OSDOCS-13459#Add cross-subscription support for Azure File

Lisa Pettyjohn · Lisa Pettyjohn · commit 7f626d4abf80 · 2025-04-11T14:05:00.000-04:00
diff --git a/modules/persistent-storage-csi-azure-file-cross-sub-dynamic-pre-provisioning-pv-pvc-procedure.adoc b/modules/persistent-storage-csi-azure-file-cross-sub-dynamic-pre-provisioning-pv-pvc-procedure.adoc
@@ -0,0 +1,86 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent_storage-csi-azure-file.adoc
+//
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-azure-file-cross-sub-dynamic-pre-provisioning-pv-pvc-procedure_{context}"]
+= Pre-provisioning across subscriptions for Azure File by creating a PV and PVC:
+
+.Prerequisites
+* Installed Azure cluster with the service principal or managed identity as Azure identity
+
+* Access to another subscription in the tenant with the cluster  
+
+* Logged in to the Azure CLI
+
+.Procedure
+. For the desired existing Azure File share, record the resource group, storage account, storage account key, and Azure File name. These values are used for the next steps.
+
+. Create a secret for the persistent volume parameter `spec.csi.nodeStageSecretRef.name` by running the following command:
++
+[source, terminal]
+----
+$ oc create secret generic azure-storage-account-{storageaccount-name}-secret --from-literal=azurestorageaccountname="<azure-storage-account-name>" --from-literal azurestorageaccountkey="<azure-storage-account-key>" --type=Opaque <1>
+----
+<1> Where `<azure-storage-account-name>` and `<azure-storage-account-key>` are the Azure storage account name and key respectively that you recorded in Step 1.
+
+. Create a persistent volume (PV) using a similar configuration to the following example file:
++
+.Example PV YAML file
+[source, terminal]
+----
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  annotations:
+    pv.kubernetes.io/provisioned-by: file.csi.azure.com
+  name: <pv-name> <1>
+spec:
+  capacity:
+    storage: 10Gi <2>
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain  
+  storageClassName: azurefile-csi-manual
+  mountOptions:
+    - cache=strict
+    - nosharesock
+    - actimeo=30
+    - nobrl 
+  csi:
+    driver: file.csi.azure.com
+    volumeHandle: "{resource-group-name}#{storage-account-name}#{file-share-name}" <3>
+    volumeAttributes:
+      shareName: <existing-file-share-name> <4>
+    nodeStageSecretRef:
+      name: <secret-name>  <5>
+      namespace: <secret-namespace>  <6>
+----
+<1> <pv-name> is the PV name.
+<2> The size of the PV.
+<3> Ensure that `volumeHandle` is unique for every identical share in the cluster.
+<4> For `<existing-file-share-name>, use only the file share name and not the full path.
+<5> <secret-name> is the secret name created in the previous step.
+<6> <secret-namespace> is the namespace where the secret resides.
+
+. Create a persistent value claim (PVC) specifying the existing Azure File share referenced in Step 1 using a similar configuration to the following:
++
+.Example PVC YAML file
+[source, yaml]
+----
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: <pvc-name> <1>
+spec:
+  storageClassName: <sc-name-cross-sub> <2>
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+----
+<1> `<pvc-name>` is the name of the PVC.
+<2> `<sc-name-cross-sub>` is the name of the storage class.
+
+
diff --git a/modules/persistent-storage-csi-azure-file-cross-sub-dynamic-provisioning-procedure.adoc b/modules/persistent-storage-csi-azure-file-cross-sub-dynamic-provisioning-procedure.adoc
@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent_storage-csi-azure-file.adoc
+//
+:_mod-docs-content-type: PROCEDURE
+[id="persistent-storage-csi-azure-file-cross-sub-dynamic-provisioning-procedure_{context}"]
+= Dynamic provisioning across subscriptions for Azure File
+
+.Prerequisites
+* Installed Azure cluster with the service principal or managed identity as Azure identity
+
+* Access to another subscription in the tenant with the cluster  
+
+* Logged in to the Azure CLI
+
+.Procedure
+To use Azure File dynamic provisioning across subscriptions:
+
+. Record the Azure identity (service principal or managed identity) by running the following applicable commands. The Azure identity is needed in the next step:
++
+* If using the _service principal_ as Azure identity when installing the cluster:
++
+[source,terminal]
+====
+$ sp_id=$(oc -n openshift-cluster-csi-drivers get secret azure-file-credentials -o jsonpath='{.data.azure_client_id}' | base64 --decode)
+
+$ az ad sp show --id ${sp_id} --query displayName --output tsv
+====
++
+* If using the _managed identity_ as Azure identity when installing the cluster:
++
+[source,terminal]
+====
