文档

租户 Helm 图表

MinIO 发布了 Helm 图表,用于 Helm 运算符图表Helm 租户图表。您可以使用这些图表通过 Helm 部署 MinIO 运算符和受管租户。

以下页面记录了 MinIO 租户的 values.yaml 图表。有关 MinIO 运算符图表的文档,请参阅 运算符 Helm 图表

MinIO 租户图表

tenant
name

租户名称

将其更改为与您首选的 MinIO 租户名称匹配。

image

指定用于部署的运算符容器镜像。 image.tag 例如,以下将镜像设置为 quay.io/minio/operator 存储库和 v6.0.3 标签。如果镜像不存在,则容器会拉取镜像

image:
   repository: quay.io/minio/minio
   tag: RELEASE.2024-08-17T01-24-54Z
   pullPolicy: IfNotPresent

该图表还支持根据摘要值指定镜像

image:
   repository: quay.io/minio/minio@sha256
   digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
   pullPolicy: IfNotPresent
imagePullSecret

一个 Kubernetes 机密数组,用于从私有 image.repository 拉取镜像。目前仅支持一个数组元素。

scheduler

用于调度租户 Pod 的 Kubernetes 调度程序

指定一个空字典 {},以使用默认调度程序调度 Pod。

configuration

包含 MinIO 环境变量配置的 Kubernetes 机密名称。预计该机密将有一个名为 config.env 的键,其中包含环境变量导出。

configSecret

用于动态创建机密以用于配置根 MinIO 用户的根密钥,指定 name,然后指定环境变量列表。

重要

不要在生产环境中使用此功能。此字段仅供快速开发或测试使用。

例如

name: myminio-env-configuration
accessKey: minio
secretKey: minio123
pools

用于配置此租户中 MinIO 池(s)的顶级密钥。

有关所有子字段的更多信息,请参阅 运算符 CRD:池

servers

此池中的 MinIO 租户 Pod / 服务器数量。对于独立模式,请提供 1。对于分布式模式,请提供 4 或更多。请注意,运算符不支持从独立模式升级到分布式模式。

name

池的自定义名称

volumesPerServer

每个 MinIO 租户 Pod / 服务器附加的卷数。

size

每个 MinIO 租户 Pod 请求的每个卷的容量。

storageAnnotations

指定 storageAnnotations 与 PVC 关联。

annotations

指定 annotations 与租户 Pod 关联。

labels

指定 labels 与租户 Pod 关联。

tolerations

一个 容忍标签 数组,与租户 Pod 关联。

这些设置决定了 Pod 在工作节点上的分布。

nodeSelector

要应用于租户 Pod 的任何 节点选择器

Kubernetes 调度程序使用这些选择器来确定可以部署租户 Pod 的工作节点。

如果没有工作节点与指定的选择器匹配,则租户部署将失败。

affinity

要应用于租户 Pod 的 亲和性 或反亲和性设置。

这些设置决定了 Pod 在工作节点上的分布,可以帮助防止或允许将 Pod 放在同一个工作节点上。

资源

为与租户 Pod 关联的资源设置的 请求或限制

这些设置可以控制为每个 Pod 请求的最小和最大资源。如果没有任何工作节点能够满足指定的请求,则操作员可能无法部署。

安全上下文

用于部署租户资源的 Kubernetes 安全上下文

您可能需要修改这些值以满足群集的安全和访问设置。

我们建议通过将 fsGroupChangePolicy 设置为 OnRootMismatch 来禁用递归权限更改,因为这些操作对于某些工作负载(例如包含许多小文件的巨大卷)来说可能很昂贵。

容器安全上下文

用于部署租户容器的 Kubernetes 安全上下文。您可能需要修改这些值以满足群集的安全和访问设置。

拓扑扩散约束

与操作员控制台 Pod 关联的 拓扑扩散约束 数组。

这些设置决定了 Pod 在工作节点上的分布。

挂载路径

在租户容器内挂载持久卷的挂载路径。

子路径

MinIO 在挂载路径内存储数据的子路径。

警告

mountPathsubPath 值视为在部署租户后不可变。如果您在部署后更改这些值,则新数据和现有数据可能具有不同的路径。这会大大增加操作复杂性,并可能导致不可预测的数据状态。

