image: repository: quay.io/minio/minio tag: RELEASE.2023-07-07T07-13-57Z pullPolicy: IfNotPresent ## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio ## client used to create a default bucket). ## mcImage: repository: quay.io/minio/mc tag: RELEASE.2023-06-28T21-54-17Z pullPolicy: IfNotPresent ## minio mode, i.e. standalone or distributed mode: standalone ## other supported values are "standalone" ## Update strategy for Deployments deploymentUpdate: type: RollingUpdate maxUnavailable: 0 maxSurge: 100% ## Update strategy for StatefulSets statefulSetUpdate: updateStrategy: RollingUpdate ## | Chart var | .data. in Secret | ## |:----------------------|:-------------------------| ## | rootUser | rootUser | ## | rootPassword | rootPassword | ## ## All mentioned variables will be ignored in values file. ## .data.rootUser and .data.rootPassword are mandatory, ## others depend on enabled status of corresponding sections. existingSecret: "minio-root" ## Path where PV would be mounted on the MinIO Pod mountPath: "/export" # Number of drives attached to a node drivesPerNode: 1 # Number of MinIO containers running replicas: 1 # Number of expanded MinIO clusters pools: 1 ## TLS Settings for MinIO tls: enabled: false ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## persistence: enabled: true storageClass: "ssd" accessMode: ReadWriteOnce size: 200Gi ingress: enabled: true ingressClassName: ~ annotations: cert-manager.io/cluster-issuer: vault-issuer path: / hosts: - s3.dc tls: - secretName: minio-s3-tls hosts: - s3.dc consoleIngress: enabled: true ingressClassName: ~ annotations: cert-manager.io/cluster-issuer: vault-issuer path: / hosts: - minio-console.dc tls: - secretName: minio-console-tls hosts: - minio-console.dc securityContext: enabled: true runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: requests: memory: 200Mi ## List of policies to be created after minio install ## ## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics] ## you can define additional policies with custom supported actions and resources policies: [] ## writeexamplepolicy policy grants creation or deletion of buckets with name ## starting with example. In addition, grants objects write permissions on buckets starting with ## example. # - name: writeexamplepolicy # statements: # - resources: # - 'arn:aws:s3:::example*/*' # actions: # - "s3:AbortMultipartUpload" # - "s3:GetObject" # - "s3:DeleteObject" # - "s3:PutObject" # - "s3:ListMultipartUploadParts" # - resources: # - 'arn:aws:s3:::example*' # actions: # - "s3:CreateBucket" # - "s3:DeleteBucket" # - "s3:GetBucketLocation" # - "s3:ListBucket" # - "s3:ListBucketMultipartUploads" ## readonlyexamplepolicy policy grants access to buckets with name starting with example. ## In addition, grants objects read permissions on buckets starting with example. # - name: readonlyexamplepolicy # statements: # - resources: # - 'arn:aws:s3:::example*/*' # actions: # - "s3:GetObject" # - resources: # - 'arn:aws:s3:::example*' # actions: # - "s3:GetBucketLocation" # - "s3:ListBucket" # - "s3:ListBucketMultipartUploads" ## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only # - name: conditionsexample # statements: # - resources: # - 'arn:aws:s3:::example/*' # actions: # - 's3:*' # conditions: # - StringEquals: '"aws:username": "johndoe"' # - IpAddress: | # "aws:SourceIp": [ # "10.0.0.0/8", # "192.168.0.0/24" # ] # ## Additional Annotations for the Kubernetes Job makePolicyJob makePolicyJob: securityContext: enabled: true runAsUser: 1000 runAsGroup: 1000 resources: requests: memory: 128Mi # Command to run after the main command on exit exitCommand: "" ## List of users to be created after minio install ## users: [] ## Username, password and policy to be assigned to the user ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management ## NOTE: this will fail if LDAP is enabled in your MinIO deployment ## make sure to disable this if you are using LDAP. # - accessKey: console # secretKey: console123 # policy: consoleAdmin # Or you can refer to specific secret #- accessKey: externalSecret # existingSecret: my-secret # existingSecretKey: password # policy: readonly ## Additional Annotations for the Kubernetes Job makeUserJob makeUserJob: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 resources: requests: memory: 128Mi # Command to run after the main command on exit exitCommand: "" ## List of service accounts to be created after minio install ## svcaccts: [] ## accessKey, secretKey and parent user to be assigned to the service accounts ## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts # - accessKey: console-svcacct # secretKey: console123 # user: console ## Or you can refer to specific secret # - accessKey: externalSecret # existingSecret: my-secret # existingSecretKey: password # user: console ## You also can pass custom policy # - accessKey: console-svcacct # secretKey: console123 # user: console # policy: # statements: # - resources: # - 'arn:aws:s3:::example*/*' # actions: # - "s3:AbortMultipartUpload" # - "s3:GetObject" # - "s3:DeleteObject" # - "s3:PutObject" # - "s3:ListMultipartUploadParts" makeServiceAccountJob: securityContext: enabled: true runAsUser: 1000 runAsGroup: 1000 resources: requests: memory: 128Mi # Command to run after the main command on exit exitCommand: "" ## List of buckets to be created after minio install ## buckets: [] # # Name of the bucket # - name: bucket1 # # Policy to be set on the # # bucket [none|download|upload|public] # policy: none # # Purge if bucket exists already # purge: false # # set versioning for # # bucket [true|false] # versioning: false # # set objectlocking for # # bucket [true|false] NOTE: versioning is enabled by default if you use locking # objectlocking: false # - name: bucket2 # policy: none # purge: false # versioning: true # # set objectlocking for # # bucket [true|false] NOTE: versioning is enabled by default if you use locking # objectlocking: false ## Additional Annotations for the Kubernetes Job makeBucketJob makeBucketJob: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 resources: requests: memory: 128Mi # Command to run after the main command on exit exitCommand: "" ## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s) ## when Chart is deployed environment: ## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html ## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io" ## MINIO_BROWSER: "off" ## The name of a secret in the same kubernetes namespace which contain secret values ## This can be useful for LDAP password, etc ## The key in the secret must be 'config.env' ## extraSecret: ~ podDisruptionBudget: enabled: false metrics: serviceMonitor: enabled: false