-
Notifications
You must be signed in to change notification settings - Fork 2.7k
/
rgw.go
367 lines (312 loc) · 13.5 KB
/
rgw.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
/*
Copyright 2016 The Rook Authors. All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package object for the Ceph object store.
package object
import (
"fmt"
"io/ioutil"
"net/http"
"reflect"
"syscall"
"github.com/banzaicloud/k8s-objectmatcher/patch"
"github.com/pkg/errors"
cephv1 "github.com/rook/rook/pkg/apis/ceph.rook.io/v1"
"github.com/rook/rook/pkg/clusterd"
cephclient "github.com/rook/rook/pkg/daemon/ceph/client"
"github.com/rook/rook/pkg/operator/ceph/cluster/mon"
"github.com/rook/rook/pkg/operator/ceph/config"
"github.com/rook/rook/pkg/operator/ceph/pool"
"github.com/rook/rook/pkg/operator/k8sutil"
"github.com/rook/rook/pkg/util/exec"
v1 "k8s.io/api/core/v1"
kerrors "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
)
type clusterConfig struct {
context *clusterd.Context
clusterInfo *cephclient.ClusterInfo
store *cephv1.CephObjectStore
rookVersion string
clusterSpec *cephv1.ClusterSpec
ownerInfo *k8sutil.OwnerInfo
DataPathMap *config.DataPathMap
client client.Client
}
type rgwConfig struct {
ResourceName string
DaemonID string
Realm string
ZoneGroup string
Zone string
}
var updateDeploymentAndWait = mon.UpdateCephDeploymentAndWait
func (c *clusterConfig) createOrUpdateStore(realmName, zoneGroupName, zoneName string) error {
logger.Infof("creating object store %q in namespace %q", c.store.Name, c.store.Namespace)
if err := c.startRGWPods(realmName, zoneGroupName, zoneName); err != nil {
return errors.Wrap(err, "failed to start rgw pods")
}
objContext := NewContext(c.context, c.clusterInfo, c.store.Namespace)
err := enableRGWDashboard(objContext)
if err != nil {
logger.Warningf("failed to enable dashboard for rgw. %v", err)
}
logger.Infof("created object store %q in namespace %q", c.store.Name, c.store.Namespace)
return nil
}
func (c *clusterConfig) startRGWPods(realmName, zoneGroupName, zoneName string) error {
// backward compatibility, triggered during updates
if c.store.Spec.Gateway.Instances < 1 {
// Set the minimum of at least one instance
logger.Warning("spec.gateway.instances must be set to at least 1")
c.store.Spec.Gateway.Instances = 1
}
// start a new deployment and scale up
desiredRgwInstances := int(c.store.Spec.Gateway.Instances)
// If running on Pacific we force a single deployment and later set the deployment replica to the "instances" value
if c.clusterInfo.CephVersion.IsAtLeastPacific() {
desiredRgwInstances = 1
}
for i := 0; i < desiredRgwInstances; i++ {
var err error
daemonLetterID := k8sutil.IndexToName(i)
// Each rgw is id'ed by <store_name>-<letterID>
daemonName := fmt.Sprintf("%s-%s", c.store.Name, daemonLetterID)
// resource name is rook-ceph-rgw-<store_name>-<daemon_name>
resourceName := fmt.Sprintf("%s-%s-%s", AppName, c.store.Name, daemonLetterID)
rgwConfig := &rgwConfig{
ResourceName: resourceName,
DaemonID: daemonName,
Realm: realmName,
ZoneGroup: zoneGroupName,
Zone: zoneName,
}
// We set the owner reference of the Secret to the Object controller instead of the replicaset
// because we watch for that resource and reconcile if anything happens to it
_, err = c.generateKeyring(rgwConfig)
if err != nil {
return errors.Wrap(err, "failed to create rgw keyring")
}
// Set the rgw config flags
// Previously we were checking if the deployment was present, if not we would set the config flags
// Which means that we would only set the flag on newly created CephObjectStore CR
// Unfortunately, on upgrade we would not set the flags which is not ideal for old clusters where we were no setting those flags
// The KV supports setting those flags even if the RGW is running
logger.Info("setting rgw config flags")
err = c.setDefaultFlagsMonConfigStore(rgwConfig.ResourceName)
if err != nil {
