#CephObjectStore [cephobjectstores.ceph.rook.io/v1]

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

ObjectStoreSpec represent the spec of a pool

ObjectStoreStatus represents the status of a Ceph Object Store resource

The list of allowed namespaces in addition to the object store namespace where ceph object store users may be created. Specify "*" to allow all namespaces, otherwise list individual namespaces that are to be allowed. This is useful for applications that need object store credentials to be created in their own namespace, where neither OBCs nor COSI is being used to create buckets. The default is empty.

The authentication configuration

The data pool settings

Set this realm as the default in Ceph. Only one realm should be default. Do not set this true on more than one CephObjectStore. This may not be set when zone is also specified; in this case, the realm referenced by the zone's zonegroup should configure defaulting behavior.

The rgw pod info

The RGW health probes

Hosting settings for the object store. A common use case for hosting configuration is to inform Rook of endpoints that support DNS wildcards, which in turn allows virtual host-style bucket addressing.

The metadata pool settings

Preserve pools on object store deletion

The protocol specification

Security represents security settings

The pool information when configuring RADOS namespaces in existing pools.

The multisite info

The spec for Keystone

The roles requires to serve requests.

Create new users in their own tenants of the same name. Possible values are true, false, swift and s3. The latter have the effect of splitting the identity space such that only the indicated protocol will use implicit tenants.

The number of seconds between token revocation checks.

The name of the secret containing the credentials for the service user account used by RGW. It has to be in the same namespace as the object store resource.

The maximum number of entries in each Keystone token cache.

The URL for the Keystone server.

The application name to set on the pool. Only expected to be set for rgw pools.

DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) Do NOT set a default value for kubebuilder as this will override the Parameters

The root of the crush hierarchy utilized by the pool

The device class the OSD should set to for use in the pool

Allow rook operator to change the pool CRUSH tunables once the pool is created

EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool

The erasure code settings

The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map

The mirroring settings

Parameters is a list of properties to enable on a given pool

The quota settings

The replication settings

The mirroring statusCheck

The algorithm for erasure coding. If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile.

Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). This is the number of OSDs that can be lost simultaneously before data cannot be recovered.

Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). The number of chunks required to recover an object when any single OSD is lost is the same as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery.

Enabled whether this pool is mirrored or not

Mode is the mirroring mode: pool, image or init-only.

Peers represents the peers spec

SnapshotSchedules is the scheduling of snapshot for mirrored images/pools

SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers

Interval represent the periodicity of the snapshot.

Path is the path to snapshot, only valid for CephFS

StartTime indicates when to start the snapshot

MaxBytes represents the quota in bytes Deprecated in favor of MaxSize

MaxObjects represents the quota in objects

MaxSize represents the quota in bytes as a string

HybridStorage represents hybrid storage tier settings

ReplicasPerFailureDomain the number of replica in the specified failure domain

RequireSafeReplicaSize if false allows you to set replica 1

Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type)

SubFailureDomain the name of the sub-failure domain

TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity

PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD

SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs

HealthCheckSpec represents the health check of an object store bucket

Interval is the internal in second or minute for the health check to run like 60s for 60 seconds

AdditionalVolumeMounts allows additional volumes to be mounted to the RGW pod. The root directory for each additional volume mount is /var/rgw. Example: for an additional mount at subPath ldap, mounted from a secret that has key bindpass.secret, the file would reside at /var/rgw/ldap/bindpass.secret.

The annotations-related configuration to add/set on each Pod related object.

The name of the secret that stores custom ca-bundle with root and intermediate certificates.

Whether rgw dashboard is enabled for the rgw daemon. If not set, the rgw dashboard will be enabled.

DisableMultisiteSyncTraffic, when true, prevents this object store's gateways from transmitting multisite replication data. Note that this value does not affect whether gateways receive multisite replication traffic: see ObjectZone.spec.customEndpoints for that. If false or unset, this object store's gateways will be able to transmit multisite replication data.

ExternalRgwEndpoints points to external RGW endpoint(s). Multiple endpoints can be given, but for stability of ObjectBucketClaims, we highly recommend that users give only a single external RGW endpoint that is a load balancer that sends requests to the multiple RGWs.

