AWS EFS

Set up Amazon Elastic File System (EFS) for Satellite clusters by creating a storage configuration in your location. When you assign a storage configuration to your clusters, the storage drivers of the selected storage provider are installed in your cluster.

To use AWS EFS storage for your apps, your Satellite hosts must reside in AWS. Only static provisioning is supported with this storage template. You must manually provision an AWS EFS file system on AWS before you create your Satellite storage configuration. Make sure that the EFS device is in the same VPC and subnet that you used for your AWS hosts, and that your hosts and EFS device use the same security group.

Before you can deploy storage templates to clusters in your location, make sure you set up Satellite Config by selecting the Enable cluster admin access for Satellite Config option in the console or including the --enable-config-admin option when you create your cluster.

You cannot scope Satellite storage service to resource groups. However, if you are scoping other resources such as location and cluster to resource groups, you need to add Satellite reader and link administrator role for all resources in the account.

Prerequisites for using AWS EFS

To use the AWS EFS storage template, complete the following tasks:

Create a Satellite location.
Create a Satellite cluster that runs on compute hosts in Amazon Web Services (AWS). Make sure that you select the Enable cluster admin access for Satellite Config option when you create the cluster. If you don't enable Administrator (admin) access for Satellite Config when creating your cluster, you must re-create your cluster and enable admin access before you can deploy storage. For more information about how to add hosts from AWS to your Satellite location so that you can assign them to a cluster, see Adding AWS hosts to Satellite.
Manually provision an AWS EFS file system in your AWS account. Make sure that the EFS device is in the same VPC and subnet that you used for your AWS hosts, and that your hosts and EFS device use the same security group.

Creating and assigning a configuration in the console

Review the parameter reference.
From the Locations console, select the location where you want to create a storage configuration.
Select Storage > Create storage configuration
Enter a name for your configuration.
Select the Storage type.
Select the Version and click Next
If the Storage type that you selected accepts custom parameters, enter them on the Parameters tab.
If the Storage type that you selected requires secrets, enter them on the Secrets tab.
On the Storage classes tab, review the storage classes that are deployed by the configuration or create a custom storage class. For AWS EFS configurations, you must add a storage class before continuing.
On the Assign to service tab, select the service that you want to assign your configuration to.
Click Complete to assign your storage configuration.

Creating a configuration in the CLI

Review the parameter reference for the template version that you want to use.
Log in to the IBM Cloud CLI.
```
ibmcloud login
```
List your Satellite locations and note the Managed from column.
```
ibmcloud sat location ls
```
Target the Managed from region of your Satellite location. For example, for wdc target us-east. For more information, see Satellite regions.
```
ibmcloud target -r us-east
```
If you use a resource group other than default, target it.
```
ibmcloud target -g <resource-group>
```

Copy one of the following example command for the template version that you want to use. For more information about the command, see ibmcloud sat storage config create in the command reference.

Example command to create a version 1.3.1 configuration.

ibmcloud sat storage config create --location LOCATION --name NAME --template-name aws-efs-csi-driver --template-version 1.3.1 --param "aws-access-key=AWS-ACCESS-KEY"  --param "aws-secret-access-key=AWS-SECRET-ACCESS-KEY"

Example command to create a version 1.3.7 configuration.

ibmcloud sat storage config create --location LOCATION --name NAME --template-name aws-efs-csi-driver --template-version 1.3.7 --param "aws-access-key=AWS-ACCESS-KEY"  --param "aws-secret-access-key=AWS-SECRET-ACCESS-KEY"

Example command to create a version 1.4.2 configuration.

ibmcloud sat storage config create --location LOCATION --name NAME --template-name aws-efs-csi-driver --template-version 1.4.2 --param "aws-access-key=AWS-ACCESS-KEY"  --param "aws-secret-access-key=AWS-SECRET-ACCESS-KEY"

Customize the command based on the settings that you want to use.
Run the command to create a configuration.

