Create Ceph Object Storage users
Ceph Object Storage users can create Amazon S3 buckets and bucket policies that grant access to other users.
This section describes how to create two Ceph Object Storage users and configure their S3 credentials.
To create and configure Ceph Object Storage users:
Open the KaaSCephCluster CR:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> edit kaascephcluster

Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

In the cephClusterSpec section, add new Ceph Object Storage users.

Caution: For user name, apply the UUID format with no capital letters.

For example:

    spec:
      cephClusterSpec:
        objectStorage:
          rgw:
            objectUsers:
            - name: user-a
              displayName: user-a
              capabilities:
                bucket: "*"
                user: read
            - name: user-t
              displayName: user-t
              capabilities:
                bucket: "*"
                user: read

Verify that rgwUserSecrets are created for both users:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml

Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

Example of a positive system response:

    status:
      miraCephSecretsInfo:
        secretInfo:
          rgwUserSecrets:
          - name: user-a
            secretName: <user-aCredSecretName>
            secretNamespace: <user-aCredSecretNamespace>
          - name: user-t
            secretName: <user-tCredSecretName>
            secretNamespace: <user-tCredSecretNamespace>

Obtain S3 user credentials from the cluster secrets. Specify an access key and a secret key for both users:

    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d

Substitute <managementKubeconfig> with a management cluster kubeconfig and specify the corresponding secretNamespace and secretName for both users.

Obtain Ceph Object Storage public endpoint from the KaaSCephCluster status:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml | grep PublicEndpoint

Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

Example of a positive system response:

    objectStorePublicEndpoint: https://object-storage.mirantis.example.com

Obtain the CA certificate to use an HTTPS endpoint:

    kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get secret $(kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get ingress -o jsonpath='{.items[0].spec.tls[0].secretName}{"\n"}') -o jsonpath='{.data.ca\.crt}' | base64 -d; echo

Save the output to ca.crt.
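
The credential steps above print each decoded key to the terminal. The following script is an added example, not part of the original procedure: it reads every entry of rgwUserSecrets and writes the keys to an owner-only file instead. The function names, the MGMT_KUBECONFIG, MANAGED_KUBECONFIG and PROJECT variables, and the AWS CLI style credentials layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Function names and the
# MGMT_KUBECONFIG / MANAGED_KUBECONFIG / PROJECT variables are hypothetical.

# Print "name secretNamespace secretName" for every entry in rgwUserSecrets.
# Assumes the status layout shown in the example response above.
list_rgw_secrets() {
  kubectl --kubeconfig "$MGMT_KUBECONFIG" -n "$PROJECT" get kaascephcluster \
    -o jsonpath='{range .items[*].status.miraCephSecretsInfo.secretInfo.rgwUserSecrets[*]}{.name}{" "}{.secretNamespace}{" "}{.secretName}{"\n"}{end}'
}

# get_key NAMESPACE SECRET KEY: print the still-encoded value of one data key.
get_key() {
  kubectl --kubeconfig "$MANAGED_KUBECONFIG" -n "$1" get secret "$2" \
    -o jsonpath="{.data.$3}" </dev/null
}

# write_profile FILE USER ACCESS_B64 SECRET_B64
# Decode both keys and append one profile to FILE, which ends up mode 0600.
write_profile() {
  local file=$1 user=$2 access secret
  access=$(printf '%s' "$3" | base64 -d) || return 1
  secret=$(printf '%s' "$4" | base64 -d) || return 1
  if [ -z "$access" ] || [ -z "$secret" ]; then
    echo "missing AccessKey or SecretKey for $user" >&2
    return 1
  fi
  ( umask 077   # a newly created file is never group- or world-readable
    printf '[%s]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
      "$user" "$access" "$secret" >>"$file" ) || return 1
  chmod 600 "$file"   # also tighten a file that already existed
}

# collect_all FILE: one profile per Ceph Object Storage user.
collect_all() {
  local out=$1 name ns secret
  list_rgw_secrets | while read -r name ns secret; do
    [ -n "$name" ] || continue
    write_profile "$out" "$name" \
      "$(get_key "$ns" "$secret" AccessKey)" \
      "$(get_key "$ns" "$secret" SecretKey)" || exit 1
  done
}

# Usage: ./collect-s3-creds.sh run ./s3-credentials
if [ "${1:-}" = "run" ]; then
  collect_all "${2:?output file required}"
fi
```

The decoded keys never appear on a command line or in terminal scrollback, and a user whose secret is empty or missing stops the run before anything is written for that user.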