# Rook-Ceph (/docs/runtime/components/rook-ceph)

> **Technical preview**
> Rook-Ceph is available as a technical preview. It is deployed alongside MinIO during a phased migration, and the STS-based S3 access path (`rgw s3 auth use sts`) is staged but not yet active — current S3 access uses static RGW credentials. Behavior and configuration may change before general availability.

## Component Category

Data and storage / object and file storage

## Component Description

Rook-Ceph is the Rook operator running a Ceph cluster on Kubernetes. It provides CephFS for shared file storage and a RADOS Gateway (RGW) endpoint for S3-compatible object storage. In the platform it is being introduced as the successor to MinIO for S3-compatible object storage.

## Why It Is Used

In BullSequana AI Runtime, Rook-Ceph provides a Kubernetes-native, scalable, and operator-managed storage layer that replaces MinIO for S3-compatible workloads while also exposing CephFS for shared file storage. It is deployed because the upstream MinIO open-source distribution has been deprecated, and the platform needs a long-term storage substrate that integrates with the existing identity, ingress, and certificate-management components.

## Learn More

* [Rook documentation](https://rook.io/docs/rook/latest/)
* [rook/rook on GitHub](https://github.com/rook/rook)
* [Ceph documentation](https://docs.ceph.com/)

## S3 Access Model

Two S3 access paths are configured on the RGW:

* **Static access keys** — the active path. A bootstrap job creates a dedicated RGW user and writes its access key and secret to the `rook-ceph-rgw-bootstrap` secret in the `rook-ceph` namespace. Workloads and operators consume those credentials directly.
* **STS / Keycloak-federated access** — staged but inactive (`sts=false`). The path is wired so it can be enabled once the federated flow is validated.

For the validation procedure used to confirm static-key access end to end, see [Rook-Ceph RGW S3 access](/docs/deployment/playbooks/rook-ceph-rgw-s3-access).

## Dashboard Access

The Ceph dashboard is exposed through NGINX ingress and protected by an `oauth2-proxy` instance that delegates authentication to Keycloak. A dedicated Keycloak client is created during deployment.

## Operational Notes

* An orphan-cleaner cronjob runs in the `rook-ceph` namespace and removes pods that remain bound to non-existent nodes, which would otherwise block component startup after node turnover.
* CephFS is exposed through one or more Kubernetes `StorageClass` resources for dynamic `PersistentVolumeClaim` provisioning.
* TLS for RGW and dashboard endpoints is issued by cert-manager.
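The orphan-cleaner's selection rule, as an added stand-alone illustration (not the platform's own cronjob code): compare each pod's `spec.nodeName` against the set of nodes that currently exist and report the pods left behind, while leaving unscheduled pods (no `nodeName` yet) alone. The node and pod documents below are constructed samples shaped like `kubectl get ... -o json` output, reduced to the fields the check needs; the function `plan_deletions` only renders the `kubectl delete` commands as strings for review, it does not run them.

```python
"""Identify pods bound to nodes that no longer exist (orphan-cleaner selection rule).

Added example with constructed sample data; it does not talk to a cluster.
"""
import json

# Constructed sample of `kubectl get nodes -o json`, reduced to the fields used here.
SAMPLE_NODES = json.dumps({
    "items": [
        {"metadata": {"name": "worker-1"}},
        {"metadata": {"name": "worker-2"}},
    ]
})

# Constructed sample of `kubectl get pods -n rook-ceph -o json`, reduced likewise.
# worker-9 has been removed from the cluster; the mon pod has not been scheduled yet.
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"name": "rook-ceph-osd-0-abc", "namespace": "rook-ceph"},
         "spec": {"nodeName": "worker-1"}, "status": {"phase": "Running"}},
        {"metadata": {"name": "rook-ceph-osd-1-def", "namespace": "rook-ceph"},
         "spec": {"nodeName": "worker-9"}, "status": {"phase": "Running"}},
        {"metadata": {"name": "rook-ceph-mon-a-ghi", "namespace": "rook-ceph"},
         "spec": {}, "status": {"phase": "Pending"}},
    ]
})


def node_names(nodes_json: str) -> set:
    """Set of node names present in a NodeList document."""
    return {node["metadata"]["name"] for node in json.loads(nodes_json)["items"]}


def orphaned_pods(pods_json: str, live_nodes: set) -> list:
    """Return (namespace, name) for every pod whose spec.nodeName is not a live node.

    A pod with no nodeName has simply not been scheduled; it is not an orphan and is
    skipped so the cleaner never deletes pods that are still waiting for placement.
    """
    orphans = []
    for pod in json.loads(pods_json)["items"]:
        node = pod.get("spec", {}).get("nodeName")
        if node and node not in live_nodes:
            meta = pod["metadata"]
            orphans.append((meta["namespace"], meta["name"]))
    return orphans


def plan_deletions(pods_json: str, nodes_json: str) -> list:
    """Render the delete commands a cleaner would issue, one per orphaned pod.

    Returned as strings for review only; nothing is executed here.
    """
    live = node_names(nodes_json)
    return [
        f"kubectl delete pod -n {ns} {name}"
        for ns, name in orphaned_pods(pods_json, live)
    ]


if __name__ == "__main__":
    for cmd in plan_deletions(SAMPLE_PODS, SAMPLE_NODES):
        print(cmd)
```

Running the module prints a single planned deletion for `rook-ceph-osd-1-def`; the pending mon pod is left untouched because it has no node binding to be orphaned from.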

## Interacts With

* `cert-manager`, which issues and renews TLS certificates for RGW and dashboard endpoints.
* `NGINX` and `External DNS`, which expose the RGW S3 endpoint and the Ceph dashboard.
* `Keycloak`, which authenticates dashboard access through `oauth2-proxy` and is the planned identity provider for the future STS-based S3 access path.
* `MinIO`, which it is progressively replacing as the platform's S3-compatible object storage.
* `Reflector`, which is used to propagate selected secrets across namespaces during deployment.
