Dynamic secrets configuration for root #1693

Removed configuration.name. Changed to a dynamic reference of secrets.name or secrets.existingSecret.
D1StrX committed Jul 20, 2023
commit e119d2ed2ec2c901fbc25d2570e191af02b3f10f
156 changes: 78 additions & 78 deletions helm/tenant/templates/tenant.yaml
@@ -1,35 +1,35 @@
{{- with .Values.tenant }}
{{- with .Values }}
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: {{ .name }}
name: {{ .tenant.name }}
## Optionally pass labels to be applied to the statefulset pods
labels:
app: minio
{{- if dig "metrics" "enabled" false . }}
{{- if dig "metrics" "enabled" false .tenant }}
## Annotations for MinIO Tenant Pods
annotations:
prometheus.io/path: /minio/v2/metrics/cluster
prometheus.io/port: {{ dig "metrics" "port" 9000 . | quote }}
prometheus.io/port: {{ dig "metrics" "port" 9000 .tenant | quote }}
prometheus.io/scrape: "true"
prometheus.io/scheme: {{ dig "metrics" "protocol" "http" . | quote }}
prometheus.io/scheme: {{ dig "metrics" "protocol" "http" .tenant | quote }}
{{- end }}
{{- if dig "scheduler" "name" "" . }}
{{- if dig "scheduler" "name" "" .tenant }}
scheduler:
name: {{ dig "scheduler" "name" "" . }}
name: {{ dig "scheduler" "name" "" .tenant }}
{{- end }}
spec:
image: {{ dig "image" "repository" "minio/minio" . }}:{{ dig "image" "tag" "RELEASE.2022-01-08T03-11-54Z" . }}
imagePullPolicy: {{ dig "image" "pullPolicy" "IfNotPresent" . }}
{{- if dig "imagePullSecret" "name" "" . }}
image: {{ dig "image" "repository" "minio/minio" .tenant }}:{{ dig "image" "tag" "RELEASE.2022-01-08T03-11-54Z" .tenant }}
imagePullPolicy: {{ dig "image" "pullPolicy" "IfNotPresent" .tenant }}
{{- if dig "imagePullSecret" "name" "" .tenant }}
imagePullSecret:
name: {{ dig "imagePullSecret" "name" "" . }}
name: {{ dig "imagePullSecret" "name" "" .tenant }}
{{- end }}
## Secret with default environment variable configurations
configuration:
name: {{ .configuration.name }}
name: {{ .secrets.existingSecret | default .secrets.name }}
pools:
{{- range (dig "pools" (list) .) }}
{{- range (dig "pools" (list) .tenant) }}
- servers: {{ dig "servers" 4 . }}
name: {{ dig "name" "" . }}
volumesPerServer: {{ dig "volumesPerServer" 4 . }}
Expand All @@ -47,129 +47,129 @@ spec:
requests:
storage: {{ dig "size" "10Gi" . }}
{{- with (dig "annotations" (dict) .) }}
annotations: {{- toYaml . | nindent 8 }}
annotations: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "labels" (dict) .) }}
labels: {{- toYaml . | nindent 8 }}
labels: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "tolerations" (list) .) }}
tolerations: {{- toYaml . | nindent 8 }}
tolerations: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "nodeSelector" (dict) .) }}
nodeSelector: {{- toYaml . | nindent 8 }}
nodeSelector: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "affinity" (dict) .) }}
affinity: {{- toYaml . | nindent 8 }}
affinity: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "resources" (dict) .) }}
resources: {{- toYaml . | nindent 8 }}
resources: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "securityContext" (dict) .) }}
securityContext: {{- toYaml . | nindent 8 }}
securityContext: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "containerSecurityContext" (dict) .) }}
containerSecurityContext: {{- toYaml . | nindent 8 }}
containerSecurityContext: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- with (dig "topologySpreadConstraints" (list) .) }}
topologySpreadConstraints: {{- toYaml . | nindent 8 }}
topologySpreadConstraints: {{- toYaml .tenant | nindent 8 }}
{{- end }}
{{- end }}
mountPath: {{ dig "mountPath" "/export" . }}
subPath: {{ dig "subPath" "/data" . }}
{{- with (dig "certificate" "externalCaCertSecret" (list) .) }}
externalCaCertSecret: {{- toYaml . | nindent 6 }}
mountPath: {{ dig "mountPath" "/export" .tenant }}
subPath: {{ dig "subPath" "/data" .tenant }}
{{- with (dig "certificate" "externalCaCertSecret" (list) .tenant) }}
externalCaCertSecret: {{- toYaml .tenant | nindent 6 }}
{{- end }}
{{- with (dig "certificate" "externalCertSecret" (list) .) }}
externalCertSecret: {{- toYaml . | nindent 6 }}
{{- with (dig "certificate" "externalCertSecret" (list) .tenant) }}
externalCertSecret: {{- toYaml .tenant | nindent 6 }}
{{- end }}
requestAutoCert: {{ dig "certificate" "requestAutoCert" false . }}
{{- if dig "s3" "bucketDNS" false . }}
requestAutoCert: {{ dig "certificate" "requestAutoCert" false .tenant }}
{{- if dig "s3" "bucketDNS" false .tenant }}
{{- fail "Value 'tenant.s3.bucketDNS' is deprecated since Operator v4.3.2, use 'tenant.features.bucketDNS' instead" }}
{{- end }}
features:
bucketDNS: {{ dig "features" "bucketDNS" false . }}
{{- with (dig "features" "domains" (dict) .) }}
domains: {{- toYaml . | nindent 6 }}
bucketDNS: {{ dig "features" "bucketDNS" false .tenant }}
{{- with (dig "features" "domains" (dict) .tenant) }}
domains: {{- toYaml .tenant | nindent 6 }}
{{- end }}
enableSFTP: {{ dig "features" "enableSFTP" false . }}
{{- with (dig "buckets" (list) .) }}
buckets: {{- toYaml . | nindent 4 }}
enableSFTP: {{ dig "features" "enableSFTP" false .tenant }}
{{- with (dig "buckets" (list) .tenant) }}
buckets: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "users" (list) .) }}
users: {{- toYaml . | nindent 4 }}
{{- with (dig "users" (list) .tenant) }}
users: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "certificate" "certConfig" (dict) .) }}
certConfig: {{- toYaml . | nindent 4 }}
{{- with (dig "certificate" "certConfig" (dict) .tenant) }}
certConfig: {{- toYaml .tenant | nindent 4 }}
{{- end }}
podManagementPolicy: {{ dig "podManagementPolicy" "Parallel" . }}
{{- with (dig "readiness" (dict) .) }}
readiness: {{- toYaml . | nindent 4 }}
podManagementPolicy: {{ dig "podManagementPolicy" "Parallel" .tenant }}
{{- with (dig "readiness" (dict) .tenant) }}
readiness: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "liveness" (dict) .) }}
liveness: {{- toYaml . | nindent 4 }}
{{- with (dig "liveness" (dict) .tenant) }}
liveness: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "startup" (dict) .) }}
startup: {{- toYaml . | nindent 4 }}
{{- with (dig "startup" (dict) .tenant) }}
startup: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "exposeServices" (dict) .) }}
exposeServices: {{- toYaml . | nindent 4 }}
{{- with (dig "exposeServices" (dict) .tenant) }}
exposeServices: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- if dig "serviceAccountName" "" . }}
serviceAccountName: {{ dig "serviceAccountName" "" . }}
{{- if dig "serviceAccountName" "" .tenant }}
serviceAccountName: {{ dig "serviceAccountName" "" .tenant }}
{{- end }}
prometheusOperator: {{ dig "prometheusOperator" "false" . }}
{{- with (dig "logging" (dict) .) }}
logging: {{- toYaml . | nindent 4 }}
prometheusOperator: {{ dig "prometheusOperator" "false" .tenant }}
{{- with (dig "logging" (dict) .tenant) }}
logging: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "serviceMetadata" (dict) .) }}
serviceMetadata: {{- toYaml . | nindent 4 }}
{{- with (dig "serviceMetadata" (dict) .tenant) }}
serviceMetadata: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "env" (list) .) }}
env: {{- toYaml . | nindent 4 }}
{{- with (dig "env" (list) .tenant) }}
env: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- if dig "priorityClassName" "" . }}
priorityClassName: {{ dig "priorityClassName" "" . }}
{{- if dig "priorityClassName" "" .tenant }}
priorityClassName: {{ dig "priorityClassName" "" .tenant }}
{{- end }}
{{- if dig "kes" "configuration" false . }}
{{- if dig "kes" "configuration" false .tenant }}
kes:
image: {{ .kes.image | quote }}
{{- with (dig "kes" "env" (list) .) }}
env: {{- toYaml . | nindent 4 }}
image: {{ .tenant.kes.image | quote }}
{{- with (dig "kes" "env" (list) .tenant) }}
env: {{- toYaml .tenant | nindent 4 }}
{{- end }}
replicas: {{ .kes.replicas | int }}
replicas: {{ .tenant.kes.replicas | int }}
kesSecret:
name: "kes-configuration"
imagePullPolicy: {{ .kes.imagePullPolicy | quote }}
imagePullPolicy: {{ .tenant.kes.imagePullPolicy | quote }}
{{- with (dig "kes" "externalCertSecret" (dict) .) }}
externalCertSecret: {{- toYaml . | nindent 6 }}
externalCertSecret: {{- toYaml .tenant | nindent 6 }}
{{- end }}
{{- with (dig "kes" "clientCertSecret" (dict) .) }}
clientCertSecret: {{- toYaml . | nindent 6 }}
clientCertSecret: {{- toYaml .tenant | nindent 6 }}
{{- end }}
## Key name to be created on the KMS, default is "my-minio-key"
keyName: {{ .kes.keyName | quote }}
{{- with (dig "resources" (dict) .) }}
keyName: {{ .tenant.kes.keyName | quote }}
{{- with (dig "resources" (dict) .tenant) }}
resources: {{- toYaml . | nindent 4 }}
{{- end }}
{{- with (dig "nodeSelector" (dict) .) }}
nodeSelector: {{- toYaml . | nindent 4 }}
nodeSelector: {{- toYaml .tenant | nindent 4 }}
{{- end }}
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
tolerations: []
{{- with (dig "annotations" (dict) .) }}
annotations: {{- toYaml . | nindent 4 }}
annotations: {{- toYaml .tenant | nindent 4 }}
{{- end }}
{{- with (dig "labels" (dict) .) }}
labels: {{- toYaml . | nindent 4 }}
labels: {{- toYaml .tenant | nindent 4 }}
{{- end }}
serviceAccountName: {{ .kes.serviceAccountName | quote }}
serviceAccountName: {{ .tenant.kes.serviceAccountName | quote }}
securityContext:
runAsUser: {{ .kes.securityContext.runAsUser | int }}
runAsGroup: {{ .kes.securityContext.runAsGroup | int }}
runAsNonRoot: {{ .kes.securityContext.runAsNonRoot }}
fsGroup: {{ .kes.securityContext.fsGroup | int }}
runAsUser: {{ .tenant.kes.securityContext.runAsUser | int }}
runAsGroup: {{ .tenant.kes.securityContext.runAsGroup | int }}
runAsNonRoot: {{ .tenant.kes.securityContext.runAsNonRoot }}
fsGroup: {{ .tenant.kes.securityContext.fsGroup | int }}
{{- end }}
{{- end }}
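Review bot: Inside the pool `range` opened in the first hunk (and closed by the `{{- end }}` in the second) and inside every nested `{{- with (dig ...) }}` block, `.` is rebound to the dug value, so the new `toYaml .tenant` in those blocks looks up a `tenant` key that does not exist there and renders `null`; the KES `resources` block, which kept `resources: {{- toYaml . | nindent 4 }}`, shows the correct form. The security-relevant casualties are `securityContext`, `containerSecurityContext`, `externalCaCertSecret`, `externalCertSecret`, `certConfig` and `users`, which would be emitted as `securityContext: null` etc. and silently drop the non-root and TLS settings that values.yaml configures. Change each of those lines back to the pattern `securityContext: {{- toYaml . | nindent 8 }}`, keeping `.tenant` only in `dig` arguments that run directly under the outer `with .Values`. The unchanged context lines `{{- with (dig "kes" "externalCertSecret" (dict) .) }}` and the sibling `clientCertSecret`, `nodeSelector`, `annotations` and `labels` lookups now dig into `.Values` instead of the tenant because the outer scope changed, so the KES TLS secrets would presumably never be rendered; pass `.tenant` there as well. Separately, `name: {{ .secrets.existingSecret | default .secrets.name }}` will abort the render if `.Values.secrets` is absent, whereas `dig "secrets" "existingSecret" "" .` would degrade gracefully.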
59 changes: 29 additions & 30 deletions helm/tenant/values.yaml
Expand Up @@ -18,14 +18,14 @@ tenant:
pullPolicy: IfNotPresent
## Customize any private registry image pull secret.
## currently only one secret registry is supported
imagePullSecret: { }
imagePullSecret: {}
## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
## If not specified, the Tenant pods will be dispatched by default scheduler.
scheduler: { }
scheduler: {}
## Secret name that contains additional environment variable configurations.
## The secret is expected to have a key named config.env containing environment variables exports.
configuration:
name: myminio-env-configuration
# configuration:
# name: "{{ .Values.secrets.existingSecret }}"
## Specification for MinIO Pool(s) in this Tenant.
pools:
## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
Expand All @@ -41,21 +41,21 @@ tenant:
## storageClass specifies the storage class name to be used for this pool
storageClassName: standard
## Used to specify annotations for pods
annotations: { }
annotations: {}
## Used to specify labels for pods
labels: { }
labels: {}
## Used to specify a toleration for a pod
tolerations: [ ]
tolerations: []
## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
## eligible to run on a node, the node must have each of the
## indicated key-value pairs as labels.
## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: { }
nodeSelector: {}
## Affinity settings for MinIO pods. Read more about affinity
## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
affinity: { }
affinity: {}
## Configure resource requests and limits for MinIO containers
resources: { }
resources: {}
## Configure security context
securityContext:
runAsUser: 1000
Expand All @@ -68,7 +68,7 @@ tenant:
runAsGroup: 1000
runAsNonRoot: true
## Configure topology constraints
topologySpreadConstraints: [ ]
topologySpreadConstraints: []
## Configure Runtime Class
# runtimeClassName: ""
## Mount path where PV will be mounted inside container(s).
Expand All @@ -90,48 +90,47 @@ tenant:
## Use this field to provide one or more external CA certificates. This is used by MinIO
## to verify TLS connections with other applications:
## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
externalCaCertSecret: [ ]
externalCaCertSecret: []
## Use this field to provide a list of Secrets with external certificates. This can be used to configure
## TLS for MinIO Tenant pods. Create secrets as explained here:
## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
externalCertSecret: [ ]
externalCertSecret: []
## Enable automatic Kubernetes based certificate generation and signing as explained in
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: true
## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
certConfig: { }
certConfig: {}
## MinIO features to enable or disable in the MinIO Tenant
## https://github.com/minio/operator/blob/master/docs/tenant_crd.adoc#features
features:
bucketDNS: false
domains: { }
enableSFTP: false
domains: {}
## List of bucket definitions to create during tenant provisioning.
## Example:
# - name: my-minio-bucket
# objectLock: false # optional
# region: us-east-1 # optional
buckets: [ ]
buckets: []
## List of secret names to use for generating MinIO users during tenant provisioning
users: [ ]
users: []
## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
## for details.
podManagementPolicy: Parallel
# Liveness Probe for container liveness. Container will be restarted if the probe fails.
# Refer https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes.
liveness: { }
liveness: {}
# Readiness Probe for container readiness. Container will be removed from service endpoints if the probe fails.
# Refer https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
readiness: { }
readiness: {}
# Startup Probe for container startup. Container will be restarted if the probe fails.
# Refer https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
startup: { }
startup: {}
## exposeServices defines the exposure of the MinIO object storage and Console services.
## service is exposed as a loadbalancer in k8s service.
exposeServices: { }
exposeServices: {}
# kubernetes service account associated with a specific tenant
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccountName: ""
Expand All @@ -149,9 +148,9 @@ tenant:
quiet: true
## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
## services created by the operator.
serviceMetadata: { }
serviceMetadata: {}
## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
env: [ ]
env: []
## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
## This is applied to MinIO pods only.
## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
Expand Down Expand Up @@ -243,18 +242,18 @@ ingress:
api:
enabled: false
ingressClassName: ""
labels: { }
annotations: { }
tls: [ ]
labels: {}
annotations: {}
tls: []
host: minio.local
path: /
pathType: Prefix
console:
enabled: false
ingressClassName: ""
labels: { }
annotations: { }
tls: [ ]
labels: {}
annotations: {}
tls: []
host: minio-console.local
path: /
pathType: Prefix
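Review bot: The comment `## Secret name that contains additional environment variable configurations.` above the removed `configuration:` block no longer says where that name now comes from, and the commented-out `# name: "{{ .Values.secrets.existingSecret }}"` left in its place suggests values.yaml is templated, which it is not. Replace the two commented lines with a comment along the lines of `## The configuration secret name is taken from secrets.existingSecret, falling back to secrets.name` so users know which key to set; the `secrets` block itself is outside this section, so confirm the wording against it. The `{ }` to `{}` changes in this section are cosmetic and raise nothing.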