| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131 |
- apiVersion: apps/v1
- kind: Deployment
- metadata:
- name: rook-ceph-tools
- labels:
- app: rook-ceph-tools
- spec:
- replicas: 1
- selector:
- matchLabels:
- app: rook-ceph-tools
- template:
- metadata:
- labels:
- app: rook-ceph-tools
- spec:
- dnsPolicy: ClusterFirstWithHostNet
- containers:
- - name: rook-ceph-tools
- image: quay.io/ceph/ceph:v17.2.6
- command:
- - /bin/bash
- - -c
- - |
- # Replicate the script from toolbox.sh inline so the ceph image
- # can be run directly, instead of requiring the rook toolbox
- CEPH_CONFIG="/etc/ceph/ceph.conf"
- MON_CONFIG="/etc/rook/mon-endpoints"
- KEYRING_FILE="/etc/ceph/keyring"
- # create a ceph config file in its default location so ceph/rados tools can be used
- # without specifying any arguments
- write_endpoints() {
- endpoints=$(cat ${MON_CONFIG})
- # filter out the mon names
- # external cluster can have numbers or hyphens in mon names, handling them in regex
- # shellcheck disable=SC2001
- mon_endpoints=$(echo "${endpoints}"| sed 's/[a-z0-9_-]\+=//g')
- DATE=$(date)
- echo "$DATE writing mon endpoints to ${CEPH_CONFIG}: ${endpoints}"
- cat <<EOF > ${CEPH_CONFIG}
- [global]
- mon_host = ${mon_endpoints}
- [client.admin]
- keyring = ${KEYRING_FILE}
- EOF
- }
- # watch the endpoints config file and update if the mon endpoints ever change
- watch_endpoints() {
- # get the timestamp for the target of the soft link
- real_path=$(realpath ${MON_CONFIG})
- initial_time=$(stat -c %Z "${real_path}")
- while true; do
- real_path=$(realpath ${MON_CONFIG})
- latest_time=$(stat -c %Z "${real_path}")
- if [[ "${latest_time}" != "${initial_time}" ]]; then
- write_endpoints
- initial_time=${latest_time}
- fi
- sleep 10
- done
- }
- # read the secret from an env var (for backward compatibility), or from the secret file
- ceph_secret=${ROOK_CEPH_SECRET}
- if [[ "$ceph_secret" == "" ]]; then
- ceph_secret=$(cat /var/lib/rook-ceph-mon/secret.keyring)
- fi
- # create the keyring file
- cat <<EOF > ${KEYRING_FILE}
- [${ROOK_CEPH_USERNAME}]
- key = ${ceph_secret}
- EOF
- # write the initial config file
- write_endpoints
- # continuously update the mon endpoints if they fail over
- watch_endpoints
- imagePullPolicy: IfNotPresent
- tty: true
- securityContext:
- seccompProfile:
- type: RuntimeDefault
- runAsNonRoot: false
- runAsUser: 0
- runAsGroup: 0
- capabilities:
- drop: ["ALL"]
- env:
- - name: ROOK_CEPH_USERNAME
- valueFrom:
- secretKeyRef:
- name: rook-ceph-mon
- key: ceph-username
- volumeMounts:
- - mountPath: /etc/ceph
- name: ceph-config
- - name: mon-endpoint-volume
- mountPath: /etc/rook
- - name: ceph-admin-secret
- mountPath: /var/lib/rook-ceph-mon
- readOnly: true
- volumes:
- - name: ceph-admin-secret
- secret:
- secretName: rook-ceph-mon
- optional: false
- items:
- - key: ceph-secret
- path: secret.keyring
- - name: mon-endpoint-volume
- configMap:
- name: rook-ceph-mon-endpoints
- items:
- - key: data
- path: mon-endpoints
- - name: ceph-config
- emptyDir: {}
- tolerations:
- - key: "node.kubernetes.io/unreachable"
- operator: "Exists"
- effect: "NoExecute"
- tolerationSeconds: 5
|
