namespace: add new CRD

This introduces a new CRD to add the ability
to create rados namespace for a given
ceph block pool. Typically the name of the pool
is the name of the blockpool created by rook.

Closes: #7035

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>

.commitlintrc.json

@@ -30,6 +30,7 @@
         "rgw",
         "security",
         "subvolumegroup",
+	"namespace",
         "test"
       ]
     ],

.github/workflows/canary-integration-test.yml

@@ -92,6 +92,13 @@ jobs:
         toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
         timeout 60 sh -c "until kubectl -n rook-ceph exec $toolbox -- ceph fs subvolumegroup ls myfs|jq .[0].name|grep -q "group-a"; do sleep 1 && echo 'waiting for the subvolumegroup to be created'; done"
 
+    - name: test rados namespace
+      run: |
+        kubectl create -f deploy/examples/radosnamespace.yaml
+        toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')
+        timeout 60 sh -c "until kubectl -n rook-ceph exec $toolbox -- rbd namespace ls replicapool --format=json|jq .[0].name|grep -q "namespace-a"; do sleep 1 && echo 'waiting for the rados namespace to be created'; done"
+        kubectl delete -f deploy/examples/radosnamespace.yaml
+
     - name: test external script with restricted_auth_permission flag and without having cephfs_filesystem flag
       run: |
         toolbox=$(kubectl get pod -l app=rook-ceph-tools -n rook-ceph -o jsonpath='{.items[*].metadata.name}')

Documentation/ceph-pool-radosnamespace.md

@@ -0,0 +1,57 @@
+---
+title: CephBlockPoolRadosNamespace CRD
+weight: 3610
+indent: true
+---
+
+{% include_relative branch.liquid %}
+
+This guide assumes you have created a Rook cluster as explained in the main [Quickstart guide](quickstart.md)
+
+# CephBlockPoolRadosNamespace CRD
+
+RADOS currently uses pools both for data distribution (pools are shared into
+PGs, which map to OSDs) and as the granularity for security (capabilities can
+restrict access by pool).  Overloading pools for both purposes makes it hard to
+do multi-tenancy because it not a good idea to have a very large number of
+pools.
+
+A namespace would be a division of a pool into separate logical namespaces. For
+more information about BlockPool and namespace refer to the [Ceph
+docs](https://docs.ceph.com/en/latest/man/8/rbd/)
+
+Having multiple namespaces in a pool would allow multiple Kubernetes clusters
+to share one unique ceph cluster without creating a pool per kubernetes cluster
+and it will also allow to have tenant isolation between multiple tenenats in a
+single Kubernetes cluster without creating multiple pools for tenants.
+
+Rook allows creation of Ceph BlockPool
+[RadosNamespaces](https://docs.ceph.com/en/latest/man/8/rbd/) through the
+custom resource definitions (CRDs).
+
+## Example
+
+To get you started, here is a simple example of a CR to create a CephBlockPoolRadosNamespace on the CephBlockPool "replicapool".
+
+```yaml
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPoolRadosNamespace
+metadata:
+  name: namespace-a
+  namespace: rook-ceph # namespace:cluster
+spec:
+  # The name of the CephBlockPool CR where the namespace is created.
+  blockPoolName: replicapool
+```
+
+## Settings
+
+If any setting is unspecified, a suitable default will be used automatically.
+
+### Metadata
+
+- `name`: The name that will be used for the Ceph BlockPool rados namespace.
+
+### Spec
+
+- `blockPoolName`: The metadata name of the CephBlockPool CR where the rados namespace will be created.

