When preparing your native Kubernetes environment for installation of the vSphere Container Storage Plug-in, create a Kubernetes secret that contains configuration details to connect to vSphere.
Before installing the vSphere Container Storage Plug-in on a native Kubernetes cluster, create a configuration file that contains the details for connecting to vSphere. The default name for the configuration file is csi-vsphere.conf. If you prefer to use a file with another name, change the environment variable VSPHERE_CSI_CONFIG in the deployment YAMLs. For more information, see Install vSphere Container Storage Plug-in.
The file holds a vCenter Server username and password in clear text. Create it with restrictive permissions (for example under umask 077), keep it off shared or version-controlled locations, and delete it once the Kubernetes secret has been created, as described at the end of this procedure.
For information about topology-aware deployments, see Deploy vSphere Container Storage Plug-in with Topology.
Procedure
- Create a vSphere configuration file for block volumes or file volumes.
  - Block volumes.
    The vSphere configuration file for block volumes includes the following sample entries.

    $ cat /etc/kubernetes/csi-vsphere.conf
    [Global]
    cluster-id = "<cluster-id>"
    cluster-distribution = "<cluster-distribution>"
    ca-file = <ca file path> # optional, use with insecure-flag set to false
    thumbprint = "<cert thumbprint>" # optional, use with insecure-flag set to false without providing ca-file

    [VirtualCenter "<IP or FQDN>"]
    insecure-flag = "<true or false>"
    user = "<username>"
    password = "<password>"
    port = "<port>"
    datacenters = "<datacenter1-path>, <datacenter2-path>, ..."

    The entries have the following meanings.

    - cluster-id: The unique cluster identifier. Each Kubernetes cluster must have a unique cluster-id set in its configuration file. The cluster ID cannot exceed 64 characters.
    - cluster-distribution: The distribution of the Kubernetes cluster. This parameter is optional. Examples are Openshift, Anthos, and TKGI. When you enter values for this parameter, keep in mind the following:
      - The vSphere Container Storage Plug-in controller goes into the CrashLoopBackOff state when the value contains a carriage return character (\r), which typically happens when the file is saved with Windows (CRLF) line endings.
      - When the value exceeds 128 characters, PVC creation might get stuck in the Pending state.
    - VirtualCenter: The section that identifies the vCenter Server by IP address or FQDN and holds the connection parameters that follow.
    - insecure-flag: Takes the following values:
      - true disables verification of the vCenter Server certificate, for example when vCenter Server uses a self-signed certificate. With verification disabled the connection can be intercepted, so do not use this setting outside a lab.
      - false verifies the certificate and uses a secure connection. For additional steps, see Use Secure Connection for vSphere Container Storage Plug-in.
    - user: The vCenter Server username. You must specify the username along with the domain name, for example user = "userName@domainName" or user = "domainName\\username". If you do not specify the domain name for Active Directory users, the vSphere Container Storage Plug-in does not function properly.
    - password: Password for the vCenter Server user.
    - port: vCenter Server port. The default is 443.
    - ca-file: The path to a CA certificate in PEM format. This parameter is optional.
    - thumbprint: The certificate thumbprint. This parameter is optional. It is ignored when you use an insecure setup or when you provide ca-file.
    - datacenters: Comma-separated list of all datacenter paths where Kubernetes node VMs are present. Provide only the datacenter name when the datacenter is located at the root. When it is placed in a folder, specify the path as folder/datacenter-name. A datacenter name cannot contain a comma, because the comma is the delimiter.

    Note: To deploy the vSphere Container Storage Plug-in for block volumes in a VMware Cloud environment, you must enter the cloud administrator username and password in the vSphere configuration file.
  - File volumes.
    For file volumes, you can optionally add parameters that specify network permissions and placement of volumes. Otherwise, default values are used. Use the following configuration file as an example.

    $ cat /etc/kubernetes/csi-vsphere.conf
    [Global]
    cluster-id = "<cluster-id>"
    cluster-distribution = "<cluster-distribution>"
    ca-file = <ca file path> # optional, use with insecure-flag set to false

    [NetPermissions "A"]
    ips = "*"
    permissions = "READ_WRITE"
    rootsquash = false

    [NetPermissions "B"]
    ips = "10.20.20.0/24"
    permissions = "READ_ONLY"
    rootsquash = true

    [NetPermissions "C"]
    ips = "10.30.30.0/24"
    permissions = "NO_ACCESS"

    [NetPermissions "D"]
    ips = "10.30.10.0/24"
    rootsquash = true

    [NetPermissions "E"]
    ips = "10.30.1.0/24"

    [VirtualCenter "<IP or FQDN>"]
    insecure-flag = "<true or false>"
    user = "<username>"
    password = "<password>"
    port = "<port>"
    datacenters = "<datacenter1-path>, <datacenter2-path>, ..."
    targetvSANFileShareDatastoreURLs = "ds:///vmfs/volumes/vsan:52635b9067079319-95a7473222c4c9cd/" # Optional

    The entries have the following meanings.

    - targetvSANFileShareDatastoreURLs: This parameter is exclusive to file volumes and is optional. Use it when you have a vSAN environment with file service enabled and want to limit the creation of file share volumes to selected vSAN datastores. The field contains a comma-separated list of datastore URLs on which to deploy the file share volumes.
    - NetPermissions: This parameter is exclusive to file volumes and is optional. In this sample configuration file, the set of parameters restricts the network access of all file share volumes that are created. If you do not specify the complete set of NetPermissions parameters for a given IP range, or omit the section entirely, the system uses default values. You can define as many NetPermissions sections as you want. Each section can include the following strings:
      - Ips: Defines the IP range or IP subnet to which these restrictions apply. The default value for Ips is *, which means all IPs.
      - Permissions: Defines the permission level: READ_WRITE, READ_ONLY or NO_ACCESS. The default value for Permissions is READ_WRITE for the specified IP range.
      - RootSquash: Defines the security access level for the file share volume. The default for RootSquash is false, which allows root access to all file share volumes created within the specified IP range.
    Because the defaults are ips = *, READ_WRITE and rootsquash = false, omitting NetPermissions altogether (or writing section A as above) lets any client that can reach the share mount it read-write with root privileges preserved. For production shares, list the client subnets explicitly, grant READ_ONLY or NO_ACCESS where write access is not needed, and set rootsquash = true for ranges that do not require root on the share.
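The following pre-flight linter is an added example and is not part of this documentation or of the plug-in's own code. It parses a csi-vsphere.conf file with a hand-written parser for the gcfg-style format shown above and checks the limits stated in the two parameter lists (the 64-character cluster-id, the 128-character cluster-distribution, no carriage returns, a domain-qualified user, no empty entries in datacenters, the three Permissions values, a valid Ips subnet). It also flags the settings that weaken security before the file becomes a secret: insecure-flag = true, insecure-flag = false without ca-file or thumbprint, and rootsquash = false on ips = *. The two sample configurations, their hostnames, names and password, are constructed for the example; the severity levels and the exact messages are the example's own choices.

```python
"""Pre-flight linter for csi-vsphere.conf (added example, not the plug-in's own code)."""
import ipaddress
import re

SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]')  # [Global] or [VirtualCenter "host"]
KEY_RE = re.compile(r'^([\w-]+)\s*=\s*(.*)$')
VALID_PERMISSIONS = {"READ_WRITE", "READ_ONLY", "NO_ACCESS"}
MAX_CLUSTER_ID, MAX_DISTRIBUTION = 64, 128  # limits given in the parameter descriptions


def _value(rest):
    """Unquote a value; drop a trailing '# comment' only outside quotes so "s3cret#1" survives."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            raise ValueError(f"unterminated quote in {rest!r}")
        return rest[1:end]
    return rest.split("#", 1)[0].strip()


def parse_conf(text):
    """Parse the gcfg-style file into {(section, subsection): {key: value}}; keys lower-cased."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if m := SECTION_RE.match(line):
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
        elif (m := KEY_RE.match(line)) and current is not None:
            sections[current][m.group(1).lower()] = _value(m.group(2))
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return sections


def lint(text):
    """Return (level, section, message) tuples: ERROR = plug-in misbehaves, WARN = weak setting."""
    out = []
    if "\r" in text:  # CRLF files leak \r into values such as cluster-distribution
        out.append(("ERROR", "file", "contains \\r; the controller goes into CrashLoopBackOff"))
    conf = parse_conf(text)
    g = conf.get(("Global", None), {})
    cid = g.get("cluster-id", "")
    if not cid or len(cid) > MAX_CLUSTER_ID:
        out.append(("ERROR", "Global", f"cluster-id is required, at most {MAX_CLUSTER_ID} chars (got {len(cid)})"))
    if len(g.get("cluster-distribution", "")) > MAX_DISTRIBUTION:
        out.append(("ERROR", "Global", f"cluster-distribution over {MAX_DISTRIBUTION} chars; PVCs may stay Pending"))
    pinned = "ca-file" in g or "thumbprint" in g
    for (sec, name), kv in conf.items():
        where = f'{sec} "{name}"'
        if sec == "VirtualCenter":
            if kv.get("insecure-flag", "false").lower() == "true":
                out.append(("WARN", where, "insecure-flag = true disables vCenter certificate verification"))
            elif not pinned:
                out.append(("WARN", where, "no ca-file or thumbprint in [Global]; the vCenter certificate is not pinned"))
            user = kv.get("user", "")
            if "@" not in user and "\\" not in user:
                out.append(("ERROR", where, f"user {user!r} lacks a domain (user@domain or domain\\\\user)"))
            if any(not d.strip() for d in kv.get("datacenters", "").split(",")):
                out.append(("ERROR", where, "datacenters must be a comma-separated list with no empty entries"))
        elif sec == "NetPermissions":
            ips, perm = kv.get("ips", "*"), kv.get("permissions", "READ_WRITE")
            if ips != "*":
                try:
                    ipaddress.ip_network(ips, strict=False)
                except ValueError:
                    out.append(("ERROR", where, f"ips {ips!r} is neither * nor an IP address/CIDR"))
            if perm not in VALID_PERMISSIONS:
                out.append(("ERROR", where, f"permissions {perm!r} not in {sorted(VALID_PERMISSIONS)}"))
            if kv.get("rootsquash", "false").lower() == "false" and ips == "*" and perm != "NO_ACCESS":
                out.append(("WARN", where, "rootsquash = false with ips = * keeps root privileges for every client"))
    return out


# Constructed sample files: hosts, names and the password are made up for this example.
GOOD_CONF = """\
[Global]
cluster-id = "cluster-01"
ca-file = /etc/ssl/certs/vcenter-ca.pem  # pins the vCenter CA because insecure-flag is false
[VirtualCenter "vcenter.example.com"]
insecure-flag = "false"
user = "k8s-csi@vsphere.local"
password = "s3cret#notacomment"
datacenters = "dc-east, folder1/dc-west"
"""

BAD_CONF = "\n".join([
    "[Global]", 'cluster-id = "' + "x" * 70 + '"',  # over the 64-character limit
    '[NetPermissions "A"]', 'ips = "*"', "rootsquash = false",  # root kept for every client
    '[NetPermissions "B"]', 'ips = "10.20.20.0/24"', 'permissions = "WRITE_ONLY"',  # invalid level
    '[VirtualCenter "10.0.0.5"]', 'insecure-flag = "true"',  # certificate verification off
    'user = "administrator"', 'password = "pw"',  # domain missing
    'datacenters = "dc1,, dc2"',  # empty entry
])

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        for level, where, msg in lint(conf) or [("OK", label, "no findings")]:
            print(f"{label}: {level:5} {where}: {msg}")
```

Run it against the real file with lint(open("csi-vsphere.conf").read()) before creating the secret; an ERROR means the plug-in is expected to misbehave (CrashLoopBackOff, Pending PVCs, failed login), a WARN means the file is valid but either the vCenter certificate is not verified or pinned or a file share keeps root privileges for every client. The quote-aware value parsing matters because a `#` inside a quoted password must not be treated as a comment.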
- Create a Kubernetes secret for vSphere credentials.
  - Create the secret by running the following command.

    kubectl create secret generic vsphere-config-secret --from-file=csi-vsphere.conf --namespace=vmware-system-csi

    The file name becomes the key inside the secret, so the file must be named csi-vsphere.conf unless you changed VSPHERE_CSI_CONFIG in the deployment YAMLs to match a different name.
  - Verify that the credential secret is successfully created in the vmware-system-csi namespace.

    $ kubectl get secret vsphere-config-secret --namespace=vmware-system-csi
    NAME                    TYPE     DATA   AGE
    vsphere-config-secret   Opaque   1      43s

  - Delete the configuration file for security purposes.

    rm csi-vsphere.conf

    The secret itself stores the vCenter Server password base64-encoded, not encrypted. Anyone allowed to read secrets in the vmware-system-csi namespace can recover it, so limit that RBAC permission to the plug-in's service account and cluster administrators, and enable encryption at rest for secrets in the cluster.