Remove tls configuration from minio chart for now
parent ac0cfab7b7
commit 440ed29531
@ -52,44 +52,6 @@ By default a pre-generated access and secret key will be used. To override the d
$ helm install --set accessKey=myaccesskey,secretKey=mysecretkey --generate-name minio/minio
```

### Updating MinIO configuration via Helm

[ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) allows injecting containers with configuration data even while a Helm release is deployed.

To update your MinIO server configuration while it is deployed in a release, you need to

1. Check all the configurable values in the MinIO chart using `helm inspect values minio/minio`.
2. Override the `minio_server_config` settings in a YAML formatted file, and then pass that file like this `helm upgrade -f config.yaml minio/minio`.
3. Restart the MinIO server(s) for the changes to take effect.

You can also check the history of upgrades to a release using `helm history my-release`. Replace `my-release` with the actual release name.

### Installing certificates from third party CAs

MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include Minio's own certificate with key `public.crt`, if it also needs to be trusted.

For instance, given that TLS is enabled and you need to add trust for Minio's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:

```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```

If TLS is not enabled, you would need only the third party CA:

```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```

The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:

```
trustedCertsSecret: "minio-trusted-certs"

or

--set trustedCertsSecret=minio-trusted-certs
```

Uninstalling the Chart
----------------------

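Review bot: this hunk removes more than the commit message says. Besides the "Installing certificates from third party CAs" section, the whole "Updating MinIO configuration via Helm" section (ConfigMap, `helm inspect values minio/minio`, `helm upgrade -f config.yaml minio/minio`) is dropped, and it has nothing to do with TLS; either keep it or state in the commit message that it goes too. If the trusted-CA feature is meant to return later, a one-line README note that the chart currently cannot trust a private CA for peers (the Keycloak example above) would save users who relied on `trustedCertsSecret` from hunting for a value that no longer exists.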
@ -134,11 +96,9 @@ The following table lists the configurable parameters of the MinIO chart and the
| `image.repository` | Image repository | `minio/minio` |
| `image.tag` | MinIO image tag. Possible values listed [here](https://hub.docker.com/r/minio/minio/tags/). | `RELEASE.2020-11-06T23-17-07Z` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `trustedCertsSecret` | Kubernetes secret with trusted certificates to be mounted on `{{ .Values.certsPath }}/CAs` | `""` |
| `extraArgs` | Additional command line arguments to pass to the MinIO server | `[]` |
| `accessKey` | Default access key (5 to 20 characters) | random 20 chars |
| `secretKey` | Default secret key (8 to 40 characters) | random 40 chars |
| `certsPath` | Default certs path location | `/etc/minio/certs` |
| `mountPath` | Default mount location for persistent drive | `/export` |
| `bucketRoot` | Directory from where minio should serve buckets. | Value of `.mountPath` |
| `persistence.enabled` | Use persistent volume to store data | `true` |
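Review bot: dropping the `trustedCertsSecret` and `certsPath` rows matches the rest of the change, but the `image.tag` row that stays still documents `RELEASE.2020-11-06T23-17-07Z`, while the values file hunk later in this diff pins `RELEASE.2020-11-19T23-48-16Z`. Since this table is being edited anyway, bring the documented default into line with the values file.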
@ -147,8 +107,6 @@ The following table lists the configurable parameters of the MinIO chart and the
| `persistence.storageClass` | Storage class name of PVC | `nil` |
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `persistence.subPath` | Mount a sub directory of the persistent volume if set | `""` |
| `tls.enabled` | Enable TLS for MinIO server | `false` |
| `tls.certSecret` | Kubernetes Secret with `public.crt` and `private.key` files. | `""` |
| `environment` | Set MinIO server relevant environment variables in `values.yaml` file. MinIO containers will be passed these variables when they start. | `MINIO_STORAGE_CLASS_STANDARD: EC:4"` |

Some of the parameters above map to the env variables defined in the [MinIO DockerHub image](https://hub.docker.com/r/minio/minio/).
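Review bot: with `tls.enabled` and `tls.certSecret` gone, the `environment` row becomes the last entry of the table and still carries a stray closing quote in its default, `MINIO_STORAGE_CLASS_STANDARD: EC:4"`; drop that quote while this block is being touched.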
@ -82,46 +82,3 @@ Properly format optional additional arguments to Minio binary
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}

{{/*
Formats volumeMount for Minio tls keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
mountPath: {{ $casPath }}
{{- end }}
{{- end -}}

{{/*
Formats volume for Minio tls keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolume" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: public.crt
- key: {{ .Values.tls.privateKey }}
path: private.key
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
- name: trusted-cert-secret-volume
secret:
secretName: {{ $certSecret }}
{{- if ne $publicCrt "" }}
items:
- key: {{ $publicCrt }}
path: public.crt
{{- end }}
{{- end }}
{{- end -}}
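Review bot: deleting the `minio.tlsKeysVolumeMount` and `minio.tlsKeysVolume` named templates is only safe if every `include` of them goes in the same commit. The Deployment hunks below remove their two includes, but the values file in this diff still talks about distributed mode and a StatefulSet update strategy, so check whether a StatefulSet (or any other) template also includes these names: a leftover `include "minio.tlsKeysVolume"` makes `helm template` fail with a template-not-found error rather than degrading gracefully.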
@ -1,7 +1,4 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
apiVersion: {{ template "minio.deployment.apiVersion" . }}
kind: Deployment
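Review bot: after this hunk `$scheme` is assigned `"http"` and never changed, yet it is still used for the container port name further down. If the variable is kept as the hook for bringing TLS back, leave a one-line comment saying so; otherwise inline the literal, because a variable that can only ever be `http` reads as if a branch went missing.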
@ -14,12 +11,7 @@ metadata:
heritage: {{ .Release.Service }}
spec:
strategy:
type: {{ .Values.DeploymentUpdate.type }}
{{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ .Values.DeploymentUpdate.maxSurge }}
maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }}
{{- end}}
type: {{ .Values.updateStrategy }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
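Review bot: replacing the `DeploymentUpdate` block with `type: {{ .Values.updateStrategy }}` is unrelated to TLS and changes upgrade behaviour: the explicit `maxSurge` / `maxUnavailable` settings are dropped, so rolling updates fall back to the Kubernetes defaults instead of the values the chart shipped with. Either split this into its own commit or keep the `rollingUpdate` block, and grep the remaining templates and the README parameter table for `DeploymentUpdate` / `StatefulSetUpdate` references that this hunk orphans.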
@ -42,7 +34,7 @@ spec:
command:
- "/bin/sh"
- "-ce"
- "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
- "/usr/bin/docker-entrypoint.sh minio -S server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
volumeMounts:
{{- if .Values.persistence.enabled }}
- name: export
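Review bot: the new command line is broken. `minio -S server {{ $bucketRoot }}` keeps the `-S` flag (short form of `--certs-dir`) but removes its value, so `server` is consumed as the certs directory and the bucket root is then parsed as the subcommand. Drop the flag entirely: `- "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"`. Worth a `helm template` plus a real install before merge, since nothing in the chart catches this until the pod crash-loops.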
@ -51,7 +43,6 @@ spec:
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
ports:
- name: {{ $scheme }}
containerPort: 9000
@ -81,4 +72,3 @@ spec:
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
@ -1,7 +1,4 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
apiVersion: v1
kind: Service
metadata:
@ -5,14 +5,6 @@ image:
tag: RELEASE.2020-11-19T23-48-16Z
pullPolicy: IfNotPresent

## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
## client used to create a default bucket).
##
mcImage:
repository: minio/mc
tag: RELEASE.2020-11-17T00-39-14Z
pullPolicy: IfNotPresent

## Set default image, imageTag, and imagePullPolicy for the `jq` (the JSON
## process used to create secret for prometheus ServiceMonitor).
##
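Review bot: removing the `mcImage` block is not TLS-related, and if the bucket-creation job the comment refers to still reads `.Values.mcImage.repository` / `.tag` / `.pullPolicy`, rendering fails with a nil-pointer evaluation error because the parent key no longer exists. Either keep `mcImage` or remove the job that uses it in the same commit, and mention it in the commit message.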
@ -24,15 +16,7 @@ helmKubectlJqImage:
## Additional arguments to pass to minio binary
extraArgs: []

## Update strategy for Deployments
DeploymentUpdate:
type: RollingUpdate
maxUnavailable: 0
maxSurge: 100%

## Update strategy for StatefulSets
StatefulSetUpdate:
updateStrategy: RollingUpdate
updateStrategy: RollingUpdate

## Set default accesskey, secretkey, Minio config file path, volume mount path and
## number of nodes (only used for Minio distributed mode)
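Review bot: the two `updateStrategy: RollingUpdate` lines here are the old nested `StatefulSetUpdate.updateStrategy` and the new top-level key. The top-level key is consumed by the Deployment hunk above, but nothing replaces `StatefulSetUpdate` for the distributed-mode StatefulSet that the comment two lines below still refers to; check that template. The same header comment also still promises a "Minio config file path" even though `certsPath` is removed in the next hunk, so reword it.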
@ -41,7 +25,6 @@ StatefulSetUpdate:
##
accessKey: ""
secretKey: ""
certsPath: "/etc/minio/certs/"
mountPath: "/export"

## Override the root directory which the minio server should serve from.
@ -49,20 +32,6 @@ mountPath: "/export"
## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
bucketRoot: ""

## TLS Settings for Minio
tls:
enabled: false
## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
certSecret: ""
publicCrt: public.crt
privateKey: private.key

## Trusted Certificates Settings for Minio. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
## When using self-signed certificates, remember to include Minio's own certificate in the bundle with key public.crt.
## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
trustedCertsSecret: ""

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
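Review bot: deleting `tls.*` and `trustedCertsSecret` is a silent security downgrade for existing releases. Helm does not reject unknown values, so a user who upgrades with their old `--set tls.enabled=true,tls.certSecret=...` gets a chart that renders without error and serves plaintext HTTP on port 9000, with nothing mounted at the former certs path. Guard against that with an explicit failure in a template, e.g. `{{- if .Values.tls }}{{ fail "tls.* and trustedCertsSecret have been removed from this chart" }}{{- end }}`, and bump the chart major version or add an upgrade note so the change is not picked up unnoticed by a routine `helm upgrade`.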