Merge pull request #211 from NetApp/add_trident_protect

Add trident protect

EKS/Backup-EKS-Applications-with-Trident-Protect/ebs-volume-storage-class.yaml

@@ -0,0 +1,6 @@
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: ebs-csi-snapclass
+driver: ebs.csi.aws.com
+deletionPolicy: Delete

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-application.yaml

@@ -0,0 +1,8 @@
+apiVersion: protect.trident.netapp.io/v1
+kind: Application
+metadata:
+  name: <APP NAME>
+  namespace: <APP NAMESPACE>
+spec:
+  includedNamespaces:
+    - namespace: <APP NAMESPACE>

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-backup.yaml

@@ -0,0 +1,8 @@
+apiVersion: protect.trident.netapp.io/v1
+kind: Backup
+metadata:
+  namespace: <APP NAMESPACE>
+  name: <APP BACKUP NAME>
+spec:
+  applicationRef: <APP NAME> 
+  appVaultRef: <APP VAULT NAME>

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-restore-diff-ns.yaml

@@ -0,0 +1,11 @@
+apiVersion: protect.trident.netapp.io/v1
+kind: BackupRestore
+metadata:
+  name: <APP RESTORE NAME>
+  namespace: <DESTINATION NAMESPACE>
+spec:
+  appArchivePath: <APP ARCHIVE PATH>
+  appVaultRef: <APP VAULT NAME>
+  namespaceMapping: 
+    - source: <SOURCE NAMESPACE>
+      destination: <DESTINATION NAMESPACE>

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-restore-inplace.yaml

@@ -0,0 +1,8 @@
+apiVersion: protect.trident.netapp.io/v1
+kind: BackupInplaceRestore
+metadata:
+  name: <APP BACKUP RESTORE NAME>
+  namespace: <APP NAMESPACE>
+spec:
+  appArchivePath: <APP ARCHIVE PATH>
+  appVaultRef: <APP VAULT NAME>

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-vault.yaml

@@ -0,0 +1,20 @@
+apiVersion: protect.trident.netapp.io/v1
+kind: AppVault
+metadata:
+  name: <APP VAULT NAME>
+  namespace: trident-protect
+spec:
+  providerType: AWS
+  providerConfig:
+    s3:
+      bucketName: <APP VAULT BUCKET NAME>
+      endpoint: <S3 ENDPOINT>
+  providerCredentials:
+    accessKeyID:
+      valueFromSecret:
+        key: accessKeyID
+        name: s3
+    secretAccessKey:
+      valueFromSecret:
+        key: secretAccessKey
+        name: s3

EKS/Backup-EKS-Applications-with-Trident-Protect/trident-volume-storage-class.yaml

@@ -0,0 +1,8 @@
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: trident-csi-snapclass
+  annotations:
+    snapshot.storage.kubernetes.io/is-default-class: "true"
+driver: csi.trident.netapp.io
+deletionPolicy: Delete

EKS/FSxN-as-PVC-for-EKS/README.md

@@ -5,7 +5,7 @@
 * [Installation Overview](#Installation-Overview)
 * [Detailed Instructions](#Detailed-instructions)
   * [Clone the "NetApp/FSx-ONTAP-samples-scripts" repo from GitHub](#Clone-the-NetAppFSx-ONTAP-samples-scripts-repo-from-GitHub)
-  * [Make any desired changes to the variables.tf file](#Make-any-desired-changes-to-the-variablestf-file)
+  * [Make any desired changes to the configuration variables](#Make-any-desired-changes-to-the-configuration-variables)
   * [Initialize the Terraform environment](#Initialize-the-Terraform-environment)
   * [Deploy the resources](#Deploy-the-resources)
   * [SSH to the jump server to complete the setup](#SSH-to-the-jump-server-to-complete-the-setup)
@@ -78,21 +78,19 @@ terraform files are located:
 git clone https://github.com/NetApp/FSx-ONTAP-samples-scripts.git
 cd FSx-ONTAP-samples-scripts/EKS/FSxN-as-PVC-for-EKS/terraform
 ```
-### Make any desired changes to the variables.tf file.
-Variables that can be changed include:
+### Make any desired changes to the configuration variables
+To configure the deployment first copy the `terraform.tfvars.template` file to `terraform.tfvars`. Then, modify it to suit your needs. Here are the variables you can set:
 - aws_region - The AWS region where you want to deploy the resources.
 - aws_secrets_region - The region where the fsx password secret will be created.
 - fsx_name - The name you want applied to the FSx for NetApp ONTAP File System. Must not already exist.
-- secret_name_prefix - The base name of the AWS SecretsManager secrets that will be created that will hold the FSxN adminstrator, and SVM, passwords.
+- secret_name_prefix - The base name of the AWS SecretsManager secrets that will be created that will hold the FSxN administrator, and SVM, passwords.
 A random string will be appended to this name to ensure uniqueness.
-- fsx_storage_capacity - The storage capacity of the FSx for NetApp ONTAP File System.
-Read the "description" of the variable to see the valid range.
-- fsx_throughput_capacity - The throughput capacity of the FSx for NetApp ONTAP File System.
-Read the "description" of the variable to see valid values.
+- fsx_storage_capacity - The storage capacity of the FSx for NetApp ONTAP File System.  Read the "description" of the variable in the `variables.tf` file to see the valid range.
+- fsx_throughput_capacity - The throughput capacity of the FSx for NetApp ONTAP File System.  Read the "description" of the variable in the `varaibles.tf` file to see valid values.
 - key_pair_name - The name of the EC2 key pair to use to access the jump server.
 - secure_ips - The IP address ranges to allow SSH access to the jump server. The default is wide open.
 
-:warning: **NOTE:** You must change the key_pair_name variable, otherwise the deployment will not complete succesfully.
+:warning: **NOTE:** You must change the key_pair_name variable, otherwise the deployment will not complete successfully.
 ### Initialize the Terraform environment
 Run the following command to initialize the terraform environment.
 ```bash

