From 2285c68f1e94d3642aaed8e76aaeecce1681b822 Mon Sep 17 00:00:00 2001
From: Ravind Kumar
Date: Mon, 9 Sep 2024 13:19:58 -0400
Subject: [PATCH] Catchup to 6.0.3 release

---
 source/includes/k8s/ext-tenant-crd.md | 815 +++++++++++++++--------
 source/includes/k8s/operator-values.yaml | 209 ++----
 source/includes/k8s/tenant-values.yaml | 127 ++--
 3 files changed, 655 insertions(+), 496 deletions(-)

diff --git a/source/includes/k8s/ext-tenant-crd.md b/source/includes/k8s/ext-tenant-crd.md
index 242c5635..97852e73 100644
--- a/source/includes/k8s/ext-tenant-crd.md
+++ b/source/includes/k8s/ext-tenant-crd.md
@@ -76,8 +76,9 @@ Operator as part of tenant creation. These fields have no effect if
style="text-align: left;">

commonName string

Optional
-The CommonName or CN attribute to associate to -automatically generated TLS certificates.
+

+

The CommonName or CN attribute to associate +to automatically generated TLS certificates.

@@ -85,7 +86,8 @@ automatically generated TLS certificates.
style="text-align: left;">

organizationName string array

Optional
-Specify one or more OrganizationName or O +

+

Specify one or more OrganizationName or O attributes to associate to automatically generated TLS certificates.

@@ -94,10 +96,11 @@ certificates.

dnsNames string array

Optional
-Specify one or more x.509 Subject Alternative Names (SAN) to associate -to automatically generated TLS certificates. MinIO Server pods use SNI -to determine which certificate to respond with based on the requested -hostname.

+

+

Specify one or more x.509 Subject Alternative Names (SAN) to +associate to automatically generated TLS certificates. MinIO Server pods +use SNI to determine which certificate to respond with based on the +requested hostname.

@@ -140,6 +143,75 @@ certificates manually added to the Operator.

+## CustomCertificateConfig + +CustomCertificateConfig (`customCertificateConfig`) provides attributes +associated of the TLS certificates manually added to the Operator as +part of tenant creation. These fields contain no data if there are no +custom TLS certificates. + +- [CustomCertificates](#customcertificates) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription

certName +string

Optional
+

+

Output one or more CertName attributes associated with +the manually provided TLS certificates.
+

domains +string array

Optional
+

+

Output one or more Domains attributes associated with +the manually provided TLS certificates.
+

expiry +string

Optional
+

+

Output one or more Expiry attributes associated with the +manually provided TLS certificates.
+

expiresIn +string

Optional
+

+

Output one or more ExpiresIn attributes associated with +the manually provided TLS certificates.
+

serialNo +string

Optional
+

+

Output one or more SerialNo attributes associated with +the manually provided TLS certificates.
+

+ ## CustomCertificates CustomCertificates (`customCertificates`) provides groupings of the TLS @@ -166,7 +238,8 @@ These fields contain no data if there are no custom TLS certificates. href="#customcertificateconfig">CustomCertificateConfig array

Optional
-Client

+

+

Client

minio @@ -174,7 +247,8 @@ Client

href="#customcertificateconfig">CustomCertificateConfig array

Optional
-Minio

+

+

Minio

minioCAs @@ -182,7 +256,8 @@ Minio

href="#customcertificateconfig">CustomCertificateConfig array

Optional
-Certificate Authorities

+

+

Certificate Authorities

@@ -210,16 +285,18 @@ object storage and Console services.

minio boolean

Optional
-Directs the Operator to expose the MinIO service. Defaults to -true.
+

+

Directs the Operator to expose the MinIO service. Defaults to +false.

console boolean

Optional
-Directs the Operator to expose the MinIO Console service. Defaults to -true.
+

+

Directs the Operator to expose the MinIO Console service. Defaults to +false.

@@ -248,23 +325,27 @@ enable/disable in the MinIO Tenant.

bucketDNS boolean

Optional
-Specify true to allow clients to access buckets using the -DNS path <bucket>.minio.default.svc.cluster.local. -Defaults to false.

+

+

Specify true to allow clients to access buckets using +the DNS path +<bucket>.minio.default.svc.cluster.local. Defaults to +false.

domains TenantDomains

Optional
-Specify a list of domains used to access MinIO and Console.

+

+

Specify a list of domains used to access MinIO and Console.

enableSFTP boolean

Optional
-Starts minio server with SFTP support

+

+

Starts minio server with SFTP support

@@ -301,8 +382,9 @@ using an external Key Management Service (KMS).

replicas integer

Optional
-Specify the number of replica KES pods to deploy in the tenant. Defaults -to 2.

+

+

Specify the number of replica KES pods to deploy in the tenant. +Defaults to 2.

image @@ -316,12 +398,19 @@ style="text-align: left;">

imagePullPolicy PullPolicy

Optional
-The pull policy for the MinIO Docker image. Specify one of the +

+

The pull policy for the MinIO Docker image. Specify one of the following:
-* Always
-* Never
-* IfNotPresent (Default)
-Refer to the Kubernetes documentation for details +

+

Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images

@@ -329,7 +418,8 @@ href="https://kubernetes.io/docs/concepts/containers/images#updating-images">htt style="text-align: left;">

serviceAccountName string

Optional
-The +

The Kubernetes Service Account to use for running MinIO KES pods created as part of the Tenant.
@@ -340,11 +430,13 @@ the Tenant.
LocalObjectReference

Required
-Specify a +

Specify a Kubernetes opaque secret which contains environment variables to use for setting up the MinIO KES service.
-See the +

See the MinIO Operator console-secret.yaml for an example.

@@ -354,21 +446,30 @@ style="text-align: left;">

externalCertSecret LocalCertificateReference

Optional
-Enables TLS with SNI support on each MinIO KES pod in the tenant. If +

+

Enables TLS with SNI support on each MinIO KES pod in the tenant. If externalCertSecret is omitted and spec.requestAutoCert is set to false, MinIO KES pods deploy without TLS enabled.
-Specify a +

Specify a Kubernetes TLS secret. The MinIO Operator copies the specified certificate to every MinIO pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.
-Specify an object containing the following fields:
-* - name - The name of the Kubernetes secret containing the -TLS certificate.
-* - type - Specify kubernetes.io/tls
-See the +

Specify an object containing the following fields:
+

+ +

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

@@ -379,53 +480,63 @@ style="text-align: left;">

clientCertSecret LocalCertificateReference

Optional
-Specify a a +

Specify a a Kubernetes TLS secret containing a custom root Certificate Authority and x.509 certificate to use for performing mTLS authentication with an external Key Management Service, such as Hashicorp Vault.
-Specify an object containing the following fields:
-* - name - The name of the Kubernetes secret containing the -Certificate Authority and x.509 Certificate.
-* - type - Specify kubernetes.io/tls
-

+

+

Specify an object containing the following fields:
+

+

gcpCredentialSecretName string

Optional
-Specify the GCP default credentials to be used for KES to authenticate -to GCP key store

+

+
Specify the GCP default credentials to be used for KES to authenticate to GCP key store

gcpWorkloadIdentityPool string

Optional
-Specify the name of the workload identity pool (This is required for -generating service account token)

+

+
Specify the name of the workload identity pool (This is required for generating service account token)

annotations object (keys:string, values:string)

Optional
-If provided, use these annotations for KES Object Meta +

+

If provided, use these annotations for KES Object Meta annotations

labels object (keys:string, values:string)

Optional
-If provided, use these labels for KES Object Meta labels

+

+

If provided, use these labels for KES Object Meta labels

resources ResourceRequirements

Optional
-Object specification for specifying CPU and memory +

Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.

@@ -435,10 +546,12 @@ allocations or limits in the MinIO tenant.
style="text-align: left;">

nodeSelector object (keys:string, values:string)

Optional
-The filter for the Operator to apply when selecting which nodes on which -to deploy MinIO KES pods. The Operator only selects those nodes whose -labels match the specified selector.
-See the Kubernetes documentation on +

The filter for the Operator to apply when selecting which nodes on +which to deploy MinIO KES pods. The Operator only selects those nodes +whose labels match the specified selector.
+

+

See the Kubernetes documentation on Assigning Pods to Nodes for more information.

@@ -449,7 +562,8 @@ style="text-align: left;">

tolerations href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core">Toleration array

Optional
-Specify one or more +

Specify one or more Kubernetes tolerations to apply to MinIO KES pods.

@@ -458,8 +572,9 @@ tolerations to apply to MinIO KES pods.

Affinity

Optional
-Specify node affinity, pod affinity, and pod anti-affinity for the KES -pods.
+

+

Specify node affinity, pod affinity, and pod anti-affinity for the +KES pods.

@@ -469,7 +584,8 @@ style="text-align: left;">

topologySpreadConstraintsTopologySpreadConstraint array

Optional
-Specify one or more +

Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.

@@ -478,8 +594,9 @@ pool.

keyName string

Optional
-If provided, use this as the name of the key that KES creates on the KMS -backend

+

+

If provided, use this as the name of the key that KES creates on the +KMS backend

Security Context of MinIO KES pods. The Operator supports only the following pod security fields:
-* fsGroup
-* fsGroupChangePolicy
-* runAsGroup
-* runAsNonRoot
-* runAsUser
-* seLinuxOptions
-

+

+ +

containerSecurityContext +SecurityContext

+

Specify the Security +Context of MinIO KES pods.

+ +

env EnvVar array

Optional
-If provided, the MinIO Operator adds the specified environment variables -when deploying the KES resource.

+

+

If provided, the MinIO Operator adds the specified environment +variables when deploying the KES resource.

@@ -537,7 +672,8 @@ enabling TLS in the MinIO Tenant.

name string

Required
-The name of the Kubernetes secret containing the TLS certificate or +

+

The name of the Kubernetes secret containing the TLS certificate or Certificate Authority file.

@@ -545,7 +681,8 @@ Certificate Authority file.

type string

Required
-The type of Kubernetes secret. Specify +

+

The type of Kubernetes secret. Specify kubernetes.io/tls

@@ -595,6 +732,7 @@ consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant. + See the [MinIO Operator CRD](https://min.io/docs/minio/kubernetes/upstream/operations/install-deploy-manage/deploy-minio-tenant.html#procedure-command-line) reference for the `pools` object for examples and more complete @@ -617,17 +755,18 @@ documentation.

name string

-

Optional
-Specify the name of the pool. The Operator automatically generates the -pool name if this field is omitted.

+

Required Specify the +name of the pool. The Operator automatically generates the pool name if +this field is omitted.

servers integer

-

Required The number of -MinIO server pods to deploy in the pool. The minimum value is -2. The MinIO Operator requires a minimum of 4 -volumes per pool. Specifically, the result of +

Required

+

The number of MinIO server pods to deploy in the pool. The minimum +value is 2.

+

The MinIO Operator requires a minimum of 4 volumes per +pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.

@@ -637,9 +776,11 @@ volumes per pool. Specifically, the result of style="text-align: left;">

volumesPerServer integer

Required
-The number of Persistent Volume Claims to generate for each MinIO server -pod in the pool.
-The MinIO Operator requires a minimum of 4 volumes per +

+

The number of Persistent Volume Claims to generate for each MinIO +server pod in the pool.
+

+

The MinIO Operator requires a minimum of 4 volumes per pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.
@@ -651,7 +792,8 @@ style="text-align: left;">

volumeClaimTemplate PersistentVolumeClaim

Required
-Specify the configuration options for the MinIO Operator to use when +

+

Specify the configuration options for the MinIO Operator to use when generating Persistent Volume Claims for the MinIO tenant.

@@ -660,7 +802,8 @@ generating Persistent Volume Claims for the MinIO tenant.
ResourceRequirements

Optional
-Object specification for specifying CPU and memory +

Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.

@@ -670,10 +813,12 @@ allocations or limits in the MinIO tenant.
style="text-align: left;">

nodeSelector object (keys:string, values:string)

Optional
-The filter for the Operator to apply when selecting which nodes on which -to deploy pods in the pool. The Operator only selects those nodes whose -labels match the specified selector.
-See the Kubernetes documentation on +

The filter for the Operator to apply when selecting which nodes on +which to deploy pods in the pool. The Operator only selects those nodes +whose labels match the specified selector.
+

+

See the Kubernetes documentation on Assigning Pods to Nodes for more information.

@@ -682,8 +827,9 @@ Pods to Nodes for more information.

Affinity

Optional
-Specify node affinity, pod affinity, and pod anti-affinity for pods in -the MinIO pool.
+

+

Specify node affinity, pod affinity, and pod anti-affinity for pods +in the MinIO pool.

@@ -693,7 +839,8 @@ style="text-align: left;">

tolerations href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#toleration-v1-core">Toleration array

Optional
-Specify one or more +

Specify one or more Kubernetes tolerations to apply to pods deployed in the MinIO pool.

@@ -704,7 +851,8 @@ style="text-align: left;">

topologySpreadConstraintsTopologySpreadConstraint array

Optional
-Specify one or more +

Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.

@@ -715,16 +863,24 @@ style="text-align: left;">

securityContext PodSecurityContext

Optional
-Specify the +

Specify the Security Context of pods in the pool. The Operator supports only the following pod security fields:
-* fsGroup
-* fsGroupChangePolicy
-* runAsGroup
-* runAsNonRoot
-* runAsUser
-

+

+
    +
  • fsGroup
    +

  • +
  • fsGroupChangePolicy
    +

  • +
  • runAsGroup
    +

  • +
  • runAsNonRoot
    +

  • +
  • runAsUser
    +

  • +
Security Context of containers in the pool. The Operator supports only the following container security fields:
-* runAsGroup
-* runAsNonRoot
-* runAsUser
-

+

+
    +
  • runAsGroup
    +

  • +
  • runAsNonRoot
    +

  • +
  • runAsUser
    +

  • +

annotations object (keys:string, values:string)

Optional
-Specify custom labels and annotations to append to the Pool. +

+

Specify custom labels and annotations to append to the Pool. Optional
-If provided, use these annotations for the Pool Objects Meta annotations -(Statefulset and Pod template)

+

+

If provided, use these annotations for the Pool Objects Meta +annotations (Statefulset and Pod template)

labels object (keys:string, values:string)

Optional
-If provided, use these labels for the Pool Objects Meta annotations +

+

If provided, use these labels for the Pool Objects Meta annotations (Statefulset and Pod template)

@@ -762,17 +926,11 @@ If provided, use these labels for the Pool Objects Meta annotations style="text-align: left;">

runtimeClassName string

Optional
-If provided, each pod on the Statefulset will run with the specified +

+

If provided, each pod on the Statefulset will run with the specified RuntimeClassName, for more info https://kubernetes.io/docs/concepts/containers/runtime-class/

- -

reclaimStorage -boolean

-

Optional
-If true. Will delete the storage when tenant has been deleted.

- @@ -848,28 +1006,32 @@ service. style="text-align: left;">

minioServiceLabels object (keys:string, values:string)

Optional
-If provided, append these labels to the MinIO service

+

+

If provided, append these labels to the MinIO service

minioServiceAnnotations object (keys:string, values:string)

Optional
-If provided, append these annotations to the MinIO service

+

+

If provided, append these annotations to the MinIO service

consoleServiceLabels object (keys:string, values:string)

Optional
-If provided, append these labels to the Console service

+

+

If provided, append these labels to the Console service

consoleServiceAnnotations object (keys:string, values:string)

Optional
-If provided, append these annotations to the Console service

+

+

If provided, append these annotations to the Console service

@@ -900,7 +1062,8 @@ style="text-align: left;">

containers href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core">Container array

Optional
-List of containers to run inside the Pod

+

+

List of containers to run inside the Pod

volumeClaimTemplates href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#persistentvolumeclaim-v1-core">PersistentVolumeClaim array

Optional
-volumeClaimTemplates is a list of claims that pods are allowed to +

+

volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) @@ -923,8 +1087,9 @@ name.

href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#volume-v1-core">Volume array

Optional
-List of volumes that can be mounted by containers belonging to the pod. -More info: +

List of volumes that can be mounted by containers belonging to the +pod. More info: https://kubernetes.io/docs/concepts/storage/volumes

@@ -932,7 +1097,8 @@ href="https://kubernetes.io/docs/concepts/storage/volumes">https://kubernetes.io ResourceRequirements

Optional
-sidecar’s Resource, initcontainer will use that if set.

+

+

sidecar’s Resource, initcontainer will use that if set.

@@ -986,7 +1152,8 @@ href="#tenantscheduler">TenantScheduler

TenantSpec

Required
-The root field for the MinIO Tenant object.

+

+

The root field for the MinIO Tenant object.

@@ -1055,7 +1222,8 @@ to use for deploying the MinIO Tenant.

name string

Optional
-Specify the name of the +

Specify the name of the Kubernetes scheduler to be used to schedule Tenant pods

@@ -1066,8 +1234,10 @@ scheduler to be used to schedule Tenant pods

TenantSpec (`spec`) defines the configuration of a MinIO Tenant object. + The following parameters are specific to the `Operator CRD v2 Reference` MinIO CRD API `spec` definition added as part of the MinIO Operator v4.0.0. + For more complete documentation on this object, see the [MinIO Kubernetes Documentation](https://min.io/docs/minio/kubernetes/upstream/operations/installation.html). @@ -1092,15 +1262,19 @@ Documentation](https://min.io/docs/minio/kubernetes/upstream/operations/installa href="#pool">Pool array

Required
-An array of objects describing each MinIO server pool deployed in the +

+

An array of objects describing each MinIO server pool deployed in the MinIO Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant.
-The MinIO Tenant spec must have at least -one element in the pools array.
-See the +

The MinIO Tenant spec must have at +least one element in the pools +array.
+

+

See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.

@@ -1117,8 +1291,9 @@ style="text-align: left;">

imagePullSecret LocalObjectReference

Optional
-Specify the secret key to use for pulling images from a private Docker -repository.
+

+

Specify the secret key to use for pulling images from a private +Docker repository.

@@ -1127,180 +1302,227 @@ style="text-align: left;">

podManagementPolicy PodManagementPolicyType

Optional
-Pod Management Policy for pod created by StatefulSet

+

+

Pod Management Policy for pod created by StatefulSet

-

credsSecret -LocalObjectReference

-

optional
-Specify a Kubernetes -opaque secret to use for setting the MinIO root access key and -secret key. Specify the secret as name: <secret>. The -Kubernetes secret must contain the following fields:
-* data.accesskey - The access key for the root -credentials
-* data.secretkey - The secret key for the root -credentials
-

- -

env EnvVar array

Optional
-If provided, the MinIO Operator adds the specified environment variables -when deploying the Tenant resource.

+

+

If provided, the MinIO Operator adds the specified environment +variables when deploying the Tenant resource.

- +

externalCertSecret LocalCertificateReference array

Optional
-Enables TLS with SNI support on each MinIO pod in the tenant. If +

+

Enables TLS with SNI support on each MinIO pod in the tenant. If externalCertSecret is omitted and requestAutoCert is set to false, the MinIO Tenant deploys without TLS enabled.
-Specify an array of +

Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.
-Each element in the externalCertSecret array is an object -containing the following fields:
-* - name - The name of the Kubernetes secret containing the -TLS certificate.
-* - type - Specify kubernetes.io/tls
-See the +

Each element in the externalCertSecret array is an +object containing the following fields:
+

+
    +
  • - name - The name of the Kubernetes secret +containing the TLS certificate.
    +

  • +
  • - type - Specify +kubernetes.io/tls
    +

  • +
+

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

- +

externalCaCertSecret LocalCertificateReference array

Optional
-Allows MinIO server pods to verify client TLS certificates signed by a -Certificate Authority not in the pod’s trust store.
-Specify an array of +

Allows MinIO server pods to verify client TLS certificates signed by +a Certificate Authority not in the pod’s trust store.
+

+

Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant.
-Each element in the externalCertSecret array is an object -containing the following fields:
-* - name - The name of the Kubernetes secret containing the -Certificate Authority.
-* - type - Specify kubernetes.io/tls.
-See the MinIO -Operator CRD reference for examples and more complete documentation -on configuring TLS for MinIO Tenants.

- - -

externalClientCertSecret -LocalCertificateReference

-

Optional
-Enables mTLS authentication between the MinIO Tenant pods and MinIO KES. -Required for enabling connectivity between the MinIO -Tenant and MinIO KES.
-Specify a Kubernetes -TLS secrets. The MinIO Operator copies the specified certificate to -every MinIO server pod in the tenant. The secret must -contain the following fields:
-* name - The name of the Kubernetes secret containing the -TLS certificate.
-* type - Specify kubernetes.io/tls
-The specified certificate must correspond to an -identity on the KES server. See the KES -Wiki for more information on KES identities.
-If deploying KES with the MinIO Operator, include the hash of the -certificate as part of the kes -object specification.
-See the +

Each element in the externalCertSecret array is an +object containing the following fields:
+

+
    +
  • - name - The name of the Kubernetes secret +containing the Certificate Authority.
    +

  • +
  • - type - Specify +kubernetes.io/tls.
    +

  • +
+

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

externalClientCertSecret +LocalCertificateReference

+

Optional
+

+

Enables mTLS authentication between the MinIO Tenant pods and MinIO KES. +Required for enabling connectivity between the MinIO +Tenant and MinIO KES.
+

+

Specify a Kubernetes +TLS secrets. The MinIO Operator copies the specified certificate to +every MinIO server pod in the tenant. The secret must +contain the following fields:
+

+
    +
  • name - The name of the Kubernetes secret containing +the TLS certificate.
    +

  • +
  • type - Specify kubernetes.io/tls
    +

  • +
+

The specified certificate must correspond to an +identity on the KES server. See the KES +Wiki for more information on KES identities.
+

+

If deploying KES with the MinIO Operator, include the hash of the +certificate as part of the kes +object specification.
+

+

See the MinIO +Operator CRD reference for examples and more complete documentation +on configuring TLS for MinIO Tenants.

+ + +

externalClientCertSecrets LocalCertificateReference array

Optional
-Provide support for mounting additional client certificate into MinIO +

+

Provide support for mounting additional client certificate into MinIO Tenant pods Multiple client certificates will be mounted using the following folder structure:
-* certs
-* * client-0
-* * * client.crt
-* * * client.key
-* * client-1
-* * * client.crt
-* * * client.key
-* * * client-2
-* * client.crt
-* * * client.key
-Specify a +

+

Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant that later can be referenced using environment variables. The secret must contain the following fields:
-* name - The name of the Kubernetes secret containing the -TLS certificate.
-* type - Specify kubernetes.io/tls
-

+

+
    +
  • name - The name of the Kubernetes secret containing +the TLS certificate.
    +

  • +
  • type - Specify kubernetes.io/tls
    +

  • +
- +

mountPath string

Optional
-Mount path for MinIO volume (PV). Defaults to +

+

Mount path for MinIO volume (PV). Defaults to /export

- +

subPath string

Optional
-Subpath inside mount path. This is the directory where MinIO stores +

+

Subpath inside mount path. This is the directory where MinIO stores data. Default to ""` (empty)

- +

requestAutoCert boolean

Optional
-Enables using +

Enables using Kubernetes-based TLS certificate generation and signing for pods and services in the MinIO Tenant.
-* Specify true to explicitly enable automatic certificate -generate (Default).
-* Specify false to disable automatic certificate +

+
    +
  • Specify true to explicitly enable automatic +certificate generate (Default).
    +

  • +
  • Specify false to disable automatic certificate generation.
    -If requestAutoCert is set to false +

  • +
+

If requestAutoCert is set to false and externalCertSecret is omitted, the -MinIO Tenant deploys without TLS enabled. See the without TLS enabled.

+

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

+ +

certExpiryAlertThreshold +integer

+

CertExpiryAlertThreshold is the minimum +number of days to expiry before an alert for an expiring certificate is +fired.

+

liveness +

lifecycle +Lifecycle

+

Lifecycle hooks for container.

+ +

features Features

S3 related features can be disabled or enabled such as bucketDNS etc.

- +

certConfig CertificateConfig

Optional
-Enables setting the CommonName, Organization, -and dnsName attributes for all TLS certificates -automatically generated by the Operator. Configuring this object has no -effect if requestAutoCert is false.
+

+

Enables setting the CommonName, +Organization, and dnsName attributes for all +TLS certificates automatically generated by the Operator. Configuring +this object has no effect if requestAutoCert is +false.

- +

kes KESConfig

Optional
-Directs the MinIO Operator to deploy the +

Directs the MinIO Operator to deploy the MinIO Key Encryption Service (KES) using the specified configuration. The MinIO KES supports performing server-side encryption of objects on the MiNIO Tenant.

- +

prometheusOperator boolean

Optional
-Directs the MinIO Operator to use prometheus operator.
-Tenant scrape configuration will be added to prometheus managed by the -prometheus-operator.

+

+

Directs the MinIO Operator to use prometheus operator.
+

+

Tenant scrape configuration will be added to prometheus managed by +the prometheus-operator.

- +

serviceAccountName string

Optional
-The +

The Kubernetes Service Account to use for running MinIO pods created as part of the Tenant.

- +

priorityClassName string

Optional
-Indicates the Pod priority and therefore importance of a Pod relative to -other Pods in the cluster. This is applied to MinIO pods only.
-Refer Kubernetes +

Indicates the Pod priority and therefore importance of a Pod relative +to other Pods in the cluster. This is applied to MinIO pods only.
+

+

Refer Kubernetes Priority Class documentation for more complete documentation.

- +

imagePullPolicy PullPolicy

Optional
-The pull policy for the MinIO Docker image. Specify one of the +

+

The pull policy for the MinIO Docker image. Specify one of the following:
-* Always
-* Never
-* IfNotPresent (Default)
-Refer Kubernetes documentation for details +

+

Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images

- +

sideCars SideCars

Optional
-A list of containers to run as sidecars along every MinIO Pod deployed -in the tenant.

+

+

A list of containers to run as sidecars along every MinIO Pod +deployed in the tenant.

- +

exposeServices ExposeServices

Optional
-Directs the Operator to expose the MinIO and/or Console services.
+

+

Directs the Operator to expose the MinIO and/or Console +services.

- +

serviceMetadata ServiceMetadata

Optional
-Specify custom labels and annotations to append to the MinIO service +

+

Specify custom labels and annotations to append to the MinIO service and/or Console service.

- +

users LocalObjectReference array

Optional
-An array of +

An array of Kubernetes opaque secrets to use for generating MinIO users during tenant provisioning.
-Each element in the array is an object consisting of a key-value pair +

+

Each element in the array is an object consisting of a key-value pair name: <string>, where the <string> references an opaque Kubernetes secret.
-Each referenced Kubernetes secret must include the following +

+

Each referenced Kubernetes secret must include the following fields:
-* CONSOLE_ACCESS_KEY - The "Username" for the MinIO +

+
    +
  • CONSOLE_ACCESS_KEY - The "Username" for the MinIO user
    -* CONSOLE_SECRET_KEY - The "Password" for the MinIO +

  • +
  • CONSOLE_SECRET_KEY - The "Password" for the MinIO user
    -The Operator creates each user with the consoleAdmin policy -by default. You can change the assigned policy after the Tenant +

  • +
+

The Operator creates each user with the consoleAdmin +policy by default. You can change the assigned policy after the Tenant starts.

- +

buckets Bucket array

Optional
-Create buckets when creating a new tenant. Skip if bucket with given +

+

Create buckets when creating a new tenant. Skip if bucket with given name already exists

- +

logging Logging

Optional
-Enable JSON, Anonymous logging for MinIO tenants.

+

+

Enable JSON, Anonymous logging for MinIO tenants.

- +

configuration LocalObjectReference

Optional
-Specify a secret that contains additional environment variable +

+

Specify a secret that contains additional environment variable configurations to be used for the MinIO pools. The secret is expected to have a key named config.env containing all exported environment variables for MinIO+

- +

initContainers Container array

Optional
-Add custom initContainers to StatefulSet

+

+

Add custom initContainers to StatefulSet

- +

additionalVolumes Volume array

Optional
-If provided, statefulset will add these volumes. You should set the +

+

If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.

- +

additionalVolumeMounts VolumeMount array

Optional
-If provided, statefulset will add these volumes. You should set the +

+

If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.

diff --git a/source/includes/k8s/operator-values.yaml b/source/includes/k8s/operator-values.yaml index 03f4850b..434d72e2 100644 --- a/source/includes/k8s/operator-values.yaml +++ b/source/includes/k8s/operator-values.yaml @@ -4,7 +4,7 @@ operator: ### # An array of environment variables to pass to the Operator deployment. # Pass an empty array to start Operator with defaults. - # + # # For example: # # .. code-block:: yaml @@ -14,34 +14,36 @@ operator: # valueFrom: # fieldRef: # fieldPath: metadata.labels['app.kubernetes.io/name'] - # - name: MINIO_CONSOLE_TLS_ENABLE - # value: "off" # - name: CLUSTER_DOMAIN # value: "cluster.domain" # - name: WATCHED_NAMESPACE # value: "" # - name: MINIO_OPERATOR_RUNTIME - # value: "OpenShift" + # value: "OpenShift" # # See `Operator environment variables `__ for a list of all supported values. env: - name: OPERATOR_STS_ENABLED value: "on" + # An array of additional annotations to be applied to the operator service account + serviceAccountAnnotations: [] + # additional labels to be applied to operator resources + additionalLabels: {} ### # Specify the Operator container image to use for the deployment. - # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # ``image.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v6.0.3 tag. # The container pulls the image if not already present: # # .. code-block:: yaml - # + # # image: # repository: quay.io/minio/operator - # tag: v5.0.11 + # tag: v6.0.3 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: - # + # # .. code-block:: yaml # # image: 
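Review bot: In the `@@ -14,34 +14,36 @@` hunk the new default `serviceAccountAnnotations: []` is an array while the sibling `additionalLabels: {}` is a map, and Kubernetes annotations are a string-to-string map, so the two new keys disagree on shape. Unless the chart template deliberately consumes a list here, the default and its comment should read `serviceAccountAnnotations: {}` with `# A map of additional annotations to apply to the Operator service account`. The consuming template is outside this change, so this should be confirmed against it before editing the documented values file.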
@@ -51,9 +53,33 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.11 + tag: v6.0.3 pullPolicy: IfNotPresent ### + # Specify the sidecar container image to deploy on tenant pods for init container and sidecar. + # Only need to change this if want to use a different version that the default, or want to set a custom registry. + # ``sidecarImage.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator-sidecar`` repo and the v6.0.3 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # sidecarImage: + # repository: quay.io/minio/operator-sidecar + # tag: v6.0.3 + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # sidecarImage: + # repository: quay.io/minio/operator-sidecar@sha256 + # digest: a11947a230b80fb1b0bffa97173147a505d4f1207958f722e348d11ab9e972c1 + # pullPolicy: IfNotPresent + # + sidecarImage: {} + ### # # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. # Only one array element is supported at this time. @@ -90,6 +116,12 @@ operator: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ### # An array of `Volumes `__ which the Operator can mount to pods. # @@ -97,7 +129,7 @@ operator: volumes: [ ] ### # An array of volume mount points associated to each Operator container. - # + # # Specify each item in the array as follows: # # .. code-block:: yaml @@ -147,7 +179,7 @@ operator: # These settings determine the distribution of pods across worker nodes. topologySpreadConstraints: [ ] ### - # + # # The `Requests or Limits `__ for resources to associate to Operator pods. # # These settings can control the minimum and maximum resources requested for each pod. 
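Review bot: The new `sidecarImage: {}` in the `-51,9` hunk is documented only by example overrides; the comment never says what the empty value resolves to (presumably a default sidecar image tied to the Operator release, which should be confirmed and stated), and the sentence `Only need to change this if want to use a different version that the default` has two grammar slips (`if you want`, `than the default`). Since the sidecar runs inside every Tenant pod, a reader choosing between tag and digest would also benefit from the comment noting that the digest form pins an exact build, e.g. `# Leave empty to use the Operator's default sidecar image; set repository and tag, or repository@sha256 and digest, to pin a specific build or pull from a private registry.`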
@@ -157,156 +189,3 @@ operator: cpu: 200m memory: 256Mi ephemeral-storage: 500Mi - -### -# Root key for Operator Console -console: - ### - # Specify ``false`` to disable the Operator Console. - # - # If the Operator Console is disabled, all management of Operator Tenants must be done through the Kubernetes API. - enabled: true - ### - # Specify the Operator Console container image to use for the deployment. - # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. - # The container pulls the image if not already present: - # - # .. code-block:: yaml - # - # image: - # repository: quay.io/minio/operator - # tag: v5.0.11 - # pullPolicy: IfNotPresent - # - # The chart also supports specifying an image based on digest value: - # - # .. code-block:: yaml - # - # image: - # repository: quay.io/minio/operator@sha256 - # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 - # pullPolicy: IfNotPresent - # - # The specified values should match that of ``operator.image`` to ensure predictable operations. - image: - repository: quay.io/minio/operator - tag: v5.0.11 - pullPolicy: IfNotPresent - ### - # An array of environment variables to pass to the Operator Console deployment. - # Pass an empty array to start Operator Console with defaults. - env: [ ] - ### - # - # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. - imagePullSecrets: [ ] - ### - # - # The name of a custom `Container Runtime `__ to use for the Operator Console pods. - runtimeClassName: ~ - ### - # An array of `initContainers `__ to start up before the Operator Console pods. - # Exercise care as ``initContainer`` failures prevent Console pods from starting. - # Pass an empty array to start the Console normally. - initContainers: [ ] - ### - # The number of Operator Console pods to deploy. - # Higher values increase availability in the event of worker node failures. 
- # - # The cluster must have sufficient number of available worker nodes to fulfill the request. - # Console pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. - replicaCount: 1 - ### - # Any `Node Selectors `__ to apply to Operator Console pods. - # - # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Console pods. - # - # If no worker nodes match the specified selectors, the Console deployment will fail. - nodeSelector: { } - ### - # - # The `affinity `__ or anti-affinity settings to apply to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: name - operator: In - values: - - minio-operator - topologyKey: kubernetes.io/hostname - ### - # - # An array of `Toleration labels `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - tolerations: [ ] - ### - # - # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - topologySpreadConstraints: [ ] - ### - # - # The `Requests or Limits `__ for resources to associate to Operator Console pods. - # - # These settings can control the minimum and maximum resources requested for each pod. - # If no worker nodes can meet the specified requests, the Console may fail to deploy. - resources: - requests: - cpu: 0.25 - memory: 512Mi - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator Console resources. - # - # You may need to modify these values to meet your cluster's security and access settings. 
- securityContext: - runAsUser: 1000 - runAsNonRoot: true - ### - # The Kubernetes `SecurityContext `__ to use for deploying Operator Console containers. - # You may need to modify these values to meet your cluster's security and access settings. - containerSecurityContext: - runAsUser: 1000 - runAsNonRoot: true - ### - # Configures `Ingress `__ for the Operator Console. - # - # Set the keys to conform to the Ingress controller and configuration of your choice. - ingress: - enabled: false - ingressClassName: "" - labels: { } - annotations: { } - tls: [ ] - host: console.local - path: / - pathType: Prefix - ### - # An array of `Volumes `__ which the Operator Console can mount to pods. - # - # The volumes must exist *and* be accessible to the Console pods. - volumes: - - name: tmp - emptyDir: {} - ### - # An array of volume mount points associated to each Operator Console container. - # - # Specify each item in the array as follows: - # - # .. code-block:: yaml - # - # volumeMounts: - # - name: volumename - # mountPath: /path/to/mount - # - # The ``name`` field must correspond to an entry in the ``volumes`` array. - volumeMounts: - - name: tmp - readOnly: false - mountPath: /tmp/certs/CAs diff --git a/source/includes/k8s/tenant-values.yaml b/source/includes/k8s/tenant-values.yaml index 14a7e6de..d2ed2639 100644 --- a/source/includes/k8s/tenant-values.yaml +++ b/source/includes/k8s/tenant-values.yaml 
@@ -1,40 +1,3 @@ -### -# Root key for dynamically creating a secret for use with configuring root MinIO User -# Specify the ``name`` and then a list of environment variables. -# -# .. important:: -# -# Do not use this in production environments. -# This field is intended for use with rapid development or testing only. -# -# For example: -# -# .. code-block:: yaml -# -# name: myminio-env-configuration -# accessKey: minio -# secretKey: minio123 -# -secrets: - name: myminio-env-configuration - accessKey: minio - secretKey: minio123 -### -# The name of an existing Kubernetes secret to import to the MinIO Tenant -# The secret must contain a key ``config.env``. -# The values should be a series of export statements to set environment variables for the Tenant. -# For example: -# -# .. code-block:: shell -# -# stringData: -# config.env: | - -# export MINIO_ROOT_USER=ROOTUSERNAME -# export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD -# -existingSecret: - name: myminio-env-configuration -### # Root key for MinIO Tenant Chart tenant: ### @@ -45,14 +8,14 @@ tenant: ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v6.0.3 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/minio - # tag: RELEASE.2023-11-15T20-43-25Z + # tag: RELEASE.2024-08-17T01-24-54Z # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -67,7 +30,7 @@ tenant: # image: repository: quay.io/minio/minio - tag: RELEASE.2023-11-15T20-43-25Z + tag: RELEASE.2024-08-17T01-24-54Z pullPolicy: IfNotPresent ### # 
@@ -85,6 +48,42 @@ tenant: configuration: name: myminio-env-configuration ### + # Root key for dynamically creating a secret for use with configuring root MinIO User + # Specify the ``name`` and then a list of environment variables. + # + # .. important:: + # + # Do not use this in production environments. + # This field is intended for use with rapid development or testing only. + # + # For example: + # + # .. code-block:: yaml + # + # name: myminio-env-configuration + # accessKey: minio + # secretKey: minio123 + # + configSecret: + name: myminio-env-configuration + accessKey: minio + secretKey: minio123 + ### + # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant. + # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration + # The secret must contain a key ``config.env``. + # The values should be a series of export statements to set environment variables for the Tenant. + # For example: + # + # .. code-block:: shell + # + # stringData: + # config.env: |- + # export MINIO_ROOT_USER=ROOTUSERNAME + # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD + # + # existingSecret: false + ### # Top level key for configuring MinIO Pool(s) in this Tenant. # # See `Operator CRD: Pools `__ for more information on all subfields. @@ -109,7 +108,10 @@ tenant: # If using Amazon Elastic Block Store (EBS) CSI driver # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md - storageClassName: standard + # storageClassName: standard + ### + # Specify `storageAnnotations `__ to associate to PVCs. + storageAnnotations: { } ### # Specify `annotations `__ to associate to Tenant pods. annotations: { } 
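Review bot: After the `-85,6 +48,42` hunk the well-known root credentials `accessKey: minio` / `secretKey: minio123` are still the active default, now under `tenant.configSecret` instead of the removed top-level `secrets` key, so a default install still creates a Tenant with guessable root credentials and the `.. important::` note is the only guard. The alternative path is under-specified: `existingSecret` appears only as a commented-out `# existingSecret: false` whose default is not stated, and its comment says the existing secret name must be placed under `.tenant.configuration.name` while `configSecret.name` carries the same value two lines above, leaving it unclear which key wins when `existingSecret: true`. I would add to the `configSecret` comment `# These values are rendered into a Kubernetes Secret as-is; override them or set existingSecret: true before any non-test deployment` and state explicitly in the `existingSecret` comment that `configSecret` is ignored in that mode (if that is indeed the behaviour).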
@@ -161,6 +163,12 @@ tenant: runAsUser: 1000 runAsGroup: 1000 runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault ### # # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. @@ -220,6 +228,10 @@ tenant: # Enable automatic Kubernetes based `certificate generation and signing `__ requestAutoCert: true ### + # The minimum number of days to expiry before an alert for an expiring certificate is fired. + # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry + # certExpiryAlertThreshold: 1 + ### # This field is used only when ``requestAutoCert: true``. # Use this field to set CommonName for the auto-generated certificate. # MinIO defaults to using the internal Kubernetes DNS name for the pod @@ -266,6 +278,9 @@ tenant: # Refer startup: { } ### + # The `Lifecycle hooks `__ for container. + lifecycle: { } + ### # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects. # # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically. @@ -332,20 +347,19 @@ tenant: # # Image from tag (original behavior), for example: # # image: # # repository: quay.io/minio/kes - # # tag: 2023-11-10T10-44-28Z + # # tag: 2024-08-16T14-39-28Z # # Image from digest (added after original behavior), for example: # # image: # # repository: quay.io/minio/kes@sha256 # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b # image: # repository: quay.io/minio/kes - # tag: 2023-11-10T10-44-28Z + # tag: 2024-08-16T14-39-28Z # pullPolicy: IfNotPresent # env: [ ] # replicas: 2 # configuration: |- # address: :7373 - # root: _ # Effectively disabled since no root identity necessary. # tls: # key: /tmp/kes/server.key # Path to the TLS private key # cert: /tmp/kes/server.crt # Path to the TLS certificate 
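Review bot: The description of `certExpiryAlertThreshold` in the `-220,6` hunk is hard to parse: "if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry" reads as if the 7 days mattered, when the example value `1` is what sets the lead time, and the default used when the key stays commented out is not given. A clearer comment would be `# Days before certificate expiry at which the Operator starts emitting expiry events. With the example value of 1, a certificate expiring in 7 days raises no event until it is 1 day from expiry.` It may also be worth saying that `1` is only illustrative, since one day of notice leaves little time to rotate certificates on the Tenant.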
@@ -353,14 +367,8 @@ tenant: # identities: [] # header: # cert: X-Tls-Client-Cert - # policy: - # my-policy: - # paths: - # - /v1/key/create/* - # - /v1/key/generate/* - # - /v1/key/decrypt/* - # identities: - # - ${MINIO_KES_IDENTITY} + # admin: + # identity: ${MINIO_KES_IDENTITY} # cache: # expiry: # any: 5m0s @@ -368,7 +376,7 @@ tenant: # log: # error: on # audit: off - # keys: + # keystore: # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended # # use a real KMS # # fs: @@ -419,6 +427,17 @@ tenant: # runAsGroup: 1000 # runAsNonRoot: true # fsGroup: 1000 + # containerSecurityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # runAsNonRoot: true + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # seccompProfile: + # type: RuntimeDefault + ### # Configures `Ingress `__ for the Tenant S3 API and Console. # @@ -450,7 +469,7 @@ ingress: # kind: Secret # type: Opaque # metadata: -# name: {{ dig "secrets" "existingSecret" "" (.Values | merge (dict)) }} +# name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }} # stringData: # config.env: |- # export MINIO_ROOT_USER='minio'
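Review bot: Replacing the scoped `policy` block with `admin: identity: ${MINIO_KES_IDENTITY}` in the `-353,14` hunk widens what the Tenant's KES identity may do: the old side confined it to `/v1/key/create/*`, `/v1/key/generate/*` and `/v1/key/decrypt/*`, whereas the KES admin identity is not subject to policies and can also delete keys and administer the server. If the change is only meant to follow the newer KES configuration format (the `root` key is likewise dropped in the `-332,20` hunk), consider keeping the MinIO identity under a least-privilege policy and reserving the admin identity for operators, or at least add `# NOTE: the admin identity is unrestricted in KES; prefer a scoped policy for the Tenant identity where possible`. This sits inside the commented-out `configuration` example, so it affects users who copy it verbatim.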
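Review bot: The example Secret's `metadata.name` in the `-450,7` hunk is now taken from `tenant.configSecret.name`, but the new `existingSecret` comment in the `-85,6` hunk of this file says the name of a pre-existing secret must be placed under `.tenant.configuration.name`; if this example is the secret users are expected to create for the `existingSecret: true` path, the template should presumably dig `"tenant" "configuration" "name"` instead, or the two comments should state which key is authoritative. Both keys default to `myminio-env-configuration`, so the mismatch stays hidden until someone renames one of them.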