minio/docs
1
0
Fork 0
mirror of https://github.com/minio/docs.git synced 2025-07-30 07:03:26 +03:00
Code Activity

DOCS-1021: Adding helm information (#1060)

Browse Source 
Closes #1021 
Closes #1055 
Closes #968 
Closes #943 


---------

Co-authored-by: Andrea Longo <feorlen@users.noreply.github.com>
Co-authored-by: Pedro Juarez <pjuarezd@users.noreply.github.com>
This commit is contained in:
Ravind Kumar
2023-11-16 12:56:20 -05:00
committed by GitHub
parent 09ce8edb48
commit c770ba9d76
17 changed files with 1577 additions and 230 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
source/default-conf.py
View File

@ -44,6 +44,7 @@ extensions = [
'sphinx_design',
'sphinx.ext.intersphinx',
'sphinx_reredirects',
'sphinxcontrib.autoyaml',
]
# -- External Links
@ -204,6 +205,10 @@ redirects = {
}
# sphinxcontrib-autoyaml customization
autoyaml_level = 5
# -- Options for HTML output -------------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for

50
source/includes/k8s/deploy-operator.rst
View File

@ -67,6 +67,10 @@ Prerequisites
Kubernetes Version 1.19.0
~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life <https://kubernetes.io/releases/patch-releases/#non-active-branch-history>`__ Kubernetes APIs.
Starting with v4.0.0, the MinIO Operator and MinIO Kubernetes Plugin **require** Kubernetes 1.19.0 and later.
The Kubernetes infrastructure *and* the ``kubectl`` CLI tool must have the same version of 1.19.0+.
@ -155,52 +159,6 @@ The output of the example command above may differ from the output in your termi
Alternatively, you can generate x.509 TLS certificates signed by a known and trusted CA and pass those certificates to MinIO Tenants.
See :ref:`minio-tls` for more complete documentation.
Configure MinIO Operator to Trust Custom Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you use custom certificates for your deployment, add the certificate so that MinIO Operator trusts it.
This procedure assumes you have an existing custom certificate.
1. Use the following command to generate a secret from the certificate:
.. code-block:: shell
:class: copyable
kubectl create secret generic MY-CUSTOM-TLS -n MY-CLUSTER-NAMESPACE --from-file=<path/to/public.crt>
Replace the following placeholders in the above command:
- ``MY-CUSTOM-TLS`` with the name of your secrets file
- ``MY-CLUSTER-NAMESPACE`` with your cluster's namespace
- ``<path/to/public.crt>`` with the relative path to the public certificate to use to create the secret
2. Add a volume to the yaml for your cluster under ``.spec.template.spec``
.. code-block:: yaml
:class: copyable
volumes:
- name: tls-certificates
projected:
defaultMode: 420
sources:
- secret:
items:
- key: public.crt
path: CAs/custom-public.crt
name: MY-CUSTOM-TLS
- replace ``MY-CUSTOM-TLS`` with the name of your secrets file.
3. Add a ``volumeMount`` to the yaml for your cluster under ``.spec.template.spec.container[0]``
.. code-block:: yaml
:class: copyable
volumeMounts:
- mountPath: /tmp/certs
name: tls-certificates
Procedure
---------

307
source/includes/k8s/operator-values.yaml Normal file
View File

@ -0,0 +1,307 @@
###
# Root key for Operator Helm Chart
operator:
###
# An array of environment variables to pass to the Operator deployment.
# Pass an empty array to start Operator with defaults.
#
# For example:
#
# .. code-block:: yaml
#
# env:
# - name: MINIO_OPERATOR_DEPLOYMENT_NAME
# valueFrom:
# fieldRef:
# fieldPath: metadata.labels['app.kubernetes.io/name']
# - name: MINIO_CONSOLE_TLS_ENABLE
# value: "off"
# - name: CLUSTER_DOMAIN
# value: "cluster.domain"
# - name: WATCHED_NAMESPACE
# value: ""
# - name: MINIO_OPERATOR_RUNTIME
# value: "OpenShift"
#
# See `Operator environment variables <https://github.com/minio/operator/blob/master/docs/env-variables.md>`__ for a list of all supported values.
env:
- name: OPERATOR_STS_ENABLED
value: "on"
###
# Specify the Operator container image to use for the deployment.
# ``image.tag``
# For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag.
# The container pulls the image if not already present:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/operator
# tag: v5.0.10
# pullPolicy: IfNotPresent
#
# The chart also supports specifying an image based on digest value:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/operator@sha256
# digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
# pullPolicy: IfNotPresent
#
image:
repository: quay.io/minio/operator
tag: v5.0.10
pullPolicy: IfNotPresent
###
#
# An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
# Only one array element is supported at this time.
imagePullSecrets: [ ]
###
#
# The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the Operator pods.
runtimeClassName: ~
###
# An array of `initContainers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to start up before the Operator pods.
# Exercise care as ``initContainer`` failures prevent Operator pods from starting.
# Pass an empty array to start the Operator normally.
initContainers: [ ]
###
# The number of Operator pods to deploy.
# Higher values increase availability in the event of worker node failures.
#
# The cluster must have sufficient number of available worker nodes to fulfill the request.
# Operator pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node.
replicaCount: 2
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Operator resources.
#
# You may need to modify these values to meet your cluster's security and access settings.
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Operator containers.
# You may need to modify these values to meet your cluster's security and access settings.
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
###
# An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to pods.
#
# The volumes must exist *and* be accessible to the Operator pods.
volumes: [ ]
###
# An array of volume mount points associated to each Operator container.
#
# Specify each item in the array as follows:
#
# .. code-block:: yaml
#
# volumeMounts:
# - name: volumename
# mountPath: /path/to/mount
#
# The ``name`` field must correspond to an entry in the ``volumes`` array.
volumeMounts: [ ]
###
# Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Operator pods.
#
# The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Operator pods.
#
# If no worker nodes match the specified selectors, the Operator deployment will fail.
nodeSelector: { }
###
#
# The `Pod Priority <https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/>`__ to assign to Operator pods.
priorityClassName: ""
###
#
# The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Operator pods.
#
# These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: name
operator: In
values:
- minio-operator
topologyKey: kubernetes.io/hostname
###
#
# An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Operator pods.
#
# These settings determine the distribution of pods across worker nodes.
tolerations: [ ]
###
#
# An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator pods.
#
# These settings determine the distribution of pods across worker nodes.
topologySpreadConstraints: [ ]
###
#
# The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Operator pods.
#
# These settings can control the minimum and maximum resources requested for each pod.
# If no worker nodes can meet the specified requests, the Operator may fail to deploy.
resources:
requests:
cpu: 200m
memory: 256Mi
ephemeral-storage: 500Mi
###
# Root key for Operator Console
console:
###
# Specify ``false`` to disable the Operator Console.
#
# If the Operator Console is disabled, all management of Operator Tenants must be done through the Kubernetes API.
enabled: true
###
# Specify the Operator Console container image to use for the deployment.
# ``image.tag``
# For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag.
# The container pulls the image if not already present:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/operator
# tag: v5.0.10
# pullPolicy: IfNotPresent
#
# The chart also supports specifying an image based on digest value:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/operator@sha256
# digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
# pullPolicy: IfNotPresent
#
# The specified values should match that of ``operator.image`` to ensure predictable operations.
image:
repository: quay.io/minio/operator
tag: v5.0.10
pullPolicy: IfNotPresent
###
# An array of environment variables to pass to the Operator Console deployment.
# Pass an empty array to start Operator Console with defaults.
env: [ ]
###
#
# An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
imagePullSecrets: [ ]
###
#
# The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods.
runtimeClassName: ~
###
# An array of `initContainers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to start up before the Operator Console pods.
# Exercise care as ``initContainer`` failures prevent Console pods from starting.
# Pass an empty array to start the Console normally.
initContainers: [ ]
###
# The number of Operator Console pods to deploy.
# Higher values increase availability in the event of worker node failures.
#
# The cluster must have sufficient number of available worker nodes to fulfill the request.
# Console pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node.
replicaCount: 1
###
# Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Operator Console pods.
#
# The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Console pods.
#
# If no worker nodes match the specified selectors, the Console deployment will fail.
nodeSelector: { }
###
#
# The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Operator Console pods.
#
# These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: name
operator: In
values:
- minio-operator
topologyKey: kubernetes.io/hostname
###
#
# An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Operator Console pods.
#
# These settings determine the distribution of pods across worker nodes.
tolerations: [ ]
###
#
# An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
#
# These settings determine the distribution of pods across worker nodes.
topologySpreadConstraints: [ ]
###
#
# The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Operator Console pods.
#
# These settings can control the minimum and maximum resources requested for each pod.
# If no worker nodes can meet the specified requests, the Console may fail to deploy.
resources:
requests:
cpu: 0.25
memory: 512Mi
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Operator Console resources.
#
# You may need to modify these values to meet your cluster's security and access settings.
securityContext:
runAsUser: 1000
runAsNonRoot: true
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Operator Console containers.
# You may need to modify these values to meet your cluster's security and access settings.
containerSecurityContext:
runAsUser: 1000
runAsNonRoot: true
###
# Configures `Ingress <https://kubernetes.io/docs/concepts/services-networking/ingress/>`__ for the Operator Console.
#
# Set the keys to conform to the Ingress controller and configuration of your choice.
ingress:
enabled: false
ingressClassName: ""
labels: { }
annotations: { }
tls: [ ]
host: console.local
path: /
pathType: Prefix
###
# An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator Console can mount to pods.
#
# The volumes must exist *and* be accessible to the Console pods.
volumes: [ ]
###
# An array of volume mount points associated to each Operator Console container.
#
# Specify each item in the array as follows:
#
# .. code-block:: yaml
#
# volumeMounts:
# - name: volumename
# mountPath: /path/to/mount
#
# The ``name`` field must correspond to an entry in the ``volumes`` array.
volumeMounts: [ ]

