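1. Overview

1.2. Dependencies

The MinIO deployment in this document depends on a StorageClass and LDAP; both must be ready before MinIO is deployed.

MinIO uses the following images. For an offline deployment, import them to a location that Kubernetes can pull from.

```
quay.io/minio/minio:RELEASE.2022-08-22T23-53-06Z
quay.io/minio/mc:RELEASE.2022-08-23T05-45-20Z
```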

2. Deployment preparation

2.1. Create the persistent volume claim

Import the following configuration into Kubernetes to create the persistent volume claim.

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvc-minio
  namespace: core-app
  labels:
    app: minio
spec:
  storageClassName: 'sc-nfs-share'
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 100Gi
```

2.2. Import the configuration

The MinIO deployment needs some custom configuration; import it into Kubernetes as follows.

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: minio
  name: conf-minio
  namespace: core-app
data:
  MINIO_ROOT_USER: 'minio'
  # Only members of the LDAP admin group can authenticate
  MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: '(&(uid=%s)(memberOf=cn=admin,ou=groups,dc=cluster,dc=local))'
  MINIO_IDENTITY_LDAP_GROUP_SEARCH_FILTER: '(&(objectClass=groupOfNames)(member=%d))'
  auto.sh: |
    #!/usr/bin/env bash
    # Give the MinIO server container time to start
    sleep 10
    mc config host add minio http://127.0.0.1:9000 "${MINIO_ROOT_USER}" "${MINIO_ROOT_PASSWORD}" --api S3v4
    # Attach the consoleAdmin policy to the LDAP admin group
    mc admin policy set minio consoleAdmin group=cn=admin,ou=groups,dc=cluster,dc=local
    # Stay alive until the preStop hook creates /exit.hook
    while true; do
      if [ -f "/exit.hook" ]; then
        break
      fi
      sleep 1
    done
    exit 0
---
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: minio
  name: secret-minio
  namespace: core-app
stringData:
  # Sample value; replace it with a strong random password before deploying
  MINIO_ROOT_PASSWORD: 'minio123'
```
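
The Secret above carries the literal root password `minio123`. As an added example (not part of the original page), the POSIX shell functions below generate a random root password and render the same Secret with it; the function names `gen_password` and `render_minio_secret` are hypothetical.

```shell
# Added example, not from the original page.

# 16 bytes from the kernel CSPRNG, hex-encoded: 32 characters, 128 bits.
gen_password() {
  od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Render the Secret from section 2.2 with a freshly generated password.
# secret-minio, core-app and MINIO_ROOT_PASSWORD are the names used on this page.
render_minio_secret() {
  _pw="$(gen_password)"
  # MinIO refuses to start with a root password shorter than 8 characters.
  if [ "${#_pw}" -lt 8 ]; then
    echo "password generation failed" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  labels:
    app: minio
  name: secret-minio
  namespace: core-app
stringData:
  MINIO_ROOT_PASSWORD: '${_pw}'
EOF
}

# Typical use (not executed here):
#   render_minio_secret | kubectl apply -f -
```

Piping the rendered manifest straight into `kubectl apply` keeps the password out of files that end up in version control.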

3. Deployment

Once the environment is prepared, MinIO can be deployed.

3.1. Create the MinIO Service

Import the following configuration to create the MinIO Service.

```yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    app: minio
  name: svc-minio
  namespace: core-app
spec:
  ports:
    - name: minio-s3
      protocol: TCP
      port: 9000
    - name: minio-console
      protocol: TCP
      port: 9001
  selector:
    app: minio
```

3.2. Create the MinIO StatefulSet

Import the following configuration to create the MinIO StatefulSet.

```yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: sts-minio
  namespace: core-app
  labels:
    app: minio
spec:
  serviceName: svc-minio
  selector:
    matchLabels:
      app: minio
  replicas: 1
  template:
    metadata:
      labels:
        app: minio
    spec:
      containers:
        # MinIO server: S3 API on 9000, web console on 9001
        - name: minio
          image: quay.io/minio/minio:RELEASE.2022-08-22T23-53-06Z
          command:
            - minio
            - server
            - '/data'
            - '--console-address'
            - ":9001"
          envFrom:
            - configMapRef:
                name: conf-minio
            - secretRef:
                name: secret-minio
          env:
            - name: MINIO_SERVER_URL
              value: 'https://s3.d7z.net'
            - name: MINIO_DOMAIN
              value: 's3.d7z.net'
            - name: MINIO_BROWSER_REDIRECT_URL
              value: 'https://minio.internal.d7z.net'
            # 'on' permits a plain-text (non-TLS) connection to the LDAP server,
            # so the lookup bind password crosses the network unencrypted
            - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE
              value: 'on'
            - name: MINIO_IDENTITY_LDAP_SERVER_ADDR
              valueFrom:
                configMapKeyRef:
                  key: LDAP_ADDRESS_PORT
                  name: conf-ldap
            - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_DN
              valueFrom:
                configMapKeyRef:
                  key: LDAP_BIND_DN
                  name: conf-ldap
            - name: MINIO_IDENTITY_LDAP_LOOKUP_BIND_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: LDAP_BIND_DN_PASSWORD
                  name: secret-ldap-service
            - name: MINIO_IDENTITY_LDAP_USER_DN_SEARCH_BASE_DN
              valueFrom:
                configMapKeyRef:
                  key: LDAP_USERS_DN
                  name: conf-ldap
            - name: MINIO_IDENTITY_LDAP_GROUP_SEARCH_BASE_DN
              valueFrom:
                configMapKeyRef:
                  key: LDAP_GROUPS_DN
                  name: conf-ldap
          volumeMounts:
            - name: minio-data
              mountPath: /data
          readinessProbe:
            httpGet:
              port: 9000
              path: /minio/health/live
            initialDelaySeconds: 5
            periodSeconds: 5
        # Sidecar running mc: applies the LDAP group policy, then idles
        - name: client
          image: quay.io/minio/mc:RELEASE.2022-08-23T05-45-20Z
          command:
            - "/bin/sh"
            - "/scripts/auto.sh"
          lifecycle:
            preStop:
              exec:
                # Signals auto.sh to leave its wait loop
                command:
                  - touch
                  - /exit.hook
          envFrom:
            - configMapRef:
                name: conf-minio
            - secretRef:
                name: secret-minio
          volumeMounts:
            - mountPath: /scripts
              name: mc-conf
      volumes:
        - name: minio-data
          persistentVolumeClaim:
            claimName: pvc-minio
        - name: mc-conf
          configMap:
            name: conf-minio
```
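
A pre-apply check for the weak settings that appear in the manifests above (`MINIO_IDENTITY_LDAP_SERVER_INSECURE` set to `on`, a short literal `MINIO_ROOT_PASSWORD`), as an added example that is not part of the original page. The function names, the 16-character threshold and the sample manifest are assumptions of this example; `MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY` is a MinIO setting not used on this page.

```shell
# Added example (not from the original page): lint a manifest before applying.
# Reads YAML on stdin, prints one line per finding, returns 1 if any was found.
audit_minio_manifest() {
  awk -v q="'" '
    function unquote(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    function report(msg) { print "FINDING: " msg; n++ }
    function check(k, v) {
      if (k == "MINIO_IDENTITY_LDAP_SERVER_INSECURE" && v == "on")
        report(k "=on: connection to the LDAP server is plain text")
      if (k == "MINIO_IDENTITY_LDAP_TLS_SKIP_VERIFY" && v == "on")
        report(k "=on: LDAP server certificate is not verified")
      # Heuristic chosen for this example: under 16 characters or minio-prefixed.
      if (k == "MINIO_ROOT_PASSWORD" && (length(v) < 16 || v ~ /^minio/))
        report(k ": short or guessable literal in the manifest")
    }
    # Container env form: "- name: KEY" followed by "value: VAL".
    /^[ \t]*-[ \t]*name:/ { key = unquote($NF); next }
    /^[ \t]*value:/       { if (key != "") check(key, unquote($NF)); key = ""; next }
    # Map form (ConfigMap data, Secret stringData): "KEY: VAL".
    /^[ \t]*MINIO_[A-Z_]+:/ { k = $1; sub(/:$/, "", k); check(k, unquote($2)) }
    END { exit (n > 0) }
  '
}

# Constructed sample: the two weak settings from this page, trimmed down.
sample_manifest() {
  cat <<'EOF'
stringData:
  MINIO_ROOT_PASSWORD: 'minio123'
---
          env:
            - name: MINIO_SERVER_URL
              value: 'https://s3.d7z.net'
            - name: MINIO_IDENTITY_LDAP_SERVER_INSECURE
              value: 'on'
            - name: MINIO_IDENTITY_LDAP_SERVER_ADDR
              valueFrom:
                configMapKeyRef:
                  key: LDAP_ADDRESS_PORT
                  name: conf-ldap
EOF
}

sample_manifest | audit_minio_manifest || echo "fix the findings before applying"
```

The non-zero return status lets the check gate a CI job or a wrapper around `kubectl apply`.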

3.3. Expose the MinIO addresses

Import the following configuration to create the Ingress resources.

```yaml
# S3 API, published through the public ingress class
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-minio
  namespace: core-app
  labels:
    app: minio
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  ingressClassName: nginx-public
  tls:
    - hosts:
        - s3.d7z.net
        - minio.internal.d7z.net
      secretName: tls-pub-d7z
  rules:
    - host: s3.d7z.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: svc-minio
                port:
                  name: minio-s3
---
# Web console, published through the private ingress class only
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-minio-console
  namespace: core-app
  labels:
    app: minio
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
  ingressClassName: nginx-private
  tls:
    - hosts:
        - minio.internal.d7z.net
      secretName: tls-pri-d7z
  rules:
    - host: minio.internal.d7z.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: svc-minio
                port:
                  name: minio-console
```
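
4. Testing

4.1. Check the running state

Use the following command to check the state of the MinIO deployment:

```shell
kubectl get pods,pvc,svc,ingress -n core-app -l app=minio
```

4.2. Access the web console

Open https://minio.internal.d7z.net in a browser and log in with a user configured in LDAP; if there are no errors, the login succeeds.

4.3. Access the CLI console

Use the following command to enter the CLI console:

```shell
kubectl exec -n core-app sts-minio-0 --container client -it -- bash
```

Once inside, use mc to operate MinIO, for example:

```shell
mc ping minio
```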