Merge branch 'minio-4' into 'main'

Update to Minio 4.0 See merge request !28

Merge branch 'minio-4' into 'main'
Update to Minio 4.0 See merge request !28
36c78e49 · Micah Nagel · dd8cdf9a · eb9934c4 · 36c78e49 · 36c78e49
Commit 36c78e49 authored May 17, 2021 by Micah Nagel 💰
6 changed files
--- a/chart/deps/minio/templates/tenant.yaml
+++ b/chart/deps/minio/templates/tenant.yaml
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: {{ include "minio.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+
+  ## Optionally pass labels to be applied to the statefulset pods
+  labels:
+    app: {{ template "minio.fullname" . }}
+    {{- include "minio.labels" . | nindent 4 }}
+  {{- if .Values.istio.virtualService.labels }}
+  {{ toYaml .Values.istio.virtualservice.labels | indent 4 }}
+  {{- end }}
+  {{- if .Values.istio.virtualService.annotations }}
+  ## Annotations for MinIO Tenant Pods
+  annotations:
+    prometheus.io/path: /minio/prometheus/metrics
+    prometheus.io/port: "9000"
+    prometheus.io/scrape: "true"
+    {{ toYaml .Values.istio.virtualService.annotations | indent 4 }}
+  {{- end }}
+
+## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
+## If not specified, the Tenant pods will be dispatched by default scheduler.
+  ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
+  ## If not specified, the Tenant pods will be dispatched by default scheduler.
+  ##scheduler:
+  ##  name:
+
+spec:
+  ## Registry location and Tag to download MinIO Server image
+  image: {{ .Values.tenants.image.repository }}:{{ .Values.tenants.image.tag }}
+  imagePullPolicy: {{ .Values.tenants.image.pullPolicy }}
+  imagePullSecret:
+    {{ toYaml .Values.tenants.imagePullSecret | indent 4 }}
+
+  ## Secret with credentials to be used by MinIO Tenant.
+  ## Refers to the secret object created above.
+  credsSecret:
+    name: {{ .Values.tenants.secrets.name }}
+
+  ## Specification for MinIO Pool(s) in this Tenant.
+  {{- range .Values.tenants.pools }}
+  pools:
+    ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
+    ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+    ## Note that the operator does not support upgrading from standalone to distributed mode.
+    - servers: {{ .servers }}
+
+      ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
+      volumesPerServer: {{ .volumesPerServer }}
+
+      ## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO Tenant in this
+      ## Pool.
+      volumeClaimTemplate:
+        metadata:
+          name: data
+        spec:
+          accessModes:
+            - ReadWriteOnce
+          resources:
+            requests:
+              storage: {{ .size }}
+
+      ## Used to specify a toleration for a pod
+      # tolerations:
+      #  - effect: NoSchedule
+      #    key: dedicated
+      #    operator: Equal
+      #    value: storage
+      {{- with .tolerations }}
+      tolerations:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+
+      ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+      ## eligible to run on a node, the node must have each of the
+      ## indicated key-value pairs as labels.
+      ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+      # nodeSelector:
+      #   disktype: ssd
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+
+      ## Affinity settings for MinIO pods. Read more about affinity
+      ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+      # affinity:
+      #   nodeAffinity:
+      #     requiredDuringSchedulingIgnoredDuringExecution:
+      #       nodeSelectorTerms:
+      #       - matchExpressions:
+      #         - key: kubernetes.io/hostname
+      #           operator: In
+      #           values:
+      #           - hostname1
+      #           - hostname2
+      {{- with .affinity }}
+      affinity:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      #   podAntiAffinity:
+      #     requiredDuringSchedulingIgnoredDuringExecution:
+      #     - labelSelector:
+      #         matchExpressions:
+      #         - key: app
+      #           operator: In
+      #           values:
+      #           - store
+      #       topologyKey: "kubernetes.io/hostname"
+
+      ## Configure resource requests and limits for MinIO containers
