Skip to content

Latest commit

 

History

History
1293 lines (679 loc) · 42.4 KB

tenant_crd.adoc

File metadata and controls

1293 lines (679 loc) · 42.4 KB

API Reference

minio.min.io/v2

Package v2 - This page provides a quick automatically generated reference for the MinIO Operator minio.min.io/v2 CRD. For more complete documentation on the MinIO Operator CRD, see MinIO Kubernetes Documentation.

The minio.min.io/v2 API was released with the v4.0.0 MinIO Operator. The MinIO Operator automatically converts existing tenants using the /v1 API to /v2.

Resource Types

Bucket

Bucket describes the default created buckets

Appears In:
Field Description

name string

region string

objectLock boolean

CertificateConfig

CertificateConfig (certConfig) defines controlling attributes associated to any TLS certificate automatically generated by the Operator as part of tenant creation. These fields have no effect if spec.autoCert: false.

Appears In:
Field Description

commonName string

Optional

The CommonName or CN attribute to associate to automatically generated TLS certificates.

organizationName string array

Optional

Specify one or more OrganizationName or O attributes to associate to automatically generated TLS certificates.

dnsNames string array

Optional

Specify one or more x.509 Subject Alternative Names (SAN) to associate to automatically generated TLS certificates. MinIO Server pods use SNI to determine which certificate to respond with based on the requested hostname.

CertificateStatus

CertificateStatus keeps track of all the certificates managed by the operator

Appears In:
Field Description

autoCertEnabled boolean

AutoCertEnabled registers whether we know if the tenant has autocert enabled

customCertificates CustomCertificates

Provides the output of the client, minio, and`minioCAs` custom TLS certificates manually added to the Operator.

CustomCertificateConfig

CustomCertificateConfig (customCertificateConfig) provides attributes associated of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

Appears In:
Field Description

certName string

Optional

Output one or more CertName attributes associated with the manually provided TLS certificates.

domains string array

Optional

Output one or more Domains attributes associated with the manually provided TLS certificates.

expiry string

Optional

Output one or more Expiry attributes associated with the manually provided TLS certificates.

expiresIn string

Optional

Output one or more ExpiresIn attributes associated with the manually provided TLS certificates.

serialNo string

Optional

Output one or more SerialNo attributes associated with the manually provided TLS certificates.

CustomCertificates

CustomCertificates (customCertificates) provides groupings of the TLS certificates manually added to the Operator as part of tenant creation. These fields contain no data if there are no custom TLS certificates.

Appears In:
Field Description

Optional

Client

Optional

Minio

minioCAs CustomCertificateConfig array

Optional

Certificate Authorities

ExposeServices

ExposeServices (exposeServices) defines the exposure of the MinIO object storage and Console services.

Appears In:
Field Description

minio boolean

Optional

Directs the Operator to expose the MinIO service. Defaults to false.

console boolean

Optional

Directs the Operator to expose the MinIO Console service. Defaults to false.

Features

Features (features) - Object describing which MinIO features to enable/disable in the MinIO Tenant.

Appears In:
Field Description

bucketDNS boolean

Optional

Specify true to allow clients to access buckets using the DNS path <bucket>.minio.default.svc.cluster.local. Defaults to false.

domains TenantDomains

Optional

Specify a list of domains used to access MinIO and Console.

enableSFTP boolean

Optional

Starts minio server with SFTP support

HealthStatus (string)

HealthStatus represents whether the tenant is healthy, with decreased service or offline

Appears In:

KESConfig

KESConfig (kes) defines the configuration of the MinIO Key Encryption Service (KES) StatefulSet deployed as part of the MinIO Tenant. KES supports Server-Side Encryption of objects using an external Key Management Service (KMS).

Appears In:
Field Description

replicas integer

Optional

Specify the number of replica KES pods to deploy in the tenant. Defaults to 2.

image string

Optional

The Docker image to use for deploying MinIO KES. Defaults to minio/kes:2024-04-12T13-50-00Z.

imagePullPolicy PullPolicy

Optional

The pull policy for the MinIO Docker image. Specify one of the following:

  • Always

  • Never

  • IfNotPresent (Default)

Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/containers/images#updating-images

serviceAccountName string

Optional

The Kubernetes Service Account to use for running MinIO KES pods created as part of the Tenant.