EKS/FSxN-as-PVC-for-EKS/terraform/ec2.tf

@@ -26,6 +26,8 @@ resource "aws_instance" "eks_jump_server" {
   user_data       = <<EOF
 #!/bin/bash
 #
+ARCH=amd64
+#
 # Get the system up to date:
 apt update
 apt upgrade -y
@@ -41,12 +43,18 @@ unzip -q awscliv2.zip
 rm -rf awscliv2.zip aws
 #
 # Install kubectl:
-curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
+curl -sLO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$ARCH/kubectl"
 install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
 #
 # Install helm:
 snap install helm --classic
 #
+# Install eksctl:
+PLATFORM=$(uname -s)_$ARCH
+curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
+tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
+sudo mv /tmp/eksctl /usr/local/bin
+#
 # Install the eks samples repo into the ubuntu home directory:
 cd /home/ubuntu
 git clone https://github.com/NetApp/FSx-ONTAP-samples-scripts.git

EKS/FSxN-as-PVC-for-EKS/terraform/eks-cluster.tf

@@ -1,6 +1,6 @@
 module "eks" {
   source          = "terraform-aws-modules/eks/aws"
-  version         = "~> 20.0.0"
+  version         = "~> 20.33"
   cluster_name    = local.cluster_name
   cluster_version = var.kubernetes_version
   subnet_ids      = module.vpc.private_subnets
@@ -43,6 +43,12 @@ resource "random_id" "id" {
 # Get access to the aws provider identity data to get account ID.
 data "aws_caller_identity" "current" {}
 #
+# Add pod-identity add-on to the EKS cluster.
+resource "aws_eks_addon" "pod_identity_agent" {
+  cluster_name = module.eks.cluster_name
+  addon_name   = "eks-pod-identity-agent"
+}
+#
 # Add Trident to the EKS cluster with a role that will allow it to read secrets
 # add manage the fsxn file system.
 resource "aws_eks_addon" "fsxn_csi_addon" {
@@ -109,8 +115,16 @@ resource "aws_iam_role" "trident_role" {
         }
     ]
   })
+}
 
-  managed_policy_arns = [aws_iam_policy.trident_policy.arn]
+resource "aws_iam_role_policy_attachment" "trident_policy_attachment" {
+  role       = aws_iam_role.trident_role.name
+  policy_arn = aws_iam_policy.trident_policy.arn
+}
+
+resource "aws_iam_role_policy_attachments_exclusive" "trident_policy_attachment_exclusive" {
+  role_name   = aws_iam_role.trident_role.name
+  policy_arns = [aws_iam_policy.trident_policy.arn]
 }
 
 data "cloudinit_config" "cloudinit" {
@@ -119,6 +133,19 @@ data "cloudinit_config" "cloudinit" {
 
   part {
     content_type = "text/x-shellscript"
-    content      = file("scripts/iscsi.sh")
+    content      = <<EOT
+#!/bin/bash
+sudo yum install -y lsscsi iscsi-initiator-utils sg3_utils device-mapper-multipath
+rpm -q iscsi-initiator-utils
+sudo sed -i 's/^\(node.session.scan\).*/\1 = manual/' /etc/iscsi/iscsid.conf
+cat /etc/iscsi/initiatorname.iscsi
+sudo mpathconf --enable --with_multipathd y --find_multipaths n
+#
+# Blacklist any EBS volume since they don't support them!
+sed -i -e '/^blacklist {/,/^}/{/^}/i\    device {\n        vendor "NVME"\n        product "Amazon Elastic Block Store"\n    }\n' -e '}' /etc/multipath.conf
+sudo systemctl restart multipathd
+sudo systemctl enable --now iscsid multipathd
+sudo systemctl enable --now iscsi
+EOT
   }
 }

EKS/FSxN-as-PVC-for-EKS/terraform/terraform.tfvars.template

@@ -0,0 +1,5 @@
+aws_region="us-west-2"
+aws_secrets_region="us-west-2"
+fsx_name="eks-poc-fsx"
+key_pair_name="MUST REPLACE WITH YOUR KEY PAIR NAME"
+secure_ips=["0.0.0.0/0"]

EKS/FSxN-as-PVC-for-EKS/terraform/variables.tf

@@ -1,13 +1,11 @@
 variable "aws_region" {
   description = "The AWS region where you want the resources deployed."
   type        = string
-  default     = "us-west-2"
 }
 
 variable "aws_secrets_region" {
   description = "The AWS region where you want the FSxN and SVM secrets stored within AWS Secrets Manager."
   type        = string
-  default     = "us-west-2"
 }
 
 variable "fsx_name" {
@@ -62,13 +60,13 @@ variable "secure_ips" {
 
 variable "trident_version" {
   description = "The version of Astra Trident to 'add-on' to the EKS cluster."
-  default     = "v24.2.0-eksbuild.1"
+  default     = "v24.10.0-eksbuild.1"
   type        = string
 }
 
 variable "kubernetes_version" {
   description = "kubernetes version"
-  default     = 1.29
+  default     = 1.31
   type        = string
 }