Merge "Add ceph as an application on top of kubernetes"
diff --git a/apps/ceph/kubespray/playbooks/install.yml b/apps/ceph/kubespray/playbooks/install.yml
new file mode 100644
index 0000000..a6604e4
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/install.yml
@@ -0,0 +1,43 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- hosts: baremetal
+ gather_facts: true
+ become: yes
+ vars_files:
+ - "{{ engine_path }}/engine/var/versions.yml"
+ - "{{ engine_path }}/engine/var/global.yml"
+
+ roles:
+ - role: common
+ - role: prepare
+
+- hosts: jumphost
+ gather_facts: true
+ become: no
+ vars_files:
+ - "{{ engine_path }}/engine/var/versions.yml"
+ - "{{ engine_path }}/engine/var/global.yml"
+
+ roles:
+ - role: common
+ - role: install
+
+
+# vim: set ts=2 sw=2 expandtab:
diff --git a/apps/ceph/kubespray/playbooks/roles/common/vars/main.yml b/apps/ceph/kubespray/playbooks/roles/common/vars/main.yml
new file mode 100644
index 0000000..f22557e
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/common/vars/main.yml
@@ -0,0 +1,31 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+rook_data_dir_path: "/var/lib/rook"
+rook_storage_dir_path: "/rook/storage-dir"
+
+rook_namespace: "rook-ceph"
+
+rook_use_host_network: "false"
+rook_node_device_filter: "vdb"
+
+rook_block_pool_name: "block-pool"
+rook_block_pool_replicas: 1
+
+rook_block_storage_name: "block-storage"
+rook_block_storage_fs: "xfs"
diff --git a/apps/ceph/kubespray/playbooks/roles/install/tasks/main.yml b/apps/ceph/kubespray/playbooks/roles/install/tasks/main.yml
new file mode 100644
index 0000000..c339e3e
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/tasks/main.yml
@@ -0,0 +1,159 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- name: Delete existing rook cluster if any
+ k8s:
+ definition: "{{ lookup('template', config_file) }}"
+ state: absent
+ with_items:
+ - external-dashboard-https.yaml.j2
+ - pool.yaml.j2
+ - storageclass.yaml.j2
+ - toolbox.yaml.j2
+ - cluster.yaml.j2
+ loop_control:
+ loop_var: config_file
+ ignore_errors: yes
+ tags: reset
+
+- name: Delete existing rook cluster CRD if any
+ k8s:
+ api_version: apiextensions.k8s.io/v1beta1
+ state: absent
+ kind: CustomResourceDefinition
+ name: cephclusters.ceph.rook.io
+ ignore_errors: yes
+ tags: reset
+
+- name: Delete existing rook operator if any
+ k8s:
+ definition: "{{ lookup('template', config_file) }}"
+ state: absent
+ with_items:
+ - operator.yaml.j2
+ - common.yaml.j2
+ loop_control:
+ loop_var: config_file
+ ignore_errors: yes
+ tags: reset
+
+- name: Wait until rook namespace is deleted
+ k8s_facts:
+ kind: Namespace
+ name: "{{ rook_namespace }}"
+ register: result
+ until: not result.resources
+ retries: 10
+ delay: 5
+ tags: reset
+
+- name: Create rook operator
+ k8s:
+ state: present
+ definition: "{{ lookup('template', config_file) }}"
+ with_items:
+ - common.yaml.j2
+ - operator.yaml.j2
+ loop_control:
+ loop_var: config_file
+
+- name: Wait until OPERATOR pod is available
+ k8s_facts:
+ kind: Pod
+ namespace: "{{ rook_namespace }}"
+ label_selectors:
+ - app = rook-ceph-operator
+ field_selectors:
+ - status.phase=Running
+ register: rook_mgr_status
+ until:
+ - rook_mgr_status.resources is defined
+ - rook_mgr_status.resources
+ retries: 10
+ delay: 5
+
+- name: Create rook cluster
+ k8s:
+ state: present
+ definition: "{{ lookup('template', config_file) }}"
+ with_items:
+ - cluster.yaml.j2
+ - toolbox.yaml.j2
+ loop_control:
+ loop_var: config_file
+
+- name: Wait until rook cluster deployment is complete
+ k8s_facts:
+ kind: CephCluster
+ name: rook-ceph
+ namespace: "{{ rook_namespace }}"
+ field_selectors:
+ - status.state = "Created"
+ register: rook_cluster_status
+ until:
+ - rook_cluster_status.resources
+ retries: 10
+ delay: 5
+
+- name: Wait until MGR pods are available
+ k8s_facts:
+ kind: Pod
+ namespace: "{{ rook_namespace }}"
+ label_selectors:
+ - app = rook-ceph-mgr
+ field_selectors:
+ - status.phase=Running
+ register: rook_mgr_status
+ until:
+ - rook_mgr_status.resources is defined
+ - rook_mgr_status.resources
+ retries: 30
+ delay: 10
+
+- name: Wait until OSD pods are available
+ k8s_facts:
+ kind: Pod
+ namespace: "{{ rook_namespace }}"
+ label_selectors:
+ - app = rook-ceph-osd
+ field_selectors:
+ - status.phase=Running
+ register: rook_osd_status
+ until:
+ - rook_osd_status.resources is defined
+ - rook_osd_status.resources
+ retries: 30
+ delay: 10
+
+- name: Create rook block storage
+ k8s:
+ state: present
+ definition: "{{ lookup('template', config_file) }}"
+ with_items:
+ - pool.yaml.j2
+ - storageclass.yaml.j2
+ loop_control:
+ loop_var: config_file
+
+- name: Create rook external dashboard
+ k8s:
+ state: present
+ definition: "{{ lookup('template', 'external-dashboard-https.yaml.j2') }}"
+
+# vim: set ts=2 sw=2 expandtab:
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/cluster.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/cluster.yaml.j2
new file mode 100644
index 0000000..5aba2c1
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/cluster.yaml.j2
@@ -0,0 +1,173 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: ceph.rook.io/v1
+kind: CephCluster
+metadata:
+ name: rook-ceph
+ namespace: "{{ rook_namespace }}"
+spec:
+ cephVersion:
+ # The container image used to launch the Ceph daemon pods (mon, mgr, osd, mds, rgw).
+ # v12 is luminous, v13 is mimic, and v14 is nautilus.
+ # RECOMMENDATION: In production, use a specific version tag instead of the general v13 flag, which pulls the latest release and could result in different
+ # versions running within the cluster. See tags available at https://hub.docker.com/r/ceph/ceph/tags/.
+ image: "ceph/ceph:{{ ceph_version}}"
+ # Whether to allow unsupported versions of Ceph. Currently only luminous and mimic are supported.
+ # After nautilus is released, Rook will be updated to support nautilus.