457
source/includes/k8s/tenant-values.yaml Normal file
View File

@ -0,0 +1,457 @@
###
# Root key for dynamically creating a secret for use with configuring root MinIO User
# Specify the ``name`` and then a list of environment variables.
#
# .. important::
#
# Do not use this in production environments.
# This field is intended for use with rapid development or testing only.
#
# For example:
#
# .. code-block:: yaml
#
# name: myminio-env-configuration
# accessKey: minio
# secretKey: minio123
#
secrets:
name: myminio-env-configuration
accessKey: minio
secretKey: minio123
###
# The name of an existing Kubernetes secret to import to the MinIO Tenant
# The secret must contain a key ``config.env``.
# The values should be a series of export statements to set environment variables for the Tenant.
# For example:
#
# .. code-block:: shell
#
# stringData:
# config.env: | -
# export MINIO_ROOT_USER=ROOTUSERNAME
# export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
#
existingSecret:
name: myminio-env-configuration
###
# Root key for MinIO Tenant Chart
tenant:
###
# The Tenant name
#
# Change this to match your preferred MinIO Tenant name.
name: myminio
###
# Specify the Operator container image to use for the deployment.
# ``image.tag``
# For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag.
# The container pulls the image if not already present:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/minio
# tag: RELEASE.2023-10-07T15-07-38Z
# pullPolicy: IfNotPresent
#
# The chart also supports specifying an image based on digest value:
#
# .. code-block:: yaml
#
# image:
# repository: quay.io/minio/minio@sha256
# digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
# pullPolicy: IfNotPresent
#
#
image:
repository: quay.io/minio/minio
tag: RELEASE.2023-10-07T15-07-38Z
pullPolicy: IfNotPresent
###
#
# An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
# Only one array element is supported at this time.
imagePullSecret: { }
###
# The Kubernetes `Scheduler <https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Tenant pods.
#
# Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
scheduler: { }
###
# The Kubernetes secret name that contains MinIO environment variable configurations.
# The secret is expected to have a key named config.env containing environment variables exports.
configuration:
name: myminio-env-configuration
###
# Top level key for configuring MinIO Pool(s) in this Tenant.
#
# See `Operator CRD: Pools <https://min.io/docs/minio/kubernetes/upstream/reference/operator-crd.html#pool>`__ for more information on all subfields.
pools:
###
# The number of MinIO Tenant Pods / Servers in this pool.
# For standalone mode, supply 1. For distributed mode, supply 4 or more.
# Note that the operator does not support upgrading from standalone to distributed mode.
- servers: 4
###
# Custom name for the pool
name: pool-0
###
# The number of volumes attached per MinIO Tenant Pod / Server.
volumesPerServer: 4
###
# The capacity per volume requested per MinIO Tenant Pod.
size: 10Gi
###
# The `storageClass <https://kubernetes.io/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool.
#
# If using Amazon Elastic Block Store (EBS) CSI driver
# Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
# Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
storageClassName: standard
###
# Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to Tenant pods.
annotations: { }
###
# Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to Tenant pods.
labels: { }
###
#
# An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Tenant pods.
#
# These settings determine the distribution of pods across worker nodes.
tolerations: [ ]
###
# Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Tenant pods.
#
# The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods.
#
# If no worker nodes match the specified selectors, the Tenant deployment will fail.
nodeSelector: { }
###
#
# The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Tenant pods.
#
# These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
affinity: { }
###
#
# The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Tenant pods.
#
# These settings can control the minimum and maximum resources requested for each pod.
# If no worker nodes can meet the specified requests, the Operator may fail to deploy.
resources: { }
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant resources.
#
# You may need to modify these values to meet your cluster's security and access settings.
#
# We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
runAsNonRoot: true
###
# The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant containers.
# You may need to modify these values to meet your cluster's security and access settings.
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
###
#
# An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
#
# These settings determine the distribution of pods across worker nodes.
topologySpreadConstraints: [ ]
###
#
# The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods.
# runtimeClassName: ""
###
# The mount path where Persistent Volumes are mounted inside Tenant container(s).
mountPath: /export
###
# The Sub path inside Mount path where MinIO stores data.
#
# .. warning::
#
# Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant.
# If you change these values post-deployment, then you may have different paths for new and pre-existing data.
# This can vastly increase operational complexity and may result in unpredictable data states.
subPath: /data
###
# Configures a Prometheus-compatible scraping endpoint at the specified port.
metrics:
enabled: false
port: 9000
protocol: http
###
# Configures external certificate settings for the Tenant.
certificate:
###
# Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair.
#
# This is used by MinIO to verify TLS connections from clients using those CAs
# If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
# See `Operator CRD: TenantSpec <https://min.io/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
externalCaCertSecret: [ ]
###
# Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair.
#
# Omit this to use only the MinIO Operator autogenerated certificates.
#
# If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS.
#
# See `Operator CRD: TenantSpec <https://min.io/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
#
# .. important::
#
# The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
#
# You can pass the CA to the Operator to allow it to trust that cert.
# See `Self-Signed, Internal, and Private Certificates <https://min.io/docs/minio/kubernetes/upstream/operations/network-encryption.html#self-signed-internal-and-private-certificates>`__ for more information.
# This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust.
externalCertSecret: [ ]
###
# Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__
requestAutoCert: true
###
# This field is used only when ``requestAutoCert: true``.
# Use this field to set CommonName for the auto-generated certificate.
# MinIO defaults to using the internal Kubernetes DNS name for the pod
# The default DNS name format is typically ``*.minio.default.svc.cluster.local``.
#
# See `Operator CRD: CertificateConfig <https://min.io/docs/minio/kubernetes/upstream/reference/operator-crd.html#certificateconfig>`__
certConfig: { }
