In a similar way to the key that has been generated for the ceph-csi-rbd plugin, we will need one for the cephfs plugin.
Description
Details
| Status | Subtype | Assigned | Task |
|---|---|---|---|
| Resolved | | Gehel | T327267 Create a DSE Kubernetes cluster with support for persistent storage from Ceph |
| Resolved | | Gehel | T324660 Install Ceph Cluster for Data Platform Engineering |
| Resolved | | None | T376401 Enable the cephfs services on the DPE Ceph cluster |
| Resolved | | brouberol | T376407 Create cephx authentication keys for the ceph-csi-cephfs plugin |
Event Timeline
Writing a tip here for later.
Most instructions will state that we should run something like:
sudo ceph auth get-or-create $keyname
This will actually create the key and store it in the user database.
For our purposes, it actually makes more sense to generate a key first and not have it stored to the database. We want to add it to puppet first, then puppet creates the authentication record.
When we create a user we want to add the key to the private puppet repository. The dummy version is here: https://gerrit.wikimedia.org/r/plugins/gitiles/labs/private/+/refs/heads/master/hieradata/role/common/ceph/server.yaml#37
In order to generate a suitable key, we can just use the command:
ceph-authtool --gen-print-key
This only generates a key that we can subsequently add to puppet.
It doesn't need sudo as it doesn't interact with the Ceph cluster at all. It just generates random keys each time it is executed.
e.g.
```
btullis@cephosd1001:~$ ceph-authtool --gen-print-key
AQBw1P5m2qo7KBAAtWcppageOC0Xdf+yS0c4iQ==
btullis@cephosd1001:~$ ceph-authtool --gen-print-key
AQBy1P5mpcMNABAAXRAeNDy/EepIDO67WliEXw==
btullis@cephosd1001:~$ ceph-authtool --gen-print-key
AQBz1P5mVMPxBBAAWeqQ0bZ2K1K7+Em+vIO0Yw==
```
I'll try to find a place to document this on Wikitech, too.
Change #1078401 had a related patch set uploaded (by Brouberol; author: Brouberol):
[labs/private@master] Provision dummy secrets for ceph-csi users
Change #1078402 had a related patch set uploaded (by Brouberol; author: Brouberol):
[operations/puppet@production] ceph: provision the dse-k8s-csi-cephfs user capabilities
Change #1078401 merged by Brouberol:
[labs/private@master] Provision dummy secrets for ceph-csi users
Change #1078402 merged by Brouberol:
[operations/puppet@production] ceph: provision the dse-k8s-csi-cephfs user capabilities
Change #1078926 had a related patch set uploaded (by Brouberol; author: Brouberol):
[operations/puppet@production] cephosd: fix syntax of the dse-k8s-csi-cephfs caps
Change #1078926 merged by Brouberol:
[operations/puppet@production] cephosd: fix syntax of the dse-k8s-csi-cephfs caps
What we ended up doing is running the following commands:
```
brouberol@cephosd1004:~$ sudo ceph fs authorize dpe client.dse-k8s-csi-cephfs / rw
[client.dse-k8s-csi-cephfs]
	key = REDACTED
brouberol@cephosd1004:~$ sudo ceph auth get client.dse-k8s-csi-cephfs
[client.dse-k8s-csi-cephfs]
	key = REDACTED
	caps mds = "allow rw fsname=dpe"
	caps mon = "allow r fsname=dpe"
	caps osd = "allow rw tag cephfs data=dpe"
```
We then copied the key to the puppet private repo and added the caps to the public puppet repo.
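Added example (not part of the task thread or of the puppet code it references): a Python check that parses `ceph auth get` output in the format shown above and reports any capability that differs from a declared set, so a cap that is wider than intended is caught. `EXPECTED_CAPS` is a hypothetical stand-in for the caps kept in the public puppet repo, and the sample keyring is constructed from the output above.

```python
import re

# Constructed sample: the `ceph auth get` output shown above, key redacted.
SAMPLE_KEYRING = """\
[client.dse-k8s-csi-cephfs]
    key = REDACTED
    caps mds = "allow rw fsname=dpe"
    caps mon = "allow r fsname=dpe"
    caps osd = "allow rw tag cephfs data=dpe"
"""

# Hypothetical declaration of the intended caps (stand-in for the puppet data).
EXPECTED_CAPS = {"client.dse-k8s-csi-cephfs": {
    "mds": "allow rw fsname=dpe",
    "mon": "allow r fsname=dpe",
    "osd": "allow rw tag cephfs data=dpe",
}}

SECTION = re.compile(r"\[([^\]]+)\]$")
CAP = re.compile(r'caps\s+(\w+)\s*=\s*"(.*)"$')
KEY = re.compile(r"key\s*=")


def parse_keyring_caps(text):
    """Return {entity: {service: capability}}; key material is never stored."""
    caps, entity = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := SECTION.match(line)):
            entity = m.group(1)
            caps[entity] = {}
        elif entity is None:
            raise ValueError(f"line outside any [entity] section: {line!r}")
        elif (m := CAP.match(line)):
            caps[entity][m.group(1)] = m.group(2)
        elif not KEY.match(line):
            raise ValueError(f"unrecognised keyring line: {line!r}")
    return caps


def caps_drift(expected, actual):
    """List (entity, service, expected, actual) for each mismatch, either way."""
    drift = []
    for entity in sorted(set(expected) | set(actual)):
        exp, act = expected.get(entity, {}), actual.get(entity, {})
        for svc in sorted(set(exp) | set(act)):
            if exp.get(svc) != act.get(svc):
                drift.append((entity, svc, exp.get(svc), act.get(svc)))
    return drift
```

An empty list from `caps_drift` means the caps on the cluster match the declared ones; a missing or extra service shows up with `None` on one side.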