[bitnami/milvus] feat: config external S3 tls client certs settings (b…
…itnami#26111)

Signed-off-by: Chen Rao <chenrao317328@163.com>
chenraoCR committed Jun 10, 2024
1 parent 28b0770 commit e06de25
Showing 13 changed files with 210 additions and 41 deletions.
2 changes: 1 addition & 1 deletion bitnami/milvus/Chart.yaml
Expand Up @@ -48,4 +48,4 @@ maintainers:
name: milvus
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/milvus
version: 8.2.0
version: 8.2.1
1 change: 0 additions & 1 deletion bitnami/milvus/README.md
Expand Up @@ -1734,7 +1734,6 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
| `externalS3.existingSecret` | Name of an existing secret resource containing the S3 credentials | `""` |
| `externalS3.existingSecretAccessKeyIDKey` | Name of an existing secret key containing the S3 access key ID | `root-user` |
| `externalS3.existingSecretKeySecretKey` | Name of an existing secret key containing the S3 access key secret | `root-password` |
| `externalS3.protocol` | External S3 protocol | `https` |
| `externalS3.bucket` | External S3 bucket | `milvus` |
| `externalS3.rootPath` | External S3 root path | `file` |
| `externalS3.iamEndpoint` | External S3 IAM endpoint | `""` |
45 changes: 33 additions & 12 deletions bitnami/milvus/templates/_helpers.tpl
Expand Up @@ -605,7 +605,7 @@ Return the S3 protocol
{{- if .Values.minio.enabled -}}
{{- ternary "https" "http" .Values.minio.tls.enabled -}}
{{- else -}}
{{- print .Values.externalS3.protocol -}}
{{- ternary "https" "http" .Values.externalS3.tls.enabled -}}
{{- end -}}
{{- end -}}

Expand Down Expand Up @@ -637,10 +637,8 @@ Return true if TLS is used
{{- define "milvus.s3.useSSL" -}}
{{- if .Values.minio.enabled -}}
{{- .Values.minio.tls.enabled -}}
{{- else if (eq .Values.externalS3.protocol "https") -}}
{{- print "true" -}}
{{- else -}}
{{- print "false" -}}
{{- .Values.externalS3.tls.enabled -}}
{{- end -}}
{{- end -}}

Expand Down Expand Up @@ -772,7 +770,7 @@ Init container definition for waiting for the database to be ready

echo "Connection success"
exit 0
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
volumeMounts:
- name: etcd-client-certs
mountPath: /bitnami/milvus/conf/cert/etcd/client
Expand Down Expand Up @@ -816,14 +814,20 @@ Init container definition for waiting for the database to be ready

check_s3() {
local -r s3_host="${1:-?missing s3}"
if curl --max-time 5 "${s3_host}" | grep "RequestId"; then
local params_cert=""
if echo $s3_host | grep https; then
params_cert="--cacert /bitnami/milvus/conf/cert/minio/client/{{ .Values.externalS3.tls.caCert }}"
fi
if curl --max-time 5 "${s3_host}" $params_cert | grep "RequestId"; then
return 0
else
return 1
fi
}

host={{ printf "%v:%v" (include "milvus.s3.host" .) (include "milvus.s3.port" .) }}
host={{ template "milvus.s3.protocol" . }}://{{ printf "%v:%v" (include "milvus.s3.host" .) (include "milvus.s3.port" .) }}

echo "Checking connection to $host"
if retry_while "check_s3 $host"; then
Expand All @@ -835,6 +839,12 @@ Init container definition for waiting for the database to be ready

echo "Connection success"
exit 0
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
volumeMounts:
- name: minio-client-certs
mountPath: /bitnami/milvus/conf/cert/minio/client
readOnly: true
{{- end }}
{{- end -}}

{{/*
Expand Down Expand Up @@ -1014,17 +1024,28 @@ Init container definition for waiting for the database to be ready
mv /bitnami/milvus/rendered-conf/pre-render-config_00.yaml /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- end }}

# Minio TLS settings
{{- if and (not .context.Values.minio.enabled) .context.Values.externalS3.tls.enabled }}
{{- if and .context.Values.externalS3.tls.existingSecret .context.Values.externalS3.tls.caCert }}
yq e '.minio.ssl.tlsCACert = "/opt/bitnami/milvus/configs/cert/minio/client/{{ .context.Values.externalS3.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- else }}
yq e '.minio.ssl.tlsCACert = ""' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- end }}
{{- else }}
mv /bitnami/milvus/rendered-conf/pre-render-config_01.yaml /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- end }}

# Milvus server TLS settings
yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
{{- if ne (int .context.Values.proxy.tls.mode) 0 }}
yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
{{- if eq (int .context.Values.proxy.tls.mode) 2 }}
yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_03.yaml
{{- end }}
{{- end }}

render-template /bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/milvus.yaml
render-template /bitnami/milvus/rendered-conf/pre-render-config_03.yaml > /bitnami/milvus/rendered-conf/milvus.yaml
rm /bitnami/milvus/rendered-conf/pre-render-config*
chmod 644 /bitnami/milvus/rendered-conf/milvus.yaml
env:
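Review bot: In check_s3, `params_cert` is set whenever the URL contains `https`, but the `minio-client-certs` mount added at the end of the same define is only rendered when `externalS3.tls.existingSecret` is set, so with `tls.enabled` but no secret (or an empty `caCert`) curl is pointed at a non-existent file, fails, and `retry_while "check_s3 $host"` never succeeds; the init container then blocks the pod indefinitely. Guard the assignment with the condition the mount already uses, e.g. `{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret .Values.externalS3.tls.caCert }}` around `params_cert="--cacert /bitnami/milvus/conf/cert/minio/client/{{ .Values.externalS3.tls.caCert }}"`, and switch to `grep -q` so the host is not echoed to the log on every retry. The same `https` branch presumably also fires for the bundled MinIO with `minio.tls.enabled`, where nothing in this hunk mounts a CA under that path — worth confirming against the MinIO volume wiring, which is outside the hunk (the init-container define starts before it). Separately, the first two hunks stop reading `externalS3.protocol` (documented default `https` in the README diff), so an existing deployment that set only that value will silently fall back to plain HTTP unless the new `externalS3.tls.enabled` defaults to true; that deserves an upgrade note rather than just a patch-level version bump.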
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/data-coordinator/deployment.yaml
Expand Up @@ -175,7 +175,7 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
Expand All @@ -185,6 +185,11 @@ spec:
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/minio/client
readOnly: true
{{- end }}
{{- if .Values.dataCoord.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -210,7 +215,7 @@ spec:
configMap:
name: {{ template "milvus.data-coordinator.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
Expand All @@ -222,6 +227,12 @@ spec:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
secret:
secretName: {{ .Values.externalS3.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.dataCoord.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumes "context" $) | nindent 8 }}
{{- end }}
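Review bot: The `minio-client-certs` volumeMount and volume stanzas added here are duplicated verbatim in the data-node, index-coordinator, index-node and proxy deployments, and the corrected etcd guard (`not .Values.etcd.enabled`) likewise had to be patched in all five files in this one commit, which is the kind of drift a shared named template in `_helpers.tpl` would prevent (for example `{{- include "milvus.s3.tls.volumeMounts" . | nindent 12 }}` and a matching volumes helper rendered from each deployment). The new mount itself is sound: `readOnly: true` and `defaultMode: 256` match the etcd and kafka client-cert volumes directly above it, and the mount path `/opt/bitnami/milvus/configs/cert/minio/client` agrees with the `tlsCACert` path written by the config-rendering hunk in `_helpers.tpl`. Whether the pod's securityContext lets the non-root Milvus user read a 0400 secret file is not visible here — same assumption as the existing cert volumes, but worth keeping in mind.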
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/data-node/deployment.yaml
Expand Up @@ -175,7 +175,7 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
Expand All @@ -185,6 +185,11 @@ spec:
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/minio/client
readOnly: true
{{- end }}
{{- if .Values.dataNode.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -210,7 +215,7 @@ spec:
configMap:
name: {{ template "milvus.data-node.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
Expand All @@ -222,6 +227,12 @@ spec:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
secret:
secretName: {{ .Values.externalS3.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.dataNode.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumes "context" $) | nindent 8 }}
{{- end }}
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/index-coordinator/deployment.yaml
Expand Up @@ -175,7 +175,7 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
Expand All @@ -185,6 +185,11 @@ spec:
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/minio/client
readOnly: true
{{- end }}
{{- if .Values.indexCoord.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -210,7 +215,7 @@ spec:
configMap:
name: {{ template "milvus.index-coordinator.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
Expand All @@ -222,6 +227,12 @@ spec:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
secret:
secretName: {{ .Values.externalS3.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.indexCoord.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumes "context" $) | nindent 8 }}
{{- end }}
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/index-node/deployment.yaml
Expand Up @@ -175,7 +175,7 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
Expand All @@ -185,6 +185,11 @@ spec:
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/minio/client
readOnly: true
{{- end }}
{{- if .Values.indexNode.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -210,7 +215,7 @@ spec:
configMap:
name: {{ template "milvus.index-node.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
Expand All @@ -222,6 +227,12 @@ spec:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
secret:
secretName: {{ .Values.externalS3.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.indexNode.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumes "context" $) | nindent 8 }}
{{- end }}
27 changes: 19 additions & 8 deletions bitnami/milvus/templates/proxy/deployment.yaml
Expand Up @@ -177,7 +177,7 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
Expand All @@ -187,6 +187,11 @@ spec:
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/minio/client
readOnly: true
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }}
- name: milvus-certs
mountPath: /opt/bitnami/milvus/configs/cert/milvus
Expand Down Expand Up @@ -217,24 +222,30 @@ spec:
configMap:
name: {{ template "milvus.proxy.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
{{- if and (not .Values.etcd.enabled) .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }}
- name: milvus-certs
secret:
secretName: {{ .Values.proxy.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.minio.enabled) .Values.externalS3.tls.enabled .Values.externalS3.tls.existingSecret }}
- name: minio-client-certs
secret:
secretName: {{ .Values.externalS3.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }}
- name: milvus-certs
secret:
secretName: {{ .Values.proxy.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.proxy.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumes "context" $) | nindent 8 }}
{{- end }}