Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly MCC). This means everything you need is in one place. The separate MCC documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

Create Ceph Object Storage users

Warning

This procedure is valid for MOSK clusters that use the MiraCeph custom resource (CR), which is available since MOSK 25.2 to replace the deprecated KaaSCephCluster. For the equivalent procedure with the KaaSCephCluster CR, refer to the following section:

Create Ceph Object Storage users

Ceph Object Storage users can create Amazon S3 buckets and bucket policies that grant access to other users.

This section describes how to create two Ceph Object Storage users and configure their S3 credentials.

To create and configure Ceph Object Storage users:

  1. Open the MiraCeph CR:

    kubectl -n ceph-lcm-mirantis edit miraceph

  2. In the objectStorage.rgw section, add new Ceph Object Storage users.

    Caution

    For user name, apply the UUID format with no capital letters.

    For example:

    spec:
  objectStorage:
    rgw:
      objectUsers:
      - name: user-b
        displayName: user-a
        capabilities:
          bucket: "*"
          user: read
      - name: user-t
        displayName: user-t
        capabilities:
          bucket: "*"
          user: read

  3. Verify that rgwUserSecrets are created for both users:

    kubectl -n ceph-lcm-mirantis get mcsecret -o yaml

    Example of a positive system response:

    status:
  secretInfo:
    rgwUserSecrets:
    - name: user-a
      secretName: <user-aCredSecretName>
      secretNamespace: <user-aCredSecretNamespace>
    - name: user-t
      secretName: <user-tCredSecretName>
      secretNamespace: <user-tCredSecretNamespace>

  4. Obtain S3 user credentials from the cluster secrets. Specify an access key and a secret key for both users:

    kubectl -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
kubectl -n <user-aCredSecretNamespace> get secret <user-aCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d
kubectl -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.AccessKey}' | base64 -d
kubectl -n <user-tCredSecretNamespace> get secret <user-tCredSecretName> -o jsonpath='{.data.SecretKey}' | base64 -d

    Substitute the corresponding secretNamespace and secretName for both users.

  5. Obtain Ceph Object Storage public endpoint from the MiraCephHealth status:

    kubectl -n ceph-lcm-mirantis get mchealth -o yaml | grep PublicEndpoint

    Example of a positive system response:

    objectStorePublicEndpoint: https://object-storage.mirantis.example.com

  6. Obtain the CA certificate to use an HTTPS endpoint:

    kubectl -n rook-ceph get secret $(kubectl -n rook-ceph get ingress -o jsonpath='{.items[0].spec.tls[0].secretName}{"\n"}') -o jsonpath='{.data.ca\.crt}' | base64 -d; echo

    Save the output to ca.crt.