+      # resources:
+      #   requests:
+      #     cpu: 250m
+      #     memory: 16Gi
+      #   limits:
+      #     cpu: 500m
+      #      memory: 16Gi
+      {{- with .resources }}
+      resources:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+
+      ## Configure security context
+      #securityContext:
+      #  runAsUser: 1000
+      #  runAsGroup: 1000
+      #  runAsNonRoot: true
+      {{- with .securityContext }}
+      securityContext:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+  {{ end }}
+
+  ## Mount path where PV will be mounted inside container(s).
+  mountPath: {{ .Values.tenants.mountPath }}
+
+  ## Sub path inside Mount path where MinIO stores data.
+  subPath: {{ .Values.tenants.subPath }}
+
+  ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure
+  ## TLS for MinIO Tenant pods. Create secrets as explained here:
+  ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+  # externalCertSecret:
+  #   - name: tls-ssl-minio
+  #     type: kubernetes.io/tls
+  #{{- with .Values.tenants.certificate.externalCertSecret }}
+  #externalCertSecret:
+  #  {{ toYaml . | nindent 6 }}
+  #{{ end }}
+
+  ## Enable automatic Kubernetes based certificate generation and signing as explained in
+  ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
+  requestAutoCert: {{ .Values.tenants.certificate.requestAutoCert }}
+
+  ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
+  ## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`
+  s3:
+    ## This feature is turned off by default
+    bucketDNS: {{ .Values.tenants.s3.bucketDNS }}
+
+  ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
+  ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
+  ## not provided. DNS name format is *.minio.default.svc.cluster.local
+  {{- with .Values.tenants.certificate.certConfig }}
+  certConfig:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+
+  ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
+  ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+  ## for details.
+  podManagementPolicy: {{ .Values.tenants.podManagementPolicy }}
+
+  ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
+  ## services created by the operator.
+  {{- with .Values.tenants.serviceMetadata }}
+  serviceMetadata:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .env }}
+  {{ toYaml . | nindent 4 }}
+  {{- end }}
+
+  ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
+  # env:
+  # - name: MINIO_BROWSER
+  #   value: "off" # to turn-off browser
+  # - name: MINIO_STORAGE_CLASS_STANDARD
+  #   value: "EC:2"
+  #   ## For secure env vars like passwords, create an opaque Kubernetes secret and specify the secret in
+  #   ## the `valueFrom` field. The `valueFrom` object must contain the following fields:
+  #   ## `name` - the secret from which MinIO extracts the password, `key` - the data field
+  #   ## within secret, whose value will be set to the env variable's value
+  # - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
+  #   valueFrom:
+  #     secretKeyRef:
+  #       name: ldap-minio-secret
+  #       key: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
+
+  ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
+  ## This is applied to MinIO pods only.
+  ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
+  {{- if .Values.tenants.priorityClassName }}
+  priorityClassName: {{ .Values.tenants.priorityClassName }}
+  {{- end }}
+
+  ## Define configuration for Console (Graphical user interface for MinIO)
+  ## Refer https://github.com/minio/console
+  {{- if .Values.tenants.console.enabled }}
+  console:
+    image: {{ .Values.tenants.console.image.repository }}:{{ .Values.tenants.console.image.tag }}
+    replicas: {{ .Values.tenants.console.replicaCount }}
+    consoleSecret:
+      name: {{ .Values.tenants.console.secrets.name }}
+    {{- with .Values.tenants.securityContext }}
+    securityContext:
+      {{ toYaml . | nindent 6 }}
+    {{ end }}
+  {{- end }}
--- a/chart/deps/minio/values.yaml
+++ b/chart/deps/minio/values.yaml
@@ -3,33 +3,31 @@
 ## This is a YAML-formatted file.
 ## Declare variables to be passed into your templates.
 ## Configure number of MinIO Operator Deployment Replicas
-replicas:
-  count: 1
+#replicas:
+#  count: 1

