68 changes: 55 additions & 13 deletions stacks/_templates/minio-tls/rendered-chart.yaml
Expand Up @@ -135,7 +135,7 @@ data:
}

# Try connecting to MinIO instance
scheme=http
scheme=https
connectToMinio $scheme


Expand Down Expand Up @@ -223,7 +223,7 @@ data:
}

# Try connecting to MinIO instance
scheme=http
scheme=https
connectToMinio $scheme


Expand Down Expand Up @@ -291,7 +291,7 @@ data:
}

# Try connecting to MinIO instance
scheme=http
scheme=https
connectToMinio $scheme


Expand Down Expand Up @@ -372,7 +372,7 @@ data:
}

# Try connecting to MinIO instance
scheme=http
scheme=https
connectToMinio $scheme


Expand Down Expand Up @@ -418,7 +418,7 @@ data:
}

# Try connecting to MinIO instance
scheme=http
scheme=https
connectToMinio $scheme
---
# Source: minio/templates/pvc.yaml
Expand Down Expand Up @@ -452,7 +452,7 @@ spec:
type: NodePort
externalTrafficPolicy: "Cluster"
ports:
- name: http
- name: https
port: 9001
protocol: TCP
targetPort: 9001
Expand All @@ -475,7 +475,7 @@ spec:
type: NodePort
externalTrafficPolicy: "Cluster"
ports:
- name: http
- name: https
port: 9000
protocol: TCP
targetPort: 9000
Expand Down Expand Up @@ -514,7 +514,7 @@ spec:
stackable.tech/vendor: Stackable
annotations:
checksum/secrets: fa63e34a92c817c84057e2d452fa683e66462a57b0529388fb96a57e05f38e57
checksum/config: 2b1e6b6d0485236a84032ab7e9eeee4a7bac29d2b63d3b0260bde76e84626730
checksum/config: ebea49cc4c1bfbd1b156a58bf770a776ff87fe199f642d31c2816b5515112e72
spec:
securityContext:

Expand Down Expand Up @@ -549,9 +549,9 @@ spec:
- mountPath: /etc/minio/certs
name: certs
ports:
- name: http
- name: https
containerPort: 9000
- name: http-console
- name: https-console
containerPort: 9001
env:
- name: MINIO_ROOT_USER
Expand Down Expand Up @@ -579,7 +579,7 @@ spec:
- name: minio-user
secret:
secretName: minio

- ephemeral:
volumeClaimTemplate:
metadata:
Expand Down Expand Up @@ -633,12 +633,38 @@ spec:
name: minio
- secret:
name: minio
- ephemeral:
volumeClaimTemplate:
metadata:
annotations:
secrets.stackable.tech/class: tls
secrets.stackable.tech/scope: service=minio
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1
storageClassName: secrets.stackable.tech
name: tls
- emptyDir:
medium: Memory
sizeLimit: 5Mi
name: certs
serviceAccountName: minio-sa
containers:
- name: minio-make-bucket
image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
imagePullPolicy: IfNotPresent
command: [ "/bin/sh", "/config/initialize" ]
command:
- "/bin/sh"
- "-ce"
- |
# Copy the CA cert from the "tls" SecretClass
# mkdir -p /etc/minio/mc/certs/CAs
cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt

. /config/initialize
env:
- name: MINIO_ENDPOINT
value: minio
Expand All @@ -651,13 +677,25 @@ spec:
mountPath: /tmp
- name: minio-configuration
mountPath: /config
- name: tls
mountPath: /etc/minio/mc/original_certs
- name: certs
mountPath: /etc/minio/mc/certs/CAs
resources:
requests:
memory: 128Mi
- name: minio-make-user
image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
imagePullPolicy: IfNotPresent
command: [ "/bin/sh", "/config/add-user" ]
command:
- "/bin/sh"
- "-ce"
- |
# Copy the CA cert from the "tls" SecretClass
# mkdir -p /etc/minio/mc/certs/CAs
cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt

. /config/add-user
env:
- name: MINIO_ENDPOINT
value: minio
Expand All @@ -670,6 +708,10 @@ spec:
mountPath: /tmp
- name: minio-configuration
mountPath: /config
- name: tls
mountPath: /etc/minio/mc/original_certs
- name: certs
mountPath: /etc/minio/mc/certs/CAs
resources:
requests:
memory: 128Mi
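Review bot: The CA copied by `cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt` in the `minio-make-bucket` and `minio-make-user` containers only helps if `mc` actually verifies the server certificate against it, and these hunks do not show that. The body of `connectToMinio` and the line that defines the `mc` command in the ConfigMap scripts lie outside the hunks. If that command still passes `--insecure`, switching to `scheme=https` encrypts the connection without authenticating MinIO, and the new CA mount has no effect. I would confirm that the flag is absent (or remove it) and that the config directory `mc` uses is `/etc/minio/mc`. The commented-out `# mkdir -p /etc/minio/mc/certs/CAs` above each `cp` can be deleted, since the `certs` emptyDir is already mounted at that path.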
34 changes: 34 additions & 0 deletions stacks/_templates/minio-tls/values.yaml
Expand Up @@ -20,6 +20,8 @@ service:
consoleService:
type: NodePort
nodePort: null
tls:
enabled: true
extraVolumes:
# Request a TLS certificate from the secret-operator
- name: tls
Expand Down Expand Up @@ -49,3 +51,35 @@ extraVolumeMounts:
# On startup, we will rename the certs and move them here:
- mountPath: /etc/minio/certs
name: certs

customCommandJob:
extraVolumes:
# Request a TLS certificate from the secret-operator
- name: tls
ephemeral:
volumeClaimTemplate:
metadata:
annotations:
secrets.stackable.tech/class: tls
secrets.stackable.tech/scope: |-
service=minio
spec:
storageClassName: secrets.stackable.tech
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1
# Create an in-memory emptyDir to copy the certs to (to avoid permission errors)
- name: certs
emptyDir:
sizeLimit: 5Mi
medium: Memory
# WARNING: this is currently only used by the custom-scripts job container. Other containers do not mount these.
extraVolumeMounts:
# Mount the certificate generated by the secret-operator
- name: tls
mountPath: /etc/minio/mc/original_certs
# On startup, we will rename the certs and move them here:
- mountPath: /etc/minio/mc/certs/CAs
name: certs
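Review bot: The job's `tls` volume under `customCommandJob.extraVolumes` requests `secrets.stackable.tech/scope: service=minio`, so the job pods are presumably issued a certificate and private key valid for the `minio` service name, although the rendered job commands only read `ca.crt` from that mount. A client that needs only the trust anchor should not hold key material for the server's identity. Consider `secrets.stackable.tech/scope: pod`, or dropping the scope annotation if the SecretClass permits it, after confirming how the secret-operator handles that case. The comment `# On startup, we will rename the certs and move them here:` also describes the server's mount rather than the job's; `# The CA certificate is copied here so that mc trusts the MinIO server:` would match what the job does.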