7. Deploying Trident

The guidelines in this section provide recommendations for Trident installation with various Kubernetes configurations and considerations. As with all the other recommendations in this guide, each of these suggestions should be carefully considered to determine if it’s appropriate and will provide benefit to your deployment.

7.1. Supported Kubernetes cluster architectures

Trident is supported with the following Kubernetes architectures.

Kubernetes Cluster Architectures Supported Default Install
Single master, compute Yes Yes
Multiple master, compute Yes Yes
Master, etcd, compute Yes Yes
Master, infrastructure, compute Yes Yes

7.2. Trident installation modes

Three ways to install Trident are discussed in this chapter.

Normal install mode

Installing Trident on a Kubernetes cluster will result in the Trident installer:

  1. Fetching the container images over the Internet.
  2. Creating a deployment and/or node daemonset which spin up Trident pods on all eligible nodes in the Kubernetes cluster.

A standard installation such as this can be performed in two different ways:

  1. Using tridentctl install to install Trident.
  2. Using the Trident Operator. You can deploy Trident Operator either manually or by using Helm.

This mode of installing is the easiest way to install Trident and works for most environments that do not impose network restrictions. The Deploying guide will help you get started.

Offline install mode

In many organizations, production and development environments do not have access to public repositories for pulling and posting images as these environments are completely secured and restricted. Such environments only allow pulling images from trusted private repositories.

To perform an air-gapped installation of Trident:

  • The --image-registry flag can be used when invoking tridentctl  install to point to a private image registry that contains the required CSI sidecar images. Additionally, --autosupport-image and --trident-image must point to the Trident Autosupport and Trident container image paths, respectively.

    # Install Trident from a private image registry for Kubernetes 1.17
    
    $ docker image ls
    REPOSITORY                                                          TAG                                        IMAGE ID       CREATED         SIZE
    registry.internal-domain.com/sig-storage/csi-provisioner            v2.1.1                                     93d588bf66c4   6 hours ago     51.7MB
    registry.internal-domain.com/sig-storage/csi-attacher               v3.1.0                                     03ce9595bf92   6 hours ago     49.2MB
    registry.internal-domain.com/sig-storage/csi-resizer                v1.1.0                                     a8fe79377034   6 hours ago     49.2MB
    registry.internal-domain.com/sig-storage/csi-snapshotter            v3.0.3                                     000846ee5335   6 hours ago     47.8MB
    registry.internal-domain.com/sig-storage/csi-node-driver-registrar  v2.1.0                                     ef2b13b2a066   6 hours ago     19.7MB
    registry.internal-domain.com/netapp/trident                         21.07.0                                    0de972eb1c6f   6 hours ago     93.1MB
    registry.internal-domain.com/netapp/trident-autosupport             21.01                                      8122afeecc7a   5 months ago    40.2MB
    
    $ tridentctl install --image-registry=registry.internal-domain.com --trident-image=registry.internal-domain.com/netapp/trident:21.07.0 --autosupport-image=registry.internal-domain.com/netapp/trident-autosupport:21.01
    
  • If installing with the Trident Operator, specify spec.imageRegistry, spec.tridentImage, and spec.autosupportImage as follows:

    • imageRegistry should point to the private image registry that contains the CSI sidecar container images.
    • tridentImage should be set to the path of the Trident container image hosted on the private registry.
    • autosupportImage should be set to the path of the Trident Autosupport image hosted on the private registry.
    # List the container images present in the private image registry
    
    $ docker image ls
    REPOSITORY                                                          TAG                                        IMAGE ID       CREATED         SIZE
    registry.internal-domain.com/sig-storage/csi-provisioner            v2.1.1                                     93d588bf66c4   6 hours ago     51.7MB
    registry.internal-domain.com/sig-storage/csi-attacher               v3.1.0                                     03ce9595bf92   6 hours ago     49.2MB
    registry.internal-domain.com/sig-storage/csi-resizer                v1.1.0                                     a8fe79377034   6 hours ago     49.2MB
    registry.internal-domain.com/sig-storage/csi-snapshotter            v3.0.3                                     000846ee5335   6 hours ago     47.8MB
    registry.internal-domain.com/sig-storage/csi-node-driver-registrar  v2.1.0                                     ef2b13b2a066   6 hours ago     19.7MB
    registry.internal-domain.com/netapp/trident                         21.07.0                                    0de972eb1c6f   6 hours ago     93.1MB
    registry.internal-domain.com/netapp/trident-autosupport             21.01                                      8122afeecc7a   5 months ago    40.2MB
    