 hostname: bigbang.dev
-nameOverride: ""
-fullnameOverride: ""
+#nameOverride: ""
+#fullnameOverride: ""

 # Configure repo and tag of MinIO Operator Image
-image:
-  name: registry1.dso.mil/ironbank/opensource/minio/minio
-  tag: RELEASE.2020-11-19T23-48-16Z
-  imagePullPolicy: IfNotPresent
+#image:
+#  name: registry1.dso.mil/ironbank/opensource/minio/minio
+#  tag: RELEASE.2020-11-19T23-48-16Z
+#  imagePullPolicy: IfNotPresent

-zones:
+#zones:
  # refer to documentation for number of servers versus volumes per server
  #  https://docs.min.io/docs/minio-server-limits-per-tenant.html
-  servers: 3       # scale to 3 for dev
+#  servers: 3       # scale to 3 for dev
+#volumesPerServer: 2  # 2 is minimum volumes with 3 servers

-volumesPerServer: 2  # 2 is minimum volumes with 3 servers
+#volumeClaimTemplate:
+#  accessModes: ReadWriteOnce
+#  storage: 1Gi  # scale down for dev

-volumeClaimTemplate:
-  accessModes: ReadWriteOnce
-  storage: 1Gi  # scale down for dev
-
-minioRootCreds: default-minio-creds-secret
-
-imagePullSecrets: [ ]
+imagePullSecrets:
+  - name: private-registry

 serviceAccount:
  # Specifies whether a service account should be created
@@ -67,4 +65,142 @@ monitoring:
  enabled: false
  namespace: monitoring

-mcImage: registry1.dso.mil/ironbank/opensource/minio/mc:RELEASE.2021-03-23T05-46-11Z
\ No newline at end of file
+
+## MinIO Tenant Definition
+tenants:
+  # Tenant name
+  name: minio
+    ## Registry location and Tag to download MinIO Server image
+# Configure repo and tag of MinIO Operator Image
+  image:
+    repository: registry1.dso.mil/ironbank/opensource/minio/minio
+    tag: RELEASE.2020-11-19T23-48-16Z
+    pullPolicy: "IfNotPresent"
+  imagePullSecret:
+    name: private-registry
+    ## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
+    ## If not specified, the Tenant pods will be dispatched by default scheduler.
+    ##scheduler:
+    ##  name:
+  scheduler: {}
+
+    ## Used to specify a toleration for a pod
+  tolerations: {}
+      ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+    ## eligible to run on a node, the node must have each of the
+    ## indicated key-value pairs as labels.
+    ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  nodeSelector: {}
+    ## Affinity settings for MinIO pods. Read more about affinity
+    ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+  affinity: {}
+    ## Configure resource requests and limits for MinIO containers
+  resources: {}
+    ## Configure security context
+    ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+  securityContext:
+    runAsUser: 1001
+    runAsGroup: 1001
+    fsGroup: 1001
+  secrets:
+    name: minio-creds-secret
+    accessKey: ThisIsAVeryLongPasswordForExample
+    secretKey: ThisIsAVeryLongPasswordForExample
+  metrics:
+    enabled: false
+    port: 9000
+    ## Specification for MinIO Pool(s) in this Tenant.
+  pools:
+      ## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
+      ## For standalone mode, supply 1. For distributed mode, supply 4 or more.
+      ## Note that the operator does not support upgrading from standalone to distributed mode.
+    - servers: 4
+        ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
+      volumesPerServer: 4
+        ## size specifies the capacity per volume
+      size: 1Gi
+        ## storageClass specifies the storage class name to be used for this pool
+      storageClassName: standard
+        ## Used to specify a toleration for a pod
+      tolerations: {}
+          ## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
+        ## eligible to run on a node, the node must have each of the
+        ## indicated key-value pairs as labels.
+        ## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+      nodeSelector: {}
+        ## Affinity settings for MinIO pods. Read more about affinity
+        ## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
+      affinity: {}
+        ## Configure resource requests and limits for MinIO containers
+      resources: {}
+        ## Configure security context
+        ## BB Note: Defaults for Ironbank image are 1001 for user, group, and fsGroup
+      securityContext:
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
+    ## Mount path where PV will be mounted inside container(s).
+  mountPath: /export
+    ## Sub path inside Mount path where MinIO stores data.
+  subPath: /data
+  certificate:
+      ## Use this field to provide a list of Secrets with external certificates. This can be used to to configure
+      ## TLS for MinIO Tenant pods. Create secrets as explained here:
+      ## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
+    externalCertSecret: {}
+      ## Enable automatic Kubernetes based certificate generation and signing as explained in
+      ## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
+      ## false = disabled TLS endpoints at the tenants
+    requestAutoCert: false
+      ## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
+      ## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
+      ## not provided. DNS name format is *.minio.default.svc.cluster.local
+      ##certConfig:
+      ## commonName: ""
+      ##  organizationName: []
+      ##  dnsNames: []
+    certConfig: {}
+    ## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
+    ## accessible as DNS entries of form `<bucketname>.minio.default.svc.cluster.local`
+  s3:
+      ## This feature is turned off by default
+    bucketDNS: false
+    ## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
+    ## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
+    ## for details.
+  podManagementPolicy: Parallel
+    ## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
+    ## services created by the operator.
+    ##serviceMetadata: {}
+  serviceMetadata:
+    minioServiceLabels:
+      label: minio-svc
+    minioServiceAnnotations:
+      v2.min.io: minio-svc
+    # consoleServiceLabels:
+    #   label: console-svc
+    # consoleServiceAnnotations:
+    #   v2.min.io: console-svc
+
+    ## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
+  env: {}
+    ## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
+    ## This is applied to MinIO pods only.
+    ## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
+    # e.g., priorityClassName: high-priority
+  priorityClassName : ""
+    ## Define configuration for Console (Graphical user interface for MinIO)
+    ## Refer https://github.com/minio/console
+  console:
+    enabled: false
+    image:
+      repository: minio/console
+      tag: v0.6.3
+      pullPolicy: IfNotPresent
+    replicaCount: 1
+    secrets:
+      name: minio-console-secret
+      passphrase: ThisIsAVeryLongConsolePasswordForExample
+      salt: ThisIsAVeryLongConsolePasswordForExample
+      accessKey: ThisIsAVeryLongConsolePasswordForExample
+      secretKey: ThisIsAVeryLongConsolePasswordForExample
--- a/chart/templates/mattermost.yaml
+++ b/chart/templates/mattermost.yaml
@@ -155,6 +155,6 @@ spec:

