-
Notifications
You must be signed in to change notification settings - Fork 440
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add kustomize support for MinIOInstance (#168)
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
- Loading branch information
Showing
21 changed files
with
280 additions
and
24 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: kes-config | ||
type: Opaque | ||
stringData: | ||
server-config.yaml: |- | ||
address: 0.0.0.0:7373 | ||
root: _ # Effectively disabled since no root identity necessary. | ||
tls: | ||
key: /home/server.key # Path to the TLS private key | ||
cert: /home/server.crt # Path to the TLS certificate | ||
proxy: | ||
identities: [] | ||
header: | ||
cert: X-Tls-Client-Cert | ||
policy: | ||
my-policy: | ||
paths: | ||
- /v1/key/create/* | ||
- /v1/key/generate/* | ||
- /v1/key/decrypt/* | ||
identities: | ||
- ${MINIO_ID} | ||
cache: | ||
expiry: | ||
any: 5m0s | ||
unused: 20s | ||
log: | ||
error: on | ||
audit: off | ||
keys: | ||
fs: | ||
path: "/kes" # Path to directory. Keys will be stored as files. Not Recommended for Production. | ||
# vault: | ||
# endpoint: "" # The Vault endpoint - e.g. https://127.0.0.1:8200 | ||
# namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html | ||
# prefix: "" # An optional K/V prefix. The server will store keys under this prefix. | ||
# approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html | ||
# id: "" # Your AppRole Role ID | ||
# secret: "" # Your AppRole Secret ID | ||
# retry: 15s # Duration until the server tries to re-authenticate after connection loss. | ||
# tls: # The Vault client TLS configuration for mTLS authentication and certificate verification | ||
# key: "" # Path to the TLS client private key for mTLS authentication to Vault | ||
# cert: "" # Path to the TLS client certificate for mTLS authentication to Vailt | ||
# ca: "" # Path to one or multiple PEM root CA certificates | ||
# status: # Vault status configuration. The server will periodically reach out to Vault to check its status. | ||
# ping: 10s # Duration until the server checks Vault's status again. | ||
# aws: | ||
# # The AWS SecretsManager key store. The server will store | ||
# # secret keys at the AWS SecretsManager encrypted with | ||
# # AWS-KMS. See: https://aws.amazon.com/secrets-manager | ||
# secretsmanager: | ||
# endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com | ||
# region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 | ||
# kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. | ||
# credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. | ||
# accesskey: "" # Your AWS Access Key | ||
# secretkey: "" # Your AWS Secret Key | ||
# token: "" # Your AWS session token (usually optional) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
namespace: minio | ||
configurations: | ||
- kustomizeconfig/minioinstance.yaml | ||
|
||
# Configure tenant name, volumes per server, capacity per volume and storage class | ||
configMapGenerator: | ||
- name: minio-storage | ||
literals: | ||
- tenant="minio-tenant1" | ||
- volumesPerServer=4 | ||
- capacity="5Ti" | ||
- storageClass="" | ||
- zones="rack1:4" | ||
|
||
# Configure repo and tag of MinIO, MCS & KES Image | ||
images: | ||
- name: minio/minio | ||
newName: minio/minio | ||
newTag: RELEASE.2020-07-14T19-14-30Z | ||
- name: minio/mcs | ||
newName: minio/mcs | ||
newTag: v0.2.0 | ||
- name: minio/kes | ||
newName: minio/kes | ||
newTag: v0.10.1 | ||
|
||
# Configure the Namespace | ||
patchesJson6902: | ||
- target: | ||
version: v1 | ||
kind: Namespace | ||
name: minio | ||
patch: |- | ||
- op: replace | ||
path: /metadata/name | ||
value: "minio" | ||
vars: | ||
- name: NAME | ||
objref: | ||
kind: ConfigMap | ||
name: minio-storage | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: data.tenant | ||
- name: ZONES | ||
objref: | ||
kind: ConfigMap | ||
name: minio-storage | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: data.zones | ||
