---
# Source: minio/templates/serviceaccount.yaml
# ServiceAccount referenced by both the MinIO Deployment and the post-install
# Job (each sets `serviceAccountName: minio-sa`).
# NOTE(review): automountServiceAccountToken is not set here or on either pod
# spec, so the Kubernetes default (token mounted into the pod) presumably
# applies. Nothing visible in this manifest calls the Kubernetes API; consider
# disabling the mount - confirm no sidecar or operator depends on it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "minio-sa"
---
# Source: minio/templates/secrets.yaml
# MinIO root credentials. Consumers visible in this manifest:
#   - Deployment env MINIO_ROOT_USER / MINIO_ROOT_PASSWORD (secretKeyRef)
#   - Deployment volume `minio-user`, mounted read-only at /tmp/credentials
#   - Job projected volume `minio-configuration`, mounted at /config, where the
#     scripts read /config/rootUser and /config/rootPassword
# Security: values under `data` are base64-encoded, not encrypted, so anyone
# who can read this manifest (or `get` the Secret) recovers them directly.
# These two decode to a short, guessable default pair. For anything other than
# a throwaway demo, generate strong values and supply them from a secret store
# instead of a rendered manifest kept in version control.
apiVersion: v1
kind: Secret
metadata:
  name: minio
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
type: Opaque
data:
  rootUser: "YWRtaW4="
  rootPassword: "YWRtaW5hZG1pbg=="
---
# Source: minio/templates/configmap.yaml
# Shell scripts for the post-install Job. In the manifest shown here the Job
# sources `initialize` (container minio-make-bucket) and `add-user` (container
# minio-make-user); `add-policy`, `add-svcacct` and `custom-command` are
# rendered but no visible container sources them.
# Security notes that apply to every script in this ConfigMap:
#   - `mc --insecure` disables TLS certificate verification. The Job containers
#     copy a CA certificate into /etc/minio/mc/certs/CAs, but with this flag
#     the endpoint's certificate is not checked against it.
#     NOTE(review): drop `--insecure` once the served certificate is confirmed
#     to be valid for the `minio` endpoint name used by the Job.
#   - connectToMinio expands the root access key and secret onto the
#     `mc alias set` command line, so they appear in the process arguments
#     inside the container.
#   - ConfigMap content is not treated as secret by Kubernetes; any credential
#     written literally into these scripts is readable by everyone with `get`
#     on ConfigMaps in the namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: minio
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
data:
  # initialize: waits for MinIO (retry loop sleeps 2 s between attempts, the
  # in-script comment says 1 s), then calls
  # `createBucket demo "public" false false false`.
  # Security: the final step runs `mc anonymous set public` on bucket `demo`,
  # which in mc grants anonymous download and upload. Everything stored in that
  # bucket is reachable without credentials wherever the MinIO Service is
  # reachable (the Service below is of type NodePort).
  initialize: |-
    #!/bin/sh
    set -e # Have script exit in the event of a failed command.
    MC_CONFIG_DIR="/etc/minio/mc/"
    MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"

    # connectToMinio
    # Use a check-sleep-check loop to wait for MinIO service to be available
    connectToMinio() {
      SCHEME=$1
      ATTEMPTS=0
      LIMIT=29 # Allow 30 attempts
      set -e # fail if we can't read the keys.
      ACCESS=$(cat /config/rootUser)
      SECRET=$(cat /config/rootPassword)
      set +e # The connections to minio are allowed to fail.
      echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT"
      MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET"
      $MC_COMMAND
      STATUS=$?
      until [ $STATUS = 0 ]; do
        ATTEMPTS=$(expr $ATTEMPTS + 1)
        echo \"Failed attempts: $ATTEMPTS\"
        if [ $ATTEMPTS -gt $LIMIT ]; then
          exit 1
        fi
        sleep 2 # 1 second intervals between attempts
        $MC_COMMAND
        STATUS=$?
      done
      set -e # reset `e` as active
      return 0
    }

    # checkBucketExists ($bucket)
    # Check if the bucket exists, by using the exit code of `mc ls`
    checkBucketExists() {
      BUCKET=$1
      CMD=$(${MC} stat myminio/$BUCKET >/dev/null 2>&1)
      return $?
    }