+ # Do not set to true in production.
+ allowUnsupported: false
+ # The path on the host where configuration files will be persisted. If not specified, a kubernetes emptyDir will be created (not recommended).
+ # Important: if you reinstall the cluster, make sure you delete this directory from each host or else the mons will fail to start on the new cluster.
+ # In Minikube, the '/data' directory is configured to persist across reboots. Use "/data/rook" in Minikube environment.
+ dataDirHostPath: "{{ rook_data_dir_path }}"
+ # Whether or not upgrade should continue even if a check fails
+ # This means Ceph's status could be degraded and we don't recommend upgrading but you might decide otherwise
+ # Use at your OWN risk
+ # To understand Rook's upgrade process of Ceph, read https://rook.io/docs/rook/master/ceph-upgrade.html#ceph-version-upgrades
+ skipUpgradeChecks: false
+ # set the amount of mons to be started
+ mon:
+ count: 3
+ allowMultiplePerNode: true
+ mgr:
+ modules:
+ # Several modules should not need to be included in this list. The "dashboard" and "monitoring" modules
+ # are already enabled by other settings in the cluster CR and the "rook" module is always enabled.
+ # - name: pg_autoscaler
+ # enabled: true
+ # enable the ceph dashboard for viewing cluster status
+ dashboard:
+ enabled: true
+ # serve the dashboard under a subpath (useful when you are accessing the dashboard via a reverse proxy)
+ # urlPrefix: /ceph-dashboard
+ # serve the dashboard at the given port.
+ # port: 8443
+ # serve the dashboard using SSL
+ ssl: true
+ monitoring:
+ # requires Prometheus to be pre-installed
+ enabled: false
+ # namespace to deploy prometheusRule in. If empty, namespace of the cluster will be used.
+ # Recommended:
+ # If you have a single rook-ceph cluster, set the rulesNamespace to the same namespace as the cluster or keep it empty.
+ # If you have multiple rook-ceph clusters in the same k8s cluster, choose the same namespace (ideally, namespace with prometheus
+ # deployed) to set rulesNamespace for all the clusters. Otherwise, you will get duplicate alerts with multiple alert definitions.
+ rulesNamespace: {{ rook_namespace }}
+ network:
+ # toggle to use hostNetwork
+ hostNetwork: {{ rook_use_host_network }}
+ rbdMirroring:
+ # The number of daemons that will perform the rbd mirroring.
+ # rbd mirroring must be configured with "rbd mirror" from the rook toolbox.
+ workers: 0
+ # To control where various services will be scheduled by kubernetes, use the placement configuration sections below.
+ # The example under 'all' would have all services scheduled on kubernetes nodes labeled with 'role=storage-node' and
+ # tolerate taints with a key of 'storage-node'.
+# placement:
+# all:
+# nodeAffinity:
+# requiredDuringSchedulingIgnoredDuringExecution:
+# nodeSelectorTerms:
+# - matchExpressions:
+# - key: role
+# operator: In
+# values:
+# - storage-node
+# podAffinity:
+# podAntiAffinity:
+# tolerations:
+# - key: storage-node
+# operator: Exists
+# The above placement information can also be specified for mon, osd, and mgr components
+# mon:
+# Monitor deployments may contain an anti-affinity rule for avoiding monitor
+# collocation on the same node. This is a required rule when host network is used
+# or when AllowMultiplePerNode is false. Otherwise this anti-affinity rule is a
+# preferred rule with weight: 50.
+# osd:
+# mgr:
+ annotations:
+# all:
+# mon:
+# osd:
+# If no mgr annotations are set, prometheus scrape annotations will be set by default.
+# mgr:
+ resources:
+# The requests and limits set here, allow the mgr pod to use half of one CPU core and 1 gigabyte of memory
+# mgr:
+# limits:
+# cpu: "500m"
+# memory: "1024Mi"
+# requests:
+# cpu: "500m"
+# memory: "1024Mi"
+# The above example requests/limits can also be added to the mon and osd components
+# mon:
+# osd:
+ storage: # cluster level storage configuration and selection
+ useAllNodes: true
+ useAllDevices: false
+ location:
+ config:
+ # The default and recommended storeType is dynamically set to bluestore for devices and filestore for directories.
+ # Set the storeType explicitly only if it is required not to use the default.
+ # storeType: bluestore
+ databaseSizeMB: "1024" # this value can be removed for environments with normal sized disks (100 GB or larger)
+ journalSizeMB: "1024" # this value can be removed for environments with normal sized disks (20 GB or larger)
+ osdsPerDevice: "1" # this value can be overridden at the node or device level
+# Cluster level list of directories to use for storage. These values will be set for all nodes that have no `directories` set.
+ directories:
+ - path: "{{ rook_storage_dir_path }}"
+# Individual nodes and their config can be specified as well, but 'useAllNodes' above must be set to false. Then, only the named
+# nodes below will be used as storage resources. Each node's 'name' field should match their 'kubernetes.io/hostname' label.
+# nodes:
+# - name: "172.17.4.101"
+# directories: # specific directories to use for storage can be specified for each node
+# - path: "/rook/storage-dir"
+# resources:
+# limits:
+# cpu: "500m"
+# memory: "1024Mi"
+# requests:
+# cpu: "500m"
+# memory: "1024Mi"
+# - name: "172.17.4.201"
+# devices: # specific devices to use for storage can be specified for each node
+# - name: "sdb"
+# - name: "nvme01" # multiple osds can be created on high performance devices
+# config:
+# osdsPerDevice: "5"
+# config: # configuration can be specified at the node level which overrides the cluster level config
+# storeType: filestore
+# - name: "172.17.4.301"
+# deviceFilter: ^vdb
+ # The section for configuring management of daemon disruptions during upgrade or fencing.
+ disruptionManagement:
+ # If true, the operator will create and manage PodDisruptionBudgets for OSD, Mon, RGW, and MDS daemons. OSD PDBs are managed dynamically
+ # via the strategy outlined in the [design](https://github.com/rook/rook/blob/master/design/ceph-managed-disruptionbudgets.md). The operator will
+ # block eviction of OSDs by default and unblock them safely when drains are detected.
+ managePodBudgets: false
+ # A duration in minutes that determines how long an entire failureDomain like `region/zone/host` will be held in `noout` (in addition to the
+ # default DOWN/OUT interval) when it is draining. This is only relevant when `managePodBudgets` is `true`. The default value is `30` minutes.
+ osdMaintenanceTimeout: 30
+ # If true, the operator will create and manage MachineDisruptionBudgets to ensure OSDs are only fenced when the cluster is healthy.
+ # Only available on OpenShift.
+ manageMachineDisruptionBudgets: false
+ # Namespace in which to watch for the MachineDisruptionBudgets.
