Alternate: Key-based authentication configuration for Cloud Ingest Edge Volumes
This article describes an alternate configuration for Cloud Ingest Edge Volumes (blob upload with local purge) that uses key-based authentication: a SAS token, connection string, or storage account key stored in a Kubernetes secret.
Key-based credentials are long-lived bearer secrets that live in the cluster and must be protected and rotated by you. Use this configuration only where key-based authentication is required; otherwise review the recommended configuration, which uses a system-assigned managed identity, in Cloud Ingest Edge Volumes configuration.
Prerequisites
Create a storage account following these instructions.
Note: When you create a storage account, it's recommended that you create it under the same resource group and region/location as your Kubernetes cluster.
Create a container in the storage account that you created in the previous step, following these instructions.
Create a Kubernetes secret
Edge Volumes supports the following three authentication methods:
- Shared Access Signature (SAS) Authentication (recommended)
- Connection String Authentication
- Storage Key Authentication
After you complete authentication for one of these methods, proceed to the Create a Cloud Ingest Persistent Volume Claim (PVC) section.
Create a Kubernetes secret using Shared Access Signature (SAS) authentication
You can configure SAS authentication using YAML and kubectl, or by using the Azure CLI.
A SAS token is a bearer credential: anyone who obtains it has the granted permissions on the container until the expiry time. Scope it to the single container, grant only the permissions the upload needs, and keep the expiry as short as your rotation process allows.
To find your storageaccountsas, perform the following procedure:
- Navigate to your storage account in the Azure portal.
- Expand Security + networking on the left blade and then select Shared access signature.
- Under Allowed resource types, select Service > Container > Object.
- Under Allowed permissions, unselect Immutable storage and Permanent delete.
- Under Start and expiry date/time, choose your desired end date and time.
- At the bottom, select Generate SAS and connection string.
- The value listed under SAS token is used for the storageaccountsas variable in the next section.
Shared Access Signature (SAS) authentication using YAML and kubectl
Create a file named sas.yaml with the following contents. Replace metadata::name, metadata::namespace, and storageaccountsas with your own values.
Note: Use only lowercase letters and dashes. For more information, see the Kubernetes object naming documentation.
```yaml
apiVersion: v1
kind: Secret
metadata:
  ### This name should look similar to "kharrisStorageAccount-secret" where "kharrisStorageAccount" is replaced with your storage account name
  name: <your-storage-acct-name-secret>
  # Use a namespace that matches your intended consuming pod, or "default"
  namespace: <your-intended-consuming-pod-or-default>
stringData:
  authType: SAS
  # Container level SAS (must have ? prefixed)
  storageaccountsas: "?..."
type: Opaque
```
To apply sas.yaml, run:
```shell
kubectl apply -f "sas.yaml"
```
Shared Access Signature (SAS) authentication using CLI
If you want to scope SAS authentication at the container level, use the following commands. Update YOUR_STORAGE_ACCT_NAME and YOUR_CONTAINER_NAME in the first command, and YOUR_NAMESPACE, YOUR_STORAGE_ACCT_NAME, and YOUR_SAS in the second. The permissions string acdrw grants add, create, delete, read, and write on that container and nothing broader; set the expiry as short as your rotation process allows. The CLI prints the token without the leading "?", and the storageaccountsas value must start with "?" (as in sas.yaml above), so prepend it when you create the secret; the secret below uses the same keys as the YAML form.
```shell
# Optionally authenticate with --connection-string "..." instead of --account-name; -o tsv prints the bare token
az storage container generate-sas --account-name YOUR_STORAGE_ACCT_NAME --name YOUR_CONTAINER_NAME --permissions acdrw --expiry '2025-02-02T01:01:01Z' -o tsv
kubectl create secret generic -n "YOUR_NAMESPACE" "YOUR_STORAGE_ACCT_NAME-secret" --from-literal=authType=SAS --from-literal=storageaccountsas="?YOUR_SAS"
```
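The CLI prints a token in one form (no leading "?", whatever permissions and expiry were requested) while the secret expects another, so it is worth checking the token before it is stored. The following POSIX shell script is an added example, not part of the Azure documentation: it checks a generated SAS for the properties this page asks for (container scope, no immutability or permanent-delete permission, not yet expired) and emits a Secret manifest with the same keys as sas.yaml. The sample token with its fake signature, the account name mystorageacct, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: sanity-check a container SAS
# before storing it in the Kubernetes secret, then emit the secret manifest.
# Assumptions: the SAS is the query string printed by `az storage container
# generate-sas`; the secret keys (authType, storageaccountsas) follow sas.yaml above.

# Constructed sample token for offline use; the signature is fake.
SAMPLE_SAS='se=2025-02-02T01%3A01%3A01Z&sp=racwd&sv=2022-11-02&sr=c&sig=FAKE'

# Ensure the leading "?" that the storageaccountsas value requires
# (the CLI prints the token without it).
normalize_sas() {
  case "$1" in
    \?*) printf '%s' "$1" ;;
    *)   printf '?%s' "$1" ;;
  esac
}

# Extract one query parameter (sp, sr, se, ...) from the token, with or without "?".
sas_param() {
  printf '%s' "${1#\?}" | tr '&' '\n' | sed -n "s/^$2=//p"
}

# Reject tokens that are broader than this configuration needs.
# $1 = SAS token, $2 = current UTC time as YYYY-MM-DDTHH:MM:SSZ
check_sas() {
  sas=$1
  now=$2
  rc=0
  # sr=c means the token is scoped to one container, not the whole account.
  [ "$(sas_param "$sas" sr)" = "c" ] || { echo "SAS is not container-scoped (sr != c)" >&2; rc=1; }
  # i = set immutability policy, y = permanent delete: neither is needed for ingest.
  case "$(sas_param "$sas" sp)" in
    *i*|*y*) echo "SAS grants immutability (i) or permanent delete (y)" >&2; rc=1 ;;
  esac
  # ISO 8601 UTC timestamps compare correctly as strings once %3A is decoded.
  se=$(sas_param "$sas" se | sed 's/%3A/:/g')
  expr "$se" \> "$now" >/dev/null || { echo "SAS expiry '$se' is missing or already past" >&2; rc=1; }
  return $rc
}

# Print a Secret manifest with the same keys as sas.yaml, ready for `kubectl apply -f -`.
# $1 = namespace, $2 = storage account name, $3 = SAS token
make_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2-secret
  namespace: $1
stringData:
  authType: SAS
  storageaccountsas: "$(normalize_sas "$3")"
type: Opaque
EOF
}

# Demonstration against the constructed sample (replace SAMPLE_SAS with the real token).
if check_sas "$SAMPLE_SAS" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"; then
  make_secret_manifest default mystorageacct "$SAMPLE_SAS"
else
  echo "sample SAS rejected (it expires 2025-02-02, so this is expected after that date)" >&2
fi
```

In practice the token comes from `az storage container generate-sas ... -o tsv`, and the manifest is piped straight into `kubectl apply -f -` so the token never lands in a file on disk.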
Create a Cloud Ingest Persistent Volume Claim (PVC)
Create a file named cloudIngestPVC.yaml with the following contents. You must edit the metadata::name value and add a name for your Persistent Volume Claim; this name is referenced on the last line of deploymentExample.yaml in a later step. You must also update the metadata::namespace value with the namespace of your intended consuming pod. If you don't have an intended consuming pod, the metadata::namespace value is default.
Note: Use only lowercase letters and dashes. For more information, see the Kubernetes object naming documentation.
```yaml
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  ### Create a name for the PVC ###
  name: <create-a-pvc-name-here>
  ### Use a namespace that matches your intended consuming pod, or "default" ###
  namespace: <your-intended-consuming-pod-or-default>
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 2Gi
  storageClassName: cloud-backed-sc
```
To apply cloudIngestPVC.yaml, run:
```shell
kubectl apply -f "cloudIngestPVC.yaml"
```
Attach sub-volume to Edge Volume
Get the name of your Edge Volume using the following command:
```shell
kubectl get edgevolumes
```
Create a file named edgeSubvolume.yaml and copy the following contents. Update the variables with your information:
Note: Use only lowercase letters and dashes. For more information, see the Kubernetes object naming documentation.
- metadata::name: Create a name for your sub-volume.
- spec::edgevolume: This name was retrieved from the previous step using kubectl get edgevolumes.
- spec::path: Create your own subdirectory name under the mount path. The following example already contains an example name (exampleSubDir). If you change this path name, the path in the dd command of deploymentExample.yaml must be updated with the new path name. If you choose to rename the path, don't use a preceding slash.
- spec::auth::authType: Depends on the authentication method you used in the previous steps. Accepted inputs include sas, connection_string, and key.
- spec::auth::secretName: If you used storage key authentication, your secretName is {your_storage_account_name}-secret. If you used connection string or SAS authentication, your secretName was specified by you.
- spec::auth::secretNamespace: Matches your intended consuming pod, or default.
- spec::container: The container name in your storage account.
- spec::storageaccountendpoint: Navigate to your storage account in the Azure portal. On the Overview page, near the top right of the screen, select JSON View. You can find the storageaccountendpoint link under properties::primaryEndpoints::blob. Copy the entire link (for example, https://mytest.blob.core.windows.net/).
```yaml
apiVersion: "arccontainerstorage.azure.net/v1"
kind: EdgeSubvolume
metadata:
  name: <create-a-subvolume-name-here>
spec:
  edgevolume: <your-edge-volume-name-here>
  path: exampleSubDir # If you change this path, the path in the dd command of deploymentExample.yaml must be updated. Don't use a preceding slash.
  auth:
    authType: sas # Must match the secret you created: sas, connection_string, or key
    secretName: <your-secret-name>
    secretNamespace: <your_namespace>
  storageaccountendpoint: <your_storage_account_endpoint>
  container: <your-blob-storage-account-container-name>
  ingestPolicy: edgeingestpolicy-default # Optional: See the following instructions if you want to update the ingestPolicy with your own configuration
```
To apply edgeSubvolume.yaml, run:
```shell
kubectl apply -f "edgeSubvolume.yaml"
```
Optional: Modify the ingestPolicy from the default
If you want to change the ingestPolicy from the default edgeingestpolicy-default, create a file named myedgeingest-policy.yaml with the following contents. Update the following variables with your preferences.
Note: Use only lowercase letters and dashes. For more information, see the Kubernetes object naming documentation.
- metadata::name: Create a name for your ingestPolicy. This name must be updated and referenced in the spec::ingestPolicy section of your edgeSubvolume.yaml.
- spec::ingest::order: The order in which dirty files are uploaded. This is best effort, not a guarantee (defaults to oldest-first). Options for order are: oldest-first or newest-first.
- spec::ingest::minDelaySec: The minimum number of seconds before a dirty file is eligible for ingest (defaults to 60). This number can range between 0 and 31536000.
- spec::eviction::order: How files are evicted (defaults to unordered). Options for eviction order are: unordered or never.
- spec::eviction::minDelaySec: The number of seconds before a clean file is eligible for eviction (defaults to 300). This number can range between 0 and 31536000.
```yaml
apiVersion: arccontainerstorage.azure.net/v1
kind: EdgeIngestPolicy
metadata:
  name: <create-a-policy-name-here> # This will need to be updated and referenced in the spec::ingestPolicy section of the edgeSubvolume.yaml
spec:
  ingest:
    order: <your-ingest-order>
    minDelaySec: <your-min-delay-sec>
  eviction:
    order: <your-eviction-order>
    minDelaySec: <your-min-delay-sec>
```
To apply myedgeingest-policy.yaml, run:
```shell
kubectl apply -f "myedgeingest-policy.yaml"
```
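Before applying the manifests, it is worth checking that edgeSubvolume.yaml and the secret it references agree with each other: a placeholder authType left in place, a leading slash in path, a secret in a different namespace, or a SAS value without the "?" prefix would otherwise surface only after the resources are applied. The following POSIX shell script is an added example, not part of the Azure documentation. The sample manifests, the account name mystorageacct, the container name ingest, and the function names are constructed for it, and it assumes the secret's authType is the upper-case form of the subvolume's authType, as in the sas.yaml and edgeSubvolume.yaml examples above.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: preflight checks that catch the
# mistakes this section warns about before `kubectl apply`. Assumptions: the
# manifests are flat "key: value" YAML like the examples above, and the secret's
# authType is the upper-case form of the subvolume's (SAS vs sas).

# Constructed sample manifests (a matching pair).
SUBVOLUME_OK='apiVersion: "arccontainerstorage.azure.net/v1"
kind: EdgeSubvolume
metadata:
  name: ingest-subvolume
spec:
  edgevolume: my-edge-volume
  path: exampleSubDir
  auth:
    authType: sas
    secretName: mystorageacct-secret
    secretNamespace: default
  storageaccountendpoint: https://mystorageacct.blob.core.windows.net/
  container: ingest
  ingestPolicy: edgeingestpolicy-default'

SECRET_OK='apiVersion: v1
kind: Secret
metadata:
  name: mystorageacct-secret
  namespace: default
stringData:
  authType: SAS
  storageaccountsas: "?se=2025-02-02T01%3A01%3A01Z&sp=racwd&sr=c&sig=FAKE"
type: Opaque'

# Constructed bad manifest: placeholder authType left in place and a leading slash in path.
SUBVOLUME_BAD=$(printf '%s\n' "$SUBVOLUME_OK" \
  | sed 's/authType: sas/authType: MANAGED_IDENTITY/; s#path: exampleSubDir#path: /exampleSubDir#')

# First value of a key in a manifest string, with trailing comments and quotes stripped.
yaml_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1 \
    | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# $1 = EdgeSubvolume manifest, $2 = Secret manifest; returns 0 when they are consistent.
validate_subvolume() {
  sub=$1
  sec=$2
  rc=0
  auth=$(yaml_get "$sub" authType)
  case "$auth" in
    sas|connection_string|key) ;;
    *) echo "authType '$auth' must be sas, connection_string or key" >&2; rc=1 ;;
  esac
  case "$(yaml_get "$sub" path)" in
    /*) echo "path must not start with a slash" >&2; rc=1 ;;
  esac
  # Kubernetes names: lowercase letters, digits and dashes only.
  for n in "$(yaml_get "$sub" name)" "$(yaml_get "$sub" secretName)" "$(yaml_get "$sub" secretNamespace)"; do
    case "$n" in
      ""|*[!a-z0-9-]*) echo "name '$n' must be lowercase letters, digits and dashes" >&2; rc=1 ;;
    esac
  done
  # The secret the subvolume points at must exist under exactly that name and namespace.
  [ "$(yaml_get "$sec" name)" = "$(yaml_get "$sub" secretName)" ] \
    || { echo "secret name does not match spec.auth.secretName" >&2; rc=1; }
  [ "$(yaml_get "$sec" namespace)" = "$(yaml_get "$sub" secretNamespace)" ] \
    || { echo "secret namespace does not match spec.auth.secretNamespace" >&2; rc=1; }
  [ "$(lower "$(yaml_get "$sec" authType)")" = "$auth" ] \
    || { echo "secret authType does not match subvolume authType" >&2; rc=1; }
  # A container-level SAS value must carry the leading "?" (see sas.yaml).
  if [ "$auth" = sas ]; then
    case "$(yaml_get "$sec" storageaccountsas)" in
      \?*) ;;
      *) echo "storageaccountsas must start with ?" >&2; rc=1 ;;
    esac
  fi
  return $rc
}

# Demonstration: the good pair passes, the bad subvolume is rejected.
validate_subvolume "$SUBVOLUME_OK" "$SECRET_OK" && echo "edgeSubvolume.yaml and secret are consistent"
validate_subvolume "$SUBVOLUME_BAD" "$SECRET_OK" || echo "bad manifest rejected as expected"
```

To check real files, pass their contents with `validate_subvolume "$(cat edgeSubvolume.yaml)" "$(kubectl get secret -n NAMESPACE NAME -o yaml)"`; the secret's `stringData` is returned as base64 `data` by kubectl, so compare against the manifest you applied rather than the live object if you need the "?" check.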
Attach your app (Kubernetes native application)
To configure a generic single pod (Kubernetes native application) against the Persistent Volume Claim (PVC), create a file named deploymentExample.yaml with the following contents. Replace containers::name and volumes::persistentVolumeClaim::claimName with your values. If you updated the path name in edgeSubvolume.yaml, exampleSubDir in the dd command below must be updated with your new path name.
Note: Use only lowercase letters and dashes. For more information, see the Kubernetes object naming documentation.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudingestedgevol-deployment ### This will need to be unique for every volume you choose to create
spec:
  replicas: 2
  selector:
    matchLabels:
      name: wyvern-testclientdeployment
  template:
    metadata:
      name: wyvern-testclientdeployment
      labels:
        name: wyvern-testclientdeployment
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchExpressions:
                  ### The pods carry a "name" label, not "app", so this selector matches nothing and the anti-affinity is a no-op. Change the key to "name" if you want the two replicas forced onto different nodes. ###
                  - key: app
                    operator: In
                    values:
                      - wyvern-testclientdeployment
              topologyKey: kubernetes.io/hostname
      containers:
        ### Specify the container in which to launch the test client. ###
        - name: <create-a-container-name-here>
          image: mcr.microsoft.com/azure-cli:2.57.0@sha256:c7c8a97f2dec87539983f9ded34cd40397986dcbed23ddbb5964a18edae9cd09
          command:
            - "/bin/sh"
            - "-c"
            ### Writes a 16 MiB test file into the sub-volume path, then keeps the pod alive while the mount is readable (POSIX redirection, since /bin/sh is not bash). ###
            - "dd if=/dev/urandom of=/data/exampleSubDir/esaingesttestfile count=16 bs=1M && while true; do ls /data >/dev/null 2>&1 || break; sleep 1; done"
          volumeMounts:
            ### This name must match the following volumes::name attribute ###
            - name: wyvern-volume
              ### This mountPath is where the PVC will be attached to the pod's filesystem ###
              mountPath: "/data"
      volumes:
        ### User-defined 'name' that is used to link the volumeMounts. This name must match volumeMounts::name as previously specified. ###
        - name: wyvern-volume
          persistentVolumeClaim:
            ### This claimName must refer to your PVC metadata::name from cloudIngestPVC.yaml ###
            claimName: <your-pvc-metadata-name-from-cloudingestpvc-yaml>
```
To apply deploymentExample.yaml, run:
```shell
kubectl apply -f "deploymentExample.yaml"
```
Use kubectl get pods to find the name of your pod. Copy this name; you use it in the next step.
Note: Because spec::replicas from deploymentExample.yaml was specified as 2, two pods will appear using kubectl get pods. You can choose either pod name to use for the next step.
Run the following command and replace POD_NAME_HERE with your copied value from the last step:
```shell
kubectl exec -it POD_NAME_HERE -- sh
```
Change directories (cd) into the /data mount path as specified in your deploymentExample.yaml. You should see a directory with the name you specified as your path in edgeSubvolume.yaml (in the Attach sub-volume to Edge Volume section). Now, cd into /data/your_path_name_here, replacing your_path_name_here with your respective details.
As an example, create a file named file1.txt and write to it using echo "Hello World" > file1.txt.
In the Azure portal, navigate to your storage account and find the container you specified in edgeSubvolume.yaml. When you select your container, you should see file1.txt populated within the container. If the file hasn't yet appeared, wait approximately 1 minute: a dirty file becomes eligible for upload only after the ingest policy's minDelaySec, which is 60 seconds with the default edgeingestpolicy-default.
Next steps
After completing these steps, begin monitoring your deployment using Azure Monitor and Kubernetes Monitoring, or third-party monitoring with Prometheus and Grafana.