add dynamic provisioning

umagnus · umagnus · commit 2e2b0402fe72 · 2024-07-11T02:40:38.000Z
diff --git a/deploy/example/mountstorage/README.md b/deploy/example/mountstorage/README.md
@@ -17,28 +17,28 @@ You can also use a different managed-identity for different persistent volumes (
 
 - Create a storage account container, e.g.
     ```bash
-    resourcegroup="aks-fuseblob-mi"
+    resourcegroup="blobfuse-mi"
     storageaccountname="myaksblob"
     az storage account create -g "$resourcegroup" -n "$storageaccountname" --access-tier Hot  --sku Standard_LRS
     az storage container create -n mycontainer --account-name "$storageaccountname" --public-access off
     ```
 
-## option#1: grant kubelet identity access to storage account
+## Option#1: grant kubelet identity access to storage account
 
 1. Give kubelet identity access to storage account
     ```bash
     aksnprg="$(az aks list -g "$resourcegroup" --query "[?name == '$aksname'].nodeResourceGroup" -o tsv)"
-    kloid="$(az identity list -g "$aksnprg" --query "[?name == 'aks-fuseblob-mi-agentpool'].principalId" -o tsv)"
+    kloid="$(az identity list -g "$aksnprg" --query "[?name == 'blobfuse-mi-agentpool'].principalId" -o tsv)"
     said="$(az storage account list -g "$resourcegroup" --query "[?name == '$storageaccountname'].id" -o tsv)"
     az role assignment create --assignee-object-id "$kloid" --role "Storage Blob Data Owner" --scope "$said"
     ```
 
 1. Get the clientID of kubelet identity
     ```bash
-    az identity list -g "$resourcegroup" --query "[?name == 'aks-fuseblob-mi-agentpool'].clientId" -o tsv
+    az identity list -g "$resourcegroup" --query "[?name == 'blobfuse-mi-agentpool'].clientId" -o tsv
     ```
 
-## option#2: grant a dedicated user-assigned managed identity access to storage account
+## Option#2: grant a dedicated user-assigned managed identity access to storage account
 You can use a dedicated user-assigned managed identity to mount the storage.
 
 1. Create user-assigned managed identity and give access to storage account
@@ -89,7 +89,7 @@ You can use a dedicated user-assigned managed identity to mount the storage.
         volumeHandle: pv-blob1
         volumeAttributes:
           protocol: fuse
-          resourceGroup: aks-fuseblob-mi
+          resourceGroup: blobfuse-mi
           storageAccount: myaksblob
           containerName: mycontainer
           AzureStorageAuthType: MSI
@@ -117,33 +117,41 @@ You can use a dedicated user-assigned managed identity to mount the storage.
     kind: Deployment
     metadata:
       labels:
-        app: nginx-app1
-      name: nginx-app1
+        app: nginx
+      name: deployment-blob
     spec:
       replicas: 1
       selector:
         matchLabels:
-          app: nginx-app1
+          app: nginx
       template:
         metadata:
           labels:
-            app: nginx-app1
+            app: nginx
+          name: deployment-blob
         spec:
+          nodeSelector:
+            "kubernetes.io/os": linux
           containers:
-          - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-            name: webapp
-            imagePullPolicy: Always
-            resources: {}
-            ports:
-              - containerPort: 80
-            volumeMounts:
-              - name: pvc-blob1
-                mountPath: /usr/share/nginx/html
-          volumes: 
-            - name: pvc-blob1 
-              persistentVolumeClaim: 
-                claimName:  pvc-blob1
-    status: {}
+            - name: deployment-blob
+              image: mcr.microsoft.com/oss/nginx/nginx:1.17.3-alpine
+              command:
+                - "/bin/sh"
+                - "-c"
+                - while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done
+              volumeMounts:
+                - name: blob
+                  mountPath: "/mnt/blob"
+                  readOnly: false
+          volumes:
+            - name: blob
+              persistentVolumeClaim:
+                claimName: pvc-blob1
+      strategy:
+        rollingUpdate:
+          maxSurge: 0
+          maxUnavailable: 1
+        type: RollingUpdate
     ```
 
 1. Apply the yaml files
@@ -154,12 +162,56 @@ You can use a dedicated user-assigned managed identity to mount the storage.
     kubectl get pv
     kubectl get pvc
 
-    # create deployment and service
+    # create deployment
     kubectl apply -f deployment.yaml
     # check pod
     kubectl get pods
     ```
 
