cscott/minio
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
Conan Scott
2025-12-09 15:29:12 +11:00
commit c8a9829eb8
29 changed files with 2951 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
templates/NOTES.txt Normal file
View File

@@ -0,0 +1,43 @@
{{- if eq .Values.service.type "ClusterIP" "NodePort" }}
MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.{{ .Values.clusterDomain }}
To access MinIO from localhost, run the below commands:
1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }}
Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/
You can now access MinIO server on http://localhost:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}-local
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
MinIO can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by:
kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }}
Note that the public IP may take a couple of minutes to be available.
You can now access MinIO server on http://<External-IP>:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret {{ template "minio.secretName" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@<External-IP>:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}
Alternately, you can use your browser or the MinIO SDK to access the server - https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
{{- end }}
{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{ template "minio.fullname" . }}-client=true"
will be able to connect to this minio cluster.
{{- end }}

122
templates/_helper_create_bucket.txt Normal file
View File

@@ -0,0 +1,122 @@
#!/bin/sh
set -e # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0
LIMIT=29 # Allow 30 attempts
set -e # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser)
SECRET=$(cat /config/rootPassword)
set +e # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT"
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET"
$MC_COMMAND
STATUS=$?
until [ $STATUS = 0 ]; do
ATTEMPTS=$(expr $ATTEMPTS + 1)
echo \"Failed attempts: $ATTEMPTS\"
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1
fi
sleep 2 # 1 second intervals between attempts
$MC_COMMAND
STATUS=$?
done
set -e # reset `e` as active
return 0
}
# checkBucketExists ($bucket)
# Check if the bucket exists, by using the exit code of `mc ls`
checkBucketExists() {
BUCKET=$1
CMD=$(${MC} stat myminio/$BUCKET >/dev/null 2>&1)
return $?
}
# createBucket ($bucket, $policy, $purge)
# Ensure bucket exists, purging if asked to
createBucket() {
BUCKET=$1
POLICY=$2
PURGE=$3
VERSIONING=$4
OBJECTLOCKING=$5
# Purge the bucket, if set & exists
# Since PURGE is user input, check explicitly for `true`
if [ $PURGE = true ]; then
if checkBucketExists $BUCKET; then
echo "Purging bucket '$BUCKET'."
set +e # don't exit if this fails
${MC} rm -r --force myminio/$BUCKET
set -e # reset `e` as active
else
echo "Bucket '$BUCKET' does not exist, skipping purge."
fi
fi
# Create the bucket if it does not exist and set objectlocking if enabled (NOTE: versioning will be not changed if OBJECTLOCKING is set because it enables versioning to the Buckets created)
if ! checkBucketExists $BUCKET; then
if [ ! -z $OBJECTLOCKING ]; then
if [ $OBJECTLOCKING = true ]; then
echo "Creating bucket with OBJECTLOCKING '$BUCKET'"
${MC} mb --with-lock myminio/$BUCKET
elif [ $OBJECTLOCKING = false ]; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
fi
elif [ -z $OBJECTLOCKING ]; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
else
echo "Bucket '$BUCKET' already exists."
fi
fi
# set versioning for bucket if objectlocking is disabled or not set
if [ $OBJECTLOCKING = false ]; then
if [ ! -z $VERSIONING ]; then
if [ $VERSIONING = true ]; then
echo "Enabling versioning for '$BUCKET'"
${MC} version enable myminio/$BUCKET
elif [ $VERSIONING = false ]; then
echo "Suspending versioning for '$BUCKET'"
${MC} version suspend myminio/$BUCKET
fi
fi
else
echo "Bucket '$BUCKET' versioning unchanged."
fi
# At this point, the bucket should exist, skip checking for existence
# Set policy on the bucket
echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
${MC} anonymous set $POLICY myminio/$BUCKET
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.buckets }}
{{ $global := . }}
# Create the buckets
{{- range .Values.buckets }}
createBucket {{ tpl .name $global }} {{ .policy | default "none" | quote }} {{ .purge | default false }} {{ .versioning | default false }} {{ .objectlocking | default false }}
{{- end }}
{{- end }}

