Helm部署MinIO集群
添加Helm仓库
# 创建一个minio目录,后面的操作都在改目录下进行 [root@node1 ~]# mkdir minio [root@node1 ~]# cd minio/ # 添加仓库 [root@node1 minio]# helm repo add minio https://helm.min.io/ "minio" has been added to your repositories [root@node1 minio]#
搜索并下载MinIO Chart
[root@node1 minio]# helm search repo minio NAME CHART VERSION APP VERSION DESCRIPTION bitnami/minio 12.8.6 2023.9.16 MinIO(R) is an object storage server, compatibl... minio/minio 8.0.10 master High Performance, Kubernetes Native Object Storage stable/minio 0.5.5 Distributed object storage server built for clo... # 下载MinIO Chart [root@node1 minio]# helm fetch minio/minio [root@node1 minio]# ls minio-8.0.10.tgz # 解压下载下来的包 [root@node1 minio]# tar -xf minio-8.0.10.tgz [root@node1 minio]# ls minio minio-8.0.10.tgz [root@node1 minio]#
查看目录结构
# 进入minio目录 [root@node1 minio]# cd minio/ # 里面的文件结构如下 [root@node1 minio]# ls Chart.yaml ci README.md templates values.yaml
创建名称空间
后面将MinIO集群部署到该名称空间下
[root@node1 ~]# kubectl create ns minio namespace/minio created
创建一个Secret
# 创建名为tls-ssl-minio的Secret到minio名称空间下 [root@node1 cert]# kubectl create secret generic tls-ssl-minio --from-file=private.key --from-file=public.crt -n minio secret/tls-ssl-minio created # 查看是否创建成功 [root@node1 cert]# kubectl get secret -n minio NAME TYPE DATA AGE tls-ssl-minio Opaque 2 10s
修改value.yaml中的一些变量值
## Provide a name in place of minio for `app:` labels ## nameOverride: "" ## Provide a name to substitute for the full names of resources ## fullnameOverride: "" ## set kubernetes cluster domain where minio is running ## clusterDomain: cluster.local ## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the ## image: repository: minio/minio tag: RELEASE.2021-02-14T04-01-33Z pullPolicy: IfNotPresent ## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio ## client used to create a default bucket). ## mcImage: repository: minio/mc tag: RELEASE.2021-02-14T04-28-06Z pullPolicy: IfNotPresent ## Set default image, imageTag, and imagePullPolicy for the `jq` (the JSON ## process used to create secret for prometheus ServiceMonitor). ## helmKubectlJqImage: repository: bskim45/helm-kubectl-jq tag: 3.1.0 pullPolicy: IfNotPresent ## minio server mode, i.e. standalone or distributed. ## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide ## mode: distributed # 部署为分布式 ## Additional labels to include with deployment or statefulset additionalLabels: [] ## Additional annotations to include with deployment or statefulset additionalAnnotations: [] ## Additional arguments to pass to minio binary extraArgs: [] ## Update strategy for Deployments DeploymentUpdate: type: RollingUpdate maxUnavailable: 0 maxSurge: 100% ## Update strategy for StatefulSets StatefulSetUpdate: updateStrategy: RollingUpdate ## Pod priority settings ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ ## priorityClassName: "" ## Set default accesskey, secretkey, Minio config file path, volume mount path and ## number of nodes (only used for Minio distributed mode) ## AccessKey and secretKey is generated when not set ## Distributed Minio ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide ## accessKey: "admin" # 访问网页端的用户名 secretKey: "minio123456" # 访问网页端的密码 certsPath: "/etc/minio/certs/" configPathmc: "/etc/minio/mc/" mountPath: "/export" ## Use existing Secret that store following variables: ## ## | Chart var | .data. in Secret | ## |:----------------------|:-------------------------| ## | accessKey | accesskey | ## | secretKey | secretkey | ## | gcsgateway.gcsKeyJson | gcs_key.json | ## | s3gateway.accessKey | awsAccessKeyId | ## | s3gateway.secretKey | awsSecretAccessKey | ## | etcd.clientCert | etcd_client_cert.pem | ## | etcd.clientCertKey | etcd_client_cert_key.pem | ## ## All mentioned variables will be ignored in values file. ## .data.accesskey and .data.secretkey are mandatory, ## others depend on enabled status of corresponding sections. existingSecret: "" ## Override the root directory which the minio server should serve from. ## If left empty, it defaults to the value of {{ .Values.mountPath }} ## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }} bucketRoot: "" # Number of drives attached to a node drivesPerNode: 1 # Number of MinIO containers running replicas: 4 # Number of expanded MinIO clusters zones: 1 ## TLS Settings for Minio tls: enabled: false ## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret certSecret: "" publicCrt: public.crt privateKey: private.key ## Trusted Certificates Settings for Minio. Ref: https://docs.minio.io/docs/how-to-secure-access-to-minio-server-with-tls#install-certificates-from-third-party-cas ## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret ## When using self-signed certificates, remember to include Minio's own certificate in the bundle with key public.crt. ## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret. trustedCertsSecret: "" ## Enable persistence using Persistent Volume Claims ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ ## persistence: enabled: true ## A manually managed Persistent Volume and Claim ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound existingClaim: "" ## minio data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## ## Storage class of PV to bind. By default it looks for standard storage class. ## If the PV uses a different storage class, specify that here. storageClass: "rook-ceph-block" # 设置持久化所使用的sc VolumeName: "" accessMode: ReadWriteOnce size: 10Gi # 设置每个Pod所申请的PVC大小 ## If subPath is set mount a sub folder of a volume instead of the root of the volume. ## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs). ## subPath: "" ## Expose the Minio service to be accessed from outside the cluster (LoadBalancer service). ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. ## ref: http://kubernetes.io/docs/user-guide/services/ ## service: type: NodePort # 如果要想下面的nodePort生效,这里需要设置为NodePort clusterIP: ~ port: 9000 nodePort: 32100 # 设置nodePort 端口 ## List of IP addresses at which the Prometheus server service is available ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips ## externalIPs: [] # - externalIp1 annotations: {} # prometheus.io/scrape: 'true' # prometheus.io/path: '/minio/prometheus/metrics' # prometheus.io/port: '9000' ## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## imagePullSecrets: [] # - name: "image-pull-secret" ingress: enabled: false labels: {} # node-role.kubernetes.io/ingress: platform annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" # kubernetes.io/ingress.allow-http: "false" # kubernetes.io/ingress.global-static-ip-name: "" # nginx.ingress.kubernetes.io/secure-backends: "true" # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0 path: / hosts: - chart-example.local tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local ## Node labels for pod assignment ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ ## nodeSelector: {} tolerations: [] affinity: {} ## Add stateful containers to have security context, if enabled MinIO will run as this ## user and group NOTE: securityContext is only enabled if persistence.enabled=true securityContext: enabled: true runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 # Additational pod annotations podAnnotations: {} # Additional pod labels podLabels: {} ## Configure resource requests and limits ## ref: http://kubernetes.io/docs/user-guide/compute-resources/ ## resources: requests: memory: 4Gi ## Create a bucket after minio install ## defaultBucket: enabled: false ## If enabled, must be a string with length > 0 name: bucket ## Can be one of none|download|upload|public policy: none ## Purge if bucket exists already purge: false ## set versioning for bucket true|false # versioning: false ## Create multiple buckets after minio install ## Enabling `defaultBucket` will take priority over this list ## buckets: [] # - name: bucket1 # policy: none # purge: false # - name: bucket2 # policy: none # purge: false ## Additional Annotations for the Kubernetes Batch (make-bucket-job) makeBucketJob: podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 resources: requests: memory: 128Mi ## Additional Annotations for the Kubernetes Batch (update-prometheus-secret) updatePrometheusJob: podAnnotations: annotations: securityContext: enabled: false runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 s3gateway: enabled: false replicas: 4 serviceEndpoint: "" accessKey: "" secretKey: "" ## Use minio as an azure blob gateway, you should disable data persistence so no volume claim are created. ## https://docs.minio.io/docs/minio-gateway-for-azure azuregateway: enabled: false # Number of parallel instances replicas: 4 ## Use minio as GCS (Google Cloud Storage) gateway, you should disable data persistence so no volume claim are created. ## https://docs.minio.io/docs/minio-gateway-for-gcs gcsgateway: enabled: false # Number of parallel instances replicas: 4 # credential json file of service account key gcsKeyJson: "" # Google cloud project-id projectId: "" ## Use minio on NAS backend ## https://docs.minio.io/docs/minio-gateway-for-nas nasgateway: enabled: false # Number of parallel instances replicas: 4 # For NAS Gateway, you may want to bind the PVC to a specific PV. To ensure that happens, PV to bind to should have # a label like "pv: ", use value here. pv: ~ ## Use this field to add environment variables relevant to Minio server. These fields will be passed on to Minio container(s) ## when Chart is deployed environment: {} ## Please refer for comprehensive list https://docs.minio.io/docs/minio-server-configuration-guide.html ## MINIO_DOMAIN: "chart-example.local" ## MINIO_BROWSER: "off" networkPolicy: enabled: false allowExternal: true ## PodDisruptionBudget settings ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ ## podDisruptionBudget: enabled: false maxUnavailable: 1 ## Specify the service account to use for the Minio pods. If 'create' is set to 'false' ## and 'name' is left unspecified, the account 'default' will be used. serviceAccount: create: true ## The name of the service account to use. If 'create' is 'true', a service account with that name ## will be created. Otherwise, a name will be auto-generated. name: metrics: # Metrics can not be disabled yet: https://github.com/minio/minio/issues/7493 serviceMonitor: enabled: false additionalLabels: {} relabelConfigs: {} # namespace: monitoring # interval: 30s # scrapeTimeout: 10s ## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md ## Define endpoints to enable this section. etcd: endpoints: [] pathPrefix: "" corednsPathPrefix: "" clientCert: "" clientCertKey: ""
使用Helm安装