    # createBucket ($bucket, $policy, $purge)
    # Ensure bucket exists, purging if asked to
    createBucket() {
      BUCKET=$1
      POLICY=$2
      PURGE=$3
      VERSIONING=$4
      OBJECTLOCKING=$5

      # Purge the bucket, if set & exists
      # Since PURGE is user input, check explicitly for `true`
      if [ $PURGE = true ]; then
        if checkBucketExists $BUCKET; then
          echo "Purging bucket '$BUCKET'."
          set +e # don't exit if this fails
          ${MC} rm -r --force myminio/$BUCKET
          set -e # reset `e` as active
        else
          echo "Bucket '$BUCKET' does not exist, skipping purge."
        fi
      fi

      # Create the bucket if it does not exist and set objectlocking if enabled (NOTE: versioning will be not changed if OBJECTLOCKING is set because it enables versioning to the Buckets created)
      if ! checkBucketExists $BUCKET; then
        if [ ! -z $OBJECTLOCKING ]; then
          if [ $OBJECTLOCKING = true ]; then
            echo "Creating bucket with OBJECTLOCKING '$BUCKET'"
            ${MC} mb --with-lock myminio/$BUCKET
          elif [ $OBJECTLOCKING = false ]; then
            echo "Creating bucket '$BUCKET'"
            ${MC} mb myminio/$BUCKET
          fi
        elif [ -z $OBJECTLOCKING ]; then
          echo "Creating bucket '$BUCKET'"
          ${MC} mb myminio/$BUCKET
        else
          echo "Bucket '$BUCKET' already exists."
        fi
      fi

      # set versioning for bucket if objectlocking is disabled or not set
      if [ $OBJECTLOCKING = false ]; then
        if [ ! -z $VERSIONING ]; then
          if [ $VERSIONING = true ]; then
            echo "Enabling versioning for '$BUCKET'"
            ${MC} version enable myminio/$BUCKET
          elif [ $VERSIONING = false ]; then
            echo "Suspending versioning for '$BUCKET'"
            ${MC} version suspend myminio/$BUCKET
          fi
        fi
      else
        echo "Bucket '$BUCKET' versioning unchanged."
      fi

      # At this point, the bucket should exist, skip checking for existence
      # Set policy on the bucket
      echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
      ${MC} anonymous set $POLICY myminio/$BUCKET
    }

    # Try connecting to MinIO instance
    scheme=https
    connectToMinio $scheme

    # Create the buckets
    createBucket demo "public" false false false
  # add-user: writes an access key and a secret key as two lines into
  # /tmp/accessKey_and_secretKey_tmp, pipes that file to `mc admin user add`,
  # removes the file, then attaches the policy passed to createUser.
  # Security:
  #   - The user name and password are literal strings in this ConfigMap (the
  #     two `echo ... $MINIO_ACCESSKEY_SECRETKEY_TMP` lines near the end); the
  #     password is short and derived from the user name, and the account is
  #     given `consoleAdmin`, MinIO's built-in administrative policy. Move both
  #     values into a Secret and use a generated password.
  #   - The script uses `[[ ... ]]` although it is run by /bin/sh; this only
  #     works if /bin/sh in the mc image accepts that bash syntax - confirm.
  add-user: |-
    #!/bin/sh
    set -e ; # Have script exit in the event of a failed command.
    MC_CONFIG_DIR="/etc/minio/mc/"
    MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"

    # AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
    # Special characters for example : ',",<,>,{,}
    MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_tmp"

    # connectToMinio
    # Use a check-sleep-check loop to wait for MinIO service to be available
    connectToMinio() {
      SCHEME=$1
      ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
      set -e ; # fail if we can't read the keys.
      ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
      set +e ; # The connections to minio are allowed to fail.
      echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
      MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
      $MC_COMMAND ;
      STATUS=$? ;
      until [ $STATUS = 0 ]
      do
        ATTEMPTS=`expr $ATTEMPTS + 1` ;
        echo \"Failed attempts: $ATTEMPTS\" ;
        if [ $ATTEMPTS -gt $LIMIT ]; then
          exit 1 ;
        fi ;
        sleep 2 ; # 1 second intervals between attempts
        $MC_COMMAND ;
        STATUS=$? ;
      done ;
      set -e ; # reset `e` as active
      return 0
    }