指标

在指定端口配置与 Prometheus 兼容的抓取端点。

证书

为租户配置外部证书设置。

externalCaCertSecret

指定 Kubernetes TLS 密钥的数组,其中每个条目对应于一个密钥,该密钥包含 TLS 私钥和公钥证书对。

MinIO 使用它来验证来自使用这些 CA 的客户端的 TLS 连接。如果您省略此内容并且客户端使用外部 CA 签发的 TLS 证书,则这些连接可能会失败,并显示有关证书验证的警告。请参阅 操作员 CRD:TenantSpec

externalCertSecret

指定 Kubernetes 密钥的数组,其中每个条目对应于一个密钥,该密钥包含 TLS 私钥和公钥证书对。

省略此内容以仅使用 MinIO 操作员自动生成的证书。

如果您省略此字段 *并且* 将 requestAutoCert 设置为 false,则租户将在没有 TLS 的情况下启动。

请参阅 操作员 CRD:TenantSpec

重要

如果 MinIO 操作员无法信任签发自定义证书的证书颁发机构 (CA),则它可能会输出 TLS 连接错误。

您可以将 CA 传递给操作员以允许它信任该证书。请参阅 自签名、内部和私有证书 以获取更多信息。此步骤对于您必须向操作员提供中间证书以帮助构建完整的信任链的全局信任 CA 来说也可能很有必要。

requestAutoCert

启用基于 Kubernetes 的自动 证书生成和签名

certConfig

此字段仅在 requestAutoCert: true 时使用。使用此字段设置自动生成证书的通用名称。MinIO 默认使用 Pod 的内部 Kubernetes DNS 名称。默认 DNS 名称格式通常为 *.minio.default.svc.cluster.local

请参阅 操作员 CRD:CertificateConfig

功能

在 MinIO 租户中启用或禁用的 MinIO 功能 请参阅 操作员 CRD:Features

存储桶

描述在租户配置过程中创建的一个或多个存储桶的对象数组。示例

- name: my-minio-bucket
     objectLock: false        # optional
     region: us-east-1        # optional
用户

Kubernetes 密钥的数组,操作员将在租户配置过程中从中生成 MinIO 用户。

每个密钥都应该指定 CONSOLE_ACCESS_KEYCONSOLE_SECRET_KEY 作为该用户的访问密钥和密钥。

podManagementPolicy

MinIO 租户 Pod 的 Pod 管理 策略。可以是“OrderedReady”或“Parallel”。

就绪状态

就绪探测 用于监控租户容器的就绪状态。如果探测失败,租户 Pod 将从服务端点中删除。

启动

启动探测 用于监控容器启动。如果探测失败,租户 Pod 将重新启动。参考

生命周期

容器的 生命周期钩子

公开服务

指示操作员将 MinIO S3 API 和控制台服务部署为 LoadBalancer 对象。

如果 Kubernetes 集群具有已配置的 LoadBalancer,则它可以尝试自动将流量路由到这些服务。

  • 指定 minio: true 以公开 MinIO S3 API。

  • 指定 console: true 以公开控制台。

这两个字段都默认设置为 false

serviceAccountName

与租户关联的 Kubernetes 服务帐户

prometheusOperator

指示操作员将租户的指标抓取配置添加到由 Prometheus Operator 管理的现有 Kubernetes Prometheus 部署中。

日志记录

配置 MinIO 租户的 Pod 日志记录配置。

  • 指定 json 用于 JSON 格式的日志。

  • 指定 anonymous 用于匿名日志。

  • 指定 quiet 以抑制日志记录。

以下是一个 JSON 格式日志的示例

$ k logs myminio-pool-0-0 -n default
{"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
serviceMetadata

serviceMetadata 允许将其他标签和注释传递到操作员创建的特定于 MinIO 和控制台的服务。

env

添加要在 MinIO 容器中设置的环境变量 (https://github.com/minio/minio/tree/master/docs/config)

