minio

Helm chart

Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## e.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @section MinIO® parameters

## Iamguarded MinIO® image version
## @param image.registry [default: REGISTRY_NAME] MinIO® image registry
## @param image.repository [default: REPOSITORY_NAME/minio] MinIO® image repository
## @skip image.tag MinIO® image tag (immutable tags are recommended)
## @param image.digest MinIO® image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug logs should be enabled
##
image:
  registry: cgr.dev
  repository: chainguard-private/minio-iamguarded
  tag: 0.20251015.172955
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## Iamguarded MinIO® Client image version
## @param clientImage.registry [default: REGISTRY_NAME] MinIO® Client image registry
## @param clientImage.repository [default: REPOSITORY_NAME/minio-client] MinIO® Client image repository
## @skip clientImage.tag MinIO® Client image tag (immutable tags are recommended)
## @param clientImage.digest MinIO® Client image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
##
clientImage:
  registry: cgr.dev
  repository: chainguard-private/minio-client-iamguarded
  tag: 0.20250813.083541
  digest: ""
## MinIO® authentication parameters
##
auth:
  ## @param auth.rootUser MinIO® root username
  ##
  rootUser: admin
  ## @param auth.rootPassword Password for MinIO® root user
  ##
  rootPassword: ""
  ## @param auth.existingSecret Use existing secret for credentials details (`auth.rootUser` and `auth.rootPassword` will be ignored and picked up from this secret).
  ##
  existingSecret: ""
  ## @param auth.rootUserSecretKey Key where the MINIO_ROOT_USER username is being stored inside the existing secret `auth.existingSecret`
  ##
  rootUserSecretKey: ""
  ## @param auth.rootPasswordSecretKey Key where the MINIO_ROOT_USER password is being stored inside the existing secret `auth.existingSecret`
  ##
  rootPasswordSecretKey: ""
  ## @param auth.forcePassword Force users to specify required passwords
  ##
  forcePassword: false
  ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable
  ##
  usePasswordFiles: true
  ## @param auth.useSecret Uses a secret to mount the credential files.
  ##
  useSecret: true
  ## @param auth.forceNewKeys Force root credentials (user and password) to be reconfigured every time they change in the secrets
  ##
  forceNewKeys: false
## @param defaultBuckets Comma, semi-colon or space separated list of buckets to create at initialization (only in standalone mode)
## e.g:
## defaultBuckets: "my-bucket, my-second-bucket"
##
defaultBuckets: ""
## @param tls.enabled Enable TLS configuration for MinIO®
## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates
## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
## @param tls.ca CA certificate for TLS. Ignored if `tls.existingCASecret` is set
## @param tls.existingCASecret The name of an existing Secret containing the CA certificate for TLS
## @param tls.server.cert TLS certificate for MinIO® servers. Ignored if `tls.server.existingSecret` is set
## @param tls.server.key TLS key for MinIO® servers. Ignored if `tls.server.existingSecret` is set
## @param tls.server.existingSecret The name of an existing Secret containing the TLS certificates for MinIO® servers
##
tls:
  enabled: false
  autoGenerated:
    enabled: true
    engine: helm
    certManager:
      existingIssuer: ""
      existingIssuerKind: ""
      keySize: 2048
      keyAlgorithm: RSA
      duration: 2160h
      renewBefore: 360h
  ca: ""
  existingCASecret: ""
  server:
    cert: ""
    key: ""
    existingSecret: ""
## @param extraEnvVars Extra environment variables to be set on MinIO® container
## e.g:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM ConfigMap with extra environment variables
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret with extra environment variables
##
extraEnvVarsSecret: ""
## @param command Default container command (useful when using custom images). Use array form
##
command: []
## @param args Default container args (useful when using custom images). Use array form
##
args: []
## @section MinIO® Deployment/StatefulSet parameters

## @param mode MinIO® server mode (`standalone` or `distributed`)
## ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
##
mode: standalone
## @param schedulerName Specifies the schedulerName, if it's nil uses kube-scheduler
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param terminationGracePeriodSeconds Time, in seconds, given to the MinIO pod to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param updateStrategy.type MinIO® deployment/statefulset update strategy type
## Can be set to RollingUpdate or Recreate (deployment) | RollingUpdate or OnDelete (statefulset)
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  type: RollingUpdate
## MinIO® StatefulSet parameters
## Only when mode is 'distributed'
##
statefulset:
  ## @param statefulset.podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ##
  podManagementPolicy: Parallel
  ## @param statefulset.replicaCount Number of pods per zone (only for MinIO® distributed mode). Should be even and `>= 4`
  ##
  replicaCount: 4
  ## @param statefulset.zones Number of zones (only for MinIO® distributed mode)
  ##
  zones: 1
  ## @param statefulset.drivesPerNode Number of drives attached to every node (only for MinIO® distributed mode)
  ##
  drivesPerNode: 1
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases MinIO® pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param containerPorts.api MinIO® container port to open for MinIO® API
##
containerPorts:
  api: 9000
## MinIO® pod Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable pod Security Context
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Group ID for the container
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroupChangePolicy When K8s should perform chown on attached volumes
##
podSecurityContext:
  enabled: true
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
  fsGroupChangePolicy: "OnRootMismatch"
## MinIO® container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## @param podLabels Extra labels for MinIO® pods
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for MinIO® pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment. Evaluated as a template.
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for MinIO® pods assignment spread across your cluster among failure-domains
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param priorityClassName MinIO® pods' priorityClassName
##
priorityClassName: ""
## @param runtimeClassName Name of the runtime class to be used by MinIO® pods'
## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
##
runtimeClassName: ""
## MinIO® containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 5
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 5
## Configure extra options for readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param readinessProbe.enabled Enable readinessProbe
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 5
  timeoutSeconds: 1
  successThreshold: 1
  failureThreshold: 5
## Configure extra options for startupProbe probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param startupProbe.enabled Enable startupProbe
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 0
  periodSeconds: 10
  timeoutSeconds: 5
  successThreshold: 1
  failureThreshold: 60
## @param customLivenessProbe Override default liveness probe
##
customLivenessProbe: {}
## @param customReadinessProbe Override default readiness probe
##
customReadinessProbe: {}
## @param customStartupProbe Override default startup probe
##
customStartupProbe: {}
## @param lifecycleHooks for the MinIO® container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraVolumes Optionally specify extra list of additional volumes for MinIO® pods
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for MinIO® container(s)
##
extraVolumeMounts: []
## @param initContainers Add additional init containers to the MinIO® pods
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## @param sidecars Add additional sidecar containers to the MinIO® pods
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## MinIO® Pod Disruption Budget configuration in distributed mode.
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  ##
  create: true
  ## @param pdb.minAvailable Minimum number/percentage of pods that must still be available after the eviction
  ##
  minAvailable: ""
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable after the eviction
  ##
  maxUnavailable: ""
## Autoscaling configuration
## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/
##
autoscaling:
  ## @param autoscaling.vpa.enabled Enable VPA for MinIO® pods
  ## @param autoscaling.vpa.annotations Annotations for VPA resource
  ## @param autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
  ## @param autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
  ## @param autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
  ##
  vpa:
    enabled: false
    annotations: {}
    controlledResources: []
    maxAllowed: {}
    minAllowed: {}
    ## @param autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy
    ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
    ## Possible values are "Off", "Initial", "Recreate", and "Auto".
    ##
    updatePolicy:
      updateMode: Auto
## Default init Containers
##
defaultInitContainers:
  ## 'volume-permissions' init container
  ## Used to change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
  ##
  volumePermissions:
    ## @param defaultInitContainers.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
    ##
    enabled: false
    ## @param defaultInitContainers.volumePermissions.image.registry [default: REGISTRY_NAME] "volume-permissions" init-containers' image registry
    ## @param defaultInitContainers.volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] "volume-permissions" init-containers' image repository
    ## @skip defaultInitContainers.volumePermissions.image.tag "volume-permissions" init-containers' image tag (immutable tags are recommended)
    ## @param defaultInitContainers.volumePermissions.image.digest "volume-permissions" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param defaultInitContainers.volumePermissions.image.pullPolicy "volume-permissions" init-containers' image pull policy
    ## @param defaultInitContainers.volumePermissions.image.pullSecrets "volume-permissions" init-containers' image pull secrets
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/os-shell-iamguarded
      tag: 1.0.0
      digest: ""
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Configure "volume-permissions" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.enabled Enabled "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.runAsUser Set runAsUser in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.privileged Set privileged in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.add List of capabilities to be added in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.seccompProfile.type Set seccomp profile in "volume-permissions" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 0
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: ["CHOWN"]
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## MinIO® "volume-permissions" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.volumePermissions.resourcesPreset Set MinIO® "volume-permissions" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.volumePermissions.resources is set (defaultInitContainers.volumePermissions.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.volumePermissions.resources Set MinIO® "volume-permissions" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
## @section MinIO® Traffic exposure parameters

## MinIO® Service properties
##
service:
  ## @param service.type MinIO® service type
  ##
  type: ClusterIP
  ## @param service.ports.api MinIO® API service port
  ##
  ports:
    api: 9000
  ## @param service.nodePorts.api Specify the MinIO® API nodePort value for the LoadBalancer and NodePort service types
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  nodePorts:
    api: ""
  ## @param service.clusterIP Service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific)
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.extraPorts Extra ports to expose in the service (normally used with the `sidecar` value)
  ##
  extraPorts: []
  ## @param service.annotations Annotations for MinIO® service
  ## This can be used to set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations: {}
  ## Headless service properties
  ##
  headless:
    ## @param service.headless.annotations Annotations for the headless service
    ##
    annotations: {}
## Configure the ingress resource that allows you to access the MinIO® API
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress controller resource for MinIO API
  ##
  enabled: false
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: minio.local
  ## @param ingress.path The Path to MinIO®. You may need to set this to '/*' in order to use this with ALB ingress controllers.
  ##
  path: /
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## e.g:
  ## extraHosts:
  ##   - name: minio.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Any additional paths that may need to be added to the ingress under the main host
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ##   - path: /*
  ##     backend:
  ##       serviceName: ssl-redirect
  ##       servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - minio.local
  ##     secretName: minio.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate are expected in PEM format
  ## name should line up with a secretName set further up
  ##
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
##
696
## Example
697
## secrets:
698
## - name: minio.local-tls
699
## key: ""
700
## certificate: ""
701
##
702
secrets: []
703
## @param ingress.extraRules Additional rules to be covered with this ingress record
704
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
705
## e.g:
706
## extraRules:
707
## - host: example.local
708
## http:
709
## paths:
710
## path: /
711
## pathType: ImplementationSpecific
712
## backend:
713
## service:
714
## name: example-svc
715
## port:
716
## name: http
717
##
718
extraRules: []
719
## Network Policy configuration
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy for MinIO®
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports the server is listening
  ## on. When true, the server will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
  ##
  addExternalClientAccess: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
  ## e.g:
  ## ingressPodMatchLabels:
  ##   my-client: "true"
  #
  ingressPodMatchLabels: {}
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## @section MinIO® Persistence parameters

## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
  ## @param persistence.enabled Enable MinIO® data persistence using PVC. If false, use emptyDir
  ##
  enabled: true
  ## @param persistence.storageClass PVC Storage Class for MinIO® data volume
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner. (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: ""
  ## @param persistence.mountPath Data volume mount path
  ##
  mountPath: /iamguarded/minio/data
  ## @param persistence.accessModes PVC Access Modes for MinIO® data volume
  ##
  accessModes:
    - ReadWriteOnce
  ## @param persistence.size PVC Storage Request for MinIO® data volume
  ##
  size: 8Gi
  ## @param persistence.annotations Annotations for the PVC
  ##
  annotations: {}
  ## @param persistence.existingClaim Name of an existing PVC to use (only in `standalone` mode)
  ##
  existingClaim: ""
  ## @param persistence.selector Selector to match an existing Persistent Volume for MinIO® data PVC
  ## If set, the PVC can't have a PV dynamically provisioned for it
  ## E.g.
  ## selector:
  ##   matchLabels:
  ##     app: my-app
  ##
  selector: {}
  ## @param persistence.dataSource Custom PVC data source
  ##
  dataSource: {}
## @section RBAC parameters

## Specifies whether a ServiceAccount should be created
##
serviceAccount:
  ## @param serviceAccount.create Enable the creation of a ServiceAccount for MinIO® pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created ServiceAccount
  ## If not set and create is true, a name is generated using the common.names.fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Custom annotations for MinIO® ServiceAccount
  ##
  annotations: {}
## @section Metrics parameters
metrics:
  ## @param metrics.prometheusAuthType Authentication mode for Prometheus (`jwt` or `public`)
  ## To allow public access without authentication for prometheus metrics set environment as follows.
  ##
  prometheusAuthType: public
  ## @param metrics.enabled Enable the export of Prometheus metrics
  ##
  enabled: false
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled If the operator is installed in your cluster, set to true to create a Service Monitor Entry
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.paths HTTP paths to scrape for metrics
    ##
    paths:
      - /minio/v2/metrics/cluster
      - /minio/v2/metrics/node
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## e.g:
    ## scrapeTimeout: 30s
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.relabelings Metrics relabelings to add to the scrape endpoint, applied before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ##
    selector: {}
    ## @param metrics.serviceMonitor.apiVersion ApiVersion for the serviceMonitor Resource (defaults to "monitoring.coreos.com/v1")
    apiVersion: ""
    ## @param metrics.serviceMonitor.tlsConfig Additional TLS configuration for metrics endpoint with "https" scheme
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.TLSConfig
    tlsConfig: {}
  ## Prometheus Operator PrometheusRule configuration
  ##
  prometheusRule:
    ## @param metrics.prometheusRule.enabled Create a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`)
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
    ##
    namespace: ""
    ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    additionalLabels: {}
    ## @param metrics.prometheusRule.rules Prometheus Rule definitions
    # - alert: minio cluster nodes offline
    #   annotations:
    #     summary: "minio cluster nodes offline"
    #     description: "minio cluster nodes offline, pod {{`{{`}} $labels.pod {{`}}`}} service {{`{{`}} $labels.job {{`}}`}} offline"
    #   for: 10m
    #   expr: minio_cluster_nodes_offline_total > 0
    #   labels:
    #     severity: critical
    #     group: PaaS
    ##
    rules: []
## @section MinIO® Console parameters
console:
  ## @param console.enabled Enable MinIO® Console
  ##
  enabled: true
  ## Iamguarded MinIO® Console image
  ## @param console.image.registry [default: REGISTRY_NAME] MinIO® Console image registry
  ## @param console.image.repository [default: REPOSITORY_NAME/minio-object-browser] MinIO® Console image repository
  ## @skip console.image.tag MinIO® Console image tag (immutable tags are recommended)
  ## @param console.image.digest MinIO® Console image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
  ## @param console.image.pullPolicy MinIO® Console image pull policy
  ## @param console.image.pullSecrets MinIO® Console image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/minio-object-browser-iamguarded
    tag: 2.0.4
    digest: ""
    ## Specify an imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param console.replicaCount Number of MinIO® Console replicas to deploy
  ##
  replicaCount: 1
  ## @param console.containerPorts.http MinIO® Console HTTP container port
  ##
  containerPorts:
    http: 9090
  ## @param console.extraContainerPorts Optionally specify extra list of additional ports for MinIO® Console containers
  ## e.g:
  ## extraContainerPorts:
  ##   - name: myservice
  ##     containerPort: 9090
  ##
  extraContainerPorts: []
  ## Configure extra options for MinIO® Console containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param console.livenessProbe.enabled Enable livenessProbe on MinIO® Console containers
  ## @param console.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param console.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param console.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param console.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param console.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param console.readinessProbe.enabled Enable readinessProbe on MinIO® Console containers
  ## @param console.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param console.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param console.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param console.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param console.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 5
  ## @param console.startupProbe.enabled Enable startupProbe on MinIO® Console containers
  ## @param console.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param console.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param console.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param console.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param console.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 0
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 60
  ## @param console.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param console.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param console.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## MinIO® Console resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param console.resourcesPreset Set MinIO® Console container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if console.resources is set (console.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param console.resources Set MinIO® Console container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param console.podSecurityContext.enabled Enable MinIO® Console pods' Security Context
  ## @param console.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy for MinIO® Console pods
  ## @param console.podSecurityContext.sysctls Set kernel settings using the sysctl interface for MinIO® Console pods
  ## @param console.podSecurityContext.supplementalGroups Set filesystem extra groups for MinIO® Console pods
  ## @param console.podSecurityContext.fsGroup Set fsGroup in MinIO® Console pods' Security Context
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param console.containerSecurityContext.enabled Enable MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in MinIO® Console container
  ## @param console.containerSecurityContext.runAsUser Set runAsUser in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.runAsGroup Set runAsGroup in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.runAsNonRoot Set runAsNonRoot in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.privileged Set privileged in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in MinIO® Console container's Security Context
  ## @param console.containerSecurityContext.capabilities.drop List of capabilities to be dropped in MinIO® Console container
  ## @param console.containerSecurityContext.seccompProfile.type Set seccomp profile in MinIO® Console container
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param console.command Override default MinIO® Console container command (useful when using custom images)
  ##
  command: []
  ## @param console.args Override default MinIO® Console container args (useful when using custom images)
  ##
  args: []
  ## @param console.automountServiceAccountToken Mount Service Account token in MinIO® Console pods
  ##
  automountServiceAccountToken: false
  ## @param console.hostAliases MinIO® Console pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param console.deploymentAnnotations Annotations for MinIO® Console deployment
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  deploymentAnnotations: {}
  ## @param console.podLabels Extra labels for MinIO® Console pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param console.podAnnotations Annotations for MinIO® Console pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param console.podAffinityPreset Pod affinity preset. Ignored if `console.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param console.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `console.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param console.nodeAffinityPreset.type Node affinity preset type. Ignored if `console.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param console.nodeAffinityPreset.key Node label key to match. Ignored if `console.affinity` is set
    ##
    key: ""
    ## @param console.nodeAffinityPreset.values Node label values to match. Ignored if `console.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param console.affinity Affinity for MinIO® Console pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `console.podAffinityPreset`, `console.podAntiAffinityPreset`, and `console.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param console.nodeSelector Node labels for MinIO® Console pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param console.tolerations Tolerations for MinIO® Console pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param console.updateStrategy.type MinIO® Console deployment strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  ##
  updateStrategy:
    ## Can be set to RollingUpdate or Recreate
    ##
    type: RollingUpdate
  ## @param console.priorityClassName MinIO® Console pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param console.topologySpreadConstraints Topology Spread Constraints for MinIO® Console pod assignment spread across your cluster among failure-domains
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param console.schedulerName Name of the k8s scheduler (other than default) for MinIO® Console pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param console.terminationGracePeriodSeconds Seconds MinIO® Console pods need to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param console.lifecycleHooks Lifecycle hooks for MinIO® Console containers to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param console.extraEnvVars Array with extra environment variables to add to MinIO® Console containers
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param console.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for MinIO® Console containers
  ##
  extraEnvVarsCM: ""
  ## @param console.extraEnvVarsSecret Name of existing Secret containing extra env vars for MinIO® Console containers
  ##
  extraEnvVarsSecret: ""
  ## @param console.extraVolumes Optionally specify extra list of additional volumes for the MinIO® Console pods
  ##
  extraVolumes: []
  ## @param console.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the MinIO® Console containers
  ##
  extraVolumeMounts: []
  ## @param console.sidecars Add additional sidecar containers to the MinIO® Console pods
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param console.initContainers Add additional init containers to the MinIO® Console pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param console.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param console.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param console.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `console.pdb.minAvailable` and `console.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/concepts/workloads/autoscaling/
  ##
  autoscaling:
    ## @param console.autoscaling.vpa.enabled Enable VPA for MinIO® Console pods
    ## @param console.autoscaling.vpa.annotations Annotations for VPA resource
    ## @param console.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    ## @param console.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
    ## @param console.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
    ##
    vpa:
      enabled: false
      annotations: {}
      controlledResources: []
      maxAllowed: {}
      minAllowed: {}
      ## @param console.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy
      ## Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
      ## Possible values are "Off", "Initial", "Recreate", and "Auto".
      ##
      updatePolicy:
        updateMode: Auto
    ## @param console.autoscaling.hpa.enabled Enable HPA for MinIO® Console pods
    ## @param console.autoscaling.hpa.minReplicas Minimum number of replicas
    ## @param console.autoscaling.hpa.maxReplicas Maximum number of replicas
    ## @param console.autoscaling.hpa.targetCPU Target CPU utilization percentage
    ## @param console.autoscaling.hpa.targetMemory Target Memory utilization percentage
    ##
    hpa:
      enabled: false
      minReplicas: ""
      maxReplicas: ""
      targetCPU: ""
      targetMemory: ""
  ## MinIO® Console Service properties
  ##
  service:
    ## @param console.service.type MinIO® Console service type
    ##
    type: ClusterIP
    ## @param console.service.ports.http MinIO® Console HTTP service port
    ##
    ports:
      http: 9090
    ## @param console.service.nodePorts.http Specify the MinIO® Console HTTP nodePort value
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ##
    nodePorts:
      http: ""
    ## @param console.service.clusterIP Service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param console.service.loadBalancerIP loadBalancerIP if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param console.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param console.service.externalTrafficPolicy Enable client source IP preservation
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param console.service.extraPorts Extra ports to expose in the service (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param console.service.annotations Annotations for MinIO® Console service
    ## This can be used to set the LoadBalancer service type to internal only.
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    annotations: {}
  ## Configure the ingress resource that allows you to access the MinIO® Console
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param console.ingress.enabled Enable ingress controller resource for MinIO® Console
    ##
    enabled: false
    ## @param console.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param console.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param console.ingress.hostname Default host for the ingress resource
    ##
    hostname: minio.local
    ## @param console.ingress.path The Path to MinIO® Console. You may need to set this to '/*' in order to use this with ALB ingress controllers.
    ##
    path: /
    ## @param console.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param console.ingress.annotations Additional annotations for the Ingress resource. To enable certificate auto-generation, place here your cert-manager annotations.
    ## For a full list of possible ingress annotations, please see
    ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ##
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param console.ingress.tls Enable TLS configuration for the hostname defined at `console.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.console.ingress.hostname }}`
    ## You can:
    ##   - Use the `console.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `console.ingress.selfSigned=true`
    ##
    tls: false
    ## @param console.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param console.ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
    ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
    ## e.g:
    ## extraHosts:
    ## - name: minio.local
    ##   path: /
    ##
    extraHosts: []
    ## @param console.ingress.extraPaths Any additional paths that may need to be added to the ingress under the main host
    ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param console.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
    ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - minio.local
    ##   secretName: minio.local-tls
    ##
    extraTls: []
    ## @param console.ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
    ## key and certificate are expected in PEM format
    ## name should line up with a secretName set further up
    ##
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ##
    ## Example
    ## secrets:
    ##   - name: minio.local-tls
    ##     key: ""
    ##     certificate: ""
    ##
    secrets: []
    ## @param console.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
1383
## e.g:
1384
## extraRules:
1385
## - host: example.local
1386
## http:
1387
## paths:
1388
## path: /
1389
## pathType: ImplementationSpecific
1390
## backend:
1391
## service:
1392
## name: example-svc
1393
## port:
1394
## name: http
1395
##
1396
extraRules: []
1397
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param console.networkPolicy.enabled Enable creation of NetworkPolicy for MinIO® Console
    ##
    enabled: true
    ## @param console.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param console.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param console.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `console.networkPolicy.allowExternal` is true.
    ##
    addExternalClientAccess: true
    ## @param console.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraIngress: []
    ## @param console.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param console.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `console.networkPolicy.allowExternal` is true.
    ## e.g:
    ## ingressPodMatchLabels:
    ##   my-client: "true"
    ##
    ingressPodMatchLabels: {}
    ## @param console.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `console.networkPolicy.allowExternal` is true.
    ## @param console.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `console.networkPolicy.allowExternal` is true.
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section MinIO® provisioning parameters
provisioning:
  ## @param provisioning.enabled Enable MinIO® provisioning Job
  ##
  enabled: false
  ## @param provisioning.sleepTime Sleep time before checking Minio availability
  ##
  sleepTime: 5
  ## @param provisioning.schedulerName Name of the k8s scheduler (other than default) for MinIO® provisioning
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param provisioning.nodeSelector Node labels for pod assignment. Evaluated as a template.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
  ##
  nodeSelector: {}
  ## @param provisioning.podLabels Extra labels for provisioning pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param provisioning.podAnnotations Provisioning Pod annotations.
  ##
  podAnnotations: {}
  ## @param provisioning.command Default provisioning container command (useful when using custom images). Use array form
  ##
  command: []
  ## @param provisioning.args Default provisioning container args (useful when using custom images). Use array form
  ##
  args: []
  ## @param provisioning.extraCommands Optionally specify extra list of additional commands for MinIO® provisioning pod
  ##
  extraCommands: []
  ## @param provisioning.extraVolumes Optionally specify extra list of additional volumes for MinIO® provisioning pod
  ##
  extraVolumes: []
  ## @param provisioning.extraVolumeMounts Optionally specify extra list of additional volumeMounts for MinIO® provisioning container
  ##
  extraVolumeMounts: []
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param provisioning.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if provisioning.resources is set (provisioning.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param provisioning.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param provisioning.policies MinIO® policies provisioning
  ## https://docs.min.io/docs/minio-admin-complete-guide.html#policy
  ## e.g.
  ## policies:
  ##   - name: custom-bucket-specific-policy
  ##     statements:
  ##       - resources:
  ##           - "arn:aws:s3:::my-bucket"
  ##         actions:
  ##           - "s3:GetBucketLocation"
  ##           - "s3:ListBucket"
  ##           - "s3:ListBucketMultipartUploads"
  ##       - resources:
  ##           - "arn:aws:s3:::my-bucket/*"
  ##         # Allowed values: "Allow" | "Deny"
  ##         # Defaults to "Deny" if not specified
  ##         effect: "Allow"
  ##         actions:
  ##           - "s3:AbortMultipartUpload"
  ##           - "s3:DeleteObject"
  ##           - "s3:GetObject"
  ##           - "s3:ListMultipartUploadParts"
  ##           - "s3:PutObject"
  ##         condition:
  ##           StringLike:
  ##             "s3:prefix":
  ##               - "${aws:username}/*"
  policies: []
  ## @param provisioning.users MinIO® users provisioning. Can be used in addition to provisioning.usersExistingSecrets.
  ## https://docs.min.io/docs/minio-admin-complete-guide.html#user
  ## e.g.
  ## users:
  ##   - username: test-username
  ##     password: test-password
  ##     disabled: false
  ##     policies:
  ##       - readwrite
  ##       - consoleAdmin
  ##       - diagnostics
  ##     # When set to true, it will replace all policies with the specified.
  ##     # When false, the policies will be added to the existing.
  ##     setPolicies: false
  users: []
  ## @param provisioning.usersExistingSecrets Array of existing secrets containing MinIO® users to be provisioned. Can be used in addition to provisioning.users.
  ## https://docs.min.io/docs/minio-admin-complete-guide.html#user
  ##
  ## Instead of configuring users inside values.yaml, referring to existing Kubernetes secrets containing user
  ## configurations is possible.
  ## e.g.
  ## usersExistingSecrets:
  ##   - centralized-minio-users
  ##
  ## All provided Kubernetes secrets require a specific data structure. The same data from the provisioning.users example above
  ## can be defined via secrets with the following data structure. The secret keys have no meaning to the provisioning job except that
  ## they are used as filenames.
  ##   ## apiVersion: v1
  ##   ## kind: Secret
  ##   ## metadata:
  ##   ##   name: centralized-minio-users
  ##   ## type: Opaque
  ##   ## stringData:
  ##   ##   username1: |
  ##   ##     username=test-username
  ##   ##     password=test-password
  ##   ##     disabled=false
  ##   ##     policies=readwrite,consoleAdmin,diagnostics
  ##   ##     setPolicies=false
  usersExistingSecrets: []
  ## @param provisioning.groups MinIO® groups provisioning
  ## https://docs.min.io/docs/minio-admin-complete-guide.html#group
  ## e.g.
  ## groups:
  ##   - name: test-group
  ##     disabled: false
  ##     members:
  ##       - test-username
  ##     policies:
  ##       - readwrite
  ##     # When set to true, it will replace all policies with the specified.
  ##     # When false, the policies will be added to the existing.
  ##     setPolicies: false
  groups: []
  ## @param provisioning.buckets MinIO® buckets, versioning, lifecycle, quota and tags provisioning
  ## Buckets https://docs.min.io/docs/minio-client-complete-guide.html#mb
  ## Lifecycle https://docs.min.io/docs/minio-client-complete-guide.html#ilm
  ## Quotas https://docs.min.io/docs/minio-admin-complete-guide.html#bucket
  ## Tags https://docs.min.io/docs/minio-client-complete-guide.html#tag
  ## Versioning https://docs.min.io/docs/minio-client-complete-guide.html#version
  ## e.g.
  ## buckets:
  ##   - name: test-bucket
  ##     region: us-east-1
  ##     # Only when mode is 'distributed'
  ##     # Allowed values: "Versioned" | "Suspended" | "Unchanged"
  ##     # Defaults to "Suspended" if not specified.
  ##     # For compatibility, accepts boolean values as well, where true maps
  ##     # to "Versioned" and false to "Suspended".
  ##     # ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
  ##     versioning: Suspended
  ##     # Versioning is automatically enabled if withLock is true
  ##     # ref: https://docs.min.io/docs/minio-bucket-versioning-guide.html
  ##     withLock: true
  ##     # Only when mode is 'distributed'
  ##     # ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
  ##     lifecycle:
  ##       - id: TestPrefix7dRetention
  ##         prefix: test-prefix
  ##         disabled: false
  ##         expiry:
  ##           days: 7
  ##           # Days !OR! date
  ##           # date: "2021-11-11T00:00:00Z"
  ##           nonconcurrentDays: 3
  ##     # Only when mode is 'distributed'
  ##     # ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide
  ##     quota:
  ##       # set (hard still works as an alias but is deprecated) or clear(+ omit size)
  ##       type: set
  ##       size: 10GiB
  ##     tags:
  ##       key1: value1
  buckets: []
  ## @param provisioning.config MinIO® config provisioning
  ## https://docs.min.io/community/minio-object-store/reference/minio-mc-admin/mc-admin-config.html
  ## e.g.
  ## config:
  ##   - name: region
  ##     options:
  ##       name: us-east-1
  config: []
  ## MinIO® pod Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param provisioning.podSecurityContext.enabled Enable pod Security Context
  ## @param provisioning.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param provisioning.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param provisioning.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param provisioning.podSecurityContext.fsGroup Group ID for the container
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## MinIO® container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param provisioning.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param provisioning.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param provisioning.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param provisioning.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param provisioning.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param provisioning.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param provisioning.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param provisioning.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param provisioning.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Automatic Cleanup for Finished Jobs
  ## @param provisioning.cleanupAfterFinished.enabled Enables Cleanup for Finished Jobs
  ## @param provisioning.cleanupAfterFinished.seconds Sets the value of ttlSecondsAfterFinished
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/
  ##
  cleanupAfterFinished:
    enabled: false
    seconds: 600
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param provisioning.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param provisioning.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param provisioning.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraIngress: []
    ## @param provisioning.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
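
A values override that tightens the console and provisioning defaults listed above. It is an added illustration, not part of the chart or of the Chainguard or Bitnami files. The hostname, issuer name, ingress controller namespace, Secret name, and the bucket and policy names are assumptions; every key used appears in the defaults above.

```yaml
# hardened-values.yaml (added example; names marked "assumed" are placeholders)
console:
  ingress:
    hostname: console.example.internal      # assumed hostname
    pathType: Prefix
    annotations:
      # cert-manager creates the "<hostname>-tls" secret the chart looks for
      cert-manager.io/cluster-issuer: cluster-issuer-name   # assumed issuer
    tls: true          # default false leaves the console on plain HTTP at the ingress
    selfSigned: false  # do not fall back to Helm-generated self-signed certificates
  networkPolicy:
    enabled: true
    # Default true accepts connections from any source on the console port.
    allowExternal: false
    # With allowExternal=false, pods labelled as clients are still admitted
    # unless this is also turned off.
    addExternalClientAccess: false
    # Admit only the ingress controller's namespace (assumed: ingress-nginx).
    # kubernetes.io/metadata.name is set automatically on namespaces (Kubernetes 1.21+).
    ingressNSMatchLabels:
      kubernetes.io/metadata.name: ingress-nginx

provisioning:
  enabled: true
  # Keep credentials out of values.yaml: reference a Secret in the
  # username=/password=/policies= format documented above.
  users: []
  usersExistingSecrets:
    - centralized-minio-users               # assumed Secret name
  policies:
    - name: app-bucket-rw                   # assumed policy name
      statements:
        - resources:
            - "arn:aws:s3:::app-bucket"     # assumed bucket
          effect: "Allow"                   # effect defaults to "Deny" when omitted
          actions:
            - "s3:GetBucketLocation"
            - "s3:ListBucket"
        - resources:
            - "arn:aws:s3:::app-bucket/*"
          effect: "Allow"
          actions:
            - "s3:GetObject"
            - "s3:PutObject"
  # Remove the finished provisioning Job after ttlSecondsAfterFinished.
  cleanupAfterFinished:
    enabled: true
    seconds: 600
```

The Secret referenced in `usersExistingSecrets` would then assign `policies=app-bucket-rw` to its users instead of the broad `readwrite,consoleAdmin,diagnostics` set shown in the chart's sample.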