Verify your configuration was created.

ibmcloud sat storage config get --config CONFIG

Creating a configuration in the API

Generate an API key, then request a refresh token. For more information, see Generating an IBM Cloud IAM token by using an API key.
Review the parameter reference for the template version that you want to use.

Copy one of the following example requests and replace the variables that you want to use.

Example request to create a version 1.3.1 configuration.

curl -X POST "https://containers.cloud.ibm.com/global/v2/storage/satellite/createStorageConfigurationByController" -H "accept: application/json" -H "Authorization: TOKEN" -H "Content-Type: application/json" -d "{ \"config-name\": \"string\", \"controller\": \"string\", \"storage-class-parameters\": [ { \"additionalProp1\": \"string\", \"additionalProp2\": \"string\", \"additionalProp3\": \"string\" } ], \"storage-template-name\": \"aws-efs-csi-driver\", \"storage-template-version\": \"1.3.1\", \"update-assignments\": true, \"user-config-parameters\":\"user-secret-parameters\": { \"entry.name\": \"AWS-ACCESS-KEY\",{ \"entry.name\": \"AWS-SECRET-ACCESS-KEY\",}

Example request to create a version 1.3.7 configuration.

curl -X POST "https://containers.cloud.ibm.com/global/v2/storage/satellite/createStorageConfigurationByController" -H "accept: application/json" -H "Authorization: TOKEN" -H "Content-Type: application/json" -d "{ \"config-name\": \"string\", \"controller\": \"string\", \"storage-class-parameters\": [ { \"additionalProp1\": \"string\", \"additionalProp2\": \"string\", \"additionalProp3\": \"string\" } ], \"storage-template-name\": \"aws-efs-csi-driver\", \"storage-template-version\": \"1.3.7\", \"update-assignments\": true, \"user-config-parameters\":\"user-secret-parameters\": { \"entry.name\": \"AWS-ACCESS-KEY\",{ \"entry.name\": \"AWS-SECRET-ACCESS-KEY\",}

Example request to create a version 1.4.2 configuration.

curl -X POST "https://containers.cloud.ibm.com/global/v2/storage/satellite/createStorageConfigurationByController" -H "accept: application/json" -H "Authorization: TOKEN" -H "Content-Type: application/json" -d "{ \"config-name\": \"string\", \"controller\": \"string\", \"storage-class-parameters\": [ { \"additionalProp1\": \"string\", \"additionalProp2\": \"string\", \"additionalProp3\": \"string\" } ], \"storage-template-name\": \"aws-efs-csi-driver\", \"storage-template-version\": \"1.4.2\", \"update-assignments\": true, \"user-config-parameters\":\"user-secret-parameters\": { \"entry.name\": \"AWS-ACCESS-KEY\",{ \"entry.name\": \"AWS-SECRET-ACCESS-KEY\",}

Creating a storage assignment in the console

If you didn't assign your configuration to a cluster or service when you created it, you can create an assignment by completing the following steps.

Open the Satellite console in your browser.
Select the location where you created your storage configuration.
Click the Locations tab, then click Storage.
Click the storage configuration that you want to assign to a cluster group.
On the Configuration details page, click Create storage assignment.
In the Create an assignment pane, enter a name for your assignment.
From the Version drop-down list, select the storage configuration version that you want to assign.
Click Create to create the assignment.
Verify that your storage configuration is deployed to your cluster.
1. From the Satellite console, navigate to your Location and select Storage
2. Click the storage configuration that you created and review the Assignments tab.
3. Click the Assignment that you created and review the Rollout status for your configuration.

Creating an assignment in the CLI

List your storage configurations and make a note of the storage configuration that you want to assign to your clusters.
```
ibmcloud sat storage config ls
```
Get the ID of the cluster, cluster group, or service that you want to assign storage to.

To make sure that your cluster is registered with Satellite Config or to create groups, see Setting up clusters to use with Satellite Config.

