[bitnami/milvus] feat: config external S3 tls client certs settings (… (

#27068) * [bitnami/milvus] feat: config external S3 tls client certs settings (#26111) Signed-off-by: Chen Rao <chenrao317328@163.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * commit suggestion Signed-off-by: Chen Rao <chenrao317328@163.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> --------- Signed-off-by: Chen Rao <chenrao317328@163.com> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Chen Rao <45187622+chenraoCR@users.noreply.github.com> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
bitnami · Jun 19, 2024 · f8249bf · f8249bf
1 parent 1aaac3c
commit f8249bf
Show file tree

Hide file tree

Showing 14 changed files with 236 additions and 57 deletions.
diff --git a/bitnami/milvus/CHANGELOG.md b/bitnami/milvus/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
-## 8.2.7 (2024-06-18)
+## 8.3.0 (2024-06-19)
 
-* [bitnami/milvus] Release 8.2.7 ([#27403](https://github.com/bitnami/charts/pull/27403))
+* [bitnami/milvus] feat: config external S3 tls client certs settings (… ([#27068](https://github.com/bitnami/charts/pull/27068))
+
+## <small>8.2.7 (2024-06-18)</small>
+
+* [bitnami/milvus] Release 8.2.7 (#27403) ([72a2ad7](https://github.com/bitnami/charts/commit/72a2ad7c8a3f2eac2cfeede24bbf96d28c13fa18)), closes [#27403](https://github.com/bitnami/charts/issues/27403)
 
 ## <small>8.2.6 (2024-06-17)</small>
 

diff --git a/bitnami/milvus/Chart.yaml b/bitnami/milvus/Chart.yaml
@@ -48,4 +48,4 @@ maintainers:
 name: milvus
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/milvus
-version: 8.2.7
+version: 8.3.0
diff --git a/bitnami/milvus/README.md b/bitnami/milvus/README.md
@@ -1725,20 +1725,22 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
 
 ### External S3 parameters
 
-| Name                                      | Description                                                        | Value           |
-| ----------------------------------------- | ------------------------------------------------------------------ | --------------- |
-| `externalS3.host`                         | External S3 host                                                   | `""`            |
-| `externalS3.port`                         | External S3 port number                                            | `443`           |
-| `externalS3.accessKeyID`                  | External S3 access key ID                                          | `""`            |
-| `externalS3.accessKeySecret`              | External S3 access key secret                                      | `""`            |
-| `externalS3.existingSecret`               | Name of an existing secret resource containing the S3 credentials  | `""`            |
-| `externalS3.existingSecretAccessKeyIDKey` | Name of an existing secret key containing the S3 access key ID     | `root-user`     |
-| `externalS3.existingSecretKeySecretKey`   | Name of an existing secret key containing the S3 access key secret | `root-password` |
-| `externalS3.protocol`                     | External S3 protocol                                               | `https`         |
-| `externalS3.bucket`                       | External S3 bucket                                                 | `milvus`        |
-| `externalS3.rootPath`                     | External S3 root path                                              | `file`          |
-| `externalS3.iamEndpoint`                  | External S3 IAM endpoint                                           | `""`            |
-| `externalS3.cloudProvider`                | External S3 cloud provider                                         | `""`            |
+| Name                                      | Description                                                                                       | Value           |
+| ----------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------- |
+| `externalS3.host`                         | External S3 host                                                                                  | `""`            |
+| `externalS3.port`                         | External S3 port number                                                                           | `443`           |
+| `externalS3.accessKeyID`                  | External S3 access key ID                                                                         | `""`            |
+| `externalS3.accessKeySecret`              | External S3 access key secret                                                                     | `""`            |
+| `externalS3.existingSecret`               | Name of an existing secret resource containing the S3 credentials                                 | `""`            |
+| `externalS3.existingSecretAccessKeyIDKey` | Name of an existing secret key containing the S3 access key ID                                    | `root-user`     |
+| `externalS3.existingSecretKeySecretKey`   | Name of an existing secret key containing the S3 access key secret                                | `root-password` |
+| `externalS3.bucket`                       | External S3 bucket                                                                                | `milvus`        |
+| `externalS3.rootPath`                     | External S3 root path                                                                             | `file`          |
+| `externalS3.iamEndpoint`                  | External S3 IAM endpoint                                                                          | `""`            |
+| `externalS3.cloudProvider`                | External S3 cloud provider                                                                        | `""`            |
+| `externalS3.tls.enabled`                  | Enable TLS for externalS3 client connections.                                                     | `false`         |
+| `externalS3.tls.existingSecret`           | Name of the existing secret containing the TLS certificates for externalS3 client communications. | `""`            |
+| `externalS3.tls.caCert`                   | The secret key from the existingSecret if 'caCert' key different from the default (ca.crt)        | `ca.crt`        |
 
