add helm charts

Ybehrooz
2025-11-09 13:22:40 +03:30
parent 282c3e52d0
commit 38e4d749ad
1352 changed files with 190457 additions and 0 deletions


@@ -0,0 +1,81 @@
CHART NAME: {{ .Chart.Name }}
CHART VERSION: {{ .Chart.Version }}
APP VERSION: {{ .Chart.AppVersion }}
Did you know there are enterprise versions of the Bitnami catalog? For enhanced secure software supply chain features, unlimited pulls from Docker, LTS support, or application customization, see Bitnami Premium or Tanzu Application Catalog. See https://www.arrow.com/globalecs/na/vendors/bitnami for more information.
** Please be patient while the chart is being deployed **
MinIO® can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
To get your credentials run:
export ROOT_USER=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "minio.secretName" . }} -o jsonpath="{.data.{{ include "minio.rootUserKey" . }}}" | base64 -d)
export ROOT_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "minio.secretName" . }} -o jsonpath="{.data.{{ include "minio.rootPasswordKey" . }}}" | base64 -d)
To connect to your MinIO® server using a client:
- Run a MinIO® Client pod and append the desired command (e.g. 'admin info'):
kubectl run --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-client \
--rm --tty -i --restart='Never' \
--env MINIO_SERVER_ROOT_USER=$ROOT_USER \
--env MINIO_SERVER_ROOT_PASSWORD=$ROOT_PASSWORD \
--env MINIO_SERVER_HOST={{ include "common.names.fullname" . }} \
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
--labels="{{ include "common.names.fullname" . }}-client=true" \
{{- end }}
--image {{ template "minio.clientImage" . }} -- admin info minio
{{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
NOTE: Since NetworkPolicy is enabled, only pods with label
"{{ template "common.names.fullname" . }}-client=true" will be able to connect to MinIO®.
{{- end }}
{{- if (not .Values.disableWebUI) }}
To access the MinIO® web UI:
- Get the MinIO® URL:
{{- if .Values.ingress.enabled }}
You should be able to access your new MinIO® web UI through
{{ if .Values.ingress.tls }}https{{ else }}http{{ end }}://{{ .Values.ingress.hostname }}/minio/
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}'
{{- $port:=.Values.service.ports.console | toString }}
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
echo "MinIO® web URL: http://$SERVICE_IP{{- if ne $port "80" }}:{{ .Values.service.ports.console }}{{ end }}/minio"
{{- else if contains "ClusterIP" .Values.service.type }}
echo "MinIO® web URL: http://127.0.0.1:{{ .Values.containerPorts.console }}/minio"
kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . }} {{ .Values.containerPorts.console }}:{{ .Values.service.ports.console }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo "MinIO® web URL: http://$NODE_IP:$NODE_PORT/minio"
{{- end }}
{{- else }}
WARN: MinIO® Web UI is disabled.
{{- end }}
{{- include "common.warnings.rollingTag" .Values.image }}
{{- include "common.warnings.rollingTag" .Values.clientImage }}
{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }}
{{- include "minio.validateValues" . }}
{{- include "common.warnings.resources" (dict "sections" (list "provisioning" "" "volumePermissions") "context" $) }}
{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.image .Values.clientImage .Values.volumePermissions.image) "context" $) }}
{{- include "common.errors.insecureImages" (dict "images" (list .Values.image .Values.clientImage .Values.volumePermissions.image) "context" $) }}
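Review bot: The printed `kubectl run` command passes the root credentials as unquoted `--env MINIO_SERVER_ROOT_USER=$ROOT_USER` and `--env MINIO_SERVER_ROOT_PASSWORD=$ROOT_PASSWORD`, so a password containing whitespace or glob characters is word-split by the shell. The value also lands in clear text in the client pod's spec, where anyone allowed to read pods in the namespace can see it. Quoting the expansions, e.g. `--env MINIO_SERVER_ROOT_PASSWORD="$ROOT_PASSWORD"`, fixes the first problem; for the second, the notes should tell operators that the client pod is throwaway (`--rm`) and must not be left running. The three `echo "MinIO® web URL: http://…"` lines always print `http`, although the StatefulSet in this commit derives `MINIO_SCHEME` from `.Values.tls.enabled`. The opening paragraph reads `.Values.service.port` while the rest of the file uses `.Values.service.ports.console`, so that port probably renders empty.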


@@ -0,0 +1,260 @@
{{/*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
Return the proper MinIO® image name
*/}}
{{- define "minio.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper MinIO® Client image name
*/}}
{{- define "minio.clientImage" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.clientImage "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper image name (for the init container volume-permissions image)
*/}}
{{- define "minio.volumePermissions.image" -}}
{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "minio.imagePullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.clientImage .Values.volumePermissions.image) "context" $) -}}
{{- end -}}
{{/*
Get the user to use to access MinIO®
*/}}
{{- define "minio.secret.userValue" -}}
{{- if (and (empty .Values.auth.rootUser) .Values.auth.forcePassword) }}
{{ required "A root username is required!" .Values.auth.rootUser }}
{{- else -}}
{{- include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "root-user" "providedValues" (list "auth.rootUser") "context" $) -}}
{{- end -}}
{{- end -}}
{{/*
Get the password to use to access MinIO®
*/}}
{{- define "minio.secret.passwordValue" -}}
{{- if (and (empty .Values.auth.rootPassword) .Values.auth.forcePassword) }}
{{ required "A root password is required!" .Values.auth.rootPassword }}
{{- else -}}
{{- include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "root-password" "providedValues" (list "auth.rootPassword") "context" $) -}}
{{- end -}}
{{- end -}}
{{/*
Get the credentials secret.
*/}}
{{- define "minio.secretName" -}}
{{- if .Values.auth.existingSecret -}}
{{- printf "%s" (tpl .Values.auth.existingSecret $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Get the root user key.
*/}}
{{- define "minio.rootUserKey" -}}
{{- if and (.Values.auth.existingSecret) (.Values.auth.rootUserSecretKey) -}}
{{- printf "%s" (tpl .Values.auth.rootUserSecretKey $) -}}
{{- else -}}
{{- "root-user" -}}
{{- end -}}
{{- end -}}
{{/*
Get the root password key.
*/}}
{{- define "minio.rootPasswordKey" -}}
{{- if and (.Values.auth.existingSecret) (.Values.auth.rootPasswordSecretKey) -}}
{{- printf "%s" (tpl .Values.auth.rootPasswordSecretKey $) -}}
{{- else -}}
{{- "root-password" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a secret object should be created
*/}}
{{- define "minio.createSecret" -}}
{{- if and (not .Values.auth.existingSecret) .Values.auth.useSecret -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a PVC object should be created (only in standalone mode)
*/}}
{{- define "minio.createPVC" -}}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.mode "standalone") }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Return the PVC name (only in standalone mode)
*/}}
{{- define "minio.claimName" -}}
{{- if and .Values.persistence.existingClaim }}
{{- printf "%s" (tpl .Values.persistence.existingClaim $) -}}
{{- else -}}
{{- printf "%s" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Returns the proper service account name depending if an explicit service account name is set
in the values file. If the name is not set it will default to either common.names.fullname if serviceAccount.create
is true or default otherwise.
*/}}
{{- define "minio.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "common.names.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Compile all warnings into a single message, and call fail.
*/}}
{{- define "minio.validateValues" -}}
{{- $messages := list -}}
{{- $messages := append $messages (include "minio.validateValues.mode" .) -}}
{{- $messages := append $messages (include "minio.validateValues.totalDrives" .) -}}
{{- $messages := append $messages (include "minio.validateValues.tls" .) -}}
{{- $messages := append $messages (include "minio.validateValues.defaultBuckets" .) -}}
{{- $messages := without $messages "" -}}
{{- $message := join "\n" $messages -}}
{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}
{{/*
Validate values of MinIO® - must provide a valid mode ("distributed" or "standalone")
*/}}
{{- define "minio.validateValues.mode" -}}
{{- $allowedValues := list "distributed" "standalone" }}
{{- if not (has .Values.mode $allowedValues) -}}
minio: mode
Invalid mode selected. Valid values are "distributed" and
"standalone". Please set a valid mode (--set mode="xxxx")
{{- end -}}
{{- end -}}
{{/*
Validate values of MinIO® - total number of drives should be greater than 4
*/}}
{{- define "minio.validateValues.totalDrives" -}}
{{- $replicaCount := int .Values.statefulset.replicaCount }}
{{- $drivesPerNode := int .Values.statefulset.drivesPerNode }}
{{- $zones := int .Values.statefulset.zones }}
{{- $totalDrives := mul $replicaCount $zones $drivesPerNode }}
{{- if and (eq .Values.mode "distributed") (lt $totalDrives 4) -}}
minio: total drives
The total number of drives should be greater than 4 to guarantee erasure coding!
Please set a combination of nodes, and drives per node that match this condition.
For instance (--set statefulset.replicaCount=2 --set statefulset.drivesPerNode=2)
{{- end -}}
{{- end -}}
{{/*
Validate values of MinIO® - TLS secret must provided if TLS is enabled
*/}}
{{- define "minio.validateValues.tls" -}}
{{- if and .Values.tls.enabled (not .Values.tls.existingSecret) (not .Values.tls.autoGenerated) }}
minio: tls.existingSecret, tls.autoGenerated
In order to enable TLS, you also need to provide
an existing secret containing the TLS certificates or
enable auto-generated certificates.
{{- end -}}
{{- end -}}
{{/*
Validate values of MinIO® - defaultBuckets does not work in distributed mode
*/}}
{{- define "minio.validateValues.defaultBuckets" -}}
{{- if and (eq .Values.mode "distributed") (not (empty .Values.defaultBuckets)) }}
minio: defaultBuckets
defaultBuckets does not work in distributed mode.
Use a provisioning job instead.
{{- end -}}
{{- end -}}
{{/*
Return the secret containing MinIO TLS certificates
*/}}
{{- define "minio.tlsSecretName" -}}
{{- if .Values.tls.existingSecret -}}
{{- printf "%s" (tpl .Values.tls.existingSecret $) -}}
{{- else -}}
{{- printf "%s-crt" (include "common.names.fullname" .) -}}
{{- end -}}
{{- end -}}
{{/*
Return true if a TLS secret object should be created
*/}}
{{- define "minio.createTlsSecret" -}}
{{- if and .Values.tls.enabled .Values.tls.autoGenerated (not .Values.tls.existingSecret) }}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Provisioning job labels (exclude matchLabels from standard labels)
*/}}
{{- define "minio.labels.provisioning" -}}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.provisioning.podLabels .Values.commonLabels ) "context" . ) }}
{{- $provisioningLabels := (include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | fromYaml ) -}}
{{- range (include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | fromYaml | keys ) -}}
{{- $_ := unset $provisioningLabels . -}}
{{- end -}}
{{- print ($provisioningLabels | toYaml) -}}
{{- end -}}
{{/*
Return the ingress anotation
*/}}
{{- define "minio.ingress.annotations" -}}
{{ .Values.ingress.annotations | toYaml }}
{{- end -}}
{{/*
Return the api ingress anotation
*/}}
{{- define "minio.apiIngress.annotations" -}}
{{ .Values.apiIngress.annotations | toYaml }}
{{- end -}}
{{/*
Return the ingress hostname
*/}}
{{- define "minio.ingress.hostname" -}}
{{- tpl .Values.ingress.hostname $ -}}
{{- end -}}
{{/*
Return the api ingress hostname
*/}}
{{- define "minio.apiIngress.hostname" -}}
{{- tpl .Values.apiIngress.hostname $ -}}
{{- end -}}
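Review bot: In `minio.validateValues.totalDrives` the message and its header comment say the total number of drives "should be greater than 4", but the condition is `lt $totalDrives 4`, so exactly 4 drives is accepted, as the message's own example (`replicaCount=2`, `drivesPerNode=2`) shows. The text should read `The total number of drives should be at least 4 to guarantee erasure coding!`, and the comment above the define should say the same. The message also never mentions `statefulset.zones`, although `$zones` is part of the product being checked, so an operator who only changed zones gets no hint about it.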


@@ -0,0 +1,60 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.apiIngress.enabled -}}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "common.names.fullname" . }}-api
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list (include "minio.apiIngress.annotations" . | fromYaml) .Values.commonAnnotations ) "context" . ) }}
{{- if $annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.apiIngress.ingressClassName (include "common.ingress.supportsIngressClassname" .) }}
ingressClassName: {{ .Values.apiIngress.ingressClassName | quote }}
{{- end }}
rules:
{{- if (include "minio.apiIngress.hostname" .) }}
- host: {{ include "minio.apiIngress.hostname" . }}
http:
paths:
{{- if .Values.apiIngress.extraPaths }}
{{- toYaml .Values.apiIngress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.apiIngress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.apiIngress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "minio-api" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.apiIngress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "minio-api" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.apiIngress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.apiIngress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- $annotationsMap := include "common.tplvalues.render" (dict "value" $annotations "context" $) | fromYaml }}
{{- if or (and .Values.apiIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" $annotationsMap )) .Values.apiIngress.selfSigned)) .Values.apiIngress.extraTls }}
tls:
{{- if and .Values.apiIngress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" $annotationsMap )) .Values.apiIngress.selfSigned) }}
- hosts:
- {{ include "minio.apiIngress.hostname" . }}
secretName: {{ printf "%s-tls" (include "minio.apiIngress.hostname" .) }}
{{- end }}
{{- if .Values.apiIngress.extraTls }}
{{- include "common.tplvalues.render" ( dict "value" .Values.apiIngress.extraTls "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
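Review bot: With `apiIngress.tls` set to true but no cert-manager annotation, `apiIngress.selfSigned` false and `apiIngress.extraTls` empty, the outer `if or (and .Values.apiIngress.tls …) .Values.apiIngress.extraTls` is false and no `tls:` block is rendered, so the S3 API Ingress carries no TLS configuration even though the operator asked for it. As far as this file shows, nothing else references a pre-created `<hostname>-tls` secret. I would either render the `hosts`/`secretName` entry whenever `.Values.apiIngress.tls` is true, or add a check to `minio.validateValues` that fails the install for this combination. The main rule also emits `host:` and `path:` unquoted while the `extraHosts` entries use `| quote`; `- host: {{ include "minio.apiIngress.hostname" . | quote }}` would be consistent.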


@@ -0,0 +1,30 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (eq .Values.mode "distributed") }}
apiVersion: v1
kind: Service
metadata:
name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.service.headless.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
- name: minio-api
port: {{ .Values.service.ports.api }}
targetPort: minio-api
- name: minio-console
port: {{ .Values.service.ports.console }}
targetPort: minio-console
publishNotReadyAddresses: true
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
{{- end }}
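Review bot: The Service name is built with `printf "%s-headless" (include "common.names.fullname" .) | trunc 63` and no `trimSuffix "-"`, so a long release name can be cut in the middle of the suffix and end in a hyphen, which is not a valid Service name. `| trunc 63 | trimSuffix "-"` avoids that. The identical expression for `$headlessService` in the distributed StatefulSet template of this commit has to change with it, so that `serviceName` still matches this Service.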


@@ -0,0 +1,367 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (eq .Values.mode "distributed") }}
{{- $fullname := include "common.names.fullname" . }}
{{- $headlessService := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 }}
{{- $releaseNamespace := include "common.names.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $apiPort := toString .Values.containerPorts.api }}
{{- $replicaCount := int .Values.statefulset.replicaCount }}
{{- $zoneCount := int .Values.statefulset.zones }}
{{- $drivesPerNode := int .Values.statefulset.drivesPerNode }}
{{- $mountPath := .Values.persistence.mountPath }}
apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ $fullname }}
namespace: {{ $releaseNamespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
serviceName: {{ $headlessService }}
replicas: {{ mul $zoneCount $replicaCount }}
podManagementPolicy: {{ .Values.statefulset.podManagementPolicy }}
{{- if .Values.statefulset.updateStrategy }}
updateStrategy: {{- toYaml .Values.statefulset.updateStrategy | nindent 4 }}
{{- end }}
template:
metadata:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
{{- if or .Values.podAnnotations (include "minio.createSecret" .) }}
annotations:
{{- if (include "minio.createSecret" .) }}
checksum/credentials-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "minio.imagePullSecrets" . | nindent 6 }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
serviceAccountName: {{ template "minio.serviceAccountName" . }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName | quote }}
{{- end}}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) }}
initContainers:
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ template "minio.volumePermissions.image" . }}
imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
{{- if and .Values.persistence.enabled (gt $drivesPerNode 1) }}
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ range $diskId := until $drivesPerNode }}{{ $mountPath }}-{{ $diskId }} {{ end }}
{{- else }}
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $mountPath }}
{{- end }}
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if and .Values.persistence.enabled (gt $drivesPerNode 1) }}
{{- range $diskId := until $drivesPerNode }}
- name: data-{{ $diskId }}
mountPath: {{ $mountPath }}-{{ $diskId }}
{{- end }}
{{- else }}
- name: data
mountPath: {{ $mountPath }}
{{- end }}
{{- end }}
{{- end }}
containers:
- name: minio
image: {{ include "minio.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: MINIO_DISTRIBUTED_MODE_ENABLED
value: "yes"
- name: MINIO_DISTRIBUTED_NODES
{{- $clusters := list }}
{{- range $i := until $zoneCount }}
{{- $factor := mul $i $replicaCount }}
{{- $endIndex := sub (add $factor $replicaCount) 1 }}
{{- $beginIndex := mul $i $replicaCount }}
{{- $bucket := ternary (printf "%s-{0...%d}" $mountPath (sub $drivesPerNode 1)) $mountPath (gt $drivesPerNode 1) }}
{{- $clusters = append $clusters (printf "%s-{%d...%d}.%s.%s.svc.%s:%s%s" $fullname $beginIndex $endIndex $headlessService $releaseNamespace $clusterDomain $apiPort $bucket) }}
{{- end }}
value: {{ join "," $clusters | quote }}
- name: MINIO_SCHEME
value: {{ ternary "https" "http" .Values.tls.enabled | quote }}
- name: MINIO_FORCE_NEW_KEYS
value: {{ ternary "yes" "no" .Values.auth.forceNewKeys | quote }}
{{- if .Values.auth.useCredentialsFiles }}
- name: MINIO_ROOT_USER_FILE
value: "/opt/bitnami/minio/secrets/root-user"
- name: MINIO_ROOT_PASSWORD_FILE
value: "/opt/bitnami/minio/secrets/root-password"
{{- else }}
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootUserKey" . }}
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootPasswordKey" . }}
{{- end }}
- name: MINIO_SKIP_CLIENT
value: {{ ternary "yes" "no" (empty .Values.defaultBuckets) | quote }}
{{- if .Values.defaultBuckets }}
- name: MINIO_DEFAULT_BUCKETS
value: {{ .Values.defaultBuckets }}
{{- end }}
- name: MINIO_BROWSER
value: {{ ternary "off" "on" .Values.disableWebUI | quote }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: {{ .Values.metrics.prometheusAuthType | quote }}
{{- if .Values.tls.mountPath }}
- name: MINIO_CERTS_DIR
value: {{ .Values.tls.mountPath | quote }}
{{- end }}
- name: MINIO_CONSOLE_PORT_NUMBER
value: {{ .Values.containerPorts.console | quote }}
- name: MINIO_API_PORT_NUMBER
value: {{ .Values.containerPorts.api | quote }}
- name: MINIO_DATA_DIR
value: {{ ternary (printf "%s-0" $mountPath) $mountPath (gt $drivesPerNode 1) | quote }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- name: minio-api
containerPort: {{ .Values.containerPorts.api }}
protocol: TCP
- name: minio-console
containerPort: {{ .Values.containerPorts.console }}
protocol: TCP
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /minio/health/live
port: minio-api
scheme: {{ ternary "HTTPS" "HTTP" .Values.tls.enabled | quote }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: minio-api
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: minio-api
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/minio/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /.mc
subPath: app-mc-dir
{{- if .Values.auth.useCredentialsFiles }}
- name: minio-credentials
mountPath: /opt/bitnami/minio/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: minio-certs
mountPath: {{ default "/certs" .Values.tls.mountPath }}
{{- end }}
{{- if gt $drivesPerNode 1 }}
{{- range $diskId := until $drivesPerNode }}
- name: data-{{ $diskId }}
mountPath: {{ $mountPath }}-{{ $diskId }}
{{- end }}
{{- else }}
- name: data
mountPath: {{ $mountPath }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.auth.useCredentialsFiles }}
- name: minio-credentials
secret:
secretName: {{ include "minio.secretName" . }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: minio-certs
secret:
secretName: {{ include "minio.tlsSecretName" . }}
items:
- key: tls.crt
path: public.crt
- key: tls.key
path: private.key
- key: ca.crt
path: CAs/public.crt
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- if and (not .Values.persistence.enabled) (gt $drivesPerNode 1) }}
{{- range $diskId := until $drivesPerNode }}
- name: data-{{ $diskId }}
emptyDir: {}
{{- end }}
{{- else if not .Values.persistence.enabled }}
- name: data
emptyDir: {}
{{- else }}
volumeClaimTemplates:
{{- if gt $drivesPerNode 1 }}
{{- range $diskId := until $drivesPerNode }}
- metadata:
name: data-{{ $diskId }}
labels: {{- include "common.labels.matchLabels" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 10 }}
{{- if $.Values.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range $.Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ $.Values.persistence.size | quote }}
{{- if $.Values.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }}
{{- end }}
{{- include "common.storage.class" (dict "persistence" $.Values.persistence "global" $.Values.global) | nindent 8 }}
{{- end }}
{{- else }}
- metadata:
name: data
labels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 10 }}
{{- if .Values.persistence.annotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.persistence.annotations "context" $) | nindent 10 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.selector }}
selector: {{- include "common.tplvalues.render" (dict "value" .Values.persistence.selector "context" $) | nindent 10 }}
{{- end }}
{{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
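Review bot: In the `volumeClaimTemplates` branch for `drivesPerNode > 1`, the selector line inside `range $diskId := until $drivesPerNode` passes `"value" .Values.persistence.selector`, but inside the range `.` is the loop element (an integer). Rendering should therefore fail as soon as `persistence.selector` is set with several drives per node; the neighbouring lines in the same loop already use `$.Values`. The line should read `selector: {{- include "common.tplvalues.render" (dict "value" $.Values.persistence.selector "context" $) | nindent 10 }}`. Two smaller points: `MINIO_DEFAULT_BUCKETS` is emitted as `value: {{ .Values.defaultBuckets }}` without `| quote`, unlike the neighbouring env values, and the `volume-permissions` script interpolates `$mountPath` into `chown -R` unquoted, so a mount path containing a space would change which paths are chown'ed.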


@@ -0,0 +1,9 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- range .Values.extraDeploy }}
---
{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
{{- end }}


@@ -0,0 +1,60 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.ingress.enabled (not .Values.disableWebUI ) -}}
apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list (include "minio.ingress.annotations" . | fromYaml) .Values.commonAnnotations ) "context" . ) }}
{{- if $annotations }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.ingressClassName (include "common.ingress.supportsIngressClassname" .) }}
ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
{{- end }}
rules:
{{- if (include "minio.ingress.hostname" .) }}
- host: {{ include "minio.ingress.hostname" . }}
http:
paths:
{{- if .Values.ingress.extraPaths }}
{{- toYaml .Values.ingress.extraPaths | nindent 10 }}
{{- end }}
- path: {{ .Values.ingress.path }}
{{- if eq "true" (include "common.ingress.supportsPathType" .) }}
pathType: {{ .Values.ingress.pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" .) "servicePort" "minio-console" "context" $) | nindent 14 }}
{{- end }}
{{- range .Values.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default "/" .path }}
{{- if eq "true" (include "common.ingress.supportsPathType" $) }}
pathType: {{ default "ImplementationSpecific" .pathType }}
{{- end }}
backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "minio-console" "context" $) | nindent 14 }}
{{- end }}
{{- if .Values.ingress.extraRules }}
{{- include "common.tplvalues.render" (dict "value" .Values.ingress.extraRules "context" $) | nindent 4 }}
{{- end }}
{{- $annotationsMap := include "common.tplvalues.render" (dict "value" $annotations "context" $) | fromYaml }}
{{- if or (and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" $annotationsMap )) .Values.ingress.selfSigned)) .Values.ingress.extraTls }}
tls:
{{- if and .Values.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" $annotationsMap )) .Values.ingress.selfSigned) }}
- hosts:
- {{ include "minio.ingress.hostname" . }}
secretName: {{ printf "%s-tls" (include "minio.ingress.hostname" .) }}
{{- end }}
{{- if .Values.ingress.extraTls }}
{{- include "common.tplvalues.render" ( dict "value" .Values.ingress.extraTls "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
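Review bot: The primary rule's `host:` value and the entry under `tls.hosts` are rendered unquoted, while the `extraHosts` loop in the same template quotes `.name`. A wildcard hostname (constructed example: `*.example.com`) would start with `*`, which YAML reads as an alias, so the manifest would fail to parse. I would pipe both through `quote`: `- host: {{ include "minio.ingress.hostname" . | quote }}` and, under `tls.hosts`, `- {{ include "minio.ingress.hostname" . | quote }}`.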


@@ -0,0 +1,83 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
policyTypes:
- Ingress
- Egress
{{- if .Values.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.api }}
- port: {{ .Values.containerPorts.console }}
- port: {{ .Values.service.ports.api }}
- port: {{ .Values.service.ports.console }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
{{- if .Values.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
# Allow inbound connections
- ports:
- port: {{ .Values.containerPorts.console }}
- port: {{ .Values.containerPorts.api }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ include "common.names.fullname" . }}-client: "true"
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
{{- if or .Values.networkPolicy.ingressNSMatchLabels .Values.networkPolicy.ingressNSPodMatchLabels }}
- namespaceSelector:
matchLabels:
{{- if .Values.networkPolicy.ingressNSMatchLabels }}
{{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{ else }}
{}
{{- end }}
{{- if .Values.networkPolicy.ingressNSPodMatchLabels }}
podSelector:
matchLabels:
{{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- $extraIngress := coalesce .Values.networkPolicy.extraIngress .Values.networkPolicy.extraFromClauses }}
{{- if $extraIngress }}
{{- toYaml $extraIngress | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
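Review bot: `networkPolicy.extraIngress` appears to be rendered in two structurally different places: the `coalesce` inside the `from:` list prefers it over `extraFromClauses` and emits it as peers, and the block just before the final `end` emits the same value again as whole ingress rules. A value shaped as ingress rules (with `ports`/`from`) is not a valid peer, so setting `extraIngress` while `allowExternal` is false would likely give a policy the API server rejects, or an allow-list that is not what the operator intended. Indentation is lost on this page, so this is read from the template nesting alone. I would keep only the legacy key inside `from:`: `{{- $extraIngress := .Values.networkPolicy.extraFromClauses }}`.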


@@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.pdb.create }}
apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.pdb.minAvailable }}
minAvailable: {{ .Values.pdb.minAvailable }}
{{- end }}
{{- if or .Values.pdb.maxUnavailable ( not .Values.pdb.minAvailable ) }}
maxUnavailable: {{ .Values.pdb.maxUnavailable | default 1 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- end }}


@@ -0,0 +1,25 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }}
{{- $releaseNamespace := default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ $releaseNamespace | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: metrics
{{- if .Values.metrics.prometheusRule.additionalLabels }}
{{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $ ) | nindent 4 }}
{{- end }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
groups:
- name: {{ include "common.names.fullname" . }}
rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 6 }}
{{- end }}


@@ -0,0 +1,76 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.provisioning.enabled }}
{{- $fullname := printf "%s-provisioning" (include "common.names.fullname" .) }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $fullname }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: minio-provisioning
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
data:
{{- range $bucket := .Values.provisioning.buckets }}
{{- if $bucket.lifecycle }}
bucket-{{ $bucket.name }}.json: |
{
"Rules": [
{{- range $idx, $lifecycle := $bucket.lifecycle }}
{{- if not (eq $idx 0) }}
,
{{- end }}
{
"ID": "{{ $lifecycle.id }}",
"Status": "{{ ternary "Disabled" "Enabled" (and (not (empty $lifecycle.disabled)) $lifecycle.disabled) }}",
{{- if $lifecycle.expiry }}
"Expiration": {
{{- with $lifecycle.expiry.date }}
"Date": "{{ . }}"
{{- end }}
{{- with $lifecycle.expiry.days }}
"Days": {{ . }}
{{- end }}
}
{{- with $lifecycle.expiry.nonconcurrentDays }}
,
"NoncurrentVersionExpiration": {
"NoncurrentDays": {{ . }}
}
{{- end }}
{{- with $lifecycle.prefix }}
,
"Filter": {
"Prefix": "{{ . }}"
}
{{- end }}
}
{{- end }}
{{- end }}
]
}
{{- end }}
{{- end }}
{{- range $policy := .Values.provisioning.policies }}
policy-{{ $policy.name }}.json: |
{{- $statementsLength := sub (len $policy.statements) 1 }}
{
"Version": "2012-10-17",
"Statement": [
{{- range $i, $statement := $policy.statements }}
{
"Effect": "{{ default "Deny" $statement.effect }}"{{ if $statement.actions }},
"Action": {{ toJson $statement.actions }}{{end}}{{ if $statement.resources }},
"Resource": {{ toJson $statement.resources }}{{end}}{{ if $statement.condition }},
"Condition": {{ toJson $statement.condition }}{{end}}
}{{ if lt $i $statementsLength }},{{end }}
{{- end }}
]
}
{{- end }}
{{- end }}
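Review bot: The lifecycle rules are built by pasting values straight into JSON string literals (`"ID": "{{ $lifecycle.id }}"`, `"Date": "{{ . }}"`, `"Prefix": "{{ . }}"`), so a value containing a double quote or backslash breaks the document or changes its structure, while the policy block below already uses `toJson` for actions, resources and conditions. I would encode them the same way: `"ID": {{ $lifecycle.id | toJson }},` and `"Prefix": {{ . | toJson }}`. Separately, the closing `}` of each rule and the `Filter` block sit inside `if $lifecycle.expiry`, and `Date` and `Days` have no comma between them, so a rule without `expiry`, or with both set, seems to render invalid JSON. A `fail` guard for those cases would surface the error at template time instead of in the provisioning Job.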


@@ -0,0 +1,370 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.provisioning.enabled }}
{{- $fullname := printf "%s-provisioning" (include "common.names.fullname" .) }}
{{- $minioAlias := "provisioning" }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ $fullname }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
app.kubernetes.io/component: minio-provisioning
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation
{{- if .Values.commonAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- if .Values.provisioning.cleanupAfterFinished.enabled }}
ttlSecondsAfterFinished: {{ .Values.provisioning.cleanupAfterFinished.seconds }}
{{- end }}
parallelism: 1
template:
metadata:
labels: {{- include "minio.labels.provisioning" . | nindent 8 }}
app.kubernetes.io/component: minio-provisioning
{{- if .Values.provisioning.podAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.provisioning.podAnnotations "context" $) | nindent 8 }}
{{- end }}
spec:
{{- include "minio.imagePullSecrets" . | nindent 6 }}
{{- if .Values.provisioning.schedulerName }}
schedulerName: {{ .Values.provisioning.schedulerName }}
{{- end }}
restartPolicy: OnFailure
terminationGracePeriodSeconds: 0
{{- if .Values.provisioning.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
serviceAccountName: {{ template "minio.serviceAccountName" . }}
initContainers:
- name: wait-for-available-minio
image: {{ include "minio.volumePermissions.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.provisioning.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
command:
- /bin/bash
- -c
- |-
set -e;
echo "Waiting for Minio";
wait-for-port \
--host={{ include "common.names.fullname" . }} \
--state=inuse \
--timeout=120 \
{{ .Values.service.ports.api | int64 }};
echo "Minio is available";
{{- if .Values.provisioning.resources }}
resources: {{- toYaml .Values.provisioning.resources | nindent 12 }}
{{- else if ne .Values.provisioning.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.provisioning.resourcesPreset) | nindent 12 }}
{{- end }}
containers:
- name: minio
image: {{ include "minio.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.provisioning.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.provisioning.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.provisioning.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.command "context" $) | nindent 12 }}
{{- else }}
command:
- /bin/bash
- -c
- |-
set -e;
echo "Start Minio provisioning";
retry_while() {
local -r cmd="${1:?cmd is missing}"
local -r retries="${2:-12}"
local -r sleep_time="${3:-5}"
local return_value=1
read -r -a command <<< "$cmd"
for ((i = 1 ; i <= retries ; i+=1 )); do
"${command[@]}" && return_value=0 && break
sleep "$sleep_time"
done
return $return_value
}
function attachPolicy() {
local tmp=$(mc admin $1 info {{ $minioAlias }} $2 | sed -n -e 's/^Policy.*: \(.*\)$/\1/p');
IFS=',' read -r -a CURRENT_POLICIES <<< "$tmp";
if [[ ! "${CURRENT_POLICIES[*]}" =~ "$3" ]]; then
mc admin policy attach {{ $minioAlias }} $3 --$1=$2;
fi;
};
function detachDanglingPolicies() {
local tmp=$(mc admin $1 info {{ $minioAlias }} $2 | sed -n -e 's/^Policy.*: \(.*\)$/\1/p');
IFS=',' read -r -a CURRENT_POLICIES <<< "$tmp";
IFS=',' read -r -a DESIRED_POLICIES <<< "$3";
for current in "${CURRENT_POLICIES[@]}"; do
if [[ ! "${DESIRED_POLICIES[*]}" =~ "${current}" ]]; then
mc admin policy detach {{ $minioAlias }} $current --$1=$2;
fi;
done;
}
function addUsersFromFile() {
local username=$(grep -oP '^username=\K.+' $1);
local password=$(grep -oP '^password=\K.+' $1);
local disabled=$(grep -oP '^disabled=\K.+' $1);
local policies_list=$(grep -oP '^policies=\K.+' $1);
local set_policies=$(grep -oP '^setPolicies=\K.+' $1);
mc admin user add {{ $minioAlias }} "${username}" "${password}";
IFS=',' read -r -a POLICIES <<< "${policies_list}";
for policy in "${POLICIES[@]}"; do
attachPolicy user "${username}" "${policy}";
done;
if [ "${set_policies}" == "true" ]; then
detachDanglingPolicies user "${username}" "${policies_list}";
fi;
local user_status="enable";
if [[ "${disabled}" != "" && "${disabled,,}" == "true" ]]; then
user_status="disable";
fi;
mc admin user "${user_status}" {{ $minioAlias }} "${username}";
};
{{- $minioUrl := printf "$MINIO_SCHEME://%s:%d" (include "common.names.fullname" .) (.Values.service.ports.api | int) }}
{{- $minioRootUser := ternary ("$(<$MINIO_ROOT_USER_FILE)") ("$MINIO_ROOT_USER") (.Values.auth.useCredentialsFiles) }}
{{- $minioRootPassword := ternary ("$(<$MINIO_ROOT_PASSWORD_FILE)") ("$MINIO_ROOT_PASSWORD") (.Values.auth.useCredentialsFiles) }}
mc alias set {{ $minioAlias }} {{ $minioUrl }} {{ $minioRootUser }} {{ $minioRootPassword }};
{{- range $config := .Values.provisioning.config }}
{{- $options := list }}
{{- range $name, $value := $config.options }}
{{- $options = (printf "%s=%s" $name $value) | append $options }}
{{- end }}
{{- $options := join " " $options }}
mc admin config set {{ $minioAlias }} {{ $config.name }} {{ $options }};
{{- end }}
mc admin service restart {{ $minioAlias }} --wait --json;
# Adding a sleep to ensure that the check below does not cause
# a race condition. We check for the MinIO port because the
# "mc admin service restart --wait" command is not working as expected
sleep {{ .Values.provisioning.sleepTime | default 5 }};
echo "Waiting for Minio to be available after restart";
if ! retry_while "mc admin info {{ $minioAlias }}"; then
echo "Error connecting to Minio"
exit 1
fi
echo "Minio is available. Executing provisioning commands";
{{- range $policy := .Values.provisioning.policies }}
mc admin policy create {{ $minioAlias }} {{ $policy.name }} /etc/ilm/policy-{{ $policy.name }}.json;
{{- end }}
{{- range $user := .Values.provisioning.users }}
mc admin user add {{ $minioAlias }} {{ $user.username }} {{ $user.password }};
{{- range $policy := $user.policies }}
attachPolicy user {{ $user.username }} {{ $policy }};
{{- end }}
{{- if $user.setPolicies }}
detachDanglingPolicies user {{ $user.username }} "{{ join "," $user.policies }}";
{{- end }}
{{- $userStatus := ternary ("disable") ("enable") (and (not (empty $user.disabled)) $user.disabled) }}
mc admin user {{ $userStatus }} {{ $minioAlias }} {{ $user.username }};
{{- end }}
{{- if gt (len .Values.provisioning.usersExistingSecrets) 0 }}
while read -d '' configFile; do
addUsersFromFile "${configFile}";
done < <(find "/opt/bitnami/minio/users/" -type l -not -name '..data' -print0);
{{- end }}
{{- range $group := .Values.provisioning.groups }}
mc admin group add {{ $minioAlias }} {{ $group.name }} {{ join " " $group.members }};
{{- range $policy := $group.policies }}
attachPolicy group {{ $group.name }} {{ $policy }};
{{- end }}
{{- if $group.setPolicies }}
detachDanglingPolicies group {{ $group.name }} "{{ join "," $group.policies }}";
{{- end }}
{{- $groupStatus := ternary ("disable") ("enable") (and (not (empty $group.disabled)) $group.disabled) }}
mc admin group {{ $groupStatus }} {{ $minioAlias }} {{ $group.name }};
{{- end }}
{{- range $bucket := .Values.provisioning.buckets }}
{{- $target := printf "%s/%s" $minioAlias $bucket.name }}
{{- $region := ternary (printf "--region=%s" $bucket.region) ("") (not (empty $bucket.region)) }}
{{- $withLock := ternary ("--with-lock") ("") (and (not (empty $bucket.withLock)) $bucket.withLock) }}
mc mb {{ $target }} --ignore-existing {{ $region }} {{ $withLock }};
{{- if $bucket.lifecycle }}
mc ilm import {{ $minioAlias }}/{{ $bucket.name }} < /etc/ilm/bucket-{{ $bucket.name }}.json;
{{- end }}
{{- with $bucket.quota }}
{{- if eq .type "hard" }}
mc quota set {{ $minioAlias }}/{{ $bucket.name }} {{ if .size }}--size {{ .size }}{{ end }};
{{- else }}
mc quota {{ .type }} {{ $minioAlias }}/{{ $bucket.name }} {{ if .size }}--size {{ .size }}{{ end }};
{{- end }}
{{- end }}
{{- if (or ((empty $bucket.withLock)) (not $bucket.withLock)) }}
{{- $versioning := default "Suspended" $bucket.versioning }}
{{- if kindIs "bool" $bucket.versioning }}
{{- $versioning = ternary "Versioned" "Suspended" $bucket.versioning }}
{{- end }}
{{- if eq $versioning "Versioned" }}
mc version enable {{ $minioAlias }}/{{ $bucket.name }};
{{- else if eq $versioning "Suspended" }}
mc version suspend {{ $minioAlias }}/{{ $bucket.name }};
{{- else if ne $versioning "Unchanged" }}
{{- fail (printf "Invalid value '%s' for versioning of bucket '%s'" $versioning $bucket.name) }}
{{- end }}
{{- end }}
{{- if $bucket.tags }}
{{- $target := printf "%s/%s" $minioAlias $bucket.name }}
{{- $tags := list }}
{{- range $name, $value := $bucket.tags }}
{{- $tags = (printf "%s=%s" $name $value) | append $tags }}
{{- end }}
{{- $tags = join "&" $tags | quote }}
mc tag set {{ $target }} {{ $tags }};
{{- end }}
{{- end }}
{{- if .Values.provisioning.extraCommands }}
{{ join ";" .Values.provisioning.extraCommands | nindent 14 }};
{{- end }}
echo "End Minio provisioning";
{{- end }}
{{- if .Values.provisioning.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: MINIO_SCHEME
value: {{ ternary "https" "http" .Values.tls.enabled | quote }}
{{- if .Values.auth.useCredentialsFiles }}
- name: MINIO_ROOT_USER_FILE
value: "/opt/bitnami/minio/secrets/root-user"
- name: MINIO_ROOT_PASSWORD_FILE
value: "/opt/bitnami/minio/secrets/root-password"
{{- else }}
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootUserKey" . }}
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootPasswordKey" . }}
{{- end }}
{{- if .Values.tls.mountPath }}
- name: MINIO_CERTS_DIR
value: {{ .Values.tls.mountPath | quote }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
{{- if .Values.provisioning.resources }}
resources: {{- toYaml .Values.provisioning.resources | nindent 12 }}
{{- else if ne .Values.provisioning.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.provisioning.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /.mc
subPath: app-mc-dir
- name: empty-dir
mountPath: /opt/bitnami/minio/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
{{- if .Values.provisioning.enabled }}
- name: minio-provisioning
mountPath: /etc/ilm
{{- end }}
{{- if .Values.auth.useCredentialsFiles }}
- name: minio-credentials
mountPath: /opt/bitnami/minio/secrets/
{{- end }}
{{- if .Values.tls.enabled }}
- name: minio-certs
mountPath: {{ default "/certs" .Values.tls.mountPath }}
- name: minio-client-certs
mountPath: /.mc/certs
{{- end }}
{{- range $idx, $_ := .Values.provisioning.usersExistingSecrets }}
- name: {{ printf "users-secret-%d" $idx }}
mountPath: /opt/bitnami/minio/users/{{ $idx }}/
{{- end }}
{{- if .Values.provisioning.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.provisioning.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.provisioning.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.provisioning.nodeSelector "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if .Values.provisioning.enabled }}
- name: minio-provisioning
configMap:
name: {{ $fullname }}
{{- end }}
{{- if .Values.auth.useCredentialsFiles }}
- name: minio-credentials
secret:
secretName: {{ include "minio.secretName" . }}
{{- end }}
{{- range $idx, $userSecret := .Values.provisioning.usersExistingSecrets }}
- name: {{ printf "users-secret-%d" $idx }}
secret:
secretName: {{ $userSecret }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: minio-certs
secret:
secretName: {{ include "minio.tlsSecretName" . }}
items:
- key: tls.crt
path: public.crt
- key: tls.key
path: private.key
- key: ca.crt
path: CAs/public.crt
- name: minio-client-certs
secret:
secretName: {{ include "minio.tlsSecretName" . }}
items:
- key: ca.crt
path: CAs/public.crt
{{- end }}
{{- if .Values.provisioning.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.provisioning.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
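Review bot: At `mc admin user add {{ $minioAlias }} {{ $user.username }} {{ $user.password }};` the password from `provisioning.users` is pasted into the bash script as bare text, so it is stored in clear in the Job spec (readable by anyone allowed to get Jobs or Pods in the namespace) and any space, `$`, quote or `;` in it is interpreted by the shell. The `usersExistingSecrets` path in the same script reads credentials from mounted files and quotes them, so a comment on the inline path should point operators there, e.g. `# NOTE: inline passwords end up in the Job manifest; prefer provisioning.usersExistingSecrets`. The root credentials on the `mc alias set` line are also expanded unquoted and would be word-split; I would write `mc alias set {{ $minioAlias }} {{ $minioUrl }} "{{ $minioRootUser }}" "{{ $minioRootPassword }}";`. The same unquoted pattern recurs in `attachPolicy`/`detachDanglingPolicies` (`$1`, `$2`, `$3`) and in the templated group and bucket commands.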


@@ -0,0 +1,50 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if and .Values.provisioning.enabled .Values.provisioning.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
metadata:
name: {{ printf "%s-provisioning" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
podSelector:
matchLabels:
app.kubernetes.io/component: minio-provisioning
policyTypes:
- Ingress
- Egress
{{- if .Values.provisioning.networkPolicy.allowExternalEgress }}
egress:
- {}
{{- else }}
egress:
# Allow dns resolution
- ports:
- port: 53
protocol: UDP
# Allow outbound connections to other cluster pods
- ports:
- port: {{ .Values.containerPorts.api }}
- port: {{ .Values.containerPorts.console }}
- port: {{ .Values.service.ports.api }}
- port: {{ .Values.service.ports.console }}
to:
- podSelector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }}
{{- if .Values.provisioning.networkPolicy.extraEgress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.dataCoord.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
ingress:
{{- if .Values.provisioning.networkPolicy.extraIngress }}
{{- include "common.tplvalues.render" ( dict "value" .Values.initJob.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
{{- end }}
{{- end }}
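Review bot: Both extra-rule blocks are guarded by `.Values.provisioning.networkPolicy.*` but render a different key: the `extraEgress` block reads `.Values.dataCoord.networkPolicy.extraEgress` and the `extraIngress` block reads `.Values.initJob.networkPolicy.extraIngress`. Neither `dataCoord` nor `initJob` is referenced anywhere else in the visible templates, so this looks like a leftover from another chart; setting either option would presumably fail rendering on a nil lookup, or drop the operator's rules. The two `dict` calls should read `dict "value" .Values.provisioning.networkPolicy.extraEgress "context" $` and `dict "value" .Values.provisioning.networkPolicy.extraIngress "context" $`.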


@@ -0,0 +1,26 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "minio.createPVC" .) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.persistence.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.persistence.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
accessModes:
{{- range .Values.persistence.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- include "common.storage.class" (dict "persistence" .Values.persistence "global" .Values.global) | nindent 2 }}
{{- end }}


@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (include "minio.createSecret" .) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: Opaque
data:
root-user: {{ include "minio.secret.userValue" . }}
root-password: {{ include "minio.secret.passwordValue" . }}
{{- end }}


@@ -0,0 +1,51 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.service.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- if or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort") }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- if and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP)) }}
loadBalancerIP: {{ .Values.service.loadBalancerIP }}
{{- end }}
ports:
- name: minio-api
port: {{ .Values.service.ports.api }}
targetPort: minio-api
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.api)) }}
nodePort: {{ .Values.service.nodePorts.api }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
- name: minio-console
port: {{ .Values.service.ports.console }}
targetPort: minio-console
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePorts.console)) }}
nodePort: {{ .Values.service.nodePorts.console }}
{{- else if eq .Values.service.type "ClusterIP" }}
nodePort: null
{{- end }}
{{- if .Values.service.extraPorts }}
{{- include "common.tplvalues.render" (dict "value" .Values.service.extraPorts "context" $) | nindent 4 }}
{{- end }}
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}


@@ -0,0 +1,20 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "minio.serviceAccountName" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }}
{{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
annotations: {{- include "common.tplvalues.render" (dict "value" $annotations "context" $) | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
secrets:
- name: {{ include "common.names.fullname" . }}
{{- end }}
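Review bot: The `secrets:` entry names `{{ include "common.names.fullname" . }}`, whereas the provisioning Job in this commit resolves the credentials Secret through `minio.secretName`. If that helper can return a different name (an existing secret, presumably; its definition is not visible here), the ServiceAccount would list a Secret the chart did not create. I would use `- name: {{ include "minio.secretName" . }}` here, or drop the `secrets:` list.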


@@ -0,0 +1,66 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- /* TODO: On major version upgrade, add .Values.metrics.enabled to that check */}}
{{- if .Values.metrics.serviceMonitor.enabled }}
{{- $releaseNamespace := default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace }}
apiVersion: {{ default "monitoring.coreos.com/v1" .Values.metrics.serviceMonitor.apiVersion }}
kind: ServiceMonitor
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ $releaseNamespace | quote }}
{{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- /* Backward Compatibility for .Values.metrics.serviceMonitor.path */}}
{{- $paths := list }}
{{- if (.Values.metrics.serviceMonitor.paths | empty | not) }}
{{- $paths = .Values.metrics.serviceMonitor.paths }}
{{- end }}
{{- if (.Values.metrics.serviceMonitor.path | empty | not) }}
{{- $paths = prepend $paths .Values.metrics.serviceMonitor.path }}
{{- end }}
{{- range $idx, $path := ($paths | uniq) }}
{{- with $ }}
- port: minio-api
path: {{ $path }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.honorLabels }}
honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 8 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelings }}
relabelings: {{- toYaml .Values.metrics.serviceMonitor.relabelings | nindent 8 }}
{{- end }}
{{- if .Values.tls.enabled }}
scheme: https
{{- end }}
{{- if .Values.metrics.serviceMonitor.tlsConfig }}
tlsConfig: {{- toYaml .Values.metrics.serviceMonitor.tlsConfig | nindent 8 }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.jobLabel }}
jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "common.names.namespace" . | quote }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
{{- if .Values.metrics.serviceMonitor.selector }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }}
{{- end }}
{{- end }}
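Review bot: Each endpoint rendered in the `range` loop carries no scrape credentials, yet the Deployment in this commit sets `MINIO_PROMETHEUS_AUTH_TYPE` from `.Values.metrics.prometheusAuthType`. With any value other than `public`, Prometheus would presumably be rejected, which pushes operators towards unauthenticated metrics on the `minio-api` port. I would expose an optional per-endpoint auth setting through values, rendered next to `tlsConfig` (the ServiceMonitor `bearerTokenSecret` field fits). Until then, a template comment above `- port: minio-api` should say that only unauthenticated scraping is supported. `path: {{ $path }}` would also be safer as `path: {{ $path | quote }}`.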


@@ -0,0 +1,280 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if (eq .Values.mode "standalone") }}
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "common.names.fullname" . }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
spec:
{{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }}
selector:
matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
{{- if .Values.deployment.updateStrategy }}
strategy: {{- toYaml .Values.deployment.updateStrategy | nindent 4 }}
{{- end }}
template:
metadata:
labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
{{- if or .Values.podAnnotations (include "minio.createSecret" .) }}
annotations:
{{- if (include "minio.createSecret" .) }}
checksum/credentials-secret: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- include "common.tplvalues.render" ( dict "value" .Values.podAnnotations "context" $) | nindent 8 }}
{{- end }}
{{- end }}
spec:
{{- include "minio.imagePullSecrets" . | nindent 6 }}
{{- if .Values.schedulerName }}
schedulerName: {{ .Values.schedulerName }}
{{- end }}
serviceAccountName: {{ template "minio.serviceAccountName" . }}
{{- if .Values.affinity }}
affinity: {{- include "common.tplvalues.render" (dict "value" .Values.affinity "context" $) | nindent 8 }}
{{- else }}
affinity:
podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.podAntiAffinityPreset "customLabels" $podLabels "context" $) | nindent 10 }}
nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.nodeAffinityPreset.type "key" .Values.nodeAffinityPreset.key "values" .Values.nodeAffinityPreset.values) | nindent 10 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.nodeSelector "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.topologySpreadConstraints "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName | quote }}
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: {{ .Values.runtimeClassName | quote }}
{{- end}}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- if .Values.hostAliases }}
hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.podSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
{{- end }}
{{- if .Values.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
{{- end }}
{{- if or .Values.initContainers (and .Values.volumePermissions.enabled .Values.persistence.enabled) }}
initContainers:
{{- if .Values.initContainers }}
{{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
{{- end }}
{{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
- name: volume-permissions
image: {{ template "minio.volumePermissions.image" . }}
imagePullPolicy: {{ default "" .Values.volumePermissions.image.pullPolicy | quote }}
command:
- /bin/bash
- -ec
- |
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ .Values.persistence.mountPath }}
securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }}
{{- if .Values.volumePermissions.resources }}
resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
{{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: data
mountPath: {{ .Values.persistence.mountPath }}
{{- end }}
{{- end }}
containers:
- name: minio
image: {{ include "minio.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if .Values.containerSecurityContext.enabled }}
securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.command }}
command: {{- include "common.tplvalues.render" (dict "value" .Values.command "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.args }}
args: {{- include "common.tplvalues.render" (dict "value" .Values.args "context" $) | nindent 12 }}
{{- end }}
env:
- name: BITNAMI_DEBUG
value: {{ ternary "true" "false" .Values.image.debug | quote }}
- name: MINIO_SCHEME
value: {{ ternary "https" "http" .Values.tls.enabled | quote }}
- name: MINIO_FORCE_NEW_KEYS
value: {{ ternary "yes" "no" .Values.auth.forceNewKeys | quote }}
- name: MINIO_API_PORT_NUMBER
value: {{ .Values.containerPorts.api | quote }}
{{- if .Values.auth.useCredentialsFiles }}
- name: MINIO_ROOT_USER_FILE
value: "/opt/bitnami/minio/secrets/root-user"
- name: MINIO_ROOT_PASSWORD_FILE
value: "/opt/bitnami/minio/secrets/root-password"
{{- else }}
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootUserKey" . }}
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ include "minio.secretName" . }}
key: {{ include "minio.rootPasswordKey" . }}
{{- end }}
{{- if .Values.defaultBuckets }}
- name: MINIO_DEFAULT_BUCKETS
value: {{ .Values.defaultBuckets }}
{{- end }}
- name: MINIO_BROWSER
value: {{ ternary "off" "on" .Values.disableWebUI | quote }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: {{ .Values.metrics.prometheusAuthType | quote }}
- name: MINIO_CONSOLE_PORT_NUMBER
value: {{ .Values.containerPorts.console | quote }}
{{- if .Values.tls.mountPath }}
- name: MINIO_CERTS_DIR
value: {{ .Values.tls.mountPath | quote }}
{{- end }}
{{- if .Values.persistence.mountPath }}
- name: MINIO_DATA_DIR
value: {{ .Values.persistence.mountPath | quote }}
{{- end }}
{{- if .Values.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
envFrom:
{{- if .Values.extraEnvVarsCM }}
- configMapRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsCM "context" $) }}
{{- end }}
{{- if .Values.extraEnvVarsSecret }}
- secretRef:
name: {{ include "common.tplvalues.render" (dict "value" .Values.extraEnvVarsSecret "context" $) }}
{{- end }}
ports:
- name: minio-api
containerPort: {{ .Values.containerPorts.api }}
protocol: TCP
- name: minio-console
containerPort: {{ .Values.containerPorts.console }}
protocol: TCP
{{- if .Values.customLivenessProbe }}
livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
{{- else if .Values.livenessProbe.enabled }}
livenessProbe:
httpGet:
path: /minio/health/live
port: minio-api
scheme: {{ ternary "HTTPS" "HTTP" .Values.tls.enabled | quote }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.customReadinessProbe }}
readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
{{- else if .Values.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: minio-api
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
{{- end }}
{{- if .Values.customStartupProbe }}
startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
{{- else if .Values.startupProbe.enabled }}
startupProbe:
tcpSocket:
port: minio-console
initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.startupProbe.successThreshold }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
{{- end }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- else if ne .Values.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.resourcesPreset) | nindent 12 }}
{{- end }}
{{- if .Values.lifecycleHooks }}
lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.lifecycleHooks "context" $) | nindent 12 }}
{{- end }}
volumeMounts:
- name: empty-dir
mountPath: /tmp
subPath: tmp-dir
- name: empty-dir
mountPath: /opt/bitnami/minio/tmp
subPath: app-tmp-dir
- name: empty-dir
mountPath: /.mc
subPath: app-mc-dir
{{- if and .Values.auth.useSecret .Values.auth.useCredentialsFiles }}
- name: minio-credentials
mountPath: /opt/bitnami/minio/secrets/
{{- end }}
- name: data
mountPath: {{ .Values.persistence.mountPath }}
{{- if .Values.tls.enabled }}
- name: minio-certs
mountPath: {{ default "/certs" .Values.tls.mountPath }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
{{- if .Values.sidecars }}
{{- include "common.tplvalues.render" (dict "value" .Values.sidecars "context" $) | nindent 8 }}
{{- end }}
volumes:
- name: empty-dir
emptyDir: {}
{{- if and .Values.auth.useSecret .Values.auth.useCredentialsFiles }}
- name: minio-credentials
secret:
secretName: {{ include "minio.secretName" . }}
{{- end }}
- name: data
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ include "minio.claimName" . }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.tls.enabled }}
- name: minio-certs
secret:
secretName: {{ include "minio.tlsSecretName" . }}
items:
- key: tls.crt
path: public.crt
- key: tls.key
path: private.key
- key: ca.crt
path: CAs/public.crt
{{- end }}
{{- if .Values.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
{{- end }}
{{- end }}
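Review bot: In the `volume-permissions` init container, the `chown -R` line splices `runAsUser`, `fsGroup` and `persistence.mountPath` unquoted into a `/bin/bash -ec` script. A `mountPath` containing whitespace or shell metacharacters changes the command that runs, with whatever privileges `volumePermissions.containerSecurityContext` grants. I would render the arguments single-quoted, e.g. `{{ .Values.persistence.mountPath | squote }}` and the owner pair built with `printf "%v:%v" ... | squote`, and put `--` before them. Constraining `mountPath` to an absolute path in the values schema would catch bad input before it reaches the template.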


@@ -0,0 +1,69 @@
{{- /*
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{- if .Values.ingress.enabled }}
{{- if .Values.ingress.secrets }}
{{- range .Values.ingress.secrets }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .name }}
namespace: {{ include "common.names.namespace" $ | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
{{- if $.Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .certificate | b64enc }}
tls.key: {{ .key | b64enc }}
---
{{- end }}
{{- end }}
{{- if and .Values.ingress.tls .Values.ingress.selfSigned }}
{{- $secretName := printf "%s-tls" .Values.ingress.hostname }}
{{- $ca := genCA "minio-ca" 365 }}
{{- $cert := genSignedCert .Values.ingress.hostname nil (list .Values.ingress.hostname) 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
namespace: {{ include "common.names.namespace" . | quote }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
{{- end }}
{{- if (include "minio.createTlsSecret" .) }}
{{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
{{- $ca := genCA "minio-ca" 365 }}
{{- $releaseNamespace := include "common.names.namespace" . }}
{{- $clusterDomain := .Values.clusterDomain }}
{{- $fullname := include "common.names.fullname" . }}
{{- $serviceName := include "common.names.fullname" . }}
{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }}
{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) "127.0.0.1" "localhost" $fullname }}
{{- $cert := genSignedCert $fullname nil $altNames 365 $ca }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
{{- if .Values.commonAnnotations }}
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "common.secrets.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
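Review bot: The last Secret, created under `minio.createTlsSecret`, has no `namespace:` in its metadata, while the two Secrets above it set `namespace: {{ include "common.names.namespace" . | quote }}`. If that helper can return something other than the release namespace, the certificate lands in a namespace where the workload that mounts it cannot see it. I would add the same `namespace:` line under `name: {{ $secretName }}`. Separately, both generated certificates are valid for 365 days and only `ca.crt` is stored, not the CA key. Assuming `common.secrets.lookup` keeps existing values on upgrade, nothing here re-issues them, so expiry needs to be monitored.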