Tyler Perkins
a198c93d0f
All checks were successful
continuous-integration/drone/push Build is passing
567 lines
19 KiB
YAML
567 lines
19 KiB
YAML
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: minio
|
|
namespace: minio-ns
|
|
annotations:
|
|
force-recreate: true
|
|
spec:
|
|
chart:
|
|
spec:
|
|
chart: minio
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: minio
|
|
namespace: flux-system
|
|
interval: 15m0s
|
|
timeout: 5m
|
|
releaseName: minio
|
|
values:
|
|
## Provide a name in place of minio for `app:` labels
|
|
##
|
|
nameOverride: ""
|
|
|
|
## Provide a name to substitute for the full names of resources
|
|
##
|
|
fullnameOverride: ""
|
|
|
|
## set kubernetes cluster domain where minio is running
|
|
##
|
|
clusterDomain: cluster.local
|
|
|
|
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
|
|
##
|
|
image:
|
|
repository: quay.io/minio/minio
|
|
tag: RELEASE.2023-09-30T07-02-29Z
|
|
pullPolicy: IfNotPresent
|
|
|
|
imagePullSecrets: []
|
|
# - name: "image-pull-secret"
|
|
|
|
## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
|
|
## client used to create a default bucket).
|
|
##
|
|
mcImage:
|
|
repository: quay.io/minio/mc
|
|
tag: RELEASE.2023-09-29T16-41-22Z
|
|
pullPolicy: IfNotPresent
|
|
|
|
## minio mode, i.e. standalone or distributed
|
|
mode: standalone ## other supported values are "standalone"
|
|
|
|
## Additional labels to include with deployment or statefulset
|
|
additionalLabels: {}
|
|
|
|
## Additional annotations to include with deployment or statefulset
|
|
additionalAnnotations: {}
|
|
|
|
## Typically the deployment/statefulset includes checksums of secrets/config,
|
|
## So that when these change on a subsequent helm install, the deployment/statefulset
|
|
## is restarted. This can result in unnecessary restarts under GitOps tooling such as
|
|
## flux, so set to "true" to disable this behaviour.
|
|
ignoreChartChecksums: false
|
|
|
|
## Additional arguments to pass to minio binary
|
|
extraArgs: []
|
|
|
|
## Additional volumes to minio container
|
|
extraVolumes: []
|
|
|
|
## Additional volumeMounts to minio container
|
|
extraVolumeMounts: []
|
|
|
|
## Additional sidecar containers
|
|
extraContainers: []
|
|
|
|
## Internal port number for MinIO S3 API container
|
|
## Change service.port to change external port number
|
|
minioAPIPort: "9000"
|
|
|
|
## Internal port number for MinIO Browser Console container
|
|
## Change consoleService.port to change external port number
|
|
minioConsolePort: "9001"
|
|
|
|
## Update strategy for Deployments
|
|
deploymentUpdate:
|
|
type: RollingUpdate
|
|
maxUnavailable: 0
|
|
maxSurge: 100%
|
|
|
|
## Update strategy for StatefulSets
|
|
statefulSetUpdate:
|
|
updateStrategy: RollingUpdate
|
|
|
|
## Pod priority settings
|
|
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
|
##
|
|
priorityClassName: ""
|
|
|
|
## Pod runtime class name
|
|
## ref https://kubernetes.io/docs/concepts/containers/runtime-class/
|
|
##
|
|
runtimeClassName: ""
|
|
|
|
## Set default rootUser, rootPassword
|
|
## AccessKey and secretKey is generated when not set
|
|
## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html
|
|
##
|
|
#rootUser: ""
|
|
#rootPassword: ""
|
|
#
|
|
|
|
## Use existing Secret that store following variables:
|
|
##
|
|
## | Chart var | .data.<key> in Secret |
|
|
## |:----------------------|:-------------------------|
|
|
## | rootUser | rootUser |
|
|
## | rootPassword | rootPassword |
|
|
##
|
|
## All mentioned variables will be ignored in values file.
|
|
## .data.rootUser and .data.rootPassword are mandatory,
|
|
## others depend on enabled status of corresponding sections.
|
|
existingSecret: "minio-default-credentials"
|
|
|
|
## Directory on the MinIO pof
|
|
certsPath: "/etc/minio/certs/"
|
|
configPathmc: "/etc/minio/mc/"
|
|
|
|
## Path where PV would be mounted on the MinIO Pod
|
|
mountPath: "/export"
|
|
## Override the root directory which the minio server should serve from.
|
|
## If left empty, it defaults to the value of {{ .Values.mountPath }}
|
|
## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
|
|
##
|
|
bucketRoot: ""
|
|
|
|
# Number of drives attached to a node
|
|
drivesPerNode: 1
|
|
# Number of MinIO containers running
|
|
replicas: 1
|
|
# Number of expanded MinIO clusters
|
|
pools: 1
|
|
|
|
## TLS Settings for MinIO
|
|
tls:
|
|
enabled: false
|
|
## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
|
|
certSecret: ""
|
|
publicCrt: public.crt
|
|
privateKey: private.key
|
|
|
|
## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities
|
|
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
|
|
## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt.