    # checkUserExists ()
    # Check if the user exists, by using the exit code of `mc admin user info`
    checkUserExists() {
      CMD=$(${MC} admin user info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
      return $?
    }

    # createUser ($policy)
    createUser() {
      POLICY=$1
      #check accessKey_and_secretKey_tmp file
      if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
        echo "credentials file does not exist"
        return 1
      fi
      if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
        echo "credentials file is invalid"
        rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
        return 1
      fi
      USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
      # Create the user if it does not exist
      if ! checkUserExists ; then
        echo "Creating user '$USER'"
        cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio
      else
        echo "User '$USER' already exists."
      fi
      #clean up credentials files.
      rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP

      # set policy for user
      if [ ! -z $POLICY -a $POLICY != " " ] ; then
        echo "Adding policy '$POLICY' for '$USER'"
        set +e ; # policy already attach errors out, allow it.
        ${MC} admin policy attach myminio $POLICY --user=$USER
        set -e
      else
        echo "User '$USER' has no policy attached."
      fi
    }

    # Try connecting to MinIO instance
    scheme=https
    connectToMinio $scheme

    # Create the users
    echo console > $MINIO_ACCESSKEY_SECRETKEY_TMP
    echo console123 >> $MINIO_ACCESSKEY_SECRETKEY_TMP
    createUser consoleAdmin
  # add-policy: defines checkPolicyExists / createPolicy and connects to MinIO;
  # no createPolicy call follows in this rendering. createPolicy runs
  # `mc admin policy create` whether or not the policy already exists - the
  # existence check only selects which message is printed.
  add-policy: |-
    #!/bin/sh
    set -e ; # Have script exit in the event of a failed command.
    MC_CONFIG_DIR="/etc/minio/mc/"
    MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"

    # connectToMinio
    # Use a check-sleep-check loop to wait for MinIO service to be available
    connectToMinio() {
      SCHEME=$1
      ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
      set -e ; # fail if we can't read the keys.
      ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
      set +e ; # The connections to minio are allowed to fail.
      echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
      MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
      $MC_COMMAND ;
      STATUS=$? ;
      until [ $STATUS = 0 ]
      do
        ATTEMPTS=`expr $ATTEMPTS + 1` ;
        echo \"Failed attempts: $ATTEMPTS\" ;
        if [ $ATTEMPTS -gt $LIMIT ]; then
          exit 1 ;
        fi ;
        sleep 2 ; # 1 second intervals between attempts
        $MC_COMMAND ;
        STATUS=$? ;
      done ;
      set -e ; # reset `e` as active
      return 0
    }

    # checkPolicyExists ($policy)
    # Check if the policy exists, by using the exit code of `mc admin policy info`
    checkPolicyExists() {
      POLICY=$1
      CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
      return $?
    }

    # createPolicy($name, $filename)
    createPolicy () {
      NAME=$1
      FILENAME=$2

      # Create the name if it does not exist
      echo "Checking policy: $NAME (in /config/$FILENAME.json)"
      if ! checkPolicyExists $NAME ; then
        echo "Creating policy '$NAME'"
      else
        echo "Policy '$NAME' already exists."
      fi
      ${MC} admin policy create myminio $NAME /config/$FILENAME.json
    }

    # Try connecting to MinIO instance
    scheme=https
    connectToMinio $scheme
  # add-svcacct: defines checkSvcacctExists / createSvcacct and connects to
  # MinIO; no createSvcacct call follows in this rendering.
  # Security: createSvcacct passes the secret key as the value of the
  # `--secret-key` command-line argument, so it would appear in the process
  # arguments while mc runs.
  add-svcacct: |-
    #!/bin/sh
    set -e ; # Have script exit in the event of a failed command.
    MC_CONFIG_DIR="/etc/minio/mc/"
    MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"

    # AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
    # Special characters for example : ',",<,>,{,}
    MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp"