priorityClassName

PriorityClassName 指示 Pod 的优先级,以及 Pod 相对于其他 Pod 的重要性。这仅适用于 MinIO Pod。有关详细信息,请参考 Kubernetes 文档 http://kubernetes.ac.cn/docs/concepts/configuration/pod-priority-preemption/#priorityclass/

additionalVolumes

操作员可以挂载到租户 Pod 的 数组。

这些卷必须 *存在* 并且可供租户 Pod 访问。

additionalVolumeMounts

与每个租户容器关联的卷挂载点数组。

将数组中的每个项目指定如下

volumeMounts:
- name: volumename
  mountPath: /path/to/mount

name 字段必须与 additionalVolumes 数组中的条目相对应。

入口

为租户 S3 API 和控制台配置 入口

将键设置为符合您选择的入口控制器和配置。

# Root key for MinIO Tenant Chart
tenant:
  ###
  # The Tenant name
  #
  # Change this to match your preferred MinIO Tenant name.
  name: myminio
  ###
  # Specify the Operator container image to use for the deployment.
  # ``image.tag`` 
  # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v6.0.3 tag.
  # The container pulls the image if not already present:
  #
  # .. code-block:: yaml
  # 
  #    image:
  #       repository: quay.io/minio/minio
  #       tag: RELEASE.2024-08-17T01-24-54Z
  #       pullPolicy: IfNotPresent
  #
  # The chart also supports specifying an image based on digest value:
  # 
  # .. code-block:: yaml
  # 
  #    image:
  #       repository: quay.io/minio/minio@sha256
  #       digest: 28c80b379c75242c6fe793dfbf212f43c602140a0de5ebe3d9c2a3a7b9f9f983
  #       pullPolicy: IfNotPresent
  #
  #
  image:
    repository: quay.io/minio/minio
    tag: RELEASE.2024-08-17T01-24-54Z
    pullPolicy: IfNotPresent
  ###
  #
  # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
  # Only one array element is supported at this time.
  imagePullSecret: { }
  ###
  # The Kubernetes `Scheduler <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/kube-scheduler/>`__ to use for dispatching Tenant pods.
  #
  # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler.
  scheduler: { }
  ###
  # The Kubernetes secret name that contains MinIO environment variable configurations.
  # The secret is expected to have a key named config.env containing environment variables exports.
  configuration:
    name: myminio-env-configuration
  ###
  # Root key for dynamically creating a secret for use with configuring root MinIO User
  # Specify the ``name`` and then a list of environment variables.
  #
  # .. important::
  #
  #    Do not use this in production environments.
  #    This field is intended for use with rapid development or testing only.
  #
  # For example:
  #
  # .. code-block:: yaml
  #
  #    name: myminio-env-configuration
  #    accessKey: minio
  #    secretKey: minio123
  #
  configSecret:
    name: myminio-env-configuration
    accessKey: minio
    secretKey: minio123
  ###
  # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant.
  # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration
  # The secret must contain a key ``config.env``.
  # The values should be a series of export statements to set environment variables for the Tenant.
  # For example:
  #
  # .. code-block:: shell
  #
  #    stringData:
  #       config.env: |-
  #         export MINIO_ROOT_USER=ROOTUSERNAME
  #         export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD
  #
  #   existingSecret: false
  ###
  # Top level key for configuring MinIO Pool(s) in this Tenant.
  #
  # See `Operator CRD: Pools <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#pool>`__ for more information on all subfields.
  pools:
    ###
    # The number of MinIO Tenant Pods / Servers in this pool.
    # For standalone mode, supply 1. For distributed mode, supply 4 or more.
    # Note that the operator does not support upgrading from standalone to distributed mode.
    - servers: 4
      ###
      # Custom name for the pool
      name: pool-0
      ###
      # The number of volumes attached per MinIO Tenant Pod / Server.
      volumesPerServer: 4
      ###
      # The capacity per volume requested per MinIO Tenant Pod.
      size: 10Gi
      ###
      # The `storageClass <http://kubernetes.ac.cn/docs/concepts/storage/storage-classes/>`__ to associate with volumes generated for this pool.
      #
      # If using Amazon Elastic Block Store (EBS) CSI driver
      # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters.
      # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md
      # storageClassName: standard
      ###
      # Specify `storageAnnotations <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to PVCs.
      storageAnnotations: { }
      ###
      # Specify `annotations <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/annotations/>`__ to associate to Tenant pods.
      annotations: { }
      ###
