Remove tls configuration from minio chart for now

This commit is contained in:
Waqar Ahmed 2020-12-09 03:47:46 +05:00
parent ac0cfab7b7
commit 440ed29531
5 changed files with 3 additions and 132 deletions

View File

@ -52,44 +52,6 @@ By default a pre-generated access and secret key will be used. To override the d
$ helm install --set accessKey=myaccesskey,secretKey=mysecretkey --generate-name minio/minio
```
### Updating MinIO configuration via Helm
[ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) allows injecting containers with configuration data even while a Helm release is deployed.
To update your MinIO server configuration while it is deployed in a release, you need to
1. Check all the configurable values in the MinIO chart using `helm inspect values minio/minio`.
2. Override the `minio_server_config` settings in a YAML formatted file, and then pass that file like this `helm upgrade -f config.yaml minio/minio`.
3. Restart the MinIO server(s) for the changes to take effect.
You can also check the history of upgrades to a release using `helm history my-release`. Replace `my-release` with the actual release name.
### Installing certificates from third party CAs
MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include Minio's own certificate with key `public.crt`, if it also needs to be trusted.
For instance, given that TLS is enabled and you need to add trust for Minio's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```
If TLS is not enabled, you would need only the third party CA:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```
The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:
```
trustedCertsSecret: "minio-trusted-certs"
or
--set trustedCertsSecret=minio-trusted-certs
```
Uninstalling the Chart
----------------------
@ -134,11 +96,9 @@ The following table lists the configurable parameters of the MinIO chart and the
| `image.repository` | Image repository | `minio/minio` |
| `image.tag` | MinIO image tag. Possible values listed [here](https://hub.docker.com/r/minio/minio/tags/). | `RELEASE.2020-11-06T23-17-07Z` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `trustedCertsSecret` | Kubernetes secret with trusted certificates to be mounted on `{{ .Values.certsPath }}/CAs` | `""` |
| `extraArgs` | Additional command line arguments to pass to the MinIO server | `[]` |
| `accessKey` | Default access key (5 to 20 characters) | random 20 chars |
| `secretKey` | Default secret key (8 to 40 characters) | random 40 chars |
| `certsPath` | Default certs path location | `/etc/minio/certs` |
| `mountPath` | Default mount location for persistent drive | `/export` |
| `bucketRoot` | Directory from where minio should serve buckets. | Value of `.mountPath` |
| `persistence.enabled` | Use persistent volume to store data | `true` |
@ -147,8 +107,6 @@ The following table lists the configurable parameters of the MinIO chart and the
| `persistence.storageClass` | Storage class name of PVC | `nil` |
| `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` |
| `persistence.subPath` | Mount a sub directory of the persistent volume if set | `""` |
| `tls.enabled` | Enable TLS for MinIO server | `false` |
| `tls.certSecret` | Kubernetes Secret with `public.crt` and `private.key` files. | `""` |
| `environment` | Set MinIO server relevant environment variables in `values.yaml` file. MinIO containers will be passed these variables when they start. | `MINIO_STORAGE_CLASS_STANDARD: EC:4"` |
Some of the parameters above map to the env variables defined in the [MinIO DockerHub image](https://hub.docker.com/r/minio/minio/).

View File

@ -82,46 +82,3 @@ Properly format optional additional arguments to Minio binary
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{/*
Formats volumeMount for Minio tls keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
mountPath: {{ $casPath }}
{{- end }}
{{- end -}}
{{/*
Formats volume for Minio tls keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolume" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: public.crt
- key: {{ .Values.tls.privateKey }}
path: private.key
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
- name: trusted-cert-secret-volume
secret:
secretName: {{ $certSecret }}
{{- if ne $publicCrt "" }}
items:
- key: {{ $publicCrt }}
path: public.crt
{{- end }}
{{- end }}
{{- end -}}

View File

@ -1,7 +1,4 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
apiVersion: {{ template "minio.deployment.apiVersion" . }}
kind: Deployment
@ -14,12 +11,7 @@ metadata:
heritage: {{ .Release.Service }}
spec:
strategy:
type: {{ .Values.DeploymentUpdate.type }}
{{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ .Values.DeploymentUpdate.maxSurge }}
maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }}
{{- end}}
type: {{ .Values.updateStrategy }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
@ -42,7 +34,7 @@ spec:
command:
- "/bin/sh"
- "-ce"
- "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
- "/usr/bin/docker-entrypoint.sh minio -S server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
volumeMounts:
{{- if .Values.persistence.enabled }}
- name: export
@ -51,7 +43,6 @@ spec:
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
ports:
- name: {{ $scheme }}
containerPort: 9000
@ -81,4 +72,3 @@ spec:
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}

View File

@ -1,7 +1,4 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
apiVersion: v1
kind: Service
metadata:

View File

@ -5,14 +5,6 @@ image:
tag: RELEASE.2020-11-19T23-48-16Z
pullPolicy: IfNotPresent
## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
## client used to create a default bucket).
##
mcImage:
repository: minio/mc
tag: RELEASE.2020-11-17T00-39-14Z
pullPolicy: IfNotPresent
## Set default image, imageTag, and imagePullPolicy for the `jq` (the JSON
## process used to create secret for prometheus ServiceMonitor).
##
@ -24,15 +16,7 @@ helmKubectlJqImage:
## Additional arguments to pass to minio binary
extraArgs: []
## Update strategy for Deployments
DeploymentUpdate:
type: RollingUpdate
maxUnavailable: 0
maxSurge: 100%
## Update strategy for StatefulSets
StatefulSetUpdate:
updateStrategy: RollingUpdate
updateStrategy: RollingUpdate
## Set default accesskey, secretkey, Minio config file path, volume mount path and
## number of nodes (only used for Minio distributed mode)
@ -41,7 +25,6 @@ StatefulSetUpdate:
##
accessKey: ""
secretKey: ""
certsPath: "/etc/minio/certs/"
mountPath: "/export"
## Override the root directory which the minio server should serve from.
@ -49,20 +32,6 @@ mountPath: "/export"
## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
bucketRoot: ""
## TLS Settings for Minio
tls:
enabled: false
## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
certSecret: ""
publicCrt: public.crt
privateKey: private.key
## Trusted Certificates Settings for Minio. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
## When using self-signed certificates, remember to include Minio's own certificate in the bundle with key public.crt.
## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
trustedCertsSecret: ""
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##