From 440ed29531f7582792d0a089685fcd474388e061 Mon Sep 17 00:00:00 2001
From: Waqar Ahmed
Date: Wed, 9 Dec 2020 03:47:46 +0500
Subject: [PATCH] Remove tls configuration from minio chart for now
---
test/minio/8.0.5/README.md | 42 ---------------------
test/minio/8.0.5/templates/_helpers.tpl | 43 ----------------------
test/minio/8.0.5/templates/deployment.yaml | 14 +------
test/minio/8.0.5/templates/service.yaml | 3 --
test/minio/8.0.5/values.yaml | 33 +----------------
5 files changed, 3 insertions(+), 132 deletions(-)
diff --git a/test/minio/8.0.5/README.md b/test/minio/8.0.5/README.md
index 778db58b042..cce818f8185 100755
--- a/test/minio/8.0.5/README.md
+++ b/test/minio/8.0.5/README.md
@@ -52,44 +52,6 @@ By default a pre-generated access and secret key will be used. To override the d $ helm install --set accessKey=myaccesskey,secretKey=mysecretkey --generate-name minio/minio ``` -### Updating MinIO configuration via Helm - -[ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) allows injecting containers with configuration data even while a Helm release is deployed. - -To update your MinIO server configuration while it is deployed in a release, you need to - -1. Check all the configurable values in the MinIO chart using `helm inspect values minio/minio`. -2. Override the `minio_server_config` settings in a YAML formatted file, and then pass that file like this `helm upgrade -f config.yaml minio/minio`. -3. Restart the MinIO server(s) for the changes to take effect. - -You can also check the history of upgrades to a release using `helm history my-release`. Replace `my-release` with the actual release name. - -### Installing certificates from third party CAs - -MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include Minio's own certificate with key `public.crt`, if it also needs to be trusted. 
- -For instance, given that TLS is enabled and you need to add trust for Minio's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`: - -``` -kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt -``` - -If TLS is not enabled, you would need only the third party CA: - -``` -kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt -``` - -The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter: - -``` -trustedCertsSecret: "minio-trusted-certs" - -or - ---set trustedCertsSecret=minio-trusted-certs -``` - Uninstalling the Chart ---------------------- @@ -134,11 +96,9 @@ The following table lists the configurable parameters of the MinIO chart and the | `image.repository` | Image repository | `minio/minio` | | `image.tag` | MinIO image tag. Possible values listed [here](https://hub.docker.com/r/minio/minio/tags/). | `RELEASE.2020-11-06T23-17-07Z` | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `trustedCertsSecret` | Kubernetes secret with trusted certificates to be mounted on `{{ .Values.certsPath }}/CAs` | `""` | | `extraArgs` | Additional command line arguments to pass to the MinIO server | `[]` | | `accessKey` | Default access key (5 to 20 characters) | random 20 chars | | `secretKey` | Default secret key (8 to 40 characters) | random 40 chars | -| `certsPath` | Default certs path location | `/etc/minio/certs` | | `mountPath` | Default mount location for persistent drive | `/export` | | `bucketRoot` | Directory from where minio should serve buckets. | Value of `.mountPath` | | `persistence.enabled` | Use persistent volume to store data | `true` | 
@@ -147,8 +107,6 @@ The following table lists the configurable parameters of the MinIO chart and the | `persistence.storageClass` | Storage class name of PVC | `nil` | | `persistence.accessMode` | ReadWriteOnce or ReadOnly | `ReadWriteOnce` | | `persistence.subPath` | Mount a sub directory of the persistent volume if set | `""` | -| `tls.enabled` | Enable TLS for MinIO server | `false` | -| `tls.certSecret` | Kubernetes Secret with `public.crt` and `private.key` files. | `""` | | `environment` | Set MinIO server relevant environment variables in `values.yaml` file. MinIO containers will be passed these variables when they start. | `MINIO_STORAGE_CLASS_STANDARD: EC:4"` | Some of the parameters above map to the env variables defined in the [MinIO DockerHub image](https://hub.docker.com/r/minio/minio/). diff --git a/test/minio/8.0.5/templates/_helpers.tpl b/test/minio/8.0.5/templates/_helpers.tpl index 08964efb9a6..aa82dc8b170 100644 --- a/test/minio/8.0.5/templates/_helpers.tpl +++ b/test/minio/8.0.5/templates/_helpers.tpl 
@@ -82,46 +82,3 @@ Properly format optional additional arguments to Minio binary {{ " " }}{{ . }} {{- end -}} {{- end -}} - -{{/* -Formats volumeMount for Minio tls keys and trusted certs -*/}} -{{- define "minio.tlsKeysVolumeMount" -}} -{{- if .Values.tls.enabled }} -- name: cert-secret-volume - mountPath: {{ .Values.certsPath }} -{{- end }} -{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} -{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }} -- name: trusted-cert-secret-volume - mountPath: {{ $casPath }} -{{- end }} -{{- end -}} - -{{/* -Formats volume for Minio tls keys and trusted certs -*/}} -{{- define "minio.tlsKeysVolume" -}} -{{- if .Values.tls.enabled }} -- name: cert-secret-volume - secret: - secretName: {{ .Values.tls.certSecret }} - items: - - key: {{ .Values.tls.publicCrt }} - path: public.crt - - key: {{ .Values.tls.privateKey }} - path: private.key -{{- end }} -{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }} -{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }} -{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }} -- name: trusted-cert-secret-volume - secret: - secretName: {{ $certSecret }} - {{- if ne $publicCrt "" }} - items: - - key: {{ $publicCrt }} - path: public.crt - {{- end }} -{{- end }} -{{- end -}} diff --git a/test/minio/8.0.5/templates/deployment.yaml b/test/minio/8.0.5/templates/deployment.yaml index ae6f888a82e..5e5f12f1e4f 100644 --- a/test/minio/8.0.5/templates/deployment.yaml +++ b/test/minio/8.0.5/templates/deployment.yaml @@ -1,7 +1,4 @@ {{ $scheme := "http" }} -{{- if .Values.tls.enabled }} -{{ $scheme = "https" }} -{{ end }} {{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }} apiVersion: {{ template "minio.deployment.apiVersion" . }} kind: Deployment 
@@ -14,12 +11,7 @@ metadata: heritage: {{ .Release.Service }} spec: strategy: - type: {{ .Values.DeploymentUpdate.type }} - {{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }} - rollingUpdate: - maxSurge: {{ .Values.DeploymentUpdate.maxSurge }} - maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }} - {{- end}} + type: {{ .Values.updateStrategy }} selector: matchLabels: app: {{ template "minio.name" . }} @@ -42,7 +34,7 @@ spec: command: - "/bin/sh" - "-ce" - - "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}" + - "/usr/bin/docker-entrypoint.sh minio -S server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}" volumeMounts: {{- if .Values.persistence.enabled }} - name: export @@ -51,7 +43,6 @@ spec: subPath: "{{ .Values.persistence.subPath }}" {{- end }} {{- end }} - {{- include "minio.tlsKeysVolumeMount" . | indent 12 }} ports: - name: {{ $scheme }} containerPort: 9000 @@ -81,4 +72,3 @@ spec: - name: minio-user secret: secretName: {{ template "minio.secretName" . }} - {{- include "minio.tlsKeysVolume" . | indent 8 }} diff --git a/test/minio/8.0.5/templates/service.yaml b/test/minio/8.0.5/templates/service.yaml index f2a6a30e6e6..3f0c68b9304 100644 --- a/test/minio/8.0.5/templates/service.yaml +++ b/test/minio/8.0.5/templates/service.yaml @@ -1,7 +1,4 @@ {{ $scheme := "http" }} -{{- if .Values.tls.enabled }} -{{ $scheme = "https" }} -{{ end }} apiVersion: v1 kind: Service metadata: diff --git a/test/minio/8.0.5/values.yaml b/test/minio/8.0.5/values.yaml index 405e945c5c7..c7a74f390cc 100644 --- a/test/minio/8.0.5/values.yaml +++ b/test/minio/8.0.5/values.yaml 
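Review bot: In the `@@ -42,7 +34,7 @@` hunk of deployment.yaml the new command keeps `-S` but drops its argument, and in MinIO's CLI `-S` is the short form of `--certs-dir` and takes a value, so `server` would be consumed as the certs directory and `{{ $bucketRoot }}` parsed as the subcommand. The flag should go with its value: `- "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"`. With the cert mounts gone and `$scheme` fixed to `"http"` at the top of the file, the port 9000 listener is plaintext, so `accessKey`/`secretKey` and object data cross the network unencrypted. That is worth a comment in values.yaml, and TLS termination in front of the Service wherever it is reachable beyond the cluster. The container spec starts and ends outside this hunk.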
@@ -5,14 +5,6 @@ image: tag: RELEASE.2020-11-19T23-48-16Z pullPolicy: IfNotPresent -## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio -## client used to create a default bucket). -## -mcImage: - repository: minio/mc - tag: RELEASE.2020-11-17T00-39-14Z - pullPolicy: IfNotPresent - ## Set default image, imageTag, and imagePullPolicy for the `jq` (the JSON ## process used to create secret for prometheus ServiceMonitor). ## @@ -24,15 +16,7 @@ helmKubectlJqImage: ## Additional arguments to pass to minio binary extraArgs: [] -## Update strategy for Deployments -DeploymentUpdate: - type: RollingUpdate - maxUnavailable: 0 - maxSurge: 100% - -## Update strategy for StatefulSets -StatefulSetUpdate: - updateStrategy: RollingUpdate +updateStrategy: RollingUpdate ## Set default accesskey, secretkey, Minio config file path, volume mount path and ## number of nodes (only used for Minio distributed mode) @@ -41,7 +25,6 @@ StatefulSetUpdate: ## accessKey: "" secretKey: "" -certsPath: "/etc/minio/certs/" mountPath: "/export" ## Override the root directory which the minio server should serve from. 
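Review bot: In the `@@ -24,15 +16,7 @@` hunk the new `updateStrategy` key loses the comment that the removed `DeploymentUpdate` block carried, and nothing states which values it accepts; a line such as `## Update strategy for the Deployment: RollingUpdate or Recreate` above it would cover that. deployment.yaml now renders the value straight into `strategy.type`, so the previous `maxSurge`/`maxUnavailable` settings are replaced by the Kubernetes defaults, which is a behaviour change unrelated to the TLS removal named in the subject. `StatefulSetUpdate` and, in the first hunk of this file, `mcImage` are removed as well; if any template outside this diff still reads `.Values.StatefulSetUpdate` or `.Values.mcImage`, rendering will fail, so that is worth checking before merge.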
@@ -49,20 +32,6 @@ mountPath: "/export" ## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }} bucketRoot: "" -## TLS Settings for Minio -tls: - enabled: false - ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret - certSecret: "" - publicCrt: public.crt - privateKey: private.key - -## Trusted Certificates Settings for Minio. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas -## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret -## When using self-signed certificates, remember to include Minio's own certificate in the bundle with key public.crt. -## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret. -trustedCertsSecret: "" - ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ##