diff --git a/Makefile b/Makefile index 5c9017cb..d007d505 100644 --- a/Makefile +++ b/Makefile @@ -188,6 +188,9 @@ sync-operator-version: ;; \ esac + @echo "Updating Helm Charts" +# @$(shell curl --retry 10 -Ls -o source/includes/k8s/operator-values.yaml https://raw.githubusercontent.com/minio/operator/v${OPERATOR}/helm/operator/values.yaml) + sync-kes-version: @echo "Retrieving latest stable KES version" @$(eval KES = $(shell curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/minio/kes/releases/latest | sed "s/https:\/\/github.com\/minio\/kes\/releases\/tag\///")) diff --git a/README.md b/README.md index 42aa5e36..4eb0591a 100644 --- a/README.md +++ b/README.md @@ -84,11 +84,17 @@ Run make sync-operator-crd ``` -This downloads and converts the `tenant-crd.adoc` from the MinIO Operator github repository. -It converts it to XML, then to markdown. +This script does three things: + +- Downloads and converts the `tenant-crd.adoc` from the MinIO Operator Github repository +- Downloads the Operator Helm `values.yaml` from the Operator Github repository +- Downloads the Tenant Helm `values.yaml` from the Operator Github repository + +For the the `tenant-crd.adoc` , it converts the asciidoc to XML, then to markdown. Finally, it does some `sed` find/replace to tidy up the file for Sphinx ingest. You can run this when we have a new Operator release being documented, assuming there are changes to the CRD as part of that release. +It should make it somewhat easier to periodically sync these docs instead of pulling them down every single build, when we do not expect or need to doc changes in latest stable. # License diff --git a/requirements.txt b/requirements.txt index 1a18a3e0..65822b21 100644 --- a/requirements.txt +++ b/requirements.txt @@ -7,6 +7,7 @@ Sphinx-Substitution-Extensions == 2020.9.30.0 sphinx-sitemap == 2.5.0 sphinx-togglebutton === 0.3.2 sphinxcontrib-images === 0.9.4 +sphinxcontrib-autoyaml === 1.1.1 sphinx_reredirects === 0.1.2 myst-parser === 1.0.0 linkify === 1.4 diff --git a/source/default-conf.py b/source/default-conf.py index a3344853..ee223282 100644 --- a/source/default-conf.py +++ b/source/default-conf.py @@ -44,6 +44,7 @@ 'sphinx_design', 'sphinx.ext.intersphinx', 'sphinx_reredirects', + 'sphinxcontrib.autoyaml', ] # -- External Links @@ -204,6 +205,10 @@ } +# sphinxcontrib-autoyaml customization + +autoyaml_level = 5 + # -- Options for HTML output ------------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for diff --git a/source/includes/k8s/deploy-operator.rst b/source/includes/k8s/deploy-operator.rst index 46faa67a..1f363fe1 100644 --- a/source/includes/k8s/deploy-operator.rst +++ b/source/includes/k8s/deploy-operator.rst @@ -67,6 +67,10 @@ Prerequisites Kubernetes Version 1.19.0 ~~~~~~~~~~~~~~~~~~~~~~~~~ +.. important:: + + MinIO **strongly recommends** upgrading Production clusters running `End-Of-Life `__ Kubernetes APIs. + Starting with v4.0.0, the MinIO Operator and MinIO Kubernetes Plugin **require** Kubernetes 1.19.0 and later. The Kubernetes infrastructure *and* the ``kubectl`` CLI tool must have the same version of 1.19.0+. @@ -155,52 +159,6 @@ The output of the example command above may differ from the output in your termi Alternatively, you can generate x.509 TLS certificates signed by a known and trusted CA and pass those certificates to MinIO Tenants. See :ref:`minio-tls` for more complete documentation. -Configure MinIO Operator to Trust Custom Certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you use custom certificates for your deployment, add the certificate so that MinIO Operator trusts it. - -This procedure assumes you have an existing custom certificate. - -1. Use the following command to generate a secret from the certificate: - - .. code-block:: shell - :class: copyable - - kubectl create secret generic MY-CUSTOM-TLS -n MY-CLUSTER-NAMESPACE --from-file= - - Replace the following placeholders in the above command: - - ``MY-CUSTOM-TLS`` with the name of your secrets file - - ``MY-CLUSTER-NAMESPACE`` with your cluster's namespace - - ```` with the relative path to the public certificate to use to create the secret - -2. Add a volume to the yaml for your cluster under ``.spec.template.spec`` - - .. code-block:: yaml - :class: copyable - - volumes: - - name: tls-certificates - projected: - defaultMode: 420 - sources: - - secret: - items: - - key: public.crt - path: CAs/custom-public.crt - name: MY-CUSTOM-TLS - - - replace ``MY-CUSTOM-TLS`` with the name of your secrets file. - -3. Add a ``volumeMount`` to the yaml for your cluster under ``.spec.template.spec.container[0]`` - - .. code-block:: yaml - :class: copyable - - volumeMounts: - - mountPath: /tmp/certs - name: tls-certificates - Procedure --------- diff --git a/source/includes/k8s/operator-values.yaml b/source/includes/k8s/operator-values.yaml new file mode 100644 index 00000000..d4de44ab --- /dev/null +++ b/source/includes/k8s/operator-values.yaml @@ -0,0 +1,307 @@ +### +# Root key for Operator Helm Chart +operator: + ### + # An array of environment variables to pass to the Operator deployment. + # Pass an empty array to start Operator with defaults. + # + # For example: + # + # .. code-block:: yaml + # + # env: + # - name: MINIO_OPERATOR_DEPLOYMENT_NAME + # valueFrom: + # fieldRef: + # fieldPath: metadata.labels['app.kubernetes.io/name'] + # - name: MINIO_CONSOLE_TLS_ENABLE + # value: "off" + # - name: CLUSTER_DOMAIN + # value: "cluster.domain" + # - name: WATCHED_NAMESPACE + # value: "" + # - name: MINIO_OPERATOR_RUNTIME + # value: "OpenShift" + # + # See `Operator environment variables `__ for a list of all supported values. + env: + - name: OPERATOR_STS_ENABLED + value: "on" + ### + # Specify the Operator container image to use for the deployment. + # ``image.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator + # tag: v5.0.10 + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator@sha256 + # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 + # pullPolicy: IfNotPresent + # + image: + repository: quay.io/minio/operator + tag: v5.0.10 + pullPolicy: IfNotPresent + ### + # + # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. + # Only one array element is supported at this time. + imagePullSecrets: [ ] + ### + # + # The name of a custom `Container Runtime `__ to use for the Operator pods. + runtimeClassName: ~ + ### + # An array of `initContainers `__ to start up before the Operator pods. + # Exercise care as ``initContainer`` failures prevent Operator pods from starting. + # Pass an empty array to start the Operator normally. + initContainers: [ ] + ### + # The number of Operator pods to deploy. + # Higher values increase availability in the event of worker node failures. + # + # The cluster must have sufficient number of available worker nodes to fulfill the request. + # Operator pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. + replicaCount: 2 + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator resources. + # + # You may need to modify these values to meet your cluster's security and access settings. + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + fsGroup: 1000 + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator containers. + # You may need to modify these values to meet your cluster's security and access settings. + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + ### + # An array of `Volumes `__ which the Operator can mount to pods. + # + # The volumes must exist *and* be accessible to the Operator pods. + volumes: [ ] + ### + # An array of volume mount points associated to each Operator container. + # + # Specify each item in the array as follows: + # + # .. code-block:: yaml + # + # volumeMounts: + # - name: volumename + # mountPath: /path/to/mount + # + # The ``name`` field must correspond to an entry in the ``volumes`` array. + volumeMounts: [ ] + ### + # Any `Node Selectors `__ to apply to Operator pods. + # + # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Operator pods. + # + # If no worker nodes match the specified selectors, the Operator deployment will fail. + nodeSelector: { } + ### + # + # The `Pod Priority `__ to assign to Operator pods. + priorityClassName: "" + ### + # + # The `affinity `__ or anti-affinity settings to apply to Operator pods. + # + # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - minio-operator + topologyKey: kubernetes.io/hostname + ### + # + # An array of `Toleration labels `__ to associate to Operator pods. + # + # These settings determine the distribution of pods across worker nodes. + tolerations: [ ] + ### + # + # An array of `Topology Spread Constraints `__ to associate to Operator pods. + # + # These settings determine the distribution of pods across worker nodes. + topologySpreadConstraints: [ ] + ### + # + # The `Requests or Limits `__ for resources to associate to Operator pods. + # + # These settings can control the minimum and maximum resources requested for each pod. + # If no worker nodes can meet the specified requests, the Operator may fail to deploy. + resources: + requests: + cpu: 200m + memory: 256Mi + ephemeral-storage: 500Mi + +### +# Root key for Operator Console +console: + ### + # Specify ``false`` to disable the Operator Console. + # + # If the Operator Console is disabled, all management of Operator Tenants must be done through the Kubernetes API. + enabled: true + ### + # Specify the Operator Console container image to use for the deployment. + # ``image.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator + # tag: v5.0.10 + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/operator@sha256 + # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 + # pullPolicy: IfNotPresent + # + # The specified values should match that of ``operator.image`` to ensure predictable operations. + image: + repository: quay.io/minio/operator + tag: v5.0.10 + pullPolicy: IfNotPresent + ### + # An array of environment variables to pass to the Operator Console deployment. + # Pass an empty array to start Operator Console with defaults. + env: [ ] + ### + # + # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. + imagePullSecrets: [ ] + ### + # + # The name of a custom `Container Runtime `__ to use for the Operator Console pods. + runtimeClassName: ~ + ### + # An array of `initContainers `__ to start up before the Operator Console pods. + # Exercise care as ``initContainer`` failures prevent Console pods from starting. + # Pass an empty array to start the Console normally. + initContainers: [ ] + ### + # The number of Operator Console pods to deploy. + # Higher values increase availability in the event of worker node failures. + # + # The cluster must have sufficient number of available worker nodes to fulfill the request. + # Console pods deploy with pod anti-affinity by default, preventing Kubernetes from scheduling multiple pods onto a single Worker node. + replicaCount: 1 + ### + # Any `Node Selectors `__ to apply to Operator Console pods. + # + # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Console pods. + # + # If no worker nodes match the specified selectors, the Console deployment will fail. + nodeSelector: { } + ### + # + # The `affinity `__ or anti-affinity settings to apply to Operator Console pods. + # + # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: name + operator: In + values: + - minio-operator + topologyKey: kubernetes.io/hostname + ### + # + # An array of `Toleration labels `__ to associate to Operator Console pods. + # + # These settings determine the distribution of pods across worker nodes. + tolerations: [ ] + ### + # + # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. + # + # These settings determine the distribution of pods across worker nodes. + topologySpreadConstraints: [ ] + ### + # + # The `Requests or Limits `__ for resources to associate to Operator Console pods. + # + # These settings can control the minimum and maximum resources requested for each pod. + # If no worker nodes can meet the specified requests, the Console may fail to deploy. + resources: + requests: + cpu: 0.25 + memory: 512Mi + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator Console resources. + # + # You may need to modify these values to meet your cluster's security and access settings. + securityContext: + runAsUser: 1000 + runAsNonRoot: true + ### + # The Kubernetes `SecurityContext `__ to use for deploying Operator Console containers. + # You may need to modify these values to meet your cluster's security and access settings. + containerSecurityContext: + runAsUser: 1000 + runAsNonRoot: true + ### + # Configures `Ingress `__ for the Operator Console. + # + # Set the keys to conform to the Ingress controller and configuration of your choice. + ingress: + enabled: false + ingressClassName: "" + labels: { } + annotations: { } + tls: [ ] + host: console.local + path: / + pathType: Prefix + ### + # An array of `Volumes `__ which the Operator Console can mount to pods. + # + # The volumes must exist *and* be accessible to the Console pods. + volumes: [ ] + ### + # An array of volume mount points associated to each Operator Console container. + # + # Specify each item in the array as follows: + # + # .. code-block:: yaml + # + # volumeMounts: + # - name: volumename + # mountPath: /path/to/mount + # + # The ``name`` field must correspond to an entry in the ``volumes`` array. + volumeMounts: [ ] diff --git a/source/includes/k8s/tenant-values.yaml b/source/includes/k8s/tenant-values.yaml new file mode 100644 index 00000000..0b7152e5 --- /dev/null +++ b/source/includes/k8s/tenant-values.yaml @@ -0,0 +1,457 @@ +### +# Root key for dynamically creating a secret for use with configuring root MinIO User +# Specify the ``name`` and then a list of environment variables. +# +# .. important:: +# +# Do not use this in production environments. +# This field is intended for use with rapid development or testing only. +# +# For example: +# +# .. code-block:: yaml +# +# name: myminio-env-configuration +# accessKey: minio +# secretKey: minio123 +# +secrets: + name: myminio-env-configuration + accessKey: minio + secretKey: minio123 +### +# The name of an existing Kubernetes secret to import to the MinIO Tenant +# The secret must contain a key ``config.env``. +# The values should be a series of export statements to set environment variables for the Tenant. +# For example: +# +# .. code-block:: shell +# +# stringData: +# config.env: | - +# export MINIO_ROOT_USER=ROOTUSERNAME +# export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD +# +existingSecret: + name: myminio-env-configuration +### +# Root key for MinIO Tenant Chart +tenant: + ### + # The Tenant name + # + # Change this to match your preferred MinIO Tenant name. + name: myminio + ### + # Specify the Operator container image to use for the deployment. + # ``image.tag`` + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.10 tag. + # The container pulls the image if not already present: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/minio + # tag: RELEASE.2023-10-07T15-07-38Z + # pullPolicy: IfNotPresent + # + # The chart also supports specifying an image based on digest value: + # + # .. code-block:: yaml + # + # image: + # repository: quay.io/minio/minio@sha256 + # digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983 + # pullPolicy: IfNotPresent + # + # + image: + repository: quay.io/minio/minio + tag: RELEASE.2023-10-07T15-07-38Z + pullPolicy: IfNotPresent + ### + # + # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``. + # Only one array element is supported at this time. + imagePullSecret: { } + ### + # The Kubernetes `Scheduler `__ to use for dispatching Tenant pods. + # + # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler. + scheduler: { } + ### + # The Kubernetes secret name that contains MinIO environment variable configurations. + # The secret is expected to have a key named config.env containing environment variables exports. + configuration: + name: myminio-env-configuration + ### + # Top level key for configuring MinIO Pool(s) in this Tenant. + # + # See `Operator CRD: Pools `__ for more information on all subfields. + pools: + ### + # The number of MinIO Tenant Pods / Servers in this pool. + # For standalone mode, supply 1. For distributed mode, supply 4 or more. + # Note that the operator does not support upgrading from standalone to distributed mode. + - servers: 4 + ### + # Custom name for the pool + name: pool-0 + ### + # The number of volumes attached per MinIO Tenant Pod / Server. + volumesPerServer: 4 + ### + # The capacity per volume requested per MinIO Tenant Pod. + size: 10Gi + ### + # The `storageClass `__ to associate with volumes generated for this pool. + # + # If using Amazon Elastic Block Store (EBS) CSI driver + # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. + # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md + storageClassName: standard + ### + # Specify `annotations `__ to associate to Tenant pods. + annotations: { } + ### + # Specify `labels `__ to associate to Tenant pods. + labels: { } + ### + # + # An array of `Toleration labels `__ to associate to Tenant pods. + # + # These settings determine the distribution of pods across worker nodes. + tolerations: [ ] + ### + # Any `Node Selectors `__ to apply to Tenant pods. + # + # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods. + # + # If no worker nodes match the specified selectors, the Tenant deployment will fail. + nodeSelector: { } + ### + # + # The `affinity `__ or anti-affinity settings to apply to Tenant pods. + # + # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. + affinity: { } + ### + # + # The `Requests or Limits `__ for resources to associate to Tenant pods. + # + # These settings can control the minimum and maximum resources requested for each pod. + # If no worker nodes can meet the specified requests, the Operator may fail to deploy. + resources: { } + ### + # The Kubernetes `SecurityContext `__ to use for deploying Tenant resources. + # + # You may need to modify these values to meet your cluster's security and access settings. + # + # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files). + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true + ### + # The Kubernetes `SecurityContext `__ to use for deploying Tenant containers. + # You may need to modify these values to meet your cluster's security and access settings. + containerSecurityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + ### + # + # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. + # + # These settings determine the distribution of pods across worker nodes. + topologySpreadConstraints: [ ] + ### + # + # The name of a custom `Container Runtime `__ to use for the Operator Console pods. + # runtimeClassName: "" + ### + # The mount path where Persistent Volumes are mounted inside Tenant container(s). + mountPath: /export + ### + # The Sub path inside Mount path where MinIO stores data. + # + # .. warning:: + # + # Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant. + # If you change these values post-deployment, then you may have different paths for new and pre-existing data. + # This can vastly increase operational complexity and may result in unpredictable data states. + subPath: /data + ### + # Configures a Prometheus-compatible scraping endpoint at the specified port. + metrics: + enabled: false + port: 9000 + protocol: http + ### + # Configures external certificate settings for the Tenant. + certificate: + ### + # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. + # + # This is used by MinIO to verify TLS connections from clients using those CAs + # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. + # See `Operator CRD: TenantSpec `__. + externalCaCertSecret: [ ] + ### + # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair. + # + # Omit this to use only the MinIO Operator autogenerated certificates. + # + # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS. + # + # See `Operator CRD: TenantSpec `__. + # + # .. important:: + # + # The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates. + # + # You can pass the CA to the Operator to allow it to trust that cert. + # See `Self-Signed, Internal, and Private Certificates `__ for more information. + # This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust. + externalCertSecret: [ ] + ### + # Enable automatic Kubernetes based `certificate generation and signing `__ + requestAutoCert: true + ### + # This field is used only when ``requestAutoCert: true``. + # Use this field to set CommonName for the auto-generated certificate. + # MinIO defaults to using the internal Kubernetes DNS name for the pod + # The default DNS name format is typically ``*.minio.default.svc.cluster.local``. + # + # See `Operator CRD: CertificateConfig `__ + certConfig: { } + ### + # MinIO features to enable or disable in the MinIO Tenant + # See `Operator CRD: Features `__. + features: + bucketDNS: false + domains: { } + enableSFTP: false + ### + # Array of objects describing one or more buckets to create during tenant provisioning. + # Example: + # + # .. code-block:: yaml + # + # - name: my-minio-bucket + # objectLock: false # optional + # region: us-east-1 # optional + buckets: [ ] + ### + # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning. + # + # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user. + users: [ ] + ### + # The `PodManagement `__ policy for MinIO Tenant Pods. + # Can be "OrderedReady" or "Parallel" + podManagementPolicy: Parallel + # The `Liveness Probe `__ for monitoring Tenant pod liveness. + # Tenant pods will be restarted if the probe fails. + liveness: { } + ### + # `Readiness Probe `__ for monitoring Tenant container readiness. + # Tenant pods will be removed from service endpoints if the probe fails. + readiness: { } + ### + # `Startup Probe `__ for monitoring container startup. + # Tenant pods will be restarted if the probe fails. + # Refer + startup: { } + ### + # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects. + # + # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically. + # + # - Specify ``minio: true`` to expose the MinIO S3 API. + # - Specify ``console: true`` to expose the Console. + # + # Both fields default to ``false``. + exposeServices: { } + ### + # The `Kubernetes Service Account `__ associated with the Tenant. + serviceAccountName: "" + ### + # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator. + prometheusOperator: false + ### + # Configure pod logging configuration for the MinIO Tenant. + # + # - Specify ``json`` for JSON-formatted logs. + # - Specify ``anonymous`` for anonymized logs. + # - Specify ``quiet`` to supress logging. + # + # An example of JSON-formatted logs is as follows: + # + # .. code-block:: shell + # + # $ k logs myminio-pool-0-0 -n default + # {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"} + logging: { } + ### + # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific + # services created by the operator. + serviceMetadata: { } + ### + # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) + env: [ ] + ### + # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. + # This is applied to MinIO pods only. + # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ + priorityClassName: "" + ### + # An array of `Volumes `__ which the Operator can mount to Tenant pods. + # + # The volumes must exist *and* be accessible to the Tenant pods. + additionalVolumes: [ ] + ### + # An array of volume mount points associated to each Tenant container. + # + # Specify each item in the array as follows: + # + # .. code-block:: yaml + # + # volumeMounts: + # - name: volumename + # mountPath: /path/to/mount + # + # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array. + additionalVolumeMounts: [ ] + # Define configuration for KES (stateless and distributed key-management system) + # Refer https://github.com/minio/kes + #kes: + # ## Image field: + # # Image from tag (original behavior), for example: + # # image: + # # repository: quay.io/minio/kes + # # tag: 2023-10-03T00-48-37Z + # # Image from digest (added after original behavior), for example: + # # image: + # # repository: quay.io/minio/kes@sha256 + # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b + # image: + # repository: quay.io/minio/kes + # tag: 2023-10-03T00-48-37Z + # pullPolicy: IfNotPresent + # env: [ ] + # replicas: 2 + # configuration: |- + # address: :7373 + # root: _ # Effectively disabled since no root identity necessary. + # tls: + # key: /tmp/kes/server.key # Path to the TLS private key + # cert: /tmp/kes/server.crt # Path to the TLS certificate + # proxy: + # identities: [] + # header: + # cert: X-Tls-Client-Cert + # policy: + # my-policy: + # paths: + # - /v1/key/create/* + # - /v1/key/generate/* + # - /v1/key/decrypt/* + # identities: + # - ${MINIO_KES_IDENTITY} + # cache: + # expiry: + # any: 5m0s + # unused: 20s + # log: + # error: on + # audit: off + # keys: + # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended + # # use a real KMS + # # fs: + # # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production. + # vault: + # endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint + # namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html + # prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix. + # approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html + # id: "" # Your AppRole Role ID + # secret: "" # Your AppRole Secret ID + # retry: 15s # Duration until the server tries to re-authenticate after connection loss. + # tls: # The Vault client TLS configuration for mTLS authentication and certificate verification + # key: "" # Path to the TLS client private key for mTLS authentication to Vault + # cert: "" # Path to the TLS client certificate for mTLS authentication to Vault + # ca: "" # Path to one or multiple PEM root CA certificates + # status: # Vault status configuration. The server will periodically reach out to Vault to check its status. + # ping: 10s # Duration until the server checks Vault's status again. + # # aws: + # # # The AWS SecretsManager key store. The server will store + # # # secret keys at the AWS SecretsManager encrypted with + # # # AWS-KMS. See: https://aws.amazon.com/secrets-manager + # # secretsmanager: + # # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com + # # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 + # # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. + # # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. + # # accesskey: "" # Your AWS Access Key + # # secretkey: "" # Your AWS Secret Key + # # token: "" # Your AWS session token (usually optional) + # imagePullPolicy: "IfNotPresent" + # externalCertSecret: null + # clientCertSecret: null + # # Key name to be created on the KMS, default is "my-minio-key" + # keyName: "" + # resources: { } + # nodeSelector: { } + # affinity: + # nodeAffinity: { } + # podAffinity: { } + # podAntiAffinity: { } + # tolerations: [ ] + # annotations: { } + # labels: { } + # serviceAccountName: "" + # securityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # runAsNonRoot: true + # fsGroup: 1000 +### +# Configures `Ingress `__ for the Tenant S3 API and Console. +# +# Set the keys to conform to the Ingress controller and configuration of your choice. +ingress: + api: + enabled: false + ingressClassName: "" + labels: { } + annotations: { } + tls: [ ] + host: minio.local + path: / + pathType: Prefix + console: + enabled: false + ingressClassName: "" + labels: { } + annotations: { } + tls: [ ] + host: minio-console.local + path: / + pathType: Prefix +# Use an extraResources template section to include additional Kubernetes resources +# with the Helm deployment. +#extraResources: +# - | +# apiVersion: v1 +# kind: Secret +# type: Opaque +# metadata: +# name: {{ dig "secrets" "existingSecret" "" (.Values | merge (dict)) }} +# stringData: +# config.env: |- +# export MINIO_ROOT_USER='minio' +# export