diff --git a/modules/persistent-storage-csi-efs-one-zone-overview.adoc b/modules/persistent-storage-csi-efs-one-zone-overview.adoc new file mode 100644 index 0000000000..0436e96944 --- /dev/null +++ b/modules/persistent-storage-csi-efs-one-zone-overview.adoc @@ -0,0 +1,20 @@ +// Module included in the following assemblies: +// +// * storage/persistent_storage/persistent-storage-csi-aws-efs.adoc +// +:_mod-docs-content-type: CONCEPT +[id="efs-one-zone-overview_{context}"] += One Zone file systems overview + +{product-title} supports AWS Elastic File System (EFS) One Zone file system, which is an EFS storage option that stores data redundantly within a single Availability Zone (AZ). This contrasts with the default EFS storage option, which stores data redundantly across multiple AZs within a region. + +Clusters upgraded from {product-title} 4.19 are compatible with the regional EFS volumes. + +[NOTE] +==== +Dynamic provisioning of One Zone volumes is supported only in single-zone clusters. All nodes in the cluster must be in the same AZ as the EFS volume that is used for the dynamic provisioning. + +Manually provisioned One Zone volumes in regional clusters is supported, assuming that the persistent volumes (PVs) have correct `spec.nodeAffinity` that indicates the zone that the volume is in. +==== + +For Cloud Credential Operator (CCO) Mint mode or Passthrough, no extra configuration is required. However, for Security Token Service (STS), use the procedure in Section _Setting up One Zone file systems with STS_. \ No newline at end of file diff --git a/modules/persistent-storage-csi-efs-one-zone-procedure.adoc b/modules/persistent-storage-csi-efs-one-zone-procedure.adoc new file mode 100644 index 0000000000..05c07d0415 --- /dev/null +++ b/modules/persistent-storage-csi-efs-one-zone-procedure.adoc 
@@ -0,0 +1,84 @@ +// Module included in the following assemblies: +// +// * storage/persistent_storage/persistent-storage-csi-aws-efs.adoc +// +:_mod-docs-content-type: PROCEDURE +[id="efs-one-zone-procedure_{context}"] += Setting up One Zone file systems with STS + +The following procedure explains how to set up AWS One Zone file systems with Security Token Service (STS): + +.Prerequisites +* Access to the cluster as a user with the cluster-admin role. + +* AWS account credentials + +.Procedure + +To configure One Zone file systems with STS: + +. Create *two* `CredentialsRequests` in the `credrequests` directory following the procedure under Section _Obtaining a role Amazon Resource Name for Security Token Service_.: ++ +* For the *controller* `CredentialsRequest`, follow the procedure without any changes. + +* For the *driver node* `CredentialsRequest` use the following example file: ++ +.Example CredentialsRequest YAML file for driver node +[source,yaml] +---- +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + annotations: + credentials.openshift.io/role-arns-vars: NODE_ROLEARN <1> + name: openshift-aws-efs-csi-driver-node + namespace: openshift-cloud-credential-operator +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - elasticfilesystem:DescribeMountTargets + - ec2:DescribeAvailabilityZones + effect: Allow + resource: '*' + secretRef: + name: node-aws-efs-cloud-credentials + namespace: openshift-cluster-csi-drivers + serviceAccountNames: + - aws-efs-csi-driver-node-sa +---- +<1> Set `metadata.annotations.credentials.openshift.io/role-arns-vars` to `NODE_ROLEARN`. 
++ +.Example `ccoctl` output +[source,terminal] +---- +2025/08/26 14:05:24 Role arn:aws:iam::269733383066:role/my-arn-1-blll6-openshift-cluster-csi-drivers-aws-efs-cloud-cre created <1> +2025/08/26 14:05:24 Saved credentials configuration to: /home/my-arn/project/go/src/github.com/openshift/myinst/aws-sts-compact-1/manifests/openshift-cluster-csi-drivers-aws-efs-cloud-credentials-credentials.yaml +2025/08/26 14:05:24 Updated Role policy for Role my-arn-1-blll6-openshift-cluster-csi-drivers-aws-efs-cloud-cre +2025/08/26 14:05:24 Role arn:aws:iam::269733383066:role/my-arn-1-blll6-openshift-cluster-csi-drivers-node-aws-efs-clou created <2> +2025/08/26 14:05:24 Saved credentials configuration to: manifests/openshift-cluster-csi-drivers-node-aws-efs-cloud-credentials-credentials.yaml +2025/08/26 14:05:24 Updated Role policy for Role my-arn-1-blll6-openshift-cluster-csi-drivers-node-aws-efs-clou +---- +<1> Controller Amazon Resource Name (ARN) +<2> Driver node ARN + +. Install the AWS EFS CSI driver using the controller ARN created earlier in this procedure. + +. Edit the operator's subscription and add `NODE_ROLEARN` with the driver node's ARN by running a command similar to the following: ++ +[source,terminal] +---- +$ oc -n openshift-cluster-csi-drivers edit subscription aws-efs-csi-driver-operator +... + config: + env: + - name: ROLEARN + value: arn:aws:iam::269733383066:role/my-arn-1-blll6-openshift-cluster-csi-drivers-aws-efs-cloud-cre <1> + - name: NODE_ROLEARN + value: arn:aws:iam::269733383066:role/my-arn-1-blll6-openshift-cluster-csi-drivers-node-aws-efs-clou <2> +... +---- +<1> Controller ARN. Already exists. +<2> Driver node ARN \ No newline at end of file diff --git a/modules/persistent-storage-csi-efs-sts.adoc b/modules/persistent-storage-csi-efs-sts.adoc index c1bc0008ab..0c524bc2d3 100644 --- a/modules/persistent-storage-csi-efs-sts.adoc +++ b/modules/persistent-storage-csi-efs-sts.adoc 
@@ -22,6 +22,11 @@ Perform this procedure before you install the AWS EFS CSI Driver Operator (see _ You can obtain the ARN role in multiple ways. The following procedure shows one method that uses the same concept and CCO utility (`ccoctl`) binary tool as cluster installation. +[NOTE] +==== +If you are using One Zone file system, you need to create two `CredentialRequests`, one for the controller and one for the driver node. For more information, see Section _Setting up One Zone file systems with STS_. +==== + To obtain a role ARN for configuring AWS EFS CSI Driver Operator using STS: . Extract the `ccoctl` from the {product-title} release image, which you used to install the cluster with STS. For more information, see "Configuring the Cloud Credential Operator utility". diff --git a/storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc b/storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc index 86d888aa4d..6f75895645 100644 --- a/storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc +++ b/storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc @@ -27,11 +27,6 @@ This eliminates the need for cluster administrators to pre-provision storage. * The _AWS EFS CSI driver_ enables you to create and mount AWS EFS PVs. -[NOTE] -==== -AWS EFS only supports regional volumes, not zonal volumes. -==== - include::modules/persistent-storage-csi-about.adoc[leveloffset=+1] :FeatureName: AWS EFS 
@@ -77,6 +72,12 @@ include::modules/persistent-storage-csi-efs-cross-account.adoc[leveloffset=+1] .Additional resources * link:https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-output-format.html[Setting the output format in the AWS CLI] +== One Zone file systems + +include::modules/persistent-storage-csi-efs-one-zone-overview.adoc[leveloffset=+2] + +include::modules/persistent-storage-csi-efs-one-zone-procedure.adoc[leveloffset=+2] + include::modules/persistent-storage-csi-dynamic-provisioning-aws-efs.adoc[leveloffset=+1] If you have problems setting up dynamic provisioning, see xref:../../storage/container_storage_interface/persistent-storage-csi-aws-efs.adoc#efs-troubleshooting_persistent-storage-csi-aws-efs[AWS EFS troubleshooting]. [role="_additional-resources"]
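Review bot: In the new persistent-storage-csi-efs-one-zone-overview.adoc, the sentence "Clusters upgraded from {product-title} 4.19 are compatible with the regional EFS volumes." does not tell the reader what they need to decide: whether existing regional PVs keep working after the upgrade, and whether One Zone volumes can be used on an upgraded cluster or only on a fresh install. Suggest stating both explicitly, for example "Existing regional EFS volumes continue to work on clusters upgraded from {product-title} 4.19." followed by the One Zone status. The overview also describes the single-AZ placement but not its consequence; since all copies of the data live in one AZ, one sentence saying that the file system is unavailable while that AZ is down, and that the PV therefore has to carry the matching `spec.nodeAffinity` (as the NOTE already requires for manual provisioning), would make the trade-off visible before the procedure. Minor: "Manually provisioned One Zone volumes in regional clusters is supported" should read "are supported", and the file is missing its trailing newline.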
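Review bot: In persistent-storage-csi-efs-one-zone-procedure.adoc, the ".Example `ccoctl` output" block hangs off the `<1>` callout of the CredentialsRequest example with no step that runs `ccoctl`; add a numbered step that runs the `ccoctl` command from the referenced "Obtaining a role Amazon Resource Name for Security Token Service" procedure against the `credrequests` directory, so the output belongs to a command the reader has just typed. The sample output also prints what looks like a real AWS account ID (`269733383066`) and a developer's home directory (`/home/my-arn/project/go/src/github.com/openshift/myinst/...`); replace both with obvious placeholders (a documentation account ID such as `123456789012` and a short relative path) and use the same placeholder in the subscription example so the two stay consistent. Two smaller points: step 1 ends in "_Security Token Service_.:" (stray period before the colon), and the prerequisite "AWS account credentials" should say that the credentials must be able to create IAM roles and attach policies, since that is what the shown `ccoctl` output does. The node role's two read-only `Describe` actions on `resource: '*'` are a suitably minimal grant; it would help to close the procedure with a verification step, for example checking that the `node-aws-efs-cloud-credentials` secret exists in `openshift-cluster-csi-drivers` after the subscription is edited, so a misspelled `NODE_ROLEARN` is caught before a One Zone PV is attempted.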
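Review bot: The NOTE added to persistent-storage-csi-efs-sts.adoc uses `CredentialRequests` where the procedure module, the overview and the YAML `kind` all use `CredentialsRequest`; use the CRD's name consistently. In the same note, "If you are using One Zone file system" needs an article ("a One Zone file system"). The cross-references in this note and in the overview are written as "Section _Setting up One Zone file systems with STS_", whereas the surrounding module text refers to other procedures as `see "Configuring the Cloud Credential Operator utility"`; follow the existing quoted-title form (and drop the word "Section") so the three new references match the rest of the module.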
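Review bot: Removing the "AWS EFS only supports regional volumes, not zonal volumes." NOTE from the assembly introduction is correct now that One Zone is documented, but it leaves the introduction with no hint that zonal support is conditional (dynamic provisioning only on single-zone clusters, manual provisioning with `spec.nodeAffinity` elsewhere, per the new overview). Consider replacing the removed NOTE with a one-line pointer to the new "One Zone file systems" section rather than deleting it outright, so readers skimming the introduction do not assume unrestricted zonal support.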
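Review bot: In the assembly, the new "== One Zone file systems" section is inserted between the cross-account module's ".Additional resources" list and the dynamic provisioning include, yet the overview's main caveat is about dynamic provisioning of One Zone volumes. Placing the section after `include::modules/persistent-storage-csi-dynamic-provisioning-aws-efs.adoc[leveloffset=+1]` and its troubleshooting sentence would let readers meet the general provisioning flow first and the zonal restriction second, and would keep the cross-account "Additional resources" list adjacent to the subsection it belongs to. The `leveloffset=+2` on both new includes is consistent with the modules' `=` titles under a `==` heading, so no change needed there.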