such environments only allow pulling images from trusted private repositories.

To perform an air-gapped installation of Trident, you can use the ``--image-registry`` flag
when invoking ``tridentctl install`` to point to a private image registry. This registry must
contain the Trident image (obtained `here <https://hub.docker.com/r/netapp/trident/>`_) and the
CSI sidecar images as required by your Kubernetes version. The
:ref:`Customized Installation <Customized Installation>` section talks about the options available
when invoking ``tridentctl install`` to point to a private image registry. If installing with
the Trident Operator, you can alternatively specify ``spec.imageRegistry`` in your
TridentProvisioner. This registry must contain the Trident image
(obtained `here <https://hub.docker.com/r/netapp/trident/>`_)
and the CSI sidecar images as required by your Kubernetes version.

To customize your installation further, you can use ``tridentctl`` to generate the manifests
for Trident's resources. This includes the deployment, daemonset, service account and the cluster
role that Trident creates as part of its installation.
The :ref:`Customized Installation <Customized Installation>` section talks about the options available
for performing a custom Trident install.

**Remote install mode**

Trident can be installed on a Kubernetes cluster from a remote machine. To do a remote install, install the appropriate version of ``kubectl`` on the remote machine from where you would be running the ``tridentctl install`` command. Copy the configuration files from the Kubernetes cluster and set the KUBECONFIG environment variable on the remote machine. Initiate a ``kubectl get nodes`` command to verify you can connect to the required Kubernetes cluster. Complete the Trident deployment from the remote machine using the normal installation steps.
Trident can be installed on a Kubernetes cluster from a remote machine.
To do a remote install, install the appropriate version of ``kubectl``
on the remote machine from where you would be installing Trident. Copy
the configuration files from the Kubernetes cluster and set the KUBECONFIG
environment variable on the remote machine. Initiate a ``kubectl get nodes``
command to verify you can connect to the required Kubernetes cluster.
Complete the Trident deployment from the remote machine using the normal
installation steps.

Trident Installation on Docker UCP 3.1
======================================
Expand All @@ -63,7 +93,7 @@ The Trident 19.10 release is built on a production-ready CSI 1.1 provisioner imp
Trident to absorb standardized features like snapshots, while still retaining its ability to innovate on the storage model.

To setup Trident as a CSI provisioner, refer to the :ref:`Deployment Guide <deploying-in-kubernetes>`. Ensure
that the required :ref:`Feature Gates <Feature Gates>` are enabled.
that the required :ref:`Feature Gates <Feature Requirements>` are enabled.
After deploying, you should consider :ref:`Upgrading existing PVs to CSI volumes <Upgrading legacy volumes to CSI volumes>`
if you would like to
use new features such as :ref:`On-demand snapshots <On-Demand Volume Snapshots>`.
Expand Down
1 change: 0 additions & 1 deletion docs/dag/kubernetes/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,3 @@ Design and Architecture Guide
integrating_trident
backup_disaster_recovery
security_recommendations
frequently_asked_questions
43 changes: 22 additions & 21 deletions docs/dag/kubernetes/integrating_trident.rst
Original file line number Diff line number Diff line change
Expand Up @@ -31,15 +31,15 @@ Note that, in the tables below, not all of the capabilities are exposed through
.. table:: ONTAP NAS driver capabilities
:align: left