Example command to list cluster groups.
```
ibmcloud sat group ls
```
Example command to list clusters.
```
ibmcloud oc cluster ls --provider satellite
```
Example command to list Satellite services.
```
ibmcloud sat service ls --location <location>
```
Assign your storage configuration to the cluster, group, or service that you retrieved earlier. For more information, see the ibmcloud sat storage assignment create command.

Example command to assign a configuration to a cluster group.
```
ibmcloud sat storage assignment create --group GROUP --config CONFIG --name NAME
```
Example command to assign a configuration to a cluster.
```
ibmcloud sat storage assignment create --cluster CLUSTER --config CONFIG --name NAME
```
Example command to assign a configuration to a service cluster.
```
ibmcloud sat storage assignment create --service-cluster-id CLUSTER --config CONFIG --name NAME
```

Verify that your assignment is created.

ibmcloud sat storage assignment ls (--cluster CLUSTER | --config CONFIG | --location LOCATION | --service-cluster-id CLUSTER)

Creating a storage assignment in the API

Copy one of the following example requests.

Example request to assign a configuration to a cluster.

curl -X POST "https://containers.cloud.ibm.com/global/v2/storage/satellite/createAssignmentByCluster" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{ \"channelName\": \"CONFIGURATION-NAME\", \"cluster\": \"CLUSTER-ID\", \"controller\": \"LOCATION-ID\", \"name\": \"ASSIGNMENT-NAME\"}"

Example request to assign configuration to a cluster group.

curl -X POST "https://containers.cloud.ibm.com/global/v2/storage/satellite/createAssignment" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{ \"channelName\": \"CONFIGURATION-NAME\", \"cluster\": \"string\", \"groups\": [ \"CLUSTER-GROUP\" ], \"name\": \"ASSIGNMENT-NAME\"}"

Replace the variables with your details and run the request.

Verify the assignment was created by listing your assignments.

curl -X GET "https://containers.cloud.ibm.com/global/v2/storage/satellite/getAssignments" -H "accept: application/json" -H "Authorization: Bearer TOKEN"

Updating storage assignments in the console

You can use the Satellite console to apply the latest patch updates to your assignments.

From the Locations page in the Satellite console, select your location.
Click the Storage tab to view your configurations.
Click the configuration you want to update.
Click information Information (i) icon to apply the latest revision or patch.
Optional: Enable automatic patch updates for your storage assignment. Enabling automatic patch updates ensures that your assignment always has the latest security fixes.

If you enable automatic patch updates, you must still apply major updates manually.

Manually upgrading assignments in the CLI

Upgrade an assignment to use the latest storage template revision.

List your Satellite storage assignments, make a note of the Satellite assignment you want to upgrade.
```
ibmcloud sat storage assignment ls
```
List the Satellite storage templates to see the latest available versions.
```
ibmcloud sat storage template ls
```
Upgrade the Satellite assignment.

Example command to upgrade an assignment.
```
ibmcloud sat storage assignment upgrade --assignment ASSIGNMENT
```

Enabling automatic patch updates for configurations and assignments in the CLI

You can use the sat storage assignment autopatch enable CLI to enable automatic patch updates for your assignments. Enabling automatic patch updates applies the latest storage template revisions (patches) automatically. You must still apply major updates manually.

List your Satellite storage configurations. Make a note of the configuration ID.
```
ibmcloud sat storage assignment ls
```
Run one of the following example commands to enable automatic patch updates for your configuration and its associated assignments. Enter the configuration ID that you retrieved in the previous step.