75
templates/_helper_create_policy.txt Normal file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkPolicyExists ($policy)
# Check if the policy exists, by using the exit code of `mc admin policy info`
checkPolicyExists() {
POLICY=$1
CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
return $?
}
# createPolicy($name, $filename)
createPolicy () {
NAME=$1
FILENAME=$2
# Create the name if it does not exist
echo "Checking policy: $NAME (in /config/$FILENAME.json)"
if ! checkPolicyExists $NAME ; then
echo "Creating policy '$NAME'"
else
echo "Policy '$NAME' already exists."
fi
${MC} admin policy create myminio $NAME /config/$FILENAME.json
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.policies }}
# Create the policies
{{- range $idx, $policy := .Values.policies }}
createPolicy {{ $policy.name }} policy_{{ $idx }}
{{- end }}
{{- end }}

106
templates/_helper_create_svcacct.txt Normal file
View File

@@ -0,0 +1,106 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 2 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkSvcacctExists ()
# Check if the svcacct exists, by using the exit code of `mc admin user svcacct info`
checkSvcacctExists() {
CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createSvcacct ($user)
createSvcacct () {
USER=$1
FILENAME=$2
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the svcacct if it does not exist
if ! checkSvcacctExists ; then
echo "Creating svcacct '$SVCACCT'"
# Check if policy file is define
if [ -z $FILENAME ]; then
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
else
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER
fi
else
echo "Svcacct '$SVCACCT' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.svcaccts }}
{{ $global := . }}
# Create the svcaccts
{{- range $idx, $svc := .Values.svcaccts }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets-svc/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
echo >> $MINIO_ACCESSKEY_SECRETKEY_TMP
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- end }}
{{- if $svc.policy}}
createSvcacct {{ .user }} svc_policy_{{ $idx }}
{{ else }}
createSvcacct {{ .user }}
{{- end }}
{{- end }}
{{- end }}

107
templates/_helper_create_user.txt Normal file
View File

@@ -0,0 +1,107 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkUserExists ()
# Check if the user exists, by using the exit code of `mc admin user info`
checkUserExists() {
CMD=$(${MC} admin user info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createUser ($policy)
createUser() {
POLICY=$1
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the user if it does not exist
if ! checkUserExists ; then
echo "Creating user '$USER'"
cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio
else
echo "User '$USER' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
# set policy for user
if [ ! -z $POLICY -a $POLICY != " " ] ; then
echo "Adding policy '$POLICY' for '$USER'"
set +e ; # policy already attach errors out, allow it.
${MC} admin policy attach myminio $POLICY --user=$USER
set -e
else
echo "User '$USER' has no policy attached."
fi
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.users }}
{{ $global := . }}
# Create the users
{{- range .Values.users }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
echo >> $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{- end }}
{{- end }}
{{- end }}

58
templates/_helper_custom_command.txt Normal file
View File

@@ -0,0 +1,58 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# runCommand ($@)
# Run custom mc command
runCommand() {
${MC} "$@"
return $?
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.customCommands }}
# Run custom commands
{{- range .Values.customCommands }}
runCommand {{ .command }}
{{- end }}
{{- end }}

28
templates/_helper_policy.tpl Normal file
View File

@@ -0,0 +1,28 @@
{{- $statements_length := len .statements -}}
{{- $statements_length := sub $statements_length 1 -}}
{
"Version": "2012-10-17",
"Statement": [
{{- range $i, $statement := .statements }}
{
"Effect": "{{ $statement.effect | default "Allow" }}",
"Action": [
"{{ $statement.actions | join "\",\n\"" }}"
]{{ if $statement.resources }},
"Resource": [
"{{ $statement.resources | join "\",\n\"" }}"
]{{ end }}
{{- if $statement.conditions }}
{{- $condition_len := len $statement.conditions }}
{{- $condition_len := sub $condition_len 1 }}
,
"Condition": {
{{- range $k,$v := $statement.conditions }}
{{- range $operator,$object := $v }}
"{{ $operator }}": { {{ $object }} }{{- if lt $k $condition_len }},{{- end }}
{{- end }}{{- end }}
}{{- end }}
}{{ if lt $i $statements_length }},{{end }}
{{- end }}
]
}