// Getting EPERM typically happens when the flag may not be modified at runtime
// This is fine to ignore
code, ok := exec.ExitStatus(err)
if ok && code != int(syscall.EPERM) {
return errors.Wrap(err, "failed to set default rgw config options")
}
}
// Create deployment
deployment, err := c.createDeployment(rgwConfig)
if err != nil {
return nil
}
logger.Infof("object store %q deployment %q created", c.store.Name, deployment.Name)
// Set owner ref to cephObjectStore object
err = c.ownerInfo.SetControllerReference(deployment)
if err != nil {
return errors.Wrapf(err, "failed to set owner reference for rgw deployment %q", deployment.Name)
}
// Set the deployment hash as an annotation
err = patch.DefaultAnnotator.SetLastAppliedAnnotation(deployment)
if err != nil {
return errors.Wrapf(err, "failed to set annotation for deployment %q", deployment.Name)
}
_, createErr := c.context.Clientset.AppsV1().Deployments(c.store.Namespace).Create(c.clusterInfo.Context, deployment, metav1.CreateOptions{})
if createErr != nil {
if !kerrors.IsAlreadyExists(createErr) {
return errors.Wrap(createErr, "failed to create rgw deployment")
}
logger.Infof("object store %q deployment %q already exists. updating if needed", c.store.Name, deployment.Name)
if err := updateDeploymentAndWait(c.context, c.clusterInfo, deployment, config.RgwType, daemonLetterID, c.clusterSpec.SkipUpgradeChecks, c.clusterSpec.ContinueUpgradeAfterChecksEvenIfNotHealthy); err != nil {
return errors.Wrapf(err, "failed to update object store %q deployment %q", c.store.Name, deployment.Name)
}
}
// Generate the mime.types file after the rep. controller as well for the same reason as keyring
if err := c.generateMimeTypes(); err != nil {
return errors.Wrap(err, "failed to generate the rgw mime.types config")
}
}
// scale down scenario
deps, err := k8sutil.GetDeployments(c.context.Clientset, c.store.Namespace, c.storeLabelSelector())
if err != nil {
logger.Warningf("could not get deployments for object store %q (matching label selector %q). %v", c.store.Name, c.storeLabelSelector(), err)
}
currentRgwInstances := int(len(deps.Items))
if currentRgwInstances > desiredRgwInstances {
logger.Infof("found more rgw deployments %d than desired %d in object store %q, scaling down", currentRgwInstances, c.store.Spec.Gateway.Instances, c.store.Name)
diffCount := currentRgwInstances - desiredRgwInstances
for i := 0; i < diffCount; {
depIDToRemove := currentRgwInstances - 1
depNameToRemove := fmt.Sprintf("%s-%s-%s", AppName, c.store.Name, k8sutil.IndexToName(depIDToRemove))
if err := k8sutil.DeleteDeployment(c.context.Clientset, c.store.Namespace, depNameToRemove); err != nil {
logger.Warningf("error during deletion of deployment %q resource. %v", depNameToRemove, err)
}
currentRgwInstances = currentRgwInstances - 1
i++
// Delete the Secret key
secretToRemove := c.generateSecretName(k8sutil.IndexToName(depIDToRemove))
err = c.context.Clientset.CoreV1().Secrets(c.store.Namespace).Delete(c.clusterInfo.Context, secretToRemove, metav1.DeleteOptions{})
if err != nil && !kerrors.IsNotFound(err) {
logger.Warningf("failed to delete rgw secret %q. %v", secretToRemove, err)
}
err := c.deleteRgwCephObjects(depNameToRemove)
if err != nil {
logger.Warningf("%v", err)
}
}
// verify scale down was successful
deps, err = k8sutil.GetDeployments(c.context.Clientset, c.store.Namespace, c.storeLabelSelector())
if err != nil {
logger.Warningf("could not get deployments for object store %q (matching label selector %q). %v", c.store.Name, c.storeLabelSelector(), err)
}
currentRgwInstances = len(deps.Items)
if currentRgwInstances == desiredRgwInstances {
logger.Infof("successfully scaled down rgw deployments to %d in object store %q", desiredRgwInstances, c.store.Name)
}
}
return nil
}
// Delete the object store.
// WARNING: This is a very destructive action that deletes all metadata and data pools.
