diff --git a/stacks/_templates/minio-tls/rendered-chart.yaml b/stacks/_templates/minio-tls/rendered-chart.yaml
index 87a7bfab..21741bc5 100644
--- a/stacks/_templates/minio-tls/rendered-chart.yaml
+++ b/stacks/_templates/minio-tls/rendered-chart.yaml
@@ -135,7 +135,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme
@@ -223,7 +223,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme
@@ -291,7 +291,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme
@@ -372,7 +372,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme
@@ -418,7 +418,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme --- # Source: minio/templates/pvc.yaml
@@ -452,7 +452,7 @@ spec: type: NodePort externalTrafficPolicy: "Cluster" ports: - - name: http + - name: https port: 9001 protocol: TCP targetPort: 9001
@@ -475,7 +475,7 @@ spec: type: NodePort externalTrafficPolicy: "Cluster" ports: - - name: http + - name: https port: 9000 protocol: TCP targetPort: 9000
@@ -514,7 +514,7 @@ spec: stackable.tech/vendor: Stackable annotations: checksum/secrets: fa63e34a92c817c84057e2d452fa683e66462a57b0529388fb96a57e05f38e57 - checksum/config: 2b1e6b6d0485236a84032ab7e9eeee4a7bac29d2b63d3b0260bde76e84626730 + checksum/config: ebea49cc4c1bfbd1b156a58bf770a776ff87fe199f642d31c2816b5515112e72 spec: securityContext:
@@ -549,9 +549,9 @@ spec: - mountPath: /etc/minio/certs name: certs ports: - - name: http + - name: https containerPort: 9000 - - name: http-console + - name: https-console containerPort: 9001 env: - name: MINIO_ROOT_USER
@@ -579,7 +579,7 @@ spec: - name: minio-user secret: secretName: minio - + - ephemeral: volumeClaimTemplate: metadata:
@@ -633,12 +633,38 @@ spec: name: minio - secret: name: minio + - ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: service=minio + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1 + storageClassName: secrets.stackable.tech + name: tls + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: certs serviceAccountName: minio-sa containers: - name: minio-make-bucket image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z" imagePullPolicy: IfNotPresent - command: [ "/bin/sh", "/config/initialize" ] + command: + - "/bin/sh" + - "-ce" + - | + # Copy the CA cert from the "tls" SecretClass + # mkdir -p /etc/minio/mc/certs/CAs + cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt + + . /config/initialize env: - name: MINIO_ENDPOINT value: minio
@@ -651,13 +677,25 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config + - name: tls + mountPath: /etc/minio/mc/original_certs + - name: certs + mountPath: /etc/minio/mc/certs/CAs resources: requests: memory: 128Mi - name: minio-make-user image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z" imagePullPolicy: IfNotPresent - command: [ "/bin/sh", "/config/add-user" ] + command: + - "/bin/sh" + - "-ce" + - | + # Copy the CA cert from the "tls" SecretClass + # mkdir -p /etc/minio/mc/certs/CAs + cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt + + . /config/add-user env: - name: MINIO_ENDPOINT value: minio
@@ -670,6 +708,10 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config + - name: tls + mountPath: /etc/minio/mc/original_certs + - name: certs + mountPath: /etc/minio/mc/certs/CAs resources: requests: memory: 128Mi
diff --git a/stacks/_templates/minio-tls/values.yaml b/stacks/_templates/minio-tls/values.yaml
index bff4111a..208de321 100644
--- a/stacks/_templates/minio-tls/values.yaml
+++ b/stacks/_templates/minio-tls/values.yaml
@@ -20,6 +20,8 @@ service: consoleService: type: NodePort nodePort: null +tls: + enabled: true extraVolumes: # Request a TLS certificate from the secret-operator - name: tls
@@ -49,3 +51,35 @@ extraVolumeMounts: # On startup, we will rename the certs and move them here: - mountPath: /etc/minio/certs name: certs + +customCommandJob: + extraVolumes: + # Request a TLS certificate from the secret-operator + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: |- + service=minio + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1 + # Create an in-memory emptyDir to copy the certs to (to avoid permission errors) + - name: certs + emptyDir: + sizeLimit: 5Mi + medium: Memory + # WARNING: this is currently only used by the custom-scripts job container. Other containers do not mount these. + extraVolumeMounts: + # Mount the certificate generated by the secret-operator + - name: tls + mountPath: /etc/minio/mc/original_certs + # On startup, we will rename the certs and move them here: + - mountPath: /etc/minio/mc/certs/CAs + name: certs
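Review bot: The `tls` ephemeral volume added under `customCommandJob.extraVolumes` requests a full certificate for scope `service=minio` (key included) for the job containers, although the rendered command only ever copies `ca.crt` out of it; if the secret-operator can issue just the CA bundle for that scope, request that instead, otherwise state in the comment that the job consumes only `ca.crt` so the wider grant is a known least-privilege gap. Whether the copied CA is actually consulted depends on the `initialize` / `add-user` scripts (outside this diff) running `mc` with `/etc/minio/mc` as its config dir and without `--insecure` — worth confirming, since otherwise the copy has no effect on server-certificate verification. The `WARNING` comment refers to a "custom-scripts job container", but the rendered chart mounts these volumes into both `minio-make-bucket` and `minio-make-user`; suggest `# NOTE: only the post-install job containers (make-bucket / make-user) mount these; the MinIO server uses the top-level extraVolumes/extraVolumeMounts.` The block scalar `secrets.stackable.tech/scope: |-` wraps a single-line value and renders as a plain scalar; `secrets.stackable.tech/scope: service=minio` is equivalent and reads more easily.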