218
templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,218 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "minio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "minio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "minio.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "minio.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.Version -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare ">=1.7-0, <1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else if semverCompare "^1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "minio.deployment.apiVersion" -}}
{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "minio.statefulset.apiVersion" -}}
{{- if semverCompare "<1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "minio.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for console ingress.
*/}}
{{- define "minio.consoleIngress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Determine secret name.
*/}}
{{- define "minio.secretName" -}}
{{- if .Values.existingSecret -}}
{{- .Values.existingSecret }}
{{- else -}}
{{- include "minio.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Determine name for scc role and rolebinding
*/}}
{{- define "minio.sccRoleName" -}}
{{- printf "%s-%s" "scc" (include "minio.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Properly format optional additional arguments to MinIO binary
*/}}
{{- define "minio.extraArgs" -}}
{{- range .Values.extraArgs -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "minio.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- end -}}
{{/*
Formats volumeMount for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
mountPath: {{ $casPath }}
{{- end }}
{{- end -}}
{{/*
Formats volume for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolume" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
secret:
secretName: {{ tpl .Values.tls.certSecret $ }}
items:
- key: {{ .Values.tls.publicCrt }}
path: public.crt
- key: {{ .Values.tls.privateKey }}
path: private.key
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
- name: trusted-cert-secret-volume
secret:
secretName: {{ $certSecret }}
{{- if ne $publicCrt "" }}
items:
- key: {{ $publicCrt }}
path: public.crt
{{- end }}
{{- end }}
{{- end -}}
{{/*
Returns the available value for certain key in an existing secret (if it exists),
otherwise it generates a random value.
*/}}
{{- define "minio.getValueFromSecret" }}
{{- $len := (default 16 .Length) | int -}}
{{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}}
{{- if $obj }}
{{- index $obj .Key | b64dec -}}
{{- else -}}
{{- randAlphaNum $len -}}
{{- end -}}
{{- end }}
{{- define "minio.root.username" -}}
{{- if .Values.rootUser }}
{{- .Values.rootUser | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser") }}
{{- end }}
{{- end -}}
{{- define "minio.root.password" -}}
{{- if .Values.rootPassword }}
{{- .Values.rootPassword | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 40 "Key" "rootPassword") }}
{{- end }}
{{- end -}}

33
templates/ciliumnetworkpolicy.yaml Normal file
View File

@@ -0,0 +1,33 @@
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "cilium") }}
kind: CiliumNetworkPolicy
apiVersion: cilium.io/v2
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
endpointSelector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
ingress:
- toPorts:
- ports:
- port: "{{ .Values.minioAPIPort }}"
protocol: TCP
- port: "{{ .Values.minioConsolePort }}"
protocol: TCP
{{- if not .Values.networkPolicy.allowExternal }}
fromEndpoints:
- matchLabels:
{{ template "minio.name" . }}-client: "true"
{{- end }}
egress:
{{- range $entity := .Values.networkPolicy.egressEntities }}
- toEntities:
- {{ $entity }}
{{- end }}
{{- end }}