func (c *clusterConfig) deleteStore() {
logger.Infof("deleting object store %q from namespace %q", c.store.Name, c.store.Namespace)
if !c.clusterSpec.External.Enable {
// Delete rgw CephX keys and configuration in centralized mon database
for i := 0; i < int(c.store.Spec.Gateway.Instances); i++ {
daemonLetterID := k8sutil.IndexToName(i)
depNameToRemove := fmt.Sprintf("%s-%s-%s", AppName, c.store.Name, daemonLetterID)
err := c.deleteRgwCephObjects(depNameToRemove)
if err != nil {
logger.Errorf("failed to delete rgw CephX keys and configuration. Error: %v", err)
}
}
// Delete the realm and pools
objContext, err := NewMultisiteContext(c.context, c.clusterInfo, c.store)
if err != nil {
logger.Errorf("failed to set multisite on object store %q. Error: %v", c.store.Name, err)
}
objContext.Endpoint = c.store.Status.Info["endpoint"]
go disableRGWDashboard(objContext)
err = deleteRealmAndPools(objContext, c.store.Spec)
if err != nil {
logger.Errorf("failed to delete the realm and pools. Error: %v", err)
}
}
logger.Infof("done deleting object store %q from namespace %q", c.store.Name, c.store.Namespace)
}
func (c *clusterConfig) deleteRgwCephObjects(depNameToRemove string) error {
logger.Infof("deleting rgw CephX key and configuration in centralized mon database for %q", depNameToRemove)
// Delete configuration in centralized mon database
err := c.deleteFlagsMonConfigStore(depNameToRemove)
if err != nil {
return err
}
err = cephclient.AuthDelete(c.context, c.clusterInfo, generateCephXUser(depNameToRemove))
if err != nil {
return err
}
logger.Infof("completed deleting rgw CephX key and configuration in centralized mon database for %q", depNameToRemove)
return nil
}
func instanceName(name string) string {
return fmt.Sprintf("%s-%s", AppName, name)
}
func (c *clusterConfig) storeLabelSelector() string {
return fmt.Sprintf("rook_object_store=%s", c.store.Name)
}
// Validate the object store arguments
func (r *ReconcileCephObjectStore) validateStore(s *cephv1.CephObjectStore) error {
if err := cephv1.ValidateObjectSpec(s); err != nil {
return err
}
// Validate the pool settings, but allow for empty pools specs in case they have already been created
// such as by the ceph mgr
if !emptyPool(s.Spec.MetadataPool) {
if err := pool.ValidatePoolSpec(r.context, r.clusterInfo, r.clusterSpec, &s.Spec.MetadataPool); err != nil {
return errors.Wrap(err, "invalid metadata pool spec")
}
}
if !emptyPool(s.Spec.DataPool) {
if err := pool.ValidatePoolSpec(r.context, r.clusterInfo, r.clusterSpec, &s.Spec.DataPool); err != nil {
return errors.Wrap(err, "invalid data pool spec")
}
}
return nil
}
func (c *clusterConfig) generateSecretName(id string) string {
return fmt.Sprintf("%s-%s-%s-keyring", AppName, c.store.Name, id)
}
func emptyPool(pool cephv1.PoolSpec) bool {
return reflect.DeepEqual(pool, cephv1.PoolSpec{})
}
// BuildDomainName build the dns name to reach out the service endpoint
func BuildDomainName(name, namespace string) string {
return fmt.Sprintf("%s-%s.%s.%s", AppName, name, namespace, svcDNSSuffix)
}
// BuildDNSEndpoint build the dns name to reach out the service endpoint
func BuildDNSEndpoint(domainName string, port int32, secure bool) string {
httpPrefix := "http"
if secure {
httpPrefix = "https"
}
return fmt.Sprintf("%s://%s:%d", httpPrefix, domainName, port)
}
// GetTLSCACert fetch cacert for internal RGW requests
func GetTlsCaCert(objContext *Context, objectStoreSpec *cephv1.ObjectStoreSpec) ([]byte, error) {
ctx := objContext.clusterInfo.Context
var (
tlsCert []byte
err error
)
if objectStoreSpec.Gateway.SSLCertificateRef != "" {
tlsSecretCert, err := objContext.Context.Clientset.CoreV1().Secrets(objContext.clusterInfo.Namespace).Get(ctx, objectStoreSpec.Gateway.SSLCertificateRef, metav1.GetOptions{})
if err != nil {
return nil, errors.Wrapf(err, "failed to get secret %s containing TLS certificate defined in %s", objectStoreSpec.Gateway.SSLCertificateRef, objContext.Name)
}
if tlsSecretCert.Type == v1.SecretTypeOpaque {
tlsCert = tlsSecretCert.Data[certKeyName]
} else if tlsSecretCert.Type == v1.SecretTypeTLS {
tlsCert = tlsSecretCert.Data[v1.TLSCertKey]
}
} else if objectStoreSpec.GetServiceServingCert() != "" {
tlsCert, err = ioutil.ReadFile(ServiceServingCertCAFile)
if err != nil {
return nil, errors.Wrapf(err, "failed to fetch TLS certificate from %q", ServiceServingCertCAFile)
}
}
return tlsCert, nil
}
// Allow overriding this function for unit tests to mock the admin ops api
var genObjectStoreHTTPClientFunc = genObjectStoreHTTPClient
func genObjectStoreHTTPClient(objContext *Context, spec *cephv1.ObjectStoreSpec) (*http.Client, []byte, error) {
nsName := fmt.Sprintf("%s/%s", objContext.clusterInfo.Namespace, objContext.Name)
c := &http.Client{}
tlsCert := []byte{}
if spec.IsTLSEnabled() {
var err error
tlsCert, err = GetTlsCaCert(objContext, spec)
if err != nil {
return nil, tlsCert, errors.Wrapf(err, "failed to fetch CA cert to establish TLS connection with object store %q", nsName)
}
insecure := false
c.Transport = BuildTransportTLS(tlsCert, insecure)
}
return c, tlsCert, nil
}