PendingReleaseNotes.md

@@ -16,3 +16,4 @@
 * Network compression is configurable with settings in the CephCluster CR. Requires Ceph Quincy (v17) or newer.
 * Add support for custom ceph.conf for csi pods. See #9567
 * Added and updated many Ceph prometheus rules, picked up from the ceph repo
+* Add support for rados namespace in a ceph blockpool. See #9733

deploy/charts/rook-ceph/templates/clusterrole.yaml

@@ -136,6 +136,7 @@ rules:
   - cephrbdmirrors
   - cephfilesystemmirrors
   - cephfilesystemsubvolumegroups
+  - cephblockpoolradosnamespaces
   verbs:
   - get
   - list
@@ -160,6 +161,7 @@ rules:
   - cephrbdmirrors/status
   - cephfilesystemmirrors/status
   - cephfilesystemsubvolumegroups/status
+  - cephblockpoolradosnamespaces/status
   verbs: ["update"]
 # The "*/finalizers" permission may need to be strictly given for K8s clusters where
 # OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on
@@ -182,6 +184,7 @@ rules:
   - cephrbdmirrors/finalizers
   - cephfilesystemmirrors/finalizers
   - cephfilesystemsubvolumegroups/finalizers
+  - cephblockpoolradosnamespaces/finalizers
   verbs: ["update"]
 - apiGroups:
   - policy

deploy/charts/rook-ceph/templates/resources.yaml

@@ -1,6 +1,73 @@
 {{- if .Values.crds.enabled }}
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.1-0.20210420220833-f284e2e8098c
+    helm.sh/resource-policy: keep
+  creationTimestamp: null
+  name: cephblockpoolradosnamespaces.ceph.rook.io
+spec:
+  group: ceph.rook.io
+  names:
+    kind: CephBlockPoolRadosNamespace
+    listKind: CephBlockPoolRadosNamespaceList
+    plural: cephblockpoolradosnamespaces
+    singular: cephblockpoolradosnamespace
+  scope: Namespaced
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: CephBlockPoolRadosNamespace represents a Ceph BlockPool Rados Namespace
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: Spec represents the specification of a Ceph BlockPool Rados Namespace
+              properties:
+                blockPoolName:
+                  description: BlockPoolName is the name of Ceph BlockPool. Typically it's the name of the CephBlockPool CR.
+                  type: string
+              required:
+                - blockPoolName
+              type: object
+            status:
+              description: Status represents the status of a CephBlockPool Rados Namespace
+              properties:
+                info:
+                  additionalProperties:
+                    type: string
+                  nullable: true
+                  type: object
+                phase:
+                  description: ConditionType represent a resource's status
+                  type: string
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.5.1-0.20210420220833-f284e2e8098c
@@ -205,6 +272,28 @@ spec:
             status:
               description: CephBlockPoolStatus represents the mirroring status of Ceph Storage Pool
               properties:
+                conditions:
+                  items:
+                    description: Condition represents a status condition on any Rook-Ceph Custom Resource.
+                    properties:
+                      lastHeartbeatTime:
+                        format: date-time
+                        type: string
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        description: ConditionReason is a reason for a condition
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        description: ConditionType represent a resource's status
+                        type: string
+                    type: object
+                  type: array
                 info:
                   additionalProperties:
                     type: string

deploy/examples/common.yaml

@@ -312,6 +312,7 @@ rules:
       - cephrbdmirrors
       - cephfilesystemmirrors
       - cephfilesystemsubvolumegroups
+      - cephblockpoolradosnamespaces
     verbs:
       - get
       - list
@@ -336,6 +337,7 @@ rules:
       - cephrbdmirrors/status
       - cephfilesystemmirrors/status
       - cephfilesystemsubvolumegroups/status
+      - cephblockpoolradosnamespaces/status
     verbs: ["update"]
   # The "*/finalizers" permission may need to be strictly given for K8s clusters where
   # OwnerReferencesPermissionEnforcement is enabled so that Rook can set blockOwnerDeletion on
@@ -358,6 +360,7 @@ rules:
       - cephrbdmirrors/finalizers
       - cephfilesystemmirrors/finalizers
       - cephfilesystemsubvolumegroups/finalizers
+      - cephblockpoolradosnamespaces/finalizers
     verbs: ["update"]
   - apiGroups:
       - policy