32
templates/configmap.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
initialize: |-
{{- include (print $.Template.BasePath "/_helper_create_bucket.txt") . | nindent 4 }}
add-user: |-
{{- include (print $.Template.BasePath "/_helper_create_user.txt") . | nindent 4 }}
add-policy: |-
{{- include (print $.Template.BasePath "/_helper_create_policy.txt") . | nindent 4 }}
{{- range $idx, $policy := .Values.policies }}
# Policy: {{ $policy.name }}
policy_{{ $idx }}.json: |-
{{- include (print $.Template.BasePath "/_helper_policy.tpl") . | nindent 4 }}
{{ end }}
{{- range $idx, $svc := .Values.svcaccts }}
{{- if $svc.policy }}
# SVC: {{ $svc.accessKey }}
svc_policy_{{ $idx }}.json: |-
{{- include (print $.Template.BasePath "/_helper_policy.tpl") .policy | nindent 4 }}
{{- end }}
{{- end }}
add-svcacct: |-
{{- include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | nindent 4 }}
custom-command: |-
{{- include (print $.Template.BasePath "/_helper_custom_command.txt") . | nindent 4 }}

55
templates/console-ingress.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- if .Values.consoleIngress.enabled -}}
{{- $fullName := printf "%s-console" (include "minio.fullname" .) -}}
{{- $servicePort := .Values.consoleService.port -}}
{{- $ingressPath := .Values.consoleIngress.path -}}
apiVersion: {{ template "minio.consoleIngress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.consoleIngress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.consoleIngress.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.consoleIngress.ingressClassName }}
ingressClassName: {{ .Values.consoleIngress.ingressClassName }}
{{- end }}
{{- if .Values.consoleIngress.tls }}
tls:
{{- range .Values.consoleIngress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.consoleIngress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ tpl . $ | quote }}
{{- end }}
{{- end }}
{{- end }}

45
templates/console-service.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-console
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.consoleService.annotations }}
annotations: {{- toYaml .Values.consoleService.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.consoleService.type }}
{{- if and (eq .Values.consoleService.type "ClusterIP") .Values.consoleService.clusterIP }}
clusterIP: {{ .Values.consoleService.clusterIP }}
{{- end }}
{{- if or (eq .Values.consoleService.type "LoadBalancer") (eq .Values.consoleService.type "NodePort") }}
externalTrafficPolicy: {{ .Values.consoleService.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.consoleService.type "LoadBalancer") .Values.consoleService.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ .Values.consoleService.loadBalancerSourceRanges }}
{{ end }}
{{- if and (eq .Values.consoleService.type "LoadBalancer") (not (empty .Values.consoleService.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.consoleService.loadBalancerIP }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.consoleService.port }}
protocol: TCP
{{- if (and (eq .Values.consoleService.type "NodePort") ( .Values.consoleService.nodePort)) }}
nodePort: {{ .Values.consoleService.nodePort }}
{{- else }}
targetPort: {{ .Values.minioConsolePort }}
{{- end }}
{{- if .Values.consoleService.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.consoleService.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}

213
templates/deployment.yaml Normal file
View File

@@ -0,0 +1,213 @@
{{- if eq .Values.mode "standalone" }}
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
apiVersion: {{ template "minio.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{- toYaml .Values.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }}
{{- end }}
spec:
strategy:
type: {{ .Values.deploymentUpdate.type }}
{{- if eq .Values.deploymentUpdate.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ .Values.deploymentUpdate.maxSurge }}
maxUnavailable: {{ .Values.deploymentUpdate.maxUnavailable }}
{{- end }}
replicas: 1
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trimSuffix "\n" | nindent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
{{ omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{ if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/bin/sh"
- "-ce"
- "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }}"
volumeMounts:
- name: minio-user
mountPath: "/tmp/credentials"
readOnly: true
- name: export
mountPath: {{ .Values.mountPath }}
{{- if and .Values.persistence.enabled .Values.persistence.subPath }}
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end }}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end }}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
{{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientIdKey }}
valueFrom:
secretKeyRef:
name: {{ .Values.oidc.existingClientSecretName }}
key: {{ .Values.oidc.existingClientIdKey }}
{{- else }}
value: {{ .Values.oidc.clientId }}
{{- end }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
{{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientSecretKey }}
valueFrom:
secretKeyRef:
name: {{ .Values.oidc.existingClientSecretName }}
key: {{ .Values.oidc.existingClientSecretKey }}
{{- else }}
value: {{ .Values.oidc.clientSecret }}
{{- end }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
value: {{ .Values.oidc.displayName }}
{{- end }}
{{- if .Values.etcd.endpoints }}
- name: MINIO_ETCD_ENDPOINTS
value: {{ join "," .Values.etcd.endpoints | quote }}
{{- if .Values.etcd.clientCert }}
- name: MINIO_ETCD_CLIENT_CERT
value: "/tmp/credentials/etcd_client_cert.pem"
{{- end }}
{{- if .Values.etcd.clientCertKey }}
- name: MINIO_ETCD_CLIENT_CERT_KEY
value: "/tmp/credentials/etcd_client_cert_key.pem"
{{- end }}
{{- if .Values.etcd.pathPrefix }}
- name: MINIO_ETCD_PATH_PREFIX
value: {{ .Values.etcd.pathPrefix }}
{{- end }}
{{- if .Values.etcd.corednsPathPrefix }}
- name: MINIO_ETCD_COREDNS_PATH
value: {{ .Values.etcd.corednsPathPrefix }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ tpl $val $ | quote }}
{{- end }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
{{- with .Values.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12}}
{{- end }}
{{- end }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: export
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