Whether host networking is enabled for the rgw daemon. If not set, the network settings from the cluster CR will be applied.

The number of pods in the rgw replicaset.

The labels-related configuration to add/set on each Pod related object.

Enable enhanced operation Logs for S3 in a sidecar named ops-log

The port the rgw service will be listening on (http)

PriorityClassName sets priority classes on the rgw pods

ReadAffinity defines the RGW read affinity policy to optimize the read requests for the RGW clients Note: Only supported from Ceph Tentacle (v20)

The resource requirements for the rgw pods

RgwCommandFlags sets Ceph RGW config values for the gateway clients that serve this object store. Values are modified at RGW startup, resulting in RGW pod restarts. This feature is intended for advanced users. It allows breaking configurations to be easily applied. Use with caution.

RgwConfig sets Ceph RGW config values for the gateway clients that serve this object store. Values are modified at runtime without RGW restart. This feature is intended for advanced users. It allows breaking configurations to be easily applied. Use with caution.

RgwConfigFromSecret works exactly like RgwConfig but takes config value from Secret Key reference. Values are modified at runtime without RGW restart. This feature is intended for advanced users. It allows breaking configurations to be easily applied. Use with caution.

The port the rgw service will be listening on (https)

The configuration related to add/set on each rgw service.

The name of the secret that stores the ssl certificate for secure rgw connections

SubPath defines the sub-path (subdirectory) of the directory root where the volumeSource will be mounted. All files/keys in the volume source's volume will be mounted to the subdirectory. This is not the same as the Kubernetes subPath volume mount option. Each subPath definition must be unique and must not contain ':'.

The DNS-addressable Hostname of this endpoint. This field will be preferred over IP if both are given.

The IP of this endpoint. As a legacy behavior, this supports being given a DNS-addressable hostname as well.

Resources represents the way to specify resource requirements for the ops-log sidecar

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This field depends on the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

Type defines the RGW ReadAffinity type localize: read from the nearest OSD based on crush location of the RGW client balance: picks a random OSD from the PG's active set default: read from the primary OSD

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This field depends on the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

The annotations-related configuration to add/set on each rgw service. nullable optional

ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon

ProbeSpec is a wrapper around Probe so it can be enabled or disabled for a Ceph daemon

Disabled determines whether probe is disable or not

Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.

Exec specifies a command to execute in the container.

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

GRPC specifies a GRPC HealthCheckRequest.

HTTPGet specifies an HTTP GET request to perform.

Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

TCPSocket specifies a connection to a TCP port.

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

Port number of the gRPC service. Number must be in the range 1 to 65535.

Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

If this is not specified, the default behavior is defined by gRPC.

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

Custom headers to set in the request. HTTP allows repeated headers.

Path to access on the HTTP server.

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Scheme to use for connecting to the host. Defaults to HTTP.

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

The header field value

Optional: Host name to connect to, defaults to the pod IP.

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Disabled determines whether probe is disable or not

Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.

Exec specifies a command to execute in the container.

Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.

GRPC specifies a GRPC HealthCheckRequest.

HTTPGet specifies an HTTP GET request to perform.

Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.

Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.

TCPSocket specifies a connection to a TCP port.

Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes

Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.

Port number of the gRPC service. Number must be in the range 1 to 65535.

Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

If this is not specified, the default behavior is defined by gRPC.

Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead.

Custom headers to set in the request. HTTP allows repeated headers.

Path to access on the HTTP server.

Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

Scheme to use for connecting to the host. Defaults to HTTP.

The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header.

The header field value

Optional: Host name to connect to, defaults to the pod IP.

Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME.

AdvertiseEndpoint is the default endpoint Rook will return for resources dependent on this object store. This endpoint will be returned to CephObjectStoreUsers, Object Bucket Claims, and COSI Buckets/Accesses. By default, Rook returns the endpoint for the object store's Kubernetes service using HTTPS with gateway.securePort if it is defined (otherwise, HTTP with gateway.port).