    # Examine the contents of TridentOrchestrator
    
    $ cat tridentorchestrator_cr.yaml
    apiVersion: trident.netapp.io/v1
    kind: TridentOrchestrator
    metadata:
      name: trident
    spec:
      imageRegistry: registry.internal-domain.com
      tridentImage: registry.internal-domain.com/netapp/trident:21.07.0
      autosupportImage: registry.internal-domain.com/netapp/trident-autosupport:21.01
      namespace: trident
    
    $ kubectl create -f tridentorchestrator_cr.yaml -n trident
    tridentorchestrator.trident.netapp.io/trident created
    

To customize your installation further, you can use tridentctl to generate the manifests for Trident’s resources. This includes the deployment, daemonset, service account and the cluster role that Trident creates as part of its installation. The Customized Installation section talks about the options available for performing a custom Trident install.

Remote install mode

Trident can be installed on a Kubernetes cluster from a remote machine. To do a remote install, install the appropriate version of kubectl on the remote machine from where you would be installing Trident. Copy the configuration files from the Kubernetes cluster and set the KUBECONFIG environment variable on the remote machine. Initiate a kubectl get nodes command to verify you can connect to the required Kubernetes cluster. Complete the Trident deployment from the remote machine using the normal installation steps.

7.3. CRDs for maintaining Trident’s state

The 19.07 release of Trident introduces a set of Custom Resource Definitions(CRDs) for maintaining Trident’s stateful information. CRDs are a Kubernetes construct used to group a set of similar objects together and classify them as user-defined resources. This translates to Trident no longer needing a dedicated etcd and a PV that it needs to use on the backend storage. All stateful objects used by Trident will be CRD objects that are present in the Kubernetes cluster’s etcd.

7.3.1. Things to keep in mind about Trident’s CRDs

  1. When Trident is installed, a set of CRDs are created and can be used like any other resource type.
  2. When upgrading from a previous version of Trident (one that used etcd to maintain state), the Trident installer will migrate data from the etcd key-value data store and create corresponding CRD objects.
  3. Downgrading to a previous Trident version is not recommended.
  4. When uninstalling Trident using the tridentctl uninstall command, Trident pods are deleted but the created CRDs will not be cleaned up. Refer to the Uninstalling Guide to understand how Trident can be completely removed and reconfigured from scratch.
  5. Since the CRD objects that are used by Trident are stored in the Kubernetes cluster’s etcd, Trident disaster recovery workflows will be different when compared to previous versions of Trident.

7.4. Trident Upgrade/Downgrade Process

7.4.1. Upgrading Trident

If you are looking to upgrade to the latest version of Trident, the Upgrade section provides a complete overview of the upgrade process.

7.4.2. Downgrading Trident

Downgrading to a previous release is not recommended. If you choose to downgrade, ensure that the PV used by the previous Trident installation is available.

Refer to the Troubleshooting section to understand what happens when a downgrade is attempted.

7.5. Recommendations for all deployments

7.5.1. Deploy Trident to a dedicated namespace

Namespaces provide administrative separation between different applications and are a barrier for resource sharing, for example, a PVC from one namespace cannot be consumed from another. Trident provides PV resources to all namespaces in the Kubernetes cluster and consequently leverages a service account which has elevated privileges.

Additionally, access to the Trident pod may enable a user to access storage system credentials and other sensitive information. It is important to ensure that application users and management applications do not have the ability to access the Trident object definitions or the pods themselves.

7.5.2. Use quotas and range limits to control storage consumption

Kubernetes has two features which, when combined, provide a powerful mechanism for limiting the resource consumption by applications. The storage quota mechanism allows the administrator to implement global, and storage class specific, capacity and object count consumption limits on a per-namespace basis. Further, using a range limit will ensure that the PVC requests must be within both a minimum and maximum value before the request is forwarded to the provisioner.

These values are defined on a per-namespace basis, which means that each namespace will need to have values defined which fall in line with their resource requirements. An example of how to leverage quotas can be found on netapp.io.