55
templates/ingress.yaml Normal file
View File

@@ -0,0 +1,55 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "minio.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: {{ template "minio.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ tpl . $ | quote }}
{{- end }}
{{- end }}
{{- end }}

26
templates/networkpolicy.yaml Normal file
View File

@@ -0,0 +1,26 @@
{{- if and (.Values.networkPolicy.enabled) (eq .Values.networkPolicy.flavor "kubernetes") }}
kind: NetworkPolicy
apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
podSelector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
ingress:
- ports:
- port: {{ .Values.minioAPIPort }}
- port: {{ .Values.minioConsolePort }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "minio.name" . }}-client: "true"
{{- end }}
{{- end }}

17
templates/poddisruptionbudget.yaml Normal file
View File

@@ -0,0 +1,17 @@
{{- if .Values.podDisruptionBudget.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" }}
apiVersion: policy/v1beta1
{{- else }}
apiVersion: policy/v1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: minio
labels:
app: {{ template "minio.name" . }}
spec:
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
{{- end }}

258
templates/post-job.yaml Normal file
View File

@@ -0,0 +1,258 @@
{{- if or .Values.buckets .Values.users .Values.policies .Values.customCommands .Values.svcaccts }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "minio.fullname" . }}-post-job
labels:
app: {{ template "minio.name" . }}-post-job
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- with .Values.postJob.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app: {{ template "minio.name" . }}-job
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- if .Values.postJob.podAnnotations }}
annotations: {{- toYaml .Values.postJob.podAnnotations | nindent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- toYaml .Values.postJob.nodeSelector | nindent 8 }}
{{- end }}
{{- with .Values.postJob.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.postJob.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.postJob.securityContext.enabled }}
securityContext: {{ omit .Values.postJob.securityContext "enabled" | toYaml | nindent 12 }}
{{- end }}
volumes:
- name: etc-path
emptyDir: {}
- name: tmp
emptyDir: {}
- name: minio-configuration
projected:
sources:
- configMap:
name: {{ template "minio.fullname" . }}
- secret:
name: {{ template "minio.secretName" . }}
{{- range (concat .Values.users (default (list) .Values.svcaccts)) }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $ }}
items:
- key: {{ .existingSecretKey }}
path: secrets/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }}
{{- end }}
{{- end }}
{{- range ( default list .Values.svcaccts ) }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $ }}
items:
- key: {{ .existingSecretKey }}
path: secrets-svc/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }}
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: CAs/public.crt
{{- end }}
{{- if .Values.customCommandJob.extraVolumes }}
{{- toYaml .Values.customCommandJob.extraVolumes | nindent 8 }}
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
{{- if .Values.policies }}
initContainers:
- name: minio-make-policy
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makePolicyJob.securityContext.enabled }}
{{- with .Values.makePolicyJob.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makePolicyJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-policy; EV=$?; {{ .Values.makePolicyJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-policy" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makePolicyJob.resources | nindent 12 }}
{{- end }}
containers:
{{- if .Values.buckets }}
- name: minio-make-bucket
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeBucketJob.securityContext.enabled }}
{{- with .Values.makeBucketJob.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeBucketJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/initialize; EV=$?; {{ .Values.makeBucketJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/initialize" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeBucketJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.users }}
