diff --git a/content/docs/authorization/_index.md b/content/docs/authorization/_index.md index 04dc1f89d4..a1b5c26051 100644 --- a/content/docs/authorization/_index.md +++ b/content/docs/authorization/_index.md @@ -6,7 +6,7 @@ Description: > Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization --- -[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products. +[Container Storage Modules](https://github.com/dell/csm) (CSM) for Authorization is part of the open-source suite of Kubernetes storage enablers for Dell products. CSM for Authorization provides storage and Kubernetes administrators the ability to apply RBAC for Dell CSI Drivers. It does this by deploying a proxy between the CSI driver and the storage system to enforce role-based access and usage rules. 
@@ -14,55 +14,4 @@ Storage administrators of compatible storage platforms will be able to apply quo Kubernetes administrators will have an interface to create, delete, and manage roles/groups that storage rules may be applied. Administrators and/or users may then generate authentication tokens that may be used by tenants to use storage with proper access policies being automatically enforced. -The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator. - -![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization") - -## CSM for Authorization Capabilities -{{}} -| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore | -| - | - | - | - | - | - | -| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No | -| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No | -| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No | -{{
}} - -**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs). - -## Authorization Components Support Matrix -CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM. - -**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod. -To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic. - -## Roles and Responsibilities - -The CSM for Authorization CLI can be executed in the context of the following roles: -- Storage Administrators -- Kubernetes Tenant Administrators - -### Storage Administrators - -Storage Administrators can perform the following operations within CSM for Authorization - -- Tenant Management (create, get, list, delete, bind roles, unbind roles) -- Token Management (generate, revoke) -- Storage System Management (create, get, list, update, delete) -- Storage Access Roles Management (assign to a storage system with an optional quota) - -### Tenant Administrators - -Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests. - -### Workflow - -1) Tenant Admin requests storage from a Storage Admin. -2) Storage Admin uses CSM Authorization CLI to:
- a) Create a tenant resource.
- b) Create a role permitting desired storage access.
- c) Assign the role to the tenant and generate a token.
-3) Storage Admin returns a token to the Tenant Admin. -4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret. -5) Tenant Admin updates CSI driver with CSM Authorization sidecar module. - -![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow") +Currently, we have two versions of Authorization, **v1.x GA** and **v2.0 Tech Preview**. \ No newline at end of file diff --git a/content/docs/authorization/Backup and Restore/_index.md b/content/docs/authorization/v1.x GA/Backup and Restore/_index.md similarity index 100% rename from content/docs/authorization/Backup and Restore/_index.md rename to content/docs/authorization/v1.x GA/Backup and Restore/_index.md diff --git a/content/docs/authorization/Backup and Restore/helm/_index.md b/content/docs/authorization/v1.x GA/Backup and Restore/helm/_index.md similarity index 100% rename from content/docs/authorization/Backup and Restore/helm/_index.md rename to content/docs/authorization/v1.x GA/Backup and Restore/helm/_index.md diff --git a/content/docs/authorization/Backup and Restore/rpm/_index.md b/content/docs/authorization/v1.x GA/Backup and Restore/rpm/_index.md similarity index 100% rename from content/docs/authorization/Backup and Restore/rpm/_index.md rename to content/docs/authorization/v1.x GA/Backup and Restore/rpm/_index.md diff --git a/content/docs/authorization/v1.x GA/_index.md b/content/docs/authorization/v1.x GA/_index.md new file mode 100644 index 0000000000..21d8e269ef --- /dev/null +++ b/content/docs/authorization/v1.x GA/_index.md 
@@ -0,0 +1,62 @@ +--- +title: Authorization - v1.x GA +linktitle: v1.x GA +weight: 4 +Description: > + Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v1.x GA. +tags: + - csm-authorization +--- + +The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator. + +![CSM for Authorization](./karavi-authorization-example.png "CSM for Authorization") + +## CSM for Authorization Capabilities +{{}} +| Feature | PowerFlex | PowerMax | PowerScale | Unity XT | PowerStore | +| - | - | - | - | - | - | +| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No (natively supported) | No | No | +| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No (natively supported) | No | No | +| Ability to shield storage credentials from Kubernetes administrators ensuring credentials are only handled by storage admins | Yes | Yes | Yes | No | No | +{{
}} + +**NOTE:** PowerScale OneFS implements its own form of Role-Based Access Control (RBAC). CSM for Authorization does not enforce any role-based restrictions for PowerScale. To configure RBAC for PowerScale, refer to the PowerScale OneFS [documentation](https://www.dell.com/support/home/en-us/product-support/product/isilon-onefs/docs). + +## Authorization Components Support Matrix +CSM for Authorization consists of 2 components - The authorization sidecar, bundled with the driver, communicates with the Authorization proxy server to validate access to Storage platforms. The authorization sidecar is backward compatible with older Authorization proxy server versions. However, it is highly recommended to have the Authorization proxy server and sidecar installed from the same release of CSM. + +**NOTE:** If the deployed CSI driver has a number of controller pods equal to the number of schedulable nodes in your cluster, CSM for Authorization may not be able to inject properly into the driver's controller pod. +To resolve this, please refer to our [troubleshooting guide](./troubleshooting) on the topic. + +## Roles and Responsibilities + +The CSM for Authorization CLI can be executed in the context of the following roles: +- Storage Administrators +- Kubernetes Tenant Administrators + +### Storage Administrators + +Storage Administrators can perform the following operations within CSM for Authorization + +- Tenant Management (create, get, list, delete, bind roles, unbind roles) +- Token Management (generate, revoke) +- Storage System Management (create, get, list, update, delete) +- Storage Access Roles Management (assign to a storage system with an optional quota) + +### Tenant Administrators + +Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests. + +### Workflow + +1) Tenant Admin requests storage from a Storage Admin. +2) Storage Admin uses CSM Authorization CLI to:
+ a) Create a tenant resource.
+ b) Create a role permitting desired storage access.
+ c) Assign the role to the tenant and generate a token.
+3) Storage Admin returns a token to the Tenant Admin. +4) Tenant Admin inputs the Token into their Kubernetes cluster as a Secret. +5) Tenant Admin updates CSI driver with CSM Authorization sidecar module. + +![CSM for Authorization Workflow](./design2.png "CSM for Authorization Workflow") diff --git a/content/docs/authorization/cli.md b/content/docs/authorization/v1.x GA/cli.md similarity index 100% rename from content/docs/authorization/cli.md rename to content/docs/authorization/v1.x GA/cli.md diff --git a/content/docs/authorization/configuration/_index.md b/content/docs/authorization/v1.x GA/configuration/_index.md similarity index 100% rename from content/docs/authorization/configuration/_index.md rename to content/docs/authorization/v1.x GA/configuration/_index.md diff --git a/content/docs/authorization/configuration/powerflex/_index.md b/content/docs/authorization/v1.x GA/configuration/powerflex/_index.md similarity index 86% rename from content/docs/authorization/configuration/powerflex/_index.md rename to content/docs/authorization/v1.x GA/configuration/powerflex/_index.md index 8a94fbe346..dd24f52ca4 100644 --- a/content/docs/authorization/configuration/powerflex/_index.md +++ b/content/docs/authorization/v1.x GA/configuration/powerflex/_index.md @@ -55,7 +55,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `samples/config.yaml` to configure the driver to communicate with the CSM Authorization sidecar. - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. 
@@ -78,7 +78,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization **Operator** - Refer to the [Create Secret](../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar. + Refer to the [Create Secret](../../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar. - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. @@ -102,7 +102,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powerflex/#install-the-driver) section to edit the parameters in `myvalues.yaml` to enable CSM Authorization. - Update `authorization.enabled` to `true`. @@ -136,7 +136,7 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization **Operator** - Refer to the [Install Driver](../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. + Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. Under `modules`, enable the module named `authorization`: 
@@ -172,4 +172,4 @@ Given a setup where Kubernetes, a storage system, and the CSM for Authorization 6. Install the Dell CSI PowerFlex driver following the appropriate documenation for your installation method. -7. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list. \ No newline at end of file +7. (Optional) Install [dellctl](../../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../../support/cli) for the installation steps and command list. diff --git a/content/docs/authorization/configuration/powermax/_index.md b/content/docs/authorization/v1.x GA/configuration/powermax/_index.md similarity index 83% rename from content/docs/authorization/configuration/powermax/_index.md rename to content/docs/authorization/v1.x GA/configuration/powermax/_index.md index ee70004f3c..cdcb91e4a2 100644 --- a/content/docs/authorization/configuration/powermax/_index.md +++ b/content/docs/authorization/v1.x GA/configuration/powermax/_index.md 
@@ -55,17 +55,17 @@ Create the karavi-authorization-config secret using this command: **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section where you edit `samples/secret/secret.yaml` with the credentials of the PowerMax. Leave `username` and `password` with the default values as they will be ignored. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section where you edit `samples/secret/secret.yaml` with the credentials of the PowerMax. Leave `username` and `password` with the default values as they will be ignored. **Operator** - Refer to the [Install the Driver](../../../deployment/csmoperator/drivers/powermax/#install-driver) section to prepare `powermax-creds.yaml`. Leave `username` and `password` with the default values as they will be ignored. + Refer to the [Install the Driver](../../../../deployment/csmoperator/drivers/powermax/#install-driver) section to prepare `powermax-creds.yaml`. Leave `username` and `password` with the default values as they will be ignored. 5. Enable CSM Authorization in the driver installation applicable to your installation method. **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section to edit the parameters in `my-powermax-settings.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/powermax/#install-the-driver) section to edit the parameters in `my-powermax-settings.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. - Update `global.storageArrays.endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. 
@@ -110,7 +110,7 @@ Create the karavi-authorization-config secret using this command: **Operator** - Refer to the [Install Driver](../../../deployment/csmoperator/drivers/powermax/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. + Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powermax/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. Under `modules`, enable the module named `authorization`: @@ -146,4 +146,4 @@ Create the karavi-authorization-config secret using this command: 5. Install the Dell CSI PowerMax driver following the appropriate documenation for your installation method. -6. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list. \ No newline at end of file +6. (Optional) Install [dellctl](../../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../../support/cli) for the installation steps and command list. diff --git a/content/docs/authorization/configuration/powerscale/_index.md b/content/docs/authorization/v1.x GA/configuration/powerscale/_index.md similarity index 86% rename from content/docs/authorization/configuration/powerscale/_index.md rename to content/docs/authorization/v1.x GA/configuration/powerscale/_index.md index b6bcb41c60..914e09a1cc 100644 --- a/content/docs/authorization/configuration/powerscale/_index.md +++ b/content/docs/authorization/v1.x GA/configuration/powerscale/_index.md 
@@ -56,7 +56,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file= **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters to prepare the `samples/secret/secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters to prepare the `samples/secret/secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. @@ -82,7 +82,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file= **Operator** - Refer to the [Prerequisite](../../../deployment/csmoperator/drivers/powerscale/#prerequisite) section to prepare the `secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. + Refer to the [Prerequisite](../../../../deployment/csmoperator/drivers/powerscale/#prerequisite) section to prepare the `secret.yaml` file to configure the driver to communicate with the CSM Authorization sidecar. - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. @@ -110,7 +110,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file= **Helm** - Refer to the [Install the Driver](../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters in `my-isilon-settings.yaml` file to enable CSM Authorization. + Refer to the [Install the Driver](../../../../deployment/helm/drivers/installation/isilon/#install-the-driver) section to edit the parameters in `my-isilon-settings.yaml` file to enable CSM Authorization. - Update `authorization.enabled` to `true`. 
@@ -144,7 +144,7 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file= **Operator** - Refer to the [Install Driver](../../../deployment/csmoperator/drivers/powerscale/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. + Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powerscale/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. Under `modules`, enable the module named `authorization`: @@ -178,4 +178,4 @@ kubectl -n isilon create secret generic karavi-authorization-config --from-file= 6. Install the Dell CSI PowerScale driver following the appropriate documenation for your installation method. -7. (Optional) Install [dellctl](../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../support/cli) for the installation steps and command list. \ No newline at end of file +7. (Optional) Install [dellctl](../../../../support/cli/#installation-instructions) to perform Kubernetes administrator commands for additional capabilities (e.g., list volumes). Please refer to the [dellctl documentation page](../../../../support/cli) for the installation steps and command list. diff --git a/content/docs/authorization/configuration/proxy-server/_index.md b/content/docs/authorization/v1.x GA/configuration/proxy-server/_index.md similarity index 100% rename from content/docs/authorization/configuration/proxy-server/_index.md rename to content/docs/authorization/v1.x GA/configuration/proxy-server/_index.md diff --git a/content/docs/authorization/design.md b/content/docs/authorization/v1.x GA/design.md similarity index 100% rename from content/docs/authorization/design.md rename to content/docs/authorization/v1.x GA/design.md 
diff --git a/content/docs/authorization/design1.png b/content/docs/authorization/v1.x GA/design1.png similarity index 100% rename from content/docs/authorization/design1.png rename to content/docs/authorization/v1.x GA/design1.png diff --git a/content/docs/authorization/design2.png b/content/docs/authorization/v1.x GA/design2.png similarity index 100% rename from content/docs/authorization/design2.png rename to content/docs/authorization/v1.x GA/design2.png diff --git a/content/docs/authorization/karavi-authorization-example.png b/content/docs/authorization/v1.x GA/karavi-authorization-example.png similarity index 100% rename from content/docs/authorization/karavi-authorization-example.png rename to content/docs/authorization/v1.x GA/karavi-authorization-example.png diff --git a/content/docs/authorization/release/_index.md b/content/docs/authorization/v1.x GA/release/_index.md similarity index 100% rename from content/docs/authorization/release/_index.md rename to content/docs/authorization/v1.x GA/release/_index.md diff --git a/content/docs/authorization/troubleshooting.md b/content/docs/authorization/v1.x GA/troubleshooting.md similarity index 100% rename from content/docs/authorization/troubleshooting.md rename to content/docs/authorization/v1.x GA/troubleshooting.md diff --git a/content/docs/authorization/v2.0 Tech Preview/_index.md b/content/docs/authorization/v2.0 Tech Preview/_index.md new file mode 100644 index 0000000000..895f5e024a --- /dev/null +++ b/content/docs/authorization/v2.0 Tech Preview/_index.md 
@@ -0,0 +1,53 @@ +--- +title: Authorization - v2.0 Tech Preview +linktitle: v2.0 Tech Preview +weight: 4 +Description: > + Dell Technologies (Dell) Container Storage Modules (CSM) for Authorization v2.0 Tech Preview. +tags: + - csm-authorization +--- + +>> NOTE: This tech-preview release is not intended for use in production environment. + +>> NOTE: Only supported on PowerFlex. + +The following diagram shows a high-level overview of CSM for Authorization with a `tenant-app` that is using a CSI driver to perform storage operations through the CSM for Authorization `proxy-server` to access the a Dell storage system. All requests from the CSI driver will contain the token for the given tenant that was granted by the Storage Administrator. + +![HA CSM Authorization](authorization-ha-example.png) + +This is the introduction to a Stateless Architecture for Authorization. The creation of storage, roles, and tenants is done through Custom Resources (CRs) which are tracked and contained within CSM Authorization. The underlying communication is consistent with the previous architecture which makes the creation of volumes and snapshots seamless. + +## CSM for Authorization Capabilities +{{}} +| Feature | PowerFlex | PowerMax | PowerScale | +| ----------------------------------------------------------------------------------------------------------------------------- | --------- | -------- | ---------- | +| Ability to set storage quota limits to ensure k8s tenants are not overconsuming storage | Yes | Yes | No | +| Ability to create access control policies to ensure k8s tenant clusters are not accessing storage that does not belong to them | Yes | Yes | No | +| Ability to shield storage credentials from Kubernetes administrators by storing them in vault | Yes | No | No | +| Ability to create snapshots from owned volumes that consume the storage quota | Yes | No | No | +| Ability to periodically query storage array to keep quota consumption in sync | Yes | No | No | +{{
}} + +## Roles and Responsibilities + +The Stateless CSM Authorization contains the following roles: +- Storage Administrators +- Kubernetes Tenant Administrators + +### Storage Administrators + +Storage Administrators perform the following: + +- Storage System Management (create, get, delete) +- Role Management (create, get, delete) +- Tenant Management (create, get, delete) +- Token Management (create, revoke) + +For more information on the configuration of the above, see the configuration of the [Proxy Server](../v2.0-tech-preview/configuration/proxy-server/#configuring-storage). + +### Tenant Administrators + +Tenants of CSM for Authorization can use the token provided by the Storage Administrators in their storage requests. + +For more information on how to use the token and configuration, see configuration for the [PowerFlex driver](../v2.0-tech-preview/configuration/powerflex). \ No newline at end of file diff --git a/content/docs/authorization/v2.0 Tech Preview/authorization-ha-example.png b/content/docs/authorization/v2.0 Tech Preview/authorization-ha-example.png new file mode 100644 index 0000000000..5b8efc09e4 Binary files /dev/null and b/content/docs/authorization/v2.0 Tech Preview/authorization-ha-example.png differ diff --git a/content/docs/authorization/v2.0 Tech Preview/configuration/_index.md b/content/docs/authorization/v2.0 Tech Preview/configuration/_index.md new file mode 100644 index 0000000000..ce03f60cec --- /dev/null +++ b/content/docs/authorization/v2.0 Tech Preview/configuration/_index.md @@ -0,0 +1,8 @@ +--- +title: Configuration +linktitle: Configuration +weight: 2 +description: Configure CSM Authorization +--- + +This section provides the details and instructions on how to configure CSM Authorization. \ No newline at end of file 
diff --git a/content/docs/authorization/v2.0 Tech Preview/configuration/powerflex/_index.md b/content/docs/authorization/v2.0 Tech Preview/configuration/powerflex/_index.md new file mode 100644 index 0000000000..a42ee87564 --- /dev/null +++ b/content/docs/authorization/v2.0 Tech Preview/configuration/powerflex/_index.md 
@@ -0,0 +1,117 @@ +--- +title: PowerFlex +linktitle: PowerFlex +description: > + Enabling CSM Authorization for PowerFlex CSI Driver +--- + +## Configuring PowerFlex CSI Driver with CSM for Authorization + +Given a setup where Kubernetes, a storage system, and the CSM for Authorization Proxy Server are deployed, follow these steps to configure the CSI Drivers to work with the Authorization sidecar: + +1. Apply the secret containing the tenant token data into the driver namespace. It's assumed that the Kubernetes administrator has the token secret manifest, generated by your storage administrator via [Generate a Token](../proxy-server/#generate-a-token), saved in `/tmp/token.yaml`. + + ```bash + kubectl apply -f /tmp/token.yaml -n vxflexos + ``` + + This takes the assumption that Powerflex will be installed in the `vxflexos` namespace. + +2. Edit these parameters in `samples/secret/karavi-authorization-config.json` file in the [CSI PowerFlex](https://github.com/dell/csi-powerflex/tree/main/samples) driver and update/add connection information for one or more backend storage arrays. In an instance where multiple CSI drivers are configured on the same Kubernetes cluster, the port range in the *endpoint* parameter must be different for each driver. + + | Parameter | Description | Required | Default | + | --------- | ----------- | -------- |-------- | + | username | Username for connecting to the backend storage array. This parameter is ignored. | No | - | + | password | Password for connecting to to the backend storage array. This parameter is ignored. | No | - | + | intendedEndpoint | HTTPS REST API endpoint of the backend storage array. | Yes | - | + | endpoint | HTTPS localhost endpoint that the authorization sidecar will listen on. | Yes | https://localhost:9400 | + | systemID | System ID of the backend storage array. | Yes | " " | + | skipCertificateValidation | A boolean that enables/disables certificate validation of the backend storage array. 
This parameter is not used. | No | true | + | isDefault | A boolean that indicates if the array is the default array. This parameter is not used. | No | default value from values.yaml | + + Create the karavi-authorization-config secret using this command: + + ```bash + + kubectl -n vxflexos create secret generic karavi-authorization-config --from-file=config=samples/secret/karavi-authorization-config.json -o yaml --dry-run=client | kubectl apply -f - + ``` + +3. Create the proxy-server-root-certificate secret. + + If running in *insecure* mode, create the secret with empty data: + + ```bash + + kubectl -n vxflexos create secret generic proxy-server-root-certificate --from-literal=rootCertificate.pem= -o yaml --dry-run=client | kubectl apply -f - + ``` + + Otherwise, create the proxy-server-root-certificate secret with the appropriate file: + + ```bash + + kubectl -n vxflexos create secret generic proxy-server-root-certificate --from-file=rootCertificate.pem=/path/to/rootCA -o yaml --dry-run=client | kubectl apply -f - + ``` + +4. Prepare the driver configuration secret, applicable to your driver installation method, to communicate with the CSM Authorization sidecar. + + **Operator** + + Refer to the [Create Secret](../../../../deployment/csmoperator/drivers/powerflex/#create-secret) section to prepare `secret.yaml` to configure the driver to communicate with the CSM Authorization sidecar. + + - Update `endpoint` to match the localhost endpoint in `samples/secret/karavi-authorization-config.json`. + + - Update `skipCertificateValidation` to `true`. + + - The `username` and `password` can be any value since they will be ignored. + + Example: + + ```yaml + - username: "ignored" + password: "ignored" + systemID: "ID2" + endpoint: "https://localhost:9400" + skipCertificateValidation: true + isDefault: true + mdm: "10.0.0.3,10.0.0.4" + ``` + +5. Enable CSM Authorization in the driver installation applicable to your installation method. 
+ + **Operator** + + Refer to the [Install Driver](../../../../deployment/csmoperator/drivers/powerflex/#install-driver) section to edit the parameters in the Custom Resource to enable CSM Authorization. + + Under `modules`, enable the module named `authorization`: + + - Update the `enabled` field to `true.` + + - Update the `image` to the image of the CSM Authorization sidecar. In most cases, you can leave the default value. + + - Update the `PROXY_HOST` environment value to the hostname of the CSM Authorization Proxy Server. `csm-authorization.com` is a placeholder for the proxyHost. See the administrator of CSM for Authorization for the correct value. + + - Update the `SKIP_CERTIFICATE_VALIDATION` environment value to `true` or `false` depending on if you want to disable or enable certificate validation of the CSM Authorization Proxy Server. + + Example: + + ```yaml + modules: + # Authorization: enable csm-authorization for RBAC + - name: authorization + # enable: Enable/Disable csm-authorization + enabled: true + configVersion: v2.0.0-alpha + components: + - name: karavi-authorization-proxy + image: dellemc/csm-authorization-sidecar:v2.0.0-alpha + envs: + # proxyHost: hostname of the csm-authorization server + - name: "PROXY_HOST" + value: "csm-authorization.com" + + # skipCertificateValidation: Enable/Disable certificate validation of the csm-authorization server + - name: "SKIP_CERTIFICATE_VALIDATION" + value: "true" + ``` + +6. Install the Dell CSI PowerFlex driver following the appropriate documenation for your installation method. diff --git a/content/docs/authorization/v2.0 Tech Preview/configuration/proxy-server/_index.md b/content/docs/authorization/v2.0 Tech Preview/configuration/proxy-server/_index.md new file mode 100644 index 0000000000..3cb168e297 --- /dev/null +++ b/content/docs/authorization/v2.0 Tech Preview/configuration/proxy-server/_index.md 
@@ -0,0 +1,154 @@ +--- +title: Proxy Server +linktitle: Proxy Server +description: > + Configuring the CSM for Authorization Proxy Server +--- + +## Configuring the CSM for Authorization Proxy Server + +Run `kubectl -n authorization get ingress` and `kubectl -n authorization get service` to see the Ingress rules for these services and the exposed port for accessing these services via the LoadBalancer. For example: + +```bash +kubectl -n authorization get ingress +``` +``` +NAME CLASS HOSTS ADDRESS PORTS AGE +proxy-server nginx csm-authorization.com 00, 000 86s +``` +```bash +kubectl -n authorization get service +``` +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +authorization-cert-manager ClusterIP 00.000.000.000 000/TCP 28s +authorization-cert-manager-webhook ClusterIP 00.000.000.000 000/TCP 27s +authorization-ingress-nginx-controller LoadBalancer 00.000.000.000 00:00000/TCP,000:00000/TCP 27s +authorization-ingress-nginx-controller-admission ClusterIP 00.000.000.000 000/TCP 27s +proxy-server ClusterIP 00.000.000.000 000/TCP 28s +redis-csm ClusterIP 00.000.000.000 000/TCP 28s +rediscommander ClusterIP 00.000.000.000 000/TCP 27s +role-service ClusterIP 00.000.000.000 000/TCP 27s +sentinel ClusterIP 00.000.000.000 000/TCP 27s +storage-service ClusterIP 00.000.000.000 000/TCP 27s +tenant-service ClusterIP 00.000.000.000 000/TCP 28s +``` + +On the machine running `dellctl`, if the Ingress host is left default (`csm-authorization.com`) during installation or any of the hostnames don't resolve, the hostnames needs to be add to the `/etc/hosts` file. For example: + +```bash + csm-authorization.com +``` + +Afterwards, the storage administrator can configure Authorization with the following via Customer Resources (CRs): +- Storage systems +- Tenants +- Roles + +### Configuring Storage + +A `storage` entity in CSM Authorization consists of the storage type (PowerFlex), the system ID, the API endpoint, and the vault credentials path. 
For example, to create PowerFlex storage: + +```yaml +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: Storage +metadata: + name: powerflex +spec: + type: powerflex + endpoint: https://10.0.0.1 + systemID: 1000000000000000 + credentialStore: vault + credentialPath: storage/powerflex + skipCertificateValidation: true + pollInterval: 30s +``` + +>__Note__: +> - The `credentialStore` is the way that credentials for the storage array are stored. +> - The `credentialPath` is the location within the store that the credentials for the array are stored. + +### Configuring Roles + +A `role` consists of a name, the storage array to use, and the quota limit for the storage pool to be used. For example, to create a role named `role1` using the PowerFlex storage created above with a quota limit of 128GB in storage pool `myStoragePool`: + +```yaml +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: CSMRole +metadata: + labels: + app.kubernetes.io/name: role + app.kubernetes.io/instance: role-sample + app.kubernetes.io/part-of: csm-authorization + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: csm-authorization + name: role1 +spec: + quota: 128GB + systemID: 1000000000000000 + systemType: powerflex + pool: myStoragePool +``` + +>__Note__: +> - The `name` is the name of the role that will be used to bind with the tenant. +> - The `quota` is the amount of allocated space for the specified role. + +### Configuring Tenants + +A `tenant` is a Kubernetes cluster that a role will be bound to. 
For example, to create a tenant named `csmtenant-sample`: + +```yaml +apiVersion: csm-authorization.storage.dell.com/v1alpha1 +kind: CSMTenant +metadata: + labels: + app.kubernetes.io/name: csmtenant + app.kubernetes.io/instance: csmtenant-sample + app.kubernetes.io/part-of: csm-authorization + app.kubernetes.io/managed-by: kustomize + app.kubernetes.io/created-by: csm-authorization + name: csmtenant-sample +spec: + roles: role1 + approveSdc: false + revoke: false + # This prefix is added for each new volume provisioned by the tenant. + # It should not exceed 3 characters. Example: tn1 + volumePrefix: tn1 + +``` + +>__Note__: +> - The `roles` are a comma seperate list of roles that the tenant can be associated with. +> - The `volumePrefix` is the prefix that all volumes and snapshots will contain to show association with the tenant. +> - By creating a tenant, it will automatically bind with the roles for usage. + +### Generate a Token + +Once the tenant is created, an access/refresh token pair can be created for the tenant. The storage admin is responsible for generating and sending the token to the Kubernetes tenant admin. 
+ +```bash + dellctl generate token --addr csm-authorization.com: --insecure true --tenant --access-token-expiration 30m0s --refresh-token-expiration 1480h0m0s > token.yaml +``` + +`token.yaml` will have a Kubernetes secret manifest that looks like this: + +```yaml +apiVersion: v1 +data: + access: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKamMyMGlMQ0psZUhBaU9qRTNNVFkwTURRd016UXNJbWR5YjNWd0lqb2lZM050ZEdWdVlXNTBMWE5oYlhCc1pTSXNJbWx6Y3lJNkltTnZiUzVrWld4c0xtTnpiU0lzSW5KdmJHVnpJam9pY205c1pURWlMQ0p6ZFdJaU9pSmpjMjB0ZEdWdVlXNTBJbjAuRmtVTGotT01mSW9rN3ZWNmFKQURXR1dva1Bsd1huT2tZeWxSclZjN2F5Zw== + refresh: ZXlKaGJHY2lPaUpJVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SmhkV1FpT2lKamMyMGlMQ0psZUhBaU9qRTNNakUzTXpBeU16UXNJbWR5YjNWd0lqb2lZM050ZEdWdVlXNTBMWE5oYlhCc1pTSXNJbWx6Y3lJNkltTnZiUzVrWld4c0xtTnpiU0lzSW5KdmJHVnpJam9pY205c1pURWlMQ0p6ZFdJaU9pSmpjMjB0ZEdWdVlXNTBJbjAudWRYSFZ3MGg1dTdoTjZaVGJlNHgyYXRMWWhIamQta1ZtTFBVUHpXOHNIaw== +kind: Secret +metadata: + creationTimestamp: null + name: proxy-authz-tokens +type: Opaque +``` + +This secret must be applied in the driver namespace. + +>__Note__: +> - The `insecure` flag specifies to skip certificate validation when connecting to the Authorization proxy-server. +> - The `addr` flag is the address of the Authorization proxy-server. +> - The `tenant` flag specifies which tenant to generate the token for. diff --git a/content/docs/authorization/v2.0 Tech Preview/use_cases.md b/content/docs/authorization/v2.0 Tech Preview/use_cases.md new file mode 100644 index 0000000000..ae46846183 --- /dev/null +++ b/content/docs/authorization/v2.0 Tech Preview/use_cases.md 
@@ -0,0 +1,34 @@ +--- +title: Use Cases +linktitle: Use Cases +weight: 1 +description: > + Use cases for Stateless Authorization +--- + +After Authorization is installed and the PowerFlex driver has been configured with a valid tenant, similar to the the previous architecture, all volume creations will be verified to ensure that the volume fits within the tenants quota. In addition, the support of snapshots is introduced within this version of Authorization. This means that all snapshots created from a volume from the tenant will go through similar verification. + +## Snapshot Support + +As stated above, all snapshot requests that are associated with a volume that has been approved and created will go through a similar authorization processes ensuring that the snapshot fits within the allotted quota. + +```yaml +apiVersion: snapshot.storage.k8s.io/v1 +kind: VolumeSnapshot +metadata: + name: vol1-snapshot +spec: + volumeSnapshotClassName: vxflexos-snapclass + source: + persistentVolumeClaimName: vol1 +``` + +This will take a snapshot of the `persistent volume claim` named `vol1`. CSM Authorization will verify ownership with Redis to ensure that the tenant who is attempting to create the snapshot owns the `vol1` volume. If the tenant does own the volume, authorization will proceed to check to see if the snapshot fits within the allotted quota and add a record if it does. + +## Backend Storage Polling + +A configurable polling mechanism has been introduced to ensure that the tenant and Redis are always in sync with the backend storage configured. This is determined by the [volumePrefix](../configuration/proxy-server/#configuring-tenants) specified for the `tenant`. During polling, for each of the tenants and roles, the storage service will ensure that nothing has been removed or added by the storage admin which would lead to Redis being out of sync. 
+ +If a volume is created with the matching `volumePrefix`, the new entry will be added to Redis and the available quota will be consumed accordingly. Similarly, if a snapshot is created from a volume that is owned by the tenant in the backend storage array, that will be added to Redis. + +Lastly, if there is any deletion on the backend storage array of a volume or snapshot that is owned by the tenant, that entry will be deleted from Redis and the available capacity will reflect accordingly. \ No newline at end of file diff --git a/content/docs/deployment/csmoperator/modules/authorization.md b/content/docs/deployment/csmoperator/modules/authorization.md index c8b831286a..dadcd4548f 100644 --- a/content/docs/deployment/csmoperator/modules/authorization.md +++ b/content/docs/deployment/csmoperator/modules/authorization.md 
@@ -16,15 +16,16 @@ To deploy the Operator, follow the instructions available [here](../../#installa ### Prerequisite -1. Execute `kubectl create namespace authorization` to create the authorization namespace (if not already present). Note that the namespace can be any user-defined name, in this example, we assume that the namespace is 'authorization'. +1. [Install Vault or configure an existing Vault](#vault-server-installation). -2. Install cert-manager CRDs -```bash +2. Execute `kubectl create namespace authorization` to create the authorization namespace (if not already present). Note that the namespace can be any user-defined name, in this example, we assume that the namespace is 'authorization'. -kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml -``` +3. Install cert-manager CRDs + ```bash + kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml + ``` -3. Prepare [samples/authorization/config.yaml](https://github.com/dell/csm-operator/blob/main/samples/authorization/config.yaml) which contains the JWT signing secret. The following table lists the configuration parameters. +4. Prepare [samples/authorization/config.yaml](https://github.com/dell/csm-operator/blob/main/samples/authorization/config.yaml) which contains the JWT signing secret. The following table lists the configuration parameters. | Parameter | Description | Required | Default | | --------- | ------------------------------------------------------------ | -------- | ------- | 
@@ -51,7 +52,7 @@ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/relea kubectl create secret generic karavi-config-secret -n authorization --from-file=config.yaml=samples/authorization/config.yaml -o yaml --dry-run=client | kubectl replace -f - ``` -4. Create the [karavi-storage-secret](https://github.com/dell/csm-operator/blob/main/samples/authorization/karavi-storage-secret.yaml) to store storage system credentials. +5. Create the [karavi-storage-secret](https://github.com/dell/csm-operator/blob/main/samples/authorization/karavi-storage-secret.yaml) to store storage system credentials. Use this command to create the secret: @@ -62,6 +63,7 @@ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/relea >__Note__: > - If you are installing CSM Authorization in a different namespace than `authorization`, edit the `namespace` field in this file to your namespace. +> - Authorization v2.0 Tech Preview does not need the creation of the `karavi-storage-secret`. ### Install CSM Authorization Proxy Server 
@@ -73,19 +75,41 @@ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/relea | Parameter | Description | Required | Default | | --------- | ----------- | -------- |-------- | - | **authorization** | This section configures the CSM-Authorization components. | - | - | - | PROXY_HOST | The hostname to configure the self-signed certificate (if applicable), and the proxy service Ingress. | Yes | csm-authorization.com | - | PROXY_INGRESS_CLASSNAME | The ingressClassName of the proxy-service Ingress. | Yes | nginx | - | PROXY_INGRESS_HOSTS | Additional host rules to be applied to the proxy-service Ingress. | No | authorization-ingress-nginx-controller.authorization.svc.cluster.local | - | REDIS_STORAGE_CLASS | The storage class for Redis to use for persistence. If not supplied, a locally provisioned volume is used. | No | - | - | **ingress-nginx** | This section configures the enablement of the NGINX Ingress Controller. | - | - | - | enabled | Enable/Disable deployment of the NGINX Ingress Controller. Set to false if you already have an Ingress Controller installed. | No | true | + | openshift | For OpenShift Container Platform only: Enable/Disable use of the OpenShift Ingress Controller. Set to false if you already have an Ingress Controller installed. | No | False | + | **nginx** | This section configures the enablement of the NGINX Ingress Controller. | - | - | + | enabled | For Kubernetes Container Platform only: Enable/Disable deployment of the NGINX Ingress Controller. Set to false if you already have an Ingress Controller installed. | No | true | | **cert-manager** | This section configures the enablement of cert-manager. | - | - | | enabled | Enable/Disable deployment of cert-manager. Set to false if you already have cert-manager installed. | No | true | + | **authorization** | This section configures the CSM-Authorization components. 
| - | - | + | certificate | The base64-encoded certificate for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate. | No | - | + | privateKey | The base64-encoded private key for the certificate/private-key to configure the proxy-service Ingress. Leave empty to use self-signed certificate. | No | - | + | hostname | The hostname to configure the self-signed certificate (if applicable), and the proxy service Ingress. | No | csm-authorization.com | + | proxyServerIngress.ingressClassName | The ingressClassName of the proxy-service Ingress. | Yes | nginx | + | proxyServerIngress.hosts | Additional host rules to be applied to the proxy-service Ingress. | No | - | + | proxyServerIngress.annotations | Additional annotations for the proxy-service Ingress. | No | - | + | **redis** | This section configures the Redis components. | - | - | + | storageclass | The storage class for Redis to use for persistence. If not supplied, a locally provisioned volume is used. | No | - | + + **Additional v2.0 Technical Preview Parameters:** + | Parameter | Description | Required | Default | + | --------- | ----------- | -------- |-------- | + | **redis** | This section configures the Redis components. | - | - | + | redisName | The prefix of the redis pods. The number of pods is determined by the number of replicas. | Yes | redis-csm | + | redisCommander | The prefix of the redis commander pod. | Yes | rediscommander | + | sentinel | The prefix of the redis sentinel pods. The number of pods is determined by the number of replicas. | Yes | sentinel | + | redisReplicas | The number of replicas for the sentinel and redis pods. | Yes | 5 | + | storageclass | The storage class for Redis to use for persistence. If not supplied, a locally provisioned volume is used. | No | - | + | **vault** | This section configures the vault components. 
| - | - | + | vaultAddress | The address where vault is hosted with the credentials to the array (`https://10.0.0.1:`). | Yes | - | + | vaultRole | The configured authentication role in vault. | Yes | csm-authorization | + | kvEnginePath | The vault path where the credentials are stored. | Yes | secret | + | certificate | The base64-encoded certificate for the certificate/private-key pair to connect to Vault. Leave empty to use self-signed certificate. | No | - | + | privateKey | The base64-encoded private key for the certificate/private-key pair to connect to Vault. Leave empty to use self-signed certificate. | No | - | + | certificateAuthority | The base64-encoded certificate authority for validating the Vault server. | No | - | >__Note__: -> - If you specify `REDIS_STORAGE_CLASS`, the storage class must NOT be provisioned by the Dell CSI Driver to be configured with this installation of CSM Authorization. > - If you are installing CSM Authorization in a different namespace than `authorization`, edit the `namespace` fields in this file to your namespace. +> - If you specify `storageclass`, the storage class must NOT be provisioned by the Dell CSI Driver to be configured with this installation of CSM Authorization. **Optional:** To enable reporting of trace data with [Zipkin](https://zipkin.io/), use the `csm-config-params` configMap in the sample CR or dynamically by editing the configMap. 
@@ -106,26 +130,6 @@ To enable reporting of trace data with [Zipkin](https://zipkin.io/), use the `cs >__Note__: > - This command will deploy the Authorization Proxy Server in the namespace specified in the input YAML file. -5. Create the `karavi-auth-tls` secret using your own certificate or by using a self-signed certificate generated via cert-manager. - - If using your own certificate that is valid for each Ingress hostname, use this command to create the `karavi-auth-tls` secret: - - ```bash - - kubectl create secret tls karavi-auth-tls -n authorization --key --cert - ``` - - If using a self-signed certificate, prepare a certificate file provided [here](https://github.com/dell/csm-operator/tree/main/samples/authorization). An entry for each hostname specified in the CR must be added under `dnsNames` for the certificate to be valid for each Ingress. - - Use this command to create the `karavi-auth-tls` secret: - - ```bash - kubectl create -f - ``` - ->__Note__: -> - If you are installing CSM Authorization in a different namespace than `authorization`, edit the `namespace` field in this file to your namespace. - ### Verify Installation of the CSM Authorization Proxy Server Once the Authorization CR is created, you can verify the installation as mentioned below: 
@@ -135,14 +139,24 @@ Once the Authorization CR is created, you can verify the installation as mention ### Install Karavictl +>> NOTE: Authorization v2.0 Tech Preview does not use `karavictl` so installation is not necessary. + Follow the instructions available in CSM Authorization for [Installing karavictl](../../../helm/modules/installation/authorization/#install-karavictl). ### Configure the CSM Authorization Proxy Server +**Authorization v1.x GA** + Follow the instructions available in CSM Authorization for [Configuring the CSM Authorization Proxy Server](../../../helm/modules/installation/authorization/#configuring-the-csm-authorization-proxy-server). +**Authorization v2.0 Technical Preview** + +Follow the instructions available in CSM Authorization for [Configuring the CSM Authorization Proxy Server](../../../../authorization/v2.0-tech-preview/configuration/proxy-server/). + ### Configure a Dell CSI Driver with CSM Authorization +**Authorization v1.x GA** + Follow the instructions available in CSM Authorization for [Configuring a Dell CSI Driver with CSM for Authorization](../../../helm/modules/installation/authorization/#configuring-a-dell-csi-driver-with-csm-for-authorization). ### Upgrade CSM Authorization 
@@ -218,3 +232,231 @@ This section outlines the upgrade steps for Container Storage Modules (CSM) for >NOTE: - In Authorization module upgrade, only `n-1` to `n` upgrade is supported, e.g. if the current observability version is `v1.8.x`, it can be upgraded to `1.9.x`. +**Authorization v2.0 Technical Preview** + +Follow the instructions available in CSM Authorization for [Configuring PowerFlex with Authorization](../../../../authorization/v2.0-tech-preview/configuration/powerflex). + +## Vault Server Installation + +If there is already a Vault server available, skip to [Minimum Server Configuration](#minimum-server-configuration). + +If there is no Vault server available to use with CSM Authorization, it can be installed in many ways following [Hashicorp Vault documentation](https://www.vaultproject.io/docs). + +For testing environment, however, a simple deployment suggested in this section may suffice. +It creates a standalone server with in-memory (non-persistent) storage, running in a Docker container. + +> **NOTE**: With in-memory storage, the data in Vault is permanently destroyed upon the server's termination. + +### Generate TLS certificates for server and client + +Create server CA private key and certificate: + +```shell +openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -nodes \ + -subj "/CN=Vault Root CA" \ + -keyout server-ca.key \ + -out server-ca.crt +``` + +Create server private key and CSR: + +```shell +openssl req -newkey rsa:2048 -nodes \ + -subj "/CN=vault-demo-server" \ + -keyout server.key \ + -out server.csr +``` + +Create server certificate signed by the CA: + +> Replace `` with an IP address by which CSM Authorization can reach the Vault server. +This may be the address of the Docker host where the Vault server will be running. 
+ +```shell +cat > cert.ext < +EOF + +openssl x509 -req \ + -CA server-ca.crt -CAkey server-ca.key \ + -in server.csr \ + -out server.crt \ + -days 365 \ + -extfile cert.ext \ + -CAcreateserial + +cat server-ca.crt >> server.crt +``` + +Create client CA private key and certificate: + +```shell +openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -nodes \ + -subj "/CN=Client Root CA" \ + -keyout client-ca.key \ + -out client-ca.crt +``` + +Create client private key and CSR: + +```shell +openssl req -newkey rsa:2048 -nodes \ + -subj "/CN=vault-client" \ + -keyout client.key \ + -out client.csr +``` + +Create client certificate signed by the CA: +// todo check ip? +```shell +cat > cert.ext <> client.crt +``` + +### Create server hcl file + +```shell +cat >server.hcl < Variable `CONF_DIR` below refers to the directory containing files *server.crt*, *server.key*, *client-ca.crt* and *server.hcl*. +```shell +VOL_DIR="$CONF_DIR" +VOL_DIR_D="/var/vault" +ROOT_TOKEN="DemoRootToken" +VAULT_IMG="vault:1.13.3" + +docker run --rm -d \ + --name="vault-server" \ + -p 8200:8200 -p 8400:8400 \ + -v $VOL_DIR:$VOL_DIR_D -w $VOL_DIR_D \ + -e VAULT_DEV_ROOT_TOKEN_ID=$ROOT_TOKEN \ + -e VAULT_ADDR="http://127.0.0.1:8200" \ + -e VAULT_TOKEN=$ROOT_TOKEN \ + $VAULT_IMG \ + sh -c 'vault server -dev -dev-listen-address 0.0.0.0:8200 -config=server.hcl' +``` + +## Minimum Server Configuration + +> **NOTE:** this configuration is a bare minimum to support CSM Authorization and is not intended for use in production environment. +Refer to the [Hashicorp Vault documentation](https://www.vaultproject.io/docs) for recommended configuration options. + +> If a [test instance of Vault](#vault-server-installation) is used, the `vault` commands below can be executed in the Vault server container shell. +> To enter the shell, run `docker exec -it vault-server sh`. After completing the configuration process, exit the shell by typing `exit`. 
+> +> Alternatively, you can [download the vault binary](https://www.vaultproject.io/downloads) and run it anywhere. +> It will require two environment variables to communicate with the Vault server: +> - `VAULT_ADDR` - URL similar to `http://127.0.0.1:8200`. You may need to change the address in the URL to the address of +the Docker host where the server is running. +> - `VAULT_TOKEN` - Authentication token, e.g. the root token `DemoRootToken` used in the [test instance of Vault](#vault-server-installation). + +### Enable Key/Value secret engine + +```shell +vault secrets enable -version=2 -path=csm-authorization/ kv +``` + +Key/Value secret engine is used to store array credentials. + +### Enable Kubernetes authentication + +```shell +vault auth enable kubernetes +``` + +### Configure Kubernetes authentication + +```shell +vault write auth/kubernetes/config kubernetes_host="$KUBERNETES_HOST" kubernetes_ca_cert="$KUBERNETES_CA_CERT" +``` + +### Create a policy + +```shell +vault policy write csm-authorization - < The CSM Authorization karavictl CLI is no longer actively maintained or supported. It will be deprecated in a future release. {{% /pageinfo %}} +>> NOTE: Authorization v2.0 Tech Preview is not supported through Helm. + CSM Authorization can be installed by using the provided Helm v3 charts on Kubernetes platforms. The following CSM Authorization components are installed in the specified namespace: @@ -142,7 +144,7 @@ mv ./karavictl ~/.local/bin/karavictl # and then append (or prepend) ~/.local/bin to $PATH ``` -Karavictl commands and intended use can be found [here](../../../../../authorization/cli/). +Karavictl commands and intended use can be found [here](../../../../../authorization/v1.x-ga/cli/). ## Configuring the CSM Authorization Proxy Server 
@@ -160,7 +162,7 @@ NAME CLASS HOSTS ADDRESS PORTS AG proxy-server nginx csm-authorization.com 00, 000 86s ``` ```bash -kubectl -n auth get service +kubectl -n authorization get service ``` ``` NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE @@ -182,13 +184,13 @@ On the machine running `karavictl`, the `/etc/hosts` file needs to be updated wi csm-authorization.com ``` -Please continue following the steps outlined in the [proxy server](../../../../../authorization/configuration/proxy-server) configuration. +Please continue following the steps outlined in the [proxy server](../../../../../authorization/v1.x-ga/configuration/proxy-server) configuration. ## Configuring a Dell CSI Driver with CSM for Authorization The second part of CSM for Authorization deployment is to configure one or more of the [supported](../../../../../authorization#supported-csi-drivers) CSI drivers. This is controlled by the Kubernetes tenant admin. -Please continue following the configuration steps for a specific CSI Driver [here](../../../../../authorization/configuration/). +Please continue following the configuration steps for a specific CSI Driver [here](../../../../../authorization/v1.x-ga/configuration/). ## Updating CSM for Authorization Proxy Server Configuration diff --git a/content/docs/deployment/rpm/modules/installation/authorization/authorization.md b/content/docs/deployment/rpm/modules/installation/authorization/authorization.md index e4e1a55af0..69d03ef543 100644 --- a/content/docs/deployment/rpm/modules/installation/authorization/authorization.md +++ b/content/docs/deployment/rpm/modules/installation/authorization/authorization.md 
@@ -123,19 +123,19 @@ A Storage Administrator can execute the shell script, install_karavi_auth.sh as 5. After installation, application data will be stored on the system under `/var/lib/rancher/k3s/storage/`. -If errors occur during installation, review the [Troubleshooting](../../../../../../authorization/troubleshooting) section. +If errors occur during installation, review the [Troubleshooting](../../../../../../authorization/v1.x-ga/troubleshooting) section. ## Configuring the CSM for Authorization Proxy Server The first part of CSM for Authorization deployment is to configure the proxy server. This is controlled by the Storage Administrator. -Please follow the steps outlined in the [proxy server](../../../../../../authorization/configuration/proxy-server) configuration. +Please follow the steps outlined in the [proxy server](../../../../../../authorization/v1.x-ga/configuration/proxy-server) configuration. ## Configuring a Dell CSI Driver with CSM for Authorization The second part of CSM for Authorization deployment is to configure one or more of the [supported](../../../../../../prerequisites/#supported-csm-modules) CSI drivers. This is controlled by the Kubernetes tenant administrator. -Please follow the steps outlined in [PowerFlex](../../../../../../authorization/configuration/powerflex), [PowerMax](../../../../../../authorization/configuration/powermax), or [PowerScale](../../../../../../authorization/configuration/powerscale) to configure the CSI Driver to work with the Authorization sidecar. +Please follow the steps outlined in [PowerFlex](../../../../../../authorization/v1.x-ga/configuration/powerflex), [PowerMax](../../../../../../authorization/v1.x-ga/configuration/powermax), or [PowerScale](../../../../../../authorization/v1.x-ga/configuration/powerscale) to configure the CSI Driver to work with the Authorization sidecar. ## Updating CSM for Authorization Proxy Server Configuration 
diff --git a/content/docs/prerequisites/_index.md b/content/docs/prerequisites/_index.md index 8978265a12..2f486d92c6 100644 --- a/content/docs/prerequisites/_index.md +++ b/content/docs/prerequisites/_index.md @@ -54,19 +54,22 @@ Container Storage Modules (CSM) does not officially support specific operating s ## Supported CSM Modules {{}} -| CSM Module | PowerMax | PowerFlex | Unity XT | PowerScale | PowerStore | -|----------------------------------------|:--------:|:---------:|:--------:|:----------:|:----------:| -| [CSM Authorization](../authorization/) | Yes | Yes | No | Yes | No | -| [CSM Observability](../observability/) | Yes | Yes | No | Yes | Yes | -| [CSM Replication](../replication/) | Yes | Yes | No | Yes | Yes | -| [CSM Resiliency](../resiliency/) | Yes | Yes | Yes | Yes | Yes | -| [CSM Encryption](../secure/encryption/)| No | No | No | Yes | No | -| [CSM Application Mobility](../applicationmobility/) | Yes | Yes | Yes | Yes | Yes | -| [Volume Group Snapshot](../snapshots/volume-group-snapshots/) | No | Yes | No | No | Yes | +| CSM Module | PowerMax | PowerFlex | Unity XT | PowerScale | PowerStore | +|---------------------------------------------------------------|:--------:|:---------:|:--------:|:----------:|:----------:| +| [CSM Authorization - v1.x GA](../authorization/) | Yes | Yes | Yes | Yes | No | +| [CSM Authorization - v2.0 Tech Preview](../authorization/) | No | Yes | No | No | No | +| [CSM Observability](../observability/) | Yes | Yes | No | Yes | Yes | +| [CSM Replication](../replication/) | Yes | Yes | No | Yes | Yes | +| [CSM Resiliency](../resiliency/) | No | Yes | Yes | Yes | Yes | +| [CSM Encryption](../secure/encryption/) | No | No | No | Yes | No | +| [CSM Application Mobility](../applicationmobility/) | Yes | Yes | Yes | Yes | Yes | +| [Volume Group Snapshot](../snapshots/volume-group-snapshots/) | No | Yes | No | No | Yes | + {{
}} > Notes: > * Encryption and Application Mobility are available as a Technical Preview only and are not officially supported. +> * Authorization v2.0 is available as a Technical Preview only on PowerFlex. ## CSM Operator compatibility matrix diff --git a/content/docs/support/release/_index.md b/content/docs/support/release/_index.md index e17a6c86f0..22ee98c129 100644 --- a/content/docs/support/release/_index.md +++ b/content/docs/support/release/_index.md @@ -10,7 +10,7 @@ Release notes for Container Storage Modules: [CSI Drivers](../../csidriver/release) -[CSM for Authorization](../../authorization/release) +[CSM for Authorization](../../authorization/v1.x-ga/release) [CSM for Observability](../../observability/release) diff --git a/content/docs/support/troubleshooting/_index.md b/content/docs/support/troubleshooting/_index.md index c987433b32..ae40e2cfdf 100644 --- a/content/docs/support/troubleshooting/_index.md +++ b/content/docs/support/troubleshooting/_index.md @@ -10,7 +10,7 @@ Troubleshooting links for Container Storage Modules: [CSI Drivers](../../csidriver/troubleshooting) -[CSM for Authorization](../../authorization/troubleshooting) +[CSM for Authorization](../../authorization/v1.x-ga/troubleshooting) [CSM for Observability](../../observability/troubleshooting)
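Review bot: in step 5 of the PowerFlex configuration page, the bullet for `SKIP_CERTIFICATE_VALIDATION` ("set to `true` or `false` depending on if you want to disable or enable certificate validation") leaves the mapping ambiguous, and the example CR then ships `value: "true"`, so a reader who copies it turns off TLS verification of the proxy server without being told. State plainly that `true` skips validation of the proxy server certificate and belongs only with the *insecure* mode of step 3 (empty `rootCertificate.pem`), and show `"false"` in the example. Step 6 also has a typo: `documenation` should be `documentation`.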
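Review bot: on the new proxy-server page, the `/etc/hosts` example contains only `csm-authorization.com` with nothing in front of it, so it is not a valid hosts entry; the address placeholder needs to be restored. In the same paragraph, "Customer Resources (CRs)" should be "Custom Resources (CRs)" and "the hostnames needs to be add" should be "the hostnames need to be added"; in the tenant note, "comma seperate list" should be "comma-separated list". The Storage sample sets `skipCertificateValidation: true` against the array endpoint, which is the channel carrying the array credentials, so a sentence saying to set it to `false` and supply the array CA outside lab setups would be useful. Finally, the `dellctl generate token` line shows `--addr csm-authorization.com:` and `--tenant` with nothing after them (the port and tenant-name placeholders appear lost), and since the `access`/`refresh` values in `token.yaml` are base64-wrapped JWTs, the text should say the file is a live bearer credential to be handled like any other secret.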
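Review bot: in use_cases.md, the opening paragraph has "similar to the the previous architecture" (duplicated "the") and "the tenants quota" (should be "the tenant's quota"), and under Snapshot Support "a similar authorization processes" should be singular. The file also lacks a trailing newline (`\ No newline at end of file`). In Backend Storage Polling, ownership is said to be "determined by the volumePrefix", and a volume "created with the matching volumePrefix" is added to Redis and charged to the quota; it would help to say explicitly that a prefix match alone attributes a volume to the tenant, since a storage admin creating such a volume out of band consumes that tenant's quota.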
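Review bot: the renumbered prerequisite step 1 ("Install Vault or configure an existing Vault") reads as mandatory for every install, while the note added in the karavi-storage-secret hunk says the v2.0 Tech Preview does not need that secret; the same kind of qualifier is needed here in the other direction, stating that Vault is required only for the v2.0 Tech Preview, if that is the case.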
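Review bot: in the rewritten parameter table, the Default column mixes `False` (`openshift`) with `true` (`enabled` under **nginx** and **cert-manager**); use one spelling. The `vaultAddress` example `https://10.0.0.1:` ends in a bare colon, so the port placeholder is missing. For the **vault** `certificate`/`privateKey` rows, "Leave empty to use self-signed certificate" does not describe a client key pair used to connect to Vault; say what actually happens when they are left empty. The `hostname` row changed Required from Yes to No while its description still says it configures the self-signed certificate and the Ingress, so confirm that the default is applied when it is omitted. The **redis** header and the `storageclass` row now appear in both the GA table and the v2.0 table; if that is intended, say the v2.0 table supersedes the GA `redis` section.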
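Review bot: removing the `karavi-auth-tls` steps also removes the only sentence telling readers that the self-signed certificate must list every Ingress hostname under `dnsNames`. The new table keeps `proxyServerIngress.hosts` for additional host rules, so either state that the self-signed certificate generated from `hostname` also covers those hosts, or say that a certificate valid for all of them must be supplied through the new `certificate`/`privateKey` parameters.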
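Review bot: the note under "Install Karavictl" is written as `>> NOTE:` (a nested blockquote) while the rest of the page uses `>__Note__:`; use the same form. In "Configure a Dell CSI Driver with CSM Authorization" only the **Authorization v1.x GA** heading is added, whereas the "Configure the CSM Authorization Proxy Server" section just above gets both a v1.x GA and a v2.0 Technical Preview heading; the v2.0 subsection for driver configuration is missing here.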
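Review bot: the paragraph "**Authorization v2.0 Technical Preview** Follow the instructions ... [Configuring PowerFlex with Authorization]" is inserted at the top of this hunk, after the upgrade NOTE about `n-1` to `n` support, so it lands inside "Upgrade CSM Authorization"; it belongs under "Configure a Dell CSI Driver with CSM Authorization". In the Vault section, the line `// todo check ip?` before the client certificate step is a leftover and should be removed or resolved. The `docker run` sets `-e VAULT_ADDR="http://127.0.0.1:8200"` even though the section just generated server TLS certificates for `server.hcl`; confirm which scheme the listener uses and make the two consistent. Under Minimum Server Configuration, `vault secrets enable -version=2 -path=csm-authorization/ kv` enables the engine at `csm-authorization/`, but the parameter table gives `kvEnginePath` a default of `secret`; one of the two should change so a reader following both pages ends up with a path that resolves. Lastly, `$KUBERNETES_HOST` and `$KUBERNETES_CA_CERT` in the Kubernetes auth command are never defined on the page; add a sentence on where to obtain them.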
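Review bot: in the Helm authorization page, the added `>> NOTE: Authorization v2.0 Tech Preview is not supported through Helm.` uses a nested blockquote while the surrounding pages use `>__Note__:`; align the style. The `kubectl -n auth get service` to `kubectl -n authorization get service` correction is right; check that the matching `get ingress` command above it in the same file already uses `authorization` too.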
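Review bot: in the Supported CSM Modules table, the v1.x GA Authorization row changes Unity XT from `No` to `Yes`, and the CSM Resiliency row changes PowerMax from `Yes` to `No`; neither change is part of adding the v2.0 Tech Preview row and neither is mentioned in the PR, so confirm both are intended or split them into their own change.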