 ### External Kafka parameters
 

diff --git a/bitnami/milvus/templates/_helpers.tpl b/bitnami/milvus/templates/_helpers.tpl
@@ -605,7 +605,7 @@ Return the S3 protocol
     {{- if .Values.minio.enabled -}}
         {{- ternary "https" "http" .Values.minio.tls.enabled  -}}
     {{- else -}}
-        {{- print .Values.externalS3.protocol -}}
+        {{- ternary "https" "http" .Values.externalS3.tls.enabled  -}}
     {{- end -}}
 {{- end -}}
 
@@ -637,10 +637,8 @@ Return true if TLS is used
 {{- define "milvus.s3.useSSL" -}}
     {{- if .Values.minio.enabled -}}
         {{- .Values.minio.tls.enabled  -}}
-    {{- else if (eq .Values.externalS3.protocol "https") -}}
-        {{- print "true" -}}
     {{- else -}}
-        {{- print "false" -}}
+        {{- .Values.externalS3.tls.enabled  -}}
     {{- end -}}
 {{- end -}}
 
@@ -772,7 +770,7 @@ Init container definition for waiting for the database to be ready
 
       echo "Connection success"
       exit 0
-  {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+  {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
   volumeMounts:
     - name: etcd-client-certs
       mountPath: /bitnami/milvus/conf/cert/etcd/client
@@ -816,14 +814,24 @@ Init container definition for waiting for the database to be ready
 
       check_s3() {
           local -r s3_host="${1:-?missing s3}"
-          if curl --max-time 5 "${s3_host}" | grep "RequestId"; then
+          local params_cert=""
+
+          {{- if .Values.externalS3.tls.enabled }}
+          {{- if and .Values.externalS3.tls.existingSecret .Values.externalS3.tls.caCert }}
+          params_cert="--cacert /bitnami/milvus/conf/cert/minio/client/{{ .Values.externalS3.tls.caCert }}"
+          {{- else }}
+          params_cert="-k"
+          {{- end }}
+          {{- end }}
+
+          if curl --max-time 5 "${s3_host}" $params_cert | grep "RequestId"; then
              return 0
           else
              return 1
           fi
       }
 
-      host={{ printf "%v:%v" (include "milvus.s3.host" .) (include "milvus.s3.port" .) }}
+      host={{ template "milvus.s3.protocol" . }}://{{ printf "%v:%v" (include "milvus.s3.host" .) (include "milvus.s3.port" .) }}
 
       echo "Checking connection to $host"
       if retry_while "check_s3 $host"; then
@@ -835,6 +843,12 @@ Init container definition for waiting for the database to be ready
 
       echo "Connection success"
       exit 0
+  {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+  volumeMounts:
+    - name: minio-client-certs
+      mountPath: /bitnami/milvus/conf/cert/minio/client
+      readOnly: true
+  {{- end }}
 {{- end -}}
 
 {{/*
@@ -1014,17 +1028,28 @@ Init container definition for waiting for the database to be ready
       mv /bitnami/milvus/rendered-conf/pre-render-config_00.yaml /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
       {{- end }}
 
+      # Minio TLS settings
+      {{- if and (not .context.Values.minio.enabled) .context.Values.externalS3.tls.enabled }}
+      {{- if and .context.Values.externalS3.tls.existingSecret .context.Values.externalS3.tls.caCert }}
+      yq e '.minio.ssl.tlsCACert = "/opt/bitnami/milvus/configs/cert/minio/client/{{ .context.Values.externalS3.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      {{- else }}
+      yq e '.minio.ssl.tlsCACert = ""' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      {{- end }}
+      {{- else }}
+      mv /bitnami/milvus/rendered-conf/pre-render-config_01.yaml /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      {{- end }}
+
       # Milvus server TLS settings
-      yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
       {{- if ne (int .context.Values.proxy.tls.mode) 0 }}
-      yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
-      yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
+      yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
       {{- if eq (int .context.Values.proxy.tls.mode) 2 }}
-      yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
+      yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
       {{- end }}
       {{- end }}
 
-      render-template /bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/milvus.yaml
+      render-template /bitnami/milvus/rendered-conf/pre-render-config_03.yaml > /bitnami/milvus/rendered-conf/milvus.yaml
       rm /bitnami/milvus/rendered-conf/pre-render-config*
       chmod 644 /bitnami/milvus/rendered-conf/milvus.yaml
   env:

diff --git a/bitnami/milvus/templates/data-coordinator/deployment.yaml b/bitnami/milvus/templates/data-coordinator/deployment.yaml
@@ -175,7 +175,7 @@ spec:
             - name: empty-dir
               mountPath: /bitnami/milvus/data
               subPath: app-data-dir
-            {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+            {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
             - name: etcd-client-certs
               mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
               readOnly: true
@@ -185,6 +185,11 @@ spec:
               mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
               readOnly: true
             {{- end }}
+            {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+            - name: minio-client-certs
+              mountPath: /opt/bitnami/milvus/configs/cert/minio/client
+              readOnly: true
+            {{- end }}
           {{- if .Values.dataCoord.extraVolumeMounts }}
           {{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
@@ -210,7 +215,7 @@ spec:
           configMap:
             name: {{ template "milvus.data-coordinator.extraConfigmapName" . }}
         {{- end }}
-        {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+        {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
         - name: etcd-client-certs
           secret:
             secretName: {{ .Values.externalEtcd.tls.existingSecret }}
@@ -222,6 +227,12 @@ spec:
             secretName: {{ .Values.externalKafka.tls.existingSecret }}
             defaultMode: 256
         {{- end }}
+        {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+        - name: minio-client-certs
+          secret:
+            secretName: {{ .Values.externalS3.tls.existingSecret }}
+            defaultMode: 256
+        {{- end }}
         {{- if .Values.dataCoord.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