- name: minio-make-user
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeUserJob.securityContext.enabled }}
{{- with .Values.makeUserJob.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeUserJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-user; EV=$?; {{ .Values.makeUserJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-user" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeUserJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.customCommands }}
- name: minio-custom-command
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.customCommandJob.securityContext.enabled }}
{{- with .Values.customCommandJob.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.customCommandJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/custom-command; EV=$?; {{ .Values.customCommandJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/custom-command" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
{{- if .Values.customCommandJob.extraVolumeMounts }}
{{- toYaml .Values.customCommandJob.extraVolumeMounts | nindent 12 }}
{{- end }}
resources: {{- toYaml .Values.customCommandJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.svcaccts }}
- name: minio-make-svcacct
image: "{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeServiceAccountJob.securityContext.enabled }}
{{- with .Values.makeServiceAccountJob.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12 }}
{{- end }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeServiceAccountJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: ["/bin/sh /config/add-svcacct; EV=$?; {{ .Values.makeServiceAccountJob.exitCommand }} && exit $EV" ]
{{- else }}
command: ["/bin/sh", "/config/add-svcacct"]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeServiceAccountJob.resources | nindent 12 }}
{{- end }}
{{- end }}

32
templates/pvc.yaml Normal file
View File

@@ -0,0 +1,32 @@
{{- if eq .Values.mode "standalone" }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.persistence.annotations }}
annotations: {{- toYaml .Values.persistence.annotations | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- if .Values.persistence.volumeName }}
volumeName: "{{ .Values.persistence.volumeName }}"
{{- end }}
{{- end }}
{{- end }}

21
templates/secrets.yaml Normal file
View File

@@ -0,0 +1,21 @@
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "minio.secretName" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
rootUser: {{ include "minio.root.username" . | b64enc | quote }}
rootPassword: {{ include "minio.root.password" . | b64enc | quote }}
{{- if .Values.etcd.clientCert }}
etcd_client.crt: {{ .Values.etcd.clientCert | toString | b64enc | quote }}
{{- end }}
{{- if .Values.etcd.clientCertKey }}
etcd_client.key: {{ .Values.etcd.clientCertKey | toString | b64enc | quote }}
{{- end }}
{{- end }}

45
templates/securitycontextconstraints.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
readOnlyRootFilesystem: false
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
type: MustRunAs
ranges:
- max: {{ .Values.securityContext.fsGroup }}
min: {{ .Values.securityContext.fsGroup }}
runAsUser:
type: MustRunAs
uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- end }}

46
templates/service.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
monitoring: "true"
{{- if .Values.service.annotations }}
annotations: {{- toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
{{ end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ default "" .Values.service.loadBalancerIP | quote }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- else }}
targetPort: {{ .Values.minioAPIPort }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.service.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}

6
templates/serviceaccount.yaml Normal file
View File

@@ -0,0 +1,6 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name | quote }}
{{- end }}

