Red Hat Summit4.4. Distributing Ceph secret keys across sites
When you deploy a distributed compute node (DCN) environment with multiple Red Hat Ceph Storage backends, you create a Ceph authentication key for each backend. Limiting key distribution to only necessary credentials minimizes security exposure at each location.
- Add the key for each Ceph backend to the secret for the default location.
- Add the key for the default Ceph backend, as well as the local ceph backend for each additional location.
For three locations, az0, az1, and az2, you must have three secrets. Locations az1 and az2 each have keys for the local backend as well as the keys for az0. Location az0 contains all Ceph back end keys.
You create the required secrets after Ceph has been deployed at each edge location, and the keyring and configuration file for each has been collected. Alternatively, you can deploy each Ceph backend as needed, and update secrets with each edge deployment.
Procedure
Create a secret for location
az0.If you have already deployed Red Hat Ceph Storage (RHCS) at all edge sites which require storage, create a secret for
az0which contains all keyrings andconffiles:oc create secret generic ceph-conf-az-0 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf \ --from-file=az1.client.openstack.keyring \ --from-file=az1.conf \ --from-file=az2.client.openstack.keyring \ --from-file=az2.conf -n openstackIf you have not deployed RHCS at all edge sites, create a secret for
az0which contains the keyring andconffile foraz0:oc create secret generic ceph-conf-az-0 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf -n openstack
When you deploy RHCS at the edge location at availability zone 1 (
az1), create a secret for locationaz1which contains keyrings andconffiles for the local backend, and the default backend:oc create secret generic ceph-conf-az-1 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf \ --from-file=az1.client.openstack.keyring \ --from-file=az1.conf -n openstackIf needed, update the secret for the central location:
oc delete secret ceph-conf-az-0 -n openstack oc create secret generic ceph-conf-az-0 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf \ --from-file=az1.client.openstack.keyring \ --from-file=az1.conf -n openstackWhen you deploy RHCS at the edge location at availability zone 2 (
az2) create a secret for locationaz2which contains keyrings andconffiles for the local backend, and the default backend:oc create secret generic ceph-conf-az-2 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf \ --from-file=az2.client.openstack.keyring \ --from-file=az2.conf -n openstackIf needed, update the secret for the central location:
oc delete secret ceph-conf-az-0 -n openstack oc create secret generic ceph-conf-az-0 \ --from-file=az0.client.openstack.keyring \ --from-file=az0.conf \ --from-file=az1.client.openstack.keyring \ --from-file=az1.conf \ --from-file=az1.client.openstack.keyring \ --from-file=az1.conf \ --from-file=az2.client.openstack.keyring \ --from-file=az2.conf[Optional] When you have finished creating the necessary keys, you can verify that they show up in the
openstacknamespace:oc get secret -n openstack -o name | grep ceph-confExample output:
secret/ceph-conf-az-0 secret/ceph-conf-az-1 secret/ceph-conf-az-2When you create an
OpenStackDataPlaneNodeSet, use the appropriate key under theextraMountsfield:apiVersion: dataplane.openstack.org/v1beta1 kind: OpenStackDataPlaneNodeSet metadata: name: openstack-edpm-dcn-0 namespace: openstack spec: ... nodeTemplate: extraMounts: - extraVolType: Ceph volumes: - name: ceph secret: secretName: ceph-conf-az-0 mounts: - name: ceph mountPath: "/etc/ceph" readOnly: trueWhen you create a data plane NodeSet, you must also update the
OpenStackControlPlanecustom resource (CR) with the secret name:apiVersion: core.openstack.org/v1beta1 kind: OpenStackControlPlane spec: extraMounts: - name: v1 region: r1 extraVol: - propagation: - az0 - CinderBackup extraVolType: Ceph volumes: - name: ceph secret: name: ceph-conf-az-0 mounts: - name: ceph mountPath: "/etc/ceph" readOnly: true - propagation: - az1 extraVolType: Ceph volumes: - name: ceph secret: name: ceph-conf-az-1 mounts: - name: ceph mountPath: "/etc/ceph" readOnly: true ...참고If the
CinderBackupservice is a part of the deployment, then you must include it in the propagation list because it does not have the availability zone in its pod name.When you update the
glanceAPIsfield in theOpenStackControlPlaneCR, the Image service (glance) pod name matches theextraMounts propagationinstances:glanceAPIs: az0: customServiceConfig: | ... az1: customServiceConfig: | ...When you update the
cinderVolumesfield in theOpenStackControlPlaneCR, the Block Storage service (cinder) pod names must also match theextraMounts propagationinstances:kind: OpenStackControlPlane spec: <...> cinder <...> cinderVolumes: az0: <...> az1: <...>
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}