
Container Storage Interface (CSI) Drivers

Objective

Deploy the various CSI drivers used by the Panfactum stack.

Background

Compared to networking, storage in Kubernetes is relatively straightforward. Storage is exposed to pods via two mechanisms:

The primary use case for CSI is attaching storage managed by cloud providers (e.g., AWS EBS). That said, this interface is extremely flexible and can also be used by other utilities to directly mount files inside your pods.

Deploy AWS EBS CSI Driver

The AWS EBS CSI Driver allows you to provision EBS volumes for use in your pods. This is the recommended way to store stateful data (i.e., database storage) within the Panfactum stack.

We provide the kube_aws_ebs_csi module to deploy the driver.

Let's deploy it now:

  1. Create a new directory adjacent to your aws_eks module called kube_aws_ebs_csi.

  2. Add a terragrunt.hcl to that directory that looks like this.

  3. For now, set vpa_enabled to false. We will enable it when we install the autoscalers.

  4. Add a module.yaml that enables the aws, kubernetes, random, and helm providers.

  5. Run terragrunt apply.

  6. Verify the pods deployed successfully:

    AWS EBS CSI launched successfully

Storage Classes

Note that there are now a few StorageClass resources in the cluster:

Storage classes in the cluster

The following classes were installed by the kube_aws_ebs_csi module:

  • ebs-standard: Uses gp3 volumes and deletes the volumes automatically when the utilizing resource is deleted (default)
  • ebs-standard-retained: Uses gp3 volumes but never deletes the underlying volumes (recommended for production databases)

Notice that there is also one named gp2. Unfortunately, EKS installs this automatically, but it uses legacy storage technology that is both more expensive and less performant. Even more unfortunately, this is set as the default storage class. To avoid accidentally using it, you should manually delete it now with the following command: kubectl delete storageclass gp2.
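
The following check is an added example, not part of the Panfactum guide or its modules. It audits the storage classes against the state described above: gp2 removed, ebs-standard as the only default, and the retained class actually retaining volumes. The function names, the three-column input layout, the constructed sample rows, and the mapping of "deletes automatically" and "never deletes" to reclaimPolicy Delete and Retain are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit StorageClass state against what this guide describes.
# Input rows on stdin: NAME  IS_DEFAULT  RECLAIM_POLICY (whitespace separated).
# Returns 0 when clean, 1 when any finding is printed.
audit_storage_classes() {
  awk '
    NF < 3 { next }
    { seen[$1] = 1; reclaim[$1] = $3 }
    $2 == "true" { ndefault++; defaults = defaults " " $1 }
    END {
      if ("gp2" in seen) {
        print "FAIL: legacy gp2 class still present (kubectl delete storageclass gp2)"; bad = 1
      }
      if (ndefault != 1) {
        print "FAIL: expected exactly 1 default class, found " (ndefault + 0) ":" defaults; bad = 1
      } else if (defaults != " ebs-standard") {
        print "FAIL: default class is" defaults ", expected ebs-standard"; bad = 1
      }
      # Assumed mapping: "deletes automatically" = Delete, "never deletes" = Retain.
      if (reclaim["ebs-standard"] != "Delete") {
        print "FAIL: ebs-standard missing or reclaimPolicy is not Delete"; bad = 1
      }
      if (reclaim["ebs-standard-retained"] != "Retain") {
        print "FAIL: ebs-standard-retained missing or reclaimPolicy is not Retain"; bad = 1
      }
      if (!bad) print "OK: storage classes match the guide"
      exit bad + 0
    }'
}

# Produces the three columns from a live cluster (needs kubectl access).
live_storage_classes() {
  kubectl get storageclass --no-headers -o custom-columns='NAME:.metadata.name,DEFAULT:.metadata.annotations.storageclass\.kubernetes\.io/is-default-class,RECLAIM:.reclaimPolicy'
}

# Constructed sample rows (not captured from a real cluster).
SAMPLE_BEFORE='gp2                    true    Delete
ebs-standard           true    Delete
ebs-standard-retained  <none>  Retain'
SAMPLE_AFTER='ebs-standard           true    Delete
ebs-standard-retained  <none>  Retain'

echo "== before deleting gp2 =="
printf '%s\n' "$SAMPLE_BEFORE" | audit_storage_classes || true
echo "== after deleting gp2 =="
printf '%s\n' "$SAMPLE_AFTER" | audit_storage_classes || true
# Live check: live_storage_classes | audit_storage_classes
```

With two classes marked default, a PersistentVolumeClaim that omits storageClassName can land on either one, which is why the audit treats anything other than exactly one default as a finding.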

Deploy the Kubernetes Secrets Store CSI Driver

The Kubernetes Secrets Store CSI driver allows you to mount secrets files from third-party sources such as AWS or HashiCorp Vault (which we will install in the next section).

We provide the kube_secrets_csi module to deploy the driver.

Let's deploy it now:

  1. Create a new directory adjacent to your aws_eks module called kube_secrets_csi.

  2. Add a terragrunt.hcl to that directory that looks like this.

  3. For now, set vpa_enabled to false. We will enable it when we install the autoscalers.

  4. Add a module.yaml that enables the aws, kubernetes, and helm providers.

  5. Run terragrunt apply.

  6. Verify the pods deployed successfully:

    Secrets CSI launched successfully

Next Steps

We will test the storage drivers in the next section where we deploy Vault (which needs persistent storage).

Panfactum Bootstrapping Guide: Step 10 / 20

Footnotes

  1. This type of storage should be considered ephemeral (temporary) as it is inherently linked to the lifetime of the underlying nodes. In the Panfactum stack, nodes can be replaced at any time.