+ machineDisruptionBudgetNamespace: openshift-machine-api
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2
new file mode 100644
index 0000000..d8b7412
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/common.yaml.j2
@@ -0,0 +1,1592 @@
+###################################################################################################################
+# Create the common resources that are necessary to start the operator and the ceph cluster.
+# These resources *must* be created before the operator.yaml and cluster.yaml or their variants.
+# The samples all assume that a single operator will manage a single cluster crd in the same "rook-ceph" namespace.
+#
+# If the operator needs to manage multiple clusters (in different namespaces), see the section below
+# for "cluster-specific resources". The resources below that section will need to be created for each namespace
+# where the operator needs to manage the cluster. The resources above that section do not be created again.
+#
+# Most of the sections are prefixed with a 'OLM' keyword which is used to build our CSV for an OLM (Operator Life Cycle manager)
+###################################################################################################################
+
+# Namespace where the operator and other rook resources are created
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "{{ rook_namespace }}"
+# OLM: BEGIN CEPH CRD
+# The CRD declarations
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephclusters.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephCluster
+ listKind: CephClusterList
+ plural: cephclusters
+ singular: cephcluster
+ scope: Namespaced
+ version: v1
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ annotations: {}
+ cephVersion:
+ properties:
+ allowUnsupported:
+ type: boolean
+ image:
+ type: string
+ dashboard:
+ properties:
+ enabled:
+ type: boolean
+ urlPrefix:
+ type: string
+ port:
+ type: integer
+ minimum: 0
+ maximum: 65535
+ ssl:
+ type: boolean
+ dataDirHostPath:
+ pattern: ^/(\S+)
+ type: string
+ skipUpgradeChecks:
+ type: boolean
+ mon:
+ properties:
+ allowMultiplePerNode:
+ type: boolean
+ count:
+ maximum: 9
+ minimum: 0
+ type: integer
+ mgr:
+ properties:
+ modules:
+ items:
+ properties:
+ name:
+ type: string
+ enabled:
+ type: boolean
+ network:
+ properties:
+ hostNetwork:
+ type: boolean
+ storage:
+ properties:
+ disruptionManagement:
+ properties:
+ managePodBudgets:
+ type: boolean
+ osdMaintenanceTimeout:
+ type: integer
+ manageMachineDisruptionBudgets:
+ type: boolean
+ useAllNodes:
+ type: boolean
+ nodes:
+ items:
+ properties:
+ name:
+ type: string
+ config:
+ properties:
+ metadataDevice:
+ type: string
+ storeType:
+ type: string
+ pattern: ^(filestore|bluestore)$
+ databaseSizeMB:
+ type: string
+ walSizeMB:
+ type: string
+ journalSizeMB:
+ type: string
+ osdsPerDevice:
+ type: string
+ encryptedDevice:
+ type: string
+ pattern: ^(true|false)$
+ useAllDevices:
+ type: boolean
+ deviceFilter: {}
+ directories:
+ type: array
+ items:
+ properties:
+ path:
+ type: string
+ devices:
+ type: array
+ items:
+ properties:
+ name:
+ type: string
+ config: {}
+ location: {}
+ resources: {}
+ type: array
+ useAllDevices:
+ type: boolean
+ deviceFilter: {}
+ location: {}
+ directories:
+ type: array
+ items:
+ properties:
+ path:
+ type: string
+ config: {}
+ topologyAware:
+ type: boolean
+ monitoring:
+ properties:
+ enabled:
+ type: boolean
+ rulesNamespace:
+ type: string
+ rbdMirroring:
+ properties:
+ workers:
+ type: integer
+ placement: {}
+ resources: {}
+ additionalPrinterColumns:
+ - name: DataDirHostPath
+ type: string
+ description: Directory used on the K8s nodes
+ JSONPath: .spec.dataDirHostPath
+ - name: MonCount
+ type: string
+ description: Number of MONs
+ JSONPath: .spec.mon.count
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
+ - name: State
+ type: string
+ description: Current State
+ JSONPath: .status.state
+ - name: Health
+ type: string
+ description: Ceph Health
+ JSONPath: .status.ceph.health
+# OLM: END CEPH CRD
+# OLM: BEGIN CEPH FS CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephfilesystems.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephFilesystem
+ listKind: CephFilesystemList
+ plural: cephfilesystems
+ singular: cephfilesystem
+ scope: Namespaced
+ version: v1
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ metadataServer:
+ properties:
+ activeCount:
+ minimum: 1
+ maximum: 10
+ type: integer
+ activeStandby:
+ type: boolean
+ annotations: {}
+ placement: {}
+ resources: {}
+ metadataPool:
+ properties:
+ failureDomain:
+ type: string
+ replicated:
+ properties:
+ size:
+ minimum: 1
+ maximum: 10
+ type: integer
+ erasureCoded:
+ properties:
+ dataChunks:
+ type: integer
+ codingChunks:
+ type: integer
+ dataPools:
+ type: array
+ items:
+ properties:
+ failureDomain:
+ type: string
+ replicated:
+ properties:
+ size:
+ minimum: 1
+ maximum: 10
+ type: integer
+ erasureCoded:
+ properties:
+ dataChunks:
+ type: integer
+ codingChunks:
+ type: integer
+ additionalPrinterColumns:
+ - name: ActiveMDS
+ type: string
+ description: Number of desired active MDS daemons
+ JSONPath: .spec.metadataServer.activeCount
+ - name: Age
+ type: date
+ JSONPath: .metadata.creationTimestamp
+# OLM: END CEPH FS CRD
+# OLM: BEGIN CEPH NFS CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephnfses.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephNFS
+ listKind: CephNFSList
+ plural: cephnfses
+ singular: cephnfs
+ shortNames:
+ - nfs
+ scope: Namespaced
+ version: v1
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ rados:
+ properties:
+ pool:
+ type: string
+ namespace:
+ type: string
+ server:
+ properties:
+ active:
+ type: integer
+ annotations: {}
+ placement: {}
+ resources: {}
+
+# OLM: END CEPH NFS CRD
+# OLM: BEGIN CEPH OBJECT STORE CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephobjectstores.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephObjectStore
+ listKind: CephObjectStoreList
+ plural: cephobjectstores
+ singular: cephobjectstore
+ scope: Namespaced
+ version: v1
+ validation:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ gateway:
+ properties:
+ type:
+ type: string
+ sslCertificateRef: {}
+ port:
+ type: integer
+ securePort: {}
+ instances:
+ type: integer
+ annotations: {}
+ placement: {}
+ resources: {}
+ metadataPool:
+ properties:
+ failureDomain:
+ type: string
+ replicated:
+ properties:
+ size:
+ type: integer
+ erasureCoded:
+ properties:
+ dataChunks:
+ type: integer
+ codingChunks:
+ type: integer
+ dataPool:
+ properties:
+ failureDomain:
+ type: string
+ replicated:
+ properties:
+ size:
+ type: integer
+ erasureCoded:
+ properties:
+ dataChunks:
+ type: integer
+ codingChunks:
+ type: integer
+# OLM: END CEPH OBJECT STORE CRD
+# OLM: BEGIN CEPH OBJECT STORE USERS CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephobjectstoreusers.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephObjectStoreUser
+ listKind: CephObjectStoreUserList
+ plural: cephobjectstoreusers
+ singular: cephobjectstoreuser
+ scope: Namespaced
+ version: v1
+# OLM: END CEPH OBJECT STORE USERS CRD
+# OLM: BEGIN CEPH BLOCK POOL CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: cephblockpools.ceph.rook.io
+spec:
+ group: ceph.rook.io
+ names:
+ kind: CephBlockPool
+ listKind: CephBlockPoolList
+ plural: cephblockpools
+ singular: cephblockpool
+ scope: Namespaced
+ version: v1
+# OLM: END CEPH BLOCK POOL CRD
+# OLM: BEGIN CEPH VOLUME POOL CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: volumes.rook.io
+spec:
+ group: rook.io
+ names:
+ kind: Volume
+ listKind: VolumeList
+ plural: volumes
+ singular: volume
+ shortNames:
+ - rv
+ scope: Namespaced
+ version: v1alpha2
+# OLM: END CEPH VOLUME POOL CRD
+# OLM: BEGIN OBJECTBUCKET CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: objectbuckets.objectbucket.io
+spec:
+ group: objectbucket.io
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ names:
+ kind: ObjectBucket
+ listKind: ObjectBucketList
+ plural: objectbuckets
+ singular: objectbucket
+ shortNames:
+ - ob
+ - obs
+ scope: Cluster
+ subresources:
+ status: {}
+# OLM: END OBJECTBUCKET CRD
+# OLM: BEGIN OBJECTBUCKETCLAIM CRD
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: objectbucketclaims.objectbucket.io
+spec:
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ group: objectbucket.io
+ names:
+ kind: ObjectBucketClaim
+ listKind: ObjectBucketClaimList
+ plural: objectbucketclaims
+ singular: objectbucketclaim
+ shortNames:
+ - obc
+ - obcs
+ scope: Namespaced
+ subresources:
+ status: {}
+# OLM: END OBJECTBUCKETCLAIM CRD
+# OLM: BEGIN OBJECTBUCKET ROLEBINDING
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-object-bucket
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-object-bucket
+subjects:
+ - kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+# OLM: END OBJECTBUCKET ROLEBINDING
+# OLM: BEGIN OPERATOR ROLE
+---
+# The cluster role for managing all the cluster-specific resources in a namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: rook-ceph-cluster-mgmt
+ labels:
+ operator: rook
+ storage-backend: ceph
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: rook-ceph-cluster-mgmt-rules
+ labels:
+ operator: rook
+ storage-backend: ceph
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-cluster-mgmt: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - pods
+ - pods/log
+ - services
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - daemonsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+# The role for the operator to manage resources in its own namespace
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+ labels:
+ operator: rook
+ storage-backend: ceph
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - statefulsets
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+# The cluster role for managing the Rook CRDs
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: rook-ceph-global
+ labels:
+ operator: rook
+ storage-backend: ceph
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
+rules: []
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: rook-ceph-global-rules
+ labels:
+ operator: rook
+ storage-backend: ceph
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-global: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ # Pod access is needed for fencing
+ - pods
+ # Node access is needed for determining nodes where mons should run
+ - nodes
+ - nodes/proxy
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ # PVs and PVCs are managed by the Rook provisioner
+ - persistentvolumes
+ - persistentvolumeclaims
+ - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+ - patch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - ceph.rook.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - rook.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - policy
+ - apps
+ resources:
+ #this is for the clusterdisruption controller
+ - poddisruptionbudgets
+ #this is for both clusterdisruption and nodedrain controllers
+ - deployments
+ verbs:
+ - "*"
+- apiGroups:
+ - healthchecking.openshift.io
+ resources:
+ - machinedisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - machine.openshift.io
+ resources:
+ - machines
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+---
+# Aspects of ceph-mgr that require cluster-wide access
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-cluster
+ labels:
+ operator: rook
+ storage-backend: ceph
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-cluster-rules
+ labels:
+ operator: rook
+ storage-backend: ceph
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - nodes
+ - nodes/proxy
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - list
+ - get
+ - watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-object-bucket
+ labels:
+ operator: rook
+ storage-backend: ceph
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-cluster: "true"
+rules:
+- apiGroups:
+ - ""
+ verbs:
+ - "*"
+ resources:
+ - secrets
+ - configmaps
+- apiGroups:
+ - storage.k8s.io
+ resources:
+ - storageclasses
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - "objectbucket.io"
+ verbs:
+ - "*"
+ resources:
+ - "*"
+# OLM: END OPERATOR ROLE
+# OLM: BEGIN SERVICE ACCOUNT SYSTEM
+---
+# The rook system service account used by the operator, agent, and discovery pods
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+ labels:
+ operator: rook
+ storage-backend: ceph
+# imagePullSecrets:
+# - name: my-registry-secret
+
+# OLM: END SERVICE ACCOUNT SYSTEM
+# OLM: BEGIN OPERATOR ROLEBINDING
+---
+# Grant the operator, agent, and discovery agents access to resources in the namespace
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+ labels:
+ operator: rook
+ storage-backend: ceph
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-system
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+---
+# Grant the rook system daemons cluster-wide access to manage the Rook CRDs, PVCs, and storage classes
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-global
+ namespace: "{{ rook_namespace }}"
+ labels:
+ operator: rook
+ storage-backend: ceph
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-global
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+# OLM: END OPERATOR ROLEBINDING
+#################################################################################################################
+# Beginning of cluster-specific resources. The example will assume the cluster will be created in the "rook-ceph"
+# namespace. If you want to create the cluster in a different namespace, you will need to modify these roles
+# and bindings accordingly.
+#################################################################################################################
+# Service account for the Ceph OSDs. Must exist and cannot be renamed.