    # connectToMinio
    # Use a check-sleep-check loop to wait for MinIO service to be available
    connectToMinio() {
      SCHEME=$1
      ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
      set -e ; # fail if we can't read the keys.
      ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
      set +e ; # The connections to minio are allowed to fail.
      echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
      MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
      $MC_COMMAND ;
      STATUS=$? ;
      until [ $STATUS = 0 ]
      do
        ATTEMPTS=`expr $ATTEMPTS + 1` ;
        echo \"Failed attempts: $ATTEMPTS\" ;
        if [ $ATTEMPTS -gt $LIMIT ]; then
          exit 1 ;
        fi ;
        sleep 2 ; # 2 second intervals between attempts
        $MC_COMMAND ;
        STATUS=$? ;
      done ;
      set -e ; # reset `e` as active
      return 0
    }

    # checkSvcacctExists ()
    # Check if the svcacct exists, by using the exit code of `mc admin user svcacct info`
    checkSvcacctExists() {
      CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
      return $?
    }

    # createSvcacct ($user)
    createSvcacct () {
      USER=$1
      FILENAME=$2
      #check accessKey_and_secretKey_tmp file
      if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
        echo "credentials file does not exist"
        return 1
      fi
      if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
        echo "credentials file is invalid"
        rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
        return 1
      fi
      SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
      # Create the svcacct if it does not exist
      if ! checkSvcacctExists ; then
        echo "Creating svcacct '$SVCACCT'"
        # Check if policy file is define
        if [ -z $FILENAME ]; then
          ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
        else
          ${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER
        fi
      else
        echo "Svcacct '$SVCACCT' already exists."
      fi
      #clean up credentials files.
      rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
    }

    # Try connecting to MinIO instance
    scheme=https
    connectToMinio $scheme
  # custom-command: defines runCommand, which forwards its arguments to mc
  # under the root alias, and connects to MinIO; no runCommand call follows in
  # this rendering.
  custom-command: |-
    #!/bin/sh
    set -e ; # Have script exit in the event of a failed command.
    MC_CONFIG_DIR="/etc/minio/mc/"
    MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"

    # connectToMinio
    # Use a check-sleep-check loop to wait for MinIO service to be available
    connectToMinio() {
      SCHEME=$1
      ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
      set -e ; # fail if we can't read the keys.
      ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
      set +e ; # The connections to minio are allowed to fail.
      echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
      MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
      $MC_COMMAND ;
      STATUS=$? ;
      until [ $STATUS = 0 ]
      do
        ATTEMPTS=`expr $ATTEMPTS + 1` ;
        echo \"Failed attempts: $ATTEMPTS\" ;
        if [ $ATTEMPTS -gt $LIMIT ]; then
          exit 1 ;
        fi ;
        sleep 2 ; # 1 second intervals between attempts
        $MC_COMMAND ;
        STATUS=$? ;
      done ;
      set -e ; # reset `e` as active
      return 0
    }