MINIO_ROOT_PASSWORD='minio123' diff --git a/source/index.rst b/source/index.rst index 962596b0..6cf651e9 100644 --- a/source/index.rst +++ b/source/index.rst @@ -211,6 +211,7 @@ For more about connecting to ``play``, see :ref:`MinIO Console play Login /reference/kubectl-minio-plugin /reference/operator-crd + /reference/operator-chart-values .. toctree:: :titlesonly: diff --git a/source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst b/source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst new file mode 100644 index 00000000..5eecdb8b --- /dev/null +++ b/source/operations/install-deploy-manage/deploy-minio-tenant-helm.rst @@ -0,0 +1,244 @@ +.. _deploy-tenant-helm: + +====================================== +Deploy a MinIO Tenant with Helm Charts +====================================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +Overview +-------- + +Helm is a tool for automating the deployment of applications to Kubernetes clusters. +A `Helm chart `__ is a set of YAML files, templates, and other files that define the deployment details. +The following procedure uses a Helm Chart to deploy a Tenant managed by the MinIO Operator. + +This procedure requires the Kubernetes cluster have a valid :ref:`Operator ` deployment. +You cannot use the MinIO Operator Tenant chart to deploy a Tenant independent of the Operator. + +.. important:: + + + The MinIO Operator Tenant Chart is *distinct* from the community-managed :minio-git:`MinIO Chart `. + + The Community Helm Chart is community built, maintained, and supported. + MinIO does not guarantee support for any given bug, feature request, or update referencing that chart. + + The Operator Tenant Chart is officially maintained and supported by MinIO. + MinIO strongly recommends the official Helm Chart for Operator and Tenants for production environments. + +Prerequisites +------------- + +You must meet the following requirements to install a MinIO Tenant with Helm: + +- An existing Kubernetes cluster +- The ``kubectl`` CLI tool on your local host with version matching the cluster. +- `Helm `__ version 3.8 or greater. +- `yq `__ version 4.18.1 or greater. +- An existing :ref:`MinIO Operator installation `. + +This procedure assumes your Kubernetes cluster access grants you broad administrative permissions. + +For more about Tenant installation requirements, including supported Kubernetes versions and TLS certificates, see the :ref:`Tenant deployment prerequisites `. + +This procedure assumes familiarity the with referenced Kubernetes concepts and utilities. +While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. + +.. _deploy-tenant-helm-repo: + +Deploy a MinIO Tenant using Helm Charts +--------------------------------------- + +The following procedure deploys a MinIO Tenant using the MinIO Operator Chart Repository. +This method supports a simplified installation path compared to the :ref:`local chart installation `. +You can modify the Operator deployment after installation. + +.. important:: + + Do not use the ``kubectl krew`` or similar methods to update or manage the MinIO Tenant installation. + If you use Helm charts to deploy the Tenant, you must use Helm to manage that deployment. + +#. Validate the Operator Repository Contents + + Use ``helm search`` to check the latest available chart version in the Operator Repo: + + .. code-block:: shell + :class: copyable + + helm search repo minio-operator + + The response should resemble the following: + + .. code-block:: shell + :class: copyable + + NAME CHART VERSION APP VERSION DESCRIPTION + minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator + minio-operator/operator 5.0.10 v5.0.10 A Helm chart for MinIO Operator + minio-operator/tenant 5.0.10 v5.0.10 A Helm chart for MinIO Operator + + The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances. + + If your ``minio-operator/operator`` version is behind the latest available chart, upgrade the operator *first*. + +#. Deploy the Helm Chart + + Use the ``helm install`` command to deploy the Tenant Chart. + + If you need to override values in the default :ref:`values ` file, you can use the ``--set`` operation for any single key-value. + Alternatively, specify your own ``values.yaml`` using the ``--f`` parameter to override multiple values at once: + + .. code-block:: shell + :class: copyable + + helm install \ + --namespace MINIO_TENANT_NAMESPACE \ + --create-namespace \ + MINIO_TENANT_NAME minio-operator/tenant + +#. Validate the Tenant installation + + Check the contents of the specified namespace to ensure all pods and services have started successfully. + + .. code-block:: shell + :class: copyable + + kubectl get all -n MINIO_TENANT_NAMESPACE + + All pods and services should have a READY state before proceeding. + +#. Expose the Tenant Console port + + Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine: + + .. code-block:: shell + :class: copyable + + kubectl --namespace MINIO_TENANT_NAMESPACE port-forward svc/MINIO_TENANT_NAME-console 9443:9443 + + .. note:: + + To configure long term access to the pod, configure :kube-docs:`Ingress ` or similar network control components within Kubernetes to route traffic to and from the pod. + Configuring Ingress is out of the scope for this documentation. + +#. Login to the MinIO Console + + Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser. + Log in to the Console with the default credentials ``myminio | minio123``. + If you modified these credentials in the ``values.yaml`` specify those values instead. + +#. Expose the Tenant MinIO S3 API port + + To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias. + + * Forward the Tenant's MinIO port: + + .. code-block:: shell + :class: copyable + + kubectl port-forward svc/minio 9000 -n MINIO_TENANT_NAMESPACE + + * Create an alias for the Tenant service: + + .. code-block:: shell + :class: copyable + + mc alias set myminio https://localhost:9000 minio minio123 --insecure + + You can use :mc:`mc mb` to create a bucket on the Tenant: + + .. code-block:: shell + :class: copyable + + mc mb myminio/mybucket --insecure + + If you deployed your MinIO Tenant using TLS certificates minted by a trusted Certificate Authority (CA) you can omit the ``--insecure`` flag. + +.. _deploy-tenant-helm-local: + +Deploy a Tenant using a Local Helm Chart +---------------------------------------- + +The following procedure deploys a Tenant using a local copy of the Helm Charts. +This method may support easier pre-configuration of the Tenant compared to the :ref:`repo-based installation ` + +#. Download the Helm charts + + On your local host, download the Tenant Helm charts to a convenient directory: + + .. code-block:: shell + :class: copyable + :substitutions: + + curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/tenant-|operator-version-stable|.tgz + + Each chart contains a ``values.yaml`` file you can customize to suit your needs. + For example, you may wish to change the MinIO root user credentials or the Tenant name. + For more about customizations, see `Helm Charts `__. + +#. The following Helm command creates a MinIO Tenant using the standard chart: + + .. code-block:: shell + :class: copyable + :substitutions: + + helm install \ + --namespace MINIO_TENANT_NAMESPACE \ + --create-namespace \ + MINIO_TENANT_NAME tenant-|operator-version-stable|.tgz + + To deploy more than one Tenant, create a Helm chart with the details of the new Tenant and repeat the deployment steps. + Redeploying the same chart updates the previously deployed Tenant. + +#. Expose the Tenant Console port + + Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine: + + .. code-block:: shell + :class: copyable + + kubectl --namespace MINIO_TENANT_NAMESPACE port-forward svc/myminio-console 9443:9443 + + .. note:: + + To configure long term access to the pod, configure :kube-docs:`Ingress ` or similar network control components within Kubernetes to route traffic to and from the pod. + Configuring Ingress is out of the scope for this documentation. + +#. Login to the MinIO Console + + Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser. + Log in to the Console with the default credentials ``myminio | minio123``. + +#. Expose the Tenant MinIO port + + To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias. + + * Forward the Tenant's MinIO port: + + .. code-block:: shell + :class: copyable + + kubectl port-forward svc/myminio-hl 9000 -n MINIO_TENANT_NAMESPACE + + * Create an alias for the Tenant service: + + .. code-block:: shell + :class: copyable + + mc alias set myminio https://localhost:9000 minio minio123 --insecure + + This example uses the non-TLS ``myminio-hl`` service, which requires :std:option:`--insecure `. + + If you have a TLS cert configured, omit ``--insecure`` and use ``svc/minio`` instead. + + You can use :mc:`mc mb` to create a bucket on the Tenant: + + .. code-block:: shell + :class: copyable + + mc mb myminio/mybucket --insecure \ No newline at end of file diff --git a/source/operations/install-deploy-manage/deploy-minio-tenant.rst b/source/operations/install-deploy-manage/deploy-minio-tenant.rst index 89be25d9..d8ebaa79 100644 --- a/source/operations/install-deploy-manage/deploy-minio-tenant.rst +++ b/source/operations/install-deploy-manage/deploy-minio-tenant.rst @@ -774,3 +774,9 @@ Kubernetes provides multiple