###
# MinIO features to enable or disable in the MinIO Tenant
# See `Operator CRD: Features <https://min.io/docs/minio/kubernetes/upstream/reference/operator-crd.html#features>`__.
features:
bucketDNS: false
domains: { }
enableSFTP: false
###
# Array of objects describing one or more buckets to create during tenant provisioning.
# Example:
#
# .. code-block:: yaml
#
# - name: my-minio-bucket
# objectLock: false # optional
# region: us-east-1 # optional
buckets: [ ]
###
# Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.
#
# Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user.
users: [ ]
###
# The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for MinIO Tenant Pods.
# Can be "OrderedReady" or "Parallel"
podManagementPolicy: Parallel
# The `Liveness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Tenant pod liveness.
# Tenant pods will be restarted if the probe fails.
liveness: { }
###
# `Readiness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Tenant container readiness.
# Tenant pods will be removed from service endpoints if the probe fails.
readiness: { }
###
# `Startup Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup.
# Tenant pods will be restarted if the probe fails.
# Refer
startup: { }
###
# Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.
#
# If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.
#
# - Specify ``minio: true`` to expose the MinIO S3 API.
# - Specify ``console: true`` to expose the Console.
#
# Both fields default to ``false``.
exposeServices: { }
###
# The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Tenant.
serviceAccountName: ""
###
# Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
prometheusOperator: false
###
# Configure pod logging configuration for the MinIO Tenant.
#
# - Specify ``json`` for JSON-formatted logs.
# - Specify ``anonymous`` for anonymized logs.
# - Specify ``quiet`` to supress logging.
#
# An example of JSON-formatted logs is as follows:
#
# .. code-block:: shell
#
# $ k logs myminio-pool-0-0 -n default
# {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
logging: { }
###
# serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
# services created by the operator.
serviceMetadata: { }
###
# Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
env: [ ]
###
# PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
# This is applied to MinIO pods only.
# Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
priorityClassName: ""
###
# An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to Tenant pods.
#
# The volumes must exist *and* be accessible to the Tenant pods.
additionalVolumes: [ ]
###
# An array of volume mount points associated to each Tenant container.
#
# Specify each item in the array as follows:
#
# .. code-block:: yaml
#
# volumeMounts:
# - name: volumename
# mountPath: /path/to/mount
#
# The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
additionalVolumeMounts: [ ]
# Define configuration for KES (stateless and distributed key-management system)
# Refer https://github.com/minio/kes
#kes:
# ## Image field:
# # Image from tag (original behavior), for example:
# # image:
# # repository: quay.io/minio/kes
# # tag: 2023-10-03T00-48-37Z
# # Image from digest (added after original behavior), for example:
# # image:
# # repository: quay.io/minio/kes@sha256
# # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b
# image:
# repository: quay.io/minio/kes
# tag: 2023-10-03T00-48-37Z
# pullPolicy: IfNotPresent
# env: [ ]
# replicas: 2
# configuration: |-
# address: :7373
# root: _ # Effectively disabled since no root identity necessary.
# tls:
# key: /tmp/kes/server.key # Path to the TLS private key
# cert: /tmp/kes/server.crt # Path to the TLS certificate
# proxy:
# identities: []
# header:
# cert: X-Tls-Client-Cert
# policy:
# my-policy:
# paths:
# - /v1/key/create/*
# - /v1/key/generate/*
# - /v1/key/decrypt/*
# identities:
# - ${MINIO_KES_IDENTITY}
# cache:
# expiry:
# any: 5m0s
# unused: 20s
# log:
# error: on
# audit: off
# keys:
# # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended
# # use a real KMS
# # fs:
# # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production.
# vault:
# endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint
# namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
# prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix.
# approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
# id: "<YOUR APPROLE ID HERE>" # Your AppRole Role ID
# secret: "<YOUR APPROLE SECRET ID HERE>" # Your AppRole Secret ID
# retry: 15s # Duration until the server tries to re-authenticate after connection loss.
# tls: # The Vault client TLS configuration for mTLS authentication and certificate verification
# key: "" # Path to the TLS client private key for mTLS authentication to Vault
# cert: "" # Path to the TLS client certificate for mTLS authentication to Vault
# ca: "" # Path to one or multiple PEM root CA certificates
# status: # Vault status configuration. The server will periodically reach out to Vault to check its status.
# ping: 10s # Duration until the server checks Vault's status again.
# # aws:
# # # The AWS SecretsManager key store. The server will store
# # # secret keys at the AWS SecretsManager encrypted with
# # # AWS-KMS. See: https://aws.amazon.com/secrets-manager
# # secretsmanager:
# # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com
# # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2
# # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
# # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager.
# # accesskey: "" # Your AWS Access Key
# # secretkey: "" # Your AWS Secret Key
# # token: "" # Your AWS session token (usually optional)
# imagePullPolicy: "IfNotPresent"
# externalCertSecret: null
# clientCertSecret: null
# # Key name to be created on the KMS, default is "my-minio-key"
# keyName: ""
# resources: { }
# nodeSelector: { }
# affinity:
# nodeAffinity: { }
# podAffinity: { }
# podAntiAffinity: { }
# tolerations: [ ]
# annotations: { }
# labels: { }
# serviceAccountName: ""
# securityContext:
# runAsUser: 1000
# runAsGroup: 1000
# runAsNonRoot: true
# fsGroup: 1000
###
# Configures `Ingress <https://kubernetes.io/docs/concepts/services-networking/ingress/>`__ for the Tenant S3 API and Console.
#
# Set the keys to conform to the Ingress controller and configuration of your choice.
ingress:
api:
enabled: false
ingressClassName: ""
labels: { }
annotations: { }
tls: [ ]
host: minio.local
path: /
pathType: Prefix
console:
enabled: false
ingressClassName: ""
labels: { }
annotations: { }
tls: [ ]
host: minio-console.local
path: /
pathType: Prefix
# Use an extraResources template section to include additional Kubernetes resources
# with the Helm deployment.
#extraResources:
# - |
# apiVersion: v1
# kind: Secret
# type: Opaque
# metadata:
# name: {{ dig "secrets" "existingSecret" "" (.Values | merge (dict)) }}
# stringData:
# config.env: |-
# export MINIO_ROOT_USER='minio'
# export MINIO_ROOT_PASSWORD='minio123'