    # runCommand ($@)
    # Run custom mc command
    runCommand() {
      ${MC} "$@"
      return $?
    }

    # Try connecting to MinIO instance
    scheme=https
    connectToMinio $scheme
---
# Source: minio/templates/pvc.yaml
# 10Gi ReadWriteOnce claim; mounted at /export by the Deployment (volume
# `export`), which is the data directory passed to `minio server`.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: minio
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
spec:
  accessModes:
    - "ReadWriteOnce"
  resources:
    requests:
      storage: "10Gi"
---
# Source: minio/templates/console-service.yaml
# Exposes the MinIO console (container port 9001) through a NodePort, i.e. on
# an allocated port of every cluster node.
# NOTE(review): the console is an administrative interface and this manifest
# ships default root credentials plus a hard-coded console user. Unless node
# ports are firewalled, prefer `type: ClusterIP` behind an authenticated
# ingress or port-forward.
apiVersion: v1
kind: Service
metadata:
  name: minio-console
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
spec:
  type: NodePort
  externalTrafficPolicy: "Cluster"
  ports:
    - name: https
      port: 9001
      protocol: TCP
      targetPort: 9001
  selector:
    app: minio
    release: minio
---
# Source: minio/templates/service.yaml
# Exposes the MinIO S3 API (container port 9000) through a NodePort. This is
# also the endpoint through which the anonymously accessible `demo` bucket is
# reached.
# The `monitoring: "true"` label is presumably matched by a metrics scraper
# selector defined elsewhere - confirm.
apiVersion: v1
kind: Service
metadata:
  name: minio
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
    monitoring: "true"
spec:
  type: NodePort
  externalTrafficPolicy: "Cluster"
  ports:
    - name: https
      port: 9000
      protocol: TCP
      targetPort: 9000
  selector:
    app: minio
    release: minio
---
# Source: minio/templates/deployment.yaml
# Single-replica MinIO server with TLS on both the API (9000) and console
# (9001) ports. The TLS key pair comes from an ephemeral volume provisioned by
# the `secrets.stackable.tech` storage class.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: minio
  labels:
    app: minio
    chart: minio-5.4.0
    release: minio
    heritage: Helm
    stackable.tech/vendor: Stackable
spec:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 0
  replicas: 1
  selector:
    matchLabels:
      app: minio
      release: minio
  template:
    metadata:
      name: minio
      labels:
        app: minio
        release: minio
        stackable.tech/vendor: Stackable
      annotations:
        checksum/secrets: fa63e34a92c817c84057e2d452fa683e66462a57b0529388fb96a57e05f38e57
        checksum/config: ebea49cc4c1bfbd1b156a58bf770a776ff87fe199f642d31c2816b5515112e72
    spec:
      # Pod runs as uid/gid 1000 with fsGroup 1000. runAsNonRoot and a
      # seccompProfile are not set at this level.
      securityContext:
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
        runAsGroup: 1000
        runAsUser: 1000
      serviceAccountName: minio-sa
      containers:
        - name: minio
          # NOTE(review): the image is pinned by tag only. A tag can be moved
          # to different content; pinning by digest (image@sha256:<digest>)
          # makes the deployed binary verifiable.
          image: "quay.io/minio/minio:RELEASE.2024-12-18T13-15-44Z"
          imagePullPolicy: IfNotPresent
          # Copies tls.crt / tls.key from the `tls` volume to the file names
          # MinIO expects (public.crt / private.key) inside the memory-backed
          # `certs` volume, then starts the server with that certs directory.
          command:
            - "/bin/sh"
            - "-ce"
            - |
              # minio requires the TLS key pair to be specially named
              # mkdir -p /etc/minio/certs
              cp -v /etc/minio/original_certs/tls.crt /etc/minio/certs/public.crt
              cp -v /etc/minio/original_certs/tls.key /etc/minio/certs/private.key