+-----------------------------+---------------+-----------------+--------------+---------------+--------+---------------+
| ONTAP NFS Drivers | Snapshots | Clones | Multi-attach | QoS | Resize | Replication |
+=============================+===============+=================+==============+===============+========+===============+
| ``ontap-nas`` | Yes | Yes | Yes | Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+---------------+-----------------+--------------+---------------+--------+---------------+
| ``ontap-nas-economy`` | Yes\ :sup:`12`| Yes\ :sup:`12` | Yes | Yes\ :sup:`12`| Yes | Yes\ :sup:`12`|
+-----------------------------+---------------+-----------------+--------------+---------------+--------+---------------+
| ``ontap-nas-flexgroup`` | Yes\ :sup:`1` | No | Yes | Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+---------------+-----------------+--------------+---------------+--------+---------------+
+-----------------------------+---------------+-----------------+-------------------------+--------------+---------------+--------+---------------+
| ONTAP NFS Drivers | Snapshots | Clones | Dynamic Export Policies | Multi-attach | QoS | Resize | Replication |
+=============================+===============+=================+=========================+==============+===============+========+===============+
| ``ontap-nas`` | Yes | Yes | Yes\ :sup:`4` | Yes | Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+---------------+-----------------+-------------------------+--------------+---------------+--------+---------------+
| ``ontap-nas-economy`` | Yes\ :sup:`12`| Yes\ :sup:`12` | Yes\ :sup:`4` | Yes | Yes\ :sup:`12`| Yes | Yes\ :sup:`12`|
+-----------------------------+---------------+-----------------+-------------------------+--------------+---------------+--------+---------------+
| ``ontap-nas-flexgroup`` | Yes\ :sup:`1` | No | Yes\ :sup:`4` | Yes | Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+---------------+-----------------+-------------------------+--------------+---------------+--------+---------------+


Trident offers 2 SAN drivers for ONTAP, whose capabilities are shown below.
Expand All @@ -48,19 +48,20 @@ Trident offers 2 SAN drivers for ONTAP, whose capabilities are shown below.
:align: left


+-----------------------------+-----------+--------+--------------+---------------+---------------+---------------+
| ONTAP SAN Driver | Snapshots | Clones | Multi-attach | QoS | Resize | Replication |
+=============================+===========+========+==============+===============+===============+===============+
| ``ontap-san`` | Yes | Yes | Yes\ :sup:`3`| Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+-----------+--------+--------------+---------------+---------------+---------------+
| ``ontap-san-economy`` | Yes | Yes | Yes\ :sup:`3`| Yes\ :sup:`12`| Yes\ :sup:`1` | Yes\ :sup:`12`|
+-----------------------------+-----------+--------+--------------+---------------+---------------+---------------+
+-----------------------------+-----------+--------+--------------+--------------------+---------------+---------------+---------------+
| ONTAP SAN Driver | Snapshots | Clones | Multi-attach | Bidirectional CHAP | QoS | Resize | Replication |
+=============================+===========+========+==============+====================+===============+===============+===============+
| ``ontap-san`` | Yes | Yes | Yes\ :sup:`3`| Yes | Yes\ :sup:`1` | Yes | Yes\ :sup:`1` |
+-----------------------------+-----------+--------+--------------+--------------------+---------------+---------------+---------------+
| ``ontap-san-economy`` | Yes | Yes | Yes\ :sup:`3`| Yes | Yes\ :sup:`12`| Yes\ :sup:`1` | Yes\ :sup:`12`|
+-----------------------------+-----------+--------+--------------+--------------------+---------------+---------------+---------------+

| Footnote for the above tables:
| Yes\ :sup:`1` : Not Trident managed
| Yes\ :sup:`2` : Trident managed, but not PV granular
| Yes\ :sup:`12`: Not Trident managed and not PV granular
| Yes\ :sup:`3` : Supported for raw-block volumes
| Yes\ :sup:`4` : Supported by CSI Trident

The features that are not PV granular are applied to the entire FlexVolume and all of the PVs (i.e. qtrees or LUNs in shared FlexVols) will share a common schedule.
Expand All @@ -81,11 +82,11 @@ The ``solidfire-san`` driver used with the HCI/SolidFire platforms, helps the ad
.. table:: SolidFire SAN driver capabilities
:align: left