1
source/index.rst
View File

@ -211,6 +211,7 @@ For more about connecting to ``play``, see :ref:`MinIO Console play Login <minio
Integrations <https://min.io/docs/minio/linux/integrations/integrations.html?ref=docs>
/reference/kubectl-minio-plugin
/reference/operator-crd
/reference/operator-chart-values
.. toctree::
:titlesonly:

244
source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst Normal file
View File

@ -0,0 +1,244 @@
.. _deploy-tenant-helm:
======================================
Deploy a MinIO Tenant with Helm Charts
======================================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 1
Overview
--------
Helm is a tool for automating the deployment of applications to Kubernetes clusters.
A `Helm chart <https://helm.sh/docs/topics/charts/>`__ is a set of YAML files, templates, and other files that define the deployment details.
The following procedure uses a Helm Chart to deploy a Tenant managed by the MinIO Operator.
This procedure requires the Kubernetes cluster have a valid :ref:`Operator <deploy-operator-kubernetes>` deployment.
You cannot use the MinIO Operator Tenant chart to deploy a Tenant independent of the Operator.
.. important::
The MinIO Operator Tenant Chart is *distinct* from the community-managed :minio-git:`MinIO Chart <minio/tree/master/helm/minio>`.
The Community Helm Chart is community built, maintained, and supported.
MinIO does not guarantee support for any given bug, feature request, or update referencing that chart.
The Operator Tenant Chart is officially maintained and supported by MinIO.
MinIO strongly recommends the official Helm Chart for Operator and Tenants for production environments.
Prerequisites
-------------
You must meet the following requirements to install a MinIO Tenant with Helm:
- An existing Kubernetes cluster
- The ``kubectl`` CLI tool on your local host with version matching the cluster.
- `Helm <https://helm.sh/docs/intro/install/>`__ version 3.8 or greater.
- `yq <https://github.com/mikefarah/yq/#install>`__ version 4.18.1 or greater.
- An existing :ref:`MinIO Operator installation <deploy-operator-kubernetes>`.
This procedure assumes your Kubernetes cluster access grants you broad administrative permissions.
For more about Tenant installation requirements, including supported Kubernetes versions and TLS certificates, see the :ref:`Tenant deployment prerequisites <deploy-minio-distributed-prereqs-storage>`.
This procedure assumes familiarity the with referenced Kubernetes concepts and utilities.
While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`.
.. _deploy-tenant-helm-repo:
Deploy a MinIO Tenant using Helm Charts
---------------------------------------
The following procedure deploys a MinIO Tenant using the MinIO Operator Chart Repository.
This method supports a simplified installation path compared to the :ref:`local chart installation <deploy-tenant-helm-local>`.
You can modify the Operator deployment after installation.
.. important::
Do not use the ``kubectl krew`` or similar methods to update or manage the MinIO Tenant installation.
If you use Helm charts to deploy the Tenant, you must use Helm to manage that deployment.
#. Validate the Operator Repository Contents
Use ``helm search`` to check the latest available chart version in the Operator Repo:
.. code-block:: shell
:class: copyable
helm search repo minio-operator
The response should resemble the following:
.. code-block:: shell
:class: copyable
NAME CHART VERSION APP VERSION DESCRIPTION
minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator
minio-operator/operator 5.0.10 v5.0.10 A Helm chart for MinIO Operator
minio-operator/tenant 5.0.10 v5.0.10 A Helm chart for MinIO Operator
The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances.
If your ``minio-operator/operator`` version is behind the latest available chart, upgrade the operator *first*.
#. Deploy the Helm Chart
Use the ``helm install`` command to deploy the Tenant Chart.
If you need to override values in the default :ref:`values <minio-operator-chart-tenant-values>` file, you can use the ``--set`` operation for any single key-value.
Alternatively, specify your own ``values.yaml`` using the ``--f`` parameter to override multiple values at once:
.. code-block:: shell
:class: copyable
helm install \
--namespace MINIO_TENANT_NAMESPACE \
--create-namespace \
MINIO_TENANT_NAME minio-operator/tenant
#. Validate the Tenant installation
Check the contents of the specified namespace to ensure all pods and services have started successfully.
.. code-block:: shell
:class: copyable
kubectl get all -n MINIO_TENANT_NAMESPACE
All pods and services should have a READY state before proceeding.
#. Expose the Tenant Console port
Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine:
.. code-block:: shell
:class: copyable
kubectl --namespace MINIO_TENANT_NAMESPACE port-forward svc/MINIO_TENANT_NAME-console 9443:9443
.. note::
To configure long term access to the pod, configure :kube-docs:`Ingress <concepts/services-networking/ingress/>` or similar network control components within Kubernetes to route traffic to and from the pod.
Configuring Ingress is out of the scope for this documentation.
#. Login to the MinIO Console
Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser.
Log in to the Console with the default credentials ``myminio | minio123``.
If you modified these credentials in the ``values.yaml`` specify those values instead.
#. Expose the Tenant MinIO S3 API port
To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias.
* Forward the Tenant's MinIO port:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/minio 9000 -n MINIO_TENANT_NAMESPACE
* Create an alias for the Tenant service:
.. code-block:: shell
:class: copyable
mc alias set myminio https://localhost:9000 minio minio123 --insecure
You can use :mc:`mc mb` to create a bucket on the Tenant:
.. code-block:: shell
:class: copyable
mc mb myminio/mybucket --insecure
If you deployed your MinIO Tenant using TLS certificates minted by a trusted Certificate Authority (CA) you can omit the ``--insecure`` flag.
.. _deploy-tenant-helm-local:
Deploy a Tenant using a Local Helm Chart
----------------------------------------
The following procedure deploys a Tenant using a local copy of the Helm Charts.
This method may support easier pre-configuration of the Tenant compared to the :ref:`repo-based installation <deploy-tenant-helm-repo>`
#. Download the Helm charts
On your local host, download the Tenant Helm charts to a convenient directory:
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/tenant-|operator-version-stable|.tgz
Each chart contains a ``values.yaml`` file you can customize to suit your needs.
For example, you may wish to change the MinIO root user credentials or the Tenant name.
For more about customizations, see `Helm Charts <https://helm.sh/docs/topics/charts/>`__.
#. The following Helm command creates a MinIO Tenant using the standard chart:
.. code-block:: shell
:class: copyable
:substitutions:
helm install \
--namespace MINIO_TENANT_NAMESPACE \
--create-namespace \
MINIO_TENANT_NAME tenant-|operator-version-stable|.tgz
To deploy more than one Tenant, create a Helm chart with the details of the new Tenant and repeat the deployment steps.
Redeploying the same chart updates the previously deployed Tenant.
#. Expose the Tenant Console port
Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine:
.. code-block:: shell
:class: copyable
kubectl --namespace MINIO_TENANT_NAMESPACE port-forward svc/myminio-console 9443:9443
.. note::
To configure long term access to the pod, configure :kube-docs:`Ingress <concepts/services-networking/ingress/>` or similar network control components within Kubernetes to route traffic to and from the pod.
Configuring Ingress is out of the scope for this documentation.
#. Login to the MinIO Console
Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser.
Log in to the Console with the default credentials ``myminio | minio123``.
#. Expose the Tenant MinIO port
To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias.
* Forward the Tenant's MinIO port:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/myminio-hl 9000 -n MINIO_TENANT_NAMESPACE
* Create an alias for the Tenant service:
.. code-block:: shell
:class: copyable
mc alias set myminio https://localhost:9000 minio minio123 --insecure
This example uses the non-TLS ``myminio-hl`` service, which requires :std:option:`--insecure <mc.--insecure>`.
If you have a TLS cert configured, omit ``--insecure`` and use ``svc/minio`` instead.
You can use :mc:`mc mb` to create a bucket on the Tenant:
.. code-block:: shell
:class: copyable
mc mb myminio/mybucket --insecure

