Ceph
- Rook
- Quickstart
- Prerequisites
- Authenticated Registries
- Pod Security Policies
- Ceph Storage
- Admission Controller
- Examples
- OpenShift
- Block Storage
- Object Storage
- Object Multisite
- Shared Filesystem
- Ceph Dashboard
- Prometheus Monitoring
- Cluster CRD
- Block Pool CRD
- Object Store CRD
- Object Multisite CRDs
- Object Bucket Claim
- Object Store User CRD
- Bucket Notifications
- Shared Filesystem CRD
- NFS CRD
- Ceph CSI
- RBD Mirroring
- Failover and Failback
- Volume clone
- Snapshots
- RBDMirror CRD
- Client CRD
- FilesystemMirror CRD
- SubVolumeGroup CRD
- Key Management System
- Configuration
- Upgrades
- Cleanup
- Helm Charts
- Common Issues
- Ceph Tools
- Contributing
PLEASE NOTE: This document applies to v1.8 version and not to the latest stable release v1.9
Authenticated docker registries
If you want to use an image from authenticated docker registry (e.g. for image cache/mirror), you’ll need to
add an imagePullSecret to all relevant service accounts. This way all pods created by the operator (for service account:
rook-ceph-system) or all new pods in the namespace (for service account: default) will have the imagePullSecret added
to their spec.
The whole process is described in the official kubernetes documentation.
Example setup for a ceph cluster
To get you started, here’s a quick rundown for the ceph example from the quickstart guide.
First, we’ll create the secret for our registry as described here:
# for namespace rook-ceph
$ kubectl -n rook-ceph create secret docker-registry my-registry-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
# and for namespace rook-ceph (cluster)
$ kubectl -n rook-ceph create secret docker-registry my-registry-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
Next we’ll add the following snippet to all relevant service accounts as described here:
imagePullSecrets:
- name: my-registry-secret
The service accounts are:
rook-ceph-system(namespace:rook-ceph): Will affect all pods created by the rook operator in therook-cephnamespace.default(namespace:rook-ceph): Will affect most pods in therook-cephnamespace.rook-ceph-mgr(namespace:rook-ceph): Will affect the MGR pods in therook-cephnamespace.rook-ceph-osd(namespace:rook-ceph): Will affect the OSD pods in therook-cephnamespace.
You can do it either via e.g. kubectl -n <namespace> edit serviceaccount default or by modifying the operator.yaml
and cluster.yaml before deploying them.
Since it’s the same procedure for all service accounts, here is just one example:
kubectl -n rook-ceph edit serviceaccount default
apiVersion: v1
kind: ServiceAccount
metadata:
name: default
namespace: rook-ceph
secrets:
- name: default-token-12345
imagePullSecrets: # here are the new
- name: my-registry-secret # parts
After doing this for all service accounts all pods should be able to pull the image from your registry.