Required

Specify a Kubernetes opaque secret which contains environment variables to use for setting up the MinIO KES service.

See the MinIO Operator console-secret.yaml for an example.

externalCertSecret LocalCertificateReference

Optional

Enables TLS with SNI support on each MinIO KES pod in the tenant. If externalCertSecret is omitted and spec.requestAutoCert is set to false, MinIO KES pods deploy without TLS enabled.

Specify a Kubernetes TLS secret. The MinIO Operator copies the specified certificate to every MinIO pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.

Specify an object containing the following fields:

  • - name - The name of the Kubernetes secret containing the TLS certificate.

  • - type - Specify kubernetes.io/tls

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

clientCertSecret LocalCertificateReference

Optional

Specify a a Kubernetes TLS secret containing a custom root Certificate Authority and x.509 certificate to use for performing mTLS authentication with an external Key Management Service, such as Hashicorp Vault.

Specify an object containing the following fields:

  • - name - The name of the Kubernetes secret containing the Certificate Authority and x.509 Certificate.

  • - type - Specify kubernetes.io/tls

gcpCredentialSecretName string

Optional

Specify the GCP default credentials to be used for KES to authenticate to GCP key store

gcpWorkloadIdentityPool string

Optional

Specify the name of the workload identity pool (This is required for generating service account token)

annotations object (keys:string, values:string)

Optional

If provided, use these annotations for KES Object Meta annotations

labels object (keys:string, values:string)

Optional

If provided, use these labels for KES Object Meta labels

Optional

Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.

nodeSelector object (keys:string, values:string)

Optional

The filter for the Operator to apply when selecting which nodes on which to deploy MinIO KES pods. The Operator only selects those nodes whose labels match the specified selector.

See the Kubernetes documentation on Assigning Pods to Nodes for more information.

tolerations Toleration array

Optional

Specify one or more Kubernetes tolerations to apply to MinIO KES pods.

affinity Affinity

Optional

Specify node affinity, pod affinity, and pod anti-affinity for the KES pods.

topologySpreadConstraints TopologySpreadConstraint array

Optional

Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.

keyName string

Optional

If provided, use this as the name of the key that KES creates on the KMS backend

securityContext PodSecurityContext

Specify the Security Context of MinIO KES pods. The Operator supports only the following pod security fields:

  • fsGroup

  • fsGroupChangePolicy

  • runAsGroup

  • runAsNonRoot

  • runAsUser

  • seLinuxOptions

containerSecurityContext SecurityContext

Specify the Security Context of MinIO KES pods.

env EnvVar array

Optional

If provided, the MinIO Operator adds the specified environment variables when deploying the KES resource.

LocalCertificateReference

LocalCertificateReference (externalCertSecret, externalCaCertSecret,clientCertSecret) contains a Kubernetes secret containing TLS certificates or Certificate Authority files for use with enabling TLS in the MinIO Tenant.

Appears In:
Field Description

name string

Required

The name of the Kubernetes secret containing the TLS certificate or Certificate Authority file.

type string

Required

The type of Kubernetes secret. Specify kubernetes.io/tls

Logging

Logging describes Logging for MinIO tenants.

Appears In:
Field Description

json boolean

anonymous boolean

quiet boolean

Pool

Pool (pools) defines a MinIO server pool on a Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant.

See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.

Appears In:
Field Description

name string

Required

Specify the name of the pool. The Operator automatically generates the pool name if this field is omitted.

servers integer

Required

The number of MinIO server pods to deploy in the pool. The minimum value is 2.

The MinIO Operator requires a minimum of 4 volumes per pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.

volumesPerServer integer

Required

The number of Persistent Volume Claims to generate for each MinIO server pod in the pool.

The MinIO Operator requires a minimum of 4 volumes per pool. Specifically, the result of pools.servers X pools.volumesPerServer must be greater than 4.

volumeClaimTemplate PersistentVolumeClaim

Required

Specify the configuration options for the MinIO Operator to use when generating Persistent Volume Claims for the MinIO tenant.

Optional

Object specification for specifying CPU and memory resource allocations or limits in the MinIO tenant.

nodeSelector object (keys:string, values:string)

Optional

The filter for the Operator to apply when selecting which nodes on which to deploy pods in the pool. The Operator only selects those nodes whose labels match the specified selector.

See the Kubernetes documentation on Assigning Pods to Nodes for more information.

affinity Affinity

Optional

Specify node affinity, pod affinity, and pod anti-affinity for pods in the MinIO pool.

tolerations Toleration array

Optional

Specify one or more Kubernetes tolerations to apply to pods deployed in the MinIO pool.

topologySpreadConstraints TopologySpreadConstraint array

Optional

Specify one or more Kubernetes Topology Spread Constraints to apply to pods deployed in the MinIO pool.

securityContext PodSecurityContext

Optional

Specify the Security Context of pods in the pool. The Operator supports only the following pod security fields:

  • fsGroup

  • fsGroupChangePolicy

  • runAsGroup

  • runAsNonRoot

  • runAsUser

containerSecurityContext SecurityContext

Specify the Security Context of containers in the pool. The Operator supports only the following container security fields:

  • runAsGroup

  • runAsNonRoot

  • runAsUser

annotations object (keys:string, values:string)

Optional

Specify custom labels and annotations to append to the Pool. Optional

If provided, use these annotations for the Pool Objects Meta annotations (Statefulset and Pod template)

labels object (keys:string, values:string)

Optional

If provided, use these labels for the Pool Objects Meta annotations (Statefulset and Pod template)

runtimeClassName string

Optional

If provided, each pod on the Statefulset will run with the specified RuntimeClassName, for more info https://kubernetes.io/docs/concepts/containers/runtime-class/

reclaimStorage boolean

Optional

If true. Will delete the storage when tenant has been deleted.

PoolState (string)

PoolState represents the state of a pool

Appears In:

PoolStatus

PoolStatus keeps track of all the pools and their current state

Appears In:
Field Description

ssName string

state PoolState

legacySecurityContext boolean

LegacySecurityContext stands for Legacy SecurityContext. It represents that these pool was created before v4.2.3 when we introduced the default securityContext as non-root, thus we should keep running this Pool without a Security Context

ServiceMetadata

ServiceMetadata (serviceMetadata) defines custom labels and annotations for the MinIO Object Storage service and/or MinIO Console service.

Appears In:
Field Description

minioServiceLabels object (keys:string, values:string)

Optional

If provided, append these labels to the MinIO service

minioServiceAnnotations object (keys:string, values:string)

Optional

If provided, append these annotations to the MinIO service

consoleServiceLabels object (keys:string, values:string)

Optional

If provided, append these labels to the Console service

consoleServiceAnnotations object (keys:string, values:string)

Optional

If provided, append these annotations to the Console service

SideCars

SideCars (sidecars) defines a list of containers that the Operator attaches to each MinIO server pods in the pool.

Appears In:
Field Description

containers Container array

Optional

List of containers to run inside the Pod

volumeClaimTemplates PersistentVolumeClaim array

Optional

volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.

volumes Volume array

Optional

List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes

Optional

sidecar’s Resource, initcontainer will use that if set.

Tenant

Tenant is a Kubernetes object describing a MinIO Tenant.

Appears In:
Field Description

apiVersion string

minio.min.io/v2

kind string

Tenant

metadata ObjectMeta

Refer to Kubernetes API documentation for fields of metadata.

scheduler TenantScheduler

spec TenantSpec

Required

The root field for the MinIO Tenant object.

TenantDomains

TenantDomains (domains) - List of domains used to access the tenant from outside the kubernetes clusters. this will only configure MinIO for the domains listed, but external DNS configuration is still needed. The listed domains should include schema and port if any is used, i.e. https://minio.domain.com:8123

Appears In:
Field Description

minio string array

List of Domains used by MinIO. This will enable DNS style access to the object store where the bucket name is inferred from a subdomain in the domain.

console string

Domain used to expose the MinIO Console, this will configure the redirect on MinIO when visiting from the browser If Console is exposed via a subpath, the domain should include it, i.e. https://console.domain.com:8123/subpath/

TenantScheduler

TenantScheduler (scheduler) - Object describing Kubernetes Scheduler to use for deploying the MinIO Tenant.

