[stable/minio] Add support for securityContext runAsUser and runAsGroup #17393
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: simonwgill The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Hi @simonwgill. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
ddbc804
to
ebef169
Compare
/assign @nitisht for approval |
@simonwgill: GitHub didn't allow me to assign the following users: for, approval. Note that only helm members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Should I be keeping track of the head branch, or should I wait for some level of approval of the branch as it was? |
Please fix the conflicts @simonwgill |
Only added User and Group Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
ebef169
to
ab0c6d2
Compare
/ok-to-test |
can you confirm if you have deployed this locally and it works @simonwgill |
@nitisht I had to go back and double check, but yes, it's happily running locally on my setup. |
Thank you for checking again! :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few recommendations..
stable/minio/README.md
Outdated
@@ -108,8 +108,8 @@ The following table lists the configurable parameters of the MinIO chart and the | |||
| `existingSecret` | Name of existing secret with access and secret key. | `""` | | |||
| `accessKey` | Default access key (5 to 20 characters) | `AKIAIOSFODNN7EXAMPLE` | | |||
| `secretKey` | Default secret key (8 to 40 characters) | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` | | |||
| `configPath` | Default config file location | `~/.minio` | | |||
| `configPathmc` | Default config file location for MinIO client - mc | `~/.mc` | | |||
| `configPath` | Default config file location | `/etc/minio` | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--config-dir
has been deprecated from MinIO server as of minio/minio#7033, can you please remove this option completely?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've removed the option. Haven't implemented the certs-dir functionality at this point though.
Are you expecting --certs-dir to be implemented under this ticket? That seems out of scope for what I was updating and I'm not sure how to set up any tests to handle it. Doesn't look like anyone raised the deprecation as an issue either.
stable/minio/values.yaml
Outdated
@@ -48,11 +48,18 @@ priorityClassName: "" | |||
existingSecret: "" | |||
accessKey: "AKIAIOSFODNN7EXAMPLE" | |||
secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | |||
configPath: "/root/.minio/" | |||
configPathmc: "/root/.mc/" | |||
configPath: "/etc/minio/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--config-dir
has been deprecated from MinIO server as of minio/minio#7033, can you please remove this option completely?
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
…on by minio. Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk> fix(stable/minio): Removed configDir references
5448855
to
3b212dd
Compare
Does the --cert-dir option need support adding in this PR? That seems out of scope for the original issue. |
Just ran into this myself -- what do we need to do to get the ball rolling @nitisht / @simonwgill ? -- looks like there are a couple of conflicts -- is anything else required? |
I wasn't sure if adding --cert-dir was in scope for this PR, and I've been waiting on an answer to that question from someone. Haven't looked at what's been integrated since I last rebased though. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
This issue is being automatically closed due to inactivity. |
FAO @acaleph, @minio
What this PR does / why we need it:
When the podSecurityContext does not allow runAsRoot, there was no method to configure minio to function. This PR allows consumers to use minio in this situation.
Is this a new chart?
No
Which issue this PR fixes
Special notes for your reviewer:
The configPath and configPathmc variables have been changed to use a default that doesn't rely on the active user being root.
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
[stable/chart]
)