+-------------------+----------------+--------+--------------+------+--------+---------------+
| SolidFire Driver | Snapshots | Clones | Multi-attach | QoS | Resize | Replication |
+===================+================+========+==============+======+========+===============+
| ``solidfire-san`` | Yes | Yes | Yes\ :sup:`2`| Yes | Yes | Yes\ :sup:`1` |
+-------------------+----------------+--------+--------------+------+--------+---------------+
+-------------------+----------------+--------+--------------+------+------+--------+---------------+
| SolidFire Driver | Snapshots | Clones | Multi-attach | CHAP | QoS | Resize | Replication |
+===================+================+========+==============+======+======+========+===============+
| ``solidfire-san`` | Yes | Yes | Yes\ :sup:`2`| Yes | Yes | Yes | Yes\ :sup:`1` |
+-------------------+----------------+--------+--------------+------+------+--------+---------------+

| Footnote:
| Yes\ :sup:`1`: Not Trident managed
Expand Down
28 changes: 25 additions & 3 deletions docs/dag/kubernetes/security_recommendations.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Security Recommendations
*************************

Run Trident in its own namespace
---------------------------------
================================

It is important to prevent applications, application admins, users, and
management applications from accessing Trident object definitions or the
Expand All @@ -20,11 +20,33 @@ in the namespaced CRD objects. Allow only administrators access to the
Trident namespace and thus access to `tridentctl` application.

CHAP authentication
-------------------
===================

Trident supports CHAP-based authentication for HCI/SolidFire backends and
ONTAP SAN workloads (using the ``ontap-san`` and ``ontap-san-economy``
drivers). NetApp recommends using bidirectional CHAP with Trident for
authentication between a host and the storage backend.

CHAP with ONTAP SAN backends
----------------------------

For ONTAP backends that use the SAN storage drivers, Trident can set up
bidirectional CHAP and manage CHAP usernames and secrets through ``tridentctl``.
Refer to :ref:`Using CHAP with ONTAP SAN drivers <Using CHAP with ONTAP SAN drivers>`
to understand how Trident configures CHAP on ONTAP backends.

.. note::

CHAP support for ONTAP backends is available with Trident 20.04 and above.

CHAP with HCI/SolidFire backends
--------------------------------

.. note::

Trident will only use CHAP when installed as a CSI Provisioner.
For HCI/SolidFire backends, CSI Trident will use CHAP to authenticate
connections. The volumes that are created by CSI Trident will not be
associated with any Volume Access Group.

NetApp recommends deploying bi-directional CHAP to ensure authentication
between a host and the HCI/SolidFire backend. Trident uses a secret
Expand Down
35 changes: 29 additions & 6 deletions docs/dag/kubernetes/storage_configuration_trident.rst
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,17 @@ To configure the maximum size for volumes that can be created by Trident, use th

In addition to controlling the volume size at the storage array, Kubernetes capabilities should also be leveraged as explained in the next chapter.

Configure Trident to use bidirectional CHAP
-------------------------------------------

You can specify the CHAP initiator and target usernames and passwords in
your backend definition and have Trident enable CHAP on the SVM.
Using the ``useCHAP`` parameter in your backend configuration, Trident
will authenticate iSCSI connections for ONTAP backends with CHAP.
Bidirectional CHAP support is available with Trident 20.04 and above. Refer to the
:ref:`Using CHAP with ONTAP SAN drivers <Using CHAP with ONTAP SAN drivers>` section
to get started.

Create and use an SVM QoS policy
--------------------------------

Expand Down Expand Up @@ -128,12 +139,24 @@ For volumes where access is desired from both Kubernetes and external hosts, the

For deployments which have dedicated infrastructure nodes (e.g. OpenShift), or other nodes which are not schedulable for user applications, separate export policies should be used to further limit access to storage resources. This includes creating an export policy for services which are deployed to those infrastructure nodes, such as, the OpenShift Metrics and Logging services, and standard applications which are deployed to non-infrastructure nodes.

Create an export policy
-----------------------

Create appropriate export policies for Storage Virtual Machines. Allow only Kubernetes nodes access to the NFS volumes.