deploy/examples/crds.yaml

@@ -5,6 +5,72 @@
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.5.1-0.20210420220833-f284e2e8098c
+  creationTimestamp: null
+  name: cephblockpoolradosnamespaces.ceph.rook.io
+spec:
+  group: ceph.rook.io
+  names:
+    kind: CephBlockPoolRadosNamespace
+    listKind: CephBlockPoolRadosNamespaceList
+    plural: cephblockpoolradosnamespaces
+    singular: cephblockpoolradosnamespace
+  scope: Namespaced
+  versions:
+    - name: v1
+      schema:
+        openAPIV3Schema:
+          description: CephBlockPoolRadosNamespace represents a Ceph BlockPool Rados Namespace
+          properties:
+            apiVersion:
+              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+              type: string
+            kind:
+              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+              type: string
+            metadata:
+              type: object
+            spec:
+              description: Spec represents the specification of a Ceph BlockPool Rados Namespace
+              properties:
+                blockPoolName:
+                  description: BlockPoolName is the name of Ceph BlockPool. Typically it's the name of the CephBlockPool CR.
+                  type: string
+              required:
+                - blockPoolName
+              type: object
+            status:
+              description: Status represents the status of a CephBlockPool Rados Namespace
+              properties:
+                info:
+                  additionalProperties:
+                    type: string
+                  nullable: true
+                  type: object
+                phase:
+                  description: ConditionType represent a resource's status
+                  type: string
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          required:
+            - metadata
+            - spec
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.5.1-0.20210420220833-f284e2e8098c
@@ -208,6 +274,28 @@ spec:
             status:
               description: CephBlockPoolStatus represents the mirroring status of Ceph Storage Pool
               properties:
+                conditions:
+                  items:
+                    description: Condition represents a status condition on any Rook-Ceph Custom Resource.
+                    properties:
+                      lastHeartbeatTime:
+                        format: date-time
+                        type: string
+                      lastTransitionTime:
+                        format: date-time
+                        type: string
+                      message:
+                        type: string
+                      reason:
+                        description: ConditionReason is a reason for a condition
+                        type: string
+                      status:
+                        type: string
+                      type:
+                        description: ConditionType represent a resource's status
+                        type: string
+                    type: object
+                  type: array
                 info:
                   additionalProperties:
                     type: string

deploy/examples/radosnamespace.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPoolRadosNamespace
+metadata:
+  name: namespace-a
+  namespace: rook-ceph # namespace:cluster
+spec:
+  # blockPoolName is the name of the CephBlockPool CR where the namespace will be created.
+  blockPoolName: replicapool

deploy/olm/assemble/metadata-common.yaml

@@ -168,6 +168,11 @@ spec:
         version: v1
         displayName: Ceph Filesystem SubVolumeGroup
         description: Represents a Ceph Filesystem SubVolumeGroup.
+      - kind: CephBlockPoolRadosNamespace
+        name: cephblockpoolradosnamespaces.ceph.rook.io
+        version: v1
+        displayName: Ceph BlockPool Rados Namespace
+        description: Represents a Ceph BlockPool Rados Namespace.
   displayName: Rook-Ceph
   description: |
 

pkg/apis/ceph.rook.io/v1/pool.go

@@ -118,6 +118,10 @@ func (p *CephBlockPool) ValidateDelete() error {
 	return nil
 }
 
+func (p *CephBlockPool) GetStatusConditions() *[]Condition {
+	return &p.Status.Conditions
+}
+
 // SnapshotSchedulesEnabled returns whether snapshot schedules are desired
 func (p *MirroringSpec) SnapshotSchedulesEnabled() bool {
 	return len(p.SnapshotSchedules) > 0

pkg/apis/ceph.rook.io/v1/register.go

@@ -85,6 +85,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&CephFilesystemMirrorList{},
 		&CephFilesystemSubVolumeGroup{},
 		&CephFilesystemSubVolumeGroupList{},
+		&CephBlockPoolRadosNamespace{},
+		&CephBlockPoolRadosNamespaceList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	scheme.AddKnownTypes(bktv1alpha1.SchemeGroupVersion,