6
source/operations/install-deploy-manage/deploy-minio-tenant.rst
View File

@ -789,3 +789,9 @@ Kubernetes provides multiple options for configuring external access to services
.. cond:: k8s and not (openshift or eks)
.. include:: /includes/k8s/steps-deploy-tenant-cli.rst
.. toctree::
:titlesonly:
:hidden:
/operations/install-deploy-manage/deploy-minio-tenant-helm

233
source/operations/install-deploy-manage/deploy-operator-helm.rst
View File

@ -18,7 +18,6 @@ Helm is a tool for automating the deployment of applications to Kubernetes clust
A `Helm chart <https://helm.sh/docs/topics/charts/>`__ is a set of YAML files, templates, and other files that define the deployment details.
The following procedure uses a Helm Chart to install the :ref:`MinIO Kubernetes Operator <minio-operator-installation>` to a Kubernetes cluster.
Prerequisites
-------------
@ -35,27 +34,172 @@ For more about Operator installation requirements, including supported Kubernete
This procedure assumes familiarity the with referenced Kubernetes concepts and utilities.
While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`.
.. _minio-k8s-deploy-operator-helm-repo:
Procedure
---------
Install the MinIO Operator using Helm Charts
--------------------------------------------
The following procedure installs the Operator using the MinIO Operator Chart Repository.
This method supports a simplified installation path compared to the :ref:`local chart installation <minio-k8s-deploy-operator-helm-local>`.
You can modify the Operator deployment after installation.
Install Operator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. important::
Do not use ``kubectl krew`` or similar methods to update or manage the MinIO Operator installation.
If you use Helm charts to install the Operator, you must use Helm to manage that installation.
#. Add the MinIO Operator Repo to Helm
MinIO maintains a Helm-compatible repository at https://operator.min.io.
Add this repository to Helm:
.. code-block:: shell
:class: copyable
helm repo add minio-operator https://operator.min.io
You can validate the repo contents using ``helm search``:
.. code-block:: shell
:class: copyable
helm search repo minio-operator
The response should resemble the following:
.. code-block:: shell
:class: copyable
NAME CHART VERSION APP VERSION DESCRIPTION
minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator
minio-operator/operator 5.0.10 v5.0.10 A Helm chart for MinIO Operator
minio-operator/tenant 5.0.10 v5.0.10 A Helm chart for MinIO Operator
The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances.
#. Install the Operator
Run the ``helm install`` command to install the Operator:
.. code-block:: shell
:class: copyable
helm install
--namespace minio-operator \
--create-namespace \
operator minio-operator/operator
#. Verify the Operator installation
Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully.
.. code-block:: shell
:class: copyable
kubectl get all -n minio-operator
The response should resemble the following:
.. code-block:: shell
NAME READY STATUS RESTARTS AGE
pod/console-68d955874d-vxlzm 1/1 Running 0 25h
pod/minio-operator-699f797b8b-th5bk 1/1 Running 0 25h
pod/minio-operator-699f797b8b-nkrn9 1/1 Running 0 25h
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/console ClusterIP 10.43.195.224 <none> 9090/TCP,9443/TCP 25h
service/operator ClusterIP 10.43.44.204 <none> 4221/TCP 25h
service/sts ClusterIP 10.43.70.4 <none> 4223/TCP 25h
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/console 1/1 1 1 25h
deployment.apps/minio-operator 2/2 2 2 25h
NAME DESIRED CURRENT READY AGE
replicaset.apps/console-68d955874d 1 1 1 25h
replicaset.apps/minio-operator-699f797b8b 2 2 2 25h
#. (Optional) Enable NodePort Access to the Console
You can enable :kube-docs:`Node Port <concepts/services-networking/service/#type-nodeport>` access to the ``service/console`` service to allow simplified access to the MinIO Operator.
You can skip this step if you intend to configure the Operator Console service to use a Kubernetes Load Balancer, ingress, or similar control plane component that enables external access.
Edit the ``service/console`` and set the ``spec.ports[0].nodePort`` and ``spec.type`` fields as follows:
.. code-block:: yaml
spec:
ports:
- name: http
port: 9090
protocol: TCP
targetPort: 9090
nodePort: 39090
type: NodePort
You can attempt to connect to the MinIO Operator Console by specifying port ``39090`` on any of the worker nodes in the deployment.
#. Retrieve the Console Access Token
The MinIO Operator uses a JSON Web Token (JWT) saved as a Kubernetes Secret for controlling access to the Operator Console.
Use the following command to retrieve the JWT for login.
You must have permission within the Kubernetes cluster to read secrets:
.. code-block:: shell
:class: copyable
kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r ".data.token" | base64 -d
The output should resemble the following:
.. code-block:: shell
eyJhbGciOiJSUzI1NiIsImtpZCI6IlRtV2x3Z1RILVREaThhQm9iemFfLW95NHFHT0ZZOHFBRjlZalBRcWZiSDgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaW5pby1vcGVyYXRvciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjb25zb2xlLXNhLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb25zb2xlLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiY2M1ZjEwYzktYzU1ZC00MjNiLTgxM2MtNmU5ZDY2ZGI5NDYyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om1pbmlvLW9wZXJhdG9yOmNvbnNvbGUtc2EifQ.F-Pt5nU9xaugjRksWAOTShBW_eNTf8UwXvLfGxEK6l3_41NYsLgvTg5m0hYLUiYr6v2HwkEu0XzqTJbPoeSrFds8BOjeiCoP2Lmw4tRPo9tSXhAq-_elWt83YpJl-zjUpna5nVSWJWXKgj1Iga-9gw-Q63UygEcyTJ9_AwCNU9T0HdPzqccS9XrEUdsXFQxR9RwZY4TGC8K7cD9sc_OmfEiuyilRgyC_gFRvtCQfFv1DP0GKyjMGo2ffu-2Tq2U7zK5epWdqmNSvbIa0ZRoPlPedZ6nYY935lNgTIIW1oykRYrgwZZiv4CzfTH2gPswjtPc5ICtDDRUjYEhdTq3gtw
If the output includes a trailing ``%`` make sure to omit it from the result.
#. Log into the MinIO Operator Console
If you configured the ``svc/console`` service for access through ingress, a cluster load balancer, you can access the Console using the configured hostname and port.
If you configured the service for access through NodePorts, specify the hostname of any worker node in the cluster with that port as ``HOSTNAME:NODEPORT`` to access the Console.
Alternatively, you can use ``kubectl port forward`` to temporary forward ports for the Console:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/console -n minio-operator 9090:9090
You can then use ``http://localhost:9090`` to access the MinIO Operator Console.
Once you access the Console, use the Console JWT to log in.
You can now :ref:`deploy and manage MinIO Tenants using the Operator Console <deploy-minio-distributed>`.
You can also :ref:`deploy a tenant using Helm Charts <deploy-tenant-helm>`.
.. _minio-k8s-deploy-operator-helm-local:
