Merge pull request #706 from lsst-it/IT-5771/migrate-chonchon-to-elqui

(chonchon,elqui) prepare to migrate s3.cp.lsst.org chonchon -> elqui

fleet/lib/external-secrets-conf/fleet.yaml

@@ -44,7 +44,7 @@ targetCustomizations:
         - key: management.cattle.io/cluster-display-name
           operator: In
           values:
-            - chonchon
+            - elqui
             - konkong
             - ruka
     helm:
@@ -53,14 +53,6 @@ targetCustomizations:
           onepassword-oods:
             vaults:
               oods.${ .ClusterLabels.site }: 1
-  - name: elqui  # will replace chonchon
-    clusterName: elqui
-    helm:
-      values:
-        clusterSecretStores:
-          onepassword-oods:
-            vaults:
-              oods.elqui: 1
   - name: pillan
     clusterName: pillan
     helm:
@@ -72,11 +64,3 @@ targetCustomizations:
           onepassword-ccs:
             vaults:
               ccs: 1
-  - name: ruka
-    clusterName: ruka
-    helm:
-      values:
-        clusterSecretStores:
-          onepassword-ruka:
-            vaults:
-              ruka.dev: 1

fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-lfa.yaml

@@ -60,6 +60,32 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
+metadata:
+  name: rook-ceph-rgw-ingress-lfa-chonchon
+  namespace: rook-ceph
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+spec:
+  tls:
+    - hosts:
+        - s3.chonchon.cp.lsst.org
+      secretName: rook-ceph-rgw-ingress-lfa-chonchon-tls
+  rules:
+    - host: s3.chonchon.cp.lsst.org
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: rook-ceph-rgw-lfa
+                port:
+                  number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
   name: rook-ceph-rgw-ingress-lfa-lhn
   namespace: rook-ceph

fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-rubintv.yaml

@@ -56,3 +56,29 @@ spec:
             name: rook-ceph-rgw-rubintv
             port:
               number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rook-ceph-rgw-ingress-rubintv-chonchon
+  namespace: rook-ceph
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+spec:
+  tls:
+  - hosts:
+    - s3.rubintv.chonchon.cp.lsst.org
+    secretName: rook-ceph-rgw-ingress-rubintv-chonchon-tls
+  rules:
+  - host: s3.rubintv.chonchon.cp.lsst.org
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: rook-ceph-rgw-rubintv
+            port:
+              number: 80

fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-latiss.yaml → fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-rubintv.yaml

@@ -2,7 +2,7 @@
 apiVersion: ceph.rook.io/v1
 kind: CephObjectStoreUser
 metadata:
-  name: latiss
+  name: rubintv
   namespace: rook-ceph
 spec:
   store: lfa
@@ -13,23 +13,23 @@ spec:
 apiVersion: external-secrets.io/v1alpha1
 kind: PushSecret
 metadata:
-  name: rook-ceph-object-user-lfa-latiss
+  name: rook-ceph-object-user-lfa-rubintv
   namespace: rook-ceph
 spec:
   secretStoreRefs:
     - kind: ClusterSecretStore
       name: onepassword-oods
   selector:
     secret:
-      name: rook-ceph-object-user-lfa-latiss
+      name: rook-ceph-object-user-lfa-rubintv
   data:
     - match:
         secretKey: AccessKey
         remoteRef:
-          remoteKey: latiss
+          remoteKey: rubintv
           property: AWS_ACCESS_KEY_ID
     - match:
         secretKey: SecretKey
         remoteRef:
-          remoteKey: latiss
+          remoteKey: rubintv
           property: AWS_SECRET_ACCESS_KEY

fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-butler.yaml → fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-s3lhn.yaml

@@ -1,35 +1,37 @@
 ---
+# XXX this user should be read-only. E.g.:
+# radosgw-admin user create --uid=s3lhn --display-name=s3lhn --max-buckets 0 --op-mask=read ...
 apiVersion: ceph.rook.io/v1
 kind: CephObjectStoreUser
 metadata:
-  name: butler
+  name: s3lhn
   namespace: rook-ceph
 spec:
   store: lfa
   clusterNamespace: rook-ceph
   quotas:
-    maxBuckets: 2
+    maxBuckets: 0
 ---
 apiVersion: external-secrets.io/v1alpha1
 kind: PushSecret
 metadata:
-  name: rook-ceph-object-user-lfa-butler
+  name: rook-ceph-object-user-lfa-s3lhn
   namespace: rook-ceph
 spec:
   secretStoreRefs:
     - kind: ClusterSecretStore
       name: onepassword-oods
   selector:
     secret:
-      name: rook-ceph-object-user-lfa-butler
+      name: rook-ceph-object-user-lfa-s3lhn
   data:
     - match:
         secretKey: AccessKey
         remoteRef:
-          remoteKey: butler
+          remoteKey: s3lhn
           property: AWS_ACCESS_KEY_ID
     - match:
         secretKey: SecretKey
         remoteRef:
-          remoteKey: butler
+          remoteKey: s3lhn
           property: AWS_SECRET_ACCESS_KEY

fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-lsstcam.yaml → fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-saluser.yaml

@@ -2,7 +2,7 @@
 apiVersion: ceph.rook.io/v1
 kind: CephObjectStoreUser
 metadata:
-  name: lsstcam
+  name: saluser
   namespace: rook-ceph
 spec:
   store: lfa
@@ -13,23 +13,23 @@ spec:
 apiVersion: external-secrets.io/v1alpha1
 kind: PushSecret
 metadata:
-  name: rook-ceph-object-user-lfa-lsstcam
+  name: rook-ceph-object-user-lfa-saluser
   namespace: rook-ceph
 spec:
   secretStoreRefs:
     - kind: ClusterSecretStore
       name: onepassword-oods
   selector:
     secret:
-      name: rook-ceph-object-user-lfa-lsstcam
+      name: rook-ceph-object-user-lfa-saluser
   data:
     - match:
         secretKey: AccessKey
         remoteRef:
-          remoteKey: lsstcam
+          remoteKey: saluser
           property: AWS_ACCESS_KEY_ID
     - match:
         secretKey: SecretKey
         remoteRef:
-          remoteKey: lsstcam
+          remoteKey: saluser
           property: AWS_SECRET_ACCESS_KEY

rke2/elqui/rook-ceph/s3/README.md

@@ -0,0 +1,15 @@
+# Lifecycle
+
+## Lifecycle Policy Configuration
+
+```bash
+aws s3api put-bucket-lifecycle-configuration --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org --lifecycle-configuration file://rubinobs-lfa-cp-lifecycle.json
+aws s3api get-bucket-lifecycle-configuration --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org
+```
+
+## Bucket Policy Configuration
+
+```bash
+aws s3api put-bucket-policy --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org --policy file://rubinobs-lfa-cp-policy.json
+aws s3api get-bucket-policy --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org
+```