
Ceph Operator Helm Chart

Installs rook to create, configure, and manage Ceph clusters on Kubernetes.

Introduction

This chart bootstraps a rook-ceph-operator deployment on a Kubernetes cluster using the Helm package manager.

Prerequisites

  • Kubernetes 1.22+
  • Helm 3.x

See the Helm support matrix for more details.

Installing

The Ceph Operator helm chart will install the basic components necessary to create a storage platform for your Kubernetes cluster.

  1. Install the Helm chart
  2. Create a Rook cluster.

The helm install command deploys rook on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. It is recommended that the rook operator be installed into the rook-ceph namespace (you will install your clusters into separate namespaces).

Rook currently publishes builds of the Ceph operator to the release and master channels.

Release

The release channel is the most recent release of Rook that is considered stable for the community.

helm repo add rook-release https://charts.rook.io/release
helm install --create-namespace --namespace rook-ceph rook-ceph rook-release/rook-ceph -f values.yaml

For example settings, see the next section or values.yaml.

Configuration

The following table lists the configurable parameters of the rook-operator chart and their default values.

Parameter | Description | Default
allowLoopDevices | If true, loop devices are allowed to be used for osds in test clusters | false
annotations | Pod annotations | {}
cephCommandsTimeoutSeconds | The timeout for ceph commands in seconds | "15"
containerSecurityContext | Set the container security context for the operator | {"capabilities":{"drop":["ALL"]},"runAsGroup":2016,"runAsNonRoot":true,"runAsUser":2016}
crds.enabled | Whether the helm chart should create and update the CRDs. If false, the CRDs must be managed independently with deploy/examples/crds.yaml. WARNING Only set during first deployment. If later disabled the cluster may be DESTROYED. If the CRDs are deleted in this case, see the disaster recovery guide to restore them. | true
csi.attacher.repository | Kubernetes CSI Attacher image repository | "registry.k8s.io/sig-storage/csi-attacher"
csi.attacher.tag | Attacher image tag | "v4.6.1"
csi.cephFSAttachRequired | Whether to skip any attach operation altogether for CephFS PVCs. See more details here. If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation of pods using the CephFS PVC fast. WARNING It's highly discouraged to use this for CephFS RWO volumes. Refer to this issue for more details. | true
csi.cephFSFSGroupPolicy | Policy for modifying a volume's ownership or permissions when the CephFS PVC is being mounted. Supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html | "File"
csi.cephFSKernelMountOptions | Set CephFS Kernel mount options to use https://docs.ceph.com/en/latest/man/8/mount.ceph/#options. Set to "ms_mode=secure" when connections.encrypted is enabled in CephCluster CR | nil
csi.cephFSPluginUpdateStrategy | CSI CephFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate | RollingUpdate
csi.cephFSPluginUpdateStrategyMaxUnavailable | A maxUnavailable parameter of CSI cephFS plugin daemonset update strategy. | 1
csi.cephcsi.repository | Ceph CSI image repository | "quay.io/cephcsi/cephcsi"
csi.cephcsi.tag | Ceph CSI image tag | "v3.12.2"
csi.cephfsLivenessMetricsPort | CSI CephFS driver metrics port | 9081
csi.cephfsPodLabels | Labels to add to the CSI CephFS Deployments and DaemonSets Pods | nil
csi.clusterName | Cluster name identifier to set as metadata on the CephFS subvolume and RBD images. This will be useful in cases like for example, when two container orchestrator clusters (Kubernetes/OCP) are using a single ceph cluster | nil
csi.csiAddons.enabled | Enable CSIAddons | false
csi.csiAddons.repository | CSIAddons sidecar image repository | "quay.io/csiaddons/k8s-sidecar"
csi.csiAddons.tag | CSIAddons sidecar image tag | "v0.9.1"
csi.csiAddonsPort | CSI Addons server port | 9070
csi.csiCephFSPluginResource | CEPH CSI CephFS plugin resource requirement list | see values.yaml
csi.csiCephFSPluginVolume | The volume of the CephCSI CephFS plugin DaemonSet | nil
csi.csiCephFSPluginVolumeMount | The volume mounts of the CephCSI CephFS plugin DaemonSet | nil
csi.csiCephFSProvisionerResource | CEPH CSI CephFS provisioner resource requirement list | see values.yaml
csi.csiDriverNamePrefix | CSI driver name prefix for cephfs, rbd and nfs. | namespace name where rook-ceph operator is deployed
csi.csiLeaderElectionLeaseDuration | Duration in seconds that non-leader candidates will wait to force acquire leadership. | 137s
csi.csiLeaderElectionRenewDeadline | Deadline in seconds that the acting leader will retry refreshing leadership before giving up. | 107s
csi.csiLeaderElectionRetryPeriod | Retry period in seconds the LeaderElector clients should wait between tries of actions. | 26s
csi.csiNFSPluginResource | CEPH CSI NFS plugin resource requirement list | see values.yaml
csi.csiNFSProvisionerResource | CEPH CSI NFS provisioner resource requirement list | see values.yaml
csi.csiRBDPluginResource | CEPH CSI RBD plugin resource requirement list | see values.yaml
csi.csiRBDPluginVolume | The volume of the CephCSI RBD plugin DaemonSet | nil
csi.csiRBDPluginVolumeMount | The volume mounts of the CephCSI RBD plugin DaemonSet | nil
csi.csiRBDProvisionerResource | CEPH CSI RBD provisioner resource requirement list. csi-omap-generator resources will be applied only if enableOMAPGenerator is set to true | see values.yaml
csi.disableCsiDriver | Disable the CSI driver. | "false"
csi.disableHolderPods | Deprecation note: Rook uses "holder" pods to allow CSI to connect to the multus public network without needing hosts to the network. Holder pods are being removed. See issue for details: https://github.com/rook/rook/issues/13055. New Rook deployments should set this to "true". | true
csi.enableCSIEncryption | Enable Ceph CSI PVC encryption support | false
csi.enableCSIHostNetwork | Enable host networking for CSI CephFS and RBD nodeplugins. This may be necessary in some network configurations where the SDN does not provide access to an external cluster or there is significant drop in read/write performance | true
csi.enableCephfsDriver | Enable Ceph CSI CephFS driver | true
csi.enableCephfsSnapshotter | Enable Snapshotter in CephFS provisioner pod | true
csi.enableLiveness | Enable Ceph CSI Liveness sidecar deployment | false
csi.enableMetadata | Enable adding volume metadata on the CephFS subvolumes and RBD images. Not all users might be interested in getting volume/snapshot details as metadata on CephFS subvolume and RBD images. Hence enable metadata is false by default | false
csi.enableNFSSnapshotter | Enable Snapshotter in NFS provisioner pod | true
csi.enableOMAPGenerator | OMAP generator generates the omap mapping between the PV name and the RBD image which helps CSI to identify the rbd images for CSI operations. CSI_ENABLE_OMAP_GENERATOR needs to be enabled when we are using rbd mirroring feature. By default OMAP generator is disabled and when enabled, it will be deployed as a sidecar with CSI provisioner pod, to enable set it to true. | false
csi.enablePluginSelinuxHostMount | Enable Host mount for /etc/selinux directory for Ceph CSI nodeplugins | false
csi.enableRBDSnapshotter | Enable Snapshotter in RBD provisioner pod | true
csi.enableRbdDriver | Enable Ceph CSI RBD driver | true
csi.enableVolumeGroupSnapshot | Enable volume group snapshot feature. This feature is enabled by default as long as the necessary CRDs are available in the cluster. | true
csi.forceCephFSKernelClient | Enable Ceph Kernel clients on kernel < 4.17. If your kernel does not support quotas for CephFS you may want to disable this setting. However, this will cause an issue during upgrades with the FUSE client. See the upgrade guide | true
csi.grpcTimeoutInSeconds | Set GRPC timeout for csi containers (in seconds). It should be >= 120. If this value is not set or is invalid, it defaults to 150 | 150
csi.imagePullPolicy | Image pull policy | "IfNotPresent"
csi.kubeApiBurst | Burst to use while communicating with the kubernetes apiserver. | nil
csi.kubeApiQPS | QPS to use while communicating with the kubernetes apiserver. | nil
csi.kubeletDirPath | Kubelet root directory path (if the Kubelet uses a different path for the --root-dir flag) | /var/lib/kubelet
csi.logLevel | Set logging level for cephCSI containers maintained by the cephCSI. Supported values from 0 to 5. 0 for general useful logs, 5 for trace level verbosity. | 0
csi.nfs.enabled | Enable the nfs csi driver | false
csi.nfsAttachRequired | Whether to skip any attach operation altogether for NFS PVCs. See more details here. If cephFSAttachRequired is set to false it skips the volume attachments and makes the creation of pods using the NFS PVC fast. WARNING It's highly discouraged to use this for NFS RWO volumes. Refer to this issue for more details. | true
csi.nfsFSGroupPolicy | Policy for modifying a volume's ownership or permissions when the NFS PVC is being mounted. Supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html | "File"
csi.nfsPluginUpdateStrategy | CSI NFS plugin daemonset update strategy, supported values are OnDelete and RollingUpdate | RollingUpdate
csi.nfsPodLabels | Labels to add to the CSI NFS Deployments and DaemonSets Pods | nil
csi.pluginNodeAffinity | The node labels for affinity of the CephCSI RBD plugin DaemonSet [1] | nil
csi.pluginPriorityClassName | PriorityClassName to be set on csi driver plugin pods | "system-node-critical"
csi.pluginTolerations | Array of tolerations in YAML format which will be added to CephCSI plugin DaemonSet | nil
csi.provisioner.repository | Kubernetes CSI provisioner image repository | "registry.k8s.io/sig-storage/csi-provisioner"
csi.provisioner.tag | Provisioner image tag | "v5.0.1"
csi.provisionerNodeAffinity | The node labels for affinity of the CSI provisioner deployment [1] | nil
csi.provisionerPriorityClassName | PriorityClassName to be set on csi driver provisioner pods | "system-cluster-critical"
csi.provisionerReplicas | Set replicas for csi provisioner deployment | 2
csi.provisionerTolerations | Array of tolerations in YAML format which will be added to CSI provisioner deployment | nil
csi.rbdAttachRequired | Whether to skip any attach operation altogether for RBD PVCs. See more details here. If set to false it skips the volume attachments and makes the creation of pods using the RBD PVC fast. WARNING It's highly discouraged to use this for RWO volumes as it can cause data corruption. csi-addons operations like Reclaimspace and PVC Keyrotation will also not be supported if set to false since we'll have no VolumeAttachments to determine which node the PVC is mounted on. Refer to this issue for more details. | true
csi.rbdFSGroupPolicy | Policy for modifying a volume's ownership or permissions when the RBD PVC is being mounted. Supported values are documented at https://kubernetes-csi.github.io/docs/support-fsgroup.html | "File"
csi.rbdLivenessMetricsPort | Ceph CSI RBD driver metrics port | 8080
csi.rbdPluginUpdateStrategy | CSI RBD plugin daemonset update strategy, supported values are OnDelete and RollingUpdate | RollingUpdate
csi.rbdPluginUpdateStrategyMaxUnavailable | A maxUnavailable parameter of CSI RBD plugin daemonset update strategy. | 1
csi.rbdPodLabels | Labels to add to the CSI RBD Deployments and DaemonSets Pods | nil
csi.registrar.repository | Kubernetes CSI registrar image repository | "registry.k8s.io/sig-storage/csi-node-driver-registrar"
csi.registrar.tag | Registrar image tag | "v2.11.1"
csi.resizer.repository | Kubernetes CSI resizer image repository | "registry.k8s.io/sig-storage/csi-resizer"
csi.resizer.tag | Resizer image tag | "v1.11.1"
csi.serviceMonitor.enabled | Enable ServiceMonitor for Ceph CSI drivers | false
csi.serviceMonitor.interval | Service monitor scrape interval | "10s"
csi.serviceMonitor.labels | ServiceMonitor additional labels | {}
csi.serviceMonitor.namespace | Use a different namespace for the ServiceMonitor | nil
csi.sidecarLogLevel | Set logging level for Kubernetes-csi sidecar containers. Supported values from 0 to 5. 0 for general useful logs (the default), 5 for trace level verbosity. | 0
csi.snapshotter.repository | Kubernetes CSI snapshotter image repository | "registry.k8s.io/sig-storage/csi-snapshotter"
csi.snapshotter.tag | Snapshotter image tag | "v8.0.1"
csi.topology.domainLabels | domainLabels define which node labels to use as domains for CSI nodeplugins to advertise their domains | nil
csi.topology.enabled | Enable topology based provisioning | false
currentNamespaceOnly | Whether the operator should watch cluster CRD in its own namespace or not | false
disableDeviceHotplug | Disable automatic orchestration when new devices are discovered. | false
discover.nodeAffinity | The node labels for affinity of discover-agent [1] | nil
discover.podLabels | Labels to add to the discover pods | nil
discover.resources | Add resources to discover daemon pods | nil
discover.toleration | Toleration for the discover pods. Options: NoSchedule, PreferNoSchedule or NoExecute | nil
discover.tolerationKey | The specific key of the taint to tolerate | nil
discover.tolerations | Array of tolerations in YAML format which will be added to discover deployment | nil
discoverDaemonUdev | Blacklist certain disks according to the regex provided. | nil
discoveryDaemonInterval | Set the discovery daemon device discovery interval (default to 60m) | "60m"
enableDiscoveryDaemon | Enable discovery daemon | false
enableOBCWatchOperatorNamespace | Whether the OBC provisioner should watch on the operator namespace or not, if not the namespace of the cluster will be used | true
enforceHostNetwork | Whether to create all Rook pods to run on the host network, for example in environments where a CNI is not enabled | false
hostpathRequiresPrivileged | Runs Ceph Pods as privileged to be able to write to hostPaths in OpenShift with SELinux restrictions. | false
image.pullPolicy | Image pull policy | "IfNotPresent"
image.repository | Image | "docker.io/rook/ceph"
image.tag | Image tag | master
imagePullSecrets | imagePullSecrets option allow to pull docker images from private docker registry. Option will be passed to all service accounts. | nil
logLevel | Global log level for the operator. Options: ERROR, WARNING, INFO, DEBUG | "INFO"
monitoring.enabled | Enable monitoring. Requires Prometheus to be pre-installed. Enabling will also create RBAC rules to allow Operator to create ServiceMonitors | false
nodeSelector | Kubernetes nodeSelector to add to the Deployment. | {}
obcProvisionerNamePrefix | Specify the prefix for the OBC provisioner in place of the cluster namespace | ceph cluster namespace
priorityClassName | Set the priority class for the rook operator deployment if desired | nil
pspEnable | If true, create & use PSP resources | false
rbacAggregate.enableOBCs | If true, create a ClusterRole aggregated to user facing roles for objectbucketclaims | false
rbacEnable | If true, create & use RBAC resources | true
resources | Pod resource requests & limits | {"limits":{"memory":"512Mi"},"requests":{"cpu":"200m","memory":"128Mi"}}
revisionHistoryLimit | The revision history limit for all pods created by Rook. If blank, the K8s default is 10. | nil
scaleDownOperator | If true, scale down the rook operator. This is useful for administrative actions where the rook operator must be scaled down, while using gitops style tooling to deploy your helm charts. | false
tolerations | List of Kubernetes tolerations to add to the Deployment. | []
unreachableNodeTolerationSeconds | Delay to use for the node.kubernetes.io/unreachable pod failure toleration to override the Kubernetes default of 5 minutes | 5
useOperatorHostNetwork | If true, run rook operator on the host network | nil
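
An added example, not part of the Rook chart or its documentation: a small Python audit that reads the effective values of an installed release as JSON and reports where security-relevant parameters from the table above depart from their documented defaults. The rule list, the function names, the connections_encrypted argument and the sample values are assumptions made for this illustration.

```python
import json

# Constructed sample of `helm get values --all -o json --namespace rook-ceph rook-ceph`.
SAMPLE = json.loads("""{
  "allowLoopDevices": true,
  "hostpathRequiresPrivileged": false,
  "containerSecurityContext": {"capabilities": {"drop": []}, "runAsNonRoot": true},
  "crds": {"enabled": true},
  "csi": {"rbdAttachRequired": "false", "cephFSKernelMountOptions": null}
}""")

# Chart key -> (default documented in the table, why leaving it matters).
RULES = {
    "allowLoopDevices": (False, "loop devices are meant for test clusters"),
    "hostpathRequiresPrivileged": (False, "Ceph pods run privileged"),
    "crds.enabled": (True, "disabling after first deployment may destroy the cluster"),
    "csi.rbdAttachRequired": (True, "skipping attach on RWO volumes can corrupt data"),
    "csi.cephFSAttachRequired": (True, "highly discouraged for CephFS RWO volumes"),
    "containerSecurityContext.runAsNonRoot": (True, "operator may run as root"),
}

def lookup(values, dotted, default):
    # Walk a dotted key; an unset or null value falls back to the default.
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or node.get(part) is None:
            return default
        node = node[part]
    return node

def truthy(value):
    # The chart mixes booleans with strings such as "false"; accept both.
    return str(value).strip().lower() == "true"

def audit(values, connections_encrypted=False):
    findings = []
    for key, (default, why) in RULES.items():
        if truthy(lookup(values, key, default)) != default:
            findings.append(f"{key} != {str(default).lower()}: {why}")
    if "ALL" not in lookup(values, "containerSecurityContext.capabilities.drop", ["ALL"]):
        findings.append("containerSecurityContext.capabilities.drop lacks ALL")
    # connections_encrypted mirrors connections.encrypted in the CephCluster CR.
    opts = lookup(values, "csi.cephFSKernelMountOptions", "")
    if connections_encrypted and "ms_mode=secure" not in opts:
        findings.append("csi.cephFSKernelMountOptions lacks ms_mode=secure")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, connections_encrypted=True)))
```

Passing connections_encrypted=True is only meaningful when the CephCluster CR enables connections.encrypted, which is not visible in the operator chart's values.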

Development Build

To deploy from a local build from your development environment:

  1. Build the Rook docker image: make
  2. Copy the image to your K8s cluster, such as with the docker save then the docker load commands
  3. Install the helm chart:
cd deploy/charts/rook-ceph
helm install --create-namespace --namespace rook-ceph rook-ceph .

Uninstalling the Chart

To see the currently installed Rook chart:

helm ls --namespace rook-ceph

To uninstall/delete the rook-ceph deployment:

helm delete --namespace rook-ceph rook-ceph

The command removes all the Kubernetes components associated with the chart and deletes the release.

After uninstalling you may want to clean up the CRDs as described on the teardown documentation.


  1. nodeAffinity and *NodeAffinity options should have the format "role=storage,rook; storage=ceph" or storage;role=rook-example or storage; (checks only for presence of key)