[root@node1 minio]# helm install minio . -n minio [root@node1 minio]# helm install minio . -n minio NAME: minio LAST DEPLOYED: Fri Sep 22 13:03:56 2023 NAMESPACE: minio STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: Minio can be accessed via port 9000 on the following DNS name from within your cluster: minio.minio.svc.cluster.local To access Minio from localhost, run the below commands: 1. export POD_NAME=$(kubectl get pods --namespace minio -l "release=minio" -o jsonpath="{.items[0].metadata.name}") 2. kubectl port-forward $POD_NAME 9000 --namespace minio Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/ You can now access Minio server on http://localhost:9000. Follow the below steps to connect to Minio server with mc client: 1. Download the Minio mc client - https://docs.minio.io/docs/minio-client-quickstart-guide 2. Get the ACCESS_KEY=$(kubectl get secret minio -o jsonpath="{.data.accesskey}" | base64 --decode) and the SECRET_KEY=$(kubectl get secret minio -o jsonpath="{.data.secretkey}" | base64 --decode) 3. mc alias set minio-local http://localhost:9000 "$ACCESS_KEY" "$SECRET_KEY" --api s3v4 4. mc ls minio-local Alternately, you can use your browser or the Minio SDK to access the server - https://docs.minio.io/categories/17
查看pod运行情况
[root@node1 ~]# kubectl get pods -n minio NAME READY STATUS RESTARTS AGE minio-0 1/1 Running 0 3m50s minio-1 1/1 Running 0 3m50s minio-2 1/1 Running 0 3m50s minio-3 1/1 Running 0 3m49s # 查看pvc [root@node1 minio]# kubectl get pvc -n minio NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE export-minio-0 Bound pvc-a70a5caa-2bad-40ab-bf19-dbbfccd3d151 10Gi RWO rook-ceph-block 28s export-minio-1 Bound pvc-c3c1a8c5-d429-47e4-acf6-a57da3bacd5a 10Gi RWO rook-ceph-block 28s export-minio-2 Bound pvc-15ed67b3-7ea0-4f06-ba46-93137480066c 10Gi RWO rook-ceph-block 28s export-minio-3 Bound pvc-a58ceb7f-dac0-4ee7-9a34-473c8f336d28 10Gi RWO rook-ceph-block 28s
查看Service地址
[root@node1 ~]# kubectl get service -n minio NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE minio NodePort 10.98.63.2 9000:32100/TCP 8m25s minio-svc ClusterIP None 9000/TCP 8m25s
登陆网页端上传文件验证
命令行方式访问测试
# 下载客户端 curl https://dl.min.io/client/mc/release/linux-amd64/mc --create-dirs -o $HOME/minio-binaries/mc chmod +x $HOME/minio-binaries/mc export PATH=$PATH:$HOME/minio-binaries/ # 查看命令行的帮助信息 [root@node1 minio]# mc --help NAME: mc - MinIO Client for object storage and filesystems. USAGE: mc [FLAGS] COMMAND [COMMAND FLAGS | -h] [ARGUMENTS...] COMMANDS: alias manage server credentials in configuration file ls list buckets and objects mb make a bucket rb remove a bucket cp copy objects mv move objects rm remove object(s) mirror synchronize object(s) to a remote site cat display object contents head display first 'n' lines of an object pipe stream STDIN to an object find search for objects sql run sql queries on objects stat show object metadata tree list buckets and objects in a tree format du summarize disk usage recursively retention set retention for object(s) legalhold manage legal hold for object(s) support support related commands license license related commands share generate URL for temporary access to an object version manage bucket versioning ilm manage bucket lifecycle quota manage bucket quota encrypt manage bucket encryption config event manage object notifications
访问MinIO中存储的文件
# 获取用户名和密码 [root@node1 minio]# ACCESS_KEY=$(kubectl get secret minio -o jsonpath="{.data.accesskey}" -n minio| base64 --decode) [root@node1 minio]# echo $ACCESS_KEY admin [root@node1 minio]# SECRET_KEY=$(kubectl get secret minio -o jsonpath="{.data.secretkey}" -n minio| base64 --decode) [root@node1 minio]# echo $SECRET_KEY minio123456 # 连接MinIO # 使用mc alias将服务器的密钥信息保存到配置文件 [root@node1 minio]# mc alias set my-minio http://192.168.0.184:32100 "$ACCESS_KEY" "$SECRET_KEY" --api s3v4 Added `my-minio` successfully. # 查看my-minio这个服务器里面存储的内容 [root@node1 minio]# mc ls my-minio [2023-09-22 19:14:56 CST] 0B books/ [root@node1 minio]# mc ls my-minio/books [2023-09-22 19:15:19 CST] 5.7MiB STANDARD 植物 鲜花.jpg
遇到的问题
问题一
[root@node1 minio]# helm install minio . -n minio Error: INSTALLATION FAILED: create: failed to create: Secret "sh.helm.release.v1.minio.v1" is invalid: data: Too long: must have at most 1048576 bytes
由于我在minio chart的解压目录新创建了一个cert文件夹,并生成了一些证书文件,导致了该错误的产生
解决办法: 删除除了minio Chart 包中以外的文件包括文件夹,重新执行安装。
参考文章
- github.com/minio/minio…
- artifacthub.io/packages/he…
- github.com/minio/opera…
