131 lines
4.2 KiB
YAML
131 lines
4.2 KiB
YAML
|
apiVersion: apps/v1
|
||
|
|
kind: Deployment
|
||
|
|
metadata:
|
||
|
|
name: rook-ceph-tools
|
||
|
|
namespace: rook-ceph # namespace:cluster
|
||
|
|
labels:
|
||
|
|
app: rook-ceph-tools
|
||
|
|
spec:
|
||
|
|
replicas: 1
|
||
|
|
selector:
|
||
|
|
matchLabels:
|
||
|
|
app: rook-ceph-tools
|
||
|
|
template:
|
||
|
|
metadata:
|
||
|
|
labels:
|
||
|
|
app: rook-ceph-tools
|
||
|
|
spec:
|
||
|
|
dnsPolicy: ClusterFirstWithHostNet
|
||
|
|
containers:
|
||
|
|
- name: rook-ceph-tools
|
||
|
|
image: quay.io/ceph/ceph:v17.2.6
|
||
|
|
command:
|
||
|
|
- /bin/bash
|
||
|
|
- -c
|
||
|
|
- |
|
||
|
|
# Replicate the script from toolbox.sh inline so the ceph image
|
||
|
|
# can be run directly, instead of requiring the rook toolbox
|
||
|
|
CEPH_CONFIG="/etc/ceph/ceph.conf"
|
||
|
|
MON_CONFIG="/etc/rook/mon-endpoints"
|
||
|
|
KEYRING_FILE="/etc/ceph/keyring"
|
||
|
|
|
||
|
|
# create a ceph config file in its default location so ceph/rados tools can be used
|
||
|
|
# without specifying any arguments
|
||
|
|
write_endpoints() {
|
||
|
|
endpoints=$(cat ${MON_CONFIG})
|
||
|
|
|
||
|
|
# filter out the mon names
|
||
|
|
# external cluster can have numbers or hyphens in mon names, handling them in regex
|
||
|
|
# shellcheck disable=SC2001
|
||
|
|
mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g')
|
||
|
|
|
||
|
|
DATE=$(date)
|
||
|
|
echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: ${endpoints}"
|
||
|
|
cat <<EOF > ${CEPH_CONFIG}
|
||
|
|
[global]
|
||
|
|
mon_host = ${mon_endpoints}
|
||
|
|
|
||
|
|
[client.admin]
|
||
|
|
keyring = ${KEYRING_FILE}
|
||
|
|
EOF
|
||
|
|
}
|
||
|
|
|
||
|
|
# watch the endpoints config file and update if the mon endpoints ever change
|
||
|
|
watch_endpoints() {
|
||
|
|
# get the timestamp for the target of the soft link
|
||
|
|
real_path=$(realpath ${MON_CONFIG})
|
||
|
|
initial_time=$(stat -c %Z "${real_path}")
|
||
|
|
while true; do
|
||
|
|
real_path=$(realpath ${MON_CONFIG})
|
||
|
|
latest_time=$(stat -c %Z "${real_path}")
|
||
|
|
|
||
|
|
if [[ "${latest_time}" != "${initial_time}" ]]; then
|
||
|
|
write_endpoints
|
||
|
|
initial_time=${latest_time}
|
||
|
|
fi
|
||
|
|
|
||
|
|
sleep 10
|
||
|
|
done
|
||
|
|
}
|
||
|
|
|
||
|
|
# read the secret from an env var (for backward compatibility), or from the secret file
|
||
|
|
ceph_secret=${ROOK_CEPH_SECRET}
|
||
|
|
if [[ "$ceph_secret" == "" ]]; then
|
||
|
|
ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring)
|
||
|
|
fi
|
||
|
|
|
||
|
|
# create the keyring file
|
||
|
|
cat <<EOF > ${KEYRING_FILE}
|
||
|
|
[${ROOK_CEPH_USERNAME}]
|
||
|
|
key = ${ceph_secret}
|
||
|
|
EOF
|
||
|
|
|
||
|
|
# write the initial config file
|
||
|
|
write_endpoints
|
||
|
|
|
||
|
|
# continuously update the mon endpoints if they fail over
|
||
|
|
watch_endpoints
|
||
|
|
imagePullPolicy: IfNotPresent
|
||
|
|
tty: true
|
||
|
|
securityContext:
|
||
|
|
runAsNonRoot: true
|
||
|
|
runAsUser: 2016
|
||
|
|
runAsGroup: 2016
|
||
|
|
capabilities:
|
||
|
|
drop: ["ALL"]
|
||
|
|
env:
|
||
|
|
- name: ROOK_CEPH_USERNAME
|
||
|
|
valueFrom:
|
||
|
|
secretKeyRef:
|
||
|
|
name: rook-ceph-mon
|
||
|
|
key: ceph-username
|
||
|
|
volumeMounts:
|
||
|
|
- mountPath: /etc/ceph
|
||
|
|
name: ceph-config
|
||
|
|
- name: mon-endpoint-volume
|
||
|
|
mountPath: /etc/rook
|
||
|
|
- name: ceph-admin-secret
|
||
|
|
mountPath: /var/lib/rook-ceph-mon
|
||
|
|
readOnly: true
|
||
|
|
volumes:
|
||
|
|
- name: ceph-admin-secret
|
||
|
|
secret:
|
||
|
|
secretName: rook-ceph-mon
|
||
|
|
optional: false
|
||
|
|
items:
|
||
|
|
- key: ceph-secret
|
||
|
|
path: secret.keyring
|
||
|
|
- name: mon-endpoint-volume
|
||
|
|
configMap:
|
||
|
|
name: rook-ceph-mon-endpoints
|
||
|
|
items:
|
||
|
|
- key: data
|
||
|
|
path: mon-endpoints
|
||
|
|
- name: ceph-config
|
||
|
|
emptyDir: {}
|
||
|
|
tolerations:
|
||
|
|
- key: "node.kubernetes.io/unreachable"
|
||
|
|
operator: "Exists"
|
||
|
|
effect: "NoExecute"
|
||
|
|
tolerationSeconds: 5
|