Tenant Helm Charts
MinIO publishes Helm Charts for the Helm Operator Charts and the Helm Tenant Charts. You can use these charts to deploy the MinIO Operator and manage Tenants with Helm.
The following page documents the values.yaml chart for the MinIO Tenant.
For documentation on the MinIO Operator chart, see Operator Helm Charts.
MinIO Tenant Chart
- tenant
  Root key for the MinIO Tenant Chart.
  - name
    The Tenant name.
    Change this to match your preferred MinIO Tenant name.
  - image
    Specify the Operator container image to use for the deployment.
    For example, the following sets the image to the quay.io/minio/operator repo and the v7.0.0 tag. The container pulls the image if not already present:
    image:
      repository: quay.io/minio/minio
      tag: RELEASE.2024-11-07T00-52-20Z
      pullPolicy: IfNotPresent
    The chart also supports specifying an image based on digest value:
    image:
      repository: quay.io/minio/minio@sha256
      digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
      pullPolicy: IfNotPresent
  - imagePullSecret
    An array of Kubernetes secrets to use for pulling images from a private image.repository.
    Only one array element is supported at this time.
  - initContainers
    Specify initContainers to perform setup or configuration tasks before the main Tenant pods start.
    Example of an init container which waits for the identity provider to be reachable before starting the MinIO Tenant:
    initContainers:
      - name: wait-for-idp
        image: busybox
        command:
          - sh
          - -c
          - |
            URL="https://idp-url"
            echo "Checking IdP reachability (${URL})"
            until $(wget -q -O "/dev/null" ${URL}) ; do
              echo "IdP (${URL}) not reachable. Waiting to be reachable..."
              sleep 5
            done
            echo "IdP (${URL}) reachable. Starting MinIO..."
  - scheduler
    The Kubernetes Scheduler to use for dispatching Tenant pods.
    Specify an empty dictionary {} to dispatch pods with the default scheduler.
  - configuration
    The Kubernetes secret name that contains MinIO environment variable configurations.
    The secret is expected to have a key named config.env containing environment variable exports.
  - configSecret
    Root key for dynamically creating a secret for use with configuring the root MinIO user.
    Specify the name and then a list of environment variables.
    Important
    Do not use this in production environments. This field is intended for use with rapid development or testing only.
    For example:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123
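The config.env secret that `configuration` points to can be created outside the chart, so the root credentials never sit in values.yaml the way the `configSecret` shortcut above puts them there. The following Python script is an added example and is not part of the MinIO chart or Operator: it builds a Secret manifest in the shape the chart expects (an Opaque secret whose `config.env` key holds export statements), draws the root password from the OS CSPRNG, and refuses the development credentials `minio`/`minio123`. The secret name `myminio-env-configuration` is the page's; the user name `minio-admin` and the `default` namespace are assumptions.

```python
import base64
import json
import secrets
import string

# The chart's development defaults for configSecret; this generator refuses them.
DEV_CREDENTIALS = {("minio", "minio123")}
ALPHABET = string.ascii_letters + string.digits


def generate_root_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG (secrets module). Letters and digits only,
    so the single-quoted export line below needs no further escaping."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def make_config_env(root_user: str, root_password: str) -> str:
    """Build the config.env payload: a series of export statements, as the chart expects."""
    if (root_user, root_password) in DEV_CREDENTIALS:
        raise ValueError("refusing to emit the development credentials minio/minio123")
    # MinIO's own rule (not stated on this page): secret keys must be at least 8 characters.
    if len(root_password) < 8:
        raise ValueError("root password must be at least 8 characters")
    for value in (root_user, root_password):
        if "'" in value or "\n" in value:
            raise ValueError("credential contains a quote or newline that would break the export line")
    return (f"export MINIO_ROOT_USER='{root_user}'\n"
            f"export MINIO_ROOT_PASSWORD='{root_password}'")


def make_secret_manifest(name: str, root_user: str, root_password: str,
                         namespace: str = "default") -> dict:
    """Opaque Secret carrying the base64-encoded config.env key under .data."""
    payload = make_config_env(root_user, root_password).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"config.env": base64.b64encode(payload).decode()},
    }


def decode_config_env(manifest: dict) -> dict:
    """Read the exports back out of a manifest (for example one fetched as JSON with kubectl)."""
    raw = base64.b64decode(manifest["data"]["config.env"]).decode()
    env = {}
    for line in raw.splitlines():
        if not line.startswith("export "):
            continue
        key, _, value = line[len("export "):].partition("=")
        env[key] = value.strip("'")
    return env


if __name__ == "__main__":
    # "minio-admin" is an assumed user name; the secret name matches configuration.name above.
    manifest = make_secret_manifest("myminio-env-configuration", "minio-admin",
                                    generate_root_password())
    print(json.dumps(manifest, indent=2))
```

Apply the printed manifest with kubectl, set `tenant.configuration.name` to the secret name, and leave `configSecret` unset, following the existing-secret comments in the chart's values file. Because the password is generated per run, capture it from the manifest at creation time; the chart itself never needs to see it.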
  - poolsMetadata
    Metadata that will be added to the StatefulSet and pods of all pools.
    - annotations
      Specify annotations to associate to Tenant pods.
    - labels
      Specify labels to associate to Tenant pods.
  - pools
    Top level key for configuring MinIO Pool(s) in this Tenant.
    See Operator CRD: Pools for more information on all subfields.
    - servers
      The number of MinIO Tenant Pods / Servers in this pool. For standalone mode, supply 1. For distributed mode, supply 4 or more. Note that the Operator does not support upgrading from standalone to distributed mode.
    - name
      Custom name for the pool.
    - volumesPerServer
      The number of volumes attached per MinIO Tenant Pod / Server.
    - size
      The capacity per volume requested per MinIO Tenant Pod.
    - storageAnnotations
      Specify storageAnnotations to associate to PVCs.
    - storageLabels
      Specify storageLabels to associate to PVCs.
    - annotations
      Specify annotations to associate to Tenant pods.
    - labels
      Specify labels to associate to Tenant pods.
    - tolerations
      An array of Toleration labels to associate to Tenant pods.
      These settings determine the distribution of pods across worker nodes.
    - nodeSelector
      Any Node Selectors to apply to Tenant pods.
      The Kubernetes scheduler uses these selectors to determine which worker nodes it can deploy Tenant pods onto.
      If no worker nodes match the specified selectors, the Tenant deployment will fail.
    - affinity
      The affinity or anti-affinity settings to apply to Tenant pods.
      These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
    - resources
      The Requests or Limits for resources to associate to Tenant pods.
      These settings can control the minimum and maximum resources requested for each pod. If no worker nodes can meet the specified requests, the Operator may fail to deploy.
    - securityContext
      The Kubernetes SecurityContext to use for deploying Tenant resources.
      You may need to modify these values to meet your cluster's security and access settings.
      We recommend disabling recursive permission changes by setting fsGroupChangePolicy to OnRootMismatch, as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
    - containerSecurityContext
      The Kubernetes SecurityContext to use for deploying Tenant containers. You may need to modify these values to meet your cluster's security and access settings.
    - topologySpreadConstraints
      An array of Topology Spread Constraints to associate to Operator Console pods.
      These settings determine the distribution of pods across worker nodes.
  - mountPath
    The mount path where Persistent Volumes are mounted inside Tenant container(s).
  - subPath
    The sub path inside the mount path where MinIO stores data.
    Warning
    Treat the mountPath and subPath values as immutable once you deploy the Tenant. If you change these values post-deployment, then you may have different paths for new and pre-existing data. This can vastly increase operational complexity and may result in unpredictable data states.
  - metrics
    Configures a Prometheus-compatible scraping endpoint at the specified port.
  - certificate
    Configures external certificate settings for the Tenant.
    - externalCaCertSecret
      Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
      This is used by MinIO to verify TLS connections from clients using those CAs. If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. See Operator CRD: TenantSpec.
    - externalCertSecret
      Specify an array of Kubernetes secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
      Omit this to use only the MinIO Operator autogenerated certificates.
      If you omit this field and set requestAutoCert to false, the Tenant starts without TLS.
      Important
      The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
      You can pass the CA to the Operator to allow it to trust that cert. See Self-Signed, Internal, and Private Certificates for more information. This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust.
    - requestAutoCert
      Enable automatic Kubernetes based certificate generation and signing.
    - certConfig
      This field is used only when requestAutoCert: true.
      Use this field to set the CommonName for the auto-generated certificate. MinIO defaults to using the internal Kubernetes DNS name for the pod. The default DNS name format is typically *.minio.default.svc.cluster.local.
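Several of the settings above carry a security consequence that is easy to lose in a large values file: the image can be pinned by digest instead of a mutable tag, the pool's two SecurityContexts decide whether MinIO runs as root and with what capabilities, the chart's configSecret defaults are development credentials, and leaving `externalCertSecret` empty while setting `requestAutoCert: false` starts the Tenant without TLS. The following Python audit is an added example, not MinIO or chart code: it runs those checks over a parsed values structure. The `DEFAULT_VALUES` dict is constructed here from the chart defaults shown on this page, reduced to the keys the checks read; the `hardened_example()` variant and the finding texts are assumptions of this example. It assumes the caller has already parsed values.yaml into a dict (for instance with a YAML library), so it needs no third-party imports.

```python
import copy

# Constructed sample: the chart defaults shown on this page, reduced to the keys the
# checks below look at. It is not a complete values.yaml.
DEFAULT_VALUES = {
    "tenant": {
        "image": {"repository": "quay.io/minio/minio",
                  "tag": "RELEASE.2024-11-07T00-52-20Z", "pullPolicy": "IfNotPresent"},
        "configSecret": {"name": "myminio-env-configuration",
                         "accessKey": "minio", "secretKey": "minio123"},
        "pools": [{
            "servers": 4, "name": "pool-0", "volumesPerServer": 4, "size": "10Gi",
            "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
                                "fsGroupChangePolicy": "OnRootMismatch", "runAsNonRoot": True},
            "containerSecurityContext": {"runAsUser": 1000, "runAsGroup": 1000,
                                         "runAsNonRoot": True, "allowPrivilegeEscalation": False,
                                         "capabilities": {"drop": ["ALL"]},
                                         "seccompProfile": {"type": "RuntimeDefault"}},
        }],
        "certificate": {"externalCaCertSecret": [], "externalCertSecret": [],
                        "requestAutoCert": True},
    }
}
HEX = set("0123456789abcdef")


def check_image(image: dict) -> list:
    """Prefer the digest form: a tag can be re-pointed at a different image, a digest cannot."""
    if not image.get("repository", "").endswith("@sha256"):
        return ["image: pinned by tag only; use the repository@sha256 + digest form"]
    digest = image.get("digest", "")
    if len(digest) != 64 or not set(digest) <= HEX:
        return ["image: repository ends in @sha256 but digest is not 64 hex characters"]
    return []


def check_pool(pool: dict) -> list:
    """Server count plus the pod-level and container-level SecurityContext of one pool."""
    name = pool.get("name", "<unnamed>")
    findings = []
    servers = pool.get("servers", 0)
    if servers != 1 and servers < 4:
        findings.append(f"pool {name}: servers={servers}; supply 1 (standalone) or 4+ (distributed)")
    sc = pool.get("securityContext", {})
    if sc.get("runAsNonRoot") is not True:
        findings.append(f"pool {name}: securityContext.runAsNonRoot is not true")
    if sc.get("fsGroupChangePolicy") != "OnRootMismatch":
        findings.append(f"pool {name}: fsGroupChangePolicy is not OnRootMismatch (recursive chown on every start)")
    csc = pool.get("containerSecurityContext", {})
    if csc.get("allowPrivilegeEscalation") is not False:
        findings.append(f"pool {name}: containerSecurityContext.allowPrivilegeEscalation is not false")
    if "ALL" not in csc.get("capabilities", {}).get("drop", []):
        findings.append(f"pool {name}: containerSecurityContext does not drop ALL capabilities")
    if csc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        findings.append(f"pool {name}: containerSecurityContext.seccompProfile.type is not RuntimeDefault")
    return findings


def check_certificate(cert: dict) -> list:
    """The page's rule: empty externalCertSecret plus requestAutoCert false means no TLS at all."""
    if not cert.get("requestAutoCert", False) and not cert.get("externalCertSecret"):
        return ["certificate: requestAutoCert is false and externalCertSecret is empty; the Tenant would start without TLS"]
    return []


def check_config_secret(config_secret: dict) -> list:
    creds = (config_secret.get("accessKey"), config_secret.get("secretKey"))
    if creds == ("minio", "minio123"):
        return ["configSecret: development credentials minio/minio123 are set; use an existing secret instead"]
    return []


def audit(values: dict) -> list:
    """Run every check over a parsed values.yaml and return the list of findings."""
    tenant = values.get("tenant", {})
    findings = check_image(tenant.get("image", {}))
    findings += check_config_secret(tenant.get("configSecret", {}))
    for pool in tenant.get("pools", []):
        findings += check_pool(pool)
    findings += check_certificate(tenant.get("certificate", {}))
    return findings


def hardened_example() -> dict:
    """The defaults with both findings fixed: the digest-pinned image from this page and an
    out-of-band secret referenced through configuration.name instead of configSecret."""
    values = copy.deepcopy(DEFAULT_VALUES)
    values["tenant"]["image"] = {
        "repository": "quay.io/minio/minio@sha256",
        "digest": "28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983",
        "pullPolicy": "IfNotPresent",
    }
    del values["tenant"]["configSecret"]
    values["tenant"]["configuration"] = {"name": "myminio-env-configuration"}
    return values


if __name__ == "__main__":
    for label, values in (("defaults", DEFAULT_VALUES), ("hardened", hardened_example())):
        print(f"{label}: {audit(values) or ['no findings']}")
```

Run against the chart defaults the audit reports exactly two findings (tag-pinned image, development credentials); the hardened variant reports none. The checks are deliberately conservative: a missing `securityContext` key is reported the same way as a wrong value, which is what you want from a pre-deployment gate.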
  - features
    MinIO features to enable or disable in the MinIO Tenant. See Operator CRD: Features.
  - buckets
    Array of objects describing one or more buckets to create during tenant provisioning. Example:
    - name: my-minio-bucket
      objectLock: false # optional
      region: us-east-1 # optional
  - users
    Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.
    Each secret should specify the CONSOLE_ACCESS_KEY and CONSOLE_SECRET_KEY as the access key and secret key for that user.
  - podManagementPolicy
    The Pod Management policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel".
  - readiness
    Readiness Probe for monitoring Tenant container readiness. Tenant pods will be removed from service endpoints if the probe fails.
  - startup
    Startup Probe for monitoring container startup. Tenant pods will be restarted if the probe fails. Refer
  - lifecycle
    The Lifecycle hooks for the container.
  - exposeServices
    Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.
    If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.
    Specify minio: true to expose the MinIO S3 API.
    Specify console: true to expose the Console.
    Both fields default to false.
  - serviceAccountName
    The Kubernetes Service Account associated with the Tenant.
  - prometheusOperator
    Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
  - logging
    Configure pod logging configuration for the MinIO Tenant.
    Specify json for JSON-formatted logs.
    Specify anonymous for anonymized logs.
    Specify quiet to suppress logging.
    An example of JSON-formatted logs is as follows:
    $ k logs myminio-pool-0-0 -n default
    {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
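JSON-formatted logs are what you want when the Tenant's pod output is shipped to a SIEM, because each line carries its own level, timestamp and message. The following Python parser is an added example, not MinIO code: it reads lines in the shape of the `k logs` output above, tolerates non-JSON lines (anything printed before the JSON setting took effect, or with `quiet`/`anonymous` in play), counts entries per level and collects the non-INFO records for follow-up. The first sample line is the page's own; the remaining lines, including the `errKind` value `constructed`, are made up here to exercise the parser and are not real MinIO output.

```python
import json
from collections import Counter

# Constructed sample in the shape of the `k logs` output shown above. Only the first line
# is the page's own example; the rest are made up to exercise the parser.
SAMPLE_LOG_LINES = [
    '{"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z",'
    '"message":"All MinIO sub-systems initialized successfully"}',
    "plain text line emitted before JSON logging took effect (constructed)",
    '{"level":"ERROR","errKind":"constructed","time":"2022-04-07T21:50:10.000000000Z",'
    '"message":"constructed error entry"}',
    '{"level":"INFO","errKind":"","time":"2022-04-07T21:50:11.000000000Z",'
    '"message":"constructed info entry"}',
]


def parse_log_line(line: str):
    """Return the decoded record, or None for lines that are not MinIO JSON log records.
    A record is recognised by being a JSON object with a string "level" field."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or not isinstance(entry.get("level"), str):
        return None
    return entry


def summarize(lines) -> dict:
    """Count records per level and collect every non-INFO record as (time, errKind, message)."""
    levels = Counter()
    unparsed = 0
    problems = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            unparsed += 1
            continue
        levels[entry["level"]] += 1
        if entry["level"] != "INFO":
            problems.append((entry.get("time"), entry.get("errKind"), entry.get("message")))
    return {"levels": dict(levels), "unparsed": unparsed, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
```

The `unparsed` counter is worth alerting on in its own right: a sudden rise means the pod is no longer emitting the JSON shape your detection rules expect, for example after a values change that dropped the `json` setting.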
  - serviceMetadata
    serviceMetadata allows passing additional labels and annotations to the MinIO and Console specific services created by the Operator.
  - env
    Add environment variables to be set in the MinIO container (https://github.com/minio/minio/tree/master/docs/config).
  - priorityClassName
    PriorityClassName indicates the Pod priority and hence the importance of a Pod relative to other Pods. This is applied to MinIO pods only. Refer to the Kubernetes documentation for details: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  - additionalVolumes
    An array of Volumes which the Operator can mount to Tenant pods.
    The volumes must exist and be accessible to the Tenant pods.
  - additionalVolumeMounts
    An array of volume mount points associated to each Tenant container.
    Specify each item in the array as follows:
    volumeMounts:
      - name: volumename
        mountPath: /path/to/mount
    The name field must correspond to an entry in the additionalVolumes array.
- ingress
  Configures Ingress for the Tenant S3 API and Console.
  Set the keys to conform to the Ingress controller and configuration of your choice.
# Root key for MinIO Tenant Chart
tenant:
  ###
  # The Tenant name
  #
  # Change this to match your preferred MinIO Tenant name.
  name: myminio
  ###
  # Specify the Operator container image to use for the deployment.
  # ``image.tag``
  # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v7.0.0 tag.
  # The container pulls the image if not already present:
  #
  # .. code-block:: yaml
  #
  #    image:
  #      repository: quay.io/minio/minio
  #      tag: RELEASE.2024-11-07T00-52-20Z
  #      pullPolicy: IfNotPresent
  #
  # The chart also supports specifying an image based on digest value:
  #
  # .. code-block:: yaml
  #
  #    image:
  #      repository: quay.io/minio/minio@sha256
  #      digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
  #      pullPolicy: IfNotPresent
  #
  #
  image:
    repository: quay.io/minio/minio
    tag: RELEASE.2024-11-07T00-52-20Z
    pullPolicy: IfNotPresent
  ###
  #
  # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
  # Only one array element is supported at this time.
  imagePullSecret: { }
  ###
  #
  # Specify `initContainers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to perform setup or configuration tasks before the main Tenant pods start.
  #
  # Example of an init container which waits for the identity provider to be reachable before starting the MinIO Tenant:
  #
  # .. code-block:: yaml
  #
  #    initContainers:
  #      - name: wait-for-idp
  #        image: busybox
  #        command:
  #          - sh
  #          - -c
  #          - |
  #            URL="https://idp-url"
  #            echo "Checking IdP reachability (${URL})"
  #            until $(wget -q -O "/dev/null" ${URL}) ; do
  #              echo "IdP (${URL}) not reachable. Waiting to be reachable..."
  #              sleep 5
  #            done
  #            echo "IdP (${URL}) reachable. Starting MinIO..."
  #
  initContainers: [ ]
  ###
  # The Kubernetes `Scheduler <https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Tenant pods.
  #
  # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
  scheduler: { }
  ###
  # The Kubernetes secret name that contains MinIO environment variable configurations.
  # The secret is expected to have a key named config.env containing environment variables exports.
  configuration:
    name: myminio-env-configuration
  ###
  # Root key for dynamically creating a secret for use with configuring root MinIO User
  # Specify the ``name`` and then a list of environment variables.
  #
  # .. important::
  #
  #    Do not use this in production environments.
  #    This field is intended for use with rapid development or testing only.
  #
  # For example:
  #
  # .. code-block:: yaml
  #
  #    name: myminio-env-configuration
  #    accessKey: minio
  #    secretKey: minio123
  #
  configSecret:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123
    #existingSecret: true
  ###
  # Metadata that will be added to the statefulset and pods of all pools
  poolsMetadata:
    ###
    # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to Tenant pods.
    annotations: { }
    ###
    # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to Tenant pods.
    labels: { }
  ###
  # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant.
  # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration
  # The secret must contain a key ``config.env``.
  # The values should be a series of export statements to set environment variables for the Tenant.
  # For example:
  #
  # .. code-block:: shell
  #
  #    stringData:
  #      config.env: |-
  #        export MINIO_ROOT_USER=ROOTUSERNAME
  #        export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
  #
  # existingSecret: false
  ###
  # Top level key for configuring MinIO Pool(s) in this Tenant.
  #
  # See `Operator CRD: Pools <https://docs.min.io/community/minio-object-store/reference/operator-crd.html#pool>`__ for more information on all subfields.
  pools:
    ###
    # The number of MinIO Tenant Pods / Servers in this pool.
    # For standalone mode, supply 1. For distributed mode, supply 4 or more.
    # Note that the operator does not support upgrading from standalone to distributed mode.
    - servers: 4
      ###
      # Custom name for the pool
      name: pool-0
      ###
      # The number of volumes attached per MinIO Tenant Pod / Server.
      volumesPerServer: 4
      ###
      # The capacity per volume requested per MinIO Tenant Pod.
      size: 10Gi
      ###
      # The `storageClass <https://kubernetes.io/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool.
      #
      # If using Amazon Elastic Block Store (EBS) CSI driver
      # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
      # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
      # storageClassName: standard
      ###
      # Specify `storageAnnotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs.
      storageAnnotations: { }
      ###
      # Specify `storageLabels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to PVCs.
      storageLabels: { }
      ###
      # Specify `annotations <https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to Tenant pods.
      annotations: { }
      ###
      # Specify `labels <https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/>`__ to associate to Tenant pods.
      labels: { }
      ###
      #
      # An array of `Toleration labels <https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      tolerations: [ ]
      ###
      # Any `Node Selectors <https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Tenant pods.
      #
      # The Kubernetes scheduler uses these selectors to determine which worker nodes it can deploy Tenant pods onto.
      #
      # If no worker nodes match the specified selectors, the Tenant deployment will fail.
      nodeSelector: { }
      ###
      #
      # The `affinity <https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
      affinity: { }
      ###
      #
      # The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Tenant pods.
      #
      # These settings can control the minimum and maximum resources requested for each pod.
      # If no worker nodes can meet the specified requests, the Operator may fail to deploy.
      resources: { }
      ###
      # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant resources.
      #
      # You may need to modify these values to meet your cluster's security and access settings.
      #
      # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      ###
      # The Kubernetes `SecurityContext <https://kubernetes.io/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant containers.
      # You may need to modify these values to meet your cluster's security and access settings.
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      ###
      #
      # An array of `Topology Spread Constraints <https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      topologySpreadConstraints: [ ]
      ###
      #
      # The name of a custom `Container Runtime <https://kubernetes.io/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods.
      # runtimeClassName: ""
  ###
  # The mount path where Persistent Volumes are mounted inside Tenant container(s).
  mountPath: /export
  ###
  # The Sub path inside Mount path where MinIO stores data.
  #
  # .. warning::
  #
  #    Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant.
  #    If you change these values post-deployment, then you may have different paths for new and pre-existing data.
  #    This can vastly increase operational complexity and may result in unpredictable data states.
  subPath: /data
  ###
  # Configures a Prometheus-compatible scraping endpoint at the specified port.
  metrics:
    enabled: false
    port: 9000
    protocol: http
  ###
  # Configures external certificate settings for the Tenant.
  certificate:
    ###
    # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
    #
    # This is used by MinIO to verify TLS connections from clients using those CAs.
    # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
    # See `Operator CRD: TenantSpec <https://docs.min.io/community/minio-object-store/reference/operator-crd.html#tenantspec>`__.
    externalCaCertSecret: [ ]
    ###
    # Specify an array of Kubernetes secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
    #
    # Omit this to use only the MinIO Operator autogenerated certificates.
    #
    # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS.
    #
    # See `Operator CRD: TenantSpec <https://docs.min.io/community/minio-object-store/reference/operator-crd.html#tenantspec>`__.
    #
    # .. important::
    #
    #    The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
    #
    #    You can pass the CA to the Operator to allow it to trust that cert.
    #    See `Self-Signed, Internal, and Private Certificates <https://docs.min.io/community/minio-object-store/operations/network-encryption.html#self-signed-internal-private-certificates-and-public-cas-with-intermediate-certificates>`__ for more information.
    #    This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust.
    externalCertSecret: [ ]
    ###
    # Enable automatic Kubernetes based `certificate generation and signing <https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster>`__
    requestAutoCert: true
    ###
    # The minimum number of days to expiry before an alert for an expiring certificate is fired.
    # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
    # certExpiryAlertThreshold: 1
    ###
    # This field is used only when ``requestAutoCert: true``.
    # Use this field to set CommonName for the auto-generated certificate.
    # MinIO defaults to using the internal Kubernetes DNS name for the pod.
    # The default DNS name format is typically ``*.minio.default.svc.cluster.local``.
    #
    # See `Operator CRD: CertificateConfig <https://docs.min.io/community/minio-object-store/reference/operator-crd.html#certificateconfig>`__
    certConfig: { }
  ###
  # MinIO features to enable or disable in the MinIO Tenant
  # See `Operator CRD: Features <https://docs.min.io/community/minio-object-store/reference/operator-crd.html#features>`__.
  features:
    bucketDNS: false
    domains: { }
    enableSFTP: false
  ###
  # Array of objects describing one or more buckets to create during tenant provisioning.
  # Example:
  #
  # .. code-block:: yaml
  #
  #    - name: my-minio-bucket
  #      objectLock: false # optional
  #      region: us-east-1 # optional
  buckets: [ ]
  ###
  # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.
  #
  # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user.
  users: [ ]
  ###
  # The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for MinIO Tenant Pods.
  # Can be "OrderedReady" or "Parallel"
  podManagementPolicy: Parallel
  # The `Liveness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Tenant pod liveness.
  # Tenant pods will be restarted if the probe fails.
  liveness: { }
  ###
  # `Readiness Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Tenant container readiness.
  # Tenant pods will be removed from service endpoints if the probe fails.
  readiness: { }
  ###
  # `Startup Probe <https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup.
  # Tenant pods will be restarted if the probe fails.
  # Refer
  startup: { }
  ###
  # The `Lifecycle hooks <https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/>`__ for container.
  lifecycle: { }
  ###
  # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.
  #
  # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.
  #
  # - Specify ``minio: true`` to expose the MinIO S3 API.
  # - Specify ``console: true`` to expose the Console.
  #
  # Both fields default to ``false``.
  exposeServices: { }
  ###
  # The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Tenant.
  serviceAccountName: ""
  ###
  # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
  prometheusOperator: false
  ###
  # Configure pod logging configuration for the MinIO Tenant.
  #
  # - Specify ``json`` for JSON-formatted logs.
  # - Specify ``anonymous`` for anonymized logs.
  # - Specify ``quiet`` to suppress logging.
  #
  # An example of JSON-formatted logs is as follows:
  #
  # .. code-block:: shell
  #
  #    $ k logs myminio-pool-0-0 -n default
  #    {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
  logging: { }
  ###
  # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
  # services created by the operator.
  serviceMetadata: { }
  ###
  # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
  env: [ ]
  ###
  # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
  # This is applied to MinIO pods only.
  # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  priorityClassName: ""
  ###
  # An array of `Volumes <https://kubernetes.io/docs/concepts/storage/volumes/>`__ which the Operator can mount to Tenant pods.
  #
  # The volumes must exist *and* be accessible to the Tenant pods.
  additionalVolumes: [ ]
  ###
  # An array of volume mount points associated to each Tenant container.
  #
  # Specify each item in the array as follows:
  #
  # .. code-block:: yaml
  #
  #    volumeMounts:
  #      - name: volumename
  #        mountPath: /path/to/mount
  #
  # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
  additionalVolumeMounts: [ ]
  # Define configuration for KES (stateless and distributed key-management system)
  # Refer https://github.com/minio/kes
  #kes:
  #  ## Image field:
  #  # Image from tag (original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes
  #  #   tag: 2024-11-25T13-44-31Z
  #  # Image from digest (added after original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes@sha256
  #  #   digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b
  #  image:
  #    repository: quay.io/minio/kes
  #    tag: 2024-11-25T13-44-31Z
  #    pullPolicy: IfNotPresent
  #  env: [ ]
  #  replicas: 2
  #  configuration: |-
  #    address: :7373
  #    tls:
  #      key: /tmp/kes/server.key   # Path to the TLS private key
  #      cert: /tmp/kes/server.crt  # Path to the TLS certificate
  #    proxy:
  #      identities: []
  #      header:
  #        cert: X-Tls-Client-Cert
  #    admin:
  #      identity: ${MINIO_KES_IDENTITY}
  #    cache:
  #      expiry:
  #        any: 5m0s
  #        unused: 20s
  #    log:
  #      error: on
  #      audit: off
  #    keystore:
  #      # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended
  #      # use a real KMS
  #      # fs:
  #      #   path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production.
  #      vault:
  #        endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint
  #        namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
  #        prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix.
  #        approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
  #          id: "<YOUR APPROLE ID HERE>" # Your AppRole Role ID
  #          secret: "<YOUR APPROLE SECRET ID HERE>" # Your AppRole Secret ID
  #          retry: 15s # Duration until the server tries to re-authenticate after connection loss.
  #        tls: # The Vault client TLS configuration for mTLS authentication and certificate verification
  #          key: "" # Path to the TLS client private key for mTLS authentication to Vault
  #          cert: "" # Path to the TLS client certificate for mTLS authentication to Vault
  #          ca: "" # Path to one or multiple PEM root CA certificates
  #        status: # Vault status configuration. The server will periodically reach out to Vault to check its status.
  #          ping: 10s # Duration until the server checks Vault's status again.
  #      # aws:
  #      #   # The AWS SecretsManager key store. The server will store
  #      #   # secret keys at the AWS SecretsManager encrypted with
  #      #   # AWS-KMS. See: https://aws.amazon.com/secrets-manager
  #      #   secretsmanager:
  #      #     endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com
  #      #     region: "" # The AWS region of the SecretsManager - e.g.: us-east-2
  #      #     kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
  #      #     credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager.
  #      #       accesskey: "" # Your AWS Access Key
  #      #       secretkey: "" # Your AWS Secret Key
  #      #       token: "" # Your AWS session token (usually optional)
  #  imagePullPolicy: "IfNotPresent"
  #  externalCertSecret: null
  #  clientCertSecret: null
  #  # Key name to be created on the KMS, default is "my-minio-key"
  #  keyName: ""
  #  resources: { }
  #  nodeSelector: { }
  #  affinity:
  #    nodeAffinity: { }
  #    podAffinity: { }
  #    podAntiAffinity: { }
  #  tolerations: [ ]
  #  annotations: { }
  #  labels: { }
  #  serviceAccountName: ""
  #  securityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    fsGroup: 1000
  #  containerSecurityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    allowPrivilegeEscalation: false
  #    capabilities:
  #      drop:
  #        - ALL
  #    seccompProfile:
  #      type: RuntimeDefault
###
# Configures `Ingress <https://kubernetes.io/docs/concepts/services-networking/ingress/>`__ for the Tenant S3 API and Console.
#
# Set the keys to conform to the Ingress controller and configuration of your choice.
ingress:
  api:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio.local
    path: /
    pathType: Prefix
  console:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio-console.local
    path: /
    pathType: Prefix
# Use an extraResources template section to include additional Kubernetes resources
# with the Helm deployment.
#extraResources:
#  - |
#    apiVersion: v1
#    kind: Secret
#    type: Opaque
#    metadata:
#      name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }}
#    stringData:
#      config.env: |-
#        export MINIO_ROOT_USER='minio'
#        export MINIO_ROOT_PASSWORD='minio123'