options for configuring external access to services .. cond:: k8s and not (openshift or eks) .. include:: /includes/k8s/steps-deploy-tenant-cli.rst + +.. toctree:: + :titlesonly: + :hidden: + + /operations/install-deploy-manage/deploy-minio-tenant-helm \ No newline at end of file diff --git a/source/operations/install-deploy-manage/deploy-operator-helm.rst b/source/operations/install-deploy-manage/deploy-operator-helm.rst index 909399f2..f9d9ef9c 100644 --- a/source/operations/install-deploy-manage/deploy-operator-helm.rst +++ b/source/operations/install-deploy-manage/deploy-operator-helm.rst @@ -18,7 +18,6 @@ Helm is a tool for automating the deployment of applications to Kubernetes clust A `Helm chart `__ is a set of YAML files, templates, and other files that define the deployment details. The following procedure uses a Helm Chart to install the :ref:`MinIO Kubernetes Operator ` to a Kubernetes cluster. - Prerequisites ------------- @@ -35,27 +34,172 @@ For more about Operator installation requirements, including supported Kubernete This procedure assumes familiarity the with referenced Kubernetes concepts and utilities. While this documentation may provide guidance for configuring or deploying Kubernetes-related resources on a best-effort basis, it is not a replacement for the official :kube-docs:`Kubernetes Documentation <>`. +.. _minio-k8s-deploy-operator-helm-repo: + +Install the MinIO Operator using Helm Charts +-------------------------------------------- + +The following procedure installs the Operator using the MinIO Operator Chart Repository. +This method supports a simplified installation path compared to the :ref:`local chart installation `. +You can modify the Operator deployment after installation. + +.. important:: + + Do not use ``kubectl krew`` or similar methods to update or manage the MinIO Operator installation. + If you use Helm charts to install the Operator, you must use Helm to manage that installation. + +#. Add the MinIO Operator Repo to Helm + + MinIO maintains a Helm-compatible repository at https://operator.min.io. + Add this repository to Helm: + + .. code-block:: shell + :class: copyable + + helm repo add minio-operator https://operator.min.io + + You can validate the repo contents using ``helm search``: + + .. code-block:: shell + :class: copyable + + helm search repo minio-operator + + The response should resemble the following: + + .. code-block:: shell + :class: copyable + + NAME CHART VERSION APP VERSION DESCRIPTION + minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator + minio-operator/operator 5.0.10 v5.0.10 A Helm chart for MinIO Operator + minio-operator/tenant 5.0.10 v5.0.10 A Helm chart for MinIO Operator -Procedure ---------- + The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances. + +#. Install the Operator + + Run the ``helm install`` command to install the Operator: + + .. code-block:: shell + :class: copyable + + helm install + --namespace minio-operator \ + --create-namespace \ + operator minio-operator/operator + +#. Verify the Operator installation + + Check the contents of the specified namespace (``minio-operator``) to ensure all pods and services have started successfully. + + .. code-block:: shell + :class: copyable + + kubectl get all -n minio-operator + + The response should resemble the following: + + .. code-block:: shell + + NAME READY STATUS RESTARTS AGE + pod/console-68d955874d-vxlzm 1/1 Running 0 25h + pod/minio-operator-699f797b8b-th5bk 1/1 Running 0 25h + pod/minio-operator-699f797b8b-nkrn9 1/1 Running 0 25h + + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/console ClusterIP 10.43.195.224 9090/TCP,9443/TCP 25h + service/operator ClusterIP 10.43.44.204 4221/TCP 25h + service/sts ClusterIP 10.43.70.4 4223/TCP 25h + + NAME READY UP-TO-DATE AVAILABLE AGE + deployment.apps/console 1/1 1 1 25h + deployment.apps/minio-operator 2/2 2 2 25h + + NAME DESIRED CURRENT READY AGE + replicaset.apps/console-68d955874d 1 1 1 25h + replicaset.apps/minio-operator-699f797b8b 2 2 2 25h + +#. (Optional) Enable NodePort Access to the Console + + You can enable :kube-docs:`Node Port ` access to the ``service/console`` service to allow simplified access to the MinIO Operator. + You can skip this step if you intend to configure the Operator Console service to use a Kubernetes Load Balancer, ingress, or similar control plane component that enables external access. + + Edit the ``service/console`` and set the ``spec.ports[0].nodePort`` and ``spec.type`` fields as follows: + + .. code-block:: yaml + + spec: + ports: + - name: http + port: 9090 + protocol: TCP + targetPort: 9090 + nodePort: 39090 + type: NodePort + + You can attempt to connect to the MinIO Operator Console by specifying port ``39090`` on any of the worker nodes in the deployment. + +#. Retrieve the Console Access Token + + The MinIO Operator uses a JSON Web Token (JWT) saved as a Kubernetes Secret for controlling access to the Operator Console. + + Use the following command to retrieve the JWT for login. + You must have permission within the Kubernetes cluster to read secrets: + + .. code-block:: shell + :class: copyable + kubectl get secret/console-sa-secret -n minio-operator -o json | jq -r ".data.token" | base64 -d -Install Operator -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + The output should resemble the following: + + .. code-block:: shell + + eyJhbGciOiJSUzI1NiIsImtpZCI6IlRtV2x3Z1RILVREaThhQm9iemFfLW95NHFHT0ZZOHFBRjlZalBRcWZiSDgifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJtaW5pby1vcGVyYXRvciIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJjb25zb2xlLXNhLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJjb25zb2xlLXNhIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiY2M1ZjEwYzktYzU1ZC00MjNiLTgxM2MtNmU5ZDY2ZGI5NDYyIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Om1pbmlvLW9wZXJhdG9yOmNvbnNvbGUtc2EifQ.F-Pt5nU9xaugjRksWAOTShBW_eNTf8UwXvLfGxEK6l3_41NYsLgvTg5m0hYLUiYr6v2HwkEu0XzqTJbPoeSrFds8BOjeiCoP2Lmw4tRPo9tSXhAq-_elWt83YpJl-zjUpna5nVSWJWXKgj1Iga-9gw-Q63UygEcyTJ9_AwCNU9T0HdPzqccS9XrEUdsXFQxR9RwZY4TGC8K7cD9sc_OmfEiuyilRgyC_gFRvtCQfFv1DP0GKyjMGo2ffu-2Tq2U7zK5epWdqmNSvbIa0ZRoPlPedZ6nYY935lNgTIIW1oykRYrgwZZiv4CzfTH2gPswjtPc5ICtDDRUjYEhdTq3gtw + + If the output includes a trailing ``%`` make sure to omit it from the result. + +#. Log into the MinIO Operator Console + + If you configured the ``svc/console`` service for access through ingress, a cluster load balancer, you can access the Console using the configured hostname and port. + + If you configured the service for access through NodePorts, specify the hostname of any worker node in the cluster with that port as ``HOSTNAME:NODEPORT`` to access the Console. + + Alternatively, you can use ``kubectl port forward`` to temporary forward ports for the Console: + + .. code-block:: shell + :class: copyable + + kubectl port-forward svc/console -n minio-operator 9090:9090 + + You can then use ``http://localhost:9090`` to access the MinIO Operator Console. + + Once you access the Console, use the Console JWT to log in. + +You can now :ref:`deploy and manage MinIO Tenants using the Operator Console `. + +You can also :ref:`deploy a tenant using Helm Charts `. + +.. _minio-k8s-deploy-operator-helm-local: + +Install the MinIO Operator using Local Helm Charts +-------------------------------------------------- + +The following procedure installs the Operator using a local copy of the Helm Charts. +This method may support easier pre-configuration of the Operator compared to the :ref:`repo-based installation ` #. Download the Helm charts - On your local host, download the Operator and Tenant Helm charts to a convenient directory: + On your local host, download the Operator Helm charts to a convenient directory: .. code-block:: shell :class: copyable :substitutions: curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/operator-|operator-version-stable|.tgz - curl -O https://raw.githubusercontent.com/minio/operator/master/helm-releases/tenant-|operator-version-stable|.tgz - Each chart contains a ``values.yaml`` file you can customize to suit your needs. - For example, you may wish to change the MinIO root user credentials or the Tenant name. + The chart contains a ``values.yaml`` file you can customize to suit your needs. For more about customizations, see `Helm Charts `__. #. Deploy Operator @@ -375,73 +519,6 @@ Install Operator Append the ``nodePort`` value to the externally-accessible IP address of a worker node in your Kubernetes cluster. +You can now :ref:`deploy and manage MinIO Tenants using the Operator Console `. -Deploy a Tenant -~~~~~~~~~~~~~~~ - -You can deploy a MinIO Tenant using either the :ref:`Operator Console ` or Helm. -To deploy a Tenant with the Console, see :ref:`Deploy and Manage MinIO Tenants `. - -To deploy a Tenant with Helm: - -#. The following Helm command creates a MinIO Tenant using the standard chart: - - .. code-block:: shell - :class: copyable - :substitutions: - - helm install \ - --namespace tenant-ns \ - --create-namespace \ - tenant-ns tenant-|operator-version-stable|.tgz - - To deploy more than one Tenant, create a Helm chart with the details of the new Tenant and repeat the deployment steps. - Redeploying the same chart updates the previously deployed Tenant. - -#. Expose the Tenant Console port - - Use ``kubectl