A list of DNS host names on which object store gateways will accept client S3 connections. When specified, object store gateways will reject client S3 connections to hostnames that are not present in this list, so include all endpoints. The object store's advertiseEndpoint and Kubernetes service endpoint, plus CephObjectZone customEndpoints are automatically added to the list but may be set here again if desired. Each DNS name must be valid according RFC-1123. If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the wildcard itself in the list of hostnames. E.g., use "mystore.example.com" instead of "*.mystore.example.com".

DnsName is the DNS name (in RFC-1123 format) of the endpoint. If the DNS name corresponds to an endpoint with DNS wildcard support, do not include the wildcard itself in the list of hostnames. E.g., use "mystore.example.com" instead of "*.mystore.example.com".

Port is the port on which S3 connections can be made for this endpoint.

UseTls defines whether the endpoint uses TLS (HTTPS) or not (HTTP).

The application name to set on the pool. Only expected to be set for rgw pools.

DEPRECATED: use Parameters instead, e.g., Parameters["compression_mode"] = "force" The inline compression mode in Bluestore OSD to set to (options are: none, passive, aggressive, force) Do NOT set a default value for kubebuilder as this will override the Parameters

The root of the crush hierarchy utilized by the pool

The device class the OSD should set to for use in the pool

Allow rook operator to change the pool CRUSH tunables once the pool is created

EnableRBDStats is used to enable gathering of statistics for all RBD images in the pool

The erasure code settings

The failure domain: osd/host/(region or zone if available) - technically also any type in the crush map

The mirroring settings

Parameters is a list of properties to enable on a given pool

The quota settings

The replication settings

The mirroring statusCheck

The algorithm for erasure coding. If absent, defaults to the plugin specified in osd_pool_default_erasure_code_profile.

Number of coding chunks per object in an erasure coded storage pool (required for erasure-coded pool type). This is the number of OSDs that can be lost simultaneously before data cannot be recovered.

Number of data chunks per object in an erasure coded storage pool (required for erasure-coded pool type). The number of chunks required to recover an object when any single OSD is lost is the same as dataChunks so be aware that the larger the number of data chunks, the higher the cost of recovery.

Enabled whether this pool is mirrored or not

Mode is the mirroring mode: pool, image or init-only.

Peers represents the peers spec

SnapshotSchedules is the scheduling of snapshot for mirrored images/pools

SecretNames represents the Kubernetes Secret names to add rbd-mirror or cephfs-mirror peers

Interval represent the periodicity of the snapshot.

Path is the path to snapshot, only valid for CephFS

StartTime indicates when to start the snapshot

MaxBytes represents the quota in bytes Deprecated in favor of MaxSize

MaxObjects represents the quota in objects

MaxSize represents the quota in bytes as a string

HybridStorage represents hybrid storage tier settings

ReplicasPerFailureDomain the number of replica in the specified failure domain

RequireSafeReplicaSize if false allows you to set replica 1

Size - Number of copies per object in a replicated storage pool, including the object itself (required for replicated pool type)

SubFailureDomain the name of the sub-failure domain

TargetSizeRatio gives a hint (%) to Ceph in terms of expected consumption of the total cluster capacity

PrimaryDeviceClass represents high performance tier (for example SSD or NVME) for Primary OSD

SecondaryDeviceClass represents low performance tier (for example HDDs) for remaining OSDs

HealthCheckSpec represents the health check of an object store bucket

Interval is the internal in second or minute for the health check to run like 60s for 60 seconds

Represents RGW 'rgw_enable_apis' config option. See: https://docs.ceph.com/en/reef/radosgw/config-ref/#confval-rgw_enable_apis If no value provided then all APIs will be enabled: s3, s3website, swift, swift_auth, admin, sts, iam, notifications If enabled APIs are set, all remaining APIs will be disabled. This option overrides S3.Enabled value.

The spec for S3

The spec for Swift

Whether to use Keystone for authentication. This option maps directly to the rgw_s3_auth_use_keystone option. Enabling it allows generating S3 credentials via an OpenStack API call, see the docs. If not given, the defaults of the corresponding RGW option apply.

Deprecated: use protocol.enableAPIs instead. Whether to enable S3. This defaults to true (even if protocols.s3 is not present in the CRD). This maintains backwards compatibility – by default S3 is enabled.