diff --git a/bitnami/milvus/templates/data-node/deployment.yaml b/bitnami/milvus/templates/data-node/deployment.yaml
@@ -175,7 +175,7 @@ spec:
             - name: empty-dir
               mountPath: /bitnami/milvus/data
               subPath: app-data-dir
-            {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+            {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
             - name: etcd-client-certs
               mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
               readOnly: true
@@ -185,6 +185,11 @@ spec:
               mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
               readOnly: true
             {{- end }}
+            {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+            - name: minio-client-certs
+              mountPath: /opt/bitnami/milvus/configs/cert/minio/client
+              readOnly: true
+            {{- end }}
           {{- if .Values.dataNode.extraVolumeMounts }}
           {{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
@@ -210,7 +215,7 @@ spec:
           configMap:
             name: {{ template "milvus.data-node.extraConfigmapName" . }}
         {{- end }}
-        {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+        {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
         - name: etcd-client-certs
           secret:
             secretName: {{ .Values.externalEtcd.tls.existingSecret }}
@@ -222,6 +227,12 @@ spec:
             secretName: {{ .Values.externalKafka.tls.existingSecret }}
             defaultMode: 256
         {{- end }}
+        {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+        - name: minio-client-certs
+          secret:
+            secretName: {{ .Values.externalS3.tls.existingSecret }}
+            defaultMode: 256
+        {{- end }}
         {{- if .Values.dataNode.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

diff --git a/bitnami/milvus/templates/index-coordinator/deployment.yaml b/bitnami/milvus/templates/index-coordinator/deployment.yaml
@@ -175,7 +175,7 @@ spec:
             - name: empty-dir
               mountPath: /bitnami/milvus/data
               subPath: app-data-dir
-            {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+            {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
             - name: etcd-client-certs
               mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
               readOnly: true
@@ -185,6 +185,11 @@ spec:
               mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
               readOnly: true
             {{- end }}
+            {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+            - name: minio-client-certs
+              mountPath: /opt/bitnami/milvus/configs/cert/minio/client
+              readOnly: true
+            {{- end }}
           {{- if .Values.indexCoord.extraVolumeMounts }}
           {{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
@@ -210,7 +215,7 @@ spec:
           configMap:
             name: {{ template "milvus.index-coordinator.extraConfigmapName" . }}
         {{- end }}
-        {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+        {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
         - name: etcd-client-certs
           secret:
             secretName: {{ .Values.externalEtcd.tls.existingSecret }}
@@ -222,6 +227,12 @@ spec:
             secretName: {{ .Values.externalKafka.tls.existingSecret }}
             defaultMode: 256
         {{- end }}
+        {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+        - name: minio-client-certs
+          secret:
+            secretName: {{ .Values.externalS3.tls.existingSecret }}
+            defaultMode: 256
+        {{- end }}
         {{- if .Values.indexCoord.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumes "context" $) | nindent 8 }}
         {{- end }}

diff --git a/bitnami/milvus/templates/index-node/deployment.yaml b/bitnami/milvus/templates/index-node/deployment.yaml
@@ -175,7 +175,7 @@ spec:
             - name: empty-dir
               mountPath: /bitnami/milvus/data
               subPath: app-data-dir
-            {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+            {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
             - name: etcd-client-certs
               mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
               readOnly: true
@@ -185,6 +185,11 @@ spec:
               mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
               readOnly: true
             {{- end }}
+            {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+            - name: minio-client-certs
+              mountPath: /opt/bitnami/milvus/configs/cert/minio/client
+              readOnly: true
+            {{- end }}
           {{- if .Values.indexNode.extraVolumeMounts }}
           {{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumeMounts "context" $) | nindent 12 }}
           {{- end }}
@@ -210,7 +215,7 @@ spec:
           configMap:
             name: {{ template "milvus.index-node.extraConfigmapName" . }}
         {{- end }}
-        {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
+        {{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
         - name: etcd-client-certs
           secret:
             secretName: {{ .Values.externalEtcd.tls.existingSecret }}
@@ -222,6 +227,12 @@ spec:
             secretName: {{ .Values.externalKafka.tls.existingSecret }}
             defaultMode: 256
         {{- end }}
+        {{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
+        - name: minio-client-certs
+          secret:
+            secretName: {{ .Values.externalS3.tls.existingSecret }}
+            defaultMode: 256
+        {{- end }}
         {{- if .Values.indexNode.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumes "context" $) | nindent 8 }}
         {{- end }}