Appears In:
Field Description

name string

Optional

Specify the name of the Kubernetes scheduler to be used to schedule Tenant pods

TenantSpec

TenantSpec (spec) defines the configuration of a MinIO Tenant object.

The following parameters are specific to the minio.min.io/v2 MinIO CRD API spec definition added as part of the MinIO Operator v4.0.0.

For more complete documentation on this object, see the MinIO Kubernetes Documentation.

Appears In:
Field Description

pools Pool array

Required

An array of objects describing each MinIO server pool deployed in the MinIO Tenant. Each pool consists of a set of MinIO server pods which "pool" their storage resources for supporting object storage and retrieval requests. Each server pool is independent of all others and supports horizontal scaling of available storage resources in the MinIO Tenant.

The MinIO Tenant spec must have at least one element in the pools array.

See the MinIO Operator CRD reference for the pools object for examples and more complete documentation.

image string

Optional

The Docker image to use when deploying minio server pods. Defaults to minio/minio:RELEASE.2024-05-01T01-11-10Z.

imagePullSecret LocalObjectReference

Optional

Specify the secret key to use for pulling images from a private Docker repository.

podManagementPolicy PodManagementPolicyType

Optional

Pod Management Policy for pod created by StatefulSet

credsSecret LocalObjectReference

optional

Specify a Kubernetes opaque secret to use for setting the MinIO root access key and secret key. Specify the secret as name: <secret>. The Kubernetes secret must contain the following fields:

  • data.accesskey - The access key for the root credentials

  • data.secretkey - The secret key for the root credentials

env EnvVar array

Optional

If provided, the MinIO Operator adds the specified environment variables when deploying the Tenant resource.

externalCertSecret LocalCertificateReference array

Optional

Enables TLS with SNI support on each MinIO pod in the tenant. If externalCertSecret is omitted and requestAutoCert is set to false, the MinIO Tenant deploys without TLS enabled.

Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant. When the MinIO pod/service responds to a TLS connection request, it uses SNI to select the certificate with matching subjectAlternativeName.

Each element in the externalCertSecret array is an object containing the following fields:

  • - name - The name of the Kubernetes secret containing the TLS certificate.

  • - type - Specify kubernetes.io/tls

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

externalCaCertSecret LocalCertificateReference array

Optional

Allows MinIO server pods to verify client TLS certificates signed by a Certificate Authority not in the pod’s trust store.

Specify an array of Kubernetes TLS secrets. The MinIO Operator copies the specified certificates to every MinIO server pod in the tenant.

Each element in the externalCertSecret array is an object containing the following fields:

  • - name - The name of the Kubernetes secret containing the Certificate Authority.

  • - type - Specify kubernetes.io/tls.

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

externalClientCertSecret LocalCertificateReference

Optional

Enables mTLS authentication between the MinIO Tenant pods and MinIO KES. Required for enabling connectivity between the MinIO Tenant and MinIO KES.

Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant. The secret must contain the following fields:

  • name - The name of the Kubernetes secret containing the TLS certificate.

  • type - Specify kubernetes.io/tls

The specified certificate must correspond to an identity on the KES server. See the KES Wiki for more information on KES identities.

If deploying KES with the MinIO Operator, include the hash of the certificate as part of the kes object specification.

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

externalClientCertSecrets LocalCertificateReference array

Optional

Provide support for mounting additional client certificate into MinIO Tenant pods Multiple client certificates will be mounted using the following folder structure:

  • certs

  • * client-0

  • * * client.crt

  • * * client.key

  • * client-1

  • * * client.crt

  • * * client.key

  • * * client-2

  • * client.crt

  • * * client.key

Specify a Kubernetes TLS secrets. The MinIO Operator copies the specified certificate to every MinIO server pod in the tenant that later can be referenced using environment variables. The secret must contain the following fields:

  • name - The name of the Kubernetes secret containing the TLS certificate.

  • type - Specify kubernetes.io/tls

mountPath string

Optional

Mount path for MinIO volume (PV). Defaults to /export

subPath string

Optional

Subpath inside mount path. This is the directory where MinIO stores data. Default to ""` (empty)

requestAutoCert boolean

Optional

Enables using Kubernetes-based TLS certificate generation and signing for pods and services in the MinIO Tenant.

