Create an Azure Files storage class on Azure Red Hat OpenShift 4

In this article, you create a storage class for Azure Red Hat OpenShift 4 that dynamically provisions storage by using Azure Files. You learn how to:

  • Set up the prerequisites and install the necessary tools
  • Create an Azure Red Hat OpenShift 4 storage class with the Azure Files provisioner

If you choose to install and use the CLI locally, this tutorial requires the Azure CLI version 2.6.0 or later. To find the version, run the az --version command. If you need to install or upgrade, see Install the Azure CLI.

Before you begin

Deploy an Azure Red Hat OpenShift 4 cluster into your subscription. For more information, see Create an Azure Red Hat OpenShift 4 cluster.

Set up an Azure storage account

This step creates a resource group outside the Azure Red Hat OpenShift cluster's resource group. This resource group holds the Azure Files shares that the Azure Red Hat OpenShift dynamic provisioner creates.

AZURE_FILES_RESOURCE_GROUP=aro_azure_files
LOCATION=eastus

az group create -l $LOCATION -n $AZURE_FILES_RESOURCE_GROUP

AZURE_STORAGE_ACCOUNT_NAME=aroazurefilessa

az storage account create \
  --name $AZURE_STORAGE_ACCOUNT_NAME \
  --resource-group $AZURE_FILES_RESOURCE_GROUP \
  --kind StorageV2 \
  --sku Standard_LRS

Set permissions

Set resource group permissions and set cluster permissions.

For resource group permissions, the service principal requires the listKeys permission on the new Azure storage account resource group. Assign the contributor role.

ARO_RESOURCE_GROUP=aro-rg
CLUSTER=cluster
ARO_SERVICE_PRINCIPAL_ID=$(az aro show -g $ARO_RESOURCE_GROUP -n $CLUSTER --query servicePrincipalProfile.clientId -o tsv)

az role assignment create --role Contributor --scope /subscriptions/mySubscriptionID/resourceGroups/$AZURE_FILES_RESOURCE_GROUP --assignee $ARO_SERVICE_PRINCIPAL_ID

For cluster permissions, the persistent volume binder service account requires the ability to read secrets. Create and assign a cluster role in Azure Red Hat OpenShift.

ARO_API_SERVER=$(az aro list --query "[?contains(name,'$CLUSTER')].[apiserverProfile.url]" -o tsv)

oc login -u kubeadmin -p $(az aro list-credentials -g $ARO_RESOURCE_GROUP -n $CLUSTER --query=kubeadminPassword -o tsv) $ARO_API_SERVER

oc create clusterrole azure-secret-reader \
  --verb=create,get \
  --resource=secrets

oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder

Create a storage class with Azure Files provisioner

This step creates a storage class with an Azure Files provisioner. You must include the details of the storage account within the storage class manifest. These details tell the cluster to use a storage account that lives outside the cluster's own resource group.

During storage provisioning, the secretName specification names a secret used for the mounting credentials. In a multitenant context, set the value for the secretNamespace parameter explicitly. Otherwise, other users might read the storage account credentials.

cat << EOF > azure-storageclass-azure-file.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: file.csi.azure.com
mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=0
  - gid=0
  - mfsymlinks
  - cache=strict
  - actimeo=30
  - noperm
parameters:
  location: $LOCATION
  secretNamespace: kube-system
  skuName: Standard_LRS
  storageAccount: $AZURE_STORAGE_ACCOUNT_NAME
  resourceGroup: $AZURE_FILES_RESOURCE_GROUP
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF

oc create -f azure-storageclass-azure-file.yaml

Mount options for Azure Files generally depend on the workload that you're deploying and the requirements of the application. For Azure Files in particular, consider the following mount options.

Mandatory parameters:

  • mfsymlinks to map symlinks to a form that the client can use.

  • noperm to disable permission checks on the client side.

Recommended parameters:

  • nossharesock to turn off reusing sockets if the client is already connected via an existing mount point.

  • actimeo=30 (or higher) to increase the time the Common Internet File System (CIFS) Protocol client caches file and directory attributes.

  • nobrl to turn off sending byte range lock requests to the server. This parameter is also recommended for applications that have challenges with locks in Portable Operating System Interface for Unix (POSIX).
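The secretNamespace caveat and the mount option list above can be checked before the manifest is applied. The following POSIX shell linter is an added example, not part of the original article; it embeds a constructed sample manifest (deliberately missing secretNamespace) and exposes mount_options, param, check_storageclass and finding_count as functions you can point at your own azure-storageclass-azure-file.yaml.

```shell
# Added example (not from the article): offline linter for the azure-file
# StorageClass manifest created above. Checks secretNamespace is set explicitly,
# mandatory mount options are present, and flags world-writable dir/file modes.
# Constructed sample manifest (deliberately missing secretNamespace) so this runs offline.
SAMPLE_MANIFEST=$(cat <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: file.csi.azure.com
mountOptions:
  - dir_mode=0777
  - mfsymlinks
  - noperm
parameters:
  skuName: Standard_LRS
  storageAccount: aroazurefilessa
EOF
)

# mount_options FILE -> each entry under mountOptions:, one per line
mount_options() {
  awk '/^mountOptions:/ {inlist=1; next} /^[^ ]/ {inlist=0}
       inlist && /^ *- / {sub(/^ *- */, ""); print}' "$1"
}

# param FILE KEY -> value of parameters.KEY, empty if absent
param() {
  awk -v key="$2" '/^parameters:/ {inp=1; next} /^[^ ]/ {inp=0}
       inp && $1 == (key ":") {print $2}' "$1"
}

# check_storageclass FILE -> prints FAIL/WARN/INFO lines; exit status = FAIL+WARN count
check_storageclass() {
  f=$1; n=0; opts=$(mount_options "$f")
  for req in mfsymlinks noperm; do
    echo "$opts" | grep -qx "$req" || { echo "FAIL mandatory mount option missing: $req"; n=$((n+1)); }
  done
  for rec in nossharesock nobrl actimeo=30; do
    echo "$opts" | grep -qx "$rec" || echo "INFO recommended mount option not set: $rec"
  done
  echo "$opts" | grep -qE '^(dir|file)_mode=0?777$' &&
    { echo "WARN world-writable dir_mode/file_mode; scope modes to the workload uid/gid"; n=$((n+1)); }
  [ -n "$(param "$f" secretNamespace)" ] ||
    { echo "FAIL secretNamespace not set: other tenants may read the storage account credentials"; n=$((n+1)); }
  return "$n"
}
# finding_count FILE -> number of FAIL/WARN lines (0 means the manifest passed)
finding_count() { check_storageclass "$1" | grep -cE '^(FAIL|WARN)' || true; }
```

Run it as `check_storageclass azure-storageclass-azure-file.yaml` in a pre-apply step; a non-zero exit status blocks the `oc create` until secretNamespace is set and the modes are tightened.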

Change the default storage class (optional)

The default storage class is called managed-premium, and it uses the azure-disk provisioner. Change this setting by issuing patch commands against the storage class manifests.

oc patch storageclass managed-premium -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'

oc patch storageclass azure-file -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'

Verify the Azure Files storage class (optional)

Create a new application and assign storage to it.

Note

To use the httpd-example template, you must deploy your cluster with the pull secret enabled. For more information, see Get a Red Hat pull secret.

oc new-project azfiletest
oc new-app httpd-example

#Wait for the pod to become Ready
curl $(oc get route httpd-example -n azfiletest -o jsonpath={.spec.host})

#If you have set azure-file as the default storage class, you can omit the --claim-class parameter
oc set volume dc/httpd-example --add --name=v1 -t pvc --claim-size=1G -m /data --claim-class='azure-file'

#Wait for the new deployment to roll out
export POD=$(oc get pods --field-selector=status.phase==Running -o jsonpath={.items[0].metadata.name})
oc exec $POD -- bash -c "echo 'azure file storage' >> /data/test.txt"

oc exec $POD -- bash -c "cat /data/test.txt"
azure file storage

You can see the test.txt file via the Storage Explorer in the Azure portal.