apiVersion: apps/v1 kind: Deployment metadata: name: rook-ceph-tools namespace: rook-ceph # namespace:cluster labels: app: rook-ceph-tools spec: replicas: 1 selector: matchLabels: app: rook-ceph-tools template: metadata: labels: app: rook-ceph-tools spec: dnsPolicy: ClusterFirstWithHostNet containers: - name: rook-ceph-tools image: quay.io/ceph/ceph:v17.2.6 command: - /bin/bash - -c - | # Replicate the script from toolbox.sh inline so the ceph image # can be run directly, instead of requiring the rook toolbox CEPH_CONFIG="/etc/ceph/ceph.conf" MON_CONFIG="/etc/rook/mon-endpoints" KEYRING_FILE="/etc/ceph/keyring" # create a ceph config file in its default location so ceph/rados tools can be used # without specifying any arguments write_endpoints() { endpoints=$(cat ${MON_CONFIG}) # filter out the mon names # external cluster can have numbers or hyphens in mon names, handling them in regex # shellcheck disable=SC2001 mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g') DATE=$(date) echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: ${endpoints}" cat < ${CEPH_CONFIG} [global] mon_host = ${mon_endpoints} [client.admin] keyring = ${KEYRING_FILE} EOF } # watch the endpoints config file and update if the mon endpoints ever change watch_endpoints() { # get the timestamp for the target of the soft link real_path=$(realpath ${MON_CONFIG}) initial_time=$(stat -c %Z "${real_path}") while true; do real_path=$(realpath ${MON_CONFIG}) latest_time=$(stat -c %Z "${real_path}") if [[ "${latest_time}" != "${initial_time}" ]]; then write_endpoints initial_time=${latest_time} fi sleep 10 done } # read the secret from an env var (for backward compatibility), or from the secret file ceph_secret=${ROOK_CEPH_SECRET} if [[ "$ceph_secret" == "" ]]; then ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring) fi # create the keyring file cat < ${KEYRING_FILE} [${ROOK_CEPH_USERNAME}] key = ${ceph_secret} EOF # write the initial config file write_endpoints # continuously update the mon endpoints if they fail over watch_endpoints imagePullPolicy: IfNotPresent tty: true securityContext: runAsNonRoot: true runAsUser: 2016 runAsGroup: 2016 capabilities: drop: ["ALL"] env: - name: ROOK_CEPH_USERNAME valueFrom: secretKeyRef: name: rook-ceph-mon key: ceph-username volumeMounts: - mountPath: /etc/ceph name: ceph-config - name: mon-endpoint-volume mountPath: /etc/rook - name: ceph-admin-secret mountPath: /var/lib/rook-ceph-mon readOnly: true volumes: - name: ceph-admin-secret secret: secretName: rook-ceph-mon optional: false items: - key: ceph-secret path: secret.keyring - name: mon-endpoint-volume configMap: name: rook-ceph-mon-endpoints items: - key: data path: mon-endpoints - name: ceph-config emptyDir: {} tolerations: - key: "node.kubernetes.io/unreachable" operator: "Exists" effect: "NoExecute" tolerationSeconds: 5