diff --git a/bin/k8s/templates/aws/s3-credentials-secret.yaml b/bin/k8s/templates/aws/s3-credentials-secret.yaml
new file mode 100644
index 00000000000..8506115167b
--- /dev/null
+++ b/bin/k8s/templates/aws/s3-credentials-secret.yaml
@@ -0,0 +1,32 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# Credentials Secret for an external S3 store. Rendered only when an external
+# endpoint is configured (storage.s3.endpoint) and the deployer has not supplied
+# their own Secret (storage.s3.existingSecret). On the default in-cluster MinIO
+# install this renders nothing -- the services use MinIO's own Secret instead.
+{{- if and .Values.storage.s3.endpoint (not .Values.storage.s3.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-s3-credentials
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  access-key-id: {{ .Values.storage.s3.accessKeyId | quote }}
+  secret-access-key: {{ .Values.storage.s3.secretAccessKey | quote }}
+{{- end }}
diff --git a/bin/k8s/templates/base/_helpers.tpl b/bin/k8s/templates/base/_helpers.tpl
new file mode 100644
index 00000000000..e044b7285a8
--- /dev/null
+++ b/bin/k8s/templates/base/_helpers.tpl
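Review bot: When storage.s3.endpoint is set and neither existingSecret nor the inline credentials are supplied, this template still renders a Secret whose access-key-id and secret-access-key are empty strings, so the misconfiguration only surfaces later as an S3 authentication failure inside the pods instead of at install time. The two stringData lines should fail the render instead: `access-key-id: {{ required "storage.s3.accessKeyId is required when storage.s3.endpoint is set and existingSecret is empty" .Values.storage.s3.accessKeyId | quote }}` and `secret-access-key: {{ required "storage.s3.secretAccessKey is required when storage.s3.endpoint is set and existingSecret is empty" .Values.storage.s3.secretAccessKey | quote }}`. The header comment should also say that credentials passed this way are kept by Helm in the stored release values (and usually live in a values file under version control), so existingSecret is the intended route for production keys.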
@@ -0,0 +1,56 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+*/}}
+
+{{/*
+Object-storage (S3) resolution helpers.
+
+When storage.s3.endpoint is set the services talk to that external
+S3-compatible store (credentials come from storage.s3.existingSecret, or a
+chart-generated "-s3-credentials" Secret). When it is empty the
+services fall back to the in-cluster MinIO Service and its auto-generated
+"-minio" Secret, so the default install is unchanged.
+*/}}
+
+{{/* S3 endpoint URL. */}}
+{{- define "texera.s3.endpoint" -}}
+{{- if .Values.storage.s3.endpoint -}}
+{{- .Values.storage.s3.endpoint -}}
+{{- else -}}
+{{- printf "http://%s-minio:9000" .Release.Name -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Name of the Secret holding the S3 credentials. */}}
+{{- define "texera.s3.secretName" -}}
+{{- if .Values.storage.s3.endpoint -}}
+{{- .Values.storage.s3.existingSecret | default (printf "%s-s3-credentials" .Release.Name) -}}
+{{- else -}}
+{{- printf "%s-minio" .Release.Name -}}
+{{- end -}}
+{{- end -}}
+
+{{/* Secret data key for the S3 access key id. */}}
+{{- define "texera.s3.accessKeyIdKey" -}}
+{{- if .Values.storage.s3.endpoint -}}access-key-id{{- else -}}root-user{{- end -}}
+{{- end -}}
+
+{{/* Secret data key for the S3 secret access key. */}}
+{{- define "texera.s3.secretAccessKeyKey" -}}
+{{- if .Values.storage.s3.endpoint -}}secret-access-key{{- else -}}root-password{{- end -}}
+{{- end -}}
diff --git a/bin/k8s/templates/base/file-service/file-service-deployment.yaml b/bin/k8s/templates/base/file-service/file-service-deployment.yaml
index 6c9a4041f98..6a9190bc6cf 100644
--- a/bin/k8s/templates/base/file-service/file-service-deployment.yaml
+++ b/bin/k8s/templates/base/file-service/file-service-deployment.yaml
@@ -41,17 +41,21 @@ spec:
           env:
             # LakeFS & S3 Access
             - name: STORAGE_S3_ENDPOINT
-              value: http://{{ .Release.Name }}-minio:9000
+              value: {{ include "texera.s3.endpoint" . }}
+              {{- if .Values.storage.s3.endpoint }}
+            - name: STORAGE_S3_REGION
+              value: {{ .Values.storage.s3.region | quote }}
+              {{- end }}
             - name: STORAGE_S3_AUTH_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-minio
-                  key: root-user
+                  name: {{ include "texera.s3.secretName" . }}
+                  key: {{ include "texera.s3.accessKeyIdKey" . }}
             - name: STORAGE_S3_AUTH_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-minio
-                  key: root-password
+                  name: {{ include "texera.s3.secretName" . }}
+                  key: {{ include "texera.s3.secretAccessKeyKey" . }}
             - name: STORAGE_LAKEFS_ENDPOINT
               value: http://{{ .Release.Name }}-lakefs:8000/api/v1
             - name: STORAGE_LAKEFS_AUTH_USERNAME
diff --git a/bin/k8s/templates/base/workflow-computing-unit-manager/workflow-computing-unit-manager-deployment.yaml b/bin/k8s/templates/base/workflow-computing-unit-manager/workflow-computing-unit-manager-deployment.yaml
index 7a0185cd465..a9118450412 100644
--- a/bin/k8s/templates/base/workflow-computing-unit-manager/workflow-computing-unit-manager-deployment.yaml
+++ b/bin/k8s/templates/base/workflow-computing-unit-manager/workflow-computing-unit-manager-deployment.yaml
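Review bot: `texera.s3.secretName` accepts any existingSecret name, but `texera.s3.accessKeyIdKey` and `texera.s3.secretAccessKeyKey` hard-code `access-key-id` / `secret-access-key` for the external path, so a pre-existing Secret that uses other key names (a provider-issued one, for example) will fail at pod start with a missing-key error and nothing in these helpers says so. The "Object-storage (S3) resolution helpers" comment should state the contract explicitly: `An existingSecret must expose the keys "access-key-id" and "secret-access-key"; the key names cannot be overridden.` If that is too restrictive in practice, a pair of values such as storage.s3.accessKeyIdKey / storage.s3.secretAccessKeyKey defaulting to those names would let the two key helpers return them instead of literals, without changing the default install.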
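Review bot: `value: {{ include "texera.s3.endpoint" . }}` writes the deployer-supplied endpoint URL into the manifest unquoted, while the neighbouring STORAGE_S3_REGION is `| quote`d; the in-cluster `http://<release>-minio:9000` fallback parses fine, but an external URL containing ` #`, `: ` or another YAML special would break or silently truncate the rendered env entry. Quote it for consistency and safety: `value: {{ include "texera.s3.endpoint" . | quote }}`. The enclosing container spec starts and ends outside the hunk.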
@@ -81,17 +81,21 @@ spec:
               value: http://{{ .Values.fileService.name }}-svc:9092/api/dataset/did/upload
             # S3 Access (for R UDF large binary support)
             - name: STORAGE_S3_ENDPOINT
-              value: http://{{ .Release.Name }}-minio:9000
+              value: {{ include "texera.s3.endpoint" . }}
+              {{- if .Values.storage.s3.endpoint }}
+            - name: STORAGE_S3_REGION
+              value: {{ .Values.storage.s3.region | quote }}
+              {{- end }}
             - name: STORAGE_S3_AUTH_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-minio
-                  key: root-user
+                  name: {{ include "texera.s3.secretName" . }}
+                  key: {{ include "texera.s3.accessKeyIdKey" . }}
             - name: STORAGE_S3_AUTH_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Release.Name }}-minio
-                  key: root-password
+                  name: {{ include "texera.s3.secretName" . }}
+                  key: {{ include "texera.s3.secretAccessKeyKey" . }}
             # LakeFS Access (should be removed in production environment)
             - name: STORAGE_LAKEFS_ENDPOINT
               value: http://{{ .Release.Name }}-lakefs.{{ .Release.Namespace }}:8000/api/v1
diff --git a/bin/k8s/values.yaml b/bin/k8s/values.yaml
index 2974c27c882..64642b517a9 100644
--- a/bin/k8s/values.yaml
+++ b/bin/k8s/values.yaml
@@ -65,6 +65,18 @@ postgresql:
     initdb:
       scriptsConfigMap: "postgresql-init-script"
 
+# Object storage (S3) used by the Texera services. Leave storage.s3.endpoint
+# empty to use the in-cluster MinIO (the `minio:` block below). Set it to an
+# S3-compatible endpoint URL -- together with region and credentials -- to
+# point the services at an external store (e.g. AWS S3) instead.
+storage:
+  s3:
+    endpoint: ""  # "" => in-cluster MinIO; otherwise an S3 endpoint URL
+    region: "us-west-2"
+    existingSecret: ""  # existing Secret with access-key-id / secret-access-key; "" => chart creates one
+    accessKeyId: ""
+    secretAccessKey: ""
+
 minio:
   mode: standalone
   image:
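Review bot: The S3 env block added here is a copy of the one added to file-service-deployment.yaml in the same change — endpoint, conditional region, and the two secretKeyRef entries — so the next fix to one of them (quoting the endpoint, adding a header, switching credential source) has to be made twice and is easy to miss once. A named template in _helpers.tpl that renders the five env entries, included from both deployments as `{{- include "texera.s3.env" . | nindent 12 }}` with the indent matched to the surrounding list, would keep the two services in lock-step; the helper below also quotes the endpoint, which neither copy does today. The enclosing container spec starts and ends outside the hunk.
```yaml
{{/* S3 env entries shared by every service that talks to object storage. */}}
{{- define "texera.s3.env" -}}
- name: STORAGE_S3_ENDPOINT
  value: {{ include "texera.s3.endpoint" . | quote }}
{{- if .Values.storage.s3.endpoint }}
- name: STORAGE_S3_REGION
  value: {{ .Values.storage.s3.region | quote }}
{{- end }}
- name: STORAGE_S3_AUTH_USERNAME
  valueFrom:
    secretKeyRef:
      name: {{ include "texera.s3.secretName" . }}
      key: {{ include "texera.s3.accessKeyIdKey" . }}
- name: STORAGE_S3_AUTH_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ include "texera.s3.secretName" . }}
      key: {{ include "texera.s3.secretAccessKeyKey" . }}
{{- end -}}
```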
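Review bot: `accessKeyId` and `secretAccessKey` are offered as ordinary values with no warning, which invites long-lived static S3 keys into a values file that is normally committed to version control and that Helm also keeps in the stored release values. The comment above `storage:` should steer deployers away from that path: `# Prefer existingSecret for real deployments: accessKeyId/secretAccessKey set here end up in VCS and in Helm's stored release values.` It would also help to state which bucket operations the key needs so it can be issued as a bucket-scoped policy rather than a broad account key; the chart itself does not show those operations, so that list has to come from the services' S3 usage.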