[feature-1091]: Update Authorization Redis storage class and proxy server address information #964

Merged
merged 4 commits into from
Feb 2, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -75,9 +75,9 @@ deployment.apps/proxy-server restarted

## Tenants, Quota, and Volume ownership

Redis is used to store application data regarding [tenants, quota, and volume ownership](../../design#quota--volume-ownership) with the Storage Class specified in the `redis.storageClass` parameter in the values file, or with the default Storage Class if that parameter was not specified.
Redis is used to store application data regarding [tenants, quota, and volume ownership](../../design#quota--volume-ownership) with the Storage Class `csm-authorization-local-storage` or the one specified in the `redis.storageClass` parameter in the values file.

The Persistent Volume for Redis is dynamically provisioned by this Storage Class with the `redis-primary-pv-claim` Persistent Volume Claim. See the example.
The Persistent Volume for Redis is provisioned by the above Storage Class with the `redis-primary-pv-claim` Persistent Volume Claim. See the example.

```bash
kubectl get persistentvolume
Expand Down
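Review bot: the new default Storage Class `csm-authorization-local-storage` appears here without saying where it comes from; state whether the Helm chart or Operator creates it or whether it must exist before install. Since "dynamically" was dropped from the provisioning sentence, also say how its Persistent Volume is provisioned, and if it is node-local, note that the tenant, quota and volume-ownership data in Redis then lives on a single node and needs a backup plan.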
Expand Up @@ -55,7 +55,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Helm**

Refer to the [Install the Driver](../../../csidriver/installation/helm/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.

- Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
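Review bot: the link target moves from `../../../csidriver/installation/helm/powerflex/` to `../../../deployment/helm/drivers/installation/powerflex/`; please confirm the new path renders in the site build and grep the rest of the docs for remaining `csidriver/installation/helm/` links so they are all updated in one change rather than file by file.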

Expand All @@ -78,7 +78,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Operator**

Refer to the [Create Secret](../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `config.yaml` to configure the driver to communicate with the CSM Authorization sidecar.
Refer to the [Create Secret](../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar.

- Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.

Expand All @@ -102,13 +102,13 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

**Helm**

Refer to the [Install the Driver](../../../csidriver/installation/helm/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.
Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization.

- Update `authorization.enabled` to `true`.

- Update `images.authorization` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server.
- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update `authorization.skipCertificateValidation` to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.
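Review bot: `csm-authorization.com` is a public-looking domain name, so a user who leaves it unchanged gets a sidecar that tries to reach whatever that name resolves to, and with `authorization.skipCertificateValidation` set to `true` nothing would flag the wrong endpoint. Prefer a reserved placeholder such as `csm-authorization.example` or bracket it like the `<ingress-controller-port>` placeholders used elsewhere in this PR, and add one sentence that `skipCertificateValidation` should stay `false` outside test setups. Also write the parameter as `authorization.proxyHost` in backticks rather than bare "proxyHost".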

Expand Down Expand Up @@ -144,7 +144,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization

- Update the `image` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server.
- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update the `SKIP_CERTIFICATE_VALIDATION` environment value to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

Expand Down
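Review bot: in this Operator list the sentence copied from the Helm section still says "placeholder for the proxyHost", but the value being edited here is the `PROXY_HOST` environment variable; reword to "`csm-authorization.com` is a placeholder for `PROXY_HOST`". The same wording is repeated in the other `PROXY_HOST` items in this PR.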
Expand Up @@ -51,13 +51,21 @@ Create the karavi-authorization-config secret using this command:
kubectl -n powermax create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f -
```

4. Enable CSM Authorization in the driver installation applicable to your installation method.
4. Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the CSM Authorization sidecar.

**Helm**

In [Install the Driver](../../../csidriver/installation/helm/powermax/#install-the-driver) where you edit `samples/secret/secret.yaml` with the credentials of the PowerMax, you can leave these with the default values as they will be ignored.
Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section where you edit `samples/secret/secret.yaml` with the credentials of the PowerMax. Leave `username` and `password` with the default values as they will be ignored.

Refer to the [Install the Driver](../../../csidriver/installation/helm/powermax/#install-the-driver) section to edit the parameters in `my-powermax-settings.yaml` file to configure the driver to communicate with the CSM Authorization sidecar.
**Operator**

Refer to the [Install the Driver](../../../deployment/csmoperator/drivers/powermax/#install-driver) section to prepare `powermax-creds.yaml`. Leave `username` and `password` with the default values as they will be ignored.

5. Enable CSM Authorization in the driver installation applicable to your installation method.

**Helm**

Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section to edit the parameters in `my-powermax-settings.yaml` file to configure the driver to communicate with the CSM Authorization sidecar.

- Update `global.storageArrays.endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
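Review bot: the Operator link uses the anchor `#install-driver` while every Helm link in this PR uses `#install-the-driver`; confirm the PowerMax Operator page's heading really produces `#install-driver`, otherwise the link just lands at the top of the page. Also, step 4 was split into steps 4 and 5, so check that the steps after this hunk were renumbered (the hunk only shows through step 5).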

Expand All @@ -67,7 +75,7 @@ Create the karavi-authorization-config secret using this command:

- Update `images.authorization` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server.
- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update `authorization.skipCertificateValidation` to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.
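Review bot: "See the administrator of CSM for Authorization for the correct value" reads as if it points to a document; "Contact the CSM for Authorization administrator for the correct value" is clearer. The same sentence is added to each `proxyHost` and `PROXY_HOST` item in this PR, so fix it everywhere at once.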

Expand Down Expand Up @@ -110,7 +118,7 @@ Create the karavi-authorization-config secret using this command:

- Update the `image` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server.
- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update the `SKIP_CERTIFICATE_VALIDATION` environment value to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

Expand Down
Expand Up @@ -56,7 +56,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file=

**Helm**

Refer to the [Install the Driver](../../../csidriver/installation/helm/isilon/#install-the-driver) section to edit the parameters in `samples/secret/secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar.
Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters to prepare the `samples/secret/secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar.

- Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`.
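Review bot: "edit the parameters to prepare the `samples/secret/secret.yaml` file to configure the driver to communicate" stacks three infinitives; suggest "to prepare the `samples/secret/secret.yaml` file so that the driver communicates with the CSM Authorization sidecar", matching the PowerFlex wording in this PR.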

Expand Down Expand Up @@ -110,13 +110,13 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file=

**Helm**

Refer to the [Install the Driver](../../../csidriver/installation/helm/isilon/#install-the-driver) section to edit the parameters in `my-isilon-settings.yaml` file to enable CSM Authorization.
Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters in `my-isilon-settings.yaml` file to enable CSM Authorization.

- Update `authorization.enabled` to `true`.

- Update `images.authorization` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server.
- Update `authorization.proxyHost` to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update `authorization.skipCertificateValidation` to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

Expand Down Expand Up @@ -152,7 +152,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file=

- Update the `image` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value.

- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server.
- Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value.

- Update the `SKIP_CERTIFICATE_VALIDATION` environment value to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server.

Expand Down
Expand Up @@ -14,9 +14,23 @@ The storage administrator must first configure Authorization with the following
- Roles
- Role bindings

The address of the Authorization proxy-server must be specified when executing `karavictl`.

For the `RPM deployment`, the address is the DNS-hostname of the machine where the RPM is installed.

For the `Helm/Operator deployment`, the address is exposed via LoadBalancer/NodePort by the Ingress Controller consuming the proxy-server Ingress. By default, this is the NGINX Ingress Controller.

```
# kubectl -n authorization get ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
proxy-server nginx csm-authorization.com,<other hosts> 00, 000 2m35s
# kubectl -n authorization get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
authorization-ingress-nginx-controller LoadBalancer 00.000.000.000 <pending> 00:00000/TCP,000:00000/TCP 30s
```

>__Note__:
> - The address of the Authorization proxy-server must be specified when executing `karavictl`. For the `RPM deployment`, the address is the DNS-hostname of the machine where the RPM
is installed. For the `Helm/Operator deployment`, the address is the Ingress host of the `proxy-server` with the port of the exposed Ingress Controller.
In clusters where there is no integrated LoadBalancer, the `EXTERNAL-IP` field is `<pending>`, so you must use the NodePort address.

### Configuring Admin Token
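Review bot: the new paragraphs (RPM address vs Helm/Operator address) restate the Note block just below them, which now only adds the `<pending>`/NodePort sentence; keep one copy. In the sample output, `00, 000` under ADDRESS and `00.000.000.000`, `00:00000/TCP` are easy to misread as real values; use bracketed placeholders (`<address>`, `<port>:<nodeport>/TCP`) consistent with `<other hosts>` on the same lines. The fence should also be tagged ```bash like the rest of the file, and the Note's two continuation lines are missing the leading `>`.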

Expand Down Expand Up @@ -53,12 +67,12 @@ $ cat admintoken.yaml

A `storage` entity in CSM Authorization consists of the storage type (PowerFlex, PowerMax, PowerScale), the system ID, the API endpoint, and the credentials. For example, to create PowerFlex storage:

#RPM Deployment
#### RPM Deployment
```bash

karavictl storage create --type powerflex --endpoint ${powerflexIP} --system-id ${systemID} --user ${user} --password ${password} --array-insecure --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash

karavictl storage create --type powerflex --endpoint ${powerflexIP} --system-id ${systemID} --user ${user} --password ${password} --array-insecure --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
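Review bot: the heading fix is right, but the blank line left directly after ```bash in both blocks (and in the tenant, rolebinding and token hunks below) renders as an empty first line in the code box; drop it. While here, both examples pass `--array-insecure --insecure`, which by their names skip certificate validation for the array and for the proxy-server; a one-line note next to the first command that these flags are for test setups, and that production installs should trust the CA instead, would help readers who copy the command as-is.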
Expand All @@ -75,12 +89,12 @@ karavictl storage create --type powerflex --endpoint ${powerflexIP} --system-id
### Configuring Tenants

A `tenant` is a Kubernetes cluster that a role will be bound to. For example, to create a tenant named `Finance`:
#RPM Deployment
#### RPM Deployment
```bash

karavictl tenant create --name Finance --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash

karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
Expand All @@ -93,12 +107,12 @@ karavictl tenant create --name Finance --insecure --addr csm-authorization.com:<

> - For the Powerflex Pre-approved Guid feature, the `approvesdc` boolean flag is `true` by default. If the `approvesdc` flag is false for a tenant, the proxy server will deny the requests to approve SDC if the SDCs are already in not-approved state. Inorder to change this flag for an already created tenant, see `tenant update` command in CLI section.

#RPM Deployment
#### RPM Deployment
```bash

karavictl tenant create --name Finance --approvesdc=false --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash

karavictl tenant create --name Finance --approvesdc=false --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
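Review bot: the unchanged context line above these blocks has "Inorder" (should be "In order") and "Powerflex"/"Guid", which differ from the "PowerFlex" and "GUID" spellings used elsewhere; since this hunk already touches the section, fix them here.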
Expand All @@ -108,12 +122,12 @@ karavictl tenant create --name Finance --approvesdc=false --insecure --addr csm-

A `role` consists of a name, the storage to use, and the quota limit for the storage pool to be used. For example, to create a role named `FinanceRole` using the PowerFlex storage created above with a quota limit of 100GB in storage pool `myStoragePool`:

#RPM Deployment
#### RPM Deployment
```bash

karavictl role create --role=FinanceRole=powerflex=${systemID}=myStoragePool=100GB --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash
karavictl role create --role=FinanceRole=powerflex=${systemID}=myStoragePool=100GB --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
```
Expand All @@ -127,12 +141,12 @@ karavictl role create --role=FinanceRole=powerflex=${systemID}=myStoragePool=100

A `role binding` binds a role to a tenant. For example, to bind the `FinanceRole` to the `Finance` tenant:

#RPM Deployment
#### RPM Deployment
```bash

karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr DNS-hostname --admin-token admintoken.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash

karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml
Expand All @@ -147,12 +161,12 @@ karavictl rolebinding create --tenant Finance --role FinanceRole --insecure --ad

Once rolebindings are created, an access/refresh token pair can be created for the tenant. The storage admin is responsible for generating and sending the token to the Kubernetes tenant admin.

#RPM Deployment
#### RPM Deployment
```bash

karavictl generate token --tenant Finance --insecure --addr DNS-hostname --admin-token admintoken.yaml > token.yaml
```
#Helm/Operator Deployment
#### Helm/Operator Deployment
```bash

karavictl generate token --tenant Finance --insecure --addr csm-authorization.com:<ingress-controller-port> --admin-token admintoken.yaml > token.yaml
Expand Down
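Review bot: `token.yaml` written by `generate token` holds the tenant's access/refresh token pair, and the sentence above says the storage admin sends it to the tenant admin; add a sentence that the file is a credential and should be handled as one (restrictive file permissions, transfer over a secure channel, delete the local copy once delivered).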