|
|
## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
|
|
trustedCertsSecret: ""
|
|
|
|
## Enable persistence using Persistent Volume Claims
|
|
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
|
|
##
|
|
persistence:
|
|
enabled: true
|
|
#annotations: {}
|
|
|
|
## A manually managed Persistent Volume and Claim
|
|
## Requires persistence.enabled: true
|
|
## If defined, PVC must be created manually before volume will be bound
|
|
#existingClaim: ""
|
|
|
|
## minio data Persistent Volume Storage Class
|
|
## If defined, storageClassName: <storageClass>
|
|
## If set to "-", storageClassName: "", which disables dynamic provisioning
|
|
## If undefined (the default) or set to null, no storageClassName spec is
|
|
## set, choosing the default provisioner. (gp2 on AWS, standard on
|
|
## GKE, AWS & OpenStack)
|
|
##
|
|
## Storage class of PV to bind. By default it looks for standard storage class.
|
|
## If the PV uses a different storage class, specify that here.
|
|
storageClass: "longhorn"
|
|
#volumeName: ""
|
|
accessMode: ReadWriteOnce
|
|
size: 30Gi
|
|
|
|
## If subPath is set mount a sub folder of a volume instead of the root of the volume.
|
|
## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs).
|
|
##
|
|
subPath: ""
|
|
|
|
## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
|
|
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
|
|
## ref: http://kubernetes.io/docs/user-guide/services/
|
|
##
|
|
service:
|
|
type: LoadBalancer
|
|
clusterIP: ~
|
|
port: "9000"
|
|
nodePort: 9000
|
|
loadBalancerIP: ~
|
|
externalIPs: []
|
|
annotations: {}
|
|
|
|
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
|
|
##
|
|
|
|
ingress:
|
|
enabled: false
|
|
ingressClassName: ~
|
|
labels: {}
|
|
# node-role.kubernetes.io/ingress: platform
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
# kubernetes.io/ingress.allow-http: "false"
|
|
# kubernetes.io/ingress.global-static-ip-name: ""
|
|
# nginx.ingress.kubernetes.io/secure-backends: "true"
|
|
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
|
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
|
|
path: /
|
|
hosts:
|
|
- minio-example.local
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - chart-example.local
|
|
|
|
consoleService:
|
|
type: LoadBalancer
|
|
clusterIP: ~
|
|
port: "9001"
|
|
nodePort: 80
|
|
loadBalancerIP: ~
|
|
externalIPs: []
|
|
annotations: {}
|
|
|
|
consoleIngress:
|
|
enabled: false
|
|
ingressClassName: ~
|
|
labels: {}
|
|
# node-role.kubernetes.io/ingress: platform
|
|
annotations: {}
|
|
# kubernetes.io/ingress.class: nginx
|
|
# kubernetes.io/tls-acme: "true"
|
|
# kubernetes.io/ingress.allow-http: "false"
|
|
# kubernetes.io/ingress.global-static-ip-name: ""
|
|
# nginx.ingress.kubernetes.io/secure-backends: "true"
|
|
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
|
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
|
|
path: /
|
|
hosts:
|
|
- console.minio-example.local
|
|
tls: []
|
|
# - secretName: chart-example-tls
|
|
# hosts:
|
|
# - chart-example.local
|
|
|
|
## Node labels for pod assignment
|
|
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
|
|
##
|
|
nodeSelector: {}
|
|
tolerations: []
|
|
affinity: {}
|
|
topologySpreadConstraints: []
|
|
|
|
## Add stateful containers to have security context, if enabled MinIO will run as this
|
|
## user and group NOTE: securityContext is only enabled if persistence.enabled=true
|
|
securityContext:
|
|
enabled: true
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
fsGroupChangePolicy: "OnRootMismatch"
|
|
|
|
# Additational pod annotations
|
|
podAnnotations: {}
|
|
|
|
# Additional pod labels
|
|
podLabels: {}
|
|
|
|
## Configure resource requests and limits
|
|
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
|
##
|
|
resources:
|
|
requests:
|
|
memory: 16Gi
|
|
|
|
## List of policies to be created after minio install
|
|
##
|
|
## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
|
|
## you can define additional policies with custom supported actions and resources
|
|
policies: []