Install the MinIO Operator using Local Helm Charts
--------------------------------------------------
The following procedure installs the Operator using a local copy of the Helm Charts.
This method may support easier pre-configuration of the Operator compared to the :ref:`repo-based installation <minio-k8s-deploy-operator-helm-repo>`
#. Download the Helm charts
On your local host, download the Operator and Tenant Helm charts to a convenient directory:
On your local host, download the Operator Helm charts to a convenient directory:
.. code-block:: shell
:class: copyable
:substitutions:
curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/operator-|operator-version-stable|.tgz
curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/tenant-|operator-version-stable|.tgz
Each chart contains a ``values.yaml`` file you can customize to suit your needs.
For example, you may wish to change the MinIO root user credentials or the Tenant name.
The chart contains a ``values.yaml`` file you can customize to suit your needs.
For more about customizations, see `Helm Charts <https://helm.sh/docs/topics/charts/>`__.
#. Deploy Operator
@ -375,73 +519,6 @@ Install Operator
Append the ``nodePort`` value to the externally-accessible IP address of a worker node in your Kubernetes cluster.
You can now :ref:`deploy and manage MinIO Tenants using the Operator Console <deploy-minio-distributed>`.
Deploy a Tenant
~~~~~~~~~~~~~~~
You can deploy a MinIO Tenant using either the :ref:`Operator Console <minio-operator-console>` or Helm.
To deploy a Tenant with the Console, see :ref:`Deploy and Manage MinIO Tenants <minio-installation>`.
To deploy a Tenant with Helm:
#. The following Helm command creates a MinIO Tenant using the standard chart:
.. code-block:: shell
:class: copyable
:substitutions:
helm install \
--namespace tenant-ns \
--create-namespace \
tenant-ns tenant-|operator-version-stable|.tgz
To deploy more than one Tenant, create a Helm chart with the details of the new Tenant and repeat the deployment steps.
Redeploying the same chart updates the previously deployed Tenant.
#. Expose the Tenant Console port
Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine:
.. code-block:: shell
:class: copyable
kubectl --namespace tenant-ns port-forward svc/myminio-console 9443:9443
.. note::
To configure long term access to the pod, configure :kube-docs:`Ingress <concepts/services-networking/ingress/>` or similar network control components within Kubernetes to route traffic to and from the pod.
Configuring Ingress is out of the scope for this documentation.
#. Login to the MinIO Console
Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser.
Log in to the Console with the default credentials ``myminio | minio123``.
#. Expose the Tenant MinIO port
To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias.
* Forward the Tenant's MinIO port:
.. code-block:: shell
:class: copyable
kubectl port-forward svc/myminio-hl 9000 -n tenant-ns
* Create an alias for the Tenant service:
.. code-block:: shell
:class: copyable
mc alias set myminio https://localhost:9000 minio minio123 --insecure
This example uses the non-TLS ``myminio-hl`` service, which requires :std:option:`--insecure <mc.--insecure>`.
If you have a TLS cert configured, omit ``--insecure`` and use ``svc/minio`` instead.
You can use :mc:`mc mb` to create a bucket on the Tenant:
.. code-block:: shell
:class: copyable
mc mb myminio/mybucket --insecure
You can also :ref:`deploy a tenant using Helm Charts <deploy-tenant-helm>`.

168
source/operations/install-deploy-manage/upgrade-minio-operator.rst
View File

@ -134,59 +134,151 @@ The following steps back up the existing yaml files, perform some clean up, and
Upgrade Operator to |operator-version-stable|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version.
Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements.
Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants.
See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants.
.. tab-set::
2. Verify the existing Operator installation.
Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services.
If you installed the Operator to a custom namespace, specify that namespace as ``-n <NAMESPACE>``.
.. tab-item:: Upgrade using MinIO Kubernetes Plugin
You can verify the currently installed Operator version by retrieving the object specification for an operator pod in the namespace.
The following example uses the ``jq`` tool to filter the necessary information from ``kubectl``:
The following procedure upgrades the MinIO Operator using the :mc:`kubectl minio <kubectl minio init>` plugin.
.. code-block:: shell
:class: copyable
If you installed the Operator using :ref:`Helm <minio-k8s-deploy-operator-helm>`, use the :guilabel:`Upgrade using Helm` instructions instead.
kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers'
The output resembles the following:
.. code-block:: json
:emphasize-lines: 8-10
1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version.
Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements.
Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants.
See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants.
2. Verify the existing Operator installation.
Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services.
If you installed the Operator to a custom namespace, specify that namespace as ``-n <NAMESPACE>``.
You can verify the currently installed Operator version by retrieving the object specification for an operator pod in the namespace.
The following example uses the ``jq`` tool to filter the necessary information from ``kubectl``:
.. code-block:: shell
:class: copyable
kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers'
The output resembles the following:
.. code-block:: json
:emphasize-lines: 8-10
:substitutions:
{
"env": [
{
"name": "CLUSTER_DOMAIN",
"value": "cluster.local"
"env": [
{
"name": "CLUSTER_DOMAIN",
"value": "cluster.local"
}
],
"image": "minio/operator:v|operator-version-stable|",
"imagePullPolicy": "IfNotPresent",
"name": "minio-operator"
}
],
"image": "minio/operator:v4.5.8",
"imagePullPolicy": "IfNotPresent",
"name": "minio-operator"
}
3. Download the latest stable version of the MinIO Kubernetes Plugin
3. Download the latest stable version of the MinIO Kubernetes Plugin
.. include:: /includes/k8s/install-minio-kubectl-plugin.rst
.. include:: /includes/k8s/install-minio-kubectl-plugin.rst
4. Run the initialization command to upgrade the Operator
4. Run the initialization command to upgrade the Operator
Use the :mc-cmd:`kubectl minio init` command to upgrade the existing MinIO Operator installation
Use the :mc-cmd:`kubectl minio init` command to upgrade the existing MinIO Operator installation:
.. code-block:: shell
:class: copyable
.. code-block:: shell
:class: copyable
kubectl minio init
