From 1dabfb4eada843155dd6dddaf252c29d96da2b55 Mon Sep 17 00:00:00 2001 From: Cesar N Date: Thu, 30 Jul 2020 15:21:45 -0700 Subject: [PATCH] Update to minio-operator 3.0.5 (#218) --- go.mod | 2 +- go.sum | 8 +- k8s/console/base/console-deployment.yaml | 1 - k8s/console/base/minio-operator.yaml | 1886 +++++++++++++++-- k8s/getoperator.sh | 3 - .../base/console-deployment.yaml | 1 - k8s/operator-console/base/minio-operator.yaml | 1886 +++++++++++++++-- 7 files changed, 3463 insertions(+), 324 deletions(-) delete mode 100755 k8s/getoperator.sh diff --git a/go.mod b/go.mod index 19b88800c..11cf2245d 100644 --- a/go.mod +++ b/go.mod @@ -20,7 +20,7 @@ require ( github.com/minio/mc v0.0.0-20200725183142-90d22b271f60 github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8 github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252 - github.com/minio/operator v0.0.0-20200726122325-9efe901afebb + github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1 github.com/pquerna/cachecontrol v0.0.0-20180517163645-1555304b9b35 // indirect github.com/satori/go.uuid v1.2.0 github.com/stretchr/testify v1.6.1 diff --git a/go.sum b/go.sum index 2a9b99c28..5869af4e0 100644 --- a/go.sum +++ b/go.sum @@ -143,6 +143,8 @@ github.com/go-ldap/ldap v3.0.2+incompatible h1:kD5HQcAzlQ7yrhfn+h+MSABeAy/jAJhvI github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc= github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= +github.com/go-logr/logr v0.2.0 h1:QvGt2nLcHH0WK9orKa+ppBPAxREcH364nPUedEpK0TY= +github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI= github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM= github.com/go-openapi/analysis v0.0.0-20180825180245-b006789cd277/go.mod h1:k70tL6pCuVxPJOHXQ+wIac1FUrvNkHolPie/cLEU6hI= @@ -463,8 +465,8 @@ github.com/minio/minio v0.0.0-20200725154241-abbf6ce6ccf8/go.mod h1:NBWtYp4t5pt3 github.com/minio/minio-go/v7 v7.0.1/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns= github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252 h1:V2JkMDoSmEIhRcMJwX3qeJVOzy1B5bHpHbZaQu77vbs= github.com/minio/minio-go/v7 v7.0.2-0.20200722162308-e0105ca08252/go.mod h1:dJ80Mv2HeGkYLH1sqS/ksz07ON6csH3S6JUMSQ2zAns= -github.com/minio/operator v0.0.0-20200726122325-9efe901afebb h1:xAfr+GIP+4c6fU+Ad8oWHVWKtbQ60Su3dfEv3nPPyWM= -github.com/minio/operator v0.0.0-20200726122325-9efe901afebb/go.mod h1:G0pMmQFV5b5OrH7/OmVKtPoHzj3SmHNgqDlTew1NM/Y= +github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1 h1:cTgvRgFBUVxbnxhQUioT2T7SH0M7AyvO7dDX32yKPGw= +github.com/minio/operator v0.0.0-20200730044813-c2895a5065a1/go.mod h1:RLhFkLcL65qmrgUQJHrRwb1Lb4yHgD/DfjNENY2WNXg= github.com/minio/selfupdate v0.3.0 h1:1qfaZscU3hWwX1cF5m5Dov8Z5aZNvPHk9LROzIkas1k= github.com/minio/selfupdate v0.3.0/go.mod h1:b8ThJzzH7u2MkF6PcIra7KaXO9Khf6alWPvMSyTDCFM= github.com/minio/sha256-simd v0.1.1 h1:5QHSlgo3nt5yKOJrC7W8w7X+NFl8cMPZm96iu8kKUJU= @@ -915,6 +917,8 @@ k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUc k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v1.0.0 h1:Pt+yjF5aB1xDSVbau4VsWe+dQNzA0qv1LlXdC2dF6Q8= k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= +k8s.io/klog/v2 v2.3.0 h1:WmkrnW7fdrm0/DMClc+HIxtftvxVIPAhlVwMQo5yLco= +k8s.io/klog/v2 v2.3.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c h1:/KUFqjjqAcY4Us6luF5RDNZ16KJtb49HfR3ZHB9qYXM= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6 h1:Oh3Mzx5pJ+yIumsAD0MOECPVeXsVot0UkiaCGVyfGQY= diff --git a/k8s/console/base/console-deployment.yaml b/k8s/console/base/console-deployment.yaml index a89c3cb55..2c1ef5afd 100644 --- a/k8s/console/base/console-deployment.yaml +++ b/k8s/console/base/console-deployment.yaml @@ -18,7 +18,6 @@ spec: image: minio/console:latest imagePullPolicy: "IfNotPresent" args: - - /console - server ports: - containerPort: 9090 diff --git a/k8s/console/base/minio-operator.yaml b/k8s/console/base/minio-operator.yaml index c7edf01cd..641e9a5b8 100644 --- a/k8s/console/base/minio-operator.yaml +++ b/k8s/console/base/minio-operator.yaml @@ -3,174 +3,1740 @@ kind: Namespace metadata: name: minio-operator --- -apiVersion: apiextensions.k8s.io/v1 +apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null name: tenants.minio.min.io spec: group: minio.min.io - scope: Namespaced names: kind: Tenant - singular: tenant + listKind: TenantList plural: tenants + shortNames: + - tenant + singular: tenant + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Tenant is a specification for a MinIO resource + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + scheduler: + description: TenantScheduler is the spec for a Tenant scheduler + properties: + name: + description: + SchedulerName defines the name of scheduler to be used + to schedule Tenant pods + type: string + required: + - name + type: object + spec: + description: TenantSpec is the spec for a Tenant resource + properties: + certConfig: + description: + CertConfig allows users to set entries like CommonName, + Organization, etc for the certificate + properties: + commonName: + type: string + dnsNames: + items: + type: string + type: array + organizationName: + items: + type: string + type: array + type: object + console: + description: + ConsoleConfiguration is for setting up minio/console for + graphical user interface + properties: + consoleSecret: + description: + This secret provides all environment variables for + KES This is a mandatory field + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + env: + description: + If provided, use these environment variables for Console + resource + items: + description: + EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: + 'Variable references $(VAR_NAME) are expanded + using the previous defined environment variables in the + container and any service environment variables. If a variable + cannot be resolved, the reference in the input string will + be unchanged. The $(VAR_NAME) syntax can be escaped with + a double $$, ie: $$(VAR_NAME). Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: + Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?" + type: string + optional: + description: + Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: + "Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs." + properties: + apiVersion: + description: + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: + Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: + "Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported." + properties: + containerName: + description: + "Container name: required for volumes, + optional for env vars" + type: string + divisor: + anyOf: + - type: integer + - type: string + description: + Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: + The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?" + type: string + optional: + description: + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + description: Image defines the Tenant Console Docker image. + type: string + metadata: + type: object + replicas: + description: Replicas defines number of pods for KES StatefulSet. + format: int32 + type: integer + resources: + description: + If provided, use these requests and limit for cpu/memory + resource allocation + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + required: + - consoleSecret + type: object + credsSecret: + description: + If provided, use this secret as the credentials for Tenant + resource Otherwise MinIO server creates dynamic credentials printed + on MinIO server startup banner + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + env: + description: + If provided, use these environment variables for Tenant + resource + items: + description: + EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: + 'Variable references $(VAR_NAME) are expanded using + the previous defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + The $(VAR_NAME) syntax can be escaped with a double $$, ie: + $$(VAR_NAME). Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: + Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + optional: + description: + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: + "Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs." + properties: + apiVersion: + description: + Version of the schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: + Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: + "Selects a resource of the container: only resources + limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported." + properties: + containerName: + description: + "Container name: required for volumes, optional + for env vars" + type: string + divisor: + anyOf: + - type: integer + - type: string + description: + Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: + The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + optional: + description: + Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + externalCertSecret: + description: + ExternalCertSecret allows a user to specify custom CA certificate, + and private key. This is used for enabling TLS support on MinIO Pods. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + externalClientCertSecret: + description: + ExternalClientCertSecret allows a user to specify custom + CA client certificate, and private key. This is used for adding client + certificates on MinIO Pods --> used for KES authentication. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + image: + description: Image defines the Tenant Docker image. + type: string + imagePullSecret: + description: + ImagePullSecret defines the secret to be used for pull + image from a private Docker image. + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + kes: + description: KES is for setting up minio/kes as MinIO KMS + properties: + externalCertSecret: + description: + ExternalCertSecret allows a user to specify custom + CA certificate, and private key for group replication SSL. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + image: + description: Image defines the Tenant KES Docker image. + type: string + kesSecret: + description: + This kesSecret serves as the configuration for KES + This is a mandatory field + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + metadata: + type: object + replicas: + description: Replicas defines number of pods for KES StatefulSet. + format: int32 + type: integer + required: + - kesSecret + type: object + liveness: + description: + Liveness Probe for container liveness. Container will be + restarted if the probe fails. + properties: + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + timeoutSeconds: + format: int32 + type: integer + required: + - initialDelaySeconds + - periodSeconds + - timeoutSeconds + type: object + metadata: + description: + Metadata defines the object metadata passed to each pod + that is a part of this Tenant + type: object + mountPath: + description: Mount path for MinIO volume (PV). Defaults to /export + type: string + podManagementPolicy: + description: Pod Management Policy for pod created by StatefulSet + type: string + requestAutoCert: + description: + "RequestAutoCert allows user to enable Kubernetes based + TLS cert generation and signing as explained here: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/" + type: boolean + securityContext: + description: + Security Context allows user to set entries like runAsUser, + privilege escalation etc. + properties: + fsGroup: + description: + "A special supplemental group that applies to all containers + in a pod. Some volume types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The owning GID will + be the FSGroup 2. The setgid bit is set (new files created in + the volume will be owned by FSGroup) 3. The permission bits are + OR'd with rw-rw---- \n If unset, the Kubelet will not modify the + ownership and permissions of any volume." + format: int64 + type: integer + fsGroupChangePolicy: + description: + 'fsGroupChangePolicy defines behavior of changing ownership + and permission of the volume before being exposed inside Pod. + This field will only apply to volume types which support fsGroup + based ownership(and permissions). It will have no effect on ephemeral + volume types such as: secret, configmaps and emptydir. Valid values + are "OnRootMismatch" and "Always". If not specified defaults to + "Always".' + type: string + runAsGroup: + description: + The GID to run the entrypoint of the container process. + Uses runtime default if unset. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + format: int64 + type: integer + runAsNonRoot: + description: + Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. May + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + format: int64 + type: integer + seLinuxOptions: + description: + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux + context for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + properties: + level: + description: + Level is SELinux level label that applies to the + container. + type: string + role: + description: + Role is a SELinux role label that applies to the + container. + type: string + type: + description: + Type is a SELinux type label that applies to the + container. + type: string + user: + description: + User is a SELinux user label that applies to the + container. + type: string + type: object + supplementalGroups: + description: + A list of groups applied to the first process run in + each container, in addition to the container's primary GID. If + unspecified, no groups will be added to any container. + items: + format: int64 + type: integer + type: array + sysctls: + description: + Sysctls hold a list of namespaced sysctls used for + the pod. Pods with unsupported sysctls (by the container runtime) + might fail to launch. