
Remove tls configuration from minio chart for now

Waqar Ahmed 4 years ago
parent
commit
440ed29531

+ 0 - 42
test/minio/8.0.5/README.md

@@ -52,44 +52,6 @@ By default a pre-generated access and secret key will be used. To override the d
 $ helm install --set accessKey=myaccesskey,secretKey=mysecretkey --generate-name minio/minio
 ```
 
-### Updating MinIO configuration via Helm
-
-[ConfigMap](https://kubernetes.io/docs/user-guide/configmap/) allows injecting containers with configuration data even while a Helm release is deployed.
-
-To update your MinIO server configuration while it is deployed in a release, you need to
-
-1. Check all the configurable values in the MinIO chart using `helm inspect values minio/minio`.
-2. Override the `minio_server_config` settings in a YAML formatted file, and then pass that file like this `helm upgrade -f config.yaml minio/minio`.
-3. Restart the MinIO server(s) for the changes to take effect.
-
-You can also check the history of upgrades to a release using `helm history my-release`. Replace `my-release` with the actual release name.
-
-### Installing certificates from third party CAs
-
-MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include Minio's own certificate with key `public.crt`, if it also needs to be trusted.
-
-For instance, given that TLS is enabled and you need to add trust for Minio's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:
-
-```
-kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
-```
-
-If TLS is not enabled, you would need only the third party CA:
-
-```
-kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
-```
-
-The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:
-
-```
-trustedCertsSecret: "minio-trusted-certs"
-
-or
-
---set trustedCertsSecret=minio-trusted-certs
-```
-
 Uninstalling the Chart
 ----------------------
 
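Review bot: the first removed section, `### Updating MinIO configuration via Helm`, covers ConfigMap-driven configuration updates and says nothing about TLS, so removing it falls outside what the commit message describes. Keep that section, or remove it in a separate commit with its own reason, and limit this hunk to `### Installing certificates from third party CAs`.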
@@ -134,11 +96,9 @@ The following table lists the configurable parameters of the MinIO chart and the
 | `image.repository`                               | Image repository                                                                                                                        | `minio/minio`                    |
 | `image.tag`                                      | MinIO image tag. Possible values listed [here](https://hub.docker.com/r/minio/minio/tags/).                                             | `RELEASE.2020-11-06T23-17-07Z`   |
 | `image.pullPolicy`                               | Image pull policy                                                                                                                       | `IfNotPresent`                   |
-| `trustedCertsSecret`                             | Kubernetes secret with trusted certificates to be mounted on `{{ .Values.certsPath }}/CAs`                                              | `""`                             |
 | `extraArgs`                                      | Additional command line arguments to pass to the MinIO server                                                                           | `[]`                             |
 | `accessKey`                                      | Default access key (5 to 20 characters)                                                                                                 | random 20 chars                  |
 | `secretKey`                                      | Default secret key (8 to 40 characters)                                                                                                 | random 40 chars                  |
-| `certsPath`                                      | Default certs path location                                                                                                             | `/etc/minio/certs`               |
 | `mountPath`                                      | Default mount location for persistent drive                                                                                             | `/export`                        |
 | `bucketRoot`                                     | Directory from where minio should serve buckets.                                                                                        | Value of `.mountPath`            |
 | `persistence.enabled`                            | Use persistent volume to store data                                                                                                     | `true`                           |
@@ -147,8 +107,6 @@ The following table lists the configurable parameters of the MinIO chart and the
 | `persistence.storageClass`                       | Storage class name of PVC                                                                                                               | `nil`                            |
 | `persistence.accessMode`                         | ReadWriteOnce or ReadOnly                                                                                                               | `ReadWriteOnce`                  |
 | `persistence.subPath`                            | Mount a sub directory of the persistent volume if set                                                                                   | `""`                             |
-| `tls.enabled`                                    | Enable TLS for MinIO server                                                                                                             | `false`                          |
-| `tls.certSecret`                                 | Kubernetes Secret with `public.crt` and `private.key` files.                                                                            | `""`                             |
 | `environment`                                    | Set MinIO server relevant environment variables in `values.yaml` file. MinIO containers will be passed these variables when they start. | `MINIO_STORAGE_CLASS_STANDARD: EC:4"` |
 
 Some of the parameters above map to the env variables defined in the [MinIO DockerHub image](https://hub.docker.com/r/minio/minio/).

+ 0 - 43
test/minio/8.0.5/templates/_helpers.tpl

@@ -82,46 +82,3 @@ Properly format optional additional arguments to Minio binary
 {{ " " }}{{ . }}
 {{- end -}}
 {{- end -}}
-
-{{/*
-Formats volumeMount for Minio tls keys and trusted certs
-*/}}
-{{- define "minio.tlsKeysVolumeMount" -}}
-{{- if .Values.tls.enabled }}
-- name: cert-secret-volume
-  mountPath: {{ .Values.certsPath }}
-{{- end }}
-{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
-{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
-- name: trusted-cert-secret-volume
-  mountPath: {{ $casPath }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Formats volume for Minio tls keys and trusted certs
-*/}}
-{{- define "minio.tlsKeysVolume" -}}
-{{- if .Values.tls.enabled }}
-- name: cert-secret-volume
-  secret:
-    secretName: {{ .Values.tls.certSecret }}
-    items:
-    - key: {{ .Values.tls.publicCrt }}
-      path: public.crt
-    - key: {{ .Values.tls.privateKey }}
-      path: private.key
-{{- end }}
-{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
-{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
-{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
-- name: trusted-cert-secret-volume
-  secret:
-    secretName: {{ $certSecret }}
-    {{- if ne $publicCrt "" }}
-    items:
-    - key: {{ $publicCrt }}
-      path: public.crt
-    {{- end }}
-{{- end }}
-{{- end -}}
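Review bot: `minio.tlsKeysVolumeMount` and `minio.tlsKeysVolume` are deleted here, but the only `include` calls removed in this commit are the two in deployment.yaml. values.yaml still mentions distributed mode, so if another template in this chart (a statefulset, for example) includes either helper, rendering will fail on the missing definition. Please run `helm template` for each mode the chart supports, or remove any remaining includes in this same commit.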

+ 2 - 12
test/minio/8.0.5/templates/deployment.yaml

@@ -1,7 +1,4 @@
 {{ $scheme := "http" }}
-{{- if .Values.tls.enabled }}
-{{ $scheme = "https" }}
-{{ end }}
 {{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
 apiVersion: {{ template "minio.deployment.apiVersion" . }}
 kind: Deployment
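Review bot: with the `if .Values.tls.enabled` branch gone, `{{ $scheme := "http" }}` on the first line is a constant, so the port name it feeds later in this file (`- name: {{ $scheme }}`) is always `http` and the chart can only serve plaintext, including the traffic that carries `accessKey` and `secretKey`. Since the commit message says "for now", leave a template comment next to `$scheme` stating that TLS was removed temporarily, so the variable is not later cleaned up as dead code, and note in the README that the service is HTTP-only. The same applies to the identical change in service.yaml.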
@@ -14,12 +11,7 @@ metadata:
     heritage: {{ .Release.Service }}
 spec:
   strategy:
-    type: {{ .Values.DeploymentUpdate.type }}
-    {{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }}
-    rollingUpdate:
-      maxSurge: {{ .Values.DeploymentUpdate.maxSurge }}
-      maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }}
-    {{- end}}
+    type: {{ .Values.updateStrategy }}
   selector:
     matchLabels:
       app: {{ template "minio.name" . }}
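Review bot: the `strategy` block no longer emits `rollingUpdate.maxSurge` and `rollingUpdate.maxUnavailable`, which values.yaml previously set to `100%` and `0`. With only `type: {{ .Values.updateStrategy }}`, a RollingUpdate falls back to the Kubernetes Deployment defaults of 25% for both, so a pod can now be taken down before its replacement is ready. This change is also unrelated to TLS, and any existing override under `DeploymentUpdate` is silently ignored after the rename. Either keep the two `rollingUpdate` fields under the new key or move the rename to its own commit with the behaviour change stated.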
@@ -42,7 +34,7 @@ spec:
           command:
             - "/bin/sh"
             - "-ce"
-            - "/usr/bin/docker-entrypoint.sh minio -S {{ .Values.certsPath }} server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
+            - "/usr/bin/docker-entrypoint.sh minio -S server {{ $bucketRoot }} {{- template "minio.extraArgs" . }}"
           volumeMounts:
             {{- if .Values.persistence.enabled }}
             - name: export
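Review bot: the new command line keeps the `-S` flag but drops its value: `minio -S server {{ $bucketRoot }}`. In the old line `-S` took `{{ .Values.certsPath }}` as its argument, so it will now consume `server` as the certs directory and the `server` subcommand is lost, which leaves the container started with the bucket root as its command. Remove `-S` together with the argument so the line reads `minio server {{ $bucketRoot }}`.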
@@ -51,7 +43,6 @@ spec:
               subPath: "{{ .Values.persistence.subPath }}"
               {{- end }}
             {{- end }}
-            {{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
           ports:
             - name: {{ $scheme }}
               containerPort: 9000
@@ -81,4 +72,3 @@ spec:
         - name: minio-user
           secret:
             secretName: {{ template "minio.secretName" . }}
-        {{- include "minio.tlsKeysVolume" . | indent 8 }}

+ 0 - 3
test/minio/8.0.5/templates/service.yaml

@@ -1,7 +1,4 @@
 {{ $scheme := "http" }}
-{{- if .Values.tls.enabled }}
-{{ $scheme = "https" }}
-{{ end }}
 apiVersion: v1
 kind: Service
 metadata:

+ 1 - 32
test/minio/8.0.5/values.yaml

@@ -5,14 +5,6 @@ image:
   tag: RELEASE.2020-11-19T23-48-16Z
   pullPolicy: IfNotPresent
 
-## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
-## client used to create a default bucket).
-##
-mcImage:
-  repository: minio/mc
-  tag: RELEASE.2020-11-17T00-39-14Z
-  pullPolicy: IfNotPresent
-
 ## Set default image, imageTag, and imagePullPolicy for the `jq` (the JSON
 ## process used to create secret for prometheus ServiceMonitor).
 ##
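Review bot: removing `mcImage` is not part of the TLS removal the commit message describes, and the deleted comment says this image is the client used to create a default bucket. No template that reads `.Values.mcImage` is touched in this commit, so if one exists it will render with missing values. Either remove that template in the same commit or keep this block, and mention the removal in the commit message.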
@@ -24,15 +16,7 @@ helmKubectlJqImage:
 ## Additional arguments to pass to minio binary
 extraArgs: []
 
-## Update strategy for Deployments
-DeploymentUpdate:
-  type: RollingUpdate
-  maxUnavailable: 0
-  maxSurge: 100%
-
-## Update strategy for StatefulSets
-StatefulSetUpdate:
-  updateStrategy: RollingUpdate
+updateStrategy: RollingUpdate
 
 ## Set default accesskey, secretkey, Minio config file path, volume mount path and
 ## number of nodes (only used for Minio distributed mode)
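Review bot: the new `updateStrategy: RollingUpdate` key has no `##` comment, unlike the keys around it, and the README changes in this commit add no lines (`+ 0`), so the parameter is undocumented. Add a comment line saying it sets the Deployment strategy type, and a matching row in the README parameter table. The key also replaces `StatefulSetUpdate.updateStrategy`, so say whether it is meant to apply to StatefulSets as well.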
@@ -41,7 +25,6 @@ StatefulSetUpdate:
 ##
 accessKey: ""
 secretKey: ""
-certsPath: "/etc/minio/certs/"
 mountPath: "/export"
 
 ## Override the root directory which the minio server should serve from.
@@ -49,20 +32,6 @@ mountPath: "/export"
 ## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
 bucketRoot: ""
 
-## TLS Settings for Minio
-tls:
-  enabled: false
-  ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
-  certSecret: ""
-  publicCrt: public.crt
-  privateKey: private.key
-
-## Trusted Certificates Settings for Minio. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas
-## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
-## When using self-signed certificates, remember to include Minio's own certificate in the bundle with key public.crt.
-## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
-trustedCertsSecret: ""
-
 ## Enable persistence using Persistent Volume Claims
 ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
 ##