From 682dccd7de593753831a79d0ed5a44f79d7c0aac Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 14:52:58 -0700
Subject: [PATCH 1/8] (chonchon,elqui) migrate oods.cp vault from chonchon to elqui
---
 fleet/lib/external-secrets-conf/fleet.yaml | 10 +-----
 .../templates/cephobjectstoreuser-butler.yaml | 35 -------------------
 .../templates/cephobjectstoreuser-latiss.yaml | 35 -------------------
 .../cephobjectstoreuser-lsstcam.yaml | 35 -------------------
 .../cephobjectstoreuser-oods-latiss.yaml | 33 -----------------
 .../cephobjectstoreuser-oods-lsstcam.yaml | 33 -----------------
 6 files changed, 1 insertion(+), 180 deletions(-)
 delete mode 100644 fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-butler.yaml
 delete mode 100644 fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-latiss.yaml
 delete mode 100644 fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-lsstcam.yaml
 delete mode 100644 fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-latiss.yaml
 delete mode 100644 fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-lsstcam.yaml
diff --git a/fleet/lib/external-secrets-conf/fleet.yaml b/fleet/lib/external-secrets-conf/fleet.yaml
index a5dfeb9af..a2b462036 100644
--- a/fleet/lib/external-secrets-conf/fleet.yaml
+++ b/fleet/lib/external-secrets-conf/fleet.yaml
@@ -44,7 +44,7 @@ targetCustomizations:
 - key: management.cattle.io/cluster-display-name
 operator: In
 values:
- - chonchon
+ - elqui
 - konkong
 - ruka
 helm:
@@ -53,14 +53,6 @@ targetCustomizations:
 onepassword-oods:
 vaults:
 oods.${ .ClusterLabels.site }: 1
- - name: elqui # will replace chonchon
- clusterName: elqui
- helm:
- values:
- clusterSecretStores:
- onepassword-oods:
- vaults:
- oods.elqui: 1
 - name: pillan
 clusterName: pillan
 helm:
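Review bot: Folding `elqui` into the shared `cluster-display-name` target replaces the explicit `oods.elqui: 1` of the removed per-cluster entry with `oods.${ .ClusterLabels.site }: 1`, so the ClusterSecretStore now depends on the elqui cluster carrying a `site` label that resolves to the intended vault; if the label is absent the name renders as `oods.` and the store points at nothing. A one-line comment at the selector would make that dependency visible, e.g. `# elqui is expected to carry site=cp so that the store resolves to the oods.cp vault`. The chonchon PushSecrets deleted in the following hunks pushed `butler`, `latiss`, `lsstcam`, `oods-latiss` and `oods-lsstcam` into that same store, and removing a PushSecret leaves the remote item in place unless `deletionPolicy: Delete` was set, which these did not; the chonchon key pairs therefore stay in the vault until an elqui PushSecret with the same remoteKey overwrites them or they are cleaned up by hand, and the migration should state which of the two is intended.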
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-butler.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-butler.yaml
deleted file mode 100644
index b7b635f4f..000000000
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-butler.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
- name: butler
- namespace: rook-ceph
-spec:
- store: lfa
- clusterNamespace: rook-ceph
- quotas:
- maxBuckets: 2
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- name: rook-ceph-object-user-lfa-butler
- namespace: rook-ceph
-spec:
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword-oods
- selector:
- secret:
- name: rook-ceph-object-user-lfa-butler
- data:
- - match:
- secretKey: AccessKey
- remoteRef:
- remoteKey: butler
- property: AWS_ACCESS_KEY_ID
- - match:
- secretKey: SecretKey
- remoteRef:
- remoteKey: butler
- property: AWS_SECRET_ACCESS_KEY
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-latiss.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-latiss.yaml
deleted file mode 100644
index 126e4e9ec..000000000
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-latiss.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
- name: latiss
- namespace: rook-ceph
-spec:
- store: lfa
- clusterNamespace: rook-ceph
- quotas:
- maxBuckets: 1
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- name: rook-ceph-object-user-lfa-latiss
- namespace: rook-ceph
-spec:
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword-oods
- selector:
- secret:
- name: rook-ceph-object-user-lfa-latiss
- data:
- - match:
- secretKey: AccessKey
- remoteRef:
- remoteKey: latiss
- property: AWS_ACCESS_KEY_ID
- - match:
- secretKey: SecretKey
- remoteRef:
- remoteKey: latiss
- property: AWS_SECRET_ACCESS_KEY
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-lsstcam.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-lsstcam.yaml
deleted file mode 100644
index a09e0ec6a..000000000
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-lsstcam.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
- name: lsstcam
- namespace: rook-ceph
-spec:
- store: lfa
- clusterNamespace: rook-ceph
- quotas:
- maxBuckets: 1
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- name: rook-ceph-object-user-lfa-lsstcam
- namespace: rook-ceph
-spec:
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword-oods
- selector:
- secret:
- name: rook-ceph-object-user-lfa-lsstcam
- data:
- - match:
- secretKey: AccessKey
- remoteRef:
- remoteKey: lsstcam
- property: AWS_ACCESS_KEY_ID
- - match:
- secretKey: SecretKey
- remoteRef:
- remoteKey: lsstcam
- property: AWS_SECRET_ACCESS_KEY
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-latiss.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-latiss.yaml
deleted file mode 100644
index c23ee2c1a..000000000
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-latiss.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
- name: oods-latiss
- namespace: rook-ceph
-spec:
- store: lfa
- clusterNamespace: rook-ceph
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- name: rook-ceph-object-user-lfa-oods-latiss
- namespace: rook-ceph
-spec:
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword-oods
- selector:
- secret:
- name: rook-ceph-object-user-lfa-oods-latiss
- data:
- - match:
- secretKey: AccessKey
- remoteRef:
- remoteKey: oods-latiss
- property: AWS_ACCESS_KEY_ID
- - match:
- secretKey: SecretKey
- remoteRef:
- remoteKey: oods-latiss
- property: AWS_SECRET_ACCESS_KEY
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-lsstcam.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-lsstcam.yaml
deleted file mode 100644
index d605c47ad..000000000
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstoreuser-oods-lsstcam.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
- name: oods-lsstcam
- namespace: rook-ceph
-spec:
- store: lfa
- clusterNamespace: rook-ceph
----
-apiVersion: external-secrets.io/v1alpha1
-kind: PushSecret
-metadata:
- name: rook-ceph-object-user-lfa-oods-lsstcam
- namespace: rook-ceph
-spec:
- secretStoreRefs:
- - kind: ClusterSecretStore
- name: onepassword-oods
- selector:
- secret:
- name: rook-ceph-object-user-lfa-oods-lsstcam
- data:
- - match:
- secretKey: AccessKey
- remoteRef:
- remoteKey: oods-lsstcam
- property: AWS_ACCESS_KEY_ID
- - match:
- secretKey: SecretKey
- remoteRef:
- remoteKey: oods-lsstcam
- property: AWS_SECRET_ACCESS_KEY
From b78a3c1a2d84e044951783eaee9997786ee19d7d Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 14:54:59 -0700
Subject: [PATCH 2/8] (elqui) add lfa rubintv user
---
 .../cephobjectstoreuser-rubintv.yaml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-rubintv.yaml
diff --git a/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-rubintv.yaml b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-rubintv.yaml
new file mode 100644
index 000000000..29a517b3a
--- /dev/null
+++ b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-rubintv.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+ name: rubintv
+ namespace: rook-ceph
+spec:
+ store: lfa
+ clusterNamespace: rook-ceph
+ quotas:
+ maxBuckets: 1
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: rook-ceph-object-user-lfa-rubintv
+ namespace: rook-ceph
+spec:
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: onepassword-oods
+ selector:
+ secret:
+ name: rook-ceph-object-user-lfa-rubintv
+ data:
+ - match:
+ secretKey: AccessKey
+ remoteRef:
+ remoteKey: rubintv
+ property: AWS_ACCESS_KEY_ID
+ - match:
+ secretKey: SecretKey
+ remoteRef:
+ remoteKey: rubintv
+ property: AWS_SECRET_ACCESS_KEY
From 678ebe096b9c76d6a060bbc3bf2139272177f1e5 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 14:57:49 -0700
Subject: [PATCH 3/8] (elqui) add lfa s3lhn user
---
 .../templates/cephobjectstoreuser-s3lhn.yaml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-s3lhn.yaml
diff --git a/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-s3lhn.yaml b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-s3lhn.yaml
new file mode 100644
index 000000000..026a7923d
--- /dev/null
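Review bot: The `rubintv` PushSecret sets neither `updatePolicy` nor `deletionPolicy`, so it runs on the defaults (as far as I recall, `Replace` and `None`): the RGW key pair in `rook-ceph-object-user-lfa-rubintv` is pushed into the `onepassword-oods` store on every change, but the vault item outlives the CephObjectStoreUser if this file is ever removed, which is exactly the loose end the chonchon deletions in patch 1 leave behind. Making the retention explicit, `deletionPolicy: Delete` when the item should go with the user, or a comment stating that items are deliberately kept, would spare the next migration a manual vault cleanup. The same applies to the `s3lhn` and `saluser` PushSecrets in the following two hunks. As a point of style, the three files differ only in the user name and `maxBuckets`; a named template taking those two values would remove the copy-paste and keep the PushSecret wiring in one place.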
+++ b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-s3lhn.yaml
@@ -0,0 +1,37 @@
+---
+# XXX this user should be read-only. E.g.:
+# radosgw-admin user create --uid=s3lhn --display-name=s3lhn --max-buckets 0 --op-mask=read ...
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+ name: s3lhn
+ namespace: rook-ceph
+spec:
+ store: lfa
+ clusterNamespace: rook-ceph
+ quotas:
+ maxBuckets: 0
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: rook-ceph-object-user-lfa-s3lhn
+ namespace: rook-ceph
+spec:
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: onepassword-oods
+ selector:
+ secret:
+ name: rook-ceph-object-user-lfa-s3lhn
+ data:
+ - match:
+ secretKey: AccessKey
+ remoteRef:
+ remoteKey: s3lhn
+ property: AWS_ACCESS_KEY_ID
+ - match:
+ secretKey: SecretKey
+ remoteRef:
+ remoteKey: s3lhn
+ property: AWS_SECRET_ACCESS_KEY
From 9a2873971b258c64c2271c966dd5320645f5f8ec Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 14:58:31 -0700
Subject: [PATCH 4/8] (elqui) add lfa saluser user
---
 .../cephobjectstoreuser-saluser.yaml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-saluser.yaml
diff --git a/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-saluser.yaml b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-saluser.yaml
new file mode 100644
index 000000000..220049328
--- /dev/null
+++ b/fleet/lib/rook-ceph-conf/charts/elqui/templates/cephobjectstoreuser-saluser.yaml
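Review bot: `maxBuckets: 0` only prevents `s3lhn` from creating buckets; it does not make the user read-only, and the `# XXX` comment concedes that the `--op-mask=read` setting it quotes has no equivalent in the CephObjectStoreUser spec as used here. The control that actually limits this user is the bucket policy patch 5 moves to `rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-policy.json` (formerly `ro-policy.json`), so the comment should point at that rather than at a command nobody runs, e.g. `# read-only access for s3lhn is enforced by the rubinobs-lfa-cp bucket policy (rke2/elqui/rook-ceph/s3), not by this CR; op-mask is applied out of band if at all`. Until op-mask is set on the RGW side, any bucket whose policy grants this principal write access is writable with the key pair this file pushes to the vault, so reviewing that policy belongs to the rollout of this user.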
@@ -0,0 +1,35 @@
+---
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+ name: saluser
+ namespace: rook-ceph
+spec:
+ store: lfa
+ clusterNamespace: rook-ceph
+ quotas:
+ maxBuckets: 1
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+ name: rook-ceph-object-user-lfa-saluser
+ namespace: rook-ceph
+spec:
+ secretStoreRefs:
+ - kind: ClusterSecretStore
+ name: onepassword-oods
+ selector:
+ secret:
+ name: rook-ceph-object-user-lfa-saluser
+ data:
+ - match:
+ secretKey: AccessKey
+ remoteRef:
+ remoteKey: saluser
+ property: AWS_ACCESS_KEY_ID
+ - match:
+ secretKey: SecretKey
+ remoteRef:
+ remoteKey: saluser
+ property: AWS_SECRET_ACCESS_KEY
From dd971f5d3ee2ab57ca3a027ded0a4d945abc0e1b Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 15:05:18 -0700
Subject: [PATCH 5/8] (chonchon,elqui) migrate bucket policy to elqui
---
 chonchon/rook-ceph/s3/README.md | 13 -------------
 rke2/elqui/rook-ceph/s3/README.md | 15 +++++++++++++++
 .../rook-ceph/s3/rubinobs-lfa-cp-lifecycle.json | 0
 .../rook-ceph/s3/rubinobs-lfa-cp-policy.json | 0
 4 files changed, 15 insertions(+), 13 deletions(-)
 delete mode 100644 chonchon/rook-ceph/s3/README.md
 create mode 100644 rke2/elqui/rook-ceph/s3/README.md
 rename chonchon/rook-ceph/s3/lfa-cp-lifecycle.json => rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-lifecycle.json (100%)
 rename chonchon/rook-ceph/s3/ro-policy.json => rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-policy.json (100%)
diff --git a/chonchon/rook-ceph/s3/README.md b/chonchon/rook-ceph/s3/README.md
deleted file mode 100644
index 07a76b332..000000000
--- a/chonchon/rook-ceph/s3/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Lifecycle
-
-## Lifecycle Policy Configuration for Buckets
-
-```bash
-aws s3api put-bucket-lifecycle-configuration --profile lfa-cp --no-verify-ssl --region lfa --bucket rubinobs-lfa-cp --lifecycle-configuration file://lfa-cp-lifecycle.json
-```
-
-## Check Current Policy
-
-```bash
-aws s3api get-bucket-lifecycle-configuration --profile lfa-cp --no-verify-ssl --region lfa --bucket rubinobs-lfa-cp
-```
diff --git a/rke2/elqui/rook-ceph/s3/README.md b/rke2/elqui/rook-ceph/s3/README.md
new file mode 100644
index 000000000..a8181db5c
--- /dev/null
+++ b/rke2/elqui/rook-ceph/s3/README.md
@@ -0,0 +1,15 @@
+# Lifecycle
+
+## Lifecycle Policy Configuration
+
+```bash
+aws s3api put-bucket-lifecycle-configuration --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org --lifecycle-configuration file://rubinobs-lfa-cp-lifecycle.json
+aws s3api get-bucket-lifecycle-configuration --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org
+```
+
+## Bucket Policy Configuration
+
+```bash
+aws s3api put-bucket-policy --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org --policy file://rubinobs-lfa-cp-policy.json
+aws s3api get-bucket-policy --region lfa --bucket rubinobs-lfa-cp --ca-bundle /etc/ssl/certs/ca-bundle.crt --endpoint-url https://s3.elqui.cp.lsst.org
+```
diff --git a/chonchon/rook-ceph/s3/lfa-cp-lifecycle.json b/rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-lifecycle.json
similarity index 100%
rename from chonchon/rook-ceph/s3/lfa-cp-lifecycle.json
rename to rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-lifecycle.json
diff --git a/chonchon/rook-ceph/s3/ro-policy.json b/rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-policy.json
similarity index 100%
rename from chonchon/rook-ceph/s3/ro-policy.json
rename to rke2/elqui/rook-ceph/s3/rubinobs-lfa-cp-policy.json
From d6f71ada23bb07326d10a37d0eea080c646d5995 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Thu, 21 Nov 2024 16:02:26 -0700
Subject: [PATCH 6/8] (fleet/external-secrets-conf) rm unreachable ruka target
The ruka cluster will match the oods-cluster target with higher precedence.
---
 fleet/lib/external-secrets-conf/fleet.yaml | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/fleet/lib/external-secrets-conf/fleet.yaml b/fleet/lib/external-secrets-conf/fleet.yaml
index a2b462036..06ac620eb 100644
--- a/fleet/lib/external-secrets-conf/fleet.yaml
+++ b/fleet/lib/external-secrets-conf/fleet.yaml
@@ -64,11 +64,3 @@ targetCustomizations:
 onepassword-ccs:
 vaults:
 ccs: 1
- - name: ruka
- clusterName: ruka
- helm:
- values:
- clusterSecretStores:
- onepassword-ruka:
- vaults:
- ruka.dev: 1
From cee700f36064489a0eb9cba9004028121dce55c3 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Fri, 22 Nov 2024 08:51:39 -0700
Subject: [PATCH 7/8] (chonchon) add ingress for s3.chonchon.cp.lsst.org
---
 .../templates/cephobjectstore-lfa.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-lfa.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-lfa.yaml
index 0b41858b3..fb2862bd8 100644
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-lfa.yaml
+++ b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-lfa.yaml
@@ -60,6 +60,32 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
+metadata:
+ name: rook-ceph-rgw-ingress-lfa-chonchon
+ namespace: rook-ceph
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+spec:
+ tls:
+ - hosts:
+ - s3.chonchon.cp.lsst.org
+ secretName: rook-ceph-rgw-ingress-lfa-chonchon-tls
+ rules:
+ - host: s3.chonchon.cp.lsst.org
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rook-ceph-rgw-lfa
+ port:
+ number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
 metadata:
 name: rook-ceph-rgw-ingress-lfa-lhn
 namespace: rook-ceph
From 4c510d392cb30dfa9f51db4ffcd2a65def783269 Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Fri, 22 Nov 2024 08:58:31 -0700
Subject: [PATCH 8/8] (chonchon) add ingress for s3.rubintv.chonchon.cp.lsst.org
---
 .../templates/cephobjectstore-rubintv.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-rubintv.yaml b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-rubintv.yaml
index c7bf24cfb..3445e818f 100644
--- a/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-rubintv.yaml
+++ b/fleet/lib/rook-ceph-conf/charts/chonchon/templates/cephobjectstore-rubintv.yaml
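Review bot: The new `rook-ceph-rgw-ingress-lfa-chonchon` Ingress selects its controller with the `kubernetes.io/ingress.class: nginx` annotation, which is the deprecated pre-`networking.k8s.io/v1` mechanism; the supported field on this apiVersion is `spec.ingressClassName: nginx`, and a cluster where an annotation-matching and a class-matching controller coexist can end up serving the host from both. The sibling `rook-ceph-rgw-ingress-lfa-lhn` object starts at the bottom of the hunk and its annotations are outside it, so if the file keeps the annotation form deliberately for an older controller the two should at least agree and carry a comment saying why; otherwise `ingressClassName` is the portable choice. The same point applies to the rubintv Ingress added in the last patch. TLS for `s3.chonchon.cp.lsst.org` is terminated at nginx and the backend is `rook-ceph-rgw-lfa` on port 80, so the RGW sees plaintext inside the cluster; that is a normal choice for a trusted node network but is worth one line of comment at the backend so nobody later assumes end-to-end encryption.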
@@ -56,3 +56,29 @@ spec:
 name: rook-ceph-rgw-rubintv
 port:
 number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: rook-ceph-rgw-ingress-rubintv-chonchon
+ namespace: rook-ceph
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/proxy-body-size: 1024m
+spec:
+ tls:
+ - hosts:
+ - s3.rubintv.chonchon.cp.lsst.org
+ secretName: rook-ceph-rgw-ingress-rubintv-chonchon-tls
+ rules:
+ - host: s3.rubintv.chonchon.cp.lsst.org
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rook-ceph-rgw-rubintv
+ port:
+ number: 80