MinIO KMS Custom Resource Definition (Alpha)
Packages
minkms.min.io/v1alpha1
Package v1alpha1 is the v1alpha1 version of the Enterprise Operator API.
CertificateConfig
CertificateConfig (certConfig) defines the attributes of any TLS certificate automatically generated by the Operator. These fields have no effect if disableAutoCert: true.
Appears in: Certificates (as certConfig)
| Field | Description | Default | Validation |
|---|---|---|---|
| commonName (string) | Optional. The CommonName or CN attribute to associate with automatically generated TLS certificates. | | |
| organizationName (string array) | Optional. One or more OrganizationName or O attributes to associate with automatically generated TLS certificates. | | |
| dnsNames (string array) | Optional. One or more X.509 Subject Alternative Names (SANs) to associate with automatically generated TLS certificates. MinIO Server pods use SNI to select which certificate to present based on the requested hostname. | | |
Certificates
Certificates is the collection of certificates to provide to the MinIO Enterprise resource.
Appears in: MinKMSSpec (as certificates)
| Field | Description | Default | Validation |
|---|---|---|---|
| certConfig (CertificateConfig) | Optional. Sets the CommonName, Organization, and dnsNames attributes for all TLS certificates automatically generated by the Operator. Has no effect if disableAutoCert is true. | | |
| externalCertSecret (LocalCertificateReference array) | Optional. Enables TLS with SNI support on each MinIO Enterprise pod. Specify an array of Kubernetes TLS secrets; the MinIO Enterprise Operator copies the certificates to every MinIO Enterprise pod, and when a pod or service answers a TLS connection request it uses SNI to select the certificate whose subjectAlternativeName matches the requested hostname. Each element has a name (the Kubernetes secret containing the TLS certificate) and a type (kubernetes.io/tls). If externalCertSecret is omitted and disableAutoCert is true, the MinIO Enterprise resource deploys without TLS enabled. | | |
| externalCaCertSecret (LocalCertificateReference array) | Optional. Allows MinIO Enterprise server pods to verify client TLS certificates signed by a Certificate Authority that is not in the pod's trust store. Specify an array of Kubernetes TLS secrets; the MinIO Enterprise Operator copies them to every MinIO Enterprise pod. Each element of externalCaCertSecret has a name (the Kubernetes secret containing the Certificate Authority) and a type (kubernetes.io/tls). | | |
| externalClientCertSecrets (LocalCertificateReference array) | Optional. Mounts additional client certificates into MinIO Enterprise pods. Multiple client certificates are mounted as certs/client-0/client.crt and client.key, certs/client-1/client.crt and client.key, certs/client-2/client.crt and client.key, and so on. The MinIO Enterprise Operator copies each certificate to every MinIO Enterprise server pod, where it can later be referenced from environment variables. Each element has a name (the Kubernetes secret containing the TLS certificate) and a type (kubernetes.io/tls). | | |
| disableAutoCert (boolean) | Optional. Whether to disable automatic certificate generation. | | |
CustomCertificateConfig
CustomCertificateConfig provides attributes associated with TLS certificates for enterprise services. These fields contain certificate metadata extracted from the provided TLS secrets.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| certName (string) | Name of the Kubernetes secret containing the certificate. | | Optional: {} |
| domains (string array) | Domain names and IP addresses associated with the certificate (including CN and SANs). | | Optional: {} |
| expiry (string) | Certificate expiry date in RFC3339 format. | | Optional: {} |
| expiresIn (string) | Human-readable time until certificate expiry. | | Optional: {} |
| serialNo (string) | Certificate serial number. | | Optional: {} |
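The following Go program is an added example, not code from the MinIO project, showing how the CustomCertificateConfig fields above can be derived from the tls.crt entry of a kubernetes.io/tls Secret. It builds a throwaway self-signed certificate so that it runs offline, then parses it and fills certName, domains (CN, then DNS SANs, then IP SANs, without duplicates), expiry (RFC3339), expiresIn and serialNo. The secret name, hostnames and IP address are constructed for the example; the page does not state the exact formats the Operator uses for expiresIn and serialNo, so the Go duration string and lowercase hex serial are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CustomCertificateConfig mirrors the status fields documented in the table above.
type CustomCertificateConfig struct {
	CertName  string   `json:"certName"`
	Domains   []string `json:"domains"`
	Expiry    string   `json:"expiry"`
	ExpiresIn string   `json:"expiresIn"`
	SerialNo  string   `json:"serialNo"`
}

// ExtractCertificateConfig parses the first certificate in tlsCrt (the "tls.crt" key of a
// kubernetes.io/tls Secret) and fills the metadata fields. now is injected so that expiresIn
// is deterministic; a caller would pass time.Now().
func ExtractCertificateConfig(secretName string, tlsCrt []byte, now time.Time) (CustomCertificateConfig, error) {
	block, _ := pem.Decode(tlsCrt)
	if block == nil || block.Type != "CERTIFICATE" {
		return CustomCertificateConfig{}, errors.New("tls.crt does not contain a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CustomCertificateConfig{}, err
	}
	// CN first, then DNS SANs and IP SANs, each name listed once.
	seen := map[string]bool{}
	var domains []string
	add := func(d string) {
		if d != "" && !seen[d] {
			seen[d] = true
			domains = append(domains, d)
		}
	}
	add(cert.Subject.CommonName)
	for _, d := range cert.DNSNames {
		add(d)
	}
	for _, ip := range cert.IPAddresses {
		add(ip.String())
	}
	// Assumed format: Go's duration string, or "expired" once NotAfter has passed.
	remaining := cert.NotAfter.Sub(now).Round(time.Second)
	expiresIn := remaining.String()
	if remaining <= 0 {
		expiresIn = "expired"
	}
	return CustomCertificateConfig{
		CertName:  secretName,
		Domains:   domains,
		Expiry:    cert.NotAfter.UTC().Format(time.RFC3339),
		ExpiresIn: expiresIn,
		SerialNo:  cert.SerialNumber.Text(16), // assumed: lowercase hex, no separators
	}, nil
}

// SelfSignedTLSCrt builds a throwaway self-signed leaf certificate (constructed test input);
// against a real cluster you would read tls.crt from the Secret instead.
func SelfSignedTLSCrt(cn string, dns []string, ips []net.IP, notBefore time.Time, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0xabcd1234),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"example"}},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	// Hostnames and IP are placeholders chosen for the example.
	crt, err := SelfSignedTLSCrt("minkms.minio-kms.svc",
		[]string{"minkms-0.minkms-hl.minio-kms.svc.cluster.local"}, []net.IP{net.ParseIP("10.0.0.5")}, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	cfg, err := ExtractCertificateConfig("minkms-tls", crt, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", cfg)
}
```

Because MinIO pods select the certificate to present by SNI, the domains list is the quick check that a certificate supplied through externalCertSecret actually covers the hostnames clients will request; a name missing from that list will not be served for that hostname.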
LocalCertificateReference
LocalCertificateReference (externalCertSecret, externalCaCertSecret, externalClientCertSecrets) is a Kubernetes secret name and secret type reference containing TLS certificates or Certificate Authority files for TLS in the MinIO Enterprise service.
Appears in: Certificates (as externalCertSecret, externalCaCertSecret, externalClientCertSecrets)
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Required. The name of the Kubernetes secret containing the TLS certificate or Certificate Authority file. | | |
| type (string) | Required. The type of Kubernetes secret. Specify kubernetes.io/tls. | | |
MinKMS
MinKMS is a high-performance Key Management System for billions of objects and a key component of the performance-at-scale requirements.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| metadata (ObjectMeta) | Refer to the Kubernetes API documentation for the fields of metadata. | | |
| spec (MinKMSSpec) | Spec denotes the specification of the MinKMS. | | |
MinKMSSpec
MinKMSSpec denotes the specification of the MinKMS
Appears in: MinKMS (as spec)
| Field | Description | Default | Validation |
|---|---|---|---|
| hsmSecret (LocalObjectReference) | Optional. Name of the secret containing the HSM Static Key. | | |
| apiKeySecret (LocalObjectReference) | Name of the secret containing the Key Manager cluster API Key. | | |
| configuration (LocalObjectReference) | Name of the Secret containing the KMS config. | | |
| replicas (integer) | Optional. The number of MinKMS pods to deploy. | 1 | Minimum: 1 |
| image (string) | Optional. The container image to use when deploying MinKMS server pods. Defaults to {kms-image}. | | |
| imagePullSecrets (LocalObjectReference array) | Optional. The secret(s) to use for pulling images from a private container registry. | | |
| imagePullPolicy (PullPolicy) | Optional. The pull policy for the MinKMS image: Always, Never, or IfNotPresent. Refer to the Kubernetes documentation for details: https://kubernetes.io/docs/concepts/containers/images#updating-images | IfNotPresent | Enum: [Always IfNotPresent Never] |
| volumeClaimTemplate (PersistentVolumeClaim) | Required. The configuration the MinIO Enterprise Operator uses when generating Persistent Volume Claims for MinKMS. | | |
| env (EnvVar array) | Optional. If provided, the MinIO Enterprise Operator adds the specified environment variables when deploying MinKMS pods. | | |
| podManagementPolicy (PodManagementPolicyType) | Optional. Pod management policy for the pods created by the StatefulSet. | Parallel | |
| certificates (Certificates) | Optional. Configure TLS certificates for MinKMS. | | |
| service (Service) | Optional. Configure the Service for MinKMS. | | |
| securityContext (PodSecurityContext) | Optional. The security context of MinKMS pods. The Enterprise Operator supports only the following pod security fields: fsGroup, fsGroupChangePolicy, runAsGroup, runAsNonRoot, runAsUser. | | |
| containerSecurityContext (SecurityContext) | The security context of the containers in MinKMS pods. The Enterprise Operator supports only the following container security fields: runAsGroup, runAsNonRoot, runAsUser. | | |
| annotations (object, keys: string, values: string) | Optional. If provided, these annotations are applied to the MinKMS objects' metadata (StatefulSet and Pod template). | | |
| labels (object, keys: string, values: string) | Optional. If provided, these labels are applied to the MinKMS objects' metadata (StatefulSet and Pod template). | | |
| runtimeClassName (string) | Optional. If provided, each pod in the StatefulSet runs with the specified RuntimeClassName. For more information see https://kubernetes.io/docs/concepts/containers/runtime-class/ | | |
| resources (ResourceRequirements) | Optional. CPU and memory resource requests and limits for MinKMS. | | |
| nodeSelector (object, keys: string, values: string) | Optional. The filter the Enterprise Operator applies when selecting the nodes on which to deploy MinKMS pods; only nodes whose labels match the selector are chosen. See the Kubernetes documentation on Assigning Pods to Nodes for more information. | | |
| tolerations (Toleration array) | Optional. One or more Kubernetes tolerations to apply to MinKMS pods. | | |
| affinity (Affinity) | Optional. Node affinity, pod affinity, and pod anti-affinity for the MinKMS pods. | | |
| topologySpreadConstraints (TopologySpreadConstraint array) | Optional. One or more Kubernetes Topology Spread Constraints to apply to MinKMS pods. | | |
| schedulerName (string) | If specified, the pods are dispatched by the named scheduler; otherwise they are dispatched by the default scheduler. | | |
| serviceAccountName (string) | Optional. The Kubernetes Service Account to use for running MinKMS pods. | | |
| priorityClassName (string) | Optional. The Pod priority, and therefore the importance of the Pod relative to other Pods in the cluster. Applied to MinKMS pods only. Refer to the Kubernetes PriorityClass documentation for details. | | |
| sideCars (SideCars) | Optional. Containers to run as sidecars alongside every MinKMS Pod deployed. | | |
| initContainers (Container array) | Optional. Custom initContainers for the MinKMS StatefulSet. | | |
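The following Go program is an added example, not part of the MinIO Operator, that checks a MinKMS manifest against the constraints stated in the Certificates, LocalCertificateReference, Service and MinKMSSpec tables before it is applied: volumeClaimTemplate present, replicas at least 1, imagePullPolicy within the enum, service.name a lowercase DNS label of at most 63 characters, every certificate reference of type kubernetes.io/tls, the disableAutoCert-without-externalCertSecret combination that deploys the KMS without TLS, and security-context fields outside the set the Operator supports. The two manifests are constructed for the example, in JSON rather than YAML so that only the standard library is needed; secret names such as minkms-hsm and minkms-tls are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constraints taken from the MinKMSSpec, Certificates, LocalCertificateReference and Service tables.
var (
	pullPolicies  = map[string]bool{"Always": true, "IfNotPresent": true, "Never": true}
	serviceNameRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	supportedSC   = map[string]map[string]bool{
		"securityContext":          {"fsGroup": true, "fsGroupChangePolicy": true, "runAsGroup": true, "runAsNonRoot": true, "runAsUser": true},
		"containerSecurityContext": {"runAsGroup": true, "runAsNonRoot": true, "runAsUser": true},
	}
)

// certRef mirrors LocalCertificateReference (encoding/json matches name/type case-insensitively).
type certRef = struct{ Name, Type string }

// ValidateMinKMS decodes a MinKMS manifest (JSON form; YAML converts 1:1) and returns one message
// per documented constraint it violates. An empty slice means acceptable; the error is only for undecodable input.
func ValidateMinKMS(manifest []byte) ([]string, error) {
	var obj struct {
		Spec map[string]json.RawMessage `json:"spec"`
	}
	if err := json.Unmarshal(manifest, &obj); err != nil {
		return nil, err
	}
	var problems []string
	fail := func(format string, a ...any) { problems = append(problems, fmt.Sprintf(format, a...)) }
	// get decodes spec.<key> into v; false when the key is absent (schema typing is the API server's job).
	get := func(key string, v any) bool {
		raw, ok := obj.Spec[key]
		return ok && json.Unmarshal(raw, v) == nil
	}

	if _, ok := obj.Spec["volumeClaimTemplate"]; !ok {
		fail("spec.volumeClaimTemplate is required")
	}
	var replicas int
	if get("replicas", &replicas) && replicas < 1 {
		fail("spec.replicas must be >= 1, got %d", replicas)
	}
	var policy string
	if get("imagePullPolicy", &policy) && !pullPolicies[policy] {
		fail("spec.imagePullPolicy %q is not one of Always, IfNotPresent, Never", policy)
	}
	var svc struct{ Name string }
	if get("service", &svc) && svc.Name != "" && (len(svc.Name) > 63 || !serviceNameRE.MatchString(svc.Name)) {
		fail("spec.service.name %q must be a lowercase DNS label of at most 63 characters", svc.Name)
	}

	var certs struct {
		DisableAutoCert bool      `json:"disableAutoCert"`
		External        []certRef `json:"externalCertSecret"`
		CA              []certRef `json:"externalCaCertSecret"`
		Client          []certRef `json:"externalClientCertSecrets"`
	}
	if get("certificates", &certs) {
		lists := map[string][]certRef{"externalCertSecret": certs.External, "externalCaCertSecret": certs.CA, "externalClientCertSecrets": certs.Client}
		for _, field := range []string{"externalCertSecret", "externalCaCertSecret", "externalClientCertSecrets"} {
			for i, r := range lists[field] {
				if r.Name == "" || r.Type != "kubernetes.io/tls" {
					fail("spec.certificates.%s[%d]: name is required and type must be kubernetes.io/tls", field, i)
				}
			}
		}
		// Per the Certificates table: no externalCertSecret plus disableAutoCert=true means no TLS at all.
		if certs.DisableAutoCert && len(certs.External) == 0 {
			fail("spec.certificates: disableAutoCert is true and externalCertSecret is empty, so MinKMS would serve without TLS")
		}
	}

	// The Operator supports only the listed security-context fields; flag anything else so it is not relied on.
	for key, allowed := range supportedSC {
		var fields map[string]any
		if get(key, &fields) {
			for k := range fields {
				if !allowed[k] {
					fail("spec.%s.%s is not a security-context field the Enterprise Operator supports", key, k)
				}
			}
		}
	}
	return problems, nil
}

// Constructed sample manifests (not from the MinIO project). GoodManifest satisfies every check
// above; BadManifest violates eight of them.
const GoodManifest = `{"apiVersion":"minkms.min.io/v1alpha1","kind":"MinKMS","metadata":{"name":"minkms","namespace":"minio-kms"},
 "spec":{"replicas":3,"imagePullPolicy":"IfNotPresent","hsmSecret":{"name":"minkms-hsm"},
  "apiKeySecret":{"name":"minkms-api-key"},"configuration":{"name":"minkms-config"},
  "volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}}}},
  "certificates":{"disableAutoCert":true,"externalCertSecret":[{"name":"minkms-tls","type":"kubernetes.io/tls"}]},
  "service":{"name":"minkms","serviceType":"ClusterIP"},
  "securityContext":{"runAsNonRoot":true,"runAsUser":1000,"fsGroup":1000},"containerSecurityContext":{"runAsNonRoot":true,"runAsUser":1000}}}`

const BadManifest = `{"apiVersion":"minkms.min.io/v1alpha1","kind":"MinKMS","metadata":{"name":"minkms"},
 "spec":{"replicas":0,"imagePullPolicy":"Sometimes","service":{"name":"MinKMS_Service"},
  "certificates":{"disableAutoCert":true,"externalCaCertSecret":[{"name":"corp-ca","type":"Opaque"}]},
  "securityContext":{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},
  "containerSecurityContext":{"runAsUser":1000,"privileged":true}}}`
```

Calling ValidateMinKMS on GoodManifest returns no problems; on BadManifest it returns one message per violated constraint. The two checks worth keeping in a CI gate are the certificate ones: a KMS deployed with disableAutoCert and no externalCertSecret serves without TLS, and a reference whose type is not kubernetes.io/tls will not be mounted as the tables describe.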
MinKMSState
Underlying type: string
MinKMSState is the string type that represents the state of the MinKMS resource
Appears in:
| Value | Description |
|---|---|
| Initialized | MinKMSStatusInitialized |
| Provisioning MinKMS Cluster IP Service | MinKMSStatusProvisioningCIService |
| Provisioning MinKMS Headless Service | MinKMSStatusProvisioningHLService |
| Provisioning MinKMS Statefulset | MinKMSStatusProvisioningStatefulSet |
| No HSM found | MinKMSStatusHSMMissing: no HSM was found |
| HSM Secret Not Found | MinKMSStatusHSMSecretNotFound: an HSM secret was specified but not found |
| Creating MinKMS Config secret | MinKMSStatusCreatingConfigSecret |
| Creating MinKMS certs | MinKMSStatusCreatingCerts: the certificates are being created |
| Waiting OCP MinKMS certs | MinKMSStatusWaitingCerts: waiting for the certificates |
| Auto Scaling MinKMS nodes | MinKMSStatusAutoScalingNodes: nodes are being auto-scaled |
Service
Service (service) defines the name, type, external traffic policy, node port, labels and annotations of the MinIO Enterprise service.
Appears in: MinKMSSpec (as service)
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name of the service. | | MaxLength: 63; Optional: {}; Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ |
| serviceType (ServiceType) | Optional. The type of Service used to expose the MinIO service. If set, the Service is exposed using the specified type; if omitted, the default type ClusterIP is used. | ClusterIP | |
| serviceExternalTrafficPolicy (ServiceExternalTrafficPolicy) | Optional. The external traffic policy of the Service exposing the MinIO service. If set, the specified policy is used; if omitted, the default policy Cluster is used. | Cluster | |
| nodePort (integer) | Optional. The port to use when the MinIO service is exposed as a NodePort. If set, the Service is exposed on the specified port; if omitted, Kubernetes assigns a port. | | |
| labels (object, keys: string, values: string) | Optional. If provided, append these labels to the MinIO Enterprise service. | | |
| annotations (object, keys: string, values: string) | Optional. If provided, append these annotations to the MinIO Enterprise service. | | |
SideCars
SideCars (sidecars) defines a list of containers that the Enterprise Operator attaches to each MinIO Enterprise server pod.
Appears in: MinKMSSpec (as sideCars)
| Field | Description | Default | Validation |
|---|---|---|---|
| containers (Container array) | Optional. List of containers to run inside the Pod. | | |
| volumeClaimTemplates (PersistentVolumeClaim array) | Optional. A list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volume in the template with the same name. | | |
| volumes (Volume array) | Optional. List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes | | |
| resources (ResourceRequirements) | Optional. Resource requirements for the sidecar containers; init containers also use these if set. | | |