+# OLM: BEGIN SERVICE ACCOUNT OSD
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+# imagePullSecrets:
+# - name: my-registry-secret
+
+# OLM: END SERVICE ACCOUNT OSD
+# OLM: BEGIN SERVICE ACCOUNT MGR
+---
+# Service account for the Ceph Mgr. Must exist and cannot be renamed.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+# imagePullSecrets:
+# - name: my-registry-secret
+
+# OLM: END SERVICE ACCOUNT MGR
+# OLM: BEGIN CMD REPORTER SERVICE ACCOUNT
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-ceph-cmd-reporter
+ namespace: "{{ rook_namespace }}"
+# OLM: END CMD REPORTER SERVICE ACCOUNT
+# OLM: BEGIN CLUSTER ROLE
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: [ "get", "list", "watch", "create", "update", "delete" ]
+- apiGroups: ["ceph.rook.io"]
+ resources: ["cephclusters", "cephclusters/finalizers"]
+ verbs: [ "get", "list", "create", "update", "delete" ]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+---
+# Aspects of ceph-mgr that require access to the system namespace
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-system
+ namespace: "{{ rook_namespace }}"
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-system-rules
+ namespace: "{{ rook_namespace }}"
+ labels:
+ rbac.ceph.rook.io/aggregate-to-rook-ceph-mgr-system: "true"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+---
+# Aspects of ceph-mgr that operate within the cluster's namespace
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+- apiGroups:
+ - ceph.rook.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+# OLM: END CLUSTER ROLE
+# OLM: BEGIN CMD REPORTER ROLE
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-cmd-reporter
+ namespace: "{{ rook_namespace }}"
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - delete
+# OLM: END CMD REPORTER ROLE
+# OLM: BEGIN CLUSTER ROLEBINDING
+---
+# Allow the operator to create resources in this cluster's namespace
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-cluster-mgmt
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-cluster-mgmt
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+---
+# Allow the osd pods in this namespace to work with configmaps
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-osd
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+---
+# Allow the ceph mgr to access the cluster-specific resources necessary for the mgr modules
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-mgr
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+---
+# Allow the ceph mgr to access the rook system resources necessary for the mgr modules
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-system
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-mgr-system
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+---
+# Allow the ceph mgr to access cluster-wide resources necessary for the mgr modules
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-mgr-cluster
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-mgr-cluster
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+
+---
+# Allow the ceph osd to access cluster-wide resources necessary for determining their topology location
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-osd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rook-ceph-osd
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+
+# OLM: END CLUSTER ROLEBINDING
+# OLM: BEGIN CMD REPORTER ROLEBINDING
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: rook-ceph-cmd-reporter
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: rook-ceph-cmd-reporter
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-cmd-reporter
+ namespace: "{{ rook_namespace }}"
+# OLM: END CMD REPORTER ROLEBINDING
+#################################################################################################################
+# Beginning of pod security policy resources. The example will assume the cluster will be created in the
+# "rook-ceph" namespace. If you want to create the cluster in a different namespace, you will need to modify
+# the roles and bindings accordingly.
+#################################################################################################################
+# OLM: BEGIN CLUSTER POD SECURITY POLICY
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: rook-privileged
+spec:
+ privileged: true
+ allowedCapabilities:
+ # required by CSI
+ - SYS_ADMIN
+ # fsGroup - the flexVolume agent has fsGroup capabilities and could potentially be any group
+ fsGroup:
+ rule: RunAsAny
+ # runAsUser, supplementalGroups - Rook needs to run some pods as root
+ # Ceph pods could be run as the Ceph user, but that user isn't always known ahead of time
+ runAsUser:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ # seLinux - seLinux context is unknown ahead of time; set if this is well-known
+ seLinux:
+ rule: RunAsAny
+ volumes:
+ # recommended minimum set
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - projected
+ # required for Rook
+ - hostPath
+ - flexVolume
+ # allowedHostPaths can be set to Rook's known host volume mount points when they are fully-known
+ # directory-based OSDs make this hard to nail down
+ # allowedHostPaths:
+ # - pathPrefix: "/run/udev" # for OSD prep
+ # readOnly: false
+ # - pathPrefix: "/dev" # for OSD prep
+ # readOnly: false
+ # - pathPrefix: "/var/lib/rook" # or whatever the dataDirHostPath value is set to
+ # readOnly: false
+ # Ceph requires host IPC for setting up encrypted devices
+ hostIPC: true
+ # Ceph OSDs need to share the same PID namespace
+ hostPID: true
+ # hostNetwork can be set to 'false' if host networking isn't used
+ hostNetwork: true
+ hostPorts:
+ # Ceph messenger protocol v1
+ - min: 6789
+ max: 6790 # <- support old default port
+ # Ceph messenger protocol v2
+ - min: 3300
+ max: 3300
+ # Ceph RADOS ports for OSDs, MDSes
+ - min: 6800
+ max: 7300
+ # # Ceph dashboard port HTTP (not recommended)
+ # - min: 7000
+ # max: 7000
+ # Ceph dashboard port HTTPS
+ - min: 8443
+ max: 8443
+ # Ceph mgr Prometheus Metrics
+ - min: 9283
+ max: 9283
+# OLM: END CLUSTER POD SECURITY POLICY
+# OLM: BEGIN POD SECURITY POLICY BINDINGS
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: 'psp:rook'
+rules:
+ - apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ resourceNames:
+ - rook-privileged
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rook-ceph-system-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'psp:rook'
+subjects:
+ - kind: ServiceAccount
+ name: rook-ceph-system
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rook-ceph-default-psp
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:rook
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rook-ceph-osd-psp
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:rook
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-osd
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rook-ceph-mgr-psp
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:rook
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-mgr
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: rook-ceph-cmd-reporter-psp
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: psp:rook
+subjects:
+- kind: ServiceAccount
+ name: rook-ceph-cmd-reporter
+ namespace: "{{ rook_namespace }}"
+# OLM: END CLUSTER POD SECURITY POLICY BINDINGS
+# OLM: BEGIN CSI CEPHFS SERVICE ACCOUNT
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-cephfs-plugin-sa
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-cephfs-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+# OLM: END CSI CEPHFS SERVICE ACCOUNT
+# OLM: BEGIN CSI CEPHFS ROLE
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: "{{ rook_namespace }}"
+ name: cephfs-external-provisioner-cfg
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+# OLM: END CSI CEPHFS ROLE
+# OLM: BEGIN CSI CEPHFS ROLEBINDING
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-csi-provisioner-role-cfg
+ namespace: "{{ rook_namespace }}"
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-cephfs-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: Role
+ name: cephfs-external-provisioner-cfg
+ apiGroup: rbac.authorization.k8s.io
+# OLM: END CSI CEPHFS ROLEBINDING
+# OLM: BEGIN CSI CEPHFS CLUSTER ROLE
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-csi-nodeplugin
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-csi-nodeplugin-rules
+ labels:
+ rbac.ceph.rook.io/aggregate-to-cephfs-csi-nodeplugin: "true"