|
|
## writeexamplepolicy policy grants creation or deletion of buckets with name
|
|
## starting with example. In addition, grants objects write permissions on buckets starting with
|
|
## example.
|
|
# - name: writeexamplepolicy
|
|
# statements:
|
|
# - effect: Allow # this is the default
|
|
# resources:
|
|
# - 'arn:aws:s3:::example*/*'
|
|
# actions:
|
|
# - "s3:AbortMultipartUpload"
|
|
# - "s3:GetObject"
|
|
# - "s3:DeleteObject"
|
|
# - "s3:PutObject"
|
|
# - "s3:ListMultipartUploadParts"
|
|
# - resources:
|
|
# - 'arn:aws:s3:::example*'
|
|
# actions:
|
|
# - "s3:CreateBucket"
|
|
# - "s3:DeleteBucket"
|
|
# - "s3:GetBucketLocation"
|
|
# - "s3:ListBucket"
|
|
# - "s3:ListBucketMultipartUploads"
|
|
## readonlyexamplepolicy policy grants access to buckets with name starting with example.
|
|
## In addition, grants objects read permissions on buckets starting with example.
|
|
# - name: readonlyexamplepolicy
|
|
# statements:
|
|
# - resources:
|
|
# - 'arn:aws:s3:::example*/*'
|
|
# actions:
|
|
# - "s3:GetObject"
|
|
# - resources:
|
|
# - 'arn:aws:s3:::example*'
|
|
# actions:
|
|
# - "s3:GetBucketLocation"
|
|
# - "s3:ListBucket"
|
|
# - "s3:ListBucketMultipartUploads"
|
|
## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only
|
|
# - name: conditionsexample
|
|
# statements:
|
|
# - resources:
|
|
# - 'arn:aws:s3:::example/*'
|
|
# actions:
|
|
# - 's3:*'
|
|
# conditions:
|
|
# - StringEquals: '"aws:username": "johndoe"'
|
|
# - IpAddress: |
|
|
# "aws:SourceIp": [
|
|
# "10.0.0.0/8",
|
|
# "192.168.0.0/24"
|
|
# ]
|
|
#
|
|
## Additional Annotations for the Kubernetes Job makePolicyJob
|
|
makePolicyJob:
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
resources:
|
|
requests:
|
|
memory: 128Mi
|
|
# Command to run after the main command on exit
|
|
exitCommand: ""
|
|
|
|
## List of users to be created after minio install
|
|
##
|
|
users:
|
|
## Username, password and policy to be assigned to the user
|
|
## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
|
|
## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management
|
|
## NOTE: this will fail if LDAP is enabled in your MinIO deployment
|
|
## make sure to disable this if you are using LDAP.
|
|
- accessKey: console
|
|
secretKey: console123
|
|
policy: consoleAdmin
|
|
# Or you can refer to specific secret
|
|
#- accessKey: externalSecret
|
|
# existingSecret: my-secret
|
|
# existingSecretKey: password
|
|
# policy: readonly
|
|
|
|
## Additional Annotations for the Kubernetes Job makeUserJob
|
|
makeUserJob:
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
resources:
|
|
requests:
|
|
memory: 128Mi
|
|
# Command to run after the main command on exit
|
|
exitCommand: ""
|
|
|
|
## List of service accounts to be created after minio install
|
|
##
|
|
svcaccts: []
|
|
## accessKey, secretKey and parent user to be assigned to the service accounts
|
|
## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
|
|
# - accessKey: console-svcacct
|
|
# secretKey: console123
|
|
# user: console
|
|
## Or you can refer to specific secret
|
|
# - accessKey: externalSecret
|
|
# existingSecret: my-secret
|
|
# existingSecretKey: password
|
|
# user: console
|
|
## You also can pass custom policy
|
|
# - accessKey: console-svcacct
|
|
# secretKey: console123
|
|
# user: console
|
|
# policy:
|
|
# statements:
|
|
# - resources:
|
|
# - 'arn:aws:s3:::example*/*'
|
|
# actions:
|
|
# - "s3:AbortMultipartUpload"
|
|
# - "s3:GetObject"
|
|
# - "s3:DeleteObject"
|
|
# - "s3:PutObject"
|
|
# - "s3:ListMultipartUploadParts"
|
|
|
|
makeServiceAccountJob:
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
resources:
|
|
requests:
|
|
memory: 128Mi
|
|
# Command to run after the main command on exit
|
|
exitCommand: ""
|
|
|
|
## List of buckets to be created after minio install
|
|
##
|
|
buckets: []
|
|
# # Name of the bucket
|
|
# - name: bucket1
|
|
# # Policy to be set on the
|
|
