Re: ceph pv

2017-01-09 Thread Philippe Lafoucrière
On Mon, Jan 9, 2017 at 3:42 AM, James Eckersall wrote:

> Our use case would be utilisation of openshift clusters with untrusted
> clients in distinct projects, so we’re trying to ensure they can’t access
> each other's storage.


We are in the same situation, and we generally let our clients access their
projects without permissions for secrets :)
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
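
The reply above comes down to giving tenants a project role that carries no
read access to secrets. One way to check a role for that, as an added example
that is not part of the original thread: the role names and rules below are
constructed, and a rule without apiGroups is assumed to mean the core group.

```python
"""Check which tenant roles can read a named secret (e.g. the Ceph key)."""

READ_VERBS = {"get", "list", "watch"}


def verbs_on_secret(rule, secret_name):
    """Return the read verbs one policy rule grants on `secret_name`."""
    groups = rule.get("apiGroups", [""])  # assumption: missing means core group
    if "" not in groups and "*" not in groups:
        return set()  # secrets live in the core ("") API group
    if not {"secrets", "*"} & set(rule.get("resources", [])):
        return set()
    names = rule.get("resourceNames")
    if names and secret_name not in names:
        return set()  # rule is pinned to other secret names
    verbs = set(rule.get("verbs", []))
    return set(READ_VERBS) if "*" in verbs else verbs & READ_VERBS


def audit(roles, secret_name):
    """Map each role name to the sorted read verbs it grants on the secret."""
    return {
        name: sorted(set().union(*(verbs_on_secret(r, secret_name) for r in rules)))
        for name, rules in roles.items()
    }


# Constructed sample roles (hypothetical names), shaped like RBAC policy rules.
ROLES = {
    "tenant-full": [
        {"apiGroups": [""], "resources": ["pods", "services", "secrets"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
    ],
    "tenant-wildcard": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
    "tenant-no-secrets": [
        {"apiGroups": [""], "resources": ["pods", "persistentvolumeclaims"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
    ],
    "tenant-pull-secret-only": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["registry-pull"], "verbs": ["get"]},
    ],
}

if __name__ == "__main__":
    for role, verbs in audit(ROLES, "ceph-secret").items():
        print(f"{role}: {'EXPOSES ' + ','.join(verbs) if verbs else 'no read access'}")
```

Any role that reports read verbs here would let its holders read the key
referenced by secretRef in the PV.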


Re: Link to other files in yaml configuration

2017-01-09 Thread Philippe Lafoucrière
On Mon, Jan 9, 2017 at 3:18 PM, Ben Parees wrote:

> or references to secrets from within the DC?


Sorry, I meant routes, I mixed up two messages.
So no, I don't think I can use a secret in a route :)

Going with a template is probably the only way to achieve this.

Thanks!


Re: Link to other files in yaml configuration

2017-01-09 Thread Ben Parees
or references to secrets from within the DC?


On Mon, Jan 9, 2017 at 3:00 PM, Jessica Forrester wrote:

> Any reason you can't do this using a Template with the certs as parameters?
>
> On Mon, Jan 9, 2017 at 2:55 PM, Jordan Liggitt wrote:
>
>> Not in API object definitions, no.
>>
>> On Mon, Jan 9, 2017 at 2:52 PM, Philippe Lafoucrière <
>> philippe.lafoucri...@tech-angels.com> wrote:
>>
>>> Hi,
>>>
>>> Does anyone know if I can use external files in a yaml file?
>>> I'd like to keep out the certificate files (crt, CA and key) from my
>>> DeploymentConfig yaml file.
>>>
>>> Thanks!
>>> Philippe


-- 
Ben Parees | OpenShift


Re: Link to other files in yaml configuration

2017-01-09 Thread Jessica Forrester
Any reason you can't do this using a Template with the certs as parameters?

On Mon, Jan 9, 2017 at 2:55 PM, Jordan Liggitt wrote:

> Not in API object definitions, no.
>
> On Mon, Jan 9, 2017 at 2:52 PM, Philippe Lafoucrière <
> philippe.lafoucri...@tech-angels.com> wrote:
>
>> Hi,
>>
>> Does anyone know if I can use external files in a yaml file?
>> I'd like to keep out the certificate files (crt, CA and key) from my
>> DeploymentConfig yaml file.
>>
>> Thanks!
>> Philippe


Link to other files in yaml configuration

2017-01-09 Thread Philippe Lafoucrière
Hi,

Does anyone know if I can use external files in a yaml file?
I'd like to keep out the certificate files (crt, CA and key) from my
DeploymentConfig yaml file.

Thanks!
Philippe


Re: Link to other files in yaml configuration

2017-01-09 Thread Jordan Liggitt
Not in API object definitions, no.

On Mon, Jan 9, 2017 at 2:52 PM, Philippe Lafoucrière <
philippe.lafoucri...@tech-angels.com> wrote:

> Hi,
>
> Does anyone know if I can use external files in a yaml file?
> I'd like to keep out the certificate files (crt, CA and key) from my
> DeploymentConfig yaml file.
>
> Thanks!
> Philippe


ceph pv

2017-01-09 Thread James Eckersall

Hi,

Looking for some feedback with regards to utilisation of RBD devices as
PVs in the area of a multi-tenanted openshift platform.


At present, it appears you need to define the secret as such within a PV 
declaration


apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-pv
spec:
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  rbd:
    monitors:
      - 192.168.122.133:6789
    pool: rbd
    image: ceph-image
    user: admin
    secretRef:
      name: ceph-secret
    fsType: ext4
    readOnly: false
  persistentVolumeReclaimPolicy: Recycle

This means the following (unless I’m missing something!)

o) ‘ceph-secret’ needs to exist within the correct project/name-space 
that wants to create a PVC against a RBD-backed-PV.  I can’t see a way 
to have a general secret (for example, located within the openshift 
namespace)


o) On this basis – it means the contents of ceph-secret can be read by 
any project that requires access to the storage system?  (And thus 
expose the required keys to mount any volumes within that pool space).  
Or is there a way to make it so only the openshift processes (and not 
the user) can read the contents of ceph-secret?


Our use case would be utilisation of openshift clusters with untrusted
clients in distinct projects, so we’re trying to ensure they can’t
access each other's storage.


Any input appreciated – cheers!

James.
