Configure external-snapshot-metadata sidecar container for RBD deployment - Developer Preview OpenShift Data Foundation 4.20

Important: A developer preview feature is subject to Developer preview support limitations. Developer preview features are not intended to be run in production environments. Clusters deployed with developer preview features are considered development clusters and are not supported through the Red Hat Customer Portal case management system. Developer preview features are meant for customers who are willing to evaluate new products or releases of products at an early stage of product development. If you need assistance with developer preview features, reach out to the ocs-devpreview@redhat.com mailing list and a member of the Red Hat Development Team will assist you as quickly as possible based on availability and work schedules. To know more about the support scope, refer to the KCS article on developer preview support.

A new CSI API in OpenShift Container Platform identifies the blocks that changed between two snapshots of a CSI volume. Backup applications use this API for efficient incremental backups, because they retrieve only the data that changed since the previous snapshot instead of reading the whole volume. For more information, see How to use Changed Block Tracking in OpenShift 4.20.

To support this feature, Ceph-CSI must run an external-snapshot-metadata sidecar in the RBD controller plugin. The sidecar exposes the snapshot metadata service as a gRPC endpoint over TLS, which is why the procedure below provisions a server certificate, a CA bundle, and an audience for client tokens in addition to the sidecar itself.

This document outlines how the Ceph-CSI Operator manages the deployment of the RBD controller plugin with the external-snapshot-metadata sidecar.

Note: Only the RBD driver supports the SnapshotMetadata capability.

Deploying RBD controller plugin with the external-snapshot-metadata sidecar

  1. Enable the ExternalSnapshotMetadata feature gate to install the SnapshotMetadataService CRD.

    ```
    $ oc edit featuregates.config.openshift.io cluster
    ```

    ```
    spec:
      featureSet: CustomNoUpgrade
      customNoUpgrade:
        enabled:
        - ExternalSnapshotMetadata
    ```

    Note: Setting featureSet to CustomNoUpgrade cannot be undone and prevents cluster updates, which is consistent with the developer preview status of this feature; do not enable it on a cluster you intend to upgrade.

    a. Verify that the CRD is installed in the cluster.

    ```
    $ oc get crd | grep -i snapshotmetadataservice
    snapshotmetadataservices.cbt.storage.k8s.io                       2025-09-02T08:51:40Z
    ```
  2. Create a service for the Ceph-CSI RBD controller plugin pod. The service exposes port 6443 and forwards it to port 50051, the port the sidecar listens on inside the pod.

    ```
    $ cat <<EOF | oc create -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: rbd-csi-ceph-com-metadata
      namespace: openshift-storage
    spec:
      ports:
      - name: snapshot-metadata-port
        port: 6443
        protocol: TCP
        targetPort: 50051   # port the external-snapshot-metadata sidecar listens on
      selector:
        app: openshift-storage.rbd.csi.ceph.com-ctrlplugin  # RBD controller plugin pod label
      type: ClusterIP
    EOF
    ```
  3. Provision certificates and secrets.

    The sidecar serves gRPC over TLS, so it needs a server certificate and key, and clients need the CA certificate that issued them.

    • Generate TLS certificates using your preferred method (for example, cert-manager). The certificate must be valid for the service created in the previous step, rbd-csi-ceph-com-metadata.openshift-storage: the host part of the address you later put in the SnapshotMetadataService CR must appear as a DNS Subject Alternative Name of the certificate, otherwise clients fail TLS verification.

    • Create a TLS secret with the generated certificates:

      ```
      $ oc create secret tls snapshot-metadata-tls \
        --namespace=openshift-storage \
        --cert=server-cert.pem \
        --key=server-key.pem
      ```

    Or, optionally, use OpenShift Container Platform service serving certificates. For more information, see Add a service certificate in the OpenShift documentation. Annotate the service so that the service CA issues a certificate and key into the snapshot-metadata-tls secret:

    ```
    $ oc -n openshift-storage annotate service rbd-csi-ceph-com-metadata service.beta.openshift.io/serving-cert-secret-name=snapshot-metadata-tls
    ```

    For the CA bundle, create a ca-bundle ConfigMap and annotate it with service.beta.openshift.io/inject-cabundle=true so that the service CA certificate is injected into it:

    ```
    $ cat <<EOF | oc create -f -
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: ca-bundle
      namespace: openshift-storage
    data:
    EOF
    configmap/ca-bundle created

    $ oc -n openshift-storage annotate cm ca-bundle service.beta.openshift.io/inject-cabundle=true
    configmap/ca-bundle annotated

    $ oc -n openshift-storage get cm ca-bundle -oyaml
    apiVersion: v1
    data:
      service-ca.crt: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    kind: ConfigMap
    ...
    ```

    Get the base64 encoding of the CA bundle for the caCert field of the SnapshotMetadataService CR. Use base64 -w0 so that the value is a single line; by default GNU base64 wraps its output at 76 columns, and the wrapped form does not paste cleanly into the manifest:

    ```
    $ oc get cm -n openshift-storage ca-bundle -ojsonpath="{.data.service-ca\.crt}" | base64 -w0
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVVENDQWptZ0F3SUJBZ0lJRGp....
    ```
  4. Create a SnapshotMetadataService CR for the RBD driver.

    Ensure that the name of this CR matches the RBD driver CR name (the CSI driver name). The CR is cluster-scoped, so it has no namespace.
    • address: The service created in step 2, in the form <service-name>.<namespace>:<port>; replace the service name, namespace, and port with the values you used. The host part must be a DNS Subject Alternative Name of the server certificate. If you used service serving certificates, the certificate is issued for the internal service DNS name <service-name>.<namespace>.svc, so check the certificate's SANs before choosing the address.
    • audience: Recommended to use the CSI driver name for consistency. The sidecar validates client tokens against this audience, so backup clients must request tokens for the same value.
    • caCert: Base64-encoded CA certificate bundle (if you used OpenShift service serving certificates, the CA bundle is available in the ca-bundle ConfigMap created in the previous step).

    ```
    $ cat <<EOF | oc create -f -
    apiVersion: cbt.storage.k8s.io/v1alpha1
    kind: SnapshotMetadataService
    metadata:
      name: openshift-storage.rbd.csi.ceph.com
    spec:
      address: rbd-csi-ceph-com-metadata.openshift-storage:6443
      audience: openshift-storage.rbd.csi.ceph.com
      caCert: <ca-bundle>
    EOF
    ```
  5. Provide the TLS secret required for the external-snapshot-metadata sidecar as a volume mount in the RBD driver CR. The secret is of type kubernetes.io/tls, so its tls.crt and tls.key keys appear as files under the mount path.

    ```
    $ oc -n openshift-storage edit driver openshift-storage.rbd.csi.ceph.com
    apiVersion: csi.ceph.io/v1
    kind: Driver
    metadata:
      name: openshift-storage.rbd.csi.ceph.com
      namespace: openshift-storage
    spec:
      controllerPlugin:
        volumes:
        - mount:
            mountPath: /tmp/certificates  # Must be /tmp/certificates - required by the sidecar
            name: tls-key
          volume:
            name: tls-key  # Must be "tls-key"
            secret:
              secretName: snapshot-metadata-tls  # The TLS secret name created in step 3
    ```
  6. Verify that the csi-snapshot-metadata container has started in the RBD controller plugin pod. A healthy sidecar connects to the driver socket, reports the driver name, starts its gRPC server on port 50051, sees SNAPSHOT_METADATA_SERVICE among the plugin capabilities, and sets its health status to SERVING:

    ```
    $ oc logs openshift-storage.rbd.csi.ceph.com-ctrlplugin-846cdbd94d-ss5pk csi-snapshot-metadata
    I1028 07:47:01.360523       1 sidecar.go:80] Version: v0.1.0
    I1028 07:47:01.361215       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
    I1028 07:47:01.361235       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
    I1028 07:47:01.361241       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
    I1028 07:47:01.361247       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
    I1028 07:47:01.362563       1 connection.go:234] "Connecting" address="unix:///csi/csi.sock"
    I1028 07:47:01.364699       1 connection.go:264] "GRPC call" method="/csi.v1.Identity/GetPluginInfo" request="{}"
    I1028 07:47:01.366762       1 connection.go:270] "GRPC response" response="{\"name\":\"openshift-storage.rbd.csi.ceph.com\",\"vendor_version\":\"release-4.20\"}" err=null
    I1028 07:47:01.366813       1 sidecar.go:88] CSI driver name: "openshift-storage.rbd.csi.ceph.com"
    I1028 07:47:01.367767       1 sidecar.go:273] GRPC server started listening on port 50051
    I1028 07:47:01.367828       1 common.go:143] "Probing CSI driver for readiness"
    I1028 07:47:01.367931       1 connection.go:264] "GRPC call" method="/csi.v1.Identity/Probe" request="{}"
    I1028 07:47:01.368694       1 connection.go:270] "GRPC response" response="{}" err=null
    I1028 07:47:01.368752       1 connection.go:264] "GRPC call" method="/csi.v1.Identity/GetPluginCapabilities" request="{}"
    I1028 07:47:01.369611       1 connection.go:270] "GRPC response" response="{\"capabilities\":[{\"service\":{\"type\":\"CONTROLLER_SERVICE\"}},{\"volume_expansion\":{\"type\":\"ONLINE\"}},{\"service\":{\"type\":\"VOLUME_ACCESSIBILITY_CONSTRAINTS\"}},{\"service\":{\"type\":\"GROUP_CONTROLLER_SERVICE\"}},{\"service\":{\"type\":\"SNAPSHOT_METADATA_SERVICE\"}}]}" err=null
    I1028 07:47:01.369672       1 health.go:48] Setting status to SERVING
    ```
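The following script is an added example, not part of this document, of Ceph-CSI, or of the external-snapshot-metadata project. It ties steps 3 and 4 together for the self-managed certificate path: it generates a lab CA and a server certificate whose DNS Subject Alternative Names cover the metadata service name, checks that the host part of the SnapshotMetadataService address is actually one of those SANs and that the certificate chains to the CA, and only then renders the CR with a single-line base64 caCert. The service, namespace, driver name, and address are the ones used in the procedure; the CA subject, the file names, and the output directory are assumptions of the example. It needs openssl and base64 on the workstation.

```shell
#!/bin/sh
# Added example (not from the ODF documentation or the Ceph-CSI project).
# Generates lab TLS material for the external-snapshot-metadata sidecar,
# validates it against the address the SnapshotMetadataService CR will use,
# and renders that CR. Hypothetical CA subject and file layout.

SVC=rbd-csi-ceph-com-metadata
NS=openshift-storage
DRIVER=openshift-storage.rbd.csi.ceph.com
ADDRESS="$SVC.$NS:6443"

# gen_certs DIR: self-signed CA plus a server cert signed by it.
# SANs: <svc>.<ns>, <svc>.<ns>.svc, <svc>.<ns>.svc.cluster.local
gen_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=snapshot-metadata-lab-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$SVC.$NS.svc" \
    -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s.%s,DNS:%s.%s.svc,DNS:%s.%s.svc.cluster.local\n' \
    "$SVC" "$NS" "$SVC" "$NS" "$SVC" "$NS" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 365 -extfile "$dir/san.cnf" \
    -out "$dir/server-cert.pem" 2>/dev/null
}

# cert_has_san CERT NAME: 0 if NAME is a DNS SAN of CERT (exact match).
cert_has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | grep -qxF "$2"
}

# chain_ok CA CERT: 0 if CERT verifies against CA, i.e. what a client holding
# caCert from the CR will be able to check when it connects to the sidecar.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# address_host ADDR: the host part of host:port.
address_host() { printf '%s\n' "${1%%:*}"; }

# b64_oneline FILE: base64 without line wrapping (GNU -w0, fallback for BSD).
b64_oneline() {
  base64 -w0 < "$1" 2>/dev/null || base64 < "$1" | tr -d '\n'
}

# render_sms CA_PEM SERVER_CERT: print the SnapshotMetadataService manifest,
# refusing to render if the address host is not a SAN of the server cert or
# the cert does not chain to the CA that will be published in caCert.
render_sms() {
  ca=$1
  cert=$2
  host=$(address_host "$ADDRESS")
  cert_has_san "$cert" "$host" || { echo "cert lacks SAN $host" >&2; return 1; }
  chain_ok "$ca" "$cert" || { echo "cert does not chain to CA" >&2; return 1; }
  cat <<EOF
apiVersion: cbt.storage.k8s.io/v1alpha1
kind: SnapshotMetadataService
metadata:
  name: $DRIVER
spec:
  address: $ADDRESS
  audience: $DRIVER
  caCert: $(b64_oneline "$ca")
EOF
}

# Usage (hypothetical workstation session):
#   mkdir certs && gen_certs certs
#   oc create secret tls snapshot-metadata-tls -n openshift-storage \
#     --cert=certs/server-cert.pem --key=certs/server-key.pem
#   render_sms certs/ca.pem certs/server-cert.pem | oc create -f -
```

The SAN check is the part worth keeping even if you issue certificates some other way: a certificate that is valid for rbd-csi-ceph-com-metadata.openshift-storage.svc but not for the bare rbd-csi-ceph-com-metadata.openshift-storage name will pass `openssl verify` and still be rejected by clients that dial the address from the CR, so the check is made against the address host rather than against a fixed name.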