              /usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001
          volumeMounts:
            # The root-credential Secret is mounted as files here in addition
            # to being injected through env below.
            # NOTE(review): nothing in the visible command reads
            # /tmp/credentials; if it is unused, dropping one of the two
            # delivery paths reduces where the credentials are exposed.
            - name: minio-user
              mountPath: "/tmp/credentials"
              readOnly: true
            - name: export
              mountPath: /export
            - mountPath: /etc/minio/original_certs
              name: tls
            - mountPath: /etc/minio/certs
              name: certs
          ports:
            - name: https
              containerPort: 9000
            - name: https-console
              containerPort: 9001
          env:
            - name: MINIO_ROOT_USER
              valueFrom:
                secretKeyRef:
                  name: minio
                  key: rootUser
            - name: MINIO_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: minio
                  key: rootPassword
            # `public` serves the Prometheus metrics endpoints without
            # authentication; they are reachable through the same NodePort as
            # the S3 API.
            - name: MINIO_PROMETHEUS_AUTH_TYPE
              value: "public"
          # Requests only; no CPU or memory limits are set.
          resources:
            requests:
              cpu: 1
              memory: 2Gi
          # Only readOnlyRootFilesystem is set, and it is disabled.
          # NOTE(review): allowPrivilegeEscalation: false and dropping all
          # capabilities are not set; consider adding them, and check whether
          # the root filesystem can be made read-only given that data and
          # certs live on mounted volumes.
          securityContext:
            readOnlyRootFilesystem: false
      volumes:
        - name: export
          persistentVolumeClaim:
            claimName: minio
        - name: minio-user
          secret:
            secretName: minio
        # Ephemeral volume requested from the `secrets.stackable.tech` storage
        # class with class `tls` and scope `service=minio`; the container
        # expects tls.crt and tls.key in it.
        - ephemeral:
            volumeClaimTemplate:
              metadata:
                annotations:
                  secrets.stackable.tech/class: tls
                  secrets.stackable.tech/scope: service=minio
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 1
                storageClassName: secrets.stackable.tech
          name: tls
        # Memory-backed emptyDir: the renamed copy of the private key is kept
        # off persistent storage.
        - emptyDir:
            medium: Memory
            sizeLimit: 5Mi
          name: certs
---
# Source: minio/templates/post-job.yaml
# Helm hook Job that runs after install and upgrade, and is deleted on success
# and before the next hook run. Its containers source the bootstrap scripts
# from the ConfigMap above.
# NOTE(review): no securityContext is set on the pod or on either container,
# so they run as whatever user the mc image defaults to, with default
# privilege-escalation and capability settings.
apiVersion: batch/v1
kind: Job
metadata:
  name: minio-post-job
  labels:
    app: minio-post-job
    chart: minio-5.4.0
    release: minio
    heritage: Helm
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
spec:
  template:
    metadata:
      labels:
        app: minio-job
        release: minio
        stackable.tech/vendor: Stackable
    spec:
      restartPolicy: OnFailure
      volumes:
        - name: etc-path
          emptyDir: {}
        # Mounted at /tmp; the add-user script writes its temporary
        # credentials file here and removes it after use.
        - name: tmp
          emptyDir: {}
        # Projects the ConfigMap scripts and the root-credential Secret into
        # one directory (/config), so every container that mounts it can read
        # rootUser and rootPassword.
        - name: minio-configuration
          projected:
            sources:
              - configMap:
                  name: minio
              - secret:
                  name: minio
        - ephemeral:
            volumeClaimTemplate:
              metadata:
                annotations:
                  secrets.stackable.tech/class: tls
                  secrets.stackable.tech/scope: service=minio
              spec:
                accessModes:
                  - ReadWriteOnce
                resources:
                  requests:
                    storage: 1
                storageClassName: secrets.stackable.tech
          name: tls
        - emptyDir:
            medium: Memory
            sizeLimit: 5Mi
          name: certs
      serviceAccountName: minio-sa
      containers:
        # Creates the `demo` bucket by sourcing /config/initialize.
        - name: minio-make-bucket
          # NOTE(review): tag-pinned image; see the digest-pinning note on the
          # Deployment image.
          image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
          imagePullPolicy: IfNotPresent
          # Places ca.crt from the `tls` volume into mc's CA directory. The
          # sourced script invokes mc with `--insecure`, so this CA is not
          # enforced for the connection.
          command:
            - "/bin/sh"
            - "-ce"
            - |
              # Copy the CA cert from the "tls" SecretClass
              # mkdir -p /etc/minio/mc/certs/CAs
              cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt

              . /config/initialize
          env:
            - name: MINIO_ENDPOINT
              value: minio
            - name: MINIO_PORT
              value: "9000"
          volumeMounts:
            - name: etc-path
              mountPath: /etc/minio/mc
            - name: tmp
              mountPath: /tmp
            - name: minio-configuration
              mountPath: /config
            - name: tls
              mountPath: /etc/minio/mc/original_certs
            - name: certs
              mountPath: /etc/minio/mc/certs/CAs
          resources:
            requests:
              memory: 128Mi
        # Creates the console user by sourcing /config/add-user.
        - name: minio-make-user
          image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z"
          imagePullPolicy: IfNotPresent
          command:
            - "/bin/sh"
            - "-ce"
            - |
              # Copy the CA cert from the "tls" SecretClass
              # mkdir -p /etc/minio/mc/certs/CAs
              cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt

              . /config/add-user
          env:
            - name: MINIO_ENDPOINT
              value: minio
            - name: MINIO_PORT
              value: "9000"
          volumeMounts:
            - name: etc-path
              mountPath: /etc/minio/mc
            - name: tmp
              mountPath: /tmp
            - name: minio-configuration
              mountPath: /config
            - name: tls
              mountPath: /etc/minio/mc/original_certs
            - name: certs
              mountPath: /etc/minio/mc/certs/CAs
          resources:
            requests:
              memory: 128Mi