diff --git a/README.md b/README.md index 35b9f32c58408b8a21fa12c1d9f663da7054e7cf..514f7ec3497288f8fedc2f03d086198a69c84880 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ Project [here](https://github.com/minio/minio-operator). MinIO is a high performance, distributed object storage system. It is software-defined, runs on industry standard hardware and is 100% open source under the Apache V2 license. -App Version: Operator 1.0.7, instance 1.0.7 +App Version: Operator 2.0.8, instance 2.0.8 Plugins: Additional docs for using and its plugins can be found at $URL The containers being used are maintained in the public/apps/minio registry. These containers ahve not been hardened, but have been retagged. When available hardened containers will be implemented. diff --git a/deployment/manifests/README.md b/deployment/manifests/README.md new file mode 100644 index 0000000000000000000000000000000000000000..e8b0775fb6a16d2913e5b86aa08ce23c67290653 --- /dev/null +++ b/deployment/manifests/README.md @@ -0,0 +1,6 @@ +# NOTES +This is unmodified manifest code version 2.0.9 from +https://github.com/minio/operator/tree/2.0.9 +Any needed changes are made in kustomize overlays. + +This is an older version but it must match the latest IronBank hardened image version as close as possible. \ No newline at end of file diff --git a/deployment/manifests/instance/kustomization.yaml b/deployment/manifests/instance/kustomization.yaml deleted file mode 100644 index f9b18ec10aa2e6027b0159fb1806cf727e1c68ea..0000000000000000000000000000000000000000 --- a/deployment/manifests/instance/kustomization.yaml +++ /dev/null @@ -1,5 +0,0 @@ -namespace: minio - -resources: - - namespace.yaml - - instance.yaml diff --git a/deployment/manifests/minio-instance/kustomization.yaml b/deployment/manifests/minio-instance/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..4bbb18650b02d8dfb43048a503b6e19463f4688d --- /dev/null 
+++ b/deployment/manifests/minio-instance/kustomization.yaml
@@ -0,0 +1,9 @@
+namespace: minio
+
+resources:
+ - namespace.yaml
+ - upstream/minioinstance.yaml
+
+patchesStrategicMerge:
+ # use IronBank hardened image
+ - patches/image-patch.yaml
diff --git a/deployment/manifests/instance/namespace.yaml b/deployment/manifests/minio-instance/namespace.yaml
similarity index 100%
rename from deployment/manifests/instance/namespace.yaml
rename to deployment/manifests/minio-instance/namespace.yaml
diff --git a/deployment/manifests/minio-instance/patches/image-patch.yaml b/deployment/manifests/minio-instance/patches/image-patch.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6b70b6fe5fed713710c9ca6373b98effdba8678c
--- /dev/null
+++ b/deployment/manifests/minio-instance/patches/image-patch.yaml
@@ -0,0 +1,7 @@
+apiVersion: operator.min.io/v1
+kind: MinIOInstance
+metadata:
+ name: minio
+spec:
+ # use IronBank hardened image
+ image: registry.dsop.io/platform-one/apps/minio/instance:RELEASE.2020-07-02T00-15-09Z
diff --git a/deployment/manifests/instance/instance.yaml b/deployment/manifests/minio-instance/upstream/minioinstance.yaml
similarity index 62%
rename from deployment/manifests/instance/instance.yaml
rename to deployment/manifests/minio-instance/upstream/minioinstance.yaml
index 7da851aa4cb4a952efd19eaebc9d9d8bb257363b..136cf00d7d5a3f765987563a1e6f480252e97e60 100644
--- a/deployment/manifests/instance/instance.yaml
+++ b/deployment/manifests/minio-instance/upstream/minioinstance.yaml
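Review bot: The `image:` line in image-patch.yaml pins the hardened instance by a mutable tag, `RELEASE.2020-07-02T00-15-09Z`; for a hardened-image supply chain pin the digest as well, e.g. `image: registry.dsop.io/platform-one/apps/minio/instance:RELEASE.2020-07-02T00-15-09Z@sha256:<digest>`, so a retagged push in the registry cannot change what runs. That tag is also older than the `RELEASE.2020-07-13T18-09-56Z` the vendored 2.0.9 manifest ships with; whether operator 2.0.9 depends on the newer server release is not visible here, so confirm before relying on this overlay. The operator overlay uses the kustomize `images:` transformer while this overlay uses a strategic-merge patch on the CR; both work for a scalar field, but one mechanism for both would be easier to audit.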
@@ -3,12 +3,27 @@ kind: Secret metadata: name: minio-creds-secret type: Opaque -# srtm: IA-5(1)(c) cryptographically stored authenticator data: accesskey: bWluaW8= # base 64 encoded "minio" (echo -n 'minio' | base64) secretkey: bWluaW8xMjM= # based 64 encoded "minio123" (echo -n 'minio123' | base64) --- -apiVersion: miniocontroller.min.io/v1beta1 +apiVersion: v1 +kind: Service +metadata: + name: minio-service +spec: + type: ClusterIP + ports: + - port: 9000 + targetPort: 9000 + protocol: TCP + # Optional field + # By default and for convenience, the Kubernetes control plane will allocate a port from a range (default: 30000-32767) + # nodePort: 30007 + selector: + app: minio +--- +apiVersion: operator.min.io/v1 kind: MinIOInstance metadata: name: minio @@ -17,8 +32,9 @@ metadata: # scheduler: # name: my-custom-scheduler spec: - ## Add metadata to the pods created by the StatefulSet + ## Add metadata to the all pods created by the StatefulSet metadata: + ## Optionally pass labels to be applied to the statefulset pods labels: app: minio annotations: 
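Review bot: The `minio-creds-secret` Secret still carries the upstream default credentials (`accesskey: bWluaW8=` / `secretkey: bWluaW8xMjM=`, i.e. `minio`/`minio123`) and the new overlay only patches the image, so a `kustomize build` of this tree deploys the instance with well-known root credentials. Since the manifests README says changes belong in overlays, add a `secretGenerator` for `minio-creds-secret` with `behavior: replace` sourced from a file kept out of the repo, or at minimum a patch that fails loudly if the defaults are still present. The hunk also drops the `# srtm: IA-5(1)(c) cryptographically stored authenticator` marker that the old manifest carried on this Secret; if the platform uses those comments for control traceability, restore it or note where that mapping now lives. The added `minio-service` exposes port 9000 with `selector: app: minio`, which overlaps the `minio-internal-service` the operator creates from `serviceName`; presumably intentional as an external entry point — confirm and document it in the Service comment.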
@@ -26,31 +42,54 @@ spec: prometheus.io/port: "9000" prometheus.io/scrape: "true" ## Registry location and Tag to download MinIO Server image - image: registry.dsop.io/platform-one/apps/minio/instance:RELEASE.2020-01-03T19-12-21Z - # Commented to pull from P1 reg - image: minio/minio:RELEASE.2020-01-03T19-12-21Z + image: minio/minio:RELEASE.2020-07-13T18-09-56Z + ## A ClusterIP Service will be created with the given name + serviceName: minio-internal-service + zones: + - name: "zone-0" + ## Number of MinIO servers/pods in this zone. + ## For standalone mode, supply 1. For distributed mode, supply 4 or more. + ## Note that the operator does not support upgrading from standalone to distributed mode. + servers: 4 + ## Supply number of volumes to be mounted per MinIO server instance. + volumesPerServer: 4 + ## Mount path where PV will be mounted inside container(s). Defaults to "/export". + mountPath: /export + ## Sub path inside Mount path where MinIO starts. Defaults to "". + # subPath: /data + ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO cluster. + ## Please do not change the volumeClaimTemplate field while expanding the cluster, this may + ## lead to unbound PVCs and missing data + volumeClaimTemplate: + metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Ti ## Secret with credentials to be used by MinIO instance. credsSecret: name: minio-creds-secret - ## Supply number of replicas. - ## For standalone mode, supply 1. For distributed mode, supply 4 or more (should be even). - ## Note that the operator does not support upgrading from standalone to distributed mode. - replicas: 4 ## PodManagement policy for pods created by StatefulSet. Can be "OrderedReady" or "Parallel" ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy ## for details. Defaults to "Parallel" - ## If set to "OrderedReady", then disable Readiness checks below. 
Readiness check will only - ## work if PodManagementPolicy is set to "Parallel". podManagementPolicy: Parallel + ## Secret with certificates to configure TLS for MinIO certs. Create secrets as explained + ## here: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret + # externalCertSecret: + # name: tls-ssl-minio ## Enable Kubernetes based certificate generation and signing as explained in ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster requestAutoCert: false ## Used when "requestAutoCert" is set to true. Set CommonName for the auto-generated certificate. ## Internal DNS name for the pod will be used if CommonName is not provided. + ## DNS name format is minio-{0...3}.minio.default.svc.cluster.local certConfig: commonName: "" organizationName: [] dnsNames: [] - ## Used to specify a toleration for a pod # tolerations: # - effect: NoSchedule 
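Review bot: `requestAutoCert: false` combined with the commented-out `externalCertSecret` means the instance serves plain HTTP on 9000, and the Service added earlier in this file routes cluster traffic to it unencrypted; S3 signature v4 authenticates requests but does not encrypt bodies or the credentials' use. Either set `requestAutoCert: true` (the ClusterRole in this change grants the operator CSR create/approve rights, presumably for exactly this path — confirm) or supply an `externalCertSecret`, and put that override in the overlay if the upstream file is to stay unmodified. The `volumeClaimTemplate` now requests `storage: 1Ti` per volume across `servers: 4` × `volumesPerServer: 4`, i.e. 16 TiB of PVCs where the previous manifest asked for 10Gi, with no `storageClassName`; confirm this is a platform value rather than the upstream example, and override it in the overlay if not.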
@@ -58,36 +97,22 @@ spec: # operator: Equal # value: storage ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) - env: - - name: MINIO_BROWSER - value: "on" - # - name: MINIO_STORAGE_CLASS_RRS + # env: + # - name: MINIO_BROWSER + # value: "off" # to turn-off browser + # - name: MINIO_STORAGE_CLASS_STANDARD # value: "EC:2" ## Configure resource requests and limits for MinIO containers - resources: - requests: - memory: 512Mi - cpu: 250m + # resources: + # requests: + # memory: 20Gi ## Liveness probe detects situations where MinIO server instance ## is not working properly and needs restart. Kubernetes automatically ## restarts the pods if liveness checks fail. liveness: - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 120 - periodSeconds: 20 - ## Readiness probe detects situations when MinIO server instance - ## is not ready to accept traffic. Kubernetes doesn't forward - ## traffic to the pod while readiness checks fail. - ## Readiness check will only work if PodManagementPolicy is set to "Parallel". - ## Disable this check if you're setting PodManagementPolicy to "OrderedReady". - readiness: - httpGet: - path: /minio/health/ready - port: 9000 - initialDelaySeconds: 120 - periodSeconds: 20 + initialDelaySeconds: 10 + periodSeconds: 1 + timeoutSeconds: 1 ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be ## eligible to run on a node, the node must have each of the ## indicated key-value pairs as labels. 
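Review bot: Dropping the `resources.requests` block (the replacement is commented out) leaves the MinIO pods with no requests or limits, so they land in BestEffort QoS, are evicted first under node pressure, and have nothing bounding memory use on a shared node; restore at least `requests` and preferably `limits` via an overlay patch if the upstream file must stay untouched. The new liveness settings `periodSeconds: 1` / `timeoutSeconds: 1` are aggressive for an object store under load — a 1 s timeout on a busy node can turn into a restart loop, where the previous `periodSeconds: 20` was forgiving — and no `httpGet` handler is spelled out, so presumably the operator fills in `/minio/health/live` (verify against 2.0.9). The `readiness` probe was removed entirely, so unless the operator adds one, Services will route to pods before `/minio/health/ready` succeeds. The enclosing `spec:` block starts and ends outside this hunk.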
@@ -97,20 +122,3 @@ spec: ## Affinity settings for MinIO pods. Read more about affinity ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. # affinity: - ## Secret with certificates to configure TLS for MinIO certs. Create secrets as explained - ## here: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret - # externalCertSecret: - # name: tls-ssl-minio - ## Mountpath where PV will be mounted inside container(s). Defaults to "/export". - # mountPath: /export - ## Subpath inside Mountpath where MinIO starts. Defaults to "". - # subPath: /data - volumeClaimTemplate: - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi diff --git a/deployment/manifests/minio-operator/kustomization.yaml b/deployment/manifests/minio-operator/kustomization.yaml new file mode 100644 index 0000000000000000000000000000000000000000..c64cbeb128f07cd7eeb68c5ca8b781e7c23f6642 --- /dev/null +++ b/deployment/manifests/minio-operator/kustomization.yaml 
@@ -0,0 +1,63 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: minio-operator
+
+# Configure number of MinIO Operator Deployment Replicas
+replicas:
+ - name: minio-operator
+ count: 1
+
+# use IronBank hardened image
+images:
+ - name: minio/k8s-operator
+ newName: registry.dsop.io/platform-one/apps/minio/operator
+ newTag: 2.0.9
+
+# Configure the Cluster Domain and NameSpace to Watch
+configMapGenerator:
+ - name: operator-env
+ literals:
+ - CLUSTER_DOMAIN="cluster.local"
+ - WATCHED_NAMESPACE="minio"
+
+# Configure the Namespace and ServiceAccount name
+patchesJson6902:
+ - target:
+ version: v1
+ kind: ServiceAccount
+ name: minio-operator
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "minio-operator"
+ - target:
+ version: v1
+ kind: Namespace
+ name: minio-operator
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "minio-operator"
+
+vars:
+ - name: CLUSTER_DOMAIN
+ objref:
+ kind: ConfigMap
+ name: operator-env
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.CLUSTER_DOMAIN
+ - name: WATCHED_NAMESPACE
+ objref:
+ kind: ConfigMap
+ name: operator-env
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.WATCHED_NAMESPACE
+
+resources:
+ - upstream/namespace.yaml
+ - upstream/service-account.yaml
+ - upstream/crd.yaml
+ - upstream/rbac.yaml
+ - upstream/deployment.yaml
diff --git a/deployment/manifests/minio-operator/upstream/crd.yaml b/deployment/manifests/minio-operator/upstream/crd.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..c5254f01a5b908f1c9c98d02129299f8f26f3a21
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/crd.yaml
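Review bot: The operator version is pinned three different ways in this change — `newTag: 2.0.9` here, `minio/k8s-operator:2.0.6` in the vendored deployment.yaml, and `Operator 2.0.8` in the top-level README — so it is unclear which hardened tag is actually the certified one; align the README with the overlay and, for a hardened registry, pin `digest: sha256:<digest>` alongside `newTag` so a retagged push cannot change what runs. The two `patchesJson6902` entries replace `/metadata/name` with the value it already has (`minio-operator` → `minio-operator`) and are a no-op carried over from upstream; drop them or give them a real target name. Separately, `WATCHED_NAMESPACE="minio"` narrows what the operator reconciles, but the vendored rbac.yaml pulled in by `resources:` binds a ClusterRole with cluster-wide get/list/watch/create/delete on `secrets` and `*` on `operator.min.io`; since this overlay is where platform changes are meant to live, consider patching that into a RoleBinding scoped to the `minio` namespace and keeping only the cluster-scoped CSR rules in a ClusterRole, so the granted permissions match the watched scope.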
@@ -0,0 +1,91 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: minioinstances.operator.min.io
+spec:
+ group: operator.min.io
+ scope: Namespaced
+ names:
+ kind: MinIOInstance
+ singular: minioinstance
+ plural: minioinstances
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ schema:
+ # openAPIV3Schema is the schema for validating custom objects.
+ # Refer https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#specifying-a-structural-schema
+ # for more details
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ replicas:
+ type: integer
+ minimum: 1
+ maximum: 32
+ image:
+ type: string
+ serviceName:
+ type: string
+ volumesPerServer:
+ type: integer
+ mountPath:
+ type: string
+ podManagementPolicy:
+ type: string
+ enum: [Parallel,OrderedReady]
+ default: Parallel
+ requestAutoCert:
+ type: boolean
+ default: false
+ version:
+ type: string
+ mountpath:
+ type: string
+ subpath:
+ type: string
+ mcs:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ image:
+ type: string
+ replicas:
+ type: integer
+ default: 2
+ mcsSecret:
+ type: object
+ properties:
+ name:
+ type: string
+ kes:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ properties:
+ image:
+ type: string
+ replicas:
+ type: integer
+ default: 2
+ kesSecret:
+ type: object
+ properties:
+ name:
+ type: string
+ status:
+ type: object
+ properties:
+ currentState:
+ type: string
+ subresources:
+ # status enables the status subresource.
+ status: {}
+ additionalPrinterColumns:
+ - name: Current State
+ type: string
+ jsonPath: ".status.currentState"
diff --git a/deployment/manifests/minio-operator/upstream/deployment.yaml b/deployment/manifests/minio-operator/upstream/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..48fe5c7d34678e5bc24f51e3b6acf60babc107c2
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/deployment.yaml
@@ -0,0 +1,25 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio-operator
+ namespace: default
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ name: minio-operator
+ template:
+ metadata:
+ labels:
+ name: minio-operator
+ spec:
+ serviceAccountName: minio-operator
+ containers:
+ - name: minio-operator
+ image: minio/k8s-operator:2.0.6
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: CLUSTER_DOMAIN
+ value: $(CLUSTER_DOMAIN)
+ - name: WATCHED_NAMESPACE
+ value: $(WATCHED_NAMESPACE)
diff --git a/deployment/manifests/minio-operator/upstream/kustomization.yaml b/deployment/manifests/minio-operator/upstream/kustomization.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d0c15a9a7ff3360a88b97c58e36f8c91c85e0b6a
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/kustomization.yaml
@@ -0,0 +1,63 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: minio-operator
+
+# Configure number of MinIO Operator Deployment Replicas
+replicas:
+ - name: minio-operator
+ count: 1
+
+# Configure repo and tag of MinIO Operator Image
+images:
+ - name: minio/k8s-operator
+ newName: minio/k8s-operator
+ newTag: 2.0.6
+
+# Configure the Cluster Domain and NameSpace to Watch
+configMapGenerator:
+ - name: operator-env
+ literals:
+ - CLUSTER_DOMAIN="cluster.local"
+ - WATCHED_NAMESPACE="default"
+
+# Configure the Namespace and ServiceAccount name
+patchesJson6902:
+ - target:
+ version: v1
+ kind: ServiceAccount
+ name: minio-operator
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "minio-operator"
+ - target:
+ version: v1
+ kind: Namespace
+ name: minio-operator
+ patch: |-
+ - op: replace
+ path: /metadata/name
+ value: "minio-operator"
+
+vars:
+ - name: CLUSTER_DOMAIN
+ objref:
+ kind: ConfigMap
+ name: operator-env
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.CLUSTER_DOMAIN
+ - name: WATCHED_NAMESPACE
+ objref:
+ kind: ConfigMap
+ name: operator-env
+ apiVersion: v1
+ fieldref:
+ fieldpath: data.WATCHED_NAMESPACE
+
+resources:
+ - namespace.yaml
+ - service-account.yaml
+ - crd.yaml
+ - rbac.yaml
+ - deployment.yaml
diff --git a/deployment/manifests/minio-operator/upstream/namespace.yaml b/deployment/manifests/minio-operator/upstream/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..1002072f374a6e6530e7b8ce8081ecd915acbd26
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: minio-operator
diff --git a/deployment/manifests/minio-operator/upstream/rbac.yaml b/deployment/manifests/minio-operator/upstream/rbac.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ea3a7961cdc1adefb108adc9a2e73aa36c087956
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/rbac.yaml
@@ -0,0 +1,80 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: minio-operator-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - secrets
+ - pods
+ - services
+ - events
+ verbs:
+ - get
+ - watch
+ - create
+ - list
+ - delete
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ - deployments
+ verbs:
+ - get
+ - create
+ - list
+ - patch
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - get
+ - create
+ - list
+ - patch
+ - watch
+ - update
+ - delete
+- apiGroups:
+ - "certificates.k8s.io"
+ resources:
+ - "certificatesigningrequests"
+ - "certificatesigningrequests/approval"
+ - "certificatesigningrequests/status"
+ verbs:
+ - update
+ - create
+ - get
+ - delete
+- apiGroups:
+ - operator.min.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - min.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: minio-operator-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: minio-operator-role
+subjects:
+- kind: ServiceAccount
+ name: minio-operator
+ namespace: default
diff --git a/deployment/manifests/minio-operator/upstream/service-account.yaml b/deployment/manifests/minio-operator/upstream/service-account.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..04b7c1f059218606c038c81624b35922041bc7aa
--- /dev/null
+++ b/deployment/manifests/minio-operator/upstream/service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: minio-operator
+ namespace: default
diff --git a/deployment/manifests/operator/kustomization.yaml b/deployment/manifests/operator/kustomization.yaml
deleted file mode 100644
index 1647d370e70780140f65a7609bf90b76ee96cb41..0000000000000000000000000000000000000000
--- a/deployment/manifests/operator/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -namespace: minio-operator - -resources: - - operator.yaml diff --git a/deployment/manifests/operator/operator.yaml b/deployment/manifests/operator/operator.yaml deleted file mode 100644 index 694d3d076d2c02a03ec5e22d82de3e48aec086ba..0000000000000000000000000000000000000000 --- a/deployment/manifests/operator/operator.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: minio-operator ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - name: minioinstances.miniocontroller.min.io -spec: - group: miniocontroller.min.io - version: v1beta1 - scope: Namespaced - names: - kind: MinIOInstance - singular: minioinstance - plural: minioinstances - preserveUnknownFields: true - validation: - # openAPIV3Schema is the schema for validating custom objects. - # Refer https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#specifying-a-structural-schema - # for more details - openAPIV3Schema: - type: object - properties: - spec: - type: object - properties: - replicas: - type: integer - minimum: 1 - maximum: 32 - version: - type: string - mountpath: - type: string - subpath: - type: string - additionalPrinterColumns: - - name: Replicas - type: integer - JSONPath: ".spec.replicas" ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: minio-operator-role -rules: -- apiGroups: - - "" - resources: - - namespaces - - secrets - - pods - - services - - events - verbs: - - get - - watch - - create - - list - - patch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - create - - list - - patch - - watch - - update -- apiGroups: - - "certificates.k8s.io" - resources: - - "certificatesigningrequests" - - "certificatesigningrequests/approval" - - "certificatesigningrequests/status" - verbs: - - update - - create - - get -- apiGroups: - - miniocontroller.min.io - resources: - - "*" - verbs: - - "*" -- apiGroups: - - min.io - resources: - - "*" - verbs: - - "*" ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: minio-operator-sa - namespace: minio-operator ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: minio-operator-binding - namespace: minio-operator -roleRef: - apiGroup: 
rbac.authorization.k8s.io - kind: ClusterRole - name: minio-operator-role -subjects: -- kind: ServiceAccount - name: minio-operator-sa - namespace: minio-operator ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: minio-operator - namespace: minio-operator -spec: - replicas: 1 - selector: - matchLabels: - name: minio-operator - template: - metadata: - labels: - name: minio-operator - spec: - serviceAccountName: minio-operator-sa - containers: - - name: minio-operator - image: registry.dsop.io/platform-one/apps/minio/operator:1.0.7 - imagePullPolicy: IfNotPresent