dell · anandrajak1 · Nov 15, 2024 · Nov 15, 2024 · Nov 15, 2024
@@ -1,14 +1,25 @@
+
 ---
-title: "Documentation"
-linkTitle: "Documentation"
+title: "Container Storage Modules"
+linkTitle: "Container Storage Modules"
+weight: 20
+menu:
+  main:
+    weight: 20
+no_list: true
 ---
 
 {{% pageinfo color="primary" %}}
-This document version is no longer actively maintained. The site that you are currently viewing is an archived snapshot. For up-to-date documentation, see the [latest version](/csm-docs/)
-The CSM Authorization RPM will be deprecated in a future release. It is highly recommended that you use CSM Authorization Helm deployment or CSM Operator going forward.
+1. Dell CSM Volume Group Snapshotter will be deprecated in CSM 1.14 (May 2025) and will no longer be supported.
+
+2. <span><span/>{{< message text="1" >}}
+
+3. <span><span/>{{< message text="5" >}}
 {{% /pageinfo %}}
 
-The Dell Technologies (Dell) Container Storage Modules (CSM) enables simple and consistent integration and automation experiences, extending enterprise storage capabilities to Kubernetes for cloud-native stateful applications. It reduces management complexity so developers can independently consume enterprise storage with ease and automate daily operations such as provisioning, snapshotting, replication, observability, authorization, application mobility, encryption, and resiliency.
+
+
+The Dell Technologies (Dell) Container Storage Modules (CSM) enables simple and consistent integration and automation experiences, extending enterprise storage capabilities to Kubernetes for cloud-native stateful applications. It reduces management complexity so developers can independently consume enterprise storage with ease and automate daily operations such as provisioning, snapshotting, replication, observability, authorization, application mobility and resiliency.
 
 <img src="csm_hexagon.png" alt="CSM Hex Diagram" width="500"/>
 
@@ -41,22 +52,8 @@ CSM is made up of multiple components including modules (enterprise capabilities
   {{< /card >}}
 {{% /cardpane %}}
 {{% cardpane %}}
-{{< card header="[**Application Mobility**](applicationmobility/)"
-          footer="Supports [PowerFlex](csidriver/features/powerflex/) via Apex Navigator for Kubernetes">}}
+{{< card header="[**Application Mobility**](applicationmobility/)">}}
   Container Storage Modules for Application Mobility provide Kubernetes administrators the ability to clone their stateful application workloads and application data to other clusters in the cloud.
   [...Learn more](applicationmobility/)
   {{< /card >}}
-   {{< card header="[**Encryption**](secure/encryption)"
-          footer="Supports PowerScale">}}
-  Encryption provides the capability to encrypt user data residing on volumes created by Dell CSI Drivers.
-   [...Learn more](secure/encryption/)
-  {{< /card >}}
 {{% /cardpane %}}
-{{% cardpane %}}
-   {{< card header="[License](support/license/)"
-          footer="Required for [Encryption](secure/encryption/)">}}
-  The tech-preview releases of Encryption require a license.
-  Request a license using the [Container Storage Modules License Request](https://app.smartsheet.com/b/form/5e46fad643874d56b1f9cf4c9f3071fb) by providing the requested details.
-   [...Learn more](support/license/)
-  {{< /card >}}
-{{% /cardpane %}}
@@ -7,7 +7,7 @@ Description: >
 ---
 
 {{% pageinfo color="primary" %}}
-Application Mobility is available with [APEX Navigator for Kubernetes](https://www.dell.com/en-ca/dt/apex/storage/public-cloud/navigator.htm#kubernetes)
+We are pleased to announce that Application Mobility will be available with Container Storage Modules starting early next year (2025).
 {{% /pageinfo %}}
 
 Container Storage Modules for Application Mobility provide Kubernetes administrators the ability to clone their stateful application workloads and application data to other clusters, either on-premise or in the cloud.