  fileStore:
    external:
-      url: {{ .Values.fileStore.url | default (printf "%s:9000" .Values.minio.service.nameOverride) }}
+      url: {{ .Values.fileStore.url | default "minio:80" }}
      bucket: {{ .Values.fileStore.bucket | default "mattermost" }}
-      secret: {{ .Values.fileStore.secret | default "mattermost-objstore-creds" }}
+      secret: {{ .Values.fileStore.secret | default .Values.minio.tenants.secrets.name }}
--- a/chart/templates/objectstorage-credentials.yaml
+++ b/chart/templates/objectstorage-credentials.yaml
-{{- if and (not .Values.fileStore.secret) .Values.minio.install }}
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  name: mattermost-objstore-creds
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{ include "mattermost.labels" . | nindent 4 }}
-    app.kubernetes.io/component: "objectstorage"
-data:
-  accesskey: {{ .Values.minio.accessKey | b64enc }}
-  secretkey: {{ .Values.minio.secretKey | b64enc }}
-{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -98,19 +98,11 @@ existingSecretEnvs: {}
 minio:
  install: false

-  # Override the minio service name for easier connection setup
-  service:
-    nameOverride: "minio-mattermost-service"
-
-  # Specify the secret to the Mattermost created secret
-  minioRootCreds: mattermost-objstore-creds
-
-  # Credentials to populate the secret with
-  accessKey: minio
-  secretKey: minio#123 # default key, change this!
-
-  imagePullSecrets:
-  - name: private-registry
+  tenants:
+    secrets:
+      name: "mattermost-objstore-creds"
+      accessKey: "minio"
+      secretKey: "minio#123" # default key, change this!

 postgresql:
  install: false

--- a/tests/dependencies.yaml
+++ b/tests/dependencies.yaml
 mattermostoperator:
  git: "https://repo1.dso.mil/platform-one/big-bang/apps/collaboration-tools/mattermost-operator.git"
  namespace: "mattermost-operator"
-  branch: "1.12.0-bb.0"
+  branch: "1.13.0-bb.2"

 miniooperator:
  git: "https://repo1.dso.mil/platform-one/big-bang/apps/application-utilities/minio-operator.git"
  namespace: "minio-operator"
-  branch: "2.0.9-bb.1"
+  branch: "4.0.4-bb.1"