Example command to enable automatic patch updates for an assignment.
```
ibmcloud sat storage assignment autopatch enable --config CONFIG  (--all | --assignment ASSIGNMENT-ID [--assignment ASSIGNMENT-ID])
```
Example command to enable automatic patch updates for all storage assignments under a given configuration.
```
ibmcloud sat storage assignment autopatch enable --config CONFIG --all
```
Example command to disable automatic patch updates for all assignments under a specific configuration.
```
ibmcloud sat storage assignment autopatch disable --config CONFIG --all
```
Example command to disable automatic patch updates for an single assignment and a specific configuration.
```
ibmcloud sat storage assignment autopatch disable --config CONFIG --assignment ASSIGNMENT-ID
```
Example command to disable automatic patch updates for an multiple assignment and a specific configuration.
```
ibmcloud sat storage assignment autopatch disable --config CONFIG --assignment ASSIGNMENT-ID --assignment ASSIGNMENT-ID
```

Upgrading a configuration and assignments in the API

You can use the /v2/storage/satellite/updateAssignment API to update your assignments with new clusters or cluster groups. Set updateConfigVersion to true to apply the revision update.

Copy the following example request and replace the variables for the cluster groups and assignments that you want to update.

curl -X PATCH "https://containers.cloud.ibm.com/global/v2/storage/satellite/updateAssignment" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{ \"groups\": [ \"CLUSTER-GROUPS\" ], \"name\": \"ASSIGNMENT-NAME\", \"updateConfigVersion\": true, \"uuid\": \"ASSIGNMENT-ID\"}"

Run the request.

Get the details of you assignment to verify the update.

curl -X GET "https://containers.cloud.ibm.com/global/v2/storage/satellite/getAssignment?uuid=ASSIGNMENT-ID" -H "accept: application/json" -H "Authorization: Bearer TOKEN"

Enabling automatic patch updates for assignments in the API

You can use the /v2/storage/satellite/setAssignmentAutoupgrade API to enable automatic patch updates for your assignments. Enabling automatic patch updates applies the latest storage template revisions (patches) automatically. You must still apply major updates manually.

Copy the following example request and replace the variables for the cluster groups and assignments that you want to update.

curl -X PATCH "https://containers.cloud.ibm.com/global/v2/storage/satellite/setAssignmentAutoupgrade" -H "accept: application/json" -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d { "config": "string", "controller": "string", "autopatch": boolean,"assignment" : { "all": boolean, "uuid": ["string", "string", ...], } }

Run the request.

Get the details of you assignment to verify the upgrade.

curl -X GET "https://containers.cloud.ibm.com/global/v2/storage/satellite/getAssignment?uuid=ASSIGNMENT-ID" -H "accept: application/json" -H "Authorization: Bearer TOKEN"

Adding a custom AWS EFS storage class to your configuration

After you create a Satellite storage configuration, you can add a custom storage class by using the ibmcloud sat config sc add command.

You can't add storage classes to Satellite storage configurations after the configurations are assigned to clusters or cluster groups. Make sure to add storage classes before assigning your configuration.

List the storage class parameters for the template that you used to create your configuration and decide how you want to create your storage class.
```
ibmcloud sat storage template get --name aws-efs-csi-driver --version <version>
```
Create the storage class and pass in any custom parameters. Enter the name of the storage configuration you created earlier, the storage class name, and the custom parameters that you want to provide.
```
ibmcloud sat storage config sc add --config-name <config-name> --name <storage-class-name> --param "key=value"
```
basePath

Specify the BasePath. Base path is a path on the file system under which access point root directory is created.

directoryPerms

Specify directory permissions. Default: 700.

fileSystemId

Required. Specify the EFS file system ID.

gidRangeEnd

Specify the GID range end. gidRangeEnd is the ending range of the POSIX Group ID. Default: 7000000.

gidRangeStart

Specify the GID range start. gidRangeStart is the starting range of the POSIX Group ID to be applied onto the root directory of the access point. Default: 50000.

is-default-class

Specify true or false to make the created storage class the default class.

name

Required. The name of the storage class.

Example command to add a custom storage class to a configuration call my-config.
```
ibmcloud sat storage config sc add --config-name my-config --name my-sc --param "fileSystemID=<filesystemID>" --param "is-default-class=true"
```
Complete the following steps to assign your storage configuration to your clusters.

Deploying an app that uses AWS EFS storage

You can use the efs-csi-driver to statically provision AWS EFS storage for the apps in your clusters.

