
Tenant Helm Chart

MinIO publishes Helm Charts for the MinIO Operator (the Operator Chart) and for MinIO Tenants (the Tenant Chart). You can use these charts to deploy the MinIO Operator and managed Tenants through Helm.

This page documents the values.yaml file of the MinIO Tenant chart. For documentation on the MinIO Operator chart, see Operator Helm Chart.

MinIO Tenant Chart

tenant

name

The Tenant name.

Change this to match your preferred MinIO Tenant name.

image

Specify the Operator container image to use for the deployment (image.tag). For example, the following sets the image to the quay.io/minio/operator repository and the v6.0.3 tag. The container pulls the image if it is not already present:

image:
   repository: quay.io/minio/minio
   tag: RELEASE.2024-08-17T01-24-54Z
   pullPolicy: IfNotPresent

The chart also supports specifying an image based on a digest value:

image:
   repository: quay.io/minio/minio@sha256
   digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
   pullPolicy: IfNotPresent

imagePullSecret

An array of Kubernetes secrets to use for pulling images from a private image.repository. Only one array element is supported at this time.

scheduler

The Kubernetes Scheduler to use for dispatching Tenant pods.

Specify an empty dictionary {} to dispatch pods with the default scheduler.

configuration

The name of the Kubernetes secret that contains the MinIO environment variable configuration. The secret is expected to have a key named config.env containing environment variable exports.

configSecret

Root key for dynamically creating a secret for use with configuring the root MinIO user. Specify the name and then a list of environment variables.

Important

Do not use this in production environments. This field is intended for rapid development or testing only.

For example:

name: myminio-env-configuration
accessKey: minio
secretKey: minio123

pools

Top level key for configuring MinIO Pool(s) in this Tenant.

See Operator CRD: Pools for more information on all subfields.

servers

The number of MinIO Tenant Pods / Servers in this pool. For standalone mode, supply 1. For distributed mode, supply 4 or more. Note that the Operator does not support upgrading from standalone to distributed mode.

name

Custom name for the pool.

volumesPerServer

The number of volumes attached per MinIO Tenant Pod / Server.

size

The capacity per volume requested per MinIO Tenant Pod.

storageAnnotations

Specify storageAnnotations to associate to PVCs.

annotations

Specify annotations to associate to Tenant pods.

labels

Specify labels to associate to Tenant pods.

tolerations

An array of Toleration labels to associate to Tenant pods.

These settings determine the distribution of pods across worker nodes.

nodeSelector

Any Node Selectors to apply to Tenant pods.

The Kubernetes scheduler uses these selectors to determine which worker nodes it can deploy Tenant pods onto.

If no worker nodes match the specified selectors, the Tenant deployment will fail.

affinity

The affinity or anti-affinity settings to apply to Tenant pods.

These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.

resources

The Requests or Limits for resources to associate to Tenant pods.

These settings can control the minimum and maximum resources requested for each pod. If no worker nodes can meet the specified requests, the Operator may fail to deploy.

securityContext

The Kubernetes SecurityContext to use for deploying Tenant resources.

You may need to modify these values to meet your cluster's security and access settings.

We recommend disabling recursive permission changes by setting fsGroupChangePolicy to OnRootMismatch, as those operations can be expensive for certain workloads (for example, large volumes with many small files).

containerSecurityContext

The Kubernetes SecurityContext to use for deploying Tenant containers. You may need to modify these values to meet your cluster's security and access settings.

topologySpreadConstraints

An array of Topology Spread Constraints to associate to Operator Console pods.

These settings determine the distribution of pods across worker nodes.

mountPath

The mount path where Persistent Volumes are mounted inside Tenant container(s).

subPath

The sub path inside the mount path where MinIO stores data.

Warning

Treat the mountPath and subPath values as immutable once you deploy the Tenant. If you change these values post-deployment, you may have different paths for new and pre-existing data. This can vastly increase operational complexity and may result in unpredictable data states.

metrics

Configures a Prometheus-compatible scraping endpoint at the specified port.

certificate

Configures external certificate settings for the Tenant.

externalCaCertSecret

Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.

MinIO uses these to verify TLS connections from clients using those CAs. If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. See Operator CRD: TenantSpec.

externalCertSecret

Specify an array of Kubernetes secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.

Omit this to use only the certificates autogenerated by the MinIO Operator.

If you omit this field *and* set requestAutoCert to false, the Tenant starts without TLS.

See Operator CRD: TenantSpec.

Important

The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.

You can pass the CA to the Operator to allow it to trust that certificate. See Self-Signed, Internal, and Private Certificates for more information. This step may also be necessary for globally trusted CAs, where you must provide intermediate certificates to the Operator to help build the full chain of trust.

requestAutoCert

Enable automatic Kubernetes-based certificate generation and signing.

certConfig

This field is used only when requestAutoCert: true. Use this field to set the CommonName for the auto-generated certificate. MinIO defaults to using the internal Kubernetes DNS name for the pod. The default DNS name format is typically *.minio.default.svc.cluster.local.

See Operator CRD: CertificateConfig.

features

MinIO features to enable or disable in the MinIO Tenant. See Operator CRD: Features.

buckets

Array of objects describing one or more buckets to create during tenant provisioning. Example:

- name: my-minio-bucket
  objectLock: false        # optional
  region: us-east-1        # optional

users

An array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.

Each secret should specify CONSOLE_ACCESS_KEY and CONSOLE_SECRET_KEY as the access key and secret key for that user.

podManagementPolicy

The Pod Management policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel".

readiness

Readiness Probe for monitoring Tenant container readiness. Tenant pods will be removed from service endpoints if the probe fails.

startup

Startup Probe for monitoring container startup. Tenant pods will be restarted if the probe fails. Refer

lifecycle

The Lifecycle hooks for the container.

exposeServices

Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.

If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.

  • Specify minio: true to expose the MinIO S3 API.

  • Specify console: true to expose the Console.

Both fields default to false.

serviceAccountName

The Kubernetes Service Account associated with the Tenant.

prometheusOperator

Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.

logging

Configure pod logging configuration for the MinIO Tenant.

  • Specify json for JSON-formatted logs.

  • Specify anonymous for anonymized logs.

  • Specify quiet to suppress logging.

An example of JSON-formatted logs is as follows:

$ k logs myminio-pool-0-0 -n default
{"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}

serviceMetadata

serviceMetadata allows passing additional labels and annotations to the MinIO and Console specific services created by the Operator.

env

Add environment variables to be set in the MinIO container (https://github.com/minio/minio/tree/master/docs/config).

priorityClassName

PriorityClassName indicates the Pod priority, and hence the importance of a Pod relative to other Pods. This is applied to MinIO pods only. Refer to the Kubernetes documentation for details: http://kubernetes.ac.cn/docs/concepts/configuration/pod-priority-preemption/#priorityclass/

additionalVolumes

An array of Volumes which the Operator can mount to Tenant pods.

The volumes must exist *and* be accessible to the Tenant pods.

additionalVolumeMounts

An array of volume mount points associated to each Tenant container.

Specify each item in the array as follows:

volumeMounts:
- name: volumename
  mountPath: /path/to/mount

The name field must correspond to an entry in the additionalVolumes array.

ingress

Configures Ingress for the Tenant S3 API and Console.

Set the keys to conform to the Ingress controller and configuration of your choice.
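As an added check (example code, not part of the MinIO chart or its documentation), the following Python lints a Tenant values mapping against the points made above: inline configSecret credentials are for dev/test only, an empty externalCertSecret together with requestAutoCert: false yields a Tenant without TLS, the pod and container security contexts the chart ships by default, exposeServices publishing LoadBalancers, and additionalVolumeMounts names that match additionalVolumes. It assumes the effective values (as helm get values --all reports them) loaded into a Python dict, and that the existingSecret switch sits under tenant.configSecret, as the commented-out key in values.yaml suggests.

```python
from typing import Any, Dict, List


def lint_tenant_values(values: Dict[str, Any]) -> List[str]:
    """Return findings for a Tenant chart values mapping (empty list means clean).

    Expects the effective values (chart defaults merged in, as ``helm get values --all``
    reports them), so an absent key is treated as the default shown on this page.
    """
    findings: List[str] = []
    tenant = values.get("tenant") or {}
    # Inline accessKey/secretKey under configSecret is documented as dev/test only. The
    # existingSecret switch is assumed to sit under configSecret (as the commented-out key
    # in values.yaml suggests); when true the chart uses the secret named in tenant.configuration.
    cs = tenant.get("configSecret") or {}
    if (cs.get("accessKey") or cs.get("secretKey")) and not cs.get("existingSecret", False):
        findings.append("tenant.configSecret: inline root credentials are for dev/test only; "
                        "point tenant.configuration.name at a secret carrying a config.env key")
    # Empty externalCertSecret *and* requestAutoCert false => the Tenant starts without TLS.
    cert = tenant.get("certificate") or {}
    if not cert.get("externalCertSecret") and not cert.get("requestAutoCert", True):
        findings.append("tenant.certificate: no externalCertSecret and requestAutoCert is false, "
                        "so the Tenant would start without TLS")
    # Per-pool pod and container security contexts, checked against the values.yaml defaults.
    for pool in tenant.get("pools") or []:
        name = pool.get("name", "<unnamed>")
        sc = pool.get("securityContext") or {}
        csc = pool.get("containerSecurityContext") or {}
        if sc.get("fsGroupChangePolicy") != "OnRootMismatch":
            findings.append(f"pool {name}: set securityContext.fsGroupChangePolicy to OnRootMismatch")
        if csc.get("runAsNonRoot") is not True:
            findings.append(f"pool {name}: containerSecurityContext.runAsNonRoot should be true")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"pool {name}: containerSecurityContext.allowPrivilegeEscalation should be false")
        if "ALL" not in ((csc.get("capabilities") or {}).get("drop") or []):
            findings.append(f"pool {name}: containerSecurityContext.capabilities.drop should include ALL")
        if (csc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
            findings.append(f"pool {name}: containerSecurityContext.seccompProfile.type should be RuntimeDefault")
    # exposeServices publishes the S3 API / Console as LoadBalancer objects (both default false).
    expose = tenant.get("exposeServices") or {}
    for svc in ("minio", "console"):
        if expose.get(svc) is True:
            findings.append(f"tenant.exposeServices.{svc} is true: that service becomes a LoadBalancer")
    # Every additionalVolumeMounts entry must name an entry in additionalVolumes.
    vol_names = {v.get("name") for v in tenant.get("additionalVolumes") or []}
    for mount in tenant.get("additionalVolumeMounts") or []:
        if mount.get("name") not in vol_names:
            findings.append(f"tenant.additionalVolumeMounts: no additionalVolumes entry named {mount.get('name')!r}")
    return findings


# Constructed samples (not from any real deployment), shaped like the chart's values.yaml.
INSECURE_VALUES = {"tenant": {
    "name": "myminio",
    "configSecret": {"name": "myminio-env-configuration", "accessKey": "minio", "secretKey": "minio123"},
    "pools": [{"name": "pool-0", "servers": 4, "securityContext": {"fsGroup": 1000},
               "containerSecurityContext": {"runAsUser": 1000}}],
    "certificate": {"externalCertSecret": [], "requestAutoCert": False},
    "exposeServices": {"minio": True, "console": False},
    "additionalVolumes": [{"name": "ca-bundle", "secret": {"secretName": "ca-bundle"}}],
    "additionalVolumeMounts": [{"name": "cabundle", "mountPath": "/tmp/ca"}],  # name does not match
}}

HARDENED_VALUES = {"tenant": {
    "name": "myminio",
    "configuration": {"name": "myminio-env-configuration"},
    "configSecret": {"name": "myminio-env-configuration", "existingSecret": True},
    "pools": [{"name": "pool-0", "servers": 4,
               "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000,
                                   "fsGroupChangePolicy": "OnRootMismatch", "runAsNonRoot": True},
               "containerSecurityContext": {"runAsUser": 1000, "runAsGroup": 1000, "runAsNonRoot": True,
                                            "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
                                            "seccompProfile": {"type": "RuntimeDefault"}}}],
    "certificate": {"externalCertSecret": [], "requestAutoCert": True},
    "exposeServices": {},
}}

if __name__ == "__main__":
    for label, vals in (("insecure", INSECURE_VALUES), ("hardened", HARDENED_VALUES)):
        print(label, lint_tenant_values(vals))
```

Running the module prints nine findings for the insecure sample and an empty list for the hardened one.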

# Root key for MinIO Tenant Chart
tenant:
  ###
  # The Tenant name
  #
  # Change this to match your preferred MinIO Tenant name.
  name: myminio
  ###
  # Specify the Operator container image to use for the deployment.
  # ``image.tag`` 
  # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v6.0.3 tag.
  # The container pulls the image if not already present:
  #
  # .. code-block:: yaml
  # 
  #    image:
  #       repository: quay.io/minio/minio
  #       tag: RELEASE.2024-08-17T01-24-54Z
  #       pullPolicy: IfNotPresent
  #
  # The chart also supports specifying an image based on digest value:
  # 
  # .. code-block:: yaml
  # 
  #    image:
  #       repository: quay.io/minio/minio@sha256
  #       digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
  #       pullPolicy: IfNotPresent
  #
  #
  image:
    repository: quay.io/minio/minio
    tag: RELEASE.2024-08-17T01-24-54Z
    pullPolicy: IfNotPresent
  ###
  #
  # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
  # Only one array element is supported at this time.
  imagePullSecret: { }
  ###
  # The Kubernetes `Scheduler <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Tenant pods.
  #
  # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
  scheduler: { }
  ###
  # The Kubernetes secret name that contains MinIO environment variable configurations.
  # The secret is expected to have a key named config.env containing environment variables exports.
  configuration:
    name: myminio-env-configuration
  ###
  # Root key for dynamically creating a secret for use with configuring root MinIO User
  # Specify the ``name`` and then a list of environment variables.
  #
  # .. important::
  #
  #    Do not use this in production environments.
  #    This field is intended for use with rapid development or testing only.
  #
  # For example:
  #
  # .. code-block:: yaml
  #
  #    name: myminio-env-configuration
  #    accessKey: minio
  #    secretKey: minio123
  #
  configSecret:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123
  ###
  # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant.
  # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration
  # The secret must contain a key ``config.env``.
  # The values should be a series of export statements to set environment variables for the Tenant.
  # For example:
  #
  # .. code-block:: shell
  #
  #    stringData:
  #       config.env: |-
  #         export MINIO_ROOT_USER=ROOTUSERNAME
  #         export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
  #
  #   existingSecret: false
  ###
  # Top level key for configuring MinIO Pool(s) in this Tenant.
  #
  # See `Operator CRD: Pools <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#pool>`__ for more information on all subfields.
  pools:
    ###
    # The number of MinIO Tenant Pods / Servers in this pool.
    # For standalone mode, supply 1. For distributed mode, supply 4 or more.
    # Note that the operator does not support upgrading from standalone to distributed mode.
    - servers: 4
      ###
      # Custom name for the pool
      name: pool-0
      ###
      # The number of volumes attached per MinIO Tenant Pod / Server.
      volumesPerServer: 4
      ###
      # The capacity per volume requested per MinIO Tenant Pod.
      size: 10Gi
      ###
      # The `storageClass <http://kubernetes.ac.cn/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool.
      #
      # If using Amazon Elastic Block Store (EBS) CSI driver
      # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
      # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
      # storageClassName: standard
      ###
      # Specify `storageAnnotations <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs.
      storageAnnotations: { }
      ###
      # Specify `annotations <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to Tenant pods.
      annotations: { }
      ###
      # Specify `labels <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/labels/>`__ to associate to Tenant pods.
      labels: { }
      ###
      #
      # An array of `Toleration labels <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      tolerations: [ ]
      ###
      # Any `Node Selectors <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Tenant pods.
      #
      # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods.
      #
      # If no worker nodes match the specified selectors, the Tenant deployment will fail.
      nodeSelector: { }
      ###
      #
      # The `affinity <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
      affinity: { }
      ###
      # 
      # The `Requests or Limits <http://kubernetes.ac.cn/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Tenant pods.
      #
      # These settings can control the minimum and maximum resources requested for each pod.
      # If no worker nodes can meet the specified requests, the Operator may fail to deploy.
      resources: { }
      ###
      # The Kubernetes `SecurityContext <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant resources.
      #
      # You may need to modify these values to meet your cluster's security and access settings.
      #
      # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      ###
      # The Kubernetes `SecurityContext <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant containers.
      # You may need to modify these values to meet your cluster's security and access settings.
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      ###
      #
      # An array of `Topology Spread Constraints <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      topologySpreadConstraints: [ ]
      ###
      #
      # The name of a custom `Container Runtime <http://kubernetes.ac.cn/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods.
      # runtimeClassName: ""
  ###
  # The mount path where Persistent Volumes are mounted inside Tenant container(s).
  mountPath: /export
  ###
  # The Sub path inside Mount path where MinIO stores data.
  #
  # .. warning::
  #
  #    Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant.
  #    If you change these values post-deployment, then you may have different paths for new and pre-existing data.
  #    This can vastly increase operational complexity and may result in unpredictable data states.
  subPath: /data
  ###
  # Configures a Prometheus-compatible scraping endpoint at the specified port.
  metrics:
    enabled: false
    port: 9000
    protocol: http
  ###
  # Configures external certificate settings for the Tenant.
  certificate:
    ###
    # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
    #
    # This is used by MinIO to verify TLS connections from clients using those CAs
    # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
    # See `Operator CRD: TenantSpec <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
    externalCaCertSecret: [ ]
    ###
    # Specify an array of Kubernetes secrets, where each entry corresponds to a secret containing the TLS private key and public certificate pair.
    #
    # Omit this to use only the MinIO Operator autogenerated certificates.
    # 
    # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS.
    #
    # See `Operator CRD: TenantSpec <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
    #
    # .. important::
    #
    #    The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
    #
    #    You can pass the CA to the Operator to allow it to trust that cert.
    #    See `Self-Signed, Internal, and Private Certificates <http://min-io.cn/docs/minio/kubernetes/upstream/operations/network-encryption.html#self-signed-internal-and-private-certificates>`__ for more information.
    #    This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust.
    externalCertSecret: [ ]
    ###
    # Enable automatic Kubernetes based `certificate generation and signing <http://kubernetes.ac.cn/docs/tasks/tls/managing-tls-in-a-cluster>`__
    requestAutoCert: true
    ###
    # The minimum number of days to expiry before an alert for an expiring certificate is fired.
    # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
    # certExpiryAlertThreshold: 1
    ###
    # This field is used only when ``requestAutoCert: true``.
    # Use this field to set CommonName for the auto-generated certificate. 
    # MinIO defaults to using the internal Kubernetes DNS name for the pod
    # The default DNS name format is typically ``*.minio.default.svc.cluster.local``.
    #
    # See `Operator CRD: CertificateConfig <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#certificateconfig>`__
    certConfig: { }
  ###
  # MinIO features to enable or disable in the MinIO Tenant
  # See `Operator CRD: Features <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#features>`__.
  features:
    bucketDNS: false
    domains: { }
    enableSFTP: false
  ###
  # Array of objects describing one or more buckets to create during tenant provisioning.
  # Example:
  # 
  # .. code-block:: yaml
  #
  #    - name: my-minio-bucket
  #         objectLock: false        # optional
  #         region: us-east-1        # optional
  buckets: [ ]
  ###
  # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.
  #
  # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user.
  users: [ ]
  ###
  # The `PodManagement <http://kubernetes.ac.cn/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for MinIO Tenant Pods. 
  # Can be "OrderedReady" or "Parallel"
  podManagementPolicy: Parallel
  # The `Liveness Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Tenant pod liveness. 
  # Tenant pods will be restarted if the probe fails.
  liveness: { }
  ###
  # `Readiness Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Tenant container readiness.
  # Tenant pods will be removed from service endpoints if the probe fails.
  readiness: { }
  ###
  # `Startup Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup. 
  # Tenant pods will be restarted if the probe fails.
  # Refer 
  startup: { }
  ###
  # The `Lifecycle hooks <http://kubernetes.ac.cn/docs/concepts/containers/container-lifecycle-hooks/>`__ for container.
  lifecycle: { }
  ###
  # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.
  #
  # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.
  #
  # - Specify ``minio: true`` to expose the MinIO S3 API.
  # - Specify ``console: true`` to expose the Console.
  #
  # Both fields default to ``false``.
  exposeServices: { }
  ###
  # The `Kubernetes Service Account <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Tenant.
  serviceAccountName: ""
  ###
  # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
  prometheusOperator: false
  ###
  # Configure pod logging configuration for the MinIO Tenant.
  #
  # - Specify ``json`` for JSON-formatted logs.
  # - Specify ``anonymous`` for anonymized logs.
  # - Specify ``quiet`` to suppress logging.
  #
  # An example of JSON-formatted logs is as follows:
  #
  # .. code-block:: shell
  #
  #    $ k logs myminio-pool-0-0 -n default
  #    {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
  logging: { }
  ###
  # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
  # services created by the operator.
  serviceMetadata: { }
  ###
  # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
  env: [ ]
  ###
  # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
  # This is applied to MinIO pods only.
  # Refer Kubernetes documentation for details http://kubernetes.ac.cn/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  priorityClassName: ""
  ###
  # An array of `Volumes <http://kubernetes.ac.cn/docs/concepts/storage/volumes/>`__ which the Operator can mount to Tenant pods.
  #
  # The volumes must exist *and* be accessible to the Tenant pods.
  additionalVolumes: [ ]
  ###
  # An array of volume mount points associated to each Tenant container.
  # 
  # Specify each item in the array as follows:
  #
  # .. code-block:: yaml
  #
  #    volumeMounts:
  #    - name: volumename
  #      mountPath: /path/to/mount
  #
  # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
  additionalVolumeMounts: [ ]
  # Define configuration for KES (stateless and distributed key-management system)
  # Refer https://github.com/minio/kes
  #kes:
  #  ## Image field:
  #  # Image from tag (original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes
  #  #   tag: 2024-08-16T14-39-28Z
  #  # Image from digest (added after original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes@sha256
  #  #   digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b
  #  image:
  #    repository: quay.io/minio/kes
  #    tag: 2024-08-16T14-39-28Z
  #    pullPolicy: IfNotPresent
  #  env: [ ]
  #  replicas: 2
  #  configuration: |-
  #    address: :7373
  #    tls:
  #      key: /tmp/kes/server.key   # Path to the TLS private key
  #      cert: /tmp/kes/server.crt # Path to the TLS certificate
  #      proxy:
  #        identities: []
  #        header:
  #          cert: X-Tls-Client-Cert
  #    admin:
  #      identity: ${MINIO_KES_IDENTITY}
  #    cache:
  #      expiry:
  #        any: 5m0s
  #        unused: 20s
  #    log:
  #      error: on
  #      audit: off
  #    keystore:
  #      # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended
  #      # use a real KMS
  #      # fs:
  #      #   path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production.
  #      vault:
  #        endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint
  #        namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
  #        prefix: "my-minio"    # An optional K/V prefix. The server will store keys under this prefix.
  #        approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
  #          id: "<YOUR APPROLE ID HERE>"      # Your AppRole Role ID
  #          secret: "<YOUR APPROLE SECRET ID HERE>"  # Your AppRole Secret ID
  #          retry: 15s  # Duration until the server tries to re-authenticate after connection loss.
  #        tls:        # The Vault client TLS configuration for mTLS authentication and certificate verification
  #          key: ""     # Path to the TLS client private key for mTLS authentication to Vault
  #          cert: ""    # Path to the TLS client certificate for mTLS authentication to Vault
  #          ca: ""      # Path to one or multiple PEM root CA certificates
  #        status:     # Vault status configuration. The server will periodically reach out to Vault to check its status.
  #          ping: 10s   # Duration until the server checks Vault's status again.
  #      # aws:
  #      #   # The AWS SecretsManager key store. The server will store
  #      #   # secret keys at the AWS SecretsManager encrypted with
  #      #   # AWS-KMS. See: https://aws.amazon.com/secrets-manager
  #      #   secretsmanager:
  #      #     endpoint: ""   # The AWS SecretsManager endpoint      - e.g.: secretsmanager.us-east-2.amazonaws.com
  #      #     region: ""     # The AWS region of the SecretsManager - e.g.: us-east-2
  #      #     kmskey: ""     # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
  #      #     credentials:   # The AWS credentials for accessing secrets at the AWS SecretsManager.
  #      #       accesskey: ""  # Your AWS Access Key
  #      #       secretkey: ""  # Your AWS Secret Key
  #      #       token: ""      # Your AWS session token (usually optional)
  #  imagePullPolicy: "IfNotPresent"
  #  externalCertSecret: null
  #  clientCertSecret: null
  #  # Key name to be created on the KMS, default is "my-minio-key"
  #  keyName: ""
  #  resources: { }
  #  nodeSelector: { }
  #  affinity:
  #    nodeAffinity: { }
  #    podAffinity: { }
  #    podAntiAffinity: { }
  #  tolerations: [ ]
  #  annotations: { }
  #  labels: { }
  #  serviceAccountName: ""
  #  securityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    fsGroup: 1000
  #  containerSecurityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    allowPrivilegeEscalation: false
  #    capabilities:
  #      drop:
  #        - ALL
  #    seccompProfile:
  #      type: RuntimeDefault

###
# Configures `Ingress <http://kubernetes.ac.cn/docs/concepts/services-networking/ingress/>`__ for the Tenant S3 API and Console.
#
# Set the keys to conform to the Ingress controller and configuration of your choice.
ingress:
  api:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio.local
    path: /
    pathType: Prefix
  console:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio-console.local
    path: /
    pathType: Prefix
# Use an extraResources template section to include additional Kubernetes resources
# with the Helm deployment.
#extraResources:
#  - |
#    apiVersion: v1
#    kind: Secret
#    type: Opaque
#    metadata:
#      name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }}
#    stringData:
#      config.env: |-
#        export MINIO_ROOT_USER='minio'
#        export MINIO_ROOT_PASSWORD='minio123'