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "update"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-external-provisioner-runner
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-external-provisioner-runner-rules
+ labels:
+ rbac.ceph.rook.io/aggregate-to-cephfs-external-provisioner-runner: "true"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+# OLM: END CSI CEPHFS CLUSTER ROLE
+# OLM: BEGIN CSI CEPHFS CLUSTER ROLEBINDING
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rook-csi-cephfs-plugin-sa-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'psp:rook'
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-cephfs-plugin-sa
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rook-csi-cephfs-provisioner-sa-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'psp:rook'
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-cephfs-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-csi-nodeplugin
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-cephfs-plugin-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: cephfs-csi-nodeplugin
+ apiGroup: rbac.authorization.k8s.io
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cephfs-csi-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-cephfs-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: cephfs-external-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+# OLM: END CSI CEPHFS CLUSTER ROLEBINDING
+# OLM: BEGIN CSI RBD SERVICE ACCOUNT
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-rbd-plugin-sa
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rook-csi-rbd-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+# OLM: END CSI RBD SERVICE ACCOUNT
+# OLM: BEGIN CSI RBD ROLE
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: "{{ rook_namespace }}"
+ name: rbd-external-provisioner-cfg
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["get", "watch", "list", "delete", "update", "create"]
+# OLM: END CSI RBD ROLE
+# OLM: BEGIN CSI RBD ROLEBINDING
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-csi-provisioner-role-cfg
+ namespace: "{{ rook_namespace }}"
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-rbd-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: Role
+ name: rbd-external-provisioner-cfg
+ apiGroup: rbac.authorization.k8s.io
+# OLM: END CSI RBD ROLEBINDING
+# OLM: BEGIN CSI RBD CLUSTER ROLE
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-csi-nodeplugin
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-csi-nodeplugin-rules
+ labels:
+ rbac.ceph.rook.io/aggregate-to-rbd-csi-nodeplugin: "true"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "update"]
+ - apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get", "list"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-external-provisioner-runner
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
+rules: []
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-external-provisioner-runner-rules
+ labels:
+ rbac.ceph.rook.io/aggregate-to-rbd-external-provisioner-runner: "true"
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list"]
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete", "update"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["volumeattachments"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["list", "watch", "create", "update", "patch"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotcontents"]
+ verbs: ["create", "get", "list", "watch", "update", "delete"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshotclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apiextensions.k8s.io"]
+ resources: ["customresourcedefinitions"]
+ verbs: ["create", "list", "watch", "delete", "get", "update"]
+ - apiGroups: ["snapshot.storage.k8s.io"]
+ resources: ["volumesnapshots/status"]
+ verbs: ["update"]
+# OLM: END CSI RBD CLUSTER ROLE
+# OLM: BEGIN CSI RBD CLUSTER ROLEBINDING
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rook-csi-rbd-plugin-sa-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'psp:rook'
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-rbd-plugin-sa
+ namespace: "{{ rook_namespace }}"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rook-csi-rbd-provisioner-sa-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'psp:rook'
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-rbd-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-csi-nodeplugin
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-rbd-plugin-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: rbd-csi-nodeplugin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: rbd-csi-provisioner-role
+subjects:
+ - kind: ServiceAccount
+ name: rook-csi-rbd-provisioner-sa
+ namespace: "{{ rook_namespace }}"
+roleRef:
+ kind: ClusterRole
+ name: rbd-external-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+# OLM: END CSI RBD CLUSTER ROLEBINDING
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/external-dashboard-https.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/external-dashboard-https.yaml.j2
new file mode 100644
index 0000000..a15a040
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/external-dashboard-https.yaml.j2
@@ -0,0 +1,37 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: v1
+kind: Service
+metadata:
+ name: rook-ceph-mgr-dashboard-external-https
+ namespace: "{{ rook_namespace }}"
+ labels:
+ app: rook-ceph-mgr
+ rook_cluster: rook-ceph
+spec:
+ ports:
+ - name: dashboard
+ port: 8443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: rook-ceph-mgr
+ rook_cluster: rook-ceph
+ sessionAffinity: None
+ type: NodePort
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/operator.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/operator.yaml.j2
new file mode 100644
index 0000000..e339026
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/operator.yaml.j2
@@ -0,0 +1,251 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+#################################################################################################################
+# The deployment for the rook operator
+# Contains the common settings for most Kubernetes deployments.
+# For example, to create the rook-ceph cluster:
+# kubectl create -f common.yaml
+# kubectl create -f operator.yaml
+# kubectl create -f cluster.yaml
+#
+# Also see other operator sample files for variations of operator.yaml:
+# - operator-openshift.yaml: Common settings for running in OpenShift
+#################################################################################################################
+# OLM: BEGIN OPERATOR DEPLOYMENT
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rook-ceph-operator
+ namespace: "{{ rook_namespace }}"
+ labels:
+ operator: rook
+ storage-backend: ceph
+spec:
+ selector:
+ matchLabels:
+ app: rook-ceph-operator
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: rook-ceph-operator
+ spec:
+ serviceAccountName: rook-ceph-system
+ containers:
+ - name: rook-ceph-operator
+ image: "rook/ceph:{{ rook_version }}"
+ args: ["ceph", "operator"]
+ volumeMounts:
+ - mountPath: /var/lib/rook
+ name: rook-config
+ - mountPath: /etc/ceph
+ name: default-config-dir
+ env:
+ # If the operator should only watch for cluster CRDs in the same namespace, set this to "true".
+ # If this is not set to true, the operator will watch for cluster CRDs in all namespaces.
+ - name: ROOK_CURRENT_NAMESPACE_ONLY
+ value: "false"
+ # To disable RBAC, uncomment the following:
+ # - name: RBAC_ENABLED
+ # value: "false"
+ # Rook Agent toleration. Will tolerate all taints with all keys.
+ # Choose between NoSchedule, PreferNoSchedule and NoExecute:
+ # - name: AGENT_TOLERATION
+ # value: "NoSchedule"
+ # (Optional) Rook Agent toleration key. Set this to the key of the taint you want to tolerate
+ # - name: AGENT_TOLERATION_KEY
+ # value: "<KeyOfTheTaintToTolerate>"
+ # (Optional) Rook Agent tolerations list. Put here list of taints you want to tolerate in YAML format.
+ # - name: AGENT_TOLERATIONS
+ # value: |
+ # - effect: NoSchedule
+ # key: node-role.kubernetes.io/controlplane
+ # operator: Exists
+ # - effect: NoExecute
+ # key: node-role.kubernetes.io/etcd
+ # operator: Exists
+ # (Optional) Rook Agent NodeAffinity.
+ # - name: AGENT_NODE_AFFINITY
+ # value: "role=storage-node; storage=rook,ceph"
+ # (Optional) Rook Agent mount security mode. Can by `Any` or `Restricted`.
+ # `Any` uses Ceph admin credentials by default/fallback.