Before you begin, make sure that you created an AWS EFS instance in your AWS account.The EFS device must be in the same VPC and subnet that you used for your AWS hosts, and your hosts and EFS device must use the same security group.

From the AWS EFS console, find the file system that you want to use for your apps and note the file system ID.

Create a persistent volume (PV) that references the file system ID of your AWS EFS instance.

Create a YAML configuration file for your PV and enter the file system ID in the csi.volumeHandle field.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: efs
spec:
  capacity:
  storage: 5Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: # Enter the name of the custom storage class that you created earlier
  csi:
  driver: efs.csi.aws.com
  volumeHandle: <aws_efs_fileshare_ID>

Create the PV in your cluster.
```
oc apply -f pv.yaml
```

Verify that the PV is created. Note that the PV remains in an Available status as no matching PVC is found yet.

oc get pv

Example output

NAME   CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS        CLAIM        STORAGECLASS           REASON   AGE
efs    5Gi        RWO            Retain           Available                  sat-aws-file-gold               34m

Create a persistent volume claim (PVC) that matches the PV that you created.

Create a YAML configuration file for your PVC. In order for the PVC to match the PV, you must use the same values for the storage class and the size of the storage.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: efs
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: # Enter the custom storage class that you created earlier.
  resources:
  requests:
    storage: 5Gi

Create the PVC in your cluster.
```
oc apply -f pvc.yaml
```

Verify that the PVC is created. Make sure that the PVC is in a Bound status and that the name of the PV that you created earlier is listed in the VOLUME column.

oc get pvc

Example output

NAME      STATUS        VOLUME     CAPACITY   ACCESS MODES   STORAGECLASS        AGE
efs       Bound         efs        5Gi        RWO            sat-aws-file-gold   36m

Create a YAML configuration file for a pod that mounts the PVC that you created. The following example creates an nginx pod that writes the current date and time to a test.txt file on your AWS EFS volume mount path.

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
   - name: app
  image: nginx
  command: ["/bin/sh"]
  args: ["-c", "while true; do echo $(date -u) >> /test/test.txt; sleep 5; done"]
  volumeMounts:
  - name: persistent-storage
    mountPath: /test
  volumes:
  - name: persistent-storage
  persistentVolumeClaim:
    claimName: efs

Create the pod in your cluster.
```
oc apply -f pod.yaml
```

Verify that the pod is deployed. Note that it might take a few minutes for your app to get into a Running state.

oc get pods

Example output

NAME                                READY   STATUS    RESTARTS   AGE
app                                 1/1     Running   0          2m58s

Verify that the app can write to your AWS EFS instance.

Display the contents of the test.txt file to confirm that your app can write data to your persistent storage.

cat /test/test.txt

Example output

Tue Mar 2 20:09:19 UTC 2021
Tue Mar 2 20:09:25 UTC 2021
Tue Mar 2 20:09:31 UTC 2021
Tue Mar 2 20:09:36 UTC 2021
Tue Mar 2 20:09:42 UTC 2021
Tue Mar 2 20:09:47 UTC 2021

Exit the pod.
```
exit
```

From the AWS EFS console, find the file system that you used and verify that the file system grows in size.

Removing AWS EFS storage from your apps

If you no longer need your AWS EFS instance, you can remove your PVC, PV, and the AWS EFS instance in your AWS account.

Removing your AWS EFS instance permanently removes all the data that is stored on this instance. This action cannot be undone. Make sure that you back up your data before you delete the AWS EFS instance.