112
templates/servicemonitor.yaml Normal file
View File

@@ -0,0 +1,112 @@
{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.includeNode }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "minio.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.annotations }}
annotations: {{- toYaml .Values.metrics.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- if .Values.tls.enabled }}
- port: https
scheme: https
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{- else }}
- port: http
scheme: http
{{- end }}
path: /minio/v2/metrics/node
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigs }}
{{- toYaml .Values.metrics.serviceMonitor.relabelConfigs | nindent 6 }}
{{- end }}
{{- if not .Values.metrics.serviceMonitor.public }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
app: {{ include "minio.name" . }}
release: {{ .Release.Name }}
monitoring: "true"
{{- end }}
{{- if .Values.metrics.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: {{ template "minio.fullname" . }}-cluster
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
spec:
jobName: {{ template "minio.fullname" . }}
{{- if .Values.tls.enabled }}
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{- end }}
prober:
url: {{ template "minio.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}
path: /minio/v2/metrics/cluster
{{- if .Values.tls.enabled }}
scheme: https
{{- else }}
scheme: http
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigsCluster }}
{{- toYaml .Values.metrics.serviceMonitor.relabelConfigsCluster | nindent 2 }}
{{- end }}
targets:
staticConfig:
static:
- {{ template "minio.fullname" . }}.{{ .Release.Namespace }}
{{- if not .Values.metrics.serviceMonitor.public }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
{{- end }}

267
templates/statefulset.yaml Normal file
View File

@@ -0,0 +1,267 @@
{{- if eq .Values.mode "distributed" }}
{{ $poolCount := .Values.pools | int }}
{{ $nodeCount := .Values.replicas | int }}
{{ $replicas := mul $poolCount $nodeCount }}
{{ $drivesPerNode := .Values.drivesPerNode | int }}
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
{{ $mountPath := .Values.mountPath }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
{{ $subPath := .Values.persistence.subPath }}
{{ $penabled := .Values.persistence.enabled }}
{{ $accessMode := .Values.persistence.accessMode }}
{{ $storageClass := .Values.persistence.storageClass }}
{{ $psize := .Values.persistence.size }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-svc
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
publishNotReadyAddresses: true
clusterIP: None
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
targetPort: {{ .Values.minioAPIPort }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
---
apiVersion: {{ template "minio.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{- toYaml .Values.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }}
{{- end }}
spec:
updateStrategy:
type: {{ .Values.statefulSetUpdate.updateStrategy }}
podManagementPolicy: "Parallel"
serviceName: {{ template "minio.fullname" . }}-svc
replicas: {{ $replicas }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
{{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: [
"/bin/sh",
"-ce",
"/usr/bin/docker-entrypoint.sh minio server {{- range $i := until $poolCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{ else }}{{ $bucketRoot }}{{end }}{{- end }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template `minio.extraArgs` . }}"
]
volumeMounts:
{{- if $penabled }}
{{- if (gt $drivesPerNode 1) }}
{{- range $i := until $drivesPerNode }}
- name: export-{{ $i }}
mountPath: {{ $mountPath }}-{{ $i }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- else }}
- name: export
mountPath: {{ $mountPath }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end }}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end }}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
{{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientIdKey }}
valueFrom:
secretKeyRef:
name: {{ .Values.oidc.existingClientSecretName }}
key: {{ .Values.oidc.existingClientIdKey }}
{{- else }}
value: {{ .Values.oidc.clientId }}
{{- end }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
{{- if and .Values.oidc.existingClientSecretName .Values.oidc.existingClientSecretKey }}
valueFrom:
secretKeyRef:
name: {{ .Values.oidc.existingClientSecretName }}
key: {{ .Values.oidc.existingClientSecretKey }}
{{- else }}
value: {{ .Values.oidc.clientSecret }}
{{- end }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_DISPLAY_NAME
value: {{ .Values.oidc.displayName }}
{{- end }}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ tpl $val $ | quote }}
{{- end }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
{{- with .Values.containerSecurityContext }}
securityContext: {{ toYaml . | nindent 12}}
{{- end }}
{{- end }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if and (gt $replicas 1) (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "19") }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
volumes:
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
{{- if gt $drivesPerNode 1 }}
{{- range $diskId := until $drivesPerNode}}
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: export-{{ $diskId }}
{{- if $.Values.persistence.annotations }}
annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- else }}
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: export
{{- if $.Values.persistence.annotations }}
annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- end }}
{{- end }}