Whether or not the Swift account name should be included in the Swift API URL. If set to false (the default), then the Swift API will listen on a URL formed like http://host:port/<rgw_swift_url_prefix>/v1. If set to true, the Swift API URL will be http://host:port/<rgw_swift_url_prefix>/v1/AUTH_<account_name>. You must set this option to true (and update the Keystone service catalog) if you want radosgw to support publicly-readable containers and temporary URLs.

The URL prefix for the Swift API, to distinguish it from the S3 API endpoint. The default is swift, which makes the Swift API available at the URL http://host:port/swift/v1 (or http://host:port/swift/v1/AUTH_%(tenant_id)s if rgw swift account in url is enabled).

Enables the Object Versioning of OpenStack Object Storage API. This allows clients to put the X-Versions-Location attribute on containers that should be versioned.

KeyRotation defines options for Key Rotation.

KeyManagementService is the main Key Management option

The settings for supporting AWS-SSE:S3 with RGW

Enabled represents whether the key rotation is enabled.

Schedule represents the cron schedule for key rotation.

ConnectionDetails contains the KMS connection details (address, port etc)

TokenSecretName is the kubernetes secret containing the KMS token

ConnectionDetails contains the KMS connection details (address, port etc)

TokenSecretName is the kubernetes secret containing the KMS token

The data pool used for creating RADOS namespaces in the object store

The metadata pool used for creating RADOS namespaces in the object store

PoolPlacements control which Pools are associated with a particular RGW bucket. Once PoolPlacements are defined, RGW client will be able to associate pool with ObjectStore bucket by providing "" during s3 bucket creation or "X-Storage-Policy" header during swift container creation. See: https://docs.ceph.com/en/latest/radosgw/placement/#placement-targets PoolPlacement with name: "default" will be used as a default pool if no option is provided during bucket creation. If default placement is not provided, spec.sharedPools.dataPoolName and spec.sharedPools.MetadataPoolName will be used as default pools. If spec.sharedPools are also empty, then RGW pools (spec.dataPool and spec.metadataPool) will be used as defaults.

Whether the RADOS namespaces should be preserved on deletion of the object store

The data pool used to store ObjectStore data that cannot use erasure coding (ex: multi-part uploads). If dataPoolName is not erasure coded, then there is no need for dataNonECPoolName.

The data pool used to store ObjectStore objects data.

Sets given placement as default. Only one placement in the list can be marked as default. Default is false.

The metadata pool used to store ObjectStore bucket index.

Pool placement name. Name can be arbitrary. Placement with name "default" will be used as default.

StorageClasses can be selected by user to override dataPoolName during object creation. Each placement has default STANDARD StorageClass pointing to dataPoolName. This list allows defining additional StorageClasses on top of default STANDARD storage class.

DataPoolName is the data pool used to store ObjectStore objects data.

Name is the StorageClass name. Ceph allows arbitrary name for StorageClasses, however most clients/libs insist on AWS names so it is recommended to use one of the valid x-amz-storage-class values for better compatibility: REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE See AWS docs: https://aws.amazon.com/de/s3/storage-classes/

CephObjectStoreZone name this CephObjectStore is part of

ObservedGeneration is the latest generation observed by the controller.

ConditionType represent a resource's status

Daemon shows the CephX key status for local Ceph daemons associated with this resources.

KeyCephVersion reports the Ceph version that created the current generation's keys. This is same string format as reported by CephCluster.status.version.version to allow them to be compared. E.g., 20.2.0-0. For all newly-created resources, this field set to the version of Ceph that created the key. The special value "Uninitialized" indicates that keys are being created for the first time. An empty string indicates that the version is unknown, as expected in brownfield deployments.

KeyGeneration represents the CephX key generation for the last successful reconcile. For all newly-created resources, this field is set to 1. When keys are rotated due to any rotation policy, the generation is incremented or updated to the configured policy generation. Generation 0 indicates that keys existed prior to the implementation of key tracking.

ConditionReason is a reason for a condition

ConditionType represent a resource's status