  • Specify true to explicitly enable automatic certificate generate (Default).

  • Specify false to disable automatic certificate generation.

If requestAutoCert is set to false and externalCertSecret is omitted, the MinIO Tenant deploys without TLS enabled.

See the MinIO Operator CRD reference for examples and more complete documentation on configuring TLS for MinIO Tenants.

liveness Probe

Liveness Probe for container liveness. Container will be restarted if the probe fails.

readiness Probe

Readiness Probe for container readiness. Container will be removed from service endpoints if the probe fails.

startup Probe

Startup Probe allows to configure a max grace period for a pod to start before getting traffic routed to it.

lifecycle Lifecycle

Lifecycle hooks for container.

features Features

S3 related features can be disabled or enabled such as bucketDNS etc.

certConfig CertificateConfig

Optional

Enables setting the CommonName, Organization, and dnsName attributes for all TLS certificates automatically generated by the Operator. Configuring this object has no effect if requestAutoCert is false.

kes KESConfig

Optional

Directs the MinIO Operator to deploy the MinIO Key Encryption Service (KES) using the specified configuration. The MinIO KES supports performing server-side encryption of objects on the MiNIO Tenant.

prometheusOperator boolean

Optional

Directs the MinIO Operator to use prometheus operator.

Tenant scrape configuration will be added to prometheus managed by the prometheus-operator.

serviceAccountName string

Optional

The Kubernetes Service Account to use for running MinIO pods created as part of the Tenant.

priorityClassName string

Optional

Indicates the Pod priority and therefore importance of a Pod relative to other Pods in the cluster. This is applied to MinIO pods only.

Refer Kubernetes Priority Class documentation for more complete documentation.

imagePullPolicy PullPolicy

Optional

The pull policy for the MinIO Docker image. Specify one of the following:

  • Always

  • Never

  • IfNotPresent (Default)

sideCars SideCars

Optional

A list of containers to run as sidecars along every MinIO Pod deployed in the tenant.

exposeServices ExposeServices

Optional

Directs the Operator to expose the MinIO and/or Console services.

serviceMetadata ServiceMetadata

Optional

Specify custom labels and annotations to append to the MinIO service and/or Console service.

users LocalObjectReference array

Optional

An array of Kubernetes opaque secrets to use for generating MinIO users during tenant provisioning.

Each element in the array is an object consisting of a key-value pair name: <string>, where the <string> references an opaque Kubernetes secret.

Each referenced Kubernetes secret must include the following fields:

  • CONSOLE_ACCESS_KEY - The "Username" for the MinIO user

  • CONSOLE_SECRET_KEY - The "Password" for the MinIO user

The Operator creates each user with the consoleAdmin policy by default. You can change the assigned policy after the Tenant starts.

buckets Bucket array

Optional

Create buckets when creating a new tenant. Skip if bucket with given name already exists

logging Logging

Optional

Enable JSON, Anonymous logging for MinIO tenants.

configuration LocalObjectReference

Optional

Specify a secret that contains additional environment variable configurations to be used for the MinIO pools. The secret is expected to have a key named config.env containing all exported environment variables for MinIO+

initContainers Container array

Optional

Add custom initContainers to StatefulSet

additionalVolumes Volume array

Optional

If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.

additionalVolumeMounts VolumeMount array

Optional

If provided, statefulset will add these volumes. You should set the rules for the corresponding volumes and volume mounts. We will not test this rule, k8s will show the result.

TenantUsage

TenantUsage are metrics regarding the usage and capacity of the tenant

Appears In:
Field Description

capacity integer

Capacity the usage capacity of this tenant in bytes.

rawCapacity integer

Capacity the raw capacity of this tenant in bytes.

usage integer

Usage is how much data is managed by MinIO in bytes.

rawUsage integer

Usage is the raw usage on disks in bytes.

tiers TierUsage array

Tiers includes the usage of individual tiers in the tenant

TierUsage

TierUsage represents the usage from a tier setup by the tenant

Appears In:
Field Description

Name string

Name of the tier

Type string

type of the tier

totalSize integer

TotalSize usage of the tier