@@ -6,21 +6,18 @@ Description: >
   Release Notes
 ---
 {{% pageinfo color="primary" %}}
-Application Mobility is available with [APEX Navigator for Kubernetes](https://www.dell.com/en-ca/dt/apex/storage/public-cloud/navigator.htm#kubernetes)
+We are pleased to announce that Application Mobility will be available with Container Storage Modules starting early next year (2025).
 {{% /pageinfo %}}
 
-## Release Notes - CSM Application Mobility v1.1.0
+## Release Notes - CSM Application Mobility v1.2.0
 
 
 ### New Features/Changes
 
-- [#1359 - [FEATURE]: Add Support for OpenShift Container Platform (OCP) 4.16 ](https://github.com/dell/csm/issues/1359)
-- [#1400 - [FEATURE]: Support for Kubernetes 1.30](https://github.com/dell/csm/issues/1400)
+- [#1472 - [FEATURE]: Support for Kubernetes 1.31](https://github.com/dell/csm/issues/1472)
 
 ### Fixed Issues
 
-- [#1299 - [BUG]: Images of application mobility velero plugin and controller is not setting the correct image to the latest ](https://github.com/dell/csm/issues/1299)
-
 ### Known Issues
 
 There are no known issues in this release.
@@ -0,0 +1,184 @@
+---
+title: Authorization - v2 Migration guide
+linktitle: Migration Guide From v1 to v2
+weight: 1
+description: >
+  CSM for Authorization v1 to v2 Migration Guide
+---
+CSM for Authorization v2 has significant architectural changes that prevent a user from upgradng CSM for Authorization v1 to CSM for Authorization v2. This page provides a reference guide for migrating v1 to v2 using Powerflex as an example.
+
+**Before migration please note following points**
+  - CSM for Authorization v2 calculates the actual usage of capacity provisioned by syncing with the array.
+  - Volumes belonging to a tenant are identified using the **Volume Prefix** configured in csmtenant custom resource.
+  - Volumes without the **Volume Prefix** will not be accounted for in usage capacity calculation as ownership of the volume is unknown without the volume prefix.
+  - User should rename all volumes that are needed to be accounted for with the **Volume Prefix** before migration to v2. See the [Prerequisites](#prerequisites).
+
+## Prerequisites
+### On the storage array, rename the volumes owned by each tenant with a tenant prefix.
+Use [dellctl](../../support/cli/) to list the volumes owned by the tenant. 
+```
+# dellctl volume get --proxy <csm-authorization-proxy-address> --namespace <driver-namespace>
+NAME             VOLUME ID          SIZE       POOL    SYSTEM ID          PV NAME          PV STATUS   STORAGE CLASS   PVC NAME                NAMESPACE            SNAPSHOT COUNT
+k8s-4cfa97ba5d   c6cfdfe000000229   8.000000   pool1   3000000000011111   k8s-4cfa97ba5d   Bound       vxflexos        vol-create-test-vndq8   test                 0
+k8s-519bb230c5   c6cfdfe20000022b   8.000000   pool1   3000000000011111   k8s-519bb230c5   Bound       vxflexos        vol-create-test-wc45j   test                 0
+k8s-ecc8381e08   c6cfdfe300000231   8.000000   pool1   3000000000011111   k8s-ecc8381e08   Bound       vxflexos        vol-create-test-r8ptv   test                 0
+k8s-cc47d7a61e   c6cfdfe10000022a   8.000000   pool1   3000000000011111   k8s-cc47d7a61e   Bound       vxflexos        vol-create-test-k8szc   test                 0
+k8s-76914ae62b   c6cfdfdf00000223   8.000000   pool1   3000000000011111   k8s-76914ae62b   Bound       vxflexos        vol-create-test-8sbtl   test                 0
+```
+
+On the storage array, rename each volume with your chosen tenant prefix. For example, if you've chosen the prefix `tn1`, volume `k8s-4cfa97ba5d` should be renamed to `tn1-k8s-4cfa97ba5d`.
+
+## Storage Systems
+
+In CSM for Authorization v1 setup, list the storage to get all the storage systems configured in the environment.
+Example:
+
+```
+karavictl storage list --admin-token admintoken.yaml --addr csm-authorization.host.com
+
+{
+  "storage": {
+    "powerflex": {
+      "3000000000011111": {