kubectl minio init
5. Validate the Operator upgrade
5. Validate the Operator upgrade
You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step.
.. include:: /includes/common/common-k8s-connect-operator-console.rst
.. tab-item:: Upgrade using Helm
The following procedure upgrades an existing MinIO Operator Installation using Helm.
If you installed the Operator using :ref:`the MinIO Kubernetes Plugin <deploy-operator-kubernetes>`, use the :guilabel:`Upgrade using MinIO Kubernetes Plugin` instructions instead.
1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version.
Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements.
Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants.
See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants.
#. Verify the existing Operator installation.
Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services.
If you installed the Operator to a custom namespace, specify that namespace as ``-n <NAMESPACE>``.
Use the ``helm list`` command to view the installed charts in the namespace:
.. code-block:: shell
:class: copyable
helm list -n minio-operator
The result should resemble the following:
.. code-block:: shell
:class: copyable
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
operator minio-operator 1 2023-11-01 15:49:54.539724775 -0400 EDT deployed operator-5.0.x v5.0.x
#. Update the Operator Repository
Use ``helm repo update minio-operator`` to update the MinIO Operator repo.
If you set a different alias for the MinIO Operator repository, specify that to the command.
You can use ``helm repo list`` to review your installed repositories.
Use ``helm search`` to check the latest available chart version after updating the Operator Repo:
.. code-block:: shell
:class: copyable
helm search repo minio-operator
The response should resemble the following:
.. code-block:: shell
:class: copyable
:substitutions:
NAME CHART VERSION APP VERSION DESCRIPTION
minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator
minio-operator/operator |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator
minio-operator/tenant |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator
The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances.
#. Run ``helm upgrade``
Helm uses the latest chart to upgrade the MinIO Operator:
.. code-block:: shell
:class: copyable
helm upgrade -n minio-operator \
operator minio-operator/operator
If you installed the MinIO Operator to a different namespace, specify that to the ``-n`` argument.
If you used a different installation name from ``operator``, replace the value above with the installation name.
The command results should return success with a bump in the ``REVISION`` value.
#. Validate the Operator upgrade
You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step.
.. include:: /includes/common/common-k8s-connect-operator-console.rst
You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step.
.. include:: /includes/common/common-k8s-connect-operator-console.rst
Upgrade MinIO Operator 4.2.3 through 4.5.7 to 4.5.8
---------------------------------------------------

92
source/operations/install-deploy-manage/upgrade-minio-tenant.rst
View File

@ -10,27 +10,21 @@ Upgrade a MinIO Tenant
:local:
:depth: 1
Prerequisites
-------------
.. _minio-upgrade-tenant-plugin:
MinIO Kubernetes Operator and Plugin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Upgrade the Tenant using the MinIO Kubernetes Plugin
----------------------------------------------------
This procedures on this page *requires* a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator.
This procedure assumes the latest stable Operator and Plugin, version |operator-version-stable|.
The following procedure upgrades the MinIO Operator using the :mc:`kubectl minio tenant upgrade` command.
See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator.
If you deployed the Tenant using :ref:`Helm <deploy-tenant-helm>`, use the :ref:`minio-upgrade-tenant-helm` procedure instead.
Install the Plugin
~~~~~~~~~~~~~~~~~~
This procedure *requires* a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator and plugin.
This procedure assumes the latest stable Operator version |operator-version-stable|.
.. include:: /includes/k8s/install-minio-kubectl-plugin.rst
Procedure (CLI)
---------------
This procedure documents upgrading pods running on a MinIO Tenant.
See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator.
.. important::
@ -76,3 +70,73 @@ This may result in downtime until the upgrade process completes.
- Replace ``TENANT_NAMESPACE`` with the namespace of the Tenant.
See MinIO's `DockerHub Repository <https://hub.docker.com/r/minio/minio>`__ for a list of available release tags.
.. _minio-upgrade-tenant-helm:
Upgrade the Tenant using the MinIO Helm Chart
---------------------------------------------
This procedure upgrades an existing MinIO Tenant using Helm Charts.
If you deployed the Tenant using the :ref:`MinIO Kubernetes Plugin <minio-k8s-deploy-minio-tenant>`, use the :ref:`minio-upgrade-tenant-plugin` procedure instead.
1. Verify the existing MinIO Tenant installation.
Use ``kubectl get all -n TENANT_NAMESPACE`` to verify the health and status of all Tenant pods and services.
Use the ``helm list`` command to view the installed charts in the namespace:
.. code-block:: shell
:class: copyable
helm list -n TENANT_NAMESPACE
The result should resemble the following:
.. code-block:: shell
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
CHART_NAME TENANT_NAMESPACE 1 2023-11-01 15:49:58.810412732 -0400 EDT deployed tenant-5.0.x v5.0.x
#. Update the Operator Repository
Use ``helm repo update minio-operator`` to update the MinIO Operator repo.
If you set a different alias for the MinIO Operator repository, specify that to the command.
You can use ``helm repo list`` to review your installed repositories.
Use ``helm search`` to check the latest available chart version after updating the Operator Repo:
.. code-block:: shell
:class: copyable
helm search repo minio-operator
The response should resemble the following:
.. code-block:: shell
:class: copyable
:substitutions:
NAME CHART VERSION APP VERSION DESCRIPTION
minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator
minio-operator/operator |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator
minio-operator/tenant |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator
The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances.
#. Run ``helm upgrade``
Helm uses the latest chart to upgrade the Tenant:
.. code-block:: shell
:class: copyable
helm upgrade -n minio-tenant \
CHART_NAME minio-operator/tenant
The command results should return success with a bump in the ``REVISION`` value.
#. Validate the Tenant Upgrade
Check that all services and pods are online and functioning normally.

