keyring package v1.18.10
Published: Mar 24, 2026 License: Apache-2.0 Imports: 14 Imported by: 128

Documentation

Overview

Package keyring provides methods for accessing keyrings for Ceph daemons stored securely in Kubernetes secrets. It also provides methods for creating keyrings with desired permissions which are stored persistently and a special subset of methods for the Ceph admin keyring.

Index

Constants

const CephxKeyIdentifierAnnotation = "cephx-key-identifier"

CephxKeyIdentifierAnnotation is the annotation that should be applied to pod specs to ensure that pods restart after keys are rotated (and not restarted when keys are not rotated). The keyring secret resourceVersion is suggested but not always available.

const (

	// KeyringAnnotation identifies a Kubernetes Secret as a cephx keyring file
	KeyringAnnotation = "cephx-keyring"
)

Variables

var CephAuthMonRotateSupportedVersion = version.CephVersion{Major: 20, Minor: 3, Extra: 0} // v20.3.0 is unreleased tentacle vers

CephAuthMonRotateSupportedVersion identifies the first ceph release in which `ceph auth rotate` can be used to rotate the monitor CephX key.

var CephAuthRotateSupportedVersion = version.CephVersion{Major: 19, Minor: 2, Extra: 3}

CephAuthRotateSupportedVersion identifies the first ceph release in which the `ceph auth rotate` command is present, thus allowing CephX key rotation.

Functions

func ApplyClusterMetadataToSecret added in v1.8.3

func ApplyClusterMetadataToSecret(c *cephclient.ClusterInfo, secretName string, context *clusterd.Context, annotation v1.AnnotationsSpec) error

func CephVersionToCephxStatusVersion added in v1.18.0

func CephVersionToCephxStatusVersion(v version.CephVersion) string

CephVersionToCephxStatusVersion renders a CephVersion struct into status.KeyCephVersion format. This is expected to be the same format used by CephCluster.status.version.version.

func ShouldRotateCephxKeys added in v1.18.0

func ShouldRotateCephxKeys(cfg v1.CephxConfig, runningCephVersion, desiredCephVersion version.CephVersion, status v1.CephxStatus) (bool, error)

ShouldRotateCephxKeys determines whether CephX keys should be rotated based on the CephX key rotation config, the version of Ceph present in the image being deployed (desiredCephVersion), and the last-reconciled CephX key status. runningCephVersion is used to determine whether the cluster is capable of rotating CephX keys. It is intended to be called with the running/desired Ceph versions returned by CurrentAndDesiredCephVersion().

func UninitializedCephxStatus added in v1.18.0

func UninitializedCephxStatus() v1.CephxStatus

UninitializedCephxStatus provides the initial status that indicates CephX keys haven't been initialized. This should be applied when a resource status is first set to a non-nil status. Together with UpdatedCephxStatus() below, this helps ensure that Rook only applies key generation and ceph version info to the status when a resource is first being provisioned. Resources that were provisioned before CephX key rotation and version tracking were implemented will be identified by KeyCephVersion="", the empty string.
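The three pieces of behaviour documented above (the version gate for `ceph auth rotate`, the empty KeyCephVersion marker for resources provisioned before key tracking, and the cephx-key-identifier pod annotation that ties a restart to the keyring secret's resourceVersion) fit together as follows. This is an added, self-contained example and not Rook's own code: cephVersion and cephxStatus are local stand-ins for Rook's version.CephVersion and v1.CephxStatus, the rotation policy from v1.CephxConfig is reduced to a single "requested" flag, and the threshold versions are the ones stated in this package's documentation.

```go
package main

import "fmt"

// cephVersion is a local stand-in with the Major/Minor/Extra shape of
// Rook's version.CephVersion (assumption of this example, not Rook's type).
type cephVersion struct {
	Major, Minor, Extra int
}

func (v cephVersion) String() string {
	return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Extra)
}

// atLeast reports whether v is the same as or newer than min.
func (v cephVersion) atLeast(min cephVersion) bool {
	if v.Major != min.Major {
		return v.Major > min.Major
	}
	if v.Minor != min.Minor {
		return v.Minor > min.Minor
	}
	return v.Extra >= min.Extra
}

// Thresholds taken from CephAuthRotateSupportedVersion and
// CephAuthMonRotateSupportedVersion in the package documentation.
var (
	authRotateSupported    = cephVersion{19, 2, 3}
	authMonRotateSupported = cephVersion{20, 3, 0}
)

const cephxKeyIdentifierAnnotation = "cephx-key-identifier"

// cephxStatus is a local stand-in for v1.CephxStatus; only the field the
// documentation describes (KeyCephVersion) is modelled here.
type cephxStatus struct {
	KeyCephVersion string
}

// canRotate reports whether the running cluster has `ceph auth rotate` for the
// given key. Monitor keys need the later release than daemon/client keys.
func canRotate(running cephVersion, isMonKey bool) bool {
	if isMonKey {
		return running.atLeast(authMonRotateSupported)
	}
	return running.atLeast(authRotateSupported)
}

// isLegacyResource reports whether a resource was provisioned before key
// tracking existed; the package marks those with KeyCephVersion == "".
func isLegacyResource(s cephxStatus) bool {
	return s.KeyCephVersion == ""
}

// shouldRotate is a simplified stand-in for ShouldRotateCephxKeys. The real
// function derives "requested" from v1.CephxConfig; here it is a plain flag.
// Requesting rotation on a cluster that cannot rotate is an error rather than a
// silent no-op so the operator's reconcile loop surfaces the misconfiguration.
func shouldRotate(requested bool, running cephVersion, isMonKey bool) (bool, error) {
	if !requested {
		return false, nil
	}
	if !canRotate(running, isMonKey) {
		return false, fmt.Errorf("cephx key rotation requested but running ceph %s lacks `ceph auth rotate` for this key", running)
	}
	return true, nil
}

// withKeyIdentifier returns a copy of a pod's annotations with the keyring
// secret's resourceVersion recorded under cephx-key-identifier. A rotation
// produces a new resourceVersion, changes the pod template and so restarts the
// pod; an unchanged key leaves the template, and the pod, untouched.
func withKeyIdentifier(existing map[string]string, secretResourceVersion string) map[string]string {
	out := make(map[string]string, len(existing)+1)
	for k, v := range existing {
		out[k] = v
	}
	out[cephxKeyIdentifierAnnotation] = secretResourceVersion
	return out
}

// restartNeeded reports whether the desired pod annotations carry a different
// key identifier than the running pod's annotations.
func restartNeeded(running, desired map[string]string) bool {
	return running[cephxKeyIdentifierAnnotation] != desired[cephxKeyIdentifierAnnotation]
}

func main() {
	running := cephVersion{19, 2, 3}
	ok, err := shouldRotate(true, running, false)
	fmt.Println("rotate daemon key:", ok, err)
	ok, err = shouldRotate(true, running, true)
	fmt.Println("rotate mon key:", ok, err)

	// Constructed resourceVersions standing in for the values returned by
	// SecretStore.CreateOrUpdate before and after a rotation.
	before := withKeyIdentifier(map[string]string{"app": "rook-ceph-osd"}, "1001")
	after := withKeyIdentifier(before, "1042")
	fmt.Println("restart needed after rotation:", restartNeeded(before, after))
	fmt.Println("legacy resource:", isLegacyResource(cephxStatus{}))
}
```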

func UpdatedCephxStatus added in v1.18.0

func UpdatedCephxStatus(didRotate bool, cfg v1.CephxConfig, runningCephVersion version.CephVersion, status v1.CephxStatus) v1.CephxStatus

UpdatedCephxStatus returns the updated CephxStatus based on rotation config and status from before rotation occurred.

Types

type AdminStore

type AdminStore struct {
	// contains filtered or unexported fields
}

An AdminStore is a specialized derivative of the SecretStore helper for storing the Ceph cluster admin keyring as a Kubernetes secret.

func (*AdminStore) CreateOrUpdate

func (a *AdminStore) CreateOrUpdate(c *cephclient.ClusterInfo, context *clusterd.Context, annotation v1.AnnotationsSpec) error

CreateOrUpdate creates or updates the admin keyring secret with cluster information.

type SecretStore

type SecretStore struct {
	// contains filtered or unexported fields
}

SecretStore is a helper to store Ceph daemon keyrings as Kubernetes secrets.

func GetSecretStore

func GetSecretStore(context *clusterd.Context, clusterInfo *client.ClusterInfo, ownerInfo *k8sutil.OwnerInfo) *SecretStore

GetSecretStore returns a new SecretStore struct.

func (*SecretStore) Admin

func (s *SecretStore) Admin() *AdminStore

Admin returns the special Admin keyring store type.

func (*SecretStore) CreateOrUpdate

func (k *SecretStore) CreateOrUpdate(resourceName string, keyring string) (string, error)

CreateOrUpdate creates or updates the keyring secret for the resource with the keyring specified. Returns the secret resource version. WARNING: Do not use "rook-ceph-admin" as the resource name; it conflicts with the AdminStore.

func (*SecretStore) CreateSecret added in v1.1.3

func (k *SecretStore) CreateSecret(secret *v1.Secret) (string, error)

CreateSecret creates or updates a Kubernetes secret. Returns the resource version of the secret.

func (*SecretStore) Delete

func (k *SecretStore) Delete(resourceName string) error

Delete deletes the keyring secret for the resource.

func (*SecretStore) GenerateKey

func (k *SecretStore) GenerateKey(user string, access []string) (string, error)

GenerateKey generates a key for a Ceph user with the given access permissions. It returns the key generated on success. Ceph will always return the most up-to-date key for a daemon, and the key usually does not change.

func (*SecretStore) GetKeyringFromSecret added in v1.18.2

func (k *SecretStore) GetKeyringFromSecret(resourceName string) (string, error)

GetKeyringFromSecret returns the keyring present in a keyring secret.

func (*SecretStore) RotateKey added in v1.18.0

func (k *SecretStore) RotateKey(user string) (string, error)

RotateKey rotates a key for a Ceph user without modifying permissions. It returns the new key on success.

type VolumeBuilder

type VolumeBuilder struct{}

VolumeBuilder is a helper for creating Kubernetes pod volumes with content sourced by keyrings stored in the SecretStore.

func Volume

func Volume() *VolumeBuilder

Volume returns a VolumeBuilder.

func (*VolumeBuilder) Admin

func (v *VolumeBuilder) Admin() v1.Volume

Admin returns a kubernetes pod volume whose content is sourced by the SecretStore admin keyring.

func (*VolumeBuilder) CrashCollector added in v1.2.1

func (v *VolumeBuilder) CrashCollector() v1.Volume

CrashCollector returns a kubernetes pod volume whose content is sourced by the SecretStore crash collector keyring.

func (*VolumeBuilder) Exporter added in v1.13.0

func (v *VolumeBuilder) Exporter() v1.Volume

Exporter returns a kubernetes pod volume whose content is sourced by the SecretStore exporter keyring.

func (*VolumeBuilder) Resource

func (v *VolumeBuilder) Resource(resourceName string) v1.Volume

Resource returns a Kubernetes pod volume whose content is sourced by the keyring created for the resource using a SecretStore.

type VolumeMountBuilder

type VolumeMountBuilder struct{}

VolumeMountBuilder is a helper for creating Kubernetes container volume mounts that mount the keyring content from VolumeBuilder volumes.

func VolumeMount

func VolumeMount() *VolumeMountBuilder

VolumeMount returns a VolumeMountBuilder.

func (*VolumeMountBuilder) Admin

func (*VolumeMountBuilder) Admin() v1.VolumeMount

Admin returns a Kubernetes container volume mount that mounts the content from the matching VolumeBuilder Admin volume.

func (*VolumeMountBuilder) AdminKeyringFilePath

func (*VolumeMountBuilder) AdminKeyringFilePath() string

AdminKeyringFilePath returns the full path to the admin keyring file within a container.

func (*VolumeMountBuilder) CrashCollector added in v1.2.1

func (*VolumeMountBuilder) CrashCollector() v1.VolumeMount

CrashCollector returns a Kubernetes container volume mount that mounts the content from the matching VolumeBuilder Crash Collector volume.

func (*VolumeMountBuilder) CrashCollectorKeyringFilePath added in v1.2.1

func (*VolumeMountBuilder) CrashCollectorKeyringFilePath() string

CrashCollectorKeyringFilePath returns the full path to the crash collector keyring file within a container.

func (*VolumeMountBuilder) Exporter added in v1.13.0

func (*VolumeMountBuilder) Exporter() v1.VolumeMount

Exporter returns a Kubernetes container volume mount that mounts the content from the matching VolumeBuilder Exporter volume.

func (*VolumeMountBuilder) ExporterKeyringFilePath added in v1.13.0

func (*VolumeMountBuilder) ExporterKeyringFilePath() string

ExporterKeyringFilePath returns the full path to the exporter keyring file within a container.

func (*VolumeMountBuilder) KeyringFilePath

func (*VolumeMountBuilder) KeyringFilePath() string

KeyringFilePath returns the full path to the regular keyring file within a container.

func (*VolumeMountBuilder) Resource

func (*VolumeMountBuilder) Resource(resourceName string) v1.VolumeMount

Resource returns a Kubernetes container volume mount that mounts the content from the matching VolumeBuilder Resource volume for the same resource.
