
Commit d789137

authored
feat(ceph): Export credentials into a secret (#250)
1 parent 35a6f6b commit d789137


4 files changed

+122
-44
lines changed


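--- a/ceph/README.md
+++ b/ceph/README.md
@@ -31,19 +31,19 @@ To install Ceph Object Storage add the following to the `kfctl` yaml file.
 
 * Deployment of `ceph-nano` will create a route to a `ceph-nano-dashboard` that provides a S3 web portal for the in pod object storage.
 
-* The ACCESS_KEY and SECRET_KEY created for this deployment can be retrieved from the `ceph-nano-0` pod under `/nano_user_details`
+* The ACCESS_KEY and SECRET_KEY created for this deployment can be found in `ceph-nano-credentials` secret.
 ```
-# While logged in to the cluster and in the Open Data Hub namespace
-# Output the ceph-nano radosgw settings
-$ oc exec ceph-nano-0 -- cat /nano_user_details | jq '.keys'
-...
-"keys": [
-{
-"user": "cn",
-"access_key": "ABCDEFGHIJKL01234567",
-"secret_key": "mnOPQRSTUVWXYZV6oSrx2MDtfEUK8R0ETagp5A9X"
-}
-],
-... ],
+oc describe secrets/ceph-nano-credentials
+
+Name: ceph-nano-credentials
+Namespace: odh-ceph
+Labels: <none>
+Annotations:
+Type: Opaque
+
+Data
+====
+AWS_ACCESS_KEY_ID: 20 bytes
+AWS_SECRET_ACCESS_KEY: 40 bytes
 ```
 ***NOTE***: The ACCESS_KEY and SECRET_KEY will change EVERY time the pod starts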

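--- a/ceph/object-storage/nano/base/kustomization.yaml
+++ b/ceph/object-storage/nano/base/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - service-account.yaml
 - service.yaml
 - statefulset.yaml
+- secret-rbac.yaml
 
 commonLabels:
 opendatahub.io/component: "true"
@@ -14,3 +15,5 @@ images:
 - name: ceph/daemon
 newTag: v0.7
 newName: quay.io/ceph/cn-core
+- name: oc
+newName: quay.io/openshift/origin-cli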
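Review bot: The new `oc` image entry on lines 18-19 sets only `newName`, so the exporter sidecar pulls `quay.io/openshift/origin-cli` with no tag, i.e. a floating `latest`, unlike the `ceph/daemon` entry just above it that pins `newTag: v0.7`. That container runs with the mounted service-account token and writes the credentials secret, so an unpinned image is a supply-chain exposure as well as a reproducibility problem. Pin it with `newTag: <version-placeholder>` or, better, `digest: sha256:<digest-placeholder>` under the entry, and treat every future bump as a reviewed change.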
@@ -0,0 +1,28 @@
1+
---
2+
apiVersion: rbac.authorization.k8s.io/v1
3+
kind: Role
4+
metadata:
5+
name: ceph-nano-secrets
6+
rules:
7+
- apiGroups:
8+
- ""
9+
resources:
10+
- secrets
11+
verbs:
12+
- create
13+
- get
14+
- list
15+
- patch
16+
- update
17+
---
18+
apiVersion: rbac.authorization.k8s.io/v1
19+
kind: RoleBinding
20+
metadata:
21+
name: ceph-nano-secrets
22+
roleRef:
23+
apiGroup: rbac.authorization.k8s.io
24+
kind: Role
25+
name: ceph-nano-secrets
26+
subjects:
27+
- kind: ServiceAccount
28+
name: ceph-nano
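Review bot: The Role on lines 6-16 grants `create`, `get`, `list`, `patch` and `update` on every Secret in the namespace to the `ceph-nano` ServiceAccount, which is also the pod identity of the Ceph daemon container that exposes the S3 port (the StatefulSet in this commit sets `serviceAccountName: ceph-nano` for the whole pod), so that container's mounted token can read and rewrite all secrets in the namespace, not just its own. The exporter only needs to create its own object and then get/patch it, so split the rule: keep `create` unrestricted (it cannot be scoped by name) and put `resourceNames` on `get`/`patch`/`update`; `list` does not look necessary for `oc apply`, but verify against the CLI version in use before dropping it. The file this hunk belongs to is not named on the page; it is presumably the `secret-rbac.yaml` added to kustomization.yaml in this commit.
```yaml
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - ceph-nano-credentials
  verbs:
  - get
  - patch
  - update
# … unchanged: RoleBinding document …
```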

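--- a/ceph/object-storage/nano/base/statefulset.yaml
+++ b/ceph/object-storage/nano/base/statefulset.yaml
@@ -20,35 +20,82 @@ spec:
 daemon: nano
 spec:
 serviceAccountName: ceph-nano
+initContainers:
+- name: ceph-nano-init
+image: ceph/daemon
+command: ["/bin/bash", "-c", "--"]
+args: ["cp /opt/ceph-container/tmp/* /mnt"]
+imagePullPolicy: Always
+volumeMounts:
+- mountPath: /mnt
+name: user-details
 containers:
-- image: ceph/daemon
-imagePullPolicy: Always
-name: ceph-nano
-ports:
-- containerPort: 8000
-name: cn-s3
-protocol: TCP
-resources:
-limits:
-cpu: "1"
-memory: 2G
-requests:
-cpu: "1"
-memory: 512M
-env:
-- name: NETWORK_AUTO_DETECT
-value: "4"
-- name: RGW_FRONTEND_PORT
-value: "8000"
-# Keep this for backward compatiblity, the option is gone since https://github.com/ceph/ceph-container/pull/1356
-- name: RGW_CIVETWEB_PORT
-value: "8000"
-- name: SREE_PORT
-value: "5001"
-- name: CEPH_DEMO_UID
-value: "nano"
-# Enable all of the ceph daemons to run
-- name: CEPH_DAEMON
-value: "demo"
-- name: DEBUG
-value: "verbose"
+- image: ceph/daemon
+imagePullPolicy: Always
+name: ceph-nano
+ports:
+- containerPort: 8000
+protocol: TCP
+resources:
+limits:
+cpu: "1"
+memory: 2G
+requests:
+cpu: "1"
+memory: 512M
+env:
+- name: NETWORK_AUTO_DETECT
+value: "4"
+- name: RGW_FRONTEND_PORT
+value: "8000"
+# Keep this for backward compatiblity, the option is gone since https://github.com/ceph/ceph-container/pull/1356
+- name: RGW_CIVETWEB_PORT
+value: "8000"
+- name: SREE_PORT
+value: "5001"
+- name: CEPH_DEMO_UID
+value: "nano"
+# Enable all of the ceph daemons to run
+- name: CEPH_DAEMON
+value: "demo"
+- name: DEBUG
+value: "verbose"
+volumeMounts:
+- mountPath: /opt/ceph-container/tmp
+name: user-details
+- image: oc
+name: credentials-exporter
+command: ["/bin/bash", "-c", "--"]
+args:
+- |
+until [ -f /mnt/cn_user_details ]; do echo "waiting for user details file..."; sleep 10; done
+
+oc login --token=TOKEN --server=https://openshift.default.svc.cluster.local --insecure-skip-tls-verify
+TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+ACCESS_KEY=$(cat /mnt/cn_user_details | python -c "import sys, json; print(json.load(sys.stdin)['keys'][0]['access_key'])")
+SECRET_KEY=$(cat /mnt/cn_user_details | python -c "import sys, json; print(json.load(sys.stdin)['keys'][0]['secret_key'])")
+
+if [ -z "$ACCESS_KEY" ] || [ -z "$SECRET_KEY" ]; then
+echo "Unable to parse credentials from user details!"
+exit 1
+fi
+
+cat <<EOF | oc apply -f -
+apiVersion: v1
+kind: Secret
+metadata:
+name: ceph-nano-credentials
+type: Opaque
+stringData:
+AWS_ACCESS_KEY_ID: $ACCESS_KEY
+AWS_SECRET_ACCESS_KEY: $SECRET_KEY
+EOF
+
+echo "waiting for ceph-nano to finish"
+while true; do sleep 10; done;
+volumeMounts:
+- mountPath: /mnt
+name: user-details
+volumes:
+- name: user-details
+emptyDir: {}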
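Review bot: `oc login --token=TOKEN ...` on new line 73 passes the literal string `TOKEN` and runs before `TOKEN="$(cat ...)"` is assigned on line 74, so the login never presents the service-account token; if the later `oc apply` works at all it is presumably because the CLI falls back to in-cluster configuration, and since the script has no `set -e`, a failed login or a failed apply is not fatal and the sidecar sits in the `while true` loop reporting healthy with no secret written. Assign first, expand the variable, and verify the API server with the mounted cluster CA instead of `--insecure-skip-tls-verify`: `set -euo pipefail`, then `TOKEN="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"`, then `oc login --token="$TOKEN" --server=https://openshift.default.svc.cluster.local --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`. The heredoc on lines 90-91 also interpolates `$ACCESS_KEY` and `$SECRET_KEY` unquoted into YAML, so a value containing a YAML-special character would break or retype the field; write them as `"$ACCESS_KEY"` and `"$SECRET_KEY"`. The StatefulSet `spec` that encloses this hunk begins above it.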