- name: VOLUMES_PER_SERVER | ||
objref: | ||
kind: ConfigMap | ||
name: minio-storage | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: data.volumesPerServer | ||
- name: CAPACITY | ||
objref: | ||
kind: ConfigMap | ||
name: minio-storage | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: data.capacity | ||
- name: STORAGE_CLASS | ||
objref: | ||
kind: ConfigMap | ||
name: minio-storage | ||
apiVersion: v1 | ||
fieldref: | ||
fieldpath: data.storageClass | ||
|
||
|
||
resources: | ||
- namespace.yaml | ||
- mcs-secret.yaml | ||
- kes-secret.yaml | ||
- minio-secret.yaml | ||
- minio-service.yaml | ||
- minio-tenant.yaml |
19 changes: 19 additions & 0 deletions
19
minioinstance-kustomize/kustomizeconfig/minioinstance.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
images: | ||
- path: spec/mcs/image | ||
kind: MinIOInstance | ||
- path: spec/kes/image | ||
kind: MinIOInstance | ||
- path: spec/image | ||
kind: MinIOInstance | ||
|
||
varReference: | ||
- path: metadata/name | ||
kind: MinIOInstance | ||
- path: spec/volumesPerServer | ||
kind: MinIOInstance | ||
- path: spec/volumeClaimTemplate/spec/resources/requests/storage | ||
kind: MinIOInstance | ||
- path: spec/volumeClaimTemplate/spec/storageClassName | ||
kind: MinIOInstance | ||
- path: spec/zones | ||
kind: MinIOInstance |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: mcs-secret | ||
type: Opaque | ||
data: | ||
MCS_HMAC_JWT_SECRET: WU9VUkpXVFNJR05JTkdTRUNSRVQ= # base 64 encoded "YOURJWTSIGNINGSECRET" (echo -n 'YOURJWTSIGNINGSECRET' | base64) | ||
MCS_PBKDF_PASSPHRASE: U0VDUkVU # base 64 encoded "SECRET" (echo -n 'SECRET' | base64) | ||
MCS_PBKDF_SALT: U0VDUkVU # base 64 encoded "SECRET" (echo -n 'SECRET' | base64) | ||
MCS_ACCESS_KEY: WU9VUk1DU0FDQ0VTUw== # base 64 encoded "YOURMCSACCESS" (echo -n 'YOURMCSACCESS' | base64) | ||
MCS_SECRET_KEY: WU9VUk1DU1NFQ1JFVA== # base 64 encoded "YOURMCSSECRET" (echo -n 'YOURMCSSECRET' | base64) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: minio-creds-secret | ||
type: Opaque | ||
data: | ||
accesskey: bWluaW8= # base 64 encoded "minio" (echo -n 'minio' | base64) | ||
secretkey: bWluaW8xMjM= # based 64 encoded "minio123" (echo -n 'minio123' | base64) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: minio-service | ||
spec: | ||
type: ClusterIP | ||
ports: | ||
- port: 9000 | ||
targetPort: 9000 | ||
protocol: TCP | ||
# Optional field | ||
# By default and for convenience, the Kubernetes control plane will allocate a port from a range (default: 30000-32767) | ||
# nodePort: 30007 | ||
selector: | ||
app: minio |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
apiVersion: operator.min.io/v1 | ||
kind: MinIOInstance | ||
metadata: | ||
name: $(NAME) | ||
namespace: minio | ||
spec: | ||
metadata: | ||
labels: | ||
app: minio | ||
annotations: | ||
prometheus.io/path: /minio/prometheus/metrics | ||
prometheus.io/port: "9000" | ||
prometheus.io/scrape: "true" | ||
image: minio/minio:RELEASE.2020-07-14T19-14-30Z | ||
serviceName: minio-internal-service | ||
credsSecret: | ||
name: minio-creds-secret | ||
zones: $(ZONES) | ||
volumesPerServer: $(VOLUMES_PER_SERVER) | ||
mountPath: /export | ||
volumeClaimTemplate: | ||
metadata: | ||
name: data | ||
spec: | ||
accessModes: | ||
- ReadWriteOnce | ||
storageClassName: $(STORAGE_CLASS) | ||
resources: | ||
requests: | ||
storage: $(CAPACITY) | ||
mcs: | ||
image: minio/mcs:v0.2.0 | ||
replicas: 2 | ||
mcsSecret: | ||
name: mcs-secret | ||
metadata: | ||
labels: | ||
app: mcs | ||
kes: | ||
image: minio/kes:v0.10.1 | ||
replicas: 2 | ||
kesSecret: | ||
name: kes-config | ||
metadata: | ||
labels: | ||
app: kes | ||
requestAutoCert: true | ||
podManagementPolicy: Parallel | ||
certConfig: | ||
commonName: "" | ||
organizationName: [] | ||
dnsNames: [] | ||
liveness: | ||
initialDelaySeconds: 120 | ||
periodSeconds: 60 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: minio |
Oops, something went wrong.