fix: update mtls configuration for standalone and distributed mode (#2565)

majinghe
2026-04-16 17:26:36 +08:00
committed by GitHub
parent 28edfd6190
commit af93d2daba
6 changed files with 118 additions and 29 deletions


@@ -102,7 +102,8 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m
| mode.standalone.existingClaim.dataClaim |string |`""` |Whether to use existing pvc claim for data storage. |
| mode.standalone.existingClaim.logsClaim |string |`""` |Whether to use existing pvc claim for logs storage. |
| mtls.enabled | bool | `false` | Enable mtls betweens pods. |
| mtls.serverOnly | bool | `false` | Only enable server https. |
| mtls.clientCertPath | string | `/opt/tls/client_cert.pem` | The path for client cert. |
| mtls.clientKeyPath | string | `/opt/tls/client_key.pem` | The path for client key. |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| pdb.create | bool | `false` | Enable/disable a Pod Disruption Budget creation |


@@ -191,4 +191,66 @@ Render RUSTFS_SERVER_DOMAINS
{{- $domains = append $domains $podDomain -}}
{{- end -}}
{{- join "," $domains -}}
{{- end -}}
{{- end -}}
{{/* Render probe command for liveness and readiness
*/}}
{{- define "rustfs.probeCommand" -}}
{{- $endpoint_port := .Values.service.endpoint.port | default 9000 -}}
{{- $console_port := .Values.service.console.port | default 9001 -}}
{{- $args := "-skf" -}}
{{- if and .Values.mtls.enabled -}}
{{- $args = printf "%s --cert %s --key %s" $args .Values.mtls.clientCertPath .Values.mtls.clientKeyPath -}}
{{- end -}}
- /bin/sh
- -c
- |
curl {{ $args }} https://127.0.0.1:{{ $endpoint_port }}/health/ready && \
curl {{ $args }} https://127.0.0.1:{{ $console_port }}/rustfs/console/health
{{- end -}}
{{/*
Render liveness and readiness probe for http and https
*/}}
{{- define "rustfs.probes" -}}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
{{- if .Values.mtls.enabled }}
exec:
command:
{{ include "rustfs.probeCommand" . | nindent 6 }}
{{- else }}
httpGet:
path: /health
port: {{ .Values.service.endpoint.port | default 9000 }}
scheme: {{ if .Values.mtls.enabled }}HTTPS{{ else }}HTTP{{ end }}
{{- end }}
initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds | default 60 }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 5 }}
timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds | default 3 }}
successThreshold: {{ .Values.livenessProbe.successThreshold | default 1 }}
failureThreshold: {{ .Values.livenessProbe.failureThreshold | default 3 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
{{- if .Values.mtls.enabled }}
exec:
command:
{{ include "rustfs.probeCommand" . | nindent 6 }}
{{- else }}
httpGet:
path: /health/ready
port: {{ .Values.service.endpoint.port | default 9000 }}
scheme: {{ if .Values.mtls.enabled }}HTTPS{{ else }}HTTP{{ end }}
{{- end }}
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds | default 60 }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 5 }}
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds | default 3 }}
successThreshold: {{ .Values.readinessProbe.successThreshold | default 1 }}
failureThreshold: {{ .Values.readinessProbe.failureThreshold | default 3 }}
{{- end }}
{{- end -}}
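Review bot: `rustfs.probeCommand` appends `--cert`/`--key` whenever `mtls.enabled` is true, but the statefulset hunk in this same commit only mounts `client-cert` when `mtls.serverOnly` is false, so with `serverOnly: true` the probe's curl would reference files that are not in the container and the pods would fail their liveness and readiness checks. The guard on the `$args` line should read `{{- if and .Values.mtls.enabled (not .Values.mtls.serverOnly) -}}` (the current `and` with a single operand is a no-op and reads as if something were dropped). In `rustfs.probes` the `scheme:` conditional inside each `{{- else }}` branch can only render `HTTP`, because that branch is reached only when `mtls.enabled` is false; `scheme: HTTP` says the same more plainly. Separately, `-skf` disables server-certificate verification even though this commit also mounts the CA at `/opt/tls/ca.crt`; `--cacert /opt/tls/ca.crt` would let the loopback probe verify the server it talks to, provided the server certificate carries a loopback SAN.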


@@ -5,8 +5,8 @@ metadata:
name: {{ include "rustfs.fullname" . }}-transport
namespace: {{ .Release.Namespace }}
spec:
rootcas:
- {{ include "rustfs.fullname" . }}-root-ca-secret
rootCAs:
- secret: {{ include "rustfs.fullname" . }}-root-ca-secret
certificatesSecrets:
- {{ include "rustfs.fullname" . }}-mtls-secret
insecureSkipVerify: true
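Review bot: `insecureSkipVerify: true` on the last line disables server-certificate verification for this transport, which makes the `rootCAs` entry just above it ineffective: any certificate presented by the backend is accepted, and the client certificate from `certificatesSecrets` is then sent to an unverified peer. Now that the CA is wired in through `rootCAs`, this should become `insecureSkipVerify: false` if the server certificate's SANs cover the pod/service names the proxy dials; if they do not, a comment stating why verification is skipped would at least make the trade-off visible. The field names suggest a Traefik ServersTransport, though the `kind` line sits outside the hunk.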


@@ -100,21 +100,56 @@ spec:
name: {{ include "rustfs.secretName" . }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
{{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
{{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- include "rustfs.probes" . | nindent 10 }}
volumeMounts:
{{- if .Values.mtls.enabled }}
- name: server-cert
mountPath: /opt/tls/rustfs_cert.pem
subPath: rustfs_cert.pem
- name: server-cert
mountPath: /opt/tls/rustfs_key.pem
subPath: rustfs_key.pem
- name: server-cert
mountPath: /opt/tls/ca.crt
subPath: ca.crt
- name: client-cert
mountPath: /opt/tls/client_cert.pem
subPath: client_cert.pem
- name: client-cert
mountPath: /opt/tls/client_key.pem
subPath: client_key.pem
- name: client-cert
mountPath: /opt/tls/client_ca.crt
subPath: client_ca.crt
{{- end }}
- name: logs
mountPath: {{ $logDir }}
subPath: logs
- name: data
mountPath: /data
volumes:
{{- if .Values.mtls.enabled }}
- name: server-cert
secret:
secretName: rustfs-server-tls
items:
- key: tls.crt
path: rustfs_cert.pem
- key: tls.key
path: rustfs_key.pem
- key: ca.crt
path: ca.crt
- name: client-cert
secret:
secretName: rustfs-client-tls
items:
- key: tls.crt
path: client_cert.pem
- key: tls.key
path: client_key.pem
- key: ca.crt
path: client_ca.crt
{{- end }}
- name: logs
persistentVolumeClaim:
{{- if .Values.mode.standalone.existingClaim.logsClaim }}
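Review bot: The `client-cert` volumeMounts and volume added here are guarded only by `mtls.enabled`, whereas the statefulset hunk in the same commit wraps them in `{{- if not .Values.mtls.serverOnly }}` … `{{- end }}`; in standalone mode with `serverOnly: true` the pod would therefore still require the `rustfs-client-tls` secret and would not start if it is absent. Wrapping the three `client-cert` mounts and the `client-cert` volume in that same guard keeps the two modes consistent. The secret names `rustfs-server-tls` and `rustfs-client-tls` are also hard-coded, unlike the `{{ include "rustfs.fullname" . }}-…` names used for the transport resource, so two releases in one namespace would share them; deriving them from the release name or exposing them as values would avoid that. The enclosing container spec starts before this hunk.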


@@ -119,17 +119,9 @@ spec:
name: {{ include "rustfs.secretName" . }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- if .Values.livenessProbe.enabled }}
livenessProbe:
{{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- if .Values.readinessProbe.enabled }}
readinessProbe:
{{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }}
{{- end }}
{{- include "rustfs.probes" . | nindent 10 }}
volumeMounts:
{{- if .Values.mtls.enabled }}
{{- if not .Values.mtls.serverOnly }}
- name: client-cert
mountPath: /opt/tls/client_cert.pem
subPath: client_cert.pem
@@ -139,7 +131,6 @@ spec:
- name: client-cert
mountPath: /opt/tls/client_ca.crt
subPath: client_ca.crt
{{- end }}
- name: server-cert
mountPath: /opt/tls/rustfs_cert.pem
subPath: rustfs_cert.pem
@@ -174,7 +165,6 @@ spec:
path: rustfs_key.pem
- key: ca.crt
path: ca.crt
{{- if not .Values.mtls.serverOnly }}
- name: client-cert
secret:
secretName: rustfs-client-tls
@@ -185,7 +175,6 @@ spec:
path: client_key.pem
- key: ca.crt
path: client_ca.crt
{{- end }}
{{- end }}
volumeClaimTemplates:
- metadata:


@@ -226,8 +226,8 @@ gatewayApi:
mtls:
enabled: false
serverOnly: false # If true, only server side TLS will be enabled. If false, both server and client side TLS will be enabled.
# This is for setting up mTLS for ingress.
clientCertPath: "/opt/tls/client_cert.pem"
clientKeyPath: "/opt/tls/client_key.pem"
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
@@ -246,8 +246,9 @@ livenessProbe:
enabled: true # omitted
httpGet:
path: /health
port: endpoint
initialDelaySeconds: 10
port: 9000
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 3
successThreshold: 1
@@ -258,7 +259,8 @@ readinessProbe:
httpGet:
path: /health/ready
port: endpoint
initialDelaySeconds: 30
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 3
successThreshold: 1
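Review bot: The `httpGet` blocks under `livenessProbe` and `readinessProbe` appear to no longer reach the rendered manifests: the deployment and statefulset hunks now render probes through `rustfs.probes`, which hard-codes `path` and takes the port from `service.endpoint.port`, so the new `port: 9000` and `scheme: HTTP` values here are inert and can silently drift from `service.endpoint.port` if a user changes either. Either have the helper read these keys or drop them; at minimum add a comment above `httpGet:` such as `# httpGet is not consumed by the templates; probes are rendered by the rustfs.probes helper from service.endpoint.port and mtls.enabled`. The README row for `mtls.enabled` could likewise mention that enabling mTLS switches both probes from `httpGet` to an exec `curl` command.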