rook: Ceph key user secret must be added in every namespace that is accessible to Rook clusters
In order for Kubernetes to attach/detach rook block images, a secret containing the user ceph key must be present in the namespace of the pod consuming the block image. The Rook operator should watch for namespaces and create a ceph key secret for every namespace.
Currently, rook-operator creates a user and an associated secret for the default namespace. We should do the same for every namespace.
The rook-operator should create a ceph user and an equivalent secret for that user in that namespace.
About this issue
- State: closed
- Created 7 years ago
- Comments: 15 (11 by maintainers)
Commits related to this issue
- Ceph User controller [#475] Additional controller monitors PVC events across all namespaces. On CREATE events: Ceph user is created within a cluster and a secret is placed on PVC namespace. - Ceph cr... — committed to paha/rook by paha 7 years ago
- [#475] addressing some issues in PR comments - linting and typo fixes - Refactoring of cechUser, removed some fields in cephUser type - Moved struct definitions to the top - License for cech_user.go ... — committed to paha/rook by paha 7 years ago
- [#475] go linting and copyright update — committed to paha/rook by paha 7 years ago
- [#475] Fix order of params in newCredsController, remove unused vars and functions — committed to paha/rook by paha 7 years ago
- [#475] Removed tests with Secret creation, updated tests are pending — committed to paha/rook by paha 7 years ago
- Merge pull request #475 from parth-gr/backport-downstream-underscore external: add alias rbd pool name to support . pools name — committed to sp98/rook by travisn a year ago
With #882, this is no longer needed
@calvix yes, with the ongoing work on the Rook volume plugin, there will no longer be a need to copy secrets to other namespaces. You can read about the design here: https://github.com/rook/rook/blob/master/design/local-node-agent.md#improvements-over-rooks-current-support-for-persistent-volumes
The pull request for the code implementation (work in progress) can be found here: https://github.com/rook/rook/pull/882
https://github.com/kubernetes/kubernetes/pull/49502 allows putting ceph secrets for provisioned PVs in a namespace separate from the PVC namespaces and will be in kube 1.8