+ # For using `Restricted` you must have a Ceph secret in each namespace storage should be consumed from and
+ # set `mountUser` to the Ceph user, `mountSecret` to the Kubernetes secret name.
+ # to the namespace in which the `mountSecret` Kubernetes secret namespace.
+ # - name: AGENT_MOUNT_SECURITY_MODE
+ # value: "Any"
+ # Set the path where the Rook agent can find the flex volumes
+ # - name: FLEXVOLUME_DIR_PATH
+ # value: "<PathToFlexVolumes>"
+ # Set the path where kernel modules can be found
+ # - name: LIB_MODULES_DIR_PATH
+ # value: "<PathToLibModules>"
+ # Mount any extra directories into the agent container
+ # - name: AGENT_MOUNTS
+ # value: "somemount=/host/path:/container/path,someothermount=/host/path2:/container/path2"
+ # Rook Discover toleration. Will tolerate all taints with all keys.
+ # Choose between NoSchedule, PreferNoSchedule and NoExecute:
+ # - name: DISCOVER_TOLERATION
+ # value: "NoSchedule"
+ # (Optional) Rook Discover toleration key. Set this to the key of the taint you want to tolerate
+ # - name: DISCOVER_TOLERATION_KEY
+ # value: "<KeyOfTheTaintToTolerate>"
+ # (Optional) Rook Discover tolerations list. Put here list of taints you want to tolerate in YAML format.
+ # - name: DISCOVER_TOLERATIONS
+ # value: |
+ # - effect: NoSchedule
+ # key: node-role.kubernetes.io/controlplane
+ # operator: Exists
+ # - effect: NoExecute
+ # key: node-role.kubernetes.io/etcd
+ # operator: Exists
+ # (Optional) Discover Agent NodeAffinity.
+ # - name: DISCOVER_AGENT_NODE_AFFINITY
+ # value: "role=storage-node; storage=rook, ceph"
+ # Allow rook to create multiple file systems. Note: This is considered
+ # an experimental feature in Ceph as described at
+ # http://docs.ceph.com/docs/master/cephfs/experimental-features/#multiple-filesystems-within-a-ceph-cluster
+ # which might cause mons to crash as seen in https://github.com/rook/rook/issues/1027
+ - name: ROOK_ALLOW_MULTIPLE_FILESYSTEMS
+ value: "false"
+
+ # The logging level for the operator: INFO | DEBUG
+ - name: ROOK_LOG_LEVEL
+ value: "INFO"
+
+ # The interval to check the health of the ceph cluster and update the status in the custom resource.
+ - name: ROOK_CEPH_STATUS_CHECK_INTERVAL
+ value: "60s"
+
+ # The interval to check if every mon is in the quorum.
+ - name: ROOK_MON_HEALTHCHECK_INTERVAL
+ value: "45s"
+
+ # The duration to wait before trying to failover or remove/replace the
+ # current mon with a new mon (useful for compensating flapping network).
+ - name: ROOK_MON_OUT_TIMEOUT
+ value: "600s"
+
+ # The duration between discovering devices in the rook-discover daemonset.
+ - name: ROOK_DISCOVER_DEVICES_INTERVAL
+ value: "60m"
+
+ # Whether to start pods as privileged that mount a host path, which includes the Ceph mon and osd pods.
+ # This is necessary to workaround the anyuid issues when running on OpenShift.
+ # For more details see https://github.com/rook/rook/issues/1314#issuecomment-355799641
+ - name: ROOK_HOSTPATH_REQUIRES_PRIVILEGED
+ value: "false"
+
+ # In some situations SELinux relabelling breaks (times out) on large filesystems, and doesn't work with cephfs ReadWriteMany volumes (last relabel wins).
+ # Disable it here if you have similar issues.
+ # For more details see https://github.com/rook/rook/issues/2417
+ - name: ROOK_ENABLE_SELINUX_RELABELING
+ value: "true"
+
+ # In large volumes it will take some time to chown all the files. Disable it here if you have performance issues.
+ # For more details see https://github.com/rook/rook/issues/2254
+ - name: ROOK_ENABLE_FSGROUP
+ value: "true"
+
+ # Disable automatic orchestration when new devices are discovered
+ - name: ROOK_DISABLE_DEVICE_HOTPLUG
+ value: "false"
+
+ # Whether to enable the flex driver. By default it is enabled and is fully supported, but will be deprecated in some future release
+ # in favor of the CSI driver.
+ - name: ROOK_ENABLE_FLEX_DRIVER
+ value: "true"
+
+ # Whether to start the discovery daemon to watch for raw storage devices on nodes in the cluster.
+ # This daemon does not need to run if you are only going to create your OSDs based on StorageClassDeviceSets with PVCs.
+ - name: ROOK_ENABLE_DISCOVERY_DAEMON
+ value: "false"
+
+ # Enable the default version of the CSI CephFS driver. To start another version of the CSI driver, see image properties below.
+ - name: ROOK_CSI_ENABLE_CEPHFS
+ value: "true"
+
+ # Enable the default version of the CSI RBD driver. To start another version of the CSI driver, see image properties below.
+ - name: ROOK_CSI_ENABLE_RBD
+ value: "true"
+ - name: ROOK_CSI_ENABLE_GRPC_METRICS
+ value: "true"
+ # The default version of CSI supported by Rook will be started. To change the version
+ # of the CSI driver to something other than what is officially supported, change
+ # these images to the desired release of the CSI driver.
+ #- name: ROOK_CSI_CEPH_IMAGE
+ # value: "quay.io/cephcsi/cephcsi:v1.2.1"
+ #- name: ROOK_CSI_REGISTRAR_IMAGE
+ # value: "quay.io/k8scsi/csi-node-driver-registrar:v1.1.0"
+ #- name: ROOK_CSI_PROVISIONER_IMAGE
+ # value: "quay.io/k8scsi/csi-provisioner:v1.3.0"
+ #- name: ROOK_CSI_SNAPSHOTTER_IMAGE
+ # value: "quay.io/k8scsi/csi-snapshotter:v1.2.0"
+ #- name: ROOK_CSI_ATTACHER_IMAGE
+ # value: "quay.io/k8scsi/csi-attacher:v1.2.0"
+ # kubelet directory path, if kubelet configured to use other than /var/lib/kubelet path.
+ #- name: ROOK_CSI_KUBELET_DIR_PATH
+ # value: "/var/lib/kubelet"
+ # (Optional) Ceph Provisioner NodeAffinity.
+ # - name: CSI_PROVISIONER_NODE_AFFINITY
+ # value: "role=storage-node; storage=rook, ceph"
+ # (Optional) CEPH CSI provisioner tolerations list. Put here list of taints you want to tolerate in YAML format.