+$ mi_id=$(oc -n openshift-cluster-csi-drivers get secret azure-file-credentials -o jsonpath='{.data.azure_client_id}' | base64 --decode)
+
+$ az identity list --query "[?clientId=='${mi_id}'].{Name:name}" --output tsv
+====
+
+. Obtain the Azure identity (service principal or managed identity) permission to access the resource group in another subscription where you want to provision the Azure File share:
+
+.. Log in to the Azure portal and on the left-hand menu, click *Resource groups*.
+
+.. Choose the resource group to which you want to assign a role by clicking *resource group* > *Access control (IAM)* > *Role assignments* tab to view current assignments, and then click *Add* > *Add role assignment*.
+
+.. On the *Role* tab, choose the contributor role to assign, and then click *Next*. You can also create and choose your own role with required permission.
+
+.. On the *Members* tab, choose an assignee by selecting the type of assignee: “User, group, or service principal” (Or “Managed identity”), click *Select members*, search for and then select the desired service principal or managed identity, and then click *Select* to confirm.
+
+.. On the *Review + assign* tab, review the settings.
+
+.. To finish the role assignment, click *Review + assign*.
++
+[NOTE]
+====
+If you just want to use a specific storage account to provision the Azure File share, you can also obtain the Azure identity (service principal or managed identity) permission to access the storage account only with the similar steps.
+====
+
+. Create an Azure File storage class using a similar configuration to the following:
++
+.Example Azure File storage class YAML file
+[source, yaml]
+----
+allowVolumeExpansion: true
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: <sc-name-cross-sub> <1>
+mount options:
+  - mfsymlinks
+  - cache=strict
+  - nosharesock
+  - actimeo=30
+parameters:
+  subscriptionID: <xxxx-xxxx-xxxx-xxxx-xxxx> <2>
+  resourceGroup: <resource group name> <3>
+  storageAccount: <storage account> <4> 
+  skuName: <skuName> <5>
+provisioner: file.csi.azure.com
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+----
+<1> Name of the storage class
+<2> The cross account subscription ID
+<3> The resource group name in cross account subscription
+<4> Storage account name, if you want to specify your own
+<5> Name of the SKU type
+
+. Create a persistent volume claim (PVC) specifying the Azure File storage class that you created in the previous step using a similar configuration to the following:
++
+.Example PVC YAML file
+[source, yaml]
+----
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: <pvc-name> <1>
+spec:
+  storageClassName: <sc-name-cross-sub> <2>
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+----
+<1> `<pvc-name>` is the name of the PVC.
+<2> `<sc-name-cross-sub>` is the name of the storage class that you created in the previous step.
diff --git a/modules/persistent-storage-csi-azure-file-cross-sub-overview.adoc b/modules/persistent-storage-csi-azure-file-cross-sub-overview.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * storage/container_storage_interface/persistent_storage-csi-azure-file.adoc
+//
+
+:_mod-docs-content-type: CONCEPT
+[id="persistent-storage-csi-azure-file-cross-sub-overview_{context}"]
+= Azure File cross-subscription support
+
+Cross-subscription support allows you to have an {product-title} cluster in one Azure subscription and mount your Azure file share in another Azure subscription using the Azure File Container Storage Interface (CSI) driver.
+
+[IMPORTANT]
+====
+Both the {product-title} cluster and the Azure File share (pre-provisioning or to be provisioned) should be inside the same tenant.
+====
diff --git a/storage/container_storage_interface/persistent-storage-csi-azure-file.adoc b/storage/container_storage_interface/persistent-storage-csi-azure-file.adoc
@@ -25,9 +25,15 @@ Azure File CSI Driver Operator does _not_ support:
 
 For more information about supported features, see xref:../../storage/container_storage_interface/persistent-storage-csi.adoc#csi-drivers-supported_persistent-storage-csi[Supported CSI drivers and features].
 
+include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
+
 include::modules/persistent-storage-csi-azure-file-nfs.adoc[leveloffset=+1]
 
-include::modules/persistent-storage-csi-about.adoc[leveloffset=+1]
+include::modules/persistent-storage-csi-azure-file-cross-sub-overview.adoc[leveloffset=+1]
+
+include::modules/persistent-storage-csi-azure-file-cross-sub-dynamic-provisioning-procedure.adoc[leveloffset=+2]
+
+include::modules/persistent-storage-csi-azure-file-cross-sub-dynamic-pre-provisioning-pv-pvc-procedure.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