port-forward`` to temporarily forward traffic from the MinIO pod to your local machine: - - .. code-block:: shell - :class: copyable - - kubectl --namespace tenant-ns port-forward svc/myminio-console 9443:9443 - - .. note:: - - To configure long term access to the pod, configure :kube-docs:`Ingress ` or similar network control components within Kubernetes to route traffic to and from the pod. - Configuring Ingress is out of the scope for this documentation. - -#. Login to the MinIO Console - - Access the Tenant's :ref:`minio-console` by navigating to ``http://localhost:9443`` in a browser. - Log in to the Console with the default credentials ``myminio | minio123``. - -#. Expose the Tenant MinIO port - - To test the MinIO Client :mc:`mc` from your local machine, forward the MinIO port and create an alias. - - * Forward the Tenant's MinIO port: - - .. code-block:: shell - :class: copyable - - kubectl port-forward svc/myminio-hl 9000 -n tenant-ns - - * Create an alias for the Tenant service: - - .. code-block:: shell - :class: copyable - - mc alias set myminio https://localhost:9000 minio minio123 --insecure - - This example uses the non-TLS ``myminio-hl`` service, which requires :std:option:`--insecure `. - - If you have a TLS cert configured, omit ``--insecure`` and use ``svc/minio`` instead. - - You can use :mc:`mc mb` to create a bucket on the Tenant: - - .. code-block:: shell - :class: copyable - - mc mb myminio/mybucket --insecure +You can also :ref:`deploy a tenant using Helm Charts `. diff --git a/source/operations/install-deploy-manage/upgrade-minio-operator.rst b/source/operations/install-deploy-manage/upgrade-minio-operator.rst index a82ebcb7..8a60a0dc 100644 --- a/source/operations/install-deploy-manage/upgrade-minio-operator.rst +++ b/source/operations/install-deploy-manage/upgrade-minio-operator.rst @@ -134,59 +134,151 @@ The following steps back up the existing yaml files, perform some clean up, and Upgrade Operator to |operator-version-stable| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version. - - Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements. - Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants. - See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants. +.. tab-set:: -2. Verify the existing Operator installation. - Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services. - - If you installed the Operator to a custom namespace, specify that namespace as ``-n ``. + .. tab-item:: Upgrade using MinIO Kubernetes Plugin - You can verify the currently installed Operator version by retrieving the object specification for an operator pod in the namespace. - The following example uses the ``jq`` tool to filter the necessary information from ``kubectl``: + The following procedure upgrades the MinIO Operator using the :mc:`kubectl minio ` plugin. - .. code-block:: shell - :class: copyable + If you installed the Operator using :ref:`Helm `, use the :guilabel:`Upgrade using Helm` instructions instead. - kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers' - - The output resembles the following: - - .. code-block:: json - :emphasize-lines: 8-10 + 1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version. + + Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements. + Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants. + See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants. + + 2. Verify the existing Operator installation. + Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services. + + If you installed the Operator to a custom namespace, specify that namespace as ``-n ``. + + You can verify the currently installed Operator version by retrieving the object specification for an operator pod in the namespace. + The following example uses the ``jq`` tool to filter the necessary information from ``kubectl``: + + .. code-block:: shell + :class: copyable + + kubectl get pod -l 'name=minio-operator' -n minio-operator -o json | jq '.items[0].spec.containers' + + The output resembles the following: + + .. code-block:: json + :emphasize-lines: 8-10 + :substitutions: - { - "env": [ { - "name": "CLUSTER_DOMAIN", - "value": "cluster.local" + "env": [ + { + "name": "CLUSTER_DOMAIN", + "value": "cluster.local" + } + ], + "image": "minio/operator:v|operator-version-stable|", + "imagePullPolicy": "IfNotPresent", + "name": "minio-operator" } - ], - "image": "minio/operator:v4.5.8", - "imagePullPolicy": "IfNotPresent", - "name": "minio-operator" - } -3. Download the latest stable version of the MinIO Kubernetes Plugin + 3. Download the latest stable version of the MinIO Kubernetes Plugin - .. include:: /includes/k8s/install-minio-kubectl-plugin.rst + .. include:: /includes/k8s/install-minio-kubectl-plugin.rst -4. Run the initialization command to upgrade the Operator + 4. Run the initialization command to upgrade the Operator - Use the :mc-cmd:`kubectl minio init` command to upgrade the existing MinIO Operator installation + Use the :mc-cmd:`kubectl minio init` command to upgrade the existing MinIO Operator installation: - .. code-block:: shell - :class: copyable + .. code-block:: shell + :class: copyable - kubectl minio init + kubectl minio init -5. Validate the Operator upgrade + 5. Validate the Operator upgrade + + You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step. + + .. include:: /includes/common/common-k8s-connect-operator-console.rst + + .. tab-item:: Upgrade using Helm + + The following procedure upgrades an existing MinIO Operator Installation using Helm. + + If you installed the Operator using :ref:`the MinIO Kubernetes Plugin `, use the :guilabel:`Upgrade using MinIO Kubernetes Plugin` instructions instead. + + 1. *(Optional)* Update each MinIO Tenant to the latest stable MinIO Version. + + Upgrading MinIO regularly ensures your Tenants have the latest features and performance improvements. + Test upgrades in a lower environment such as a Dev or QA Tenant, before applying to your production Tenants. + See :ref:`minio-k8s-upgrade-minio-tenant` for a procedure on upgrading MinIO Tenants. + + #. Verify the existing Operator installation. + + Use ``kubectl get all -n minio-operator`` to verify the health and status of all Operator pods and services. + + If you installed the Operator to a custom namespace, specify that namespace as ``-n ``. + + Use the ``helm list`` command to view the installed charts in the namespace: + + .. code-block:: shell + :class: copyable + + helm list -n minio-operator + + The result should resemble the following: + + .. code-block:: shell + :class: copyable + + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + operator minio-operator 1 2023-11-01 15:49:54.539724775 -0400 EDT deployed operator-5.0.x v5.0.x + + #. Update the Operator Repository + + Use ``helm repo update minio-operator`` to update the MinIO Operator repo. + If you set a different alias for the MinIO Operator repository, specify that to the command. + You can use ``helm repo list`` to review your installed repositories. + + Use ``helm search`` to check the latest available chart version after updating the Operator Repo: + + .. code-block:: shell + :class: copyable + + helm search repo minio-operator + + The response should resemble the following: + + .. code-block:: shell + :class: copyable + :substitutions: + + NAME CHART VERSION APP VERSION DESCRIPTION + minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator + minio-operator/operator |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator + minio-operator/tenant |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator + + The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances. + + #. Run ``helm upgrade`` + + Helm uses the latest chart to upgrade the MinIO Operator: + + .. code-block:: shell + :class: copyable + + helm upgrade -n minio-operator \ + operator minio-operator/operator + + If you installed the MinIO Operator to a different namespace, specify that to the ``-n`` argument. + + If you used a different installation name from ``operator``, replace the value above with the installation name. + + The command results should return success with a bump in the ``REVISION`` value. + + #. Validate the Operator upgrade + + You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step. + + .. include:: /includes/common/common-k8s-connect-operator-console.rst - You can check the Operator version by reviewing the object specification for an Operator Pod using a previous step. - .. include:: /includes/common/common-k8s-connect-operator-console.rst Upgrade MinIO Operator 4.2.3 through 4.5.7 to 4.5.8 --------------------------------------------------- diff --git a/source/operations/install-deploy-manage/upgrade-minio-tenant.rst b/source/operations/install-deploy-manage/upgrade-minio-tenant.rst index 4308f956..ada06976 100644 --- a/source/operations/install-deploy-manage/upgrade-minio-tenant.rst +++ b/source/operations/install-deploy-manage/upgrade-minio-tenant.rst @@ -10,27 +10,21 @@ Upgrade a MinIO Tenant :local: :depth: 1 -Prerequisites -------------- +.. _minio-upgrade-tenant-plugin: -MinIO Kubernetes Operator and Plugin -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Upgrade the Tenant using the MinIO Kubernetes Plugin +---------------------------------------------------- -This procedures on this page *requires* a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator. -This procedure assumes the latest stable Operator and Plugin, version |operator-version-stable|. +The following procedure upgrades the MinIO Operator using the :mc:`kubectl minio tenant upgrade` command. -See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator. +If you deployed the Tenant using :ref:`Helm `, use the :ref:`minio-upgrade-tenant-helm` procedure instead. -Install the Plugin -~~~~~~~~~~~~~~~~~~ +This procedure *requires* a valid installation of the MinIO Kubernetes Operator and assumes the local host has a matching installation of the MinIO Kubernetes Operator and plugin. +This procedure assumes the latest stable Operator version |operator-version-stable|. .. include:: /includes/k8s/install-minio-kubectl-plugin.rst - -Procedure (CLI) ---------------- - -This procedure documents upgrading pods running on a MinIO Tenant. +See :ref:`deploy-operator-kubernetes` for complete documentation on deploying the MinIO Operator. .. important:: @@ -76,3 +70,73 @@ This may result in downtime until the upgrade process completes. - Replace ``TENANT_NAMESPACE`` with the namespace of the Tenant. See MinIO's `DockerHub Repository `__ for a list of available release tags. + +.. _minio-upgrade-tenant-helm: + +Upgrade the Tenant using the MinIO Helm Chart +--------------------------------------------- + +This procedure upgrades an existing MinIO Tenant using Helm Charts. + +If you deployed the Tenant using the :ref:`MinIO Kubernetes Plugin `, use the :ref:`minio-upgrade-tenant-plugin` procedure instead. + +1. Verify the existing MinIO Tenant installation. + + Use ``kubectl get all -n TENANT_NAMESPACE`` to verify the health and status of all Tenant pods and services. + + Use the ``helm list`` command to view the installed charts in the namespace: + + .. code-block:: shell + :class: copyable + + helm list -n TENANT_NAMESPACE + + The result should resemble the following: + + .. code-block:: shell + + + NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION + CHART_NAME TENANT_NAMESPACE 1 2023-11-01 15:49:58.810412732 -0400 EDT deployed tenant-5.0.x v5.0.x + +#. Update the Operator Repository + + Use ``helm repo update minio-operator`` to update the MinIO Operator repo. + If you set a different alias for the MinIO Operator repository, specify that to the command. + You can use ``helm repo list`` to review your installed repositories. + + Use ``helm search`` to check the latest available chart version after updating the Operator Repo: + + .. code-block:: shell + :class: copyable + + helm search repo minio-operator + + The response should resemble the following: + + .. code-block:: shell + :class: copyable + :substitutions: + + NAME CHART VERSION APP VERSION DESCRIPTION + minio-operator/minio-operator 4.3.7 v4.3.7 A Helm chart for MinIO Operator + minio-operator/operator |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator + minio-operator/tenant |operator-version-stable| v|operator-version-stable| A Helm chart for MinIO Operator + + The ``minio-operator/minio-operator`` is a legacy chart and should **not** be installed under normal circumstances. + +#. Run ``helm upgrade`` + + Helm uses the latest chart to upgrade the Tenant: + + .. code-block:: shell + :class: copyable + + helm upgrade -n minio-tenant \ + CHART_NAME minio-operator/tenant + + The command results should return success with a bump in the ``REVISION`` value. + +#. Validate the Tenant Upgrade + + Check that all services and pods are online and functioning normally. diff --git a/source/operations/network-encryption.rst b/source/operations/network-encryption.rst index f79a3b72..3f54d71e 100644 --- a/source/operations/network-encryption.rst +++ b/source/operations/network-encryption.rst @@ -67,17 +67,36 @@ Enabling TLS .. cond:: linux - By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory: + The MinIO Server searches for TLS keys and certificates for each node and uses those credentials for enabling TLS. + The search location depends on your MinIO configuration: - .. code-block:: shell + .. tab-set:: - ${HOME}/.minio/certs + .. tab-item:: Default Path - Where ``${HOME}`` is the home directory of the user running the MinIO Server process. - You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. + By default, the MinIO server looks for the TLS keys and certificates for each node in the following directory: + + .. code-block:: shell + + ${HOME}/.minio/certs + + Where ``${HOME}`` is the home directory of the user running the MinIO Server process. + You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. + + For ``systemd`` managed deployments this must correspond to the ``USER`` running the MinIO process. + If that user has no home directory, use the :guilabel:`Custom Path` option instead. - For deployments using :mc-cmd:`minio server --certs-dir` to set a custom TLS directory, use that directory instead of the default. - Also, if the user running the process does not have a home directory, you **must** specify a directory with ``--certs-dir``. + .. tab-item:: Custom Path + + You can specify a path for the MinIO server to search for certificates using the :mc-cmd:`minio server --certs-dir` or ``-S`` parameter. + + For example, the following command fragment directs the MinIO process to use the ``/opt/minio/certs`` directory for TLS certificates. + + .. code-block:: shell + + minio server --certs-dir /opt/minio/certs ... + + The user running the MinIO service *must* have read and write permissions to this directory. Place the TLS certificates for the default domain (e.g. ``minio.example.net``) in the ``/certs`` directory, with the private key as ``private.key`` and public certificate as ``public.crt``. @@ -85,7 +104,7 @@ Enabling TLS .. code-block:: shell - ${HOME}/.minio/certs + /path/to/certs private.key public.crt @@ -96,13 +115,12 @@ Enabling TLS certgen -host "localhost,minio-*.example.net" - Place the generated ``public.crt`` and ``private.key`` into the ``/.minio/certs`` directory to enable TLS for the MinIO deployment. + Place the generated ``public.crt`` and ``private.key`` into the ``/path/to/certs`` directory to enable TLS for the MinIO deployment. Applications can use the ``public.crt`` as a trusted Certificate Authority to allow connections to the MinIO deployment without disabling certificate validation. If you are reconfiguring an existing deployment that did not previously have TLS enabled, update :envvar:`MINIO_VOLUMES` to specify ``https`` instead of ``http``. You may also need to update URLs used by applications or clients. - .. cond:: container Start the MinIO container with the :mc-cmd:`minio/minio:latest server --certs-dir ` parameter and specify the path to a directory in which MinIO searches for certificates. @@ -229,23 +247,44 @@ Multiple Domain-Based TLS Certificates - ``https://s3.example.net`` - ``https://minio.internal-example.net`` - Create a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates. + + Place the certificates in the ``/certs`` folder, creating a subfolder in ``/certs`` for each additional domain for which MinIO should present TLS certificates. While MinIO has no requirements for folder names, consider creating subfolders whose name matches the domain to improve human readability. Place the TLS private and public key for that domain in the subfolder. + + The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``). - For example: + .. tab-set:: - .. code-block:: shell + .. tab-item:: Default Certificate Path - ${HOME}/.minio/certs - private.key - public.crt - s3-example.net/ - private.key - public.crt - internal-example.net/ - private.key - public.crt + .. code-block:: shell + + ${HOME}/.minio/certs + private.key + public.crt + s3-example.net/ + private.key + public.crt + internal-example.net/ + private.key + public.crt + + .. tab-item:: Custom Certificate Path + + The following example assumes the MinIO Server was started with ``--certs dir | -S /opt/minio/certs``: + + .. code-block:: shell + + /opt/minio/certs + private.key + public.crt + s3-example.net/ + private.key + public.crt + internal-example.net/ + private.key + public.crt While you can have a single TLS certificate that covers all hostnames with multiple Subject Alternative Names (SANs), this would reveal the ``internal-example.net`` and ``s3-example.net`` hostnames to any client which inspects the server certificate. Using a TLS certificate per hostname better protects each individual hostname from discovery. @@ -412,16 +451,24 @@ Third-Party Certificate Authorities The MinIO Server validates the TLS certificate presented by each connecting client against the host system's trusted root certificate store. - You can place additional trusted Certificate Authority files in the following directory: + Place the CA certificates in the ``/certs/CAs`` folder. + The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) - .. code-block:: shell + .. tab-set:: - ${HOME}/.minio/certs/CAs + .. tab-item:: Default Certificate Path - Where ``${HOME}`` is the home directory of the user running the MinIO Server process. - You may need to create the ``${HOME}/.minio/certs`` directory if it does not exist. + .. code-block:: shell - For deployments started with a custom TLS directory :mc-cmd:`minio server --certs-dir`, the server searches in the ``/CAs`` path at that specified directory. + mv myCA.crt ${HOME}/certs/CAs + + .. tab-item:: Custom Certificate Path + + The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: + + .. code-block:: shell + + mv myCA.crt /opt/minio/certs/CAs/ Place the certificate file for each CA into the ``/CAs`` subdirectory. Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. @@ -484,48 +531,70 @@ Third-Party Certificate Authorities Ensure all hosts in the MinIO deployment have a consistent set of trusted CAs in that directory. If the MinIO Server cannot match an incoming client's TLS certificate issuer against any of the available CAs, the server rejects the connection as invalid. -Self-signed, Internal, and Private Certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Self-signed, Internal, Private Certificates, and Public CAs with Intermediate Certificates +------------------------------------------------------------------------------------------ .. cond:: not k8s - For certificates signed by a non-global Certificate Authority, place the appropriate `X.509 `__ CA certificate in a ``{HOME}/.minio/CAs`` directory: + If using Certificates signed by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the MinIO Server. + If the MinIO server does not have the necessary CAs, it may return warnings or errors related to TLS validation when connecting to other services. - .. code-block:: shell + Place the CA certificates in the ``/certs/CAs`` folder. + The root path for this folder depends on whether you use the default certificate path *or* a custom certificate path (:mc-cmd:`minio server --certs-dir` or ``-S``) + + .. tab-set:: + + .. tab-item:: Default Certificate Path - ${HOME}/.minio/CAs - myCA.crt + .. code-block:: shell + + mv myCA.crt ${HOME}/certs/CAs + + .. tab-item:: Custom Certificate Path + + The following example assumes the MinIO Server was started with ``--certs dir /opt/minio/certs``: + + .. code-block:: shell + + mv myCA.crt /opt/minio/certs/CAs/ For a self-signed certificate, the Certificate Authority is typically the private key used to sign the cert. For certificates signed by an internal, private, or other non-global Certificate Authority, use the same CA that signed the cert. A non-global CA must include the full chain of trust from the intermediate certificate to the root. - If the provided file is not an X.509 cert, MinIO ignores the file and does not enable TLS. + If the provided file is not an X.509 certificate, MinIO ignores it and may return errors for validating certificates signed by that CA. .. cond:: k8s - To use certificates generated by a private Certificate Authority, configure MinIO Operator to trust the TLS connections to the tenants: + If deploying MinIO Tenants with certificates minted by a non-global or non-public Certificate Authority, *or* if using a global CA that requires the use of intermediate certificates, you must provide those CAs to the Operator to ensure it can trust those certificates. + + The Operator may log warnings related to TLS cert validation for Tenants deployed with untrusted certificates. + + The following procedure attaches a secret containing the ``public.crt`` of the Certificate Authority to the MinIO Operator. + You can specify multiple CAs in a single certificate, as long as you maintain the ``BEGIN`` and ``END`` delimiters as-is. + + 1. Create the ``operator-ca-tls`` secret - #. Create a secret named ``operator-ca-tls`` in the ``minio-operator`` namespace if one does not already exist. - #. Add a ``ca.crt`` key to this secret with the public certificate for your internal CA. - If ``operator-ca-tls`` already contains external CAs, append the new CA to the existing secret. - #. Add the secret in an ``externalCaCertSecret`` property in the :ref:`Tenant YAML configuration `: + The following creates a Kubernetes secret in the MinIO Operator namespace (``minio-operator``). .. code-block:: shell + :class: copyable - spec: - externalCaCertSecret: - - name: operator-ca-tls - type: kubernetes.io/tls + kubectl create secret generic operator-ca-tls \ + --from-file=public.crt -n minio-operator + + The ``public.crt`` file must correspond to a valid TLS certificate containing one or more CA definitions. + + 2. Restart the Operator + + Once created, you must restart the Operator to load the new CAs: + + .. code-block:: shell + :class: copyable + + kubectl rollout restart deployments.apps/minio-operator -n minio-operator - Once the secret is created, Operator creates a copy in each tenant namespace and mounts its certificates in the tenant pods at ``/tmp/certs/CAs/``. - - If the ``operator-ca-tls`` secret is updated, Operator replicates the new secret to the corresponding copies in the tenant namespaces. - Operator replicates changes in the following files: - - ``public.crt`` - - ``tls.crt`` - - ``ca.crt`` diff --git a/source/reference/operator-chart-values.rst b/source/reference/operator-chart-values.rst new file mode 100644 index 00000000..f6c91ef6 --- /dev/null +++ b/source/reference/operator-chart-values.rst @@ -0,0 +1,46 @@ +.. _minio-operator-chart-values: + +=============================== +Operator and Tenant Helm Charts +=============================== + +.. default-domain:: minio + +.. contents:: Table of Contents + :local: + :depth: 1 + +MinIO publishes `Helm Charts `__ for the MinIO Operator and Tenants. +You can use these charts to deploy the MinIO Operator and managed Tenants through Helm. + +The following page documents the ``values.yaml`` for each chart. + +.. _minio-operator-chart-operator-values: + +MinIO Operator Chart +-------------------- + +.. tab-set:: + + .. tab-item:: Reference + + .. autoyaml:: /source/includes/k8s/operator-values.yaml + + .. tab-item:: YAML + + .. literalinclude:: /includes/k8s/operator-values.yaml + +.. _minio-operator-chart-tenant-values: + +MinIO Tenant Chart +------------------ + +.. tab-set:: + + .. tab-item:: Reference + + .. autoyaml:: /source/includes/k8s/tenant-values.yaml + + .. tab-item:: YAML + + .. literalinclude:: /includes/k8s/tenant-values.yaml \ No newline at end of file diff --git a/source/url-excludes.yaml b/source/url-excludes.yaml index 65470b85..8e3e3e21 100644 --- a/source/url-excludes.yaml +++ b/source/url-excludes.yaml @@ -8,6 +8,7 @@ excludes: - 'operations/install-deploy-manage/upgrade-minio-operator.rst' - 'operations/install-deploy-manage/delete-minio-tenant.rst' - 'operations/install-deploy-manage/minio-operator-console.rst' +- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' - 'operations/deploy-manage-tenants.rst' - 'developers/sts-for-operator.rst' - 'reference/kubectl-minio-plugin.rst' @@ -24,6 +25,7 @@ excludes: - 'reference/kubectl-minio-plugin/kubectl-minio-tenant.rst' - 'reference/kubectl-minio-plugin/kubectl-minio-version.rst' - 'reference/operator-crd.rst' +- 'reference/operator-chart-values.rst' --- tag: macos excludes: @@ -35,12 +37,14 @@ excludes: - 'operations/install-deploy-manage/upgrade-minio-operator.rst' - 'operations/install-deploy-manage/delete-minio-tenant.rst' - 'operations/install-deploy-manage/minio-operator-console.rst' +- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' - 'operations/deploy-manage-tenants.rst' - 'reference/kubectl-minio-plugin*' - 'reference/minio-server*' - 'reference/minio-mc*' - 'reference/deprecated/*' - 'reference/operator-crd.rst' +- 'reference/operator-chart-values.rst' - 'developers/*' - 'integrations/*' --- @@ -64,12 +68,14 @@ excludes: - 'operations/install-deploy-manage/upgrade-minio-operator.rst' - 'operations/install-deploy-manage/delete-minio-tenant.rst' - 'operations/install-deploy-manage/minio-operator-console.rst' +- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' - 'operations/deploy-manage-tenants.rst' - 'reference/kubectl-minio-plugin*' - 'reference/minio-server*' - 'reference/minio-mc*' - 'reference/deprecated/*' - 'reference/operator-crd.rst' +- 'reference/operator-chart-values.rst' - 'developers/*' - 'integrations/*' --- @@ -88,11 +94,13 @@ excludes: - 'operations/install-deploy-manage/decommission-server-pool.rst' - 'operations/install-deploy-manage/expand-minio-deployment.rst' - 'operations/deploy-manage-tenants.rst' +- 'operations/install-deploy-manage/deploy-minio-tenant-helm.rst' - 'reference/kubectl-minio-plugin*' - 'reference/minio-server*' - 'reference/minio-mc*' - 'reference/deprecated/*' - 'reference/operator-crd.rst' +- 'reference/operator-chart-values.rst' - 'developers/*' - 'integrations/*' --- diff --git a/sync-minio-operator-crd.sh b/sync-minio-operator-crd.sh index ee03a4c0..e6109045 100755 --- a/sync-minio-operator-crd.sh +++ b/sync-minio-operator-crd.sh @@ -7,6 +7,9 @@ function main() { curl --retry 10 -Ls https://raw.githubusercontent.com/minio/operator/v${OPERATOR}/docs/tenant_crd.adoc | asciidoc -b docbook - | pandoc -f docbook -t markdown_strict - -o source/includes/k8s/ext-tenant-crd.md + curl --retry 10 -Ls https://raw.githubusercontent.com/minio/operator/v${OPERATOR}/helm/operator/values.yaml -o source/includes/k8s/operator-values.yaml + curl --retry 10 -Ls https://raw.githubusercontent.com/minio/operator/v${OPERATOR}/helm/tenant/values.yaml -o source/includes/k8s/tenant-values.yaml + # To make the include nicer, this strips out the top H1 and reorders all headers thereafter KNAME=$(uname -s) @@ -24,4 +27,4 @@ function main() { esac } -main \ No newline at end of file +main