# # bucket [none|download|upload|public]
|
|
# policy: none
|
|
# # Purge if bucket exists already
|
|
# purge: false
|
|
# # set versioning for
|
|
# # bucket [true|false]
|
|
# versioning: false
|
|
# # set objectlocking for
|
|
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
|
|
# objectlocking: false
|
|
# - name: bucket2
|
|
# policy: none
|
|
# purge: false
|
|
# versioning: true
|
|
# # set objectlocking for
|
|
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
|
|
# objectlocking: false
|
|
|
|
## Additional Annotations for the Kubernetes Job makeBucketJob
|
|
makeBucketJob:
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
resources:
|
|
requests:
|
|
memory: 128Mi
|
|
# Command to run after the main command on exit
|
|
exitCommand: ""
|
|
|
|
## List of command to run after minio install
|
|
## NOTE: the mc command TARGET is always "myminio"
|
|
customCommands:
|
|
# - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'"
|
|
|
|
## Additional Annotations for the Kubernetes Job customCommandJob
|
|
customCommandJob:
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
resources:
|
|
requests:
|
|
memory: 128Mi
|
|
# Command to run after the main command on exit
|
|
exitCommand: ""
|
|
|
|
## Merge jobs
|
|
postJob:
|
|
podAnnotations: {}
|
|
annotations: {}
|
|
securityContext:
|
|
enabled: false
|
|
runAsUser: 1000
|
|
runAsGroup: 1000
|
|
fsGroup: 1000
|
|
nodeSelector: {}
|
|
tolerations: []
|
|
affinity: {}
|
|
|
|
## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
|
|
## when Chart is deployed
|
|
environment:
|
|
## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
|
|
## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
|
|
## MINIO_BROWSER: "off"
|
|
|
|
## The name of a secret in the same kubernetes namespace which contain secret values
|
|
## This can be useful for LDAP password, etc
|
|
## The key in the secret must be 'config.env'
|
|
##
|
|
extraSecret: ~
|
|
|
|
## OpenID Identity Management
|
|
## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider.
|
|
## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables.
|
|
oidc:
|
|
enabled: false
|
|
configUrl: "https://identity-provider-url/.well-known/openid-configuration"
|
|
clientId: "minio"
|
|
clientSecret: ""
|
|
# Provide existing client secret from the Kubernetes Secret resource, existing secret will have priority over `clientSecret`
|
|
existingClientSecretName: ""
|
|
existingClientSecretKey: ""
|
|
claimName: "policy"
|
|
scopes: "openid,profile,email"
|
|
redirectUri: "https://console-endpoint-url/oauth_callback"
|
|
# Can leave empty
|
|
claimPrefix: ""
|
|
comment: ""
|
|
|
|
networkPolicy:
|
|
enabled: false
|
|
allowExternal: true
|
|
|
|
## PodDisruptionBudget settings
|
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
|
|
##
|
|
podDisruptionBudget:
|
|
enabled: false
|
|
maxUnavailable: 1
|
|
|
|
## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
|
|
## and 'name' is left unspecified, the account 'default' will be used.
|
|
serviceAccount:
|
|
create: true
|
|
## The name of the service account to use. If 'create' is 'true', a service account with that name
|
|
## will be created.
|
|
name: "minio-sa"
|
|
|
|
metrics:
|
|
serviceMonitor:
|
|
enabled: false
|
|
# scrape each node/pod individually for additional metrics
|
|
includeNode: false
|
|
public: true
|
|
additionalLabels: {}
|
|
annotations: {}
|
|
# for node metrics
|
|
relabelConfigs: {}
|
|
# for cluster metrics
|
|
relabelConfigsCluster: {}
|
|
# metricRelabelings:
|
|
# - regex: (server|pod)
|
|
# action: labeldrop
|
|
namespace: ~
|
|
# Scrape interval, for example `interval: 30s`
|
|
interval: ~
|
|
# Scrape timeout, for example `scrapeTimeout: 10s`
|
|
scrapeTimeout: ~
|
|
|
|
## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md
|
|
## Define endpoints to enable this section.
|
|
etcd:
|
|
endpoints: []
|
|
pathPrefix: ""
|
|
corednsPathPrefix: ""
|
|
clientCert: ""
|
|
clientCertKey: ""
|