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: + GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named by + the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: + GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + runAsUserName: + description: + The UserName in Windows to run the entrypoint of + the container process. Defaults to the user specified in image + metadata if unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: + ServiceAccountName is the name of the ServiceAccount to + use to run pods of all MinIO Pods created as a part of this Tenant. + type: string + serviceName: + description: + ServiceName defines name of the Service that will be created + for this instance, if none is specified, it will default to the instance + name + type: string + subPath: + description: + Subpath inside mount path. This is the directory where + MinIO stores data. Default to "" (empty) + type: string + zones: + description: Definition for Cluster in given MinIO cluster + items: + description: Zone defines the spec for a MinIO Zone + properties: + affinity: + description: + If specified, affinity will define the pod's scheduling + constraints + properties: + nodeAffinity: + description: + Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: + An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: + Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: + Required. A list of node selector terms. + The terms are ORed. + items: + description: + A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: + Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: + The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: + A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: + key is the label key + that the selector applies to. + type: string + operator: + description: + operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: + Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: + A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + key is the label key that + the selector applies to. + type: string + operator: + description: + operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: + Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: + The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: + A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: + key is the label key + that the selector applies to. + type: string + operator: + description: + operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: + Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: + A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + key is the label key that + the selector applies to. + type: string + operator: + description: + operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + name: + description: Name of the zone + type: string + nodeSelector: + additionalProperties: + type: string + description: + "NodeSelector is a selector which must be true for + the pod to fit on a node. Selector which must match a node's + labels for the pod to be scheduled on that node. More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" + type: object + resources: + description: + If provided, use these requests and limit for cpu/memory + resource allocation + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + servers: + description: Number of Servers in the zone + format: int32 + type: integer + tolerations: + description: + Tolerations allows users to set entries like effect, + key, operator, value. + items: + description: + The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: + Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: + Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: + Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: + TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + volumeClaimTemplate: + description: + VolumeClaimTemplate allows a user to specify how + volumes inside a Tenant + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + type: object + spec: + description: + "Spec defines the desired characteristics of + a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + properties: + accessModes: + description: + "AccessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" + items: + type: string + type: array + dataSource: + description: + "This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot + - Beta) * An existing PVC (PersistentVolumeClaim) * + An existing custom resource/object that implements data + population (Alpha) In order to use VolumeSnapshot object + types, the appropriate feature gate must be enabled + (VolumeSnapshotDataSource or AnyVolumeDataSource) If + the provisioner or an external controller can support + the specified data source, it will create a new volume + based on the contents of the specified data source. + If the specified data source is not supported, the volume + will not be created and the failure will be reported + as an event. In the future, we plan to support more + data source types and the behavior of the provisioner + may change." + properties: + apiGroup: + description: + APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + resources: + description: + "Resources represents the minimum resources + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources" + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + selector: + description: + A label query over volumes to consider for + binding. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: + A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: + operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: + values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + storageClassName: + description: + "Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1" + type: string + volumeMode: + description: + volumeMode defines what type of volume is + required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: + VolumeName is the binding reference to the + PersistentVolume backing this claim. + type: string + type: object + status: + description: + "Status represents the current information/status + of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + properties: + accessModes: + description: + "AccessModes contains the actual access modes + the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" + items: + type: string + type: array + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + Represents the actual resources of the underlying + volume. + type: object + conditions: + description: + Current Condition of persistent volume claim. + If underlying persistent volume is being resized then + the Condition will be set to 'ResizeStarted'. + items: + description: + PersistentVolumeClaimCondition contails + details about state of pvc + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: + Last time the condition transitioned + from one status to another. + format: date-time + type: string + message: + description: + Human-readable message indicating details + about last transition. + type: string + reason: + description: + Unique, this should be a short, machine + understandable string that gives the reason for + condition's last transition. If it reports "ResizeStarted" + that means the underlying persistent volume is + being resized. + type: string + status: + type: string + type: + description: + PersistentVolumeClaimConditionType + is a valid value of PersistentVolumeClaimCondition.Type + type: string + required: + - status + - type + type: object + type: array + phase: + description: Phase represents the current phase of PersistentVolumeClaim. + type: string + type: object + type: object + volumesPerServer: + description: + Number of persistent volumes that will be attached + per server + format: int32 + type: integer + required: + - servers + - volumeClaimTemplate + - volumesPerServer + type: object + type: array + required: + - zones + type: object + status: + description: Status provides details of the state of the Tenant + properties: + availableReplicas: + format: int32 + type: integer + currentState: + type: string + required: + - availableReplicas + - currentState + type: object + required: + - spec + type: object + version: v1 versions: - name: v1 served: true storage: true - schema: - # openAPIV3Schema is the schema for validating custom objects. - # Refer https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#specifying-a-structural-schema - # for more details - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - serviceName: - type: string - serviceAccountName: - type: string - zones: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - name: - type: string - servers: - type: integer - volumesPerServer: - type: integer - volumeClaimTemplate: - type: object - x-kubernetes-preserve-unknown-fields: true - resources: - type: object - x-kubernetes-preserve-unknown-fields: true - nodeSelector: - type: object - x-kubernetes-preserve-unknown-fields: true - affinity: - type: object - x-kubernetes-preserve-unknown-fields: true - tolerations: - type: object - x-kubernetes-preserve-unknown-fields: true - mountPath: - type: string - podManagementPolicy: - type: string - enum: [Parallel,OrderedReady] - default: Parallel - requestAutoCert: - type: boolean - default: false - certConfig: - type: object - properties: - commonName: - type: string - organizationName: - type: array - items: - type: string - dnsNames: - type: array - items: - type: string - version: - type: string - mountpath: - type: string - subpath: - type: string - nodeSelector: - type: object - x-kubernetes-preserve-unknown-fields: true - credsSecret: - type: object - x-kubernetes-preserve-unknown-fields: true - env: - type: object - x-kubernetes-preserve-unknown-fields: true - console: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - replicas: - type: integer - default: 2 - consoleSecret: - type: object - properties: - name: - type: string - resources: - type: object - x-kubernetes-preserve-unknown-fields: true - env: - type: object - x-kubernetes-preserve-unknown-fields: true - kes: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - replicas: - type: integer - default: 2 - kesSecret: - type: object - properties: - name: - type: string - liveness: - type: object - properties: - initialDelaySeconds: - type: integer - periodSeconds: - type: integer - timeoutSeconds: - type: integer - status: - type: object - properties: - currentState: - type: string - subresources: - # status enables the status subresource. - status: {} - additionalPrinterColumns: - - name: Current State - type: string - jsonPath: ".status.currentState" +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: name: minio-operator - namespace: default + namespace: minio-operator --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: minio-operator-role @@ -237,17 +1803,17 @@ rules: - apiGroups: - minio.min.io resources: - - '*' + - "*" verbs: - - '*' + - "*" - apiGroups: - min.io resources: - - '*' + - "*" verbs: - - '*' + - "*" --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: minio-operator-binding @@ -258,13 +1824,13 @@ roleRef: subjects: - kind: ServiceAccount name: minio-operator - namespace: default + namespace: minio-operator --- apiVersion: apps/v1 kind: Deployment metadata: name: minio-operator - namespace: default + namespace: minio-operator spec: replicas: 1 selector: @@ -276,7 +1842,11 @@ spec: name: minio-operator spec: containers: - - image: minio/k8s-operator:v3.0.2 + - image: minio/k8s-operator:v3.0.5 imagePullPolicy: IfNotPresent name: minio-operator + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: minio-operator diff --git a/k8s/getoperator.sh b/k8s/getoperator.sh deleted file mode 100755 index 96986c8d1..000000000 --- a/k8s/getoperator.sh +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/bash -# Get's the latest deployment file from MinIO Operator -curl https://raw.githubusercontent.com/minio/operator/master/minio-operator.yaml > operator-console/base/minio-operator.yaml diff --git a/k8s/operator-console/base/console-deployment.yaml b/k8s/operator-console/base/console-deployment.yaml index 3d4d6b4af..be83cfbb0 100644 --- a/k8s/operator-console/base/console-deployment.yaml +++ b/k8s/operator-console/base/console-deployment.yaml @@ -21,7 +21,6 @@ spec: - name: CONSOLE_OPERATOR_MODE value: "on" args: - - /console - server ports: - containerPort: 9090 diff --git a/k8s/operator-console/base/minio-operator.yaml b/k8s/operator-console/base/minio-operator.yaml index c7edf01cd..641e9a5b8 100644 --- a/k8s/operator-console/base/minio-operator.yaml +++ b/k8s/operator-console/base/minio-operator.yaml @@ -3,174 +3,1740 @@ kind: Namespace metadata: name: minio-operator --- -apiVersion: apiextensions.k8s.io/v1 +apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null name: tenants.minio.min.io spec: group: minio.min.io - scope: Namespaced names: kind: Tenant - singular: tenant + listKind: TenantList plural: tenants + shortNames: + - tenant + singular: tenant + scope: Namespaced + subresources: + status: {} + validation: + openAPIV3Schema: + description: Tenant is a specification for a MinIO resource + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + type: object + scheduler: + description: TenantScheduler is the spec for a Tenant scheduler + properties: + name: + description: + SchedulerName defines the name of scheduler to be used + to schedule Tenant pods + type: string + required: + - name + type: object + spec: + description: TenantSpec is the spec for a Tenant resource + properties: + certConfig: + description: + CertConfig allows users to set entries like CommonName, + Organization, etc for the certificate + properties: + commonName: + type: string + dnsNames: + items: + type: string + type: array + organizationName: + items: + type: string + type: array + type: object + console: + description: + ConsoleConfiguration is for setting up minio/console for + graphical user interface + properties: + consoleSecret: + description: + This secret provides all environment variables for + KES This is a mandatory field + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + env: + description: + If provided, use these environment variables for Console + resource + items: + description: + EnvVar represents an environment variable present + in a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: + 'Variable references $(VAR_NAME) are expanded + using the previous defined environment variables in the + container and any service environment variables. If a variable + cannot be resolved, the reference in the input string will + be unchanged. The $(VAR_NAME) syntax can be escaped with + a double $$, ie: $$(VAR_NAME). Escaped references will never + be expanded, regardless of whether the variable exists or + not. Defaults to "".' + type: string + valueFrom: + description: + Source for the environment variable's value. + Cannot be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?" + type: string + optional: + description: + Specify whether the ConfigMap or its + key must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: + "Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, + status.podIP, status.podIPs." + properties: + apiVersion: + description: + Version of the schema the FieldPath is + written in terms of, defaults to "v1". + type: string + fieldPath: + description: + Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: + "Selects a resource of the container: only + resources limits and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, requests.memory + and requests.ephemeral-storage) are currently supported." + properties: + containerName: + description: + "Container name: required for volumes, + optional for env vars" + type: string + divisor: + anyOf: + - type: integer + - type: string + description: + Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: + The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?" + type: string + optional: + description: + Specify whether the Secret or its key + must be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + image: + description: Image defines the Tenant Console Docker image. + type: string + metadata: + type: object + replicas: + description: Replicas defines number of pods for KES StatefulSet. + format: int32 + type: integer + resources: + description: + If provided, use these requests and limit for cpu/memory + resource allocation + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + required: + - consoleSecret + type: object + credsSecret: + description: + If provided, use this secret as the credentials for Tenant + resource Otherwise MinIO server creates dynamic credentials printed + on MinIO server startup banner + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + env: + description: + If provided, use these environment variables for Tenant + resource + items: + description: + EnvVar represents an environment variable present in + a Container. + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: + 'Variable references $(VAR_NAME) are expanded using + the previous defined environment variables in the container + and any service environment variables. If a variable cannot + be resolved, the reference in the input string will be unchanged. + The $(VAR_NAME) syntax can be escaped with a double $$, ie: + $$(VAR_NAME). Escaped references will never be expanded, regardless + of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: + Source for the environment variable's value. Cannot + be used if value is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + optional: + description: + Specify whether the ConfigMap or its key + must be defined + type: boolean + required: + - key + type: object + fieldRef: + description: + "Selects a field of the pod: supports metadata.name, + metadata.namespace, metadata.labels, metadata.annotations, + spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, + status.podIPs." + properties: + apiVersion: + description: + Version of the schema the FieldPath is written + in terms of, defaults to "v1". + type: string + fieldPath: + description: + Path of the field to select in the specified + API version. + type: string + required: + - fieldPath + type: object + resourceFieldRef: + description: + "Selects a resource of the container: only resources + limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, + requests.cpu, requests.memory and requests.ephemeral-storage) + are currently supported." + properties: + containerName: + description: + "Container name: required for volumes, optional + for env vars" + type: string + divisor: + anyOf: + - type: integer + - type: string + description: + Specifies the output format of the exposed + resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: "Required: resource to select" + type: string + required: + - resource + type: object + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + properties: + key: + description: + The key of the secret to select from. Must + be a valid secret key. + type: string + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + optional: + description: + Specify whether the Secret or its key must + be defined + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + externalCertSecret: + description: + ExternalCertSecret allows a user to specify custom CA certificate, + and private key. This is used for enabling TLS support on MinIO Pods. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + externalClientCertSecret: + description: + ExternalClientCertSecret allows a user to specify custom + CA client certificate, and private key. This is used for adding client + certificates on MinIO Pods --> used for KES authentication. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + image: + description: Image defines the Tenant Docker image. + type: string + imagePullSecret: + description: + ImagePullSecret defines the secret to be used for pull + image from a private Docker image. + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + kes: + description: KES is for setting up minio/kes as MinIO KMS + properties: + externalCertSecret: + description: + ExternalCertSecret allows a user to specify custom + CA certificate, and private key for group replication SSL. + properties: + name: + type: string + type: + type: string + required: + - name + type: object + image: + description: Image defines the Tenant KES Docker image. + type: string + kesSecret: + description: + This kesSecret serves as the configuration for KES + This is a mandatory field + properties: + name: + description: + "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?" + type: string + type: object + metadata: + type: object + replicas: + description: Replicas defines number of pods for KES StatefulSet. + format: int32 + type: integer + required: + - kesSecret + type: object + liveness: + description: + Liveness Probe for container liveness. Container will be + restarted if the probe fails. + properties: + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + timeoutSeconds: + format: int32 + type: integer + required: + - initialDelaySeconds + - periodSeconds + - timeoutSeconds + type: object + metadata: + description: + Metadata defines the object metadata passed to each pod + that is a part of this Tenant + type: object + mountPath: + description: Mount path for MinIO volume (PV). Defaults to /export + type: string + podManagementPolicy: + description: Pod Management Policy for pod created by StatefulSet + type: string + requestAutoCert: + description: + "RequestAutoCert allows user to enable Kubernetes based + TLS cert generation and signing as explained here: https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/" + type: boolean + securityContext: + description: + Security Context allows user to set entries like runAsUser, + privilege escalation etc. + properties: + fsGroup: + description: + "A special supplemental group that applies to all containers + in a pod. Some volume types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The owning GID will + be the FSGroup 2. The setgid bit is set (new files created in + the volume will be owned by FSGroup) 3. The permission bits are + OR'd with rw-rw---- \n If unset, the Kubelet will not modify the + ownership and permissions of any volume." + format: int64 + type: integer + fsGroupChangePolicy: + description: + 'fsGroupChangePolicy defines behavior of changing ownership + and permission of the volume before being exposed inside Pod. + This field will only apply to volume types which support fsGroup + based ownership(and permissions). It will have no effect on ephemeral + volume types such as: secret, configmaps and emptydir. Valid values + are "OnRootMismatch" and "Always". If not specified defaults to + "Always".' + type: string + runAsGroup: + description: + The GID to run the entrypoint of the container process. + Uses runtime default if unset. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + format: int64 + type: integer + runAsNonRoot: + description: + Indicates that the container must run as a non-root + user. If true, the Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no such validation + will be performed. May also be set in SecurityContext. If set + in both SecurityContext and PodSecurityContext, the value specified + in SecurityContext takes precedence. + type: boolean + runAsUser: + description: + The UID to run the entrypoint of the container process. + Defaults to user specified in image metadata if unspecified. May + also be set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in SecurityContext + takes precedence for that container. + format: int64 + type: integer + seLinuxOptions: + description: + The SELinux context to be applied to all containers. + If unspecified, the container runtime will allocate a random SELinux + context for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, the value + specified in SecurityContext takes precedence for that container. + properties: + level: + description: + Level is SELinux level label that applies to the + container. + type: string + role: + description: + Role is a SELinux role label that applies to the + container. + type: string + type: + description: + Type is a SELinux type label that applies to the + container. + type: string + user: + description: + User is a SELinux user label that applies to the + container. + type: string + type: object + supplementalGroups: + description: + A list of groups applied to the first process run in + each container, in addition to the container's primary GID. If + unspecified, no groups will be added to any container. + items: + format: int64 + type: integer + type: array + sysctls: + description: + Sysctls hold a list of namespaced sysctls used for + the pod. Pods with unsupported sysctls (by the container runtime) + might fail to launch. + items: + description: Sysctl defines a kernel parameter to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: + The Windows specific settings applied to all containers. + If unspecified, the options within a container's SecurityContext + will be used. If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + properties: + gmsaCredentialSpec: + description: + GMSACredentialSpec is where the GMSA admission + webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential spec named by + the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: + GMSACredentialSpecName is the name of the GMSA + credential spec to use. + type: string + runAsUserName: + description: + The UserName in Windows to run the entrypoint of + the container process. Defaults to the user specified in image + metadata if unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence. + type: string + type: object + type: object + serviceAccountName: + description: + ServiceAccountName is the name of the ServiceAccount to + use to run pods of all MinIO Pods created as a part of this Tenant. + type: string + serviceName: + description: + ServiceName defines name of the Service that will be created + for this instance, if none is specified, it will default to the instance + name + type: string + subPath: + description: + Subpath inside mount path. This is the directory where + MinIO stores data. Default to "" (empty) + type: string + zones: + description: Definition for Cluster in given MinIO cluster + items: + description: Zone defines the spec for a MinIO Zone + properties: + affinity: + description: + If specified, affinity will define the pod's scheduling + constraints + properties: + nodeAffinity: + description: + Describes node affinity scheduling rules for + the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node matches the corresponding matchExpressions; + the node(s) with the highest sum are the most preferred. + items: + description: + An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects + (i.e. is also a no-op). + properties: + preference: + description: + A node selector term, associated with + the corresponding weight. + properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: + Weight associated with matching the + corresponding nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to an update), the system + may or may not try to eventually evict the pod from + its node. + properties: + nodeSelectorTerms: + description: + Required. A list of node selector terms. + The terms are ORed. + items: + description: + A null or empty node selector term + matches no objects. The requirements of them are + ANDed. The TopologySelectorTerm type implements + a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: + A list of node selector requirements + by node's labels. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: + A list of node selector requirements + by node's fields. + items: + description: + A node selector requirement is + a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + The label key that the selector + applies to. + type: string + operator: + description: + Represents a key's relationship + to a set of values. Valid operators + are In, NotIn, Exists, DoesNotExist. + Gt, and Lt. + type: string + values: + description: + An array of string values. + If the operator is In or NotIn, the + values array must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. If the + operator is Gt or Lt, the values array + must have a single element, which will + be interpreted as an integer. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: + Describes pod affinity scheduling rules (e.g. + co-locate this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the affinity expressions specified + by this field, but it may choose a node that violates + one or more of the expressions. The node that is most + preferred is the one with the greatest sum of weights, + i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: + The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: + A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: + key is the label key + that the selector applies to. + type: string + operator: + description: + operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the affinity requirements + specified by this field cease to be met at some point + during pod execution (e.g. due to a pod label update), + the system may or may not try to eventually evict the + pod from its node. When there are multiple elements, + the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: + Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: + A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + key is the label key that + the selector applies to. + type: string + operator: + description: + operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: + Describes pod anti-affinity scheduling rules + (e.g. avoid putting this pod in the same node, zone, etc. + as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: + The scheduler will prefer to schedule pods + to nodes that satisfy the anti-affinity expressions + specified by this field, but it may choose a node that + violates one or more of the expressions. The node that + is most preferred is the one with the greatest sum of + weights, i.e. for each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + anti-affinity expressions, etc.), compute a sum by iterating + through the elements of this field and adding "weight" + to the sum if the node has pods which matches the corresponding + podAffinityTerm; the node(s) with the highest sum are + the most preferred. + items: + description: + The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred + node(s) + properties: + podAffinityTerm: + description: + Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: + A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: + key is the label key + that the selector applies to. + type: string + operator: + description: + operator represents a + key's relationship to a set of values. + Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: + values is an array of + string values. If the operator is + In or NotIn, the values array must + be non-empty. If the operator is + Exists or DoesNotExist, the values + array must be empty. This array + is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the + pods matching the labelSelector in the specified + namespaces, where co-located is defined as + running on a node whose value of the label + with key topologyKey matches that of any node + on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: + weight associated with matching the + corresponding podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: + If the anti-affinity requirements specified + by this field are not met at scheduling time, the pod + will not be scheduled onto the node. If the anti-affinity + requirements specified by this field cease to be met + at some point during pod execution (e.g. due to a pod + label update), the system may or may not try to eventually + evict the pod from its node. When there are multiple + elements, the lists of nodes corresponding to each podAffinityTerm + are intersected, i.e. all terms must be satisfied. + items: + description: + Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not + co-located (anti-affinity) with, where co-located + is defined as running on a node whose value of the + label with key matches that of any node + on which a pod of the set of pods is running + properties: + labelSelector: + description: + A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: + A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: + key is the label key that + the selector applies to. + type: string + operator: + description: + operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: + values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: + namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: + This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + name: + description: Name of the zone + type: string + nodeSelector: + additionalProperties: + type: string + description: + "NodeSelector is a selector which must be true for + the pod to fit on a node. Selector which must match a node's + labels for the pod to be scheduled on that node. More info: + https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" + type: object + resources: + description: + If provided, use these requests and limit for cpu/memory + resource allocation + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount of compute + resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + servers: + description: Number of Servers in the zone + format: int32 + type: integer + tolerations: + description: + Tolerations allows users to set entries like effect, + key, operator, value. + items: + description: + The pod this Toleration is attached to tolerates + any taint that matches the triple using + the matching operator . + properties: + effect: + description: + Effect indicates the taint effect to match. + Empty means match all taint effects. When specified, allowed + values are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: + Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match + all values and all keys. + type: string + operator: + description: + Operator represents a key's relationship to + the value. Valid operators are Exists and Equal. Defaults + to Equal. Exists is equivalent to wildcard for value, + so that a pod can tolerate all taints of a particular + category. + type: string + tolerationSeconds: + description: + TolerationSeconds represents the period of + time the toleration (which must be of effect NoExecute, + otherwise this field is ignored) tolerates the taint. + By default, it is not set, which means tolerate the taint + forever (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: + Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + volumeClaimTemplate: + description: + VolumeClaimTemplate allows a user to specify how + volumes inside a Tenant + properties: + apiVersion: + description: + "APIVersion defines the versioned schema of this + representation of an object. Servers should convert recognized + schemas to the latest internal value, and may reject unrecognized + values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources" + type: string + kind: + description: + "Kind is a string value representing the REST + resource this object represents. Servers may infer this + from the endpoint the client submits requests to. Cannot + be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds" + type: string + metadata: + description: "Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata" + type: object + spec: + description: + "Spec defines the desired characteristics of + a volume requested by a pod author. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + properties: + accessModes: + description: + "AccessModes contains the desired access + modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" + items: + type: string + type: array + dataSource: + description: + "This field can be used to specify either: + * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot + - Beta) * An existing PVC (PersistentVolumeClaim) * + An existing custom resource/object that implements data + population (Alpha) In order to use VolumeSnapshot object + types, the appropriate feature gate must be enabled + (VolumeSnapshotDataSource or AnyVolumeDataSource) If + the provisioner or an external controller can support + the specified data source, it will create a new volume + based on the contents of the specified data source. + If the specified data source is not supported, the volume + will not be created and the failure will be reported + as an event. In the future, we plan to support more + data source types and the behavior of the provisioner + may change." + properties: + apiGroup: + description: + APIGroup is the group for the resource + being referenced. If APIGroup is not specified, + the specified Kind must be in the core API group. + For any other third-party types, APIGroup is required. + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - kind + - name + type: object + resources: + description: + "Resources represents the minimum resources + the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources" + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Limits describes the maximum amount + of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + "Requests describes the minimum amount + of compute resources required. If Requests is omitted + for a container, it defaults to Limits if that is + explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/" + type: object + type: object + selector: + description: + A label query over volumes to consider for + binding. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: + A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: + operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: + values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: + matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + storageClassName: + description: + "Name of the StorageClass required by the + claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1" + type: string + volumeMode: + description: + volumeMode defines what type of volume is + required by the claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: + VolumeName is the binding reference to the + PersistentVolume backing this claim. + type: string + type: object + status: + description: + "Status represents the current information/status + of a persistent volume claim. Read-only. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims" + properties: + accessModes: + description: + "AccessModes contains the actual access modes + the volume backing the PVC has. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1" + items: + type: string + type: array + capacity: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: + Represents the actual resources of the underlying + volume. + type: object + conditions: + description: + Current Condition of persistent volume claim. + If underlying persistent volume is being resized then + the Condition will be set to 'ResizeStarted'. + items: + description: + PersistentVolumeClaimCondition contails + details about state of pvc + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: + Last time the condition transitioned + from one status to another. + format: date-time + type: string + message: + description: + Human-readable message indicating details + about last transition. + type: string + reason: + description: + Unique, this should be a short, machine + understandable string that gives the reason for + condition's last transition. If it reports "ResizeStarted" + that means the underlying persistent volume is + being resized. + type: string + status: + type: string + type: + description: + PersistentVolumeClaimConditionType + is a valid value of PersistentVolumeClaimCondition.Type + type: string + required: + - status + - type + type: object + type: array + phase: + description: Phase represents the current phase of PersistentVolumeClaim. + type: string + type: object + type: object + volumesPerServer: + description: + Number of persistent volumes that will be attached + per server + format: int32 + type: integer + required: + - servers + - volumeClaimTemplate + - volumesPerServer + type: object + type: array + required: + - zones + type: object + status: + description: Status provides details of the state of the Tenant + properties: + availableReplicas: + format: int32 + type: integer + currentState: + type: string + required: + - availableReplicas + - currentState + type: object + required: + - spec + type: object + version: v1 versions: - name: v1 served: true storage: true - schema: - # openAPIV3Schema is the schema for validating custom objects. - # Refer https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#specifying-a-structural-schema - # for more details - openAPIV3Schema: - type: object - properties: - spec: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - serviceName: - type: string - serviceAccountName: - type: string - zones: - type: array - items: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - name: - type: string - servers: - type: integer - volumesPerServer: - type: integer - volumeClaimTemplate: - type: object - x-kubernetes-preserve-unknown-fields: true - resources: - type: object - x-kubernetes-preserve-unknown-fields: true - nodeSelector: - type: object - x-kubernetes-preserve-unknown-fields: true - affinity: - type: object - x-kubernetes-preserve-unknown-fields: true - tolerations: - type: object - x-kubernetes-preserve-unknown-fields: true - mountPath: - type: string - podManagementPolicy: - type: string - enum: [Parallel,OrderedReady] - default: Parallel - requestAutoCert: - type: boolean - default: false - certConfig: - type: object - properties: - commonName: - type: string - organizationName: - type: array - items: - type: string - dnsNames: - type: array - items: - type: string - version: - type: string - mountpath: - type: string - subpath: - type: string - nodeSelector: - type: object - x-kubernetes-preserve-unknown-fields: true - credsSecret: - type: object - x-kubernetes-preserve-unknown-fields: true - env: - type: object - x-kubernetes-preserve-unknown-fields: true - console: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - replicas: - type: integer - default: 2 - consoleSecret: - type: object - properties: - name: - type: string - resources: - type: object - x-kubernetes-preserve-unknown-fields: true - env: - type: object - x-kubernetes-preserve-unknown-fields: true - kes: - type: object - x-kubernetes-preserve-unknown-fields: true - properties: - metadata: - type: object - x-kubernetes-preserve-unknown-fields: true - image: - type: string - replicas: - type: integer - default: 2 - kesSecret: - type: object - properties: - name: - type: string - liveness: - type: object - properties: - initialDelaySeconds: - type: integer - periodSeconds: - type: integer - timeoutSeconds: - type: integer - status: - type: object - properties: - currentState: - type: string - subresources: - # status enables the status subresource. - status: {} - additionalPrinterColumns: - - name: Current State - type: string - jsonPath: ".status.currentState" +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] --- apiVersion: v1 kind: ServiceAccount metadata: name: minio-operator - namespace: default + namespace: minio-operator --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: minio-operator-role @@ -237,17 +1803,17 @@ rules: - apiGroups: - minio.min.io resources: - - '*' + - "*" verbs: - - '*' + - "*" - apiGroups: - min.io resources: - - '*' + - "*" verbs: - - '*' + - "*" --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: minio-operator-binding @@ -258,13 +1824,13 @@ roleRef: subjects: - kind: ServiceAccount name: minio-operator - namespace: default + namespace: minio-operator --- apiVersion: apps/v1 kind: Deployment metadata: name: minio-operator - namespace: default + namespace: minio-operator spec: replicas: 1 selector: @@ -276,7 +1842,11 @@ spec: name: minio-operator spec: containers: - - image: minio/k8s-operator:v3.0.2 + - image: minio/k8s-operator:v3.0.5 imagePullPolicy: IfNotPresent name: minio-operator + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 serviceAccountName: minio-operator