Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly MCC). This means everything you need is in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

Create Ceph Object Storage users¶

Warning

This procedure is valid for MOSK clusters that use the deprecated KaaSCephCluster custom resource (CR) instead of the MiraCeph CR that is available since MOSK 25.2 as a new Ceph configuration entrypoint. For the equivalent procedure with the MiraCeph CR, refer to the following section:

Create Ceph Object Storage users

Ceph Object Storage users can create Amazon S3 buckets and bucket policies that grant access to other users.

This section describes how to create two Ceph Object Storage users and configure their S3 credentials.

To create and configure Ceph Object Storage users:

Open the KaaSCephCluster CR:
```
kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> edit kaascephcluster
```
Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

In the cephClusterSpec section, add new Ceph Object Storage users.

Caution

For user name, apply the UUID format with no capital letters.

For example:

spec:
  cephClusterSpec:
    objectStorage:
      rgw:
        objectUsers:
        - name: user-b
          displayName: user-a
          capabilities:
            bucket: "*"
            user: read
        - name: user-t
          displayName: user-t
          capabilities:
            bucket: "*"
            user: read

Verify that rgwUserSecrets are created for both users:

kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml

Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

Example of a positive system response:

status:
  miraCephSecretsInfo:
    secretInfo:
      rgwUserSecrets:
      - name: user-a
        secretName: <user-aCredSecretName>
        secretNamespace: <user-aCredSecretNamespace>
      - name: user-t
        secretName: <user-tCredSecretName>
        secretNamespace: <user-tCredSecretNamespace>

Obtain S3 user credentials from the cluster secrets. Specify an access key and a secret key for both users:

kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
kubectl --kubeconfig <managedKubeconfig> -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
kubectl --kubeconfig <managedKubeconfig> -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d

Substitute <managementKubeconfig> with a management cluster kubeconfig and specify the corresponding secretNamespace and secretName for both users.

Obtain Ceph Object Storage public endpoint from the KaaSCephCluster status:
```
kubectl --kubeconfig <managementKubeconfig> -n <managedClusterProject> get kaascephcluster -o yaml | grep PublicEndpoint
```
Substitute <managementKubeconfig> with a management cluster kubeconfig file and <managedClusterProject> with a managed cluster project name.

Example of a positive system response:
```
objectStorePublicEndpoint: https://object-storage.mirantis.example.com
```

Obtain the CA certificate to use an HTTPS endpoint:

kubectl --kubeconfig <managedKubeconfig> -n rook-ceph get secret $(kubectl -n rook-ceph get ingress -o jsonpath='{.items[0].spec.tls[0].secretName}{"\n"}') -o jsonpath='{.data.ca\.crt}' | base64 -d; echo

Save the output to ca.crt.