
12 MinIO tenant deployment configuration

In this section, we explain the configuration file of the MinIO tenant deployment section by section.

12.1 Tenant root credential configuration

The file below contains three secrets:

  1. Environment variable override
## Fix for overriding environment variables
## See https://github.com/minio/operator/issues/790#issuecomment-917476406
apiVersion: v1
data:
  config.env: changeMe
kind: Secret
metadata:
  name: override-configuration
type: Opaque
---
## Secret to be used as MinIO Root Credentials
apiVersion: v1
kind: Secret
metadata:
  name: minio-creds-secret
type: Opaque
data:
  ## Access Key for MinIO Tenant, base64 encoded (echo -n 'minio' | base64)
  accesskey: changeMe
  ## Secret Key for MinIO Tenant, base64 encoded (echo -n '95mWXbS5sGJRjhEEU7fJvb8aXjJDZv5xnxRRwRL6' | base64)
  secretkey: changeMe
---
## Secret to be used for MinIO Console
apiVersion: v1
kind: Secret
metadata:
  name: console-secret
type: Opaque
data:
  ## Passphrase to encrypt jwt payload, base64 encoded (echo -n 'cL3zpqAv' | base64)
  CONSOLE_PBKDF_PASSPHRASE: changeMe
  ## Salt to encrypt jwt payload, base64 encoded (echo -n '5wDfRn3D' | base64)
  CONSOLE_PBKDF_SALT: changeMe
  ## MinIO User Access Key (used for Console Login), base64 encoded (echo -n 'console' | base64)
  CONSOLE_ACCESS_KEY: changeMe
  ## MinIO User Secret Key (used for Console Login), base64 encoded (echo -n 'ZqYGLa3Fjcj4xWNGLUx3xeYmtFbsCDcD7c7Ls7qJ' | base64)
  CONSOLE_SECRET_KEY: changeMe
---
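The three secrets above only work if every data value is base64 of the exact credential, with no trailing newline, and if no changeMe placeholder is left in place. The script below is an added example (not part of the original tenant manifests or of the MinIO project) that renders the same three secrets from freshly generated credentials, checks a value for the echo-without-n mistake, and lints a manifest for placeholders before it is applied. It assumes that config.env holds shell-style export lines for the root credentials; that format is not stated on this page.

```shell
#!/bin/sh
# Added example, not taken from the page or from the MinIO project: render the
# three tenant secrets with correctly base64-encoded values, and lint a manifest
# so that a placeholder such as changeMe is never applied to the cluster.
set -eu

# Base64 without the trailing newline a bare `echo` would append. The page's
# comments use `echo -n '...' | base64`; printf '%s' is the portable equivalent.
b64enc() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Exit 0 when a base64 value decodes to something ending in "\n", which is what
# happens when a credential was piped through `echo` instead of `echo -n`.
b64_has_trailing_newline() {
  last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -c | tr -d ' ')
  [ "$last" = '\n' ]
}

# Random alphanumeric credential of the requested length, drawn from /dev/urandom.
gen_key() {
  head -c 96 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c "$1"
}

render_root_secret() {  # access key, secret key
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: minio-creds-secret
type: Opaque
data:
  accesskey: $(b64enc "$1")
  secretkey: $(b64enc "$2")
EOF
}

render_override_secret() {  # access key, secret key
  # Assumption, not stated on the page: config.env carries shell-style export
  # lines for the root credentials.
  envfile=$(printf 'export MINIO_ROOT_USER="%s"\nexport MINIO_ROOT_PASSWORD="%s"\n' "$1" "$2")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: override-configuration
type: Opaque
data:
  config.env: $(b64enc "$envfile")
EOF
}

render_console_secret() {  # passphrase, salt, access key, secret key
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: console-secret
type: Opaque
data:
  CONSOLE_PBKDF_PASSPHRASE: $(b64enc "$1")
  CONSOLE_PBKDF_SALT: $(b64enc "$2")
  CONSOLE_ACCESS_KEY: $(b64enc "$3")
  CONSOLE_SECRET_KEY: $(b64enc "$4")
EOF
}

# Reads a manifest on stdin; fails (exit 1) if any data value is still changeMe.
lint_secret() {
  if grep -Eq '^[[:space:]]+[A-Za-z0-9_.]+:[[:space:]]*changeMe[[:space:]]*$'; then
    echo "lint: placeholder value left in manifest" >&2
    return 1
  fi
}

# Stand-alone run: fresh credentials, all three manifests, linted before output.
root_secret=$(gen_key 40)
manifests=$(
  render_override_secret minio "$root_secret"; echo '---'
  render_root_secret minio "$root_secret"; echo '---'
  render_console_secret "$(gen_key 8)" "$(gen_key 8)" console "$(gen_key 40)"
)
printf '%s\n' "$manifests" | lint_secret
printf '%s\n' "$manifests"
```

Pipe the output into kubectl apply -f - from a shell without history, or write it to a file with restrictive permissions; the rendered values are real credentials, not placeholders.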

12.2 Tenant general configuration

  • Namespace: The Kubernetes Namespace in which to deploy the tenant. The Operator supports at most one MinIO Tenant per namespace.

  • Storage Class: Specify the Kubernetes Storage Class the MinIO Operator uses when generating Persistent Volume Claims for the Tenant. The default value is directpv-min-io if you used DirectPV to format the disks and create the storage class.

  • Number of Servers: The total number of MinIO server pods to deploy in the Tenant. The Operator by default uses pod anti-affinity, such that the Kubernetes cluster must have at least one worker node per MinIO server pod. Use the Pod Placement pane to modify the pod scheduling settings for the Tenant.

  • Number of Drives per Server: The number of storage volumes (Persistent Volume Claims) the Operator requests per Server. The Operator generates an equal number of PVCs plus two for supporting Tenant services (Metrics and Log Search). The specified Storage Class must correspond to a set of Persistent Volumes sufficient in number to match each generated PVC.

  • Total Size: The total raw storage size for the Tenant. Specify both the total storage size and the Unit of that storage. All storage units are in SI values, e.g. bytes.

  • Memory per Node [Gi]: Specify the total amount of memory (RAM) to allocate per MinIO server pod. See Memory guidance on setting this value. The Kubernetes cluster must have worker nodes with sufficient free RAM to match the pod request.

Erasure Code Parity

The Erasure Code Parity to set for the deployment.

The Operator displays the selected parity and its effect on the deployment under the Erasure Code Configuration section. Erasure Code parity defines the overall resiliency and availability of data on the cluster. Higher parity values increase tolerance to drive or node failure at the cost of total storage. See Erasure Coding for more complete documentation.
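The sizing rules above (one worker node per server pod, drives = servers × volumes per server, PVCs = drives + 2, and storage lost to parity) are easy to get wrong by hand. The following script is an added example, not from the page or from MinIO, that derives these numbers from a pool spec and refuses a plan that breaks them. It assumes that all drives of the pool form a single erasure set, which holds for the small pools shown here, and uses parity EC:1 and 2 worker nodes for the page's pool as assumed values.

```shell
#!/bin/sh
# Added example (not part of the page's tenant-values.yaml or of MinIO):
# derive PVC count, raw and usable capacity from a pool spec and check it
# against the scheduling and parity rules the section describes.
set -eu

drive_count() { echo $(( $1 * $2 )); }                      # servers * volumesPerServer
pvc_count()   { echo $(( $(drive_count "$1" "$2") + 2 )); } # +2 for Metrics and Log Search
raw_gib()     { echo $(( $(drive_count "$1" "$2") * $3 )); }

# Usable capacity for parity EC:M. Assumption: the pool's drives form one
# erasure set, so usable = raw * (drives - M) / drives.
usable_gib() {
  d=$(drive_count "$1" "$2")
  echo $(( $(raw_gib "$1" "$2" "$3") * (d - $4) / d ))
}

# Exit status 0 when the plan is consistent; reasons go to stderr otherwise.
check_pool() {  # servers volumesPerServer size_gib parity worker_nodes
  s=$1 v=$2 p=$4 nodes=$5 ok=0
  d=$(drive_count "$s" "$v")
  # Default pod anti-affinity: one worker node per MinIO server pod.
  [ "$nodes" -ge "$s" ] || { echo "need $s worker nodes for $s servers, have $nodes" >&2; ok=1; }
  # Parity may not exceed half the drives in the erasure set.
  [ "$p" -ge 0 ] && [ "$p" -le $(( d / 2 )) ] \
    || { echo "parity EC:$p not in 0..$(( d / 2 )) for $d drives" >&2; ok=1; }
  # EC:0 tolerates no drive loss; warn rather than silently accept it.
  [ "$p" -gt 0 ] || echo "warning: EC:0 tolerates no drive failure" >&2
  return $ok
}

describe_pool() {  # same arguments as check_pool
  d=$(drive_count "$1" "$2")
  printf 'drives=%s pvcs=%s raw=%sGi usable=%sGi tolerates=%s drive failures\n' \
    "$d" "$(pvc_count "$1" "$2")" "$(raw_gib "$1" "$2" "$3")" \
    "$(usable_gib "$1" "$2" "$3" "$4")" "$4"
}

# The page's pool: 2 servers, 1 x 512Gi volume each. EC:1 and 2 nodes are assumed.
describe_pool 2 1 512 1 2
check_pool 2 1 512 1 2
```

Run it with the values you intend to put in tenant-values.yaml before creating the tenant; a non-zero exit means the pool either cannot be scheduled or cannot be initialised with that parity.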

## Set the Tenant name
tenant:
  name: minionyxia

## Set the object storage pool specifications and tolerations
  pools:
      ## Number of MinIO object storage servers, same as the number of storage nodes
    - servers: 2
      ## custom name for the pool
      name: casd-minio-pool-0
      ## volumesPerServer specifies the number of volumes attached per MinIO Tenant Pod / Server.
      ## Must match the number of drives per node
      volumesPerServer: 1
      ## size specifies the capacity per volume
      size: 512Gi
      ## storageClass specifies the storage class name to be used for this pool
      storageClassName: directpv-min-io
      ## Tolerations to allow scheduling on storage nodes
      tolerations:
        - key: "storage-node"
          operator: "Equal"
          value: "true"
          effect: "NoSchedule"
      ## Run pods specifically on storage nodes
      nodeSelector:
        storage-node: "true"

## Environment variables for Onyxia's Keycloak integration
  env:
     # keycloak url
    - name: MINIO_IDENTITY_OPENID_CONFIG_URL
      value: "https://auth.casd.local/auth/realms/casd-onyxia/.well-known/openid-configuration"
      # keycloak minio client id
    - name: MINIO_IDENTITY_OPENID_CLIENT_ID
      value: "minio"
    ## Actually not used but cannot be removed for some reason
    - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
      value: "wjYxvjZLaVF9NZLNnxCLD9B6JpPAl1Vx"
    - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
      value: "policy"
    - name: MINIO_IDENTITY_OPENID_REDIRECT_URI
      value: "https://minio-console.casd.local/oauth_callback"
    - name: MINIO_IDENTITY_OPENID_SCOPES
      value: "openid, profile, email, roles"

## Ingress configuration to expose the API and console services
ingress:
  api:
    enabled: true
    ingressClassName: "nginx"
    annotations:
      # The following annotation is required to let MinIO communicate with the NGINX Ingress controller
      # when using external certificates. See Knowledge base: 8dc2998d-5699-4be6-bed0-b2384a87fe9e
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    tls:
      - hosts:
          - minio.casd.local
    host: minio.casd.local
    path: /
    pathType: Prefix
  console:
    enabled: true
    ingressClassName: "nginx"
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/proxy-body-size: "0"
    tls:
      - hosts:
          - minio-console.casd.local
    host: minio-console.casd.local
    path: /
    pathType: Prefix

SSL configuration

In the context of the Datalab cluster, it is required to:

  • let MinIO trust the domains established by the wildcard domain *.casd.local;
  • provide the associated Certificate Authority (CA).

The secrets were created in the MinIO Operator steps.

Those secrets then need to be indicated to the MinIO tenant. This is done in the following fields of the tenant-values.yaml file:

## Set the certificate configuration
tenant:
  certificate:
    externalCaCertSecret:
      - name: ca-cert
    externalCertSecret:
      - name: minio-tls
        type: kubernetes.io/tls

The above certificate config does not pass the test. We don't know why. For now we use a workaround to configure the certificate.
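Before pointing the tenant at the ca-cert and minio-tls secrets, it is worth confirming offline that the material in them is consistent: the certificate must be issued by the CA you hand to MinIO, its SAN must cover the hostnames in the ingress section, and the private key must belong to it. The script below is an added example, not from the page or from MinIO, that performs these checks with openssl. It assumes the kubernetes.io/tls layout (tls.crt and tls.key) and builds a throwaway CA and wildcard certificate only to demonstrate the checks; substitute the files extracted from your own secrets.

```shell
#!/bin/sh
# Added example, not from the page or from MinIO: offline checks on the
# certificate material destined for the ca-cert and minio-tls secrets. It
# assumes the kubernetes.io/tls layout (tls.crt / tls.key) and that ca-cert holds
# the CA that issued the wildcard certificate for *.casd.local.
set -eu

# Chain check plus one hostname check per MinIO endpoint; exit 0 only if all pass.
check_tls_material() {  # ca.crt tls.crt hostname...
  ca=$1; crt=$2; shift 2
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "chain: $crt is not issued by the CA in $ca" >&2; return 1; }
  for h in "$@"; do
    openssl verify -CAfile "$ca" -verify_hostname "$h" "$crt" >/dev/null 2>&1 \
      || { echo "SAN: $crt does not cover $h" >&2; return 1; }
  done
}

# The private key must belong to the certificate, otherwise the tenant pods
# cannot start TLS; compare the public keys derived from each file.
key_matches_cert() {  # tls.crt tls.key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed demo material (not the Datalab's real CA): a throwaway CA and a
# wildcard leaf for *.casd.local, written into the directory given as $1.
make_demo_certs() {
  dir=$1
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-ca" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=*.casd.local" -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.casd.local\n' > "$dir/san.cnf"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/tls.crt" 2>/dev/null
}

# Stand-alone run against the demo material.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_demo_certs "$work"
  check_tls_material "$work/ca.crt" "$work/tls.crt" minio.casd.local minio-console.casd.local \
    && key_matches_cert "$work/tls.crt" "$work/tls.key" \
    && echo "certificate material OK for minio.casd.local and minio-console.casd.local"
  rm -rf "$work"
fi
```

To check real material, extract the files with kubectl get secret minio-tls -o jsonpath='{.data.tls\.crt}' | base64 -d (and likewise for tls.key and the CA secret) and call check_tls_material and key_matches_cert on them; a hostname or chain failure here is a much cheaper diagnosis than a tenant that refuses TLS connections.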