171
source/operations/network-encryption.rst
View File

@ -67,17 +67,36 @@ Enabling TLS
.. cond:: linux
By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory:
The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS.
The search location depends on your MinIO configuration:
.. code-block:: shell
.. tab-set::
${HOME}/.minio/certs
.. tab-item:: Default Path
Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory:
For deployments using :mc-cmd:`minio server --certs-dir` to set a custom TLS directory, use that directory instead of the default.
Also, if the user running the process does not have a home directory, you **must** specify a directory with ``--certs-dir``.
.. code-block:: shell
${HOME}/.minio/certs
Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process.
If that user has no home directory, use the :guilabel:`Custom Path` option instead.
.. tab-item:: Custom Path
You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter.
For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates.
.. code-block:: shell
minio server --certs-dir /opt/minio/certs ...
The user running the MinIO service *must* have read and write permissions to this directory.
Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``.
@ -85,7 +104,7 @@ Enabling TLS
.. code-block:: shell
${HOME}/.minio/certs
/path/to/certs
private.key
public.crt
@ -96,13 +115,12 @@ Enabling TLS
certgen -host "localhost,minio-*.example.net"
Place the generated ``public.crt`` and ``private.key`` into the ``/.minio/certs`` directory to enable TLS for the MinIO deployment.
Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment.
Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation.
If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``.
You may also need to update URLs used by applications or clients.
.. cond:: container
Start the MinIO container with the :mc-cmd:`minio/minio:latest server --certs-dir <minio server --certs-dir>` parameter and specify the path to a directory in which MinIO searches for certificates.
@ -250,23 +268,44 @@ Multiple Domain-Based TLS Certificates
- ``https://s3.example.net``
- ``https://minio.internal-example.net``
Create a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates.
Place the certificates in the ``/certs`` folder, creating a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates.
While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability.
Place the TLS private and public key for that domain in the subfolder.
The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``).
For example:
.. tab-set::
.. code-block:: shell
.. tab-item:: Default Certificate Path
${HOME}/.minio/certs
private.key
public.crt
s3-example.net/
private.key
public.crt
internal-example.net/
private.key
public.crt
.. code-block:: shell
${HOME}/.minio/certs
private.key
public.crt
s3-example.net/
private.key
public.crt
internal-example.net/
private.key
public.crt
.. tab-item:: Custom Certificate Path
The following example assumes the MinIO Server was started with ``--certs dir | -S /opt/minio/certs``:
.. code-block:: shell
/opt/minio/certs
private.key
public.crt
s3-example.net/
private.key
public.crt
internal-example.net/
private.key
public.crt
While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate.
Using a TLS certificate per hostname better protects each individual hostname from discovery.
@ -433,16 +472,24 @@ Third-Party Certificate Authorities
The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store.
You can place additional trusted Certificate Authority files in the following directory:
Place the CA certificates in the ``/certs/CAs`` folder.
The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``)
.. code-block:: shell
.. tab-set::
${HOME}/.minio/certs/CAs
.. tab-item:: Default Certificate Path
Where ``${HOME}`` is the home directory of the user running the MinIO Server process.
You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist.
.. code-block:: shell
For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, the server searches in the ``/CAs`` path at that specified directory.
mv myCA.crt ${HOME}/certs/CAs
.. tab-item:: Custom Certificate Path
The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``:
.. code-block:: shell
mv myCA.crt /opt/minio/certs/CAs/
Place the certificate file for each CA into the ``/CAs`` subdirectory.
Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory.
@ -505,48 +552,70 @@ Third-Party Certificate Authorities
Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory.
If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid.
Self-signed, Internal, and Private Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Certificates
------------------------------------------------------------------------------------------
.. cond:: not k8s
For certificates signed by a non-global Certificate Authority, place the appropriate `X.509 <https://en.wikipedia.org/wiki/X.509>`__ CA certificate in a ``{HOME}/.minio/CAs`` directory:
If using Certificates signed by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the MinIO Server.
If the MinIO server does not have the necessary CAs, it may return warnings or errors related to TLS validation when connecting to other services.
.. code-block:: shell
Place the CA certificates in the ``/certs/CAs`` folder.
The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``)
${HOME}/.minio/CAs
myCA.crt
.. tab-set::
.. tab-item:: Default Certificate Path
.. code-block:: shell
mv myCA.crt ${HOME}/certs/CAs
.. tab-item:: Custom Certificate Path
The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``:
.. code-block:: shell
mv myCA.crt /opt/minio/certs/CAs/
For a self-signed certificate, the Certificate Authority is typically the private key used to sign the cert.
For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert.
A non-global CA must include the full chain of trust from the intermediate certificate to the root.
If the provided file is not an X.509 cert, MinIO ignores the file and does not enable TLS.
If the provided file is not an X.509 certificate, MinIO ignores it and may return errors for validating certificates signed by that CA.
.. cond:: k8s
To use certificates generated by a private Certificate Authority, configure MinIO Operator to trust the TLS connections to the tenants:
If deploying MinIO Tenants with certificates minted by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the Operator to ensure it can trust those certificates.
#. Create a secret named ``operator-ca-tls`` in the ``minio-operator`` namespace if one does not already exist.
#. Add a ``ca.crt`` key to this secret with the public certificate for your internal CA.
If ``operator-ca-tls`` already contains external CAs, append the new CA to the existing secret.
#. Add the secret in an ``externalCaCertSecret`` property in the :ref:`Tenant YAML configuration <create-tenant-cli-determine-additional-options>`:
The Operator may log warnings related to TLS cert validation for Tenants deployed with untrusted certificates.
The following procedure attaches a secret containing the ``public.crt`` of the Certificate Authority to the MinIO Operator.
You can specify multiple CAs in a single certificate, as long as you maintain the ``BEGIN`` and ``END`` delimiters as-is.
1. Create the ``operator-ca-tls`` secret
The following creates a Kubernetes secret in the MinIO Operator namespace (``minio-operator``).
.. code-block:: shell
:class: copyable
spec:
externalCaCertSecret:
- name: operator-ca-tls
type: kubernetes.io/tls
kubectl create secret generic operator-ca-tls \
--from-file=public.crt -n minio-operator
The ``public.crt`` file must correspond to a valid TLS certificate containing one or more CA definitions.
2. Restart the Operator
Once created, you must restart the Operator to load the new CAs:
.. code-block:: shell
:class: copyable
kubectl rollout restart deployments.apps/minio-operator -n minio-operator
Once the secret is created, Operator creates a copy in each tenant namespace and mounts its certificates in the tenant pods at ``/tmp/certs/CAs/``.
If the ``operator-ca-tls`` secret is updated, Operator replicates the new secret to the corresponding copies in the tenant namespaces.
Operator replicates changes in the following files:
- ``public.crt``
- ``tls.crt``
- ``ca.crt``

46
source/reference/operator-chart-values.rst Normal file
View File

@ -0,0 +1,46 @@
.. _minio-operator-chart-values:
===============================
Operator and Tenant Helm Charts
===============================
.. default-domain:: minio
.. contents:: Table of Contents
:local:
:depth: 1
MinIO publishes `Helm Charts <https://github.com/minio/operator/tree/v5.0.10/helm>`__ for the MinIO Operator and Tenants.
You can use these charts to deploy the MinIO Operator and managed Tenants through Helm.
The following page documents the ``values.yaml`` for each chart.
.. _minio-operator-chart-operator-values:
MinIO Operator Chart
--------------------
.. tab-set::
.. tab-item:: Reference
.. autoyaml:: /source/includes/k8s/operator-values.yaml
.. tab-item:: YAML
.. literalinclude:: /includes/k8s/operator-values.yaml
.. _minio-operator-chart-tenant-values:
MinIO Tenant Chart
------------------
.. tab-set::
.. tab-item:: Reference
.. autoyaml:: /source/includes/k8s/tenant-values.yaml
.. tab-item:: YAML
.. literalinclude:: /includes/k8s/tenant-values.yaml

8
source/url-excludes.yaml
View File

@ -8,6 +8,7 @@ excludes:
- 'operations/install-deploy-manage/upgrade-minio-operator.rst'
- 'operations/install-deploy-manage/delete-minio-tenant.rst'
- 'operations/install-deploy-manage/minio-operator-console.rst'
- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst'
- 'operations/deploy-manage-tenants.rst'
- 'developers/sts-for-operator.rst'
- 'reference/kubectl-minio-plugin.rst'
@ -24,6 +25,7 @@ excludes:
- 'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst'
- 'reference/kubectl-minio-plugin/kubectl-minio-version.rst'
- 'reference/operator-crd.rst'
- 'reference/operator-chart-values.rst'
---
tag: macos
excludes:
@ -35,12 +37,14 @@ excludes:
- 'operations/install-deploy-manage/upgrade-minio-operator.rst'
- 'operations/install-deploy-manage/delete-minio-tenant.rst'
- 'operations/install-deploy-manage/minio-operator-console.rst'
- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst'
- 'operations/deploy-manage-tenants.rst'
- 'reference/kubectl-minio-plugin*'
- 'reference/minio-server*'
- 'reference/minio-mc*'
- 'reference/deprecated/*'
- 'reference/operator-crd.rst'
- 'reference/operator-chart-values.rst'
- 'developers/*'
- 'integrations/*'
---
@ -64,12 +68,14 @@ excludes:
- 'operations/install-deploy-manage/upgrade-minio-operator.rst'
- 'operations/install-deploy-manage/delete-minio-tenant.rst'
- 'operations/install-deploy-manage/minio-operator-console.rst'
- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst'
- 'operations/deploy-manage-tenants.rst'
- 'reference/kubectl-minio-plugin*'
- 'reference/minio-server*'
- 'reference/minio-mc*'
- 'reference/deprecated/*'
- 'reference/operator-crd.rst'
- 'reference/operator-chart-values.rst'
- 'developers/*'
- 'integrations/*'
---
@ -88,11 +94,13 @@ excludes:
- 'operations/install-deploy-manage/decommission-server-pool.rst'
- 'operations/install-deploy-manage/expand-minio-deployment.rst'
- 'operations/deploy-manage-tenants.rst'
- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst'
- 'reference/kubectl-minio-plugin*'
- 'reference/minio-server*'
- 'reference/minio-mc*'
- 'reference/deprecated/*'
- 'reference/operator-crd.rst'
- 'reference/operator-chart-values.rst'
- 'developers/*'
- 'integrations/*'
---