In this article, you create a storage class for Azure Red Hat OpenShift 4 that dynamically provisions storage by using Azure Files. You learn how to:
- Set up the prerequisites and install the necessary tools
- Create an Azure Red Hat OpenShift 4 storage class with the Azure Files provisioner
If you choose to install and use the CLI locally, this tutorial requires the Azure CLI version 2.6.0 or later. To find the version, run the az --version command. If you need to install or upgrade, see Install the Azure CLI.
Before you begin
Deploy an Azure Red Hat OpenShift 4 cluster into your subscription. For more information, see Create an Azure Red Hat OpenShift 4 cluster.
Set up an Azure storage account
This step creates a resource group outside the Azure Red Hat OpenShift cluster's resource group. This resource group holds the Azure Files shares created by the Azure Red Hat OpenShift dynamic provisioner.
AZURE_FILES_RESOURCE_GROUP=aro_azure_files
LOCATION=eastus
az group create -l $LOCATION -n $AZURE_FILES_RESOURCE_GROUP
AZURE_STORAGE_ACCOUNT_NAME=aroazurefilessa
az storage account create \
--name $AZURE_STORAGE_ACCOUNT_NAME \
--resource-group $AZURE_FILES_RESOURCE_GROUP \
--kind StorageV2 \
--sku Standard_LRS
Set permissions
Set resource group permissions and set cluster permissions.
For resource group permissions, the service principal requires the listKeys permission on the new Azure storage account resource group. Assign the contributor role.
ARO_RESOURCE_GROUP=aro-rg
CLUSTER=cluster
ARO_SERVICE_PRINCIPAL_ID=$(az aro show -g $ARO_RESOURCE_GROUP -n $CLUSTER --query servicePrincipalProfile.clientId -o tsv)
az role assignment create --role Contributor --scope /subscriptions/mySubscriptionID/resourceGroups/$AZURE_FILES_RESOURCE_GROUP --assignee $ARO_SERVICE_PRINCIPAL_ID
For cluster permissions, the persistent volume binder service account requires the ability to read secrets. Create and assign a cluster role in Azure Red Hat OpenShift.
ARO_API_SERVER=$(az aro list --query "[?contains(name,'$CLUSTER')].[apiserverProfile.url]" -o tsv)
oc login -u kubeadmin -p $(az aro list-credentials -g $ARO_RESOURCE_GROUP -n $CLUSTER --query=kubeadminPassword -o tsv) $ARO_API_SERVER
oc create clusterrole azure-secret-reader \
--verb=create,get \
--resource=secrets
oc adm policy add-cluster-role-to-user azure-secret-reader system:serviceaccount:kube-system:persistent-volume-binder
Create a storage class with Azure Files provisioner
This step creates a storage class with an Azure Files provisioner. You must include the details of the storage account within the storage class manifest. With these details, the cluster knows to look at a storage account outside of the current resource group.
During storage provisioning, the secretName specification names a secret used for the mounting credentials. In a multitenant context, set the value for the secretNamespace parameter explicitly. Otherwise, other users might read the storage account credentials.
cat << EOF > azure-storageclass-azure-file.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: file.csi.azure.com
mountOptions:
  - dir_mode=0777
  - file_mode=0777
  - uid=0
  - gid=0
  - mfsymlinks
  - cache=strict
  - actimeo=30
  - noperm
parameters:
  location: $LOCATION
  secretNamespace: kube-system
  skuName: Standard_LRS
  storageAccount: $AZURE_STORAGE_ACCOUNT_NAME
  resourceGroup: $AZURE_FILES_RESOURCE_GROUP
reclaimPolicy: Delete
volumeBindingMode: Immediate
EOF
oc create -f azure-storageclass-azure-file.yaml
Mount options for Azure Files generally depend on the workload that you're deploying and the requirements of the application. Specifically for Azure Files, consider the following parameters.
Mandatory parameters:
- mfsymlinks to map symlinks to a form that the client can use.
- noperm to disable permission checks on the client side.
Recommended parameters:
- nosharesock to turn off reusing sockets if the client is already connected via an existing mount point.
- actimeo=30 (or higher) to increase the time the Common Internet File System (CIFS) Protocol client caches file and directory attributes.
- nobrl to turn off sending byte range lock requests to the server. This parameter is also recommended for applications that have challenges with Portable Operating System Interface for Unix (POSIX) locks.
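A pre-apply lint for the storage class manifest, written here as an added example (it is not part of the original article or of the Azure Red Hat OpenShift tooling): it rejects a manifest that omits the secretNamespace parameter described above or the mandatory mfsymlinks and noperm mount options, and assumes a manifest laid out like azure-storageclass-azure-file.yaml.

```shell
# Added example (not from the original article): lint a StorageClass manifest
# before "oc create -f" so the secretNamespace caveat and the mandatory Azure
# Files mount options are not silently skipped.
# Print the value of a key under "parameters:" (empty if absent).
sc_param() {
  awk -v key="$2" '
    /^parameters:/ { inp = 1; next }
    /^[A-Za-z]/    { inp = 0 }
    inp && $1 == (key ":") { print $2; exit }' "$1"
}
# Succeed if "mountOptions:" lists option $2 (compared before any "=").
sc_has_mount_option() {
  awk -v opt="$2" '
    /^mountOptions:/ { ino = 1; next }
    /^[A-Za-z]/      { ino = 0 }
    ino && $1 == "-" { split($2, kv, "="); if (kv[1] == opt) { found = 1; exit } }
    END { exit found ? 0 : 1 }' "$1"
}
# Report every problem found in manifest $1; return 1 if there was any.
check_storageclass_manifest() {
  f="$1"; rc=0
  # Without an explicit secretNamespace, other tenants may be able to read the
  # mount credentials secret.
  if [ -z "$(sc_param "$f" secretNamespace)" ]; then
    echo "$f: parameters.secretNamespace is not set"; rc=1
  fi
  for opt in mfsymlinks noperm; do
    sc_has_mount_option "$f" "$opt" ||
      { echo "$f: mandatory mount option '$opt' is missing"; rc=1; }
  done
  return $rc
}
# Constructed sample manifests (same shape as azure-storageclass-azure-file.yaml).
SC_GOOD=$(mktemp); SC_BAD=$(mktemp)
cat > "$SC_GOOD" <<'EOF'
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azure-file
provisioner: file.csi.azure.com
mountOptions:
  - mfsymlinks
  - noperm
  - actimeo=30
parameters:
  secretNamespace: kube-system
  skuName: Standard_LRS
EOF
# Counterexample: secretNamespace and noperm removed.
sed -e '/secretNamespace/d' -e '/noperm/d' "$SC_GOOD" > "$SC_BAD"
check_storageclass_manifest "$SC_GOOD" && echo "$SC_GOOD: ok"
check_storageclass_manifest "$SC_BAD" || echo "$SC_BAD: rejected"
```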
Change the default storage class (optional)
The default storage class is called managed-premium, and it uses the azure-disk provisioner. Change this setting by issuing patch commands against the storage class manifests.
oc patch storageclass managed-premium -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'
oc patch storageclass azure-file -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
Verify the Azure Files storage class (optional)
Create a new application and assign storage to it.
Note
To use the httpd-example template, you must deploy your cluster with the pull secret enabled. For more information, see Get a Red Hat pull secret.
oc new-project azfiletest
oc new-app httpd-example
#Wait for the pod to become Ready
curl $(oc get route httpd-example -n azfiletest -o jsonpath={.spec.host})
#If you have set the storage class by default, you can omit the --claim-class parameter
oc set volume dc/httpd-example --add --name=v1 -t pvc --claim-size=1G -m /data --claim-class='azure-file'
#Wait for the new deployment to rollout
export POD=$(oc get pods --field-selector=status.phase==Running -o jsonpath={.items[].metadata.name})
oc exec $POD -- bash -c "echo 'azure file storage' >> /data/test.txt"
oc exec $POD -- bash -c "cat /data/test.txt"
azure file storage
You can see the test.txt file via the Storage Explorer in the Azure portal.