[stable/minio] Add support for securityContext runAsUser and runAsGroup #17393
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: simonwgill The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
helm-bot
added
the
size/M
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @simonwgill. Thanks for your PR. I'm waiting for a helm member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
simonwgill
force-pushed
the
simonwgill-patch-1
branch
from
ddbc804
to
ebef169
Compare
helm-bot
added
the
Contribution Allowed
|
/assign @nitisht for approval |
|
@simonwgill: GitHub didn't allow me to assign the following users: for, approval. Note that only helm members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Should I be keeping track of the head branch, or should I wait for some level of approval of the branch as it was? |
|
Please fix the conflicts @simonwgill |
Only added User and Group Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
simonwgill
force-pushed
the
simonwgill-patch-1
branch
from
ebef169
to
ab0c6d2
Compare
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
and removed
needs-ok-to-test
|
can you confirm if you have deployed this locally and it works @simonwgill |
|
@nitisht I had to go back and double check, but yes, it's happily running locally on my setup. |
|
Thank you for checking again! :) |
stable/minio/README.md
Outdated
| @@ -108,8 +108,8 @@ The following table lists the configurable parameters of the MinIO chart and the | |||
| | `existingSecret` | Name of existing secret with access and secret key. | `""` | | |||
| | `accessKey` | Default access key (5 to 20 characters) | `AKIAIOSFODNN7EXAMPLE` | | |||
| | `secretKey` | Default secret key (8 to 40 characters) | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` | | |||
| | `configPath` | Default config file location | `~/.minio` | | |||
| | `configPathmc` | Default config file location for MinIO client - mc | `~/.mc` | | |||
| | `configPath` | Default config file location | `/etc/minio` | | |||
There was a problem hiding this comment.
--config-dir has been deprecated from MinIO server as of minio/minio#7033, can you please remove this option completely?
There was a problem hiding this comment.
I've removed the option. Haven't implemented the certs-dir functionality at this point though.
Are you expecting --certs-dir to be implemented under this ticket? That seems out of scope for what I was updating and I'm not sure how to set up any tests to handle it. Doesn't look like anyone raised the deprecation as an issue either.
stable/minio/values.yaml
Outdated
| @@ -48,11 +48,18 @@ priorityClassName: "" | |||
| existingSecret: "" | |||
| accessKey: "AKIAIOSFODNN7EXAMPLE" | |||
| secretKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | |||
| configPath: "/root/.minio/" | |||
| configPathmc: "/root/.mc/" | |||
| configPath: "/etc/minio/" | |||
There was a problem hiding this comment.
--config-dir has been deprecated from MinIO server as of minio/minio#7033, can you please remove this option completely?
helm-bot
removed
the
Contribution Allowed
Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk>
…on by minio. Signed-off-by: Simon W. Gill <simon.gill@citizensadvice.org.uk> fix(stable/minio): Removed configDir references
simonwgill
force-pushed
the
simonwgill-patch-1
branch
from
5448855
to
3b212dd
Compare
helm-bot
added
the
Contribution Allowed
|
Does the --cert-dir option need support adding in this PR? That seems out of scope for the original issue. |
|
Just ran into this myself -- what do we need to do to get the ball rolling @nitisht / @simonwgill ? -- looks like there are a couple of conflicts -- is anything else required? |
|
I wasn't sure if adding --cert-dir was in scope for this PR, and I've been waiting on an answer to that question from someone. Haven't looked at what's been integrated since I last rebased though. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions. |
stale
bot
added
the
lifecycle/stale
|
This issue is being automatically closed due to inactivity. |
FAO @acaleph, @minio
What this PR does / why we need it:
When the podSecurityContext does not allow runAsRoot, there was no method to configure minio to function. This PR allows consumers to use minio in this situation.
Is this a new chart?
No
Which issue this PR fixes
Special notes for your reviewer:
The configPath and configPathmc variables have been changed to use a default that doesn't rely on the active user being root.
Checklist
[Place an '[x]' (no spaces) in all applicable fields. Please remove unrelated fields.]
[stable/chart])