      # Specify `labels <http://kubernetes.ac.cn/docs/concepts/overview/working-with-objects/labels/>`__ to associate to Tenant pods.
      labels: { }
      ###
      #
      # An array of `Toleration labels <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/taint-and-toleration/>`__ to associate to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      tolerations: [ ]
      ###
      # Any `Node Selectors <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/assign-pod-node/>`__ to apply to Tenant pods.
      #
      # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods.
      #
      # If no worker nodes match the specified selectors, the Tenant deployment will fail.
      nodeSelector: { }
      ###
      #
      # The `affinity <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/>`__ or anti-affinity settings to apply to Tenant pods.
      #
      # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes.
      affinity: { }
      ###
      # 
      # The `Requests or Limits <http://kubernetes.ac.cn/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Tenant pods.
      #
      # These settings can control the minimum and maximum resources requested for each pod.
      # If no worker nodes can meet the specified requests, the Operator may fail to deploy.
      resources: { }
      ###
      # The Kubernetes `SecurityContext <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant resources.
      #
      # You may need to modify these values to meet your cluster's security and access settings.
      #
      # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files).
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
        runAsNonRoot: true
      ###
      # The Kubernetes `SecurityContext <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/security-context/>`__ to use for deploying Tenant containers.
      # You may need to modify these values to meet your cluster's security and access settings.
      containerSecurityContext:
        runAsUser: 1000
        runAsGroup: 1000
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      ###
      #
      # An array of `Topology Spread Constraints <http://kubernetes.ac.cn/docs/concepts/scheduling-eviction/topology-spread-constraints/>`__ to associate to Operator Console pods.
      #
      # These settings determine the distribution of pods across worker nodes.
      topologySpreadConstraints: [ ]
      ###
      #
      # The name of a custom `Container Runtime <http://kubernetes.ac.cn/docs/concepts/containers/runtime-class/>`__ to use for the Operator Console pods.
      # runtimeClassName: ""
  ###
  # The mount path where Persistent Volumes are mounted inside Tenant container(s).
  mountPath: /export
  ###
  # The Sub path inside Mount path where MinIO stores data.
  #
  # .. warning::
  #
  #    Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant.
  #    If you change these values post-deployment, then you may have different paths for new and pre-existing data.
  #    This can vastly increase operational complexity and may result in unpredictable data states.
  subPath: /data
  ###
  # Configures a Prometheus-compatible scraping endpoint at the specified port.
  metrics:
    enabled: false
    port: 9000
    protocol: http
  ###
  # Configures external certificate settings for the Tenant.
  certificate:
    ###
    # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair.
    #
    # This is used by MinIO to verify TLS connections from clients using those CAs
    # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
    # See `Operator CRD: TenantSpec <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
    externalCaCertSecret: [ ]
    ###
    # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair.
    #
    # Omit this to use only the MinIO Operator autogenerated certificates.
    # 
    # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS.
    #
    # See `Operator CRD: TenantSpec <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#tenantspec>`__.
    #
    # .. important::
    #
    #    The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates.
    #
    #    You can pass the CA to the Operator to allow it to trust that cert.
    #    See `Self-Signed, Internal, and Private Certificates <http://min-io.cn/docs/minio/kubernetes/upstream/operations/network-encryption.html#self-signed-internal-and-private-certificates>`__ for more information.
    #    This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust.
    externalCertSecret: [ ]
    ###
    # Enable automatic Kubernetes based `certificate generation and signing <http://kubernetes.ac.cn/docs/tasks/tls/managing-tls-in-a-cluster>`__
    requestAutoCert: true
    ###
    # The minimum number of days to expiry before an alert for an expiring certificate is fired.
    # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry
    # certExpiryAlertThreshold: 1
    ###
    # This field is used only when ``requestAutoCert: true``.
    # Use this field to set CommonName for the auto-generated certificate. 
    # MinIO defaults to using the internal Kubernetes DNS name for the pod
    # The default DNS name format is typically ``*.minio.default.svc.cluster.local``.
    #
    # See `Operator CRD: CertificateConfig <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#certificateconfig>`__
    certConfig: { }
  ###
  # MinIO features to enable or disable in the MinIO Tenant
  # See `Operator CRD: Features <http://min-io.cn/docs/minio/kubernetes/upstream/reference/operator-crd.html#features>`__.
  features:
    bucketDNS: false
    domains: { }
    enableSFTP: false
  ###
  # Array of objects describing one or more buckets to create during tenant provisioning.
  # Example:
  # 
  # .. code-block:: yaml
  #
  #    - name: my-minio-bucket
  #         objectLock: false        # optional
  #         region: us-east-1        # optional
  buckets: [ ]
  ###
  # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning.
  #
  # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user.
  users: [ ]
  ###
  # The `PodManagement <http://kubernetes.ac.cn/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for MinIO Tenant Pods. 
  # Can be "OrderedReady" or "Parallel"
  podManagementPolicy: Parallel
  # The `Liveness Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes>`__ for monitoring Tenant pod liveness. 
  # Tenant pods will be restarted if the probe fails.
  liveness: { }
  ###
  # `Readiness Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring Tenant container readiness.
  # Tenant pods will be removed from service endpoints if the probe fails.
  readiness: { }
  ###
  # `Startup Probe <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/>`__ for monitoring container startup. 
  # Tenant pods will be restarted if the probe fails.
  # Refer 
  startup: { }
  ###
  # The `Lifecycle hooks <http://kubernetes.ac.cn/docs/concepts/containers/container-lifecycle-hooks/>`__ for container.
  lifecycle: { }
  ###
  # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects.
  #
  # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically.
  #
  # - Specify ``minio: true`` to expose the MinIO S3 API.
  # - Specify ``console: true`` to expose the Console.
  #
  # Both fields default to ``false``.
  exposeServices: { }
  ###
  # The `Kubernetes Service Account <http://kubernetes.ac.cn/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Tenant.
  serviceAccountName: ""
  ###
  # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator.
  prometheusOperator: false
  ###
  # Configure pod logging configuration for the MinIO Tenant.
  #
  # - Specify ``json`` for JSON-formatted logs.
  # - Specify ``anonymous`` for anonymized logs.
  # - Specify ``quiet`` to supress logging.
  #
  # An example of JSON-formatted logs is as follows:
  #
  # .. code-block:: shell
  #
  #    $ k logs myminio-pool-0-0 -n default
  #    {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"}
  logging: { }
  ###
  # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
  # services created by the operator.
  serviceMetadata: { }
  ###
  # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
  env: [ ]
  ###
  # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
  # This is applied to MinIO pods only.
  # Refer Kubernetes documentation for details http://kubernetes.ac.cn/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  priorityClassName: ""
  ###
  # An array of `Volumes <http://kubernetes.ac.cn/docs/concepts/storage/volumes/>`__ which the Operator can mount to Tenant pods.
  #
  # The volumes must exist *and* be accessible to the Tenant pods.
  additionalVolumes: [ ]
  ###
  # An array of volume mount points associated to each Tenant container.
  # 
  # Specify each item in the array as follows:
  #
  # .. code-block:: yaml
  #
  #    volumeMounts:
  #    - name: volumename
  #      mountPath: /path/to/mount
  #
  # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array.
  additionalVolumeMounts: [ ]
  # Define configuration for KES (stateless and distributed key-management system)
  # Refer https://github.com/minio/kes
  #kes:
  #  ## Image field:
  #  # Image from tag (original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes
  #  #   tag: 2024-08-16T14-39-28Z
  #  # Image from digest (added after original behavior), for example:
  #  # image:
  #  #   repository: quay.io/minio/kes@sha256
  #  #   digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b
  #  image:
  #    repository: quay.io/minio/kes
  #    tag: 2024-08-16T14-39-28Z
  #    pullPolicy: IfNotPresent
  #  env: [ ]
  #  replicas: 2
  #  configuration: |-
  #    address: :7373
  #    tls:
  #      key: /tmp/kes/server.key   # Path to the TLS private key
  #      cert: /tmp/kes/server.crt # Path to the TLS certificate
  #      proxy:
  #        identities: []
  #        header:
  #          cert: X-Tls-Client-Cert
  #    admin:
  #      identity: ${MINIO_KES_IDENTITY}
  #    cache:
  #      expiry:
  #        any: 5m0s
  #        unused: 20s
  #    log:
  #      error: on
  #      audit: off
  #    keystore:
  #      # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended
  #      # use a real KMS
  #      # fs:
  #      #   path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production.
  #      vault:
  #        endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint
  #        namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html
  #        prefix: "my-minio"    # An optional K/V prefix. The server will store keys under this prefix.
  #        approle:    # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html
  #          id: "<YOUR APPROLE ID HERE>"      # Your AppRole Role ID
  #          secret: "<YOUR APPROLE SECRET ID HERE>"  # Your AppRole Secret ID
  #          retry: 15s  # Duration until the server tries to re-authenticate after connection loss.
  #        tls:        # The Vault client TLS configuration for mTLS authentication and certificate verification
  #          key: ""     # Path to the TLS client private key for mTLS authentication to Vault
  #          cert: ""    # Path to the TLS client certificate for mTLS authentication to Vault
  #          ca: ""      # Path to one or multiple PEM root CA certificates
  #        status:     # Vault status configuration. The server will periodically reach out to Vault to check its status.
  #          ping: 10s   # Duration until the server checks Vault's status again.
  #      # aws:
  #      #   # The AWS SecretsManager key store. The server will store
  #      #   # secret keys at the AWS SecretsManager encrypted with
  #      #   # AWS-KMS. See: https://aws.amazon.com/secrets-manager
  #      #   secretsmanager:
  #      #     endpoint: ""   # The AWS SecretsManager endpoint      - e.g.: secretsmanager.us-east-2.amazonaws.com
  #      #     region: ""     # The AWS region of the SecretsManager - e.g.: us-east-2
  #      #     kmskey: ""     # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used.
  #      #     credentials:   # The AWS credentials for accessing secrets at the AWS SecretsManager.
  #      #       accesskey: ""  # Your AWS Access Key
  #      #       secretkey: ""  # Your AWS Secret Key
  #      #       token: ""      # Your AWS session token (usually optional)
  #  imagePullPolicy: "IfNotPresent"
  #  externalCertSecret: null
  #  clientCertSecret: null
  #  # Key name to be created on the KMS, default is "my-minio-key"
  #  keyName: ""
  #  resources: { }
  #  nodeSelector: { }
  #  affinity:
  #    nodeAffinity: { }
  #    podAffinity: { }
  #    podAntiAffinity: { }
  #  tolerations: [ ]
  #  annotations: { }
  #  labels: { }
  #  serviceAccountName: ""
  #  securityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    fsGroup: 1000
  #  containerSecurityContext:
  #    runAsUser: 1000
  #    runAsGroup: 1000
  #    runAsNonRoot: true
  #    allowPrivilegeEscalation: false
  #    capabilities:
  #      drop:
  #        - ALL
  #    seccompProfile:
  #      type: RuntimeDefault

###
# Configures `Ingress <http://kubernetes.ac.cn/docs/concepts/services-networking/ingress/>`__ for the Tenant S3 API and Console.
#
# Set the keys to conform to the Ingress controller and configuration of your choice.
ingress:
  api:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio.local
    path: /
    pathType: Prefix
  console:
    enabled: false
    ingressClassName: ""
    labels: { }
    annotations: { }
    tls: [ ]
    host: minio-console.local
    path: /
    pathType: Prefix
# Use an extraResources template section to include additional Kubernetes resources
# with the Helm deployment.
#extraResources:
#  - |
#    apiVersion: v1
#    kind: Secret
#    type: Opaque
#    metadata:
#      name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }}
#    stringData:
#      config.env: |-
#        export MINIO_ROOT_USER='minio'
#        export MINIO_ROOT_PASSWORD='minio123'