From af93d2daba24d1b22b97ca82c4845fed8d3e248a Mon Sep 17 00:00:00 2001
From: majinghe <42570491+majinghe@users.noreply.github.com>
Date: Thu, 16 Apr 2026 17:26:36 +0800
Subject: [PATCH] fix: update mtls configuration for standalone and distributed mode (#2565)

---
 helm/README.md | 3 +-
 helm/rustfs/templates/_helpers.tpl | 64 ++++++++++++++++++-
 .../cert-manager-mtls/servers-transport.yaml | 4 +-
 helm/rustfs/templates/deployment.yaml | 51 ++++++++++++---
 helm/rustfs/templates/statefulset.yaml | 13 +---
 helm/rustfs/values.yaml | 12 ++--
 6 files changed, 118 insertions(+), 29 deletions(-)

diff --git a/helm/README.md b/helm/README.md
index e77cae172..76688f6b2 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -102,7 +102,8 @@ RustFS helm chart supports **standalone and distributed mode**. For standalone m
 | mode.standalone.existingClaim.dataClaim |string |`""` |Whether to use existing pvc claim for data storage. |
 | mode.standalone.existingClaim.logsClaim |string |`""` |Whether to use existing pvc claim for logs storage. |
 | mtls.enabled | bool | `false` | Enable mtls betweens pods. |
-| mtls.serverOnly | bool | `false` | Only enable server https. |
+| mtls.clientCertPath | string | `/opt/tls/client_cert.pem` | The path for client cert. |
+| mtls.clientKeyPath | string | `/opt/tls/client_key.pem` | The path for client key. |
 | nameOverride | string | `""` | |
 | nodeSelector | object | `{}` | |
 | pdb.create | bool | `false` | Enable/disable a Pod Disruption Budget creation |
diff --git a/helm/rustfs/templates/_helpers.tpl b/helm/rustfs/templates/_helpers.tpl
index c07dace5e..948847f51 100644
--- a/helm/rustfs/templates/_helpers.tpl
+++ b/helm/rustfs/templates/_helpers.tpl
@@ -191,4 +191,66 @@ Render RUSTFS_SERVER_DOMAINS {{- $domains = append $domains $podDomain -}} {{- end -}} {{- join "," $domains -}} -{{- end -}} \ No newline at end of file +{{- end -}} + +{{/* Render probe command for liveness and readiness +*/}} + +{{- define "rustfs.probeCommand" -}} +{{- $endpoint_port := .Values.service.endpoint.port | default 9000 -}} +{{- $console_port := .Values.service.console.port | default 9001 -}} +{{- $args := "-skf" -}} + +{{- if and .Values.mtls.enabled -}} + {{- $args = printf "%s --cert %s --key %s" $args .Values.mtls.clientCertPath .Values.mtls.clientKeyPath -}} +{{- end -}} +- /bin/sh +- -c +- | + curl {{ $args }} https://127.0.0.1:{{ $endpoint_port }}/health/ready && \ + curl {{ $args }} https://127.0.0.1:{{ $console_port }}/rustfs/console/health +{{- end -}} + +{{/* +Render liveness and readiness probe for http and https +*/}} + +{{- define "rustfs.probes" -}} +{{- if .Values.livenessProbe.enabled }} +livenessProbe: + {{- if .Values.mtls.enabled }} + exec: + command: +{{ include "rustfs.probeCommand" . | nindent 6 }} + {{- else }} + httpGet: + path: /health + port: {{ .Values.service.endpoint.port | default 9000 }} + scheme: {{ if .Values.mtls.enabled }}HTTPS{{ else }}HTTP{{ end }} + {{- end }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds | default 60 }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 5 }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds | default 3 }} + successThreshold: {{ .Values.livenessProbe.successThreshold | default 1 }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold | default 3 }} +{{- end }} + +{{- if .Values.readinessProbe.enabled }} +readinessProbe: + {{- if .Values.mtls.enabled }} + exec: + command: +{{ include "rustfs.probeCommand" . 
| nindent 6 }} + {{- else }} + httpGet: + path: /health/ready + port: {{ .Values.service.endpoint.port | default 9000 }} + scheme: {{ if .Values.mtls.enabled }}HTTPS{{ else }}HTTP{{ end }} + {{- end }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds | default 60 }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 5 }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds | default 3 }} + successThreshold: {{ .Values.readinessProbe.successThreshold | default 1 }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold | default 3 }} +{{- end }} +{{- end -}} diff --git a/helm/rustfs/templates/cert-manager-mtls/servers-transport.yaml b/helm/rustfs/templates/cert-manager-mtls/servers-transport.yaml index b7a8b3996..86e7d63fa 100644 --- a/helm/rustfs/templates/cert-manager-mtls/servers-transport.yaml +++ b/helm/rustfs/templates/cert-manager-mtls/servers-transport.yaml @@ -5,8 +5,8 @@ metadata: name: {{ include "rustfs.fullname" . }}-transport namespace: {{ .Release.Namespace }} spec: - rootcas: - - {{ include "rustfs.fullname" . }}-root-ca-secret + rootCAs: + - secret: {{ include "rustfs.fullname" . }}-root-ca-secret certificatesSecrets: - {{ include "rustfs.fullname" . }}-mtls-secret insecureSkipVerify: true diff --git a/helm/rustfs/templates/deployment.yaml b/helm/rustfs/templates/deployment.yaml index 550f6f9a7..003db17d9 100644 --- a/helm/rustfs/templates/deployment.yaml +++ b/helm/rustfs/templates/deployment.yaml 
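Review bot: In mTLS mode both probes run the same `rustfs.probeCommand`, so the liveness probe hits `/health/ready` while the HTTP branch of `rustfs.probes` hits `/health`, and a pod that is alive but not yet ready gets restarted instead of merely being taken out of service; passing the path in through a dict keeps the two modes aligned (fence below). In the `httpGet` branch, `scheme: {{ if .Values.mtls.enabled }}HTTPS{{ else }}HTTP{{ end }}` can only ever render `HTTP`, since that branch is the `else` of `if .Values.mtls.enabled`; plain `scheme: HTTP` says the same thing without suggesting a choice. `{{- if and .Values.mtls.enabled -}}` has a single operand and should read `{{- if .Values.mtls.enabled -}}`. The curl flags include `-k`, so the probe never verifies the server certificate even though the CA is mounted at `/opt/tls/ca.crt` in the deployment and statefulset; if the server certificate's SANs cover 127.0.0.1, `--cacert /opt/tls/ca.crt` would be the verifying alternative. The hunk's leading context lines belong to a define that starts above the hunk.
```yaml
{{- define "rustfs.probeCommand" -}}
{{- $root := .root -}}
{{- $endpoint_port := $root.Values.service.endpoint.port | default 9000 -}}
{{- $console_port := $root.Values.service.console.port | default 9001 -}}
{{- $args := "-skf" -}}
{{- if $root.Values.mtls.enabled -}}
  {{- $args = printf "%s --cert %s --key %s" $args $root.Values.mtls.clientCertPath $root.Values.mtls.clientKeyPath -}}
{{- end -}}
- /bin/sh
- -c
- |
  curl {{ $args }} https://127.0.0.1:{{ $endpoint_port }}{{ .path }} && \
  curl {{ $args }} https://127.0.0.1:{{ $console_port }}/rustfs/console/health
{{- end -}}
# … unchanged: rustfs.probes, except the two include lines …
{{ include "rustfs.probeCommand" (dict "root" . "path" "/health") | nindent 6 }}
{{ include "rustfs.probeCommand" (dict "root" . "path" "/health/ready") | nindent 6 }}
```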
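Review bot: `insecureSkipVerify: true` is kept on the last context line, so the newly corrected `rootCAs` entry is never consulted — Traefik skips backend certificate verification regardless of the CA it is given. If the point of fixing `rootCAs` is to verify the RustFS server certificate, change it to `insecureSkipVerify: false`; if the certificate's SAN does not match the service hostname, set `serverName` on the ServersTransport rather than disabling verification. As it stands the `certificatesSecrets` client certificate is presented to the backend, but the backend's own identity is never checked.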
@@ -100,21 +100,56 @@ spec: name: {{ include "rustfs.secretName" . }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }} - {{- end }} + {{- include "rustfs.probes" . | nindent 10 }} volumeMounts: + {{- if .Values.mtls.enabled }} + - name: server-cert + mountPath: /opt/tls/rustfs_cert.pem + subPath: rustfs_cert.pem + - name: server-cert + mountPath: /opt/tls/rustfs_key.pem + subPath: rustfs_key.pem + - name: server-cert + mountPath: /opt/tls/ca.crt + subPath: ca.crt + - name: client-cert + mountPath: /opt/tls/client_cert.pem + subPath: client_cert.pem + - name: client-cert + mountPath: /opt/tls/client_key.pem + subPath: client_key.pem + - name: client-cert + mountPath: /opt/tls/client_ca.crt + subPath: client_ca.crt + {{- end }} - name: logs mountPath: {{ $logDir }} subPath: logs - name: data mountPath: /data volumes: + {{- if .Values.mtls.enabled }} + - name: server-cert + secret: + secretName: rustfs-server-tls + items: + - key: tls.crt + path: rustfs_cert.pem + - key: tls.key + path: rustfs_key.pem + - key: ca.crt + path: ca.crt + - name: client-cert + secret: + secretName: rustfs-client-tls + items: + - key: tls.crt + path: client_cert.pem + - key: tls.key + path: client_key.pem + - key: ca.crt + path: client_ca.crt + {{- end }} - name: logs persistentVolumeClaim: {{- if .Values.mode.standalone.existingClaim.logsClaim }} diff --git a/helm/rustfs/templates/statefulset.yaml b/helm/rustfs/templates/statefulset.yaml index 29fe1cbda..b8a59fc32 100644 --- a/helm/rustfs/templates/statefulset.yaml +++ b/helm/rustfs/templates/statefulset.yaml 
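Review bot: The client-certificate mounts at `mountPath: /opt/tls/client_cert.pem` and `/opt/tls/client_key.pem` are hard-coded, while `rustfs.probeCommand` reads the same paths from `.Values.mtls.clientCertPath` / `.Values.mtls.clientKeyPath` — a user who overrides either value gets a probe pointing at a file that was never mounted. Either render the mounts from the values, `mountPath: {{ .Values.mtls.clientCertPath }}` and `mountPath: {{ .Values.mtls.clientKeyPath }}`, or document the two values as fixed; the statefulset's matching mounts (context lines of its first hunk) have the same mismatch. The two secret volumes carry private keys but set no `defaultMode`, so the key files get the Secret volume default of 0644 and are readable by every user in the container; adding `defaultMode: 0440` to each `secret:` block (0400 if the container runs as the owning user) limits that. The hard-coded `secretName: rustfs-server-tls` / `rustfs-client-tls` differ from the `{{ include "rustfs.fullname" . }}-…` naming used in the cert-manager templates; presumably these Secrets are created elsewhere under fixed names — worth confirming.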
@@ -119,17 +119,9 @@ spec: name: {{ include "rustfs.secretName" . }} resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if .Values.livenessProbe.enabled }} - livenessProbe: - {{- omit .Values.livenessProbe "enabled" | toYaml | nindent 12 }} - {{- end }} - {{- if .Values.readinessProbe.enabled }} - readinessProbe: - {{- omit .Values.readinessProbe "enabled" | toYaml | nindent 12 }} - {{- end }} + {{- include "rustfs.probes" . | nindent 10 }} volumeMounts: {{- if .Values.mtls.enabled }} - {{- if not .Values.mtls.serverOnly }} - name: client-cert mountPath: /opt/tls/client_cert.pem subPath: client_cert.pem @@ -139,7 +131,6 @@ spec: - name: client-cert mountPath: /opt/tls/client_ca.crt subPath: client_ca.crt - {{- end }} - name: server-cert mountPath: /opt/tls/rustfs_cert.pem subPath: rustfs_cert.pem @@ -174,7 +165,6 @@ spec: path: rustfs_key.pem - key: ca.crt path: ca.crt - {{- if not .Values.mtls.serverOnly }} - name: client-cert secret: secretName: rustfs-client-tls @@ -185,7 +175,6 @@ spec: path: client_key.pem - key: ca.crt path: client_ca.crt - {{- end }} {{- end }} volumeClaimTemplates: - metadata: diff --git a/helm/rustfs/values.yaml b/helm/rustfs/values.yaml index ac7f63cea..494112f0c 100644 --- a/helm/rustfs/values.yaml +++ b/helm/rustfs/values.yaml @@ -226,8 +226,8 @@ gatewayApi: mtls: enabled: false - serverOnly: false # If true, only server side TLS will be enabled. If false, both server and client side TLS will be enabled. - # This is for setting up mTLS for ingress. + clientCertPath: "/opt/tls/client_cert.pem" + clientKeyPath: "/opt/tls/client_key.pem" resources: {} # We usually recommend not to specify default resources and to leave this as a conscious @@ -246,8 +246,9 @@ livenessProbe: enabled: true # omitted httpGet: path: /health - port: endpoint - initialDelaySeconds: 10 + port: 9000 + scheme: HTTP + initialDelaySeconds: 30 periodSeconds: 5 timeoutSeconds: 3 successThreshold: 1 
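Review bot: With the `{{- if not .Values.mtls.serverOnly }}` guards removed (this hunk and the three below it), a values file that still sets `mtls.serverOnly: true` is silently accepted and now mounts the client certificate and presents it in the probe, which is the opposite of what that flag asked for. A guard such as `{{- if hasKey .Values.mtls "serverOnly" }}{{ fail "mtls.serverOnly has been removed; mtls.enabled now configures both server and client certificates" }}{{- end }}` near the top of the template turns the silent behaviour change into an install-time error. The `rustfs.probes` include here mirrors the deployment change; the surrounding container spec starts above the hunk.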
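Review bot: The `httpGet.port: 9000` and `scheme: HTTP` added under `livenessProbe` (and `scheme: HTTP` under `readinessProbe` in the next hunk) are never read: `rustfs.probes` builds its own `httpGet` from `.Values.service.endpoint.port` and picks the scheme from `mtls.enabled`, so editing these values has no effect, and the readiness block still says `port: endpoint` while the liveness block now says `9000`. Since the `# omitted` comment already marks the block as ignored, dropping the `httpGet` sub-keys entirely, or replacing them with a comment such as `# httpGet is rendered by templates/_helpers.tpl (rustfs.probes); only the timing fields below are honoured`, avoids config that looks tunable but is not. The template fallbacks (`default 60` for `initialDelaySeconds`) also differ from the 30/10 set here; harmless while the values are present, but worth aligning.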
@@ -258,7 +259,8 @@ readinessProbe: httpGet: path: /health/ready port: endpoint - initialDelaySeconds: 30 + scheme: HTTP + initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 3 successThreshold: 1