+ # CSI provisioner would be best to start on the same nodes as other ceph daemons.
+ # - name: CSI_PROVISIONER_TOLERATIONS
+ # value: |
+ # - effect: NoSchedule
+ # key: node-role.kubernetes.io/controlplane
+ # operator: Exists
+ # - effect: NoExecute
+ # key: node-role.kubernetes.io/etcd
+ # operator: Exists
+ # (Optional) Ceph CSI plugin NodeAffinity.
+ # - name: CSI_PLUGIN_NODE_AFFINITY
+ # value: "role=storage-node; storage=rook, ceph"
+ # (Optional) CEPH CSI plugin tolerations list. Put here list of taints you want to tolerate in YAML format.
+ # CSI plugins need to be started on all the nodes where the clients need to mount the storage.
+ # - name: CSI_PLUGIN_TOLERATIONS
+ # value: |
+ # - effect: NoSchedule
+ # key: node-role.kubernetes.io/controlplane
+ # operator: Exists
+ # - effect: NoExecute
+ # key: node-role.kubernetes.io/etcd
+ # operator: Exists
+ # The name of the node to pass with the downward API
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ # The pod name to pass with the downward API
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ # The pod namespace to pass with the downward API
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumes:
+ - name: rook-config
+ emptyDir: {}
+ - name: default-config-dir
+ emptyDir: {}
+# OLM: END OPERATOR DEPLOYMENT
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/pool.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/pool.yaml.j2
new file mode 100644
index 0000000..0db4c51
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/pool.yaml.j2
@@ -0,0 +1,32 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+ name: "{{ rook_block_pool_name }}"
+ namespace: "{{ rook_namespace }}"
+spec:
+ # The failure domain will spread the replicas of the data across different failure zones
+ failureDomain: osd
+ # For a pool based on raw copies, specify the number of copies. A size of 1 indicates no redundancy.
+ replicated:
+ size: {{ rook_block_pool_replicas }}
+ # A key/value list of annotations
+ annotations:
+ # key: value
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/storageclass.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/storageclass.yaml.j2
new file mode 100644
index 0000000..21ada26
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/storageclass.yaml.j2
@@ -0,0 +1,40 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: "{{ rook_block_storage_name }}"
+ annotations:
+ storageclass.kubernetes.io/is-default-class: "true"
+provisioner: ceph.rook.io/block
+# Works for Kubernetes 1.14+
+allowVolumeExpansion: true
+parameters:
+ blockPool: "{{ rook_block_pool_name }}"
+ # Specify the namespace of the rook cluster from which to create volumes.
+ # If not specified, it will use `rook` as the default namespace of the cluster.
+ # This is also the namespace where the cluster will be
+ clusterNamespace: "{{ rook_namespace }}"
+ # Specify the filesystem type of the volume. If not specified, it will use `ext4`.
+ fstype: "{{ rook_block_storage_fs }}"
+ # (Optional) Specify an existing Ceph user that will be used for mounting storage with this StorageClass.
+ #mountUser: user1
+ # (Optional) Specify an existing Kubernetes secret name containing just one key holding the Ceph user secret.
+ # The secret must exist in each namespace(s) where the storage will be consumed.
+ #mountSecret: ceph-user1-secret
diff --git a/apps/ceph/kubespray/playbooks/roles/install/templates/toolbox.yaml.j2 b/apps/ceph/kubespray/playbooks/roles/install/templates/toolbox.yaml.j2
new file mode 100644
index 0000000..d828057
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/install/templates/toolbox.yaml.j2
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rook-ceph-tools
+ namespace: "{{ rook_namespace }}"
+ labels:
+ app: rook-ceph-tools
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rook-ceph-tools
+ template:
+ metadata:
+ labels:
+ app: rook-ceph-tools
+ spec:
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: rook-ceph-tools
+ image: "rook/ceph:{{ rook_version }}"
+ command: ["/tini"]
+ args: ["-g", "--", "/usr/local/bin/toolbox.sh"]
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: ROOK_ADMIN_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: rook-ceph-mon
+ key: admin-secret
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /dev
+ name: dev
+ - mountPath: /sys/bus
+ name: sysbus
+ - mountPath: /lib/modules
+ name: libmodules
+ - name: mon-endpoint-volume
+ mountPath: /etc/rook
+ # if hostNetwork: false, the "rbd map" command hangs, see https://github.com/rook/rook/issues/2021
+ hostNetwork: true
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: sysbus
+ hostPath:
+ path: /sys/bus
+ - name: libmodules
+ hostPath:
+ path: /lib/modules
+ - name: mon-endpoint-volume
+ configMap:
+ name: rook-ceph-mon-endpoints
+ items:
+ - key: data
+ path: mon-endpoints
diff --git a/apps/ceph/kubespray/playbooks/roles/prepare/files/clean-ceph-osd.sh b/apps/ceph/kubespray/playbooks/roles/prepare/files/clean-ceph-osd.sh
new file mode 100644
index 0000000..ed133fa
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/prepare/files/clean-ceph-osd.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+DISK="/dev/$1"
+# Zap the disk to a fresh, usable state (zap-all is important, b/c MBR has to be clean)
+# You will have to run this step for all disks.
+sgdisk --zap-all $DISK
+
+# These steps only have to be run once on each node
+# If rook sets up osds using ceph-volume, teardown leaves some devices mapped that lock the disks.
+ls /dev/mapper/ceph-* | xargs -I% -- dmsetup remove %
+# ceph-volume setup can leave ceph-<UUID> directories in /dev (unnecessary clutter)
+rm -rf /dev/ceph-*
diff --git a/apps/ceph/kubespray/playbooks/roles/prepare/tasks/main.yml b/apps/ceph/kubespray/playbooks/roles/prepare/tasks/main.yml
new file mode 100644
index 0000000..b56ec1e
--- /dev/null
+++ b/apps/ceph/kubespray/playbooks/roles/prepare/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+# ============LICENSE_START=======================================================
+# Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+- name: Install packages
+ action: >
+ {{ ansible_pkg_mgr }} name={{ item }} state=present update_cache=yes
+ with_items:
+ - "xfsprogs"
+ - "gdisk"
+
+- name: Remove existing rook data directories
+ file:
+ path: "{{ rook_data_dir_path }}"
+ state: absent
+ ignore_errors: yes
+ tags: reset
+
+- name: Remove existing rook storage directories
+ file:
+ path: "{{ rook_storage_dir_path }}"
+ state: absent
+ ignore_errors: yes
+ tags: reset
+
+- name: Remove existing rook ceph osds
+ script: "clean-ceph-osd.sh {{ rook_node_device_filter }}"
+ ignore_errors: yes
+ tags: reset
+
+# vim: set ts=2 sw=2 expandtab: