Rook-Ceph
Kubernetes-native CephFS and S3-compatible object storage component, deployed as a successor to MinIO.
Technical preview
Rook-Ceph is available as a technical preview. It is deployed alongside MinIO during a phased migration, and the STS-based S3 access path (`rgw s3 auth use sts`) is staged but not yet active; current S3 access uses static RGW credentials. Behavior and configuration may change before general availability.
Component Category
Data and storage / object and file storage
Component Description
Rook-Ceph is the Rook operator running a Ceph cluster on Kubernetes. It provides CephFS for shared file storage and a RADOS Gateway (RGW) endpoint for S3-compatible object storage. In the platform it is being introduced as the successor to MinIO for S3-compatible object storage.
Why It Is Used
In BullSequana AI Runtime, Rook-Ceph provides a Kubernetes-native, scalable, and operator-managed storage layer that replaces MinIO for S3-compatible workloads while also exposing CephFS for shared file storage. It is deployed because the upstream MinIO open-source distribution has been deprecated, and the platform needs a long-term storage substrate that integrates with the existing identity, ingress, and certificate-management components.
Learn More
S3 Access Model
Two S3 access paths are configured on the RGW:
- Static access keys — the active path. A bootstrap job creates a dedicated RGW user and writes its access key and secret to the `rook-ceph-rgw-bootstrap` secret in the `rook-ceph` namespace. Workloads and operators consume those credentials directly.
- STS / Keycloak-federated access — staged but inactive (`sts=false`). The path is wired so it can be enabled once the federated flow is validated.
For the validation procedure used to confirm static-key access end to end, see Rook-Ceph RGW S3 access.
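The static-key path above means every S3 client on the platform turns the bootstrap secret into SigV4-signed requests against the RGW endpoint. The following is an added example, not code from the platform or from Rook/Ceph: it decodes a constructed stand-in for the `rook-ceph-rgw-bootstrap` secret (the `AccessKey`/`SecretKey` data keys and the `rgw.example.internal` hostname are assumptions, not values from this page) and produces the headers a ListBuckets call would carry, using only the standard library. It shows which field is the long-lived sensitive material (the secret key never leaves the signing step; only the derived signature goes on the wire), which is the thing to watch for in logs and pod specs while this path remains active.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed stand-in for `kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap -o json`.
# The data key names (AccessKey / SecretKey) are an assumption; check the real secret's keys.
BOOTSTRAP_SECRET = {
    "metadata": {"name": "rook-ceph-rgw-bootstrap", "namespace": "rook-ceph"},
    "data": {
        "AccessKey": base64.b64encode(b"EXAMPLEACCESSKEY").decode(),
        "SecretKey": base64.b64encode(b"EXAMPLESECRETKEYEXAMPLESECRETKEY").decode(),
    },
}


def load_rgw_credentials(secret: dict) -> tuple:
    """Base64-decode the RGW access key and secret key from a Kubernetes Secret object."""
    data = secret["data"]
    return (
        base64.b64decode(data["AccessKey"]).decode(),
        base64.b64decode(data["SecretKey"]).decode(),
    )


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_s3_request(access_key: str, secret_key: str, method: str, host: str, path: str,
                    query: str = "", payload: bytes = b"", region: str = "us-east-1",
                    when: datetime.datetime = None) -> dict:
    """Build AWS SigV4 headers for a request to an S3-compatible endpoint such as Ceph RGW.

    Only the derived signature is returned; the secret key is used solely to seed the
    signing-key derivation and never appears in any header.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = _sha256_hex(payload)

    # Canonical request: method, URI, query, headers (each line newline-terminated),
    # blank line, signed-header list, payload hash.
    canonical_headers = (
        f"host:{host}\n"
        f"x-amz-content-sha256:{payload_hash}\n"
        f"x-amz-date:{amz_date}\n"
    )
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([
        method,
        urllib.parse.quote(path, safe="/"),
        query,
        canonical_headers,
        signed_headers,
        payload_hash,
    ])

    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())]
    )

    # Signing key derivation chain: date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


def demo() -> dict:
    """Sign a ListBuckets (GET /) request for an assumed RGW hostname at a fixed timestamp."""
    access_key, secret_key = load_rgw_credentials(BOOTSTRAP_SECRET)
    fixed = datetime.datetime(2024, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return sign_s3_request(access_key, secret_key, "GET", "rgw.example.internal", "/", when=fixed)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `Credential=` part of the Authorization header carries the access key in clear, so RGW access logs and ingress logs will show which bootstrap user made each request; that is the handle to pivot on when auditing who is consuming the static credentials before the STS path is enabled.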
Dashboard Access
The Ceph dashboard is exposed through NGINX ingress and protected by an oauth2-proxy instance that delegates authentication to Keycloak. A dedicated Keycloak client is created during deployment.
Operational Notes
- An orphan-cleaner cronjob runs in the `rook-ceph` namespace and removes pods that remain bound to non-existent nodes, which would otherwise block component startup after node turnover.
- CephFS is exposed through one or more Kubernetes `StorageClass` resources for dynamic `PersistentVolumeClaim` provisioning.
- TLS for RGW and dashboard endpoints is issued by cert-manager.
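The orphan-cleaner note above describes the selection rule but not how it is applied. The following is an added example, not the platform's cronjob or any Rook code: it runs the same rule over constructed pod and node listings (the shapes mirror `kubectl get pods -o json` and `kubectl get nodes`, but every name is made up) and emits the cleanup commands as a reviewable dry run instead of executing them. Unscheduled pods (no `spec.nodeName`) and pods outside the `rook-ceph` namespace are deliberately left alone, which is the distinction that keeps a cleaner like this from deleting the wrong thing.

```python
# Constructed inputs standing in for `kubectl get nodes` and
# `kubectl -n rook-ceph get pods -o json`; all names are made up.
KNOWN_NODES = {"worker-1", "worker-2"}
PODS = [
    {"metadata": {"name": "rook-ceph-osd-0-abc", "namespace": "rook-ceph"},
     "spec": {"nodeName": "worker-1"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "rook-ceph-osd-1-def", "namespace": "rook-ceph"},
     "spec": {"nodeName": "worker-9"}, "status": {"phase": "Running"}},   # node no longer exists
    {"metadata": {"name": "rook-ceph-mon-a-ghi", "namespace": "rook-ceph"},
     "spec": {}, "status": {"phase": "Pending"}},                          # not yet scheduled
    {"metadata": {"name": "other-app", "namespace": "default"},
     "spec": {"nodeName": "worker-9"}, "status": {"phase": "Running"}},    # outside our namespace
]


def find_orphan_pods(pods: list, known_nodes: set, namespace: str = "rook-ceph") -> list:
    """Return (pod name, node name) pairs for pods in `namespace` bound to a node that no longer exists.

    Pods without a nodeName are unscheduled rather than orphaned and are skipped, as are pods
    in other namespaces; the cleaner only has a mandate over its own namespace.
    """
    orphans = []
    for pod in pods:
        meta = pod["metadata"]
        node = pod.get("spec", {}).get("nodeName")
        if meta.get("namespace") != namespace or not node:
            continue
        if node not in known_nodes:
            orphans.append((meta["name"], node))
    return orphans


def cleanup_commands(orphans: list, namespace: str = "rook-ceph") -> list:
    """Render the deletions as kubectl commands so they can be reviewed before being run."""
    return [f"kubectl -n {namespace} delete pod {name} --wait=false" for name, _ in orphans]


if __name__ == "__main__":
    found = find_orphan_pods(PODS, KNOWN_NODES)
    for name, node in found:
        print(f"orphan: {name} (bound to missing node {node})")
    for cmd in cleanup_commands(found):
        print(cmd)
```

When the node is truly gone, the kubelet that would confirm termination is gone with it, so a plain delete can leave the pod in Terminating; a cleaner that runs unattended has to decide whether to force deletion, and that decision should be explicit in its configuration rather than implied.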
Interacts With
- cert-manager, which issues and renews TLS certificates for RGW and dashboard endpoints.
- NGINX and External DNS, which expose the RGW S3 endpoint and the Ceph dashboard.
- Keycloak, which authenticates dashboard access through oauth2-proxy and is the planned identity provider for the future STS-based S3 access path.
- MinIO, which it is progressively replacing as the platform's S3-compatible object storage.
- Reflector, which is used to propagate selected secrets across namespaces during deployment.