List your PVCs and note the name of the PVC and the corresponding PV that you want to remove.
```
oc get pvc
```
Remove any pods that mount the PVC.
1. List all the pods that currently mount the PVC that you want to delete. If no pods are returned, you do not have any pods that currently use your PVC.
```
oc get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{.metadata.name}{":\t"}{range .spec.volumes[*]}{.persistentVolumeClaim.claimName}{" "}{end}{end}' | grep "<pvc_name>"
```
  Example output
```
app    sat-aws-block-bronze
```
2. Remove the pod that uses the PVC. If the pod is part of a deployment, remove the deployment.
```
oc delete pod <pod_name>
```
```
oc delete deployment <deployment_name>
```
3. Verify that the pod or the deployment is removed.
```
oc get pods
```
```
oc get deployments
```
Delete the PVC. Because you statically provisioned the AWS EFS storage, deleting the PVC does not remove the PV or the AWS EFS instance in your AWS account.
```
oc delete pvc <pvc_name>
```
Delete the corresponding PV.
```
oc delete pv <pv_name>
```
From the AWS EFS console, select the file system that you want to delete and click Delete.

Removing the AWS EFS storage configuration from your cluster

If you no longer plan on using AWS EFS storage in your cluster, you can unassign your cluster from the storage configuration.

Note that if you remove the storage configuration, the driver is then uninstalled from all assigned clusters. from all assigned clusters. Your PVCs, PVs and data are not removed. However, you might not be able to access your data until you re-install the driver in your cluster again.

Removing the AWS EFS storage configuration from the console

Use the console to remove a storage configuration.

Note that you must delete your storage assignments before you can successfully delete your storage configuration.

From the Satellite storage dashboard, select the storage configuration you want to delete.
Select Actions > Delete
Enter the name of your storage configuration.
Select Delete.

Removing the AWS EFS storage configuration from the CLI

Use the CLI to remove a storage configuration.

Note that you must delete your storage assignments before you can successfully delete your storage configuration.

List your storage assignments and find the one that you used for your cluster.

ibmcloud sat storage assignment ls (--cluster CLUSTER | --config CONFIG | --location LOCATION | --service-cluster-id CLUSTER)

Remove the assignment. After the assignment is removed, the AWS EFS driver pods and storage class are removed from all clusters that were part of the storage assignment.
```
ibmcloud sat storage assignment rm --assignment <assignment_ID>
```
Verify that the AWS EFS driver is removed from your cluster.
1. List the storage classes in your cluster and verify that the AWS EFS storage class is removed.
```
oc get sc
```
2. List the pods in the kube-system namespace and verify that the AWS EFS storage driver pods are removed.
```
oc get pods -n kube-system
```
Optional: Remove the storage configuration.
1. List the storage configurations.
```
ibmcloud sat storage config ls
```
2. Remove the storage configuration.
```
ibmcloud sat storage config rm --config <config_name>
```

Parameter reference

1.3.1 parameter reference

Table 1. 1.3.1 parameter reference
Display name	CLI option	Type	Description	Required?	Default value
AWS Access Key ID	`aws-access-key`	Secret	AWS Access Key ID.	true	N/A
AWS Secret Access Key	`aws-secret-access-key`	Secret	AWS Secret Access key.	true	N/A

1.3.7 parameter reference

Table 2. 1.3.7 parameter reference
Display name	CLI option	Type	Description	Required?	Default value
AWS Access Key ID	`aws-access-key`	Secret	AWS Access Key ID.	true	N/A
AWS Secret Access Key	`aws-secret-access-key`	Secret	AWS Secret Access key.	true	N/A

1.4.2 parameter reference

Table 3. 1.4.2 parameter reference
Display name	CLI option	Type	Description	Required?	Default value
AWS Access Key ID	`aws-access-key`	Secret	AWS Access Key ID.	true	N/A
AWS Secret Access Key	`aws-secret-access-key`	Secret	AWS Secret Access key.	true	N/A

Getting help and support for AWS EFS

When you use AWS EFS Storage, try the following resources before you open a support case.

Review the FAQs in the AWS Knowledge Center.
Review the troubleshooting documentation to troubleshoot and resolve common issues.
Check the status of the IBM Cloud platform and resources by going to the Status page.
Review Stack Overflow to see whether other users experienced the same problem. Tag any questions with ibm-cloud and AWS-EFS.
Search the AWS Support Center for more in-depth support options.