Create Ceph Object Storage users

Ceph Object Storage users can create Amazon S3 buckets and bucket policies that grant access to other users.

This section describes how to create two Ceph Object Storage users and configure their S3 credentials.

To create and configure Ceph Object Storage users:

  1. Open the KaaSCephCluster CR:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> edit kaascephcluster
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

  2. In the cephClusterSpec section, add new Ceph Object Storage users.

    Caution

    For the user name, use the UUID format with no capital letters.

    For example:

    spec:
      cephClusterSpec:
        objectStorage:
          rgw:
            objectUsers:
            - name: user-a
              displayName: user-a
              capabilities:
                bucket: "*"
                user: read
            - name: user-t
              displayName: user-t
              capabilities:
                bucket: "*"
                user: read
    
  3. Verify that rgwUserSecrets are created for both users:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

    Example of a positive system response:

    status:
      miraCephSecretsInfo:
        secretInfo:
          rgwUserSecrets:
          - name: user-a
            secretName: <user-aCredSecretName>
            secretNamespace: <user-aCredSecretNamespace>
          - name: user-t
            secretName: <user-tCredSecretName>
            secretNamespace: <user-tCredSecretNamespace>
    
  4. Obtain S3 user credentials from the cluster secrets. Specify an access key and a secret key for both users:

    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
    kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
    

    Substitute <managedKubeconfig> with a managed cluster kubeconfig file and specify the corresponding secretNamespace and secretName for both users.

  5. Obtain the Ceph Object Storage public endpoint from the KaaSCephCluster status:

    kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml | grep PublicEndpoint
    

    Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

    Example of a positive system response:

    objectStorePublicEndpoint: https://object-storage.mirantis.example.com
    
  6. Obtain the CA certificate to use an HTTPS endpoint:

    kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get secret $(kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get ingress -o jsonpath='{.items[0].spec.tls[0].secretName}{"\n"}') -o jsonpath='{.data.ca\.crt}' | base64 -d; echo
    

    Save the output to ca.crt.
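
Steps 4 to 6 print the decoded keys to the terminal, where they remain in scrollback. As an added example (not part of the Mirantis documentation), the shell function below writes one user's credentials, the endpoint and the CA path to a mode-0600 env file instead. It assumes an S3 client that reads the AWS CLI/SDK environment variables; the function name `write_s3_env` and the output file name are hypothetical.

```shell
#!/bin/sh
# Added example, not Mirantis code. Stores one RGW user's S3 credentials in a
# mode-0600 env file so the decoded keys never appear on the terminal.
# Assumption: the S3 client honours the AWS CLI/SDK AWS_* variables.
#
# write_s3_env OUT_FILE ENDPOINT CA_FILE
#   stdin line 1: base64 AccessKey, line 2: base64 SecretKey, that is the
#   jsonpath output of step 4 *before* "base64 -d". For example:
#     { kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> \
#         get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}'; echo
#       kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> \
#         get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}'; echo
#     } | write_s3_env user-a.env <objectStorePublicEndpoint> ca.crt
write_s3_env() (
    out=$1 endpoint=$2 ca=$3
    IFS= read -r ak_b64 || :    # tolerate a missing final newline
    IFS= read -r sk_b64 || :
    ak=$(printf '%s' "$ak_b64" | base64 -d 2>/dev/null) || exit 1
    sk=$(printf '%s' "$sk_b64" | base64 -d 2>/dev/null) || exit 1
    # Refuse empty values and anything that would break the single quoting.
    for v in "$ak" "$sk" "$endpoint" "$ca"; do
        case $v in
            ''|*\'*) echo "invalid or empty value" >&2; exit 1 ;;
        esac
    done
    # Step 5 returns an HTTPS endpoint; never fall back to cleartext HTTP.
    case $endpoint in
        https://*) ;;
        *) echo "endpoint is not https" >&2; exit 1 ;;
    esac
    # Step 6 output must be a PEM certificate, not an empty or error file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null ||
        { echo "CA file is not PEM" >&2; exit 1; }
    umask 077                   # new file is created readable by owner only
    rm -f -- "$out"             # drop any older copy with looser permissions
    {
        printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ak"
        printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$sk"
        printf "export AWS_ENDPOINT_URL='%s'\n" "$endpoint"
        printf "export AWS_CA_BUNDLE='%s'\n" "$ca"
    } > "$out"
)
```

Source the resulting file in the shell that runs the S3 client, and create one file per user so that user-a and user-t credentials stay separate.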