+        "Endpoint": "https://1.1.1.1",
+        "Insecure": true,
+        "Password": "(omitted)",
+        "User": "admin"
+      }
+    }
+  }
+}
+```
+In CSM for Authorization v2, storage is created using custom resources. For each Storage in a v1 environment, create using the CR, example:
+
+```
+kubectl create -f controller/config/samples/csm-authorization_v1_storage.yaml
+```
+```yaml
+apiVersion: csm-authorization.storage.dell.com/v1
+kind: Storage
+metadata:
+  name: powerflex
+spec:
+  # Type of the storage system. Example: powerflex, powermax, powerscale
+  type: powerflex
+  endpoint: https://1.1.1.1
+  # System ID of the backend storage array
+  systemID: 3000000000011111
+  # Vault is the credential manager for storage arrays
+  vault:
+    identifier: vault0
+    kvEngine: secret
+    path: csm-authorization/powerflex/3000000000011111
+  # SkipCertificateValidation is the flag to skip certificate validation
+  skipCertificateValidation: true
+  # PollInterval is the polling frequency to test the storage connectivity
+  pollInterval: 30s
+```
+
+## Role and Role Binding
+
+In CSM for Authorization v2, role creation is simpler. User will not be required to bind the role, only thing user needs to do is create roles that are needed.
+
+List all the roles that are created in CSM for Authorization v1 setup.
+Example:
+```
+karavictl role list --admin-token admintoken.yaml --addr csm-authorization.host.com
+```
+```
+{
+  "CSIGold": [
+    {
+      "storage_system_id": "3000000000011111",
+      "pool_quotas": [
+        {
+          "pool": "mypool",
+          "quota": 32000000
+        }
+      ]
+    }
+  ],
+  "CSISilver": [
+    {
+      "storage_system_id": "3000000000011111",
+      "pool_quotas": [
+        {
+          "pool": "mypool",
+          "quota": 16000000
+        }
+      ]
+    }
+  ]
+}
+```
+In CSM for Authorization v2, roles are created using custom resources. For each role in a v1 environment, create using the CR, example:
+```
+kubectl create -f controller/config/samples/csm-authorization_v1_csmrole.yaml
+```
+```yaml
+apiVersion: csm-authorization.storage.dell.com/v1
+kind: CSMRole
+metadata:
+  name: CSIGold
+spec:
+  quota: 3200GiB
+  systemID: 3000000000011111
+  systemType: powerflex
+  pool: pool1
+```
+```yaml
+apiVersion: csm-authorization.storage.dell.com/v1
+kind: CSMRole
+metadata:
+  name: CSISilver
+spec:
+  quota: 1600GiB
+  systemID: 3000000000011111
+  systemType: powerflex
+  pool: pool2
+```
+
+## Tenant
+
+List all the tenants in v1 setup and all those tenants should be created in v2 setup.
+List tenants in v1 setup, example:
+```
+karavictl tenant list --admin-token admintoken.yaml --addr csm-authorization.host.com
+```
+```
+{
+  "tenants": [
+    {
+      "name": "Alice"
+    }
+  ]
+}
+```
+Get detail of each tenant, example:
+```
+karavictl tenant get --name Alice --admin-token admintoken.yaml --addr csm-authorization.host.com
+```
+```
+{
+  "name": "Alice"
+  "roles": "CSIGold,CSISilver"
+  "approvesdc": true
+}
+```
+In CSM for Authorization v2, tenants are created using custom resources. The `spec.volumePrefix` field must be the prefix used in the prerequisite step of renaming the storage array volumes. For each tenant in a v1 environment, create using the CR, example:
+```
+kubectl create -f controller/config/samples/csm-authorization_v1_csmtenant.yaml
+```
+csm-authorization_v1_csmtenant.yaml file will look like following example:
+```yaml
+apiVersion: csm-authorization.storage.dell.com/v1
+kind: CSMTenant
+metadata:
+  name: Alice
+spec:
+  # Roles defines a comma separated list of Roles for this tenant
+  roles: CSIGold,CSISilver
+  approveSdc: true
+  revoke: false
+  volumePrefix: tn1
+```
@@ -6,12 +6,14 @@ Description: >
   Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization
 ---
 
-[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products. 
+[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products.
 
 CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. It does this by deploying a proxy between the CSI driver and the storage system to enforce role-based access and usage rules.
 
 Storage administrators of compatible storage platforms will be able to apply quota and RBAC rules that instantly and automatically restrict cluster tenants usage of storage resources. Users of storage through CSM for Authorization do not need to have storage admin root credentials to access the storage system.
 
 Kubernetes administrators will have an interface to create, delete, and manage roles/groups that storage rules may be applied. Administrators and/or users may then generate authentication tokens that may be used by tenants to use storage with proper access policies being automatically enforced.
 
-Currently, we have two versions of Authorization, **v1.x GA** and **v2.0 Tech Preview**.
+Currently, we have two versions of Authorization, **v1.x** and **v2.x**. **v2.x is not backward compatible with v1.x versions**.
+
+**Deprecation Notice Pre-Wire: Starting with CSM 1.13, Authorization v1.x will be deprecated and will be officially discontinued by CSM 1.15 in September 2025. Please migrate to Authorization v2.0 before then to avoid any issues using the v2 Migration guide linked below.**
@@ -4,6 +4,9 @@ linktitle: Helm
 description: >
   Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization Helm backup and restore
 ---
+{{% pageinfo color="primary" %}}
+{{< message text="5" >}}
+{{% /pageinfo %}}
 
 ## Roles
 
@@ -117,4 +120,4 @@ volumes:
     claimName: redis-backup
 ```
 
-Once saved, Redis will now use the backup volume. 
+Once saved, Redis will now use the backup volume. 
@@ -6,7 +6,7 @@ description: >
 ---
 
 {{% pageinfo color="primary" %}}
-The CSM Authorization RPM is no longer actively maintained or supported. It will be deprecated in a future release. It is highly recommended that you use CSM Authorization Helm deployment or CSM Operator going forward.
+{{< message text="5" >}}
 {{% /pageinfo %}}
 
 ## Roles

@@ -0,0 +1,66 @@
+---
+title: Authorization - v1.x
+linktitle: v1.x
+weight: 4
+Description: >
+  Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v1.x.
+tags:
+ - csm-authorization
+---
+
+{{% pageinfo color="primary" %}}
+{{< message text="5" >}} 
+{{% /pageinfo %}}
+
+The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator.
+
+![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization")
+
+## CSM for Authorization Capabilities
+{{<table "table table-striped table-bordered table-sm">}}
+| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore |
+| - | - | - | - | - | - |
+| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No |
+| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No |
+| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No |
+{{</table>}}
+
+**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs).
+
+## Authorization Components Support Matrix
+CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM.
+
+**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod.
+To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic.
+
+## Roles and Responsibilities
+
+The CSM for Authorization CLI can be executed in the context of the following roles:
+- Storage Administrators
+- Kubernetes Tenant Administrators
+
+### Storage Administrators
+
+Storage Administrators can perform the following operations within CSM for Authorization
+
+- Tenant Management (create, get, list, delete, bind roles, unbind roles)
+- Token Management (generate, revoke)
+- Storage System Management (create, get, list, update, delete)
+- Storage Access Roles Management (assign to a storage system with an optional quota)
+
+### Tenant Administrators
+
+Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests.
+
+### Workflow
+
+1) Tenant Admin requests storage from a Storage Admin.
+2) Storage Admin uses CSM Authorization CLI to:<br>
+    a) Create a tenant resource.<br>
+    b) Create a role permitting desired storage access.<br>
+    c) Assign the role to the tenant and generate a token.<br>
+3) Storage Admin returns a token to the Tenant Admin.
+4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret.
+5) Tenant Admin updates CSI driver with CSM Authorization sidecar module.
+
+![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow")