kubernetes/manifests-raw/minio/base/tenant.yaml
apiVersion: minio.min.io/v2
kind: Tenant
metadata:
name: storage
namespace: minio-tenant
## Optionally pass labels to be applied to the statefulset pods
labels:
app: minio
## Optionally pass annotations to be applied to the statefulset pods
annotations:
prometheus.io/path: /minio/v2/metrics/cluster
prometheus.io/port: "9000"
prometheus.io/scrape: "true"
## If a scheduler is specified here, Tenant pods will be dispatched by specified scheduler.
## If not specified, the Tenant pods will be dispatched by default scheduler.
# scheduler:
# name: my-custom-scheduler
spec:
## Enable S3 specific features such as Bucket DNS which would allow `buckets` to be
## accessible as DNS entries of form `<bucketname>.minio.namespace.svc.cluster.local`
s3:
## This feature is turned off by default
bucketDNS: false
## Create users in the Tenant using this field. Make sure to create secrets per user added here.
## Secret should follow the format used in `minio-creds-secret`.
users:
- name: storage-user
## This field is used only when "requestAutoCert" is set to true. Use this field to set CommonName
## for the auto-generated certificate. Internal DNS name for the pod will be used if CommonName is
## not provided. DNS name format is *.minio.default.svc.cluster.local
certConfig: {}
## PodManagement policy for MinIO Tenant Pods. Can be "OrderedReady" or "Parallel"
## Refer https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
## for details.
podManagementPolicy: Parallel
## Secret with credentials and configurations to be used by MinIO Tenant.
configuration:
name: storage-configuration
## DEPRECATED: Secret with credentials to be used by MinIO Tenant.
credsSecret:
name: storage-creds-secret
## Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config)
env: []
## serviceMetadata allows passing additional labels and annotations to MinIO and Console specific
## services created by the operator.
serviceMetadata:
minioServiceLabels: {}
minioServiceAnnotations: {}
consoleServiceLabels: {}
consoleServiceAnnotations: {}
## PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
## This is applied to MinIO pods only.
## Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
priorityClassName: ""
## Use this field to provide one or more external CA certificates. This is used by MinIO
## to verify TLS connections with other applications.
## Certificate secret files will be mounted under /tmp/certs/CAs folder, supported types:
## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
##
## ie:
##
## externalCaCertSecret:
## - name: ca-certificate-1
## type: Opaque
## - name: ca-certificate-2
## type: Opaque
## - name: ca-certificate-3
## type: Opaque
##
## Create secrets as explained here:
## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
externalCaCertSecret: []
## Use this field to provide one or more Secrets with external certificates. This can be used to configure
## TLS for MinIO Tenant pods.
## Certificate secret files will be mounted under /tmp/certs folder, supported types:
## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
##
## ie:
##
## externalCertSecret:
## - name: domain-certificate-1
## type: kubernetes.io/tls
## - name: domain-certificate-2
## type: kubernetes.io/tls
## - name:domain-certificate-3
## type: kubernetes.io/tls
##
## Create secrets as explained here:
## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
externalCertSecret: []
## Use this field to provide client certificates for MinIO & KES. This can be used to configure
## mTLS for MinIO and your KES server. Files will be mounted under /tmp/certs folder, supported types:
## Opaque | kubernetes.io/tls | cert-manager.io/v1alpha2 | cert-manager.io/v1
## ie:
##
## externalClientCertSecret:
## name: mtls-certificates-for-tenant
## type: Opaque
##
## Create secrets as explained here:
## https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
# externalClientCertSecret: {}
## Registry location and Tag to download MinIO Server image
image: minio/minio:RELEASE.2021-09-03T03-56-13Z
imagePullSecret: {}
## Mount path where PV will be mounted inside container(s).
mountPath: /export
## Sub path inside Mount path where MinIO stores data.
subPath: ""
## Service account to be used for all the MinIO Pods
serviceAccountName: ""
## Specification for MinIO Pool(s) in this Tenant.
pools:
## Servers specifies the number of MinIO Tenant Pods / Servers in this pool.
## For standalone mode, supply 1. For distributed mode, supply 4 or more.
## Note that the operator does not support upgrading from standalone to distributed mode.
- servers: 4
## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
volumesPerServer: 4
## nodeSelector parameters for MinIO Pods. It specifies a map of key-value pairs. For the pod to be
## eligible to run on a node, the node must have each of the
## indicated key-value pairs as labels.
## Read more here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}
## Used to specify a toleration for a pod
tolerations: []
## Affinity settings for MinIO pods. Read more about affinity
## here: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity.
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
## Configure resource requests and limits for MinIO containers
resources: {}
## This VolumeClaimTemplate is used across all the volumes provisioned for MinIO Tenant in this
## Pool.
volumeClaimTemplate:
apiVersion: v1
kind: persistentvolumeclaims
metadata: {}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Ti
storageClassName: standard
status: {}
## Configure security context
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000
## Enable automatic Kubernetes based certificate generation and signing as explained in
## https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster
requestAutoCert: true
## Prometheus setup for MinIO Tenant.
prometheus:
image: "" # defaults to quay.io/prometheus/prometheus:latest
sidecarimage: "" # defaults to alpine
initimage: "" # defaults to busybox:1.33.1
diskCapacityGB: 10
storageClassName: standard
annotations: {}
labels: {}
nodeSelector: {}
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
resources: {}
serviceAccountName: ""
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000
## Prometheus Operator's Service Monitor for MinIO Tenant Pods.
# prometheusOperator:
# labels:
# app: minio-sm
## LogSearch API setup for MinIO Tenant.
log:
image: "" # defaults to minio/logsearchapi:v4.2.4
resources: {}
nodeSelector: {}
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
tolerations: []
annotations: {}
labels: {}
audit:
diskCapacityGB: 10
## Postgres setup for LogSearch API
db:
image: "" # defaults to library/postgres
initimage: "" # defaults to busybox:1.33.1
volumeClaimTemplate:
metadata: {}
spec:
storageClassName: standard
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
resources: {}
nodeSelector: {}
affinity:
nodeAffinity: {}
podAffinity: {}
podAntiAffinity: {}
tolerations: []
annotations: {}
labels: {}
serviceAccountName: ""
securityContext:
runAsUser: 999
runAsGroup: 999
runAsNonRoot: true
fsGroup: 999
serviceAccountName: ""
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
fsGroup: 1000