Rook-Ceph

Kubernetes-native CephFS and S3-compatible object storage component, deployed as a successor to MinIO.

Agentic Friendly

Technical preview

Rook-Ceph is available as a technical preview. It is deployed alongside MinIO during a phased migration, and the STS-based S3 access path (rgw s3 auth use sts) is staged but not yet active — current S3 access uses static RGW credentials. Behavior and configuration may change before general availability.

Component Category

Data and storage / object and file storage

Component Description

Rook-Ceph is the Rook operator running a Ceph cluster on Kubernetes. It provides CephFS for shared file storage and a RADOS Gateway (RGW) endpoint for S3-compatible object storage. In the platform it is being introduced as the successor to MinIO for S3-compatible object storage.

Why It Is Used

In BullSequana AI Runtime, Rook-Ceph provides a Kubernetes-native, scalable, and operator-managed storage layer that replaces MinIO for S3-compatible workloads while also exposing CephFS for shared file storage. It is deployed because the upstream MinIO open-source distribution has been deprecated, and the platform needs a long-term storage substrate that integrates with the existing identity, ingress, and certificate-management components.

Learn More

S3 Access Model

Two S3 access paths are configured on the RGW:

  • Static access keys — the active path. A bootstrap job creates a dedicated RGW user and writes its access key and secret to the rook-ceph-rgw-bootstrap secret in the rook-ceph namespace. Workloads and operators consume those credentials directly.
  • STS / Keycloak-federated access — staged but inactive (sts=false). The path is wired so it can be enabled once the federated flow is validated.

For the validation procedure used to confirm static-key access end to end, see Rook-Ceph RGW S3 access.
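As an added example (not code from the platform, the Rook project, or the linked validation procedure), the following shows what consuming the static-key path looks like in practice: decode the access key and secret from a secret shaped like rook-ceph-rgw-bootstrap, then build an AWS Signature Version 4 request that an RGW accepts under static credentials. Everything concrete here is constructed: the secret's key names (AccessKey/SecretKey), the credential values, the endpoint hostname rgw.example.internal, the bucket name, and the region string (which must match what the RGW zonegroup is configured to accept; verify that for the real deployment). Only the Python standard library is used, so it runs offline.

```python
"""Added example: consume static RGW credentials and sign an S3 request (SigV4).

Not part of the BullSequana AI Runtime documentation or the Rook project.
Secret layout, credential values, hostname, bucket and region are constructed.
"""
import base64
import datetime
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed stand-in for:
#   kubectl -n rook-ceph get secret rook-ceph-rgw-bootstrap -o json
# The data key names and values are assumptions, not the platform's real ones.
SECRET_JSON = json.dumps({
    "metadata": {"name": "rook-ceph-rgw-bootstrap", "namespace": "rook-ceph"},
    "data": {
        "AccessKey": base64.b64encode(b"EXAMPLEACCESSKEY").decode(),
        "SecretKey": base64.b64encode(b"examplesecretkey-not-real").decode(),
    },
})


def load_static_credentials(secret_json: str) -> tuple:
    """Return (access_key, secret_key) base64-decoded from a Kubernetes Secret document."""
    data = json.loads(secret_json)["data"]
    return (base64.b64decode(data["AccessKey"]).decode(),
            base64.b64decode(data["SecretKey"]).decode())


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(access_key, secret_key, method, host, path, body=b"",
                  region="default", when=None):
    """Build Host, x-amz-date, x-amz-content-sha256 and Authorization headers (SigV4, service s3).

    `region` is assumed to be the value the RGW accepts; adjust it for the real zonegroup.
    """
    when = when or datetime.datetime.now(datetime.timezone.utc)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body).hexdigest()

    # Canonical request: method, URI, query (none here), headers, signed-header list, payload hash.
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    canonical_request = "\n".join([method, quote(path, safe="/"), "", canonical_headers,
                                   signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Derive the signing key from the static secret: date -> region -> service -> request.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    k_signing = _hmac_sha256(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    return {
        "Host": host,
        "x-amz-date": amz_date,
        "x-amz-content-sha256": payload_hash,
        "Authorization": (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                          f"SignedHeaders={signed_headers}, Signature={signature}"),
    }


def example_list_bucket_headers():
    """Headers for a GET on a constructed bucket at a fixed timestamp (deterministic)."""
    access_key, secret_key = load_static_credentials(SECRET_JSON)
    when = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)
    return sigv4_headers(access_key, secret_key, "GET", "rgw.example.internal",
                         "/my-bucket/", when=when)


if __name__ == "__main__":
    for name, value in example_list_bucket_headers().items():
        print(f"{name}: {value}")
```

To send the request, pass these headers to urllib.request (or any HTTP client) against the RGW endpoint exposed through NGINX; because the credential is a long-lived static key, the secret should be read only by the workloads that need it and rotated when the STS path is enabled.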

Dashboard Access

The Ceph dashboard is exposed through NGINX ingress and protected by an oauth2-proxy instance that delegates authentication to Keycloak. A dedicated Keycloak client is created during deployment.

Operational Notes

  • An orphan-cleaner cronjob runs in the rook-ceph namespace and removes pods that remain bound to non-existent nodes, which would otherwise block component startup after node turnover.
  • CephFS is exposed through one or more Kubernetes StorageClass resources for dynamic PersistentVolumeClaim provisioning.
  • TLS for RGW and dashboard endpoints is issued by cert-manager.
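The orphan-cleaner behaviour in the first note above comes down to one check: a pod whose spec.nodeName refers to a node that no longer exists. The following is an added example of that selection logic, not the platform's own cronjob; it runs over constructed pod and node documents shaped like the output of `kubectl get pods -o json` and `kubectl get nodes -o json`, and only prints the deletions it would perform. Pod and node names are made up.

```python
"""Added example: select pods bound to non-existent nodes (the orphan-cleaner check).

Not the platform's cronjob; input documents below are constructed.
"""
import json

# Constructed stand-in for `kubectl get nodes -o json`.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "worker-1"}},
    {"metadata": {"name": "worker-2"}},
]})

# Constructed stand-in for `kubectl get pods -A -o json` after node turnover:
# worker-9 has been removed from the cluster but two pods still reference it.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "rook-ceph-osd-0-aaaa", "namespace": "rook-ceph"},
     "spec": {"nodeName": "worker-1"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "rook-ceph-osd-1-bbbb", "namespace": "rook-ceph"},
     "spec": {"nodeName": "worker-9"}, "status": {"phase": "Running"}},
    {"metadata": {"name": "rook-ceph-mon-a-cccc", "namespace": "rook-ceph"},
     "spec": {}, "status": {"phase": "Pending"}},            # not yet scheduled
    {"metadata": {"name": "app-dddd", "namespace": "default"},
     "spec": {"nodeName": "worker-9"}, "status": {"phase": "Running"}},  # other namespace
]})


def find_orphaned_pods(pods_json: str, nodes_json: str, namespace: str = "rook-ceph") -> list:
    """Return (namespace, pod, node) for pods in `namespace` bound to a node that no longer exists."""
    live_nodes = {n["metadata"]["name"] for n in json.loads(nodes_json)["items"]}
    orphans = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        if meta["namespace"] != namespace:
            continue                      # scope the cleaner to the namespace it owns
        node = pod.get("spec", {}).get("nodeName")
        if not node:
            continue                      # unscheduled pods are not orphans
        if node not in live_nodes:
            orphans.append((meta["namespace"], meta["name"], node))
    return orphans


def deletion_commands(orphans: list) -> list:
    """Render the deletions a cleaner would issue for each orphan."""
    return [f"kubectl -n {ns} delete pod {name} --wait=false" for ns, name, _node in orphans]


if __name__ == "__main__":
    for command in deletion_commands(find_orphaned_pods(PODS_JSON, NODES_JSON)):
        print(command)
```

A real cleaner running as a CronJob should do this through the API with a ServiceAccount limited to listing nodes and listing/deleting pods in the rook-ceph namespace, and should skip pods that have no nodeName so that pending pods are never removed.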

Interacts With

  • cert-manager, which issues and renews TLS certificates for RGW and dashboard endpoints.
  • NGINX and External DNS, which expose the RGW S3 endpoint and the Ceph dashboard.
  • Keycloak, which authenticates dashboard access through oauth2-proxy and is the planned identity provider for the future STS-based S3 access path.
  • MinIO, which it is progressively replacing as the platform's S3-compatible object storage.
  • Reflector, which is used to propagate selected secrets across namespaces during deployment.