From 604889f982472ba76c69c820f5f35250d0b1f5a9 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 18 Mar 2025 14:13:52 +0100 Subject: [PATCH 1/3] fix(stack/minio-tls): Enable tls This adds a bunch of settings, but also breaks the configuration. The next commit will remove the broken part --- .../_templates/minio-tls/rendered-chart.yaml | 74 ++++++++++++++----- stacks/_templates/minio-tls/values.yaml | 34 +++++++++ 2 files changed, 91 insertions(+), 17 deletions(-) diff --git a/stacks/_templates/minio-tls/rendered-chart.yaml b/stacks/_templates/minio-tls/rendered-chart.yaml index 87a7bfab..73d23d32 100644 --- a/stacks/_templates/minio-tls/rendered-chart.yaml +++ b/stacks/_templates/minio-tls/rendered-chart.yaml @@ -135,7 +135,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme @@ -223,7 +223,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme @@ -291,7 +291,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme @@ -372,7 +372,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme @@ -418,7 +418,7 @@ data: } # Try connecting to MinIO instance - scheme=http + scheme=https connectToMinio $scheme --- # Source: minio/templates/pvc.yaml @@ -452,7 +452,7 @@ spec: type: NodePort externalTrafficPolicy: "Cluster" ports: - - name: http + - name: https port: 9001 protocol: TCP targetPort: 9001 @@ -475,7 +475,7 @@ spec: type: NodePort externalTrafficPolicy: "Cluster" ports: - - name: http + - name: https port: 9000 protocol: TCP targetPort: 9000 @@ -514,7 +514,7 @@ spec: stackable.tech/vendor: Stackable annotations: checksum/secrets: fa63e34a92c817c84057e2d452fa683e66462a57b0529388fb96a57e05f38e57 - checksum/config: 2b1e6b6d0485236a84032ab7e9eeee4a7bac29d2b63d3b0260bde76e84626730 + checksum/config: ebea49cc4c1bfbd1b156a58bf770a776ff87fe199f642d31c2816b5515112e72 spec: securityContext: 
@@ -531,27 +531,25 @@ spec: command: - "/bin/sh" - "-ce" - - | - # minio requires the TLS key pair to be specially named - # mkdir -p /etc/minio/certs - cp -v /etc/minio/original_certs/tls.crt /etc/minio/certs/public.crt - cp -v /etc/minio/original_certs/tls.key /etc/minio/certs/private.key - - /usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001 + - "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" volumeMounts: - name: minio-user mountPath: "/tmp/credentials" readOnly: true - name: export mountPath: /export + - name: cert-secret-volume + mountPath: /etc/minio/certs/ + - name: trusted-cert-secret-volume + mountPath: /etc/minio/certs/CAs - mountPath: /etc/minio/original_certs name: tls - mountPath: /etc/minio/certs name: certs ports: - - name: http + - name: https containerPort: 9000 - - name: http-console + - name: https-console containerPort: 9001 env: - name: MINIO_ROOT_USER @@ -579,6 +577,20 @@ spec: - name: minio-user secret: secretName: minio + - name: cert-secret-volume + secret: + secretName: + items: + - key: public.crt + path: public.crt + - key: private.key + path: private.key + - name: trusted-cert-secret-volume + secret: + secretName: + items: + - key: public.crt + path: public.crt - ephemeral: volumeClaimTemplate: @@ -633,6 +645,30 @@ spec: name: minio - secret: name: minio + - name: cert-secret-volume-mc + secret: + secretName: + items: + - key: public.crt + path: CAs/public.crt + - ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: service=minio + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1 + storageClassName: secrets.stackable.tech + name: tls + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: certs serviceAccountName: minio-sa containers: - name: minio-make-bucket 
@@ -651,6 +687,8 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config + - name: cert-secret-volume-mc + mountPath: /etc/minio/mc/certs resources: requests: memory: 128Mi @@ -670,6 +708,8 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config + - name: cert-secret-volume-mc + mountPath: /etc/minio/mc/certs resources: requests: memory: 128Mi diff --git a/stacks/_templates/minio-tls/values.yaml b/stacks/_templates/minio-tls/values.yaml index bff4111a..208de321 100644 --- a/stacks/_templates/minio-tls/values.yaml +++ b/stacks/_templates/minio-tls/values.yaml @@ -20,6 +20,8 @@ service: consoleService: type: NodePort nodePort: null +tls: + enabled: true extraVolumes: # Request a TLS certificate from the secret-operator - name: tls @@ -49,3 +51,35 @@ extraVolumeMounts: # On startup, we will rename the certs and move them here: - mountPath: /etc/minio/certs name: certs + +customCommandJob: + extraVolumes: + # Request a TLS certificate from the secret-operator + - name: tls + ephemeral: + volumeClaimTemplate: + metadata: + annotations: + secrets.stackable.tech/class: tls + secrets.stackable.tech/scope: |- + service=minio + spec: + storageClassName: secrets.stackable.tech + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1 + # Create an in-memory emptyDir to copy the certs to (to avoid permission errors) + - name: certs + emptyDir: + sizeLimit: 5Mi + medium: Memory + # WARNING: this is currently only used by the custom-scripts job container. Other containers do not mount these. + extraVolumeMounts: + # Mount the certificate generated by the secret-operator + - name: tls + mountPath: /etc/minio/mc/original_certs + # On startup, we will rename the certs and move them here: + - mountPath: /etc/minio/mc/certs/CAs + name: certs From 86d8d8eb8b92d92560d2288c5127c89e1f7e3e10 Mon Sep 17 00:00:00 2001 
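Review bot: The `customCommandJob.extraVolumes` entry in values.yaml requests the `tls` SecretClass with the same `service=minio` scope as the server volume, so the job pods presumably receive a full serving key pair for the minio identity although the jobs only need a CA certificate to verify the server; confirm against the secret-operator whether a CA-only or narrower request is possible, and if not, at least mount the volume read-only (`readOnly: true` on the `/etc/minio/mc/original_certs` mount). The WARNING comment above `extraVolumeMounts` also goes stale once the last patch in this series hand-edits rendered-chart.yaml to mount these volumes into the `minio-make-bucket` and `minio-make-user` containers, since re-rendering the chart from this values.yaml would drop those mounts and the ca.crt copy. I would extend the comment to `# NOTE: rendered-chart.yaml is patched by hand to mount these into the make-bucket/make-user job containers; re-rendering from this file will lose that.`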
From: Nick Larsen Date: Tue, 18 Mar 2025 09:29:12 +0100 Subject: [PATCH 2/3] chore(stack/minio-tls): Override command to copy certs to the correct names --- stacks/_templates/minio-tls/rendered-chart.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/stacks/_templates/minio-tls/rendered-chart.yaml b/stacks/_templates/minio-tls/rendered-chart.yaml index 73d23d32..4719fbc2 100644 --- a/stacks/_templates/minio-tls/rendered-chart.yaml +++ b/stacks/_templates/minio-tls/rendered-chart.yaml @@ -531,7 +531,13 @@ spec: command: - "/bin/sh" - "-ce" - - "/usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001" + - | + # minio requires the TLS key pair to be specially named + # mkdir -p /etc/minio/certs + cp -v /etc/minio/original_certs/tls.crt /etc/minio/certs/public.crt + cp -v /etc/minio/original_certs/tls.key /etc/minio/certs/private.key + + /usr/bin/docker-entrypoint.sh minio server /export -S /etc/minio/certs/ --address :9000 --console-address :9001 volumeMounts: - name: minio-user mountPath: "/tmp/credentials" From da7817e949f8ba21ed4806e61612348f375b10d5 Mon Sep 17 00:00:00 2001 From: Nick Larsen Date: Tue, 18 Mar 2025 14:43:24 +0100 Subject: [PATCH 3/3] fix(stack/minio-tls): Manually mount certs - Remove the invalid Secret mount - Add mounts for secret-operator to store certs - Override Job commands to place CA certs in the right place --- .../_templates/minio-tls/rendered-chart.yaml | 58 +++++++++---------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/stacks/_templates/minio-tls/rendered-chart.yaml b/stacks/_templates/minio-tls/rendered-chart.yaml index 4719fbc2..21741bc5 100644 --- a/stacks/_templates/minio-tls/rendered-chart.yaml +++ b/stacks/_templates/minio-tls/rendered-chart.yaml 
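Review bot: `cp -v` of `tls.key` to `/etc/minio/certs/private.key` creates the copy with the container's umask, so the private key in the memory-backed emptyDir is presumably readable by every user in the container; follow the copy with `chmod 0600 /etc/minio/certs/private.key` (the `-ce` shell flags already abort the container if either `cp` fails, which is good). Printing file names with `-v` is harmless, but nothing here or in `/config` scripts should ever `cat` the key for debugging. The `tls` source mount at `/etc/minio/original_certs` lies outside this hunk and is not marked `readOnly: true`; worth adding.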
@@ -544,10 +544,6 @@ spec: readOnly: true - name: export mountPath: /export - - name: cert-secret-volume - mountPath: /etc/minio/certs/ - - name: trusted-cert-secret-volume - mountPath: /etc/minio/certs/CAs - mountPath: /etc/minio/original_certs name: tls - mountPath: /etc/minio/certs @@ -583,21 +579,7 @@ spec: - name: minio-user secret: secretName: minio - - name: cert-secret-volume - secret: - secretName: - items: - - key: public.crt - path: public.crt - - key: private.key - path: private.key - - name: trusted-cert-secret-volume - secret: - secretName: - items: - - key: public.crt - path: public.crt - + - ephemeral: volumeClaimTemplate: metadata: @@ -651,12 +633,6 @@ spec: name: minio - secret: name: minio - - name: cert-secret-volume-mc - secret: - secretName: - items: - - key: public.crt - path: CAs/public.crt - ephemeral: volumeClaimTemplate: metadata: @@ -680,7 +656,15 @@ spec: - name: minio-make-bucket image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z" imagePullPolicy: IfNotPresent - command: [ "/bin/sh", "/config/initialize" ] + command: + - "/bin/sh" + - "-ce" + - | + # Copy the CA cert from the "tls" SecretClass + # mkdir -p /etc/minio/mc/certs/CAs + cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt + + . /config/initialize env: - name: MINIO_ENDPOINT value: minio 
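Review bot: The CA is copied to `/etc/minio/mc/certs/CAs/public.crt`, which `mc` only consults if its config directory is `/etc/minio/mc` (via `--config-dir` or `MC_CONFIG_DIR`); nothing in this hunk sets that, so confirm `/config/initialize` does, otherwise mc falls back to `~/.mc` and either fails verification or, if the script passes `--insecure`, silently skips it. Sourcing the script with `. /config/initialize` instead of the previous `/bin/sh /config/initialize` means it now runs under `-ce`, so any failing command inside it aborts the job where it previously did not; that is probably desirable but should be stated in the commit message. The `minio-make-bucket` container definition continues beyond this hunk (its `env` and `volumeMounts` are outside it).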
@@ -693,15 +677,25 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config - - name: cert-secret-volume-mc - mountPath: /etc/minio/mc/certs + - name: tls + mountPath: /etc/minio/mc/original_certs + - name: certs + mountPath: /etc/minio/mc/certs/CAs resources: requests: memory: 128Mi - name: minio-make-user image: "quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z" imagePullPolicy: IfNotPresent - command: [ "/bin/sh", "/config/add-user" ] + command: + - "/bin/sh" + - "-ce" + - | + # Copy the CA cert from the "tls" SecretClass + # mkdir -p /etc/minio/mc/certs/CAs + cp -v /etc/minio/mc/original_certs/ca.crt /etc/minio/mc/certs/CAs/public.crt + + . /config/add-user env: - name: MINIO_ENDPOINT value: minio @@ -714,8 +708,10 @@ spec: mountPath: /tmp - name: minio-configuration mountPath: /config - - name: cert-secret-volume-mc - mountPath: /etc/minio/mc/certs + - name: tls + mountPath: /etc/minio/mc/original_certs + - name: certs + mountPath: /etc/minio/mc/certs/CAs resources: requests: memory: 128Mi
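Review bot: Both new `tls` mounts at `/etc/minio/mc/original_certs` expose the whole secret-operator volume to the job containers — presumably `tls.crt` and `tls.key` as well as `ca.crt`, given the names the server container copies — although the jobs only read `ca.crt`; add `readOnly: true` to each mount, and consider whether the volume request can be narrowed so the jobs do not hold a serving key for the `minio` identity. If `minio-make-bucket` and `minio-make-user` run in the same pod as the shared `certs` emptyDir suggests, both containers' `cp` commands write the same `CAs/public.crt`; that is harmless while the content is identical, but a one-line comment on the second mount, `# shared with minio-make-bucket; both copy the same ca.crt`, would make the overwrite deliberate. Both container definitions start outside this hunk.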