Configuring Fusion Data Foundation in provider mode

Configure Fusion Data Foundation Storage in IBM Fusion HCI for provider mode.

1. Go to the Storage > Local storage page.
2. Wait for the discovery of compute nodes to complete.
   After the discovery process completes, the Configure storage button is enabled.
3. Click Configure storage.
4. In the Storage nodes section, select a minimum of six nodes from the node table based on the recommendation. They are candidate nodes to be selected as Fusion Data Foundation storage nodes. Both compute and control nodes with available SSD/NVMe disks can be viewed as candidate nodes and they get displayed in the table.
   The table includes Name, Disks, Disk size (TiB), vCPUs, and Memory (GB) details about the node. The table includes the Rack column for High Availability Multi Rack.
   Based on your selection, the Summary section includes the usable capacity. The usable capacity includes Raw capacity, Nodes, CPUs, and Memory. For example, the recommendation can be to select a minimum of six nodes with with usable capacity of 48 TiB.

   When you configure storage on a High-Availability Multi Rack, select the same number of nodes from each rack. In this rack, even one rack is down, the Fusion Data Foundation cluster continues to work.

5. Click Next.
6. In the Specify encryption for the storage configuration page, enter the following details:
   • In the Encryption settings section, select a
     • Store the encryption key as a secret in the cluster
     • Store the encryption key in an external KMS
     • None
     If you select Store the encryption key in an external KMS option, then enter the following connection settings:

     • Enter the Hostname/ IP address of your KMS server.
     • Enter the value of Port of your KMS server.
     • Select a Provider type. It can be Vault or Thales CipherTrust Manager.

       Table 1. Provider type options

       Provider type	Procedure
       Vault	For Vault, enter the following details. Select an Authentication method. It can be Token or Kubernetes. Token method If you select the method as Token, then enter value for token. For more information on how to create token in vault server, see Enabling encryption with the token authentication using HashiCorp Vault(manual part) in Preparing to connect to an external KMS server in Fusion Data Foundation. Kubernetes method If you select the method as Kubernetes, then enter value for role. After you click Configure in the next step, manually do the steps that are defined in the Enabling encryption with the Kubernetes authentication using HashiCorp Vault (manual part). The role will be generated with rook-ceph-system, rook-ceph-osd,noobaa as bound_service_account_names in the Vault by the manual steps. Enter the Backend path that you defined in step 1 in Enabling encryption with the token authentication using HashiCorp Vault(manual part) or step 3.b that defined in Enabling encryption with the Kubernetes authentication using HashiCorp Vault (manual part). Optionally, enter the CA certificate, Client certificate, Client private key (optional) in pem format. Note: Client certificate and client private key need to be provided as a pair, or neither of them. Only providing one of them is invalid. Optionally, enter TLS server name Optionally, if authentication method is Token, enter the Vault enterprise namespace. Optionally, if authentication method is Kubernetes, enter Authentication path. To get more information about each of these fields, see Enabling encryption with the token authentication using HashiCorp Vault(manual part). For more information about TLS server name, Vault enterprise namespace, and Authentication path. See https://developer.hashicorp.com/vault/docs. Note: In case you need to enable key rotation for Vault KMS, run the following command in the OpenShift web console after the storage cluster is created: oc patch storagecluster ocs-storagecluster -n openshift-storage --type=json -p '[{"op": "add", "path":"/spec/encryption/keyRotation/enable", "value": true}]'
       Thales CipherTrust Manager	For Thales CipherTrust Manager, enter the following details: Enter the CA certificate generated in step 6 in Enabling encryption using Thales CipherTrust Manager (manual part). Enter the Client certificate and the private key generated in step 4 of Enabling encryption using Thales CipherTrust Manager (manual part). Optionally, enter TLS server name.

7. Click Configure.
   The Data Foundation page displays Usable capacity, Health, and Storage nodes. After the configuration is complete, the Health section displays the health of the Storage cluster and Data resiliency.

   Note: Note that setting up local storage may take around 45-50 minutes.
8. To validate the configuration, do the following steps:
   1. Log in to OpenShift Container Platform console.
   2. In the menu, go to Storage > StorageClasses.
   3. In the StorageClasses page, check whether you see the following storage classes:
      • ocs-storagecluster-cephfs for Fusion Data Foundation storage file system
      • ocs-storagecluster-ceph-rbd for Ceph's RADOS Block Devices (RBD) storage class. It is the default storage class.
      • openshift-storage.noobaa.io storage class is for object storage. You can use it for MCG so that it gets generated either for the installation of Fusion Data Foundation or for Global Data Platform with Fusion Data Foundation MCG only mode.