Original source: https://input.scs.community/how-to-s3#; written by Friedrich Zahn.
Swift+S3 on Rook¶
The official "guide" contains various inaccuracies and there are various caveats when deploying this setup on Yaook.
The Ceph Operator will not always immediately propagate config changes. Make sure to delete the rgw ReplicaSet often!
Preparations¶
Keystone user credentials¶
Copy the keystone-admin Secret from the yaook namespace to the rook-ceph namespace.
You MUST add OS_IDENTITY_API_VERSION: Mw== (decoded value: 3), otherwise the rgw will fall back to Keystone API v2.0, which is deprecated since ca. forever.
Alternatively, you can create a KeystoneUser, but that is discouraged by the docs.
CA bundle¶
Get the keystone-ca-certificates-... ConfigMap. Extract the value (loooong cert chain) for ca-bundle.crt
Create (not apply! Annotation may exceed 256 kiB) a Secret keystone-ca-certificates in the rook-ceph namespace with that chain (base64 encoded!) under the key cabundle
TLS Certificates for endpoints¶
We need a ClusterIssuer and Certificate:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ca-issuer
spec:
ca:
secretName: root-ca
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ceph-rgw-objectstorage
namespace: rook-ceph
spec:
commonName: ceph-rgw-objectstorage
dnsNames:
- rook-ceph-rgw-objectstorage.rook-ceph.svc
duration: 720h
issuerRef:
name: ca-issuer
kind: ClusterIssuer
renewBefore: 168h
revisionHistoryLimit: 3
secretName: ceph-rgw-objectstorage-certificate
subject:
organizations:
- yaook
This certificate is not recognized by the yaookctl openstack shell, thus all interaction with the endpoint has to be via http or with TLS verification disabled.
Roll-out¶
apiVersion: ceph.rook.io/v1
kind: CephObjectStore
metadata:
name: objectstorage
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 1
dataPool:
failureDomain: host
replicated:
size: 1
auth:
keystone:
acceptedRoles:
- admin
- member
- service
implicitTenants: "true"
revocationInterval: 1200
serviceUserSecretName: keystone-admin
tokenCacheSize: 1000
url: https://keystone.yaook.svc:5000
protocols:
swift:
accountInUrl: true
urlPrefix: swift
s3:
authUseKeystone: true
# note that s3 is enabled by default if protocols.s3.enabled is not explicitly set to false
preservePoolsOnDelete: true
gateway:
caBundleRef: keystone-ca-certificates
sslCertificateRef: ceph-rgw-objectstorage-certificate
port: 80
securePort: 443
instances: 1
OpenStack integration¶
::: warn openstackclient caches the catalog. Do not use interactive mode to check it.
:::
Using openstackclient to add the service and endpoints (guide has wrong URLs):
openstack service create --name swift object-store
openstack endpoint create swift internal "https://rook-ceph-rgw-objectstorage.rook-ceph.svc/swift/v1/AUTH_%(tenant_id)s" --region YaookRegion
openstack endpoint create swift admin "https://rook-ceph-rgw-objectstorage.rook-ceph.svc/swift/v1/AUTH_%(tenant_id)s" --region YaookRegion
Alternatively you can create a KeystoneEndpoint, although that is discouraged by the docs:
apiVersion: yaook.cloud/v1
kind: KeystoneEndpoint
metadata:
name: ceph-rgw-objectstorage-endpoint
namespace: yaook
spec:
description: OpenStack Object Storage
endpoints:
admin: https://rook-ceph-rgw-objectstorage.rook-ceph.svc/swift/v1/AUTH_%(tenant_id)s
internal: https://rook-ceph-rgw-objectstorage.rook-ceph.svc/swift/v1/AUTH_%(tenant_id)s
public: https://rook-ceph-rgw-objectstorage.rook-ceph.svc/swift/v1/AUTH_%(tenant_id)s
keystoneRef:
kind: KeystoneDeployment
name: keystone
region:
name: YaookRegion
servicename: swift
servicetype: object-store
Testing¶
E.g. on a yaookctl openstack shell :
openstack ec2 credentials create
pip install boto3
python
import boto3
s3 = boto3.client('s3', aws_access_key_id="<access>", aws_secret_access_key="<secret>", endpoint_url="https://rook-ceph-rgw-objectstorage.rook-ceph.svc", verify=False)
s3.create_bucket(Bucket="trollololol")
s3.list_buckets()
Findings¶
- the Rook/Ceph guide on swift emulation does not work as-is, there are wrong URLs, missing components, too little explanation
- it is way too easy to mess this up, and debugging is super painful due to the many layers of services and logs that are very verbose, but often contain very little actual information
- scs-check in the end still fails due to self-signed certificates