Export policies contain one or more export rules that process each node access request. Use the ``vserver export-policy create`` ONTAP CLI to create the export policy. Add rules to the export policy using the ``vserver export-policy rule create`` ONTAP CLI command. Performing the above commands enables you to restrict which Kubernetes nodes have access to data.
Use a dedicated export policy
-----------------------------

It is important to ensure that an export policy exists for each backend
that only allows access to the nodes present in the Kubernetes cluster.
Trident can automatically create and manage export policies from the
``20.04`` release. This is covered in detail in the
:ref:`Dynamic Export Policies <Dynamic Export Policies with ONTAP NAS>`
section of the documentation. This way, Trident limits access to the
volumes it provisions to the nodes in the Kubernetes cluster and simplifies
the addition/deletion of nodes.

Alternatively, you can also create an export policy manually and populate it
with one or more export rules that process each node access request.
Use the ``vserver export-policy create`` ONTAP CLI to create the export policy.
Add rules to the export policy using the ``vserver export-policy rule create``
ONTAP CLI command. Performing the above commands enables you to restrict which
Kubernetes nodes have access to data.

Disable ``showmount`` for the application SVM
---------------------------------------------
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ This section covers Trident Installation on a Kubernetes cluster.
What are the supported versions of etcd?
----------------------------------------

Trident v19.10 does not require an etcd. It uses CRDs to maintain
From the 19.07 release, Trident no longer needs an etcd. It uses CRDs to maintain
state.


Expand Down Expand Up @@ -112,7 +112,7 @@ What versions of Kubernetes support Trident as an enhanced CSI Provisioner?
---------------------------------------------------------------------------

Kubernetes versions ``1.13`` and above support running Trident as a CSI Provisioner. Before installing
Trident, ensure the required :ref:`feature gates <Feature Gates>` are enabled.
Trident, ensure the required :ref:`feature gates <Feature Requirements>` are enabled.

Refer to :ref:`Requirements <Supported frontends (orchestrators)>` for a list
of supported orchestrators.
Expand All @@ -130,7 +130,7 @@ How do I install Trident to work as a CSI Provisioner?
------------------------------------------------------

The installation procedure is detailed under the :ref:`Deployment <deploying-in-kubernetes>` section.
Ensure that the :ref:`feature gates <Feature Gates>` are enabled.
Ensure that the :ref:`feature gates <Feature Requirements>` are enabled.

How does Trident maintain state if it doesn't use etcd?
-------------------------------------------------------
Expand Down Expand Up @@ -160,6 +160,25 @@ absolutely mandatory.

Refer to :ref:`ONTAP (AFF/FAS/Select/Cloud)` for more information on backend definition files.

Can Trident configure CHAP for ONTAP backends?
----------------------------------------------

Yes. Beginning with Trident 20.04, Trident supports bidirectional CHAP for ONTAP backends. This
requires setting ``useCHAP=true`` in your backend configuration. Refer to the
:ref:`Using CHAP with ONTAP SAN drivers <Using CHAP with ONTAP SAN drivers>` section
to understand how it works.

How do I manage export policies with Trident?
---------------------------------------------

Trident can dynamically create and manage export policies from 20.04 onwards.
This enables the storage admin to provide one or more CIDR blocks in their
backend config and have Trident add node IPs that fall within these ranges
to an export policy it creates. In this manner, Trident automatically
manages the addition and deletion of rules for nodes with IPs within the
given CIDRs. This feature requires CSI Trident. Refer to
:ref:`Dynamic Export Policies with ONTAP NAS <Dynamic Export Policies with ONTAP NAS>` for more
information.

Can we specify a port in the DataLIF?
-------------------------------------
Expand Down
10 changes: 8 additions & 2 deletions docs/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -11,16 +11,22 @@ Storage Orchestrator for Containers
:target: https://goreportcard.com/report/github.com/netapp/trident

.. toctree::
:caption: Introduction
:caption: Introduction

introduction
introduction

.. toctree::
:caption: Kubernetes

kubernetes/index
dag/kubernetes/index

.. toctree::
:maxdepth: 2
:caption: Frequently Asked Questions

frequently_asked_questions

.. toctree::
:caption: Docker

Expand Down
Loading

0 comments on commit b72e614

Please sign in to comment.