+# dynamic provisioning in an existing resource group
+
+1. Grant cluster system assigned identity and kubelet identity `Contributor` role to resource group, if mount in an existing storage account, then should also grant identity to storage account
+
+1. Grant kubelet identity `Storage Blob Data Owner` role to resource group to mount blob storage, if mount in an existing storage account, then should also grant identity to storage account
+
+1. Create a storage class and give an existing resource group, CSI will create a new storage account when `storageAccount` is not provided.
+    ```yml
+    apiVersion: storage.k8s.io/v1
+    kind: StorageClass
+    metadata:
+      name: blob-fuse
+    provisioner: blob.csi.azure.com
+    parameters:
+      skuName: Premium_LRS 
+      protocol: fuse
+      resourceGroup: EXISTING_RESOURCE_GROUP_NAME
+      storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, if use existing storage account
+      containerName: EXISTING_CONTAINER_NAME # optional, if use existing container
+      AzureStorageAuthType: MSI
+      AzureStorageIdentityClientID: "xxxxx-xxxx-xxx-xxx-xxxxxxx"
+    reclaimPolicy: Delete
+    volumeBindingMode: Immediate
+    allowVolumeExpansion: true
+    mountOptions:
+      - -o allow_other
+      - --file-cache-timeout-in-seconds=120
+      - --use-attr-cache=true
+      - --cancel-list-on-mount-seconds=10  # prevent billing charges on mounting
+      - -o attr_timeout=120
+      - -o entry_timeout=120
+      - -o negative_timeout=120
+      - --log-level=LOG_WARNING  # LOG_WARNING, LOG_INFO, LOG_DEBUG
+      - --cache-size-mb=1000  # Default will be 80% of available memory, eviction will happen beyond that.
+    ```
+
+1. Using dynamic provisioning
+    ```console
+    # create pvc and deployment
+    kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/deploy/example/deployment.yaml
+    # check pod
+    kubectl get pods
+    ```
+
 # how to add another pv with a dedicated user-assigned identity?
 
 1. Create another user-assigned managed identity and give access to storage account
@@ -208,7 +260,7 @@ You can use a dedicated user-assigned managed identity to mount the storage.
         volumeHandle: pv-blob2
         volumeAttributes:
           protocol: fuse
-          resourceGroup: aks-fuseblob-mi
+          resourceGroup: blobfuse-mi
           storageAccount: myaksblob
           containerName: mycontainer
           AzureStorageAuthType: MSI
diff --git a/deploy/example/mountstorage/deployment.yaml b/deploy/example/mountstorage/deployment.yaml
@@ -2,46 +2,38 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   labels:
-    app: nginx-app1
-  name: nginx-app1
+    app: nginx
+  name: deployment-blob
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: nginx-app1
+      app: nginx
   template:
     metadata:
       labels:
-        app: nginx-app1
+        app: nginx
+      name: deployment-blob
     spec:
+      nodeSelector:
+        "kubernetes.io/os": linux
       containers:
-      - image: mcr.microsoft.com/oss/nginx/nginx:1.19.5
-        name: webapp
-        imagePullPolicy: Always
-        resources: {}
-        ports:
-          - containerPort: 80
-        volumeMounts:
-          - name: pvc-blob1
-            mountPath: /usr/share/nginx/html
-      volumes: 
-        - name: pvc-blob1 
-          persistentVolumeClaim: 
-            claimName:  pvc-blob1
-status: {}
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: nginx-app1
-  labels:
-    run: nginx-app1
-spec:
-  ports:
-  - port: 80
-    protocol: TCP
-  selector:
-    app: nginx-app1
-  type: LoadBalancer
+        - name: deployment-blob
+          image: mcr.microsoft.com/oss/nginx/nginx:1.17.3-alpine
+          command:
+            - "/bin/sh"
+            - "-c"
+            - while true; do echo $(date) >> /mnt/blob/outfile; sleep 1; done
+          volumeMounts:
+            - name: blob
+              mountPath: "/mnt/blob"
+              readOnly: false
+      volumes:
+        - name: blob
+          persistentVolumeClaim:
+            claimName: pvc-blob1
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+    type: RollingUpdate
diff --git a/deploy/example/mountstorage/storageclass-blobfuse-resourcegroup.yaml b/deploy/example/mountstorage/storageclass-blobfuse-resourcegroup.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: blob-fuse
+provisioner: blob.csi.azure.com
+parameters:
+  skuName: Premium_LRS 
+  protocol: fuse
+  resourceGroup: EXISTING_RESOURCE_GROUP_NAME
+  storageAccount: EXISTING_STORAGE_ACCOUNT_NAME # optional, if use existing storage account
+  containerName: EXISTING_CONTAINER_NAME # optional, if use existing container
+  AzureStorageAuthType: MSI
+  AzureStorageIdentityClientID: "92926dfd-e61b-4730-85ab-5be73b374e82"
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+mountOptions:
+  - -o allow_other
+  - --file-cache-timeout-in-seconds=120
+  - --use-attr-cache=true
+  - --cancel-list-on-mount-seconds=10  # prevent billing charges on mounting
+  - -o attr_timeout=120
+  - -o entry_timeout=120
+  - -o negative_timeout=120
+  - --log-level=LOG_WARNING  # LOG_WARNING, LOG_INFO, LOG_DEBUG
+  - --cache-size-mb=1000  # Default will be 80% of available memory, eviction will happen beyond that.
